ci: add process exec codeql security shard

2026-06-15 18:49:31 +08:00 · 2026-06-13 20:38:21 +08:00
1586 changed files with 31822 additions and 126127 deletions
--- a/.agents/skills/crabbox/SKILL.md
+++ b/.agents/skills/crabbox/SKILL.md
@@ -54,13 +54,6 @@ pnpm crabbox:run -- --help | sed -n '1,120p'
 - For broad OpenClaw maintainer `pnpm` gates, prefer the repo wrapper with
  `--provider blacksmith-testbox` or the repo Testbox helpers when the standing
  Testbox policy applies.
- Cold Testbox acquisition and hydration often take tens of seconds. When broad
-  remote proof is likely, immediately start
-  `node scripts/crabbox-wrapper.mjs warmup --provider blacksmith-testbox --keep --timing-json`
-  in a background command session while inspecting, editing, and running
-  focused local tests. Poll later, reuse the returned `tbx_...` with
-  `--provider blacksmith-testbox --id <tbx_id>`, and stop it before handoff.
-  Do not warm speculatively when remote proof is unlikely.
 - Always report the actual provider and id. `cbx_...` means AWS Crabbox;
  `tbx_...` means Blacksmith Testbox through Crabbox. If the output only says
  `blacksmith testbox list`, use `blacksmith testbox list --all` before
--- a/.agents/skills/discord-user-post/SKILL.md
+++ b/.agents/skills/discord-user-post/SKILL.md
@@ -1,51 +0,0 @@
---
-name: discord-user-post
-description: Post an approved message as the logged-in Discord user through the Discord desktop app. Use for release announcements or other direct user-authored Discord posts; not for OpenClaw channel sends, bots, webhooks, relays, agent sessions, or archive search.
---
-
-# Discord User Post
-
-Use `$computer-use` to operate `/Applications/Discord.app` in the user's
-existing logged-in session. This workflow represents the user directly.
-
-## Prepare
-
-1. Draft the complete final message outside Discord.
-2. Confirm the intended server and channel with the user when either is
-   ambiguous.
-3. Open Discord and navigate to the exact destination without entering the
-   message.
-4. Verify the visible server name, channel header, and logged-in account.
-
-Do not infer the target from unrelated Discord content. Stop if Discord is not
-logged in, the account is wrong, or the exact destination cannot be verified.
-
-## Confirm and Post
-
-Posting is representational communication. Follow the `$computer-use`
-confirmation policy even when the user previously asked for an announcement:
-
-1. Show the user the exact final body and verified destination.
-2. Request action-time confirmation before typing into Discord.
-3. After confirmation, enter the approved body unchanged.
-4. Visually inspect the composed message and destination again.
-5. Send once.
-
-If the body or destination changes after confirmation, request confirmation
-again before sending.
-
-## Verify
-
- Confirm the message appears once, from the user's account, in the intended
-  channel.
- Report the server, channel, and visible send result.
- Do not edit, delete, react, or send a follow-up without the corresponding
-  user instruction and confirmation.
-
-## Guardrails
-
- Never use `openclaw message`, an OpenClaw agent, a Discord bot, webhook, relay,
-  or token for this workflow.
- Never expose private Discord content or account details in public output.
- Never send a draft, partial message, duplicate, or unreviewed attachment.
- For Discord archive/history/search, use `$discrawl` instead.
--- a/.agents/skills/discord-user-post/agents/openai.yaml
+++ b/.agents/skills/discord-user-post/agents/openai.yaml
@@ -1,4 +0,0 @@
-interface:
-  display_name: "Discord User Post"
-  short_description: "Post approved messages through the logged-in Discord app"
-  default_prompt: "Post this approved message as me through the logged-in Discord desktop app."
--- a/.agents/skills/openclaw-qa-testing/SKILL.md
+++ b/.agents/skills/openclaw-qa-testing/SKILL.md
@@ -13,7 +13,7 @@ Use this skill for `qa-lab` / `qa-channel` work. Repo-local QA only.
 - `docs/help/testing.md`
 - `docs/channels/qa-channel.md`
 - `qa/README.md`
- `qa/scenarios/index.yaml`
+- `qa/scenarios/index.md`
 - `extensions/qa-lab/src/suite.ts`
 - `extensions/qa-lab/src/character-eval.ts`

@@ -198,9 +198,7 @@ pnpm openclaw qa character-eval \
 - Judges default to `openai/gpt-5.4,thinking=xhigh,fast` and `anthropic/claude-opus-4-6,thinking=high`.
 - Report includes judge ranking, run stats, durations, and full transcripts; do not include raw judge replies. Duration is benchmark context, not a grading signal.
 - Candidate and judge concurrency default to 16. Use `--concurrency <n>` and `--judge-concurrency <n>` to override when local gateways or provider limits need a gentler lane.
- Scenario source is YAML-only under `qa/scenarios/`: use `index.yaml` and
-  per-scenario `*.yaml` files with top-level `title`, `scenario`, and optional
-  `flow`. Never add fenced `qa-scenario` / `qa-flow` Markdown files.
+- Scenario source should stay markdown-driven under `qa/scenarios/`.
 - For isolated character/persona evals, write the persona into `SOUL.md` and blank `IDENTITY.md` in the scenario flow. Use `SOUL.md + IDENTITY.md` only when intentionally testing how the normal OpenClaw identity combines with the character.
 - Keep prompts natural and task-shaped. The candidate model should receive character setup through `SOUL.md`, then normal user turns such as chat, workspace help, and small file tasks; do not ask "how would you react?" or tell the model it is in an eval.
 - Prefer at least one real task, such as creating or editing a tiny workspace artifact, so the transcript captures character under normal tool use instead of pure roleplay.
@@ -236,8 +234,7 @@ pnpm openclaw qa manual \

 ## Repo facts

- Seed scenarios live in `qa/scenarios/index.yaml` and
-  `qa/scenarios/<theme>/*.yaml`.
+- Seed scenarios live in `qa/`.
