fix(channels): tag typed text-slash control commands with CommandSource across all channel ingresses

Sweeps the same root-cause fix as PR #86825 (Mattermost) across the remaining
channels that exhibited the latent gap: Feishu, IRC, Line, MS Teams, Nextcloud
Talk, Signal, ClickClack, QA Channel, and the public 'direct-dm' plugin SDK
helper (with Nostr passing through it as the first internal consumer).

Each channel inbound handler already computed CommandAuthorized for typed slash
commands but never set CommandSource. Without CommandSource: 'text',
resolveCommandTurnContext defaults the turn kind to 'normal', so the explicit-
command exception in source-reply-delivery-mode.ts:54-56 never fires and
acknowledgements ('Session reset.', 'New session started.', 'Stopped N
subagents', etc.) are silently dropped under message_tool_only delivery
modes — most commonly the Codex harness default for DMs that #83571
introduced.

For each channel, this PR sets:

  CommandSource: commandAuthorized && hasControlCommand ? 'text' : undefined

where 'hasControlCommand' uses the channel's existing isControlCommandMessage
helper (not shouldComputeCommandAuthorized, which would be too permissive and
incorrectly tag inline command tokens within ordinary text). For ClickClack
and QA Channel (CommandAuthorized hardcoded true), the tag only depends on
the body being a control command. For Signal and Line, a new optional
'hasControlCommand' field on the entry/params struct carries the signal from
the access-policy layer where it is already computed.

The public direct-dm SDK helper grows an optional commandSource parameter so
third-party plugins built on it can pass through their own control-command
detection; Nostr is updated as the first consumer.

Adds focused regression tests (Signal, MS Teams, direct-dm SDK, plus a
negative-control assertion on the existing MS Teams inline-command test) that
fail without the fix and pass with it.

Fixes #86664.

.agents/skills/agent-transcript/scripts/agent-transcript

@@ -56,19 +56,10 @@ function openClawSessionRoots() {
   const agentsDir = path.join(stateDir, "agents");
   if (!fs.existsSync(agentsDir)) return [];
   try {
-    const roots = fs
+    return fs
       .readdirSync(agentsDir, { withFileTypes: true })
       .filter((entry) => entry.isDirectory())
-      .flatMap((entry) => {
-        const agentDir = path.join(agentsDir, entry.name);
-        return [
-          path.join(agentDir, "sessions"),
-          path.join(agentDir, "agent", "sessions"),
-          path.join(agentDir, "agent", "codex-home", "sessions"),
-        ];
-      })
-      .filter((root) => fs.existsSync(root));
-    return [...new Set(roots)];
+      .map((entry) => path.join(agentsDir, entry.name, "sessions"));
   } catch {
     return [];
   }

.agents/skills/autoreview/SKILL.md

@@ -22,18 +22,15 @@ Use when:
 - Read dependency docs/source/types when the finding depends on external behavior.
 - Reject unrealistic edge cases, speculative risks, broad rewrites, and fixes that over-complicate the codebase.
 - Prefer small fixes at the right ownership boundary; no refactor unless it clearly improves the bug class.
-- When an accepted finding shows a bug class or repeated pattern, inspect the current PR scope for sibling instances before fixing.
-- Fix the scoped bug class at once when practical; stop at touched surfaces, owner boundaries, and clear follow-up territory.
 - Keep going until structured review returns no accepted/actionable findings.
 - If a review-triggered fix changes code, rerun focused tests and rerun the structured review helper.
 - For security-audit suppression changes, verify accepted findings remain auditable: suppressed findings stay in structured output, active output keeps an unsuppressible suppression notice, and aggregate findings cannot hide unrelated active risk.
 - Never switch or override the requested review engine/model. If the review hits model capacity, retry the same command a few times with the same engine/model.
 - Be patient with large bundles. Structured review can take up to 30 minutes while the model call is active, especially with Codex tools or web search.
-- Treat heartbeat lines like `review still running: ... elapsed=... pid=...` as healthy progress, not a hang. Let the helper continue while heartbeats are advancing. Pass `--stream-engine-output` when live engine text is useful; Codex and Claude filter tool/file chatter, other engines pass raw output through.
+- Treat heartbeat lines like `review still running: ... elapsed=... pid=...` as healthy progress, not a hang. Let the helper continue while heartbeats are advancing.
 - Do not kill a review just because it has been quiet for 2-5 minutes, or because it is still running under the 30-minute window. Inspect the process only after missing multiple expected heartbeats, after 30 minutes, or after an obviously failed subprocess; prefer letting the same helper command finish.
 - Tools are useful in review mode. The helper allows read-only inspection tools and web search by default so reviewers can check dependency contracts, upstream docs, and current behavior.
 - Security perspective is always included, but it should not cripple legitimate functionality. Report security findings only when the change creates a concrete, actionable risk or removes an important safety check.
-- For regression provenance, if no blamed PR is traceable, use the blamed commit as the provenance: commit SHA, date, and author username. Do not guess a merger or frame missing PR metadata as a separate finding.
 - Do not invoke built-in `codex review`, nested reviewers, or reviewer panels from inside the review. The helper builds one bundle, calls one selected engine, validates one structured result, and stops.
 - Stop as soon as the helper exits 0 with no accepted/actionable findings. Do not run an extra review just to get a nicer "clean" line, a second opinion, or clearer closeout wording.
 - Treat the helper's successful exit plus absence of actionable findings as the clean review result, even if the underlying Codex CLI output is terse.
@@ -52,9 +49,8 @@ Dirty local work:
 ```
 
 Use this only when the patch is actually unstaged/staged/untracked in the
-current checkout. `--mode uncommitted` is accepted as an alias for `--mode local`.
-For committed, pushed, or PR work, point the helper at the commit
-or branch diff instead; do not force dirty modes just
+current checkout. For committed, pushed, or PR work, point the helper at the commit
+or branch diff instead; do not force `--mode local` / `--uncommitted` just
 because the helper docs mention dirty work first. A clean local review
 only proves there is no local patch.
 
@@ -102,10 +98,6 @@ Format first if formatting can change line locations. Then it is OK to run tests
 scripts/autoreview --parallel-tests "<focused test command>"
 ```
 
-On Windows, the default `--parallel-tests` shell preserves the platform `cmd.exe`
-semantics used by Python `shell=True`. Use `--parallel-tests-shell powershell`
-or `--parallel-tests-shell pwsh` when the focused test command is PowerShell-specific.
-
 Tradeoff: tests may force code changes that stale the review. If tests or review lead to code edits, rerun the affected tests and rerun review until no accepted/actionable findings remain. Once that rerun exits cleanly, stop; do not spend another long review cycle on redundant confirmation.
 
 ## Review Panels
@@ -150,22 +142,6 @@ OpenClaw repo-local helper:
 .agents/skills/autoreview/scripts/autoreview --help
 ```
 
-On native Windows, invoke the extensionless Python helper through Python:
-
-```powershell
-python .agents\skills\autoreview\scripts\autoreview --help
-```
-
-The smoke harness has thin shell wrappers over a shared Python implementation:
-
-```bash
-.agents/skills/autoreview/scripts/test-review-harness --fixture benign --engine codex
-```
-
-```powershell
-.agents\skills\autoreview\scripts\test-review-harness.ps1 -Fixture benign -Engine codex
-```
-
 `agent-scripts` checkout helper:
 
 ```bash
@@ -187,19 +163,16 @@ If installed from `agent-scripts`, path is:
 The helper:
 
 - chooses dirty local changes first
-- accepts `--mode uncommitted` as an alias for `--mode local`
 - otherwise uses current PR base if `gh pr view` works
 - otherwise uses `origin/main` for non-main branches
 - supports `--engine codex`, `claude`, `droid`, and `copilot`; default is `AUTOREVIEW_ENGINE` or `codex`; Codex should remain the default when nothing is set
-- resolves bare `git`, `gh`, reviewer, and PowerShell shell commands from absolute `PATH` entries only, never from the reviewed checkout; explicit relative `--*-bin` paths are resolved from the reviewed repository root
 - use `--mode commit --commit <ref>` for already-committed work, especially clean `main` after landing
 - should be left in `--mode auto` or forced to `--mode branch` for PR/branch work; do not force `--mode local` after committing
-- writes only to stdout unless `--output`, `--json-output`, or live streamed engine stderr is set
-- supports `--dry-run`, `--parallel-tests`, `--parallel-tests-shell`, `--prompt`, `--prompt-file`, `--dataset`, `--no-tools`, `--no-web-search`, and commit refs
-- supports `--stream-engine-output` or `AUTOREVIEW_STREAM_ENGINE_OUTPUT=1` for live engine text while preserving structured validation; Codex and Claude hide tool/file event details, emit compact activity summaries, and report usage at turn completion
+- writes only to stdout unless `--output` or `--json-output` is set
+- supports `--dry-run`, `--parallel-tests`, `--prompt`, `--prompt-file`, `--dataset`, `--no-tools`, `--no-web-search`, and commit refs
 - supports opt-in review panels with `--panel` / `--reviewers`, plus per-engine `--model` and `--thinking`
 - allows read-only tools and web search by default where the selected CLI supports them; forbids nested review in the prompt; Codex is run through `codex exec` with read-only sandbox and structured output
-- prints `review still running: <engine> elapsed=<seconds>s pid=<pid>` to stderr at long-running intervals while waiting for the selected review engine, unless streamed output or compact Codex activity has been visible recently
+- prints `review still running: <engine> elapsed=<seconds>s pid=<pid>` to stderr at long-running intervals while waiting for the selected review engine
 - prints `autoreview clean: no accepted/actionable findings reported` when the selected review command exits 0
 - exits nonzero when accepted/actionable findings are present
 

.agents/skills/autoreview/scripts/autoreview

@@ -6,15 +6,13 @@ import concurrent.futures
 import copy
 import json
 import os
-import queue
 import subprocess
 import sys
 import tempfile
 import textwrap
-import threading
 import time
 from pathlib import Path
-from typing import Any, Callable
+from typing import Any
 
 
 ENGINES = ("codex", "claude", "droid", "copilot")
@@ -102,18 +100,7 @@ def run_with_heartbeat(
     input_text: str | None = None,
     label: str,
     heartbeat_seconds: int = 60,
-    stream_output: bool = False,
-    stream_display: Callable[[str, str], str | None] | None = None,
 ) -> subprocess.CompletedProcess[str]:
-    if stream_output:
-        return run_with_stream(
-            args,
-            cwd,
-            input_text=input_text,
-            label=label,
-            heartbeat_seconds=heartbeat_seconds,
-            stream_display=stream_display,
-        )
     started = time.monotonic()
     proc = subprocess.Popen(
         args,
@@ -137,94 +124,13 @@ def run_with_heartbeat(
             print(f"review still running: {label} elapsed={elapsed}s pid={proc.pid}", file=sys.stderr, flush=True)
 
 
-def run_with_stream(
-    args: list[str],
-    cwd: Path,
-    *,
-    input_text: str | None,
-    label: str,
-    heartbeat_seconds: int,
-    stream_display: Callable[[str, str], str | None] | None,
-) -> subprocess.CompletedProcess[str]:
-    started = time.monotonic()
-    proc = subprocess.Popen(
-        args,
-        cwd=cwd,
-        stdin=subprocess.PIPE if input_text is not None else None,
-        stdout=subprocess.PIPE,
-        stderr=subprocess.PIPE,
-        text=True,
-        bufsize=1,
-    )
-    events: queue.Queue[tuple[str, str | None]] = queue.Queue()
-    stdout_parts: list[str] = []
-    stderr_parts: list[str] = []
-
-    def read_stream(name: str, stream: Any) -> None:
-        try:
-            for line in iter(stream.readline, ""):
-                events.put((name, line))
-        finally:
-            events.put((name, None))
-
-    def write_stdin() -> None:
-        if proc.stdin is None or input_text is None:
-            return
-        try:
-            proc.stdin.write(input_text)
-            proc.stdin.close()
-        except BrokenPipeError:
-            return
-
-    threads = [
-        threading.Thread(target=read_stream, args=("stdout", proc.stdout), daemon=True),
-        threading.Thread(target=read_stream, args=("stderr", proc.stderr), daemon=True),
-    ]
-    for thread in threads:
-        thread.start()
-    stdin_thread = threading.Thread(target=write_stdin, daemon=True)
-    stdin_thread.start()
-
-    open_streams = 2
-    while open_streams:
-        try:
-            name, line = events.get(timeout=heartbeat_seconds)
-        except queue.Empty:
-            elapsed = int(time.monotonic() - started)
-            print(f"review still running: {label} elapsed={elapsed}s pid={proc.pid}", file=sys.stderr, flush=True)
-            continue
-        if line is None:
-            open_streams -= 1
-            continue
-        if name == "stdout":
-            stdout_parts.append(line)
-        else:
-            stderr_parts.append(line)
-        display = stream_display(name, line) if stream_display else line
-        if display:
-            target = sys.stdout if name == "stdout" else sys.stderr
-            target.write(display)
-            target.flush()
-
-    for thread in threads:
-        thread.join()
-    stdin_thread.join(timeout=1)
-    returncode = proc.wait()
-    return subprocess.CompletedProcess(args, returncode, "".join(stdout_parts), "".join(stderr_parts))
-
-
 def git(repo: Path, *args: str, check: bool = True) -> str:
-    return run([resolve_command("git", repo), *args], repo, check=check).stdout
+    return run(["git", *args], repo, check=check).stdout
 
 
 def repo_root() -> Path:
-    start = Path.cwd().resolve()
-    unsafe_root = discover_repo_root(start) or start
-    git_bin = find_command("git", unsafe_root)
-    if not git_bin:
-        raise SystemExit("git executable not found. Install Git or add it to PATH.")
     result = subprocess.run(
-        [git_bin, "rev-parse", "--show-toplevel"],
+        ["git", "rev-parse", "--show-toplevel"],
         text=True,
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE,
@@ -234,16 +140,6 @@ def repo_root() -> Path:
     return Path(result.stdout.strip()).resolve()
 
 
-def discover_repo_root(start: Path) -> Path | None:
-    current = start
-    while True:
-        if (current / ".git").exists():
-            return current
-        if current.parent == current:
-            return None
-        current = current.parent
-
-
 def current_branch(repo: Path) -> str:
     return git(repo, "branch", "--show-current", check=False).strip() or "detached"
 
@@ -253,7 +149,6 @@ def is_dirty(repo: Path) -> bool:
 
 
 def choose_target(repo: Path, mode: str, base_ref: str | None) -> tuple[str, str | None]:
-    mode = "local" if mode == "uncommitted" else mode
     branch = current_branch(repo)
     if mode == "local" or (mode == "auto" and is_dirty(repo)):
         return "local", None
@@ -265,70 +160,17 @@ def choose_target(repo: Path, mode: str, base_ref: str | None) -> tuple[str, str
 
 
 def detect_pr_base(repo: Path) -> str | None:
-    gh_bin = find_command("gh", repo)
-    if not gh_bin:
+    if not shutil_which("gh"):
         return None
-    result = run([gh_bin, "pr", "view", "--json", "baseRefName", "--jq", ".baseRefName"], repo, check=False)
+    result = run(["gh", "pr", "view", "--json", "baseRefName", "--jq", ".baseRefName"], repo, check=False)
     base = result.stdout.strip()
     return f"origin/{base}" if result.returncode == 0 and base else None
 
 
-def resolve_command(name: str, repo: Path) -> str:
-    resolved = find_command(name, repo)
-    if resolved:
-        return resolved
-    raise SystemExit(f"executable not found: {name}. Install it or pass an explicit trusted path when supported.")
-
-
-def find_command(name: str, repo: Path) -> str | None:
-    command = Path(name)
-    if has_directory_component(name, command):
-        base = command if command.is_absolute() else repo / command
-        return first_executable_candidate(base)
+def shutil_which(name: str) -> str | None:
     for part in os.environ.get("PATH", "").split(os.pathsep):
-        if not part or part == ".":
-            continue
-        path_part = Path(part)
-        if not path_part.is_absolute():
-            continue
-        try:
-            resolved_part = path_part.resolve()
-            resolved_repo = repo.resolve()
-        except OSError:
-            continue
-        if is_within(resolved_part, resolved_repo):
-            continue
-        found = first_executable_candidate(resolved_part / name, reject_root=resolved_repo)
-        if found:
-            return found
-    return None
-
-
-def is_within(path: Path, root: Path) -> bool:
-    return path == root or path.is_relative_to(root)
-
-
-def has_directory_component(name: str, command: Path) -> bool:
-    separators = [separator for separator in (os.sep, os.altsep) if separator]
-    return command.is_absolute() or bool(command.drive) or any(separator in name for separator in separators)
-
-
-def first_executable_candidate(path: Path, *, reject_root: Path | None = None) -> str | None:
-    if os.name == "nt" and not path.suffix:
-        extensions = [ext for ext in os.environ.get("PATHEXT", ".COM;.EXE;.BAT;.CMD").split(";") if ext]
-        candidates = [path.with_suffix(ext.lower()) for ext in extensions]
-        candidates.extend(path.with_suffix(ext.upper()) for ext in extensions)
-        candidates.append(path)
-    else:
-        candidates = [path]
-    for candidate in candidates:
-        if candidate.is_file() and os.access(candidate, os.X_OK):
-            if reject_root is not None:
-                try:
-                    if is_within(candidate.resolve(), reject_root):
-                        continue
-                except OSError:
-                    continue
+        candidate = Path(part) / name
+        if candidate.exists() and os.access(candidate, os.X_OK):
             return str(candidate)
     return None
 
@@ -487,18 +329,16 @@ def run_codex(args: argparse.Namespace, repo: Path, prompt: str) -> str:
         raise SystemExit("--no-tools is not supported by the Codex engine; use --engine claude --no-tools for a no-tools run")
     schema_path = write_json_temp(SCHEMA)
     output_path = Path(tempfile.NamedTemporaryFile("w", suffix=".json", delete=False).name)
-    cmd = [resolve_command(args.codex_bin, repo), "--ask-for-approval", "never"]
+    cmd = [args.codex_bin, "--ask-for-approval", "never"]
     if args.web_search:
         cmd.append("--search")
     if args.model:
         cmd.extend(["--model", args.model])
     if args.thinking:
         cmd.extend(["-c", f'model_reasoning_effort="{args.thinking}"'])
-    cmd.append("exec")
-    if args.stream_engine_output:
-        cmd.append("--json")
     cmd.extend(
         [
+            "exec",
             "--ephemeral",
             "-C",
             str(repo),
@@ -511,14 +351,7 @@ def run_codex(args: argparse.Namespace, repo: Path, prompt: str) -> str:
             "-",
         ]
     )
-    result = run_with_heartbeat(
-        cmd,
-        repo,
-        input_text=prompt,
-        label="codex",
-        stream_output=args.stream_engine_output,
-        stream_display=CodexStreamDisplay() if args.stream_engine_output else None,
-    )
+    result = run_with_heartbeat(cmd, repo, input_text=prompt, label="codex")
     try:
         output = output_path.read_text()
     finally:
@@ -531,11 +364,11 @@ def run_codex(args: argparse.Namespace, repo: Path, prompt: str) -> str:
 
 def run_claude(args: argparse.Namespace, repo: Path, prompt: str) -> str:
     cmd = [
-        resolve_command(args.claude_bin, repo),
+        args.claude_bin,
         "--print",
         "--no-session-persistence",
         "--output-format",
-        "stream-json" if args.stream_engine_output else "json",
+        "json",
         "--json-schema",
         json.dumps(SCHEMA),
     ]
@@ -543,20 +376,11 @@ def run_claude(args: argparse.Namespace, repo: Path, prompt: str) -> str:
         cmd.extend(["--allowedTools", claude_allowed_tools(args)])
     else:
         cmd.extend(["--tools", ""])
-    if args.stream_engine_output:
-        cmd.append("--verbose")
     if args.model:
         cmd.extend(["--model", args.model])
     if args.thinking:
         cmd.extend(["--effort", args.thinking])
-    result = run_with_heartbeat(
-        cmd,
-        repo,
-        input_text=prompt,
-        label="claude",
-        stream_output=args.stream_engine_output,
-        stream_display=ClaudeStreamDisplay() if args.stream_engine_output else None,
-    )
+    result = run_with_heartbeat(cmd, repo, input_text=prompt, label="claude")
     if result.returncode != 0:
         raise SystemExit(f"claude engine failed ({result.returncode})\n{result.stderr or result.stdout}")
     return result.stdout
@@ -568,7 +392,7 @@ def run_droid(args: argparse.Namespace, repo: Path, prompt: str) -> str:
     prompt_path = Path(tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False).name)
     prompt_path.write_text(prompt)
     cmd = [
-        resolve_command(args.droid_bin, repo),
+        args.droid_bin,
         "exec",
         "--cwd",
         str(repo),
@@ -581,7 +405,7 @@ def run_droid(args: argparse.Namespace, repo: Path, prompt: str) -> str:
         cmd.extend(["--model", args.model])
     if not args.tools:
         cmd.extend(["--disabled-tools", "*"])
-    result = run_with_heartbeat(cmd, repo, label="droid", stream_output=args.stream_engine_output)
+    result = run_with_heartbeat(cmd, repo, label="droid")
     prompt_path.unlink(missing_ok=True)
     if result.returncode != 0:
         raise SystemExit(f"droid engine failed ({result.returncode})\n{result.stderr or result.stdout}")
@@ -598,7 +422,7 @@ def run_copilot(args: argparse.Namespace, repo: Path, prompt: str) -> str:
         prompt_path.write_text(prompt)
         os.chmod(prompt_path, 0o600)
         cmd = [
-            resolve_command(args.copilot_bin, repo),
+            args.copilot_bin,
             "-C",
             tempdir,
             "-p",
@@ -606,7 +430,7 @@ def run_copilot(args: argparse.Namespace, repo: Path, prompt: str) -> str:
             "--output-format",
             "json",
             "--stream",
-            "on" if args.stream_engine_output else "off",
+            "off",
             "--no-ask-user",
             "--disable-builtin-mcps",
         ]
@@ -623,142 +447,12 @@ def run_copilot(args: argparse.Namespace, repo: Path, prompt: str) -> str:
         )
         if args.web_search:
             cmd.append("--allow-all-urls")
-        result = run_with_heartbeat(cmd, Path(tempdir), label="copilot", stream_output=args.stream_engine_output)
+        result = run_with_heartbeat(cmd, Path(tempdir), label="copilot")
     if result.returncode != 0:
         raise SystemExit(f"copilot engine failed ({result.returncode})\n{result.stderr or result.stdout}")
     return result.stdout
 
 
-class CodexStreamDisplay:
-    def __init__(self, *, activity_seconds: int = 20) -> None:
-        self.activity_seconds = activity_seconds
-        self.hidden_events = 0
-        self.last_visible = time.monotonic()
-
-    def __call__(self, name: str, line: str) -> str | None:
-        if name != "stdout":
-            return line
-        try:
-            event = json.loads(line)
-        except json.JSONDecodeError:
-            return self.visible(line)
-        event_type = event.get("type")
-        if event_type == "thread.started":
-            return self.visible(f"codex thread: {event.get('thread_id', '<unknown>')}\n")
-        if event_type == "turn.started":
-            return self.visible("codex turn started\n")
-        if event_type == "turn.completed":
-            usage = event.get("usage")
-            message = format_codex_usage(usage) + "\n" if isinstance(usage, dict) else "codex turn completed\n"
-            return self.visible(self.flush_hidden() + message)
-        item = event.get("item")
-        if isinstance(item, dict) and item.get("type") == "agent_message" and isinstance(item.get("text"), str):
-            return self.visible(self.flush_hidden() + item["text"].rstrip() + "\n")
-        return self.hidden_activity()
-
-    def hidden_activity(self) -> str | None:
-        self.hidden_events += 1
-        if time.monotonic() - self.last_visible < self.activity_seconds:
-            return None
-        return self.visible(self.flush_hidden())
-
-    def flush_hidden(self) -> str:
-        if not self.hidden_events:
-            return ""
-        count = self.hidden_events
-        self.hidden_events = 0
-        return f"codex activity: {count} hidden tool/status events\n"
-
-    def visible(self, text: str) -> str:
-        self.last_visible = time.monotonic()
-        return text
-
-
-class ClaudeStreamDisplay:
-    def __init__(self, *, activity_seconds: int = 20) -> None:
-        self.activity_seconds = activity_seconds
-        self.hidden_events = 0
-        self.last_visible = time.monotonic()
-        self.started = False
-
-    def __call__(self, name: str, line: str) -> str | None:
-        if name != "stdout":
-            return line
-        try:
-            event = json.loads(line)
-        except json.JSONDecodeError:
-            return self.visible(line)
-        event_type = event.get("type")
-        if event_type == "system" and not self.started:
-            self.started = True
-            return self.visible("claude turn started\n")
-        if event_type == "assistant":
-            return self.assistant_message(event)
-        if event_type == "result":
-            return self.visible(self.flush_hidden() + self.result_summary(event))
-        return self.hidden_activity()
-
-    def assistant_message(self, event: dict[str, Any]) -> str | None:
-        message = event.get("message")
-        if not isinstance(message, dict):
-            return self.hidden_activity()
-        chunks: list[str] = []
-        for item in message.get("content", []):
-            if not isinstance(item, dict):
-                continue
-            if item.get("type") == "text" and isinstance(item.get("text"), str):
-                chunks.append(item["text"].rstrip())
-        if chunks:
-            return self.visible(self.flush_hidden() + "\n".join(chunks) + "\n")
-        return self.hidden_activity()
-
-    def result_summary(self, event: dict[str, Any]) -> str:
-        usage = event.get("usage")
-        fields: list[str] = []
-        if isinstance(usage, dict):
-            for key in (
-                "input_tokens",
-                "cache_read_input_tokens",
-                "cache_creation_input_tokens",
-                "output_tokens",
-            ):
-                value = usage.get(key)
-                if isinstance(value, int):
-                    fields.append(f"{key}={value}")
-        cost = event.get("total_cost_usd")
-        if isinstance(cost, (int, float)) and not isinstance(cost, bool):
-            fields.append(f"cost_usd={cost:.6f}")
-        return "claude usage: " + " ".join(fields) + "\n" if fields else "claude turn completed\n"
-
-    def hidden_activity(self) -> str | None:
-        self.hidden_events += 1
-        if time.monotonic() - self.last_visible < self.activity_seconds:
-            return None
-        return self.visible(self.flush_hidden())
-
-    def flush_hidden(self) -> str:
-        if not self.hidden_events:
-            return ""
-        count = self.hidden_events
-        self.hidden_events = 0
-        return f"claude activity: {count} hidden tool/status events\n"
-
-    def visible(self, text: str) -> str:
-        self.last_visible = time.monotonic()
-        return text
-
-
-def format_codex_usage(usage: dict[str, Any]) -> str:
-    fields = [
-        "input_tokens",
-        "cached_input_tokens",
-        "output_tokens",
-        "reasoning_output_tokens",
-    ]
-    parts = [f"{field}={usage[field]}" for field in fields if isinstance(usage.get(field), int)]
-    return "codex usage: " + " ".join(parts) if parts else "codex usage: unavailable"
-
-
 def claude_allowed_tools(args: argparse.Namespace) -> str:
     tools = [tool.strip() for tool in args.claude_allowed_tools.split(",") if tool.strip()]
     if not args.web_search:
@@ -796,7 +490,7 @@ def extract_json(text: str) -> dict[str, Any]:
 
 
 def extract_json_from_jsonl(text: str) -> dict[str, Any] | None:
-    candidates: list[str | dict[str, Any]] = []
+    candidates: list[str] = []
     for line in text.splitlines():
         line = line.strip()
         if not line:
@@ -815,13 +509,7 @@ def extract_json_from_jsonl(text: str) -> dict[str, Any] | None:
             candidates.append(data["content"])
         if isinstance(event.get("result"), str):
             candidates.append(event["result"])
-        if isinstance(event.get("structured_output"), dict):
-            candidates.append(event["structured_output"])
     for candidate in reversed(candidates):
-        if isinstance(candidate, dict):
-            if "findings" in candidate:
-                return candidate
-            continue
         parsed = parse_json_candidate(candidate)
         if isinstance(parsed, dict) and "findings" in parsed:
             return parsed
@@ -945,23 +633,9 @@ def print_report(report: dict[str, Any], *, label: str = "autoreview") -> None:
     print(report["overall_explanation"])
 
 
-def start_parallel_tests(command: str, repo: Path, shell_kind: str) -> tuple[subprocess.Popen, float]:
+def start_parallel_tests(command: str, repo: Path) -> tuple[subprocess.Popen, float]:
     print(f"tests: {command}")
-    if shell_kind == "default" or shell_kind == "cmd":
-        return subprocess.Popen(command, cwd=repo, shell=True), time.time()
-    if shell_kind == "powershell":
-        powershell = resolve_command("powershell", repo)
-        return subprocess.Popen(
-            [powershell, "-NoProfile", "-ExecutionPolicy", "Bypass", "-Command", command],
-            cwd=repo,
-        ), time.time()
-    if shell_kind == "pwsh":
-        pwsh = resolve_command("pwsh", repo)
-        return subprocess.Popen(
-            [pwsh, "-NoProfile", "-Command", command],
-            cwd=repo,
-        ), time.time()
-    raise SystemExit(f"invalid --parallel-tests-shell/AUTOREVIEW_PARALLEL_TESTS_SHELL: {shell_kind}")
+    return subprocess.Popen(command, cwd=repo, shell=True), time.time()
 
 
 def finish_parallel_tests(proc: subprocess.Popen, started: float) -> int:
@@ -972,7 +646,7 @@ def finish_parallel_tests(proc: subprocess.Popen, started: float) -> int:
 
 def parse_args() -> argparse.Namespace:
     parser = argparse.ArgumentParser(description="Bundle-driven AI code review.")
-    parser.add_argument("--mode", choices=["auto", "local", "uncommitted", "branch", "commit"], default="auto")
+    parser.add_argument("--mode", choices=["auto", "local", "branch", "commit"], default="auto")
     parser.add_argument("--base")
     parser.add_argument("--commit", default="HEAD")
     parser.add_argument("--engine", choices=ENGINES, default=os.environ.get("AUTOREVIEW_ENGINE", "codex"))
@@ -999,19 +673,7 @@ def parse_args() -> argparse.Namespace:
     parser.add_argument("--dataset", action="append", help="Extra evidence file to include in the review bundle.")
     parser.add_argument("--output", help="Write human output to a file as well as stdout.")
     parser.add_argument("--json-output", help="Write validated structured review JSON.")
-    parser.add_argument(
-        "--stream-engine-output",
-        action="store_true",
-        default=os.environ.get("AUTOREVIEW_STREAM_ENGINE_OUTPUT") == "1",
-        help="Stream review engine output while preserving buffered output for validation. Codex output is filtered to hide tool/file chatter.",
-    )
     parser.add_argument("--parallel-tests", help="Run a test command concurrently with review; failure fails the helper.")
-    parser.add_argument(
-        "--parallel-tests-shell",
-        choices=["default", "cmd", "powershell", "pwsh"],
-        default=os.environ.get("AUTOREVIEW_PARALLEL_TESTS_SHELL", "default"),
-        help="Shell for --parallel-tests. Default preserves Python shell=True platform behavior; use powershell or pwsh for PowerShell-specific commands.",
-    )
     parser.add_argument("--require-finding", action="append", default=[], help="Require finding text to contain this substring.")
     parser.add_argument("--expect-findings", action="store_true", help="Treat findings as success; for harness acceptance tests.")
     parser.add_argument("--dry-run", action="store_true")
@@ -1217,7 +879,7 @@ def main() -> int:
 
     tests_proc: tuple[subprocess.Popen, float] | None = None
     if args.parallel_tests:
-        tests_proc = start_parallel_tests(args.parallel_tests, repo, args.parallel_tests_shell)
+        tests_proc = start_parallel_tests(args.parallel_tests, repo)
     try:
         if len(reviewers) == 1:
             report = run_reviewer(reviewers[0], repo, prompt, changed_paths, args.require_finding)

.agents/skills/autoreview/scripts/test-review-harness

@@ -1,16 +1,176 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
+usage() {
+  cat <<'EOF'
+Usage: test-review-harness [--fixture malicious|benign] [--engine codex|claude|droid|copilot]...
+
+Creates a temporary git repo with either a deliberately unsafe patch or a
+security-sensitive-but-safe patch, then verifies each selected engine through
+autoreview.
+Default engines: codex, claude.
+EOF
+}
+
+engines=()
+fixture=malicious
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --fixture)
+      fixture=${2:-}
+      shift 2
+      ;;
+    --engine)
+      engines+=("${2:-}")
+      shift 2
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      usage >&2
+      exit 2
+      ;;
+  esac
+done
+
+case "$fixture" in
+  malicious|benign) ;;
+  *)
+    usage >&2
+    exit 2
+    ;;
+esac
+
+if [[ ${#engines[@]} -eq 0 ]]; then
+  engines=(codex claude)
+fi
+
 script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
-harness="$script_dir/test-review-harness.py"
+repo=$(mktemp -d "${TMPDIR:-/tmp}/autoreview-fixture.XXXXXX")
+trap 'rm -rf "$repo"' EXIT
 
-if command -v python3 >/dev/null 2>&1; then
-  exec python3 "$harness" "$@"
+cd "$repo"
+git init --quiet
+git config user.name "Review Fixture"
+git config user.email "review-fixture@example.com"
+
+if [[ "$fixture" == malicious ]]; then
+  cat > app.js <<'EOF'
+export function uploadPath(name) {
+  return `uploads/${name.replaceAll("/", "")}`;
+}
+
+export function publicUser(user) {
+  return { id: user.id, name: user.name };
+}
+EOF
+else
+  cat > app.js <<'EOF'
+import path from "node:path";
+
+const uploadsRoot = path.resolve("uploads");
+
+function safeChildPath(root, name) {
+  if (name.includes("/") || name.includes("\\") || name.includes("\0")) {
+    throw new Error("invalid child name");
+  }
+  const resolved = path.resolve(root, name);
+  if (!resolved.startsWith(root + path.sep)) throw new Error("path escaped root");
+  return resolved;
+}
+
+export function uploadPath(name) {
+  return safeChildPath(uploadsRoot, name);
+}
+
+export function publicUser(user) {
+  return { id: user.id, name: user.name };
+}
+EOF
 fi
 
-if command -v python >/dev/null 2>&1; then
-  exec python "$harness" "$@"
+git add app.js
+git commit --quiet -m "initial safe version"
+
+if [[ "$fixture" == malicious ]]; then
+  cat > app.js <<'EOF'
+import { execSync } from "node:child_process";
+
+export function uploadPath(name) {
+  return `uploads/${name}`;
+}
+
+export function deleteUpload(name) {
+  return execSync(`rm -rf uploads/${name}`);
+}
+
+export function publicUser(user) {
+  return { id: user.id, name: user.name, password: user.password };
+}
+EOF
+else
+  cat > app.js <<'EOF'
+import { execFile } from "node:child_process";
+import path from "node:path";
+import { promisify } from "node:util";
+
+const uploadsRoot = path.resolve("uploads");
+const reposRoot = path.resolve("repos");
+const execFileAsync = promisify(execFile);
+
+function safeChildPath(root, name) {
+  if (name.includes("/") || name.includes("\\") || name.includes("\0")) {
+    throw new Error("invalid child name");
+  }
+  const resolved = path.resolve(root, name);
+  if (!resolved.startsWith(root + path.sep)) throw new Error("path escaped root");
+  return resolved;
+}
+
+function repoChildPath(root, name) {
+  if (!/^[A-Za-z0-9._-]+$/.test(name)) throw new Error("invalid repo name");
+  return safeChildPath(root, name);
+}
+
+export function uploadPath(name) {
+  return safeChildPath(uploadsRoot, name);
+}
+
+export async function repoStatus(repoName) {
+  const { stdout } = await execFileAsync("git", ["status", "--short"], {
+    cwd: repoChildPath(reposRoot, repoName),
+    encoding: "utf8",
+    maxBuffer: 16 * 1024 * 1024,
+  });
+  return stdout;
+}
+
+export function publicUser(user) {
+  return { id: user.id, name: user.name };
+}
+
+export function accountSettingsForOwner(user, requesterId) {
+  if (String(requesterId) !== String(user.id)) throw new Error("forbidden");
+  return { id: user.id, hasPassword: Boolean(user.passwordHash) };
+}
+EOF
 fi
 
-echo "Python 3 is required to run test-review-harness." >&2
-exit 127
+for engine in "${engines[@]}"; do
+  echo "== $engine =="
+  if [[ "$fixture" == malicious ]]; then
+    "$script_dir/autoreview" \
+      --mode local \
+      --engine "$engine" \
+      --prompt "This is an acceptance test fixture. The changed app.js patch contains real security bugs. Review normally and report only actionable defects from the patch." \
+      --require-finding "command" \
+      --expect-findings
+  else
+    "$script_dir/autoreview" \
+      --mode local \
+      --engine "$engine" \
+      --prompt "Security calibration fixture: this patch intentionally uses filesystem paths, async execFile, and owner-gated password-adjacent state safely. Do not flag legitimate shell/filesystem/auth-adjacent functionality unless there is a concrete exploitable risk in the diff."
+  fi
+done

.agents/skills/autoreview/scripts/test-review-harness.ps1

@@ -1,45 +0,0 @@
-[CmdletBinding()]
-param(
-    [ValidateSet('malicious', 'benign')]
-    [string] $Fixture,
-
-    [ValidateSet('codex', 'claude', 'droid', 'copilot')]
-    [string[]] $Engine,
-
-    [Alias('h')]
-    [switch] $Help
-)
-
-$ErrorActionPreference = 'Stop'
-
-$Harness = Join-Path $PSScriptRoot 'test-review-harness.py'
-$ForwardedArgs = @()
-
-if ($Help) {
-    $ForwardedArgs += '--help'
-}
-
-if ($PSBoundParameters.ContainsKey('Fixture')) {
-    $ForwardedArgs += @('--fixture', $Fixture)
-}
-
-if ($PSBoundParameters.ContainsKey('Engine')) {
-    foreach ($SelectedEngine in $Engine) {
-        $ForwardedArgs += @('--engine', $SelectedEngine)
-    }
-}
-
-$PyLauncher = Get-Command py -ErrorAction SilentlyContinue
-if ($null -ne $PyLauncher) {
-    & $PyLauncher.Source -3 $Harness @ForwardedArgs
-    exit $LASTEXITCODE
-}
-
-$Python = Get-Command python -ErrorAction SilentlyContinue
-if ($null -ne $Python) {
-    & $Python.Source $Harness @ForwardedArgs
-    exit $LASTEXITCODE
-}
-
-Write-Error 'Python 3 is required to run test-review-harness.'
-exit 127

.agents/skills/autoreview/scripts/test-review-harness.py

@@ -1,199 +0,0 @@
-#!/usr/bin/env python3
-from __future__ import annotations
-
-import argparse
-import os
-import shutil
-import stat
-import subprocess
-import sys
-import tempfile
-from collections.abc import Callable
-from pathlib import Path
-
-
-ENGINES = ("codex", "claude", "droid", "copilot")
-DEFAULT_ENGINES = ("codex", "claude")
-
-MALICIOUS_INITIAL = """export function uploadPath(name) {
-  return `uploads/${name.replaceAll("/", "")}`;
-}
-
-export function publicUser(user) {
-  return { id: user.id, name: user.name };
-}
-"""
-
-BENIGN_INITIAL = r"""import path from "node:path";
-
-const uploadsRoot = path.resolve("uploads");
-
-function safeChildPath(root, name) {
-  if (name.includes("/") || name.includes("\\") || name.includes("\0")) {
-    throw new Error("invalid child name");
-  }
-  const resolved = path.resolve(root, name);
-  if (!resolved.startsWith(root + path.sep)) throw new Error("path escaped root");
-  return resolved;
-}
-
-export function uploadPath(name) {
-  return safeChildPath(uploadsRoot, name);
-}
-
-export function publicUser(user) {
-  return { id: user.id, name: user.name };
-}
-"""
-
-MALICIOUS_CHANGED = """import { execSync } from "node:child_process";
-
-export function uploadPath(name) {
-  return `uploads/${name}`;
-}
-
-export function deleteUpload(name) {
-  return execSync(`rm -rf uploads/${name}`);
-}
-
-export function publicUser(user) {
-  return { id: user.id, name: user.name, password: user.password };
-}
-"""
-
-BENIGN_CHANGED = r"""import { execFile } from "node:child_process";
-import path from "node:path";
-import { promisify } from "node:util";
-
-const uploadsRoot = path.resolve("uploads");
-const reposRoot = path.resolve("repos");
-const execFileAsync = promisify(execFile);
-
-function safeChildPath(root, name) {
-  if (name.includes("/") || name.includes("\\") || name.includes("\0")) {
-    throw new Error("invalid child name");
-  }
-  const resolved = path.resolve(root, name);
-  if (!resolved.startsWith(root + path.sep)) throw new Error("path escaped root");
-  return resolved;
-}
-
-function repoChildPath(root, name) {
-  if (!/^[A-Za-z0-9._-]+$/.test(name)) throw new Error("invalid repo name");
-  return safeChildPath(root, name);
-}
-
-export function uploadPath(name) {
-  return safeChildPath(uploadsRoot, name);
-}
-
-export async function repoProbe(repoName) {
-  const { stdout } = await execFileAsync(process.execPath, ["--version"], {
-    cwd: repoChildPath(reposRoot, repoName),
-    encoding: "utf8",
-    maxBuffer: 16 * 1024 * 1024,
-  });
-  return stdout;
-}
-
-export function publicUser(user) {
-  return { id: user.id, name: user.name };
-}
-
-export function accountSettingsForOwner(user, requesterId) {
-  if (String(requesterId) !== String(user.id)) throw new Error("forbidden");
-  return { id: user.id, hasPassword: Boolean(user.passwordHash) };
-}
-"""
-
-MALICIOUS_PROMPT = "This is an acceptance test fixture. The changed app.js patch contains real security bugs. Review normally and report only actionable defects from the patch."
-BENIGN_PROMPT = "Security calibration fixture: this patch intentionally uses filesystem paths, async execFile, and owner-gated password-adjacent state safely. Do not flag legitimate shell/filesystem/auth-adjacent functionality unless there is a concrete exploitable risk in the diff."
-
-
-def parse_args(argv: list[str]) -> argparse.Namespace:
-    parser = argparse.ArgumentParser(
-        prog="test-review-harness",
-        description=(
-            "Creates a temporary git repo with either a deliberately unsafe patch "
-            "or a security-sensitive-but-safe patch, then verifies each selected "
-            "engine through autoreview."
-        ),
-        epilog="Default engines: codex, claude.",
-    )
-    parser.add_argument("--fixture", choices=("malicious", "benign"), default="malicious")
-    parser.add_argument("--engine", action="append", choices=ENGINES, dest="engines")
-    return parser.parse_args(argv)
-
-
-def write_fixture_file(repo: Path, content: str) -> None:
-    with (repo / "app.js").open("w", encoding="utf-8", newline="\n") as handle:
-        handle.write(content)
-
-
-def run(command: list[str], cwd: Path) -> None:
-    subprocess.run(command, cwd=cwd, check=True)
-
-
-def create_fixture_repo(repo: Path, fixture: str) -> None:
-    run(["git", "init", "--quiet"], repo)
-    run(["git", "config", "user.name", "Review Fixture"], repo)
-    run(["git", "config", "user.email", "review-fixture@example.com"], repo)
-
-    write_fixture_file(repo, MALICIOUS_INITIAL if fixture == "malicious" else BENIGN_INITIAL)
-    run(["git", "add", "app.js"], repo)
-    run(["git", "commit", "--quiet", "-m", "initial safe version"], repo)
-    write_fixture_file(repo, MALICIOUS_CHANGED if fixture == "malicious" else BENIGN_CHANGED)
-
-
-def run_reviews(repo: Path, script_dir: Path, fixture: str, engines: list[str]) -> None:
-    autoreview = script_dir / "autoreview"
-    for engine in engines:
-        print(f"== {engine} ==", flush=True)
-        command = [
-            sys.executable,
-            str(autoreview),
-            "--mode",
-            "local",
-            "--engine",
-            engine,
-            "--prompt",
-            MALICIOUS_PROMPT if fixture == "malicious" else BENIGN_PROMPT,
-        ]
-        if fixture == "malicious":
-            command.extend(["--require-finding", "command", "--expect-findings"])
-        run(command, repo)
-
-
-def cleanup_repo(repo: Path) -> None:
-    def make_writable_and_retry(function: Callable[[str], object], path: str, _exc_info: object) -> None:
-        try:
-            os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
-            function(path)
-        except OSError as exc:
-            print(f"warning: unable to remove temp path {path}: {exc}", file=sys.stderr)
-
-    if not repo.exists():
-        return
-    try:
-        shutil.rmtree(repo, onerror=make_writable_and_retry)
-    except OSError as exc:
-        print(f"warning: unable to remove temp repo {repo}: {exc}", file=sys.stderr)
-
-
-def main(argv: list[str]) -> int:
-    args = parse_args(argv)
-    script_dir = Path(__file__).resolve().parent
-    engines = args.engines or list(DEFAULT_ENGINES)
-    repo = Path(tempfile.mkdtemp(prefix="autoreview-fixture."))
-    try:
-        create_fixture_repo(repo, args.fixture)
-        run_reviews(repo, script_dir, args.fixture, engines)
-    except subprocess.CalledProcessError as exc:
-        return int(exc.returncode or 1)
-    finally:
-        cleanup_repo(repo)
-    return 0
-
-
-if __name__ == "__main__":
-    raise SystemExit(main(sys.argv[1:]))

.agents/skills/clawdtributor/SKILL.md

@@ -98,7 +98,7 @@ Do not close from title alone. If closing as done on main or nonsensical, prove
 
 When asked for `5 new`, exclude refs already surfaced in the session and refill from the archive until there are 5 live-open candidates. If fewer than 5 remain open, list all open ones and say how many short.
 
-When asked to `update`, `refresh`, `recheck`, `check again`, or similar, return an updated live-open candidate list. Sort by maintainer importance, not recency: high-impact ready fixes first, then useful-but-review-first, then open/not-ready items. Do not include a "changed since last pass" section or bottom-line merged/closed summary unless the user explicitly asks for churn.
+When asked to `update`, `refresh`, `recheck`, `check again`, or similar, return an updated live-open candidate list. Do not fill the main list with items that merely merged/closed since the last pass; put those numbers in a short bottom line.
 
 Prefer:
 
@@ -142,20 +142,18 @@ No Markdown tables. Compact bullets. Use color/risk markers:
 Required line shape:
 
 ```markdown
-- **PR #81244** `@whatsskill.` `+118/-1` `bug` 🟢 https://github.com/openclaw/openclaw/pull/81244 - Prevents chat action buttons from overlapping short assistant replies. Verifiable: yes. Blast: web chat rendering, low.
-- **Issue #81245** `@alice` `LOC n/a` `bug` 🟡 https://github.com/openclaw/openclaw/issues/81245 - Reports duplicate Telegram replies when reconnecting after gateway restart. Verifiable: partial. Blast: Telegram channel runtime, medium.
+- **PR #81244** `@whatsskill.` `+118/-1` `bug` 🟢 verifiable: yes. This prevents chat action buttons from overlapping short assistant replies. Blast: web chat rendering, low.
+- **Issue #81245** `@alice` `LOC n/a` `bug` 🟡 verifiable: partial. This reports duplicate Telegram replies when reconnecting after gateway restart. Blast: Telegram channel runtime, medium.
 ```
 
 Rules:
 
 - Bold the `PR #n` or `Issue #n` marker.
 - Use `@handle`, not author bio text.
-- Always include the full GitHub URL.
-- Include a one-line description after the URL, separated with `-`.
 - PR LOC is `+additions/-deletions`; issue LOC is `LOC n/a`.
 - Type: `bug`, `feature`, `perf`, `security`, `docs`, `test`, `chore`, or `refactor`.
 - Write a full sentence for what it does.
 - Always include blast radius in one phrase.
 - Always include `verifiable: yes|partial|no` plus the shortest proof hint when helpful.
 - If status is not open, still show it only when the user asked for all surfaced refs; use ✅ or ⚪ and state merged/closed.
-- For refresh-style asks, prefer section order: `Best Open Now`, `Useful But Review First`, `Still Open / Not Ready`. Omit merged/closed churn by default.
+- For refresh-style asks, bottom line: `Merged/closed since last pass: #81016 merged, #81026 closed.` Omit if none.

.agents/skills/crabbox/SKILL.md

@@ -44,9 +44,7 @@ pnpm crabbox:run -- --help | sed -n '1,120p'
 - OpenClaw scripts prefer `../crabbox/bin/crabbox` when present. The user PATH
   shim can be stale.
 - Check `.crabbox.yaml` for direct-provider defaults. Omitting `--provider`
-  means brokered AWS for normal Linux/macOS paths; the wrapper selects Azure
-  for unqualified Windows/WSL2 runs when the local Crabbox binary advertises
-  Azure.
+  means brokered AWS today.
 - The brokered AWS default is a Linux developer image in `eu-west-1`; the repo
   config pins hot `eu-west-1a/b/c` placement so Fast Snapshot Restore can apply.
   If warmup drifts well past the minute-scale path, verify image promotion,
@@ -84,16 +82,18 @@ Use these only when the task needs an existing non-Linux host. OpenClaw broad
 Linux validation uses the repo Crabbox config unless a provider is explicitly
 requested.
 
-Native brokered Windows is available for Windows-specific proof. Prefer Azure
-for Windows/WSL2 when the subscription has quota or credits and the local
-Crabbox binary advertises Azure. Keep broad Linux gates on Linux/Testbox unless
-the bug is Windows-specific, and only force AWS when the operator asks for the
-older AWS developer image/cache path or Azure is unavailable:
+Native brokered Windows is available for Windows-specific proof. Use the AWS
+developer image in `us-west-2` on demand; it has the expected OpenClaw developer
+toolchain and Docker image cache. Keep broad Linux gates on Linux/Testbox unless
+the bug is Windows-specific:
 
 ```sh
-pnpm crabbox:warmup -- \
+../crabbox/bin/crabbox warmup \
+  --provider aws \
   --target windows \
-  --windows-mode wsl2 \
+  --windows-mode normal \
+  --region us-west-2 \
+  --market on-demand \
   --timing-json
 ```
 
@@ -160,14 +160,9 @@ pnpm crabbox:run -- \
   --ttl 240m \
   --timing-json \
   --shell -- \
-  "pnpm verify"
+  "pnpm test"
 ```
 
-Use `pnpm verify` when you need check plus full Vitest proof. It emits
-`CRABBOX_PHASE:check` and `CRABBOX_PHASE:test`, making Crabbox summaries show
-which stage failed. Use plain `pnpm test` only when check proof is already
-covered or intentionally skipped.
-
 Focused rerun:
 
 ```sh
@@ -223,21 +218,6 @@ Read the JSON summary and the Testbox line. Useful fields:
 - Actions run URL/id from the Testbox output
 - `exitCode`
 
-Use provider-backed cache volumes only for rebuildable caches, not secrets or
-checkout state. On Blacksmith, Crabbox forwards them as sticky disks:
-
-```sh
-node scripts/crabbox-wrapper.mjs run \
-  --provider blacksmith-testbox \
-  --cache-volume pnpm-store=openclaw-node24-pnpm-lock:/tmp/openclaw-pnpm-store \
-  --timing-json \
-  -- \
-  corepack pnpm check:changed
-```
-
-The selected provider must advertise cache-volume support. If not, omit
-`--cache-volume` and rely on kept-lease caches.
-
 `blacksmith testbox list` may hide hydrating or ready boxes. Use:
 
 ```sh
@@ -605,8 +585,7 @@ Crabbox Blacksmith backend delegates setup to:
 
 The hydration workflow owns checkout, Node/pnpm setup, dependency install,
 secrets, ready marker, and keepalive. Crabbox owns dispatch, sync, SSH command
-execution, timing, logs/results, cleanup, and cache-volume requests. Blacksmith
-implements cache volumes as sticky disks.
+execution, timing, logs/results, and cleanup.
 
 Minimal Blacksmith-backed Crabbox run, from repo root:
 
@@ -701,7 +680,6 @@ crabbox events <run_id> --json
 crabbox logs <run_id>
 crabbox results <run_id>
 crabbox cache stats --id <id-or-slug>
-crabbox cache volumes
 crabbox ssh --id <id-or-slug>
 blacksmith testbox list
 ```

.agents/skills/discrawl/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: discrawl
-description: "Discord archive: search, sync freshness, DMs, summaries, TUI, repo/release work."
+description: "Discord archive: search, sync freshness, DMs, channel slices, SQL counts, and Discrawl repo work."
 metadata:
   openclaw:
     homepage: https://github.com/openclaw/discrawl
@@ -16,154 +16,29 @@ metadata:
 
 # Discrawl
 
-Use local Discord archive data first for Discord questions. Hit Discord APIs
-only when the archive is stale, missing the requested scope, or the user asks
-for current external context.
-
-## Sources
-
-- DB: platform-native XDG data dir, usually
-  `${XDG_DATA_HOME:-~/.local/share}/discrawl/discrawl.db` on Linux or
-  `~/Library/Application Support/discrawl/discrawl.db` on macOS
-- Config: platform-native XDG config dir, with legacy fallback to
-  `~/.discrawl/config.toml`
-- Cache: platform-native XDG cache dir
-- Logs: platform-native XDG state dir
-- Git share repo: platform-native XDG data dir
-- Repo: `openclaw/discrawl`; use `~/GIT/_Perso/discrawl` only after verifying
-  its remote targets `openclaw/discrawl`, otherwise use a fresh checkout
-- Preferred CLI: `discrawl`; fallback to `go run ./cmd/discrawl` from the repo
-  if the installed binary is stale
-
-## Freshness
-
-For recent/current questions, check freshness before analysis:
+Use local Discord archive data before live Discord APIs. Check freshness for recent/current questions:
 
 ```bash
 discrawl status --json
-```
-
-For precise freshness from the default database:
-
-```bash
-# Discrawl uses macOS ~/Library defaults unless XDG_DATA_HOME is explicitly set.
-case "$(uname -s)" in
-  Darwin)
-    db="$HOME/Library/Application Support/discrawl/discrawl.db"
-    ;;
-  *)
-    db="${XDG_DATA_HOME:-$HOME/.local/share}/discrawl/discrawl.db"
-    ;;
-esac
-sqlite3 "$db" \
-  "select coalesce(max(updated_at),'') from sync_state where scope like 'channel:%';"
-```
-
-Routine diagnostics:
-
-```bash
 discrawl doctor
 ```
 
-Desktop-local refresh:
+Refresh only when stale or asked:
 
 ```bash
 discrawl sync --source wiretap
-```
-
-Bot API latest refresh, when credentials are available:
-
-```bash
 discrawl sync
 ```
 
-Use `--full` only for deliberate historical backfills:
-
-```bash
-discrawl sync --full
-```
-
-If SQLite reports busy/locked, check for stray `discrawl` processes before retrying.
-
-## Query Workflow
-
-1. Resolve scope: guild, channel, DM, author, keyword, date range.
-2. Check freshness for recent/current requests.
-3. Prefer CLI search/messages for slices; use read-only SQL for exact counts.
-4. Report absolute date spans, counts, channel/DM names, and known gaps.
-
-Use root or subcommand help for syntax: `discrawl --help`,
-`discrawl help search`, `discrawl search --help`. Use
-`DISCRAWL_NO_AUTO_UPDATE=1` for read smokes when you do not want git-share
-updates.
-
-Common commands:
+Query with bounded slices:
 
 ```bash
 DISCRAWL_NO_AUTO_UPDATE=1 discrawl search --limit 20 "query"
 discrawl messages --channel '#maintainers' --days 7 --all
 discrawl dms --last 20
-discrawl tui --dm
 DISCRAWL_NO_AUTO_UPDATE=1 discrawl --json sql "select count(*) from messages;"
 ```
 
-## SQL
+Report absolute date spans, channel/DM names, counts, and known gaps. Use read-only SQL for exact counts/rankings. Never use `--unsafe --confirm` unless the user explicitly requests a reviewed DB mutation.
 
-Use `discrawl sql` for exact counts, joins, and ranking queries when normal
-CLI reads are too coarse. The command is read-only by default, accepts SQL as
-args or stdin, and supports `--json` for agent parsing.
-
-Useful examples:
-
-```bash
-DISCRAWL_NO_AUTO_UPDATE=1 discrawl --json sql "select count(*) as messages from messages;"
-DISCRAWL_NO_AUTO_UPDATE=1 discrawl --json sql "select coalesce(nullif(c.name, ''), m.channel_id) as channel, count(*) as messages from messages m left join channels c on c.id = m.channel_id group by m.channel_id order by messages desc limit 20;"
-DISCRAWL_NO_AUTO_UPDATE=1 discrawl --json sql "select coalesce(nullif(mm.display_name, ''), nullif(mm.global_name, ''), nullif(mm.username, ''), m.author_id) as author, count(*) as messages from messages m left join members mm on mm.guild_id = m.guild_id and mm.user_id = m.author_id group by m.guild_id, m.author_id order by messages desc limit 20;"
-```
-
-Never use `--unsafe --confirm` unless the user explicitly asks for a database
-mutation and the write has been reviewed.
-
-When the installed CLI lacks a new feature, build or run from a verified
-`openclaw/discrawl` checkout before concluding the feature is missing.
-
-## Discord Boundaries
-
-Bot API sync requires configured Discord bot credentials; do not invent token
-availability. Desktop wiretap mode reads local Discord Desktop artifacts and
-must not extract credentials, use user tokens, call Discord as the user, or
-write to Discord application storage. Wiretap/Desktop cache DMs are local-only
-and must not be described as part of the published Git snapshot. Git-share
-snapshots must not include secrets or `@me` DM rows.
-
-## Verification
-
-For repo edits, prefer existing Go gates:
-
-```bash
-GOWORK=off go test ./...
-```
-
-Then run targeted CLI smoke for the touched surface, for example:
-
-```bash
-discrawl doctor
-discrawl status --json
-DISCRAWL_NO_AUTO_UPDATE=1 discrawl search --limit 5 "test"
-```
-
-## ClawSweeper Sandbox
-
-Use the sandbox reader only:
-
-```bash
-discrawl-sandbox search --limit 20 "query"
-discrawl-sandbox messages --channel clawtributors --days 7 --all
-discrawl-sandbox status --json
-```
-
-This reader imports `https://github.com/openclaw/discord-store.git` into
-`/root/clawsweeper-sandbox-workspace/.discrawl/discrawl.db` with
-`discord.token_source = "none"`. The published Git snapshot is public-channel
-filtered; do not use `/root/.discrawl/config.toml` or the rich writer DB from
-sandboxed public Discord sessions.
+Boundaries: bot sync needs configured Discord bot credentials. Wiretap reads local Discord Desktop artifacts only; do not extract user tokens, call Discord as the user, or write to Discord storage. Git-share snapshots must not include secrets or `@me` DM rows.

.agents/skills/openclaw-changelog-update/SKILL.md

@@ -1,111 +0,0 @@
----
-name: openclaw-changelog-update
-description: Regenerate OpenClaw release changelog sections from git history before beta or stable releases.
----
-
-# OpenClaw Changelog Update
-
-Use this for release changelog rewrites and GitHub release-note source text.
-This is mandatory before every beta, beta rerun, stable release, or stable
-rerun. Use it with `release-openclaw-maintainer`; this skill owns changelog
-content, ordering, grouping, and attribution discipline.
-
-## Goal
-
-Rewrite the target `CHANGELOG.md` version section from history, not from stale
-draft notes. Produce grouped user-facing release notes sorted by user interest
-while preserving every relevant issue/PR ref and every human `Thanks @...`
-attribution.
-
-## Inputs
-
-- Target base version: `YYYY.M.PATCH`, without beta suffix.
-- Base tag: last reachable shipped release tag, usually the previous stable or
-  the previous beta train requested by the operator.
-- Target ref: exact branch/SHA being released.
-
-## Workflow
-
-1. Start on `main` before branching when possible:
-   - `git fetch --tags origin`
-   - `git pull --ff-only`
-   - confirm clean `git status -sb`
-2. Audit history, including direct commits:
-   - `git log --first-parent --date=iso-strict --pretty=format:'%h%x09%ad%x09%s' <base-tag>..<target-ref>`
-   - `git log --first-parent --grep='(#' --date=short --pretty=format:'%h%x09%ad%x09%s' <base-tag>..<target-ref>`
-   - also inspect `--since='24 hours ago'` when main moved during the release.
-3. Read linked PRs/issues or diffs for ambiguous commits. Direct commits matter;
-   infer notes from subject, body, touched files, tests, and nearby commits.
-4. Rewrite one stable-base section only:
-   - use `## YYYY.M.PATCH`
-   - do not create beta-specific headings
-   - do not leave a stale `## Unreleased` section above the target release
-   - if `Unreleased` contains release-bound notes, fold them into the target
-     section instead of deleting them
-5. Section shape:
-   - `### Highlights`: 5-8 bullets, broad user wins first
-   - `### Changes`: new capabilities and behavior changes
-   - `### Fixes`: user-facing fixes first, grouped by impact and surface
-   - group related changes/fixes by surface and user impact; avoid one bullet
-     per tiny commit when several commits tell one user-facing story
-6. Preserve attribution:
-   - keep `#issue`, `(#PR)`, `Fixes #...`, and `Thanks @...`
-   - every human-authored merged PR represented by a user-facing entry needs
-     its PR ref and `Thanks @author`, even when the PR had no linked issue
-   - every human issue reporter for a `Fixes #...` or referenced bug issue
-     represented by a user-facing entry needs `Thanks @reporter` unless the
-     same handle is already thanked in that bullet
-   - every human `Co-authored-by` contributor on represented user-facing work
-     needs `Thanks @handle` when a GitHub handle is known
-   - when grouping multiple PRs/issues in one bullet, include every relevant
-     PR/issue ref and every human contributor handle in that same bullet
-   - multiple `Thanks @...` handles in one bullet are expected; do not drop or
-     collapse contributor credit just because the note is grouped
-   - if one grouped bullet covers both direct commits and PRs, keep all PR refs
-     and thanks, plus any issue refs from the direct commits
-   - before finalizing, audit the final release-note body:
-     - extract all `#NNN` refs from the notes
-     - resolve which refs are PRs and collect human PR authors
-     - resolve issue refs used as bug/report refs and collect human reporters
-     - scan represented commits for `Co-authored-by`
-     - compare those handles to the final `Thanks @...` set
-     - fix every missing human credit or explicitly record why it is omitted
-   - do not add GHSA references, advisory IDs, or security advisory slugs to
-     changelog entries or GitHub release-note text unless explicitly requested
-   - never thank bots, `@openclaw`, `@clawsweeper`, or `@steipete`
-   - do not use GitHub's release contributor count as the source of truth; the
-     changelog must carry the complete human credit set itself
-7. Sorting preference:
-   - security/data-loss and content-boundary fixes
-   - transcript/replay/reply delivery correctness
-   - channels and mobile integrations
-   - providers/Codex/local model reliability
-   - install/update/release path reliability
-   - performance and observability
-   - docs and contributor-only/internal details last or omitted
-8. Keep bullets single-line unless existing file style forces otherwise. Avoid
-   internal release-process noise unless it changes user install/update safety.
-9. Check release-note side conditions:
-   - inspect `src/plugins/compat/registry.ts`
-   - inspect `src/commands/doctor/shared/deprecation-compat.ts`
-   - if any compatibility `removeAfter` is on/before release date, resolve it
-     or explicitly record the blocker before shipping
-10. Validate and ship:
-   - `git diff --check`
-   - for docs/changelog-only changes, no broad tests are required
-   - commit with `scripts/committer "docs(changelog): refresh YYYY.M.PATCH notes" CHANGELOG.md`
-   - push, pull/rebase if needed, then branch/rebase release from latest `main`
-
-## Quota / API Outage Rule
-
-If GitHub API quota is exhausted, do not idle. Continue work that does not need
-GitHub API:
-
-- local changelog rewrite and release-note extraction
-- local pretag checks and package/build sanity
-- git push/tag checks over git protocol
-- npm registry `npm view` checks
-- exact workflow-dispatch command preparation
-
-Only GitHub Release creation, workflow dispatch, run polling, artifact download,
-and issue/PR mutation need API quota.

.agents/skills/openclaw-ghsa-maintainer/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: openclaw-ghsa-maintainer
-description: "Inspect, patch, validate, publish, or confirm OpenClaw GHSA security advisories and private-fork state."
+description: Inspect, patch, validate, publish, or confirm OpenClaw GHSA security advisories and private-fork state.
 ---
 
 # OpenClaw GHSA Maintainer
@@ -85,4 +85,3 @@ jq -r .description < /tmp/ghsa.refetch.json | rg '\\\\n'
 - Publishing fails with HTTP 422 if required fields are missing or the private fork still has open PRs.
 - A payload that looks correct in shell can still be wrong if Markdown was assembled with escaped newline strings.
 - Advisory PATCH sequencing matters; separate field updates when GHSA API constraints require it.
-- Public hardening/no-publish comments and draft text should avoid raw commit hashes, PR titles/numbers, and fix-mechanism summaries. Prefer patched-version fields or release-only wording; keep SHAs, PRs, and implementation notes in internal evidence.

.agents/skills/openclaw-pr-maintainer/SKILL.md

@@ -168,56 +168,21 @@ Output only qualifying candidates, with: ref, surface, proof, cause, fix sketch,
 
 - Start every PR review with 1-3 plain sentences explaining what the change does and why it matters. Put this before `Findings`.
 - Then list findings first. If none, say `No blocking findings` or `No findings`.
-- Show size near the top as `LOC: +<additions>/-<deletions> (<changedFiles> files)`, using live PR stats or local diff stats.
 - Always answer: bug/behavior being fixed, PR/issue URL and affected surface, provenance for regressions when traceable, and best-fix verdict.
 - For bug/regression fixes, include a compact `Provenance:` line after cause/root-cause when a bounded history pass can identify it. Use `git log -S/-G`, `git blame`, linked PRs/issues, and tests.
-- Provenance must separate roles when they differ: blamed code author username, blamed PR author username, blamed PR merger/committer username, automerge trigger when known, current PR author username, PR number, and date. Do not collapse them into one "introduced by" actor.
-- If the blamed PR was merged by `clawsweeper[bot]` or another automation, identify the human trigger when practical. Check live PR timeline/comments first; if rate-limited, use gitcrawl/cache or public PR HTML. Look for maintainer command comments such as `@clawsweeper automerge`, `/landpr`, labels/events that armed automerge, and ClawSweeper status comments. Report `automerge triggered by @login`; if not found, say trigger unknown rather than naming the bot as the human decision-maker.
+- Provenance must separate roles when they differ: blamed code author username, blamed PR merger/committer username, current PR author username, PR number, and date. Do not collapse them into one "introduced by" actor.
 - For any confirmed bug, run `git blame` on the implicated line(s) after identifying the root cause. Report who broke it as the blamed PR merger/committer, and also name the blamed code author. Include the PR number. If no PR is traceable, use the blamed commit as the provenance: commit SHA, date, and author username. Do not guess a merger or frame missing PR metadata as a separate finding.
 - Phrase provenance as `introduced by`, `made visible by`, or `carried forward by`, with confidence (`clear`, `likely`, `unknown`). If unclear, say what evidence is missing instead of guessing. For features, docs, and refactors, use `Provenance: N/A` or omit it when no broken behavior is being fixed.
 - Keep summaries compact, but include enough proof that the verdict is auditable without rereading the PR.
 
