fix(web): show all WhatsApp shared contacts

fix(agents): require raw for gateway config.apply (#566 ) (thanks @sircrumpet)
fix(tools): flatten gateway tool schema for Vertex AI compatibility
2026-06-06 14:01:24 +08:00 · 2026-01-10 00:16:54 +00:00 · 2026-01-10 00:16:17 +00:00 · 2026-01-10 00:16:17 +00:00
16719 changed files with 244190 additions and 3004346 deletions
--- a/.agents/skills/blacksmith-testbox/SKILL.md
+++ b/.agents/skills/blacksmith-testbox/SKILL.md
@@ -1,335 +0,0 @@
---
-name: blacksmith-testbox
-description: Run Blacksmith Testbox for CI-parity checks, secrets, hosted services, migrations, or builds local cannot reproduce.
---
-
-# Blacksmith Testbox
-
-## Scope
-
-Use Testbox when you need remote CI parity, injected secrets, hosted services,
-or an OS/runtime image that your local machine cannot provide cheaply.
-
-Do not default to Testbox for every local test/build loop. If the repo has
-documented local commands for normal iteration, use those first so you keep
-warm caches, local build state, and fast feedback.
-
-Testbox is the expensive path. Reach for it deliberately.
-
-## Install the CLI
-
-If `blacksmith` is not installed, install it:
-
-    curl -fsSL https://get.blacksmith.sh | sh
-
-For the canary channel (bleeding-edge):
-
-    BLACKSMITH_CHANNEL=canary sh -c 'curl -fsSL https://get.blacksmith.sh | sh'
-
-Then authenticate:
-
-    blacksmith auth login
-
-## Agent-triggered browser auth (non-interactive)
-
-When an agent needs to ensure the user is authenticated before running testbox
-commands (e.g. warmup, run), use browser-based auth with non-interactive mode.
-This opens the browser for the user to sign in; the agent does not interact with
-the browser. The org selector in the dashboard is skipped, so the user only sees
-the sign-in flow.
-
-**Required command** (`--organization` is required with `--non-interactive`):
-
-    blacksmith auth login --non-interactive --organization <org-slug>
-
-The org slug can come from `BLACKSMITH_ORG` env var or the `--org` global flag.
-If neither is set, the agent should use the project's known org (e.g. from repo
-config or user context). Example:
-
-    blacksmith auth login --non-interactive --organization acme-corp
-    blacksmith --org acme-corp auth login --non-interactive --organization acme-corp
-
-**Flow**: The CLI starts a local callback server, opens the browser to the
-dashboard auth page, and blocks for up to 2 minutes. The user completes sign-in
-and authorization in the browser. The dashboard redirects to localhost with the
-token; the CLI saves credentials and exits. The agent then proceeds.
-
-**Do not use** `--api-token` for this flow — that is for headless/token-based
-auth. This skill focuses on browser-based auth when the user prefers signing in
-via the web UI.
-
-Optional flags:
-
- `--dashboard-url <url>` — Override dashboard URL (e.g. for staging)
-
-## Decide first: local or Testbox
-
-Before warming anything up, check the repo's own instructions.
-
-Prefer local commands when:
-
- the repo documents a supported local test/build workflow
- you are iterating on unit tests, lint, typecheck, formatting, or other
-  local-only validation
- the value comes from warm local caches and fast repeat runs
- the command does not need remote secrets, hosted services, or CI-only images
-
-Prefer Testbox when:
-
- the repo explicitly requires CI-parity or remote validation
- the command needs secrets, service containers, or provisioned infra
- you are reproducing CI-only failures
- you need the exact workflow image/job environment from GitHub Actions
-
-For OpenClaw specifically, normal local iteration should stay local:
-
- `pnpm check:changed`
- `pnpm test:changed`
- `pnpm test <path-or-filter>`
- `pnpm test:serial`
- `pnpm build`
-
-Only use Testbox in OpenClaw when the user explicitly wants CI-parity or the
-check truly depends on remote secrets/services that the local repo loop cannot
-provide.
-
-## Setup: Warmup before coding
-
-If you decided Testbox is actually warranted, warm one up early. This returns
-an ID instantly and boots the CI environment in the background while you work:
-
-    blacksmith testbox warmup ci-check-testbox.yml
-    # → tbx_01jkz5b3t9...
-
-Save this ID. You need it for every `run` command.
-
-Warmup dispatches a GitHub Actions workflow that provisions a VM with the
-full CI environment: dependencies installed, services started, secrets
-injected, and a clean checkout of the repo at the default branch.
-
-Options:
-
-    --ref <branch>         Git ref to dispatch against (default: repo's default branch)
-    --job <name>           Specific job within the workflow (if it has multiple)
-    --idle-timeout <min>   Idle timeout in minutes (default: 30)
-
-## CRITICAL: Always run from the repo root
-
-ALWAYS invoke `blacksmith testbox` commands from the **root of the git
-repository**. The CLI syncs the current working directory to the testbox
-using rsync with `--delete`. If you run from a subdirectory (e.g.
-`cd backend && blacksmith testbox run ...`), rsync will mirror only that
-subdirectory and **delete everything else** on the testbox — wiping other
-directories like `dashboard/`, `cli/`, etc.
-
-    # CORRECT — run from repo root, use paths in the command
-    blacksmith testbox run --id <ID> "cd backend && php artisan test"
-    blacksmith testbox run --id <ID> "cd dashboard && npm test"
-
-    # WRONG — do NOT cd into a subdirectory before invoking the CLI
-    cd backend && blacksmith testbox run --id <ID> "php artisan test"
-
-If your shell is in a subdirectory, `cd` back to the repo root first:
-
-    cd "$(git rev-parse --show-toplevel)"
-    blacksmith testbox run --id <ID> "cd backend && php artisan test"
-
-## Running commands
-
-    blacksmith testbox run --id <ID> "<command>"
-
-The `run` command automatically waits for the testbox to become ready if
-it is still booting, so you can call `run` immediately after warmup without
-needing to check status first.
-
-## Downloading files from a testbox
-
-Use the `download` command to retrieve files or directories from a running
-testbox to your local machine. This is useful for fetching build artifacts,
-test results, coverage reports, or any output generated on the testbox.
-
-    blacksmith testbox download --id <ID> <remote-path> [local-path]
-
-The remote path is relative to the testbox working directory (same as `run`).
-If no local path is specified, the file is saved to the current directory
-using the same base name.
-
-To download a directory, append a trailing `/` to the remote path — this
-triggers recursive mode:
-
-    # Download a single file
-    blacksmith testbox download --id <ID> coverage/report.html
-
-    # Download a file to a specific local path
-    blacksmith testbox download --id <ID> build/output.tar.gz ./output.tar.gz
-
-    # Download an entire directory
-    blacksmith testbox download --id <ID> test-results/ ./results/
-
-Options:
-
-    --ssh-private-key <path>   Path to SSH private key (if warmup used --ssh-public-key)
-
-## How file sync works
-
-Understanding this model is critical for using Testbox correctly.
-
-When you call `run`, the CLI performs a **delta sync** of your local changes
-to the remote testbox before executing your command:
-
-1. The testbox VM starts from a clean `actions/checkout` at the warmup ref.
-   The workflow's setup steps (e.g. `npm install`, `pip install`, `composer install`)
-   run during warmup and populate dependency directories on the remote VM.
-
-2. On each `run`, the CLI uses **git** to detect which files changed locally
-   since the last sync. It syncs ONLY tracked files and untracked non-ignored
-   files (i.e. files that `git ls-files` reports).
-
-3. **`.gitignore`'d directories are never synced.** This means directories
-   like `node_modules/`, `vendor/`, `.venv/`, `build/`, `dist/`, etc. are
-   NOT transferred from your local machine. The testbox uses its own copies
-   of those directories, populated during the warmup workflow steps.
-
-4. If nothing has changed since the last sync (same git commit and working
-   tree state), the sync is skipped entirely for speed.
-
-### Why this matters
-
- **Changing dependencies**: If you modify `package.json`, `requirements.txt`,
-  `composer.json`, `go.mod`, or similar dependency manifests, the lock/manifest
-  file will be synced but the actual dependency directory will NOT. You must
-  re-run the install command on the testbox:
-
-      blacksmith testbox run --id <ID> "npm install && npm test"
-      blacksmith testbox run --id <ID> "pip install -r requirements.txt && pytest"
-      blacksmith testbox run --id <ID> "composer install && phpunit"
-
- **Generated/build artifacts**: If your tests depend on a build step (e.g.
-  `npm run build`, `make`), and you changed source files that affect the build
-  output, re-run the build on the testbox before testing.
-
- **New untracked files**: New files you create locally ARE synced (as long as
-  they are not gitignored). You do not need to `git add` them first.
-
- **Deleted files**: Files you delete locally are also deleted on the remote
-  testbox. The sync model keeps the remote in lockstep with your local managed
-  file set.
-
-## CRITICAL: Do not ban local tests
-
-Do not assume local validation is forbidden. Many repos intentionally invest in
-fast, warm local loops, and forcing every run through Testbox destroys that
-advantage.
-
-Use Testbox for the checks that actually need it: remote parity, secrets,
-services, CI-only runners, or reproducibility against the workflow image.
-
-If the repo says local tests/builds are the normal path, follow the repo.
-
-## When to use
-
-Use Testbox when:
-
- running database migrations or destructive environment checks
- running commands that depend on secrets or environment variables not present locally
- reproducing CI-only failures or validating against the workflow image
- validating behavior that needs provisioned services or remote runners
- doing a final parity check before commit/push when the repo or user wants that
-
-Trim that list based on repo guidance. If the repo documents supported local
-tests/builds, prefer local for routine iteration and keep Testbox for the
-checks that need parity or remote state.
-
-## Workflow
-
-1. Decide whether the repo's local loop is the right default.
-2. Only if Testbox is warranted, warm up early:
-   `blacksmith testbox warmup ci-check-testbox.yml` → save the ID
-3. Write code while the testbox boots in the background.
-4. Run the remote command when needed:
-   `blacksmith testbox run --id <ID> "npm test"`
-5. If tests fail, fix code and re-run against the same warm box.
-6. If you changed dependency manifests (package.json, etc.), prepend
-   the install command: `blacksmith testbox run --id <ID> "npm install && npm test"`
-7. If you need artifacts (coverage reports, build outputs, etc.), download them:
-   `blacksmith testbox download --id <ID> coverage/ ./coverage/`
-8. Once green, commit and push.
-
-## OpenClaw full test suite
-
-For OpenClaw, use the repo package manager and the measured stable full-suite
-profile below. It keeps six Vitest project shards active while limiting each
-shard to one worker to avoid worker OOMs on Testbox:
-
-    blacksmith testbox run --id <ID> "env NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test"
-
-Observed full-suite time on Blacksmith Testbox is about 3-4 minutes:
-
- 173-180s on a warmed box
- 219s on a fresh 32-vCPU box
-
-When validating before commit/push, run `pnpm check:changed` first when
-appropriate, then the full suite with the profile above if broad confidence is
-needed.
-
-## Examples
-
-    blacksmith testbox warmup ci-check-testbox.yml
-    # → tbx_01jkz5b3t9...
-
-    # Run tests
-    blacksmith testbox run --id <ID> "npm test -- --testPathPattern=handler.test"
-    blacksmith testbox run --id <ID> "go test ./pkg/api/... -run TestHandler -v"
-    blacksmith testbox run --id <ID> "python -m pytest tests/test_api.py -k test_auth"
-
-    # Re-install deps after changing package.json, then test
-    blacksmith testbox run --id <ID> "npm install && npm test"
-
-    # Build and test
-    blacksmith testbox run --id <ID> "npm run build && npm test"
-
-    # Download artifacts from the testbox
-    blacksmith testbox download --id <ID> coverage/lcov-report/ ./coverage/
-    blacksmith testbox download --id <ID> build/output.tar.gz
-
-## Waiting for the testbox to be ready
-
-The `run` command automatically waits for the testbox, so explicit waiting is
-usually unnecessary. If you do need to check readiness separately (e.g. before
-a series of runs), use the `--wait` flag. Do NOT use a sleep-and-recheck loop.
-
-Correct: block until ready with a timeout:
-
-    blacksmith testbox status --id <ID> --wait [--wait-timeout 5m]
-
-Wrong: never use sleep + status in a loop:
-
-    # BAD — do not do this
-    sleep 30 && blacksmith testbox status --id <ID>
-    while ! blacksmith testbox status --id <ID> | grep ready; do sleep 5; done
-
-`--wait` polls the status and exits as soon as the testbox is ready (or when the
-timeout is reached). Default timeout is 5m; use `--wait-timeout` for longer
-(e.g. `10m`, `1h`).
-
-## Managing testboxes
-
-    # Check status of a specific testbox
-    blacksmith testbox status --id <ID>
-
-    # List all active testboxes for the current repo
-    blacksmith testbox list
-
-    # Stop a testbox when you're done (frees resources)
-    blacksmith testbox stop --id <ID>
-
-Testboxes automatically shut down after being idle (default: 30 minutes).
-If you need a longer session, increase the timeout at warmup time:
-
-    blacksmith testbox warmup ci-check-testbox.yml --idle-timeout 60
-
-## With options
-
-    blacksmith testbox warmup ci-check-testbox.yml --ref main
-    blacksmith testbox warmup ci-check-testbox.yml --idle-timeout 60
-    blacksmith testbox run --id <ID> "go test ./..."
--- a/.agents/skills/openclaw-ghsa-maintainer/SKILL.md
+++ b/.agents/skills/openclaw-ghsa-maintainer/SKILL.md
@@ -1,87 +0,0 @@
---
-name: openclaw-ghsa-maintainer
-description: Inspect, patch, validate, publish, or confirm OpenClaw GHSA security advisories and private-fork state.
---
-
-# OpenClaw GHSA Maintainer
-
-Use this skill for repo security advisory workflow only. Keep general release work in `openclaw-release-maintainer`.
-
-## Respect advisory guardrails
-
- Before reviewing or publishing a repo advisory, read `SECURITY.md`.
- Ask permission before any publish action.
- Treat this skill as GHSA-only. Do not use it for stable or beta release work.
-
-## Fetch and inspect advisory state
-
-Fetch the current advisory and the latest published npm version:
-
-```bash
-gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
-npm view openclaw version --userconfig "$(mktemp)"
-```
-
-Use the fetch output to confirm the advisory state, linked private fork, and vulnerability payload shape before patching.
-
-## Verify private fork PRs are closed
-
-Before publishing, verify that the advisory's private fork has no open PRs:
-
-```bash
-fork=$(gh api /repos/openclaw/openclaw/security-advisories/<GHSA> | jq -r .private_fork.full_name)
-gh pr list -R "$fork" --state open
-```
-
-The PR list must be empty before publish.
-
-## Prepare advisory Markdown and JSON safely
-
- Write advisory Markdown via heredoc to a temp file. Do not use escaped `\n` strings.
- Build PATCH payload JSON with `jq`, not hand-escaped shell JSON.
-
-Example pattern:
-
-```bash
-cat > /tmp/ghsa.desc.md <<'EOF'
-<markdown description>
-EOF
-
-jq -n --rawfile desc /tmp/ghsa.desc.md \
-  '{summary,severity,description:$desc,vulnerabilities:[...]}' \
-  > /tmp/ghsa.patch.json
-```
-
-## Apply PATCH calls in the correct sequence
-
- Do not set `severity` and `cvss_vector_string` in the same PATCH call.
- Use separate calls when the advisory requires both fields.
- Publish by PATCHing the advisory and setting `"state":"published"`. There is no separate `/publish` endpoint.
-
-Example shape:
-
-```bash
-gh api -X PATCH /repos/openclaw/openclaw/security-advisories/<GHSA> \
-  --input /tmp/ghsa.patch.json
-```
-
-## Publish and verify success
-
-After publish, re-fetch the advisory and confirm:
-
- `state=published`
- `published_at` is set
- the description does not contain literal escaped `\\n`
-
-Verification pattern:
-
-```bash
-gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
-jq -r .description < /tmp/ghsa.refetch.json | rg '\\\\n'
-```
-
-## Common GHSA footguns
-
- Publishing fails with HTTP 422 if required fields are missing or the private fork still has open PRs.
- A payload that looks correct in shell can still be wrong if Markdown was assembled with escaped newline strings.
- Advisory PATCH sequencing matters; separate field updates when GHSA API constraints require it.
--- a/.agents/skills/openclaw-parallels-smoke/SKILL.md
+++ b/.agents/skills/openclaw-parallels-smoke/SKILL.md
@@ -1,156 +0,0 @@
---
-name: openclaw-parallels-smoke
-description: Run, rerun, debug, or interpret OpenClaw Parallels install, onboarding, gateway smoke, and upgrade checks.
---
-
-# OpenClaw Parallels Smoke
-
-Use this skill for Parallels guest workflows and smoke interpretation. Do not load it for normal repo work.
-
-## Global rules
-
- Use the snapshot most closely matching the requested fresh baseline.
- Gateway verification in smoke runs should use `openclaw gateway status --deep --require-rpc` unless the stable version being checked does not support it yet.
- Stable `2026.3.12` pre-upgrade diagnostics may require a plain `gateway status --deep` fallback.
- Treat `precheck=latest-ref-fail` on that stable pre-upgrade lane as baseline, not automatically a regression.
- Pass `--json` for machine-readable summaries.
- Per-phase logs land under `/tmp/openclaw-parallels-*`.
- Do not run local and gateway agent turns in parallel on the same fresh workspace or session.
- Hard-cap every top-level Parallels lane with host `timeout --foreground` (or `gtimeout --foreground` if that is the available binary) so a stalled install, snapshot switch, or `prlctl exec` transport cannot consume the rest of the testing window. Defaults:
-  - macOS: `75m`
-  - Linux: `75m`
-  - Windows: `90m`
-  - aggregate npm-update wrapper: `150m`
-    If a lane hits the cap, stop there, inspect the newest `/tmp/openclaw-parallels-*` run directory and phase log, then fix or rerun the smallest affected lane. Do not keep waiting on a capped lane.
- Actual OpenClaw npm install/update phases are a stricter signal than whole-lane caps: install phases should normally finish within 7 minutes, and update phases should normally show meaningful progress within 5 minutes. If a phase named `install-main`, `install-latest`, `install-baseline`, or `install-baseline-package` exceeds 420s, or a phase named `update-dev` / same-guest `openclaw update` exceeds 300s without new markers, start diagnosis from that phase log and guest process state. Current Windows update phases can still pass after roughly 10-15 minutes because `doctor --fix` may install bundled plugin runtime deps; keep the script hard cap near 20 minutes unless the log is truly stale.
- For a full OS matrix, prefer running independent guest-family lanes in parallel when host capacity allows:
-  - `timeout --foreground 75m pnpm test:parallels:macos -- --json`
-  - `timeout --foreground 90m pnpm test:parallels:windows -- --json`
-  - `timeout --foreground 75m pnpm test:parallels:linux -- --json`
-    Keep each lane in its own shell/session and track the run directory for each one. Before starting the matrix, run any required host build/package gate to completion. When current-main tgz packaging is needed, the smoke scripts hold a shared package lock through `pnpm build`, inventory/staging, and `npm pack`; if that lock is missing or broken, serialize the matrix instead of accepting concurrent `dist` mutation.
- Do not run multiple smoke lanes against the same guest family at once. Tahoe lanes share the host HTTP port, and Windows/Linux lanes can collide on snapshot restore/start state if two jobs touch the same VM concurrently.
- Do not run the aggregate `pnpm test:parallels:npm-update` wrapper in parallel with individual macOS/Windows/Linux smoke lanes; it touches the same guest families and snapshots.
- Do not start Parallels lanes while any unrelated host command may rebuild, clean, or restage `dist` (`pnpm build`, `pnpm ui:build`, `pnpm release:check`, `pnpm test:install:smoke`, npm pack/install smoke, or Docker lanes that run package/build prep). Run unrelated build/package gates first, let them finish, then start the VM matrix. Concurrent `dist` mutation can make host `npm pack` fail with missing files and wastes a full VM cycle.
- While running or optimizing the matrix, record wall-clock duration per lane and the slowest phase from `/tmp/openclaw-parallels-*` logs. Use that timing before changing smoke order, timeouts, or helper behavior.
- If a host build changes tracked generated files such as `src/canvas-host/a2ui/.bundle.hash`, stop before spending VM time. Commit the generated artifact separately or fix the generator drift, then rerun the smallest affected lane.
- If `main` is moving under active multi-agent work, prefer a detached worktree pinned to one commit for long Parallels suites. The smoke scripts now verify the packed tgz commit instead of live `git rev-parse HEAD`, but a pinned worktree still avoids noisy rebuild/version drift during reruns.
- For `openclaw update --channel dev` lanes, remember the guest clones GitHub `main`, not your local worktree. If a local fix exists but the rerun still fails inside the cloned dev checkout, do not treat that as disproof of the fix until the branch has been pushed.
- For `prlctl exec`, pass the VM name before `--current-user` (`prlctl exec "$VM" --current-user ...`), not the other way around.
- If the workflow installs OpenClaw from a repo checkout instead of the site installer/npm release, finish by installing a real guest CLI shim and verifying it in a fresh guest shell. `pnpm openclaw ...` inside the repo is not enough for handoff parity.
- On macOS guests, prefer a user-global install plus a stable PATH-visible shim:
-  - install with `NPM_CONFIG_PREFIX="$HOME/.npm-global" npm install -g .`
-  - make sure `~/.local/bin/openclaw` exists or `~/.npm-global/bin` is on PATH
-  - verify from a brand-new guest shell with `which openclaw` and `openclaw --version`
-
-## npm install then update
-
- Preferred entrypoint: `pnpm test:parallels:npm-update`
- For a macOS-only published release update check, use:
-  - `timeout --foreground 75m pnpm test:parallels:npm-update -- --platform macos --package-spec openclaw@<old-version> --update-target <target-version-or-tag> --json`
-    This keeps the same-guest `openclaw update --tag ...` coverage and uses the shared macOS current-user/sudo fallback without starting Windows/Linux lanes.
- Required coverage: every release/update regression run must include both lanes:
-  - fresh snapshot -> install requested package/baseline -> smoke
-  - same guest baseline -> run the guest's installed `openclaw update ...` command -> smoke again
- The update lane must exercise OpenClaw's internal updater. Do not count a direct `npm install -g <tgz-or-spec>` or harness-side package swap as update-flow coverage; those are install smokes only.
- For published targets, install the old baseline package first (for example `openclaw@2026.4.9`), then run the installed guest CLI with the intended channel/tag (for example `openclaw update --channel beta --yes --json`) and verify `openclaw --version`, `openclaw update status --json`, gateway RPC, and an agent turn after the command.
- For unpublished targets, pack the candidate on the host, serve the `.tgz` over the harness HTTP server, and point the guest updater at that served package. Prefer `openclaw update --tag http://<host-ip>:<port>/openclaw-<version>.tgz --yes --json`; when channel persistence also matters, pass `--channel <stable|beta>` and set `OPENCLAW_UPDATE_PACKAGE_SPEC` to the same served URL in the guest update environment. The command under test must still be `openclaw update`, not direct npm.
- For unpublished local-fix validation, remember the old baseline updater code still controls the first hop. A fix that lives only in the new updater code cannot change that already-running old process; the served candidate must either keep package/plugin metadata compatible with the baseline host or the baseline itself must include the updater fix.
- For beta/stable verification, resolve the tag immediately before the run (`npm view openclaw@beta version dist.tarball` or `npm view openclaw@latest ...`). Tags can move while a long VM matrix is already running; restart the matrix when the intended prerelease appears after an earlier registry 404/tag-lag check.
- Source Peter's profile in the host shell (`set -a; source "$HOME/.profile"; set +a`) before OpenAI/Anthropic lanes. Do not print profile contents or env dumps; pass provider secrets through the guest exec environment.
- Same-guest update verification should set the default model explicitly to `openai/gpt-5.4` before the agent turn and use a fresh explicit `--session-id` so old session model state does not leak into the check.
- The aggregate npm-update wrapper must resolve the Linux VM with the same Ubuntu fallback policy as `parallels-linux-smoke.sh` before both fresh and update lanes. Treat any Ubuntu guest with major version `>= 24` as acceptable when the exact default VM is missing, preferring the closest version match. On Peter's current host today, missing `Ubuntu 24.04.3 ARM64` should fall back to `Ubuntu 25.10`.
- On macOS same-guest update checks, restart the gateway after the npm upgrade before `gateway status` / `agent`; launchd can otherwise report a loaded service while the old process has exited and the fresh process is not RPC-ready yet.
- The npm-update aggregate's macOS update leg writes the guest update script as root, then runs it as the desktop user. If `prlctl exec "$MACOS_VM" --current-user ...` cannot authenticate, retry through plain root `prlctl exec` plus `sudo -u <desktop-user> /usr/bin/env HOME=/Users/<desktop-user> USER=<desktop-user> LOGNAME=<desktop-user> PATH=/opt/homebrew/bin:/opt/homebrew/opt/node/bin:/usr/bin:/bin:/usr/sbin:/sbin ...`. That is a Parallels transport fallback; still verify `openclaw --version`, gateway RPC, and an agent turn after the update.
- On Windows same-guest update checks, restart the gateway after the npm upgrade before `gateway status` / `agent`; in-place global npm updates can otherwise leave stale hashed `dist/*` module imports alive in the running service.
- In those Windows same-guest update checks, do not treat one nonzero `openclaw gateway restart` as definitive failure. Current login-item restarts can report failure before the background service becomes observable again; follow with a longer RPC-ready wait and use `gateway start` only as a recovery step if readiness still never returns.
- After that Windows restart, do not trust one `gateway status --deep --require-rpc` call after a fixed sleep. Retry the RPC-ready probe for roughly 30 seconds and log each attempt; current guests can keep port `18789` bound while the fresh RPC endpoint is still coming up.
- For Windows same-guest update checks, prefer the done-file/log-drain PowerShell runner pattern over one long-lived `prlctl exec ... powershell -EncodedCommand ...` transport. The guest can finish successfully while the outer `prlctl exec` still hangs.
- The Windows same-guest update helper should write stage markers to its log before long steps like tgz download and `npm install -g` so the outer progress monitor does not sit on `waiting for first log line` during healthy but quiet installs.
- Linux same-guest update verification should also export `HOME=/root`, pass `OPENAI_API_KEY` via `prlctl exec ... /usr/bin/env`, and use `openclaw agent --local`; the fresh Linux baseline does not rely on persisted gateway credentials.
- The npm-update wrapper now prints per-lane progress from the nested log files. If a lane still looks stuck, inspect the nested logs in `runDir` first (`macos-fresh.log`, `windows-fresh.log`, `linux-fresh.log`, `macos-update.log`, `windows-update.log`, `linux-update.log`) instead of assuming the outer wrapper hung.
- If the wrapper fails a lane, read the auto-dumped tail first, then the full nested lane log under `/tmp/openclaw-parallels-npm-update.*`.
- Current known macOS update-lane transport signature when the fallback is missing or bypassed: `Unable to authenticate the user. Make sure that the specified credentials are correct and try again.` Treat that as Parallels current-user authentication before blaming npm or OpenClaw.
-
-## CLI invocation footgun
-
- The Parallels smoke shell scripts should tolerate a literal bare `--` arg so `pnpm test:parallels:* -- --json` and similar forwarded invocations work without needing to call `bash scripts/e2e/...` directly.
-
-## macOS flow
-
- Preferred entrypoint: `pnpm test:parallels:macos`
- `parallels-macos-smoke.sh --mode fresh --target-package-spec openclaw@<version>` is an install smoke only. For published old-version -> new-version update coverage on macOS, prefer the npm-update wrapper with `--platform macos`; `parallels-macos-smoke.sh --mode upgrade --target-package-spec ...` installs the target package and does not exercise the baseline CLI's updater.
- Default upgrade coverage on macOS should now include: fresh snapshot -> site installer pinned to the latest stable tag -> `openclaw update --channel dev` on the guest. Treat this as part of the default Tahoe regression plan, not an optional side quest.
- `parallels-macos-smoke.sh --mode upgrade` should run that release-to-dev lane by default. Keep the older host-tgz upgrade path only when the caller explicitly passes `--target-package-spec`.
- Because the default upgrade lane no longer needs a host tgz, skip `npm pack` + host HTTP server startup for `--mode upgrade` unless `--target-package-spec` is set. Keep the pack/server path for `fresh` and `both`.
- If that release-to-dev lane fails with `reason=preflight-no-good-commit` and repeated `sh: pnpm: command not found` tails from `preflight build`, treat it as an updater regression first. The fix belongs in the git/dev updater bootstrap path, not in Parallels retry logic.
- Until the public stable train includes that updater bootstrap fix, the macOS release-to-dev lane may seed a temporary guest-local `pnpm` shim immediately before `openclaw update --channel dev`. Keep that workaround scoped to the smoke harness and remove it once the latest stable no longer needs it.
- In Tahoe `prlctl exec --current-user` runs, prefer explicit `node .../openclaw.mjs ...` invocations for the release->dev handoff itself and for post-update verification. The shebanged global `openclaw` wrapper can fail with `env: node: No such file or directory`, and self-updating through the wrapper is a weaker lane than invoking the entrypoint under a fixed `node`.
- Default to the snapshot closest to `macOS 26.3.1 latest`.
- On Peter's Tahoe VM, `fresh-latest-march-2026` can hang in `prlctl snapshot-switch`; if restore times out there, rerun with `--snapshot-hint 'macOS 26.3.1 latest'` before blaming auth or the harness.
- `parallels-macos-smoke.sh` now retries `snapshot-switch` once after force-stopping a stuck running/suspended guest. If Tahoe still times out after that recovery path, then treat it as a real Parallels/host issue and rerun manually.
- The macOS smoke should include a dashboard load phase after gateway health: resolve the tokenized URL with `openclaw dashboard --no-open`, verify the served HTML contains the Control UI title/root shell, then open Safari and require an established localhost TCP connection from Safari to the gateway port.
- For Tahoe `fresh.gateway-status`, prefer non-TTY `prlctl exec --current-user ... openclaw gateway status ...` plus a few short retries. `prlctl enter` can spam TTY control bytes and hang the phase log even when the CLI itself is healthy.
- If a Tahoe lane times out in `fresh.first-agent-turn` and the phase log stops right after `__OPENCLAW_RC__:0` from `models set`, suspect the `prlctl enter` / `expect` wrapper before blaming auth or the model lane. That pattern means the first guest command finished but the transport never released for the next `guest_current_user_cli` call.
- If a packaged install regresses with `500` on `/`, `/healthz`, or `__openclaw/control-ui-config.json` after `fresh.install-main` or `upgrade.install-main`, suspect bundled plugin runtime deps resolving from the package root `node_modules` rather than `dist/extensions/*/node_modules`. Repro quickly with a real `npm pack`/global install lane before blaming dashboard auth or Safari.
- `prlctl exec` is fine for deterministic repo commands, but use the guest Terminal or `prlctl enter` when installer parity or shell-sensitive behavior matters.
- Multi-word `openclaw agent --message ...` checks should go through a guest shell wrapper (`guest_current_user_sh` / `guest_current_user_cli` or `/bin/sh -lc ...`), not raw `prlctl exec ... node openclaw.mjs ...`, or the message can be split into extra argv tokens and Commander reports `too many arguments for 'agent'`.
- The same wrapper rule applies when bypassing `--current-user`: write a tiny `/tmp/*.sh` on the guest and execute `/bin/bash /tmp/*.sh` through the sudo desktop-user environment. Do not pass `openclaw agent --message '...'` directly as one raw `prlctl exec` command.
- When ref-mode onboarding stores `OPENAI_API_KEY` as an env secret ref, the post-onboard agent verification should also export `OPENAI_API_KEY` for the guest command. The gateway can still reject with pairing-required and fall back to embedded execution, and that fallback needs the env-backed credential available in the shell.
- On the fresh Tahoe snapshot, `brew` exists but `node` may be missing from PATH in noninteractive exec. Use `/opt/homebrew/bin/node` when needed.
- Fresh host-served tgz installs should install as guest root with `HOME=/var/root`, then run onboarding as the desktop user via `prlctl exec --current-user`.
- Root-installed tgz smoke can log plugin blocks for world-writable `extensions/*`; do not treat that as an onboarding or gateway failure unless plugin loading is the task.
-
-## Windows flow
-
- Preferred entrypoint: `pnpm test:parallels:windows`
- Use the snapshot closest to `pre-openclaw-native-e2e-2026-03-12`.
- Default upgrade coverage on Windows should now include: fresh snapshot -> site installer pinned to the requested stable tag -> `openclaw update --channel dev` on the guest. Keep the older host-tgz upgrade path only when the caller explicitly passes `--target-package-spec`.
- Optional exact npm-tag baseline on Windows: `bash scripts/e2e/parallels-windows-smoke.sh --mode upgrade --target-package-spec openclaw@<tag> --json`. That lane installs the published npm tarball as baseline, then runs `openclaw update --channel dev`.
- Optional forward-fix Windows validation: `bash scripts/e2e/parallels-windows-smoke.sh --mode upgrade --upgrade-from-packed-main --json`. That lane installs the packed current-main npm tgz as baseline, then runs `openclaw update --channel dev`.
- Always use `prlctl exec --current-user`; plain `prlctl exec` lands in `NT AUTHORITY\\SYSTEM`.
- Prefer explicit `npm.cmd` and `openclaw.cmd`.
- Use PowerShell only as the transport with `-ExecutionPolicy Bypass`, then call the `.cmd` shims from inside it.
- Current Windows Node installs expose `corepack` as a `.cmd` shim. If a release-to-dev lane sees `corepack` on PATH but `openclaw update --channel dev` still behaves as if corepack is missing, treat that as an exec-shim regression first.
- If an exact published-tag Windows lane fails during preflight with `npm run build` and `'pnpm' is not recognized`, remember that the guest is still executing the old published updater. Validate the fix with `--upgrade-from-packed-main`, then wait for the next tagged npm release before expecting the historical tag lane to pass.
- Multi-word `openclaw agent --message ...` checks should call `& $openclaw ...` inside PowerShell, not `Start-Process ... -ArgumentList` against `openclaw.cmd`, or Commander can see split argv and throw `too many arguments for 'agent'`.
- Windows installer/tgz phases now retry once after guest-ready recheck; keep new Windows smoke steps idempotent so a transport-flake retry is safe.
- If a Windows retry sees the VM become `suspended` or `stopped`, resume/start it before the next `prlctl exec`; otherwise the second attempt just repeats the same `rc=255`.
- Windows global `npm install -g` phases can stay quiet for a minute or more even when healthy; inspect the phase log before calling it hung, and only treat it as a regression once the retry wrapper or timeout trips.
- When those Windows global installs stay quiet, the useful progress often lives in the guest npm debug log, not the helper phase log. The smoke script now streams incremental `npm-cache/_logs/*-debug-0.log` deltas into the phase log during long baseline/package installs; read those lines before assuming the lane is stalled.
- The Windows baseline-package helpers now auto-dump the latest guest `npm-cache/_logs/*-debug-0.log` tail on timeout or nonzero completion. Read that tail in the phase log before opening a second guest shell.
- The same incremental npm-debug streaming also applies to `--upgrade-from-packed-main` / packaged-install baseline phases. A phase log that still says only `install.start`, `install.download-tgz`, `install.install-tgz` can still be healthy if the streamed npm-debug section shows registry fetches or bundled-plugin postinstall work.
- Fresh Windows tgz install phases should also use the background PowerShell runner plus done-file/log-drain pattern; do not rely on one long-lived `prlctl exec ... powershell ... npm install -g` transport for package installs.
- Windows release-to-dev helpers should log `where pnpm` before and after the update and require `where pnpm` to succeed post-update. That proves the updater installed or enabled `pnpm` itself instead of depending on a smoke-only bootstrap.
- Fresh Windows ref-mode onboard should use the same background PowerShell runner plus done-file/log-drain pattern as the npm-update helper, including startup materialization checks, host-side timeouts on short poll `prlctl exec` calls, and retry-on-poll-failure behavior for transient transport flakes.
- Fresh Windows daemon-health reachability should use `openclaw gateway probe --json` with a longer timeout and treat `ok: true` as success; full `gateway status --require-rpc` checks are too eager during initial startup on current main.
- Fresh Windows ref-mode agent verification should set `OPENAI_API_KEY` in the PowerShell environment before invoking `openclaw.cmd agent`, for the same pairing-required fallback reason as macOS.
- The standalone Windows upgrade smoke lane should stop the managed gateway after `upgrade.install-main` and before `upgrade.onboard-ref`. Restarting before onboard can leave the old process alive on the pre-onboard token while onboard rewrites `~/.openclaw/openclaw.json`, which then fails `gateway-health` with `unauthorized: gateway token mismatch`.
- If standalone Windows upgrade fails with a gateway token mismatch but `pnpm test:parallels:npm-update` passes, trust the mismatch as a standalone ref-onboard ordering bug first; the npm-update helper does not re-run ref-mode onboard on the same guest.
- Keep onboarding and status output ASCII-clean in logs; fancy punctuation becomes mojibake in current capture paths.
- If you hit an older run with `rc=255` plus an empty `fresh.install-main.log` or `upgrade.install-main.log`, treat it as a likely `prlctl exec` transport drop after guest start-up, not immediate proof of an npm/package failure.
-
-## Linux flow
-
- Preferred entrypoint: `pnpm test:parallels:linux`
- Use the snapshot closest to fresh `Ubuntu 24.04.3 ARM64`.
- If that exact VM is missing on the host, any Ubuntu guest with major version `>= 24` is acceptable; prefer the closest versioned Ubuntu guest with a fresh poweroff snapshot. On Peter's host today, that is `Ubuntu 25.10`.
- Use plain `prlctl exec`; `--current-user` is not the right transport on this snapshot.
- Fresh snapshots may be missing `curl`, and `apt-get update` can fail on clock skew. Bootstrap with `apt-get -o Acquire::Check-Date=false update` and install `curl ca-certificates`.
- Fresh `main` tgz smoke still needs the latest-release installer first because the snapshot has no Node or npm before bootstrap.
- This snapshot does not have a usable `systemd --user` session; managed daemon install is unsupported.
- The Linux smoke now falls back to a manual `setsid openclaw gateway run --bind loopback --port 18789 --force` launch with `HOME=/root` and the provider secret exported, then verifies `gateway status --deep --require-rpc` when available.
- The Linux manual gateway launch should wait for `gateway status --deep --require-rpc` inside the `gateway-start` phase; otherwise the first status probe can race the background bind and fail a healthy lane.
- If Linux gateway bring-up fails, inspect `/tmp/openclaw-parallels-linux-gateway.log` in the guest phase logs first; the common failure mode is a missing provider secret in the launched gateway environment.
-
-## Discord roundtrip
-
- Discord roundtrip is optional and should be enabled with:
-  - `--discord-token-env`
-  - `--discord-guild-id`
-  - `--discord-channel-id`
- After a successful Discord smoke/roundtrip, shut down the guest VM before handoff (`prlctl stop "$VM_NAME"` or the concrete VM name). The macOS smoke harness should do this automatically after successful Discord proof; still stop the VM manually after ad-hoc Discord checks. Do not leave the Discord-configured guest running; it can keep reading/posting in `#maintainer` and spam Discord after the proof is complete.
- Keep the Discord token only in a host env var.
- Use installed `openclaw message send/read`, not `node openclaw.mjs message ...`.
- Set `channels.discord.guilds` as one JSON object, not dotted config paths with snowflakes.
- Avoid long `prlctl enter` or expect-driven Discord config scripts; prefer `prlctl exec --current-user /bin/sh -lc ...` with short commands.
- For a narrower macOS-only Discord proof run, the existing `parallels-discord-roundtrip` skill is the deep-dive companion.
--- a/.agents/skills/openclaw-pr-maintainer/SKILL.md
+++ b/.agents/skills/openclaw-pr-maintainer/SKILL.md
@@ -1,107 +0,0 @@
---
-name: openclaw-pr-maintainer
-description: Review, triage, close, label, comment on, or land OpenClaw PRs/issues with maintainer evidence checks.
---
-
-# OpenClaw PR Maintainer
-
-Use this skill for maintainer-facing GitHub workflow, not for ordinary code changes.
-
-## Start issue and PR triage with ghcrawl
-
- Anytime you inspect OpenClaw issues or PRs, check local `ghcrawl` data first for related threads, duplicate attempts, and already-landed fixes.
- Use `ghcrawl` for candidate discovery and clustering; use `gh`, `gh api`, and the current checkout to verify live state before commenting, labeling, closing, or landing.
- If `ghcrawl` is missing, stale, lacks the target thread, or has no embeddings for neighbor/search commands, fall back to the GitHub search workflow below.
- Do not run expensive/update commands such as `ghcrawl refresh`, `ghcrawl embed`, or `ghcrawl cluster` unless the user asked to update the local store or the stale data is blocking the decision.
-
-Common read-only path:
-
-```bash
-ghcrawl threads openclaw/openclaw --numbers <issue-or-pr-number> --include-closed --json
-ghcrawl neighbors openclaw/openclaw --number <issue-or-pr-number> --limit 12 --json
-ghcrawl search openclaw/openclaw --query "<scope or title keywords>" --mode hybrid --json
-ghcrawl cluster-detail openclaw/openclaw --id <cluster-id> --member-limit 20 --body-chars 280 --json
-```
-
-## Apply close and triage labels correctly
-
- If an issue or PR matches an auto-close reason, apply the label and let `.github/workflows/auto-response.yml` handle the comment/close/lock flow.
- Do not manually close plus manually comment for these reasons.
- `r:*` labels can be used on both issues and PRs.
- Current reasons:
-  - `r: skill`
-  - `r: support`
-  - `r: no-ci-pr`
-  - `r: too-many-prs`
-  - `r: testflight`
-  - `r: third-party-extension`
-  - `r: moltbook`
-  - `r: spam`
-  - `invalid`
-  - `dirty` for PRs only
-
-## Enforce the bug-fix evidence bar
-
- Never merge a bug-fix PR based only on issue text, PR text, or AI rationale.
- Before landing, require:
-  1. symptom evidence such as a repro, logs, or a failing test
-  2. a verified root cause in code with file/line
-  3. a fix that touches the implicated code path
-  4. a regression test when feasible, or explicit manual verification plus a reason no test was added
- If the claim is unsubstantiated or likely wrong, request evidence or changes instead of merging.
- If the linked issue appears outdated or incorrect, correct triage first. Do not merge a speculative fix.
-
-## Close low-signal manual PRs carefully
-
- Do not close for red CI alone. Require a clear low-signal category plus stale or failed validation.
- Good manual-close categories:
-  - blank or mostly untouched PR template with no concrete OpenClaw problem/fix
-  - random docs-only churn such as root README translations, generic wording tweaks, or community-plugin discoverability docs that should go through ClawHub
-  - test-only coverage without a linked bug, owner request, or behavior change
-  - refactor-only cleanup, variable renames, formatting, or generated/baseline churn without maintainer request
-  - third-party channel/provider/tool/skill/plugin work that belongs on ClawHub instead of core
-  - risky ops/infra drive-bys such as new external CI services, release workflows, host upgrade scripts, Docker base migrations, or apt retry/fix-missing tweaks without owner request and green validation
-  - dirty branches where a narrow stated change includes unrelated docs/generated/runtime/extension files
-  - repeated bot-review spam or copied bot output without author-owned fixes
- Keep or escalate plausible focused bug fixes, green PRs, active maintainer discussions, assigned work, recent author follow-up, and unique reproduction details.
- For third-party capabilities, prefer the `r: third-party-extension` auto-response label when it applies; it points contributors to publish on ClawHub.
-
-## Handle GitHub text safely
-
- For issue comments and PR comments, use literal multiline strings or `-F - <<'EOF'` for real newlines. Never embed `\n`.
- Do not use `gh issue/pr comment -b "..."` when the body contains backticks or shell characters. Prefer a single-quoted heredoc.
- Do not wrap issue or PR refs like `#24643` in backticks when you want auto-linking.
- PR landing comments should include clickable full commit links for landed and source SHAs when present.
-
-## Search broadly before deciding
-
- Prefer `ghcrawl` first. Then use targeted GitHub keyword search to verify gaps, live status, comments, and candidates not present in the local store.
- Use `--repo openclaw/openclaw` with `--match title,body` first when using `gh search`.
- Add `--match comments` when triaging follow-up discussion or closed-as-duplicate chains.
- Do not stop at the first 500 results when the task requires a full search.
-
-Examples:
-
-```bash
-gh search prs --repo openclaw/openclaw --match title,body --limit 50 -- "auto-update"
-gh search issues --repo openclaw/openclaw --match title,body --limit 50 -- "auto-update"
-gh search issues --repo openclaw/openclaw --match title,body --limit 50 \
-  --json number,title,state,url,updatedAt -- "auto update" \
-  --jq '.[] | "\(.number) | \(.state) | \(.title) | \(.url)"'
-```
-
-## Follow PR review and landing hygiene
-
- If bot review conversations exist on your PR, address them and resolve them yourself once fixed.
- Leave a review conversation unresolved only when reviewer or maintainer judgment is still needed.
- When landing or merging any PR, follow the global `/landpr` process.
- Use `scripts/committer "<msg>" <file...>` for scoped commits instead of manual `git add` and `git commit`.
- Keep commit messages concise and action-oriented.
- Group related changes; avoid bundling unrelated refactors.
- Use `.github/pull_request_template.md` for PR submissions and `.github/ISSUE_TEMPLATE/` for issues.
- Do not commit PR-only artifacts such as screenshots under `.github/pr-assets`; attach them to the PR/comment or use an external artifact store instead.
-
-## Extra safety
-
- If a close or reopen action would affect more than 5 PRs, ask for explicit confirmation with the exact count and target query first.
- `sync` means: if the tree is dirty, commit all changes with a sensible Conventional Commit message, then `git pull --rebase`, then `git push`. Stop if rebase conflicts cannot be resolved safely.
--- a/.agents/skills/openclaw-qa-testing/SKILL.md
+++ b/.agents/skills/openclaw-qa-testing/SKILL.md
@@ -1,221 +0,0 @@
---
-name: openclaw-qa-testing
-description: Run, watch, debug, extend, or explain OpenClaw qa-lab and qa-channel scenarios, artifacts, and live lanes.
---
-
-# OpenClaw QA Testing
-
-Use this skill for `qa-lab` / `qa-channel` work. Repo-local QA only.
-
-## Read first
-
- `docs/concepts/qa-e2e-automation.md`
- `docs/help/testing.md`
- `docs/channels/qa-channel.md`
- `qa/README.md`
- `qa/scenarios/index.md`
- `extensions/qa-lab/src/suite.ts`
- `extensions/qa-lab/src/character-eval.ts`
-
-## Model policy
-
- Live OpenAI lane: `openai/gpt-5.4`
- Fast mode: on
- Do not use:
-  - `openai/gpt-5.4-pro`
-  - `openai/gpt-5.4-mini`
- Only change model policy if the user explicitly asks.
-
-## Default workflow
-
-1. Read the scenario pack and current suite implementation.
-2. Decide lane:
-   - mock/dev: `mock-openai`
-   - real validation: `live-frontier`
-3. For live OpenAI, use:
-
-```bash
-OPENCLAW_LIVE_OPENAI_KEY="${OPENAI_API_KEY}" \
-pnpm openclaw qa suite \
-  --provider-mode live-frontier \
-  --model openai/gpt-5.4 \
-  --alt-model openai/gpt-5.4 \
-  --output-dir .artifacts/qa-e2e/run-all-live-frontier-<tag>
-```
-
-4. Watch outputs:
-   - summary: `.artifacts/qa-e2e/run-all-live-frontier-<tag>/qa-suite-summary.json`
-   - report: `.artifacts/qa-e2e/run-all-live-frontier-<tag>/qa-suite-report.md`
-5. If the user wants to watch the live UI, find the current `openclaw-qa` listen port and report `http://127.0.0.1:<port>`.
-6. If a scenario fails, fix the product or harness root cause, then rerun the full lane.
-
-## OTEL smoke
-
-For local QA-lab OpenTelemetry validation, use:
-
-```bash
-pnpm qa:otel:smoke
-```
-
-This starts a local OTLP/HTTP trace receiver, runs the `otel-trace-smoke`
-scenario through qa-channel, decodes the emitted protobuf spans, and verifies
-the exported trace names and privacy contract. It does not require Opik,
-Langfuse, or external collector credentials.
-
-## QA credentials and 1Password
-
- Use `op` only inside `tmux` for QA secret lookup in this repo.
- Quick auth check inside tmux:
-
-```bash
-op account list
-```
-
- Direct Telegram npm live test secrets currently live in 1Password item:
-  - vault: `OpenClaw`
-  - item: `Telegram E2E`
- That item is the first place to look for:
-  - `OPENCLAW_QA_TELEGRAM_DRIVER_BOT_TOKEN`
-  - `OPENCLAW_QA_TELEGRAM_SUT_BOT_TOKEN`
-  - `OPENCLAW_QA_PROVIDER_MODE`
-  - `OPENCLAW_NPM_TELEGRAM_PACKAGE_SPEC`
- Convex QA secrets currently live in 1Password items:
-  - vault: `OpenClaw`
-  - item: `OPENCLAW_QA_CONVEX_SITE_URL`
-  - item: `OPENCLAW_QA_CONVEX_SECRET_MAINTAINER`
-  - item: `OPENCLAW_QA_CONVEX_SECRET_CI`
- Additional related notes/login items seen during QA credential work:
-  - vault: `Private`
-  - items: `OPENCLAW QA`, `Convex`, `Telegram`
- If a required value is missing from those notes:
-  - do not guess
-  - ask the maintainer/operator for the current value or the current 1Password item name
-  - for Telegram direct runs, `OPENCLAW_QA_TELEGRAM_GROUP_ID` may be stored separately from `Telegram E2E`
-  - for Convex runs, the leased Telegram credential should provide the Telegram group id and bot tokens together; do not require a separate `OPENCLAW_QA_TELEGRAM_GROUP_ID`
-  - for Convex runs, prefer `OpenClaw/OPENCLAW_QA_CONVEX_SITE_URL`; if that is stale or unclear, ask for the active pool URL before running
- Prefer direct Telegram envs for the npm Telegram Docker lane when available:
-
-```bash
-OPENCLAW_QA_TELEGRAM_GROUP_ID="..." \
-OPENCLAW_QA_TELEGRAM_DRIVER_BOT_TOKEN="..." \
-OPENCLAW_QA_TELEGRAM_SUT_BOT_TOKEN="..." \
-OPENCLAW_QA_PROVIDER_MODE="mock-openai" \
-OPENCLAW_NPM_TELEGRAM_PACKAGE_SPEC="openclaw@beta" \
-pnpm test:docker:npm-telegram-live
-```
-
- Prefer Convex mode when the goal is stable shared QA infra:
-  - round-robin credential leasing
-  - thinner wrapper for channel-specific setup
-  - CLI/admin flows around the pooled credentials
- Live npm Telegram Docker lane note:
-  - `scripts/e2e/npm-telegram-live-runner.ts` reads `OPENCLAW_NPM_TELEGRAM_PROVIDER_MODE`
-  - do not assume `OPENCLAW_QA_PROVIDER_MODE` is consumed by that wrapper
-  - if a 1Password note only gives `OPENCLAW_QA_PROVIDER_MODE`, map it explicitly to `OPENCLAW_NPM_TELEGRAM_PROVIDER_MODE` before running the Docker lane
- Verified live shape:
-  - Convex mode can pass the real Docker lane without direct Telegram env vars
-  - leased Telegram payload includes the group id coupled to the driver/SUT tokens
-  - a real run of `pnpm test:docker:npm-telegram-live` passed with:
-    - `OPENCLAW_QA_CREDENTIAL_SOURCE=convex`
-    - `OPENCLAW_QA_CREDENTIAL_ROLE=maintainer`
-    - `OPENCLAW_QA_CONVEX_SITE_URL`
-    - `OPENCLAW_QA_CONVEX_SECRET_MAINTAINER`
-    - `OPENCLAW_NPM_TELEGRAM_PROVIDER_MODE=mock-openai`
-
-## Character evals
-
-Use `qa character-eval` for style/persona/vibe checks across multiple live models.
-
-```bash
-pnpm openclaw qa character-eval \
-  --model openai/gpt-5.4,thinking=xhigh \
-  --model openai/gpt-5.2,thinking=xhigh \
-  --model openai/gpt-5,thinking=xhigh \
-  --model anthropic/claude-opus-4-6,thinking=high \
-  --model anthropic/claude-sonnet-4-6,thinking=high \
-  --model zai/glm-5.1,thinking=high \
-  --model moonshot/kimi-k2.5,thinking=high \
-  --model google/gemini-3.1-pro-preview,thinking=high \
-  --judge-model openai/gpt-5.4,thinking=xhigh,fast \
-  --judge-model anthropic/claude-opus-4-6,thinking=high \
-  --concurrency 16 \
-  --judge-concurrency 16 \
-  --output-dir .artifacts/qa-e2e/character-eval-<tag>
-```
-
- Runs local QA gateway child processes, not Docker.
- Preferred model spec syntax is `provider/model,thinking=<level>[,fast|,no-fast|,fast=<bool>]` for both `--model` and `--judge-model`.
- Do not add new examples with separate `--model-thinking`; keep that flag as legacy compatibility only.
- Defaults to candidate models `openai/gpt-5.4`, `openai/gpt-5.2`, `openai/gpt-5`, `anthropic/claude-opus-4-6`, `anthropic/claude-sonnet-4-6`, `zai/glm-5.1`, `moonshot/kimi-k2.5`, and `google/gemini-3.1-pro-preview` when no `--model` is passed.
- Candidate thinking defaults to `high`, with `xhigh` for OpenAI models that support it. Prefer inline `--model provider/model,thinking=<level>`; `--thinking <level>` and `--model-thinking <provider/model=level>` remain compatibility shims.
- OpenAI candidate refs default to fast mode so priority processing is used where supported. Use inline `,fast`, `,no-fast`, or `,fast=false` for one model; use `--fast` only to force fast mode for every candidate.
- Judges default to `openai/gpt-5.4,thinking=xhigh,fast` and `anthropic/claude-opus-4-6,thinking=high`.
- Report includes judge ranking, run stats, durations, and full transcripts; do not include raw judge replies. Duration is benchmark context, not a grading signal.
- Candidate and judge concurrency default to 16. Use `--concurrency <n>` and `--judge-concurrency <n>` to override when local gateways or provider limits need a gentler lane.
- Scenario source should stay markdown-driven under `qa/scenarios/`.
- For isolated character/persona evals, write the persona into `SOUL.md` and blank `IDENTITY.md` in the scenario flow. Use `SOUL.md + IDENTITY.md` only when intentionally testing how the normal OpenClaw identity combines with the character.
- Keep prompts natural and task-shaped. The candidate model should receive character setup through `SOUL.md`, then normal user turns such as chat, workspace help, and small file tasks; do not ask "how would you react?" or tell the model it is in an eval.
- Prefer at least one real task, such as creating or editing a tiny workspace artifact, so the transcript captures character under normal tool use instead of pure roleplay.
-
-## Codex CLI model lane
-
-Use model refs shaped like `codex-cli/<codex-model>` whenever QA should exercise Codex as a model backend.
-
-Examples:
-
-```bash
-pnpm openclaw qa suite \
-  --provider-mode live-frontier \
-  --model codex-cli/<codex-model> \
-  --alt-model codex-cli/<codex-model> \
-  --scenario <scenario-id> \
-  --output-dir .artifacts/qa-e2e/codex-<tag>
-```
-
-```bash
-pnpm openclaw qa manual \
-  --model codex-cli/<codex-model> \
-  --message "Reply exactly: CODEX_OK"
-```
-
- Treat the concrete Codex model name as user/config input; do not hardcode it in source, docs examples, or scenarios.
- Live QA preserves `CODEX_HOME` so Codex CLI auth/config works while keeping `HOME` and `OPENCLAW_HOME` sandboxed.
- Mock QA should scrub `CODEX_HOME`.
- If Codex returns fallback/auth text every turn, first check `CODEX_HOME`, `~/.profile`, and gateway child logs before changing scenario assertions.
- For model comparison, include `codex-cli/<codex-model>` as another candidate in `qa character-eval`; the report should label it as an opaque model name.
-
-## Repo facts
-
- Seed scenarios live in `qa/`.
- Main live runner: `extensions/qa-lab/src/suite.ts`
- QA lab server: `extensions/qa-lab/src/lab-server.ts`
- Child gateway harness: `extensions/qa-lab/src/gateway-child.ts`
- Synthetic channel: `extensions/qa-channel/`
-
-## What “done” looks like
-
- Full suite green for the requested lane.
- User gets:
-  - watch URL if applicable
-  - pass/fail counts
-  - artifact paths
-  - concise note on what was fixed
-
-## Common failure patterns
-
- Live timeout too short:
-  - widen live waits in `extensions/qa-lab/src/suite.ts`
- Discovery cannot find repo files:
-  - point prompts at `repo/...` inside seeded workspace
- Subagent proof too brittle:
-  - prefer stable final reply evidence over transient child-session listing
- Harness “rebuild” delay:
-  - dirty tree can trigger a pre-run build; expect that before ports appear
-
-## When adding scenarios
-
- Add or update scenario markdown under `qa/scenarios/`
- Keep kickoff expectations in `qa/scenarios/index.md` aligned
- Add executable coverage in `extensions/qa-lab/src/suite.ts`
- Prefer end-to-end assertions over mock-only checks
- Save outputs under `.artifacts/qa-e2e/`
--- a/.agents/skills/openclaw-qa-testing/agents/openai.yaml
+++ b/.agents/skills/openclaw-qa-testing/agents/openai.yaml
@@ -1,4 +0,0 @@
-interface:
-  display_name: "QA Test OpenClaw"
-  short_description: "Run and debug qa-lab and qa-channel scenarios"
-  default_prompt: "Use $openclaw-qa-testing to run or extend the OpenClaw QA suite with qa-lab and qa-channel, using regular openai/gpt-5.4 in fast mode for live OpenAI runs."
--- a/.agents/skills/openclaw-release-maintainer/SKILL.md
+++ b/.agents/skills/openclaw-release-maintainer/SKILL.md
@@ -1,616 +0,0 @@
---
-name: openclaw-release-maintainer
-description: Prepare or verify OpenClaw stable/beta releases, changelogs, release notes, publish commands, and artifacts.
---
-
-# OpenClaw Release Maintainer
-
-Use this skill for release and publish-time workflow. Keep ordinary development changes and GHSA-specific advisory work outside this skill.
-
-## Respect release guardrails
-
- Do not change version numbers without explicit operator approval.
- Ask permission before any npm publish or release step.
- This skill should be sufficient to drive the normal release flow end-to-end.
- Use the private maintainer release docs for credentials, recovery steps, and mac signing/notary specifics, and use `docs/reference/RELEASING.md` for public policy.
- Core `openclaw` publish is manual `workflow_dispatch`; creating or pushing a tag does not publish by itself.
- Normal release work happens on a branch cut from `main`, not directly on
-  `main`. Use `release/YYYY.M.D` for the branch name.
- If the operator asks for a release without saying stable/full, default to
-  beta only. Continue from beta to stable only when the operator explicitly asks
-  for the full release or an automated beta-and-stable train.
- Before release branching, pull latest `main` and confirm current `main` CI is
-  green. Then branch from that commit so regular development can continue on
-  `main` while release validation runs.
- Before release branching, commit any dirty files in coherent groups, push,
-  pull/rebase, then run `/changelog` on `main` and commit/push/pull that
-  changelog rewrite immediately before creating the release branch.
- During release planning, inspect both `src/plugins/compat/registry.ts` and
-  `src/commands/doctor/shared/deprecation-compat.ts` before branching and again
-  before final publish. For every deprecated or removal-pending compatibility
-  record whose `removeAfter` date is on or before the release date, either
-  remove the compatibility path where safe and validate the affected tests, or
-  write down why removal is blocked and get explicit maintainer approval before
-  shipping the expired compatibility path.
- When removing deprecated runtime/config compatibility, preserve any doctor
-  migration, repair, or hint that is still needed by supported upgrade paths.
-  Doctor-side compatibility should stay tracked in
-  `src/commands/doctor/shared/deprecation-compat.ts` until maintainers confirm
-  the repair is no longer needed.
- Revalidate compatibility replacement text during release planning. The
-  recommended replacement can shift as plugin ownership, externalization, and
-  config footprint move, so do not blindly copy stale replacement annotations
-  into release notes.
- Do not delete or rewrite beta tags after they leave the machine. If a
-  published or pushed beta needs a fix, commit the fix on the release branch and
-  increment to the next `-beta.N`.
- For a beta release train, run the fast local preflight first, publish the
-  beta to npm `beta`, then run the expensive published-package roster focused
-  on install/update/Docker/Parallels/NPM Telegram. If anything fails, fix it on
-  the release branch, commit/push/pull, increment beta number, and repeat. Run
-  the full expensive roster at least once before stable/latest promotion; for
-  later beta attempts, rerun only lanes whose evidence changed unless the fix
-  touches broad release, install/update, plugin, Docker, Parallels, or live QA
-  behavior. After each beta is published, scan current `main` once for critical
-  fixes that landed after the release branch cut and backport only important
-  low-risk fixes. Operators may authorize up to 4 autonomous beta attempts;
-  after 4 failed beta attempts, stop and report.
- Use `/changelog` before version/tag preparation so the top changelog section
-  is deduped and ordered by user impact.
- Do not create beta-specific `CHANGELOG.md` headings. Beta releases use the
-  stable base version section, for example `v2026.4.20-beta.1` uses
-  `## 2026.4.20` release notes.
- When any beta or stable release is live, make a best-effort Discord
-  announcement using Peter's bot token from `.profile`; do not block or roll
-  back the release if the announcement fails.
- When asked to announce on X, use `~/Projects/bird/bird` and follow the
-  release tweet style below.
-
-## Keep release channel naming aligned
-
- `stable`: tagged releases only, published to npm `beta` by default; operators may target npm `latest` explicitly or promote later
- `beta`: prerelease tags like `vYYYY.M.D-beta.N`, with npm dist-tag `beta`
- Prefer `-beta.N`; do not mint new `-1` or `-2` beta suffixes
- `dev`: moving head on `main`
- When using a beta Git tag, publish npm with the matching beta version suffix so the plain version is not consumed or blocked
-
-## Handle versions and release files consistently
-
- Version locations include:
-  - `package.json`
-  - `apps/android/app/build.gradle.kts`
-  - `apps/ios/Sources/Info.plist`
-  - `apps/ios/Tests/Info.plist`
-  - `apps/macos/Sources/OpenClaw/Resources/Info.plist`
-  - `docs/install/updating.md`
-  - Peekaboo Xcode project and plist version fields
- Before creating a release tag, make every version location above match the version encoded by that tag.
- For fallback correction tags like `vYYYY.M.D-N`, the repo version locations still stay at `YYYY.M.D`.
- “Bump version everywhere” means all version locations above except `appcast.xml`.
- Release signing and notary credentials live outside the repo in the private maintainer docs.
- Every stable OpenClaw release ships the npm package and macOS app together.
-  Beta releases normally ship npm/package artifacts first and skip mac app
-  build/sign/notarize unless the operator requests mac beta validation.
- Do not let the slower macOS signing/notary path block npm publication once
-  the npm preflight has passed. Keep mac validation/publish running in
-  parallel, publish npm from the successful npm preflight, then start published
-  npm install/update, Docker, and Parallels verification while mac artifacts
-  continue.
- After a beta is published, overlap remote/manual release rosters where useful,
-  but avoid piling local Docker, Parallels, and QA-Lab work onto the same host
-  when it would create system-load noise. Use selective reruns after failures or
-  fixes, but keep proof that Docker, Parallels, and QA-Lab each passed at least
-  once before stable/latest promotion.
- Mac packaging may be built from a slight release-branch variation of the
-  tagged commit when the delta is mac packaging, signing, workflow, or
-  validation-only release machinery. If mac packaging needs release-branch-only
-  fixes after the stable npm package or GitHub tag is already published, do not
-  create a `vYYYY.M.D-N` correction tag just to change the workflow source.