 - Main live runner: `extensions/qa-lab/src/suite.ts`
 - QA lab server: `extensions/qa-lab/src/lab-server.ts`
 - Child gateway harness: `extensions/qa-lab/src/gateway-child.ts`
@@ -265,9 +262,8 @@ pnpm openclaw qa manual \

 ## When adding scenarios

- Add or update scenario YAML under `qa/scenarios/`; do not add `.md` scenario
-  files or fenced YAML blocks.
- Keep kickoff expectations in `qa/scenarios/index.yaml` aligned
+- Add or update scenario markdown under `qa/scenarios/`
+- Keep kickoff expectations in `qa/scenarios/index.md` aligned
 - Add executable coverage in `extensions/qa-lab/src/suite.ts`
 - Prefer end-to-end assertions over mock-only checks
 - Save outputs under `.artifacts/qa-e2e/`
--- a/.agents/skills/release-openclaw-announcement/SKILL.md
+++ b/.agents/skills/release-openclaw-announcement/SKILL.md
@@ -6,8 +6,7 @@ description: "Draft or post OpenClaw beta/stable Discord release announcements f
 # OpenClaw Release Announcement

 Use with `release-openclaw-maintainer` after a beta or stable release is live.
-Use with `$discord-user-post` when actually posting to Discord as the logged-in
-user.
+Use with `openclaw-discord` when actually posting to Discord.

 ## Evidence First

@@ -81,7 +80,6 @@ Fresh installs still point to `https://openclaw.ai`.

 ## Posting

-When asked to post, use `$discord-user-post` to operate the logged-in Discord
-desktop app as the user. Resolve and visibly verify the exact server/channel,
-inspect the final body, and request action-time confirmation before entering or
-sending it. Never use OpenClaw channel sends, bots, webhooks, relays, or tokens.
+When asked to post, use the configured Discord workflow from
+`openclaw-discord` or the approved OpenClaw relay. Never print tokens.
+For public channels, inspect the final body before sending.
--- a/.agents/skills/release-openclaw-maintainer/SKILL.md
+++ b/.agents/skills/release-openclaw-maintainer/SKILL.md
@@ -150,21 +150,9 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
 - Stable Windows Hub release closeout requires the signed
  `OpenClawCompanion-Setup-x64.exe`, `OpenClawCompanion-Setup-arm64.exe`, and
  `OpenClawCompanion-SHA256SUMS.txt` assets on the canonical
-  `openclaw/openclaw` GitHub Release. Pass the exact signed
-  `openclaw/openclaw-windows-node` release tag as `windows_node_tag` to
-  `OpenClaw Release Publish`, together with the candidate-approved
-  `windows_node_installer_digests` map; it prevalidates the published source
-  release and required installers against that map before any publish child,
-  dispatches the public `Windows Node Release` workflow while the OpenClaw
-  release is still a draft, carries those pinned source asset digests
-  unchanged, verifies the expected OpenClaw Foundation Authenticode signer on
-  Windows, re-downloads and checksum-verifies the promoted asset contract, and
-  blocks publication until the canonical asset contract is present. Use direct
-  `Windows Node Release` dispatch only for recovery, always with an exact tag,
-  never `latest`, and the explicit `expected_installer_digests` JSON map from
-  the approved source release. Recovery rejects unexpected
-  `OpenClawCompanion-*` target asset names, then replaces the expected contract
-  assets with the pinned source bytes.
+  `openclaw/openclaw` GitHub Release. Use the public `Windows Node Release`
+  workflow after the matching `openclaw/openclaw-windows-node` release exists;
+  it verifies Authenticode signatures on Windows before uploading assets.
 - Website Windows Hub download links should target exact canonical
  `openclaw/openclaw/releases/download/vYYYY.M.PATCH/...` assets for the current
  stable release, or `releases/latest/download/...` only after verifying the
@@ -321,7 +309,6 @@ Upgrade with the beta channel.
 Before tagging or publishing, run:

 ```bash
-pnpm release:fast-pretag-check
 pnpm check:architecture
 pnpm build
 pnpm ui:build
@@ -330,21 +317,6 @@ pnpm release:check
 pnpm test:install:smoke
 ```

- Treat `pnpm release:fast-pretag-check` as a hard packaging gate. Every
-  publishable plugin must have a non-empty package-root `README.md`, build its
-  package-local runtime, and pass the npm and ClawHub release metadata checks
-  before a tag or publish workflow can start. Do not defer README, entrypoint,
-  or packed-artifact failures to postpublish verification.
- Before tagging, require green CI for the exact release-candidate SHA, not an
-  earlier branch SHA. Heal every related red CI, release-check, packaging, or
-  root-Dockerfile lane on the release branch, forward-port the fix to `main`,
-  and rerun the affected exact-SHA gates. Never waive a red Docker lane because
-  npm preflight passed.
- Root Dockerfile proof is mandatory before every beta and stable tag. Run the
-  release `install-smoke` group or equivalent root Dockerfile build for the
-  exact candidate SHA and require it to pass. The tag-triggered Docker Release
-  workflow is post-tag publishing, not the first valid proof that the root
-  Dockerfile can build.
 - Before tagging, diff publishable plugin package manifests against the last
  reachable stable/beta release tag. For every newly publishable package
  (`openclaw.release.publishToNpm: true` or `publishToClawHub: true`) whose
@@ -660,10 +632,9 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
   off, live OpenAI off, and regression failure off. Let it run in parallel
   with preflight and validation work.
 10. Run the fast local beta preflight from the release branch before any npm
-    preflight or publish. Require exact-SHA CI and root Dockerfile install-smoke
-    to be green before tagging. Keep the remaining expensive Docker, Parallels,
-    and published-package install/update lanes for after the beta is live unless
-    the operator asks to run them before beta publication.
+    preflight or publish. Keep expensive Docker, Parallels, and published-package
+    install/update lanes for after the beta is live unless the operator asks to
+    run them before beta publication.
 11. For beta releases, skip mac app build/sign/notarize unless beta scope or a
    release blocker specifically requires it. For stable releases, include the
    mac app, signing, notarization, and appcast path.
