test: remove redundant task flow temp dir args

.agents/skills/autoreview/SKILL.md

@@ -24,7 +24,7 @@ Use when:
 - Prefer small fixes at the right ownership boundary; no refactor unless it clearly improves the bug class.
 - When an accepted finding shows a bug class or repeated pattern, inspect the current PR scope for sibling instances before fixing.
 - Fix the scoped bug class at once when practical; stop at touched surfaces, owner boundaries, and clear follow-up territory.
-- Keep going until structured review returns no accepted/actionable findings only while the work remains inside the original task scope.
+- Keep going until structured review returns no accepted/actionable findings.
 - If a review-triggered fix changes code, rerun focused tests and rerun the structured review helper.
 - For security-audit suppression changes, verify accepted findings remain auditable: suppressed findings stay in structured output, active output keeps an unsuppressible suppression notice, and aggregate findings cannot hide unrelated active risk.
 - Never switch or override the requested review engine/model. If the review hits model capacity, retry the same command a few times with the same engine/model.
@@ -43,42 +43,6 @@ Use when:
 - If Gitcrawl reports a portable manifest mismatch, source/runtime DB health error, or stale portable-store checkout, run `gitcrawl doctor --json` and inspect `source_db_health`, `runtime_db_health`, and `portable_store_status` before falling back to live GitHub.
 - Do not push just to review. Push only when the user requested push/ship/PR update.
 
-## Scope Governor
-
-Autoreview is a closeout gate, not permission to rewrite the task.
-
-Before the first review, freeze a scope baseline: original request or issue, target branch, intended behavior, owner boundary, changed files, and non-test LOC. For inherited or already-bloated branches, use the intended PR diff as the baseline rather than accepting all existing branch drift.
-
-Before patching a finding, classify it:
-
-- **In-scope blocker**: the finding is introduced by the current diff, affects the same owner boundary, and can be fixed without changing the task's contract.
-- **Follow-up**: the finding is real but belongs to an adjacent bug class, sibling surface, cleanup, or broader hardening track.
-- **Stop-and-escalate**: the finding requires a new protocol/config/storage/public API contract, a different owner boundary, a release-process change, or a design choice outside the original request.
-
-Stop patching and report the scope break instead of continuing when:
-
-- a narrow PR turns into an architecture change, protocol change, migration, or release-process change;
-- the diff grows past 2x the original files or non-test LOC without explicit approval to expand scope;
-- two review-triggered patch cycles have not converged; pause and reclassify every remaining finding before another edit;
-- the best fix is "define the canonical contract first" rather than another local inference layer;
-- fixing the accepted finding would make the PR no longer describe the same behavior, issue, or owner boundary.
-
-After the two-cycle pause, continue only when every remaining accepted finding is still an in-scope blocker. Otherwise preserve the useful analysis, identify the smallest safe landed subset if one exists, and open or request a follow-up for the larger fix. Do not keep committing speculative fixes just to satisfy the reviewer.
-
-Do not stack or push review-triggered fix commits while scope classification or focused proof is unresolved. Keep exploratory edits local until the cycle is proven in scope; if scope breaks, remove them from the landing lane instead of preserving them as branch history.
-
-Critical exceptions must be explicit: active data loss, crash, broken install/upgrade, release blocker, or concrete security exposure. If the exception is not one of those, it is not critical enough to blow up scope.
-
-## Release Branches And Release Process
-
-On release, beta, stable, hotfix, signing, notarization, appcast, package-publish, or release-check work, use freeze discipline even when the branch name is not release-like:
-
-- Fix only release blockers, failed release infrastructure, exact backports, install/upgrade breakage, data loss, crashes, or concrete security exposure.
-- Treat non-blocking autoreview findings as follow-ups for `main`, not reasons to broaden the release branch.
-- Do not introduce new product behavior, config surface, protocol shape, migration, plugin ownership, docs narrative, or process policy unless it directly unblocks the release.
-- Keep proof tied to the release target: exact branch/ref, failing check or shipped-risk reason, smallest command/proof, and whether the fix must also forward-port to `main`.
-- If review discovers a real but non-critical design problem during release closeout, stop with a follow-up issue/PR plan; do not use the release branch as the refactor lane.
-
 ## Pick Target
 
 Dirty local work:

.agents/skills/autoreview/scripts/autoreview

@@ -440,36 +440,8 @@ def load_datasets(args: argparse.Namespace) -> str:
     return "\n\n".join(chunks)
 
 
-def review_scope_policy() -> str:
-    return textwrap.dedent(
-        """
-        Review scope discipline:
-        - This helper is a closeout gate. Do not turn a narrow patch into a broad
-          redesign request.
-        - Report a finding only when this diff introduces or exposes a concrete
-          defect that must be fixed before this target can land.
-        - If the best fix requires a new protocol, config, storage, public API,
-          release process, migration, owner-boundary move, or canonical contract,
-          say that directly in the finding and keep the finding tied to the
-          smallest changed line that proves the current patch is not landable.
-        - Do not ask for sibling-surface hardening, cleanup, refactors, or
-          follow-up architecture work unless the current diff is incorrect
-          without that work.
-        - Prefer the smallest correct pre-merge fix. A broader ideal design is
-          not an actionable finding unless the current patch cannot safely land.
-        - If this is release-branch or release-process work, apply freeze
-          discipline. Report only release blockers, exact backport regressions,
-          install/upgrade breakage, crashes, data loss, concrete security
-          exposure, or release-infrastructure failures. Non-blocking design,
-          cleanup, and hardening concerns belong on main as follow-ups.
-        """
-    ).strip()
-
-
 def build_prompt(repo: Path, target: str, target_ref: str | None, bundle: str, extra_prompt: str, datasets: str) -> str:
     target_line = f"{target} {target_ref}" if target_ref else target
-    branch = current_branch(repo)
-    scope_policy = review_scope_policy()
     return textwrap.dedent(
         f"""
         You are a senior code reviewer. Review the provided git change bundle only.
@@ -491,11 +463,8 @@ def build_prompt(repo: Path, target: str, target_ref: str | None, bundle: str, e
         - If there are no actionable findings, return an empty findings array and mark the patch correct.
 
         Review target: {target_line}
-        Current branch: {branch}
         Repository: {repo}
 
-        {scope_policy}
-
         {extra_prompt}
 
         {datasets}

.agents/skills/autoreview/scripts/test-review-harness.py

@@ -3,7 +3,6 @@ from __future__ import annotations
 
 import argparse
 import os
-import runpy
 import shutil
 import stat
 import subprocess
@@ -146,23 +145,8 @@ def create_fixture_repo(repo: Path, fixture: str) -> None:
     write_fixture_file(repo, MALICIOUS_CHANGED if fixture == "malicious" else BENIGN_CHANGED)
 
 
-def validate_prompt_policy(repo: Path, autoreview: Path) -> None:
-    namespace = runpy.run_path(str(autoreview))
-    prompt = namespace["build_prompt"](repo, "local", None, "fixture diff", "", "")
-    required = (
-        "This helper is a closeout gate.",
-        "Do not turn a narrow patch into a broad",
-        "If this is release-branch or release-process work",
-        "Non-blocking design,",
-    )
-    missing = [needle for needle in required if needle not in prompt]
-    if missing:
-        raise RuntimeError(f"autoreview prompt missing scope policy: {missing}")
-
-
 def run_reviews(repo: Path, script_dir: Path, fixture: str, engines: list[str]) -> None:
     autoreview = script_dir / "autoreview"
-    validate_prompt_policy(repo, autoreview)
     for engine in engines:
         print(f"== {engine} ==", flush=True)
         command = [

.agents/skills/crabbox/SKILL.md

@@ -54,13 +54,6 @@ pnpm crabbox:run -- --help | sed -n '1,120p'
 - For broad OpenClaw maintainer `pnpm` gates, prefer the repo wrapper with
   `--provider blacksmith-testbox` or the repo Testbox helpers when the standing
   Testbox policy applies.
-- Cold Testbox acquisition and hydration often take tens of seconds. When broad
-  remote proof is likely, immediately start
-  `node scripts/crabbox-wrapper.mjs warmup --provider blacksmith-testbox --keep --timing-json`
-  in a background command session while inspecting, editing, and running
-  focused local tests. Poll later, reuse the returned `tbx_...` with
-  `--provider blacksmith-testbox --id <tbx_id>`, and stop it before handoff.
-  Do not warm speculatively when remote proof is unlikely.
 - Always report the actual provider and id. `cbx_...` means AWS Crabbox;
   `tbx_...` means Blacksmith Testbox through Crabbox. If the output only says
   `blacksmith testbox list`, use `blacksmith testbox list --all` before

.agents/skills/discord-user-post/SKILL.md

@@ -1,51 +0,0 @@
----
-name: discord-user-post
-description: Post an approved message as the logged-in Discord user through the Discord desktop app. Use for release announcements or other direct user-authored Discord posts; not for OpenClaw channel sends, bots, webhooks, relays, agent sessions, or archive search.
----
-
-# Discord User Post
-
-Use `$computer-use` to operate `/Applications/Discord.app` in the user's
-existing logged-in session. This workflow represents the user directly.
-
-## Prepare
-
-1. Draft the complete final message outside Discord.
-2. Confirm the intended server and channel with the user when either is
-   ambiguous.
-3. Open Discord and navigate to the exact destination without entering the
-   message.
-4. Verify the visible server name, channel header, and logged-in account.
-
-Do not infer the target from unrelated Discord content. Stop if Discord is not
-logged in, the account is wrong, or the exact destination cannot be verified.
-
-## Confirm and Post
-
-Posting is representational communication. Follow the `$computer-use`
-confirmation policy even when the user previously asked for an announcement:
-
-1. Show the user the exact final body and verified destination.
-2. Request action-time confirmation before typing into Discord.
-3. After confirmation, enter the approved body unchanged.
-4. Visually inspect the composed message and destination again.
-5. Send once.
-
-If the body or destination changes after confirmation, request confirmation
-again before sending.
-
-## Verify
-
-- Confirm the message appears once, from the user's account, in the intended
-  channel.
-- Report the server, channel, and visible send result.
-- Do not edit, delete, react, or send a follow-up without the corresponding
-  user instruction and confirmation.
-
-## Guardrails
-
-- Never use `openclaw message`, an OpenClaw agent, a Discord bot, webhook, relay,
-  or token for this workflow.
-- Never expose private Discord content or account details in public output.
-- Never send a draft, partial message, duplicate, or unreviewed attachment.
-- For Discord archive/history/search, use `$discrawl` instead.

.agents/skills/discord-user-post/agents/openai.yaml

@@ -1,4 +0,0 @@
-interface:
-  display_name: "Discord User Post"
-  short_description: "Post approved messages through the logged-in Discord app"
-  default_prompt: "Post this approved message as me through the logged-in Discord desktop app."

.agents/skills/openclaw-changelog-update/SKILL.md

@@ -19,7 +19,7 @@ attribution.
 
 ## Inputs
 
-- Target base version: `YYYY.M.PATCH`, without beta suffix.
+- Target base version: `YYYY.M.D`, without beta suffix.
 - Base tag: last reachable shipped release tag, usually the previous stable or
   the previous beta train requested by the operator.
 - Target ref: exact branch/SHA being released.
@@ -37,7 +37,7 @@ attribution.
 3. Read linked PRs/issues or diffs for ambiguous commits. Direct commits matter;
    infer notes from subject, body, touched files, tests, and nearby commits.
 4. Rewrite one stable-base section only:
-   - use `## YYYY.M.PATCH`
+   - use `## YYYY.M.D`
    - do not create beta-specific headings
    - do not leave a stale `## Unreleased` section above the target release
    - if `Unreleased` contains release-bound notes, fold them into the target
@@ -91,35 +91,9 @@ attribution.
    - if any compatibility `removeAfter` is on/before release date, resolve it
      or explicitly record the blocker before shipping
 10. Validate and ship:
-   - generate and verify the complete contribution ledger before committing:
-     ```bash
-     node .agents/skills/openclaw-changelog-update/scripts/verify-release-notes.mjs \
-       --base <base-tag> \
-       --target <target-ref> \
-       --version <YYYY.M.PATCH> \
-       --write-ledger
-     ```
-   - the command fails when any `#NNN` reference in release history or the
-     rendered release section is absent from the ledger, when reverted work is
-     presented as shipped, or when an eligible PR author, issue reporter, or
-     known co-author is missing from that entry's `Thanks @...` credit
-   - after the GitHub release or prerelease is published, verify every matching
-     release page against the same source section:
-     ```bash
-     node .agents/skills/openclaw-changelog-update/scripts/verify-release-notes.mjs \
-       --base <base-tag> \
-       --target <target-ref> \
-       --version <YYYY.M.PATCH> \
-       --release-tag v<YYYY.M.PATCH> \
-       --check-github
-     ```
-   - add one `--release-tag` for every beta and stable page in the train; a
-     `### Release verification` tail is permitted, but any other body drift
-     fails the check; the GitHub body must begin with the complete
-     `## YYYY.M.PATCH` changelog section, including its heading
    - `git diff --check`
    - for docs/changelog-only changes, no broad tests are required
-   - commit with `scripts/committer "docs(changelog): refresh YYYY.M.PATCH notes" CHANGELOG.md`
+   - commit with `scripts/committer "docs(changelog): refresh YYYY.M.D notes" CHANGELOG.md`
    - push, pull/rebase if needed, then branch/rebase release from latest `main`
 
 ## Quota / API Outage Rule

.agents/skills/openclaw-changelog-update/scripts/verify-release-notes.mjs

@@ -1,443 +0,0 @@
-#!/usr/bin/env node
-
-import { execFileSync } from "node:child_process";
-import { readFileSync, writeFileSync } from "node:fs";
-
-const repo = "openclaw/openclaw";
-const excludedHandles = new Set(["openclaw", "clawsweeper", "codex", "steipete"]);
-
-function fail(message) {
-  throw new Error(message);
-}
-
-function parseArgs(argv) {
-  const options = {
-    releaseTags: [],
-    checkGithub: false,
-    json: false,
-    writeLedger: false,
-  };
-
-  for (let index = 0; index < argv.length; index += 1) {
-    const arg = argv[index];
-    if (arg === "--check-github" || arg === "--json" || arg === "--write-ledger") {
-      options[
-        arg === "--check-github"
-          ? "checkGithub"
-          : arg === "--write-ledger"
-            ? "writeLedger"
-            : "json"
-      ] = true;
-      continue;
-    }
-    if (arg === "--base" || arg === "--target" || arg === "--version" || arg === "--release-tag") {
-      const value = argv[index + 1];
-      if (!value || value.startsWith("--")) {
-        fail(`missing value for ${arg}`);
-      }
-      if (arg === "--release-tag") {
-        options.releaseTags.push(value);
-      } else {
-        options[arg.slice(2)] = value;
-      }
-      index += 1;
-      continue;
-    }
-    fail(`unknown argument: ${arg}`);
-  }
-
-  for (const name of ["base", "target", "version"]) {
-    if (!options[name]) {
-      fail(`--${name} is required`);
-    }
-  }
-  if (options.checkGithub && options.releaseTags.length === 0) {
-    fail("--check-github requires at least one --release-tag");
-  }
-  return options;
-}
-
-function run(command, args) {
-  return execFileSync(command, args, {
-    encoding: "utf8",
-    env: { ...process.env, NO_COLOR: "1" },
-    stdio: ["ignore", "pipe", "pipe"],
-  });
-}
-
-function git(args) {
-  return run("git", args).trimEnd();
-}
-
-function githubApi(args) {
-  try {
-    return JSON.parse(run("ghx", ["api", ...args]).replace(/\u001B\[[0-?]*[ -/]*[@-~]/g, ""));
-  } catch (error) {
-    if (typeof error.stdout === "string" && error.stdout.trim() !== "") {
-      return JSON.parse(error.stdout.replace(/\u001B\[[0-?]*[ -/]*[@-~]/g, ""));
-    }
-    throw error;
-  }
-}
-
-function escapeRegExp(value) {
-  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-
-function isEligibleHandle(handle) {
-  return Boolean(handle) && !handle.endsWith("[bot]") && !excludedHandles.has(handle.toLowerCase());
-}
-
-function sectionFor(changelog, version) {
-  const heading = new RegExp(`^## ${escapeRegExp(version)}\\r?$`, "m").exec(changelog);
-  if (!heading || heading.index === undefined) {
-    fail(`CHANGELOG.md does not contain ## ${version}`);
-  }
-  const start = heading.index;
-  const bodyStart = changelog.indexOf("\n", start) + 1;
-  const next = /^## /gm;
-  next.lastIndex = bodyStart;
-  const nextHeading = next.exec(changelog);
-  const end = nextHeading?.index ?? changelog.length;
-  return {
-    start,
-    end,
-    source: changelog.slice(start, end).trimEnd(),
-    body: changelog.slice(bodyStart, end).trim(),
-  };
-}
-
-function referencesIn(text) {
-  return [...text.matchAll(/#(\d+)/g)].map((match) => Number(match[1]));
-}
-
-function appendReferences(references, additions) {
-  const seen = new Set(references);
-  for (const number of additions) {
-    if (!seen.has(number)) {
-      references.push(number);
-      seen.add(number);
-    }
-  }
-}
-
-function sourceCommits(base, target) {
-  const mergeBase = git(["merge-base", base, target]);
-  const output = git([
-    "log",
-    "--first-parent",
-    "--reverse",
-    "--format=%H%x1f%s%x1f%B%x1e",
-    `${mergeBase}..${target}`,
-  ]);
-  const commits = new Map();
-  const revertsByTarget = new Map();
-  for (const record of output.split("\x1e")) {
-    if (!record) {
-      continue;
-    }
-    const [rawHash, subject, ...bodyParts] = record.split("\x1f");
-    const hash = rawHash.trim();
-    const body = bodyParts.join("\x1f");
-    const revertedHash = body.match(/This reverts commit ([0-9a-f]{7,40})\./i)?.[1];
-    const isRevert = subject.startsWith('Revert "') || Boolean(revertedHash);
-    commits.set(hash, { body, hash, isRevert, revertedHash, subject });
-  }
-  for (const commit of commits.values()) {
-    if (!commit.revertedHash) {
-      continue;
-    }
-    const targetHash = [...commits.keys()].find((candidate) => candidate.startsWith(commit.revertedHash));
-    if (targetHash) {
-      const reverts = revertsByTarget.get(targetHash) ?? [];
-      reverts.push(commit.hash);
-      revertsByTarget.set(targetHash, reverts);
-    }
-  }
-  const active = new Map();
-  function isActive(hash) {
-    if (active.has(hash)) {
-      return active.get(hash);
-    }
-    const cancellingReverts = revertsByTarget.get(hash) ?? [];
-    const value = !cancellingReverts.some((revertHash) => isActive(revertHash));
-    active.set(hash, value);
-    return value;
-  }
-
-  const references = [];
-  const revertedReferences = new Set();
-  const coauthorsByReference = new Map();
-  for (const commit of commits.values()) {
-    if (commit.isRevert) {
-      continue;
-    }
-    const uniqueReferences = [...new Set(referencesIn(`${commit.subject}\n${commit.body}`))];
-    if (!isActive(commit.hash)) {
-      for (const number of uniqueReferences) {
-        revertedReferences.add(number);
-      }
-      continue;
-    }
-    appendReferences(references, uniqueReferences);
-    const coauthors = [...commit.body.matchAll(/<(?:(?:\d+)\+)?([^@<>\s]+)@users\.noreply\.github\.com>/gi)]
-      .map((match) => match[1])
-      .filter(isEligibleHandle);
-    for (const number of uniqueReferences) {
-      if (coauthors.length > 0) {
-        const handles = coauthorsByReference.get(number) ?? new Set();
-        for (const handle of coauthors) {
-          handles.add(handle);
-        }
-        coauthorsByReference.set(number, handles);
-      }
-    }
-  }
-
-  return { mergeBase, references, revertedReferences, coauthorsByReference };
-}
-
-function graphql(query) {
-  return githubApi(["graphql", "-f", `query=${query}`]).data;
-}
-
-function resolveReferences(numbers) {
-  const nodes = new Map();
-  for (let index = 0; index < numbers.length; index += 40) {
-    const chunk = numbers.slice(index, index + 40);
-    const fields = chunk
-      .map(
-        (number) => `n${number}: repository(owner: "openclaw", name: "openclaw") {
-          issueOrPullRequest(number: ${number}) {
-            __typename
-            ... on Issue { number title author { __typename login } }
-            ... on PullRequest { number title author { __typename login } }
-          }
-        }`,
-      )
-      .join("\n");
-    const data = graphql(`query { ${fields} }`);
-    for (const number of chunk) {
-      const node = data[`n${number}`]?.issueOrPullRequest;
-      if (node) {
-        nodes.set(number, node);
-      }
-    }
-  }
-  return nodes;
-}
-
-function resolveCoauthors(handles) {
-  const resolved = new Map();
-  const uniqueHandles = [...new Set(handles)];
-  for (let index = 0; index < uniqueHandles.length; index += 80) {
-    const chunk = uniqueHandles.slice(index, index + 80);
-    const fields = chunk
-      .map(
-        (handle, offset) =>
-          `u${index + offset}: user(login: ${JSON.stringify(handle)}) { __typename login }`,
-      )
-      .join("\n");
-    const data = graphql(`query { ${fields} }`);
-    for (let offset = 0; offset < chunk.length; offset += 1) {
-      const user = data[`u${index + offset}`];
-      if (user?.__typename === "User" && isEligibleHandle(user.login)) {
-        resolved.set(chunk[offset].toLowerCase(), user.login);
-      }
-    }
-  }
-  return resolved;
-}
-
-function thanksFor(node, coauthorHandles) {
-  const handles = [];
-  if (node.author?.__typename === "User" && isEligibleHandle(node.author.login)) {
-    handles.push(node.author.login);
-  }
-  for (const handle of coauthorHandles) {
-    if (!handles.some((candidate) => candidate.toLowerCase() === handle.toLowerCase())) {
-      handles.push(handle);
-    }
-  }
-  return handles;
-}
-
-function ledgerFor(base, target, references, nodes, coauthorsByReference, resolvedCoauthors) {
-  const missing = references.filter((number) => !nodes.has(number));
-  if (missing.length > 0) {
-    fail(`GitHub could not resolve source references: ${missing.map((number) => `#${number}`).join(", ")}`);
-  }
-
-  const entries = references.map((number) => {
-    const node = nodes.get(number);
-    const rawCoauthors = coauthorsByReference.get(number) ?? new Set();
-    const coauthors = [...rawCoauthors]
-      .map((handle) => resolvedCoauthors.get(handle.toLowerCase()))
-      .filter(Boolean);
-    return {
-      number,
-      title: node.title.replace(/#(\d+)/g, "issue $1").replace(/\s+/g, " ").trim(),
-      type: node.__typename,
-      thanks: thanksFor(node, coauthors),
-    };
-  });
-
-  const pullRequests = entries.filter((entry) => entry.type === "PullRequest");
-  const issues = entries.filter((entry) => entry.type === "Issue");
-  const renderEntry = (entry, issue = false) => {
-    const attribution = entry.thanks.length > 0 ? ` Thanks ${entry.thanks.map((handle) => `@${handle}`).join(" and ")}.` : "";
-    return `- ${issue ? "Reported: " : ""}${entry.title} (#${entry.number}).${attribution}`;
-  };
-  const ledger = [
-    "### Complete contribution ledger",
-    "",
-    `This audited record covers the complete ${base}..${target} history: ${pullRequests.length} PRs and ${issues.length} linked issues. The grouped notes above prioritize user impact; this ledger preserves every contribution reference and eligible human credit.`,
-    "",
-    "#### Pull requests",
-    "",
-    ...pullRequests.map((entry) => renderEntry(entry)),
-    "",
-    "#### Linked issues",
-    "",
-    ...issues.map((entry) => renderEntry(entry, true)),
-  ].join("\n");
-  return { entries, issues, ledger, pullRequests };
-}
-
-function replaceLedger(changelog, section, ledger) {
-  const beforeLedger = section.source.replace(/\n+### Complete contribution ledger[\s\S]*$/m, "").trimEnd();
-  const replacement = `${beforeLedger}\n\n${ledger}\n`;
-  return `${changelog.slice(0, section.start)}${replacement}${changelog.slice(section.end)}`;
-}
-
-function ledgerChecks(section, entries) {
-  const errors = [];
-  if (!section.source.includes("### Highlights")) {
-    errors.push("missing ### Highlights");
-  }
-  if (!section.source.includes("### Changes")) {
-    errors.push("missing ### Changes");
-  }
-  if (!section.source.includes("### Fixes")) {
-    errors.push("missing ### Fixes");
-  }
-  const ledgerStart = section.source.indexOf("### Complete contribution ledger");
-  if (ledgerStart < 0) {
-    errors.push("missing ### Complete contribution ledger");
-    return errors;
-  }
-  const ledger = section.source.slice(ledgerStart);
-  const entryNumbers = new Set(entries.map((entry) => entry.number));
-  for (const number of new Set(referencesIn(section.source))) {
-    if (!entryNumbers.has(number)) {
-      errors.push(`missing ledger entry for #${number}`);
-    }
-  }
-  for (const entry of entries) {
-    const prefix = entry.type === "Issue" ? "- Reported: " : "- ";
-    const line = ledger
-      .split("\n")
-      .find((candidate) => candidate.startsWith(prefix) && candidate.includes(`(#${entry.number})`));
-    if (!line) {
-      errors.push(`missing ledger entry for #${entry.number}`);
-      continue;
-    }
-    for (const handle of entry.thanks) {
-      if (!line.toLowerCase().includes(`@${handle.toLowerCase()}`)) {
-        errors.push(`missing Thanks @${handle} for #${entry.number}`);
-      }
-    }
-  }
-  return errors;
-}
-
-function releaseChecks(section, releaseTags) {
-  const expected = section.source;
-  const checks = [];
-  for (const tag of releaseTags) {
-    const release = githubApi([`repos/${repo}/releases/tags/${encodeURIComponent(tag)}`]);
-    const suffix = release.body.slice(expected.length).trimStart();
-    const matches =
-      release.body === expected ||
-      (release.body.startsWith(expected) && (suffix === "" || suffix.startsWith("### Release verification")));
-    checks.push({
-      tag,
-      releaseId: release.id,
-      matches,
-      bodyLength: release.body.length,
-    });
-  }
-  return checks;
-}
-
-function main() {
-  const options = parseArgs(process.argv.slice(2));
-  let changelog = readFileSync("CHANGELOG.md", "utf8");
-  let section = sectionFor(changelog, options.version);
-  const source = sourceCommits(options.base, options.target);
-  const preexistingNotes = section.source.replace(/\n+### Complete contribution ledger[\s\S]*$/m, "");
-  const noteReferences = referencesIn(preexistingNotes);
-  const revertedNoteReferences = noteReferences.filter((number) => source.revertedReferences.has(number));
-  if (revertedNoteReferences.length > 0) {
-    fail(
-      `release notes reference reverted work: ${[
-        ...new Set(revertedNoteReferences),
-      ]
-        .map((number) => `#${number}`)
-        .join(", ")}`,
-    );
-  }
-  const references = [...source.references];
-  appendReferences(references, noteReferences);
-  const nodes = resolveReferences(references);
-  const coauthorHandles = [...source.coauthorsByReference.values()].flatMap((handles) => [...handles]);
-  const resolvedCoauthors = resolveCoauthors(coauthorHandles);
-  const ledger = ledgerFor(
-    options.base,
-    options.target,
-    references,
-    nodes,
-    source.coauthorsByReference,
-    resolvedCoauthors,
-  );
-
-  if (options.writeLedger) {
-    changelog = replaceLedger(changelog, section, ledger.ledger);
-    writeFileSync("CHANGELOG.md", changelog);
-    section = sectionFor(changelog, options.version);
-  }
-
-  const errors = ledgerChecks(section, ledger.entries);
-  const github = options.checkGithub ? releaseChecks(section, options.releaseTags) : [];
-  for (const check of github) {
-    if (!check.matches) {
-      errors.push(`GitHub release ${check.tag} does not match the ${options.version} CHANGELOG section`);
-    }
-  }
-
-  const result = {
-    base: options.base,
-    target: options.target,
-    mergeBase: source.mergeBase,
-    version: options.version,
-    source: {
-      references: references.length,
-      pullRequests: ledger.pullRequests.length,
-      issues: ledger.issues.length,
-    },
-    github,
-    errors,
-  };
-  if (options.json) {
-    process.stdout.write(`${JSON.stringify(result, null, 2)}\n`);
-  } else {
-    process.stdout.write(
-      `${options.version}: ${ledger.pullRequests.length} PRs, ${ledger.issues.length} issues, ${errors.length === 0 ? "verified" : `${errors.length} errors`}\n`,
-    );
-  }
-  if (errors.length > 0) {
-    process.exitCode = 1;
-  }
-}
-
-main();

.agents/skills/openclaw-pr-maintainer/SKILL.md

@@ -284,7 +284,7 @@ gh search issues --repo openclaw/openclaw --match title,body --limit 50 \
 - If bot review conversations exist on your PR, address them and resolve them yourself once fixed.
 - Leave a review conversation unresolved only when reviewer or maintainer judgment is still needed.
 - Before landing any PR with non-trivial code changes, run `$autoreview` until no accepted/actionable findings remain, unless equivalent manual review already covered it, the change is trivial/docs-only, or the user opts out.
-- When an agent is landing or merging a PR targeting `main`, use only the repo-native `scripts/pr` wrapper: run `scripts/pr review-init <PR>`, follow its emitted checkout/guard guidance, initialize and complete review artifacts with `scripts/pr review-artifacts-init <PR>`, validate them with `scripts/pr review-validate-artifacts <PR>`, then run `scripts/pr prepare-run <PR>` and `scripts/pr merge-run <PR>`.
+- When landing or merging any PR, follow the global `/landpr` process.
 - Use `scripts/committer "<msg>" <file...>` for scoped commits instead of manual `git add` and `git commit`.
 - Keep commit messages concise and action-oriented.
 - Group related changes; avoid bundling unrelated refactors.

.agents/skills/openclaw-qa-testing/SKILL.md

@@ -13,7 +13,7 @@ Use this skill for `qa-lab` / `qa-channel` work. Repo-local QA only.
 - `docs/help/testing.md`
 - `docs/channels/qa-channel.md`
 - `qa/README.md`
-- `qa/scenarios/index.yaml`
+- `qa/scenarios/index.md`
 - `extensions/qa-lab/src/suite.ts`
 - `extensions/qa-lab/src/character-eval.ts`
 
@@ -198,9 +198,7 @@ pnpm openclaw qa character-eval \
 - Judges default to `openai/gpt-5.4,thinking=xhigh,fast` and `anthropic/claude-opus-4-6,thinking=high`.
 - Report includes judge ranking, run stats, durations, and full transcripts; do not include raw judge replies. Duration is benchmark context, not a grading signal.
 - Candidate and judge concurrency default to 16. Use `--concurrency <n>` and `--judge-concurrency <n>` to override when local gateways or provider limits need a gentler lane.
-- Scenario source is YAML-only under `qa/scenarios/`: use `index.yaml` and
-  per-scenario `*.yaml` files with top-level `title`, `scenario`, and optional
-  `flow`. Never add fenced `qa-scenario` / `qa-flow` Markdown files.
+- Scenario source should stay markdown-driven under `qa/scenarios/`.
 - For isolated character/persona evals, write the persona into `SOUL.md` and blank `IDENTITY.md` in the scenario flow. Use `SOUL.md + IDENTITY.md` only when intentionally testing how the normal OpenClaw identity combines with the character.
 - Keep prompts natural and task-shaped. The candidate model should receive character setup through `SOUL.md`, then normal user turns such as chat, workspace help, and small file tasks; do not ask "how would you react?" or tell the model it is in an eval.
 - Prefer at least one real task, such as creating or editing a tiny workspace artifact, so the transcript captures character under normal tool use instead of pure roleplay.
@@ -236,8 +234,7 @@ pnpm openclaw qa manual \
 
 ## Repo facts
 
-- Seed scenarios live in `qa/scenarios/index.yaml` and
-  `qa/scenarios/<theme>/*.yaml`.
+- Seed scenarios live in `qa/`.
 - Main live runner: `extensions/qa-lab/src/suite.ts`
 - QA lab server: `extensions/qa-lab/src/lab-server.ts`
 - Child gateway harness: `extensions/qa-lab/src/gateway-child.ts`
@@ -265,9 +262,8 @@ pnpm openclaw qa manual \
 
 ## When adding scenarios
 
-- Add or update scenario YAML under `qa/scenarios/`; do not add `.md` scenario
-  files or fenced YAML blocks.
-- Keep kickoff expectations in `qa/scenarios/index.yaml` aligned
+- Add or update scenario markdown under `qa/scenarios/`
+- Keep kickoff expectations in `qa/scenarios/index.md` aligned
 - Add executable coverage in `extensions/qa-lab/src/suite.ts`
 - Prefer end-to-end assertions over mock-only checks
 - Save outputs under `.artifacts/qa-e2e/`

.agents/skills/release-openclaw-announcement/SKILL.md

@@ -6,8 +6,7 @@ description: "Draft or post OpenClaw beta/stable Discord release announcements f
 # OpenClaw Release Announcement
 
 Use with `release-openclaw-maintainer` after a beta or stable release is live.
-Use with `$discord-user-post` when actually posting to Discord as the logged-in
-user.
+Use with `openclaw-discord` when actually posting to Discord.
 
 ## Evidence First
 
@@ -81,7 +80,6 @@ Fresh installs still point to `https://openclaw.ai`.
 
 ## Posting
 
-When asked to post, use `$discord-user-post` to operate the logged-in Discord
-desktop app as the user. Resolve and visibly verify the exact server/channel,
-inspect the final body, and request action-time confirmation before entering or
-sending it. Never use OpenClaw channel sends, bots, webhooks, relays, or tokens.
+When asked to post, use the configured Discord workflow from
+`openclaw-discord` or the approved OpenClaw relay. Never print tokens.
+For public channels, inspect the final body before sending.

.agents/skills/release-openclaw-ci/SKILL.md

@@ -16,10 +16,6 @@ Use this with `$release-openclaw-maintainer` and `$openclaw-testing` when a rele
 - Watch one parent run plus compact child summaries. Avoid broad `gh run view` polling loops; REST quota is easy to burn.
 - Fetch logs only for failed or currently-blocking jobs. If quota is low, stop polling and wait for reset.
 - Treat live-provider flakes separately from code failures: prove key validity, provider HTTP status, retry evidence, and exact failing lane before editing code.
-- A model-list response proves authentication, not billing or inference
-  entitlement. Mandatory live providers must pass a real completion probe
-  before release dispatch. Fix the credential first; do not add an alternate
-  auth path merely to bypass a failed release credential.
 - Full Release Validation parent monitors fail fast: once a required child job
   fails, the parent cancels the remaining child matrix and prints the failed
   job summary. Inspect that first red job instead of waiting for unrelated
@@ -40,8 +36,6 @@ git rev-parse HEAD
 preflight. Inject those exact targeted keys first, then run the verifier; use
 ambient env only when it was already intentionally injected for this release.
 The script prints only provider status and HTTP class, never tokens.
-The Anthropic check performs a tiny message completion so exhausted or
-non-billable credentials fail before the expensive release matrix.
 
 ## Dispatch
 
@@ -71,13 +65,6 @@ gh workflow run openclaw-performance.yml \
 
 Prefer the trusted workflow on `main`, target the exact release SHA:
 
-- Keep trusted-workflow checks compatible with frozen release targets. If
-  `main` adds a target-owned guard script or package command after the release
-  branch cut, make the trusted workflow skip only when that target surface is
-  absent. Heal the trusted workflow before rerunning validation; do not port an
-  unrelated runtime refactor or mutate the release candidate just to satisfy a
-  newer `main`-only check.
-
 ```bash
 gh workflow run full-release-validation.yml \
   --repo openclaw/openclaw \
@@ -119,10 +106,7 @@ Stop watchers before ending the turn or switching strategy.
      --jq '.jobs[] | select(.conclusion=="failure" or .conclusion=="timed_out" or .conclusion=="cancelled") | [.databaseId,.name,.conclusion,.url] | @tsv'
    ```
 3. Fetch one failed job log. If rate-limited, note reset time and avoid more REST calls.
-4. For secret-looking failures, validate a real completion from the same secret source before editing code. A successful model-list request is insufficient.
-   Claude CLI subscription credentials are a separate native auth path; prove
-   them in a clean-home CLI probe, never as a substitute for a required
-   Anthropic API-key lane.
+4. For secret-looking failures, validate the provider endpoint from the same secret source before editing code.
 5. For live-cache failures, inspect whether it is missing/invalid key, empty text, provider refusal, timeout, or baseline miss. Do not weaken release gates without clear provider evidence.
 6. Fix narrowly, run local/changed proof, commit, push, rerun the smallest matching group.
 

.agents/skills/release-openclaw-ci/scripts/verify-provider-secrets.mjs

@@ -1,22 +1,17 @@
 #!/usr/bin/env node
 /**
- * Release preflight helper that verifies required provider API keys without
- * printing secret values. Anthropic must complete a prompt because model-list
- * access does not prove billing or inference entitlement.
+ * Release preflight helper that verifies required provider API keys can reach
+ * their model-list endpoints without printing secret values.
  */
 import process from "node:process";
 
 const args = new Map();
 for (let index = 2; index < process.argv.length; index += 1) {
   const arg = process.argv[index];
-  if (!arg.startsWith("--")) {
-    continue;
-  }
+  if (!arg.startsWith("--")) continue;
   const [key, inlineValue] = arg.slice(2).split("=", 2);
   const value = inlineValue ?? process.argv[index + 1];
-  if (inlineValue === undefined) {
-    index += 1;
-  }
+  if (inlineValue === undefined) index += 1;
   args.set(key, value);
 }
 
@@ -33,9 +28,7 @@ const timeoutMs = Number(args.get("timeout-ms") ?? 10_000);
 function envFirst(names) {
   for (const name of names) {
     const value = process.env[name]?.trim();
-    if (value) {
-      return { name, value };
-    }
+    if (value) return { name, value };
   }
   return undefined;
 }
@@ -51,19 +44,13 @@ async function checkProvider(id, config) {
   try {
     const headers = config.headers(secret.value);
     const response = await fetch(config.url, {
-      body: config.body,
       headers,
-      method: config.method,
       signal: controller.signal,
     });
-    const responseBody = config.validateResponse
-      ? await response.json().catch(() => undefined)
-      : undefined;
-    const ok = response.ok && (!config.validateResponse || config.validateResponse(responseBody));
     return {
       id,
-      ok,
-      status: response.ok ? (ok ? "ok" : "invalid_response") : `http_${response.status}`,
+      ok: response.ok,
+      status: response.ok ? "ok" : `http_${response.status}`,
       env: secret.name,
     };
   } catch (error) {
@@ -86,21 +73,11 @@ const providers = {
   },
   anthropic: {
     env: ["ANTHROPIC_API_KEY", "ANTHROPIC_API_TOKEN"],
-    url: "https://api.anthropic.com/v1/messages",
-    method: "POST",
-    body: JSON.stringify({
-      max_tokens: 8,
-      messages: [{ role: "user", content: "Reply with OK." }],
-      model: "claude-haiku-4-5",
-    }),
+    url: "https://api.anthropic.com/v1/models",
     headers: (token) => ({
       "anthropic-version": "2023-06-01",
-      "content-type": "application/json",
       "x-api-key": token,
     }),
-    validateResponse: (body) =>
-      Array.isArray(body?.content) &&
-      body.content.some((part) => typeof part?.text === "string" && part.text.trim()),
   },
   fireworks: {
     env: ["FIREWORKS_API_KEY"],
@@ -131,9 +108,7 @@ let failed = false;
 for (const result of results) {
   const requiredLabel = required.has(result.id) ? "required" : "optional";
   console.log(`${result.id}: ${result.status} env=${result.env} ${requiredLabel}`);
-  if (required.has(result.id) && !result.ok) {
-    failed = true;
-  }
+  if (required.has(result.id) && !result.ok) failed = true;
 }
 
 if (failed) {

.agents/skills/release-openclaw-mac/SKILL.md

@@ -36,8 +36,8 @@ Do not update these from mixed sources. All three ASC fields must come from the
 ## Workflow Shape
 
 - Public release branch may carry mac-only packaging fixes after the stable tag/npm are already live.
-- Use `source_ref=release/YYYY.M.PATCH` for private mac preflight/validation when building that branch variation.
-- Keep `tag=vYYYY.M.PATCH` pointing at the original stable release commit.
+- Use `source_ref=release/YYYY.M.D` for private mac preflight/validation when building that branch variation.
+- Keep `tag=vYYYY.M.D` pointing at the original stable release commit.
 - Real mac publish must reuse:
   - a successful private mac preflight run for the same tag/source SHA
   - a successful private mac validation run for the same tag/source SHA
@@ -56,37 +56,37 @@ Private preflight:
 
 ```bash
 gh workflow run openclaw-macos-publish.yml --repo openclaw/releases-private --ref main \
-  -f tag=vYYYY.M.PATCH \
-  -f source_ref=release/YYYY.M.PATCH \
+  -f tag=vYYYY.M.D \
+  -f source_ref=release/YYYY.M.D \
   -f preflight_only=true \
   -f smoke_test_only=false \
   -f allow_late_calver_recovery=false \
-  -f public_release_branch=release/YYYY.M.PATCH
+  -f public_release_branch=release/YYYY.M.D
 ```
 
 Private validation for a branch-variation preflight:
 
 ```bash
 gh workflow run openclaw-macos-validate.yml --repo openclaw/releases-private --ref main \
-  -f tag=vYYYY.M.PATCH \
-  -f source_ref=release/YYYY.M.PATCH
+  -f tag=vYYYY.M.D \
+  -f source_ref=release/YYYY.M.D
 ```
 
 Real publish:
 
 ```bash
 gh workflow run openclaw-macos-publish.yml --repo openclaw/releases-private --ref main \
-  -f tag=vYYYY.M.PATCH \
+  -f tag=vYYYY.M.D \
   -f preflight_only=false \
   -f smoke_test_only=false \
   -f preflight_run_id=<successful-preflight-run> \
   -f validate_run_id=<successful-validation-run> \
   -f allow_late_calver_recovery=false \
-  -f public_release_branch=release/YYYY.M.PATCH
+  -f public_release_branch=release/YYYY.M.D
 ```
 
 ## Verify
 
-- `gh release view vYYYY.M.PATCH --repo openclaw/openclaw` shows zip, dmg, dSYM zip, not draft, not prerelease.
-- Public `main` `appcast.xml` points at `OpenClaw-YYYY.M.PATCH.zip`.
+- `gh release view vYYYY.M.D --repo openclaw/openclaw` shows zip, dmg, dSYM zip, not draft, not prerelease.
+- Public `main` `appcast.xml` points at `OpenClaw-YYYY.M.D.zip`.
 - Appcast entry has `sparkle:version`, `sparkle:shortVersionString`, length, and `sparkle:edSignature`.

.agents/skills/release-openclaw-maintainer/SKILL.md

@@ -10,15 +10,12 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
 ## Respect release guardrails
 
 - Do not change version numbers without explicit operator approval.
-- Versions use `YYYY.M.PATCH`, where `PATCH` is the sequential release-train number within the month, not the calendar day.
-- Choose a new beta train from stable and beta releases only. Alpha-only tags do not consume or advance the beta/stable patch number. Continue the highest existing unpublished/published beta train with the next `beta.N` when appropriate; otherwise increment the highest stable/beta patch by one and start at `beta.1`.
-- Example: after stable `2026.6.5`, the next new beta train is `2026.6.6-beta.1`, even if automated alpha-only tags such as `2026.6.10-alpha.1` exist.
 - Ask permission before any npm publish or release step.
 - This skill should be sufficient to drive the normal release flow end-to-end.
 - Use the private maintainer release docs for credentials, recovery steps, and mac signing/notary specifics, and use `docs/reference/RELEASING.md` for public policy.
 - Core `openclaw` publish is manual `workflow_dispatch`; creating or pushing a tag does not publish by itself.
 - Normal release work happens on a branch cut from `main`, not directly on
-  `main`. Use `release/YYYY.M.PATCH` for the branch name.
+  `main`. Use `release/YYYY.M.D` for the branch name.
 - If the operator asks for a release without saying stable/full, default to
   beta only. Continue from beta to stable only when the operator explicitly asks
   for the full release or an automated beta-and-stable train.
@@ -95,31 +92,11 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
 ## Keep release channel naming aligned
 
 - `stable`: tagged releases only, published to npm `beta` by default; operators may target npm `latest` explicitly or promote later
-- `beta`: prerelease tags like `vYYYY.M.PATCH-beta.N`, with npm dist-tag `beta`
+- `beta`: prerelease tags like `vYYYY.M.D-beta.N`, with npm dist-tag `beta`
 - Prefer `-beta.N`; do not mint new `-1` or `-2` beta suffixes
 - `dev`: moving head on `main`
 - When using a beta Git tag, publish npm with the matching beta version suffix so the plain version is not consumed or blocked
 
-## Close stable releases on main
-
-Stable publication is not complete until `main` carries the actual shipped release state.
-
-1. Start from fresh latest `main`. Audit `release/YYYY.M.PATCH` against it and
-   forward-port real fixes that are absent from `main`. Do not blindly merge
-   release-only compatibility, test, or validation adapters into newer `main`.
-2. Set `main` to the shipped stable version, not a speculative next train. Run
-   `pnpm release:prep` after the root version change, then
-   `pnpm deps:shrinkwrap:generate`.
-3. Make `CHANGELOG.md`'s `## YYYY.M.PATCH` section on `main` exactly match the
-   tagged release branch. Include the stable `appcast.xml` update when the mac
-   release published one.
-4. Do not add `YYYY.M.PATCH+1`, a beta version, or an empty future changelog
-   section to `main` until the operator explicitly starts that release train.
-5. Run `pnpm release:generated:check`, `pnpm deps:shrinkwrap:check`, and
-   `OPENCLAW_TESTBOX=1 pnpm check:changed`. Push, then verify `origin/main`
-   contains the shipped version and changelog before calling the stable release
-   done.
-
 ## Handle versions and release files consistently
 
 - Version locations include:
@@ -131,7 +108,7 @@ Stable publication is not complete until `main` carries the actual shipped relea
   - `docs/install/updating.md`
   - Peekaboo Xcode project and plist version fields
 - Before creating a release tag, make every version location above match the version encoded by that tag.
-- For fallback correction tags like `vYYYY.M.PATCH-N`, the repo version locations still stay at `YYYY.M.PATCH`.
+- For fallback correction tags like `vYYYY.M.D-N`, the repo version locations still stay at `YYYY.M.D`.
 - “Bump version everywhere” means all version locations above except `appcast.xml`.
 - Release signing and notary credentials live outside the repo in the private maintainer docs.
 - Every stable OpenClaw release ships the npm package, macOS app, and signed
@@ -152,41 +129,29 @@ Stable publication is not complete until `main` carries the actual shipped relea
   tagged commit when the delta is mac packaging, signing, workflow, or
   validation-only release machinery. If mac packaging needs release-branch-only
   fixes after the stable npm package or GitHub tag is already published, do not
-  create a `vYYYY.M.PATCH-N` correction tag just to change the workflow source.
-  Dispatch the private mac workflows for the original `tag=vYYYY.M.PATCH` with
-  `source_ref=release/YYYY.M.PATCH` and `public_release_branch=release/YYYY.M.PATCH`;
+  create a `vYYYY.M.D-N` correction tag just to change the workflow source.
+  Dispatch the private mac workflows for the original `tag=vYYYY.M.D` with
+  `source_ref=release/YYYY.M.D` and `public_release_branch=release/YYYY.M.D`;
   provenance checks must prove the source SHA descends from the tag and
-  validation/preflight use the same source. Reserve `vYYYY.M.PATCH-N` correction
+  validation/preflight use the same source. Reserve `vYYYY.M.D-N` correction
   tags for emergency hotfixes that must publish a new npm package/release
   identity, not for ordinary mac-only packaging recovery.
 - The production Sparkle feed lives at `https://raw.githubusercontent.com/openclaw/openclaw/main/appcast.xml`, and the canonical published file is `appcast.xml` on `main` in the `openclaw` repo.
 - That shared production Sparkle feed is stable-only. Beta mac releases may
   upload assets to the GitHub prerelease, but they must not replace the shared
   `appcast.xml` unless a separate beta feed exists.
-- For fallback correction tags like `vYYYY.M.PATCH-N`, the repo version still stays
-  at `YYYY.M.PATCH`, but the mac release must use a strictly higher numeric
+- For fallback correction tags like `vYYYY.M.D-N`, the repo version still stays
+  at `YYYY.M.D`, but the mac release must use a strictly higher numeric
   `APP_BUILD` / Sparkle build than the original release so existing installs
   see it as newer.
 - Stable Windows Hub release closeout requires the signed
   `OpenClawCompanion-Setup-x64.exe`, `OpenClawCompanion-Setup-arm64.exe`, and
   `OpenClawCompanion-SHA256SUMS.txt` assets on the canonical
-  `openclaw/openclaw` GitHub Release. Pass the exact signed
-  `openclaw/openclaw-windows-node` release tag as `windows_node_tag` to
-  `OpenClaw Release Publish`, together with the candidate-approved
-  `windows_node_installer_digests` map; it prevalidates the published source
-  release and required installers against that map before any publish child,
-  dispatches the public `Windows Node Release` workflow while the OpenClaw
-  release is still a draft, carries those pinned source asset digests
-  unchanged, verifies the expected OpenClaw Foundation Authenticode signer on
-  Windows, re-downloads and checksum-verifies the promoted asset contract, and
-  blocks publication until the canonical asset contract is present. Use direct
-  `Windows Node Release` dispatch only for recovery, always with an exact tag,
-  never `latest`, and the explicit `expected_installer_digests` JSON map from
-  the approved source release. Recovery rejects unexpected
-  `OpenClawCompanion-*` target asset names, then replaces the expected contract
-  assets with the pinned source bytes.
+  `openclaw/openclaw` GitHub Release. Use the public `Windows Node Release`
+  workflow after the matching `openclaw/openclaw-windows-node` release exists;
+  it verifies Authenticode signatures on Windows before uploading assets.
 - Website Windows Hub download links should target exact canonical
-  `openclaw/openclaw/releases/download/vYYYY.M.PATCH/...` assets for the current
+  `openclaw/openclaw/releases/download/vYYYY.M.D/...` assets for the current
   stable release, or `releases/latest/download/...` only after verifying the
   redirect resolves to that same tag, so the installable signed Windows artifact
   is visible from both the GitHub release page and openclaw.ai.
@@ -200,7 +165,7 @@ Stable publication is not complete until `main` carries the actual shipped relea
   beta release tag as the base, then inspect every commit through the target
   release SHA.
 - The changelog rewrite is not optional for beta reruns: any `beta.N` after a
-  rebase or backport must refresh the same stable-base `## YYYY.M.PATCH` section
+  rebase or backport must refresh the same stable-base `## YYYY.M.D` section
   before the new version/tag commit.
 - Include both merged PR commits and direct commits on `main`. Direct commits
   matter: infer notes from their subject, body, touched files, linked issues,
@@ -223,16 +188,11 @@ Stable publication is not complete until `main` carries the actual shipped relea
 - Changelog entries should be user-facing, not internal release-process notes.
 - GitHub release and prerelease bodies must use the full matching
   `CHANGELOG.md` version section, not highlights or an excerpt. When creating
-  or editing a release, extract from `## YYYY.M.PATCH` through the line before the
+  or editing a release, extract from `## YYYY.M.D` through the line before the
   next level-2 heading and use that complete block as the release notes.
-- Before publishing or closing a release, run
-  `$openclaw-changelog-update`'s `verify-release-notes.mjs` with every stable
-  and beta release tag in the train. Do not publish or leave a page live when
-  it is missing a source-history reference, eligible human credit, or the
-  complete matching changelog body.
 - To update an existing GitHub Release body, resolve the numeric release id and
   patch that resource with the notes file as the `body` field:
-  `gh api repos/openclaw/openclaw/releases/tags/vYYYY.M.PATCH --jq .id`, then
+  `gh api repos/openclaw/openclaw/releases/tags/vYYYY.M.D --jq .id`, then
   `gh api -X PATCH repos/openclaw/openclaw/releases/<id> -F body=@/tmp/notes.md`.
   Do not trust `gh release edit --notes-file` or `--input` JSON if verification
   disagrees; verify with `gh api repos/openclaw/openclaw/releases/<id>` because
@@ -245,10 +205,10 @@ Stable publication is not complete until `main` carries the actual shipped relea
   record's `docsPath` or `/plugins/compatibility` when no more specific
   deprecation page exists.
 - When cutting a mac release with a beta GitHub prerelease:
-  - tag `vYYYY.M.PATCH-beta.N` from the release commit
-  - create a prerelease titled `openclaw YYYY.M.PATCH-beta.N`
+  - tag `vYYYY.M.D-beta.N` from the release commit
+  - create a prerelease titled `openclaw YYYY.M.D-beta.N`
   - use release notes from the stable base `CHANGELOG.md` version section
-    (`## YYYY.M.PATCH`), not a beta-specific heading
+    (`## YYYY.M.D`), not a beta-specific heading
   - attach at least the zip and dSYM zip, plus dmg if available
 - Keep the top version entries in `CHANGELOG.md` sorted by impact:
   - `### Changes` first
@@ -258,10 +218,10 @@ Stable publication is not complete until `main` carries the actual shipped relea
 
 Use the OpenClaw account's existing release-post style:
 
-- Format: `OpenClaw YYYY.M.PATCH 🦞` or `🦞 OpenClaw YYYY.M.PATCH is live`, blank line,
+- Format: `OpenClaw YYYY.M.D 🦞` or `🦞 OpenClaw YYYY.M.D is live`, blank line,
   then 3-4 emoji-led bullets, blank line, one short punchline, then the release
   link.
-- For beta: say `OpenClaw YYYY.M.PATCH-beta.N 🦞` or `OpenClaw YYYY.M.PATCH beta N is
+- For beta: say `OpenClaw YYYY.M.D-beta.N 🦞` or `OpenClaw YYYY.M.D beta N is
 live`; keep it clearly beta and avoid implying stable promotion.
 - Lead with user-visible capabilities, then important integrations, then
   reliability/security/install fixes. Compress "lots of fixes" into one
@@ -346,7 +306,6 @@ Upgrade with the beta channel.
 Before tagging or publishing, run:
 
 ```bash
-pnpm release:fast-pretag-check
 pnpm check:architecture
 pnpm build
 pnpm ui:build
@@ -355,38 +314,6 @@ pnpm release:check
 pnpm test:install:smoke
 ```
 
-- Treat `pnpm release:fast-pretag-check` as a hard packaging gate. Every
-  publishable plugin must have a non-empty package-root `README.md`, build its
-  package-local runtime, and pass the npm and ClawHub release metadata checks
-  before a tag or publish workflow can start. Do not defer README, entrypoint,
-  or packed-artifact failures to postpublish verification.
-- Before tagging, require green CI for the exact release-candidate SHA, not an
-  earlier branch SHA. Heal every related red CI, release-check, packaging, or
-  root-Dockerfile lane on the release branch, forward-port the fix to `main`,
-  and rerun the affected exact-SHA gates. Never waive a red Docker lane because
-  npm preflight passed.
-- Root Dockerfile proof is mandatory before every beta and stable tag. Run the
-  release `install-smoke` group or equivalent root Dockerfile build for the
-  exact candidate SHA and require it to pass. The tag-triggered Docker Release
-  workflow is post-tag publishing, not the first valid proof that the root
-  Dockerfile can build.
-- Before tagging, diff publishable plugin package manifests against the last
-  reachable stable/beta release tag. For every newly publishable package
-  (`openclaw.release.publishToNpm: true` or `publishToClawHub: true`) whose
-  package name did not exist in the base tag, verify the target registry package
-  already exists in npm/ClawHub or stop and help the owner mint/prepublish the
-  package first. Do not hide or disable release surfaces just to unblock a
-  train unless the owner explicitly decides the plugin should not ship in that
-  release; first-package registry ownership is release prep, not product
-  rollback. The mint/prepublish path must either be the real release publish
-  path for the auto-bumped beta version, or a deliberately non-consuming
-  registry-prep step that cannot occupy the next beta version/tag. Confirm
-  registry owner, npm scope/package-creation permission, provenance path, and
-  first-package publish plan before the full release publish continues. Useful
-  npm probe:
-  `npm view <package-name> version dist-tags --json --prefer-online`; a 404 for
-  a package newly added to the release is a release-prep blocker, not something
-  to discover from the publish job.
 - Use `pnpm qa:otel:smoke` when release validation needs telemetry coverage.
   It starts a local OTLP/HTTP trace receiver, runs QA-lab's
   `otel-trace-smoke`, and checks span names plus content/identifier redaction
@@ -405,8 +332,8 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 ```
 
 - This verifies the published registry install path in a fresh temp prefix.
-- For stable correction releases like `YYYY.M.PATCH-N`, it also verifies the
-  upgrade path from `YYYY.M.PATCH` to `YYYY.M.PATCH-N` so a correction publish cannot
+- For stable correction releases like `YYYY.M.D-N`, it also verifies the
+  upgrade path from `YYYY.M.D` to `YYYY.M.D-N` so a correction publish cannot
   silently leave existing global installs on the old base stable payload.
 - Treat install smoke as a pack-budget gate too. `pnpm test:install:smoke`
   now fails the candidate update tarball when npm reports an oversized
@@ -553,7 +480,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
     `npm login --auth-type=legacy`, then confirm `npm whoami` reports
     `steipete`.
   - Promote with a fresh OTP:
-    `npm dist-tag add openclaw@YYYY.M.PATCH latest --otp "$OTP"`.
+    `npm dist-tag add openclaw@YYYY.M.D latest --otp "$OTP"`.
   - Verify with a cache-bypassed registry read, for example:
     `npm view openclaw dist-tags --json --prefer-online --cache /tmp/openclaw-npm-cache-verify-$$`
     and `npm view openclaw@latest version dist.tarball --json --prefer-online`.
@@ -577,19 +504,9 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 - `preflight_only=true` on the npm workflow is also the right way to validate an
   existing tag after publish; it should keep running the build checks even when
   the npm version is already published.
-- npm registry metadata is eventually consistent immediately after trusted
-  publishing. Keep postpublish `npm view` checks on bounded `--prefer-online`
-  retries, and carry that verified tarball/integrity metadata into later proof
-  steps instead of reading the registry again. If the OpenClaw npm child
-  succeeded but the parent publish workflow failed on an immediate exact-version
-  `E404`, verify the exact version with a cache-bypassed registry read, run the
-  standalone postpublish verifier and the full beta verifier with the original
-  successful child run IDs, then finalize the draft, dependency evidence asset,
-  and release proof manually. Never rerun the publish workflow for that
-  already-published version.
 - npm validation-only preflight may still be dispatched from ordinary branches
   when testing workflow changes before merge. Release checks and real publish
-  use only `main` or `release/YYYY.M.PATCH`.
+  use only `main` or `release/YYYY.M.D`.
 - `.github/workflows/macos-release.yml` in `openclaw/openclaw` is now a
   public validation-only handoff. It validates the tag/release state and points
   operators to the private repo. It still rebuilds the JS outputs needed for
@@ -614,7 +531,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
   waives the full gate; mac beta validation is still only required when
   requested.
 - Real publish runs may be dispatched from `main` or from a
-  `release/YYYY.M.PATCH` branch. For release-branch runs, the tag must be contained
+  `release/YYYY.M.D` branch. For release-branch runs, the tag must be contained
   in that release branch, and the real publish must reuse a successful preflight
   from the same branch.
 - The release workflows stay tag-based; rely on the documented release sequence
@@ -642,11 +559,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 - Use `NPM_TOKEN` only for explicit npm dist-tag management modes, because npm
   does not support trusted publishing for `npm dist-tag add`.
 - `@openclaw/*` plugin publishes use a separate maintainer-only flow.
-- Publishable plugins that are new to npm require owner-led first-package
-  minting before the full release publish. Do not consume the next beta version
-  with an ad-hoc manual package publish; use the release-owned auto-bumped
-  version path, or a non-consuming registry setup/preflight step. Bundled
-  disk-tree-only plugins stay unpublished.
+- Only publish plugins that already exist on npm; bundled disk-tree-only plugins stay unpublished.
 
 ## Fallback local mac publish
 
@@ -686,8 +599,8 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 4. Pull latest `main` and confirm current `main` CI is green.
 5. Run `/changelog` for the stable base target version on `main`, commit the
    changelog rewrite immediately, push, and pull/rebase. For beta releases,
-   keep the changelog heading as `## YYYY.M.PATCH`, not `## YYYY.M.PATCH-beta.N`.
-6. Create `release/YYYY.M.PATCH` from that post-changelog `main` commit.
+   keep the changelog heading as `## YYYY.M.D`, not `## YYYY.M.D-beta.N`.
+6. Create `release/YYYY.M.D` from that post-changelog `main` commit.
 7. Make every repo version location match the beta tag before creating it.
 8. Commit release preparation changes on the release branch and push the branch.
 9. Immediately dispatch Actions > `OpenClaw Performance` from `main` with
@@ -695,18 +608,15 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
    off, live OpenAI off, and regression failure off. Let it run in parallel
    with preflight and validation work.
 10. Run the fast local beta preflight from the release branch before any npm
-    preflight or publish. Require exact-SHA CI and root Dockerfile install-smoke
-    to be green before tagging. Keep the remaining expensive Docker, Parallels,
-    and published-package install/update lanes for after the beta is live unless
-    the operator asks to run them before beta publication.
+    preflight or publish. Keep expensive Docker, Parallels, and published-package
+    install/update lanes for after the beta is live unless the operator asks to
+    run them before beta publication.
 11. For beta releases, skip mac app build/sign/notarize unless beta scope or a
     release blocker specifically requires it. For stable releases, include the
     mac app, signing, notarization, and appcast path.
 12. Confirm the target npm version is not already published.
 13. Create and push the git tag from the release branch.
-14. Do not create or publish the matching GitHub release page yet. The real
-    publish workflow creates or undrafts it only after postpublish verification
-    and release evidence upload pass.
+14. Create or refresh the matching GitHub release.
 15. Dispatch Actions > `QA-Lab - All Lanes` against the release tag and wait
     for the mock parity, live Matrix, and live Telegram credentialed-channel
     lanes to pass.
@@ -729,39 +639,21 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
     with `preflight_only=true` and wait for it to pass. Save that run id because
     the real publish requires it to reuse the notarized mac artifacts.
 21. If any preflight or validation run fails, fix the issue on a new commit,
-    delete the tag and any accidental draft/incomplete GitHub release, recreate
-    the tag from the fixed commit, and rerun all relevant preflights from
-    scratch before continuing. Never reuse old preflight results after the
-    commit changes. Once the npm version exists, do not rerun the publish
-    workflow for that same version; finalize the existing draft/evidence state
-    manually or cut a correction tag. For pushed or published beta tags, do not
-    delete/recreate; increment to the next beta tag. For preflight-only failures
-    where npm did not publish the beta version, delete/recreate the same beta
-    tag and any accidental draft/incomplete prerelease at the fixed commit
-    instead of skipping a prerelease number.
-22. Start `.github/workflows/openclaw-release-publish.yml` from the same branch with
+    delete the tag and matching GitHub release, recreate them from the fixed
+    commit, and rerun all relevant preflights from scratch before continuing.
+    Never reuse old preflight results after the commit changes. For pushed or
+    published beta tags, do not delete/recreate; increment to the next beta tag.
+    For preflight-only failures where npm did not publish the beta version,
+    delete/recreate the same beta tag and prerelease at the fixed commit instead
+    of skipping a prerelease number.
+22. Start `.github/workflows/openclaw-npm-release.yml` from the same branch with
     the same tag for the real publish, choose `npm_dist_tag` (`beta` default,
     `latest` only when you intentionally want direct stable publish), keep it
     the same as the preflight run, and pass the successful npm
-    `preflight_run_id` plus the successful `full_release_validation_run_id`.
-    For stable publish, also pass the exact non-prerelease
-    `openclaw/openclaw-windows-node` tag as `windows_node_tag` and its
-    candidate-approved installer digest map as `windows_node_installer_digests`.
+    `preflight_run_id`.
 23. Wait for `npm-release` approval from `@openclaw/openclaw-release-managers`.
-24. Wait for the real publish workflow to run postpublish verification,
-    create or update the GitHub release as a draft, upload dependency evidence,
-    promote and verify the required Windows Hub assets for stable releases,
-    append release verification proof, and only then undraft/publish it. If a
-    waited plugin publish or Windows Hub promotion fails after OpenClaw npm
-    succeeds, the workflow keeps the release draft with OpenClaw npm evidence
-    and exits red; do not undraft until the gap is repaired. The standalone
-    verifier command remains the first recovery probe:
+24. Run postpublish verification:
     `node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>`.
-    For a failed postpublish parent after successful publish children, also run
-    `pnpm release:verify-beta -- <published-version> ... --skip-github-release`
-    with the original child run IDs and an evidence output path before manually
-    recreating the workflow's draft, dependency evidence asset, proof section,
-    and publish step.
 25. Run the post-published beta verification roster. First scan current `main`
     for critical fixes that landed after the release branch cut; backport only
     important low-risk fixes before starting expensive lanes, or increment to
@@ -798,13 +690,13 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
     and `.dSYM.zip` artifacts to the existing GitHub release in
     `openclaw/openclaw`.
 32. For stable releases, download `macos-appcast-<tag>` from the successful
-    private mac run, update `appcast.xml` on `main`, verify the feed, then
-    complete the **Close stable releases on main** gate.
+    private mac run, update `appcast.xml` on `main`, and verify the feed. Merge
+    or cherry-pick release branch changes back to `main` after stable succeeds.
 33. For beta releases, publish the mac assets only when intentionally requested;
     expect no shared production
     `appcast.xml` artifact and do not update the shared production feed unless a
     separate beta feed exists.
-34. After stable main closeout, verify npm and the attached release artifacts.
+34. After publish, verify npm and the attached release artifacts.
 
 ## GHSA advisory work
 

.agents/skills/release-openclaw-nightly/SKILL.md

@@ -37,11 +37,9 @@ This is good for auditability if commits are clearly machine-authored and gated
 - Branch name: `tideclaw/alpha/YYYY-MM-DD-HHMMZ`
 - Base: current `origin/main` SHA at trigger time.
 - State file: resolve from `$release-private` on the Tideclaw host.
-- Release tag: `vYYYY.M.PATCH-alpha.N`
+- Release tag: `vYYYY.M.D-alpha.N`
 - npm dist-tag: `alpha`
 
-`PATCH` is a sequential monthly release-train number, never the calendar day. Determine the alpha train from stable and beta releases; ignore alpha-only patch numbers when choosing the next train. Use one greater than the highest stable/beta patch for the month, then increment only `alpha.N` for repeated nightlies on that train. If a beta exists on that next patch, move alpha to the following train. Legacy alpha-only tags with inflated patch numbers do not advance beta/stable numbering.
-
 Do not reuse old alpha branches for a new run. If rerunning the same base SHA, create a new timestamped branch and record why.
 
 ## Start
@@ -100,7 +98,7 @@ Tideclaw may run beta releases from `#releases` or mentioned `#maintainers` comm
 Accepted shapes:
 
