fix: load CLI plugin registry for channel-aware commands (#1338 ) (thanks @MaudeBot)

fix(cli): load plugin registry for message/channels commands
Fixes #1327 - 'clawdbot message --channel telegram' fails with 'Unknown channel: telegram' because plugins weren't loaded. The Commander code path (non-route-first) calls ensureConfigReady() in preAction but doesn't load the plugin registry. Channel plugins like telegram are registered during plugin loading, so getChannelPlugin() returns undefined without it. This adds ensurePluginRegistryLoaded() call for commands that need channel plugin access: message, channels, directory.
2026-06-06 22:11:38 +08:00 · 2026-01-21 00:48:36 +00:00 · 2026-01-20 23:59:43 +00:00
724 changed files with 8435 additions and 33048 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -29,7 +29,6 @@
 - Prefer Bun for TypeScript execution (scripts, dev, tests): `bun <file.ts>` / `bunx <tool>`.
 - Run CLI in dev: `pnpm clawdbot ...` (bun) or `pnpm dev`.
 - Node remains supported for running built output (`dist/*`) and production installs.
- Mac packaging (dev): `scripts/package-mac-app.sh` defaults to current arch. Release checklist: `docs/platforms/mac/release.md`.
 - Type-check/build: `pnpm build` (tsc)
 - Lint/format: `pnpm lint` (oxlint), `pnpm format` (oxfmt)
 - Tests: `pnpm test` (vitest); coverage: `pnpm test:coverage`
@@ -101,7 +100,7 @@
 - CLI progress: use `src/cli/progress.ts` (`osc-progress` + `@clack/prompts` spinner); don’t hand-roll spinners/bars.
 - Status output: keep tables + ANSI-safe wrapping (`src/terminal/table.ts`); `status --all` = read-only/pasteable, `status --deep` = probes.
 - Gateway currently runs only as the menubar app; there is no separate LaunchAgent/helper label installed. Restart via the Clawdbot Mac app or `scripts/restart-mac.sh`; to verify/kill use `launchctl print gui/$UID | grep clawdbot` rather than assuming a fixed label. **When debugging on macOS, start/stop the gateway via the app, not ad-hoc tmux sessions; kill any temporary tunnels before handoff.**
- macOS logs: use `./scripts/clawlog.sh` to query unified logs for the Clawdbot subsystem; it supports follow/tail/category filters and expects passwordless sudo for `/usr/bin/log`.
+- macOS logs: use `./scripts/clawlog.sh` (aka `vtlog`) to query unified logs for the Clawdbot subsystem; it supports follow/tail/category filters and expects passwordless sudo for `/usr/bin/log`.
 - If shared guardrails are available locally, review them; otherwise follow this repo's guidance.
 - SwiftUI state management (iOS/macOS): prefer the `Observation` framework (`@Observable`, `@Bindable`) over `ObservableObject`/`@StateObject`; don’t introduce new `ObservableObject` unless required for compatibility, and migrate existing usages when touching related code.
 - Connection providers: when adding a new connection, update every UI surface and docs (macOS app, web UI, mobile if applicable, onboarding/overview docs) and add matching status + configuration forms so provider lists and settings stay in sync.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,257 +2,274 @@

 Docs: https://docs.clawd.bot

-## 2026.1.22 (Unreleased)
-
-### Fixes
- BlueBubbles: stop typing indicator on idle/no-reply. (#1439) Thanks @Nicell.
- Auto-reply: only report a model switch when session state is available. (#1465) Thanks @robbyczgw-cla.
- Node: launch node host service with `node run` (not `node start`) and align node host hints/docs. (#1461) Thanks @ameno-.
-
-## 2026.1.21-2
-
-### Fixes
- Control UI: ignore bootstrap identity placeholder text for avatar values and fall back to the default avatar. https://docs.clawd.bot/cli/agents https://docs.clawd.bot/web/control-ui
-
-## 2026.1.21
-
-### Highlights
- Lobster optional plugin tool for typed workflows + approval gates. https://docs.clawd.bot/tools/lobster
- Custom assistant identity + avatars in the Control UI. https://docs.clawd.bot/cli/agents https://docs.clawd.bot/web/control-ui
- Cache optimizations: cache-ttl pruning + defaults reduce token spend on cold requests. https://docs.clawd.bot/concepts/session-pruning
- Exec approvals + elevated ask/full modes. https://docs.clawd.bot/tools/exec-approvals https://docs.clawd.bot/tools/elevated
- Signal typing/read receipts + MSTeams attachments. https://docs.clawd.bot/channels/signal https://docs.clawd.bot/channels/msteams
- `/models` UX refresh + `clawdbot update wizard`. https://docs.clawd.bot/cli/models https://docs.clawd.bot/cli/update
-
-### Changes
- Highlight: Lobster optional plugin tool for typed workflows + approval gates. https://docs.clawd.bot/tools/lobster (#1152) Thanks @vignesh07.
- Agents/UI: add identity avatar config support and Control UI avatar rendering. (#1329, #1424) Thanks @dlauer. https://docs.clawd.bot/gateway/configuration https://docs.clawd.bot/cli/agents
- Control UI: add custom assistant identity support and per-session identity display. (#1420) Thanks @robbyczgw-cla. https://docs.clawd.bot/web/control-ui
- CLI: add `clawdbot update wizard` with interactive channel selection + restart prompts, plus preflight checks before rebasing. https://docs.clawd.bot/cli/update
- Models/Commands: add `/models`, improve `/model` listing UX, and expand `clawdbot models` paging. (#1398) Thanks @vignesh07. https://docs.clawd.bot/cli/models
- CLI: move gateway service commands under `clawdbot gateway`, flatten node service commands under `clawdbot node`, and add `gateway probe` for reachability. https://docs.clawd.bot/cli/gateway https://docs.clawd.bot/cli/node
- Exec: add elevated ask/full modes, tighten allowlist gating, and render approvals tables on write. https://docs.clawd.bot/tools/elevated https://docs.clawd.bot/tools/exec-approvals
- Exec approvals: default to local host, add gateway/node targeting + target details, support wildcard agent allowlists, and tighten allowlist parsing/safe bins. https://docs.clawd.bot/cli/approvals https://docs.clawd.bot/tools/exec-approvals
- Heartbeat: allow explicit session keys and active hours. (#1256) Thanks @zknicker. https://docs.clawd.bot/gateway/heartbeat
- Sessions: add per-channel idle durations via `sessions.channelIdleMinutes`. (#1353) Thanks @cash-echo-bot.
- Nodes: run exec-style, expose PATH in status/describe, and bootstrap PATH for node-host execution. https://docs.clawd.bot/cli/node
- Cache: add `cache.ttlPrune` mode and auth-aware defaults for cache TTL behavior.
- Queue: add per-channel debounce overrides for auto-reply. https://docs.clawd.bot/concepts/queue
- Discord: add wildcard channel config support. (#1334) Thanks @pvoo. https://docs.clawd.bot/channels/discord
- Signal: add typing indicators and DM read receipts via signal-cli. https://docs.clawd.bot/channels/signal
- MSTeams: add file uploads, adaptive cards, and attachment handling improvements. (#1410) Thanks @Evizero. https://docs.clawd.bot/channels/msteams
- Onboarding: remove the run setup-token auth option (paste setup-token or reuse CLI creds instead).
- macOS: refresh Settings (location access in Permissions, connection mode in menu, remove CLI install UI).
- Diagnostics: add cache trace config for debugging. (#1370) Thanks @parubets.
- Docs: Lobster guides + org URL updates, /model allowlist troubleshooting, Gmail message search examples, gateway.mode troubleshooting, prompt injection guidance, npm prefix/node CLI notes, control UI dev gatewayUrl note, tool_use FAQ, showcase video, and sharp/node-gyp workaround. (#1427, #1220, #1405) Thanks @vignesh07, @mbelinky.
-
-### Breaking
- **BREAKING:** Control UI now rejects insecure HTTP without device identity by default. Use HTTPS (Tailscale Serve) or set `gateway.controlUi.allowInsecureAuth: true` to allow token-only auth. https://docs.clawd.bot/web/control-ui#insecure-http
- **BREAKING:** Envelope and system event timestamps now default to host-local time (was UTC) so agents don’t have to constantly convert.
-
-### Fixes
- Streaming/Typing/Media: keep reply tags across streamed chunks, start typing indicators at run start, and accept MEDIA paths with spaces/tilde while preferring the message tool hint for image replies.
- Agents/Providers: drop unsigned thinking blocks for Claude models (Google Antigravity) and enforce alphanumeric tool call ids for strict providers (Mistral/OpenRouter). (#1372) Thanks @zerone0x.
- Exec approvals: treat main as the default agent, align node/gateway allowlist prechecks, validate resolved paths, avoid allowlist resolve races, and avoid null optional params. (#1417, #1414, #1425) Thanks @czekaj.
- Exec/Windows: resolve Windows exec paths with extensions and handle safe-bin exe names.
- Nodes/macOS: prompt on allowlist miss for node exec approvals, persist allowlist decisions, and flatten node invoke errors. (#1394) Thanks @ngutman.
- Gateway: prevent multiple gateways from sharing the same config/state (singleton lock), keep auto bind loopback-first with explicit tailnet binding, and improve SSH auth handling. (#1380)
- Control UI: remove the chat stop button, keep the composer aligned to the bottom edge, stabilize session previews, and refresh the debug panel on route-driven tab changes. (#1373) Thanks @yazinsai.
- UI/config: export `SECTION_META` for config form modules. (#1418) Thanks @MaudeBot.
- macOS: keep chat pinned during streaming replies, include Textual resources, respect wildcard exec approvals, allow SSH agent auth, and default distribution builds to universal binaries. (#1279, #1362, #1384, #1396) Thanks @ameno-, @JustYannicc.
- BlueBubbles: resolve short message IDs safely, expose full IDs in templates, and harden short-id fetch wrappers. (#1369, #1387) Thanks @tyler6204.
- Models/Configure: inherit session model overrides in threads/topics, map OpenCode Zen models to the correct APIs, narrow Anthropic OAuth allowlist handling, seed allowlist fallbacks, list the full catalog when no allowlist is set, and limit `/model` list output. (#1376, #1416)
- Memory: prevent CLI hangs by deferring vector probes, add sqlite-vec/embedding timeouts, and make session memory indexing async.
- Cron: cap reminder context history to 10 messages and honor `contextMessages`. (#1103) Thanks @mkbehr.
- Cache: restore the 1h cache TTL option and reset the pruning window.
- Zalo Personal: tolerate ANSI/log-prefixed JSON output from `zca`. (#1379) Thanks @ptn1411.
- Browser: suppress Chrome restore prompts for managed profiles. (#1419) Thanks @jamesgroat.
- Infra: preserve fetch helper methods/preconnect when wrapping abort signals and normalize Telegram fetch aborts.
- Config/Doctor: avoid stack traces for invalid configs, log the config path, avoid WhatsApp config resurrection, and warn when `gateway.mode` is unset. (#900)
- CLI: read Codex CLI account_id for workspace billing. (#1422) Thanks @aj47.
- Logs/Status: align rolling log filenames with local time and report sandboxed runtime in `clawdbot status`. (#1343)
- Embedded runner: persist injected history images so attachments aren’t reloaded each turn. (#1374) Thanks @Nicell.
- Nodes/Subagents: include agent/node/gateway context in tool failure logs and ensure subagent list uses the command session.
-
 ## 2026.1.20

 ### Changes
- Control UI: add copy-as-markdown with error feedback. (#1345) https://docs.clawd.bot/web/control-ui
- Control UI: drop the legacy list view. (#1345) https://docs.clawd.bot/web/control-ui
- TUI: add syntax highlighting for code blocks. (#1200) https://docs.clawd.bot/tui
- TUI: session picker shows derived titles, fuzzy search, relative times, and last message preview. (#1271) https://docs.clawd.bot/tui
- TUI: add a searchable model picker for quicker model selection. (#1198) https://docs.clawd.bot/tui
- TUI: add input history (up/down) for submitted messages. (#1348) https://docs.clawd.bot/tui
- ACP: add `clawdbot acp` for IDE integrations. https://docs.clawd.bot/cli/acp
- ACP: add `clawdbot acp client` interactive harness for debugging. https://docs.clawd.bot/cli/acp
- Skills: add download installs with OS-filtered options. https://docs.clawd.bot/tools/skills
- Skills: add the local sherpa-onnx-tts skill. https://docs.clawd.bot/tools/skills
- Memory: add hybrid BM25 + vector search (FTS5) with weighted merging and fallback. https://docs.clawd.bot/concepts/memory
- Memory: add SQLite embedding cache to speed up reindexing and frequent updates. https://docs.clawd.bot/concepts/memory
- Memory: add OpenAI batch indexing for embeddings when configured. https://docs.clawd.bot/concepts/memory
- Memory: enable OpenAI batch indexing by default for OpenAI embeddings. https://docs.clawd.bot/concepts/memory
- Memory: allow parallel OpenAI batch indexing jobs (default concurrency: 2). https://docs.clawd.bot/concepts/memory
- Memory: render progress immediately, color batch statuses in verbose logs, and poll OpenAI batch status every 2s by default. https://docs.clawd.bot/concepts/memory
- Memory: add `--verbose` logging for memory status + batch indexing details. https://docs.clawd.bot/concepts/memory
- Memory: add native Gemini embeddings provider for memory search. (#1151) https://docs.clawd.bot/concepts/memory
- Browser: allow config defaults for efficient snapshots in the tool/CLI. (#1336) https://docs.clawd.bot/tools/browser
- Nostr: add the Nostr channel plugin with profile management + onboarding defaults. (#1323) https://docs.clawd.bot/channels/nostr
- Matrix: migrate to matrix-bot-sdk with E2EE support, location handling, and group allowlist upgrades. (#1298) https://docs.clawd.bot/channels/matrix
- Slack: add HTTP webhook mode via Bolt HTTP receiver. (#1143) https://docs.clawd.bot/channels/slack
- Telegram: enrich forwarded-message context with normalized origin details + legacy fallback. (#1090) https://docs.clawd.bot/channels/telegram
- Discord: fall back to `/skill` when native command limits are exceeded. (#1287)
- Discord: expose `/skill` globally. (#1287)
- Zalouser: add channel dock metadata, config schema, setup wiring, probe, and status issues. (#1219) https://docs.clawd.bot/plugins/zalouser
- Plugins: require manifest-embedded config schemas with preflight validation warnings. (#1272) https://docs.clawd.bot/plugins/manifest
- Plugins: move channel catalog metadata into plugin manifests. (#1290) https://docs.clawd.bot/plugins/manifest
- Plugins: align Nextcloud Talk policy helpers with core patterns. (#1290) https://docs.clawd.bot/plugins/manifest
- Plugins/UI: let channel plugin metadata drive UI labels/icons and cron channel options. (#1306) https://docs.clawd.bot/web/control-ui
- Agents/UI: add agent avatar support in identity config, IDENTITY.md, and the Control UI. (#1329) https://docs.clawd.bot/gateway/configuration
- Plugins: add plugin slots with a dedicated memory slot selector. https://docs.clawd.bot/plugins/agent-tools
- Plugins: ship the bundled BlueBubbles channel plugin (disabled by default). https://docs.clawd.bot/channels/bluebubbles
- Plugins: migrate bundled messaging extensions to the plugin SDK and resolve plugin-sdk imports in the loader.
- Plugins: migrate the Zalo plugin to the shared plugin SDK runtime. https://docs.clawd.bot/channels/zalo
- Plugins: migrate the Zalo Personal plugin to the shared plugin SDK runtime. https://docs.clawd.bot/plugins/zalouser
- Plugins: allow optional agent tools with explicit allowlists and add the plugin tool authoring guide. https://docs.clawd.bot/plugins/agent-tools
- Plugins: auto-enable bundled channel/provider plugins when configuration is present.
- Plugins: sync plugin sources on channel switches and update npm-installed plugins during `clawdbot update`.
- Plugins: share npm plugin update logic between `clawdbot update` and `clawdbot plugins update`.
-
- Gateway/API: add `/v1/responses` (OpenResponses) with item-based input + semantic streaming events. (#1229)
- Gateway/API: expand `/v1/responses` to support file/image inputs, tool_choice, usage, and output limits. (#1229)
- Usage: add `/usage cost` summaries and macOS menu cost charts. https://docs.clawd.bot/reference/api-usage-costs
- Security: warn when <=300B models run without sandboxing while web tools are enabled. https://docs.clawd.bot/cli/security
- Exec: add host/security/ask routing for gateway + node exec. https://docs.clawd.bot/tools/exec
- Exec: add `/exec` directive for per-session exec defaults (host/security/ask/node). https://docs.clawd.bot/tools/exec
- Exec approvals: migrate approvals to `~/.clawdbot/exec-approvals.json` with per-agent allowlists + skill auto-allow toggle, and add approvals UI + node exec lifecycle events. https://docs.clawd.bot/tools/exec-approvals
- Nodes: add headless node host (`clawdbot node start`) for `system.run`/`system.which`. https://docs.clawd.bot/cli/node
- Nodes: add node daemon service install/status/start/stop/restart. https://docs.clawd.bot/cli/node
- Bridge: add `skills.bins` RPC to support node host auto-allow skill bins.
- Sessions: add daily reset policy with per-type overrides and idle windows (default 4am local), preserving legacy idle-only configs. (#1146) https://docs.clawd.bot/concepts/session
- Sessions: allow `sessions_spawn` to override thinking level for sub-agent runs. https://docs.clawd.bot/tools/subagents
- Channels: unify thread/topic allowlist matching + command/mention gating helpers across core providers. https://docs.clawd.bot/concepts/groups
- Models: add Qwen Portal OAuth provider support. (#1120) https://docs.clawd.bot/providers/qwen
- Onboarding: add allowlist prompts and username-to-id resolution across core and extension channels. https://docs.clawd.bot/start/onboarding
- Docs: clarify allowlist input types and onboarding behavior for messaging channels. https://docs.clawd.bot/start/onboarding
- Docs: refresh Android node discovery docs for the Gateway WS service type. https://docs.clawd.bot/platforms/android
- Docs: surface Amazon Bedrock in provider lists and clarify Bedrock auth env vars. (#1289) https://docs.clawd.bot/bedrock
- Docs: clarify WhatsApp voice notes. https://docs.clawd.bot/channels/whatsapp
- Docs: clarify Windows WSL portproxy LAN access notes. https://docs.clawd.bot/platforms/windows
- Docs: refresh bird skill install metadata and usage notes. (#1302) https://docs.clawd.bot/tools/browser-login
- Agents: add local docs path resolution and include docs/mirror/source/community pointers in the system prompt.
- Agents: clarify node_modules read-only guidance in agent instructions.
- Config: stamp last-touched metadata on write and warn if the config is newer than the running build.
- macOS: hide usage section when usage is unavailable instead of showing provider errors.
- Android: migrate node transport to the Gateway WebSocket protocol with TLS pinning support + gateway discovery naming.
- Android: send structured payloads in node events/invokes and include user-agent metadata in gateway connects.
- Android: remove legacy bridge transport code now that nodes use the gateway protocol.
- Android: bump okhttp + dnsjava to satisfy lint dependency checks.
- Build: update workspace + core/plugin deps.
- Build: use tsgo for dev/watch builds by default (opt out with `CLAWDBOT_TS_COMPILER=tsc`).
+- Deps: update workspace + memory-lancedb dependencies.
 - Repo: remove the Peekaboo git submodule now that the SPM release is used.
- macOS: switch PeekabooBridge integration to the tagged Swift Package Manager release.
- macOS: stop syncing Peekaboo in postinstall.
- Swabble: use the tagged Commander Swift package release.
-
-### Breaking
- **BREAKING:** Reject invalid/unknown config entries and refuse to start the gateway for safety. Run `clawdbot doctor --fix` to repair, then update plugins (`clawdbot plugins update`) if you use any.
-
+- Update: sync plugin sources on channel switches and update npm-installed plugins during `clawdbot update`.
+- Plugins: share npm plugin update logic between `clawdbot update` and `clawdbot plugins update`.
+- Channels: add the Nostr plugin channel with profile management + onboarding install defaults. (#1323) — thanks @joelklabo.
+- Plugins: require manifest-embedded config schemas, validate configs without loading plugin code, and surface plugin config warnings. (#1272) — thanks @thewilloftheshadow.
+- Plugins: move channel catalog metadata into plugin manifests; align Nextcloud Talk policy helpers with core patterns. (#1290) — thanks @NicholaiVogel.
+- Discord: fall back to /skill when native command limits are exceeded; expose /skill globally. (#1287) — thanks @thewilloftheshadow.
+- Docs: refresh bird skill install metadata and usage notes. (#1302) — thanks @odysseus0.
+- Matrix: migrate to matrix-bot-sdk with E2EE support, location handling, and group allowlist upgrades. (#1298) — thanks @sibbl.
+- Plugins/UI: let channel plugin metadata drive UI labels/icons and cron channel options. (#1306) — thanks @steipete.
+- Zalouser: add channel dock metadata, config schema, setup wiring, probe, and status issues. (#1219) — thanks @suminhthanh.
+- Security: warn when <=300B models run without sandboxing and with web tools enabled.
 ### Fixes
 - Discovery: shorten Bonjour DNS-SD service type to `_clawdbot-gw._tcp` and update discovery clients/docs.
+- Agents: preserve subagent announce thread/topic routing + queued replies across channels. (#1241) — thanks @gnarco.
+- Agents: avoid treating timeout errors with "aborted" messages as user aborts, so model fallback still runs.
 - Diagnostics: export OTLP logs, correct queue depth tracking, and document message-flow telemetry.
- Diagnostics: emit message-flow diagnostics across channels via shared dispatch. (#1244)
- Diagnostics: gate heartbeat/webhook logging. (#1244)
- Gateway: strip inbound envelope headers from chat history messages to keep clients clean.
- Gateway: clarify unauthorized handshake responses with token/password mismatch guidance.
- Gateway: allow mobile node client ids for iOS + Android handshake validation. (#1354)
- Gateway: clarify connect/validation errors for gateway params. (#1347)
- Gateway: preserve restart wake routing + thread replies across restarts. (#1337)
- Gateway: reschedule per-agent heartbeats on config hot reload without restarting the runner.
- Gateway: require authorized restarts for SIGUSR1 (restart/apply/update) so config gating can't be bypassed.
- Cron: auto-deliver isolated agent output to explicit targets without tool calls. (#1285)
- Agents: preserve subagent announce thread/topic routing + queued replies across channels. (#1241)
- Agents: propagate accountId into embedded runs so sub-agent announce routing honors the originating account. (#1058)
- Agents: avoid treating timeout errors with "aborted" messages as user aborts, so model fallback still runs. (#1137)
- Agents: sanitize oversized image payloads before send and surface image-dimension errors.
- Sessions: fall back to session labels when listing display names. (#1124)
- Compaction: include tool failure summaries in safeguard compaction to prevent retry loops. (#1084)
- Config: log invalid config issues once per run and keep invalid-config errors stackless.
- Config: allow Perplexity as a web_search provider in config validation. (#1230)
- Config: allow custom fields under `skills.entries.<name>.config` for skill credentials/config. (#1226)
+- Model catalog: avoid caching import failures, log transient discovery errors, and keep partial results. (#1332) — thanks @dougvk.
 - Doctor: clarify plugin auto-enable hint text in the startup banner.
- Doctor: canonicalize legacy session keys in session stores to prevent stale metadata. (#1169)
- Docs: make docs:list fail fast with a clear error if the docs directory is missing.
- Plugins: add Nextcloud Talk manifest for plugin config validation. (#1297)
- Plugins: surface plugin load/register/config errors in gateway logs with plugin/source context.
- CLI: preserve cron delivery settings when editing message payloads. (#1322)
- CLI: keep `clawdbot logs` output resilient to broken pipes while preserving progress output.
+- Gateway: clarify unauthorized handshake responses with token/password mismatch guidance.
+- UI: keep config form enums typed, preserve empty strings, protect sensitive defaults, and deepen config search. (#1315) — thanks @MaudeBot.
+- Web search: infer Perplexity base URL from API key source (direct vs OpenRouter).
+- TUI: keep thinking blocks ordered before content during streaming and isolate per-run assembly. (#1202) — thanks @aaronveklabs.
+- TUI: align custom editor initialization with the latest pi-tui API. (#1298) — thanks @sibbl.
 - CLI: avoid duplicating --profile/--dev flags when formatting commands.
- CLI: centralize CLI command registration to keep fast-path routing and program wiring in sync. (#1207)
- CLI: keep banners on routed commands, restore config guarding outside fast-path routing, and tighten fast-path flag parsing while skipping console capture for extra speed. (#1195)
- CLI: skip runner rebuilds when dist is fresh. (#1231)
- CLI: add WSL2/systemd unavailable hints in daemon status/doctor output.
+- CLI: load channel plugins for commands that need registry-backed lookups. (#1338) — thanks @MaudeBot.
 - Status: route native `/status` to the active agent so model selection reflects the correct profile. (#1301)
- Status: show both usage windows with reset hints when usage data is available. (#1101)
- UI: keep config form enums typed, preserve empty strings, protect sensitive defaults, and deepen config search. (#1315)
- UI: preserve ordered list numbering in chat markdown. (#1341)
- UI: allow Control UI to read gatewayUrl from URL params for remote WebSocket targets. (#1342)
- UI: prevent double-scroll in Control UI chat by locking chat layout to the viewport. (#1283)
- UI: enable shell mode for sync Windows spawns to avoid `pnpm ui:build` EINVAL. (#1212)
- TUI: keep thinking blocks ordered before content during streaming and isolate per-run assembly. (#1202)
- TUI: align custom editor initialization with the latest pi-tui API. (#1298)
- TUI: show generic empty-state text for searchable pickers. (#1201)
- TUI: highlight model search matches and stabilize search ordering.
- Configure: hide OpenRouter auto routing model from the model picker. (#1182)
- Memory: show total file counts + scan issues in `clawdbot memory status`.
- Memory: fall back to non-batch embeddings after repeated batch failures.
- Memory: apply OpenAI batch defaults even without explicit remote config.
- Memory: index atomically so failed reindex preserves the previous memory database. (#1151)
- Memory: avoid sqlite-vec unique constraint failures when reindexing duplicate chunk ids. (#1151)
- Memory: retry transient 5xx errors (Cloudflare) during embedding indexing.
- Memory: parallelize embedding indexing with rate-limit retries.
- Memory: split overly long lines to keep embeddings under token limits.
- Memory: skip empty chunks to avoid invalid embedding inputs.
- Memory: split embedding batches to avoid OpenAI token limits during indexing.
- Memory: probe sqlite-vec availability in `clawdbot memory status`.
- Exec approvals: enforce allowlist when ask is off.
- Exec approvals: prefer raw command for node approvals/events.
- Tools: show exec elevated flag before the command and keep it outside markdown in tool summaries.
- Tools: return a companion-app-required message when node exec is requested with no paired node.
- Tools: return a companion-app-required message when `system.run` is requested without a supporting node.
- Exec: default gateway/node exec security to allowlist when unset (sandbox stays deny).
- Exec: prefer bash when fish is default shell, falling back to sh if bash is missing. (#1297)
+- Exec: prefer bash when fish is default shell, falling back to sh if bash is missing. (#1297) — thanks @ysqander.
 - Exec: merge login-shell PATH for host=gateway exec while keeping daemon PATH minimal. (#1304)
- Streaming: emit assistant deltas for OpenAI-compatible SSE chunks. (#1147)
+- Plugins: add Nextcloud Talk manifest for plugin config validation. (#1297) — thanks @ysqander.
+- Anthropic: default API prompt caching to 1h with configurable TTL override; ignore TTL for OAuth.
 - Discord: make resolve warnings avoid raw JSON payloads on rate limits.
 - Discord: process message handlers in parallel across sessions to avoid event queue blocking. (#1295)
- Discord: stop reconnecting the gateway after aborts to prevent duplicate listeners.
- Discord: only emit slow listener warnings after 30s.
- Discord: inherit parent channel allowlists for thread slash commands and reactions. (#1123)
- Telegram: honor pairing allowlists for native slash commands.
- Telegram: preserve hidden text_link URLs by expanding entities in inbound text. (#1118)
- Slack: resolve Bolt import interop for Bun + Node. (#1191)
- Web search: infer Perplexity base URL from API key source (direct vs OpenRouter).
- Web fetch: harden SSRF protection with shared hostname checks and redirect limits. (#1346)
- Browser: register AI snapshot refs for act commands. (#1282)
- Voice call: include request query in Twilio webhook verification when publicUrl is set. (#864)
- Anthropic: default API prompt caching to 1h with configurable TTL override.
- Anthropic: ignore TTL for OAuth.
- Auth profiles: keep auto-pinned preference while allowing rotation on failover. (#1138)
- Auth profiles: user pins stay locked. (#1138)
- Model catalog: avoid caching import failures, log transient discovery errors, and keep partial results. (#1332)
+- Cron: auto-deliver isolated agent output to explicit targets without tool calls. (#1285)
+
+## 2026.1.19-3
+
+### Changes
+- Android: remove legacy bridge transport code now that nodes use the gateway protocol.
+- Android: send structured payloads in node events/invokes and include user-agent metadata in gateway connects.
+- Gateway: expand `/v1/responses` to support file/image inputs, tool_choice, usage, and output limits. (#1229) — thanks @RyanLisse.
+- Docs: surface Amazon Bedrock in provider lists and clarify Bedrock auth env vars. (#1289) — thanks @steipete.
+
+### Fixes
+- Gateway: strip inbound envelope headers from chat history messages to keep clients clean.
+- UI: prevent double-scroll in Control UI chat by locking chat layout to the viewport. (#1283) — thanks @bradleypriest.
+- Config: allow Perplexity as a web_search provider in config validation. (#1230)
+- Browser: register AI snapshot refs for act commands. (#1282) — thanks @John-Rood.
+
+## 2026.1.19-2
+
+### Changes
+- Android: migrate node transport to the Gateway WebSocket protocol with TLS pinning support + gateway discovery naming.
+- Android: bump okhttp + dnsjava to satisfy lint dependency checks.
+- Docs: refresh Android node discovery docs for the Gateway WS service type.
+
+### Fixes
 - Tests: stabilize Windows gateway/CLI tests by skipping sidecars, normalizing argv, and extending timeouts.
- Tests: stabilize plugin SDK resolution and embedded agent timeouts.
- Windows: install gateway scheduled task as the current user.
- Windows: show friendly guidance instead of failing on access denied.
+- CLI: skip runner rebuilds when dist is fresh. (#1231) — thanks @mukhtharcm, @thewilloftheshadow.
+
+## 2026.1.19-1
+
+### Breaking
+- **BREAKING:** Reject invalid/unknown config entries and refuse to start the gateway for safety; run `clawdbot doctor --fix` to repair. 
+
+### Changes
+- Gateway: add `/v1/responses` endpoint (OpenResponses API) for agentic workflows with item-based input and semantic streaming events. Enable via `gateway.http.endpoints.responses.enabled: true`.
+- Usage: add `/usage cost` summaries and macOS menu cost submenu with daily charting.
+- Agents: clarify node_modules read-only guidance in agent instructions.
+- TUI: add syntax highlighting for code blocks. (#1200) — thanks @vignesh07.
+- TUI: session picker shows derived titles, fuzzy search, relative times, and last message preview. (#1271) — thanks @Whoaa512.
+
+### Fixes
+- UI: enable shell mode for sync Windows spawns to avoid `pnpm ui:build` EINVAL. (#1212) — thanks @longmaba.
+- Agents: add `clawdbot agents set-identity` helper and update bootstrap guidance for multi-agent setups. (#1222) — thanks @ThePickle31.
+- Plugins: surface plugin load/register/config errors in gateway logs with plugin/source context.
+- Agents: propagate accountId into embedded runs so sub-agent announce routing honors the originating account. (#1058)
+- Compaction: include tool failure summaries in safeguard compaction to prevent retry loops. (#1084)
+- Daemon: include HOME in service environments to avoid missing HOME errors. (#1214) — thanks @ameno-.
+- Memory: show total file counts + scan issues in `clawdbot memory status`; fall back to non-batch embeddings after repeated batch failures.
+- TUI: show generic empty-state text for searchable pickers. (#1201) — thanks @vignesh07.
+- Doctor: canonicalize legacy session keys in session stores to prevent stale metadata. (#1169)
+- CLI: centralize CLI command registration to keep fast-path routing and program wiring in sync. (#1207) — thanks @gumadeiras.
+- Config: allow custom fields under `skills.entries.<name>.config` for skill credentials/config. (#1226) — thanks @VACInc. (fixes #1225)
+
+## 2026.1.18-5
+
+### Changes
+- Dependencies: update core + plugin deps (grammy, vitest, openai, Microsoft agents hosting, etc.).
+- Onboarding: add allowlist prompts and username-to-id resolution across core and extension channels.
+- TUI: add searchable model picker for quicker model selection. (#1198) — thanks @vignesh07.
+- Docs: clarify allowlist input types and onboarding behavior for messaging channels.
+
+### Fixes
+- Configure: hide OpenRouter auto routing model from the model picker. (#1182) — thanks @zerone0x.
+- Docs: make docs:list fail fast with a clear error if the docs directory is missing.
 - macOS: load menu session previews asynchronously so items populate while the menu is open.
 - macOS: use label colors for session preview text so previews render in menu subviews.
 - macOS: suppress usage error text in the menubar cost view.
- macOS: Doctor repairs LaunchAgent bootstrap issues for Gateway + Node when listed but not loaded. (#1166)
- macOS: avoid touching launchd in Remote over SSH so quitting the app no longer disables the remote gateway. (#1105)
- macOS: bundle Textual resources in packaged app builds to avoid code block crashes. (#1006)
- Daemon: include HOME in service environments to avoid missing HOME errors. (#1214)
+- Telegram: honor pairing allowlists for native slash commands.
+- TUI: highlight model search matches and stabilize search ordering.
+- CLI: keep banners on routed commands, restore config guarding outside fast-path routing, and tighten fast-path flag parsing while skipping console capture for extra speed. (#1195) — thanks @gumadeiras.
+- Slack: resolve Bolt import interop for Bun + Node. (#1191) — thanks @CoreyH.
+- Gateway: require authorized restarts for SIGUSR1 (restart/apply/update) so config gating can't be bypassed.
+- Discord: stop reconnecting the gateway after aborts to prevent duplicate listeners.

-Thanks @AlexMikhalev, @CoreyH, @John-Rood, @KrauseFx, @MaudeBot, @Nachx639, @NicholaiVogel, @RyanLisse, @ThePickle31, @VACInc, @Whoaa512, @YuriNachos, @aaronveklabs, @abdaraxus, @alauppe, @ameno-, @artuskg, @austinm911, @bradleypriest, @cheeeee, @dougvk, @fogboots, @gnarco, @gumadeiras, @jdrhyne, @joelklabo, @longmaba, @mukhtharcm, @odysseus0, @oscargavin, @rhjoh, @sebslight, @sibbl, @sleontenko, @steipete, @suminhthanh, @thewilloftheshadow, @tyler6204, @vignesh07, @visionik, @ysqander, @zerone0x.
+## 2026.1.18-4
+
+### Changes
+- macOS: switch PeekabooBridge integration to the tagged Swift Package Manager release.
+- macOS: stop syncing Peekaboo in postinstall.
+- Swabble: use the tagged Commander Swift package release.
+- CLI: add `clawdbot acp client` interactive ACP harness for debugging.
+- Plugins: route command detection/text chunking helpers through the plugin runtime and drop runtime exports from the SDK.
+- Plugins: auto-enable bundled channel/provider plugins when configuration is present.
+- Config: stamp last-touched metadata on write and warn if the config is newer than the running build.
+- macOS: hide usage section when usage is unavailable instead of showing provider errors.
+- Memory: add native Gemini embeddings provider for memory search. (#1151)
+- Agents: add local docs path resolution and include docs/mirror/source/community pointers in the system prompt.
+- Slack: add HTTP webhook mode via Bolt HTTP receiver for Events API deployments. (#1143) — thanks @jdrhyne.
+
+### Fixes
+- Auth profiles: keep auto-pinned preference while allowing rotation on failover; user pins stay locked. (#1138) — thanks @cheeeee.
+- Agents: sanitize oversized image payloads before send and surface image-dimension errors.
+- macOS: Doctor repairs LaunchAgent bootstrap issues for Gateway + Node when listed but not loaded. (#1166) — thanks @AlexMikhalev.
+- macOS: avoid touching launchd in Remote over SSH so quitting the app no longer disables the remote gateway. (#1105)
+- Memory: index atomically so failed reindex preserves the previous memory database. (#1151)
+- Memory: avoid sqlite-vec unique constraint failures when reindexing duplicate chunk ids. (#1151)
+
+## 2026.1.18-3
+
+### Changes
+- Exec: add host/security/ask routing for gateway + node exec.
+- Exec: add `/exec` directive for per-session exec defaults (host/security/ask/node).
+- macOS: migrate exec approvals to `~/.clawdbot/exec-approvals.json` with per-agent allowlists and skill auto-allow toggle.
+- macOS: add approvals socket UI server + node exec lifecycle events.
+- Nodes: add headless node host (`clawdbot node start`) for `system.run`/`system.which`.
+- Nodes: add node daemon service install/status/start/stop/restart.
+- Bridge: add `skills.bins` RPC to support node host auto-allow skill bins.
+- Slash commands: replace `/cost` with `/usage off|tokens|full` to control per-response usage footer; `/usage` no longer aliases `/status`. (Supersedes #1140) — thanks @Nachx639.
+- Sessions: add daily reset policy with per-type overrides and idle windows (default 4am local), preserving legacy idle-only configs. (#1146) — thanks @austinm911.
+- Agents: auto-inject local image references for vision models and avoid reloading history images. (#1098) — thanks @tyler6204.
+- Docs: refresh exec/elevated/exec-approvals docs for the new flow. https://docs.clawd.bot/tools/exec-approvals
+- Docs: add node host CLI + update exec approvals/bridge protocol docs. https://docs.clawd.bot/cli/node
+- ACP: add experimental ACP support for IDE integrations (`clawdbot acp`). Thanks @visionik.
+- Tools: allow `sessions_spawn` to override thinking level for sub-agent runs.
+- Channels: unify thread/topic allowlist matching + command/mention gating helpers across core providers.
+- Models: add Qwen Portal OAuth provider support. (#1120) — thanks @mukhtharcm.
+- Memory: add `--verbose` logging for memory status + batch indexing details.
+- Memory: allow parallel OpenAI batch indexing jobs (default concurrency: 2).
+- macOS: add per-agent exec approvals with allowlists, skill CLI auto-allow, and settings UI.
+- Docs: add exec approvals guide and link from tools index. https://docs.clawd.bot/tools/exec-approvals
+- macOS: add exec-host IPC for node service `system.run` with HMAC + peer UID checks.
+
+### Fixes
+- Exec approvals: enforce allowlist when ask is off; prefer raw command for node approvals/events.
+- Tools: return a companion-app-required message when node exec is requested with no paired node.
+- Streaming: emit assistant deltas for OpenAI-compatible SSE chunks. (#1147) — thanks @alauppe.
+- Model fallback: treat timeout aborts as failover while preserving user aborts. (#1137) — thanks @cheeeee.
+
+## 2026.1.18-2
+
+### Fixes
+- Tests: stabilize plugin SDK resolution and embedded agent timeouts.
+
+## 2026.1.18-1
+
+### Changes
+- Tools: allow `sessions_spawn` to override thinking level for sub-agent runs.
+- Channels: unify thread/topic allowlist matching + command/mention gating helpers across core providers.
+- Models: add Qwen Portal OAuth provider support. (#1120) — thanks @mukhtharcm.
+- Memory: add `--verbose` logging for memory status + batch indexing details.
+- Memory: allow parallel OpenAI batch indexing jobs (default concurrency: 2).
+- macOS: add per-agent exec approvals with allowlists, skill CLI auto-allow, and settings UI.
+- Docs: add exec approvals guide and link from tools index. https://docs.clawd.bot/tools/exec-approvals
+
+### Fixes
+- Memory: apply OpenAI batch defaults even without explicit remote config.
+- macOS: bundle Textual resources in packaged app builds to avoid code block crashes. (#1006)
+- Tools: return a companion-app-required message when `system.run` is requested without a supporting node.
+- Discord: only emit slow listener warnings after 30s.
+
+## 2026.1.17-6
+
+### Changes
+- Plugins: add exclusive plugin slots with a dedicated memory slot selector.
+- Memory: ship core memory tools + CLI as the bundled `memory-core` plugin.
+- Docs: document plugin slots and memory plugin behavior.
+- Plugins: add the bundled BlueBubbles channel plugin (disabled by default).
+- Plugins: migrate bundled messaging extensions to the plugin SDK; resolve plugin-sdk imports in loader.
+- Plugins: migrate the Zalo plugin to the shared plugin SDK runtime.
+- Plugins: migrate the Zalo Personal plugin to the shared plugin SDK runtime.
+
+## 2026.1.17-5
+
+### Changes
+- Memory: add hybrid BM25 + vector search (FTS5) with weighted merging and fallback.
+- Memory: add SQLite embedding cache to speed up reindexing and frequent updates.
+- CLI: surface FTS + embedding cache state in `clawdbot memory status`.
+- Memory: render progress immediately, color batch statuses in verbose logs, and poll OpenAI batch status every 2s by default.
+- Plugins: allow optional agent tools with explicit allowlists and add plugin tool authoring guide. https://docs.clawd.bot/plugins/agent-tools
+- Tools: centralize plugin tool policy helpers.
+- Commands: add `/subagents info` and show sub-agent counts in `/status`.
+- Docs: clarify plugin agent tool configuration. https://docs.clawd.bot/plugins/agent-tools
+
+### Fixes
+- Voice call: include request query in Twilio webhook verification when publicUrl is set. (#864)
+
+## 2026.1.18-1
+
+### Changes
+- Tools: allow `sessions_spawn` to override thinking level for sub-agent runs.
+- Channels: unify thread/topic allowlist matching + command/mention gating helpers across core providers.
+- Models: add Qwen Portal OAuth provider support. (#1120) — thanks @mukhtharcm.
+- Memory: add `--verbose` logging for memory status + batch indexing details.
+- Memory: allow parallel OpenAI batch indexing jobs (default concurrency: 2).
+- macOS: add per-agent exec approvals with allowlists, skill CLI auto-allow, and settings UI.
+- Docs: add exec approvals guide and link from tools index. https://docs.clawd.bot/tools/exec-approvals
+
+### Fixes
+- Memory: apply OpenAI batch defaults even without explicit remote config.
+- macOS: bundle Textual resources in packaged app builds to avoid code block crashes. (#1006)
+- Tools: return a companion-app-required message when `system.run` is requested without a supporting node.
+- Discord: only emit slow listener warnings after 30s.
+## 2026.1.17-3
+
+### Changes
+- Memory: add OpenAI Batch API indexing for embeddings when configured.
+- Memory: enable OpenAI batch indexing by default for OpenAI embeddings.
+
+### Fixes
+- Memory: retry transient 5xx errors (Cloudflare) during embedding indexing.
+
+## 2026.1.17-2
+
+### Changes
+
+### Fixes
+- Tools: show exec elevated flag before the command and keep it outside markdown in tool summaries.
+- Memory: parallelize embedding indexing with rate-limit retries.
+- Memory: split overly long lines to keep embeddings under token limits.
+- Memory: skip empty chunks to avoid invalid embedding inputs.
+- Sessions: fall back to session labels when listing display names. (#1124) — thanks @abdaraxus.
+- Discord: inherit parent channel allowlists for thread slash commands and reactions. (#1123) — thanks @thewilloftheshadow.
+
+## 2026.1.17-1
+
+### Changes
+- Telegram: enrich forwarded message context with normalized origin details + legacy fallback. (#1090) — thanks @sleontenko.
+- macOS: strip prerelease/build suffixes when parsing gateway semver patches. (#1110) — thanks @zerone0x.
+- macOS: keep CLI install pinned to the full build suffix. (#1111) — thanks @artuskg.
+- CLI: surface update availability in `clawdbot status`.
+- CLI: add `clawdbot memory status --deep/--index` probes.
+- CLI: add playful update completion quips.
+
+### Fixes
+- Doctor: avoid re-adding WhatsApp ack reaction config when only legacy auth files exist. (#1087) — thanks @YuriNachos.
+- Hooks: parse multi-line/YAML frontmatter metadata blocks (JSON5-friendly). (#1114) — thanks @sebslight.
+- CLI: add WSL2/systemd unavailable hints in daemon status/doctor output.
+- Windows: install gateway scheduled task as the current user; show friendly guidance instead of failing on access denied.
+- Status: show both usage windows with reset hints when usage data is available. (#1101) — thanks @rhjoh.
+- Memory: probe sqlite-vec availability in `clawdbot memory status`.
+- Memory: split embedding batches to avoid OpenAI token limits during indexing.
+- Telegram: preserve hidden text_link URLs by expanding entities in inbound text. (#1118) — thanks @sleontenko.