@@ -704,23 +675,19 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
    where npm did not publish the beta version, delete/recreate the same beta
    tag and any accidental draft/incomplete prerelease at the fixed commit
    instead of skipping a prerelease number.
-22. Start `.github/workflows/openclaw-release-publish.yml` from the same branch with
+22. Start `.github/workflows/openclaw-npm-release.yml` from the same branch with
    the same tag for the real publish, choose `npm_dist_tag` (`beta` default,
    `latest` only when you intentionally want direct stable publish), keep it
    the same as the preflight run, and pass the successful npm
-    `preflight_run_id` plus the successful `full_release_validation_run_id`.
-    For stable publish, also pass the exact non-prerelease
-    `openclaw/openclaw-windows-node` tag as `windows_node_tag` and its
-    candidate-approved installer digest map as `windows_node_installer_digests`.
+    `preflight_run_id`.
 23. Wait for `npm-release` approval from `@openclaw/openclaw-release-managers`.
 24. Wait for the real publish workflow to run postpublish verification,
    create or update the GitHub release as a draft, upload dependency evidence,
-    promote and verify the required Windows Hub assets for stable releases,
    append release verification proof, and only then undraft/publish it. If a
-    waited plugin publish or Windows Hub promotion fails after OpenClaw npm
-    succeeds, the workflow keeps the release draft with OpenClaw npm evidence
-    and exits red; do not undraft until the gap is repaired. The standalone
-    verifier command remains the recovery probe:
+    waited plugin publish fails after OpenClaw npm succeeds, the workflow keeps
+    the release draft with OpenClaw npm evidence and exits red; do not undraft
+    until the plugin publish gap is repaired. The standalone verifier command
+    remains the recovery probe:
    `node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>`.
 25. Run the post-published beta verification roster. First scan current `main`
    for critical fixes that landed after the release branch cut; backport only
--- a/.github/codeql/codeql-process-exec-boundary-critical-security.yml
+++ b/.github/codeql/codeql-process-exec-boundary-critical-security.yml
@@ -0,0 +1,61 @@
+name: openclaw-codeql-process-exec-boundary-critical-security
+
+disable-default-queries: true
+
+queries:
+  - uses: security-extended
+
+query-filters:
+  - include:
+      precision:
+        - high
+        - very-high
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/
+
+paths:
+  - src/process
+  - src/tui/tui-local-shell.ts
+  - src/tui/tui.ts
+  - src/plugin-sdk/windows-spawn.ts
+  - packages/agent-core/src/harness/env
+  - packages/memory-host-sdk/src/host
+  - extensions/acpx/src
+  - extensions/bonjour/src/advertiser.ts
+  - extensions/browser/src/browser/chrome-mcp.ts
+  - extensions/browser/src/browser/chrome.executables.ts
+  - extensions/browser/src/browser/chrome.ts
+  - extensions/codex/src/app-server/sandbox-exec-server
+  - extensions/codex/src/app-server/transport-stdio.ts
+  - extensions/codex/src/node-cli-sessions.ts
+  - extensions/codex-supervisor/src/json-rpc-client.ts
+  - extensions/file-transfer/src
+  - extensions/google-meet/src
+  - extensions/imessage/src
+  - extensions/memory-core/src/memory/qmd-manager.ts
+  - extensions/memory-wiki/src/obsidian.ts
+  - extensions/microsoft-foundry/cli.ts
+  - extensions/ollama/src/wsl2-crash-loop-check.ts
+  - extensions/qa-lab/src
+  - extensions/signal/src/daemon.ts
+  - extensions/tts-local-cli/speech-provider.ts
+  - extensions/voice-call/src
+  - scripts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.spec.ts"
+  - "**/*.spec.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1288,7 +1288,6 @@ jobs:
        env:
          OPENCLAW_LOCAL_CHECK: "0"
          TASK: ${{ matrix.task }}
-          PR_BASE_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || '' }}
        shell: bash
        run: |
          set -euo pipefail
@@ -1298,10 +1297,6 @@ jobs:
              pnpm tool-display:check
              pnpm check:host-env-policy:swift
              pnpm dup:check:coverage
-              if [ -n "$PR_BASE_SHA" ]; then
-                git fetch --no-tags --depth=1 origin "+${PR_BASE_SHA}:refs/remotes/origin/pr-base"
-                node scripts/report-test-temp-creations.mjs --base refs/remotes/origin/pr-base --head HEAD --no-merge-base
-              fi
              pnpm deps:patches:check
              pnpm lint:webhook:no-low-level-body-read
              pnpm lint:auth:no-pairing-store-group
@@ -1363,8 +1358,6 @@ jobs:
          - check_name: check-additional-boundaries-bcd
            group: boundaries
            boundary_shard: 2/4,3/4,4/4
-          - check_name: check-session-accessor-boundary
-            group: session-accessor-boundary
          - check_name: check-additional-extension-channels
            group: extension-channels
          - check_name: check-additional-extension-bundled
@@ -1511,15 +1504,6 @@ jobs:
            boundaries)
              node scripts/run-additional-boundary-checks.mjs
              ;;
-            session-accessor-boundary)
-              if [ ! -f scripts/check-session-accessor-boundary.mjs ]; then
-                echo "[skip] session accessor boundary check is not present in this checkout"
-              elif ! node -e 'const pkg = require("./package.json"); process.exit(pkg.scripts?.["lint:tmp:session-accessor-boundary"] ? 0 : 1);'; then
-                echo "[skip] session accessor boundary script is not present in package.json"
-              else
-                run_check "lint:tmp:session-accessor-boundary" pnpm run lint:tmp:session-accessor-boundary
-              fi
-              ;;
            extension-channels)
              run_check "lint:extensions:channels" pnpm run lint:extensions:channels
              ;;
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,7 +17,28 @@ on:
      - ".github/actions/**"
      - ".github/codeql/**"
      - ".github/workflows/**"
+      - "extensions/acpx/src/**"
+      - "extensions/bonjour/src/advertiser.ts"
+      - "extensions/browser/src/browser/chrome-mcp.ts"
+      - "extensions/browser/src/browser/chrome.executables.ts"
+      - "extensions/browser/src/browser/chrome.ts"
+      - "extensions/codex/src/app-server/sandbox-exec-server/**"
+      - "extensions/codex/src/app-server/transport-stdio.ts"
+      - "extensions/codex/src/node-cli-sessions.ts"