 ```text
-@Tideclaw beta release from vYYYY.M.PATCH-alpha.N
+@Tideclaw beta release from vYYYY.M.D-alpha.N
 @Tideclaw beta release from tideclaw/alpha/YYYY-MM-DD-HHMMZ
 @Tideclaw beta release from latest proven alpha
 ```
@@ -112,7 +110,7 @@ Rules:
 3. Verify the source alpha first: GitHub release, npm `alpha` package, release CI, recorded state file, and branch/tag SHA.
 4. Create a fresh beta branch `tideclaw/beta/YYYY-MM-DD-HHMMZ` from the proven alpha source, not directly from a moving `main`.
 5. Reuse/squash only stabilization fixes already proven on alpha. Do not import unrelated alpha release mechanics unless the beta release docs require them.
-6. Compute beta as `vYYYY.M.PATCH-beta.N`, matching npm `--tag beta`. Ignore alpha-only patch numbers when selecting the beta train.
+6. Compute beta as `vYYYY.M.D-beta.N`, matching npm `--tag beta`.
 7. Run beta release validation/preflight/full release CI and fix failures on the beta branch.
 8. Publish beta only after green beta gates. Use GitHub Actions/OIDC, never direct npm publish from the host.
 9. Final Discord summary must include source alpha, beta tag/version, branch, fix commits, workflow run IDs, npm/GitHub proof, and any skipped/blocked reason.
@@ -167,7 +165,7 @@ git push -u origin "$BRANCH"
 
 After local proof:
 
-1. Compute the next `vYYYY.M.PATCH-alpha.N` from existing git tags, npm versions, and GitHub releases. Select `PATCH` from stable/beta trains, not the date or the highest alpha-only patch. Reuse the same alpha train and increment `alpha.N` until that patch has a beta; after a beta exists, use the following patch for new alpha builds.
+1. Compute the next `vYYYY.M.D-alpha.N` from existing git tags, npm versions, and GitHub releases.
 2. Make the alpha branch package version and release metadata match that tag, commit it, and push the branch.
 3. Run release validation from the alpha branch, using GitHub CLI, not browser/fetch tools. On the Tideclaw host, bare `gh` is a read-only Codex sandbox wrapper; use `/usr/local/bin/gh-tideclaw-write` for write-capable commands such as `workflow run`, `run cancel`, and publish dispatch:
 

.github/labeler.yml

@@ -293,10 +293,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/lobster/**"
-"extensions: llama-cpp":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/llama-cpp/**"
 "extensions: memory-core":
   - changed-files:
       - any-glob-to-any-file:
@@ -578,10 +574,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/openshell/**"
-"extensions: parallel":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/parallel/**"
 "extensions: perplexity":
   - changed-files:
       - any-glob-to-any-file:

.github/pull_request_template.md

@@ -2,14 +2,19 @@
 
 What problem does this PR solve?
 
+
 Why does this matter now?
 
+
 What is the intended outcome?
 
+
 What is intentionally out of scope?
 
+
 What does success look like?
 
+
 What should reviewers focus on?
 
 <details>
@@ -70,10 +75,13 @@ Be mindful of private information like IP addresses, API keys, phone numbers, no
 
 Which commands did you run?
 
+
 What regression coverage was added or updated?
 
+
 What failed before this fix, if known?
 
+
 If no test was added, why not?
 
 <details>
@@ -87,12 +95,16 @@ List focused commands, not every incidental check. CI is useful support, but ext
 
 Did user-visible behavior change? (`Yes/No`)
 
+
 Did config, environment, or migration behavior change? (`Yes/No`)
 
+
 Did security, auth, secrets, network, or tool execution behavior change? (`Yes/No`)
 
+
 What is the highest-risk area?
 
+
 How is that risk mitigated?
 
 <details>
@@ -106,8 +118,10 @@ Use this for author judgment that is not obvious from the diff. ClawSweeper can
 
 What is the next action?
 
+
 What is still waiting on author, maintainer, CI, or external proof?
 
+
 Which bot or reviewer comments were addressed?
 
 <details>

.github/workflows/ci-build-artifacts-testbox.yml

@@ -61,7 +61,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               -c "http.extraheader=AUTHORIZATION: basic ${auth_header}" \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
@@ -188,7 +188,7 @@ jobs:
         run: |
           set -euo pipefail
 
-          timeout --signal=TERM --kill-after=10s 120s git \
+          timeout --signal=TERM --kill-after=10s 30s git \
             -c protocol.version=2 \
             fetch --no-tags --prune --no-recurse-submodules --depth=50 origin \
             "+refs/heads/main:refs/remotes/origin/main"

.github/workflows/ci-check-arm-testbox.yml

@@ -76,7 +76,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               -c "http.extraheader=AUTHORIZATION: basic ${auth_header}" \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
@@ -106,7 +106,7 @@ jobs:
         run: |
           set -euo pipefail
 
-          timeout --signal=TERM --kill-after=10s 120s git \
+          timeout --signal=TERM --kill-after=10s 30s git \
             -c protocol.version=2 \
             fetch --no-tags --prune --no-recurse-submodules --depth=50 origin \
             "+refs/heads/main:refs/remotes/origin/main"

.github/workflows/ci-check-testbox.yml

@@ -6,10 +6,6 @@ on:
         type: string
         description: "Testbox session ID"
         required: true
-      timeout_minutes:
-        type: number
-        description: "Maximum GitHub job runtime for long Testbox commands"
-        default: 120
   pull_request:
     paths:
       - ".github/workflows/**"
@@ -29,7 +25,7 @@ jobs:
       contents: read
     name: "check"
     runs-on: blacksmith-32vcpu-ubuntu-2404
-    timeout-minutes: ${{ fromJSON(inputs.timeout_minutes || '30') }}
+    timeout-minutes: 30
     steps:
       - name: Begin Testbox
         uses: useblacksmith/begin-testbox@233448af4bfdc6fca509a7f0974411ac6d8a8043
@@ -65,7 +61,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               -c "http.extraheader=AUTHORIZATION: basic ${auth_header}" \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
@@ -95,7 +91,7 @@ jobs:
         run: |
           set -euo pipefail
 
-          timeout --signal=TERM --kill-after=10s 120s git \
+          timeout --signal=TERM --kill-after=10s 30s git \
             -c protocol.version=2 \
             fetch --no-tags --prune --no-recurse-submodules --depth=50 origin \
             "+refs/heads/main:refs/remotes/origin/main"

.github/workflows/ci.yml

@@ -90,7 +90,7 @@ jobs:
             local ref="$1"
             local fetch_status
             for attempt in 1 2 3; do
-              timeout --signal=TERM --kill-after=10s 120s git -C "$GITHUB_WORKSPACE" \
+              timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
                 -c protocol.version=2 \
                 fetch --no-tags --prune --no-recurse-submodules --depth=2 origin \
                 "+${ref}:refs/remotes/origin/checkout" && return 0
@@ -351,7 +351,7 @@ jobs:
             local ref="$1"
             local fetch_status
             for attempt in 1 2 3; do
-              timeout --signal=TERM --kill-after=10s 120s git -C "$GITHUB_WORKSPACE" \
+              timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
                 -c protocol.version=2 \
                 fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
                 "+${ref}:refs/remotes/origin/checkout" && return 0
@@ -499,7 +499,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -564,7 +564,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -722,7 +722,7 @@ jobs:
 
           if [ "$RUN_GATEWAY_WATCH" = "true" ]; then
             start_check "gateway-watch" \
-              node scripts/check-gateway-watch-regression.mjs --skip-build
+              node scripts/check-gateway-watch-regression.mjs --skip-build --ready-timeout-ms 5000
           fi
 
           for index in "${!pids[@]}"; do
@@ -810,7 +810,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -850,10 +850,10 @@ jobs:
               ;;
             contracts-plugins-ci-routing)
               pnpm test:contracts:plugins
-              pnpm test src/commands/status.scan-result.test.ts src/scripts/ci-changed-scope.test.ts test/scripts/changed-lanes.test.ts test/scripts/ci-workflow-guards.test.ts test/scripts/run-vitest.test.ts test/scripts/test-projects.test.ts
+              pnpm test src/commands/status.scan-result.test.ts src/scripts/ci-changed-scope.test.ts test/scripts/changed-lanes.test.ts test/scripts/run-vitest.test.ts test/scripts/test-projects.test.ts
               ;;
             ci-routing)
-              pnpm test src/commands/status.scan-result.test.ts src/scripts/ci-changed-scope.test.ts test/scripts/changed-lanes.test.ts test/scripts/ci-workflow-guards.test.ts test/scripts/run-vitest.test.ts test/scripts/test-projects.test.ts
+              pnpm test src/commands/status.scan-result.test.ts src/scripts/ci-changed-scope.test.ts test/scripts/changed-lanes.test.ts test/scripts/run-vitest.test.ts test/scripts/test-projects.test.ts
               ;;
             bun-launcher)
               OPENCLAW_TEST_BUN_LAUNCHER=1 pnpm test test/openclaw-launcher.e2e.test.ts
@@ -899,7 +899,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -979,7 +979,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -1056,7 +1056,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -1131,7 +1131,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -1258,7 +1258,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -1288,7 +1288,6 @@ jobs:
         env:
           OPENCLAW_LOCAL_CHECK: "0"
           TASK: ${{ matrix.task }}
-          PR_BASE_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || '' }}
         shell: bash
         run: |
           set -euo pipefail
@@ -1298,10 +1297,6 @@ jobs:
               pnpm tool-display:check
               pnpm check:host-env-policy:swift
               pnpm dup:check:coverage
-              if [ -n "$PR_BASE_SHA" ]; then
-                git fetch --no-tags --depth=1 origin "+${PR_BASE_SHA}:refs/remotes/origin/pr-base"
-                node scripts/report-test-temp-creations.mjs --base refs/remotes/origin/pr-base --head HEAD --no-merge-base
-              fi
               pnpm deps:patches:check
               pnpm lint:webhook:no-low-level-body-read
               pnpm lint:auth:no-pairing-store-group
@@ -1363,10 +1358,6 @@ jobs:
           - check_name: check-additional-boundaries-bcd
             group: boundaries
             boundary_shard: 2/4,3/4,4/4
-          - check_name: check-session-accessor-boundary
-            group: session-accessor-boundary
-          - check_name: check-session-transcript-reader-boundary
-            group: session-transcript-reader-boundary
           - check_name: check-additional-extension-channels
             group: extension-channels
           - check_name: check-additional-extension-bundled
@@ -1399,7 +1390,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -1513,24 +1504,6 @@ jobs:
             boundaries)
               node scripts/run-additional-boundary-checks.mjs
               ;;
-            session-accessor-boundary)
-              if [ ! -f scripts/check-session-accessor-boundary.mjs ]; then
-                echo "[skip] session accessor boundary check is not present in this checkout"
-              elif ! node -e 'const pkg = require("./package.json"); process.exit(pkg.scripts?.["lint:tmp:session-accessor-boundary"] ? 0 : 1);'; then
-                echo "[skip] session accessor boundary script is not present in package.json"
-              else
-                run_check "lint:tmp:session-accessor-boundary" pnpm run lint:tmp:session-accessor-boundary
-              fi
-              ;;
-            session-transcript-reader-boundary)
-              if [ ! -f scripts/check-session-transcript-reader-boundary.mjs ]; then
-                echo "[skip] session transcript reader boundary check is not present in this checkout"
-              elif ! node -e 'const pkg = require("./package.json"); process.exit(pkg.scripts?.["lint:tmp:session-transcript-reader-boundary"] ? 0 : 1);'; then
-                echo "[skip] session transcript reader boundary script is not present in package.json"
-              else
-                run_check "lint:tmp:session-transcript-reader-boundary" pnpm run lint:tmp:session-transcript-reader-boundary
-              fi
-              ;;
             extension-channels)
               run_check "lint:extensions:channels" pnpm run lint:extensions:channels
               ;;
@@ -1584,7 +1557,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -1630,7 +1603,7 @@ jobs:
             git -C "$workdir" config gc.auto 0
             git -C "$workdir" remote add origin "https://github.com/openclaw/clawhub.git"
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+refs/heads/main:refs/remotes/origin/checkout" || return 1
@@ -1677,7 +1650,7 @@ jobs:
           fetch_checkout_ref() {
             local fetch_status
             for attempt in 1 2 3; do
-              timeout --signal=TERM --kill-after=10s 120s git -C "$GITHUB_WORKSPACE" \
+              timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
                 -c protocol.version=2 \
                 fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
                 "+${CHECKOUT_SHA}:refs/remotes/origin/checkout" && return 0
@@ -2083,7 +2056,7 @@ jobs:
             git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
             git -C "$workdir" config gc.auto 0
 
-            timeout --signal=TERM --kill-after=10s 120s git -C "$workdir" \
+            timeout --signal=TERM --kill-after=10s 30s git -C "$workdir" \
               -c protocol.version=2 \
               fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
               "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
@@ -2120,7 +2093,7 @@ jobs:
         uses: actions/cache@v5
         with:
           path: ~/.android-sdk
-          key: ${{ runner.os }}-android-sdk-v1-cmdline-14742923-platform-37.0-build-tools-36.0.0
+          key: ${{ runner.os }}-android-sdk-v1-cmdline-12266719-platform-36-build-tools-36.0.0
           restore-keys: |
             ${{ runner.os }}-android-sdk-v1-
 
@@ -2128,7 +2101,7 @@ jobs:
         run: |
           set -euo pipefail
           ANDROID_SDK_ROOT="$HOME/.android-sdk"
-          CMDLINE_TOOLS_VERSION="14742923"
+          CMDLINE_TOOLS_VERSION="12266719"
           ARCHIVE="commandlinetools-linux-${CMDLINE_TOOLS_VERSION}_latest.zip"
           URL="https://dl.google.com/android/repository/${ARCHIVE}"
 
@@ -2150,7 +2123,7 @@ jobs:
           yes | sdkmanager --sdk_root="${ANDROID_SDK_ROOT}" --licenses >/dev/null
           sdkmanager --sdk_root="${ANDROID_SDK_ROOT}" --install \
             "platform-tools" \
-            "platforms;android-37.0" \
+            "platforms;android-36" \
             "build-tools;36.0.0"
 
       - name: Run Android ${{ matrix.task }}

.github/workflows/codeql-android-critical-security.yml

@@ -35,7 +35,7 @@ jobs:
           java-version: "21"
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: java-kotlin
           build-mode: manual
@@ -46,6 +46,6 @@ jobs:
         run: ./gradlew --no-daemon :app:assemblePlayDebug
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-security/android"

.github/workflows/codeql-critical-quality.yml

@@ -342,13 +342,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-core-auth-secrets-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/core-auth-secrets"
 
@@ -365,13 +365,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-config-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/config-boundary"
 
@@ -388,13 +388,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-gateway-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/gateway-runtime-boundary"
 
@@ -411,13 +411,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/channel-runtime-boundary"
 
@@ -460,7 +460,7 @@ jobs:
 
       - name: Initialize CodeQL
         if: ${{ github.event_name != 'pull_request' }}
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-network-runtime-boundary-critical-quality.yml
@@ -468,7 +468,7 @@ jobs:
       - name: Analyze
         id: analyze
         if: ${{ github.event_name != 'pull_request' }}
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           output: sarif-results
           category: "/codeql-critical-quality/network-runtime-boundary"
@@ -518,13 +518,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/agent-runtime-boundary"
 
@@ -541,13 +541,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-mcp-process-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/mcp-process-runtime-boundary"
 
@@ -564,13 +564,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-memory-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/memory-runtime-boundary"
 
@@ -587,13 +587,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-session-diagnostics-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/session-diagnostics-boundary"
 
@@ -610,13 +610,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-plugin-sdk-reply-runtime-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/plugin-sdk-reply-runtime"
 
@@ -633,13 +633,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-provider-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/provider-runtime-boundary"
 
@@ -655,13 +655,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-ui-control-plane-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/ui-control-plane"
 
@@ -677,13 +677,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-web-media-runtime-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/web-media-runtime-boundary"
 
@@ -700,13 +700,13 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-plugin-boundary-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/plugin-boundary"
 
@@ -723,12 +723,12 @@ jobs:
           submodules: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
           config-file: ./.github/codeql/codeql-plugin-sdk-package-contract-critical-quality.yml
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-critical-quality/plugin-sdk-package-contract"

.github/workflows/codeql-macos-critical-security.yml

@@ -35,7 +35,7 @@ jobs:
           swift --version
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: swift
           build-mode: manual
@@ -46,7 +46,7 @@ jobs:
 
       - name: Analyze
         id: analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           output: sarif-results
           upload: failure-only
@@ -83,7 +83,7 @@ jobs:
           done
 
       - name: Upload filtered SARIF
-        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: sarif-results-filtered
           category: "/codeql-critical-security/macos"

.github/workflows/codeql.yml

@@ -101,12 +101,12 @@ jobs:
             .github/codeql
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: ${{ matrix.language }}
           config-file: ${{ matrix.config_file }}
 
       - name: Analyze
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           category: "/codeql-security-high/${{ matrix.category }}"

.github/workflows/docker-release.yml

@@ -88,30 +88,11 @@ jobs:
           ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
           fetch-depth: 0
 
-      - name: Pre-pull BuildKit image
-        shell: bash
-        env:
-          BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
-        run: |
-          set -euo pipefail
-          for attempt in 1 2 3 4; do
-            if docker pull "${BUILDKIT_IMAGE}"; then
-              exit 0
-            fi
-            if [[ "${attempt}" == "4" ]]; then
-              echo "::error::Failed to pull ${BUILDKIT_IMAGE} after ${attempt} attempts"
-              exit 1
-            fi
-            sleep_seconds=$((attempt * 10))
-            echo "BuildKit image pull failed; retrying in ${sleep_seconds}s (${attempt}/4)."
-            sleep "${sleep_seconds}"
-          done
-
       - name: Set up Docker Builder
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
@@ -180,7 +161,7 @@ jobs:
       - name: Build and push amd64 image
         id: build
         # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           platforms: linux/amd64
@@ -198,7 +179,7 @@ jobs:
         id: build-browser
         if: steps.tags.outputs.browser != ''
         # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           platforms: linux/amd64
@@ -298,30 +279,11 @@ jobs:
           ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
           fetch-depth: 0
 
-      - name: Pre-pull BuildKit image
-        shell: bash
-        env:
-          BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
-        run: |
-          set -euo pipefail
-          for attempt in 1 2 3 4; do
-            if docker pull "${BUILDKIT_IMAGE}"; then
-              exit 0
-            fi
-            if [[ "${attempt}" == "4" ]]; then
-              echo "::error::Failed to pull ${BUILDKIT_IMAGE} after ${attempt} attempts"
-              exit 1
-            fi
-            sleep_seconds=$((attempt * 10))
-            echo "BuildKit image pull failed; retrying in ${sleep_seconds}s (${attempt}/4)."
-            sleep "${sleep_seconds}"
-          done
-
       - name: Set up Docker Builder
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
@@ -390,7 +352,7 @@ jobs:
       - name: Build and push arm64 image
         id: build
         # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           platforms: linux/arm64
@@ -408,7 +370,7 @@ jobs:
         id: build-browser
         if: steps.tags.outputs.browser != ''
         # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           platforms: linux/arm64
@@ -506,7 +468,7 @@ jobs:
           fetch-depth: 0
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
@@ -599,30 +561,11 @@ jobs:
         with:
           fetch-depth: 1
 
-      - name: Pre-pull BuildKit image
-        shell: bash
-        env:
-          BUILDKIT_IMAGE: moby/buildkit:buildx-stable-1
-        run: |
-          set -euo pipefail
-          for attempt in 1 2 3 4; do
-            if docker pull "${BUILDKIT_IMAGE}"; then
-              exit 0
-            fi
-            if [[ "${attempt}" == "4" ]]; then
-              echo "::error::Failed to pull ${BUILDKIT_IMAGE} after ${attempt} attempts"
-              exit 1
-            fi
-            sleep_seconds=$((attempt * 10))
-            echo "BuildKit image pull failed; retrying in ${sleep_seconds}s (${attempt}/4)."
-            sleep "${sleep_seconds}"
-          done
-
       - name: Set up Docker Builder
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}

.github/workflows/docs-agent.yml

@@ -149,7 +149,7 @@ jobs:
 
       - name: Run Codex docs agent
         if: steps.gate.outputs.run_agent == 'true'
-        uses: openai/codex-action@e0fdf01220eb9a88167c4898839d273e3f2609d1
+        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
         env:
           DOCS_AGENT_BASE_SHA: ${{ steps.gate.outputs.review_base_sha }}
           DOCS_AGENT_HEAD_SHA: ${{ steps.gate.outputs.review_head_sha }}

.github/workflows/full-release-validation.yml

@@ -275,7 +275,7 @@ jobs:
             local workflow="$1"
             shift
 
-            local dispatch_output run_id status conclusion url poll_count
+            local before_json dispatch_output run_id status conclusion url poll_count
             gh_with_retry() {
               local output status attempt
               for attempt in 1 2 3 4 5 6; do
@@ -298,6 +298,8 @@ jobs:
               printf '%s\n' "$output" >&2
               return "$status"
             }
+            before_json="$(gh_with_retry run list --workflow "$workflow" --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
+
             dispatch_output="$(gh_with_retry workflow run "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@")"
             printf '%s\n' "$dispatch_output"
             run_id="$(
@@ -307,7 +309,20 @@ jobs:
             )"
 
             if [[ -z "$run_id" ]]; then
-              echo "::error::gh workflow run ${workflow} did not return an Actions run URL; refusing to guess from recent workflow_dispatch runs." >&2
+              for _ in $(seq 1 60); do
+                run_id="$(
+                  BEFORE_IDS="$before_json" gh_with_retry run list --workflow "$workflow" --event workflow_dispatch --limit 50 --json databaseId,createdAt \
+                    --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
+                )"
+                if [[ -n "$run_id" ]]; then
+                  break
+                fi
+                sleep 5
+              done
+            fi
+
+            if [[ -z "${run_id:-}" ]]; then
+              echo "Could not find dispatched run for ${workflow}." >&2
               exit 1
             fi
 
@@ -408,7 +423,7 @@ jobs:
             local workflow="$1"
             shift
 
-            local dispatch_output run_id status conclusion url poll_count
+            local before_json dispatch_output run_id status conclusion url poll_count
             gh_with_retry() {
               local output status attempt
               for attempt in 1 2 3 4 5 6; do
@@ -431,6 +446,8 @@ jobs:
               printf '%s\n' "$output" >&2
               return "$status"
             }
+            before_json="$(gh_with_retry run list --workflow "$workflow" --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
+
             dispatch_output="$(gh_with_retry workflow run "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@")"
             printf '%s\n' "$dispatch_output"
             run_id="$(
@@ -440,7 +457,20 @@ jobs:
             )"
 
             if [[ -z "$run_id" ]]; then
-              echo "::error::gh workflow run ${workflow} did not return an Actions run URL; refusing to guess from recent workflow_dispatch runs." >&2
+              for _ in $(seq 1 60); do
+                run_id="$(
+                  BEFORE_IDS="$before_json" gh_with_retry run list --workflow "$workflow" --event workflow_dispatch --limit 50 --json databaseId,createdAt \
+                    --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
+                )"
+                if [[ -n "$run_id" ]]; then
+                  break
+                fi
+                sleep 5
+              done
+            fi
+
+            if [[ -z "${run_id:-}" ]]; then
+              echo "Could not find dispatched run for ${workflow}." >&2
               exit 1
             fi
 
@@ -551,7 +581,7 @@ jobs:
             local workflow="$1"
             shift
 
-            local dispatch_output run_id status conclusion url poll_count run_json
+            local before_json dispatch_output run_id status conclusion url poll_count run_json
             gh_with_retry() {
               local output status attempt
               for attempt in 1 2 3 4 5 6; do
@@ -574,6 +604,8 @@ jobs:
               printf '%s\n' "$output" >&2
               return "$status"
             }
+            before_json="$(gh_with_retry run list --workflow "$workflow" --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
+
             dispatch_output="$(gh_with_retry workflow run "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@")"
             printf '%s\n' "$dispatch_output"
             run_id="$(
@@ -583,7 +615,20 @@ jobs:
             )"
 
             if [[ -z "$run_id" ]]; then
-              echo "::error::gh workflow run ${workflow} did not return an Actions run URL; refusing to guess from recent workflow_dispatch runs." >&2
+              for _ in $(seq 1 60); do
+                run_id="$(
+                  BEFORE_IDS="$before_json" gh_with_retry run list --workflow "$workflow" --event workflow_dispatch --limit 50 --json databaseId,createdAt \
+                    --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
+                )"
+                if [[ -n "$run_id" ]]; then
+                  break
+                fi
+                sleep 5
+              done
+            fi
+
+            if [[ -z "${run_id:-}" ]]; then
+              echo "Could not find dispatched run for ${workflow}." >&2
               exit 1
             fi
 
@@ -738,7 +783,7 @@ jobs:
           fi
 
           args=(
-            -f ref="$TARGET_REF"
+            -f ref="$TARGET_SHA"
             -f expected_sha="$TARGET_SHA"
             -f provider="$PROVIDER"
             -f mode="$MODE"
@@ -883,6 +928,8 @@ jobs:
             return "$status"
           }
 
+          before_json="$(gh_with_retry run list --workflow npm-telegram-beta-e2e.yml --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
+
           args=(-f package_spec="${PACKAGE_SPEC:-openclaw@beta}" -f harness_ref="$TARGET_SHA" -f provider_mode="$PROVIDER_MODE")
           if [[ -z "${PACKAGE_SPEC// }" ]]; then
             if [[ "$PREPARE_PACKAGE_RESULT" != "success" || -z "${PACKAGE_ARTIFACT_NAME// }" ]]; then
@@ -899,16 +946,22 @@ jobs:
             args+=(-f scenario="$SCENARIO")
           fi
 
-          dispatch_output="$(gh_with_retry workflow run npm-telegram-beta-e2e.yml --ref "$CHILD_WORKFLOW_REF" "${args[@]}")"
-          printf '%s\n' "$dispatch_output"
-          run_id="$(
-            printf '%s\n' "$dispatch_output" |
-              sed -nE 's#.*actions/runs/([0-9]+).*#\1#p' |
-              tail -n 1
-          )"
+          gh_with_retry workflow run npm-telegram-beta-e2e.yml --ref "$CHILD_WORKFLOW_REF" "${args[@]}"
+
+          run_id=""
+          for _ in $(seq 1 60); do
+            run_id="$(
+              BEFORE_IDS="$before_json" gh_with_retry run list --workflow npm-telegram-beta-e2e.yml --event workflow_dispatch --limit 50 --json databaseId,createdAt \
+                --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
+            )"
+            if [[ -n "$run_id" ]]; then
+              break
+            fi
+            sleep 5
+          done
 
           if [[ -z "$run_id" ]]; then
-            echo "::error::gh workflow run npm-telegram-beta-e2e.yml did not return an Actions run URL; refusing to guess from recent workflow_dispatch runs." >&2
+            echo "Could not find dispatched run for npm-telegram-beta-e2e.yml." >&2
             exit 1
           fi
 
@@ -1020,23 +1073,31 @@ jobs:
             echo "- Release impact: advisory"
           } >> "$GITHUB_STEP_SUMMARY"
 
-          dispatch_output="$(gh_with_retry workflow run openclaw-performance.yml \
+          before_json="$(gh_with_retry run list --workflow openclaw-performance.yml --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
+
+          gh_with_retry workflow run openclaw-performance.yml \
             --ref "$CHILD_WORKFLOW_REF" \
             -f target_ref="$TARGET_SHA" \
             -f profile=release \
             -f repeat=3 \
             -f deep_profile=false \
             -f live_openai_candidate=false \
-            -f fail_on_regression=false)"
-          printf '%s\n' "$dispatch_output"
-          run_id="$(
-            printf '%s\n' "$dispatch_output" |
-              sed -nE 's#.*actions/runs/([0-9]+).*#\1#p' |
-              tail -n 1
-          )"
+            -f fail_on_regression=false
+
+          run_id=""
+          for _ in $(seq 1 60); do
+            run_id="$(
+              BEFORE_IDS="$before_json" gh_with_retry run list --workflow openclaw-performance.yml --event workflow_dispatch --limit 50 --json databaseId,createdAt \
+                --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
+            )"
+            if [[ -n "$run_id" ]]; then
+              break
+            fi
+            sleep 5
+          done
 
           if [[ -z "$run_id" ]]; then
-            echo "::warning::gh workflow run openclaw-performance.yml did not return an Actions run URL; refusing to guess from recent workflow_dispatch runs."
+            echo "::warning::Could not find dispatched run for openclaw-performance.yml."
             exit 0
           fi
 
@@ -1078,16 +1139,7 @@ jobs:
 
   summary:
     name: Verify full validation
-    needs:
-      [
-        resolve_target,
-        docker_runtime_assets_preflight,
-        normal_ci,
-        plugin_prerelease,
-        release_checks,
-        npm_telegram,
-        performance,
-      ]
+    needs: [resolve_target, docker_runtime_assets_preflight, normal_ci, plugin_prerelease, release_checks, npm_telegram, performance]
     if: always()
     runs-on: ubuntu-24.04
     timeout-minutes: 5

.github/workflows/install-smoke.yml

@@ -112,7 +112,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 
@@ -223,7 +223,7 @@ jobs:
           persist-credentials: false
 
       - name: Log in to GHCR
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -245,7 +245,7 @@ jobs:
 
       - name: Set up Blacksmith Docker Builder
         if: steps.existing.outputs.exists != 'true'
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 
@@ -311,7 +311,7 @@ jobs:
           persist-credentials: false
 
       - name: Log in to GHCR
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -417,7 +417,7 @@ jobs:
           persist-credentials: false
 
       - name: Log in to GHCR
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -429,7 +429,7 @@ jobs:
         run: timeout --kill-after=30s 600s docker pull "$IMAGE_REF"
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 
@@ -476,21 +476,19 @@ jobs:
       - name: Run Rocky Linux installer smoke
         run: |
           timeout --kill-after=30s 20m docker run --rm \
-            --platform linux/amd64 \
             -e OPENCLAW_NO_ONBOARD=1 \
             -e OPENCLAW_NO_PROMPT=1 \
             -v "$PWD/scripts/install.sh:/tmp/install.sh:ro" \
-            rockylinux:9@sha256:d644d203142cd5b54ad2a83a203e1dee68af2229f8fe32f52a30c6e1d3c3a9e0 \
+            rockylinux:9@sha256:d7be1c094cc5845ee815d4632fe377514ee6ebcf8efaed6892889657e5ddaaa6 \
             bash -lc 'dnf install -y -q ca-certificates tar gzip xz findutils which sudo >/dev/null && bash /tmp/install.sh --install-method npm --version latest --no-onboard --no-prompt --verify && openclaw --version'
 
       - name: Run Rocky Linux CLI installer smoke
         run: |
           timeout --kill-after=30s 20m docker run --rm \
-            --platform linux/amd64 \
             -e OPENCLAW_NO_ONBOARD=1 \
             -e OPENCLAW_NO_PROMPT=1 \
             -v "$PWD/scripts/install-cli.sh:/tmp/install-cli.sh:ro" \
-            rockylinux:9@sha256:d644d203142cd5b54ad2a83a203e1dee68af2229f8fe32f52a30c6e1d3c3a9e0 \
+            rockylinux:9@sha256:d7be1c094cc5845ee815d4632fe377514ee6ebcf8efaed6892889657e5ddaaa6 \
             bash -lc 'dnf install -y -q ca-certificates tar gzip xz findutils which sudo >/dev/null && bash /tmp/install-cli.sh --prefix /tmp/openclaw-cli --version latest --no-onboard && /tmp/openclaw-cli/bin/openclaw --version'
 
   bun_global_install_smoke:
@@ -505,7 +503,7 @@ jobs:
           persist-credentials: false
 
       - name: Log in to GHCR
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -544,7 +542,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 

.github/workflows/ios-periphery-comment.yml

@@ -1,447 +0,0 @@
-name: iOS Periphery Dead Code Comment
-
-on:
-  workflow_run: # zizmor: ignore[dangerous-triggers] trusted PR commenter; job gates repository, source event, workflow name, live open PR, and exact current head before reading artifacts or writing comments
-    workflows: ["iOS Periphery Dead Code"]
-    types: [completed]
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-permissions:
-  actions: read
-  contents: read
-  issues: write
-  pull-requests: read
-
-jobs:
-  comment:
-    name: Comment on PR
-    runs-on: ubuntu-24.04
-    if: >
-      github.repository == 'openclaw/openclaw' &&
-      github.event.workflow_run.event == 'pull_request' &&
-      github.event.workflow_run.name == 'iOS Periphery Dead Code'
-    steps:
-      - name: Upsert Periphery PR comment
-        uses: actions/github-script@v9
-        with:
-          script: |
-            const fs = require("node:fs");
-            const os = require("node:os");
-            const path = require("node:path");
-            const childProcess = require("node:child_process");
-
-            const marker = "<!-- openclaw-ios-periphery-dead-code -->";
-            const run = context.payload.workflow_run;
-            const pr = run.pull_requests?.[0];
-            if (!pr) {
-              core.info("No pull request attached to workflow_run.");
-              return;
-            }
-
-            const { owner, repo } = context.repo;
-            const repository = `${owner}/${repo}`;
-            if (run.repository?.full_name !== repository) {
-              core.info(`Skipping workflow_run from ${run.repository?.full_name ?? "unknown repository"}.`);
-              return;
-            }
-            if (run.event !== "pull_request") {
-              core.info(`Skipping workflow_run for ${run.event ?? "unknown"} event.`);
-              return;
-            }
-            if (run.name !== "iOS Periphery Dead Code") {
-              core.info(`Skipping unexpected workflow ${run.name ?? "unknown"}.`);
-              return;
-            }
-
-            const livePull = await github.rest.pulls.get({
-              owner,
-              repo,
-              pull_number: pr.number,
-            });
-            if (livePull.data.state !== "open") {
-              core.info(`Skipping closed PR #${pr.number}.`);
-              return;
-            }
-            if (livePull.data.base?.repo?.full_name !== repository) {
-              core.info(`Skipping PR #${pr.number} targeting ${livePull.data.base?.repo?.full_name ?? "unknown repository"}.`);
-              return;
-            }
-            if (livePull.data.head?.sha !== run.head_sha) {
-              core.info(`Skipping stale run ${run.id}; PR #${pr.number} is now at ${livePull.data.head?.sha}.`);
-              return;
-            }
-
-            const jobs = await github.paginate(github.rest.actions.listJobsForWorkflowRun, {
-              owner,
-              repo,
-              run_id: run.id,
-              filter: "latest",
-              per_page: 100,
-            });
-            const scopeJob = jobs.find((job) => job.name === "Detect iOS scan scope");
-            const scanJob = jobs.find((job) => job.name === "Scan iOS dead code");
-            const scanSkipped =
-              scopeJob?.conclusion === "success" && scanJob?.conclusion === "skipped";
-            if (scanSkipped) {
-              core.info(`Skipping intentionally omitted Periphery scan for PR #${pr.number}.`);
-            }
-
-            const artifacts = scanSkipped
-              ? []
-              : await github.paginate(github.rest.actions.listWorkflowRunArtifacts, {
-                  owner,
-                  repo,
-                  run_id: run.id,
-                  per_page: 100,
-                });
-
-            const readReport = async () => {
-              if (scanSkipped) {
-                return;
-              }
-              const artifactName = `ios-periphery-dead-code-${run.id}-${run.run_attempt}`;
-              const artifact = artifacts.find((item) => item.name === artifactName);
-              if (!artifact) {
-                core.warning(`No ${artifactName} artifact found.`);
-                return;
-              }
-              if (artifact.expired) {
-                core.warning(`${artifactName} artifact expired.`);
-                return;
-              }
-
-              const maxArchiveBytes = 1024 * 1024;
-              const archiveSize = Number(artifact.size_in_bytes);
-              if (!Number.isSafeInteger(archiveSize) || archiveSize < 0 || archiveSize > maxArchiveBytes) {
-                core.warning(`Skipping ${artifactName}; compressed artifact size ${artifact.size_in_bytes ?? "unknown"} exceeds the ${maxArchiveBytes} byte limit.`);
-                return;
-              }
-
-              const archive = await github.rest.actions.downloadArtifact({
-                owner,
-                repo,
-                artifact_id: artifact.id,
-                archive_format: "zip",
-              });
-
-              const dir = fs.mkdtempSync(path.join(os.tmpdir(), "ios-periphery-"));
-              const archivePath = path.join(dir, "artifact.zip");
-              const archiveBuffer = Buffer.from(archive.data);
-              fs.writeFileSync(archivePath, archiveBuffer);
-
-              const allowedArtifactFiles = new Set([
-                "periphery.json",
-                "periphery.status",
-                "periphery.stderr.log",
-                "periphery.stdout.json",
-                "should-fail.txt",
-              ]);
-              const maxEntries = allowedArtifactFiles.size;
-              const maxEntryBytes = 2 * 1024 * 1024;
-              const maxTotalBytes = 4 * 1024 * 1024;
-
-              const readUInt16 = (offset) => archiveBuffer.readUInt16LE(offset);
-              const readUInt32 = (offset) => archiveBuffer.readUInt32LE(offset);
-              const findEndOfCentralDirectoryOffset = () => {
-                const minimumOffset = Math.max(0, archiveBuffer.length - 0xffff - 22);
-                for (let offset = archiveBuffer.length - 22; offset >= minimumOffset; offset -= 1) {
-                  if (readUInt32(offset) === 0x06054b50) {
-                    return offset;
-                  }
-                }
-                return -1;
-              };
-
-              const endOfCentralDirectoryOffset = findEndOfCentralDirectoryOffset();
-              if (endOfCentralDirectoryOffset < 0) {
-                core.warning(`Skipping ${artifactName}; ZIP end-of-central-directory record was not found.`);
-                return;
-              }
-              const entryCount = readUInt16(endOfCentralDirectoryOffset + 10);
-              const centralDirectorySize = readUInt32(endOfCentralDirectoryOffset + 12);
-              const centralDirectoryOffset = readUInt32(endOfCentralDirectoryOffset + 16);
-              if (entryCount < 1 || entryCount > maxEntries) {
-                core.warning(`Skipping ${artifactName}; artifact has ${entryCount} entries.`);
-                return;
-              }
-              if (
-                centralDirectoryOffset + centralDirectorySize > archiveBuffer.length ||
-                readUInt32(centralDirectoryOffset) !== 0x02014b50
-              ) {
-                core.warning(`Skipping ${artifactName}; invalid ZIP central directory.`);
-                return;
-              }
-
-              const entries = new Map();
-              let totalUncompressedSize = 0;
-              let offset = centralDirectoryOffset;
-              for (let index = 0; index < entryCount; index += 1) {
-                if (offset + 46 > archiveBuffer.length || readUInt32(offset) !== 0x02014b50) {
-                  core.warning(`Skipping ${artifactName}; invalid central directory entry.`);
-                  return;
-                }
-
-                const compressionMethod = readUInt16(offset + 10);
-                const generalPurposeBitFlag = readUInt16(offset + 8);
-                const compressedSize = readUInt32(offset + 20);
-                const uncompressedSize = readUInt32(offset + 24);
-                const fileNameLength = readUInt16(offset + 28);
-                const extraLength = readUInt16(offset + 30);
-                const commentLength = readUInt16(offset + 32);
-                const externalAttributes = readUInt32(offset + 38);
-                const nameStart = offset + 46;
-                const nameEnd = nameStart + fileNameLength;
-                const nextOffset = nameEnd + extraLength + commentLength;
-                if (nextOffset > archiveBuffer.length) {
-                  core.warning(`Skipping ${artifactName}; central directory entry exceeds archive bounds.`);
-                  return;
-                }
-
-                const name = archiveBuffer.toString("utf8", nameStart, nameEnd);
-                const mode = externalAttributes >>> 16;
-                const fileType = mode & 0o170000;
-                const isRegularFile = fileType === 0 || fileType === 0o100000;
-                const invalidName =
-                  !allowedArtifactFiles.has(name) ||
-                  name.includes("/") ||
-                  name.includes("\\") ||
-                  name.includes("..") ||
-                  path.isAbsolute(name);
-                if (invalidName) {
-                  core.warning(`Skipping ${artifactName}; unexpected artifact entry ${name}.`);
-                  return;
-                }
-                if (!isRegularFile || name.endsWith("/")) {
-                  core.warning(`Skipping ${artifactName}; ${name} is not a regular file.`);
-                  return;
-                }
-                if (entries.has(name)) {
-                  core.warning(`Skipping ${artifactName}; duplicate artifact entry ${name}.`);
-                  return;
-                }
-                if (![0, 8].includes(compressionMethod)) {
-                  core.warning(`Skipping ${artifactName}; ${name} uses unsupported ZIP compression method ${compressionMethod}.`);
-                  return;
-                }
-                if ((generalPurposeBitFlag & 0x1) !== 0) {
-                  core.warning(`Skipping ${artifactName}; ${name} is encrypted.`);
-                  return;
-                }
-                if (compressedSize > maxEntryBytes || uncompressedSize > maxEntryBytes) {
-                  core.warning(`Skipping ${artifactName}; ${name} exceeds the per-file size limit.`);
-                  return;
-                }
-
-                totalUncompressedSize += uncompressedSize;
-                if (totalUncompressedSize > maxTotalBytes) {
-                  core.warning(`Skipping ${artifactName}; artifact exceeds the aggregate size limit.`);
-                  return;
-                }
-
-                entries.set(name, { uncompressedSize });
-                offset = nextOffset;
-              }
-
-              const files = new Map();
-              for (const [name, entry] of entries) {
-                const contents = childProcess.execFileSync("unzip", ["-p", archivePath, name], {
-                  encoding: "utf8",
-                  maxBuffer: Math.max(1, entry.uncompressedSize + 1024),
-                  timeout: 5000,
-                });
-                if (Buffer.byteLength(contents, "utf8") > maxEntryBytes) {
-                  core.warning(`Skipping ${artifactName}; ${name} exceeded the per-file size limit while reading.`);
-                  return;
-                }
-                files.set(name, contents);
-              }
-
-              const read = (name) => {
-                return files.get(name) ?? "";
-              };
-
-              const status = Number(read("periphery.status").trim() || "1");
-              let findings = null;
-              for (const name of ["periphery.json", "periphery.stdout.json"]) {
-                try {
-                  const parsed = JSON.parse(read(name));
-                  const validFindings =
-                    Array.isArray(parsed) &&
-                    parsed.every(
-                      (finding) =>
-                        finding !== null &&
-                        typeof finding === "object" &&
-                        !Array.isArray(finding),
-                    );
-                  if (validFindings) {
-                    findings = parsed;
-                    break;
-                  }
-                } catch {}
-              }
-              return { findings, status };
-            };
-            const report = await readReport();
-            const status = report?.status ?? 1;
-            const findings = report?.findings ?? null;
-
-            const sanitizeCell = (value) => {
-              const normalized = String(value ?? "")
-                .replace(/[\u0000-\u001f\u007f-\u009f]/gu, " ")
-                .replace(/[\u200b-\u200f\u202a-\u202e\u2060\u2066-\u2069\ufeff]/gu, "")
-                .replace(/\s+/gu, " ")
-                .trim();
-              const maxEncodedLength = 180;
-              let escaped = "";
-              for (const character of normalized) {
-                const encoded =
-                  character === "`"
-                    ? "'"
-                    : character === "|"
-                      ? "\\|"
-                      : character;
-                if (escaped.length + encoded.length > maxEncodedLength) {
-                  break;
-                }
-                escaped += encoded;
-              }
-              return `\`${escaped || "-"}\``;
-            };
-
-            const rows = (findings ?? []).map((finding) => {
-              const location = String(finding.location ?? "");
-              const [file, line] = location.split(":");
-              return {
-                file: file ? `apps/ios/${file}` : "",
-                line: line || "",
-                kind: String(finding.kind ?? ""),
-                name: String(finding.name ?? ""),
-              };
-            });
-
-            let mode = "failure";
-            let body = `${marker}\n`;
-            if (scanSkipped) {
-              mode = "skipped";
-              body += [
-                "### iOS Periphery",
-                "",
-                "Periphery scan skipped because the pull request is a draft or no longer touches iOS scan scope.",
-              ].join("\n");
-            } else if (findings === null) {
-              body += [
-                "### iOS Periphery",
-                "",
-                "Periphery did not complete or its report could not be safely read. Check the workflow run for details.",
-              ].join("\n");
-            } else if (rows.length === 0 && status === 0) {
-              mode = "success";
-              body += [
-                "### iOS Periphery",
-                "",
-                "No dead Swift code found.",
-              ].join("\n");
-            } else if (rows.length > 0) {
-              const shown = rows.slice(0, 50);
-              body += [
-                "### iOS Periphery",
-                "",
-                `Found ${rows.length} dead Swift code ${rows.length === 1 ? "symbol" : "symbols"}. Remove the code or add a narrow Periphery exemption with a comment explaining why it must stay.`,
-                "",
-                "| File | Line | Kind | Name |",
-                "| --- | ---: | --- | --- |",
-                ...shown.map((row) => `| ${sanitizeCell(row.file)} | ${sanitizeCell(row.line)} | ${sanitizeCell(row.kind)} | ${sanitizeCell(row.name)} |`),
-                rows.length > shown.length ? "" : null,
-                rows.length > shown.length ? `Showing first ${shown.length}; full JSON is in the workflow artifact.` : null,
-              ].filter(Boolean).join("\n");
-            } else {
-              body += [
-                "### iOS Periphery",
-                "",
-                "Periphery exited with a non-zero status before producing findings. Check the workflow artifact for stdout/stderr.",
-              ].join("\n");
-            }
-            body += "\n";
-            const maxCommentChars = 60_000;
-            if (body.length > maxCommentChars) {
-              body = [
-                marker,
-                "### iOS Periphery",
-                "",
-                `Found ${rows.length} dead Swift code ${rows.length === 1 ? "symbol" : "symbols"}. The rendered report exceeded the safe comment limit; use the workflow artifact for details.`,
-                "",
-              ].join("\n");
-            }
-
-            const comments = await github.paginate(github.rest.issues.listComments, {
-              owner,
-              repo,
-              issue_number: livePull.data.number,
-              per_page: 100,
-            });
-            const existing = comments.find(
-              (comment) =>
-                comment.user?.login === "github-actions[bot]" &&
-                comment.body?.includes(marker),
-            );
-
-            if (!existing && ["skipped", "success"].includes(mode)) {
-              core.info(`No existing Periphery comment and scan ${mode}; skipping comment.`);
-              return;
-            }
-
-            const currentPull = await github.rest.pulls.get({
-              owner,
-              repo,
-              pull_number: pr.number,
-            });
-            if (
-              currentPull.data.state !== "open" ||
-              currentPull.data.base?.repo?.full_name !== repository ||
-              currentPull.data.head?.sha !== run.head_sha
-            ) {
-              core.info(`Skipping stale run ${run.id}; PR #${pr.number} changed before comment update.`);
-              return;
-            }
-
-            const workflowRuns = await github.paginate(github.rest.actions.listWorkflowRuns, {
-              owner,
-              repo,
-              workflow_id: run.workflow_id,
-              event: "pull_request",
-              head_sha: run.head_sha,
-              per_page: 100,
-            });
-            const supersedingRun = workflowRuns.find(
-              (candidate) =>
-                (candidate.id === run.id ||
-                  candidate.pull_requests?.some(
-                    (candidatePull) => candidatePull.number === pr.number,
-                  )) &&
-                (candidate.run_number > run.run_number ||
-                  (candidate.run_number === run.run_number &&
-                    candidate.run_attempt > run.run_attempt)),
-            );
-            if (supersedingRun) {
-              core.info(`Skipping superseded run ${run.id} attempt ${run.run_attempt}; run ${supersedingRun.id} attempt ${supersedingRun.run_attempt} is newer.`);
-              return;
-            }
-
-            if (existing) {
-              await github.rest.issues.updateComment({
-                owner,
-                repo,
-                comment_id: existing.id,
-                body,
-              });
-              return;
-            }
-
-            await github.rest.issues.createComment({
-              owner,
-              repo,
-              issue_number: livePull.data.number,
-              body,
-            });

.github/workflows/ios-periphery.yml

@@ -1,229 +0,0 @@
-name: iOS Periphery Dead Code
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened, ready_for_review, converted_to_draft]
-  workflow_dispatch:
-
-concurrency:
-  group: ios-periphery-${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
-  cancel-in-progress: true
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-permissions:
-  contents: read
-  pull-requests: read
-
-jobs:
-  scope:
-    name: Detect iOS scan scope
-    runs-on: ubuntu-24.04
-    outputs:
-      should-scan: ${{ steps.scope.outputs.should-scan }}
-    steps:
-      - name: Detect changed paths
-        id: scope
-        uses: actions/github-script@v9
-        with:
-          script: |
-            if (context.eventName === "workflow_dispatch") {
-              core.setOutput("should-scan", "true");
-              return;
-            }
-            if (context.payload.pull_request?.draft) {
-              core.setOutput("should-scan", "false");
-              return;
-            }
-
-            const files = await github.paginate(github.rest.pulls.listFiles, {
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.payload.pull_request.number,
-              per_page: 100,
-            });
-            const isScanPath = (filename) =>
-              typeof filename === "string" && (
-                filename.startsWith("apps/ios/") ||
-                filename === ".github/workflows/ios-periphery.yml" ||
-                filename === ".github/workflows/ios-periphery-comment.yml" ||
-                filename === "config/swiftformat" ||
-                filename === "config/swiftlint.yml"
-              );
-            const shouldScan = files.some(
-              ({ filename, previous_filename: previousFilename }) =>
-                isScanPath(filename) || isScanPath(previousFilename)
-            );
-            core.setOutput("should-scan", String(shouldScan));
-
-  scan:
-    name: Scan iOS dead code
-    needs: scope
-    if: ${{ needs.scope.outputs.should-scan == 'true' }}
-    runs-on: ${{ github.event_name == 'workflow_dispatch' && 'macos-26' || (github.repository == 'openclaw/openclaw' && 'blacksmith-12vcpu-macos-26' || 'macos-26') }}
-    timeout-minutes: 45
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 1
-          fetch-tags: false
-          persist-credentials: false
-          submodules: false
-
-      - name: Verify Xcode
-        run: |
-          set -euo pipefail
-          for xcode_app in /Applications/Xcode_26.5.app /Applications/Xcode-26.5.0.app; do
-            if [ -d "$xcode_app/Contents/Developer" ]; then
-              sudo xcode-select -s "$xcode_app/Contents/Developer"
-              break
-            fi
-          done
-          xcodebuild -version
-          xcode_version="$(xcodebuild -version | awk 'NR == 1 { print $2 }')"
-          if [[ "$xcode_version" != 26.* ]]; then
-            echo "error: expected Xcode 26.x, got $xcode_version" >&2
-            exit 1
-          fi
-          swift --version
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Install iOS Swift tooling
-        run: brew install xcodegen swiftformat swiftlint periphery
-
-      - name: Generate iOS project
-        run: |
-          set -euo pipefail
-          ./scripts/ios-configure-signing.sh
-          ./scripts/ios-write-version-xcconfig.sh
-          cd apps/ios
-          xcodegen generate
-
-      - name: Run Periphery
-        run: |
-          set -euo pipefail
-          output_dir="$RUNNER_TEMP/ios-periphery"
-          mkdir -p "$output_dir"
-          cd apps/ios
-          set +e
-          periphery scan \
-            --config .periphery.yml \
-            --strict \
-            --format json \
-            --write-results "$output_dir/periphery.json" \
-            >"$output_dir/periphery.stdout.json" \
-            2>"$output_dir/periphery.stderr.log"
-          periphery_status="$?"
-          set -e
-          printf '%s\n' "$periphery_status" >"$output_dir/periphery.status"
-          if [ ! -s "$output_dir/periphery.json" ]; then
-            cp "$output_dir/periphery.stdout.json" "$output_dir/periphery.json"
-          fi
-
-      - name: Build Periphery report
-        run: |
-          set -euo pipefail
-          node <<'NODE'
-          const fs = require("node:fs");
-          const path = require("node:path");
-
-          const outputDir = path.join(process.env.RUNNER_TEMP, "ios-periphery");
-          const read = (name) => {
-            const file = path.join(outputDir, name);
-            return fs.existsSync(file) ? fs.readFileSync(file, "utf8") : "";
-          };
-
-          const status = Number(read("periphery.status").trim() || "1");
-          let findings = null;
-          for (const name of ["periphery.json", "periphery.stdout.json"]) {
-            try {
-              const parsed = JSON.parse(read(name));
-              if (Array.isArray(parsed)) {
-                findings = parsed;
-                break;
-              }
-            } catch {}
-          }
-
-          const escapeCommandData = (value) =>
-            String(value ?? "")
-              .replaceAll("%", "%25")
-              .replaceAll("\r", "%0D")
-              .replaceAll("\n", "%0A");
-          const escapeCommandProperty = (value) =>
-            escapeCommandData(value)
-              .replaceAll(":", "%3A")
-              .replaceAll(",", "%2C");
-
-          const rows = (findings ?? []).map((finding) => {
-            const location = String(finding.location ?? "");
-            const [file, line] = location.split(":");
-            const repoFile = file ? `apps/ios/${file}` : "";
-            return {
-              file: repoFile,
-              line: line || "",
-              kind: String(finding.kind ?? ""),
-              name: String(finding.name ?? ""),
-            };
-          });
-
-          for (const row of rows) {
-            if (!row.file) continue;
-            const line = row.line ? `,line=${escapeCommandProperty(row.line)}` : "";
-            const title = `${row.kind || "Unused code"} ${row.name}`.trim();
-            console.log(`::error file=${escapeCommandProperty(row.file)}${line},title=Dead Swift code::${escapeCommandData(title)}`);
-          }
-
-          let shouldFail = "1";
-          let summary = "";
-
-          if (findings === null) {
-            summary = [
-              "### iOS Periphery",
-              "",
-              "Periphery did not complete. Check the workflow artifact for stdout/stderr.",
-            ].join("\n");
-          } else if (rows.length === 0 && status === 0) {
-            shouldFail = "0";
-            summary = [
-              "### iOS Periphery",
-              "",
-              "No dead Swift code found.",
-            ].join("\n");
-          } else if (rows.length > 0) {
-            summary = [
-              "### iOS Periphery",
-              "",
-              `Found ${rows.length} dead Swift code ${rows.length === 1 ? "symbol" : "symbols"}. See the PR comment or workflow artifact for details.`,
-            ].join("\n");
-          } else {
-            summary = [
-              "### iOS Periphery",
-              "",
-              "Periphery exited with a non-zero status before producing findings. Check the workflow artifact for stdout/stderr.",
-            ].join("\n");
-          }
-
-          fs.writeFileSync(path.join(outputDir, "should-fail.txt"), `${shouldFail}\n`);
-          fs.appendFileSync(process.env.GITHUB_STEP_SUMMARY, `${summary.trim()}\n`);
-          NODE
-
-      - name: Upload Periphery report
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: ios-periphery-dead-code-${{ github.run_id }}-${{ github.run_attempt }}
-          path: ${{ runner.temp }}/ios-periphery
-          if-no-files-found: warn
-          retention-days: 14
-
-      - name: Fail on dead code
-        run: |
-          set -euo pipefail
-          test "$(cat "$RUNNER_TEMP/ios-periphery/should-fail.txt")" = "0"

.github/workflows/live-media-runner-image.yml

@@ -29,14 +29,14 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Login to GHCR
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ github.token }}
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 

.github/workflows/macos-release.yml

@@ -13,7 +13,7 @@ on:
         default: true
         type: boolean
       public_release_branch:
-        description: Public branch that contains the release tag commit, usually main or release/YYYY.M.PATCH
+        description: Public branch that contains the release tag commit, usually main or release/YYYY.M.D
         required: false
         default: main
         type: string
@@ -73,7 +73,7 @@ jobs:
         run: |
           set -euo pipefail
           if [[ "${PUBLIC_RELEASE_BRANCH}" != "main" && ! "${PUBLIC_RELEASE_BRANCH}" =~ ^release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]]; then
-            echo "public_release_branch must be main or release/YYYY.M.PATCH, got ${PUBLIC_RELEASE_BRANCH}." >&2
+            echo "public_release_branch must be main or release/YYYY.M.D, got ${PUBLIC_RELEASE_BRANCH}." >&2
             exit 1
           fi
           RELEASE_SHA=$(git rev-parse HEAD)

.github/workflows/mantis-discord-smoke.yml

@@ -37,7 +37,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const allowed = new Set(["admin", "maintain", "write"]);

.github/workflows/mantis-discord-status-reactions.yml

@@ -56,7 +56,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const allowed = new Set(["admin", "maintain", "write"]);
@@ -91,7 +91,7 @@ jobs:
     steps:
       - name: Resolve refs and target PR
         id: resolve
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const defaultBaseline = "0bf06e953fdda290799fc9fb9244a8f67fdae593";
@@ -437,17 +437,8 @@ jobs:
             echo "::warning::Could not generate motion-trimmed desktop previews; continuing with screenshots and full MP4 links."
           fi
 
-          read_discord_status_reaction_status() {
-            local lane="$1"
-            if [[ -f "$root/$lane/qa-evidence.json" ]]; then
-              jq -r '.entries[0].result.status' "$root/$lane/qa-evidence.json"
-              return
-            fi
-            jq -r '.scenarios[0].status' "$root/$lane/discord-qa-summary.json"
-          }
-
-          baseline_status="$(read_discord_status_reaction_status baseline)"
-          candidate_status="$(read_discord_status_reaction_status candidate)"
+          baseline_status="$(jq -r '.scenarios[0].status' "$root/baseline/discord-qa-summary.json")"
+          candidate_status="$(jq -r '.scenarios[0].status' "$root/candidate/discord-qa-summary.json")"
 
           jq -n \
             --arg baseline_status "$baseline_status" \
@@ -590,7 +581,7 @@ jobs:
       issues: write
     steps:
       - name: Remove workflow eyes reaction
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const { owner, repo } = context.repo;

.github/workflows/mantis-discord-thread-attachment.yml

@@ -56,7 +56,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const allowed = new Set(["admin", "maintain", "write"]);
@@ -91,7 +91,7 @@ jobs:
     steps:
       - name: Resolve refs and target PR
         id: resolve
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const defaultBaseline = "synthetic-reverted-thread-filepath-fix";
@@ -451,17 +451,8 @@ jobs:
 
           capture_candidate_discord_web
 
-          read_discord_thread_attachment_status() {
-            local lane="$1"
-            if [[ -f "$root/$lane/qa-evidence.json" ]]; then
-              jq -r '.entries[] | select(.test.id == "discord-thread-reply-filepath-attachment") | .result.status' "$root/$lane/qa-evidence.json"
-              return
-            fi
-            jq -r '.scenarios[] | select(.id == "discord-thread-reply-filepath-attachment") | .status' "$root/$lane/discord-qa-summary.json"
-          }
-
-          baseline_status="$(read_discord_thread_attachment_status baseline)"
-          candidate_status="$(read_discord_thread_attachment_status candidate)"
+          baseline_status="$(jq -r '.scenarios[] | select(.id == "discord-thread-reply-filepath-attachment") | .status' "$root/baseline/discord-qa-summary.json")"
+          candidate_status="$(jq -r '.scenarios[] | select(.id == "discord-thread-reply-filepath-attachment") | .status' "$root/candidate/discord-qa-summary.json")"
           comparison_status="fail"
           if [[ "$baseline_status" == "fail" && "$candidate_status" == "pass" ]]; then
             comparison_status="pass"
@@ -612,7 +603,7 @@ jobs:
       issues: write
     steps:
       - name: Remove workflow eyes reaction
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const { owner, repo } = context.repo;

.github/workflows/mantis-slack-desktop-smoke.yml

@@ -81,7 +81,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const allowed = new Set(["admin", "maintain", "write"]);
@@ -180,7 +180,7 @@ jobs:
         run: pnpm build
 
       - name: Cache Mantis candidate pnpm store
-        uses: actions/cache@v5
+        uses: actions/cache@v4
         with:
           path: |
             ~/.local/share/pnpm/store

.github/workflows/mantis-telegram-desktop-proof.yml

@@ -79,7 +79,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             if (context.eventName === "pull_request_target") {
@@ -125,7 +125,7 @@ jobs:
     steps:
       - name: Resolve refs and target PR
         id: resolve
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const eventName = context.eventName;
@@ -445,7 +445,7 @@ jobs:
           sudo chown -R codex:codex "$GITHUB_WORKSPACE"
 
       - name: Run Codex Mantis Telegram agent
-        uses: openai/codex-action@e0fdf01220eb9a88167c4898839d273e3f2609d1
+        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
         env:
           BASELINE_REF: ${{ needs.resolve_request.outputs.baseline_ref }}
           BASELINE_SHA: ${{ needs.validate_refs.outputs.baseline_revision }}
@@ -709,7 +709,7 @@ jobs:
       issues: write
     steps:
       - name: Remove workflow eyes reaction
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const { owner, repo } = context.repo;

.github/workflows/mantis-telegram-live.yml

@@ -68,7 +68,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const allowed = new Set(["admin", "maintain", "write"]);
@@ -105,7 +105,7 @@ jobs:
     steps:
       - name: Resolve refs and target PR
         id: resolve
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const eventName = context.eventName;
@@ -327,7 +327,7 @@ jobs:
         run: pnpm build
 
       - name: Cache Mantis candidate pnpm store
-        uses: actions/cache@v5
+        uses: actions/cache@v4
         with:
           path: |
             ~/.local/share/pnpm/store
@@ -379,6 +379,7 @@ jobs:
           OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
           OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
           OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
+          OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
           CRABBOX_COORDINATOR: ${{ secrets.CRABBOX_COORDINATOR }}
           CRABBOX_COORDINATOR_TOKEN: ${{ secrets.CRABBOX_COORDINATOR_TOKEN }}
           OPENCLAW_QA_MANTIS_CRABBOX_COORDINATOR: ${{ secrets.OPENCLAW_QA_MANTIS_CRABBOX_COORDINATOR }}
@@ -444,8 +445,8 @@ jobs:
           telegram_exit=$?
           set -e
 
-          if [[ ! -f "$root/qa-evidence.json" && ! -f "$root/telegram-qa-summary.json" ]]; then
-            echo "Telegram live QA did not produce an evidence summary." >&2
+          if [[ ! -f "$root/telegram-qa-summary.json" ]]; then
+            echo "Telegram live QA did not produce a summary." >&2
             exit "$telegram_exit"
           fi
           echo "telegram_exit=${telegram_exit}" >> "$GITHUB_OUTPUT"
@@ -572,7 +573,7 @@ jobs:
       issues: write
     steps:
       - name: Remove workflow eyes reaction
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             const { owner, repo } = context.repo;

.github/workflows/npm-telegram-beta-e2e.yml

@@ -126,7 +126,7 @@ jobs:
           fetch-depth: 1
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 
@@ -220,6 +220,7 @@ jobs:
           OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
           OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
           OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
+          OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
           INPUT_SCENARIO: ${{ inputs.scenario }}
           PACKAGE_ARTIFACT_NAME: ${{ inputs.package_artifact_name || '' }}
         run: |

.github/workflows/openclaw-cross-os-release-checks-reusable.yml

@@ -407,28 +407,12 @@ jobs:
           const path = require("node:path");
 
           const packageDir = process.env.PACKAGE_DIR;
-          function resolveTarballFileName(value, label) {
-            const fileName = typeof value === "string" ? value.trim() : "";
-            if (
-              !fileName.endsWith(".tgz") ||
-              fileName.includes("\0") ||
-              fileName !== path.basename(fileName) ||
-              fileName !== path.win32.basename(fileName)
-            ) {
-              throw new Error(`${label} must be a local .tgz filename.`);
-            }
-            return fileName;
-          }
           const requestedFileName = process.env.INPUT_CANDIDATE_FILE_NAME.trim();
           const files = fs.readdirSync(packageDir).filter((file) => file.endsWith(".tgz"));
-          const selectedCandidateFileName = requestedFileName || (files.length === 1 ? files[0] : "");
-          if (!selectedCandidateFileName) {
+          const candidateFileName = requestedFileName || (files.length === 1 ? files[0] : "");
+          if (!candidateFileName) {
             throw new Error(`Expected exactly one candidate .tgz in ${packageDir}; found ${files.length}.`);
           }
-          const candidateFileName = resolveTarballFileName(
-            selectedCandidateFileName,
-            "candidate_file_name",
-          );
           if (!fs.existsSync(path.join(packageDir, candidateFileName))) {
             throw new Error(`Provided candidate artifact does not contain ${candidateFileName}.`);
           }
@@ -490,23 +474,12 @@ jobs:
         run: |
           node <<'NODE' >>"$GITHUB_OUTPUT"
           const fs = require("node:fs");
-          const path = require("node:path");
-          function resolveTarballFileName(value, label) {
-            const fileName = typeof value === "string" ? value.trim() : "";
-            if (
-              !fileName.endsWith(".tgz") ||
-              fileName.includes("\0") ||
-              fileName !== path.basename(fileName) ||
-              fileName !== path.win32.basename(fileName)
-            ) {
-              throw new Error(`${label} must be a local .tgz filename.`);
-            }
-            return fileName;
-          }
           const payload = JSON.parse(fs.readFileSync(process.env.BASELINE_PACK_JSON, "utf8"));
           const entry = Array.isArray(payload) ? payload.at(-1) : null;
-          const fileName = resolveTarballFileName(entry?.filename, "Baseline npm pack filename");
-          process.stdout.write(`file_name=${fileName}\n`);
+          if (!entry?.filename) {
+            throw new Error("Baseline npm pack did not produce a filename.");
+          }
+          process.stdout.write(`file_name=${entry.filename}\n`);
           NODE
 
       - name: Upload candidate artifact

.github/workflows/openclaw-live-and-e2e-checks-reusable.yml

@@ -420,7 +420,6 @@ jobs:
               add_suite live-cache
 
               add_profile_suite native-live-src-agents "stable full"
-              add_profile_suite native-live-src-agents-zai-coding "stable full"
               add_profile_suite native-live-src-gateway-core "beta minimum stable full"
               add_profile_suite native-live-src-gateway-profiles-anthropic "stable full"
               add_profile_suite native-live-src-gateway-profiles-anthropic-smoke "stable"
@@ -888,7 +887,7 @@ jobs:
           summary=".artifacts/docker-tests/release-${DOCKER_E2E_CHUNK}/summary.json"
           if [[ ! -f "$summary" ]]; then
             echo "Docker chunk summary missing: \`$summary\`" >> "$GITHUB_STEP_SUMMARY"
-            exit 1
+            exit 0
           fi
           node .release-harness/scripts/docker-e2e.mjs summary "$summary" "Docker E2E chunk: ${DOCKER_E2E_CHUNK:-unknown}" >> "$GITHUB_STEP_SUMMARY"
 
@@ -898,7 +897,7 @@ jobs:
         with:
           name: docker-e2e-${{ matrix.chunk_id }}
           path: .artifacts/docker-tests/
-          if-no-files-found: error
+          if-no-files-found: ignore
 
   plan_docker_lane_groups:
     needs: validate_selected_ref
@@ -1148,7 +1147,7 @@ jobs:
           summary=".artifacts/docker-tests/targeted-${{ steps.plan.outputs.artifact_suffix }}/summary.json"
           if [[ ! -f "$summary" ]]; then
             echo "Docker targeted summary missing: \`$summary\`" >> "$GITHUB_STEP_SUMMARY"
-            exit 1
+            exit 0
           fi
           node .release-harness/scripts/docker-e2e.mjs summary "$summary" "Docker E2E targeted lanes" >> "$GITHUB_STEP_SUMMARY"
 
@@ -1158,7 +1157,7 @@ jobs:
         with:
           name: docker-e2e-${{ steps.plan.outputs.artifact_suffix }}