 ## 2026.1.16-2

--- a/README.md
+++ b/README.md
@@ -471,34 +471,35 @@ by Peter Steinberger and the community.
 See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines, maintainers, and how to submit PRs.  
 AI/vibe-coded PRs welcome! 🤖

-Special thanks to [Mario Zechner](https://mariozechner.at/) for his support and for
-[pi-mono](https://github.com/badlogic/pi-mono).
+Special thanks to @andrewting19 for the Anthropic OAuth tool-name fix.
+
+Core contributors:
+- @cpojer — Telegram onboarding UX + docs

 Thanks to all clawtributors:

 <p align="left">
-  <a href="https://github.com/steipete"><img src="https://avatars.githubusercontent.com/u/58493?v=4&s=48" width="48" height="48" alt="steipete" title="steipete"/></a> <a href="https://github.com/bohdanpodvirnyi"><img src="https://avatars.githubusercontent.com/u/31819391?v=4&s=48" width="48" height="48" alt="bohdanpodvirnyi" title="bohdanpodvirnyi"/></a> <a href="https://github.com/joaohlisboa"><img src="https://avatars.githubusercontent.com/u/8200873?v=4&s=48" width="48" height="48" alt="joaohlisboa" title="joaohlisboa"/></a> <a href="https://github.com/mneves75"><img src="https://avatars.githubusercontent.com/u/2423436?v=4&s=48" width="48" height="48" alt="mneves75" title="mneves75"/></a> <a href="https://github.com/MatthieuBizien"><img src="https://avatars.githubusercontent.com/u/173090?v=4&s=48" width="48" height="48" alt="MatthieuBizien" title="MatthieuBizien"/></a> <a href="https://github.com/MaudeBot"><img src="https://avatars.githubusercontent.com/u/255777700?v=4&s=48" width="48" height="48" alt="MaudeBot" title="MaudeBot"/></a> <a href="https://github.com/rahthakor"><img src="https://avatars.githubusercontent.com/u/8470553?v=4&s=48" width="48" height="48" alt="rahthakor" title="rahthakor"/></a> <a href="https://github.com/vrknetha"><img src="https://avatars.githubusercontent.com/u/20596261?v=4&s=48" width="48" height="48" alt="vrknetha" title="vrknetha"/></a> <a href="https://github.com/radek-paclt"><img src="https://avatars.githubusercontent.com/u/50451445?v=4&s=48" width="48" height="48" alt="radek-paclt" title="radek-paclt"/></a> <a href="https://github.com/joshp123"><img src="https://avatars.githubusercontent.com/u/1497361?v=4&s=48" width="48" height="48" alt="joshp123" title="joshp123"/></a>
-  <a href="https://github.com/mukhtharcm"><img src="https://avatars.githubusercontent.com/u/56378562?v=4&s=48" width="48" height="48" alt="mukhtharcm" title="mukhtharcm"/></a> <a href="https://github.com/maxsumrall"><img src="https://avatars.githubusercontent.com/u/628843?v=4&s=48" width="48" height="48" alt="maxsumrall" title="maxsumrall"/></a> <a href="https://github.com/xadenryan"><img src="https://avatars.githubusercontent.com/u/165437834?v=4&s=48" width="48" height="48" alt="xadenryan" title="xadenryan"/></a> <a href="https://github.com/tobiasbischoff"><img src="https://avatars.githubusercontent.com/u/711564?v=4&s=48" width="48" height="48" alt="Tobias Bischoff" title="Tobias Bischoff"/></a> <a href="https://github.com/juanpablodlc"><img src="https://avatars.githubusercontent.com/u/92012363?v=4&s=48" width="48" height="48" alt="juanpablodlc" title="juanpablodlc"/></a> <a href="https://github.com/hsrvc"><img src="https://avatars.githubusercontent.com/u/129702169?v=4&s=48" width="48" height="48" alt="hsrvc" title="hsrvc"/></a> <a href="https://github.com/magimetal"><img src="https://avatars.githubusercontent.com/u/36491250?v=4&s=48" width="48" height="48" alt="magimetal" title="magimetal"/></a> <a href="https://github.com/meaningfool"><img src="https://avatars.githubusercontent.com/u/2862331?v=4&s=48" width="48" height="48" alt="meaningfool" title="meaningfool"/></a> <a href="https://github.com/NicholasSpisak"><img src="https://avatars.githubusercontent.com/u/129075147?v=4&s=48" width="48" height="48" alt="NicholasSpisak" title="NicholasSpisak"/></a> <a href="https://github.com/sebslight"><img src="https://avatars.githubusercontent.com/u/19554889?v=4&s=48" width="48" height="48" alt="sebslight" title="sebslight"/></a>
-  <a href="https://github.com/AbhisekBasu1"><img src="https://avatars.githubusercontent.com/u/40645221?v=4&s=48" width="48" height="48" alt="abhisekbasu1" title="abhisekbasu1"/></a> <a href="https://github.com/jamesgroat"><img src="https://avatars.githubusercontent.com/u/2634024?v=4&s=48" width="48" height="48" alt="jamesgroat" title="jamesgroat"/></a> <a href="https://github.com/zerone0x"><img src="https://avatars.githubusercontent.com/u/39543393?v=4&s=48" width="48" height="48" alt="zerone0x" title="zerone0x"/></a> <a href="https://github.com/claude"><img src="https://avatars.githubusercontent.com/u/81847?v=4&s=48" width="48" height="48" alt="claude" title="claude"/></a> <a href="https://github.com/SocialNerd42069"><img src="https://avatars.githubusercontent.com/u/118244303?v=4&s=48" width="48" height="48" alt="SocialNerd42069" title="SocialNerd42069"/></a> <a href="https://github.com/Hyaxia"><img src="https://avatars.githubusercontent.com/u/36747317?v=4&s=48" width="48" height="48" alt="Hyaxia" title="Hyaxia"/></a> <a href="https://github.com/dantelex"><img src="https://avatars.githubusercontent.com/u/631543?v=4&s=48" width="48" height="48" alt="dantelex" title="dantelex"/></a> <a href="https://github.com/daveonkels"><img src="https://avatars.githubusercontent.com/u/533642?v=4&s=48" width="48" height="48" alt="daveonkels" title="daveonkels"/></a> <a href="https://github.com/mteam88"><img src="https://avatars.githubusercontent.com/u/84196639?v=4&s=48" width="48" height="48" alt="mteam88" title="mteam88"/></a> <a href="https://github.com/omniwired"><img src="https://avatars.githubusercontent.com/u/322761?v=4&s=48" width="48" height="48" alt="Eng. Juan Combetto" title="Eng. Juan Combetto"/></a>
-  <a href="https://github.com/mbelinky"><img src="https://avatars.githubusercontent.com/u/132747814?v=4&s=48" width="48" height="48" alt="Mariano Belinky" title="Mariano Belinky"/></a> <a href="https://github.com/dbhurley"><img src="https://avatars.githubusercontent.com/u/5251425?v=4&s=48" width="48" height="48" alt="dbhurley" title="dbhurley"/></a> <a href="https://github.com/TSavo"><img src="https://avatars.githubusercontent.com/u/877990?v=4&s=48" width="48" height="48" alt="TSavo" title="TSavo"/></a> <a href="https://github.com/julianengel"><img src="https://avatars.githubusercontent.com/u/10634231?v=4&s=48" width="48" height="48" alt="julianengel" title="julianengel"/></a> <a href="https://github.com/benithors"><img src="https://avatars.githubusercontent.com/u/20652882?v=4&s=48" width="48" height="48" alt="benithors" title="benithors"/></a> <a href="https://github.com/bradleypriest"><img src="https://avatars.githubusercontent.com/u/167215?v=4&s=48" width="48" height="48" alt="bradleypriest" title="bradleypriest"/></a> <a href="https://github.com/timolins"><img src="https://avatars.githubusercontent.com/u/1440854?v=4&s=48" width="48" height="48" alt="timolins" title="timolins"/></a> <a href="https://github.com/Nachx639"><img src="https://avatars.githubusercontent.com/u/71144023?v=4&s=48" width="48" height="48" alt="nachx639" title="nachx639"/></a> <a href="https://github.com/sreekaransrinath"><img src="https://avatars.githubusercontent.com/u/50989977?v=4&s=48" width="48" height="48" alt="sreekaransrinath" title="sreekaransrinath"/></a> <a href="https://github.com/gupsammy"><img src="https://avatars.githubusercontent.com/u/20296019?v=4&s=48" width="48" height="48" alt="gupsammy" title="gupsammy"/></a>
-  <a href="https://github.com/cristip73"><img src="https://avatars.githubusercontent.com/u/24499421?v=4&s=48" width="48" height="48" alt="cristip73" title="cristip73"/></a> <a href="https://github.com/nachoiacovino"><img src="https://avatars.githubusercontent.com/u/50103937?v=4&s=48" width="48" height="48" alt="nachoiacovino" title="nachoiacovino"/></a> <a href="https://github.com/vsabavat"><img src="https://avatars.githubusercontent.com/u/50385532?v=4&s=48" width="48" height="48" alt="Vasanth Rao Naik Sabavat" title="Vasanth Rao Naik Sabavat"/></a> <a href="https://github.com/cpojer"><img src="https://avatars.githubusercontent.com/u/13352?v=4&s=48" width="48" height="48" alt="cpojer" title="cpojer"/></a> <a href="https://github.com/lc0rp"><img src="https://avatars.githubusercontent.com/u/2609441?v=4&s=48" width="48" height="48" alt="lc0rp" title="lc0rp"/></a> <a href="https://github.com/scald"><img src="https://avatars.githubusercontent.com/u/1215913?v=4&s=48" width="48" height="48" alt="scald" title="scald"/></a> <a href="https://github.com/gumadeiras"><img src="https://avatars.githubusercontent.com/u/5599352?v=4&s=48" width="48" height="48" alt="gumadeiras" title="gumadeiras"/></a> <a href="https://github.com/andranik-sahakyan"><img src="https://avatars.githubusercontent.com/u/8908029?v=4&s=48" width="48" height="48" alt="andranik-sahakyan" title="andranik-sahakyan"/></a> <a href="https://github.com/davidguttman"><img src="https://avatars.githubusercontent.com/u/431696?v=4&s=48" width="48" height="48" alt="davidguttman" title="davidguttman"/></a> <a href="https://github.com/sleontenko"><img src="https://avatars.githubusercontent.com/u/7135949?v=4&s=48" width="48" height="48" alt="sleontenko" title="sleontenko"/></a>
-  <a href="https://github.com/sircrumpet"><img src="https://avatars.githubusercontent.com/u/4436535?v=4&s=48" width="48" height="48" alt="sircrumpet" title="sircrumpet"/></a> <a href="https://github.com/peschee"><img src="https://avatars.githubusercontent.com/u/63866?v=4&s=48" width="48" height="48" alt="peschee" title="peschee"/></a> <a href="https://github.com/rafaelreis-r"><img src="https://avatars.githubusercontent.com/u/57492577?v=4&s=48" width="48" height="48" alt="rafaelreis-r" title="rafaelreis-r"/></a> <a href="https://github.com/thewilloftheshadow"><img src="https://avatars.githubusercontent.com/u/35580099?v=4&s=48" width="48" height="48" alt="thewilloftheshadow" title="thewilloftheshadow"/></a> <a href="https://github.com/ratulsarna"><img src="https://avatars.githubusercontent.com/u/105903728?v=4&s=48" width="48" height="48" alt="ratulsarna" title="ratulsarna"/></a> <a href="https://github.com/lutr0"><img src="https://avatars.githubusercontent.com/u/76906369?v=4&s=48" width="48" height="48" alt="lutr0" title="lutr0"/></a> <a href="https://github.com/danielz1z"><img src="https://avatars.githubusercontent.com/u/235270390?v=4&s=48" width="48" height="48" alt="danielz1z" title="danielz1z"/></a> <a href="https://github.com/emanuelst"><img src="https://avatars.githubusercontent.com/u/9994339?v=4&s=48" width="48" height="48" alt="emanuelst" title="emanuelst"/></a> <a href="https://github.com/KristijanJovanovski"><img src="https://avatars.githubusercontent.com/u/8942284?v=4&s=48" width="48" height="48" alt="KristijanJovanovski" title="KristijanJovanovski"/></a> <a href="https://github.com/CashWilliams"><img src="https://avatars.githubusercontent.com/u/613573?v=4&s=48" width="48" height="48" alt="CashWilliams" title="CashWilliams"/></a>
-  <a href="https://github.com/rdev"><img src="https://avatars.githubusercontent.com/u/8418866?v=4&s=48" width="48" height="48" alt="rdev" title="rdev"/></a> <a href="https://github.com/osolmaz"><img src="https://avatars.githubusercontent.com/u/2453968?v=4&s=48" width="48" height="48" alt="osolmaz" title="osolmaz"/></a> <a href="https://github.com/joshrad-dev"><img src="https://avatars.githubusercontent.com/u/62785552?v=4&s=48" width="48" height="48" alt="joshrad-dev" title="joshrad-dev"/></a> <a href="https://github.com/kiranjd"><img src="https://avatars.githubusercontent.com/u/25822851?v=4&s=48" width="48" height="48" alt="kiranjd" title="kiranjd"/></a> <a href="https://github.com/adityashaw2"><img src="https://avatars.githubusercontent.com/u/41204444?v=4&s=48" width="48" height="48" alt="adityashaw2" title="adityashaw2"/></a> <a href="https://github.com/search?q=sheeek"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="sheeek" title="sheeek"/></a> <a href="https://github.com/artuskg"><img src="https://avatars.githubusercontent.com/u/11966157?v=4&s=48" width="48" height="48" alt="artuskg" title="artuskg"/></a> <a href="https://github.com/onutc"><img src="https://avatars.githubusercontent.com/u/152018508?v=4&s=48" width="48" height="48" alt="onutc" title="onutc"/></a> <a href="https://github.com/tyler6204"><img src="https://avatars.githubusercontent.com/u/64381258?v=4&s=48" width="48" height="48" alt="tyler6204" title="tyler6204"/></a> <a href="https://github.com/ManuelHettich"><img src="https://avatars.githubusercontent.com/u/17690367?v=4&s=48" width="48" height="48" alt="manuelhettich" title="manuelhettich"/></a>
-  <a href="https://github.com/minghinmatthewlam"><img src="https://avatars.githubusercontent.com/u/14224566?v=4&s=48" width="48" height="48" alt="minghinmatthewlam" title="minghinmatthewlam"/></a> <a href="https://github.com/myfunc"><img src="https://avatars.githubusercontent.com/u/19294627?v=4&s=48" width="48" height="48" alt="myfunc" title="myfunc"/></a> <a href="https://github.com/buddyh"><img src="https://avatars.githubusercontent.com/u/31752869?v=4&s=48" width="48" height="48" alt="buddyh" title="buddyh"/></a> <a href="https://github.com/connorshea"><img src="https://avatars.githubusercontent.com/u/2977353?v=4&s=48" width="48" height="48" alt="connorshea" title="connorshea"/></a> <a href="https://github.com/vignesh07"><img src="https://avatars.githubusercontent.com/u/1436853?v=4&s=48" width="48" height="48" alt="vignesh07" title="vignesh07"/></a> <a href="https://github.com/mcinteerj"><img src="https://avatars.githubusercontent.com/u/3613653?v=4&s=48" width="48" height="48" alt="mcinteerj" title="mcinteerj"/></a> <a href="https://github.com/apps/dependabot"><img src="https://avatars.githubusercontent.com/in/29110?v=4&s=48" width="48" height="48" alt="dependabot[bot]" title="dependabot[bot]"/></a> <a href="https://github.com/John-Rood"><img src="https://avatars.githubusercontent.com/u/62669593?v=4&s=48" width="48" height="48" alt="John-Rood" title="John-Rood"/></a> <a href="https://github.com/timkrase"><img src="https://avatars.githubusercontent.com/u/38947626?v=4&s=48" width="48" height="48" alt="timkrase" title="timkrase"/></a> <a href="https://github.com/gerardward2007"><img src="https://avatars.githubusercontent.com/u/3002155?v=4&s=48" width="48" height="48" alt="gerardward2007" title="gerardward2007"/></a>
-  <a href="https://github.com/obviyus"><img src="https://avatars.githubusercontent.com/u/22031114?v=4&s=48" width="48" height="48" alt="obviyus" title="obviyus"/></a> <a href="https://github.com/tosh-hamburg"><img src="https://avatars.githubusercontent.com/u/58424326?v=4&s=48" width="48" height="48" alt="tosh-hamburg" title="tosh-hamburg"/></a> <a href="https://github.com/azade-c"><img src="https://avatars.githubusercontent.com/u/252790079?v=4&s=48" width="48" height="48" alt="azade-c" title="azade-c"/></a> <a href="https://github.com/roshanasingh4"><img src="https://avatars.githubusercontent.com/u/88576930?v=4&s=48" width="48" height="48" alt="roshanasingh4" title="roshanasingh4"/></a> <a href="https://github.com/bjesuiter"><img src="https://avatars.githubusercontent.com/u/2365676?v=4&s=48" width="48" height="48" alt="bjesuiter" title="bjesuiter"/></a> <a href="https://github.com/cheeeee"><img src="https://avatars.githubusercontent.com/u/21245729?v=4&s=48" width="48" height="48" alt="cheeeee" title="cheeeee"/></a> <a href="https://github.com/j1philli"><img src="https://avatars.githubusercontent.com/u/3744255?v=4&s=48" width="48" height="48" alt="Josh Phillips" title="Josh Phillips"/></a> <a href="https://github.com/Whoaa512"><img src="https://avatars.githubusercontent.com/u/1581943?v=4&s=48" width="48" height="48" alt="Whoaa512" title="Whoaa512"/></a> <a href="https://github.com/YuriNachos"><img src="https://avatars.githubusercontent.com/u/19365375?v=4&s=48" width="48" height="48" alt="YuriNachos" title="YuriNachos"/></a> <a href="https://github.com/chriseidhof"><img src="https://avatars.githubusercontent.com/u/5382?v=4&s=48" width="48" height="48" alt="chriseidhof" title="chriseidhof"/></a>
-  <a href="https://github.com/ysqander"><img src="https://avatars.githubusercontent.com/u/80843820?v=4&s=48" width="48" height="48" alt="ysqander" title="ysqander"/></a> <a href="https://github.com/superman32432432"><img src="https://avatars.githubusercontent.com/u/7228420?v=4&s=48" width="48" height="48" alt="superman32432432" title="superman32432432"/></a> <a href="https://github.com/search?q=Yurii%20Chukhlib"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Yurii Chukhlib" title="Yurii Chukhlib"/></a> <a href="https://github.com/grp06"><img src="https://avatars.githubusercontent.com/u/1573959?v=4&s=48" width="48" height="48" alt="grp06" title="grp06"/></a> <a href="https://github.com/antons"><img src="https://avatars.githubusercontent.com/u/129705?v=4&s=48" width="48" height="48" alt="antons" title="antons"/></a> <a href="https://github.com/austinm911"><img src="https://avatars.githubusercontent.com/u/31991302?v=4&s=48" width="48" height="48" alt="austinm911" title="austinm911"/></a> <a href="https://github.com/apps/blacksmith-sh"><img src="https://avatars.githubusercontent.com/in/807020?v=4&s=48" width="48" height="48" alt="blacksmith-sh[bot]" title="blacksmith-sh[bot]"/></a> <a href="https://github.com/dan-dr"><img src="https://avatars.githubusercontent.com/u/6669808?v=4&s=48" width="48" height="48" alt="dan-dr" title="dan-dr"/></a> <a href="https://github.com/dlauer"><img src="https://avatars.githubusercontent.com/u/757041?v=4&s=48" width="48" height="48" alt="dlauer" title="dlauer"/></a> <a href="https://github.com/HeimdallStrategy"><img src="https://avatars.githubusercontent.com/u/223014405?v=4&s=48" width="48" height="48" alt="HeimdallStrategy" title="HeimdallStrategy"/></a>
-  <a href="https://github.com/imfing"><img src="https://avatars.githubusercontent.com/u/5097752?v=4&s=48" width="48" height="48" alt="imfing" title="imfing"/></a> <a href="https://github.com/jalehman"><img src="https://avatars.githubusercontent.com/u/550978?v=4&s=48" width="48" height="48" alt="jalehman" title="jalehman"/></a> <a href="https://github.com/jarvis-medmatic"><img src="https://avatars.githubusercontent.com/u/252428873?v=4&s=48" width="48" height="48" alt="jarvis-medmatic" title="jarvis-medmatic"/></a> <a href="https://github.com/kkarimi"><img src="https://avatars.githubusercontent.com/u/875218?v=4&s=48" width="48" height="48" alt="kkarimi" title="kkarimi"/></a> <a href="https://github.com/mahmoudashraf93"><img src="https://avatars.githubusercontent.com/u/9130129?v=4&s=48" width="48" height="48" alt="mahmoudashraf93" title="mahmoudashraf93"/></a> <a href="https://github.com/ngutman"><img src="https://avatars.githubusercontent.com/u/1540134?v=4&s=48" width="48" height="48" alt="ngutman" title="ngutman"/></a> <a href="https://github.com/petter-b"><img src="https://avatars.githubusercontent.com/u/62076402?v=4&s=48" width="48" height="48" alt="petter-b" title="petter-b"/></a> <a href="https://github.com/pkrmf"><img src="https://avatars.githubusercontent.com/u/1714267?v=4&s=48" width="48" height="48" alt="pkrmf" title="pkrmf"/></a> <a href="https://github.com/RandyVentures"><img src="https://avatars.githubusercontent.com/u/149904821?v=4&s=48" width="48" height="48" alt="RandyVentures" title="RandyVentures"/></a> <a href="https://github.com/search?q=Ryan%20Lisse"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Ryan Lisse" title="Ryan Lisse"/></a>
-  <a href="https://github.com/dougvk"><img src="https://avatars.githubusercontent.com/u/401660?v=4&s=48" width="48" height="48" alt="dougvk" title="dougvk"/></a> <a href="https://github.com/erikpr1994"><img src="https://avatars.githubusercontent.com/u/6299331?v=4&s=48" width="48" height="48" alt="erikpr1994" title="erikpr1994"/></a> <a href="https://github.com/search?q=Ghost"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Ghost" title="Ghost"/></a> <a href="https://github.com/jonasjancarik"><img src="https://avatars.githubusercontent.com/u/2459191?v=4&s=48" width="48" height="48" alt="jonasjancarik" title="jonasjancarik"/></a> <a href="https://github.com/search?q=Keith%20the%20Silly%20Goose"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Keith the Silly Goose" title="Keith the Silly Goose"/></a> <a href="https://github.com/search?q=L36%20Server"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="L36 Server" title="L36 Server"/></a> <a href="https://github.com/search?q=Marc"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Marc" title="Marc"/></a> <a href="https://github.com/mitschabaude-bot"><img src="https://avatars.githubusercontent.com/u/247582884?v=4&s=48" width="48" height="48" alt="mitschabaude-bot" title="mitschabaude-bot"/></a> <a href="https://github.com/mkbehr"><img src="https://avatars.githubusercontent.com/u/1285?v=4&s=48" width="48" height="48" alt="mkbehr" title="mkbehr"/></a> <a href="https://github.com/neist"><img src="https://avatars.githubusercontent.com/u/1029724?v=4&s=48" width="48" height="48" alt="neist" title="neist"/></a>
-  <a href="https://github.com/chrisrodz"><img src="https://avatars.githubusercontent.com/u/2967620?v=4&s=48" width="48" height="48" alt="chrisrodz" title="chrisrodz"/></a> <a href="https://github.com/search?q=Friederike%20Seiler"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Friederike Seiler" title="Friederike Seiler"/></a> <a href="https://github.com/gabriel-trigo"><img src="https://avatars.githubusercontent.com/u/38991125?v=4&s=48" width="48" height="48" alt="gabriel-trigo" title="gabriel-trigo"/></a> <a href="https://github.com/Iamadig"><img src="https://avatars.githubusercontent.com/u/102129234?v=4&s=48" width="48" height="48" alt="iamadig" title="iamadig"/></a> <a href="https://github.com/search?q=Kit"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Kit" title="Kit"/></a> <a href="https://github.com/koala73"><img src="https://avatars.githubusercontent.com/u/996596?v=4&s=48" width="48" height="48" alt="koala73" title="koala73"/></a> <a href="https://github.com/manmal"><img src="https://avatars.githubusercontent.com/u/142797?v=4&s=48" width="48" height="48" alt="manmal" title="manmal"/></a> <a href="https://github.com/ogulcancelik"><img src="https://avatars.githubusercontent.com/u/7064011?v=4&s=48" width="48" height="48" alt="ogulcancelik" title="ogulcancelik"/></a> <a href="https://github.com/pasogott"><img src="https://avatars.githubusercontent.com/u/23458152?v=4&s=48" width="48" height="48" alt="pasogott" title="pasogott"/></a> <a href="https://github.com/petradonka"><img src="https://avatars.githubusercontent.com/u/7353770?v=4&s=48" width="48" height="48" alt="petradonka" title="petradonka"/></a>
-  <a href="https://github.com/rubyrunsstuff"><img src="https://avatars.githubusercontent.com/u/246602379?v=4&s=48" width="48" height="48" alt="rubyrunsstuff" title="rubyrunsstuff"/></a> <a href="https://github.com/sibbl"><img src="https://avatars.githubusercontent.com/u/866535?v=4&s=48" width="48" height="48" alt="sibbl" title="sibbl"/></a> <a href="https://github.com/siddhantjain"><img src="https://avatars.githubusercontent.com/u/4835232?v=4&s=48" width="48" height="48" alt="siddhantjain" title="siddhantjain"/></a> <a href="https://github.com/suminhthanh"><img src="https://avatars.githubusercontent.com/u/2907636?v=4&s=48" width="48" height="48" alt="suminhthanh" title="suminhthanh"/></a> <a href="https://github.com/VACInc"><img src="https://avatars.githubusercontent.com/u/3279061?v=4&s=48" width="48" height="48" alt="VACInc" title="VACInc"/></a> <a href="https://github.com/wes-davis"><img src="https://avatars.githubusercontent.com/u/16506720?v=4&s=48" width="48" height="48" alt="wes-davis" title="wes-davis"/></a> <a href="https://github.com/zats"><img src="https://avatars.githubusercontent.com/u/2688806?v=4&s=48" width="48" height="48" alt="zats" title="zats"/></a> <a href="https://github.com/24601"><img src="https://avatars.githubusercontent.com/u/1157207?v=4&s=48" width="48" height="48" alt="24601" title="24601"/></a> <a href="https://github.com/search?q=Chris%20Taylor"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Chris Taylor" title="Chris Taylor"/></a> <a href="https://github.com/czekaj"><img src="https://avatars.githubusercontent.com/u/1464539?v=4&s=48" width="48" height="48" alt="czekaj" title="czekaj"/></a>
-  <a href="https://github.com/djangonavarro220"><img src="https://avatars.githubusercontent.com/u/251162586?v=4&s=48" width="48" height="48" alt="Django Navarro" title="Django Navarro"/></a> <a href="https://github.com/evalexpr"><img src="https://avatars.githubusercontent.com/u/23485511?v=4&s=48" width="48" height="48" alt="evalexpr" title="evalexpr"/></a> <a href="https://github.com/henrino3"><img src="https://avatars.githubusercontent.com/u/4260288?v=4&s=48" width="48" height="48" alt="henrino3" title="henrino3"/></a> <a href="https://github.com/humanwritten"><img src="https://avatars.githubusercontent.com/u/206531610?v=4&s=48" width="48" height="48" alt="humanwritten" title="humanwritten"/></a> <a href="https://github.com/larlyssa"><img src="https://avatars.githubusercontent.com/u/13128869?v=4&s=48" width="48" height="48" alt="larlyssa" title="larlyssa"/></a> <a href="https://github.com/oswalpalash"><img src="https://avatars.githubusercontent.com/u/6431196?v=4&s=48" width="48" height="48" alt="oswalpalash" title="oswalpalash"/></a> <a href="https://github.com/pcty-nextgen-service-account"><img src="https://avatars.githubusercontent.com/u/112553441?v=4&s=48" width="48" height="48" alt="pcty-nextgen-service-account" title="pcty-nextgen-service-account"/></a> <a href="https://github.com/Syhids"><img src="https://avatars.githubusercontent.com/u/671202?v=4&s=48" width="48" height="48" alt="Syhids" title="Syhids"/></a> <a href="https://github.com/search?q=Aaron%20Konyer"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Aaron Konyer" title="Aaron Konyer"/></a> <a href="https://github.com/aaronveklabs"><img src="https://avatars.githubusercontent.com/u/225997828?v=4&s=48" width="48" height="48" alt="aaronveklabs" title="aaronveklabs"/></a>
-  <a href="https://github.com/adam91holt"><img src="https://avatars.githubusercontent.com/u/9592417?v=4&s=48" width="48" height="48" alt="adam91holt" title="adam91holt"/></a> <a href="https://github.com/ameno-"><img src="https://avatars.githubusercontent.com/u/2416135?v=4&s=48" width="48" height="48" alt="ameno-" title="ameno-"/></a> <a href="https://github.com/cash-echo-bot"><img src="https://avatars.githubusercontent.com/u/252747386?v=4&s=48" width="48" height="48" alt="cash-echo-bot" title="cash-echo-bot"/></a> <a href="https://github.com/search?q=Clawd"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Clawd" title="Clawd"/></a> <a href="https://github.com/search?q=ClawdFx"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="ClawdFx" title="ClawdFx"/></a> <a href="https://github.com/erik-agens"><img src="https://avatars.githubusercontent.com/u/80908960?v=4&s=48" width="48" height="48" alt="erik-agens" title="erik-agens"/></a> <a href="https://github.com/fcatuhe"><img src="https://avatars.githubusercontent.com/u/17382215?v=4&s=48" width="48" height="48" alt="fcatuhe" title="fcatuhe"/></a> <a href="https://github.com/ivanrvpereira"><img src="https://avatars.githubusercontent.com/u/183991?v=4&s=48" width="48" height="48" alt="ivanrvpereira" title="ivanrvpereira"/></a> <a href="https://github.com/jayhickey"><img src="https://avatars.githubusercontent.com/u/1676460?v=4&s=48" width="48" height="48" alt="jayhickey" title="jayhickey"/></a> <a href="https://github.com/jeffersonwarrior"><img src="https://avatars.githubusercontent.com/u/89030989?v=4&s=48" width="48" height="48" alt="jeffersonwarrior" title="jeffersonwarrior"/></a>
+  <a href="https://github.com/steipete"><img src="https://avatars.githubusercontent.com/u/58493?v=4&s=48" width="48" height="48" alt="steipete" title="steipete"/></a> <a href="https://github.com/bohdanpodvirnyi"><img src="https://avatars.githubusercontent.com/u/31819391?v=4&s=48" width="48" height="48" alt="bohdanpodvirnyi" title="bohdanpodvirnyi"/></a> <a href="https://github.com/joaohlisboa"><img src="https://avatars.githubusercontent.com/u/8200873?v=4&s=48" width="48" height="48" alt="joaohlisboa" title="joaohlisboa"/></a> <a href="https://github.com/mneves75"><img src="https://avatars.githubusercontent.com/u/2423436?v=4&s=48" width="48" height="48" alt="mneves75" title="mneves75"/></a> <a href="https://github.com/MatthieuBizien"><img src="https://avatars.githubusercontent.com/u/173090?v=4&s=48" width="48" height="48" alt="MatthieuBizien" title="MatthieuBizien"/></a> <a href="https://github.com/rahthakor"><img src="https://avatars.githubusercontent.com/u/8470553?v=4&s=48" width="48" height="48" alt="rahthakor" title="rahthakor"/></a> <a href="https://github.com/vrknetha"><img src="https://avatars.githubusercontent.com/u/20596261?v=4&s=48" width="48" height="48" alt="vrknetha" title="vrknetha"/></a> <a href="https://github.com/radek-paclt"><img src="https://avatars.githubusercontent.com/u/50451445?v=4&s=48" width="48" height="48" alt="radek-paclt" title="radek-paclt"/></a> <a href="https://github.com/joshp123"><img src="https://avatars.githubusercontent.com/u/1497361?v=4&s=48" width="48" height="48" alt="joshp123" title="joshp123"/></a> <a href="https://github.com/mukhtharcm"><img src="https://avatars.githubusercontent.com/u/56378562?v=4&s=48" width="48" height="48" alt="mukhtharcm" title="mukhtharcm"/></a>
+  <a href="https://github.com/maxsumrall"><img src="https://avatars.githubusercontent.com/u/628843?v=4&s=48" width="48" height="48" alt="maxsumrall" title="maxsumrall"/></a> <a href="https://github.com/xadenryan"><img src="https://avatars.githubusercontent.com/u/165437834?v=4&s=48" width="48" height="48" alt="xadenryan" title="xadenryan"/></a> <a href="https://github.com/tobiasbischoff"><img src="https://avatars.githubusercontent.com/u/711564?v=4&s=48" width="48" height="48" alt="Tobias Bischoff" title="Tobias Bischoff"/></a> <a href="https://github.com/juanpablodlc"><img src="https://avatars.githubusercontent.com/u/92012363?v=4&s=48" width="48" height="48" alt="juanpablodlc" title="juanpablodlc"/></a> <a href="https://github.com/hsrvc"><img src="https://avatars.githubusercontent.com/u/129702169?v=4&s=48" width="48" height="48" alt="hsrvc" title="hsrvc"/></a> <a href="https://github.com/magimetal"><img src="https://avatars.githubusercontent.com/u/36491250?v=4&s=48" width="48" height="48" alt="magimetal" title="magimetal"/></a> <a href="https://github.com/meaningfool"><img src="https://avatars.githubusercontent.com/u/2862331?v=4&s=48" width="48" height="48" alt="meaningfool" title="meaningfool"/></a> <a href="https://github.com/NicholasSpisak"><img src="https://avatars.githubusercontent.com/u/129075147?v=4&s=48" width="48" height="48" alt="NicholasSpisak" title="NicholasSpisak"/></a> <a href="https://github.com/AbhisekBasu1"><img src="https://avatars.githubusercontent.com/u/40645221?v=4&s=48" width="48" height="48" alt="abhisekbasu1" title="abhisekbasu1"/></a> <a href="https://github.com/sebslight"><img src="https://avatars.githubusercontent.com/u/19554889?v=4&s=48" width="48" height="48" alt="sebslight" title="sebslight"/></a>
+  <a href="https://github.com/claude"><img src="https://avatars.githubusercontent.com/u/81847?v=4&s=48" width="48" height="48" alt="claude" title="claude"/></a> <a href="https://github.com/jamesgroat"><img src="https://avatars.githubusercontent.com/u/2634024?v=4&s=48" width="48" height="48" alt="jamesgroat" title="jamesgroat"/></a> <a href="https://github.com/Hyaxia"><img src="https://avatars.githubusercontent.com/u/36747317?v=4&s=48" width="48" height="48" alt="Hyaxia" title="Hyaxia"/></a> <a href="https://github.com/dantelex"><img src="https://avatars.githubusercontent.com/u/631543?v=4&s=48" width="48" height="48" alt="dantelex" title="dantelex"/></a> <a href="https://github.com/daveonkels"><img src="https://avatars.githubusercontent.com/u/533642?v=4&s=48" width="48" height="48" alt="daveonkels" title="daveonkels"/></a> <a href="https://github.com/mteam88"><img src="https://avatars.githubusercontent.com/u/84196639?v=4&s=48" width="48" height="48" alt="mteam88" title="mteam88"/></a> <a href="https://github.com/omniwired"><img src="https://avatars.githubusercontent.com/u/322761?v=4&s=48" width="48" height="48" alt="Eng. Juan Combetto" title="Eng. Juan Combetto"/></a> <a href="https://github.com/dbhurley"><img src="https://avatars.githubusercontent.com/u/5251425?v=4&s=48" width="48" height="48" alt="dbhurley" title="dbhurley"/></a> <a href="https://github.com/mbelinky"><img src="https://avatars.githubusercontent.com/u/132747814?v=4&s=48" width="48" height="48" alt="Mariano Belinky" title="Mariano Belinky"/></a> <a href="https://github.com/TSavo"><img src="https://avatars.githubusercontent.com/u/877990?v=4&s=48" width="48" height="48" alt="TSavo" title="TSavo"/></a>
+  <a href="https://github.com/julianengel"><img src="https://avatars.githubusercontent.com/u/10634231?v=4&s=48" width="48" height="48" alt="julianengel" title="julianengel"/></a> <a href="https://github.com/benithors"><img src="https://avatars.githubusercontent.com/u/20652882?v=4&s=48" width="48" height="48" alt="benithors" title="benithors"/></a> <a href="https://github.com/bradleypriest"><img src="https://avatars.githubusercontent.com/u/167215?v=4&s=48" width="48" height="48" alt="bradleypriest" title="bradleypriest"/></a> <a href="https://github.com/timolins"><img src="https://avatars.githubusercontent.com/u/1440854?v=4&s=48" width="48" height="48" alt="timolins" title="timolins"/></a> <a href="https://github.com/Nachx639"><img src="https://avatars.githubusercontent.com/u/71144023?v=4&s=48" width="48" height="48" alt="nachx639" title="nachx639"/></a> <a href="https://github.com/sreekaransrinath"><img src="https://avatars.githubusercontent.com/u/50989977?v=4&s=48" width="48" height="48" alt="sreekaransrinath" title="sreekaransrinath"/></a> <a href="https://github.com/gupsammy"><img src="https://avatars.githubusercontent.com/u/20296019?v=4&s=48" width="48" height="48" alt="gupsammy" title="gupsammy"/></a> <a href="https://github.com/cristip73"><img src="https://avatars.githubusercontent.com/u/24499421?v=4&s=48" width="48" height="48" alt="cristip73" title="cristip73"/></a> <a href="https://github.com/nachoiacovino"><img src="https://avatars.githubusercontent.com/u/50103937?v=4&s=48" width="48" height="48" alt="nachoiacovino" title="nachoiacovino"/></a> <a href="https://github.com/vsabavat"><img src="https://avatars.githubusercontent.com/u/50385532?v=4&s=48" width="48" height="48" alt="Vasanth Rao Naik Sabavat" title="Vasanth Rao Naik Sabavat"/></a>
+  <a href="https://github.com/cpojer"><img src="https://avatars.githubusercontent.com/u/13352?v=4&s=48" width="48" height="48" alt="cpojer" title="cpojer"/></a> <a href="https://github.com/lc0rp"><img src="https://avatars.githubusercontent.com/u/2609441?v=4&s=48" width="48" height="48" alt="lc0rp" title="lc0rp"/></a> <a href="https://github.com/scald"><img src="https://avatars.githubusercontent.com/u/1215913?v=4&s=48" width="48" height="48" alt="scald" title="scald"/></a> <a href="https://github.com/gumadeiras"><img src="https://avatars.githubusercontent.com/u/5599352?v=4&s=48" width="48" height="48" alt="gumadeiras" title="gumadeiras"/></a> <a href="https://github.com/andranik-sahakyan"><img src="https://avatars.githubusercontent.com/u/8908029?v=4&s=48" width="48" height="48" alt="andranik-sahakyan" title="andranik-sahakyan"/></a> <a href="https://github.com/davidguttman"><img src="https://avatars.githubusercontent.com/u/431696?v=4&s=48" width="48" height="48" alt="davidguttman" title="davidguttman"/></a> <a href="https://github.com/sleontenko"><img src="https://avatars.githubusercontent.com/u/7135949?v=4&s=48" width="48" height="48" alt="sleontenko" title="sleontenko"/></a> <a href="https://github.com/sircrumpet"><img src="https://avatars.githubusercontent.com/u/4436535?v=4&s=48" width="48" height="48" alt="sircrumpet" title="sircrumpet"/></a> <a href="https://github.com/peschee"><img src="https://avatars.githubusercontent.com/u/63866?v=4&s=48" width="48" height="48" alt="peschee" title="peschee"/></a> <a href="https://github.com/rafaelreis-r"><img src="https://avatars.githubusercontent.com/u/57492577?v=4&s=48" width="48" height="48" alt="rafaelreis-r" title="rafaelreis-r"/></a>
+  <a href="https://github.com/thewilloftheshadow"><img src="https://avatars.githubusercontent.com/u/35580099?v=4&s=48" width="48" height="48" alt="thewilloftheshadow" title="thewilloftheshadow"/></a> <a href="https://github.com/ratulsarna"><img src="https://avatars.githubusercontent.com/u/105903728?v=4&s=48" width="48" height="48" alt="ratulsarna" title="ratulsarna"/></a> <a href="https://github.com/lutr0"><img src="https://avatars.githubusercontent.com/u/76906369?v=4&s=48" width="48" height="48" alt="lutr0" title="lutr0"/></a> <a href="https://github.com/danielz1z"><img src="https://avatars.githubusercontent.com/u/235270390?v=4&s=48" width="48" height="48" alt="danielz1z" title="danielz1z"/></a> <a href="https://github.com/emanuelst"><img src="https://avatars.githubusercontent.com/u/9994339?v=4&s=48" width="48" height="48" alt="emanuelst" title="emanuelst"/></a> <a href="https://github.com/KristijanJovanovski"><img src="https://avatars.githubusercontent.com/u/8942284?v=4&s=48" width="48" height="48" alt="KristijanJovanovski" title="KristijanJovanovski"/></a> <a href="https://github.com/CashWilliams"><img src="https://avatars.githubusercontent.com/u/613573?v=4&s=48" width="48" height="48" alt="CashWilliams" title="CashWilliams"/></a> <a href="https://github.com/rdev"><img src="https://avatars.githubusercontent.com/u/8418866?v=4&s=48" width="48" height="48" alt="rdev" title="rdev"/></a> <a href="https://github.com/osolmaz"><img src="https://avatars.githubusercontent.com/u/2453968?v=4&s=48" width="48" height="48" alt="osolmaz" title="osolmaz"/></a> <a href="https://github.com/joshrad-dev"><img src="https://avatars.githubusercontent.com/u/62785552?v=4&s=48" width="48" height="48" alt="joshrad-dev" title="joshrad-dev"/></a>
+  <a href="https://github.com/kiranjd"><img src="https://avatars.githubusercontent.com/u/25822851?v=4&s=48" width="48" height="48" alt="kiranjd" title="kiranjd"/></a> <a href="https://github.com/adityashaw2"><img src="https://avatars.githubusercontent.com/u/41204444?v=4&s=48" width="48" height="48" alt="adityashaw2" title="adityashaw2"/></a> <a href="https://github.com/search?q=sheeek"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="sheeek" title="sheeek"/></a> <a href="https://github.com/artuskg"><img src="https://avatars.githubusercontent.com/u/11966157?v=4&s=48" width="48" height="48" alt="artuskg" title="artuskg"/></a> <a href="https://github.com/onutc"><img src="https://avatars.githubusercontent.com/u/152018508?v=4&s=48" width="48" height="48" alt="onutc" title="onutc"/></a> <a href="https://github.com/tyler6204"><img src="https://avatars.githubusercontent.com/u/64381258?v=4&s=48" width="48" height="48" alt="tyler6204" title="tyler6204"/></a> <a href="https://github.com/ManuelHettich"><img src="https://avatars.githubusercontent.com/u/17690367?v=4&s=48" width="48" height="48" alt="manuelhettich" title="manuelhettich"/></a> <a href="https://github.com/minghinmatthewlam"><img src="https://avatars.githubusercontent.com/u/14224566?v=4&s=48" width="48" height="48" alt="minghinmatthewlam" title="minghinmatthewlam"/></a> <a href="https://github.com/myfunc"><img src="https://avatars.githubusercontent.com/u/19294627?v=4&s=48" width="48" height="48" alt="myfunc" title="myfunc"/></a> <a href="https://github.com/buddyh"><img src="https://avatars.githubusercontent.com/u/31752869?v=4&s=48" width="48" height="48" alt="buddyh" title="buddyh"/></a>
+  <a href="https://github.com/connorshea"><img src="https://avatars.githubusercontent.com/u/2977353?v=4&s=48" width="48" height="48" alt="connorshea" title="connorshea"/></a> <a href="https://github.com/mcinteerj"><img src="https://avatars.githubusercontent.com/u/3613653?v=4&s=48" width="48" height="48" alt="mcinteerj" title="mcinteerj"/></a> <a href="https://github.com/John-Rood"><img src="https://avatars.githubusercontent.com/u/62669593?v=4&s=48" width="48" height="48" alt="John-Rood" title="John-Rood"/></a> <a href="https://github.com/timkrase"><img src="https://avatars.githubusercontent.com/u/38947626?v=4&s=48" width="48" height="48" alt="timkrase" title="timkrase"/></a> <a href="https://github.com/zerone0x"><img src="https://avatars.githubusercontent.com/u/39543393?v=4&s=48" width="48" height="48" alt="zerone0x" title="zerone0x"/></a> <a href="https://github.com/gerardward2007"><img src="https://avatars.githubusercontent.com/u/3002155?v=4&s=48" width="48" height="48" alt="gerardward2007" title="gerardward2007"/></a> <a href="https://github.com/obviyus"><img src="https://avatars.githubusercontent.com/u/22031114?v=4&s=48" width="48" height="48" alt="obviyus" title="obviyus"/></a> <a href="https://github.com/tosh-hamburg"><img src="https://avatars.githubusercontent.com/u/58424326?v=4&s=48" width="48" height="48" alt="tosh-hamburg" title="tosh-hamburg"/></a> <a href="https://github.com/azade-c"><img src="https://avatars.githubusercontent.com/u/252790079?v=4&s=48" width="48" height="48" alt="azade-c" title="azade-c"/></a> <a href="https://github.com/roshanasingh4"><img src="https://avatars.githubusercontent.com/u/88576930?v=4&s=48" width="48" height="48" alt="roshanasingh4" title="roshanasingh4"/></a>
+  <a href="https://github.com/bjesuiter"><img src="https://avatars.githubusercontent.com/u/2365676?v=4&s=48" width="48" height="48" alt="bjesuiter" title="bjesuiter"/></a> <a href="https://github.com/cheeeee"><img src="https://avatars.githubusercontent.com/u/21245729?v=4&s=48" width="48" height="48" alt="cheeeee" title="cheeeee"/></a> <a href="https://github.com/j1philli"><img src="https://avatars.githubusercontent.com/u/3744255?v=4&s=48" width="48" height="48" alt="Josh Phillips" title="Josh Phillips"/></a> <a href="https://github.com/Whoaa512"><img src="https://avatars.githubusercontent.com/u/1581943?v=4&s=48" width="48" height="48" alt="Whoaa512" title="Whoaa512"/></a> <a href="https://github.com/YuriNachos"><img src="https://avatars.githubusercontent.com/u/19365375?v=4&s=48" width="48" height="48" alt="YuriNachos" title="YuriNachos"/></a> <a href="https://github.com/chriseidhof"><img src="https://avatars.githubusercontent.com/u/5382?v=4&s=48" width="48" height="48" alt="chriseidhof" title="chriseidhof"/></a> <a href="https://github.com/ysqander"><img src="https://avatars.githubusercontent.com/u/80843820?v=4&s=48" width="48" height="48" alt="ysqander" title="ysqander"/></a> <a href="https://github.com/superman32432432"><img src="https://avatars.githubusercontent.com/u/7228420?v=4&s=48" width="48" height="48" alt="superman32432432" title="superman32432432"/></a> <a href="https://github.com/vignesh07"><img src="https://avatars.githubusercontent.com/u/1436853?v=4&s=48" width="48" height="48" alt="vignesh07" title="vignesh07"/></a> <a href="https://github.com/search?q=Yurii%20Chukhlib"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Yurii Chukhlib" title="Yurii Chukhlib"/></a>
+  <a href="https://github.com/grp06"><img src="https://avatars.githubusercontent.com/u/1573959?v=4&s=48" width="48" height="48" alt="grp06" title="grp06"/></a> <a href="https://github.com/antons"><img src="https://avatars.githubusercontent.com/u/129705?v=4&s=48" width="48" height="48" alt="antons" title="antons"/></a> <a href="https://github.com/austinm911"><img src="https://avatars.githubusercontent.com/u/31991302?v=4&s=48" width="48" height="48" alt="austinm911" title="austinm911"/></a> <a href="https://github.com/apps/blacksmith-sh"><img src="https://avatars.githubusercontent.com/in/807020?v=4&s=48" width="48" height="48" alt="blacksmith-sh[bot]" title="blacksmith-sh[bot]"/></a> <a href="https://github.com/dan-dr"><img src="https://avatars.githubusercontent.com/u/6669808?v=4&s=48" width="48" height="48" alt="dan-dr" title="dan-dr"/></a> <a href="https://github.com/HeimdallStrategy"><img src="https://avatars.githubusercontent.com/u/223014405?v=4&s=48" width="48" height="48" alt="HeimdallStrategy" title="HeimdallStrategy"/></a> <a href="https://github.com/imfing"><img src="https://avatars.githubusercontent.com/u/5097752?v=4&s=48" width="48" height="48" alt="imfing" title="imfing"/></a> <a href="https://github.com/jalehman"><img src="https://avatars.githubusercontent.com/u/550978?v=4&s=48" width="48" height="48" alt="jalehman" title="jalehman"/></a> <a href="https://github.com/jarvis-medmatic"><img src="https://avatars.githubusercontent.com/u/252428873?v=4&s=48" width="48" height="48" alt="jarvis-medmatic" title="jarvis-medmatic"/></a> <a href="https://github.com/kkarimi"><img src="https://avatars.githubusercontent.com/u/875218?v=4&s=48" width="48" height="48" alt="kkarimi" title="kkarimi"/></a>
+  <a href="https://github.com/mahmoudashraf93"><img src="https://avatars.githubusercontent.com/u/9130129?v=4&s=48" width="48" height="48" alt="mahmoudashraf93" title="mahmoudashraf93"/></a> <a href="https://github.com/petter-b"><img src="https://avatars.githubusercontent.com/u/62076402?v=4&s=48" width="48" height="48" alt="petter-b" title="petter-b"/></a> <a href="https://github.com/pkrmf"><img src="https://avatars.githubusercontent.com/u/1714267?v=4&s=48" width="48" height="48" alt="pkrmf" title="pkrmf"/></a> <a href="https://github.com/RandyVentures"><img src="https://avatars.githubusercontent.com/u/149904821?v=4&s=48" width="48" height="48" alt="RandyVentures" title="RandyVentures"/></a> <a href="https://github.com/search?q=Ryan%20Lisse"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Ryan Lisse" title="Ryan Lisse"/></a> <a href="https://github.com/erikpr1994"><img src="https://avatars.githubusercontent.com/u/6299331?v=4&s=48" width="48" height="48" alt="erikpr1994" title="erikpr1994"/></a> <a href="https://github.com/search?q=Ghost"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Ghost" title="Ghost"/></a> <a href="https://github.com/jonasjancarik"><img src="https://avatars.githubusercontent.com/u/2459191?v=4&s=48" width="48" height="48" alt="jonasjancarik" title="jonasjancarik"/></a> <a href="https://github.com/search?q=Keith%20the%20Silly%20Goose"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Keith the Silly Goose" title="Keith the Silly Goose"/></a> <a href="https://github.com/search?q=L36%20Server"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="L36 Server" title="L36 Server"/></a>
+  <a href="https://github.com/search?q=Marc"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Marc" title="Marc"/></a> <a href="https://github.com/mitschabaude-bot"><img src="https://avatars.githubusercontent.com/u/247582884?v=4&s=48" width="48" height="48" alt="mitschabaude-bot" title="mitschabaude-bot"/></a> <a href="https://github.com/neist"><img src="https://avatars.githubusercontent.com/u/1029724?v=4&s=48" width="48" height="48" alt="neist" title="neist"/></a> <a href="https://github.com/ngutman"><img src="https://avatars.githubusercontent.com/u/1540134?v=4&s=48" width="48" height="48" alt="ngutman" title="ngutman"/></a> <a href="https://github.com/chrisrodz"><img src="https://avatars.githubusercontent.com/u/2967620?v=4&s=48" width="48" height="48" alt="chrisrodz" title="chrisrodz"/></a> <a href="https://github.com/dougvk"><img src="https://avatars.githubusercontent.com/u/401660?v=4&s=48" width="48" height="48" alt="dougvk" title="dougvk"/></a> <a href="https://github.com/search?q=Friederike%20Seiler"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Friederike Seiler" title="Friederike Seiler"/></a> <a href="https://github.com/gabriel-trigo"><img src="https://avatars.githubusercontent.com/u/38991125?v=4&s=48" width="48" height="48" alt="gabriel-trigo" title="gabriel-trigo"/></a> <a href="https://github.com/Iamadig"><img src="https://avatars.githubusercontent.com/u/102129234?v=4&s=48" width="48" height="48" alt="iamadig" title="iamadig"/></a> <a href="https://github.com/search?q=Kit"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Kit" title="Kit"/></a>
+  <a href="https://github.com/koala73"><img src="https://avatars.githubusercontent.com/u/996596?v=4&s=48" width="48" height="48" alt="koala73" title="koala73"/></a> <a href="https://github.com/manmal"><img src="https://avatars.githubusercontent.com/u/142797?v=4&s=48" width="48" height="48" alt="manmal" title="manmal"/></a> <a href="https://github.com/ogulcancelik"><img src="https://avatars.githubusercontent.com/u/7064011?v=4&s=48" width="48" height="48" alt="ogulcancelik" title="ogulcancelik"/></a> <a href="https://github.com/pasogott"><img src="https://avatars.githubusercontent.com/u/23458152?v=4&s=48" width="48" height="48" alt="pasogott" title="pasogott"/></a> <a href="https://github.com/petradonka"><img src="https://avatars.githubusercontent.com/u/7353770?v=4&s=48" width="48" height="48" alt="petradonka" title="petradonka"/></a> <a href="https://github.com/rubyrunsstuff"><img src="https://avatars.githubusercontent.com/u/246602379?v=4&s=48" width="48" height="48" alt="rubyrunsstuff" title="rubyrunsstuff"/></a> <a href="https://github.com/sibbl"><img src="https://avatars.githubusercontent.com/u/866535?v=4&s=48" width="48" height="48" alt="sibbl" title="sibbl"/></a> <a href="https://github.com/suminhthanh"><img src="https://avatars.githubusercontent.com/u/2907636?v=4&s=48" width="48" height="48" alt="suminhthanh" title="suminhthanh"/></a> <a href="https://github.com/VACInc"><img src="https://avatars.githubusercontent.com/u/3279061?v=4&s=48" width="48" height="48" alt="VACInc" title="VACInc"/></a> <a href="https://github.com/wes-davis"><img src="https://avatars.githubusercontent.com/u/16506720?v=4&s=48" width="48" height="48" alt="wes-davis" title="wes-davis"/></a>
+  <a href="https://github.com/zats"><img src="https://avatars.githubusercontent.com/u/2688806?v=4&s=48" width="48" height="48" alt="zats" title="zats"/></a> <a href="https://github.com/24601"><img src="https://avatars.githubusercontent.com/u/1157207?v=4&s=48" width="48" height="48" alt="24601" title="24601"/></a> <a href="https://github.com/search?q=Chris%20Taylor"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Chris Taylor" title="Chris Taylor"/></a> <a href="https://github.com/djangonavarro220"><img src="https://avatars.githubusercontent.com/u/251162586?v=4&s=48" width="48" height="48" alt="Django Navarro" title="Django Navarro"/></a> <a href="https://github.com/evalexpr"><img src="https://avatars.githubusercontent.com/u/23485511?v=4&s=48" width="48" height="48" alt="evalexpr" title="evalexpr"/></a> <a href="https://github.com/henrino3"><img src="https://avatars.githubusercontent.com/u/4260288?v=4&s=48" width="48" height="48" alt="henrino3" title="henrino3"/></a> <a href="https://github.com/humanwritten"><img src="https://avatars.githubusercontent.com/u/206531610?v=4&s=48" width="48" height="48" alt="humanwritten" title="humanwritten"/></a> <a href="https://github.com/larlyssa"><img src="https://avatars.githubusercontent.com/u/13128869?v=4&s=48" width="48" height="48" alt="larlyssa" title="larlyssa"/></a> <a href="https://github.com/mkbehr"><img src="https://avatars.githubusercontent.com/u/1285?v=4&s=48" width="48" height="48" alt="mkbehr" title="mkbehr"/></a> <a href="https://github.com/oswalpalash"><img src="https://avatars.githubusercontent.com/u/6431196?v=4&s=48" width="48" height="48" alt="oswalpalash" title="oswalpalash"/></a>
+  <a href="https://github.com/pcty-nextgen-service-account"><img src="https://avatars.githubusercontent.com/u/112553441?v=4&s=48" width="48" height="48" alt="pcty-nextgen-service-account" title="pcty-nextgen-service-account"/></a> <a href="https://github.com/Syhids"><img src="https://avatars.githubusercontent.com/u/671202?v=4&s=48" width="48" height="48" alt="Syhids" title="Syhids"/></a> <a href="https://github.com/search?q=Aaron%20Konyer"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Aaron Konyer" title="Aaron Konyer"/></a> <a href="https://github.com/aaronveklabs"><img src="https://avatars.githubusercontent.com/u/225997828?v=4&s=48" width="48" height="48" alt="aaronveklabs" title="aaronveklabs"/></a> <a href="https://github.com/adam91holt"><img src="https://avatars.githubusercontent.com/u/9592417?v=4&s=48" width="48" height="48" alt="adam91holt" title="adam91holt"/></a> <a href="https://github.com/erik-agens"><img src="https://avatars.githubusercontent.com/u/80908960?v=4&s=48" width="48" height="48" alt="erik-agens" title="erik-agens"/></a> <a href="https://github.com/fcatuhe"><img src="https://avatars.githubusercontent.com/u/17382215?v=4&s=48" width="48" height="48" alt="fcatuhe" title="fcatuhe"/></a> <a href="https://github.com/ivanrvpereira"><img src="https://avatars.githubusercontent.com/u/183991?v=4&s=48" width="48" height="48" alt="ivanrvpereira" title="ivanrvpereira"/></a> <a href="https://github.com/jayhickey"><img src="https://avatars.githubusercontent.com/u/1676460?v=4&s=48" width="48" height="48" alt="jayhickey" title="jayhickey"/></a> <a href="https://github.com/jeffersonwarrior"><img src="https://avatars.githubusercontent.com/u/89030989?v=4&s=48" width="48" height="48" alt="jeffersonwarrior" title="jeffersonwarrior"/></a>
  <a href="https://github.com/search?q=jeffersonwarrior"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="jeffersonwarrior" title="jeffersonwarrior"/></a> <a href="https://github.com/jdrhyne"><img src="https://avatars.githubusercontent.com/u/7828464?v=4&s=48" width="48" height="48" alt="Jonathan D. Rhyne (DJ-D)" title="Jonathan D. Rhyne (DJ-D)"/></a> <a href="https://github.com/jverdi"><img src="https://avatars.githubusercontent.com/u/345050?v=4&s=48" width="48" height="48" alt="jverdi" title="jverdi"/></a> <a href="https://github.com/longmaba"><img src="https://avatars.githubusercontent.com/u/9361500?v=4&s=48" width="48" height="48" alt="longmaba" title="longmaba"/></a> <a href="https://github.com/mickahouan"><img src="https://avatars.githubusercontent.com/u/31423109?v=4&s=48" width="48" height="48" alt="mickahouan" title="mickahouan"/></a> <a href="https://github.com/mjrussell"><img src="https://avatars.githubusercontent.com/u/1641895?v=4&s=48" width="48" height="48" alt="mjrussell" title="mjrussell"/></a> <a href="https://github.com/p6l-richard"><img src="https://avatars.githubusercontent.com/u/18185649?v=4&s=48" width="48" height="48" alt="p6l-richard" title="p6l-richard"/></a> <a href="https://github.com/philipp-spiess"><img src="https://avatars.githubusercontent.com/u/458591?v=4&s=48" width="48" height="48" alt="philipp-spiess" title="philipp-spiess"/></a> <a href="https://github.com/robaxelsen"><img src="https://avatars.githubusercontent.com/u/13132899?v=4&s=48" width="48" height="48" alt="robaxelsen" title="robaxelsen"/></a> <a href="https://github.com/search?q=Sash%20Catanzarite"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Sash Catanzarite" title="Sash Catanzarite"/></a>
-  <a href="https://github.com/T5-AndyML"><img src="https://avatars.githubusercontent.com/u/22801233?v=4&s=48" width="48" height="48" alt="T5-AndyML" title="T5-AndyML"/></a> <a href="https://github.com/search?q=VAC"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="VAC" title="VAC"/></a> <a href="https://github.com/zknicker"><img src="https://avatars.githubusercontent.com/u/1164085?v=4&s=48" width="48" height="48" alt="zknicker" title="zknicker"/></a> <a href="https://github.com/aj47"><img src="https://avatars.githubusercontent.com/u/8023513?v=4&s=48" width="48" height="48" alt="aj47" title="aj47"/></a> <a href="https://github.com/search?q=alejandro%20maza"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="alejandro maza" title="alejandro maza"/></a> <a href="https://github.com/andrewting19"><img src="https://avatars.githubusercontent.com/u/10536704?v=4&s=48" width="48" height="48" alt="andrewting19" title="andrewting19"/></a> <a href="https://github.com/search?q=Andrii"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Andrii" title="Andrii"/></a> <a href="https://github.com/anpoirier"><img src="https://avatars.githubusercontent.com/u/1245729?v=4&s=48" width="48" height="48" alt="anpoirier" title="anpoirier"/></a> <a href="https://github.com/Asleep123"><img src="https://avatars.githubusercontent.com/u/122379135?v=4&s=48" width="48" height="48" alt="Asleep123" title="Asleep123"/></a> <a href="https://github.com/bolismauro"><img src="https://avatars.githubusercontent.com/u/771999?v=4&s=48" width="48" height="48" alt="bolismauro" title="bolismauro"/></a>
-  <a href="https://github.com/conhecendoia"><img src="https://avatars.githubusercontent.com/u/82890727?v=4&s=48" width="48" height="48" alt="conhecendoia" title="conhecendoia"/></a> <a href="https://github.com/search?q=Dimitrios%20Ploutarchos"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Dimitrios Ploutarchos" title="Dimitrios Ploutarchos"/></a> <a href="https://github.com/search?q=Drake%20Thomsen"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Drake Thomsen" title="Drake Thomsen"/></a> <a href="https://github.com/search?q=Felix%20Krause"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Felix Krause" title="Felix Krause"/></a> <a href="https://github.com/gtsifrikas"><img src="https://avatars.githubusercontent.com/u/8904378?v=4&s=48" width="48" height="48" alt="gtsifrikas" title="gtsifrikas"/></a> <a href="https://github.com/HazAT"><img src="https://avatars.githubusercontent.com/u/363802?v=4&s=48" width="48" height="48" alt="HazAT" title="HazAT"/></a> <a href="https://github.com/hrdwdmrbl"><img src="https://avatars.githubusercontent.com/u/554881?v=4&s=48" width="48" height="48" alt="hrdwdmrbl" title="hrdwdmrbl"/></a> <a href="https://github.com/hugobarauna"><img src="https://avatars.githubusercontent.com/u/2719?v=4&s=48" width="48" height="48" alt="hugobarauna" title="hugobarauna"/></a> <a href="https://github.com/search?q=Jamie%20Openshaw"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Jamie Openshaw" title="Jamie Openshaw"/></a> <a href="https://github.com/search?q=Jarvis"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Jarvis" title="Jarvis"/></a>
+  <a href="https://github.com/T5-AndyML"><img src="https://avatars.githubusercontent.com/u/22801233?v=4&s=48" width="48" height="48" alt="T5-AndyML" title="T5-AndyML"/></a> <a href="https://github.com/search?q=VAC"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="VAC" title="VAC"/></a> <a href="https://github.com/zknicker"><img src="https://avatars.githubusercontent.com/u/1164085?v=4&s=48" width="48" height="48" alt="zknicker" title="zknicker"/></a> <a href="https://github.com/search?q=alejandro%20maza"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="alejandro maza" title="alejandro maza"/></a> <a href="https://github.com/andrewting19"><img src="https://avatars.githubusercontent.com/u/10536704?v=4&s=48" width="48" height="48" alt="andrewting19" title="andrewting19"/></a> <a href="https://github.com/anpoirier"><img src="https://avatars.githubusercontent.com/u/1245729?v=4&s=48" width="48" height="48" alt="anpoirier" title="anpoirier"/></a> <a href="https://github.com/Asleep123"><img src="https://avatars.githubusercontent.com/u/122379135?v=4&s=48" width="48" height="48" alt="Asleep123" title="Asleep123"/></a> <a href="https://github.com/bolismauro"><img src="https://avatars.githubusercontent.com/u/771999?v=4&s=48" width="48" height="48" alt="bolismauro" title="bolismauro"/></a> <a href="https://github.com/cash-echo-bot"><img src="https://avatars.githubusercontent.com/u/252747386?v=4&s=48" width="48" height="48" alt="cash-echo-bot" title="cash-echo-bot"/></a> <a href="https://github.com/search?q=Clawd"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Clawd" title="Clawd"/></a>
+  <a href="https://github.com/conhecendocontato"><img src="https://avatars.githubusercontent.com/u/82890727?v=4&s=48" width="48" height="48" alt="conhecendocontato" title="conhecendocontato"/></a> <a href="https://github.com/search?q=Dimitrios%20Ploutarchos"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Dimitrios Ploutarchos" title="Dimitrios Ploutarchos"/></a> <a href="https://github.com/search?q=Drake%20Thomsen"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Drake Thomsen" title="Drake Thomsen"/></a> <a href="https://github.com/search?q=Felix%20Krause"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Felix Krause" title="Felix Krause"/></a> <a href="https://github.com/gtsifrikas"><img src="https://avatars.githubusercontent.com/u/8904378?v=4&s=48" width="48" height="48" alt="gtsifrikas" title="gtsifrikas"/></a> <a href="https://github.com/HazAT"><img src="https://avatars.githubusercontent.com/u/363802?v=4&s=48" width="48" height="48" alt="HazAT" title="HazAT"/></a> <a href="https://github.com/hrdwdmrbl"><img src="https://avatars.githubusercontent.com/u/554881?v=4&s=48" width="48" height="48" alt="hrdwdmrbl" title="hrdwdmrbl"/></a> <a href="https://github.com/hugobarauna"><img src="https://avatars.githubusercontent.com/u/2719?v=4&s=48" width="48" height="48" alt="hugobarauna" title="hugobarauna"/></a> <a href="https://github.com/search?q=Jamie%20Openshaw"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Jamie Openshaw" title="Jamie Openshaw"/></a> <a href="https://github.com/search?q=Jarvis"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Jarvis" title="Jarvis"/></a>
  <a href="https://github.com/search?q=Jefferson%20Nunn"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Jefferson Nunn" title="Jefferson Nunn"/></a> <a href="https://github.com/search?q=Kevin%20Lin"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Kevin Lin" title="Kevin Lin"/></a> <a href="https://github.com/kitze"><img src="https://avatars.githubusercontent.com/u/1160594?v=4&s=48" width="48" height="48" alt="kitze" title="kitze"/></a> <a href="https://github.com/levifig"><img src="https://avatars.githubusercontent.com/u/1605?v=4&s=48" width="48" height="48" alt="levifig" title="levifig"/></a> <a href="https://github.com/search?q=Lloyd"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Lloyd" title="Lloyd"/></a> <a href="https://github.com/loukotal"><img src="https://avatars.githubusercontent.com/u/18210858?v=4&s=48" width="48" height="48" alt="loukotal" title="loukotal"/></a> <a href="https://github.com/martinpucik"><img src="https://avatars.githubusercontent.com/u/5503097?v=4&s=48" width="48" height="48" alt="martinpucik" title="martinpucik"/></a> <a href="https://github.com/search?q=Miles"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Miles" title="Miles"/></a> <a href="https://github.com/mrdbstn"><img src="https://avatars.githubusercontent.com/u/58957632?v=4&s=48" width="48" height="48" alt="mrdbstn" title="mrdbstn"/></a> <a href="https://github.com/MSch"><img src="https://avatars.githubusercontent.com/u/7475?v=4&s=48" width="48" height="48" alt="MSch" title="MSch"/></a>