-  Dispatch the private mac workflows for the original `tag=vYYYY.M.D` with
-  `source_ref=release/YYYY.M.D` and `public_release_branch=release/YYYY.M.D`;
-  provenance checks must prove the source SHA descends from the tag and
-  validation/preflight use the same source. Reserve `vYYYY.M.D-N` correction
-  tags for emergency hotfixes that must publish a new npm package/release
-  identity, not for ordinary mac-only packaging recovery.
- The production Sparkle feed lives at `https://raw.githubusercontent.com/openclaw/openclaw/main/appcast.xml`, and the canonical published file is `appcast.xml` on `main` in the `openclaw` repo.
- That shared production Sparkle feed is stable-only. Beta mac releases may
-  upload assets to the GitHub prerelease, but they must not replace the shared
-  `appcast.xml` unless a separate beta feed exists.
- For fallback correction tags like `vYYYY.M.D-N`, the repo version still stays
-  at `YYYY.M.D`, but the mac release must use a strictly higher numeric
-  `APP_BUILD` / Sparkle build than the original release so existing installs
-  see it as newer.
-
-## Build changelog-backed release notes
-
- Before release branching or tagging, rewrite the target `CHANGELOG.md`
-  section from commit history, not just from existing notes: scan commits since
-  the last reachable release tag, add missed user-facing changes, dedupe
-  overlapping entries, and sort each section from most to least interesting for
-  users.
- Changelog entries should be user-facing, not internal release-process notes.
- GitHub release and prerelease bodies must use the full matching
-  `CHANGELOG.md` version section, not highlights or an excerpt. When creating
-  or editing a release, extract from `## YYYY.M.D` through the line before the
-  next level-2 heading and use that complete block as the release notes.
- When preparing release notes, scan `src/plugins/compat/registry.ts` and
-  `src/commands/doctor/shared/deprecation-compat.ts` for compatibility records
-  with `warningStarts` or `removeAfter` within 7 days after the release date.
-  Add an `Upcoming deprecations` note to the release notes when any exist,
-  including the compatibility code, target date, replacement, and a link to the
-  record's `docsPath` or `/plugins/compatibility` when no more specific
-  deprecation page exists.
- When cutting a mac release with a beta GitHub prerelease:
-  - tag `vYYYY.M.D-beta.N` from the release commit
-  - create a prerelease titled `openclaw YYYY.M.D-beta.N`
-  - use release notes from the stable base `CHANGELOG.md` version section
-    (`## YYYY.M.D`), not a beta-specific heading
-  - attach at least the zip and dSYM zip, plus dmg if available
- Keep the top version entries in `CHANGELOG.md` sorted by impact:
-  - `### Changes` first
-  - `### Fixes` deduped with user-facing fixes first
-
-## Write release tweets
-
-Use the OpenClaw account's existing release-post style:
-
- Format: `OpenClaw YYYY.M.D 🦞` or `🦞 OpenClaw YYYY.M.D is live`, blank line,
-  then 3-4 emoji-led bullets, blank line, one short punchline, then the release
-  link.
- For beta: say `OpenClaw YYYY.M.D-beta.N 🦞` or `OpenClaw YYYY.M.D beta N is
-live`; keep it clearly beta and avoid implying stable promotion.
- Lead with user-visible capabilities, then important integrations, then
-  reliability/security/install fixes. Compress "lots of fixes" into one
-  readable bullet.
- Read the full changelog section before drafting. Do not lead with coverage,
-  CI, validation, or internal release mechanics unless the release is explicitly
-  about those. Peter prefers concrete user wins: features, integrations,
-  workflow improvements, and practical reliability fixes.
- Tone: high-signal, slightly cheeky, confident, not corporate. One joke is
-  enough. Avoid punching down, insulting users, or promising what was not
-  verified.
- Peter likes dry, compact taglines when they feel earned. Good example:
-  `Big release, tiny release notes... kidding.` Keep the joke short and let the
-  feature bullets carry the tweet; do not turn the punchline into a second
-  paragraph or a forced bit.
- Length: release tweets are always standard tweets under 280 characters, with
-  room for one URL. Trim to 3-4 bullets and count the final text before posting.
- Links/media: include the GitHub release or changelog link at the end of the
-  first release tweet.
- Thread follow-ups: if doing a thread, keep the first release tweet as the
-  compact launch post, then publish one focused feature explainer per reply.
-  Follow-up replies should not repeat "new in VERSION" or the version number
-  when the thread context already makes it obvious.
- Every follow-up tweet should include a docs URL for that specific feature.
-  Prefer a bare URL over `Docs: <url>` unless the label is needed for clarity.
-  Keep follow-ups concise: around 160-220 raw characters is usually the sweet
-  spot; under 280 is the hard cap. If a URL makes a tweet fail, trim prose
-  before dropping the URL.
-  Prefer explaining diagnostics, trajectory/export, provider setup, model
-  commands, or other setup-heavy features in follow-ups instead of overloading
-  the first release tweet.
- Hotfix/correction: be direct and accountable. State what slipped, what is
-  fixed, and the new version. Keep jokes out of incident-style posts.
-
-Examples to adapt:
-
-```text
-OpenClaw 2026.4.20-beta.1 🦞
-
-🐳 Docker install/update smoke
-🖥️ Parallels upgrade checks
-🔧 Package verification tightened
-
-Beta first. Stable after the gauntlet.
-<release link>
-```
-
-```text
-OpenClaw 2026.4.20 🦞
-
-🚀 Faster install + update
-🐳 Docker + Parallels verified
-🍎 macOS signed + notarized
-🔧 Channel/plugin fixes
-
-Good boring release. Best kind.
-<release link>
-```
-
-```text
-Packaging issue in 2026.4.20-beta.1.
-
-2026.4.20-beta.2 fixes install/update verification. No tag rewrites; beta moves
-forward.
-
-Upgrade with the beta channel.
-<release link>
-```
-
-## Run publish-time validation
-
-Before tagging or publishing, run:
-
-```bash
-pnpm check:architecture
-pnpm build
-pnpm ui:build
-pnpm qa:otel:smoke
-pnpm release:check
-pnpm test:install:smoke
-```
-
- Use `pnpm qa:otel:smoke` when release validation needs telemetry coverage.
-  It starts a local OTLP/HTTP trace receiver, runs QA-lab's
-  `otel-trace-smoke`, and checks span names plus content/identifier redaction
-  without external Opik or Langfuse credentials.
-
-For a non-root smoke path:
-
-```bash
-  OPENCLAW_INSTALL_SMOKE_SKIP_NONROOT=1 pnpm test:install:smoke
-```
-
-After npm publish, run:
-
-```bash
-node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
-```
-
- This verifies the published registry install path in a fresh temp prefix.
- For stable correction releases like `YYYY.M.D-N`, it also verifies the
-  upgrade path from `YYYY.M.D` to `YYYY.M.D-N` so a correction publish cannot
-  silently leave existing global installs on the old base stable payload.
- Treat install smoke as a pack-budget gate too. `pnpm test:install:smoke`
-  now fails the candidate update tarball when npm reports an oversized
-  `unpackedSize`, so release-time e2e cannot miss pack bloat that would risk
-  low-memory install/startup failures.
- Keep direct npm global coverage enabled in install smoke. It exercises plain
-  `npm install -g <candidate>` fresh installs and npm-driven update installs,
-  because many users install with npm even when docs prefer pnpm.
- Use `pnpm test:live:media video` for bounded video-provider smoke when video
-  generation is in release scope. The default video smoke skips `fal`, runs one
-  text-to-video attempt per provider with a one-second lobster prompt, and caps
-  each provider operation with `OPENCLAW_LIVE_VIDEO_GENERATION_TIMEOUT_MS`
-  (`180000` by default).
- Run `pnpm test:live:media video --video-providers fal` only when FAL-specific
-  proof is required. Its queue latency can dominate release time.
- Set `OPENCLAW_LIVE_VIDEO_GENERATION_FULL_MODES=1` only when intentionally
-  validating the slower image-to-video and video-to-video transform lanes.
-
-## Check all relevant release builds
-
- Always validate the OpenClaw npm release path before creating the tag.
- Source Peter's profile before live release validation so OpenAI and Anthropic
-  credentials are available without printing secrets:
-  `set -a; source "$HOME/.profile"; set +a`.
- Parallels validation and any local live model QA for this train must use both
-  `OPENAI_API_KEY` and `ANTHROPIC_API_KEY`. If either is missing after sourcing
-  `.profile`, stop before starting those local long lanes and report the
-  missing key.
- Live credentialed channel QA is the GitHub Actions workflow
-  `QA-Lab - All Lanes` (`.github/workflows/qa-live-telegram-convex.yml`), not a
-  local substitute. Dispatch it from Actions against the release tag and wait
-  for it to pass before npm preflight/publish readiness. Use a SHA only when it
-  satisfies the workflow's secret-bearing trust gate: main ancestor or open PR
-  head. It runs the QA Lab mock parity gate plus live Matrix and live Telegram
-  lanes using the `qa-live-shared` environment; Telegram uses Convex CI
-  credential leases.
- Default release checks:
-  - `pnpm check`
-  - `pnpm check:test-types`
-  - `pnpm check:architecture`
-  - `pnpm build`
-  - `pnpm ui:build`
-  - `pnpm release:check`
-  - `OPENCLAW_INSTALL_SMOKE_SKIP_NONROOT=1 pnpm test:install:smoke`
- Full pre-npm beta test roster:
-  - default release checks above
-  - all Docker tests: `pnpm test:docker:all`, plus standalone Docker live lanes
-    not covered by the aggregate when operator says "all docker tests":
-    `pnpm test:docker:live-acp-bind`, `pnpm test:docker:live-cli-backend`, and
-    `pnpm test:docker:live-codex-harness`
-  - all Parallels install/update tests:
-    `pnpm test:parallels:npm-update -- --json` plus any needed individual
-    rerun lanes from `openclaw-parallels-smoke`
-  - all QA release validation: dispatch GitHub Actions > `QA-Lab - All Lanes`
-    against the release tag and require success. This is the release gate for
-    live credentialed Matrix/Telegram channel coverage. Use a SHA only when it
-    satisfies the workflow trust gate. Run local OpenAI/Anthropic suites or
-    repo-backed character evals only when the operator asks for extra model
-    coverage or a failure needs local debugging.
- Post-published beta verification roster:
-  - `node --import tsx scripts/openclaw-npm-postpublish-verify.ts <beta-version>`
-  - install/update smoke against the published beta channel
-  - Docker install/update coverage that exercises the published beta package
-  - published npm Telegram proof: dispatch Actions > `NPM Telegram Beta E2E`
-    from `main` with `package_spec=openclaw@<beta-version>` and
-    `provider_mode=mock-openai`, and require success. This workflow is
-    maintainer-dispatched and intentionally has no `npm-release` approval gate;
-    `qa-live-shared` only supplies the shared QA secrets. This is the default
-    button path for installed-package onboarding, Telegram setup, and real
-    Telegram E2E against the published npm package.
-    Use the local `pnpm test:docker:npm-telegram-live` lane with the matching
-    `OPENCLAW_NPM_TELEGRAM_PACKAGE_SPEC` and Convex CI env only as a fallback
-    or debugging path.
-  - Parallels published beta install/update coverage with both OpenAI and
-    Anthropic provider keys available
-  - Parallels install/update proof must keep plugin installs enabled unless the
-    operator explicitly scopes a harness-only isolation check; a lane that
-    disables bundled plugin installs is not valid plugin/dependency release
-    evidence.
-  - targeted QA reruns only for areas touched by fixes after the full pre-npm
-    roster, unless the operator requests the full QA roster again. If the fix
-    touches live channel QA, credential plumbing, Matrix, Telegram, or the QA
-    harness, rerun Actions > `QA-Lab - All Lanes`.
- Check all release-related build surfaces touched by the release, not only the npm package.
- For beta-style full e2e batteries, hard-cap top-level long lanes instead of letting them run indefinitely. Use host `timeout --foreground`/`gtimeout --foreground` caps such as:
-  - `45m` for `OPENCLAW_INSTALL_SMOKE_SKIP_NONROOT=1 pnpm test:install:smoke`
-  - `90m` for `pnpm test:docker:all`
-  - `60m` each for standalone Docker live lanes
-  - `180m` for local full QA live OpenAI + Anthropic rosters when explicitly
-    requested; the default release channel QA gate is Actions >
-    `QA-Lab - All Lanes`
-  - Parallels caps from the `openclaw-parallels-smoke` skill
-    If a lane hits its cap, stop and inspect/fix the affected lane before continuing; do not continue to wait on the same process.
- Actual npm install/update phases are capped at 5 minutes. If `npm install -g`, installer package install, or `openclaw update` takes longer than 300s in release e2e, stop treating the run as healthy progress and debug the installer/updater or harness.
- Serialize host build/package mutations ahead of VM lanes. Finish `pnpm build`, `pnpm ui:build`, `pnpm release:check`, install smoke, and any Docker/package-prep lanes before starting Parallels `npm pack` lanes; otherwise `dist` can disappear during VM pack prep and produce false failures.
- Include mac release readiness in preflight by running the public validation
-  workflow in `openclaw/openclaw` and the real mac preflight in
-  `openclaw/releases-private` for every release.
- Treat the `appcast.xml` update on `main` as part of mac release readiness, not an optional follow-up.
- The workflows remain tag-based. The agent is responsible for making sure
-  preflight runs complete successfully before any publish run starts.
- Any fix after preflight means a new commit. Delete and recreate the tag and
-  matching GitHub release from the fixed commit, then rerun preflight from
-  scratch before publishing.
-  Exception: never delete or recreate a beta tag that has already been pushed or
-  published; increment to the next beta number instead.
- For stable mac releases, generate the signed `appcast.xml` before uploading
-  public release assets so the updater feed cannot lag the published binaries.
- Serialize stable appcast-producing runs across tags so two releases do not
-  generate replacement `appcast.xml` files from the same stale seed.
- For stable releases, rely primarily on the latest beta's broader release
-  workflow confidence. When promoting the matching non-beta build to npm
-  `latest`, prefer a light time-bounded verification pass: published npm
-  postpublish verify, Docker install/update smoke, macOS-only Parallels
-  install/update smoke, and required QA signal. Do not rerun the full
-  Docker/Parallels matrix unless the beta evidence is stale, the stable build
-  differs materially from beta, or the operator explicitly asks for full
-  retesting.
- If any required build, packaging step, or release workflow is red, do not say the release is ready.
-
-## Use the right auth flow
-
- OpenClaw publish uses GitHub trusted publishing.
- Stable npm promotion from `beta` to `latest` uses the private
-  `openclaw/releases-private/.github/workflows/openclaw-npm-dist-tags.yml`
-  workflow because `npm dist-tag` management needs `NPM_TOKEN`, while the
-  public npm release workflow stays OIDC-only.
- Prefer fixing the private workflow token path over any local 1Password
-  fallback. The desired setup is a granular npm token stored as the private
-  repo's `NPM_TOKEN` secret, scoped to the `openclaw` package with read/write
-  and 2FA bypass for automation.
- If the private dist-tag workflow cannot promote because `NPM_TOKEN` is absent
-  or stale, use the local tmux + 1Password fallback:
-  - Start or reuse a tmux session so interactive `npm login` and OTP prompts
-    are observable and recoverable.
-  - Hard rule: never run `op` directly in the main agent shell during release
-    work. Any 1Password CLI use must happen inside that tmux session so prompts
-    and alerts are contained and observable.
-  - Use the 1Password item `op://Private/Npmjs` for npm credentials and OTP.
-    Do not print passwords, tokens, or OTPs to the transcript; send them through
-    tmux buffers, env vars scoped to the tmux command, or `expect` with
-    `log_user 0`.
-  - Re-authenticate npm inside that tmux session with
-    `npm login --auth-type=legacy`, then confirm `npm whoami` reports
-    `steipete`.
-  - Promote with a fresh OTP:
-    `npm dist-tag add openclaw@YYYY.M.D latest --otp "$OTP"`.
-  - Verify with a cache-bypassed registry read, for example:
-    `npm view openclaw dist-tags --json --prefer-online --cache /tmp/openclaw-npm-cache-verify-$$`
-    and `npm view openclaw@latest version dist.tarball --json --prefer-online`.
- Direct stable publishes can also use that private dist-tag workflow to point
-  `beta` at the already-published `latest` version when the operator wants both
-  tags aligned immediately.
- The publish run must be started manually with `workflow_dispatch`.
- The npm workflow and the private mac publish workflow accept
-  `preflight_only=true` to run validation/build/package steps without uploading
-  public release assets.
- Real npm publish requires a prior successful npm preflight run id so the
-  publish job promotes the prepared tarball instead of rebuilding it.
- Real private mac publish requires a prior successful private mac preflight
-  run id so the publish job promotes the prepared artifacts instead of
-  rebuilding or renotarizing them again.
- The private mac workflow also accepts `smoke_test_only=true` for branch-safe
-  workflow smoke tests that use ad-hoc signing, skip notarization, skip shared
-  appcast generation, and do not prove release readiness.
- `preflight_only=true` on the npm workflow is also the right way to validate an
-  existing tag after publish; it should keep running the build checks even when
-  the npm version is already published.
- npm validation-only preflight may still be dispatched from ordinary branches
-  when testing workflow changes before merge. Release checks and real publish
-  use only `main` or `release/YYYY.M.D`.
- `.github/workflows/macos-release.yml` in `openclaw/openclaw` is now a
-  public validation-only handoff. It validates the tag/release state and points
-  operators to the private repo. It still rebuilds the JS outputs needed for
-  release validation, but it does not sign, notarize, or publish macOS
-  artifacts.
- `openclaw/releases-private/.github/workflows/openclaw-macos-validate.yml`
-  is the required private mac validation lane for `swift test`; keep it green
-  before any real stable mac publish run starts.
- Real mac preflight and real mac publish both use
-  `openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml`.
- The private mac validation lane runs on GitHub's standard macOS runner.
- The private mac preflight path runs on GitHub's xlarge macOS runner and uses
-  a SwiftPM cache because the build/sign/notarize/package path is CPU-heavy.
- Private mac preflight uploads notarized build artifacts as workflow artifacts
-  instead of uploading public GitHub release assets.
- Private smoke-test runs upload ad-hoc, non-notarized build artifacts as
-  workflow artifacts and intentionally skip stable `appcast.xml` generation.
- For stable releases, npm preflight, public mac validation, private mac
-  validation, and private mac preflight must all pass before any real publish
-  run starts. For beta releases, npm preflight plus the selected Docker,
-  install/update, Parallels, and release-check lanes are sufficient unless mac
-  beta validation was explicitly requested.
- Real publish runs may be dispatched from `main` or from a
-  `release/YYYY.M.D` branch. For release-branch runs, the tag must be contained
-  in that release branch, and the real publish must reuse a successful preflight
-  from the same branch.
- The release workflows stay tag-based; rely on the documented release sequence
-  rather than workflow-level SHA pinning.
- The `npm-release` environment must be approved by `@openclaw/openclaw-release-managers` before publish continues.
- Mac publish uses
-  `openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml` for
-  private mac preflight artifact preparation and real publish artifact
-  promotion.
- Real private mac publish uploads the packaged `.zip`, `.dmg`, and
-  `.dSYM.zip` assets to the existing GitHub release in `openclaw/openclaw`
-  automatically when `OPENCLAW_PUBLIC_REPO_RELEASE_TOKEN` is present in the
-  private repo `mac-release` environment.
- For stable releases, the agent must also download the signed
-  `macos-appcast-<tag>` artifact from the successful private mac workflow and
-  then update `appcast.xml` on `main`.
- For beta mac releases, do not update the shared production `appcast.xml`
-  unless a separate beta Sparkle feed exists.
- The private repo targets a dedicated `mac-release` environment. If the GitHub
-  plan does not yet support required reviewers there, do not assume the
-  environment alone is the approval boundary; rely on private repo access and
-  CODEOWNERS until those settings can be enabled.
- Do not use `NPM_TOKEN` or the plugin OTP flow for the OpenClaw package
-  publish path; package publishing uses trusted publishing.
- Use `NPM_TOKEN` only for explicit npm dist-tag management modes, because npm
-  does not support trusted publishing for `npm dist-tag add`.
- `@openclaw/*` plugin publishes use a separate maintainer-only flow.
- Only publish plugins that already exist on npm; bundled disk-tree-only plugins stay unpublished.
-
-## Fallback local mac publish
-
- Keep the original local macOS publish workflow available as a fallback in case
-  CI/CD mac publishing is unavailable or broken.
- Preserve the existing maintainer workflow Peter uses: run it on a real Mac
-  with local signing, notary, and Sparkle credentials already configured.
- Follow the private maintainer macOS runbook for the local steps:
-  `scripts/package-mac-dist.sh` to build, sign, notarize, and package the app;
-  manual GitHub release asset upload; then `scripts/make_appcast.sh` plus the
-  `appcast.xml` commit to `main`.
- `scripts/package-mac-dist.sh` now fails closed for release builds if the
-  bundled app comes out with a debug bundle id, an empty Sparkle feed URL, or a
-  `CFBundleVersion` below the canonical Sparkle build floor for that short
-  version. For correction tags, set a higher explicit `APP_BUILD`.
- `scripts/make_appcast.sh` first uses `generate_appcast` from `PATH`, then
-  falls back to the SwiftPM Sparkle tool output under `apps/macos/.build`.
- For stable tags, the local fallback may update the shared production
-  `appcast.xml`.
- For beta tags, the local fallback still publishes the mac assets but must not
-  update the shared production `appcast.xml` unless a separate beta feed exists.
- Treat the local workflow as fallback only. Prefer the CI/CD publish workflow
-  when it is working.
- After any stable mac publish, verify all of the following before you call the
-  release finished:
-  - the GitHub release has `.zip`, `.dmg`, and `.dSYM.zip` assets
-  - `appcast.xml` on `main` points at the new stable zip
-  - the packaged app reports the expected short version and a numeric
-    `CFBundleVersion` at or above the canonical Sparkle build floor
-
-## Run the release sequence
-
-1. Confirm the operator explicitly wants to cut a release.
-2. Choose the exact target version and git tag.
-3. Commit any dirty files in coherent groups, push, pull/rebase, and verify the
-   worktree is clean.
-4. Pull latest `main` and confirm current `main` CI is green.
-5. Run `/changelog` for the stable base target version on `main`, commit the
-   changelog rewrite immediately, push, and pull/rebase. For beta releases,
-   keep the changelog heading as `## YYYY.M.D`, not `## YYYY.M.D-beta.N`.
-6. Create `release/YYYY.M.D` from that post-changelog `main` commit.
-7. Make every repo version location match the beta tag before creating it.
-8. Commit release preparation changes on the release branch and push the branch.
-9. Run the fast local beta preflight from the release branch before any npm
-   preflight or publish. Keep expensive Docker, Parallels, and published-package
-   install/update lanes for after the beta is live unless the operator asks to
-   run them before beta publication.
-10. For beta releases, skip mac app build/sign/notarize unless beta scope or a
-    release blocker specifically requires it. For stable releases, include the
-    mac app, signing, notarization, and appcast path.
-11. Confirm the target npm version is not already published.
-12. Create and push the git tag from the release branch.
-13. Create or refresh the matching GitHub release.
-14. Dispatch Actions > `QA-Lab - All Lanes` against the release tag and wait
-    for the mock parity, live Matrix, and live Telegram credentialed-channel
-    lanes to pass.
-15. Start `.github/workflows/openclaw-npm-release.yml` from the release branch
-    with `preflight_only=true`
-    and choose the intended `npm_dist_tag` (`beta` default; `latest` only for
-    an intentional direct stable publish). Wait for it to pass. Save that run id
-    because the real publish requires it to reuse the prepared npm tarball.
-16. For stable releases, start `.github/workflows/macos-release.yml` in
-    `openclaw/openclaw` and wait for the public validation-only run to pass.
-17. For stable releases, start
-    `openclaw/releases-private/.github/workflows/openclaw-macos-validate.yml`
-    with the same tag and wait for the private mac validation lane to pass.
-18. For stable releases, start
-    `openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml`
-    with `preflight_only=true` and wait for it to pass. Save that run id because
-    the real publish requires it to reuse the notarized mac artifacts.
-19. If any preflight or validation run fails, fix the issue on a new commit,
-    delete the tag and matching GitHub release, recreate them from the fixed
-    commit, and rerun all relevant preflights from scratch before continuing.
-    Never reuse old preflight results after the commit changes. For pushed or
-    published beta tags, do not delete/recreate; increment to the next beta tag.
-20. Start `.github/workflows/openclaw-npm-release.yml` from the same branch with
-    the same tag for the real publish, choose `npm_dist_tag` (`beta` default,
-    `latest` only when you intentionally want direct stable publish), keep it
-    the same as the preflight run, and pass the successful npm
-    `preflight_run_id`.
-21. Wait for `npm-release` approval from `@openclaw/openclaw-release-managers`.
-22. Run postpublish verification:
-    `node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>`.
-23. Run the post-published beta verification roster. First scan current `main`
-    for critical fixes that landed after the release branch cut; backport only
-    important low-risk fixes before starting expensive lanes, or increment to
-    the next beta if the fix must change the already-published package. If any
-    lane fails after the beta tag/package is pushed or published, fix,
-    commit/push/pull, increment to the next beta tag, and rerun the affected
-    beta evidence. Once the beta is live, start remote/manual rosters where they
-    can overlap safely, but keep local Docker and Parallels load controlled.
-    Ensure the full expensive roster has passed at least once before
-    stable/latest promotion. The roster includes the manual Actions >
-    `NPM Telegram Beta E2E` workflow against the exact published beta package.
-    If a pre-npm lane fails before any tag/package leaves the machine, fix and
-    rerun the same intended beta attempt. Repeat up to the operator's
-    authorized beta-attempt limit, normally 4.
-24. Announce the beta/stable release on Discord best-effort using Peter's bot
-    token from `.profile`.
-25. If the operator requested beta only, stop after beta verification and the
-    announcement.
-26. If the stable release was published to `beta`, use the light stable
-    promotion roster when the matching beta already carried the full confidence
-    pass: published npm postpublish verify, Docker install/update smoke,
-    macOS-only Parallels install/update smoke, and required QA signal.
-    Then start the private
-    `openclaw/releases-private/.github/workflows/openclaw-npm-dist-tags.yml`
-    workflow to promote that stable version from `beta` to `latest`, then
-    verify `latest` now points at that version.
-27. If the stable release was published directly to `latest` and `beta` should
-    follow it, start that same private dist-tag workflow to point `beta` at the
-    stable version, then verify both `latest` and `beta` point at that version.
-28. For stable releases, start
-    `openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml`
-    for the real publish with the successful private mac `preflight_run_id` and
-    wait for success.
-29. Verify the successful real private mac run uploaded the `.zip`, `.dmg`,
-    and `.dSYM.zip` artifacts to the existing GitHub release in
-    `openclaw/openclaw`.
-30. For stable releases, download `macos-appcast-<tag>` from the successful
-    private mac run, update `appcast.xml` on `main`, and verify the feed. Merge
-    or cherry-pick release branch changes back to `main` after stable succeeds.
-31. For beta releases, publish the mac assets only when intentionally requested;
-    expect no shared production
-    `appcast.xml` artifact and do not update the shared production feed unless a
-    separate beta feed exists.
-32. After publish, verify npm and the attached release artifacts.
-
-## GHSA advisory work
-
- Use `openclaw-ghsa-maintainer` for GHSA advisory inspection, patch/publish flow, private-fork validation, and GHSA API-specific publish checks.
--- a/.agents/skills/openclaw-secret-scanning-maintainer/SKILL.md
+++ b/.agents/skills/openclaw-secret-scanning-maintainer/SKILL.md
@@ -1,220 +0,0 @@
---
-name: openclaw-secret-scanning-maintainer
-description: Triage, redact, clean up, and resolve OpenClaw GitHub Secret Scanning alerts in issues or PRs.
---
-
-# OpenClaw Secret Scanning Maintainer
-
-**Maintainer-only.** This skill requires repo admin / maintainer permissions to edit or delete other users' comments and resolve secret scanning alerts.
-
-Use this skill when processing alerts from `https://github.com/openclaw/openclaw/security/secret-scanning`.
-
-**Language rule:** All notification comments and replacement comments MUST be written in English.
-
-## Script
-
-All mechanical operations (API calls, temp file management, security enforcements) are handled by:
-
-```
-$REPO_ROOT/.agents/skills/openclaw-secret-scanning-maintainer/scripts/secret-scanning.mjs
-```
-
-The script enforces:
-
- `hide_secret=true` on all alert fetches (no plaintext secrets in stdout)
- `mktemp` with random UUIDs for all temp files
- `-F body=@file` for all body uploads (no inline shell quoting)
- Notification templates branched by location type
- Never prints `.secret` or `.body` to stdout
-
-## Overall Flow
-
-Supports single or multiple alerts. For multiple alerts, process in ascending order.
-
-For each alert:
-
-1. **Identify** — `fetch-alert` + `fetch-content` to get metadata and body
-2. **Decide** — Agent reads the body file, identifies all secrets, produces redacted version
-3. **Redact** — `redact-body` for issue/PR body; skip for comments (delete directly)
-4. **Purge** — `delete-comment` + `recreate-comment` for comments; cannot purge body history
-5. **Notify** — `notify` posts the right template per location type
-6. **Resolve** — `resolve` closes the alert
-7. **Summary** — `summary` prints formatted results
-
-## Step 1: Identify
-
-```bash
-# List all open alerts
-node secret-scanning.mjs list-open
-
-# Fetch specific alert metadata + locations
-node secret-scanning.mjs fetch-alert <NUMBER>
-
-# Fetch content for each location (saves body to temp file)
-node secret-scanning.mjs fetch-content '<location-json>'
-```
-
-The `fetch-content` output includes:
-
- `body_file`: path to temp file with full body content
- `author`: who posted it
- `issue_number` / `pr_number`: where it is
- `edit_history_count`: number of existing edits
- `type`: location type for routing
- For `discussion_comment`, it also includes `comment_node_id`, `discussion_node_id`, and `reply_to_node_id` when the original comment was a reply.
-
-### Location type routing
-
-| type                          | Flow                                          |
-| ----------------------------- | --------------------------------------------- |
-| `issue_comment`               | Comment: delete+recreate                      |
-| `pull_request_comment`        | Comment: delete+recreate                      |
-| `pull_request_review_comment` | Comment: delete+recreate                      |
-| `discussion_comment`          | Discussion comment: delete+recreate (GraphQL) |
-| `issue_body`                  | Body: redact in place                         |
-| `pull_request_body`           | Body: redact in place                         |
-| `commit`                      | Notify only                                   |
-| _other_                       | Skip and report                               |
-
-## Step 2: Decide (Agent)
-
-The agent reads the body file from `fetch-content` output and:
-
-1. Identifies ALL secrets in the content (there may be more than the alert flagged)
-2. Replaces each secret with `[REDACTED <secret_type>]` — **no partial values, no prefix/suffix**
-3. Saves the redacted content to a new temp file
-
-This is the only step that requires semantic understanding. Everything else is mechanical.
-
-## Step 3: Redact
-
-### For comments (issue_comment / PR comments)
-
-**Do NOT redact.** Skip directly to Step 4 (delete + recreate). PATCHing before DELETE creates an unnecessary edit history revision.
-
-### For issue_body / pull_request_body
-
-```bash
-node secret-scanning.mjs redact-body <issue|pr> <NUMBER> <redacted-body-file>
-```
-
-## Step 4: Purge Edit History
-
-### Comments — Delete and Recreate
-
-For issue/PR comments:
-
-```bash
-# Delete original (all edit history gone)
-node secret-scanning.mjs delete-comment <COMMENT_ID>
-
-# Recreate with redacted content
-node secret-scanning.mjs recreate-comment <ISSUE_NUMBER> <body-file>
-```
-
-For discussion comments (uses GraphQL):
-
-```bash
-# Delete original
-node secret-scanning.mjs delete-discussion-comment <COMMENT_NODE_ID>
-
-# Recreate with redacted content
-node secret-scanning.mjs recreate-discussion-comment <DISCUSSION_NODE_ID> <body-file> [REPLY_TO_NODE_ID]
-```
-
-The `fetch-content` output for `discussion_comment` includes `comment_node_id` and `discussion_node_id` for these commands. When the original discussion comment was a reply, it also includes `reply_to_node_id`; pass that optional third argument so the redacted replacement stays in the original thread.
-
-The recreated comment should follow this format:
-
-```
-> **Note:** The original comment by @<AUTHOR> has been removed due to secret leakage. Below is the redacted version of the original content.
-
---
-
-<redacted original content>
-```
-
-### issue_body / pull_request_body — Cannot Purge
-
-Editing creates an edit history revision with the pre-edit plaintext. This cannot be cleared via API.
-
-**Output to maintainer terminal only (never in public comments):**
-
-```
-⚠️ Issue/PR body edit history still contains plaintext secrets.
-Contact GitHub Support to purge: https://support.github.com/contact
-Request purge of issue/PR #{NUMBER} userContentEdits.
-```
-
-> **CRITICAL:** Do NOT mention edit history or the "edited" button in any public comment or resolution_comment.
-
-### Commits
-
-Cannot clean. Notify author to delete branch or force-push (for unmerged PRs).
-
-## Step 5: Notify
-
-```bash
-node secret-scanning.mjs notify <TARGET> <AUTHOR> <LOCATION_TYPE> <SECRET_TYPES> [REPLY_TO_NODE_ID]
-```
-
- For non-discussion types, `<TARGET>` is the issue/PR number.
- For `discussion_comment`, `<TARGET>` is the `discussion_node_id` returned by `fetch-content`.
- For reply-style `discussion_comment` locations, pass the optional `reply_to_node_id` from `fetch-content` so the notification stays in the same thread.
-
-Secret types are comma-separated: `"Discord Bot Token,Feishu App Secret"`
-
-The script picks the right template:
-
- **comment types**: "your comment … removed and replaced"
- **body types**: "your issue/PR description … redacted in place"
- **commit**: "code you committed"
-
-## Step 6: Resolve
-
-```bash
-node secret-scanning.mjs resolve <ALERT_NUMBER>
-# or with custom resolution:
-node secret-scanning.mjs resolve <ALERT_NUMBER> revoked "Custom comment"
-```
-
-Resolution is `revoked` by default. As maintainers we cannot control whether users rotate — our responsibility is to redact + notify. The `revoked` means "this secret should be considered leaked", not "I confirmed it was revoked".
-
-## Step 7: Summary
-
-After processing, create a JSON results file and pass it to the summary command:
-
-```bash
-node secret-scanning.mjs summary /tmp/results.json
-```
-
-The script outputs a block delimited by `---BEGIN SUMMARY---` and `---END SUMMARY---`. **You MUST output the content between these markers verbatim to the user. Do NOT rephrase, reformat, abbreviate, or create your own summary.** The script already includes full URLs for every alert and location.
-
-The JSON format:
-
-```json
-[
-  {
-    "number": 72,
-    "secret_type": "Discord Bot Token",
-    "location_label": "Issue #63101 comment",
-    "location_url": "https://github.com/openclaw/openclaw/issues/63101#issuecomment-xxx",
-    "actions": "Deleted+Recreated+Notified",
-    "history_cleared": true
-  }
-]
-```
-
-For unsupported types, add `"skipped": true, "unsupported_type": "<type>"`.
-
-## Safety Rules
-
- **Agent reads content, identifies secrets, produces redaction.** Script handles all API calls.
- **Never include any portion of a secret** in public comments, redaction markers, or terminal output.
- **Never include alert URLs or numbers** in public comments.
- **For comments, skip PATCH — go directly to DELETE + recreate.**
- **Never mention edit history, "edited" button, or commit SHAs** in any public content.
- **Ask for confirmation** before deleting any comment.
- **One alert at a time** unless user requests batch.
- **All public comments in English.**
- **Skip unsupported location types** and report in summary.
--- a/.agents/skills/openclaw-secret-scanning-maintainer/scripts/secret-scanning.mjs
+++ b/.agents/skills/openclaw-secret-scanning-maintainer/scripts/secret-scanning.mjs
@@ -1,797 +0,0 @@
-#!/usr/bin/env node
-// Secret scanning alert handler for OpenClaw maintainers.
-// Usage: node secret-scanning.mjs <command> [options]
-
-import { execFileSync, spawnSync } from "node:child_process";
-import crypto from "node:crypto";
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-
-const REPO = "openclaw/openclaw";
-const REPO_URL = `https://github.com/${REPO}`;
-
-// ─── Helpers ────────────────────────────────────────────────────────────────
-
-function fail(message) {
-  console.error(`error: ${message}`);
-  process.exit(1);
-}
-
-function tmpFile(purpose) {
-  const filePath = path.join(os.tmpdir(), `secretscan-${purpose}-${crypto.randomUUID()}`);
-  // 预创建文件，限制权限为 owner-only
-  fs.writeFileSync(filePath, "", { mode: 0o600 });
-  return filePath;
-}
-
-function gh(args, { json = true, allowFailure = false } = {}) {
-  const proc = spawnSync("gh", args, { encoding: "utf8", maxBuffer: 10 * 1024 * 1024 });
-  if (proc.status !== 0 && !allowFailure) {
-    fail(`gh ${args.slice(0, 3).join(" ")} failed:\n${(proc.stderr || proc.stdout || "").trim()}`);
-  }
-  if (proc.status !== 0) {
-    return {
-      gh_failed: true,
-      status: proc.status,
-      stdout: proc.stdout,
-      stderr: proc.stderr,
-    };
-  }
-  if (!json) return proc.stdout;
-  try {
-    return JSON.parse(proc.stdout);
-  } catch {
-    return proc.stdout;
-  }
-}
-
-function ghGraphQL(query, options = {}) {
-  return gh(["api", "graphql", "-f", `query=${query}`], options);
-}
-
-function failOnGraphQLFailure(result, message) {
-  if (result?.gh_failed) {
-    const details = (
-      result.stderr ||
-      result.stdout ||
-      `gh exited with status ${result.status}`
-    ).trim();
-    fail(`${message}: ${details}`);
-  }
-  if (Array.isArray(result?.errors) && result.errors.length > 0) {
-    fail(`${message}: ${JSON.stringify(result.errors)}`);
-  }
-}
-
-function escapeGraphQLString(value) {
-  return String(value)
-    .replace(/\\/g, "\\\\")
-    .replace(/"/g, '\\"')
-    .replace(/\r/g, "\\r")
-    .replace(/\n/g, "\\n");
-}
-
-function formatGraphQLAfterClause(cursor) {
-  return cursor ? `, after: "${escapeGraphQLString(cursor)}"` : "";
-}
-
-function findDiscussionCommentNode(nodes, discussionCommentDbId) {
-  return nodes.find((node) => String(node.databaseId) === String(discussionCommentDbId)) || null;
-}
-
-function fetchDiscussionReplyPage(commentNodeId, cursor) {
-  const afterClause = formatGraphQLAfterClause(cursor);
-  return ghGraphQL(`{
-    node(id: "${escapeGraphQLString(commentNodeId)}") {
-      ... on DiscussionComment {
-        replies(first: 100${afterClause}) {
-          pageInfo { hasNextPage endCursor }
-          nodes {
-            id
-            databaseId
-            author { login }
-            body
-            url
-            replyTo { id }
-            userContentEdits(first: 50) {
-              totalCount
-            }
-          }
-        }
-      }
-    }
-  }}`);
-}
-
-function fetchDiscussionComment(discussionNumber, discussionCommentDbId) {
-  const [owner, name] = REPO.split("/");
-  let discussionId = null;
-  let cursor = null;
-  let hasNextPage = true;
-
-  while (hasNextPage) {
-    const afterClause = formatGraphQLAfterClause(cursor);
-    const gql = ghGraphQL(
-      `{
-        repository(owner: "${owner}", name: "${name}") {
-          discussion(number: ${discussionNumber}) {
-            id
-            comments(first: 50${afterClause}) {
-              pageInfo { hasNextPage endCursor }
-              nodes {
-                id
-                databaseId
-                author { login }
-                body
-                url
-                replyTo { id }
-                userContentEdits(first: 50) {
-                  totalCount
-                }
-                replies(first: 100) {
-                  pageInfo { hasNextPage endCursor }
-                  nodes {
-                    id
-                    databaseId
-                    author { login }
-                    body
-                    url
-                    replyTo { id }
-                    userContentEdits(first: 50) {
-                      totalCount
-                    }
-                  }
-                }
-              }
-            }
-          }
-        }
-      }`,
-      { allowFailure: true },
-    );
-    failOnGraphQLFailure(gql, `Failed to fetch discussion #${discussionNumber}`);
-
-    const discussion = gql?.data?.repository?.discussion;
-    if (!discussion)
-      fail(
-        `Discussion #${discussionNumber} not found — it may have been deleted. The alert cannot be processed via this skill.`,
-      );
-
-    discussionId = discussion.id;
-
-    for (const topLevelComment of discussion.comments.nodes) {
-      if (String(topLevelComment.databaseId) === String(discussionCommentDbId)) {
-        return { discussionId, comment: topLevelComment };
-      }
-
-      let reply = findDiscussionCommentNode(topLevelComment.replies.nodes, discussionCommentDbId);
-      let replyCursor = topLevelComment.replies.pageInfo.endCursor;
-      let hasMoreReplies = topLevelComment.replies.pageInfo.hasNextPage;
-
-      while (!reply && hasMoreReplies) {
-        const replyPage = fetchDiscussionReplyPage(topLevelComment.id, replyCursor);
-        failOnGraphQLFailure(
-          replyPage,
-          `Failed to fetch replies for discussion comment ${topLevelComment.id}`,
-        );
-        const replies = replyPage?.data?.node?.replies;
-        if (!replies)
-          fail(`Failed to paginate replies for discussion comment ${topLevelComment.id}`);
-
-        reply = findDiscussionCommentNode(replies.nodes, discussionCommentDbId);
-        hasMoreReplies = replies.pageInfo.hasNextPage;
-        replyCursor = replies.pageInfo.endCursor;
-      }
-
-      if (reply) return { discussionId, comment: reply };
-    }
-
-    hasNextPage = discussion.comments.pageInfo.hasNextPage;
-    cursor = discussion.comments.pageInfo.endCursor;
-  }
-
-  return { discussionId, comment: null };
-}
-
-function createDiscussionComment(discussionNodeId, body, replyToNodeId) {
-  const replyToClause = replyToNodeId ? `, replyToId: "${escapeGraphQLString(replyToNodeId)}"` : "";
-  const result = ghGraphQL(
-    `mutation { addDiscussionComment(input: { discussionId: "${escapeGraphQLString(discussionNodeId)}"${replyToClause}, body: "${escapeGraphQLString(body)}" }) { comment { id url } } }`,
-  );
-  if (result?.errors) {
-    fail(`Failed to create discussion comment: ${JSON.stringify(result.errors)}`);
-  }
-  return result?.data?.addDiscussionComment?.comment;
-}
-
-// ─── Commands ───────────────────────────────────────────────────────────────
-
-/**
- * fetch-alert <number>
- * Fetch alert metadata + locations. Never exposes .secret.
- */
-function cmdFetchAlert(alertNumber) {
-  if (!alertNumber) fail("Usage: fetch-alert <number>");
-
-  const alert = gh(["api", `repos/${REPO}/secret-scanning/alerts/${alertNumber}?hide_secret=true`]);
-
-  const locations = gh([
-    "api",
-    `repos/${REPO}/secret-scanning/alerts/${alertNumber}/locations`,
-    "--paginate",
-    "--slurp",
-  ]);
-  // --paginate + --slurp 确保多页结果合并为一个 JSON 数组
-  const flatLocations = Array.isArray(locations?.[0])
-    ? locations.flat()
-    : Array.isArray(locations)
-      ? locations
-      : [];
-
-  const result = {
-    number: alert.number,
-    state: alert.state,
-    secret_type: alert.secret_type,
-    secret_type_display_name: alert.secret_type_display_name,
-    validity: alert.validity,
-    html_url: alert.html_url,
-    locations: flatLocations.map((loc) => ({
-      type: loc.type,
-      details: loc.details,
-    })),
-  };
-
-  console.log(JSON.stringify(result, null, 2));
-}
-
-/**
- * fetch-content <location-json>
- * Fetch the content and metadata for a specific location.
- * Saves full body to a temp file. Prints metadata + file path to stdout.
- */
-function cmdFetchContent(locationJson) {
-  if (!locationJson) fail("Usage: fetch-content '<location-json>'");
-  const location = JSON.parse(locationJson);
-  const type = location.type;
-  const details = location.details;
-
-  if (type === "discussion_comment") {
-    const commentUrl = details.discussion_comment_url;
-    if (!commentUrl) fail("No discussion_comment_url in location details");
-
-    const urlMatch = commentUrl.match(/discussions\/(\d+)#discussioncomment-(\d+)/);
-    if (!urlMatch) fail(`Cannot parse discussion comment URL: ${commentUrl}`);
-    const discussionNumber = urlMatch[1];
-    const discussionCommentDbId = urlMatch[2];
-
-    const { discussionId, comment } = fetchDiscussionComment(
-      discussionNumber,
-      discussionCommentDbId,
-    );
-    if (!comment)
-      fail(
-        `Discussion comment #${discussionCommentDbId} not found in discussion #${discussionNumber}`,
-      );
-
-    const bodyFile = tmpFile("body.md");
-    fs.writeFileSync(bodyFile, comment.body || "");
-
-    console.log(
-      JSON.stringify(
-        {
-          type,
-          comment_node_id: comment.id,
-          discussion_node_id: discussionId,
-          reply_to_node_id: comment.replyTo?.id ?? null,
-          discussion_number: Number(discussionNumber),
-          discussion_comment_db_id: Number(discussionCommentDbId),
-          author: comment.author?.login,
-          html_url: comment.url || commentUrl,
-          edit_history_count: comment.userContentEdits?.totalCount ?? 0,
-          body_file: bodyFile,
-        },
-        null,
-        2,
-      ),
-    );
-  } else if (
-    type === "issue_comment" ||
-    type === "pull_request_comment" ||
-    type === "pull_request_review_comment"
-  ) {
-    // Extract comment ID from URL
-    const commentUrl =
-      details.issue_comment_url ||
-      details.pull_request_comment_url ||
-      details.pull_request_review_comment_url;
-    if (!commentUrl) fail(`No comment URL in location details`);
-
-    const comment = gh(["api", commentUrl]);
-    const bodyFile = tmpFile("body.md");
-    fs.writeFileSync(bodyFile, comment.body || "");
-
-    // Fetch edit history
-    const nodeId = comment.node_id;
-    const typeName =
-      type === "pull_request_review_comment" ? "PullRequestReviewComment" : "IssueComment";
-    const gql = ghGraphQL(`{
-      node(id: "${nodeId}") {
-        ... on ${typeName} {
-          userContentEdits(first: 50) {
-            totalCount
-          }
-        }
-      }
-    }`);
-    const editCount = gql?.data?.node?.userContentEdits?.totalCount ?? 0;
-
-    // Extract issue number from html_url
-    const htmlUrl = comment.html_url || details.html_url || "";
-    const issueMatch = htmlUrl.match(/\/(issues|pull)\/(\d+)/);
-    const issueNumber = issueMatch ? issueMatch[2] : null;
-
-    console.log(
-      JSON.stringify(
-        {
-          type,
-          comment_id: comment.id,
-          node_id: nodeId,
-          author: comment.user?.login,
-          issue_number: issueNumber,
-          html_url: htmlUrl,
-          edit_history_count: editCount,
-          body_file: bodyFile,
-        },
-        null,
-        2,
-      ),
-    );
-  } else if (type === "issue_body") {
-    const issueUrl = details.issue_body_url || details.issue_url;
-    if (!issueUrl) fail("No issue URL in location details");
-
-    const issue = gh(["api", issueUrl]);
-    const bodyFile = tmpFile("body.md");
-    fs.writeFileSync(bodyFile, issue.body || "");
-
-    const nodeId = issue.node_id;
-    const number = issue.number;
-    const gql = ghGraphQL(`{
-      node(id: "${nodeId}") {
-        ... on Issue {
-          userContentEdits(first: 50) {
-            totalCount
-          }
-        }
-      }
-    }`);
-    const editCount = gql?.data?.node?.userContentEdits?.totalCount ?? 0;
-
-    console.log(
-      JSON.stringify(
-        {
-          type,
-          issue_number: number,
-          node_id: nodeId,
-          author: issue.user?.login,
-          html_url: issue.html_url,
-          edit_history_count: editCount,
-          body_file: bodyFile,
-        },
-        null,
-        2,
-      ),
-    );
-  } else if (type === "pull_request_body") {
-    const prUrl = details.pull_request_body_url || details.pull_request_url;
-    if (!prUrl) fail("No PR URL in location details");
-
-    const pr = gh(["api", prUrl]);
-    const bodyFile = tmpFile("body.md");
-    fs.writeFileSync(bodyFile, pr.body || "");
-
-    const nodeId = pr.node_id;
-    const number = pr.number;
-    const gql = ghGraphQL(`{
-      node(id: "${nodeId}") {
-        ... on PullRequest {
-          userContentEdits(first: 50) {
-            totalCount
-          }
-        }
-      }
-    }`);
-    const editCount = gql?.data?.node?.userContentEdits?.totalCount ?? 0;
-
-    console.log(
-      JSON.stringify(
-        {
-          type,
-          pr_number: number,
-          node_id: nodeId,
-          author: pr.user?.login,
-          merged: pr.merged,
-          state: pr.state,
-          html_url: pr.html_url,
-          edit_history_count: editCount,
-          body_file: bodyFile,
-        },
-        null,
-        2,
-      ),
-    );
-  } else if (type === "commit") {
-    console.log(
-      JSON.stringify(
-        {
-          type,
-          commit_sha: details.commit_sha,
-          path: details.path,
-          start_line: details.start_line,
-          end_line: details.end_line,
-          html_url: details.html_url || details.commit_url || details.blob_url || null,
-          // No body file for commits
-          body_file: null,
-        },
-        null,
-        2,
-      ),
-    );
-  } else {
-    console.log(
-      JSON.stringify(
-        {
-          type,
-          unsupported: true,
-          details,
-        },
-        null,
-        2,
-      ),
-    );
-  }
-}
-
-/**
- * redact-body <issue|pr> <number> <redacted-body-file>
- * PATCH the issue or PR body with redacted content from a file.
- */
-function cmdRedactBody(kind, number, bodyFile) {
-  if (!kind || !number || !bodyFile) {
-    fail("Usage: redact-body <issue|pr> <number> <redacted-body-file>");
-  }
-  if (!fs.existsSync(bodyFile)) fail(`File not found: ${bodyFile}`);
-
-  const endpoint =
-    kind === "pr" ? `repos/${REPO}/pulls/${number}` : `repos/${REPO}/issues/${number}`;
-
-  gh(["api", endpoint, "-X", "PATCH", "-F", `body=@${bodyFile}`]);
-  console.log(JSON.stringify({ ok: true, kind, number: Number(number) }));
-}
-
-/**
- * delete-comment <comment-id>
- * Delete a comment (and all its edit history).
- */
-function cmdDeleteComment(commentId) {
-  if (!commentId) fail("Usage: delete-comment <comment-id>");
-  gh(["api", `repos/${REPO}/issues/comments/${commentId}`, "-X", "DELETE"], { json: false });
-  console.log(JSON.stringify({ ok: true, deleted_comment_id: Number(commentId) }));
-}
-
-/**
- * delete-discussion-comment <node-id>
- * Delete a discussion comment via GraphQL (and all its edit history).
- */
-function cmdDeleteDiscussionComment(nodeId) {
-  if (!nodeId) fail("Usage: delete-discussion-comment <node-id>");
-  const result = ghGraphQL(
-    `mutation { deleteDiscussionComment(input: { id: "${nodeId}" }) { comment { id } } }`,
-  );
-  if (result?.errors) {
-    fail(`Failed to delete discussion comment: ${JSON.stringify(result.errors)}`);
-  }
-  console.log(JSON.stringify({ ok: true, deleted_node_id: nodeId }));
-}
-
-/**
- * recreate-discussion-comment <discussion-node-id> <body-file> [reply-to-node-id]
- * Create a new discussion comment via GraphQL.
- */
-function cmdRecreateDiscussionComment(discussionNodeId, bodyFile, replyToNodeId) {
-  if (!discussionNodeId || !bodyFile)
-    fail("Usage: recreate-discussion-comment <discussion-node-id> <body-file> [reply-to-node-id]");
-  if (!fs.existsSync(bodyFile)) fail(`File not found: ${bodyFile}`);
-
-  const body = fs.readFileSync(bodyFile, "utf8");
-  const newComment = createDiscussionComment(discussionNodeId, body, replyToNodeId);
-  console.log(
-    JSON.stringify({
-      ok: true,
-      node_id: newComment?.id,
-      html_url: newComment?.url,
-    }),
-  );
-}
-
-/**
- * recreate-comment <issue-number> <body-file>
- * Create a new comment from a file.
- */
-function cmdRecreateComment(issueNumber, bodyFile) {
-  if (!issueNumber || !bodyFile) fail("Usage: recreate-comment <issue-number> <body-file>");
-  if (!fs.existsSync(bodyFile)) fail(`File not found: ${bodyFile}`);
-
-  const result = gh([
-    "api",
-    `repos/${REPO}/issues/${issueNumber}/comments`,
-    "-X",
-    "POST",
-    "-F",
-    `body=@${bodyFile}`,
-  ]);
-
-  console.log(
-    JSON.stringify({
-      ok: true,
-      comment_id: result.id,
-      html_url: result.html_url,
-    }),
-  );
-}
-
-/**
- * notify <target> <author> <location-type> <secret-types> [reply-to-node-id]
- * Post a notification comment with the correct template for the location type.
- * target = issue/PR number for non-discussion types, discussion node ID for discussion_comment.
- */
-function cmdNotify(target, author, locationType, secretTypes, replyToNodeId) {
-  if (!target || !author || !locationType || !secretTypes) {
-    fail(
-      "Usage: notify <target> <author> <location-type> <secret-types-comma-sep> [reply-to-node-id]",
-    );
-  }
-
-  const types = secretTypes.split(",").map((s) => s.trim());
-  const typeList = types.map((t, i) => `${i + 1}. **${t}**`).join("\n");
-
-  let locationDesc;
-  let actionDesc;
-  if (
-    locationType === "issue_comment" ||
-    locationType === "pull_request_comment" ||
-    locationType === "pull_request_review_comment" ||
-    locationType === "discussion_comment"
-  ) {
-    locationDesc = "your comment";
-    actionDesc = "The affected comment has been removed and replaced with a redacted version.";
-  } else if (locationType === "issue_body") {
-    locationDesc = "your issue description";
-    actionDesc = "The affected content has been redacted in place.";
-  } else if (locationType === "pull_request_body") {
-    locationDesc = "your pull request description";
-    actionDesc = "The affected content has been redacted in place.";
-  } else if (locationType === "commit") {
-    locationDesc = "code you committed";
-    actionDesc = "";
-  } else {
-    locationDesc = "your content";
-    actionDesc = "";
-  }
-
-  const body = [
-    `@${author} :warning: **Security Notice: Secret Leakage Detected**`,
-    "",
-    `GitHub Secret Scanning detected the following exposed secret types in ${locationDesc}:`,
-    "",
-    typeList,
-    "",
-    actionDesc,
-    "",
-    "**Please rotate these credentials immediately.**",
-    "",
-    "These secrets were publicly exposed and should be considered compromised.",
-  ]
-    .filter((line) => line !== undefined)
-    .join("\n");
-
-  // Discussion comments must be notified via GraphQL
-  if (locationType === "discussion_comment") {
-    const newComment = createDiscussionComment(target, body, replyToNodeId);
-    console.log(
-      JSON.stringify({
-        ok: true,
-        node_id: newComment?.id,
-        html_url: newComment?.url,
-      }),
-    );
-    return;
-  }
-
-  // Issue/PR comments via REST
-  const bodyFile = tmpFile("notify.md");
-  fs.writeFileSync(bodyFile, body);
-
-  const result = gh([
-    "api",
-    `repos/${REPO}/issues/${target}/comments`,
-    "-X",
-    "POST",
-    "-F",
-    `body=@${bodyFile}`,
-  ]);
-
-  console.log(
-    JSON.stringify({
-      ok: true,
-      comment_id: result.id,
-      html_url: result.html_url,
-    }),
-  );
-}
-
-/**
- * resolve <alert-number> [resolution] [comment]
- * Close a secret scanning alert.
- */
-function cmdResolve(alertNumber, resolution, comment) {
-  if (!alertNumber) fail("Usage: resolve <alert-number> [resolution] [comment]");
-
-  const res = resolution || "revoked";
-  const resComment = comment || "Content redacted and author notified to rotate credentials.";
-
-  const result = gh([
-    "api",
-    `repos/${REPO}/secret-scanning/alerts/${alertNumber}`,
-    "-X",
-    "PATCH",
-    "-f",
-    `state=resolved`,
-    "-f",
-    `resolution=${res}`,
-    "-f",
-    `resolution_comment=${resComment}`,
-  ]);
-
-  console.log(
-    JSON.stringify({
-      ok: true,
-      number: result.number,
-      state: result.state,
-      resolution: result.resolution,
-      resolved_at: result.resolved_at,
-    }),
-  );
-}
-
-/**
- * list-open
- * List all open secret scanning alerts.
- */
-function cmdListOpen() {
-  const alerts = gh([
-    "api",
-    `repos/${REPO}/secret-scanning/alerts?hide_secret=true&state=open`,
-    "--paginate",
-    "--slurp",
-  ]);
-
-  // --slurp 将分页结果合并为 [[page1], [page2], ...] 需要 flat
-  const flat = Array.isArray(alerts?.[0]) ? alerts.flat() : Array.isArray(alerts) ? alerts : [];
-  const rows = flat.map((a) => ({
-    number: a.number,
-    secret_type_display_name: a.secret_type_display_name,
-    html_url: a.html_url,
-    first_location_html_url: a.first_location_detected?.html_url || null,
-  }));
-
-  console.log(JSON.stringify(rows, null, 2));
-}
-
-/**
- * summary <json-file>
- * Print a formatted summary table from a JSON results file.
- */
-function cmdSummary(jsonFile) {
-  if (!jsonFile) fail("Usage: summary <json-file>");
-  if (!fs.existsSync(jsonFile)) fail(`File not found: ${jsonFile}`);
-
-  const results = JSON.parse(fs.readFileSync(jsonFile, "utf8"));
-  const lines = [];
-
-  lines.push("---BEGIN SUMMARY---");
-  lines.push("");
-  lines.push("## Secret Scanning Results");
-  lines.push("");
-  lines.push("| Alert | Type | Location | Actions | Edit History |");
-  lines.push("|-------|------|----------|---------|--------------|");
-
-  const needsPurge = [];
-
-  for (const r of results) {
-    const alertLink = `#${r.number} ${REPO_URL}/security/secret-scanning/${r.number}`;
-    const locationLink = r.location_url
-      ? `${r.location_label} ${r.location_url}`
-      : r.location_label;
-    const history = r.history_cleared ? "Cleared" : "⚠️ History remains";
-
-    lines.push(`| ${alertLink} | ${r.secret_type} | ${locationLink} | ${r.actions} | ${history} |`);
-
-    if (!r.history_cleared && r.location_url) {
-      needsPurge.push(r);
-    }
-  }
-
-  if (needsPurge.length > 0) {
-    lines.push("");
-    lines.push("Issues requiring GitHub Support to purge edit history:");
-    for (const r of needsPurge) {
-      lines.push(`- ${r.location_label} ${r.location_url} — ${r.secret_type}`);
-    }
-    lines.push(
-      `Contact: https://support.github.com/contact — request purge of userContentEdits for the above issues.`,
-    );
-  }
-
-  const skipped = results.filter((r) => r.skipped);
-  if (skipped.length > 0) {
-    lines.push("");
-    lines.push(
-      "⚠️ The following alerts were skipped because their location type is not supported:",
-    );
-    for (const r of skipped) {
-      lines.push(
-        `- Alert #${r.number}: unsupported type "${r.unsupported_type}" — ${REPO_URL}/security/secret-scanning/${r.number}`,
-      );
-    }
-    lines.push("Please update the skill to define handling for these types.");
-  }
-
-  lines.push("");
-  lines.push("---END SUMMARY---");
-
-  console.log(lines.join("\n"));
-}
-
-// ─── Dispatch ───────────────────────────────────────────────────────────────
-
-const [command, ...args] = process.argv.slice(2);
-
-const commands = {
-  "fetch-alert": () => cmdFetchAlert(args[0]),
-  "fetch-content": () => cmdFetchContent(args[0]),
-  "redact-body": () => cmdRedactBody(args[0], args[1], args[2]),
-  "delete-comment": () => cmdDeleteComment(args[0]),
-  "delete-discussion-comment": () => cmdDeleteDiscussionComment(args[0]),
-  "recreate-comment": () => cmdRecreateComment(args[0], args[1]),
-  "recreate-discussion-comment": () => cmdRecreateDiscussionComment(args[0], args[1], args[2]),
-  notify: () => cmdNotify(args[0], args[1], args[2], args[3], args[4]),
-  resolve: () => cmdResolve(args[0], args[1], args[2]),
-  "list-open": () => cmdListOpen(),
-  summary: () => cmdSummary(args[0]),
-};
-
-if (!command || !commands[command]) {
-  console.error(
-    [
-      "Usage: node secret-scanning.mjs <command> [args]",
-      "",
-      "Commands:",
-      "  fetch-alert <number>             Fetch alert metadata + locations",
-      "  fetch-content '<location-json>'   Fetch content for a location",
-      "  redact-body <issue|pr> <n> <file> PATCH body with redacted file",
-      "  delete-comment <comment-id>       Delete a comment",
-      "  delete-discussion-comment <node-id> Delete a discussion comment (GraphQL)",
-      "  recreate-comment <issue-n> <file> Create replacement comment",
-      "  recreate-discussion-comment <disc-node-id> <file> [reply-to-node-id] Create discussion comment (GraphQL)",
-      "  notify <target> <author> <type> <types> [reply-to-node-id] Post notification",
-      "  resolve <n> [resolution] [comment] Close alert",
-      "  list-open                          List open alerts",
-      "  summary <json-file>               Print formatted summary",
-    ].join("\n"),
-  );
-  process.exit(1);
-}
-
-commands[command]();
--- a/.agents/skills/openclaw-test-heap-leaks/SKILL.md
+++ b/.agents/skills/openclaw-test-heap-leaks/SKILL.md
@@ -1,75 +0,0 @@
---
-name: openclaw-test-heap-leaks
-description: Investigate OpenClaw pnpm test memory growth, Vitest OOMs, RSS spikes, and heap snapshot deltas.
---
-
-# OpenClaw Test Heap Leaks
-
-Use this skill for test-memory investigations. Do not guess from RSS alone when heap snapshots are available. Treat snapshot-name deltas as triage evidence, not proof, until retainers or dominators support the call.
-
-## Workflow
-
-1. Reproduce the failing shape first.
-   - Match the real entrypoint if possible. For Linux CI-style unit failures, start with:
-   - `pnpm canvas:a2ui:bundle && OPENCLAW_TEST_MEMORY_TRACE=1 OPENCLAW_TEST_HEAPSNAPSHOT_INTERVAL_MS=60000 OPENCLAW_TEST_HEAPSNAPSHOT_DIR=.tmp/heapsnap OPENCLAW_TEST_WORKERS=2 OPENCLAW_TEST_MAX_OLD_SPACE_SIZE_MB=6144 pnpm test`
-   - Keep `OPENCLAW_TEST_MEMORY_TRACE=1` enabled so the wrapper prints per-file RSS summaries alongside the snapshots.
-   - If the report is about a specific shard or worker budget, preserve that shape.
-   - Before you analyze snapshots, identify the real lane names from `[test-parallel] start ...` lines or `pnpm test --plan`. Do not assume a single `unit-fast` lane; local plans often split into `unit-fast-batch-*`.
-
-2. Wait for repeated snapshots before concluding anything.
-   - Take at least two intervals from the same lane.
-   - Compare snapshots from the same PID inside the real lane directory such as `.tmp/heapsnap/unit-fast-batch-2/`.
-   - Use `.agents/skills/openclaw-test-heap-leaks/scripts/heapsnapshot-delta.mjs` to compare either two files directly or the earliest/latest pair per PID in one lane directory.