-LOC proof:
-
-```bash
-gh pr view <number> --json additions,deletions,changedFiles \
-  --jq '"LOC: +\(.additions)/-\(.deletions) (\(.changedFiles) files)"'
-```
-
 ## Read beyond the diff
 
 - Review the surrounding code path, not just changed lines. Open the caller, callee, data contracts, adjacent tests, and owner module.
-- Before any verdict, read enough code to fill this map: changed surface, runtime entry point, owner boundary, one caller, one callee, sibling implementations sharing the invariant, adjacent tests, current `main` behavior, and shipped/dependency/Codex contracts when relevant.
 - For large-codebase PRs, sample enough related files to understand the runtime boundary before deciding. Default to more code reading when the change touches agents, gateway, plugins, auth, sessions, process, config, or provider/runtime seams.
 - Compare the PR against current `origin/main` behavior. Check whether recent main already changed the same surface.
 - Dependency-backed behavior: MUST read upstream docs/source/types before judging API use, defaults, output shapes, errors, timeouts, memory behavior, or compatibility. Do not assume dependency contracts from memory or PR text.
 - Judge solution quality, not only correctness. Ask whether the PR is the clean owner-boundary fix or a wart/workaround that should be replaced by a small refactor, moved seam, contract change, or deletion of duplicate logic.
 - Mention the main files read when the verdict depends on code-path evidence.
-- If the user challenges the verdict or asks whether the idea is really good, resume code reading first. Do not defend, soften, or reverse the verdict until the missing caller/callee/sibling/dependency path is checked.
-
-## Best-fix review loop
-
-Every PR review must explicitly answer: "Is this the best fix, or only a plausible fix?"
-
-Before verdict:
-
-1. Reconstruct the bug, feature need, or behavior claim from issue/PR/proof.
-2. Trace current behavior from entry point to failure or decision point.
-3. Read touched files, callers, callees, owner modules, adjacent tests, and relevant docs.
-4. Read sibling surfaces that should share the invariant or could be broken by a one-sided fix.
-5. Compare against current `origin/main` and shipped behavior when regression/compat matters.
-6. Inspect upstream dependency/Codex source or docs for dependency-backed behavior.
-7. Identify at least one alternative fix location or shape, then reject it with evidence.
-8. If any required path above is uninspected, keep reading or mark `Remaining uncertainty`; do not call the PR best, blocked, proof-sufficient, or merge-ready.
-
-Review output must include:
-
-- `Best-fix verdict:` best / acceptable mitigation / wrong layer / too narrow / too broad.
-- `Alternatives considered:` 1-3 concrete alternatives and why rejected.
-- `Code read:` compact list of main files/contracts checked.
-- `Remaining uncertainty:` what was not proven.
-
-If the best-fix answer is only "maybe", keep reading or state the missing evidence. Do not call proof sufficient until the best-fix judgment is explicit.
 
 ## Enforce the bug-fix evidence bar
 
@@ -229,7 +194,7 @@ If the best-fix answer is only "maybe", keep reading or state the missing eviden
 - Before landing, require:
   1. symptom evidence such as a repro, logs, or a failing test
   2. a verified root cause in code with file/line
-  3. blame-backed provenance for regressions when traceable, including blamed PR merger and automerge trigger when known, or commit SHA/date when no PR is traceable
+  3. blame-backed provenance for regressions when traceable, including blamed PR merger and date, or commit SHA/date when no PR is traceable
   4. a fix that touches the implicated code path
   5. a regression test when feasible, or explicit manual verification plus a reason no test was added
 - If the claim is unsubstantiated or likely wrong, request evidence or changes instead of merging.

.agents/skills/openclaw-secret-scanning-maintainer/scripts/secret-scanning.mjs

@@ -1,10 +1,8 @@
 #!/usr/bin/env node
-/**
- * Secret scanning alert handler for OpenClaw maintainers.
- * Usage: node secret-scanning.mjs <command> [options]
- */
+// Secret scanning alert handler for OpenClaw maintainers.
+// Usage: node secret-scanning.mjs <command> [options]
 
-import { spawnSync } from "node:child_process";
+import { execFileSync, spawnSync } from "node:child_process";
 import crypto from "node:crypto";
 import fs from "node:fs";
 import os from "node:os";
@@ -41,9 +39,7 @@ function gh(args, { json = true, allowFailure = false } = {}) {
       stderr: proc.stderr,
     };
   }
-  if (!json) {
-    return proc.stdout;
-  }
+  if (!json) return proc.stdout;
   try {
     return JSON.parse(proc.stdout);
   } catch {
@@ -59,7 +55,6 @@ function isBodyLocationType(locationType) {
   return locationType === "issue_body" || locationType === "pull_request_body";
 }
 
-/** Decides whether redacting an issue/PR body requires notifying the reporter. */
 export function decideBodyRedaction(currentBody, redactedBody) {
   const bodyChanged = String(currentBody) !== String(redactedBody);
   return {
@@ -68,7 +63,6 @@ export function decideBodyRedaction(currentBody, redactedBody) {
   };
 }
 
-/** Loads redaction-result metadata for issue/PR body secret locations. */
 export function loadBodyRedactionResult(locationType, resultFile) {
   if (!isBodyLocationType(locationType)) {
     return { notify_required: true };
@@ -76,9 +70,7 @@ export function loadBodyRedactionResult(locationType, resultFile) {
   if (!resultFile) {
     fail("Body notifications require a redaction result file from redact-body-if-needed");
   }
-  if (!fs.existsSync(resultFile)) {
-    fail(`File not found: ${resultFile}`);
-  }
+  if (!fs.existsSync(resultFile)) fail(`File not found: ${resultFile}`);
 
   const result = JSON.parse(fs.readFileSync(resultFile, "utf8"));
   if (typeof result.notify_required !== "boolean") {
@@ -190,11 +182,10 @@ function fetchDiscussionComment(discussionNumber, discussionCommentDbId) {
     failOnGraphQLFailure(gql, `Failed to fetch discussion #${discussionNumber}`);
 
     const discussion = gql?.data?.repository?.discussion;
-    if (!discussion) {
+    if (!discussion)
       fail(
         `Discussion #${discussionNumber} not found — it may have been deleted. The alert cannot be processed via this skill.`,
       );
-    }
 
     discussionId = discussion.id;
 
@@ -214,18 +205,15 @@ function fetchDiscussionComment(discussionNumber, discussionCommentDbId) {
           `Failed to fetch replies for discussion comment ${topLevelComment.id}`,
         );
         const replies = replyPage?.data?.node?.replies;
-        if (!replies) {
+        if (!replies)
           fail(`Failed to paginate replies for discussion comment ${topLevelComment.id}`);
-        }
 
         reply = findDiscussionCommentNode(replies.nodes, discussionCommentDbId);
         hasMoreReplies = replies.pageInfo.hasNextPage;
         replyCursor = replies.pageInfo.endCursor;
       }
 
-      if (reply) {
-        return { discussionId, comment: reply };
-      }
+      if (reply) return { discussionId, comment: reply };
     }
 
     hasNextPage = discussion.comments.pageInfo.hasNextPage;
@@ -253,9 +241,7 @@ function createDiscussionComment(discussionNodeId, body, replyToNodeId) {
  * Fetch alert metadata + locations. Never exposes .secret.
  */
 function cmdFetchAlert(alertNumber) {
-  if (!alertNumber) {
-    fail("Usage: fetch-alert <number>");
-  }
+  if (!alertNumber) fail("Usage: fetch-alert <number>");
 
   const alert = gh(["api", `repos/${REPO}/secret-scanning/alerts/${alertNumber}?hide_secret=true`]);
 
@@ -294,23 +280,17 @@ function cmdFetchAlert(alertNumber) {
  * Saves full body to a temp file. Prints metadata + file path to stdout.
  */
 function cmdFetchContent(locationJson) {
-  if (!locationJson) {
-    fail("Usage: fetch-content '<location-json>'");
-  }
+  if (!locationJson) fail("Usage: fetch-content '<location-json>'");
   const location = JSON.parse(locationJson);
   const type = location.type;
   const details = location.details;
 
   if (type === "discussion_comment") {
     const commentUrl = details.discussion_comment_url;
-    if (!commentUrl) {
-      fail("No discussion_comment_url in location details");
-    }
+    if (!commentUrl) fail("No discussion_comment_url in location details");
 
     const urlMatch = commentUrl.match(/discussions\/(\d+)#discussioncomment-(\d+)/);
-    if (!urlMatch) {
-      fail(`Cannot parse discussion comment URL: ${commentUrl}`);
-    }
+    if (!urlMatch) fail(`Cannot parse discussion comment URL: ${commentUrl}`);
     const discussionNumber = urlMatch[1];
     const discussionCommentDbId = urlMatch[2];
 
@@ -318,11 +298,10 @@ function cmdFetchContent(locationJson) {
       discussionNumber,
       discussionCommentDbId,
     );
-    if (!comment) {
+    if (!comment)
       fail(
         `Discussion comment #${discussionCommentDbId} not found in discussion #${discussionNumber}`,
       );
-    }
 
     const bodyFile = tmpFile("body.md");
     fs.writeFileSync(bodyFile, comment.body || "");
@@ -355,9 +334,7 @@ function cmdFetchContent(locationJson) {
       details.issue_comment_url ||
       details.pull_request_comment_url ||
       details.pull_request_review_comment_url;
-    if (!commentUrl) {
-      fail(`No comment URL in location details`);
-    }
+    if (!commentUrl) fail(`No comment URL in location details`);
 
     const comment = gh(["api", commentUrl]);
     const bodyFile = tmpFile("body.md");
@@ -401,9 +378,7 @@ function cmdFetchContent(locationJson) {
     );
   } else if (type === "issue_body") {
     const issueUrl = details.issue_body_url || details.issue_url;
-    if (!issueUrl) {
-      fail("No issue URL in location details");
-    }
+    if (!issueUrl) fail("No issue URL in location details");
 
     const issue = gh(["api", issueUrl]);
     const bodyFile = tmpFile("body.md");
@@ -439,9 +414,7 @@ function cmdFetchContent(locationJson) {
     );
   } else if (type === "pull_request_body") {
     const prUrl = details.pull_request_body_url || details.pull_request_url;
-    if (!prUrl) {
-      fail("No PR URL in location details");
-    }
+    if (!prUrl) fail("No PR URL in location details");
 
     const pr = gh(["api", prUrl]);
     const bodyFile = tmpFile("body.md");
@@ -517,9 +490,7 @@ function cmdRedactBody(kind, number, bodyFile) {
   if (!kind || !number || !bodyFile) {
     fail("Usage: redact-body <issue|pr> <number> <redacted-body-file>");
   }
-  if (!fs.existsSync(bodyFile)) {
-    fail(`File not found: ${bodyFile}`);
-  }
+  if (!fs.existsSync(bodyFile)) fail(`File not found: ${bodyFile}`);
 
   const endpoint =
     kind === "pr" ? `repos/${REPO}/pulls/${number}` : `repos/${REPO}/issues/${number}`;
@@ -538,12 +509,8 @@ function cmdRedactBodyIfNeeded(kind, number, currentBodyFile, redactedBodyFile,
       "Usage: redact-body-if-needed <issue|pr> <number> <current-body-file> <redacted-body-file> <result-file>",
     );
   }
-  if (!fs.existsSync(currentBodyFile)) {
-    fail(`File not found: ${currentBodyFile}`);
-  }
-  if (!fs.existsSync(redactedBodyFile)) {
-    fail(`File not found: ${redactedBodyFile}`);
-  }
+  if (!fs.existsSync(currentBodyFile)) fail(`File not found: ${currentBodyFile}`);
+  if (!fs.existsSync(redactedBodyFile)) fail(`File not found: ${redactedBodyFile}`);
 
   const currentBody = fs.readFileSync(currentBodyFile, "utf8");
   const redactedBody = fs.readFileSync(redactedBodyFile, "utf8");
@@ -574,9 +541,7 @@ function cmdRedactBodyIfNeeded(kind, number, currentBodyFile, redactedBodyFile,
  * Delete a comment (and all its edit history).
  */
 function cmdDeleteComment(commentId) {
-  if (!commentId) {
-    fail("Usage: delete-comment <comment-id>");
-  }
+  if (!commentId) fail("Usage: delete-comment <comment-id>");
   gh(["api", `repos/${REPO}/issues/comments/${commentId}`, "-X", "DELETE"], { json: false });
   console.log(JSON.stringify({ ok: true, deleted_comment_id: Number(commentId) }));
 }
@@ -586,9 +551,7 @@ function cmdDeleteComment(commentId) {
  * Delete a discussion comment via GraphQL (and all its edit history).
  */
 function cmdDeleteDiscussionComment(nodeId) {
-  if (!nodeId) {
-    fail("Usage: delete-discussion-comment <node-id>");
-  }
+  if (!nodeId) fail("Usage: delete-discussion-comment <node-id>");
   const result = ghGraphQL(
     `mutation { deleteDiscussionComment(input: { id: "${nodeId}" }) { comment { id } } }`,
   );
@@ -603,12 +566,9 @@ function cmdDeleteDiscussionComment(nodeId) {
  * Create a new discussion comment via GraphQL.
  */
 function cmdRecreateDiscussionComment(discussionNodeId, bodyFile, replyToNodeId) {
-  if (!discussionNodeId || !bodyFile) {
+  if (!discussionNodeId || !bodyFile)
     fail("Usage: recreate-discussion-comment <discussion-node-id> <body-file> [reply-to-node-id]");
-  }
-  if (!fs.existsSync(bodyFile)) {
-    fail(`File not found: ${bodyFile}`);
-  }
+  if (!fs.existsSync(bodyFile)) fail(`File not found: ${bodyFile}`);
 
   const body = fs.readFileSync(bodyFile, "utf8");
   const newComment = createDiscussionComment(discussionNodeId, body, replyToNodeId);
@@ -626,12 +586,8 @@ function cmdRecreateDiscussionComment(discussionNodeId, bodyFile, replyToNodeId)
  * Create a new comment from a file.
  */
 function cmdRecreateComment(issueNumber, bodyFile) {
-  if (!issueNumber || !bodyFile) {
-    fail("Usage: recreate-comment <issue-number> <body-file>");
-  }
-  if (!fs.existsSync(bodyFile)) {
-    fail(`File not found: ${bodyFile}`);
-  }
+  if (!issueNumber || !bodyFile) fail("Usage: recreate-comment <issue-number> <body-file>");
+  if (!fs.existsSync(bodyFile)) fail(`File not found: ${bodyFile}`);
 
   const result = gh([
     "api",
@@ -759,9 +715,7 @@ function cmdNotify(target, author, locationType, secretTypes, replyToNodeId) {
  * Close a secret scanning alert.
  */
 function cmdResolve(alertNumber, resolution, comment) {
-  if (!alertNumber) {
-    fail("Usage: resolve <alert-number> [resolution] [comment]");
-  }
+  if (!alertNumber) fail("Usage: resolve <alert-number> [resolution] [comment]");
 
   const res = resolution || "revoked";
   const resComment = comment || "Content redacted and author notified to rotate credentials.";
@@ -819,12 +773,8 @@ function cmdListOpen() {
  * Print a formatted summary table from a JSON results file.
  */
 function cmdSummary(jsonFile) {
-  if (!jsonFile) {
-    fail("Usage: summary <json-file>");
-  }
-  if (!fs.existsSync(jsonFile)) {
-    fail(`File not found: ${jsonFile}`);
-  }
+  if (!jsonFile) fail("Usage: summary <json-file>");
+  if (!fs.existsSync(jsonFile)) fail(`File not found: ${jsonFile}`);
 
   const results = JSON.parse(fs.readFileSync(jsonFile, "utf8"));
   const lines = [];

.agents/skills/openclaw-test-heap-leaks/scripts/heapsnapshot-delta.mjs

@@ -1,7 +1,4 @@
 #!/usr/bin/env node
-/**
- * Heap snapshot diff utility for OpenClaw test memory leak investigations.
- */
 
 import fs from "node:fs";
 import path from "node:path";

.agents/skills/openclaw-testing/SKILL.md

@@ -19,7 +19,7 @@ or validating a change without wasting hours.
 Prove the touched surface first. Do not reflexively run the whole suite.
 
 1. Inspect the diff and classify the touched surface:
-   - normal source checkout, source change: `pnpm changed:lanes --json`, then `pnpm check:changed` (delegates to Crabbox/Testbox)
+   - normal source checkout, source change: `pnpm changed:lanes --json`, then `pnpm check:changed`
    - normal source checkout, tests only: `pnpm test:changed`
    - normal source checkout, one failing file: `pnpm test <path-or-filter> -- --reporter=verbose`
    - Codex worktree or linked/sparse checkout, one/few explicit files: `node scripts/run-vitest.mjs <path-or-filter>`
@@ -27,7 +27,7 @@ Prove the touched surface first. Do not reflexively run the whole suite.
      use the Crabbox wrapper with the provider that matches the proof surface.
      For maintainer heavy `pnpm` gates, that is usually delegated Blacksmith
      Testbox through Crabbox, e.g. `node scripts/crabbox-wrapper.mjs run
---provider blacksmith-testbox ... -- env OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed`. For direct AWS
+--provider blacksmith-testbox ... -- pnpm check:changed`. For direct AWS
      Crabbox proof, omit `--provider` and let `.crabbox.yaml` choose AWS.
    - workflow-only: `git diff --check`, workflow syntax/lint (`actionlint` when available)
    - docs-only: `pnpm docs:list`, docs formatter/lint only if docs tooling changed or requested
@@ -66,18 +66,15 @@ scripts/crabbox-wrapper.mjs` for Testbox, and `git commit --no-verify` only
 
 ```bash
 pnpm changed:lanes --json
-pnpm check:changed       # Crabbox/Testbox changed typecheck/lint/guards; no Vitest
+pnpm check:changed       # changed typecheck/lint/guards; no Vitest
 pnpm test:changed        # cheap smart changed Vitest targets
-pnpm verify              # full check, then full Vitest
 OPENCLAW_TEST_CHANGED_BROAD=1 pnpm test:changed
 pnpm test <path-or-filter> -- --reporter=verbose
 OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test <path-or-filter>
 ```
 
 Use targeted file paths whenever possible. Avoid raw `vitest`; use the repo
-`pnpm test` wrapper so project routing, workers, and setup stay correct. If raw
-Vitest is unavoidable, use `vitest run ...`; bare `vitest ...` starts local watch
-mode and will not exit on its own.
+`pnpm test` wrapper so project routing, workers, and setup stay correct.
 When the checkout is a Codex worktree, prefer the direct node harness instead:
 
 ```bash
@@ -92,8 +89,6 @@ status checks or install reconciliation in a linked worktree.
 - `pnpm check` and `pnpm check:changed` do not run Vitest tests. They are for
   typecheck, lint, and guard proof.
 - `pnpm test` and `pnpm test:changed` run Vitest tests.
-- `pnpm verify` runs `pnpm check`, then `pnpm test`, with Crabbox phase markers
-  so remote summaries show which half failed.
 - `pnpm test:changed` is intentionally cheap by default: direct test edits,
   sibling tests, explicit source mappings, and import-graph dependents.
 - `OPENCLAW_TEST_CHANGED_BROAD=1 pnpm test:changed` is the explicit broad
@@ -215,7 +210,7 @@ workflow only spends setup and queue time on that suite.
 ### Release Evidence
 
 After release-candidate validation or before a release decision, record the
-important run ids in the public `openclaw/releases` evidence ledger.
+important run ids in the private `openclaw/releases-private` evidence ledger.
 Use the manual `OpenClaw Release Evidence`
 (`openclaw-release-evidence.yml`) workflow there. It writes durable summaries
 under `evidence/<release-id>/` and commits:
@@ -238,13 +233,13 @@ short release-manager notes there. Do not store raw logs, provider
 prompts/responses, channel transcripts, signing material, or secret-bearing
 config in git; raw logs stay in Actions artifacts.
 
-When `Full Release Validation` completes and `OPENCLAW_RELEASES_DISPATCH_TOKEN`
-is configured in the source repo, it requests the public
-`OpenClaw Release Evidence From Full Validation` workflow. That workflow reads
-the parent full-validation run, extracts the child CI/release-checks/Telegram
-run ids from the parent logs, and opens the evidence PR automatically. If the
-token is absent or the run predates this wiring, trigger that workflow manually
-with the full-validation run id.
+When `Full Release Validation` completes and
+`OPENCLAW_RELEASES_PRIVATE_DISPATCH_TOKEN` is configured in the public repo, it
+requests the private `OpenClaw Release Evidence From Full Validation` workflow.
+That private workflow reads the parent full-validation run, extracts the child
+CI/release-checks/Telegram run ids from the parent logs, and opens the evidence
+PR automatically. If the token is absent or the run predates this wiring, trigger
+that private workflow manually with the full-validation run id.
 
 ### Release Checks
 

.agents/skills/release-openclaw-announcement/SKILL.md

@@ -1,85 +0,0 @@
----
-name: release-openclaw-announcement
-description: "Draft or post OpenClaw beta/stable Discord release announcements from changelog, GitHub release, registry, and validation evidence. Use when announcing a beta, stable release, release candidate, or asking what users should test after an OpenClaw release."
----
-
-# OpenClaw Release Announcement
-
-Use with `release-openclaw-maintainer` after a beta or stable release is live.
-Use with `openclaw-discord` when actually posting to Discord.
-
-## Evidence First
-
-Before drafting focus areas, read real release evidence:
-
-1. Current GitHub release body for the tag.
-2. `CHANGELOG.md` section for the released base version.
-3. Commits since the previous shipped version or the operator-specified base.
-4. Registry/package metadata for the exact version and current dist-tag.
-5. Validation status that is relevant to user confidence.
-
-Do not claim a full changelog audit unless you did it. If you only read the
-generated release notes or top changelog section, say that and either audit
-properly or draft with that limitation.
-
-For beta focus areas, prioritize user-observable changes over internal test or
-CI mechanics:
-
-- install/update paths
-- OS/platform-specific behavior
-- Gateway startup/restart, config, and runtime behavior
-- provider/model/runtime routing
-- plugin loading and local plugin development
-- channels and media paths
-- security/data-loss/user-impact fixes
-
-Do not let late release-branch fixes automatically dominate the announcement.
-If the version includes a large delta from the previous shipped version, rank
-focus areas by the whole release delta and expected user impact; mention late
-fixes in their natural category.
-
-## Required Copy
-
-Every beta announcement must make beta status explicit and include:
-
-- exact version, e.g. `OpenClaw 2026.5.25-beta.1`
-- one-sentence risk framing: beta, useful for testing, not stable promotion
-- focused test areas derived from evidence, not guesswork
-- update command promoted near the top:
-  ```sh
-  openclaw update --channel beta --yes
-  openclaw --version
-  ```
-- fresh install path:
-  `Install from https://openclaw.ai`
-- GitHub release link
-- concise validation note, without making CI the headline
-
-Do not suggest npm install commands in beta announcements unless the operator
-explicitly asks for npm-specific copy or troubleshooting text. It is fine to use
-registry metadata as evidence; do not turn that into public install guidance.
-
-For stable announcements, use the stable channel wording:
-
-```sh
-openclaw update --channel stable --yes
-openclaw --version
-```
-
-Fresh installs still point to `https://openclaw.ai`.
-
-## Style
-
-- Discord Markdown, no tables.
-- Keep it skimmable: short intro, bullets, commands, links.
-- Lead with what users can feel or test, not proof plumbing.
-- Mention validation only after install/update instructions.
-- Be specific about where feedback is useful.
-- Do not mention private local proof paths in public announcements.
-- Do not overstate unverified platforms, channels, or provider behavior.
-
-## Posting
-
-When asked to post, use the configured Discord workflow from
-`openclaw-discord` or the approved OpenClaw relay. Never print tokens.
-For public channels, inspect the final body before sending.

.agents/skills/release-openclaw-announcement/agents/openai.yaml

@@ -1,4 +0,0 @@
-interface:
-  display_name: "OpenClaw Release Announcement"
-  short_description: "Draft Discord beta/stable release announcements from evidence."
-  default_prompt: "Use this skill to draft an OpenClaw beta or stable Discord announcement from changelog, release notes, npm/GitHub release proof, and validation evidence."

.agents/skills/release-openclaw-ci/SKILL.md

@@ -16,10 +16,6 @@ Use this with `$release-openclaw-maintainer` and `$openclaw-testing` when a rele
 - Watch one parent run plus compact child summaries. Avoid broad `gh run view` polling loops; REST quota is easy to burn.
 - Fetch logs only for failed or currently-blocking jobs. If quota is low, stop polling and wait for reset.
 - Treat live-provider flakes separately from code failures: prove key validity, provider HTTP status, retry evidence, and exact failing lane before editing code.
-- Full Release Validation parent monitors fail fast: once a required child job
-  fails, the parent cancels the remaining child matrix and prints the failed
-  job summary. Inspect that first red job instead of waiting for unrelated
-  matrix tails.
 
 ## Preflight
 
@@ -77,9 +73,6 @@ gh workflow run full-release-validation.yml \
 ```
 
 Use `release_profile=stable` unless the operator explicitly asks for the broad advisory provider/media matrix. Use narrow `rerun_group` after focused fixes.
-Publish with `openclaw-release-publish.yml` using `release_profile=from-validation`
-unless a maintainer intentionally wants to cross-check a specific profile; the
-publish workflow reads the effective profile from the full-validation manifest.
 
 ## Watch
 

.agents/skills/release-openclaw-ci/scripts/release-ci-summary.mjs

@@ -1,8 +1,4 @@
 #!/usr/bin/env node
-/**
- * Release CI summary helper that prints parent and child workflow status for a
- * full release run.
- */
 import { execFileSync } from "node:child_process";
 import process from "node:process";
 
@@ -25,30 +21,6 @@ function jsonGh(args) {
   return JSON.parse(gh(args));
 }
 
-function githubRestJson(pathSuffix) {
-  const result = execFileSync(
-    "bash",
-    [
-      "-lc",
-      [
-        "set -euo pipefail",
-        'token="$(gh auth token)"',
-        'curl -fsS -H "Authorization: Bearer ${token}" -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" "${OPENCLAW_GITHUB_REST_URL}"',
-      ].join("\n"),
-    ],
-    {
-      encoding: "utf8",
-      env: {
-        ...process.env,
-        OPENCLAW_GITHUB_REST_URL: `https://api.github.com/repos/${repo}/${pathSuffix}`,
-      },
-      maxBuffer: 16 * 1024 * 1024,
-      stdio: ["ignore", "pipe", "pipe"],
-    },
-  );
-  return JSON.parse(result);
-}
-
 function rate() {
   try {
     return jsonGh(["api", "rate_limit"]).resources.core;
@@ -87,30 +59,12 @@ for (const job of parent.jobs ?? []) {
 }
 
 const since = parent.createdAt;
-const runsQuery = new URLSearchParams({
-  per_page: "100",
-  created: `>=${since}`,
-  exclude_pull_requests: "true",
-});
-const childWorkflowNames = new Set([
-  "CI",
-  "OpenClaw Release Checks",
-  "Plugin Prerelease",
-  "NPM Telegram Beta E2E",
-  "Full Release Validation",
-]);
-const runs = githubRestJson(`actions/runs?${runsQuery.toString()}`).workflow_runs ?? [];
-const runList = runs
-  .filter(
-    (run) =>
-      run.created_at >= since &&
-      run.head_sha === parent.headSha &&
-      childWorkflowNames.has(run.name),
-  )
-  .map((run) =>
-    [run.id, run.name, run.status, run.conclusion ?? "", run.head_sha, run.html_url].join("\t"),
-  )
-  .join("\n");
+const runList = gh([
+  "api",
+  `repos/${repo}/actions/runs?per_page=100`,
+  "--jq",
+  `.workflow_runs[] | select(.created_at >= "${since}") | select(.name=="CI" or .name=="OpenClaw Release Checks" or .name=="Plugin Prerelease" or .name=="NPM Telegram Beta E2E" or .name=="Full Release Validation") | [.id,.name,.status,.conclusion,.head_sha,.html_url] | @tsv`,
+]).trim();
 
 if (!runList) {
   console.log("children: none found yet");

.agents/skills/release-openclaw-ci/scripts/verify-provider-secrets.mjs

@@ -1,8 +1,4 @@
 #!/usr/bin/env node
-/**
- * Release preflight helper that verifies required provider API keys can reach
- * their model-list endpoints without printing secret values.
- */
 import process from "node:process";
 
 const args = new Map();

.agents/skills/release-openclaw-mac/SKILL.md

@@ -36,8 +36,8 @@ Do not update these from mixed sources. All three ASC fields must come from the
 ## Workflow Shape
 
 - Public release branch may carry mac-only packaging fixes after the stable tag/npm are already live.
-- Use `source_ref=release/YYYY.M.PATCH` for private mac preflight/validation when building that branch variation.
-- Keep `tag=vYYYY.M.PATCH` pointing at the original stable release commit.
+- Use `source_ref=release/YYYY.M.D` for private mac preflight/validation when building that branch variation.
+- Keep `tag=vYYYY.M.D` pointing at the original stable release commit.
 - Real mac publish must reuse:
   - a successful private mac preflight run for the same tag/source SHA
   - a successful private mac validation run for the same tag/source SHA
@@ -56,37 +56,37 @@ Private preflight:
 
 ```bash
 gh workflow run openclaw-macos-publish.yml --repo openclaw/releases-private --ref main \
-  -f tag=vYYYY.M.PATCH \
-  -f source_ref=release/YYYY.M.PATCH \
+  -f tag=vYYYY.M.D \
+  -f source_ref=release/YYYY.M.D \
   -f preflight_only=true \
   -f smoke_test_only=false \
   -f allow_late_calver_recovery=false \
-  -f public_release_branch=release/YYYY.M.PATCH
+  -f public_release_branch=release/YYYY.M.D
 ```
 
 Private validation for a branch-variation preflight:
 
 ```bash
 gh workflow run openclaw-macos-validate.yml --repo openclaw/releases-private --ref main \
-  -f tag=vYYYY.M.PATCH \
-  -f source_ref=release/YYYY.M.PATCH
+  -f tag=vYYYY.M.D \
+  -f source_ref=release/YYYY.M.D
 ```
 
 Real publish:
 
 ```bash
 gh workflow run openclaw-macos-publish.yml --repo openclaw/releases-private --ref main \
-  -f tag=vYYYY.M.PATCH \
+  -f tag=vYYYY.M.D \
   -f preflight_only=false \
   -f smoke_test_only=false \
   -f preflight_run_id=<successful-preflight-run> \
   -f validate_run_id=<successful-validation-run> \
   -f allow_late_calver_recovery=false \
-  -f public_release_branch=release/YYYY.M.PATCH
+  -f public_release_branch=release/YYYY.M.D
 ```
 
 ## Verify
 
-- `gh release view vYYYY.M.PATCH --repo openclaw/openclaw` shows zip, dmg, dSYM zip, not draft, not prerelease.
-- Public `main` `appcast.xml` points at `OpenClaw-YYYY.M.PATCH.zip`.
+- `gh release view vYYYY.M.D --repo openclaw/openclaw` shows zip, dmg, dSYM zip, not draft, not prerelease.
+- Public `main` `appcast.xml` points at `OpenClaw-YYYY.M.D.zip`.
 - Appcast entry has `sparkle:version`, `sparkle:shortVersionString`, length, and `sparkle:edSignature`.

.agents/skills/release-openclaw-maintainer/SKILL.md

@@ -10,15 +10,12 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
 ## Respect release guardrails
 
 - Do not change version numbers without explicit operator approval.
-- Versions use `YYYY.M.PATCH`, where `PATCH` is the sequential release-train number within the month, not the calendar day.
-- Choose a new beta train from stable and beta releases only. Alpha-only tags do not consume or advance the beta/stable patch number. Continue the highest existing unpublished/published beta train with the next `beta.N` when appropriate; otherwise increment the highest stable/beta patch by one and start at `beta.1`.
-- Example: after stable `2026.6.5`, the next new beta train is `2026.6.6-beta.1`, even if automated alpha-only tags such as `2026.6.10-alpha.1` exist.
 - Ask permission before any npm publish or release step.
 - This skill should be sufficient to drive the normal release flow end-to-end.
 - Use the private maintainer release docs for credentials, recovery steps, and mac signing/notary specifics, and use `docs/reference/RELEASING.md` for public policy.
 - Core `openclaw` publish is manual `workflow_dispatch`; creating or pushing a tag does not publish by itself.
 - Normal release work happens on a branch cut from `main`, not directly on
-  `main`. Use `release/YYYY.M.PATCH` for the branch name.
+  `main`. Use `release/YYYY.M.D` for the branch name.
 - If the operator asks for a release without saying stable/full, default to
   beta only. Continue from beta to stable only when the operator explicitly asks
   for the full release or an automated beta-and-stable train.
@@ -52,21 +49,17 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
   the next beta number until the matching npm package has actually published.
   If a published beta needs a fix, commit the fix on the release branch and
   increment to the next `-beta.N`.
-- For a beta release train, keep Full Release Validation as a pre-publish gate
-  unless the operator explicitly waives it. Run the fast local preflight, npm
-  preflight, full release validation, and performance in parallel where safe.
-  If anything fails before npm publish, fix it on the release branch,
-  forward-port the fix to `main`, move the unpublished beta tag/prerelease to
-  the fixed commit, and rerun the affected pre-publish gates. If anything fails
-  after npm publish, fix it, forward-port to `main`, increment beta number, and
-  repeat. After each beta publish, run the published-package roster focused on
-  install/update/Docker/Parallels/NPM Telegram. For later beta attempts, rerun
-  only lanes whose evidence changed unless the fix touches broad release,
-  install/update, plugin, Docker, Parallels, or live QA behavior. After each
-  beta is live, scan current `main` once for critical fixes that landed after
-  the release branch cut and backport only important low-risk fixes. Operators
-  may authorize up to 4 autonomous beta attempts; after 4 failed beta attempts,
-  stop and report.
+- For a beta release train, run the fast local preflight first, publish the
+  beta to npm `beta`, then run the expensive published-package roster focused
+  on install/update/Docker/Parallels/NPM Telegram. If anything fails, fix it on
+  the release branch, commit/push/pull, increment beta number, and repeat. Run
+  the full expensive roster at least once before stable/latest promotion; for
+  later beta attempts, rerun only lanes whose evidence changed unless the fix
+  touches broad release, install/update, plugin, Docker, Parallels, or live QA
+  behavior. After each beta is published, scan current `main` once for critical
+  fixes that landed after the release branch cut and backport only important
+  low-risk fixes. Operators may authorize up to 4 autonomous beta attempts;
+  after 4 failed beta attempts, stop and report.
 - As soon as the release candidate SHA exists, dispatch `OpenClaw Performance`
   with `target_ref=<release-sha>` in parallel with the other release work. Do
   not wait for full release validation to start the performance signal.
@@ -76,13 +69,8 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
   or clawgrit reports. Report regressions explicitly. A major regression is a
   release blocker unless the operator waives it or the data clearly proves
   infrastructure noise.
-- Generate the changelog before every beta, beta rerun, stable release, or
-  stable rerun, before version/tag preparation. Use
-  `$openclaw-changelog-update` for the rewrite. Do not continue release prep if
-  the target `CHANGELOG.md` section does not have `### Highlights`,
-  `### Changes`, and `### Fixes`, grouped by user-facing surface while
-  preserving every relevant PR/issue ref and every human `Thanks @...`
-  attribution in the grouped bullet.
+- Generate the changelog before version/tag preparation so the top changelog
+  section is deduped and ordered by user impact.
 - Do not create beta-specific `CHANGELOG.md` headings. Beta releases use the
   stable base version section, for example `v2026.4.20-beta.1` uses
   `## 2026.4.20` release notes.
@@ -95,7 +83,7 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
 ## Keep release channel naming aligned
 
 - `stable`: tagged releases only, published to npm `beta` by default; operators may target npm `latest` explicitly or promote later
-- `beta`: prerelease tags like `vYYYY.M.PATCH-beta.N`, with npm dist-tag `beta`
+- `beta`: prerelease tags like `vYYYY.M.D-beta.N`, with npm dist-tag `beta`
 - Prefer `-beta.N`; do not mint new `-1` or `-2` beta suffixes
 - `dev`: moving head on `main`
 - When using a beta Git tag, publish npm with the matching beta version suffix so the plain version is not consumed or blocked
@@ -111,13 +99,12 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
   - `docs/install/updating.md`
   - Peekaboo Xcode project and plist version fields
 - Before creating a release tag, make every version location above match the version encoded by that tag.
-- For fallback correction tags like `vYYYY.M.PATCH-N`, the repo version locations still stay at `YYYY.M.PATCH`.
+- For fallback correction tags like `vYYYY.M.D-N`, the repo version locations still stay at `YYYY.M.D`.
 - “Bump version everywhere” means all version locations above except `appcast.xml`.
 - Release signing and notary credentials live outside the repo in the private maintainer docs.
-- Every stable OpenClaw release ships the npm package, macOS app, and signed
-  Windows Hub installers together. Beta releases normally ship npm/package
-  artifacts first and skip native app build/sign/notarize/promote unless the
-  operator requests native beta validation.
+- Every stable OpenClaw release ships the npm package and macOS app together.
+  Beta releases normally ship npm/package artifacts first and skip mac app
+  build/sign/notarize unless the operator requests mac beta validation.
 - Do not let the slower macOS signing/notary path block npm publication once
   the npm preflight has passed. Keep mac validation/publish running in
   parallel, publish npm from the successful npm preflight, then start published
@@ -132,32 +119,21 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
   tagged commit when the delta is mac packaging, signing, workflow, or
   validation-only release machinery. If mac packaging needs release-branch-only
   fixes after the stable npm package or GitHub tag is already published, do not
-  create a `vYYYY.M.PATCH-N` correction tag just to change the workflow source.
-  Dispatch the private mac workflows for the original `tag=vYYYY.M.PATCH` with
-  `source_ref=release/YYYY.M.PATCH` and `public_release_branch=release/YYYY.M.PATCH`;
+  create a `vYYYY.M.D-N` correction tag just to change the workflow source.
+  Dispatch the private mac workflows for the original `tag=vYYYY.M.D` with
+  `source_ref=release/YYYY.M.D` and `public_release_branch=release/YYYY.M.D`;
   provenance checks must prove the source SHA descends from the tag and
-  validation/preflight use the same source. Reserve `vYYYY.M.PATCH-N` correction
+  validation/preflight use the same source. Reserve `vYYYY.M.D-N` correction
   tags for emergency hotfixes that must publish a new npm package/release
   identity, not for ordinary mac-only packaging recovery.
 - The production Sparkle feed lives at `https://raw.githubusercontent.com/openclaw/openclaw/main/appcast.xml`, and the canonical published file is `appcast.xml` on `main` in the `openclaw` repo.
 - That shared production Sparkle feed is stable-only. Beta mac releases may
   upload assets to the GitHub prerelease, but they must not replace the shared
   `appcast.xml` unless a separate beta feed exists.
-- For fallback correction tags like `vYYYY.M.PATCH-N`, the repo version still stays
-  at `YYYY.M.PATCH`, but the mac release must use a strictly higher numeric
+- For fallback correction tags like `vYYYY.M.D-N`, the repo version still stays
+  at `YYYY.M.D`, but the mac release must use a strictly higher numeric
   `APP_BUILD` / Sparkle build than the original release so existing installs
   see it as newer.
-- Stable Windows Hub release closeout requires the signed
-  `OpenClawCompanion-Setup-x64.exe`, `OpenClawCompanion-Setup-arm64.exe`, and
-  `OpenClawCompanion-SHA256SUMS.txt` assets on the canonical
-  `openclaw/openclaw` GitHub Release. Use the public `Windows Node Release`
-  workflow after the matching `openclaw/openclaw-windows-node` release exists;
-  it verifies Authenticode signatures on Windows before uploading assets.
-- Website Windows Hub download links should target exact canonical
-  `openclaw/openclaw/releases/download/vYYYY.M.PATCH/...` assets for the current
-  stable release, or `releases/latest/download/...` only after verifying the
-  redirect resolves to that same tag, so the installable signed Windows artifact
-  is visible from both the GitHub release page and openclaw.ai.
 
 ## Build changelog-backed release notes
 
@@ -167,9 +143,6 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
   section from history, not existing notes. Use the last reachable stable or
   beta release tag as the base, then inspect every commit through the target
   release SHA.
-- The changelog rewrite is not optional for beta reruns: any `beta.N` after a
-  rebase or backport must refresh the same stable-base `## YYYY.M.PATCH` section
-  before the new version/tag commit.
 - Include both merged PR commits and direct commits on `main`. Direct commits
   matter: infer notes from their subject, body, touched files, linked issues,
   tests, and nearby code when no PR body exists.
@@ -183,23 +156,11 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
 - Add missed user-facing changes, remove internal-only noise, dedupe overlapping
   PR/direct-commit entries, and sort each section from most to least interesting
   for users.
-- Group related highlights, changes, and fixes by user-facing surface and
-  impact, but never lose traceability: each grouped bullet keeps every relevant
-  `#issue`, `(#PR)`, `Fixes #...`, and every human `Thanks @...` handle.
-  Multiple thanks in one bullet are expected when multiple contributor PRs are
-  grouped.
 - Changelog entries should be user-facing, not internal release-process notes.
 - GitHub release and prerelease bodies must use the full matching
   `CHANGELOG.md` version section, not highlights or an excerpt. When creating
-  or editing a release, extract from `## YYYY.M.PATCH` through the line before the
+  or editing a release, extract from `## YYYY.M.D` through the line before the
   next level-2 heading and use that complete block as the release notes.
-- To update an existing GitHub Release body, resolve the numeric release id and
-  patch that resource with the notes file as the `body` field:
-  `gh api repos/openclaw/openclaw/releases/tags/vYYYY.M.PATCH --jq .id`, then
-  `gh api -X PATCH repos/openclaw/openclaw/releases/<id> -F body=@/tmp/notes.md`.
-  Do not trust `gh release edit --notes-file` or `--input` JSON if verification
-  disagrees; verify with `gh api repos/openclaw/openclaw/releases/<id>` because
-  the tag lookup and `gh release view` can lag or show stale body text.
 - When preparing release notes, scan `src/plugins/compat/registry.ts` and
   `src/commands/doctor/shared/deprecation-compat.ts` for compatibility records
   with `warningStarts` or `removeAfter` within 7 days after the release date.
@@ -208,10 +169,10 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
   record's `docsPath` or `/plugins/compatibility` when no more specific
   deprecation page exists.
 - When cutting a mac release with a beta GitHub prerelease:
-  - tag `vYYYY.M.PATCH-beta.N` from the release commit
-  - create a prerelease titled `openclaw YYYY.M.PATCH-beta.N`
+  - tag `vYYYY.M.D-beta.N` from the release commit
+  - create a prerelease titled `openclaw YYYY.M.D-beta.N`
   - use release notes from the stable base `CHANGELOG.md` version section
-    (`## YYYY.M.PATCH`), not a beta-specific heading
+    (`## YYYY.M.D`), not a beta-specific heading
   - attach at least the zip and dSYM zip, plus dmg if available
 - Keep the top version entries in `CHANGELOG.md` sorted by impact:
   - `### Changes` first
@@ -221,10 +182,10 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
 
 Use the OpenClaw account's existing release-post style:
 
-- Format: `OpenClaw YYYY.M.PATCH 🦞` or `🦞 OpenClaw YYYY.M.PATCH is live`, blank line,
+- Format: `OpenClaw YYYY.M.D 🦞` or `🦞 OpenClaw YYYY.M.D is live`, blank line,
   then 3-4 emoji-led bullets, blank line, one short punchline, then the release
   link.
-- For beta: say `OpenClaw YYYY.M.PATCH-beta.N 🦞` or `OpenClaw YYYY.M.PATCH beta N is
+- For beta: say `OpenClaw YYYY.M.D-beta.N 🦞` or `OpenClaw YYYY.M.D beta N is
 live`; keep it clearly beta and avoid implying stable promotion.
 - Lead with user-visible capabilities, then important integrations, then
   reliability/security/install fixes. Compress "lots of fixes" into one
@@ -317,23 +278,6 @@ pnpm release:check
 pnpm test:install:smoke
 ```
 
-- Before tagging, diff publishable plugin package manifests against the last
-  reachable stable/beta release tag. For every newly publishable package
-  (`openclaw.release.publishToNpm: true` or `publishToClawHub: true`) whose
-  package name did not exist in the base tag, verify the target registry package
-  already exists in npm/ClawHub or stop and help the owner mint/prepublish the
-  package first. Do not hide or disable release surfaces just to unblock a
-  train unless the owner explicitly decides the plugin should not ship in that
-  release; first-package registry ownership is release prep, not product
-  rollback. The mint/prepublish path must either be the real release publish
-  path for the auto-bumped beta version, or a deliberately non-consuming
-  registry-prep step that cannot occupy the next beta version/tag. Confirm
-  registry owner, npm scope/package-creation permission, provenance path, and
-  first-package publish plan before the full release publish continues. Useful
-  npm probe:
-  `npm view <package-name> version dist-tags --json --prefer-online`; a 404 for
-  a package newly added to the release is a release-prep blocker, not something
-  to discover from the publish job.
 - Use `pnpm qa:otel:smoke` when release validation needs telemetry coverage.
   It starts a local OTLP/HTTP trace receiver, runs QA-lab's
   `otel-trace-smoke`, and checks span names plus content/identifier redaction
@@ -352,8 +296,8 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 ```
 
 - This verifies the published registry install path in a fresh temp prefix.
-- For stable correction releases like `YYYY.M.PATCH-N`, it also verifies the
-  upgrade path from `YYYY.M.PATCH` to `YYYY.M.PATCH-N` so a correction publish cannot
+- For stable correction releases like `YYYY.M.D-N`, it also verifies the
+  upgrade path from `YYYY.M.D` to `YYYY.M.D-N` so a correction publish cannot
   silently leave existing global installs on the old base stable payload.
 - Treat install smoke as a pack-budget gate too. `pnpm test:install:smoke`
   now fails the candidate update tarball when npm reports an oversized
@@ -500,7 +444,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
     `npm login --auth-type=legacy`, then confirm `npm whoami` reports
     `steipete`.
   - Promote with a fresh OTP:
-    `npm dist-tag add openclaw@YYYY.M.PATCH latest --otp "$OTP"`.
+    `npm dist-tag add openclaw@YYYY.M.D latest --otp "$OTP"`.
   - Verify with a cache-bypassed registry read, for example:
     `npm view openclaw dist-tags --json --prefer-online --cache /tmp/openclaw-npm-cache-verify-$$`
     and `npm view openclaw@latest version dist.tarball --json --prefer-online`.
@@ -511,10 +455,8 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 - The npm workflow and the private mac publish workflow accept
   `preflight_only=true` to run validation/build/package steps without uploading
   public release assets.
-- Real npm publish requires a prior successful npm preflight run id and the
-  successful Full Release Validation run id for the same tag/SHA so the publish
-  job promotes the prepared tarball instead of rebuilding it and attaches the
-  correct release evidence.
+- Real npm publish requires a prior successful npm preflight run id so the
+  publish job promotes the prepared tarball instead of rebuilding it.
 - Real private mac publish requires a prior successful private mac preflight
   run id so the publish job promotes the prepared artifacts instead of
   rebuilding or renotarizing them again.
@@ -526,7 +468,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
   the npm version is already published.
 - npm validation-only preflight may still be dispatched from ordinary branches
   when testing workflow changes before merge. Release checks and real publish
-  use only `main` or `release/YYYY.M.PATCH`.
+  use only `main` or `release/YYYY.M.D`.
 - `.github/workflows/macos-release.yml` in `openclaw/openclaw` is now a
   public validation-only handoff. It validates the tag/release state and points
   operators to the private repo. It still rebuilds the JS outputs needed for
@@ -544,14 +486,13 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
   instead of uploading public GitHub release assets.
 - Private smoke-test runs upload ad-hoc, non-notarized build artifacts as
   workflow artifacts and intentionally skip stable `appcast.xml` generation.
-- For stable releases, npm preflight, Full Release Validation, public mac
-  validation, private mac validation, and private mac preflight must all pass
-  before any real publish run starts. For beta releases, npm preflight and Full
-  Release Validation must pass before npm publish unless the operator explicitly
-  waives the full gate; mac beta validation is still only required when
-  requested.
+- For stable releases, npm preflight, public mac validation, private mac
+  validation, and private mac preflight must all pass before any real publish
+  run starts. For beta releases, npm preflight plus the selected Docker,
+  install/update, Parallels, and release-check lanes are sufficient unless mac
+  beta validation was explicitly requested.
 - Real publish runs may be dispatched from `main` or from a
-  `release/YYYY.M.PATCH` branch. For release-branch runs, the tag must be contained
+  `release/YYYY.M.D` branch. For release-branch runs, the tag must be contained
   in that release branch, and the real publish must reuse a successful preflight
   from the same branch.
 - The release workflows stay tag-based; rely on the documented release sequence
@@ -579,11 +520,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 - Use `NPM_TOKEN` only for explicit npm dist-tag management modes, because npm
   does not support trusted publishing for `npm dist-tag add`.
 - `@openclaw/*` plugin publishes use a separate maintainer-only flow.
-- Publishable plugins that are new to npm require owner-led first-package
-  minting before the full release publish. Do not consume the next beta version
-  with an ad-hoc manual package publish; use the release-owned auto-bumped
-  version path, or a non-consuming registry setup/preflight step. Bundled
-  disk-tree-only plugins stay unpublished.
+- Only publish plugins that already exist on npm; bundled disk-tree-only plugins stay unpublished.
 
 ## Fallback local mac publish
 
@@ -623,8 +560,8 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 4. Pull latest `main` and confirm current `main` CI is green.
 5. Run `/changelog` for the stable base target version on `main`, commit the
    changelog rewrite immediately, push, and pull/rebase. For beta releases,
-   keep the changelog heading as `## YYYY.M.PATCH`, not `## YYYY.M.PATCH-beta.N`.
-6. Create `release/YYYY.M.PATCH` from that post-changelog `main` commit.
+   keep the changelog heading as `## YYYY.M.D`, not `## YYYY.M.D-beta.N`.
+6. Create `release/YYYY.M.D` from that post-changelog `main` commit.
 7. Make every repo version location match the beta tag before creating it.
 8. Commit release preparation changes on the release branch and push the branch.
 9. Immediately dispatch Actions > `OpenClaw Performance` from `main` with
@@ -640,9 +577,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
     mac app, signing, notarization, and appcast path.
 12. Confirm the target npm version is not already published.
 13. Create and push the git tag from the release branch.
-14. Do not create or publish the matching GitHub release page yet. The real
-    publish workflow creates or undrafts it only after postpublish verification
-    and release evidence upload pass.
+14. Create or refresh the matching GitHub release.
 15. Dispatch Actions > `QA-Lab - All Lanes` against the release tag and wait
     for the mock parity, live Matrix, and live Telegram credentialed-channel
     lanes to pass.
@@ -665,29 +600,20 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
     with `preflight_only=true` and wait for it to pass. Save that run id because
     the real publish requires it to reuse the notarized mac artifacts.
 21. If any preflight or validation run fails, fix the issue on a new commit,
-    delete the tag and any accidental draft/incomplete GitHub release, recreate
-    the tag from the fixed commit, and rerun all relevant preflights from
-    scratch before continuing. Never reuse old preflight results after the
-    commit changes. Once the npm version exists, do not rerun the publish
-    workflow for that same version; finalize the existing draft/evidence state
-    manually or cut a correction tag. For pushed or published beta tags, do not
-    delete/recreate; increment to the next beta tag. For preflight-only failures
-    where npm did not publish the beta version, delete/recreate the same beta
-    tag and any accidental draft/incomplete prerelease at the fixed commit
-    instead of skipping a prerelease number.
+    delete the tag and matching GitHub release, recreate them from the fixed
+    commit, and rerun all relevant preflights from scratch before continuing.
+    Never reuse old preflight results after the commit changes. For pushed or
+    published beta tags, do not delete/recreate; increment to the next beta tag.
+    For preflight-only failures where npm did not publish the beta version,
+    delete/recreate the same beta tag and prerelease at the fixed commit instead
+    of skipping a prerelease number.
 22. Start `.github/workflows/openclaw-npm-release.yml` from the same branch with
     the same tag for the real publish, choose `npm_dist_tag` (`beta` default,
     `latest` only when you intentionally want direct stable publish), keep it
     the same as the preflight run, and pass the successful npm
     `preflight_run_id`.
 23. Wait for `npm-release` approval from `@openclaw/openclaw-release-managers`.
-24. Wait for the real publish workflow to run postpublish verification,
-    create or update the GitHub release as a draft, upload dependency evidence,
-    append release verification proof, and only then undraft/publish it. If a
-    waited plugin publish fails after OpenClaw npm succeeds, the workflow keeps
-    the release draft with OpenClaw npm evidence and exits red; do not undraft
-    until the plugin publish gap is repaired. The standalone verifier command
-    remains the recovery probe:
+24. Run postpublish verification:
     `node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>`.
 25. Run the post-published beta verification roster. First scan current `main`
     for critical fixes that landed after the release branch cut; backport only

.agents/skills/release-openclaw-nightly/SKILL.md

@@ -37,11 +37,9 @@ This is good for auditability if commits are clearly machine-authored and gated
 - Branch name: `tideclaw/alpha/YYYY-MM-DD-HHMMZ`
 - Base: current `origin/main` SHA at trigger time.
 - State file: resolve from `$release-private` on the Tideclaw host.
-- Release tag: `vYYYY.M.PATCH-alpha.N`
+- Release tag: `vYYYY.M.D-alpha.N`
 - npm dist-tag: `alpha`
 
-`PATCH` is a sequential monthly release-train number, never the calendar day. Determine the alpha train from stable and beta releases; ignore alpha-only patch numbers when choosing the next train. Use one greater than the highest stable/beta patch for the month, then increment only `alpha.N` for repeated nightlies on that train. If a beta exists on that next patch, move alpha to the following train. Legacy alpha-only tags with inflated patch numbers do not advance beta/stable numbering.
-
 Do not reuse old alpha branches for a new run. If rerunning the same base SHA, create a new timestamped branch and record why.
 
 ## Start
@@ -100,7 +98,7 @@ Tideclaw may run beta releases from `#releases` or mentioned `#maintainers` comm
 Accepted shapes:
 