-  <a href="https://github.com/search?q=Mustafa%20Tag%20Eldeen"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Mustafa Tag Eldeen" title="Mustafa Tag Eldeen"/></a> <a href="https://github.com/ndraiman"><img src="https://avatars.githubusercontent.com/u/12609607?v=4&s=48" width="48" height="48" alt="ndraiman" title="ndraiman"/></a> <a href="https://github.com/nexty5870"><img src="https://avatars.githubusercontent.com/u/3869659?v=4&s=48" width="48" height="48" alt="nexty5870" title="nexty5870"/></a> <a href="https://github.com/odysseus0"><img src="https://avatars.githubusercontent.com/u/8635094?v=4&s=48" width="48" height="48" alt="odysseus0" title="odysseus0"/></a> <a href="https://github.com/prathamdby"><img src="https://avatars.githubusercontent.com/u/134331217?v=4&s=48" width="48" height="48" alt="prathamdby" title="prathamdby"/></a> <a href="https://github.com/ptn1411"><img src="https://avatars.githubusercontent.com/u/57529765?v=4&s=48" width="48" height="48" alt="ptn1411" title="ptn1411"/></a> <a href="https://github.com/reeltimeapps"><img src="https://avatars.githubusercontent.com/u/637338?v=4&s=48" width="48" height="48" alt="reeltimeapps" title="reeltimeapps"/></a> <a href="https://github.com/RLTCmpe"><img src="https://avatars.githubusercontent.com/u/10762242?v=4&s=48" width="48" height="48" alt="RLTCmpe" title="RLTCmpe"/></a> <a href="https://github.com/robbyczgw-cla"><img src="https://avatars.githubusercontent.com/u/239660374?v=4&s=48" width="48" height="48" alt="robbyczgw-cla" title="robbyczgw-cla"/></a> <a href="https://github.com/rodrigouroz"><img src="https://avatars.githubusercontent.com/u/384037?v=4&s=48" width="48" height="48" alt="rodrigouroz" title="rodrigouroz"/></a>
-  <a href="https://github.com/search?q=Rolf%20Fredheim"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Rolf Fredheim" title="Rolf Fredheim"/></a> <a href="https://github.com/search?q=Rony%20Kelner"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Rony Kelner" title="Rony Kelner"/></a> <a href="https://github.com/search?q=Samrat%20Jha"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Samrat Jha" title="Samrat Jha"/></a> <a href="https://github.com/siraht"><img src="https://avatars.githubusercontent.com/u/73152895?v=4&s=48" width="48" height="48" alt="siraht" title="siraht"/></a> <a href="https://github.com/snopoke"><img src="https://avatars.githubusercontent.com/u/249606?v=4&s=48" width="48" height="48" alt="snopoke" title="snopoke"/></a> <a href="https://github.com/search?q=The%20Admiral"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="The Admiral" title="The Admiral"/></a> <a href="https://github.com/thesash"><img src="https://avatars.githubusercontent.com/u/1166151?v=4&s=48" width="48" height="48" alt="thesash" title="thesash"/></a> <a href="https://github.com/search?q=Ubuntu"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Ubuntu" title="Ubuntu"/></a> <a href="https://github.com/voidserf"><img src="https://avatars.githubusercontent.com/u/477673?v=4&s=48" width="48" height="48" alt="voidserf" title="voidserf"/></a> <a href="https://github.com/search?q=Vultr-Clawd%20Admin"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Vultr-Clawd Admin" title="Vultr-Clawd Admin"/></a>
-  <a href="https://github.com/search?q=Wimmie"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Wimmie" title="Wimmie"/></a> <a href="https://github.com/wstock"><img src="https://avatars.githubusercontent.com/u/1394687?v=4&s=48" width="48" height="48" alt="wstock" title="wstock"/></a> <a href="https://github.com/yazinsai"><img src="https://avatars.githubusercontent.com/u/1846034?v=4&s=48" width="48" height="48" alt="yazinsai" title="yazinsai"/></a> <a href="https://github.com/search?q=Zach%20Knickerbocker"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Zach Knickerbocker" title="Zach Knickerbocker"/></a> <a href="https://github.com/Alphonse-arianee"><img src="https://avatars.githubusercontent.com/u/254457365?v=4&s=48" width="48" height="48" alt="Alphonse-arianee" title="Alphonse-arianee"/></a> <a href="https://github.com/search?q=Azade"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Azade" title="Azade"/></a> <a href="https://github.com/carlulsoe"><img src="https://avatars.githubusercontent.com/u/34673973?v=4&s=48" width="48" height="48" alt="carlulsoe" title="carlulsoe"/></a> <a href="https://github.com/search?q=ddyo"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="ddyo" title="ddyo"/></a> <a href="https://github.com/search?q=Erik"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Erik" title="Erik"/></a> <a href="https://github.com/latitudeki5223"><img src="https://avatars.githubusercontent.com/u/119656367?v=4&s=48" width="48" height="48" alt="latitudeki5223" title="latitudeki5223"/></a>
-  <a href="https://github.com/search?q=Manuel%20Maly"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Manuel Maly" title="Manuel Maly"/></a> <a href="https://github.com/search?q=Mourad%20Boustani"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Mourad Boustani" title="Mourad Boustani"/></a> <a href="https://github.com/odrobnik"><img src="https://avatars.githubusercontent.com/u/333270?v=4&s=48" width="48" height="48" alt="odrobnik" title="odrobnik"/></a> <a href="https://github.com/pcty-nextgen-ios-builder"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="pcty-nextgen-ios-builder" title="pcty-nextgen-ios-builder"/></a> <a href="https://github.com/search?q=Quentin"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Quentin" title="Quentin"/></a> <a href="https://github.com/search?q=Randy%20Torres"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Randy Torres" title="Randy Torres"/></a> <a href="https://github.com/rhjoh"><img src="https://avatars.githubusercontent.com/u/105699450?v=4&s=48" width="48" height="48" alt="rhjoh" title="rhjoh"/></a> <a href="https://github.com/ronak-guliani"><img src="https://avatars.githubusercontent.com/u/23518228?v=4&s=48" width="48" height="48" alt="ronak-guliani" title="ronak-guliani"/></a> <a href="https://github.com/search?q=William%20Stock"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="William Stock" title="William Stock"/></a>
+  <a href="https://github.com/search?q=Mustafa%20Tag%20Eldeen"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Mustafa Tag Eldeen" title="Mustafa Tag Eldeen"/></a> <a href="https://github.com/ndraiman"><img src="https://avatars.githubusercontent.com/u/12609607?v=4&s=48" width="48" height="48" alt="ndraiman" title="ndraiman"/></a> <a href="https://github.com/nexty5870"><img src="https://avatars.githubusercontent.com/u/3869659?v=4&s=48" width="48" height="48" alt="nexty5870" title="nexty5870"/></a> <a href="https://github.com/odysseus0"><img src="https://avatars.githubusercontent.com/u/8635094?v=4&s=48" width="48" height="48" alt="odysseus0" title="odysseus0"/></a> <a href="https://github.com/prathamdby"><img src="https://avatars.githubusercontent.com/u/134331217?v=4&s=48" width="48" height="48" alt="prathamdby" title="prathamdby"/></a> <a href="https://github.com/reeltimeapps"><img src="https://avatars.githubusercontent.com/u/637338?v=4&s=48" width="48" height="48" alt="reeltimeapps" title="reeltimeapps"/></a> <a href="https://github.com/RLTCmpe"><img src="https://avatars.githubusercontent.com/u/10762242?v=4&s=48" width="48" height="48" alt="RLTCmpe" title="RLTCmpe"/></a> <a href="https://github.com/rodrigouroz"><img src="https://avatars.githubusercontent.com/u/384037?v=4&s=48" width="48" height="48" alt="rodrigouroz" title="rodrigouroz"/></a> <a href="https://github.com/search?q=Rolf%20Fredheim"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Rolf Fredheim" title="Rolf Fredheim"/></a> <a href="https://github.com/search?q=Rony%20Kelner"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Rony Kelner" title="Rony Kelner"/></a>
+  <a href="https://github.com/search?q=Samrat%20Jha"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Samrat Jha" title="Samrat Jha"/></a> <a href="https://github.com/siraht"><img src="https://avatars.githubusercontent.com/u/73152895?v=4&s=48" width="48" height="48" alt="siraht" title="siraht"/></a> <a href="https://github.com/snopoke"><img src="https://avatars.githubusercontent.com/u/249606?v=4&s=48" width="48" height="48" alt="snopoke" title="snopoke"/></a> <a href="https://github.com/search?q=The%20Admiral"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="The Admiral" title="The Admiral"/></a> <a href="https://github.com/thesash"><img src="https://avatars.githubusercontent.com/u/1166151?v=4&s=48" width="48" height="48" alt="thesash" title="thesash"/></a> <a href="https://github.com/search?q=Ubuntu"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Ubuntu" title="Ubuntu"/></a> <a href="https://github.com/voidserf"><img src="https://avatars.githubusercontent.com/u/477673?v=4&s=48" width="48" height="48" alt="voidserf" title="voidserf"/></a> <a href="https://github.com/wstock"><img src="https://avatars.githubusercontent.com/u/1394687?v=4&s=48" width="48" height="48" alt="wstock" title="wstock"/></a> <a href="https://github.com/search?q=Zach%20Knickerbocker"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Zach Knickerbocker" title="Zach Knickerbocker"/></a> <a href="https://github.com/Alphonse-arianee"><img src="https://avatars.githubusercontent.com/u/254457365?v=4&s=48" width="48" height="48" alt="Alphonse-arianee" title="Alphonse-arianee"/></a>
+  <a href="https://github.com/search?q=Azade"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Azade" title="Azade"/></a> <a href="https://github.com/carlulsoe"><img src="https://avatars.githubusercontent.com/u/34673973?v=4&s=48" width="48" height="48" alt="carlulsoe" title="carlulsoe"/></a> <a href="https://github.com/search?q=ddyo"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="ddyo" title="ddyo"/></a> <a href="https://github.com/search?q=Erik"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Erik" title="Erik"/></a> <a href="https://github.com/latitudeki5223"><img src="https://avatars.githubusercontent.com/u/119656367?v=4&s=48" width="48" height="48" alt="latitudeki5223" title="latitudeki5223"/></a> <a href="https://github.com/search?q=Manuel%20Maly"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Manuel Maly" title="Manuel Maly"/></a> <a href="https://github.com/search?q=Mourad%20Boustani"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Mourad Boustani" title="Mourad Boustani"/></a> <a href="https://github.com/odrobnik"><img src="https://avatars.githubusercontent.com/u/333270?v=4&s=48" width="48" height="48" alt="odrobnik" title="odrobnik"/></a> <a href="https://github.com/pcty-nextgen-ios-builder"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="pcty-nextgen-ios-builder" title="pcty-nextgen-ios-builder"/></a> <a href="https://github.com/search?q=Quentin"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Quentin" title="Quentin"/></a>
+  <a href="https://github.com/search?q=Randy%20Torres"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Randy Torres" title="Randy Torres"/></a> <a href="https://github.com/rhjoh"><img src="https://avatars.githubusercontent.com/u/105699450?v=4&s=48" width="48" height="48" alt="rhjoh" title="rhjoh"/></a> <a href="https://github.com/ronak-guliani"><img src="https://avatars.githubusercontent.com/u/23518228?v=4&s=48" width="48" height="48" alt="ronak-guliani" title="ronak-guliani"/></a> <a href="https://github.com/search?q=William%20Stock"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="William Stock" title="William Stock"/></a>
 </p>
--- a/appcast.xml
+++ b/appcast.xml
@@ -2,270 +2,6 @@
 <rss xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" version="2.0">
    <channel>
        <title>Clawdbot</title>
-        <item>
-            <title>2026.1.21</title>
-            <pubDate>Thu, 22 Jan 2026 12:22:35 +0000</pubDate>
-            <link>https://raw.githubusercontent.com/clawdbot/clawdbot/main/appcast.xml</link>
-            <sparkle:version>7374</sparkle:version>
-            <sparkle:shortVersionString>2026.1.21</sparkle:shortVersionString>
-            <sparkle:minimumSystemVersion>15.0</sparkle:minimumSystemVersion>
-            <description><![CDATA[<h2>Clawdbot 2026.1.21</h2>
-<h3>Highlights</h3>
-<ul>
-<li>Lobster optional plugin tool for typed workflows + approval gates. https://docs.clawd.bot/tools/lobster</li>
-<li>Custom assistant identity + avatars in the Control UI. https://docs.clawd.bot/cli/agents https://docs.clawd.bot/web/control-ui</li>
-<li>Cache optimizations: cache-ttl pruning + defaults reduce token spend on cold requests. https://docs.clawd.bot/concepts/session-pruning</li>
-<li>Exec approvals + elevated ask/full modes. https://docs.clawd.bot/tools/exec-approvals https://docs.clawd.bot/tools/elevated</li>
-<li>Signal typing/read receipts + MSTeams attachments. https://docs.clawd.bot/channels/signal https://docs.clawd.bot/channels/msteams</li>
-<li><code>/models</code> UX refresh + <code>clawdbot update wizard</code>. https://docs.clawd.bot/cli/models https://docs.clawd.bot/cli/update</li>
-</ul>
-<h3>Changes</h3>
-<ul>
-<li>Highlight: Lobster optional plugin tool for typed workflows + approval gates. https://docs.clawd.bot/tools/lobster (#1152) Thanks @vignesh07.</li>
-<li>Agents/UI: add identity avatar config support and Control UI avatar rendering. (#1329, #1424) Thanks @dlauer. https://docs.clawd.bot/gateway/configuration https://docs.clawd.bot/cli/agents</li>
-<li>Control UI: add custom assistant identity support and per-session identity display. (#1420) Thanks @robbyczgw-cla. https://docs.clawd.bot/web/control-ui</li>
-<li>CLI: add <code>clawdbot update wizard</code> with interactive channel selection + restart prompts, plus preflight checks before rebasing. https://docs.clawd.bot/cli/update</li>
-<li>Models/Commands: add <code>/models</code>, improve <code>/model</code> listing UX, and expand <code>clawdbot models</code> paging. (#1398) Thanks @vignesh07. https://docs.clawd.bot/cli/models</li>
-<li>CLI: move gateway service commands under <code>clawdbot gateway</code>, flatten node service commands under <code>clawdbot node</code>, and add <code>gateway probe</code> for reachability. https://docs.clawd.bot/cli/gateway https://docs.clawd.bot/cli/node</li>
-<li>Exec: add elevated ask/full modes, tighten allowlist gating, and render approvals tables on write. https://docs.clawd.bot/tools/elevated https://docs.clawd.bot/tools/exec-approvals</li>
-<li>Exec approvals: default to local host, add gateway/node targeting + target details, support wildcard agent allowlists, and tighten allowlist parsing/safe bins. https://docs.clawd.bot/cli/approvals https://docs.clawd.bot/tools/exec-approvals</li>
-<li>Heartbeat: allow explicit session keys and active hours. (#1256) Thanks @zknicker. https://docs.clawd.bot/gateway/heartbeat</li>
-<li>Sessions: add per-channel idle durations via <code>sessions.channelIdleMinutes</code>. (#1353) Thanks @cash-echo-bot.</li>
-<li>Nodes: run exec-style, expose PATH in status/describe, and bootstrap PATH for node-host execution. https://docs.clawd.bot/cli/node</li>
-<li>Cache: add <code>cache.ttlPrune</code> mode and auth-aware defaults for cache TTL behavior.</li>
-<li>Queue: add per-channel debounce overrides for auto-reply. https://docs.clawd.bot/concepts/queue</li>
-<li>Discord: add wildcard channel config support. (#1334) Thanks @pvoo. https://docs.clawd.bot/channels/discord</li>
-<li>Signal: add typing indicators and DM read receipts via signal-cli. https://docs.clawd.bot/channels/signal</li>
-<li>MSTeams: add file uploads, adaptive cards, and attachment handling improvements. (#1410) Thanks @Evizero. https://docs.clawd.bot/channels/msteams</li>
-<li>Onboarding: remove the run setup-token auth option (paste setup-token or reuse CLI creds instead).</li>
-<li>macOS: refresh Settings (location access in Permissions, connection mode in menu, remove CLI install UI).</li>
-<li>Diagnostics: add cache trace config for debugging. (#1370) Thanks @parubets.</li>
-<li>Docs: Lobster guides + org URL updates, /model allowlist troubleshooting, Gmail message search examples, gateway.mode troubleshooting, prompt injection guidance, npm prefix/node CLI notes, control UI dev gatewayUrl note, tool_use FAQ, showcase video, and sharp/node-gyp workaround. (#1427, #1220, #1405) Thanks @vignesh07, @mbelinky.</li>
-</ul>
-<h3>Breaking</h3>
-<ul>
-<li><strong>BREAKING:</strong> Control UI now rejects insecure HTTP without device identity by default. Use HTTPS (Tailscale Serve) or set <code>gateway.controlUi.allowInsecureAuth: true</code> to allow token-only auth. https://docs.clawd.bot/web/control-ui#insecure-http</li>
-<li><strong>BREAKING:</strong> Envelope and system event timestamps now default to host-local time (was UTC) so agents don’t have to constantly convert.</li>
-</ul>
-<h3>Fixes</h3>
-<ul>
-<li>Streaming/Typing/Media: keep reply tags across streamed chunks, start typing indicators at run start, and accept MEDIA paths with spaces/tilde while preferring the message tool hint for image replies.</li>
-<li>Agents/Providers: drop unsigned thinking blocks for Claude models (Google Antigravity) and enforce alphanumeric tool call ids for strict providers (Mistral/OpenRouter). (#1372) Thanks @zerone0x.</li>
-<li>Exec approvals: treat main as the default agent, align node/gateway allowlist prechecks, validate resolved paths, avoid allowlist resolve races, and avoid null optional params. (#1417, #1414, #1425) Thanks @czekaj.</li>
-<li>Exec/Windows: resolve Windows exec paths with extensions and handle safe-bin exe names.</li>
-<li>Nodes/macOS: prompt on allowlist miss for node exec approvals, persist allowlist decisions, and flatten node invoke errors. (#1394) Thanks @ngutman.</li>
-<li>Gateway: prevent multiple gateways from sharing the same config/state (singleton lock), keep auto bind loopback-first with explicit tailnet binding, and improve SSH auth handling. (#1380)</li>
-<li>Control UI: remove the chat stop button, keep the composer aligned to the bottom edge, stabilize session previews, and refresh the debug panel on route-driven tab changes. (#1373) Thanks @yazinsai.</li>
-<li>UI/config: export <code>SECTION_META</code> for config form modules. (#1418) Thanks @MaudeBot.</li>
-<li>macOS: keep chat pinned during streaming replies, include Textual resources, respect wildcard exec approvals, allow SSH agent auth, and default distribution builds to universal binaries. (#1279, #1362, #1384, #1396) Thanks @ameno-, @JustYannicc.</li>
-<li>BlueBubbles: resolve short message IDs safely, expose full IDs in templates, and harden short-id fetch wrappers. (#1369, #1387) Thanks @tyler6204.</li>
-<li>Models/Configure: inherit session model overrides in threads/topics, map OpenCode Zen models to the correct APIs, narrow Anthropic OAuth allowlist handling, seed allowlist fallbacks, list the full catalog when no allowlist is set, and limit <code>/model</code> list output. (#1376, #1416)</li>
-<li>Memory: prevent CLI hangs by deferring vector probes, add sqlite-vec/embedding timeouts, and make session memory indexing async.</li>
-<li>Cron: cap reminder context history to 10 messages and honor <code>contextMessages</code>. (#1103) Thanks @mkbehr.</li>
-<li>Cache: restore the 1h cache TTL option and reset the pruning window.</li>
-<li>Zalo Personal: tolerate ANSI/log-prefixed JSON output from <code>zca</code>. (#1379) Thanks @ptn1411.</li>
-<li>Browser: suppress Chrome restore prompts for managed profiles. (#1419) Thanks @jamesgroat.</li>
-<li>Infra: preserve fetch helper methods/preconnect when wrapping abort signals and normalize Telegram fetch aborts.</li>
-<li>Config/Doctor: avoid stack traces for invalid configs, log the config path, avoid WhatsApp config resurrection, and warn when <code>gateway.mode</code> is unset. (#900)</li>
-<li>CLI: read Codex CLI account_id for workspace billing. (#1422) Thanks @aj47.</li>
-<li>Logs/Status: align rolling log filenames with local time and report sandboxed runtime in <code>clawdbot status</code>. (#1343)</li>
-<li>Embedded runner: persist injected history images so attachments aren’t reloaded each turn. (#1374) Thanks @Nicell.</li>
-<li>Nodes/Subagents: include agent/node/gateway context in tool failure logs and ensure subagent list uses the command session.</li>
-</ul>
-<p><a href="https://github.com/clawdbot/clawdbot/blob/main/CHANGELOG.md">View full changelog</a></p>
-]]></description>
-            <enclosure url="https://github.com/clawdbot/clawdbot/releases/download/v2026.1.21/Clawdbot-2026.1.21.zip" length="22284796" type="application/octet-stream" sparkle:edSignature="pXji4NMA/cu35iMxln385d6LnsT4yIZtFtFiR7sIimKeSC2CsyeWzzSD0EhJsN98PdSoy69iEFZt4I2ZtNCECg=="/>
-        </item>
-        <item>
-            <title>2026.1.21</title>
-            <pubDate>Wed, 21 Jan 2026 08:18:22 +0000</pubDate>
-            <link>https://raw.githubusercontent.com/clawdbot/clawdbot/main/appcast.xml</link>
-            <sparkle:version>7116</sparkle:version>
-            <sparkle:shortVersionString>2026.1.21</sparkle:shortVersionString>
-            <sparkle:minimumSystemVersion>15.0</sparkle:minimumSystemVersion>
-            <description><![CDATA[<h2>Clawdbot 2026.1.21</h2>
-<h3>Changes</h3>
-<ul>
-<li>Control UI: add copy-as-markdown with error feedback. (#1345) https://docs.clawd.bot/web/control-ui</li>
-<li>Control UI: drop the legacy list view. (#1345) https://docs.clawd.bot/web/control-ui</li>
-<li>TUI: add syntax highlighting for code blocks. (#1200) https://docs.clawd.bot/tui</li>
-<li>TUI: session picker shows derived titles, fuzzy search, relative times, and last message preview. (#1271) https://docs.clawd.bot/tui</li>
-<li>TUI: add a searchable model picker for quicker model selection. (#1198) https://docs.clawd.bot/tui</li>
-<li>TUI: add input history (up/down) for submitted messages. (#1348) https://docs.clawd.bot/tui</li>
-<li>ACP: add <code>clawdbot acp</code> for IDE integrations. https://docs.clawd.bot/cli/acp</li>
-<li>ACP: add <code>clawdbot acp client</code> interactive harness for debugging. https://docs.clawd.bot/cli/acp</li>
-<li>Skills: add download installs with OS-filtered options. https://docs.clawd.bot/tools/skills</li>
-<li>Skills: add the local sherpa-onnx-tts skill. https://docs.clawd.bot/tools/skills</li>
-<li>Memory: add hybrid BM25 + vector search (FTS5) with weighted merging and fallback. https://docs.clawd.bot/concepts/memory</li>
-<li>Memory: add SQLite embedding cache to speed up reindexing and frequent updates. https://docs.clawd.bot/concepts/memory</li>
-<li>Memory: add OpenAI batch indexing for embeddings when configured. https://docs.clawd.bot/concepts/memory</li>
-<li>Memory: enable OpenAI batch indexing by default for OpenAI embeddings. https://docs.clawd.bot/concepts/memory</li>
-<li>Memory: allow parallel OpenAI batch indexing jobs (default concurrency: 2). https://docs.clawd.bot/concepts/memory</li>
-<li>Memory: render progress immediately, color batch statuses in verbose logs, and poll OpenAI batch status every 2s by default. https://docs.clawd.bot/concepts/memory</li>
-<li>Memory: add <code>--verbose</code> logging for memory status + batch indexing details. https://docs.clawd.bot/concepts/memory</li>
-<li>Memory: add native Gemini embeddings provider for memory search. (#1151) https://docs.clawd.bot/concepts/memory</li>
-<li>Browser: allow config defaults for efficient snapshots in the tool/CLI. (#1336) https://docs.clawd.bot/tools/browser</li>
-<li>Nostr: add the Nostr channel plugin with profile management + onboarding defaults. (#1323) https://docs.clawd.bot/channels/nostr</li>
-<li>Matrix: migrate to matrix-bot-sdk with E2EE support, location handling, and group allowlist upgrades. (#1298) https://docs.clawd.bot/channels/matrix</li>
-<li>Slack: add HTTP webhook mode via Bolt HTTP receiver. (#1143) https://docs.clawd.bot/channels/slack</li>
-<li>Telegram: enrich forwarded-message context with normalized origin details + legacy fallback. (#1090) https://docs.clawd.bot/channels/telegram</li>
-<li>Discord: fall back to <code>/skill</code> when native command limits are exceeded. (#1287)</li>
-<li>Discord: expose <code>/skill</code> globally. (#1287)</li>
-<li>Zalouser: add channel dock metadata, config schema, setup wiring, probe, and status issues. (#1219) https://docs.clawd.bot/plugins/zalouser</li>
-<li>Plugins: require manifest-embedded config schemas with preflight validation warnings. (#1272) https://docs.clawd.bot/plugins/manifest</li>
-<li>Plugins: move channel catalog metadata into plugin manifests. (#1290) https://docs.clawd.bot/plugins/manifest</li>
-<li>Plugins: align Nextcloud Talk policy helpers with core patterns. (#1290) https://docs.clawd.bot/plugins/manifest</li>
-<li>Plugins/UI: let channel plugin metadata drive UI labels/icons and cron channel options. (#1306) https://docs.clawd.bot/web/control-ui</li>
-<li>Plugins: add plugin slots with a dedicated memory slot selector. https://docs.clawd.bot/plugins/agent-tools</li>
-<li>Plugins: ship the bundled BlueBubbles channel plugin (disabled by default). https://docs.clawd.bot/channels/bluebubbles</li>
-<li>Plugins: migrate bundled messaging extensions to the plugin SDK and resolve plugin-sdk imports in the loader.</li>
-<li>Plugins: migrate the Zalo plugin to the shared plugin SDK runtime. https://docs.clawd.bot/channels/zalo</li>
-<li>Plugins: migrate the Zalo Personal plugin to the shared plugin SDK runtime. https://docs.clawd.bot/plugins/zalouser</li>
-<li>Plugins: allow optional agent tools with explicit allowlists and add the plugin tool authoring guide. https://docs.clawd.bot/plugins/agent-tools</li>
-<li>Plugins: auto-enable bundled channel/provider plugins when configuration is present.</li>
-<li>Plugins: sync plugin sources on channel switches and update npm-installed plugins during <code>clawdbot update</code>.</li>
-<li>Plugins: share npm plugin update logic between <code>clawdbot update</code> and <code>clawdbot plugins update</code>.</li>
-<li>Gateway/API: add <code>/v1/responses</code> (OpenResponses) with item-based input + semantic streaming events. (#1229)</li>
-<li>Gateway/API: expand <code>/v1/responses</code> to support file/image inputs, tool_choice, usage, and output limits. (#1229)</li>
-<li>Usage: add <code>/usage cost</code> summaries and macOS menu cost charts. https://docs.clawd.bot/reference/api-usage-costs</li>
-<li>Security: warn when <=300B models run without sandboxing while web tools are enabled. https://docs.clawd.bot/cli/security</li>
-<li>Exec: add host/security/ask routing for gateway + node exec. https://docs.clawd.bot/tools/exec</li>
-<li>Exec: add <code>/exec</code> directive for per-session exec defaults (host/security/ask/node). https://docs.clawd.bot/tools/exec</li>
-<li>Exec approvals: migrate approvals to <code>~/.clawdbot/exec-approvals.json</code> with per-agent allowlists + skill auto-allow toggle, and add approvals UI + node exec lifecycle events. https://docs.clawd.bot/tools/exec-approvals</li>
-<li>Nodes: add headless node host (<code>clawdbot node start</code>) for <code>system.run</code>/<code>system.which</code>. https://docs.clawd.bot/cli/node</li>
-<li>Nodes: add node daemon service install/status/start/stop/restart. https://docs.clawd.bot/cli/node</li>
-<li>Bridge: add <code>skills.bins</code> RPC to support node host auto-allow skill bins.</li>
-<li>Sessions: add daily reset policy with per-type overrides and idle windows (default 4am local), preserving legacy idle-only configs. (#1146) https://docs.clawd.bot/concepts/session</li>
-<li>Sessions: allow <code>sessions_spawn</code> to override thinking level for sub-agent runs. https://docs.clawd.bot/tools/subagents</li>
-<li>Channels: unify thread/topic allowlist matching + command/mention gating helpers across core providers. https://docs.clawd.bot/concepts/groups</li>
-<li>Models: add Qwen Portal OAuth provider support. (#1120) https://docs.clawd.bot/providers/qwen</li>
-<li>Onboarding: add allowlist prompts and username-to-id resolution across core and extension channels. https://docs.clawd.bot/start/onboarding</li>
-<li>Docs: clarify allowlist input types and onboarding behavior for messaging channels. https://docs.clawd.bot/start/onboarding</li>
-<li>Docs: refresh Android node discovery docs for the Gateway WS service type. https://docs.clawd.bot/platforms/android</li>
-<li>Docs: surface Amazon Bedrock in provider lists and clarify Bedrock auth env vars. (#1289) https://docs.clawd.bot/bedrock</li>
-<li>Docs: clarify WhatsApp voice notes. https://docs.clawd.bot/channels/whatsapp</li>
-<li>Docs: clarify Windows WSL portproxy LAN access notes. https://docs.clawd.bot/platforms/windows</li>
-<li>Docs: refresh bird skill install metadata and usage notes. (#1302) https://docs.clawd.bot/tools/browser-login</li>
-<li>Agents: add local docs path resolution and include docs/mirror/source/community pointers in the system prompt.</li>
-<li>Agents: clarify node_modules read-only guidance in agent instructions.</li>
-<li>Config: stamp last-touched metadata on write and warn if the config is newer than the running build.</li>
-<li>macOS: hide usage section when usage is unavailable instead of showing provider errors.</li>
-<li>Android: migrate node transport to the Gateway WebSocket protocol with TLS pinning support + gateway discovery naming.</li>
-<li>Android: send structured payloads in node events/invokes and include user-agent metadata in gateway connects.</li>
-<li>Android: remove legacy bridge transport code now that nodes use the gateway protocol.</li>
-<li>Android: bump okhttp + dnsjava to satisfy lint dependency checks.</li>
-<li>Build: update workspace + core/plugin deps.</li>
-<li>Build: use tsgo for dev/watch builds by default (opt out with <code>CLAWDBOT_TS_COMPILER=tsc</code>).</li>
-<li>Repo: remove the Peekaboo git submodule now that the SPM release is used.</li>
-<li>macOS: switch PeekabooBridge integration to the tagged Swift Package Manager release.</li>
-<li>macOS: stop syncing Peekaboo in postinstall.</li>
-<li>Swabble: use the tagged Commander Swift package release.</li>
-</ul>
-<h3>Breaking</h3>
-<ul>
-<li><strong>BREAKING:</strong> Reject invalid/unknown config entries and refuse to start the gateway for safety. Run <code>clawdbot doctor --fix</code> to repair, then update plugins (<code>clawdbot plugins update</code>) if you use any.</li>
-</ul>
-<h3>Fixes</h3>
-<ul>
-<li>Discovery: shorten Bonjour DNS-SD service type to <code>_clawdbot-gw._tcp</code> and update discovery clients/docs.</li>
-<li>Diagnostics: export OTLP logs, correct queue depth tracking, and document message-flow telemetry.</li>
-<li>Diagnostics: emit message-flow diagnostics across channels via shared dispatch. (#1244)</li>
-<li>Diagnostics: gate heartbeat/webhook logging. (#1244)</li>
-<li>Gateway: strip inbound envelope headers from chat history messages to keep clients clean.</li>
-<li>Gateway: clarify unauthorized handshake responses with token/password mismatch guidance.</li>
-<li>Gateway: allow mobile node client ids for iOS + Android handshake validation. (#1354)</li>
-<li>Gateway: clarify connect/validation errors for gateway params. (#1347)</li>
-<li>Gateway: preserve restart wake routing + thread replies across restarts. (#1337)</li>
-<li>Gateway: reschedule per-agent heartbeats on config hot reload without restarting the runner.</li>
-<li>Gateway: require authorized restarts for SIGUSR1 (restart/apply/update) so config gating can't be bypassed.</li>
-<li>Cron: auto-deliver isolated agent output to explicit targets without tool calls. (#1285)</li>
-<li>Agents: preserve subagent announce thread/topic routing + queued replies across channels. (#1241)</li>
-<li>Agents: propagate accountId into embedded runs so sub-agent announce routing honors the originating account. (#1058)</li>
-<li>Agents: avoid treating timeout errors with "aborted" messages as user aborts, so model fallback still runs. (#1137)</li>
-<li>Agents: sanitize oversized image payloads before send and surface image-dimension errors.</li>
-<li>Sessions: fall back to session labels when listing display names. (#1124)</li>
-<li>Compaction: include tool failure summaries in safeguard compaction to prevent retry loops. (#1084)</li>
-<li>Config: log invalid config issues once per run and keep invalid-config errors stackless.</li>
-<li>Config: allow Perplexity as a web_search provider in config validation. (#1230)</li>
-<li>Config: allow custom fields under <code>skills.entries.<name>.config</code> for skill credentials/config. (#1226)</li>
-<li>Doctor: clarify plugin auto-enable hint text in the startup banner.</li>
-<li>Doctor: canonicalize legacy session keys in session stores to prevent stale metadata. (#1169)</li>
-<li>Docs: make docs:list fail fast with a clear error if the docs directory is missing.</li>
-<li>Plugins: add Nextcloud Talk manifest for plugin config validation. (#1297)</li>
-<li>Plugins: surface plugin load/register/config errors in gateway logs with plugin/source context.</li>
-<li>CLI: preserve cron delivery settings when editing message payloads. (#1322)</li>
-<li>CLI: keep <code>clawdbot logs</code> output resilient to broken pipes while preserving progress output.</li>
-<li>CLI: avoid duplicating --profile/--dev flags when formatting commands.</li>
-<li>CLI: centralize CLI command registration to keep fast-path routing and program wiring in sync. (#1207)</li>
-<li>CLI: keep banners on routed commands, restore config guarding outside fast-path routing, and tighten fast-path flag parsing while skipping console capture for extra speed. (#1195)</li>
-<li>CLI: skip runner rebuilds when dist is fresh. (#1231)</li>
-<li>CLI: add WSL2/systemd unavailable hints in daemon status/doctor output.</li>
-<li>Status: route native <code>/status</code> to the active agent so model selection reflects the correct profile. (#1301)</li>
-<li>Status: show both usage windows with reset hints when usage data is available. (#1101)</li>
-<li>UI: keep config form enums typed, preserve empty strings, protect sensitive defaults, and deepen config search. (#1315)</li>
-<li>UI: preserve ordered list numbering in chat markdown. (#1341)</li>
-<li>UI: allow Control UI to read gatewayUrl from URL params for remote WebSocket targets. (#1342)</li>
-<li>UI: prevent double-scroll in Control UI chat by locking chat layout to the viewport. (#1283)</li>
-<li>UI: enable shell mode for sync Windows spawns to avoid <code>pnpm ui:build</code> EINVAL. (#1212)</li>
-<li>TUI: keep thinking blocks ordered before content during streaming and isolate per-run assembly. (#1202)</li>
-<li>TUI: align custom editor initialization with the latest pi-tui API. (#1298)</li>
-<li>TUI: show generic empty-state text for searchable pickers. (#1201)</li>
-<li>TUI: highlight model search matches and stabilize search ordering.</li>
-<li>Configure: hide OpenRouter auto routing model from the model picker. (#1182)</li>
-<li>Memory: show total file counts + scan issues in <code>clawdbot memory status</code>.</li>
-<li>Memory: fall back to non-batch embeddings after repeated batch failures.</li>
-<li>Memory: apply OpenAI batch defaults even without explicit remote config.</li>
-<li>Memory: index atomically so failed reindex preserves the previous memory database. (#1151)</li>
-<li>Memory: avoid sqlite-vec unique constraint failures when reindexing duplicate chunk ids. (#1151)</li>
-<li>Memory: retry transient 5xx errors (Cloudflare) during embedding indexing.</li>
-<li>Memory: parallelize embedding indexing with rate-limit retries.</li>
-<li>Memory: split overly long lines to keep embeddings under token limits.</li>
-<li>Memory: skip empty chunks to avoid invalid embedding inputs.</li>
-<li>Memory: split embedding batches to avoid OpenAI token limits during indexing.</li>
-<li>Memory: probe sqlite-vec availability in <code>clawdbot memory status</code>.</li>
-<li>Exec approvals: enforce allowlist when ask is off.</li>
-<li>Exec approvals: prefer raw command for node approvals/events.</li>
-<li>Tools: show exec elevated flag before the command and keep it outside markdown in tool summaries.</li>
-<li>Tools: return a companion-app-required message when node exec is requested with no paired node.</li>
-<li>Tools: return a companion-app-required message when <code>system.run</code> is requested without a supporting node.</li>
-<li>Exec: default gateway/node exec security to allowlist when unset (sandbox stays deny).</li>
-<li>Exec: prefer bash when fish is default shell, falling back to sh if bash is missing. (#1297)</li>
-<li>Exec: merge login-shell PATH for host=gateway exec while keeping daemon PATH minimal. (#1304)</li>
-<li>Streaming: emit assistant deltas for OpenAI-compatible SSE chunks. (#1147)</li>
-<li>Discord: make resolve warnings avoid raw JSON payloads on rate limits.</li>
-<li>Discord: process message handlers in parallel across sessions to avoid event queue blocking. (#1295)</li>
-<li>Discord: stop reconnecting the gateway after aborts to prevent duplicate listeners.</li>
-<li>Discord: only emit slow listener warnings after 30s.</li>
-<li>Discord: inherit parent channel allowlists for thread slash commands and reactions. (#1123)</li>
-<li>Telegram: honor pairing allowlists for native slash commands.</li>
-<li>Telegram: preserve hidden text_link URLs by expanding entities in inbound text. (#1118)</li>
-<li>Slack: resolve Bolt import interop for Bun + Node. (#1191)</li>
-<li>Web search: infer Perplexity base URL from API key source (direct vs OpenRouter).</li>
-<li>Web fetch: harden SSRF protection with shared hostname checks and redirect limits. (#1346)</li>
-<li>Browser: register AI snapshot refs for act commands. (#1282)</li>
-<li>Voice call: include request query in Twilio webhook verification when publicUrl is set. (#864)</li>
-<li>Anthropic: default API prompt caching to 1h with configurable TTL override.</li>
-<li>Anthropic: ignore TTL for OAuth.</li>
-<li>Auth profiles: keep auto-pinned preference while allowing rotation on failover. (#1138)</li>
-<li>Auth profiles: user pins stay locked. (#1138)</li>
-<li>Model catalog: avoid caching import failures, log transient discovery errors, and keep partial results. (#1332)</li>
-<li>Tests: stabilize Windows gateway/CLI tests by skipping sidecars, normalizing argv, and extending timeouts.</li>
-<li>Tests: stabilize plugin SDK resolution and embedded agent timeouts.</li>
-<li>Windows: install gateway scheduled task as the current user.</li>
-<li>Windows: show friendly guidance instead of failing on access denied.</li>
-<li>macOS: load menu session previews asynchronously so items populate while the menu is open.</li>
-<li>macOS: use label colors for session preview text so previews render in menu subviews.</li>
-<li>macOS: suppress usage error text in the menubar cost view.</li>
-<li>macOS: Doctor repairs LaunchAgent bootstrap issues for Gateway + Node when listed but not loaded. (#1166)</li>
-<li>macOS: avoid touching launchd in Remote over SSH so quitting the app no longer disables the remote gateway. (#1105)</li>
-<li>macOS: bundle Textual resources in packaged app builds to avoid code block crashes. (#1006)</li>
-<li>Daemon: include HOME in service environments to avoid missing HOME errors. (#1214)</li>
-</ul>
-Thanks @AlexMikhalev, @CoreyH, @John-Rood, @KrauseFx, @MaudeBot, @Nachx639, @NicholaiVogel, @RyanLisse, @ThePickle31, @VACInc, @Whoaa512, @YuriNachos, @aaronveklabs, @abdaraxus, @alauppe, @ameno-, @artuskg, @austinm911, @bradleypriest, @cheeeee, @dougvk, @fogboots, @gnarco, @gumadeiras, @jdrhyne, @joelklabo, @longmaba, @mukhtharcm, @odysseus0, @oscargavin, @rhjoh, @sebslight, @sibbl, @sleontenko, @steipete, @suminhthanh, @thewilloftheshadow, @tyler6204, @vignesh07, @visionik, @ysqander, @zerone0x.
-<p><a href="https://github.com/clawdbot/clawdbot/blob/main/CHANGELOG.md">View full changelog</a></p>
-]]></description>
-            <enclosure url="https://github.com/clawdbot/clawdbot/releases/download/v2026.1.21/Clawdbot-2026.1.21.zip" length="12208102" type="application/octet-stream" sparkle:edSignature="hU495Eii8O3qmmUnxYFhXyEGv+qan6KL+GpeuBhPIXf+7B5F/gBh5Oz9cHaqaAPoZ4/3Bo6xgvic0HTkbz6gDw=="/>
-        </item>
        <item>
            <title>2026.1.16-2</title>
            <pubDate>Sat, 17 Jan 2026 12:46:22 +0000</pubDate>
@@ -282,5 +18,258 @@ Thanks @AlexMikhalev, @CoreyH, @John-Rood, @KrauseFx, @MaudeBot, @Nachx639, @Nic
 ]]></description>
            <enclosure url="https://github.com/clawdbot/clawdbot/releases/download/v2026.1.16-2/Clawdbot-2026.1.16-2.zip" length="21399591" type="application/octet-stream" sparkle:edSignature="zelT+KzN32cXsihbFniPF5Heq0hkwFfL3Agrh/AaoKUkr7kJAFarkGSOZRTWZ9y+DvOluzn2wHHjVigRjMzrBA=="/>
        </item>
+        <item>
+            <title>2026.1.15</title>
+            <pubDate>Fri, 16 Jan 2026 10:31:53 +0000</pubDate>
+            <link>https://raw.githubusercontent.com/clawdbot/clawdbot/main/appcast.xml</link>
+            <sparkle:version>5998</sparkle:version>
+            <sparkle:shortVersionString>2026.1.15</sparkle:shortVersionString>
+            <sparkle:minimumSystemVersion>15.0</sparkle:minimumSystemVersion>
+            <description><![CDATA[<h2>Clawdbot 2026.1.15</h2>
+<h3>Highlights</h3>
+<ul>
+<li>Plugins: add provider auth registry + <code>clawdbot models auth login</code> for plugin-driven OAuth/API key flows.</li>
+<li>Browser: improve remote CDP/Browserless support (auth passthrough, <code>wss</code> upgrade, timeouts, clearer errors).</li>
+<li>Heartbeat: per-agent configuration + 24h duplicate suppression. (#980) — thanks @voidserf.</li>
+<li>Security: audit warns on weak model tiers; app nodes store auth tokens encrypted (Keychain/SecurePrefs).</li>
+</ul>
+<h3>Breaking</h3>
+<ul>
+<li><strong>BREAKING:</strong> iOS minimum version is now 18.0 to support Textual markdown rendering in native chat. (#702)</li>
+<li><strong>BREAKING:</strong> Microsoft Teams is now a plugin; install <code>@clawdbot/msteams</code> via <code>clawdbot plugins install @clawdbot/msteams</code>.</li>
+</ul>
+<h3>Changes</h3>
+<ul>
+<li>CLI: set process titles to <code>clawdbot-<command></code> for clearer process listings.</li>
+<li>CLI/macOS: sync remote SSH target/identity to config and let <code>gateway status</code> auto-infer SSH targets (ssh-config aware).</li>
+<li>Heartbeat: tighten prompt guidance + suppress duplicate alerts for 24h. (#980) — thanks @voidserf.</li>
+<li>Sessions/Security: add <code>session.dmScope</code> for multi-user DM isolation and audit warnings. (#948) — thanks @Alphonse-arianee.</li>
+<li>Plugins: add provider auth registry + <code>clawdbot models auth login</code> for plugin-driven OAuth/API key flows.</li>
+<li>Onboarding: switch channels setup to a single-select loop with per-channel actions and disabled hints in the picker.</li>
+<li>TUI: show provider/model labels for the active session and default model.</li>
+<li>Heartbeat: add per-agent heartbeat configuration and multi-agent docs example.</li>
+<li>UI: show gateway auth guidance + doc link on unauthorized Control UI connections.</li>
+<li>Security: warn on weak model tiers (Haiku, below GPT-5, below Claude 4.5) in <code>clawdbot security audit</code>.</li>
+<li>Apps: store node auth tokens encrypted (Keychain/SecurePrefs).</li>
+<li>Daemon: share profile/state-dir resolution across service helpers and honor <code>CLAWDBOT_STATE_DIR</code> for Windows task scripts.</li>
+<li>Docs: clarify multi-gateway rescue bot guidance. (#969) — thanks @bjesuiter.</li>
+<li>Agents: add Current Date & Time system prompt section with configurable time format (auto/12/24).</li>
+<li>Tools: normalize Slack/Discord message timestamps with <code>timestampMs</code>/<code>timestampUtc</code> while keeping raw provider fields.</li>
+<li>macOS: add <code>system.which</code> for prompt-free remote skill discovery (with gateway fallback to <code>system.run</code>).</li>
+<li>Docs: add Date & Time guide and update prompt/timezone configuration docs.</li>
+<li>Messages: debounce rapid inbound messages across channels with per-connector overrides. (#971) — thanks @juanpablodlc.</li>
+<li>Messages: allow media-only sends (CLI/tool) and show Telegram voice recording status for voice notes. (#957) — thanks @rdev.</li>
+<li>Auth/Status: keep auth profiles sticky per session (rotate on compaction/new), surface provider usage headers in <code>/status</code> and <code>clawdbot models status</code>, and update docs.</li>
+<li>CLI: add <code>--json</code> output for <code>clawdbot daemon</code> lifecycle/install commands.</li>
+<li>Memory: make <code>node-llama-cpp</code> an optional dependency (avoid Node 25 install failures) and improve local-embeddings fallback/errors.</li>
+<li>Browser: add <code>snapshot refs=aria</code> (Playwright aria-ref ids) for self-resolving refs across <code>snapshot</code> → <code>act</code>.</li>
+<li>Browser: <code>profile="chrome"</code> now defaults to host control and returns clearer “attach a tab” errors.</li>
+<li>Browser: prefer stable Chrome for auto-detect, with Brave/Edge fallbacks and updated docs. (#983) — thanks @cpojer.</li>
+<li>Browser: increase remote CDP reachability timeouts + add <code>remoteCdpTimeoutMs</code>/<code>remoteCdpHandshakeTimeoutMs</code>.</li>
+<li>Browser: preserve auth/query tokens for remote CDP endpoints and pass Basic auth for CDP HTTP/WS. (#895) — thanks @mukhtharcm.</li>
+<li>Telegram: add bidirectional reaction support with configurable notifications and agent guidance. (#964) — thanks @bohdanpodvirnyi.</li>
+<li>Telegram: allow custom commands in the bot menu (merged with native; conflicts ignored). (#860) — thanks @nachoiacovino.</li>
+<li>Discord: allow allowlisted guilds without channel lists to receive messages when <code>groupPolicy="allowlist"</code>. — thanks @thewilloftheshadow.</li>
+<li>Discord: allow emoji/sticker uploads + channel actions in config defaults. (#870) — thanks @JDIVE.</li>
+</ul>
+<h3>Fixes</h3>
+<ul>
+<li>Fix: list model picker entries as provider/model pairs for explicit selection. (#970) — thanks @mcinteerj.</li>
+<li>Fix: align OpenAI image-gen defaults with DALL-E 3 standard quality and document output formats. (#880) — thanks @mkbehr.</li>
+<li>Fix: persist <code>gateway.mode=local</code> after selecting Local run mode in <code>clawdbot configure</code>, even if no other sections are chosen.</li>
+<li>Daemon: fix profile-aware service label resolution (env-driven) and add coverage for launchd/systemd/schtasks. (#969) — thanks @bjesuiter.</li>
+<li>Agents: avoid false positives when logging unsupported Google tool schema keywords.</li>
+<li>Agents: skip Gemini history downgrades for google-antigravity to preserve tool calls. (#894) — thanks @mukhtharcm.</li>
+<li>Status: restore usage summary line for current provider when no OAuth profiles exist.</li>
+<li>Fix: guard model fallback against undefined provider/model values. (#954) — thanks @roshanasingh4.</li>
+<li>Fix: refactor session store updates, add chat.inject, and harden subagent cleanup flow. (#944) — thanks @tyler6204.</li>
+<li>Fix: clean up suspended CLI processes across backends. (#978) — thanks @Nachx639.</li>
+<li>Fix: support MiniMax coding plan usage responses with <code>model_remains</code>/<code>current_interval_*</code> payloads.</li>
+<li>Fix: suppress WhatsApp pairing replies for historical catch-up DMs on initial link. (#904)</li>
+<li>Browser: extension mode recovers when only one tab is attached (stale targetId fallback).</li>
+<li>Browser: fix <code>tab not found</code> for extension relay snapshots/actions when Playwright blocks <code>newCDPSession</code> (use the single available Page).</li>
+<li>Browser: upgrade <code>ws</code> → <code>wss</code> when remote CDP uses <code>https</code> (fixes Browserless handshake).</li>
+<li>Telegram: skip <code>message_thread_id=1</code> for General topic sends while keeping typing indicators. (#848) — thanks @azade-c.</li>
+<li>Fix: sanitize user-facing error text + strip <code><final></code> tags across reply pipelines. (#975) — thanks @ThomsenDrake.</li>
+<li>Fix: normalize pairing CLI aliases, allow extension channels, and harden Zalo webhook payload parsing. (#991) — thanks @longmaba.</li>
+<li>Fix: allow local Tailscale Serve hostnames without treating tailnet clients as direct. (#885) — thanks @oswalpalash.</li>
+<li>Fix: reset sessions after role-ordering conflicts to recover from consecutive user turns. (#998)</li>
+</ul>
+<p><a href="https://github.com/clawdbot/clawdbot/blob/main/CHANGELOG.md">View full changelog</a></p>
+]]></description>
+            <enclosure url="https://github.com/clawdbot/clawdbot/releases/download/v2026.1.15/Clawdbot-2026.1.15.zip" length="12127276" type="application/octet-stream" sparkle:edSignature="o79vwTbtW/d91NQFRVfUDhsv6D4zIw7IkhY0N1iLImMu94BURgLcecA6z7Smy3bMobPwOyzN8yfm6mA/Rt8FCA=="/>
+        </item>
+        <item>
+            <title>2026.1.14-1</title>
+            <pubDate>Thu, 15 Jan 2026 11:14:40 +0000</pubDate>
+            <link>https://raw.githubusercontent.com/clawdbot/clawdbot/main/appcast.xml</link>
+            <sparkle:version>5825</sparkle:version>
+            <sparkle:shortVersionString>2026.1.14-1</sparkle:shortVersionString>
+            <sparkle:minimumSystemVersion>15.0</sparkle:minimumSystemVersion>
+            <description><![CDATA[<h2>Clawdbot 2026.1.14-1</h2>
+<h3>Highlights</h3>
+<ul>
+<li>Web search: <code>web_search</code>/<code>web_fetch</code> tools (Brave API) + first-time setup in onboarding/configure.</li>
+<li>Browser control: Chrome extension relay takeover mode + remote browser control via <code>clawdbot browser serve</code>.</li>
+<li>Plugins: channel plugins (gateway HTTP hooks) + Zalo plugin + onboarding install flow. (#854) — thanks @longmaba.</li>
+<li>Security: expanded <code>clawdbot security audit</code> (+ <code>--fix</code>), detect-secrets CI scan, and a <code>SECURITY.md</code> reporting policy.</li>
+</ul>
+<h3>Changes</h3>
+<h4>Web Tools</h4>
+<ul>
+<li>Tools: add <code>web_search</code>/<code>web_fetch</code> (Brave API), including helpful setup hints when the key is missing.</li>
+<li>Tools: enable <code>web_fetch</code> by default (unless explicitly disabled in config).</li>
+<li>CLI/Docs: add <code>clawdbot configure --section web</code> for storing Brave API keys and update onboarding tips.</li>
+</ul>
+<h4>Browser / Control UI</h4>
+<ul>
+<li>Browser: add Chrome extension relay takeover mode (toolbar button) + <code>clawdbot browser serve</code> remote control + <code>browser.controlToken</code>.</li>
+<li>Browser: ship a built-in <code>chrome</code> profile for extension relay and start the relay automatically when running locally.</li>
+<li>Browser: default <code>browser.defaultProfile</code> to <code>chrome</code> (existing Chrome takeover mode).</li>
+<li>Browser: add <code>clawdbot browser extension install/path</code> and copy extension path to clipboard.</li>
+<li>Browser: add <code>snapshot refs=aria</code> (Playwright aria-ref ids) for self-resolving refs across <code>snapshot</code> → <code>act</code>.</li>
+<li>Browser: <code>profile="chrome"</code> now defaults to host control and returns clearer “attach a tab” errors.</li>
+<li>Browser: extension mode recovers when only one tab is attached (stale targetId fallback).</li>
+<li>Control UI: show raw any-map entries in config views; move Docs link into the left nav.</li>
+</ul>
+<h4>Plugins</h4>
+<ul>
+<li>Plugins: add plugin HTTP hooks + loader updates to support channel plugins. (#854) — thanks @longmaba.</li>
+<li>Plugins: add onboarding plugin install flow. (#854) — thanks @longmaba.</li>
+<li>Channels: add Matrix plugin (external) with docs + onboarding hooks.</li>
+<li>Voice Call: add Plivo provider (no SDK dependency). (#846) — thanks @vrknetha.</li>
+</ul>
+<h4>Security</h4>
+<ul>
+<li>Security: expand <code>clawdbot security audit</code> checks and publish a <code>SECURITY.md</code> reporting policy.</li>
+<li>Security: extend <code>clawdbot security audit --fix</code> to tighten more sensitive state paths.</li>
+<li>Security: add detect-secrets CI scan and baseline guidance. (#227) — thanks @Hyaxia.</li>
+</ul>
+<h4>Onboarding / Daemon</h4>
+<ul>
+<li>Onboarding: add a security checkpoint prompt (docs link + sandboxing hint); require <code>--accept-risk</code> for <code>--non-interactive</code>.</li>
+<li>Daemon: support profile-aware service names for multi-gateway setups. (#671) — thanks @bjesuiter.</li>
+</ul>
+<h4>Auth / Usage / Config</h4>
+<ul>
+<li>Usage: add MiniMax coding plan usage tracking.</li>
+<li>Auth: label Claude Code CLI auth options. (#915) — thanks @SeanZoR.</li>
+<li>Agents: add optional auth-profile copy prompt on <code>agents add</code> and improve auth error messaging.</li>
+<li>Auth: add dynamic template variables to <code>messages.responsePrefix</code>. (#928) — thanks @sebslight.</li>
+<li>Config: add <code>channels.<provider>.configWrites</code> gating for channel-initiated config writes; migrate Slack channel IDs.</li>
+</ul>
+<h4>Channels</h4>
+<ul>
+<li>Telegram: add message delete action in the message tool. (#903) — thanks @sleontenko.</li>
+<li>WhatsApp: add <code>channels.whatsapp.sendReadReceipts</code> to disable auto read receipts. (#882) — thanks @chrisrodz.</li>
+</ul>
+<h4>Docs</h4>
+<ul>
+<li>Docs: clarify per-agent auth stores, sandboxed skill binaries, and elevated semantics.</li>
+<li>Docs: add FAQ entries for missing provider auth after adding agents and Gemini thinking signature errors.</li>
+<li>Docs: expand gateway security hardening guidance and incident response checklist.</li>
+<li>Docs: document DM history limits for channel DMs. (#883) — thanks @pkrmf.</li>
+<li>Docs: standardize Claude Code CLI naming across docs and prompts. (follow-up to #915)</li>
+<li>Docs: add per-command CLI doc pages and link them from <code>clawdbot <command> --help</code>.</li>
+<li>Docs: add multi-gateway guide (sidebar + nav).</li>
+</ul>
+<h3>Fixes</h3>
+<h4>Gateway / Daemon / Sessions</h4>
+<ul>
+<li>Gateway: forward termination signals to respawned CLI child processes to avoid orphaned systemd runs. (#933) — thanks @roshanasingh4.</li>
+<li>Gateway/UI: ship session defaults in the hello snapshot so the Control UI canonicalizes main session keys (no bare <code>main</code> alias).</li>
+<li>Agents: skip thinking/final tag stripping inside Markdown code spans. (#939) — thanks @ngutman.</li>
+<li>Browser: add tests for snapshot labels/efficient query params and labeled image responses.</li>
+<li>Browser: persist role snapshot refs per CDP target so <code>snapshot</code> → <code>act</code> clicks work even if Playwright returns a different Page instance.</li>
+<li>macOS: ensure launchd log directory exists with a test-only override. (#909) — thanks @roshanasingh4.</li>
+<li>macOS: format ConnectionsStore config to satisfy SwiftFormat lint. (#852) — thanks @mneves75.</li>
+<li>Packaging: run <code>pnpm build</code> on <code>prepack</code> so npm publishes include fresh <code>dist/</code> output.</li>
+<li>Telegram: register dock native commands with underscores to avoid <code>BOT_COMMAND_INVALID</code> (#929, fixes #901) — thanks @grp06.</li>
+<li>Google: downgrade unsigned thinking blocks before send to avoid missing signature errors.</li>
+<li>Agents: make user time zone and 24-hour time explicit in the system prompt. (#859) — thanks @CashWilliams.</li>
+<li>Agents: strip downgraded tool call text without eating adjacent replies and filter thinking-tag leaks. (#905) — thanks @erikpr1994.</li>
+<li>Agents: cap tool call IDs for OpenAI/OpenRouter to avoid request rejections. (#875) — thanks @j1philli.</li>
+<li>Doctor: avoid re-adding WhatsApp config when only legacy ack reactions are set. (#927, fixes #900) — thanks @grp06.</li>
+<li>Agents: scrub tuple <code>items</code> schemas for Gemini tool calls. (#926, fixes #746) — thanks @grp06.</li>
+<li>Agents: stabilize sub-agent announce status from runtime outcomes and normalize Result/Notes. (#835) — thanks @roshanasingh4.</li>
+<li>Apps: use canonical main session keys from gateway defaults across macOS/iOS/Android to avoid creating bare <code>main</code> sessions.</li>
+<li>Embedded runner: suppress raw API error payloads from replies. (#924) — thanks @grp06.</li>
+<li>Auth: normalize Claude Code CLI profile mode to oauth and auto-migrate config. (#855) — thanks @sebslight.</li>
+<li>Daemon: clear persisted launchd disabled state before bootstrap (fixes <code>daemon install</code> after uninstall). (#849) — thanks @ndraiman.</li>
+<li>Sessions: return deep clones (<code>structuredClone</code>) so cached session entries can't be mutated. (#934) — thanks @ronak-guliani.</li>
+<li>Heartbeat: keep <code>updatedAt</code> monotonic when restoring heartbeat sessions. (#934) — thanks @ronak-guliani.</li>
+<li>Agent: clear run context after CLI runs (<code>clearAgentRunContext</code>) to avoid runaway contexts. (#934) — thanks @ronak-guliani.</li>
+<li>Gateway/Dev: ensure <code>pnpm gateway:dev</code> always uses the dev profile config + state (<code>~/.clawdbot-dev</code>).</li>
+</ul>
+<h4>CLI / Onboarding</h4>
+<ul>
+<li>Onboarding: show web search setup at the end (not the beginning).</li>
+<li>Onboarding: show daemon install/restart progress (avoid “blinking cursor”) and fix daemon install output formatting.</li>
+<li>Health: colorize “not configured” provider lines for easier scanning.</li>
+</ul>
+<h4>Control UI / TUI</h4>
+<ul>
+<li>Control UI: load cron run history on job selection and clarify empty-state messaging. (#866)</li>
+<li>UI: use application-defined WebSocket close code and fix dashboard auth query items. (#918) — thanks @rahthakor.</li>
+<li>UI: always apply <code>?token=</code> from URL (fixes unauthorized after re-onboard).</li>
+<li>Browser: add tests for snapshot labels/efficient query params and labeled image responses.</li>
+<li>TUI: render picker overlays via the overlay stack so /models and /settings display. (#921) — thanks @grizzdank.</li>
+<li>TUI: add a bright spinner + elapsed time in the status line for send/stream/run states.</li>
+<li>TUI: show LLM error messages (rate limits, auth, etc.) instead of <code>(no output)</code>.</li>
+</ul>
+<h4>Agents / Auth / Tools / Sandbox</h4>
+<ul>
+<li>Agents: make user time zone and 24-hour time explicit in the system prompt. (#859) — thanks @CashWilliams.</li>
+<li>Agents: strip downgraded tool call text without eating adjacent replies and filter thinking-tag leaks. (#905) — thanks @erikpr1994.</li>
+<li>Agents: cap tool call IDs for OpenAI/OpenRouter to avoid request rejections. (#875) — thanks @j1philli.</li>
+<li>Agents: scrub tuple <code>items</code> schemas for Gemini tool calls. (#926, fixes #746) — thanks @grp06.</li>
+<li>Agents: stabilize sub-agent announce status from runtime outcomes and normalize Result/Notes. (#835) — thanks @roshanasingh4.</li>
+<li>Auth: normalize Claude Code CLI profile mode to oauth and auto-migrate config. (#855) — thanks @sebslight.</li>
+<li>Embedded runner: suppress raw API error payloads from replies. (#924) — thanks @grp06.</li>
+<li>Logging: tolerate <code>EIO</code> from console writes to avoid gateway crashes. (#925, fixes #878) — thanks @grp06.</li>
+<li>Sandbox: restore <code>docker.binds</code> config validation and preserve configured PATH for <code>docker exec</code>. (#873) — thanks @akonyer.</li>
+<li>Google: downgrade unsigned thinking blocks before send to avoid missing signature errors.</li>
+</ul>
+<h4>macOS / Apps</h4>
+<ul>
+<li>macOS: ensure launchd log directory exists with a test-only override. (#909) — thanks @roshanasingh4.</li>
+<li>macOS: format ConnectionsStore config to satisfy SwiftFormat lint. (#852) — thanks @mneves75.</li>
+<li>macOS: pass auth token/password to dashboard URL for authenticated access. (#918) — thanks @rahthakor.</li>
+<li>macOS: reuse launchd gateway auth and skip wizard when gateway config already exists. (#917)</li>
+<li>Apps: use canonical main session keys from gateway defaults across macOS/iOS/Android to avoid creating bare <code>main</code> sessions.</li>
+<li>macOS: fix cron preview/testing payload to use <code>channel</code> key. (#867) — thanks @wes-davis.</li>
+<li>macOS: update cron testing channel arg. (#896) — thanks @ngutman.</li>
+</ul>
+<h4>Channels / Messaging</h4>
+<ul>
+<li>Slack: isolate thread history and avoid inheriting channel transcripts for new threads by default. (#758)</li>
+<li>Slack: respect <code>channels.slack.requireMention</code> default when resolving channel mention gating. (#850) — thanks @evalexpr.</li>
+<li>Slack: drop Socket Mode events with mismatched <code>api_app_id</code>/<code>team_id</code>. (#889) — thanks @roshanasingh4.</li>
+<li>Commands: add native command argument menus across Discord/Slack/Telegram. (#936) — thanks @thewilloftheshadow.</li>
+<li>Discord: isolate autoThread thread context. (#856) — thanks @davidguttman.</li>
+<li>Telegram: honor <code>channels.telegram.timeoutSeconds</code> for grammY API requests. (#863) — thanks @Snaver.</li>
+<li>Telegram: aggregate split inbound messages into one prompt (reduces “one reply per fragment”).</li>
+<li>Telegram: let control commands bypass per-chat sequentialization; always allow abort triggers.</li>
+<li>Telegram: split long captions into media + follow-up text messages. (#907) — thanks @jalehman.</li>
+<li>Telegram: migrate group config when supergroups change chat IDs. (#906) — thanks @sleontenko.</li>
+<li>Telegram: register dock native commands with underscores to avoid <code>BOT_COMMAND_INVALID</code> (#929, fixes #901) — thanks @grp06.</li>
+<li>Messaging: unify markdown formatting + format-first chunking for Slack/Telegram/Signal. (#920) — thanks @TheSethRose.</li>
+<li>iMessage: prefer handle routing for direct-message replies; include imsg RPC error details. (#935)</li>
+<li>WhatsApp: fix context isolation using wrong ID (was bot's number, now conversation ID). (#911) — thanks @tristanmanchester.</li>
+<li>WhatsApp: normalize user JIDs with device suffix for allowlist checks in groups. (#838) — thanks @peschee.</li>
+<li>WhatsApp: harden owner command auth.</li>
+<li>Auto-reply: treat trailing <code>NO_REPLY</code> tokens as silent replies.</li>
+</ul>
+<h4>Config / Doctor / Packaging</h4>
+<ul>
+<li>Config: prevent partial config writes from clobbering unrelated settings (base hash guard + merge patch for connection saves).</li>
+<li>Config/Doctor: remove legacy Clawdis env fallbacks and config/service migrations (Clawdbot-only).</li>
+<li>Doctor: avoid re-adding WhatsApp config when only legacy ack reactions are set. (#927, fixes #900) — thanks @grp06.</li>
+<li>Packaging: run <code>pnpm build</code> on <code>prepack</code> so npm publishes include fresh <code>dist/</code> output.</li>
+</ul>
+<p><a href="https://github.com/clawdbot/clawdbot/blob/main/CHANGELOG.md">View full changelog</a></p>
+]]></description>
+            <enclosure url="https://github.com/clawdbot/clawdbot/releases/download/v2026.1.14-1/Clawdbot-2026.1.14-1.zip" length="19887144" type="application/octet-stream" sparkle:edSignature="1irKxBLt2eRtns34m/8JsjL/ZzhZQNjahwrxtArTvzaCnidS/MEnpD4nV2SHnhuo8g+fJZQpV9NoCAoEOAinCw=="/>
+        </item>
    </channel>
 </rss>
--- a/apps/android/app/build.gradle.kts
+++ b/apps/android/app/build.gradle.kts
@@ -21,8 +21,8 @@ android {
    applicationId = "com.clawdbot.android"
    minSdk = 31
    targetSdk = 36
-    versionCode = 202601210
-    versionName = "2026.1.21"
+    versionCode = 202601200
+    versionName = "2026.1.20"
  }