           path: .artifacts/docker-tests/
-          if-no-files-found: error
+          if-no-files-found: ignore
 
   validate_docker_openwebui:
     needs: [validate_selected_ref, prepare_docker_e2e_image]
@@ -1275,7 +1274,7 @@ jobs:
           summary=".artifacts/docker-tests/release-openwebui/summary.json"
           if [[ ! -f "$summary" ]]; then
             echo "Docker Open WebUI summary missing: \`$summary\`" >> "$GITHUB_STEP_SUMMARY"
-            exit 1
+            exit 0
           fi
           node .release-harness/scripts/docker-e2e.mjs summary "$summary" "Docker E2E chunk: openwebui" >> "$GITHUB_STEP_SUMMARY"
 
@@ -1285,7 +1284,7 @@ jobs:
         with:
           name: docker-e2e-openwebui
           path: .artifacts/docker-tests/
-          if-no-files-found: error
+          if-no-files-found: ignore
 
   prepare_docker_e2e_image:
     needs: validate_selected_ref
@@ -1498,72 +1497,37 @@ jobs:
 
       - name: Setup Docker builder
         if: steps.image_exists.outputs.needs_build == '1'
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 
       - name: Build and push bare Docker E2E image
         if: steps.plan.outputs.needs_bare_image == '1' && steps.image_exists.outputs.bare_exists != '1'
-        shell: bash
-        env:
-          IMAGE_REF: ${{ steps.image.outputs.bare_image }}
-        run: |
-          set -euo pipefail
-          build_cmd=(
-            docker buildx build
-            --file ./scripts/e2e/Dockerfile
-            --target bare
-            --platform linux/amd64
-            --tag "$IMAGE_REF"
-            --sbom=true
-            --provenance=mode=max
-            --push
-            .
-          )
-          for attempt in 1 2 3 4; do
-            if "${build_cmd[@]}"; then
-              exit 0
-            fi
-            if [[ "$attempt" == "4" ]]; then
-              echo "::error::Failed to build Docker E2E bare image after ${attempt} attempts"
-              exit 1
-            fi
-            sleep_seconds=$((attempt * 20))
-            echo "Docker E2E bare image build failed; retrying in ${sleep_seconds}s (${attempt}/4)."
-            sleep "$sleep_seconds"
-          done
+        uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2
+        with:
+          context: .
+          file: ./scripts/e2e/Dockerfile
+          target: bare
+          platforms: linux/amd64
+          tags: ${{ steps.image.outputs.bare_image }}
+          sbom: true
+          provenance: mode=max
+          push: true
 
       - name: Build and push functional Docker E2E image
         if: steps.plan.outputs.needs_functional_image == '1' && steps.image_exists.outputs.functional_exists != '1'
-        shell: bash
-        env:
-          IMAGE_REF: ${{ steps.image.outputs.functional_image }}
-        run: |
-          set -euo pipefail
-          build_cmd=(
-            docker buildx build
-            --file ./scripts/e2e/Dockerfile
-            --target functional
-            --build-context openclaw_package=.artifacts/docker-e2e-package
-            --platform linux/amd64
-            --tag "$IMAGE_REF"
-            --sbom=true
-            --provenance=mode=max
-            --push
-            .
-          )
-          for attempt in 1 2 3 4; do
-            if "${build_cmd[@]}"; then
-              exit 0
-            fi
-            if [[ "$attempt" == "4" ]]; then
-              echo "::error::Failed to build Docker E2E functional image after ${attempt} attempts"
-              exit 1
-            fi
-            sleep_seconds=$((attempt * 20))
-            echo "Docker E2E functional image build failed; retrying in ${sleep_seconds}s (${attempt}/4)."
-            sleep "$sleep_seconds"
-          done
+        uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2
+        with:
+          context: .
+          file: ./scripts/e2e/Dockerfile
+          target: functional
+          build-contexts: |
+            openclaw_package=.artifacts/docker-e2e-package
+          platforms: linux/amd64
+          tags: ${{ steps.image.outputs.functional_image }}
+          sbom: true
+          provenance: mode=max
+          push: true
 
   prepare_live_test_image:
     needs: validate_selected_ref
@@ -1594,11 +1558,8 @@ jobs:
         run: |
           set -euo pipefail
           repository="${GITHUB_REPOSITORY,,}"
-          live_image_extensions="matrix,acpx"
-          live_image_tag_suffix="${live_image_extensions//,/-}"
-          live_image="ghcr.io/${repository}-live-test:${SELECTED_SHA}-${live_image_tag_suffix}"
+          live_image="ghcr.io/${repository}-live-test:${SELECTED_SHA}"
           echo "live_image=${live_image}" >> "$GITHUB_OUTPUT"
-          echo "live_image_extensions=${live_image_extensions}" >> "$GITHUB_OUTPUT"
           echo "Shared live-test image: \`${live_image}\`" >> "$GITHUB_STEP_SUMMARY"
 
       - name: Log in to GHCR
@@ -1621,7 +1582,7 @@ jobs:
 
       - name: Setup Docker builder
         if: steps.image_exists.outputs.exists != '1'
-        uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
+        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
         with:
           max-cache-size-mb: 800000
 
@@ -1633,7 +1594,7 @@ jobs:
           file: ./Dockerfile
           target: build
           build-args: |
-            OPENCLAW_EXTENSIONS=${{ steps.image.outputs.live_image_extensions }}
+            OPENCLAW_EXTENSIONS=matrix
           platforms: linux/amd64
           tags: ${{ steps.image.outputs.live_image }}
           sbom: true
@@ -1749,7 +1710,6 @@ jobs:
             anthropic) require_any Anthropic ANTHROPIC_API_KEY ANTHROPIC_API_KEY_OLD ANTHROPIC_API_TOKEN ;;
             google) require_any Google GEMINI_API_KEY GOOGLE_API_KEY ;;
             minimax) require_any MiniMax MINIMAX_API_KEY ;;
-            moonshot) require_any Moonshot MOONSHOT_API_KEY KIMI_API_KEY ;;
             openai) require_any OpenAI OPENAI_API_KEY ;;
             opencode-go) require_any OpenCode OPENCODE_API_KEY OPENCODE_ZEN_API_KEY ;;
             openrouter) require_any OpenRouter OPENROUTER_API_KEY ;;
@@ -1838,7 +1798,7 @@ jobs:
         run: |
           set -euo pipefail
 
-          all_providers=(anthropic google minimax moonshot openai opencode-go openrouter xai zai fireworks)
+          all_providers=(anthropic google minimax openai opencode-go openrouter xai zai fireworks)
 
           normalize_provider() {
             local value="${1,,}"
@@ -1924,7 +1884,6 @@ jobs:
               anthropic) require_any Anthropic ANTHROPIC_API_KEY ANTHROPIC_API_KEY_OLD ANTHROPIC_API_TOKEN ;;
               google) require_any Google GEMINI_API_KEY GOOGLE_API_KEY ;;
               minimax) require_any MiniMax MINIMAX_API_KEY ;;
-              moonshot) require_any Moonshot MOONSHOT_API_KEY KIMI_API_KEY ;;
               openai) require_any OpenAI OPENAI_API_KEY ;;
               opencode-go) require_any OpenCode OPENCODE_API_KEY OPENCODE_ZEN_API_KEY ;;
               openrouter) require_any OpenRouter OPENROUTER_API_KEY ;;
@@ -1957,15 +1916,9 @@ jobs:
             timeout_minutes: 60
             profile_env_only: false
             profiles: stable full
-          - suite_id: native-live-src-agents-zai-coding
-            label: Native live Z.AI Coding Plan
-            command: ZAI_CODING_LIVE_TEST=1 node .release-harness/scripts/test-live-shard.mjs native-live-src-agents-zai-coding
-            timeout_minutes: 15
-            profile_env_only: false
-            profiles: stable full
           - suite_id: native-live-src-gateway-core
             label: Native live gateway core
-            command: OPENCLAW_LIVE_CODEX_HARNESS=1 OPENCLAW_LIVE_CODEX_HARNESS_AUTH=api-key node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-core
+            command: node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-core
             timeout_minutes: 60
             profile_env_only: false
             profiles: beta minimum stable full
@@ -2085,7 +2038,7 @@ jobs:
             profiles: full
           - suite_id: native-live-src-gateway-backends
             label: Native live gateway backends
-            command: OPENCLAW_LIVE_CODEX_HARNESS=1 OPENCLAW_LIVE_CODEX_HARNESS_AUTH=api-key node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-backends
+            command: node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-backends
             timeout_minutes: 60
             profile_env_only: false
             profiles: stable full
@@ -2222,11 +2175,7 @@ jobs:
           case "${{ matrix.suite_id }}" in
             live-cli-backend-docker)
               echo "OPENCLAW_LIVE_CLI_BACKEND_MODEL=claude-cli/claude-sonnet-4-6" >> "$GITHUB_ENV"
-              if [[ -n "${OPENCLAW_CLAUDE_CREDENTIALS_JSON:-}" || -n "${CLAUDE_CODE_OAUTH_TOKEN:-}" ]]; then
-                echo "OPENCLAW_LIVE_CLI_BACKEND_AUTH=subscription" >> "$GITHUB_ENV"
-              else
-                echo "OPENCLAW_LIVE_CLI_BACKEND_AUTH=api-key" >> "$GITHUB_ENV"
-              fi
+              echo "OPENCLAW_LIVE_CLI_BACKEND_AUTH=api-key" >> "$GITHUB_ENV"
               echo "OPENCLAW_LIVE_CLI_BACKEND_DEBUG=1" >> "$GITHUB_ENV"
               echo "OPENCLAW_CLI_BACKEND_LOG_OUTPUT=1" >> "$GITHUB_ENV"
               echo "OPENCLAW_TEST_CONSOLE=1" >> "$GITHUB_ENV"
@@ -2451,11 +2400,7 @@ jobs:
           case "${{ matrix.suite_id }}" in
             live-cli-backend-docker)
               echo "OPENCLAW_LIVE_CLI_BACKEND_MODEL=claude-cli/claude-sonnet-4-6" >> "$GITHUB_ENV"
-              if [[ -n "${OPENCLAW_CLAUDE_CREDENTIALS_JSON:-}" || -n "${CLAUDE_CODE_OAUTH_TOKEN:-}" ]]; then
-                echo "OPENCLAW_LIVE_CLI_BACKEND_AUTH=subscription" >> "$GITHUB_ENV"
-              else
-                echo "OPENCLAW_LIVE_CLI_BACKEND_AUTH=api-key" >> "$GITHUB_ENV"
-              fi
+              echo "OPENCLAW_LIVE_CLI_BACKEND_AUTH=api-key" >> "$GITHUB_ENV"
               echo "OPENCLAW_LIVE_CLI_BACKEND_DEBUG=1" >> "$GITHUB_ENV"
               echo "OPENCLAW_CLI_BACKEND_LOG_OUTPUT=1" >> "$GITHUB_ENV"
               echo "OPENCLAW_TEST_CONSOLE=1" >> "$GITHUB_ENV"

.github/workflows/openclaw-npm-release.yml

@@ -223,25 +223,10 @@ jobs:
           set -euo pipefail
           PACK_OUTPUT="$RUNNER_TEMP/npm-pack-output.txt"
           npm pack --json 2>&1 | tee "$PACK_OUTPUT"
-          PACK_NAME="$(node - "$PACK_OUTPUT" <<'NODE'
+          PACK_PATH="$(node - "$PACK_OUTPUT" <<'NODE'
           const fs = require("node:fs");
-          const path = require("node:path");
           const input = fs.readFileSync(process.argv[2], "utf8");
 
-          function resolveTarballFileName(value) {
-            const fileName = typeof value === "string" ? value.trim() : "";
-            if (
-              !fileName.endsWith(".tgz") ||
-              fileName.includes("\0") ||
-              fileName !== path.basename(fileName) ||
-              fileName !== path.win32.basename(fileName)
-            ) {
-              console.error(`npm pack reported unsafe tarball filename ${JSON.stringify(fileName)}.`);
-              process.exit(1);
-            }
-            return fileName;
-          }
-
           function arrayEndFrom(start) {
             let depth = 0;
             let inString = false;
@@ -281,8 +266,8 @@ jobs:
             try {
               const parsed = JSON.parse(input.slice(start, end));
               const first = Array.isArray(parsed) ? parsed[0] : null;
-              if (first && Object.prototype.hasOwnProperty.call(first, "filename")) {
-                process.stdout.write(resolveTarballFileName(first.filename));
+              if (first && typeof first.filename === "string" && first.filename) {
+                process.stdout.write(first.filename);
                 process.exit(0);
               }
             } catch {
@@ -294,7 +279,6 @@ jobs:
           process.exit(1);
           NODE
           )"
-          PACK_PATH="$PWD/$PACK_NAME"
           if [[ -z "$PACK_PATH" || ! -f "$PACK_PATH" ]]; then
             echo "npm pack did not produce a tarball file." >&2
             exit 1
@@ -306,7 +290,7 @@ jobs:
           else
             RELEASE_TAG="${RELEASE_REF}"
           fi
-          TARBALL_NAME="$PACK_NAME"
+          TARBALL_NAME="$(basename "$PACK_PATH")"
           TARBALL_SHA256="$(sha256sum "$PACK_PATH" | awk '{print $1}')"
           ARTIFACT_DIR="$RUNNER_TEMP/openclaw-npm-preflight"
           rm -rf "$ARTIFACT_DIR"
@@ -407,7 +391,7 @@ jobs:
             tideclaw_alpha_publish=true
           fi
           if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]] && [[ ! "${WORKFLOW_REF}" =~ ^refs/heads/release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]] && [[ "${tideclaw_alpha_publish}" != "true" ]]; then
-            echo "Real publish runs must be dispatched from main, release/YYYY.M.PATCH, or a Tideclaw alpha branch for alpha prereleases. Use preflight_only=true for other branch validation."
+            echo "Real publish runs must be dispatched from main, release/YYYY.M.D, or a Tideclaw alpha branch for alpha prereleases. Use preflight_only=true for other branch validation."
             exit 1
           fi
 

.github/workflows/openclaw-performance.yml

@@ -56,7 +56,6 @@ concurrency:
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   OCM_VERSION: v0.2.15
-  OCM_LINUX_X64_SHA256: b849b8de5d77e97e0df9319703254ae95e29d7f26a7552ea79bf173ff110ea0a
   KOVA_REPOSITORY: openclaw/Kova
   PERFORMANCE_MODEL_ID: gpt-5.5
 
@@ -188,20 +187,11 @@ jobs:
           set -euo pipefail
           KOVA_SRC="${RUNNER_TEMP}/kova-src"
           echo "KOVA_SRC=$KOVA_SRC" >> "$GITHUB_ENV"
-          mkdir -p "$HOME/.local/bin" "$(dirname "$KOVA_SRC")" "${RUNNER_TEMP}/ocm-install"
-
-          ocm_archive="${RUNNER_TEMP}/ocm-${OCM_VERSION}-x86_64-unknown-linux-gnu.tar.gz"
-          curl -fsSL --proto '=https' --tlsv1.2 --retry 3 --retry-delay 1 --retry-connrefused \
-            -o "$ocm_archive" \
-            "https://github.com/shakkernerd/ocm/releases/download/${OCM_VERSION}/ocm-x86_64-unknown-linux-gnu.tar.gz"
-          echo "${OCM_LINUX_X64_SHA256}  ${ocm_archive}" | sha256sum -c -
-          tar -xzf "$ocm_archive" -C "${RUNNER_TEMP}/ocm-install"
-          install -m 0755 "${RUNNER_TEMP}/ocm-install/ocm" "$HOME/.local/bin/ocm"
-
-          git init -b main "$KOVA_SRC"
-          git -C "$KOVA_SRC" remote add origin "https://github.com/${KOVA_REPOSITORY}.git"
-          git -C "$KOVA_SRC" fetch --filter=blob:none --depth 1 origin "$KOVA_REF"
-          git -C "$KOVA_SRC" checkout --detach FETCH_HEAD
+          mkdir -p "$HOME/.local/bin" "$(dirname "$KOVA_SRC")"
+          curl -fsSL https://raw.githubusercontent.com/shakkernerd/ocm/main/install.sh \
+            | bash -s -- --version "$OCM_VERSION" --prefix "$HOME/.local" --force
+          git clone --filter=blob:none "https://github.com/${KOVA_REPOSITORY}.git" "$KOVA_SRC"
+          git -C "$KOVA_SRC" checkout "$KOVA_REF"
           cat > "$HOME/.local/bin/kova" <<EOF
           #!/usr/bin/env bash
           export KOVA_HOME="${KOVA_HOME}"
@@ -254,8 +244,8 @@ jobs:
         run: |
           set -euo pipefail
           if [[ -z "${OPENAI_API_KEY:-}" ]]; then
-            echo "OPENAI_API_KEY is not configured; live GPT 5.5 lane cannot run without live evidence." >> "$GITHUB_STEP_SUMMARY"
-            exit 1
+            echo "OPENAI_API_KEY is not configured; live GPT 5.5 lane will be skipped." >> "$GITHUB_STEP_SUMMARY"
+            exit 0
           fi
           kova setup --ci --json
           kova setup --non-interactive --auth env-only --provider openai --env-var OPENAI_API_KEY --json
@@ -272,6 +262,11 @@ jobs:
           set -euo pipefail
           mkdir -p "$REPORT_DIR" "$BUNDLE_DIR" "$SUMMARY_DIR"
 
+          if [[ "$MATRIX_LIVE" == "true" && -z "${OPENAI_API_KEY:-}" ]]; then
+            echo "skipped=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
           repeat="$REQUESTED_REPEAT"
           if [[ "$MATRIX_REPEAT" != "input" ]]; then
             repeat="$MATRIX_REPEAT"
@@ -314,7 +309,24 @@ jobs:
           report_md="${report_json%.json}.md"
           effective_status="$status"
           if [[ "$FAIL_ON_REGRESSION" == "true" && "$status" != "0" ]]; then
-            if node "$PERFORMANCE_HELPER_DIR/scripts/lib/kova-report-gate.mjs" "$report_json"
+            if REPORT_JSON="$report_json" node <<'NODE'
+          const fs = require("node:fs");
+          const report = JSON.parse(fs.readFileSync(process.env.REPORT_JSON, "utf8"));
+          const statuses = report.summary?.statuses ?? {};
+          const nonPassStatuses = Object.entries(statuses)
+            .filter(([status, count]) => status !== "PASS" && Number(count) > 0);
+          const baselineRegressionCount =
+            Number(report.baseline?.comparison?.regressionCount ?? report.gate?.baseline?.regressionCount ?? 0);
+          const gate = report.gate;
+          const toleratedPartial =
+            gate?.verdict === "PARTIAL" &&
+            Number(gate.blockingCount ?? 0) === 0 &&
+            baselineRegressionCount === 0 &&
+            nonPassStatuses.length === 0;
+          if (!toleratedPartial) {
+            process.exit(1);
+          }
+          NODE
             then
               effective_status=0
               {
@@ -365,28 +377,6 @@ jobs:
             exit "$effective_status"
           fi
 
-      - name: Validate Kova evidence
-        if: ${{ always() && steps.lane.outputs.run == 'true' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          missing=0
-          if ! find "$REPORT_DIR" -maxdepth 1 -type f -name '*.json' -size +0c -print -quit | grep -q .; then
-            echo "::error::Kova JSON report is missing for ${LANE_ID}."
-            missing=1
-          fi
-          if [[ ! -s "$BUNDLE_DIR/bundle.json" ]]; then
-            echo "::error::Kova bundle evidence is missing for ${LANE_ID}."
-            missing=1
-          fi
-          if [[ ! -s "$SUMMARY_DIR/${LANE_ID}.md" ]]; then
-            echo "::error::Kova summary evidence is missing for ${LANE_ID}."
-            missing=1
-          fi
-          if [[ "$missing" != "0" ]]; then
-            exit 1
-          fi
-
       - name: Fetch previous source performance baseline
         if: ${{ steps.lane.outputs.run == 'true' && matrix.lane == 'mock-provider' && steps.clawgrit.outputs.present == 'true' }}
         env:
@@ -537,13 +527,6 @@ jobs:
           cleanup_gateway
           trap - EXIT
 
-          if node -e "const fs=require('node:fs'); const scripts=require('./package.json').scripts||{}; process.exit(scripts['test:sqlite:perf:smoke'] && fs.existsSync('scripts/bench-sqlite-state.ts') ? 0 : 1)"; then
-            pnpm test:sqlite:perf:smoke
-            cp .artifacts/sqlite-perf/smoke.json "$SOURCE_PERF_DIR/sqlite-perf-smoke.json"
-          else
-            echo "SQLite state smoke probe is not available in ${TESTED_REF}; continuing with the remaining source probes." >> "$GITHUB_STEP_SUMMARY"
-          fi
-
           summary_args=(node "$PERFORMANCE_HELPER_DIR/scripts/openclaw-performance-source-summary.mjs" \
             --source-dir "$SOURCE_PERF_DIR" \
             --output "$SOURCE_PERF_DIR/index.md")
@@ -564,7 +547,7 @@ jobs:
             .artifacts/kova/bundles/${{ matrix.lane }}
             .artifacts/kova/summaries/${{ matrix.lane }}.md
             .artifacts/openclaw-performance/source/${{ matrix.lane }}
-          if-no-files-found: error
+          if-no-files-found: ignore
           retention-days: ${{ matrix.deep_profile == 'true' && 14 || 30 }}
 
       - name: Prepare clawgrit reports checkout
@@ -621,7 +604,7 @@ jobs:
 
           ## Source probes
 
-          Additional gateway boot, memory, plugin pressure, mock hello-loop, CLI startup, and SQLite state smoke numbers are in [source/index.md](source/index.md).
+          Additional gateway boot, memory, plugin pressure, mock hello-loop, and CLI startup numbers are in [source/index.md](source/index.md).
           EOF
             fi
           fi

.github/workflows/openclaw-release-checks.yml

@@ -132,7 +132,7 @@ jobs:
             fi
           fi
           if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]] && [[ ! "${WORKFLOW_REF}" =~ ^refs/heads/release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]] && [[ ! "${WORKFLOW_REF}" =~ ^refs/heads/release-ci/[0-9a-f]{12}-[0-9]+$ ]] && [[ "${tideclaw_alpha_check}" != "true" ]]; then
-            echo "Release checks must be dispatched from main, release/YYYY.M.PATCH, a Full Release Validation release-ci/<sha>-<timestamp> ref, or a Tideclaw alpha branch for alpha prereleases." >&2
+            echo "Release checks must be dispatched from main, release/YYYY.M.D, a Full Release Validation release-ci/<sha>-<timestamp> ref, or a Tideclaw alpha branch for alpha prereleases." >&2
             exit 1
           fi
 
@@ -346,7 +346,6 @@ jobs:
             discord_selected=false
             whatsapp_selected=false
             slack_selected=false
-            disabled_required_lanes=()
 
             IFS=', ' read -r -a filter_tokens <<< "$filter"
             for token in "${filter_tokens[@]}"; do
@@ -362,9 +361,6 @@ jobs:
                   discord_selected="$qa_live_discord_ci_enabled"
                   whatsapp_selected="$qa_live_whatsapp_ci_enabled"
                   slack_selected="$qa_live_slack_ci_enabled"
-                  [[ "$qa_live_discord_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-discord")
-                  [[ "$qa_live_whatsapp_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-whatsapp")
-                  [[ "$qa_live_slack_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-slack")
                   ;;
                 qa-live-non-slack|qa-non-slack|non-slack|no-slack|without-slack)
                   qa_filter_seen=true
@@ -372,8 +368,6 @@ jobs:
                   telegram_selected=true
                   discord_selected="$qa_live_discord_ci_enabled"
                   whatsapp_selected="$qa_live_whatsapp_ci_enabled"
-                  [[ "$qa_live_discord_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-discord")
-                  [[ "$qa_live_whatsapp_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-whatsapp")
                   ;;
                 qa-live-matrix|qa-matrix|matrix)
                   qa_filter_seen=true
@@ -386,27 +380,18 @@ jobs:
                 qa-live-discord|qa-discord|discord)
                   qa_filter_seen=true
                   discord_selected="$qa_live_discord_ci_enabled"
-                  [[ "$qa_live_discord_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-discord")
                   ;;
                 qa-live-whatsapp|qa-whatsapp|whatsapp)
                   qa_filter_seen=true
                   whatsapp_selected="$qa_live_whatsapp_ci_enabled"
-                  [[ "$qa_live_whatsapp_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-whatsapp")
                   ;;
                 qa-live-slack|qa-slack|slack)
                   qa_filter_seen=true
                   slack_selected="$qa_live_slack_ci_enabled"
-                  [[ "$qa_live_slack_ci_enabled" == "true" ]] || disabled_required_lanes+=("qa-live-slack")
                   ;;
               esac
             done
 
-            if [[ "${#disabled_required_lanes[@]}" -gt 0 ]]; then
-              echo "live_suite_filter explicitly requested disabled QA live lane(s): ${disabled_required_lanes[*]}" >&2
-              echo "Enable the matching OPENCLAW_RELEASE_QA_*_LIVE_CI_ENABLED repo variable or remove the lane from live_suite_filter." >&2
-              exit 1
-            fi
-
             if [[ "$qa_filter_seen" == "true" ]]; then
               qa_live_matrix_enabled="$matrix_selected"
               qa_live_telegram_enabled="$telegram_selected"
@@ -816,7 +801,6 @@ jobs:
         run: node scripts/build-all.mjs qaRuntime
 
       - name: Run parity lane
-        id: run_lane
         env:
           QA_PARITY_LANE: ${{ matrix.lane }}
           QA_PARITY_OUTPUT_DIR: ${{ matrix.output_dir }}
@@ -847,7 +831,6 @@ jobs:
             --output-dir ".artifacts/qa-e2e/${QA_PARITY_OUTPUT_DIR}"
 
       - name: Upload parity lane artifacts
-        id: upload_parity_lane_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -856,52 +839,6 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_lab_parity_lane_release_checks
-          RELEASE_CHECK_VARIANT: ${{ matrix.lane }}
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.run_lane.outcome }} ${{ steps.upload_parity_lane_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}-${RELEASE_CHECK_VARIANT}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'variant=%s\n' "$RELEASE_CHECK_VARIANT"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-parity-${{ matrix.lane }}-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_lab_parity_lane_release_checks-${{ matrix.lane }}.env
-          retention-days: 14
-          if-no-files-found: error
-
   qa_lab_parity_report_release_checks:
     name: Run QA Lab parity report
     needs: [resolve_target, qa_lab_parity_lane_release_checks]
@@ -942,7 +879,6 @@ jobs:
         run: node scripts/build-all.mjs qaRuntime
 
       - name: Generate parity report
-        id: generate_report
         run: |
           pnpm openclaw qa parity-report \
             --repo-root . \
@@ -953,7 +889,6 @@ jobs:
             --output-dir .artifacts/qa-e2e/parity
 
       - name: Upload parity artifacts
-        id: upload_parity_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -962,50 +897,6 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_lab_parity_report_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.generate_report.outcome }} ${{ steps.upload_parity_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-parity-report-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_lab_parity_report_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   qa_lab_runtime_parity_release_checks:
     name: Run QA Lab runtime parity lane
     needs: [resolve_target]
@@ -1059,7 +950,6 @@ jobs:
             --output-dir ".artifacts/qa-e2e/runtime-parity"
 
       - name: Run standard runtime parity tier
-        id: runtime_parity_standard_lane
         if: ${{ always() && steps.runtime_parity_lane.outcome != 'skipped' && steps.runtime_parity_lane.outcome != 'cancelled' }}
         run: |
           set -euo pipefail
@@ -1087,7 +977,6 @@ jobs:
             --output-dir ".artifacts/qa-e2e/runtime-parity-soak"
 
       - name: Generate runtime parity report
-        id: generate_runtime_parity_report
         if: always()
         run: |
           set -euo pipefail
@@ -1098,7 +987,6 @@ jobs:
             --output-dir .artifacts/qa-e2e/runtime-parity-report
 
       - name: Generate standard runtime parity report
-        id: generate_runtime_parity_standard_report
         if: always()
         run: |
           set -euo pipefail
@@ -1109,7 +997,6 @@ jobs:
             --output-dir .artifacts/qa-e2e/runtime-parity-standard-report
 
       - name: Generate soak runtime parity report
-        id: generate_runtime_parity_soak_report
         if: ${{ always() && needs.resolve_target.outputs.run_release_soak == 'true' && steps.runtime_parity_soak_lane.outcome != 'skipped' && steps.runtime_parity_soak_lane.outcome != 'cancelled' }}
         run: |
           set -euo pipefail
@@ -1125,7 +1012,6 @@ jobs:
             --output-dir .artifacts/qa-e2e/runtime-parity-soak-report
 
       - name: Upload runtime parity artifacts
-        id: upload_runtime_parity_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -1134,54 +1020,10 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_lab_runtime_parity_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.runtime_parity_lane.outcome }} ${{ steps.runtime_parity_standard_lane.outcome }} ${{ steps.runtime_parity_soak_lane.outcome }} ${{ steps.generate_runtime_parity_report.outcome }} ${{ steps.generate_runtime_parity_standard_report.outcome }} ${{ steps.generate_runtime_parity_soak_report.outcome }} ${{ steps.upload_runtime_parity_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-runtime-parity-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_lab_runtime_parity_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   runtime_tool_coverage_release_checks:
     name: Enforce QA Lab runtime tool coverage
     needs: [resolve_target, qa_lab_runtime_parity_release_checks]
-    if: contains(fromJSON('["all","qa","qa-parity"]'), needs.resolve_target.outputs.rerun_group)
+    if: always() && contains(fromJSON('["all","qa","qa-parity"]'), needs.resolve_target.outputs.rerun_group)
     runs-on: ubuntu-24.04
     timeout-minutes: 15
     permissions:
@@ -1204,35 +1046,13 @@ jobs:
           node-version: ${{ env.NODE_VERSION }}
           install-bun: "true"
 
-      - name: Download runtime parity status
-        uses: actions/download-artifact@v8
-        with:
-          name: release-check-status-qa-runtime-parity-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/
-
-      - name: Verify runtime parity producer status
-        id: verify_runtime_parity_status
-        shell: bash
-        run: |
-          set -euo pipefail
-          status_path=".artifacts/release-check-status/qa_lab_runtime_parity_release_checks.env"
-          status="$(sed -n 's/^status=//p' "$status_path" | tail -n 1)"
-          if [[ "$status" != "success" ]]; then
-            echo "Runtime parity producer status is ${status:-missing}; skipping coverage artifact consumer."
-            echo "ready=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          echo "ready=true" >> "$GITHUB_OUTPUT"
-
       - name: Download runtime parity artifacts
-        if: steps.verify_runtime_parity_status.outputs.ready == 'true'
         uses: actions/download-artifact@v8
         with:
           name: release-qa-runtime-parity-${{ needs.resolve_target.outputs.revision }}
           path: .artifacts/qa-e2e/
 
       - name: Enforce standard runtime tool coverage
-        if: steps.verify_runtime_parity_status.outputs.ready == 'true'
         run: |
           set -euo pipefail
           pnpm openclaw qa coverage \
@@ -1321,7 +1141,6 @@ jobs:
           done
 
       - name: Upload Matrix QA artifacts
-        id: upload_matrix_qa_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -1330,50 +1149,6 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_live_matrix_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.run_lane.outcome }} ${{ steps.upload_matrix_qa_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-live-matrix-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_live_matrix_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   qa_live_telegram_release_checks:
     name: Run QA Lab live Telegram lane
     needs: [resolve_target]
@@ -1434,6 +1209,7 @@ jobs:
           OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
           OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
           OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
+          OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
         run: |
           set -euo pipefail
 
@@ -1461,7 +1237,6 @@ jobs:
           done
 
       - name: Upload Telegram QA artifacts
-        id: upload_telegram_qa_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -1470,54 +1245,10 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_live_telegram_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.run_lane.outcome }} ${{ steps.upload_telegram_qa_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-live-telegram-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_live_telegram_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   qa_live_discord_release_checks:
     name: Run QA Lab live Discord lane
     needs: [resolve_target]
-    if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.qa_live_discord_enabled == 'true'
+    if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.qa_live_discord_enabled == 'true' && vars.OPENCLAW_RELEASE_QA_DISCORD_LIVE_CI_ENABLED == 'true'
     continue-on-error: true
     runs-on: ubuntu-24.04
     timeout-minutes: 60
@@ -1601,7 +1332,6 @@ jobs:
           done
 
       - name: Upload Discord QA artifacts
-        id: upload_discord_qa_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -1610,54 +1340,10 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_live_discord_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.run_lane.outcome }} ${{ steps.upload_discord_qa_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-live-discord-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_live_discord_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   qa_live_whatsapp_release_checks:
     name: Run QA Lab live WhatsApp lane
     needs: [resolve_target]
-    if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.qa_live_whatsapp_enabled == 'true'
+    if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.qa_live_whatsapp_enabled == 'true' && vars.OPENCLAW_RELEASE_QA_WHATSAPP_LIVE_CI_ENABLED == 'true'
     continue-on-error: true
     runs-on: ubuntu-24.04
     timeout-minutes: 60
@@ -1744,7 +1430,6 @@ jobs:
           done
 
       - name: Upload WhatsApp QA artifacts
-        id: upload_whatsapp_qa_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -1753,54 +1438,10 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_live_whatsapp_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.run_lane.outcome }} ${{ steps.upload_whatsapp_qa_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-live-whatsapp-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_live_whatsapp_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   qa_live_slack_release_checks:
     name: Run QA Lab live Slack lane
     needs: [resolve_target]
-    if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.qa_live_slack_enabled == 'true'
+    if: contains(fromJSON('["all","qa","qa-live"]'), needs.resolve_target.outputs.rerun_group) && needs.resolve_target.outputs.qa_live_slack_enabled == 'true' && vars.OPENCLAW_RELEASE_QA_SLACK_LIVE_CI_ENABLED == 'true'
     continue-on-error: true
     runs-on: ubuntu-24.04
     timeout-minutes: 60
@@ -1884,7 +1525,6 @@ jobs:
           done
 
       - name: Upload Slack QA artifacts
-        id: upload_slack_qa_artifacts
         if: always()
         uses: actions/upload-artifact@v7
         with:
@@ -1893,50 +1533,6 @@ jobs:
           retention-days: 14
           if-no-files-found: warn
 
-      - name: Record advisory status
-        if: always()
-        shell: bash
-        env:
-          RELEASE_CHECK_JOB: qa_live_slack_release_checks
-          JOB_STATUS: ${{ job.status }}
-          RELEASE_CHECK_STEP_OUTCOMES: ${{ steps.run_lane.outcome }} ${{ steps.upload_slack_qa_artifacts.outcome }}
-        run: |
-          set -euo pipefail
-          status="success"
-          mark_status() {
-            case "$1" in
-              failure) status="failure" ;;
-              cancelled)
-                if [[ "$status" != "failure" ]]; then
-                  status="cancelled"
-                fi
-                ;;
-              success|skipped|"") ;;
-              *) status="failure" ;;
-            esac
-          }
-          mark_status "${JOB_STATUS:-}"
-          for outcome in ${RELEASE_CHECK_STEP_OUTCOMES:-}; do
-            mark_status "$outcome"
-          done
-          mkdir -p .artifacts/release-check-status
-          status_path=".artifacts/release-check-status/${RELEASE_CHECK_JOB}.env"
-          {
-            printf 'job=%s\n' "$RELEASE_CHECK_JOB"
-            printf 'status=%s\n' "$status"
-            printf 'job_status=%s\n' "${JOB_STATUS:-}"
-            printf 'step_outcomes=%s\n' "${RELEASE_CHECK_STEP_OUTCOMES:-}"
-          } > "$status_path"
-
-      - name: Upload advisory status
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-check-status-qa-live-slack-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/qa_live_slack_release_checks.env
-          retention-days: 14
-          if-no-files-found: error
-
   summary:
     name: Verify release checks
     needs:
@@ -1957,19 +1553,9 @@ jobs:
       - qa_live_slack_release_checks
     if: always()
     runs-on: ubuntu-24.04
-    permissions:
-      actions: read
+    permissions: {}
     timeout-minutes: 5
     steps:
-      - name: Download advisory status artifacts
-        if: always()
-        continue-on-error: true
-        uses: actions/download-artifact@v8
-        with:
-          pattern: release-check-status-*
-          path: .artifacts/release-check-status
-          merge-multiple: true
-
       - name: Verify release check results
         shell: bash
         env:
@@ -1981,49 +1567,6 @@ jobs:
           if [[ "${WORKFLOW_REF}" =~ ^refs/heads/tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
             tideclaw_alpha=true
           fi
-          release_check_result() {
-            local name="$1"
-            local fallback="$2"
-            local status_dir=".artifacts/release-check-status"
-            local saw=0
-            local saw_failure=0
-            local saw_cancelled=0
-            if [[ -d "$status_dir" ]]; then
-              while IFS= read -r -d '' file; do
-                saw=1
-                status="$(sed -n 's/^status=//p' "$file" | tail -n 1)"
-                case "$status" in
-                  success|skipped) ;;
-                  cancelled) saw_cancelled=1 ;;
-                  failure|"") saw_failure=1 ;;
-                  *) saw_failure=1 ;;
-                esac
-              done < <(find "$status_dir" -type f -name "${name}*.env" -print0)
-            fi
-            if [[ "$saw_failure" == "1" ]]; then
-              printf 'failure\n'
-            elif [[ "$saw_cancelled" == "1" ]]; then
-              printf 'cancelled\n'
-            elif [[ "$fallback" != "success" && "$fallback" != "skipped" ]]; then
-              printf '%s\n' "$fallback"
-            elif [[ "$saw" == "1" ]]; then
-              printf 'success\n'
-            elif [[ "$fallback" == "success" ]]; then
-              printf 'failure\n'
-            else
-              printf '%s\n' "$fallback"
-            fi
-          }
-          advisory_status_override_allowed() {
-            case "$1" in
-              qa_lab_parity_lane_release_checks|qa_lab_parity_report_release_checks|qa_lab_runtime_parity_release_checks|qa_live_matrix_release_checks|qa_live_telegram_release_checks|qa_live_discord_release_checks|qa_live_whatsapp_release_checks|qa_live_slack_release_checks)
-                return 0
-                ;;
-              *)
-                return 1
-                ;;
-            esac
-          }
           for item in \
             "prepare_release_package=${{ needs.prepare_release_package.result }}" \
             "install_smoke_release_checks=${{ needs.install_smoke_release_checks.result }}" \
@@ -2042,12 +1585,7 @@ jobs:
             "qa_live_slack_release_checks=${{ needs.qa_live_slack_release_checks.result }}"
           do
             name="${item%%=*}"
-            raw_result="${item#*=}"
-            if advisory_status_override_allowed "$name"; then
-              result="$(release_check_result "$name" "$raw_result")"
-            else
-              result="$raw_result"
-            fi
+            result="${item#*=}"
             if [[ "$result" != "success" && "$result" != "skipped" ]]; then
               if [[ "$tideclaw_alpha" == "true" ]]; then
                 case "$name" in
@@ -2058,6 +1596,10 @@ jobs:
                     ;;
                 esac
               fi
+              if [[ "$name" == qa_* ]]; then
+                echo "::warning::${name} ended with ${result}; QA release-check lanes are advisory and do not block release validation."
+                continue
+              fi
               echo "::error::${name} ended with ${result}"
               failed=1
             fi

.github/workflows/openclaw-release-publish.yml

@@ -15,14 +15,6 @@ on:
         description: Successful Full Release Validation run id for this tag/SHA, required when publish_openclaw_npm=true
         required: false
         type: string
-      windows_node_tag:
-        description: Exact openclaw-windows-node release tag, required for stable OpenClaw publish
-        required: false
-        type: string
-      windows_node_installer_digests:
-        description: Candidate-approved compact JSON map of Windows installer names to pinned sha256 digests
-        required: false
-        type: string
       npm_telegram_run_id:
         description: Optional successful NPM Telegram Beta E2E run id to include in final release evidence
         required: false
@@ -89,15 +81,12 @@ jobs:
     outputs:
       sha: ${{ steps.manifest.outputs.sha || steps.ref.outputs.sha }}
       preflight_artifact_name: ${{ steps.preflight_artifact.outputs.name }}
-      windows_node_installer_digests: ${{ steps.windows_source.outputs.installer_digests }}
     steps:
       - name: Validate inputs
         env:
           RELEASE_TAG: ${{ inputs.tag }}
           PREFLIGHT_RUN_ID: ${{ inputs.preflight_run_id }}
           FULL_RELEASE_VALIDATION_RUN_ID: ${{ inputs.full_release_validation_run_id }}
-          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
-          WINDOWS_NODE_INSTALLER_DIGESTS: ${{ inputs.windows_node_installer_digests }}
           PUBLISH_OPENCLAW_NPM: ${{ inputs.publish_openclaw_npm && 'true' || 'false' }}
           PLUGIN_PUBLISH_SCOPE: ${{ inputs.plugin_publish_scope }}
           PLUGINS: ${{ inputs.plugins }}
@@ -126,28 +115,12 @@ jobs:
             echo "publish_openclaw_npm=true requires full_release_validation_run_id." >&2
             exit 1
           fi
-          stable_release=true
-          if [[ "${RELEASE_TAG}" == *"-alpha."* || "${RELEASE_TAG}" == *"-beta."* ]]; then
-            stable_release=false
-          fi
-          if [[ -n "${WINDOWS_NODE_TAG}" && ! "${WINDOWS_NODE_TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z]+([.-][0-9A-Za-z]+)*)?$ ]]; then
-            echo "windows_node_tag must be an explicit openclaw-windows-node release tag, not latest: ${WINDOWS_NODE_TAG}" >&2
-            exit 1
-          fi
-          if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" && "${stable_release}" == "true" && -z "${WINDOWS_NODE_TAG}" ]]; then
-            echo "Stable OpenClaw publish requires an explicit windows_node_tag." >&2
-            exit 1
-          fi
-          if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" && "${stable_release}" == "true" && -z "${WINDOWS_NODE_INSTALLER_DIGESTS}" ]]; then
-            echo "Stable OpenClaw publish requires candidate-approved windows_node_installer_digests." >&2
-            exit 1
-          fi
           tideclaw_alpha_publish=false
           if [[ "${RELEASE_TAG}" == *"-alpha."* && "${RELEASE_NPM_DIST_TAG}" == "alpha" && "${WORKFLOW_REF}" =~ ^refs/heads/tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
             tideclaw_alpha_publish=true
           fi
           if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" && "${WORKFLOW_REF}" != "refs/heads/main" && ! "${WORKFLOW_REF}" =~ ^refs/heads/release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ && "${tideclaw_alpha_publish}" != "true" ]]; then
-            echo "publish_openclaw_npm=true requires dispatching this workflow from main, release/YYYY.M.PATCH, or a Tideclaw alpha branch for alpha prereleases." >&2
+            echo "publish_openclaw_npm=true requires dispatching this workflow from main, release/YYYY.M.D, or a Tideclaw alpha branch for alpha prereleases." >&2
             exit 1
           fi
           if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" && "${PLUGIN_PUBLISH_SCOPE}" != "all-publishable" ]]; then
@@ -170,73 +143,6 @@ jobs:
               ;;
           esac
 
-      - name: Validate stable Windows source release
-        id: windows_source
-        if: ${{ inputs.publish_openclaw_npm }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          RELEASE_TAG: ${{ inputs.tag }}
-          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
-          APPROVED_INSTALLER_DIGESTS: ${{ inputs.windows_node_installer_digests }}
-        run: |
-          set -euo pipefail
-          if [[ "${RELEASE_TAG}" == *"-alpha."* || "${RELEASE_TAG}" == *"-beta."* ]]; then
-            exit 0
-          fi
-
-          source_json="$(gh release view "${WINDOWS_NODE_TAG}" \
-            --repo openclaw/openclaw-windows-node \
-            --json tagName,isDraft,isPrerelease,assets,url)"
-          if [[ "$(printf '%s' "${source_json}" | jq -r '.tagName')" != "${WINDOWS_NODE_TAG}" ]]; then
-            echo "Windows source release tag does not match ${WINDOWS_NODE_TAG}." >&2
-            exit 1
-          fi
-          if [[ "$(printf '%s' "${source_json}" | jq -r '.isDraft')" == "true" ]]; then
-            echo "Stable OpenClaw publish requires a published Windows source release." >&2
-            exit 1
-          fi
-          if [[ "$(printf '%s' "${source_json}" | jq -r '.isPrerelease')" == "true" ]]; then
-            echo "Stable OpenClaw publish requires a non-prerelease Windows source release." >&2
-            exit 1
-          fi
-
-          required_assets=(
-            "OpenClawCompanion-Setup-x64.exe"
-            "OpenClawCompanion-Setup-arm64.exe"
-          )
-          required_assets_json="$(printf '%s\n' "${required_assets[@]}" | jq -R . | jq -sc .)"
-          if ! approved_installer_digests="$(printf '%s' "${APPROVED_INSTALLER_DIGESTS}" | jq -ce --argjson names "${required_assets_json}" '
-            if type == "object" and
-              (keys | sort) == ($names | sort) and
-              all(.[]; type == "string" and test("^sha256:[a-f0-9]{64}$"))
-            then .
-            else error("invalid candidate-approved Windows installer digest map")
-            end
-          ')"; then
-            echo "windows_node_installer_digests must contain exactly the candidate-approved current installer asset contract." >&2
-            exit 1
-          fi
-          for asset_name in "${required_assets[@]}"; do
-            asset_matches="$(printf '%s' "${source_json}" | jq -c --arg name "${asset_name}" '[.assets[]? | select(.name == $name)]')"
-            asset_match_count="$(printf '%s' "${asset_matches}" | jq 'length')"
-            if [[ "${asset_match_count}" != "1" ]]; then
-              echo "Windows source release ${WINDOWS_NODE_TAG} must contain exactly one required asset ${asset_name}; found ${asset_match_count}." >&2
-              exit 1
-            fi
-            asset_digest="$(printf '%s' "${asset_matches}" | jq -r '.[0].digest // empty')"
-            if [[ ! "${asset_digest}" =~ ^sha256:[a-f0-9]{64}$ ]]; then
-              echo "Windows source release ${WINDOWS_NODE_TAG} asset ${asset_name} is missing its immutable SHA-256 digest." >&2
-              exit 1
-            fi
-            approved_digest="$(printf '%s' "${approved_installer_digests}" | jq -r --arg name "${asset_name}" '.[$name]')"
-            if [[ "${asset_digest}" != "${approved_digest}" ]]; then
-              echo "Windows source release ${WINDOWS_NODE_TAG} asset ${asset_name} no longer matches its candidate-approved digest." >&2
-              exit 1
-            fi
-          done
-          echo "installer_digests=${approved_installer_digests}" >> "$GITHUB_OUTPUT"
-          echo "- Windows Node source release: prevalidated \`${WINDOWS_NODE_TAG}\`" >> "$GITHUB_STEP_SUMMARY"
-
       - name: Download OpenClaw npm preflight manifest
         id: preflight_artifact
         if: ${{ inputs.publish_openclaw_npm }}
@@ -431,7 +337,6 @@ jobs:
           TARGET_SHA: ${{ steps.manifest.outputs.sha || steps.ref.outputs.sha }}
           RELEASE_PROFILE: ${{ steps.full_manifest.outputs.release_profile || inputs.release_profile }}
           FULL_RELEASE_VALIDATION_RUN_ID: ${{ inputs.full_release_validation_run_id }}
-          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
         run: |
           {
             echo "### Release target"
@@ -442,16 +347,13 @@ jobs:
             if [[ -n "${FULL_RELEASE_VALIDATION_RUN_ID// }" ]]; then
               echo "- Full release validation: \`${FULL_RELEASE_VALIDATION_RUN_ID}\`"
             fi
-            if [[ -n "${WINDOWS_NODE_TAG// }" ]]; then
-              echo "- Windows Node source release: \`${WINDOWS_NODE_TAG}\`"
-            fi
           } >> "$GITHUB_STEP_SUMMARY"
 
   publish:
     name: Publish plugins, then OpenClaw
     needs: [resolve_release_target]
     runs-on: ubuntu-latest
-    timeout-minutes: 120
+    timeout-minutes: 60
     environment: npm-release
     steps:
       - name: Checkout release SHA
@@ -481,19 +383,11 @@ jobs:
           WAIT_FOR_CLAWHUB: ${{ inputs.wait_for_clawhub && 'true' || 'false' }}
           PREFLIGHT_ARTIFACT_NAME: ${{ needs.resolve_release_target.outputs.preflight_artifact_name }}
           NPM_TELEGRAM_RUN_ID: ${{ inputs.npm_telegram_run_id }}
-          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
-          WINDOWS_NODE_INSTALLER_DIGESTS: ${{ needs.resolve_release_target.outputs.windows_node_installer_digests }}
           POSTPUBLISH_EVIDENCE_DIR: ${{ runner.temp }}/openclaw-release-postpublish-evidence
         run: |
           set -euo pipefail
 
-          is_stable_release() {
-            [[ "${RELEASE_TAG}" != *"-alpha."* && "${RELEASE_TAG}" != *"-beta."* ]]
-          }
-
-          dispatch_workflow_at_ref() {
-            local workflow_ref="$1"
-            shift
+          dispatch_workflow() {
             local workflow="$1"
             shift
 
@@ -503,7 +397,7 @@ jobs:
               -F per_page=100 \
               --jq '[.workflow_runs[].id]')"
 
-            dispatch_output="$(gh workflow run --repo "$GITHUB_REPOSITORY" "$workflow" --ref "$workflow_ref" "$@" 2>&1)"
+            dispatch_output="$(gh workflow run --repo "$GITHUB_REPOSITORY" "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@" 2>&1)"
             printf '%s\n' "$dispatch_output" >&2
             run_id="$(
               printf '%s\n' "$dispatch_output" |
@@ -538,10 +432,6 @@ jobs:
             printf '%s\n' "${run_id}"
           }
 
-          dispatch_workflow() {
-            dispatch_workflow_at_ref "$CHILD_WORKFLOW_REF" "$@"
-          }
-
           print_pending_deployments() {
             local workflow="$1"
             local run_id="$2"
@@ -763,128 +653,6 @@ jobs:
             done
           }
 
-          guard_existing_public_release() {
-            local release_version asset_name release_json is_draft has_sha has_proof has_asset release_url
-
-            if [[ "${PUBLISH_OPENCLAW_NPM}" != "true" ]]; then
-              return 0
-            fi
-
-            if ! release_json="$(gh release view "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" --json isDraft,assets,body,url 2>/dev/null)"; then
-              return 0
-            fi
-
-            is_draft="$(printf '%s' "${release_json}" | jq -r '.isDraft')"
-            if [[ "${is_draft}" == "true" ]]; then
-              return 0
-            fi
-
-            release_version="${RELEASE_TAG#v}"
-            asset_name="openclaw-${release_version}-dependency-evidence.zip"
-            has_sha="$(printf '%s' "${release_json}" | jq --arg sha "${TARGET_SHA}" -r '.body | contains($sha)')"
-            has_proof="$(printf '%s' "${release_json}" | jq -r '.body | contains("### Release verification")')"
-            has_asset="$(printf '%s' "${release_json}" | jq --arg name "${asset_name}" -r 'any(.assets[]?; .name == $name)')"
-            release_url="$(printf '%s' "${release_json}" | jq -r '.url')"
-
-            if [[ "${has_sha}" == "true" && "${has_proof}" == "true" && "${has_asset}" == "true" ]]; then
-              return 0
-            fi
-
-            {
-              echo "Release ${RELEASE_TAG} already has a public GitHub release page without complete postpublish evidence for ${TARGET_SHA}."
-              echo "Refusing to reuse a public prerelease tag after publication started: ${release_url}"
-              echo "Create a new beta tag or delete/draft the incomplete public release before retrying."
-            } >&2
-            exit 1
-          }
-
-          guard_openclaw_npm_not_already_published() {
-            local release_version release_url
-
-            if [[ "${PUBLISH_OPENCLAW_NPM}" != "true" ]]; then
-              return 0
-            fi
-
-            release_version="${RELEASE_TAG#v}"
-            if ! npm view "openclaw@${release_version}" version >/dev/null 2>&1; then
-              return 0
-            fi
-
-            release_url="https://github.com/${GITHUB_REPOSITORY}/releases/tag/${RELEASE_TAG}"
-            {
-              echo "openclaw@${release_version} is already published on npm."
-              echo "Refusing to dispatch publish child workflows for an already-published version."
-              echo "If this is recovery from a failed postpublish evidence or draft-release step, repair/finalize the existing draft or create a correction tag; do not rerun the publish workflow for the same npm version."
-              echo "Release page, if present: ${release_url}"
-            } >&2
-            exit 1
-          }
-
-          resolve_clawhub_release_plan() {
-            local -a plan_args
-
-            clawhub_plan_path="${RUNNER_TEMP}/openclaw-release-clawhub-plan.json"
-            plan_args=(
-              --release-tag "${RELEASE_TAG}"
-              --release-publish-branch "${CHILD_WORKFLOW_REF}"
-              --release-publish-run-id "${GITHUB_RUN_ID}"
-              --plugin-publish-scope "${PLUGIN_PUBLISH_SCOPE}"
-            )
-            if [[ -n "${PLUGINS// }" ]]; then
-              plan_args+=(--plugins "${PLUGINS}")
-            fi
-
-            CLAWHUB_REGISTRY="${CLAWHUB_REGISTRY:-https://clawhub.ai}" \
-              node --import tsx scripts/openclaw-release-clawhub-plan.ts "${plan_args[@]}" > "${clawhub_plan_path}"
-
-            echo "Resolved OpenClaw release ClawHub dispatch plan:"
-            cat "${clawhub_plan_path}"
-
-            clawhub_workflow_ref="$(jq -r '.clawHubWorkflowRef' "${clawhub_plan_path}")"
-            normal_plugins="$(jq -r '.summary.normalPlugins' "${clawhub_plan_path}")"
-            bootstrap_plugins="$(jq -r '.summary.bootstrapPlugins' "${clawhub_plan_path}")"
-            missing_trusted_plugins="$(jq -r '.summary.missingTrustedPlugins' "${clawhub_plan_path}")"
-            normal_plugin_count="$(jq -r '.summary.normalCount' "${clawhub_plan_path}")"
-            bootstrap_plugin_count="$(jq -r '.summary.bootstrapCount' "${clawhub_plan_path}")"
-            missing_trusted_plugin_count="$(jq -r '.summary.missingTrustedPublisherCount' "${clawhub_plan_path}")"
-
-            {
-              echo "### ClawHub release plan"
-              echo
-              echo "- Normal OIDC candidates: \`${normal_plugin_count}\`"
-              echo "- Bootstrap/repair candidates: \`${bootstrap_plugin_count}\`"
-              echo "- Existing-package trusted-publisher repairs: \`${missing_trusted_plugin_count}\`"
-              if [[ -n "${normal_plugins}" ]]; then
-                echo "- Normal plugins: \`${normal_plugins}\`"
-              fi
-              if [[ -n "${bootstrap_plugins}" ]]; then
-                echo "- Bootstrap/repair plugins: \`${bootstrap_plugins}\`"
-              fi
-              if [[ -n "${missing_trusted_plugins}" ]]; then
-                echo "- Trusted-publisher repair plugins: \`${missing_trusted_plugins}\`"
-              fi
-            } >> "$GITHUB_STEP_SUMMARY"
-          }
-
-          append_clawhub_dispatch_args() {
-            local target="$1"
-            while IFS=$'\t' read -r key value; do
-              clawhub_dispatch_args+=(-f "${key}=${value}")
-            done < <(jq -r --arg target "${target}" '.[$target].inputs | to_entries[] | [.key, .value] | @tsv' "${clawhub_plan_path}")
-          }
-
-          write_clawhub_runtime_state() {
-            local force_skip_clawhub="$1"
-            local output_path="$2"
-            node --import tsx scripts/openclaw-release-clawhub-runtime-state.ts \
-              --repository "${GITHUB_REPOSITORY}" \
-              --wait-for-clawhub "${WAIT_FOR_CLAWHUB}" \
-              --force-skip-clawhub "${force_skip_clawhub}" \
-              --normal-run-id "${plugin_clawhub_run_id:-}" \
-              --bootstrap-run-id "${plugin_clawhub_bootstrap_run_id:-}" \
-              --bootstrap-completed "${plugin_clawhub_bootstrap_completed:-false}" > "${output_path}"
-          }
-
           create_or_update_github_release() {
             local release_version notes_version title notes_file changelog_file latest_arg prerelease_args
             release_version="${RELEASE_TAG#v}"
@@ -930,115 +698,14 @@ jobs:
             else
               gh release create "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" \
                 --verify-tag \
-                --draft \
                 --title "${title}" \
                 --notes-file "${notes_file}" \
                 "${prerelease_args[@]}" \
                 "${latest_arg}"
             fi
-            echo "- GitHub release draft: https://github.com/${GITHUB_REPOSITORY}/releases/tag/${RELEASE_TAG}" >> "$GITHUB_STEP_SUMMARY"
-          }
-
-          publish_github_release() {
-            if is_stable_release; then
-              verify_windows_release_asset_contract
-            fi
-            gh release edit "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" --draft=false
             echo "- GitHub release: https://github.com/${GITHUB_REPOSITORY}/releases/tag/${RELEASE_TAG}" >> "$GITHUB_STEP_SUMMARY"
           }
 
-          verify_windows_release_asset_contract() {
-            local actual_companion_assets actual_digest asset_name expected_companion_assets expected_digest expected_hash expected_installer_names manifest_dir manifest_json manifest_path release_json
-            # Add future promoted installer names, such as MSIX x64/ARM64, here.
-            local -a installer_assets=(
-              "OpenClawCompanion-Setup-x64.exe"
-              "OpenClawCompanion-Setup-arm64.exe"
-            )
-            local -a required_assets=(
-              "${installer_assets[@]}"
-              "OpenClawCompanion-SHA256SUMS.txt"
-            )
-
-            release_json="$(gh release view "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" --json assets,url)"
-            expected_companion_assets="$(printf '%s\n' "${required_assets[@]}" | jq -R . | jq -sc 'sort')"
-            actual_companion_assets="$(printf '%s' "${release_json}" | jq -c '
-              [.assets[]? | select(.name | startswith("OpenClawCompanion-")) | .name] | sort
-            ')"
-            if [[ "${actual_companion_assets}" != "${expected_companion_assets}" ]]; then
-              echo "Stable release OpenClawCompanion asset names do not exactly match the current contract." >&2
-              return 1
-            fi
-            for asset_name in "${required_assets[@]}"; do
-              if ! printf '%s' "${release_json}" | jq -e --arg name "${asset_name}" 'any(.assets[]?; .name == $name)' >/dev/null; then
-                echo "Stable release is missing required Windows asset ${asset_name}." >&2
-                return 1
-              fi
-            done
-
-            manifest_dir="${RUNNER_TEMP}/openclaw-windows-release-contract"
-            manifest_path="${manifest_dir}/OpenClawCompanion-SHA256SUMS.txt"
-            rm -rf "${manifest_dir}"
-            mkdir -p "${manifest_dir}"
-            gh release download "${RELEASE_TAG}" \
-              --repo "$GITHUB_REPOSITORY" \
-              --pattern "OpenClawCompanion-SHA256SUMS.txt" \
-              --dir "${manifest_dir}"
-            if ! manifest_json="$(jq -Rsc '
-              split("\n") as $lines |
-              (if $lines[-1] == "" then $lines[0:-1] else $lines end) |
-              map(sub("\r$"; "")) |
-              if all(.[]; test("^(?<hash>[a-f0-9]{64})  (?<name>[^/\\\\]+)$"))
-              then map(capture("^(?<hash>[a-f0-9]{64})  (?<name>[^/\\\\]+)$"))
-              else error("malformed Windows checksum manifest entry")
-              end
-            ' "${manifest_path}")"; then
-              echo "Stable release Windows checksum manifest contains malformed entries." >&2
-              return 1
-            fi
-            expected_installer_names="$(printf '%s\n' "${installer_assets[@]}" | jq -R . | jq -sc 'sort')"
-            if ! printf '%s' "${manifest_json}" | jq -e --argjson expected "${expected_installer_names}" '
-              length == ($expected | length) and
-              ([.[].name] | sort) == $expected and
-              ([.[].name] | unique | length) == length
-            ' >/dev/null; then
-              echo "Stable release Windows checksum manifest does not exactly match the installer asset contract." >&2
-              return 1
-            fi
-            for asset_name in "${installer_assets[@]}"; do
-              expected_digest="$(printf '%s' "${WINDOWS_NODE_INSTALLER_DIGESTS}" | jq -r --arg name "${asset_name}" '.[$name] // empty')"
-              actual_digest="$(printf '%s' "${release_json}" | jq -r --arg name "${asset_name}" '.assets[]? | select(.name == $name) | .digest // empty')"
-              if [[ -z "${expected_digest}" || "${actual_digest}" != "${expected_digest}" ]]; then
-                echo "Stable release Windows asset ${asset_name} does not match its pinned digest." >&2
-                return 1
-              fi
-              expected_hash="${expected_digest#sha256:}"
-              if ! printf '%s' "${manifest_json}" | jq -e --arg name "${asset_name}" --arg hash "${expected_hash}" '
-                any(.[]; .name == $name and .hash == $hash)
-              ' >/dev/null; then
-                echo "Stable release Windows checksum manifest does not match pinned digest for ${asset_name}." >&2
-                return 1
-              fi
-            done
-            echo "- Windows Hub asset contract: verified" >> "$GITHUB_STEP_SUMMARY"
-          }
-
-          promote_windows_release_assets() {
-            if ! is_stable_release; then
-              return 0
-            fi
-            if [[ -z "${WINDOWS_NODE_INSTALLER_DIGESTS// }" ]]; then
-              echo "Stable release is missing prevalidated Windows installer digests." >&2
-              return 1
-            fi
-
-            windows_node_run_id="$(dispatch_workflow windows-node-release.yml \
-              -f tag="${RELEASE_TAG}" \
-              -f windows_node_tag="${WINDOWS_NODE_TAG}" \
-              -f expected_installer_digests="${WINDOWS_NODE_INSTALLER_DIGESTS}")"
-            echo "- Windows Node release run ID: \`${windows_node_run_id}\`" >> "$GITHUB_STEP_SUMMARY"
-            wait_for_run windows-node-release.yml "${windows_node_run_id}"
-          }
-
           upload_dependency_evidence_release_asset() {
             local release_version download_dir asset_path asset_name artifact_name
             release_version="${RELEASE_TAG#v}"
@@ -1068,11 +735,9 @@ jobs:
           }
 
           verify_published_release() {
-            local release_version evidence_path skip_clawhub clawhub_runtime_state_path
+            local release_version evidence_path
             local -a verify_args
 
-            skip_clawhub="${1:-false}"
-
             release_version="${RELEASE_TAG#v}"
             evidence_path="${POSTPUBLISH_EVIDENCE_DIR}/release-postpublish-evidence.json"
             mkdir -p "${POSTPUBLISH_EVIDENCE_DIR}"
@@ -1085,18 +750,16 @@ jobs:
               --dist-tag "${RELEASE_NPM_DIST_TAG}"
               --repo "${GITHUB_REPOSITORY}"
               --workflow-ref "${CHILD_WORKFLOW_REF}"
-              --clawhub-workflow-ref "${clawhub_workflow_ref}"
               --full-release-validation-run "${FULL_RELEASE_VALIDATION_RUN_ID}"
               --plugin-npm-run "${plugin_npm_run_id}"
               --openclaw-npm-run "${openclaw_npm_run_id}"
               --evidence-out "${evidence_path}"
-              --skip-github-release
             )
-            clawhub_runtime_state_path="${RUNNER_TEMP}/openclaw-release-clawhub-runtime-state-verify.json"
-            write_clawhub_runtime_state "${skip_clawhub}" "${clawhub_runtime_state_path}"
-            while IFS= read -r arg; do
-              verify_args+=("${arg}")
-            done < <(jq -r '.verifierArgs[]' "${clawhub_runtime_state_path}")
+            if [[ "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
+              verify_args+=(--plugin-clawhub-run "${plugin_clawhub_run_id}")
+            else
+              verify_args+=(--skip-clawhub)
+            fi
             if [[ -n "${PLUGINS// }" ]]; then
               verify_args+=(--plugins "${PLUGINS}")
             fi
@@ -1112,14 +775,13 @@ jobs:
           }
 
           append_release_proof_to_github_release() {
-            local release_version body_file notes_file evidence_path tarball integrity telegram_line clawhub_line clawhub_bootstrap_line clawhub_runtime_state_path windows_line
+            local release_version body_file notes_file tarball integrity telegram_line clawhub_line
 
             release_version="${RELEASE_TAG#v}"
             body_file="${RUNNER_TEMP}/release-body.md"
             notes_file="${RUNNER_TEMP}/release-notes-with-proof.md"
-            evidence_path="${POSTPUBLISH_EVIDENCE_DIR}/release-postpublish-evidence.json"
-            tarball="$(jq -er '.openclawNpmTarball | select(type == "string" and length > 0)' "${evidence_path}")"
-            integrity="$(jq -er '.openclawNpmIntegrity | select(type == "string" and length > 0)' "${evidence_path}")"
+            tarball="$(npm view "openclaw@${release_version}" dist.tarball --json | jq -r '.')"
+            integrity="$(npm view "openclaw@${release_version}" dist.integrity --json | jq -r '.')"
             gh release view "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" --json body --jq .body > "${body_file}"
 
             if [[ -n "${NPM_TELEGRAM_RUN_ID// }" ]]; then
@@ -1127,20 +789,16 @@ jobs:
             else
               telegram_line="- npm Telegram beta E2E: not supplied"
             fi
-            clawhub_runtime_state_path="${RUNNER_TEMP}/openclaw-release-clawhub-runtime-state-proof.json"
-            write_clawhub_runtime_state false "${clawhub_runtime_state_path}"
-            clawhub_line="$(jq -r '.proofLines.normal' "${clawhub_runtime_state_path}")"
-            clawhub_bootstrap_line="$(jq -r '.proofLines.bootstrap' "${clawhub_runtime_state_path}")"
-            windows_line=""
-            if [[ -n "${windows_node_run_id// }" ]]; then
-              windows_line="- Windows Hub promotion: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${windows_node_run_id} from openclaw/openclaw-windows-node@${WINDOWS_NODE_TAG}"
+            if [[ "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
+              clawhub_line="- plugin ClawHub publish: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${plugin_clawhub_run_id}"
+            else
+              clawhub_line="- plugin ClawHub publish: dispatched separately, not awaited by this proof: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${plugin_clawhub_run_id}"
             fi
 
             RELEASE_BODY_FILE="${body_file}" \
               RELEASE_NOTES_FILE="${notes_file}" \
               RELEASE_VERSION="${release_version}" \
               RELEASE_TAG="${RELEASE_TAG}" \
-              RELEASE_SHA="${TARGET_SHA}" \
               RELEASE_REPO="${GITHUB_REPOSITORY}" \
               RELEASE_TARBALL="${tarball}" \
               RELEASE_INTEGRITY="${integrity}" \
@@ -1150,9 +808,7 @@ jobs:
               PLUGIN_NPM_RUN_ID="${plugin_npm_run_id}" \
               OPENCLAW_NPM_RUN_ID="${openclaw_npm_run_id}" \
               CLAWHUB_LINE="${clawhub_line}" \
-              CLAWHUB_BOOTSTRAP_LINE="${clawhub_bootstrap_line}" \
               TELEGRAM_LINE="${telegram_line}" \
-              WINDOWS_LINE="${windows_line}" \
               node --input-type=module <<'NODE'
           import { readFileSync, writeFileSync } from "node:fs";
 
@@ -1169,17 +825,14 @@ jobs:
             `- npm package: https://www.npmjs.com/package/openclaw/v/${process.env.RELEASE_VERSION}`,
             `- registry tarball: ${process.env.RELEASE_TARBALL}`,
             `- integrity: \`${process.env.RELEASE_INTEGRITY}\``,
-            `- release SHA: \`${process.env.RELEASE_SHA}\``,
             `- full release CI report: https://github.com/openclaw/releases/blob/main/evidence/${process.env.RELEASE_VERSION}/release-evidence.md`,
             `- release publish: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.RELEASE_PUBLISH_RUN_ID}`,
             `- npm preflight: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.PREFLIGHT_RUN_ID}`,
             `- full release validation: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.FULL_RELEASE_VALIDATION_RUN_ID}`,
             `- plugin npm publish: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.PLUGIN_NPM_RUN_ID}`,
             process.env.CLAWHUB_LINE,
-            process.env.CLAWHUB_BOOTSTRAP_LINE,
             `- OpenClaw npm publish: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.OPENCLAW_NPM_RUN_ID}`,
             process.env.TELEGRAM_LINE,
-            ...(process.env.WINDOWS_LINE ? [process.env.WINDOWS_LINE] : []),
           ].join("\n");
 
           const withoutOldProof = body.replace(/\n?### Release verification\n[\s\S]*?(?=\n### |\n## |$)/, "");
@@ -1194,7 +847,6 @@ jobs:
             echo "### Publish sequence"
             echo
             echo "- Workflow ref: \`${CHILD_WORKFLOW_REF}\`"
-            echo "- ClawHub workflow ref: release tag \`${RELEASE_TAG}\`"
             echo "- Release tag: \`${RELEASE_TAG}\`"
             echo "- Release SHA: \`${TARGET_SHA}\`"
             echo "- Release approval: this workflow job"
@@ -1204,9 +856,6 @@ jobs:
             else
               echo "- OpenClaw npm publish: skipped by input"
             fi
-            if is_stable_release && [[ "${PUBLISH_OPENCLAW_NPM}" == "true" ]]; then
-              echo "- Windows Hub promotion: required before the GitHub release can be published"
-            fi
             if [[ "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
               echo "- Workflow completion waits for ClawHub"
             else
@@ -1214,68 +863,26 @@ jobs:
             fi
           } >> "$GITHUB_STEP_SUMMARY"
 
-          guard_existing_public_release
-          guard_openclaw_npm_not_already_published
-          resolve_clawhub_release_plan
-
           npm_args=(-f publish_scope="${PLUGIN_PUBLISH_SCOPE}" -f ref="${TARGET_SHA}" -f release_publish_run_id="${GITHUB_RUN_ID}")
+          clawhub_args=(-f publish_scope="${PLUGIN_PUBLISH_SCOPE}" -f ref="${TARGET_SHA}" -f release_publish_run_id="${GITHUB_RUN_ID}")
           if [[ -n "${PLUGINS}" ]]; then
             npm_args+=(-f plugins="${PLUGINS}")
+            clawhub_args+=(-f plugins="${PLUGINS}")
           fi
 
           plugin_npm_run_id="$(dispatch_workflow plugin-npm-release.yml "${npm_args[@]}")"
-          plugin_clawhub_run_id=""
-          if [[ "$(jq -r '.normal.shouldDispatch' "${clawhub_plan_path}")" == "true" ]]; then
-            clawhub_dispatch_args=()
-            append_clawhub_dispatch_args normal
-            plugin_clawhub_run_id="$(dispatch_workflow_at_ref \
-              "$(jq -r '.normal.ref' "${clawhub_plan_path}")" \
-              "$(jq -r '.normal.workflow' "${clawhub_plan_path}")" \
-              "${clawhub_dispatch_args[@]}")"
-          else
-            echo "- plugin-clawhub-release.yml: no normal OIDC candidates" >> "$GITHUB_STEP_SUMMARY"
-          fi
-          plugin_clawhub_bootstrap_run_id=""
-          plugin_clawhub_bootstrap_completed="false"
-          if [[ "$(jq -r '.bootstrap.shouldDispatch' "${clawhub_plan_path}")" == "true" ]]; then
-            clawhub_dispatch_args=()
-            append_clawhub_dispatch_args bootstrap
-            plugin_clawhub_bootstrap_run_id="$(dispatch_workflow_at_ref \
-              "$(jq -r '.bootstrap.ref' "${clawhub_plan_path}")" \
-              "$(jq -r '.bootstrap.workflow' "${clawhub_plan_path}")" \
-              "${clawhub_dispatch_args[@]}")"
-          else
-            echo "- plugin-clawhub-new.yml: no bootstrap candidates" >> "$GITHUB_STEP_SUMMARY"
-          fi
+          plugin_clawhub_run_id="$(dispatch_workflow plugin-clawhub-release.yml "${clawhub_args[@]}")"
           {
             echo "- Plugin npm run ID: \`${plugin_npm_run_id}\`"
-            echo "- Plugin ClawHub run ID: \`${plugin_clawhub_run_id:-none}\`"
-            echo "- Plugin ClawHub bootstrap run ID: \`${plugin_clawhub_bootstrap_run_id:-none}\`"
+            echo "- Plugin ClawHub run ID: \`${plugin_clawhub_run_id}\`"
           } >> "$GITHUB_STEP_SUMMARY"
 
           if ! wait_for_run plugin-npm-release.yml "${plugin_npm_run_id}"; then
-            echo "Plugin npm publish failed; cancelling dispatched ClawHub child workflows." >&2
-            if [[ -n "${plugin_clawhub_run_id}" ]]; then
-              gh run cancel --repo "$GITHUB_REPOSITORY" "${plugin_clawhub_run_id}" >/dev/null 2>&1 || true
-            fi
-            if [[ -n "${plugin_clawhub_bootstrap_run_id}" ]]; then
-              gh run cancel --repo "$GITHUB_REPOSITORY" "${plugin_clawhub_bootstrap_run_id}" >/dev/null 2>&1 || true
-            fi
+            echo "Plugin npm publish failed; cancelling ClawHub publish child ${plugin_clawhub_run_id}." >&2
+            gh run cancel --repo "$GITHUB_REPOSITORY" "${plugin_clawhub_run_id}" >/dev/null 2>&1 || true
             exit 1
           fi
 
-          if [[ -n "${plugin_clawhub_bootstrap_run_id}" && "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
-            echo "Waiting for plugin-clawhub-new.yml bootstrap to finish before continuing release publish."
-            if wait_for_run plugin-clawhub-new.yml "${plugin_clawhub_bootstrap_run_id}"; then
-              plugin_clawhub_bootstrap_completed="true"
-            else
-              if [[ -n "${plugin_clawhub_run_id}" ]]; then
-                gh run cancel --repo "$GITHUB_REPOSITORY" "${plugin_clawhub_run_id}" >/dev/null 2>&1 || true
-              fi
-              exit 1
-            fi
-          fi
-
           openclaw_npm_run_id=""
           if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" ]]; then
             openclaw_npm_run_id="$(dispatch_workflow openclaw-npm-release.yml \
@@ -1292,52 +899,19 @@ jobs:
 
           clawhub_result=""
           clawhub_pid=""
-          clawhub_bootstrap_result=""
-          clawhub_bootstrap_pid=""
           if [[ "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
-            if [[ -n "${plugin_clawhub_run_id}" ]]; then
-              clawhub_result="$RUNNER_TEMP/clawhub-result.txt"
-              wait_run_pid=""
-              wait_for_run_background plugin-clawhub-release.yml "${plugin_clawhub_run_id}" "${clawhub_result}"
-              clawhub_pid="${wait_run_pid}"
-            fi
-            if [[ -n "${plugin_clawhub_bootstrap_run_id}" ]]; then
-              if [[ "${plugin_clawhub_bootstrap_completed}" == "true" ]]; then
-                echo "- plugin-clawhub-new.yml: bootstrap already completed before continuing" >> "$GITHUB_STEP_SUMMARY"
-              else
-                clawhub_bootstrap_result="$RUNNER_TEMP/clawhub-bootstrap-result.txt"
-                wait_run_pid=""