+      - "extensions/codex-supervisor/src/json-rpc-client.ts"
+      - "extensions/file-transfer/src/**"
+      - "extensions/google-meet/src/**"
+      - "extensions/imessage/src/**"
+      - "extensions/memory-core/src/memory/qmd-manager.ts"
+      - "extensions/memory-wiki/src/obsidian.ts"
+      - "extensions/microsoft-foundry/cli.ts"
+      - "extensions/ollama/src/wsl2-crash-loop-check.ts"
+      - "extensions/qa-lab/src/**"
+      - "extensions/signal/src/daemon.ts"
+      - "extensions/tts-local-cli/speech-provider.ts"
+      - "extensions/voice-call/src/**"
      - "packages/**"
+      - "scripts/**"
      - "src/**"
  push:
    branches:
@@ -26,7 +47,28 @@ on:
      - ".github/actions/**"
      - ".github/codeql/**"
      - ".github/workflows/**"
+      - "extensions/acpx/src/**"
+      - "extensions/bonjour/src/advertiser.ts"
+      - "extensions/browser/src/browser/chrome-mcp.ts"
+      - "extensions/browser/src/browser/chrome.executables.ts"
+      - "extensions/browser/src/browser/chrome.ts"
+      - "extensions/codex/src/app-server/sandbox-exec-server/**"
+      - "extensions/codex/src/app-server/transport-stdio.ts"
+      - "extensions/codex/src/node-cli-sessions.ts"
+      - "extensions/codex-supervisor/src/json-rpc-client.ts"
+      - "extensions/file-transfer/src/**"
+      - "extensions/google-meet/src/**"
+      - "extensions/imessage/src/**"
+      - "extensions/memory-core/src/memory/qmd-manager.ts"
+      - "extensions/memory-wiki/src/obsidian.ts"
+      - "extensions/microsoft-foundry/cli.ts"
+      - "extensions/ollama/src/wsl2-crash-loop-check.ts"
+      - "extensions/qa-lab/src/**"
+      - "extensions/signal/src/daemon.ts"
+      - "extensions/tts-local-cli/speech-provider.ts"
+      - "extensions/voice-call/src/**"
      - "packages/**"
+      - "scripts/**"
      - "src/**"
  schedule:
    - cron: "0 6 * * *"
@@ -73,6 +115,11 @@ jobs:
            runs_on: blacksmith-4vcpu-ubuntu-2404
            timeout_minutes: 25
            config_file: ./.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
+          - language: javascript-typescript
+            category: process-exec-boundary
+            runs_on: blacksmith-4vcpu-ubuntu-2404
+            timeout_minutes: 25
+            config_file: ./.github/codeql/codeql-process-exec-boundary-critical-security.yml
          - language: javascript-typescript
            category: plugin-trust-boundary
            runs_on: blacksmith-4vcpu-ubuntu-2404
--- a/.github/workflows/full-release-validation.yml
+++ b/.github/workflows/full-release-validation.yml
@@ -783,7 +783,7 @@ jobs:
          fi

          args=(
-            -f ref="$TARGET_REF"
+            -f ref="$TARGET_SHA"
            -f expected_sha="$TARGET_SHA"
            -f provider="$PROVIDER"
            -f mode="$MODE"
--- a/.github/workflows/ios-periphery-comment.yml
+++ b/.github/workflows/ios-periphery-comment.yml
@@ -1,447 +0,0 @@
-name: iOS Periphery Dead Code Comment
-
-on:
-  workflow_run: # zizmor: ignore[dangerous-triggers] trusted PR commenter; job gates repository, source event, workflow name, live open PR, and exact current head before reading artifacts or writing comments
-    workflows: ["iOS Periphery Dead Code"]
-    types: [completed]
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-permissions:
-  actions: read
-  contents: read
-  issues: write
-  pull-requests: read
-
-jobs:
-  comment:
-    name: Comment on PR
-    runs-on: ubuntu-24.04
-    if: >
-      github.repository == 'openclaw/openclaw' &&
-      github.event.workflow_run.event == 'pull_request' &&
-      github.event.workflow_run.name == 'iOS Periphery Dead Code'
-    steps:
-      - name: Upsert Periphery PR comment
-        uses: actions/github-script@v9
-        with:
-          script: |
-            const fs = require("node:fs");
-            const os = require("node:os");
-            const path = require("node:path");
-            const childProcess = require("node:child_process");
-
-            const marker = "<!-- openclaw-ios-periphery-dead-code -->";
-            const run = context.payload.workflow_run;
-            const pr = run.pull_requests?.[0];
-            if (!pr) {
-              core.info("No pull request attached to workflow_run.");
-              return;
-            }
-
-            const { owner, repo } = context.repo;
-            const repository = `${owner}/${repo}`;
-            if (run.repository?.full_name !== repository) {
-              core.info(`Skipping workflow_run from ${run.repository?.full_name ?? "unknown repository"}.`);
-              return;
-            }
-            if (run.event !== "pull_request") {
-              core.info(`Skipping workflow_run for ${run.event ?? "unknown"} event.`);
-              return;
-            }
-            if (run.name !== "iOS Periphery Dead Code") {
-              core.info(`Skipping unexpected workflow ${run.name ?? "unknown"}.`);
-              return;
-            }
-
-            const livePull = await github.rest.pulls.get({
-              owner,
-              repo,
-              pull_number: pr.number,
-            });
-            if (livePull.data.state !== "open") {
-              core.info(`Skipping closed PR #${pr.number}.`);
-              return;
-            }
-            if (livePull.data.base?.repo?.full_name !== repository) {
-              core.info(`Skipping PR #${pr.number} targeting ${livePull.data.base?.repo?.full_name ?? "unknown repository"}.`);
-              return;
-            }
-            if (livePull.data.head?.sha !== run.head_sha) {
-              core.info(`Skipping stale run ${run.id}; PR #${pr.number} is now at ${livePull.data.head?.sha}.`);
-              return;
-            }
-
-            const jobs = await github.paginate(github.rest.actions.listJobsForWorkflowRun, {
-              owner,
-              repo,
-              run_id: run.id,
-              filter: "latest",
-              per_page: 100,
-            });
-            const scopeJob = jobs.find((job) => job.name === "Detect iOS scan scope");
-            const scanJob = jobs.find((job) => job.name === "Scan iOS dead code");
-            const scanSkipped =
-              scopeJob?.conclusion === "success" && scanJob?.conclusion === "skipped";
-            if (scanSkipped) {
-              core.info(`Skipping intentionally omitted Periphery scan for PR #${pr.number}.`);
-            }
-
-            const artifacts = scanSkipped
-              ? []
-              : await github.paginate(github.rest.actions.listWorkflowRunArtifacts, {