  buildTypes {
--- a/apps/android/app/src/main/java/com/clawdbot/android/NodeRuntime.kt
+++ b/apps/android/app/src/main/java/com/clawdbot/android/NodeRuntime.kt
@@ -529,7 +529,7 @@ class NodeRuntime(context: Context) {
      caps = buildCapabilities(),
      commands = buildInvokeCommands(),
      permissions = emptyMap(),
-      client = buildClientInfo(clientId = "clawdbot-android", clientMode = "node"),
+      client = buildClientInfo(clientId = "node-host", clientMode = "node"),
      userAgent = buildUserAgent(),
    )
  }
--- a/apps/ios/Sources/Info.plist
+++ b/apps/ios/Sources/Info.plist
@@ -19,9 +19,9 @@
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>2026.1.21</string>
+	<string>2026.1.20</string>
 	<key>CFBundleVersion</key>
-	<string>20260121</string>
+	<string>20260120</string>
 	<key>NSAppTransportSecurity</key>
 	<dict>
 		<key>NSAllowsArbitraryLoadsInWebContent</key>
--- a/apps/ios/Sources/Voice/TalkModeManager.swift
+++ b/apps/ios/Sources/Voice/TalkModeManager.swift
@@ -132,12 +132,6 @@ final class TalkModeManager: NSObject {
    }

    private func startRecognition() throws {
-        #if targetEnvironment(simulator)
-            throw NSError(domain: "TalkMode", code: 2, userInfo: [
-                NSLocalizedDescriptionKey: "Talk mode is not supported on the iOS simulator",
-            ])
-        #endif
-
        self.stopRecognition()
        self.speechRecognizer = SFSpeechRecognizer()
        guard let recognizer = self.speechRecognizer else {
@@ -152,11 +146,6 @@ final class TalkModeManager: NSObject {

        let input = self.audioEngine.inputNode
        let format = input.outputFormat(forBus: 0)
-        guard format.sampleRate > 0, format.channelCount > 0 else {
-            throw NSError(domain: "TalkMode", code: 3, userInfo: [
-                NSLocalizedDescriptionKey: "Invalid audio input format",
-            ])
-        }
        input.removeTap(onBus: 0)
        let tapBlock = Self.makeAudioTapAppendCallback(request: request)
        input.installTap(onBus: 0, bufferSize: 2048, format: format, block: tapBlock)
--- a/apps/ios/Tests/Info.plist
+++ b/apps/ios/Tests/Info.plist
@@ -17,8 +17,8 @@
 	<key>CFBundlePackageType</key>
 	<string>BNDL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>2026.1.21</string>
+	<string>2026.1.20</string>
 	<key>CFBundleVersion</key>
-	<string>20260121</string>
+	<string>20260120</string>
 </dict>
 </plist>
--- a/apps/ios/project.yml
+++ b/apps/ios/project.yml
@@ -81,8 +81,8 @@ targets:
      properties:
        CFBundleDisplayName: Clawdbot
        CFBundleIconName: AppIcon
-        CFBundleShortVersionString: "2026.1.21"
-        CFBundleVersion: "20260121"
+        CFBundleShortVersionString: "2026.1.20"
+        CFBundleVersion: "20260120"
        UILaunchScreen: {}
        UIApplicationSceneManifest:
          UIApplicationSupportsMultipleScenes: false
@@ -130,5 +130,5 @@ targets:
      path: Tests/Info.plist
      properties:
        CFBundleDisplayName: ClawdbotTests
-        CFBundleShortVersionString: "2026.1.21"
-        CFBundleVersion: "20260121"
+        CFBundleShortVersionString: "2026.1.20"
+        CFBundleVersion: "20260120"
--- a/apps/macos/Package.resolved
+++ b/apps/macos/Package.resolved
@@ -1,5 +1,5 @@
 {
-  "originHash" : "f847d54db16b371dbb1a79271d50436cdec572179b0f0cf14cfe1b75df8dfbc2",
+  "originHash" : "550d4ea41d4bb2546b99a7bfa1c5cba7e28a13862bc226727ea7426c61555a33",
  "pins" : [
    {
      "identity" : "axorcist",
@@ -24,7 +24,7 @@
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/steipete/ElevenLabsKit",
      "state" : {
-        "revision" : "c8679fbd37416a8780fe43be88a497ff16209e2d",
+        "revision" : "7e3c948d8340abe3977014f3de020edf221e9269",
        "version" : "0.1.0"
      }
    },
--- a/apps/macos/Sources/Clawdbot/CommandResolver.swift
+++ b/apps/macos/Sources/Clawdbot/CommandResolver.swift
@@ -284,16 +284,13 @@ enum CommandResolver {

        var args: [String] = [
            "-o", "BatchMode=yes",
+            "-o", "IdentitiesOnly=yes",
            "-o", "StrictHostKeyChecking=accept-new",
            "-o", "UpdateHostKeys=yes",
        ]
        if parsed.port > 0 { args.append(contentsOf: ["-p", String(parsed.port)]) }
-        let identity = settings.identity.trimmingCharacters(in: .whitespacesAndNewlines)
-        if !identity.isEmpty {
-            // Only use IdentitiesOnly when an explicit identity file is provided.
-            // This allows 1Password SSH agent and other SSH agents to provide keys.
-            args.append(contentsOf: ["-o", "IdentitiesOnly=yes"])
-            args.append(contentsOf: ["-i", identity])
+        if !settings.identity.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty {
+            args.append(contentsOf: ["-i", settings.identity])
        }
        let userHost = parsed.user.map { "\($0)@\(parsed.host)" } ?? parsed.host
        args.append(userHost)
--- a/apps/macos/Sources/Clawdbot/ConfigSettings.swift
+++ b/apps/macos/Sources/Clawdbot/ConfigSettings.swift
@@ -6,19 +6,15 @@ struct ConfigSettings: View {
    private let isNixMode = ProcessInfo.processInfo.isNixMode
    @Bindable var store: ChannelsStore
    @State private var hasLoaded = false
-    @State private var activeSectionKey: String?
-    @State private var activeSubsection: SubsectionSelection?

    init(store: ChannelsStore = .shared) {
        self.store = store
    }

    var body: some View {
-        HStack(spacing: 16) {
-            self.sidebar
-            self.detail
+        ScrollView {
+            self.content
        }
-        .frame(maxWidth: .infinity, maxHeight: .infinity, alignment: .topLeading)
        .task {
            guard !self.hasLoaded else { return }
            guard !self.isPreview else { return }
@@ -26,125 +22,42 @@ struct ConfigSettings: View {
            await self.store.loadConfigSchema()
            await self.store.loadConfig()
        }
-        .onAppear { self.ensureSelection() }
-        .onChange(of: self.store.configSchemaLoading) { _, loading in
-            if !loading { self.ensureSelection() }
-        }
    }
 }

 extension ConfigSettings {
-    private enum SubsectionSelection: Hashable {
-        case all
-        case key(String)
-    }
-
-    private struct ConfigSection: Identifiable {
-        let key: String
-        let label: String
-        let help: String?
-        let node: ConfigSchemaNode
-
-        var id: String { self.key }
-    }
-
-    private struct ConfigSubsection: Identifiable {
-        let key: String
-        let label: String
-        let help: String?
-        let node: ConfigSchemaNode
-        let path: ConfigPath
-
-        var id: String { self.key }
-    }
-
-    private var sections: [ConfigSection] {
-        guard let schema = self.store.configSchema else { return [] }
-        return self.resolveSections(schema)
-    }
-
-    private var activeSection: ConfigSection? {
-        self.sections.first { $0.key == self.activeSectionKey }
-    }
-
-    private var sidebar: some View {
-        ScrollView {
-            LazyVStack(alignment: .leading, spacing: 8) {
-                if self.sections.isEmpty {
-                    Text("No config sections available.")
+    private var content: some View {
+        VStack(alignment: .leading, spacing: 16) {
+            self.header
+            if let status = self.store.configStatus {
+                Text(status)
+                    .font(.callout)
+                    .foregroundStyle(.secondary)
+            }
+            self.actionRow
+            Group {
+                if self.store.configSchemaLoading {
+                    ProgressView().controlSize(.small)
+                } else if let schema = self.store.configSchema {
+                    ConfigSchemaForm(store: self.store, schema: schema, path: [])
+                        .disabled(self.isNixMode)
+                } else {
+                    Text("Schema unavailable.")
                        .font(.caption)
                        .foregroundStyle(.secondary)
-                        .padding(.horizontal, 6)
-                        .padding(.vertical, 4)
-                } else {
-                    ForEach(self.sections) { section in
-                        self.sidebarRow(section)
-                    }
                }
            }
-            .padding(.vertical, 10)
-            .padding(.horizontal, 10)
-        }
-        .frame(minWidth: 220, idealWidth: 240, maxWidth: 280, maxHeight: .infinity, alignment: .topLeading)
-        .background(
-            RoundedRectangle(cornerRadius: 12, style: .continuous)
-                .fill(Color(nsColor: .windowBackgroundColor)))
-        .clipShape(RoundedRectangle(cornerRadius: 12, style: .continuous))
-    }
-
-    private var detail: some View {
-        VStack(alignment: .leading, spacing: 16) {
-            if self.store.configSchemaLoading {
-                ProgressView().controlSize(.small)
-            } else if let section = self.activeSection {
-                self.sectionDetail(section)
-            } else if self.store.configSchema != nil {
-                self.emptyDetail
-            } else {
-                Text("Schema unavailable.")
+            if self.store.configDirty, !self.isNixMode {
+                Text("Unsaved changes")
                    .font(.caption)
                    .foregroundStyle(.secondary)
            }
+            Spacer(minLength: 0)
        }
-        .frame(minWidth: 460, maxWidth: .infinity, maxHeight: .infinity, alignment: .topLeading)
-    }
-
-    private var emptyDetail: some View {
-        VStack(alignment: .leading, spacing: 8) {
-            self.header
-            Text("Select a config section to view settings.")
-                .font(.callout)
-                .foregroundStyle(.secondary)
-        }
+        .frame(maxWidth: .infinity, alignment: .leading)
        .padding(.horizontal, 24)
        .padding(.vertical, 18)
-    }
-
-    private func sectionDetail(_ section: ConfigSection) -> some View {
-        ScrollView(.vertical) {
-            VStack(alignment: .leading, spacing: 16) {
-                self.header
-                if let status = self.store.configStatus {
-                    Text(status)
-                        .font(.callout)
-                        .foregroundStyle(.secondary)
-                }
-                self.actionRow
-                self.sectionHeader(section)
-                self.subsectionNav(section)
-                self.sectionForm(section)
-                if self.store.configDirty, !self.isNixMode {
-                    Text("Unsaved changes")
-                        .font(.caption)
-                        .foregroundStyle(.secondary)
-                }
-                Spacer(minLength: 0)
-            }
-            .frame(maxWidth: .infinity, alignment: .leading)
-            .padding(.horizontal, 24)
-            .padding(.vertical, 18)
-            .groupBoxStyle(PlainSettingsGroupBoxStyle())
-        }
+        .groupBoxStyle(PlainSettingsGroupBoxStyle())
    }

    @ViewBuilder
@@ -158,18 +71,6 @@ extension ConfigSettings {
            .foregroundStyle(.secondary)
    }

-    private func sectionHeader(_ section: ConfigSection) -> some View {
-        VStack(alignment: .leading, spacing: 6) {
-            Text(section.label)
-                .font(.title3.weight(.semibold))
-            if let help = section.help {
-                Text(help)
-                    .font(.callout)
-                    .foregroundStyle(.secondary)
-            }
-        }
-    }
-
    private var actionRow: some View {
        HStack(spacing: 10) {
            Button("Reload") {
@@ -184,204 +85,6 @@ extension ConfigSettings {
        }
        .buttonStyle(.bordered)
    }
-
-    private func sidebarRow(_ section: ConfigSection) -> some View {
-        let isSelected = self.activeSectionKey == section.key
-        return Button {
-            self.selectSection(section)
-        } label: {
-            VStack(alignment: .leading, spacing: 2) {
-                Text(section.label)
-                if let help = section.help {
-                    Text(help)
-                        .font(.caption)
-                        .foregroundStyle(.secondary)
-                        .lineLimit(2)
-                }
-            }
-            .padding(.vertical, 6)
-            .padding(.horizontal, 8)
-            .frame(maxWidth: .infinity, alignment: .leading)
-            .background(isSelected ? Color.accentColor.opacity(0.18) : Color.clear)
-            .clipShape(RoundedRectangle(cornerRadius: 10, style: .continuous))
-            .background(Color.clear)
-            .contentShape(Rectangle())
-        }
-        .frame(maxWidth: .infinity, alignment: .leading)
-        .buttonStyle(.plain)
-        .contentShape(Rectangle())
-    }
-
-    @ViewBuilder
-    private func subsectionNav(_ section: ConfigSection) -> some View {
-        let subsections = self.resolveSubsections(for: section)
-        if subsections.isEmpty {
-            EmptyView()
-        } else {
-            ScrollView(.horizontal, showsIndicators: false) {
-                HStack(spacing: 8) {
-                    self.subsectionButton(
-                        title: "All",
-                        isSelected: self.activeSubsection == .all)
-                    {
-                        self.activeSubsection = .all
-                    }
-                    ForEach(subsections) { subsection in
-                        self.subsectionButton(
-                            title: subsection.label,
-                            isSelected: self.activeSubsection == .key(subsection.key))
-                        {
-                            self.activeSubsection = .key(subsection.key)
-                        }
-                    }
-                }
-                .padding(.vertical, 2)
-            }
-        }
-    }
-
-    private func subsectionButton(
-        title: String,
-        isSelected: Bool,
-        action: @escaping () -> Void) -> some View
-    {
-        Button(action: action) {
-            Text(title)
-                .font(.callout.weight(.semibold))
-                .foregroundStyle(isSelected ? Color.accentColor : .primary)
-                .padding(.horizontal, 10)
-                .padding(.vertical, 6)
-                .background(isSelected ? Color.accentColor.opacity(0.18) : Color(nsColor: .controlBackgroundColor))
-                .clipShape(Capsule())
-        }
-        .buttonStyle(.plain)
-    }
-
-    private func sectionForm(_ section: ConfigSection) -> some View {
-        let subsection = self.activeSubsection
-        let defaultPath: ConfigPath = [.key(section.key)]
-        let subsections = self.resolveSubsections(for: section)
-        let resolved: (ConfigSchemaNode, ConfigPath) = {
-            if case let .key(key) = subsection,
-               let match = subsections.first(where: { $0.key == key })
-            {
-                return (match.node, match.path)
-            }
-            return (self.resolvedSchemaNode(section.node), defaultPath)
-        }()
-
-        return ConfigSchemaForm(store: self.store, schema: resolved.0, path: resolved.1)
-            .disabled(self.isNixMode)
-    }
-
-    private func ensureSelection() {
-        guard let schema = self.store.configSchema else { return }
-        let sections = self.resolveSections(schema)
-        guard !sections.isEmpty else { return }
-
-        let active = sections.first { $0.key == self.activeSectionKey } ?? sections[0]
-        if self.activeSectionKey != active.key {
-            self.activeSectionKey = active.key
-        }
-        self.ensureSubsection(for: active)
-    }
-
-    private func ensureSubsection(for section: ConfigSection) {
-        let subsections = self.resolveSubsections(for: section)
-        guard !subsections.isEmpty else {
-            self.activeSubsection = nil
-            return
-        }
-
-        switch self.activeSubsection {
-        case .all:
-            return
-        case let .key(key):
-            if subsections.contains(where: { $0.key == key }) { return }
-        case .none:
-            break
-        }
-
-        if let first = subsections.first {
-            self.activeSubsection = .key(first.key)
-        }
-    }
-
-    private func selectSection(_ section: ConfigSection) {
-        guard self.activeSectionKey != section.key else { return }
-        self.activeSectionKey = section.key
-        let subsections = self.resolveSubsections(for: section)
-        if let first = subsections.first {
-            self.activeSubsection = .key(first.key)
-        } else {
-            self.activeSubsection = nil
-        }
-    }
-
-    private func resolveSections(_ root: ConfigSchemaNode) -> [ConfigSection] {
-        let node = self.resolvedSchemaNode(root)
-        let hints = self.store.configUiHints
-        let keys = node.properties.keys.sorted { lhs, rhs in
-            let orderA = hintForPath([.key(lhs)], hints: hints)?.order ?? 0
-            let orderB = hintForPath([.key(rhs)], hints: hints)?.order ?? 0
-            if orderA != orderB { return orderA < orderB }
-            return lhs < rhs
-        }
-
-        return keys.compactMap { key in
-            guard let child = node.properties[key] else { return nil }
-            let path: ConfigPath = [.key(key)]
-            let hint = hintForPath(path, hints: hints)
-            let label = hint?.label
-                ?? child.title
-                ?? self.humanize(key)
-            let help = hint?.help ?? child.description
-            return ConfigSection(key: key, label: label, help: help, node: child)
-        }
-    }
-
-    private func resolveSubsections(for section: ConfigSection) -> [ConfigSubsection] {
-        let node = self.resolvedSchemaNode(section.node)
-        guard node.schemaType == "object" else { return [] }
-        let hints = self.store.configUiHints
-        let keys = node.properties.keys.sorted { lhs, rhs in
-            let orderA = hintForPath([.key(section.key), .key(lhs)], hints: hints)?.order ?? 0
-            let orderB = hintForPath([.key(section.key), .key(rhs)], hints: hints)?.order ?? 0
-            if orderA != orderB { return orderA < orderB }
-            return lhs < rhs
-        }
-
-        return keys.compactMap { key in
-            guard let child = node.properties[key] else { return nil }
-            let path: ConfigPath = [.key(section.key), .key(key)]
-            let hint = hintForPath(path, hints: hints)
-            let label = hint?.label
-                ?? child.title
-                ?? self.humanize(key)
-            let help = hint?.help ?? child.description
-            return ConfigSubsection(
-                key: key,
-                label: label,
-                help: help,
-                node: child,
-                path: path)
-        }
-    }
-
-    private func resolvedSchemaNode(_ node: ConfigSchemaNode) -> ConfigSchemaNode {
-        let variants = node.anyOf.isEmpty ? node.oneOf : node.anyOf
-        if !variants.isEmpty {
-            let nonNull = variants.filter { !$0.isNullSchema }
-            if nonNull.count == 1, let only = nonNull.first { return only }
-        }
-        return node
-    }
-
-    private func humanize(_ key: String) -> String {
-        key.replacingOccurrences(of: "_", with: " ")
-            .replacingOccurrences(of: "-", with: " ")
-            .capitalized
-    }
 }

 struct ConfigSettings_Previews: PreviewProvider {
--- a/apps/macos/Sources/Clawdbot/ConnectionModeCoordinator.swift
+++ b/apps/macos/Sources/Clawdbot/ConnectionModeCoordinator.swift
@@ -6,20 +6,15 @@ final class ConnectionModeCoordinator {
    static let shared = ConnectionModeCoordinator()

    private let logger = Logger(subsystem: "com.clawdbot", category: "connection")
-    private var lastMode: AppState.ConnectionMode?

    /// Apply the requested connection mode by starting/stopping local gateway,
    /// managing the control-channel SSH tunnel, and cleaning up chat windows/panels.
    func apply(mode: AppState.ConnectionMode, paused: Bool) async {
-        if let lastMode = self.lastMode, lastMode != mode {
-            GatewayProcessManager.shared.clearLastFailure()
-            NodesStore.shared.lastError = nil
-        }
-        self.lastMode = mode
        switch mode {
        case .unconfigured:
-            _ = await NodeServiceManager.stop()
-            NodesStore.shared.lastError = nil
+            if let error = await NodeServiceManager.stop() {
+                NodesStore.shared.lastError = "Node service stop failed: \(error)"
+            }
            await RemoteTunnelManager.shared.stopAll()
            WebChatManager.shared.resetTunnels()
            GatewayProcessManager.shared.stop()
@@ -28,8 +23,9 @@ final class ConnectionModeCoordinator {
            Task.detached { await PortGuardian.shared.sweep(mode: .unconfigured) }

        case .local:
-            _ = await NodeServiceManager.stop()
-            NodesStore.shared.lastError = nil
+            if let error = await NodeServiceManager.stop() {
+                NodesStore.shared.lastError = "Node service stop failed: \(error)"
+            }
            await RemoteTunnelManager.shared.stopAll()
            WebChatManager.shared.resetTunnels()
            let shouldStart = GatewayAutostartPolicy.shouldStartGateway(mode: .local, paused: paused)
@@ -60,7 +56,6 @@ final class ConnectionModeCoordinator {
            WebChatManager.shared.resetTunnels()

            do {
-                NodesStore.shared.lastError = nil
                if let error = await NodeServiceManager.start() {
                    NodesStore.shared.lastError = "Node service start failed: \(error)"
                }
--- a/apps/macos/Sources/Clawdbot/ControlChannel.swift
+++ b/apps/macos/Sources/Clawdbot/ControlChannel.swift
@@ -74,7 +74,6 @@ final class ControlChannel {
    }

    private(set) var lastPingMs: Double?
-    private(set) var authSourceLabel: String?

    private let logger = Logger(subsystem: "com.clawdbot", category: "control")

@@ -88,7 +87,15 @@ final class ControlChannel {

    func configure() async {
        self.logger.info("control channel configure mode=local")
-        await self.refreshEndpoint(reason: "configure")
+        self.state = .connecting
+        do {
+            try await GatewayConnection.shared.refresh()
+            self.state = .connected
+            PresenceReporter.shared.sendImmediate(reason: "connect")
+        } catch {
+            let message = self.friendlyGatewayMessage(error)
+            self.state = .degraded(message)
+        }
    }

    func configure(mode: Mode = .local) async throws {
@@ -104,7 +111,7 @@ final class ControlChannel {
                        "target=\(target, privacy: .public) identitySet=\(idSet, privacy: .public)")
                self.state = .connecting
                _ = try await GatewayEndpointStore.shared.ensureRemoteControlTunnel()
-                await self.refreshEndpoint(reason: "configure")
+                await self.configure()
            } catch {
                self.state = .degraded(error.localizedDescription)
                throw error
@@ -112,24 +119,10 @@ final class ControlChannel {
        }
    }

-    func refreshEndpoint(reason: String) async {
-        self.logger.info("control channel refresh endpoint reason=\(reason, privacy: .public)")
-        self.state = .connecting
-        do {
-            try await self.establishGatewayConnection()
-            self.state = .connected
-            PresenceReporter.shared.sendImmediate(reason: "connect")
-        } catch {
-            let message = self.friendlyGatewayMessage(error)
-            self.state = .degraded(message)
-        }
-    }
-
    func disconnect() async {
        await GatewayConnection.shared.shutdown()
        self.state = .disconnected
        self.lastPingMs = nil
-        self.authSourceLabel = nil
    }

    func health(timeout: TimeInterval? = nil) async throws -> Data {
@@ -190,11 +183,8 @@ final class ControlChannel {
           urlErr.code == .dataNotAllowed // used for WS close 1008 auth failures
        {
            let reason = urlErr.failureURLString ?? urlErr.localizedDescription
-            let tokenKey = CommandResolver.connectionModeIsRemote()
-                ? "gateway.remote.token"
-                : "gateway.auth.token"
            return
-                "Gateway rejected token; set \(tokenKey) (or CLAWDBOT_GATEWAY_TOKEN) " +
+                "Gateway rejected token; set gateway.auth.token (or CLAWDBOT_GATEWAY_TOKEN) " +
                "or clear it on the gateway. " +
                "Reason: \(reason)"
        }
@@ -285,49 +275,18 @@ final class ControlChannel {
                }
            }

-            await self.refreshEndpoint(reason: "recovery:\(reasonText)")
-            if case .connected = self.state {
+            do {
+                try await GatewayConnection.shared.refresh()
                self.logger.info("control channel recovery finished")
-            } else if case let .degraded(message) = self.state {
-                self.logger.error("control channel recovery failed \(message, privacy: .public)")
+            } catch {
+                self.logger.error(
+                    "control channel recovery failed \(error.localizedDescription, privacy: .public)")
            }

            self.recoveryTask = nil
        }
    }

-    private func establishGatewayConnection(timeoutMs: Int = 5000) async throws {
-        try await GatewayConnection.shared.refresh()
-        let ok = try await GatewayConnection.shared.healthOK(timeoutMs: timeoutMs)
-        if ok == false {
-            throw NSError(
-                domain: "Gateway",
-                code: 0,
-                userInfo: [NSLocalizedDescriptionKey: "gateway health not ok"])
-        }
-        await self.refreshAuthSourceLabel()
-    }
-
-    private func refreshAuthSourceLabel() async {
-        let isRemote = CommandResolver.connectionModeIsRemote()
-        let authSource = await GatewayConnection.shared.authSource()
-        self.authSourceLabel = Self.formatAuthSource(authSource, isRemote: isRemote)
-    }
-
-    private static func formatAuthSource(_ source: GatewayAuthSource?, isRemote: Bool) -> String? {
-        guard let source else { return nil }
-        switch source {
-        case .deviceToken:
-            return "Auth: device token (paired device)"
-        case .sharedToken:
-            return "Auth: shared token (\(isRemote ? "gateway.remote.token" : "gateway.auth.token"))"
-        case .password:
-            return "Auth: password (\(isRemote ? "gateway.remote.password" : "gateway.auth.password"))"
-        case .none:
-            return "Auth: none"
-        }
-    }
-
    func sendSystemEvent(_ text: String, params: [String: AnyHashable] = [:]) async throws {
        var merged = params
        merged["text"] = AnyHashable(text)
--- a/apps/macos/Sources/Clawdbot/DebugSettings.swift
+++ b/apps/macos/Sources/Clawdbot/DebugSettings.swift
@@ -484,22 +484,6 @@ struct DebugSettings: View {
                    }
                }

-                VStack(alignment: .leading, spacing: 6) {
-                    Text(
-                        "Note: macOS may require restarting Clawdbot after enabling Accessibility or Screen Recording.")
-                        .font(.caption)
-                        .foregroundStyle(.secondary)
-                        .fixedSize(horizontal: false, vertical: true)
-
-                    Button {
-                        LaunchdManager.startClawdbot()
-                    } label: {
-                        Label("Restart Clawdbot", systemImage: "arrow.counterclockwise")
-                    }
-                    .buttonStyle(.bordered)
-                    .controlSize(.small)
-                }
-
                HStack(spacing: 8) {
                    Button("Restart app") { DebugActions.restartApp() }
                    Button("Restart onboarding") { DebugActions.restartOnboarding() }
--- a/apps/macos/Sources/Clawdbot/ExecApprovals.swift
+++ b/apps/macos/Sources/Clawdbot/ExecApprovals.swift
@@ -149,7 +149,6 @@ struct ExecApprovalsResolvedDefaults {

 enum ExecApprovalsStore {
    private static let logger = Logger(subsystem: "com.clawdbot", category: "exec-approvals")
-    private static let defaultAgentId = "main"
    private static let defaultSecurity: ExecSecurity = .deny
    private static let defaultAsk: ExecAsk = .onMiss
    private static let defaultAskFallback: ExecSecurity = .deny
@@ -166,22 +165,13 @@ enum ExecApprovalsStore {
    static func normalizeIncoming(_ file: ExecApprovalsFile) -> ExecApprovalsFile {
        let socketPath = file.socket?.path?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
        let token = file.socket?.token?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
-        var agents = file.agents ?? [:]
-        if let legacyDefault = agents["default"] {
-            if let main = agents[self.defaultAgentId] {
-                agents[self.defaultAgentId] = self.mergeAgents(current: main, legacy: legacyDefault)
-            } else {
-                agents[self.defaultAgentId] = legacyDefault
-            }
-            agents.removeValue(forKey: "default")
-        }
        return ExecApprovalsFile(
            version: 1,
            socket: ExecApprovalsSocketConfig(
                path: socketPath.isEmpty ? nil : socketPath,
                token: token.isEmpty ? nil : token),
            defaults: file.defaults,
-            agents: agents)
+            agents: file.agents)
    }

    static func readSnapshot() -> ExecApprovalsSnapshot {
@@ -282,17 +272,16 @@ enum ExecApprovalsStore {
            ask: defaults.ask ?? self.defaultAsk,
            askFallback: defaults.askFallback ?? self.defaultAskFallback,
            autoAllowSkills: defaults.autoAllowSkills ?? self.defaultAutoAllowSkills)
-        let key = self.agentKey(agentId)
+        let key = (agentId?.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty == false)
+            ? agentId!.trimmingCharacters(in: .whitespacesAndNewlines)
+            : "default"
        let agentEntry = file.agents?[key] ?? ExecApprovalsAgent()
-        let wildcardEntry = file.agents?["*"] ?? ExecApprovalsAgent()
        let resolvedAgent = ExecApprovalsResolvedDefaults(
-            security: agentEntry.security ?? wildcardEntry.security ?? resolvedDefaults.security,
-            ask: agentEntry.ask ?? wildcardEntry.ask ?? resolvedDefaults.ask,
-            askFallback: agentEntry.askFallback ?? wildcardEntry.askFallback
-                ?? resolvedDefaults.askFallback,
-            autoAllowSkills: agentEntry.autoAllowSkills ?? wildcardEntry.autoAllowSkills
-                ?? resolvedDefaults.autoAllowSkills)
-        let allowlist = ((wildcardEntry.allowlist ?? []) + (agentEntry.allowlist ?? []))
+            security: agentEntry.security ?? resolvedDefaults.security,
+            ask: agentEntry.ask ?? resolvedDefaults.ask,
+            askFallback: agentEntry.askFallback ?? resolvedDefaults.askFallback,
+            autoAllowSkills: agentEntry.autoAllowSkills ?? resolvedDefaults.autoAllowSkills)
+        let allowlist = (agentEntry.allowlist ?? [])
            .map { entry in
                ExecAllowlistEntry(
                    pattern: entry.pattern.trimmingCharacters(in: .whitespacesAndNewlines),
@@ -465,40 +454,7 @@ enum ExecApprovalsStore {

    private static func agentKey(_ agentId: String?) -> String {
        let trimmed = agentId?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
-        return trimmed.isEmpty ? self.defaultAgentId : trimmed
-    }
-
-    private static func normalizedPattern(_ pattern: String?) -> String? {
-        let trimmed = pattern?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
-        return trimmed.isEmpty ? nil : trimmed.lowercased()
-    }
-
-    private static func mergeAgents(
-        current: ExecApprovalsAgent,
-        legacy: ExecApprovalsAgent) -> ExecApprovalsAgent
-    {
-        var seen = Set<String>()
-        var allowlist: [ExecAllowlistEntry] = []
-        func append(_ entry: ExecAllowlistEntry) {
-            guard let key = self.normalizedPattern(entry.pattern), !seen.contains(key) else {
-                return
-            }
-            seen.insert(key)
-            allowlist.append(entry)
-        }
-        for entry in current.allowlist ?? [] {
-            append(entry)
-        }
-        for entry in legacy.allowlist ?? [] {
-            append(entry)
-        }
-
-        return ExecApprovalsAgent(
-            security: current.security ?? legacy.security,
-            ask: current.ask ?? legacy.ask,
-            askFallback: current.askFallback ?? legacy.askFallback,
-            autoAllowSkills: current.autoAllowSkills ?? legacy.autoAllowSkills,
-            allowlist: allowlist.isEmpty ? nil : allowlist)
+        return trimmed.isEmpty ? "default" : trimmed
    }
 }