-                wait_for_run_background plugin-clawhub-new.yml "${plugin_clawhub_bootstrap_run_id}" "${clawhub_bootstrap_result}"
-                clawhub_bootstrap_pid="${wait_run_pid}"
-              fi
-            fi
+            clawhub_result="$RUNNER_TEMP/clawhub-result.txt"
+            wait_run_pid=""
+            wait_for_run_background plugin-clawhub-release.yml "${plugin_clawhub_run_id}" "${clawhub_result}"
+            clawhub_pid="${wait_run_pid}"
           else
-            if [[ -n "${plugin_clawhub_run_id}" ]]; then
-              wait_for_job_success plugin-clawhub-release.yml "${plugin_clawhub_run_id}" "Validate release publish approval"
-              if approve_child_publish_environment plugin-clawhub-release.yml "${plugin_clawhub_run_id}"; then
-                :
-              else
-                echo "- plugin-clawhub-release.yml: child environment gate not ready; publish was left dispatched (${plugin_clawhub_run_id})" >> "$GITHUB_STEP_SUMMARY"
-              fi
-              echo "- plugin-clawhub-release.yml: publish not awaited (${plugin_clawhub_run_id})" >> "$GITHUB_STEP_SUMMARY"
+            wait_for_job_success plugin-clawhub-release.yml "${plugin_clawhub_run_id}" "Validate release publish approval"
+            if approve_child_publish_environment plugin-clawhub-release.yml "${plugin_clawhub_run_id}"; then
+              :
             else
-              echo "- plugin-clawhub-release.yml: no normal OIDC publish to await" >> "$GITHUB_STEP_SUMMARY"
-            fi
-            if [[ -n "${plugin_clawhub_bootstrap_run_id}" ]]; then
-              if [[ "${plugin_clawhub_bootstrap_completed}" == "true" ]]; then
-                echo "- plugin-clawhub-new.yml: bootstrap already completed before continuing" >> "$GITHUB_STEP_SUMMARY"
-              else
-                wait_for_job_success plugin-clawhub-new.yml "${plugin_clawhub_bootstrap_run_id}" "Validate release publish approval"
-                if approve_child_publish_environment plugin-clawhub-new.yml "${plugin_clawhub_bootstrap_run_id}"; then
-                  :
-                else
-                  echo "- plugin-clawhub-new.yml: child environment gate not ready; bootstrap was left dispatched (${plugin_clawhub_bootstrap_run_id})" >> "$GITHUB_STEP_SUMMARY"
-                fi
-                echo "- plugin-clawhub-new.yml: bootstrap not awaited (${plugin_clawhub_bootstrap_run_id})" >> "$GITHUB_STEP_SUMMARY"
-              fi
-            else
-              echo "- plugin-clawhub-new.yml: no bootstrap publish to await" >> "$GITHUB_STEP_SUMMARY"
+              echo "- plugin-clawhub-release.yml: child environment gate not ready; publish was left dispatched (${plugin_clawhub_run_id})" >> "$GITHUB_STEP_SUMMARY"
             fi
+            echo "- plugin-clawhub-release.yml: publish not awaited (${plugin_clawhub_run_id})" >> "$GITHUB_STEP_SUMMARY"
           fi
 
           openclaw_result=""
@@ -1351,7 +925,6 @@ jobs:
 
           failed=0
           openclaw_failed=0
-          windows_node_run_id=""
           if [[ -n "${openclaw_pid}" ]] && ! wait "${openclaw_pid}"; then
             failed=1
             openclaw_failed=1
@@ -1361,36 +934,21 @@ jobs:
             openclaw_failed=1
           fi
 
+          if [[ -n "${openclaw_npm_run_id}" && "${openclaw_failed}" == "0" ]]; then
+            create_or_update_github_release
+            upload_dependency_evidence_release_asset
+          fi
+
           if [[ -n "${clawhub_pid}" ]] && ! wait "${clawhub_pid}"; then
             failed=1
           fi
           if [[ -f "${clawhub_result}" && "$(cat "${clawhub_result}")" != "success" ]]; then
             failed=1
           fi
-          if [[ -n "${clawhub_bootstrap_pid}" ]] && ! wait "${clawhub_bootstrap_pid}"; then
-            failed=1
-          fi
-          if [[ -f "${clawhub_bootstrap_result}" && "$(cat "${clawhub_bootstrap_result}")" != "success" ]]; then
-            failed=1
-          fi
 
-          if [[ -n "${openclaw_npm_run_id}" && "${openclaw_failed}" == "0" ]]; then
-            if [[ "${failed}" == "0" ]]; then
-              verify_published_release
-            else
-              verify_published_release true
-            fi
-            create_or_update_github_release
-            upload_dependency_evidence_release_asset
-            if ! promote_windows_release_assets; then
-              failed=1
-            fi
+          if [[ "${failed}" == "0" && -n "${openclaw_npm_run_id}" ]]; then
+            verify_published_release
             append_release_proof_to_github_release
-            if [[ "${failed}" == "0" ]]; then
-              publish_github_release
-            else
-              echo "- GitHub release: left as draft because a required publish child failed" >> "$GITHUB_STEP_SUMMARY"
-            fi
           fi
           if [[ "${failed}" != "0" ]]; then
             exit 1

.github/workflows/opengrep-precise-full.yml

@@ -53,7 +53,7 @@ jobs:
           scripts/run-opengrep.sh --sarif --error
 
       - name: Upload SARIF to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v4.36.2
+        uses: github/codeql-action/upload-sarif@v4
         # Only upload if the scan actually produced a SARIF file.
         if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
         with:

.github/workflows/opengrep-precise.yml

@@ -84,7 +84,7 @@ jobs:
           scripts/run-opengrep.sh --changed --sarif --error
 
       - name: Upload SARIF to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v4.36.2
+        uses: github/codeql-action/upload-sarif@v4
         # Only upload if the scan actually produced a SARIF file.
         if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
         with:

.github/workflows/plugin-clawhub-new.yml

@@ -1,504 +0,0 @@
-name: Plugin ClawHub New
-
-on:
-  workflow_dispatch:
-    inputs:
-      plugins:
-        description: Comma-separated plugin package names to bootstrap on ClawHub
-        required: true
-        type: string
-      ref:
-        description: Commit SHA on main, a release branch, or the matching Tideclaw alpha branch to publish from; defaults to the workflow ref
-        required: false
-        default: ""
-        type: string
-      release_publish_run_id:
-        description: Approved OpenClaw Release Publish workflow run id
-        required: false
-        type: string
-      release_publish_branch:
-        description: Branch name of the approving OpenClaw Release Publish workflow run
-        required: false
-        type: string
-      dry_run:
-        description: Validate the token-gated ClawHub bootstrap handoff without publishing.
-        required: false
-        default: false
-        type: boolean
-
-concurrency:
-  group: plugin-clawhub-new-${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  NODE_VERSION: "24.15.0"
-  CLAWHUB_REGISTRY: "https://clawhub.ai"
-  CLAWHUB_CLI_PACKAGE: "clawhub@0.21.0"
-
-jobs:
-  resolve_bootstrap_plan:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      ref_revision: ${{ steps.ref.outputs.sha }}
-      has_bootstrap_candidates: ${{ steps.plan.outputs.has_bootstrap_candidates }}
-      bootstrap_candidate_count: ${{ steps.plan.outputs.bootstrap_candidate_count }}
-      matrix: ${{ steps.plan.outputs.matrix }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-          ref: ${{ github.ref }}
-          fetch-depth: 0
-
-      - name: Resolve checked-out ref
-        id: ref
-        env:
-          TARGET_REF: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || '' }}
-        run: |
-          set -euo pipefail
-          git fetch --no-tags origin \
-            +refs/heads/main:refs/remotes/origin/main \
-            '+refs/heads/release/*:refs/remotes/origin/release/*'
-          if [[ -n "${TARGET_REF}" ]]; then
-            if git rev-parse --verify --quiet "${TARGET_REF}^{commit}" >/dev/null; then
-              target_sha="$(git rev-parse "${TARGET_REF}^{commit}")"
-            elif git rev-parse --verify --quiet "origin/${TARGET_REF}^{commit}" >/dev/null; then
-              target_sha="$(git rev-parse "origin/${TARGET_REF}^{commit}")"
-            else
-              echo "Unable to resolve requested publish ref: ${TARGET_REF}" >&2
-              exit 1
-            fi
-            git checkout --detach "${target_sha}"
-          fi
-          echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
-
-      - name: Validate ref is on a trusted publish branch
-        env:
-          TRUSTED_PUBLISH_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
-        run: |
-          set -euo pipefail
-          if git merge-base --is-ancestor HEAD origin/main; then
-            exit 0
-          fi
-          while IFS= read -r release_ref; do
-            if git merge-base --is-ancestor HEAD "${release_ref}"; then
-              exit 0
-            fi
-          done < <(git for-each-ref --format='%(refname)' refs/remotes/origin/release)
-          if [[ "${TRUSTED_PUBLISH_BRANCH}" =~ ^tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
-            alpha_branch="${TRUSTED_PUBLISH_BRANCH}"
-            git fetch --no-tags origin "+refs/heads/${alpha_branch}:refs/remotes/origin/${alpha_branch}"
-            if git merge-base --is-ancestor HEAD "refs/remotes/origin/${alpha_branch}"; then
-              exit 0
-            fi
-          fi
-          echo "Plugin ClawHub bootstraps must target a commit reachable from main, release/*, or the matching Tideclaw alpha branch." >&2
-          exit 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          install-bun: "false"
-
-      - name: Validate publishable plugin metadata
-        env:
-          RELEASE_PLUGINS: ${{ inputs.plugins }}
-        run: |
-          set -euo pipefail
-          if [[ -z "${RELEASE_PLUGINS// }" ]]; then
-            echo "Plugin ClawHub bootstrap requires at least one package name in plugins." >&2
-            exit 1
-          fi
-          pnpm release:plugins:clawhub:check -- --selection-mode selected --plugins "${RELEASE_PLUGINS}"
-
-      - name: Resolve plugin bootstrap plan
-        id: plan
-        env:
-          RELEASE_PLUGINS: ${{ inputs.plugins }}
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-        run: |
-          set -euo pipefail
-          mkdir -p .local
-          node --import tsx scripts/plugin-clawhub-release-plan.ts \
-            --selection-mode selected \
-            --plugins "${RELEASE_PLUGINS}" > .local/plugin-clawhub-release-plan.json
-
-          cat .local/plugin-clawhub-release-plan.json
-
-          bootstrap_candidate_count="$(jq -r '(.bootstrapCandidates | length) + (.missingTrustedPublisher | length)' .local/plugin-clawhub-release-plan.json)"
-          selected_count="$(jq -r '.all | length' .local/plugin-clawhub-release-plan.json)"
-          matrix_json="$(
-            jq -c '
-              [
-                .bootstrapCandidates[]? + {
-                  bootstrapMode: "publish",
-                  requiresManualOverride: false
-                },
-                .missingTrustedPublisher[]? + {
-                  bootstrapMode: (if .alreadyPublished then "configure-only" else "publish" end),
-                  requiresManualOverride: true
-                }
-              ]
-            ' .local/plugin-clawhub-release-plan.json
-          )"
-          has_bootstrap_candidates="false"
-          if [[ "${bootstrap_candidate_count}" != "0" ]]; then
-            has_bootstrap_candidates="true"
-          fi
-
-          invalid_scope="$(
-            jq -r '
-              (.bootstrapCandidates[]?, .missingTrustedPublisher[]?)
-              | select(.packageName | startswith("@openclaw/") | not)
-              | "- \(.packageName)@\(.version)"
-            ' .local/plugin-clawhub-release-plan.json
-          )"
-          if [[ -n "${invalid_scope}" ]]; then
-            echo "Plugin ClawHub bootstrap only supports @openclaw/* packages." >&2
-            printf '%s\n' "${invalid_scope}" >&2
-            exit 1
-          fi
-
-          not_bootstrap="$(
-            jq -r '
-              (.bootstrapCandidates | map(.packageName)) as $bootstrapNames
-              | (.missingTrustedPublisher | map(.packageName)) as $repairNames
-              | .all[]?
-              | select(.packageName as $name | ($bootstrapNames + $repairNames | index($name) | not))
-              | "- \(.packageName)@\(.version)"
-            ' .local/plugin-clawhub-release-plan.json
-          )"
-          if [[ -n "${not_bootstrap}" ]]; then
-            echo "Selected packages must all be first-publish bootstrap candidates or trusted-publisher repair candidates." >&2
-            printf '%s\n' "${not_bootstrap}" >&2
-            exit 1
-          fi
-          if [[ "${selected_count}" == "0" || "${bootstrap_candidate_count}" == "0" ]]; then
-            echo "No selected packages require ClawHub bootstrap." >&2
-            exit 1
-          fi
-
-          {
-            echo "bootstrap_candidate_count=${bootstrap_candidate_count}"
-            echo "has_bootstrap_candidates=${has_bootstrap_candidates}"
-            echo "matrix=${matrix_json}"
-          } >> "$GITHUB_OUTPUT"
-
-          echo "ClawHub bootstrap candidates:"
-          jq -r '
-            .bootstrapCandidates[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"
-          ' .local/plugin-clawhub-release-plan.json
-          echo "ClawHub trusted-publisher repair candidates:"
-          jq -r '
-            .missingTrustedPublisher[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir), alreadyPublished=\(.alreadyPublished)"
-          ' .local/plugin-clawhub-release-plan.json
-
-      - name: Validate Tideclaw alpha plugin channels
-        env:
-          TRUSTED_PUBLISH_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
-        run: |
-          set -euo pipefail
-          if [[ ! "${TRUSTED_PUBLISH_BRANCH}" =~ ^tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
-            exit 0
-          fi
-          invalid="$(
-            jq -r '
-              (.bootstrapCandidates[]?, .missingTrustedPublisher[]?)
-              | select(.publishTag != "alpha" or .channel != "alpha")
-              | "- \(.packageName)@\(.version) [\(.publishTag)]"
-            ' .local/plugin-clawhub-release-plan.json
-          )"
-          if [[ -n "${invalid}" ]]; then
-            echo "Tideclaw alpha ClawHub bootstraps may only publish alpha plugin versions." >&2
-            printf '%s\n' "${invalid}" >&2
-            exit 1
-          fi
-
-  validate_release_publish_approval:
-    name: Validate release publish approval
-    needs: resolve_bootstrap_plan
-    if: github.event_name == 'workflow_dispatch' && needs.resolve_bootstrap_plan.outputs.has_bootstrap_candidates == 'true'
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-
-      - name: Validate release publish approval run
-        env:
-          GH_TOKEN: ${{ github.token }}
-          RELEASE_PUBLISH_RUN_ID: ${{ inputs.release_publish_run_id }}
-          EXPECTED_WORKFLOW_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
-        run: |
-          set -euo pipefail
-          if [[ -z "${RELEASE_PUBLISH_RUN_ID// }" ]]; then
-            if [[ "${GITHUB_ACTOR}" == "github-actions[bot]" ]]; then
-              echo "Plugin ClawHub bootstrap dispatched by another workflow must include release_publish_run_id." >&2
-              exit 1
-            fi
-            echo "Direct Plugin ClawHub New dispatch; relying on this workflow's clawhub-plugin-bootstrap environment approval."
-            exit 0
-          fi
-          direct_recovery=false
-          if [[ "${GITHUB_ACTOR}" != "github-actions[bot]" ]]; then
-            direct_recovery=true
-            echo "Direct Plugin ClawHub New recovery with release_publish_run_id; relying on this workflow's clawhub-plugin-bootstrap environment approval."
-          fi
-          RUN_JSON="$(gh run view "$RELEASE_PUBLISH_RUN_ID" --repo "$GITHUB_REPOSITORY" --json workflowName,headBranch,event,status,conclusion,url)"
-          printf '%s' "$RUN_JSON" | DIRECT_RELEASE_RECOVERY="${direct_recovery}" node scripts/validate-release-publish-approval.mjs
-
-  validate_bootstrap_trusted_publisher_cli:
-    needs: [resolve_bootstrap_plan, validate_release_publish_approval]
-    if: always() && github.event_name == 'workflow_dispatch' && inputs.dry_run != true && needs.resolve_bootstrap_plan.outputs.has_bootstrap_candidates == 'true' && needs.validate_release_publish_approval.result == 'success'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Validate pinned ClawHub trusted publisher CLI support
-        env:
-          CLAWHUB_CLI_PACKAGE: ${{ env.CLAWHUB_CLI_PACKAGE }}
-        run: |
-          set -euo pipefail
-          help_output="$(
-            npm exec --yes --package "${CLAWHUB_CLI_PACKAGE}" -- \
-              clawhub package trusted-publisher set --help 2>&1 || true
-          )"
-          printf '%s\n' "${help_output}"
-          if ! grep -Fq "Usage: clawhub package trusted-publisher set" <<<"${help_output}"; then
-            echo "::error::CLAW-277 03 - Split OpenClaw plugin ClawHub publishing into OIDC release and token bootstrap workflows requires ${CLAWHUB_CLI_PACKAGE} to expose 'package trusted-publisher set' before token bootstrap publish can run. The pinned CLI returned parent help or no set command, so this workflow is stopping before creating a ClawHub package row."
-            exit 1
-          fi
-          for required_flag in --repository --workflow-filename; do
-            if ! grep -Fq -- "${required_flag}" <<<"${help_output}"; then
-              echo "::error::CLAW-277 03 - Split OpenClaw plugin ClawHub publishing into OIDC release and token bootstrap workflows requires ${CLAWHUB_CLI_PACKAGE} trusted-publisher set help to include ${required_flag}."
-              exit 1
-            fi
-          done
-
-  publish_bootstrap_plugins:
-    needs:
-      [
-        resolve_bootstrap_plan,
-        validate_release_publish_approval,
-        validate_bootstrap_trusted_publisher_cli,
-      ]
-    if: always() && github.event_name == 'workflow_dispatch' && needs.resolve_bootstrap_plan.outputs.has_bootstrap_candidates == 'true' && needs.validate_release_publish_approval.result == 'success' && (inputs.dry_run == true || needs.validate_bootstrap_trusted_publisher_cli.result == 'success')
-    runs-on: ubuntu-latest
-    environment: clawhub-plugin-bootstrap
-    permissions:
-      contents: read
-    strategy:
-      fail-fast: false
-      max-parallel: 8
-      matrix:
-        plugin: ${{ fromJson(needs.resolve_bootstrap_plan.outputs.matrix) }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-          ref: ${{ github.ref }}
-          fetch-depth: 0
-
-      - name: Checkout target revision
-        env:
-          TARGET_SHA: ${{ needs.resolve_bootstrap_plan.outputs.ref_revision }}
-        run: |
-          set -euo pipefail
-          git fetch --no-tags origin \
-            +refs/heads/main:refs/remotes/origin/main \
-            '+refs/heads/release/*:refs/remotes/origin/release/*'
-          git checkout --detach "${TARGET_SHA}"
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          install-bun: "true"
-          install-deps: "true"
-
-      - name: Verify package-local runtime build
-        run: node scripts/check-plugin-npm-runtime-builds.mjs --package "${{ matrix.plugin.packageDir }}"
-
-      - name: Install pinned ClawHub CLI wrapper
-        run: |
-          set -euo pipefail
-          cat > "${RUNNER_TEMP}/clawhub" <<'EOF'
-          #!/usr/bin/env bash
-          set -euo pipefail
-          exec npm exec --yes --package "${CLAWHUB_CLI_PACKAGE}" -- clawhub "$@"
-          EOF
-          chmod +x "${RUNNER_TEMP}/clawhub"
-          echo "${RUNNER_TEMP}" >> "${GITHUB_PATH}"
-
-      - name: Write ClawHub token config
-        if: inputs.dry_run != true
-        env:
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-          CLAWHUB_TOKEN: ${{ secrets.CLAWHUB_TOKEN }}
-        run: |
-          set -euo pipefail
-          config_path="${RUNNER_TEMP}/clawhub-config.json"
-          CONFIG_PATH="${config_path}" node --input-type=module <<'NODE'
-          import { writeFileSync } from "node:fs";
-
-          const registry = process.env.CLAWHUB_REGISTRY?.trim();
-          const token = process.env.CLAWHUB_TOKEN?.trim();
-          const configPath = process.env.CONFIG_PATH;
-          if (!registry) {
-            throw new Error("CLAWHUB_REGISTRY is required for token-gated ClawHub bootstrap.");
-          }
-          if (!token) {
-            throw new Error("CLAWHUB_TOKEN is required for token-gated ClawHub bootstrap.");
-          }
-          if (!configPath) {
-            throw new Error("CONFIG_PATH is required.");
-          }
-
-          writeFileSync(configPath, `${JSON.stringify({ registry, token }, null, 2)}\n`, {
-            encoding: "utf8",
-            mode: 0o600,
-          });
-          NODE
-          echo "CLAWHUB_CONFIG_PATH=${config_path}" >> "${GITHUB_ENV}"
-
-      - name: Publish ClawHub bootstrap package
-        env:
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-          SOURCE_REPO: ${{ github.repository }}
-          SOURCE_COMMIT: ${{ needs.resolve_bootstrap_plan.outputs.ref_revision }}
-          SOURCE_REF: ${{ github.ref }}
-          PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
-          PACKAGE_DIR: ${{ matrix.plugin.packageDir }}
-          BOOTSTRAP_MODE: ${{ matrix.plugin.bootstrapMode }}
-          REQUIRES_MANUAL_OVERRIDE: ${{ matrix.plugin.requiresManualOverride && 'true' || 'false' }}
-          DRY_RUN: ${{ inputs.dry_run && 'true' || 'false' }}
-          OPENCLAW_PLUGIN_NPM_RUNTIME_BUILD: "0"
-        run: |
-          set -euo pipefail
-          if [[ "${BOOTSTRAP_MODE}" == "configure-only" ]]; then
-            echo "Skipping bootstrap publish because ${PACKAGE_DIR} version is already present on ClawHub; configuring trusted publisher only."
-          elif [[ "${DRY_RUN}" == "true" ]]; then
-            bash scripts/plugin-clawhub-publish.sh --dry-run "${PACKAGE_DIR}"
-          else
-            if [[ "${REQUIRES_MANUAL_OVERRIDE}" == "true" ]]; then
-              export OPENCLAW_CLAWHUB_MANUAL_OVERRIDE_REASON="GitHub Actions trusted publisher repair before OIDC migration"
-            fi
-            bash scripts/plugin-clawhub-publish.sh --publish "${PACKAGE_DIR}"
-          fi
-
-      - name: Configure trusted publisher for normal OIDC releases
-        if: inputs.dry_run != true
-        env:
-          CLAWHUB_CLI_PACKAGE: ${{ env.CLAWHUB_CLI_PACKAGE }}
-          PACKAGE_NAME: ${{ matrix.plugin.packageName }}
-        run: |
-          set -euo pipefail
-          npm exec --yes --package "${CLAWHUB_CLI_PACKAGE}" -- \
-            clawhub package trusted-publisher set "${PACKAGE_NAME}" \
-              --repository openclaw/openclaw \
-              --workflow-filename plugin-clawhub-release.yml
-
-  verify_bootstrap_clawhub_package:
-    needs: [resolve_bootstrap_plan, publish_bootstrap_plugins]
-    if: github.event_name == 'workflow_dispatch' && inputs.dry_run != true && needs.resolve_bootstrap_plan.outputs.has_bootstrap_candidates == 'true'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    strategy:
-      fail-fast: false
-      max-parallel: 8
-      matrix:
-        plugin: ${{ fromJson(needs.resolve_bootstrap_plan.outputs.matrix) }}
-    steps:
-      - name: Verify bootstrap ClawHub package and trusted publisher
-        env:
-          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
-          PACKAGE_NAME: ${{ matrix.plugin.packageName }}
-          PACKAGE_VERSION: ${{ matrix.plugin.version }}
-          PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
-        run: |
-          set -euo pipefail
-          node --input-type=module <<'EOF'
-          const registry = (process.env.CLAWHUB_REGISTRY ?? "https://clawhub.ai").replace(/\/+$/, "");
-          const packageName = process.env.PACKAGE_NAME;
-          const packageVersion = process.env.PACKAGE_VERSION;
-          const packageTag = process.env.PACKAGE_TAG;
-          if (!packageName || !packageVersion || !packageTag) {
-            throw new Error("Missing ClawHub bootstrap verification env.");
-          }
-          const encodedName = encodeURIComponent(packageName);
-          const encodedVersion = encodeURIComponent(packageVersion);
-          const detailUrl = `${registry}/api/v1/packages/${encodedName}`;
-          const trustedPublisherUrl = `${detailUrl}/trusted-publisher`;
-          const versionUrl = `${detailUrl}/versions/${encodedVersion}`;
-          const artifactUrl = `${versionUrl}/artifact/download`;
-
-          async function fetchWithRetry(url, options = {}) {
-            let lastStatus = "unknown";
-            for (let attempt = 1; attempt <= 12; attempt += 1) {
-              try {
-                const response = await fetch(url, { redirect: "manual", ...options });
-                lastStatus = response.status;
-                if (response.status !== 429 && response.status < 500) {
-                  return response;
-                }
-              } catch (error) {
-                lastStatus = error instanceof Error ? error.message : String(error);
-              }
-              await new Promise((resolve) => setTimeout(resolve, attempt * 5000));
-            }
-            throw new Error(`${url} did not stabilize; last status ${lastStatus}.`);
-          }
-
-          const detailResponse = await fetchWithRetry(detailUrl, {
-            headers: { accept: "application/json" },
-          });
-          if (!detailResponse.ok) {
-            throw new Error(`${detailUrl} returned HTTP ${detailResponse.status}.`);
-          }
-          const detail = await detailResponse.json();
-          const tags = detail?.package?.tags ?? {};
-          if (tags[packageTag] !== packageVersion) {
-            throw new Error(
-              `${packageName}: ClawHub tag ${packageTag} points to ${tags[packageTag] ?? "<missing>"}, expected ${packageVersion}.`,
-            );
-          }
-
-          const trustedPublisherResponse = await fetchWithRetry(trustedPublisherUrl, {
-            headers: { accept: "application/json" },
-          });
-          if (!trustedPublisherResponse.ok) {
-            throw new Error(`${trustedPublisherUrl} returned HTTP ${trustedPublisherResponse.status}.`);
-          }
-          const trustedPublisherDetail = await trustedPublisherResponse.json();
-          const trustedPublisher = trustedPublisherDetail?.trustedPublisher;
-          if (
-            trustedPublisher?.repository !== "openclaw/openclaw" ||
-            trustedPublisher?.workflowFilename !== "plugin-clawhub-release.yml" ||
-            trustedPublisher?.environment != null
-          ) {
-            throw new Error(
-              `${packageName}: trusted publisher config did not match openclaw/openclaw plugin-clawhub-release.yml without an environment pin.`,
-            );
-          }
-
-          const versionResponse = await fetchWithRetry(versionUrl);
-          if (!versionResponse.ok) {
-            throw new Error(`${versionUrl} returned HTTP ${versionResponse.status}.`);
-          }
-          const artifactResponse = await fetchWithRetry(artifactUrl, { method: "HEAD" });
-          if (artifactResponse.status < 200 || artifactResponse.status >= 400) {
-            throw new Error(`${artifactUrl} returned HTTP ${artifactResponse.status}.`);
-          }
-          console.log(`${packageName}@${packageVersion} bootstrap verified on ClawHub.`);
-          EOF

.github/workflows/plugin-clawhub-release.yml

@@ -16,7 +16,7 @@ on:
         required: false
         type: string
       ref:
-        description: Dry-run target ref to validate; real OIDC publishes must dispatch the workflow with --ref set to the target release tag/ref
+        description: Commit SHA on main, a release branch, or the matching Tideclaw alpha branch to publish from; defaults to the workflow ref
         required: false
         default: ""
         type: string
@@ -24,15 +24,6 @@ on:
         description: Approved OpenClaw Release Publish workflow run id
         required: false
         type: string
-      release_publish_branch:
-        description: Branch name of the approving OpenClaw Release Publish workflow run
-        required: false
-        type: string
-      dry_run:
-        description: Validate the full ClawHub artifact handoff without publishing.
-        required: false
-        default: false
-        type: boolean
 
 concurrency:
   group: plugin-clawhub-release-${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
@@ -42,7 +33,9 @@ env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   NODE_VERSION: "24.15.0"
   CLAWHUB_REGISTRY: "https://clawhub.ai"
-  CLAWHUB_CLI_PACKAGE: "clawhub@0.21.0"
+  CLAWHUB_REPOSITORY: "openclaw/clawhub"
+  # Pinned to a reviewed ClawHub commit so release behavior stays reproducible.
+  CLAWHUB_REF: "facf20ceb6cc459e2872d941e71335a784bbc55c"
 
 jobs:
   preview_plugins_clawhub:
@@ -52,15 +45,9 @@ jobs:
     outputs:
       ref_revision: ${{ steps.ref.outputs.sha }}
       has_candidates: ${{ steps.plan.outputs.has_candidates }}
-      has_bootstrap_candidates: ${{ steps.plan.outputs.has_bootstrap_candidates }}
-      has_missing_trusted_publisher: ${{ steps.plan.outputs.has_missing_trusted_publisher }}
       candidate_count: ${{ steps.plan.outputs.candidate_count }}
-      bootstrap_candidate_count: ${{ steps.plan.outputs.bootstrap_candidate_count }}
-      missing_trusted_publisher_count: ${{ steps.plan.outputs.missing_trusted_publisher_count }}
       skipped_published_count: ${{ steps.plan.outputs.skipped_published_count }}
       matrix: ${{ steps.plan.outputs.matrix }}
-      bootstrap_matrix: ${{ steps.plan.outputs.bootstrap_matrix }}
-      missing_trusted_publisher_matrix: ${{ steps.plan.outputs.missing_trusted_publisher_matrix }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -69,6 +56,12 @@ jobs:
           ref: ${{ github.ref }}
           fetch-depth: 0
 
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          install-bun: "false"
+
       - name: Resolve checked-out ref
         id: ref
         env:
@@ -91,27 +84,9 @@ jobs:
           fi
           echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
 
-      - name: Validate OIDC source matches workflow ref
-        env:
-          TARGET_SHA: ${{ steps.ref.outputs.sha }}
-          WORKFLOW_SHA: ${{ github.sha }}
-          DRY_RUN: ${{ inputs.dry_run && 'true' || 'false' }}
-        run: |
-          set -euo pipefail
-          if [[ "${TARGET_SHA}" != "${WORKFLOW_SHA}" ]]; then
-            if [[ "${DRY_RUN}" == "true" ]]; then
-              echo "Dry-run publish target differs from workflow ref; allowing validation-only dispatch."
-              exit 0
-            fi
-            echo "Plugin ClawHub OIDC publishes must run from the same ref that is being published." >&2
-            echo "The ref input is only supported for dry_run=true." >&2
-            echo "For real publishes, dispatch this workflow with --ref pointing at the target release tag/ref and omit the ref input." >&2
-            exit 1
-          fi
-
       - name: Validate ref is on a trusted publish branch
         env:
-          TRUSTED_PUBLISH_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
+          WORKFLOW_REF: ${{ github.ref }}
         run: |
           set -euo pipefail
           if git merge-base --is-ancestor HEAD origin/main; then
@@ -122,8 +97,8 @@ jobs:
               exit 0
             fi
           done < <(git for-each-ref --format='%(refname)' refs/remotes/origin/release)
-          if [[ "${TRUSTED_PUBLISH_BRANCH}" =~ ^tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
-            alpha_branch="${TRUSTED_PUBLISH_BRANCH}"
+          if [[ "${WORKFLOW_REF}" =~ ^refs/heads/tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
+            alpha_branch="${WORKFLOW_REF#refs/heads/}"
             git fetch --no-tags origin "+refs/heads/${alpha_branch}:refs/remotes/origin/${alpha_branch}"
             if git merge-base --is-ancestor HEAD "refs/remotes/origin/${alpha_branch}"; then
               exit 0
@@ -132,12 +107,6 @@ jobs:
           echo "Plugin ClawHub publishes must target a commit reachable from main, release/*, or the matching Tideclaw alpha branch." >&2
           exit 1
 
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          install-bun: "false"
-
       - name: Validate publishable plugin metadata
         env:
           PUBLISH_SCOPE: ${{ github.event_name == 'workflow_dispatch' && inputs.publish_scope || '' }}
@@ -184,78 +153,36 @@ jobs:
           cat .local/plugin-clawhub-release-plan.json
 
           candidate_count="$(jq -r '.candidates | length' .local/plugin-clawhub-release-plan.json)"
-          bootstrap_candidate_count="$(jq -r '.bootstrapCandidates | length' .local/plugin-clawhub-release-plan.json)"
-          missing_trusted_publisher_count="$(jq -r '.missingTrustedPublisher | length' .local/plugin-clawhub-release-plan.json)"
           skipped_published_count="$(jq -r '.skippedPublished | length' .local/plugin-clawhub-release-plan.json)"
           has_candidates="false"
           if [[ "${candidate_count}" != "0" ]]; then
             has_candidates="true"
           fi
-          has_bootstrap_candidates="false"
-          if [[ "${bootstrap_candidate_count}" != "0" ]]; then
-            has_bootstrap_candidates="true"
-          fi
-          has_missing_trusted_publisher="false"
-          if [[ "${missing_trusted_publisher_count}" != "0" ]]; then
-            has_missing_trusted_publisher="true"
-          fi
           matrix_json="$(jq -c '.candidates' .local/plugin-clawhub-release-plan.json)"
-          bootstrap_matrix_json="$(jq -c '.bootstrapCandidates' .local/plugin-clawhub-release-plan.json)"
-          missing_trusted_publisher_matrix_json="$(jq -c '.missingTrustedPublisher' .local/plugin-clawhub-release-plan.json)"
 
           {
             echo "candidate_count=${candidate_count}"
-            echo "bootstrap_candidate_count=${bootstrap_candidate_count}"
-            echo "missing_trusted_publisher_count=${missing_trusted_publisher_count}"
             echo "skipped_published_count=${skipped_published_count}"
             echo "has_candidates=${has_candidates}"
-            echo "has_bootstrap_candidates=${has_bootstrap_candidates}"
-            echo "has_missing_trusted_publisher=${has_missing_trusted_publisher}"
             echo "matrix=${matrix_json}"
-            echo "bootstrap_matrix=${bootstrap_matrix_json}"
-            echo "missing_trusted_publisher_matrix=${missing_trusted_publisher_matrix_json}"
           } >> "$GITHUB_OUTPUT"
 
           echo "Plugin release candidates:"
           jq -r '.candidates[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"' .local/plugin-clawhub-release-plan.json
 
-          echo "Bootstrap candidates requiring token bootstrap:"
-          jq -r '.bootstrapCandidates[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"' .local/plugin-clawhub-release-plan.json
-
-          echo "Missing trusted publisher candidates:"
-          jq -r '.missingTrustedPublisher[]? | "- \(.packageName)@\(.version) [\(.publishTag)] from \(.packageDir)"' .local/plugin-clawhub-release-plan.json
-
           echo "Already published / skipped:"
           jq -r '.skippedPublished[]? | "- \(.packageName)@\(.version)"' .local/plugin-clawhub-release-plan.json
 
-      - name: Fail when trusted publisher is missing
-        if: steps.plan.outputs.missing_trusted_publisher_count != '0'
-        run: |
-          echo "::error::One or more ClawHub packages exist but do not have trusted publishing configured. Configure trusted publishing before running the normal OIDC publish workflow."
-          jq -r '.missingTrustedPublisher[]? | "::error::Missing trusted publisher: \(.packageName)@\(.version). Configure trusted publishing for openclaw/openclaw, workflow plugin-clawhub-release.yml."' .local/plugin-clawhub-release-plan.json
-          exit 1
-
-      - name: Fail normal publish when bootstrap is required
-        if: steps.plan.outputs.bootstrap_candidate_count != '0'
-        run: |
-          echo "::error::One or more ClawHub packages do not exist yet and require the token-gated Plugin ClawHub New bootstrap workflow before normal OIDC publish can run."
-          jq -r '.bootstrapCandidates[]? | "::error::Bootstrap required: \(.packageName)@\(.version). Dispatch plugin-clawhub-new.yml for this package, then rerun the normal release."' .local/plugin-clawhub-release-plan.json
-          exit 1
-
       - name: Fail manual publish when target versions already exist
-        if: github.event_name == 'workflow_dispatch' && inputs.dry_run != true && inputs.publish_scope == 'selected' && steps.plan.outputs.skipped_published_count != '0'
+        if: github.event_name == 'workflow_dispatch' && inputs.publish_scope == 'selected' && steps.plan.outputs.skipped_published_count != '0'
         run: |
           echo "::error::One or more selected plugin versions already exist on ClawHub. Bump the version before running a real publish."
           exit 1
 
       - name: Validate Tideclaw alpha plugin channels
-        env:
-          TRUSTED_PUBLISH_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
+        if: startsWith(github.ref, 'refs/heads/tideclaw/alpha/')
         run: |
           set -euo pipefail
-          if [[ ! "${TRUSTED_PUBLISH_BRANCH}" =~ ^tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
-            exit 0
-          fi
           invalid="$(
             jq -r '.candidates[]? | select(.publishTag != "alpha" or .channel != "alpha") | "- \(.packageName)@\(.version) [\(.publishTag)]"' .local/plugin-clawhub-release-plan.json
           )"
@@ -265,6 +192,12 @@ jobs:
             exit 1
           fi
 
+      - name: Verify OpenClaw ClawHub package ownership
+        if: steps.plan.outputs.has_candidates == 'true'
+        env:
+          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+        run: node --import tsx scripts/plugin-clawhub-owner-preflight.ts .local/plugin-clawhub-release-plan.json
+
   validate_release_publish_approval:
     name: Validate release publish approval
     needs: preview_plugins_clawhub
@@ -283,7 +216,7 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
           RELEASE_PUBLISH_RUN_ID: ${{ inputs.release_publish_run_id }}
-          EXPECTED_WORKFLOW_BRANCH: ${{ inputs.release_publish_branch || github.ref_name }}
+          EXPECTED_WORKFLOW_BRANCH: ${{ github.ref_name }}
         run: |
           set -euo pipefail
           if [[ -z "${RELEASE_PUBLISH_RUN_ID// }" ]]; then
@@ -302,12 +235,106 @@ jobs:
           RUN_JSON="$(gh run view "$RELEASE_PUBLISH_RUN_ID" --repo "$GITHUB_REPOSITORY" --json workflowName,headBranch,event,status,conclusion,url)"
           printf '%s' "$RUN_JSON" | DIRECT_RELEASE_RECOVERY="${direct_recovery}" node scripts/validate-release-publish-approval.mjs
 
-  pack_plugins_clawhub_artifacts:
-    needs: [preview_plugins_clawhub, validate_release_publish_approval]
-    if: github.event_name == 'workflow_dispatch' && needs.preview_plugins_clawhub.outputs.has_candidates == 'true'
+  preview_plugin_pack:
+    needs: preview_plugins_clawhub
+    if: needs.preview_plugins_clawhub.outputs.has_candidates == 'true'
     runs-on: ubuntu-latest
     permissions:
       contents: read
+    strategy:
+      fail-fast: false
+      max-parallel: 12
+      matrix:
+        plugin: ${{ fromJson(needs.preview_plugins_clawhub.outputs.matrix) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          ref: ${{ github.ref }}
+          fetch-depth: 0
+
+      - name: Checkout target revision
+        env:
+          TARGET_SHA: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
+        run: |
+          set -euo pipefail
+          git fetch --no-tags origin \
+            +refs/heads/main:refs/remotes/origin/main \
+            '+refs/heads/release/*:refs/remotes/origin/release/*'
+          git checkout --detach "${TARGET_SHA}"
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          install-bun: "true"
+          install-deps: "true"
+
+      - name: Checkout ClawHub CLI source
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          repository: ${{ env.CLAWHUB_REPOSITORY }}
+          ref: main
+          path: clawhub-source
+          fetch-depth: 0
+
+      - name: Checkout pinned ClawHub CLI revision
+        working-directory: clawhub-source
+        env:
+          CLAWHUB_REF: ${{ env.CLAWHUB_REF }}
+        run: git checkout --detach "${CLAWHUB_REF}"
+
+      - name: Install ClawHub CLI dependencies
+        working-directory: clawhub-source
+        run: |
+          set -euo pipefail
+          for attempt in 1 2 3; do
+            if bun install --frozen-lockfile; then
+              exit 0
+            fi
+            status="$?"
+            if [[ "${attempt}" == "3" ]]; then
+              exit "${status}"
+            fi
+            echo "bun install failed while preparing ClawHub CLI; retrying (${attempt}/3)."
+            rm -rf node_modules "${RUNNER_TEMP}/bun-install-cache" || true
+            sleep $((attempt * 15))
+          done
+
+      - name: Bootstrap ClawHub CLI
+        run: |
+          cat > "$RUNNER_TEMP/clawhub" <<'EOF'
+          #!/usr/bin/env bash
+          set -euo pipefail
+          exec bun "$GITHUB_WORKSPACE/clawhub-source/packages/clawhub/src/cli.ts" "$@"
+          EOF
+          chmod +x "$RUNNER_TEMP/clawhub"
+          echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
+
+      - name: Verify package-local runtime build
+        run: node scripts/check-plugin-npm-runtime-builds.mjs --package "${{ matrix.plugin.packageDir }}"
+
+      - name: Preview publish command
+        env:
+          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+          SOURCE_REPO: ${{ github.repository }}
+          SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
+          SOURCE_REF: ${{ github.ref }}
+          PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
+          PACKAGE_DIR: ${{ matrix.plugin.packageDir }}
+        run: bash scripts/plugin-clawhub-publish.sh --dry-run "${PACKAGE_DIR}"
+
+  publish_plugins_clawhub:
+    needs: [preview_plugins_clawhub, preview_plugin_pack, validate_release_publish_approval]
+    if: github.event_name == 'workflow_dispatch' && needs.preview_plugins_clawhub.outputs.has_candidates == 'true'
+    runs-on: ubuntu-latest
+    environment: clawhub-plugin-release
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
     strategy:
       fail-fast: false
       max-parallel: 32
@@ -338,21 +365,115 @@ jobs:
           install-bun: "true"
           install-deps: "true"
 
-      - name: Verify package-local runtime build
-        run: node scripts/check-plugin-npm-runtime-builds.mjs --package "${{ matrix.plugin.packageDir }}"
+      - name: Checkout ClawHub CLI source
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          repository: ${{ env.CLAWHUB_REPOSITORY }}
+          ref: main
+          path: clawhub-source
+          fetch-depth: 0
 
-      - name: Install pinned ClawHub CLI wrapper
+      - name: Checkout pinned ClawHub CLI revision
+        working-directory: clawhub-source
+        env:
+          CLAWHUB_REF: ${{ env.CLAWHUB_REF }}
+        run: git checkout --detach "${CLAWHUB_REF}"
+
+      - name: Install ClawHub CLI dependencies
+        working-directory: clawhub-source
         run: |
           set -euo pipefail
-          cat > "${RUNNER_TEMP}/clawhub" <<'EOF'
+          for attempt in 1 2 3; do
+            if bun install --frozen-lockfile; then
+              exit 0
+            fi
+            status="$?"
+            if [[ "${attempt}" == "3" ]]; then
+              exit "${status}"
+            fi
+            echo "bun install failed while preparing ClawHub CLI; retrying (${attempt}/3)."
+            rm -rf node_modules "${RUNNER_TEMP}/bun-install-cache" || true
+            sleep $((attempt * 15))
+          done
+
+      - name: Bootstrap ClawHub CLI
+        run: |
+          cat > "$RUNNER_TEMP/clawhub" <<'EOF'
           #!/usr/bin/env bash
           set -euo pipefail
-          exec npm exec --yes --package "${CLAWHUB_CLI_PACKAGE}" -- clawhub "$@"
+          exec bun "$GITHUB_WORKSPACE/clawhub-source/packages/clawhub/src/cli.ts" "$@"
           EOF
-          chmod +x "${RUNNER_TEMP}/clawhub"
-          echo "${RUNNER_TEMP}" >> "${GITHUB_PATH}"
+          chmod +x "$RUNNER_TEMP/clawhub"
+          echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
 
-      - name: Pack ClawHub package artifact
+      - name: Write ClawHub token config
+        env:
+          CLAWHUB_TOKEN: ${{ secrets.CLAWHUB_TOKEN }}
+          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+        run: |
+          set -euo pipefail
+          if [[ -z "${CLAWHUB_TOKEN}" ]]; then
+            echo "No CLAWHUB_TOKEN secret configured; publish will rely on GitHub OIDC trusted publishing."
+            exit 0
+          fi
+          node --input-type=module <<'EOF'
+          import { writeFileSync } from "node:fs";
+          import { join } from "node:path";
+
+          const path = join(process.env.RUNNER_TEMP, "clawhub-config.json");
+          writeFileSync(
+            path,
+            `${JSON.stringify(
+              {
+                registry: process.env.CLAWHUB_REGISTRY,
+                token: process.env.CLAWHUB_TOKEN,
+              },
+              null,
+              2,
+            )}\n`,
+          );
+          console.log(path);
+          EOF
+          echo "CLAWHUB_CONFIG_PATH=${RUNNER_TEMP}/clawhub-config.json" >> "$GITHUB_ENV"
+
+      - name: Check ClawHub package version
+        id: clawhub_package_version
+        env:
+          PACKAGE_NAME: ${{ matrix.plugin.packageName }}
+          PACKAGE_VERSION: ${{ matrix.plugin.version }}
+          CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+        run: |
+          set -euo pipefail
+          encoded_name="$(node -e 'console.log(encodeURIComponent(process.env.PACKAGE_NAME ?? ""))')"
+          encoded_version="$(node -e 'console.log(encodeURIComponent(process.env.PACKAGE_VERSION ?? ""))')"
+          url="${CLAWHUB_REGISTRY%/}/api/v1/packages/${encoded_name}/versions/${encoded_version}"
+          status=""
+          for attempt in $(seq 1 8); do
+            status="$(curl --silent --show-error --output /dev/null --write-out '%{http_code}' "${url}")"
+            if [[ "${status}" == "404" || "${status}" =~ ^2 ]]; then
+              break
+            fi
+            if [[ "${status}" == "429" || "${status}" =~ ^5 ]]; then
+              echo "ClawHub availability check returned ${status} for ${PACKAGE_NAME}@${PACKAGE_VERSION}; retrying (${attempt}/8)."
+              sleep 60
+              continue
+            fi
+            break
+          done
+          if [[ "${status}" =~ ^2 ]]; then
+            echo "${PACKAGE_NAME}@${PACKAGE_VERSION} is already published on ClawHub."
+            echo "already_published=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if [[ "${status}" != "404" ]]; then
+            echo "Unexpected ClawHub response (${status}) for ${PACKAGE_NAME}@${PACKAGE_VERSION}."
+            exit 1
+          fi
+          echo "already_published=false" >> "$GITHUB_OUTPUT"
+
+      - name: Publish
+        if: steps.clawhub_package_version.outputs.already_published != 'true'
         env:
           CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
           SOURCE_REPO: ${{ github.repository }}
@@ -360,68 +481,8 @@ jobs:
           SOURCE_REF: ${{ github.ref }}
           PACKAGE_TAG: ${{ matrix.plugin.publishTag }}
           PACKAGE_DIR: ${{ matrix.plugin.packageDir }}
-          OPENCLAW_CLAWHUB_PACK_OUTPUT_DIR: ${{ runner.temp }}/clawhub-package-artifact
-        run: bash scripts/plugin-clawhub-publish.sh --pack "${PACKAGE_DIR}"
+        run: bash scripts/plugin-clawhub-publish.sh --publish "${PACKAGE_DIR}"
 
-      - name: Upload ClawHub package artifact
-        uses: actions/upload-artifact@v7
-        with:
-          name: ${{ matrix.plugin.artifactName }}
-          path: ${{ runner.temp }}/clawhub-package-artifact/*.tgz
-          if-no-files-found: error
-          retention-days: 7
-
-  approve_plugins_clawhub_release:
-    needs: [preview_plugins_clawhub, pack_plugins_clawhub_artifacts]
-    if: always() && github.event_name == 'workflow_dispatch' && inputs.dry_run != true && needs.preview_plugins_clawhub.outputs.has_candidates == 'true' && needs.pack_plugins_clawhub_artifacts.result == 'success'
-    runs-on: ubuntu-latest
-    environment: clawhub-plugin-release
-    permissions:
-      contents: read
-    steps:
-      - name: Approve Plugin ClawHub release publish
-        run: |
-          echo "Approved CLAW-277 03 - Split OpenClaw plugin ClawHub publishing into OIDC release and token bootstrap workflows release publish gate."
-
-  publish_plugins_clawhub:
-    needs:
-      [preview_plugins_clawhub, pack_plugins_clawhub_artifacts, approve_plugins_clawhub_release]
-    if: always() && github.event_name == 'workflow_dispatch' && needs.preview_plugins_clawhub.outputs.has_candidates == 'true' && needs.pack_plugins_clawhub_artifacts.result == 'success' && (inputs.dry_run == true || needs.approve_plugins_clawhub_release.result == 'success')
-    uses: openclaw/clawhub/.github/workflows/package-publish.yml@9d49df109d4ad3dc8a6ecf05d26b39f46d294721
-    permissions:
-      actions: read
-      contents: read
-      id-token: write
-    strategy:
-      fail-fast: false
-      max-parallel: 32
-      matrix:
-        plugin: ${{ fromJson(needs.preview_plugins_clawhub.outputs.matrix) }}
-    with:
-      package_artifact_name: ${{ matrix.plugin.artifactName }}
-      dry_run: ${{ inputs.dry_run }}
-      registry: https://clawhub.ai
-      site: https://clawhub.ai
-      tags: ${{ matrix.plugin.publishTag }}
-      source_repo: ${{ github.repository }}
-      source_commit: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }}
-      source_ref: ${{ github.ref }}
-      source_path: ${{ matrix.plugin.packageDir }}
-      inspector_artifact_name: ${{ matrix.plugin.artifactName }}-inspector
-      publish_json_artifact_name: ${{ matrix.plugin.artifactName }}-publish-json
-
-  verify_published_clawhub_package:
-    needs: [preview_plugins_clawhub, publish_plugins_clawhub]
-    if: github.event_name == 'workflow_dispatch' && inputs.dry_run != true && needs.preview_plugins_clawhub.outputs.has_candidates == 'true'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    strategy:
-      fail-fast: false
-      max-parallel: 32
-      matrix:
-        plugin: ${{ fromJson(needs.preview_plugins_clawhub.outputs.matrix) }}
-    steps:
       - name: Verify published ClawHub package
         env:
           CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}

.github/workflows/plugin-npm-release.yml

@@ -288,7 +288,6 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          OPENCLAW_NPM_PUBLISH_AUTH_MODE: trusted-publisher
         run: bash scripts/plugin-npm-publish.sh --publish "${{ matrix.plugin.packageDir }}"
 
       - name: Verify published runtime

.github/workflows/qa-live-transports-convex.yml

@@ -65,7 +65,7 @@ jobs:
     steps:
       - name: Require maintainer-level repository access
         id: permission
-        uses: actions/github-script@v9
+        uses: actions/github-script@v8
         with:
           script: |
             if (context.eventName === "schedule") {
@@ -159,7 +159,7 @@ jobs:
   run_mock_parity:
     name: Run QA Lab mock parity lane
     needs: [validate_selected_ref]
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 30
     env:
       QA_PARITY_CONCURRENCY: "1"
@@ -186,7 +186,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run OpenAI candidate lane
@@ -232,7 +232,7 @@ jobs:
     name: Run live runtime token-efficiency lane
     needs: [authorize_actor, validate_selected_ref]
     if: github.event_name == 'schedule'
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 45
     environment: qa-live-shared
     env:
@@ -267,7 +267,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run live runtime parity lane
@@ -321,7 +321,7 @@ jobs:
     name: Run Matrix live QA lane
     needs: [authorize_actor, validate_selected_ref]
     if: ${{ !(github.event_name == 'workflow_dispatch' && inputs.matrix_profile == 'all') }}
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     steps:
@@ -352,7 +352,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run Matrix live lane
@@ -397,7 +397,7 @@ jobs:
     name: Run Matrix live QA lane (${{ matrix.profile }})
     needs: [authorize_actor, validate_selected_ref]
     if: ${{ github.event_name == 'workflow_dispatch' && inputs.matrix_profile == 'all' }}
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     strategy:
@@ -437,7 +437,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run Matrix live lane shard
@@ -480,7 +480,7 @@ jobs:
   run_live_telegram:
     name: Run Telegram live QA lane with Convex leases
     needs: [authorize_actor, validate_selected_ref]
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     steps:
@@ -520,7 +520,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run Telegram live lane
@@ -532,6 +532,7 @@ jobs:
           OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
           OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
           OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
+          OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
           INPUT_SCENARIO: ${{ github.event_name == 'workflow_dispatch' && inputs.scenario || '' }}
         run: |
           set -euo pipefail
@@ -574,7 +575,7 @@ jobs:
   run_live_discord:
     name: Run Discord live QA lane with Convex leases
     needs: [authorize_actor, validate_selected_ref]
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     steps:
@@ -614,7 +615,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run Discord live lane
@@ -668,7 +669,7 @@ jobs:
   run_live_whatsapp:
     name: Run WhatsApp live QA lane with Convex leases
     needs: [authorize_actor, validate_selected_ref]
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     concurrency:
       group: qa-live-whatsapp-shared
@@ -711,7 +712,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run WhatsApp live lane
@@ -765,7 +766,7 @@ jobs:
   run_live_slack:
     name: Run Slack live QA lane with Convex leases
     needs: [authorize_actor, validate_selected_ref]
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-8vcpu-ubuntu-2404
     timeout-minutes: 60
     environment: qa-live-shared
     steps:
@@ -805,7 +806,7 @@ jobs:
 
       - name: Build private QA runtime
         env:
-          NODE_OPTIONS: --max-old-space-size=12288
+          NODE_OPTIONS: --max-old-space-size=8192
         run: pnpm build
 
       - name: Run Slack live lane

.github/workflows/sandbox-common-smoke.yml

@@ -35,7 +35,7 @@ jobs:
           submodules: false
 
       - name: Set up Docker Builder
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Build minimal sandbox base (USER sandbox)
         shell: bash

.github/workflows/stale.yml

@@ -68,7 +68,7 @@ jobs:
           days-before-pr-close: 7
           stale-issue-label: stale
           stale-pr-label: stale
-          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle,clawsweeper:queueable-fix,clawsweeper:source-repro,clawsweeper:fix-shape-clear
+          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle
           exempt-pr-labels: maintainer,no-stale,bad-barnacle
           operations-per-run: 2000
           ascending: true
@@ -100,7 +100,7 @@ jobs:
           days-before-pr-stale: -1
           days-before-pr-close: -1
           stale-issue-label: stale
-          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle,clawsweeper:queueable-fix,clawsweeper:source-repro,clawsweeper:fix-shape-clear
+          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle
           operations-per-run: 2000
           ascending: true
           include-only-assigned: true
@@ -172,7 +172,7 @@ jobs:
           days-before-pr-close: 7
           stale-issue-label: stale
           stale-pr-label: stale
-          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle,clawsweeper:queueable-fix,clawsweeper:source-repro,clawsweeper:fix-shape-clear
+          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle
           exempt-pr-labels: maintainer,no-stale,bad-barnacle
           operations-per-run: 2000
           ascending: true
@@ -203,7 +203,7 @@ jobs:
           days-before-pr-stale: -1
           days-before-pr-close: -1
           stale-issue-label: stale
-          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle,clawsweeper:queueable-fix,clawsweeper:source-repro,clawsweeper:fix-shape-clear
+          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle
           operations-per-run: 2000
           ascending: true
           include-only-assigned: true
@@ -277,9 +277,6 @@ jobs:
               "security",
               "no-stale",
               "bad-barnacle",
-              "clawsweeper:queueable-fix",
-              "clawsweeper:source-repro",
-              "clawsweeper:fix-shape-clear",
             ]);
             const prExemptLabels = new Set(["maintainer", "no-stale", "bad-barnacle"]);
             const maintainerAssociations = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);
@@ -512,62 +509,60 @@ jobs:
 
             let locked = 0;
             let inspected = 0;
-            let cursor = null;
 
+            let page = 1;
             while (true) {
-              const result = await github.graphql(
-                `query ClosedIssuesForLocking(
-                  $owner: String!
-                  $repo: String!
-                  $cursor: String
-                  $perPage: Int!
-                ) {
-                  repository(owner: $owner, name: $repo) {
-                    issues(
-                      first: $perPage
-                      after: $cursor
-                      states: CLOSED
-                      orderBy: { field: CREATED_AT, direction: ASC }
-                    ) {
-                      nodes {
-                        number
-                        locked
-                        closedAt
-                        comments(last: 1) {
-                          nodes {
-                            createdAt
-                          }
-                        }
-                      }
-                      pageInfo {
-                        hasNextPage
-                        endCursor
-                      }
-                    }
-                  }
-                }`,
-                {
-                  owner,
-                  repo,
-                  cursor,
-                  perPage,
-                },
-              );
-              const issues = result.repository.issues;
+              const { data: issues } = await github.rest.issues.listForRepo({
+                owner,
+                repo,
+                state: "closed",
+                sort: "updated",
+                direction: "desc",
+                per_page: perPage,
+                page,
+              });
 
-              for (const issue of issues.nodes) {
-                if (issue.locked || !issue.closedAt) {
+              if (issues.length === 0) {
+                break;
+              }
+
+              for (const issue of issues) {
+                if (issue.pull_request) {
+                  continue;
+                }
+                if (issue.locked) {
+                  continue;
+                }
+                if (!issue.closed_at) {
                   continue;
                 }
 
                 inspected += 1;
-                const closedAtMs = Date.parse(issue.closedAt);
-                if (!Number.isFinite(closedAtMs) || closedAtMs > cutoffMs) {
+                const closedAtMs = Date.parse(issue.closed_at);
+                if (!Number.isFinite(closedAtMs)) {
+                  continue;
+                }
+                if (closedAtMs > cutoffMs) {
                   continue;
                 }
 
-                const lastComment = issue.comments.nodes[0];
-                const lastCommentMs = lastComment ? Date.parse(lastComment.createdAt) : 0;
+                let lastCommentMs = 0;
+                if (issue.comments > 0) {
+                  const { data: comments } = await github.rest.issues.listComments({
+                    owner,
+                    repo,
+                    issue_number: issue.number,
+                    per_page: 1,
+                    page: 1,
+                    sort: "created",
+                    direction: "desc",
+                  });
+
+                  if (comments.length > 0) {
+                    lastCommentMs = Date.parse(comments[0].created_at);
+                  }
+                }
+
                 const lastActivityMs = Math.max(closedAtMs, lastCommentMs || 0);
                 if (lastActivityMs > cutoffMs) {
                   continue;
@@ -583,10 +578,7 @@ jobs:
                 locked += 1;
               }
 
-              if (!issues.pageInfo.hasNextPage || !issues.pageInfo.endCursor) {
-                break;
-              }
-              cursor = issues.pageInfo.endCursor;
+              page += 1;
             }
 
             core.info(`Inspected ${inspected} closed issues; locked ${locked}.`);

.github/workflows/test-performance-agent.yml

@@ -129,7 +129,7 @@ jobs:
 
       - name: Run Codex test performance agent
         if: steps.gate.outputs.run_agent == 'true'
-        uses: openai/codex-action@e0fdf01220eb9a88167c4898839d273e3f2609d1
+        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
         with:
           openai-api-key: ${{ secrets.OPENCLAW_TEST_PERF_AGENT_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
           prompt-file: .github/codex/prompts/test-performance-agent.md

.github/workflows/windows-blacksmith-testbox.yml

@@ -65,9 +65,7 @@ jobs:
           fi
           runner_ssh_port="${BLACKSMITH_SSH_PORT:-22}"
 
-          hydrating_response="$RUNNER_TEMP/testbox-hydrating.response"
-          hydrating_http_code="$(curl -sS -L --post302 --post303 -o "$hydrating_response" -w '%{http_code}' \
-            -X POST "${api_url}/api/testbox/phone-home" \
+          response="$(curl -s -f -L --post302 --post303 -X POST "${api_url}/api/testbox/phone-home" \
             -H "Content-Type: application/json" \
             -H "Authorization: Bearer ${auth_token}" \
             -d "{
@@ -79,15 +77,7 @@ jobs:
               \"working_directory\": \"${GITHUB_WORKSPACE}\",
               \"adopted_run_id\": \"${GITHUB_RUN_ID}\",
               \"metadata\": {}
-            }" || true)"
-
-          echo "phone_home_hydrating_http=${hydrating_http_code}"
-          if [[ ! "$hydrating_http_code" =~ ^2 ]]; then
-            echo "Blacksmith phone-home hydrating failed; response body:" >&2
-            cat "$hydrating_response" >&2 || true
-            exit 1
-          fi
-          response="$(cat "$hydrating_response")"
+            }" 2>/dev/null || true)"
 
           echo "$TESTBOX_ID" > "$state/testbox_id"
           echo "$installation_model_id" > "$state/installation_model_id"
@@ -110,14 +100,12 @@ jobs:
           fi
 
           ssh_public_key="$(cat "$state/ssh_public_key" 2>/dev/null || true)"
-          if [ -z "$ssh_public_key" ]; then
-            echo "Blacksmith phone-home did not return an SSH public key; testbox cannot accept CLI connections." >&2
-            exit 1
+          if [ -n "$ssh_public_key" ]; then
+            mkdir -p ~/.ssh
+            printf '%s\n' "$ssh_public_key" >> ~/.ssh/authorized_keys
+            chmod 700 ~/.ssh
+            chmod 600 ~/.ssh/authorized_keys
           fi
-          mkdir -p ~/.ssh
-          printf '%s\n' "$ssh_public_key" >> ~/.ssh/authorized_keys
-          chmod 700 ~/.ssh
-          chmod 600 ~/.ssh/authorized_keys
 
       - name: Checkout
         uses: actions/checkout@v6
@@ -173,11 +161,6 @@ jobs:
             -H "Authorization: Bearer ${auth_token}" \
             --data-binary @"$ready_body" || true)"
           echo "phone_home_ready_http=${http_code}"
-          if [[ ! "$http_code" =~ ^2 ]]; then
-            echo "Blacksmith phone-home ready failed; response body:" >&2
-            cat "$RUNNER_TEMP/testbox-ready.response" >&2 || true
-            exit 1
-          fi
 
           echo "============================================"
           echo "Testbox ready!"

.github/workflows/windows-node-release.yml

@@ -8,12 +8,9 @@ on:
         required: true
         type: string
       windows_node_tag:
-        description: Exact openclaw-windows-node release tag to promote, for example v0.6.3
-        required: true
-        type: string
-      expected_installer_digests:
-        description: Compact JSON map of installer asset names to pinned source sha256 digests
+        description: openclaw-windows-node release tag to promote, or latest
         required: true
+        default: latest
         type: string
 
 permissions:
@@ -34,129 +31,46 @@ jobs:
         env:
           RELEASE_TAG: ${{ inputs.tag }}
           WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
-          EXPECTED_INSTALLER_DIGESTS: ${{ inputs.expected_installer_digests }}
           GH_TOKEN: ${{ github.token }}
         run: |
           if ($env:RELEASE_TAG -notmatch '^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-(alpha|beta)\.[1-9][0-9]*)|(-[1-9][0-9]*))?$') {
             throw "Invalid OpenClaw release tag: $env:RELEASE_TAG"
           }
-          $stableRelease = -not (
-            $env:RELEASE_TAG.Contains("-alpha.") -or
-            $env:RELEASE_TAG.Contains("-beta.")
-          )
-          if ($env:WINDOWS_NODE_TAG -notmatch '^v[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z]+([.-][0-9A-Za-z]+)*)?$') {
-            throw "windows_node_tag must be an explicit openclaw-windows-node release tag, not latest: $env:WINDOWS_NODE_TAG"
-          }
-
-          try {
-            $expectedDigests = $env:EXPECTED_INSTALLER_DIGESTS | ConvertFrom-Json -AsHashtable
-          } catch {
-            throw "expected_installer_digests must be a JSON object: $_"
-          }
-          # Add future signed installer names, such as MSIX x64/ARM64, here.
-          $requiredInstallerNames = @(
-            "OpenClawCompanion-Setup-x64.exe",
-            "OpenClawCompanion-Setup-arm64.exe"
-          )
-          $allowedTargetCompanionAssetNames = @(
-            $requiredInstallerNames
-            "OpenClawCompanion-SHA256SUMS.txt"
-          )
-          if ($expectedDigests.Count -ne $requiredInstallerNames.Count) {
-            throw "expected_installer_digests must contain exactly the current installer asset contract."
-          }
-          foreach ($name in $requiredInstallerNames) {
-            $digest = [string]$expectedDigests[$name]
-            if ($digest -notmatch '^sha256:[A-Fa-f0-9]{64}$') {
-              throw "expected_installer_digests is missing a valid pinned digest for $name."
-            }
-          }
-
-          $targetRelease = gh release view $env:RELEASE_TAG --repo $env:GITHUB_REPOSITORY --json tagName,isDraft,isPrerelease,assets,url | ConvertFrom-Json
-          if ($targetRelease.tagName -ne $env:RELEASE_TAG) {
-            throw "OpenClaw release tag mismatch: expected $env:RELEASE_TAG, got $($targetRelease.tagName)"
-          }
-          $unexpectedTargetCompanionAssets = @(
-            $targetRelease.assets |
-              Where-Object {
-                $_.name.StartsWith("OpenClawCompanion-") -and
-                $_.name -notin $allowedTargetCompanionAssetNames
-              } |
-              ForEach-Object name |
-              Sort-Object
-          )
-          if ($unexpectedTargetCompanionAssets.Count -ne 0) {
-            throw "Target OpenClaw release contains unexpected OpenClawCompanion assets before upload: $($unexpectedTargetCompanionAssets -join ', ')"
-          }
-
-          $sourceRelease = gh release view $env:WINDOWS_NODE_TAG --repo openclaw/openclaw-windows-node --json tagName,isDraft,isPrerelease,assets,url | ConvertFrom-Json
-          if ($sourceRelease.tagName -ne $env:WINDOWS_NODE_TAG) {
-            throw "Windows source release tag mismatch: expected $env:WINDOWS_NODE_TAG, got $($sourceRelease.tagName)"
-          }
-          if ($sourceRelease.isDraft) {
-            throw "Windows source release must be published: $($sourceRelease.url)"
-          }
-          if ($stableRelease -and $sourceRelease.isPrerelease) {
-            throw "Stable OpenClaw releases require a non-prerelease Windows source release: $($sourceRelease.url)"
-          }
-          foreach ($name in $requiredInstallerNames) {
-            $sourceAssets = @($sourceRelease.assets | Where-Object name -eq $name)
-            if ($sourceAssets.Count -ne 1) {
-              throw "Windows source release must contain exactly one required asset $name; found $($sourceAssets.Count)."
-            }
-            if ([string]$sourceAssets[0].digest -ne [string]$expectedDigests[$name]) {
-              throw "Windows source release asset digest does not match the pinned digest: $name"
-            }
+          if ($env:WINDOWS_NODE_TAG -ne "latest" -and $env:WINDOWS_NODE_TAG -notmatch '^v[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z.-]+)?$') {
+            throw "Invalid openclaw-windows-node release tag: $env:WINDOWS_NODE_TAG"
           }
+          gh release view $env:RELEASE_TAG --repo $env:GITHUB_REPOSITORY | Out-Null
 
       - name: Download Windows Hub release installers
         shell: pwsh
         env:
           WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
-          EXPECTED_INSTALLER_DIGESTS: ${{ inputs.expected_installer_digests }}
           GH_TOKEN: ${{ github.token }}
         run: |
           New-Item -ItemType Directory -Force -Path dist | Out-Null
-          # Add future signed installer patterns, such as MSIX x64/ARM64, here.
-          # Every matched installer is signature-checked, checksummed, and promoted.
-          $installerPatterns = @(
-            "OpenClawCompanion-Setup-x64.exe",
-            "OpenClawCompanion-Setup-arm64.exe"
-          )
-          $downloadArgs = @(
-            $env:WINDOWS_NODE_TAG,
-            "--repo", "openclaw/openclaw-windows-node",
-            "--dir", "dist"
-          )
-          foreach ($pattern in $installerPatterns) {
-            $downloadArgs += @("--pattern", $pattern)
-          }
-          gh release download @downloadArgs
-          if ($LASTEXITCODE -ne 0) {
-            throw "Failed to download Windows release assets from $env:WINDOWS_NODE_TAG."
+          $tagArgs = @()
+          if ($env:WINDOWS_NODE_TAG -ne "latest") {
+            $tagArgs += $env:WINDOWS_NODE_TAG
           }
+          gh release download @tagArgs `
+            --repo openclaw/openclaw-windows-node `
+            --pattern "OpenClawCompanion-Setup-*.exe" `
+            --dir dist
 
-          foreach ($pattern in $installerPatterns) {
-            $patternMatches = @(Get-ChildItem -LiteralPath dist -File | Where-Object Name -Like $pattern)
-            if ($patternMatches.Count -ne 1) {
-              throw "Expected exactly one Windows installer matching '$pattern', found $($patternMatches.Count)."
-            }
-          }
-
-          $expectedDigests = $env:EXPECTED_INSTALLER_DIGESTS | ConvertFrom-Json -AsHashtable
-          foreach ($file in Get-ChildItem -LiteralPath dist -File) {
-            $expectedHash = ([string]$expectedDigests[$file.Name]) -replace '^sha256:', ''
-            $actualHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
-            if ($actualHash -ne $expectedHash) {
-              throw "Downloaded Windows source asset does not match pinned digest: $($file.Name)"
+          $expected = @(
+            "dist/OpenClawCompanion-Setup-x64.exe",
+            "dist/OpenClawCompanion-Setup-arm64.exe"
+          )
+          foreach ($file in $expected) {
+            if (-not (Test-Path -LiteralPath $file)) {
+              throw "Missing expected Windows installer: $file"
             }
           }
 
       - name: Verify Authenticode signatures
         shell: pwsh
         run: |
-          $expectedSignerSubject = "CN=OpenClaw Foundation, O=OpenClaw Foundation, L=Mill Valley, S=California, C=US"
-          Get-ChildItem -LiteralPath dist -File | ForEach-Object {
+          Get-ChildItem -LiteralPath dist -Filter "OpenClawCompanion-Setup-*.exe" | ForEach-Object {
             $signature = Get-AuthenticodeSignature -LiteralPath $_.FullName
             if ($signature.Status -ne "Valid") {
               throw "$($_.Name) Authenticode signature was $($signature.Status)."
@@ -164,9 +78,6 @@ jobs:
             if (-not $signature.SignerCertificate) {
               throw "$($_.Name) has no signer certificate."
             }
-            if ($signature.SignerCertificate.Subject -ne $expectedSignerSubject) {
-              throw "$($_.Name) has unexpected signer subject $($signature.SignerCertificate.Subject)."
-            }
             [pscustomobject]@{
               File = $_.Name
               Signer = $signature.SignerCertificate.Subject
@@ -177,7 +88,7 @@ jobs:
       - name: Write SHA-256 manifest
         shell: pwsh
         run: |
-          Get-ChildItem -LiteralPath dist -File |
+          Get-ChildItem -LiteralPath dist -Filter "OpenClawCompanion-Setup-*.exe" |
             Sort-Object Name |
             ForEach-Object {
               $hash = Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName
@@ -190,81 +101,12 @@ jobs:
           RELEASE_TAG: ${{ inputs.tag }}
           GH_TOKEN: ${{ github.token }}
         run: |
-          $releaseAssets = @(Get-ChildItem -LiteralPath dist -File | Sort-Object Name | ForEach-Object FullName)
-          gh release upload $env:RELEASE_TAG @releaseAssets --repo $env:GITHUB_REPOSITORY --clobber
-          if ($LASTEXITCODE -ne 0) {
-            throw "Failed to upload Windows release assets to $env:RELEASE_TAG."
-          }
-
-      - name: Verify promoted release asset contract
-        shell: pwsh
-        env:
-          RELEASE_TAG: ${{ inputs.tag }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          New-Item -ItemType Directory -Force -Path verified | Out-Null
-          $expectedAssets = @(Get-ChildItem -LiteralPath dist -File | Sort-Object Name)
-          $expectedCompanionAssetNames = @($expectedAssets | ForEach-Object Name | Sort-Object)
-          $targetRelease = gh release view $env:RELEASE_TAG --repo $env:GITHUB_REPOSITORY --json assets | ConvertFrom-Json
-          $actualCompanionAssetNames = @(
-            $targetRelease.assets |
-              Where-Object { $_.name.StartsWith("OpenClawCompanion-") } |
-              ForEach-Object name |
-              Sort-Object
-          )
-          $assetContractDiff = @(
-            Compare-Object `
-              -ReferenceObject $expectedCompanionAssetNames `
-              -DifferenceObject $actualCompanionAssetNames
-          )
-          if (
-            $actualCompanionAssetNames.Count -ne $expectedCompanionAssetNames.Count -or