-                  owner,
-                  repo,
-                  run_id: run.id,
-                  per_page: 100,
-                });
-
-            const readReport = async () => {
-              if (scanSkipped) {
-                return;
-              }
-              const artifactName = `ios-periphery-dead-code-${run.id}-${run.run_attempt}`;
-              const artifact = artifacts.find((item) => item.name === artifactName);
-              if (!artifact) {
-                core.warning(`No ${artifactName} artifact found.`);
-                return;
-              }
-              if (artifact.expired) {
-                core.warning(`${artifactName} artifact expired.`);
-                return;
-              }
-
-              const maxArchiveBytes = 1024 * 1024;
-              const archiveSize = Number(artifact.size_in_bytes);
-              if (!Number.isSafeInteger(archiveSize) || archiveSize < 0 || archiveSize > maxArchiveBytes) {
-                core.warning(`Skipping ${artifactName}; compressed artifact size ${artifact.size_in_bytes ?? "unknown"} exceeds the ${maxArchiveBytes} byte limit.`);
-                return;
-              }
-
-              const archive = await github.rest.actions.downloadArtifact({
-                owner,
-                repo,
-                artifact_id: artifact.id,
-                archive_format: "zip",
-              });
-
-              const dir = fs.mkdtempSync(path.join(os.tmpdir(), "ios-periphery-"));
-              const archivePath = path.join(dir, "artifact.zip");
-              const archiveBuffer = Buffer.from(archive.data);
-              fs.writeFileSync(archivePath, archiveBuffer);
-
-              const allowedArtifactFiles = new Set([
-                "periphery.json",
-                "periphery.status",
-                "periphery.stderr.log",
-                "periphery.stdout.json",
-                "should-fail.txt",
-              ]);
-              const maxEntries = allowedArtifactFiles.size;
-              const maxEntryBytes = 2 * 1024 * 1024;
-              const maxTotalBytes = 4 * 1024 * 1024;
-
-              const readUInt16 = (offset) => archiveBuffer.readUInt16LE(offset);
-              const readUInt32 = (offset) => archiveBuffer.readUInt32LE(offset);
-              const findEndOfCentralDirectoryOffset = () => {
-                const minimumOffset = Math.max(0, archiveBuffer.length - 0xffff - 22);
-                for (let offset = archiveBuffer.length - 22; offset >= minimumOffset; offset -= 1) {
-                  if (readUInt32(offset) === 0x06054b50) {
-                    return offset;
-                  }
-                }
-                return -1;
-              };
-
-              const endOfCentralDirectoryOffset = findEndOfCentralDirectoryOffset();
-              if (endOfCentralDirectoryOffset < 0) {
-                core.warning(`Skipping ${artifactName}; ZIP end-of-central-directory record was not found.`);
-                return;
-              }
-              const entryCount = readUInt16(endOfCentralDirectoryOffset + 10);
-              const centralDirectorySize = readUInt32(endOfCentralDirectoryOffset + 12);
-              const centralDirectoryOffset = readUInt32(endOfCentralDirectoryOffset + 16);
-              if (entryCount < 1 || entryCount > maxEntries) {
-                core.warning(`Skipping ${artifactName}; artifact has ${entryCount} entries.`);
-                return;
-              }
-              if (
-                centralDirectoryOffset + centralDirectorySize > archiveBuffer.length ||
-                readUInt32(centralDirectoryOffset) !== 0x02014b50
-              ) {
-                core.warning(`Skipping ${artifactName}; invalid ZIP central directory.`);
-                return;
-              }
-
-              const entries = new Map();
-              let totalUncompressedSize = 0;
-              let offset = centralDirectoryOffset;
-              for (let index = 0; index < entryCount; index += 1) {
-                if (offset + 46 > archiveBuffer.length || readUInt32(offset) !== 0x02014b50) {
-                  core.warning(`Skipping ${artifactName}; invalid central directory entry.`);
-                  return;
-                }
-
-                const compressionMethod = readUInt16(offset + 10);
-                const generalPurposeBitFlag = readUInt16(offset + 8);
-                const compressedSize = readUInt32(offset + 20);
-                const uncompressedSize = readUInt32(offset + 24);
-                const fileNameLength = readUInt16(offset + 28);
-                const extraLength = readUInt16(offset + 30);
-                const commentLength = readUInt16(offset + 32);
-                const externalAttributes = readUInt32(offset + 38);
-                const nameStart = offset + 46;
-                const nameEnd = nameStart + fileNameLength;
-                const nextOffset = nameEnd + extraLength + commentLength;
-                if (nextOffset > archiveBuffer.length) {
-                  core.warning(`Skipping ${artifactName}; central directory entry exceeds archive bounds.`);
-                  return;
-                }
-
-                const name = archiveBuffer.toString("utf8", nameStart, nameEnd);
-                const mode = externalAttributes >>> 16;
-                const fileType = mode & 0o170000;
-                const isRegularFile = fileType === 0 || fileType === 0o100000;
-                const invalidName =
-                  !allowedArtifactFiles.has(name) ||
-                  name.includes("/") ||
-                  name.includes("\\") ||
-                  name.includes("..") ||
-                  path.isAbsolute(name);
-                if (invalidName) {
-                  core.warning(`Skipping ${artifactName}; unexpected artifact entry ${name}.`);
-                  return;
-                }
-                if (!isRegularFile || name.endsWith("/")) {
-                  core.warning(`Skipping ${artifactName}; ${name} is not a regular file.`);
-                  return;
-                }
-                if (entries.has(name)) {
-                  core.warning(`Skipping ${artifactName}; duplicate artifact entry ${name}.`);
-                  return;
-                }
-                if (![0, 8].includes(compressionMethod)) {
-                  core.warning(`Skipping ${artifactName}; ${name} uses unsupported ZIP compression method ${compressionMethod}.`);
-                  return;
-                }