-   - If the helper suggests transformed-module retention, confirm the top entries in DevTools retainers/dominators before calling it solved.
-
-3. Classify the growth before choosing a fix.
-   - If growth is dominated by Vite/Vitest transformed source strings, `Module`, `system / Context`, bytecode, descriptor arrays, or property maps, treat it as likely retained module graph growth in long-lived workers.
-   - If growth is dominated by app objects, caches, buffers, server handles, timers, mock state, sqlite state, or similar runtime objects, treat it as a likely cleanup or lifecycle leak.
-   - If the names are ambiguous, stop short of a confident label and inspect retainers/dominators in DevTools for the top deltas.
-
-4. Fix the right layer.
-   - For likely retained transformed-module growth in shared workers:
-   - Prefer timing and hotspot-driven scheduling fixes first. Check whether the file is already represented in `test/fixtures/test-timings.unit.json` and whether `scripts/test-update-memory-hotspots.mjs` should refresh the measured hotspot manifest before hand-editing behavior overrides.
-   - Move hotspot files out of the real shared lane by updating `test/fixtures/test-parallel.behavior.json` only when timing-driven peeling is insufficient.
-   - Prefer `singletonIsolated` for files that are safe alone but inflate shared worker heaps.
-   - If the file should already have been peeled out by timings but is absent from `test/fixtures/test-timings.unit.json`, call that out explicitly. Missing timings are a scheduling blind spot.
-   - For real leaks:
-   - Patch the implicated test or runtime cleanup path.
-   - Look for missing `afterEach`/`afterAll`, module-reset gaps, retained global state, unreleased DB handles, or listeners/timers that survive the file.
-
-5. Verify with the most direct proof.
-   - Re-run the targeted lane or file with heap snapshots enabled if the suite still finishes in reasonable time.
-   - If snapshot overhead pushes tests over Vitest timeouts, fall back to the same lane without snapshots and confirm the RSS trend or OOM is reduced.
-   - For wrapper-only changes, at minimum verify the expected lanes start and the snapshot files are written.
-
-## Heuristics
-
- Do not call everything a leak. In this repo, large `unit-fast` or `unit-fast-batch-*` growth can be a worker-lifetime problem rather than an application object leak.
- `scripts/test-parallel.mjs` and `scripts/test-parallel-memory.mjs` are the primary control points for wrapper diagnostics.
- The lane names printed by `[test-parallel] start ...` and `[test-parallel][mem] summary ...` tell you where to focus.
- When one or two files account for most of the delta and they are missing from timings, reducing impact by isolating them is usually the first pragmatic fix.
- When the same retained object families grow across multiple intervals in the same worker PID, trust the snapshots over intuition, then confirm ambiguous calls with retainer evidence.
-
-## Snapshot Comparison
-
- Direct comparison:
-  - `node .agents/skills/openclaw-test-heap-leaks/scripts/heapsnapshot-delta.mjs before.heapsnapshot after.heapsnapshot`
- Auto-select earliest/latest snapshots per PID within one lane:
-  - `node .agents/skills/openclaw-test-heap-leaks/scripts/heapsnapshot-delta.mjs --lane-dir .tmp/heapsnap/unit-fast-batch-2`
- Useful flags:
-  - `--top 40`
-  - `--min-kb 32`
-  - `--pid 16133`
-
-Read the top positive deltas first. Large positive growth in module-transform artifacts suggests lane isolation; large positive growth in runtime objects suggests a real leak. If the names alone do not settle it, open the same snapshot pair in DevTools and inspect retainers/dominators for the top rows before declaring root cause.
-
-## Output Expectations
-
-When using this skill, report:
-
- The exact reproduce command.
- Which lane and PID were compared.
- The dominant retained object families from the snapshot delta.
- Whether the issue is a likely real leak or likely shared-worker retained module growth, plus whether retainers/dominators confirmed it.
- The concrete fix or impact-reduction patch.
- What you verified, and what snapshot overhead prevented you from verifying.
--- a/.agents/skills/openclaw-test-heap-leaks/agents/openai.yaml
+++ b/.agents/skills/openclaw-test-heap-leaks/agents/openai.yaml
@@ -1,4 +0,0 @@
-interface:
-  display_name: "Test Heap Leaks"
-  short_description: "Investigate test OOMs with heap snapshots"
-  default_prompt: "Use $openclaw-test-heap-leaks to investigate test memory growth with heap snapshots and reduce its impact."
--- a/.agents/skills/openclaw-test-heap-leaks/scripts/heapsnapshot-delta.mjs
+++ b/.agents/skills/openclaw-test-heap-leaks/scripts/heapsnapshot-delta.mjs
@@ -1,553 +0,0 @@
-#!/usr/bin/env node
-
-import fs from "node:fs";
-import path from "node:path";
-
-function printUsage() {
-  console.error(
-    "Usage: node heapsnapshot-delta.mjs <before.heapsnapshot> <after.heapsnapshot> [--top N] [--min-kb N]",
-  );
-  console.error(
-    "   or: node heapsnapshot-delta.mjs --lane-dir <dir> [--pid PID] [--top N] [--min-kb N]",
-  );
-}
-
-function fail(message) {
-  console.error(message);
-  process.exit(1);
-}
-
-function parseArgs(argv) {
-  const options = {
-    top: 30,
-    minKb: 64,
-    laneDir: null,
-    pid: null,
-    files: [],
-  };
-
-  for (let index = 0; index < argv.length; index += 1) {
-    const arg = argv[index];
-    if (arg === "--top") {
-      options.top = Number.parseInt(argv[index + 1] ?? "", 10);
-      index += 1;
-      continue;
-    }
-    if (arg === "--min-kb") {
-      options.minKb = Number.parseInt(argv[index + 1] ?? "", 10);
-      index += 1;
-      continue;
-    }
-    if (arg === "--lane-dir") {
-      options.laneDir = argv[index + 1] ?? null;
-      index += 1;
-      continue;
-    }
-    if (arg === "--pid") {
-      options.pid = Number.parseInt(argv[index + 1] ?? "", 10);
-      index += 1;
-      continue;
-    }
-    options.files.push(arg);
-  }
-
-  if (!Number.isFinite(options.top) || options.top <= 0) {
-    fail("--top must be a positive integer");
-  }
-  if (!Number.isFinite(options.minKb) || options.minKb < 0) {
-    fail("--min-kb must be a non-negative integer");
-  }
-  if (options.pid !== null && (!Number.isInteger(options.pid) || options.pid <= 0)) {
-    fail("--pid must be a positive integer");
-  }
-
-  return options;
-}
-
-class JsonStreamScanner {
-  constructor(filePath) {
-    this.stream = fs.createReadStream(filePath, {
-      encoding: "utf8",
-      highWaterMark: 1024 * 1024,
-    });
-    this.iterator = this.stream[Symbol.asyncIterator]();
-    this.buffer = "";
-    this.offset = 0;
-    this.done = false;
-  }
-
-  compactBuffer() {
-    if (this.offset > 65536) {
-      this.buffer = this.buffer.slice(this.offset);
-      this.offset = 0;
-    }
-  }
-
-  async ensureAvailable(count = 1) {
-    while (!this.done && this.buffer.length - this.offset < count) {
-      const next = await this.iterator.next();
-      if (next.done) {
-        this.done = true;
-        break;
-      }
-      this.buffer += next.value;
-    }
-  }
-
-  async peek() {
-    await this.ensureAvailable(1);
-    return this.buffer[this.offset] ?? null;
-  }
-
-  async next() {
-    await this.ensureAvailable(1);
-    if (this.offset >= this.buffer.length) {
-      return null;
-    }
-    const char = this.buffer[this.offset];
-    this.offset += 1;
-    this.compactBuffer();
-    return char;
-  }
-
-  async skipWhitespace() {
-    while (true) {
-      const char = await this.peek();
-      if (char === null || !/\s/u.test(char)) {
-        return;
-      }
-      await this.next();
-    }
-  }
-
-  async expectChar(expected) {
-    const char = await this.next();
-    if (char !== expected) {
-      fail(`Expected ${expected} but found ${char ?? "<eof>"}`);
-    }
-  }
-
-  async find(sequence) {
-    let matched = 0;
-    while (true) {
-      const char = await this.next();
-      if (char === null) {
-        fail(`Could not find ${sequence}`);
-      }
-      if (char === sequence[matched]) {
-        matched += 1;
-        if (matched === sequence.length) {
-          return;
-        }
-        continue;
-      }
-      matched = char === sequence[0] ? 1 : 0;
-      if (matched === sequence.length) {
-        return;
-      }
-    }
-  }
-
-  async readBalancedObject() {
-    const start = await this.next();
-    if (start !== "{") {
-      fail(`Expected { but found ${start ?? "<eof>"}`);
-    }
-    let text = "{";
-    let depth = 1;
-    let inString = false;
-    let escaped = false;
-    while (depth > 0) {
-      const char = await this.next();
-      if (char === null) {
-        fail("Unexpected EOF while reading JSON object");
-      }
-      text += char;
-      if (inString) {
-        if (escaped) {
-          escaped = false;
-        } else if (char === "\\") {
-          escaped = true;
-        } else if (char === '"') {
-          inString = false;
-        }
-        continue;
-      }
-      if (char === '"') {
-        inString = true;
-      } else if (char === "{") {
-        depth += 1;
-      } else if (char === "}") {
-        depth -= 1;
-      }
-    }
-    return text;
-  }
-
-  async parseNumberArray(onValue) {
-    await this.skipWhitespace();
-    await this.expectChar("[");
-    await this.skipWhitespace();
-    if ((await this.peek()) === "]") {
-      await this.next();
-      return;
-    }
-
-    let token = "";
-    let index = 0;
-    const flush = () => {
-      if (token.length === 0) {
-        fail("Unexpected empty number token");
-      }
-      const value = Number.parseInt(token, 10);
-      if (!Number.isFinite(value)) {
-        fail(`Invalid numeric token: ${token}`);
-      }
-      onValue(value, index);
-      index += 1;
-      token = "";
-    };
-
-    while (true) {
-      const char = await this.next();
-      if (char === null) {
-        fail("Unexpected EOF while reading number array");
-      }
-      if (char === "]") {
-        flush();
-        return;
-      }
-      if (char === ",") {
-        flush();
-        continue;
-      }
-      if (/\s/u.test(char)) {
-        continue;
-      }
-      token += char;
-    }
-  }
-
-  async readJsonString() {
-    await this.expectChar('"');
-    let value = "";
-    while (true) {
-      const char = await this.next();
-      if (char === null) {
-        fail("Unexpected EOF while reading JSON string");
-      }
-      if (char === '"') {
-        return value;
-      }
-      if (char !== "\\") {
-        value += char;
-        continue;
-      }
-      const escaped = await this.next();
-      if (escaped === null) {
-        fail("Unexpected EOF while reading JSON string escape");
-      }
-      if (escaped === "u") {
-        let hex = "";
-        for (let index = 0; index < 4; index += 1) {
-          const hexChar = await this.next();
-          if (hexChar === null) {
-            fail("Unexpected EOF while reading JSON unicode escape");
-          }
-          hex += hexChar;
-        }
-        value += String.fromCharCode(Number.parseInt(hex, 16));
-        continue;
-      }
-      value +=
-        escaped === "b"
-          ? "\b"
-          : escaped === "f"
-            ? "\f"
-            : escaped === "n"
-              ? "\n"
-              : escaped === "r"
-                ? "\r"
-                : escaped === "t"
-                  ? "\t"
-                  : escaped;
-    }
-  }
-
-  async parseStringArray(onValue) {
-    await this.skipWhitespace();
-    await this.expectChar("[");
-    await this.skipWhitespace();
-    if ((await this.peek()) === "]") {
-      await this.next();
-      return;
-    }
-
-    let index = 0;
-    while (true) {
-      const value = await this.readJsonString();
-      onValue(value, index);
-      index += 1;
-      await this.skipWhitespace();
-      const separator = await this.next();
-      if (separator === "]") {
-        return;
-      }
-      if (separator !== ",") {
-        fail(`Expected , or ] but found ${separator ?? "<eof>"}`);
-      }
-      await this.skipWhitespace();
-    }
-  }
-}
-
-function parseHeapFilename(filePath) {
-  const base = path.basename(filePath);
-  const match = base.match(
-    /^Heap\.(?<stamp>\d{8}\.\d{6})\.(?<pid>\d+)\.0\.(?<seq>\d+)\.heapsnapshot$/u,
-  );
-  if (!match?.groups) {
-    return null;
-  }
-  return {
-    filePath,
-    pid: Number.parseInt(match.groups.pid, 10),
-    stamp: match.groups.stamp,
-    sequence: Number.parseInt(match.groups.seq, 10),
-  };
-}
-
-function resolvePair(options) {
-  if (options.laneDir) {
-    const entries = fs
-      .readdirSync(options.laneDir)
-      .map((name) => parseHeapFilename(path.join(options.laneDir, name)))
-      .filter((entry) => entry !== null)
-      .filter((entry) => options.pid === null || entry.pid === options.pid)
-      .toSorted((left, right) => {
-        if (left.pid !== right.pid) {
-          return left.pid - right.pid;
-        }
-        if (left.stamp !== right.stamp) {
-          return left.stamp.localeCompare(right.stamp);
-        }
-        return left.sequence - right.sequence;
-      });
-
-    if (entries.length === 0) {
-      fail(`No matching heap snapshots found in ${options.laneDir}`);
-    }
-
-    const groups = new Map();
-    for (const entry of entries) {
-      const group = groups.get(entry.pid) ?? [];
-      group.push(entry);
-      groups.set(entry.pid, group);
-    }
-
-    const candidates = Array.from(groups.values())
-      .map((group) => ({
-        pid: group[0].pid,
-        before: group[0],
-        after: group.at(-1),
-        count: group.length,
-      }))
-      .filter((entry) => entry.count >= 2);
-
-    if (candidates.length === 0) {
-      fail(`Need at least two snapshots for one PID in ${options.laneDir}`);
-    }
-
-    const chosen =
-      options.pid !== null
-        ? (candidates.find((entry) => entry.pid === options.pid) ?? null)
-        : candidates.toSorted((left, right) => right.count - left.count || left.pid - right.pid)[0];
-
-    if (!chosen) {
-      fail(`No PID with at least two snapshots matched in ${options.laneDir}`);
-    }
-
-    return {
-      before: chosen.before.filePath,
-      after: chosen.after.filePath,
-      pid: chosen.pid,
-      snapshotCount: chosen.count,
-    };
-  }
-
-  if (options.files.length !== 2) {
-    printUsage();
-    process.exit(1);
-  }
-
-  return {
-    before: options.files[0],
-    after: options.files[1],
-    pid: null,
-    snapshotCount: 2,
-  };
-}
-
-async function parseSnapshotMeta(scanner) {
-  await scanner.find('"snapshot":');
-  await scanner.skipWhitespace();
-  const metaObjectText = await scanner.readBalancedObject();
-  const parsed = JSON.parse(metaObjectText);
-  return parsed?.meta ?? null;
-}
-
-async function buildSummary(filePath) {
-  const scanner = new JsonStreamScanner(filePath);
-  const meta = await parseSnapshotMeta(scanner);
-  if (!meta) {
-    fail(`Invalid heap snapshot: ${filePath}`);
-  }
-
-  const nodeFieldCount = meta.node_fields.length;
-  const typeNames = meta.node_types[0];
-  const typeIndex = meta.node_fields.indexOf("type");
-  const nameIndex = meta.node_fields.indexOf("name");
-  const selfSizeIndex = meta.node_fields.indexOf("self_size");
-  if (typeIndex === -1 || nameIndex === -1 || selfSizeIndex === -1) {
-    fail(`Unsupported heap snapshot schema: ${filePath}`);
-  }
-
-  const summaryByIndex = new Map();
-  let nodeCount = 0;
-  let currentTypeId = 0;
-  let currentNameId = 0;
-  let currentSelfSize = 0;
-  await scanner.find('"nodes":');
-  await scanner.parseNumberArray((value, index) => {
-    const fieldIndex = index % nodeFieldCount;
-    if (fieldIndex === typeIndex) {
-      currentTypeId = value;
-      return;
-    }
-    if (fieldIndex === nameIndex) {
-      currentNameId = value;
-      return;
-    }
-    if (fieldIndex === selfSizeIndex) {
-      currentSelfSize = value;
-    }
-    if (fieldIndex !== nodeFieldCount - 1) {
-      return;
-    }
-    const key = `${currentTypeId}\t${currentNameId}`;
-    const current = summaryByIndex.get(key) ?? {
-      typeId: currentTypeId,
-      nameId: currentNameId,
-      selfSize: 0,
-      count: 0,
-    };
-    current.selfSize += currentSelfSize;
-    current.count += 1;
-    summaryByIndex.set(key, current);
-    nodeCount += 1;
-  });
-
-  const requiredNameIds = new Set(
-    Array.from(summaryByIndex.values(), (entry) => entry.nameId).filter((value) => value >= 0),
-  );
-  const nameStrings = new Map();
-  await scanner.find('"strings":');
-  await scanner.parseStringArray((value, index) => {
-    if (requiredNameIds.has(index)) {
-      nameStrings.set(index, value);
-    }
-  });
-
-  const summary = new Map();
-  for (const entry of summaryByIndex.values()) {
-    const key = `${typeNames[entry.typeId] ?? "unknown"}\t${nameStrings.get(entry.nameId) ?? ""}`;
-    summary.set(key, {
-      type: typeNames[entry.typeId] ?? "unknown",
-      name: nameStrings.get(entry.nameId) ?? "",
-      selfSize: entry.selfSize,
-      count: entry.count,
-    });
-  }
-
-  return {
-    nodeCount,
-    summary,
-  };
-}
-
-function formatBytes(bytes) {
-  if (Math.abs(bytes) >= 1024 ** 2) {
-    return `${(bytes / 1024 ** 2).toFixed(2)} MiB`;
-  }
-  if (Math.abs(bytes) >= 1024) {
-    return `${(bytes / 1024).toFixed(1)} KiB`;
-  }
-  return `${bytes} B`;
-}
-
-function formatDelta(bytes) {
-  return `${bytes >= 0 ? "+" : "-"}${formatBytes(Math.abs(bytes))}`;
-}
-
-function truncate(text, maxLength) {
-  return text.length <= maxLength ? text : `${text.slice(0, maxLength - 1)}…`;
-}
-
-async function main() {
-  const options = parseArgs(process.argv.slice(2));
-  const pair = resolvePair(options);
-  const before = await buildSummary(pair.before);
-  const after = await buildSummary(pair.after);
-  const minBytes = options.minKb * 1024;
-
-  const rows = [];
-  for (const [key, next] of after.summary) {
-    const previous = before.summary.get(key) ?? { selfSize: 0, count: 0 };
-    const sizeDelta = next.selfSize - previous.selfSize;
-    const countDelta = next.count - previous.count;
-    if (sizeDelta < minBytes) {
-      continue;
-    }
-    rows.push({
-      type: next.type,
-      name: next.name,
-      sizeDelta,
-      countDelta,
-      afterSize: next.selfSize,
-      afterCount: next.count,
-    });
-  }
-
-  rows.sort(
-    (left, right) => right.sizeDelta - left.sizeDelta || right.countDelta - left.countDelta,
-  );
-
-  console.log(`before: ${pair.before}`);
-  console.log(`after:  ${pair.after}`);
-  if (pair.pid !== null) {
-    console.log(`pid:    ${pair.pid} (${pair.snapshotCount} snapshots found)`);
-  }
-  console.log(
-    `nodes:   ${before.nodeCount} -> ${after.nodeCount} (${after.nodeCount - before.nodeCount >= 0 ? "+" : ""}${after.nodeCount - before.nodeCount})`,
-  );
-  console.log(`filter:  top=${options.top} min=${options.minKb} KiB`);
-  console.log("");
-
-  if (rows.length === 0) {
-    console.log("No entries exceeded the minimum delta.");
-    return;
-  }
-
-  for (const row of rows.slice(0, options.top)) {
-    console.log(
-      [
-        formatDelta(row.sizeDelta).padStart(11),
-        `count ${row.countDelta >= 0 ? "+" : ""}${row.countDelta}`.padStart(10),
-        row.type.padEnd(16),
-        truncate(row.name || "(empty)", 96),
-      ].join("  "),
-    );
-  }
-}
-
-await main();
--- a/.agents/skills/openclaw-test-performance/SKILL.md
+++ b/.agents/skills/openclaw-test-performance/SKILL.md
@@ -1,134 +0,0 @@
---
-name: openclaw-test-performance
-description: Benchmark, diagnose, and optimize OpenClaw test runtime, import hotspots, CPU/RSS, and slow coverage paths.
---
-
-# OpenClaw Test Performance
-
-Use evidence first. The goal is real `pnpm test` speed/RSS improvement with
-coverage intact, not runner tuning by guesswork.
-
-## Workflow
-
-1. Read the relevant local `AGENTS.md` files before editing:
-   - `src/agents/AGENTS.md` for agent/import hotspots.
-   - `src/channels/AGENTS.md` and `src/plugins/AGENTS.md` for plugin/channel
-     laziness.
-   - `src/gateway/AGENTS.md` for server lifecycle tests.
-   - `test/helpers/AGENTS.md` and `test/helpers/channels/AGENTS.md` for shared
-     contract helpers.
-   - `src/infra/outbound/AGENTS.md` for outbound/media/action tests.
-2. Establish a baseline before changing code:
-   - Prefer `pnpm test:perf:groups --full-suite --allow-failures --output <file>`
-     for full-suite ranking.
-   - For a scoped hotspot use:
-     `/usr/bin/time -l pnpm test <file-or-files> --maxWorkers=1 --reporter=verbose`
-   - For import-heavy suspicion add:
-     `OPENCLAW_VITEST_IMPORT_DURATIONS=1 OPENCLAW_VITEST_PRINT_IMPORT_BREAKDOWN=1`.
-3. Separate wall/runner noise from real file cost:
-   - Compare Vitest duration, test body timing, import breakdown, wall time, and
-     max RSS.
-   - Re-run single files when grouped/full-suite numbers look stale or noisy.
-   - If a full-suite grouped run reports a lane failure but JSON says tests
-     passed, capture that as harness/noise and verify the suspect file directly.
-4. Pick the next attack by return and risk:
-   - High return: one file/test dominates seconds or RSS and has a clear root.
-   - Lower risk: static descriptors, target parsing, routing, auth bypass,
-     setup hints, registry fixtures, or test server lifecycle.
-   - Higher risk: real memory/runtime behavior, live providers, protocol
-     contracts, or broad production refactors.
-5. Fix the root cause, not the symptom:
-   - Move static metadata/parsing into narrow helpers or lightweight artifacts
-     reused by full runtime and fast paths.
-   - Prefer dependency injection, loaded-plugin-only lookup, explicit fixtures,
-     and pure helpers over broad mocks.
-   - Reuse suite-level servers/clients when a fresh handshake is irrelevant.
-   - Keep schedulers/background loops off unless the test proves scheduling.
-6. Preserve coverage shape:
-   - Do not delete a slow integration proof unless the exact production
-     composition is extracted into a named helper and tested.
-   - Keep one cheap integration smoke when cross-component wiring matters.
-   - State explicitly what incidental coverage was removed, if any.
-7. Re-benchmark the same command after the change and compute seconds plus
-   percent gain.
-8. Update the running report when requested or when this thread is tracking one.
-   Include before/after commands, artifacts, coverage notes, verification, and
-   next attack order.
-9. Commit with `scripts/committer "<message>" <paths...>` and push when the
-   user asked for commits/pushes. Stage only files touched for this attack.
-
-## Common Root Causes
-
- Full bundled channel/plugin runtime loaded for static data.
- `getChannelPlugin()` fallback used when an already-loaded fixture or pure
-  parser would suffice.
- Broad `api.ts`, `runtime-api.ts`, `test-api.ts`, or plugin-sdk barrels pulled
-  into hot tests.
- Partial-real mocks using `importActual()` around broad modules.
- `vi.resetModules()` plus fresh imports in per-test loops.
- Test plugin registry seeded in `beforeAll` while runtime state resets in
-  `afterEach`.
- Per-test gateway/server/client startup when state reset would suffice.
- Runtime/default model/auth selection paid by idle snapshots or fixtures.
- Plugin-owned media/action discovery triggered before checking whether args
-  contain plugin-owned fields.
-
-## Benchmark Commands
-
-Scoped file:
-
-```bash
-timeout 240 /usr/bin/time -l pnpm test <file> --maxWorkers=1 --reporter=verbose
-```
-
-Scoped file with import breakdown:
-
-```bash
-timeout 240 /usr/bin/time -l env \
-  OPENCLAW_VITEST_IMPORT_DURATIONS=1 \
-  OPENCLAW_VITEST_PRINT_IMPORT_BREAKDOWN=1 \
-  pnpm test <file> --maxWorkers=1 --reporter=verbose
-```
-
-Grouped suite:
-
-```bash
-pnpm test:perf:groups --full-suite --allow-failures \
-  --output .artifacts/test-perf/<name>.json
-```
-
-Reuse an existing Vitest JSON report:
-
-```bash
-pnpm test:perf:groups --report <vitest-json> \
-  --output .artifacts/test-perf/<name>.json
-```
-
-## Verification
-
- Always run the targeted test surface that proves the change.
- Run `pnpm check` before commit unless the change is docs-only and the hook
-  handles it.
- Run `pnpm build` when touching lazy-loading, bundled artifacts, package
-  boundaries, dynamic imports, build output, or public surfaces.
- If deps are missing/stale, run `pnpm install` and retry the exact failed
-  command once.
- Use the report format:
-
-```markdown
-| Metric         | Before | After |          Gain |
-| -------------- | -----: | ----: | ------------: |
-| File wall time |   `Xs` |  `Ys` |  `-Zs` (`P%`) |
-| Max RSS        |  `XMB` | `YMB` | `-ZMB` (`P%`) |
-```
-
-## Handoff
-
-Keep the final concise:
-
- Root cause.
- Files changed.
- Before/after numbers.
- Coverage retained.
- Verification commands.
- Commit hash and push status.
--- a/.agents/skills/openclaw-test-performance/agents/openai.yaml
+++ b/.agents/skills/openclaw-test-performance/agents/openai.yaml
@@ -1,6 +0,0 @@
-interface:
-  display_name: "OpenClaw Test Performance"
-  short_description: "Benchmark and fix slow OpenClaw tests"
-  default_prompt: "Use $openclaw-test-performance to reassess the OpenClaw test benchmark, identify the next real hotspot, fix it without losing coverage, update the report, and commit scoped changes."
-policy:
-  allow_implicit_invocation: false
--- a/.agents/skills/openclaw-testing/SKILL.md
+++ b/.agents/skills/openclaw-testing/SKILL.md
@@ -1,244 +0,0 @@
---
-name: openclaw-testing
-description: Choose, run, rerun, or debug OpenClaw tests, CI checks, Docker E2E lanes, release validation, and the cheapest safe verification path.
---
-
-# OpenClaw Testing
-
-Use this skill when deciding what to test, debugging failures, rerunning CI,
-or validating a change without wasting hours.
-
-## Read First
-
- `docs/reference/test.md` for local test commands.
- `docs/ci.md` for CI scope, release checks, Docker chunks, and runner behavior.
- Scoped `AGENTS.md` files before editing code under a subtree.
-
-## Default Rule
-
-Prove the touched surface first. Do not reflexively run the whole suite.
-
-1. Inspect the diff and classify the touched surface:
-   - source: `pnpm changed:lanes --json`, then `pnpm check:changed`
-   - tests only: `pnpm test:changed`
-   - one failing file: `pnpm test <path-or-filter> -- --reporter=verbose`
-   - workflow-only: `git diff --check`, workflow syntax/lint (`actionlint` when available)
-   - docs-only: `pnpm docs:list`, docs formatter/lint only if docs tooling changed or requested
-2. Reproduce narrowly before fixing.
-3. Fix root cause.
-4. Rerun the same narrow proof.
-5. Broaden only when the touched contract demands it.
-
-## Guardrails
-
- Do not kill unrelated processes or tests. If something is running elsewhere, treat it as owned by the user or another agent.
- Do not run expensive local Docker, full release checks, full `pnpm test`, or full `pnpm check` unless the user asks or the change genuinely requires it.
- Prefer GitHub Actions for release/Docker proof when the workflow already has the prepared image and secrets.
- Use `scripts/committer "<msg>" <paths...>` when committing; stage only your files.
- If deps are missing, run `pnpm install`, retry once, then report the first actionable error.
-
-## Local Test Shortcuts
-
-```bash
-pnpm changed:lanes --json
-pnpm check:changed       # changed typecheck/lint/guards; no Vitest
-pnpm test:changed        # cheap smart changed Vitest targets
-OPENCLAW_TEST_CHANGED_BROAD=1 pnpm test:changed
-pnpm test <path-or-filter> -- --reporter=verbose
-OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test <path-or-filter>
-```
-
-Use targeted file paths whenever possible. Avoid raw `vitest`; use the repo
-`pnpm test` wrapper so project routing, workers, and setup stay correct.
-
-## Command Semantics
-
- `pnpm check` and `pnpm check:changed` do not run Vitest tests. They are for
-  typecheck, lint, and guard proof.
- `pnpm test` and `pnpm test:changed` run Vitest tests.
- `pnpm test:changed` is intentionally cheap by default: direct test edits,
-  sibling tests, explicit source mappings, and import-graph dependents.
- `OPENCLAW_TEST_CHANGED_BROAD=1 pnpm test:changed` is the explicit broad
-  fallback for harness/config/package edits that genuinely need it.
- Do not run extension sweeps just because core changed. If a core edit is for a
-  specific plugin bug, run that plugin's tests explicitly. If a public SDK or
-  contract change needs consumer proof, choose the smallest representative
-  plugin/contract tests first, then broaden only when the risk justifies it.
- The test wrapper prints a short `[test] passed|failed|skipped ... in ...`
-  line. Vitest's own duration is still the per-shard detail.
-
-## Routing Model
-
- `pnpm changed:lanes --json` answers "which check lanes does this diff touch?"
-  It is used by `pnpm check:changed` for typecheck/lint/guard selection.
- `pnpm test:changed` answers "which Vitest targets are worth running now?" It
-  uses the same changed path list, but applies a cheaper test-target resolver.
- Direct test edits run themselves. Source edits prefer explicit mappings,
-  sibling `*.test.ts`, then import-graph dependents. Shared harness/config/root
-  edits are skipped by default unless they have precise mapped tests.
- Public SDK or contract edits do not automatically run every plugin test.
-  `check:changed` proves extension type contracts; the agent chooses the
-  smallest plugin/contract Vitest proof that matches the actual risk.
- Use `OPENCLAW_TEST_CHANGED_BROAD=1 pnpm test:changed` only when a harness,
-  config, package, or unknown-root edit really needs the broad Vitest fallback.
-
-## CI Debugging
-
-Start with current run state, not logs for everything:
-
-```bash
-gh run list --branch main --limit 10
-gh run view <run-id> --json status,conclusion,headSha,url,jobs
-gh run view <run-id> --job <job-id> --log
-```
-
- Check exact SHA. Ignore newer unrelated `main` unless asked.
- For cancelled same-branch runs, confirm whether a newer run superseded it.
- Fetch full logs only for failed or relevant jobs.
-
-## Docker
-
-Docker is expensive. First inspect the scheduler without running Docker:
-
-```bash
-OPENCLAW_DOCKER_ALL_DRY_RUN=1 pnpm test:docker:all
-OPENCLAW_DOCKER_ALL_DRY_RUN=1 OPENCLAW_DOCKER_ALL_LANES=install-e2e pnpm test:docker:all
-OPENCLAW_DOCKER_ALL_LANES=install-e2e node scripts/test-docker-all.mjs --plan-json
-```
-
-Run one failed lane locally only when explicitly asked or when GitHub is not
-usable:
-
-```bash
-OPENCLAW_DOCKER_ALL_LANES=<lane> \
-OPENCLAW_DOCKER_ALL_BUILD=0 \
-OPENCLAW_DOCKER_ALL_PREFLIGHT=0 \
-OPENCLAW_SKIP_DOCKER_BUILD=1 \
-OPENCLAW_DOCKER_E2E_BARE_IMAGE='<prepared-bare-image>' \
-OPENCLAW_DOCKER_E2E_FUNCTIONAL_IMAGE='<prepared-functional-image>' \
-pnpm test:docker:all
-```
-
-For release validation, prefer the reusable GitHub workflow input:
-
-```yaml
-docker_lanes: install-e2e
-```
-
-Multiple lanes are allowed:
-
-```yaml
-docker_lanes: install-e2e bundled-channel-update-acpx
-```
-
-That skips the three chunk matrix and runs one targeted Docker job against the
-prepared GHCR images and a fresh OpenClaw npm tarball for the selected ref.
-Reruns usually need that new tarball because the fix being tested changed the
-package contents even if the SHA-tagged GHCR Docker image can be reused.
-Live-only targeted reruns skip the E2E images and build only the live-test
-image. Release-path normal mode remains max three Docker chunk jobs:
-
- `core`
- `package-update`
- `plugins-integrations`
-
-Docker E2E images never copy repo sources as the app under test: the bare image
-is a Node/Git runner, and the functional image installs the same prebuilt npm
-tarball that bare lanes mount. `scripts/package-openclaw-for-docker.mjs` is the
-single packer for local scripts and CI and validates the tarball inventory
-before Docker consumes it. `scripts/test-docker-all.mjs --plan-json` is the
-scheduler-owned CI plan for image kind, package, live image, lane, and
-credential needs. Docker lane definitions live in the single scenario catalog
-`scripts/lib/docker-e2e-scenarios.mjs`; planner logic lives in
-`scripts/lib/docker-e2e-plan.mjs`. `scripts/docker-e2e.mjs` converts plan and
-summary JSON into GitHub outputs and step summaries. Every scheduler run writes
-`.artifacts/docker-tests/**/summary.json` plus `failures.json`. Read those
-before rerunning. Lane entries include `command`, `rerunCommand`, status,
-timing, timeout state, image kind, and log file path. The summary also includes
-top-level phase timings for preflight, image build, package prep, lane pools,
-and cleanup. Use `pnpm test:docker:timings <summary.json>` to rank slow lanes
-and phases before deciding whether a broader rerun is justified.
-
-## Cheap Docker Reruns
-
-First derive the smallest rerun command from artifacts:
-
-```bash
-pnpm test:docker:rerun <github-run-id>
-pnpm test:docker:rerun .artifacts/docker-tests/<run>/failures.json
-```
-
-The script downloads Docker E2E artifacts for a GitHub run, reads
-`summary.json`/`failures.json`, and prints a combined targeted workflow command
-plus per-lane commands. Prefer the combined targeted command when several lanes
-failed for the same patch:
-
-```bash
-gh workflow run openclaw-live-and-e2e-checks-reusable.yml \
-  -f ref=<sha> \
-  -f include_repo_e2e=false \
-  -f include_release_path_suites=false \
-  -f include_openwebui=false \
-  -f docker_lanes='install-e2e bundled-channel-update-acpx' \
-  -f include_live_suites=false \
-  -f live_models_only=false
-```
-
-That path still runs the prepare job, so it creates a new tarball for `<sha>`.
-If the SHA-tagged GHCR bare/functional image already exists, CI skips rebuilding
-that image and only uploads the fresh package artifact before the targeted lane
-job. Do not rerun the full three-chunk release path unless the failed lane list
-or touched surface really requires it.
-
-## Docker Expected Timings
-
-Treat these as ballpark. Blacksmith queue time, GHCR pull speed, provider
-latency, npm cache state, and Docker daemon health can dominate.
-
-Current local timing artifact (`.artifacts/docker-tests/lane-timings.json`) has
-these rough bands:
-
- Tiny lanes, seconds to under 1 minute:
-  `agents-delete-shared-workspace` ~3s, `plugin-update` ~7s,
-  `config-reload` ~14s, `pi-bundle-mcp-tools` ~15s, `onboard` ~18s,
-  `session-runtime-context` ~20s, `gateway-network` ~34s, `qr` ~44s.
- Medium deterministic lanes, ~1-5 minutes:
-  `npm-onboard-channel-agent` ~96s, `openai-image-auth` ~99s,
-  bundled channel/update lanes usually ~90-300s, `openwebui` ~225s,
-  `mcp-channels` ~274s.
- Heavy deterministic lanes, ~6-10 minutes:
-  `bundled-channel-root-owned` ~429s,
-  `bundled-channel-setup-entry` ~420s,
-  `bundled-channel-load-failure` ~383s,
-  `cron-mcp-cleanup` ~567s.
- Live provider lanes, often ~15-20 minutes:
-  `live-gateway` ~958s, `live-models` ~1054s.
- Installer/release lanes:
-  `install-e2e` and package-update paths can vary widely with npm, provider,
-  and package registry behavior. Budget tens of minutes; prefer GitHub targeted
-  reruns over local repeats.
-
-Default fallback lane timeout is 120 minutes. A timeout usually means debug the
-lane log/artifacts first, not “run the whole thing again.”
-
-## Failure Workflow
-
-1. Identify exact failing job, SHA, lane, and artifact path.
-2. Read `failures.json`, `summary.json`, and the failed lane log tail.
-3. Use `pnpm test:docker:rerun <run-id|failures.json>` to generate targeted
-   GitHub rerun commands.
-4. If the lane has `rerunCommand`, use that only as a local starting point.
-5. For Docker release failures, dispatch targeted `docker_lanes=<failed-lane>`
-   on GitHub before considering local Docker.
-6. Patch narrowly, then rerun the failed file/lane only.
-7. Broaden to `pnpm check:changed` or CI only after the isolated proof passes.
-
-## When To Escalate
-
- Public SDK/plugin contract changes: run changed gate plus relevant extension
-  validation.
- Build output, lazy imports, package boundaries, or published surfaces:
-  include `pnpm build`.
- Workflow edits: run `pnpm check:workflows`.
- Release branch or tag validation: use release docs and GitHub workflows; avoid
-  local Docker unless Peter explicitly asks.
--- a/.agents/skills/openclaw-testing/agents/openai.yaml
+++ b/.agents/skills/openclaw-testing/agents/openai.yaml
@@ -1,4 +0,0 @@
-interface:
-  display_name: "OpenClaw Testing"
-  short_description: "Choose cheap, targeted OpenClaw validation"
-  default_prompt: "Use $openclaw-testing to choose the cheapest safe test or CI verification path, inspect failures, and rerun only the relevant OpenClaw lane."
--- a/.agents/skills/optimizetests/SKILL.md
+++ b/.agents/skills/optimizetests/SKILL.md
@@ -1,41 +0,0 @@
---
-name: optimizetests
-description: Optimize OpenClaw slow tests, imports, misplaced coverage, and CI wall time without dropping coverage.
---
-
-# Optimize Tests
-
-Goal: real OpenClaw test/runtime speedups with coverage intact. Do not add shards,
-skip assertions, weaken gates, or tune runner flags as the main fix.
-
-## Runbook
-
-1. Read `docs/help/testing.md`, `docs/ci.md`, and the scoped `AGENTS.md` files
-   for any subtree you will edit.
-2. Establish evidence before edits:
-   - Full ranking: `pnpm test:perf:groups --full-suite --allow-failures --output .artifacts/test-perf/<name>.json`
-   - Targeted file: `timeout 240 /usr/bin/time -l pnpm test <file> --maxWorkers=1 --reporter=verbose`
-   - Import suspicion: add `OPENCLAW_VITEST_IMPORT_DURATIONS=1 OPENCLAW_VITEST_PRINT_IMPORT_BREAKDOWN=1`
-3. Attack highest-return hotspots first:
-   - broad barrels or `importActual()` in hot tests
-   - per-test `vi.resetModules()` plus fresh imports
-   - expensive gateway/server/client setup where reset/reuse proves same behavior
-   - core tests asserting extension-owned behavior
-   - duplicated fixture construction or contract assertions
-4. Prefer production-quality fixes:
-   - narrow runtime seams over broad mocks
-   - pure helpers for static parsing/metadata
-   - injected deps over module resets
-   - extension-owned tests for bundled plugin/provider/channel behavior
-5. After each change, rerun the same benchmark and the proving test lane. Record
-   before/after wall time, Vitest duration, and max RSS when available.
-6. Run `pnpm check:changed`; run broader gates (`pnpm check`, `pnpm test`,
-   `pnpm build`) when touched surfaces require them.
-7. Commit scoped changes with `scripts/committer "<conventional message>" <paths...>`.
-   Push when requested. If CI is red, inspect with `gh run list/view`, fix, push,
-   repeat until current CI is green or a blocker is proven unrelated.
-
-## Output
-
-End with the pushed commit(s), before/after timings, gates run, current CI state,
-and any remaining tail lanes that need separate optimization.
--- a/.agents/skills/optimizetests/agents/openai.yaml
+++ b/.agents/skills/optimizetests/agents/openai.yaml
@@ -1,6 +0,0 @@
-interface:
-  display_name: "Optimize Tests"
-  short_description: "Benchmark and speed up OpenClaw tests"
-  default_prompt: "Use $optimizetests to benchmark slow OpenClaw tests, optimize imports and duplicated setup, move misplaced core coverage to extensions, verify gates, commit scoped changes, push, and keep CI green without adding shards or dropping coverage."
-policy:
-  allow_implicit_invocation: false
--- a/.agents/skills/parallels-discord-roundtrip/SKILL.md
+++ b/.agents/skills/parallels-discord-roundtrip/SKILL.md
@@ -1,63 +0,0 @@
---
-name: parallels-discord-roundtrip
-description: Run macOS Parallels smoke with Discord send, host verification, host reply, and guest readback proof.
---
-
-# Parallels Discord Roundtrip
-
-Use when macOS Parallels smoke must prove Discord two-way delivery end to end.
-
-## Goal
-
-Cover:
-
- install on fresh macOS snapshot
- onboard + gateway health
- guest `message send` to Discord
- host sees that message on Discord
- host posts a new Discord message
- guest `message read` sees that new message
-
-## Inputs
-
- host env var with Discord bot token
- Discord guild ID
- Discord channel ID
- `OPENAI_API_KEY`
-
-## Preferred run
-
-```bash
-export OPENCLAW_PARALLELS_DISCORD_TOKEN="$(
-  ssh peters-mac-studio-1 'jq -r ".channels.discord.token" ~/.openclaw/openclaw.json' | tr -d '\n'
-)"
-
-pnpm test:parallels:macos \
-  --discord-token-env OPENCLAW_PARALLELS_DISCORD_TOKEN \
-  --discord-guild-id 1456350064065904867 \
-  --discord-channel-id 1456744319972282449 \
-  --json
-```
-
-## Notes
-
- Snapshot target: closest to `macOS 26.3.1 fresh`.
- Snapshot resolver now prefers matching `*-poweroff*` clones when the base hint also matches. That lets the harness reuse disk-only recovery snapshots without passing a longer hint.
- If Windows/Linux snapshot restore logs show `PET_QUESTION_SNAPSHOT_STATE_INCOMPATIBLE_CPU`, drop the suspended state once, create a `*-poweroff*` replacement snapshot, and rerun. The smoke scripts now auto-start restored power-off snapshots.
- Harness configures Discord inside the guest; no checked-in token/config.
- Use the `openclaw` wrapper for guest `message send/read`; `node openclaw.mjs message ...` does not expose the lazy message subcommands the same way.
- Write `channels.discord.guilds` in one JSON object (`--strict-json`), not dotted `config set channels.discord.guilds.<snowflake>...` paths; numeric snowflakes get treated like array indexes.
- Avoid `prlctl enter` / expect for long Discord setup scripts; it line-wraps/corrupts long commands. Use `prlctl exec --current-user /bin/sh -lc ...` for the Discord config phase.
- Full 3-OS sweeps: the shared build lock is safe in parallel, but snapshot restore is still a Parallels bottleneck. Prefer serialized Windows/Linux restore-heavy reruns if the host is already under load.
- Harness cleanup deletes the temporary Discord smoke messages at exit.
- After a successful Discord roundtrip, shut down the macOS guest before handoff (`prlctl stop "macOS Tahoe"`). The macOS smoke harness should do this automatically after successful Discord proof; still stop the VM manually after ad-hoc Discord checks. Do not leave the Discord-configured VM running; it can keep reading/posting in `#maintainer` and spam Discord after the proof is complete.
- Per-phase logs: `/tmp/openclaw-parallels-smoke.*`
- Machine summary: pass `--json`
- If roundtrip flakes, inspect `fresh.discord-roundtrip.log` and `discord-last-readback.json` in the run dir first.
-
-## Pass criteria
-
- fresh lane or upgrade lane requested passes
- summary reports `discord=pass` for that lane
- guest outbound nonce appears in channel history
- host inbound nonce appears in `openclaw message read` output
--- a/.agents/skills/security-triage/SKILL.md
+++ b/.agents/skills/security-triage/SKILL.md
@@ -1,140 +0,0 @@
---
-name: security-triage
-description: Triage OpenClaw security advisories, drafts, and GHSA reports with shipped-tag and trust-model proof.
---
-
-# Security Triage
-
-Use when reviewing OpenClaw security advisories, drafts, or GHSA reports.
-
-Goal: high-confidence maintainers' triage without over-closing real issues or shipping unnecessary regressions.
-
-## Close Bar
-
-Close only if one of these is true:
-
- duplicate of an existing advisory or fixed issue
- invalid against shipped behavior
- out of scope under `SECURITY.md`
- fixed before any affected release/tag
-
-Do not close only because `main` is fixed. If latest shipped tag or npm release is affected, keep it open until released or published with the right status.
-
-## Required Reads
-
-Before answering:
-
-1. Read `SECURITY.md`.
-2. Read the GHSA body with `gh api /repos/openclaw/openclaw/security-advisories/<GHSA>`.
-3. Inspect the exact implicated code paths.
-4. Verify shipped state:
-   - `git tag --sort=-creatordate | head`
-   - `npm view openclaw version --userconfig "$(mktemp)"`
-   - `git tag --contains <fix-commit>`
-   - if needed: `git show <tag>:path/to/file`
-5. Search for canonical overlap:
-   - existing published GHSAs
-   - older fixed bugs
-   - same trust-model class already covered in `SECURITY.md`
-
-## Review Method
-
-For each advisory, decide:
-
- `close`
- `keep open`
- `keep open but narrow`
-
-Default to one advisory at a time when comments/closures are involved:
-
-1. Review exactly one GHSA.
-2. Print the GHSA URL first.
-3. Summarize the decision and evidence for discussion.
-4. Draft one maintainer-ready comment.
-5. Copy only that one comment to the clipboard.
-6. Stop and wait for Peter to post/discuss before moving to the next GHSA.
-
-Do not batch multiple close comments unless Peter explicitly asks for a batch.
-
-Check in this order:
-
-1. Trust model
-   - Is the prerequisite already inside trusted host/local/plugin/operator state?
-   - Does `SECURITY.md` explicitly call this class out as out of scope or hardening-only?
-2. Shipped behavior
-   - Is the bug present in the latest shipped tag or npm release?
-   - Was it fixed before release?
-3. Exploit path
-   - Does the report show a real boundary bypass, not just prompt injection, local same-user control, or helper-level semantics?
-   - If data only moves between trusted workspace-memory files called out in `SECURITY.md`, do not treat "injection markers" alone as a security bug.
-   - In that case, frame sanitization as optional hardening only if it preserves expected memory workflows.
-4. Functional tradeoff
-   - If a hardening change would reduce intended user functionality, call that out before proposing it.
-   - Prefer fixes that preserve user workflows over deny-by-default regressions unless the boundary demands it.
-5. Hardening follow-up
-   - Even when the GHSA should close, ask whether a narrow hardening change would reduce footguns without changing the documented trust boundary.
-   - Separate hardening from vulnerability status. Phrase it as "not required for GHSA closure, but worth considering".
-   - Bring up hardening only if it is concrete, low-risk, and preserves intended maintainer/operator workflows.
-   - If hardening would require a product/security model change, say that explicitly and do not imply it is a required fix for closure.
-
-## Response Format
-
-When preparing a maintainer-ready close reply:
-
-1. Print the GHSA URL first.
-2. Then draft a detailed response the maintainer can post.
-3. Include:
-   - exact reason for close
-   - exact code refs
-   - exact shipped tag / release facts
-   - exact fix commit or canonical duplicate GHSA when applicable
-   - optional hardening note only if worthwhile and functionality-preserving
-
-Keep tone firm, specific, non-defensive.
-
-## Discussion Mode
-
-When Peter is manually posting GHSA comments, use this flow:
-
-1. Show the URL.
-2. Give a terse verdict (`close`, `keep open`, or `keep open but narrow`).
-3. List the strongest evidence bullets.
-4. State any optional hardening follow-up separately from the close reason.
-5. Copy the proposed comment body with `pbcopy`.
-6. End the reply after the one advisory. Do not continue to the next advisory until Peter says to continue.
-
-If the GitHub API cannot post comments for private advisories, say so once and keep using clipboard/UI paste.
-
-## Clipboard Step
-
-After drafting the final post body for the current advisory, copy it:
-
-```bash
-pbcopy <<'EOF'
-<final response>
-EOF
-```
-
-Tell the user that the clipboard now contains the proposed response for that advisory.
-
-## Useful Commands
-
-```bash
-gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
-gh api /repos/openclaw/openclaw/security-advisories --paginate
-git tag --sort=-creatordate | head -n 20
-npm view openclaw version --userconfig "$(mktemp)"
-git tag --contains <commit>
-git show <tag>:<path>
-gh search issues --repo openclaw/openclaw --match title,body,comments -- "<terms>"
-gh search prs --repo openclaw/openclaw --match title,body,comments -- "<terms>"
-```
-
-## Decision Notes
-
- “fixed on main, unreleased” is usually not a close.
- “needs attacker-controlled trusted local state first” is usually out of scope.
- “same-host same-user process can already read/write local state” is usually out of scope.
- “trusted workspace memory promotes/reindexes trusted workspace memory” is usually out of scope unless it crosses a documented boundary.
- “helper function behaves differently than documented config semantics” is usually invalid.
- If only the severity is wrong but the bug is real, keep it open and narrow the impact in the reply.
--- a/.agents/skills/tag-duplicate-prs-issues/SKILL.md
+++ b/.agents/skills/tag-duplicate-prs-issues/SKILL.md
@@ -1,485 +0,0 @@
---
-name: tag-duplicate-prs-issues
-description: Search duplicate OpenClaw PRs/issues, group related work in prtags, and sync duplicate state to GitHub.
---
-
-# Tag Duplicate PRs and Issues
-
-Use this skill when a maintainer needs to decide whether a pull request or issue is a duplicate of existing work.
-
-This skill is for maintainer triage and grouping.
-It is not for reviewing the implementation quality of a PR.
-
-## Required Setup
-
-Do not start duplicate triage until this setup is complete.
-
-### Install the companion skills
-
-Install these skills first because they teach the agent how to use the two main CLIs correctly:
-
- `ghreplica` skill from the `ghreplica` repo at `skills/ghreplica/SKILL.md`
- `prtags` skill from the `prtags` repo at `skills/prtags/SKILL.md`
-
-This skill assumes those two skills are available and can be used during the same run.
-
-### Install the CLIs
-
-Install `ghreplica` and `prtags` from their latest GitHub releases.
-Do not rely on an old local build unless the maintainer explicitly wants to test unreleased behavior.
-
-`ghreplica` CLI install path:
-
-```bash
-curl -fsSL https://raw.githubusercontent.com/dutifuldev/ghreplica/main/scripts/install-ghr.sh | bash -s -- --bin-dir "$HOME/.local/bin"
-```
-
-`prtags` CLI install path:
-
-```bash
-curl -fsSL https://raw.githubusercontent.com/dutifuldev/prtags/main/scripts/install-prtags.sh | bash -s -- --bin-dir "$HOME/.local/bin"
-```
-
-Use the `pr-search-cli` project with `uvx`.
-The command itself is `pr-search`.
-Do not require a permanent install unless the maintainer explicitly wants one.
-
-```bash
-uvx --from pr-search-cli pr-search status
-uvx --from pr-search-cli pr-search code similar 67144
-```
-
-### Authenticate prtags
-
-`prtags` should be logged in with the maintainer's own GitHub account through OAuth device flow.
-Do not use a shared maintainer token for interactive triage.
-
-```bash
-prtags auth login
-prtags auth status
-```
-
-The expected outcome is that `prtags` stores the logged-in maintainer identity locally and uses that account for authenticated writes.
-
-## Missing-Setup Rule
-
-Do not require an up-front preflight before starting the workflow.
-Proceed with the normal steps until you actually need a tool or account state.
-
-As soon as you discover that a required CLI is missing or `prtags` is not logged in, stop immediately.
-Do not continue in a partial mode after that point.
-
-If `ghr` is missing, ask the user to run the `ghreplica` install command.
-
-If `prtags` is missing, ask the user to run both CLI install commands:
-
-```bash
-curl -fsSL https://raw.githubusercontent.com/dutifuldev/ghreplica/main/scripts/install-ghr.sh | bash -s -- --bin-dir "$HOME/.local/bin"
-curl -fsSL https://raw.githubusercontent.com/dutifuldev/prtags/main/scripts/install-prtags.sh | bash -s -- --bin-dir "$HOME/.local/bin"
-```
-
-If `uvx --from pr-search-cli pr-search ...` fails because `uvx` or the `pr-search` launcher is not available, ask the user to make that command work before continuing.
-
-If `prtags auth status` shows that the user is not logged in, ask the user to run:
-
-```bash
-prtags auth login
-```
-
-Resume only after the missing tool or login state has been fixed.
-
-## Read-Path Default
-
-For read-only GitHub operations in this workflow, use `ghr` as the default CLI.
-Treat it as a drop-in replacement for the `gh` read operations you would normally use for PRs, issues, comments, reviews, and duplicate-search evidence.
-
-Only fall back to `gh` when `ghr` is failing for a concrete reason, such as:
-
- the mirrored object is not present yet
- the mirror data is clearly stale or incomplete for the decision you need to make
- the `ghr` command errors, times out, or does not expose the specific read you need
-
-When you fall back to `gh`, note that you did so and why.
-
-If `ghr` is missing a fresh PR or issue but `gh` can read it, you may use `gh` for the read-side judgment.
-If a later `prtags` target-level write fails because the same object is still missing from `ghreplica`, stop and report that the mirror has not caught up yet instead of forcing the write.
-
-## Goal
-
-For each target PR or issue:
-
-1. gather duplicate evidence
-2. decide whether it is a real duplicate
-3. create or reuse one `prtags` group for that duplicate cluster
-4. save the maintainer judgment in `prtags`
-5. rely on normal `prtags` group writes to drive GitHub comment sync when that integration is configured
-
-## Tool Roles
-
-Use the tools with these boundaries:
-
- `ghreplica` is the raw evidence source
-  - use `ghr` first for normal GitHub read operations in this workflow
-  - use it for title/body/comment search, related PRs, overlapping files, overlapping ranges, and current PR or issue status
-  - resort to `gh` only when `ghr` cannot provide the needed read cleanly
- `pr-search-cli` is candidate generation and ranking
-  - use it to suggest likely duplicate PRs or issue-cluster context
-  - do not treat it as final truth
-  - do not create or expand a duplicate group only because `pr-search-cli` put multiple PRs in the same issue or duplicate cluster
- `prtags` is the maintainer curation layer
-  - use it to create or reuse one duplicate group
-  - use it to save the duplicate status, confidence, rationale, and group summary
-  - use it as the source of truth for the GitHub-facing group comment
-
-## Working Rules
-
- Do not call something a duplicate only because the titles are similar.
- Do not call something a duplicate only because the same files changed.
- A duplicate cluster should be based on the same user-facing problem, the same intent, and substantially overlapping implementation or investigation context.
-
-## One-Group Rule
-
-Treat duplicate groups as exclusive.
-A PR or issue should belong to at most one duplicate group at a time.
-
-That means:
-
- before creating a new group, search for an existing group that already represents the same duplicate story
- if the target already appears to belong to a different duplicate group, stop and resolve that conflict first
- do not create a second group for the same target just because the wording is slightly different
- if two plausible existing groups overlap and you cannot safely merge the judgment, stop and ask the maintainer
-
-This rule matters more than speed.
-The skill should keep one coherent duplicate cluster per problem, not many near-duplicate clusters.
-
-## What A Good Duplicate Group Represents
-
-A duplicate group should describe the underlying problem and the intended fix direction.
-Do not group items only because they share a keyword.
-
-Good group shape:
-
- same user-facing bug or same maintainer-facing task
- same subsystem or code surface
- same intended change direction
- same likely duplicate-resolution path
-
-Bad group shape:
-
- “all PRs that touch Slack”
- “all issues mentioning retry”
- “all auth-related items”
-
-The group title should name the real problem.
-The group description should summarize the intent and the code surface.
-
-Examples:
-
- `gateway: startup regression from channel status bootstrap`
- `whatsapp: QR preflight timeout handling`
- `release: cross-OS validation handoff gaps`
-
-## Evidence Checklist
-
-Before declaring a duplicate, gather evidence from at least two categories.
-Same-issue or same-cluster output from `pr-search-cli` counts only as candidate generation, not as one of the required proof categories by itself.
-
-For PRs:
-
- same or nearly same problem statement
- same changed files or overlapping file ranges
- same fix direction
- same subsystem and failure mode
- same linked issue or same user-visible symptom
-
-For issues:
-
- same user-visible problem
- same reproduction story or same failure mode
- same likely fix area
- same PRs already linked or discussed
- same maintainers already steering toward the same duplicate grouping
-
-If you only have wording similarity, that is not enough.
-
-## Step 1: Read The Target
-
-Start by reading the target itself.
-Use `ghr` first for this step even if you would normally reach for `gh`.
-
-For a PR:
-
-```bash
-ghr pr view -R openclaw/openclaw <number> --comments
-ghr pr reviews -R openclaw/openclaw <number>
-ghr pr comments -R openclaw/openclaw <number>
-```
-
-For an issue:
-
-```bash
-ghr issue view -R openclaw/openclaw <number> --comments
-ghr issue comments -R openclaw/openclaw <number>
-```
-
-Record:
-
- target type and number
- title
- problem statement
- proposed intent
- subsystem
- whether it is open, closed, or merged
- whether there is already a likely duplicate thread mentioned by humans
-
-## Step 2: Search Broadly With ghreplica
-
-Use `ghreplica` first because it is the most direct evidence source.
-Do not switch to `gh` for ordinary reads unless `ghr` is missing data or failing.
-
-### PR duplicate search
-
-Run all of these when the target is a PR:
-
-```bash
-ghr search related-prs -R openclaw/openclaw <pr-number> --mode path_overlap --state all
-ghr search related-prs -R openclaw/openclaw <pr-number> --mode range_overlap --state all
-ghr search mentions -R openclaw/openclaw --query "<key phrase from title or body>" --mode fts --scope pull_requests --state all
-ghr search mentions -R openclaw/openclaw --query "<subsystem or error phrase>" --mode fts --scope issues --state all
-```
-
-Use `prs-by-paths` or `prs-by-ranges` when the likely duplicate surface is already known:
-
-```bash
-ghr search prs-by-paths -R openclaw/openclaw --path src/example.ts --state all
-ghr search prs-by-ranges -R openclaw/openclaw --path src/example.ts --start 20 --end 80 --state all
-```
-
-### Issue duplicate search
-
-`ghreplica` does not have a special issue-to-issue “related issues” command.
-For issues, search mirrored text and linked PR context instead.
-
-Run targeted text searches:
-
-```bash
-ghr search mentions -R openclaw/openclaw --query "<issue title phrase>" --mode fts --scope issues --state all
-ghr search mentions -R openclaw/openclaw --query "<error message or symptom>" --mode fts --scope issues --state all
-ghr search mentions -R openclaw/openclaw --query "<subsystem phrase>" --mode fts --scope pull_requests --state all
-```
-
-Then inspect the candidate PRs or issues those searches uncover.
-
-## Step 3: Use pr-search-cli As A Hint Layer
-
-Use `pr-search-cli` after `ghreplica`.
-It is good at surfacing candidates quickly, but it is not the final decision-maker.
-Run it through the `pr-search` command.
-
-For a PR:
-
-```bash
-uvx --from pr-search-cli pr-search -R openclaw/openclaw code similar <pr-number>
-uvx --from pr-search-cli pr-search -R openclaw/openclaw code clusters for-pr <pr-number>
-uvx --from pr-search-cli pr-search -R openclaw/openclaw issues for-pr <pr-number>
-uvx --from pr-search-cli pr-search -R openclaw/openclaw issues duplicate-prs
-```
-
-Interpretation:
-
- `code similar` suggests PRs with similar change shape
- `code clusters for-pr` shows the PR’s nearby code cluster
- `issues for-pr` shows which issue clusters the PR appears to belong to
- `issues duplicate-prs` is useful for spotting already-known duplicate PR patterns
-
-Treat every `pr-search-cli` result as a hint to investigate, not as enough evidence to create or widen a duplicate group.
-Multiple PRs can share the same issue or issue cluster while still taking meaningfully different fix paths.
-
-For an issue:
-
- use `ghreplica` first to find candidate PRs or issue wording
- if the issue has linked PRs or a likely implementation PR, run `pr-search-cli` on those PRs
- treat issue-cluster output as supporting context, not as enough by itself to call the issue a duplicate
-
-## Step 4: Decide The Outcome
-
-Choose one of these outcomes:
-
- `not_duplicate`
- `duplicate_needs_judgment`
- `duplicate_confirmed`
-
-Use `duplicate_confirmed` only when the evidence is strong enough that the maintainer could safely close or retag the duplicate item.
-
-Use `duplicate_needs_judgment` when:
-
- the problem looks the same but the implementation goal differs
- the code overlap is weak
- the issue wording is ambiguous
- there may be two valid duplicate group interpretations
- the target appears to intersect two existing duplicate groups
-
-## Step 5: Reuse Or Create One prtags Group
-
-Before creating a group, search `prtags` for an existing one.
-
-Start with text search over groups:
-
-```bash
-prtags search text -R openclaw/openclaw "<problem phrase>" --types group --limit 10
-prtags search similar -R openclaw/openclaw "<problem summary>" --types group --limit 10
-prtags group list -R openclaw/openclaw
-```
-
-Inspect likely groups:
-
-```bash
-prtags group get <group-id>
-prtags group get <group-id> --include-metadata
-```
-
-Reuse an existing group when:
-
- it represents the same problem
- it already contains clearly related members
- adding the target would keep the group coherent
-
-Do not widen an existing group just because `pr-search-cli` placed several PRs under the same issue or duplicate cluster.
-Confirm that the actual implementation path and maintainer intent still match before adding the new member.
-
-Create a new group only when no existing group clearly fits.
-
-Create the group with a problem-based title and an intent-based description:
-
-```bash
-prtags group create -R openclaw/openclaw \
-  --kind mixed \
-  --title "<problem-centered title>" \
-  --description "<same intent, subsystem, and duplicate-resolution path>" \
-  --status open
-```
-
-Then attach the target and any known duplicate members:
-
-```bash
-prtags group add-pr <group-id> <pr-number>
-prtags group add-issue <group-id> <issue-number>
-```
-
-If a target appears to already belong to another duplicate group and you cannot safely reuse that group, stop.
-Do not create a second group.
-
-## Step 6: Ensure The Annotation Fields Exist
-
-Use `field ensure` so the skill is idempotent.