@@ -597,30 +553,6 @@ enum ExecCommandFormatter {
    }
 }

-enum ExecApprovalHelpers {
-    static func parseDecision(_ raw: String?) -> ExecApprovalDecision? {
-        let trimmed = raw?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
-        guard !trimmed.isEmpty else { return nil }
-        return ExecApprovalDecision(rawValue: trimmed)
-    }
-
-    static func requiresAsk(
-        ask: ExecAsk,
-        security: ExecSecurity,
-        allowlistMatch: ExecAllowlistEntry?,
-        skillAllow: Bool) -> Bool
-    {
-        if ask == .always { return true }
-        if ask == .onMiss, security == .allowlist, allowlistMatch == nil, !skillAllow { return true }
-        return false
-    }
-
-    static func allowlistPattern(command: [String], resolution: ExecCommandResolution?) -> String? {
-        let pattern = resolution?.resolvedPath ?? resolution?.rawExecutable ?? command.first ?? ""
-        return pattern.isEmpty ? nil : pattern
-    }
-}
-
 enum ExecAllowlistMatcher {
    static func match(entries: [ExecAllowlistEntry], resolution: ExecCommandResolution?) -> ExecAllowlistEntry? {
        guard let resolution, !entries.isEmpty else { return nil }
--- a/apps/macos/Sources/Clawdbot/ExecApprovalsGatewayPrompter.swift
+++ b/apps/macos/Sources/Clawdbot/ExecApprovalsGatewayPrompter.swift
@@ -1,6 +1,5 @@
 import ClawdbotKit
 import ClawdbotProtocol
-import CoreGraphics
 import Foundation
 import OSLog

@@ -45,7 +44,6 @@ final class ExecApprovalsGatewayPrompter {
        do {
            let data = try JSONEncoder().encode(payload)
            let request = try JSONDecoder().decode(GatewayApprovalRequest.self, from: data)
-            guard self.shouldPresent(request: request) else { return }
            let decision = ExecApprovalsPromptPresenter.prompt(request.request)
            try await GatewayConnection.shared.requestVoid(
                method: .execApprovalResolve,
@@ -58,66 +56,4 @@ final class ExecApprovalsGatewayPrompter {
            self.logger.error("exec approval handling failed \(error.localizedDescription, privacy: .public)")
        }
    }
-
-    private func shouldPresent(request: GatewayApprovalRequest) -> Bool {
-        let mode = AppStateStore.shared.connectionMode
-        let activeSession = WebChatManager.shared.activeSessionKey?.trimmingCharacters(in: .whitespacesAndNewlines)
-        let requestSession = request.request.sessionKey?.trimmingCharacters(in: .whitespacesAndNewlines)
-        return Self.shouldPresent(
-            mode: mode,
-            activeSession: activeSession,
-            requestSession: requestSession,
-            lastInputSeconds: Self.lastInputSeconds(),
-            thresholdSeconds: 120)
-    }
-
-    private static func shouldPresent(
-        mode: AppState.ConnectionMode,
-        activeSession: String?,
-        requestSession: String?,
-        lastInputSeconds: Int?,
-        thresholdSeconds: Int) -> Bool
-    {
-        let active = activeSession?.trimmingCharacters(in: .whitespacesAndNewlines)
-        let requested = requestSession?.trimmingCharacters(in: .whitespacesAndNewlines)
-        let recentlyActive = lastInputSeconds.map { $0 <= thresholdSeconds } ?? (mode == .local)
-
-        if let session = requested, !session.isEmpty {
-            if let active, !active.isEmpty {
-                return active == session
-            }
-            return recentlyActive
-        }
-
-        if let active, !active.isEmpty {
-            return true
-        }
-        return mode == .local
-    }
-
-    private static func lastInputSeconds() -> Int? {
-        let anyEvent = CGEventType(rawValue: UInt32.max) ?? .null
-        let seconds = CGEventSource.secondsSinceLastEventType(.combinedSessionState, eventType: anyEvent)
-        if seconds.isNaN || seconds.isInfinite || seconds < 0 { return nil }
-        return Int(seconds.rounded())
-    }
 }
-
-#if DEBUG
-extension ExecApprovalsGatewayPrompter {
-    static func _testShouldPresent(
-        mode: AppState.ConnectionMode,
-        activeSession: String?,
-        requestSession: String?,
-        lastInputSeconds: Int?,
-        thresholdSeconds: Int = 120) -> Bool
-    {
-        self.shouldPresent(
-            mode: mode,
-            activeSession: activeSession,
-            requestSession: requestSession,
-            lastInputSeconds: lastInputSeconds,
-            thresholdSeconds: thresholdSeconds)
-    }
-}
-#endif
--- a/apps/macos/Sources/Clawdbot/ExecApprovalsSocket.swift
+++ b/apps/macos/Sources/Clawdbot/ExecApprovalsSocket.swift
@@ -13,7 +13,6 @@ struct ExecApprovalPromptRequest: Codable, Sendable {
    var ask: String?
    var agentId: String?
    var resolvedPath: String?
-    var sessionKey: String?
 }

 private struct ExecApprovalSocketRequest: Codable {
@@ -216,15 +215,36 @@ enum ExecApprovalsPromptPresenter {
        let alert = NSAlert()
        alert.alertStyle = .warning
        alert.messageText = "Allow this command?"
-        alert.informativeText = "Review the command details before allowing."
-        alert.accessoryView = self.buildAccessoryView(request)
+
+        var details = "Clawdbot wants to run:\n\n\(request.command)"
+        let trimmedCwd = request.cwd?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
+        if !trimmedCwd.isEmpty {
+            details += "\n\nWorking directory:\n\(trimmedCwd)"
+        }
+        let trimmedAgent = request.agentId?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
+        if !trimmedAgent.isEmpty {
+            details += "\n\nAgent:\n\(trimmedAgent)"
+        }
+        let trimmedPath = request.resolvedPath?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
+        if !trimmedPath.isEmpty {
+            details += "\n\nExecutable:\n\(trimmedPath)"
+        }
+        let trimmedHost = request.host?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
+        if !trimmedHost.isEmpty {
+            details += "\n\nHost:\n\(trimmedHost)"
+        }
+        if let security = request.security?.trimmingCharacters(in: .whitespacesAndNewlines), !security.isEmpty {
+            details += "\n\nSecurity:\n\(security)"
+        }
+        if let ask = request.ask?.trimmingCharacters(in: .whitespacesAndNewlines), !ask.isEmpty {
+            details += "\nAsk mode:\n\(ask)"
+        }
+        details += "\n\nThis runs on this machine."
+        alert.informativeText = details

        alert.addButton(withTitle: "Allow Once")
        alert.addButton(withTitle: "Always Allow")
        alert.addButton(withTitle: "Don't Allow")
-        if #available(macOS 11.0, *), alert.buttons.indices.contains(2) {
-            alert.buttons[2].hasDestructiveAction = true
-        }

        switch alert.runModal() {
        case .alertFirstButtonReturn:
@@ -235,110 +255,6 @@ enum ExecApprovalsPromptPresenter {
            return .deny
        }
    }
-
-    @MainActor
-    private static func buildAccessoryView(_ request: ExecApprovalPromptRequest) -> NSView {
-        let stack = NSStackView()
-        stack.orientation = .vertical
-        stack.spacing = 8
-        stack.alignment = .leading
-
-        let commandTitle = NSTextField(labelWithString: "Command")
-        commandTitle.font = NSFont.boldSystemFont(ofSize: NSFont.systemFontSize)
-        stack.addArrangedSubview(commandTitle)
-
-        let commandText = NSTextView()
-        commandText.isEditable = false
-        commandText.isSelectable = true
-        commandText.drawsBackground = true
-        commandText.backgroundColor = NSColor.textBackgroundColor
-        commandText.font = NSFont.monospacedSystemFont(ofSize: NSFont.systemFontSize, weight: .regular)
-        commandText.string = request.command
-        commandText.textContainerInset = NSSize(width: 6, height: 6)
-        commandText.textContainer?.lineFragmentPadding = 0
-        commandText.textContainer?.widthTracksTextView = true
-        commandText.isHorizontallyResizable = false
-        commandText.isVerticallyResizable = false
-
-        let commandScroll = NSScrollView()
-        commandScroll.borderType = .lineBorder
-        commandScroll.hasVerticalScroller = false
-        commandScroll.hasHorizontalScroller = false
-        commandScroll.documentView = commandText
-        commandScroll.translatesAutoresizingMaskIntoConstraints = false
-        commandScroll.widthAnchor.constraint(lessThanOrEqualToConstant: 440).isActive = true
-        commandScroll.heightAnchor.constraint(greaterThanOrEqualToConstant: 56).isActive = true
-        stack.addArrangedSubview(commandScroll)
-
-        let contextTitle = NSTextField(labelWithString: "Context")
-        contextTitle.font = NSFont.boldSystemFont(ofSize: NSFont.systemFontSize)
-        stack.addArrangedSubview(contextTitle)
-
-        let contextStack = NSStackView()
-        contextStack.orientation = .vertical
-        contextStack.spacing = 4
-        contextStack.alignment = .leading
-
-        let trimmedCwd = request.cwd?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
-        if !trimmedCwd.isEmpty {
-            self.addDetailRow(title: "Working directory", value: trimmedCwd, to: contextStack)
-        }
-        let trimmedAgent = request.agentId?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
-        if !trimmedAgent.isEmpty {
-            self.addDetailRow(title: "Agent", value: trimmedAgent, to: contextStack)
-        }
-        let trimmedPath = request.resolvedPath?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
-        if !trimmedPath.isEmpty {
-            self.addDetailRow(title: "Executable", value: trimmedPath, to: contextStack)
-        }
-        let trimmedHost = request.host?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
-        if !trimmedHost.isEmpty {
-            self.addDetailRow(title: "Host", value: trimmedHost, to: contextStack)
-        }
-        if let security = request.security?.trimmingCharacters(in: .whitespacesAndNewlines), !security.isEmpty {
-            self.addDetailRow(title: "Security", value: security, to: contextStack)
-        }
-        if let ask = request.ask?.trimmingCharacters(in: .whitespacesAndNewlines), !ask.isEmpty {
-            self.addDetailRow(title: "Ask mode", value: ask, to: contextStack)
-        }
-
-        if contextStack.arrangedSubviews.isEmpty {
-            let empty = NSTextField(labelWithString: "No additional context provided.")
-            empty.textColor = NSColor.secondaryLabelColor
-            empty.font = NSFont.systemFont(ofSize: NSFont.smallSystemFontSize)
-            contextStack.addArrangedSubview(empty)
-        }
-
-        stack.addArrangedSubview(contextStack)
-
-        let footer = NSTextField(labelWithString: "This runs on this machine.")
-        footer.textColor = NSColor.secondaryLabelColor
-        footer.font = NSFont.systemFont(ofSize: NSFont.smallSystemFontSize)
-        stack.addArrangedSubview(footer)
-
-        return stack
-    }
-
-    @MainActor
-    private static func addDetailRow(title: String, value: String, to stack: NSStackView) {
-        let row = NSStackView()
-        row.orientation = .horizontal
-        row.spacing = 6
-        row.alignment = .firstBaseline
-
-        let titleLabel = NSTextField(labelWithString: "\(title):")
-        titleLabel.font = NSFont.systemFont(ofSize: NSFont.smallSystemFontSize, weight: .semibold)
-        titleLabel.textColor = NSColor.secondaryLabelColor
-
-        let valueLabel = NSTextField(labelWithString: value)
-        valueLabel.font = NSFont.systemFont(ofSize: NSFont.smallSystemFontSize)
-        valueLabel.lineBreakMode = .byTruncatingMiddle
-        valueLabel.setContentCompressionResistancePriority(.defaultLow, for: .horizontal)
-
-        row.addArrangedSubview(titleLabel)
-        row.addArrangedSubview(valueLabel)
-        stack.addArrangedSubview(row)
-    }
 }

@MainActor
@@ -398,12 +314,12 @@ private enum ExecHostExecutor {
        }

        var approvedByAsk = approvalDecision != nil
-        if ExecApprovalHelpers.requiresAsk(
+        if self.requiresAsk(
            ask: context.ask,
            security: context.security,
            allowlistMatch: context.allowlistMatch,
            skillAllow: context.skillAllow),
-            approvalDecision == nil
+           approvalDecision == nil
        {
            let decision = ExecApprovalsPromptPresenter.prompt(
                ExecApprovalPromptRequest(
@@ -413,8 +329,7 @@ private enum ExecHostExecutor {
                    security: context.security.rawValue,
                    ask: context.ask.rawValue,
                    agentId: context.trimmedAgent,
-                    resolvedPath: context.resolution?.resolvedPath,
-                    sessionKey: request.sessionKey))
+                    resolvedPath: context.resolution?.resolvedPath))

            switch decision {
            case .deny:
@@ -502,20 +417,36 @@ private enum ExecHostExecutor {
            skillAllow: skillAllow)
    }

+    private static func requiresAsk(
+        ask: ExecAsk,
+        security: ExecSecurity,
+        allowlistMatch: ExecAllowlistEntry?,
+        skillAllow: Bool) -> Bool
+    {
+        if ask == .always { return true }
+        if ask == .onMiss, security == .allowlist, allowlistMatch == nil, !skillAllow { return true }
+        return false
+    }
+
    private static func persistAllowlistEntry(
        decision: ExecApprovalDecision?,
        context: ExecApprovalContext)
    {
        guard decision == .allowAlways, context.security == .allowlist else { return }
-        guard let pattern = ExecApprovalHelpers.allowlistPattern(
-            command: context.command,
-            resolution: context.resolution)
-        else {
+        guard let pattern = self.allowlistPattern(command: context.command, resolution: context.resolution) else {
            return
        }
        ExecApprovalsStore.addAllowlistEntry(agentId: context.trimmedAgent, pattern: pattern)
    }

+    private static func allowlistPattern(
+        command: [String],
+        resolution: ExecCommandResolution?) -> String?
+    {
+        let pattern = resolution?.resolvedPath ?? resolution?.rawExecutable ?? command.first ?? ""
+        return pattern.isEmpty ? nil : pattern
+    }
+
    private static func ensureScreenRecordingAccess(_ needsScreenRecording: Bool?) async -> ExecHostResponse? {
        guard needsScreenRecording == true else { return nil }
        let authorized = await PermissionManager
--- a/apps/macos/Sources/Clawdbot/GatewayConnection.swift
+++ b/apps/macos/Sources/Clawdbot/GatewayConnection.swift
@@ -69,7 +69,6 @@ actor GatewayConnection {
        case channelsLogout = "channels.logout"
        case modelsList = "models.list"
        case chatHistory = "chat.history"
-        case sessionsPreview = "sessions.preview"
        case chatSend = "chat.send"
        case chatAbort = "chat.abort"
        case skillsStatus = "skills.status"
@@ -250,11 +249,6 @@ actor GatewayConnection {
        await self.configure(url: cfg.url, token: cfg.token, password: cfg.password)
    }

-    func authSource() async -> GatewayAuthSource? {
-        guard let client else { return nil }
-        return await client.authSource()
-    }
-
    func shutdown() async {
        if let client {
            await client.shutdown()
@@ -541,30 +535,6 @@ extension GatewayConnection {
        return try await self.requestDecoded(method: .skillsUpdate, params: params)
    }

-    // MARK: - Sessions
-
-    func sessionsPreview(
-        keys: [String],
-        limit: Int? = nil,
-        maxChars: Int? = nil,
-        timeoutMs: Int? = nil) async throws -> ClawdbotSessionsPreviewPayload
-    {
-        let resolvedKeys = keys
-            .map { self.canonicalizeSessionKey($0) }
-            .filter { !$0.isEmpty }
-        if resolvedKeys.isEmpty {
-            return ClawdbotSessionsPreviewPayload(ts: 0, previews: [])
-        }
-        var params: [String: AnyCodable] = ["keys": AnyCodable(resolvedKeys)]
-        if let limit { params["limit"] = AnyCodable(limit) }
-        if let maxChars { params["maxChars"] = AnyCodable(maxChars) }
-        let timeout = timeoutMs.map { Double($0) }
-        return try await self.requestDecoded(
-            method: .sessionsPreview,
-            params: params,
-            timeoutMs: timeout)
-    }
-
    // MARK: - Chat

    func chatHistory(
--- a/apps/macos/Sources/Clawdbot/GatewayConnectivityCoordinator.swift
+++ b/apps/macos/Sources/Clawdbot/GatewayConnectivityCoordinator.swift
@@ -1,63 +0,0 @@
-import Foundation
-import Observation
-import OSLog
-
-@MainActor
-@Observable
-final class GatewayConnectivityCoordinator {
-    static let shared = GatewayConnectivityCoordinator()
-
-    private let logger = Logger(subsystem: "com.clawdbot", category: "gateway.connectivity")
-    private var endpointTask: Task<Void, Never>?
-    private var lastResolvedURL: URL?
-
-    private(set) var endpointState: GatewayEndpointState?
-    private(set) var resolvedURL: URL?
-    private(set) var resolvedMode: AppState.ConnectionMode?
-    private(set) var resolvedHostLabel: String?
-
-    private init() {
-        self.start()
-    }
-
-    func start() {
-        guard self.endpointTask == nil else { return }
-        self.endpointTask = Task { [weak self] in
-            guard let self else { return }
-            let stream = await GatewayEndpointStore.shared.subscribe()
-            for await state in stream {
-                await MainActor.run { self.handleEndpointState(state) }
-            }
-        }
-    }
-
-    var localEndpointHostLabel: String? {
-        guard self.resolvedMode == .local, let url = self.resolvedURL else { return nil }
-        return Self.hostLabel(for: url)
-    }
-
-    private func handleEndpointState(_ state: GatewayEndpointState) {
-        self.endpointState = state
-        switch state {
-        case let .ready(mode, url, _, _):
-            self.resolvedMode = mode
-            self.resolvedURL = url
-            self.resolvedHostLabel = Self.hostLabel(for: url)
-            let urlChanged = self.lastResolvedURL?.absoluteString != url.absoluteString
-            if urlChanged {
-                self.lastResolvedURL = url
-                Task { await ControlChannel.shared.refreshEndpoint(reason: "endpoint changed") }
-            }
-        case let .connecting(mode, _):
-            self.resolvedMode = mode
-        case let .unavailable(mode, _):
-            self.resolvedMode = mode
-        }
-    }
-
-    private static func hostLabel(for url: URL) -> String {
-        let host = url.host ?? url.absoluteString
-        if let port = url.port { return "\(host):\(port)" }
-        return host
-    }
-}
--- a/apps/macos/Sources/Clawdbot/GatewayEndpointStore.swift
+++ b/apps/macos/Sources/Clawdbot/GatewayEndpointStore.swift
@@ -68,7 +68,6 @@ actor GatewayEndpointStore {
                    env: ProcessInfo.processInfo.environment)
                let customBindHost = GatewayEndpointStore.resolveGatewayCustomBindHost(root: root)
                let tailscaleIP = await MainActor.run { TailscaleService.shared.tailscaleIP }
-                    ?? TailscaleService.fallbackTailnetIPv4()
                return GatewayEndpointStore.resolveLocalGatewayHost(
                    bindMode: bind,
                    customBindHost: customBindHost,
@@ -173,10 +172,6 @@ actor GatewayEndpointStore {
            return configToken
        }

-        if isRemote {
-            return nil
-        }
-
        if let token = launchdSnapshot?.token?.trimmingCharacters(in: .whitespacesAndNewlines),
           !token.isEmpty
        {
@@ -482,13 +477,12 @@ actor GatewayEndpointStore {
        let bind = GatewayEndpointStore.resolveGatewayBindMode(
            root: root,
            env: ProcessInfo.processInfo.environment)
-        guard bind == "tailnet" else { return nil }
+        guard bind == "auto" else { return nil }

        let currentHost = currentURL.host?.lowercased() ?? ""
        guard currentHost == "127.0.0.1" || currentHost == "localhost" else { return nil }

        let tailscaleIP = await MainActor.run { TailscaleService.shared.tailscaleIP }
-            ?? TailscaleService.fallbackTailnetIPv4()
        guard let tailscaleIP, !tailscaleIP.isEmpty else { return nil }

        let scheme = GatewayEndpointStore.resolveGatewayScheme(
@@ -637,12 +631,11 @@ extension GatewayEndpointStore {

    static func _testResolveLocalGatewayHost(
        bindMode: String?,
-        tailscaleIP: String?,
-        customBindHost: String? = nil) -> String
+        tailscaleIP: String?) -> String
    {
        self.resolveLocalGatewayHost(
            bindMode: bindMode,
-            customBindHost: customBindHost,
+            customBindHost: nil,
            tailscaleIP: tailscaleIP)
    }
 }
--- a/apps/macos/Sources/Clawdbot/GatewayLaunchAgentManager.swift
+++ b/apps/macos/Sources/Clawdbot/GatewayLaunchAgentManager.swift
@@ -115,7 +115,7 @@ extension GatewayLaunchAgentManager {
        quiet: Bool) async -> CommandResult
    {
        let command = CommandResolver.clawdbotCommand(
-            subcommand: "gateway",
+            subcommand: "daemon",
            extraArgs: self.withJsonFlag(args),
            // Launchd management must always run locally, even if remote mode is configured.
            configRoot: ["gateway": ["mode": "local"]])
--- a/apps/macos/Sources/Clawdbot/GatewayProcessManager.swift
+++ b/apps/macos/Sources/Clawdbot/GatewayProcessManager.swift
@@ -42,20 +42,10 @@ final class GatewayProcessManager {
    private var environmentRefreshTask: Task<Void, Never>?
    private var lastEnvironmentRefresh: Date?
    private var logRefreshTask: Task<Void, Never>?
-    #if DEBUG
-    private var testingConnection: GatewayConnection?
-    #endif
    private let logger = Logger(subsystem: "com.clawdbot", category: "gateway.process")

    private let logLimit = 20000 // characters to keep in-memory
    private let environmentRefreshMinInterval: TimeInterval = 30
-    private var connection: GatewayConnection {
-        #if DEBUG
-        return self.testingConnection ?? .shared
-        #else
-        return .shared
-        #endif
-    }

    func setActive(_ active: Bool) {
        // Remote mode should never spawn a local gateway; treat as stopped.
@@ -136,10 +126,6 @@ final class GatewayProcessManager {
        }
    }

-    func clearLastFailure() {
-        self.lastFailureReason = nil
-    }
-
    func refreshEnvironmentStatus(force: Bool = false) {
        let now = Date()
        if !force {
@@ -192,7 +178,7 @@ final class GatewayProcessManager {
        let hasListener = instance != nil

        let attemptAttach = {
-            try await self.connection.requestRaw(method: .health, timeoutMs: 2000)
+            try await GatewayConnection.shared.requestRaw(method: .health, timeoutMs: 2000)
        }

        for attempt in 0..<(hasListener ? 3 : 1) {
@@ -201,7 +187,6 @@ final class GatewayProcessManager {
                let snap = decodeHealthSnapshot(from: data)
                let details = self.describe(details: instanceText, port: port, snap: snap)
                self.existingGatewayDetails = details
-                self.clearLastFailure()
                self.status = .attachedExisting(details: details)
                self.appendLog("[gateway] using existing instance: \(details)\n")
                self.logger.info("gateway using existing instance details=\(details)")
@@ -325,10 +310,9 @@ final class GatewayProcessManager {
        while Date() < deadline {
            if !self.desiredActive { return }
            do {
-                _ = try await self.connection.requestRaw(method: .health, timeoutMs: 1500)
+                _ = try await GatewayConnection.shared.requestRaw(method: .health, timeoutMs: 1500)
                let instance = await PortGuardian.shared.describe(port: port)
                let details = instance.map { "pid \($0.pid)" }
-                self.clearLastFailure()
                self.status = .running(details: details)
                self.logger.info("gateway started details=\(details ?? "ok")")
                self.refreshControlChannelIfNeeded(reason: "gateway started")
@@ -368,8 +352,7 @@ final class GatewayProcessManager {
        while Date() < deadline {
            if !self.desiredActive { return false }
            do {
-                _ = try await self.connection.requestRaw(method: .health, timeoutMs: 1500)
-                self.clearLastFailure()
+                _ = try await GatewayConnection.shared.requestRaw(method: .health, timeoutMs: 1500)
                return true
            } catch {
                try? await Task.sleep(nanoseconds: 300_000_000)
@@ -402,19 +385,3 @@ final class GatewayProcessManager {
        return String(text.suffix(limit))
    }
 }
-
-#if DEBUG
-extension GatewayProcessManager {
-    func setTestingConnection(_ connection: GatewayConnection?) {
-        self.testingConnection = connection
-    }
-
-    func setTestingDesiredActive(_ active: Bool) {
-        self.desiredActive = active
-    }
-
-    func setTestingLastFailureReason(_ reason: String?) {
-        self.lastFailureReason = reason
-    }
-}
-#endif
--- a/apps/macos/Sources/Clawdbot/GeneralSettings.swift
+++ b/apps/macos/Sources/Clawdbot/GeneralSettings.swift
@@ -2,25 +2,52 @@ import AppKit
 import ClawdbotDiscovery
 import ClawdbotIPC
 import ClawdbotKit
+import CoreLocation
 import Observation
 import SwiftUI

 struct GeneralSettings: View {
    @Bindable var state: AppState
    @AppStorage(cameraEnabledKey) private var cameraEnabled: Bool = false
+    @AppStorage(locationModeKey) private var locationModeRaw: String = ClawdbotLocationMode.off.rawValue
+    @AppStorage(locationPreciseKey) private var locationPreciseEnabled: Bool = true
    private let healthStore = HealthStore.shared
    private let gatewayManager = GatewayProcessManager.shared
    @State private var gatewayDiscovery = GatewayDiscoveryModel(
        localDisplayName: InstanceIdentity.displayName)
+    @State private var isInstallingCLI = false
+    @State private var cliStatus: String?
+    @State private var cliInstalled = false
+    @State private var cliInstallLocation: String?
    @State private var gatewayStatus: GatewayEnvironmentStatus = .checking
    @State private var remoteStatus: RemoteStatus = .idle
    @State private var showRemoteAdvanced = false
    private let isPreview = ProcessInfo.processInfo.isPreview
    private var isNixMode: Bool { ProcessInfo.processInfo.isNixMode }
+    @State private var lastLocationModeRaw: String = ClawdbotLocationMode.off.rawValue

    var body: some View {
        ScrollView(.vertical) {
            VStack(alignment: .leading, spacing: 18) {
+                if !self.state.onboardingSeen {
+                    Button {
+                        DebugActions.restartOnboarding()
+                    } label: {
+                        HStack(spacing: 8) {
+                            Label("Complete onboarding to finish setup", systemImage: "arrow.counterclockwise")
+                                .font(.callout.weight(.semibold))
+                                .foregroundStyle(Color.accentColor)
+                            Spacer(minLength: 0)
+                            Image(systemName: "chevron.right")
+                                .font(.caption.weight(.semibold))
+                                .foregroundStyle(.tertiary)
+                        }
+                        .contentShape(Rectangle())
+                    }
+                    .buttonStyle(.plain)
+                    .padding(.bottom, 2)
+                }
+
                VStack(alignment: .leading, spacing: 12) {
                    SettingsToggleRow(
                        title: "Clawdbot active",
@@ -56,6 +83,29 @@ struct GeneralSettings: View {
                        subtitle: "Allow the agent to capture a photo or short video via the built-in camera.",
                        binding: self.$cameraEnabled)

+                    SystemRunSettingsView()
+
+                    VStack(alignment: .leading, spacing: 6) {
+                        Text("Location Access")
+                            .font(.body)
+
+                        Picker("", selection: self.$locationModeRaw) {
+                            Text("Off").tag(ClawdbotLocationMode.off.rawValue)
+                            Text("While Using").tag(ClawdbotLocationMode.whileUsing.rawValue)
+                            Text("Always").tag(ClawdbotLocationMode.always.rawValue)
+                        }
+                        .labelsHidden()
+                        .pickerStyle(.menu)
+
+                        Toggle("Precise Location", isOn: self.$locationPreciseEnabled)
+                            .disabled(self.locationMode == .off)
+
+                        Text("Always may require System Settings to approve background location.")
+                            .font(.footnote)
+                            .foregroundStyle(.tertiary)
+                            .fixedSize(horizontal: false, vertical: true)
+                    }
+
                    SettingsToggleRow(
                        title: "Enable Peekaboo Bridge",
                        subtitle: "Allow signed tools (e.g. `peekaboo`) to drive UI automation via PeekabooBridge.",
@@ -80,13 +130,29 @@ struct GeneralSettings: View {
        }
        .onAppear {
            guard !self.isPreview else { return }
+            self.refreshCLIStatus()
            self.refreshGatewayStatus()
+            self.lastLocationModeRaw = self.locationModeRaw
        }
        .onChange(of: self.state.canvasEnabled) { _, enabled in
            if !enabled {
                CanvasManager.shared.hideAll()
            }
        }
+        .onChange(of: self.locationModeRaw) { _, newValue in
+            let previous = self.lastLocationModeRaw
+            self.lastLocationModeRaw = newValue
+            guard let mode = ClawdbotLocationMode(rawValue: newValue) else { return }
+            Task {
+                let granted = await self.requestLocationAuthorization(mode: mode)
+                if !granted {
+                    await MainActor.run {
+                        self.locationModeRaw = previous
+                        self.lastLocationModeRaw = previous
+                    }
+                }
+            }
+        }
    }

    private var activeBinding: Binding<Bool> {
@@ -95,20 +161,39 @@ struct GeneralSettings: View {
            set: { self.state.isPaused = !$0 })
    }

+    private var locationMode: ClawdbotLocationMode {
+        ClawdbotLocationMode(rawValue: self.locationModeRaw) ?? .off
+    }
+
+    private func requestLocationAuthorization(mode: ClawdbotLocationMode) async -> Bool {
+        guard mode != .off else { return true }
+        guard CLLocationManager.locationServicesEnabled() else {
+            await MainActor.run { LocationPermissionHelper.openSettings() }
+            return false
+        }
+
+        let status = CLLocationManager().authorizationStatus
+        let requireAlways = mode == .always
+        if PermissionManager.isLocationAuthorized(status: status, requireAlways: requireAlways) {
+            return true
+        }
+        let updated = await LocationPermissionRequester.shared.request(always: requireAlways)
+        return PermissionManager.isLocationAuthorized(status: updated, requireAlways: requireAlways)
+    }
+
    private var connectionSection: some View {
        VStack(alignment: .leading, spacing: 10) {
            Text("Clawdbot runs")
                .font(.title3.weight(.semibold))
                .frame(maxWidth: .infinity, alignment: .leading)

-            Picker("Mode", selection: self.$state.connectionMode) {
+            Picker("", selection: self.$state.connectionMode) {
                Text("Not configured").tag(AppState.ConnectionMode.unconfigured)
                Text("Local (this Mac)").tag(AppState.ConnectionMode.local)
                Text("Remote over SSH").tag(AppState.ConnectionMode.remote)
            }
-            .pickerStyle(.menu)
-            .labelsHidden()
-            .frame(width: 260, alignment: .leading)
+            .pickerStyle(.segmented)
+            .frame(width: 380, alignment: .leading)

            if self.state.connectionMode == .unconfigured {
                Text("Pick Local or Remote to start the Gateway.")
@@ -131,6 +216,8 @@ struct GeneralSettings: View {
            if self.state.connectionMode == .remote {
                self.remoteCard
            }
+
+            self.cliInstaller
        }
    }

@@ -212,11 +299,6 @@ struct GeneralSettings: View {
                        .font(.caption)
                        .foregroundStyle(.secondary)
                }
-                if let authLabel = ControlChannel.shared.authSourceLabel {
-                    Text(authLabel)
-                        .font(.caption)
-                        .foregroundStyle(.secondary)
-                }
            }

            Text("Tip: enable Tailscale for stable remote access.")
@@ -264,6 +346,59 @@ struct GeneralSettings: View {
        return message == self.controlStatusLine
    }

+    private var cliInstaller: some View {
+        VStack(alignment: .leading, spacing: 8) {
+            HStack(spacing: 10) {
+                Button {
+                    Task { await self.installCLI() }
+                } label: {
+                    let title = self.cliInstalled ? "Reinstall CLI" : "Install CLI"
+                    ZStack {
+                        Text(title)
+                            .opacity(self.isInstallingCLI ? 0 : 1)
+                        if self.isInstallingCLI {
+                            ProgressView()
+                                .controlSize(.mini)
+                        }
+                    }
+                    .frame(minWidth: 150)
+                }
+                .disabled(self.isInstallingCLI)
+
+                if self.isInstallingCLI {
+                    Text("Working...")
+                        .font(.callout)
+                        .foregroundStyle(.secondary)
+                } else if self.cliInstalled {
+                    Label("Installed", systemImage: "checkmark.circle.fill")
+                        .font(.callout)
+                        .foregroundStyle(.secondary)
+                } else {
+                    Text("Not installed")
+                        .font(.callout)
+                        .foregroundStyle(.secondary)
+                }
+            }
+
+            if let status = cliStatus {
+                Text(status)
+                    .font(.caption)
+                    .foregroundStyle(.secondary)
+                    .lineLimit(2)
+            } else if let installLocation = self.cliInstallLocation {
+                Text("Found at \(installLocation)")
+                    .font(.caption)
+                    .foregroundStyle(.secondary)
+                    .lineLimit(2)
+            } else {
+                Text("Installs a user-space Node 22+ runtime and the CLI (no Homebrew).")
+                    .font(.caption)
+                    .foregroundStyle(.secondary)
+                    .lineLimit(2)
+            }
+        }
+    }
+
    private var gatewayInstallerCard: some View {
        VStack(alignment: .leading, spacing: 8) {
            HStack(spacing: 10) {
@@ -319,6 +454,22 @@ struct GeneralSettings: View {
        .cornerRadius(10)
    }

+    private func installCLI() async {
+        guard !self.isInstallingCLI else { return }
+        self.isInstallingCLI = true
+        defer { isInstallingCLI = false }
+        await CLIInstaller.install { status in
+            self.cliStatus = status
+            self.refreshCLIStatus()
+        }
+    }
+
+    private func refreshCLIStatus() {
+        let installLocation = CLIInstaller.installedLocation()
+        self.cliInstallLocation = installLocation
+        self.cliInstalled = installLocation != nil
+    }
+
    private func refreshGatewayStatus() {
        Task {
            let status = await Task.detached(priority: .utility) {
@@ -612,6 +763,9 @@ extension GeneralSettings {
            message: "Gateway ready")
        view.remoteStatus = .failed("SSH failed")
        view.showRemoteAdvanced = true
+        view.cliInstalled = true
+        view.cliInstallLocation = "/usr/local/bin/clawdbot"
+        view.cliStatus = "Installed"
        _ = view.body

        state.connectionMode = .unconfigured
--- a/apps/macos/Sources/Clawdbot/HealthStore.swift
+++ b/apps/macos/Sources/Clawdbot/HealthStore.swift
@@ -235,8 +235,8 @@ final class HealthStore {
            let lower = error.lowercased()
            if lower.contains("connection refused") {
                let port = GatewayEnvironment.gatewayPort()
-                let host = GatewayConnectivityCoordinator.shared.localEndpointHostLabel ?? "127.0.0.1:\(port)"
-                return "The gateway control port (\(host)) isn’t listening — restart Clawdbot to bring it back."
+                return "The gateway control port (127.0.0.1:\(port)) isn’t listening — " +
+                    "restart Clawdbot to bring it back."
            }
            if lower.contains("timeout") {
                return "Timed out waiting for the control server; the gateway may be crashed or still starting."
--- a/apps/macos/Sources/Clawdbot/MenuBar.swift
+++ b/apps/macos/Sources/Clawdbot/MenuBar.swift
@@ -13,7 +13,6 @@ struct ClawdbotApp: App {
    private let gatewayManager = GatewayProcessManager.shared
    private let controlChannel = ControlChannel.shared
    private let activityStore = WorkActivityStore.shared
-    private let connectivityCoordinator = GatewayConnectivityCoordinator.shared
    @State private var statusItem: NSStatusItem?
    @State private var isMenuPresented = false
    @State private var isPanelVisible = false
--- a/apps/macos/Sources/Clawdbot/MenuSessionsInjector.swift
+++ b/apps/macos/Sources/Clawdbot/MenuSessionsInjector.swift
@@ -1,5 +1,4 @@
 import AppKit
-import Observation
 import SwiftUI

@MainActor
@@ -19,7 +18,6 @@ final class MenuSessionsInjector: NSObject, NSMenuDelegate {
    private var isMenuOpen = false
    private var lastKnownMenuWidth: CGFloat?
    private var menuOpenWidth: CGFloat?
-    private var isObservingControlChannel = false

    private var cachedSnapshot: SessionStoreSnapshot?
    private var cachedErrorText: String?
@@ -52,7 +50,6 @@ final class MenuSessionsInjector: NSObject, NSMenuDelegate {
            self.loadTask = Task { await self.refreshCache(force: true) }
        }

-        self.startControlChannelObservation()
        self.nodesStore.start()
    }

@@ -99,50 +96,6 @@ final class MenuSessionsInjector: NSObject, NSMenuDelegate {
        self.cancelPreviewTasks()
    }

-    private func startControlChannelObservation() {
-        guard !self.isObservingControlChannel else { return }
-        self.isObservingControlChannel = true
-        self.observeControlChannelState()
-    }
-
-    private func observeControlChannelState() {
-        withObservationTracking {
-            _ = ControlChannel.shared.state
-        } onChange: { [weak self] in
-            Task { @MainActor [weak self] in
-                guard let self else { return }
-                self.handleControlChannelStateChange()
-                self.observeControlChannelState()
-            }
-        }
-    }
-
-    private func handleControlChannelStateChange() {
-        guard self.isMenuOpen, let menu = self.statusItem?.menu else { return }
-        self.loadTask?.cancel()
-        self.loadTask = Task { [weak self, weak menu] in
-            guard let self, let menu else { return }
-            await self.refreshCache(force: true)
-            await self.refreshUsageCache(force: true)
-            await self.refreshCostUsageCache(force: true)
-            await MainActor.run {
-                guard self.isMenuOpen else { return }
-                self.inject(into: menu)
-                self.injectNodes(into: menu)
-            }
-        }
-
-        self.nodesLoadTask?.cancel()
-        self.nodesLoadTask = Task { [weak self, weak menu] in
-            guard let self, let menu else { return }
-            await self.nodesStore.refresh()
-            await MainActor.run {
-                guard self.isMenuOpen else { return }
-                self.injectNodes(into: menu)
-            }
-        }
-    }
-
    func menuNeedsUpdate(_ menu: NSMenu) {
        self.originalDelegate?.menuNeedsUpdate?(menu)
    }
@@ -188,23 +141,14 @@ extension MenuSessionsInjector {
                if rhs.key == mainKey { return false }
                return (lhs.updatedAt ?? .distantPast) > (rhs.updatedAt ?? .distantPast)
            }
-            if !rows.isEmpty {
-                let previewKeys = rows.prefix(20).map(\.key)
-                let task = Task {
-                    await SessionMenuPreviewLoader.prewarm(sessionKeys: previewKeys, maxItems: 10)
-                }
-                self.previewTasks.append(task)
-            }

            let headerItem = NSMenuItem()
            headerItem.tag = self.tag
            headerItem.isEnabled = false
-            let statusText = self
-                .cachedErrorText ?? (isConnected ? nil : self.controlChannelStatusText(for: channelState))
            let hosted = self.makeHostedView(
                rootView: AnyView(MenuSessionsHeaderView(
                    count: rows.count,
-                    statusText: statusText)),
+                    statusText: isConnected ? nil : self.controlChannelStatusText(for: channelState))),
                width: width,
                highlighted: false)
            headerItem.view = hosted
@@ -525,7 +469,7 @@ extension MenuSessionsInjector {
            }
        case .local:
            platform = "local"
-            host = GatewayConnectivityCoordinator.shared.localEndpointHostLabel ?? "127.0.0.1:\(port)"
+            host = "127.0.0.1:\(port)"
        case .unconfigured:
            platform = nil
            host = nil
@@ -654,11 +598,8 @@ extension MenuSessionsInjector {
        }

        guard self.isControlChannelConnected else {
-            if self.cachedSnapshot != nil {
-                self.cachedErrorText = "Gateway disconnected (showing cached)"
-            } else {
-                self.cachedErrorText = nil
-            }
+            self.cachedSnapshot = nil
+            self.cachedErrorText = nil
            self.cacheUpdatedAt = Date()
            return
        }
@@ -683,6 +624,8 @@ extension MenuSessionsInjector {
        }

        guard self.isControlChannelConnected else {
+            self.cachedUsageSummary = nil
+            self.cachedUsageErrorText = nil
            self.usageCacheUpdatedAt = Date()
            return
        }
@@ -705,6 +648,8 @@ extension MenuSessionsInjector {
        }

        guard self.isControlChannelConnected else {
+            self.cachedCostSummary = nil
+            self.cachedCostErrorText = nil
            self.costCacheUpdatedAt = Date()
            return
        }
--- a/apps/macos/Sources/Clawdbot/ModelCatalogLoader.swift
+++ b/apps/macos/Sources/Clawdbot/ModelCatalogLoader.swift
@@ -2,28 +2,14 @@ import Foundation
 import JavaScriptCore

 enum ModelCatalogLoader {
-    static var defaultPath: String { self.resolveDefaultPath() }
+    static let defaultPath: String = FileManager().homeDirectoryForCurrentUser
+        .appendingPathComponent("Projects/pi-mono/packages/ai/src/models.generated.ts").path
    private static let logger = Logger(subsystem: "com.clawdbot", category: "models")
-    private nonisolated static let appSupportDir: URL = {
-        let base = FileManager().urls(for: .applicationSupportDirectory, in: .userDomainMask).first!
-        return base.appendingPathComponent("Clawdbot", isDirectory: true)
-    }()
-
-    private static var cachePath: URL {
-        self.appSupportDir.appendingPathComponent("model-catalog/models.generated.js", isDirectory: false)
-    }

    static func load(from path: String) async throws -> [ModelChoice] {
        let expanded = (path as NSString).expandingTildeInPath
-        guard let resolved = self.resolvePath(preferred: expanded) else {
-            self.logger.error("model catalog load failed: file not found")
-            throw NSError(
-                domain: "ModelCatalogLoader",
-                code: 1,
-                userInfo: [NSLocalizedDescriptionKey: "Model catalog file not found"])
-        }
-        self.logger.debug("model catalog load start file=\(URL(fileURLWithPath: resolved.path).lastPathComponent)")
-        let source = try String(contentsOfFile: resolved.path, encoding: .utf8)
+        self.logger.debug("model catalog load start file=\(URL(fileURLWithPath: expanded).lastPathComponent)")
+        let source = try String(contentsOfFile: expanded, encoding: .utf8)
        let sanitized = self.sanitize(source: source)

        let ctx = JSContext()
@@ -59,82 +45,9 @@ enum ModelCatalogLoader {
            return lhs.provider.localizedCaseInsensitiveCompare(rhs.provider) == .orderedAscending
        }
        self.logger.debug("model catalog loaded providers=\(rawModels.count) models=\(sorted.count)")
-        if resolved.shouldCache {
-            self.cacheCatalog(sourcePath: resolved.path)
-        }
        return sorted
    }

-    private static func resolveDefaultPath() -> String {
-        let cache = self.cachePath.path
-        if FileManager().isReadableFile(atPath: cache) { return cache }
-        if let bundlePath = self.bundleCatalogPath() { return bundlePath }
-        if let nodePath = self.nodeModulesCatalogPath() { return nodePath }
-        return cache
-    }
-
-    private static func resolvePath(preferred: String) -> (path: String, shouldCache: Bool)? {
-        if FileManager().isReadableFile(atPath: preferred) {
-            return (preferred, preferred != self.cachePath.path)
-        }
-
-        if let bundlePath = self.bundleCatalogPath(), bundlePath != preferred {
-            self.logger.warning("model catalog path missing; falling back to bundled catalog")
-            return (bundlePath, true)
-        }
-
-        let cache = self.cachePath.path
-        if cache != preferred, FileManager().isReadableFile(atPath: cache) {
-            self.logger.warning("model catalog path missing; falling back to cached catalog")
-            return (cache, false)
-        }
-
-        if let nodePath = self.nodeModulesCatalogPath(), nodePath != preferred {
-            self.logger.warning("model catalog path missing; falling back to node_modules catalog")
-            return (nodePath, true)
-        }
-
-        return nil
-    }
-
-    private static func bundleCatalogPath() -> String? {
-        guard let url = Bundle.main.url(forResource: "models.generated", withExtension: "js") else {
-            return nil
-        }
-        return url.path
-    }
-
-    private static func nodeModulesCatalogPath() -> String? {
-        let roots = [
-            URL(fileURLWithPath: CommandResolver.projectRootPath()),
-            URL(fileURLWithPath: FileManager().currentDirectoryPath),
-        ]
-        for root in roots {
-            let candidate = root
-                .appendingPathComponent("node_modules/@mariozechner/pi-ai/dist/models.generated.js")
-            if FileManager().isReadableFile(atPath: candidate.path) {
-                return candidate.path
-            }
-        }
-        return nil
-    }
-
-    private static func cacheCatalog(sourcePath: String) {
-        let destination = self.cachePath
-        do {
-            try FileManager().createDirectory(
-                at: destination.deletingLastPathComponent(),
-                withIntermediateDirectories: true)
-            if FileManager().fileExists(atPath: destination.path) {
-                try FileManager().removeItem(at: destination)
-            }
-            try FileManager().copyItem(atPath: sourcePath, toPath: destination.path)
-            self.logger.debug("model catalog cached file=\(destination.lastPathComponent)")
-        } catch {
-            self.logger.warning("model catalog cache failed: \(error.localizedDescription)")
-        }
-    }
-
    private static func sanitize(source: String) -> String {
        guard let exportRange = source.range(of: "export const MODELS"),
              let firstBrace = source[exportRange.upperBound...].firstIndex(of: "{"),
--- a/apps/macos/Sources/Clawdbot/NodeMode/MacNodeRuntime.swift
+++ b/apps/macos/Sources/Clawdbot/NodeMode/MacNodeRuntime.swift
@@ -480,26 +480,26 @@ actor MacNodeRuntime {
                message: "SYSTEM_RUN_DISABLED: security=deny")
        }

-        let approval = await self.resolveSystemRunApproval(
-            req: req,
-            params: params,
-            context: ExecRunContext(
-                displayCommand: displayCommand,
-                security: security,
-                ask: ask,
-                agentId: agentId,
-                resolution: resolution,
-                allowlistMatch: allowlistMatch,
-                skillAllow: skillAllow,
-                sessionKey: sessionKey,
-                runId: runId))
-        if let response = approval.response { return response }
-        let approvedByAsk = approval.approvedByAsk
-        let persistAllowlist = approval.persistAllowlist
-        if persistAllowlist, security == .allowlist,
-           let pattern = ExecApprovalHelpers.allowlistPattern(command: command, resolution: resolution)
-        {
-            ExecApprovalsStore.addAllowlistEntry(agentId: agentId, pattern: pattern)
+        let requiresAsk: Bool = {
+            if ask == .always { return true }
+            if ask == .onMiss, security == .allowlist, allowlistMatch == nil, !skillAllow { return true }
+            return false
+        }()
+
+        let approvedByAsk = params.approved == true
+        if requiresAsk, !approvedByAsk {
+            await self.emitExecEvent(
+                "exec.denied",
+                payload: ExecEventPayload(
+                    sessionKey: sessionKey,
+                    runId: runId,
+                    host: "node",
+                    command: displayCommand,
+                    reason: "approval-required"))
+            return Self.errorResponse(
+                req,
+                code: .unavailable,
+                message: "SYSTEM_RUN_DENIED: approval required")
        }

        if security == .allowlist, allowlistMatch == nil, !skillAllow, !approvedByAsk {
@@ -619,100 +619,6 @@ actor MacNodeRuntime {
        return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
    }

-    private struct ExecApprovalOutcome {
-        var approvedByAsk: Bool
-        var persistAllowlist: Bool
-        var response: BridgeInvokeResponse?
-    }
-
-    private struct ExecRunContext {
-        var displayCommand: String
-        var security: ExecSecurity
-        var ask: ExecAsk
-        var agentId: String?
-        var resolution: ExecCommandResolution?
-        var allowlistMatch: ExecAllowlistEntry?
-        var skillAllow: Bool
-        var sessionKey: String
-        var runId: String
-    }
-
-    private func resolveSystemRunApproval(
-        req: BridgeInvokeRequest,
-        params: ClawdbotSystemRunParams,
-        context: ExecRunContext) async -> ExecApprovalOutcome
-    {
-        let requiresAsk = ExecApprovalHelpers.requiresAsk(
-            ask: context.ask,
-            security: context.security,
-            allowlistMatch: context.allowlistMatch,
-            skillAllow: context.skillAllow)
-
-        let decisionFromParams = ExecApprovalHelpers.parseDecision(params.approvalDecision)
-        var approvedByAsk = params.approved == true || decisionFromParams != nil
-        var persistAllowlist = decisionFromParams == .allowAlways
-        if decisionFromParams == .deny {
-            await self.emitExecEvent(
-                "exec.denied",
-                payload: ExecEventPayload(
-                    sessionKey: context.sessionKey,
-                    runId: context.runId,
-                    host: "node",
-                    command: context.displayCommand,
-                    reason: "user-denied"))
-            return ExecApprovalOutcome(
-                approvedByAsk: approvedByAsk,
-                persistAllowlist: persistAllowlist,
-                response: Self.errorResponse(
-                    req,
-                    code: .unavailable,
-                    message: "SYSTEM_RUN_DENIED: user denied"))
-        }
-
-        if requiresAsk, !approvedByAsk {
-            let decision = await MainActor.run {
-                ExecApprovalsPromptPresenter.prompt(
-                    ExecApprovalPromptRequest(
-                        command: context.displayCommand,
-                        cwd: params.cwd,
-                        host: "node",
-                        security: context.security.rawValue,
-                        ask: context.ask.rawValue,
-                        agentId: context.agentId,
-                        resolvedPath: context.resolution?.resolvedPath,
-                        sessionKey: context.sessionKey))
-            }
-            switch decision {
-            case .deny:
-                await self.emitExecEvent(
-                    "exec.denied",
-                    payload: ExecEventPayload(
-                        sessionKey: context.sessionKey,
-                        runId: context.runId,
-                        host: "node",
-                        command: context.displayCommand,
-                        reason: "user-denied"))
-                return ExecApprovalOutcome(
-                    approvedByAsk: approvedByAsk,
-                    persistAllowlist: persistAllowlist,
-                    response: Self.errorResponse(
-                        req,
-                        code: .unavailable,
-                        message: "SYSTEM_RUN_DENIED: user denied"))
-            case .allowAlways:
-                approvedByAsk = true
-                persistAllowlist = true
-            case .allowOnce:
-                approvedByAsk = true
-            }
-        }
-
-        return ExecApprovalOutcome(
-            approvedByAsk: approvedByAsk,
-            persistAllowlist: persistAllowlist,
-            response: nil)
-    }
-
    private func handleSystemExecApprovalsGet(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
        _ = ExecApprovalsStore.ensureFile()
        let snapshot = ExecApprovalsStore.readSnapshot()
--- a/apps/macos/Sources/Clawdbot/PermissionsSettings.swift
+++ b/apps/macos/Sources/Clawdbot/PermissionsSettings.swift
@@ -1,6 +1,4 @@
 import ClawdbotIPC
-import ClawdbotKit
-import CoreLocation
 import SwiftUI

 struct PermissionsSettings: View {
@@ -10,8 +8,6 @@ struct PermissionsSettings: View {

    var body: some View {
        VStack(alignment: .leading, spacing: 14) {
-            SystemRunSettingsView()
-
            Text("Allow these so Clawdbot can notify and capture when needed.")
                .padding(.top, 4)

@@ -19,8 +15,6 @@ struct PermissionsSettings: View {
                .padding(.horizontal, 2)
                .padding(.vertical, 6)

-            LocationAccessSettings()
-
            Button("Restart onboarding") { self.showOnboarding() }
                .buttonStyle(.bordered)
            Spacer()
@@ -30,72 +24,6 @@ struct PermissionsSettings: View {
    }
 }