-            $assetContractDiff.Count -ne 0
-          ) {
-            throw "Promoted OpenClawCompanion asset names do not exactly match the current contract."
-          }
-
-          foreach ($asset in $expectedAssets) {
-            gh release download $env:RELEASE_TAG `
-              --repo $env:GITHUB_REPOSITORY `
-              --pattern $asset.Name `
-              --dir verified
-            if ($LASTEXITCODE -ne 0) {
-              throw "Failed to download promoted Windows release asset $($asset.Name)."
-            }
-          }
-
-          $manifestPath = "verified/OpenClawCompanion-SHA256SUMS.txt"
-          $manifestEntries = @(Get-Content -LiteralPath $manifestPath | ForEach-Object {
-            if ($_ -notmatch '^([A-Fa-f0-9]{64})  ([^\\/]+)$') {
-              throw "Invalid Windows SHA-256 manifest entry: $_"
-            }
-            [PSCustomObject]@{
-              Hash = $Matches[1]
-              Name = $Matches[2]
-            }
-          })
-          $expectedInstallerNames = @(
-            $expectedAssets |
-              Where-Object Name -ne "OpenClawCompanion-SHA256SUMS.txt" |
-              ForEach-Object Name
-          )
-          $manifestInstallerNames = @($manifestEntries | ForEach-Object Name | Sort-Object)
-          $contractDiff = @(
-            Compare-Object `
-              -ReferenceObject $expectedInstallerNames `
-              -DifferenceObject $manifestInstallerNames
-          )
-          if ($contractDiff.Count -ne 0) {
-            throw "Promoted Windows SHA-256 manifest does not match the installer asset contract."
-          }
-
-          foreach ($entry in $manifestEntries) {
-            $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath "verified/$($entry.Name)").Hash
-            if ($hash -ne $entry.Hash) {
-              throw "Promoted Windows release asset checksum mismatch: $($entry.Name)"
-            }
-          }
+          gh release upload $env:RELEASE_TAG `
+            dist/OpenClawCompanion-Setup-x64.exe `
+            dist/OpenClawCompanion-Setup-arm64.exe `
+            dist/OpenClawCompanion-SHA256SUMS.txt `
+            --repo $env:GITHUB_REPOSITORY `
+            --clobber
 
       - name: Summary
         shell: pwsh
@@ -277,9 +119,8 @@ jobs:
 
           OpenClaw release: $env:RELEASE_TAG
           Source release: openclaw/openclaw-windows-node@$env:WINDOWS_NODE_TAG
+
+          - https://github.com/openclaw/openclaw/releases/download/$env:RELEASE_TAG/OpenClawCompanion-Setup-x64.exe
+          - https://github.com/openclaw/openclaw/releases/download/$env:RELEASE_TAG/OpenClawCompanion-Setup-arm64.exe
+          - https://github.com/openclaw/openclaw/releases/download/$env:RELEASE_TAG/OpenClawCompanion-SHA256SUMS.txt
           "@ >> $env:GITHUB_STEP_SUMMARY
-          Get-ChildItem -LiteralPath dist -File |
-            Sort-Object Name |
-            ForEach-Object {
-              "- https://github.com/openclaw/openclaw/releases/download/$env:RELEASE_TAG/$($_.Name)"
-            } >> $env:GITHUB_STEP_SUMMARY

.github/workflows/windows-testbox-probe.yml

@@ -133,9 +133,8 @@ jobs:
               $rootfs = "C:\wsl\ubuntu-noble-wsl.rootfs.tar.gz"
               New-Item -ItemType Directory -Force -Path @((Split-Path -Parent $rootfs), $wslRoot) | Out-Null
               Invoke-WebRequest -Uri $env:UBUNTU_WSL_ROOTFS_URL -OutFile $rootfs -UseBasicParsing
-              $import = Invoke-WslText -Arguments @("--import", "UbuntuProbe", $wslRoot, $rootfs, "--version", "2")
-              Write-Host $import.Text
-              Write-Host "wsl_import_exit=$($import.Code)"
+              wsl.exe --import UbuntuProbe $wslRoot $rootfs --version 2
+              Write-Host "wsl_import_exit=$LASTEXITCODE"
               $list = Invoke-WslText -Arguments @("--list", "--verbose")
               Write-Host $list.Text
               Write-Host "wsl_list_after_import_exit=$($list.Code)"
@@ -145,15 +144,14 @@ jobs:
             if ($distros.Count -gt 0) {
               $distro = $distros[0]
               Write-Host "wsl_probe_distro=$distro"
-              $exec = Invoke-WslText -Arguments @("-d", $distro, "--exec", "bash", "-lc", 'set -euo pipefail; uname -a; if [ -f /etc/os-release ]; then sed -n "1,8p" /etc/os-release; fi')
+              wsl.exe -d $distro --exec bash -lc 'set -euo pipefail; uname -a; if [ -f /etc/os-release ]; then sed -n "1,8p" /etc/os-release; fi'
             } else {
-              $exec = Invoke-WslText -Arguments @("--exec", "bash", "-lc", 'set -euo pipefail; uname -a; if [ -f /etc/os-release ]; then sed -n "1,8p" /etc/os-release; fi')
+              wsl.exe --exec bash -lc 'set -euo pipefail; uname -a; if [ -f /etc/os-release ]; then sed -n "1,8p" /etc/os-release; fi'
             }
-            Write-Host $exec.Text
-            if ($exec.Code -eq 0) {
+            if ($LASTEXITCODE -eq 0) {
               $ok = $true
             }
-            Write-Host "wsl_exec_exit=$($exec.Code)"
+            Write-Host "wsl_exec_exit=$LASTEXITCODE"
           }
 
           if ($ok) {

.github/workflows/workflow-sanity.yml

@@ -34,25 +34,10 @@ jobs:
           git init "$GITHUB_WORKSPACE"
           git -C "$GITHUB_WORKSPACE" config gc.auto 0
           git -C "$GITHUB_WORKSPACE" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
-          fetch_checkout_ref() {
-            local fetch_status
-            for attempt in 1 2 3; do
-              timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
-                -c protocol.version=2 \
-                fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-                "+${CHECKOUT_SHA}:refs/remotes/origin/checkout" && return 0
-              fetch_status="$?"
-              if [ "$fetch_status" != "124" ] && [ "$fetch_status" != "137" ]; then
-                return "$fetch_status"
-              fi
-              if [ "$attempt" = "3" ]; then
-                return "$fetch_status"
-              fi
-              echo "::warning::checkout fetch for '$CHECKOUT_SHA' timed out on attempt $attempt; retrying"
-              sleep 5
-            done
-          }
-          fetch_checkout_ref
+          timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
+            -c protocol.version=2 \
+            fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
+            "+${CHECKOUT_SHA}:refs/remotes/origin/checkout"
           git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout
 
       - name: Fail on tabs in workflow files
@@ -93,25 +78,10 @@ jobs:
           git init "$GITHUB_WORKSPACE"
           git -C "$GITHUB_WORKSPACE" config gc.auto 0
           git -C "$GITHUB_WORKSPACE" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
-          fetch_checkout_ref() {
-            local fetch_status
-            for attempt in 1 2 3; do
-              timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
-                -c protocol.version=2 \
-                fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-                "+${CHECKOUT_SHA}:refs/remotes/origin/checkout" && return 0
-              fetch_status="$?"
-              if [ "$fetch_status" != "124" ] && [ "$fetch_status" != "137" ]; then
-                return "$fetch_status"
-              fi
-              if [ "$attempt" = "3" ]; then
-                return "$fetch_status"
-              fi
-              echo "::warning::checkout fetch for '$CHECKOUT_SHA' timed out on attempt $attempt; retrying"
-              sleep 5
-            done
-          }
-          fetch_checkout_ref
+          timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
+            -c protocol.version=2 \
+            fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
+            "+${CHECKOUT_SHA}:refs/remotes/origin/checkout"
           git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout
 
       - name: Setup Python
@@ -220,25 +190,10 @@ jobs:
           git init "$GITHUB_WORKSPACE"
           git -C "$GITHUB_WORKSPACE" config gc.auto 0
           git -C "$GITHUB_WORKSPACE" remote add origin "https://github.com/${CHECKOUT_REPO}.git"
-          fetch_checkout_ref() {
-            local fetch_status
-            for attempt in 1 2 3; do
-              timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
-                -c protocol.version=2 \
-                fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-                "+${CHECKOUT_SHA}:refs/remotes/origin/checkout" && return 0
-              fetch_status="$?"
-              if [ "$fetch_status" != "124" ] && [ "$fetch_status" != "137" ]; then
-                return "$fetch_status"
-              fi
-              if [ "$attempt" = "3" ]; then
-                return "$fetch_status"
-              fi
-              echo "::warning::checkout fetch for '$CHECKOUT_SHA' timed out on attempt $attempt; retrying"
-              sleep 5
-            done
-          }
-          fetch_checkout_ref
+          timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
+            -c protocol.version=2 \
+            fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
+            "+${CHECKOUT_SHA}:refs/remotes/origin/checkout"
           git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout
 
       - name: Setup Node environment
@@ -251,6 +206,3 @@ jobs:
 
       - name: Check plugin SDK API baseline drift
         run: pnpm plugin-sdk:api:check
-
-      - name: Check plugin SDK surface budget
-        run: pnpm plugin-sdk:surface:check

.gitignore

@@ -83,12 +83,6 @@ apps/ios/fastlane/screenshots/
 apps/ios/fastlane/test_output/
 apps/ios/fastlane/logs/
 apps/ios/fastlane/.env
-apps/android/fastlane/report.xml
-apps/android/fastlane/Preview.html
-apps/android/fastlane/test_output/
-apps/android/fastlane/logs/
-apps/android/fastlane/.env
-apps/android/fastlane/metadata/android/**/images/
 
 # fastlane build artifacts (local)
 apps/ios/*.ipa
@@ -133,8 +127,6 @@ mantis/
 !.agents/skills/clawdtributor/**
 !.agents/skills/control-ui-e2e/
 !.agents/skills/control-ui-e2e/**
-!.agents/skills/discord-user-post/
-!.agents/skills/discord-user-post/**
 !.agents/skills/gitcrawl/
 !.agents/skills/gitcrawl/**
 !.agents/skills/technical-documentation/

AGENTS.md

@@ -172,7 +172,7 @@ Skills own workflows; root owns hard policy and routing.
 - PR artifacts/screenshots: attach to PR/comment/external artifact store. Never push screenshots, videos, proof images, or proof assets to OpenClaw or any product repo branch, including temp artifact branches. Use Crabbox artifact publishing plus the manifest URL. Do not commit `.github/pr-assets`.
 - CI polling: exact SHA, relevant checks only, minimal fields. Skip routine noise (`Auto response`, `Labeler`, docs agents, performance/stale). Logs only after failure/completion or concrete need.
 - OpenClaw write-access maintainers may skip `Real behavior proof` when local tests or Crabbox verified behavior; record proof in PR verification.
-- Agent PR landing to `main`: use only the repo-native `scripts/pr` wrapper: run `scripts/pr review-init <PR>`, follow its emitted checkout/guard guidance, initialize and complete review artifacts with `scripts/pr review-artifacts-init <PR>`, validate them with `scripts/pr review-validate-artifacts <PR>`, then run `scripts/pr prepare-run <PR>` and `scripts/pr merge-run <PR>`; do not idle on `auto-response` or `check-docs`.
+- `/landpr`: use `~/.codex/prompts/landpr.md`; do not idle on `auto-response` or `check-docs`.
 
 ## Code
 
@@ -214,7 +214,6 @@ Skills own workflows; root owns hard policy and routing.
 
 - Vitest. Colocated `*.test.ts`; e2e `*.e2e.test.ts`; example models `sonnet-4.6`, `gpt-5.5`; test GPT with 5.5 preferred, 5.4 ok; no GPT-4.x agent-smoke defaults.
 - Prefer behavior tests over workflow/docs string greps. Put operator policy reminders in AGENTS/docs.
-- QA scenario sources are YAML only: `qa/scenarios/index.yaml` and `qa/scenarios/<theme>/*.yaml`. Do not add fenced `qa-scenario`/`qa-flow` Markdown files under `qa/scenarios/`.
 - Clean timers/env/globals/mocks/sockets/temp dirs/module state; `--isolate=false` safe.
 - Prefer injection and narrow `*.runtime.ts` mocks over broad barrels or `openclaw/plugin-sdk/*`.
 - Do not edit baseline/inventory/ignore/snapshot/expected-failure files to silence checks without explicit approval.
@@ -252,11 +251,9 @@ Skills own workflows; root owns hard policy and routing.
 - Lockfiles/shrinkwrap are security surface: review `pnpm-lock.yaml`, `npm-shrinkwrap.json`, `package-lock.json`; root/plugin npm packages ship shrinkwrap, not package-lock.
 - Carbon pins owner-only: do not change `@buape/carbon` unless Shadow (`@thewilloftheshadow`, verified by `gh`) asks.
 - Releases/publish/version bumps need explicit approval. Use `$release-openclaw-maintainer`.
-- Release versions use `YYYY.M.PATCH`, where `PATCH` is a sequential monthly release-train number, never the calendar day. Stable and beta tags determine the current train; alpha-only tags do not consume or advance the beta/stable patch number. After `2026.6.5`, the next beta train is `2026.6.6-beta.1` even if higher alpha-only tags exist.
-- Alpha/nightly versions use the next unreleased train plus an incrementing prerelease number. Repeated nightlies for the same train increment only `alpha.N`; they must not mint a new patch number from the date.
 - Backport means apply to newest open `release/` branch unless user names another target.
 - GHSA/advisories: `$openclaw-ghsa-maintainer` / `$security-triage`. Secret scanning: `$openclaw-secret-scanning-maintainer`.
-- Beta tag/version match: `vYYYY.M.PATCH-beta.N` -> npm `YYYY.M.PATCH-beta.N --tag beta`.
+- Beta tag/version match: `vYYYY.M.D-beta.N` -> npm `YYYY.M.D-beta.N --tag beta`.
 
 ## Platform / Ops
 

Dockerfile

@@ -116,19 +116,11 @@ RUN pnpm_config_verify_deps_before_run=false pnpm canvas:a2ui:bundle || \
      echo "/* A2UI bundle unavailable in this build */" > extensions/canvas/src/host/a2ui/a2ui.bundle.js && \
      echo "stub" > extensions/canvas/src/host/a2ui/.bundle.hash && \
      rm -rf vendor/a2ui apps/shared/OpenClawKit/Tools/CanvasA2UI)
-RUN if printf '%s\n' "$OPENCLAW_EXTENSIONS" | tr ',' ' ' | tr ' ' '\n' | grep -qx 'qa-lab'; then \
-      export OPENCLAW_BUILD_PRIVATE_QA=1 OPENCLAW_ENABLE_PRIVATE_QA_CLI=1; \
-    fi && \
-    NODE_OPTIONS=--max-old-space-size=8192 pnpm_config_verify_deps_before_run=false pnpm build:docker
+RUN NODE_OPTIONS=--max-old-space-size=8192 pnpm_config_verify_deps_before_run=false pnpm build:docker
 # Force pnpm for UI build (Bun may fail on ARM/Synology architectures)
 ENV OPENCLAW_PREFER_PNPM=1
 RUN pnpm_config_verify_deps_before_run=false pnpm ui:build
-RUN if printf '%s\n' "$OPENCLAW_EXTENSIONS" | tr ',' ' ' | tr ' ' '\n' | grep -qx 'qa-lab'; then \
-      pnpm_config_verify_deps_before_run=false pnpm qa:lab:build && \
-      mkdir -p dist/extensions/qa-lab/web && \
-      rm -rf dist/extensions/qa-lab/web/dist && \
-      cp -R extensions/qa-lab/web/dist dist/extensions/qa-lab/web/dist; \
-    fi
+RUN pnpm_config_verify_deps_before_run=false pnpm qa:lab:build
 
 # Prune dev dependencies, omitted plugin runtime packages, and build-only
 # metadata before copying runtime assets into the final image.
@@ -138,7 +130,7 @@ ARG OPENCLAW_BUNDLED_PLUGIN_DIR
 # BuildKit cache mounts are not part of cached layers; seed tarballs for the
 # installed prod graph in the same step that runs offline prune.
 RUN --mount=type=cache,id=openclaw-pnpm-store,target=/root/.local/share/pnpm/store,sharing=locked \
-    node scripts/list-prod-store-packages.mjs | xargs -r pnpm store add && \
+    pnpm list --prod --depth Infinity --json | node scripts/list-prod-store-packages.mjs | xargs -r pnpm store add && \
     CI=true pnpm prune --prod \
       --config.offline=true \
       --config.supportedArchitectures.os=linux \
@@ -147,10 +139,6 @@ RUN --mount=type=cache,id=openclaw-pnpm-store,target=/root/.local/share/pnpm/sto
     OPENCLAW_EXTENSIONS="$OPENCLAW_EXTENSIONS" OPENCLAW_BUNDLED_PLUGIN_DIR="$OPENCLAW_BUNDLED_PLUGIN_DIR" node scripts/prune-docker-plugin-dist.mjs && \
     node scripts/postinstall-bundled-plugins.mjs && \
     find dist -type f \( -name '*.d.ts' -o -name '*.d.mts' -o -name '*.d.cts' -o -name '*.map' \) -delete && \
-    rm -rf \
-      /app/node_modules/openclaw \
-      /app/node_modules/.bin/openclaw \
-      /app/node_modules/.pnpm/openclaw@*/node_modules/openclaw && \
     node scripts/check-package-dist-imports.mjs /app
 
 # ── Runtime base image ──────────────────────────────────────────

SECURITY.md

@@ -48,7 +48,6 @@ These patterns are usually not vulnerabilities by themselves:
 
 - Prompt injection without a policy, auth, approval, sandbox, or tool-boundary bypass.
 - A trusted operator using an intentional local feature, such as local shell access or browser/script execution.
-- A report whose only primitive is changing the process or child-process environment before running OpenClaw or an executable OpenClaw invokes.
 - A malicious plugin after a trusted operator installs or enables it.
 - Multiple adversarial users sharing one Gateway host/config and expecting per-user isolation.
 - Scanner-only, dependency-only, or stale-path reports without a working repro and demonstrated OpenClaw impact.
@@ -104,7 +103,6 @@ These are frequently reported but are typically closed with no code change:
 - ReDoS/DoS claims that require trusted operator configuration input (for example catastrophic regex in `sessionFilter` or `logging.redactPatterns`) without a trust-boundary bypass.
 - Archive/install extraction claims that require pre-existing local filesystem priming in trusted state (for example planting symlink/hardlink aliases under destination directories such as skills/tools paths) without showing an untrusted path that can create/control that primitive.
 - Reports that depend on replacing or rewriting an already-approved executable path on a trusted host (same-path inode/content swap) without showing an untrusted path to perform that write.
-- Reports that depend on attacker-controlled environment variables changing executable behavior, including variables that redirect lookup paths, preload code, select wrappers/interpreters, alter package-manager or runtime hooks, or make one executable call another executable. Control of the process or child-process environment is trusted host/operator control in OpenClaw's model; these reports need a separate OpenClaw boundary bypass that lets untrusted input set or mutate that environment.
 - Reports that depend on pre-existing symlinked skill/workspace filesystem state (for example symlink chains involving `skills/*/SKILL.md`) without showing an untrusted path that can create/control that state.
 - Missing HSTS findings on default local/loopback deployments.
 - Reports against test-only harnesses, QA Lab, QE Lab, E2E fixtures, benchmark rigs, or maintainer-only debugging tools when the vulnerable code is not shipped as a supported production surface.
@@ -163,7 +161,6 @@ Plugins/extensions are part of OpenClaw's trusted computing base for a gateway.
 - Reports where exploitability depends on attacker-controlled pre-existing symlink/hardlink filesystem state in trusted local paths (for example extraction/install target trees) unless a separate untrusted boundary bypass is shown that creates that state.
 - Reports whose only claim is sandbox/workspace read expansion through trusted local skill/workspace symlink state (for example `skills/*/SKILL.md` symlink chains) unless a separate untrusted boundary bypass is shown that creates/controls that state.
 - Reports whose only claim is post-approval executable identity drift on a trusted host via same-path file replacement/rewrite unless a separate untrusted boundary bypass is shown for that host write primitive.
-- Reports whose only claim is environment-variable-driven executable behavior change, including path lookup changes, preload hooks, wrapper/interpreter selection, package-manager/runtime hooks, or variables that make an executable invoke another executable, unless a separate OpenClaw boundary bypass lets untrusted input set or mutate that environment.
 - Reports where the only demonstrated impact is an already-authorized sender intentionally invoking a local-action command (for example `/export-session` writing to an absolute host path) without bypassing auth, sandbox, or another documented boundary
 - Reports whose only claim is use of an explicit trusted-operator control surface (for example `canvas.eval`, browser evaluate/script execution, or direct `node.invoke` execution) without demonstrating an auth, policy, allowlist, approval, or sandbox bypass.
 - Reports where the only claim is that a trusted-installed/enabled plugin can execute with gateway/host privileges (documented trust model behavior).
@@ -184,7 +181,6 @@ Plugins/extensions are part of OpenClaw's trusted computing base for a gateway.
 OpenClaw security guidance assumes:
 
 - The host where OpenClaw runs is within a trusted OS/admin boundary.
-- Anyone who can set or mutate the OpenClaw process environment, launcher environment, or child-process environment is inside that trusted host/operator boundary.
 - Anyone who can modify `~/.openclaw` state/config (including `openclaw.json`) is effectively a trusted operator.
 - A single Gateway shared by mutually untrusted people is **not a recommended setup**. Use separate gateways (or at minimum separate OS users/hosts) per trust boundary.
 - Authenticated Gateway callers are treated as trusted operators. Session identifiers (for example `sessionKey`) are routing controls, not per-user authorization boundaries.

appcast.xml

@@ -2,128 +2,6 @@
 <rss xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" version="2.0">
     <channel>
         <title>OpenClaw</title>
-        <item>
-            <title>2026.6.8</title>
-            <pubDate>Tue, 16 Jun 2026 17:17:20 +0000</pubDate>
-            <link>https://raw.githubusercontent.com/openclaw/openclaw/main/appcast.xml</link>
-            <sparkle:version>2606000890</sparkle:version>
-            <sparkle:shortVersionString>2026.6.8</sparkle:shortVersionString>
-            <sparkle:minimumSystemVersion>15.0</sparkle:minimumSystemVersion>
-            <description><![CDATA[<h2>OpenClaw 2026.6.8</h2>
-<h3>Highlights</h3>
-<ul>
-<li>Telegram and WhatsApp channel delivery are richer and less brittle: Telegram can send structured rich text with tables, lists, expandable blockquotes, preserved intentional line breaks, prompt-preserving CLI backend delivery, retired native draft migration, and safer rich-media boundaries, while WhatsApp now honors configured ACP bindings. (#92679, #93164, #84082, #89421, #92513) Thanks @obviyus, @jzakirov, @spacegeologist, and @TurboTheTurtle.</li>
-<li>Agent and Gateway recovery is sharper across account-scoped DM sends, generated media completions, auto-reply message-tool final replies, reset archive fallback reads, restart shutdown aborts, yielded subagent pauses, trusted subagent thinking override fallback, yielded cron media, heartbeat dedupe, session identity prompts, and unknown OpenAI agent selector rejection. (#92788, #91246, #92879, #91357, #92631, #92412, #92146, #91287, #92468, #92510) Thanks @yetval, @TurboTheTurtle, @masatohoshino, @CadanHu, @ooiuuii, @openperf, @IWhatsskill, @ZengWen-DT, and @zhangguiping-xydt.</li>
-<li>Provider/model handling expands and tightens with GLM-5.2, Claude Haiku 4.5 catalog rows, OpenRouter and Google Vertex provider-prefix normalization, managed SecretRef auth, OAuth image-default routing through Codex, bounded model browse discovery, LM Studio binary thinking-off delivery, storeless OpenAI Responses replay gating, invalid OpenAI reasoning-signature and genericized Anthropic thinking-signature recovery, Claude 4.5 Copilot tool-streaming safety, and OpenAI/Anthropic-family payload quarantine for unreadable or post-hook tool schemas. (#92796, #90116, #92627, #91218, #90686, #92824, #92247, #92002, #90706, #92941, #92201, #92916, #75393, #92908, #92921, #92928) Thanks @arkyu2077, @liuhao1024, @bymle, @rohitjavvadi, @nxmxbbd, @bek91, @samson910022, @mmyzwl, @CarlCapital, @snowzlm, @Kailigithub, and @vincentkoc.</li>
-<li><code>/usage</code> and reply payload hooks now have a native full footer renderer, default template, fixed-decimal formatting, credential-aware limits, better partial-count handling, and warnings for broken templates instead of silent bad output. (#92657, #89835, #89629) Thanks @Marvinthebored.</li>
-<li>UI and mobile flows are steadier: workspace files can collapse and start collapsed, WebChat backscroll survives streaming, the sidebar session picker remains interactive above the desktop workbench, reset soft args survive UI dispatch, stale dashboard session parent lineage is preserved, and iOS reconnects stale foreground gateways. (#92779, #92622, #92705, #91353, #90658, #92552) Thanks @shakkernerd, @TurboTheTurtle, @NianJiuZst, @zhouhe-xydt, @luoyanglang, and @Solvely-Colin.</li>
-<li>Memory, state, and diagnostics recover cleaner: oversized OpenAI embedding batches split before 431s, QMD memory search stays available in transient mode, SQLite avoids WAL on NFS state volumes, stuck-session recovery scheduling no longer resets warning backoff, full memory reindexes preserve rollback/cache recovery, raw Memory Wiki source pages stop looking malformed, and Infinity chunk limits stay genuinely unbounded. (#92650, #92618, #92639, #91247, #92752, #92881, #59137, #92876, #69700, #92735) Thanks @mushuiyu886, @TurboTheTurtle, @849261680, @gnanam1990, @TSHOGX, @arlen8411, and @yhterrance.</li>
-</ul>
-<h3>Changes</h3>
-<ul>
-<li>Providers/models: add GLM-5.2 support and Claude Haiku 4.5 catalog entries while keeping provider-qualified model IDs normalized across OpenRouter and Google Vertex paths. (#92796, #90116, #92627, #91218) Thanks @arkyu2077, @liuhao1024, and @bymle.</li>
-<li>Web search: keep key-free providers such as Parallel Free, DuckDuckGo, Ollama, and Codex Hosted Search as explicit opt-ins instead of selecting them automatically when no API-backed provider is configured. (#93616) Thanks @davemorin and @vincentkoc.</li>
-<li>Channel plugins: ship Telegram rich-message delivery and WhatsApp ACP binding support, including preserved intentional line breaks, rich prompt handoff to CLI backends, and transport fixtures for richer drafts. (#92679, #93164, #92513) Thanks @obviyus and @TurboTheTurtle.</li>
-<li>Agent commands: support <code>/btw</code> in CLI-backed sessions and keep CLI usage-error exits classified as usage failures instead of successful runs. (#92669, #92162) Thanks @joshavant and @Pandah97.</li>
-<li>Usage hooks: add built-in full footer rendering, default footer templates, per-turn usage state, credential-aware limits, and fixed-decimal formatting for usage-bar templates. (#92657, #89835, #89629) Thanks @Marvinthebored.</li>
-<li>Docs and operator guidance: document node config examples, clarify before-install hook scope, correct agent default concurrency comments, refresh ZAI provider docs, and update channel/group docs for current Telegram and WhatsApp behavior. (#92677, #92766, #92695) Thanks @liuhao1024, @sallyom, and @ArielSmoliar.</li>
-</ul>
-<h3>Fixes</h3>
-<ul>
-<li>Channels and delivery: preserve account-scoped DM channel send policy, intentional rich-message line breaks in Telegram and status output, rich Telegram final replies, rich Telegram tables and lists, Telegram thread-create CLI remapping, Feishu dynamic-agent routes after persisted binding reuse, Slack outbound <code>message_sent</code> hooks, contributed message-tool schema optionality, same-channel generated media completions, and channel chunking around surrogate pairs and Infinity limits. (#92788, #93164, #92679, #89421, #89943, #42837, #92814, #91137, #91246, #92735) Thanks @yetval, @obviyus, @spacegeologist, @rishitamrakar, @liuhao1024, @lundog, @TurboTheTurtle, and @yhterrance.</li>
-<li>Discord: give generated auto-thread titles a 60-second timeout and 4,096-token reasoning-model output budget, clamped to the selected model output cap. (#64734) Thanks @hanamizuki.</li>
-<li>Agent, cron, and Gateway runtime: mark active main sessions before restart shutdown aborts, pause yielded subagent runs whose terminal also signals abort, clamp trusted subagent thinking overrides through provider/model fallback, preserve yielded media completions, deliver channel message-tool final replies through auto-reply while hiding internal delivery hints, restore reset archive fallback reads when active async transcripts are missing, de-duplicate main-session heartbeat events, expose session identity in runtime prompts, reject unknown OpenAI agent selectors, keep generated media completions, slash-command block replies, and trajectory export commands in WebChat, and require admin privileges for HTTP session/model override surfaces. (#91357, #92631, #92412, #92146, #92879, #91287, #92468, #92510, #91246, #92651, #92646) Thanks @ooiuuii, @openperf, @IWhatsskill, @masatohoshino, @CadanHu, @ZengWen-DT, @zhangguiping-xydt, and @TurboTheTurtle.</li>
-<li>Providers and model replay: preserve storeless OpenAI Responses replay compatibility, recover invalid OpenAI reasoning signatures and genericized Anthropic thinking-signature replay errors, route OAuth image defaults through Codex for eligible OpenAI profiles, avoid eager tool streaming for Claude 4.5 in Copilot, quarantine unreadable and post-hook OpenAI/Anthropic-family tool schemas without broadening allowed tool choices, deliver explicit thinking-off requests to LM Studio binary-thinking models, honor profile auth for SecretRef model entries, bound model browsing, strip provider prefixes where runtimes need bare IDs, and surface nested embedding fetch failures. (#90706, #92941, #92201, #92916, #92824, #75393, #92908, #92921, #92928, #92002, #90686, #92247, #92627, #91218, #92628) Thanks @snowzlm, @mmyzwl, @CarlCapital, @bek91, @Kailigithub, @vincentkoc, @rohitjavvadi, @samson910022, @nxmxbbd, @liuhao1024, @bymle, and @mushuiyu886.</li>
-<li>Memory, state, diagnostics, and config: split header-too-large embedding batches, keep QMD memory search enabled in transient mode, avoid SQLite WAL on NFS volumes, preserve recovery scheduling outside stuck-session warning backoff, preserve full-reindex rollback/cache recovery, treat raw Memory Wiki source pages as source evidence, and keep shell environment fallbacks contained in config write tests. (#92650, #92618, #92639, #91247, #92752, #92881, #59137, #92876, #69700) Thanks @mushuiyu886, @TurboTheTurtle, @849261680, @gnanam1990, @TSHOGX, and @arlen8411.</li>
-<li>UI/mobile/TUI: preserve dashboard session parent lineage, WebChat backscroll, reset soft command args, sidebar session picker interactivity, collapsed workspace files, resolved <code>/model</code> confirmation refs, stale foreground iOS Gateway reconnects, and paused setup-parent stdin after inherited-stdio child exit. (#90658, #92622, #91353, #92705, #92779, #92773, #92552, #93159) Thanks @luoyanglang, @TurboTheTurtle, @zhouhe-xydt, @NianJiuZst, @shakkernerd, @NarahariRaghava, @Solvely-Colin, and @fuller-stack-dev.</li>
-<li>Plugins and updates: repair missing required platform packages during managed plugin installs and updates, including omitted Codex platform binaries.</li>
-<li>Dependencies: update Hono to 4.12.25 so published OpenClaw and ACPX packages use the patched runtime.</li>
-<li>Release and test reliability: extend slow Gateway/full-suite watchdogs, split local full-suite shards when throttled, stabilize plugin auth marker fixtures, avoid brittle provider-ref error text, fold Telegram RTT sampling into live QA evidence, simplify QA scorecard mappings around canonical coverage IDs, keep QA Lab bootstrap selection assertions aligned with flow-only scenarios, skip QA coverage artifact consumers when runtime parity producer status is not green, keep Feishu lifecycle release checks pointed at the active fixture config, isolate trajectory-export live seed turns from Codex-native shell approvals, preserve release-check child refs while pinning expected SHAs, widen live OpenAI TTS budgets for slower provider responses, and avoid false downgrade prompts for unresolved latest-tag updates. (#92652, #92550, #92558, #92911) Thanks @RomneyDa and @Andy312432.</li>
-</ul>
-<p><a href="https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md">View full changelog</a></p>
-]]></description>
-            <enclosure url="https://github.com/openclaw/openclaw/releases/download/v2026.6.8/OpenClaw-2026.6.8.zip" length="55815364" type="application/octet-stream" sparkle:edSignature="hLJ14xg6+DMFrXViIW3Njs++OPIGO+RWH9h+mPCSzXPAkKyYUGvtOLu1qEKvvfC8rs5FGgW/w4zDLfD2azqiBA=="/>
-        </item>
-        <item>
-            <title>2026.6.5</title>
-            <pubDate>Tue, 09 Jun 2026 19:06:49 +0000</pubDate>
-            <link>https://raw.githubusercontent.com/openclaw/openclaw/main/appcast.xml</link>
-            <sparkle:version>2606000590</sparkle:version>
-            <sparkle:shortVersionString>2026.6.5</sparkle:shortVersionString>
-            <sparkle:minimumSystemVersion>15.0</sparkle:minimumSystemVersion>
-            <description><![CDATA[<h2>OpenClaw 2026.6.5</h2>
-<h3>Highlights</h3>
-<ul>
-<li>QQBot now strips model reasoning/thinking scaffolding before native delivery, preventing raw <code><thinking></code> content from leaking into channel replies. (#89913, #90132) Thanks @openperf.</li>
-<li>MCP tool results now coerce <code>resource_link</code>, <code>resource</code>, <code>audio</code>, malformed image, and future non-text/image blocks at the materialize boundary, preventing Anthropic 400s and poisoned session history after a tool returns richer MCP content. (#90710, #90728) Thanks @RanSHammer and @849261680.</li>
-<li>Anthropic extended-thinking sessions recover after prompt-cache expiry or Gateway restart because stream start events wait for <code>message_start</code>, letting pre-generation signature errors trigger the existing recovery retry. (#90667, #90697) Thanks @openperf.</li>
-<li>Parallel is now a bundled <code>web_search</code> provider with <code>PARALLEL_API_KEY</code> discovery, guarded endpoint handling, cache-safe session ids, onboarding picker support, and docs. (#85158) Thanks @NormallyGaussian.</li>
-<li>Google Vertex ADC users get static catalog rows and runtime model resolution again, while single-provider cooldown recovery and memory adapter status checks are more reliable. (#90506, #90609, #90717, #90816) Thanks @849261680.</li>
-<li>Matrix can preflight voice notes before mention gating, preserve thread reads/replies through Matrix relations pagination, and carry QA coverage for voice and thread flows. (#78016, #90415)</li>
-<li>Auth and plugin install state is more durable: auth profiles now live in SQLite, official npm plugin install records keep their trusted pins, and prerelease fallback integrity checks avoid carrying stale integrity forward. (#89102, #88585)</li>
-<li>Agent, tool, and provider loops are stricter around MCP lease timestamps, prompt-cache tool names, local tool catalogs, unreadable dynamic tools, owner-only HTTP tools, and provider catalog metadata, reducing hidden retries and unsafe exposure. (#91124, #91233, #90022, #90261)</li>
-<li>macOS node mode no longer silently self-reconnects away from a healthy direct Gateway session, reducing unexpected companion app session churn. (#90668, #90815) Thanks @vrurg.</li>
-<li>Upgrade and service paths are safer: cron legacy JSON stores migrate during doctor preflight, service env placeholders no longer mask state-dir secrets, WhatsApp startup waits are bounded, and disabled WhatsApp accounts tear down on config reload. (#90072, #90208, #90277, #90488, #90486, #87951, #87965) Thanks @MonkeyLeeT, @sallyom, @mcaxtr, and @MukundaKatta.</li>
-</ul>
-<h3>Changes</h3>
-<ul>
-<li>Search/providers: add the Parallel bundled web-search plugin, live provider tests, registration contracts, onboarding/docs wiring, and guarded <code>api.parallel.ai/v1/search</code> support. (#85158) Thanks @NormallyGaussian.</li>
-<li>Matrix/channels: add voice-message preflight and thread-aware read/reply behavior, including Matrix QA scenario wiring and docs for voice-message behavior. (#78016, #90415)</li>
-<li>Skills/ClawHub: install ClawHub skills backed by GitHub repositories through the resolved install API, download the pinned GitHub commit, keep install-policy checks, and report install telemetry after success. (#90478) Thanks @Patrick-Erichsen.</li>
-<li>Skills/ClawHub: avoid one filesystem watcher per skill file during refresh, keeping large skill trees from exhausting watcher limits.</li>
-<li>Google Chat/channels: add native approval card actions and click handling so Google Chat approvals use platform-native cards instead of generic message flow.</li>
-<li>Mobile: Android provider/model screens now surface expiring, unavailable, unresolved, and attention states more clearly, Android adds theme mode selection, and iOS settings and Talk tabs keep diagnostics, gateway rows, attachment labels, fallback copy, and unavailable Talk controls reachable. (#90752, #91201)</li>
-<li>Memory: QMD search can use the new rerank toggle, and memory adapter status uses the resolved default model identity when checking plain status. (#61834)</li>
-<li>Docs/tooling: add Parallel search docs, refresh weather-skill guidance toward <code>web_fetch</code>, clarify legacy <code>openai-codex</code> auth, document release/test helper scripts, and tighten changed-test routing docs for CI/debugging work. (#90028, #90250) Thanks @fuller-stack-dev.</li>
-<li>Release/process: switch release trains to <code>YYYY.M.PATCH</code> monthly patch numbering, keep pre-transition tags compatible, and pin the June 2026 floor at <code>2026.6.5</code>.</li>
-<li>Release/process: defer the session-metadata SQLite migration from the <code>2026.6.5</code> beta train so this release keeps the existing JSON-backed session metadata path while the migration risk is worked on <code>main</code>.</li>
-<li>Release metadata: align OpenClaw, publishable plugin manifests, generated shrinkwraps, app version metadata, iOS release notes, Matrix plugin changelog, and generated release baselines with the <code>2026.6.5</code> release train.</li>
-<li>Platform maintenance: refresh Android, Swift/macOS, Docker, CodeQL, Buildx, Docker build/push, and Codex Action dependencies for this release train. (#74980, #81757, #86481, #86483, #90601)</li>
-</ul>
-<h3>Fixes</h3>
-<ul>
-<li>Channel content boundaries: QQBot now strips reasoning/thinking tags before sending, preserving final answers while hiding internal model narration from users. (#89913, #90132) Thanks @openperf.</li>
-<li>Agents/MCP/providers: coerce non-text/image MCP tool-result blocks before they reach provider converters, preserving valid images and turning richer MCP content into text instead of malformed image blocks. (#90710, #90728) Thanks @RanSHammer and @849261680.</li>
-<li>Anthropic/Codex/ACP/agent recovery: defer Anthropic stream start events until <code>message_start</code>, strip stale compaction thinking signatures before Anthropic replay, detect unsigned thinking-only stalls, refresh prompt fences after compaction writes, reject empty completion handoffs, preserve parent streaming-off overrides/shared progress commentary, forward heartbeat metadata to context-engine hooks, and cover Codex session/thread migration edge cases. (#90667, #90697, #90163, #90108, #89874, #89505, #90632, #89302, #90729, #90317, #90319) Thanks @openperf, @100yenadmin, and @ooiuuii.</li>
-<li>Agents/Codex/tools: MCP lease release no longer refreshes <code>lastUsedAt</code>, prompt-cache tool names are guarded, lean local tool catalogs stay compact, unreadable dynamic tools are quarantined, orphan tool errors still surface, native subagent completion results survive app-server monitoring, and background-session name derivation avoids regex backtracking risk. (#91124, #90612, #90022, #91235, #91233)</li>
-<li>Provider/model resolution: preserve Google Vertex ADC auth markers in generated catalogs, re-probe a single-provider primary after cooldown, share Codex model visibility, fail closed for unknown model auth, preserve Codex alias availability, keep unresolved profile refs unknown, and avoid resolving auth while listing models. (#90506, #90609, #90717, #90702) Thanks @849261680.</li>
-<li>Provider/model resolution: live provider model catalogs keep helper coverage, Ollama catalog metadata is preserved, Google provider prefixes are stripped from Gemini paths, Foundry Responses reasoning replay ids survive, MiniMax M3 thinking stays enabled, Vertex multi-region calls use the right regional host, and OpenRouter streamed generation cost is reconciled. (#91125)</li>
-<li>Gateway/macOS/mobile: avoid duplicate Gateway probe warnings by identity, rate-limit node pairing requests while preserving paired-node reconnects, keep macOS node mode on a healthy direct Gateway session, keep iOS diagnostics and gateway rows reachable, and avoid Linux ARM Gradle resource tasks during Android builds. (#85791, #90147, #90668, #90815) Thanks @giodl73-repo and @vrurg.</li>
-<li>Gateway/security/config: owner-only HTTP tools are gated, sandbox skills remain readable in writable sandboxes, legacy agent registry and Codex model metadata migrate safely, and stalled MCP response bodies time out instead of tying up Gateway workers. (#90261)</li>
-<li>Gateway/config: <code>config.patch</code> now preserves explicit array replacement semantics for arrays without merge keys, so replacement patches do not accidentally merge stale entries. (#91551)</li>
-<li>SDK: event pump failures now surface to clients instead of being swallowed behind a quiet iterator shutdown.</li>
-<li>Agents/transcripts: inline image payload redaction now catches data URLs and repaired transcript images before they can leak raw image bytes into stored or exported transcripts. (#91529)</li>
-<li>Plugins/Gateway: legacy flat Control UI descriptors from shipped JavaScript plugins now normalize <code>name</code> and missing surface fields into session descriptors, restoring Kitchen Sink RPC descriptor proof for package-backed plugin validation.</li>
-<li>TUI/chat/Workboard/auto-reply: optimistic user messages stay stable across stale history reloads, runId reassignment, and abort windows instead of disappearing, jumping, or lingering as ghost rows; Workboard stale lifecycle bulk updates no longer overwrite newer status/provenance; message-tool sends now count as delivery. (#86205, #89600, #88592, #90123) Thanks @RomneyDa.</li>
-<li>Cron/update/service env: doctor config preflight now migrates legacy cron JSON stores into SQLite before runtime reads, isolated agent turn payload messages preserve timeout context, service env planning skips unresolved placeholders that would mask state-dir <code>.env</code> values, and session transcript rewrites keep registry markers/discriminants consistent. (#90072, #90208, #91230, #90277, #90488) Thanks @MonkeyLeeT and @sallyom.</li>
-<li>State/storage: Matrix sync and crypto sidecars, memory-wiki import/source-sync state, sandbox registry state, ACPX process state, device-pair notify state, Zalo hosted media, and plugin SDK dedupe state now use SQLite-owned storage instead of ad hoc runtime files. (#91100, #91108, #91056)</li>
-<li>Security/config/tooling: guard MCP HTTP redirects, protect global agent config defaults, and keep release/test/tooling proof failures bounded and explicit. (#89732, #90145)</li>
-<li>Channels: WhatsApp restarts when per-account config changes, bounds background startup waits, closes failed sockets, and preserves reconnect behavior; Mattermost slash commands keep their state on <code>globalThis</code> and default replies stay inside existing Mattermost threads instead of starting new ones; Feishu streaming cards preserve full merged content; iMessage private-API failures and send timeouts explain themselves while split-send coalescing honors balloon metadata; voice-call tracks Twilio streams after connect; ClickClack reply tools respect <code>toolsAllow</code>; Discord runtime adapters stay resolvable; and outbound delivery retries survive budget deferrals. (#87951, #87965, #90486, #68113, #90534, #90181, #90607, #89500, #91041, #90858, #91119, #91241) Thanks @MukundaKatta, @mcaxtr, @infoanton, @mushuiyu886, @sahibzada-allahyar, and @jacobtomlinson.</li>
-<li>Feishu: retry transient send rate-limit errors (HTTP 429, per-chat code 230020, tenant-level code 11232) with linear backoff, including SDK responses that fulfill with rate-limit bodies instead of throwing, and route streaming-card sends through the retry wrapper. (#89659) Thanks @ladygege.</li>
-<li>WhatsApp: captured replies after restart now route through the successor controller instead of the stale pre-restart controller. (#85823)</li>
-<li>Release/CI/E2E: main CI guard drift, PR merge diff scoping, live Docker credential staging, base-image qualification, installer Docker classification, Playwright dependency install recovery, API-key auth for Codex live Docker lanes, Parallels option terminators, and JSON-mode progress handling are tighter so release proof fails cleaner. (#90532, #90287, #90058) Thanks @RomneyDa, @hxy91819, and @mrunalp.</li>
-<li>Release/CI/E2E: installed-package root dist verification now allows the current package's JavaScript file count while keeping dependency, per-file-size, and scan-bound checks active.</li>
-<li>Release/CI/E2E: Chutes OAuth model-discovery proof now accepts standard <code>Headers</code> requests, and QR package install smoke caps Docker CPU requests to the hosted runner capacity so beta validation fails on real package regressions.</li>
-<li>Release/CI/E2E: Docker E2E and live Docker harness runs now apply default memory, CPU, and process ceilings while preserving explicit per-lane overrides.</li>
-<li>Release/CI/E2E: Docker E2E CPU limits now cap to the runner capacity, keeping package Telegram acceptance on hosted 8-vCPU runners focused on package regressions instead of impossible Docker resource requests.</li>
-<li>Release/CI/E2E: task maintenance release checks now reset pinned config around isolated temp state dirs, keeping normal CI focused on the active session-store fixture instead of stale process snapshots.</li>
-<li>Release/CI/E2E: plugin lifecycle matrix resource sampling now fails phases that exceed RSS, wall-clock, or CPU ceilings instead of only logging the measurements.</li>
-<li>Release/CI/E2E: Codex npm plugin live assertions now cap transcript discovery and diagnostic log reads so failure proof stays bounded.</li>
-<li>Release/CI/E2E: browser snapshot, release-scenario, release-user-journey, Telegram desktop/RTT/package, web-search, Parallels update, plugin update, doctor switch, and upgrade-survivor diagnostics now stream or bound log/artifact reads so failed proof stays inspectable without unbounded output.</li>
-<li>Release/CI/E2E: Parallels smoke validation now runs without requiring <code>pnpm</code> on the host, supports already-started Windows/Linux guests without snapshots, reports empty snapshot metadata clearly, and finds portable user-local Node on Windows.</li>
-<li>Release/CI/E2E: ClawHub publish jobs prepare dependencies after checking out the target ref, and Docker store seed package discovery now targets the intended production packages. (#91547)</li>
-<li>Release/CI/E2E: QA Lab capability-flip release validation now marks intentional <code>tools.deny</code> restores as array replacements, so beta validation fails only on real capability regressions.</li>
-<li>Tests/state isolation: QA Lab valid-tool-call metrics now require runtime tool-call evidence when runtime parity data is available instead of counting tool-backed scenario pass status alone.</li>
-<li>Tests/state isolation: QA Lab runtime parity now fails planned-only tool-call rows without matching tool results instead of treating matching mock plans as real tool evidence.</li>
-<li>Tests/state isolation: QA Lab runtime parity now treats matching controlled tool errors as equivalent and falls back to transcript tool results when mock debug rows miss async image-generation starts.</li>
-<li>Tests/state isolation: QA suites now fail closed on skipped summaries, missing runtime tool proof, planned-only rows, loose release limits, missing live/provider artifacts, failed agent reply markers, and package Telegram summary failures.</li>
-<li>Tests/state isolation: provider, media, auth, cron, task, session, sandbox, Gateway, and Codex timeout fixtures now scope more home/state/env data per test, reducing cross-test leakage and making release validation failures less noisy. (#90027, #89974)</li>
-<li>Sessions: the beta SQLite downgrade rescue now skips extra pre-reads for active non-empty JSON session stores, preserving cache race detection while still restoring missing or empty beta session files.</li>
-</ul>
-<p><a href="https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md">View full changelog</a></p>
-]]></description>
-            <enclosure url="https://github.com/openclaw/openclaw/releases/download/v2026.6.5/OpenClaw-2026.6.5.zip" length="55725877" type="application/octet-stream" sparkle:edSignature="EKr7gCfpEVStis9HSADJk1CWYbmH2MHMqSgNfZvLbBFCBWmk3pjBJS6K2qkxkq5lIbTj4H+Lo7Iri6ip/xTGDA=="/>
-        </item>
         <item>
             <title>2026.6.1</title>
             <pubDate>Wed, 03 Jun 2026 21:26:22 +0000</pubDate>
@@ -251,5 +129,116 @@
 ]]></description>
             <enclosure url="https://github.com/openclaw/openclaw/releases/download/v2026.6.1/OpenClaw-2026.6.1.zip" length="55062100" type="application/octet-stream" sparkle:edSignature="PVp8E2HBCvikB/0LCr36lFEyHPAzoFA2ScT6LW27FlzvP+m4r1AEuVN2UrtgWlpkGSsn4Eav0kPJe32u4ObNBw=="/>
         </item>
+        <item>
+            <title>2026.5.28</title>
+            <pubDate>Sat, 30 May 2026 21:21:09 +0000</pubDate>
+            <link>https://raw.githubusercontent.com/openclaw/openclaw/main/appcast.xml</link>
+            <sparkle:version>2026052890</sparkle:version>
+            <sparkle:shortVersionString>2026.5.28</sparkle:shortVersionString>
+            <sparkle:minimumSystemVersion>15.0</sparkle:minimumSystemVersion>
+            <description><![CDATA[<h2>OpenClaw 2026.5.28</h2>
+<h3>Highlights</h3>
+<ul>
+<li>Agent and Codex runtime recovery is steadier: subagents keep cwd/workspace separation, hook context stays prompt-local, session locks release on timeout abort while live OpenClaw locks survive cleanup, stale restart continuations are avoided, and Codex app-server/helper failures no longer tear down shared runtime state. (#87218, #86875, #87409, #87399, #87375, #88129)</li>
+<li>Channel delivery and session identity got safer across outbound plugin hooks, Matrix room ids, iMessage reactions/approvals, Slack final replies, Discord recovered tool warnings, runtime-config message actions, WhatsApp profile auth roots, Telegram polling, and Microsoft Teams service URL trust checks. (#73706, #75670, #87366, #87451, #87334, #84535, #82492, #83304, #87160)</li>
+<li>Mobile and chat surfaces got a broader refresh: the iOS Pro UI, hosted push relay default, realtime Talk tab playback, Gateway chat transport, onboarding, Talk permissions, WebChat reconnect delivery, and session picker behavior now preserve more state across reconnects and empty searches. (#87367, #87531, #87682, #88096, #88105) Thanks @ngutman.</li>
+<li>Browser, channel, and automation inputs are stricter: Browser tool timeouts, viewport/tab indices, Gateway ports, cron retry handling, Discord component ids, schema array refs, Telegram callback pages, and channel progress callbacks now reject malformed values earlier and preserve the intended delivery context. (#82887)</li>
+<li>Provider, media, and document coverage expands with Claude Opus 4.8, Fal Krea image schemas, NVIDIA featured models, MiniMax streaming music responses, encrypted PDF extraction, voice model catalogs, GitHub Copilot agent runtime support, and a Codex Supervisor plugin path for delegated Codex workflows. (#87845, #87890, #80775, #84764, #87751, #87794)</li>
+<li>CLI, auth, doctor, and provider paths fail faster and recover more clearly: malformed numeric/version options are rejected, workspace dotenv provider credentials are ignored, heartbeat defaults, OAuth/token lifetimes, and local service startup requests are bounded, agent auth health labels are clearer, legacy <code>api_key</code> auth profiles migrate to canonical form, and restart guidance is actionable. (#87398, #86281, #87361, #88133, #83655, #87559, #88088, #85924) Thanks @vincentkoc and @giodl73-repo.</li>
+<li>Plugin and Gateway hot paths do less repeated work while preserving cache correctness for install records, config JSON parsing, tool search catalogs, session stores, manifest model rows, auto-enabled plugin config, browser tokens, viewer assets, and release-split external plugin packages. (#86699)</li>
+<li>Release, QA, and E2E validation now bound more log, artifact, harness, and cross-OS waits so failing lanes produce proof instead of hanging or false-greening.</li>
+</ul>
+<h3>Changes</h3>
+<ul>
+<li>Status: show active subagent details in status output.</li>
+<li>Diffs: split the default language pack and expand default Diffs language coverage while keeping the host floor aligned. (#87370, #87372) Thanks @RomneyDa.</li>
+<li>ClawHub: add plugin display names plus skill verification and trust surfaces. (#87354, #86699) Thanks @thewilloftheshadow and @Patrick-Erichsen.</li>
+<li>iOS: refresh the dev app with Pro Command, Chat, Agents, Settings, hosted push relay defaults, and realtime Talk playback wired to gateway sessions, diagnostics, chat, and realtime Talk. (#87367, #88096, #88105) Thanks @Solvely-Colin and @ngutman.</li>
+<li>Docs: clarify Codex computer-use setup, paste-token stdin auth setup, macOS gateway sleep troubleshooting, native Codex hook relay recovery, container model auth, install deployment cards, device-token admin gating, CLI setup flow compatibility, Notte cloud browser CDP setup, and backport targets. (#87313, #63050, #87685) Thanks @bdjben, @liaoandi, and @thewilloftheshadow.</li>
+<li>PDF/tools: use ClawPDF for PDF extraction, support encrypted PDF extraction, and surface MCP structured content in agent tool results. (#87670, #87751)</li>
+<li>Providers: add Claude Opus 4.8 support, Fal Krea image model schemas, NVIDIA featured model catalogs, MiniMax streaming music responses, and provider-backed voice model catalogs. (#87845, #87890, #80775, #84764, #87794) Thanks @eleqtrizit and @vincentkoc.</li>
+<li>Codex/GitHub: add the GitHub Copilot agent runtime and the Codex Supervisor plugin package.</li>
+<li>Plugins: externalize GitHub Copilot and Tokenjuice as official install-on-demand plugins with npm and ClawHub publish metadata.</li>
+<li>Workboard: add agent coordination tools for tracking and handing off active agent work.</li>
+<li>Discord: show commentary in progress drafts so live Discord runs expose useful in-progress context. (#85200)</li>
+<li>Plugin SDK: add a reply payload sending hook for plugins that need to deliver channel-owned replies and flatten package types for SDK declarations. (#82823, #87165) Thanks @RomneyDa.</li>
+<li>Policy: add policy comparison, ingress-channel conformance, and sandbox-posture conformance checks. (#85572, #85744, #86768)</li>
+</ul>
+<h3>Fixes</h3>
+<ul>
+<li>Agents: fall back to local config pruning when the optional <code>agents delete</code> Gateway probe cannot authenticate, so offline installs can still delete agents without removing shared workspaces.</li>
+<li>Tighten phone-control mutation authorization [AI]. (#87150) Thanks @pgondhi987.</li>
+<li>Clarify directive persistence authorization policy [AI]. (#86369) Thanks @pgondhi987.</li>
+<li>Agents/Codex: keep spawned agent cwd/workspace state separated, forward ACP spawn attachments, keep hook context prompt-local, release session locks on timeout abort and runtime teardown without deleting live OpenClaw-owned locks during cleanup, avoid session event queue self-wait, clean up exec abort listeners, stream assistant deltas incrementally, recover raw missing-thread compaction failures, preserve rotated compaction session identity, keep compaction-timeout snapshots continuable, preserve shared app-server state across startup or helper failures, keep native hook relay alive across restarts and prune stale bridge files, close native hook relay replacement races, keep Claude live tool progress visible for watchdog recovery, suppress abandoned requester completion handoff, route workspace memory through tools, resolve Codex runtime models first, report quarantined dynamic tools, format <code>skills</code> command output, bind node auto-review to prepared plans, retry Claude CLI transcript probes, and bound compaction/steering retries. (#87218, #86875, #86123, #88129, #87399, #87375, #72574, #87383, #87400, #83022, #87671, #87738, #87747, #87706, #87546, #87541, #81048) Thanks @mbelinky, @Alix-007, @luoyanglang, @yetval, @sjf, @joshavant, and @benjamin1492.</li>
+<li>Codex Supervisor: keep real-home app-server MCP session listing on the loaded state path, bound stored history scans, and close WebSocket probes cleanly.</li>
+<li>Channels: thread canonical session keys into outbound hooks, preserve Matrix room-id case, keep fallback tool warnings mention-inert, retain delivered Slack final replies during late cleanup, continue iMessage polling after denied reactions, suppress duplicate native exec approvals, resolve Gateway message actions against the active runtime config, preserve Telegram SecretRef prompt config and polling keepalives, preserve WhatsApp profile auth roots, QR display, document filenames, and plugin hook config, suppress Discord recovered tool warnings, preserve the Discord voice outbound helper, cap Discord/Signal/Zalo channel request and container timeouts, and block untrusted Teams service URLs while keeping TeamsSDK patterns aligned. (#73706, #75670, #87366, #87451, #87465, #87334, #84535, #76262, #83304, #82492, #87581, #77114, #86426, #85529, #87160) Thanks @zeroaltitude, @lukeboyett, @xiaotian, @funmerlin, @joshavant, @eleqtrizit, @heyitsaamir, @amittell, @liorb-mountapps, @masatohoshino, @bladin, and @giodl73-repo.</li>
+<li>CLI/auth/doctor/providers: reject malformed numeric/timeout/subcommand-version inputs, ignore workspace dotenv provider credentials, wait for respawn child shutdown, bound heartbeat defaults plus Codex, GitHub Copilot, OpenAI, Anthropic, Google, Feishu, LM Studio, MiniMax, Xiaomi TTS, and local-provider OAuth/token/model requests, harden Codex auth probes, label auth health by agent, preserve explicit agentRuntime pins during Codex model migration, warm provider auth off the main thread, honor Codex response timeouts, stop migrating current Claude Haiku 4.5 profiles to Sonnet, bound local service startup, resolve GPT-5.5 without cached catalog, migrate legacy memory auto-provider config, rewrite non-canonical <code>api_key</code> auth profiles, and make doctor restart follow-ups actionable. (#87398, #86281, #87361, #88133, #83655, #87559, #87719, #88088, #85924, #84362) Thanks @Patrick-Erichsen, @samzong, @giodl73-repo, @alkor2000, @mmaps, @nxmxbbd, and @vincentkoc.</li>
+<li>Gateway/security/session state: expire browser tokens after auth rotation, scope assistant idempotency dedupe, drain probe client closes, avoid stale restart continuation reuse, preserve retry-after fallbacks and stale rate-limit cooldown probes, bound webchat image and artifact transcript scans, include seconds in inbound metadata timestamps, clear completed session active runs, clear stale chat stream buffers, and evict current plugin-state namespaces at row caps. (#87810, #87833, #75089) Thanks @joshavant and @litang9.</li>
+<li>Config/parsing/network: reject partial numeric parsing, parse provider/Discord retry headers and dates strictly, honor IPv6 and bare IPv6 <code>no_proxy</code> entries, preserve empty plugin allowlists, canonicalize secret target array indexes, and reject malformed media content lengths, inspected TCP ports, marketplace content lengths, cron epochs, sandbox stat fields, unsafe duration values, empty config path segments, noncanonical schema array refs, unsafe Telegram callback pages, and invalid Teams attachment-fetch DNS targets. (#87883) Thanks @zhangguiping-xydt.</li>
+<li>Browser/input hardening: reject invalid tab indexes, excessive viewport resizes, explicit zero CDP ports, malformed geolocation options, unsafe screenshot or permission-grant timeouts, loose response-body limits, invalid cookie expiries, and non-finite Browser tool delays/timeouts.</li>
+<li>Cron/automation: retry recurring jobs after transient model rate limits before waiting for the next scheduled slot, and preflight model fallbacks before skipping scheduled work. (#82887)</li>
+<li>Auto-reply/directives: respect provider and relayed channel metadata during directive persistence so channel-originated decisions keep their intended context. (#87683)</li>
+<li>WhatsApp: resolve the auth directory from the active profile so profile-scoped WhatsApp installs do not drift to the wrong credential root. (#82492)</li>
+<li>Gateway/session state: clear completed session active runs, avoid cold-loading providers for MCP inventory, cache single-session child indexes, cap handshake timers, and bound preauth, auth-guard, media, transcript, readiness, and port options.</li>
+<li>Channels/replies: preserve channel-owned progress callbacks when verbose output is off, keep group-room progress suppression intact, prefer external session delivery context, escape Discord component id delimiters, force final TUI chat repaints, show Slack reasoning previews, and normalize Discord/Matrix/Mattermost channel numeric options. (#87476, #87423)</li>
+<li>Agents/tool args: harden smart-quoted argument repair for edit arrays and exact escaped arguments so model-produced tool calls recover without corrupting valid input. (#86611)</li>
+<li>Providers/agents: preserve seeded Anthropic signatures, preserve signed thinking payloads, concatenate signature-delta chunks, preserve DeepSeek <code>reasoning_content</code> replay across tier suffixes, apply OpenRouter strict9 ids to Mistral routes, promote Ollama plain-text tool calls, load NVIDIA featured model catalogs, stream MiniMax music generation responses, and recover empty preflight compaction. (#87593, #87493, #80775, #84764) Thanks @eleqtrizit.</li>
+<li>Media/images: skip CLI image cache refs when resolving generated images, allow trusted generated HTML attachments, and bound generated video downloads so stale refs and slow providers fail cleanly. (#87523, #87982)</li>
+<li>File transfer: handle late tar stdin pipe errors after archive validation or unpacking has already settled.</li>
+<li>Performance: trust install-record caches between reloads, prefer native JSON parsing, reuse unchanged tool-search catalogs, reuse gateway session and plugin metadata paths, skip unchanged store serialization, patch single-entry session writes, add precomputed session patch writers, reduce store clone allocations, cache manifest model catalog rows and auto-enabled plugin config, avoid full session snapshots for entry reads, defer configured Slack full startup, prefer bundled plugin dist entries, and slim current metadata identity caches. (#87760)</li>
+<li>Docker/release/QA: package runtime workspace templates, stream cross-OS served artifacts, preserve sparse Crabbox run artifacts, isolate npm plugin installs per package, reject incompatible package plugin API installs, drop the leftover root Sharp dependency from package manifests after the Rastermill migration, bound OpenClaw instance logs, plugin gauntlet relay logs, MCP channel buffers, kitchen-sink scans, agent-turn assertions, QA-Lab credential broker calls, QA Matrix substrate requests, and release scenario logs, and keep release/google live guards current. (#87647, #87477) Thanks @rohitjavvadi and @vincentkoc.</li>
+<li>Release/CI: bound manual git fetches, ClawHub verifier responses, ClawHub owner metadata, dependency-guard error bodies, Parallels limits, startup/test/memory budget parsing, and diffs viewer build warnings so release lanes fail with useful proof instead of hanging. (#87839)</li>
+</ul>
+<p><a href="https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md">View full changelog</a></p>
+]]></description>
+            <enclosure url="https://github.com/openclaw/openclaw/releases/download/v2026.5.28/OpenClaw-2026.5.28.zip" length="54750142" type="application/octet-stream" sparkle:edSignature="U4O55uMdPU+OqSx9QR1ApUJ8wg65wxTydzD7iyCn1GHtm1MBK9noEeiA/yoUKkqb/bx0hzi1gNhn+ye19RXnCA=="/>
+        </item>
+        <item>
+            <title>2026.5.27</title>
+            <pubDate>Thu, 28 May 2026 12:12:19 +0000</pubDate>
+            <link>https://raw.githubusercontent.com/openclaw/openclaw/main/appcast.xml</link>
+            <sparkle:version>2026052790</sparkle:version>
+            <sparkle:shortVersionString>2026.5.27</sparkle:shortVersionString>
+            <sparkle:minimumSystemVersion>15.0</sparkle:minimumSystemVersion>
+            <description><![CDATA[<h2>OpenClaw 2026.5.27</h2>
+<h3>Highlights</h3>
+<ul>
+<li>Stronger security and content boundaries: group prompt text is kept out of the system prompt, repeated-dot hostnames are normalized, side-effecting command wrappers and unsafe Node runtime env overrides are blocked, no-auth Tailscale exposure is rejected, and node/device-role approvals now require admin authority. (#87144, #87305, #87292, #87308, #87146) Thanks @eleqtrizit and @pgondhi987.</li>
+<li>More reliable Codex app-server runs: Codex runtime models resolve first, workspace memory is routed through tools, shared app-server clients survive startup and spawned-helper failures, native hook relay generations survive restarts and rotate on fresh fallbacks, and false runtime live switches are avoided. (#87383, #87403, #87375, #72574, #87428) Thanks @yetval.</li>
+<li>Faster Gateway and reply paths: session reads, plugin metadata fingerprints, auth env snapshots, auto-enabled plugin config, tool-search catalogs, and stable metadata caches do less hot-path rediscovery while visible replies no longer inherit hidden cleanup timeouts. (#86439, #87044) Thanks @keshavbotagent.</li>
+<li>Better provider and model coverage: OpenAI-compatible embedding providers are core, DeepInfra catalog browsing loads the full credential-aware model set, Pixverse adds video generation and API region selection, VLLM thinking params are wired, Claude CLI OAuth overlays load for PI auth profiles, and bare direct Anthropic model ids work. (#85269, #84549, #87167) Thanks @dutifulbob, @ats3v, and @joshavant.</li>
+<li>Channel delivery is steadier: Telegram <code>sendMessage</code> actions use durable outbound delivery, iMessage suppresses duplicate native exec approval prompts and sends, Slack keeps delivered final replies during late cleanup, Matrix mention previews/finals are stricter, QQBot fallback approval buttons honor slash-command auth, Discord guild requester checks are tighter, recovered Discord tool-warning artifacts stay out of successful replies, and Google Chat stops thread sends in DMs. (#87261, #87154) Thanks @mbelinky and @eleqtrizit.</li>
+<li>Release, package, and CI proof paths are harder to wedge: npm/package inventory honors dist exclusions, shrinkwrap override pins merge correctly, Docker runtime workspace templates are packaged and smoked, release postpublish checks are stricter, beta smoke rejects empty runs, and E2E log/probe waits are bounded.</li>
+</ul>
+<h3>Changes</h3>
+<ul>
+<li>Memory: add a core OpenAI-compatible embedding provider for local and hosted OpenAI-style endpoints, with config, doctor, and docs support. (#85269) Thanks @dutifulbob.</li>
+<li>Plugin SDK: mark memory-specific embedding provider registration as deprecated compatibility and surface non-bundled usage in plugin compatibility diagnostics. (#85072) Thanks @mbelinky.</li>
+<li>Providers: add the Pixverse video generation provider, API region selection, docs, and external plugin packaging support.</li>
+<li>DeepInfra: load the full model catalog when users browse models during onboarding, preserve configured API-key catalogs, refresh media/video defaults, and keep pricing/default model metadata aligned. (#84549) Thanks @ats3v.</li>
+<li>Plugin SDK: expose plugin approval action metadata and stop exporting Vitest test helpers from the public SDK surface. (#87120) Thanks @RomneyDa.</li>
+<li>Channel SDK: move channel message compatibility into core, remove old channel turn runtime aliases, and preserve runtime catalog markdown metadata for plugins.</li>
+<li>ClawHub: add plugin display metadata so catalog/package listings use cleaner names. (#87354) Thanks @thewilloftheshadow.</li>
+<li>Agents: split the heartbeat runtime template out of docs assets and add compatibility repair for legacy heartbeat template content. (#85416) Thanks @hxy91819.</li>
+</ul>
+<h3>Fixes</h3>
+<ul>
+<li>Security/content boundaries: route untrusted group prompt metadata outside system prompts, normalize repeated trailing hostname dots, block side-effecting command wrappers, reject unsafe Node runtime env overrides, reject no-auth Tailscale exposure, block untrusted Microsoft Teams service URLs, enforce <code>/allowlist configWrites</code> origin policy, gate QQBot fallback approval buttons, and require admin for node/device-role approvals. (#87144, #87305, #87292, #87308, #87146, #87154, #87334) Thanks @eleqtrizit and @pgondhi987.</li>
+<li>Codex: resolve Codex runtime models before generic routing, route workspace memory through tools, preserve shared app-server clients after startup and spawned-helper failures, preserve native hook relay generations across restarts and fresh fallbacks, keep raw reasoning/source-reply guards intact, report quarantined dynamic tools, keep the attempt watchdog armed for queued terminal turns, and route Codex OAuth compaction through OpenAI-Codex. (#87383, #87403, #87375, #72574, #87428) Thanks @yetval.</li>
+<li>Agents/runtime: avoid session event queue self-waits, bound compaction wake and steering retries, preserve grace for pending error diagnostics, avoid false Codex runtime live switches, avoid stale restart continuation reuse, preserve session fallback errors, suppress duplicate Claude CLI skill prompts, keep runtime context before active user turns, strip stale Anthropic thinking, quarantine unsupported tool schemas, recover completed write timeouts safely, release retained session write locks on timeout abort, and validate forced plugin harness support before pinning. (#86123, #55424, #86855, #74341, #87278) Thanks @luoyanglang, @cathrynlavery, and @openperf.</li>
+<li>Reply/session delivery: keep visible turn admission unbounded, keep visible fallback delivery on latest targets, preserve bridge hook context, classify direct fallback targets by channel grammar, report approval resolutions in bridge mode, and avoid stale source-reply artifacts. (#87044) Thanks @keshavbotagent.</li>
+<li>Channels: make Telegram <code>sendMessage</code> action replies durable and preserve SecretRef prompt config, suppress duplicate iMessage native exec approval prompts and sends, keep iMessage approval polling alive after denied reactions, keep Slack delivered final replies during late cleanup, keep Matrix mention previews/finals mention-inert and normally delivered, ignore filename-embedded Matrix IDs, suppress recovered Discord tool-warning artifacts from successful replies, suppress Google Chat thread sends in DMs, and harden Discord guild requester checks. (#87261, #87452) Thanks @mbelinky.</li>
+<li>Memory: salvage QMD search JSON after nonzero exits and keep workspace memory routing through the Codex tool path where possible. (#87225, #87383, #87403) Thanks @osolmaz.</li>
+<li>Providers/models: forward cached token usage in OpenAI-compatible chat completions, load Claude CLI OAuth overlays for PI auth profiles, send bare direct Anthropic model ids, wire configured VLLM thinking params, honor OpenAI-compatible cache retention, normalize OpenAI Responses replay tool ids, resolve OpenAI <code>gpt-5.5</code> without a cached catalog, preserve <code>retry-after</code> fallback handling, bound GitHub Copilot auth requests, and load DeepInfra custom/live catalogs consistently. (#82062, #87167, #84549) Thanks @caz0075, @joshavant, and @ats3v.</li>
+<li>Gateway/performance: borrow read-only session metadata and active session working stores, cache current/stable plugin metadata fingerprints, cache auto-enabled plugin config, slim metadata identity caches, trust current metadata lifecycle caches, stabilize isolated cron prompt-cache affinity, persist model auth profile suffixes, drain probe client closes, expire browser tokens after auth rotation, and keep default status fast paths bounded. Thanks @ferminquant.</li>
+<li>CLI/help/config: reject loose or malformed numeric options for gateway timeouts, model limits, directory limits, message options, webhooks, and partial values; respect subcommand version options; route generated/root/plugin help targets correctly; keep skills JSON output flushing naturally; and keep plugin descriptor loading quiet in root help. (#87398) Thanks @Patrick-Erichsen.</li>
+<li>Plugin state/tool search: evict the current namespace when plugin rows hit caps, reuse unchanged tool-search catalogs, align the release catalog reuse wrapper, and keep fallback tool warnings mention-inert.</li>
+<li>Install/package/release: match npm globstar exclusions, honor dist package exclusions in inventory, omit unpacked test helpers, skip Homebrew until macOS packages need it, package Docker runtime workspace templates, smoke Docker runtime templates during full validation, merge nested shrinkwrap override pins, preserve forked shrinkwrap pins, pin aged <code>lru-cache</code>, harden postpublish verification, accept main full-validation proof, and reject empty beta smoke runs.</li>
+<li>E2E/QA/Crabbox: bound Telegram, Open WebUI, ClawHub, Matrix, Tool Search, MCP, gateway network, bundled runtime, kitchen-sink, codex media, config reload, and agent-turn assertion waits; prefer Azure for Windows targets; reinitialize invalid changed-gate git dirs; full-sync sparse container runs; and fail empty explicit test requests. (#87186)</li>
+</ul>
+<p><a href="https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md">View full changelog</a></p>
+]]></description>
+            <enclosure url="https://github.com/openclaw/openclaw/releases/download/v2026.5.27/OpenClaw-2026.5.27.zip" length="54488811" type="application/octet-stream" sparkle:edSignature="c5w2T1UO6vpPs70hyYH93cIyWEOd5sl5z2NkhU53E+XQBSd+jAr+xd0qf3KzWbeX2mfXYMQmnx+VMls3L22EDg=="/>
+        </item>
     </channel>
 </rss>

apps/android/Config/Version.properties

@@ -1,6 +0,0 @@
-# Shared Android version defaults.
-# Source of truth: apps/android/version.json
-# Generated by scripts/android-sync-versioning.ts.
-
-OPENCLAW_ANDROID_VERSION_NAME=2026.6.2
-OPENCLAW_ANDROID_VERSION_CODE=2026060201

apps/android/README.md

@@ -32,7 +32,7 @@ cd apps/android
 ./gradlew :app:installPlayDebug
 ./gradlew :app:testPlayDebugUnitTest
 cd ../..
-pnpm android:release:archive
+bun run android:bundle:release
 ```
 