-                if ((generalPurposeBitFlag & 0x1) !== 0) {
-                  core.warning(`Skipping ${artifactName}; ${name} is encrypted.`);
-                  return;
-                }
-                if (compressedSize > maxEntryBytes || uncompressedSize > maxEntryBytes) {
-                  core.warning(`Skipping ${artifactName}; ${name} exceeds the per-file size limit.`);
-                  return;
-                }
-
-                totalUncompressedSize += uncompressedSize;
-                if (totalUncompressedSize > maxTotalBytes) {
-                  core.warning(`Skipping ${artifactName}; artifact exceeds the aggregate size limit.`);
-                  return;
-                }
-
-                entries.set(name, { uncompressedSize });
-                offset = nextOffset;
-              }
-
-              const files = new Map();
-              for (const [name, entry] of entries) {
-                const contents = childProcess.execFileSync("unzip", ["-p", archivePath, name], {
-                  encoding: "utf8",
-                  maxBuffer: Math.max(1, entry.uncompressedSize + 1024),
-                  timeout: 5000,
-                });
-                if (Buffer.byteLength(contents, "utf8") > maxEntryBytes) {
-                  core.warning(`Skipping ${artifactName}; ${name} exceeded the per-file size limit while reading.`);
-                  return;
-                }
-                files.set(name, contents);
-              }
-
-              const read = (name) => {
-                return files.get(name) ?? "";
-              };
-
-              const status = Number(read("periphery.status").trim() || "1");
-              let findings = null;
-              for (const name of ["periphery.json", "periphery.stdout.json"]) {
-                try {
-                  const parsed = JSON.parse(read(name));
-                  const validFindings =
-                    Array.isArray(parsed) &&
-                    parsed.every(
-                      (finding) =>
-                        finding !== null &&
-                        typeof finding === "object" &&
-                        !Array.isArray(finding),
-                    );
-                  if (validFindings) {
-                    findings = parsed;
-                    break;
-                  }
-                } catch {}
-              }
-              return { findings, status };
-            };
-            const report = await readReport();
-            const status = report?.status ?? 1;
-            const findings = report?.findings ?? null;
-
-            const sanitizeCell = (value) => {
-              const normalized = String(value ?? "")
-                .replace(/[\u0000-\u001f\u007f-\u009f]/gu, " ")
-                .replace(/[\u200b-\u200f\u202a-\u202e\u2060\u2066-\u2069\ufeff]/gu, "")
-                .replace(/\s+/gu, " ")
-                .trim();
-              const maxEncodedLength = 180;
-              let escaped = "";
-              for (const character of normalized) {
-                const encoded =
-                  character === "`"
-                    ? "'"
-                    : character === "|"
-                      ? "\\|"
-                      : character;
-                if (escaped.length + encoded.length > maxEncodedLength) {
-                  break;
-                }
-                escaped += encoded;
-              }
-              return `\`${escaped || "-"}\``;
-            };
-
-            const rows = (findings ?? []).map((finding) => {
-              const location = String(finding.location ?? "");
-              const [file, line] = location.split(":");
-              return {
-                file: file ? `apps/ios/${file}` : "",
-                line: line || "",
-                kind: String(finding.kind ?? ""),
-                name: String(finding.name ?? ""),
-              };
-            });
-
-            let mode = "failure";
-            let body = `${marker}\n`;
-            if (scanSkipped) {
-              mode = "skipped";
-              body += [
-                "### iOS Periphery",
-                "",
-                "Periphery scan skipped because the pull request is a draft or no longer touches iOS scan scope.",
-              ].join("\n");
-            } else if (findings === null) {
-              body += [
-                "### iOS Periphery",
-                "",
-                "Periphery did not complete or its report could not be safely read. Check the workflow run for details.",
-              ].join("\n");
-            } else if (rows.length === 0 && status === 0) {
-              mode = "success";
-              body += [
-                "### iOS Periphery",
-                "",
-                "No dead Swift code found.",
-              ].join("\n");
-            } else if (rows.length > 0) {
-              const shown = rows.slice(0, 50);
-              body += [
-                "### iOS Periphery",
-                "",
-                `Found ${rows.length} dead Swift code ${rows.length === 1 ? "symbol" : "symbols"}. Remove the code or add a narrow Periphery exemption with a comment explaining why it must stay.`,
-                "",
-                "| File | Line | Kind | Name |",
-                "| --- | ---: | --- | --- |",
-                ...shown.map((row) => `| ${sanitizeCell(row.file)} | ${sanitizeCell(row.line)} | ${sanitizeCell(row.kind)} | ${sanitizeCell(row.name)} |`),
-                rows.length > shown.length ? "" : null,
-                rows.length > shown.length ? `Showing first ${shown.length}; full JSON is in the workflow artifact.` : null,
-              ].filter(Boolean).join("\n");
-            } else {
-              body += [
-                "### iOS Periphery",
-                "",
-                "Periphery exited with a non-zero status before producing findings. Check the workflow artifact for stdout/stderr.",
-              ].join("\n");
-            }
-            body += "\n";
-            const maxCommentChars = 60_000;
-            if (body.length > maxCommentChars) {
-              body = [
-                marker,
-                "### iOS Periphery",
-                "",
-                `Found ${rows.length} dead Swift code ${rows.length === 1 ? "symbol" : "symbols"}. The rendered report exceeded the safe comment limit; use the workflow artifact for details.`,
-                "",
-              ].join("\n");
-            }
-
-            const comments = await github.paginate(github.rest.issues.listComments, {