-private struct LocationAccessSettings: View {
-    @AppStorage(locationModeKey) private var locationModeRaw: String = ClawdbotLocationMode.off.rawValue
-    @AppStorage(locationPreciseKey) private var locationPreciseEnabled: Bool = true
-    @State private var lastLocationModeRaw: String = ClawdbotLocationMode.off.rawValue
-
-    var body: some View {
-        VStack(alignment: .leading, spacing: 6) {
-            Text("Location Access")
-                .font(.body)
-
-            Picker("", selection: self.$locationModeRaw) {
-                Text("Off").tag(ClawdbotLocationMode.off.rawValue)
-                Text("While Using").tag(ClawdbotLocationMode.whileUsing.rawValue)
-                Text("Always").tag(ClawdbotLocationMode.always.rawValue)
-            }
-            .labelsHidden()
-            .pickerStyle(.menu)
-
-            Toggle("Precise Location", isOn: self.$locationPreciseEnabled)
-                .disabled(self.locationMode == .off)
-
-            Text("Always may require System Settings to approve background location.")
-                .font(.footnote)
-                .foregroundStyle(.tertiary)
-                .fixedSize(horizontal: false, vertical: true)
-        }
-        .onAppear {
-            self.lastLocationModeRaw = self.locationModeRaw
-        }
-        .onChange(of: self.locationModeRaw) { _, newValue in
-            let previous = self.lastLocationModeRaw
-            self.lastLocationModeRaw = newValue
-            guard let mode = ClawdbotLocationMode(rawValue: newValue) else { return }
-            Task {
-                let granted = await self.requestLocationAuthorization(mode: mode)
-                if !granted {
-                    await MainActor.run {
-                        self.locationModeRaw = previous
-                        self.lastLocationModeRaw = previous
-                    }
-                }
-            }
-        }
-    }
-
-    private var locationMode: ClawdbotLocationMode {
-        ClawdbotLocationMode(rawValue: self.locationModeRaw) ?? .off
-    }
-
-    private func requestLocationAuthorization(mode: ClawdbotLocationMode) async -> Bool {
-        guard mode != .off else { return true }
-        guard CLLocationManager.locationServicesEnabled() else {
-            await MainActor.run { LocationPermissionHelper.openSettings() }
-            return false
-        }
-
-        let status = CLLocationManager().authorizationStatus
-        let requireAlways = mode == .always
-        if PermissionManager.isLocationAuthorized(status: status, requireAlways: requireAlways) {
-            return true
-        }
-        let updated = await LocationPermissionRequester.shared.request(always: requireAlways)
-        return PermissionManager.isLocationAuthorized(status: updated, requireAlways: requireAlways)
-    }
-}
-
 struct PermissionStatusList: View {
    let status: [Capability: Bool]
    let refresh: () async -> Void
@@ -117,6 +45,25 @@ struct PermissionStatusList: View {
            .font(.footnote)
            .padding(.top, 2)
            .help("Refresh status")
+
+            if (self.status[.accessibility] ?? false) == false || (self.status[.screenRecording] ?? false) == false {
+                VStack(alignment: .leading, spacing: 8) {
+                    Text(
+                        "Note: macOS may require restarting Clawdbot after enabling Accessibility or Screen Recording.")
+                        .font(.caption)
+                        .foregroundStyle(.secondary)
+                        .fixedSize(horizontal: false, vertical: true)
+
+                    Button {
+                        LaunchdManager.startClawdbot()
+                    } label: {
+                        Label("Restart Clawdbot", systemImage: "arrow.counterclockwise")
+                    }
+                    .buttonStyle(.bordered)
+                    .controlSize(.small)
+                }
+                .padding(.top, 4)
+            }
        }
    }

--- a/apps/macos/Sources/Clawdbot/PortGuardian.swift
+++ b/apps/macos/Sources/Clawdbot/PortGuardian.swift
@@ -184,14 +184,6 @@ actor PortGuardian {
        }
    }

-    func isListening(port: Int, pid: Int32? = nil) async -> Bool {
-        let listeners = await self.listeners(on: port)
-        if let pid {
-            return listeners.contains(where: { $0.pid == pid })
-        }
-        return !listeners.isEmpty
-    }
-
    private func listeners(on port: Int) async -> [Listener] {
        let res = await ShellExecutor.run(
            command: ["lsof", "-nP", "-iTCP:\(port)", "-sTCP:LISTEN", "-Fpcn"],
--- a/apps/macos/Sources/Clawdbot/RemotePortTunnel.swift
+++ b/apps/macos/Sources/Clawdbot/RemotePortTunnel.swift
@@ -72,6 +72,7 @@ final class RemotePortTunnel {
        }
        var args: [String] = [
            "-o", "BatchMode=yes",
+            "-o", "IdentitiesOnly=yes",
            "-o", "ExitOnForwardFailure=yes",
            "-o", "StrictHostKeyChecking=accept-new",
            "-o", "UpdateHostKeys=yes",
@@ -83,12 +84,7 @@ final class RemotePortTunnel {
        ]
        if parsed.port > 0 { args.append(contentsOf: ["-p", String(parsed.port)]) }
        let identity = settings.identity.trimmingCharacters(in: .whitespacesAndNewlines)
-        if !identity.isEmpty {
-            // Only use IdentitiesOnly when an explicit identity file is provided.
-            // This allows 1Password SSH agent and other SSH agents to provide keys.
-            args.append(contentsOf: ["-o", "IdentitiesOnly=yes"])
-            args.append(contentsOf: ["-i", identity])
-        }
+        if !identity.isEmpty { args.append(contentsOf: ["-i", identity]) }
        let userHost = parsed.user.map { "\($0)@\(parsed.host)" } ?? parsed.host
        args.append(userHost)

--- a/apps/macos/Sources/Clawdbot/RemoteTunnelManager.swift
+++ b/apps/macos/Sources/Clawdbot/RemoteTunnelManager.swift
@@ -20,13 +20,11 @@ actor RemoteTunnelManager {
           tunnel.process.isRunning,
           let local = tunnel.localPort
        {
-            let pid = tunnel.process.processIdentifier
-            if await PortGuardian.shared.isListening(port: Int(local), pid: pid) {
+            if await self.isTunnelHealthy(port: local) {
                self.logger.info("reusing active SSH tunnel localPort=\(local, privacy: .public)")
                return local
            }
-            self.logger.error(
-                "active SSH tunnel on port \(local, privacy: .public) is not listening; restarting")
+            self.logger.error("active SSH tunnel on port \(local, privacy: .public) is unhealthy; restarting")
            await self.beginRestart()
            tunnel.terminate()
            self.controlTunnel = nil
@@ -37,11 +35,19 @@ actor RemoteTunnelManager {
        if let desc = await PortGuardian.shared.describe(port: Int(desiredPort)),
           self.isSshProcess(desc)
        {
-            self.logger.info(
-                "reusing existing SSH tunnel listener " +
-                    "localPort=\(desiredPort, privacy: .public) " +
-                    "pid=\(desc.pid, privacy: .public)")
-            return desiredPort
+            if await self.isTunnelHealthy(port: desiredPort) {
+                self.logger.info(
+                    "reusing existing SSH tunnel listener " +
+                        "localPort=\(desiredPort, privacy: .public) " +
+                        "pid=\(desc.pid, privacy: .public)")
+                return desiredPort
+            }
+            if self.restartInFlight {
+                self.logger.info("control tunnel restart in flight; skip stale tunnel cleanup")
+                return nil
+            }
+            await self.beginRestart()
+            await self.cleanupStaleTunnel(desc: desc, port: desiredPort)
        }
        return nil
    }
@@ -82,6 +88,10 @@ actor RemoteTunnelManager {
        self.controlTunnel = nil
    }

+    private func isTunnelHealthy(port: UInt16) async -> Bool {
+        await PortGuardian.shared.probeGatewayHealth(port: Int(port))
+    }
+
    private func isSshProcess(_ desc: PortGuardian.Descriptor) -> Bool {
        let cmd = desc.command.lowercased()
        if cmd.contains("ssh") { return true }
@@ -118,5 +128,21 @@ actor RemoteTunnelManager {
        try? await Task.sleep(nanoseconds: UInt64(remaining * 1_000_000_000))
    }

-    // Keep tunnel reuse lightweight; restart only when the listener disappears.
+    private func cleanupStaleTunnel(desc: PortGuardian.Descriptor, port: UInt16) async {
+        let pid = desc.pid
+        self.logger.error(
+            "stale SSH tunnel detected on port \(port, privacy: .public) pid \(pid, privacy: .public)")
+        let killed = await self.kill(pid: pid)
+        if !killed {
+            self.logger.error("failed to terminate stale SSH tunnel pid \(pid, privacy: .public)")
+        }
+        await PortGuardian.shared.removeRecord(pid: pid)
+    }
+
+    private func kill(pid: Int32) async -> Bool {
+        let term = await ShellExecutor.run(command: ["kill", "-TERM", "\(pid)"], cwd: nil, env: nil, timeout: 2)
+        if term.ok { return true }
+        let sigkill = await ShellExecutor.run(command: ["kill", "-KILL", "\(pid)"], cwd: nil, env: nil, timeout: 2)
+        return sigkill.ok
+    }
 }
--- a/apps/macos/Sources/Clawdbot/Resources/Info.plist
+++ b/apps/macos/Sources/Clawdbot/Resources/Info.plist
@@ -15,9 +15,9 @@
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleShortVersionString</key>
-    <string>2026.1.21</string>
+    <string>2026.1.20</string>
    <key>CFBundleVersion</key>
-    <string>202601210</string>
+    <string>202601200</string>
    <key>CFBundleIconFile</key>
    <string>Clawdbot</string>
    <key>CFBundleURLTypes</key>
--- a/apps/macos/Sources/Clawdbot/SessionMenuPreviewView.swift
+++ b/apps/macos/Sources/Clawdbot/SessionMenuPreviewView.swift
@@ -1,6 +1,5 @@
 import ClawdbotChatUI
 import ClawdbotKit
-import ClawdbotProtocol
 import OSLog
 import SwiftUI

@@ -32,80 +31,31 @@ actor SessionPreviewCache {
    static let shared = SessionPreviewCache()

    private struct CacheEntry {
-        let snapshot: SessionMenuPreviewSnapshot
+        let items: [SessionPreviewItem]
        let updatedAt: Date
    }

    private var entries: [String: CacheEntry] = [:]

-    func cachedSnapshot(for sessionKey: String, maxAge: TimeInterval) -> SessionMenuPreviewSnapshot? {
+    func cachedItems(for sessionKey: String, maxAge: TimeInterval) -> [SessionPreviewItem]? {
        guard let entry = self.entries[sessionKey] else { return nil }
        guard Date().timeIntervalSince(entry.updatedAt) < maxAge else { return nil }
-        return entry.snapshot
+        return entry.items
    }

-    func store(snapshot: SessionMenuPreviewSnapshot, for sessionKey: String) {
-        self.entries[sessionKey] = CacheEntry(snapshot: snapshot, updatedAt: Date())
+    func store(items: [SessionPreviewItem], for sessionKey: String) {
+        self.entries[sessionKey] = CacheEntry(items: items, updatedAt: Date())
    }

-    func lastSnapshot(for sessionKey: String) -> SessionMenuPreviewSnapshot? {
-        self.entries[sessionKey]?.snapshot
-    }
-}
-
-actor SessionPreviewLimiter {
-    static let shared = SessionPreviewLimiter(maxConcurrent: 2)
-
-    private let maxConcurrent: Int
-    private var available: Int
-    private var waitQueue: [UUID] = []
-    private var waiters: [UUID: CheckedContinuation<Void, Never>] = [:]
-
-    init(maxConcurrent: Int) {
-        let normalized = max(1, maxConcurrent)
-        self.maxConcurrent = normalized
-        self.available = normalized
-    }
-
-    func withPermit<T>(_ operation: () async throws -> T) async throws -> T {
-        await self.acquire()
-        defer { self.release() }
-        if Task.isCancelled { throw CancellationError() }
-        return try await operation()
-    }
-
-    private func acquire() async {
-        if self.available > 0 {
-            self.available -= 1
-            return
-        }
-        let id = UUID()
-        await withCheckedContinuation { cont in
-            self.waitQueue.append(id)
-            self.waiters[id] = cont
-        }
-    }
-
-    private func release() {
-        if let id = self.waitQueue.first {
-            self.waitQueue.removeFirst()
-            if let cont = self.waiters.removeValue(forKey: id) {
-                cont.resume()
-            }
-            return
-        }
-        self.available = min(self.available + 1, self.maxConcurrent)
+    func lastItems(for sessionKey: String) -> [SessionPreviewItem]? {
+        self.entries[sessionKey]?.items
    }
 }

 #if DEBUG
 extension SessionPreviewCache {
-    func _testSet(
-        snapshot: SessionMenuPreviewSnapshot,
-        for sessionKey: String,
-        updatedAt: Date = Date())
-    {
-        self.entries[sessionKey] = CacheEntry(snapshot: snapshot, updatedAt: updatedAt)
+    func _testSet(items: [SessionPreviewItem], for sessionKey: String, updatedAt: Date = Date()) {
+        self.entries[sessionKey] = CacheEntry(items: items, updatedAt: updatedAt)
    }

    func _testReset() {
@@ -224,44 +174,36 @@ enum SessionMenuPreviewLoader {
    private static let logger = Logger(subsystem: "com.clawdbot", category: "SessionPreview")
    private static let previewTimeoutSeconds: Double = 4
    private static let cacheMaxAgeSeconds: TimeInterval = 30
-    private static let previewMaxChars = 240

    private struct PreviewTimeoutError: LocalizedError {
        var errorDescription: String? { "preview timeout" }
    }

-    static func prewarm(sessionKeys: [String], maxItems: Int) async {
-        let keys = self.uniqueKeys(sessionKeys)
-        guard !keys.isEmpty else { return }
-        do {
-            let payload = try await self.requestPreview(keys: keys, maxItems: maxItems)
-            await self.cache(payload: payload, maxItems: maxItems)
-        } catch {
-            if self.isUnknownMethodError(error) { return }
-            let errorDescription = String(describing: error)
-            Self.logger.debug(
-                "Session preview prewarm failed count=\(keys.count, privacy: .public) " +
-                    "error=\(errorDescription, privacy: .public)")
-        }
-    }
-
    static func load(sessionKey: String, maxItems: Int) async -> SessionMenuPreviewSnapshot {
-        if let cached = await SessionPreviewCache.shared.cachedSnapshot(
-            for: sessionKey,
-            maxAge: cacheMaxAgeSeconds)
-        {
-            return cached
+        if let cached = await SessionPreviewCache.shared.cachedItems(for: sessionKey, maxAge: cacheMaxAgeSeconds) {
+            return self.snapshot(from: cached)
        }

        do {
-            let snapshot = try await self.fetchSnapshot(sessionKey: sessionKey, maxItems: maxItems)
-            await SessionPreviewCache.shared.store(snapshot: snapshot, for: sessionKey)
-            return snapshot
+            let timeoutMs = Int(self.previewTimeoutSeconds * 1000)
+            let payload = try await AsyncTimeout.withTimeout(
+                seconds: self.previewTimeoutSeconds,
+                onTimeout: { PreviewTimeoutError() },
+                operation: {
+                    try await GatewayConnection.shared.chatHistory(
+                        sessionKey: sessionKey,
+                        limit: self.previewLimit(for: maxItems),
+                        timeoutMs: timeoutMs)
+                })
+            let built = Self.previewItems(from: payload, maxItems: maxItems)
+            await SessionPreviewCache.shared.store(items: built, for: sessionKey)
+            return Self.snapshot(from: built)
        } catch is CancellationError {
            return SessionMenuPreviewSnapshot(items: [], status: .loading)
        } catch {
-            if let fallback = await SessionPreviewCache.shared.lastSnapshot(for: sessionKey) {
-                return fallback
+            let fallback = await SessionPreviewCache.shared.lastItems(for: sessionKey)
+            if let fallback {
+                return Self.snapshot(from: fallback)
            }
            let errorDescription = String(describing: error)
            Self.logger.warning(
@@ -271,120 +213,18 @@ enum SessionMenuPreviewLoader {
        }
    }

-    private static func fetchSnapshot(sessionKey: String, maxItems: Int) async throws -> SessionMenuPreviewSnapshot {
-        do {
-            let payload = try await self.requestPreview(keys: [sessionKey], maxItems: maxItems)
-            if let entry = payload.previews.first(where: { $0.key == sessionKey }) ?? payload.previews.first {
-                return self.snapshot(from: entry, maxItems: maxItems)
-            }
-            return SessionMenuPreviewSnapshot(items: [], status: .error("Preview unavailable"))
-        } catch {
-            if self.isUnknownMethodError(error) {
-                return try await self.fetchHistorySnapshot(sessionKey: sessionKey, maxItems: maxItems)
-            }
-            throw error
-        }
-    }
-
-    private static func requestPreview(
-        keys: [String],
-        maxItems: Int) async throws -> ClawdbotSessionsPreviewPayload
-    {
-        let boundedItems = self.normalizeMaxItems(maxItems)
-        let timeoutMs = Int(self.previewTimeoutSeconds * 1000)
-        return try await SessionPreviewLimiter.shared.withPermit {
-            try await AsyncTimeout.withTimeout(
-                seconds: self.previewTimeoutSeconds,
-                onTimeout: { PreviewTimeoutError() },
-                operation: {
-                    try await GatewayConnection.shared.sessionsPreview(
-                        keys: keys,
-                        limit: boundedItems,
-                        maxChars: self.previewMaxChars,
-                        timeoutMs: timeoutMs)
-                })
-        }
-    }
-
-    private static func fetchHistorySnapshot(
-        sessionKey: String,
-        maxItems: Int) async throws -> SessionMenuPreviewSnapshot
-    {
-        let timeoutMs = Int(self.previewTimeoutSeconds * 1000)
-        let payload = try await SessionPreviewLimiter.shared.withPermit {
-            try await AsyncTimeout.withTimeout(
-                seconds: self.previewTimeoutSeconds,
-                onTimeout: { PreviewTimeoutError() },
-                operation: {
-                    try await GatewayConnection.shared.chatHistory(
-                        sessionKey: sessionKey,
-                        limit: self.previewLimit(for: maxItems),
-                        timeoutMs: timeoutMs)
-                })
-        }
-        let built = Self.previewItems(from: payload, maxItems: maxItems)
-        return Self.snapshot(from: built)
-    }
-
    private static func snapshot(from items: [SessionPreviewItem]) -> SessionMenuPreviewSnapshot {
        SessionMenuPreviewSnapshot(items: items, status: items.isEmpty ? .empty : .ready)
    }

-    private static func snapshot(
-        from entry: ClawdbotSessionPreviewEntry,
-        maxItems: Int) -> SessionMenuPreviewSnapshot
-    {
-        let items = self.previewItems(from: entry, maxItems: maxItems)
-        let normalized = entry.status.trimmingCharacters(in: .whitespacesAndNewlines).lowercased()
-        switch normalized {
-        case "ok":
-            return SessionMenuPreviewSnapshot(items: items, status: items.isEmpty ? .empty : .ready)
-        case "empty":
-            return SessionMenuPreviewSnapshot(items: items, status: .empty)
-        case "missing":
-            return SessionMenuPreviewSnapshot(items: items, status: .error("Session missing"))
-        default:
-            return SessionMenuPreviewSnapshot(items: items, status: .error("Preview unavailable"))
-        }
-    }
-
-    private static func cache(payload: ClawdbotSessionsPreviewPayload, maxItems: Int) async {
-        for entry in payload.previews {
-            let snapshot = self.snapshot(from: entry, maxItems: maxItems)
-            await SessionPreviewCache.shared.store(snapshot: snapshot, for: entry.key)
-        }
-    }
-
    private static func previewLimit(for maxItems: Int) -> Int {
-        let boundedItems = self.normalizeMaxItems(maxItems)
-        return min(max(boundedItems * 3, 20), 120)
-    }
-
-    private static func normalizeMaxItems(_ maxItems: Int) -> Int {
-        max(1, min(maxItems, 50))
-    }
-
-    private static func previewItems(
-        from entry: ClawdbotSessionPreviewEntry,
-        maxItems: Int) -> [SessionPreviewItem]
-    {
-        let boundedItems = self.normalizeMaxItems(maxItems)
-        let built: [SessionPreviewItem] = entry.items.enumerated().compactMap { index, item in
-            let text = item.text.trimmingCharacters(in: .whitespacesAndNewlines)
-            guard !text.isEmpty else { return nil }
-            let role = self.previewRoleFromRaw(item.role)
-            return SessionPreviewItem(id: "\(entry.key)-\(index)", role: role, text: text)
-        }
-
-        let trimmed = built.suffix(boundedItems)
-        return Array(trimmed.reversed())
+        min(max(maxItems * 3, 20), 120)
    }

    private static func previewItems(
        from payload: ClawdbotChatHistoryPayload,
        maxItems: Int) -> [SessionPreviewItem]
    {
-        let boundedItems = self.normalizeMaxItems(maxItems)
        let raw: [ClawdbotKit.AnyCodable] = payload.messages ?? []
        let messages = self.decodeMessages(raw)
        let built = messages.compactMap { message -> SessionPreviewItem? in
@@ -395,7 +235,7 @@ enum SessionMenuPreviewLoader {
            return SessionPreviewItem(id: id, role: role, text: text)
        }

-        let trimmed = built.suffix(boundedItems)
+        let trimmed = built.suffix(maxItems)
        return Array(trimmed.reversed())
    }

@@ -408,16 +248,12 @@ enum SessionMenuPreviewLoader {

    private static func previewRole(_ raw: String, isTool: Bool) -> PreviewRole {
        if isTool { return .tool }
-        return self.previewRoleFromRaw(raw)
-    }
-
-    private static func previewRoleFromRaw(_ raw: String) -> PreviewRole {
        switch raw.lowercased() {
-        case "user": .user
-        case "assistant": .assistant
-        case "system": .system
-        case "tool": .tool
-        default: .other
+        case "user": return .user
+        case "assistant": return .assistant
+        case "system": return .system
+        case "tool": return .tool
+        default: return .other
        }
    }

@@ -480,16 +316,4 @@ enum SessionMenuPreviewLoader {
        }
        return result
    }
-
-    private static func uniqueKeys(_ keys: [String]) -> [String] {
-        let trimmed = keys.map { $0.trimmingCharacters(in: .whitespacesAndNewlines) }
-        return self.dedupePreservingOrder(trimmed.filter { !$0.isEmpty })
-    }
-
-    private static func isUnknownMethodError(_ error: Error) -> Bool {
-        guard let response = error as? GatewayResponseError else { return false }
-        guard response.code == ErrorCode.invalidRequest.rawValue else { return false }
-        let message = response.message.lowercased()
-        return message.contains("unknown method")
-    }
 }
--- a/apps/macos/Sources/Clawdbot/TailscaleService.swift
+++ b/apps/macos/Sources/Clawdbot/TailscaleService.swift
@@ -2,9 +2,6 @@ import AppKit
 import Foundation
 import Observation
 import os
-#if canImport(Darwin)
-import Darwin
-#endif

 /// Manages Tailscale integration and status checking.
@Observable
@@ -103,14 +100,16 @@ final class TailscaleService {
    }

    func checkTailscaleStatus() async {
-        let previousIP = self.tailscaleIP
        self.isInstalled = self.checkAppInstallation()
-        if !self.isInstalled {
+        guard self.isInstalled else {
            self.isRunning = false
            self.tailscaleHostname = nil
            self.tailscaleIP = nil
            self.statusError = "Tailscale is not installed"
-        } else if let apiResponse = await fetchTailscaleStatus() {
+            return
+        }
+
+        if let apiResponse = await fetchTailscaleStatus() {
            self.isRunning = apiResponse.status.lowercased() == "running"

            if self.isRunning {
@@ -139,19 +138,6 @@ final class TailscaleService {
            self.statusError = "Please start the Tailscale app"
            self.logger.info("Tailscale API not responding; app likely not running")
        }
-
-        if self.tailscaleIP == nil, let fallback = Self.detectTailnetIPv4() {
-            self.tailscaleIP = fallback
-            if !self.isRunning {
-                self.isRunning = true
-            }
-            self.statusError = nil
-            self.logger.info("Tailscale interface IP detected (fallback) ip=\(fallback, privacy: .public)")
-        }
-
-        if previousIP != self.tailscaleIP {
-            await GatewayEndpointStore.shared.refresh()
-        }
    }

    func openTailscaleApp() {
@@ -177,50 +163,4 @@ final class TailscaleService {
            NSWorkspace.shared.open(url)
        }
    }
-
-    private nonisolated static func isTailnetIPv4(_ address: String) -> Bool {
-        let parts = address.split(separator: ".")
-        guard parts.count == 4 else { return false }
-        let octets = parts.compactMap { Int($0) }
-        guard octets.count == 4 else { return false }
-        let a = octets[0]
-        let b = octets[1]
-        return a == 100 && b >= 64 && b <= 127
-    }
-
-    private nonisolated static func detectTailnetIPv4() -> String? {
-        var addrList: UnsafeMutablePointer<ifaddrs>?
-        guard getifaddrs(&addrList) == 0, let first = addrList else { return nil }
-        defer { freeifaddrs(addrList) }
-
-        for ptr in sequence(first: first, next: { $0.pointee.ifa_next }) {
-            let flags = Int32(ptr.pointee.ifa_flags)
-            let isUp = (flags & IFF_UP) != 0
-            let isLoopback = (flags & IFF_LOOPBACK) != 0
-            let family = ptr.pointee.ifa_addr.pointee.sa_family
-            if !isUp || isLoopback || family != UInt8(AF_INET) { continue }
-
-            var addr = ptr.pointee.ifa_addr.pointee
-            var buffer = [CChar](repeating: 0, count: Int(NI_MAXHOST))
-            let result = getnameinfo(
-                &addr,
-                socklen_t(ptr.pointee.ifa_addr.pointee.sa_len),
-                &buffer,
-                socklen_t(buffer.count),
-                nil,
-                0,
-                NI_NUMERICHOST)
-            guard result == 0 else { continue }
-            let len = buffer.prefix { $0 != 0 }
-            let bytes = len.map { UInt8(bitPattern: $0) }
-            guard let ip = String(bytes: bytes, encoding: .utf8) else { continue }
-            if Self.isTailnetIPv4(ip) { return ip }
-        }
-
-        return nil
-    }
-
-    nonisolated static func fallbackTailnetIPv4() -> String? {
-        self.detectTailnetIPv4()
-    }
 }
--- a/apps/macos/Sources/ClawdbotMacCLI/ConnectCommand.swift
+++ b/apps/macos/Sources/ClawdbotMacCLI/ConnectCommand.swift
@@ -1,16 +1,13 @@
 import ClawdbotKit
 import ClawdbotProtocol
 import Foundation
-#if canImport(Darwin)
-import Darwin
-#endif

 struct ConnectOptions {
    var url: String?
    var token: String?
    var password: String?
    var mode: String?
-    var timeoutMs: Int = 15000
+    var timeoutMs: Int = 15_000
    var json: Bool = false
    var probe: Bool = false
    var clientId: String = "clawdbot-macos"
@@ -22,43 +19,53 @@ struct ConnectOptions {

    static func parse(_ args: [String]) -> ConnectOptions {
        var opts = ConnectOptions()
-        let flagHandlers: [String: (inout ConnectOptions) -> Void] = [
-            "-h": { $0.help = true },
-            "--help": { $0.help = true },
-            "--json": { $0.json = true },
-            "--probe": { $0.probe = true },
-        ]
-        let valueHandlers: [String: (inout ConnectOptions, String) -> Void] = [
-            "--url": { $0.url = $1 },
-            "--token": { $0.token = $1 },
-            "--password": { $0.password = $1 },
-            "--mode": { $0.mode = $1 },
-            "--timeout": { opts, raw in
-                if let parsed = Int(raw.trimmingCharacters(in: .whitespacesAndNewlines)) {
-                    opts.timeoutMs = max(250, parsed)
-                }
-            },
-            "--client-id": { $0.clientId = $1 },
-            "--client-mode": { $0.clientMode = $1 },
-            "--display-name": { $0.displayName = $1 },
-            "--role": { $0.role = $1 },
-            "--scopes": { opts, raw in
-                opts.scopes = raw.split(separator: ",").map { $0.trimmingCharacters(in: .whitespacesAndNewlines) }
-                    .filter { !$0.isEmpty }
-            },
-        ]
        var i = 0
        while i < args.count {
            let arg = args[i]
-            if let handler = flagHandlers[arg] {
-                handler(&opts)
-                i += 1
-                continue
-            }
-            if let handler = valueHandlers[arg], let value = self.nextValue(args, index: &i) {
-                handler(&opts, value)
-                i += 1
-                continue
+            switch arg {
+            case "-h", "--help":
+                opts.help = true
+            case "--json":
+                opts.json = true
+            case "--probe":
+                opts.probe = true
+            case "--url":
+                opts.url = self.nextValue(args, index: &i)
+            case "--token":
+                opts.token = self.nextValue(args, index: &i)
+            case "--password":
+                opts.password = self.nextValue(args, index: &i)
+            case "--mode":
+                if let value = self.nextValue(args, index: &i) {
+                    opts.mode = value
+                }
+            case "--timeout":
+                if let raw = self.nextValue(args, index: &i),
+                   let parsed = Int(raw.trimmingCharacters(in: .whitespacesAndNewlines))
+                {
+                    opts.timeoutMs = max(250, parsed)
+                }
+            case "--client-id":
+                if let value = self.nextValue(args, index: &i) {
+                    opts.clientId = value
+                }
+            case "--client-mode":
+                if let value = self.nextValue(args, index: &i) {
+                    opts.clientMode = value
+                }
+            case "--display-name":
+                opts.displayName = self.nextValue(args, index: &i)
+            case "--role":
+                if let value = self.nextValue(args, index: &i) {
+                    opts.role = value
+                }
+            case "--scopes":
+                if let value = self.nextValue(args, index: &i) {
+                    opts.scopes = value.split(separator: ",").map { $0.trimmingCharacters(in: .whitespacesAndNewlines) }
+                        .filter { !$0.isEmpty }
+                }
+            default:
+                break
            }
            i += 1
        }
@@ -247,12 +254,8 @@ private func resolveGatewayEndpoint(opts: ConnectOptions, config: GatewayConfig)

    if resolvedMode == "remote" {
        guard let raw = config.remoteUrl?.trimmingCharacters(in: .whitespacesAndNewlines),
-              !raw.isEmpty
-        else {
-            throw NSError(
-                domain: "Gateway",
-                code: 1,
-                userInfo: [NSLocalizedDescriptionKey: "gateway.remote.url is missing"])
+              !raw.isEmpty else {
+            throw NSError(domain: "Gateway", code: 1, userInfo: [NSLocalizedDescriptionKey: "gateway.remote.url is missing"])
        }
        guard let url = URL(string: raw) else {
            throw NSError(domain: "Gateway", code: 1, userInfo: [NSLocalizedDescriptionKey: "invalid url: \(raw)"])
@@ -265,12 +268,9 @@ private func resolveGatewayEndpoint(opts: ConnectOptions, config: GatewayConfig)
    }

    let port = config.port ?? 18789
-    let host = resolveLocalHost(bind: config.bind)
+    let host = "127.0.0.1"
    guard let url = URL(string: "ws://\(host):\(port)") else {
-        throw NSError(
-            domain: "Gateway",
-            code: 1,
-            userInfo: [NSLocalizedDescriptionKey: "invalid url: ws://\(host):\(port)"])
+        throw NSError(domain: "Gateway", code: 1, userInfo: [NSLocalizedDescriptionKey: "invalid url: ws://\(host):\(port)"])
    }
    return GatewayEndpoint(
        url: url,
@@ -280,7 +280,7 @@ private func resolveGatewayEndpoint(opts: ConnectOptions, config: GatewayConfig)
 }

 private func bestEffortEndpoint(opts: ConnectOptions, config: GatewayConfig) -> GatewayEndpoint? {
-    try? resolveGatewayEndpoint(opts: opts, config: config)
+    return try? resolveGatewayEndpoint(opts: opts, config: config)
 }

 private func resolvedToken(opts: ConnectOptions, mode: String, config: GatewayConfig) -> String? {
@@ -304,56 +304,3 @@ private func resolvedPassword(opts: ConnectOptions, mode: String, config: Gatewa
    }
    return config.password
 }
-
-private func resolveLocalHost(bind: String?) -> String {
-    let normalized = (bind ?? "").trimmingCharacters(in: .whitespacesAndNewlines).lowercased()
-    let tailnetIP = detectTailnetIPv4()
-    switch normalized {
-    case "tailnet":
-        return tailnetIP ?? "127.0.0.1"
-    default:
-        return "127.0.0.1"
-    }
-}
-
-private func detectTailnetIPv4() -> String? {
-    var addrList: UnsafeMutablePointer<ifaddrs>?
-    guard getifaddrs(&addrList) == 0, let first = addrList else { return nil }
-    defer { freeifaddrs(addrList) }
-
-    for ptr in sequence(first: first, next: { $0.pointee.ifa_next }) {
-        let flags = Int32(ptr.pointee.ifa_flags)
-        let isUp = (flags & IFF_UP) != 0
-        let isLoopback = (flags & IFF_LOOPBACK) != 0
-        let family = ptr.pointee.ifa_addr.pointee.sa_family
-        if !isUp || isLoopback || family != UInt8(AF_INET) { continue }
-
-        var addr = ptr.pointee.ifa_addr.pointee
-        var buffer = [CChar](repeating: 0, count: Int(NI_MAXHOST))
-        let result = getnameinfo(
-            &addr,
-            socklen_t(ptr.pointee.ifa_addr.pointee.sa_len),
-            &buffer,
-            socklen_t(buffer.count),
-            nil,
-            0,
-            NI_NUMERICHOST)
-        guard result == 0 else { continue }
-        let len = buffer.prefix { $0 != 0 }
-        let bytes = len.map { UInt8(bitPattern: $0) }
-        guard let ip = String(bytes: bytes, encoding: .utf8) else { continue }
-        if isTailnetIPv4(ip) { return ip }
-    }
-
-    return nil
-}
-
-private func isTailnetIPv4(_ address: String) -> Bool {
-    let parts = address.split(separator: ".")
-    guard parts.count == 4 else { return false }
-    let octets = parts.compactMap { Int($0) }
-    guard octets.count == 4 else { return false }
-    let a = octets[0]
-    let b = octets[1]
-    return a == 100 && b >= 64 && b <= 127
-}
--- a/apps/macos/Sources/ClawdbotProtocol/GatewayModels.swift
+++ b/apps/macos/Sources/ClawdbotProtocol/GatewayModels.swift
@@ -18,7 +18,6 @@ public struct ConnectParams: Codable, Sendable {
    public let caps: [String]?
    public let commands: [String]?
    public let permissions: [String: AnyCodable]?
-    public let pathenv: String?
    public let role: String?
    public let scopes: [String]?
    public let device: [String: AnyCodable]?
@@ -33,7 +32,6 @@ public struct ConnectParams: Codable, Sendable {
        caps: [String]?,
        commands: [String]?,
        permissions: [String: AnyCodable]?,
-        pathenv: String?,
        role: String?,
        scopes: [String]?,
        device: [String: AnyCodable]?,
@@ -47,7 +45,6 @@ public struct ConnectParams: Codable, Sendable {
        self.caps = caps
        self.commands = commands
        self.permissions = permissions
-        self.pathenv = pathenv
        self.role = role
        self.scopes = scopes
        self.device = device
@@ -62,7 +59,6 @@ public struct ConnectParams: Codable, Sendable {
        case caps
        case commands
        case permissions
-        case pathenv = "pathEnv"
        case role
        case scopes
        case device
@@ -477,7 +473,6 @@ public struct AgentParams: Codable, Sendable {
    public let replychannel: String?
    public let accountid: String?
    public let replyaccountid: String?
-    public let threadid: String?
    public let timeout: Int?
    public let lane: String?
    public let extrasystemprompt: String?
@@ -499,7 +494,6 @@ public struct AgentParams: Codable, Sendable {
        replychannel: String?,
        accountid: String?,
        replyaccountid: String?,
-        threadid: String?,
        timeout: Int?,
        lane: String?,
        extrasystemprompt: String?,
@@ -520,7 +514,6 @@ public struct AgentParams: Codable, Sendable {
        self.replychannel = replychannel
        self.accountid = accountid
        self.replyaccountid = replyaccountid
-        self.threadid = threadid
        self.timeout = timeout
        self.lane = lane
        self.extrasystemprompt = extrasystemprompt
@@ -542,7 +535,6 @@ public struct AgentParams: Codable, Sendable {
        case replychannel = "replyChannel"
        case accountid = "accountId"
        case replyaccountid = "replyAccountId"
-        case threadid = "threadId"
        case timeout
        case lane
        case extrasystemprompt = "extraSystemPrompt"
@@ -552,44 +544,6 @@ public struct AgentParams: Codable, Sendable {
    }
 }

-public struct AgentIdentityParams: Codable, Sendable {
-    public let agentid: String?
-    public let sessionkey: String?
-
-    public init(
-        agentid: String?,
-        sessionkey: String?
-    ) {
-        self.agentid = agentid
-        self.sessionkey = sessionkey
-    }
-    private enum CodingKeys: String, CodingKey {
-        case agentid = "agentId"
-        case sessionkey = "sessionKey"
-    }
-}
-
-public struct AgentIdentityResult: Codable, Sendable {
-    public let agentid: String
-    public let name: String?
-    public let avatar: String?
-
-    public init(
-        agentid: String,
-        name: String?,
-        avatar: String?
-    ) {
-        self.agentid = agentid
-        self.name = name
-        self.avatar = avatar
-    }
-    private enum CodingKeys: String, CodingKey {
-        case agentid = "agentId"
-        case name
-        case avatar
-    }
-}
-
 public struct AgentWaitParams: Codable, Sendable {
    public let runid: String
    public let timeoutms: Int?
@@ -881,68 +835,35 @@ public struct SessionsListParams: Codable, Sendable {
    public let activeminutes: Int?
    public let includeglobal: Bool?
    public let includeunknown: Bool?
-    public let includederivedtitles: Bool?
-    public let includelastmessage: Bool?
    public let label: String?
    public let spawnedby: String?
    public let agentid: String?
-    public let search: String?

    public init(
        limit: Int?,
        activeminutes: Int?,
        includeglobal: Bool?,
        includeunknown: Bool?,
-        includederivedtitles: Bool?,
-        includelastmessage: Bool?,
        label: String?,
        spawnedby: String?,
-        agentid: String?,
-        search: String?
+        agentid: String?
    ) {
        self.limit = limit
        self.activeminutes = activeminutes
        self.includeglobal = includeglobal
        self.includeunknown = includeunknown
-        self.includederivedtitles = includederivedtitles
-        self.includelastmessage = includelastmessage
        self.label = label
        self.spawnedby = spawnedby
        self.agentid = agentid
-        self.search = search
    }
    private enum CodingKeys: String, CodingKey {
        case limit
        case activeminutes = "activeMinutes"
        case includeglobal = "includeGlobal"
        case includeunknown = "includeUnknown"
-        case includederivedtitles = "includeDerivedTitles"
-        case includelastmessage = "includeLastMessage"
        case label
        case spawnedby = "spawnedBy"
        case agentid = "agentId"
-        case search
-    }
-}
-
-public struct SessionsPreviewParams: Codable, Sendable {
-    public let keys: [String]
-    public let limit: Int?
-    public let maxchars: Int?
-
-    public init(
-        keys: [String],
-        limit: Int?,
-        maxchars: Int?
-    ) {
-        self.keys = keys
-        self.limit = limit
-        self.maxchars = maxchars
-    }
-    private enum CodingKeys: String, CodingKey {
-        case keys
-        case limit
-        case maxchars = "maxChars"
    }
 }

@@ -1506,21 +1427,17 @@ public struct WebLoginWaitParams: Codable, Sendable {
 public struct AgentSummary: Codable, Sendable {
    public let id: String
    public let name: String?
-    public let identity: [String: AnyCodable]?

    public init(
        id: String,
-        name: String?,
-        identity: [String: AnyCodable]?
+        name: String?
    ) {
        self.id = id
        self.name = name
-        self.identity = identity
    }
    private enum CodingKeys: String, CodingKey {
        case id
        case name
-        case identity
    }
 }

@@ -1971,7 +1888,6 @@ public struct ExecApprovalsSnapshot: Codable, Sendable {
 }

 public struct ExecApprovalRequestParams: Codable, Sendable {
-    public let id: String?
    public let command: String
    public let cwd: String?
    public let host: String?
@@ -1983,7 +1899,6 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
    public let timeoutms: Int?

    public init(
-        id: String?,
        command: String,
        cwd: String?,
        host: String?,
@@ -1994,7 +1909,6 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
        sessionkey: String?,
        timeoutms: Int?
    ) {
-        self.id = id
        self.command = command
        self.cwd = cwd
        self.host = host
@@ -2006,7 +1920,6 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
        self.timeoutms = timeoutms
    }
    private enum CodingKeys: String, CodingKey {
-        case id
        case command
        case cwd
        case host
--- a/apps/macos/Tests/ClawdbotIPCTests/ChannelsSettingsSmokeTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/ChannelsSettingsSmokeTests.swift
@@ -3,8 +3,6 @@ import SwiftUI
 import Testing
@testable import Clawdbot

-private typealias SnapshotAnyCodable = Clawdbot.AnyCodable
-
@Suite(.serialized)
@MainActor
 struct ChannelsSettingsSmokeTests {
@@ -19,11 +17,8 @@ struct ChannelsSettingsSmokeTests {
                "signal": "Signal",
                "imessage": "iMessage",
            ],
-            channelDetailLabels: nil,
-            channelSystemImages: nil,
-            channelMeta: nil,
            channels: [
-                "whatsapp": SnapshotAnyCodable([
+                "whatsapp": AnyCodable([
                    "configured": true,
                    "linked": true,
                    "authAgeMs": 86_400_000,
@@ -42,7 +37,7 @@ struct ChannelsSettingsSmokeTests {
                    "lastEventAt": 1_700_000_060_000,
                    "lastError": "needs login",
                ]),
-                "telegram": SnapshotAnyCodable([
+                "telegram": AnyCodable([
                    "configured": true,
                    "tokenSource": "env",
                    "running": true,
@@ -57,7 +52,7 @@ struct ChannelsSettingsSmokeTests {
                    ],
                    "lastProbeAt": 1_700_000_050_000,
                ]),
-                "signal": SnapshotAnyCodable([
+                "signal": AnyCodable([
                    "configured": true,
                    "baseUrl": "http://127.0.0.1:8080",
                    "running": true,
@@ -70,7 +65,7 @@ struct ChannelsSettingsSmokeTests {
                    ],
                    "lastProbeAt": 1_700_000_050_000,
                ]),
-                "imessage": SnapshotAnyCodable([
+                "imessage": AnyCodable([
                    "configured": false,
                    "running": false,
                    "lastError": "not configured",
@@ -105,18 +100,15 @@ struct ChannelsSettingsSmokeTests {
                "signal": "Signal",
                "imessage": "iMessage",
            ],
-            channelDetailLabels: nil,
-            channelSystemImages: nil,
-            channelMeta: nil,
            channels: [
-                "whatsapp": SnapshotAnyCodable([
+                "whatsapp": AnyCodable([
                    "configured": false,
                    "linked": false,
                    "running": false,
                    "connected": false,
                    "reconnectAttempts": 0,
                ]),
-                "telegram": SnapshotAnyCodable([
+                "telegram": AnyCodable([
                    "configured": false,
                    "running": false,
                    "lastError": "bot missing",
@@ -128,7 +120,7 @@ struct ChannelsSettingsSmokeTests {
                    ],
                    "lastProbeAt": 1_700_000_100_000,
                ]),
-                "signal": SnapshotAnyCodable([
+                "signal": AnyCodable([
                    "configured": false,
                    "baseUrl": "http://127.0.0.1:8080",
                    "running": false,
@@ -141,7 +133,7 @@ struct ChannelsSettingsSmokeTests {
                    ],
                    "lastProbeAt": 1_700_000_200_000,
                ]),
-                "imessage": SnapshotAnyCodable([
+                "imessage": AnyCodable([
                    "configured": false,
                    "running": false,
                    "lastError": "not configured",
--- a/apps/macos/Tests/ClawdbotIPCTests/CronJobEditorSmokeTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/CronJobEditorSmokeTests.swift
@@ -11,19 +11,16 @@ struct CronJobEditorSmokeTests {
    }

    @Test func cronJobEditorBuildsBodyForNewJob() {
-        let channelsStore = ChannelsStore(isPreview: true)
        let view = CronJobEditor(
            job: nil,
            isSaving: .constant(false),
            error: .constant(nil),
-            channelsStore: channelsStore,
            onCancel: {},
            onSave: { _ in })
        _ = view.body
    }

    @Test func cronJobEditorBuildsBodyForExistingJob() {
-        let channelsStore = ChannelsStore(isPreview: true)
        let job = CronJob(
            id: "job-1",
            agentId: "ops",
@@ -57,36 +54,31 @@ struct CronJobEditorSmokeTests {
            job: job,
            isSaving: .constant(false),
            error: .constant(nil),
-            channelsStore: channelsStore,
            onCancel: {},
            onSave: { _ in })
        _ = view.body
    }

    @Test func cronJobEditorExercisesBuilders() {
-        let channelsStore = ChannelsStore(isPreview: true)
        var view = CronJobEditor(
            job: nil,
            isSaving: .constant(false),
            error: .constant(nil),
-            channelsStore: channelsStore,
            onCancel: {},
            onSave: { _ in })
        view.exerciseForTesting()
    }

    @Test func cronJobEditorIncludesDeleteAfterRunForAtSchedule() throws {
-        let channelsStore = ChannelsStore(isPreview: true)
        let view = CronJobEditor(
            job: nil,
            isSaving: .constant(false),
            error: .constant(nil),
-            channelsStore: channelsStore,
            onCancel: {},
            onSave: { _ in })

        var root: [String: Any] = [:]
-        view.applyDeleteAfterRun(to: &root, scheduleKind: CronJobEditor.ScheduleKind.at, deleteAfterRun: true)
+        view.applyDeleteAfterRun(to: &root, scheduleKind: .at, deleteAfterRun: true)
        let raw = root["deleteAfterRun"] as? Bool
        #expect(raw == true)
    }
--- a/apps/macos/Tests/ClawdbotIPCTests/ExecApprovalHelpersTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/ExecApprovalHelpersTests.swift
@@ -1,60 +0,0 @@
-import Foundation
-import Testing
-@testable import Clawdbot
-
-@Suite struct ExecApprovalHelpersTests {
-    @Test func parseDecisionTrimsAndRejectsInvalid() {
-        #expect(ExecApprovalHelpers.parseDecision("allow-once") == .allowOnce)
-        #expect(ExecApprovalHelpers.parseDecision(" allow-always ") == .allowAlways)
-        #expect(ExecApprovalHelpers.parseDecision("deny") == .deny)
-        #expect(ExecApprovalHelpers.parseDecision("") == nil)
-        #expect(ExecApprovalHelpers.parseDecision("nope") == nil)
-    }
-
-    @Test func allowlistPatternPrefersResolution() {
-        let resolved = ExecCommandResolution(
-            rawExecutable: "rg",
-            resolvedPath: "/opt/homebrew/bin/rg",
-            executableName: "rg",
-            cwd: nil)
-        #expect(ExecApprovalHelpers.allowlistPattern(command: ["rg"], resolution: resolved) == resolved.resolvedPath)
-
-        let rawOnly = ExecCommandResolution(
-            rawExecutable: "rg",
-            resolvedPath: nil,
-            executableName: "rg",
-            cwd: nil)
-        #expect(ExecApprovalHelpers.allowlistPattern(command: ["rg"], resolution: rawOnly) == "rg")
-        #expect(ExecApprovalHelpers.allowlistPattern(command: ["rg"], resolution: nil) == "rg")
-        #expect(ExecApprovalHelpers.allowlistPattern(command: [], resolution: nil) == nil)
-    }
-
-    @Test func requiresAskMatchesPolicy() {
-        let entry = ExecAllowlistEntry(pattern: "/bin/ls", lastUsedAt: nil, lastUsedCommand: nil, lastResolvedPath: nil)
-        #expect(ExecApprovalHelpers.requiresAsk(
-            ask: .always,
-            security: .deny,
-            allowlistMatch: nil,
-            skillAllow: false))
-        #expect(ExecApprovalHelpers.requiresAsk(
-            ask: .onMiss,
-            security: .allowlist,
-            allowlistMatch: nil,
-            skillAllow: false))
-        #expect(!ExecApprovalHelpers.requiresAsk(
-            ask: .onMiss,
-            security: .allowlist,
-            allowlistMatch: entry,
-            skillAllow: false))
-        #expect(!ExecApprovalHelpers.requiresAsk(
-            ask: .onMiss,
-            security: .allowlist,
-            allowlistMatch: nil,
-            skillAllow: true))
-        #expect(!ExecApprovalHelpers.requiresAsk(
-            ask: .off,
-            security: .allowlist,
-            allowlistMatch: nil,
-            skillAllow: false))
-    }
-}
--- a/apps/macos/Tests/ClawdbotIPCTests/ExecApprovalsGatewayPrompterTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/ExecApprovalsGatewayPrompterTests.swift
@@ -1,56 +0,0 @@
-import Testing
-@testable import Clawdbot
-
-@Suite
-@MainActor
-struct ExecApprovalsGatewayPrompterTests {
-    @Test func sessionMatchPrefersActiveSession() {
-        let matches = ExecApprovalsGatewayPrompter._testShouldPresent(
-            mode: .remote,
-            activeSession: " main ",
-            requestSession: "main",
-            lastInputSeconds: nil)
-        #expect(matches)
-
-        let mismatched = ExecApprovalsGatewayPrompter._testShouldPresent(
-            mode: .remote,
-            activeSession: "other",
-            requestSession: "main",
-            lastInputSeconds: 0)
-        #expect(!mismatched)
-    }
-
-    @Test func sessionFallbackUsesRecentActivity() {
-        let recent = ExecApprovalsGatewayPrompter._testShouldPresent(
-            mode: .remote,
-            activeSession: nil,
-            requestSession: "main",
-            lastInputSeconds: 10,
-            thresholdSeconds: 120)
-        #expect(recent)
-
-        let stale = ExecApprovalsGatewayPrompter._testShouldPresent(
-            mode: .remote,
-            activeSession: nil,
-            requestSession: "main",
-            lastInputSeconds: 200,
-            thresholdSeconds: 120)
-        #expect(!stale)
-    }
-
-    @Test func defaultBehaviorMatchesMode() {
-        let local = ExecApprovalsGatewayPrompter._testShouldPresent(
-            mode: .local,
-            activeSession: nil,
-            requestSession: nil,
-            lastInputSeconds: 400)
-        #expect(local)
-
-        let remote = ExecApprovalsGatewayPrompter._testShouldPresent(
-            mode: .remote,
-            activeSession: nil,
-            requestSession: nil,
-            lastInputSeconds: 400)
-        #expect(!remote)
-    }
-}
--- a/apps/macos/Tests/ClawdbotIPCTests/GatewayChannelConfigureTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/GatewayChannelConfigureTests.swift
@@ -1,4 +1,3 @@
-import ClawdbotKit
 import Foundation
 import os
 import Testing
--- a/apps/macos/Tests/ClawdbotIPCTests/GatewayChannelConnectTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/GatewayChannelConnectTests.swift
@@ -1,4 +1,3 @@
-import ClawdbotKit
 import Foundation
 import os
 import Testing
--- a/apps/macos/Tests/ClawdbotIPCTests/GatewayChannelRequestTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/GatewayChannelRequestTests.swift
@@ -1,4 +1,3 @@
-import ClawdbotKit
 import Foundation
 import os
 import Testing
--- a/apps/macos/Tests/ClawdbotIPCTests/GatewayChannelShutdownTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/GatewayChannelShutdownTests.swift
@@ -1,4 +1,3 @@
-import ClawdbotKit
 import Foundation
 import os
 import Testing
--- a/apps/macos/Tests/ClawdbotIPCTests/GatewayConnectionControlTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/GatewayConnectionControlTests.swift
@@ -1,4 +1,3 @@
-import ClawdbotKit
 import Foundation
 import Testing
@testable import Clawdbot
--- a/apps/macos/Tests/ClawdbotIPCTests/GatewayEndpointStoreTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/GatewayEndpointStoreTests.swift
@@ -139,40 +139,4 @@ import Testing
        let resolved = ConnectionModeResolver.resolve(root: root, defaults: defaults)
        #expect(resolved.mode == .remote)
    }
-
-    @Test func resolveLocalGatewayHostUsesLoopbackForAutoEvenWithTailnet() {
-        let host = GatewayEndpointStore._testResolveLocalGatewayHost(
-            bindMode: "auto",
-            tailscaleIP: "100.64.1.2")
-        #expect(host == "127.0.0.1")
-    }
-
-    @Test func resolveLocalGatewayHostUsesLoopbackForAutoWithoutTailnet() {
-        let host = GatewayEndpointStore._testResolveLocalGatewayHost(
-            bindMode: "auto",
-            tailscaleIP: nil)
-        #expect(host == "127.0.0.1")
-    }
-
-    @Test func resolveLocalGatewayHostPrefersTailnetForTailnetMode() {
-        let host = GatewayEndpointStore._testResolveLocalGatewayHost(
-            bindMode: "tailnet",
-            tailscaleIP: "100.64.1.5")
-        #expect(host == "100.64.1.5")
-    }
-
-    @Test func resolveLocalGatewayHostFallsBackToLoopbackForTailnetMode() {
-        let host = GatewayEndpointStore._testResolveLocalGatewayHost(
-            bindMode: "tailnet",
-            tailscaleIP: nil)
-        #expect(host == "127.0.0.1")
-    }
-
-    @Test func resolveLocalGatewayHostUsesCustomBindHost() {
-        let host = GatewayEndpointStore._testResolveLocalGatewayHost(
-            bindMode: "custom",
-            tailscaleIP: "100.64.1.9",
-            customBindHost: "192.168.1.10")
-        #expect(host == "192.168.1.10")
-    }
 }
--- a/apps/macos/Tests/ClawdbotIPCTests/GatewayEnvironmentTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/GatewayEnvironmentTests.swift
@@ -48,10 +48,7 @@ import Testing