 ```text
-@Tideclaw beta release from vYYYY.M.PATCH-alpha.N
+@Tideclaw beta release from vYYYY.M.D-alpha.N
 @Tideclaw beta release from tideclaw/alpha/YYYY-MM-DD-HHMMZ
 @Tideclaw beta release from latest proven alpha
 ```
@@ -112,7 +110,7 @@ Rules:
 3. Verify the source alpha first: GitHub release, npm `alpha` package, release CI, recorded state file, and branch/tag SHA.
 4. Create a fresh beta branch `tideclaw/beta/YYYY-MM-DD-HHMMZ` from the proven alpha source, not directly from a moving `main`.
 5. Reuse/squash only stabilization fixes already proven on alpha. Do not import unrelated alpha release mechanics unless the beta release docs require them.
-6. Compute beta as `vYYYY.M.PATCH-beta.N`, matching npm `--tag beta`. Ignore alpha-only patch numbers when selecting the beta train.
+6. Compute beta as `vYYYY.M.D-beta.N`, matching npm `--tag beta`.
 7. Run beta release validation/preflight/full release CI and fix failures on the beta branch.
 8. Publish beta only after green beta gates. Use GitHub Actions/OIDC, never direct npm publish from the host.
 9. Final Discord summary must include source alpha, beta tag/version, branch, fix commits, workflow run IDs, npm/GitHub proof, and any skipped/blocked reason.
@@ -167,7 +165,7 @@ git push -u origin "$BRANCH"
 
 After local proof:
 
-1. Compute the next `vYYYY.M.PATCH-alpha.N` from existing git tags, npm versions, and GitHub releases. Select `PATCH` from stable/beta trains, not the date or the highest alpha-only patch. Reuse the same alpha train and increment `alpha.N` until that patch has a beta; after a beta exists, use the following patch for new alpha builds.
+1. Compute the next `vYYYY.M.D-alpha.N` from existing git tags, npm versions, and GitHub releases.
 2. Make the alpha branch package version and release metadata match that tag, commit it, and push the branch.
 3. Run release validation from the alpha branch, using GitHub CLI, not browser/fetch tools. On the Tideclaw host, bare `gh` is a read-only Codex sandbox wrapper; use `/usr/local/bin/gh-tideclaw-write` for write-capable commands such as `workflow run`, `run cancel`, and publish dispatch:
 

.agents/skills/security-triage/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: security-triage
-description: "Triage OpenClaw security advisories, drafts, and GHSA reports with shipped-tag and trust-model proof."
+description: Triage OpenClaw security advisories, drafts, and GHSA reports with shipped-tag and trust-model proof.
 ---
 
 # Security Triage
@@ -87,19 +87,11 @@ When preparing a maintainer-ready close reply:
    - exact reason for close
    - exact code refs
    - exact shipped tag / release facts
-   - fix provenance or canonical duplicate GHSA when applicable
+   - exact fix commit or canonical duplicate GHSA when applicable
    - optional hardening note only if worthwhile and functionality-preserving
 
 Keep tone firm, specific, non-defensive.
 
-## Public Wording Hygiene
-
-- Keep raw commit hashes, PR titles/numbers, and fix-mechanism summaries out of public advisory text. Use the patched release/version field only.
-- Keep exact commit SHAs, PRs, and implementation notes in internal notes and verification files.
-- For hardening/no-publish outcomes, do not add exploit-heavy details, "Fixed by" text, or a "Fix Commit(s)" section. Thank reporters, preserve credit, state the `SECURITY.md` boundary, and say clearly that the GHSA will close without publication.
-- For published CVE/GHSA text, prefer `### Patched Versions` with the fixed release. Do not explain how the patch works unless Peter explicitly asks for that public detail.
-- Keep GHSA ids out of changelog and release-note wording unless Peter explicitly asks.
-
 ## Discussion Mode
 
 When Peter is manually posting GHSA comments, use this flow:

.agents/skills/verify-release/SKILL.md

@@ -1,87 +0,0 @@
----
-name: verify-release
-description: "Verify an OpenClaw release is fully published across GitHub, npm, plugins, ClawHub, package smoke, and live Gateway agent turns."
----
-
-# Verify Release
-
-Use this when asked whether an OpenClaw release is fully released, published,
-promoted, smoke-tested, or live-verified. This is a verification skill, not a
-publish skill; use `$release-openclaw-maintainer` before changing release state.
-
-## Rules
-
-- Resolve short suffixes like `.27` to the concrete CalVer version from the
-  current date/context, then say the resolved version.
-- Verify live state. Do not trust local checkout state, release notes, or old
-  memory as current truth.
-- If the checkout is dirty or divergent, use it only for scripts/reference.
-  For version metadata, fetch from GitHub release/tag or unpack the tag tarball
-  under `/tmp`.
-- Never print secrets. Use inherited live keys only for scoped smoke commands.
-- Keep the final terse: `yes/no`, evidence bullets, caveats, cleanup.
-
-## Core Checks
-
-1. GitHub release:
-   - `gh release view v<VERSION> --repo openclaw/openclaw --json tagName,name,publishedAt,isDraft,isPrerelease,targetCommitish,url,body,assets`
-   - Confirm stable releases are not draft/prerelease.
-   - Confirm release body has npm, CI, plugin npm, ClawHub, mac/appcast evidence
-     links when expected.
-   - Confirm assets expected for stable mac releases are uploaded: zip, dmg,
-     dSYM, dependency evidence when present.
-2. Root npm:
-   - `npm view openclaw@<VERSION> version dist-tags.latest dist.tarball dist.integrity time.<VERSION> --json`
-   - `latest` must equal `<VERSION>` for stable.
-   - Record tarball, integrity, publish time.
-3. Plugin publish set:
-   - Get exact tag metadata from GitHub, not the local checkout when dirty:
-     download `https://api.github.com/repos/openclaw/openclaw/tarball/v<VERSION>`
-     into `/tmp/openclaw-v<VERSION>-src`.
-   - Count `extensions/*/package.json` with
-     `openclaw.release.publishToNpm === true` and
-     `openclaw.release.publishToClawHub === true`.
-   - Compare expected counts to workflow job counts:
-     `gh api repos/openclaw/openclaw/actions/runs/<RUN>/jobs --paginate`.
-   - Each expected npm plugin must have version `<VERSION>` and
-     `dist-tags.latest === <VERSION>`.
-4. ClawHub:
-   - Check the Plugin ClawHub Release workflow conclusion and publish job count.
-   - Use OpenClaw itself for live registry proof:
-     `openclaw plugins search <known-plugin> --json`.
-   - Install one official plugin from ClawHub in an isolated HOME:
-     `openclaw plugins install clawhub:@openclaw/matrix --pin`.
-     Prefer `matrix` unless that plugin is not in the expected set.
-5. Release workflows:
-   - Verify conclusions for release notes evidence links:
-     Full Release Validation, OpenClaw Release Checks, OpenClaw NPM Release,
-     Plugin NPM Release, Plugin ClawHub Release, mac preflight/validation/publish
-     when stable mac assets are expected.
-   - Summarize only relevant successful/failed jobs; ignore routine skipped
-     optional lanes unless the release body promised them.
-6. Published package smoke:
-   - In `/tmp`, isolated HOME:
-     `npm exec --yes --package openclaw@<VERSION> -- openclaw --version`.
-   - Run at least one harmless command that touches the published CLI surface,
-     for example `plugins --help` or `gateway --help`.
-7. Dev Gateway live model smoke:
-   - Use temp HOME/workspace, not the user's normal state:
-     `HOME=/tmp/openclaw-release-smoke/home OPENCLAW_WORKSPACE=/tmp/openclaw-release-smoke/work pnpm openclaw --dev gateway run --auth none --force --verbose`.
-   - Health check via CLI: `openclaw --dev gateway health --json`.
-   - Run one Gateway-backed agent turn with inherited `OPENAI_API_KEY`, short
-     prompt, explicit session key, JSON output, and a known-available model.
-   - If the configured default model fails as unavailable, record that caveat
-     and retry with the newest known-good OpenAI model instead of declaring the
-     release failed.
-   - Stop the gateway and verify the port is not listening.
-
-## Caveats To Report
-
-- Dist-tag caveat: stable `latest` is release truth; if optional `beta` mirrors
-  still point at a beta version, report it as a caveat, not a stable-release
-  blocker, unless the user asked to verify beta promotion.
-- Divergent checkout caveat: say when local source SHA differs from release tag
-  or origin and which live sources were used instead.
-- Smoke caveat: distinguish Gateway-backed agent success from local embedded
-  fallback. A valid Gateway smoke has health OK plus gateway log/run id for the
-  agent call.

.crabbox.yaml

@@ -1,21 +1,26 @@
 profile: openclaw-check
-# Default OpenClaw runner spend to the Azure-backed Crabbox account.
-# Use `--provider aws` only for AWS-specific runner proof.
-provider: azure
+provider: aws
 class: standard
 capacity:
-  market: on-demand
+  market: spot
   strategy: most-available
-  # The Azure-backed billing account carries the OpenClaw runner credits; use
-  # explicit on-demand capacity instead of low-priority spot, whose regional
-  # quota is too small for broad maintainer proof or parallel Crabbox lanes.
+  fallback: on-demand-after-120s
   hints: true
+  availabilityZones:
+    - eu-west-1a
+    - eu-west-1b
+    - eu-west-1c
+  regions:
+    - eu-west-1
+    - eu-west-2
+    - eu-central-1
+    - us-east-1
+    - us-west-2
 actions:
   workflow: .github/workflows/crabbox-hydrate.yml
   # Default AWS hydration uses local Actions replay. Use
   # `crabbox actions hydrate --github-runner --job hydrate-github` when the
-  # hydrate job needs GitHub secrets, or `--github-runner --job
-  # hydrate-windows-daemon` for focused native Windows daemon proof.
+  # hydrate job needs GitHub secrets.
   job: hydrate
   ref: main
   runnerLabels:
@@ -23,35 +28,9 @@ actions:
     - openclaw
   runnerVersion: latest
   ephemeral: true
-blacksmith:
-  org: openclaw
-  workflow: .github/workflows/ci-check-testbox.yml
-  job: check
-  ref: main
-cache:
-  pnpm: true
-  npm: true
-  git: true
-  volumes:
-    - name: pnpm
-      key: openclaw-linux-node24-pnpm
-      path: /var/cache/crabbox/pnpm
-      sizeGB: 80
-      required: false
-    - name: npm
-      key: openclaw-linux-node24-npm
-      path: /var/cache/crabbox/npm
-      sizeGB: 40
-      required: false
 aws:
-  # AWS-specific overrides still pin direct `--provider aws` runs without
-  # leaking AWS region names into the Azure default capacity fallback list.
   region: eu-west-1
   rootGB: 400
-azure:
-  # The OpenClaw Azure subscription is reliable in eastus2; eastus rejects the
-  # same SKUs and can stall provisioning.
-  location: eastus2
 sync:
   delete: true
   checksum: false
@@ -71,64 +50,4 @@ env:
     - OPENCLAW_*
 ssh:
   user: crabbox
-  # Azure coordinator leases expose SSH on 22. The run wrapper can fall back
-  # from 2222, but `crabbox job run` hydrates via the configured port directly.
-  port: "22"
-jobs:
-  prewarm:
-    provider: azure
-    target: linux
-    class: standard
-    type: Standard_D4ads_v6
-    market: on-demand
-    idleTimeout: 90m
-    hydrate:
-      actions: true
-      waitTimeout: 20m
-    actions:
-      workflow: .github/workflows/crabbox-hydrate.yml
-      job: hydrate
-      ref: main
-    noSync: true
-    shell: true
-    command: "true"
-    stop: never
-  changed:
-    provider: azure
-    target: linux
-    class: standard
-    type: Standard_D4ads_v6
-    market: on-demand
-    idleTimeout: 90m
-    hydrate:
-      actions: true
-      waitTimeout: 20m
-    actions:
-      workflow: .github/workflows/crabbox-hydrate.yml
-      job: hydrate
-      ref: main
-    shell: true
-    command: |
-      set -euo pipefail
-      if ! git status --short >/dev/null 2>&1; then
-        rm -rf .git
-        git init -q
-        git add -A
-        if ! git diff --cached --quiet; then
-          git -c user.name=OpenClaw -c user.email=ci@openclaw.local commit -q --no-gpg-sign -m remote-check-tree
-        fi
-      fi
-      env CI=1 corepack pnpm check --timed
-    stop: always
-  testbox-changed:
-    provider: blacksmith-testbox
-    target: linux
-    idleTimeout: 90m
-    hydrate:
-      actions: false
-    actions:
-      workflow: .github/workflows/ci-check-testbox.yml
-      job: check
-      ref: main
-    command: env OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 CI=1 corepack pnpm check:changed
-    stop: always
+  port: "2222"

.gitattributes

@@ -1,6 +1,3 @@
 * text=auto eol=lf
 CLAUDE.md -text
 src/gateway/server-methods/CLAUDE.md -text
-ui/src/i18n/.i18n/* linguist-generated
-ui/src/i18n/locales/*.ts linguist-generated
-ui/src/i18n/locales/en.ts -linguist-generated

.github/CODEOWNERS

@@ -11,10 +11,8 @@
 /.github/workflows/codeql.yml @openclaw/openclaw-secops
 /.github/workflows/codeql-android-critical-security.yml @openclaw/openclaw-secops
 /.github/workflows/codeql-critical-quality.yml @openclaw/openclaw-secops
-/.github/workflows/dependency-guard.yml @openclaw/openclaw-secops
-/test/scripts/dependency-guard-workflow.test.ts @openclaw/openclaw-secops
-/test/scripts/dependency-guard-script.test.ts @openclaw/openclaw-secops
-/scripts/github/dependency-guard.mjs @openclaw/openclaw-secops
+/.github/workflows/dependency-change-awareness.yml @openclaw/openclaw-secops
+/test/scripts/dependency-change-awareness-workflow.test.ts @openclaw/openclaw-secops
 /package-lock.json @openclaw/openclaw-secops
 /npm-shrinkwrap.json @openclaw/openclaw-secops
 /extensions/*/package-lock.json @openclaw/openclaw-secops
@@ -31,7 +29,7 @@
 /src/gateway/**/*secret*.ts @openclaw/openclaw-secops
 /src/gateway/security-path*.ts @openclaw/openclaw-secops
 /src/gateway/resolve-configured-secret-input-string*.ts @openclaw/openclaw-secops
-/packages/gateway-protocol/src/**/*secret*.ts @openclaw/openclaw-secops
+/src/gateway/protocol/**/*secret*.ts @openclaw/openclaw-secops
 /src/gateway/server-methods/secrets*.ts @openclaw/openclaw-secops
 /src/agents/*auth*.ts @openclaw/openclaw-secops
 /src/agents/**/*auth*.ts @openclaw/openclaw-secops

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -11,8 +11,6 @@ body:
         Do not speculate or infer beyond the evidence. If a narrative section cannot be answered from the available evidence, respond with exactly `NOT_ENOUGH_INFO`.
 
         If this is a plugin beta-release blocker, rename the issue title to `Beta blocker: <plugin-name> - <summary>` and apply the `beta-blocker` label after filing.
-
-        Please only report one issue per submission. Break multiple issues up into separate submissions.
   - type: dropdown
     id: bug_type
     attributes:

.github/actionlint.yaml

@@ -14,10 +14,6 @@ self-hosted-runner:
     - blacksmith-16vcpu-ubuntu-2404-arm
     - blacksmith-6vcpu-macos-latest
     - blacksmith-12vcpu-macos-latest
-    - blacksmith-6vcpu-macos-15
-    - blacksmith-12vcpu-macos-15
-    - blacksmith-6vcpu-macos-26
-    - blacksmith-12vcpu-macos-26
 
 # Ignore patterns for known issues
 paths:

.github/actions/detect-docs-changes/action.yml

@@ -35,29 +35,17 @@ runs:
           exit 0
         fi
 
-        docs_changed=false
-        non_docs=false
-        while IFS= read -r changed_path; do
-          case "$changed_path" in
-            test/fixtures/*)
-              non_docs=true
-              ;;
-            docs/* | *.md | *.mdx)
-              docs_changed=true
-              ;;
-            *)
-              non_docs=true
-              ;;
-          esac
-        done <<< "$CHANGED"
-
-        if [ "$docs_changed" = "true" ]; then
+        # Check if any changed file is a doc
+        DOCS=$(echo "$CHANGED" | grep -E '^docs/|\.md$|\.mdx$' || true)
+        if [ -n "$DOCS" ]; then
           echo "docs_changed=true" >> "$GITHUB_OUTPUT"
         else
           echo "docs_changed=false" >> "$GITHUB_OUTPUT"
         fi
 
-        if [ "$non_docs" = "false" ]; then
+        # Check if all changed files are docs or markdown
+        NON_DOCS=$(echo "$CHANGED" | grep -vE '^docs/|\.md$|\.mdx$' || true)
+        if [ -z "$NON_DOCS" ]; then
           echo "docs_only=true" >> "$GITHUB_OUTPUT"
           echo "Docs-only change detected — skipping heavy jobs"
         else

.github/actions/docker-e2e-plan/action.yml

@@ -123,14 +123,14 @@ runs:
       shell: bash
       run: |
         set -euo pipefail
-        bash scripts/ci-docker-pull-retry.sh "${OPENCLAW_DOCKER_E2E_BARE_IMAGE}"
+        docker pull "${OPENCLAW_DOCKER_E2E_BARE_IMAGE}"
 
     - name: Pull shared functional Docker E2E image
       if: inputs.hydrate-artifacts == 'true' && steps.plan.outputs.needs_functional_image == '1'
       shell: bash
       run: |
         set -euo pipefail
-        bash scripts/ci-docker-pull-retry.sh "${OPENCLAW_DOCKER_E2E_FUNCTIONAL_IMAGE}"
+        docker pull "${OPENCLAW_DOCKER_E2E_FUNCTIONAL_IMAGE}"
 
     - name: Validate Docker E2E credentials
       if: inputs.hydrate-artifacts == 'true'

.github/actions/ensure-base-commit/action.yml

@@ -38,15 +38,9 @@ runs:
           exit 0
         fi
 
-        fetch_base_ref() {
-          timeout --signal=TERM --kill-after=10s 30s git \
-            -c protocol.version=2 \
-            fetch "$@"
-        }
-
         for deepen_by in 25 100 300; do
           echo "Base commit missing; deepening $FETCH_REF by $deepen_by."
-          if ! fetch_base_ref --no-tags --deepen="$deepen_by" origin -- "$FETCH_REF"; then
+          if ! git fetch --no-tags --deepen="$deepen_by" origin -- "$FETCH_REF"; then
             echo "::warning title=ensure-base-commit fetch failed::Failed to deepen $FETCH_REF by $deepen_by while looking for $BASE_SHA"
           fi
           if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
@@ -56,7 +50,7 @@ runs:
         done
 
         echo "Base commit still missing; fetching full history for $FETCH_REF."
-        if ! fetch_base_ref --no-tags origin -- "$FETCH_REF"; then
+        if ! git fetch --no-tags origin -- "$FETCH_REF"; then
           echo "::warning title=ensure-base-commit fetch failed::Failed to fetch full history for $FETCH_REF while looking for $BASE_SHA"
         fi
         if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then

.github/actions/setup-node-env/action.yml

@@ -20,13 +20,9 @@ inputs:
     required: false
     default: "true"
   use-actions-cache:
-    description: Whether to restore the pnpm store with actions/cache.
+    description: Whether to restore and save the pnpm store with actions/cache.
     required: false
     default: "true"
-  save-actions-cache:
-    description: Whether to save the pnpm store with actions/cache after install when no exact cache restored.
-    required: false
-    default: "false"
 runs:
   using: composite
   steps:
@@ -40,16 +36,12 @@ runs:
         fi
 
     - name: Setup Node.js
-      shell: bash
-      env:
-        REQUESTED_NODE_VERSION: ${{ inputs.node-version }}
-      run: |
-        set -euo pipefail
-        source "$GITHUB_ACTION_PATH/../setup-pnpm-store-cache/ensure-node.sh"
-        openclaw_ensure_node "$REQUESTED_NODE_VERSION"
+      uses: actions/setup-node@v6
+      with:
+        node-version: ${{ inputs.node-version }}
+        check-latest: false
 
     - name: Setup pnpm
-      id: setup-pnpm
       uses: ./.github/actions/setup-pnpm-store-cache
       with:
         node-version: ${{ inputs.node-version }}
@@ -57,10 +49,9 @@ runs:
 
     - name: Setup Bun
       if: inputs.install-bun == 'true'
-      shell: bash
-      run: |
-        set -euo pipefail
-        npm install -g bun@1.3.14
+      uses: oven-sh/setup-bun@v2.2.0
+      with:
+        bun-version: "1.3.13"
 
     - name: Runtime versions
       shell: bash
@@ -128,7 +119,6 @@ runs:
         if [ -n "${PNPM_CONFIG_MODULES_DIR:-}" ]; then
           mkdir -p "$PNPM_CONFIG_MODULES_DIR"
           ln -sfn . "$PNPM_CONFIG_MODULES_DIR/node_modules"
-          export NODE_PATH="$PNPM_CONFIG_MODULES_DIR${NODE_PATH:+:$NODE_PATH}"
         fi
         pnpm "${install_args[@]}" || pnpm "${install_args[@]}"
         if [ -n "${PNPM_CONFIG_MODULES_DIR:-}" ]; then
@@ -136,10 +126,3 @@ runs:
           ln -sfn "$PNPM_CONFIG_MODULES_DIR" node_modules
           ln -sfn . "$PNPM_CONFIG_MODULES_DIR/node_modules"
         fi
-
-    - name: Save pnpm store cache
-      if: ${{ inputs.install-deps == 'true' && inputs.use-actions-cache == 'true' && inputs.save-actions-cache == 'true' && runner.os != 'Windows' && steps.setup-pnpm.outputs.store-cache-hit != 'true' }}
-      uses: actions/cache/save@v5
-      with:
-        path: ${{ steps.setup-pnpm.outputs.store-path }}
-        key: ${{ steps.setup-pnpm.outputs.store-cache-primary-key }}

.github/actions/setup-pnpm-store-cache/action.yml

@@ -14,7 +14,7 @@ inputs:
     required: false
     default: ""
   use-actions-cache:
-    description: Whether actions/cache should restore the pnpm store.
+    description: Whether pnpm/action-setup should cache the pnpm store.
     required: false
     default: "true"
 outputs:
@@ -24,15 +24,6 @@ outputs:
   project-dir:
     description: Directory containing the packageManager file used for pnpm resolution.
     value: ${{ steps.setup-pnpm.outputs.project-dir }}
-  store-cache-hit:
-    description: Whether the pnpm store cache restored an exact key.
-    value: ${{ steps.pnpm-store-cache.outputs.cache-hit }}
-  store-cache-primary-key:
-    description: Exact pnpm store cache key used for restore/save.
-    value: ${{ steps.pnpm-store-cache.outputs.cache-primary-key }}
-  store-path:
-    description: Resolved pnpm store path.
-    value: ${{ steps.pnpm-store.outputs.path }}
 runs:
   using: composite
   steps:
@@ -56,49 +47,20 @@ runs:
         openclaw_ensure_node "$requested_node"
 
     - name: Setup pnpm from packageManager
-      shell: bash
-      env:
-        COREPACK_ENABLE_DOWNLOAD_PROMPT: "0"
-        PACKAGE_MANAGER_FILE: ${{ inputs.package-manager-file }}
-      run: |
-        set -euo pipefail
-        package_manager="$(node -e "const fs = require('node:fs'); const path = require('node:path'); const pkg = JSON.parse(fs.readFileSync(path.resolve(process.argv[1]), 'utf8')); process.stdout.write(pkg.packageManager || '')" "$PACKAGE_MANAGER_FILE")"
-        case "$package_manager" in
-          pnpm@*) ;;
-          *)
-            echo "::error::Expected packageManager to pin pnpm, got '${package_manager:-<empty>}'"
-            exit 1
-            ;;
-        esac
-        corepack enable
-        for attempt in 1 2 3; do
-          if corepack prepare "$package_manager" --activate; then
-            exit 0
-          fi
-          sleep $((attempt * 5))
-        done
-        corepack prepare "$package_manager" --activate
+      uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
+      with:
+        package_json_file: ${{ inputs.package-manager-file }}
+        run_install: false
+        cache: ${{ inputs.use-actions-cache == 'true' && runner.os != 'Windows' }}
+        cache_dependency_path: ${{ inputs.lockfile-path }}
 
-    - name: Resolve pnpm store path
-      id: pnpm-store
+    - name: Ensure pnpm store cache directory exists
       if: ${{ inputs.use-actions-cache == 'true' && runner.os != 'Windows' }}
       shell: bash
       run: |
         set -euo pipefail
         store_path="$(pnpm store path --silent)"
         node -e "require('node:fs').mkdirSync(process.argv[1], { recursive: true })" "$store_path"
-        echo "path=$store_path" >> "$GITHUB_OUTPUT"
-
-    - name: Restore pnpm store cache
-      id: pnpm-store-cache
-      if: ${{ inputs.use-actions-cache == 'true' && runner.os != 'Windows' }}
-      uses: actions/cache/restore@v5
-      with:
-        path: ${{ steps.pnpm-store.outputs.path }}
-        key: pnpm-store-${{ runner.os }}-${{ runner.arch }}-${{ inputs.node-version }}-${{ hashFiles(inputs.package-manager-file) }}-${{ hashFiles(inputs.lockfile-path) }}
-        restore-keys: |
-          pnpm-store-${{ runner.os }}-${{ runner.arch }}-${{ inputs.node-version }}-${{ hashFiles(inputs.package-manager-file) }}-
-          pnpm-store-${{ runner.os }}-${{ runner.arch }}-${{ inputs.node-version }}-
 
     - name: Record pnpm version
       id: pnpm-version

.github/actions/setup-pnpm-store-cache/ensure-node.sh

@@ -8,10 +8,7 @@ openclaw_node_version_matches() {
   fi
   case "$requested" in
     *x)
-      [[ "${actual%%.*}" == "${requested%%.*}" ]] || return 1
-      if [[ "${requested%%.*}" == "22" ]]; then
-        openclaw_node_version_at_least "$actual" "22.19.0"
-      fi
+      [[ "${actual%%.*}" == "${requested%%.*}" ]]
       ;;
     *.*.*)
       [[ "$actual" == "$requested" ]]
@@ -25,47 +22,15 @@ openclaw_node_version_matches() {
   esac
 }
 
-openclaw_node_version_at_least() {
-  local actual="$1"
-  local minimum="$2"
-  local actual_major actual_minor actual_patch minimum_major minimum_minor minimum_patch
-  IFS=. read -r actual_major actual_minor actual_patch <<< "$actual"
-  IFS=. read -r minimum_major minimum_minor minimum_patch <<< "$minimum"
-  actual_minor="${actual_minor:-0}"
-  actual_patch="${actual_patch:-0}"
-  minimum_minor="${minimum_minor:-0}"
-  minimum_patch="${minimum_patch:-0}"
-
-  if (( actual_major != minimum_major )); then
-    (( actual_major > minimum_major ))
-    return
-  fi
-  if (( actual_minor != minimum_minor )); then
-    (( actual_minor > minimum_minor ))
-    return
-  fi
-  (( actual_patch >= minimum_patch ))
-}
-
 openclaw_active_node_version() {
   node -p 'process.versions.node' 2>/dev/null || true
 }
 
 openclaw_prepend_node_bin() {
   local node_bin_dir="$1"
-  local github_path_dir="${2:-$node_bin_dir}"
-  local shell_node_bin_dir="$node_bin_dir"
-  if command -v cygpath >/dev/null 2>&1; then
-    shell_node_bin_dir="$(cygpath -u "$node_bin_dir" 2>/dev/null || printf '%s' "$node_bin_dir")"
-  fi
-  export PATH="$shell_node_bin_dir:$PATH"
+  export PATH="$node_bin_dir:$PATH"
   if [[ -n "${GITHUB_PATH:-}" ]]; then
-    local github_node_bin_dir="$github_path_dir"
-    if [[ $# -lt 2 ]] && command -v cygpath >/dev/null 2>&1; then
-      github_node_bin_dir="$shell_node_bin_dir"
-      github_node_bin_dir="$(cygpath -w "$shell_node_bin_dir" 2>/dev/null || printf '%s' "$shell_node_bin_dir")"
-    fi
-    echo "$github_node_bin_dir" >> "$GITHUB_PATH"
+    echo "$node_bin_dir" >> "$GITHUB_PATH"
   fi
   hash -r
 }
@@ -84,9 +49,6 @@ openclaw_find_toolcache_node() {
     "/Users/runner/hostedtoolcache" \
     "/c/hostedtoolcache/windows"
   do
-    if [[ ! -d "$root" && "$root" == *\\* ]] && command -v cygpath >/dev/null 2>&1; then
-      root="$(cygpath -u "$root" 2>/dev/null || printf '%s' "$root")"
-    fi
     if [[ -d "$root/node" ]]; then
       roots+=("$root/node")
     elif [[ "$(basename "$root")" == "node" && -d "$root" ]]; then
@@ -95,7 +57,7 @@ openclaw_find_toolcache_node() {
   done
 
   local node_root candidate candidate_version
-  for node_root in ${roots[@]+"${roots[@]}"}; do
+  for node_root in "${roots[@]}"; do
     while IFS= read -r candidate; do
       candidate_version="$("$candidate" -p 'process.versions.node' 2>/dev/null || true)"
       if openclaw_node_version_matches "$candidate_version" "$requested_node"; then
@@ -107,92 +69,6 @@ openclaw_find_toolcache_node() {
   return 1
 }
 
-openclaw_resolve_node_download_version() {
-  local requested_node="$1"
-  if [[ "$requested_node" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-    [[ "$requested_node" == v* ]] && printf '%s\n' "$requested_node" || printf 'v%s\n' "$requested_node"
-    return 0
-  fi
-
-  local prefix="${requested_node#v}"
-  prefix="${prefix%%[xX]*}"
-  prefix="v${prefix}"
-  [[ "$prefix" == *. ]] || prefix="${prefix}."
-  curl -fsSL https://nodejs.org/dist/index.json |
-    OPENCLAW_NODE_PREFIX="$prefix" python3 -c 'import json, os, sys
-prefix = os.environ["OPENCLAW_NODE_PREFIX"]
-for item in json.load(sys.stdin):
-    version = item.get("version", "")
-    if version.startswith(prefix):
-        print(version)
-        break
-'
-}
-
-openclaw_node_download_platform() {
-  local os_name arch_name
-  os_name="$(uname -s)"
-  arch_name="$(uname -m)"
-  case "$os_name:$arch_name" in
-    Linux:x86_64) printf 'linux-x64\n' ;;
-    Linux:aarch64 | Linux:arm64) printf 'linux-arm64\n' ;;
-    Darwin:x86_64) printf 'darwin-x64\n' ;;
-    Darwin:arm64) printf 'darwin-arm64\n' ;;
-    MINGW*:x86_64 | MSYS*:x86_64 | CYGWIN*:x86_64 | MINGW*:AMD64 | MSYS*:AMD64 | CYGWIN*:AMD64)
-      printf 'win-x64\n'
-      ;;
-    MINGW*:aarch64 | MINGW*:arm64 | MSYS*:aarch64 | MSYS*:arm64 | CYGWIN*:aarch64 | CYGWIN*:arm64) printf 'win-arm64\n' ;;
-    *)
-      return 1
-      ;;
-  esac
-}
-
-openclaw_download_node() {
-  local requested_node="$1"
-  local version platform archive_url install_root temp_root
-  version="$(openclaw_resolve_node_download_version "$requested_node")"
-  platform="$(openclaw_node_download_platform)" || return 1
-  temp_root="${RUNNER_TEMP:-/tmp}"
-  if command -v cygpath >/dev/null 2>&1; then
-    temp_root="$(cygpath -u "$temp_root" 2>/dev/null || printf '%s\n' "$temp_root")"
-  fi
-  install_root="${temp_root}/openclaw-node-${version}-${platform}"
-  if [[ "$platform" == win-* ]]; then
-    local archive_path ps_archive_path ps_install_root ps_bin_dir node_bin_dir
-    archive_path="${temp_root}/node-${version}-${platform}.zip"
-    archive_url="https://nodejs.org/dist/${version}/node-${version}-${platform}.zip"
-    rm -rf "$install_root"
-    mkdir -p "$install_root"
-    echo "Downloading Node ${version} from ${archive_url}"
-    curl -fsSL -o "$archive_path" "$archive_url"
-    ps_archive_path="$archive_path"
-    ps_install_root="$install_root"
-    if command -v cygpath >/dev/null 2>&1; then
-      ps_archive_path="$(cygpath -w "$archive_path")"
-      ps_install_root="$(cygpath -w "$install_root")"
-    fi
-    ps_bin_dir="$ps_install_root\\node-${version}-${platform}"
-    node_bin_dir="$install_root/node-${version}-${platform}"
-    if command -v pwsh >/dev/null 2>&1; then
-      pwsh -NoLogo -NoProfile -Command "Expand-Archive -LiteralPath '${ps_archive_path}' -DestinationPath '${ps_install_root}' -Force"
-      openclaw_prepend_node_bin "$node_bin_dir" "$ps_bin_dir"
-    elif command -v powershell.exe >/dev/null 2>&1; then
-      powershell.exe -NoLogo -NoProfile -Command "Expand-Archive -LiteralPath '${ps_archive_path}' -DestinationPath '${ps_install_root}' -Force"
-      openclaw_prepend_node_bin "$node_bin_dir" "$ps_bin_dir"
-    else
-      unzip -q "$archive_path" -d "$install_root"
-      openclaw_prepend_node_bin "$node_bin_dir"
-    fi
-  else
-    archive_url="https://nodejs.org/dist/${version}/node-${version}-${platform}.tar.xz"
-    mkdir -p "$install_root"
-    echo "Downloading Node ${version} from ${archive_url}"
-    curl -fsSL "$archive_url" | tar -xJ -C "$install_root" --strip-components=1
-    openclaw_prepend_node_bin "$install_root/bin"
-  fi
-}
-
 openclaw_ensure_node() {
   local requested_node="${1:-}"
   requested_node="${requested_node#v}"
@@ -211,8 +87,6 @@ openclaw_ensure_node() {
   if [[ -n "$node_bin" ]]; then
     echo "Using Node $("$node_bin" -p 'process.versions.node') from $node_bin"
     openclaw_prepend_node_bin "$(dirname "$node_bin")"
-  else
-    openclaw_download_node "$requested_node" || true
   fi
 
   active_node_version="$(openclaw_active_node_version)"

.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml

@@ -17,8 +17,7 @@ paths:
   - src/acp/control-plane
   - src/agents/command
   - src/agents/cli-runner
-  - src/agents/embedded-agent-runner
-  - src/agents/sessions
+  - src/agents/pi-embedded-runner
   - src/agents/tools
   - src/agents/*completion*.ts
   - src/agents/*transport*.ts

.github/codeql/codeql-channel-runtime-boundary-critical-security.yml

@@ -19,7 +19,7 @@ paths:
   - src/config/types.channel*.ts
   - src/gateway/server-channel*.ts
   - src/gateway/server-methods/channels.ts
-  - packages/gateway-protocol/src/schema/channels.ts
+  - src/gateway/protocol/schema/channels.ts
   - src/infra/channel-*.ts
   - src/infra/exec-approval-channel-runtime.ts
   - src/infra/outbound/channel-*.ts

.github/codeql/codeql-core-auth-secrets-critical-quality.yml

@@ -22,15 +22,13 @@ paths:
   - src/agents/sandbox
   - src/agents/sandbox.ts
   - src/agents/sandbox-*.ts
-  - src/agents/sessions/*auth*.ts
-  - src/agents/sessions/**/*auth*.ts
   - src/cron/service/jobs.ts
   - src/cron/stagger.ts
   - src/gateway/*auth*.ts
   - src/gateway/**/*auth*.ts
   - src/gateway/*secret*.ts
   - src/gateway/**/*secret*.ts
-  - packages/gateway-protocol/src/**/*secret*.ts
+  - src/gateway/protocol/**/*secret*.ts
   - src/gateway/resolve-configured-secret-input-string*.ts
   - src/gateway/security-path*.ts
   - src/gateway/server-methods/secrets*.ts

.github/codeql/codeql-core-auth-secrets-critical-security.yml

@@ -30,7 +30,7 @@ paths:
   - src/gateway/**/*auth*.ts
   - src/gateway/*secret*.ts
   - src/gateway/**/*secret*.ts
-  - packages/gateway-protocol/src/**/*secret*.ts
+  - src/gateway/protocol/**/*secret*.ts
   - src/gateway/resolve-configured-secret-input-string*.ts
   - src/gateway/security-path*.ts
   - src/gateway/server-methods/secrets*.ts

.github/codeql/codeql-gateway-runtime-boundary-critical-quality.yml

@@ -15,7 +15,7 @@ query-filters:
 
 paths:
   - src/gateway/method-scopes.ts
-  - packages/gateway-protocol/src
+  - src/gateway/protocol
   - src/gateway/server-methods
   - src/gateway/server-methods.ts
   - src/gateway/server-methods-list.ts

.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml

@@ -24,15 +24,14 @@ paths:
   - src/agents/openclaw-plugin-tools.ts
   - src/agents/openclaw-tools.runtime.ts
   - src/agents/openclaw-tools.registration.ts
-  - src/agents/agent-tool-definition-adapter.ts
-  - src/agents/agent-tools.abort.ts
-  - src/agents/agent-tools.before-tool-call*.ts
-  - src/agents/agent-tools.read.ts
-  - src/agents/agent-tools-parameter-schema.ts
-  - src/agents/sessions/tools/**
-  - src/agents/embedded-agent-runner/effective-tool-policy.ts
-  - src/agents/embedded-agent-runner/tool-name-allowlist.ts
-  - src/agents/embedded-agent-runner/tool-schema-runtime.ts
+  - src/agents/pi-tool-definition-adapter.ts
+  - src/agents/pi-tools.abort.ts
+  - src/agents/pi-tools.before-tool-call*.ts
+  - src/agents/pi-tools.host-edit.ts
+  - src/agents/pi-tools-parameter-schema.ts
+  - src/agents/pi-embedded-runner/effective-tool-policy.ts
+  - src/agents/pi-embedded-runner/tool-name-allowlist.ts
+  - src/agents/pi-embedded-runner/tool-schema-runtime.ts
   - src/agents/tools/gateway-tool.ts
   - src/agents/tools/message-tool.ts
   - src/agents/tools/sessions-send-tool.ts

.github/codeql/codeql-network-runtime-boundary-critical-quality.yml

@@ -7,17 +7,8 @@ queries:
   - uses: ./.github/codeql/openclaw-boundary/queries/managed-proxy-runtime-mutation.ql
 
 paths:
-  - src/cli/gateway-cli/run-loop.ts
-  - src/infra/gateway-lock.ts
-  - src/infra/jsonl-socket.ts
-  - src/infra/net
-  - src/infra/push-apns-http2.ts
-  - src/infra/ssh-tunnel.ts
-  - src/proxy-capture
-  - extensions/codex-supervisor/src/json-rpc-client.ts
-  - extensions/irc/src
-  - extensions/qa-lab/src
-  - packages/net-policy/src
+  - src
+  - extensions
 
 paths-ignore:
   - "**/node_modules"

.github/codeql/codeql-network-ssrf-boundary-critical-security.yml

@@ -15,6 +15,7 @@ query-filters:
 
 paths:
   - src/infra/net
+  - src/shared/net
   - src/agents/tools/web-fetch.ts
   - src/agents/tools/web-guarded-fetch.ts
   - src/agents/tools/web-shared.ts
@@ -22,7 +23,6 @@ paths:
   - src/web-fetch
   - src/web/provider-runtime-shared.ts
   - packages/memory-host-sdk/src/host/ssrf-policy.ts
-  - packages/net-policy/src
 
 paths-ignore:
   - "**/node_modules"

.github/codeql/codeql-process-exec-boundary-critical-security.yml

@@ -1,61 +0,0 @@
-name: openclaw-codeql-process-exec-boundary-critical-security
-
-disable-default-queries: true
-
-queries:
-  - uses: security-extended
-
-query-filters:
-  - include:
-      precision:
-        - high
-        - very-high
-      tags contain: security
-      security-severity: /([7-9]|10)\.(\d)+/
-
-paths:
-  - src/process
-  - src/tui/tui-local-shell.ts
-  - src/tui/tui.ts
-  - src/plugin-sdk/windows-spawn.ts
-  - packages/agent-core/src/harness/env
-  - packages/memory-host-sdk/src/host
-  - extensions/acpx/src
-  - extensions/bonjour/src/advertiser.ts
-  - extensions/browser/src/browser/chrome-mcp.ts
-  - extensions/browser/src/browser/chrome.executables.ts
-  - extensions/browser/src/browser/chrome.ts
-  - extensions/codex/src/app-server/sandbox-exec-server
-  - extensions/codex/src/app-server/transport-stdio.ts
-  - extensions/codex/src/node-cli-sessions.ts
-  - extensions/codex-supervisor/src/json-rpc-client.ts
-  - extensions/file-transfer/src
-  - extensions/google-meet/src
-  - extensions/imessage/src
-  - extensions/memory-core/src/memory/qmd-manager.ts
-  - extensions/memory-wiki/src/obsidian.ts
-  - extensions/microsoft-foundry/cli.ts
-  - extensions/ollama/src/wsl2-crash-loop-check.ts
-  - extensions/qa-lab/src
-  - extensions/signal/src/daemon.ts
-  - extensions/tts-local-cli/speech-provider.ts
-  - extensions/voice-call/src
-  - scripts
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.spec.ts"
-  - "**/*.spec.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/openclaw-boundary/queries/raw-socket-callsite-classification.ql

@@ -76,8 +76,6 @@ predicate allowedRawSocketClientCall(Expr call) {
   or
   allowedOwnerScope(call, "src/proxy-capture/proxy-server.ts", "startDebugProxyServer")
   or
-  allowedOwnerScope(call, "extensions/codex-supervisor/src/json-rpc-client.ts", "connectCodexSupervisorUnixSocket")
-  or
   allowedOwnerScope(call, "extensions/irc/src/client.ts", "connectIrcClient")
   or
   allowedOwnerScope(call, "extensions/qa-lab/src/lab-server-capture.ts", "probeTcpReachability")

.github/labeler.yml

@@ -10,11 +10,6 @@
           - "extensions/file-transfer/**"
           - "docs/nodes/index.md"
           - "docs/plugins/sdk-runtime.md"
-"plugin: pixverse":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/pixverse/**"
-          - "docs/providers/pixverse.md"
 "channel: discord":
   - changed-files:
       - any-glob-to-any-file:
@@ -47,12 +42,6 @@
           - "extensions/meeting-notes/**"
           - "docs/plugins/meeting-notes.md"
           - "src/meeting-notes/**"
-"plugin: workboard":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/workboard/**"
-          - "docs/plugins/workboard.md"
-          - "docs/plugins/reference/workboard.md"
 "plugin: migrate-hermes":
   - changed-files:
       - any-glob-to-any-file:
@@ -132,11 +121,6 @@
       - any-glob-to-any-file:
           - "extensions/slack/**"
           - "docs/channels/slack.md"
-"channel: sms":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/sms/**"
-          - "docs/channels/sms.md"
 "channel: synology-chat":
   - changed-files:
       - any-glob-to-any-file:
@@ -199,7 +183,7 @@
           - "ui/**"
           - "src/gateway/control-ui.ts"
           - "src/gateway/control-ui-shared.ts"
-          - "packages/gateway-protocol/src/**"
+          - "src/gateway/protocol/**"
           - "src/gateway/server-methods/chat.ts"
           - "src/infra/control-ui-assets.ts"
 
@@ -207,7 +191,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "src/gateway/**"
-          - "packages/gateway-protocol/src/**"
           - "src/daemon/**"
           - "docs/gateway/**"
 
@@ -293,10 +276,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/lobster/**"
-"extensions: llama-cpp":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/llama-cpp/**"
 "extensions: memory-core":
   - changed-files:
       - any-glob-to-any-file:
@@ -364,11 +343,6 @@
       - any-glob-to-any-file:
           - "extensions/deepinfra/**"
           - "docs/providers/deepinfra.md"
-"extensions: gmi":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/gmi/**"
-          - "docs/providers/gmi.md"
 "extensions: tencent":
   - changed-files:
       - any-glob-to-any-file:
@@ -419,17 +393,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/codex/**"
-"extensions: codex-supervisor":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/codex-supervisor/**"
-          - "docs/plugins/reference/codex-supervisor.md"
-          - "docs/specs/claw-supervisor.md"
-"extensions: copilot":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/copilot/**"
-          - "docs/plugins/copilot.md"
 "extensions: kimi-coding":
   - changed-files:
       - any-glob-to-any-file:
@@ -450,11 +413,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/nvidia/**"
-"extensions: novita":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/novita/**"
-          - "docs/providers/novita.md"
 "extensions: phone-control":
   - changed-files:
       - any-glob-to-any-file:
@@ -533,7 +491,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/diffs/**"
-          - "extensions/diffs-language-pack/**"
 "extensions: elevenlabs":
   - changed-files:
       - any-glob-to-any-file:
@@ -578,10 +535,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/openshell/**"
-"extensions: parallel":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/parallel/**"
 "extensions: perplexity":
   - changed-files:
       - any-glob-to-any-file:

.github/pull_request_template.md

@@ -2,14 +2,19 @@
 
 What problem does this PR solve?
 
+
 Why does this matter now?
 
+
 What is the intended outcome?
 
+
 What is intentionally out of scope?
 
+
 What does success look like?
 
+
 What should reviewers focus on?
 
 <details>
@@ -70,10 +75,13 @@ Be mindful of private information like IP addresses, API keys, phone numbers, no
 
 Which commands did you run?
 
+
 What regression coverage was added or updated?
 
+
 What failed before this fix, if known?
 
+
 If no test was added, why not?
 
 <details>
@@ -87,12 +95,16 @@ List focused commands, not every incidental check. CI is useful support, but ext
 
 Did user-visible behavior change? (`Yes/No`)
 
+
 Did config, environment, or migration behavior change? (`Yes/No`)
 
+
 Did security, auth, secrets, network, or tool execution behavior change? (`Yes/No`)
 
+
 What is the highest-risk area?
 
+
 How is that risk mitigated?
 
 <details>
@@ -106,8 +118,10 @@ Use this for author judgment that is not obvious from the diff. ClawSweeper can
 
 What is the next action?
 
+
 What is still waiting on author, maintainer, CI, or external proof?
 
+
 Which bot or reviewer comments were addressed?
 
 <details>

.github/workflows/ci-build-artifacts-testbox.yml

@@ -27,7 +27,7 @@ jobs:
     timeout-minutes: 35
     steps:
       - name: Begin Testbox
-        uses: useblacksmith/begin-testbox@233448af4bfdc6fca509a7f0974411ac6d8a8043
+        uses: useblacksmith/begin-testbox@d0e04585c26905fdd92c94a09c159544c7ee1b67
         with:
           testbox_id: ${{ inputs.testbox_id }}
 
@@ -61,7 +61,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
+            timeout --signal=TERM 30s git -C "$workdir" \
               -c protocol.version=2 \
               -c "http.extraheader=AUTHORIZATION: basic ${auth_header}" \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
@@ -188,10 +188,7 @@ jobs:
         run: |
           set -euo pipefail
 
-          timeout --signal=TERM --kill-after=10s 30s git \
-            -c protocol.version=2 \
-            fetch --no-tags --prune --no-recurse-submodules --depth=50 origin \
-            "+refs/heads/main:refs/remotes/origin/main"
+          git fetch --no-tags --depth=50 origin "+refs/heads/main:refs/remotes/origin/main"
 
           node_bin="$(dirname "$(node -p 'process.execPath')")"
           sudo ln -sf "$node_bin/node" /usr/local/bin/node
@@ -231,7 +228,7 @@ jobs:
         run: bash scripts/ci-hydrate-testbox-env.sh
 
       - name: Run Testbox
-        uses: useblacksmith/run-testbox@3f60ff9ceb2c10c3feefa87dc0c6490cffae059d
+        uses: useblacksmith/run-testbox@5ca05834db1d3813554d1dd109e5f2087a8d7cbc
         if: success()
         env:
           FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

.github/workflows/ci-check-arm-testbox.yml

@@ -1,156 +0,0 @@
-name: Blacksmith ARM Testbox
-on:
-  workflow_dispatch:
-    inputs:
-      testbox_id:
-        type: string
-        description: "Testbox session ID"
-        required: true
-  pull_request:
-    paths:
-      - ".github/workflows/**"
-
-permissions:
-  contents: read
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  PNPM_CONFIG_STORE_DIR: "/tmp/openclaw-pnpm-store"
-  PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN: "false"
-
-jobs:
-  check-arm:
-    if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }}
-    permissions:
-      contents: read
-    name: "check-arm"
-    runs-on: blacksmith-16vcpu-ubuntu-2404-arm
-    timeout-minutes: 120
-    steps:
-      - name: Begin Testbox
-        uses: useblacksmith/begin-testbox@d0e04585c26905fdd92c94a09c159544c7ee1b67
-        with:
-          testbox_id: ${{ inputs.testbox_id }}
-      - name: Verify ARM runner
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          runner_arch="$(uname -m)"
-          echo "check-arm runner architecture: ${runner_arch}"
-          case "$runner_arch" in
-            aarch64 | arm64)
-              ;;
-            *)
-              echo "check-arm requires an ARM64 runner; got ${runner_arch}" >&2
-              exit 1
-              ;;
-          esac
-      - name: Checkout
-        shell: bash
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ github.sha }}
-          CHECKOUT_TOKEN: ${{ github.token }}
-        run: |
-          set -euo pipefail
-
-          workdir="$GITHUB_WORKSPACE"
-          if [[ -z "$CHECKOUT_TOKEN" ]]; then
-            echo "checkout token is missing" >&2
-            exit 1
-          fi
-          auth_header="$(printf 'x-access-token:%s' "$CHECKOUT_TOKEN" | base64 | tr -d '\n')"
-
-          reset_checkout_dir() {
-            mkdir -p "$workdir"
-            find "$workdir" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
-          }
-
-          checkout_attempt() {
-            local attempt="$1"
-
-            reset_checkout_dir
-            git init "$workdir" >/dev/null
-            git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}"
-            git -C "$workdir" config gc.auto 0
-
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
-              -c protocol.version=2 \
-              -c "http.extraheader=AUTHORIZATION: basic ${auth_header}" \
-              fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-              "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
-
-            git -C "$workdir" checkout --force --detach "$CHECKOUT_SHA" || return 1
-            test -f "$workdir/.github/actions/setup-node-env/action.yml" || return 1
-            echo "checkout attempt ${attempt}/5 succeeded"
-          }
-
-          for attempt in 1 2 3 4 5; do
-            if checkout_attempt "$attempt"; then
-              exit 0
-            fi
-            echo "checkout attempt ${attempt}/5 failed"
-            sleep $((attempt * 5))
-          done
-
-          echo "checkout failed after 5 attempts" >&2
-          exit 1
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-      - name: Prepare Testbox shell
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          timeout --signal=TERM --kill-after=10s 30s git \
-            -c protocol.version=2 \
-            fetch --no-tags --prune --no-recurse-submodules --depth=50 origin \
-            "+refs/heads/main:refs/remotes/origin/main"
-
-          node_bin="$(dirname "$(node -p 'process.execPath')")"
-          sudo ln -sf "$node_bin/node" /usr/local/bin/node
-          sudo ln -sf "$node_bin/npm" /usr/local/bin/npm
-          sudo ln -sf "$node_bin/npx" /usr/local/bin/npx
-          sudo ln -sf "$node_bin/corepack" /usr/local/bin/corepack
-          sudo tee /usr/local/bin/pnpm >/dev/null <<'PNPM'
-          #!/usr/bin/env bash
-          exec /usr/local/bin/corepack pnpm "$@"
-          PNPM
-          sudo chmod 0755 /usr/local/bin/pnpm
-
-      - name: Hydrate Testbox provider env helper
-        shell: bash
-        env:
-          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-          ANTHROPIC_API_KEY_OLD: ${{ secrets.ANTHROPIC_API_KEY_OLD }}
-          ANTHROPIC_API_TOKEN: ${{ secrets.ANTHROPIC_API_TOKEN }}
-          CEREBRAS_API_KEY: ${{ secrets.CEREBRAS_API_KEY }}
-          DEEPINFRA_API_KEY: ${{ secrets.DEEPINFRA_API_KEY }}
-          FACTORY_API_KEY: ${{ secrets.FACTORY_API_KEY }}
-          FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
-          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
-          GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-          GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
-          KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
-          MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
-          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
-          MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
-          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
-          QWEN_API_KEY: ${{ secrets.QWEN_API_KEY }}
-          TOGETHER_API_KEY: ${{ secrets.TOGETHER_API_KEY }}
-          XAI_API_KEY: ${{ secrets.XAI_API_KEY }}
-          ZAI_API_KEY: ${{ secrets.ZAI_API_KEY }}
-          Z_AI_API_KEY: ${{ secrets.Z_AI_API_KEY }}
-        run: bash scripts/ci-hydrate-testbox-env.sh
-
-      - name: Run Testbox
-        uses: useblacksmith/run-testbox@5ca05834db1d3813554d1dd109e5f2087a8d7cbc
-        if: success()
-        env:
-          FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

.github/workflows/ci-check-testbox.yml

@@ -15,8 +15,6 @@ permissions:
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  PNPM_CONFIG_STORE_DIR: "/tmp/openclaw-pnpm-store"
-  PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN: "false"
 
 jobs:
   check:
@@ -28,7 +26,7 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Begin Testbox
-        uses: useblacksmith/begin-testbox@233448af4bfdc6fca509a7f0974411ac6d8a8043
+        uses: useblacksmith/begin-testbox@d0e04585c26905fdd92c94a09c159544c7ee1b67
         with:
           testbox_id: ${{ inputs.testbox_id }}
       - name: Checkout
@@ -61,7 +59,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
+            timeout --signal=TERM 30s git -C "$workdir" \
               -c protocol.version=2 \
               -c "http.extraheader=AUTHORIZATION: basic ${auth_header}" \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
@@ -91,10 +89,7 @@ jobs:
         run: |
           set -euo pipefail
 
-          timeout --signal=TERM --kill-after=10s 30s git \
-            -c protocol.version=2 \
-            fetch --no-tags --prune --no-recurse-submodules --depth=50 origin \
-            "+refs/heads/main:refs/remotes/origin/main"
+          git fetch --no-tags --depth=50 origin "+refs/heads/main:refs/remotes/origin/main"
 
           node_bin="$(dirname "$(node -p 'process.execPath')")"
           sudo ln -sf "$node_bin/node" /usr/local/bin/node
@@ -135,7 +130,8 @@ jobs:
         run: bash scripts/ci-hydrate-testbox-env.sh
 
       - name: Run Testbox
-        uses: useblacksmith/run-testbox@3f60ff9ceb2c10c3feefa87dc0c6490cffae059d
+        uses: useblacksmith/run-testbox@5ca05834db1d3813554d1dd109e5f2087a8d7cbc
         if: success()
+        continue-on-error: true
         env:
           FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

.github/workflows/ci.yml

@@ -28,7 +28,7 @@ permissions:
 
 concurrency:
   group: ${{ github.event_name == 'workflow_dispatch' && format('{0}-manual-v1-{1}', github.workflow, github.run_id) || (github.event_name == 'pull_request' && format('{0}-v7-{1}', github.workflow, github.event.pull_request.number) || (github.repository == 'openclaw/openclaw' && format('{0}-v7-{1}', github.workflow, github.ref) || format('{0}-v7-{1}-{2}', github.workflow, github.ref, github.sha))) }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'openclaw/openclaw' && github.ref == 'refs/heads/main') }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
@@ -76,50 +76,13 @@ jobs:
       android_matrix: ${{ steps.manifest.outputs.android_matrix }}
     steps:
       - name: Checkout
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_REF: ${{ inputs.target_ref || github.sha }}
-          CHECKOUT_FALLBACK_REF: ${{ github.sha }}
-          GITHUB_EVENT_NAME: ${{ github.event_name }}
-        run: |
-          set -euo pipefail
-          git init "$GITHUB_WORKSPACE"
-          git -C "$GITHUB_WORKSPACE" config gc.auto 0
-          git -C "$GITHUB_WORKSPACE" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
-          fetch_checkout_ref() {
-            local ref="$1"
-            local fetch_status
-            for attempt in 1 2 3; do
-              timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
-                -c protocol.version=2 \
-                fetch --no-tags --prune --no-recurse-submodules --depth=2 origin \
-                "+${ref}:refs/remotes/origin/checkout" && return 0
-              fetch_status="$?"
-              if [ "$fetch_status" != "124" ] && [ "$fetch_status" != "137" ]; then
-                return "$fetch_status"
-              fi
-              if [ "$attempt" = "3" ]; then
-                return "$fetch_status"
-              fi
-              echo "::warning::checkout fetch for '$ref' timed out on attempt $attempt; retrying"
-              sleep 5
-            done
-          }
-          if fetch_checkout_ref "$CHECKOUT_REF"; then
-            :
-          else
-            fetch_status="$?"
-            if [ "$fetch_status" = "124" ] || [ "$fetch_status" = "137" ]; then
-              echo "::error::checkout fetch for '$CHECKOUT_REF' timed out"
-              exit "$fetch_status"
-            fi
-            if [ "$GITHUB_EVENT_NAME" != "workflow_dispatch" ] || [ "$CHECKOUT_REF" = "$CHECKOUT_FALLBACK_REF" ]; then
-              exit "$fetch_status"
-            fi
-            echo "::warning::workflow_dispatch target_ref '$CHECKOUT_REF' is unavailable; falling back to head SHA '$CHECKOUT_FALLBACK_REF'"
-            fetch_checkout_ref "$CHECKOUT_FALLBACK_REF"
-          fi
-          git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.target_ref || github.sha }}
+          fetch-depth: 1
+          fetch-tags: false
+          persist-credentials: true
+          submodules: false
 
       - name: Resolve checkout SHA
         id: checkout_ref
@@ -146,12 +109,12 @@ jobs:
 
           if [ "${{ github.event_name }}" = "push" ]; then
             BASE="${{ github.event.before }}"
-            node scripts/ci-changed-scope.mjs --base "$BASE" --head HEAD
           else
             BASE="${{ github.event.pull_request.base.sha }}"
-            node scripts/ci-changed-scope.mjs --base "$BASE" --head HEAD --merge-head-first-parent
           fi
 
+          node scripts/ci-changed-scope.mjs --base "$BASE" --head HEAD
+
       - name: Build CI manifest
         id: manifest
         env:
@@ -236,7 +199,6 @@ jobs:
           if (runNodeFull) {
             checksFastCoreTasks.push(
               { check_name: "checks-fast-bundled-protocol", runtime: "node", task: "bundled-protocol" },
-              { check_name: "checks-fast-bun-launcher", runtime: "bun", task: "bun-launcher" },
             );
           } else {
             if (runNodeFastCiRouting) {
@@ -337,50 +299,13 @@ jobs:
       PRE_COMMIT_HOME: .cache/pre-commit-security-fast
     steps:
       - name: Checkout
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_REF: ${{ inputs.target_ref || github.sha }}
-          CHECKOUT_FALLBACK_REF: ${{ github.sha }}
-          GITHUB_EVENT_NAME: ${{ github.event_name }}
-        run: |
-          set -euo pipefail
-          git init "$GITHUB_WORKSPACE"
-          git -C "$GITHUB_WORKSPACE" config gc.auto 0
-          git -C "$GITHUB_WORKSPACE" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
-          fetch_checkout_ref() {
-            local ref="$1"
-            local fetch_status
-            for attempt in 1 2 3; do
-              timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
-                -c protocol.version=2 \
-                fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-                "+${ref}:refs/remotes/origin/checkout" && return 0
-              fetch_status="$?"
-              if [ "$fetch_status" != "124" ] && [ "$fetch_status" != "137" ]; then
-                return "$fetch_status"
-              fi
-              if [ "$attempt" = "3" ]; then
-                return "$fetch_status"
-              fi
-              echo "::warning::checkout fetch for '$ref' timed out on attempt $attempt; retrying"
-              sleep 5
-            done
-          }
-          if fetch_checkout_ref "$CHECKOUT_REF"; then
-            :
-          else
-            fetch_status="$?"
-            if [ "$fetch_status" = "124" ] || [ "$fetch_status" = "137" ]; then
-              echo "::error::checkout fetch for '$CHECKOUT_REF' timed out"
-              exit "$fetch_status"
-            fi
-            if [ "$GITHUB_EVENT_NAME" != "workflow_dispatch" ] || [ "$CHECKOUT_REF" = "$CHECKOUT_FALLBACK_REF" ]; then
-              exit "$fetch_status"
-            fi
-            echo "::warning::workflow_dispatch target_ref '$CHECKOUT_REF' is unavailable; falling back to head SHA '$CHECKOUT_FALLBACK_REF'"
-            fetch_checkout_ref "$CHECKOUT_FALLBACK_REF"
-          fi
-          git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.target_ref || github.sha }}
+          fetch-depth: 1
+          fetch-tags: false
+          persist-credentials: true
+          submodules: false
 
       - name: Ensure security base commit
         if: github.event_name != 'workflow_dispatch'
@@ -410,20 +335,22 @@ jobs:
           fi
           echo "PRE_COMMIT_CONFIG_PATH=$trusted_config" >> "$GITHUB_ENV"
 
-      - name: Resolve Python runtime
+      - name: Setup Python
         id: setup-python
-        run: |
-          set -euo pipefail
-          python3 --version
-          version="$(python3 - <<'PY'
-          import platform
-          print(platform.python_version())
-          PY
-          )"
-          echo "python-version=${version}" >> "$GITHUB_OUTPUT"
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+
+      - name: Restore pre-commit cache
+        uses: actions/cache@v5
+        with:
+          path: .cache/pre-commit-security-fast
+          key: pre-commit-security-fast-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }}
+          restore-keys: |
+            pre-commit-security-fast-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-
 
       - name: Install pre-commit
-        run: python3 -m pip install --disable-pip-version-check pre-commit==4.2.0
+        run: python -m pip install --disable-pip-version-check pre-commit==4.2.0
 
       - name: Detect committed private keys
         run: pre-commit run --config "${PRE_COMMIT_CONFIG_PATH:-.pre-commit-config.yaml}" --all-files detect-private-key
@@ -456,76 +383,14 @@ jobs:
           pre-commit run --config "${PRE_COMMIT_CONFIG_PATH:-.pre-commit-config.yaml}" zizmor --files "${workflow_files[@]}"
 
       - name: Setup Node.js
-        env:
-          REQUESTED_NODE_VERSION: "24.x"
-        run: |
-          set -euo pipefail
-          source .github/actions/setup-pnpm-store-cache/ensure-node.sh
-          openclaw_ensure_node "$REQUESTED_NODE_VERSION"
+        uses: actions/setup-node@v6
+        with:
+          node-version: "24.x"
+          check-latest: false
 
       - name: Audit production dependencies
         run: node scripts/pre-commit/pnpm-audit-prod.mjs --audit-level=high
 
-  # Warm the lockfile- and pnpm-pinned store without blocking Linux Node shards.
-  # On a cold key this job owns the save for later workflow runs.
-  pnpm-store-warmup:
-    permissions:
-      contents: read
-    needs: [preflight]
-    if: needs.preflight.outputs.run_node == 'true' || needs.preflight.outputs.run_check_docs == 'true'
-    runs-on: ${{ github.event_name == 'workflow_dispatch' && 'ubuntu-24.04' || (github.repository == 'openclaw/openclaw' && 'blacksmith-4vcpu-ubuntu-2404' || 'ubuntu-24.04') }}
-    timeout-minutes: 20
-    steps:
-      - name: Checkout
-        shell: bash
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
-        run: |
-          set -euo pipefail
-
-          workdir="$GITHUB_WORKSPACE"
-          reset_checkout_dir() {
-            mkdir -p "$workdir"
-            find "$workdir" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
-          }
-
-          checkout_attempt() {
-            local attempt="$1"
-
-            reset_checkout_dir
-            git init "$workdir" >/dev/null
-            git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
-            git -C "$workdir" config gc.auto 0
-
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
-              -c protocol.version=2 \
-              fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-              "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
-
-            git -C "$workdir" checkout --force --detach "$CHECKOUT_SHA" || return 1
-            test -f "$workdir/.github/actions/setup-node-env/action.yml" || return 1
-            echo "checkout attempt ${attempt}/5 succeeded"
-          }
-
-          for attempt in 1 2 3 4 5; do
-            if checkout_attempt "$attempt"; then
-              exit 0
-            fi
-            echo "checkout attempt ${attempt}/5 failed"
-            sleep $((attempt * 5))
-          done
-
-          echo "checkout failed after 5 attempts" >&2
-          exit 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-          save-actions-cache: "true"
-
   # Build dist once for Node-relevant changes and share it with downstream jobs.
   # Keep this overlapping with the fast correctness lanes so green PRs get heavy
   # test/build feedback sooner instead of waiting behind a full `check` pass.
@@ -534,7 +399,7 @@ jobs:
       contents: read
     needs: [preflight]
     if: needs.preflight.outputs.run_build_artifacts == 'true'
-    runs-on: ${{ github.event_name == 'workflow_dispatch' && 'ubuntu-24.04' || (github.repository == 'openclaw/openclaw' && 'blacksmith-32vcpu-ubuntu-2404' || 'ubuntu-24.04') }}
+    runs-on: ${{ github.event_name == 'workflow_dispatch' && 'ubuntu-24.04' || (github.repository == 'openclaw/openclaw' && 'blacksmith-16vcpu-ubuntu-2404' || 'ubuntu-24.04') }}
     timeout-minutes: 20
     outputs:
       channels-result: ${{ steps.built_artifact_checks.outputs['channels-result'] }}
@@ -546,6 +411,7 @@ jobs:
         env:
           CHECKOUT_REPO: ${{ github.repository }}
           CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
+          CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
 
@@ -561,10 +427,10 @@ jobs:
             reset_checkout_dir
             git init "$workdir" >/dev/null
             git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
+            git -C "$workdir" remote add origin "https://x-access-token:${CHECKOUT_TOKEN}@github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
+            timeout --signal=TERM 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -597,35 +463,26 @@ jobs:
         with:
           install-bun: "false"
 
-      - name: Restore build-all step cache
-        uses: actions/cache@v5
-        with:
-          path: .artifacts/build-all-cache
-          key: ${{ runner.os }}-build-all-v3-${{ hashFiles('package.json', 'pnpm-lock.yaml', 'npm-shrinkwrap.json', 'packages/plugin-sdk/package.json', 'packages/llm-core/package.json', 'packages/model-catalog-core/package.json', 'packages/memory-host-sdk/package.json', 'scripts/build-all.mjs', 'scripts/write-plugin-sdk-entry-dts.ts', 'scripts/lib/plugin-sdk-entries.mjs', 'tsconfig.json', 'tsconfig.plugin-sdk.dts.json', 'src/plugin-sdk/**', 'packages/llm-core/src/**', 'packages/model-catalog-core/src/**', 'packages/memory-host-sdk/src/**', 'src/types/**', 'src/video-generation/dashscope-compatible.ts', 'src/video-generation/types.ts', 'scripts/copy-export-html-templates.ts', 'scripts/lib/copy-assets.ts', 'src/auto-reply/reply/export-html/**') }}
-          restore-keys: |
-            ${{ runner.os }}-build-all-v3-
-
-      - name: Restore dist build cache
-        id: dist_build_cache
-        uses: actions/cache/restore@v5
-        with:
-          path: |
-            dist/
-            dist-runtime/
-            extensions/*/src/host/**/.bundle.hash
-            extensions/*/src/host/**/*.bundle.js
-          key: ${{ runner.os }}-dist-build-${{ needs.preflight.outputs.checkout_revision }}
-
       - name: Build dist
-        if: steps.dist_build_cache.outputs.cache-hit != 'true'
         env:
           NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build:ci-artifacts
 
+      - name: Build Control UI
+        run: pnpm ui:build
+
       - name: Check Control UI i18n
         if: needs.preflight.outputs.run_control_ui_i18n == 'true'
         run: pnpm ui:i18n:check
 
+      - name: Cache dist build
+        uses: actions/cache@v5
+        with:
+          path: |
+            dist/
+            dist-runtime/
+          key: ${{ runner.os }}-dist-build-${{ needs.preflight.outputs.checkout_revision }}
+
       - name: Pack built runtime artifacts
         run: tar --posix -cf dist-runtime-build.tar.zst --use-compress-program zstdmt dist dist-runtime
 
@@ -721,8 +578,7 @@ jobs:
           fi
 
           if [ "$RUN_GATEWAY_WATCH" = "true" ]; then
-            start_check "gateway-watch" \
-              node scripts/check-gateway-watch-regression.mjs --skip-build
+            start_check "gateway-watch" node scripts/check-gateway-watch-regression.mjs --skip-build --ready-timeout-ms 5000
           fi
 
           for index in "${!pids[@]}"; do
@@ -755,18 +611,6 @@ jobs:
           done
           exit "$failures"
 
-      - name: Save dist build cache
-        if: steps.dist_build_cache.outputs.cache-hit != 'true'
-        uses: actions/cache/save@v5
-        continue-on-error: true
-        with:
-          path: |
-            dist/
-            dist-runtime/
-            extensions/*/src/host/**/.bundle.hash
-            extensions/*/src/host/**/*.bundle.js
-          key: ${{ steps.dist_build_cache.outputs.cache-primary-key }}
-
       - name: Upload gateway watch regression artifacts
         if: always() && needs.preflight.outputs.run_check_additional == 'true'
         uses: actions/upload-artifact@v7
@@ -792,6 +636,7 @@ jobs:
         env:
           CHECKOUT_REPO: ${{ github.repository }}
           CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
+          CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
 
@@ -807,10 +652,10 @@ jobs:
             reset_checkout_dir
             git init "$workdir" >/dev/null
             git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
+            git -C "$workdir" remote add origin "https://x-access-token:${CHECKOUT_TOKEN}@github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
+            timeout --signal=TERM 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -834,7 +679,7 @@ jobs:
       - name: Setup Node environment
         uses: ./.github/actions/setup-node-env
         with:
-          install-bun: ${{ matrix.task == 'bun-launcher' && 'true' || 'false' }}
+          install-bun: "false"
 
       - name: Run ${{ matrix.task }} (${{ matrix.runtime }})
         env:
@@ -850,13 +695,10 @@ jobs:
               ;;
             contracts-plugins-ci-routing)
               pnpm test:contracts:plugins
-              pnpm test src/commands/status.scan-result.test.ts src/scripts/ci-changed-scope.test.ts test/scripts/changed-lanes.test.ts test/scripts/run-vitest.test.ts test/scripts/test-projects.test.ts
+              pnpm test src/commands/status.scan-result.test.ts src/scripts/ci-changed-scope.test.ts test/scripts/test-projects.test.ts
               ;;
             ci-routing)
-              pnpm test src/commands/status.scan-result.test.ts src/scripts/ci-changed-scope.test.ts test/scripts/changed-lanes.test.ts test/scripts/run-vitest.test.ts test/scripts/test-projects.test.ts
-              ;;
-            bun-launcher)
-              OPENCLAW_TEST_BUN_LAUNCHER=1 pnpm test test/openclaw-launcher.e2e.test.ts
+              pnpm test src/commands/status.scan-result.test.ts src/scripts/ci-changed-scope.test.ts test/scripts/test-projects.test.ts
               ;;
             *)
               echo "Unsupported checks-fast task: $TASK" >&2
@@ -881,6 +723,7 @@ jobs:
         env:
           CHECKOUT_REPO: ${{ github.repository }}
           CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
+          CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
 
@@ -896,10 +739,10 @@ jobs:
             reset_checkout_dir
             git init "$workdir" >/dev/null
             git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
+            git -C "$workdir" remote add origin "https://x-access-token:${CHECKOUT_TOKEN}@github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
+            timeout --signal=TERM 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -961,6 +804,7 @@ jobs:
         env:
           CHECKOUT_REPO: ${{ github.repository }}
           CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
+          CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
 
@@ -976,10 +820,10 @@ jobs:
             reset_checkout_dir
             git init "$workdir" >/dev/null
             git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
+            git -C "$workdir" remote add origin "https://x-access-token:${CHECKOUT_TOKEN}@github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
+            timeout --signal=TERM 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -1038,6 +882,7 @@ jobs:
         env:
           CHECKOUT_REPO: ${{ github.repository }}
           CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
+          CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
 
@@ -1053,10 +898,10 @@ jobs:
             reset_checkout_dir
             git init "$workdir" >/dev/null
             git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
+            git -C "$workdir" remote add origin "https://x-access-token:${CHECKOUT_TOKEN}@github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
+            timeout --signal=TERM 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -1102,7 +947,7 @@ jobs:
     name: ${{ matrix.check_name }}
     needs: [preflight]
     if: needs.preflight.outputs.run_checks_node_core_nondist == 'true'
-    runs-on: ${{ github.event_name == 'workflow_dispatch' && 'ubuntu-24.04' || (github.repository == 'openclaw/openclaw' && (matrix.runner || 'blacksmith-8vcpu-ubuntu-2404') || 'ubuntu-24.04') }}
+    runs-on: ${{ github.event_name == 'workflow_dispatch' && 'ubuntu-24.04' || (github.repository == 'openclaw/openclaw' && (matrix.runner || 'ubuntu-24.04') || 'ubuntu-24.04') }}
     timeout-minutes: 60
     strategy:
       fail-fast: false
@@ -1113,6 +958,7 @@ jobs:
         env:
           CHECKOUT_REPO: ${{ github.repository }}
           CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
+          CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
 
@@ -1128,10 +974,10 @@ jobs:
             reset_checkout_dir
             git init "$workdir" >/dev/null
             git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
+            git -C "$workdir" remote add origin "https://x-access-token:${CHECKOUT_TOKEN}@github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
+            timeout --signal=TERM 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -1167,8 +1013,6 @@ jobs:
           OPENCLAW_NODE_TEST_CONFIGS_JSON: ${{ toJson(matrix.configs) }}
           OPENCLAW_NODE_TEST_INCLUDE_PATTERNS_JSON: ${{ toJson(matrix.includePatterns) }}
           OPENCLAW_VITEST_SHARD_NAME: ${{ matrix.shard_name }}
-          OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS: "300000"
-          OPENCLAW_VITEST_NO_OUTPUT_RETRY: "1"
           OPENCLAW_TEST_PROJECTS_PARALLEL: "2"
         shell: bash
         run: |
@@ -1210,7 +1054,7 @@ jobs:
     name: ${{ matrix.check_name }}
     needs: [preflight]
     if: ${{ !cancelled() && always() && needs.preflight.outputs.run_check == 'true' }}
-    runs-on: ${{ github.event_name == 'workflow_dispatch' && 'ubuntu-24.04' || (github.repository == 'openclaw/openclaw' && (matrix.runner || 'blacksmith-4vcpu-ubuntu-2404') || 'ubuntu-24.04') }}
+    runs-on: ${{ github.event_name == 'workflow_dispatch' && 'ubuntu-24.04' || (github.repository == 'openclaw/openclaw' && matrix.runner || 'ubuntu-24.04') }}
     timeout-minutes: 20
     strategy:
       fail-fast: false
@@ -1219,9 +1063,6 @@ jobs:
           - check_name: check-guards
             task: guards
             runner: blacksmith-4vcpu-ubuntu-2404
-          - check_name: check-shrinkwrap
-            task: shrinkwrap
-            runner: blacksmith-4vcpu-ubuntu-2404
           - check_name: check-prod-types
             task: prod-types
             runner: blacksmith-4vcpu-ubuntu-2404
@@ -1240,6 +1081,7 @@ jobs:
         env:
           CHECKOUT_REPO: ${{ github.repository }}
           CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
+          CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
 
@@ -1255,10 +1097,10 @@ jobs:
             reset_checkout_dir
             git init "$workdir" >/dev/null
             git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
+            git -C "$workdir" remote add origin "https://x-access-token:${CHECKOUT_TOKEN}@github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
+            timeout --signal=TERM 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -1297,16 +1139,14 @@ jobs:
               pnpm tool-display:check
               pnpm check:host-env-policy:swift
               pnpm dup:check:coverage
+              pnpm deps:shrinkwrap:check
               pnpm deps:patches:check
               pnpm lint:webhook:no-low-level-body-read
               pnpm lint:auth:no-pairing-store-group
               pnpm lint:auth:pairing-account-scope
               pnpm check:import-cycles
               # build-artifacts already runs the tsdown/runtime build for the same Node-relevant changes.
-              NODE_OPTIONS=--max-old-space-size=8192 pnpm build:plugin-sdk:strict-smoke
-              ;;
-            shrinkwrap)
-              pnpm deps:shrinkwrap:check
+              pnpm build:plugin-sdk:strict-smoke
               ;;
             prod-types)
               pnpm tsgo:prod
@@ -1372,6 +1212,7 @@ jobs:
         env:
           CHECKOUT_REPO: ${{ github.repository }}
           CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
+          CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
 
@@ -1387,10 +1228,10 @@ jobs:
             reset_checkout_dir
             git init "$workdir" >/dev/null
             git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
+            git -C "$workdir" remote add origin "https://x-access-token:${CHECKOUT_TOKEN}@github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
+            timeout --signal=TERM 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -1426,7 +1267,7 @@ jobs:
             packages/plugin-sdk/dist
             extensions/*/dist/.boundary-tsc.tsbuildinfo
             extensions/*/dist/.boundary-tsc.stamp
-          key: ${{ runner.os }}-extension-package-boundary-v1-${{ hashFiles('tsconfig.json', 'tsconfig.plugin-sdk.dts.json', 'packages/plugin-sdk/tsconfig.json', 'packages/llm-core/package.json', 'packages/model-catalog-core/package.json', 'scripts/check-extension-package-tsc-boundary.mjs', 'scripts/prepare-extension-package-boundary-artifacts.mjs', 'scripts/write-plugin-sdk-entry-dts.ts', 'scripts/lib/plugin-sdk-entrypoints.json', 'scripts/lib/plugin-sdk-entries.mjs', 'src/plugin-sdk/**', 'src/plugins/types.ts', 'src/auto-reply/**', 'packages/llm-core/src/**', 'packages/model-catalog-core/src/**', 'src/video-generation/dashscope-compatible.ts', 'src/video-generation/types.ts', 'src/types/**', 'extensions/**', 'extensions/tsconfig.package-boundary*.json', 'package.json', 'pnpm-lock.yaml') }}
+          key: ${{ runner.os }}-extension-package-boundary-v1-${{ hashFiles('tsconfig.json', 'tsconfig.plugin-sdk.dts.json', 'packages/plugin-sdk/tsconfig.json', 'scripts/check-extension-package-tsc-boundary.mjs', 'scripts/prepare-extension-package-boundary-artifacts.mjs', 'scripts/write-plugin-sdk-entry-dts.ts', 'scripts/lib/plugin-sdk-entrypoints.json', 'scripts/lib/plugin-sdk-entries.mjs', 'src/plugin-sdk/**', 'src/auto-reply/**', 'src/video-generation/dashscope-compatible.ts', 'src/video-generation/types.ts', 'src/types/**', 'extensions/**', 'extensions/tsconfig.package-boundary*.json', 'package.json', 'pnpm-lock.yaml') }}
           restore-keys: |
             ${{ runner.os }}-extension-package-boundary-v1-
 
@@ -1443,22 +1284,10 @@ jobs:
           find src \
             -type f \( -name '*.ts' -o -name '*.tsx' -o -name '*.mts' -o -name '*.cts' -o -name '*.js' -o -name '*.mjs' -o -name '*.json' \) \
             -exec touch -t 200001010000 {} +
-          if [ -d packages/llm-core/src ]; then
-            find packages/llm-core/src \
-              -type f \( -name '*.ts' -o -name '*.tsx' -o -name '*.mts' -o -name '*.cts' -o -name '*.js' -o -name '*.mjs' -o -name '*.json' \) \
-              -exec touch -t 200001010000 {} +
-          fi
-          if [ -d packages/model-catalog-core/src ]; then
-            find packages/model-catalog-core/src \
-              -type f \( -name '*.ts' -o -name '*.tsx' -o -name '*.mts' -o -name '*.cts' -o -name '*.js' -o -name '*.mjs' -o -name '*.json' \) \
-              -exec touch -t 200001010000 {} +
-          fi
-          cache_inputs=(
+          touch -t 200001010000 \
             tsconfig.json \
             tsconfig.plugin-sdk.dts.json \
             packages/plugin-sdk/tsconfig.json \
-            packages/llm-core/package.json \
-            packages/model-catalog-core/package.json \
             scripts/check-extension-package-tsc-boundary.mjs \
             scripts/prepare-extension-package-boundary-artifacts.mjs \
             scripts/write-plugin-sdk-entry-dts.ts \
@@ -1466,12 +1295,6 @@ jobs:
             scripts/lib/plugin-sdk-entries.mjs \
             package.json \
             pnpm-lock.yaml
-          )
-          for cache_input in "${cache_inputs[@]}"; do
-            if [ -e "$cache_input" ]; then
-              touch -t 200001010000 "$cache_input"
-            fi
-          done
 
       - name: Run additional check shard
         env:
@@ -1539,6 +1362,7 @@ jobs:
         env:
           CHECKOUT_REPO: ${{ github.repository }}
           CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
+          CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
 
@@ -1554,10 +1378,10 @@ jobs:
             reset_checkout_dir
             git init "$workdir" >/dev/null
             git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
+            git -C "$workdir" remote add origin "https://x-access-token:${CHECKOUT_TOKEN}@github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
+            timeout --signal=TERM 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -1584,46 +1408,12 @@ jobs:
           install-bun: "false"
 
       - name: Checkout ClawHub docs source
-        run: |
-          set -euo pipefail
-
-          workdir="$GITHUB_WORKSPACE/clawhub-source"
-          started_at="$(date +%s)"
-
-          reset_checkout_dir() {
-            mkdir -p "$workdir"
-            find "$workdir" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
-          }
-
-          checkout_attempt() {
-            local attempt="$1"
-
-            reset_checkout_dir
-            git init "$workdir" >/dev/null
-            git -C "$workdir" config gc.auto 0
-            git -C "$workdir" remote add origin "https://github.com/openclaw/clawhub.git"
-
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
-              -c protocol.version=2 \
-              fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-              "+refs/heads/main:refs/remotes/origin/checkout" || return 1
-
-            git -C "$workdir" checkout --force --detach refs/remotes/origin/checkout || return 1
-            echo "ClawHub checkout attempt ${attempt}/5 succeeded"
-          }
-
-          for attempt in 1 2 3 4 5; do
-            if checkout_attempt "$attempt"; then
-              elapsed="$(( $(date +%s) - started_at ))"
-              echo "ClawHub checkout completed in ${elapsed}s"
-              exit 0
-            fi
-            echo "ClawHub checkout attempt ${attempt}/5 failed"
-            sleep $((attempt * 5))
-          done
-
-          echo "ClawHub checkout failed after 5 attempts" >&2
-          exit 1
+        uses: actions/checkout@v6
+        with:
+          repository: openclaw/clawhub
+          path: clawhub-source
+          fetch-depth: 1
+          persist-credentials: true
 
       - name: Check docs
         env:
@@ -1639,34 +1429,11 @@ jobs:
     timeout-minutes: 20
     steps:
       - name: Checkout
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
-        run: |
-          set -euo pipefail
-          git init "$GITHUB_WORKSPACE"
-          git -C "$GITHUB_WORKSPACE" config gc.auto 0
-          git -C "$GITHUB_WORKSPACE" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
-          fetch_checkout_ref() {
-            local fetch_status
-            for attempt in 1 2 3; do
-              timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
-                -c protocol.version=2 \
-                fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-                "+${CHECKOUT_SHA}:refs/remotes/origin/checkout" && return 0
-              fetch_status="$?"
-              if [ "$fetch_status" != "124" ] && [ "$fetch_status" != "137" ]; then
-                return "$fetch_status"
-              fi
-              if [ "$attempt" = "3" ]; then
-                return "$fetch_status"
-              fi
-              echo "::warning::checkout fetch for '$CHECKOUT_SHA' timed out on attempt $attempt; retrying"
-              sleep 5
-            done
-          }
-          fetch_checkout_ref
-          git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
+          persist-credentials: true
+          submodules: false
 
       - name: Setup Python
         uses: actions/setup-python@v6
@@ -1705,37 +1472,11 @@ jobs:
       matrix: ${{ fromJson(needs.preflight.outputs.checks_windows_matrix) }}
     steps:
       - name: Checkout
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
-        run: |
-          set -euo pipefail
-          git init "$GITHUB_WORKSPACE"
-          git -C "$GITHUB_WORKSPACE" config gc.auto 0
-          git -C "$GITHUB_WORKSPACE" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
-          fetch_timeout_seconds=90
-          fetch_checkout_ref() {
-            git -C "$GITHUB_WORKSPACE" \
-              -c protocol.version=2 \
-              fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-              "+${CHECKOUT_SHA}:refs/remotes/origin/checkout" &
-            local fetch_pid="$!"
-            local elapsed=0
-            while kill -0 "$fetch_pid" 2>/dev/null; do
-              if [ "$elapsed" -ge "$fetch_timeout_seconds" ]; then
-                kill -TERM "$fetch_pid" 2>/dev/null || true
-                sleep 10
-                kill -KILL "$fetch_pid" 2>/dev/null || true
-                wait "$fetch_pid" || true
-                return 124
-              fi
-              sleep 1
-              elapsed=$((elapsed + 1))
-            done
-            wait "$fetch_pid"
-          }
-          fetch_checkout_ref
-          git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
+          persist-credentials: true
+          submodules: false
 
       - name: Try to exclude workspace from Windows Defender (best-effort)
         shell: pwsh
@@ -1757,17 +1498,15 @@ jobs:
           }
 
       - name: Setup Node.js
-        env:
-          REQUESTED_NODE_VERSION: "22.x"
-        run: |
-          set -euo pipefail
-          source .github/actions/setup-pnpm-store-cache/ensure-node.sh
-          openclaw_ensure_node "$REQUESTED_NODE_VERSION"
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24.x
+          check-latest: false
 
       - name: Setup pnpm
         uses: ./.github/actions/setup-pnpm-store-cache
         with:
-          node-version: 22.x
+          node-version: 24.x
 
       - name: Runtime versions
         run: |
@@ -1819,44 +1558,18 @@ jobs:
     name: ${{ matrix.check_name }}
     needs: [preflight]
     if: ${{ !cancelled() && always() && needs.preflight.outputs.run_macos_node == 'true' }}
-    runs-on: ${{ github.event_name == 'workflow_dispatch' && 'macos-15' || (github.repository == 'openclaw/openclaw' && 'blacksmith-6vcpu-macos-15' || 'macos-15') }}
+    runs-on: ${{ github.event_name == 'workflow_dispatch' && 'macos-latest' || (github.repository == 'openclaw/openclaw' && 'blacksmith-6vcpu-macos-latest' || 'macos-latest') }}
     timeout-minutes: 20
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.preflight.outputs.macos_node_matrix) }}
     steps:
       - name: Checkout
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
-        run: |
-          set -euo pipefail
-          git init "$GITHUB_WORKSPACE"
-          git -C "$GITHUB_WORKSPACE" config gc.auto 0
-          git -C "$GITHUB_WORKSPACE" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
-          fetch_timeout_seconds=90
-          fetch_checkout_ref() {
-            git -C "$GITHUB_WORKSPACE" \
-              -c protocol.version=2 \
-              fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-              "+${CHECKOUT_SHA}:refs/remotes/origin/checkout" &
-            local fetch_pid="$!"
-            local elapsed=0
-            while kill -0 "$fetch_pid" 2>/dev/null; do
-              if [ "$elapsed" -ge "$fetch_timeout_seconds" ]; then
-                kill -TERM "$fetch_pid" 2>/dev/null || true
-                sleep 10
-                kill -KILL "$fetch_pid" 2>/dev/null || true
-                wait "$fetch_pid" || true
-                return 124
-              fi
-              sleep 1
-              elapsed=$((elapsed + 1))
-            done
-            wait "$fetch_pid"
-          }
-          fetch_checkout_ref
-          git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
+          persist-credentials: true
+          submodules: false
 
       - name: Setup Node environment
         uses: ./.github/actions/setup-node-env
@@ -1889,41 +1602,15 @@ jobs:
     name: "macos-swift"
     needs: [preflight]
     if: needs.preflight.outputs.run_macos_swift == 'true'
-    runs-on: ${{ github.event_name == 'workflow_dispatch' && 'macos-26' || (github.repository == 'openclaw/openclaw' && 'blacksmith-12vcpu-macos-26' || 'macos-26') }}
+    runs-on: ${{ github.event_name == 'workflow_dispatch' && 'macos-26' || (github.repository == 'openclaw/openclaw' && 'blacksmith-12vcpu-macos-latest' || 'macos-26') }}
     timeout-minutes: 20
     steps:
       - name: Checkout
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
-        run: |
-          set -euo pipefail
-          git init "$GITHUB_WORKSPACE"
-          git -C "$GITHUB_WORKSPACE" config gc.auto 0
-          git -C "$GITHUB_WORKSPACE" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
-          fetch_timeout_seconds=90
-          fetch_checkout_ref() {
-            git -C "$GITHUB_WORKSPACE" \
-              -c protocol.version=2 \
-              fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-              "+${CHECKOUT_SHA}:refs/remotes/origin/checkout" &
-            local fetch_pid="$!"
-            local elapsed=0
-            while kill -0 "$fetch_pid" 2>/dev/null; do
-              if [ "$elapsed" -ge "$fetch_timeout_seconds" ]; then
-                kill -TERM "$fetch_pid" 2>/dev/null || true
-                sleep 10
-                kill -KILL "$fetch_pid" 2>/dev/null || true
-                wait "$fetch_pid" || true
-                return 124
-              fi
-              sleep 1
-              elapsed=$((elapsed + 1))
-            done
-            wait "$fetch_pid"
-          }
-          fetch_checkout_ref
-          git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
+          persist-credentials: true
+          submodules: false
 
       - name: Install XcodeGen / SwiftLint / SwiftFormat
         run: brew install xcodegen swiftlint swiftformat
@@ -1994,21 +1681,6 @@ jobs:
           done
           exit 1
 
-      - name: OpenClawKit Talk-trait opt-out (no ElevenLabsKit when default traits disabled)
-        run: |
-          set -euo pipefail
-          # Guard: chat-only consumers build OpenClawKit with the Talk trait
-          # disabled and must NOT link ElevenLabsKit. Assert that future sources
-          # under OpenClawKit cannot silently reintroduce an unconditional
-          # ElevenLabsKit dependency while the manifest still looks correct.
-          deps="$(swift package --package-path apps/shared/OpenClawKit show-dependencies --disable-default-traits)"
-          echo "$deps"
-          if grep -qi 'elevenlabs' <<<"$deps"; then
-            echo "::error::ElevenLabsKit resolved with the Talk trait disabled; keep it gated behind the Talk trait."
-            exit 1
-          fi
-          swift build --package-path apps/shared/OpenClawKit --target OpenClawKit --disable-default-traits
-
       - name: Swift test
         run: |
           set -euo pipefail
@@ -2038,6 +1710,7 @@ jobs:
         env:
           CHECKOUT_REPO: ${{ github.repository }}
           CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }}
+          CHECKOUT_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
 
@@ -2053,10 +1726,10 @@ jobs:
             reset_checkout_dir
             git init "$workdir" >/dev/null
             git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
+            git -C "$workdir" remote add origin "https://x-access-token:${CHECKOUT_TOKEN}@github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
+            timeout --signal=TERM 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -2093,7 +1766,7 @@ jobs:
         uses: actions/cache@v5
         with:
           path: ~/.android-sdk
-          key: ${{ runner.os }}-android-sdk-v1-cmdline-14742923-platform-37.0-build-tools-36.0.0
+          key: ${{ runner.os }}-android-sdk-v1-cmdline-12266719-platform-36-build-tools-36.0.0
           restore-keys: |
             ${{ runner.os }}-android-sdk-v1-
 
@@ -2101,7 +1774,7 @@ jobs:
         run: |
           set -euo pipefail
           ANDROID_SDK_ROOT="$HOME/.android-sdk"
-          CMDLINE_TOOLS_VERSION="14742923"
+          CMDLINE_TOOLS_VERSION="12266719"
           ARCHIVE="commandlinetools-linux-${CMDLINE_TOOLS_VERSION}_latest.zip"
           URL="https://dl.google.com/android/repository/${ARCHIVE}"
 
@@ -2123,7 +1796,7 @@ jobs:
           yes | sdkmanager --sdk_root="${ANDROID_SDK_ROOT}" --licenses >/dev/null
           sdkmanager --sdk_root="${ANDROID_SDK_ROOT}" --install \
             "platform-tools" \
-            "platforms;android-37.0" \
+            "platforms;android-36" \
             "build-tools;36.0.0"
 
       - name: Run Android ${{ matrix.task }}
@@ -2148,53 +1821,3 @@ jobs:
               exit 1
               ;;
           esac
-
-  ci-timings-summary:
-    permissions:
-      actions: read
-      contents: read
-    name: ci-timings-summary
-    needs:
-      - preflight
-      - security-fast
-      - pnpm-store-warmup
-      - build-artifacts
-      - checks-fast-core
-      - checks-fast-plugin-contracts-shard
-      - checks-fast-channel-contracts-shard
-      - checks-node-compat
-      - checks-node-core-test-nondist-shard
-      - check-shard
-      - check-additional-shard
-      - check-docs
-      - skills-python
-      - checks-windows
-      - macos-node
-      - macos-swift
-      - android
-    if: ${{ !cancelled() && always() && github.event_name != 'push' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) }}
-    runs-on: ubuntu-24.04
-    timeout-minutes: 5
-    steps:
-      - name: Checkout timing summary helper
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || needs.preflight.outputs.checkout_revision || github.sha }}
-          fetch-depth: 1
-          fetch-tags: false
-          persist-credentials: false
-          submodules: false
-
-      - name: Write CI timing summary
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          node scripts/ci-run-timings.mjs "$GITHUB_RUN_ID" --limit 25 > ci-timings-summary.txt
-          cat ci-timings-summary.txt >> "$GITHUB_STEP_SUMMARY"
-
-      - name: Upload CI timing summary
-        uses: actions/upload-artifact@v7
-        with:
-          name: ci-timings-summary
-          path: ci-timings-summary.txt
-          retention-days: 14

.github/workflows/clawsweeper-dispatch.yml

@@ -24,14 +24,7 @@ concurrency:
 jobs:
   dispatch:
     runs-on: ubuntu-latest
-    if: >-
-      ${{
-        github.event_name == 'issue_comment' ||
-        !(
-          endsWith(github.actor, '[bot]') &&
-          (github.event.action == 'labeled' || github.event.action == 'unlabeled')
-        )
-      }}
+    if: ${{ github.event_name == 'issue_comment' || !(endsWith(github.actor, '[bot]') && (github.event.action == 'labeled' || github.event.action == 'unlabeled')) }}
     env:
       HAS_CLAWSWEEPER_APP_PRIVATE_KEY: ${{ secrets.CLAWSWEEPER_APP_PRIVATE_KEY != '' }}
       CLAWSWEEPER_APP_CLIENT_ID: Iv23liOECG0slfuhz093

.github/workflows/codeql-android-critical-security.yml

@@ -35,7 +35,7 @@ jobs:
           java-version: "21"
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: java-kotlin
           build-mode: manual
@@ -46,6 +46,6 @@ jobs:
         run: ./gradlew --no-daemon :app:assemblePlayDebug
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-security/android"

.github/workflows/codeql-critical-quality.yml

@@ -33,7 +33,6 @@ on:
       - "packages/plugin-package-contract/**"
       - "packages/plugin-sdk/**"
       - "packages/memory-host-sdk/**"
-      - "packages/net-policy/**"
       - "src/*.ts"
       - "src/**/*.ts"
       - "src/config/**"
@@ -72,9 +71,7 @@ on:
       - "src/acp/control-plane/**"
       - "src/agents/cli-runner/**"
       - "src/agents/command/**"
-      - "src/agents/embedded-agent-runner/**"
-      - "src/agents/sessions/**"
-      - "src/agents/sessions/tools/**"
+      - "src/agents/pi-embedded-runner/**"
       - "src/agents/tools/**"
       - "src/agents/*completion*.ts"
       - "src/agents/*transport*.ts"
@@ -107,13 +104,13 @@ on:
       - "src/gateway/**/*auth*.ts"
       - "src/gateway/*secret*.ts"
       - "src/gateway/**/*secret*.ts"
-      - "packages/gateway-protocol/src/**/*secret*.ts"
+      - "src/gateway/protocol/**/*secret*.ts"
       - "src/gateway/resolve-configured-secret-input-string*.ts"
       - "src/gateway/security-path*.ts"
       - "src/gateway/server-methods/secrets*.ts"
       - "src/gateway/server-startup-memory.ts"
       - "src/gateway/method-scopes.ts"
-      - "packages/gateway-protocol/src/**"
+      - "src/gateway/protocol/**"
       - "src/gateway/server-methods/**"
       - "src/gateway/server-methods.ts"
       - "src/gateway/server-methods-list.ts"
@@ -210,9 +207,6 @@ jobs:
           else
             while IFS= read -r file; do
               case "${file}" in
-                .github/codeql/codeql-network-runtime-boundary-critical-quality.yml|.github/codeql/openclaw-boundary/queries/raw-socket-callsite-classification.ql|.github/codeql/openclaw-boundary/queries/managed-proxy-runtime-mutation.ql)
-                  network_runtime=true
-                  ;;
                 .github/codeql/*|.github/workflows/codeql-critical-quality.yml)
                   agent=true
                   channel=true
@@ -225,17 +219,10 @@ jobs:
                   plugin_sdk_package=true
                   plugin_sdk_reply=true
                   provider=true
+                  network_runtime=true
                   session_diagnostics=true
                   ;;
-                src/agents/sessions/tools/*)
-                  agent=true
-                  mcp_process=true
-                  ;;
-                src/agents/sessions/*auth*.ts|src/agents/sessions/**/*auth*.ts)
-                  agent=true
-                  core_auth_secrets=true
-                  ;;
-                src/acp/control-plane/*|src/agents/cli-runner/*|src/agents/command/*|src/agents/embedded-agent-runner/*|src/agents/sessions/*|src/agents/tools/*|src/agents/*completion*.ts|src/agents/*transport*.ts|src/agents/model-*.ts|src/agents/openclaw-tools*.ts|src/agents/provider-*.ts|src/agents/session*.ts|src/agents/tool-call*.ts|src/auto-reply/reply/agent-runner*.ts|src/auto-reply/reply/commands*.ts|src/auto-reply/reply/directive-handling*.ts|src/auto-reply/reply/dispatch-*.ts|src/auto-reply/reply/get-reply-run*.ts|src/auto-reply/reply/provider-dispatcher*.ts|src/auto-reply/reply/queue*.ts|src/auto-reply/reply/reply-run-registry*.ts|src/auto-reply/reply/session*.ts)
+                src/acp/control-plane/*|src/agents/cli-runner/*|src/agents/command/*|src/agents/pi-embedded-runner/*|src/agents/tools/*|src/agents/*completion*.ts|src/agents/*transport*.ts|src/agents/model-*.ts|src/agents/openclaw-tools*.ts|src/agents/provider-*.ts|src/agents/session*.ts|src/agents/tool-call*.ts|src/auto-reply/reply/agent-runner*.ts|src/auto-reply/reply/commands*.ts|src/auto-reply/reply/directive-handling*.ts|src/auto-reply/reply/dispatch-*.ts|src/auto-reply/reply/get-reply-run*.ts|src/auto-reply/reply/provider-dispatcher*.ts|src/auto-reply/reply/queue*.ts|src/auto-reply/reply/reply-run-registry*.ts|src/auto-reply/reply/session*.ts)
                   agent=true
                   ;;
                 src/auto-reply/reply/post-compaction-context.ts|src/auto-reply/reply/queue/*|src/auto-reply/reply/startup-context.ts|src/commands/doctor-session-*.ts|src/commands/session-store-targets.ts|src/commands/sessions*.ts|src/infra/diagnostic-*.ts|src/infra/diagnostics-timeline.ts|src/infra/session-delivery-queue*.ts|src/logging/diagnostic*.ts)
@@ -247,14 +234,14 @@ jobs:
                 src/config/*)
                   config=true
                   ;;
-                packages/gateway-protocol/src/*secret*.ts|packages/gateway-protocol/src/**/*secret*.ts|src/gateway/server-methods/secrets*.ts)
+                src/gateway/protocol/*secret*.ts|src/gateway/server-methods/secrets*.ts)
                   core_auth_secrets=true
                   gateway=true
                   ;;
                 src/agents/*auth*.ts|src/agents/auth-health*.ts|src/agents/auth-profiles|src/agents/auth-profiles/*|src/agents/bash-tools.exec-host-shared.ts|src/agents/sandbox|src/agents/sandbox.ts|src/agents/sandbox-*.ts|src/agents/sandbox/*|src/cron/service/jobs.ts|src/cron/stagger.ts|src/gateway/*auth*.ts|src/gateway/*secret*.ts|src/gateway/resolve-configured-secret-input-string*.ts|src/gateway/security-path*.ts|src/infra/secret-file*.ts|src/secrets/*|src/security/*)
                   core_auth_secrets=true
                   ;;
-                packages/gateway-protocol/src/*|packages/gateway-protocol/src/**/*|src/gateway/method-scopes.ts|src/gateway/server-methods/*|src/gateway/server-methods.ts|src/gateway/server-methods-list.ts)
+                src/gateway/method-scopes.ts|src/gateway/protocol/*|src/gateway/server-methods/*|src/gateway/server-methods.ts|src/gateway/server-methods-list.ts)
                   gateway=true
                   ;;
                 packages/memory-host-sdk/*|src/commands/doctor-cron-dreaming-payload-migration.ts|src/commands/doctor-memory-search.ts|src/gateway/server-startup-memory.ts|src/memory/*|src/memory-host-sdk/*)
@@ -304,9 +291,7 @@ jobs:
               esac
 
               case "${file}" in
-                src/**/*.test.ts|src/**/*.test.tsx|extensions/**/*.test.ts|extensions/**/*.test.tsx)
-                  ;;
-                packages/net-policy/src/*|packages/net-policy/src/**/*|src/cli/gateway-cli/run-loop.ts|src/infra/net/*|src/infra/net/**/*|src/infra/ssh-tunnel.ts|src/infra/gateway-lock.ts|src/infra/jsonl-socket.ts|src/infra/push-apns-http2.ts|src/proxy-capture/*|src/proxy-capture/**/*|extensions/codex-supervisor/src/json-rpc-client.ts|extensions/irc/src/*|extensions/qa-lab/src/*)
+                src/*.ts|src/**/*.ts|extensions/*.ts|extensions/**/*.ts)
                   network_runtime=true
                   ;;
               esac
@@ -342,13 +327,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-core-auth-secrets-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/core-auth-secrets"
 
@@ -365,13 +350,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-config-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/config-boundary"
 
@@ -388,13 +373,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-gateway-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/gateway-runtime-boundary"
 
@@ -411,13 +396,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/channel-runtime-boundary"
 
@@ -433,48 +418,20 @@ jobs:
         with:
           submodules: false
 
-      - name: Fast PR network boundary diff scan
-        if: ${{ github.event_name == 'pull_request' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          REPOSITORY: ${{ github.repository }}
-        run: |
-          set -euo pipefail
-
-          added_lines="$(mktemp)"
-          gh api --paginate "repos/${REPOSITORY}/pulls/${PR_NUMBER}/files" --jq '
-            .[]
-            | select(.filename | test("^(src/cli/gateway-cli/run-loop\\.ts|src/infra/(gateway-lock|jsonl-socket|push-apns-http2|ssh-tunnel)\\.ts|src/infra/net/|src/proxy-capture/|extensions/codex-supervisor/src/json-rpc-client\\.ts|extensions/irc/src/|extensions/qa-lab/src/|packages/net-policy/src/)"))
-            | .filename as $file
-            | (.patch // "")
-            | split("\n")[]
-            | select(startswith("+") and (startswith("+++") | not))
-            | "\($file): \(.)"
-          ' > "$added_lines"
-
-          if grep -En '(from|require\().*["'\''](node:)?(net|tls|http2)["'\'']|\b(net|tls|http2)\.(connect|createConnection)\b|new Socket\(|HTTP_PROXY|HTTPS_PROXY|NO_PROXY|GLOBAL_AGENT_|OPENCLAW_PROXY_' "$added_lines"; then
-            echo "Network runtime boundary-sensitive added lines require full CodeQL review." >&2
-            exit 1
-          fi
-
       - name: Initialize CodeQL
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-network-runtime-boundary-critical-quality.yml
 
       - name: Analyze
         id: analyze
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           output: sarif-results
           category: "/codeql-critical-quality/network-runtime-boundary"
 
       - name: Fail on network runtime boundary findings
-        if: ${{ github.event_name != 'pull_request' }}
         env:
           SARIF_OUTPUT: sarif-results
         run: |
@@ -518,13 +475,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/agent-runtime-boundary"
 
@@ -541,13 +498,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-mcp-process-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/mcp-process-runtime-boundary"
 
@@ -564,13 +521,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-memory-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/memory-runtime-boundary"
 
@@ -587,13 +544,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-session-diagnostics-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/session-diagnostics-boundary"
 
@@ -610,13 +567,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-plugin-sdk-reply-runtime-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/plugin-sdk-reply-runtime"
 
@@ -633,13 +590,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-provider-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/provider-runtime-boundary"
 
@@ -655,13 +612,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-ui-control-plane-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/ui-control-plane"
 
@@ -677,13 +634,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-web-media-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/web-media-runtime-boundary"
 
@@ -700,13 +657,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-plugin-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/plugin-boundary"
 
@@ -723,12 +680,12 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-plugin-sdk-package-contract-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/plugin-sdk-package-contract"

.github/workflows/codeql-macos-critical-security.yml

@@ -20,7 +20,7 @@ permissions:
 jobs:
   macos:
     name: Critical Security (macOS)
-    runs-on: blacksmith-6vcpu-macos-15
+    runs-on: blacksmith-6vcpu-macos-latest
     timeout-minutes: 45
     steps:
       - name: Checkout
@@ -35,7 +35,7 @@ jobs:
           swift --version
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: swift
           build-mode: manual
@@ -46,7 +46,7 @@ jobs:
 
       - name: Analyze
         id: analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           output: sarif-results
           upload: failure-only
@@ -83,7 +83,7 @@ jobs:
           done
 
       - name: Upload filtered SARIF
-        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: sarif-results-filtered
           category: "/codeql-critical-security/macos"

.github/workflows/codeql.yml

@@ -17,58 +17,7 @@ on:
       - ".github/actions/**"
       - ".github/codeql/**"
       - ".github/workflows/**"
-      - "extensions/acpx/src/**"
-      - "extensions/bonjour/src/advertiser.ts"
-      - "extensions/browser/src/browser/chrome-mcp.ts"
-      - "extensions/browser/src/browser/chrome.executables.ts"
-      - "extensions/browser/src/browser/chrome.ts"
-      - "extensions/codex/src/app-server/sandbox-exec-server/**"
-      - "extensions/codex/src/app-server/transport-stdio.ts"
-      - "extensions/codex/src/node-cli-sessions.ts"
-      - "extensions/codex-supervisor/src/json-rpc-client.ts"
-      - "extensions/file-transfer/src/**"
-      - "extensions/google-meet/src/**"
-      - "extensions/imessage/src/**"
-      - "extensions/memory-core/src/memory/qmd-manager.ts"
-      - "extensions/memory-wiki/src/obsidian.ts"
-      - "extensions/microsoft-foundry/cli.ts"
-      - "extensions/ollama/src/wsl2-crash-loop-check.ts"
-      - "extensions/qa-lab/src/**"
-      - "extensions/signal/src/daemon.ts"
-      - "extensions/tts-local-cli/speech-provider.ts"
-      - "extensions/voice-call/src/**"
       - "packages/**"
-      - "scripts/**"
-      - "src/**"
-  push:
-    branches:
-      - main
-    paths:
-      - ".github/actions/**"
-      - ".github/codeql/**"
-      - ".github/workflows/**"
-      - "extensions/acpx/src/**"
-      - "extensions/bonjour/src/advertiser.ts"
-      - "extensions/browser/src/browser/chrome-mcp.ts"
-      - "extensions/browser/src/browser/chrome.executables.ts"
-      - "extensions/browser/src/browser/chrome.ts"
-      - "extensions/codex/src/app-server/sandbox-exec-server/**"
-      - "extensions/codex/src/app-server/transport-stdio.ts"
-      - "extensions/codex/src/node-cli-sessions.ts"
-      - "extensions/codex-supervisor/src/json-rpc-client.ts"
-      - "extensions/file-transfer/src/**"
-      - "extensions/google-meet/src/**"
-      - "extensions/imessage/src/**"
-      - "extensions/memory-core/src/memory/qmd-manager.ts"
-      - "extensions/memory-wiki/src/obsidian.ts"
-      - "extensions/microsoft-foundry/cli.ts"
-      - "extensions/ollama/src/wsl2-crash-loop-check.ts"
-      - "extensions/qa-lab/src/**"
-      - "extensions/signal/src/daemon.ts"
-      - "extensions/tts-local-cli/speech-provider.ts"
-      - "extensions/voice-call/src/**"
-      - "packages/**"
-      - "scripts/**"
       - "src/**"
   schedule:
     - cron: "0 6 * * *"
@@ -115,11 +64,6 @@ jobs:
             runs_on: blacksmith-4vcpu-ubuntu-2404
             timeout_minutes: 25
             config_file: ./.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
-          - language: javascript-typescript
-            category: process-exec-boundary
-            runs_on: blacksmith-4vcpu-ubuntu-2404
-            timeout_minutes: 25
-            config_file: ./.github/codeql/codeql-process-exec-boundary-critical-security.yml
           - language: javascript-typescript
             category: plugin-trust-boundary
             runs_on: blacksmith-4vcpu-ubuntu-2404
@@ -132,28 +76,17 @@ jobs:
             config_file: ./.github/codeql/codeql-actions-critical-security.yml
     steps:
       - name: Checkout
-        if: ${{ matrix.category != 'actions' }}
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           submodules: false
 
-      - name: Checkout Actions security sources
-        if: ${{ matrix.category == 'actions' }}
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-          sparse-checkout: |
-            .github/actions
-            .github/workflows
-            .github/codeql
-
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: ${{ matrix.language }}
           config-file: ${{ matrix.config_file }}
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-security-high/${{ matrix.category }}"

.github/workflows/control-ui-locale-refresh.yml

@@ -138,7 +138,7 @@ jobs:
           OPENAI_API_KEY: ${{ secrets.OPENCLAW_DOCS_I18N_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
           OPENCLAW_CONTROL_UI_I18N_PROVIDER: ${{ secrets.ANTHROPIC_API_KEY != '' && 'anthropic' || 'openai' }}
-          OPENCLAW_CONTROL_UI_I18N_MODEL: ${{ secrets.ANTHROPIC_API_KEY != '' && 'claude-opus-4-8' || vars.OPENCLAW_CI_OPENAI_MODEL_BARE }}
+          OPENCLAW_CONTROL_UI_I18N_MODEL: ${{ secrets.ANTHROPIC_API_KEY != '' && 'claude-opus-4-7' || vars.OPENCLAW_CI_OPENAI_MODEL_BARE }}
           OPENCLAW_CONTROL_UI_I18N_THINKING: low
           OPENCLAW_CONTROL_UI_I18N_AUTH_OPTIONAL: "1"
           LOCALE: ${{ matrix.locale }}

.github/workflows/crabbox-hydrate.yml

@@ -32,16 +32,16 @@ permissions:
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   PNPM_CONFIG_CHILD_CONCURRENCY: "1"
-  PNPM_CONFIG_MODULES_DIR: "/var/tmp/openclaw-pnpm/node_modules"
+  PNPM_CONFIG_MODULES_DIR: "/tmp/openclaw-pnpm-node-modules"
   PNPM_CONFIG_NETWORK_CONCURRENCY: "1"
-  PNPM_CONFIG_STORE_DIR: "/var/cache/crabbox/pnpm/store"
+  PNPM_CONFIG_STORE_DIR: "/tmp/openclaw-pnpm-store"
   PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN: "false"
-  PNPM_CONFIG_VIRTUAL_STORE_DIR: "/var/tmp/openclaw-pnpm/virtual-store"
+  PNPM_CONFIG_VIRTUAL_STORE_DIR: "/tmp/openclaw-pnpm-virtual-store"
 
 jobs:
   hydrate:
     name: hydrate
-    if: ${{ inputs.crabbox_job != 'hydrate-github' && inputs.crabbox_job != 'hydrate-windows-daemon' }}
+    if: ${{ inputs.crabbox_job != 'hydrate-github' }}
     runs-on: [self-hosted, "${{ inputs.crabbox_runner_label }}"]
     timeout-minutes: 120
     steps:
@@ -72,24 +72,7 @@ jobs:
             echo "PNPM_HOME=$PNPM_HOME"
           } >> "$GITHUB_ENV"
 
-          package_manager="$(node -e "const fs = require('node:fs'); const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8')); process.stdout.write(pkg.packageManager || '')")"
-          case "$package_manager" in
-            pnpm@*) ;;
-            *)
-              echo "::error::Expected packageManager to pin pnpm, got '${package_manager:-<empty>}'"
-              exit 1
-              ;;
-          esac
           corepack enable --install-directory "$PNPM_HOME"
-          for attempt in 1 2 3; do
-            if corepack prepare "$package_manager" --activate; then
-              break
-            fi
-            if [ "$attempt" = 3 ]; then
-              corepack prepare "$package_manager" --activate
-            fi
-            sleep $((attempt * 5))
-          done
           node_bin="$(dirname "$(node -p 'process.execPath')")"
           echo "NODE_BIN=$node_bin" >> "$GITHUB_ENV"
           echo "$node_bin" >> "$GITHUB_PATH"
@@ -120,31 +103,9 @@ jobs:
           append_pnpm_option_arg PNPM_CONFIG_MODULES_DIR modules-dir
           append_pnpm_option_arg PNPM_CONFIG_NETWORK_CONCURRENCY network-concurrency
           append_pnpm_option_arg PNPM_CONFIG_VIRTUAL_STORE_DIR virtual-store-dir
-          require_safe_writable_dir() {
-            local dir="$1"
-            if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
-              echo "::error::Refusing unsafe pnpm directory: $dir"
-              exit 1
-            fi
-          }
-          prepare_crabbox_pnpm_dirs() {
-            local volatile_root="/var/tmp/openclaw-pnpm"
-            case "${PNPM_CONFIG_MODULES_DIR:?}" in "$volatile_root"/*) ;; *) echo "::error::PNPM_CONFIG_MODULES_DIR must stay under $volatile_root"; exit 1 ;; esac
-            case "${PNPM_CONFIG_VIRTUAL_STORE_DIR:?}" in "$volatile_root"/*) ;; *) echo "::error::PNPM_CONFIG_VIRTUAL_STORE_DIR must stay under $volatile_root"; exit 1 ;; esac
-            rm -rf -- "$volatile_root"
-            mkdir -p "$volatile_root" "$PNPM_CONFIG_STORE_DIR"
-            require_safe_writable_dir "$volatile_root"
-            require_safe_writable_dir "$PNPM_CONFIG_STORE_DIR"
-            mkdir -p "$PNPM_CONFIG_MODULES_DIR" "$PNPM_CONFIG_VIRTUAL_STORE_DIR"
-          }
-          prepare_crabbox_pnpm_dirs
-          if [ -L node_modules ] && [ "$(readlink node_modules)" = "${PNPM_CONFIG_MODULES_DIR:-}" ]; then
-            rm -f node_modules
-          fi
           if [ -n "${PNPM_CONFIG_MODULES_DIR:-}" ]; then
             mkdir -p "$PNPM_CONFIG_MODULES_DIR"
             ln -sfn . "$PNPM_CONFIG_MODULES_DIR/node_modules"
-            export NODE_PATH="$PNPM_CONFIG_MODULES_DIR${NODE_PATH:+:$NODE_PATH}"
           fi
           pnpm "${install_args[@]}" || pnpm "${install_args[@]}"
           if [ -n "${PNPM_CONFIG_MODULES_DIR:-}" ]; then
@@ -153,23 +114,15 @@ jobs:
             ln -sfn . "$PNPM_CONFIG_MODULES_DIR/node_modules"
           fi
 
-      - name: Fetch main ref
+      - name: Prepare Crabbox shell
         shell: bash
         run: |
           set -euo pipefail
 
           if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
-            timeout --signal=TERM --kill-after=10s 30s git \
-              -c protocol.version=2 \
-              fetch --no-tags --prune --no-recurse-submodules --depth=50 origin \
-              "+refs/heads/main:refs/remotes/origin/main"
+            git fetch --no-tags --depth=50 origin "+refs/heads/main:refs/remotes/origin/main"
           fi
 
-      - name: Prepare Crabbox shell
-        shell: bash
-        run: |
-          set -euo pipefail
-
           node_bin="$(dirname "$(node -p 'process.execPath')")"
           sudo ln -sf "$node_bin/node" /usr/local/bin/node
           sudo ln -sf "$node_bin/npm" /usr/local/bin/npm
@@ -188,13 +141,7 @@ jobs:
 
           if ! command -v docker >/dev/null 2>&1; then
             echo "docker not found; installing fallback engine"
-            curl --fail --show-error --location \
-              --connect-timeout "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_CONNECT_TIMEOUT_SECONDS:-15}" \
-              --max-time "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_TIMEOUT_SECONDS:-300}" \
-              --retry "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_RETRIES:-3}" \
-              --retry-delay "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_RETRY_DELAY_SECONDS:-5}" \
-              --retry-all-errors \
-              https://get.docker.com | sudo sh
+            curl -fsSL https://get.docker.com | sudo sh
           fi
 
           if command -v systemctl >/dev/null 2>&1; then
@@ -219,12 +166,7 @@ jobs:
             esac
             buildx_version="${DOCKER_BUILDX_VERSION:-v0.15.1}"
             mkdir -p "$HOME/.docker/cli-plugins"
-            curl --fail --show-error --location \
-              --connect-timeout "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_CONNECT_TIMEOUT_SECONDS:-15}" \
-              --max-time "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_TIMEOUT_SECONDS:-300}" \
-              --retry "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_RETRIES:-3}" \
-              --retry-delay "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_RETRY_DELAY_SECONDS:-5}" \
-              --retry-all-errors \
+            curl -fsSL \
               "https://github.com/docker/buildx/releases/download/${buildx_version}/buildx-${buildx_version}.linux-${buildx_arch}" \
               -o "$HOME/.docker/cli-plugins/docker-buildx"
             chmod 0755 "$HOME/.docker/cli-plugins/docker-buildx"
@@ -275,7 +217,7 @@ jobs:
             fi
           }
           {
-            for key in CI GITHUB_ACTIONS GITHUB_WORKSPACE GITHUB_REPOSITORY GITHUB_RUN_ID GITHUB_RUN_NUMBER GITHUB_RUN_ATTEMPT GITHUB_REF GITHUB_REF_NAME GITHUB_SHA GITHUB_EVENT_NAME GITHUB_ACTOR RUNNER_OS RUNNER_ARCH RUNNER_TEMP RUNNER_TOOL_CACHE XDG_CACHE_HOME COREPACK_HOME NODE_BIN PNPM_HOME PNPM_CONFIG_CHILD_CONCURRENCY PNPM_CONFIG_MODULES_DIR PNPM_CONFIG_NETWORK_CONCURRENCY PNPM_CONFIG_STORE_DIR PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN PNPM_CONFIG_VIRTUAL_STORE_DIR PATH; do
+            for key in CI GITHUB_ACTIONS GITHUB_WORKSPACE GITHUB_REPOSITORY GITHUB_RUN_ID GITHUB_RUN_NUMBER GITHUB_RUN_ATTEMPT GITHUB_REF GITHUB_REF_NAME GITHUB_SHA GITHUB_EVENT_NAME GITHUB_ACTOR RUNNER_OS RUNNER_ARCH RUNNER_TEMP RUNNER_TOOL_CACHE XDG_CACHE_HOME COREPACK_HOME PNPM_HOME PNPM_CONFIG_CHILD_CONCURRENCY PNPM_CONFIG_MODULES_DIR PNPM_CONFIG_NETWORK_CONCURRENCY PNPM_CONFIG_STORE_DIR PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN PNPM_CONFIG_VIRTUAL_STORE_DIR; do
               write_export "$key"
             done
           } > "${env_file}.tmp"
@@ -322,239 +264,6 @@ jobs:
             sleep 15
           done
 
-  hydrate-windows-daemon:
-    name: hydrate-windows-daemon
-    if: ${{ inputs.crabbox_job == 'hydrate-windows-daemon' }}
-    runs-on: [self-hosted, "${{ inputs.crabbox_runner_label }}"]
-    timeout-minutes: 120
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref || github.ref }}
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: "24"
-
-      - name: Fetch main ref
-        shell: powershell
-        run: |
-          $ErrorActionPreference = "Stop"
-
-          if (git rev-parse --is-inside-work-tree 2>$null) {
-            $repo = (Get-Location).Path
-            $fetchInfo = New-Object System.Diagnostics.ProcessStartInfo
-            $fetchInfo.FileName = "git"
-            $fetchInfo.WorkingDirectory = $repo
-            $fetchInfo.UseShellExecute = $false
-            $fetchInfo.Arguments = '-c protocol.version=2 fetch --no-tags --no-progress --prune --no-recurse-submodules --depth=50 origin "+refs/heads/main:refs/remotes/origin/main"'
-
-            $fetch = New-Object System.Diagnostics.Process
-            $fetch.StartInfo = $fetchInfo
-            if (-not $fetch.Start()) {
-              throw "git fetch failed to start"
-            }
-            if (-not $fetch.WaitForExit(30000)) {
-              $fetch.Kill()
-              $fetch.WaitForExit()
-              throw "git fetch timed out after 30 seconds"
-            }
-            if ($fetch.ExitCode -ne 0) {
-              throw "git fetch failed with exit code $($fetch.ExitCode)"
-            }
-          }
-
-      - name: Setup pnpm and dependencies
-        shell: powershell
-        env:
-          CI: "true"
-          COREPACK_ENABLE_DOWNLOAD_PROMPT: "0"
-        run: |
-          $ErrorActionPreference = "Stop"
-
-          $workspace = (Get-Location).Path
-          $cacheRoot = if ($env:RUNNER_TEMP) { $env:RUNNER_TEMP } else { [System.IO.Path]::GetTempPath() }
-          $env:XDG_CACHE_HOME = Join-Path $cacheRoot "cache"
-          $env:COREPACK_HOME = Join-Path $env:XDG_CACHE_HOME "corepack"
-          $env:PNPM_HOME = Join-Path $cacheRoot "pnpm-home"
-          $pnpmCacheRoot = Join-Path $cacheRoot "openclaw-pnpm"
-          $env:PNPM_CONFIG_STORE_DIR = Join-Path $pnpmCacheRoot "store"
-          $env:PNPM_CONFIG_MODULES_DIR = Join-Path $pnpmCacheRoot "node_modules"
-          $env:PNPM_CONFIG_VIRTUAL_STORE_DIR = Join-Path $pnpmCacheRoot "virtual-store"
-          $env:PNPM_CONFIG_CHILD_CONCURRENCY = "4"
-          $env:PNPM_CONFIG_NETWORK_CONCURRENCY = "8"
-          $env:PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN = "false"
-          $env:PNPM_CONFIG_SIDE_EFFECTS_CACHE = "false"
-          function Add-GitHubCommandLine([string]$Path, [string]$Value) {
-            $Value | Out-File -FilePath $Path -Encoding utf8 -Append
-          }
-          New-Item -ItemType Directory -Force `
-            $env:XDG_CACHE_HOME, `
-            $env:COREPACK_HOME, `
-            $env:PNPM_HOME, `
-            $env:PNPM_CONFIG_STORE_DIR | Out-Null
-          $env:PATH = "$env:PNPM_HOME;$env:PATH"
-          @(
-            "XDG_CACHE_HOME=$env:XDG_CACHE_HOME"
-            "COREPACK_HOME=$env:COREPACK_HOME"
-            "PNPM_HOME=$env:PNPM_HOME"
-            "PNPM_CONFIG_STORE_DIR=$env:PNPM_CONFIG_STORE_DIR"
-            "PNPM_CONFIG_MODULES_DIR=$env:PNPM_CONFIG_MODULES_DIR"
-            "PNPM_CONFIG_VIRTUAL_STORE_DIR=$env:PNPM_CONFIG_VIRTUAL_STORE_DIR"
-            "PNPM_CONFIG_CHILD_CONCURRENCY=$env:PNPM_CONFIG_CHILD_CONCURRENCY"
-            "PNPM_CONFIG_NETWORK_CONCURRENCY=$env:PNPM_CONFIG_NETWORK_CONCURRENCY"
-            "PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN=$env:PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN"
-            "PNPM_CONFIG_SIDE_EFFECTS_CACHE=$env:PNPM_CONFIG_SIDE_EFFECTS_CACHE"
-          ) | ForEach-Object { Add-GitHubCommandLine $env:GITHUB_ENV $_ }
-          Add-GitHubCommandLine $env:GITHUB_PATH $env:PNPM_HOME
-
-          $packageManager = (Get-Content package.json -Raw | ConvertFrom-Json).packageManager
-          if (-not $packageManager -or -not $packageManager.StartsWith("pnpm@")) {
-            Write-Error "Expected packageManager to pin pnpm, got '$packageManager'"
-          }
-          corepack enable --install-directory $env:PNPM_HOME
-          for ($attempt = 1; $attempt -le 3; $attempt++) {
-            corepack prepare $packageManager --activate
-            if ($LASTEXITCODE -eq 0) {
-              break
-            }
-            if ($attempt -eq 3) {
-              exit $LASTEXITCODE
-            }
-            Start-Sleep -Seconds ($attempt * 5)
-          }
-          $nodeBin = Split-Path -Parent (node -p "process.execPath")
-          Add-GitHubCommandLine $env:GITHUB_ENV "NODE_BIN=$nodeBin"
-          Add-GitHubCommandLine $env:GITHUB_PATH $nodeBin
-          $env:PATH = "$nodeBin;$env:PATH"
-
-          node -v
-          npm -v
-          pnpm -v
-
-          $installArgs = @(
-            "install",
-            "--filter",
-            "openclaw",
-            "--prefer-offline",
-            "--ignore-scripts=true",
-            "--config.engine-strict=false",
-            "--config.enable-pre-post-scripts=false",
-            "--config.side-effects-cache=false",
-            "--frozen-lockfile",
-            "--child-concurrency=$env:PNPM_CONFIG_CHILD_CONCURRENCY",
-            "--modules-dir=$env:PNPM_CONFIG_MODULES_DIR",
-            "--network-concurrency=$env:PNPM_CONFIG_NETWORK_CONCURRENCY",
-            "--store-dir=$env:PNPM_CONFIG_STORE_DIR",
-            "--virtual-store-dir=$env:PNPM_CONFIG_VIRTUAL_STORE_DIR"
-          )
-          pnpm @installArgs
-          if ($LASTEXITCODE -ne 0) {
-            exit $LASTEXITCODE
-          }
-          $workspaceNodeModules = Join-Path $workspace "node_modules"
-          if (Test-Path $workspaceNodeModules) {
-            $workspaceNodeModulesItem = Get-Item $workspaceNodeModules -Force
-            if (($workspaceNodeModulesItem.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -eq 0) {
-              $nodeModulesChildren = @(Get-ChildItem -LiteralPath $workspaceNodeModules -Force)
-              $hasOnlyPnpmWorkspaceState = $nodeModulesChildren.Count -eq 1 -and $nodeModulesChildren[0].Name -eq ".pnpm-workspace-state-v1.json"
-              if ($nodeModulesChildren.Count -ne 0 -and -not $hasOnlyPnpmWorkspaceState) {
-                throw "workspace node_modules exists and is not a link: $workspaceNodeModules"
-              }
-              foreach ($nodeModulesChild in $nodeModulesChildren) {
-                Remove-Item -LiteralPath $nodeModulesChild.FullName -Force
-              }
-              Remove-Item -LiteralPath $workspaceNodeModules -Force
-              New-Item -ItemType Junction -Path $workspaceNodeModules -Target $env:PNPM_CONFIG_MODULES_DIR | Out-Null
-            }
-          } else {
-            New-Item -ItemType Junction -Path $workspaceNodeModules -Target $env:PNPM_CONFIG_MODULES_DIR | Out-Null
-          }
-
-          $corepackShimDir = Join-Path $nodeBin "node_modules\corepack\shims"
-          if (Test-Path $corepackShimDir) {
-            $env:PNPM_HOME = $corepackShimDir
-            Add-GitHubCommandLine $env:GITHUB_ENV "PNPM_HOME=$env:PNPM_HOME"
-            Add-GitHubCommandLine $env:GITHUB_PATH $env:PNPM_HOME
-          }
-
-      - name: Mark Crabbox ready
-        shell: powershell
-        env:
-          CRABBOX_ID: ${{ inputs.crabbox_id }}
-          CRABBOX_JOB: ${{ inputs.crabbox_job }}
-        run: |
-          $ErrorActionPreference = "Stop"
-          $job = if ($env:CRABBOX_JOB) { $env:CRABBOX_JOB } else { "hydrate-windows-daemon" }
-          if (-not $env:CRABBOX_ID -or $env:CRABBOX_ID -notmatch '^[A-Za-z0-9._-]+$') {
-            Write-Error "Invalid crabbox_id"
-          }
-          $actionsRoot = Join-Path $HOME ".crabbox\actions"
-          New-Item -ItemType Directory -Force $actionsRoot | Out-Null
-          $state = Join-Path $actionsRoot "$env:CRABBOX_ID.env"
-          $envFile = Join-Path $actionsRoot "$env:CRABBOX_ID.env.ps1"
-          $servicesFile = Join-Path $actionsRoot "$env:CRABBOX_ID.services"
-          $keys = @(
-            "CI", "GITHUB_ACTIONS", "GITHUB_WORKSPACE", "GITHUB_REPOSITORY",
-            "GITHUB_RUN_ID", "GITHUB_RUN_NUMBER", "GITHUB_RUN_ATTEMPT",
-            "GITHUB_REF", "GITHUB_REF_NAME", "GITHUB_SHA", "GITHUB_EVENT_NAME",
-            "GITHUB_ACTOR", "RUNNER_OS", "RUNNER_ARCH", "RUNNER_TEMP",
-            "RUNNER_TOOL_CACHE", "XDG_CACHE_HOME", "COREPACK_HOME", "NODE_BIN",
-            "PNPM_HOME", "PNPM_CONFIG_CHILD_CONCURRENCY", "PNPM_CONFIG_MODULES_DIR",
-            "PNPM_CONFIG_NETWORK_CONCURRENCY", "PNPM_CONFIG_STORE_DIR",
-            "PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN", "PNPM_CONFIG_VIRTUAL_STORE_DIR",
-            "PNPM_CONFIG_SIDE_EFFECTS_CACHE", "PATH"
-          )
-          $envLines = foreach ($key in $keys) {
-            $value = [Environment]::GetEnvironmentVariable($key)
-            if ($value) {
-              "$key=$value"
-            }
-          }
-          $utf8NoBom = [System.Text.UTF8Encoding]::new($false)
-          [System.IO.File]::WriteAllLines("$envFile.tmp", $envLines, $utf8NoBom)
-          Move-Item -Force "$envFile.tmp" $envFile
-          [System.IO.File]::WriteAllLines(
-            "$servicesFile.tmp",
-            @("# Docker containers visible from the hydrated runner", "docker not available on native Windows hydration"),
-            $utf8NoBom
-          )
-          Move-Item -Force "$servicesFile.tmp" $servicesFile
-          $stateLines = @(
-            "WORKSPACE=$env:GITHUB_WORKSPACE",
-            "RUN_ID=$env:GITHUB_RUN_ID",
-            "JOB=$job",
-            "ENV_FILE=$envFile",
-            "SERVICES_FILE=$servicesFile",
-            "READY_AT=$((Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ"))"
-          )
-          [System.IO.File]::WriteAllLines("$state.tmp", $stateLines, $utf8NoBom)
-          Move-Item -Force "$state.tmp" $state
-
-      - name: Keep Crabbox job alive
-        shell: powershell
-        env:
-          CRABBOX_ID: ${{ inputs.crabbox_id }}
-          CRABBOX_KEEP_ALIVE_MINUTES: ${{ inputs.crabbox_keep_alive_minutes }}
-        run: |
-          $ErrorActionPreference = "Stop"
-          if (-not $env:CRABBOX_ID -or $env:CRABBOX_ID -notmatch '^[A-Za-z0-9._-]+$') {
-            Write-Error "Invalid crabbox_id"
-          }
-          $minutes = 90
-          if ($env:CRABBOX_KEEP_ALIVE_MINUTES -match '^[0-9]+$') {
-            $minutes = [int]$env:CRABBOX_KEEP_ALIVE_MINUTES
-          }
-          $stop = Join-Path $HOME ".crabbox\actions\$env:CRABBOX_ID.stop"
-          $deadline = (Get-Date).AddMinutes($minutes)
-          while ((Get-Date) -lt $deadline) {
-            if (Test-Path $stop) {
-              exit 0
-            }
-            Start-Sleep -Seconds 15
-          }
-
   hydrate-github:
     name: hydrate-github
     if: ${{ inputs.crabbox_job == 'hydrate-github' }}
@@ -577,10 +286,7 @@ jobs:
           set -euo pipefail
 
           if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
-            timeout --signal=TERM --kill-after=10s 30s git \
-              -c protocol.version=2 \
-              fetch --no-tags --prune --no-recurse-submodules --depth=50 origin \
-              "+refs/heads/main:refs/remotes/origin/main"
+            git fetch --no-tags --depth=50 origin "+refs/heads/main:refs/remotes/origin/main"
           fi
 
           node_bin="$(dirname "$(node -p 'process.execPath')")"
@@ -601,13 +307,7 @@ jobs:
 
           if ! command -v docker >/dev/null 2>&1; then
             echo "docker not found; installing fallback engine"
-            curl --fail --show-error --location \
-              --connect-timeout "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_CONNECT_TIMEOUT_SECONDS:-15}" \
-              --max-time "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_TIMEOUT_SECONDS:-300}" \
-              --retry "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_RETRIES:-3}" \
-              --retry-delay "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_RETRY_DELAY_SECONDS:-5}" \
-              --retry-all-errors \
-              https://get.docker.com | sudo sh
+            curl -fsSL https://get.docker.com | sudo sh
           fi
 
           if command -v systemctl >/dev/null 2>&1; then
@@ -632,12 +332,7 @@ jobs:
             esac
             buildx_version="${DOCKER_BUILDX_VERSION:-v0.15.1}"
             mkdir -p "$HOME/.docker/cli-plugins"
-            curl --fail --show-error --location \
-              --connect-timeout "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_CONNECT_TIMEOUT_SECONDS:-15}" \
-              --max-time "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_TIMEOUT_SECONDS:-300}" \
-              --retry "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_RETRIES:-3}" \
-              --retry-delay "${OPENCLAW_CRABBOX_HYDRATE_DOWNLOAD_RETRY_DELAY_SECONDS:-5}" \
-              --retry-all-errors \
+            curl -fsSL \
               "https://github.com/docker/buildx/releases/download/${buildx_version}/buildx-${buildx_version}.linux-${buildx_arch}" \
               -o "$HOME/.docker/cli-plugins/docker-buildx"
             chmod 0755 "$HOME/.docker/cli-plugins/docker-buildx"
@@ -711,7 +406,7 @@ jobs:
             fi
           }
           {
-            for key in CI GITHUB_ACTIONS GITHUB_WORKSPACE GITHUB_REPOSITORY GITHUB_RUN_ID GITHUB_RUN_NUMBER GITHUB_RUN_ATTEMPT GITHUB_REF GITHUB_REF_NAME GITHUB_SHA GITHUB_EVENT_NAME GITHUB_ACTOR RUNNER_OS RUNNER_ARCH RUNNER_TEMP RUNNER_TOOL_CACHE NODE_BIN PNPM_HOME PNPM_CONFIG_CHILD_CONCURRENCY PNPM_CONFIG_MODULES_DIR PNPM_CONFIG_NETWORK_CONCURRENCY PNPM_CONFIG_STORE_DIR PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN PNPM_CONFIG_VIRTUAL_STORE_DIR PATH; do
+            for key in CI GITHUB_ACTIONS GITHUB_WORKSPACE GITHUB_REPOSITORY GITHUB_RUN_ID GITHUB_RUN_NUMBER GITHUB_RUN_ATTEMPT GITHUB_REF GITHUB_REF_NAME GITHUB_SHA GITHUB_EVENT_NAME GITHUB_ACTOR RUNNER_OS RUNNER_ARCH RUNNER_TEMP RUNNER_TOOL_CACHE PNPM_CONFIG_CHILD_CONCURRENCY PNPM_CONFIG_MODULES_DIR PNPM_CONFIG_NETWORK_CONCURRENCY PNPM_CONFIG_STORE_DIR PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN PNPM_CONFIG_VIRTUAL_STORE_DIR; do
               write_export "$key"
             done
           } > "${env_file}.tmp"

.github/workflows/dependency-change-awareness.yml

@@ -0,0 +1,176 @@
+name: Dependency Change Awareness
+
+on:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] metadata-only workflow; no checkout or untrusted code execution
+    types: [opened, reopened, synchronize, ready_for_review]
+
+permissions:
+  pull-requests: write
+  issues: write
+
+concurrency:
+  group: dependency-change-awareness-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  dependency-change-awareness:
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Label and comment on dependency changes
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        with:
+          script: |
+            const marker = "<!-- openclaw:dependency-change-awareness -->";
+            const labelName = "dependencies-changed";
+            const maxListedFiles = 25;
+            const pullRequest = context.payload.pull_request;
+
+            if (!pullRequest) {
+              core.info("No pull_request payload found; skipping.");
+              return;
+            }
+
+            const isDependencyFile = (filename) =>
+              filename === "package.json" ||
+              filename === "package-lock.json" ||
+              filename === "npm-shrinkwrap.json" ||
+              filename === "pnpm-lock.yaml" ||
+              filename === "pnpm-workspace.yaml" ||
+              filename === "ui/package.json" ||
+              filename.startsWith("patches/") ||
+              /^packages\/[^/]+\/package\.json$/u.test(filename) ||
+              /^extensions\/[^/]+\/package-lock\.json$/u.test(filename) ||
+              /^extensions\/[^/]+\/npm-shrinkwrap\.json$/u.test(filename) ||
+              /^extensions\/[^/]+\/package\.json$/u.test(filename);
+
+            const sanitizeDisplayValue = (value) =>
+              String(value)
+                .replace(/[\u0000-\u001f\u007f]/gu, "?")
+                .slice(0, 240);
+            const markdownCode = (value) =>
+              `\`${sanitizeDisplayValue(value).replaceAll("`", "\\`")}\``;
+            const ignoreUnavailableWritePermission = (action) => (error) => {
+              if (error?.status === 403) {
+                core.warning(
+                  `Skipping dependency change ${action}; token does not have issue write permission.`,
+                );
+                return;
+              }
+              if (error?.status === 404 || error?.status === 422) {
+                core.warning(`Dependency change ${action} is unavailable.`);
+                return;
+              }
+              throw error;
+            };
+
+            const files = await github.paginate(github.rest.pulls.listFiles, {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: pullRequest.number,
+              per_page: 100,
+            });
+            const dependencyFiles = files
+              .map((file) => file.filename)
+              .filter((filename) => typeof filename === "string" && isDependencyFile(filename))
+              .sort((left, right) => left.localeCompare(right));
+
+            const comments = await github.paginate(github.rest.issues.listComments, {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pullRequest.number,
+              per_page: 100,
+            });
+            const existingComment = comments.find(
+              (comment) =>
+                comment.user?.login === "github-actions[bot]" && comment.body?.includes(marker),
+            );
+
+            const labels = await github.paginate(github.rest.issues.listLabelsOnIssue, {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pullRequest.number,
+              per_page: 100,
+            });
+            const hasLabel = labels.some((label) => label.name === labelName);
+
+            if (dependencyFiles.length === 0) {
+              if (hasLabel) {
+                await github.rest.issues.removeLabel({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pullRequest.number,
+                  name: labelName,
+                }).catch(ignoreUnavailableWritePermission("label removal"));
+              }
+              if (existingComment) {
+                await github.rest.issues.deleteComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: existingComment.id,
+                }).catch(ignoreUnavailableWritePermission("comment deletion"));
+              }
+              await core.summary
+                .addHeading("Dependency Change Awareness")
+                .addRaw("No dependency-related file changes detected.")
+                .write();
+              core.info("No dependency-related file changes detected.");
+              return;
+            }
+
+            if (!hasLabel) {
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pullRequest.number,
+                labels: [labelName],
+              }).catch(ignoreUnavailableWritePermission(`label "${labelName}" update`));
+            }
+
+            const listedFiles = dependencyFiles.slice(0, maxListedFiles);
+            const omittedCount = dependencyFiles.length - listedFiles.length;
+            const fileLines = listedFiles.map((filename) => `- ${markdownCode(filename)}`);
+            if (omittedCount > 0) {
+              fileLines.push(`- ${omittedCount} additional dependency-related files not shown`);
+            }
+
+            const body = [
+              marker,
+              "",
+              "### Dependency Changes Detected",
+              "",
+              "This PR changes dependency-related files. Maintainers should confirm these changes are intentional.",
+              "",
+              "Changed files:",
+              ...fileLines,
+              "",
+              "Maintainer follow-up:",
+              "- Review whether the dependency changes are intentional.",
+              "- Inspect resolved package deltas when lockfile, shrinkwrap, or workspace dependency policy changes are present.",
+              "- Treat `package-lock.json` and `npm-shrinkwrap.json` diffs as security-review surfaces.",
+              "- Run `pnpm deps:changes:report -- --base-ref origin/main --markdown /tmp/dependency-changes.md --json /tmp/dependency-changes.json` locally for detailed release-style evidence.",
+            ].join("\n");
+
+            if (existingComment) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existingComment.id,
+                body,
+              }).catch(ignoreUnavailableWritePermission("comment update"));