-
-Recommended target-level fields:
-
-```bash
-prtags field ensure -R openclaw/openclaw --name duplicate_status --scope pull_request --type enum --enum-values not_duplicate,candidate,confirmed --filterable
-prtags field ensure -R openclaw/openclaw --name duplicate_status --scope issue --type enum --enum-values not_duplicate,candidate,confirmed --filterable
-prtags field ensure -R openclaw/openclaw --name duplicate_confidence --scope pull_request --type enum --enum-values low,medium,high --filterable
-prtags field ensure -R openclaw/openclaw --name duplicate_confidence --scope issue --type enum --enum-values low,medium,high --filterable
-prtags field ensure -R openclaw/openclaw --name duplicate_rationale --scope pull_request --type text --searchable
-prtags field ensure -R openclaw/openclaw --name duplicate_rationale --scope issue --type text --searchable
-```
-
-Recommended group-level fields:
-
-```bash
-prtags field ensure -R openclaw/openclaw --name duplicate_confidence --scope group --type enum --enum-values low,medium,high --filterable
-prtags field ensure -R openclaw/openclaw --name duplicate_rationale --scope group --type text --searchable
-prtags field ensure -R openclaw/openclaw --name cluster_summary --scope group --type text --searchable
-```
-
-## Step 7: Save The Maintainer Judgment In prtags
-
-For a PR:
-
-```bash
-prtags annotation pr set -R openclaw/openclaw <pr-number> \
-  duplicate_status=confirmed \
-  duplicate_confidence=high \
-  duplicate_rationale="<same problem, same fix direction, overlapping files and comments>"
-```
-
-For an issue:
-
-```bash
-prtags annotation issue set -R openclaw/openclaw <issue-number> \
-  duplicate_status=confirmed \
-  duplicate_confidence=high \
-  duplicate_rationale="<same user-visible problem and same intended fix path>"
-```
-
-For the group:
-
-```bash
-prtags annotation group set <group-id> \
-  duplicate_confidence=high \
-  cluster_summary="<one-sentence problem summary>" \
-  duplicate_rationale="<why these items belong in one duplicate cluster>"
-```
-
-When the evidence is incomplete, set `duplicate_status=candidate` and lower the confidence.
-
-If a per-PR or per-issue annotation write fails because `prtags` cannot resolve the target through `ghreplica`, do not force a fallback write path.
-Keep the group state you were able to write, report that the mirror is still missing the target object, and defer the target-level annotation until `ghreplica` catches up.
-
-## Step 8: Let prtags Sync The Group Comment
-
-Do not tell the agent to create a GitHub comment directly.
-`prtags` owns the outbound GitHub comment as a derived projection of group state.
-
-In the normal case, do not manually trigger comment sync.
-When comment sync is configured, group writes already enqueue the derived comment projection automatically.
-
-Use manual sync only as a repair or retry path:
-
-```bash
-prtags group sync-comments <group-id>
-```
-
-If the maintainer needs to see which groups still need attention, use:
-
-```bash
-prtags group list-comment-sync-targets -R openclaw/openclaw
-```
-
-The skill should treat the GitHub comment as a consequence of correct `prtags` group state.
-It should not treat manual comment authoring as part of the normal duplicate workflow.
-It should also not treat `sync-comments` as a required step for every duplicate decision.
-
-## Output Format
-
-Return a short maintainer report with these sections:
-
-```text
-Decision: duplicate_confirmed | duplicate_needs_judgment | not_duplicate
-Target: PR #<n> | Issue #<n>
-Confidence: high | medium | low
-
-Evidence:
- ...
- ...
- ...
-
-prtags actions:
- reused group <group-id> | created group <group-id>
- added members: ...
- annotations written: ...
- comment sync: automatic if configured | manual repair triggered for <group-id>
-```
-
-## Stop Conditions
-
-Stop and escalate instead of forcing a duplicate decision when:
-
- the target appears to belong to two different duplicate groups
- the duplicate grouping is unclear
- the wording matches but the implementation goals differ
- two PRs touch the same files for different reasons
- two issues describe similar symptoms but likely different root causes
-
-The maintainer should get one clean duplicate judgment or an explicit “needs judgment” result.
-Do not blur the line.
--- a/.agents/skills/tag-duplicate-prs-issues/agents/openai.yaml
+++ b/.agents/skills/tag-duplicate-prs-issues/agents/openai.yaml
@@ -1,4 +0,0 @@
-interface:
-  display_name: "Tag Duplicate PRs and Issues"
-  short_description: "Find duplicate PRs and issues, group them in prtags, and let prtags sync the GitHub comment"
-  default_prompt: "Use $tag-duplicate-prs-issues to decide whether an OpenClaw PR or issue is a duplicate, gather evidence with ghreplica and pr-search-cli, group related items in prtags, and save the duplicate judgment."
--- a/.codex
+++ b/.codex
--- a/.detect-secrets.cfg
+++ b/.detect-secrets.cfg
@@ -1,45 +0,0 @@
-# detect-secrets exclusion patterns (regex)
-#
-# Note: detect-secrets does not read this file by default. If you want these
-# applied, wire them into your scan command (e.g. translate to --exclude-files
-# / --exclude-lines) or into a baseline's filters_used.
-
-[exclude-files]
-# pnpm lockfiles contain lots of high-entropy package integrity blobs.
-pattern = (^|/)pnpm-lock\.yaml$
-
-[exclude-lines]
-# Fastlane checks for private key marker; not a real key.
-pattern = key_content\.include\?\("BEGIN PRIVATE KEY"\)
-# UI label string for Anthropic auth mode.
-pattern = case \.apiKeyEnv: "API key \(env var\)"
-# CodingKeys mapping uses apiKey literal.
-pattern = case apikey = "apiKey"
-# Schema labels referencing password fields (not actual secrets).
-pattern = "gateway\.remote\.password"
-pattern = "gateway\.auth\.password"
-# Schema label for talk API key (label text only).
-pattern = "talk\.apiKey"
-# checking for typeof is not something we care about.
-pattern = === "string"
-# specific optional-chaining password check that didn't match the line above.
-pattern = typeof remote\?\.password === "string"
-# Docker apt signing key fingerprint constant; not a secret.
-pattern = OPENCLAW_DOCKER_GPG_FINGERPRINT=
-# Credential matrix metadata field in docs JSON; not a secret value.
-pattern = "secretShape": "(secret_input|sibling_ref)"
-# Docs line describing API key rotation knobs; not a credential.
-pattern = API key rotation \(provider-specific\): set `\*_API_KEYS`
-# Docs line describing remote password precedence; not a credential.
-pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.auth\.passw[o]rd` -> `gateway\.remote\.passw[o]rd`
-pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.remote\.passw[o]rd` -> `gateway\.auth\.passw[o]rd`
-# Test fixture starts a multiline fake private key; detector should ignore the header line.
-pattern = const key = `-----BEGIN PRIVATE KEY-----
-# Docs examples: literal placeholder API key snippets and shell heredoc helper.
-pattern = export CUSTOM_API_K[E]Y="your-key"
-pattern = grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc \|\| cat >> ~/.bashrc <<'EOF'
-pattern = env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},
-pattern = "ap[i]Key": "xxxxx",
-pattern = ap[i]Key: "A[I]za\.\.\.",
-# Sparkle appcast signatures are release metadata, not credentials.
-pattern = sparkle:edSignature="[A-Za-z0-9+/=]+"
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,21 +1,7 @@
 .git
 .worktrees
-
-# Sensitive files – scripts/docker/setup.sh writes .env with OPENCLAW_GATEWAY_TOKEN
-# into the project root; keep it out of the build context.
-.env
-.env.*
-
 .bun-cache
 .bun
-.artifacts
-**/.artifacts
-.local
-**/.local
-.pi
-**/.pi
-__openclaw_vitest__
-**/__openclaw_vitest__
 .tmp
 **/.tmp
 .DS_Store
@@ -41,14 +27,9 @@ node_modules
 **/.next
 coverage
 **/coverage
-docs/.generated
-**/.generated
 *.log
 tmp
 **/tmp
-dist-runtime
-**/dist-runtime
-openclaw-path-alias-*

 # build artifacts
 dist
@@ -65,19 +46,3 @@ Swabble/
 Core/
 Users/
 vendor/
-
-# Needed for building the Canvas A2UI bundle during Docker image builds.
-# Keep the rest of apps/ and vendor/ excluded to avoid a large build context.
-!apps/shared/
-!apps/shared/OpenClawKit/
-!apps/shared/OpenClawKit/Sources/
-!apps/shared/OpenClawKit/Sources/OpenClawKit/
-!apps/shared/OpenClawKit/Sources/OpenClawKit/Resources/
-!apps/shared/OpenClawKit/Sources/OpenClawKit/Resources/tool-display.json
-!apps/shared/OpenClawKit/Tools/
-!apps/shared/OpenClawKit/Tools/CanvasA2UI/
-!apps/shared/OpenClawKit/Tools/CanvasA2UI/**
-!vendor/a2ui/
-!vendor/a2ui/renderers/
-!vendor/a2ui/renderers/lit/
-!vendor/a2ui/renderers/lit/**
--- a/.env.example
+++ b/.env.example
@@ -1,86 +1,5 @@
-# OpenClaw .env example
-#
-# Quick start:
-# 1) Copy this file to `.env` (for local runs from this repo), OR to `~/.openclaw/.env` (for launchd/systemd daemons).
-# 2) Fill only the values you use.
-# 3) Keep real secrets out of git.
-#
-# Env-source precedence for environment variables (highest -> lowest):
-# process env, ./.env, ~/.openclaw/.env, then openclaw.json `env` block.
-# Existing non-empty process env vars are not overridden by dotenv/config env loading.
-# Note: direct config keys (for example `gateway.auth.token` or channel tokens in openclaw.json)
-# are resolved separately from env loading and often take precedence over env fallbacks.
-
-# -----------------------------------------------------------------------------
-# Gateway auth + paths
-# -----------------------------------------------------------------------------
-# Required if the gateway binds beyond loopback. Leave blank to have OpenClaw
-# auto-generate a token on first start, or provide your own using
-# `openssl rand -hex 32`. The gateway will refuse to start if this is set to
-# the documented example placeholder, so never copy-paste an example value
-# from docs or tutorials into this file verbatim.
-OPENCLAW_GATEWAY_TOKEN=
-
-# Optional alternative auth mode (use token OR password).
-# OPENCLAW_GATEWAY_PASSWORD=
-
-# Optional path overrides (defaults shown for reference).
-# OPENCLAW_STATE_DIR=~/.openclaw
-# OPENCLAW_CONFIG_PATH=~/.openclaw/openclaw.json
-# OPENCLAW_HOME=~
-
-# Optional: import missing keys from your login shell profile.
-# OPENCLAW_LOAD_SHELL_ENV=1
-# OPENCLAW_SHELL_ENV_TIMEOUT_MS=15000
-
-# -----------------------------------------------------------------------------
-# Model provider API keys (set at least one)
-# -----------------------------------------------------------------------------
-# OPENAI_API_KEY=sk-...
-# ANTHROPIC_API_KEY=sk-ant-...
-# GEMINI_API_KEY=...
-# OPENROUTER_API_KEY=sk-or-...
-# OPENCLAW_LIVE_OPENAI_KEY=sk-...
-# OPENCLAW_LIVE_ANTHROPIC_KEY=sk-ant-...
-# OPENCLAW_LIVE_GEMINI_KEY=...
-# OPENAI_API_KEY_1=...
-# ANTHROPIC_API_KEY_1=...
-# GEMINI_API_KEY_1=...
-# GOOGLE_API_KEY=...
-# OPENAI_API_KEYS=sk-1,sk-2
-# ANTHROPIC_API_KEYS=sk-ant-1,sk-ant-2
-# GEMINI_API_KEYS=key-1,key-2
-
-# Optional additional providers
-# ZAI_API_KEY=...
-# AI_GATEWAY_API_KEY=...
-# TOKENHUB_API_KEY=...
-# LKEAP_API_KEY=...
-# MINIMAX_API_KEY=...
-# SYNTHETIC_API_KEY=...
-
-# -----------------------------------------------------------------------------
-# Channels (only set what you enable)
-# -----------------------------------------------------------------------------
-# TELEGRAM_BOT_TOKEN=123456:ABCDEF...
-# DISCORD_BOT_TOKEN=...
-# SLACK_BOT_TOKEN=xoxb-...
-# SLACK_APP_TOKEN=xapp-...
-
-# Optional channel env fallbacks
-# MATTERMOST_BOT_TOKEN=...
-# MATTERMOST_URL=https://chat.example.com
-# ZALO_BOT_TOKEN=...
-# OPENCLAW_TWITCH_ACCESS_TOKEN=oauth:...
-
-# -----------------------------------------------------------------------------
-# Tools + voice/media (optional)
-# -----------------------------------------------------------------------------
-# BRAVE_API_KEY=...
-# PERPLEXITY_API_KEY=pplx-...
-# FIRECRAWL_API_KEY=...
-
-# ELEVENLABS_API_KEY=...
-# XI_API_KEY=...  # alias for ElevenLabs
-# INWORLD_API_KEY=...
-# DEEPGRAM_API_KEY=...
+# Copy to .env and fill with your Twilio credentials
+TWILIO_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+TWILIO_AUTH_TOKEN=your_auth_token_here
+# Must be a WhatsApp-enabled Twilio number, prefixed with whatsapp:
+TWILIO_WHATSAPP_FROM=whatsapp:+17343367101
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1 @@
 * text=auto eol=lf
-CLAUDE.md -text
-src/gateway/server-methods/CLAUDE.md -text
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,54 +0,0 @@
-# Protect the ownership rules themselves.
-/.github/CODEOWNERS @steipete
-
-# WARNING: GitHub CODEOWNERS uses last-match-wins semantics.
-# If you add overlapping rules below the secops block, include @openclaw/secops
-# on those entries too or you can silently remove required secops review.
-# Security-sensitive code, config, and docs require secops review.
-/SECURITY.md @openclaw/secops
-/.github/dependabot.yml @openclaw/secops
-/.github/codeql/ @openclaw/secops
-/.github/workflows/codeql.yml @openclaw/secops
-/src/security/ @openclaw/secops
-/src/secrets/ @openclaw/secops
-/src/config/*secret*.ts @openclaw/secops
-/src/config/**/*secret*.ts @openclaw/secops
-/src/gateway/*auth*.ts @openclaw/secops
-/src/gateway/**/*auth*.ts @openclaw/secops
-/src/gateway/*secret*.ts @openclaw/secops
-/src/gateway/**/*secret*.ts @openclaw/secops
-/src/gateway/security-path*.ts @openclaw/secops
-/src/gateway/resolve-configured-secret-input-string*.ts @openclaw/secops
-/src/gateway/protocol/**/*secret*.ts @openclaw/secops
-/src/gateway/server-methods/secrets*.ts @openclaw/secops
-/src/agents/*auth*.ts @openclaw/secops
-/src/agents/**/*auth*.ts @openclaw/secops
-/src/agents/auth-profiles*.ts @openclaw/secops
-/src/agents/auth-health*.ts @openclaw/secops
-/src/agents/auth-profiles/ @openclaw/secops
-/src/agents/sandbox.ts @openclaw/secops
-/src/agents/sandbox-*.ts @openclaw/secops
-/src/agents/sandbox/ @openclaw/secops
-/src/infra/secret-file*.ts @openclaw/secops
-/src/cron/stagger.ts @openclaw/secops
-/src/cron/service/jobs.ts @openclaw/secops
-/docs/security/ @openclaw/secops
-/docs/gateway/authentication.md @openclaw/secops
-/docs/gateway/sandbox-vs-tool-policy-vs-elevated.md @openclaw/secops
-/docs/gateway/sandboxing.md @openclaw/secops
-/docs/gateway/secrets-plan-contract.md @openclaw/secops
-/docs/gateway/secrets.md @openclaw/secops
-/docs/gateway/security/ @openclaw/secops
-/docs/cli/approvals.md @openclaw/secops
-/docs/cli/sandbox.md @openclaw/secops
-/docs/cli/security.md @openclaw/secops
-/docs/cli/secrets.md @openclaw/secops
-/docs/reference/secretref-credential-surface.md @openclaw/secops
-/docs/reference/secretref-user-supplied-credentials-matrix.json @openclaw/secops
-
-# Release workflow and its supporting release-path checks.
-/.github/workflows/openclaw-npm-release.yml @openclaw/openclaw-release-managers
-/docs/reference/RELEASING.md @openclaw/openclaw-release-managers
-/scripts/openclaw-npm-publish.sh @openclaw/openclaw-release-managers
-/scripts/openclaw-npm-release-check.ts @openclaw/openclaw-release-managers
-/scripts/release-check.ts @openclaw/openclaw-release-managers
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,28 @@
+---
+name: Bug report
+about: Report a problem or unexpected behavior in Clawdbot.
+title: "[Bug]: "
+labels: bug
+---
+
+## Summary
+What went wrong?
+
+## Steps to reproduce
+1.
+2.
+3.
+
+## Expected behavior
+What did you expect to happen?
+
+## Actual behavior
+What actually happened?
+
+## Environment
+- Clawdbot version:
+- OS:
+- Install method (pnpm/npx/docker/etc):
+
+## Logs or screenshots
+Paste relevant logs or add screenshots (redact secrets).
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -1,148 +0,0 @@
-name: Bug report
-description: Report defects, including regressions, crashes, and behavior bugs.
-title: "[Bug]: "
-labels:
-  - bug
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for filing this report. Keep every answer concise, reproducible, and grounded in observed evidence.
-        Do not speculate or infer beyond the evidence. If a narrative section cannot be answered from the available evidence, respond with exactly `NOT_ENOUGH_INFO`.
-
-        If this is a plugin beta-release blocker, rename the issue title to `Beta blocker: <plugin-name> - <summary>` and apply the `beta-blocker` label after filing.
-  - type: dropdown
-    id: bug_type
-    attributes:
-      label: Bug type
-      description: Choose the category that best matches this report.
-      options:
-        - Regression (worked before, now fails)
-        - Crash (process/app exits or hangs)
-        - Behavior bug (incorrect output/state without crash)
-    validations:
-      required: true
-  - type: dropdown
-    id: beta_blocker
-    attributes:
-      label: Beta release blocker
-      description: >
-        Choose `Yes` only if this blocks plugin compatibility during the current beta release window.
-        Selecting `Yes` does not apply the label automatically. You must also rename the issue title
-        to `Beta blocker: <plugin-name> - <summary>` for the automation to apply the `beta-blocker` label.
-      options:
-        - "No"
-        - "Yes"
-    validations:
-      required: true
-  - type: textarea
-    id: summary
-    attributes:
-      label: Summary
-      description: One-sentence statement of what is broken, based only on observed evidence. If the evidence is insufficient, respond with exactly `NOT_ENOUGH_INFO`.
-      placeholder: After upgrading from 2026.2.10 to 2026.2.17, Telegram thread replies stopped posting; reproduced twice and confirmed by gateway logs.
-    validations:
-      required: true
-  - type: textarea
-    id: repro
-    attributes:
-      label: Steps to reproduce
-      description: Provide the shortest deterministic repro path supported by direct observation. If the repro path cannot be grounded from the evidence, respond with exactly `NOT_ENOUGH_INFO`.
-      placeholder: |
-        1. Start OpenClaw 2026.2.17 with the attached config.
-        2. Send a Telegram thread reply in the affected chat.
-        3. Observe no reply and confirm the attached `reply target not found` log line.
-    validations:
-      required: true
-  - type: textarea
-    id: expected
-    attributes:
-      label: Expected behavior
-      description: State the expected result using a concrete reference such as prior observed behavior, attached docs, or a known-good version. If no grounded reference exists, respond with exactly `NOT_ENOUGH_INFO`.
-      placeholder: In 2026.2.10, the agent posted replies in the same Telegram thread under the same workflow.
-    validations:
-      required: true
-  - type: textarea
-    id: actual
-    attributes:
-      label: Actual behavior
-      description: Describe only the observed result, including user-visible errors and cited evidence. If the observed result cannot be grounded from the evidence, respond with exactly `NOT_ENOUGH_INFO`.
-      placeholder: No reply is posted in the thread; the attached gateway log shows `reply target not found` at 14:23:08 UTC.
-    validations:
-      required: true
-  - type: input
-    id: version
-    attributes:
-      label: OpenClaw version
-      description: Exact version/build tested.
-      placeholder: <version such as 2026.2.17>
-    validations:
-      required: true
-  - type: input
-    id: os
-    attributes:
-      label: Operating system
-      description: OS and version where this occurs.
-      placeholder: macOS 15.4 / Ubuntu 24.04 / Windows 11
-    validations:
-      required: true
-  - type: input
-    id: install_method
-    attributes:
-      label: Install method
-      description: How OpenClaw was installed or launched.
-      placeholder: npm global / pnpm dev / docker / mac app
-  - type: input
-    id: model
-    attributes:
-      label: Model
-      description: Effective model under test.
-      placeholder: minimax/text-01 / openrouter/anthropic/claude-opus-4.1 / anthropic/claude-sonnet-4.5
-    validations:
-      required: true
-  - type: input
-    id: provider_chain
-    attributes:
-      label: Provider / routing chain
-      description: Effective request path through gateways, proxies, providers, or model routers.
-      placeholder: openclaw -> cloudflare-ai-gateway -> minimax
-    validations:
-      required: true
-  - type: textarea
-    id: provider_setup_details
-    attributes:
-      label: Additional provider/model setup details
-      description: Optional. Include redacted routing details, per-agent overrides, auth-profile interactions, env/config context, or anything else needed to explain the effective provider/model setup. Do not include API keys, tokens, or passwords.
-      placeholder: |
-        Default route is openclaw -> cloudflare-ai-gateway -> minimax.
-        Previous setup was openclaw -> cloudflare-ai-gateway -> openrouter -> minimax.
-        Relevant config lives in ~/.openclaw/openclaw.json under models.providers.minimax and models.providers.cloudflare-ai-gateway.
-  - type: textarea
-    id: logs
-    attributes:
-      label: Logs, screenshots, and evidence
-      description: Include the redacted logs, screenshots, recordings, docs, or version comparisons that support the grounded answers above.
-      render: shell
-  - type: textarea
-    id: impact
-    attributes:
-      label: Impact and severity
-      description: |
-        Explain who is affected, how severe it is, how often it happens, and the practical consequence using only observed evidence.
-        If any part cannot be grounded from the evidence, respond with exactly `NOT_ENOUGH_INFO`.
-        Include:
-        - Affected users/systems/channels
-        - Severity (annoying, blocks workflow, data risk, etc.)
-        - Frequency (always/intermittent/edge case)
-        - Consequence (missed messages, failed onboarding, extra cost, etc.)
-      placeholder: |
-        Affected: Telegram group users on 2026.2.17
-        Severity: High (blocks thread replies)
-        Frequency: 4/4 observed attempts
-        Consequence: Agents do not respond in the affected threads
-  - type: textarea
-    id: additional_information
-    attributes:
-      label: Additional information
-      description: Add any remaining grounded context that helps triage but does not fit above. If this is a regression, include the last known good and first known bad versions when observed. If there is not enough evidence, respond with exactly `NOT_ENOUGH_INFO`.
-      placeholder: Last known good version 2026.2.10, first known bad version 2026.2.17, temporary workaround is sending a top-level message instead of a thread reply.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,8 +1,8 @@
-blank_issues_enabled: false
+blank_issues_enabled: true
 contact_links:
  - name: Onboarding
    url: https://discord.gg/clawd
-    about: "New to OpenClaw? Join Discord for setup guidance in #help."
+    about: New to Clawdbot? Join Discord for setup guidance from Krill in #help.
  - name: Support
    url: https://discord.gg/clawd
-    about: "Get help from the OpenClaw community on Discord in #help."
+    about: Get help from Krill and the community on Discord in #help.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,18 @@
+---
+name: Feature request
+about: Suggest an idea or improvement for Clawdbot.
+title: "[Feature]: "
+labels: enhancement
+---
+
+## Summary
+Describe the problem you are trying to solve or the opportunity you see.
+
+## Proposed solution
+What would you like Clawdbot to do?
+
+## Alternatives considered
+Any other approaches you have considered?
+
+## Additional context
+Links, screenshots, or related issues.
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -1,70 +0,0 @@
-name: Feature request
-description: Propose a new capability or product improvement.
-title: "[Feature]: "
-labels:
-  - enhancement
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Help us evaluate this request with concrete use cases and tradeoffs.
-  - type: textarea
-    id: summary
-    attributes:
-      label: Summary
-      description: One-line statement of the requested capability.
-      placeholder: Add per-channel default response prefix.
-    validations:
-      required: true
-  - type: textarea
-    id: problem
-    attributes:
-      label: Problem to solve
-      description: What user pain this solves and why current behavior is insufficient.
-      placeholder: Agents cannot distinguish persona context in mixed channels, causing misrouted follow-ups.
-    validations:
-      required: true
-  - type: textarea
-    id: proposed_solution
-    attributes:
-      label: Proposed solution
-      description: Desired behavior/API/UX with as much specificity as possible.
-      placeholder: Support channels.<channel>.responsePrefix with default fallback and account-level override.
-    validations:
-      required: true
-  - type: textarea
-    id: alternatives
-    attributes:
-      label: Alternatives considered
-      description: Other approaches considered and why they are weaker.
-      placeholder: Manual prefixing in prompts is inconsistent and hard to enforce.
-  - type: textarea
-    id: impact
-    attributes:
-      label: Impact
-      description: |
-        Explain who is affected, severity/urgency, how often this pain occurs, and practical consequences.
-        Include:
-        - Affected users/systems/channels
-        - Severity (annoying, blocks workflow, etc.)
-        - Frequency (always/intermittent/edge case)
-        - Consequence (delays, errors, extra manual work, etc.)
-      placeholder: |
-        Affected: Multi-team shared channels
-        Severity: Medium
-        Frequency: Daily
-        Consequence: +20 minutes/day/operator and delayed alerts
-    validations:
-      required: true
-  - type: textarea
-    id: evidence
-    attributes:
-      label: Evidence/examples
-      description: Prior art, links, screenshots, logs, or metrics.
-      placeholder: Comparable behavior in X, sample config, and screenshot of current limitation.
-  - type: textarea
-    id: additional_information
-    attributes:
-      label: Additional information
-      description: Extra context, constraints, or references not covered above.
-      placeholder: Must remain backward-compatible with existing config keys.
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -1,26 +0,0 @@
-# actionlint configuration
-# https://github.com/rhysd/actionlint/blob/main/docs/config.md
-
-self-hosted-runner:
-  labels:
-    # Blacksmith CI runners
-    - blacksmith-8vcpu-ubuntu-2404
-    - blacksmith-8vcpu-windows-2025
-    - blacksmith-16vcpu-ubuntu-2404
-    - blacksmith-32vcpu-ubuntu-2404
-    - blacksmith-16vcpu-windows-2025
-    - blacksmith-32vcpu-windows-2025
-    - blacksmith-16vcpu-ubuntu-2404-arm
-    - blacksmith-6vcpu-macos-latest
-    - blacksmith-12vcpu-macos-latest
-
-# Ignore patterns for known issues
-paths:
-  .github/workflows/**/*.yml:
-    ignore:
-      # Ignore shellcheck warnings (we run shellcheck separately)
-      - "shellcheck reported issue.+"
-      # Ignore intentional if: false for disabled jobs
-      - 'constant expression "false" in condition'
-      # actionlint's built-in runner label allowlist lags Blacksmith additions.
-      - 'label "blacksmith-16vcpu-[^"]+" is unknown\.'
--- a/.github/actions/detect-docs-changes/action.yml
+++ b/.github/actions/detect-docs-changes/action.yml
@@ -1,53 +0,0 @@
-name: Detect docs-only changes
-description: >
-  Outputs docs_only=true when all changed files are under docs/ or are
-  markdown (.md/.mdx). Fail-safe: if detection fails, outputs false (run
-  everything). Uses git diff — no API calls, no extra permissions needed.
-
-outputs:
-  docs_only:
-    description: "'true' if all changes are docs/markdown, 'false' otherwise"
-    value: ${{ steps.check.outputs.docs_only }}
-  docs_changed:
-    description: "'true' if any changed file is under docs/ or is markdown"
-    value: ${{ steps.check.outputs.docs_changed }}
-
-runs:
-  using: composite
-  steps:
-    - name: Detect docs-only changes
-      id: check
-      shell: bash
-      run: |
-        if [ "${{ github.event_name }}" = "push" ]; then
-          BASE="${{ github.event.before }}"
-        else
-          # Use the exact base SHA from the event payload — stable regardless
-          # of base branch movement (avoids origin/<ref> drift).
-          BASE="${{ github.event.pull_request.base.sha }}"
-        fi
-
-        # Fail-safe: if we can't diff, assume non-docs (run everything)
-        CHANGED=$(git diff --name-only "$BASE" HEAD 2>/dev/null || echo "UNKNOWN")
-        if [ "$CHANGED" = "UNKNOWN" ] || [ -z "$CHANGED" ]; then
-          echo "docs_only=false" >> "$GITHUB_OUTPUT"
-          echo "docs_changed=false" >> "$GITHUB_OUTPUT"
-          exit 0
-        fi
-
-        # Check if any changed file is a doc
-        DOCS=$(echo "$CHANGED" | grep -E '^docs/|\.md$|\.mdx$' || true)
-        if [ -n "$DOCS" ]; then
-          echo "docs_changed=true" >> "$GITHUB_OUTPUT"
-        else
-          echo "docs_changed=false" >> "$GITHUB_OUTPUT"
-        fi
-
-        # Check if all changed files are docs or markdown
-        NON_DOCS=$(echo "$CHANGED" | grep -vE '^docs/|\.md$|\.mdx$' || true)
-        if [ -z "$NON_DOCS" ]; then
-          echo "docs_only=true" >> "$GITHUB_OUTPUT"
-          echo "Docs-only change detected — skipping heavy jobs"
-        else
-          echo "docs_only=false" >> "$GITHUB_OUTPUT"
-        fi
--- a/.github/actions/docker-e2e-plan/action.yml
+++ b/.github/actions/docker-e2e-plan/action.yml
@@ -1,145 +0,0 @@
-name: Docker E2E plan and hydrate
-description: >
-  Create a Docker E2E lane plan, expose GitHub outputs, and optionally hydrate
-  the prebuilt package artifact plus shared Docker images needed by the plan.
-inputs:
-  mode:
-    description: prepare, chunk, or targeted.
-    required: true
-  chunk:
-    description: Release-path chunk for mode=chunk.
-    required: false
-    default: ""
-  lanes:
-    description: Comma/space separated lane names for targeted or prepare mode.
-    required: false
-    default: ""
-  include-openwebui:
-    description: Whether Open WebUI is included when planning release/prepare coverage.
-    required: false
-    default: "true"
-  include-release-path-suites:
-    description: Whether prepare mode should plan all release-path suites.
-    required: false
-    default: "false"
-  hydrate-artifacts:
-    description: Whether to download/pull artifacts required by the plan.
-    required: false
-    default: "true"
-outputs:
-  credentials:
-    description: Comma-separated credential groups required by selected lanes.
-    value: ${{ steps.plan.outputs.credentials }}
-  needs_bare_image:
-    description: "1 when selected lanes require the bare Docker E2E image."
-    value: ${{ steps.plan.outputs.needs_bare_image }}
-  needs_e2e_image:
-    description: "1 when selected lanes require any Docker E2E image."
-    value: ${{ steps.plan.outputs.needs_e2e_image }}
-  needs_functional_image:
-    description: "1 when selected lanes require the functional Docker E2E image."
-    value: ${{ steps.plan.outputs.needs_functional_image }}
-  needs_live_image:
-    description: "1 when selected lanes require building the live Docker image."
-    value: ${{ steps.plan.outputs.needs_live_image }}
-  needs_package:
-    description: "1 when selected lanes require the OpenClaw package tarball."
-    value: ${{ steps.plan.outputs.needs_package }}
-  plan_json:
-    description: Path to the generated plan JSON.
-    value: ${{ steps.plan.outputs.plan_json }}
-runs:
-  using: composite
-  steps:
-    - name: Plan Docker E2E lanes
-      id: plan
-      shell: bash
-      env:
-        MODE: ${{ inputs.mode }}
-        CHUNK: ${{ inputs.chunk }}
-        LANES: ${{ inputs.lanes }}
-        INCLUDE_OPENWEBUI: ${{ inputs.include-openwebui }}
-        INCLUDE_RELEASE_PATH_SUITES: ${{ inputs.include-release-path-suites }}
-      run: |
-        set -euo pipefail
-        mkdir -p .artifacts/docker-tests
-
-        case "$MODE" in
-          prepare)
-            plan_path=".artifacts/docker-tests/plan.json"
-            if [[ "$INCLUDE_RELEASE_PATH_SUITES" == "true" ]]; then
-              export OPENCLAW_DOCKER_ALL_PROFILE=release-path
-              export OPENCLAW_DOCKER_ALL_PLAN_RELEASE_ALL=1
-            elif [[ -n "$LANES" ]]; then
-              export OPENCLAW_DOCKER_ALL_LANES="$LANES"
-            elif [[ "$INCLUDE_OPENWEBUI" == "true" ]]; then
-              export OPENCLAW_DOCKER_ALL_LANES=openwebui
-            fi
-            ;;
-          chunk)
-            if [[ -z "$CHUNK" ]]; then
-              echo "chunk input is required for Docker E2E chunk planning." >&2
-              exit 1
-            fi
-            export OPENCLAW_DOCKER_ALL_PROFILE=release-path
-            export OPENCLAW_DOCKER_ALL_CHUNK="$CHUNK"
-            plan_path=".artifacts/docker-tests/release-${CHUNK}-plan.json"
-            ;;
-          targeted)
-            if [[ -z "$LANES" ]]; then
-              echo "lanes input is required for Docker E2E targeted planning." >&2
-              exit 1
-            fi
-            export OPENCLAW_DOCKER_ALL_LANES="$LANES"
-            plan_path=".artifacts/docker-tests/targeted-plan.json"
-            ;;
-          *)
-            echo "mode must be prepare, chunk, or targeted. Got: $MODE" >&2
-            exit 1
-            ;;
-        esac
-
-        export OPENCLAW_DOCKER_ALL_INCLUDE_OPENWEBUI="$INCLUDE_OPENWEBUI"
-        node scripts/test-docker-all.mjs --plan-json > "$plan_path"
-        node scripts/docker-e2e.mjs github-outputs "$plan_path" >> "$GITHUB_OUTPUT"
-        echo "plan_json=$plan_path" >> "$GITHUB_OUTPUT"
-
-    - name: Download OpenClaw Docker E2E package
-      if: inputs.hydrate-artifacts == 'true' && steps.plan.outputs.needs_package == '1'
-      uses: actions/download-artifact@v8
-      with:
-        name: docker-e2e-package
-        path: .artifacts/docker-e2e-package
-
-    - name: Pull shared bare Docker E2E image
-      if: inputs.hydrate-artifacts == 'true' && steps.plan.outputs.needs_bare_image == '1'
-      shell: bash
-      run: |
-        set -euo pipefail
-        docker pull "${OPENCLAW_DOCKER_E2E_BARE_IMAGE}"
-
-    - name: Pull shared functional Docker E2E image
-      if: inputs.hydrate-artifacts == 'true' && steps.plan.outputs.needs_functional_image == '1'
-      shell: bash
-      run: |
-        set -euo pipefail
-        docker pull "${OPENCLAW_DOCKER_E2E_FUNCTIONAL_IMAGE}"
-
-    - name: Validate Docker E2E credentials
-      if: inputs.hydrate-artifacts == 'true'
-      shell: bash
-      env:
-        CREDENTIALS: ${{ steps.plan.outputs.credentials }}
-      run: |
-        set -euo pipefail
-        credentials=",$CREDENTIALS,"
-        if [[ "$credentials" == *",openai,"* ]]; then
-          [[ -n "${OPENAI_API_KEY:-}" ]] || {
-            echo "OPENAI_API_KEY is required for selected Docker E2E lanes." >&2
-            exit 1
-          }
-        fi
-        if [[ "$credentials" == *",anthropic,"* && -z "${ANTHROPIC_API_TOKEN:-}" && -z "${ANTHROPIC_API_KEY:-}" ]]; then
-          echo "ANTHROPIC_API_TOKEN or ANTHROPIC_API_KEY is required for selected Docker E2E lanes." >&2
-          exit 1
-        fi
--- a/.github/actions/ensure-base-commit/action.yml
+++ b/.github/actions/ensure-base-commit/action.yml
@@ -1,61 +0,0 @@
-name: Ensure base commit
-description: Ensure a shallow checkout has enough history to diff against a base SHA.
-inputs:
-  base-sha:
-    description: Base commit SHA to diff against.
-    required: true
-  fetch-ref:
-    description: Branch or ref to deepen/fetch from origin when base-sha is missing.
-    required: true
-runs:
-  using: composite
-  steps:
-    - name: Ensure base commit is available
-      shell: bash
-      env:
-        BASE_SHA: ${{ inputs.base-sha }}
-        FETCH_REF: ${{ inputs.fetch-ref }}
-      run: |
-        set -euo pipefail
-
-        if [ -z "$BASE_SHA" ] || [[ "$BASE_SHA" =~ ^0+$ ]]; then
-          echo "No concrete base SHA available; skipping targeted fetch."
-          exit 0
-        fi
-
-        if ! [[ "$BASE_SHA" =~ ^[0-9a-fA-F]{7,40}$ ]]; then
-          echo "::error title=ensure-base-commit invalid base sha::Refusing invalid base SHA: $BASE_SHA"
-          exit 2
-        fi
-
-        if ! git check-ref-format --branch "$FETCH_REF" >/dev/null 2>&1; then
-          echo "::error title=ensure-base-commit invalid fetch ref::Refusing invalid fetch ref: $FETCH_REF"
-          exit 2
-        fi
-
-        if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
-          echo "Base commit already present: $BASE_SHA"
-          exit 0
-        fi
-
-        for deepen_by in 25 100 300; do
-          echo "Base commit missing; deepening $FETCH_REF by $deepen_by."
-          if ! git fetch --no-tags --deepen="$deepen_by" origin -- "$FETCH_REF"; then
-            echo "::warning title=ensure-base-commit fetch failed::Failed to deepen $FETCH_REF by $deepen_by while looking for $BASE_SHA"
-          fi
-          if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
-            echo "Resolved base commit after deepening: $BASE_SHA"
-            exit 0
-          fi
-        done
-
-        echo "Base commit still missing; fetching full history for $FETCH_REF."
-        if ! git fetch --no-tags origin -- "$FETCH_REF"; then
-          echo "::warning title=ensure-base-commit fetch failed::Failed to fetch full history for $FETCH_REF while looking for $BASE_SHA"
-        fi
-        if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
-          echo "Resolved base commit after full ref fetch: $BASE_SHA"
-          exit 0
-        fi
-
-        echo "Base commit still unavailable after fetch attempts: $BASE_SHA"
--- a/.github/actions/setup-node-env/action.yml
+++ b/.github/actions/setup-node-env/action.yml
@@ -1,108 +0,0 @@
-name: Setup Node environment
-description: >
-  Install Node 24 by default, pnpm, optionally Bun, and optionally run pnpm
-  install. Requires actions/checkout to run first.
-inputs:
-  node-version:
-    description: Node.js version to install.
-    required: false
-    default: "24.x"
-  cache-key-suffix:
-    description: Suffix appended to the pnpm store cache key.
-    required: false
-    default: "node24"
-  pnpm-version:
-    description: pnpm version for corepack.
-    required: false
-    default: "10.33.0"
-  install-bun:
-    description: Whether to install Bun alongside Node.
-    required: false
-    default: "true"
-  install-deps:
-    description: Whether to run pnpm install after environment setup.
-    required: false
-    default: "true"
-  frozen-lockfile:
-    description: Whether to use --frozen-lockfile for install.
-    required: false
-    default: "true"
-runs:
-  using: composite
-  steps:
-    - name: Setup Node.js
-      uses: actions/setup-node@v6
-      with:
-        node-version: ${{ inputs.node-version }}
-        check-latest: false
-
-    - name: Setup pnpm + cache store
-      id: pnpm-cache
-      uses: ./.github/actions/setup-pnpm-store-cache
-      with:
-        pnpm-version: ${{ inputs.pnpm-version }}
-        cache-key-suffix: ${{ inputs.cache-key-suffix }}
-
-    - name: Setup Bun
-      if: inputs.install-bun == 'true'
-      uses: oven-sh/setup-bun@v2.2.0
-      with:
-        bun-version: "1.3.9"
-
-    - name: Runtime versions
-      shell: bash
-      run: |
-        node -v
-        npm -v
-        pnpm -v
-        if command -v bun &>/dev/null; then bun -v; fi
-
-    - name: Capture node path
-      if: inputs.install-deps == 'true'
-      shell: bash
-      run: |
-        node_bin="$(dirname "$(node -p 'process.execPath')")"
-        if command -v cygpath >/dev/null 2>&1; then
-          node_bin="$(cygpath -u "$node_bin")"
-        fi
-        echo "NODE_BIN=$node_bin" >> "$GITHUB_ENV"
-
-    - name: Install dependencies
-      if: inputs.install-deps == 'true'
-      shell: bash
-      env:
-        CI: "true"
-        FROZEN_LOCKFILE: ${{ inputs.frozen-lockfile }}
-      run: |
-        set -euo pipefail
-        export PATH="$NODE_BIN:$PATH"
-        which node
-        node -v
-        pnpm -v
-        case "$FROZEN_LOCKFILE" in
-          true) LOCKFILE_FLAG="--frozen-lockfile" ;;
-          false) LOCKFILE_FLAG="" ;;
-          *)
-            echo "::error::Invalid frozen-lockfile input: '$FROZEN_LOCKFILE' (expected true or false)"
-            exit 2
-            ;;
-        esac
-
-        install_args=(
-          install
-          --ignore-scripts=false
-          --config.engine-strict=false
-          --config.enable-pre-post-scripts=true
-        )
-        if [ -n "$LOCKFILE_FLAG" ]; then
-          install_args+=("$LOCKFILE_FLAG")
-        fi
-        pnpm "${install_args[@]}" || pnpm "${install_args[@]}"
-
-    - name: Save pnpm store cache
-      if: inputs.install-deps == 'true' && steps.pnpm-cache.outputs.cache-enabled == 'true' && steps.pnpm-cache.outputs.cache-hit != 'true'
-      uses: actions/cache/save@v5
-      continue-on-error: true
-      with:
-        path: ${{ steps.pnpm-cache.outputs.store-path }}
-        key: ${{ steps.pnpm-cache.outputs.primary-key }}
--- a/.github/actions/setup-pnpm-store-cache/action.yml
+++ b/.github/actions/setup-pnpm-store-cache/action.yml
@@ -1,90 +0,0 @@
-name: Setup pnpm + store cache
-description: Prepare pnpm via corepack and restore pnpm store cache.
-inputs:
-  pnpm-version:
-    description: pnpm version to activate via corepack.
-    required: false
-    default: "10.33.0"
-  cache-key-suffix:
-    description: Suffix appended to the cache key.
-    required: false
-    default: "node24"
-  use-restore-keys:
-    description: Whether to use restore-keys fallback for actions/cache.
-    required: false
-    default: "true"
-  use-actions-cache:
-    description: Whether to restore pnpm store with actions/cache.
-    required: false
-    default: "true"
-outputs:
-  cache-enabled:
-    description: Whether actions/cache restore was enabled.
-    value: ${{ steps.pnpm-cache-config.outputs.enabled }}
-  cache-hit:
-    description: Whether the pnpm store cache had an exact key hit.
-    value: ${{ steps.pnpm-cache-restore.outputs.cache-hit }}
-  cache-matched-key:
-    description: Cache key matched by restore, if any.
-    value: ${{ steps.pnpm-cache-restore.outputs.cache-matched-key }}
-  primary-key:
-    description: Primary pnpm store cache key.
-    value: ${{ steps.pnpm-cache-config.outputs.primary-key }}
-  store-path:
-    description: Resolved pnpm store path.
-    value: ${{ steps.pnpm-store.outputs.path }}
-runs:
-  using: composite
-  steps:
-    - name: Setup pnpm (corepack retry)
-      shell: bash
-      env:
-        PNPM_VERSION: ${{ inputs.pnpm-version }}
-      run: |
-        set -euo pipefail
-        if [[ ! "$PNPM_VERSION" =~ ^[0-9]+(\.[0-9]+){1,2}([.-][0-9A-Za-z.-]+)?$ ]]; then
-          echo "::error::Invalid pnpm-version input: '$PNPM_VERSION'"
-          exit 2
-        fi
-        corepack enable
-        for attempt in 1 2 3; do
-          if corepack prepare "pnpm@$PNPM_VERSION" --activate; then
-            pnpm -v
-            exit 0
-          fi
-          echo "corepack prepare failed (attempt $attempt/3). Retrying..."
-          sleep $((attempt * 10))
-        done
-        exit 1
-
-    - name: Resolve pnpm store path
-      id: pnpm-store
-      shell: bash
-      run: echo "path=$(pnpm store path --silent)" >> "$GITHUB_OUTPUT"
-
-    - name: Resolve pnpm store cache keys
-      id: pnpm-cache-config
-      shell: bash
-      env:
-        CACHE_KEY_SUFFIX: ${{ inputs.cache-key-suffix }}
-        LOCKFILE_HASH: ${{ hashFiles('pnpm-lock.yaml') }}
-        USE_ACTIONS_CACHE: ${{ inputs.use-actions-cache }}
-        USE_RESTORE_KEYS: ${{ inputs.use-restore-keys }}
-      run: |
-        set -euo pipefail
-        echo "enabled=$USE_ACTIONS_CACHE" >> "$GITHUB_OUTPUT"
-        echo "primary-key=${RUNNER_OS}-pnpm-store-${CACHE_KEY_SUFFIX}-${LOCKFILE_HASH}" >> "$GITHUB_OUTPUT"
-        if [ "$USE_RESTORE_KEYS" = "true" ]; then
-          echo "restore-keys=${RUNNER_OS}-pnpm-store-${CACHE_KEY_SUFFIX}-" >> "$GITHUB_OUTPUT"
-        else
-          echo "restore-keys=" >> "$GITHUB_OUTPUT"
-        fi
-
-    - name: Restore pnpm store cache
-      id: pnpm-cache-restore
-      if: inputs.use-actions-cache == 'true'
-      uses: actions/cache/restore@v5
-      with:
-        path: ${{ steps.pnpm-store.outputs.path }}
-        key: ${{ steps.pnpm-cache-config.outputs.primary-key }}
-        restore-keys: ${{ steps.pnpm-cache-config.outputs.restore-keys }}
--- a/.github/codeql/codeql-javascript-typescript.yml
+++ b/.github/codeql/codeql-javascript-typescript.yml
@@ -1,21 +0,0 @@
-name: openclaw-codeql-javascript-typescript
-
-paths:
-  - src
-  - extensions
-  - ui/src
-  - skills
-
-paths-ignore:
-  - apps
-  - dist
-  - docs
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
--- a/.github/codex/prompts/docs-agent.md
+++ b/.github/codex/prompts/docs-agent.md
@@ -1,33 +0,0 @@
-# OpenClaw Docs Agent
-
-You are maintaining OpenClaw documentation after a main-branch commit.
-
-Goal: inspect the code changes and existing documentation, then update existing docs only when they are stale, incomplete, or misleading.
-
-Hard limits:
-
- Edit existing files only.
- Do not create new docs pages, images, assets, scripts, code files, or workflow files.
- Do not delete or rename files.
- Do not change production code, tests, package metadata, generated baselines, lockfiles, or CI config.
- Keep changes minimal and factual.
- Use "plugin/plugins" in user-facing docs/UI/changelog; `extensions/` is only the internal workspace layout.
- Do not add a changelog entry unless the docs update describes a user-facing behavior/API change from the triggering commit.
-
-Allowed paths:
-
- `docs/**`
- `README.md`
- `CHANGELOG.md`
-
-Required workflow:
-
-1. Run `pnpm docs:list` if available and read relevant docs based on `read_when` hints.
-2. Inspect the triggering event via `$GITHUB_EVENT_PATH`, then review `$DOCS_AGENT_BASE_SHA..$DOCS_AGENT_HEAD_SHA` and its changed files. If either env var is missing, fall back to the event payload.
-3. Update stale existing documentation, if needed.
-4. Run `pnpm check:docs` if dependencies are available.
-5. Leave the worktree clean if no docs need changes.
-
-If `pnpm docs:check-mdx` or `pnpm check:docs` reports MDX parse errors, fix only the syntax needed for the listed existing docs files. Preserve prose meaning, frontmatter, code fences, and links; do not broadly rewrite translated or source content while repairing parser failures.
-
-When uncertain, prefer no edit and explain the uncertainty in the final message.
--- a/.github/codex/prompts/docs-mdx-repair.md
+++ b/.github/codex/prompts/docs-mdx-repair.md
@@ -1,25 +0,0 @@
-# OpenClaw Docs MDX Repair Agent
-
-You are repairing generated OpenClaw documentation after a fast MDX validation failure.
-
-Goal: fix only the MDX syntax errors reported by the checker.
-
-Hard limits:
-
- Edit only existing Markdown/MDX files under the locale path named by `LOCALE`.
- Do not edit source English docs unless `LOCALE=en`.
- Do not edit code, workflows, package metadata, generated sync metadata, translation memory, or assets.
- Do not add, delete, or rename files.
- Preserve the meaning of translated prose.
- Preserve frontmatter, `x-i18n.source_hash`, links, code fences, JSX component names, and existing page structure.
- Avoid broad formatting or retranslation.
-
-Required workflow:
-
-1. Read `.openclaw-sync/mdx/${LOCALE}.json` when it exists.
-2. Inspect only the listed files and nearby lines.
-3. Fix the minimal syntax issue, such as broken JSX attribute quoting, mismatched component closing tags, raw `<` text, raw HTML comments, or accidental top-level `import`/`export` text.
-4. Run `node source/scripts/check-docs-mdx.mjs "docs/${LOCALE}" --json-out ".openclaw-sync/mdx/${LOCALE}.json"`.
-5. Leave no changes outside `docs/${LOCALE}`.
-
-When uncertain, prefer the smallest escaping fix: backticks for literal words, `&lt;` for literal `<`, double quotes around JSX attribute values, and balanced component tags.
--- a/.github/codex/prompts/test-performance-agent.md
+++ b/.github/codex/prompts/test-performance-agent.md
@@ -1,44 +0,0 @@
-# OpenClaw Test Performance Agent
-
-You are maintaining OpenClaw test performance after a trusted main-branch CI run.
-
-Goal: inspect the full-suite test performance report, then make small, coverage-preserving improvements to slow tests when the fix is clear. If the baseline report shows failing tests and the fix is obvious, fix those too.
-
-Inputs:
-
- Baseline grouped report: `.artifacts/test-perf/baseline-before.json`
- Per-config Vitest JSON reports: `.artifacts/test-perf/baseline-before/vitest-json/`
- Per-config logs: `.artifacts/test-perf/baseline-before/logs/`
-
-Hard limits:
-
- Preserve test coverage and behavioral intent.
- Do not delete, skip, weaken, or narrow test cases to make the suite faster.
- Do not add `test.skip`, `it.skip`, `describe.skip`, `test.only`, `it.only`, or `describe.only`.
- Do not update snapshots, generated baselines, inventories, ignore files, lockfiles, package metadata, CI workflows, or release metadata.
- Do not add dependencies.
- Do not create, delete, or rename files.
- Do not do broad refactors or style-only rewrites.
- Keep changes minimal and focused on the slow or failing tests you can justify from the report.
- Prefer no edit when a performance improvement is speculative.
- If `.artifacts/test-perf/baseline-before.json` has `"failed": true`, do not make performance-only edits. First inspect the failed config logs. Edit only when the test failure has an obvious, coverage-preserving fix. If no obvious failure fix exists, leave the worktree clean.
-
-Good fixes:
-
- Replace broad partial module mocks, especially `importOriginal()` mocks, with narrow injected dependencies or local runtime seams.
- Avoid importing heavy barrels in hot tests when a narrow module or helper covers the same behavior.
- Add or adjust a production lazy/injection seam only when that is the narrowest way to preserve coverage while removing expensive imports or fixing an obvious mock/import failure.
- Move expensive setup from per-test hooks to shared setup only when state isolation remains correct.
- Reuse existing fixtures/builders instead of recreating expensive work per case.
- Mock expensive runtime boundaries directly: filesystem crawls, package registries, provider SDKs, network/process launch, browser/runtime scanners.
- Keep one integration smoke per boundary and test pure helpers directly, but only when the same behavior remains covered.
-
-Required workflow:
-
-1. Run `pnpm docs:list` if available, then read `docs/reference/test.md` and `docs/help/testing.md` sections about test performance.
-2. Inspect `.artifacts/test-perf/baseline-before.json`. If `failed` is true, inspect the failed config logs before looking at slow files.
-3. Pick at most a few low-risk files. When baseline failed, pick only files needed for the obvious failure fix; otherwise focus on the slowest files/configs. Explain the coverage-preserving reason in comments only if the code would otherwise be unclear.
-4. Run targeted tests for changed files where possible. Use `pnpm test <path>` and optionally `pnpm test:perf:imports <path>`.
-5. Leave the worktree clean if no safe improvement exists.
-
-When uncertain, make no edit and explain the uncertainty in the final message.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,127 +0,0 @@
-# Dependabot configuration
-# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-
-version: 2
-
-registries:
-  npm-npmjs:
-    type: npm-registry
-    url: https://registry.npmjs.org
-    token: ${{secrets.NPM_NPMJS_TOKEN}}
-    replaces-base: true
-
-updates:
-  # npm dependencies (root)
-  - package-ecosystem: npm
-    directory: /
-    schedule:
-      interval: daily
-    cooldown:
-      default-days: 2
-    groups:
-      production:
-        dependency-type: production
-        update-types:
-          - minor
-          - patch
-      development:
-        dependency-type: development
-        update-types:
-          - minor
-          - patch
-    open-pull-requests-limit: 10
-    registries:
-      - npm-npmjs
-
-  # GitHub Actions
-  - package-ecosystem: github-actions
-    directory: /
-    schedule:
-      interval: daily
-    cooldown:
-      default-days: 2
-    groups:
-      actions:
-        patterns:
-          - "*"
-        update-types:
-          - minor
-          - patch
-    open-pull-requests-limit: 5
-
-  # Swift Package Manager - macOS app
-  - package-ecosystem: swift
-    directory: /apps/macos
-    schedule:
-      interval: daily
-    cooldown:
-      default-days: 2
-    groups:
-      swift-deps:
-        patterns:
-          - "*"
-        update-types:
-          - minor
-          - patch
-    open-pull-requests-limit: 5
-
-  # Swift Package Manager - shared MoltbotKit
-  - package-ecosystem: swift
-    directory: /apps/shared/MoltbotKit
-    schedule:
-      interval: daily
-    cooldown:
-      default-days: 2
-    groups:
-      swift-deps:
-        patterns:
-          - "*"
-        update-types:
-          - minor
-          - patch
-    open-pull-requests-limit: 5
-
-  # Swift Package Manager - Swabble
-  - package-ecosystem: swift
-    directory: /Swabble
-    schedule:
-      interval: daily
-    cooldown:
-      default-days: 2
-    groups:
-      swift-deps:
-        patterns:
-          - "*"
-        update-types:
-          - minor
-          - patch
-    open-pull-requests-limit: 5
-
-  # Gradle - Android app
-  - package-ecosystem: gradle
-    directory: /apps/android
-    schedule:
-      interval: daily
-    cooldown:
-      default-days: 2
-    groups:
-      android-deps:
-        patterns:
-          - "*"
-        update-types:
-          - minor
-          - patch
-    open-pull-requests-limit: 5
-
-  # Docker base images
-  - package-ecosystem: docker
-    directory: /
-    schedule:
-      interval: weekly
-    cooldown:
-      default-days: 2
-    groups:
-      docker-images:
-        patterns:
-          - "*"
-    open-pull-requests-limit: 5
--- a/.github/instructions/copilot.instructions.md
+++ b/.github/instructions/copilot.instructions.md
@@ -1,64 +0,0 @@
-# OpenClaw Codebase Patterns
-
-**Always reuse existing code - no redundancy!**
-
-## Tech Stack
-
- **Runtime**: Node 22+ (Bun also supported for dev/scripts)
- **Language**: TypeScript (ESM, strict mode)
- **Package Manager**: pnpm (keep `pnpm-lock.yaml` in sync)
- **Lint/Format**: Oxlint, Oxfmt (`pnpm check`)
- **Tests**: Vitest with V8 coverage
- **CLI Framework**: Commander + clack/prompts
- **Build**: tsdown (outputs to `dist/`)
-
-## Anti-Redundancy Rules
-
- Avoid files that just re-export from another file. Import directly from the original source.
- If a function already exists, import it - do NOT create a duplicate in another file.
- Before creating any formatter, utility, or helper, search for existing implementations first.
-
-## Source of Truth Locations
-
-### Formatting Utilities (`src/infra/`)
-
- **Time formatting**: `src\infra\format-time`
-
-**NEVER create local `formatAge`, `formatDuration`, `formatElapsedTime` functions - import from centralized modules.**
-
-### Terminal Output (`src/terminal/`)
-
- Tables: `src/terminal/table.ts` (`renderTable`)
- Themes/colors: `src/terminal/theme.ts` (`theme.success`, `theme.muted`, etc.)
- Progress: `src/cli/progress.ts` (spinners, progress bars)
-
-### CLI Patterns
-
- CLI option wiring: `src/cli/`
- Commands: `src/commands/`
- Dependency injection via `createDefaultDeps`
-
-## Import Conventions
-
- Use `.js` extension for cross-package imports (ESM)
- Direct imports only - no re-export wrapper files
- Types: `import type { X }` for type-only imports
-
-## Code Quality
-
- TypeScript (ESM), strict typing, avoid `any`
- Keep files under ~700 LOC - extract helpers when larger
- Colocated tests: `*.test.ts` next to source files
- Run `pnpm check` before commits (production type check + lint + format)
- Run `pnpm check:test-types` when you need test type coverage, or `pnpm tsgo:all` for a full production plus test type sweep
-
-## Stack & Commands
-
- **Package manager**: pnpm (`pnpm install`)
- **Dev**: `pnpm openclaw ...` or `pnpm dev`
- **Type-check**: `pnpm tsgo` (core production), `pnpm tsgo:prod` (core + extension production), `pnpm check:test-types` (tests)
- **Lint/format**: `pnpm check`
- **Tests**: `pnpm test`
- **Build**: `pnpm build`
-
-If you are coding together with a human, do NOT use scripts/committer, but git directly and run the above commands manually to ensure quality.
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -1,423 +0,0 @@
-"channel: bluebubbles":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/bluebubbles/**"
-          - "docs/channels/bluebubbles.md"
-"plugin: azure-speech":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/azure-speech/**"
-          - "docs/providers/azure-speech.md"
-          - "docs/tools/tts.md"
-"channel: discord":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/discord/**"
-          - "docs/channels/discord.md"
-"channel: irc":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/irc/**"
-          - "docs/channels/irc.md"
-"channel: feishu":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "src/feishu/**"
-          - "extensions/feishu/**"
-          - "docs/channels/feishu.md"
-"channel: googlechat":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/googlechat/**"
-          - "docs/channels/googlechat.md"
-"plugin: google-meet":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/google-meet/**"
-          - "docs/plugins/google-meet.md"
-"plugin: bonjour":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/bonjour/**"
-          - "docs/gateway/bonjour.md"
-"channel: imessage":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/imessage/**"
-          - "docs/channels/imessage.md"
-"channel: line":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/line/**"
-          - "docs/channels/line.md"
-"channel: matrix":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/matrix/**"
-          - "docs/channels/matrix.md"
-"channel: mattermost":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/mattermost/**"
-          - "docs/channels/mattermost.md"
-"channel: msteams":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/msteams/**"
-          - "docs/channels/msteams.md"
-"channel: nextcloud-talk":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/nextcloud-talk/**"
-          - "docs/channels/nextcloud-talk.md"
-"channel: nostr":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/nostr/**"
-          - "docs/channels/nostr.md"
-"channel: qqbot":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/qqbot/**"
-          - "docs/channels/qqbot.md"
-"channel: qa-channel":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/qa-channel/**"
-          - "docs/channels/qa-channel.md"
-"extensions: qa-lab":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/qa-lab/**"
-          - "docs/concepts/qa-e2e-automation.md"
-          - "docs/channels/qa-channel.md"
-"channel: signal":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/signal/**"
-          - "docs/channels/signal.md"
-"channel: slack":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/slack/**"
-          - "docs/channels/slack.md"
-"channel: telegram":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/telegram/**"
-          - "docs/channels/telegram.md"
-"channel: tlon":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/tlon/**"
-          - "docs/channels/tlon.md"
-"channel: twitch":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/twitch/**"
-          - "docs/channels/twitch.md"
-"channel: voice-call":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/voice-call/**"
-"channel: whatsapp-web":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/whatsapp/**"
-          - "docs/channels/whatsapp.md"
-"channel: zalo":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/zalo/**"
-          - "docs/channels/zalo.md"
-"channel: zalouser":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/zalouser/**"
-          - "docs/channels/zalouser.md"
-
-"app: android":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "apps/android/**"
-          - "docs/platforms/android.md"
-"app: ios":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "apps/ios/**"
-          - "docs/platforms/ios.md"
-"app: macos":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "apps/macos/**"
-          - "docs/platforms/macos.md"
-          - "docs/platforms/mac/**"
-"app: web-ui":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "ui/**"
-          - "src/gateway/control-ui.ts"
-          - "src/gateway/control-ui-shared.ts"
-          - "src/gateway/protocol/**"
-          - "src/gateway/server-methods/chat.ts"
-          - "src/infra/control-ui-assets.ts"
-
-"gateway":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "src/gateway/**"
-          - "src/daemon/**"
-          - "docs/gateway/**"
-
-"docs":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "docs/**"
-          - "docs.acp.md"
-
-"cli":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "src/cli/**"
-
-"commands":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "src/commands/**"
-
-"scripts":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "scripts/**"
-
-"docker":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "Dockerfile"
-          - "Dockerfile.*"
-          - "docker-compose.yml"
-          - "docker-setup.sh"
-          - "setup-podman.sh"
-          - ".dockerignore"
-          - "scripts/docker/setup.sh"
-          - "scripts/podman/setup.sh"
-          - "scripts/**/*docker*"
-          - "scripts/**/Dockerfile*"
-          - "scripts/sandbox-*.sh"
-          - "src/agents/sandbox*.ts"
-          - "src/commands/sandbox*.ts"
-          - "src/cli/sandbox-cli.ts"
-          - "src/docker-setup.test.ts"
-          - "src/config/**/*sandbox*"
-          - "docs/cli/sandbox.md"
-          - "docs/gateway/sandbox*.md"
-          - "docs/install/docker.md"
-          - "docs/multi-agent-sandbox-tools.md"
-
-"agents":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "src/agents/**"
-
-"security":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "docs/cli/security.md"
-          - "docs/gateway/security.md"
-
-"extensions: copilot-proxy":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/copilot-proxy/**"
-"extensions: diagnostics-otel":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/diagnostics-otel/**"
-"extensions: diagnostics-prometheus":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/diagnostics-prometheus/**"
-"extensions: llm-task":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/llm-task/**"
-"extensions: lobster":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/lobster/**"
-"extensions: memory-core":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/memory-core/**"
-"extensions: memory-lancedb":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/memory-lancedb/**"
-"extensions: memory-wiki":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/memory-wiki/**"
-"extensions: open-prose":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/open-prose/**"
-"extensions: tokenjuice":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/tokenjuice/**"
-"extensions: webhooks":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/webhooks/**"
-"extensions: device-pair":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/device-pair/**"
-"extensions: duckduckgo":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/duckduckgo/**"
-"extensions: acpx":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/acpx/**"
-"extensions: arcee":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/arcee/**"
-"extensions: byteplus":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/byteplus/**"
-"extensions: deepseek":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/deepseek/**"
-"extensions: tencent":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/tencent/**"
-"extensions: stepfun":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/stepfun/**"
-"extensions: anthropic":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/anthropic/**"
-"extensions: cloudflare-ai-gateway":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/cloudflare-ai-gateway/**"
-"extensions: minimax-portal-auth":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/minimax-portal-auth/**"
-"extensions: huggingface":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/huggingface/**"
-"extensions: inworld":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/inworld/**"
-          - "docs/providers/inworld.md"
-"extensions: kilocode":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/kilocode/**"
-"extensions: lmstudio":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/lmstudio/**"
-"extensions: litellm":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/litellm/**"
-          - "docs/providers/litellm.md"
-"extensions: openai":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/openai/**"
-"extensions: codex":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/codex/**"
-"extensions: kimi-coding":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/kimi-coding/**"
-"extensions: minimax":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/minimax/**"
-"extensions: modelstudio":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/modelstudio/**"
-"extensions: moonshot":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/moonshot/**"
-"extensions: nvidia":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/nvidia/**"
-"extensions: phone-control":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/phone-control/**"
-"extensions: qianfan":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/qianfan/**"
-"extensions: senseaudio":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/senseaudio/**"
-          - "docs/providers/senseaudio.md"
-"extensions: synthetic":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/synthetic/**"
-"extensions: tavily":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/tavily/**"
-"extensions: talk-voice":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/talk-voice/**"
-"extensions: together":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/together/**"
-"extensions: tts-local-cli":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/tts-local-cli/**"
-          - "docs/tools/tts.md"
-"extensions: venice":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/venice/**"
-"extensions: vercel-ai-gateway":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/vercel-ai-gateway/**"
-"extensions: volcengine":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/volcengine/**"
-"extensions: xiaomi":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/xiaomi/**"
-"extensions: fal":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/fal/**"
-"extensions: gradium":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/gradium/**"
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,147 +0,0 @@
-## Summary
-
-Describe the problem and fix in 2–5 bullets:
-
-If this PR fixes a plugin beta-release blocker, title it `fix(<plugin-id>): beta blocker - <summary>` and link the matching `Beta blocker: <plugin-name> - <summary>` issue labeled `beta-blocker`. Contributors cannot label PRs, so the title is the PR-side signal for maintainers and automation.