 Third-party debug flavor:
@@ -44,29 +44,10 @@ cd apps/android
 ./gradlew :app:testThirdPartyDebugUnitTest
 ```
 
-Android release archives use the pinned version in `apps/android/version.json`. Update it with:
+`bun run android:bundle:release` auto-bumps Android `versionName`/`versionCode` in `apps/android/app/build.gradle.kts`, then builds two signed release bundles:
 
-```bash
-pnpm android:version
-pnpm android:version:check
-pnpm android:version:pin -- --from-gateway
-pnpm android:version:pin -- --version 2026.6.5 --version-code 2026060501
-```
-
-Generate raw Google Play screenshots:
-
-```bash
-pnpm android:screenshots
-```
-
-`pnpm android:release:archive` builds signed release artifacts into `apps/android/build/release-artifacts/` and writes `.sha256` checksum files:
-
-- Play build: `openclaw-<version>-play-release.aab`
-- Third-party build: `openclaw-<version>-third-party-release.apk`
-
-`pnpm android:bundle:release` is an alias for the same archive helper.
-
-See `apps/android/VERSIONING.md` and `apps/android/fastlane/SETUP.md` for the release workflow.
+- Play build: `apps/android/build/release-bundles/openclaw-<version>-play-release.aab`
+- Third-party build: `apps/android/build/release-bundles/openclaw-<version>-third-party-release.aab`
 
 Flavor-specific direct Gradle tasks:
 

apps/android/VERSIONING.md

@@ -1,38 +0,0 @@
-# OpenClaw Android Versioning
-
-Android release builds use pinned app metadata instead of auto-bumping `build.gradle.kts`.
-
-## Version model
-
-- `apps/android/version.json` is the source of truth.
-- `version` is the Play `versionName` and uses CalVer: `YYYY.M.D`.
-- `versionCode` uses `YYYYMMDDNN`, where `NN` is a two-digit build number for that pinned app version.
-- `apps/android/Config/Version.properties` is generated from `version.json` and read by Gradle.
-
-Examples:
-
-- `version = 2026.6.2`
-- `versionCode = 2026060201`
-- another upload on the same release train: `versionCode = 2026060202`
-
-## Commands
-
-```bash
-pnpm android:version
-pnpm android:version:check
-pnpm android:version:sync
-pnpm android:version:pin -- --from-gateway
-pnpm android:version:pin -- --version 2026.6.5 --version-code 2026060501
-```
-
-## Release Workflow
-
-1. Pin Android to the intended release version.
-2. Run `pnpm android:version:sync`.
-3. Update `apps/android/fastlane/metadata/android/en-US/release_notes.txt`.
-4. Run `pnpm android:screenshots` to refresh raw Google Play screenshots.
-5. Run `pnpm android:release:archive` to produce the signed Play AAB and third-party APK.
-6. Run `pnpm android:release:upload` to upload metadata, screenshots, and the Play AAB to Google Play internal testing.
-7. Promote to production manually in Google Play Console.
-
-The third-party flavor is archived as a signed APK for non-Play distribution. It is not uploaded by the Play release lane.

apps/android/app/build.gradle.kts

@@ -1,24 +1,6 @@
 import com.android.build.api.variant.impl.VariantOutputImpl
-import java.util.Properties
 
 val dnsjavaInetAddressResolverService = "META-INF/services/java.net.spi.InetAddressResolverProvider"
-val openClawAndroidVersionFile = rootProject.file("Config/Version.properties")
-val openClawAndroidVersionProperties =
-  Properties().apply {
-    if (!openClawAndroidVersionFile.isFile) {
-      error("Missing Android version properties. Run `pnpm android:version:sync`.")
-    }
-    openClawAndroidVersionFile.inputStream().use(::load)
-  }
-
-fun requireOpenClawAndroidVersionProperty(name: String): String =
-  openClawAndroidVersionProperties.getProperty(name)?.trim()?.takeIf { it.isNotEmpty() }
-    ?: error("Missing $name in Config/Version.properties. Run `pnpm android:version:sync`.")
-
-val openClawAndroidVersionName = requireOpenClawAndroidVersionProperty("OPENCLAW_ANDROID_VERSION_NAME")
-val openClawAndroidVersionCode =
-  requireOpenClawAndroidVersionProperty("OPENCLAW_ANDROID_VERSION_CODE").toIntOrNull()
-    ?: error("OPENCLAW_ANDROID_VERSION_CODE must be an integer in Config/Version.properties.")
 
 val androidStoreFile = providers.gradleProperty("OPENCLAW_ANDROID_STORE_FILE").orNull?.takeIf { it.isNotBlank() }
 val androidStorePassword = providers.gradleProperty("OPENCLAW_ANDROID_STORE_PASSWORD").orNull?.takeIf { it.isNotBlank() }
@@ -59,7 +41,7 @@ plugins {
 
 android {
   namespace = "ai.openclaw.app"
-  compileSdk = 37
+  compileSdk = 36
 
   // Release signing is local-only; keep the keystore path and passwords out of the repo.
   signingConfigs {
@@ -83,8 +65,8 @@ android {
     applicationId = "ai.openclaw.app"
     minSdk = 31
     targetSdk = 36
-    versionCode = openClawAndroidVersionCode
-    versionName = openClawAndroidVersionName
+    versionCode = 2026060201
+    versionName = "2026.6.2"
     ndk {
       // Support all major ABIs — native libs are tiny (~47 KB per ABI)
       abiFilters += listOf("armeabi-v7a", "arm64-v8a", "x86", "x86_64")

apps/android/app/src/main/AndroidManifest.xml

@@ -1,9 +1,8 @@
 <manifest xmlns:android="http://schemas.android.com/apk/res/android">
     <uses-permission android:name="android.permission.INTERNET" />
     <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
-    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
     <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
-    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_CONNECTED_DEVICE" />
+    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_DATA_SYNC" />
     <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MICROPHONE" />
     <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
     <uses-permission
@@ -51,7 +50,7 @@
         <service
             android:name=".NodeForegroundService"
             android:exported="false"
-            android:foregroundServiceType="connectedDevice|microphone" />
+            android:foregroundServiceType="dataSync|microphone" />
         <service
             android:name=".node.DeviceNotificationListenerService"
             android:label="@string/app_name"

apps/android/app/src/main/java/ai/openclaw/app/AndroidScreenshotMode.kt

@@ -1,28 +0,0 @@
-package ai.openclaw.app
-
-import android.content.Intent
-
-const val extraAndroidScreenshotMode = "openclaw.screenshotMode"
-const val extraAndroidScreenshotScene = "openclaw.screenshotScene"
-
-enum class AndroidScreenshotScene(
-  val rawValue: String,
-) {
-  Connect("connect"),
-  Chat("chat"),
-  Voice("voice"),
-  Screen("screen"),
-  Settings("settings"),
-  ;
-
-  companion object {
-    fun fromRawValue(raw: String?): AndroidScreenshotScene = entries.firstOrNull { it.rawValue == raw?.trim()?.lowercase() } ?: Connect
-  }
-}
-
-fun parseAndroidScreenshotModeIntent(intent: Intent?): AndroidScreenshotScene? {
-  if (intent?.getBooleanExtra(extraAndroidScreenshotMode, false) != true) {
-    return null
-  }
-  return AndroidScreenshotScene.fromRawValue(intent.getStringExtra(extraAndroidScreenshotScene))
-}

apps/android/app/src/main/java/ai/openclaw/app/AppearanceThemeMode.kt

@@ -1,25 +0,0 @@
-package ai.openclaw.app
-
-/** User-selectable app theme mode for Android appearance settings. */
-enum class AppearanceThemeMode(
-  val rawValue: String,
-  val displayLabel: String,
-) {
-  System(rawValue = "system", displayLabel = "System"),
-  Dark(rawValue = "dark", displayLabel = "Dark"),
-  Light(rawValue = "light", displayLabel = "Light"),
-  ;
-
-  fun isDark(systemDark: Boolean): Boolean =
-    when (this) {
-      System -> systemDark
-      Dark -> true
-      Light -> false
-    }
-
-  companion object {
-    fun fromRawValue(value: String?): AppearanceThemeMode = entries.firstOrNull { it.rawValue == value?.trim()?.lowercase() } ?: Dark
-
-    fun fromDisplayLabel(label: String): AppearanceThemeMode = entries.firstOrNull { it.displayLabel.equals(label.trim(), ignoreCase = true) } ?: Dark
-  }
-}

apps/android/app/src/main/java/ai/openclaw/app/MainActivity.kt

@@ -1,38 +1,19 @@
 package ai.openclaw.app
 
-import ai.openclaw.app.ui.AndroidScreenshotModeScreen
 import ai.openclaw.app.ui.OpenClawTheme
 import ai.openclaw.app.ui.RootScreen
-import android.content.Intent
 import android.os.Bundle
 import android.view.WindowManager
 import androidx.activity.ComponentActivity
 import androidx.activity.compose.setContent
 import androidx.activity.viewModels
-import androidx.compose.foundation.layout.Box
-import androidx.compose.foundation.layout.fillMaxSize
 import androidx.compose.material3.Surface
-import androidx.compose.material3.Text
-import androidx.compose.runtime.Composable
-import androidx.compose.runtime.LaunchedEffect
-import androidx.compose.runtime.collectAsState
-import androidx.compose.runtime.getValue
-import androidx.compose.runtime.mutableStateOf
-import androidx.compose.runtime.remember
-import androidx.compose.runtime.setValue
-import androidx.compose.runtime.withFrameNanos
-import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
-import androidx.compose.ui.graphics.Color
-import androidx.compose.ui.text.font.FontWeight
-import androidx.compose.ui.unit.sp
 import androidx.core.view.WindowCompat
 import androidx.lifecycle.Lifecycle
 import androidx.lifecycle.lifecycleScope
 import androidx.lifecycle.repeatOnLifecycle
-import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.launch
-import kotlinx.coroutines.withContext
 
 /**
  * Main Android activity that owns Compose UI attachment and runtime UI wiring.
@@ -40,101 +21,18 @@ import kotlinx.coroutines.withContext
 class MainActivity : ComponentActivity() {
   private val viewModel: MainViewModel by viewModels()
   private lateinit var permissionRequester: PermissionRequester
-  private var initializedViewModel: MainViewModel? = null
   private var didAttachRuntimeUi = false
   private var didStartNodeService = false
-  private var didStartViewModelCollectors = false
-  private var foreground = false
-  private var pendingIntent: Intent? = null
 
   override fun onCreate(savedInstanceState: Bundle?) {
     super.onCreate(savedInstanceState)
-    pendingIntent = intent
+    handleAssistantIntent(intent)
     WindowCompat.setDecorFitsSystemWindows(window, false)
     permissionRequester = PermissionRequester(this)
-    if (BuildConfig.DEBUG) {
-      parseAndroidScreenshotModeIntent(intent)?.let { scene ->
-        enterScreenshotMode(scene)
-        return
-      }
-    }
-
-    setContent {
-      var activeViewModel by remember { mutableStateOf<MainViewModel?>(null) }
-
-      LaunchedEffect(Unit) {
-        withFrameNanos { }
-        withContext(Dispatchers.Default) {
-          (application as NodeApp).prefs
-        }
-        val readyViewModel = viewModel
-        activateViewModel(readyViewModel)
-        activeViewModel = readyViewModel
-      }
-
-      val currentViewModel = activeViewModel
-      if (currentViewModel == null) {
-        OpenClawTheme {
-          StartupSurface()
-        }
-      } else {
-        val appearanceThemeMode by currentViewModel.appearanceThemeMode.collectAsState()
-        OpenClawTheme(themeMode = appearanceThemeMode) {
-          RootScreen(viewModel = currentViewModel)
-        }
-      }
-    }
-  }
-
-  private fun enterScreenshotMode(scene: AndroidScreenshotScene) {
-    setContent {
-      AndroidScreenshotModeScreen(scene = scene)
-    }
-  }
-
-  override fun onStart() {
-    super.onStart()
-    foreground = true
-    initializedViewModel?.setForeground(true)
-  }
-
-  override fun onStop() {
-    foreground = false
-    initializedViewModel?.setForeground(false)
-    super.onStop()
-  }
-
-  override fun onNewIntent(intent: android.content.Intent) {
-    super.onNewIntent(intent)
-    setIntent(intent)
-    pendingIntent = intent
-    initializedViewModel?.let { handleAssistantIntent(viewModel = it, intent = intent) }
-  }
-
-  /**
-   * Wires MainViewModel only after Activity first draw and background prefs warm-up.
-   */
-  private fun activateViewModel(readyViewModel: MainViewModel) {
-    if (initializedViewModel != null) return
-    initializedViewModel = readyViewModel
-    readyViewModel.setForeground(foreground)
-    startViewModelCollectors(readyViewModel)
-    pendingIntent?.let { initialIntent ->
-      handleAssistantIntent(viewModel = readyViewModel, intent = initialIntent)
-      pendingIntent = null
-    }
-  }
-
-  /**
-   * Starts lifecycle collectors after ViewModel construction so they cannot force early startup.
-   */
-  private fun startViewModelCollectors(readyViewModel: MainViewModel) {
-    if (didStartViewModelCollectors) return
-    didStartViewModelCollectors = true
 
     lifecycleScope.launch {
       repeatOnLifecycle(Lifecycle.State.STARTED) {
-        readyViewModel.preventSleep.collect { enabled ->
+        viewModel.preventSleep.collect { enabled ->
           if (enabled) {
             window.addFlags(WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON)
           } else {
@@ -146,10 +44,10 @@ class MainActivity : ComponentActivity() {
 
     lifecycleScope.launch {
       repeatOnLifecycle(Lifecycle.State.STARTED) {
-        readyViewModel.runtimeInitialized.collect { ready ->
+        viewModel.runtimeInitialized.collect { ready ->
           if (!ready || didAttachRuntimeUi) return@collect
           // Runtime UI helpers need an Activity owner, so attach once after NodeRuntime is ready.
-          readyViewModel.attachRuntimeUi(owner = this@MainActivity, permissionRequester = permissionRequester)
+          viewModel.attachRuntimeUi(owner = this@MainActivity, permissionRequester = permissionRequester)
           didAttachRuntimeUi = true
           if (!didStartNodeService) {
             NodeForegroundService.start(this@MainActivity)
@@ -158,15 +56,36 @@ class MainActivity : ComponentActivity() {
         }
       }
     }
+
+    setContent {
+      OpenClawTheme {
+        Surface(modifier = Modifier) {
+          RootScreen(viewModel = viewModel)
+        }
+      }
+    }
+  }
+
+  override fun onStart() {
+    super.onStart()
+    viewModel.setForeground(true)
+  }
+
+  override fun onStop() {
+    viewModel.setForeground(false)
+    super.onStop()
+  }
+
+  override fun onNewIntent(intent: android.content.Intent) {
+    super.onNewIntent(intent)
+    setIntent(intent)
+    handleAssistantIntent(intent)
   }
 
   /**
    * Routes assistant/app-action intents into ViewModel state without recreating the activity.
    */
-  private fun handleAssistantIntent(
-    viewModel: MainViewModel,
-    intent: Intent?,
-  ) {
+  private fun handleAssistantIntent(intent: android.content.Intent?) {
     parseHomeDestinationIntent(intent)?.let { destination ->
       viewModel.requestHomeDestination(destination)
       return
@@ -175,23 +94,3 @@ class MainActivity : ComponentActivity() {
     viewModel.handleAssistantLaunch(request)
   }
 }
-
-@Composable
-private fun StartupSurface() {
-  Surface(
-    modifier = Modifier.fillMaxSize(),
-    color = Color.Black,
-    contentColor = Color.White,
-  ) {
-    Box(
-      modifier = Modifier.fillMaxSize(),
-      contentAlignment = Alignment.Center,
-    ) {
-      Text(
-        text = "OPENCLAW",
-        fontSize = 22.sp,
-        fontWeight = FontWeight.Medium,
-      )
-    }
-  }
-}

apps/android/app/src/main/java/ai/openclaw/app/MainViewModel.kt

@@ -4,8 +4,6 @@ import ai.openclaw.app.chat.ChatMessage
 import ai.openclaw.app.chat.ChatPendingToolCall
 import ai.openclaw.app.chat.ChatSessionEntry
 import ai.openclaw.app.chat.OutgoingAttachment
-import ai.openclaw.app.gateway.DeviceAuthStore
-import ai.openclaw.app.gateway.DeviceIdentityStore
 import ai.openclaw.app.gateway.GatewayEndpoint
 import ai.openclaw.app.gateway.GatewayUpdateAvailableSummary
 import ai.openclaw.app.node.CameraCaptureManager
@@ -16,7 +14,6 @@ import android.app.Application
 import androidx.lifecycle.AndroidViewModel
 import androidx.lifecycle.LifecycleOwner
 import androidx.lifecycle.viewModelScope
-import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.ExperimentalCoroutinesApi
 import kotlinx.coroutines.flow.MutableStateFlow
 import kotlinx.coroutines.flow.SharingStarted
@@ -24,7 +21,6 @@ import kotlinx.coroutines.flow.StateFlow
 import kotlinx.coroutines.flow.flatMapLatest
 import kotlinx.coroutines.flow.flowOf
 import kotlinx.coroutines.flow.stateIn
-import kotlinx.coroutines.launch
 
 /**
  * UI-facing bridge that exposes NodeRuntime and preference state as Compose-friendly StateFlows.
@@ -36,11 +32,7 @@ class MainViewModel(
   private val nodeApp = app as NodeApp
   private val prefs = nodeApp.prefs
   private val runtimeRef = MutableStateFlow<NodeRuntime?>(null)
-
-  @Volatile private var foreground = false
-
-  @Volatile private var runtimeStartupQueued = false
-
+  private var foreground = true
   private val _requestedHomeDestination = MutableStateFlow<HomeDestination?>(null)
   val requestedHomeDestination: StateFlow<HomeDestination?> = _requestedHomeDestination
   private val _startOnboardingAtGatewaySetup = MutableStateFlow(false)
@@ -61,19 +53,6 @@ class MainViewModel(
     return runtime
   }
 
-  /**
-   * Starts the node runtime off the main thread so fresh installs can render
-   * the shell before encrypted prefs, device identity, and gateway setup warm up.
-   */
-  private fun queueRuntimeStartup() {
-    if (runtimeRef.value != null || runtimeStartupQueued) return
-    runtimeStartupQueued = true
-    viewModelScope.launch(Dispatchers.Default) {
-      runCatching { ensureRuntime() }
-      runtimeStartupQueued = false
-    }
-  }
-
   /**
    * Adapts a runtime StateFlow to a stable ViewModel StateFlow before runtime startup.
    */
@@ -111,10 +90,7 @@ class MainViewModel(
 
   val isConnected: StateFlow<Boolean> = runtimeState(initial = false) { it.isConnected }
   val isNodeConnected: StateFlow<Boolean> = runtimeState(initial = false) { it.nodeConnected }
-  val nodeCapabilityApprovalState: StateFlow<GatewayNodeApprovalState> =
-    runtimeState(initial = GatewayNodeApprovalState.Loading) { it.nodeCapabilityApprovalState }
   val statusText: StateFlow<String> = runtimeState(initial = "Offline") { it.statusText }
-  val gatewayConnectionProblem: StateFlow<GatewayConnectionProblem?> = runtimeState(initial = null) { it.gatewayConnectionProblem }
   val serverName: StateFlow<String?> = runtimeState(initial = null) { it.serverName }
   val remoteAddress: StateFlow<String?> = runtimeState(initial = null) { it.remoteAddress }
   val gatewayVersion: StateFlow<String?> = runtimeState(initial = null) { it.gatewayVersion }
@@ -174,7 +150,6 @@ class MainViewModel(
   val canvasDebugStatusEnabled: StateFlow<Boolean> = prefs.canvasDebugStatusEnabled
   val installedAppsSharingEnabled: StateFlow<Boolean> = prefs.installedAppsSharingEnabled
   val speakerEnabled: StateFlow<Boolean> = prefs.speakerEnabled
-  val appearanceThemeMode: StateFlow<AppearanceThemeMode> = prefs.appearanceThemeMode
   val voiceCaptureMode: StateFlow<VoiceCaptureMode> = runtimeState(initial = VoiceCaptureMode.Off) { it.voiceCaptureMode }
   val micEnabled: StateFlow<Boolean> = runtimeState(initial = false) { it.micEnabled }
 
@@ -205,6 +180,12 @@ class MainViewModel(
   val chatSessions: StateFlow<List<ChatSessionEntry>> = runtimeState(initial = emptyList()) { it.chatSessions }
   val pendingRunCount: StateFlow<Int> = runtimeState(initial = 0) { it.pendingRunCount }
 
+  init {
+    if (prefs.onboardingCompleted.value) {
+      ensureRuntime()
+    }
+  }
+
   val canvas: CanvasController
     get() = ensureRuntime().canvas
 
@@ -232,10 +213,13 @@ class MainViewModel(
    */
   fun setForeground(value: Boolean) {
     foreground = value
-    if (value && prefs.onboardingCompleted.value) {
-      queueRuntimeStartup()
-    }
-    runtimeRef.value?.setForeground(value)
+    val runtime =
+      if (value && prefs.onboardingCompleted.value) {
+        ensureRuntime()
+      } else {
+        runtimeRef.value
+      }
+    runtime?.setForeground(value)
   }
 
   fun setDisplayName(value: String) {
@@ -286,51 +270,9 @@ class MainViewModel(
     prefs.setGatewayPassword(value)
   }
 
-  /** Clears setup credentials without starting the runtime just to discard first-run pairing auth. */
-  private fun resetGatewaySetupAuth() {
-    runtimeRef.value?.resetGatewaySetupAuth() ?: resetGatewaySetupAuthWithoutRuntime()
-  }
-
-  private fun resetGatewaySetupAuthWithoutRuntime() {
-    prefs.clearGatewaySetupAuth()
-    val deviceId = DeviceIdentityStore(nodeApp).loadOrCreate().deviceId
-    val deviceAuthStore = DeviceAuthStore(prefs)
-    deviceAuthStore.clearToken(deviceId, "node")
-    deviceAuthStore.clearToken(deviceId, "operator")
-  }
-
-  fun saveGatewayConfigAndConnect(
-    host: String,
-    port: Int,
-    tls: Boolean,
-    token: String,
-    bootstrapToken: String,
-    password: String,
-    resetSetupAuth: Boolean,
-  ) {
-    // Gateway pairing touches encrypted prefs, identity files, and sockets; keep
-    // the whole sequence off the Compose thread so retries cannot trigger ANRs.
-    viewModelScope.launch(Dispatchers.Default) {
-      if (resetSetupAuth) {
-        resetGatewaySetupAuth()
-      }
-      prefs.setManualEnabled(true)
-      prefs.setManualHost(host)
-      prefs.setManualPort(port)
-      prefs.setManualTls(tls)
-      prefs.setGatewayBootstrapToken(bootstrapToken)
-      prefs.setGatewayToken(token)
-      prefs.setGatewayPassword(password)
-      ensureRuntime()
-        .connect(
-          GatewayEndpoint.manual(host = host, port = port),
-          NodeRuntime.GatewayConnectAuth(
-            token = token.ifEmpty { null },
-            bootstrapToken = bootstrapToken.ifEmpty { null },
-            password = password.ifEmpty { null },
-          ),
-        )
-    }
+  /** Clears setup credentials through the runtime so active gateway sessions drop stale auth state. */
+  fun resetGatewaySetupAuth() {
+    ensureRuntime().resetGatewaySetupAuth()
   }
 
   /** Marks onboarding complete and starts the runtime before UI observes connected-state flows. */
@@ -343,12 +285,10 @@ class MainViewModel(
 
   /** Re-enters gateway setup after disconnecting and clearing one-time setup credentials. */
   fun pairNewGateway() {
-    viewModelScope.launch(Dispatchers.Default) {
-      runtimeRef.value?.disconnect()
-      resetGatewaySetupAuth()
-      prefs.setOnboardingCompleted(false)
-      _startOnboardingAtGatewaySetup.value = true
-    }
+    runtimeRef.value?.disconnect()
+    resetGatewaySetupAuth()
+    _startOnboardingAtGatewaySetup.value = true
+    prefs.setOnboardingCompleted(false)
   }
 
   /** Acknowledges the one-shot request that opens onboarding at the gateway setup step. */
@@ -443,30 +383,14 @@ class MainViewModel(
     ensureRuntime().setSpeakerEnabled(enabled)
   }
 
-  fun setAppearanceThemeMode(mode: AppearanceThemeMode) {
-    prefs.setAppearanceThemeMode(mode)
-  }
-
   fun refreshGatewayConnection() {
-    viewModelScope.launch(Dispatchers.Default) {
-      ensureRuntime().refreshGatewayConnection()
-    }
-  }
-
-  fun startGatewayDiscovery() {
-    queueRuntimeStartup()
+    ensureRuntime().refreshGatewayConnection()
   }
 
   fun connect(endpoint: GatewayEndpoint) {
     ensureRuntime().connect(endpoint)
   }
 
-  fun connectInBackground(endpoint: GatewayEndpoint) {
-    viewModelScope.launch(Dispatchers.Default) {
-      ensureRuntime().connect(endpoint)
-    }
-  }
-
   fun connect(
     endpoint: GatewayEndpoint,
     token: String?,

apps/android/app/src/main/java/ai/openclaw/app/NodeForegroundService.kt

@@ -23,6 +23,7 @@ import kotlinx.coroutines.launch
 class NodeForegroundService : Service() {
   private val scope: CoroutineScope = CoroutineScope(SupervisorJob() + Dispatchers.Main)
   private var notificationJob: Job? = null
+  private var didStartForeground = false
   private var voiceCaptureMode = VoiceCaptureMode.Off
 
   override fun onCreate() {
@@ -182,7 +183,13 @@ class NodeForegroundService : Service() {
 
   private fun startForegroundWithTypes(notification: Notification) {
     val serviceTypes = foregroundServiceTypesForVoiceMode(voiceCaptureMode)
+    if (didStartForeground) {
+      // Re-issue startForeground when Talk mode toggles so Android sees the microphone service type.
+      ServiceCompat.startForeground(this, NOTIFICATION_ID, notification, serviceTypes)
+      return
+    }
     ServiceCompat.startForeground(this, NOTIFICATION_ID, notification, serviceTypes)
+    didStartForeground = true
   }
 
   companion object {
@@ -193,16 +200,19 @@ class NodeForegroundService : Service() {
     private const val ACTION_SET_VOICE_CAPTURE_MODE = "ai.openclaw.app.action.SET_VOICE_CAPTURE_MODE"
     private const val EXTRA_VOICE_CAPTURE_MODE = "ai.openclaw.app.extra.VOICE_CAPTURE_MODE"
 
+    /** Starts the persistent node foreground service from UI lifecycle code. */
     fun start(context: Context) {
       val intent = Intent(context, NodeForegroundService::class.java)
       context.startForegroundService(intent)
     }
 
+    /** Requests disconnect through the service action path so notification actions and UI share behavior. */
     fun stop(context: Context) {
       val intent = Intent(context, NodeForegroundService::class.java).setAction(ACTION_STOP)
       context.startService(intent)
     }
 
+    /** Updates Android's foreground-service type before voice capture mode changes require microphone access. */
     fun setVoiceCaptureMode(
       context: Context,
       mode: VoiceCaptureMode,
@@ -221,8 +231,11 @@ class NodeForegroundService : Service() {
   }
 }
 
+/**
+ * Foreground-service type mask required by Android for the current voice capture mode.
+ */
 internal fun foregroundServiceTypesForVoiceMode(mode: VoiceCaptureMode): Int {
-  val base = ServiceInfo.FOREGROUND_SERVICE_TYPE_CONNECTED_DEVICE
+  val base = ServiceInfo.FOREGROUND_SERVICE_TYPE_DATA_SYNC
   return if (mode == VoiceCaptureMode.TalkMode) {
     base or ServiceInfo.FOREGROUND_SERVICE_TYPE_MICROPHONE
   } else {
@@ -230,6 +243,9 @@ internal fun foregroundServiceTypesForVoiceMode(mode: VoiceCaptureMode): Int {
   }
 }
 
+/**
+ * Compact notification suffix for voice state; kept pure for service-notification tests.
+ */
 internal fun voiceNotificationSuffix(
   mode: VoiceCaptureMode,
   manualMicEnabled: Boolean,

apps/android/app/src/main/java/ai/openclaw/app/NodeRuntime.kt

@@ -69,7 +69,6 @@ import kotlinx.coroutines.withTimeout
 import kotlinx.serialization.Serializable
 import kotlinx.serialization.json.Json
 import kotlinx.serialization.json.JsonArray
-import kotlinx.serialization.json.JsonElement
 import kotlinx.serialization.json.JsonObject
 import kotlinx.serialization.json.JsonPrimitive
 import kotlinx.serialization.json.buildJsonObject
@@ -79,25 +78,6 @@ import java.util.concurrent.atomic.AtomicLong
 /**
  * Process runtime that owns gateway sessions, node command handlers, capture managers, and UI-facing state.
  */
-data class GatewayConnectionProblem(
-  val code: String?,
-  val message: String,
-  val reason: String?,
-  val requestId: String?,
-  val recommendedNextStep: String?,
-  val pauseReconnect: Boolean,
-  val retryable: Boolean,
-) {
-  val isPairingRequired: Boolean = code == "PAIRING_REQUIRED"
-  val canAutoRetry: Boolean =
-    isPairingRequired &&
-      (
-        retryable ||
-          !pauseReconnect ||
-          recommendedNextStep == "wait_then_retry"
-      )
-}
-
 class NodeRuntime(
   context: Context,
   val prefs: SecurePrefs = SecurePrefs(context.applicationContext),
@@ -302,13 +282,9 @@ class NodeRuntime(
   val isConnected: StateFlow<Boolean> = _isConnected.asStateFlow()
   private val _nodeConnected = MutableStateFlow(false)
   val nodeConnected: StateFlow<Boolean> = _nodeConnected.asStateFlow()
-  private val _nodeCapabilityApprovalState = MutableStateFlow(GatewayNodeApprovalState.Loading)
-  val nodeCapabilityApprovalState: StateFlow<GatewayNodeApprovalState> = _nodeCapabilityApprovalState.asStateFlow()
 
   private val _statusText = MutableStateFlow("Offline")
   val statusText: StateFlow<String> = _statusText.asStateFlow()
-  private val _gatewayConnectionProblem = MutableStateFlow<GatewayConnectionProblem?>(null)
-  val gatewayConnectionProblem: StateFlow<GatewayConnectionProblem?> = _gatewayConnectionProblem.asStateFlow()
 
   private val _pendingGatewayTrust = MutableStateFlow<GatewayTrustPrompt?>(null)
   val pendingGatewayTrust: StateFlow<GatewayTrustPrompt?> = _pendingGatewayTrust.asStateFlow()
@@ -398,7 +374,6 @@ class NodeRuntime(
   val nodesDevicesRefreshing: StateFlow<Boolean> = _nodesDevicesRefreshing.asStateFlow()
   private val _nodesDevicesErrorText = MutableStateFlow<String?>(null)
   val nodesDevicesErrorText: StateFlow<String?> = _nodesDevicesErrorText.asStateFlow()
-  private val nodeApprovalRefreshGuard = GatewayNodeApprovalRefreshGuard()
   private val _channelsSummary = MutableStateFlow(GatewayChannelsSummary(channels = emptyList()))
   val channelsSummary: StateFlow<GatewayChannelsSummary> = _channelsSummary.asStateFlow()
   private val _channelsRefreshing = MutableStateFlow(false)
@@ -435,7 +410,6 @@ class NodeRuntime(
       identityStore = identityStore,
       deviceAuthStore = deviceAuthStore,
       onConnected = { hello ->
-        _gatewayConnectionProblem.value = null
         operatorConnected = true
         operatorStatusText = "Connected"
         _serverName.value = hello.serverName
@@ -447,7 +421,6 @@ class NodeRuntime(
         updateStatus()
         micCapture.onGatewayConnectionChanged(true)
         scope.launch {
-          subscribeOperatorSessionEvents()
           refreshHomeCanvasOverviewIfConnected()
           if (voiceReplySpeakerLazy.isInitialized()) {
             voiceReplySpeaker.refreshConfig()
@@ -456,7 +429,6 @@ class NodeRuntime(
       },
       onDisconnected = { message ->
         operatorConnected = false
-        invalidateNodeCapabilityApprovalState()
         operatorStatusText = message
         _serverName.value = null
         _remoteAddress.value = null
@@ -485,27 +457,17 @@ class NodeRuntime(
         updateStatus()
         micCapture.onGatewayConnectionChanged(false)
       },
-      onConnectFailure = ::handleGatewayConnectFailure,
       onEvent = { event, payloadJson ->
         handleGatewayEvent(event, payloadJson)
       },
     )
 
-  private suspend fun subscribeOperatorSessionEvents() {
-    try {
-      operatorSession.request("sessions.subscribe", null)
-    } catch (err: Throwable) {
-      Log.d("OpenClawRuntime", "sessions.subscribe failed: ${err.message ?: err::class.java.simpleName}")
-    }
-  }
-
   private val nodeSession =
     GatewaySession(
       scope = scope,
       identityStore = identityStore,
       deviceAuthStore = deviceAuthStore,
       onConnected = {
-        _gatewayConnectionProblem.value = null
         _nodeConnected.value = true
         nodeStatusText = "Connected"
         didAutoRequestCanvasRehydrate = false
@@ -517,15 +479,12 @@ class NodeRuntime(
         publishNodePresenceAliveBeacon(NodePresenceAliveBeacon.Trigger.Connect)
         val endpoint = connectedEndpoint
         val auth = activeGatewayAuth
-        if (operatorConnected) {
-          scope.launch { refreshNodesDevicesFromGateway() }
-        } else if (endpoint != null && auth != null) {
+        if (endpoint != null && auth != null) {
           maybeStartOperatorSessionAfterNodeConnect(endpoint, auth)
         }
       },
       onDisconnected = { message ->
         _nodeConnected.value = false
-        invalidateNodeCapabilityApprovalState()
         nodeStatusText = message
         didAutoRequestCanvasRehydrate = false
         _canvasA2uiHydrated.value = false
@@ -534,7 +493,6 @@ class NodeRuntime(
         updateStatus()
         showLocalCanvasOnDisconnect()
       },
-      onConnectFailure = ::handleGatewayConnectFailure,
       onEvent = { _, _ -> },
       onInvoke = { req ->
         invokeDispatcher.handleInvoke(req.command, req.paramsJson)
@@ -729,23 +687,6 @@ class NodeRuntime(
     updateHomeCanvasState()
   }
 
-  private fun handleGatewayConnectFailure(
-    error: GatewaySession.ErrorShape,
-    pauseReconnect: Boolean,
-  ) {
-    val details = error.details
-    _gatewayConnectionProblem.value =
-      GatewayConnectionProblem(
-        code = details?.code ?: error.code,
-        message = error.message,
-        reason = details?.reason,
-        requestId = details?.requestId,
-        recommendedNextStep = details?.recommendedNextStep,
-        pauseReconnect = pauseReconnect || details?.pauseReconnect == true,
-        retryable = details?.retryable == true,
-      )
-  }
-
   private fun resolveMainSessionKey(): String {
     val trimmed = _mainSessionKey.value.trim()
     return if (trimmed.isEmpty()) "main" else trimmed
@@ -1469,14 +1410,11 @@ class NodeRuntime(
   }
 
   fun refreshGatewayConnection() {
-    val endpoint = connectedEndpoint
-    if (endpoint == null) {
-      resolvePreferredGatewayEndpoint()?.let(::connect)
-        ?: run {
-          _statusText.value = "Failed: no saved gateway endpoint"
-        }
-      return
-    }
+    val endpoint =
+      connectedEndpoint ?: run {
+        _statusText.value = "Failed: no cached gateway endpoint"
+        return
+      }
     operatorStatusText = "Connecting…"
     updateStatus()
     connectWithAuth(endpoint = endpoint, auth = resolveGatewayConnectAuth(), reconnect = true)
@@ -1586,7 +1524,6 @@ class NodeRuntime(
     connectAttemptId: Long,
   ) {
     if (!isCurrentConnectAttempt(connectAttemptId)) return
-    _gatewayConnectionProblem.value = null
     connectedEndpoint = endpoint
     operatorStatusText = "Connecting…"
     nodeStatusText = "Connecting…"
@@ -1683,7 +1620,6 @@ class NodeRuntime(
     stopActiveVoiceSession()
     connectedEndpoint = null
     activeGatewayAuth = null
-    _gatewayConnectionProblem.value = null
     _pendingGatewayTrust.value = null
     operatorSession.disconnect()
     nodeSession.disconnect()
@@ -1922,7 +1858,7 @@ class NodeRuntime(
       return
     }
     try {
-      val modelsRes = operatorSession.request("models.list", "{}")
+      val modelsRes = operatorSession.request("models.list", """{"view":"all"}""")
       val modelsRoot = json.parseToJsonElement(modelsRes).asObjectOrNull()
       _modelCatalog.value = parseGatewayModels(modelsRoot?.get("models") as? JsonArray)
 
@@ -2017,42 +1953,21 @@ class NodeRuntime(
   }
 
   private suspend fun refreshNodesDevicesFromGateway() {
-    val refreshGeneration = nodeApprovalRefreshGuard.begin()
-    val refreshStarted =
-      nodeApprovalRefreshGuard.publishIfCurrent(refreshGeneration) {
-        _nodesDevicesRefreshing.value = true
-        _nodesDevicesErrorText.value = null
-        _nodeCapabilityApprovalState.value = GatewayNodeApprovalState.Loading
-      }
-    if (!refreshStarted) return
+    _nodesDevicesRefreshing.value = true
+    _nodesDevicesErrorText.value = null
     if (!operatorConnected) {
-      nodeApprovalRefreshGuard.publishIfCurrent(refreshGeneration) {
-        _nodesDevicesSummary.value =
-          GatewayNodesDevicesSummary(
-            nodes = emptyList(),
-            pendingDevices = emptyList(),
-            pairedDevices = emptyList(),
-          )
-        _nodesDevicesRefreshing.value = false
-      }
+      _nodesDevicesSummary.value =
+        GatewayNodesDevicesSummary(
+          nodes = emptyList(),
+          pendingDevices = emptyList(),
+          pairedDevices = emptyList(),
+        )
+      _nodesDevicesRefreshing.value = false
       return
     }
     try {
       val nodesRes = operatorSession.request("node.list", "{}")
       val nodesRoot = json.parseToJsonElement(nodesRes).asObjectOrNull()
-      val nodes = parseGatewayNodes(nodesRoot?.get("nodes") as? JsonArray)
-      val approvalState =
-        currentNodeCapabilityApprovalState(
-          nodes = nodes,
-          selfNodeId = identityStore.loadOrCreate().deviceId,
-        )
-      val publishedApproval =
-        nodeApprovalRefreshGuard.publishIfCurrent(refreshGeneration) {
-          _nodeCapabilityApprovalState.value = approvalState
-        }
-      if (!publishedApproval) {
-        return
-      }
       val devicesRoot =
         try {
           val devicesRes = operatorSession.request("device.pair.list", "{}")
@@ -2060,30 +1975,16 @@ class NodeRuntime(
         } catch (_: Throwable) {
           null
         }
-      nodeApprovalRefreshGuard.publishIfCurrent(refreshGeneration) {
-        _nodesDevicesSummary.value =
-          GatewayNodesDevicesSummary(
-            nodes = nodes,
-            pendingDevices = parsePendingDevices(devicesRoot?.get("pending") as? JsonArray),
-            pairedDevices = parsePairedDevices(devicesRoot?.get("paired") as? JsonArray),
-            devicePairingAvailable = devicesRoot != null,
-          )
-      }
+      _nodesDevicesSummary.value =
+        GatewayNodesDevicesSummary(
+          nodes = parseGatewayNodes(nodesRoot?.get("nodes") as? JsonArray),
+          pendingDevices = parsePendingDevices(devicesRoot?.get("pending") as? JsonArray),
+          pairedDevices = parsePairedDevices(devicesRoot?.get("paired") as? JsonArray),
+          devicePairingAvailable = devicesRoot != null,
+        )
     } catch (_: Throwable) {
-      nodeApprovalRefreshGuard.publishIfCurrent(refreshGeneration) {
-        _nodesDevicesErrorText.value = "Could not load nodes and devices."
-      }
+      _nodesDevicesErrorText.value = "Could not load nodes and devices."
     } finally {
-      nodeApprovalRefreshGuard.publishIfCurrent(refreshGeneration) {
-        _nodesDevicesRefreshing.value = false
-      }
-    }
-  }
-
-  private fun invalidateNodeCapabilityApprovalState() {
-    val refreshGeneration = nodeApprovalRefreshGuard.begin()
-    nodeApprovalRefreshGuard.publishIfCurrent(refreshGeneration) {
-      _nodeCapabilityApprovalState.value = GatewayNodeApprovalState.Loading
       _nodesDevicesRefreshing.value = false
     }
   }
@@ -2184,7 +2085,6 @@ class NodeRuntime(
           id = id,
           name = obj["name"].asStringOrNull()?.trim()?.takeIf { it.isNotEmpty() } ?: id,
           provider = provider,
-          available = obj.optionalBoolean("available"),
           supportsVision = "image" in inputTypes,
           supportsAudio = "audio" in inputTypes,
           supportsDocuments = "document" in inputTypes,
@@ -2332,8 +2232,22 @@ class NodeRuntime(
 
   private fun parseGatewayNodes(nodes: JsonArray?): List<GatewayNodeSummary> =
     nodes
-      ?.mapNotNull(::parseGatewayNodeSummary)
-      .orEmpty()
+      ?.mapNotNull { item ->
+        val obj = item.asObjectOrNull() ?: return@mapNotNull null
+        val id = obj["nodeId"].asStringOrNull()?.trim().orEmpty()
+        if (id.isEmpty()) return@mapNotNull null
+        GatewayNodeSummary(
+          id = id,
+          displayName = obj["displayName"].asStringOrNull()?.trim()?.takeIf { it.isNotEmpty() },
+          remoteIp = obj["remoteIp"].asStringOrNull()?.trim()?.takeIf { it.isNotEmpty() },
+          version = obj["version"].asStringOrNull()?.trim()?.takeIf { it.isNotEmpty() },
+          deviceFamily = obj["deviceFamily"].asStringOrNull()?.trim()?.takeIf { it.isNotEmpty() },
+          paired = obj.boolean("paired"),
+          connected = obj.boolean("connected"),
+          capabilities = parseStringArray(obj["caps"] as? JsonArray),
+          commands = parseStringArray(obj["commands"] as? JsonArray),
+        )
+      }.orEmpty()
 
   private fun parsePendingDevices(devices: JsonArray?): List<GatewayPendingDeviceSummary> =
     devices
@@ -2787,7 +2701,6 @@ data class GatewayModelSummary(
   val id: String,
   val name: String,
   val provider: String,
-  val available: Boolean?,
   val supportsVision: Boolean,
   val supportsAudio: Boolean,
   val supportsDocuments: Boolean,
@@ -2861,81 +2774,6 @@ data class GatewayNodesDevicesSummary(
   val devicePairingAvailable: Boolean = true,
 )
 
-enum class GatewayNodeApprovalState {
-  Loading,
-  Unsupported,
-  Approved,
-  PendingApproval,
-  PendingReapproval,
-  Unapproved,
-}
-
-/** Prevents older node.list responses from overwriting newer approval state. */
-internal class GatewayNodeApprovalRefreshGuard {
-  private val lock = Any()
-  private var generation = 0L
-
-  fun begin(): Long =
-    synchronized(lock) {
-      generation += 1
-      generation
-    }
-
-  fun publishIfCurrent(
-    refreshGeneration: Long,
-    publish: () -> Unit,
-  ): Boolean =
-    synchronized(lock) {
-      if (refreshGeneration != generation) return@synchronized false
-      publish()
-      true
-    }
-}
-
-internal fun parseGatewayNodeApprovalState(raw: String?): GatewayNodeApprovalState =
-  when (raw?.trim()?.lowercase()) {
-    null, "" -> GatewayNodeApprovalState.Loading
-    "approved" -> GatewayNodeApprovalState.Approved
-    "pending-approval" -> GatewayNodeApprovalState.PendingApproval
-    "pending-reapproval" -> GatewayNodeApprovalState.PendingReapproval
-    "unapproved" -> GatewayNodeApprovalState.Unapproved
-    else -> GatewayNodeApprovalState.Loading
-  }
-
-internal fun currentNodeCapabilityApprovalState(
-  nodes: List<GatewayNodeSummary>,
-  selfNodeId: String,
-): GatewayNodeApprovalState =
-  nodes
-    .firstOrNull { it.id == selfNodeId }
-    ?.approvalState
-    ?: GatewayNodeApprovalState.Loading
-
-internal fun parseGatewayNodeSummary(item: JsonElement): GatewayNodeSummary? {
-  val obj = item.asObjectOrNull() ?: return null
-  val id = obj["nodeId"].asStringOrNull()?.trim().orEmpty()
-  if (id.isEmpty()) return null
-  return GatewayNodeSummary(
-    id = id,
-    displayName = obj["displayName"].asStringOrNull()?.trim()?.takeIf { it.isNotEmpty() },
-    remoteIp = obj["remoteIp"].asStringOrNull()?.trim()?.takeIf { it.isNotEmpty() },
-    version = obj["version"].asStringOrNull()?.trim()?.takeIf { it.isNotEmpty() },
-    deviceFamily = obj["deviceFamily"].asStringOrNull()?.trim()?.takeIf { it.isNotEmpty() },
-    paired = obj.boolean("paired"),
-    connected = obj.boolean("connected"),
-    // Only an omitted field identifies a legacy gateway; malformed and future values stay fail-closed.
-    approvalState =
-      if (obj.containsKey("approvalState")) {
-        parseGatewayNodeApprovalState(obj["approvalState"].asStringOrNull())
-      } else {
-        GatewayNodeApprovalState.Unsupported
-      },
-    pendingRequestId = obj["pendingRequestId"].asStringOrNull()?.trim()?.takeIf { it.isNotEmpty() },
-    capabilities = parseGatewayStringArray(obj["caps"] as? JsonArray),
-    commands = parseGatewayStringArray(obj["commands"] as? JsonArray),
-  )
-}
-
 data class GatewayNodeSummary(
   val id: String,
   val displayName: String?,
@@ -2944,8 +2782,6 @@ data class GatewayNodeSummary(
   val deviceFamily: String?,
   val paired: Boolean,
   val connected: Boolean,
-  val approvalState: GatewayNodeApprovalState,
-  val pendingRequestId: String?,
   val capabilities: List<String>,
   val commands: List<String>,
 )
@@ -3047,15 +2883,6 @@ private fun JsonObject?.double(key: String): Double? = (this?.get(key) as? JsonP
 
 private fun JsonObject?.boolean(key: String): Boolean = (this?.get(key) as? JsonPrimitive)?.content?.trim() == "true"
 
-private fun JsonObject?.optionalBoolean(key: String): Boolean? =
-  (this?.get(key) as? JsonPrimitive)?.content?.trim()?.lowercase()?.let { value ->
-    when (value) {
-      "true" -> true
-      "false" -> false
-      else -> null
-    }
-  }
-
 internal fun cronJobLastRunStatus(state: JsonObject?): String? =
   state
     .cronStatus("lastStatus")
@@ -3068,11 +2895,6 @@ private fun JsonObject?.cronStatus(key: String): String? =
     ?.trim()
     ?.takeIf { it.isNotEmpty() }
 
-private fun parseGatewayStringArray(items: JsonArray?): List<String> =
-  items
-    ?.mapNotNull { it.asStringOrNull()?.trim()?.takeIf { value -> value.isNotEmpty() } }
-    .orEmpty()
-
 fun providerDisplayName(provider: String): String =
   when (provider.trim().lowercase()) {
     "openai" -> "OpenAI"

apps/android/app/src/main/java/ai/openclaw/app/PermissionRequester.kt

@@ -53,7 +53,6 @@ class PermissionRequester internal constructor(
   private val mutex = Mutex()
   private val requestSlotsLock = Any()
   private val mainHandler = Handler(Looper.getMainLooper())
-
   // ActivityResult launchers cannot be registered after start; pre-register a small pool for nested UI flows.
   private val launchers = List(4) { createPermissionRequestSlot(launcherFactory) }
 

apps/android/app/src/main/java/ai/openclaw/app/SecurePrefs.kt

@@ -42,7 +42,6 @@ class SecurePrefs(
     private const val notificationsForwardingSessionKeyKey = "notifications.forwarding.sessionKey"
     private const val installedAppsSharingEnabledKey = "device.apps.sharing.enabled"
     private const val voiceMicEnabledKey = "voice.micEnabled"
-    private const val appearanceThemeModeKey = "appearance.themeMode"
   }
 
   private val appContext = context.applicationContext
@@ -182,10 +181,6 @@ class SecurePrefs(
   private val _speakerEnabled = MutableStateFlow(plainPrefs.getBoolean("voice.speakerEnabled", true))
   val speakerEnabled: StateFlow<Boolean> = _speakerEnabled
 
-  private val _appearanceThemeMode =
-    MutableStateFlow(AppearanceThemeMode.fromRawValue(plainPrefs.getString(appearanceThemeModeKey, null)))
-  val appearanceThemeMode: StateFlow<AppearanceThemeMode> = _appearanceThemeMode
-
   fun setLastDiscoveredStableId(value: String) {
     val trimmed = value.trim()
     plainPrefs.edit { putString("gateway.lastDiscoveredStableID", trimmed) }
@@ -530,11 +525,6 @@ class SecurePrefs(
     _speakerEnabled.value = value
   }
 
-  fun setAppearanceThemeMode(mode: AppearanceThemeMode) {
-    plainPrefs.edit { putString(appearanceThemeModeKey, mode.rawValue) }
-    _appearanceThemeMode.value = mode
-  }
-
   private fun loadNotificationForwardingPackages(): Set<String> {
     val raw = plainPrefs.getString(notificationsForwardingPackagesKey, null)?.trim()
     if (raw.isNullOrEmpty()) {

apps/android/app/src/main/java/ai/openclaw/app/chat/ChatController.kt

@@ -61,11 +61,9 @@ class ChatController(
 
   private val pendingRuns = mutableSetOf<String>()
   private val pendingRunTimeoutJobs = ConcurrentHashMap<String, Job>()
-
   // Preserve sent messages locally until chat.history includes the gateway-confirmed copy.
   private val optimisticMessagesByRunId = LinkedHashMap<String, ChatMessage>()
   private val pendingRunTimeoutMs = 120_000L
-
   // Drops stale history responses after session switches or refresh races.
   private val historyLoadGeneration = AtomicLong(0)
 
@@ -227,7 +225,6 @@ class ChatController(
         role = "user",
         content = userContent,
         timestampMs = System.currentTimeMillis(),
-        idempotencyKey = "$runId:user",
       )
     optimisticMessagesByRunId[runId] = optimisticMessage
     _messages.value = _messages.value + optimisticMessage
@@ -311,6 +308,7 @@ class ChatController(
     }
   }
 
+  /** Applies gateway chat/agent stream events to local transcript and pending-run state. */
   fun handleGatewayEvent(
     event: String,
     payloadJson: String?,
@@ -320,6 +318,7 @@ class ChatController(
         scope.launch { pollHealthIfNeeded(force = false) }
       }
       "health" -> {
+        // If we receive a health snapshot, the gateway is reachable.
         _healthOk.value = true
       }
       "seqGap" -> {
@@ -330,17 +329,6 @@ class ChatController(
         if (payloadJson.isNullOrBlank()) return
         handleChatEvent(payloadJson)
       }
-      "sessions.changed" -> {
-        if (payloadJson.isNullOrBlank()) {
-          refreshSessionsForCurrentWindow()
-        } else {
-          handleSessionsChangedEvent(payloadJson)
-        }
-      }
-      "session.message" -> {
-        if (payloadJson.isNullOrBlank()) return
-        handleSessionMessageEvent(payloadJson)
-      }
       "agent" -> {
         if (payloadJson.isNullOrBlank()) return
         handleAgentEvent(payloadJson)
@@ -362,8 +350,6 @@ class ChatController(
         )
       if (!isCurrentHistoryLoad(sessionKey, _sessionKey.value, generation, historyLoadGeneration.get())) return
       val history = parseHistory(historyJson, sessionKey = sessionKey, previousMessages = _messages.value)
-      updateSessionFromHistory(history)
-      prunePersistedOptimisticMessages(history.messages)
       _messages.value = mergeOptimisticMessages(incoming = history.messages, optimistic = optimisticMessagesByRunId.values)
       _sessionId.value = history.sessionId
       _historyLoading.value = false
@@ -398,10 +384,6 @@ class ChatController(
     }
   }
 
-  private fun refreshSessionsForCurrentWindow() {
-    scope.launch { fetchSessions(limit = _sessions.value.size.takeIf { it > 0 } ?: 100) }
-  }
-
   private suspend fun pollHealthIfNeeded(force: Boolean) {
     val now = System.currentTimeMillis()
     val last = lastHealthPollAtMs
@@ -440,8 +422,10 @@ class ChatController(
         }
         if (runId != null) {
           clearPendingRun(runId)
+          optimisticMessagesByRunId.remove(runId)
         } else {
-          clearPendingRuns(clearOptimisticMessages = false)
+          clearPendingRuns()
+          optimisticMessagesByRunId.clear()
         }
         pendingToolCallsById.clear()
         publishPendingToolCalls()
@@ -471,8 +455,6 @@ class ChatController(
                 sessionKey = currentSessionKey,
                 previousMessages = _messages.value,
               )
-            updateSessionFromHistory(history)
-            prunePersistedOptimisticMessages(history.messages)
             _messages.value = mergeOptimisticMessages(incoming = history.messages, optimistic = optimisticMessagesByRunId.values)
             _sessionId.value = history.sessionId
             history.thinkingLevel
@@ -487,31 +469,6 @@ class ChatController(
     }
   }
 
-  private fun handleSessionsChangedEvent(payloadJson: String) {
-    val payload = json.parseToJsonElement(payloadJson).asObjectOrNull() ?: return
-    if (payload["reason"].asStringOrNull() == "delete") {
-      removeSessionEntry(payload["sessionKey"].asStringOrNull() ?: payload["key"].asStringOrNull())
-      return
-    }
-    val entry = parseEventSessionEntry(payload)
-    if (entry != null) {
-      upsertSessionEntry(entry)
-    } else {
-      refreshSessionsForCurrentWindow()
-    }
-  }
-
-  private fun handleSessionMessageEvent(payloadJson: String) {
-    val payload = json.parseToJsonElement(payloadJson).asObjectOrNull() ?: return
-    val entry = parseEventSessionEntry(payload)
-    if (entry != null) {
-      upsertSessionEntry(entry)
-    }
-  }
-
-  private fun parseEventSessionEntry(payload: JsonObject): ChatSessionEntry? =
-    payload["session"].asObjectOrNull()?.let(::parseSessionEntry) ?: parseSessionEntry(payload)
-
   private fun handleAgentEvent(payloadJson: String) {
     val payload = json.parseToJsonElement(payloadJson).asObjectOrNull() ?: return
     val sessionKey = payload["sessionKey"].asStringOrNull()?.trim()
@@ -604,14 +561,12 @@ class ChatController(
     }
   }
 
-  private fun clearPendingRuns(clearOptimisticMessages: Boolean = true) {
+  private fun clearPendingRuns() {
     for ((_, job) in pendingRunTimeoutJobs) {
       job.cancel()
     }
     pendingRunTimeoutJobs.clear()
-    if (clearOptimisticMessages) {
-      optimisticMessagesByRunId.clear()
-    }
+    optimisticMessagesByRunId.clear()
     synchronized(pendingRuns) {
       pendingRuns.clear()
       _pendingRunCount.value = 0
@@ -623,15 +578,6 @@ class ChatController(
     _messages.value = _messages.value.filterNot { it.id == message.id }
   }
 
-  private fun prunePersistedOptimisticMessages(incoming: List<ChatMessage>) {
-    val retained =
-      retainUnmatchedOptimisticMessages(
-        incoming = incoming,
-        optimistic = optimisticMessagesByRunId.values,
-      ).toSet()
-    optimisticMessagesByRunId.entries.removeAll { entry -> entry.value !in retained }
-  }
-
   private fun parseHistory(
     historyJson: String,
     sessionKey: String,
@@ -640,21 +586,19 @@ class ChatController(
     val root = json.parseToJsonElement(historyJson).asObjectOrNull() ?: return ChatHistory(sessionKey, null, null, emptyList())
     val sid = root["sessionId"].asStringOrNull()
     val thinkingLevel = root["thinkingLevel"].asStringOrNull()
-    val sessionInfo = root["sessionInfo"].asObjectOrNull()?.let { parseSessionEntry(it, fallbackKey = sessionKey) }
     val array = root["messages"].asArrayOrNull() ?: JsonArray(emptyList())
 
     val messages =
       array.mapNotNull { item ->
         val obj = item.asObjectOrNull() ?: return@mapNotNull null
         val role = obj["role"].asStringOrNull() ?: return@mapNotNull null
-        val content = parseChatMessageContents(obj)
+        val content = obj["content"].asArrayOrNull()?.mapNotNull(::parseChatMessageContent) ?: emptyList()
         val ts = obj["timestamp"].asLongOrNull()
         ChatMessage(
           id = UUID.randomUUID().toString(),
           role = role,
           content = content,
           timestampMs = ts,
-          idempotencyKey = obj["idempotencyKey"].asStringOrNull(),
         )
       }
 
@@ -663,69 +607,20 @@ class ChatController(
       sessionId = sid,
       thinkingLevel = thinkingLevel,
       messages = reconcileMessageIds(previous = previousMessages, incoming = messages),
-      sessionInfo = sessionInfo,
     )
   }
 
   private fun parseSessions(jsonString: String): List<ChatSessionEntry> {
     val root = json.parseToJsonElement(jsonString).asObjectOrNull() ?: return emptyList()
     val sessions = root["sessions"].asArrayOrNull() ?: return emptyList()
-    return sessions.mapNotNull { item -> parseSessionEntry(item.asObjectOrNull()) }
-  }
-
-  private fun parseSessionEntry(
-    obj: JsonObject?,
-    fallbackKey: String? = null,
-  ): ChatSessionEntry? {
-    if (obj == null) return null
-    val key =
-      obj["key"].asStringOrNull()?.trim().orEmpty()
-        .ifEmpty { obj["sessionKey"].asStringOrNull()?.trim().orEmpty() }
-        .ifEmpty { fallbackKey?.trim().orEmpty() }
-    if (key.isEmpty()) return null
-    return ChatSessionEntry(
-      key = key,
-      updatedAtMs = obj["updatedAt"].asLongOrNull(),
-      displayName = obj["displayName"].asStringOrNull()?.trim(),
-      totalTokens = obj["totalTokens"].asLongOrNull(),
-      totalTokensFresh = obj["totalTokensFresh"].asBooleanOrNull(),
-      contextTokens = obj["contextTokens"].asLongOrNull(),
-      hasContextUsageMetadata =
-        "totalTokens" in obj ||
-          "totalTokensFresh" in obj ||
-          "contextTokens" in obj,
-    )
-  }
-
-  private fun updateSessionFromHistory(history: ChatHistory) {
-    val info = history.sessionInfo ?: return
-    upsertSessionEntry(info, preserveExistingContextUsageWithoutTotal = true)
-  }
-
-  private fun upsertSessionEntry(
-    entry: ChatSessionEntry,
-    preserveExistingContextUsageWithoutTotal: Boolean = false,
-  ) {
-    val current = _sessions.value
-    val index = current.indexOfFirst { it.key == entry.key }
-    _sessions.value =
-      if (index >= 0) {
-        current.toMutableList().also {
-          it[index] =
-            mergeChatSessionEntry(
-              existing = it[index],
-              next = entry,
-              preserveExistingContextUsageWithoutTotal = preserveExistingContextUsageWithoutTotal,
-            )
-        }
-      } else {
-        listOf(entry) + current
-      }
-  }
-
-  private fun removeSessionEntry(sessionKey: String?) {
-    val key = sessionKey?.trim()?.takeIf { it.isNotEmpty() } ?: return
-    _sessions.value = _sessions.value.filterNot { it.key == key }
+    return sessions.mapNotNull { item ->
+      val obj = item.asObjectOrNull() ?: return@mapNotNull null
+      val key = obj["key"].asStringOrNull()?.trim().orEmpty()
+      if (key.isEmpty()) return@mapNotNull null
+      val updatedAt = obj["updatedAt"].asLongOrNull()
+      val displayName = obj["displayName"].asStringOrNull()?.trim()
+      ChatSessionEntry(key = key, updatedAtMs = updatedAt, displayName = displayName)
+    }
   }
 
   private fun parseRunId(resJson: String): String? =
@@ -779,19 +674,6 @@ internal fun parseChatMessageContent(el: JsonElement): ChatMessageContent? {
   }
 }
 
-internal fun parseChatMessageContents(obj: JsonObject): List<ChatMessageContent> {
-  obj["content"].asArrayOrNull()?.let { content ->
-    return content.mapNotNull(::parseChatMessageContent)
-  }
-  obj["content"].asStringOrNull()?.let { text ->
-    return listOf(ChatMessageContent(type = "text", text = text))
-  }
-  obj["text"].asStringOrNull()?.let { text ->
-    return listOf(ChatMessageContent(type = "text", text = text))
-  }
-  return emptyList()
-}
-
 internal data class MainSessionState(
   val currentSessionKey: String,
   val appliedMainSessionKey: String,
@@ -850,41 +732,29 @@ internal fun mergeOptimisticMessages(
 ): List<ChatMessage> {
   if (optimistic.isEmpty()) return incoming
 
-  val missingOptimistic = retainUnmatchedOptimisticMessages(incoming = incoming, optimistic = optimistic)
+  val unmatchedIncoming = incoming.toMutableList()
+  val missingOptimistic =
+    optimistic.filter { message ->
+      val matchIndex =
+        unmatchedIncoming.indexOfFirst { incomingMessage ->
+          incomingMessageConsumesOptimistic(incomingMessage, message)
+        }
+      if (matchIndex >= 0) {
+        unmatchedIncoming.removeAt(matchIndex)
+        false
+      } else {
+        true
+      }
+    }
   if (missingOptimistic.isEmpty()) return incoming
 
   return (incoming + missingOptimistic).sortedWith(compareBy<ChatMessage> { it.timestampMs ?: Long.MAX_VALUE }.thenBy { it.id })
 }
 
-internal fun retainUnmatchedOptimisticMessages(
-  incoming: List<ChatMessage>,
-  optimistic: Collection<ChatMessage>,
-): List<ChatMessage> {
-  if (optimistic.isEmpty()) return emptyList()
-
-  val unmatchedIncoming = incoming.toMutableList()
-  return optimistic.filter { message ->
-    val matchIndex =
-      unmatchedIncoming.indexOfFirst { incomingMessage ->
-        incomingMessageConsumesOptimistic(incomingMessage, message)
-      }
-    if (matchIndex >= 0) {
-      unmatchedIncoming.removeAt(matchIndex)
-      false
-    } else {
-      true
-    }
-  }
-}
-
 /**
  * Message identity used only for refresh reconciliation; it avoids exposing gateway ids as UI keys.
  */
 internal fun messageIdentityKey(message: ChatMessage): String? {
-  val idempotencyKey = message.idempotencyKey?.trim().orEmpty()
-  if (idempotencyKey.isNotEmpty()) {
-    return listOf(message.role.trim().lowercase(), idempotencyKey).joinToString(separator = "|")
-  }
   val contentKey = messageContentIdentityKey(message) ?: return null
   val timestamp = message.timestampMs?.toString().orEmpty()
   if (timestamp.isEmpty() && contentKey.isEmpty()) return null
@@ -897,10 +767,6 @@ private fun incomingMessageConsumesOptimistic(
   incoming: ChatMessage,
   optimistic: ChatMessage,
 ): Boolean {
-  val optimisticIdempotencyKey = optimistic.idempotencyKey?.trim().orEmpty()
-  if (optimisticIdempotencyKey.isNotEmpty()) {
-    return incoming.idempotencyKey?.trim() == optimisticIdempotencyKey
-  }
   if (optimisticMessageIdentityKey(incoming) != optimisticMessageIdentityKey(optimistic)) return false
   val incomingTimestamp = incoming.timestampMs ?: return false
   val optimisticTimestamp = optimistic.timestampMs ?: return true
@@ -947,44 +813,3 @@ private fun JsonElement?.asLongOrNull(): Long? =
     is JsonPrimitive -> content.toLongOrNull()
     else -> null
   }
-
-private fun JsonElement?.asBooleanOrNull(): Boolean? =
-  when (this) {
-    is JsonPrimitive -> content.toBooleanStrictOrNull()
-    else -> null
-  }
-
-internal fun mergeChatSessionEntry(
-  existing: ChatSessionEntry,
-  next: ChatSessionEntry,
-  preserveExistingContextUsageWithoutTotal: Boolean = false,
-): ChatSessionEntry {
-  val preserveExistingContextUsage = preserveExistingContextUsageWithoutTotal && next.totalTokens == null
-  return existing.copy(
-    updatedAtMs = next.updatedAtMs ?: existing.updatedAtMs,
-    displayName = next.displayName ?: existing.displayName,
-    totalTokens =
-      when {
-        preserveExistingContextUsage -> existing.totalTokens
-        next.hasContextUsageMetadata -> next.totalTokens
-        else -> null
-      },
-    totalTokensFresh =
-      when {
-        preserveExistingContextUsage -> existing.totalTokensFresh
-        next.hasContextUsageMetadata -> next.totalTokensFresh
-        else -> null
-      },
-    contextTokens =
-      when {
-        preserveExistingContextUsage -> next.contextTokens ?: existing.contextTokens
-        next.hasContextUsageMetadata -> next.contextTokens
-        else -> null
-      },
-    hasContextUsageMetadata =
-      when {
-        preserveExistingContextUsage -> existing.hasContextUsageMetadata || next.contextTokens != null
-        else -> next.hasContextUsageMetadata
-      },
-  )
-}

apps/android/app/src/main/java/ai/openclaw/app/chat/ChatModels.kt

@@ -8,7 +8,6 @@ data class ChatMessage(
   val role: String,
   val content: List<ChatMessageContent>,
   val timestampMs: Long?,
-  val idempotencyKey: String? = null,
 )
 
 /**
@@ -40,10 +39,6 @@ data class ChatSessionEntry(
   val key: String,
   val updatedAtMs: Long?,
   val displayName: String? = null,
-  val totalTokens: Long? = null,
-  val totalTokensFresh: Boolean? = null,
-  val contextTokens: Long? = null,
-  val hasContextUsageMetadata: Boolean = totalTokens != null || totalTokensFresh != null || contextTokens != null,
 )
 
 /**
@@ -54,7 +49,6 @@ data class ChatHistory(
   val sessionId: String?,
   val thinkingLevel: String?,
   val messages: List<ChatMessage>,
-  val sessionInfo: ChatSessionEntry? = null,
 )
 
 /**

apps/android/app/src/main/java/ai/openclaw/app/gateway/GatewayDiscovery.kt

@@ -49,19 +49,6 @@ import java.util.concurrent.Executors
 import kotlin.coroutines.resume
 import kotlin.coroutines.resumeWithException
 
-private fun createDnsResolver(context: Context): DnsResolver =
-  if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.CINNAMON_BUN) {
-    createContextDnsResolver(context)
-  } else {
-    createLegacyDnsResolver()
-  }
-
-@TargetApi(Build.VERSION_CODES.CINNAMON_BUN)
-private fun createContextDnsResolver(context: Context): DnsResolver = DnsResolver(context, null)
-
-@Suppress("DEPRECATION")
-private fun createLegacyDnsResolver(): DnsResolver = DnsResolver.getInstance()
-
 /**
  * Watches local DNS-SD and optional wide-area DNS-SD for reachable OpenClaw gateways.
  */
@@ -71,7 +58,7 @@ class GatewayDiscovery(
 ) {
   private val nsd = context.getSystemService(NsdManager::class.java)
   private val connectivity = context.getSystemService(ConnectivityManager::class.java)
-  private val dns = createDnsResolver(context)
+  private val dns = DnsResolver.getInstance()
   private val serviceType = "_openclaw-gw._tcp."
   private val wideAreaDomain = System.getenv("OPENCLAW_WIDE_AREA_DOMAIN")
   private val logTag = "OpenClaw/GatewayDiscovery"
@@ -79,12 +66,10 @@ class GatewayDiscovery(
   private val localById = ConcurrentHashMap<String, GatewayEndpoint>()
   private val unicastById = ConcurrentHashMap<String, GatewayEndpoint>()
   private val _gateways = MutableStateFlow<List<GatewayEndpoint>>(emptyList())
-
   /** Current discovered gateway list, merged from local DNS-SD and optional wide-area DNS-SD. */
   val gateways: StateFlow<List<GatewayEndpoint>> = _gateways.asStateFlow()
 
   private val _statusText = MutableStateFlow("Searching…")
-
   /** Short diagnostic text shown by connect UI while discovery is running. */
   val statusText: StateFlow<String> = _statusText.asStateFlow()
 

apps/android/app/src/main/java/ai/openclaw/app/gateway/GatewaySession.kt

@@ -77,8 +77,6 @@ data class GatewayConnectErrorDetails(
   val recommendedNextStep: String?,
   val pauseReconnect: Boolean? = null,