    @Test func expectedGatewayVersionFromStringUsesParser() {
        #expect(GatewayEnvironment.expectedGatewayVersion(from: "v9.1.2") == Semver(major: 9, minor: 1, patch: 2))
-        #expect(GatewayEnvironment.expectedGatewayVersion(from: "2026.1.11-4") == Semver(
-            major: 2026,
-            minor: 1,
-            patch: 11))
+        #expect(GatewayEnvironment.expectedGatewayVersion(from: "2026.1.11-4") == Semver(major: 2026, minor: 1, patch: 11))
        #expect(GatewayEnvironment.expectedGatewayVersion(from: nil) == nil)
    }
 }
--- a/apps/macos/Tests/ClawdbotIPCTests/GatewayProcessManagerTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/GatewayProcessManagerTests.swift
@@ -1,147 +0,0 @@
-import ClawdbotKit
-import Foundation
-import os
-import Testing
-@testable import Clawdbot
-
-@Suite(.serialized)
-@MainActor
-struct GatewayProcessManagerTests {
-    private final class FakeWebSocketTask: WebSocketTasking, @unchecked Sendable {
-        private let connectRequestID = OSAllocatedUnfairLock<String?>(initialState: nil)
-        private let pendingReceiveHandler =
-            OSAllocatedUnfairLock<(@Sendable (Result<URLSessionWebSocketTask.Message, Error>)
-                    -> Void)?>(initialState: nil)
-        private let cancelCount = OSAllocatedUnfairLock(initialState: 0)
-        private let sendCount = OSAllocatedUnfairLock(initialState: 0)
-
-        var state: URLSessionTask.State = .suspended
-
-        func resume() {
-            self.state = .running
-        }
-
-        func cancel(with closeCode: URLSessionWebSocketTask.CloseCode, reason: Data?) {
-            _ = (closeCode, reason)
-            self.state = .canceling
-            self.cancelCount.withLock { $0 += 1 }
-            let handler = self.pendingReceiveHandler.withLock { handler in
-                defer { handler = nil }
-                return handler
-            }
-            handler?(Result<URLSessionWebSocketTask.Message, Error>.failure(URLError(.cancelled)))
-        }
-
-        func send(_ message: URLSessionWebSocketTask.Message) async throws {
-            let currentSendCount = self.sendCount.withLock { count in
-                defer { count += 1 }
-                return count
-            }
-
-            if currentSendCount == 0 {
-                guard case let .data(data) = message else { return }
-                if let obj = try? JSONSerialization.jsonObject(with: data) as? [String: Any],
-                   (obj["type"] as? String) == "req",
-                   (obj["method"] as? String) == "connect",
-                   let id = obj["id"] as? String
-                {
-                    self.connectRequestID.withLock { $0 = id }
-                }
-                return
-            }
-
-            guard case let .data(data) = message else { return }
-            guard
-                let obj = try? JSONSerialization.jsonObject(with: data) as? [String: Any],
-                (obj["type"] as? String) == "req",
-                let id = obj["id"] as? String
-            else {
-                return
-            }
-
-            let response = Self.responseData(id: id)
-            let handler = self.pendingReceiveHandler.withLock { $0 }
-            handler?(Result<URLSessionWebSocketTask.Message, Error>.success(.data(response)))
-        }
-
-        func receive() async throws -> URLSessionWebSocketTask.Message {
-            let id = self.connectRequestID.withLock { $0 } ?? "connect"
-            return .data(Self.connectOkData(id: id))
-        }
-
-        func receive(
-            completionHandler: @escaping @Sendable (Result<URLSessionWebSocketTask.Message, Error>) -> Void)
-        {
-            self.pendingReceiveHandler.withLock { $0 = completionHandler }
-        }
-
-        private static func connectOkData(id: String) -> Data {
-            let json = """
-            {
-              "type": "res",
-              "id": "\(id)",
-              "ok": true,
-              "payload": {
-                "type": "hello-ok",
-                "protocol": 2,
-                "server": { "version": "test", "connId": "test" },
-                "features": { "methods": [], "events": [] },
-                "snapshot": {
-                  "presence": [ { "ts": 1 } ],
-                  "health": {},
-                  "stateVersion": { "presence": 0, "health": 0 },
-                  "uptimeMs": 0
-                },
-                "policy": { "maxPayload": 1, "maxBufferedBytes": 1, "tickIntervalMs": 30000 }
-              }
-            }
-            """
-            return Data(json.utf8)
-        }
-
-        private static func responseData(id: String) -> Data {
-            let json = """
-            {
-              "type": "res",
-              "id": "\(id)",
-              "ok": true,
-              "payload": { "ok": true }
-            }
-            """
-            return Data(json.utf8)
-        }
-    }
-
-    private final class FakeWebSocketSession: WebSocketSessioning, @unchecked Sendable {
-        private let tasks = OSAllocatedUnfairLock(initialState: [FakeWebSocketTask]())
-
-        func makeWebSocketTask(url: URL) -> WebSocketTaskBox {
-            _ = url
-            let task = FakeWebSocketTask()
-            self.tasks.withLock { $0.append(task) }
-            return WebSocketTaskBox(task: task)
-        }
-    }
-
-    @Test func clearsLastFailureWhenHealthSucceeds() async {
-        let session = FakeWebSocketSession()
-        let url = URL(string: "ws://example.invalid")!
-        let connection = GatewayConnection(
-            configProvider: { (url: url, token: nil, password: nil) },
-            sessionBox: WebSocketSessionBox(session: session))
-
-        let manager = GatewayProcessManager.shared
-        manager.setTestingConnection(connection)
-        manager.setTestingDesiredActive(true)
-        manager.setTestingLastFailureReason("health failed")
-        defer {
-            manager.setTestingConnection(nil)
-            manager.setTestingDesiredActive(false)
-            manager.setTestingLastFailureReason(nil)
-        }
-
-        let ready = await manager.waitForGatewayReady(timeout: 0.5)
-        #expect(ready)
-        #expect(manager.lastFailureReason == nil)
-    }
-}
--- a/apps/macos/Tests/ClawdbotIPCTests/LowCoverageHelperTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/LowCoverageHelperTests.swift
@@ -7,17 +7,15 @@ import Testing

@Suite(.serialized)
 struct LowCoverageHelperTests {
-    private typealias ProtoAnyCodable = ClawdbotProtocol.AnyCodable
-
    @Test func anyCodableHelperAccessors() throws {
-        let payload: [String: ProtoAnyCodable] = [
-            "title": ProtoAnyCodable("Hello"),
-            "flag": ProtoAnyCodable(true),
-            "count": ProtoAnyCodable(3),
-            "ratio": ProtoAnyCodable(1.25),
-            "list": ProtoAnyCodable([ProtoAnyCodable("a"), ProtoAnyCodable(2)]),
+        let payload: [String: AnyCodable] = [
+            "title": AnyCodable("Hello"),
+            "flag": AnyCodable(true),
+            "count": AnyCodable(3),
+            "ratio": AnyCodable(1.25),
+            "list": AnyCodable([AnyCodable("a"), AnyCodable(2)]),
        ]
-        let any = ProtoAnyCodable(payload)
+        let any = AnyCodable(payload)
        let dict = try #require(any.dictionaryValue)
        #expect(dict["title"]?.stringValue == "Hello")
        #expect(dict["flag"]?.boolValue == true)
@@ -78,27 +76,31 @@ struct LowCoverageHelperTests {
        #expect(result.stderr.contains("stderr-1999"))
    }

-    @Test func nodeInfoCodableRoundTrip() throws {
-        let info = NodeInfo(
+    @Test func pairedNodesStorePersists() async throws {
+        let dir = FileManager().temporaryDirectory
+            .appendingPathComponent("paired-\(UUID().uuidString)", isDirectory: true)
+        try FileManager().createDirectory(at: dir, withIntermediateDirectories: true)
+        let url = dir.appendingPathComponent("nodes.json")
+        let store = PairedNodesStore(fileURL: url)
+        await store.load()
+        #expect(await store.all().isEmpty)
+
+        let node = PairedNode(
            nodeId: "node-1",
            displayName: "Node One",
            platform: "macOS",
            version: "1.0",
-            coreVersion: "1.0-core",
-            uiVersion: "1.0-ui",
            deviceFamily: "Mac",
            modelIdentifier: "MacBookPro",
-            remoteIp: "192.168.1.2",
-            caps: ["chat"],
-            commands: ["send"],
-            permissions: ["send": true],
-            paired: true,
-            connected: false)
-        let data = try JSONEncoder().encode(info)
-        let decoded = try JSONDecoder().decode(NodeInfo.self, from: data)
-        #expect(decoded.nodeId == "node-1")
-        #expect(decoded.isPaired == true)
-        #expect(decoded.isConnected == false)
+            token: "token",
+            createdAtMs: 1,
+            lastSeenAtMs: nil)
+        try await store.upsert(node)
+        #expect(await store.find(nodeId: "node-1")?.displayName == "Node One")
+
+        try await store.touchSeen(nodeId: "node-1")
+        let updated = await store.find(nodeId: "node-1")
+        #expect(updated?.lastSeenAtMs != nil)
    }

    @Test @MainActor func presenceReporterHelpers() {
--- a/apps/macos/Tests/ClawdbotIPCTests/MacGatewayChatTransportMappingTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/MacGatewayChatTransportMappingTests.swift
@@ -21,7 +21,6 @@ import Testing
            features: [:],
            snapshot: snapshot,
            canvashosturl: nil,
-            auth: nil,
            policy: [:])

        let mapped = MacGatewayChatTransport.mapPushToTransportEvent(.snapshot(hello))
--- a/apps/macos/Tests/ClawdbotIPCTests/OnboardingWizardStepViewTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/OnboardingWizardStepViewTests.swift
@@ -3,15 +3,13 @@ import SwiftUI
 import Testing
@testable import Clawdbot

-private typealias ProtoAnyCodable = ClawdbotProtocol.AnyCodable
-
@Suite(.serialized)
@MainActor
 struct OnboardingWizardStepViewTests {
    @Test func noteStepBuilds() {
        let step = WizardStep(
            id: "step-1",
-            type: ProtoAnyCodable("note"),
+            type: AnyCodable("note"),
            title: "Welcome",
            message: "Hello",
            options: nil,
@@ -24,17 +22,17 @@ struct OnboardingWizardStepViewTests {
    }

    @Test func selectStepBuilds() {
-        let options: [[String: ProtoAnyCodable]] = [
-            ["value": ProtoAnyCodable("local"), "label": ProtoAnyCodable("Local"), "hint": ProtoAnyCodable("This Mac")],
-            ["value": ProtoAnyCodable("remote"), "label": ProtoAnyCodable("Remote")],
+        let options: [[String: AnyCodable]] = [
+            ["value": AnyCodable("local"), "label": AnyCodable("Local"), "hint": AnyCodable("This Mac")],
+            ["value": AnyCodable("remote"), "label": AnyCodable("Remote")],
        ]
        let step = WizardStep(
            id: "step-2",
-            type: ProtoAnyCodable("select"),
+            type: AnyCodable("select"),
            title: "Mode",
            message: "Choose a mode",
            options: options,
-            initialvalue: ProtoAnyCodable("local"),
+            initialvalue: AnyCodable("local"),
            placeholder: nil,
            sensitive: nil,
            executor: nil)
--- a/apps/macos/Tests/ClawdbotIPCTests/SessionMenuPreviewTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/SessionMenuPreviewTests.swift
@@ -7,22 +7,20 @@ struct SessionMenuPreviewTests {
    @Test func loaderReturnsCachedItems() async {
        await SessionPreviewCache.shared._testReset()
        let items = [SessionPreviewItem(id: "1", role: .user, text: "Hi")]
-        let snapshot = SessionMenuPreviewSnapshot(items: items, status: .ready)
-        await SessionPreviewCache.shared._testSet(snapshot: snapshot, for: "main")
+        await SessionPreviewCache.shared._testSet(items: items, for: "main")

-        let loaded = await SessionMenuPreviewLoader.load(sessionKey: "main", maxItems: 10)
-        #expect(loaded.status == .ready)
-        #expect(loaded.items.count == 1)
-        #expect(loaded.items.first?.text == "Hi")
+        let snapshot = await SessionMenuPreviewLoader.load(sessionKey: "main", maxItems: 10)
+        #expect(snapshot.status == .ready)
+        #expect(snapshot.items.count == 1)
+        #expect(snapshot.items.first?.text == "Hi")
    }

    @Test func loaderReturnsEmptyWhenCachedEmpty() async {
        await SessionPreviewCache.shared._testReset()
-        let snapshot = SessionMenuPreviewSnapshot(items: [], status: .empty)
-        await SessionPreviewCache.shared._testSet(snapshot: snapshot, for: "main")
+        await SessionPreviewCache.shared._testSet(items: [], for: "main")

-        let loaded = await SessionMenuPreviewLoader.load(sessionKey: "main", maxItems: 10)
-        #expect(loaded.status == .empty)
-        #expect(loaded.items.isEmpty)
+        let snapshot = await SessionMenuPreviewLoader.load(sessionKey: "main", maxItems: 10)
+        #expect(snapshot.status == .empty)
+        #expect(snapshot.items.isEmpty)
    }
 }
--- a/apps/shared/ClawdbotKit/Sources/ClawdbotChatUI/ChatModels.swift
+++ b/apps/shared/ClawdbotKit/Sources/ClawdbotChatUI/ChatModels.swift
@@ -235,27 +235,6 @@ public struct ClawdbotChatHistoryPayload: Codable, Sendable {
    public let thinkingLevel: String?
 }

-public struct ClawdbotSessionPreviewItem: Codable, Hashable, Sendable {
-    public let role: String
-    public let text: String
-}
-
-public struct ClawdbotSessionPreviewEntry: Codable, Sendable {
-    public let key: String
-    public let status: String
-    public let items: [ClawdbotSessionPreviewItem]
-}
-
-public struct ClawdbotSessionsPreviewPayload: Codable, Sendable {
-    public let ts: Int
-    public let previews: [ClawdbotSessionPreviewEntry]
-
-    public init(ts: Int, previews: [ClawdbotSessionPreviewEntry]) {
-        self.ts = ts
-        self.previews = previews
-    }
-}
-
 public struct ClawdbotChatSendResponse: Codable, Sendable {
    public let runId: String
    public let status: String
--- a/apps/shared/ClawdbotKit/Sources/ClawdbotChatUI/ChatView.swift
+++ b/apps/shared/ClawdbotKit/Sources/ClawdbotChatUI/ChatView.swift
@@ -12,7 +12,6 @@ public struct ClawdbotChatView: View {
    @State private var scrollPosition: UUID?
    @State private var showSessions = false
    @State private var hasPerformedInitialScroll = false
-    @State private var isPinnedToBottom = true
    private let showsSessionSwitcher: Bool
    private let style: Style
    private let markdownVariant: ChatMarkdownVariant
@@ -88,28 +87,36 @@ public struct ClawdbotChatView: View {
    private var messageList: some View {
        ZStack {
            ScrollView {
-                LazyVStack(spacing: Layout.messageSpacing) {
-                    self.messageListRows
+                #if os(macOS)
+                VStack(spacing: 0) {
+                    LazyVStack(spacing: Layout.messageSpacing) {
+                        self.messageListRows
+                    }

                    Color.clear
-                        #if os(macOS)
                        .frame(height: Layout.messageListPaddingBottom)
-                        #else
-                        .frame(height: Layout.messageListPaddingBottom + 1)
-                        #endif
                        .id(self.scrollerBottomID)
                }
                // Use scroll targets for stable auto-scroll without ScrollViewReader relayout glitches.
                .scrollTargetLayout()
                .padding(.top, Layout.messageListPaddingTop)
                .padding(.horizontal, Layout.messageListPaddingHorizontal)
+                #else
+                LazyVStack(spacing: Layout.messageSpacing) {
+                    self.messageListRows
+
+                    Color.clear
+                        .frame(height: Layout.messageListPaddingBottom + 1)
+                        .id(self.scrollerBottomID)
+                }
+                // Use scroll targets for stable auto-scroll without ScrollViewReader relayout glitches.
+                .scrollTargetLayout()
+                .padding(.top, Layout.messageListPaddingTop)
+                .padding(.horizontal, Layout.messageListPaddingHorizontal)
+                #endif
            }
            // Keep the scroll pinned to the bottom for new messages.
            .scrollPosition(id: self.$scrollPosition, anchor: .bottom)
-            .onChange(of: self.scrollPosition) { _, position in
-                guard let position else { return }
-                self.isPinnedToBottom = position == self.scrollerBottomID
-            }

            if self.viewModel.isLoading {
                ProgressView()
@@ -126,26 +133,18 @@ public struct ClawdbotChatView: View {
            guard !isLoading, !self.hasPerformedInitialScroll else { return }
            self.scrollPosition = self.scrollerBottomID
            self.hasPerformedInitialScroll = true
-            self.isPinnedToBottom = true
        }
        .onChange(of: self.viewModel.sessionKey) { _, _ in
            self.hasPerformedInitialScroll = false
-            self.isPinnedToBottom = true
        }
        .onChange(of: self.viewModel.messages.count) { _, _ in
-            guard self.hasPerformedInitialScroll, self.isPinnedToBottom else { return }
+            guard self.hasPerformedInitialScroll else { return }
            withAnimation(.snappy(duration: 0.22)) {
                self.scrollPosition = self.scrollerBottomID
            }
        }
        .onChange(of: self.viewModel.pendingRunCount) { _, _ in
-            guard self.hasPerformedInitialScroll, self.isPinnedToBottom else { return }
-            withAnimation(.snappy(duration: 0.22)) {
-                self.scrollPosition = self.scrollerBottomID
-            }
-        }
-        .onChange(of: self.viewModel.streamingAssistantText) { _, _ in
-            guard self.hasPerformedInitialScroll, self.isPinnedToBottom else { return }
+            guard self.hasPerformedInitialScroll else { return }
            withAnimation(.snappy(duration: 0.22)) {
                self.scrollPosition = self.scrollerBottomID
            }
--- a/apps/shared/ClawdbotKit/Sources/ClawdbotKit/GatewayChannel.swift
+++ b/apps/shared/ClawdbotKit/Sources/ClawdbotKit/GatewayChannel.swift
@@ -15,9 +15,6 @@ extension URLSessionWebSocketTask: WebSocketTasking {}

 public struct WebSocketTaskBox: @unchecked Sendable {
    public let task: any WebSocketTasking
-    public init(task: any WebSocketTasking) {
-        self.task = task
-    }

    public var state: URLSessionTask.State { self.task.state }

@@ -94,13 +91,6 @@ public struct GatewayConnectOptions: Sendable {
    }
 }

-public enum GatewayAuthSource: String, Sendable {
-    case deviceToken = "device-token"
-    case sharedToken = "shared-token"
-    case password = "password"
-    case none = "none"
-}
-
 // Avoid ambiguity with the app's own AnyCodable type.
 private typealias ProtoAnyCodable = ClawdbotProtocol.AnyCodable

@@ -124,7 +114,6 @@ public actor GatewayChannelActor {
    private var lastSeq: Int?
    private var lastTick: Date?
    private var tickIntervalMs: Double = 30000
-    private var lastAuthSource: GatewayAuthSource = .none
    private let decoder = JSONDecoder()
    private let encoder = JSONEncoder()
    private let connectTimeoutSeconds: Double = 6
@@ -157,8 +146,6 @@ public actor GatewayChannelActor {
        }
    }

-    public func authSource() -> GatewayAuthSource { self.lastAuthSource }
-
    public func shutdown() async {
        self.shouldReconnect = false
        self.connected = false
@@ -310,18 +297,6 @@ public actor GatewayChannelActor {
        let identity = DeviceIdentityStore.loadOrCreate()
        let storedToken = DeviceAuthStore.loadToken(deviceId: identity.deviceId, role: role)?.token
        let authToken = storedToken ?? self.token
-        let authSource: GatewayAuthSource
-        if storedToken != nil {
-            authSource = .deviceToken
-        } else if authToken != nil {
-            authSource = .sharedToken
-        } else if self.password != nil {
-            authSource = .password
-        } else {
-            authSource = .none
-        }
-        self.lastAuthSource = authSource
-        self.logger.info("gateway connect auth=\(authSource.rawValue, privacy: .public)")
        let canFallbackToShared = storedToken != nil && self.token != nil
        if let authToken {
            params["auth"] = ProtoAnyCodable(["token": ProtoAnyCodable(authToken)])
@@ -593,14 +568,7 @@ public actor GatewayChannelActor {
            id: id,
            method: method,
            params: paramsObject)
-        let data: Data
-        do {
-            data = try self.encoder.encode(frame)
-        } catch {
-            self.logger.error(
-                "gateway request encode failed \(method, privacy: .public) error=\(error.localizedDescription, privacy: .public)")
-            throw error
-        }
+        let data = try self.encoder.encode(frame)
        let response = try await withCheckedThrowingContinuation { (cont: CheckedContinuation<GatewayFrame, Error>) in
            self.pending[id] = cont
            Task { [weak self] in
--- a/apps/shared/ClawdbotKit/Sources/ClawdbotKit/GatewayNodeSession.swift
+++ b/apps/shared/ClawdbotKit/Sources/ClawdbotKit/GatewayNodeSession.swift
@@ -23,35 +23,6 @@ public actor GatewayNodeSession {
    private var onConnected: (@Sendable () async -> Void)?
    private var onDisconnected: (@Sendable (String) async -> Void)?
    private var onInvoke: (@Sendable (BridgeInvokeRequest) async -> BridgeInvokeResponse)?
-
-    static func invokeWithTimeout(
-        request: BridgeInvokeRequest,
-        timeoutMs: Int?,
-        onInvoke: @escaping @Sendable (BridgeInvokeRequest) async -> BridgeInvokeResponse
-    ) async -> BridgeInvokeResponse {
-        let timeout = max(0, timeoutMs ?? 0)
-        guard timeout > 0 else {
-            return await onInvoke(request)
-        }
-
-        return await withTaskGroup(of: BridgeInvokeResponse.self) { group in
-            group.addTask { await onInvoke(request) }
-            group.addTask {
-                try? await Task.sleep(nanoseconds: UInt64(timeout) * 1_000_000)
-                return BridgeInvokeResponse(
-                    id: request.id,
-                    ok: false,
-                    error: ClawdbotNodeError(
-                        code: .unavailable,
-                        message: "node invoke timed out")
-                )
-            }
-
-            let first = await group.next()!
-            group.cancelAll()
-            return first
-        }
-    }
    private var serverEventSubscribers: [UUID: AsyncStream<EventFrame>.Continuation] = [:]
    private var canvasHostUrl: String?

@@ -196,11 +167,7 @@ public actor GatewayNodeSession {
            let request = try self.decoder.decode(NodeInvokeRequestPayload.self, from: data)
            guard let onInvoke else { return }
            let req = BridgeInvokeRequest(id: request.id, command: request.command, paramsJSON: request.paramsJSON)
-            let response = await Self.invokeWithTimeout(
-                request: req,
-                timeoutMs: request.timeoutMs,
-                onInvoke: onInvoke
-            )
+            let response = await onInvoke(req)
            await self.sendInvokeResult(request: request, response: response)
        } catch {
            self.logger.error("node invoke decode failed: \(error.localizedDescription, privacy: .public)")
@@ -213,14 +180,12 @@ public actor GatewayNodeSession {
            "id": AnyCodable(request.id),
            "nodeId": AnyCodable(request.nodeId),
            "ok": AnyCodable(response.ok),
+            "payloadJSON": AnyCodable(response.payloadJSON ?? NSNull()),
        ]
-        if let payloadJSON = response.payloadJSON {
-            params["payloadJSON"] = AnyCodable(payloadJSON)
-        }
        if let error = response.error {
            params["error"] = AnyCodable([
-                "code": error.code.rawValue,
-                "message": error.message,
+                "code": AnyCodable(error.code.rawValue),
+                "message": AnyCodable(error.message),
            ])
        }
        do {
--- a/apps/shared/ClawdbotKit/Sources/ClawdbotKit/SystemCommands.swift
+++ b/apps/shared/ClawdbotKit/Sources/ClawdbotKit/SystemCommands.swift
@@ -30,7 +30,6 @@ public struct ClawdbotSystemRunParams: Codable, Sendable, Equatable {
    public var agentId: String?
    public var sessionKey: String?
    public var approved: Bool?
-    public var approvalDecision: String?

    public init(
        command: [String],
@@ -41,8 +40,7 @@ public struct ClawdbotSystemRunParams: Codable, Sendable, Equatable {
        needsScreenRecording: Bool? = nil,
        agentId: String? = nil,
        sessionKey: String? = nil,
-        approved: Bool? = nil,
-        approvalDecision: String? = nil)
+        approved: Bool? = nil)
    {
        self.command = command
        self.rawCommand = rawCommand
@@ -53,7 +51,6 @@ public struct ClawdbotSystemRunParams: Codable, Sendable, Equatable {
        self.agentId = agentId
        self.sessionKey = sessionKey
        self.approved = approved
-        self.approvalDecision = approvalDecision
    }
 }

--- a/apps/shared/ClawdbotKit/Sources/ClawdbotProtocol/GatewayModels.swift
+++ b/apps/shared/ClawdbotKit/Sources/ClawdbotProtocol/GatewayModels.swift
@@ -18,7 +18,6 @@ public struct ConnectParams: Codable, Sendable {
    public let caps: [String]?
    public let commands: [String]?
    public let permissions: [String: AnyCodable]?
-    public let pathenv: String?
    public let role: String?
    public let scopes: [String]?
    public let device: [String: AnyCodable]?
@@ -33,7 +32,6 @@ public struct ConnectParams: Codable, Sendable {
        caps: [String]?,
        commands: [String]?,
        permissions: [String: AnyCodable]?,
-        pathenv: String?,
        role: String?,
        scopes: [String]?,
        device: [String: AnyCodable]?,
@@ -47,7 +45,6 @@ public struct ConnectParams: Codable, Sendable {
        self.caps = caps
        self.commands = commands
        self.permissions = permissions
-        self.pathenv = pathenv
        self.role = role
        self.scopes = scopes
        self.device = device
@@ -62,7 +59,6 @@ public struct ConnectParams: Codable, Sendable {
        case caps
        case commands
        case permissions
-        case pathenv = "pathEnv"
        case role
        case scopes
        case device
@@ -477,7 +473,6 @@ public struct AgentParams: Codable, Sendable {
    public let replychannel: String?
    public let accountid: String?
    public let replyaccountid: String?
-    public let threadid: String?
    public let timeout: Int?
    public let lane: String?
    public let extrasystemprompt: String?
@@ -499,7 +494,6 @@ public struct AgentParams: Codable, Sendable {
        replychannel: String?,
        accountid: String?,
        replyaccountid: String?,
-        threadid: String?,
        timeout: Int?,
        lane: String?,
        extrasystemprompt: String?,
@@ -520,7 +514,6 @@ public struct AgentParams: Codable, Sendable {
        self.replychannel = replychannel
        self.accountid = accountid
        self.replyaccountid = replyaccountid
-        self.threadid = threadid
        self.timeout = timeout
        self.lane = lane
        self.extrasystemprompt = extrasystemprompt
@@ -542,7 +535,6 @@ public struct AgentParams: Codable, Sendable {
        case replychannel = "replyChannel"
        case accountid = "accountId"
        case replyaccountid = "replyAccountId"
-        case threadid = "threadId"
        case timeout
        case lane
        case extrasystemprompt = "extraSystemPrompt"
@@ -552,44 +544,6 @@ public struct AgentParams: Codable, Sendable {
    }
 }

-public struct AgentIdentityParams: Codable, Sendable {
-    public let agentid: String?
-    public let sessionkey: String?
-
-    public init(
-        agentid: String?,
-        sessionkey: String?
-    ) {
-        self.agentid = agentid
-        self.sessionkey = sessionkey
-    }
-    private enum CodingKeys: String, CodingKey {
-        case agentid = "agentId"
-        case sessionkey = "sessionKey"
-    }
-}
-
-public struct AgentIdentityResult: Codable, Sendable {
-    public let agentid: String
-    public let name: String?
-    public let avatar: String?
-
-    public init(
-        agentid: String,
-        name: String?,
-        avatar: String?
-    ) {
-        self.agentid = agentid
-        self.name = name
-        self.avatar = avatar
-    }
-    private enum CodingKeys: String, CodingKey {
-        case agentid = "agentId"
-        case name
-        case avatar
-    }
-}
-
 public struct AgentWaitParams: Codable, Sendable {
    public let runid: String
    public let timeoutms: Int?
@@ -881,68 +835,35 @@ public struct SessionsListParams: Codable, Sendable {
    public let activeminutes: Int?
    public let includeglobal: Bool?
    public let includeunknown: Bool?
-    public let includederivedtitles: Bool?
-    public let includelastmessage: Bool?
    public let label: String?
    public let spawnedby: String?
    public let agentid: String?
-    public let search: String?

    public init(
        limit: Int?,
        activeminutes: Int?,
        includeglobal: Bool?,
        includeunknown: Bool?,
-        includederivedtitles: Bool?,
-        includelastmessage: Bool?,
        label: String?,
        spawnedby: String?,
-        agentid: String?,
-        search: String?
+        agentid: String?
    ) {
        self.limit = limit
        self.activeminutes = activeminutes
        self.includeglobal = includeglobal
        self.includeunknown = includeunknown
-        self.includederivedtitles = includederivedtitles
-        self.includelastmessage = includelastmessage
        self.label = label
        self.spawnedby = spawnedby
        self.agentid = agentid
-        self.search = search
    }
    private enum CodingKeys: String, CodingKey {
        case limit
        case activeminutes = "activeMinutes"
        case includeglobal = "includeGlobal"
        case includeunknown = "includeUnknown"
-        case includederivedtitles = "includeDerivedTitles"
-        case includelastmessage = "includeLastMessage"
        case label
        case spawnedby = "spawnedBy"
        case agentid = "agentId"
-        case search
-    }
-}
-
-public struct SessionsPreviewParams: Codable, Sendable {
-    public let keys: [String]
-    public let limit: Int?
-    public let maxchars: Int?
-
-    public init(
-        keys: [String],
-        limit: Int?,
-        maxchars: Int?
-    ) {
-        self.keys = keys
-        self.limit = limit
-        self.maxchars = maxchars
-    }
-    private enum CodingKeys: String, CodingKey {
-        case keys
-        case limit
-        case maxchars = "maxChars"
    }
 }

@@ -1403,9 +1324,6 @@ public struct ChannelsStatusResult: Codable, Sendable {
    public let ts: Int
    public let channelorder: [String]
    public let channellabels: [String: AnyCodable]
-    public let channeldetaillabels: [String: AnyCodable]?
-    public let channelsystemimages: [String: AnyCodable]?
-    public let channelmeta: [[String: AnyCodable]]?
    public let channels: [String: AnyCodable]
    public let channelaccounts: [String: AnyCodable]
    public let channeldefaultaccountid: [String: AnyCodable]
@@ -1414,9 +1332,6 @@ public struct ChannelsStatusResult: Codable, Sendable {
        ts: Int,
        channelorder: [String],
        channellabels: [String: AnyCodable],
-        channeldetaillabels: [String: AnyCodable]?,
-        channelsystemimages: [String: AnyCodable]?,
-        channelmeta: [[String: AnyCodable]]?,
        channels: [String: AnyCodable],
        channelaccounts: [String: AnyCodable],
        channeldefaultaccountid: [String: AnyCodable]
@@ -1424,9 +1339,6 @@ public struct ChannelsStatusResult: Codable, Sendable {
        self.ts = ts
        self.channelorder = channelorder
        self.channellabels = channellabels
-        self.channeldetaillabels = channeldetaillabels
-        self.channelsystemimages = channelsystemimages
-        self.channelmeta = channelmeta
        self.channels = channels
        self.channelaccounts = channelaccounts
        self.channeldefaultaccountid = channeldefaultaccountid
@@ -1435,9 +1347,6 @@ public struct ChannelsStatusResult: Codable, Sendable {
        case ts
        case channelorder = "channelOrder"
        case channellabels = "channelLabels"
-        case channeldetaillabels = "channelDetailLabels"
-        case channelsystemimages = "channelSystemImages"
-        case channelmeta = "channelMeta"
        case channels
        case channelaccounts = "channelAccounts"
        case channeldefaultaccountid = "channelDefaultAccountId"
@@ -1506,21 +1415,17 @@ public struct WebLoginWaitParams: Codable, Sendable {
 public struct AgentSummary: Codable, Sendable {
    public let id: String
    public let name: String?
-    public let identity: [String: AnyCodable]?

    public init(
        id: String,
-        name: String?,
-        identity: [String: AnyCodable]?
+        name: String?
    ) {
        self.id = id
        self.name = name
-        self.identity = identity
    }
    private enum CodingKeys: String, CodingKey {
        case id
        case name
-        case identity
    }
 }

@@ -1971,7 +1876,6 @@ public struct ExecApprovalsSnapshot: Codable, Sendable {
 }

 public struct ExecApprovalRequestParams: Codable, Sendable {
-    public let id: String?
    public let command: String
    public let cwd: String?
    public let host: String?
@@ -1983,7 +1887,6 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
    public let timeoutms: Int?

    public init(
-        id: String?,
        command: String,
        cwd: String?,
        host: String?,
@@ -1994,7 +1897,6 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
        sessionkey: String?,
        timeoutms: Int?
    ) {
-        self.id = id
        self.command = command
        self.cwd = cwd
        self.host = host
@@ -2006,7 +1908,6 @@ public struct ExecApprovalRequestParams: Codable, Sendable {
        self.timeoutms = timeoutms
    }
    private enum CodingKeys: String, CodingKey {
-        case id
        case command
        case cwd
        case host
--- a/apps/shared/ClawdbotKit/Tests/ClawdbotKitTests/GatewayNodeSessionTests.swift
+++ b/apps/shared/ClawdbotKit/Tests/ClawdbotKitTests/GatewayNodeSessionTests.swift
@@ -1,56 +0,0 @@
-import Foundation
-import Testing
-@testable import ClawdbotKit
-import ClawdbotProtocol
-
-struct GatewayNodeSessionTests {
-    @Test
-    func invokeWithTimeoutReturnsUnderlyingResponseBeforeTimeout() async {
-        let request = BridgeInvokeRequest(id: "1", command: "x", paramsJSON: nil)
-        let response = await GatewayNodeSession.invokeWithTimeout(
-            request: request,
-            timeoutMs: 50,
-            onInvoke: { req in
-                #expect(req.id == "1")
-                return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: "{}", error: nil)
-            }
-        )
-
-        #expect(response.ok == true)
-        #expect(response.error == nil)
-        #expect(response.payloadJSON == "{}")
-    }
-
-    @Test
-    func invokeWithTimeoutReturnsTimeoutError() async {
-        let request = BridgeInvokeRequest(id: "abc", command: "x", paramsJSON: nil)
-        let response = await GatewayNodeSession.invokeWithTimeout(
-            request: request,
-            timeoutMs: 10,
-            onInvoke: { _ in
-                try? await Task.sleep(nanoseconds: 200_000_000) // 200ms
-                return BridgeInvokeResponse(id: "abc", ok: true, payloadJSON: "{}", error: nil)
-            }
-        )
-
-        #expect(response.ok == false)
-        #expect(response.error?.code == .unavailable)
-        #expect(response.error?.message.contains("timed out") == true)
-    }
-
-    @Test
-    func invokeWithTimeoutZeroDisablesTimeout() async {
-        let request = BridgeInvokeRequest(id: "1", command: "x", paramsJSON: nil)
-        let response = await GatewayNodeSession.invokeWithTimeout(
-            request: request,
-            timeoutMs: 0,
-            onInvoke: { req in
-                try? await Task.sleep(nanoseconds: 5_000_000)
-                return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: nil, error: nil)
-            }
-        )
-
-        #expect(response.ok == true)
-        #expect(response.error == nil)
-    }
-}
--- a/dist/control-ui/assets/index-BPDeGGxb.css
+++ b/dist/control-ui/assets/index-BPDeGGxb.css
--- a/dist/control-ui/assets/index-bYQnHP3a.js
+++ b/dist/control-ui/assets/index-bYQnHP3a.js
--- a/dist/control-ui/assets/index-bYQnHP3a.js.map
+++ b/dist/control-ui/assets/index-bYQnHP3a.js.map
--- a/dist/control-ui/index.html
+++ b/dist/control-ui/index.html
@@ -1,15 +0,0 @@
-<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="UTF-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>Clawdbot Control</title>
-    <meta name="color-scheme" content="dark light" />
-    <link rel="icon" href="./favicon.ico" sizes="any" />
-    <script type="module" crossorigin src="./assets/index-bYQnHP3a.js"></script>
-    <link rel="stylesheet" crossorigin href="./assets/index-BPDeGGxb.css">
-  </head>
-  <body>
-    <clawdbot-app></clawdbot-app>
-  </body>
-</html>
--- a/docs/channels/bluebubbles.md
+++ b/docs/channels/bluebubbles.md
@@ -149,19 +149,6 @@ Available actions:
 - **leaveGroup**: Leave a group chat (`chatGuid`)
 - **sendAttachment**: Send media/files (`to`, `buffer`, `filename`)

-### Message IDs (short vs full)
-Clawdbot may surface *short* message IDs (e.g., `1`, `2`) to save tokens.
- `MessageSid` / `ReplyToId` can be short IDs.
- `MessageSidFull` / `ReplyToIdFull` contain the provider full IDs.
- Short IDs are in-memory; they can expire on restart or cache eviction.
- Actions accept short or full `messageId`, but short IDs will error if no longer available.
-
-Use full IDs for durable automations and storage:
- Templates: `{{MessageSidFull}}`, `{{ReplyToIdFull}}`
- Context: `MessageSidFull` / `ReplyToIdFull` in inbound payloads
-
-See [Configuration](/gateway/configuration) for template variables.
-
 ## Block streaming
 Control whether responses are sent as a single message or streamed in blocks:
 ```json5
--- a/docs/channels/discord.md
+++ b/docs/channels/discord.md
@@ -175,7 +175,6 @@ Notes:
 - `agents.list[].groupChat.mentionPatterns` (or `messages.groupChat.mentionPatterns`) also count as mentions for guild messages.
 - Multi-agent override: set per-agent patterns on `agents.list[].groupChat.mentionPatterns`.
 - If `channels` is present, any channel not listed is denied by default.
- Use a `"*"` channel entry to apply defaults across all channels; explicit channel entries override the wildcard.
 - Threads inherit parent channel config (allowlist, `requireMention`, skills, prompts, etc.) unless you add the thread channel id explicitly.
 - Bot-authored messages are ignored by default; set `channels.discord.allowBots=true` to allow them (own messages remain filtered).
 - Warning: If you allow replies to other bots (`channels.discord.allowBots=true`), prevent bot-to-bot reply loops with `requireMention`, `channels.discord.guilds.*.channels.<id>.users` allowlists, and/or clear guardrails in `AGENTS.md` and `SOUL.md`.
--- a/docs/channels/msteams.md
+++ b/docs/channels/msteams.md
@@ -8,9 +8,9 @@ read_when:
 > "Abandon all hope, ye who enter here."


-Updated: 2026-01-21
+Updated: 2026-01-16

-Status: text + DM attachments are supported; channel/group file sending requires `sharePointSiteId` + Graph permissions (see [Sending files in group chats](#sending-files-in-group-chats)). Polls are sent via Adaptive Cards.
+Status: text + DM attachments are supported; channel/group attachments require Microsoft Graph permissions. Polls are sent via Adaptive Cards.

 ## Plugin required
 Microsoft Teams ships as a plugin and is not bundled with the core install.
@@ -403,7 +403,7 @@ Clawdbot handles this by returning quickly and sending replies proactively, but
 Teams markdown is more limited than Slack or Discord:
 - Basic formatting works: **bold**, *italic*, `code`, links
 - Complex markdown (tables, nested lists) may not render correctly
- Adaptive Cards are supported for polls and arbitrary card sends (see below)
+- Adaptive Cards are used for polls; other card types are not yet supported

 ## Configuration
 Key settings (see `/gateway/configuration` for shared channel patterns):
@@ -422,7 +422,6 @@ Key settings (see `/gateway/configuration` for shared channel patterns):
 - `channels.msteams.teams.<teamId>.requireMention`: per-team override.
 - `channels.msteams.teams.<teamId>.channels.<conversationId>.replyStyle`: per-channel override.
 - `channels.msteams.teams.<teamId>.channels.<conversationId>.requireMention`: per-channel override.
- `channels.msteams.sharePointSiteId`: SharePoint site ID for file uploads in group chats/channels (see [Sending files in group chats](#sending-files-in-group-chats)).

 ## Routing & Sessions
 - Session keys follow the standard agent format (see [/concepts/session](/concepts/session)):
@@ -472,75 +471,6 @@ Teams recently introduced two channel UI styles over the same underlying data mo
 Without Graph permissions, channel messages with images will be received as text-only (the image content is not accessible to the bot).
 By default, Clawdbot only downloads media from Microsoft/Teams hostnames. Override with `channels.msteams.mediaAllowHosts` (use `["*"]` to allow any host).

-## Sending files in group chats
-
-Bots can send files in DMs using the FileConsentCard flow (built-in). However, **sending files in group chats/channels** requires additional setup:
-
-| Context | How files are sent | Setup needed |
-|---------|-------------------|--------------|
-| **DMs** | FileConsentCard → user accepts → bot uploads | Works out of the box |
-| **Group chats/channels** | Upload to SharePoint → share link | Requires `sharePointSiteId` + Graph permissions |
-| **Images (any context)** | Base64-encoded inline | Works out of the box |
-
-### Why group chats need SharePoint
-
-Bots don't have a personal OneDrive drive (the `/me/drive` Graph API endpoint doesn't work for application identities). To send files in group chats/channels, the bot uploads to a **SharePoint site** and creates a sharing link.
-
-### Setup
-
-1. **Add Graph API permissions** in Entra ID (Azure AD) → App Registration:
-   - `Sites.ReadWrite.All` (Application) - upload files to SharePoint
-   - `Chat.Read.All` (Application) - optional, enables per-user sharing links
-
-2. **Grant admin consent** for the tenant.
-
-3. **Get your SharePoint site ID:**
-   ```bash
-   # Via Graph Explorer or curl with a valid token:
-   curl -H "Authorization: Bearer $TOKEN" \
-     "https://graph.microsoft.com/v1.0/sites/{hostname}:/{site-path}"
-
-   # Example: for a site at "contoso.sharepoint.com/sites/BotFiles"
-   curl -H "Authorization: Bearer $TOKEN" \
-     "https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com:/sites/BotFiles"
-
-   # Response includes: "id": "contoso.sharepoint.com,guid1,guid2"
-   ```
-
-4. **Configure Clawdbot:**
-   ```json5
-   {
-     channels: {
-       msteams: {
-         // ... other config ...
-         sharePointSiteId: "contoso.sharepoint.com,guid1,guid2"
-       }
-     }
-   }
-   ```
-
-### Sharing behavior
-
-| Permission | Sharing behavior |
-|------------|------------------|
-| `Sites.ReadWrite.All` only | Organization-wide sharing link (anyone in org can access) |
-| `Sites.ReadWrite.All` + `Chat.Read.All` | Per-user sharing link (only chat members can access) |
-
-Per-user sharing is more secure as only the chat participants can access the file. If `Chat.Read.All` permission is missing, the bot falls back to organization-wide sharing.
-
-### Fallback behavior
-
-| Scenario | Result |
-|----------|--------|
-| Group chat + file + `sharePointSiteId` configured | Upload to SharePoint, send sharing link |
-| Group chat + file + no `sharePointSiteId` | Attempt OneDrive upload (may fail), send text only |
-| Personal chat + file | FileConsentCard flow (works without SharePoint) |
-| Any context + image | Base64-encoded inline (works without SharePoint) |
-
-### Files stored location
-
-Uploaded files are stored in a `/ClawdbotShared/` folder in the configured SharePoint site's default document library.
-
 ## Polls (Adaptive Cards)
 Clawdbot sends Teams polls as Adaptive Cards (there is no native Teams poll API).

@@ -549,82 +479,6 @@ Clawdbot sends Teams polls as Adaptive Cards (there is no native Teams poll API)
 - The gateway must stay online to record votes.
 - Polls do not auto-post result summaries yet (inspect the store file if needed).

-## Adaptive Cards (arbitrary)
-Send any Adaptive Card JSON to Teams users or conversations using the `message` tool or CLI.
-
-The `card` parameter accepts an Adaptive Card JSON object. When `card` is provided, the message text is optional.
-
-**Agent tool:**
-```json
-{
-  "action": "send",
-  "channel": "msteams",
-  "target": "user:<id>",
-  "card": {
-    "type": "AdaptiveCard",
-    "version": "1.5",
-    "body": [{"type": "TextBlock", "text": "Hello!"}]
-  }
-}
-```
-
-**CLI:**
-```bash
-clawdbot message send --channel msteams \
-  --target "conversation:19:abc...@thread.tacv2" \
-  --card '{"type":"AdaptiveCard","version":"1.5","body":[{"type":"TextBlock","text":"Hello!"}]}'
-```
-
-See [Adaptive Cards documentation](https://adaptivecards.io/) for card schema and examples. For target format details, see [Target formats](#target-formats) below.
-
-## Target formats
-
-MSTeams targets use prefixes to distinguish between users and conversations:
-
-| Target type | Format | Example |
-|-------------|--------|---------|
-| User (by ID) | `user:<aad-object-id>` | `user:40a1a0ed-4ff2-4164-a219-55518990c197` |
-| User (by name) | `user:<display-name>` | `user:John Smith` (requires Graph API) |
-| Group/channel | `conversation:<conversation-id>` | `conversation:19:abc123...@thread.tacv2` |
-| Group/channel (raw) | `<conversation-id>` | `19:abc123...@thread.tacv2` (if contains `@thread`) |
-
-**CLI examples:**
-```bash
-# Send to a user by ID
-clawdbot message send --channel msteams --target "user:40a1a0ed-..." --message "Hello"
-
-# Send to a user by display name (triggers Graph API lookup)
-clawdbot message send --channel msteams --target "user:John Smith" --message "Hello"
-
-# Send to a group chat or channel
-clawdbot message send --channel msteams --target "conversation:19:abc...@thread.tacv2" --message "Hello"
-
-# Send an Adaptive Card to a conversation
-clawdbot message send --channel msteams --target "conversation:19:abc...@thread.tacv2" \
-  --card '{"type":"AdaptiveCard","version":"1.5","body":[{"type":"TextBlock","text":"Hello"}]}'
-```
-
-**Agent tool examples:**
-```json
-{
-  "action": "send",
-  "channel": "msteams",
-  "target": "user:John Smith",
-  "message": "Hello!"
-}
-```
-
-```json
-{
-  "action": "send",
-  "channel": "msteams",
-  "target": "conversation:19:abc...@thread.tacv2",
-  "card": {"type": "AdaptiveCard", "version": "1.5", "body": [{"type": "TextBlock", "text": "Hello"}]}
-}
-```
-
-Note: Without the `user:` prefix, names default to group/team resolution. Always use `user:` when targeting people by display name.
-
 ## Proactive messaging
 - Proactive messages are only possible **after** a user has interacted, because we store conversation references at that point.
 - See `/gateway/configuration` for `dmPolicy` and allowlist gating.
--- a/docs/channels/signal.md
+++ b/docs/channels/signal.md
@@ -100,11 +100,6 @@ Groups:
 - Use `channels.signal.ignoreAttachments` to skip downloading media.
 - Group history context uses `channels.signal.historyLimit` (or `channels.signal.accounts.*.historyLimit`), falling back to `messages.groupChat.historyLimit`. Set `0` to disable (default 50).

-## Typing + read receipts
- **Typing indicators**: Clawdbot sends typing signals via `signal-cli sendTyping` and refreshes them while a reply is running.
- **Read receipts**: when `channels.signal.sendReadReceipts` is true, Clawdbot forwards read receipts for allowed DMs.
- Signal-cli does not expose read receipts for groups.
-
 ## Delivery targets (CLI/cron)
 - DMs: `signal:+15551234567` (or plain E.164).
 - Groups: `signal:group:<groupId>`.
--- a/docs/channels/telegram.md
+++ b/docs/channels/telegram.md
@@ -484,10 +484,6 @@ The agent sees reactions as **system notifications** in the conversation history
 - Make sure your Telegram user ID is authorized (via pairing or `channels.telegram.allowFrom`)
 - Commands require authorization even in groups with `groupPolicy: "open"`

-**Long-polling aborts immediately on Node 22+ (often with proxies/custom fetch):**
- Node 22+ is stricter about `AbortSignal` instances; foreign signals can abort `fetch` calls right away.
- Upgrade to a Clawdbot build that normalizes abort signals, or run the gateway on Node 20 until you can upgrade.
-
 **Bot starts, then silently stops responding (or logs `HttpError: Network request ... failed`):**
 - Some hosts resolve `api.telegram.org` to IPv6 first. If your server does not have working IPv6 egress, grammY can get stuck on IPv6-only requests.
 - Fix by enabling IPv6 egress **or** forcing IPv4 resolution for `api.telegram.org` (for example, add an `/etc/hosts` entry using the IPv4 A record, or prefer IPv4 in your OS DNS stack), then restart the gateway.
--- a/docs/channels/whatsapp.md
+++ b/docs/channels/whatsapp.md
@@ -286,11 +286,6 @@ WhatsApp can automatically send emoji reactions to incoming messages immediately
    - CLI: `clawdbot message send --media <mp4> --gif-playback`
    - Gateway: `send` params include `gifPlayback: true`

-## Voice notes (PTT audio)
-WhatsApp sends audio as **voice notes** (PTT bubble).
- Best results: OGG/Opus. Clawdbot rewrites `audio/ogg` to `audio/ogg; codecs=opus`.
- `[[audio_as_voice]]` is ignored for WhatsApp (audio already ships as voice note).
-
 ## Media limits + optimization
 - Default outbound cap: 5 MB (per media item).
 - Override: `agents.defaults.mediaMaxMb`.
@@ -334,7 +329,6 @@ WhatsApp sends audio as **voice notes** (PTT bubble).
 - `agents.defaults.heartbeat.model` (optional override)
 - `agents.defaults.heartbeat.target`
 - `agents.defaults.heartbeat.to`
- `agents.defaults.heartbeat.session`
 - `agents.list[].heartbeat.*` (per-agent overrides)
 - `session.*` (scope, idle, store, mainKey)
 - `web.enabled` (disable channel startup when false)
--- a/docs/cli/agents.md
+++ b/docs/cli/agents.md
@@ -18,54 +18,5 @@ Related:
 clawdbot agents list
 clawdbot agents add work --workspace ~/clawd-work
 clawdbot agents set-identity --workspace ~/clawd --from-identity
-clawdbot agents set-identity --agent main --avatar avatars/clawd.png
 clawdbot agents delete work
 ```
-
-## Identity files
-
-Each agent workspace can include an `IDENTITY.md` at the workspace root:
- Example path: `~/clawd/IDENTITY.md`
- `set-identity --from-identity` reads from the workspace root (or an explicit `--identity-file`)
-
-Avatar paths resolve relative to the workspace root.
-
-## Set identity
-
-`set-identity` writes fields into `agents.list[].identity`:
- `name`
- `theme`
- `emoji`
- `avatar` (workspace-relative path, http(s) URL, or data URI)
-
-Load from `IDENTITY.md`:
-
-```bash
-clawdbot agents set-identity --workspace ~/clawd --from-identity
-```
-
-Override fields explicitly:
-
-```bash
-clawdbot agents set-identity --agent main --name "Clawd" --emoji "🦞" --avatar avatars/clawd.png
-```
-
-Config sample:
-
-```json5
-{
-  agents: {
-    list: [
-      {
-        id: "main",
-        identity: {
-          name: "Clawd",
-          theme: "space lobster",
-          emoji: "🦞",
-          avatar: "avatars/clawd.png"
-        }
-      }
-    ]
-  }
-}
-```
--- a/docs/cli/approvals.md
+++ b/docs/cli/approvals.md
@@ -7,8 +7,8 @@ read_when:

 # `clawdbot approvals`

-Manage exec approvals for the **local host**, **gateway host**, or a **node host**.
-By default, commands target the local approvals file on disk. Use `--gateway` to target the gateway, or `--node` to target a specific node.
+Manage exec approvals for the **gateway host** or a **node host**.
+By default, commands target the gateway. Use `--node` to edit a node’s approvals.