-
- Problem:
- Why it matters:
- What changed:
- What did NOT change (scope boundary):
-
-## Change Type (select all)
-
- [ ] Bug fix
- [ ] Feature
- [ ] Refactor required for the fix
- [ ] Docs
- [ ] Security hardening
- [ ] Chore/infra
-
-## Scope (select all touched areas)
-
- [ ] Gateway / orchestration
- [ ] Skills / tool execution
- [ ] Auth / tokens
- [ ] Memory / storage
- [ ] Integrations
- [ ] API / contracts
- [ ] UI / DX
- [ ] CI/CD / infra
-
-## Linked Issue/PR
-
- Closes #
- Related #
- [ ] This PR fixes a bug or regression
-
-## Root Cause (if applicable)
-
-For bug fixes or regressions, explain why this happened, not just what changed. Otherwise write `N/A`. If the cause is unclear, write `Unknown`.
-
- Root cause:
- Missing detection / guardrail:
- Contributing context (if known):
-
-## Regression Test Plan (if applicable)
-
-For bug fixes or regressions, name the smallest reliable test coverage that should catch this. Otherwise write `N/A`.
-
- Coverage level that should have caught this:
-  - [ ] Unit test
-  - [ ] Seam / integration test
-  - [ ] End-to-end test
-  - [ ] Existing coverage already sufficient
- Target test or file:
- Scenario the test should lock in:
- Why this is the smallest reliable guardrail:
- Existing test that already covers this (if any):
- If no new test is added, why not:
-
-## User-visible / Behavior Changes
-
-List user-visible changes (including defaults/config).  
-If none, write `None`.
-
-## Diagram (if applicable)
-
-For UI changes or non-trivial logic flows, include a small ASCII diagram reviewers can scan quickly. Otherwise write `N/A`.
-
-```text
-Before:
-[user action] -> [old state]
-
-After:
-[user action] -> [new state] -> [result]
-```
-
-## Security Impact (required)
-
- New permissions/capabilities? (`Yes/No`)
- Secrets/tokens handling changed? (`Yes/No`)
- New/changed network calls? (`Yes/No`)
- Command/tool execution surface changed? (`Yes/No`)
- Data access scope changed? (`Yes/No`)
- If any `Yes`, explain risk + mitigation:
-
-## Repro + Verification
-
-### Environment
-
- OS:
- Runtime/container:
- Model/provider:
- Integration/channel (if any):
- Relevant config (redacted):
-
-### Steps
-
-1.
-2.
-3.
-
-### Expected
-
-
-
-### Actual
-
-
-
-## Evidence
-
-Attach at least one:
-
- [ ] Failing test/log before + passing after
- [ ] Trace/log snippets
- [ ] Screenshot/recording
- [ ] Perf numbers (if relevant)
-
-## Human Verification (required)
-
-What you personally verified (not just CI), and how:
-
- Verified scenarios:
- Edge cases checked:
- What you did **not** verify:
-
-## Review Conversations
-
- [ ] I replied to or resolved every bot review conversation I addressed in this PR.
- [ ] I left unresolved only the conversations that still need reviewer or maintainer judgment.
-
-If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.
-
-## Compatibility / Migration
-
- Backward compatible? (`Yes/No`)
- Config/env changes? (`Yes/No`)
- Migration needed? (`Yes/No`)
- If yes, exact upgrade steps:
-
-## Risks and Mitigations
-
-List only real risks for this PR. Add/remove entries as needed. If none, write `None`.
-
- Risk:
-  - Mitigation:
--- a/.github/workflows/auto-response.yml
+++ b/.github/workflows/auto-response.yml
@@ -1,55 +0,0 @@
-name: Auto response
-
-on:
-  issues:
-    types: [opened, edited, labeled]
-  issue_comment:
-    types: [created]
-  pull_request_target: # zizmor: ignore[dangerous-triggers] maintainer-owned label automation; trusted base checkout only, no untrusted PR code execution
-    types: [opened, edited, synchronize, reopened, labeled]
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request_target' }}
-
-permissions: {}
-
-jobs:
-  auto-response:
-    permissions:
-      contents: read
-      issues: write
-      pull-requests: write
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          ref: ${{ github.sha }}
-          persist-credentials: false
-      - uses: actions/create-github-app-token@v3
-        id: app-token
-        continue-on-error: true
-        with:
-          app-id: "2729701"
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/create-github-app-token@v3
-        id: app-token-fallback
-        if: steps.app-token.outcome == 'failure'
-        with:
-          app-id: "2971289"
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
-      - name: Run Barnacle auto-response
-        uses: actions/github-script@v9
-        with:
-          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          script: |
-            const { pathToFileURL } = require("node:url");
-            const moduleUrl = pathToFileURL(
-              `${process.env.GITHUB_WORKSPACE}/scripts/github/barnacle-auto-response.mjs`,
-            );
-            const { runBarnacleAutoResponse } = await import(moduleUrl.href);
-
-            await runBarnacleAutoResponse({ github, context, core });
--- a/.github/workflows/ci-check-testbox.yml
+++ b/.github/workflows/ci-check-testbox.yml
@@ -1,100 +0,0 @@
-name: Blacksmith Testbox
-on:
-  workflow_dispatch:
-    inputs:
-      testbox_id:
-        type: string
-        description: "Testbox session ID"
-        required: true
-  pull_request:
-    paths:
-      - ".github/workflows/**"
-
-permissions:
-  contents: read
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-jobs:
-  check:
-    permissions:
-      contents: read
-    name: "check"
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    timeout-minutes: 30
-    steps:
-      - name: Begin Testbox
-        uses: useblacksmith/begin-testbox@v2
-        with:
-          testbox_id: ${{ inputs.testbox_id }}
-      - name: Checkout
-        shell: bash
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ github.sha }}
-          CHECKOUT_TOKEN: ${{ github.token }}
-        run: |
-          set -euo pipefail
-
-          workdir="$GITHUB_WORKSPACE"
-          auth_header="$(printf 'x-access-token:%s' "$CHECKOUT_TOKEN" | base64 | tr -d '\n')"
-
-          reset_checkout_dir() {
-            mkdir -p "$workdir"
-            find "$workdir" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
-          }
-
-          checkout_attempt() {
-            local attempt="$1"
-
-            reset_checkout_dir
-            git init "$workdir" >/dev/null
-            git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}"
-            git -C "$workdir" config gc.auto 0
-
-            timeout --signal=TERM 30s git -C "$workdir" \
-              -c protocol.version=2 \
-              -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${auth_header}" \
-              fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-              "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
-
-            git -C "$workdir" checkout --force --detach "$CHECKOUT_SHA" || return 1
-            test -f "$workdir/.github/actions/setup-node-env/action.yml" || return 1
-            echo "checkout attempt ${attempt}/5 succeeded"
-          }
-
-          for attempt in 1 2 3 4 5; do
-            if checkout_attempt "$attempt"; then
-              exit 0
-            fi
-            echo "checkout attempt ${attempt}/5 failed"
-            sleep $((attempt * 5))
-          done
-
-          echo "checkout failed after 5 attempts" >&2
-          exit 1
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-      - name: Prepare Testbox shell
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          git fetch --no-tags --depth=50 origin "+refs/heads/main:refs/remotes/origin/main"
-
-          node_bin="$(dirname "$(node -p 'process.execPath')")"
-          pnpm_bin="$(command -v pnpm)"
-          sudo ln -sf "$node_bin/node" /usr/local/bin/node
-          sudo ln -sf "$node_bin/npm" /usr/local/bin/npm
-          sudo ln -sf "$node_bin/npx" /usr/local/bin/npx
-          sudo ln -sf "$node_bin/corepack" /usr/local/bin/corepack
-          sudo ln -sf "$pnpm_bin" /usr/local/bin/pnpm
-      - name: Run Testbox
-        uses: useblacksmith/run-testbox@v2
-        if: always()
-        env:
-          FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,138 +0,0 @@
-name: CodeQL
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 6 * * *"
-
-concurrency:
-  group: codeql-${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-permissions:
-  actions: read
-  contents: read
-  security-events: write
-
-jobs:
-  analyze:
-    name: Analyze (${{ matrix.language }})
-    runs-on: ${{ matrix.runs_on }}
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - language: javascript-typescript
-            runs_on: blacksmith-32vcpu-ubuntu-2404
-            needs_node: true
-            needs_python: false
-            needs_java: false
-            needs_swift_tools: false
-            needs_manual_build: false
-            needs_autobuild: false
-            config_file: ./.github/codeql/codeql-javascript-typescript.yml
-          - language: actions
-            runs_on: blacksmith-16vcpu-ubuntu-2404
-            needs_node: false
-            needs_python: false
-            needs_java: false
-            needs_swift_tools: false
-            needs_manual_build: false
-            needs_autobuild: false
-            config_file: ""
-          - language: python
-            runs_on: blacksmith-16vcpu-ubuntu-2404
-            needs_node: false
-            needs_python: true
-            needs_java: false
-            needs_swift_tools: false
-            needs_manual_build: false
-            needs_autobuild: false
-            config_file: ""
-          - language: java-kotlin
-            runs_on: blacksmith-16vcpu-ubuntu-2404
-            needs_node: false
-            needs_python: false
-            needs_java: true
-            needs_swift_tools: false
-            needs_manual_build: true
-            needs_autobuild: false
-            config_file: ""
-          - language: swift
-            runs_on: ${{ github.repository == 'openclaw/openclaw' && 'blacksmith-12vcpu-macos-latest' || 'macos-latest' }}
-            needs_node: false
-            needs_python: false
-            needs_java: false
-            needs_swift_tools: true
-            needs_manual_build: true
-            needs_autobuild: false
-            config_file: ""
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Setup Node environment
-        if: matrix.needs_node
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Setup Python
-        if: matrix.needs_python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
-        with:
-          python-version: "3.12"
-
-      - name: Setup Java
-        if: matrix.needs_java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
-        with:
-          distribution: temurin
-          java-version: "21"
-
-      - name: Setup Swift build tools
-        if: matrix.needs_swift_tools
-        run: |
-          sudo xcode-select -s /Applications/Xcode_26.1.app
-          xcodebuild -version
-          brew install xcodegen swiftlint swiftformat
-          swift --version
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
-        with:
-          languages: ${{ matrix.language }}
-          queries: security-and-quality
-          config-file: ${{ matrix.config_file || '' }}
-
-      - name: Autobuild
-        if: matrix.needs_autobuild
-        uses: github/codeql-action/autobuild@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
-
-      - name: Build Android for CodeQL
-        if: matrix.language == 'java-kotlin'
-        working-directory: apps/android
-        run: ./gradlew --no-daemon :app:assemblePlayDebug
-
-      - name: Build Swift for CodeQL
-        if: matrix.language == 'swift'
-        run: |
-          set -euo pipefail
-          swift build --package-path apps/macos --configuration release
-          cd apps/ios
-          xcodegen generate
-          xcodebuild build \
-            -project OpenClaw.xcodeproj \
-            -scheme OpenClaw \
-            -destination "generic/platform=iOS Simulator" \
-            CODE_SIGNING_ALLOWED=NO
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
-        with:
-          category: "/language:${{ matrix.language }}"
--- a/.github/workflows/control-ui-locale-refresh.yml
+++ b/.github/workflows/control-ui-locale-refresh.yml
@@ -1,172 +0,0 @@
-name: Control UI Locale Refresh
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - ui/src/i18n/locales/en.ts
-      - ui/src/i18n/locales/*.ts
-      - ui/src/i18n/.i18n/*
-      - ui/src/i18n/lib/types.ts
-      - ui/src/i18n/lib/registry.ts
-      - scripts/control-ui-i18n.ts
-      - .github/workflows/control-ui-locale-refresh.yml
-  release:
-    types:
-      - published
-  schedule:
-    - cron: "23 4 * * *"
-  workflow_dispatch:
-
-permissions:
-  contents: write
-
-concurrency:
-  group: control-ui-locale-refresh
-  cancel-in-progress: false
-
-jobs:
-  plan:
-    if: github.repository == 'openclaw/openclaw' && (github.event_name != 'push' || github.actor != 'github-actions[bot]')
-    runs-on: ubuntu-latest
-    outputs:
-      has_locales: ${{ steps.plan.outputs.has_locales }}
-      locales_json: ${{ steps.plan.outputs.locales_json }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-          submodules: false
-
-      - name: Plan locale matrix
-        id: plan
-        env:
-          BEFORE_SHA: ${{ github.event.before }}
-          EVENT_NAME: ${{ github.event_name }}
-        run: |
-          set -euo pipefail
-
-          all_locales_json='["zh-CN","zh-TW","pt-BR","de","es","ja-JP","ko","fr","tr","uk","id","pl","th"]'
-
-          if [ "$EVENT_NAME" != "push" ]; then
-            echo "has_locales=true" >> "$GITHUB_OUTPUT"
-            echo "locales_json=$all_locales_json" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          before_ref="$BEFORE_SHA"
-          if [ -z "$before_ref" ] || [ "$before_ref" = "0000000000000000000000000000000000000000" ]; then
-            before_ref="$(git rev-parse HEAD^)"
-          fi
-
-          changed_files="$(git diff --name-only "$before_ref" HEAD)"
-          echo "changed files:"
-          printf '%s\n' "$changed_files"
-
-          if printf '%s\n' "$changed_files" | grep -Eq '^(ui/src/i18n/locales/en\.ts|ui/src/i18n/lib/types\.ts|ui/src/i18n/lib/registry\.ts|scripts/control-ui-i18n\.ts|\.github/workflows/control-ui-locale-refresh\.yml)$'; then
-            echo "has_locales=true" >> "$GITHUB_OUTPUT"
-            echo "locales_json=$all_locales_json" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          locales_json="$(printf '%s\n' "$changed_files" | node <<'EOF'
-          const fs = require("node:fs");
-          const changed = fs.readFileSync(0, "utf8").split(/\r?\n/).filter(Boolean);
-          const locales = new Set();
-          for (const file of changed) {
-            let match = file.match(/^ui\/src\/i18n\/locales\/(.+)\.ts$/);
-            if (match && match[1] !== "en") {
-              locales.add(match[1]);
-              continue;
-            }
-            match = file.match(/^ui\/src\/i18n\/\.i18n\/(.+)\.(?:meta\.json|tm\.jsonl)$/);
-            if (match) {
-              locales.add(match[1]);
-            }
-          }
-          process.stdout.write(JSON.stringify([...locales]));
-          EOF
-          )"
-
-          if [ "$locales_json" = "[]" ]; then
-            echo "has_locales=false" >> "$GITHUB_OUTPUT"
-            echo "locales_json=[]" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          echo "has_locales=true" >> "$GITHUB_OUTPUT"
-          echo "locales_json=$locales_json" >> "$GITHUB_OUTPUT"
-
-  refresh:
-    needs: plan
-    if: github.repository == 'openclaw/openclaw' && needs.plan.outputs.has_locales == 'true'
-    strategy:
-      fail-fast: false
-      max-parallel: 4
-      matrix:
-        locale: ${{ fromJson(needs.plan.outputs.locales_json) }}
-    runs-on: ubuntu-latest
-    name: Refresh ${{ matrix.locale }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: true
-          submodules: false
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Ensure translation provider secrets exist
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENCLAW_DOCS_I18N_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
-          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-        run: |
-          set -euo pipefail
-          if [ -z "${OPENAI_API_KEY:-}" ] && [ -z "${ANTHROPIC_API_KEY:-}" ]; then
-            echo "Missing OPENCLAW_DOCS_I18N_OPENAI_API_KEY, OPENAI_API_KEY, or ANTHROPIC_API_KEY secret."
-            exit 1
-          fi
-
-      - name: Refresh control UI locale files
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENCLAW_DOCS_I18N_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
-          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-          OPENCLAW_CONTROL_UI_I18N_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL_BARE }}
-          OPENCLAW_CONTROL_UI_I18N_THINKING: low
-          LOCALE: ${{ matrix.locale }}
-        run: node --import tsx scripts/control-ui-i18n.ts sync --locale "${LOCALE}" --write
-
-      - name: Commit and push locale updates
-        env:
-          LOCALE: ${{ matrix.locale }}
-          TARGET_BRANCH: ${{ github.event.repository.default_branch }}
-        run: |
-          set -euo pipefail
-          if git diff --quiet -- ui/src/i18n; then
-            echo "No control UI locale changes for ${LOCALE}."
-            exit 0
-          fi
-
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add -A ui/src/i18n
-          git commit --no-verify -m "chore(ui): refresh ${LOCALE} control ui locale"
-
-          for attempt in 1 2 3 4 5; do
-            git fetch origin "${TARGET_BRANCH}"
-            git rebase --autostash "origin/${TARGET_BRANCH}"
-            if git push origin HEAD:"${TARGET_BRANCH}"; then
-              exit 0
-            fi
-            echo "Push attempt ${attempt} for ${LOCALE} failed; retrying."
-            sleep $((attempt * 2))
-          done
-
-          echo "Failed to push ${LOCALE} locale update after retries."
-          exit 1
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -1,428 +0,0 @@
-name: Docker Release
-
-on:
-  push:
-    tags:
-      - "v*"
-    paths-ignore:
-      - "docs/**"
-      - "**/*.md"
-      - "**/*.mdx"
-      - ".agents/**"
-      - "skills/**"
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: Existing release tag to backfill (for example v2026.3.22)
-        required: true
-        type: string
-
-concurrency:
-  group: ${{ github.event_name == 'workflow_dispatch' && format('docker-release-manual-{0}', inputs.tag) || format('docker-release-push-{0}', github.run_id) }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
-
-jobs:
-  validate_manual_backfill:
-    if: github.event_name == 'workflow_dispatch'
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-    steps:
-      - name: Validate tag input format
-        env:
-          RELEASE_TAG: ${{ inputs.tag }}
-        run: |
-          set -euo pipefail
-          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-beta\.[1-9][0-9]*)?$ ]]; then
-            echo "Invalid release tag: ${RELEASE_TAG}"
-            exit 1
-          fi
-
-      - name: Checkout selected tag
-        uses: actions/checkout@v6
-        with:
-          ref: refs/tags/${{ inputs.tag }}
-          fetch-depth: 0
-
-  approve_manual_backfill:
-    if: github.event_name == 'workflow_dispatch'
-    needs: validate_manual_backfill
-    # WARNING: KEEP MANUAL BACKFILLS GATED BY THE docker-release ENVIRONMENT.
-    runs-on: ubuntu-24.04
-    environment: docker-release
-    steps:
-      - name: Approve Docker backfill
-        env:
-          RELEASE_TAG: ${{ inputs.tag }}
-        run: echo "Approved Docker backfill for $RELEASE_TAG"
-
-  # KEEP THIS WORKFLOW ON GITHUB-HOSTED RUNNERS.
-  # DO NOT MOVE IT BACK TO BLACKSMITH WITHOUT RE-VALIDATING TAG BUILDS AND BACKFILLS.
-  # Build amd64 image. Default and slim tags point to the same slim runtime.
-  build-amd64:
-    needs: [approve_manual_backfill]
-    if: ${{ always() && (github.event_name != 'workflow_dispatch' || needs.approve_manual_backfill.result == 'success') }}
-    # WARNING: DO NOT REVERT THIS TO A BLACKSMITH RUNNER WITHOUT RE-VALIDATING TAG BACKFILLS.
-    runs-on: ubuntu-24.04
-    permissions:
-      packages: write
-      contents: read
-    outputs:
-      digest: ${{ steps.build.outputs.digest }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
-          fetch-depth: 0
-
-      - name: Set up Docker Builder
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Resolve image tags (amd64)
-        id: tags
-        shell: bash
-        env:
-          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          SOURCE_REF: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
-        run: |
-          set -euo pipefail
-          tags=()
-          slim_tags=()
-          if [[ "${SOURCE_REF}" == "refs/heads/main" ]]; then
-            tags+=("${IMAGE}:main-amd64")
-            slim_tags+=("${IMAGE}:main-slim-amd64")
-          fi
-          if [[ "${SOURCE_REF}" == refs/tags/v* ]]; then
-            version="${SOURCE_REF#refs/tags/v}"
-            tags+=("${IMAGE}:${version}-amd64")
-            slim_tags+=("${IMAGE}:${version}-slim-amd64")
-          fi
-          if [[ ${#tags[@]} -eq 0 ]]; then
-            echo "::error::No amd64 tags resolved for ref ${SOURCE_REF}"
-            exit 1
-          fi
-          {
-            echo "value<<EOF"
-            printf "%s\n" "${tags[@]}" "${slim_tags[@]}"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Resolve OCI labels (amd64)
-        id: labels
-        shell: bash
-        env:
-          SOURCE_REF: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
-        run: |
-          set -euo pipefail
-          source_sha="$(git rev-parse HEAD)"
-          version="${source_sha}"
-          if [[ "${SOURCE_REF}" == "refs/heads/main" ]]; then
-            version="main"
-          fi
-          if [[ "${SOURCE_REF}" == refs/tags/v* ]]; then
-            version="${SOURCE_REF#refs/tags/v}"
-          fi
-          created="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
-          {
-            echo "value<<EOF"
-            echo "org.opencontainers.image.revision=${source_sha}"
-            echo "org.opencontainers.image.version=${version}"
-            echo "org.opencontainers.image.created=${created}"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Build and push amd64 image
-        id: build
-        # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
-        with:
-          context: .
-          platforms: linux/amd64
-          cache-from: type=gha,scope=docker-release-amd64
-          cache-to: type=gha,mode=max,scope=docker-release-amd64
-          build-args: |
-            OPENCLAW_EXTENSIONS=diagnostics-otel
-          tags: ${{ steps.tags.outputs.value }}
-          labels: ${{ steps.labels.outputs.value }}
-          sbom: true
-          provenance: mode=max
-          push: true
-
-  # Build arm64 image. Default and slim tags point to the same slim runtime.
-  build-arm64:
-    needs: [approve_manual_backfill]
-    if: ${{ always() && (github.event_name != 'workflow_dispatch' || needs.approve_manual_backfill.result == 'success') }}
-    # WARNING: DO NOT REVERT THIS TO A BLACKSMITH RUNNER WITHOUT RE-VALIDATING TAG BACKFILLS.
-    runs-on: ubuntu-24.04-arm
-    permissions:
-      packages: write
-      contents: read
-    outputs:
-      digest: ${{ steps.build.outputs.digest }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
-          fetch-depth: 0
-
-      - name: Set up Docker Builder
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Resolve image tags (arm64)
-        id: tags
-        shell: bash
-        env:
-          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          SOURCE_REF: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
-        run: |
-          set -euo pipefail
-          tags=()
-          slim_tags=()
-          if [[ "${SOURCE_REF}" == "refs/heads/main" ]]; then
-            tags+=("${IMAGE}:main-arm64")
-            slim_tags+=("${IMAGE}:main-slim-arm64")
-          fi
-          if [[ "${SOURCE_REF}" == refs/tags/v* ]]; then
-            version="${SOURCE_REF#refs/tags/v}"
-            tags+=("${IMAGE}:${version}-arm64")
-            slim_tags+=("${IMAGE}:${version}-slim-arm64")
-          fi
-          if [[ ${#tags[@]} -eq 0 ]]; then
-            echo "::error::No arm64 tags resolved for ref ${SOURCE_REF}"
-            exit 1
-          fi
-          {
-            echo "value<<EOF"
-            printf "%s\n" "${tags[@]}" "${slim_tags[@]}"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Resolve OCI labels (arm64)
-        id: labels
-        shell: bash
-        env:
-          SOURCE_REF: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
-        run: |
-          set -euo pipefail
-          source_sha="$(git rev-parse HEAD)"
-          version="${source_sha}"
-          if [[ "${SOURCE_REF}" == "refs/heads/main" ]]; then
-            version="main"
-          fi
-          if [[ "${SOURCE_REF}" == refs/tags/v* ]]; then
-            version="${SOURCE_REF#refs/tags/v}"
-          fi
-          created="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
-          {
-            echo "value<<EOF"
-            echo "org.opencontainers.image.revision=${source_sha}"
-            echo "org.opencontainers.image.version=${version}"
-            echo "org.opencontainers.image.created=${created}"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Build and push arm64 image
-        id: build
-        # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
-        with:
-          context: .
-          platforms: linux/arm64
-          cache-from: type=gha,scope=docker-release-arm64
-          cache-to: type=gha,mode=max,scope=docker-release-arm64
-          build-args: |
-            OPENCLAW_EXTENSIONS=diagnostics-otel
-          tags: ${{ steps.tags.outputs.value }}
-          labels: ${{ steps.labels.outputs.value }}
-          sbom: true
-          provenance: mode=max
-          push: true
-
-  # Create multi-platform manifests
-  create-manifest:
-    needs: [approve_manual_backfill, build-amd64, build-arm64]
-    if: ${{ always() && needs.build-amd64.result == 'success' && needs.build-arm64.result == 'success' && (github.event_name != 'workflow_dispatch' || needs.approve_manual_backfill.result == 'success') }}
-    # WARNING: DO NOT REVERT THIS TO A BLACKSMITH RUNNER WITHOUT RE-VALIDATING TAG BACKFILLS.
-    runs-on: ubuntu-24.04
-    permissions:
-      packages: write
-      contents: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
-          fetch-depth: 0
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Resolve manifest tags
-        id: tags
-        shell: bash
-        env:
-          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          SOURCE_REF: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
-          IS_MANUAL_BACKFILL: ${{ github.event_name == 'workflow_dispatch' && '1' || '0' }}
-        run: |
-          set -euo pipefail
-          tags=()
-          slim_tags=()
-          if [[ "${SOURCE_REF}" == "refs/heads/main" ]]; then
-            tags+=("${IMAGE}:main")
-            slim_tags+=("${IMAGE}:main-slim")
-          fi
-          if [[ "${SOURCE_REF}" == refs/tags/v* ]]; then
-            version="${SOURCE_REF#refs/tags/v}"
-            tags+=("${IMAGE}:${version}")
-            slim_tags+=("${IMAGE}:${version}-slim")
-            # Manual backfills should only republish the requested version tags.
-            if [[ "${IS_MANUAL_BACKFILL}" != "1" && "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?$ ]]; then
-              tags+=("${IMAGE}:latest")
-              slim_tags+=("${IMAGE}:slim")
-            fi
-          fi
-          if [[ ${#tags[@]} -eq 0 ]]; then
-            echo "::error::No manifest tags resolved for ref ${SOURCE_REF}"
-            exit 1
-          fi
-          {
-            echo "value<<EOF"
-            printf "%s\n" "${tags[@]}" "${slim_tags[@]}"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Create and push manifest
-        shell: bash
-        env:
-          TAGS: ${{ steps.tags.outputs.value }}
-          AMD64_DIGEST: ${{ needs.build-amd64.outputs.digest }}
-          ARM64_DIGEST: ${{ needs.build-arm64.outputs.digest }}
-        run: |
-          set -euo pipefail
-          mapfile -t tags <<< "${TAGS}"
-          args=()
-          for tag in "${tags[@]}"; do
-            [ -z "$tag" ] && continue
-            args+=("-t" "$tag")
-          done
-          docker buildx imagetools create "${args[@]}" \
-            "${AMD64_DIGEST}" \
-            "${ARM64_DIGEST}"
-
-  verify-attestations:
-    needs: [create-manifest]
-    if: ${{ always() && needs.create-manifest.result == 'success' }}
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-      packages: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 1
-
-      - name: Set up Docker Builder
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Resolve image refs
-        id: refs
-        shell: bash
-        env:
-          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          SOURCE_REF: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
-          IS_MANUAL_BACKFILL: ${{ github.event_name == 'workflow_dispatch' && '1' || '0' }}
-        run: |
-          set -euo pipefail
-          multi_refs=()
-          slim_multi_refs=()
-          amd64_refs=()
-          arm64_refs=()
-          if [[ "${SOURCE_REF}" == "refs/heads/main" ]]; then
-            multi_refs+=("${IMAGE}:main")
-            slim_multi_refs+=("${IMAGE}:main-slim")
-            amd64_refs+=("${IMAGE}:main-amd64" "${IMAGE}:main-slim-amd64")
-            arm64_refs+=("${IMAGE}:main-arm64" "${IMAGE}:main-slim-arm64")
-          fi
-          if [[ "${SOURCE_REF}" == refs/tags/v* ]]; then
-            version="${SOURCE_REF#refs/tags/v}"
-            multi_refs+=("${IMAGE}:${version}")
-            slim_multi_refs+=("${IMAGE}:${version}-slim")
-            amd64_refs+=("${IMAGE}:${version}-amd64" "${IMAGE}:${version}-slim-amd64")
-            arm64_refs+=("${IMAGE}:${version}-arm64" "${IMAGE}:${version}-slim-arm64")
-            if [[ "${IS_MANUAL_BACKFILL}" != "1" && "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?$ ]]; then
-              multi_refs+=("${IMAGE}:latest")
-              slim_multi_refs+=("${IMAGE}:slim")
-            fi
-          fi
-          if [[ ${#multi_refs[@]} -eq 0 || ${#amd64_refs[@]} -eq 0 || ${#arm64_refs[@]} -eq 0 ]]; then
-            echo "::error::No Docker image refs resolved for ref ${SOURCE_REF}"
-            exit 1
-          fi
-          {
-            echo "multi<<EOF"
-            printf "%s\n" "${multi_refs[@]}" "${slim_multi_refs[@]}"
-            echo "EOF"
-            echo "amd64<<EOF"
-            printf "%s\n" "${amd64_refs[@]}"
-            echo "EOF"
-            echo "arm64<<EOF"
-            printf "%s\n" "${arm64_refs[@]}"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Verify Docker attestations
-        shell: bash
-        env:
-          MULTI_REFS: ${{ steps.refs.outputs.multi }}
-          AMD64_REFS: ${{ steps.refs.outputs.amd64 }}
-          ARM64_REFS: ${{ steps.refs.outputs.arm64 }}
-        run: |
-          set -euo pipefail
-          mapfile -t multi_refs <<< "${MULTI_REFS}"
-          mapfile -t amd64_refs <<< "${AMD64_REFS}"
-          mapfile -t arm64_refs <<< "${ARM64_REFS}"
-
-          node scripts/verify-docker-attestations.mjs \
-            --platform linux/amd64 \
-            --platform linux/arm64 \
-            "${multi_refs[@]}"
-          node scripts/verify-docker-attestations.mjs \
-            --platform linux/amd64 \
-            "${amd64_refs[@]}"
-          node scripts/verify-docker-attestations.mjs \
-            --platform linux/arm64 \
-            "${arm64_refs[@]}"
--- a/.github/workflows/docs-agent.yml
+++ b/.github/workflows/docs-agent.yml
@@ -1,251 +0,0 @@
-name: Docs Agent
-
-on:
-  workflow_run: # zizmor: ignore[dangerous-triggers] main-only docs repair after trusted CI; job gates repository, event, branch, actor, conclusion, exact current main SHA, and hourly cadence before using write token
-    workflows:
-      - CI
-    types:
-      - completed
-  workflow_dispatch:
-
-permissions:
-  actions: read
-  contents: write
-
-concurrency:
-  group: docs-agent-main
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-jobs:
-  update-docs:
-    if: >
-      github.repository == 'openclaw/openclaw' &&
-      github.actor != 'github-actions[bot]' &&
-      (github.event_name != 'workflow_run' ||
-        (github.event.workflow_run.conclusion == 'success' &&
-          github.event.workflow_run.event == 'push' &&
-          github.event.workflow_run.head_branch == 'main' &&
-          github.event.workflow_run.actor.login != 'github-actions[bot]'))
-    runs-on: ubuntu-24.04
-    timeout-minutes: 30
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: main
-          fetch-depth: 0
-          persist-credentials: false
-          submodules: false
-
-      - name: Gate trusted main activity and hourly cadence
-        id: gate
-        env:
-          EVENT_NAME: ${{ github.event_name }}
-          GH_TOKEN: ${{ github.token }}
-          WORKFLOW_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
-        run: |
-          set -euo pipefail
-
-          if [ "$EVENT_NAME" != "workflow_run" ]; then
-            head_sha="$(git rev-parse HEAD)"
-            review_base="$(git rev-parse "${head_sha}^" 2>/dev/null || printf '%s' "$head_sha")"
-            {
-              echo "run_agent=true"
-              echo "base_sha=${head_sha}"
-              echo "review_base_sha=${review_base}"
-              echo "review_head_sha=${head_sha}"
-            } >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          for attempt in 1 2 3 4 5; do
-            if git fetch --no-tags origin main; then
-              break
-            fi
-            if [ "$attempt" = "5" ]; then
-              echo "Failed to fetch main after retries." >&2
-              exit 1
-            fi
-            echo "Fetch attempt ${attempt} failed; retrying."
-            sleep $((attempt * 2))
-          done
-          remote_main="$(git rev-parse origin/main)"
-          if [ "$remote_main" != "$WORKFLOW_HEAD_SHA" ]; then
-            echo "CI run is superseded by ${remote_main}; skipping docs agent for ${WORKFLOW_HEAD_SHA}."
-            echo "run_agent=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          runs_json="$RUNNER_TEMP/docs-agent-runs.json"
-          gh api --method GET "repos/${GITHUB_REPOSITORY}/actions/workflows/docs-agent.yml/runs" \
-            -f branch=main \
-            -f event=workflow_run \
-            -f per_page=100 > "$runs_json"
-
-          one_hour_ago="$(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%SZ)"
-          recent_runs="$(
-            jq -r \
-              --argjson current_run_id "$GITHUB_RUN_ID" \
-              --arg one_hour_ago "$one_hour_ago" \
-              '.workflow_runs[]
-                | select(.database_id != $current_run_id)
-                | select(.created_at >= $one_hour_ago)
-                | select(.status != "cancelled")
-                | select((.conclusion // "") != "skipped")
-                | [.database_id, .status, (.conclusion // ""), .created_at, .head_sha]
-                | @tsv' "$runs_json"
-          )"
-
-          if [ -n "$recent_runs" ]; then
-            echo "Docs agent already ran or is running within the last hour; skipping."
-            printf '%s\n' "$recent_runs"
-            echo "run_agent=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          review_base="$(
-            jq -r \
-              --argjson current_run_id "$GITHUB_RUN_ID" \
-              --arg remote_main "$remote_main" \
-              '.workflow_runs[]
-                | select(.database_id != $current_run_id)
-                | select(.status != "cancelled")
-                | select((.conclusion // "") != "skipped")
-                | .head_sha
-                | select(. != null and . != "")
-                | select(. != $remote_main)
-              ' "$runs_json" | head -n 1
-          )"
-          if [ -z "$review_base" ] || ! git cat-file -e "${review_base}^{commit}" 2>/dev/null; then
-            review_base="$(git rev-parse "${remote_main}^" 2>/dev/null || printf '%s' "$remote_main")"
-          fi
-
-          {
-            echo "run_agent=true"
-            echo "base_sha=${remote_main}"
-            echo "review_base_sha=${review_base}"
-            echo "review_head_sha=${remote_main}"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Setup Node environment
-        if: steps.gate.outputs.run_agent == 'true'
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Ensure docs agent key exists
-        if: steps.gate.outputs.run_agent == 'true'
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENCLAW_DOCS_AGENT_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
-        run: |
-          set -euo pipefail
-          if [ -z "${OPENAI_API_KEY:-}" ]; then
-            echo "Missing OPENCLAW_DOCS_AGENT_OPENAI_API_KEY or OPENAI_API_KEY secret." >&2
-            exit 1
-          fi
-
-      - name: Run Codex docs agent
-        if: steps.gate.outputs.run_agent == 'true'
-        uses: openai/codex-action@v1
-        env:
-          DOCS_AGENT_BASE_SHA: ${{ steps.gate.outputs.review_base_sha }}
-          DOCS_AGENT_HEAD_SHA: ${{ steps.gate.outputs.review_head_sha }}
-        with:
-          openai-api-key: ${{ secrets.OPENCLAW_DOCS_AGENT_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
-          prompt-file: .github/codex/prompts/docs-agent.md
-          model: ${{ vars.OPENCLAW_CI_OPENAI_MODEL_BARE }}
-          effort: medium
-          sandbox: workspace-write
-          safety-strategy: drop-sudo
-          codex-args: '["--full-auto"]'
-
-      - name: Enforce existing-docs-only patch
-        if: steps.gate.outputs.run_agent == 'true'
-        run: |
-          set -euo pipefail
-
-          untracked="$(git ls-files --others --exclude-standard)"
-          if [ -n "$untracked" ]; then
-            echo "Docs agent created untracked files; forbidden:"
-            printf '%s\n' "$untracked"
-            exit 1
-          fi
-
-          added_or_deleted="$(git diff --name-status --diff-filter=AD)"
-          if [ -n "$added_or_deleted" ]; then
-            echo "Docs agent added or deleted tracked files; forbidden:"
-            printf '%s\n' "$added_or_deleted"
-            exit 1
-          fi
-
-          bad_paths="$(
-            git diff --name-only | while IFS= read -r path; do
-              case "$path" in
-                docs/*|README.md|CHANGELOG.md) ;;
-                *) printf '%s\n' "$path" ;;
-              esac
-            done
-          )"
-          if [ -n "$bad_paths" ]; then
-            echo "Docs agent touched non-doc paths; forbidden:"
-            printf '%s\n' "$bad_paths"
-            exit 1
-          fi
-
-      - name: Restore Node 24 path
-        if: steps.gate.outputs.run_agent == 'true'
-        run:
-          | # zizmor: ignore[github-env] NODE_BIN is set by the trusted local setup-node-env action in this same job
-          set -euo pipefail
-          export PATH="${NODE_BIN}:${PATH}"
-          echo "${NODE_BIN}" >> "$GITHUB_PATH"
-          node -v
-          corepack enable
-          pnpm -v
-
-      - name: Check docs
-        if: steps.gate.outputs.run_agent == 'true'
-        run: pnpm check:docs
-
-      - name: Commit docs updates
-        if: steps.gate.outputs.run_agent == 'true'
-        env:
-          BASE_SHA: ${{ steps.gate.outputs.base_sha }}
-          GITHUB_TOKEN: ${{ github.token }}
-          TARGET_BRANCH: main
-        run: |
-          set -euo pipefail
-
-          if git diff --quiet; then
-            echo "No docs changes."
-            exit 0
-          fi
-
-          git config user.name "openclaw-docs-agent[bot]"
-          git config user.email "openclaw-docs-agent[bot]@users.noreply.github.com"
-          git add docs README.md CHANGELOG.md
-          git commit --no-verify -m "docs: refresh documentation"
-
-          for attempt in 1 2 3 4 5; do
-            if ! git fetch --no-tags origin "${TARGET_BRANCH}"; then
-              echo "Fetch attempt ${attempt} failed; retrying."
-              sleep $((attempt * 2))
-              continue
-            fi
-            if git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" HEAD:"${TARGET_BRANCH}"; then
-              exit 0
-            fi
-            remote_main="$(git rev-parse "origin/${TARGET_BRANCH}")"
-            if [ "$remote_main" != "$BASE_SHA" ]; then
-              echo "main advanced from ${BASE_SHA} to ${remote_main}; skipping stale docs update."
-              exit 0
-            fi
-            echo "Docs update attempt ${attempt} failed; retrying."
-            sleep $((attempt * 2))
-          done
-
-          echo "Failed to push docs updates after retries." >&2
-          exit 1
--- a/.github/workflows/docs-sync-publish.yml
+++ b/.github/workflows/docs-sync-publish.yml
@@ -1,110 +0,0 @@
-name: Docs Sync Publish Repo
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - docs/**
-      - scripts/docs-sync-publish.mjs
-      - .github/workflows/docs-sync-publish.yml
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  sync-publish-repo:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout source repo
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Setup Node
-        uses: actions/setup-node@v6
-        with:
-          node-version: "22.18.0"
-
-      - name: Clone publish repo
-        env:
-          OPENCLAW_DOCS_SYNC_TOKEN: ${{ secrets.OPENCLAW_DOCS_SYNC_TOKEN }}
-        run: |
-          set -euo pipefail
-          for attempt in 1 2 3 4 5; do
-            rm -rf publish
-            if git clone \
-              "https://x-access-token:${OPENCLAW_DOCS_SYNC_TOKEN}@github.com/openclaw/docs.git" \
-              publish; then
-              exit 0
-            fi
-            echo "Clone attempt ${attempt} failed; retrying."
-            sleep $((attempt * 2))
-          done
-
-          echo "Failed to clone publish repo after retries." >&2
-          exit 1
-
-      - name: Sync docs into publish repo
-        run: |
-          node scripts/docs-sync-publish.mjs \
-            --target "$GITHUB_WORKSPACE/publish" \
-            --source-repo "$GITHUB_REPOSITORY" \
-            --source-sha "$GITHUB_SHA"
-
-      - name: Install docs MDX checker dependency
-        run: npm install --no-save --package-lock=false @mdx-js/mdx@3.1.1
-
-      - name: Check publish docs MDX
-        run: node "$GITHUB_WORKSPACE/publish/.openclaw-sync/check-docs-mdx.mjs" "$GITHUB_WORKSPACE/publish/docs"
-
-      - name: Commit publish repo sync
-        working-directory: publish
-        run: |
-          set -euo pipefail
-          remote_source_sha() {
-            git show refs/remotes/origin/main:.openclaw-sync/source.json 2>/dev/null \
-              | node -e 'const fs = require("node:fs"); try { const data = JSON.parse(fs.readFileSync(0, "utf8")); if (data.sha) process.stdout.write(data.sha); } catch {}' \
-              || true
-          }
-
-          skip_stale_source() {
-            current_source_sha="$(remote_source_sha)"
-            if [ -z "$current_source_sha" ] || [ "$current_source_sha" = "$GITHUB_SHA" ]; then
-              return
-            fi
-
-            if git -C "$GITHUB_WORKSPACE" merge-base --is-ancestor "$GITHUB_SHA" "$current_source_sha"; then
-              echo "Skipping stale publish sync for $GITHUB_SHA; origin/main already mirrors $current_source_sha."
-              exit 0
-            fi
-          }
-
-          if git diff --quiet -- docs .openclaw-sync; then
-            echo "No publish-repo changes."
-            exit 0
-          fi
-
-          if git fetch origin main:refs/remotes/origin/main; then
-            skip_stale_source
-          fi
-
-          git config user.name "openclaw-docs-sync[bot]"
-          git config user.email "openclaw-docs-sync[bot]@users.noreply.github.com"
-          git add docs .openclaw-sync
-          git commit -m "chore(sync): mirror docs from $GITHUB_REPOSITORY@$GITHUB_SHA"
-          for attempt in 1 2 3 4 5; do
-            if git fetch origin main:refs/remotes/origin/main; then
-              skip_stale_source
-              if git rebase -X theirs origin/main && git push origin HEAD:main; then
-                exit 0
-              fi
-            fi
-            git rebase --abort >/dev/null 2>&1 || true
-            echo "Publish sync attempt ${attempt} failed; retrying."
-            sleep $((attempt * 2))
-          done
-
-          echo "Failed to push publish-repo sync after retries."
-          exit 1
--- a/.github/workflows/docs-translate-trigger-release.yml
+++ b/.github/workflows/docs-translate-trigger-release.yml
@@ -1,43 +0,0 @@
-name: Docs Trigger Locale Translate On Release
-
-on:
-  release:
-    types:
-      - published
-
-permissions:
-  contents: read
-
-jobs:
-  dispatch-translate:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Trigger locale translates in publish repo
-        env:
-          GH_TOKEN: ${{ secrets.OPENCLAW_DOCS_SYNC_TOKEN }}
-          RELEASE_TAG: ${{ github.event.release.tag_name }}
-        run: |
-          set -euo pipefail
-          for event_type in \
-            translate-zh-cn-release \
-            translate-ja-jp-release \
-            translate-es-release \
-            translate-pt-br-release \
-            translate-ko-release \
-            translate-de-release \
-            translate-fr-release \
-            translate-ar-release \
-            translate-it-release \
-            translate-tr-release \
-            translate-uk-release \
-            translate-id-release \
-            translate-pl-release \
-            translate-th-release
-          do
-            gh api repos/openclaw/docs/dispatches \
-              --method POST \
-              -f event_type="${event_type}" \
-              -f client_payload[release_tag]="${RELEASE_TAG}" \
-              -f client_payload[source_repository]="${GITHUB_REPOSITORY}" \
-              -f client_payload[source_sha]="${GITHUB_SHA}"
-          done
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,39 +0,0 @@
-name: Docs
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - "**/*.md"
-      - "docs/**"
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ format('{0}-{1}', github.workflow, github.ref) }}
-  cancel-in-progress: true
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-jobs:
-  docs:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 1
-          fetch-tags: false
-          persist-credentials: false
-          submodules: false
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Check docs
-        run: pnpm check:docs
--- a/.github/workflows/duplicate-after-merge.yml
+++ b/.github/workflows/duplicate-after-merge.yml
@@ -1,59 +0,0 @@
-name: Duplicate PRs After Merge
-
-on:
-  workflow_dispatch:
-    inputs:
-      landed_pr:
-        description: "Merged PR number that supersedes the duplicates"
-        required: true
-        type: string
-      duplicate_prs:
-        description: "Comma or whitespace separated duplicate PR numbers to close"
-        required: true
-        type: string
-      apply:
-        description: "When true, label/comment/close; otherwise dry-run only"
-        required: true
-        type: boolean
-        default: false
-
-permissions:
-  contents: read
-  issues: write
-  pull-requests: write
-
-concurrency:
-  group: duplicate-after-merge-${{ github.event.inputs.landed_pr }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  GH_TOKEN: ${{ github.token }}
-
-jobs:
-  close-duplicates:
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Close confirmed duplicates
-        env:
-          APPLY: ${{ inputs.apply }}
-          DUPLICATE_PRS: ${{ inputs.duplicate_prs }}
-          LANDED_PR: ${{ inputs.landed_pr }}
-          REPO: ${{ github.repository }}
-        run: |
-          set -euo pipefail
-
-          args=(
-            --repo "$REPO"
-            --landed-pr "$LANDED_PR"
-            --duplicates "$DUPLICATE_PRS"
-          )
-
-          if [[ "$APPLY" == "true" ]]; then
-            args+=(--apply)
-          fi
-
-          node scripts/close-duplicate-prs-after-merge.mjs "${args[@]}"
--- a/.github/workflows/install-smoke.yml
+++ b/.github/workflows/install-smoke.yml
@@ -1,375 +0,0 @@
-name: Install Smoke
-
-on:
-  schedule:
-    - cron: "17 3 * * *"
-  workflow_dispatch:
-    inputs:
-      run_bun_global_install_smoke:
-        description: Run the Bun global install image-provider smoke
-        required: false
-        default: false
-        type: boolean
-      update_baseline_version:
-        description: Baseline openclaw version or dist-tag for installer update smoke
-        required: false
-        default: latest
-        type: string
-  workflow_call:
-    inputs:
-      ref:
-        description: Git ref to validate
-        required: false
-        type: string
-      run_bun_global_install_smoke:
-        description: Run the Bun global install image-provider smoke
-        required: false
-        default: true
-        type: boolean
-      update_baseline_version:
-        description: Baseline openclaw version or dist-tag for installer update smoke
-        required: false
-        default: latest
-        type: string
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.event_name == 'workflow_dispatch' && format('{0}-manual-{1}', github.workflow, github.run_id) || format('{0}-{1}', github.workflow, github.ref) }}
-  cancel-in-progress: true
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-jobs:
-  preflight:
-    runs-on: ubuntu-24.04
-    outputs:
-      docs_only: ${{ steps.manifest.outputs.docs_only }}
-      run_install_smoke: ${{ steps.manifest.outputs.run_install_smoke }}
-      run_fast_install_smoke: ${{ steps.manifest.outputs.run_fast_install_smoke }}
-      run_full_install_smoke: ${{ steps.manifest.outputs.run_full_install_smoke }}
-      run_bun_global_install_smoke: ${{ steps.manifest.outputs.run_bun_global_install_smoke }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref || github.ref }}
-          fetch-depth: 1
-          fetch-tags: false
-          persist-credentials: false
-          submodules: false
-
-      - name: Build install-smoke CI manifest
-        id: manifest
-        env:
-          OPENCLAW_CI_EVENT_NAME: ${{ github.event_name }}
-          OPENCLAW_CI_WORKFLOW_BUN_GLOBAL_INSTALL_SMOKE: ${{ inputs.run_bun_global_install_smoke || 'false' }}
-        run: |
-          event_name="${OPENCLAW_CI_EVENT_NAME:-}"
-          workflow_bun_global_install_smoke="${OPENCLAW_CI_WORKFLOW_BUN_GLOBAL_INSTALL_SMOKE:-false}"
-          docs_only=false
-          run_fast_install_smoke=true
-          run_full_install_smoke=true
-          run_bun_global_install_smoke=false
-          run_install_smoke=true
-          if [ "$event_name" = "schedule" ]; then
-            run_bun_global_install_smoke=true
-          elif [ "$event_name" = "workflow_dispatch" ] || [ "$event_name" = "workflow_call" ]; then
-            if [ "$workflow_bun_global_install_smoke" = "true" ]; then
-              run_bun_global_install_smoke=true
-            fi
-          fi
-          {
-            echo "docs_only=$docs_only"
-            echo "run_install_smoke=$run_install_smoke"
-            echo "run_fast_install_smoke=$run_fast_install_smoke"
-            echo "run_full_install_smoke=$run_full_install_smoke"
-            echo "run_bun_global_install_smoke=$run_bun_global_install_smoke"
-          } >> "$GITHUB_OUTPUT"
-
-  install-smoke-fast:
-    needs: [preflight]
-    if: needs.preflight.outputs.run_fast_install_smoke == 'true' && needs.preflight.outputs.run_full_install_smoke != 'true'
-    runs-on: blacksmith-16vcpu-ubuntu-2404
-    env:
-      DOCKER_BUILD_SUMMARY: "false"
-      DOCKER_BUILD_RECORD_UPLOAD: "false"
-    steps:
-      - name: Checkout CLI
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref || github.ref }}
-
-      - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1
-
-      # Blacksmith's builder owns the Docker layer cache; keep smoke builds off
-      # explicit gha cache directives so local tags still load cleanly.
-      - name: Build root Dockerfile smoke image
-        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
-        with:
-          context: .
-          file: ./Dockerfile
-          build-args: |
-            OPENCLAW_EXTENSIONS=matrix
-          tags: |
-            openclaw-dockerfile-smoke:local
-            openclaw-ext-smoke:local
-          load: true
-          push: false
-          provenance: false
-
-      - name: Run root Dockerfile CLI smoke
-        run: |
-          docker run --rm --entrypoint sh openclaw-dockerfile-smoke:local -lc '
-            which openclaw &&
-            openclaw --version &&
-            node -e "
-              const fs = require(\"node:fs\");
-              const path = require(\"node:path\");
-              const pkg = require(\"/app/package.json\");
-              for (const [dep, rel] of Object.entries(pkg.pnpm?.patchedDependencies ?? {})) {
-                const absolute = path.join(\"/app\", rel);
-                if (!fs.existsSync(absolute)) {
-                  throw new Error(`missing patch for ${dep}: ${rel}`);
-                }
-              }
-            "
-          '
-
-      - name: Run agents delete shared workspace Docker CLI smoke
-        env:
-          OPENCLAW_AGENTS_DELETE_SHARED_WORKSPACE_E2E_IMAGE: openclaw-dockerfile-smoke:local
-          OPENCLAW_AGENTS_DELETE_SHARED_WORKSPACE_E2E_SKIP_BUILD: "1"
-        run: bash scripts/e2e/agents-delete-shared-workspace-docker.sh
-
-      - name: Run Docker gateway network e2e
-        env:
-          OPENCLAW_GATEWAY_NETWORK_E2E_IMAGE: openclaw-dockerfile-smoke:local
-          OPENCLAW_GATEWAY_NETWORK_E2E_SKIP_BUILD: "1"
-        run: bash scripts/e2e/gateway-network-docker.sh
-
-      - name: Smoke test Dockerfile with matrix extension build arg
-        run: |
-          docker run --rm --entrypoint sh openclaw-ext-smoke:local -lc '
-            which openclaw &&
-            openclaw --version &&
-            node -e "
-              const Module = require(\"node:module\");
-              const matrixPackage = require(\"/app/extensions/matrix/package.json\");
-              const requireFromMatrix = Module.createRequire(\"/app/extensions/matrix/package.json\");
-              const runtimeDeps = Object.keys(matrixPackage.dependencies ?? {});
-              if (runtimeDeps.length === 0) {
-                throw new Error(
-                  \"matrix package has no declared runtime dependencies; smoke cannot validate install mirroring\",
-                );
-              }
-              for (const dep of runtimeDeps) {
-                requireFromMatrix.resolve(dep);
-              }
-              const { spawnSync } = require(\"node:child_process\");
-              const run = spawnSync(\"openclaw\", [\"plugins\", \"list\", \"--json\"], { encoding: \"utf8\" });
-              if (run.status !== 0) {
-                process.stderr.write(run.stderr || run.stdout || \"plugins list failed\\n\");
-                process.exit(run.status ?? 1);
-              }
-              const parsed = JSON.parse(run.stdout);
-              const matrix = (parsed.plugins || []).find((entry) => entry.id === \"matrix\");
-              if (!matrix) {
-                throw new Error(\"matrix plugin missing from bundled plugin list\");
-              }
-              const matrixDiag = (parsed.diagnostics || []).filter(
-                (diag) =>
-                  typeof diag.source === \"string\" &&
-                  diag.source.includes(\"/extensions/matrix\") &&
-                  typeof diag.message === \"string\" &&
-                  diag.message.includes(\"extension entry escapes package directory\"),
-              );
-              if (matrixDiag.length > 0) {
-                throw new Error(
-                  \"unexpected matrix diagnostics: \" +
-                    matrixDiag.map((diag) => diag.message).join(\"; \"),
-                );
-              }
-            "
-          '
-
-  install-smoke:
-    needs: [preflight]
-    if: needs.preflight.outputs.run_full_install_smoke == 'true'
-    runs-on: blacksmith-16vcpu-ubuntu-2404
-    env:
-      DOCKER_BUILD_SUMMARY: "false"
-      DOCKER_BUILD_RECORD_UPLOAD: "false"
-    steps:
-      - name: Checkout CLI
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref || github.ref }}
-
-      - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1
-
-      # Blacksmith's builder owns the Docker layer cache; keep smoke builds off
-      # explicit gha cache directives so local tags still load cleanly.
-      - name: Run QR package install smoke
-        env:
-          OPENCLAW_QR_SMOKE_FORCE_INSTALL: "1"
-        run: bash scripts/e2e/qr-import-docker.sh
-
-      # Build once with the matrix extension and tag both smoke names. This
-      # keeps the build-arg coverage without a second Blacksmith build action.
-      - name: Build root Dockerfile smoke image
-        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
-        with:
-          context: .
-          file: ./Dockerfile
-          build-args: |
-            OPENCLAW_EXTENSIONS=matrix
-          tags: |
-            openclaw-dockerfile-smoke:local
-            openclaw-ext-smoke:local
-          load: true
-          push: false
-          provenance: false
-
-      - name: Run root Dockerfile CLI smoke
-        run: |
-          docker run --rm --entrypoint sh openclaw-dockerfile-smoke:local -lc 'which openclaw && openclaw --version'
-
-      - name: Run agents delete shared workspace Docker CLI smoke
-        env:
-          OPENCLAW_AGENTS_DELETE_SHARED_WORKSPACE_E2E_IMAGE: openclaw-dockerfile-smoke:local
-          OPENCLAW_AGENTS_DELETE_SHARED_WORKSPACE_E2E_SKIP_BUILD: "1"
-        run: bash scripts/e2e/agents-delete-shared-workspace-docker.sh
-
-      - name: Run Docker gateway network e2e
-        env:
-          OPENCLAW_GATEWAY_NETWORK_E2E_IMAGE: openclaw-dockerfile-smoke:local
-          OPENCLAW_GATEWAY_NETWORK_E2E_SKIP_BUILD: "1"
-        run: bash scripts/e2e/gateway-network-docker.sh
-
-      - name: Smoke test Dockerfile with matrix extension build arg
-        run: |
-          docker run --rm --entrypoint sh openclaw-ext-smoke:local -lc '
-            which openclaw &&
-            openclaw --version &&
-            node -e "
-              const Module = require(\"node:module\");
-              const matrixPackage = require(\"/app/extensions/matrix/package.json\");
-              const requireFromMatrix = Module.createRequire(\"/app/extensions/matrix/package.json\");
-              const runtimeDeps = Object.keys(matrixPackage.dependencies ?? {});
-              if (runtimeDeps.length === 0) {
-                throw new Error(
-                  \"matrix package has no declared runtime dependencies; smoke cannot validate install mirroring\",
-                );
-              }
-              for (const dep of runtimeDeps) {
-                requireFromMatrix.resolve(dep);
-              }
-              const { spawnSync } = require(\"node:child_process\");
-              const run = spawnSync(\"openclaw\", [\"plugins\", \"list\", \"--json\"], { encoding: \"utf8\" });
-              if (run.status !== 0) {
-                process.stderr.write(run.stderr || run.stdout || \"plugins list failed\\n\");
-                process.exit(run.status ?? 1);
-              }
-              const parsed = JSON.parse(run.stdout);
-              const matrix = (parsed.plugins || []).find((entry) => entry.id === \"matrix\");
-              if (!matrix) {
-                throw new Error(\"matrix plugin missing from bundled plugin list\");
-              }
-              const matrixDiag = (parsed.diagnostics || []).filter(
-                (diag) =>
-                  typeof diag.source === \"string\" &&
-                  diag.source.includes(\"/extensions/matrix\") &&
-                  typeof diag.message === \"string\" &&
-                  diag.message.includes(\"extension entry escapes package directory\"),
-              );
-              if (matrixDiag.length > 0) {
-                throw new Error(
-                  \"unexpected matrix diagnostics: \" +
-                    matrixDiag.map((diag) => diag.message).join(\"; \"),
-                );
-              }
-            "
-          '
-
-      - name: Build installer smoke image
-        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
-        with:
-          context: ./scripts/docker
-          file: ./scripts/docker/install-sh-smoke/Dockerfile
-          tags: openclaw-install-smoke:local
-          load: true
-          push: false
-          provenance: false
-
-      - name: Build installer non-root image
-        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
-        with:
-          context: ./scripts/docker
-          file: ./scripts/docker/install-sh-nonroot/Dockerfile
-          tags: openclaw-install-nonroot:local
-          load: true
-          push: false
-          provenance: false
-
-      - name: Setup Node environment for installer smoke
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: ${{ needs.preflight.outputs.run_bun_global_install_smoke }}
-          install-deps: "true"
-
-      - name: Run Bun global install image-provider smoke
-        if: needs.preflight.outputs.run_bun_global_install_smoke == 'true'
-        env:
-          OPENCLAW_BUN_GLOBAL_SMOKE_DIST_IMAGE: openclaw-dockerfile-smoke:local
-          OPENCLAW_BUN_GLOBAL_SMOKE_HOST_BUILD: "0"
-        run: bash scripts/e2e/bun-global-install-smoke.sh
-
-      - name: Run installer docker tests
-        env:
-          OPENCLAW_INSTALL_URL: https://openclaw.ai/install.sh
-          OPENCLAW_INSTALL_CLI_URL: https://openclaw.ai/install-cli.sh
-          OPENCLAW_NO_ONBOARD: "1"
-          OPENCLAW_INSTALL_SMOKE_SKIP_CLI: "1"
-          OPENCLAW_INSTALL_SMOKE_SKIP_IMAGE_BUILD: "1"
-          OPENCLAW_INSTALL_NONROOT_SKIP_IMAGE_BUILD: "1"
-          OPENCLAW_INSTALL_SMOKE_SKIP_NONROOT: "0"
-          OPENCLAW_INSTALL_SMOKE_SKIP_NPM_GLOBAL: "1"
-          OPENCLAW_INSTALL_SMOKE_SKIP_PREVIOUS: "1"
-          OPENCLAW_INSTALL_SMOKE_UPDATE_BASELINE: ${{ inputs.update_baseline_version || 'latest' }}
-          OPENCLAW_INSTALL_SMOKE_UPDATE_DIST_IMAGE: openclaw-dockerfile-smoke:local
-          OPENCLAW_INSTALL_SMOKE_UPDATE_SKIP_LOCAL_BUILD: "1"
-        run: bash scripts/test-install-sh-docker.sh
-
-  docker-e2e-fast:
-    needs: [preflight]
-    if: needs.preflight.outputs.run_fast_install_smoke == 'true' || needs.preflight.outputs.run_full_install_smoke == 'true'
-    runs-on: blacksmith-16vcpu-ubuntu-2404
-    timeout-minutes: 8
-    env:
-      DOCKER_BUILD_SUMMARY: "false"
-      DOCKER_BUILD_RECORD_UPLOAD: "false"
-    steps:
-      - name: Checkout CLI
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref || github.ref }}
-
-      - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1
-
-      - name: Setup Node environment for package smoke
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-          install-deps: "true"
-
-      - name: Run fast bundled plugin Docker E2E
-        env:
-          OPENCLAW_BUNDLED_CHANNEL_DEPS_E2E_IMAGE: openclaw-bundled-channel-fast:local
-          OPENCLAW_BUNDLED_CHANNEL_DOCKER_RUN_TIMEOUT: 90s
-        run: timeout 240s pnpm test:docker:bundled-channel-deps:fast
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,877 +0,0 @@
-name: Labeler
-
-on:
-  pull_request_target: # zizmor: ignore[dangerous-triggers] maintainer-owned triage workflow; no untrusted checkout or PR code execution
-    types: [opened, synchronize, reopened, edited]
-  issues:
-    types: [opened, edited]
-  workflow_dispatch:
-    inputs:
-      max_prs:
-        description: "Maximum number of open PRs to process (0 = all)"
-        required: false
-        default: "200"
-      per_page:
-        description: "PRs per page (1-100)"
-        required: false
-        default: "50"
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request_target' }}
-
-permissions: {}
-
-jobs:
-  label:
-    permissions:
-      contents: read
-      pull-requests: write
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/create-github-app-token@v3
-        id: app-token
-        continue-on-error: true
-        with:
-          app-id: "2729701"
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/create-github-app-token@v3
-        id: app-token-fallback
-        if: steps.app-token.outcome == 'failure'
-        with:
-          app-id: "2971289"
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
-      - uses: actions/labeler@v6
-        with:
-          configuration-path: .github/labeler.yml
-          repo-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          sync-labels: true
-      - name: Apply PR size label
-        uses: actions/github-script@v9
-        with:
-          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          script: |
-            const pullRequest = context.payload.pull_request;
-            if (!pullRequest) {
-              return;
-            }
-
-            const sizeLabels = ["size: XS", "size: S", "size: M", "size: L", "size: XL"];
-            const labelColor = "b76e79";
-
-            for (const label of sizeLabels) {
-              try {
-                await github.rest.issues.getLabel({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  name: label,
-                });
-              } catch (error) {
-                if (error?.status !== 404) {
-                  throw error;
-                }
-                await github.rest.issues.createLabel({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  name: label,
-                  color: labelColor,
-                });
-              }
-            }
-
-            const files = await github.paginate(github.rest.pulls.listFiles, {
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: pullRequest.number,
-              per_page: 100,
-            });
-
-            const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lockb"]);
-            const totalChangedLines = files.reduce((total, file) => {
-              const path = file.filename ?? "";
-              if (path === "docs.acp.md" || path.startsWith("docs/") || excludedLockfiles.has(path)) {
-                return total;
-              }
-              return total + (file.additions ?? 0) + (file.deletions ?? 0);
-            }, 0);
-
-            let targetSizeLabel = "size: XL";
-            if (totalChangedLines < 50) {
-              targetSizeLabel = "size: XS";
-            } else if (totalChangedLines < 200) {
-              targetSizeLabel = "size: S";
-            } else if (totalChangedLines < 500) {
-              targetSizeLabel = "size: M";
-            } else if (totalChangedLines < 1000) {
-              targetSizeLabel = "size: L";
-            }
-
-            const currentLabels = await github.paginate(github.rest.issues.listLabelsOnIssue, {
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: pullRequest.number,
-              per_page: 100,
-            });
-
-            for (const label of currentLabels) {
-              const name = label.name ?? "";
-              if (!sizeLabels.includes(name)) {
-                continue;
-              }
-              if (name === targetSizeLabel) {
-                continue;
-              }
-              await github.rest.issues.removeLabel({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: pullRequest.number,
-                name,
-              });
-            }
-
-            await github.rest.issues.addLabels({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: pullRequest.number,
-              labels: [targetSizeLabel],
-            });
-      - name: Apply maintainer or trusted-contributor label
-        uses: actions/github-script@v9
-        with:
-          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          script: |
-            const login = context.payload.pull_request?.user?.login;
-            if (!login) {
-              return;
-            }
-
-            const repo = `${context.repo.owner}/${context.repo.repo}`;
-            // const trustedLabel = "trusted-contributor";
-            // const experiencedLabel = "experienced-contributor";
-            // const trustedThreshold = 4;
-            // const experiencedThreshold = 10;
-
-            let isMaintainer = false;
-            try {
-              const membership = await github.rest.teams.getMembershipForUserInOrg({
-                org: context.repo.owner,
-                team_slug: "maintainer",
-                username: login,
-              });
-              isMaintainer = membership?.data?.state === "active";
-            } catch (error) {
-              if (error?.status !== 404) {
-                throw error;
-              }
-            }
-
-            if (isMaintainer) {
-              await github.rest.issues.addLabels({
-                ...context.repo,
-                issue_number: context.payload.pull_request.number,
-                labels: ["maintainer"],
-              });
-              return;
-            }
-
-            // trusted-contributor and experienced-contributor labels disabled.