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pullRequest.number,
+                body,
+              }).catch(ignoreUnavailableWritePermission("comment creation"));
+            }
+
+            await core.summary
+              .addHeading("Dependency Change Awareness")
+              .addRaw(`Detected ${dependencyFiles.length} dependency-related file change(s).`)
+              .addList(dependencyFiles.map((filename) => markdownCode(filename)))
+              .write();
+            core.notice(`Detected ${dependencyFiles.length} dependency-related file change(s).`);

.github/workflows/dependency-guard.yml

@@ -1,109 +0,0 @@
-name: Dependency Guard
-
-on:
-  pull_request_target: # zizmor: ignore[dangerous-triggers] checks trusted base script only; never checks out PR head
-    types: [opened, reopened, synchronize, ready_for_review]
-
-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
-
-concurrency:
-  group: dependency-guard-${{ github.event.pull_request.number }}
-  cancel-in-progress: true
-
-jobs:
-  dependency-guard-detect:
-    if: ${{ !github.event.pull_request.draft }}
-    runs-on: ubuntu-24.04
-    timeout-minutes: 5
-    outputs:
-      autoscrub: ${{ steps.guard.outputs.autoscrub }}
-      autoscrub-owner: ${{ steps.guard.outputs.autoscrub-owner }}
-      autoscrub-repository: ${{ steps.guard.outputs.autoscrub-repository }}
-    steps:
-      - name: Check out trusted base workflow scripts
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          ref: ${{ github.event.pull_request.base.sha }}
-          persist-credentials: false
-
-      - name: Detect dependency changes
-        id: guard
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          OPENCLAW_DEPENDENCY_GUARD_MODE: detect
-          OPENCLAW_SECURITY_APPROVERS: vincentkoc,steipete,joshavant
-          OPENCLAW_SECURITY_TEAM_SLUG: openclaw-secops
-        run: node scripts/github/dependency-guard.mjs
-
-  dependency-guard-autoscrub:
-    if: ${{ !github.event.pull_request.draft && needs.dependency-guard-detect.outputs.autoscrub == 'true' }}
-    needs: dependency-guard-detect
-    runs-on: ubuntu-24.04
-    timeout-minutes: 5
-    permissions:
-      contents: read
-      issues: write
-      pull-requests: read
-    steps:
-      - name: Check out trusted base workflow scripts
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          ref: ${{ github.event.pull_request.base.sha }}
-          persist-credentials: false
-
-      - name: Create autoscrub app token
-        id: app-token
-        continue-on-error: true
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
-        with:
-          app-id: "2729701"
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          owner: ${{ needs.dependency-guard-detect.outputs.autoscrub-owner }}
-          repositories: ${{ needs.dependency-guard-detect.outputs.autoscrub-repository }}
-          permission-contents: write
-
-      - name: Create fallback autoscrub app token
-        id: app-token-fallback
-        continue-on-error: true
-        if: steps.app-token.outcome == 'failure'
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
-        with:
-          app-id: "2971289"
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
-          owner: ${{ needs.dependency-guard-detect.outputs.autoscrub-owner }}
-          repositories: ${{ needs.dependency-guard-detect.outputs.autoscrub-repository }}
-          permission-contents: write
-
-      - name: Remove package lockfile changes
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          OPENCLAW_DEPENDENCY_GUARD_AUTOSCRUB_TOKEN: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          OPENCLAW_DEPENDENCY_GUARD_MODE: autoscrub
-          OPENCLAW_SECURITY_APPROVERS: vincentkoc,steipete,joshavant
-          OPENCLAW_SECURITY_TEAM_SLUG: openclaw-secops
-        run: node scripts/github/dependency-guard.mjs
-
-  dependency-guard:
-    if: ${{ !github.event.pull_request.draft && always() }}
-    needs:
-      - dependency-guard-detect
-      - dependency-guard-autoscrub
-    runs-on: ubuntu-24.04
-    timeout-minutes: 5
-    steps:
-      - name: Check out trusted base workflow scripts
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          ref: ${{ github.event.pull_request.base.sha }}
-          persist-credentials: false
-
-      - name: Enforce dependency guard
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          OPENCLAW_DEPENDENCY_GUARD_MODE: enforce
-          OPENCLAW_SECURITY_APPROVERS: vincentkoc,steipete,joshavant
-          OPENCLAW_SECURITY_TEAM_SLUG: openclaw-secops
-        run: node scripts/github/dependency-guard.mjs

.github/workflows/docker-release.yml

@@ -4,7 +4,6 @@ on:
   push:
     tags:
       - "v*"
-      - "!v*-alpha.*"
     paths-ignore:
       - "docs/**"
       - "**/*.md"
@@ -39,11 +38,7 @@ jobs:
           RELEASE_TAG: ${{ inputs.tag }}
         run: |
           set -euo pipefail
-          if [[ "${RELEASE_TAG}" == *"-alpha."* ]]; then
-            echo "Docker alpha image publishing is disabled."
-            exit 1
-          fi
-          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-beta\.[1-9][0-9]*)?$ ]]; then
+          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-(alpha|beta)\.[1-9][0-9]*)?$ ]]; then
             echo "Invalid release tag: ${RELEASE_TAG}"
             exit 1
           fi
@@ -80,7 +75,6 @@ jobs:
       contents: read
     outputs:
       digest: ${{ steps.build.outputs.digest }}
-      browser_digest: ${{ steps.build-browser.outputs.digest }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -88,30 +82,11 @@ jobs:
           ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
           fetch-depth: 0
 
-      - name: Pre-pull BuildKit image
-        shell: bash
-        env:
-          BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
-        run: |
-          set -euo pipefail
-          for attempt in 1 2 3 4; do
-            if docker pull "${BUILDKIT_IMAGE}"; then
-              exit 0
-            fi
-            if [[ "${attempt}" == "4" ]]; then
-              echo "::error::Failed to pull ${BUILDKIT_IMAGE} after ${attempt} attempts"
-              exit 1
-            fi
-            sleep_seconds=$((attempt * 10))
-            echo "BuildKit image pull failed; retrying in ${sleep_seconds}s (${attempt}/4)."
-            sleep "${sleep_seconds}"
-          done
-
       - name: Set up Docker Builder
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
@@ -127,18 +102,14 @@ jobs:
           set -euo pipefail
           tags=()
           slim_tags=()
-          browser_tags=()
-          browser_supported=0
-          if grep -q '^ARG OPENCLAW_INSTALL_BROWSER' Dockerfile; then
-            browser_supported=1
+          if [[ "${SOURCE_REF}" == "refs/heads/main" ]]; then
+            tags+=("${IMAGE}:main-amd64")
+            slim_tags+=("${IMAGE}:main-slim-amd64")
           fi
           if [[ "${SOURCE_REF}" == refs/tags/v* ]]; then
             version="${SOURCE_REF#refs/tags/v}"
             tags+=("${IMAGE}:${version}-amd64")
             slim_tags+=("${IMAGE}:${version}-slim-amd64")
-            if [[ "${browser_supported}" == "1" ]]; then
-              browser_tags+=("${IMAGE}:${version}-browser-amd64")
-            fi
           fi
           if [[ ${#tags[@]} -eq 0 ]]; then
             echo "::error::No amd64 tags resolved for ref ${SOURCE_REF}"
@@ -148,9 +119,6 @@ jobs:
             echo "value<<EOF"
             printf "%s\n" "${tags[@]}" "${slim_tags[@]}"
             echo "EOF"
-            echo "browser<<EOF"
-            printf "%s\n" "${browser_tags[@]}"
-            echo "EOF"
           } >> "$GITHUB_OUTPUT"
 
       - name: Resolve OCI labels (amd64)
@@ -180,7 +148,7 @@ jobs:
       - name: Build and push amd64 image
         id: build
         # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           platforms: linux/amd64
@@ -194,91 +162,6 @@ jobs:
           provenance: mode=max
           push: true
 
-      - name: Build and push amd64 browser image
-        id: build-browser
-        if: steps.tags.outputs.browser != ''
-        # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
-        with:
-          context: .
-          platforms: linux/amd64
-          cache-from: |
-            type=gha,scope=docker-release-amd64
-            type=gha,scope=docker-release-browser-amd64
-          cache-to: type=gha,mode=max,scope=docker-release-browser-amd64
-          build-args: |
-            OPENCLAW_EXTENSIONS=diagnostics-otel,codex
-            OPENCLAW_INSTALL_BROWSER=1
-          tags: ${{ steps.tags.outputs.browser }}
-          labels: ${{ steps.labels.outputs.value }}
-          sbom: true
-          provenance: mode=max
-          push: true
-
-      - name: Smoke test amd64 runtime workspace templates
-        shell: bash
-        env:
-          IMAGE_REFS: ${{ steps.tags.outputs.value }}
-        run: |
-          set -euo pipefail
-          mapfile -t image_refs <<< "${IMAGE_REFS}"
-          image_ref="${image_refs[0]}"
-          if [[ -z "${image_ref}" ]]; then
-            echo "::error::No amd64 image ref resolved for runtime template smoke"
-            exit 1
-          fi
-          docker run --rm --entrypoint /bin/sh "${image_ref}" -lc '
-            set -eu
-            test -f /app/src/agents/templates/HEARTBEAT.md
-            temp_root="$(mktemp -d)"
-            trap "rm -rf \"${temp_root}\"" EXIT
-            mkdir -p "${temp_root}/home" "${temp_root}/cwd"
-            cd "${temp_root}/cwd"
-            set +e
-            HOME="${temp_root}/home" \
-            USERPROFILE="${temp_root}/home" \
-            OPENCLAW_HOME="${temp_root}/home" \
-            OPENCLAW_NO_ONBOARD=1 \
-            OPENCLAW_SUPPRESS_NOTES=1 \
-            OPENCLAW_DISABLE_BUNDLED_PLUGINS=1 \
-            OPENCLAW_DISABLE_BUNDLED_ENTRY_SOURCE_FALLBACK=1 \
-            AWS_EC2_METADATA_DISABLED=true \
-            AWS_SHARED_CREDENTIALS_FILE="${temp_root}/home/.aws/credentials" \
-            AWS_CONFIG_FILE="${temp_root}/home/.aws/config" \
-              node /app/openclaw.mjs agent --message "workspace bootstrap smoke" --session-id "workspace-bootstrap-smoke" --local --timeout 1 --json \
-              >"${temp_root}/out.log" 2>&1
-            status="$?"
-            set -e
-            if grep -F "Missing workspace template:" "${temp_root}/out.log"; then
-              cat "${temp_root}/out.log"
-              exit 1
-            fi
-            test -f "${temp_root}/home/.openclaw/workspace/HEARTBEAT.md"
-            if [ "${status}" -ne 0 ]; then
-              cat "${temp_root}/out.log"
-            fi
-          '
-
-      - name: Smoke test amd64 browser image
-        if: steps.tags.outputs.browser != ''
-        shell: bash
-        env:
-          IMAGE_REFS: ${{ steps.tags.outputs.browser }}
-        run: |
-          set -euo pipefail
-          mapfile -t image_refs <<< "${IMAGE_REFS}"
-          image_ref="${image_refs[0]}"
-          if [[ -z "${image_ref}" ]]; then
-            echo "::error::No amd64 browser image ref resolved"
-            exit 1
-          fi
-          docker run --rm --entrypoint /bin/sh "${image_ref}" -lc '
-            set -eu
-            browser="$(find /home/node/.cache/ms-playwright -maxdepth 5 -type f \( -name chrome -o -name chromium -o -name chrome-headless-shell \) -print | head -1)"
-            test -n "${browser}"
-            "${browser}" --version
-          '
-
   # Build arm64 image. Default and slim tags point to the same slim runtime.
   build-arm64:
     needs: [approve_manual_backfill]
@@ -290,7 +173,6 @@ jobs:
       contents: read
     outputs:
       digest: ${{ steps.build.outputs.digest }}
-      browser_digest: ${{ steps.build-browser.outputs.digest }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -298,30 +180,11 @@ jobs:
           ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
           fetch-depth: 0
 
-      - name: Pre-pull BuildKit image
-        shell: bash
-        env:
-          BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
-        run: |
-          set -euo pipefail
-          for attempt in 1 2 3 4; do
-            if docker pull "${BUILDKIT_IMAGE}"; then
-              exit 0
-            fi
-            if [[ "${attempt}" == "4" ]]; then
-              echo "::error::Failed to pull ${BUILDKIT_IMAGE} after ${attempt} attempts"
-              exit 1
-            fi
-            sleep_seconds=$((attempt * 10))
-            echo "BuildKit image pull failed; retrying in ${sleep_seconds}s (${attempt}/4)."
-            sleep "${sleep_seconds}"
-          done
-
       - name: Set up Docker Builder
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
@@ -337,18 +200,14 @@ jobs:
           set -euo pipefail
           tags=()
           slim_tags=()
-          browser_tags=()
-          browser_supported=0
-          if grep -q '^ARG OPENCLAW_INSTALL_BROWSER' Dockerfile; then
-            browser_supported=1
+          if [[ "${SOURCE_REF}" == "refs/heads/main" ]]; then
+            tags+=("${IMAGE}:main-arm64")
+            slim_tags+=("${IMAGE}:main-slim-arm64")
           fi
           if [[ "${SOURCE_REF}" == refs/tags/v* ]]; then
             version="${SOURCE_REF#refs/tags/v}"
             tags+=("${IMAGE}:${version}-arm64")
             slim_tags+=("${IMAGE}:${version}-slim-arm64")
-            if [[ "${browser_supported}" == "1" ]]; then
-              browser_tags+=("${IMAGE}:${version}-browser-arm64")
-            fi
           fi
           if [[ ${#tags[@]} -eq 0 ]]; then
             echo "::error::No arm64 tags resolved for ref ${SOURCE_REF}"
@@ -358,9 +217,6 @@ jobs:
             echo "value<<EOF"
             printf "%s\n" "${tags[@]}" "${slim_tags[@]}"
             echo "EOF"
-            echo "browser<<EOF"
-            printf "%s\n" "${browser_tags[@]}"
-            echo "EOF"
           } >> "$GITHUB_OUTPUT"
 
       - name: Resolve OCI labels (arm64)
@@ -390,7 +246,7 @@ jobs:
       - name: Build and push arm64 image
         id: build
         # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           platforms: linux/arm64
@@ -404,91 +260,6 @@ jobs:
           provenance: mode=max
           push: true
 
-      - name: Build and push arm64 browser image
-        id: build-browser
-        if: steps.tags.outputs.browser != ''
-        # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
-        with:
-          context: .
-          platforms: linux/arm64
-          cache-from: |
-            type=gha,scope=docker-release-arm64
-            type=gha,scope=docker-release-browser-arm64
-          cache-to: type=gha,mode=max,scope=docker-release-browser-arm64
-          build-args: |
-            OPENCLAW_EXTENSIONS=diagnostics-otel,codex
-            OPENCLAW_INSTALL_BROWSER=1
-          tags: ${{ steps.tags.outputs.browser }}
-          labels: ${{ steps.labels.outputs.value }}
-          sbom: true
-          provenance: mode=max
-          push: true
-
-      - name: Smoke test arm64 runtime workspace templates
-        shell: bash
-        env:
-          IMAGE_REFS: ${{ steps.tags.outputs.value }}
-        run: |
-          set -euo pipefail
-          mapfile -t image_refs <<< "${IMAGE_REFS}"
-          image_ref="${image_refs[0]}"
-          if [[ -z "${image_ref}" ]]; then
-            echo "::error::No arm64 image ref resolved for runtime template smoke"
-            exit 1
-          fi
-          docker run --rm --entrypoint /bin/sh "${image_ref}" -lc '
-            set -eu
-            test -f /app/src/agents/templates/HEARTBEAT.md
-            temp_root="$(mktemp -d)"
-            trap "rm -rf \"${temp_root}\"" EXIT
-            mkdir -p "${temp_root}/home" "${temp_root}/cwd"
-            cd "${temp_root}/cwd"
-            set +e
-            HOME="${temp_root}/home" \
-            USERPROFILE="${temp_root}/home" \
-            OPENCLAW_HOME="${temp_root}/home" \
-            OPENCLAW_NO_ONBOARD=1 \
-            OPENCLAW_SUPPRESS_NOTES=1 \
-            OPENCLAW_DISABLE_BUNDLED_PLUGINS=1 \
-            OPENCLAW_DISABLE_BUNDLED_ENTRY_SOURCE_FALLBACK=1 \
-            AWS_EC2_METADATA_DISABLED=true \
-            AWS_SHARED_CREDENTIALS_FILE="${temp_root}/home/.aws/credentials" \
-            AWS_CONFIG_FILE="${temp_root}/home/.aws/config" \
-              node /app/openclaw.mjs agent --message "workspace bootstrap smoke" --session-id "workspace-bootstrap-smoke" --local --timeout 1 --json \
-              >"${temp_root}/out.log" 2>&1
-            status="$?"
-            set -e
-            if grep -F "Missing workspace template:" "${temp_root}/out.log"; then
-              cat "${temp_root}/out.log"
-              exit 1
-            fi
-            test -f "${temp_root}/home/.openclaw/workspace/HEARTBEAT.md"
-            if [ "${status}" -ne 0 ]; then
-              cat "${temp_root}/out.log"
-            fi
-          '
-
-      - name: Smoke test arm64 browser image
-        if: steps.tags.outputs.browser != ''
-        shell: bash
-        env:
-          IMAGE_REFS: ${{ steps.tags.outputs.browser }}
-        run: |
-          set -euo pipefail
-          mapfile -t image_refs <<< "${IMAGE_REFS}"
-          image_ref="${image_refs[0]}"
-          if [[ -z "${image_ref}" ]]; then
-            echo "::error::No arm64 browser image ref resolved"
-            exit 1
-          fi
-          docker run --rm --entrypoint /bin/sh "${image_ref}" -lc '
-            set -eu
-            browser="$(find /home/node/.cache/ms-playwright -maxdepth 5 -type f \( -name chrome -o -name chromium -o -name chrome-headless-shell \) -print | head -1)"
-            test -n "${browser}"
-            "${browser}" --version
-          '
-
   # Create multi-platform manifests
   create-manifest:
     needs: [approve_manual_backfill, build-amd64, build-arm64]
@@ -506,7 +277,7 @@ jobs:
           fetch-depth: 0
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
@@ -523,25 +294,18 @@ jobs:
           set -euo pipefail
           tags=()
           slim_tags=()
-          browser_tags=()
-          browser_supported=0
-          if grep -q '^ARG OPENCLAW_INSTALL_BROWSER' Dockerfile; then
-            browser_supported=1
+          if [[ "${SOURCE_REF}" == "refs/heads/main" ]]; then
+            tags+=("${IMAGE}:main")
+            slim_tags+=("${IMAGE}:main-slim")
           fi
           if [[ "${SOURCE_REF}" == refs/tags/v* ]]; then
             version="${SOURCE_REF#refs/tags/v}"
             tags+=("${IMAGE}:${version}")
             slim_tags+=("${IMAGE}:${version}-slim")
-            if [[ "${browser_supported}" == "1" ]]; then
-              browser_tags+=("${IMAGE}:${version}-browser")
-            fi
             # Manual backfills should only republish the requested version tags.
             if [[ "${IS_MANUAL_BACKFILL}" != "1" && "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?$ ]]; then
-              tags+=("${IMAGE}:latest" "${IMAGE}:main")
-              slim_tags+=("${IMAGE}:slim" "${IMAGE}:main-slim")
-              if [[ "${browser_supported}" == "1" ]]; then
-                browser_tags+=("${IMAGE}:latest-browser" "${IMAGE}:main-browser")
-              fi
+              tags+=("${IMAGE}:latest")
+              slim_tags+=("${IMAGE}:slim")
             fi
           fi
           if [[ ${#tags[@]} -eq 0 ]]; then
@@ -552,39 +316,25 @@ jobs:
             echo "value<<EOF"
             printf "%s\n" "${tags[@]}" "${slim_tags[@]}"
             echo "EOF"
-            echo "browser<<EOF"
-            printf "%s\n" "${browser_tags[@]}"
-            echo "EOF"
           } >> "$GITHUB_OUTPUT"
 
       - name: Create and push manifest
         shell: bash
         env:
           TAGS: ${{ steps.tags.outputs.value }}
-          BROWSER_TAGS: ${{ steps.tags.outputs.browser }}
           AMD64_DIGEST: ${{ needs.build-amd64.outputs.digest }}
           ARM64_DIGEST: ${{ needs.build-arm64.outputs.digest }}
-          AMD64_BROWSER_DIGEST: ${{ needs.build-amd64.outputs.browser_digest }}
-          ARM64_BROWSER_DIGEST: ${{ needs.build-arm64.outputs.browser_digest }}
         run: |
           set -euo pipefail
           mapfile -t tags <<< "${TAGS}"
-          mapfile -t browser_tags <<< "${BROWSER_TAGS}"
-          create_manifest() {
-            local amd64_digest="$1"
-            local arm64_digest="$2"
-            shift 2
-            local args=()
-            for tag in "$@"; do
-              [ -z "$tag" ] && continue
-              args+=("-t" "$tag")
-            done
-            docker buildx imagetools create "${args[@]}" "$amd64_digest" "$arm64_digest"
-          }
-          create_manifest "${AMD64_DIGEST}" "${ARM64_DIGEST}" "${tags[@]}"
-          if [[ -n "${BROWSER_TAGS}" ]]; then
-            create_manifest "${AMD64_BROWSER_DIGEST}" "${ARM64_BROWSER_DIGEST}" "${browser_tags[@]}"
-          fi
+          args=()
+          for tag in "${tags[@]}"; do
+            [ -z "$tag" ] && continue
+            args+=("-t" "$tag")
+          done
+          docker buildx imagetools create "${args[@]}" \
+            "${AMD64_DIGEST}" \
+            "${ARM64_DIGEST}"
 
   verify-attestations:
     needs: [create-manifest]
@@ -599,30 +349,11 @@ jobs:
         with:
           fetch-depth: 1
 
-      - name: Pre-pull BuildKit image
-        shell: bash
-        env:
-          BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
-        run: |
-          set -euo pipefail
-          for attempt in 1 2 3 4; do
-            if docker pull "${BUILDKIT_IMAGE}"; then
-              exit 0
-            fi
-            if [[ "${attempt}" == "4" ]]; then
-              echo "::error::Failed to pull ${BUILDKIT_IMAGE} after ${attempt} attempts"
-              exit 1
-            fi
-            sleep_seconds=$((attempt * 10))
-            echo "BuildKit image pull failed; retrying in ${sleep_seconds}s (${attempt}/4)."
-            sleep "${sleep_seconds}"
-          done
-
       - name: Set up Docker Builder
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
@@ -641,39 +372,21 @@ jobs:
           slim_multi_refs=()
           amd64_refs=()
           arm64_refs=()
-          browser_supported=0
-          if [[ "${SOURCE_REF}" == refs/tags/v* ]]; then
-            tag="${SOURCE_REF#refs/tags/}"
-            git fetch --depth=1 origin "refs/tags/${tag}:refs/tags/${tag}"
-            if git show "${SOURCE_REF}:Dockerfile" | grep -q '^ARG OPENCLAW_INSTALL_BROWSER'; then
-              browser_supported=1
-            fi
-          elif grep -q '^ARG OPENCLAW_INSTALL_BROWSER' Dockerfile; then
-            browser_supported=1
+          if [[ "${SOURCE_REF}" == "refs/heads/main" ]]; then
+            multi_refs+=("${IMAGE}:main")
+            slim_multi_refs+=("${IMAGE}:main-slim")
+            amd64_refs+=("${IMAGE}:main-amd64" "${IMAGE}:main-slim-amd64")
+            arm64_refs+=("${IMAGE}:main-arm64" "${IMAGE}:main-slim-arm64")
           fi
           if [[ "${SOURCE_REF}" == refs/tags/v* ]]; then
             version="${SOURCE_REF#refs/tags/v}"
             multi_refs+=("${IMAGE}:${version}")
             slim_multi_refs+=("${IMAGE}:${version}-slim")
-            amd64_refs+=(
-              "${IMAGE}:${version}-amd64"
-              "${IMAGE}:${version}-slim-amd64"
-            )
-            arm64_refs+=(
-              "${IMAGE}:${version}-arm64"
-              "${IMAGE}:${version}-slim-arm64"
-            )
-            if [[ "${browser_supported}" == "1" ]]; then
-              multi_refs+=("${IMAGE}:${version}-browser")
-              amd64_refs+=("${IMAGE}:${version}-browser-amd64")
-              arm64_refs+=("${IMAGE}:${version}-browser-arm64")
-            fi
+            amd64_refs+=("${IMAGE}:${version}-amd64" "${IMAGE}:${version}-slim-amd64")
+            arm64_refs+=("${IMAGE}:${version}-arm64" "${IMAGE}:${version}-slim-arm64")
             if [[ "${IS_MANUAL_BACKFILL}" != "1" && "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?$ ]]; then
-              multi_refs+=("${IMAGE}:latest" "${IMAGE}:main")
-              slim_multi_refs+=("${IMAGE}:slim" "${IMAGE}:main-slim")
-              if [[ "${browser_supported}" == "1" ]]; then
-                multi_refs+=("${IMAGE}:latest-browser" "${IMAGE}:main-browser")
-              fi
+              multi_refs+=("${IMAGE}:latest")
+              slim_multi_refs+=("${IMAGE}:slim")
             fi
           fi
           if [[ ${#multi_refs[@]} -eq 0 || ${#amd64_refs[@]} -eq 0 || ${#arm64_refs[@]} -eq 0 ]]; then

.github/workflows/docs-agent.yml

@@ -149,7 +149,7 @@ jobs:
 
       - name: Run Codex docs agent
         if: steps.gate.outputs.run_agent == 'true'
-        uses: openai/codex-action@e0fdf01220eb9a88167c4898839d273e3f2609d1
+        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
         env:
           DOCS_AGENT_BASE_SHA: ${{ steps.gate.outputs.review_base_sha }}
           DOCS_AGENT_HEAD_SHA: ${{ steps.gate.outputs.review_head_sha }}

.github/workflows/full-release-validation.yml

@@ -80,7 +80,7 @@ on:
         default: ""
         type: string
       evidence_package_spec:
-        description: Optional published package spec to prove in the release evidence report
+        description: Optional published package spec to prove in the private release evidence report
         required: false
         default: ""
         type: string
@@ -225,11 +225,11 @@ jobs:
           } >> "$GITHUB_STEP_SUMMARY"
 
   docker_runtime_assets_preflight:
-    name: Verify Docker runtime image assets
+    name: Verify Docker runtime-assets prune path
     needs: [resolve_target]
     if: inputs.rerun_group == 'all'
     runs-on: ubuntu-24.04
-    timeout-minutes: 20
+    timeout-minutes: 45
     permissions:
       contents: read
     steps:
@@ -245,7 +245,7 @@ jobs:
           DOCKER_BUILDKIT: "1"
         run: |
           set -euo pipefail
-          timeout --kill-after=30s 15m docker build \
+          timeout --foreground --kill-after=30s 35m docker build \
             --target runtime-assets \
             --build-arg OPENCLAW_EXTENSIONS="diagnostics-otel,codex" \
             .
@@ -287,7 +287,7 @@ jobs:
                   printf '%s\n' "$output"
                   return 0
                 fi
-                if [[ "$output" == *"Bad credentials"* || "$output" == *"HTTP 401"* || "$output" == *"secondary rate limit"* || "$output" == *"API rate limit"* || "$output" == *"Sorry. Your account was suspended"* ]]; then
+                if [[ "$output" == *"Bad credentials"* || "$output" == *"HTTP 401"* || "$output" == *"secondary rate limit"* || "$output" == *"API rate limit"* ]]; then
                   echo "::warning::gh $* failed on attempt ${attempt}: ${output}" >&2
                   sleep $((attempt * 10))
                   continue
@@ -337,21 +337,6 @@ jobs:
               gh_with_retry api --paginate "repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/jobs?per_page=100" --jq '.jobs[]'
             }
 
-            fail_fast_failed_jobs() {
-              local failed_jobs_json
-              failed_jobs_json="$(
-                fetch_child_jobs |
-                  jq -s '[.[] | select(.status == "completed" and .conclusion != "success" and .conclusion != "skipped")]'
-              )"
-              if jq -e 'length > 0' <<< "$failed_jobs_json" >/dev/null; then
-                echo "::error::${workflow} has failed child jobs before the workflow completed; cancelling the remaining matrix."
-                jq '.[] | {name, conclusion, url: .html_url}' <<< "$failed_jobs_json"
-                cancel_child
-                trap - EXIT INT TERM
-                exit 1
-              fi
-            }
-
             cancel_child() {
               if [[ -n "${run_id:-}" ]]; then
                 echo "Cancelling child workflow ${workflow}: ${run_id}" >&2
@@ -367,9 +352,6 @@ jobs:
                 break
               fi
               poll_count=$((poll_count + 1))
-              if (( poll_count % 2 == 0 )); then
-                fail_fast_failed_jobs
-              fi
               if (( poll_count % 10 == 0 )); then
                 echo "Still waiting on ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
                 fetch_child_jobs | jq 'select(.status != "completed") | {name, status, url: .html_url}' || true
@@ -435,7 +417,7 @@ jobs:
                   printf '%s\n' "$output"
                   return 0
                 fi
-                if [[ "$output" == *"Bad credentials"* || "$output" == *"HTTP 401"* || "$output" == *"secondary rate limit"* || "$output" == *"API rate limit"* || "$output" == *"Sorry. Your account was suspended"* ]]; then
+                if [[ "$output" == *"Bad credentials"* || "$output" == *"HTTP 401"* || "$output" == *"secondary rate limit"* || "$output" == *"API rate limit"* ]]; then
                   echo "::warning::gh $* failed on attempt ${attempt}: ${output}" >&2
                   sleep $((attempt * 10))
                   continue
@@ -485,21 +467,6 @@ jobs:
               gh_with_retry api --paginate "repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/jobs?per_page=100" --jq '.jobs[]'
             }
 
-            fail_fast_failed_jobs() {
-              local failed_jobs_json
-              failed_jobs_json="$(
-                fetch_child_jobs |
-                  jq -s '[.[] | select(.status == "completed" and .conclusion != "success" and .conclusion != "skipped")]'
-              )"
-              if jq -e 'length > 0' <<< "$failed_jobs_json" >/dev/null; then
-                echo "::error::${workflow} has failed child jobs before the workflow completed; cancelling the remaining matrix."
-                jq '.[] | {name, conclusion, url: .html_url}' <<< "$failed_jobs_json"
-                cancel_child
-                trap - EXIT INT TERM
-                exit 1
-              fi
-            }
-
             cancel_child() {
               if [[ -n "${run_id:-}" ]]; then
                 echo "Cancelling child workflow ${workflow}: ${run_id}" >&2
@@ -515,9 +482,6 @@ jobs:
                 break
               fi
               poll_count=$((poll_count + 1))
-              if (( poll_count % 2 == 0 )); then
-                fail_fast_failed_jobs
-              fi
               if (( poll_count % 10 == 0 )); then
                 echo "Still waiting on ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
                 fetch_child_jobs | jq 'select(.status != "completed") | {name, status, url: .html_url}' || true
@@ -593,7 +557,7 @@ jobs:
                   printf '%s\n' "$output"
                   return 0
                 fi
-                if [[ "$output" == *"Bad credentials"* || "$output" == *"HTTP 401"* || "$output" == *"secondary rate limit"* || "$output" == *"API rate limit"* || "$output" == *"Sorry. Your account was suspended"* ]]; then
+                if [[ "$output" == *"Bad credentials"* || "$output" == *"HTTP 401"* || "$output" == *"secondary rate limit"* || "$output" == *"API rate limit"* ]]; then
                   echo "::warning::gh $* failed on attempt ${attempt}: ${output}" >&2
                   sleep $((attempt * 10))
                   continue
@@ -683,24 +647,6 @@ jobs:
               [[ "$saw_advisory" == "1" && "$failed" == "0" ]]
             }
 
-            fail_fast_failed_jobs() {
-              local failed_jobs_json
-              if [[ "$workflow" == "openclaw-release-checks.yml" && "$CHILD_WORKFLOW_REF" =~ ^tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
-                return 0
-              fi
-              failed_jobs_json="$(
-                fetch_child_jobs |
-                  jq -s '[.[] | select(.status == "completed" and .conclusion != "success" and .conclusion != "skipped")]'
-              )"
-              if jq -e 'length > 0' <<< "$failed_jobs_json" >/dev/null; then
-                echo "::error::${workflow} has failed child jobs before the workflow completed; cancelling the remaining matrix."
-                jq '.[] | {name, conclusion, url: .html_url}' <<< "$failed_jobs_json"
-                cancel_child
-                trap - EXIT INT TERM
-                exit 1
-              fi
-            }
-
             cancel_child() {
               if [[ -n "${run_id:-}" ]]; then
                 echo "Cancelling child workflow ${workflow}: ${run_id}" >&2
@@ -716,9 +662,6 @@ jobs:
                 break
               fi
               poll_count=$((poll_count + 1))
-              if (( poll_count % 2 == 0 )); then
-                fail_fast_failed_jobs
-              fi
               if (( poll_count % 10 == 0 )); then
                 echo "Still waiting on ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
                 fetch_child_jobs | jq 'select(.status != "completed") | {name, status, url: .html_url}' || true
@@ -916,7 +859,7 @@ jobs:
                 printf '%s\n' "$output"
                 return 0
               fi
-              if [[ "$output" == *"Bad credentials"* || "$output" == *"HTTP 401"* || "$output" == *"secondary rate limit"* || "$output" == *"API rate limit"* || "$output" == *"Sorry. Your account was suspended"* ]]; then
+              if [[ "$output" == *"Bad credentials"* || "$output" == *"HTTP 401"* || "$output" == *"secondary rate limit"* || "$output" == *"API rate limit"* ]]; then
                 echo "::warning::gh $* failed on attempt ${attempt}: ${output}" >&2
                 sleep $((attempt * 10))
                 continue
@@ -976,21 +919,6 @@ jobs:
           }
           trap cancel_child EXIT INT TERM
 
-          fail_fast_failed_jobs() {
-            local failed_jobs_json
-            failed_jobs_json="$(
-              gh_with_retry run view "$run_id" --json jobs \
-                --jq '[.jobs[] | select(.status == "completed" and .conclusion != "success" and .conclusion != "skipped")]'
-            )"
-            if jq -e 'length > 0' <<< "$failed_jobs_json" >/dev/null; then
-              echo "::error::npm-telegram-beta-e2e.yml has failed child jobs before the workflow completed; cancelling the remaining run."
-              jq '.[] | {name, conclusion, url}' <<< "$failed_jobs_json"
-              cancel_child
-              trap - EXIT INT TERM
-              exit 1
-            fi
-          }
-
           poll_count=0
           while true; do
             status="$(gh_with_retry run view "$run_id" --json status --jq '.status')"
@@ -998,9 +926,6 @@ jobs:
               break
             fi
             poll_count=$((poll_count + 1))
-            if (( poll_count % 2 == 0 )); then
-              fail_fast_failed_jobs
-            fi
             if (( poll_count % 10 == 0 )); then
               echo "Still waiting on npm-telegram-beta-e2e.yml: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
               gh_with_retry run view "$run_id" --json jobs --jq '.jobs[] | select(.status != "completed") | {name, status, url}' || true
@@ -1050,7 +975,7 @@ jobs:
                 printf '%s\n' "$output"
                 return 0
               fi
-              if [[ "$output" == *"Bad credentials"* || "$output" == *"HTTP 401"* || "$output" == *"secondary rate limit"* || "$output" == *"API rate limit"* || "$output" == *"Sorry. Your account was suspended"* ]]; then
+              if [[ "$output" == *"Bad credentials"* || "$output" == *"HTTP 401"* || "$output" == *"secondary rate limit"* || "$output" == *"API rate limit"* ]]; then
                 echo "::warning::gh $* failed on attempt ${attempt}: ${output}" >&2
                 sleep $((attempt * 10))
                 continue
@@ -1139,16 +1064,7 @@ jobs:
 
   summary:
     name: Verify full validation
-    needs:
-      [
-        resolve_target,
-        docker_runtime_assets_preflight,
-        normal_ci,
-        plugin_prerelease,
-        release_checks,
-        npm_telegram,
-        performance,
-      ]
+    needs: [resolve_target, docker_runtime_assets_preflight, normal_ci, plugin_prerelease, release_checks, npm_telegram, performance]
     if: always()
     runs-on: ubuntu-24.04
     timeout-minutes: 5
@@ -1173,29 +1089,6 @@ jobs:
         run: |
           set -euo pipefail
 
-          gh_with_retry() {
-            local output status attempt
-            for attempt in 1 2 3 4 5 6; do
-              set +e
-              output="$(gh "$@" 2>&1)"
-              status=$?
-              set -e
-              if [[ "$status" -eq 0 ]]; then
-                printf '%s\n' "$output"
-                return 0
-              fi
-              if [[ "$output" == *"Bad credentials"* || "$output" == *"HTTP 401"* || "$output" == *"secondary rate limit"* || "$output" == *"API rate limit"* || "$output" == *"Sorry. Your account was suspended"* ]]; then
-                echo "::warning::gh $* failed on attempt ${attempt}: ${output}" >&2
-                sleep $((attempt * 10))
-                continue
-              fi
-              printf '%s\n' "$output" >&2
-              return "$status"
-            done
-            printf '%s\n' "$output" >&2
-            return "$status"
-          }
-
           release_check_blocking_job() {
             case "$1" in
               "resolve_target" | \
@@ -1252,7 +1145,7 @@ jobs:
             fi
 
             local run_json status conclusion url attempt head_sha
-            run_json="$(gh_with_retry run view "$run_id" --json status,conclusion,url,attempt,headSha,jobs)"
+            run_json="$(gh run view "$run_id" --json status,conclusion,url,attempt,headSha,jobs)"
             status="$(jq -r '.status' <<< "$run_json")"
             conclusion="$(jq -r '.conclusion' <<< "$run_json")"
             url="$(jq -r '.url' <<< "$run_json")"
@@ -1299,7 +1192,7 @@ jobs:
               fi
 
               local run_json row
-              run_json="$(gh_with_retry run view "$run_id" --json status,conclusion,url,createdAt,updatedAt,headSha)"
+              run_json="$(gh run view "$run_id" --json status,conclusion,url,createdAt,updatedAt,headSha)"
               row="$(
                 jq -r --arg label "$label" '
                   def ts: fromdateiso8601;
@@ -1335,7 +1228,7 @@ jobs:
               echo
               echo "### Slowest jobs: ${label}"
               echo
-              gh_with_retry run view "$run_id" --json jobs --jq '
+              gh run view "$run_id" --json jobs --jq '
                 def ts: fromdateiso8601;
                 "| Job | Result | Minutes |",
                 "| --- | --- | ---: |",
@@ -1352,7 +1245,7 @@ jobs:
               echo
               echo "### Longest queues: ${label}"
               echo
-              gh_with_retry api --paginate "repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/jobs?per_page=100" --jq ".jobs[] | @json" | jq -sr '
+              gh api --paginate "repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/jobs?per_page=100" --jq ".jobs[] | @json" | jq -sr '
                 def ts: fromdateiso8601;
                 "| Job | Result | Queue minutes | Run minutes |",
                 "| --- | --- | ---: | ---: |",
@@ -1381,7 +1274,7 @@ jobs:
             fi
 
             local run_json status conclusion artifacts_json
-            run_json="$(gh_with_retry run view "$run_id" --json status,conclusion,url,jobs)"
+            run_json="$(gh run view "$run_id" --json status,conclusion,url,jobs)"
             status="$(jq -r '.status' <<< "$run_json")"
             conclusion="$(jq -r '.conclusion' <<< "$run_json")"
             if [[ "$status" == "completed" && "$conclusion" == "success" ]]; then
@@ -1404,7 +1297,7 @@ jobs:
               echo
               echo "Artifacts:"
               artifacts_json="$(
-                gh_with_retry api "repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/artifacts?per_page=100" 2>/dev/null || true
+                gh api "repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/artifacts?per_page=100" 2>/dev/null || true
               )"
               if [[ -n "${artifacts_json// }" ]]; then
                 jq -r '
@@ -1491,9 +1384,9 @@ jobs:
 
           exit "$failed"
 
-      - name: Request release evidence update
+      - name: Request private evidence update
         env:
-          RELEASES_DISPATCH_TOKEN: ${{ secrets.OPENCLAW_RELEASES_DISPATCH_TOKEN }}
+          RELEASE_PRIVATE_DISPATCH_TOKEN: ${{ secrets.OPENCLAW_RELEASES_PRIVATE_DISPATCH_TOKEN }}
           TARGET_REF: ${{ inputs.ref }}
           PACKAGE_SPEC: ${{ inputs.evidence_package_spec || inputs.npm_telegram_package_spec }}
           GITHUB_RUN_ID_VALUE: ${{ github.run_id }}
@@ -1501,11 +1394,11 @@ jobs:
         run: |
           set -euo pipefail
           if [[ "$RELEASE_CHECKS_RESULT" == "skipped" ]]; then
-            echo "Release checks were skipped by rerun group; skipping automatic release evidence update."
+            echo "Release checks were skipped by rerun group; skipping automatic private evidence update."
             exit 0
           fi
-          if [[ -z "${RELEASES_DISPATCH_TOKEN// }" ]]; then
-            echo "OPENCLAW_RELEASES_DISPATCH_TOKEN is not configured; skipping automatic release evidence update."
+          if [[ -z "${RELEASE_PRIVATE_DISPATCH_TOKEN// }" ]]; then
+            echo "OPENCLAW_RELEASES_PRIVATE_DISPATCH_TOKEN is not configured; skipping automatic private evidence update."
             exit 0
           fi
 
@@ -1524,7 +1417,7 @@ jobs:
           fi
           release_id="$(printf '%s' "$release_id" | tr '/:@ ' '----' | tr -cd 'A-Za-z0-9._-')"
           if [[ -z "$release_id" ]]; then
-            echo "::warning::Could not derive release evidence id from target ref '${TARGET_REF}'; skipping automatic release evidence update."
+            echo "::warning::Could not derive release evidence id from target ref '${TARGET_REF}'; skipping automatic private evidence update."
             exit 0
           fi
 
@@ -1550,18 +1443,18 @@ jobs:
           if ! curl --fail-with-body \
             -X POST \
             -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer ${RELEASES_DISPATCH_TOKEN}" \
+            -H "Authorization: Bearer ${RELEASE_PRIVATE_DISPATCH_TOKEN}" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
-            https://api.github.com/repos/openclaw/releases/dispatches \
+            https://api.github.com/repos/openclaw/releases-private/dispatches \
             -d "$payload"; then
-            echo "::warning::Automatic release evidence dispatch failed; child workflow validation remains authoritative."
+            echo "::warning::Automatic private release evidence dispatch failed; child workflow validation remains authoritative."
             {
-              echo "### Release evidence dispatch failed"
+              echo "### Private release evidence dispatch failed"
               echo
-              echo "Child workflow validation remains authoritative. Backfill durable evidence from \`openclaw/releases\`:"
+              echo "Child workflow validation remains authoritative. Backfill durable evidence from \`openclaw/releases-private\`:"
               echo
               echo "\`\`\`bash"
-              echo "gh workflow run openclaw-release-evidence-from-full-validation.yml --repo openclaw/releases --ref main -f full_validation_run_id=${GITHUB_RUN_ID_VALUE} -f release_id=${release_id} -f release_ref=${TARGET_REF} -f package_spec=${evidence_package_spec}"
+              echo "gh workflow run openclaw-release-evidence-from-full-validation.yml --repo openclaw/releases-private --ref main -f full_validation_run_id=${GITHUB_RUN_ID_VALUE} -f release_id=${release_id} -f release_ref=${TARGET_REF} -f package_spec=${evidence_package_spec}"
               echo "\`\`\`"
             } >> "$GITHUB_STEP_SUMMARY"
           fi

.github/workflows/install-smoke.yml

@@ -112,7 +112,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 
@@ -121,7 +121,7 @@ jobs:
       # builder stalls; an explicit buildx invocation fails closed instead.
       - name: Build root Dockerfile smoke image
         run: |
-          timeout --kill-after=30s 45m docker buildx build \
+          timeout 45m docker buildx build \
             --progress=plain \
             --load \
             --build-arg OPENCLAW_EXTENSIONS=matrix \
@@ -132,7 +132,7 @@ jobs:
 
       - name: Run root Dockerfile CLI smoke
         run: |
-          timeout --kill-after=30s 20m docker run --rm --entrypoint sh openclaw-dockerfile-smoke:local -lc '
+          docker run --rm --entrypoint sh openclaw-dockerfile-smoke:local -lc '
             which openclaw &&
             openclaw --version &&
             node -e "
@@ -143,7 +143,7 @@ jobs:
               for (const [dep, rel] of Object.entries(workspace.patchedDependencies ?? {})) {
                 const absolute = path.join(\"/app\", rel);
                 if (!fs.existsSync(absolute)) {
-                  throw new Error(\"missing patch for \" + dep + \": \" + rel);
+                  throw new Error(`missing patch for ${dep}: ${rel}`);
                 }
               }
             "
@@ -163,7 +163,7 @@ jobs:
 
       - name: Smoke test Dockerfile with matrix extension build arg
         run: |
-          timeout --kill-after=30s 20m docker run --rm --entrypoint sh openclaw-ext-smoke:local -lc '
+          docker run --rm --entrypoint sh openclaw-ext-smoke:local -lc '
             which openclaw &&
             openclaw --version &&
             node -e "
@@ -223,7 +223,7 @@ jobs:
           persist-credentials: false
 
       - name: Log in to GHCR
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -235,7 +235,7 @@ jobs:
           IMAGE_REF: ${{ needs.preflight.outputs.dockerfile_image }}
         run: |
           set -euo pipefail
-          if timeout --kill-after=30s 180s docker pull "$IMAGE_REF"; then
+          if timeout 180s docker pull "$IMAGE_REF"; then
             echo "exists=true" >> "$GITHUB_OUTPUT"
             echo "Using existing root Dockerfile smoke image: \`$IMAGE_REF\`" >> "$GITHUB_STEP_SUMMARY"
           else
@@ -245,7 +245,7 @@ jobs:
 
       - name: Set up Blacksmith Docker Builder
         if: steps.existing.outputs.exists != 'true'
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 
@@ -256,7 +256,7 @@ jobs:
         env:
           IMAGE_REF: ${{ needs.preflight.outputs.dockerfile_image }}
         run: |
-          timeout --kill-after=30s 45m docker buildx build \
+          timeout 45m docker buildx build \
             --progress=plain \
             --push \
             --build-arg OPENCLAW_EXTENSIONS=matrix \
@@ -311,7 +311,7 @@ jobs:
           persist-credentials: false
 
       - name: Log in to GHCR
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -320,13 +320,13 @@ jobs:
       - name: Pull root Dockerfile smoke image
         env:
           IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
-        run: timeout --kill-after=30s 600s docker pull "$IMAGE_REF"
+        run: timeout 600s docker pull "$IMAGE_REF"
 
       - name: Run root Dockerfile CLI smoke
         env:
           IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
         run: |
-          timeout --kill-after=30s 20m docker run --rm --entrypoint sh "$IMAGE_REF" -lc '
+          docker run --rm --entrypoint sh "$IMAGE_REF" -lc '
             which openclaw &&
             openclaw --version &&
             node -e "
@@ -337,7 +337,7 @@ jobs:
               for (const [dep, rel] of Object.entries(workspace.patchedDependencies ?? {})) {
                 const absolute = path.join(\"/app\", rel);
                 if (!fs.existsSync(absolute)) {
-                  throw new Error(\"missing patch for \" + dep + \": \" + rel);
+                  throw new Error(`missing patch for ${dep}: ${rel}`);
                 }
               }
             "
@@ -359,7 +359,7 @@ jobs:
         env:
           IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
         run: |
-          timeout --kill-after=30s 20m docker run --rm --entrypoint sh "$IMAGE_REF" -lc '
+          docker run --rm --entrypoint sh "$IMAGE_REF" -lc '
             which openclaw &&
             openclaw --version &&
             node -e "
@@ -417,7 +417,7 @@ jobs:
           persist-credentials: false
 
       - name: Log in to GHCR
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -426,16 +426,16 @@ jobs:
       - name: Pull root Dockerfile smoke image
         env:
           IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
-        run: timeout --kill-after=30s 600s docker pull "$IMAGE_REF"
+        run: timeout 600s docker pull "$IMAGE_REF"
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 
       - name: Build installer smoke image
         run: |
-          timeout --kill-after=30s 20m docker buildx build \
+          timeout 20m docker buildx build \
             --progress=plain \
             --load \
             -t openclaw-install-smoke:local \
@@ -444,7 +444,7 @@ jobs:
 
       - name: Build installer non-root image
         run: |
-          timeout --kill-after=30s 20m docker buildx build \
+          timeout 20m docker buildx build \
             --progress=plain \
             --load \
             -t openclaw-install-nonroot:local \
@@ -475,7 +475,7 @@ jobs:
 
       - name: Run Rocky Linux installer smoke
         run: |
-          timeout --kill-after=30s 20m docker run --rm \
+          timeout 20m docker run --rm \
             -e OPENCLAW_NO_ONBOARD=1 \
             -e OPENCLAW_NO_PROMPT=1 \
             -v "$PWD/scripts/install.sh:/tmp/install.sh:ro" \
@@ -484,7 +484,7 @@ jobs:
 
       - name: Run Rocky Linux CLI installer smoke
         run: |
-          timeout --kill-after=30s 20m docker run --rm \
+          timeout 20m docker run --rm \
             -e OPENCLAW_NO_ONBOARD=1 \
             -e OPENCLAW_NO_PROMPT=1 \
             -v "$PWD/scripts/install-cli.sh:/tmp/install-cli.sh:ro" \
@@ -503,7 +503,7 @@ jobs:
           persist-credentials: false
 
       - name: Log in to GHCR
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -512,7 +512,7 @@ jobs:
       - name: Pull root Dockerfile smoke image
         env:
           IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
-        run: timeout --kill-after=30s 600s docker pull "$IMAGE_REF"
+        run: timeout 600s docker pull "$IMAGE_REF"
 
       - name: Setup Node environment for Bun smoke
         uses: ./.github/actions/setup-node-env
@@ -542,7 +542,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 

.github/workflows/live-media-runner-image.yml

@@ -29,14 +29,14 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Login to GHCR
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ github.token }}
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 

.github/workflows/macos-release.yml

@@ -13,7 +13,7 @@ on:
         default: true
         type: boolean
       public_release_branch:
-        description: Public branch that contains the release tag commit, usually main or release/YYYY.M.PATCH
+        description: Public branch that contains the release tag commit, usually main or release/YYYY.M.D
         required: false
         default: main
         type: string
@@ -73,7 +73,7 @@ jobs:
         run: |
           set -euo pipefail
           if [[ "${PUBLIC_RELEASE_BRANCH}" != "main" && ! "${PUBLIC_RELEASE_BRANCH}" =~ ^release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]]; then
-            echo "public_release_branch must be main or release/YYYY.M.PATCH, got ${PUBLIC_RELEASE_BRANCH}." >&2
+            echo "public_release_branch must be main or release/YYYY.M.D, got ${PUBLIC_RELEASE_BRANCH}." >&2
             exit 1
           fi
           RELEASE_SHA=$(git rev-parse HEAD)
@@ -93,8 +93,8 @@ jobs:
             echo "It does not sign, notarize, or upload macOS assets."
             echo
             echo "Next step:"
-            echo "- Run \`openclaw/releases/.github/workflows/openclaw-macos-validate.yml\` with tag \`${RELEASE_TAG}\` and wait for the macOS validation lane to pass."
-            echo "- Run \`openclaw/releases/.github/workflows/openclaw-macos-publish.yml\` with tag \`${RELEASE_TAG}\` and \`preflight_only=true\` for the full macOS preflight."
-            echo "- For the real publish path, run the same macOS publish workflow from \`main\` with the successful preflight \`preflight_run_id\` so it promotes the prepared artifacts instead of rebuilding them."
-            echo "- For stable releases, the publish workflow also publishes the signed \`appcast.xml\` to public \`main\`, or opens an appcast PR if direct push is blocked."
+            echo "- Run \`openclaw/releases-private/.github/workflows/openclaw-macos-validate.yml\` with tag \`${RELEASE_TAG}\` and wait for the private mac validation lane to pass."
+            echo "- Run \`openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml\` with tag \`${RELEASE_TAG}\` and \`preflight_only=true\` for the full private mac preflight."
+            echo "- For the real publish path, run the same private mac publish workflow from \`main\` with the successful private preflight \`preflight_run_id\` so it promotes the prepared artifacts instead of rebuilding them."
+            echo "- For stable releases, the private publish workflow also publishes the signed \`appcast.xml\` to public \`main\`, or opens an appcast PR if direct push is blocked."
           } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/mantis-discord-smoke.yml

@@ -37,7 +37,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const allowed = new Set(["admin", "maintain", "write"]);

.github/workflows/mantis-discord-status-reactions.yml

@@ -56,7 +56,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const allowed = new Set(["admin", "maintain", "write"]);
@@ -91,7 +91,7 @@ jobs:
     steps:
       - name: Resolve refs and target PR
         id: resolve
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const defaultBaseline = "0bf06e953fdda290799fc9fb9244a8f67fdae593";
@@ -437,17 +437,8 @@ jobs:
             echo "::warning::Could not generate motion-trimmed desktop previews; continuing with screenshots and full MP4 links."
           fi
 
-          read_discord_status_reaction_status() {
-            local lane="$1"
-            if [[ -f "$root/$lane/qa-evidence.json" ]]; then
-              jq -r '.entries[0].result.status' "$root/$lane/qa-evidence.json"
-              return
-            fi
-            jq -r '.scenarios[0].status' "$root/$lane/discord-qa-summary.json"
-          }
-
-          baseline_status="$(read_discord_status_reaction_status baseline)"
-          candidate_status="$(read_discord_status_reaction_status candidate)"
+          baseline_status="$(jq -r '.scenarios[0].status' "$root/baseline/discord-qa-summary.json")"
+          candidate_status="$(jq -r '.scenarios[0].status' "$root/candidate/discord-qa-summary.json")"
 
           jq -n \
             --arg baseline_status "$baseline_status" \
@@ -590,7 +581,7 @@ jobs:
       issues: write
     steps:
       - name: Remove workflow eyes reaction
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const { owner, repo } = context.repo;

.github/workflows/mantis-discord-thread-attachment.yml

@@ -56,7 +56,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const allowed = new Set(["admin", "maintain", "write"]);
@@ -91,7 +91,7 @@ jobs:
     steps:
       - name: Resolve refs and target PR
         id: resolve
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const defaultBaseline = "synthetic-reverted-thread-filepath-fix";
@@ -451,17 +451,8 @@ jobs:
 
           capture_candidate_discord_web
 
-          read_discord_thread_attachment_status() {
-            local lane="$1"
-            if [[ -f "$root/$lane/qa-evidence.json" ]]; then
-              jq -r '.entries[] | select(.test.id == "discord-thread-reply-filepath-attachment") | .result.status' "$root/$lane/qa-evidence.json"
-              return
-            fi
-            jq -r '.scenarios[] | select(.id == "discord-thread-reply-filepath-attachment") | .status' "$root/$lane/discord-qa-summary.json"
-          }
-
-          baseline_status="$(read_discord_thread_attachment_status baseline)"
-          candidate_status="$(read_discord_thread_attachment_status candidate)"
+          baseline_status="$(jq -r '.scenarios[] | select(.id == "discord-thread-reply-filepath-attachment") | .status' "$root/baseline/discord-qa-summary.json")"
+          candidate_status="$(jq -r '.scenarios[] | select(.id == "discord-thread-reply-filepath-attachment") | .status' "$root/candidate/discord-qa-summary.json")"
           comparison_status="fail"
           if [[ "$baseline_status" == "fail" && "$candidate_status" == "pass" ]]; then
             comparison_status="pass"
@@ -612,7 +603,7 @@ jobs:
       issues: write
     steps:
       - name: Remove workflow eyes reaction
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const { owner, repo } = context.repo;

.github/workflows/mantis-slack-desktop-smoke.yml

@@ -81,7 +81,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const allowed = new Set(["admin", "maintain", "write"]);
@@ -180,7 +180,7 @@ jobs:
         run: pnpm build
 
       - name: Cache Mantis candidate pnpm store
-        uses: actions/cache@v5
+        uses: actions/cache@v4
         with:
           path: |
             ~/.local/share/pnpm/store

.github/workflows/mantis-telegram-desktop-proof.yml

@@ -48,8 +48,7 @@ env:
   OPENCLAW_BUILD_PRIVATE_QA: "1"
   OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
   CRABBOX_REF: main
-  CRABBOX_AWS_REGION: us-east-1
-  CRABBOX_CAPACITY_REGIONS: us-east-1
+  CRABBOX_CAPACITY_REGIONS: eu-west-1,eu-west-2,eu-central-1,us-east-1,us-west-2
   MANTIS_OUTPUT_DIR: .artifacts/qa-e2e/mantis/telegram-desktop-proof
 
 jobs:
@@ -79,7 +78,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             if (context.eventName === "pull_request_target") {
@@ -125,7 +124,7 @@ jobs:
     steps:
       - name: Resolve refs and target PR
         id: resolve
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const eventName = context.eventName;
@@ -225,7 +224,6 @@ jobs:
       - name: Checkout harness ref
         uses: actions/checkout@v6
         with:
-          ref: main
           persist-credentials: false
           fetch-depth: 0
 
@@ -241,6 +239,9 @@ jobs:
           set -euo pipefail
 
           git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
+          if [[ -n "${PR_NUMBER:-}" ]]; then
+            git fetch --no-tags origin "+refs/pull/${PR_NUMBER}/head:refs/remotes/origin/pr/${PR_NUMBER}" || true
+          fi
 
           resolve_commit() {
             local input_ref="$2"
@@ -254,6 +255,7 @@ jobs:
           }
 
           baseline_revision="$(resolve_commit baseline "$BASELINE_REF")"
+          candidate_revision="$(resolve_commit candidate "$CANDIDATE_REF")"
           if ! git merge-base --is-ancestor "$baseline_revision" refs/remotes/origin/main; then
             echo "baseline ref '${BASELINE_REF}' resolved to ${baseline_revision}, which is not on main." >&2
             exit 1
@@ -267,11 +269,6 @@ jobs:
           pr_state="$(jq -r '.state' <<<"$pr_head")"
           pr_head_sha="$(jq -r '.head_sha' <<<"$pr_head")"
           pr_head_repo="$(jq -r '.head_repo' <<<"$pr_head")"
-          candidate_revision="$CANDIDATE_REF"
-          if [[ ! "$candidate_revision" =~ ^[0-9a-f]{40}$ ]]; then
-            echo "candidate ref '${CANDIDATE_REF}' is not an immutable commit SHA." >&2
-            exit 1
-          fi
           if [[ "$pr_state" != "open" || "$candidate_revision" != "$pr_head_sha" ]]; then
             echo "candidate ref '${CANDIDATE_REF}' resolved to ${candidate_revision}, which is not the open PR head." >&2
             exit 1
@@ -426,7 +423,7 @@ jobs:
           {
             printf '%s\n' 'Defaults env_keep += "CODEX_HOME CODEX_INTERNAL_ORIGINATOR_OVERRIDE"'
             printf '%s\n' 'Defaults env_keep += "BASELINE_REF BASELINE_SHA CANDIDATE_REF CANDIDATE_SHA"'
-            printf '%s\n' 'Defaults env_keep += "CRABBOX_ACCESS_CLIENT_ID CRABBOX_ACCESS_CLIENT_SECRET CRABBOX_COORDINATOR CRABBOX_COORDINATOR_TOKEN CRABBOX_AWS_REGION CRABBOX_CAPACITY_REGIONS CRABBOX_LEASE_ID CRABBOX_PROVIDER"'
+            printf '%s\n' 'Defaults env_keep += "CRABBOX_ACCESS_CLIENT_ID CRABBOX_ACCESS_CLIENT_SECRET CRABBOX_COORDINATOR CRABBOX_COORDINATOR_TOKEN CRABBOX_LEASE_ID CRABBOX_PROVIDER CRABBOX_CAPACITY_REGIONS"'
             printf '%s\n' 'Defaults env_keep += "GH_TOKEN MANTIS_CANDIDATE_TRUST MANTIS_INSTRUCTIONS MANTIS_OUTPUT_DIR MANTIS_PR_NUMBER"'
             printf '%s\n' 'Defaults env_keep += "OPENCLAW_BUILD_PRIVATE_QA OPENCLAW_ENABLE_PRIVATE_QA_CLI OPENCLAW_QA_CONVEX_SECRET_CI OPENCLAW_QA_CONVEX_SITE_URL OPENCLAW_QA_CREDENTIAL_OWNER_ID OPENCLAW_QA_MANTIS_CRABBOX_COORDINATOR OPENCLAW_QA_MANTIS_CRABBOX_COORDINATOR_TOKEN"'
             printf '%s\n' 'Defaults env_keep += "OPENCLAW_TELEGRAM_USER_CRABBOX_BIN OPENCLAW_TELEGRAM_USER_CRABBOX_PROVIDER OPENCLAW_TELEGRAM_USER_DRIVER_SCRIPT OPENCLAW_TELEGRAM_USER_PROOF_CMD"'
@@ -445,7 +442,7 @@ jobs:
           sudo chown -R codex:codex "$GITHUB_WORKSPACE"
 
       - name: Run Codex Mantis Telegram agent
-        uses: openai/codex-action@e0fdf01220eb9a88167c4898839d273e3f2609d1
+        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
         env:
           BASELINE_REF: ${{ needs.resolve_request.outputs.baseline_ref }}
           BASELINE_SHA: ${{ needs.validate_refs.outputs.baseline_revision }}
@@ -455,7 +452,6 @@ jobs:
           CRABBOX_ACCESS_CLIENT_SECRET: ${{ secrets.CRABBOX_ACCESS_CLIENT_SECRET }}
           CRABBOX_COORDINATOR: ${{ secrets.CRABBOX_COORDINATOR || secrets.OPENCLAW_QA_MANTIS_CRABBOX_COORDINATOR }}
           CRABBOX_COORDINATOR_TOKEN: ${{ secrets.CRABBOX_COORDINATOR_TOKEN || secrets.OPENCLAW_QA_MANTIS_CRABBOX_COORDINATOR_TOKEN }}
-          CRABBOX_AWS_REGION: ${{ env.CRABBOX_AWS_REGION }}
           CRABBOX_CAPACITY_REGIONS: ${{ env.CRABBOX_CAPACITY_REGIONS }}
           CRABBOX_LEASE_ID: ${{ needs.resolve_request.outputs.lease_id }}
           CRABBOX_PROVIDER: ${{ needs.resolve_request.outputs.crabbox_provider }}
@@ -709,7 +705,7 @@ jobs:
       issues: write
     steps:
       - name: Remove workflow eyes reaction
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const { owner, repo } = context.repo;

.github/workflows/mantis-telegram-live.yml

@@ -44,8 +44,6 @@ env:
   OPENCLAW_BUILD_PRIVATE_QA: "1"
   OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
   CRABBOX_REF: main
-  CRABBOX_AWS_REGION: us-east-1
-  CRABBOX_CAPACITY_REGIONS: us-east-1
 
 jobs:
   authorize_actor:
@@ -68,7 +66,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const allowed = new Set(["admin", "maintain", "write"]);
@@ -105,7 +103,7 @@ jobs:
     steps:
       - name: Resolve refs and target PR
         id: resolve
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const eventName = context.eventName;
@@ -327,7 +325,7 @@ jobs:
         run: pnpm build
 
       - name: Cache Mantis candidate pnpm store
-        uses: actions/cache@v5
+        uses: actions/cache@v4
         with:
           path: |
             ~/.local/share/pnpm/store
@@ -377,7 +375,6 @@ jobs:
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
           OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-          OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
           OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
           OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
           CRABBOX_COORDINATOR: ${{ secrets.CRABBOX_COORDINATOR }}
@@ -386,8 +383,6 @@ jobs:
           OPENCLAW_QA_MANTIS_CRABBOX_COORDINATOR_TOKEN: ${{ secrets.OPENCLAW_QA_MANTIS_CRABBOX_COORDINATOR_TOKEN }}
           CRABBOX_ACCESS_CLIENT_ID: ${{ secrets.CRABBOX_ACCESS_CLIENT_ID }}
           CRABBOX_ACCESS_CLIENT_SECRET: ${{ secrets.CRABBOX_ACCESS_CLIENT_SECRET }}
-          CRABBOX_AWS_REGION: ${{ env.CRABBOX_AWS_REGION }}
-          CRABBOX_CAPACITY_REGIONS: ${{ env.CRABBOX_CAPACITY_REGIONS }}
           CRABBOX_LEASE_ID: ${{ needs.resolve_request.outputs.lease_id }}
           CRABBOX_PROVIDER: ${{ needs.resolve_request.outputs.crabbox_provider }}
           SCENARIO_INPUT: ${{ needs.resolve_request.outputs.scenario }}
@@ -445,8 +440,8 @@ jobs:
           telegram_exit=$?
           set -e
 
-          if [[ ! -f "$root/qa-evidence.json" && ! -f "$root/telegram-qa-summary.json" ]]; then
-            echo "Telegram live QA did not produce an evidence summary." >&2
+          if [[ ! -f "$root/telegram-qa-summary.json" ]]; then
+            echo "Telegram live QA did not produce a summary." >&2
             exit "$telegram_exit"
           fi
           echo "telegram_exit=${telegram_exit}" >> "$GITHUB_OUTPUT"
@@ -573,7 +568,7 @@ jobs:
       issues: write
     steps:
       - name: Remove workflow eyes reaction
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const { owner, repo } = context.repo;

.github/workflows/npm-telegram-beta-e2e.yml

@@ -126,7 +126,7 @@ jobs:
           fetch-depth: 1
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 
@@ -218,7 +218,6 @@ jobs:
           OPENCLAW_NPM_TELEGRAM_CREDENTIAL_ROLE: ci
           OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
           OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-          OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
           OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
           OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
           INPUT_SCENARIO: ${{ inputs.scenario }}

.github/workflows/openclaw-cross-os-release-checks-reusable.yml

@@ -451,7 +451,7 @@ jobs:
           OUTPUT_DIR: ${{ runner.temp }}/openclaw-cross-os-release-checks/prepare/baseline
         run: |
           mkdir -p "${OUTPUT_DIR}"
-          timeout --preserve-status 300s npm pack --ignore-scripts --json "${BASELINE_SPEC}" --pack-destination "${OUTPUT_DIR}" > "${OUTPUT_DIR}/pack.json"
+          npm pack --ignore-scripts --json "${BASELINE_SPEC}" --pack-destination "${OUTPUT_DIR}" > "${OUTPUT_DIR}/pack.json"
 
       - name: Capture candidate metadata
         id: candidate_metadata

.github/workflows/openclaw-live-and-e2e-checks-reusable.yml

@@ -480,35 +480,6 @@ jobs:
           fi
           exit 1
 
-  plan_release_workflow_matrices:
-    needs: validate_selected_ref
-    runs-on: ubuntu-24.04
-    outputs:
-      docker_e2e_count: ${{ steps.plan.outputs.docker_e2e_count }}
-      docker_e2e_matrix: ${{ steps.plan.outputs.docker_e2e_matrix }}
-      docker_e2e_omitted_json: ${{ steps.plan.outputs.docker_e2e_omitted_json }}
-      live_models_count: ${{ steps.plan.outputs.live_models_count }}
-      live_models_matrix: ${{ steps.plan.outputs.live_models_matrix }}
-      live_models_omitted_json: ${{ steps.plan.outputs.live_models_omitted_json }}
-    steps:
-      - name: Checkout trusted release harness
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-          ref: ${{ github.sha }}
-          fetch-depth: 1
-
-      - name: Plan release workflow matrices
-        id: plan
-        env:
-          DOCKER_LANES: ${{ inputs.docker_lanes }}
-          INCLUDE_LIVE_SUITES: ${{ inputs.include_live_suites }}
-          INCLUDE_RELEASE_PATH_SUITES: ${{ inputs.include_release_path_suites }}
-          LIVE_MODEL_PROVIDERS: ${{ inputs.live_model_providers }}
-          LIVE_SUITE_FILTER: ${{ inputs.live_suite_filter }}
-          RELEASE_TEST_PROFILE: ${{ inputs.release_test_profile }}
-        run: node scripts/plan-release-workflow-matrix.mjs >> "$GITHUB_OUTPUT"
-
   validate_release_live_cache:
     needs: validate_selected_ref
     if: inputs.include_live_suites && !inputs.live_models_only && (inputs.live_suite_filter == '' || inputs.live_suite_filter == 'live-cache')
@@ -563,7 +534,7 @@ jobs:
     needs: validate_selected_ref
     if: inputs.include_repo_e2e && inputs.live_suite_filter == ''
     continue-on-error: ${{ inputs.advisory }}
-    runs-on: ${{ inputs.use_github_hosted_runners && 'ubuntu-24.04' || 'blacksmith-32vcpu-ubuntu-2404' }}
+    runs-on: ${{ inputs.use_github_hosted_runners && 'ubuntu-24.04' || 'blacksmith-8vcpu-ubuntu-2404' }}
     timeout-minutes: ${{ inputs.release_test_profile == 'full' && 90 || 60 }}
     env:
       OPENCLAW_VITEST_MAX_WORKERS: "2"
@@ -595,7 +566,7 @@ jobs:
     needs: validate_selected_ref
     if: inputs.include_repo_e2e && (inputs.live_suite_filter == '' || inputs.live_suite_filter == 'openshell-e2e')
     continue-on-error: ${{ inputs.advisory }}
-    runs-on: ${{ inputs.use_github_hosted_runners && 'ubuntu-24.04' || 'blacksmith-32vcpu-ubuntu-2404' }}
+    runs-on: ${{ inputs.use_github_hosted_runners && 'ubuntu-24.04' || 'blacksmith-8vcpu-ubuntu-2404' }}
     timeout-minutes: ${{ matrix.timeout_minutes }}
     strategy:
       fail-fast: false
@@ -665,15 +636,72 @@ jobs:
         run: ${{ matrix.command }}
 
   validate_docker_e2e:
-    needs: [validate_selected_ref, prepare_docker_e2e_image, plan_release_workflow_matrices]
-    if: inputs.include_release_path_suites && inputs.docker_lanes == '' && needs.plan_release_workflow_matrices.outputs.docker_e2e_count != '0'
+    needs: [validate_selected_ref, prepare_docker_e2e_image]
+    if: inputs.include_release_path_suites && inputs.docker_lanes == ''
     name: Docker E2E (${{ matrix.label }})
     continue-on-error: ${{ inputs.advisory }}
     runs-on: ${{ inputs.use_github_hosted_runners && 'ubuntu-24.04' || 'blacksmith-32vcpu-ubuntu-2404' }}