   val reason: String? = null,
-  val requestId: String? = null,
-  val retryable: Boolean = false,
 )
 
 /**
@@ -122,7 +120,6 @@ class GatewaySession(
   private val deviceAuthStore: DeviceAuthTokenStore,
   private val onConnected: (GatewayHelloSummary) -> Unit,
   private val onDisconnected: (message: String) -> Unit,
-  private val onConnectFailure: (error: ErrorShape, pauseReconnect: Boolean) -> Unit = { _, _ -> },
   private val onEvent: (event: String, payloadJson: String?) -> Unit,
   private val onInvoke: (suspend (InvokeRequest) -> InvokeResult)? = null,
   private val onTlsFingerprint: ((stableId: String, fingerprint: String) -> Unit)? = null,
@@ -130,7 +127,6 @@ class GatewaySession(
   private companion object {
     // Keep connect timeout above observed gateway unauthorized close on lower-end devices.
     private const val CONNECT_RPC_TIMEOUT_MS = 12_000L
-    private val PAIRING_REQUEST_ID_PATTERN = Regex("^[A-Za-z0-9][A-Za-z0-9._:-]{0,127}$")
   }
 
   /**
@@ -927,8 +923,6 @@ class GatewaySession(
                 recommendedNextStep = it["recommendedNextStep"].asStringOrNull(),
                 pauseReconnect = it["pauseReconnect"].asBooleanOrNull(),
                 reason = it["reason"].asStringOrNull(),
-                requestId = normalizePairingRequestId(it["requestId"].asStringOrNull()),
-                retryable = it["retryable"].asBooleanOrNull() == true,
               )
             }
           ErrorShape(code, msg, details)
@@ -954,11 +948,6 @@ class GatewaySession(
       onEvent(event, payloadJson)
     }
 
-    private fun normalizePairingRequestId(requestId: String?): String? {
-      val trimmed = requestId?.trim()?.takeIf { it.isNotEmpty() } ?: return null
-      return trimmed.takeIf { PAIRING_REQUEST_ID_PATTERN.matches(it) }
-    }
-
     private suspend fun awaitConnectNonce(): String =
       try {
         withTimeout(2_000) { connectNonceDeferred.await() }
@@ -1072,14 +1061,10 @@ class GatewaySession(
       } catch (err: Throwable) {
         attempt += 1
         onDisconnected("Gateway error: ${err.message ?: err::class.java.simpleName}")
-        val gatewayConnectFailure = err as? GatewayConnectFailure
-        val pauseForAuthFailure =
-          gatewayConnectFailure
-            ?.let { shouldPauseReconnectAfterAuthFailure(it.gatewayError) } == true
-        if (gatewayConnectFailure != null) {
-          onConnectFailure(gatewayConnectFailure.gatewayError, pauseForAuthFailure)
-        }
-        if (pauseForAuthFailure) {
+        if (
+          err is GatewayConnectFailure &&
+          shouldPauseReconnectAfterAuthFailure(err.gatewayError)
+        ) {
           reconnectPausedForAuthFailure = true
           continue
         }

apps/android/app/src/main/java/ai/openclaw/app/node/DeviceHandler.kt

@@ -30,7 +30,8 @@ private const val MAX_DEVICE_APPS_LIMIT = 200
 private const val DEVICE_APPS_SYSTEM_FLAGS =
   ApplicationInfo.FLAG_SYSTEM or ApplicationInfo.FLAG_UPDATED_SYSTEM_APP
 
-internal fun isSystemDeviceApp(appInfo: ApplicationInfo): Boolean = (appInfo.flags and DEVICE_APPS_SYSTEM_FLAGS) != 0
+internal fun isSystemDeviceApp(appInfo: ApplicationInfo): Boolean =
+  (appInfo.flags and DEVICE_APPS_SYSTEM_FLAGS) != 0
 
 internal data class DeviceAppEntry(
   val label: String,

apps/android/app/src/main/java/ai/openclaw/app/ui/AndroidScreenshotModeScreen.kt

@@ -1,394 +0,0 @@
-package ai.openclaw.app.ui
-
-import ai.openclaw.app.AndroidScreenshotScene
-import ai.openclaw.app.ui.design.ClawDesignTheme
-import ai.openclaw.app.ui.design.ClawTheme
-import androidx.compose.foundation.BorderStroke
-import androidx.compose.foundation.background
-import androidx.compose.foundation.layout.Arrangement
-import androidx.compose.foundation.layout.Box
-import androidx.compose.foundation.layout.Column
-import androidx.compose.foundation.layout.Row
-import androidx.compose.foundation.layout.Spacer
-import androidx.compose.foundation.layout.fillMaxSize
-import androidx.compose.foundation.layout.fillMaxWidth
-import androidx.compose.foundation.layout.height
-import androidx.compose.foundation.layout.padding
-import androidx.compose.foundation.layout.size
-import androidx.compose.foundation.layout.width
-import androidx.compose.foundation.shape.CircleShape
-import androidx.compose.foundation.shape.RoundedCornerShape
-import androidx.compose.material.icons.Icons
-import androidx.compose.material.icons.automirrored.filled.ScreenShare
-import androidx.compose.material.icons.filled.ChatBubble
-import androidx.compose.material.icons.filled.CheckCircle
-import androidx.compose.material.icons.filled.Mic
-import androidx.compose.material.icons.filled.Settings
-import androidx.compose.material.icons.filled.WifiTethering
-import androidx.compose.material3.Icon
-import androidx.compose.material3.Surface
-import androidx.compose.material3.Text
-import androidx.compose.runtime.Composable
-import androidx.compose.ui.Alignment
-import androidx.compose.ui.Modifier
-import androidx.compose.ui.draw.clip
-import androidx.compose.ui.graphics.Color
-import androidx.compose.ui.graphics.vector.ImageVector
-import androidx.compose.ui.text.font.FontWeight
-import androidx.compose.ui.text.style.TextOverflow
-import androidx.compose.ui.unit.dp
-
-@Composable
-fun AndroidScreenshotModeScreen(scene: AndroidScreenshotScene) {
-  ClawDesignTheme(dark = true) {
-    Column(
-      modifier =
-        Modifier
-          .fillMaxSize()
-          .background(ClawTheme.colors.canvas)
-          .padding(horizontal = 20.dp, vertical = 26.dp),
-      verticalArrangement = Arrangement.SpaceBetween,
-    ) {
-      ScreenshotHeader(scene)
-      ScreenshotSceneBody(scene = scene, modifier = Modifier.weight(1f))
-      ScreenshotTabBar(activeScene = scene)
-    }
-  }
-}
-
-@Composable
-private fun ScreenshotHeader(scene: AndroidScreenshotScene) {
-  Row(
-    modifier = Modifier.fillMaxWidth(),
-    horizontalArrangement = Arrangement.SpaceBetween,
-    verticalAlignment = Alignment.CenterVertically,
-  ) {
-    Column {
-      Text(text = "OpenClaw", style = ClawTheme.type.title, color = ClawTheme.colors.text)
-      Text(
-        text = sceneTitle(scene),
-        style = ClawTheme.type.caption,
-        color = ClawTheme.colors.textMuted,
-      )
-    }
-    StatusPill(label = "Connected", color = ClawTheme.colors.success)
-  }
-}
-
-@Composable
-private fun ScreenshotSceneBody(
-  scene: AndroidScreenshotScene,
-  modifier: Modifier = Modifier,
-) {
-  Column(
-    modifier = modifier.fillMaxWidth().padding(vertical = 20.dp),
-    verticalArrangement = Arrangement.spacedBy(14.dp),
-  ) {
-    when (scene) {
-      AndroidScreenshotScene.Connect -> ConnectScene()
-      AndroidScreenshotScene.Chat -> ChatScene()
-      AndroidScreenshotScene.Voice -> VoiceScene()
-      AndroidScreenshotScene.Screen -> ScreenScene()
-      AndroidScreenshotScene.Settings -> SettingsScene()
-    }
-  }
-}
-
-@Composable
-private fun ConnectScene() {
-  FeaturePanel(icon = Icons.Default.WifiTethering, title = "Gateway paired", subtitle = "Mac Studio - Tailnet") {
-    MetricRow(label = "Node", value = "Android Pixel 9")
-    MetricRow(label = "Transport", value = "Secure WebSocket")
-    MetricRow(label = "Capabilities", value = "Chat, Talk, Camera, Screen")
-  }
-  CompactList(
-    title = "Ready",
-    rows =
-      listOf(
-        "Push wakes active",
-        "Approvals synced",
-        "Device tools available",
-      ),
-  )
-}
-
-@Composable
-private fun ChatScene() {
-  ChatBubble(label = "You", text = "Summarize the launch checklist before I start the release.")
-  ChatBubble(
-    label = "OpenClaw",
-    text = "Android archive, Play metadata, and internal testing upload are ready. Screenshots are being refreshed now.",
-    raised = true,
-  )
-  CompactList(
-    title = "Working set",
-    rows = listOf("Release notes", "Play bundle", "Device screenshots"),
-  )
-}
-
-@Composable
-private fun VoiceScene() {
-  Box(modifier = Modifier.fillMaxWidth().padding(vertical = 20.dp), contentAlignment = Alignment.Center) {
-    Surface(
-      modifier = Modifier.size(196.dp),
-      shape = CircleShape,
-      color = ClawTheme.colors.surfaceRaised,
-      border = BorderStroke(1.dp, ClawTheme.colors.borderStrong),
-    ) {
-      Box(contentAlignment = Alignment.Center) {
-        Icon(
-          imageVector = Icons.Default.Mic,
-          contentDescription = null,
-          tint = ClawTheme.colors.primary,
-          modifier = Modifier.size(72.dp),
-        )
-      }
-    }
-  }
-  FeaturePanel(icon = Icons.Default.Mic, title = "Talk mode", subtitle = "Listening on device") {
-    MetricRow(label = "Wake phrase", value = "OpenClaw")
-    MetricRow(label = "Latency", value = "Realtime")
-  }
-}
-
-@Composable
-private fun ScreenScene() {
-  FeaturePanel(icon = Icons.AutoMirrored.Filled.ScreenShare, title = "Screen tools", subtitle = "Shared with your gateway") {
-    MetricRow(label = "Canvas", value = "Available")
-    MetricRow(label = "Camera", value = "Permission granted")
-    MetricRow(label = "Location", value = "On request")
-  }
-  Surface(
-    modifier = Modifier.fillMaxWidth().height(168.dp),
-    shape = RoundedCornerShape(8.dp),
-    color = ClawTheme.colors.surfaceRaised,
-    border = BorderStroke(1.dp, ClawTheme.colors.border),
-  ) {
-    Column(modifier = Modifier.padding(16.dp), verticalArrangement = Arrangement.spacedBy(10.dp)) {
-      Text(text = "Live context", style = ClawTheme.type.section, color = ClawTheme.colors.text)
-      ContextBar(label = "Camera", fraction = 0.74f)
-      ContextBar(label = "Screen", fraction = 0.58f)
-      ContextBar(label = "Location", fraction = 0.38f)
-    }
-  }
-}
-
-@Composable
-private fun SettingsScene() {
-  CompactList(
-    title = "Security",
-    rows = listOf("Biometric lock enabled", "Gateway token encrypted", "Tool approvals required"),
-  )
-  CompactList(
-    title = "Notifications",
-    rows = listOf("Gateway status", "Approval requests", "Background presence"),
-  )
-}
-
-@Composable
-private fun FeaturePanel(
-  icon: ImageVector,
-  title: String,
-  subtitle: String,
-  content: @Composable () -> Unit,
-) {
-  Surface(
-    modifier = Modifier.fillMaxWidth(),
-    shape = RoundedCornerShape(8.dp),
-    color = ClawTheme.colors.surface,
-    border = BorderStroke(1.dp, ClawTheme.colors.border),
-  ) {
-    Column(modifier = Modifier.padding(16.dp), verticalArrangement = Arrangement.spacedBy(14.dp)) {
-      Row(verticalAlignment = Alignment.CenterVertically, horizontalArrangement = Arrangement.spacedBy(12.dp)) {
-        IconBox(icon = icon)
-        Column {
-          Text(text = title, style = ClawTheme.type.section, color = ClawTheme.colors.text)
-          Text(text = subtitle, style = ClawTheme.type.caption, color = ClawTheme.colors.textMuted)
-        }
-      }
-      content()
-    }
-  }
-}
-
-@Composable
-private fun CompactList(
-  title: String,
-  rows: List<String>,
-) {
-  Surface(
-    modifier = Modifier.fillMaxWidth(),
-    shape = RoundedCornerShape(8.dp),
-    color = ClawTheme.colors.surfaceRaised,
-    border = BorderStroke(1.dp, ClawTheme.colors.border),
-  ) {
-    Column(modifier = Modifier.padding(16.dp), verticalArrangement = Arrangement.spacedBy(12.dp)) {
-      Text(text = title, style = ClawTheme.type.section, color = ClawTheme.colors.text)
-      rows.forEach { row ->
-        Row(verticalAlignment = Alignment.CenterVertically) {
-          Box(modifier = Modifier.size(7.dp).clip(CircleShape).background(ClawTheme.colors.success))
-          Spacer(modifier = Modifier.width(10.dp))
-          Text(text = row, style = ClawTheme.type.body, color = ClawTheme.colors.textMuted)
-        }
-      }
-    }
-  }
-}
-
-@Composable
-private fun ChatBubble(
-  label: String,
-  text: String,
-  raised: Boolean = false,
-) {
-  Surface(
-    modifier = Modifier.fillMaxWidth(),
-    shape = RoundedCornerShape(8.dp),
-    color = if (raised) ClawTheme.colors.surfaceRaised else ClawTheme.colors.surface,
-    border = BorderStroke(1.dp, if (raised) ClawTheme.colors.borderStrong else ClawTheme.colors.border),
-  ) {
-    Column(modifier = Modifier.padding(16.dp), verticalArrangement = Arrangement.spacedBy(8.dp)) {
-      Text(text = label, style = ClawTheme.type.caption, color = ClawTheme.colors.textSubtle)
-      Text(text = text, style = ClawTheme.type.body, color = ClawTheme.colors.text)
-    }
-  }
-}
-
-@Composable
-private fun MetricRow(
-  label: String,
-  value: String,
-) {
-  Row(modifier = Modifier.fillMaxWidth(), horizontalArrangement = Arrangement.SpaceBetween) {
-    Text(text = label, style = ClawTheme.type.body, color = ClawTheme.colors.textMuted)
-    Text(
-      text = value,
-      style = ClawTheme.type.label,
-      color = ClawTheme.colors.text,
-      maxLines = 1,
-      overflow = TextOverflow.Ellipsis,
-    )
-  }
-}
-
-@Composable
-private fun ContextBar(
-  label: String,
-  fraction: Float,
-) {
-  Column(verticalArrangement = Arrangement.spacedBy(5.dp)) {
-    Text(text = label, style = ClawTheme.type.caption, color = ClawTheme.colors.textMuted)
-    Box(
-      modifier =
-        Modifier
-          .fillMaxWidth()
-          .height(7.dp)
-          .clip(RoundedCornerShape(4.dp))
-          .background(ClawTheme.colors.surfacePressed),
-    ) {
-      Box(
-        modifier =
-          Modifier
-            .fillMaxWidth(fraction)
-            .height(7.dp)
-            .background(ClawTheme.colors.primary),
-      )
-    }
-  }
-}
-
-@Composable
-private fun ScreenshotTabBar(activeScene: AndroidScreenshotScene) {
-  Surface(
-    modifier = Modifier.fillMaxWidth(),
-    shape = RoundedCornerShape(8.dp),
-    color = ClawTheme.colors.surface,
-    border = BorderStroke(1.dp, ClawTheme.colors.border),
-  ) {
-    Row(
-      modifier = Modifier.padding(horizontal = 10.dp, vertical = 8.dp),
-      horizontalArrangement = Arrangement.SpaceBetween,
-    ) {
-      TabIcon(icon = Icons.Default.CheckCircle, active = activeScene == AndroidScreenshotScene.Connect)
-      TabIcon(icon = Icons.Default.ChatBubble, active = activeScene == AndroidScreenshotScene.Chat)
-      TabIcon(icon = Icons.Default.Mic, active = activeScene == AndroidScreenshotScene.Voice)
-      TabIcon(icon = Icons.AutoMirrored.Filled.ScreenShare, active = activeScene == AndroidScreenshotScene.Screen)
-      TabIcon(icon = Icons.Default.Settings, active = activeScene == AndroidScreenshotScene.Settings)
-    }
-  }
-}
-
-@Composable
-private fun TabIcon(
-  icon: ImageVector,
-  active: Boolean,
-) {
-  Box(
-    modifier =
-      Modifier
-        .size(42.dp)
-        .clip(RoundedCornerShape(6.dp))
-        .background(if (active) ClawTheme.colors.surfacePressed else Color.Transparent),
-    contentAlignment = Alignment.Center,
-  ) {
-    Icon(
-      imageVector = icon,
-      contentDescription = null,
-      tint = if (active) ClawTheme.colors.text else ClawTheme.colors.textSubtle,
-      modifier = Modifier.size(20.dp),
-    )
-  }
-}
-
-@Composable
-private fun IconBox(icon: ImageVector) {
-  Box(
-    modifier =
-      Modifier
-        .size(42.dp)
-        .clip(RoundedCornerShape(8.dp))
-        .background(ClawTheme.colors.surfacePressed),
-    contentAlignment = Alignment.Center,
-  ) {
-    Icon(
-      imageVector = icon,
-      contentDescription = null,
-      tint = ClawTheme.colors.primary,
-      modifier = Modifier.size(22.dp),
-    )
-  }
-}
-
-@Composable
-private fun StatusPill(
-  label: String,
-  color: Color,
-) {
-  Surface(
-    shape = RoundedCornerShape(8.dp),
-    color = ClawTheme.colors.surfaceRaised,
-    border = BorderStroke(1.dp, ClawTheme.colors.border),
-  ) {
-    Row(
-      modifier = Modifier.padding(horizontal = 10.dp, vertical = 7.dp),
-      verticalAlignment = Alignment.CenterVertically,
-    ) {
-      Box(modifier = Modifier.size(7.dp).clip(CircleShape).background(color))
-      Spacer(modifier = Modifier.width(7.dp))
-      Text(
-        text = label,
-        style = ClawTheme.type.caption.copy(fontWeight = FontWeight.SemiBold),
-        color = color,
-      )
-    }
-  }
-}
-
-private fun sceneTitle(scene: AndroidScreenshotScene): String =
-  when (scene) {
-    AndroidScreenshotScene.Connect -> "Connect"
-    AndroidScreenshotScene.Chat -> "Chat"
-    AndroidScreenshotScene.Voice -> "Talk"
-    AndroidScreenshotScene.Screen -> "Device tools"
-    AndroidScreenshotScene.Settings -> "Settings"
-  }

apps/android/app/src/main/java/ai/openclaw/app/ui/CommandPalette.kt

@@ -297,15 +297,17 @@ private fun CommandSectionLabel(title: String) {
   }
 }
 
-internal fun providerCommandSubtitle(
+/** Builds provider quick-action metadata from current gateway/catalog state. */
+private fun providerCommandSubtitle(
   isConnected: Boolean,
   providers: List<GatewayModelProviderSummary>,
   models: List<GatewayModelSummary>,
 ): String {
-  if (!isConnected) return "Connect Gateway to view providers"
-  val readyProviderCount = providerRows(providers = providers, models = models).count { it.ready }
+  if (!isConnected) return "Connect Gateway to load models"
+  val readyProviderCount = providers.count { modelProviderReady(it.status) }
   if (readyProviderCount > 0) return "$readyProviderCount providers ready"
-  return "No ready providers"
+  if (models.isNotEmpty()) return "${models.size} models available"
+  return "Configure model access"
 }
 
 /** Falls back to the canonical main-session label when gateway display names are blank. */

apps/android/app/src/main/java/ai/openclaw/app/ui/ConnectTabScreen.kt

@@ -1,7 +1,7 @@
 package ai.openclaw.app.ui
 
-import ai.openclaw.app.GatewayConnectionProblem
 import ai.openclaw.app.MainViewModel
+import ai.openclaw.app.gateway.GatewayEndpoint
 import ai.openclaw.app.ui.mobileCardSurface
 import androidx.compose.animation.AnimatedVisibility
 import androidx.compose.foundation.BorderStroke
@@ -66,7 +66,6 @@ private enum class ConnectInputMode {
 fun ConnectTabScreen(viewModel: MainViewModel) {
   val context = LocalContext.current
   val statusText by viewModel.statusText.collectAsState()
-  val gatewayConnectionProblem by viewModel.gatewayConnectionProblem.collectAsState()
   val isConnected by viewModel.isConnected.collectAsState()
   val remoteAddress by viewModel.remoteAddress.collectAsState()
   val manualHost by viewModel.manualHost.collectAsState()
@@ -148,10 +147,13 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
       }
     }
 
-  val showDiagnostics = !isConnected && (gatewayConnectionProblem != null || gatewayStatusHasDiagnostics(statusText))
-  val pairingRequired = !isConnected && (gatewayConnectionProblem?.isPairingRequired == true || gatewayStatusLooksLikePairing(statusText))
-  val pairingInstruction = gatewayPairingInstruction(gatewayConnectionProblem)
-  val statusLabel = gatewayStatusForDisplay(gatewayConnectionProblem?.message ?: statusText)
+  val showDiagnostics = !isConnected && gatewayStatusHasDiagnostics(statusText)
+  val pairingRequired = !isConnected && gatewayStatusLooksLikePairing(statusText)
+  val statusLabel = gatewayStatusForDisplay(statusText)
+
+  PairingAutoRetryEffect(enabled = pairingRequired) {
+    viewModel.refreshGatewayConnection()
+  }
 
   Column(
     modifier = Modifier.verticalScroll(rememberScrollState()).padding(horizontal = 20.dp, vertical = 16.dp),
@@ -289,14 +291,27 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
           }
 
           validationText = null
-          viewModel.saveGatewayConfigAndConnect(
-            host = config.host,
-            port = config.port,
-            tls = config.tls,
-            token = config.token,
-            bootstrapToken = config.bootstrapToken,
-            password = config.password,
-            resetSetupAuth = inputMode == ConnectInputMode.SetupCode,
+          if (inputMode == ConnectInputMode.SetupCode) {
+            // Setup-code auth should replace old bootstrap/shared credentials;
+            // manual reconnects keep existing typed credentials.
+            viewModel.resetGatewaySetupAuth()
+          }
+          viewModel.setManualEnabled(true)
+          viewModel.setManualHost(config.host)
+          viewModel.setManualPort(config.port)
+          viewModel.setManualTls(config.tls)
+          viewModel.setGatewayBootstrapToken(config.bootstrapToken)
+          if (config.token.isNotBlank()) {
+            viewModel.setGatewayToken(config.token)
+          } else if (config.bootstrapToken.isNotBlank()) {
+            viewModel.setGatewayToken("")
+          }
+          viewModel.setGatewayPassword(config.password)
+          viewModel.connect(
+            GatewayEndpoint.manual(host = config.host, port = config.port),
+            token = config.token.ifEmpty { null },
+            bootstrapToken = config.bootstrapToken.ifEmpty { null },
+            password = config.password.ifEmpty { null },
           )
         },
         modifier = Modifier.fillMaxWidth().height(52.dp),
@@ -326,7 +341,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
           Text(statusLabel, style = mobileBody.copy(fontFamily = FontFamily.Monospace), color = mobileText)
           if (pairingRequired) {
             Text(
-              pairingInstruction,
+              "Approve this phone on the gateway. OpenClaw retries automatically while this screen stays open.",
               style = mobileCallout,
               color = mobileTextSecondary,
             )
@@ -575,13 +590,6 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
   }
 }
 
-private fun gatewayPairingInstruction(problem: GatewayConnectionProblem?): String =
-  if (problem?.canAutoRetry == true) {
-    "Approve this phone on the gateway. OpenClaw will reconnect automatically."
-  } else {
-    "Approve this phone on the gateway, then retry the connection."
-  }
-
 @Composable
 private fun MethodChip(
   label: String,

apps/android/app/src/main/java/ai/openclaw/app/ui/GatewayPairingRetry.kt

@@ -0,0 +1,53 @@
+package ai.openclaw.app.ui
+
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.DisposableEffect
+import androidx.compose.runtime.LaunchedEffect
+import androidx.compose.runtime.getValue
+import androidx.compose.runtime.mutableStateOf
+import androidx.compose.runtime.remember
+import androidx.compose.runtime.setValue
+import androidx.lifecycle.Lifecycle
+import androidx.lifecycle.LifecycleEventObserver
+import androidx.lifecycle.compose.LocalLifecycleOwner
+import kotlinx.coroutines.delay
+
+internal const val PAIRING_INITIAL_AUTO_RETRY_MS = 1_500L
+internal const val PAIRING_AUTO_RETRY_MS = 4_000L
+
+/** Retries pairing-only gateway refreshes while the screen is visible and started. */
+@Composable
+internal fun PairingAutoRetryEffect(
+  enabled: Boolean,
+  onRetry: () -> Unit,
+) {
+  val lifecycleOwner = LocalLifecycleOwner.current
+  var lifecycleStarted by
+    remember(lifecycleOwner) {
+      mutableStateOf(lifecycleOwner.lifecycle.currentState.isAtLeast(Lifecycle.State.STARTED))
+    }
+
+  DisposableEffect(lifecycleOwner) {
+    val observer =
+      LifecycleEventObserver { _, _ ->
+        lifecycleStarted = lifecycleOwner.lifecycle.currentState.isAtLeast(Lifecycle.State.STARTED)
+      }
+    lifecycleOwner.lifecycle.addObserver(observer)
+    onDispose {
+      lifecycleOwner.lifecycle.removeObserver(observer)
+    }
+  }
+
+  LaunchedEffect(enabled, lifecycleStarted) {
+    if (!enabled || !lifecycleStarted) {
+      return@LaunchedEffect
+    }
+    // Give the gateway a short settling window before the first retry so an
+    // approval response is not immediately chased by a redundant reconnect.
+    delay(PAIRING_INITIAL_AUTO_RETRY_MS)
+    while (true) {
+      onRetry()
+      delay(PAIRING_AUTO_RETRY_MS)
+    }
+  }
+}

apps/android/app/src/main/java/ai/openclaw/app/ui/MobileUiTokens.kt

@@ -41,27 +41,27 @@ internal data class MobileColors(
 
 internal fun lightMobileColors() =
   MobileColors(
-    surface = Color(0xFFFAFBFC),
-    surfaceStrong = Color(0xFFEFF3F8),
+    surface = Color(0xFFF6F7FA),
+    surfaceStrong = Color(0xFFECEEF3),
     cardSurface = Color(0xFFFFFFFF),
-    border = Color(0xFFDDE3EC),
-    borderStrong = Color(0xFFC7D0DC),
-    text = Color(0xFF16181D),
-    textSecondary = Color(0xFF505B6A),
-    textTertiary = Color(0xFF8E98A7),
-    accent = Color(0xFF1B5ACB),
-    accentSoft = Color(0xFFEAF2FF),
-    accentBorderStrong = Color(0xFF174CA9),
-    success = Color(0xFF287F52),
-    successSoft = Color(0xFFEAF7F0),
-    warning = Color(0xFFAF7418),
-    warningSoft = Color(0xFFFFF4DF),
-    danger = Color(0xFFC94343),
-    dangerSoft = Color(0xFFFFECEC),
-    codeBg = Color(0xFFEFF3F8),
-    codeText = Color(0xFF172033),
-    codeBorder = Color(0xFFD7DDE7),
-    codeAccent = Color(0xFF287F52),
+    border = Color(0xFFE5E7EC),
+    borderStrong = Color(0xFFD6DAE2),
+    text = Color(0xFF17181C),
+    textSecondary = Color(0xFF5D6472),
+    textTertiary = Color(0xFF99A0AE),
+    accent = Color(0xFF1D5DD8),
+    accentSoft = Color(0xFFECF3FF),
+    accentBorderStrong = Color(0xFF184DAF),
+    success = Color(0xFF2F8C5A),
+    successSoft = Color(0xFFEEF9F3),
+    warning = Color(0xFFC8841A),
+    warningSoft = Color(0xFFFFF8EC),
+    danger = Color(0xFFD04B4B),
+    dangerSoft = Color(0xFFFFF2F2),
+    codeBg = Color(0xFF15171B),
+    codeText = Color(0xFFE8EAEE),
+    codeBorder = Color(0xFF2B2E35),
+    codeAccent = Color(0xFF3FC97A),
     chipBorderConnected = Color(0xFFCFEBD8),
     chipBorderConnecting = Color(0xFFD5E2FA),
     chipBorderWarning = Color(0xFFEED8B8),

apps/android/app/src/main/java/ai/openclaw/app/ui/NodesDevicesSettingsScreen.kt

@@ -1,7 +1,6 @@
 package ai.openclaw.app.ui
 
 import ai.openclaw.app.GatewayDeviceTokenSummary
-import ai.openclaw.app.GatewayNodeApprovalState
 import ai.openclaw.app.GatewayNodeSummary
 import ai.openclaw.app.GatewayNodesDevicesSummary
 import ai.openclaw.app.GatewayPairedDeviceSummary
@@ -156,8 +155,8 @@ private fun NodeRow(node: GatewayNodeSummary) {
     badge = nodeBadge(node.displayName ?: node.id),
     title = node.displayName ?: node.id,
     subtitle = nodeSubtitle(node),
-    statusText = nodeStatusText(node),
-    status = nodeStatus(node),
+    statusText = if (node.connected) "Online" else "Offline",
+    status = if (node.connected) ClawStatus.Success else ClawStatus.Warning,
   )
 }
 
@@ -206,46 +205,14 @@ private fun nodeSubtitle(node: GatewayNodeSummary): String {
   val kind = node.deviceFamily ?: "Node host"
   val version = node.version?.let { "OpenClaw $it" }
   val status = if (node.paired) "Paired" else "Unpaired"
-  val approval = nodeApprovalSubtitle(node.approvalState)
   val commands =
     node.commands
       .take(2)
       .joinToString(", ")
       .takeIf { it.isNotBlank() }
-  return listOfNotNull(kind, version, status, approval, commands).joinToString(" · ")
+  return listOfNotNull(kind, version, status, commands).joinToString(" · ")
 }
 
-private fun nodeStatusText(node: GatewayNodeSummary): String =
-  when (node.approvalState) {
-    GatewayNodeApprovalState.PendingApproval -> "Needs approval"
-    GatewayNodeApprovalState.PendingReapproval -> "Needs reapproval"
-    GatewayNodeApprovalState.Unapproved -> "Unapproved"
-    else -> if (node.connected) "Online" else "Offline"
-  }
-
-private fun nodeStatus(node: GatewayNodeSummary): ClawStatus =
-  when (node.approvalState) {
-    GatewayNodeApprovalState.Approved -> if (node.connected) ClawStatus.Success else ClawStatus.Warning
-    GatewayNodeApprovalState.PendingApproval,
-    GatewayNodeApprovalState.PendingReapproval,
-    GatewayNodeApprovalState.Unapproved,
-    -> ClawStatus.Warning
-    GatewayNodeApprovalState.Loading,
-    GatewayNodeApprovalState.Unsupported,
-    -> if (node.connected) ClawStatus.Neutral else ClawStatus.Warning
-  }
-
-private fun nodeApprovalSubtitle(approvalState: GatewayNodeApprovalState): String? =
-  when (approvalState) {
-    GatewayNodeApprovalState.Approved -> "Approved"
-    GatewayNodeApprovalState.PendingApproval -> "Capability approval pending"
-    GatewayNodeApprovalState.PendingReapproval -> "Capability reapproval pending"
-    GatewayNodeApprovalState.Unapproved -> "Capability unapproved"
-    GatewayNodeApprovalState.Loading,
-    GatewayNodeApprovalState.Unsupported,
-    -> null
-  }
-
 private fun pendingDeviceSubtitle(device: GatewayPendingDeviceSummary): String {
   val roles = formatDeviceList(device.roles, "role")
   val scopes = formatDeviceList(device.scopes, "scope")

apps/android/app/src/main/java/ai/openclaw/app/ui/OnboardingFlow.kt

@@ -1,11 +1,9 @@
 package ai.openclaw.app.ui
 
-import ai.openclaw.app.GatewayConnectionProblem
-import ai.openclaw.app.GatewayNodeApprovalState
 import ai.openclaw.app.LocationMode
 import ai.openclaw.app.MainViewModel
-import ai.openclaw.app.R
 import ai.openclaw.app.SensitiveFeatureConfig
+import ai.openclaw.app.gateway.GatewayEndpoint
 import ai.openclaw.app.node.DeviceNotificationListenerService
 import ai.openclaw.app.ui.design.ClawDesignTheme
 import ai.openclaw.app.ui.design.ClawErrorState
@@ -33,31 +31,24 @@ import androidx.activity.compose.rememberLauncherForActivityResult
 import androidx.activity.result.contract.ActivityResultContracts
 import androidx.compose.foundation.BorderStroke
 import androidx.compose.foundation.Canvas
-import androidx.compose.foundation.Image
-import androidx.compose.foundation.background
-import androidx.compose.foundation.isSystemInDarkTheme
 import androidx.compose.foundation.layout.Arrangement
 import androidx.compose.foundation.layout.Box
 import androidx.compose.foundation.layout.Column
 import androidx.compose.foundation.layout.PaddingValues
 import androidx.compose.foundation.layout.Row
 import androidx.compose.foundation.layout.Spacer
-import androidx.compose.foundation.layout.WindowInsets
 import androidx.compose.foundation.layout.fillMaxSize
 import androidx.compose.foundation.layout.fillMaxWidth
 import androidx.compose.foundation.layout.height
 import androidx.compose.foundation.layout.heightIn
 import androidx.compose.foundation.layout.imePadding
 import androidx.compose.foundation.layout.padding
-import androidx.compose.foundation.layout.safeDrawing
 import androidx.compose.foundation.layout.size
 import androidx.compose.foundation.layout.width
-import androidx.compose.foundation.layout.windowInsetsPadding
 import androidx.compose.foundation.lazy.LazyColumn
 import androidx.compose.foundation.lazy.items
 import androidx.compose.foundation.shape.CircleShape
 import androidx.compose.foundation.shape.RoundedCornerShape
-import androidx.compose.foundation.text.selection.SelectionContainer
 import androidx.compose.material.icons.Icons
 import androidx.compose.material.icons.automirrored.filled.ArrowBack
 import androidx.compose.material.icons.automirrored.filled.KeyboardArrowRight
@@ -97,13 +88,10 @@ import androidx.compose.runtime.saveable.rememberSaveable
 import androidx.compose.runtime.setValue
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
-import androidx.compose.ui.graphics.Brush
 import androidx.compose.ui.graphics.Color
 import androidx.compose.ui.graphics.drawscope.Stroke
 import androidx.compose.ui.graphics.vector.ImageVector
 import androidx.compose.ui.platform.LocalContext
-import androidx.compose.ui.res.painterResource
-import androidx.compose.ui.text.font.FontFamily
 import androidx.compose.ui.text.font.FontWeight
 import androidx.compose.ui.text.style.TextAlign
 import androidx.compose.ui.unit.dp
@@ -132,29 +120,18 @@ fun OnboardingFlow(
   viewModel: MainViewModel,
   modifier: Modifier = Modifier,
 ) {
-  val appearanceThemeMode by viewModel.appearanceThemeMode.collectAsState()
-  val onboardingDark = appearanceThemeMode.isDark(systemDark = isSystemInDarkTheme())
-  ClawDesignTheme(dark = onboardingDark) {
+  ClawDesignTheme {
     val context = LocalContext.current
     val statusText by viewModel.statusText.collectAsState()
-    val gatewayConnectionProblem by viewModel.gatewayConnectionProblem.collectAsState()
     val isConnected by viewModel.isConnected.collectAsState()
     val isNodeConnected by viewModel.isNodeConnected.collectAsState()
-    val nodeCapabilityApprovalState by viewModel.nodeCapabilityApprovalState.collectAsState()
-    val runtimeInitialized by viewModel.runtimeInitialized.collectAsState()
     val serverName by viewModel.serverName.collectAsState()
     val remoteAddress by viewModel.remoteAddress.collectAsState()
     val gateways by viewModel.gateways.collectAsState()
-    val discoveryStatusText by viewModel.discoveryStatusText.collectAsState()
     val savedToken by viewModel.gatewayToken.collectAsState()
     val pendingTrust by viewModel.pendingGatewayTrust.collectAsState()
     val startAtGatewaySetup by viewModel.startOnboardingAtGatewaySetup.collectAsState()
-    val ready =
-      canFinishOnboarding(
-        isConnected = isConnected,
-        isNodeConnected = isNodeConnected,
-        nodeCapabilityApprovalState = nodeCapabilityApprovalState,
-      )
+    val ready = canFinishOnboarding(isConnected = isConnected, isNodeConnected = isNodeConnected)
 
     var step by rememberSaveable { mutableStateOf(OnboardingStep.Welcome) }
     var setupCode by rememberSaveable { mutableStateOf("") }
@@ -165,12 +142,9 @@ fun OnboardingFlow(
     var password by rememberSaveable { mutableStateOf("") }
     var setupError by rememberSaveable { mutableStateOf<String?>(null) }
     var attemptedConnect by rememberSaveable { mutableStateOf(false) }
-    var attemptedGatewayName by rememberSaveable { mutableStateOf<String?>(null) }
     var connectAttemptStartedAtMs by rememberSaveable { mutableLongStateOf(0L) }
     var recoveryNowMs by remember { mutableLongStateOf(SystemClock.elapsedRealtime()) }
 
-    OpenClawSystemBarAppearance(lightAppearance = !onboardingDark && step != OnboardingStep.Welcome)
-
     val qrScannerOptions =
       remember {
         GmsBarcodeScannerOptions
@@ -189,12 +163,6 @@ fun OnboardingFlow(
       }
     }
 
-    LaunchedEffect(step) {
-      if (step == OnboardingStep.Gateway) {
-        viewModel.startGatewayDiscovery()
-      }
-    }
-
     LaunchedEffect(ready, attemptedConnect) {
       if (attemptedConnect && ready) {
         step = OnboardingStep.Permissions
@@ -235,12 +203,10 @@ fun OnboardingFlow(
 
     when (step) {
       OnboardingStep.Welcome ->
-        ClawDesignTheme(dark = true) {
-          WelcomeScreen(
-            modifier = modifier,
-            onConnect = { step = OnboardingStep.Gateway },
-          )
-        }
+        WelcomeScreen(
+          modifier = modifier,
+          onConnect = { step = OnboardingStep.Gateway },
+        )
       OnboardingStep.Gateway ->
         GatewaySetupScreen(
           modifier = modifier,
@@ -251,8 +217,6 @@ fun OnboardingFlow(
           token = token,
           password = password,
           nearbyGatewayName = gateways.firstOrNull()?.name,
-          discoveryStatusText = discoveryStatusText,
-          discoveryStarted = runtimeInitialized,
           error = setupError,
           onBack = { step = OnboardingStep.Welcome },
           onScan = {
@@ -289,10 +253,8 @@ fun OnboardingFlow(
           onPasswordChange = { password = it },
           onUseNearby = {
             val endpoint = gateways.firstOrNull() ?: return@GatewaySetupScreen
-            attemptedGatewayName = endpoint.name
             attemptedConnect = true
-            connectAttemptStartedAtMs = SystemClock.elapsedRealtime()
-            viewModel.connectInBackground(endpoint)
+            viewModel.connect(endpoint)
             step = OnboardingStep.Recovery
           },
           onPair = {
@@ -311,17 +273,23 @@ fun OnboardingFlow(
             }
 
             setupError = null
-            attemptedGatewayName = null
             attemptedConnect = true
             connectAttemptStartedAtMs = SystemClock.elapsedRealtime()
-            viewModel.saveGatewayConfigAndConnect(
-              host = config.host,
-              port = config.port,
-              tls = config.tls,
-              token = config.token,
-              bootstrapToken = config.bootstrapToken,
-              password = config.password,
-              resetSetupAuth = true,
+            // Setup-code pairing replaces any stale shared credentials before
+            // the bootstrap token is stored for the first authenticated connect.
+            viewModel.resetGatewaySetupAuth()
+            viewModel.setManualEnabled(true)
+            viewModel.setManualHost(config.host)
+            viewModel.setManualPort(config.port)
+            viewModel.setManualTls(config.tls)
+            viewModel.setGatewayBootstrapToken(config.bootstrapToken)
+            viewModel.setGatewayToken(config.token)
+            viewModel.setGatewayPassword(config.password)
+            viewModel.connect(
+              GatewayEndpoint.manual(host = config.host, port = config.port),
+              token = config.token.ifEmpty { null },
+              bootstrapToken = config.bootstrapToken.ifEmpty { null },
+              password = config.password.ifEmpty { null },
             )
             step = OnboardingStep.Recovery
           },
@@ -331,12 +299,11 @@ fun OnboardingFlow(
           modifier = modifier,
           statusText = statusText,
           serverName = serverName,
-          attemptedGatewayName = attemptedGatewayName,
           remoteAddress = remoteAddress,
           ready = ready,
-          nodeCapabilityApprovalState = nodeCapabilityApprovalState,
-          gatewayConnectionProblem = gatewayConnectionProblem,
+          attemptedConnect = attemptedConnect,
           connectSettling = recoveryNowMs - connectAttemptStartedAtMs < GATEWAY_CONNECT_SETTLING_MS,
+          onAutoRetry = viewModel::refreshGatewayConnection,
           onBack = { step = OnboardingStep.Gateway },
           onRetry = {
             attemptedConnect = true
@@ -350,14 +317,11 @@ fun OnboardingFlow(
                 token = token,
                 password = password,
               ) ?: return@GatewayRecoveryScreen
-            viewModel.saveGatewayConfigAndConnect(
-              host = config.host,
-              port = config.port,
-              tls = config.tls,
-              token = config.token,
-              bootstrapToken = config.bootstrapToken,
-              password = config.password,
-              resetSetupAuth = false,
+            viewModel.connect(
+              GatewayEndpoint.manual(host = config.host, port = config.port),
+              token = config.token.ifEmpty { null },
+              bootstrapToken = config.bootstrapToken.ifEmpty { null },
+              password = config.password.ifEmpty { null },
             )
           },
           onEdit = { step = OnboardingStep.Gateway },
@@ -382,39 +346,20 @@ private fun WelcomeScreen(
   onConnect: () -> Unit,
   modifier: Modifier = Modifier,
 ) {
-  val welcomeBackground =
-    Brush.verticalGradient(
-      colors =
-        listOf(
-          Color(0xFFFF4D4D),
-          Color(0xFFD73332),
-          Color(0xFF991B1B),
-          Color(0xFF260707),
-        ),
-    )
-
-  Box(
-    modifier =
-      modifier
-        .fillMaxSize()
-        .background(welcomeBackground)
-        .windowInsetsPadding(WindowInsets.safeDrawing)
-        .padding(horizontal = 24.dp, vertical = 18.dp),
-  ) {
+  ClawScaffold(modifier = modifier, contentPadding = PaddingValues(horizontal = 24.dp, vertical = 18.dp)) {
     Column(
       modifier = Modifier.fillMaxSize(),
       horizontalAlignment = Alignment.CenterHorizontally,
     ) {
       Spacer(modifier = Modifier.height(96.dp))
       Column(horizontalAlignment = Alignment.CenterHorizontally, verticalArrangement = Arrangement.spacedBy(18.dp)) {
-        WelcomeLogo()
         Text(
           text = "OPENCLAW",
           style = ClawTheme.type.display.copy(fontSize = 34.sp, lineHeight = 38.sp, fontWeight = FontWeight.Black),
           color = ClawTheme.colors.text,
         )
         Text(
-          text = "Your personal AI assistant.\nExfoliate! Exfoliate!",
+          text = "Your AI command center.\nPrivate. Local. Under your control.",
           style = ClawTheme.type.section,
           color = ClawTheme.colors.text,
           textAlign = TextAlign.Center,
@@ -425,26 +370,19 @@ private fun WelcomeScreen(
       Spacer(modifier = Modifier.height(30.dp))
       Column(modifier = Modifier.fillMaxWidth(), verticalArrangement = Arrangement.spacedBy(10.dp)) {
         HeroPrimaryAction(title = "Connect Gateway", onClick = onConnect)
+        OutlinedAction(title = "Enter setup code", icon = Icons.AutoMirrored.Filled.KeyboardArrowRight, onClick = onConnect)
+        Surface(onClick = onConnect, color = Color.Transparent, contentColor = ClawTheme.colors.text) {
+          Row(modifier = Modifier.fillMaxWidth(), horizontalArrangement = Arrangement.Center) {
+            Text(text = "Already have a setup?  ", style = ClawTheme.type.body, color = ClawTheme.colors.textMuted)
+            Text(text = "Sign in", style = ClawTheme.type.body.copy(fontWeight = FontWeight.SemiBold), color = ClawTheme.colors.text)
+          }
+        }
       }
       Spacer(modifier = Modifier.height(104.dp))
     }
   }
 }
 
-@Composable
-private fun WelcomeLogo() {
-  Surface(
-    modifier = Modifier.size(82.dp),
-    shape = CircleShape,
-    color = Color.White.copy(alpha = 0.92f),
-    contentColor = Color.Unspecified,
-  ) {
-    Box(modifier = Modifier.fillMaxSize().padding(12.dp), contentAlignment = Alignment.Center) {
-      Image(painter = painterResource(id = R.drawable.openclaw_logo), contentDescription = "OpenClaw logo", modifier = Modifier.fillMaxSize())
-    }
-  }
-}
-
 @Composable
 private fun WelcomeHorizon() {
   Canvas(modifier = Modifier.fillMaxWidth().height(120.dp)) {
@@ -490,8 +428,6 @@ private fun GatewaySetupScreen(
   token: String,
   password: String,
   nearbyGatewayName: String?,
-  discoveryStatusText: String,
-  discoveryStarted: Boolean,
   error: String?,
   onBack: () -> Unit,
   onScan: () -> Unit,
@@ -506,29 +442,6 @@ private fun GatewaySetupScreen(
   modifier: Modifier = Modifier,
 ) {
   var advancedOpen by rememberSaveable { mutableStateOf(false) }
-  var nearbySearchTimedOut by remember { mutableStateOf(false) }
-
-  LaunchedEffect(nearbyGatewayName, discoveryStatusText, discoveryStarted) {
-    if (!nearbyGatewayName.isNullOrBlank()) {
-      nearbySearchTimedOut = false
-      return@LaunchedEffect
-    }
-    if (!discoveryStarted) {
-      nearbySearchTimedOut = false
-      return@LaunchedEffect
-    }
-    nearbySearchTimedOut = false
-    delay(5_000)
-    nearbySearchTimedOut = true
-  }
-
-  val nearbyGateway =
-    nearbyGatewayUiState(
-      nearbyGatewayName = nearbyGatewayName,
-      discoveryStatusText = discoveryStatusText,
-      discoveryStarted = discoveryStarted,
-      searchTimedOut = nearbySearchTimedOut,
-    )
 
   ClawScaffold(modifier = modifier, contentPadding = PaddingValues(horizontal = 18.dp, vertical = 16.dp)) {
     Column(modifier = Modifier.fillMaxSize().imePadding(), verticalArrangement = Arrangement.SpaceBetween) {
@@ -548,9 +461,9 @@ private fun GatewaySetupScreen(
           GatewayOption(
             icon = Icons.Default.WifiTethering,
             title = "Nearby gateway",
-            subtitle = nearbyGateway.subtitle,
-            status = nearbyGateway.status,
-            onClick = onUseNearby.takeIf { nearbyGateway.canConnect },
+            subtitle = nearbyGatewayName ?: "Discovery ready",
+            status = nearbyGatewayName?.let { "Found" },
+            onClick = onUseNearby,
           )
         }
         item {
@@ -614,27 +527,20 @@ private fun GatewaySetupScreen(
 private fun GatewayRecoveryScreen(
   statusText: String,
   serverName: String?,
-  attemptedGatewayName: String?,
   remoteAddress: String?,
   ready: Boolean,
-  nodeCapabilityApprovalState: GatewayNodeApprovalState,
-  gatewayConnectionProblem: GatewayConnectionProblem?,
+  attemptedConnect: Boolean,
   connectSettling: Boolean,
+  onAutoRetry: () -> Unit,
   onBack: () -> Unit,
   onRetry: () -> Unit,
   onEdit: () -> Unit,
   onContinue: () -> Unit,
   modifier: Modifier = Modifier,
 ) {
-  val recoveryState =
-    gatewayRecoveryUiState(
-      ready = ready,
-      statusText = statusText,
-      connectSettling = connectSettling,
-      nodeCapabilityApprovalState = nodeCapabilityApprovalState,
-      gatewayConnectionProblem = gatewayConnectionProblem,
-    )
+  val recoveryState = gatewayRecoveryUiState(ready = ready, statusText = statusText, connectSettling = connectSettling)
   val context = LocalContext.current
+  PairingAutoRetryEffect(enabled = recoveryState.canAutoRetry && attemptedConnect, onRetry = onAutoRetry)
 
   ClawScaffold(modifier = modifier, contentPadding = PaddingValues(horizontal = 18.dp, vertical = 16.dp)) {
     Column(modifier = Modifier.fillMaxSize(), verticalArrangement = Arrangement.spacedBy(18.dp)) {
@@ -645,8 +551,6 @@ private fun GatewayRecoveryScreen(
           imageVector =
             when (recoveryState) {
               GatewayRecoveryUiState.Connected -> Icons.Default.CheckCircle
-              GatewayRecoveryUiState.NodeCapabilityApprovalPending -> Icons.Default.WifiTethering
-              GatewayRecoveryUiState.ApprovalRequired -> Icons.Default.WifiTethering
               GatewayRecoveryUiState.Pairing -> Icons.Default.WifiTethering
               GatewayRecoveryUiState.Finishing -> Icons.Default.WifiTethering
               GatewayRecoveryUiState.Failed -> Icons.Default.ErrorOutline
@@ -656,8 +560,6 @@ private fun GatewayRecoveryScreen(
           tint =
             when (recoveryState) {
               GatewayRecoveryUiState.Connected -> ClawTheme.colors.success
-              GatewayRecoveryUiState.NodeCapabilityApprovalPending -> ClawTheme.colors.warning
-              GatewayRecoveryUiState.ApprovalRequired -> ClawTheme.colors.warning
               GatewayRecoveryUiState.Pairing -> ClawTheme.colors.text
               GatewayRecoveryUiState.Finishing -> ClawTheme.colors.text
               GatewayRecoveryUiState.Failed -> ClawTheme.colors.warning
@@ -675,28 +577,12 @@ private fun GatewayRecoveryScreen(
       ClawPanel {
         Column(verticalArrangement = Arrangement.spacedBy(10.dp)) {
           Text(text = "Last gateway", style = ClawTheme.type.caption, color = ClawTheme.colors.textMuted)
-          Text(text = recoveryGatewayName(serverName = serverName, attemptedGatewayName = attemptedGatewayName), style = ClawTheme.type.section, color = ClawTheme.colors.text)
-          Text(
-            text =
-              recoveryGatewayDetail(
-                ready = ready,
-                remoteAddress = remoteAddress,
-                statusText = statusText,
-                nodeCapabilityApprovalState = nodeCapabilityApprovalState,
-                gatewayConnectionProblem = gatewayConnectionProblem,
-              ),
-            style = ClawTheme.type.body,
-            color = ClawTheme.colors.textMuted,
-          )
-          recoveryGatewayApprovalCommand(gatewayConnectionProblem)?.let { command ->
-            ApprovalCommandBlock(command = command, onCopy = { copyApprovalCommand(context, command) })
-          }
+          Text(text = serverName?.takeIf { it.isNotBlank() } ?: "Home Gateway", style = ClawTheme.type.section, color = ClawTheme.colors.text)
+          Text(text = recoveryGatewayDetail(ready = ready, remoteAddress = remoteAddress, statusText = statusText), style = ClawTheme.type.body, color = ClawTheme.colors.textMuted)
           ClawStatusPill(
             text =
               when (recoveryState) {
                 GatewayRecoveryUiState.Connected -> "Healthy"
-                GatewayRecoveryUiState.NodeCapabilityApprovalPending -> "Node approval"
-                GatewayRecoveryUiState.ApprovalRequired -> "Needs approval"
                 GatewayRecoveryUiState.Pairing -> "Pairing"
                 GatewayRecoveryUiState.Finishing -> "Connecting"
                 GatewayRecoveryUiState.Failed -> "Needs attention"
@@ -704,8 +590,6 @@ private fun GatewayRecoveryScreen(
             status =
               when (recoveryState) {
                 GatewayRecoveryUiState.Connected -> ClawStatus.Success
-                GatewayRecoveryUiState.NodeCapabilityApprovalPending -> ClawStatus.Warning
-                GatewayRecoveryUiState.ApprovalRequired -> ClawStatus.Warning
                 GatewayRecoveryUiState.Pairing -> ClawStatus.Neutral
                 GatewayRecoveryUiState.Finishing -> ClawStatus.Neutral
                 GatewayRecoveryUiState.Failed -> ClawStatus.Warning
@@ -722,42 +606,7 @@ private fun GatewayRecoveryScreen(
           modifier = Modifier.fillMaxWidth(),
         )
         OutlinedAction(title = "Edit connection", icon = Icons.Default.Edit, onClick = onEdit)
-        OutlinedAction(title = "Copy diagnostic", icon = Icons.Default.ContentCopy, onClick = { copyGatewayDiagnostic(context, statusText, serverName, remoteAddress, ready, gatewayConnectionProblem) })
-      }
-    }
-  }
-}
-
-@Composable
-private fun ApprovalCommandBlock(
-  command: String,
-  onCopy: () -> Unit,
-) {
-  Surface(
-    modifier = Modifier.fillMaxWidth(),
-    shape = RoundedCornerShape(8.dp),
-    color = ClawTheme.colors.surfacePressed,
-    border = BorderStroke(1.dp, ClawTheme.colors.border),
-  ) {
-    Row(
-      modifier = Modifier.fillMaxWidth().padding(start = 12.dp, end = 6.dp, top = 8.dp, bottom = 8.dp),
-      verticalAlignment = Alignment.CenterVertically,
-      horizontalArrangement = Arrangement.spacedBy(8.dp),
-    ) {
-      SelectionContainer(modifier = Modifier.weight(1f)) {
-        Text(text = command, style = ClawTheme.type.body.copy(fontFamily = FontFamily.Monospace), color = ClawTheme.colors.text)
-      }
-      Surface(
-        onClick = onCopy,
-        modifier = Modifier.size(36.dp),
-        shape = RoundedCornerShape(8.dp),
-        color = ClawTheme.colors.surfaceRaised,
-        contentColor = ClawTheme.colors.text,
-        border = BorderStroke(1.dp, ClawTheme.colors.border),
-      ) {
-        Box(contentAlignment = Alignment.Center) {
-          Icon(imageVector = Icons.Default.ContentCopy, contentDescription = "Copy approval command", modifier = Modifier.size(18.dp))
-        }
+        OutlinedAction(title = "Copy diagnostic", icon = Icons.Default.ContentCopy, onClick = { copyGatewayDiagnostic(context, statusText, serverName, remoteAddress, ready) })
       }
     }
   }
@@ -854,7 +703,7 @@ private fun GatewayOption(
   icon: ImageVector,
   title: String,
   subtitle: String,
-  onClick: (() -> Unit)?,
+  onClick: () -> Unit,
   status: String? = null,
 ) {
   ClawPanel(contentPadding = PaddingValues(horizontal = 12.dp, vertical = 8.dp)) {
@@ -863,12 +712,9 @@ private fun GatewayOption(
       subtitle = subtitle,
       metadata = status,
       leading = { Icon(imageVector = icon, contentDescription = null, modifier = Modifier.size(22.dp), tint = ClawTheme.colors.text) },
-      trailing =
-        onClick?.let {
-          {
-            Icon(imageVector = Icons.AutoMirrored.Filled.KeyboardArrowRight, contentDescription = "Open $title", modifier = Modifier.size(20.dp), tint = ClawTheme.colors.text)
-          }
-        },
+      trailing = {
+        Icon(imageVector = Icons.AutoMirrored.Filled.KeyboardArrowRight, contentDescription = "Open $title", modifier = Modifier.size(20.dp), tint = ClawTheme.colors.text)
+      },
       onClick = onClick,
     )
   }
@@ -1044,89 +890,38 @@ private fun PermissionContinueButton(onClick: () -> Unit) {
 internal enum class GatewayRecoveryUiState(
   val title: String,
   val message: String,
+  val canAutoRetry: Boolean,
 ) {
   Connected(
     title = "Connected",
     message = "Your Gateway is ready.",
-  ),
-  ApprovalRequired(
-    title = "Pairing Gateway",
-    message = "Approve this phone on the gateway.\nThen retry the connection.",
-  ),
-  NodeCapabilityApprovalPending(
-    title = "Node Approval Pending",
-    message = "Gateway pairing worked.\nApprove this phone's node capabilities from an operator UI.",
+    canAutoRetry = false,
   ),
   Pairing(
     title = "Pairing Gateway",
     message = "Approval is in progress.\nOpenClaw will reconnect automatically.",
+    canAutoRetry = true,
   ),
   Finishing(
-    title = "Connecting Gateway",
-    message = "OpenClaw is checking gateway and node access.",
+    title = "Finishing Setup",
+    message = "Gateway approved this phone.\nOpenClaw is bringing the node online.",
+    canAutoRetry = true,
   ),
   Failed(
     title = "Connection issue",
     message = "We could not reach your Gateway.\nLet's fix this.",
+    canAutoRetry = false,
   ),
 }
 
-internal data class NearbyGatewayUiState(
-  val subtitle: String,
-  val status: String?,
-  val canConnect: Boolean,
-)
-
-/** Maps best-effort discovery into row copy and clickability for onboarding. */
-internal fun nearbyGatewayUiState(
-  nearbyGatewayName: String?,
-  discoveryStatusText: String,
-  discoveryStarted: Boolean = true,
-  searchTimedOut: Boolean = false,
-): NearbyGatewayUiState {
-  val name = nearbyGatewayName?.trim().takeUnless { it.isNullOrEmpty() }
-  if (name != null) {
-    return NearbyGatewayUiState(subtitle = name, status = "Found", canConnect = true)
-  }
-  if (!discoveryStarted) {
-    return NearbyGatewayUiState(subtitle = "Starting discovery...", status = "Starting", canConnect = false)
-  }
-
-  val status = discoveryStatusText.trim()
-  val searching =
-    status.isEmpty() ||
-      status.equals("Searching…", ignoreCase = true) ||
-      status.contains("Searching", ignoreCase = true) ||
-      status.endsWith("?", ignoreCase = true)
-  return if (searching) {
-    if (searchTimedOut) {
-      NearbyGatewayUiState(subtitle = "No gateway found", status = "Not found", canConnect = false)
-    } else {
-      NearbyGatewayUiState(subtitle = "Searching for gateways...", status = "Searching", canConnect = false)
-    }
-  } else {
-    NearbyGatewayUiState(subtitle = "No gateway found", status = "Not found", canConnect = false)
-  }
-}
-
 /** Derives recovery screen state from gateway/node readiness and transient status text. */
 internal fun gatewayRecoveryUiState(
   ready: Boolean,
   statusText: String,
   connectSettling: Boolean,
-  nodeCapabilityApprovalState: GatewayNodeApprovalState = GatewayNodeApprovalState.Loading,
-  gatewayConnectionProblem: GatewayConnectionProblem? = null,
 ): GatewayRecoveryUiState =
   when {
     ready -> GatewayRecoveryUiState.Connected
-    nodeCapabilityApprovalState == GatewayNodeApprovalState.PendingApproval ||
-      nodeCapabilityApprovalState == GatewayNodeApprovalState.PendingReapproval ||
-      nodeCapabilityApprovalState == GatewayNodeApprovalState.Unapproved -> GatewayRecoveryUiState.NodeCapabilityApprovalPending
-    gatewayConnectionProblem?.isPairingRequired == true &&
-      !gatewayConnectionProblem.canAutoRetry -> GatewayRecoveryUiState.ApprovalRequired
-    gatewayConnectionProblem?.isPairingRequired == true -> GatewayRecoveryUiState.Pairing
-    gatewayConnectionProblem?.pauseReconnect == true -> GatewayRecoveryUiState.Failed
-    nodeCapabilityApprovalState == GatewayNodeApprovalState.Loading -> GatewayRecoveryUiState.Finishing
     connectSettling -> GatewayRecoveryUiState.Finishing
     gatewayStatusLooksLikePairing(statusText) -> GatewayRecoveryUiState.Pairing
     gatewayStatusLooksLikePartialConnect(statusText) -> GatewayRecoveryUiState.Finishing
@@ -1139,18 +934,6 @@ internal fun gatewayStatusLooksLikePartialConnect(statusText: String): Boolean {
   return lower.contains("operator offline") || lower.contains("node offline")
 }
 
-internal fun recoveryGatewayName(
-  serverName: String?,
-  attemptedGatewayName: String?,
-): String =
-  serverName
-    ?.trim()
-    ?.takeIf { it.isNotEmpty() }
-    ?: attemptedGatewayName
-      ?.trim()
-      ?.takeIf { it.isNotEmpty() }
-    ?: "Home Gateway"
-
 private data class GatewayConfig(
   val host: String,
   val port: Int,
@@ -1210,25 +993,11 @@ private fun recoveryGatewayDetail(
   ready: Boolean,
   remoteAddress: String?,
   statusText: String,
-  nodeCapabilityApprovalState: GatewayNodeApprovalState,
-  gatewayConnectionProblem: GatewayConnectionProblem?,
 ): String =
   remoteAddress
     ?.takeIf { it.isNotBlank() }
     ?: if (ready) {
       "Ready for chat and voice"
-    } else if (
-      nodeCapabilityApprovalState == GatewayNodeApprovalState.PendingApproval ||
-      nodeCapabilityApprovalState == GatewayNodeApprovalState.PendingReapproval ||
-      nodeCapabilityApprovalState == GatewayNodeApprovalState.Unapproved
-    ) {
-      "Gateway paired. Waiting for node capability approval."
-    } else if (nodeCapabilityApprovalState == GatewayNodeApprovalState.Loading) {
-      "Gateway paired. Checking node capability approval."
-    } else if (gatewayConnectionProblem?.isPairingRequired == true && !gatewayConnectionProblem.canAutoRetry) {
-      recoveryGatewayApprovalCommand(gatewayConnectionProblem)
-        ?.let { "Gateway approval is pending. Run this on the gateway host:" }
-        ?: "Gateway approval is pending. Run openclaw devices list on the gateway host, approve this phone, then retry."
     } else if (statusText.contains("operator offline", ignoreCase = true)) {
       "Gateway paired. Waiting for operator access."
     } else if (gatewayStatusLooksLikePairing(statusText)) {
@@ -1237,25 +1006,6 @@ private fun recoveryGatewayDetail(
       "Gateway unreachable"
     }
 
-private fun recoveryGatewayApprovalCommand(gatewayConnectionProblem: GatewayConnectionProblem?): String? {
-  if (gatewayConnectionProblem?.isPairingRequired != true || gatewayConnectionProblem.canAutoRetry) return null
-  val requestId = gatewayConnectionProblem.requestId?.trim()?.takeIf { it.isNotEmpty() }
-  return if (requestId != null) {
-    "openclaw devices approve $requestId"
-  } else {
-    "openclaw devices list"
-  }
-}
-
-private fun copyApprovalCommand(
-  context: Context,
-  command: String,
-) {
-  val clipboard = context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
-  clipboard.setPrimaryClip(ClipData.newPlainText("OpenClaw pairing approval command", command))
-  Toast.makeText(context, "Approval command copied", Toast.LENGTH_SHORT).show()
-}
-
 /** Copies the onboarding recovery snapshot for support without including credentials. */
 private fun copyGatewayDiagnostic(
   context: Context,
@@ -1263,16 +1013,11 @@ private fun copyGatewayDiagnostic(
   serverName: String?,
   remoteAddress: String?,
   ready: Boolean,
-  gatewayConnectionProblem: GatewayConnectionProblem?,
 ) {
-  val approvalCommand = recoveryGatewayApprovalCommand(gatewayConnectionProblem)
   val diagnostic =
-    listOfNotNull(
+    listOf(
       "OpenClaw Android gateway diagnostic",
       "Status: $statusText",
-      gatewayConnectionProblem?.message?.let { "Gateway problem: $it" },
-      gatewayConnectionProblem?.requestId?.let { "Pairing request: $it" },
-      approvalCommand?.let { "Approval command: $it" },
       "Gateway: ${serverName?.takeIf { it.isNotBlank() } ?: "Home Gateway"}",
       "Address: ${remoteAddress?.takeIf { it.isNotBlank() } ?: "Not available"}",
       "Ready: ${if (ready) "yes" else "no"}",
@@ -1297,24 +1042,11 @@ private class PermissionState(
   val applyToViewModel: () -> Unit,
 )
 
-/** Onboarding finishes only after the gateway resolves node capability approval. */
+/** Onboarding can finish only after gateway and node channels are both ready. */
 internal fun canFinishOnboarding(
   isConnected: Boolean,
   isNodeConnected: Boolean,
-  nodeCapabilityApprovalState: GatewayNodeApprovalState,
-): Boolean =
-  isConnected &&
-    isNodeConnected &&
-    when (nodeCapabilityApprovalState) {
-      GatewayNodeApprovalState.PendingApproval,
-      GatewayNodeApprovalState.PendingReapproval,
-      GatewayNodeApprovalState.Unapproved,
-      GatewayNodeApprovalState.Loading,
-      -> false
-      GatewayNodeApprovalState.Approved,
-      GatewayNodeApprovalState.Unsupported,
-      -> true
-    }
+): Boolean = isConnected && isNodeConnected
 
 /** Builds permission rows and applies granted feature toggles after onboarding. */
 @Composable

apps/android/app/src/main/java/ai/openclaw/app/ui/OpenClawTheme.kt

@@ -1,6 +1,5 @@
 package ai.openclaw.app.ui
 
-import ai.openclaw.app.AppearanceThemeMode
 import android.app.Activity
 import androidx.compose.foundation.isSystemInDarkTheme
 import androidx.compose.material3.MaterialTheme
@@ -9,51 +8,34 @@ import androidx.compose.material3.dynamicLightColorScheme
 import androidx.compose.runtime.Composable
 import androidx.compose.runtime.CompositionLocalProvider
 import androidx.compose.runtime.SideEffect
-import androidx.compose.runtime.staticCompositionLocalOf
 import androidx.compose.ui.graphics.Color
 import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.platform.LocalView
 import androidx.core.view.WindowCompat
 
-private val LocalOpenClawDarkTheme = staticCompositionLocalOf { true }
-
 /**
  * App theme wrapper that installs dynamic Material colors and legacy mobile color tokens.
  */
 @Composable
-fun OpenClawTheme(
-  themeMode: AppearanceThemeMode = AppearanceThemeMode.Dark,
-  content: @Composable () -> Unit,
-) {
+fun OpenClawTheme(content: @Composable () -> Unit) {
   val context = LocalContext.current
-  val isDark = themeMode.isDark(systemDark = isSystemInDarkTheme())
+  val isDark = isSystemInDarkTheme()
   val colorScheme = if (isDark) dynamicDarkColorScheme(context) else dynamicLightColorScheme(context)
   val mobileColors = if (isDark) darkMobileColors() else lightMobileColors()
 
-  OpenClawSystemBarAppearance(lightAppearance = !isDark)
-
-  CompositionLocalProvider(
-    LocalMobileColors provides mobileColors,
-    LocalOpenClawDarkTheme provides isDark,
-  ) {
-    MaterialTheme(colorScheme = colorScheme, content = content)
-  }
-}
-
-@Composable
-internal fun OpenClawSystemBarAppearance(lightAppearance: Boolean) {
   val view = LocalView.current
   if (!view.isInEditMode) {
     SideEffect {
-      val window = (view.context as? Activity)?.window ?: return@SideEffect
+      val window = (view.context as Activity).window
       WindowCompat
         .getInsetsController(window, window.decorView)
-        .isAppearanceLightStatusBars = lightAppearance
-      WindowCompat
-        .getInsetsController(window, window.decorView)
-        .isAppearanceLightNavigationBars = lightAppearance
+        .isAppearanceLightStatusBars = !isDark
     }
   }
+
+  CompositionLocalProvider(LocalMobileColors provides mobileColors) {
+    MaterialTheme(colorScheme = colorScheme, content = content)
+  }
 }
 
 /**
@@ -62,9 +44,9 @@ internal fun OpenClawSystemBarAppearance(lightAppearance: Boolean) {
 @Composable
 fun overlayContainerColor(): Color {
   val scheme = MaterialTheme.colorScheme
-  val isDark = LocalOpenClawDarkTheme.current
+  val isDark = isSystemInDarkTheme()
   val base = if (isDark) scheme.surfaceContainerLow else scheme.surfaceContainerHigh
-  // Light mode keeps overlays away from pure-white glare on the app canvas.
+  // Light mode: background stays dark (canvas), so clamp overlays away from pure-white glare.
   return if (isDark) base else base.copy(alpha = 0.88f)
 }
 

apps/android/app/src/main/java/ai/openclaw/app/ui/ProvidersModelsScreen.kt

@@ -6,6 +6,7 @@ import ai.openclaw.app.MainViewModel
 import ai.openclaw.app.providerDisplayName
 import ai.openclaw.app.ui.design.ClawEmptyState
 import ai.openclaw.app.ui.design.ClawPanel
+import ai.openclaw.app.ui.design.ClawPrimaryButton
 import ai.openclaw.app.ui.design.ClawScaffold
 import ai.openclaw.app.ui.design.ClawSecondaryButton
 import ai.openclaw.app.ui.design.ClawTheme