-              owner,
-              repo,
-              issue_number: livePull.data.number,
-              per_page: 100,
-            });
-            const existing = comments.find(
-              (comment) =>
-                comment.user?.login === "github-actions[bot]" &&
-                comment.body?.includes(marker),
-            );
-
-            if (!existing && ["skipped", "success"].includes(mode)) {
-              core.info(`No existing Periphery comment and scan ${mode}; skipping comment.`);
-              return;
-            }
-
-            const currentPull = await github.rest.pulls.get({
-              owner,
-              repo,
-              pull_number: pr.number,
-            });
-            if (
-              currentPull.data.state !== "open" ||
-              currentPull.data.base?.repo?.full_name !== repository ||
-              currentPull.data.head?.sha !== run.head_sha
-            ) {
-              core.info(`Skipping stale run ${run.id}; PR #${pr.number} changed before comment update.`);
-              return;
-            }
-
-            const workflowRuns = await github.paginate(github.rest.actions.listWorkflowRuns, {
-              owner,
-              repo,
-              workflow_id: run.workflow_id,
-              event: "pull_request",
-              head_sha: run.head_sha,
-              per_page: 100,
-            });
-            const supersedingRun = workflowRuns.find(
-              (candidate) =>
-                (candidate.id === run.id ||
-                  candidate.pull_requests?.some(
-                    (candidatePull) => candidatePull.number === pr.number,
-                  )) &&
-                (candidate.run_number > run.run_number ||
-                  (candidate.run_number === run.run_number &&
-                    candidate.run_attempt > run.run_attempt)),
-            );
-            if (supersedingRun) {
-              core.info(`Skipping superseded run ${run.id} attempt ${run.run_attempt}; run ${supersedingRun.id} attempt ${supersedingRun.run_attempt} is newer.`);
-              return;
-            }
-
-            if (existing) {
-              await github.rest.issues.updateComment({
-                owner,
-                repo,
-                comment_id: existing.id,
-                body,
-              });
-              return;
-            }
-
-            await github.rest.issues.createComment({
-              owner,
-              repo,
-              issue_number: livePull.data.number,
-              body,
-            });
--- a/.github/workflows/ios-periphery.yml
+++ b/.github/workflows/ios-periphery.yml
@@ -1,229 +0,0 @@
-name: iOS Periphery Dead Code
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened, ready_for_review, converted_to_draft]
-  workflow_dispatch:
-
-concurrency:
-  group: ios-periphery-${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
-  cancel-in-progress: true
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-permissions:
-  contents: read
-  pull-requests: read
-
-jobs:
-  scope:
-    name: Detect iOS scan scope
-    runs-on: ubuntu-24.04
-    outputs:
-      should-scan: ${{ steps.scope.outputs.should-scan }}
-    steps:
-      - name: Detect changed paths
-        id: scope
-        uses: actions/github-script@v9
-        with:
-          script: |
-            if (context.eventName === "workflow_dispatch") {
-              core.setOutput("should-scan", "true");
-              return;
-            }
-            if (context.payload.pull_request?.draft) {
-              core.setOutput("should-scan", "false");
-              return;
-            }
-
-            const files = await github.paginate(github.rest.pulls.listFiles, {
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.payload.pull_request.number,
-              per_page: 100,
-            });
-            const isScanPath = (filename) =>
-              typeof filename === "string" && (
-                filename.startsWith("apps/ios/") ||
-                filename === ".github/workflows/ios-periphery.yml" ||
-                filename === ".github/workflows/ios-periphery-comment.yml" ||
-                filename === "config/swiftformat" ||
-                filename === "config/swiftlint.yml"
-              );
-            const shouldScan = files.some(
-              ({ filename, previous_filename: previousFilename }) =>
-                isScanPath(filename) || isScanPath(previousFilename)
-            );
-            core.setOutput("should-scan", String(shouldScan));
-
-  scan:
-    name: Scan iOS dead code
-    needs: scope
-    if: ${{ needs.scope.outputs.should-scan == 'true' }}
-    runs-on: ${{ github.event_name == 'workflow_dispatch' && 'macos-26' || (github.repository == 'openclaw/openclaw' && 'blacksmith-12vcpu-macos-26' || 'macos-26') }}
-    timeout-minutes: 45
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 1
-          fetch-tags: false
-          persist-credentials: false
-          submodules: false
-
-      - name: Verify Xcode
-        run: |
-          set -euo pipefail
-          for xcode_app in /Applications/Xcode_26.5.app /Applications/Xcode-26.5.0.app; do
-            if [ -d "$xcode_app/Contents/Developer" ]; then
-              sudo xcode-select -s "$xcode_app/Contents/Developer"
-              break
-            fi
-          done
-          xcodebuild -version
-          xcode_version="$(xcodebuild -version | awk 'NR == 1 { print $2 }')"
-          if [[ "$xcode_version" != 26.* ]]; then
-            echo "error: expected Xcode 26.x, got $xcode_version" >&2
-            exit 1
-          fi
-          swift --version
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Install iOS Swift tooling
-        run: brew install xcodegen swiftformat swiftlint periphery
-
-      - name: Generate iOS project
-        run: |
-          set -euo pipefail
-          ./scripts/ios-configure-signing.sh
-          ./scripts/ios-write-version-xcconfig.sh
-          cd apps/ios
-          xcodegen generate
-
-      - name: Run Periphery
-        run: |
-          set -euo pipefail
-          output_dir="$RUNNER_TEMP/ios-periphery"
-          mkdir -p "$output_dir"
-          cd apps/ios
-          set +e
-          periphery scan \
-            --config .periphery.yml \
-            --strict \
-            --format json \
-            --write-results "$output_dir/periphery.json" \
-            >"$output_dir/periphery.stdout.json" \
-            2>"$output_dir/periphery.stderr.log"
-          periphery_status="$?"