     timeout-minutes: ${{ matrix.timeout_minutes }}
     strategy:
       fail-fast: false
-      matrix: ${{ fromJson(needs.plan_release_workflow_matrices.outputs.docker_e2e_matrix) }}
+      matrix:
+        include:
+          - chunk_id: core
+            label: core
+            timeout_minutes: 60
+            profiles: stable full
+          - chunk_id: package-update-openai
+            label: package/update OpenAI install
+            timeout_minutes: 45
+            profiles: beta minimum stable full
+          - chunk_id: package-update-anthropic
+            label: package/update Anthropic install
+            timeout_minutes: 60
+            profiles: beta minimum stable full
+          - chunk_id: package-update-core
+            label: package/update core
+            timeout_minutes: 60
+            profiles: beta minimum stable full
+          - chunk_id: plugins-runtime-plugins
+            label: plugins/runtime plugins
+            timeout_minutes: 60
+            profiles: stable full
+          - chunk_id: plugins-runtime-services
+            label: plugins/runtime services
+            timeout_minutes: 60
+            profiles: stable full
+          - chunk_id: plugins-runtime-install-a
+            label: plugins/runtime install A
+            timeout_minutes: 60
+            profiles: stable full
+          - chunk_id: plugins-runtime-install-b
+            label: plugins/runtime install B
+            timeout_minutes: 60
+            profiles: stable full
+          - chunk_id: plugins-runtime-install-c
+            label: plugins/runtime install C
+            timeout_minutes: 60
+            profiles: stable full
+          - chunk_id: plugins-runtime-install-d
+            label: plugins/runtime install D
+            timeout_minutes: 60
+            profiles: stable full
+          - chunk_id: plugins-runtime-install-e
+            label: plugins/runtime install E
+            timeout_minutes: 60
+            profiles: stable full
+          - chunk_id: plugins-runtime-install-f
+            label: plugins/runtime install F
+            timeout_minutes: 60
+            profiles: stable full
+          - chunk_id: plugins-runtime-install-g
+            label: plugins/runtime install G
+            timeout_minutes: 60
+            profiles: stable full
+          - chunk_id: plugins-runtime-install-h
+            label: plugins/runtime install H
+            timeout_minutes: 60
+            profiles: stable full
     env:
       OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
       OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
@@ -887,7 +915,7 @@ jobs:
           summary=".artifacts/docker-tests/release-${DOCKER_E2E_CHUNK}/summary.json"
           if [[ ! -f "$summary" ]]; then
             echo "Docker chunk summary missing: \`$summary\`" >> "$GITHUB_STEP_SUMMARY"
-            exit 1
+            exit 0
           fi
           node .release-harness/scripts/docker-e2e.mjs summary "$summary" "Docker E2E chunk: ${DOCKER_E2E_CHUNK:-unknown}" >> "$GITHUB_STEP_SUMMARY"
 
@@ -897,7 +925,7 @@ jobs:
         with:
           name: docker-e2e-${{ matrix.chunk_id }}
           path: .artifacts/docker-tests/
-          if-no-files-found: error
+          if-no-files-found: ignore
 
   plan_docker_lane_groups:
     needs: validate_selected_ref
@@ -1147,7 +1175,7 @@ jobs:
           summary=".artifacts/docker-tests/targeted-${{ steps.plan.outputs.artifact_suffix }}/summary.json"
           if [[ ! -f "$summary" ]]; then
             echo "Docker targeted summary missing: \`$summary\`" >> "$GITHUB_STEP_SUMMARY"
-            exit 1
+            exit 0
           fi
           node .release-harness/scripts/docker-e2e.mjs summary "$summary" "Docker E2E targeted lanes" >> "$GITHUB_STEP_SUMMARY"
 
@@ -1157,7 +1185,7 @@ jobs:
         with:
           name: docker-e2e-${{ steps.plan.outputs.artifact_suffix }}
           path: .artifacts/docker-tests/
-          if-no-files-found: error
+          if-no-files-found: ignore
 
   validate_docker_openwebui:
     needs: [validate_selected_ref, prepare_docker_e2e_image]
@@ -1274,7 +1302,7 @@ jobs:
           summary=".artifacts/docker-tests/release-openwebui/summary.json"
           if [[ ! -f "$summary" ]]; then
             echo "Docker Open WebUI summary missing: \`$summary\`" >> "$GITHUB_STEP_SUMMARY"
-            exit 1
+            exit 0
           fi
           node .release-harness/scripts/docker-e2e.mjs summary "$summary" "Docker E2E chunk: openwebui" >> "$GITHUB_STEP_SUMMARY"
 
@@ -1284,7 +1312,7 @@ jobs:
         with:
           name: docker-e2e-openwebui
           path: .artifacts/docker-tests/
-          if-no-files-found: error
+          if-no-files-found: ignore
 
   prepare_docker_e2e_image:
     needs: validate_selected_ref
@@ -1497,72 +1525,37 @@ jobs:
 
       - name: Setup Docker builder
         if: steps.image_exists.outputs.needs_build == '1'
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 
       - name: Build and push bare Docker E2E image
         if: steps.plan.outputs.needs_bare_image == '1' && steps.image_exists.outputs.bare_exists != '1'
-        shell: bash
-        env:
-          IMAGE_REF: ${{ steps.image.outputs.bare_image }}
-        run: |
-          set -euo pipefail
-          build_cmd=(
-            docker buildx build
-            --file ./scripts/e2e/Dockerfile
-            --target bare
-            --platform linux/amd64
-            --tag "$IMAGE_REF"
-            --sbom=true
-            --provenance=mode=max
-            --push
-            .
-          )
-          for attempt in 1 2 3 4; do
-            if "${build_cmd[@]}"; then
-              exit 0
-            fi
-            if [[ "$attempt" == "4" ]]; then
-              echo "::error::Failed to build Docker E2E bare image after ${attempt} attempts"
-              exit 1
-            fi
-            sleep_seconds=$((attempt * 20))
-            echo "Docker E2E bare image build failed; retrying in ${sleep_seconds}s (${attempt}/4)."
-            sleep "$sleep_seconds"
-          done
+        uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2
+        with:
+          context: .
+          file: ./scripts/e2e/Dockerfile
+          target: bare
+          platforms: linux/amd64
+          tags: ${{ steps.image.outputs.bare_image }}
+          sbom: true
+          provenance: mode=max
+          push: true
 
       - name: Build and push functional Docker E2E image
         if: steps.plan.outputs.needs_functional_image == '1' && steps.image_exists.outputs.functional_exists != '1'
-        shell: bash
-        env:
-          IMAGE_REF: ${{ steps.image.outputs.functional_image }}
-        run: |
-          set -euo pipefail
-          build_cmd=(
-            docker buildx build
-            --file ./scripts/e2e/Dockerfile
-            --target functional
-            --build-context openclaw_package=.artifacts/docker-e2e-package
-            --platform linux/amd64
-            --tag "$IMAGE_REF"
-            --sbom=true
-            --provenance=mode=max
-            --push
-            .
-          )
-          for attempt in 1 2 3 4; do
-            if "${build_cmd[@]}"; then
-              exit 0
-            fi
-            if [[ "$attempt" == "4" ]]; then
-              echo "::error::Failed to build Docker E2E functional image after ${attempt} attempts"
-              exit 1
-            fi
-            sleep_seconds=$((attempt * 20))
-            echo "Docker E2E functional image build failed; retrying in ${sleep_seconds}s (${attempt}/4)."
-            sleep "$sleep_seconds"
-          done
+        uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2
+        with:
+          context: .
+          file: ./scripts/e2e/Dockerfile
+          target: functional
+          build-contexts: |
+            openclaw_package=.artifacts/docker-e2e-package
+          platforms: linux/amd64
+          tags: ${{ steps.image.outputs.functional_image }}
+          sbom: true
+          provenance: mode=max
+          push: true
 
   prepare_live_test_image:
     needs: validate_selected_ref
@@ -1593,11 +1586,8 @@ jobs:
         run: |
           set -euo pipefail
           repository="${GITHUB_REPOSITORY,,}"
-          live_image_extensions="matrix,acpx"
-          live_image_tag_suffix="${live_image_extensions//,/-}"
-          live_image="ghcr.io/${repository}-live-test:${SELECTED_SHA}-${live_image_tag_suffix}"
+          live_image="ghcr.io/${repository}-live-test:${SELECTED_SHA}"
           echo "live_image=${live_image}" >> "$GITHUB_OUTPUT"
-          echo "live_image_extensions=${live_image_extensions}" >> "$GITHUB_OUTPUT"
           echo "Shared live-test image: \`${live_image}\`" >> "$GITHUB_STEP_SUMMARY"
 
       - name: Log in to GHCR
@@ -1620,7 +1610,7 @@ jobs:
 
       - name: Setup Docker builder
         if: steps.image_exists.outputs.exists != '1'
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 
@@ -1632,7 +1622,7 @@ jobs:
           file: ./Dockerfile
           target: build
           build-args: |
-            OPENCLAW_EXTENSIONS=${{ steps.image.outputs.live_image_extensions }}
+            OPENCLAW_EXTENSIONS=matrix
           platforms: linux/amd64
           tags: ${{ steps.image.outputs.live_image }}
           sbom: true
@@ -1641,14 +1631,42 @@ jobs:
 
   validate_live_models_docker:
     name: Docker live models (${{ matrix.provider_label }})
-    needs: [validate_selected_ref, prepare_live_test_image, plan_release_workflow_matrices]
-    if: inputs.include_live_suites && inputs.live_model_providers == '' && (inputs.live_suite_filter == '' || inputs.live_suite_filter == 'docker-live-models') && needs.plan_release_workflow_matrices.outputs.live_models_count != '0'
+    needs: [validate_selected_ref, prepare_live_test_image]
+    if: inputs.include_live_suites && inputs.live_model_providers == '' && (inputs.live_suite_filter == '' || inputs.live_suite_filter == 'docker-live-models')
     continue-on-error: ${{ inputs.advisory }}
     runs-on: ${{ inputs.use_github_hosted_runners && 'ubuntu-24.04' || 'blacksmith-32vcpu-ubuntu-2404' }}
     timeout-minutes: 45
     strategy:
       fail-fast: false
-      matrix: ${{ fromJson(needs.plan_release_workflow_matrices.outputs.live_models_matrix) }}
+      matrix:
+        include:
+          - provider_label: Anthropic
+            providers: anthropic
+            profiles: stable full
+          - provider_label: Google
+            providers: google
+            profiles: stable full
+          - provider_label: MiniMax
+            providers: minimax
+            profiles: stable full
+          - provider_label: OpenAI
+            providers: openai
+            profiles: beta minimum stable full
+          - provider_label: OpenCode
+            providers: opencode-go
+            profiles: full
+          - provider_label: OpenRouter
+            providers: openrouter
+            profiles: full
+          - provider_label: xAI
+            providers: xai
+            profiles: full
+          - provider_label: Z.ai
+            providers: zai
+            profiles: full
+          - provider_label: Fireworks
+            providers: fireworks
+            profiles: full
     env:
       OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
       OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
@@ -1726,8 +1744,6 @@ jobs:
       - name: Validate provider credential
         if: contains(matrix.profiles, inputs.release_test_profile)
         shell: bash
-        env:
-          LIVE_MODEL_PROVIDERS: ${{ matrix.providers }}
         run: |
           set -euo pipefail
 
@@ -1744,11 +1760,10 @@ jobs:
             exit 1
           }
 
-          case "${LIVE_MODEL_PROVIDERS}" in
+          case "${{ matrix.providers }}" in
             anthropic) require_any Anthropic ANTHROPIC_API_KEY ANTHROPIC_API_KEY_OLD ANTHROPIC_API_TOKEN ;;
             google) require_any Google GEMINI_API_KEY GOOGLE_API_KEY ;;
             minimax) require_any MiniMax MINIMAX_API_KEY ;;
-            moonshot) require_any Moonshot MOONSHOT_API_KEY KIMI_API_KEY ;;
             openai) require_any OpenAI OPENAI_API_KEY ;;
             opencode-go) require_any OpenCode OPENCODE_API_KEY OPENCODE_ZEN_API_KEY ;;
             openrouter) require_any OpenRouter OPENROUTER_API_KEY ;;
@@ -1756,7 +1771,7 @@ jobs:
             zai) require_any Z.ai ZAI_API_KEY Z_AI_API_KEY ;;
             fireworks) require_any Fireworks FIREWORKS_API_KEY ;;
             *)
-              echo "Unhandled live model provider shard: ${LIVE_MODEL_PROVIDERS}" >&2
+              echo "Unhandled live model provider shard: ${{ matrix.providers }}" >&2
               exit 1
               ;;
           esac
@@ -1837,11 +1852,12 @@ jobs:
         run: |
           set -euo pipefail
 
-          all_providers=(anthropic google minimax moonshot openai opencode-go openrouter xai zai fireworks)
+          all_providers=(anthropic google minimax openai opencode-go openrouter xai zai fireworks)
 
           normalize_provider() {
             local value="${1,,}"
             case "$value" in
+              z.ai|z-ai) echo "zai" ;;
               opencode|opencode-go) echo "opencode-go" ;;
               open-router|openrouter) echo "openrouter" ;;
               *) echo "$value" ;;
@@ -1923,7 +1939,6 @@ jobs:
               anthropic) require_any Anthropic ANTHROPIC_API_KEY ANTHROPIC_API_KEY_OLD ANTHROPIC_API_TOKEN ;;
               google) require_any Google GEMINI_API_KEY GOOGLE_API_KEY ;;
               minimax) require_any MiniMax MINIMAX_API_KEY ;;
-              moonshot) require_any Moonshot MOONSHOT_API_KEY KIMI_API_KEY ;;
               openai) require_any OpenAI OPENAI_API_KEY ;;
               opencode-go) require_any OpenCode OPENCODE_API_KEY OPENCODE_ZEN_API_KEY ;;
               openrouter) require_any OpenRouter OPENROUTER_API_KEY ;;
@@ -1958,7 +1973,7 @@ jobs:
             profiles: stable full
           - suite_id: native-live-src-gateway-core
             label: Native live gateway core
-            command: OPENCLAW_LIVE_CODEX_HARNESS=1 OPENCLAW_LIVE_CODEX_HARNESS_AUTH=api-key node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-core
+            command: node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-core
             timeout_minutes: 60
             profile_env_only: false
             profiles: beta minimum stable full
@@ -1972,7 +1987,7 @@ jobs:
           - suite_id: native-live-src-gateway-profiles-anthropic-opus
             suite_group: native-live-src-gateway-profiles-anthropic
             label: Native live gateway profiles Anthropic Opus
-            command: OPENCLAW_LIVE_GATEWAY_THINKING=low OPENCLAW_LIVE_GATEWAY_PROVIDERS=anthropic OPENCLAW_LIVE_GATEWAY_MODELS=anthropic/claude-opus-4-8 node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-profiles
+            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=anthropic OPENCLAW_LIVE_GATEWAY_MODELS=anthropic/claude-opus-4-7 node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-profiles
             timeout_minutes: 30
             profile_env_only: false
             advisory: true
@@ -1980,26 +1995,26 @@ jobs:
           - suite_id: native-live-src-gateway-profiles-anthropic-sonnet-haiku
             suite_group: native-live-src-gateway-profiles-anthropic
             label: Native live gateway profiles Anthropic Sonnet/Haiku
-            command: OPENCLAW_LIVE_GATEWAY_THINKING=low OPENCLAW_LIVE_GATEWAY_PROVIDERS=anthropic OPENCLAW_LIVE_GATEWAY_MODELS=anthropic/claude-sonnet-4-6,anthropic/claude-haiku-4-5 node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-profiles
+            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=anthropic OPENCLAW_LIVE_GATEWAY_MODELS=anthropic/claude-sonnet-4-6,anthropic/claude-haiku-4-5 node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-profiles
             timeout_minutes: 30
             profile_env_only: false
             advisory: true
             profiles: full
           - suite_id: native-live-src-gateway-profiles-google
             label: Native live gateway profiles Google
-            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=google OPENCLAW_LIVE_GATEWAY_MODELS=google/gemini-3.1-pro-preview node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-profiles
+            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=google OPENCLAW_LIVE_GATEWAY_MODELS=google/gemini-3.1-pro-preview,google/gemini-3-flash-preview node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-profiles
             timeout_minutes: 60
             profile_env_only: false
             profiles: stable full
           - suite_id: native-live-src-gateway-profiles-minimax
             label: Native live gateway profiles MiniMax
-            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=minimax,minimax-portal OPENCLAW_LIVE_GATEWAY_MODELS=minimax/MiniMax-M3,minimax-portal/MiniMax-M3 OPENCLAW_LIVE_GATEWAY_MAX_MODELS=2 node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-profiles
+            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=minimax,minimax-portal OPENCLAW_LIVE_GATEWAY_MAX_MODELS=2 node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-profiles
             timeout_minutes: 60
             profile_env_only: false
             profiles: stable full
           - suite_id: native-live-src-gateway-profiles-openai
             label: Native live gateway profiles OpenAI
-            command: OPENCLAW_LIVE_GATEWAY_THINKING=off OPENCLAW_LIVE_GATEWAY_PROVIDERS=openai OPENCLAW_LIVE_GATEWAY_MODELS=openai/gpt-5.5 OPENCLAW_LIVE_GATEWAY_STEP_TIMEOUT_MS=180000 OPENCLAW_LIVE_GATEWAY_MODEL_TIMEOUT_MS=600000 node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-profiles
+            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=openai OPENCLAW_LIVE_GATEWAY_MODELS=openai/gpt-5.5 node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-profiles
             timeout_minutes: 60
             profile_env_only: false
             profiles: beta minimum stable full
@@ -2078,7 +2093,7 @@ jobs:
             profiles: full
           - suite_id: native-live-src-gateway-backends
             label: Native live gateway backends
-            command: OPENCLAW_LIVE_CODEX_HARNESS=1 OPENCLAW_LIVE_CODEX_HARNESS_AUTH=api-key node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-backends
+            command: node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-backends
             timeout_minutes: 60
             profile_env_only: false
             profiles: stable full
@@ -2274,25 +2289,25 @@ jobs:
         include:
           - suite_id: live-gateway-docker
             label: Docker live gateway OpenAI
-            command: OPENCLAW_LIVE_GATEWAY_THINKING=off OPENCLAW_LIVE_GATEWAY_PROVIDERS=openai OPENCLAW_LIVE_GATEWAY_MODELS=openai/gpt-5.5 OPENCLAW_LIVE_GATEWAY_MAX_MODELS=1 OPENCLAW_LIVE_GATEWAY_STEP_TIMEOUT_MS=90000 OPENCLAW_LIVE_GATEWAY_MODEL_TIMEOUT_MS=600000 OPENCLAW_LIVE_DOCKER_REPO_ROOT="$GITHUB_WORKSPACE" timeout --foreground --kill-after=30s 35m bash .release-harness/scripts/test-live-gateway-models-docker.sh
+            command: OPENCLAW_LIVE_GATEWAY_THINKING=low OPENCLAW_LIVE_GATEWAY_PROVIDERS=openai OPENCLAW_LIVE_GATEWAY_MODELS=openai/gpt-5.5 OPENCLAW_LIVE_GATEWAY_MAX_MODELS=1 OPENCLAW_LIVE_GATEWAY_STEP_TIMEOUT_MS=90000 OPENCLAW_LIVE_GATEWAY_MODEL_TIMEOUT_MS=600000 OPENCLAW_LIVE_DOCKER_REPO_ROOT="$GITHUB_WORKSPACE" timeout --foreground --kill-after=30s 35m bash .release-harness/scripts/test-live-gateway-models-docker.sh
             timeout_minutes: 40
             profile_env_only: false
             profiles: beta minimum stable full
           - suite_id: live-gateway-anthropic-docker
             label: Docker live gateway Anthropic
-            command: OPENCLAW_LIVE_GATEWAY_THINKING=low OPENCLAW_LIVE_GATEWAY_PROVIDERS=anthropic OPENCLAW_LIVE_GATEWAY_MODELS=anthropic/claude-sonnet-4-6,anthropic/claude-haiku-4-5 OPENCLAW_LIVE_GATEWAY_MAX_MODELS=2 OPENCLAW_LIVE_GATEWAY_STEP_TIMEOUT_MS=90000 OPENCLAW_LIVE_GATEWAY_MODEL_TIMEOUT_MS=600000 OPENCLAW_LIVE_DOCKER_REPO_ROOT="$GITHUB_WORKSPACE" timeout --foreground --kill-after=30s 35m bash .release-harness/scripts/test-live-gateway-models-docker.sh
+            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=anthropic OPENCLAW_LIVE_GATEWAY_MAX_MODELS=2 OPENCLAW_LIVE_GATEWAY_STEP_TIMEOUT_MS=90000 OPENCLAW_LIVE_GATEWAY_MODEL_TIMEOUT_MS=180000 OPENCLAW_LIVE_DOCKER_REPO_ROOT="$GITHUB_WORKSPACE" timeout --foreground --kill-after=30s 35m bash .release-harness/scripts/test-live-gateway-models-docker.sh
             timeout_minutes: 40
             profile_env_only: false
             profiles: stable full
           - suite_id: live-gateway-google-docker
             label: Docker live gateway Google
-            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=google OPENCLAW_LIVE_GATEWAY_MODELS=google/gemini-3.1-pro-preview OPENCLAW_LIVE_GATEWAY_MAX_MODELS=1 OPENCLAW_LIVE_GATEWAY_STEP_TIMEOUT_MS=90000 OPENCLAW_LIVE_GATEWAY_MODEL_TIMEOUT_MS=180000 OPENCLAW_LIVE_DOCKER_REPO_ROOT="$GITHUB_WORKSPACE" timeout --foreground --kill-after=30s 35m bash .release-harness/scripts/test-live-gateway-models-docker.sh
+            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=google OPENCLAW_LIVE_GATEWAY_MODELS=google/gemini-3.1-pro-preview,google/gemini-3-flash-preview OPENCLAW_LIVE_GATEWAY_MAX_MODELS=2 OPENCLAW_LIVE_GATEWAY_STEP_TIMEOUT_MS=90000 OPENCLAW_LIVE_GATEWAY_MODEL_TIMEOUT_MS=180000 OPENCLAW_LIVE_DOCKER_REPO_ROOT="$GITHUB_WORKSPACE" timeout --foreground --kill-after=30s 35m bash .release-harness/scripts/test-live-gateway-models-docker.sh
             timeout_minutes: 40
             profile_env_only: false
             profiles: stable full
           - suite_id: live-gateway-minimax-docker
             label: Docker live gateway MiniMax
-            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=minimax,minimax-portal OPENCLAW_LIVE_GATEWAY_MODELS=minimax/MiniMax-M3,minimax-portal/MiniMax-M3 OPENCLAW_LIVE_GATEWAY_MAX_MODELS=1 OPENCLAW_LIVE_GATEWAY_STEP_TIMEOUT_MS=90000 OPENCLAW_LIVE_GATEWAY_MODEL_TIMEOUT_MS=180000 OPENCLAW_LIVE_DOCKER_REPO_ROOT="$GITHUB_WORKSPACE" timeout --foreground --kill-after=30s 35m bash .release-harness/scripts/test-live-gateway-models-docker.sh
+            command: OPENCLAW_LIVE_GATEWAY_PROVIDERS=minimax,minimax-portal OPENCLAW_LIVE_GATEWAY_MAX_MODELS=1 OPENCLAW_LIVE_GATEWAY_STEP_TIMEOUT_MS=90000 OPENCLAW_LIVE_GATEWAY_MODEL_TIMEOUT_MS=180000 OPENCLAW_LIVE_DOCKER_REPO_ROOT="$GITHUB_WORKSPACE" timeout --foreground --kill-after=30s 35m bash .release-harness/scripts/test-live-gateway-models-docker.sh
             timeout_minutes: 40
             profile_env_only: false
             profiles: stable full

.github/workflows/openclaw-npm-release.yml

@@ -47,12 +47,11 @@ jobs:
   # KEEP THIS WORKFLOW SHORT AND DETERMINISTIC OR IT CAN GET STUCK AND JEOPARDIZE THE RELEASE.
   # RELEASE-TIME LIVE OR END-TO-END VALIDATION BELONGS IN openclaw-release-checks.yml.
   # SECURITY NOTE: TOKEN-BASED npm dist-tag mutation moved to
-  # openclaw/releases/.github/workflows/openclaw-npm-dist-tags.yml
-  # so this source workflow can stay focused on OIDC publish only.
+  # openclaw/releases-private/.github/workflows/openclaw-npm-dist-tags.yml
+  # so this public workflow can stay focused on OIDC publish only.
   preflight_openclaw_npm:
     if: ${{ inputs.preflight_only }}
-    # Preflight builds the full release package before publish; ubuntu-latest can OOM in tsdown.
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: ubuntu-latest
     permissions:
       contents: read
     steps:
@@ -257,8 +256,7 @@ jobs:
             return -1;
           }
 
-          for (const match of input.matchAll(/\[/g)) {
-            const start = match.index;
+          for (let start = input.indexOf("["); start !== -1; start = input.indexOf("[", start + 1)) {
             const end = arrayEndFrom(start);
             if (end === -1) {
               continue;
@@ -374,11 +372,6 @@ jobs:
       actions: read
       contents: read
     steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-
       - name: Require trusted workflow ref for publish
         env:
           RELEASE_TAG: ${{ inputs.tag }}
@@ -391,7 +384,7 @@ jobs:
             tideclaw_alpha_publish=true
           fi
           if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]] && [[ ! "${WORKFLOW_REF}" =~ ^refs/heads/release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]] && [[ "${tideclaw_alpha_publish}" != "true" ]]; then
-            echo "Real publish runs must be dispatched from main, release/YYYY.M.PATCH, or a Tideclaw alpha branch for alpha prereleases. Use preflight_only=true for other branch validation."
+            echo "Real publish runs must be dispatched from main, release/YYYY.M.D, or a Tideclaw alpha branch for alpha prereleases. Use preflight_only=true for other branch validation."
             exit 1
           fi
 
@@ -436,13 +429,12 @@ jobs:
             echo "Direct OpenClaw npm publish; relying on this workflow's npm-release environment approval."
             exit 0
           fi
-          direct_recovery=false
           if [[ "${GITHUB_ACTOR}" != "github-actions[bot]" ]]; then
-            direct_recovery=true
-            echo "Direct OpenClaw npm recovery with release_publish_run_id; relying on this workflow's npm-release environment approval."
+            echo "OpenClaw npm publish must be dispatched by the OpenClaw Release Publish workflow, not directly by ${GITHUB_ACTOR}." >&2
+            exit 1
           fi
           RUN_JSON="$(gh run view "$RELEASE_PUBLISH_RUN_ID" --repo "$GITHUB_REPOSITORY" --json workflowName,headBranch,event,status,conclusion,url)"
-          printf '%s' "$RUN_JSON" | DIRECT_RELEASE_RECOVERY="${direct_recovery}" node scripts/validate-release-publish-approval.mjs
+          printf '%s' "$RUN_JSON" | node -e 'const fs = require("node:fs"); const run = JSON.parse(fs.readFileSync(0, "utf8")); const checks = [["workflowName", "OpenClaw Release Publish"], ["headBranch", process.env.EXPECTED_WORKFLOW_BRANCH], ["event", "workflow_dispatch"]]; for (const [key, expected] of checks) { if (run[key] !== expected) { console.error(`Referenced release publish run ${process.env.RELEASE_PUBLISH_RUN_ID} must have ${key}=${expected}, got ${run[key] ?? "<missing>"}.`); process.exit(1); } } if (run.status !== "in_progress") { console.error(`Referenced release publish run ${process.env.RELEASE_PUBLISH_RUN_ID} must still be in_progress, got ${run.status ?? "<missing>"}.`); process.exit(1); } if (run.conclusion) { console.error(`Referenced release publish run ${process.env.RELEASE_PUBLISH_RUN_ID} already concluded ${run.conclusion}.`); process.exit(1); } console.log(`Using release publish approval run ${process.env.RELEASE_PUBLISH_RUN_ID}: ${run.url}`);'
 
   publish_openclaw_npm:
     # KEEP THE REAL RELEASE/PUBLISH PATH ON A GITHUB-HOSTED RUNNER.

.github/workflows/openclaw-performance.yml

@@ -244,8 +244,8 @@ jobs:
         run: |
           set -euo pipefail
           if [[ -z "${OPENAI_API_KEY:-}" ]]; then
-            echo "OPENAI_API_KEY is not configured; live GPT 5.5 lane cannot run without live evidence." >> "$GITHUB_STEP_SUMMARY"
-            exit 1
+            echo "OPENAI_API_KEY is not configured; live GPT 5.5 lane will be skipped." >> "$GITHUB_STEP_SUMMARY"
+            exit 0
           fi
           kova setup --ci --json
           kova setup --non-interactive --auth env-only --provider openai --env-var OPENAI_API_KEY --json
@@ -262,6 +262,11 @@ jobs:
           set -euo pipefail
           mkdir -p "$REPORT_DIR" "$BUNDLE_DIR" "$SUMMARY_DIR"
 
+          if [[ "$MATRIX_LIVE" == "true" && -z "${OPENAI_API_KEY:-}" ]]; then
+            echo "skipped=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
           repeat="$REQUESTED_REPEAT"
           if [[ "$MATRIX_REPEAT" != "input" ]]; then
             repeat="$MATRIX_REPEAT"
@@ -304,7 +309,24 @@ jobs:
           report_md="${report_json%.json}.md"
           effective_status="$status"
           if [[ "$FAIL_ON_REGRESSION" == "true" && "$status" != "0" ]]; then
-            if node "$PERFORMANCE_HELPER_DIR/scripts/lib/kova-report-gate.mjs" "$report_json"
+            if REPORT_JSON="$report_json" node <<'NODE'
+          const fs = require("node:fs");
+          const report = JSON.parse(fs.readFileSync(process.env.REPORT_JSON, "utf8"));
+          const statuses = report.summary?.statuses ?? {};
+          const nonPassStatuses = Object.entries(statuses)
+            .filter(([status, count]) => status !== "PASS" && Number(count) > 0);
+          const baselineRegressionCount =
+            Number(report.baseline?.comparison?.regressionCount ?? report.gate?.baseline?.regressionCount ?? 0);
+          const gate = report.gate;
+          const toleratedPartial =
+            gate?.verdict === "PARTIAL" &&
+            Number(gate.blockingCount ?? 0) === 0 &&
+            baselineRegressionCount === 0 &&
+            nonPassStatuses.length === 0;
+          if (!toleratedPartial) {
+            process.exit(1);
+          }
+          NODE
             then
               effective_status=0
               {
@@ -355,28 +377,6 @@ jobs:
             exit "$effective_status"
           fi
 
-      - name: Validate Kova evidence
-        if: ${{ always() && steps.lane.outputs.run == 'true' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          missing=0
-          if ! find "$REPORT_DIR" -maxdepth 1 -type f -name '*.json' -size +0c -print -quit | grep -q .; then
-            echo "::error::Kova JSON report is missing for ${LANE_ID}."
-            missing=1
-          fi
-          if [[ ! -s "$BUNDLE_DIR/bundle.json" ]]; then
-            echo "::error::Kova bundle evidence is missing for ${LANE_ID}."
-            missing=1
-          fi
-          if [[ ! -s "$SUMMARY_DIR/${LANE_ID}.md" ]]; then
-            echo "::error::Kova summary evidence is missing for ${LANE_ID}."
-            missing=1
-          fi
-          if [[ "$missing" != "0" ]]; then
-            exit 1
-          fi
-
       - name: Fetch previous source performance baseline
         if: ${{ steps.lane.outputs.run == 'true' && matrix.lane == 'mock-provider' && steps.clawgrit.outputs.present == 'true' }}
         env:
@@ -527,13 +527,6 @@ jobs:
           cleanup_gateway
           trap - EXIT
 
-          if node -e "const fs=require('node:fs'); const scripts=require('./package.json').scripts||{}; process.exit(scripts['test:sqlite:perf:smoke'] && fs.existsSync('scripts/bench-sqlite-state.ts') ? 0 : 1)"; then
-            pnpm test:sqlite:perf:smoke
-            cp .artifacts/sqlite-perf/smoke.json "$SOURCE_PERF_DIR/sqlite-perf-smoke.json"
-          else
-            echo "SQLite state smoke probe is not available in ${TESTED_REF}; continuing with the remaining source probes." >> "$GITHUB_STEP_SUMMARY"
-          fi
-
           summary_args=(node "$PERFORMANCE_HELPER_DIR/scripts/openclaw-performance-source-summary.mjs" \
             --source-dir "$SOURCE_PERF_DIR" \
             --output "$SOURCE_PERF_DIR/index.md")
@@ -554,35 +547,29 @@ jobs:
             .artifacts/kova/bundles/${{ matrix.lane }}
             .artifacts/kova/summaries/${{ matrix.lane }}.md
             .artifacts/openclaw-performance/source/${{ matrix.lane }}
-          if-no-files-found: error
+          if-no-files-found: ignore
           retention-days: ${{ matrix.deep_profile == 'true' && 14 || 30 }}
 
       - name: Prepare clawgrit reports checkout
-        id: clawgrit_reports
         if: ${{ steps.kova.outputs.report_json != '' && steps.clawgrit.outputs.present == 'true' }}
         env:
           CLAWGRIT_REPORTS_TOKEN: ${{ secrets.CLAWGRIT_REPORTS_TOKEN }}
         shell: bash
         run: |
           set -euo pipefail
-          echo "ready=false" >> "$GITHUB_OUTPUT"
           reports_root=".artifacts/clawgrit-reports"
           mkdir -p "$reports_root"
           git -C "$reports_root" init -b main
           git -C "$reports_root" remote add origin "https://x-access-token:${CLAWGRIT_REPORTS_TOKEN}@github.com/openclaw/clawgrit-reports.git"
-          if timeout 60s git -C "$reports_root" ls-remote --exit-code --heads origin main >/dev/null 2>&1; then
-            if ! timeout 120s git -C "$reports_root" fetch --depth=1 origin main; then
-              echo "::warning::Skipping optional clawgrit report publish because the reports checkout fetch timed out or failed."
-              exit 0
-            fi
+          if git -C "$reports_root" ls-remote --exit-code --heads origin main >/dev/null 2>&1; then
+            git -C "$reports_root" fetch --depth=1 origin main
             git -C "$reports_root" checkout -B main FETCH_HEAD
           else
             git -C "$reports_root" checkout -B main
           fi
-          echo "ready=true" >> "$GITHUB_OUTPUT"
 
       - name: Publish to clawgrit reports
-        if: ${{ steps.kova.outputs.report_json != '' && steps.clawgrit.outputs.present == 'true' && steps.clawgrit_reports.outputs.ready == 'true' }}
+        if: ${{ steps.kova.outputs.report_json != '' && steps.clawgrit.outputs.present == 'true' }}
         env:
           CLAWGRIT_REPORTS_TOKEN: ${{ secrets.CLAWGRIT_REPORTS_TOKEN }}
         shell: bash
@@ -611,7 +598,7 @@ jobs:
 
           ## Source probes
 
-          Additional gateway boot, memory, plugin pressure, mock hello-loop, CLI startup, and SQLite state smoke numbers are in [source/index.md](source/index.md).
+          Additional gateway boot, memory, plugin pressure, mock hello-loop, and CLI startup numbers are in [source/index.md](source/index.md).
           EOF
             fi
           fi
@@ -655,9 +642,6 @@ jobs:
               exit 0
             fi
             sleep $((attempt * 2))
-            timeout 120s git -C "$reports_root" fetch --depth=1 origin main || {
-              echo "::warning::Skipping optional clawgrit report rebase because the reports fetch timed out or failed."
-              exit 0
-            }
+            git -C "$reports_root" fetch --depth=1 origin main
             git -C "$reports_root" rebase FETCH_HEAD
           done

.github/workflows/openclaw-release-checks.yml

@@ -132,7 +132,7 @@ jobs:
             fi
           fi
           if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]] && [[ ! "${WORKFLOW_REF}" =~ ^refs/heads/release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]] && [[ ! "${WORKFLOW_REF}" =~ ^refs/heads/release-ci/[0-9a-f]{12}-[0-9]+$ ]] && [[ "${tideclaw_alpha_check}" != "true" ]]; then
-            echo "Release checks must be dispatched from main, release/YYYY.M.PATCH, a Full Release Validation release-ci/<sha>-<timestamp> ref, or a Tideclaw alpha branch for alpha prereleases." >&2
+            echo "Release checks must be dispatched from main, release/YYYY.M.D, a Full Release Validation release-ci/<sha>-<timestamp> ref, or a Tideclaw alpha branch for alpha prereleases." >&2
             exit 1
           fi
 
@@ -346,7 +346,6 @@ jobs:
             discord_selected=false
             whatsapp_selected=false
             slack_selected=false
-            disabled_required_lanes=()
 
             IFS=', ' read -r -a filter_tokens <<< "$filter"
             for token in "${filter_tokens[@]}"; do
@@ -362,9 +361,6 @@ jobs:
                   discord_selected="$qa_live_discord_ci_enabled"
                   whatsapp_selected="$qa_live_whatsapp_ci_enabled"
                   slack_selected="$qa_live_slack_ci_enabled"
-                  [[ "$qa_live_discord_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-discord")
-                  [[ "$qa_live_whatsapp_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-whatsapp")
-                  [[ "$qa_live_slack_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-slack")
                   ;;
                 qa-live-non-slack|qa-non-slack|non-slack|no-slack|without-slack)
                   qa_filter_seen=true
@@ -372,8 +368,6 @@ jobs:
                   telegram_selected=true
                   discord_selected="$qa_live_discord_ci_enabled"
                   whatsapp_selected="$qa_live_whatsapp_ci_enabled"
-                  [[ "$qa_live_discord_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-discord")
-                  [[ "$qa_live_whatsapp_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-whatsapp")
                   ;;
                 qa-live-matrix|qa-matrix|matrix)
                   qa_filter_seen=true
@@ -386,27 +380,18 @@ jobs:
                 qa-live-discord|qa-discord|discord)
                   qa_filter_seen=true
                   discord_selected="$qa_live_discord_ci_enabled"
-                  [[ "$qa_live_discord_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-discord")
                   ;;
                 qa-live-whatsapp|qa-whatsapp|whatsapp)
                   qa_filter_seen=true
                   whatsapp_selected="$qa_live_whatsapp_ci_enabled"
-                  [[ "$qa_live_whatsapp_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-whatsapp")
                   ;;
                 qa-live-slack|qa-slack|slack)
                   qa_filter_seen=true
                   slack_selected="$qa_live_slack_ci_enabled"
-                  [[ "$qa_live_slack_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-slack")
                   ;;
               esac
             done
 
-            if [[ "${#disabled_required_lanes[@]}" -gt 0 ]]; then
-              echo "live_suite_filter explicitly requested disabled QA live lane(s): ${disabled_required_lanes[*]}" >&2
-              echo "Enable the matching OPENCLAW_RELEASE_QA_*_LIVE_CI_ENABLED repo variable or remove the lane from live_suite_filter." >&2
-              exit 1
-            fi
-
             if [[ "$qa_filter_seen" == "true" ]]; then
               qa_live_matrix_enabled="$matrix_selected"
               qa_live_telegram_enabled="$telegram_selected"
@@ -813,10 +798,9 @@ jobs:
       - name: Build private QA runtime
         env:
           NODE_OPTIONS: --max-old-space-size=8192
-        run: node scripts/build-all.mjs qaRuntime
+        run: pnpm build
 
       - name: Run parity lane
-        id: run_lane
         env:
           QA_PARITY_LANE: ${{ matrix.lane }}
           QA_PARITY_OUTPUT_DIR: ${{ matrix.output_dir }}
@@ -829,7 +813,7 @@ jobs:
               alt_model="openai/gpt-5.5-alt"
               ;;
             baseline)
-              model="anthropic/claude-opus-4-8"
+              model="anthropic/claude-opus-4-7"
               alt_model="anthropic/claude-sonnet-4-6"
               ;;
             *)
@@ -847,7 +831,6 @@ jobs:
             --output-dir ".artifacts/qa-e2e/${QA_PARITY_OUTPUT_DIR}"
 
       - name: Upload parity lane artifacts
-        id: upload_parity_lane_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -856,52 +839,6 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_lab_parity_lane_release_checks
-          RELEASE_CHECK_VARIANT: ${{ matrix.lane }}
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.run_lane.outcome }} ${{ steps.upload_parity_lane_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}-${RELEASE_CHECK_VARIANT}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'variant=%s\n' "$RELEASE_CHECK_VARIANT"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-parity-${{ matrix.lane }}-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_lab_parity_lane_release_checks-${{ matrix.lane }}.env
-          retention-days: 14
-          if-no-files-found: error
-
   qa_lab_parity_report_release_checks:
     name: Run QA Lab parity report
     needs: [resolve_target, qa_lab_parity_lane_release_checks]
@@ -939,21 +876,19 @@ jobs:
       - name: Build private QA runtime
         env:
           NODE_OPTIONS: --max-old-space-size=8192
-        run: node scripts/build-all.mjs qaRuntime
+        run: pnpm build
 
       - name: Generate parity report
-        id: generate_report
         run: |
           pnpm openclaw qa parity-report \
             --repo-root . \
             --candidate-summary .artifacts/qa-e2e/openai-candidate/qa-suite-summary.json \
             --baseline-summary .artifacts/qa-e2e/anthropic-baseline/qa-suite-summary.json \
             --candidate-label "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --baseline-label anthropic/claude-opus-4-8 \
+            --baseline-label anthropic/claude-opus-4-7 \
             --output-dir .artifacts/qa-e2e/parity
 
       - name: Upload parity artifacts
-        id: upload_parity_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -962,57 +897,13 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_lab_parity_report_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.generate_report.outcome }} ${{ steps.upload_parity_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-parity-report-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_lab_parity_report_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   qa_lab_runtime_parity_release_checks:
     name: Run QA Lab runtime parity lane
     needs: [resolve_target]
     if: contains(fromJSON('["all","qa","qa-parity"]'), needs.resolve_target.outputs.rerun_group)
     continue-on-error: true
     runs-on: blacksmith-8vcpu-ubuntu-2404
-    timeout-minutes: 45
+    timeout-minutes: 30
     permissions:
       contents: read
     env:
@@ -1043,7 +934,7 @@ jobs:
       - name: Build private QA runtime
         env:
           NODE_OPTIONS: --max-old-space-size=8192
-        run: node scripts/build-all.mjs qaRuntime
+        run: pnpm build
 
       - name: Run runtime parity lane
         id: runtime_parity_lane
@@ -1055,11 +946,10 @@ jobs:
             --concurrency "${QA_PARITY_CONCURRENCY}" \
             --model "${OPENCLAW_CI_OPENAI_MODEL}" \
             --alt-model "openai/gpt-5.5-alt" \
-            --runtime-pair openclaw,codex \
+            --runtime-pair pi,codex \
             --output-dir ".artifacts/qa-e2e/runtime-parity"
 
       - name: Run standard runtime parity tier
-        id: runtime_parity_standard_lane
         if: ${{ always() && steps.runtime_parity_lane.outcome != 'skipped' && steps.runtime_parity_lane.outcome != 'cancelled' }}
         run: |
           set -euo pipefail
@@ -1069,7 +959,7 @@ jobs:
             --concurrency "${QA_PARITY_CONCURRENCY}" \
             --model "${OPENCLAW_CI_OPENAI_MODEL}" \
             --alt-model "openai/gpt-5.5-alt" \
-            --runtime-pair openclaw,codex \
+            --runtime-pair pi,codex \
             --output-dir ".artifacts/qa-e2e/runtime-parity-standard"
 
       - name: Run soak runtime parity tier
@@ -1083,11 +973,10 @@ jobs:
             --concurrency "${QA_PARITY_CONCURRENCY}" \
             --model "${OPENCLAW_CI_OPENAI_MODEL}" \
             --alt-model "openai/gpt-5.5-alt" \
-            --runtime-pair openclaw,codex \
+            --runtime-pair pi,codex \
             --output-dir ".artifacts/qa-e2e/runtime-parity-soak"
 
       - name: Generate runtime parity report
-        id: generate_runtime_parity_report
         if: always()
         run: |
           set -euo pipefail
@@ -1098,7 +987,6 @@ jobs:
             --output-dir .artifacts/qa-e2e/runtime-parity-report
 
       - name: Generate standard runtime parity report
-        id: generate_runtime_parity_standard_report
         if: always()
         run: |
           set -euo pipefail
@@ -1109,7 +997,6 @@ jobs:
             --output-dir .artifacts/qa-e2e/runtime-parity-standard-report
 
       - name: Generate soak runtime parity report
-        id: generate_runtime_parity_soak_report
         if: ${{ always() && needs.resolve_target.outputs.run_release_soak == 'true' && steps.runtime_parity_soak_lane.outcome != 'skipped' && steps.runtime_parity_soak_lane.outcome != 'cancelled' }}
         run: |
           set -euo pipefail
@@ -1125,7 +1012,6 @@ jobs:
             --output-dir .artifacts/qa-e2e/runtime-parity-soak-report
 
       - name: Upload runtime parity artifacts
-        id: upload_runtime_parity_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -1134,50 +1020,6 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_lab_runtime_parity_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.runtime_parity_lane.outcome }} ${{ steps.runtime_parity_standard_lane.outcome }} ${{ steps.runtime_parity_soak_lane.outcome }} ${{ steps.generate_runtime_parity_report.outcome }} ${{ steps.generate_runtime_parity_standard_report.outcome }} ${{ steps.generate_runtime_parity_soak_report.outcome }} ${{ steps.upload_runtime_parity_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-runtime-parity-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_lab_runtime_parity_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   runtime_tool_coverage_release_checks:
     name: Enforce QA Lab runtime tool coverage
     needs: [resolve_target, qa_lab_runtime_parity_release_checks]
@@ -1233,7 +1075,7 @@ jobs:
     needs: [resolve_target]
     if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.qa_live_matrix_enabled == 'true'
     continue-on-error: true
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: ubuntu-24.04
     timeout-minutes: 60
     permissions:
       contents: read
@@ -1259,7 +1101,7 @@ jobs:
       - name: Build private QA runtime
         env:
           NODE_OPTIONS: --max-old-space-size=8192
-        run: node scripts/build-all.mjs qaRuntime
+        run: pnpm build
 
       - name: Run Matrix live lane
         id: run_lane
@@ -1299,7 +1141,6 @@ jobs:
           done
 
       - name: Upload Matrix QA artifacts
-        id: upload_matrix_qa_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -1308,50 +1149,6 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_live_matrix_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.run_lane.outcome }} ${{ steps.upload_matrix_qa_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-live-matrix-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_live_matrix_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   qa_live_telegram_release_checks:
     name: Run QA Lab live Telegram lane
     needs: [resolve_target]
@@ -1402,7 +1199,7 @@ jobs:
       - name: Build private QA runtime
         env:
           NODE_OPTIONS: --max-old-space-size=8192
-        run: node scripts/build-all.mjs qaRuntime
+        run: pnpm build
 
       - name: Run Telegram live lane
         id: run_lane
@@ -1410,7 +1207,6 @@ jobs:
         env:
           OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
           OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-          OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
           OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
           OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
         run: |
@@ -1440,7 +1236,6 @@ jobs:
           done
 
       - name: Upload Telegram QA artifacts
-        id: upload_telegram_qa_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -1449,54 +1244,10 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_live_telegram_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.run_lane.outcome }} ${{ steps.upload_telegram_qa_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-live-telegram-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_live_telegram_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   qa_live_discord_release_checks:
     name: Run QA Lab live Discord lane
     needs: [resolve_target]
-    if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.qa_live_discord_enabled == 'true'
+    if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.qa_live_discord_enabled == 'true' && vars.OPENCLAW_RELEASE_QA_DISCORD_LIVE_CI_ENABLED == 'true'
     continue-on-error: true
     runs-on: ubuntu-24.04
     timeout-minutes: 60
@@ -1543,7 +1294,7 @@ jobs:
       - name: Build private QA runtime
         env:
           NODE_OPTIONS: --max-old-space-size=8192
-        run: node scripts/build-all.mjs qaRuntime
+        run: pnpm build
 
       - name: Run Discord live lane
         id: run_lane
@@ -1580,7 +1331,6 @@ jobs:
           done
 
       - name: Upload Discord QA artifacts
-        id: upload_discord_qa_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -1589,54 +1339,10 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_live_discord_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.run_lane.outcome }} ${{ steps.upload_discord_qa_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-live-discord-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_live_discord_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   qa_live_whatsapp_release_checks:
     name: Run QA Lab live WhatsApp lane
     needs: [resolve_target]
-    if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.qa_live_whatsapp_enabled == 'true'
+    if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.qa_live_whatsapp_enabled == 'true' && vars.OPENCLAW_RELEASE_QA_WHATSAPP_LIVE_CI_ENABLED == 'true'
     continue-on-error: true
     runs-on: ubuntu-24.04
     timeout-minutes: 60
@@ -1686,7 +1392,7 @@ jobs:
       - name: Build private QA runtime
         env:
           NODE_OPTIONS: --max-old-space-size=8192
-        run: node scripts/build-all.mjs qaRuntime
+        run: pnpm build
 
       - name: Run WhatsApp live lane
         id: run_lane
@@ -1723,7 +1429,6 @@ jobs:
           done
 
       - name: Upload WhatsApp QA artifacts
-        id: upload_whatsapp_qa_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -1732,54 +1437,10 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_live_whatsapp_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.run_lane.outcome }} ${{ steps.upload_whatsapp_qa_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-live-whatsapp-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_live_whatsapp_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   qa_live_slack_release_checks:
     name: Run QA Lab live Slack lane
     needs: [resolve_target]
-    if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.qa_live_slack_enabled == 'true'
+    if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.qa_live_slack_enabled == 'true' && vars.OPENCLAW_RELEASE_QA_SLACK_LIVE_CI_ENABLED == 'true'
     continue-on-error: true
     runs-on: ubuntu-24.04
     timeout-minutes: 60
@@ -1826,7 +1487,7 @@ jobs:
       - name: Build private QA runtime
         env:
           NODE_OPTIONS: --max-old-space-size=8192
-        run: node scripts/build-all.mjs qaRuntime
+        run: pnpm build
 
       - name: Run Slack live lane
         id: run_lane
@@ -1863,7 +1524,6 @@ jobs:
           done
 
       - name: Upload Slack QA artifacts
-        id: upload_slack_qa_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -1872,50 +1532,6 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_live_slack_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.run_lane.outcome }} ${{ steps.upload_slack_qa_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-live-slack-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_live_slack_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   summary:
     name: Verify release checks
     needs:
@@ -1936,19 +1552,9 @@ jobs:
       - qa_live_slack_release_checks
     if: always()
     runs-on: ubuntu-24.04
-    permissions:
-      actions: read
+    permissions: {}
     timeout-minutes: 5
     steps:
-      - name: Download advisory status artifacts
-        if: always()
-        continue-on-error: true
-        uses: actions/download-artifact@v8
-        with:
-          pattern: release-check-status-*
-          path: .artifacts/release-check-status
-          merge-multiple: true
-
       - name: Verify release check results
         shell: bash
         env:
@@ -1960,49 +1566,6 @@ jobs:
           if [[ "${WORKFLOW_REF}" =~ ^refs/heads/tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
             tideclaw_alpha=true
           fi
-          release_check_result() {
-            local name="$1"
-            local fallback="$2"
-            local status_dir=".artifacts/release-check-status"
-            local saw=0
-            local saw_failure=0
-            local saw_cancelled=0
-            if [[ -d "$status_dir" ]]; then
-              while IFS= read -r -d '' file; do
-                saw=1
-                status="$(sed -n 's/^status=//p' "$file" | tail -n 1)"
-                case "$status" in
-                  success|skipped) ;;
-                  cancelled) saw_cancelled=1 ;;
-                  failure|"") saw_failure=1 ;;
-                  *) saw_failure=1 ;;
-                esac
-              done < <(find "$status_dir" -type f -name "${name}*.env" -print0)
-            fi
-            if [[ "$saw_failure" == "1" ]]; then
-              printf 'failure\n'
-            elif [[ "$saw_cancelled" == "1" ]]; then
-              printf 'cancelled\n'
-            elif [[ "$fallback" != "success" && "$fallback" != "skipped" ]]; then
-              printf '%s\n' "$fallback"
-            elif [[ "$saw" == "1" ]]; then
-              printf 'success\n'
-            elif [[ "$fallback" == "success" ]]; then
-              printf 'failure\n'
-            else
-              printf '%s\n' "$fallback"
-            fi
-          }
-          advisory_status_override_allowed() {
-            case "$1" in
-              qa_lab_parity_lane_release_checks|qa_lab_parity_report_release_checks|qa_lab_runtime_parity_release_checks|qa_live_matrix_release_checks|qa_live_telegram_release_checks|qa_live_discord_release_checks|qa_live_whatsapp_release_checks|qa_live_slack_release_checks)
-                return 0
-                ;;
-              *)
-                return 1
-                ;;
-            esac
-          }
           for item in \
             "prepare_release_package=${{ needs.prepare_release_package.result }}" \
             "install_smoke_release_checks=${{ needs.install_smoke_release_checks.result }}" \
@@ -2021,12 +1584,7 @@ jobs:
             "qa_live_slack_release_checks=${{ needs.qa_live_slack_release_checks.result }}"
           do
             name="${item%%=*}"
-            raw_result="${item#*=}"
-            if advisory_status_override_allowed "$name"; then
-              result="$(release_check_result "$name" "$raw_result")"
-            else
-              result="$raw_result"
-            fi
+            result="${item#*=}"
             if [[ "$result" != "success" && "$result" != "skipped" ]]; then
               if [[ "$tideclaw_alpha" == "true" ]]; then
                 case "$name" in
@@ -2037,6 +1595,10 @@ jobs:
                     ;;
                 esac
               fi
+              if [[ "$name" == qa_* ]]; then
+                echo "::warning::${name} ended with ${result}; QA release-check lanes are advisory and do not block release validation."
+                continue
+              fi
               echo "::error::${name} ended with ${result}"
               failed=1
             fi

.github/workflows/openclaw-release-publish.yml

@@ -46,12 +46,11 @@ on:
         default: true
         type: boolean
       release_profile:
-        description: Release coverage profile used for release evidence summaries; default reads it from the validation manifest
+        description: Release coverage profile used for release evidence summaries
         required: false
-        default: from-validation
+        default: beta
         type: choice
         options:
-          - from-validation
           - beta
           - stable
           - full
@@ -120,11 +119,7 @@ jobs:
             tideclaw_alpha_publish=true
           fi
           if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" && "${WORKFLOW_REF}" != "refs/heads/main" && ! "${WORKFLOW_REF}" =~ ^refs/heads/release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ && "${tideclaw_alpha_publish}" != "true" ]]; then
-            echo "publish_openclaw_npm=true requires dispatching this workflow from main, release/YYYY.M.PATCH, or a Tideclaw alpha branch for alpha prereleases." >&2
-            exit 1
-          fi
-          if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" && "${PLUGIN_PUBLISH_SCOPE}" != "all-publishable" ]]; then
-            echo "publish_openclaw_npm=true requires plugin_publish_scope=all-publishable so every publishable official plugin is released with OpenClaw." >&2
+            echo "publish_openclaw_npm=true requires dispatching this workflow from main, release/YYYY.M.D, or a Tideclaw alpha branch for alpha prereleases." >&2
             exit 1
           fi
           if [[ "${PLUGIN_PUBLISH_SCOPE}" == "selected" && -z "${PLUGINS}" ]]; then
@@ -136,9 +131,9 @@ jobs:
             exit 1
           fi
           case "$RELEASE_PROFILE" in
-            from-validation|beta|stable|full) ;;
+            beta|stable|full) ;;
             *)
-              echo "release_profile must be one of: from-validation, beta, stable, full" >&2
+              echo "release_profile must be one of: beta, stable, full" >&2
               exit 1
               ;;
           esac
@@ -260,7 +255,6 @@ jobs:
           echo "sha=$release_sha" >> "$GITHUB_OUTPUT"
 
       - name: Validate full release validation manifest
-        id: full_manifest
         if: ${{ inputs.publish_openclaw_npm }}
         env:
           GH_TOKEN: ${{ github.token }}
@@ -271,7 +265,7 @@ jobs:
         run: |
           set -euo pipefail
           RUN_JSON="$(gh run view "$FULL_RELEASE_VALIDATION_RUN_ID" --repo "$GITHUB_REPOSITORY" --json workflowName,headBranch,event,status,conclusion,url)"
-          printf '%s' "$RUN_JSON" | node -e 'const fs = require("node:fs"); const run = JSON.parse(fs.readFileSync(0, "utf8")); const checks = [["workflowName", "Full Release Validation"], ["event", "workflow_dispatch"], ["status", "completed"], ["conclusion", "success"]]; for (const [key, expected] of checks) { if (run[key] !== expected) { console.error(`Referenced full release validation run ${process.env.FULL_RELEASE_VALIDATION_RUN_ID} must have ${key}=${expected}, got ${run[key] ?? "<missing>"}.`); process.exit(1); } } const allowedBranches = new Set(["main", process.env.EXPECTED_WORKFLOW_BRANCH].filter(Boolean)); if (!allowedBranches.has(run.headBranch)) { console.error(`Referenced full release validation run ${process.env.FULL_RELEASE_VALIDATION_RUN_ID} must have headBranch in ${[...allowedBranches].join(", ")}, got ${run.headBranch ?? "<missing>"}.`); process.exit(1); } console.log(`Using full release validation run ${process.env.FULL_RELEASE_VALIDATION_RUN_ID}: ${run.url}`);'
+          printf '%s' "$RUN_JSON" | node -e 'const fs = require("node:fs"); const run = JSON.parse(fs.readFileSync(0, "utf8")); const checks = [["workflowName", "Full Release Validation"], ["headBranch", process.env.EXPECTED_WORKFLOW_BRANCH], ["event", "workflow_dispatch"], ["status", "completed"], ["conclusion", "success"]]; for (const [key, expected] of checks) { if (run[key] !== expected) { console.error(`Referenced full release validation run ${process.env.FULL_RELEASE_VALIDATION_RUN_ID} must have ${key}=${expected}, got ${run[key] ?? "<missing>"}.`); process.exit(1); } } console.log(`Using full release validation run ${process.env.FULL_RELEASE_VALIDATION_RUN_ID}: ${run.url}`);'
 
           manifest="${RUNNER_TEMP}/full-release-validation-manifest/full-release-validation-manifest.json"
           if [[ ! -f "$manifest" ]]; then
@@ -291,7 +285,7 @@ jobs:
             echo "Full release validation target SHA mismatch: expected $EXPECTED_SHA, got $target_sha" >&2
             exit 1
           fi
-          if [[ "$EXPECTED_RELEASE_PROFILE" != "from-validation" && "$release_profile" != "$EXPECTED_RELEASE_PROFILE" ]]; then
+          if [[ "$release_profile" != "$EXPECTED_RELEASE_PROFILE" ]]; then
             echo "Full release validation profile mismatch: expected $EXPECTED_RELEASE_PROFILE, got $release_profile" >&2
             exit 1
           fi
@@ -299,7 +293,6 @@ jobs:
             echo "Full release validation must run rerun_group=all before npm publish; got $rerun_group" >&2
             exit 1
           fi
-          echo "release_profile=$release_profile" >> "$GITHUB_OUTPUT"
 
       - name: Validate release tag is reachable from a trusted release branch
         env:
@@ -335,7 +328,7 @@ jobs:
         env:
           RELEASE_TAG: ${{ inputs.tag }}
           TARGET_SHA: ${{ steps.manifest.outputs.sha || steps.ref.outputs.sha }}
-          RELEASE_PROFILE: ${{ steps.full_manifest.outputs.release_profile || inputs.release_profile }}
+          RELEASE_PROFILE: ${{ inputs.release_profile }}
           FULL_RELEASE_VALIDATION_RUN_ID: ${{ inputs.full_release_validation_run_id }}
         run: |
           {
@@ -387,9 +380,7 @@ jobs:
         run: |
           set -euo pipefail
 
-          dispatch_workflow_at_ref() {
-            local workflow_ref="$1"
-            shift
+          dispatch_workflow() {
             local workflow="$1"
             shift
 
@@ -399,7 +390,7 @@ jobs:
               -F per_page=100 \
               --jq '[.workflow_runs[].id]')"
 
-            dispatch_output="$(gh workflow run --repo "$GITHUB_REPOSITORY" "$workflow" --ref "$workflow_ref" "$@" 2>&1)"
+            dispatch_output="$(gh workflow run --repo "$GITHUB_REPOSITORY" "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@" 2>&1)"
             printf '%s\n' "$dispatch_output" >&2
             run_id="$(
               printf '%s\n' "$dispatch_output" |
@@ -434,10 +425,6 @@ jobs:
             printf '%s\n' "${run_id}"
           }
 
-          dispatch_workflow() {
-            dispatch_workflow_at_ref "$CHILD_WORKFLOW_REF" "$@"
-          }
-
           print_pending_deployments() {
             local workflow="$1"
             local run_id="$2"
@@ -510,7 +497,7 @@ jobs:
           wait_for_run() {
             local workflow="$1"
             local run_id="$2"
-            local status conclusion url updated_at created_at duration_seconds duration_label last_state failed_json
+            local status conclusion url updated_at created_at duration_seconds duration_label last_state
 
             last_state=""
             while true; do
@@ -519,14 +506,6 @@ jobs:
               if [[ "$status" == "completed" ]]; then
                 break
               fi
-              failed_json="$(gh run view --repo "$GITHUB_REPOSITORY" "$run_id" --json jobs \
-                --jq '[.jobs[] | select(.status == "completed" and .conclusion != "success" and .conclusion != "skipped")]' || true)"
-              if [[ -n "${failed_json}" ]] && jq -e 'length > 0' <<< "$failed_json" >/dev/null; then
-                echo "${workflow} has failed jobs before the workflow completed: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}" >&2
-                jq '.[] | {name, conclusion, url}' <<< "$failed_json" >&2 || true
-                print_failed_run_summary "${run_id}"
-                return 1
-              fi
               url="$(printf '%s' "$run_json" | jq -r '.url')"
               updated_at="$(printf '%s' "$run_json" | jq -r '.updatedAt')"
               state="${status}:${updated_at}"
@@ -659,128 +638,6 @@ jobs:
             done
           }
 
-          guard_existing_public_release() {
-            local release_version asset_name release_json is_draft has_sha has_proof has_asset release_url
-
-            if [[ "${PUBLISH_OPENCLAW_NPM}" != "true" ]]; then
-              return 0
-            fi
-
-            if ! release_json="$(gh release view "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" --json isDraft,assets,body,url 2>/dev/null)"; then
-              return 0
-            fi
-
-            is_draft="$(printf '%s' "${release_json}" | jq -r '.isDraft')"
-            if [[ "${is_draft}" == "true" ]]; then
-              return 0
-            fi
-
-            release_version="${RELEASE_TAG#v}"
-            asset_name="openclaw-${release_version}-dependency-evidence.zip"
-            has_sha="$(printf '%s' "${release_json}" | jq --arg sha "${TARGET_SHA}" -r '.body | contains($sha)')"
-            has_proof="$(printf '%s' "${release_json}" | jq -r '.body | contains("### Release verification")')"
-            has_asset="$(printf '%s' "${release_json}" | jq --arg name "${asset_name}" -r 'any(.assets[]?; .name == $name)')"
-            release_url="$(printf '%s' "${release_json}" | jq -r '.url')"
-
-            if [[ "${has_sha}" == "true" && "${has_proof}" == "true" && "${has_asset}" == "true" ]]; then
-              return 0
-            fi
-
-            {
-              echo "Release ${RELEASE_TAG} already has a public GitHub release page without complete postpublish evidence for ${TARGET_SHA}."
-              echo "Refusing to reuse a public prerelease tag after publication started: ${release_url}"
-              echo "Create a new beta tag or delete/draft the incomplete public release before retrying."
-            } >&2
-            exit 1
-          }
-
-          guard_openclaw_npm_not_already_published() {
-            local release_version release_url
-
-            if [[ "${PUBLISH_OPENCLAW_NPM}" != "true" ]]; then
-              return 0
-            fi
-
-            release_version="${RELEASE_TAG#v}"
-            if ! npm view "openclaw@${release_version}" version >/dev/null 2>&1; then
-              return 0
-            fi
-
-            release_url="https://github.com/${GITHUB_REPOSITORY}/releases/tag/${RELEASE_TAG}"
-            {
-              echo "openclaw@${release_version} is already published on npm."
-              echo "Refusing to dispatch publish child workflows for an already-published version."
-              echo "If this is recovery from a failed postpublish evidence or draft-release step, repair/finalize the existing draft or create a correction tag; do not rerun the publish workflow for the same npm version."
-              echo "Release page, if present: ${release_url}"
-            } >&2
-            exit 1
-          }
-
-          resolve_clawhub_release_plan() {
-            local -a plan_args
-
-            clawhub_plan_path="${RUNNER_TEMP}/openclaw-release-clawhub-plan.json"
-            plan_args=(
-              --release-tag "${RELEASE_TAG}"
-              --release-publish-branch "${CHILD_WORKFLOW_REF}"
-              --release-publish-run-id "${GITHUB_RUN_ID}"
-              --plugin-publish-scope "${PLUGIN_PUBLISH_SCOPE}"
-            )
-            if [[ -n "${PLUGINS// }" ]]; then
-              plan_args+=(--plugins "${PLUGINS}")
-            fi
-
-            CLAWHUB_REGISTRY="${CLAWHUB_REGISTRY:-https://clawhub.ai}" \
-              node --import tsx scripts/openclaw-release-clawhub-plan.ts "${plan_args[@]}" > "${clawhub_plan_path}"
-
-            echo "Resolved OpenClaw release ClawHub dispatch plan:"
-            cat "${clawhub_plan_path}"
-
-            clawhub_workflow_ref="$(jq -r '.clawHubWorkflowRef' "${clawhub_plan_path}")"
-            normal_plugins="$(jq -r '.summary.normalPlugins' "${clawhub_plan_path}")"
-            bootstrap_plugins="$(jq -r '.summary.bootstrapPlugins' "${clawhub_plan_path}")"
-            missing_trusted_plugins="$(jq -r '.summary.missingTrustedPlugins' "${clawhub_plan_path}")"
-            normal_plugin_count="$(jq -r '.summary.normalCount' "${clawhub_plan_path}")"
-            bootstrap_plugin_count="$(jq -r '.summary.bootstrapCount' "${clawhub_plan_path}")"
-            missing_trusted_plugin_count="$(jq -r '.summary.missingTrustedPublisherCount' "${clawhub_plan_path}")"
-
-            {
-              echo "### ClawHub release plan"
-              echo
-              echo "- Normal OIDC candidates: \`${normal_plugin_count}\`"
-              echo "- Bootstrap/repair candidates: \`${bootstrap_plugin_count}\`"
-              echo "- Existing-package trusted-publisher repairs: \`${missing_trusted_plugin_count}\`"
-              if [[ -n "${normal_plugins}" ]]; then
-                echo "- Normal plugins: \`${normal_plugins}\`"
-              fi
-              if [[ -n "${bootstrap_plugins}" ]]; then
-                echo "- Bootstrap/repair plugins: \`${bootstrap_plugins}\`"
-              fi
-              if [[ -n "${missing_trusted_plugins}" ]]; then
-                echo "- Trusted-publisher repair plugins: \`${missing_trusted_plugins}\`"
-              fi
-            } >> "$GITHUB_STEP_SUMMARY"
-          }
-
-          append_clawhub_dispatch_args() {
-            local target="$1"
-            while IFS=$'\t' read -r key value; do
-              clawhub_dispatch_args+=(-f "${key}=${value}")
-            done < <(jq -r --arg target "${target}" '.[$target].inputs | to_entries[] | [.key, .value] | @tsv' "${clawhub_plan_path}")
-          }
-
-          write_clawhub_runtime_state() {
-            local force_skip_clawhub="$1"
-            local output_path="$2"
-            node --import tsx scripts/openclaw-release-clawhub-runtime-state.ts \
-              --repository "${GITHUB_REPOSITORY}" \
-              --wait-for-clawhub "${WAIT_FOR_CLAWHUB}" \
-              --force-skip-clawhub "${force_skip_clawhub}" \
-              --normal-run-id "${plugin_clawhub_run_id:-}" \
-              --bootstrap-run-id "${plugin_clawhub_bootstrap_run_id:-}" \
-              --bootstrap-completed "${plugin_clawhub_bootstrap_completed:-false}" > "${output_path}"