-            // const mergedQuery = `repo:${repo} is:pr is:merged author:${login}`;
-            // let mergedCount = 0;
-            // try {
-            //   const merged = await github.rest.search.issuesAndPullRequests({
-            //     q: mergedQuery,
-            //     per_page: 1,
-            //   });
-            //   mergedCount = merged?.data?.total_count ?? 0;
-            // } catch (error) {
-            //   if (error?.status !== 422) {
-            //     throw error;
-            //   }
-            //   core.warning(`Skipping merged search for ${login}; treating as 0.`);
-            // }
-            //
-            // if (mergedCount >= experiencedThreshold) {
-            //   await github.rest.issues.addLabels({
-            //     ...context.repo,
-            //     issue_number: context.payload.pull_request.number,
-            //     labels: [experiencedLabel],
-            //   });
-            //   return;
-            // }
-            //
-            // if (mergedCount >= trustedThreshold) {
-            //   await github.rest.issues.addLabels({
-            //     ...context.repo,
-            //     issue_number: context.payload.pull_request.number,
-            //     labels: [trustedLabel],
-            //   });
-            // }
-      - name: Apply beta-blocker title label
-        uses: actions/github-script@v9
-        with:
-          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          script: |
-            const pullRequest = context.payload.pull_request;
-            if (!pullRequest) {
-              return;
-            }
-
-            const labelName = "beta-blocker";
-            const matchesBetaBlocker = /\bbeta blocker\b/i.test(pullRequest.title ?? "");
-
-            try {
-              await github.rest.issues.getLabel({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                name: labelName,
-              });
-            } catch (error) {
-              if (error?.status !== 404) {
-                throw error;
-              }
-              core.info(`Skipping ${labelName} labeling because the label does not exist in the repository.`);
-              return;
-            }
-
-            const currentLabels = await github.paginate(github.rest.issues.listLabelsOnIssue, {
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: pullRequest.number,
-              per_page: 100,
-            });
-            const hasLabel = currentLabels.some((label) => label.name === labelName);
-
-            if (matchesBetaBlocker && !hasLabel) {
-              await github.rest.issues.addLabels({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: pullRequest.number,
-                labels: [labelName],
-              });
-              return;
-            }
-
-            if (!matchesBetaBlocker && hasLabel) {
-              await github.rest.issues.removeLabel({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: pullRequest.number,
-                name: labelName,
-              });
-            }
-      - name: Apply too-many-prs label
-        uses: actions/github-script@v9
-        with:
-          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          script: |
-            const pullRequest = context.payload.pull_request;
-            if (!pullRequest) {
-              return;
-            }
-
-            const activePrLimitLabel = "r: too-many-prs";
-            const activePrLimitOverrideLabel = "r: too-many-prs-override";
-            const activePrLimit = 10;
-            const labelColor = "B60205";
-            const labelDescription = `Author has more than ${activePrLimit} active PRs in this repo`;
-            const authorLogin = pullRequest.user?.login;
-            if (!authorLogin) {
-              return;
-            }
-
-            const currentLabels = await github.paginate(github.rest.issues.listLabelsOnIssue, {
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: pullRequest.number,
-              per_page: 100,
-            });
-
-            const labelNames = new Set(
-              currentLabels
-                .map((label) => (typeof label === "string" ? label : label?.name))
-                .filter((name) => typeof name === "string"),
-            );
-
-            if (labelNames.has(activePrLimitOverrideLabel)) {
-              if (labelNames.has(activePrLimitLabel)) {
-                try {
-                  await github.rest.issues.removeLabel({
-                    owner: context.repo.owner,
-                    repo: context.repo.repo,
-                    issue_number: pullRequest.number,
-                    name: activePrLimitLabel,
-                  });
-                } catch (error) {
-                  if (error?.status !== 404) {
-                    throw error;
-                  }
-                }
-              }
-              return;
-            }
-
-            const ensureLabelExists = async () => {
-              try {
-                await github.rest.issues.getLabel({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  name: activePrLimitLabel,
-                });
-              } catch (error) {
-                if (error?.status !== 404) {
-                  throw error;
-                }
-                await github.rest.issues.createLabel({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  name: activePrLimitLabel,
-                  color: labelColor,
-                  description: labelDescription,
-                });
-              }
-            };
-
-            const isPrivilegedAuthor = async () => {
-              if (pullRequest.author_association === "OWNER") {
-                return true;
-              }
-
-              let isMaintainer = false;
-              try {
-                const membership = await github.rest.teams.getMembershipForUserInOrg({
-                  org: context.repo.owner,
-                  team_slug: "maintainer",
-                  username: authorLogin,
-                });
-                isMaintainer = membership?.data?.state === "active";
-              } catch (error) {
-                if (error?.status !== 404) {
-                  throw error;
-                }
-              }
-
-              if (isMaintainer) {
-                return true;
-              }
-
-              try {
-                const permission = await github.rest.repos.getCollaboratorPermissionLevel({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  username: authorLogin,
-                });
-                const roleName = (permission?.data?.role_name ?? "").toLowerCase();
-                return roleName === "admin" || roleName === "maintain";
-              } catch (error) {
-                if (error?.status !== 404) {
-                  throw error;
-                }
-              }
-
-              return false;
-            };
-
-            if (await isPrivilegedAuthor()) {
-              if (labelNames.has(activePrLimitLabel)) {
-                try {
-                  await github.rest.issues.removeLabel({
-                    owner: context.repo.owner,
-                    repo: context.repo.repo,
-                    issue_number: pullRequest.number,
-                    name: activePrLimitLabel,
-                  });
-                } catch (error) {
-                  if (error?.status !== 404) {
-                    throw error;
-                  }
-                }
-              }
-              return;
-            }
-
-            let openPrCount = 0;
-            try {
-              const result = await github.rest.search.issuesAndPullRequests({
-                q: `repo:${context.repo.owner}/${context.repo.repo} is:pr is:open author:${authorLogin}`,
-                per_page: 1,
-              });
-              openPrCount = result?.data?.total_count ?? 0;
-            } catch (error) {
-              if (error?.status !== 422) {
-                throw error;
-              }
-              core.warning(`Skipping open PR count for ${authorLogin}; treating as 0.`);
-            }
-
-            if (openPrCount > activePrLimit) {
-              await ensureLabelExists();
-              if (!labelNames.has(activePrLimitLabel)) {
-                await github.rest.issues.addLabels({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  issue_number: pullRequest.number,
-                  labels: [activePrLimitLabel],
-                });
-              }
-              return;
-            }
-
-            if (labelNames.has(activePrLimitLabel)) {
-              try {
-                await github.rest.issues.removeLabel({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  issue_number: pullRequest.number,
-                  name: activePrLimitLabel,
-                });
-              } catch (error) {
-                if (error?.status !== 404) {
-                  throw error;
-                }
-              }
-            }
-
-  backfill-pr-labels:
-    if: github.event_name == 'workflow_dispatch'
-    permissions:
-      contents: read
-      pull-requests: write
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/create-github-app-token@v3
-        id: app-token
-        continue-on-error: true
-        with:
-          app-id: "2729701"
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/create-github-app-token@v3
-        id: app-token-fallback
-        if: steps.app-token.outcome == 'failure'
-        with:
-          app-id: "2971289"
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
-      - name: Backfill PR labels
-        uses: actions/github-script@v9
-        with:
-          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          script: |
-            const owner = context.repo.owner;
-            const repo = context.repo.repo;
-            const repoFull = `${owner}/${repo}`;
-            const inputs = context.payload.inputs ?? {};
-            const maxPrsInput = inputs.max_prs ?? "200";
-            const perPageInput = inputs.per_page ?? "50";
-            const parsedMaxPrs = Number.parseInt(maxPrsInput, 10);
-            const parsedPerPage = Number.parseInt(perPageInput, 10);
-            const maxPrs = Number.isFinite(parsedMaxPrs) ? parsedMaxPrs : 200;
-            const perPage = Number.isFinite(parsedPerPage) ? Math.min(100, Math.max(1, parsedPerPage)) : 50;
-            const processAll = maxPrs <= 0;
-            const maxCount = processAll ? Number.POSITIVE_INFINITY : Math.max(1, maxPrs);
-
-            const sizeLabels = ["size: XS", "size: S", "size: M", "size: L", "size: XL"];
-            const betaBlockerLabel = "beta-blocker";
-            const labelColor = "b76e79";
-            // const trustedLabel = "trusted-contributor";
-            // const experiencedLabel = "experienced-contributor";
-            // const trustedThreshold = 4;
-            // const experiencedThreshold = 10;
-
-            const contributorCache = new Map();
-
-            async function ensureSizeLabels() {
-              for (const label of sizeLabels) {
-                try {
-                  await github.rest.issues.getLabel({
-                    owner,
-                    repo,
-                    name: label,
-                  });
-                } catch (error) {
-                  if (error?.status !== 404) {
-                    throw error;
-                  }
-                  await github.rest.issues.createLabel({
-                    owner,
-                    repo,
-                    name: label,
-                    color: labelColor,
-                  });
-                }
-              }
-            }
-
-            async function hasBetaBlockerLabel() {
-              try {
-                await github.rest.issues.getLabel({
-                  owner,
-                  repo,
-                  name: betaBlockerLabel,
-                });
-                return true;
-              } catch (error) {
-                if (error?.status !== 404) {
-                  throw error;
-                }
-                return false;
-              }
-            }
-
-            async function resolveContributorLabel(login) {
-              if (contributorCache.has(login)) {
-                return contributorCache.get(login);
-              }
-
-              let isMaintainer = false;
-              try {
-                const membership = await github.rest.teams.getMembershipForUserInOrg({
-                  org: owner,
-                  team_slug: "maintainer",
-                  username: login,
-                });
-                isMaintainer = membership?.data?.state === "active";
-              } catch (error) {
-                if (error?.status !== 404) {
-                  throw error;
-                }
-              }
-
-              if (isMaintainer) {
-                contributorCache.set(login, "maintainer");
-                return "maintainer";
-              }
-
-              // trusted-contributor and experienced-contributor labels disabled.
-              // const mergedQuery = `repo:${repoFull} is:pr is:merged author:${login}`;
-              // let mergedCount = 0;
-              // try {
-              //   const merged = await github.rest.search.issuesAndPullRequests({
-              //     q: mergedQuery,
-              //     per_page: 1,
-              //   });
-              //   mergedCount = merged?.data?.total_count ?? 0;
-              // } catch (error) {
-              //   if (error?.status !== 422) {
-              //     throw error;
-              //   }
-              //   core.warning(`Skipping merged search for ${login}; treating as 0.`);
-              // }
-
-              const label = null;
-              // if (mergedCount >= experiencedThreshold) {
-              //   label = experiencedLabel;
-              // } else if (mergedCount >= trustedThreshold) {
-              //   label = trustedLabel;
-              // }
-
-              contributorCache.set(login, label);
-              return label;
-            }
-
-            async function applySizeLabel(pullRequest, currentLabels, labelNames) {
-              const files = await github.paginate(github.rest.pulls.listFiles, {
-                owner,
-                repo,
-                pull_number: pullRequest.number,
-                per_page: 100,
-              });
-
-              const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lockb"]);
-              const totalChangedLines = files.reduce((total, file) => {
-                const path = file.filename ?? "";
-                if (path === "docs.acp.md" || path.startsWith("docs/") || excludedLockfiles.has(path)) {
-                  return total;
-                }
-                return total + (file.additions ?? 0) + (file.deletions ?? 0);
-              }, 0);
-
-              let targetSizeLabel = "size: XL";
-              if (totalChangedLines < 50) {
-                targetSizeLabel = "size: XS";
-              } else if (totalChangedLines < 200) {
-                targetSizeLabel = "size: S";
-              } else if (totalChangedLines < 500) {
-                targetSizeLabel = "size: M";
-              } else if (totalChangedLines < 1000) {
-                targetSizeLabel = "size: L";
-              }
-
-              for (const label of currentLabels) {
-                const name = label.name ?? "";
-                if (!sizeLabels.includes(name)) {
-                  continue;
-                }
-                if (name === targetSizeLabel) {
-                  continue;
-                }
-                await github.rest.issues.removeLabel({
-                  owner,
-                  repo,
-                  issue_number: pullRequest.number,
-                  name,
-                });
-                labelNames.delete(name);
-              }
-
-              if (!labelNames.has(targetSizeLabel)) {
-                await github.rest.issues.addLabels({
-                  owner,
-                  repo,
-                  issue_number: pullRequest.number,
-                  labels: [targetSizeLabel],
-                });
-                labelNames.add(targetSizeLabel);
-              }
-            }
-
-            async function applyContributorLabel(pullRequest, labelNames) {
-              const login = pullRequest.user?.login;
-              if (!login) {
-                return;
-              }
-
-              const label = await resolveContributorLabel(login);
-              if (!label) {
-                return;
-              }
-
-              if (labelNames.has(label)) {
-                return;
-              }
-
-              await github.rest.issues.addLabels({
-                owner,
-                repo,
-                issue_number: pullRequest.number,
-                labels: [label],
-              });
-              labelNames.add(label);
-            }
-
-            async function applyBetaBlockerTitleLabel(pullRequest, labelNames) {
-              const matchesBetaBlocker = /\bbeta blocker\b/i.test(pullRequest.title ?? "");
-
-              if (matchesBetaBlocker) {
-                if (!labelNames.has(betaBlockerLabel)) {
-                  await github.rest.issues.addLabels({
-                    owner,
-                    repo,
-                    issue_number: pullRequest.number,
-                    labels: [betaBlockerLabel],
-                  });
-                  labelNames.add(betaBlockerLabel);
-                }
-                return;
-              }
-
-              if (!labelNames.has(betaBlockerLabel)) {
-                return;
-              }
-
-              await github.rest.issues.removeLabel({
-                owner,
-                repo,
-                issue_number: pullRequest.number,
-                name: betaBlockerLabel,
-              });
-              labelNames.delete(betaBlockerLabel);
-            }
-
-            await ensureSizeLabels();
-            const betaBlockerLabelExists = await hasBetaBlockerLabel();
-
-            let page = 1;
-            let processed = 0;
-
-            while (processed < maxCount) {
-              const remaining = maxCount - processed;
-              const pageSize = processAll ? perPage : Math.min(perPage, remaining);
-              const { data: pullRequests } = await github.rest.pulls.list({
-                owner,
-                repo,
-                state: "open",
-                per_page: pageSize,
-                page,
-              });
-
-              if (pullRequests.length === 0) {
-                break;
-              }
-
-              for (const pullRequest of pullRequests) {
-                if (!processAll && processed >= maxCount) {
-                  break;
-                }
-
-                const currentLabels = await github.paginate(github.rest.issues.listLabelsOnIssue, {
-                  owner,
-                  repo,
-                  issue_number: pullRequest.number,
-                  per_page: 100,
-                });
-
-                const labelNames = new Set(
-                  currentLabels.map((label) => label.name).filter((name) => typeof name === "string"),
-                );
-
-                await applySizeLabel(pullRequest, currentLabels, labelNames);
-                await applyContributorLabel(pullRequest, labelNames);
-                if (betaBlockerLabelExists) {
-                  await applyBetaBlockerTitleLabel(pullRequest, labelNames);
-                }
-
-                processed += 1;
-              }
-
-              if (pullRequests.length < pageSize) {
-                break;
-              }
-
-              page += 1;
-            }
-
-            core.info(`Processed ${processed} pull requests.`);
-
-  label-issues:
-    permissions:
-      issues: write
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/create-github-app-token@v3
-        id: app-token
-        continue-on-error: true
-        with:
-          app-id: "2729701"
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/create-github-app-token@v3
-        id: app-token-fallback
-        if: steps.app-token.outcome == 'failure'
-        with:
-          app-id: "2971289"
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
-      - name: Apply maintainer or trusted-contributor label
-        uses: actions/github-script@v9
-        with:
-          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          script: |
-            const login = context.payload.issue?.user?.login;
-            if (!login) {
-              return;
-            }
-
-            const repo = `${context.repo.owner}/${context.repo.repo}`;
-            // const trustedLabel = "trusted-contributor";
-            // const experiencedLabel = "experienced-contributor";
-            // const trustedThreshold = 4;
-            // const experiencedThreshold = 10;
-
-            let isMaintainer = false;
-            try {
-              const membership = await github.rest.teams.getMembershipForUserInOrg({
-                org: context.repo.owner,
-                team_slug: "maintainer",
-                username: login,
-              });
-              isMaintainer = membership?.data?.state === "active";
-            } catch (error) {
-              if (error?.status !== 404) {
-                throw error;
-              }
-            }
-
-            if (isMaintainer) {
-              await github.rest.issues.addLabels({
-                ...context.repo,
-                issue_number: context.payload.issue.number,
-                labels: ["maintainer"],
-              });
-              return;
-            }
-
-            // trusted-contributor and experienced-contributor labels disabled.
-            // const mergedQuery = `repo:${repo} is:pr is:merged author:${login}`;
-            // let mergedCount = 0;
-            // try {
-            //   const merged = await github.rest.search.issuesAndPullRequests({
-            //     q: mergedQuery,
-            //     per_page: 1,
-            //   });
-            //   mergedCount = merged?.data?.total_count ?? 0;
-            // } catch (error) {
-            //   if (error?.status !== 422) {
-            //     throw error;
-            //   }
-            //   core.warning(`Skipping merged search for ${login}; treating as 0.`);
-            // }
-            //
-            // if (mergedCount >= experiencedThreshold) {
-            //   await github.rest.issues.addLabels({
-            //     ...context.repo,
-            //     issue_number: context.payload.issue.number,
-            //     labels: [experiencedLabel],
-            //   });
-            //   return;
-            // }
-            //
-            // if (mergedCount >= trustedThreshold) {
-            //   await github.rest.issues.addLabels({
-            //     ...context.repo,
-            //     issue_number: context.payload.issue.number,
-            //     labels: [trustedLabel],
-            //   });
-            // }
-      - name: Apply beta-blocker title label
-        uses: actions/github-script@v9
-        with:
-          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          script: |
-            const issue = context.payload.issue;
-            if (!issue || issue.pull_request) {
-              return;
-            }
-
-            const labelName = "beta-blocker";
-            const matchesBetaBlocker = /^beta blocker:/i.test(issue.title ?? "");
-
-            try {
-              await github.rest.issues.getLabel({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                name: labelName,
-              });
-            } catch (error) {
-              if (error?.status !== 404) {
-                throw error;
-              }
-              core.info(`Skipping ${labelName} labeling because the label does not exist in the repository.`);
-              return;
-            }
-
-            const currentLabels = await github.paginate(github.rest.issues.listLabelsOnIssue, {
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: issue.number,
-              per_page: 100,
-            });
-            const hasLabel = currentLabels.some((label) => label.name === labelName);
-
-            if (matchesBetaBlocker && !hasLabel) {
-              await github.rest.issues.addLabels({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: issue.number,
-                labels: [labelName],
-              });
-              return;
-            }
-
-            if (!matchesBetaBlocker && hasLabel) {
-              await github.rest.issues.removeLabel({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: issue.number,
-                name: labelName,
-              });
-            }
--- a/.github/workflows/macos-release.yml
+++ b/.github/workflows/macos-release.yml
@@ -1,93 +0,0 @@
-name: macOS Release
-
-on:
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: Existing release tag to validate for macOS release handoff (for example v2026.3.22 or v2026.3.22-beta.1)
-        required: true
-        type: string
-      preflight_only:
-        description: Retained for operator compatibility; this public workflow is validation-only
-        required: true
-        default: true
-        type: boolean
-
-concurrency:
-  group: macos-release-${{ inputs.tag }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  NODE_VERSION: "24.x"
-  PNPM_VERSION: "10.32.1"
-
-jobs:
-  validate_macos_release_request:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Validate tag input format
-        env:
-          RELEASE_TAG: ${{ inputs.tag }}
-        run: |
-          set -euo pipefail
-          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
-            echo "Invalid release tag format: ${RELEASE_TAG}"
-            exit 1
-          fi
-
-      - name: Checkout selected tag
-        uses: actions/checkout@v6
-        with:
-          ref: refs/tags/${{ inputs.tag }}
-          fetch-depth: 0
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "false"
-
-      - name: Ensure matching GitHub release exists
-        env:
-          GH_TOKEN: ${{ github.token }}
-          RELEASE_TAG: ${{ inputs.tag }}
-        run: gh release view "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" >/dev/null
-
-      - name: Build
-        run: pnpm build
-
-      - name: Build Control UI
-        run: pnpm ui:build
-
-      - name: Validate release tag and package metadata
-        env:
-          RELEASE_TAG: ${{ inputs.tag }}
-          WORKFLOW_REF_NAME: ${{ github.ref_name }}
-        run: |
-          set -euo pipefail
-          RELEASE_SHA=$(git rev-parse HEAD)
-          RELEASE_MAIN_REF="refs/remotes/origin/${WORKFLOW_REF_NAME}"
-          export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF
-          git fetch --no-tags origin "+refs/heads/${WORKFLOW_REF_NAME}:refs/remotes/origin/${WORKFLOW_REF_NAME}"
-          pnpm release:openclaw:npm:check
-
-      - name: Summarize next step
-        env:
-          RELEASE_TAG: ${{ inputs.tag }}
-        run: |
-          {
-            echo "## Public macOS validation only"
-            echo
-            echo "This workflow validates the public release handoff and still builds JS artifacts needed for release checks."
-            echo "It does not sign, notarize, or upload macOS assets."
-            echo
-            echo "Next step:"
-            echo "- Run \`openclaw/releases-private/.github/workflows/openclaw-macos-validate.yml\` with tag \`${RELEASE_TAG}\` and wait for the private mac validation lane to pass."
-            echo "- Run \`openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml\` with tag \`${RELEASE_TAG}\` and \`preflight_only=true\` for the full private mac preflight."
-            echo "- For the real publish path, run the same private mac publish workflow from \`main\` with the successful private preflight \`preflight_run_id\` so it promotes the prepared artifacts instead of rebuilding them."
-            echo "- For stable releases, also download \`macos-appcast-${RELEASE_TAG}\` from the successful private run and commit \`appcast.xml\` back to \`main\` in \`openclaw/openclaw\`."
-          } >> "$GITHUB_STEP_SUMMARY"
--- a/.github/workflows/npm-telegram-beta-e2e.yml
+++ b/.github/workflows/npm-telegram-beta-e2e.yml
@@ -1,144 +0,0 @@
-name: NPM Telegram Beta E2E
-
-on:
-  workflow_dispatch:
-    inputs:
-      package_spec:
-        description: Published OpenClaw package spec to test
-        required: true
-        default: openclaw@beta
-        type: string
-      provider_mode:
-        description: QA provider mode
-        required: true
-        default: mock-openai
-        type: choice
-        options:
-          - mock-openai
-          - live-frontier
-      scenario:
-        description: Optional comma-separated Telegram scenario ids
-        required: false
-        type: string
-
-permissions:
-  contents: read
-
-concurrency:
-  group: npm-telegram-beta-e2e-${{ github.run_id }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  NODE_VERSION: "24.x"
-  PNPM_VERSION: "10.33.0"
-
-jobs:
-  run_npm_telegram_beta_e2e:
-    name: Run published npm Telegram E2E
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    timeout-minutes: 60
-    environment: qa-live-shared
-    permissions:
-      contents: read
-    env:
-      DOCKER_BUILD_SUMMARY: "false"
-      DOCKER_BUILD_RECORD_UPLOAD: "false"
-    steps:
-      - name: Checkout dispatch ref
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ github.sha }}
-          fetch-depth: 1
-
-      - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1
-        with:
-          max-cache-size-mb: 800000
-
-      - name: Build Docker E2E image
-        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
-        with:
-          context: .
-          file: ./scripts/e2e/Dockerfile
-          target: build
-          platforms: linux/amd64
-          tags: openclaw-docker-e2e:local
-          load: true
-          push: false
-          provenance: false
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "true"
-
-      - name: Validate inputs and secrets
-        env:
-          PACKAGE_SPEC: ${{ inputs.package_spec }}
-          PROVIDER_MODE: ${{ inputs.provider_mode }}
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
-          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          if [[ ! "${PACKAGE_SPEC}" =~ ^openclaw@(beta|latest|[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-[1-9][0-9]*|-beta\.[1-9][0-9]*)?)$ ]]; then
-            echo "package_spec must be openclaw@beta, openclaw@latest, or an exact OpenClaw release version; got: ${PACKAGE_SPEC}" >&2
-            exit 1
-          fi
-
-          require_var() {
-            local key="$1"
-            if [[ -z "${!key:-}" ]]; then
-              echo "Missing required ${key}." >&2
-              exit 1
-            fi
-          }
-
-          require_var OPENCLAW_QA_CONVEX_SITE_URL
-          require_var OPENCLAW_QA_CONVEX_SECRET_CI
-          if [[ "${PROVIDER_MODE}" == "live-frontier" ]]; then
-            require_var OPENAI_API_KEY
-          fi
-
-      - name: Run npm Telegram beta E2E
-        id: run_lane
-        shell: bash
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENCLAW_SKIP_DOCKER_BUILD: "1"
-          OPENCLAW_DOCKER_E2E_IMAGE: openclaw-docker-e2e:local
-          OPENCLAW_NPM_TELEGRAM_PACKAGE_SPEC: ${{ inputs.package_spec }}
-          OPENCLAW_NPM_TELEGRAM_PROVIDER_MODE: ${{ inputs.provider_mode }}
-          OPENCLAW_NPM_TELEGRAM_CREDENTIAL_SOURCE: convex
-          OPENCLAW_NPM_TELEGRAM_CREDENTIAL_ROLE: ci
-          OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
-          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
-          OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
-          INPUT_SCENARIO: ${{ inputs.scenario }}
-        run: |
-          set -euo pipefail
-
-          output_dir=".artifacts/qa-e2e/npm-telegram-beta-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
-          echo "output_dir=${output_dir}" >> "$GITHUB_OUTPUT"
-          export OPENCLAW_NPM_TELEGRAM_OUTPUT_DIR="${output_dir}"
-
-          if [[ -n "${INPUT_SCENARIO// }" ]]; then
-            export OPENCLAW_NPM_TELEGRAM_SCENARIOS="${INPUT_SCENARIO}"
-          fi
-
-          pnpm test:docker:npm-telegram-live
-
-      - name: Upload npm Telegram E2E artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: npm-telegram-beta-e2e-${{ github.run_id }}-${{ github.run_attempt }}
-          path: ${{ steps.run_lane.outputs.output_dir }}
-          retention-days: 14
-          if-no-files-found: warn
--- a/.github/workflows/openclaw-cross-os-release-checks-reusable.yml
+++ b/.github/workflows/openclaw-cross-os-release-checks-reusable.yml
@@ -1,483 +0,0 @@
-name: OpenClaw Cross-OS Release Checks (Reusable)
-
-on:
-  workflow_dispatch:
-    inputs:
-      ref:
-        description: Public OpenClaw ref to validate (tag, branch, or full commit SHA)
-        required: true
-        default: main
-        type: string
-      workflow_ref:
-        description: Optional openclaw/openclaw ref that provides the reusable workflow harness
-        required: false
-        default: ""
-        type: string
-      provider:
-        description: Provider lane to use for onboarding and the end-to-end turn
-        required: true
-        default: openai
-        type: choice
-        options:
-          - openai
-          - anthropic
-          - minimax
-      mode:
-        description: Which release-check lanes to run
-        required: true
-        default: both
-        type: choice
-        options:
-          - fresh
-          - upgrade
-          - both
-      previous_version:
-        description: Optional baseline version for installer/dev-update and packaged upgrade
-        required: false
-        default: ""
-        type: string
-      ubuntu_runner:
-        description: Optional Linux runner label override
-        required: false
-        default: ""
-        type: string
-      windows_runner:
-        description: Optional Windows runner label override
-        required: false
-        default: ""
-        type: string
-      macos_runner:
-        description: Optional macOS runner label override
-        required: false
-        default: ""
-        type: string
-  workflow_call:
-    inputs:
-      ref:
-        description: Public OpenClaw ref to validate (tag, branch, or full commit SHA)
-        required: true
-        type: string
-      workflow_ref:
-        description: Optional openclaw/openclaw ref that provides the reusable workflow harness
-        required: false
-        default: ""
-        type: string
-      provider:
-        description: Provider lane to use for onboarding and the end-to-end turn
-        required: true
-        type: string
-      mode:
-        description: Which release-check lanes to run
-        required: true
-        type: string
-      previous_version:
-        description: Optional baseline version for the upgrade lane (defaults to npm latest)
-        required: false
-        default: ""
-        type: string
-      ubuntu_runner:
-        description: Optional Linux runner label override
-        required: false
-        default: ""
-        type: string
-      windows_runner:
-        description: Optional Windows runner label override
-        required: false
-        default: ""
-        type: string
-      macos_runner:
-        description: Optional macOS runner label override
-        required: false
-        default: ""
-        type: string
-    secrets:
-      OPENAI_API_KEY:
-        required: false
-      ANTHROPIC_API_KEY:
-        required: false
-      MINIMAX_API_KEY:
-        required: false
-      OPENCLAW_DISCORD_SMOKE_BOT_TOKEN:
-        required: false
-      OPENCLAW_DISCORD_SMOKE_GUILD_ID:
-        required: false
-      OPENCLAW_DISCORD_SMOKE_CHANNEL_ID:
-        required: false
-
-permissions: read-all
-
-concurrency:
-  group: openclaw-cross-os-release-checks-${{ inputs.ref }}-${{ inputs.provider }}-${{ inputs.mode }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  NODE_VERSION: "24.x"
-  PNPM_VERSION: "10.32.1"
-  OPENCLAW_REPOSITORY: openclaw/openclaw
-  TSX_VERSION: "4.21.0"
-
-jobs:
-  prepare:
-    runs-on: ubuntu-latest
-    outputs:
-      baseline_file_name: ${{ steps.baseline_metadata.outputs.file_name }}
-      baseline_spec: ${{ steps.baseline.outputs.value }}
-      candidate_file_name: ${{ steps.candidate_metadata.outputs.file_name }}
-      candidate_version: ${{ steps.candidate_metadata.outputs.version }}
-      matrix: ${{ steps.matrix.outputs.value }}
-      source_sha: ${{ steps.candidate_metadata.outputs.source_sha }}
-      workflow_ref: ${{ steps.workflow_ref.outputs.value }}
-    steps:
-      - name: Validate provider secret availability
-        env:
-          PROVIDER: ${{ inputs.provider }}
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-          MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
-        run: |
-          set -euo pipefail
-          case "${PROVIDER}" in
-            openai)
-              [[ -n "${OPENAI_API_KEY}" ]] || { echo "Missing OPENAI_API_KEY secret." >&2; exit 1; }
-              ;;
-            anthropic)
-              [[ -n "${ANTHROPIC_API_KEY}" ]] || { echo "Missing ANTHROPIC_API_KEY secret." >&2; exit 1; }
-              ;;
-            minimax)
-              [[ -n "${MINIMAX_API_KEY}" ]] || { echo "Missing MINIMAX_API_KEY secret." >&2; exit 1; }
-              ;;
-            *)
-              echo "Unsupported provider: ${PROVIDER}" >&2
-              exit 1
-              ;;
-          esac
-
-      - name: Resolve workflow ref
-        id: workflow_ref
-        env:
-          INPUT_WORKFLOW_REF: ${{ inputs.workflow_ref }}
-          CALLER_REPOSITORY: ${{ github.repository }}
-          CURRENT_SHA: ${{ github.sha }}
-          WORKFLOW_CONTEXT_REF: ${{ github.workflow_ref }}
-          WORKFLOW_REPOSITORY: ${{ env.OPENCLAW_REPOSITORY }}
-        run: |
-          set -euo pipefail
-          resolve_unique_remote_ref() {
-            local remote_url="$1"
-            shift
-            local -a refs=("$@")
-            local -a matches=()
-            local ref=""
-
-            for ref in "${refs[@]}"; do
-              [[ -n "${ref}" ]] || continue
-              mapfile -t matches < <(
-                git ls-remote "${remote_url}" "${ref}" | awk '{print $1}' | awk '!seen[$0]++'
-              )
-              if [[ "${#matches[@]}" -eq 0 ]]; then
-                continue
-              fi
-              if [[ "${#matches[@]}" -ne 1 ]]; then
-                return 2
-              fi
-
-              printf '%s\n' "${matches[0]}"
-              return 0
-            done
-            return 1
-          }
-
-          if [[ -n "${INPUT_WORKFLOW_REF}" ]]; then
-            TARGET_REF="${INPUT_WORKFLOW_REF}"
-          elif [[ "${CALLER_REPOSITORY}" == "${WORKFLOW_REPOSITORY}" ]]; then
-            TARGET_REF="${CURRENT_SHA}"
-          elif [[ "${WORKFLOW_CONTEXT_REF}" == "${WORKFLOW_REPOSITORY}/"* ]] && [[ "${WORKFLOW_CONTEXT_REF}" == *"@"* ]]; then
-            TARGET_REF="${WORKFLOW_CONTEXT_REF##*@}"
-          else
-            echo "Failed to infer workflow ref from github.workflow_ref=${WORKFLOW_CONTEXT_REF}" >&2
-            exit 1
-          fi
-
-          if [[ "${TARGET_REF}" =~ ^[0-9a-fA-F]{40}$ ]]; then
-            echo "value=${TARGET_REF}" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          REMOTE_URL="https://github.com/${WORKFLOW_REPOSITORY}.git"
-          if [[ "${TARGET_REF}" == refs/* ]]; then
-            if [[ "${TARGET_REF}" == refs/tags/* ]]; then
-              mapfile -t MATCHES < <(
-                resolve_unique_remote_ref "${REMOTE_URL}" "${TARGET_REF}^{}" "${TARGET_REF}" || true
-              )
-            else
-              mapfile -t MATCHES < <(resolve_unique_remote_ref "${REMOTE_URL}" "${TARGET_REF}" || true)
-            fi
-          else
-            mapfile -t BRANCH_MATCHES < <(
-              resolve_unique_remote_ref "${REMOTE_URL}" "refs/heads/${TARGET_REF}" || true
-            )
-            mapfile -t TAG_MATCHES < <(
-              resolve_unique_remote_ref "${REMOTE_URL}" "refs/tags/${TARGET_REF}^{}" "refs/tags/${TARGET_REF}" || true
-            )
-
-            MATCH_COUNT=$(( ${#BRANCH_MATCHES[@]} + ${#TAG_MATCHES[@]} ))
-            if [[ "${MATCH_COUNT}" -eq 1 ]]; then
-              if [[ "${#BRANCH_MATCHES[@]}" -eq 1 ]]; then
-                MATCHES=("${BRANCH_MATCHES[0]}")
-              else
-                MATCHES=("${TAG_MATCHES[0]}")
-              fi
-            elif [[ "${MATCH_COUNT}" -eq 0 ]]; then
-              MATCHES=()
-            else
-              echo "Workflow ref resolved ambiguously: ${TARGET_REF}" >&2
-              exit 1
-            fi
-          fi
-
-          case "${#MATCHES[@]}" in
-            1)
-              echo "value=${MATCHES[0]}" >> "$GITHUB_OUTPUT"
-              ;;
-            0)
-              echo "Failed to resolve workflow ref: ${TARGET_REF}" >&2
-              exit 1
-              ;;
-            *)
-              echo "Workflow ref resolved ambiguously: ${TARGET_REF}" >&2
-              exit 1
-              ;;
-          esac
-
-      - name: Checkout workflow repo
-        uses: actions/checkout@v6
-        with:
-          repository: ${{ env.OPENCLAW_REPOSITORY }}
-          ref: ${{ steps.workflow_ref.outputs.value }}
-          path: workflow
-          fetch-depth: 1
-          persist-credentials: false
-
-      - name: Checkout public source ref
-        uses: actions/checkout@v6
-        with:
-          repository: ${{ env.OPENCLAW_REPOSITORY }}
-          ref: ${{ inputs.ref }}
-          path: source
-          fetch-depth: 0
-          persist-credentials: false
-          submodules: recursive
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: ${{ env.PNPM_VERSION }}
-          run_install: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: pnpm
-          cache-dependency-path: source/pnpm-lock.yaml
-
-      - name: Build candidate artifact once
-        env:
-          OUTPUT_DIR: ${{ runner.temp }}/openclaw-cross-os-release-checks/prepare
-        run: |
-          pnpm dlx "tsx@${TSX_VERSION}" workflow/scripts/openclaw-cross-os-release-checks.ts \
-            --prepare-only \
-            --source-dir source \
-            --output-dir "${OUTPUT_DIR}"
-
-      - name: Resolve baseline package spec
-        if: ${{ inputs.mode != 'fresh' }}
-        id: baseline
-        env:
-          INPUT_PREVIOUS_VERSION: ${{ inputs.previous_version }}
-        run: |
-          set -euo pipefail
-          if [[ -n "${INPUT_PREVIOUS_VERSION}" ]]; then
-            echo "value=openclaw@${INPUT_PREVIOUS_VERSION}" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          BASELINE_VERSION="$(npm view openclaw@latest version)"
-          echo "value=openclaw@${BASELINE_VERSION}" >> "$GITHUB_OUTPUT"
-
-      - name: Pack baseline artifact
-        if: ${{ inputs.mode != 'fresh' }}
-        env:
-          BASELINE_SPEC: ${{ steps.baseline.outputs.value }}
-          OUTPUT_DIR: ${{ runner.temp }}/openclaw-cross-os-release-checks/prepare/baseline
-        run: |
-          mkdir -p "${OUTPUT_DIR}"
-          npm pack --ignore-scripts --json "${BASELINE_SPEC}" --pack-destination "${OUTPUT_DIR}" > "${OUTPUT_DIR}/pack.json"
-
-      - name: Capture candidate metadata
-        id: candidate_metadata
-        env:
-          CANDIDATE_JSON: ${{ runner.temp }}/openclaw-cross-os-release-checks/prepare/candidate.json
-        run: |
-          node <<'NODE' >>"$GITHUB_OUTPUT"
-          const fs = require("node:fs");
-          const payload = JSON.parse(fs.readFileSync(process.env.CANDIDATE_JSON, "utf8"));
-          process.stdout.write(`file_name=${payload.candidateFileName}\n`);
-          process.stdout.write(`version=${payload.candidateVersion}\n`);
-          process.stdout.write(`source_sha=${payload.sourceSha}\n`);
-          NODE
-
-      - name: Capture baseline metadata
-        if: ${{ inputs.mode != 'fresh' }}
-        id: baseline_metadata
-        env:
-          BASELINE_PACK_JSON: ${{ runner.temp }}/openclaw-cross-os-release-checks/prepare/baseline/pack.json
-        run: |
-          node <<'NODE' >>"$GITHUB_OUTPUT"
-          const fs = require("node:fs");
-          const payload = JSON.parse(fs.readFileSync(process.env.BASELINE_PACK_JSON, "utf8"));
-          const entry = Array.isArray(payload) ? payload.at(-1) : null;
-          if (!entry?.filename) {
-            throw new Error("Baseline npm pack did not produce a filename.");
-          }
-          process.stdout.write(`file_name=${entry.filename}\n`);
-          NODE
-
-      - name: Upload candidate artifact
-        uses: actions/upload-artifact@v7
-        with:
-          name: openclaw-cross-os-release-checks-candidate-${{ github.run_id }}
-          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/prepare/package/${{ steps.candidate_metadata.outputs.file_name }}
-          if-no-files-found: error
-
-      - name: Upload baseline artifact
-        if: ${{ inputs.mode != 'fresh' }}
-        uses: actions/upload-artifact@v7
-        with:
-          name: openclaw-cross-os-release-checks-baseline-${{ github.run_id }}
-          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/prepare/baseline/${{ steps.baseline_metadata.outputs.file_name }}
-          if-no-files-found: error
-
-      - name: Resolve runner matrix
-        id: matrix
-        env:
-          INPUT_REF: ${{ inputs.ref }}
-          INPUT_MODE: ${{ inputs.mode }}
-          INPUT_UBUNTU_RUNNER: ${{ inputs.ubuntu_runner }}
-          INPUT_WINDOWS_RUNNER: ${{ inputs.windows_runner }}
-          INPUT_MACOS_RUNNER: ${{ inputs.macos_runner }}
-          VAR_UBUNTU_RUNNER: ${{ vars.OPENCLAW_RELEASE_CHECKS_UBUNTU_RUNNER }}
-          VAR_WINDOWS_RUNNER: ${{ vars.OPENCLAW_RELEASE_CHECKS_WINDOWS_RUNNER }}
-          VAR_MACOS_RUNNER: ${{ vars.OPENCLAW_RELEASE_CHECKS_MACOS_RUNNER }}
-        run: |
-          MATRIX_JSON="$(pnpm dlx "tsx@${TSX_VERSION}" workflow/scripts/openclaw-cross-os-release-checks.ts \
-            --resolve-matrix \
-            --ref "${INPUT_REF}" \
-            --mode "${INPUT_MODE}" \
-            --ubuntu-runner "${INPUT_UBUNTU_RUNNER}" \
-            --windows-runner "${INPUT_WINDOWS_RUNNER}" \
-            --macos-runner "${INPUT_MACOS_RUNNER}")"
-          echo "value=${MATRIX_JSON}" >> "$GITHUB_OUTPUT"
-
-  cross_os_release_checks:
-    name: "${{ matrix.display_name }} / ${{ matrix.suite_label }}"
-    needs: prepare
-    strategy:
-      fail-fast: false
-      matrix: ${{ fromJson(needs.prepare.outputs.matrix) }}
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 120
-    steps:
-      - name: Checkout workflow repo
-        uses: actions/checkout@v6
-        with:
-          repository: ${{ env.OPENCLAW_REPOSITORY }}
-          ref: ${{ needs.prepare.outputs.workflow_ref }}
-          path: workflow
-          fetch-depth: 1
-          persist-credentials: false
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: ${{ env.PNPM_VERSION }}
-          run_install: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Download candidate artifact
-        uses: actions/download-artifact@v8
-        with:
-          name: openclaw-cross-os-release-checks-candidate-${{ github.run_id }}
-          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/candidate
-
-      - name: Download baseline artifact
-        if: ${{ matrix.suite == 'packaged-upgrade' }}
-        uses: actions/download-artifact@v8
-        with:
-          name: openclaw-cross-os-release-checks-baseline-${{ github.run_id }}
-          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/baseline
-
-      - name: Run cross-OS release checks
-        shell: bash
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-          MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
-          OPENCLAW_DISCORD_SMOKE_BOT_TOKEN: ${{ secrets.OPENCLAW_DISCORD_SMOKE_BOT_TOKEN }}
-          OPENCLAW_DISCORD_SMOKE_GUILD_ID: ${{ secrets.OPENCLAW_DISCORD_SMOKE_GUILD_ID }}
-          OPENCLAW_DISCORD_SMOKE_CHANNEL_ID: ${{ secrets.OPENCLAW_DISCORD_SMOKE_CHANNEL_ID }}
-          OPENCLAW_RELEASE_CHECK_OS: ${{ matrix.os_id }}
-          OPENCLAW_RELEASE_CHECK_RUNNER: ${{ matrix.runner }}
-          CANDIDATE_TGZ: ${{ runner.temp }}/openclaw-cross-os-release-checks/candidate/${{ needs.prepare.outputs.candidate_file_name }}
-          CANDIDATE_VERSION: ${{ needs.prepare.outputs.candidate_version }}
-          SOURCE_SHA: ${{ needs.prepare.outputs.source_sha }}
-          BASELINE_SPEC: ${{ needs.prepare.outputs.baseline_spec }}
-          PREVIOUS_VERSION: ${{ inputs.previous_version }}
-          BASELINE_TGZ: ${{ runner.temp }}/openclaw-cross-os-release-checks/baseline/${{ needs.prepare.outputs.baseline_file_name }}
-          PROVIDER: ${{ inputs.provider }}
-          MODE: ${{ matrix.lane }}
-          SUITE: ${{ matrix.suite }}
-          REF: ${{ inputs.ref }}
-          OUTPUT_DIR: ${{ runner.temp }}/openclaw-cross-os-release-checks/${{ matrix.artifact_name }}-${{ matrix.suite }}
-        run: |
-          DISCORD_ARGS=()
-          if [[ -n "${OPENCLAW_DISCORD_SMOKE_BOT_TOKEN}" ]] && [[ -n "${OPENCLAW_DISCORD_SMOKE_GUILD_ID}" ]] && [[ -n "${OPENCLAW_DISCORD_SMOKE_CHANNEL_ID}" ]]; then
-            DISCORD_ARGS+=(--run-discord-roundtrip true)
-          fi
-          pnpm dlx "tsx@${TSX_VERSION}" workflow/scripts/openclaw-cross-os-release-checks.ts \
-            --candidate-tgz "${CANDIDATE_TGZ}" \
-            --candidate-version "${CANDIDATE_VERSION}" \
-            --source-sha "${SOURCE_SHA}" \
-            --baseline-spec "${BASELINE_SPEC}" \
-            --previous-version "${PREVIOUS_VERSION}" \
-            --baseline-tgz "${BASELINE_TGZ}" \
-            --provider "${PROVIDER}" \
-            --mode "${MODE}" \
-            --suite "${SUITE}" \
-            --ref "${REF}" \
-            "${DISCORD_ARGS[@]}" \
-            --output-dir "${OUTPUT_DIR}"
-
-      - name: Summarize release checks
-        if: always()
-        shell: bash
-        env:
-          SUMMARY_PATH: ${{ runner.temp }}/openclaw-cross-os-release-checks/${{ matrix.artifact_name }}-${{ matrix.suite }}/summary.md
-        run: |
-          if [[ -f "${SUMMARY_PATH}" ]]; then
-            cat "${SUMMARY_PATH}" >> "$GITHUB_STEP_SUMMARY"
-          else
-            echo "No summary generated." >> "$GITHUB_STEP_SUMMARY"
-          fi
-
-      - name: Upload release-check artifacts
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: openclaw-cross-os-release-checks-${{ matrix.artifact_name }}-${{ matrix.suite }}-${{ github.run_id }}
-          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/${{ matrix.artifact_name }}-${{ matrix.suite }}
-          if-no-files-found: error
--- a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
+++ b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
--- a/.github/workflows/openclaw-npm-release.yml
+++ b/.github/workflows/openclaw-npm-release.yml
@@ -1,420 +0,0 @@
-name: OpenClaw NPM Release
-
-on:
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: Release tag to publish, or a full 40-character workflow-branch commit SHA for validation-only preflight (for example v2026.3.22 or 0123456789abcdef0123456789abcdef01234567)
-        required: true
-        type: string
-      preflight_only:
-        description: Run validation/build only and skip the gated publish job
-        required: true
-        default: false
-        type: boolean
-      preflight_run_id:
-        description: Existing successful preflight workflow run id to promote without rebuilding
-        required: false
-        type: string
-      npm_dist_tag:
-        description: npm dist-tag to publish to for stable releases
-        required: true
-        default: beta
-        type: choice
-        options:
-          - beta
-          - latest
-
-concurrency:
-  group: openclaw-npm-release-${{ github.event_name == 'workflow_dispatch' && format('{0}-{1}', inputs.tag, inputs.npm_dist_tag) || github.ref }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  NODE_VERSION: "24.x"
-  PNPM_VERSION: "10.32.1"
-
-jobs:
-  # PLEASE DON'T ADD LONG-RUNNING OR FLAKY CHECKS TO THE npm RELEASE PATH.
-  # KEEP THIS WORKFLOW SHORT AND DETERMINISTIC OR IT CAN GET STUCK AND JEOPARDIZE THE RELEASE.
-  # RELEASE-TIME LIVE OR END-TO-END VALIDATION BELONGS IN openclaw-release-checks.yml.
-  # SECURITY NOTE: TOKEN-BASED npm dist-tag mutation moved to
-  # openclaw/releases-private/.github/workflows/openclaw-npm-dist-tags.yml
-  # so this public workflow can stay focused on OIDC publish only.
-  preflight_openclaw_npm:
-    if: ${{ inputs.preflight_only }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Validate release ref input format
-        env:
-          RELEASE_REF: ${{ inputs.tag }}
-          PREFLIGHT_ONLY: ${{ inputs.preflight_only }}
-          RELEASE_NPM_DIST_TAG: ${{ inputs.npm_dist_tag }}
-        run: |
-          set -euo pipefail
-          if [[ ! "${RELEASE_REF}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]] && [[ ! "${RELEASE_REF}" =~ ^[0-9a-fA-F]{40}$ ]]; then
-            echo "Invalid release ref format: ${RELEASE_REF}"
-            exit 1
-          fi
-          if [[ "${RELEASE_REF}" =~ ^[0-9a-fA-F]{40}$ ]] && [[ "${PREFLIGHT_ONLY}" != "true" ]]; then
-            echo "Full commit SHA input is only supported for validation-only preflight runs."
-            exit 1
-          fi
-          if [[ "${RELEASE_REF}" == *"-beta."* && "${RELEASE_NPM_DIST_TAG}" != "beta" ]]; then
-            echo "Beta prerelease tags must publish to npm dist-tag beta."
-            exit 1
-          fi
-
-      - name: Forbid preflight artifact promotion on validation-only runs
-        if: ${{ inputs.preflight_only && inputs.preflight_run_id != '' }}
-        run: |
-          echo "preflight_run_id is only valid for real publish runs."
-          exit 1
-
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.tag }}
-          fetch-depth: 0
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "true"
-
-      - name: Ensure version is not already published
-        env:
-          PREFLIGHT_ONLY: ${{ inputs.preflight_only }}
-        run: |
-          set -euo pipefail
-          PACKAGE_VERSION=$(node -p "require('./package.json').version")
-
-          if npm view "openclaw@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
-            if [[ "${PREFLIGHT_ONLY}" == "true" ]]; then
-              echo "openclaw@${PACKAGE_VERSION} is already published on npm; continuing because preflight_only=true."
-              exit 0
-            fi
-            echo "openclaw@${PACKAGE_VERSION} is already published on npm."
-            exit 1
-          fi
-
-          echo "Publishing openclaw@${PACKAGE_VERSION}"
-
-      - name: Check
-        env:
-          OPENCLAW_LOCAL_CHECK: "0"
-        run: pnpm check
-
-      - name: Check test types
-        env:
-          OPENCLAW_LOCAL_CHECK: "0"
-        run: pnpm check:test-types
-
-      - name: Check architecture
-        env:
-          OPENCLAW_LOCAL_CHECK: "0"
-        run: pnpm check:architecture
-
-      - name: Build
-        run: pnpm build
-
-      - name: Build Control UI
-        run: pnpm ui:build
-
-      - name: Validate release metadata
-        if: ${{ inputs.preflight_run_id == '' }}
-        env:
-          OPENCLAW_NPM_RELEASE_SKIP_PACK_CHECK: "1"
-          RELEASE_REF: ${{ inputs.tag }}
-          PREFLIGHT_ONLY: ${{ inputs.preflight_only }}
-          WORKFLOW_REF_NAME: ${{ github.ref_name }}
-          OPENCLAW_NPM_PUBLISH_TAG: ${{ inputs.npm_dist_tag }}
-        run: |
-          set -euo pipefail
-          RELEASE_SHA=$(git rev-parse HEAD)
-          RELEASE_BRANCH_REF="refs/remotes/origin/${WORKFLOW_REF_NAME}"
-          export RELEASE_SHA RELEASE_BRANCH_REF
-          # Fetch the workflow branch so merge-base ancestry checks keep working
-          # for older tagged commits contained in a release branch.
-          git fetch --no-tags origin "+refs/heads/${WORKFLOW_REF_NAME}:refs/remotes/origin/${WORKFLOW_REF_NAME}"
-          if [[ "${RELEASE_REF}" =~ ^[0-9a-fA-F]{40}$ ]]; then
-            BRANCH_SHA="$(git rev-parse "${RELEASE_BRANCH_REF}")"
-            if [[ "${RELEASE_SHA}" != "${BRANCH_SHA}" ]]; then
-              echo "Validation-only SHA mode only supports the current ${WORKFLOW_REF_NAME} HEAD." >&2
-              exit 1
-            fi
-            RELEASE_TAG="v$(node -p "require('./package.json').version")"
-            export RELEASE_TAG
-            echo "Validation-only SHA mode: using synthetic release tag ${RELEASE_TAG} for package metadata checks."
-          else
-            RELEASE_TAG="${RELEASE_REF}"
-            export RELEASE_TAG
-          fi
-          RELEASE_MAIN_REF="${RELEASE_BRANCH_REF}"
-          export RELEASE_MAIN_REF
-          pnpm release:openclaw:npm:check
-
-      # KEEP THIS LANE LIMITED TO FAST, REPEATABLE RELEASE READINESS CHECKS.
-      # IF A CHECK CAN TAKE A LONG TIME, NEEDS LIVE CREDENTIALS, OR IS KNOWN TO BE FLAKY,
-      # IT BELONGS IN openclaw-release-checks.yml INSTEAD OF BLOCKING npm PUBLISH.
-      - name: Verify release contents
-        run: pnpm release:check
-
-      - name: Pack prepared npm tarball
-        id: packed_tarball
-        env:
-          OPENCLAW_PREPACK_PREPARED: "1"
-          RELEASE_TAG: ${{ inputs.tag }}
-          RELEASE_NPM_DIST_TAG: ${{ inputs.npm_dist_tag }}
-        run: |
-          set -euo pipefail
-          PACK_OUTPUT="$RUNNER_TEMP/npm-pack-output.txt"
-          npm pack --json 2>&1 | tee "$PACK_OUTPUT"
-          PACK_PATH="$(node - "$PACK_OUTPUT" <<'NODE'
-          const fs = require("node:fs");
-          const input = fs.readFileSync(process.argv[2], "utf8");
-
-          function arrayEndFrom(start) {
-            let depth = 0;
-            let inString = false;
-            let escape = false;
-            for (let i = start; i < input.length; i += 1) {
-              const char = input[i];
-              if (inString) {
-                if (escape) {
-                  escape = false;
-                } else if (char === "\\") {
-                  escape = true;
-                } else if (char === "\"") {
-                  inString = false;
-                }
-                continue;
-              }
-              if (char === "\"") {
-                inString = true;
-              } else if (char === "[") {
-                depth += 1;
-              } else if (char === "]") {
-                depth -= 1;
-                if (depth === 0) {
-                  return i + 1;
-                }
-              }
-            }
-            return -1;
-          }
-
-          for (let start = input.indexOf("["); start !== -1; start = input.indexOf("[", start + 1)) {
-            const end = arrayEndFrom(start);
-            if (end === -1) {
-              continue;
-            }
-            try {
-              const parsed = JSON.parse(input.slice(start, end));
-              const first = Array.isArray(parsed) ? parsed[0] : null;
-              if (first && typeof first.filename === "string" && first.filename) {
-                process.stdout.write(first.filename);
-                process.exit(0);
-              }
-            } catch {
-              // Keep scanning; npm lifecycle output can legally precede the JSON.
-            }
-          }
-
-          console.error("Could not find npm pack --json output with a filename.");
-          process.exit(1);
-          NODE
-          )"
-          if [[ -z "$PACK_PATH" || ! -f "$PACK_PATH" ]]; then
-            echo "npm pack did not produce a tarball file." >&2
-            exit 1
-          fi
-          RELEASE_SHA="$(git rev-parse HEAD)"
-          ARTIFACT_DIR="$RUNNER_TEMP/openclaw-npm-preflight"
-          rm -rf "$ARTIFACT_DIR"
-          mkdir -p "$ARTIFACT_DIR"
-          cp "$PACK_PATH" "$ARTIFACT_DIR/"
-          printf '%s\n' "$RELEASE_TAG" > "$ARTIFACT_DIR/release-tag.txt"
-          printf '%s\n' "$RELEASE_SHA" > "$ARTIFACT_DIR/release-sha.txt"
-          printf '%s\n' "$RELEASE_NPM_DIST_TAG" > "$ARTIFACT_DIR/release-npm-dist-tag.txt"
-          echo "dir=$ARTIFACT_DIR" >> "$GITHUB_OUTPUT"
-
-      - name: Upload prepared npm publish bundle
-        uses: actions/upload-artifact@v7
-        with:
-          name: openclaw-npm-preflight-${{ inputs.tag }}
-          path: ${{ steps.packed_tarball.outputs.dir }}
-          if-no-files-found: error
-
-  validate_publish_request:
-    if: ${{ !inputs.preflight_only }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Require main or release workflow ref for publish
-        env:
-          WORKFLOW_REF: ${{ github.ref }}
-        run: |
-          set -euo pipefail
-          if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]] && [[ ! "${WORKFLOW_REF}" =~ ^refs/heads/release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]]; then
-            echo "Real publish runs must be dispatched from main or release/YYYY.M.D. Use preflight_only=true for other branch validation."
-            exit 1
-          fi
-
-      - name: Require preflight artifact promotion on real publish
-        env:
-          PREFLIGHT_RUN_ID: ${{ inputs.preflight_run_id }}
-        run: |
-          set -euo pipefail
-          if [[ -z "${PREFLIGHT_RUN_ID}" ]]; then
-            echo "Real publish requires preflight_run_id from a successful npm preflight run." >&2
-            exit 1
-          fi
-
-  publish_openclaw_npm:
-    # KEEP THE REAL RELEASE/PUBLISH PATH ON A GITHUB-HOSTED RUNNER.
-    # npm trusted publishing + provenance requires this to stay on ubuntu-latest.
-    needs: [validate_publish_request]
-    if: ${{ !inputs.preflight_only }}
-    runs-on: ubuntu-latest
-    environment: npm-release
-    permissions:
-      actions: read
-      contents: read
-      id-token: write
-    steps:
-      - name: Validate tag input format
-        env:
-          RELEASE_TAG: ${{ inputs.tag }}
-          RELEASE_NPM_DIST_TAG: ${{ inputs.npm_dist_tag }}
-        run: |
-          set -euo pipefail
-          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
-            echo "Invalid release tag format: ${RELEASE_TAG}"
-            exit 1
-          fi
-          if [[ "${RELEASE_TAG}" == *"-beta."* && "${RELEASE_NPM_DIST_TAG}" != "beta" ]]; then
-            echo "Beta prerelease tags must publish to npm dist-tag beta."
-            exit 1
-          fi
-
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: refs/tags/${{ inputs.tag }}
-          fetch-depth: 0
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "false"
-
-      - name: Ensure version is not already published
-        run: |
-          set -euo pipefail
-          PACKAGE_VERSION=$(node -p "require('./package.json').version")
-
-          if npm view "openclaw@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
-            echo "openclaw@${PACKAGE_VERSION} is already published on npm."
-            exit 1
-          fi
-
-          echo "Publishing openclaw@${PACKAGE_VERSION}"
-
-      - name: Verify preflight run metadata
-        env:
-          GH_TOKEN: ${{ github.token }}
-          PREFLIGHT_RUN_ID: ${{ inputs.preflight_run_id }}
-          EXPECTED_PREFLIGHT_BRANCH: ${{ github.ref_name }}
-        run: |
-          set -euo pipefail
-          RUN_JSON="$(gh run view "$PREFLIGHT_RUN_ID" --repo "$GITHUB_REPOSITORY" --json workflowName,headBranch,event,conclusion,url)"
-          printf '%s' "$RUN_JSON" | node -e 'const fs = require("node:fs"); const run = JSON.parse(fs.readFileSync(0, "utf8")); const checks = [["workflowName", "OpenClaw NPM Release"], ["headBranch", process.env.EXPECTED_PREFLIGHT_BRANCH], ["event", "workflow_dispatch"], ["conclusion", "success"]]; for (const [key, expected] of checks) { if (run[key] !== expected) { console.error(`Referenced npm preflight run ${process.env.PREFLIGHT_RUN_ID} must have ${key}=${expected}, got ${run[key] ?? "<missing>"}.`); process.exit(1); } } console.log(`Using npm preflight run ${process.env.PREFLIGHT_RUN_ID}: ${run.url}`);'
-
-      - name: Download prepared npm tarball
-        uses: actions/download-artifact@v8
-        with:
-          name: openclaw-npm-preflight-${{ inputs.tag }}
-          path: preflight-tarball
-          repository: ${{ github.repository }}
-          run-id: ${{ inputs.preflight_run_id }}
-          github-token: ${{ github.token }}
-
-      - name: Validate release tag and package metadata
-        if: ${{ inputs.preflight_run_id == '' }}
-        env:
-          OPENCLAW_NPM_RELEASE_SKIP_PACK_CHECK: "1"
-          RELEASE_TAG: ${{ inputs.tag }}
-          WORKFLOW_REF_NAME: ${{ github.ref_name }}
-        run: |
-          set -euo pipefail
-          RELEASE_SHA=$(git rev-parse HEAD)
-          RELEASE_MAIN_REF="refs/remotes/origin/${WORKFLOW_REF_NAME}"
-          export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF
-          # Fetch the workflow branch so merge-base ancestry checks keep working
-          # for older tagged commits contained in a release branch.