 Related:
 - Exec approvals: [Exec approvals](/tools/exec-approvals)
@@ -19,7 +19,6 @@ Related:
 ```bash
 clawdbot approvals get
 clawdbot approvals get --node <id|name|ip>
-clawdbot approvals get --gateway
 ```

 ## Replace approvals from a file
@@ -27,7 +26,6 @@ clawdbot approvals get --gateway
 ```bash
 clawdbot approvals set --file ./exec-approvals.json
 clawdbot approvals set --node <id|name|ip> --file ./exec-approvals.json
-clawdbot approvals set --gateway --file ./exec-approvals.json
 ```

 ## Allowlist helpers
@@ -35,7 +33,6 @@ clawdbot approvals set --gateway --file ./exec-approvals.json
 ```bash
 clawdbot approvals allowlist add "~/Projects/**/bin/rg"
 clawdbot approvals allowlist add --agent main --node <id|name|ip> "/usr/bin/uptime"
-clawdbot approvals allowlist add --agent "*" "/usr/bin/uname"

 clawdbot approvals allowlist remove "~/Projects/**/bin/rg"
 ```
@@ -43,6 +40,5 @@ clawdbot approvals allowlist remove "~/Projects/**/bin/rg"
 ## Notes

 - `--node` uses the same resolver as `clawdbot nodes` (id, name, ip, or id prefix).
- `--agent` defaults to `"*"`, which applies to all agents.
 - The node host must advertise `system.execApprovals.get/set` (macOS app or headless node host).
 - Approvals files are stored per host at `~/.clawdbot/exec-approvals.json`.
--- a/docs/cli/configure.md
+++ b/docs/cli/configure.md
@@ -8,9 +8,6 @@ read_when:

 Interactive prompt to set up credentials, devices, and agent defaults.

-Note: The **Model** section now includes a multi-select for the
-`agents.defaults.models` allowlist (what shows up in `/model` and the model picker).
-
 Tip: `clawdbot config` without a subcommand opens the same wizard. Use
 `clawdbot config get|set|unset` for non-interactive edits.

--- a/docs/cli/cron.md
+++ b/docs/cli/cron.md
@@ -14,16 +14,3 @@ Related:

 Tip: run `clawdbot cron --help` for the full command surface.

-## Common edits
-
-Update delivery settings without changing the message:
-
-```bash
-clawdbot cron edit <job-id> --deliver --channel telegram --to "123456789"
-```
-
-Disable delivery for an isolated job:
-
-```bash
-clawdbot cron edit <job-id> --no-deliver
-```
--- a/docs/cli/daemon.md
+++ b/docs/cli/daemon.md
@@ -0,0 +1,23 @@
+---
+summary: "CLI reference for `clawdbot daemon` (install/uninstall/status for the Gateway service)"
+read_when:
+  - You want to run the Gateway as a background service
+  - You’re debugging daemon install, status, or logs
+---
+
+# `clawdbot daemon`
+
+Manage the Gateway daemon (background service).
+
+Note: `clawdbot service gateway …` is the preferred surface; `daemon` remains
+as a legacy alias for compatibility.
+
+Related:
+- Gateway CLI: [Gateway](/cli/gateway)
+- macOS platform notes: [macOS](/platforms/macos)
+
+Tip: run `clawdbot daemon --help` for platform-specific flags.
+
+Notes:
+- `daemon status` supports `--json` for scripting.
+- `daemon install|uninstall|start|stop|restart` support `--json` for scripting (default output stays human-friendly).
--- a/docs/cli/gateway.md
+++ b/docs/cli/gateway.md
@@ -25,12 +25,6 @@ Run a local Gateway process:
 clawdbot gateway
 ```

-Foreground alias:
-
-```bash
-clawdbot gateway run
-```
-
 Notes:
 - By default, the Gateway refuses to start unless `gateway.mode=local` is set in `~/.clawdbot/clawdbot.json`. Use `--allow-unconfigured` for ad-hoc/dev runs.
 - Binding beyond loopback without auth is blocked (safety guardrail).
@@ -40,7 +34,7 @@ Notes:
 ### Options

 - `--port <port>`: WebSocket port (default comes from config/env; usually `18789`).
- `--bind <loopback|lan|tailnet|auto|custom>`: listener bind mode.
+- `--bind <loopback|lan|tailnet|auto>`: listener bind mode.
 - `--auth <token|password>`: auth mode override.
 - `--token <token>`: token override (also sets `CLAWDBOT_GATEWAY_TOKEN` for the process).
 - `--password <password>`: password override (also sets `CLAWDBOT_GATEWAY_PASSWORD` for the process).
@@ -81,32 +75,15 @@ clawdbot gateway health --url ws://127.0.0.1:18789

 ### `gateway status`

-`gateway status` shows the Gateway service (launchd/systemd/schtasks) plus an optional RPC probe.
-
-```bash
-clawdbot gateway status
-clawdbot gateway status --json
-```
-
-Options:
- `--url <url>`: override the probe URL.
- `--token <token>`: token auth for the probe.
- `--password <password>`: password auth for the probe.
- `--timeout <ms>`: probe timeout (default `10000`).
- `--no-probe`: skip the RPC probe (service-only view).
- `--deep`: scan system-level services too.
-
-### `gateway probe`
-
-`gateway probe` is the “debug everything” command. It always probes:
+`gateway status` is the “debug everything” command. It always probes:
 - your configured remote gateway (if set), and
 - localhost (loopback) **even if remote is configured**.

 If multiple gateways are reachable, it prints all of them. Multiple gateways are supported when you use isolated profiles/ports (e.g., a rescue bot), but most installs still run a single gateway.

 ```bash
-clawdbot gateway probe
-clawdbot gateway probe --json
+clawdbot gateway status
+clawdbot gateway status --json
 ```

 #### Remote over SSH (Mac app parity)
@@ -116,7 +93,7 @@ The macOS app “Remote over SSH” mode uses a local port-forward so the remote
 CLI equivalent:

 ```bash
-clawdbot gateway probe --ssh user@gateway-host
+clawdbot gateway status --ssh user@gateway-host
 ```

 Options:
@@ -137,20 +114,6 @@ clawdbot gateway call status
 clawdbot gateway call logs.tail --params '{"sinceMs": 60000}'
 ```

-## Manage the Gateway service
-
-```bash
-clawdbot gateway install
-clawdbot gateway start
-clawdbot gateway stop
-clawdbot gateway restart
-clawdbot gateway uninstall
-```
-
-Notes:
- `gateway install` supports `--port`, `--runtime`, `--token`, `--force`, `--json`.
- Lifecycle commands accept `--json` for scripting.
-
 ## Discover gateways (Bonjour)

 `gateway discover` scans for Gateway beacons (`_clawdbot-gw._tcp`).
--- a/docs/cli/index.md
+++ b/docs/cli/index.md
@@ -28,6 +28,8 @@ This page describes the current CLI behavior. If commands change, update this do
 - [`health`](/cli/health)
 - [`sessions`](/cli/sessions)
 - [`gateway`](/cli/gateway)
+- [`daemon`](/cli/daemon)
+- [`service`](/cli/service)
 - [`logs`](/cli/logs)
 - [`models`](/cli/models)
 - [`memory`](/cli/memory)
@@ -136,14 +138,29 @@ clawdbot [--dev] [--profile <name>] <command>
    call
    health
    status
-    probe
    discover
+  daemon
+    status
    install
    uninstall
    start
    stop
    restart
-    run
+  service
+    gateway
+      status
+      install
+      uninstall
+      start
+      stop
+      restart
+    node
+      status
+      install
+      uninstall
+      start
+      stop
+      restart
  logs
  models
    list
@@ -174,13 +191,14 @@ clawdbot [--dev] [--profile <name>] <command>
  nodes
  devices
  node
-    run
-    status
-    install
-    uninstall
    start
-    stop
-    restart
+    daemon
+      status
+      install
+      uninstall
+      start
+      stop
+      restart
  approvals
    get
    set
@@ -310,7 +328,7 @@ Options:
 - `--minimax-api-key <key>`
 - `--opencode-zen-api-key <key>`
 - `--gateway-port <port>`
- `--gateway-bind <loopback|lan|tailnet|auto|custom>`
+- `--gateway-bind <loopback|lan|tailnet|auto>`
 - `--gateway-auth <off|token|password>`
 - `--gateway-token <token>`
 - `--gateway-password <password>`
@@ -526,7 +544,7 @@ Options:
 - `--debug` (alias for `--verbose`)

 Notes:
- Overview includes Gateway + node host service status when available.
+- Overview includes Gateway + Node service status when available.

 ### Usage tracking
 Clawdbot can surface provider usage/quota when OAuth/API creds are available.
@@ -596,7 +614,7 @@ Run the WebSocket Gateway.

 Options:
 - `--port <port>`
- `--bind <loopback|tailnet|lan|auto|custom>`
+- `--bind <loopback|tailnet|lan|auto>`
 - `--token <token>`
 - `--auth <token|password>`
 - `--password <password>`
@@ -613,25 +631,25 @@ Options:
 - `--raw-stream`
 - `--raw-stream-path <path>`

-### `gateway service`
+### `daemon`
 Manage the Gateway service (launchd/systemd/schtasks).

 Subcommands:
- `gateway status` (probes the Gateway RPC by default)
- `gateway install` (service install)
- `gateway uninstall`
- `gateway start`
- `gateway stop`
- `gateway restart`
+- `daemon status` (probes the Gateway RPC by default)
+- `daemon install` (service install)
+- `daemon uninstall`
+- `daemon start`
+- `daemon stop`
+- `daemon restart`

 Notes:
- `gateway status` probes the Gateway RPC by default using the service’s resolved port/config (override with `--url/--token/--password`).
- `gateway status` supports `--no-probe`, `--deep`, and `--json` for scripting.
- `gateway status` also surfaces legacy or extra gateway services when it can detect them (`--deep` adds system-level scans). Profile-named Clawdbot services are treated as first-class and aren't flagged as "extra".
- `gateway status` prints which config path the CLI uses vs which config the service likely uses (service env), plus the resolved probe target URL.
- `gateway install|uninstall|start|stop|restart` support `--json` for scripting (default output stays human-friendly).
- `gateway install` defaults to Node runtime; bun is **not recommended** (WhatsApp/Telegram bugs).
- `gateway install` options: `--port`, `--runtime`, `--token`, `--force`, `--json`.
+- `daemon status` probes the Gateway RPC by default using the daemon’s resolved port/config (override with `--url/--token/--password`).
+- `daemon status` supports `--no-probe`, `--deep`, and `--json` for scripting.
+- `daemon status` also surfaces legacy or extra gateway services when it can detect them (`--deep` adds system-level scans). Profile-named Clawdbot services are treated as first-class and aren't flagged as "extra".
+- `daemon status` prints which config path the CLI uses vs which config the daemon likely uses (service env), plus the resolved probe target URL.
+- `daemon install|uninstall|start|stop|restart` support `--json` for scripting (default output stays human-friendly).
+- `daemon install` defaults to Node runtime; bun is **not recommended** (WhatsApp/Telegram bugs).
+- `daemon install` options: `--port`, `--runtime`, `--token`, `--force`, `--json`.

 ### `logs`
 Tail Gateway file logs via RPC.
@@ -650,16 +668,13 @@ clawdbot logs --no-color
 ```

 ### `gateway <subcommand>`
-Gateway CLI helpers (use `--url`, `--token`, `--password`, `--timeout`, `--expect-final` for RPC subcommands).
+Gateway RPC helpers (use `--url`, `--token`, `--password`, `--timeout`, `--expect-final` for each).

 Subcommands:
 - `gateway call <method> [--params <json>]`
 - `gateway health`
 - `gateway status`
- `gateway probe`
 - `gateway discover`
- `gateway install|uninstall|start|stop|restart`
- `gateway run`

 Common RPCs:
 - `config.apply` (validate + write config + restart + wake)
@@ -791,13 +806,16 @@ All `cron` commands accept `--url`, `--token`, `--timeout`, `--expect-final`.
 [`clawdbot node`](/cli/node).

 Subcommands:
- `node run --host <gateway-host> --port 18790`
- `node status`
- `node install [--host <gateway-host>] [--port <port>] [--tls] [--tls-fingerprint <sha256>] [--node-id <id>] [--display-name <name>] [--runtime <node|bun>] [--force]`
- `node uninstall`
- `node run`
- `node stop`
- `node restart`
+- `node start --host <gateway-host> --port 18790`
+- `node service status`
+- `node service install [--host <gateway-host>] [--port <port>] [--tls] [--tls-fingerprint <sha256>] [--node-id <id>] [--display-name <name>] [--runtime <node|bun>] [--force]`
+- `node service uninstall`
+- `node service start`
+- `node service stop`
+- `node service restart`
+
+Legacy alias:
+- `node daemon …` (same as `node service …`)

 ## Nodes

@@ -807,9 +825,9 @@ Common options:
 - `--url`, `--token`, `--timeout`, `--json`

 Subcommands:
- `nodes status [--connected] [--last-connected <duration>]`
+- `nodes status`
 - `nodes describe --node <id|name|ip>`
- `nodes list [--connected] [--last-connected <duration>]`
+- `nodes list`
 - `nodes pending`
 - `nodes approve <requestId>`
 - `nodes reject <requestId>`
--- a/docs/cli/node.md
+++ b/docs/cli/node.md
@@ -23,10 +23,10 @@ Common use cases:
 Execution is still guarded by **exec approvals** and per‑agent allowlists on the
 node host, so you can keep command access scoped and explicit.

-## Run (foreground)
+## Start (foreground)

 ```bash
-clawdbot node run --host <gateway-host> --port 18790
+clawdbot node start --host <gateway-host> --port 18790
 ```

 Options:
@@ -42,7 +42,9 @@ Options:
 Install a headless node host as a user service.

 ```bash
-clawdbot node install --host <gateway-host> --port 18790
+clawdbot node service install --host <gateway-host> --port 18790
+# or
+clawdbot service node install --host <gateway-host> --port 18790
 ```

 Options:
@@ -59,9 +61,18 @@ Manage the service:

 ```bash
 clawdbot node status
-clawdbot node stop
-clawdbot node restart
-clawdbot node uninstall
+clawdbot service node status
+clawdbot node service status
+clawdbot node service start
+clawdbot node service stop
+clawdbot node service restart
+clawdbot node service uninstall
+```
+
+Legacy alias:
+
+```bash
+clawdbot node daemon status
 ```

 ## Pairing
--- a/docs/cli/nodes.md
+++ b/docs/cli/nodes.md
@@ -18,37 +18,15 @@ Related:

 ```bash
 clawdbot nodes list
-clawdbot nodes list --connected
-clawdbot nodes list --last-connected 24h
 clawdbot nodes pending
 clawdbot nodes approve <requestId>
 clawdbot nodes status
-clawdbot nodes status --connected
-clawdbot nodes status --last-connected 24h
 ```

-`nodes list` prints pending/paired tables. Paired rows include the most recent connect age (Last Connect).
-Use `--connected` to only show currently-connected nodes. Use `--last-connected <duration>` to
-filter to nodes that connected within a duration (e.g. `24h`, `7d`).
-
 ## Invoke / run

 ```bash
 clawdbot nodes invoke --node <id|name|ip> --command <command> --params <json>
 clawdbot nodes run --node <id|name|ip> <command...>
-clawdbot nodes run --raw "git status"
-clawdbot nodes run --agent main --node <id|name|ip> --raw "git status"
 ```

-### Exec-style defaults
-
-`nodes run` mirrors the model’s exec behavior (defaults + approvals):
-
- Reads `tools.exec.*` (plus `agents.list[].tools.exec.*` overrides).
- Uses exec approvals (`exec.approval.request`) before invoking `system.run`.
- `--node` can be omitted when `tools.exec.node` is set.
-
-Flags:
- `--raw <command>`: run a shell string (`/bin/sh -lc` or `cmd.exe /c`).
- `--agent <id>`: agent-scoped approvals/allowlists (defaults to configured agent).
- `--ask <off|on-miss|always>`, `--security <deny|allowlist|full>`: overrides.
--- a/docs/cli/security.md
+++ b/docs/cli/security.md
@@ -21,4 +21,4 @@ clawdbot security audit --fix
 ```

 The audit warns when multiple DM senders share the main session and recommends `session.dmScope="per-channel-peer"` for shared inboxes.
-It also warns when small models (`<=300B`) are used without sandboxing and with web/browser tools enabled.
+It also warns when small models (<=300B) are used without sandboxing and with web/browser tools enabled.
--- a/docs/cli/service.md
+++ b/docs/cli/service.md
@@ -0,0 +1,51 @@
+---
+summary: "CLI reference for `clawdbot service` (manage gateway + node services)"
+read_when:
+  - You want to manage Gateway or node services cross-platform
+  - You want a single surface for start/stop/install/uninstall
+---
+
+# `clawdbot service`
+
+Manage the **Gateway** service and **node host** services.
+
+Related:
+- Gateway daemon (legacy alias): [Daemon](/cli/daemon)
+- Node host: [Node](/cli/node)
+
+## Gateway service
+
+```bash
+clawdbot service gateway status
+clawdbot service gateway install --port 18789
+clawdbot service gateway start
+clawdbot service gateway stop
+clawdbot service gateway restart
+clawdbot service gateway uninstall
+```
+
+Notes:
+- `service gateway status` supports `--json` and `--deep` for system checks.
+- `service gateway install` supports `--runtime node|bun` and `--token`.
+
+## Node host service
+
+```bash
+clawdbot service node status
+clawdbot service node install --host <gateway-host> --port 18790
+clawdbot service node start
+clawdbot service node stop
+clawdbot service node restart
+clawdbot service node uninstall
+```
+
+Notes:
+- `service node install` supports `--runtime node|bun`, `--node-id`, `--display-name`,
+  and TLS options (`--tls`, `--tls-fingerprint`).
+
+## Aliases
+
+- `clawdbot daemon …` → `clawdbot service gateway …`
+- `clawdbot node service …` → `clawdbot service node …`
+- `clawdbot node status` → `clawdbot service node status`
+- `clawdbot node daemon …` → `clawdbot service node …` (legacy)
--- a/docs/cli/status.md
+++ b/docs/cli/status.md
@@ -19,6 +19,6 @@ clawdbot status --usage
 Notes:
 - `--deep` runs live probes (WhatsApp Web + Telegram + Discord + Slack + Signal).
 - Output includes per-agent session stores when multiple agents are configured.
- Overview includes Gateway + node host service install/runtime status when available.
+- Overview includes Gateway + Node service install/runtime status when available.
 - Overview includes update channel + git SHA (for source checkouts).
 - Update info surfaces in the Overview; if an update is available, status prints a hint to run `clawdbot update` (see [Updating](/install/updating)).
--- a/docs/cli/update.md
+++ b/docs/cli/update.md
@@ -1,5 +1,5 @@
 ---
-summary: "CLI reference for `clawdbot update` (safe-ish source update + optional gateway restart)"
+summary: "CLI reference for `clawdbot update` (safe-ish source update + optional daemon restart)"
 read_when:
  - You want to update a source checkout safely
  - You need to understand `--update` shorthand behavior
@@ -7,16 +7,15 @@ read_when:

 # `clawdbot update`

-Safely update Clawdbot and switch between stable/beta/dev channels.
+Safely update a **source checkout** (git install) of Clawdbot.

-If you installed via **npm/pnpm** (global install, no git metadata), updates happen via the package manager flow in [Updating](/install/updating).
+If you installed via **npm/pnpm** (global install, no git metadata), use the package manager flow in [Updating](/install/updating).

 ## Usage

 ```bash
 clawdbot update
 clawdbot update status
-clawdbot update wizard
 clawdbot update --channel beta
 clawdbot update --channel dev
 clawdbot update --tag beta
@@ -27,7 +26,7 @@ clawdbot --update

 ## Options

- `--restart`: restart the Gateway service after a successful update.
+- `--restart`: restart the Gateway daemon after a successful update.
 - `--channel <stable|beta|dev>`: set the update channel (git + npm; persisted in config).
 - `--tag <dist-tag|version>`: override the npm dist-tag or version for this update only.
 - `--json`: print machine-readable `UpdateRunResult` JSON.
@@ -49,21 +48,7 @@ Options:
 - `--json`: print machine-readable status JSON.
 - `--timeout <seconds>`: timeout for checks (default is 3s).

-## `update wizard`
-
-Interactive flow to pick an update channel and confirm whether to restart the Gateway
-after updating. If you select `dev` without a git checkout, it offers to create one.
-
-## What it does
-
-When you switch channels explicitly (`--channel ...`), Clawdbot also keeps the
-install method aligned:
-
- `dev` → ensures a git checkout (default: `~/clawdbot`, override with `CLAWDBOT_GIT_DIR`),
-  updates it, and installs the global CLI from that checkout.
- `stable`/`beta` → installs from npm using the matching dist-tag.
-
-## Git checkout flow
+## What it does (git checkout)

 Channels:

@@ -75,13 +60,11 @@ High-level:

 1. Requires a clean worktree (no uncommitted changes).
 2. Switches to the selected channel (tag or branch).
-3. Fetches upstream (dev only).
-4. Dev only: preflight lint + TypeScript build in a temp worktree; if the tip fails, walks back up to 10 commits to find the newest clean build.
-5. Rebases onto the selected commit (dev only).
-6. Installs deps (pnpm preferred; npm fallback).
-7. Builds + builds the Control UI.
-8. Runs `clawdbot doctor` as the final “safe update” check.
-9. Syncs plugins to the active channel (dev uses bundled extensions; stable/beta uses npm) and updates npm-installed plugins.
+3. Fetches and rebases against `@{upstream}` (dev only).
+4. Installs deps (pnpm preferred; npm fallback).
+5. Builds + builds the Control UI.
+6. Runs `clawdbot doctor` as the final “safe update” check.
+7. Syncs plugins to the active channel (dev uses bundled extensions; stable/beta uses npm) and updates npm-installed plugins.

 ## `--update` shorthand

--- a/docs/concepts/agent-workspace.md
+++ b/docs/concepts/agent-workspace.md
@@ -140,9 +140,6 @@ workspace lives).

 ### 1) Initialize the repo

-If git is installed, brand-new workspaces are initialized automatically. If this
-workspace is not already a repo, run:
-
 ```bash
 cd ~/clawd
 git init
--- a/docs/concepts/architecture.md
+++ b/docs/concepts/architecture.md
@@ -77,21 +77,6 @@ Client                    Gateway
  safely retry; the server keeps a short‑lived dedupe cache.
 - Nodes must include `role: "node"` plus caps/commands/permissions in `connect`.

-## Pairing + local trust
-
- All WS clients (operators + nodes) include a **device identity** on `connect`.
- New device IDs require pairing approval; the Gateway issues a **device token**
-  for subsequent connects.
- **Local** connects (loopback or the gateway host’s own tailnet address) can be
-  auto‑approved to keep same‑host UX smooth.
- **Non‑local** connects must sign the `connect.challenge` nonce and require
-  explicit approval.
- Gateway auth (`gateway.auth.*`) still applies to **all** connections, local or
-  remote.
-
-Details: [Gateway protocol](/gateway/protocol), [Pairing](/start/pairing),
-[Security](/gateway/security).
-
 ## Protocol typing and codegen

 - TypeBox schemas define the protocol.
--- a/docs/concepts/memory.md
+++ b/docs/concepts/memory.md
@@ -194,7 +194,7 @@ Local mode:

 - File type: Markdown only (`MEMORY.md`, `memory/**/*.md`).
 - Index storage: per-agent SQLite at `~/.clawdbot/memory/<agentId>.sqlite` (configurable via `agents.defaults.memorySearch.store.path`, supports `{agentId}` token).
- Freshness: watcher on `MEMORY.md` + `memory/` marks the index dirty (debounce 1.5s). Sync is scheduled on session start, on search, or on an interval and runs asynchronously. Session transcripts use delta thresholds to trigger background sync.
+- Freshness: watcher on `MEMORY.md` + `memory/` marks the index dirty (debounce 1.5s). Sync runs on session start, on first search when dirty, and optionally on an interval.
 - Reindex triggers: the index stores the embedding **provider/model + endpoint fingerprint + chunking params**. If any of those change, Clawdbot automatically resets and reindexes the entire store.

 ### Hybrid search (BM25 + vector)
@@ -299,29 +299,11 @@ agents: {

 Notes:
 - Session indexing is **opt-in** (off by default).
- Session updates are debounced and **indexed asynchronously** once they cross delta thresholds (best-effort).
- `memory_search` never blocks on indexing; results can be slightly stale until background sync finishes.
+- Session updates are debounced and indexed lazily on the next `memory_search` (or manual `clawdbot memory index`).
 - Results still include snippets only; `memory_get` remains limited to memory files.
 - Session indexing is isolated per agent (only that agent’s session logs are indexed).
 - Session logs live on disk (`~/.clawdbot/agents/<agentId>/sessions/*.jsonl`). Any process/user with filesystem access can read them, so treat disk access as the trust boundary. For stricter isolation, run agents under separate OS users or hosts.

-Delta thresholds (defaults shown):
-
-```json5
-agents: {
-  defaults: {
-    memorySearch: {
-      sync: {
-        sessions: {
-          deltaBytes: 100000,   // ~100 KB
-          deltaMessages: 50     // JSONL lines
-        }
-      }
-    }
-  }
-}
-```
-
 ### SQLite vector acceleration (sqlite-vec)

 When the sqlite-vec extension is available, Clawdbot stores embeddings in a
--- a/docs/concepts/model-providers.md
+++ b/docs/concepts/model-providers.md
@@ -38,7 +38,7 @@ Clawdbot ships with the pi‑ai catalog. These providers require **no**
 - Provider: `anthropic`
 - Auth: `ANTHROPIC_API_KEY` or `claude setup-token`
 - Example model: `anthropic/claude-opus-4-5`
- CLI: `clawdbot onboard --auth-choice token` (paste setup-token) or `clawdbot models auth paste-token --provider anthropic`
+- CLI: `clawdbot onboard --auth-choice setup-token`

 ```json5
 {
--- a/docs/concepts/session-pruning.md
+++ b/docs/concepts/session-pruning.md
@@ -9,22 +9,8 @@ read_when:
 Session pruning trims **old tool results** from the in-memory context right before each LLM call. It does **not** rewrite the on-disk session history (`*.jsonl`).

 ## When it runs
- When `mode: "cache-ttl"` is enabled and the last Anthropic call for the session is older than `ttl`.
+- Before each LLM request (context hook).
 - Only affects the messages sent to the model for that request.
- - Only active for Anthropic API calls (and OpenRouter Anthropic models).
- - For best results, match `ttl` to your model `cacheControlTtl`.
- - After a prune, the TTL window resets so subsequent requests keep cache until `ttl` expires again.
-
-## Smart defaults (Anthropic)
- **OAuth or setup-token** profiles: enable `cache-ttl` pruning and set heartbeat to `1h`.
- **API key** profiles: enable `cache-ttl` pruning, set heartbeat to `30m`, and default `cacheControlTtl` to `1h` on Anthropic models.
- If you set any of these values explicitly, Clawdbot does **not** override them.
-
-## What this improves (cost + cache behavior)
- **Why prune:** Anthropic prompt caching only applies within the TTL. If a session goes idle past the TTL, the next request re-caches the full prompt unless you trim it first.
- **What gets cheaper:** pruning reduces the **cacheWrite** size for that first request after the TTL expires.
- **Why the TTL reset matters:** once pruning runs, the cache window resets, so follow‑up requests can reuse the freshly cached prompt instead of re-caching the full history again.
- **What it does not do:** pruning doesn’t add tokens or “double” costs; it only changes what gets cached on that first post‑TTL request.

 ## What can be pruned
 - Only `toolResult` messages.
@@ -40,10 +26,14 @@ Pruning uses an estimated context window (chars ≈ tokens × 4). The window siz
 3) `agents.defaults.contextTokens`.
 4) Default `200000` tokens.

-## Mode
-### cache-ttl
- Pruning only runs if the last Anthropic call is older than `ttl` (default `5m`).
- When it runs: same soft-trim + hard-clear behavior as before.
+## Modes
+### adaptive
+- If estimated context ratio ≥ `softTrimRatio`: soft-trim oversized tool results.
+- If still ≥ `hardClearRatio` **and** prunable tool text ≥ `minPrunableToolChars`: hard-clear oldest eligible tool results.
+
+### aggressive
+- Always hard-clears eligible tool results before the cutoff.
+- Ignores `hardClear.enabled` (always clears when eligible).

 ## Soft vs hard pruning
 - **Soft-trim**: only for oversized tool results.
@@ -62,7 +52,6 @@ Pruning uses an estimated context window (chars ≈ tokens × 4). The window siz
 - Compaction is separate: compaction summarizes and persists, pruning is transient per request. See [/concepts/compaction](/concepts/compaction).

 ## Defaults (when enabled)
- `ttl`: `"5m"`
 - `keepLastAssistants`: `3`
 - `softTrimRatio`: `0.3`
 - `hardClearRatio`: `0.5`
@@ -71,7 +60,16 @@ Pruning uses an estimated context window (chars ≈ tokens × 4). The window siz
 - `hardClear`: `{ enabled: true, placeholder: "[Old tool result content cleared]" }`

 ## Examples
-Default (off):
+Default (adaptive):
+```json5
+{
+  agent: {
+    contextPruning: { mode: "adaptive" }
+  }
+}
+```
+
+To disable:
 ```json5
 {
  agent: {
@@ -80,11 +78,11 @@ Default (off):
 }
 ```

-Enable TTL-aware pruning:
+Aggressive:
 ```json5
 {
  agent: {
-    contextPruning: { mode: "cache-ttl", ttl: "5m" }
+    contextPruning: { mode: "aggressive" }
  }
 }
 ```
@@ -94,7 +92,7 @@ Restrict pruning to specific tools:
 {
  agent: {
    contextPruning: {
-      mode: "cache-ttl",
+      mode: "adaptive",
      tools: { allow: ["exec", "read"], deny: ["*image*"] }
    }
  }
--- a/docs/concepts/session.md
+++ b/docs/concepts/session.md
@@ -60,7 +60,6 @@ the workspace is writable. See [Memory](/concepts/memory) and
 - Idle reset (optional): `idleMinutes` adds a sliding idle window. When both daily and idle resets are configured, **whichever expires first** forces a new session.
 - Legacy idle-only: if you set `session.idleMinutes` without any `session.reset`/`resetByType` config, Clawdbot stays in idle-only mode for backward compatibility.
 - Per-type overrides (optional): `resetByType` lets you override the policy for `dm`, `group`, and `thread` sessions (thread = Slack/Discord threads, Telegram topics, Matrix threads when provided by the connector).
- Per-channel overrides (optional): `resetByChannel` overrides the reset policy for a channel (applies to all session types for that channel and takes precedence over `reset`/`resetByType`).
 - Reset triggers: exact `/new` or `/reset` (plus any extras in `resetTriggers`) start a fresh session id and pass the remainder of the message through. `/new <model>` accepts a model alias, `provider/model`, or provider name (fuzzy match) to set the new session model. If `/new` or `/reset` is sent alone, Clawdbot runs a short “hello” greeting turn to confirm the reset.
 - Manual reset: delete specific keys from the store or remove the JSONL transcript; the next message recreates them.
 - Isolated cron jobs always mint a fresh `sessionId` per run (no idle reuse).
@@ -110,9 +109,6 @@ Send these as standalone messages so they register.
      dm: { mode: "idle", idleMinutes: 240 },
      group: { mode: "idle", idleMinutes: 120 }
    },
-    resetByChannel: {
-      discord: { mode: "idle", idleMinutes: 10080 }
-    },
    resetTriggers: ["/new", "/reset"],
    store: "~/.clawdbot/agents/{agentId}/sessions/sessions.json",
    mainKey: "main",
--- a/docs/concepts/system-prompt.md
+++ b/docs/concepts/system-prompt.md
@@ -24,7 +24,7 @@ The prompt is intentionally compact and uses fixed sections:
 - **Current Date & Time**: user-local time, timezone, and time format.
 - **Reply Tags**: optional reply tag syntax for supported providers.
 - **Heartbeats**: heartbeat prompt and ack behavior.
- **Runtime**: host, OS, node, model, repo root (when detected), thinking level (one line).
+- **Runtime**: host, OS, node, model, thinking level (one line).
 - **Reasoning**: current visibility level + /reasoning toggle hint.

 ## Prompt modes
--- a/docs/concepts/timezone.md
+++ b/docs/concepts/timezone.md
@@ -9,15 +9,15 @@ read_when:

 Clawdbot standardizes timestamps so the model sees a **single reference time**.

-## Message envelopes (local by default)
+## Message envelopes (UTC by default)

 Inbound messages are wrapped in an envelope like:

 ```
-[Provider ... 2026-01-05 16:26 PST] message text
+[Provider ... 2026-01-05T21:26Z] message text
 ```

-The timestamp in the envelope is **host-local by default**, with minutes precision.
+The timestamp in the envelope is **UTC by default**, with minutes precision.

 You can override this with:

@@ -25,7 +25,7 @@ You can override this with:
 {
  agents: {
    defaults: {
-      envelopeTimezone: "local", // "utc" | "local" | "user" | IANA timezone
+      envelopeTimezone: "user", // "utc" | "local" | "user" | IANA timezone
      envelopeTimestamp: "on", // "on" | "off"
      envelopeElapsed: "on" // "on" | "off"
    }
@@ -33,7 +33,6 @@ You can override this with:
 }
 ```

- `envelopeTimezone: "utc"` uses UTC.
 - `envelopeTimezone: "user"` uses `agents.defaults.userTimezone` (falls back to host timezone).
 - Use an explicit IANA timezone (e.g., `"Europe/Vienna"`) for a fixed offset.
 - `envelopeTimestamp: "off"` removes absolute timestamps from envelope headers.
@@ -41,10 +40,10 @@ You can override this with:

 ### Examples

-**Local (default):**
+**UTC (default):**

 ```
-[Signal Alice +1555 2026-01-18 00:19 PST] hello
+[Signal Alice +1555 2026-01-18T05:19Z] hello
 ```

 **Fixed timezone:**
--- a/docs/date-time.md
+++ b/docs/date-time.md
@@ -7,18 +7,18 @@ read_when:

 # Date & Time

-Clawdbot defaults to **host-local time for transport timestamps** and **user-local time only in the system prompt**.
+Clawdbot defaults to **UTC for transport timestamps** and **user-local time only in the system prompt**.
 Provider timestamps are preserved so tools keep their native semantics.

-## Message envelopes (local by default)
+## Message envelopes (UTC by default)

-Inbound messages are wrapped with a timestamp (minute precision):
+Inbound messages are wrapped with a UTC timestamp (minute precision):

 ```
-[Provider ... 2026-01-05 16:26 PST] message text
+[Provider ... 2026-01-05T21:26Z] message text
 ```

-This envelope timestamp is **host-local by default**, regardless of the provider timezone.
+This envelope timestamp is **UTC by default**, regardless of the host timezone.

 You can override this behavior:

@@ -26,7 +26,7 @@ You can override this behavior:
 {
  agents: {
    defaults: {
-      envelopeTimezone: "local", // "utc" | "local" | "user" | IANA timezone
+      envelopeTimezone: "utc", // "utc" | "local" | "user" | IANA timezone
      envelopeTimestamp: "on", // "on" | "off"
      envelopeElapsed: "on" // "on" | "off"
    }
@@ -34,7 +34,6 @@ You can override this behavior:
 }
 ```

- `envelopeTimezone: "utc"` uses UTC.
 - `envelopeTimezone: "local"` uses the host timezone.
 - `envelopeTimezone: "user"` uses `agents.defaults.userTimezone` (falls back to host timezone).
 - Use an explicit IANA timezone (e.g., `"America/Chicago"`) for a fixed zone.
@@ -43,10 +42,10 @@ You can override this behavior:

 ### Examples

-**Local (default):**
+**UTC (default):**

 ```
-[WhatsApp +1555 2026-01-18 00:19 PST] hello
+[WhatsApp +1555 2026-01-18T05:19Z] hello
 ```

 **User timezone:**
@@ -74,13 +73,12 @@ Time format: 12-hour
 If only the timezone is known, we still include the section and instruct the model
 to assume UTC for unknown time references.

-## System event lines (local by default)
+## System event lines (UTC)

-Queued system events inserted into agent context are prefixed with a timestamp using the
-same timezone selection as message envelopes (default: host-local).
+Queued system events inserted into agent context are prefixed with a UTC timestamp:

 ```
-System: [2026-01-12 12:19:17 PST] Model switched.
+System: [2026-01-12T20:19:17Z] Model switched.
 ```

 ### Configure user timezone + format
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -100,7 +100,7 @@ CLAWDBOT_PROFILE=dev clawdbot gateway --dev --reset
 Tip: if a non‑dev gateway is already running (launchd/systemd), stop it first:

 ```bash
-clawdbot gateway stop
+clawdbot daemon stop
 ```

 ## Raw stream logging (Clawdbot)
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -829,6 +829,8 @@
          "cli/nodes",
          "cli/approvals",
          "cli/gateway",
+          "cli/daemon",
+          "cli/service",
          "cli/tui",
          "cli/voicecall",
          "cli/wake",
--- a/docs/gateway/bridge-protocol.md
+++ b/docs/gateway/bridge-protocol.md
@@ -58,8 +58,8 @@ Exact allowlist is enforced in `src/gateway/server-bridge.ts`.

 ## Exec lifecycle events

-Nodes can emit `exec.finished` or `exec.denied` events to surface system.run activity.
-These are mapped to system events in the gateway. (Legacy nodes may still emit `exec.started`.)
+Nodes can emit `exec.started`, `exec.finished`, or `exec.denied` events to surface
+system.run activity. These are mapped to system events in the gateway.

 Payload fields (all optional unless noted):
 - `sessionKey` (required): agent session to receive the system event.
--- a/docs/gateway/configuration-examples.md
+++ b/docs/gateway/configuration-examples.md
@@ -151,9 +151,7 @@ Save to `~/.clawdbot/clawdbot.json` and you can DM the bot from that number.
      atHour: 4,
      idleMinutes: 60
    },
-    resetByChannel: {
-      discord: { mode: "idle", idleMinutes: 10080 }
-    },
+    heartbeatIdleMinutes: 120,
    resetTriggers: ["/new", "/reset"],
    store: "~/.clawdbot/agents/default/sessions/sessions.json",
    typingIntervalSeconds: 5,
--- a/docs/gateway/configuration.md
+++ b/docs/gateway/configuration.md
@@ -400,26 +400,12 @@ Optional per-agent identity used for defaults and UX. This is written by the mac
 If set, Clawdbot derives defaults (only when you haven’t set them explicitly):
 - `messages.ackReaction` from the **active agent**’s `identity.emoji` (falls back to 👀)
 - `agents.list[].groupChat.mentionPatterns` from the agent’s `identity.name`/`identity.emoji` (so “@Samantha” works in groups across Telegram/Slack/Discord/iMessage/WhatsApp)
- `identity.avatar` accepts a workspace-relative image path or a remote URL/data URL. Local files must live inside the agent workspace.
-
-`identity.avatar` accepts:
- Workspace-relative path (must stay within the agent workspace)
- `http(s)` URL
- `data:` URI

 ```json5
 {
  agents: {
    list: [
-      {
-        id: "main",
-        identity: {
-          name: "Samantha",
-          theme: "helpful sloth",
-          emoji: "🦥",
-          avatar: "avatars/samantha.png"
-        }
-      }
+      { id: "main", identity: { name: "Samantha", theme: "helpful sloth", emoji: "🦥" } }
    ]
  }
 }
@@ -1280,18 +1266,6 @@ Default: `~/clawd`.
 If `agents.defaults.sandbox` is enabled, non-main sessions can override this with their
 own per-scope workspaces under `agents.defaults.sandbox.workspaceRoot`.

-### `agents.defaults.repoRoot`
-
-Optional repository root to show in the system prompt’s Runtime line. If unset, Clawdbot
-tries to detect a `.git` directory by walking upward from the workspace (and current
-working directory). The path must exist to be used.
-
-```json5
-{
-  agents: { defaults: { repoRoot: "~/Projects/clawdbot" } }
-}
-```
-
 ### `agents.defaults.skipBootstrap`

 Disables automatic creation of the workspace bootstrap files (`AGENTS.md`, `SOUL.md`, `TOOLS.md`, `IDENTITY.md`, `USER.md`, and `BOOTSTRAP.md`).
@@ -1440,7 +1414,7 @@ Each `agents.defaults.models` entry can include:
 - `alias` (optional model shortcut, e.g. `/opus`).
 - `params` (optional provider-specific API params passed through to the model request).

-`params` is also applied to streaming runs (embedded agent + compaction). Supported keys today: `temperature`, `maxTokens`. These merge with call-time options; caller-supplied values win. `temperature` is an advanced knob—leave unset unless you know the model’s defaults and need a change.
+`params` is also applied to streaming runs (embedded agent + compaction). Supported keys today: `temperature`, `maxTokens`, `cacheControlTtl` (`"5m"` or `"1h"`, Anthropic API + OpenRouter Anthropic models only; ignored for Anthropic OAuth/Claude Code tokens). These merge with call-time options; caller-supplied values win. `temperature` is an advanced knob—leave unset unless you know the model’s defaults and need a change. Anthropic API defaults to `"1h"` unless you override (`cacheControlTtl: "5m"`). Clawdbot includes the `extended-cache-ttl-2025-04-11` beta flag for Anthropic API; keep it if you override provider headers.

 Example:

@@ -1768,9 +1742,8 @@ Z.AI models are available as `zai/<model>` (e.g. `zai/glm-4.7`) and require
  `30m`. Set `0m` to disable.
 - `model`: optional override model for heartbeat runs (`provider/model`).
 - `includeReasoning`: when `true`, heartbeats will also deliver the separate `Reasoning:` message when available (same shape as `/reasoning on`). Default: `false`.
- `session`: optional session key to control which session the heartbeat runs in. Default: `main`.
+- `target`: optional delivery channel (`last`, `whatsapp`, `telegram`, `discord`, `slack`, `signal`, `imessage`, `none`). Default: `last`.
 - `to`: optional recipient override (channel-specific id, e.g. E.164 for WhatsApp, chat id for Telegram).
- `target`: optional delivery channel (`last`, `whatsapp`, `telegram`, `discord`, `slack`, `msteams`, `signal`, `imessage`, `none`). Default: `last`.
 - `prompt`: optional override for the heartbeat body (default: `Read HEARTBEAT.md if it exists (workspace context). Follow it strictly. Do not infer or repeat old tasks from prior chats. If nothing needs attention, reply HEARTBEAT_OK.`). Overrides are sent verbatim; include a `Read HEARTBEAT.md` line if you still want the file read.
 - `ackMaxChars`: max chars allowed after `HEARTBEAT_OK` before delivery (default: 300).

@@ -1867,7 +1840,7 @@ Example:

 `agents.defaults.subagents` configures sub-agent defaults:
 - `model`: default model for spawned sub-agents (string or `{ primary, fallbacks }`). If omitted, sub-agents inherit the caller’s model unless overridden per agent or per call.
- `maxConcurrent`: max concurrent sub-agent runs (default 1)
+- `maxConcurrent`: max concurrent sub-agent runs (default 8)
 - `archiveAfterMinutes`: auto-archive sub-agent sessions after N minutes (default 60; set `0` to disable)
 - Per-subagent tool policy: `tools.subagents.tools.allow` / `tools.subagents.tools.deny` (deny wins)

@@ -1995,13 +1968,13 @@ Per-agent override (further restrict):

 Notes:
 - `tools.elevated` is the global baseline. `agents.list[].tools.elevated` can only further restrict (both must allow).
- `/elevated on|off|ask|full` stores state per session key; inline directives apply to a single message.
+- `/elevated on|off` stores state per session key; inline directives apply to a single message.
 - Elevated `exec` runs on the host and bypasses sandboxing.
 - Tool policy still applies; if `exec` is denied, elevated cannot be used.

 `agents.defaults.maxConcurrent` sets the maximum number of embedded agent runs that can
 execute in parallel across sessions. Each session is still serialized (one run
-per session key at a time). Default: 1.
+per session key at a time). Default: 4.

 ### `agents.defaults.sandbox`

@@ -2654,13 +2627,7 @@ If unset, clients fall back to a muted light-blue.
 ```json5
 {
  ui: {
-    seamColor: "#FF4500", // hex (RRGGBB or #RRGGBB)
-    // Optional: Control UI assistant identity override.
-    // If unset, the Control UI uses the active agent identity (config or IDENTITY.md).
-    assistant: {
-      name: "Clawdbot",
-      avatar: "CB" // emoji, short text, or image URL/data URI
-    }
+    seamColor: "#FF4500" // hex (RRGGBB or #RRGGBB)
  }
 }
 ```
@@ -2691,8 +2658,6 @@ Control UI base path:
 - `gateway.controlUi.basePath` sets the URL prefix where the Control UI is served.
 - Examples: `"/ui"`, `"/clawdbot"`, `"/apps/clawdbot"`.
 - Default: root (`/`) (unchanged).
- `gateway.controlUi.allowInsecureAuth` allows token-only auth over **HTTP** (no device identity).
-  Default: `false`. Prefer HTTPS (Tailscale Serve) or `127.0.0.1`.

 Related docs:
 - [Control UI](/web/control-ui)
@@ -2704,6 +2669,7 @@ Notes:
 - `clawdbot gateway` refuses to start unless `gateway.mode` is set to `local` (or you pass the override flag).
 - `gateway.port` controls the single multiplexed port used for WebSocket + HTTP (control UI, hooks, A2UI).
 - OpenAI Chat Completions endpoint: **disabled by default**; enable with `gateway.http.endpoints.chatCompletions.enabled: true`.
+- OpenResponses endpoint: **disabled by default**; enable with `gateway.http.endpoints.responses.enabled: true`.
 - Precedence: `--port` > `CLAWDBOT_GATEWAY_PORT` > `gateway.port` > default `18789`.
 - Non-loopback binds (`lan`/`tailnet`/`auto`) require auth. Use `gateway.auth.token` (or `CLAWDBOT_GATEWAY_TOKEN`).
 - The onboarding wizard generates a gateway token by default (even on loopback).
@@ -2711,7 +2677,7 @@ Notes:

 Auth and Tailscale:
 - `gateway.auth.mode` sets the handshake requirements (`token` or `password`).
- `gateway.auth.token` stores the shared token for token auth (used by the CLI on the same machine).
+- `gateway.auth.token` stores the shared token for token auth (used by the CLI on the same machine and as the bootstrap credential for device pairing).
 - When `gateway.auth.mode` is set, only that method is accepted (plus optional Tailscale headers).
 - `gateway.auth.password` can be set here, or via `CLAWDBOT_GATEWAY_PASSWORD` (recommended).
 - `gateway.auth.allowTailscale` allows Tailscale Serve identity headers
@@ -2720,6 +2686,9 @@ Auth and Tailscale:
  `true`, Serve requests do not need a token/password; set `false` to require
  explicit credentials. Defaults to `true` when `tailscale.mode = "serve"` and
  auth mode is not `password`.
+- After pairing, the Gateway issues **device tokens** scoped to the device role + scopes.
+  These are returned in `hello-ok.auth.deviceToken`; clients should persist and reuse them
+  instead of the shared token. Rotate/revoke via `device.token.rotate`/`device.token.revoke`.
 - `gateway.tailscale.mode: "serve"` uses Tailscale Serve (tailnet only, loopback bind).
 - `gateway.tailscale.mode: "funnel"` exposes the dashboard publicly; requires auth.
 - `gateway.tailscale.resetOnExit` resets Serve/Funnel config on shutdown.
@@ -2728,6 +2697,7 @@ Remote client defaults (CLI):
 - `gateway.remote.url` sets the default Gateway WebSocket URL for CLI calls when `gateway.mode = "remote"`.
 - `gateway.remote.token` supplies the token for remote calls (leave unset for no auth).
 - `gateway.remote.password` supplies the password for remote calls (leave unset for no auth).
+- `gateway.remote.tlsFingerprint` pins the gateway TLS cert fingerprint (sha256).

 macOS app behavior:
 - Clawdbot.app watches `~/.clawdbot/clawdbot.json` and switches modes live when `gateway.mode` or `gateway.remote.url` changes.
@@ -2741,12 +2711,36 @@ macOS app behavior:
    remote: {
      url: "ws://gateway.tailnet:18789",
      token: "your-token",
-      password: "your-password"
+      password: "your-password",
+      tlsFingerprint: "sha256:ab12cd34..."
    }
  }
 }
 ```

+### `gateway.nodes` (Node command allowlist)
+
+The Gateway enforces a per-platform command allowlist for `node.invoke`. Nodes must both
+**declare** a command and have it **allowed** by the Gateway to run it.
+
+Use this section to extend or deny commands:
+
+```json5
+{
+  gateway: {
+    nodes: {
+      allowCommands: ["custom.vendor.command"], // extra commands beyond defaults
+      denyCommands: ["sms.send"]      // block a command even if declared
+    }
+  }
+}
+```
+
+Notes:
+- `allowCommands` extends the built-in per-platform defaults.
+- `denyCommands` always wins (even if the node claims the command).
+- `node.invoke` rejects commands that are not declared by the node.
+
 ### `gateway.reload` (Config hot reload)

 The Gateway watches `~/.clawdbot/clawdbot.json` (or `CLAWDBOT_CONFIG_PATH`) and applies changes automatically.
@@ -2994,7 +2988,7 @@ Auto-generated certs require `openssl` on PATH; if generation fails, the bridge

 ### `discovery.wideArea` (Wide-Area Bonjour / unicast DNS‑SD)

-When enabled, the Gateway writes a unicast DNS-SD zone for `_clawdbot-bridge._tcp` under `~/.clawdbot/dns/` using the standard discovery domain `clawdbot.internal.`
+When enabled, the Gateway writes a unicast DNS-SD zone for `_clawdbot-gw._tcp` under `~/.clawdbot/dns/` using the standard discovery domain `clawdbot.internal.`

 To make iOS/Android discover across networks (Vienna ⇄ London), pair this with:
 - a DNS server on the gateway host serving `clawdbot.internal.` (CoreDNS is recommended)
--- a/docs/gateway/doctor.md
+++ b/docs/gateway/doctor.md
@@ -225,10 +225,10 @@ Notes:
 - `clawdbot doctor --yes` accepts the default repair prompts.
 - `clawdbot doctor --repair` applies recommended fixes without prompts.
 - `clawdbot doctor --repair --force` overwrites custom supervisor configs.
- You can always force a full rewrite via `clawdbot gateway install --force`.
+- You can always force a full rewrite via `clawdbot daemon install --force`.

 ### 16) Gateway runtime + port diagnostics
-Doctor inspects the service runtime (PID, last exit status) and warns when the
+Doctor inspects the daemon runtime (PID, last exit status) and warns when the
 service is installed but not actually running. It also checks for port collisions
 on the gateway port (default `18789`) and reports likely causes (gateway already
 running, SSH tunnel).
@@ -236,7 +236,7 @@ running, SSH tunnel).
 ### 17) Gateway runtime best practices
 Doctor warns when the gateway service runs on Bun or a version-managed Node path
 (`nvm`, `fnm`, `volta`, `asdf`, etc.). WhatsApp + Telegram channels require Node,
-and version-manager paths can break after upgrades because the service does not
+and version-manager paths can break after upgrades because the daemon does not
 load your shell init. Doctor offers to migrate to a system Node install when
 available (Homebrew/apt/choco).

--- a/Show More
+++ b/Show More