-          }
-
           create_or_update_github_release() {
             local release_version notes_version title notes_file changelog_file latest_arg prerelease_args
             release_version="${RELEASE_TAG#v}"
@@ -826,17 +683,11 @@ jobs:
             else
               gh release create "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" \
                 --verify-tag \
-                --draft \
                 --title "${title}" \
                 --notes-file "${notes_file}" \
                 "${prerelease_args[@]}" \
                 "${latest_arg}"
             fi
-            echo "- GitHub release draft: https://github.com/${GITHUB_REPOSITORY}/releases/tag/${RELEASE_TAG}" >> "$GITHUB_STEP_SUMMARY"
-          }
-
-          publish_github_release() {
-            gh release edit "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" --draft=false
             echo "- GitHub release: https://github.com/${GITHUB_REPOSITORY}/releases/tag/${RELEASE_TAG}" >> "$GITHUB_STEP_SUMMARY"
           }
 
@@ -869,11 +720,9 @@ jobs:
           }
 
           verify_published_release() {
-            local release_version evidence_path skip_clawhub clawhub_runtime_state_path
+            local release_version evidence_path
             local -a verify_args
 
-            skip_clawhub="${1:-false}"
-
             release_version="${RELEASE_TAG#v}"
             evidence_path="${POSTPUBLISH_EVIDENCE_DIR}/release-postpublish-evidence.json"
             mkdir -p "${POSTPUBLISH_EVIDENCE_DIR}"
@@ -886,18 +735,16 @@ jobs:
               --dist-tag "${RELEASE_NPM_DIST_TAG}"
               --repo "${GITHUB_REPOSITORY}"
               --workflow-ref "${CHILD_WORKFLOW_REF}"
-              --clawhub-workflow-ref "${clawhub_workflow_ref}"
               --full-release-validation-run "${FULL_RELEASE_VALIDATION_RUN_ID}"
               --plugin-npm-run "${plugin_npm_run_id}"
               --openclaw-npm-run "${openclaw_npm_run_id}"
               --evidence-out "${evidence_path}"
-              --skip-github-release
             )
-            clawhub_runtime_state_path="${RUNNER_TEMP}/openclaw-release-clawhub-runtime-state-verify.json"
-            write_clawhub_runtime_state "${skip_clawhub}" "${clawhub_runtime_state_path}"
-            while IFS= read -r arg; do
-              verify_args+=("${arg}")
-            done < <(jq -r '.verifierArgs[]' "${clawhub_runtime_state_path}")
+            if [[ "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
+              verify_args+=(--plugin-clawhub-run "${plugin_clawhub_run_id}")
+            else
+              verify_args+=(--skip-clawhub)
+            fi
             if [[ -n "${PLUGINS// }" ]]; then
               verify_args+=(--plugins "${PLUGINS}")
             fi
@@ -913,7 +760,7 @@ jobs:
           }
 
           append_release_proof_to_github_release() {
-            local release_version body_file notes_file tarball integrity telegram_line clawhub_line clawhub_bootstrap_line clawhub_runtime_state_path
+            local release_version body_file notes_file tarball integrity telegram_line clawhub_line
 
             release_version="${RELEASE_TAG#v}"
             body_file="${RUNNER_TEMP}/release-body.md"
@@ -927,16 +774,16 @@ jobs:
             else
               telegram_line="- npm Telegram beta E2E: not supplied"
             fi
-            clawhub_runtime_state_path="${RUNNER_TEMP}/openclaw-release-clawhub-runtime-state-proof.json"
-            write_clawhub_runtime_state false "${clawhub_runtime_state_path}"
-            clawhub_line="$(jq -r '.proofLines.normal' "${clawhub_runtime_state_path}")"
-            clawhub_bootstrap_line="$(jq -r '.proofLines.bootstrap' "${clawhub_runtime_state_path}")"
+            if [[ "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
+              clawhub_line="- plugin ClawHub publish: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${plugin_clawhub_run_id}"
+            else
+              clawhub_line="- plugin ClawHub publish: dispatched separately, not awaited by this proof: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${plugin_clawhub_run_id}"
+            fi
 
             RELEASE_BODY_FILE="${body_file}" \
               RELEASE_NOTES_FILE="${notes_file}" \
               RELEASE_VERSION="${release_version}" \
               RELEASE_TAG="${RELEASE_TAG}" \
-              RELEASE_SHA="${TARGET_SHA}" \
               RELEASE_REPO="${GITHUB_REPOSITORY}" \
               RELEASE_TARBALL="${tarball}" \
               RELEASE_INTEGRITY="${integrity}" \
@@ -946,7 +793,6 @@ jobs:
               PLUGIN_NPM_RUN_ID="${plugin_npm_run_id}" \
               OPENCLAW_NPM_RUN_ID="${openclaw_npm_run_id}" \
               CLAWHUB_LINE="${clawhub_line}" \
-              CLAWHUB_BOOTSTRAP_LINE="${clawhub_bootstrap_line}" \
               TELEGRAM_LINE="${telegram_line}" \
               node --input-type=module <<'NODE'
           import { readFileSync, writeFileSync } from "node:fs";
@@ -964,14 +810,12 @@ jobs:
             `- npm package: https://www.npmjs.com/package/openclaw/v/${process.env.RELEASE_VERSION}`,
             `- registry tarball: ${process.env.RELEASE_TARBALL}`,
             `- integrity: \`${process.env.RELEASE_INTEGRITY}\``,
-            `- release SHA: \`${process.env.RELEASE_SHA}\``,
-            `- full release CI report: https://github.com/openclaw/releases/blob/main/evidence/${process.env.RELEASE_VERSION}/release-evidence.md`,
+            `- full release CI report: https://github.com/openclaw/releases-private/blob/main/evidence/${process.env.RELEASE_VERSION}/release-evidence.md`,
             `- release publish: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.RELEASE_PUBLISH_RUN_ID}`,
             `- npm preflight: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.PREFLIGHT_RUN_ID}`,
             `- full release validation: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.FULL_RELEASE_VALIDATION_RUN_ID}`,
             `- plugin npm publish: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.PLUGIN_NPM_RUN_ID}`,
             process.env.CLAWHUB_LINE,
-            process.env.CLAWHUB_BOOTSTRAP_LINE,
             `- OpenClaw npm publish: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.OPENCLAW_NPM_RUN_ID}`,
             process.env.TELEGRAM_LINE,
           ].join("\n");
@@ -988,7 +832,6 @@ jobs:
             echo "### Publish sequence"
             echo
             echo "- Workflow ref: \`${CHILD_WORKFLOW_REF}\`"
-            echo "- ClawHub workflow ref: release tag \`${RELEASE_TAG}\`"
             echo "- Release tag: \`${RELEASE_TAG}\`"
             echo "- Release SHA: \`${TARGET_SHA}\`"
             echo "- Release approval: this workflow job"
@@ -1005,68 +848,26 @@ jobs:
             fi
           } >> "$GITHUB_STEP_SUMMARY"
 
-          guard_existing_public_release
-          guard_openclaw_npm_not_already_published
-          resolve_clawhub_release_plan
-
           npm_args=(-f publish_scope="${PLUGIN_PUBLISH_SCOPE}" -f ref="${TARGET_SHA}" -f release_publish_run_id="${GITHUB_RUN_ID}")
+          clawhub_args=(-f publish_scope="${PLUGIN_PUBLISH_SCOPE}" -f ref="${TARGET_SHA}" -f release_publish_run_id="${GITHUB_RUN_ID}")
           if [[ -n "${PLUGINS}" ]]; then
             npm_args+=(-f plugins="${PLUGINS}")
+            clawhub_args+=(-f plugins="${PLUGINS}")
           fi
 
           plugin_npm_run_id="$(dispatch_workflow plugin-npm-release.yml "${npm_args[@]}")"
-          plugin_clawhub_run_id=""
-          if [[ "$(jq -r '.normal.shouldDispatch' "${clawhub_plan_path}")" == "true" ]]; then
-            clawhub_dispatch_args=()
-            append_clawhub_dispatch_args normal
-            plugin_clawhub_run_id="$(dispatch_workflow_at_ref \
-              "$(jq -r '.normal.ref' "${clawhub_plan_path}")" \
-              "$(jq -r '.normal.workflow' "${clawhub_plan_path}")" \
-              "${clawhub_dispatch_args[@]}")"
-          else
-            echo "- plugin-clawhub-release.yml: no normal OIDC candidates" >> "$GITHUB_STEP_SUMMARY"
-          fi
-          plugin_clawhub_bootstrap_run_id=""
-          plugin_clawhub_bootstrap_completed="false"
-          if [[ "$(jq -r '.bootstrap.shouldDispatch' "${clawhub_plan_path}")" == "true" ]]; then
-            clawhub_dispatch_args=()
-            append_clawhub_dispatch_args bootstrap
-            plugin_clawhub_bootstrap_run_id="$(dispatch_workflow_at_ref \
-              "$(jq -r '.bootstrap.ref' "${clawhub_plan_path}")" \
-              "$(jq -r '.bootstrap.workflow' "${clawhub_plan_path}")" \
-              "${clawhub_dispatch_args[@]}")"
-          else
-            echo "- plugin-clawhub-new.yml: no bootstrap candidates" >> "$GITHUB_STEP_SUMMARY"
-          fi
+          plugin_clawhub_run_id="$(dispatch_workflow plugin-clawhub-release.yml "${clawhub_args[@]}")"
           {
             echo "- Plugin npm run ID: \`${plugin_npm_run_id}\`"
-            echo "- Plugin ClawHub run ID: \`${plugin_clawhub_run_id:-none}\`"
-            echo "- Plugin ClawHub bootstrap run ID: \`${plugin_clawhub_bootstrap_run_id:-none}\`"
+            echo "- Plugin ClawHub run ID: \`${plugin_clawhub_run_id}\`"
           } >> "$GITHUB_STEP_SUMMARY"
 
           if ! wait_for_run plugin-npm-release.yml "${plugin_npm_run_id}"; then
-            echo "Plugin npm publish failed; cancelling dispatched ClawHub child workflows." >&2
-            if [[ -n "${plugin_clawhub_run_id}" ]]; then
-              gh run cancel --repo "$GITHUB_REPOSITORY" "${plugin_clawhub_run_id}" >/dev/null 2>&1 || true
-            fi
-            if [[ -n "${plugin_clawhub_bootstrap_run_id}" ]]; then
-              gh run cancel --repo "$GITHUB_REPOSITORY" "${plugin_clawhub_bootstrap_run_id}" >/dev/null 2>&1 || true
-            fi
+            echo "Plugin npm publish failed; cancelling ClawHub publish child ${plugin_clawhub_run_id}." >&2
+            gh run cancel --repo "$GITHUB_REPOSITORY" "${plugin_clawhub_run_id}" >/dev/null 2>&1 || true
             exit 1
           fi
 
-          if [[ -n "${plugin_clawhub_bootstrap_run_id}" && "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
-            echo "Waiting for plugin-clawhub-new.yml bootstrap to finish before continuing release publish."
-            if wait_for_run plugin-clawhub-new.yml "${plugin_clawhub_bootstrap_run_id}"; then
-              plugin_clawhub_bootstrap_completed="true"
-            else
-              if [[ -n "${plugin_clawhub_run_id}" ]]; then
-                gh run cancel --repo "$GITHUB_REPOSITORY" "${plugin_clawhub_run_id}" >/dev/null 2>&1 || true
-              fi
-              exit 1
-            fi
-          fi
-
           openclaw_npm_run_id=""
           if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" ]]; then
             openclaw_npm_run_id="$(dispatch_workflow openclaw-npm-release.yml \
@@ -1083,52 +884,19 @@ jobs:
 
           clawhub_result=""
           clawhub_pid=""
-          clawhub_bootstrap_result=""
-          clawhub_bootstrap_pid=""
           if [[ "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
-            if [[ -n "${plugin_clawhub_run_id}" ]]; then
-              clawhub_result="$RUNNER_TEMP/clawhub-result.txt"
-              wait_run_pid=""
-              wait_for_run_background plugin-clawhub-release.yml "${plugin_clawhub_run_id}" "${clawhub_result}"
-              clawhub_pid="${wait_run_pid}"
-            fi
-            if [[ -n "${plugin_clawhub_bootstrap_run_id}" ]]; then
-              if [[ "${plugin_clawhub_bootstrap_completed}" == "true" ]]; then
-                echo "- plugin-clawhub-new.yml: bootstrap already completed before continuing" >> "$GITHUB_STEP_SUMMARY"
-              else
-                clawhub_bootstrap_result="$RUNNER_TEMP/clawhub-bootstrap-result.txt"
-                wait_run_pid=""
-                wait_for_run_background plugin-clawhub-new.yml "${plugin_clawhub_bootstrap_run_id}" "${clawhub_bootstrap_result}"
-                clawhub_bootstrap_pid="${wait_run_pid}"
-              fi
-            fi
+            clawhub_result="$RUNNER_TEMP/clawhub-result.txt"
+            wait_run_pid=""
+            wait_for_run_background plugin-clawhub-release.yml "${plugin_clawhub_run_id}" "${clawhub_result}"
+            clawhub_pid="${wait_run_pid}"
           else
-            if [[ -n "${plugin_clawhub_run_id}" ]]; then
-              wait_for_job_success plugin-clawhub-release.yml "${plugin_clawhub_run_id}" "Validate release publish approval"
-              if approve_child_publish_environment plugin-clawhub-release.yml "${plugin_clawhub_run_id}"; then
-                :
-              else
-                echo "- plugin-clawhub-release.yml: child environment gate not ready; publish was left dispatched (${plugin_clawhub_run_id})" >> "$GITHUB_STEP_SUMMARY"
-              fi
-              echo "- plugin-clawhub-release.yml: publish not awaited (${plugin_clawhub_run_id})" >> "$GITHUB_STEP_SUMMARY"
+            wait_for_job_success plugin-clawhub-release.yml "${plugin_clawhub_run_id}" "Validate release publish approval"
+            if approve_child_publish_environment plugin-clawhub-release.yml "${plugin_clawhub_run_id}"; then
+              :
             else
-              echo "- plugin-clawhub-release.yml: no normal OIDC publish to await" >> "$GITHUB_STEP_SUMMARY"
-            fi
-            if [[ -n "${plugin_clawhub_bootstrap_run_id}" ]]; then
-              if [[ "${plugin_clawhub_bootstrap_completed}" == "true" ]]; then
-                echo "- plugin-clawhub-new.yml: bootstrap already completed before continuing" >> "$GITHUB_STEP_SUMMARY"
-              else
-                wait_for_job_success plugin-clawhub-new.yml "${plugin_clawhub_bootstrap_run_id}" "Validate release publish approval"
-                if approve_child_publish_environment plugin-clawhub-new.yml "${plugin_clawhub_bootstrap_run_id}"; then
-                  :
-                else
-                  echo "- plugin-clawhub-new.yml: child environment gate not ready; bootstrap was left dispatched (${plugin_clawhub_bootstrap_run_id})" >> "$GITHUB_STEP_SUMMARY"
-                fi
-                echo "- plugin-clawhub-new.yml: bootstrap not awaited (${plugin_clawhub_bootstrap_run_id})" >> "$GITHUB_STEP_SUMMARY"
-              fi
-            else
-              echo "- plugin-clawhub-new.yml: no bootstrap publish to await" >> "$GITHUB_STEP_SUMMARY"
+              echo "- plugin-clawhub-release.yml: child environment gate not ready; publish was left dispatched (${plugin_clawhub_run_id})" >> "$GITHUB_STEP_SUMMARY"
             fi
+            echo "- plugin-clawhub-release.yml: publish not awaited (${plugin_clawhub_run_id})" >> "$GITHUB_STEP_SUMMARY"
           fi
 
           openclaw_result=""
@@ -1151,33 +919,21 @@ jobs:
             openclaw_failed=1
           fi
 
+          if [[ -n "${openclaw_npm_run_id}" && "${openclaw_failed}" == "0" ]]; then
+            create_or_update_github_release
+            upload_dependency_evidence_release_asset
+          fi
+
           if [[ -n "${clawhub_pid}" ]] && ! wait "${clawhub_pid}"; then
             failed=1
           fi
           if [[ -f "${clawhub_result}" && "$(cat "${clawhub_result}")" != "success" ]]; then
             failed=1
           fi
-          if [[ -n "${clawhub_bootstrap_pid}" ]] && ! wait "${clawhub_bootstrap_pid}"; then
-            failed=1
-          fi
-          if [[ -f "${clawhub_bootstrap_result}" && "$(cat "${clawhub_bootstrap_result}")" != "success" ]]; then
-            failed=1
-          fi
 
-          if [[ -n "${openclaw_npm_run_id}" && "${openclaw_failed}" == "0" ]]; then
-            if [[ "${failed}" == "0" ]]; then
-              verify_published_release
-            else
-              verify_published_release true
-            fi
-            create_or_update_github_release
-            upload_dependency_evidence_release_asset
+          if [[ "${failed}" == "0" && -n "${openclaw_npm_run_id}" ]]; then
+            verify_published_release
             append_release_proof_to_github_release
-            if [[ "${failed}" == "0" ]]; then
-              publish_github_release
-            else
-              echo "- GitHub release: left as draft because a required publish child failed" >> "$GITHUB_STEP_SUMMARY"
-            fi
           fi
           if [[ "${failed}" != "0" ]]; then
             exit 1

.github/workflows/opengrep-precise-full.yml

@@ -32,11 +32,11 @@ jobs:
       - name: Install opengrep
         env:
           # Pin both the install script (by commit SHA) and the binary version.
-          # The script SHA must match the v1.22.0 release tag in opengrep/opengrep
+          # The script SHA must match the v1.19.0 release tag in opengrep/opengrep
           # so a compromised or force-pushed `main` cannot RCE in our CI runner.
           # Bump both together when upgrading.
-          OPENGREP_VERSION: v1.22.0
-          OPENGREP_INSTALL_SHA: f458d7f0d52cc58eae1ca3cf3d5caf101e637519
+          OPENGREP_VERSION: v1.19.0
+          OPENGREP_INSTALL_SHA: 9a4c0a68220618441608cd2bad4ff2eddccf8113
         run: |
           curl -fsSL "https://raw.githubusercontent.com/opengrep/opengrep/${OPENGREP_INSTALL_SHA}/install.sh" \
             | bash -s -- -v "$OPENGREP_VERSION"
@@ -53,7 +53,7 @@ jobs:
           scripts/run-opengrep.sh --sarif --error
 
       - name: Upload SARIF to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v4.36.2
+        uses: github/codeql-action/upload-sarif@v4
         # Only upload if the scan actually produced a SARIF file.
         if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
         with:

.github/workflows/opengrep-precise.yml

@@ -44,7 +44,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ github.sha }}
-          fetch-depth: 2
+          fetch-depth: 1
           fetch-tags: false
           persist-credentials: false
           submodules: false
@@ -58,11 +58,11 @@ jobs:
       - name: Install opengrep
         env:
           # Pin both the install script (by commit SHA) and the binary version.
-          # The script SHA must match the v1.22.0 release tag in opengrep/opengrep
+          # The script SHA must match the v1.19.0 release tag in opengrep/opengrep
           # so a compromised or force-pushed `main` cannot RCE in our CI runner.
           # Bump both together when upgrading.
-          OPENGREP_VERSION: v1.22.0
-          OPENGREP_INSTALL_SHA: f458d7f0d52cc58eae1ca3cf3d5caf101e637519
+          OPENGREP_VERSION: v1.19.0
+          OPENGREP_INSTALL_SHA: 9a4c0a68220618441608cd2bad4ff2eddccf8113
         run: |
           curl -fsSL "https://raw.githubusercontent.com/opengrep/opengrep/${OPENGREP_INSTALL_SHA}/install.sh" \
             | bash -s -- -v "$OPENGREP_VERSION"
@@ -74,7 +74,6 @@ jobs:
       - name: Run opengrep on PR diff
         env:
           OPENCLAW_OPENGREP_BASE_REF: ${{ github.event.pull_request.base.sha }}...HEAD
-          OPENCLAW_OPENGREP_MERGE_HEAD_FIRST_PARENT: "1"
         # Findings from precise rules block this workflow. Pull requests scan
         # changed first-party source paths only so findings stay attributable to
         # the PR diff. Test/fixture/QA path exclusions live in `.semgrepignore`
@@ -84,7 +83,7 @@ jobs:
           scripts/run-opengrep.sh --changed --sarif --error
 
       - name: Upload SARIF to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v4.36.2
+        uses: github/codeql-action/upload-sarif@v4
         # Only upload if the scan actually produced a SARIF file.
         if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
         with:

.github/workflows/plugin-clawhub-new.yml

@@ -1,504 +0,0 @@
-name: Plugin ClawHub New
-
-on:
-  workflow_dispatch:
-    inputs:
-      plugins:
-        description: Comma-separated plugin package names to bootstrap on ClawHub
-        required: true
-        type: string
-      ref:
-        description: Commit SHA on main, a release branch, or the matching Tideclaw alpha branch to publish from; defaults to the workflow ref
-        required: false
-        default: ""
-        type: string
-      release_publish_run_id:
-        description: Approved OpenClaw Release Publish workflow run id
-        required: false
-        type: string
-      release_publish_branch:
-        description: Branch name of the approving OpenClaw Release Publish workflow run
-        required: false
-        type: string
-      dry_run:
-        description: Validate the token-gated ClawHub bootstrap handoff without publishing.
-        required: false
-        default: false
-        type: boolean
-
-concurrency:
-  group: plugin-clawhub-new-${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  NODE_VERSION: "24.15.0"
-  CLAWHUB_REGISTRY: "https://clawhub.ai"
-  CLAWHUB_CLI_PACKAGE: "clawhub@0.21.0"
-
-jobs:
-  resolve_bootstrap_plan:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      ref_revision: ${{ steps.ref.outputs.sha }}
-      has_bootstrap_candidates: ${{ steps.plan.outputs.has_bootstrap_candidates }}
-      bootstrap_candidate_count: ${{ steps.plan.outputs.bootstrap_candidate_count }}
-      matrix: ${{ steps.plan.outputs.matrix }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-          ref: ${{ github.ref }}
-          fetch-depth: 0
-
-      - name: Resolve checked-out ref
-        id: ref
-        env:
-          TARGET_REF: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || '' }}
-        run: |
-          set -euo pipefail
-          git fetch --no-tags origin \
-            +refs/heads/main:refs/remotes/origin/main \
-            '+refs/heads/release/*:refs/remotes/origin/release/*'
-          if [[ -n "${TARGET_REF}" ]]; then
-            if git rev-parse --verify --quiet "${TARGET_REF}^{commit}" >/dev/null; then
-              target_sha="$(git rev-parse "${TARGET_REF}^{commit}")"
-            elif git rev-parse --verify --quiet "origin/${TARGET_REF}^{commit}" >/dev/null; then
-              target_sha="$(git rev-parse "origin/${TARGET_REF}^{commit}")"
-            else
-              echo "Unable to resolve requested publish ref: ${TARGET_REF}" >&2
-              exit 1
-            fi
-            git checkout --detach "${target_sha}"
-          fi
-          echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
-
-      - name: Validate ref is on a trusted publish branch
-        env:
-          TRUSTED_PUBLISH_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
-        run: |
-          set -euo pipefail
-          if git merge-base --is-ancestor HEAD origin/main; then
-            exit 0
-          fi
-          while IFS= read -r release_ref; do
-            if git merge-base --is-ancestor HEAD "${release_ref}"; then
-              exit 0
-            fi
-          done < <(git for-each-ref --format='%(refname)' refs/remotes/origin/release)
-          if [[ "${TRUSTED_PUBLISH_BRANCH}" =~ ^tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
-            alpha_branch="${TRUSTED_PUBLISH_BRANCH}"
-            git fetch --no-tags origin "+refs/heads/${alpha_branch}:refs/remotes/origin/${alpha_branch}"
-            if git merge-base --is-ancestor HEAD "refs/remotes/origin/${alpha_branch}"; then
-              exit 0
-            fi
-          fi
-          echo "Plugin ClawHub bootstraps must target a commit reachable from main, release/*, or the matching Tideclaw alpha branch." >&2
-          exit 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          install-bun: "false"
-
-      - name: Validate publishable plugin metadata
-        env:
-          RELEASE_PLUGINS: ${{ inputs.plugins }}
-        run: |
-          set -euo pipefail
-          if [[ -z "${RELEASE_PLUGINS// }" ]]; then
-            echo "Plugin ClawHub bootstrap requires at least one package name in plugins." >&2
-            exit 1
-          fi
-          pnpm release:plugins:clawhub:check -- --selection-mode selected --plugins "${RELEASE_PLUGINS}"
-
-      - name: Resolve plugin bootstrap plan
-        id: plan
-        env:
-          RELEASE_PLUGINS: ${{ inputs.plugins }}
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-        run: |
-          set -euo pipefail
-          mkdir -p .local
-          node --import tsx scripts/plugin-clawhub-release-plan.ts \
-            --selection-mode selected \
-            --plugins "${RELEASE_PLUGINS}" > .local/plugin-clawhub-release-plan.json
-
-          cat .local/plugin-clawhub-release-plan.json
-
-          bootstrap_candidate_count="$(jq -r '(.bootstrapCandidates | length) + (.missingTrustedPublisher | length)' .local/plugin-clawhub-release-plan.json)"
-          selected_count="$(jq -r '.all | length' .local/plugin-clawhub-release-plan.json)"
-          matrix_json="$(
-            jq -c '
-              [
-                .bootstrapCandidates[]? + {
-                  bootstrapMode: "publish",
-                  requiresManualOverride: false
-                },
-                .missingTrustedPublisher[]? + {
-                  bootstrapMode: (if .alreadyPublished then "configure-only" else "publish" end),
-                  requiresManualOverride: true
-                }
-              ]
-            ' .local/plugin-clawhub-release-plan.json
-          )"
-          has_bootstrap_candidates="false"
-          if [[ "${bootstrap_candidate_count}" != "0" ]]; then
-            has_bootstrap_candidates="true"
-          fi
-
-          invalid_scope="$(
-            jq -r '
-              (.bootstrapCandidates[]?, .missingTrustedPublisher[]?)
-              | select(.packageName | startswith("@openclaw/") | not)
-              | "- \(.packageName)@\(.version)"
-            ' .local/plugin-clawhub-release-plan.json
-          )"
-          if [[ -n "${invalid_scope}" ]]; then
-            echo "Plugin ClawHub bootstrap only supports @openclaw/* packages." >&2
-            printf '%s\n' "${invalid_scope}" >&2
-            exit 1
-          fi
-
-          not_bootstrap="$(
-            jq -r '
-              (.bootstrapCandidates | map(.packageName)) as $bootstrapNames
-              | (.missingTrustedPublisher | map(.packageName)) as $repairNames
-              | .all[]?
-              | select(.packageName as $name | ($bootstrapNames + $repairNames | index($name) | not))
-              | "- \(.packageName)@\(.version)"
-            ' .local/plugin-clawhub-release-plan.json
-          )"
-          if [[ -n "${not_bootstrap}" ]]; then
-            echo "Selected packages must all be first-publish bootstrap candidates or trusted-publisher repair candidates." >&2
-            printf '%s\n' "${not_bootstrap}" >&2
-            exit 1
-          fi
-          if [[ "${selected_count}" == "0" || "${bootstrap_candidate_count}" == "0" ]]; then
-            echo "No selected packages require ClawHub bootstrap." >&2
-            exit 1
-          fi
-
-          {
-            echo "bootstrap_candidate_count=${bootstrap_candidate_count}"
-            echo "has_bootstrap_candidates=${has_bootstrap_candidates}"
-            echo "matrix=${matrix_json}"
-          } >> "$GITHUB_OUTPUT"
-
-          echo "ClawHub bootstrap candidates:"
-          jq -r '
-            .bootstrapCandidates[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"
-          ' .local/plugin-clawhub-release-plan.json
-          echo "ClawHub trusted-publisher repair candidates:"
-          jq -r '
-            .missingTrustedPublisher[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir), alreadyPublished=\(.alreadyPublished)"
-          ' .local/plugin-clawhub-release-plan.json
-
-      - name: Validate Tideclaw alpha plugin channels
-        env:
-          TRUSTED_PUBLISH_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
-        run: |
-          set -euo pipefail
-          if [[ ! "${TRUSTED_PUBLISH_BRANCH}" =~ ^tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
-            exit 0
-          fi
-          invalid="$(
-            jq -r '
-              (.bootstrapCandidates[]?, .missingTrustedPublisher[]?)
-              | select(.publishTag != "alpha" or .channel != "alpha")
-              | "- \(.packageName)@\(.version) [\(.publishTag)]"
-            ' .local/plugin-clawhub-release-plan.json
-          )"
-          if [[ -n "${invalid}" ]]; then
-            echo "Tideclaw alpha ClawHub bootstraps may only publish alpha plugin versions." >&2
-            printf '%s\n' "${invalid}" >&2
-            exit 1
-          fi
-
-  validate_release_publish_approval:
-    name: Validate release publish approval
-    needs: resolve_bootstrap_plan
-    if: github.event_name == 'workflow_dispatch' && needs.resolve_bootstrap_plan.outputs.has_bootstrap_candidates == 'true'
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-
-      - name: Validate release publish approval run
-        env:
-          GH_TOKEN: ${{ github.token }}
-          RELEASE_PUBLISH_RUN_ID: ${{ inputs.release_publish_run_id }}
-          EXPECTED_WORKFLOW_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
-        run: |
-          set -euo pipefail
-          if [[ -z "${RELEASE_PUBLISH_RUN_ID// }" ]]; then
-            if [[ "${GITHUB_ACTOR}" == "github-actions[bot]" ]]; then
-              echo "Plugin ClawHub bootstrap dispatched by another workflow must include release_publish_run_id." >&2
-              exit 1
-            fi
-            echo "Direct Plugin ClawHub New dispatch; relying on this workflow's clawhub-plugin-bootstrap environment approval."
-            exit 0
-          fi
-          direct_recovery=false
-          if [[ "${GITHUB_ACTOR}" != "github-actions[bot]" ]]; then
-            direct_recovery=true
-            echo "Direct Plugin ClawHub New recovery with release_publish_run_id; relying on this workflow's clawhub-plugin-bootstrap environment approval."
-          fi
-          RUN_JSON="$(gh run view "$RELEASE_PUBLISH_RUN_ID" --repo "$GITHUB_REPOSITORY" --json workflowName,headBranch,event,status,conclusion,url)"
-          printf '%s' "$RUN_JSON" | DIRECT_RELEASE_RECOVERY="${direct_recovery}" node scripts/validate-release-publish-approval.mjs
-
-  validate_bootstrap_trusted_publisher_cli:
-    needs: [resolve_bootstrap_plan, validate_release_publish_approval]
-    if: always() && github.event_name == 'workflow_dispatch' && inputs.dry_run != true && needs.resolve_bootstrap_plan.outputs.has_bootstrap_candidates == 'true' && needs.validate_release_publish_approval.result == 'success'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Validate pinned ClawHub trusted publisher CLI support
-        env:
-          CLAWHUB_CLI_PACKAGE: ${{ env.CLAWHUB_CLI_PACKAGE }}
-        run: |
-          set -euo pipefail
-          help_output="$(
-            npm exec --yes --package "${CLAWHUB_CLI_PACKAGE}" -- \
-              clawhub package trusted-publisher set --help 2>&1 || true
-          )"
-          printf '%s\n' "${help_output}"
-          if ! grep -Fq "Usage: clawhub package trusted-publisher set" <<<"${help_output}"; then
-            echo "::error::CLAW-277 03 - Split OpenClaw plugin ClawHub publishing into OIDC release and token bootstrap workflows requires ${CLAWHUB_CLI_PACKAGE} to expose 'package trusted-publisher set' before token bootstrap publish can run. The pinned CLI returned parent help or no set command, so this workflow is stopping before creating a ClawHub package row."
-            exit 1
-          fi
-          for required_flag in --repository --workflow-filename; do
-            if ! grep -Fq -- "${required_flag}" <<<"${help_output}"; then
-              echo "::error::CLAW-277 03 - Split OpenClaw plugin ClawHub publishing into OIDC release and token bootstrap workflows requires ${CLAWHUB_CLI_PACKAGE} trusted-publisher set help to include ${required_flag}."
-              exit 1
-            fi
-          done
-
-  publish_bootstrap_plugins:
-    needs:
-      [
-        resolve_bootstrap_plan,
-        validate_release_publish_approval,
-        validate_bootstrap_trusted_publisher_cli,
-      ]
-    if: always() && github.event_name == 'workflow_dispatch' && needs.resolve_bootstrap_plan.outputs.has_bootstrap_candidates == 'true' && needs.validate_release_publish_approval.result == 'success' && (inputs.dry_run == true || needs.validate_bootstrap_trusted_publisher_cli.result == 'success')
-    runs-on: ubuntu-latest
-    environment: clawhub-plugin-bootstrap
-    permissions:
-      contents: read
-    strategy:
-      fail-fast: false
-      max-parallel: 8
-      matrix:
-        plugin: ${{ fromJson(needs.resolve_bootstrap_plan.outputs.matrix) }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-          ref: ${{ github.ref }}
-          fetch-depth: 0
-
-      - name: Checkout target revision
-        env:
-          TARGET_SHA: ${{ needs.resolve_bootstrap_plan.outputs.ref_revision }}
-        run: |
-          set -euo pipefail
-          git fetch --no-tags origin \
-            +refs/heads/main:refs/remotes/origin/main \
-            '+refs/heads/release/*:refs/remotes/origin/release/*'
-          git checkout --detach "${TARGET_SHA}"
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          install-bun: "true"
-          install-deps: "true"
-
-      - name: Verify package-local runtime build
-        run: node scripts/check-plugin-npm-runtime-builds.mjs --package "${{ matrix.plugin.packageDir }}"
-
-      - name: Install pinned ClawHub CLI wrapper
-        run: |
-          set -euo pipefail
-          cat > "${RUNNER_TEMP}/clawhub" <<'EOF'
-          #!/usr/bin/env bash
-          set -euo pipefail
-          exec npm exec --yes --package "${CLAWHUB_CLI_PACKAGE}" -- clawhub "$@"
-          EOF
-          chmod +x "${RUNNER_TEMP}/clawhub"
-          echo "${RUNNER_TEMP}" >> "${GITHUB_PATH}"
-
-      - name: Write ClawHub token config
-        if: inputs.dry_run != true
-        env:
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-          CLAWHUB_TOKEN: ${{ secrets.CLAWHUB_TOKEN }}
-        run: |
-          set -euo pipefail
-          config_path="${RUNNER_TEMP}/clawhub-config.json"
-          CONFIG_PATH="${config_path}" node --input-type=module <<'NODE'
-          import { writeFileSync } from "node:fs";
-
-          const registry = process.env.CLAWHUB_REGISTRY?.trim();
-          const token = process.env.CLAWHUB_TOKEN?.trim();
-          const configPath = process.env.CONFIG_PATH;
-          if (!registry) {
-            throw new Error("CLAWHUB_REGISTRY is required for token-gated ClawHub bootstrap.");
-          }
-          if (!token) {
-            throw new Error("CLAWHUB_TOKEN is required for token-gated ClawHub bootstrap.");
-          }
-          if (!configPath) {
-            throw new Error("CONFIG_PATH is required.");
-          }
-
-          writeFileSync(configPath, `${JSON.stringify({ registry, token }, null, 2)}\n`, {
-            encoding: "utf8",
-            mode: 0o600,
-          });
-          NODE
-          echo "CLAWHUB_CONFIG_PATH=${config_path}" >> "${GITHUB_ENV}"
-
-      - name: Publish ClawHub bootstrap package
-        env:
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-          SOURCE_REPO: ${{ github.repository }}
-          SOURCE_COMMIT: ${{ needs.resolve_bootstrap_plan.outputs.ref_revision }}
-          SOURCE_REF: ${{ github.ref }}
-          PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
-          PACKAGE_DIR: ${{ matrix.plugin.packageDir }}
-          BOOTSTRAP_MODE: ${{ matrix.plugin.bootstrapMode }}
-          REQUIRES_MANUAL_OVERRIDE: ${{ matrix.plugin.requiresManualOverride && 'true' || 'false' }}
-          DRY_RUN: ${{ inputs.dry_run && 'true' || 'false' }}
-          OPENCLAW_PLUGIN_NPM_RUNTIME_BUILD: "0"
-        run: |
-          set -euo pipefail
-          if [[ "${BOOTSTRAP_MODE}" == "configure-only" ]]; then
-            echo "Skipping bootstrap publish because ${PACKAGE_DIR} version is already present on ClawHub; configuring trusted publisher only."
-          elif [[ "${DRY_RUN}" == "true" ]]; then
-            bash scripts/plugin-clawhub-publish.sh --dry-run "${PACKAGE_DIR}"
-          else
-            if [[ "${REQUIRES_MANUAL_OVERRIDE}" == "true" ]]; then
-              export OPENCLAW_CLAWHUB_MANUAL_OVERRIDE_REASON="GitHub Actions trusted publisher repair before OIDC migration"
-            fi
-            bash scripts/plugin-clawhub-publish.sh --publish "${PACKAGE_DIR}"
-          fi
-
-      - name: Configure trusted publisher for normal OIDC releases
-        if: inputs.dry_run != true
-        env:
-          CLAWHUB_CLI_PACKAGE: ${{ env.CLAWHUB_CLI_PACKAGE }}
-          PACKAGE_NAME: ${{ matrix.plugin.packageName }}
-        run: |
-          set -euo pipefail
-          npm exec --yes --package "${CLAWHUB_CLI_PACKAGE}" -- \
-            clawhub package trusted-publisher set "${PACKAGE_NAME}" \
-              --repository openclaw/openclaw \
-              --workflow-filename plugin-clawhub-release.yml
-
-  verify_bootstrap_clawhub_package:
-    needs: [resolve_bootstrap_plan, publish_bootstrap_plugins]
-    if: github.event_name == 'workflow_dispatch' && inputs.dry_run != true && needs.resolve_bootstrap_plan.outputs.has_bootstrap_candidates == 'true'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    strategy:
-      fail-fast: false
-      max-parallel: 8
-      matrix:
-        plugin: ${{ fromJson(needs.resolve_bootstrap_plan.outputs.matrix) }}
-    steps:
-      - name: Verify bootstrap ClawHub package and trusted publisher
-        env:
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-          PACKAGE_NAME: ${{ matrix.plugin.packageName }}
-          PACKAGE_VERSION: ${{ matrix.plugin.version }}
-          PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
-        run: |
-          set -euo pipefail
-          node --input-type=module <<'EOF'
-          const registry = (process.env.CLAWHUB_REGISTRY ?? "https://clawhub.ai").replace(/\/+$/, "");
-          const packageName = process.env.PACKAGE_NAME;
-          const packageVersion = process.env.PACKAGE_VERSION;
-          const packageTag = process.env.PACKAGE_TAG;
-          if (!packageName || !packageVersion || !packageTag) {
-            throw new Error("Missing ClawHub bootstrap verification env.");
-          }
-          const encodedName = encodeURIComponent(packageName);
-          const encodedVersion = encodeURIComponent(packageVersion);
-          const detailUrl = `${registry}/api/v1/packages/${encodedName}`;
-          const trustedPublisherUrl = `${detailUrl}/trusted-publisher`;
-          const versionUrl = `${detailUrl}/versions/${encodedVersion}`;
-          const artifactUrl = `${versionUrl}/artifact/download`;
-
-          async function fetchWithRetry(url, options = {}) {
-            let lastStatus = "unknown";
-            for (let attempt = 1; attempt <= 12; attempt += 1) {
-              try {
-                const response = await fetch(url, { redirect: "manual", ...options });
-                lastStatus = response.status;
-                if (response.status !== 429 && response.status < 500) {
-                  return response;
-                }
-              } catch (error) {
-                lastStatus = error instanceof Error ? error.message : String(error);
-              }
-              await new Promise((resolve) => setTimeout(resolve, attempt * 5000));
-            }
-            throw new Error(`${url} did not stabilize; last status ${lastStatus}.`);
-          }
-
-          const detailResponse = await fetchWithRetry(detailUrl, {
-            headers: { accept: "application/json" },
-          });
-          if (!detailResponse.ok) {
-            throw new Error(`${detailUrl} returned HTTP ${detailResponse.status}.`);
-          }
-          const detail = await detailResponse.json();
-          const tags = detail?.package?.tags ?? {};
-          if (tags[packageTag] !== packageVersion) {
-            throw new Error(
-              `${packageName}: ClawHub tag ${packageTag} points to ${tags[packageTag] ?? "<missing>"}, expected ${packageVersion}.`,
-            );
-          }
-
-          const trustedPublisherResponse = await fetchWithRetry(trustedPublisherUrl, {
-            headers: { accept: "application/json" },
-          });
-          if (!trustedPublisherResponse.ok) {
-            throw new Error(`${trustedPublisherUrl} returned HTTP ${trustedPublisherResponse.status}.`);
-          }
-          const trustedPublisherDetail = await trustedPublisherResponse.json();
-          const trustedPublisher = trustedPublisherDetail?.trustedPublisher;
-          if (
-            trustedPublisher?.repository !== "openclaw/openclaw" ||
-            trustedPublisher?.workflowFilename !== "plugin-clawhub-release.yml" ||
-            trustedPublisher?.environment != null
-          ) {
-            throw new Error(
-              `${packageName}: trusted publisher config did not match openclaw/openclaw plugin-clawhub-release.yml without an environment pin.`,
-            );
-          }
-
-          const versionResponse = await fetchWithRetry(versionUrl);
-          if (!versionResponse.ok) {
-            throw new Error(`${versionUrl} returned HTTP ${versionResponse.status}.`);
-          }
-          const artifactResponse = await fetchWithRetry(artifactUrl, { method: "HEAD" });
-          if (artifactResponse.status < 200 || artifactResponse.status >= 400) {
-            throw new Error(`${artifactUrl} returned HTTP ${artifactResponse.status}.`);
-          }
-          console.log(`${packageName}@${packageVersion} bootstrap verified on ClawHub.`);
-          EOF

.github/workflows/plugin-clawhub-release.yml

@@ -16,7 +16,7 @@ on:
         required: false
         type: string
       ref:
-        description: Dry-run target ref to validate; real OIDC publishes must dispatch the workflow with --ref set to the target release tag/ref
+        description: Commit SHA on main, a release branch, or the matching Tideclaw alpha branch to publish from; defaults to the workflow ref
         required: false
         default: ""
         type: string
@@ -24,15 +24,6 @@ on:
         description: Approved OpenClaw Release Publish workflow run id
         required: false
         type: string
-      release_publish_branch:
-        description: Branch name of the approving OpenClaw Release Publish workflow run
-        required: false
-        type: string
-      dry_run:
-        description: Validate the full ClawHub artifact handoff without publishing.
-        required: false
-        default: false
-        type: boolean
 
 concurrency:
   group: plugin-clawhub-release-${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
@@ -42,7 +33,9 @@ env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   NODE_VERSION: "24.15.0"
   CLAWHUB_REGISTRY: "https://clawhub.ai"
-  CLAWHUB_CLI_PACKAGE: "clawhub@0.21.0"
+  CLAWHUB_REPOSITORY: "openclaw/clawhub"
+  # Pinned to a reviewed ClawHub commit so release behavior stays reproducible.
+  CLAWHUB_REF: "facf20ceb6cc459e2872d941e71335a784bbc55c"
 
 jobs:
   preview_plugins_clawhub:
@@ -52,15 +45,9 @@ jobs:
     outputs:
       ref_revision: ${{ steps.ref.outputs.sha }}
       has_candidates: ${{ steps.plan.outputs.has_candidates }}
-      has_bootstrap_candidates: ${{ steps.plan.outputs.has_bootstrap_candidates }}
-      has_missing_trusted_publisher: ${{ steps.plan.outputs.has_missing_trusted_publisher }}
       candidate_count: ${{ steps.plan.outputs.candidate_count }}
-      bootstrap_candidate_count: ${{ steps.plan.outputs.bootstrap_candidate_count }}
-      missing_trusted_publisher_count: ${{ steps.plan.outputs.missing_trusted_publisher_count }}
       skipped_published_count: ${{ steps.plan.outputs.skipped_published_count }}
       matrix: ${{ steps.plan.outputs.matrix }}
-      bootstrap_matrix: ${{ steps.plan.outputs.bootstrap_matrix }}
-      missing_trusted_publisher_matrix: ${{ steps.plan.outputs.missing_trusted_publisher_matrix }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -69,6 +56,12 @@ jobs:
           ref: ${{ github.ref }}
           fetch-depth: 0
 
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          install-bun: "false"
+
       - name: Resolve checked-out ref
         id: ref
         env:
@@ -91,27 +84,9 @@ jobs:
           fi
           echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
 
-      - name: Validate OIDC source matches workflow ref
-        env:
-          TARGET_SHA: ${{ steps.ref.outputs.sha }}
-          WORKFLOW_SHA: ${{ github.sha }}
-          DRY_RUN: ${{ inputs.dry_run && 'true' || 'false' }}
-        run: |
-          set -euo pipefail
-          if [[ "${TARGET_SHA}" != "${WORKFLOW_SHA}" ]]; then
-            if [[ "${DRY_RUN}" == "true" ]]; then
-              echo "Dry-run publish target differs from workflow ref; allowing validation-only dispatch."
-              exit 0
-            fi
-            echo "Plugin ClawHub OIDC publishes must run from the same ref that is being published." >&2
-            echo "The ref input is only supported for dry_run=true." >&2
-            echo "For real publishes, dispatch this workflow with --ref pointing at the target release tag/ref and omit the ref input." >&2
-            exit 1
-          fi
-
       - name: Validate ref is on a trusted publish branch
         env:
-          TRUSTED_PUBLISH_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
+          WORKFLOW_REF: ${{ github.ref }}
         run: |
           set -euo pipefail
           if git merge-base --is-ancestor HEAD origin/main; then
@@ -122,8 +97,8 @@ jobs:
               exit 0
             fi
           done < <(git for-each-ref --format='%(refname)' refs/remotes/origin/release)
-          if [[ "${TRUSTED_PUBLISH_BRANCH}" =~ ^tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
-            alpha_branch="${TRUSTED_PUBLISH_BRANCH}"
+          if [[ "${WORKFLOW_REF}" =~ ^refs/heads/tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
+            alpha_branch="${WORKFLOW_REF#refs/heads/}"
             git fetch --no-tags origin "+refs/heads/${alpha_branch}:refs/remotes/origin/${alpha_branch}"
             if git merge-base --is-ancestor HEAD "refs/remotes/origin/${alpha_branch}"; then
               exit 0
@@ -132,12 +107,6 @@ jobs:
           echo "Plugin ClawHub publishes must target a commit reachable from main, release/*, or the matching Tideclaw alpha branch." >&2
           exit 1
 
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          install-bun: "false"
-
       - name: Validate publishable plugin metadata
         env:
           PUBLISH_SCOPE: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_scope || '' }}
@@ -184,78 +153,36 @@ jobs:
           cat .local/plugin-clawhub-release-plan.json
 
           candidate_count="$(jq -r '.candidates | length' .local/plugin-clawhub-release-plan.json)"
-          bootstrap_candidate_count="$(jq -r '.bootstrapCandidates | length' .local/plugin-clawhub-release-plan.json)"
-          missing_trusted_publisher_count="$(jq -r '.missingTrustedPublisher | length' .local/plugin-clawhub-release-plan.json)"
           skipped_published_count="$(jq -r '.skippedPublished | length' .local/plugin-clawhub-release-plan.json)"
           has_candidates="false"
           if [[ "${candidate_count}" != "0" ]]; then
             has_candidates="true"
           fi
-          has_bootstrap_candidates="false"
-          if [[ "${bootstrap_candidate_count}" != "0" ]]; then
-            has_bootstrap_candidates="true"
-          fi
-          has_missing_trusted_publisher="false"
-          if [[ "${missing_trusted_publisher_count}" != "0" ]]; then
-            has_missing_trusted_publisher="true"
-          fi
           matrix_json="$(jq -c '.candidates' .local/plugin-clawhub-release-plan.json)"
-          bootstrap_matrix_json="$(jq -c '.bootstrapCandidates' .local/plugin-clawhub-release-plan.json)"
-          missing_trusted_publisher_matrix_json="$(jq -c '.missingTrustedPublisher' .local/plugin-clawhub-release-plan.json)"
 
           {
             echo "candidate_count=${candidate_count}"
-            echo "bootstrap_candidate_count=${bootstrap_candidate_count}"
-            echo "missing_trusted_publisher_count=${missing_trusted_publisher_count}"
             echo "skipped_published_count=${skipped_published_count}"
             echo "has_candidates=${has_candidates}"
-            echo "has_bootstrap_candidates=${has_bootstrap_candidates}"
-            echo "has_missing_trusted_publisher=${has_missing_trusted_publisher}"
             echo "matrix=${matrix_json}"
-            echo "bootstrap_matrix=${bootstrap_matrix_json}"
-            echo "missing_trusted_publisher_matrix=${missing_trusted_publisher_matrix_json}"
           } >> "$GITHUB_OUTPUT"
 
           echo "Plugin release candidates:"
           jq -r '.candidates[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"' .local/plugin-clawhub-release-plan.json
 
-          echo "Bootstrap candidates requiring token bootstrap:"
-          jq -r '.bootstrapCandidates[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"' .local/plugin-clawhub-release-plan.json
-
-          echo "Missing trusted publisher candidates:"
-          jq -r '.missingTrustedPublisher[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"' .local/plugin-clawhub-release-plan.json
-
           echo "Already published / skipped:"
           jq -r '.skippedPublished[]? | "- \(.packageName)@\(.version)"' .local/plugin-clawhub-release-plan.json
 
-      - name: Fail when trusted publisher is missing
-        if: steps.plan.outputs.missing_trusted_publisher_count != '0'
-        run: |
-          echo "::error::One or more ClawHub packages exist but do not have trusted publishing configured. Configure trusted publishing before running the normal OIDC publish workflow."
-          jq -r '.missingTrustedPublisher[]? | "::error::Missing trusted publisher: \(.packageName)@\(.version). Configure trusted publishing for openclaw/openclaw, workflow plugin-clawhub-release.yml."' .local/plugin-clawhub-release-plan.json
-          exit 1
-
-      - name: Fail normal publish when bootstrap is required
-        if: steps.plan.outputs.bootstrap_candidate_count != '0'
-        run: |
-          echo "::error::One or more ClawHub packages do not exist yet and require the token-gated Plugin ClawHub New bootstrap workflow before normal OIDC publish can run."
-          jq -r '.bootstrapCandidates[]? | "::error::Bootstrap required: \(.packageName)@\(.version). Dispatch plugin-clawhub-new.yml for this package, then rerun the normal release."' .local/plugin-clawhub-release-plan.json
-          exit 1
-
       - name: Fail manual publish when target versions already exist
-        if: github.event_name == 'workflow_dispatch' && inputs.dry_run != true && inputs.publish_scope == 'selected' && steps.plan.outputs.skipped_published_count != '0'
+        if: github.event_name == 'workflow_dispatch' && inputs.publish_scope == 'selected' && steps.plan.outputs.skipped_published_count != '0'
         run: |
           echo "::error::One or more selected plugin versions already exist on ClawHub. Bump the version before running a real publish."
           exit 1
 
       - name: Validate Tideclaw alpha plugin channels
-        env:
-          TRUSTED_PUBLISH_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
+        if: startsWith(github.ref, 'refs/heads/tideclaw/alpha/')
         run: |
           set -euo pipefail
-          if [[ ! "${TRUSTED_PUBLISH_BRANCH}" =~ ^tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
-            exit 0
-          fi
           invalid="$(
             jq -r '.candidates[]? | select(.publishTag != "alpha" or .channel != "alpha") | "- \(.packageName)@\(.version) [\(.publishTag)]"' .local/plugin-clawhub-release-plan.json
           )"
@@ -265,6 +192,12 @@ jobs:
             exit 1
           fi
 
+      - name: Verify OpenClaw ClawHub package ownership
+        if: steps.plan.outputs.has_candidates == 'true'
+        env:
+          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+        run: node --import tsx scripts/plugin-clawhub-owner-preflight.ts .local/plugin-clawhub-release-plan.json
+
   validate_release_publish_approval:
     name: Validate release publish approval
     needs: preview_plugins_clawhub
@@ -274,16 +207,11 @@ jobs:
       actions: read
       contents: read
     steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-
       - name: Validate release publish approval run
         env:
           GH_TOKEN: ${{ github.token }}
           RELEASE_PUBLISH_RUN_ID: ${{ inputs.release_publish_run_id }}
-          EXPECTED_WORKFLOW_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
+          EXPECTED_WORKFLOW_BRANCH: ${{ github.ref_name }}
         run: |
           set -euo pipefail
           if [[ -z "${RELEASE_PUBLISH_RUN_ID// }" ]]; then
@@ -294,20 +222,113 @@ jobs:
             echo "Direct Plugin ClawHub Release dispatch; relying on this workflow's clawhub-plugin-release environment approval."
             exit 0
           fi
-          direct_recovery=false
           if [[ "${GITHUB_ACTOR}" != "github-actions[bot]" ]]; then
-            direct_recovery=true
-            echo "Direct Plugin ClawHub Release recovery with release_publish_run_id; relying on this workflow's clawhub-plugin-release environment approval."
+            echo "Plugin ClawHub publish must be dispatched by the OpenClaw Release Publish workflow, not directly by ${GITHUB_ACTOR}." >&2
+            exit 1
           fi
           RUN_JSON="$(gh run view "$RELEASE_PUBLISH_RUN_ID" --repo "$GITHUB_REPOSITORY" --json workflowName,headBranch,event,status,conclusion,url)"
-          printf '%s' "$RUN_JSON" | DIRECT_RELEASE_RECOVERY="${direct_recovery}" node scripts/validate-release-publish-approval.mjs
+          printf '%s' "$RUN_JSON" | node -e 'const fs = require("node:fs"); const run = JSON.parse(fs.readFileSync(0, "utf8")); const checks = [["workflowName", "OpenClaw Release Publish"], ["headBranch", process.env.EXPECTED_WORKFLOW_BRANCH], ["event", "workflow_dispatch"]]; for (const [key, expected] of checks) { if (run[key] !== expected) { console.error(`Referenced release publish run ${process.env.RELEASE_PUBLISH_RUN_ID} must have ${key}=${expected}, got ${run[key] ?? "<missing>"}.`); process.exit(1); } } if (run.status !== "in_progress") { console.error(`Referenced release publish run ${process.env.RELEASE_PUBLISH_RUN_ID} must still be in_progress, got ${run.status ?? "<missing>"}.`); process.exit(1); } if (run.conclusion) { console.error(`Referenced release publish run ${process.env.RELEASE_PUBLISH_RUN_ID} already concluded ${run.conclusion}.`); process.exit(1); } console.log(`Using release publish approval run ${process.env.RELEASE_PUBLISH_RUN_ID}: ${run.url}`);'
 
-  pack_plugins_clawhub_artifacts:
-    needs: [preview_plugins_clawhub, validate_release_publish_approval]
-    if: github.event_name == 'workflow_dispatch' && needs.preview_plugins_clawhub.outputs.has_candidates == 'true'
+  preview_plugin_pack:
+    needs: preview_plugins_clawhub
+    if: needs.preview_plugins_clawhub.outputs.has_candidates == 'true'
     runs-on: ubuntu-latest
     permissions:
       contents: read
+    strategy:
+      fail-fast: false
+      max-parallel: 12
+      matrix:
+        plugin: ${{ fromJson(needs.preview_plugins_clawhub.outputs.matrix) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ github.ref }}
+          fetch-depth: 0
+
+      - name: Checkout target revision
+        env:
+          TARGET_SHA: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
+        run: |
+          set -euo pipefail
+          git fetch --no-tags origin \
+            +refs/heads/main:refs/remotes/origin/main \
+            '+refs/heads/release/*:refs/remotes/origin/release/*'
+          git checkout --detach "${TARGET_SHA}"
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          install-bun: "true"
+          install-deps: "true"
+
+      - name: Checkout ClawHub CLI source
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          repository: ${{ env.CLAWHUB_REPOSITORY }}
+          ref: main
+          path: clawhub-source
+          fetch-depth: 0
+
+      - name: Checkout pinned ClawHub CLI revision
+        working-directory: clawhub-source
+        env:
+          CLAWHUB_REF: ${{ env.CLAWHUB_REF }}
+        run: git checkout --detach "${CLAWHUB_REF}"
+
+      - name: Install ClawHub CLI dependencies
+        working-directory: clawhub-source
+        run: |
+          set -euo pipefail
+          for attempt in 1 2 3; do
+            if bun install --frozen-lockfile; then
+              exit 0
+            fi
+            status="$?"
+            if [[ "${attempt}" == "3" ]]; then
+              exit "${status}"
+            fi
+            echo "bun install failed while preparing ClawHub CLI; retrying (${attempt}/3)."
+            rm -rf node_modules "${RUNNER_TEMP}/bun-install-cache" || true
+            sleep $((attempt * 15))
+          done
+
+      - name: Bootstrap ClawHub CLI
+        run: |
+          cat > "$RUNNER_TEMP/clawhub" <<'EOF'
+          #!/usr/bin/env bash
+          set -euo pipefail
+          exec bun "$GITHUB_WORKSPACE/clawhub-source/packages/clawhub/src/cli.ts" "$@"
+          EOF
+          chmod +x "$RUNNER_TEMP/clawhub"
+          echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
+
+      - name: Verify package-local runtime build
+        run: node scripts/check-plugin-npm-runtime-builds.mjs --package "${{ matrix.plugin.packageDir }}"
+
+      - name: Preview publish command
+        env:
+          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+          SOURCE_REPO: ${{ github.repository }}
+          SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
+          SOURCE_REF: ${{ github.ref }}
+          PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
+          PACKAGE_DIR: ${{ matrix.plugin.packageDir }}
+        run: bash scripts/plugin-clawhub-publish.sh --dry-run "${PACKAGE_DIR}"
+
+  publish_plugins_clawhub:
+    needs: [preview_plugins_clawhub, preview_plugin_pack, validate_release_publish_approval]
+    if: github.event_name == 'workflow_dispatch' && needs.preview_plugins_clawhub.outputs.has_candidates == 'true'
+    runs-on: ubuntu-latest
+    environment: clawhub-plugin-release
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
     strategy:
       fail-fast: false
       max-parallel: 32
@@ -338,21 +359,111 @@ jobs:
           install-bun: "true"
           install-deps: "true"
 
-      - name: Verify package-local runtime build
-        run: node scripts/check-plugin-npm-runtime-builds.mjs --package "${{ matrix.plugin.packageDir }}"
+      - name: Checkout ClawHub CLI source
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          repository: ${{ env.CLAWHUB_REPOSITORY }}
+          ref: main
+          path: clawhub-source
+          fetch-depth: 0
 
-      - name: Install pinned ClawHub CLI wrapper
+      - name: Checkout pinned ClawHub CLI revision
+        working-directory: clawhub-source
+        env:
+          CLAWHUB_REF: ${{ env.CLAWHUB_REF }}
+        run: git checkout --detach "${CLAWHUB_REF}"
+
+      - name: Install ClawHub CLI dependencies
+        working-directory: clawhub-source
         run: |
           set -euo pipefail
-          cat > "${RUNNER_TEMP}/clawhub" <<'EOF'
+          for attempt in 1 2 3; do
+            if bun install --frozen-lockfile; then
+              exit 0
+            fi
+            status="$?"
+            if [[ "${attempt}" == "3" ]]; then
+              exit "${status}"
+            fi
+            echo "bun install failed while preparing ClawHub CLI; retrying (${attempt}/3)."
+            rm -rf node_modules "${RUNNER_TEMP}/bun-install-cache" || true
+            sleep $((attempt * 15))
+          done
+
+      - name: Bootstrap ClawHub CLI
+        run: |
+          cat > "$RUNNER_TEMP/clawhub" <<'EOF'
           #!/usr/bin/env bash
           set -euo pipefail
-          exec npm exec --yes --package "${CLAWHUB_CLI_PACKAGE}" -- clawhub "$@"
+          exec bun "$GITHUB_WORKSPACE/clawhub-source/packages/clawhub/src/cli.ts" "$@"
           EOF
-          chmod +x "${RUNNER_TEMP}/clawhub"
-          echo "${RUNNER_TEMP}" >> "${GITHUB_PATH}"
+          chmod +x "$RUNNER_TEMP/clawhub"
+          echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
 
-      - name: Pack ClawHub package artifact
+      - name: Write ClawHub token config
+        env:
+          CLAWHUB_TOKEN: ${{ secrets.CLAWHUB_TOKEN }}
+          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+        run: |
+          set -euo pipefail
+          if [[ -z "${CLAWHUB_TOKEN}" ]]; then
+            echo "No CLAWHUB_TOKEN secret configured; publish will rely on GitHub OIDC trusted publishing."
+            exit 0
+          fi
+          node --input-type=module <<'EOF'
+          import { writeFileSync } from "node:fs";
+          import { join } from "node:path";
+
+          const path = join(process.env.RUNNER_TEMP, "clawhub-config.json");
+          writeFileSync(
+            path,
+            `${JSON.stringify(
+              {
+                registry: process.env.CLAWHUB_REGISTRY,
+                token: process.env.CLAWHUB_TOKEN,
+              },
+              null,
+              2,
+            )}\n`,
+          );
+          console.log(path);
+          EOF
+          echo "CLAWHUB_CONFIG_PATH=${RUNNER_TEMP}/clawhub-config.json" >> "$GITHUB_ENV"
+
+      - name: Ensure version is not already published
+        env:
+          PACKAGE_NAME: ${{ matrix.plugin.packageName }}
+          PACKAGE_VERSION: ${{ matrix.plugin.version }}
+          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+        run: |
+          set -euo pipefail
+          encoded_name="$(node -e 'console.log(encodeURIComponent(process.env.PACKAGE_NAME ?? ""))')"
+          encoded_version="$(node -e 'console.log(encodeURIComponent(process.env.PACKAGE_VERSION ?? ""))')"
+          url="${CLAWHUB_REGISTRY%/}/api/v1/packages/${encoded_name}/versions/${encoded_version}"
+          status=""
+          for attempt in $(seq 1 8); do
+            status="$(curl --silent --show-error --output /dev/null --write-out '%{http_code}' "${url}")"
+            if [[ "${status}" == "404" || "${status}" =~ ^2 ]]; then
+              break
+            fi
+            if [[ "${status}" == "429" || "${status}" =~ ^5 ]]; then
+              echo "ClawHub availability check returned ${status} for ${PACKAGE_NAME}@${PACKAGE_VERSION}; retrying (${attempt}/8)."
+              sleep 60
+              continue
+            fi
+            break
+          done
+          if [[ "${status}" =~ ^2 ]]; then
+            echo "${PACKAGE_NAME}@${PACKAGE_VERSION} is already published on ClawHub."
+            exit 1
+          fi
+          if [[ "${status}" != "404" ]]; then
+            echo "Unexpected ClawHub response (${status}) for ${PACKAGE_NAME}@${PACKAGE_VERSION}."
+            exit 1
+          fi
+
+      - name: Publish
         env:
           CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
           SOURCE_REPO: ${{ github.repository }}
@@ -360,68 +471,8 @@ jobs:
           SOURCE_REF: ${{ github.ref }}
           PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
           PACKAGE_DIR: ${{ matrix.plugin.packageDir }}
-          OPENCLAW_CLAWHUB_PACK_OUTPUT_DIR: ${{ runner.temp }}/clawhub-package-artifact
-        run: bash scripts/plugin-clawhub-publish.sh --pack "${PACKAGE_DIR}"
+        run: bash scripts/plugin-clawhub-publish.sh --publish "${PACKAGE_DIR}"
 
-      - name: Upload ClawHub package artifact
-        uses: actions/upload-artifact@v7
-        with:
-          name: ${{ matrix.plugin.artifactName }}
-          path: ${{ runner.temp }}/clawhub-package-artifact/*.tgz
-          if-no-files-found: error
-          retention-days: 7
-
-  approve_plugins_clawhub_release:
-    needs: [preview_plugins_clawhub, pack_plugins_clawhub_artifacts]
-    if: always() && github.event_name == 'workflow_dispatch' && inputs.dry_run != true && needs.preview_plugins_clawhub.outputs.has_candidates == 'true' && needs.pack_plugins_clawhub_artifacts.result == 'success'
-    runs-on: ubuntu-latest
-    environment: clawhub-plugin-release
-    permissions:
-      contents: read
-    steps:
-      - name: Approve Plugin ClawHub release publish
-        run: |
-          echo "Approved CLAW-277 03 - Split OpenClaw plugin ClawHub publishing into OIDC release and token bootstrap workflows release publish gate."
-
-  publish_plugins_clawhub:
-    needs:
-      [preview_plugins_clawhub, pack_plugins_clawhub_artifacts, approve_plugins_clawhub_release]
-    if: always() && github.event_name == 'workflow_dispatch' && needs.preview_plugins_clawhub.outputs.has_candidates == 'true' && needs.pack_plugins_clawhub_artifacts.result == 'success' && (inputs.dry_run == true || needs.approve_plugins_clawhub_release.result == 'success')
-    uses: openclaw/clawhub/.github/workflows/package-publish.yml@9d49df109d4ad3dc8a6ecf05d26b39f46d294721
-    permissions:
-      actions: read
-      contents: read
-      id-token: write
-    strategy:
-      fail-fast: false
-      max-parallel: 32
-      matrix:
-        plugin: ${{ fromJson(needs.preview_plugins_clawhub.outputs.matrix) }}
-    with:
-      package_artifact_name: ${{ matrix.plugin.artifactName }}
-      dry_run: ${{ inputs.dry_run }}
-      registry: https://clawhub.ai
-      site: https://clawhub.ai
-      tags: ${{ matrix.plugin.publishTag }}
-      source_repo: ${{ github.repository }}
-      source_commit: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
-      source_ref: ${{ github.ref }}
-      source_path: ${{ matrix.plugin.packageDir }}
-      inspector_artifact_name: ${{ matrix.plugin.artifactName }}-inspector
-      publish_json_artifact_name: ${{ matrix.plugin.artifactName }}-publish-json
-
-  verify_published_clawhub_package:
-    needs: [preview_plugins_clawhub, publish_plugins_clawhub]
-    if: github.event_name == 'workflow_dispatch' && inputs.dry_run != true && needs.preview_plugins_clawhub.outputs.has_candidates == 'true'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    strategy:
-      fail-fast: false
-      max-parallel: 32
-      matrix:
-        plugin: ${{ fromJson(needs.preview_plugins_clawhub.outputs.matrix) }}
-    steps:
       - name: Verify published ClawHub package
         env:
           CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}

.github/workflows/plugin-npm-release.yml

@@ -184,11 +184,6 @@ jobs:
       actions: read
       contents: read
     steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-
       - name: Validate release publish approval run
         env:
           GH_TOKEN: ${{ github.token }}
@@ -204,13 +199,12 @@ jobs:
             echo "Direct Plugin NPM Release dispatch; relying on this workflow's npm-release environment approval."
             exit 0
           fi
-          direct_recovery=false
           if [[ "${GITHUB_ACTOR}" != "github-actions[bot]" ]]; then
-            direct_recovery=true
-            echo "Direct Plugin NPM Release recovery with release_publish_run_id; relying on this workflow's npm-release environment approval."
+            echo "Plugin npm publish must be dispatched by the OpenClaw Release Publish workflow, not directly by ${GITHUB_ACTOR}." >&2
+            exit 1
           fi
           RUN_JSON="$(gh run view "$RELEASE_PUBLISH_RUN_ID" --repo "$GITHUB_REPOSITORY" --json workflowName,headBranch,event,status,conclusion,url)"
-          printf '%s' "$RUN_JSON" | DIRECT_RELEASE_RECOVERY="${direct_recovery}" node scripts/validate-release-publish-approval.mjs
+          printf '%s' "$RUN_JSON" | node -e 'const fs = require("node:fs"); const run = JSON.parse(fs.readFileSync(0, "utf8")); const checks = [["workflowName", "OpenClaw Release Publish"], ["headBranch", process.env.EXPECTED_WORKFLOW_BRANCH], ["event", "workflow_dispatch"]]; for (const [key, expected] of checks) { if (run[key] !== expected) { console.error(`Referenced release publish run ${process.env.RELEASE_PUBLISH_RUN_ID} must have ${key}=${expected}, got ${run[key] ?? "<missing>"}.`); process.exit(1); } } if (run.status !== "in_progress") { console.error(`Referenced release publish run ${process.env.RELEASE_PUBLISH_RUN_ID} must still be in_progress, got ${run.status ?? "<missing>"}.`); process.exit(1); } if (run.conclusion) { console.error(`Referenced release publish run ${process.env.RELEASE_PUBLISH_RUN_ID} already concluded ${run.conclusion}.`); process.exit(1); } console.log(`Using release publish approval run ${process.env.RELEASE_PUBLISH_RUN_ID}: ${run.url}`);'
 
   preview_plugin_pack:
     needs: preview_plugins_npm
@@ -269,8 +263,7 @@ jobs:
           node-version: ${{ env.NODE_VERSION }}
           install-bun: "false"
 
-      - name: Check npm package version
-        id: npm_package_version
+      - name: Ensure version is not already published
         env:
           PACKAGE_NAME: ${{ matrix.plugin.packageName }}
           PACKAGE_VERSION: ${{ matrix.plugin.version }}
@@ -278,17 +271,13 @@ jobs:
           set -euo pipefail
           if npm view "${PACKAGE_NAME}@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
             echo "${PACKAGE_NAME}@${PACKAGE_VERSION} is already published on npm."