-          git fetch --no-tags origin "+refs/heads/${WORKFLOW_REF_NAME}:refs/remotes/origin/${WORKFLOW_REF_NAME}"
-          pnpm release:openclaw:npm:check
-
-      - name: Verify prepared tarball provenance
-        env:
-          RELEASE_TAG: ${{ inputs.tag }}
-          RELEASE_NPM_DIST_TAG: ${{ inputs.npm_dist_tag }}
-        run: |
-          set -euo pipefail
-          EXPECTED_RELEASE_SHA="$(git rev-parse HEAD)"
-          TAG_FILE="preflight-tarball/release-tag.txt"
-          SHA_FILE="preflight-tarball/release-sha.txt"
-          NPM_DIST_TAG_FILE="preflight-tarball/release-npm-dist-tag.txt"
-          if [[ ! -f "$TAG_FILE" || ! -f "$SHA_FILE" || ! -f "$NPM_DIST_TAG_FILE" ]]; then
-            echo "Prepared preflight metadata is missing." >&2
-            ls -la preflight-tarball >&2 || true
-            exit 1
-          fi
-          ARTIFACT_RELEASE_TAG="$(tr -d '\r\n' < "$TAG_FILE")"
-          ARTIFACT_RELEASE_SHA="$(tr -d '\r\n' < "$SHA_FILE")"
-          ARTIFACT_RELEASE_NPM_DIST_TAG="$(tr -d '\r\n' < "$NPM_DIST_TAG_FILE")"
-          if [[ "$ARTIFACT_RELEASE_TAG" != "$RELEASE_TAG" ]]; then
-            echo "Prepared preflight tag mismatch: expected $RELEASE_TAG, got $ARTIFACT_RELEASE_TAG" >&2
-            exit 1
-          fi
-          if [[ "$ARTIFACT_RELEASE_SHA" != "$EXPECTED_RELEASE_SHA" ]]; then
-            echo "Prepared preflight SHA mismatch: expected $EXPECTED_RELEASE_SHA, got $ARTIFACT_RELEASE_SHA" >&2
-            exit 1
-          fi
-          if [[ "$ARTIFACT_RELEASE_NPM_DIST_TAG" != "$RELEASE_NPM_DIST_TAG" ]]; then
-            echo "Prepared preflight npm dist-tag mismatch: expected $RELEASE_NPM_DIST_TAG, got $ARTIFACT_RELEASE_NPM_DIST_TAG" >&2
-            exit 1
-          fi
-
-      - name: Resolve publish tarball
-        id: publish_tarball
-        run: |
-          set -euo pipefail
-          TARBALL_PATH="$(find preflight-tarball -type f -name '*.tgz' -print | sort | tail -n 1)"
-          if [[ -z "$TARBALL_PATH" ]]; then
-            echo "Prepared preflight tarball not found." >&2
-            ls -la preflight-tarball >&2 || true
-            exit 1
-          fi
-          echo "path=$TARBALL_PATH" >> "$GITHUB_OUTPUT"
-
-      - name: Publish
-        env:
-          OPENCLAW_PREPACK_PREPARED: "1"
-          OPENCLAW_NPM_PUBLISH_TAG: ${{ inputs.npm_dist_tag }}
-          PUBLISH_TARBALL_PATH: ${{ steps.publish_tarball.outputs.path }}
-        run: |
-          set -euo pipefail
-          publish_target="${PUBLISH_TARBALL_PATH}"
-          if [[ -n "${publish_target}" ]]; then
-            publish_target="./${publish_target}"
-          fi
-          bash scripts/openclaw-npm-publish.sh --publish "${publish_target}"
--- a/.github/workflows/openclaw-release-checks.yml
+++ b/.github/workflows/openclaw-release-checks.yml
@@ -1,440 +0,0 @@
-name: OpenClaw Release Checks
-
-on:
-  workflow_dispatch:
-    inputs:
-      ref:
-        description: Existing release tag or current full 40-character workflow-branch commit SHA to validate (for example v2026.4.12 or 0123456789abcdef0123456789abcdef01234567)
-        required: true
-        type: string
-      provider:
-        description: Provider lane for cross-OS onboarding and the end-to-end agent turn
-        required: false
-        default: openai
-        type: choice
-        options:
-          - openai
-          - anthropic
-          - minimax
-      mode:
-        description: Which cross-OS release lanes to run
-        required: false
-        default: both
-        type: choice
-        options:
-          - fresh
-          - upgrade
-          - both
-
-concurrency:
-  group: openclaw-release-checks-${{ inputs.ref }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  NODE_VERSION: "24.x"
-  PNPM_VERSION: "10.33.0"
-  OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL }}
-
-jobs:
-  resolve_target:
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    timeout-minutes: 30
-    permissions:
-      contents: read
-    outputs:
-      ref: ${{ steps.inputs.outputs.ref }}
-      sha: ${{ steps.ref.outputs.sha }}
-      provider: ${{ steps.inputs.outputs.provider }}
-      mode: ${{ steps.inputs.outputs.mode }}
-    steps:
-      - name: Require main or release workflow ref for release checks
-        env:
-          WORKFLOW_REF: ${{ github.ref }}
-        run: |
-          set -euo pipefail
-          if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]] && [[ ! "${WORKFLOW_REF}" =~ ^refs/heads/release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]]; then
-            echo "Release checks must be dispatched from main or release/YYYY.M.D so workflow logic and secrets stay controlled." >&2
-            exit 1
-          fi
-
-      - name: Validate ref input
-        env:
-          RELEASE_REF: ${{ inputs.ref }}
-        run: |
-          set -euo pipefail
-          if [[ ! "${RELEASE_REF}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]] && [[ ! "${RELEASE_REF}" =~ ^[0-9a-fA-F]{40}$ ]]; then
-            echo "Expected an existing release tag or current full 40-character workflow-branch commit SHA, got: ${RELEASE_REF}" >&2
-            exit 1
-          fi
-
-      - name: Checkout selected ref
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref }}
-          fetch-depth: 0
-
-      - name: Resolve checked-out SHA
-        id: ref
-        run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
-
-      - name: Validate selected ref is on workflow branch
-        env:
-          RELEASE_REF: ${{ inputs.ref }}
-          WORKFLOW_REF_NAME: ${{ github.ref_name }}
-        run: |
-          set -euo pipefail
-          RELEASE_BRANCH_REF="refs/remotes/origin/${WORKFLOW_REF_NAME}"
-          git fetch --no-tags origin "+refs/heads/${WORKFLOW_REF_NAME}:refs/remotes/origin/${WORKFLOW_REF_NAME}"
-          if [[ "${RELEASE_REF}" =~ ^[0-9a-fA-F]{40}$ ]]; then
-            BRANCH_SHA="$(git rev-parse "${RELEASE_BRANCH_REF}")"
-            if [[ "$(git rev-parse HEAD)" != "${BRANCH_SHA}" ]]; then
-              echo "Commit SHA mode only supports the current ${WORKFLOW_REF_NAME} HEAD. Use a release tag for older commits." >&2
-              exit 1
-            fi
-          else
-            git merge-base --is-ancestor HEAD "${RELEASE_BRANCH_REF}"
-          fi
-
-      - name: Capture selected inputs
-        id: inputs
-        env:
-          RELEASE_REF_INPUT: ${{ inputs.ref }}
-          RELEASE_PROVIDER_INPUT: ${{ inputs.provider }}
-          RELEASE_MODE_INPUT: ${{ inputs.mode }}
-        run: |
-          set -euo pipefail
-          {
-            printf 'ref=%s\n' "$RELEASE_REF_INPUT"
-            printf 'provider=%s\n' "$RELEASE_PROVIDER_INPUT"
-            printf 'mode=%s\n' "$RELEASE_MODE_INPUT"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Summarize validated ref
-        env:
-          RELEASE_REF: ${{ inputs.ref }}
-          RELEASE_SHA: ${{ steps.ref.outputs.sha }}
-          RELEASE_PROVIDER: ${{ inputs.provider }}
-          RELEASE_MODE: ${{ inputs.mode }}
-        run: |
-          {
-            echo "## Release checks"
-            echo
-            echo "- Requested ref: \`${RELEASE_REF}\`"
-            echo "- Validated SHA: \`${RELEASE_SHA}\`"
-            echo "- Cross-OS provider: \`${RELEASE_PROVIDER}\`"
-            echo "- Cross-OS mode: \`${RELEASE_MODE}\`"
-            echo "- This run will execute cross-OS release validation, install smoke, QA Lab parity, Matrix, and Telegram lanes, and the non-Parallels Docker/live/openwebui coverage from the CI migration plan."
-          } >> "$GITHUB_STEP_SUMMARY"
-
-  install_smoke_release_checks:
-    needs: [resolve_target]
-    permissions:
-      contents: read
-    uses: ./.github/workflows/install-smoke.yml
-    with:
-      ref: ${{ needs.resolve_target.outputs.ref }}
-      run_bun_global_install_smoke: true
-
-  cross_os_release_checks:
-    needs: [resolve_target]
-    permissions: read-all
-    uses: ./.github/workflows/openclaw-cross-os-release-checks-reusable.yml
-    with:
-      ref: ${{ needs.resolve_target.outputs.ref }}
-      provider: ${{ needs.resolve_target.outputs.provider }}
-      mode: ${{ needs.resolve_target.outputs.mode }}
-    secrets:
-      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-      MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
-      OPENCLAW_DISCORD_SMOKE_BOT_TOKEN: ${{ secrets.OPENCLAW_DISCORD_SMOKE_BOT_TOKEN }}
-      OPENCLAW_DISCORD_SMOKE_GUILD_ID: ${{ secrets.OPENCLAW_DISCORD_SMOKE_GUILD_ID }}
-      OPENCLAW_DISCORD_SMOKE_CHANNEL_ID: ${{ secrets.OPENCLAW_DISCORD_SMOKE_CHANNEL_ID }}
-
-  live_and_e2e_release_checks:
-    needs: [resolve_target]
-    permissions:
-      contents: read
-      packages: write
-      pull-requests: read
-    uses: ./.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
-    with:
-      ref: ${{ needs.resolve_target.outputs.ref }}
-      include_repo_e2e: true
-      include_release_path_suites: true
-      include_openwebui: true
-      include_live_suites: true
-    secrets:
-      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-      OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
-      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-      ANTHROPIC_API_KEY_OLD: ${{ secrets.ANTHROPIC_API_KEY_OLD }}
-      ANTHROPIC_API_TOKEN: ${{ secrets.ANTHROPIC_API_TOKEN }}
-      BYTEPLUS_API_KEY: ${{ secrets.BYTEPLUS_API_KEY }}
-      CEREBRAS_API_KEY: ${{ secrets.CEREBRAS_API_KEY }}
-      DASHSCOPE_API_KEY: ${{ secrets.DASHSCOPE_API_KEY }}
-      GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
-      KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
-      MODELSTUDIO_API_KEY: ${{ secrets.MODELSTUDIO_API_KEY }}
-      MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
-      MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
-      MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
-      OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
-      OPENCODE_ZEN_API_KEY: ${{ secrets.OPENCODE_ZEN_API_KEY }}
-      OPENCLAW_LIVE_BROWSER_CDP_URL: ${{ secrets.OPENCLAW_LIVE_BROWSER_CDP_URL }}
-      OPENCLAW_LIVE_SETUP_TOKEN: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN }}
-      OPENCLAW_LIVE_SETUP_TOKEN_MODEL: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_MODEL }}
-      OPENCLAW_LIVE_SETUP_TOKEN_PROFILE: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_PROFILE }}
-      OPENCLAW_LIVE_SETUP_TOKEN_VALUE: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_VALUE }}
-      GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
-      GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-      OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
-      QWEN_API_KEY: ${{ secrets.QWEN_API_KEY }}
-      FAL_KEY: ${{ secrets.FAL_KEY }}
-      RUNWAY_API_KEY: ${{ secrets.RUNWAY_API_KEY }}
-      DEEPGRAM_API_KEY: ${{ secrets.DEEPGRAM_API_KEY }}
-      TOGETHER_API_KEY: ${{ secrets.TOGETHER_API_KEY }}
-      VYDRA_API_KEY: ${{ secrets.VYDRA_API_KEY }}
-      XAI_API_KEY: ${{ secrets.XAI_API_KEY }}
-      ZAI_API_KEY: ${{ secrets.ZAI_API_KEY }}
-      Z_AI_API_KEY: ${{ secrets.Z_AI_API_KEY }}
-      BYTEPLUS_ACCESS_KEY_ID: ${{ secrets.BYTEPLUS_ACCESS_KEY_ID }}
-      BYTEPLUS_SECRET_ACCESS_KEY: ${{ secrets.BYTEPLUS_SECRET_ACCESS_KEY }}
-      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-      OPENCLAW_CODEX_AUTH_JSON: ${{ secrets.OPENCLAW_CODEX_AUTH_JSON }}
-      OPENCLAW_CODEX_CONFIG_TOML: ${{ secrets.OPENCLAW_CODEX_CONFIG_TOML }}
-      OPENCLAW_CLAUDE_JSON: ${{ secrets.OPENCLAW_CLAUDE_JSON }}
-      OPENCLAW_CLAUDE_CREDENTIALS_JSON: ${{ secrets.OPENCLAW_CLAUDE_CREDENTIALS_JSON }}
-      OPENCLAW_CLAUDE_SETTINGS_JSON: ${{ secrets.OPENCLAW_CLAUDE_SETTINGS_JSON }}
-      OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON: ${{ secrets.OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON }}
-      OPENCLAW_GEMINI_SETTINGS_JSON: ${{ secrets.OPENCLAW_GEMINI_SETTINGS_JSON }}
-      FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
-
-  qa_lab_parity_release_checks:
-    name: Run QA Lab parity gate
-    needs: [resolve_target]
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    timeout-minutes: 30
-    permissions:
-      contents: read
-    env:
-      QA_PARITY_CONCURRENCY: "1"
-      OPENCLAW_QA_TRANSPORT_READY_TIMEOUT_MS: "180000"
-      OPENAI_API_KEY: ""
-      ANTHROPIC_API_KEY: ""
-      OPENCLAW_LIVE_OPENAI_KEY: ""
-      OPENCLAW_LIVE_ANTHROPIC_KEY: ""
-      OPENCLAW_LIVE_GEMINI_KEY: ""
-      OPENCLAW_LIVE_SETUP_TOKEN_VALUE: ""
-      OPENCLAW_BUILD_PRIVATE_QA: "1"
-      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
-    steps:
-      - name: Checkout selected ref
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ needs.resolve_target.outputs.ref }}
-          fetch-depth: 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "true"
-
-      - name: Build private QA runtime
-        run: pnpm build
-
-      - name: Run OpenAI candidate lane
-        run: |
-          pnpm openclaw qa suite \
-            --provider-mode mock-openai \
-            --parity-pack agentic \
-            --concurrency "${QA_PARITY_CONCURRENCY}" \
-            --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model openai/gpt-5.4-alt \
-            --output-dir .artifacts/qa-e2e/gpt54
-
-      - name: Run Opus 4.6 lane
-        run: |
-          pnpm openclaw qa suite \
-            --provider-mode mock-openai \
-            --parity-pack agentic \
-            --concurrency "${QA_PARITY_CONCURRENCY}" \
-            --model anthropic/claude-opus-4-6 \
-            --alt-model anthropic/claude-sonnet-4-6 \
-            --output-dir .artifacts/qa-e2e/opus46
-
-      - name: Generate parity report
-        run: |
-          pnpm openclaw qa parity-report \
-            --repo-root . \
-            --candidate-summary .artifacts/qa-e2e/gpt54/qa-suite-summary.json \
-            --baseline-summary .artifacts/qa-e2e/opus46/qa-suite-summary.json \
-            --candidate-label "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --baseline-label anthropic/claude-opus-4-6 \
-            --output-dir .artifacts/qa-e2e/parity
-
-      - name: Upload parity artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: release-qa-parity-${{ needs.resolve_target.outputs.sha }}
-          path: .artifacts/qa-e2e/
-          retention-days: 14
-          if-no-files-found: warn
-
-  qa_live_matrix_release_checks:
-    name: Run QA Lab live Matrix lane
-    needs: [resolve_target]
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    timeout-minutes: 60
-    permissions:
-      contents: read
-      pull-requests: read
-    environment: qa-live-shared
-    env:
-      OPENCLAW_BUILD_PRIVATE_QA: "1"
-      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
-    steps:
-      - name: Checkout selected ref
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ needs.resolve_target.outputs.ref }}
-          fetch-depth: 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "true"
-
-      - name: Validate required QA credential env
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          if [[ -z "${OPENAI_API_KEY:-}" ]]; then
-            echo "Missing required OPENAI_API_KEY." >&2
-            exit 1
-          fi
-
-      - name: Build private QA runtime
-        run: pnpm build
-
-      - name: Run Matrix live lane
-        id: run_lane
-        shell: bash
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
-        run: |
-          set -euo pipefail
-
-          output_dir=".artifacts/qa-e2e/matrix-live-release-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
-          echo "output_dir=${output_dir}" >> "$GITHUB_OUTPUT"
-
-          pnpm openclaw qa matrix \
-            --repo-root . \
-            --output-dir "${output_dir}" \
-            --provider-mode live-frontier \
-            --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --fast
-
-      - name: Upload Matrix QA artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: release-qa-live-matrix-${{ needs.resolve_target.outputs.sha }}
-          path: ${{ steps.run_lane.outputs.output_dir }}
-          retention-days: 14
-          if-no-files-found: warn
-
-  qa_live_telegram_release_checks:
-    name: Run QA Lab live Telegram lane
-    needs: [resolve_target]
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    timeout-minutes: 60
-    permissions:
-      contents: read
-      pull-requests: read
-    environment: qa-live-shared
-    env:
-      OPENCLAW_BUILD_PRIVATE_QA: "1"
-      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
-    steps:
-      - name: Checkout selected ref
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ needs.resolve_target.outputs.ref }}
-          fetch-depth: 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "true"
-
-      - name: Validate required QA credential env
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
-          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          require_var() {
-            local key="$1"
-            if [[ -z "${!key:-}" ]]; then
-              echo "Missing required ${key}." >&2
-              exit 1
-            fi
-          }
-
-          require_var OPENAI_API_KEY
-          require_var OPENCLAW_QA_CONVEX_SITE_URL
-          require_var OPENCLAW_QA_CONVEX_SECRET_CI
-
-      - name: Build private QA runtime
-        run: pnpm build
-
-      - name: Run Telegram live lane
-        id: run_lane
-        shell: bash
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
-          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
-          OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
-        run: |
-          set -euo pipefail
-
-          output_dir=".artifacts/qa-e2e/telegram-live-release-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
-          echo "output_dir=${output_dir}" >> "$GITHUB_OUTPUT"
-
-          pnpm openclaw qa telegram \
-            --repo-root . \
-            --output-dir "${output_dir}" \
-            --provider-mode live-frontier \
-            --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --fast \
-            --credential-source convex \
-            --credential-role ci
-
-      - name: Upload Telegram QA artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: release-qa-live-telegram-${{ needs.resolve_target.outputs.sha }}
-          path: ${{ steps.run_lane.outputs.output_dir }}
-          retention-days: 14
-          if-no-files-found: warn
--- a/.github/workflows/openclaw-scheduled-live-checks.yml
+++ b/.github/workflows/openclaw-scheduled-live-checks.yml
@@ -1,77 +0,0 @@
-name: OpenClaw Scheduled Live And E2E Checks
-
-on:
-  schedule:
-    - cron: "23 4 * * *"
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  packages: write
-  pull-requests: read
-
-concurrency:
-  group: openclaw-scheduled-live-checks-${{ github.ref }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-jobs:
-  live_and_openwebui_checks:
-    permissions:
-      contents: read
-      packages: write
-      pull-requests: read
-    uses: ./.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
-    with:
-      ref: ${{ github.sha }}
-      include_repo_e2e: true
-      include_release_path_suites: true
-      include_openwebui: true
-      include_live_suites: true
-    secrets:
-      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-      OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
-      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-      ANTHROPIC_API_KEY_OLD: ${{ secrets.ANTHROPIC_API_KEY_OLD }}
-      ANTHROPIC_API_TOKEN: ${{ secrets.ANTHROPIC_API_TOKEN }}
-      BYTEPLUS_API_KEY: ${{ secrets.BYTEPLUS_API_KEY }}
-      CEREBRAS_API_KEY: ${{ secrets.CEREBRAS_API_KEY }}
-      DASHSCOPE_API_KEY: ${{ secrets.DASHSCOPE_API_KEY }}
-      GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
-      KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
-      MODELSTUDIO_API_KEY: ${{ secrets.MODELSTUDIO_API_KEY }}
-      MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
-      MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
-      MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
-      OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
-      OPENCODE_ZEN_API_KEY: ${{ secrets.OPENCODE_ZEN_API_KEY }}
-      OPENCLAW_LIVE_BROWSER_CDP_URL: ${{ secrets.OPENCLAW_LIVE_BROWSER_CDP_URL }}
-      OPENCLAW_LIVE_SETUP_TOKEN: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN }}
-      OPENCLAW_LIVE_SETUP_TOKEN_MODEL: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_MODEL }}
-      OPENCLAW_LIVE_SETUP_TOKEN_PROFILE: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_PROFILE }}
-      OPENCLAW_LIVE_SETUP_TOKEN_VALUE: ${{ secrets.OPENCLAW_LIVE_SETUP_TOKEN_VALUE }}
-      GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
-      GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-      OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
-      QWEN_API_KEY: ${{ secrets.QWEN_API_KEY }}
-      FAL_KEY: ${{ secrets.FAL_KEY }}
-      RUNWAY_API_KEY: ${{ secrets.RUNWAY_API_KEY }}
-      DEEPGRAM_API_KEY: ${{ secrets.DEEPGRAM_API_KEY }}
-      TOGETHER_API_KEY: ${{ secrets.TOGETHER_API_KEY }}
-      VYDRA_API_KEY: ${{ secrets.VYDRA_API_KEY }}
-      XAI_API_KEY: ${{ secrets.XAI_API_KEY }}
-      ZAI_API_KEY: ${{ secrets.ZAI_API_KEY }}
-      Z_AI_API_KEY: ${{ secrets.Z_AI_API_KEY }}
-      BYTEPLUS_ACCESS_KEY_ID: ${{ secrets.BYTEPLUS_ACCESS_KEY_ID }}
-      BYTEPLUS_SECRET_ACCESS_KEY: ${{ secrets.BYTEPLUS_SECRET_ACCESS_KEY }}
-      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-      OPENCLAW_CODEX_AUTH_JSON: ${{ secrets.OPENCLAW_CODEX_AUTH_JSON }}
-      OPENCLAW_CODEX_CONFIG_TOML: ${{ secrets.OPENCLAW_CODEX_CONFIG_TOML }}
-      OPENCLAW_CLAUDE_JSON: ${{ secrets.OPENCLAW_CLAUDE_JSON }}
-      OPENCLAW_CLAUDE_CREDENTIALS_JSON: ${{ secrets.OPENCLAW_CLAUDE_CREDENTIALS_JSON }}
-      OPENCLAW_CLAUDE_SETTINGS_JSON: ${{ secrets.OPENCLAW_CLAUDE_SETTINGS_JSON }}
-      OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON: ${{ secrets.OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON }}
-      OPENCLAW_GEMINI_SETTINGS_JSON: ${{ secrets.OPENCLAW_GEMINI_SETTINGS_JSON }}
-      FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
--- a/.github/workflows/parity-gate.yml
+++ b/.github/workflows/parity-gate.yml
@@ -1,116 +0,0 @@
-name: Parity gate
-
-on:
-  pull_request:
-    types: [opened, reopened, synchronize, ready_for_review]
-    paths:
-      - "extensions/qa-lab/**"
-      - "extensions/qa-channel/**"
-      - "extensions/openai/**"
-      - "qa/scenarios/**"
-      - "src/agents/**"
-      - "src/context-engine/**"
-      - "src/gateway/**"
-      - "src/media/**"
-      - ".github/workflows/parity-gate.yml"
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-concurrency:
-  group: parity-gate-${{ github.event.pull_request.number || github.sha }}
-  cancel-in-progress: true
-
-jobs:
-  parity-gate:
-    name: Run the OpenAI / Opus 4.6 parity gate against the qa-lab mock
-    if: ${{ github.event.pull_request.draft != true }}
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    timeout-minutes: 30
-    env:
-      # Fence the gate off from any real provider credentials. The qa-lab
-      # mock server + auth staging (PR N) should be enough to produce a
-      # meaningful verdict without touching a real API. If any of these
-      # leak into the job env, fail hard instead of silently running
-      # against a live provider and burning real budget.
-      #
-      # The parity pack has 11 isolated scenario workers. It exercises a real
-      # gateway child plus mock model turns and subagents, so keep it serial in
-      # CI even on the larger runner. Concurrent isolated gateway workers make
-      # the short strict-agentic scenarios flaky, especially the approval-turn
-      # followthrough gate that expects a fast post-approval read within a 30s
-      # agent.wait timeout.
-      QA_PARITY_CONCURRENCY: "1"
-      OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL }}
-      OPENCLAW_QA_TRANSPORT_READY_TIMEOUT_MS: "180000"
-      OPENAI_API_KEY: ""
-      ANTHROPIC_API_KEY: ""
-      OPENCLAW_LIVE_OPENAI_KEY: ""
-      OPENCLAW_LIVE_ANTHROPIC_KEY: ""
-      OPENCLAW_LIVE_GEMINI_KEY: ""
-      OPENCLAW_LIVE_SETUP_TOKEN_VALUE: ""
-      # The parity suite is a private QA command. Build that exact runtime up
-      # front so CI never tests a public dist plus a later no-clean QA overlay.
-      OPENCLAW_BUILD_PRIVATE_QA: "1"
-      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
-    steps:
-      - name: Checkout PR
-        uses: actions/checkout@v6
-
-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
-
-      - name: Setup Node
-        uses: actions/setup-node@v6
-        with:
-          node-version: "22.18.0"
-          cache: "pnpm"
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Build private QA runtime
-        run: pnpm build
-
-      # The approval-turn sentinel still runs inside the full parity pack below.
-      # Keep the exact mock read-plan contract in deterministic unit tests instead
-      # of paying for a separate full-runtime preflight that has been flaky in CI.
-      - name: Run OpenAI candidate lane
-        run: |
-          pnpm openclaw qa suite \
-            --provider-mode mock-openai \
-            --parity-pack agentic \
-            --concurrency "${QA_PARITY_CONCURRENCY}" \
-            --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model openai/gpt-5.4-alt \
-            --output-dir .artifacts/qa-e2e/gpt54
-
-      - name: Run Opus 4.6 lane
-        run: |
-          pnpm openclaw qa suite \
-            --provider-mode mock-openai \
-            --parity-pack agentic \
-            --concurrency "${QA_PARITY_CONCURRENCY}" \
-            --model anthropic/claude-opus-4-6 \
-            --alt-model anthropic/claude-sonnet-4-6 \
-            --output-dir .artifacts/qa-e2e/opus46
-
-      - name: Generate parity report
-        run: |
-          pnpm openclaw qa parity-report \
-            --repo-root . \
-            --candidate-summary .artifacts/qa-e2e/gpt54/qa-suite-summary.json \
-            --baseline-summary .artifacts/qa-e2e/opus46/qa-suite-summary.json \
-            --candidate-label "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --baseline-label anthropic/claude-opus-4-6 \
-            --output-dir .artifacts/qa-e2e/parity
-
-      - name: Upload parity artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: parity-gate-${{ github.event.pull_request.number || github.sha }}
-          path: .artifacts/qa-e2e/
-          retention-days: 14
-          if-no-files-found: warn
--- a/.github/workflows/plugin-clawhub-release.yml
+++ b/.github/workflows/plugin-clawhub-release.yml
@@ -1,273 +0,0 @@
-name: Plugin ClawHub Release
-
-on:
-  workflow_dispatch:
-    inputs:
-      publish_scope:
-        description: Publish the selected plugins or all ClawHub-publishable plugins from the workflow ref
-        required: true
-        default: selected
-        type: choice
-        options:
-          - selected
-          - all-publishable
-      plugins:
-        description: Comma-separated plugin package names to publish when publish_scope=selected
-        required: false
-        type: string
-
-concurrency:
-  group: plugin-clawhub-release-${{ github.sha }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  NODE_VERSION: "24.x"
-  PNPM_VERSION: "10.32.1"
-  CLAWHUB_REGISTRY: "https://clawhub.ai"
-  CLAWHUB_REPOSITORY: "openclaw/clawhub"
-  # Pinned to a reviewed ClawHub commit so release behavior stays reproducible.
-  CLAWHUB_REF: "4af2bd50a71465683dbf8aa269af764b9d39bdf5"
-
-jobs:
-  preview_plugins_clawhub:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      ref_sha: ${{ steps.ref.outputs.sha }}
-      has_candidates: ${{ steps.plan.outputs.has_candidates }}
-      candidate_count: ${{ steps.plan.outputs.candidate_count }}
-      skipped_published_count: ${{ steps.plan.outputs.skipped_published_count }}
-      matrix: ${{ steps.plan.outputs.matrix }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ github.sha }}
-          fetch-depth: 0
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "false"
-
-      - name: Resolve checked-out ref
-        id: ref
-        run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
-
-      - name: Validate ref is on main
-        run: |
-          set -euo pipefail
-          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
-          git merge-base --is-ancestor HEAD origin/main
-
-      - name: Validate publishable plugin metadata
-        env:
-          PUBLISH_SCOPE: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_scope || '' }}
-          RELEASE_PLUGINS: ${{ github.event_name == 'workflow_dispatch' && inputs.plugins || '' }}
-          BASE_REF: ${{ github.event_name != 'workflow_dispatch' && github.event.before || '' }}
-          HEAD_REF: ${{ steps.ref.outputs.sha }}
-        run: |
-          set -euo pipefail
-          if [[ -n "${PUBLISH_SCOPE}" ]]; then
-            release_args=(--selection-mode "${PUBLISH_SCOPE}")
-            if [[ -n "${RELEASE_PLUGINS}" ]]; then
-              release_args+=(--plugins "${RELEASE_PLUGINS}")
-            fi
-            pnpm release:plugins:clawhub:check -- "${release_args[@]}"
-          elif [[ -n "${BASE_REF}" ]]; then
-            pnpm release:plugins:clawhub:check -- --base-ref "${BASE_REF}" --head-ref "${HEAD_REF}"
-          else
-            pnpm release:plugins:clawhub:check
-          fi
-
-      - name: Resolve plugin release plan
-        id: plan
-        env:
-          PUBLISH_SCOPE: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_scope || '' }}
-          RELEASE_PLUGINS: ${{ github.event_name == 'workflow_dispatch' && inputs.plugins || '' }}
-          BASE_REF: ${{ github.event_name != 'workflow_dispatch' && github.event.before || '' }}
-          HEAD_REF: ${{ steps.ref.outputs.sha }}
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-        run: |
-          set -euo pipefail
-          mkdir -p .local
-          if [[ -n "${PUBLISH_SCOPE}" ]]; then
-            plan_args=(--selection-mode "${PUBLISH_SCOPE}")
-            if [[ -n "${RELEASE_PLUGINS}" ]]; then
-              plan_args+=(--plugins "${RELEASE_PLUGINS}")
-            fi
-            node --import tsx scripts/plugin-clawhub-release-plan.ts "${plan_args[@]}" > .local/plugin-clawhub-release-plan.json
-          elif [[ -n "${BASE_REF}" ]]; then
-            node --import tsx scripts/plugin-clawhub-release-plan.ts --base-ref "${BASE_REF}" --head-ref "${HEAD_REF}" > .local/plugin-clawhub-release-plan.json
-          else
-            node --import tsx scripts/plugin-clawhub-release-plan.ts > .local/plugin-clawhub-release-plan.json
-          fi
-
-          cat .local/plugin-clawhub-release-plan.json
-
-          candidate_count="$(jq -r '.candidates | length' .local/plugin-clawhub-release-plan.json)"
-          skipped_published_count="$(jq -r '.skippedPublished | length' .local/plugin-clawhub-release-plan.json)"
-          has_candidates="false"
-          if [[ "${candidate_count}" != "0" ]]; then
-            has_candidates="true"
-          fi
-          matrix_json="$(jq -c '.candidates' .local/plugin-clawhub-release-plan.json)"
-
-          {
-            echo "candidate_count=${candidate_count}"
-            echo "skipped_published_count=${skipped_published_count}"
-            echo "has_candidates=${has_candidates}"
-            echo "matrix=${matrix_json}"
-          } >> "$GITHUB_OUTPUT"
-
-          echo "Plugin release candidates:"
-          jq -r '.candidates[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"' .local/plugin-clawhub-release-plan.json
-
-          echo "Already published / skipped:"
-          jq -r '.skippedPublished[]? | "- \(.packageName)@\(.version)"' .local/plugin-clawhub-release-plan.json
-
-      - name: Fail manual publish when target versions already exist
-        if: github.event_name == 'workflow_dispatch' && inputs.publish_scope == 'selected' && steps.plan.outputs.skipped_published_count != '0'
-        run: |
-          echo "::error::One or more selected plugin versions already exist on ClawHub. Bump the version before running a real publish."
-          exit 1
-
-  preview_plugin_pack:
-    needs: preview_plugins_clawhub
-    if: needs.preview_plugins_clawhub.outputs.has_candidates == 'true'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    strategy:
-      fail-fast: false
-      matrix:
-        plugin: ${{ fromJson(needs.preview_plugins_clawhub.outputs.matrix) }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }}
-          fetch-depth: 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "true"
-          install-deps: "false"
-
-      - name: Checkout ClawHub CLI source
-        uses: actions/checkout@v6
-        with:
-          repository: ${{ env.CLAWHUB_REPOSITORY }}
-          ref: ${{ env.CLAWHUB_REF }}
-          path: clawhub-source
-          fetch-depth: 1
-
-      - name: Install ClawHub CLI dependencies
-        working-directory: clawhub-source
-        run: bun install --frozen-lockfile
-
-      - name: Bootstrap ClawHub CLI
-        run: |
-          cat > "$RUNNER_TEMP/clawhub" <<'EOF'
-          #!/usr/bin/env bash
-          set -euo pipefail
-          exec bun "$GITHUB_WORKSPACE/clawhub-source/packages/clawhub/src/cli.ts" "$@"
-          EOF
-          chmod +x "$RUNNER_TEMP/clawhub"
-          echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
-
-      - name: Preview publish command
-        env:
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-          SOURCE_REPO: ${{ github.repository }}
-          SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }}
-          SOURCE_REF: ${{ github.ref }}
-          PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
-          PACKAGE_DIR: ${{ matrix.plugin.packageDir }}
-        run: bash scripts/plugin-clawhub-publish.sh --dry-run "${PACKAGE_DIR}"
-
-  publish_plugins_clawhub:
-    needs: [preview_plugins_clawhub, preview_plugin_pack]
-    if: github.event_name == 'workflow_dispatch' && needs.preview_plugins_clawhub.outputs.has_candidates == 'true'
-    runs-on: ubuntu-latest
-    environment: clawhub-plugin-release
-    permissions:
-      contents: read
-      id-token: write
-    strategy:
-      fail-fast: false
-      matrix:
-        plugin: ${{ fromJson(needs.preview_plugins_clawhub.outputs.matrix) }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }}
-          fetch-depth: 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "true"
-          install-deps: "false"
-
-      - name: Checkout ClawHub CLI source
-        uses: actions/checkout@v6
-        with:
-          repository: ${{ env.CLAWHUB_REPOSITORY }}
-          ref: ${{ env.CLAWHUB_REF }}
-          path: clawhub-source
-          fetch-depth: 1
-
-      - name: Install ClawHub CLI dependencies
-        working-directory: clawhub-source
-        run: bun install --frozen-lockfile
-
-      - name: Bootstrap ClawHub CLI
-        run: |
-          cat > "$RUNNER_TEMP/clawhub" <<'EOF'
-          #!/usr/bin/env bash
-          set -euo pipefail
-          exec bun "$GITHUB_WORKSPACE/clawhub-source/packages/clawhub/src/cli.ts" "$@"
-          EOF
-          chmod +x "$RUNNER_TEMP/clawhub"
-          echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
-
-      - name: Ensure version is not already published
-        env:
-          PACKAGE_NAME: ${{ matrix.plugin.packageName }}
-          PACKAGE_VERSION: ${{ matrix.plugin.version }}
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-        run: |
-          set -euo pipefail
-          encoded_name="$(node -e 'console.log(encodeURIComponent(process.env.PACKAGE_NAME ?? ""))')"
-          encoded_version="$(node -e 'console.log(encodeURIComponent(process.env.PACKAGE_VERSION ?? ""))')"
-          url="${CLAWHUB_REGISTRY%/}/api/v1/packages/${encoded_name}/versions/${encoded_version}"
-          status="$(curl --silent --show-error --output /dev/null --write-out '%{http_code}' "${url}")"
-          if [[ "${status}" =~ ^2 ]]; then
-            echo "${PACKAGE_NAME}@${PACKAGE_VERSION} is already published on ClawHub."
-            exit 1
-          fi
-          if [[ "${status}" != "404" ]]; then
-            echo "Unexpected ClawHub response (${status}) for ${PACKAGE_NAME}@${PACKAGE_VERSION}."
-            exit 1
-          fi
-
-      - name: Publish
-        env:
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-          SOURCE_REPO: ${{ github.repository }}
-          SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }}
-          SOURCE_REF: ${{ github.ref }}
-          PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
-          PACKAGE_DIR: ${{ matrix.plugin.packageDir }}
-        run: bash scripts/plugin-clawhub-publish.sh --publish "${PACKAGE_DIR}"
--- a/.github/workflows/plugin-npm-release.yml
+++ b/.github/workflows/plugin-npm-release.yml
@@ -1,214 +0,0 @@
-name: Plugin NPM Release
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - ".github/workflows/plugin-npm-release.yml"
-      - "extensions/**"
-      - "package.json"
-      - "scripts/lib/plugin-npm-release.ts"
-      - "scripts/plugin-npm-publish.sh"
-      - "scripts/plugin-npm-release-check.ts"
-      - "scripts/plugin-npm-release-plan.ts"
-  workflow_dispatch:
-    inputs:
-      publish_scope:
-        description: Publish the selected plugins or all publishable plugins from the ref
-        required: true
-        default: selected
-        type: choice
-        options:
-          - selected
-          - all-publishable
-      ref:
-        description: Commit SHA on main to publish from (copy from the preview run)
-        required: true
-        type: string
-      plugins:
-        description: Comma-separated plugin package names to publish when publish_scope=selected
-        required: false
-        type: string
-
-concurrency:
-  group: plugin-npm-release-${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  NODE_VERSION: "24.x"
-  PNPM_VERSION: "10.32.1"
-
-jobs:
-  preview_plugins_npm:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      ref_sha: ${{ steps.ref.outputs.sha }}
-      has_candidates: ${{ steps.plan.outputs.has_candidates }}
-      candidate_count: ${{ steps.plan.outputs.candidate_count }}
-      matrix: ${{ steps.plan.outputs.matrix }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
-          fetch-depth: 0
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "false"
-
-      - name: Resolve checked-out ref
-        id: ref
-        run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
-
-      - name: Validate ref is on main
-        run: |
-          set -euo pipefail
-          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
-          git merge-base --is-ancestor HEAD origin/main
-
-      - name: Validate publishable plugin metadata
-        env:
-          PUBLISH_SCOPE: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_scope || '' }}
-          RELEASE_PLUGINS: ${{ github.event_name == 'workflow_dispatch' && inputs.plugins || '' }}
-          BASE_REF: ${{ github.event_name != 'workflow_dispatch' && github.event.before || '' }}
-          HEAD_REF: ${{ steps.ref.outputs.sha }}
-        run: |
-          set -euo pipefail
-          if [[ -n "${PUBLISH_SCOPE}" ]]; then
-            release_args=(--selection-mode "${PUBLISH_SCOPE}")
-            if [[ -n "${RELEASE_PLUGINS}" ]]; then
-              release_args+=(--plugins "${RELEASE_PLUGINS}")
-            fi
-            pnpm release:plugins:npm:check -- "${release_args[@]}"
-          elif [[ -n "${BASE_REF}" ]]; then
-            pnpm release:plugins:npm:check -- --base-ref "${BASE_REF}" --head-ref "${HEAD_REF}"
-          else
-            pnpm release:plugins:npm:check
-          fi
-
-      - name: Resolve plugin release plan
-        id: plan
-        env:
-          PUBLISH_SCOPE: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_scope || '' }}
-          RELEASE_PLUGINS: ${{ github.event_name == 'workflow_dispatch' && inputs.plugins || '' }}
-          BASE_REF: ${{ github.event_name != 'workflow_dispatch' && github.event.before || '' }}
-          HEAD_REF: ${{ steps.ref.outputs.sha }}
-        run: |
-          set -euo pipefail
-          mkdir -p .local
-          if [[ -n "${PUBLISH_SCOPE}" ]]; then
-            plan_args=(--selection-mode "${PUBLISH_SCOPE}")
-            if [[ -n "${RELEASE_PLUGINS}" ]]; then
-              plan_args+=(--plugins "${RELEASE_PLUGINS}")
-            fi
-            node --import tsx scripts/plugin-npm-release-plan.ts "${plan_args[@]}" > .local/plugin-npm-release-plan.json
-          elif [[ -n "${BASE_REF}" ]]; then
-            node --import tsx scripts/plugin-npm-release-plan.ts --base-ref "${BASE_REF}" --head-ref "${HEAD_REF}" > .local/plugin-npm-release-plan.json
-          else
-            node --import tsx scripts/plugin-npm-release-plan.ts > .local/plugin-npm-release-plan.json
-          fi
-
-          cat .local/plugin-npm-release-plan.json
-
-          candidate_count="$(jq -r '.candidates | length' .local/plugin-npm-release-plan.json)"
-          has_candidates="false"
-          if [[ "${candidate_count}" != "0" ]]; then
-            has_candidates="true"
-          fi
-          matrix_json="$(jq -c '.candidates' .local/plugin-npm-release-plan.json)"
-
-          {
-            echo "candidate_count=${candidate_count}"
-            echo "has_candidates=${has_candidates}"
-            echo "matrix=${matrix_json}"
-          } >> "$GITHUB_OUTPUT"
-
-          echo "Plugin release candidates:"
-          jq -r '.candidates[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"' .local/plugin-npm-release-plan.json
-
-          echo "Already published / skipped:"
-          jq -r '.skippedPublished[]? | "- \(.packageName)@\(.version)"' .local/plugin-npm-release-plan.json
-
-  preview_plugin_pack:
-    needs: preview_plugins_npm
-    if: needs.preview_plugins_npm.outputs.has_candidates == 'true'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    strategy:
-      fail-fast: false
-      matrix:
-        plugin: ${{ fromJson(needs.preview_plugins_npm.outputs.matrix) }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ needs.preview_plugins_npm.outputs.ref_sha }}
-          fetch-depth: 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "false"
-          install-deps: "false"
-
-      - name: Preview publish command
-        run: bash scripts/plugin-npm-publish.sh --dry-run "${{ matrix.plugin.packageDir }}"
-
-      - name: Preview npm pack contents
-        working-directory: ${{ matrix.plugin.packageDir }}
-        run: npm pack --dry-run --json --ignore-scripts
-
-  publish_plugins_npm:
-    needs: [preview_plugins_npm, preview_plugin_pack]
-    if: github.event_name == 'workflow_dispatch' && needs.preview_plugins_npm.outputs.has_candidates == 'true'
-    runs-on: ubuntu-latest
-    environment: npm-release
-    permissions:
-      contents: read
-      id-token: write
-    strategy:
-      fail-fast: false
-      matrix:
-        plugin: ${{ fromJson(needs.preview_plugins_npm.outputs.matrix) }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ needs.preview_plugins_npm.outputs.ref_sha }}
-          fetch-depth: 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "false"
-          install-deps: "false"
-
-      - name: Ensure version is not already published
-        env:
-          PACKAGE_NAME: ${{ matrix.plugin.packageName }}
-          PACKAGE_VERSION: ${{ matrix.plugin.version }}
-        run: |
-          set -euo pipefail
-          if npm view "${PACKAGE_NAME}@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
-            echo "${PACKAGE_NAME}@${PACKAGE_VERSION} is already published on npm."
-            exit 1
-          fi
-
-      - name: Publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: bash scripts/plugin-npm-publish.sh --publish "${{ matrix.plugin.packageDir }}"
--- a/.github/workflows/qa-live-transports-convex.yml
+++ b/.github/workflows/qa-live-transports-convex.yml
@@ -1,445 +0,0 @@
-name: QA-Lab - All Lanes
-
-on:
-  schedule:
-    - cron: "41 4 * * *"
-  workflow_dispatch:
-    inputs:
-      ref:
-        description: Ref, tag, or SHA to run
-        required: true
-        default: main
-        type: string
-      scenario:
-        description: Optional comma-separated Telegram scenario ids
-        required: false
-        type: string
-      discord_scenario:
-        description: Optional comma-separated Discord scenario ids
-        required: false
-        type: string
-
-permissions:
-  contents: read
-  pull-requests: read
-
-concurrency:
-  group: qa-lab-all-lanes-${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  NODE_VERSION: "24.x"
-  PNPM_VERSION: "10.33.0"
-  OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL }}
-  OPENCLAW_BUILD_PRIVATE_QA: "1"
-  OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
-
-jobs:
-  authorize_actor:
-    name: Authorize workflow actor
-    runs-on: blacksmith-8vcpu-ubuntu-2404
-    steps:
-      - name: Require maintainer-level repository access
-        uses: actions/github-script@v8
-        with:
-          script: |
-            if (context.eventName === "schedule") {
-              core.info("Scheduled default-branch QA run; actor permission check is only required for manual dispatch.");
-              return;
-            }
-            const allowed = new Set(["admin", "maintain", "write"]);
-            const { owner, repo } = context.repo;
-            const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
-              owner,
-              repo,
-              username: context.actor,
-            });
-            const permission = data.permission;
-            core.info(`Actor ${context.actor} permission: ${permission}`);
-            if (!allowed.has(permission)) {
-              core.setFailed(
-                `Workflow requires write/maintain/admin access. Actor "${context.actor}" has "${permission}".`,
-              );
-            }
-
-  validate_selected_ref:
-    name: Validate selected ref
-    needs: authorize_actor
-    runs-on: blacksmith-8vcpu-ubuntu-2404
-    outputs:
-      selected_sha: ${{ steps.validate.outputs.selected_sha }}
-      trusted_reason: ${{ steps.validate.outputs.trusted_reason }}
-    steps:
-      - name: Checkout selected ref
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
-          fetch-depth: 0
-
-      - name: Validate selected ref
-        id: validate
-        env:
-          GH_TOKEN: ${{ github.token }}
-          INPUT_REF: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          selected_sha="$(git rev-parse HEAD)"
-          trusted_reason=""
-
-          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
-
-          if git merge-base --is-ancestor "$selected_sha" refs/remotes/origin/main; then
-            trusted_reason="main-ancestor"
-          elif git tag --points-at "$selected_sha" | grep -Eq '^v'; then
-            trusted_reason="release-tag"
-          elif [[ "$INPUT_REF" =~ ^release/[0-9]{4}\.[0-9]+\.[0-9]+$ ]]; then
-            git fetch --no-tags origin "+refs/heads/${INPUT_REF}:refs/remotes/origin/${INPUT_REF}"
-            release_branch_sha="$(git rev-parse "refs/remotes/origin/${INPUT_REF}")"
-            if [[ "$selected_sha" == "$release_branch_sha" ]]; then
-              trusted_reason="release-branch-head"
-            fi
-          else
-            pr_head_count="$(
-              gh api \
-                -H "Accept: application/vnd.github+json" \
-                "repos/${GITHUB_REPOSITORY}/commits/${selected_sha}/pulls" \
-                --jq '[.[] | select(.state == "open" and .head.repo.full_name == "'"${GITHUB_REPOSITORY}"'" and .head.sha == "'"${selected_sha}"'")] | length'
-            )"
-            if [[ "$pr_head_count" != "0" ]]; then
-              trusted_reason="open-pr-head"
-            fi
-          fi
-
-          if [[ -z "$trusted_reason" ]]; then
-            echo "Ref '${INPUT_REF}' resolved to $selected_sha, which is not trusted for this secret-bearing QA run." >&2
-            echo "Allowed refs must be on main, point to a release tag, match a release branch head, or match an open PR head in ${GITHUB_REPOSITORY}." >&2
-            exit 1
-          fi
-
-          echo "selected_sha=$selected_sha" >> "$GITHUB_OUTPUT"
-          echo "trusted_reason=$trusted_reason" >> "$GITHUB_OUTPUT"
-          {
-            echo "Validated ref: \`${INPUT_REF}\`"
-            echo "Resolved SHA: \`$selected_sha\`"
-            echo "Trust reason: \`$trusted_reason\`"
-          } >> "$GITHUB_STEP_SUMMARY"
-
-  run_mock_parity:
-    name: Run QA Lab parity gate
-    needs: [validate_selected_ref]
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    timeout-minutes: 30
-    env:
-      QA_PARITY_CONCURRENCY: "1"
-      OPENCLAW_QA_TRANSPORT_READY_TIMEOUT_MS: "180000"
-      OPENAI_API_KEY: ""
-      ANTHROPIC_API_KEY: ""
-      OPENCLAW_LIVE_OPENAI_KEY: ""
-      OPENCLAW_LIVE_ANTHROPIC_KEY: ""
-      OPENCLAW_LIVE_GEMINI_KEY: ""
-      OPENCLAW_LIVE_SETUP_TOKEN_VALUE: ""
-    steps:
-      - name: Checkout selected ref
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
-          fetch-depth: 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "true"
-
-      - name: Build private QA runtime
-        run: pnpm build
-
-      - name: Run OpenAI candidate lane
-        run: |
-          pnpm openclaw qa suite \
-            --provider-mode mock-openai \
-            --parity-pack agentic \
-            --concurrency "${QA_PARITY_CONCURRENCY}" \
-            --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model openai/gpt-5.4-alt \
-            --output-dir .artifacts/qa-e2e/gpt54
-
-      - name: Run Opus 4.6 lane
-        run: |
-          pnpm openclaw qa suite \
-            --provider-mode mock-openai \
-            --parity-pack agentic \
-            --concurrency "${QA_PARITY_CONCURRENCY}" \
-            --model anthropic/claude-opus-4-6 \
-            --alt-model anthropic/claude-sonnet-4-6 \
-            --output-dir .artifacts/qa-e2e/opus46
-
-      - name: Generate parity report
-        run: |
-          pnpm openclaw qa parity-report \
-            --repo-root . \
-            --candidate-summary .artifacts/qa-e2e/gpt54/qa-suite-summary.json \
-            --baseline-summary .artifacts/qa-e2e/opus46/qa-suite-summary.json \
-            --candidate-label "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --baseline-label anthropic/claude-opus-4-6 \
-            --output-dir .artifacts/qa-e2e/parity
-
-      - name: Upload parity artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: qa-parity-${{ github.run_id }}-${{ github.run_attempt }}
-          path: .artifacts/qa-e2e/
-          retention-days: 14
-          if-no-files-found: warn
-
-  run_live_matrix:
-    name: Run Matrix live QA lane
-    needs: [authorize_actor, validate_selected_ref]
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    timeout-minutes: 60
-    environment: qa-live-shared
-    steps:
-      - name: Checkout selected ref
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
-          fetch-depth: 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "true"
-
-      - name: Validate required QA credential env
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          if [[ -z "${OPENAI_API_KEY:-}" ]]; then
-            echo "Missing required OPENAI_API_KEY." >&2
-            exit 1
-          fi
-
-      - name: Build private QA runtime
-        run: pnpm build
-
-      - name: Run Matrix live lane
-        id: run_lane
-        shell: bash
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
-        run: |
-          set -euo pipefail
-
-          output_dir=".artifacts/qa-e2e/matrix-live-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
-          echo "output_dir=${output_dir}" >> "$GITHUB_OUTPUT"
-
-          pnpm openclaw qa matrix \
-            --repo-root . \
-            --output-dir "${output_dir}" \
-            --provider-mode live-frontier \
-            --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --fast
-
-      - name: Upload Matrix QA artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: qa-live-matrix-${{ github.run_id }}-${{ github.run_attempt }}
-          path: ${{ steps.run_lane.outputs.output_dir }}
-          retention-days: 14
-          if-no-files-found: warn
-
-  run_live_telegram:
-    name: Run Telegram live QA lane with Convex leases
-    needs: [authorize_actor, validate_selected_ref]
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    timeout-minutes: 60
-    environment: qa-live-shared
-    steps:
-      - name: Checkout selected ref
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
-          fetch-depth: 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "true"
-
-      - name: Validate required QA credential env
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
-          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          require_var() {
-            local key="$1"
-            if [[ -z "${!key:-}" ]]; then
-              echo "Missing required ${key}." >&2
-              exit 1
-            fi
-          }
-
-          require_var OPENAI_API_KEY
-          require_var OPENCLAW_QA_CONVEX_SITE_URL
-          require_var OPENCLAW_QA_CONVEX_SECRET_CI
-
-      - name: Build private QA runtime
-        run: pnpm build
-
-      - name: Run Telegram live lane
-        id: run_lane
-        shell: bash
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
-          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
-          OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
-          INPUT_SCENARIO: ${{ github.event_name == 'workflow_dispatch' && inputs.scenario || '' }}
-        run: |
-          set -euo pipefail
-
-          output_dir=".artifacts/qa-e2e/telegram-live-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
-          scenario_args=()
-
-          if [[ -n "${INPUT_SCENARIO// }" ]]; then
-            IFS=',' read -r -a raw_scenarios <<<"${INPUT_SCENARIO}"
-            for raw in "${raw_scenarios[@]}"; do
-              scenario="$(printf '%s' "${raw}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
-              if [[ -n "${scenario}" ]]; then
-                scenario_args+=(--scenario "${scenario}")
-              fi
-            done
-          fi
-
-          echo "output_dir=${output_dir}" >> "$GITHUB_OUTPUT"
-
-          pnpm openclaw qa telegram \
-            --repo-root . \
-            --output-dir "${output_dir}" \
-            --provider-mode live-frontier \
-            --model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --alt-model "${OPENCLAW_CI_OPENAI_MODEL}" \
-            --fast \
-            --credential-source convex \
-            --credential-role ci \
-            "${scenario_args[@]}"
-
-      - name: Upload Telegram QA artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: qa-live-telegram-${{ github.run_id }}-${{ github.run_attempt }}
-          path: ${{ steps.run_lane.outputs.output_dir }}
-          retention-days: 14
-          if-no-files-found: warn
-
-  run_live_discord:
-    name: Run Discord live QA lane with Convex leases
-    needs: [authorize_actor, validate_selected_ref]
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    timeout-minutes: 60
-    environment: qa-live-shared
-    steps:
-      - name: Checkout selected ref
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
-          fetch-depth: 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "true"
-
-      - name: Validate required QA credential env
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
-          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          require_var() {
-            local key="$1"
-            if [[ -z "${!key:-}" ]]; then
-              echo "Missing required ${key}." >&2
-              exit 1
-            fi
-          }
-
-          require_var OPENAI_API_KEY
-          require_var OPENCLAW_QA_CONVEX_SITE_URL
-          require_var OPENCLAW_QA_CONVEX_SECRET_CI
-
-      - name: Build private QA runtime
-        run: pnpm build
-
-      - name: Run Discord live lane
-        id: run_lane
-        shell: bash
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENCLAW_QA_CONVEX_SITE_URL: ${{ secrets.OPENCLAW_QA_CONVEX_SITE_URL }}
-          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
-          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
-          OPENCLAW_QA_DISCORD_CAPTURE_CONTENT: "1"
-          INPUT_SCENARIO: ${{ github.event_name == 'workflow_dispatch' && inputs.discord_scenario || '' }}
-        run: |
-          set -euo pipefail
-
-          output_dir=".artifacts/qa-e2e/discord-live-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
-          scenario_args=()
-
-          if [[ -n "${INPUT_SCENARIO// }" ]]; then
-            IFS=',' read -r -a raw_scenarios <<<"${INPUT_SCENARIO}"
-            for raw in "${raw_scenarios[@]}"; do
-              scenario="$(printf '%s' "${raw}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
-              if [[ -n "${scenario}" ]]; then
-                scenario_args+=(--scenario "${scenario}")
-              fi
-            done
-          fi
-
-          echo "output_dir=${output_dir}" >> "$GITHUB_OUTPUT"
-
-          pnpm openclaw qa discord \
-            --repo-root . \
-            --output-dir "${output_dir}" \
-            --provider-mode live-frontier \
-            --model openai/gpt-5.4 \
-            --alt-model openai/gpt-5.4 \
-            --fast \
-            --credential-source convex \
-            --credential-role ci \
-            "${scenario_args[@]}"
-
-      - name: Upload Discord QA artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: qa-live-discord-${{ github.run_id }}-${{ github.run_attempt }}
-          path: ${{ steps.run_lane.outputs.output_dir }}
-          retention-days: 14
-          if-no-files-found: warn
--- a/.github/workflows/sandbox-common-smoke.yml
+++ b/.github/workflows/sandbox-common-smoke.yml
@@ -1,67 +0,0 @@
-name: Sandbox Common Smoke
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - Dockerfile.sandbox
-      - Dockerfile.sandbox-common
-      - scripts/sandbox-common-setup.sh
-  pull_request:
-    types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
-    paths:
-      - Dockerfile.sandbox
-      - Dockerfile.sandbox-common
-      - scripts/sandbox-common-setup.sh
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-jobs:
-  sandbox-common-smoke:
-    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
-    runs-on: blacksmith-16vcpu-ubuntu-2404
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          submodules: false
-
-      - name: Set up Docker Builder
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
-
-      - name: Build minimal sandbox base (USER sandbox)
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          docker build -t openclaw-sandbox-smoke-base:bookworm-slim - <<'EOF'
-          FROM debian:bookworm-slim
-          RUN useradd --create-home --shell /bin/bash sandbox
-          USER sandbox
-          WORKDIR /home/sandbox
-          EOF
-
-      - name: Build sandbox-common image (root for installs, sandbox at runtime)
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          BASE_IMAGE="openclaw-sandbox-smoke-base:bookworm-slim" \
-            TARGET_IMAGE="openclaw-sandbox-common-smoke:bookworm-slim" \
-            PACKAGES="ca-certificates" \
-            INSTALL_PNPM=0 \
-            INSTALL_BUN=0 \
-            INSTALL_BREW=0 \
-            FINAL_USER=sandbox \
-            scripts/sandbox-common-setup.sh
-
-          u="$(docker run --rm openclaw-sandbox-common-smoke:bookworm-slim sh -lc 'id -un')"
-          test "$u" = "sandbox"
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,311 +0,0 @@
-name: Stale
-
-on:
-  schedule:
-    - cron: "17 3 * * *"
-  workflow_dispatch:
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-permissions: {}
-
-jobs:
-  stale:
-    permissions:
-      issues: write
-      pull-requests: write
-    runs-on: blacksmith-16vcpu-ubuntu-2404
-    steps:
-      - uses: actions/create-github-app-token@v3
-        id: app-token
-        continue-on-error: true
-        with:
-          app-id: "2729701"
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/create-github-app-token@v3
-        id: app-token-fallback
-        continue-on-error: true
-        with:
-          app-id: "2971289"
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
-      - name: Mark stale unassigned issues and pull requests (primary)
-        id: stale-primary
-        continue-on-error: true
-        uses: actions/stale@v10
-        with:
-          repo-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          days-before-issue-stale: 7
-          days-before-issue-close: 5
-          days-before-pr-stale: 5
-          days-before-pr-close: 3
-          stale-issue-label: stale
-          stale-pr-label: stale
-          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale
-          exempt-pr-labels: maintainer,no-stale,bad-barnacle
-          operations-per-run: 2000
-          ascending: true
-          exempt-all-assignees: true
-          remove-stale-when-updated: true
-          stale-issue-message: |
-            This issue has been automatically marked as stale due to inactivity.
-            Please add updates or it will be closed.
-          stale-pr-message: |
-            This pull request has been automatically marked as stale due to inactivity.
-            Please add updates or it will be closed.
-          close-issue-message: |
-            Closing due to inactivity.
-            If this is still an issue, please retry on the latest OpenClaw release and share updated details.
-            If you are absolutely sure it still happens on the latest release, open a new issue with fresh steps to reproduce.
-          close-issue-reason: not_planned
-          close-pr-message: |
-            Closing due to inactivity.
-            If you believe this PR should be revived, post in #pr-thunderdome-dangerzone on Discord to talk to a maintainer.
-            That channel is the escape hatch for high-quality PRs that get auto-closed.
-      - name: Mark stale assigned issues (primary)
-        id: assigned-issue-stale-primary
-        continue-on-error: true
-        uses: actions/stale@v10
-        with:
-          repo-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          days-before-issue-stale: 30
-          days-before-issue-close: 10
-          days-before-pr-stale: -1
-          days-before-pr-close: -1
-          stale-issue-label: stale
-          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale
-          operations-per-run: 2000
-          ascending: true
-          include-only-assigned: true
-          remove-stale-when-updated: true
-          stale-issue-message: |
-            This assigned issue has been automatically marked as stale after 30 days of inactivity.
-            Please add updates or it will be closed.
-          close-issue-message: |
-            Closing due to inactivity.
-            If this is still an issue, please retry on the latest OpenClaw release and share updated details.
-            If you are absolutely sure it still happens on the latest release, open a new issue with fresh steps to reproduce.
-          close-issue-reason: not_planned
-      - name: Mark stale assigned pull requests (primary)
-        id: assigned-stale-primary
-        continue-on-error: true
-        uses: actions/stale@v10
-        with:
-          repo-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
-          days-before-issue-stale: -1
-          days-before-issue-close: -1
-          days-before-pr-stale: 27
-          days-before-pr-close: 3
-          stale-pr-label: stale
-          exempt-pr-labels: maintainer,no-stale,bad-barnacle
-          operations-per-run: 2000
-          ascending: true
-          include-only-assigned: true
-          ignore-pr-updates: true
-          remove-stale-when-updated: true
-          stale-pr-message: |
-            This assigned pull request has been automatically marked as stale after being open for 27 days.
-            Please add updates or it will be closed.
-          close-pr-message: |
-            Closing due to inactivity.
-            If you believe this PR should be revived, post in #pr-thunderdome-dangerzone on Discord to talk to a maintainer.
-            That channel is the escape hatch for high-quality PRs that get auto-closed.
-      - name: Check stale state cache
-        id: stale-state
-        if: always()
-        uses: actions/github-script@v9
-        with:
-          github-token: ${{ steps.app-token-fallback.outputs.token || steps.app-token.outputs.token }}
-          script: |
-            const cacheKey = "_state";
-            const { owner, repo } = context.repo;
-
-            try {
-              const { data } = await github.rest.actions.getActionsCacheList({
-                owner,
-                repo,
-                key: cacheKey,
-              });
-              const caches = data.actions_caches ?? [];
-              const hasState = caches.some(cache => cache.key === cacheKey);
-              core.setOutput("has_state", hasState ? "true" : "false");
-            } catch (error) {
-              const message = error instanceof Error ? error.message : String(error);
-              core.warning(`Failed to check stale state cache: ${message}`);
-              core.setOutput("has_state", "false");
-            }
-      - name: Mark stale unassigned issues and pull requests (fallback)
-        if: (steps.stale-primary.outcome == 'failure' || steps.stale-state.outputs.has_state == 'true') && steps.app-token-fallback.outputs.token != ''
-        uses: actions/stale@v10
-        with:
-          repo-token: ${{ steps.app-token-fallback.outputs.token }}
-          days-before-issue-stale: 7
-          days-before-issue-close: 5
-          days-before-pr-stale: 5
-          days-before-pr-close: 3
-          stale-issue-label: stale
-          stale-pr-label: stale
-          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale
-          exempt-pr-labels: maintainer,no-stale,bad-barnacle
-          operations-per-run: 2000
-          ascending: true
-          exempt-all-assignees: true
-          remove-stale-when-updated: true
-          stale-issue-message: |
-            This issue has been automatically marked as stale due to inactivity.
-            Please add updates or it will be closed.
-          stale-pr-message: |
-            This pull request has been automatically marked as stale due to inactivity.
-            Please add updates or it will be closed.
-          close-issue-message: |
-            Closing due to inactivity.
-            If this is still an issue, please retry on the latest OpenClaw release and share updated details.
-            If you are absolutely sure it still happens on the latest release, open a new issue with fresh steps to reproduce.
-          close-issue-reason: not_planned
-          close-pr-message: |
-            Closing due to inactivity.
-            If you believe this PR should be revived, post in #pr-thunderdome-dangerzone on Discord to talk to a maintainer.
-            That channel is the escape hatch for high-quality PRs that get auto-closed.