@@ -16,20 +17,27 @@ import androidx.compose.foundation.layout.Box
 import androidx.compose.foundation.layout.Column
 import androidx.compose.foundation.layout.PaddingValues
 import androidx.compose.foundation.layout.Row
+import androidx.compose.foundation.layout.Spacer
 import androidx.compose.foundation.layout.WindowInsets
 import androidx.compose.foundation.layout.WindowInsetsSides
 import androidx.compose.foundation.layout.fillMaxSize
 import androidx.compose.foundation.layout.fillMaxWidth
+import androidx.compose.foundation.layout.height
 import androidx.compose.foundation.layout.heightIn
 import androidx.compose.foundation.layout.only
 import androidx.compose.foundation.layout.padding
 import androidx.compose.foundation.layout.safeDrawing
 import androidx.compose.foundation.layout.size
+import androidx.compose.foundation.layout.width
 import androidx.compose.foundation.lazy.LazyColumn
+import androidx.compose.foundation.lazy.items
 import androidx.compose.foundation.shape.CircleShape
 import androidx.compose.foundation.shape.RoundedCornerShape
 import androidx.compose.material.icons.Icons
 import androidx.compose.material.icons.automirrored.filled.ArrowBack
+import androidx.compose.material.icons.automirrored.filled.KeyboardArrowRight
+import androidx.compose.material.icons.filled.Add
+import androidx.compose.material.icons.filled.KeyboardArrowDown
 import androidx.compose.material3.HorizontalDivider
 import androidx.compose.material3.Icon
 import androidx.compose.material3.Surface
@@ -38,20 +46,25 @@ import androidx.compose.runtime.Composable
 import androidx.compose.runtime.LaunchedEffect
 import androidx.compose.runtime.collectAsState
 import androidx.compose.runtime.getValue
+import androidx.compose.runtime.mutableStateOf
+import androidx.compose.runtime.saveable.rememberSaveable
+import androidx.compose.runtime.setValue
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.draw.clip
 import androidx.compose.ui.graphics.Color
 import androidx.compose.ui.graphics.vector.ImageVector
 import androidx.compose.ui.text.style.TextAlign
+import androidx.compose.ui.text.style.TextOverflow
 import androidx.compose.ui.unit.dp
 import androidx.compose.ui.unit.sp
 
-/** Android provider readiness screen backed by the configured gateway model view. */
+/** Android providers/models browser backed by the gateway catalog. */
 @Composable
 internal fun ProvidersModelsScreen(
   viewModel: MainViewModel,
   onBack: () -> Unit,
+  onAddProvider: () -> Unit,
 ) {
   val isConnected by viewModel.isConnected.collectAsState()
   val models by viewModel.modelCatalog.collectAsState()
@@ -59,6 +72,9 @@ internal fun ProvidersModelsScreen(
   val refreshing by viewModel.modelCatalogRefreshing.collectAsState()
   val errorText by viewModel.modelCatalogErrorText.collectAsState()
   val providerRows = providerRows(providers = providers, models = models)
+  val modelGroups = sortedModelGroups(models)
+  val setupRows = providerSetupRows(providerRows)
+  var expandedModelProviders by rememberSaveable { mutableStateOf(emptyList<String>()) }
 
   LaunchedEffect(isConnected) {
     if (isConnected) {
@@ -84,11 +100,12 @@ internal fun ProvidersModelsScreen(
               horizontalArrangement = Arrangement.SpaceBetween,
             ) {
               ProviderHeaderIconButton(icon = Icons.AutoMirrored.Filled.ArrowBack, contentDescription = "Back", onClick = onBack)
+              ProviderHeaderIconButton(icon = Icons.Default.Add, contentDescription = "Add provider", outlined = true, onClick = onAddProvider)
             }
             Column(verticalArrangement = Arrangement.spacedBy(3.dp)) {
               Text(text = "Providers & Models", style = ClawTheme.type.display.copy(fontSize = 14.8.sp, lineHeight = 18.sp), color = ClawTheme.colors.text, maxLines = 1)
               Text(
-                text = "Review provider readiness\nand configured models.",
+                text = "Connect and manage AI providers\nBrowse models and their capabilities.",
                 style = ClawTheme.type.caption.copy(fontSize = 12.5.sp, lineHeight = 16.sp),
                 color = ClawTheme.colors.textMuted,
               )
@@ -102,17 +119,26 @@ internal fun ProvidersModelsScreen(
             providerRows = providerRows,
             modelCount = models.size,
             onRefresh = viewModel::refreshModelCatalog,
+            onSetup = onAddProvider,
             refreshing = refreshing,
           )
         }
 
+        item {
+          ProviderSectionLabel(title = "Provider setup")
+        }
+
+        item {
+          ProviderSetupList(rows = setupRows, onSetup = onAddProvider)
+        }
+
         item {
           ProviderSectionLabel(title = "Connected providers")
         }
 
         item {
           if (!isConnected && providerRows.isEmpty()) {
-            ClawEmptyState(title = "Gateway offline", body = "Connect your Gateway to load provider readiness.")
+            ClawEmptyState(title = "Gateway offline", body = "Connect your Gateway to load provider readiness and model catalog.")
           } else {
             ProviderList(rows = providerRows, refreshing = refreshing)
           }
@@ -125,12 +151,50 @@ internal fun ProvidersModelsScreen(
             }
           }
         }
+
+        item {
+          ProviderSectionLabel(title = "Model catalog")
+        }
+
+        if (modelGroups.isEmpty()) {
+          item {
+            ModelCatalogEmpty(
+              title = if (refreshing) "Loading models" else "No models loaded",
+              body = if (isConnected) "Refresh after configuring a provider on the Gateway." else "Connect the Gateway to browse models.",
+            )
+          }
+        } else {
+          items(modelGroups, key = { it.first }) { entry ->
+            val expanded = expandedModelProviders.contains(entry.first)
+            ModelGroup(
+              provider = entry.first,
+              models = entry.second,
+              expanded = expanded,
+              onToggle = {
+                expandedModelProviders =
+                  if (expanded) {
+                    expandedModelProviders - entry.first
+                  } else {
+                    expandedModelProviders + entry.first
+                  }
+              },
+            )
+          }
+        }
       }
+      ProviderAddButton(onClick = onAddProvider, modifier = Modifier.align(Alignment.BottomCenter))
     }
   }
 }
 
-internal data class ProviderRow(
+private data class ProviderSetupRow(
+  val id: String,
+  val name: String,
+  val subtitle: String,
+  val ready: Boolean,
+)
+
+private data class ProviderRow(
   val id: String,
   val name: String,
   val status: String,
@@ -138,28 +202,28 @@ internal data class ProviderRow(
   val modelCount: Int,
 )
 
-/** Combines gateway auth-provider readiness with configured model providers. */
-internal fun providerRows(
+/** Combines auth-provider readiness rows with catalog-only providers. */
+private fun providerRows(
   providers: List<GatewayModelProviderSummary>,
   models: List<GatewayModelSummary>,
 ): List<ProviderRow> {
   val modelCounts = models.groupingBy { it.provider }.eachCount()
   val authRows =
-    providers
-      .map { provider ->
-        val ready = modelProviderReady(provider.status)
-        ProviderRow(
-          id = provider.id,
-          name = provider.displayName,
-          status = if (ready) "Ready" else "Needs attention",
-          ready = ready,
-          modelCount = modelCounts[provider.id] ?: 0,
-        )
-      }
-  val authProviderIds = authRows.mapTo(mutableSetOf()) { it.id.trim().lowercase() }
-  val configuredModelRows =
+    providers.map { provider ->
+      val ready = modelProviderReady(provider.status)
+      ProviderRow(
+        id = provider.id,
+        name = provider.displayName,
+        status = if (ready) "Ready" else "Needs setup",
+        ready = ready,
+        modelCount = modelCounts[provider.id] ?: 0,
+      )
+    }
+  // Static/catalog-only providers may expose models without a matching auth
+  // provider row; keep them visible as ready providers.
+  val missingAuthRows =
     modelCounts.keys
-      .filter { provider -> provider.trim().lowercase() !in authProviderIds }
+      .filter { provider -> authRows.none { it.id == provider } }
       .map { provider ->
         ProviderRow(
           id = provider,
@@ -169,9 +233,33 @@ internal fun providerRows(
           modelCount = modelCounts[provider] ?: 0,
         )
       }
-  return (authRows + configuredModelRows).sortedWith(compareBy(::providerPriority, { it.name.lowercase() }))
+  return (authRows + missingAuthRows).sortedWith(compareBy(::providerPriority, { it.name.lowercase() }))
 }
 
+private fun providerSetupRows(providerRows: List<ProviderRow>): List<ProviderSetupRow> {
+  val byId = providerRows.associateBy { it.id.trim().lowercase() }
+  return listOf("openai", "anthropic", "google", "openrouter", "ollama").map { id ->
+    val row = byId[id] ?: byId["ollama-local"].takeIf { id == "ollama" }
+    ProviderSetupRow(
+      id = id,
+      name = providerDisplayName(id),
+      subtitle = providerSetupSubtitle(id, row),
+      ready = row?.ready == true,
+    )
+  }
+}
+
+private fun providerSetupSubtitle(
+  id: String,
+  row: ProviderRow?,
+): String =
+  when {
+    row?.ready == true -> if (row.modelCount > 0) "${row.modelCount} models available" else "Ready"
+    row != null -> "Finish setup to use ${row.name}"
+    id == "ollama" -> "Use models running on your network"
+    else -> "Add provider credentials on your Gateway"
+  }
+
 /** Normalizes gateway provider status strings into a ready/not-ready boolean. */
 internal fun modelProviderReady(status: String): Boolean {
   val normalized = status.trim().lowercase()
@@ -182,6 +270,14 @@ internal fun modelProviderReady(status: String): Boolean {
     normalized == "static"
 }
 
+/** Groups models by provider using the same display priority as provider rows. */
+private fun sortedModelGroups(models: List<GatewayModelSummary>): List<Pair<String, List<GatewayModelSummary>>> =
+  models
+    .groupBy { it.provider }
+    .entries
+    .sortedWith(compareBy({ providerPriority(it.key) }, { providerDisplayName(it.key).lowercase() }))
+    .map { it.key to it.value }
+
 private fun providerPriority(row: ProviderRow): Int = providerPriority(row.id)
 
 private fun providerPriority(provider: String): Int =
@@ -203,15 +299,7 @@ private fun ProviderList(
   ClawPanel(contentPadding = PaddingValues(horizontal = 0.dp, vertical = 0.dp)) {
     Column {
       if (rows.isEmpty()) {
-        ProviderListRow(
-          ProviderRow(
-            id = "loading",
-            name = "Provider catalog",
-            status = if (refreshing) "Loading" else "No providers",
-            ready = false,
-            modelCount = 0,
-          ),
-        )
+        ProviderListRow(ProviderRow(id = "loading", name = "Provider catalog", status = if (refreshing) "Loading" else "No providers", ready = false, modelCount = 0))
       } else {
         val visibleRows = rows.take(5)
         visibleRows.forEachIndexed { index, row ->
@@ -232,6 +320,7 @@ private fun ProviderOverviewPanel(
   modelCount: Int,
   refreshing: Boolean,
   onRefresh: () -> Unit,
+  onSetup: () -> Unit,
 ) {
   val readyCount = providerRows.count { it.ready }
   val needsSetupCount = providerRows.count { !it.ready }
@@ -240,14 +329,17 @@ private fun ProviderOverviewPanel(
       Row(modifier = Modifier.fillMaxWidth(), horizontalArrangement = Arrangement.spacedBy(8.dp)) {
         ProviderMetricTile(label = "Ready", value = readyCount.toString(), modifier = Modifier.weight(1f))
         ProviderMetricTile(label = "Models", value = modelCount.toString(), modifier = Modifier.weight(1f))
-        ProviderMetricTile(label = "Needs", value = needsSetupCount.toString(), modifier = Modifier.weight(1f))
+        ProviderMetricTile(label = "Setup", value = needsSetupCount.toString(), modifier = Modifier.weight(1f))
       }
       Text(
-        text = if (isConnected) "Refresh to recheck provider readiness from your Gateway." else "Connect your Gateway to view provider readiness.",
+        text = if (isConnected) "Choose a provider below, then finish credentials on your Gateway." else "Connect your Gateway before adding model providers.",
         style = ClawTheme.type.body,
         color = ClawTheme.colors.textMuted,
       )
-      ClawSecondaryButton(text = if (refreshing) "Refreshing" else "Refresh", onClick = onRefresh, enabled = isConnected && !refreshing, modifier = Modifier.fillMaxWidth())
+      Row(modifier = Modifier.fillMaxWidth(), horizontalArrangement = Arrangement.spacedBy(8.dp)) {
+        ClawSecondaryButton(text = if (refreshing) "Refreshing" else "Refresh", onClick = onRefresh, enabled = isConnected && !refreshing, modifier = Modifier.weight(1f))
+        ClawPrimaryButton(text = "Setup Provider", onClick = onSetup, enabled = isConnected, modifier = Modifier.weight(1f))
+      }
     }
   }
 }
@@ -272,13 +364,55 @@ private fun ProviderMetricTile(
   }
 }
 
+@Composable
+private fun ProviderSetupList(
+  rows: List<ProviderSetupRow>,
+  onSetup: () -> Unit,
+) {
+  ClawPanel(contentPadding = PaddingValues(horizontal = 0.dp, vertical = 0.dp)) {
+    Column {
+      rows.forEachIndexed { index, row ->
+        ProviderSetupListRow(row = row, onClick = onSetup)
+        if (index != rows.lastIndex) {
+          HorizontalDivider(color = ClawTheme.colors.border, thickness = 1.dp)
+        }
+      }
+    }
+  }
+}
+
+@Composable
+private fun ProviderSetupListRow(
+  row: ProviderSetupRow,
+  onClick: () -> Unit,
+) {
+  Surface(onClick = onClick, color = Color.Transparent, contentColor = ClawTheme.colors.text) {
+    Row(
+      modifier = Modifier.fillMaxWidth().heightIn(min = 58.dp).padding(horizontal = 10.dp, vertical = 6.dp),
+      verticalAlignment = Alignment.CenterVertically,
+      horizontalArrangement = Arrangement.spacedBy(10.dp),
+    ) {
+      ProviderBadge(text = row.name)
+      Column(modifier = Modifier.weight(1f), verticalArrangement = Arrangement.spacedBy(1.dp)) {
+        Text(text = row.name, style = ClawTheme.type.body, color = ClawTheme.colors.text, maxLines = 1)
+        Text(text = row.subtitle, style = ClawTheme.type.caption.copy(fontSize = 12.5.sp, lineHeight = 16.sp), color = ClawTheme.colors.textMuted, maxLines = 1, overflow = TextOverflow.Ellipsis)
+      }
+      Row(verticalAlignment = Alignment.CenterVertically, horizontalArrangement = Arrangement.spacedBy(6.dp)) {
+        Box(modifier = Modifier.size(5.dp).clip(CircleShape).background(if (row.ready) ClawTheme.colors.success else ClawTheme.colors.warning))
+        Text(text = if (row.ready) "Ready" else "Setup", style = ClawTheme.type.caption.copy(fontSize = 12.5.sp, lineHeight = 16.sp), color = ClawTheme.colors.textMuted, maxLines = 1)
+        Icon(imageVector = Icons.AutoMirrored.Filled.KeyboardArrowRight, contentDescription = "Open ${row.name}", modifier = Modifier.size(17.dp), tint = ClawTheme.colors.text)
+      }
+    }
+  }
+}
+
 @Composable
 private fun ProviderListRow(row: ProviderRow) {
   Row(modifier = Modifier.fillMaxWidth().heightIn(min = 58.dp).padding(horizontal = 10.dp, vertical = 6.dp), verticalAlignment = Alignment.CenterVertically, horizontalArrangement = Arrangement.spacedBy(10.dp)) {
     ProviderBadge(text = row.name)
     Column(modifier = Modifier.weight(1f), verticalArrangement = Arrangement.spacedBy(1.dp)) {
       Text(text = row.name, style = ClawTheme.type.body, color = ClawTheme.colors.text, maxLines = 1)
-      Text(text = if (row.modelCount > 0) "${row.modelCount} models" else "No configured models", style = ClawTheme.type.caption.copy(fontSize = 12.5.sp, lineHeight = 16.sp), color = ClawTheme.colors.textMuted, maxLines = 1)
+      Text(text = if (row.modelCount > 0) "${row.modelCount} models" else "Provider setup", style = ClawTheme.type.caption.copy(fontSize = 12.5.sp, lineHeight = 16.sp), color = ClawTheme.colors.textMuted, maxLines = 1)
     }
     Row(verticalAlignment = Alignment.CenterVertically, horizontalArrangement = Arrangement.spacedBy(5.dp)) {
       Box(modifier = Modifier.size(4.5.dp).clip(CircleShape).background(if (row.ready) ClawTheme.colors.success else ClawTheme.colors.warning))
@@ -305,6 +439,78 @@ private fun providerInitials(value: String): String =
     .joinToString("")
     .ifBlank { "AI" }
 
+@Composable
+private fun ModelCatalogEmpty(
+  title: String,
+  body: String,
+) {
+  ClawPanel(contentPadding = PaddingValues(horizontal = 11.dp, vertical = 10.dp)) {
+    Column(modifier = Modifier.fillMaxWidth(), verticalArrangement = Arrangement.spacedBy(4.dp)) {
+      Text(text = title, style = ClawTheme.type.section, color = ClawTheme.colors.text)
+      Text(text = body, style = ClawTheme.type.caption.copy(fontSize = 12.5.sp, lineHeight = 16.sp), color = ClawTheme.colors.textMuted)
+    }
+  }
+}
+
+@Composable
+private fun ModelGroup(
+  provider: String,
+  models: List<GatewayModelSummary>,
+  expanded: Boolean,
+  onToggle: () -> Unit,
+) {
+  ClawPanel(contentPadding = PaddingValues(horizontal = 0.dp, vertical = 0.dp)) {
+    Column {
+      Surface(onClick = onToggle, color = Color.Transparent, contentColor = ClawTheme.colors.text) {
+        Row(modifier = Modifier.fillMaxWidth().heightIn(min = 52.dp).padding(horizontal = 10.dp, vertical = 6.dp), verticalAlignment = Alignment.CenterVertically, horizontalArrangement = Arrangement.spacedBy(10.dp)) {
+          ProviderBadge(text = providerDisplayName(provider))
+          Text(text = providerDisplayName(provider), style = ClawTheme.type.body, color = ClawTheme.colors.text, modifier = Modifier.weight(1f), maxLines = 1)
+          ProviderMiniTag(text = "${models.size} models")
+          Icon(imageVector = if (expanded) Icons.Default.KeyboardArrowDown else Icons.AutoMirrored.Filled.KeyboardArrowRight, contentDescription = if (expanded) "Collapse ${providerDisplayName(provider)} models" else "Expand ${providerDisplayName(provider)} models", modifier = Modifier.size(14.dp), tint = ClawTheme.colors.textMuted)
+        }
+      }
+      HorizontalDivider(color = ClawTheme.colors.border, thickness = 1.dp)
+      val visibleModels = if (expanded) models else models.take(3)
+      visibleModels.forEachIndexed { index, model ->
+        ModelRow(model)
+        if (index != visibleModels.lastIndex || models.size > visibleModels.size) {
+          HorizontalDivider(color = ClawTheme.colors.border, thickness = 1.dp)
+        }
+      }
+      if (models.size > visibleModels.size) {
+        Surface(onClick = onToggle, color = Color.Transparent, contentColor = ClawTheme.colors.text) {
+          Row(modifier = Modifier.fillMaxWidth().padding(horizontal = 10.dp, vertical = 8.dp), verticalAlignment = Alignment.CenterVertically) {
+            Text(text = "View all models", style = ClawTheme.type.caption.copy(fontSize = 12.5.sp, lineHeight = 16.sp), color = ClawTheme.colors.textMuted, modifier = Modifier.weight(1f))
+            Icon(imageVector = Icons.AutoMirrored.Filled.KeyboardArrowRight, contentDescription = "View all models", modifier = Modifier.size(14.dp), tint = ClawTheme.colors.text)
+          }
+        }
+      }
+    }
+  }
+}
+
+@Composable
+private fun ModelRow(model: GatewayModelSummary) {
+  Row(modifier = Modifier.fillMaxWidth().heightIn(min = 48.dp).padding(horizontal = 10.dp, vertical = 5.dp), verticalAlignment = Alignment.CenterVertically, horizontalArrangement = Arrangement.spacedBy(6.dp)) {
+    Text(text = model.name, style = ClawTheme.type.mono, color = ClawTheme.colors.text, modifier = Modifier.weight(1f), maxLines = 1, overflow = TextOverflow.Ellipsis)
+    modelCapabilityLabels(model).take(3).forEach { label ->
+      ProviderMiniTag(text = label)
+    }
+    Box(modifier = Modifier.size(4.5.dp).clip(CircleShape).background(ClawTheme.colors.success))
+  }
+}
+
+/** Derives compact capability chips for model catalog rows. */
+private fun modelCapabilityLabels(model: GatewayModelSummary): List<String> =
+  buildList {
+    if (model.supportsReasoning) add("Reasoning")
+    if (model.supportsVision) add("Vision")
+    if (model.supportsAudio) add("Voice")
+    if (model.supportsDocuments) add("Docs")
+    if ((model.contextTokens ?: 0L) >= 100_000L) add("Long context")
+    if (isEmpty()) add("Fast")
+  }
+
 @Composable
 private fun ProviderSectionLabel(title: String) {
   Row(modifier = Modifier.fillMaxWidth(), verticalAlignment = Alignment.CenterVertically, horizontalArrangement = Arrangement.SpaceBetween) {
@@ -332,3 +538,39 @@ private fun ProviderHeaderIconButton(
     }
   }
 }
+
+@Composable
+private fun ProviderAddButton(
+  onClick: () -> Unit,
+  modifier: Modifier = Modifier,
+) {
+  Surface(
+    onClick = onClick,
+    modifier = modifier.fillMaxWidth().height(ClawTheme.spacing.touchTarget),
+    shape = RoundedCornerShape(ClawTheme.radii.pill),
+    color = ClawTheme.colors.primary,
+    contentColor = ClawTheme.colors.primaryText,
+  ) {
+    Row(
+      modifier = Modifier.fillMaxSize(),
+      verticalAlignment = Alignment.CenterVertically,
+      horizontalArrangement = Arrangement.Center,
+    ) {
+      Icon(imageVector = Icons.Default.Add, contentDescription = null, modifier = Modifier.size(17.dp))
+      Spacer(modifier = Modifier.width(7.dp))
+      Text(text = "Open Gateway Setup", style = ClawTheme.type.label, maxLines = 1)
+    }
+  }
+}
+
+@Composable
+private fun ProviderMiniTag(text: String) {
+  Surface(
+    shape = RoundedCornerShape(5.dp),
+    color = Color.Transparent,
+    border = BorderStroke(1.dp, ClawTheme.colors.border),
+    contentColor = ClawTheme.colors.textMuted,
+  ) {
+    Text(text = text, modifier = Modifier.padding(horizontal = 4.dp, vertical = 0.5.dp), style = ClawTheme.type.caption.copy(fontSize = 12.5.sp, lineHeight = 16.sp), maxLines = 1)
+  }
+}

apps/android/app/src/main/java/ai/openclaw/app/ui/SessionsScreen.kt

@@ -217,7 +217,7 @@ private fun SessionRow(
   compact: Boolean,
   onClick: () -> Unit,
 ) {
-  Surface(onClick = onClick, color = Color.Transparent, contentColor = ClawTheme.colors.text) {
+  Surface(onClick = onClick, color = ClawTheme.colors.canvas, contentColor = ClawTheme.colors.text) {
     Column {
       Row(
         modifier = Modifier.fillMaxWidth().heightIn(min = 58.dp).padding(vertical = 5.dp),

apps/android/app/src/main/java/ai/openclaw/app/ui/SettingsScreens.kt

@@ -1,6 +1,5 @@
 package ai.openclaw.app.ui
 
-import ai.openclaw.app.AppearanceThemeMode
 import ai.openclaw.app.BuildConfig
 import ai.openclaw.app.GatewayAgentSummary
 import ai.openclaw.app.GatewayCronJobSummary
@@ -9,6 +8,7 @@ import ai.openclaw.app.LocationMode
 import ai.openclaw.app.MainViewModel
 import ai.openclaw.app.NotificationPackageFilterMode
 import ai.openclaw.app.chat.ChatPendingToolCall
+import ai.openclaw.app.gateway.GatewayEndpoint
 import ai.openclaw.app.node.DeviceNotificationListenerService
 import ai.openclaw.app.ui.design.ClawDetailRow
 import ai.openclaw.app.ui.design.ClawIconBadge
@@ -147,7 +147,7 @@ internal fun SettingsDetailScreen(
     SettingsRoute.Notifications -> NotificationSettingsScreen(viewModel = viewModel, onBack = onBack)
     SettingsRoute.PhoneCapabilities -> PhoneCapabilitiesScreen(viewModel = viewModel, onBack = onBack)
     SettingsRoute.Gateway -> GatewaySettingsScreen(viewModel = viewModel, onBack = onBack)
-    SettingsRoute.Appearance -> AppearanceSettingsScreen(viewModel = viewModel, onBack = onBack)
+    SettingsRoute.Appearance -> AppearanceSettingsScreen(onBack = onBack)
     SettingsRoute.Health -> HealthLogsSettingsScreen(viewModel = viewModel, onBack = onBack)
     SettingsRoute.About -> AboutSettingsScreen(viewModel = viewModel, onBack = onBack)
   }
@@ -897,14 +897,18 @@ private fun GatewaySettingsScreen(
                 .orEmpty()
                 .ifEmpty { passwordInput.trim() }
             validationText = null
-            viewModel.saveGatewayConfigAndConnect(
-              host = endpointConfig.host,
-              port = endpointConfig.port,
-              tls = endpointConfig.tls,
-              token = token,
-              bootstrapToken = bootstrapToken,
-              password = password,
-              resetSetupAuth = setup != null,
+            viewModel.setManualEnabled(true)
+            viewModel.setManualHost(endpointConfig.host)
+            viewModel.setManualPort(endpointConfig.port)
+            viewModel.setManualTls(endpointConfig.tls)
+            viewModel.setGatewayBootstrapToken(bootstrapToken)
+            viewModel.setGatewayToken(token)
+            viewModel.setGatewayPassword(password)
+            viewModel.connect(
+              GatewayEndpoint.manual(host = endpointConfig.host, port = endpointConfig.port),
+              token = token.ifEmpty { null },
+              bootstrapToken = bootstrapToken.ifEmpty { null },
+              password = password.ifEmpty { null },
             )
           },
           modifier = Modifier.fillMaxWidth(),
@@ -915,40 +919,22 @@ private fun GatewaySettingsScreen(
 }
 
 @Composable
-private fun AppearanceSettingsScreen(
-  viewModel: MainViewModel,
-  onBack: () -> Unit,
-) {
-  val themeMode by viewModel.appearanceThemeMode.collectAsState()
-
+private fun AppearanceSettingsScreen(onBack: () -> Unit) {
   SettingsDetailFrame(title = "Appearance", subtitle = "A calm, high-contrast OpenClaw interface.", icon = Icons.Default.Palette, onBack = onBack) {
     SettingsMetricPanel(
       rows =
         listOf(
-          SettingsMetric("Theme", appearanceThemeSummary(themeMode)),
+          SettingsMetric("Theme", "Dark"),
           SettingsMetric("Contrast", "High"),
           SettingsMetric("Typography", "Readable"),
         ),
     )
     ClawPanel {
-      Column(verticalArrangement = Arrangement.spacedBy(10.dp)) {
-        Text(text = "Theme", style = ClawTheme.type.section, color = ClawTheme.colors.text)
-        ClawSegmentedControl(
-          options = appearanceThemeOptions(),
-          selected = appearanceThemeSummary(themeMode),
-          onSelect = { selected -> viewModel.setAppearanceThemeMode(appearanceThemeModeForLabel(selected)) },
-        )
-      }
+      Text(text = "OpenClaw uses a fixed premium dark theme so it stays consistent across devices.", style = ClawTheme.type.body, color = ClawTheme.colors.textMuted)
     }
   }
 }
 
-internal fun appearanceThemeSummary(mode: AppearanceThemeMode): String = mode.displayLabel
-
-internal fun appearanceThemeOptions(): List<String> = AppearanceThemeMode.entries.map { it.displayLabel }
-
-internal fun appearanceThemeModeForLabel(label: String): AppearanceThemeMode = AppearanceThemeMode.fromDisplayLabel(label)
-
 /** Converts raw gateway connection text into stable settings metric labels. */
 private fun gatewayStatusLabel(
   statusText: String,
@@ -985,7 +971,7 @@ private fun AboutSettingsScreen(
         listOf(
           SettingsMetric("Android App", BuildConfig.VERSION_NAME),
           SettingsMetric("Build", BuildConfig.VERSION_CODE.toString()),
-          SettingsMetric("Channel", androidDistributionChannel()),
+          SettingsMetric("Channel", "Play"),
           SettingsMetric("Gateway", currentGatewayVersion ?: "Not connected"),
         ),
     )
@@ -1008,14 +994,6 @@ private fun AboutSettingsScreen(
   }
 }
 
-internal fun androidDistributionChannel(flavor: String = BuildConfig.FLAVOR): String =
-  when (flavor.trim()) {
-    "play" -> "Play"
-    "thirdParty" -> "Third-party"
-    "" -> "Unknown"
-    else -> flavor.trim()
-  }
-
 @Composable
 private fun AboutStatusRow(
   title: String,

apps/android/app/src/main/java/ai/openclaw/app/ui/ShellScreen.kt

@@ -3,7 +3,6 @@ package ai.openclaw.app.ui
 import ai.openclaw.app.BuildConfig
 import ai.openclaw.app.GatewayChannelsSummary
 import ai.openclaw.app.GatewayDreamingSummary
-import ai.openclaw.app.GatewayNodeApprovalState
 import ai.openclaw.app.GatewayNodesDevicesSummary
 import ai.openclaw.app.GatewaySkillSummary
 import ai.openclaw.app.HomeDestination
@@ -23,7 +22,6 @@ import androidx.activity.compose.BackHandler
 import androidx.compose.foundation.BorderStroke
 import androidx.compose.foundation.background
 import androidx.compose.foundation.clickable
-import androidx.compose.foundation.isSystemInDarkTheme
 import androidx.compose.foundation.layout.Arrangement
 import androidx.compose.foundation.layout.Box
 import androidx.compose.foundation.layout.Column
@@ -105,10 +103,7 @@ private val shellNavTabs = listOf(Tab.Overview, Tab.Chat, Tab.Voice, Tab.Setting
 private val shellContentInsets: WindowInsets
   @Composable get() = WindowInsets.safeDrawing.only(WindowInsetsSides.Top + WindowInsetsSides.Horizontal)
 
-internal fun shellBottomNavVisible(
-  keyboardVisible: Boolean,
-  commandOpen: Boolean,
-): Boolean = !keyboardVisible && !commandOpen
+internal fun shellBottomNavVisible(keyboardVisible: Boolean, commandOpen: Boolean): Boolean = !keyboardVisible && !commandOpen
 
 /** Main post-onboarding shell that owns top-level Android navigation state. */
 @Composable
@@ -116,18 +111,13 @@ fun ShellScreen(
   viewModel: MainViewModel,
   modifier: Modifier = Modifier,
 ) {
-  val appearanceThemeMode by viewModel.appearanceThemeMode.collectAsState()
-  val shellDark = appearanceThemeMode.isDark(systemDark = isSystemInDarkTheme())
-  OpenClawSystemBarAppearance(lightAppearance = !shellDark)
-  ClawDesignTheme(dark = shellDark) {
+  ClawDesignTheme {
     var activeTab by rememberSaveable { mutableStateOf(Tab.Overview) }
     var settingsRoute by rememberSaveable { mutableStateOf(SettingsRoute.Home) }
     var returnToOverviewFromSettings by rememberSaveable { mutableStateOf(false) }
     var commandOpen by rememberSaveable { mutableStateOf(false) }
-    var voiceScreenWasActive by rememberSaveable { mutableStateOf(false) }
     val requestedHomeDestination by viewModel.requestedHomeDestination.collectAsState()
     val pendingTrust by viewModel.pendingGatewayTrust.collectAsState()
-    val runtimeInitialized by viewModel.runtimeInitialized.collectAsState()
 
     LaunchedEffect(requestedHomeDestination) {
       val destination = requestedHomeDestination ?: return@LaunchedEffect
@@ -148,12 +138,8 @@ fun ShellScreen(
       viewModel.clearRequestedHomeDestination()
     }
 
-    LaunchedEffect(activeTab, runtimeInitialized) {
-      val voiceScreenActive = activeTab == Tab.Voice
-      if (voiceScreenActive || voiceScreenWasActive || runtimeInitialized) {
-        viewModel.setVoiceScreenActive(voiceScreenActive)
-      }
-      voiceScreenWasActive = voiceScreenActive
+    LaunchedEffect(activeTab) {
+      viewModel.setVoiceScreenActive(activeTab == Tab.Voice)
     }
 
     BackHandler(enabled = activeTab != Tab.Overview) {
@@ -227,6 +213,11 @@ fun ShellScreen(
             ProvidersModelsScreen(
               viewModel = viewModel,
               onBack = { activeTab = Tab.Overview },
+              onAddProvider = {
+                settingsRoute = SettingsRoute.Gateway
+                returnToOverviewFromSettings = false
+                activeTab = Tab.Settings
+              },
             )
           Tab.Sessions ->
             SessionsScreen(
@@ -351,7 +342,7 @@ private fun OverviewScreen(
   val cronStatus by viewModel.cronStatus.collectAsState()
   val nodesDevicesSummary by viewModel.nodesDevicesSummary.collectAsState()
   val channelsSummary by viewModel.channelsSummary.collectAsState()
-  val readyProviderCount = providerRows(providers = providers, models = models).count { it.ready }
+  val readyProviderCount = providers.count { modelProviderReady(it.status) }
   val attentionRows =
     homeAttentionRows(
       isConnected = isConnected,
@@ -464,12 +455,13 @@ private fun OverviewScreen(
                 ModuleRow("Sessions", "Conversation history", if (sessions.isEmpty()) "Empty" else "${sessions.size} recent", Icons.Outlined.AccessTime, Tab.Sessions),
                 ModuleRow(
                   title = "Providers & Models",
-                  subtitle = "Provider readiness",
+                  subtitle = "Model setup",
                   metadata =
                     when {
                       !isConnected -> "Offline"
                       readyProviderCount > 0 -> "$readyProviderCount ready"
-                      else -> "No ready"
+                      models.isNotEmpty() -> "${models.size} models"
+                      else -> "Setup"
                     },
                   icon = Icons.Outlined.Inventory2,
                   tab = Tab.ProvidersModels,
@@ -549,7 +541,6 @@ internal fun homeAttentionRows(
   channelsSummary: GatewayChannelsSummary,
   nodesDevicesSummary: GatewayNodesDevicesSummary,
   readyProviderCount: Int,
-  expiringProviderCount: Int = 0,
 ): List<HomeAttentionRow> =
   listOfNotNull(
     if (!isConnected) {
@@ -567,13 +558,13 @@ internal fun homeAttentionRows(
     } else {
       null
     },
-    if (nodesDevicesSummary.pendingDevices.isNotEmpty() || nodesDevicesSummary.hasNodeCapabilityApprovalPending()) {
+    if (nodesDevicesSummary.pendingDevices.isNotEmpty()) {
       HomeAttentionRow("Nodes & Devices", nodesDevicesSummaryText(nodesDevicesSummary), Icons.Default.Cloud, Tab.Settings, SettingsRoute.NodesDevices)
     } else {
       null
     },
     if (isConnected && readyProviderCount == 0) {
-      HomeAttentionRow("Providers", "No ready providers", Icons.Outlined.Inventory2, Tab.Settings, SettingsRoute.Gateway)
+      HomeAttentionRow("Providers", "No ready providers", Icons.Outlined.Inventory2, Tab.ProvidersModels)
     } else {
       null
     },
@@ -756,7 +747,7 @@ private fun RecentSessionRowContent(
   metadata: String,
   onClick: () -> Unit,
 ) {
-  Surface(color = Color.Transparent, contentColor = ClawTheme.colors.text) {
+  Surface(color = ClawTheme.colors.canvas, contentColor = ClawTheme.colors.text) {
     Row(
       modifier =
         Modifier
@@ -854,7 +845,6 @@ private fun SettingsShellScreen(
   val nodesDevicesSummary by viewModel.nodesDevicesSummary.collectAsState()
   val channelsSummary by viewModel.channelsSummary.collectAsState()
   val dreamingSummary by viewModel.dreamingSummary.collectAsState()
-  val appearanceThemeMode by viewModel.appearanceThemeMode.collectAsState()
 
   LaunchedEffect(isConnected) {
     if (isConnected) {
@@ -916,7 +906,7 @@ private fun SettingsShellScreen(
               SettingsRow("Notifications", if (notificationForwardingEnabled) "Smart delivery" else "Off", Icons.Default.Notifications, route = SettingsRoute.Notifications),
               SettingsRow("Phone Capabilities", if (cameraEnabled) "Camera enabled" else "Locked", Icons.Default.Lock, status = !cameraEnabled, route = SettingsRoute.PhoneCapabilities),
               SettingsRow("Gateway", gatewaySummary(statusText, isConnected), Icons.Default.Cloud, status = isConnected, route = SettingsRoute.Gateway),
-              SettingsRow("Appearance", appearanceThemeSummary(appearanceThemeMode), Icons.Default.Palette, route = SettingsRoute.Appearance),
+              SettingsRow("Appearance", "Dark", Icons.Default.Palette, route = SettingsRoute.Appearance),
               SettingsRow("Health", "Diagnostics", Icons.Default.Settings, status = isConnected, route = SettingsRoute.Health),
               SettingsRow("About", "Version and update", Icons.Default.Storage, route = SettingsRoute.About),
             ),
@@ -998,7 +988,6 @@ private fun nodesDevicesSummaryText(summary: GatewayNodesDevicesSummary): String
   val devices = summary.pairedDevices.size
   return when {
     summary.pendingDevices.isNotEmpty() -> "${summary.pendingDevices.size} pending"
-    summary.hasNodeCapabilityApprovalPending() -> "Node approval pending"
     summary.nodes.isNotEmpty() -> "$online/${summary.nodes.size} online"
     devices > 0 -> "$devices paired"
     else -> "No devices"
@@ -1009,19 +998,11 @@ private fun nodesDevicesSummaryText(summary: GatewayNodesDevicesSummary): String
 private fun nodesDevicesStatus(summary: GatewayNodesDevicesSummary): Boolean? =
   when {
     summary.pendingDevices.isNotEmpty() -> false
-    summary.hasNodeCapabilityApprovalPending() -> false
     summary.nodes.any { it.connected } -> true
     summary.pairedDevices.isNotEmpty() -> true
     else -> null
   }
 
-private fun GatewayNodesDevicesSummary.hasNodeCapabilityApprovalPending(): Boolean =
-  nodes.any { node ->
-    node.approvalState == GatewayNodeApprovalState.PendingApproval ||
-      node.approvalState == GatewayNodeApprovalState.PendingReapproval ||
-      node.approvalState == GatewayNodeApprovalState.Unapproved
-  }
-
 /** Summarizes channel connection state, surfacing errors before connected counts. */
 private fun channelsSummaryText(summary: GatewayChannelsSummary): String {
   val connected = summary.channels.count { it.connected }

apps/android/app/src/main/java/ai/openclaw/app/ui/VoiceScreen.kt

@@ -97,7 +97,6 @@ fun VoiceScreen(
   val talkModeEnabled by viewModel.talkModeEnabled.collectAsState()
   val talkModeListening by viewModel.talkModeListening.collectAsState()
   val talkModeSpeaking by viewModel.talkModeSpeaking.collectAsState()
-  val talkModeStatusText by viewModel.talkModeStatusText.collectAsState()
   val talkModeConversation by viewModel.talkModeConversation.collectAsState()
 
   var pendingAction by remember { mutableStateOf<VoiceAction?>(null) }
@@ -120,16 +119,6 @@ fun VoiceScreen(
   val activeConversation = if (voiceCaptureMode == VoiceCaptureMode.TalkMode) talkModeConversation else micConversation
   val voiceActive = micEnabled || micIsSending || talkModeEnabled
   val gatewayReady = gatewayStatus.isVoiceGatewayReady()
-  val voiceAttentionStatus =
-    voiceAttentionStatus(
-      talkModeStatusText = talkModeStatusText,
-      voiceCaptureMode = voiceCaptureMode,
-      micEnabled = micEnabled,
-      micIsSending = micIsSending,
-      talkModeEnabled = talkModeEnabled,
-      talkModeListening = talkModeListening,
-      talkModeSpeaking = talkModeSpeaking,
-    )
   val activeStatus =
     voiceStatusLabel(
       gatewayStatus = gatewayStatus,
@@ -139,7 +128,6 @@ fun VoiceScreen(
       micIsSending = micIsSending,
       talkModeListening = talkModeListening,
       talkModeSpeaking = talkModeSpeaking,
-      voiceAttentionStatus = voiceAttentionStatus,
     )
 
   if (talkModeEnabled) {
@@ -181,7 +169,7 @@ fun VoiceScreen(
     verticalArrangement = Arrangement.spacedBy(10.dp),
   ) {
     VoiceHeader(
-      statusText = voiceAttentionStatus ?: if (voiceActive || !gatewayReady) activeStatus else "Your voice command center.",
+      statusText = if (voiceActive || !gatewayReady) activeStatus else "Your voice command center.",
       speakerEnabled = speakerEnabled,
       onToggleSpeaker = { viewModel.setSpeakerEnabled(!speakerEnabled) },
       onOpenCommand = onOpenCommand,
@@ -196,7 +184,6 @@ fun VoiceScreen(
       talkModeSpeaking = talkModeSpeaking,
       micLiveTranscript = micLiveTranscript,
       gatewayReady = gatewayReady,
-      voiceAttentionStatus = voiceAttentionStatus,
       onStartTalk = {
         runVoiceAction(
           action = VoiceAction.Talk,
@@ -255,9 +242,7 @@ private fun DictationScreen(
 ) {
   val lastUserText = conversation.lastOrNull { it.role == VoiceConversationRole.User }?.text
   val draftText = liveTranscript?.takeIf { it.isNotBlank() } ?: lastUserText.orEmpty()
-  val providerAttentionStatus = voiceRuntimeAttentionStatus(statusText)
-  val displayStatusText = providerAttentionStatus ?: statusText
-  val speechProviderReady = providerAttentionStatus == null && gatewayStatus.isVoiceGatewayReady()
+  val speechProviderReady = gatewayStatus.isVoiceGatewayReady()
   Column(
     modifier =
       Modifier
@@ -293,7 +278,7 @@ private fun DictationScreen(
           DictationWaveform(active = listening || sending)
           Row(horizontalArrangement = Arrangement.spacedBy(7.dp), verticalAlignment = Alignment.CenterVertically) {
             Icon(imageVector = Icons.Default.Mic, contentDescription = null, modifier = Modifier.size(15.dp), tint = if (listening) ClawTheme.colors.success else ClawTheme.colors.textMuted)
-            Text(text = displayStatusText, style = ClawTheme.type.body, color = ClawTheme.colors.textMuted)
+            Text(text = statusText, style = ClawTheme.type.body, color = ClawTheme.colors.textMuted)
           }
         }
       }
@@ -313,20 +298,13 @@ private fun DictationScreen(
         }
         Column(modifier = Modifier.weight(1f), verticalArrangement = Arrangement.spacedBy(2.dp)) {
           Text(text = "Speech provider", style = ClawTheme.type.section, color = ClawTheme.colors.text)
-          Text(
-            text = providerAttentionStatus ?: gatewayStatus.voiceGatewayLabel(),
-            style = ClawTheme.type.body,
-            color = ClawTheme.colors.textMuted,
-            maxLines = 1,
-            overflow = TextOverflow.Ellipsis,
-          )
+          Text(text = gatewayStatus.voiceGatewayLabel(), style = ClawTheme.type.body, color = ClawTheme.colors.textMuted, maxLines = 1, overflow = TextOverflow.Ellipsis)
         }
         Row(verticalAlignment = Alignment.CenterVertically, horizontalArrangement = Arrangement.spacedBy(6.dp)) {
           Text(
             text =
               when {
                 sending -> "Sending"
-                providerAttentionStatus != null -> "Attention"
                 speechProviderReady -> "Ready"
                 else -> "Offline"
               },
@@ -334,7 +312,6 @@ private fun DictationScreen(
             color =
               when {
                 sending -> ClawTheme.colors.warning
-                providerAttentionStatus != null -> ClawTheme.colors.warning
                 speechProviderReady -> ClawTheme.colors.success
                 else -> ClawTheme.colors.textMuted
               },
@@ -347,7 +324,6 @@ private fun DictationScreen(
                 .background(
                   when {
                     sending -> ClawTheme.colors.warning
-                    providerAttentionStatus != null -> ClawTheme.colors.warning
                     speechProviderReady -> ClawTheme.colors.success
                     else -> ClawTheme.colors.textSubtle
                   },
@@ -618,7 +594,6 @@ private fun VoiceHero(
   talkModeSpeaking: Boolean,
   micLiveTranscript: String?,
   gatewayReady: Boolean,
-  voiceAttentionStatus: String?,
   onStartTalk: () -> Unit,
   onStartDictation: () -> Unit,
   onConnectGateway: () -> Unit,
@@ -641,7 +616,6 @@ private fun VoiceHero(
       Text(
         text =
           when {
-            voiceAttentionStatus != null -> voiceAttentionStatus
             talkModeSpeaking -> "OpenClaw is replying"
             talkModeListening -> "Listening"
             talkModeEnabled -> "Talk is live"
@@ -698,7 +672,7 @@ private fun VoiceHero(
       )
     }
 
-    VoiceProviderCard(gatewayStatus = gatewayStatus, voiceAttentionStatus = voiceAttentionStatus)
+    VoiceProviderCard(gatewayStatus = gatewayStatus)
 
     VoicePrimaryAction(
       text =
@@ -760,11 +734,8 @@ private fun VoiceModeRow(
 }
 
 @Composable
-private fun VoiceProviderCard(
-  gatewayStatus: String,
-  voiceAttentionStatus: String?,
-) {
-  val ready = voiceAttentionStatus == null && gatewayStatus.isVoiceGatewayReady()
+private fun VoiceProviderCard(gatewayStatus: String) {
+  val ready = gatewayStatus.isVoiceGatewayReady()
   Surface(
     modifier = Modifier.fillMaxWidth().heightIn(min = 58.dp),
     shape = RoundedCornerShape(ClawTheme.radii.panel),
@@ -790,13 +761,7 @@ private fun VoiceProviderCard(
       }
       Column(modifier = Modifier.weight(1f), verticalArrangement = Arrangement.spacedBy(2.dp)) {
         Text(text = "Provider", style = ClawTheme.type.body, color = ClawTheme.colors.text, maxLines = 1)
-        Text(
-          text = voiceAttentionStatus ?: gatewayStatus.voiceGatewayLabel(),
-          style = ClawTheme.type.caption,
-          color = ClawTheme.colors.textMuted,
-          maxLines = 1,
-          overflow = TextOverflow.Ellipsis,
-        )
+        Text(text = gatewayStatus.voiceGatewayLabel(), style = ClawTheme.type.caption, color = ClawTheme.colors.textMuted, maxLines = 1, overflow = TextOverflow.Ellipsis)
       }
       Row(verticalAlignment = Alignment.CenterVertically, horizontalArrangement = Arrangement.spacedBy(7.dp)) {
         Box(
@@ -804,25 +769,9 @@ private fun VoiceProviderCard(
             Modifier
               .size(7.dp)
               .clip(CircleShape)
-              .background(
-                when {
-                  ready -> ClawTheme.colors.success
-                  voiceAttentionStatus != null -> ClawTheme.colors.warning
-                  else -> ClawTheme.colors.textSubtle
-                },
-              ),
-        )
-        Text(
-          text =
-            when {
-              ready -> "Ready"
-              voiceAttentionStatus != null -> "Attention"
-              else -> "Offline"
-            },
-          style = ClawTheme.type.caption,
-          color = ClawTheme.colors.textMuted,
-          maxLines = 1,
+              .background(if (ready) ClawTheme.colors.success else ClawTheme.colors.textSubtle),
         )
+        Text(text = if (ready) "Ready" else "Offline", style = ClawTheme.type.caption, color = ClawTheme.colors.textMuted, maxLines = 1)
       }
     }
   }
@@ -1019,7 +968,7 @@ private fun runVoiceAction(
   }
 }
 
-internal fun voiceStatusLabel(
+private fun voiceStatusLabel(
   gatewayStatus: String,
   voiceCaptureMode: VoiceCaptureMode,
   micStatusText: String,
@@ -1027,10 +976,8 @@ internal fun voiceStatusLabel(
   micIsSending: Boolean,
   talkModeListening: Boolean,
   talkModeSpeaking: Boolean,
-  voiceAttentionStatus: String?,
 ): String =
   when {
-    voiceAttentionStatus != null -> voiceAttentionStatus
     voiceCaptureMode == VoiceCaptureMode.TalkMode && talkModeSpeaking -> "OpenClaw is speaking"
     voiceCaptureMode == VoiceCaptureMode.TalkMode && talkModeListening -> "Listening"
     voiceCaptureMode == VoiceCaptureMode.TalkMode -> "Talk is live"
@@ -1041,69 +988,6 @@ internal fun voiceStatusLabel(
     else -> "Ready to talk"
   }
 
-internal fun voiceAttentionStatus(
-  talkModeStatusText: String,
-  voiceCaptureMode: VoiceCaptureMode,
-  micEnabled: Boolean,
-  micIsSending: Boolean,
-  talkModeEnabled: Boolean,
-  talkModeListening: Boolean,
-  talkModeSpeaking: Boolean,
-): String? {
-  if (voiceCaptureMode != VoiceCaptureMode.Off || micEnabled || micIsSending) return null
-  if (talkModeEnabled || talkModeListening || talkModeSpeaking) return null
-  val status = talkModeStatusText.trim()
-  if (status.isBlank()) return null
-  val lower = status.lowercase()
-  if (lower == "off" || lower == "ready" || lower == "listening" || lower == "connecting…") return null
-  return status
-    .takeIf {
-      lower.contains("failed") ||
-        lower.contains("unavailable") ||
-        lower.contains("permission required") ||
-        lower.contains("not connected") ||
-        lower.contains("error")
-    }?.let(::userFacingVoiceAttentionStatus)
-}
-
-internal fun voiceRuntimeAttentionStatus(statusText: String): String? {
-  val status = statusText.trim()
-  if (status.isBlank()) return null
-  val lower = status.lowercase()
-  return status
-    .takeIf {
-      lower.contains("transcription unavailable") ||
-        lower.contains("provider unavailable") ||
-        (lower.contains("provider") && lower.contains("not configured")) ||
-        lower.contains("no realtime transcription provider") ||
-        lower.contains("failed")
-    }?.let(::userFacingVoiceAttentionStatus)
-}
-
-private fun userFacingVoiceAttentionStatus(status: String): String {
-  val normalized =
-    status
-      .removePrefix("Start failed:")
-      .trim()
-      .removePrefix("Transcription unavailable:")
-      .trim()
-      .removePrefix("UNAVAILABLE:")
-      .trim()
-      .removePrefix("Error:")
-      .trim()
-  val lower = normalized.lowercase()
-  if (lower.contains("realtime voice provider") && lower.contains("not configured")) {
-    return "Realtime voice provider is not configured."
-  }
-  if (lower.contains("no realtime transcription provider")) {
-    return "Realtime transcription provider is not configured."
-  }
-  if (lower.contains("microphone permission required")) {
-    return "Microphone permission is required."
-  }
-  return if (normalized.length <= 90) normalized else "${normalized.take(87)}..."
-}
-
 private fun String.isVoiceGatewayReady(): Boolean {
   val status = lowercase()
   return !status.contains("offline") && !status.contains("not connected") && !status.contains("failed") && !status.contains("error")

apps/android/app/src/main/java/ai/openclaw/app/ui/chat/ChatMessageListCard.kt

@@ -15,7 +15,7 @@ import androidx.compose.foundation.layout.fillMaxSize
 import androidx.compose.foundation.layout.fillMaxWidth
 import androidx.compose.foundation.layout.padding
 import androidx.compose.foundation.lazy.LazyColumn
-import androidx.compose.foundation.lazy.itemsIndexed
+import androidx.compose.foundation.lazy.items
 import androidx.compose.foundation.lazy.rememberLazyListState
 import androidx.compose.foundation.shape.RoundedCornerShape
 import androidx.compose.material3.CircularProgressIndicator
@@ -40,19 +40,17 @@ fun ChatMessageListCard(
   modifier: Modifier = Modifier,
 ) {
   val listState = rememberLazyListState()
-  val timeline =
-    remember(messages, pendingRunCount, pendingToolCalls, streamingAssistantText) {
-      buildChatTimeline(
-        messages = messages,
-        pendingRunCount = pendingRunCount,
-        pendingToolCalls = pendingToolCalls,
-        streamingAssistantText = streamingAssistantText,
-      )
-    }
+  val displayMessages = remember(messages) { messages.asReversed() }
+  val stream = streamingAssistantText?.trim()
 
-  LaunchedEffect(timeline.scrollTargetIndex, timeline.items.size, pendingRunCount, pendingToolCalls.size) {
-    timeline.scrollTargetIndex?.let { index ->
-      listState.animateScrollToItem(index = index)
+  // New list items/tool rows should animate into view, but token streaming should not restart
+  // that animation on every delta.
+  LaunchedEffect(messages.size, pendingRunCount, pendingToolCalls.size) {
+    listState.animateScrollToItem(index = 0)
+  }
+  LaunchedEffect(stream) {
+    if (!stream.isNullOrEmpty()) {
+      listState.scrollToItem(index = 0)
     }
   }
 
@@ -66,17 +64,32 @@ fun ChatMessageListCard(
         androidx.compose.foundation.layout
           .PaddingValues(bottom = 8.dp),
     ) {
-      itemsIndexed(items = timeline.items, key = { _, item -> chatTimelineItemKey(item) }) { _, item ->
-        when (item) {
-          is ChatTimelineItem.Message -> ChatMessageBubble(message = item.message)
-          is ChatTimelineItem.PendingTools -> ChatPendingToolsBubble(toolCalls = item.toolCalls)
-          is ChatTimelineItem.StreamingAssistant -> ChatStreamingAssistantBubble(text = item.text)
-          ChatTimelineItem.Thinking -> ChatTypingIndicatorBubble()
+      // With reverseLayout = true, index 0 renders at the BOTTOM.
+      // So we emit newest items first: streaming → tools → typing → messages (newest→oldest).
+      if (!stream.isNullOrEmpty()) {
+        item(key = "stream") {
+          ChatStreamingAssistantBubble(text = stream)
         }
       }
+
+      if (pendingToolCalls.isNotEmpty()) {
+        item(key = "tools") {
+          ChatPendingToolsBubble(toolCalls = pendingToolCalls)
+        }
+      }
+
+      if (pendingRunCount > 0) {
+        item(key = "typing") {
+          ChatTypingIndicatorBubble()
+        }
+      }
+
+      items(items = displayMessages, key = { it.id }) { message ->
+        ChatMessageBubble(message = message)
+      }
     }
 
-    if (timeline.items.isEmpty()) {
+    if (messages.isEmpty() && pendingRunCount == 0 && pendingToolCalls.isEmpty() && streamingAssistantText.isNullOrBlank()) {
       if (historyLoading) {
         LoadingChatHint(modifier = Modifier.align(Alignment.Center))
       } else {

apps/android/app/src/main/java/ai/openclaw/app/ui/chat/ChatScreen.kt

@@ -31,7 +31,7 @@ import androidx.compose.foundation.layout.padding
 import androidx.compose.foundation.layout.size
 import androidx.compose.foundation.layout.width
 import androidx.compose.foundation.lazy.LazyColumn
-import androidx.compose.foundation.lazy.itemsIndexed
+import androidx.compose.foundation.lazy.items
 import androidx.compose.foundation.lazy.rememberLazyListState
 import androidx.compose.foundation.rememberScrollState
 import androidx.compose.foundation.shape.CircleShape
@@ -74,7 +74,6 @@ import kotlinx.coroutines.withContext
 import java.text.DateFormat
 import java.util.Date
 import java.util.Locale
-import kotlin.math.roundToInt
 
 /** Full chat surface that wires MainViewModel state to messages, attachments, voice, and composer actions. */
 @Composable
@@ -96,7 +95,6 @@ fun ChatScreen(
   val sessions by viewModel.chatSessions.collectAsState()
   val chatDraft by viewModel.chatDraft.collectAsState()
   val pendingAssistantAutoSend by viewModel.pendingAssistantAutoSend.collectAsState()
-  val contextUsage = resolveChatContextUsage(sessionKey = sessionKey, mainSessionKey = mainSessionKey, sessions = sessions)
   val context = LocalContext.current
   val resolver = context.contentResolver
   val scope = rememberCoroutineScope()
@@ -198,7 +196,6 @@ fun ChatScreen(
       onValueChange = { input = it },
       attachments = attachments,
       thinkingLevel = thinkingLevel,
-      contextUsage = contextUsage,
       healthOk = healthOk,
       pendingRunCount = pendingRunCount,
       onThinkingLevelChange = viewModel::setChatThinkingLevel,
@@ -409,19 +406,15 @@ private fun ChatMessageList(
   modifier: Modifier = Modifier,
 ) {
   val listState = rememberLazyListState()
-  val timeline =
-    remember(messages, pendingRunCount, pendingToolCalls, streamingAssistantText) {
-      buildChatTimeline(
-        messages = messages,
-        pendingRunCount = pendingRunCount,
-        pendingToolCalls = pendingToolCalls,
-        streamingAssistantText = streamingAssistantText,
-      )
-    }
+  val displayMessages = remember(messages) { messages.asReversed() }
+  val stream = streamingAssistantText?.trim()
 
-  LaunchedEffect(timeline.scrollTargetIndex, timeline.items.size, pendingRunCount, pendingToolCalls.size) {
-    timeline.scrollTargetIndex?.let { index ->
-      listState.animateScrollToItem(index = index)
+  LaunchedEffect(messages.size, pendingRunCount, pendingToolCalls.size) {
+    listState.animateScrollToItem(index = 0)
+  }
+  LaunchedEffect(stream) {
+    if (!stream.isNullOrEmpty()) {
+      listState.scrollToItem(index = 0)
     }
   }
 
@@ -433,29 +426,30 @@ private fun ChatMessageList(
       verticalArrangement = Arrangement.spacedBy(5.dp),
       contentPadding = PaddingValues(top = 6.dp, bottom = 3.dp),
     ) {
-      itemsIndexed(items = timeline.items, key = { _, item -> chatTimelineItemKey(item) }) { _, item ->
-        when (item) {
-          is ChatTimelineItem.Message ->
-            ChatBubble(
-              role = item.message.role,
-              live = false,
-              content = item.message.content,
-              timestampMs = item.message.timestampMs,
-            )
-          is ChatTimelineItem.PendingTools -> ToolBubble(toolCalls = item.toolCalls)
-          is ChatTimelineItem.StreamingAssistant ->
-            ChatBubble(
-              role = "assistant",
-              live = true,
-              content = listOf(ChatMessageContent(text = item.text)),
-              timestampMs = null,
-            )
-          ChatTimelineItem.Thinking -> ChatThinkingBubble()
+      if (!stream.isNullOrEmpty()) {
+        item(key = "stream") {
+          ChatBubble(role = "assistant", live = true, content = listOf(ChatMessageContent(text = stream)), timestampMs = null)
         }
       }
+
+      if (pendingToolCalls.isNotEmpty()) {
+        item(key = "tools") {
+          ToolBubble(toolCalls = pendingToolCalls)
+        }
+      }
+
+      if (pendingRunCount > 0) {
+        item(key = "thinking") {
+          ChatThinkingBubble()
+        }
+      }
+
+      items(items = displayMessages, key = { it.id }) { message ->
+        ChatBubble(role = message.role, live = false, content = message.content, timestampMs = message.timestampMs)
+      }
     }
 
-    if (timeline.items.isEmpty()) {
+    if (messages.isEmpty() && pendingRunCount == 0 && pendingToolCalls.isEmpty() && stream.isNullOrBlank()) {
       if (historyLoading) {
         ClawLoadingState(title = "Loading session", modifier = Modifier.align(Alignment.Center))
       } else {
@@ -688,7 +682,6 @@ private fun ChatComposer(
   onValueChange: (String) -> Unit,
   attachments: List<PendingImageAttachment>,
   thinkingLevel: String,
-  contextUsage: ChatContextUsage,
   healthOk: Boolean,
   pendingRunCount: Int,
   onThinkingLevelChange: (String) -> Unit,
@@ -703,11 +696,7 @@ private fun ChatComposer(
       AttachmentStrip(attachments = attachments, onRemoveAttachment = onRemoveAttachment)
     }
 
-    ChatContextMeter(
-      thinkingLevel = thinkingLevel,
-      contextUsage = contextUsage,
-      onClick = { onThinkingLevelChange(nextThinkingValue(thinkingLevel)) },
-    )
+    ChatContextMeter(thinkingLevel = thinkingLevel, onClick = { onThinkingLevelChange(nextThinkingValue(thinkingLevel)) })
 
     Row(modifier = Modifier.fillMaxWidth(), verticalAlignment = Alignment.CenterVertically, horizontalArrangement = Arrangement.spacedBy(6.dp)) {
       ChatInputPill(value = value, onValueChange = onValueChange, onPickImages = onPickImages, onVoice = onVoice, modifier = Modifier.weight(1f))
@@ -743,10 +732,8 @@ private fun ChatComposer(
 @Composable
 private fun ChatContextMeter(
   thinkingLevel: String,
-  contextUsage: ChatContextUsage,
   onClick: () -> Unit,
 ) {
-  val contextFraction = contextMeterWidth(contextUsage) ?: 0f
   Row(
     modifier = Modifier.width(178.dp),
     verticalAlignment = Alignment.CenterVertically,
@@ -765,13 +752,7 @@ private fun ChatContextMeter(
         horizontalArrangement = Arrangement.spacedBy(6.dp),
       ) {
         Icon(imageVector = Icons.Default.Refresh, contentDescription = null, modifier = Modifier.size(12.dp), tint = ClawTheme.colors.textSubtle)
-        Text(
-          text = contextMeterLabel(contextUsage, thinkingLevel),
-          style = ClawTheme.type.caption.copy(fontSize = 12.5.sp, lineHeight = 16.sp),
-          color = ClawTheme.colors.textMuted,
-          maxLines = 1,
-          overflow = TextOverflow.Ellipsis,
-        )
+        Text(text = "Context ${contextPercent(thinkingLevel)}%", style = ClawTheme.type.caption.copy(fontSize = 12.5.sp, lineHeight = 16.sp), color = ClawTheme.colors.textMuted)
       }
     }
     Box(
@@ -784,7 +765,7 @@ private fun ChatContextMeter(
       Box(
         modifier =
           Modifier
-            .fillMaxWidth(contextFraction)
+            .fillMaxWidth(thinkingMeterWidth(thinkingLevel))
             .height(3.dp)
             .background(ClawTheme.colors.primary, RoundedCornerShape(999.dp)),
       )
@@ -918,32 +899,6 @@ private fun isActiveSessionChoice(
   return choiceKey == current
 }
 
-internal data class ChatContextUsage(
-  val totalTokens: Long?,
-  val totalTokensFresh: Boolean?,
-  val contextTokens: Long?,
-)
-
-internal fun resolveChatContextUsage(
-  sessionKey: String,
-  mainSessionKey: String,
-  sessions: List<ChatSessionEntry>,
-): ChatContextUsage {
-  val entry =
-    sessions.firstOrNull {
-      isActiveSessionChoice(
-        choiceKey = it.key,
-        sessionKey = sessionKey,
-        mainSessionKey = mainSessionKey,
-      )
-  }
-  return ChatContextUsage(
-    totalTokens = entry?.totalTokens,
-    totalTokensFresh = entry?.totalTokensFresh,
-    contextTokens = entry?.contextTokens,
-  )
-}
-
 @Composable
 private fun SendButton(
   enabled: Boolean,
@@ -1000,29 +955,17 @@ private fun nextThinkingValue(value: String): String =
     else -> "off"
   }
 
-internal fun contextMeterWidth(usage: ChatContextUsage): Float? {
-  if (usage.totalTokensFresh == false) return null
-  val total = usage.totalTokens?.takeIf { it >= 0L } ?: return null
-  val context = usage.contextTokens?.takeIf { it > 0L } ?: return null
-  return (total.toDouble() / context.toDouble()).coerceIn(0.0, 1.0).toFloat()
-}
-
-internal fun contextMeterLabel(
-  usage: ChatContextUsage,
-  thinkingLevel: String,
-): String {
-  val contextLabel = contextMeterWidth(usage)?.let { "Context ${(it * 100).roundToInt()}%" } ?: "Context --"
-  return "$contextLabel · ${contextMeterThinkingLabel(thinkingLevel)}"
-}
-
-internal fun contextMeterThinkingLabel(value: String): String =
+/** Maps thinking presets to the visual context meter fill fraction. */
+private fun thinkingMeterWidth(value: String): Float =
   when (value.lowercase(Locale.US)) {
-    "low" -> "low"
-    "medium" -> "medium"
-    "high" -> "high"
-    else -> "off"
+    "low" -> 0.34f
+    "medium" -> 0.58f
+    "high" -> 0.82f
+    else -> 0.18f
   }
 
+private fun contextPercent(value: String): Int = (thinkingMeterWidth(value) * 100).toInt()
+
 private fun formatChatTimestamp(timestampMs: Long): String = DateFormat.getTimeInstance(DateFormat.SHORT, Locale.getDefault()).format(Date(timestampMs))
 
 /** Quick markdown detector used to avoid routing plain chat text through the markdown renderer. */

apps/android/app/src/main/java/ai/openclaw/app/ui/chat/ChatTimeline.kt

@@ -1,69 +0,0 @@
-package ai.openclaw.app.ui.chat
-
-import ai.openclaw.app.chat.ChatMessage
-import ai.openclaw.app.chat.ChatPendingToolCall
-
-internal sealed class ChatTimelineItem {
-  data class Message(
-    val message: ChatMessage,
-  ) : ChatTimelineItem()
-
-  data class StreamingAssistant(
-    val text: String,
-  ) : ChatTimelineItem()
-
-  data class PendingTools(
-    val toolCalls: List<ChatPendingToolCall>,
-  ) : ChatTimelineItem()
-
-  object Thinking : ChatTimelineItem()
-}
-
-internal data class ChatTimeline(
-  val items: List<ChatTimelineItem>,
-  val scrollTargetIndex: Int?,
-)
-
-internal fun buildChatTimeline(
-  messages: List<ChatMessage>,
-  pendingRunCount: Int,
-  pendingToolCalls: List<ChatPendingToolCall>,
-  streamingAssistantText: String?,
-): ChatTimeline {
-  val stream = streamingAssistantText?.trim()?.takeIf { it.isNotEmpty() }
-  val hasActiveRun = pendingRunCount > 0 || pendingToolCalls.isNotEmpty() || stream != null
-  val items =
-    buildList {
-      if (stream != null) add(ChatTimelineItem.StreamingAssistant(stream))
-      if (pendingToolCalls.isNotEmpty()) add(ChatTimelineItem.PendingTools(pendingToolCalls))
-      if (pendingRunCount > 0) add(ChatTimelineItem.Thinking)
-      messages.asReversed().forEach { message -> add(ChatTimelineItem.Message(message)) }
-    }
-  if (items.isEmpty()) return ChatTimeline(items = items, scrollTargetIndex = null)
-
-  // In reverseLayout, index 0 is bottom-most. During an active run, keep the prompt
-  // anchored so streaming/tool rows do not immediately push the just-sent message away.
-  val activePromptIndex =
-    if (hasActiveRun) {
-      items.indexOfFirst { item ->
-        item is ChatTimelineItem.Message &&
-          item.message.role
-            .trim()
-            .equals("user", ignoreCase = true)
-      }
-    } else {
-      -1
-    }
-  return ChatTimeline(
-    items = items,
-    scrollTargetIndex = activePromptIndex.takeIf { it >= 0 } ?: 0,
-  )
-}
-
-internal fun chatTimelineItemKey(item: ChatTimelineItem): String =
-  when (item) {
-    is ChatTimelineItem.Message -> "message:${item.message.id}"
-    is ChatTimelineItem.PendingTools -> "tools"
-    is ChatTimelineItem.StreamingAssistant -> "stream"
-    ChatTimelineItem.Thinking -> "thinking"
-  }