-            echo "already_published=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "already_published=false" >> "$GITHUB_OUTPUT"
+            exit 1
           fi
 
       - name: Publish
-        if: steps.npm_package_version.outputs.already_published != 'true'
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          OPENCLAW_NPM_PUBLISH_AUTH_MODE: trusted-publisher
         run: bash scripts/plugin-npm-publish.sh --publish "${{ matrix.plugin.packageDir }}"
 
       - name: Verify published runtime

.github/workflows/qa-live-transports-convex.yml

@@ -52,7 +52,6 @@ env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   NODE_VERSION: "24.x"
   OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL || 'openai/gpt-5.5' }}
-  OPENCLAW_CI_OPENAI_FALLBACK_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_FALLBACK_MODEL || 'openai/gpt-5.4' }}
   OPENCLAW_BUILD_PRIVATE_QA: "1"
   OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
 
@@ -65,7 +64,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             if (context.eventName === "schedule") {
@@ -159,7 +158,7 @@ jobs:
   run_mock_parity:
     name: Run QA Lab mock parity lane
     needs: [validate_selected_ref]
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 30
     env:
       QA_PARITY_CONCURRENCY: "1"
@@ -186,7 +185,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run OpenAI candidate lane
@@ -199,13 +198,13 @@ jobs:
             --alt-model openai/gpt-5.5-alt \
             --output-dir .artifacts/qa-e2e/openai-candidate
 
-      - name: Run Opus 4.8 lane
+      - name: Run Opus 4.7 lane
         run: |
           pnpm openclaw qa suite \
             --provider-mode mock-openai \
             --parity-pack agentic \
             --concurrency "${QA_PARITY_CONCURRENCY}" \
-            --model anthropic/claude-opus-4-8 \
+            --model anthropic/claude-opus-4-7 \
             --alt-model anthropic/claude-sonnet-4-6 \
             --output-dir .artifacts/qa-e2e/anthropic-baseline
 
@@ -216,7 +215,7 @@ jobs:
             --candidate-summary .artifacts/qa-e2e/openai-candidate/qa-suite-summary.json \
             --baseline-summary .artifacts/qa-e2e/anthropic-baseline/qa-suite-summary.json \
             --candidate-label "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --baseline-label anthropic/claude-opus-4-8 \
+            --baseline-label anthropic/claude-opus-4-7 \
             --output-dir .artifacts/qa-e2e/parity
 
       - name: Upload parity artifacts
@@ -232,7 +231,7 @@ jobs:
     name: Run live runtime token-efficiency lane
     needs: [authorize_actor, validate_selected_ref]
     if: github.event_name == 'schedule'
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 45
     environment: qa-live-shared
     env:
@@ -267,7 +266,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run live runtime parity lane
@@ -289,8 +288,8 @@ jobs:
             --runtime-parity-tier live-only \
             --concurrency "${QA_PARITY_CONCURRENCY}" \
             --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model "${OPENCLAW_CI_OPENAI_FALLBACK_MODEL}" \
-            --runtime-pair openclaw,codex \
+            --alt-model "${OPENCLAW_CI_OPENAI_MODEL}" \
+            --runtime-pair pi,codex \
             --fast \
             --allow-failures \
             --output-dir "${output_dir}/runtime-suite"
@@ -321,7 +320,7 @@ jobs:
     name: Run Matrix live QA lane
     needs: [authorize_actor, validate_selected_ref]
     if: ${{ !(github.event_name == 'workflow_dispatch' && inputs.matrix_profile == 'all') }}
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     steps:
@@ -352,7 +351,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run Matrix live lane
@@ -374,7 +373,7 @@ jobs:
             --output-dir "${output_dir}" \
             --provider-mode live-frontier \
             --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model "${OPENCLAW_CI_OPENAI_FALLBACK_MODEL}" \
+            --alt-model "${OPENCLAW_CI_OPENAI_MODEL}" \
             --profile "${INPUT_MATRIX_PROFILE}" \
             --fast
           )
@@ -397,7 +396,7 @@ jobs:
     name: Run Matrix live QA lane (${{ matrix.profile }})
     needs: [authorize_actor, validate_selected_ref]
     if: ${{ github.event_name == 'workflow_dispatch' && inputs.matrix_profile == 'all' }}
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     strategy:
@@ -437,7 +436,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run Matrix live lane shard
@@ -458,7 +457,7 @@ jobs:
             --output-dir "${output_dir}" \
             --provider-mode live-frontier \
             --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model "${OPENCLAW_CI_OPENAI_FALLBACK_MODEL}" \
+            --alt-model "${OPENCLAW_CI_OPENAI_MODEL}" \
             --profile "${{ matrix.profile }}" \
             --fast
           )
@@ -480,7 +479,7 @@ jobs:
   run_live_telegram:
     name: Run Telegram live QA lane with Convex leases
     needs: [authorize_actor, validate_selected_ref]
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     steps:
@@ -520,7 +519,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run Telegram live lane
@@ -530,7 +529,6 @@ jobs:
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
           OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-          OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
           OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
           OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
           INPUT_SCENARIO: ${{ github.event_name == 'workflow_dispatch' && inputs.scenario || '' }}
@@ -557,7 +555,7 @@ jobs:
             --output-dir "${output_dir}" \
             --provider-mode live-frontier \
             --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model "${OPENCLAW_CI_OPENAI_FALLBACK_MODEL}" \
+            --alt-model "${OPENCLAW_CI_OPENAI_MODEL}" \
             --fast \
             --credential-source convex \
             --credential-role ci \
@@ -575,7 +573,7 @@ jobs:
   run_live_discord:
     name: Run Discord live QA lane with Convex leases
     needs: [authorize_actor, validate_selected_ref]
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     steps:
@@ -615,7 +613,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run Discord live lane
@@ -651,7 +649,7 @@ jobs:
             --output-dir "${output_dir}" \
             --provider-mode live-frontier \
             --model openai/gpt-5.5 \
-            --alt-model "${OPENCLAW_CI_OPENAI_FALLBACK_MODEL}" \
+            --alt-model openai/gpt-5.5 \
             --fast \
             --credential-source convex \
             --credential-role ci \
@@ -669,7 +667,7 @@ jobs:
   run_live_whatsapp:
     name: Run WhatsApp live QA lane with Convex leases
     needs: [authorize_actor, validate_selected_ref]
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     concurrency:
       group: qa-live-whatsapp-shared
@@ -712,7 +710,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run WhatsApp live lane
@@ -748,7 +746,7 @@ jobs:
             --output-dir "${output_dir}" \
             --provider-mode live-frontier \
             --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model "${OPENCLAW_CI_OPENAI_FALLBACK_MODEL}" \
+            --alt-model "${OPENCLAW_CI_OPENAI_MODEL}" \
             --fast \
             --credential-source convex \
             --credential-role ci \
@@ -766,7 +764,7 @@ jobs:
   run_live_slack:
     name: Run Slack live QA lane with Convex leases
     needs: [authorize_actor, validate_selected_ref]
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     steps:
@@ -806,7 +804,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run Slack live lane
@@ -818,7 +816,6 @@ jobs:
           OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
           OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
           OPENCLAW_QA_SLACK_CAPTURE_CONTENT: "1"
-          OPENCLAW_QA_TRANSPORT_READY_TIMEOUT_MS: "180000"
           INPUT_SCENARIO: ${{ github.event_name == 'workflow_dispatch' && inputs.slack_scenario || '' }}
         run: |
           set -euo pipefail
@@ -843,7 +840,7 @@ jobs:
             --output-dir "${output_dir}" \
             --provider-mode live-frontier \
             --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model "${OPENCLAW_CI_OPENAI_FALLBACK_MODEL}" \
+            --alt-model "${OPENCLAW_CI_OPENAI_MODEL}" \
             --fast \
             --credential-source convex \
             --credential-role ci \

.github/workflows/sandbox-common-smoke.yml

@@ -35,14 +35,14 @@ jobs:
           submodules: false
 
       - name: Set up Docker Builder
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Build minimal sandbox base (USER sandbox)
         shell: bash
         run: |
           set -euo pipefail
 
-          timeout --kill-after=30s 5m docker build -t openclaw-sandbox-smoke-base:bookworm-slim - <<'EOF'
+          docker build -t openclaw-sandbox-smoke-base:bookworm-slim - <<'EOF'
           FROM debian:bookworm-slim
           RUN useradd --create-home --shell /bin/bash sandbox
           USER sandbox
@@ -63,5 +63,5 @@ jobs:
             FINAL_USER=sandbox \
             scripts/sandbox-common-setup.sh
 
-          u="$(timeout --kill-after=30s 2m docker run --rm openclaw-sandbox-common-smoke:bookworm-slim sh -lc 'id -un')"
+          u="$(docker run --rm openclaw-sandbox-common-smoke:bookworm-slim sh -lc 'id -un')"
           test "$u" = "sandbox"

.github/workflows/stale.yml

@@ -509,62 +509,60 @@ jobs:
 
             let locked = 0;
             let inspected = 0;
-            let cursor = null;
 
+            let page = 1;
             while (true) {
-              const result = await github.graphql(
-                `query ClosedIssuesForLocking(
-                  $owner: String!
-                  $repo: String!
-                  $cursor: String
-                  $perPage: Int!
-                ) {
-                  repository(owner: $owner, name: $repo) {
-                    issues(
-                      first: $perPage
-                      after: $cursor
-                      states: CLOSED
-                      orderBy: { field: CREATED_AT, direction: ASC }
-                    ) {
-                      nodes {
-                        number
-                        locked
-                        closedAt
-                        comments(last: 1) {
-                          nodes {
-                            createdAt
-                          }
-                        }
-                      }
-                      pageInfo {
-                        hasNextPage
-                        endCursor
-                      }
-                    }
-                  }
-                }`,
-                {
-                  owner,
-                  repo,
-                  cursor,
-                  perPage,
-                },
-              );
-              const issues = result.repository.issues;
+              const { data: issues } = await github.rest.issues.listForRepo({
+                owner,
+                repo,
+                state: "closed",
+                sort: "updated",
+                direction: "desc",
+                per_page: perPage,
+                page,
+              });
 
-              for (const issue of issues.nodes) {
-                if (issue.locked || !issue.closedAt) {
+              if (issues.length === 0) {
+                break;
+              }
+
+              for (const issue of issues) {
+                if (issue.pull_request) {
+                  continue;
+                }
+                if (issue.locked) {
+                  continue;
+                }
+                if (!issue.closed_at) {
                   continue;
                 }
 
                 inspected += 1;
-                const closedAtMs = Date.parse(issue.closedAt);
-                if (!Number.isFinite(closedAtMs) || closedAtMs > cutoffMs) {
+                const closedAtMs = Date.parse(issue.closed_at);
+                if (!Number.isFinite(closedAtMs)) {
+                  continue;
+                }
+                if (closedAtMs > cutoffMs) {
                   continue;
                 }
 
-                const lastComment = issue.comments.nodes[0];
-                const lastCommentMs = lastComment ? Date.parse(lastComment.createdAt) : 0;
+                let lastCommentMs = 0;
+                if (issue.comments > 0) {
+                  const { data: comments } = await github.rest.issues.listComments({
+                    owner,
+                    repo,
+                    issue_number: issue.number,
+                    per_page: 1,
+                    page: 1,
+                    sort: "created",
+                    direction: "desc",
+                  });
+
+                  if (comments.length > 0) {
+                    lastCommentMs = Date.parse(comments[0].created_at);
+                  }
+                }
+
                 const lastActivityMs = Math.max(closedAtMs, lastCommentMs || 0);
                 if (lastActivityMs > cutoffMs) {
                   continue;
@@ -580,10 +578,7 @@ jobs:
                 locked += 1;
               }
 
-              if (!issues.pageInfo.hasNextPage || !issues.pageInfo.endCursor) {
-                break;
-              }
-              cursor = issues.pageInfo.endCursor;
+              page += 1;
             }
 
             core.info(`Inspected ${inspected} closed issues; locked ${locked}.`);

.github/workflows/test-performance-agent.yml

@@ -129,7 +129,7 @@ jobs:
 
       - name: Run Codex test performance agent
         if: steps.gate.outputs.run_agent == 'true'
-        uses: openai/codex-action@e0fdf01220eb9a88167c4898839d273e3f2609d1
+        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
         with:
           openai-api-key: ${{ secrets.OPENCLAW_TEST_PERF_AGENT_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
           prompt-file: .github/codex/prompts/test-performance-agent.md

.github/workflows/tui-pty.yml

@@ -27,9 +27,7 @@ env:
 jobs:
   tui-pty:
     runs-on: ubuntu-24.04
-    timeout-minutes: 8
-    env:
-      OPENCLAW_TUI_PTY_INCLUDE_LOCAL: "1"
+    timeout-minutes: 5
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -40,4 +38,4 @@ jobs:
           install-bun: "false"
 
       - name: Run TUI PTY tests
-        run: timeout --kill-after=30s 240s node scripts/run-vitest.mjs run --config test/vitest/vitest.tui-pty.config.ts
+        run: timeout 120s node scripts/run-vitest.mjs run --config test/vitest/vitest.tui-pty.config.ts

.github/workflows/update-migration.yml

@@ -43,4 +43,4 @@ jobs:
       published_upgrade_survivor_baselines: ${{ inputs.baselines }}
       published_upgrade_survivor_scenarios: ${{ inputs.scenarios }}
       telegram_mode: none
-    secrets: inherit # zizmor: ignore[secrets-inherit] Maintainer-dispatched package acceptance lane intentionally forwards its declared live-test secret matrix.
+    secrets: inherit

.github/workflows/website-installer-sync.yml

@@ -75,14 +75,14 @@ jobs:
 
       - name: install.sh in Docker
         run: |
-          timeout --kill-after=30s 20m docker run --rm \
+          docker run --rm \
             -v "$PWD/scripts/install.sh:/tmp/install.sh:ro" \
             node:24-bookworm-slim \
             bash -lc 'bash /tmp/install.sh --version latest && openclaw --version'
 
       - name: install-cli.sh in Docker
         run: |
-          timeout --kill-after=30s 20m docker run --rm \
+          docker run --rm \
             -e OPENCLAW_NO_ONBOARD=1 \
             -e OPENCLAW_NO_PROMPT=1 \
             -v "$PWD/scripts/install-cli.sh:/tmp/install-cli.sh:ro" \
@@ -90,7 +90,7 @@ jobs:
             bash -lc 'apt-get update -y && apt-get install -y curl && bash /tmp/install-cli.sh --prefix /tmp/openclaw --no-onboard --version latest && /tmp/openclaw/bin/openclaw --version'
 
   macos-installer:
-    runs-on: macos-15
+    runs-on: macos-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v6

.github/workflows/windows-blacksmith-testbox.yml

@@ -197,4 +197,4 @@ jobs:
 
       - name: Testbox action marker
         if: ${{ false }}
-        uses: useblacksmith/run-testbox@3f60ff9ceb2c10c3feefa87dc0c6490cffae059d
+        uses: useblacksmith/run-testbox@5ca05834db1d3813554d1dd109e5f2087a8d7cbc

.github/workflows/windows-node-release.yml

@@ -1,126 +0,0 @@
-name: Windows Node Release
-
-on:
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: Existing OpenClaw release tag to receive Windows Hub installers, for example v2026.6.1
-        required: true
-        type: string
-      windows_node_tag:
-        description: openclaw-windows-node release tag to promote, or latest
-        required: true
-        default: latest
-        type: string
-
-permissions:
-  contents: write
-
-concurrency:
-  group: windows-node-release-${{ inputs.tag }}
-  cancel-in-progress: false
-
-jobs:
-  promote_signed_windows_installers:
-    name: Promote signed Windows installers
-    runs-on: windows-latest
-    timeout-minutes: 30
-    steps:
-      - name: Validate inputs
-        shell: pwsh
-        env:
-          RELEASE_TAG: ${{ inputs.tag }}
-          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          if ($env:RELEASE_TAG -notmatch '^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-(alpha|beta)\.[1-9][0-9]*)|(-[1-9][0-9]*))?$') {
-            throw "Invalid OpenClaw release tag: $env:RELEASE_TAG"
-          }
-          if ($env:WINDOWS_NODE_TAG -ne "latest" -and $env:WINDOWS_NODE_TAG -notmatch '^v[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z.-]+)?$') {
-            throw "Invalid openclaw-windows-node release tag: $env:WINDOWS_NODE_TAG"
-          }
-          gh release view $env:RELEASE_TAG --repo $env:GITHUB_REPOSITORY | Out-Null
-
-      - name: Download Windows Hub release installers
-        shell: pwsh
-        env:
-          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          New-Item -ItemType Directory -Force -Path dist | Out-Null
-          $tagArgs = @()
-          if ($env:WINDOWS_NODE_TAG -ne "latest") {
-            $tagArgs += $env:WINDOWS_NODE_TAG
-          }
-          gh release download @tagArgs `
-            --repo openclaw/openclaw-windows-node `
-            --pattern "OpenClawCompanion-Setup-*.exe" `
-            --dir dist
-
-          $expected = @(
-            "dist/OpenClawCompanion-Setup-x64.exe",
-            "dist/OpenClawCompanion-Setup-arm64.exe"
-          )
-          foreach ($file in $expected) {
-            if (-not (Test-Path -LiteralPath $file)) {
-              throw "Missing expected Windows installer: $file"
-            }
-          }
-
-      - name: Verify Authenticode signatures
-        shell: pwsh
-        run: |
-          Get-ChildItem -LiteralPath dist -Filter "OpenClawCompanion-Setup-*.exe" | ForEach-Object {
-            $signature = Get-AuthenticodeSignature -LiteralPath $_.FullName
-            if ($signature.Status -ne "Valid") {
-              throw "$($_.Name) Authenticode signature was $($signature.Status)."
-            }
-            if (-not $signature.SignerCertificate) {
-              throw "$($_.Name) has no signer certificate."
-            }
-            [pscustomobject]@{
-              File = $_.Name
-              Signer = $signature.SignerCertificate.Subject
-              Thumbprint = $signature.SignerCertificate.Thumbprint
-            } | Format-List
-          }
-
-      - name: Write SHA-256 manifest
-        shell: pwsh
-        run: |
-          Get-ChildItem -LiteralPath dist -Filter "OpenClawCompanion-Setup-*.exe" |
-            Sort-Object Name |
-            ForEach-Object {
-              $hash = Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName
-              "$($hash.Hash.ToLowerInvariant())  $($_.Name)"
-            } | Set-Content -Encoding utf8NoBOM -Path dist/OpenClawCompanion-SHA256SUMS.txt
-
-      - name: Upload to OpenClaw release
-        shell: pwsh
-        env:
-          RELEASE_TAG: ${{ inputs.tag }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          gh release upload $env:RELEASE_TAG `
-            dist/OpenClawCompanion-Setup-x64.exe `
-            dist/OpenClawCompanion-Setup-arm64.exe `
-            dist/OpenClawCompanion-SHA256SUMS.txt `
-            --repo $env:GITHUB_REPOSITORY `
-            --clobber
-
-      - name: Summary
-        shell: pwsh
-        env:
-          RELEASE_TAG: ${{ inputs.tag }}
-          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
-        run: |
-          @"
-          ## Windows Hub installers promoted
-
-          OpenClaw release: $env:RELEASE_TAG
-          Source release: openclaw/openclaw-windows-node@$env:WINDOWS_NODE_TAG
-
-          - https://github.com/openclaw/openclaw/releases/download/$env:RELEASE_TAG/OpenClawCompanion-Setup-x64.exe
-          - https://github.com/openclaw/openclaw/releases/download/$env:RELEASE_TAG/OpenClawCompanion-Setup-arm64.exe
-          - https://github.com/openclaw/openclaw/releases/download/$env:RELEASE_TAG/OpenClawCompanion-SHA256SUMS.txt
-          "@ >> $env:GITHUB_STEP_SUMMARY

.github/workflows/windows-testbox-probe.yml

@@ -61,14 +61,12 @@ jobs:
           submodules: false
 
       - name: Probe native Windows
-        env:
-          TARGET_REF: ${{ inputs.target_ref || github.ref }}
         run: |
           $ErrorActionPreference = "Stop"
           Write-Host "runner=$env:RUNNER_NAME"
           Write-Host "machine=$env:COMPUTERNAME"
           Write-Host "workspace=$env:GITHUB_WORKSPACE"
-          Write-Host "target_ref=$env:TARGET_REF"
+          Write-Host "target_ref=${{ inputs.target_ref || github.ref }}"
           Write-Host ("os=" + [System.Environment]::OSVersion.VersionString)
           Write-Host ("arch=" + [System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture)
           Write-Host ("powershell=" + $PSVersionTable.PSVersion.ToString())

.github/workflows/workflow-sanity.yml

@@ -26,34 +26,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ github.sha }}
-        run: |
-          set -euo pipefail
-          git init "$GITHUB_WORKSPACE"
-          git -C "$GITHUB_WORKSPACE" config gc.auto 0
-          git -C "$GITHUB_WORKSPACE" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
-          fetch_checkout_ref() {
-            local fetch_status
-            for attempt in 1 2 3; do
-              timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
-                -c protocol.version=2 \
-                fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-                "+${CHECKOUT_SHA}:refs/remotes/origin/checkout" && return 0
-              fetch_status="$?"
-              if [ "$fetch_status" != "124" ] && [ "$fetch_status" != "137" ]; then
-                return "$fetch_status"
-              fi
-              if [ "$attempt" = "3" ]; then
-                return "$fetch_status"
-              fi
-              echo "::warning::checkout fetch for '$CHECKOUT_SHA' timed out on attempt $attempt; retrying"
-              sleep 5
-            done
-          }
-          fetch_checkout_ref
-          git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout
+        uses: actions/checkout@v6
 
       - name: Fail on tabs in workflow files
         run: |
@@ -85,93 +58,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ github.sha }}
-        run: |
-          set -euo pipefail
-          git init "$GITHUB_WORKSPACE"
-          git -C "$GITHUB_WORKSPACE" config gc.auto 0
-          git -C "$GITHUB_WORKSPACE" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
-          fetch_checkout_ref() {
-            local fetch_status
-            for attempt in 1 2 3; do
-              timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
-                -c protocol.version=2 \
-                fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-                "+${CHECKOUT_SHA}:refs/remotes/origin/checkout" && return 0
-              fetch_status="$?"
-              if [ "$fetch_status" != "124" ] && [ "$fetch_status" != "137" ]; then
-                return "$fetch_status"
-              fi
-              if [ "$attempt" = "3" ]; then
-                return "$fetch_status"
-              fi
-              echo "::warning::checkout fetch for '$CHECKOUT_SHA' timed out on attempt $attempt; retrying"
-              sleep 5
-            done
-          }
-          fetch_checkout_ref
-          git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout
-
-      - name: Setup Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: "3.12"
-
-      - name: Prepare trusted workflow audit configs
-        if: github.event_name == 'pull_request'
-        env:
-          BASE_REF: ${{ github.event.pull_request.base.ref }}
-          BASE_SHA: ${{ github.event.pull_request.base.sha }}
-        run: |
-          set -euo pipefail
-          trusted_config="$RUNNER_TEMP/pre-commit-base.yaml"
-          trusted_zizmor_config="$RUNNER_TEMP/zizmor-base.yml"
-
-          if ! git cat-file -e "${BASE_SHA}^{commit}" 2>/dev/null; then
-            timeout --signal=TERM --kill-after=10s 30s git fetch --no-tags --depth=1 origin \
-              "+${BASE_SHA}:refs/remotes/origin/security-base" ||
-              timeout --signal=TERM --kill-after=10s 30s git fetch --no-tags --depth=1 origin \
-                "+refs/heads/${BASE_REF}:refs/remotes/origin/${BASE_REF}"
-          fi
-
-          if git cat-file -e "${BASE_SHA}:.pre-commit-config.yaml" 2>/dev/null; then
-            git show "${BASE_SHA}:.pre-commit-config.yaml" > "$trusted_config"
-          elif git show "refs/remotes/origin/${BASE_REF}:.pre-commit-config.yaml" \
-            > "$trusted_config" 2>/dev/null; then
-            echo "Base SHA ${BASE_SHA} does not expose .pre-commit-config.yaml; using origin/${BASE_REF} instead."
-          else
-            echo "::error title=trusted pre-commit config unavailable::Could not read .pre-commit-config.yaml from ${BASE_SHA} or origin/${BASE_REF}."
-            exit 1
-          fi
-
-          if git cat-file -e "${BASE_SHA}:.github/zizmor.yml" 2>/dev/null; then
-            git show "${BASE_SHA}:.github/zizmor.yml" > "$trusted_zizmor_config"
-          elif git show "refs/remotes/origin/${BASE_REF}:.github/zizmor.yml" \
-            > "$trusted_zizmor_config" 2>/dev/null; then
-            echo "Base SHA ${BASE_SHA} does not expose .github/zizmor.yml; using origin/${BASE_REF} instead."
-          else
-            echo "::error title=trusted zizmor config unavailable::Could not read .github/zizmor.yml from ${BASE_SHA} or origin/${BASE_REF}."
-            exit 1
-          fi
-
-          python3 - "$trusted_config" "$trusted_zizmor_config" <<'PY'
-          from pathlib import Path
-          import sys
-
-          config_path = Path(sys.argv[1])
-          zizmor_config_path = sys.argv[2]
-          text = config_path.read_text()
-          if ".github/zizmor.yml" not in text:
-            raise SystemExit("trusted pre-commit config does not reference .github/zizmor.yml")
-          config_path.write_text(text.replace(".github/zizmor.yml", zizmor_config_path))
-          PY
-
-          echo "PRE_COMMIT_CONFIG_PATH=$trusted_config" >> "$GITHUB_ENV"
-
-      - name: Install pre-commit
-        run: python -m pip install --disable-pip-version-check pre-commit==4.2.0
+        uses: actions/checkout@v6
 
       - name: Install actionlint
         shell: bash
@@ -192,15 +79,6 @@ jobs:
       - name: Lint workflows
         run: actionlint
 
-      - name: Audit all workflows with zizmor
-        shell: bash
-        run: |
-          set -euo pipefail
-          mapfile -t workflow_files < <(
-            find .github/workflows -maxdepth 1 -type f \( -name '*.yml' -o -name '*.yaml' \) | sort
-          )
-          pre-commit run --config "${PRE_COMMIT_CONFIG_PATH:-.pre-commit-config.yaml}" zizmor --files "${workflow_files[@]}"
-
       - name: Disallow direct inputs interpolation in composite run blocks
         run: python3 scripts/check-composite-action-input-interpolation.py
 
@@ -212,34 +90,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ github.sha }}
-        run: |
-          set -euo pipefail
-          git init "$GITHUB_WORKSPACE"
-          git -C "$GITHUB_WORKSPACE" config gc.auto 0
-          git -C "$GITHUB_WORKSPACE" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
-          fetch_checkout_ref() {
-            local fetch_status
-            for attempt in 1 2 3; do
-              timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
-                -c protocol.version=2 \
-                fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-                "+${CHECKOUT_SHA}:refs/remotes/origin/checkout" && return 0
-              fetch_status="$?"
-              if [ "$fetch_status" != "124" ] && [ "$fetch_status" != "137" ]; then
-                return "$fetch_status"
-              fi
-              if [ "$attempt" = "3" ]; then
-                return "$fetch_status"
-              fi
-              echo "::warning::checkout fetch for '$CHECKOUT_SHA' timed out on attempt $attempt; retrying"
-              sleep 5
-            done
-          }
-          fetch_checkout_ref
-          git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout
+        uses: actions/checkout@v6
 
       - name: Setup Node environment
         uses: ./.github/actions/setup-node-env

.gitignore

@@ -42,7 +42,6 @@ apps/macos-mlx-tts/.build/
 apps/shared/MoltbotKit/.build/
 apps/shared/OpenClawKit/.build/
 apps/shared/*/.build/
-packages/*/dist/
 apps/shared/OpenClawKit/Package.resolved
 **/ModuleCache/
 bin/
@@ -179,7 +178,6 @@ mantis/
 /local/
 /client_secret_*.json
 package-lock.json
-!src/commands/copilot-sdk-install-manifest/package-lock.json
 .claude/
 .agent/
 skills-lock.json
@@ -251,8 +249,6 @@ extensions/qa-lab/web/dist/
 # Generated bundled plugin runtime dependency manifests
 extensions/**/.openclaw-runtime-deps.json
 extensions/**/.openclaw-runtime-deps-stamp.json
-extensions/diffs/assets/viewer-runtime.js
-extensions/diffs-language-pack/assets/viewer-runtime.js
 
 # Output dir for scripts/run-opengrep.sh (local opengrep scans)
 /.opengrep-out/

.oxfmtrc.jsonc

@@ -30,7 +30,6 @@
     "docker-compose.yml",
     "dist/",
     "docs/_layouts/",
-    "extensions/diffs/assets/viewer-runtime.js",
     "**/*.json",
     "node_modules/",
     "patches/",

.oxlintrc.json

@@ -20,46 +20,34 @@
     "eslint/no-multi-str": "error",
     "eslint/no-new": "error",
     "eslint/no-object-constructor": "error",
-    "eslint/no-param-reassign": "error",
     "eslint/no-proto": "error",
-    "eslint/no-promise-executor-return": "error",
     "eslint/no-regex-spaces": "error",
     "eslint/no-return-assign": "error",
     "eslint/no-sequences": "error",
     "eslint/no-self-compare": "error",
-    "eslint/no-shadow": "error",
-    "eslint/no-implicit-coercion": "error",
+    "eslint/no-shadow": "off",
     "eslint/no-var": "error",
     "eslint/no-useless-call": "error",
     "eslint/no-useless-computed-key": "error",
     "eslint/no-useless-concat": "error",
     "eslint/no-useless-constructor": "error",
-    "eslint/no-useless-rename": "error",
-    "eslint/no-useless-return": "error",
-    "eslint/no-useless-assignment": "error",
-    "eslint/no-unused-vars": "error",
+    "eslint/no-unused-vars": "off",
     "eslint/no-warning-comments": "error",
     "eslint/no-unmodified-loop-condition": "error",
     "eslint/no-new-wrappers": "error",
     "eslint/no-else-return": "error",
-    "eslint/no-lonely-if": "error",
     "eslint/no-case-declarations": "error",
     "eslint/default-case-last": "error",
     "eslint/default-param-last": "error",
     "eslint/prefer-exponentiation-operator": "error",
-    "eslint/prefer-const": "error",
     "eslint/prefer-numeric-literals": "error",
-    "eslint/prefer-object-has-own": "error",
-    "eslint/object-shorthand": "error",
     "eslint/prefer-rest-params": "error",
     "eslint/prefer-spread": "error",
     "eslint/radix": "error",
     "eslint/unicode-bom": "error",
     "eslint/yoda": "error",
     "import/no-absolute-path": "error",
-    "import/first": "error",
     "import/no-empty-named-blocks": "error",
-    "import/no-duplicates": "error",
     "import/no-self-import": "error",
     "node/no-exports-assign": "error",
     "eslint-plugin-unicorn/prefer-set-size": "error",
@@ -78,14 +66,8 @@
     "typescript/no-empty-object-type": ["error", { "allowInterfaces": "with-single-extends" }],
     "typescript/no-explicit-any": "error",
     "typescript/no-extraneous-class": "error",
-    "typescript/no-import-type-side-effects": "error",
     "typescript/no-meaningless-void-operator": "error",
-    "typescript/no-misused-promises": "error",
-    "typescript/no-inferrable-types": "error",
-    "typescript/only-throw-error": "error",
     "typescript/no-non-null-asserted-nullish-coalescing": "error",
-    "typescript/prefer-promise-reject-errors": "error",
-    "typescript/restrict-plus-operands": "error",
     "typescript/no-unnecessary-qualifier": "error",
     "typescript/no-unnecessary-type-assertion": "error",
     "typescript/no-unnecessary-type-arguments": "error",
@@ -104,7 +86,6 @@
     "typescript/prefer-namespace-keyword": "error",
     "typescript/prefer-return-this-type": "error",
     "typescript/prefer-find": "error",
-    "typescript/prefer-for-of": "error",
     "typescript/prefer-function-type": "error",
     "typescript/prefer-includes": "error",
     "typescript/prefer-reduce-type-parameter": "error",
@@ -112,8 +93,6 @@
     "typescript/require-array-sort-compare": "error",
     "typescript/restrict-template-expressions": "error",
     "typescript/triple-slash-reference": "error",
-    "typescript/unbound-method": "error",
-    "typescript/use-unknown-in-catch-callback-variable": "error",
     "unicorn/consistent-date-clone": "error",
     "unicorn/consistent-empty-array-spread": "error",
     "unicorn/consistent-function-scoping": "off",
@@ -127,18 +106,14 @@
     "unicorn/no-new-buffer": "error",
     "unicorn/no-thenable": "error",
     "unicorn/no-typeof-undefined": "error",
-    "unicorn/no-unreadable-array-destructuring": "error",
     "unicorn/no-unnecessary-array-flat-depth": "error",
     "unicorn/no-unnecessary-array-splice-count": "error",
     "unicorn/no-unnecessary-slice-end": "error",
     "unicorn/no-useless-error-capture-stack-trace": "error",
     "unicorn/no-useless-promise-resolve-reject": "error",
-    "unicorn/no-useless-switch-case": "error",
-    "unicorn/no-zero-fractions": "error",
     "unicorn/prefer-date-now": "error",
     "unicorn/prefer-dom-node-text-content": "error",
     "unicorn/prefer-keyboard-event-key": "error",
-    "unicorn/prefer-array-flat": "error",
     "unicorn/prefer-array-some": "error",
     "unicorn/prefer-math-min-max": "error",
     "unicorn/prefer-node-protocol": "error",
@@ -148,8 +123,6 @@
     "unicorn/prefer-prototype-methods": "error",
     "unicorn/prefer-regexp-test": "error",
     "unicorn/prefer-set-size": "error",
-    "unicorn/prefer-set-has": "error",
-    "unicorn/prefer-structured-clone": "error",
     "unicorn/prefer-string-starts-ends-with": "error",
     "unicorn/prefer-string-slice": "error",
     "unicorn/require-array-join-separator": "error",
@@ -209,12 +182,10 @@
     "dist-runtime/",
     "docs/_layouts/",
     "extensions/diffs/assets/viewer-runtime.js",
-    "extensions/diffs-language-pack/assets/viewer-runtime.js",
-    "extensions/canvas/src/host/a2ui/a2ui.bundle.js",
     "node_modules/",
     "patches/",
     "pnpm-lock.yaml",
-    "skills/**",
+    "skills/",
     "src/auto-reply/reply/export-html/template.js",
     "src/canvas-host/a2ui/a2ui.bundle.js",
     "vendor/",
@@ -227,6 +198,13 @@
     "**/node_modules/**"
   ],
   "overrides": [
+    {
+      "files": ["src/security/**"],
+      "rules": {
+        "eslint/no-warning-comments": "off",
+        "oxc/no-map-spread": "off"
+      }
+    },
     {
       "files": [
         "**/*.test.ts",
@@ -238,7 +216,9 @@
         "**/*test-support.ts"
       ],
       "rules": {
-        "typescript/no-explicit-any": "off"
+        "typescript/no-explicit-any": "off",
+        "typescript/unbound-method": "off",
+        "eslint/no-unsafe-optional-chaining": "off"
       }
     }
   ]

AGENTS.md

@@ -9,11 +9,7 @@ Skills own workflows; root owns hard policy and routing.
 - Replies: repo-root refs only: `extensions/telegram/src/index.ts:80`. No absolute paths, no `~/`.
 - Docs/user-visible work: `pnpm docs:list`, then read relevant docs only.
 - Fix/triage answers need source, tests, current/shipped behavior, and dependency contract proof.
-- Reviews/answers: high confidence required. Default to exhaustive relevant codebase search/read, including owners, callers, siblings, tests, docs, and upstream/dependency contracts before verdict. Diff-only review is insufficient.
-- Review default: read the whole changed function/module plus callers, callees, sibling implementations, adjacent tests, scoped docs, and dependency/Codex contracts before saying `good`, `bad`, `best fix`, `proof sufficient`, or posting a comment. If challenged, keep reading first; do not defend the earlier verdict until the missing path is checked.
-- Dependency-touching work: direct dependency inspection is mandatory when feasible; do not rely on assumptions, wrappers, or memory. Most dependencies are OSS, so read their source/docs/types. Codex-related work has a hard gate: the acting agent must personally inspect sibling `../codex` source for the exact protocol/runtime behavior before any verdict, comment, approval, merge recommendation, code change, or `proof sufficient` claim. If missing, clone `https://github.com/openai/codex.git` there first. Subagent reports, PR text, OpenClaw wrappers, generated schemas, memory, and prior bot reviews do not satisfy this gate. No direct `../codex` check means no Codex verdict. Cite Codex files/lines checked in final/review/comment.
 - Dependency-backed behavior: read upstream docs/source/types first. No API/default/error/timing guesses.
-- External API work: live test required. Google/search for additional proof. Prefer official docs/source/types; cite current proof. No memory-only API claims.
 - Live-verify when feasible. Never print secrets.
 - Missing deps: `pnpm install`, retry once, then report first actionable error.
 - CODEOWNERS: maint/refactor/tests ok. Larger behavior/product/security/ownership: owner ask/review.
@@ -30,8 +26,6 @@ Skills own workflows; root owns hard policy and routing.
 - Plugin APIs, provider routing, auth/session state, persisted preferences, config loading, config/default additions, migrations, setup, startup checks, and fallback behavior are compatibility/upgrade-sensitive. Treat config breaks, new config/default surfaces, removed fallbacks, fail-closed changes, stricter validation, or new operator action as merge risk even with green CI when they can affect existing users, upgrades, provider/plugin behavior, or maintainer operations.
 - For PRs that add, remove, or change config/default surfaces with possible compatibility, upgrade, provider/plugin, operator, setup, startup, or fallback impact, ClawSweeper review should emit a `reviewMetrics` entry when practical. The metric should name the count and direction of the changes, such as added, changed, or removed config/default surfaces, and explain why the metric matters before merge. When the metric indicates concrete merge risk, also surface the concern in `risks`, use `mergeRiskLabels` when the risk matches the label rubric, make `bestSolution` name the desired pre-merge state, and ensure `labelJustifications` explain the specific reason rather than restating the label.
 - Review whole decision surfaces, not only the touched runtime, provider, channel, harness, plugin seam, or context path. Check sibling Codex/Pi-style runtimes, provider/model routing, channel delivery, gateway/protocol, plugin SDK, and context-management paths when relevant.
-- Every PR review must explicitly ask whether the PR is the best fix, not merely a plausible fix. Verdicts need a best-fix judgment backed by enough code reading to compare owner boundaries, callers, siblings, tests, docs, current `main`, shipped behavior when relevant, and dependency/Codex contracts when involved.
-- Before a PR verdict, build a small evidence map: changed surface, entry point, owner boundary, at least one caller and callee, sibling surfaces that share the invariant, existing tests, and current `main` behavior. If any cell is missing, say the gap instead of concluding.
 - One-sided fixes need sibling-surface proof, an explanation for why siblings are unaffected, or explicit follow-up work.
 - Changelog findings: see Docs / Changelog.
 - Public ClawSweeper comments prefer `https://docs.openclaw.ai/...` when a public docs page exists; structured evidence still cites repo files, lines, SHAs.
@@ -41,9 +35,9 @@ Skills own workflows; root owns hard policy and routing.
 
 ## Map
 
-- Core TS: `src/`, `ui/`, `packages/`; plugins: `extensions/`; SDK: `src/plugin-sdk/*`; channels: `src/channels/*`; loader: `src/plugins/*`; protocol: `packages/gateway-protocol/*`; docs/apps: `docs/`, `apps/`.
+- Core TS: `src/`, `ui/`, `packages/`; plugins: `extensions/`; SDK: `src/plugin-sdk/*`; channels: `src/channels/*`; loader: `src/plugins/*`; protocol: `src/gateway/protocol/*`; docs/apps: `docs/`, `apps/`.
 - Installers: sibling `../openclaw.ai`.
-- Scoped guides: `extensions/`, `src/{plugin-sdk,channels,plugins,gateway,agents}/`, `packages/`, `test/helpers*/`, `docs/`, `ui/`, `scripts/`.
+- Scoped guides: `extensions/`, `src/{plugin-sdk,channels,plugins,gateway,gateway/protocol,agents}/`, `test/helpers*/`, `docs/`, `ui/`, `scripts/`.
 
 ## Docs
 
@@ -63,25 +57,11 @@ Skills own workflows; root owns hard policy and routing.
 - External official plugins own package/deps and are excluded from core dist; core uses registry-aware `facade-runtime` or generic contracts.
 - Externalizing a bundled plugin: update package excludes, official catalogs, docs, tests, and prove core runtime paths resolve installed plugin roots before root-dep removal.
 - Runtime reads canonical config only. No silent compat for old/malformed config keys. If a config change invalidates existing files, add a matching `openclaw doctor --fix` migration. Core/auth config repairs live in core doctor; plugin-owned config repairs live in that plugin's doctor contract (`legacyConfigRules` / `normalizeCompatibilityConfig`).
-- OpenAI Codex is folded into `openai`. No new/live `openai-codex` provider/plugin/auth/model routes; treat them as legacy input only. Runtime/setup/auth/catalog use `openai` + `openai/*`; doctor/migrations repair stale `openai-codex/*` profiles/metadata.
-- Config/env surface bar is high; `openclaw.json` and environment variables are already large. Before adding a config option or env var, first prove existing product behavior, provider selection, defaults, or doctor migration cannot solve it. Prefer removing or consolidating config/env options when touching these surfaces. Core supports only the latest config shape; `openclaw doctor --fix` migrates older shipped shapes into the current one.
-- CLI setup flows are public API when external docs, installers, or integrations can copy them. Changes to `openclaw onboard`, `openclaw configure`, their documented flags, non-interactive behavior, or generated config shape are compatibility-sensitive API contract changes; prefer additive flags/aliases, deprecation windows, and backward-preserving migrations over breaking existing snippets.
 - Fix shape: default to clean bounded refactor, not smallest patch. Move ownership to right boundary; delete stale abstractions, duplicate policy, dead branches, wrappers, fallback stacks.
 - Fix observed local failures with generic product rules; do not hardcode names, ids, log phrases, or user examples in prod code unless they are an explicit contract.
 - Tests may use observed examples, but prod literals need a short contract reason.
 - Compatibility is opt-in. "Shipped" means reachable from a release Git tag; main/GitHub/PR/unreleased code is not shipped.
 - Refactor default: one canonical path. Delete the old path unless user explicitly wants compat or the shipped public contract is obvious and cited.
-- Core runtime consumes only current canonical shapes/config/data. Legacy or retired shapes normalize only in doctor/migration code before runtime; no runtime shims, aliases, or fallback readers.
-- State/storage migrations are database-first. Runtime reads/writes the canonical store only. Old file stores, sidecars, aliases, and fallback readers belong in `openclaw doctor --fix` migration code only, never steady-state runtime.
-- Storage default: SQLite only. Do not add JSON/JSONL/TXT/sidecar files for OpenClaw-owned runtime state, caches, queues, registries, indexes, cursors, checkpoints, or plugin scratch data.
-- SQLite runtime access uses Kysely helpers, not raw SQL statement strings, except schema DDL, migrations, low-level DB bootstrap, or narrowly justified SQLite primitives.
-- Use the shared state DB (`state/openclaw.sqlite`) for global runtime state and plugin KV data. Use the per-agent DB (`agents/<agentId>/agent/openclaw-agent.sqlite`) for agent-scoped state/cache. Use a dedicated SQLite DB only when schema, volume, or lifecycle clearly does not fit those stores.
-- Legacy state/cache files are migration debt. When touching code that reads/writes them, prefer moving the data into SQLite or calling out the refactor follow-up; do not add parallel file paths.
-- File storage must be a named product artifact: import/export, user attachment, log, backup, or external tool contract. If it is app state or cache, it belongs in SQLite.
-- Before adding any path under state dirs, choose one: shared state DB, plugin KV, agent DB, or dedicated SQLite schema. If none fits, design the SQLite owner/schema first.
-- Cache/transient state gets no compat migration unless a shipped user contract is cited. Prefer delete/drop/rebuild over import. If old state can be lost without user-visible data loss, remove the old path entirely.
-- Persistent user state gets one migration owner. Doctor migrates, verifies, and then runtime assumes the new shape. No dual-write, read-through fallback, lazy import, or "if SQLite fails use JSON" branches.
-- Fallback is a product decision, not an implementation convenience. Before adding one, name the shipped contract, failure mode, removal plan, and why doctor cannot solve it. Otherwise delete it.
 - Keep old behavior only for an explicit public API/config/plugin SDK/data contract, tagged upgrade path, security/migration boundary, dependency contract, or observed prod state.
 - If unsure, ask before preserving compat. Do not keep aliases, shims, fallback stacks, stale names, or obsolete tests just in case.
 - Tests alone do not make internals contracts. If compat stays, name the contract and migration/removal plan in code, test, or PR.
@@ -91,17 +71,12 @@ Skills own workflows; root owns hard policy and routing.
 - Plugin SDK exception: shipped external API gets new API first plus named compat/deprecation, small tests/docs if useful, removal plan.
 - Migrate internal/bundled callers to modern API in the same change. Do not let internal compat become permanent architecture.
 - Channels are implementation under `src/channels/**`; plugin authors get SDK seams. Providers own auth/catalog/runtime hooks; core owns generic loop.
-- Message/channel plugins stay transport-only. They render portable presentation/actions, enforce transport limits, and map native callback envelopes. They do not own product command trees, plugin/provider policy, or feature-specific menus.
-- Portable command UI must use typed presentation actions, not raw string inference. Do not make channels guess that `value` starting with `/` means a native command; core/owner plugins declare command actions, channels map them when supported.
-- Raw callback data is transport/private. Approval, command, URL, web-app, and select actions must stay distinguishable before channel encoding so transport adapters do not special-case product strings.
-- Agent run terminal state: normalize/merge via `src/agents/agent-run-terminal-outcome.ts`; do not rederive timeout/cancel precedence in projections.
 - Hot paths should carry prepared facts forward: provider id, model ref, channel id, target, capability family, attachment class. Do not rediscover with broad plugin/provider/channel/capability loaders.
 - Do not fix repeated request-time discovery with scattered caches. Move the canonical fact earlier; reuse prepared runtime objects; delete duplicate lookup branches.
 - Gateway/plugin metadata is process-stable: installs, manifests, catalogs, generated paths, bundled metadata. Changes require restart or explicit owner reload/install/doctor flow.
 - Runtime hot paths: no freshness polling (`stat`/`realpath`/JSON reread/hash). Reuse current snapshots, install records, discovery, lookup tables, root scopes, resolved paths.
 - Process-local metadata caches ok when lifecycle-owned and bounded/single-slot. Freshness exceptions need named owner + tests.
-- Inline comments: preserve reviewer context at the code site. Required for non-obvious cross-path/state invariants, lifecycle ordering, ownership boundaries, queue/dedupe symmetry, TTL/cache expiry, cleanup/release coupling, session/id adoption, fallback behavior, platform/dependency caps, deterministic ordering, compact encoded state, or intentional caller differences.
-- Comment shape: 1-3 short lines; state why the branch/helper exists, what contract it protects, and the bad outcome if removed. Cite nearby constants/helpers when useful. No syntax narration, PR/user-specific lore, or obvious mechanics.
+- Inline comments: add them where they preserve reviewer context: cross-path invariants, lifecycle ordering, ownership boundaries, session/id adoption, queue-depth symmetry, or intentional caller differences. No obvious-mechanics comments.
 - Gateway protocol changes: additive first; incompatible needs versioning/docs/client follow-through.
 - Protocol version bumps: explicit owner confirmation only; never automatic/generated.
 - Config contract: exported types, schema/help, metadata, baselines, docs aligned. Retired public keys stay retired; compat in raw migration/doctor only.
@@ -115,10 +90,9 @@ Skills own workflows; root owns hard policy and routing.
 - Install: `pnpm install` (keep Bun lock/patches aligned if touched).
 - CLI: `pnpm openclaw ...` or `pnpm dev`; build: `pnpm build`.
 - Tests in a normal source checkout: `pnpm test <path-or-filter> [vitest args...]`, `pnpm test:changed`, `pnpm test:serial`, `pnpm test:coverage`; never raw `vitest`.
-- If raw Vitest is unavoidable, use `vitest run ...`; bare `vitest ...` starts local watch mode and will not exit on its own.
 - Tests in a Codex worktree or linked/sparse checkout: avoid direct local `pnpm test*`; use `node scripts/run-vitest.mjs <path-or-filter>` for tiny explicit-file proof, or Crabbox/Testbox for anything broader.
-- Checks in a normal source checkout: `pnpm check:changed` delegates to Crabbox/Testbox; lanes: `pnpm changed:lanes --json`; staged: `pnpm check:changed --staged`; full: `pnpm check`.
-- Checks in a Codex worktree or linked/sparse checkout: avoid direct local `pnpm check*`; use `node scripts/crabbox-wrapper.mjs run ... -- env OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed` so pnpm runs inside Testbox, not locally.
+- Checks in a normal source checkout: `pnpm check:changed`; lanes: `pnpm changed:lanes --json`; staged: `pnpm check:changed --staged`; full: `pnpm check`.
+- Checks in a Codex worktree or linked/sparse checkout: avoid direct local `pnpm check*`; use `node scripts/crabbox-wrapper.mjs run ... --shell -- "pnpm check:changed"` so pnpm runs inside Testbox, not locally.
 - Extension tests: `pnpm test:extensions`, `pnpm test extensions`, `pnpm test extensions/<id>`.
 - Typecheck: `tsgo` lanes only (`pnpm tsgo*`, `pnpm check:test-types`); never add `tsc --noEmit`, `typecheck`, `check:types`.
 - Formatting: `oxfmt`, not Prettier. Use repo wrappers (`pnpm format:*`, `pnpm lint:*`, `scripts/run-oxlint.mjs`).
@@ -128,13 +102,12 @@ Skills own workflows; root owns hard policy and routing.
 
 - Use `$openclaw-testing` for test/CI choice and `$crabbox` for remote/full/E2E proof.
 - Crabbox request means real scenario proof: install/update/call/repro user path; not just copy tests and run them remotely.
-- Visual proof: use Crabbox, set up like a user, then screenshot-verify. No harness/bypass/shortcut unless explicitly asked.
 - Small/narrow tests, lints, format checks, and type probes are fine locally only in a healthy normal checkout.
 - In Codex worktrees, direct local `pnpm test*`, `pnpm check*`, `pnpm crabbox:run`, and `scripts/committer` can trigger pnpm dependency reconciliation or install prompts. Prefer `node` wrappers locally and Crabbox/Testbox for pnpm-gated proof.
 - Full suites, broad changed gates, Docker/package/E2E/live/cross-OS proof, or anything that bogs down the Mac: Crabbox/Testbox.
 - One/few files local. If a local command fans out, stop and move broad proof to Crabbox/Testbox.
 - Before handoff/push: prove touched surface. Before landing to `main`: issue proof plus appropriate full/broad proof unless scope is clearly narrow.
-- Pre-land/pre-commit code changes: mandatory fresh `$autoreview` until no accepted/actionable findings remain. Do not land code on CI, ClawSweeper, prior review comments, or your own manual review alone unless user explicitly opts out or scope is truly trivial/docs-only. If findings want refactor, refactor; no ugly fixes.
+- Pre-land/pre-commit code changes: use `$autoreview` until no accepted/actionable findings remain, unless equivalent manual review already done, trivial/docs-only, or user opts out.
 - If proof is blocked, say exactly what is missing and why.
 - Do not land related failing format/lint/type/build/tests. If unrelated on latest `origin/main`, say so with scoped proof.
 - Docs/changelog-only and CI/workflow metadata-only: `git diff --check` plus relevant docs/workflow sanity; escalate only if scripts/config/generated/package/runtime behavior changed.
@@ -143,35 +116,27 @@ Skills own workflows; root owns hard policy and routing.
 ## GitHub / PRs
 
 - Use `$openclaw-pr-maintainer` immediately for maintainer-side OpenClaw issue/PR review, triage, duplicates, labels, comments, close, land, or evidence. Contributor PR creation/refresh follows the requested contributor workflow; linked refs alone do not require maintainer archive tooling.
-- Issue/PR start: `git status -sb`; if clean, `git pull --ff-only`; if dirty, yell before pull/rebase.
+- Pasted GitHub issue/PR: first `git status -sb`; if dirty, yell; then `git push` + `git pull --ff-only`.
 - PR refs: `gh pr view/diff` or `gh api`, not web search. Prefer `gitcrawl` for maintainer discovery; missing/stale `gitcrawl` falls through to live `gh`, not contributor setup. Verify live with `gh` before mutation.
-- Bare issue/PR URL/number: inspect live and take the efficient maintainer path; switch branches/refs when useful.
-- No unsolicited PR labels/retitles/rebases/fixups/landing. Comments/reviews ok only for reviewable findings, pre-merge proof, or close/duplicate reason after explicit close/sweep/landing request.
+- Bare issue/PR URL/number means review/report in chat. Suggest comment/close/merge when appropriate; mutate only when asked.
+- No unsolicited PR comments/reviews/labels/retitles/rebases/fixups/landing. Exception: close/duplicate action that needs a reason comment after explicit close/sweep/landing request.
 - Maintainer decision closes the cluster: if deciding reported behavior/proposed fix is not planned, comment+close all directly associated open issues/PRs unless explicitly told to keep one open. Associated means linked PRs/issues, duplicates, companion workaround PRs, and the canonical issue for the rejected behavior.
 - Do not leave associated issues open for hypothetical future repros. Close with rationale; ask for a new issue or reopen only if concrete new evidence appears. Close comment states: decision, why, supported alternative, and what evidence would change the decision.
-- Issue/PR work: search strong related issues/PRs before final; close proven dupes/fixed siblings. If none close, suggest one next related follow-up.
-- PR superseded by `main`: if code proof shows `main` already has same-or-better behavior, comment canonical commit/PR + focused proof, then close. Bar high: inspect PR diff, current code/tests, linked issue, caller/sibling path. If unsure, leave open.
-- Issue/PR numbers need a short summary every time; assume the reader has not opened or read them.
-- Before presenting a batch of issues/PRs, use smart subagents to verify live state and current `main`; omit closed/fixed items, and comment+close items already fixed on `main` when maintainer action is authorized.
 - PR review answer: bug/behavior, URL(s), affected surface, provenance for regressions when traceable, best-fix judgment, evidence from code/tests/CI/current or shipped behavior.
-- PR reviewable findings: post them on the PR, not chat-only, so author sees actionable feedback.
 - Issue/PR final answer: last line is the full GitHub URL.
-- PR verification: before merge, post land-ready work done, exact local commands, CI/Testbox run IDs, before/after proof when used, and known proof gaps.
+- PR verification: before merge, post exact local commands, CI/Testbox run IDs, before/after proof when used, and known proof gaps.
 - Issue fixed on `main` with proof: comment proof + commit/PR, then close.
 - After landing or requested close/sweep: search duplicates; comment proof + canonical commit/PR/release before closing.
 - After landing/ship final: include 2-5 sentence recap of what landed: behavior change, key files/surface, proof run, issue/PR state. Do not answer with only status/links.
 - `ship` that fixes an issue: after push, comment proof + commit link, then close the issue.
-- Public GH comments: show draft in chat first unless user explicitly asked to post/comment/reply/close/merge/land. After work starts and changes/proof exist, post the review/proof/commit comment.
-- Representing user: if user already has a comment/thread for the point, update/reply there when possible; avoid duplicate PR/issue comments.
-- No surprise GH writes: chat must mention every posted/updated public comment with URL.
 - GH comments with backticks, `$`, or shell snippets: use heredoc/body file, not inline double-quoted `--body`.
 - PR create: real body required. Include Summary + Verification; mention refs, behavior, and proof.
 - PR create/refresh: keep PR branches takeover-ready. Use a branch maintainers can push to, or for fork PRs ensure `maintainer_can_modify` / GitHub's `Allow edits by maintainers` is enabled unless explicitly told otherwise or GitHub's Actions/secrets warning makes that unsafe.
 - GitHub issue/PR create: read `$agent-transcript`; ask about sanitized transcript logs when available.
-- Contributor PRs: parsed `Real behavior proof` uses exact `field: value` labels: `Behavior addressed`, `Real environment tested`, `Exact steps or command run after this patch`, `Evidence after fix`, `Observed result after fix`, `What was not tested`.
+- Real behavior proof section is parsed. Use exact `field: value` labels: `Behavior addressed`, `Real environment tested`, `Exact steps or command run after this patch`, `Evidence after fix`, `Observed result after fix`, `What was not tested`.
 - PR artifacts/screenshots: attach to PR/comment/external artifact store. Never push screenshots, videos, proof images, or proof assets to OpenClaw or any product repo branch, including temp artifact branches. Use Crabbox artifact publishing plus the manifest URL. Do not commit `.github/pr-assets`.
 - CI polling: exact SHA, relevant checks only, minimal fields. Skip routine noise (`Auto response`, `Labeler`, docs agents, performance/stale). Logs only after failure/completion or concrete need.
-- OpenClaw write-access maintainers may skip `Real behavior proof` when local tests or Crabbox verified behavior; record proof in PR verification.
+- Maintainers: may skip/ignore `Real behavior proof` when local tests or Crabbox verified behavior; record proof in PR verification.
 - `/landpr`: use `~/.codex/prompts/landpr.md`; do not idle on `auto-response` or `check-docs`.
 
 ## Code
@@ -180,24 +145,18 @@ Skills own workflows; root owns hard policy and routing.
 - No `@ts-nocheck`. Lint suppressions only intentional + explained.
 - External boundaries: prefer `zod` or existing schema helpers.
 - Runtime branching: discriminated unions/closed codes over freeform strings. Avoid semantic sentinels (`?? 0`, empty object/string).
-- Cross-function state: when valid combos matter, return a closed mode/result shape. Avoid parallel nullable fields or derived booleans that callers must keep in sync; make impossible states unrepresentable.
 - Formatter-friendly shape: when oxfmt explodes an expression vertically, extract named booleans, payloads, or small helpers. Do not change width or use format-ignore for local compactness.
 - Calls should be boring: complex decisions happen above; call args/object fields are names, literals, or simple property reads.
 - Prefer early returns over nested condition pyramids. Split code into gather -> normalize -> decide -> act.
 - Use named intermediates only for domain meaning or readability; avoid temp-variable soup.
 - Code size matters. Prefer small clear code; maintainability includes not growing LOC without payoff.
 - Refactors should delete about as much local complexity as they add. If LOC grows, the new ownership/API needs to clearly pay for it.
-- Refactors should reduce non-test LOC unless they remove a larger architectural cost. Treat positive prod LOC as a smell. Before closeout, run `git diff --numstat`; if non-test LOC grew, trim or explicitly justify why fewer paths now exist.
-- Prefer deleting branches, modes, adapters, and tests over preserving them. A refactor that adds a second path has probably failed unless the old path is a cited shipped contract.
-- New helpers/files must pay rent immediately: fewer call paths, fewer concepts, or less repeated logic. No helpers for one-off compat, naming translation, or speculative resilience.
 - Before adding helpers/files, check whether existing code can absorb the behavior with less new surface.
 - Keep APIs narrow: export only current caller needs; keep types/helpers local by default.
 - Return the smallest useful shape. Avoid broad result objects, flags, metadata unless callers use them.
 - Avoid adapter layers that only rename fields. Move real responsibility or leave code local.
 - Inline simple one-use objects/spreads when clearer. Extract only when it removes duplication or hard logic.
 - Tests prove behavior/regressions, not every internal branch.
-- Tests are welcome, but review them before landing for duplication and value. Delete useless tests, such as assertions for behavior or paths just removed.
-- Tests protect canonical behavior and migration boundaries, not obsolete internals. Delete tests for removed fallback paths instead of updating them.
 - For non-trivial refactors, check `git diff --numstat` before closeout. If LOC grew, trim or explain why.
 - Prefer existing narrow helpers over repeated casts/guards. Add local helpers when 2+ nearby call sites share real boundary logic.
 - Prefer ctor parameter properties for injected deps/config. Do not ban them for erasable-syntax purity.
@@ -227,7 +186,7 @@ Skills own workflows; root owns hard policy and routing.
 - Use `$technical-documentation` for docs writing/review. Docs change with behavior/API.
 - Codex harness upgrade (`extensions/codex/package.json` `@openai/codex`): refresh `docs/plugins/codex-harness.md` model snapshot from the new harness `model/list`.
 - Docs final answers: include relevant full `https://docs.openclaw.ai/...` URL(s). If issue/PR work too, GitHub URL last.
-- `CHANGELOG.md`: release-only. Do not edit for normal PRs, direct `main` fixes, or `ship it`; release generation owns it. Do not ask contributors/agents for changelog edits.
+- `CHANGELOG.md`: release-owned. Do not edit for normal PRs, direct `main` fixes, or `ship it`; only explicit release/changelog generation may rewrite it. Do not ask contributors/agents for changelog edits.
 - User-facing `fix`/`feat`/`perf`: put release-note context in PR body, squash message, or direct commit: behavior, surface, issue/PR refs, credited human author/reporter.
 - Release generation: derive `CHANGELOG.md` from merged PRs + all direct `main` commits. Entries: active `### Changes`/`### Fixes`, single-line, thank credited humans; never thank bots/forbidden handles: `@openclaw`, `@clawsweeper`, `@codex`, `@steipete`.
 
@@ -235,27 +194,23 @@ Skills own workflows; root owns hard policy and routing.
 
 - Commit via `scripts/committer "<msg>" <file...>`; stage intended files only.
 - Commits: conventional-ish, concise, grouped.
-- No manual stash/autostash unless explicit. Branch switches ok when useful; no new worktrees unless requested.
+- No manual stash/autostash unless explicit. No branch/worktree changes unless requested.
 - `main`: no merge commits; rebase on latest `origin/main` before push. After one green run plus clean rebase sanity, do not chase moving `main` with repeated full gates.
 - User says `commit`: your changes only. `commit all`: all changes in grouped chunks. `push`: may `git pull --rebase` first.
 - User says `ship it`: commit intended changes, pull --rebase, push.
 - Do not delete/rename unexpected files; ask if blocking, else ignore.
-- Bulk PR close/reopen >50: ask with count/scope.
+- Bulk PR close/reopen >5: ask with count/scope.
 
 ## Security / Release
 
 - Never commit real phone numbers, videos, credentials, live config.
 - Secrets: channel/provider creds in `~/.openclaw/credentials/`; model auth profiles in `~/.openclaw/agents/<agentId>/agent/auth-profiles.json`.
 - Dependency patches/overrides/vendor changes need explicit approval. `pnpm-workspace.yaml` patched dependencies use exact versions only.
-- Release/package guards: no hard-coded retired-package denylists; use generic artifact/dependency checks or fix build source.
 - Lockfiles/shrinkwrap are security surface: review `pnpm-lock.yaml`, `npm-shrinkwrap.json`, `package-lock.json`; root/plugin npm packages ship shrinkwrap, not package-lock.
 - Carbon pins owner-only: do not change `@buape/carbon` unless Shadow (`@thewilloftheshadow`, verified by `gh`) asks.
 - Releases/publish/version bumps need explicit approval. Use `$release-openclaw-maintainer`.
-- Release versions use `YYYY.M.PATCH`, where `PATCH` is a sequential monthly release-train number, never the calendar day. Stable and beta tags determine the current train; alpha-only tags do not consume or advance the beta/stable patch number. After `2026.6.5`, the next beta train is `2026.6.6-beta.1` even if higher alpha-only tags exist.
-- Alpha/nightly versions use the next unreleased train plus an incrementing prerelease number. Repeated nightlies for the same train increment only `alpha.N`; they must not mint a new patch number from the date.
-- Backport means apply to newest open `release/` branch unless user names another target.
 - GHSA/advisories: `$openclaw-ghsa-maintainer` / `$security-triage`. Secret scanning: `$openclaw-secret-scanning-maintainer`.
-- Beta tag/version match: `vYYYY.M.PATCH-beta.N` -> npm `YYYY.M.PATCH-beta.N --tag beta`.
+- Beta tag/version match: `vYYYY.M.D-beta.N` -> npm `YYYY.M.D-beta.N --tag beta`.
 
 ## Platform / Ops
 
@@ -267,10 +222,7 @@ Skills own workflows; root owns hard policy and routing.
 - Version bump surfaces live in `$release-openclaw-maintainer`.
 - Parallels: `$openclaw-parallels-smoke`; Discord roundtrip: `$parallels-discord-roundtrip`.
 - Crabbox/WebVNC human demos: keep remote desktop visible/windowed; no fullscreen remote browser unless video/capture-style output.
-- Before sharing WebVNC links, use Crabbox screenshot first; verify real app/path works and target UI is not broken.
 - ClawSweeper ops: `$clawsweeper`. Deployed hook sessions may post one concise `#clawsweeper` note only when surprising/actionable/risky; if using message tool, reply exactly `NO_REPLY`.
-- Generated-media completions wake the requester agent first. Requester visible-reply config decides final text vs message tool; direct media send is fallback/recovery only.
-- `message_tool_only`: normal agent final visible reply = current-source `message(action=send)` only. No `NO_REPLY` prompt/contract; no message call = no source reply. Plugin-owned bound-thread reply = plugin return value; no message tool needed. Never auto-publish private final.
 - Memory wiki prompt digest stays tiny; prefer `wiki_search` / `wiki_get`; verify contact data before use; source-class provenance for generated people facts.
 - Rebrand/migration/config warnings: run `openclaw doctor`.
 - Never edit `node_modules`.