-      - name: Mark stale assigned issues (fallback)
-        if: (steps.assigned-issue-stale-primary.outcome == 'failure' || steps.stale-state.outputs.has_state == 'true') && steps.app-token-fallback.outputs.token != ''
-        uses: actions/stale@v10
-        with:
-          repo-token: ${{ steps.app-token-fallback.outputs.token }}
-          days-before-issue-stale: 30
-          days-before-issue-close: 10
-          days-before-pr-stale: -1
-          days-before-pr-close: -1
-          stale-issue-label: stale
-          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale
-          operations-per-run: 2000
-          ascending: true
-          include-only-assigned: true
-          remove-stale-when-updated: true
-          stale-issue-message: |
-            This assigned issue has been automatically marked as stale after 30 days of inactivity.
-            Please add updates or it will be closed.
-          close-issue-message: |
-            Closing due to inactivity.
-            If this is still an issue, please retry on the latest OpenClaw release and share updated details.
-            If you are absolutely sure it still happens on the latest release, open a new issue with fresh steps to reproduce.
-          close-issue-reason: not_planned
-      - name: Mark stale assigned pull requests (fallback)
-        if: (steps.assigned-stale-primary.outcome == 'failure' || steps.stale-state.outputs.has_state == 'true') && steps.app-token-fallback.outputs.token != ''
-        uses: actions/stale@v10
-        with:
-          repo-token: ${{ steps.app-token-fallback.outputs.token }}
-          days-before-issue-stale: -1
-          days-before-issue-close: -1
-          days-before-pr-stale: 27
-          days-before-pr-close: 3
-          stale-pr-label: stale
-          exempt-pr-labels: maintainer,no-stale,bad-barnacle
-          operations-per-run: 2000
-          ascending: true
-          include-only-assigned: true
-          ignore-pr-updates: true
-          remove-stale-when-updated: true
-          stale-pr-message: |
-            This assigned pull request has been automatically marked as stale after being open for 27 days.
-            Please add updates or it will be closed.
-          close-pr-message: |
-            Closing due to inactivity.
-            If you believe this PR should be revived, post in #pr-thunderdome-dangerzone on Discord to talk to a maintainer.
-            That channel is the escape hatch for high-quality PRs that get auto-closed.
-
-  lock-closed-issues:
-    permissions:
-      issues: write
-    runs-on: blacksmith-16vcpu-ubuntu-2404
-    steps:
-      - uses: actions/create-github-app-token@v3
-        id: app-token
-        with:
-          app-id: "2729701"
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: Lock closed issues after 48h of no comments
-        uses: actions/github-script@v9
-        with:
-          github-token: ${{ steps.app-token.outputs.token }}
-          script: |
-            const lockAfterHours = 48;
-            const lockAfterMs = lockAfterHours * 60 * 60 * 1000;
-            const perPage = 100;
-            const cutoffMs = Date.now() - lockAfterMs;
-            const { owner, repo } = context.repo;
-
-            let locked = 0;
-            let inspected = 0;
-
-            let page = 1;
-            while (true) {
-              const { data: issues } = await github.rest.issues.listForRepo({
-                owner,
-                repo,
-                state: "closed",
-                sort: "updated",
-                direction: "desc",
-                per_page: perPage,
-                page,
-              });
-
-              if (issues.length === 0) {
-                break;
-              }
-
-              for (const issue of issues) {
-                if (issue.pull_request) {
-                  continue;
-                }
-                if (issue.locked) {
-                  continue;
-                }
-                if (!issue.closed_at) {
-                  continue;
-                }
-
-                inspected += 1;
-                const closedAtMs = Date.parse(issue.closed_at);
-                if (!Number.isFinite(closedAtMs)) {
-                  continue;
-                }
-                if (closedAtMs > cutoffMs) {
-                  continue;
-                }
-
-                let lastCommentMs = 0;
-                if (issue.comments > 0) {
-                  const { data: comments } = await github.rest.issues.listComments({
-                    owner,
-                    repo,
-                    issue_number: issue.number,
-                    per_page: 1,
-                    page: 1,
-                    sort: "created",
-                    direction: "desc",
-                  });
-
-                  if (comments.length > 0) {
-                    lastCommentMs = Date.parse(comments[0].created_at);
-                  }
-                }
-
-                const lastActivityMs = Math.max(closedAtMs, lastCommentMs || 0);
-                if (lastActivityMs > cutoffMs) {
-                  continue;
-                }
-
-                await github.rest.issues.lock({
-                  owner,
-                  repo,
-                  issue_number: issue.number,
-                  lock_reason: "resolved",
-                });
-
-                locked += 1;
-              }
-
-              page += 1;
-            }
-
-            core.info(`Inspected ${inspected} closed issues; locked ${locked}.`);
--- a/.github/workflows/test-performance-agent.yml
+++ b/.github/workflows/test-performance-agent.yml
@@ -1,279 +0,0 @@
-name: Test Performance Agent
-
-on:
-  workflow_run: # zizmor: ignore[dangerous-triggers] main-only test optimization after trusted CI; job gates repository, event, branch, actor, conclusion, current main SHA, and daily cadence before using write token
-    workflows:
-      - CI
-    types:
-      - completed
-  workflow_dispatch:
-
-permissions:
-  actions: read
-  contents: write
-
-concurrency:
-  group: test-performance-agent-main
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  TEST_PERF_BEFORE: .artifacts/test-perf/baseline-before.json
-  TEST_PERF_AFTER: .artifacts/test-perf/after-agent.json
-  TEST_PERF_COMPARE: .artifacts/test-perf/agent-compare.json
-
-jobs:
-  optimize-tests:
-    if: >
-      github.repository == 'openclaw/openclaw' &&
-      (github.event_name == 'workflow_dispatch' ||
-        (github.event.workflow_run.conclusion == 'success' &&
-          github.event.workflow_run.event == 'push' &&
-          github.event.workflow_run.head_branch == 'main' &&
-          !endsWith(github.event.workflow_run.actor.login, '[bot]')))
-    runs-on: ubuntu-24.04
-    timeout-minutes: 240
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: main
-          fetch-depth: 0
-          persist-credentials: false
-          submodules: false
-
-      - name: Gate trusted main activity and daily cadence
-        id: gate
-        env:
-          EVENT_NAME: ${{ github.event_name }}
-          GH_TOKEN: ${{ github.token }}
-          WORKFLOW_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
-        run: |
-          set -euo pipefail
-
-          if [ "$EVENT_NAME" != "workflow_run" ]; then
-            echo "run_agent=true" >> "$GITHUB_OUTPUT"
-            echo "base_sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          for attempt in 1 2 3 4 5; do
-            if git fetch --no-tags origin main; then
-              break
-            fi
-            if [ "$attempt" = "5" ]; then
-              echo "Failed to fetch main after retries." >&2
-              exit 1
-            fi
-            echo "Fetch attempt ${attempt} failed; retrying."
-            sleep $((attempt * 2))
-          done
-
-          remote_main="$(git rev-parse origin/main)"
-          if [ "$remote_main" != "$WORKFLOW_HEAD_SHA" ]; then
-            echo "CI run is superseded by ${remote_main}; skipping test performance agent for ${WORKFLOW_HEAD_SHA}."
-            echo "run_agent=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          day_start="$(date -u +%Y-%m-%dT00:00:00Z)"
-          runs_json="$RUNNER_TEMP/test-performance-agent-runs.json"
-          gh api --method GET "repos/${GITHUB_REPOSITORY}/actions/workflows/test-performance-agent.yml/runs" \
-            -f branch=main \
-            -f event=workflow_run \
-            -f per_page=50 > "$runs_json"
-
-          prior_runs="$(
-            jq -r \
-              --argjson current_run_id "$GITHUB_RUN_ID" \
-              --arg day_start "$day_start" \
-              '.workflow_runs[]
-                | select(.database_id != $current_run_id)
-                | select(.created_at >= $day_start)
-                | select(.status != "cancelled")
-                | select((.conclusion // "") != "skipped")
-                | [.database_id, .status, (.conclusion // ""), .created_at, .head_sha]
-                | @tsv' "$runs_json"
-          )"
-
-          if [ -n "$prior_runs" ]; then
-            echo "Test performance agent already ran or is running today; skipping."
-            printf '%s\n' "$prior_runs"
-            echo "run_agent=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          echo "run_agent=true" >> "$GITHUB_OUTPUT"
-          echo "base_sha=${remote_main}" >> "$GITHUB_OUTPUT"
-
-      - name: Setup Node environment
-        if: steps.gate.outputs.run_agent == 'true'
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Ensure test performance agent key exists
-        if: steps.gate.outputs.run_agent == 'true'
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENCLAW_TEST_PERF_AGENT_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
-        run: |
-          set -euo pipefail
-          if [ -z "${OPENAI_API_KEY:-}" ]; then
-            echo "Missing OPENCLAW_TEST_PERF_AGENT_OPENAI_API_KEY or OPENAI_API_KEY secret." >&2
-            exit 1
-          fi
-
-      - name: Build baseline full-suite performance report
-        if: steps.gate.outputs.run_agent == 'true'
-        run: pnpm test:perf:groups --full-suite --allow-failures --output "$TEST_PERF_BEFORE" --limit 20 --top-files 40
-
-      - name: Run Codex test performance agent
-        if: steps.gate.outputs.run_agent == 'true'
-        uses: openai/codex-action@v1
-        with:
-          openai-api-key: ${{ secrets.OPENCLAW_TEST_PERF_AGENT_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
-          prompt-file: .github/codex/prompts/test-performance-agent.md
-          model: ${{ vars.OPENCLAW_CI_OPENAI_MODEL_BARE }}
-          effort: high
-          sandbox: workspace-write
-          safety-strategy: drop-sudo
-          codex-args: '["--full-auto"]'
-
-      - name: Enforce focused test performance patch
-        if: steps.gate.outputs.run_agent == 'true'
-        id: patch
-        run: |
-          set -euo pipefail
-
-          untracked="$(git ls-files --others --exclude-standard)"
-          if [ -n "$untracked" ]; then
-            echo "Test performance agent created untracked files; forbidden:"
-            printf '%s\n' "$untracked"
-            exit 1
-          fi
-
-          added_deleted_or_renamed="$(git diff --name-status --diff-filter=ADR)"
-          if [ -n "$added_deleted_or_renamed" ]; then
-            echo "Test performance agent added, deleted, or renamed tracked files; forbidden:"
-            printf '%s\n' "$added_deleted_or_renamed"
-            exit 1
-          fi
-
-          bad_paths="$(
-            git diff --name-only | while IFS= read -r path; do
-              case "$path" in
-                apps/*|extensions/*|packages/*|scripts/*|src/*|Swabble/*|test/*|ui/*) ;;
-                *) printf '%s\n' "$path" ;;
-              esac
-            done
-          )"
-          if [ -n "$bad_paths" ]; then
-            echo "Test performance agent touched forbidden paths:"
-            printf '%s\n' "$bad_paths"
-            exit 1
-          fi
-
-          if git diff --quiet; then
-            echo "has_changes=false" >> "$GITHUB_OUTPUT"
-          else
-            echo "has_changes=true" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Restore Node 24 path
-        if: steps.gate.outputs.run_agent == 'true' && steps.patch.outputs.has_changes == 'true'
-        run:
-          | # zizmor: ignore[github-env] NODE_BIN is set by the trusted local setup-node-env action in this same job
-          set -euo pipefail
-          export PATH="${NODE_BIN}:${PATH}"
-          echo "${NODE_BIN}" >> "$GITHUB_PATH"
-          node -v
-          corepack enable
-          pnpm -v
-
-      - name: Run full-suite performance report after agent changes
-        if: steps.gate.outputs.run_agent == 'true' && steps.patch.outputs.has_changes == 'true'
-        run: pnpm test:perf:groups --full-suite --output "$TEST_PERF_AFTER" --limit 20 --top-files 40
-
-      - name: Compare test performance reports
-        if: steps.gate.outputs.run_agent == 'true' && steps.patch.outputs.has_changes == 'true'
-        run: pnpm test:perf:groups:compare "$TEST_PERF_BEFORE" "$TEST_PERF_AFTER" --output "$TEST_PERF_COMPARE" --limit 20 --top-files 40
-
-      - name: Enforce coverage-preserving test count
-        if: steps.gate.outputs.run_agent == 'true' && steps.patch.outputs.has_changes == 'true'
-        run: |
-          set -euo pipefail
-          node <<'NODE'
-          const fs = require("node:fs");
-          const before = JSON.parse(fs.readFileSync(process.env.TEST_PERF_BEFORE, "utf8"));
-          const after = JSON.parse(fs.readFileSync(process.env.TEST_PERF_AFTER, "utf8"));
-
-          if (before.failed) {
-            console.log("Baseline had failing configs; skipping total test-count comparison against partial report.");
-            process.exit(0);
-          }
-
-          const beforeTests = before.totals?.testCount ?? 0;
-          const afterTests = after.totals?.testCount ?? 0;
-          if (afterTests < beforeTests) {
-            console.error(`Test count decreased from ${beforeTests} to ${afterTests}; refusing coverage-reducing patch.`);
-            process.exit(1);
-          }
-          console.log(`Test count preserved: ${beforeTests} -> ${afterTests}.`);
-          NODE
-
-      - name: Check changed lanes
-        if: steps.gate.outputs.run_agent == 'true' && steps.patch.outputs.has_changes == 'true'
-        run: pnpm check:changed
-
-      - name: Commit test performance updates
-        if: steps.gate.outputs.run_agent == 'true' && steps.patch.outputs.has_changes == 'true'
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          TARGET_BRANCH: main
-        run: |
-          set -euo pipefail
-
-          if git diff --quiet; then
-            echo "No test performance changes."
-            exit 0
-          fi
-
-          git config user.name "openclaw-test-performance-agent[bot]"
-          git config user.email "openclaw-test-performance-agent[bot]@users.noreply.github.com"
-          git add apps extensions packages scripts src Swabble test ui
-          git commit --no-verify -m "test: optimize slow tests"
-
-          for attempt in 1 2 3 4 5; do
-            if ! git fetch --no-tags origin "${TARGET_BRANCH}"; then
-              echo "Fetch attempt ${attempt} failed; retrying."
-              sleep $((attempt * 2))
-              continue
-            fi
-            if git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" HEAD:"${TARGET_BRANCH}"; then
-              exit 0
-            fi
-            remote_main="$(git rev-parse "origin/${TARGET_BRANCH}")"
-            if [ "$remote_main" != "$(git rev-parse HEAD^)" ]; then
-              echo "main advanced; rebasing test performance update onto ${remote_main}."
-              if ! git rebase "origin/${TARGET_BRANCH}"; then
-                echo "Test performance update no longer applies cleanly; skipping stale update."
-                git rebase --abort || true
-                exit 0
-              fi
-              pnpm check:changed
-            fi
-            echo "Test performance update attempt ${attempt} failed; retrying."
-            sleep $((attempt * 2))
-          done
-
-          echo "Failed to push test performance updates after retries." >&2
-          exit 1
-
-      - name: Upload test performance artifacts
-        if: steps.gate.outputs.run_agent == 'true' && always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: test-performance-agent-${{ github.run_id }}
-          path: .artifacts/test-perf/
-          if-no-files-found: ignore
-          retention-days: 14
--- a/.github/workflows/workflow-sanity.yml
+++ b/.github/workflows/workflow-sanity.yml
@@ -3,26 +3,13 @@ name: Workflow Sanity
 on:
  pull_request:
  push:
-    branches: [main]
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

 jobs:
  no-tabs:
-    if: github.event_name != 'workflow_dispatch'
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4

      - name: Fail on tabs in workflow files
        run: |
@@ -48,53 +35,3 @@ jobs:
              print(f"- {path}")
            sys.exit(1)
          PY
-
-  actionlint:
-    if: github.event_name != 'workflow_dispatch'
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Install actionlint
-        shell: bash
-        run: |
-          set -euo pipefail
-          ACTIONLINT_VERSION="1.7.11"
-          archive="actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
-          base_url="https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}"
-          # GitHub release downloads occasionally return transient 5xx responses.
-          # Retry all curl errors here so workflow-sanity does not fail closed on
-          # a one-off release edge outage.
-          curl --retry 5 --retry-delay 2 --retry-all-errors -sSfL -o "${archive}" "${base_url}/${archive}"
-          curl --retry 5 --retry-delay 2 --retry-all-errors -sSfL -o checksums.txt "${base_url}/actionlint_${ACTIONLINT_VERSION}_checksums.txt"
-          grep " ${archive}\$" checksums.txt | sha256sum -c -
-          tar -xzf "${archive}" actionlint
-          sudo install -m 0755 actionlint /usr/local/bin/actionlint
-
-      - name: Lint workflows
-        run: actionlint
-
-      - name: Disallow direct inputs interpolation in composite run blocks
-        run: python3 scripts/check-composite-action-input-interpolation.py
-
-      - name: Disallow tracked merge conflict markers
-        run: node scripts/check-no-conflict-markers.mjs
-
-  generated-doc-baselines:
-    if: github.event_name == 'workflow_dispatch'
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Check config docs drift statefile
-        run: pnpm config:docs:check
-
-      - name: Check plugin SDK API baseline drift
-        run: pnpm plugin-sdk:api:check
--- a/.gitignore
+++ b/.gitignore
@@ -1,18 +1,11 @@
 node_modules
-**/node_modules/
 .env
-docker-compose.override.yml
-docker-compose.extra.yml
 dist
-dist-runtime/
+*.bun-build
 pnpm-lock.yaml
 bun.lock
 bun.lockb
 coverage
-__openclaw_vitest__/
-__pycache__/
-*.pyc
-.tsbuildinfo
 .pnpm-store
 .worktrees/
 .DS_Store
@@ -20,52 +13,26 @@ __pycache__/
 ui/src/ui/__screenshots__/
 ui/playwright-report/
 ui/test-results/
-packages/dashboard-next/.next/
-packages/dashboard-next/out/
-
-# Mise configuration files
-mise.toml
-
-# Android build artifacts
-apps/android/.gradle/
-apps/android/app/build/
-apps/android/.cxx/
-apps/android/.kotlin/
-apps/android/benchmark/results/

 # Bun build artifacts
 *.bun-build
 apps/macos/.build/
-apps/macos-mlx-tts/.build/
-apps/shared/MoltbotKit/.build/
-apps/shared/OpenClawKit/.build/
-apps/shared/OpenClawKit/Package.resolved
+apps/shared/ClawdbotKit/.build/
 **/ModuleCache/
 bin/
 bin/clawdbot-mac
 bin/docs-list
 apps/macos/.build-local/
 apps/macos/.swiftpm/
-apps/shared/MoltbotKit/.swiftpm/
-apps/shared/OpenClawKit/.swiftpm/
+apps/shared/ClawdbotKit/.swiftpm/
 Core/
 apps/ios/*.xcodeproj/
 apps/ios/*.xcworkspace/
 apps/ios/.swiftpm/
-apps/ios/.derivedData/
-apps/ios/.local-signing.xcconfig
 vendor/
-apps/ios/Clawdbot.xcodeproj/
-apps/ios/Clawdbot.xcodeproj/**
-apps/macos/.build/**
-apps/macos-mlx-tts/.build/**
-**/*.bun-build
-apps/ios/*.xcfilelist

 # Vendor build artifacts
 vendor/a2ui/renderers/lit/dist/
-src/canvas-host/a2ui/*.bundle.js
-src/canvas-host/a2ui/*.map
 .bundle.hash

 # fastlane (iOS)
@@ -75,7 +42,6 @@ apps/ios/fastlane/Preview.html
 apps/ios/fastlane/screenshots/
 apps/ios/fastlane/test_output/
 apps/ios/fastlane/logs/
-apps/ios/fastlane/.env

 # fastlane build artifacts (local)
 apps/ios/*.ipa
@@ -83,108 +49,8 @@ apps/ios/*.dSYM.zip

 # provisioning profiles (local)
 apps/ios/*.mobileprovision
+.env

 # Local untracked files
 .local/
-docs/.local/
-docs/internal/
-tmp/
-IDENTITY.md
-USER.md
-.tgz
-.idea
-
-# local tooling
-.serena/
-
-# Local project-agent skill installs. Only repo-owned skills are visible by
-# default; promoting a new repo skill should require an intentional `git add -f`.
-.agents/skills/*
-!.agents/skills/blacksmith-testbox/
-!.agents/skills/blacksmith-testbox/**
-!.agents/skills/openclaw-ghsa-maintainer/
-!.agents/skills/openclaw-ghsa-maintainer/**
-!.agents/skills/openclaw-parallels-smoke/
-!.agents/skills/openclaw-parallels-smoke/**
-!.agents/skills/openclaw-pr-maintainer/
-!.agents/skills/openclaw-pr-maintainer/**
-!.agents/skills/openclaw-qa-testing/
-!.agents/skills/openclaw-qa-testing/**
-!.agents/skills/openclaw-release-maintainer/
-!.agents/skills/openclaw-release-maintainer/**
-!.agents/skills/openclaw-secret-scanning-maintainer/
-!.agents/skills/openclaw-secret-scanning-maintainer/**
-!.agents/skills/openclaw-test-heap-leaks/
-!.agents/skills/openclaw-test-heap-leaks/**
-!.agents/skills/openclaw-test-performance/
-!.agents/skills/openclaw-test-performance/**
-!.agents/skills/openclaw-testing/
-!.agents/skills/openclaw-testing/**
-!.agents/skills/optimizetests/
-!.agents/skills/optimizetests/**
-!.agents/skills/parallels-discord-roundtrip/
-!.agents/skills/parallels-discord-roundtrip/**
-!.agents/skills/security-triage/
-!.agents/skills/security-triage/**
-!.agents/skills/tag-duplicate-prs-issues/
-!.agents/skills/tag-duplicate-prs-issues/**
-
-# Agent credentials and memory (NEVER COMMIT)
-/memory/
-.agent/*.json
-!.agent/workflows/
-/local/
-package-lock.json
-.claude/
-.agent/
-skills-lock.json
-
-# Local iOS signing overrides
-apps/ios/LocalSigning.xcconfig
-
-# Xcode build directories (xcodebuild output)
-apps/ios/build/
-apps/shared/OpenClawKit/build/
-Swabble/build/
-
-# Generated protocol schema (produced via pnpm protocol:gen)
-dist/protocol.schema.json
-.ant-colony/
-
-# Eclipse
-**/.project
-**/.classpath
-**/.settings/
-**/.gradle/
-
-# Synthing
-**/.stfolder/
-.dev-state
-docs/superpowers
-.superpowers/
-.gitignore
-test/config-form.analyze.telegram.test.ts
-ui/src/ui/theme-variants.browser.test.ts
-ui/src/ui/__screenshots__
-ui/src/ui/views/__screenshots__
-ui/.vitest-attachments
-
-# Generated docs baseline artifacts (locally generated, only hashes tracked)
-docs/.generated/*.json
-docs/.generated/*.jsonl
-
-# Deprecated changelog fragment workflow
-changelog/fragments/
-
-# Local scratch workspace
-.tmp/
-.vmux*
-.artifacts/
-test/fixtures/openclaw-vitest-unit-report.json
-analysis/
-.artifacts/qa-e2e/
-extensions/qa-lab/web/dist/
-
-# Generated bundled plugin runtime dependency manifests
-extensions/**/.openclaw-runtime-deps.json
-extensions/**/.openclaw-runtime-deps-stamp.json
+.vscode/
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,4 @@
+[submodule "Peekaboo"]
+	path = Peekaboo
+	url = https://github.com/steipete/Peekaboo.git
+	branch = main
--- a/.jscpd.json
+++ b/.jscpd.json
@@ -1,16 +0,0 @@
-{
-  "gitignore": true,
-  "noSymlinks": true,
-  "ignore": [
-    "**/node_modules/**",
-    "**/dist/**",
-    "dist/**",
-    "**/.git/**",
-    "**/coverage/**",
-    "**/build/**",
-    "**/.build/**",
-    "**/.artifacts/**",
-    "docs/zh-CN/**",
-    "**/CHANGELOG.md"
-  ]
-}
--- a/.mailmap
+++ b/.mailmap
@@ -1,13 +0,0 @@
-# Canonical contributor identity mappings for cherry-picked commits.
-bmendonca3 <208517100+bmendonca3@users.noreply.github.com> <brianmendonca@Brians-MacBook-Air.local>
-hcl <7755017+hclsys@users.noreply.github.com> <chenglunhu@gmail.com>
-Glucksberg <80581902+Glucksberg@users.noreply.github.com> <markuscontasul@gmail.com>
-JackyWay <53031570+JackyWay@users.noreply.github.com> <jackybbc@gmail.com>
-Marcus Castro <7562095+mcaxtr@users.noreply.github.com> <mcaxtr@gmail.com>
-Marc Gratch <2238658+mgratch@users.noreply.github.com> <me@marcgratch.com>
-Peter Machona <7957943+chilu18@users.noreply.github.com> <chilu.machona@icloud.com>
-Ben Marvell <92585+easternbloc@users.noreply.github.com> <ben@marvell.consulting>
-zerone0x <39543393+zerone0x@users.noreply.github.com> <hi@trine.dev>
-Marco Di Dionisio <3519682+marcodd23@users.noreply.github.com> <m.didionisio23@gmail.com>
-mujiannan <46643837+mujiannan@users.noreply.github.com> <shennan@mujiannan.com>
-Santhanakrishnan <239082898+bitfoundry-ai@users.noreply.github.com> <noreply@anthropic.com>
--- a/.markdownlint-cli2.jsonc
+++ b/.markdownlint-cli2.jsonc
@@ -1,60 +0,0 @@
-{
-  "globs": ["docs/**/*.md", "docs/**/*.mdx", "README.md"],
-  "ignores": ["docs/zh-CN/**", "docs/.i18n/**", "docs/reference/templates/**", "**/.local/**"],
-  "config": {
-    "default": true,
-
-    "MD013": false,
-    "MD025": false,
-    "MD029": false,
-
-    "MD033": {
-      "allowed_elements": [
-        "Note",
-        "Info",
-        "Tip",
-        "Warning",
-        "Card",
-        "CardGroup",
-        "Columns",
-        "Steps",
-        "Step",
-        "Tabs",
-        "Tab",
-        "Accordion",
-        "AccordionGroup",
-        "CodeGroup",
-        "Frame",
-        "Callout",
-        "ParamField",
-        "ResponseField",
-        "RequestExample",
-        "ResponseExample",
-        "img",
-        "a",
-        "br",
-        "table",
-        "tr",
-        "td",
-        "details",
-        "summary",
-        "p",
-        "div",
-        "strong",
-        "span",
-        "iframe",
-        "h2",
-        "h3",
-        "picture",
-        "source",
-        "Tooltip",
-        "Check",
-      ],
-    },
-
-    "MD036": false,
-    "MD040": false,
-    "MD041": false,
-    "MD046": false,
-  },
-}
--- a/.npmignore
+++ b/.npmignore
@@ -1,3 +0,0 @@
-**/node_modules/
-**/.runtime-deps-*/
-docs/.generated/
--- a/.npmrc
+++ b/.npmrc
@@ -1,4 +1 @@
-# pnpm build-script allowlist lives in package.json -> pnpm.onlyBuiltDependencies.
-# TS 7 native-preview fails to resolve packages reliably from pnpm's isolated linker.
-# Keep the workspace on a hoisted layout so pnpm check/build stay stable.
-node-linker=hoisted
+allow-build-scripts=@whiskeysockets/baileys,sharp,esbuild,protobufjs,fs-ext,node-pty
--- a/.oxfmtrc.jsonc
+++ b/.oxfmtrc.jsonc
@@ -1,27 +0,0 @@
-{
-  "$schema": "./node_modules/oxfmt/configuration_schema.json",
-  "sortImports": {
-    "newlinesBetween": false,
-  },
-  "sortPackageJson": {
-    "sortScripts": true,
-  },
-  "tabWidth": 2,
-  "useTabs": false,
-  "ignorePatterns": [
-    "apps/",
-    "assets/",
-    "CLAUDE.md",
-    "docker-compose.yml",
-    "dist/",
-    "docs/_layouts/",
-    "node_modules/",
-    "patches/",
-    "pnpm-lock.yaml/",
-    "src/gateway/server-methods/CLAUDE.md",
-    "src/auto-reply/reply/export-html/",
-    "src/canvas-host/a2ui/a2ui.bundle.js",
-    "Swabble/",
-    "vendor/",
-  ],
-}
--- a/.oxlintrc.json
+++ b/.oxlintrc.json
@@ -1,160 +0,0 @@
-{
-  "$schema": "./node_modules/oxlint/configuration_schema.json",
-  "plugins": ["unicorn", "typescript", "oxc"],
-  "categories": {
-    "correctness": "error",
-    "perf": "error",
-    "suspicious": "error"
-  },
-  "rules": {
-    "curly": "error",
-    "eslint-plugin-unicorn/prefer-array-find": "error",
-    "eslint/no-array-constructor": "error",
-    "eslint/no-await-in-loop": "off",
-    "eslint/no-constructor-return": "error",
-    "eslint/no-div-regex": "error",
-    "eslint/no-extra-label": "error",
-    "eslint/no-empty-pattern": "error",
-    "eslint/no-lone-blocks": "error",
-    "eslint/no-multi-str": "error",
-    "eslint/no-new": "error",
-    "eslint/no-object-constructor": "error",
-    "eslint/no-proto": "error",
-    "eslint/no-regex-spaces": "error",
-    "eslint/no-return-assign": "error",
-    "eslint/no-sequences": "error",
-    "eslint/no-self-compare": "error",
-    "eslint/no-shadow": "off",
-    "eslint/no-var": "error",
-    "eslint/no-useless-call": "error",
-    "eslint/no-useless-computed-key": "error",
-    "eslint/no-useless-concat": "error",
-    "eslint/no-useless-constructor": "error",
-    "eslint/no-warning-comments": "error",
-    "eslint/no-unmodified-loop-condition": "error",
-    "eslint/no-new-wrappers": "error",
-    "eslint/no-else-return": "error",
-    "eslint/no-case-declarations": "error",
-    "eslint/prefer-exponentiation-operator": "error",
-    "eslint/prefer-numeric-literals": "error",
-    "eslint/radix": "error",
-    "eslint/unicode-bom": "error",
-    "eslint/yoda": "error",
-    "import/no-absolute-path": "error",
-    "import/no-empty-named-blocks": "error",
-    "import/no-self-import": "error",
-    "node/no-exports-assign": "error",
-    "eslint-plugin-unicorn/prefer-set-size": "error",
-    "oxc/no-accumulating-spread": "error",
-    "oxc/no-async-endpoint-handlers": "error",
-    "oxc/no-map-spread": "error",
-    "promise/no-new-statics": "error",
-    "typescript/adjacent-overload-signatures": "error",
-    "typescript/ban-tslint-comment": "error",
-    "typescript/consistent-return": "error",
-    "typescript/no-empty-object-type": ["error", { "allowInterfaces": "with-single-extends" }],
-    "typescript/no-explicit-any": "error",
-    "typescript/no-extraneous-class": "error",
-    "typescript/no-meaningless-void-operator": "error",
-    "typescript/no-non-null-asserted-nullish-coalescing": "error",
-    "typescript/no-unnecessary-qualifier": "error",
-    "typescript/no-unnecessary-type-assertion": "error",
-    "typescript/no-unnecessary-type-arguments": "error",
-    "typescript/no-unnecessary-type-constraint": "error",
-    "typescript/no-unnecessary-type-conversion": "error",
-    "typescript/no-unnecessary-type-parameters": "error",
-    "typescript/no-unsafe-type-assertion": "off",
-    "typescript/no-useless-default-assignment": "error",
-    "typescript/switch-exhaustiveness-check": [
-      "error",
-      { "considerDefaultExhaustiveForUnions": true }
-    ],
-    "typescript/prefer-return-this-type": "error",
-    "typescript/prefer-find": "error",
-    "typescript/prefer-function-type": "error",
-    "typescript/prefer-includes": "error",
-    "typescript/prefer-reduce-type-parameter": "error",
-    "typescript/prefer-ts-expect-error": "error",
-    "unicorn/consistent-date-clone": "error",
-    "unicorn/consistent-empty-array-spread": "error",
-    "unicorn/consistent-function-scoping": "off",
-    "unicorn/no-console-spaces": "error",
-    "unicorn/no-length-as-slice-end": "error",
-    "unicorn/no-instanceof-array": "error",
-    "unicorn/no-negation-in-equality-check": "error",
-    "unicorn/no-new-buffer": "error",
-    "unicorn/no-typeof-undefined": "error",
-    "unicorn/no-unnecessary-array-flat-depth": "error",
-    "unicorn/no-unnecessary-array-splice-count": "error",
-    "unicorn/no-unnecessary-slice-end": "error",
-    "unicorn/no-useless-error-capture-stack-trace": "error",
-    "unicorn/no-useless-promise-resolve-reject": "error",
-    "unicorn/prefer-date-now": "error",
-    "unicorn/prefer-dom-node-text-content": "error",
-    "unicorn/prefer-keyboard-event-key": "error",
-    "unicorn/prefer-array-some": "error",
-    "unicorn/prefer-math-min-max": "error",
-    "unicorn/prefer-node-protocol": "error",
-    "unicorn/prefer-number-properties": "error",
-    "unicorn/prefer-negative-index": "error",
-    "unicorn/prefer-optional-catch-binding": "error",
-    "unicorn/prefer-prototype-methods": "error",
-    "unicorn/prefer-regexp-test": "error",
-    "unicorn/prefer-set-size": "error",
-    "unicorn/prefer-string-slice": "error",
-    "unicorn/require-array-join-separator": "error",
-    "unicorn/require-number-to-fixed-digits-argument": "error",
-    "unicorn/require-post-message-target-origin": "error",
-    "unicorn/throw-new-error": "error",
-    "vitest/no-import-node-test": "error",
-    "vitest/consistent-vitest-vi": "error",
-    "vitest/prefer-called-once": "error",
-    "vitest/prefer-called-times": "error",
-    "vitest/prefer-expect-type-of": "error"
-  },
-  "ignorePatterns": [
-    "assets/",
-    "dist/",
-    "dist-runtime/",
-    "docs/_layouts/",
-    "node_modules/",
-    "patches/",
-    "pnpm-lock.yaml",
-    "skills/",
-    "src/auto-reply/reply/export-html/template.js",
-    "src/canvas-host/a2ui/a2ui.bundle.js",
-    "Swabble/",
-    "vendor/",
-    "**/.cache/**",
-    "**/build/**",
-    "**/coverage/**",
-    "**/dist/**",
-    "**/dist-runtime/**",
-    "**/node_modules/**"
-  ],
-  "overrides": [
-    {
-      "files": ["src/security/**"],
-      "rules": {
-        "eslint/no-warning-comments": "off",
-        "oxc/no-map-spread": "off"
-      }
-    },
-    {
-      "files": [
-        "**/*.test.ts",
-        "**/*.test.tsx",
-        "**/*.e2e.test.ts",
-        "**/*.live.test.ts",
-        "**/*test-harness.ts",
-        "**/*test-helpers.ts",
-        "**/*test-support.ts"
-      ],
-      "rules": {
-        "typescript/no-explicit-any": "off",
-        "typescript/unbound-method": "off",
-        "eslint/no-unsafe-optional-chaining": "off"
-      }
-    }
-  ]
-}
--- a/.pi/extensions/diff.ts
+++ b/.pi/extensions/diff.ts
@@ -1,117 +0,0 @@
-/**
- * Diff Extension
- *
- * /diff command shows modified/deleted/new files from git status and opens
- * the selected file in VS Code's diff view.
- */
-
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import { showPagedSelectList } from "./ui/paged-select";
-
-interface FileInfo {
-  status: string;
-  statusLabel: string;
-  file: string;
-}
-
-export default function (pi: ExtensionAPI) {
-  pi.registerCommand("diff", {
-    description: "Show git changes and open in VS Code diff view",
-    handler: async (_args, ctx) => {
-      if (!ctx.hasUI) {
-        ctx.ui.notify("No UI available", "error");
-        return;
-      }
-
-      // Get changed files from git status
-      const result = await pi.exec("git", ["status", "--porcelain"], { cwd: ctx.cwd });
-
-      if (result.code !== 0) {
-        ctx.ui.notify(`git status failed: ${result.stderr}`, "error");
-        return;
-      }
-
-      if (!result.stdout || !result.stdout.trim()) {
-        ctx.ui.notify("No changes in working tree", "info");
-        return;
-      }
-
-      // Parse git status output
-      // Format: XY filename (where XY is two-letter status, then space, then filename)
-      const lines = result.stdout.split("\n");
-      const files: FileInfo[] = [];
-
-      for (const line of lines) {
-        if (line.length < 4) {
-          continue;
-        } // Need at least "XY f"
-
-        const status = line.slice(0, 2);
-        const file = line.slice(2).trimStart();
-
-        // Translate status codes to short labels
-        let statusLabel: string;
-        if (status.includes("M")) {
-          statusLabel = "M";
-        } else if (status.includes("A")) {
-          statusLabel = "A";
-        } else if (status.includes("D")) {
-          statusLabel = "D";
-        } else if (status.includes("?")) {
-          statusLabel = "?";
-        } else if (status.includes("R")) {
-          statusLabel = "R";
-        } else if (status.includes("C")) {
-          statusLabel = "C";
-        } else {
-          statusLabel = status.trim() || "~";
-        }
-
-        files.push({ status: statusLabel, statusLabel, file });
-      }
-
-      if (files.length === 0) {
-        ctx.ui.notify("No changes found", "info");
-        return;
-      }
-
-      const openSelected = async (fileInfo: FileInfo): Promise<void> => {
-        try {
-          // Open in VS Code diff view.
-          // For untracked files, git difftool won't work, so fall back to just opening the file.
-          if (fileInfo.status === "?") {
-            await pi.exec("code", ["-g", fileInfo.file], { cwd: ctx.cwd });
-            return;
-          }
-
-          const diffResult = await pi.exec(
-            "git",
-            ["difftool", "-y", "--tool=vscode", fileInfo.file],
-            {
-              cwd: ctx.cwd,
-            },
-          );
-          if (diffResult.code !== 0) {
-            await pi.exec("code", ["-g", fileInfo.file], { cwd: ctx.cwd });
-          }
-        } catch (error) {
-          const message = error instanceof Error ? error.message : String(error);
-          ctx.ui.notify(`Failed to open ${fileInfo.file}: ${message}`, "error");
-        }
-      };
-
-      const items = files.map((file) => ({
-        value: file,
-        label: `${file.status} ${file.file}`,
-      }));
-      await showPagedSelectList({
-        ctx,
-        title: " Select file to diff",
-        items,
-        onSelect: (item) => {
-          void openSelected(item.value as FileInfo);
-        },
-      });
-    },
-  });
-}
--- a/.pi/extensions/files.ts
+++ b/.pi/extensions/files.ts
@@ -1,134 +0,0 @@
-/**
- * Files Extension
- *
- * /files command lists all files the model has read/written/edited in the active session branch,
- * coalesced by path and sorted newest first. Selecting a file opens it in VS Code.
- */
-
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import { showPagedSelectList } from "./ui/paged-select";
-
-interface FileEntry {
-  path: string;
-  operations: Set<"read" | "write" | "edit">;
-  lastTimestamp: number;
-}
-
-type FileToolName = "read" | "write" | "edit";
-
-export default function (pi: ExtensionAPI) {
-  pi.registerCommand("files", {
-    description: "Show files read/written/edited in this session",
-    handler: async (_args, ctx) => {
-      if (!ctx.hasUI) {
-        ctx.ui.notify("No UI available", "error");
-        return;
-      }
-
-      // Get the current branch (path from leaf to root)
-      const branch = ctx.sessionManager.getBranch();
-
-      // First pass: collect tool calls (id -> {path, name}) from assistant messages
-      const toolCalls = new Map<string, { path: string; name: FileToolName; timestamp: number }>();
-
-      for (const entry of branch) {
-        if (entry.type !== "message") {
-          continue;
-        }
-        const msg = entry.message;
-
-        if (msg.role === "assistant" && Array.isArray(msg.content)) {
-          for (const block of msg.content) {
-            if (block.type === "toolCall") {
-              const name = block.name;
-              if (name === "read" || name === "write" || name === "edit") {
-                const path = block.arguments?.path;
-                if (path && typeof path === "string") {
-                  toolCalls.set(block.id, { path, name, timestamp: msg.timestamp });
-                }
-              }
-            }
-          }
-        }
-      }
-
-      // Second pass: match tool results to get the actual execution timestamp
-      const fileMap = new Map<string, FileEntry>();
-
-      for (const entry of branch) {
-        if (entry.type !== "message") {
-          continue;
-        }
-        const msg = entry.message;
-
-        if (msg.role === "toolResult") {
-          const toolCall = toolCalls.get(msg.toolCallId);
-          if (!toolCall) {
-            continue;
-          }
-
-          const { path, name } = toolCall;
-          const timestamp = msg.timestamp;
-
-          const existing = fileMap.get(path);
-          if (existing) {
-            existing.operations.add(name);
-            if (timestamp > existing.lastTimestamp) {
-              existing.lastTimestamp = timestamp;
-            }
-          } else {
-            fileMap.set(path, {
-              path,
-              operations: new Set([name]),
-              lastTimestamp: timestamp,
-            });
-          }
-        }
-      }
-
-      if (fileMap.size === 0) {
-        ctx.ui.notify("No files read/written/edited in this session", "info");
-        return;
-      }
-
-      // Sort by most recent first
-      const files = Array.from(fileMap.values()).toSorted(
-        (a, b) => b.lastTimestamp - a.lastTimestamp,
-      );
-
-      const openSelected = async (file: FileEntry): Promise<void> => {
-        try {
-          await pi.exec("code", ["-g", file.path], { cwd: ctx.cwd });
-        } catch (error) {
-          const message = error instanceof Error ? error.message : String(error);
-          ctx.ui.notify(`Failed to open ${file.path}: ${message}`, "error");
-        }
-      };
-
-      const items = files.map((file) => {
-        const ops: string[] = [];
-        if (file.operations.has("read")) {
-          ops.push("R");
-        }
-        if (file.operations.has("write")) {
-          ops.push("W");
-        }
-        if (file.operations.has("edit")) {
-          ops.push("E");
-        }
-        return {
-          value: file,
-          label: `${ops.join("")} ${file.path}`,
-        };
-      });
-      await showPagedSelectList({
-        ctx,
-        title: " Select file to open",
-        items,
-        onSelect: (item) => {
-          void openSelected(item.value as FileEntry);
-        },
-      });
-    },
-  });
-}
--- a/.pi/extensions/prompt-url-widget.ts
+++ b/.pi/extensions/prompt-url-widget.ts
@@ -1,190 +0,0 @@
-import {
-  DynamicBorder,
-  type ExtensionAPI,
-  type ExtensionContext,
-} from "@mariozechner/pi-coding-agent";
-import { Container, Text } from "@mariozechner/pi-tui";
-
-const PR_PROMPT_PATTERN = /^\s*You are given one or more GitHub PR URLs:\s*(\S+)/im;
-const ISSUE_PROMPT_PATTERN = /^\s*Analyze GitHub issue\(s\):\s*(\S+)/im;
-
-type PromptMatch = {
-  kind: "pr" | "issue";
-  url: string;
-};
-
-type GhMetadata = {
-  title?: string;
-  author?: {
-    login?: string;
-    name?: string | null;
-  };
-};
-
-function extractPromptMatch(prompt: string): PromptMatch | undefined {
-  const prMatch = prompt.match(PR_PROMPT_PATTERN);
-  if (prMatch?.[1]) {
-    return { kind: "pr", url: prMatch[1].trim() };
-  }
-
-  const issueMatch = prompt.match(ISSUE_PROMPT_PATTERN);
-  if (issueMatch?.[1]) {
-    return { kind: "issue", url: issueMatch[1].trim() };
-  }
-
-  return undefined;
-}
-
-async function fetchGhMetadata(
-  pi: ExtensionAPI,
-  kind: PromptMatch["kind"],
-  url: string,
-): Promise<GhMetadata | undefined> {
-  const args =
-    kind === "pr"
-      ? ["pr", "view", url, "--json", "title,author"]
-      : ["issue", "view", url, "--json", "title,author"];
-
-  try {
-    const result = await pi.exec("gh", args);
-    if (result.code !== 0 || !result.stdout) {
-      return undefined;
-    }
-    return JSON.parse(result.stdout) as GhMetadata;
-  } catch {
-    return undefined;
-  }
-}
-
-function formatAuthor(author?: GhMetadata["author"]): string | undefined {
-  if (!author) {
-    return undefined;
-  }
-  const name = author.name?.trim();
-  const login = author.login?.trim();
-  if (name && login) {
-    return `${name} (@${login})`;
-  }
-  if (login) {
-    return `@${login}`;
-  }
-  if (name) {
-    return name;
-  }
-  return undefined;
-}
-
-export default function promptUrlWidgetExtension(pi: ExtensionAPI) {
-  const setWidget = (
-    ctx: ExtensionContext,
-    match: PromptMatch,
-    title?: string,
-    authorText?: string,
-  ) => {
-    ctx.ui.setWidget("prompt-url", (_tui, thm) => {
-      const titleText = title ? thm.fg("accent", title) : thm.fg("accent", match.url);
-      const authorLine = authorText ? thm.fg("muted", authorText) : undefined;
-      const urlLine = thm.fg("dim", match.url);
-
-      const lines = [titleText];
-      if (authorLine) {
-        lines.push(authorLine);
-      }
-      lines.push(urlLine);
-
-      const container = new Container();
-      container.addChild(new DynamicBorder((s: string) => thm.fg("muted", s)));
-      container.addChild(new Text(lines.join("\n"), 1, 0));
-      return container;
-    });
-  };
-
-  const applySessionName = (ctx: ExtensionContext, match: PromptMatch, title?: string) => {
-    const label = match.kind === "pr" ? "PR" : "Issue";
-    const trimmedTitle = title?.trim();
-    const fallbackName = `${label}: ${match.url}`;
-    const desiredName = trimmedTitle ? `${label}: ${trimmedTitle} (${match.url})` : fallbackName;
-    const currentName = pi.getSessionName()?.trim();
-    if (!currentName) {
-      pi.setSessionName(desiredName);
-      return;
-    }
-    if (currentName === match.url || currentName === fallbackName) {
-      pi.setSessionName(desiredName);
-    }
-  };
-
-  const renderPromptMatch = (ctx: ExtensionContext, match: PromptMatch) => {
-    setWidget(ctx, match);
-    applySessionName(ctx, match);
-    void fetchGhMetadata(pi, match.kind, match.url).then((meta) => {
-      const title = meta?.title?.trim();
-      const authorText = formatAuthor(meta?.author);
-      setWidget(ctx, match, title, authorText);
-      applySessionName(ctx, match, title);
-    });
-  };
-
-  pi.on("before_agent_start", async (event, ctx) => {
-    if (!ctx.hasUI) {
-      return;
-    }
-    const match = extractPromptMatch(event.prompt);
-    if (!match) {
-      return;
-    }
-
-    renderPromptMatch(ctx, match);
-  });
-
-  pi.on("session_switch", async (_event, ctx) => {
-    rebuildFromSession(ctx);
-  });
-
-  const getUserText = (content: string | { type: string; text?: string }[] | undefined): string => {
-    if (!content) {
-      return "";
-    }
-    if (typeof content === "string") {
-      return content;
-    }
-    return (
-      content
-        .filter((block): block is { type: "text"; text: string } => block.type === "text")
-        .map((block) => block.text)
-        .join("\n") ?? ""
-    );
-  };
-
-  const rebuildFromSession = (ctx: ExtensionContext) => {
-    if (!ctx.hasUI) {
-      return;
-    }
-
-    const entries = ctx.sessionManager.getEntries();
-    const lastMatch = [...entries].toReversed().find((entry) => {
-      if (entry.type !== "message" || entry.message.role !== "user") {
-        return false;
-      }
-      const text = getUserText(entry.message.content);
-      return !!extractPromptMatch(text);
-    });
-
-    const content =
-      lastMatch?.type === "message" && lastMatch.message.role === "user"
-        ? lastMatch.message.content
-        : undefined;
-    const text = getUserText(content);
-    const match = text ? extractPromptMatch(text) : undefined;
-    if (!match) {
-      ctx.ui.setWidget("prompt-url", undefined);
-      return;
-    }
-
-    renderPromptMatch(ctx, match);
-  };
-
-  pi.on("session_start", async (_event, ctx) => {
-    rebuildFromSession(ctx);
-  });
-}
--- a/.pi/extensions/redraws.ts
+++ b/.pi/extensions/redraws.ts
@@ -1,26 +0,0 @@
-/**
- * Redraws Extension
- *
- * Exposes /tui to show TUI redraw stats.
- */
-
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import { Text } from "@mariozechner/pi-tui";
-
-export default function (pi: ExtensionAPI) {
-  pi.registerCommand("tui", {
-    description: "Show TUI stats",
-    handler: async (_args, ctx) => {
-      if (!ctx.hasUI) {
-        return;
-      }
-      let redraws = 0;
-      await ctx.ui.custom<void>((tui, _theme, _keybindings, done) => {
-        redraws = tui.fullRedraws;
-        done(undefined);
-        return new Text("", 0, 0);
-      });
-      ctx.ui.notify(`TUI full redraws: ${redraws}`, "info");
-    },
-  });
-}
--- a/.pi/extensions/ui/paged-select.ts
+++ b/.pi/extensions/ui/paged-select.ts
@@ -1,82 +0,0 @@
-import { DynamicBorder } from "@mariozechner/pi-coding-agent";
-import {
-  Container,
-  Key,
-  matchesKey,
-  type SelectItem,
-  SelectList,
-  Text,
-} from "@mariozechner/pi-tui";
-
-type CustomUiContext = {
-  ui: {
-    custom: <T>(
-      render: (
-        tui: { requestRender: () => void },
-        theme: {
-          fg: (tone: string, text: string) => string;
-          bold: (text: string) => string;
-        },
-        kb: unknown,
-        done: () => void,
-      ) => {
-        render: (width: number) => string;
-        invalidate: () => void;
-        handleInput: (data: string) => void;
-      },
-    ) => Promise<T>;
-  };
-};
-
-export async function showPagedSelectList(params: {
-  ctx: CustomUiContext;
-  title: string;
-  items: SelectItem[];
-  onSelect: (item: SelectItem) => void;
-}): Promise<void> {
-  await params.ctx.ui.custom<void>((tui, theme, _kb, done) => {
-    const container = new Container();
-
-    container.addChild(new DynamicBorder((s: string) => theme.fg("accent", s)));
-    container.addChild(new Text(theme.fg("accent", theme.bold(params.title)), 0, 0));
-
-    const visibleRows = Math.min(params.items.length, 15);
-    let currentIndex = 0;
-
-    const selectList = new SelectList(params.items, visibleRows, {
-      selectedPrefix: (text) => theme.fg("accent", text),
-      selectedText: (text) => text,
-      description: (text) => theme.fg("muted", text),
-      scrollInfo: (text) => theme.fg("dim", text),
-      noMatch: (text) => theme.fg("warning", text),
-    });
-    selectList.onSelect = (item) => params.onSelect(item);
-    selectList.onCancel = () => done();
-    selectList.onSelectionChange = (item) => {
-      currentIndex = params.items.indexOf(item);
-    };
-    container.addChild(selectList);
-
-    container.addChild(
-      new Text(theme.fg("dim", " ↑↓ navigate • ←→ page • enter open • esc close"), 0, 0),
-    );
-    container.addChild(new DynamicBorder((s: string) => theme.fg("accent", s)));
-
-    return {
-      render: (width) => container.render(width),
-      invalidate: () => container.invalidate(),
-      handleInput: (data) => {
-        if (matchesKey(data, Key.left)) {
-          currentIndex = Math.max(0, currentIndex - visibleRows);
-          selectList.setSelectedIndex(currentIndex);
-        } else if (matchesKey(data, Key.right)) {
-          currentIndex = Math.min(params.items.length - 1, currentIndex + visibleRows);
-          selectList.setSelectedIndex(currentIndex);
-        } else {
-          selectList.handleInput(data);
-        }
-        tui.requestRender();
-      },
-    };
-  });
-}
--- a/.pi/git/.gitignore
+++ b/.pi/git/.gitignore
@@ -1,2 +0,0 @@
-*
-!.gitignore
--- a/.pi/prompts/cl.md
+++ b/.pi/prompts/cl.md
@@ -1,58 +0,0 @@
---
-description: Audit changelog entries before release
---
-
-Audit changelog entries for all commits since the last release.
-
-## Process
-
-1. **Find the last release tag:**
-
-   ```bash
-   git tag --sort=-version:refname | head -1
-   ```
-
-2. **List all commits since that tag:**
-
-   ```bash
-   git log <tag>..HEAD --oneline
-   ```
-
-3. **Read each package's [Unreleased] section:**
-   - packages/ai/CHANGELOG.md
-   - packages/tui/CHANGELOG.md
-   - packages/coding-agent/CHANGELOG.md
-
-4. **For each commit, check:**
-   - Skip: changelog updates, doc-only changes, release housekeeping
-   - Determine which package(s) the commit affects (use `git show <hash> --stat`)
-   - Verify a changelog entry exists in the affected package(s)
-   - For external contributions (PRs), verify format: `Description ([#N](url) by [@user](url))`
-
-5. **Cross-package duplication rule:**
-   Changes in `ai`, `agent` or `tui` that affect end users should be duplicated to `coding-agent` changelog, since coding-agent is the user-facing package that depends on them.
-
-6. **Add New Features section after changelog fixes:**
-   - Insert a `### New Features` section at the start of `## [Unreleased]` in `packages/coding-agent/CHANGELOG.md`.
-   - Propose the top new features to the user for confirmation before writing them.
-   - Link to relevant docs and sections whenever possible.
-
-7. **Report:**
-   - List commits with missing entries
-   - List entries that need cross-package duplication
-   - Add any missing entries directly
-
-## Changelog Format Reference
-
-Sections (in order):
-
- `### Breaking Changes` - API changes requiring migration
- `### Added` - New features
- `### Changed` - Changes to existing functionality
- `### Fixed` - Bug fixes
- `### Removed` - Removed features
-
-Attribution:
-
- Internal: `Fixed foo ([#123](https://github.com/badlogic/pi-mono/issues/123))`
- External: `Added bar ([#456](https://github.com/badlogic/pi-mono/pull/456) by [@user](https://github.com/user))`
--- a/.pi/prompts/is.md
+++ b/.pi/prompts/is.md
@@ -1,22 +0,0 @@
---
-description: Analyze GitHub issues (bugs or feature requests)
---
-
-Analyze GitHub issue(s): $ARGUMENTS
-
-For each issue:
-
-1. Read the issue in full, including all comments and linked issues/PRs.
-
-2. **For bugs**:
-   - Ignore any root cause analysis in the issue (likely wrong)
-   - Read all related code files in full (no truncation)
-   - Trace the code path and identify the actual root cause
-   - Propose a fix
-
-3. **For feature requests**:
-   - Read all related code files in full (no truncation)
-   - Propose the most concise implementation approach
-   - List affected files and changes needed
-
-Do NOT implement unless explicitly asked. Analyze and propose only.
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,157 +0,0 @@
-# Pre-commit hooks for openclaw
-# Install: prek install
-# Run manually: prek run --all-files
-#
-# See https://pre-commit.com for more information
-
-repos:
-  # Basic file hygiene
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v6.0.0
-    hooks:
-      - id: trailing-whitespace
-        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
-      - id: end-of-file-fixer
-        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
-      - id: check-yaml
-        args: [--allow-multiple-documents]
-      - id: check-added-large-files
-        args: [--maxkb=500]
-      - id: check-merge-conflict
-      - id: detect-private-key
-        exclude: '(^|/)(\.secrets\.baseline$|\.detect-secrets\.cfg$|\.pre-commit-config\.yaml$|apps/ios/fastlane/Fastfile$|.*\.test\.ts$)'
-
-  # Secret detection (same as CI)
-  - repo: https://github.com/Yelp/detect-secrets
-    rev: v1.5.0
-    hooks:
-      - id: detect-secrets
-        args:
-          - --baseline
-          - .secrets.baseline
-          - --exclude-files
-          - '(^|/)pnpm-lock\.yaml$'
-          - --exclude-lines
-          - 'key_content\.include\?\("BEGIN PRIVATE KEY"\)'
-          - --exclude-lines
-          - 'case \.apiKeyEnv: "API key \(env var\)"'
-          - --exclude-lines
-          - 'case apikey = "apiKey"'
-          - --exclude-lines
-          - '"gateway\.remote\.password"'
-          - --exclude-lines
-          - '"gateway\.auth\.password"'
-          - --exclude-lines
-          - '"talk\.apiKey"'
-          - --exclude-lines
-          - '=== "string"'
-          - --exclude-lines
-          - 'typeof remote\?\.password === "string"'
-          - --exclude-lines
-          - "OPENCLAW_DOCKER_GPG_FINGERPRINT="
-          - --exclude-lines
-          - '"secretShape": "(secret_input|sibling_ref)"'
-          - --exclude-lines
-          - 'API key rotation \(provider-specific\): set `\*_API_KEYS`'
-          - --exclude-lines
-          - 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.auth\.password` -> `gateway\.remote\.password`'
-          - --exclude-lines
-          - 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.remote\.password` -> `gateway\.auth\.password`'
-          - --exclude-files
-          - '^src/gateway/client\.watchdog\.test\.ts$'
-          - --exclude-lines
-          - 'export CUSTOM_API_K[E]Y="your-key"'
-          - --exclude-lines
-          - 'grep -q ''N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache'' ~/.bashrc \|\| cat >> ~/.bashrc <<''EOF'''
-          - --exclude-lines
-          - 'env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},'
-          - --exclude-lines
-          - '"ap[i]Key": "xxxxx"(,)?'
-          - --exclude-lines
-          - 'ap[i]Key: "A[I]za\.\.\.",'
-          - --exclude-lines
-          - '"ap[i]Key": "(resolved|normalized|legacy)-key"(,)?'
-          - --exclude-lines
-          - 'sparkle:edSignature="[A-Za-z0-9+/=]+"'
-  # Shell script linting
-  - repo: https://github.com/koalaman/shellcheck-precommit
-    rev: v0.11.0
-    hooks:
-      - id: shellcheck
-        args: [--severity=error] # Only fail on errors, not warnings/info
-        # Exclude vendor and scripts with embedded code or known issues
-        exclude: "^(vendor/|scripts/e2e/)"
-
-  # GitHub Actions linting
-  - repo: https://github.com/rhysd/actionlint
-    rev: v1.7.10
-    hooks:
-      - id: actionlint
-
-  # GitHub Actions security audit
-  - repo: https://github.com/zizmorcore/zizmor-pre-commit
-    rev: v1.22.0
-    hooks:
-      - id: zizmor
-        args: [--persona=regular, --min-severity=medium, --min-confidence=medium]
-        exclude: "^(vendor/|Swabble/)"
-
-  # Python checks for skills scripts
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.14.1
-    hooks:
-      - id: ruff
-        files: "^skills/.*\\.py$"
-        args: [--config, pyproject.toml]
-
-  - repo: local
-    hooks:
-      - id: skills-python-tests
-        name: skills python tests
-        entry: pytest -q skills
-        language: python
-        additional_dependencies: [pytest>=8, <9]
-        pass_filenames: false
-        files: "^skills/.*\\.py$"
-
-  # Project checks (same commands as CI)
-  - repo: local
-    hooks:
-      # node scripts/pre-commit/pnpm-audit-prod.mjs --audit-level=high
-      - id: pnpm-audit-prod
-        name: pnpm-audit-prod
-        entry: node scripts/pre-commit/pnpm-audit-prod.mjs --audit-level=high
-        language: system
-        pass_filenames: false
-
-      # oxlint --type-aware src test
-      - id: oxlint
-        name: oxlint
-        entry: scripts/pre-commit/run-node-tool.sh oxlint --type-aware src test
-        language: system
-        pass_filenames: false
-        types_or: [javascript, jsx, ts, tsx]
-
-      # oxfmt --check src test
-      - id: oxfmt
-        name: oxfmt
-        entry: scripts/pre-commit/run-node-tool.sh oxfmt --check src test
-        language: system
-        pass_filenames: false
-        types_or: [javascript, jsx, ts, tsx]
-
-      # swiftlint (same as CI)
-      - id: swiftlint
-        name: swiftlint
-        entry: swiftlint --config .swiftlint.yml
-        language: system
-        pass_filenames: false
-        types: [swift]
-
-      # swiftformat --lint (same as CI)
-      - id: swiftformat
-        name: swiftformat
-        entry: swiftformat --lint apps/macos/Sources --config .swiftformat
-        language: system
-        pass_filenames: false
-        types: [swift]
--- a/.prettierignore
+++ b/.prettierignore
@@ -1 +0,0 @@
-docs/.generated/
--- a/.secrets.baseline
+++ b/.secrets.baseline
--- a/.shellcheckrc
+++ b/.shellcheckrc
@@ -1,25 +0,0 @@
-# ShellCheck configuration
-# https://www.shellcheck.net/wiki/
-
-# Disable common false positives and style suggestions
-
-# SC2034: Variable appears unused (often exported or used indirectly)
-disable=SC2034
-
-# SC2155: Declare and assign separately (common idiom, rarely causes issues)
-disable=SC2155
-
-# SC2295: Expansions inside ${..} need quoting (info-level, rarely causes issues)
-disable=SC2295
-
-# SC1012: \r is literal (tr -d '\r' works as intended on most systems)
-disable=SC1012
-
-# SC2026: Word outside quotes (info-level, often intentional)
-disable=SC2026
-
-# SC2016: Expressions don't expand in single quotes (often intentional in sed/awk)
-disable=SC2016
-
-# SC2129: Consider using { cmd1; cmd2; } >> file (style preference)
-disable=SC2129
--- a/.swiftformat
+++ b/.swiftformat
@@ -23,7 +23,7 @@
 # Whitespace
 --trimwhitespace always
 --emptybraces no-space
--nospaceoperators ...,..<
+--nospaceoperators ...,..< 
 --ranges no-space
 --someAny true
 --voidtype void
@@ -48,4 +48,4 @@
 --allman false

 # Exclusions
--exclude .build,.swiftpm,DerivedData,node_modules,dist,coverage,xcuserdata,Peekaboo,Swabble,apps/android,apps/ios,apps/shared,apps/macos/Sources/OpenClawProtocol,apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
+--exclude .build,.swiftpm,DerivedData,node_modules,dist,coverage,xcuserdata,Peekaboo,Swabble,apps/android,apps/ios,apps/shared,apps/macos/Sources/ClawdisProtocol,apps/macos/Sources/ClawdbotProtocol
--- a/.swiftlint.yml
+++ b/.swiftlint.yml
@@ -18,9 +18,7 @@ excluded:
  - coverage
  - "*.playground"
  # Generated (protocol-gen-swift.ts)
-  - apps/macos/Sources/OpenClawProtocol/GatewayModels.swift
-  # Generated (generate-host-env-security-policy-swift.mjs)
-  - apps/macos/Sources/OpenClaw/HostEnvSecurityPolicy.generated.swift
+  - apps/macos/Sources/ClawdbotProtocol/GatewayModels.swift

 analyzer_rules:
  - unused_declaration
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -1,3 +0,0 @@
-{
-  "recommendations": ["oxc.oxc-vscode"]
-}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,22 +0,0 @@
-{
-  "editor.formatOnSave": true,
-  "files.insertFinalNewline": true,
-  "files.trimFinalNewlines": true,
-  "[javascript]": {
-    "editor.defaultFormatter": "oxc.oxc-vscode"
-  },
-  "[typescriptreact]": {
-    "editor.defaultFormatter": "oxc.oxc-vscode"
-  },
-  "[typescript]": {
-    "editor.defaultFormatter": "oxc.oxc-vscode"
-  },
-  "[json]": {
-    "editor.defaultFormatter": "oxc.oxc-vscode"
-  },
-  "typescript.preferences.importModuleSpecifierEnding": "js",
-  "typescript.reportStyleChecksAsWarnings": false,
-  "typescript.updateImportsOnFileMove.enabled": "always",
-  "typescript.tsdk": "node_modules/typescript/lib",
-  "makefile.configureOnOpen": false
-}
--- a/Show More
+++ b/Show More