-          set -e
-          printf '%s\n' "$periphery_status" >"$output_dir/periphery.status"
-          if [ ! -s "$output_dir/periphery.json" ]; then
-            cp "$output_dir/periphery.stdout.json" "$output_dir/periphery.json"
-          fi
-
-      - name: Build Periphery report
-        run: |
-          set -euo pipefail
-          node <<'NODE'
-          const fs = require("node:fs");
-          const path = require("node:path");
-
-          const outputDir = path.join(process.env.RUNNER_TEMP, "ios-periphery");
-          const read = (name) => {
-            const file = path.join(outputDir, name);
-            return fs.existsSync(file) ? fs.readFileSync(file, "utf8") : "";
-          };
-
-          const status = Number(read("periphery.status").trim() || "1");
-          let findings = null;
-          for (const name of ["periphery.json", "periphery.stdout.json"]) {
-            try {
-              const parsed = JSON.parse(read(name));
-              if (Array.isArray(parsed)) {
-                findings = parsed;
-                break;
-              }
-            } catch {}
-          }
-
-          const escapeCommandData = (value) =>
-            String(value ?? "")
-              .replaceAll("%", "%25")
-              .replaceAll("\r", "%0D")
-              .replaceAll("\n", "%0A");
-          const escapeCommandProperty = (value) =>
-            escapeCommandData(value)
-              .replaceAll(":", "%3A")
-              .replaceAll(",", "%2C");
-
-          const rows = (findings ?? []).map((finding) => {
-            const location = String(finding.location ?? "");
-            const [file, line] = location.split(":");
-            const repoFile = file ? `apps/ios/${file}` : "";
-            return {
-              file: repoFile,
-              line: line || "",
-              kind: String(finding.kind ?? ""),
-              name: String(finding.name ?? ""),
-            };
-          });
-
-          for (const row of rows) {
-            if (!row.file) continue;
-            const line = row.line ? `,line=${escapeCommandProperty(row.line)}` : "";
-            const title = `${row.kind || "Unused code"} ${row.name}`.trim();
-            console.log(`::error file=${escapeCommandProperty(row.file)}${line},title=Dead Swift code::${escapeCommandData(title)}`);
-          }
-
-          let shouldFail = "1";
-          let summary = "";
-
-          if (findings === null) {
-            summary = [
-              "### iOS Periphery",
-              "",
-              "Periphery did not complete. Check the workflow artifact for stdout/stderr.",
-            ].join("\n");
-          } else if (rows.length === 0 && status === 0) {
-            shouldFail = "0";
-            summary = [
-              "### iOS Periphery",
-              "",
-              "No dead Swift code found.",
-            ].join("\n");
-          } else if (rows.length > 0) {
-            summary = [
-              "### iOS Periphery",
-              "",
-              `Found ${rows.length} dead Swift code ${rows.length === 1 ? "symbol" : "symbols"}. See the PR comment or workflow artifact for details.`,
-            ].join("\n");
-          } else {
-            summary = [
-              "### iOS Periphery",
-              "",
-              "Periphery exited with a non-zero status before producing findings. Check the workflow artifact for stdout/stderr.",
-            ].join("\n");
-          }
-
-          fs.writeFileSync(path.join(outputDir, "should-fail.txt"), `${shouldFail}\n`);
-          fs.appendFileSync(process.env.GITHUB_STEP_SUMMARY, `${summary.trim()}\n`);
-          NODE
-
-      - name: Upload Periphery report
-        if: always()
-        uses: actions/upload-artifact@v7
-        with:
-          name: ios-periphery-dead-code-${{ github.run_id }}-${{ github.run_attempt }}
-          path: ${{ runner.temp }}/ios-periphery
-          if-no-files-found: warn
-          retention-days: 14
-
-      - name: Fail on dead code
-        run: |
-          set -euo pipefail
-          test "$(cat "$RUNNER_TEMP/ios-periphery/should-fail.txt")" = "0"
--- a/.github/workflows/mantis-telegram-live.yml
+++ b/.github/workflows/mantis-telegram-live.yml
@@ -379,6 +379,7 @@ jobs:
          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
          OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
+          OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
          CRABBOX_COORDINATOR: ${{ secrets.CRABBOX_COORDINATOR }}
          CRABBOX_COORDINATOR_TOKEN: ${{ secrets.CRABBOX_COORDINATOR_TOKEN }}
          OPENCLAW_QA_MANTIS_CRABBOX_COORDINATOR: ${{ secrets.OPENCLAW_QA_MANTIS_CRABBOX_COORDINATOR }}
--- a/.github/workflows/npm-telegram-beta-e2e.yml
+++ b/.github/workflows/npm-telegram-beta-e2e.yml
@@ -220,6 +220,7 @@ jobs:
          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
          OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
+          OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
          INPUT_SCENARIO: ${{ inputs.scenario }}
          PACKAGE_ARTIFACT_NAME: ${{ inputs.package_artifact_name || '' }}
        run: |
--- a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
+++ b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
@@ -420,7 +420,6 @@ jobs:
              add_suite live-cache

              add_profile_suite native-live-src-agents "stable full"
-              add_profile_suite native-live-src-agents-zai-coding "stable full"
              add_profile_suite native-live-src-gateway-core "beta minimum stable full"
              add_profile_suite native-live-src-gateway-profiles-anthropic "stable full"
              add_profile_suite native-live-src-gateway-profiles-anthropic-smoke "stable"
@@ -1957,12 +1956,6 @@ jobs:
            timeout_minutes: 60
            profile_env_only: false
            profiles: stable full
-          - suite_id: native-live-src-agents-zai-coding
-            label: Native live Z.AI Coding Plan
-            command: ZAI_CODING_LIVE_TEST=1 node .release-harness/scripts/test-live-shard.mjs native-live-src-agents-zai-coding
-            timeout_minutes: 15
-            profile_env_only: false
-            profiles: stable full
          - suite_id: native-live-src-gateway-core
            label: Native live gateway core
            command: OPENCLAW_LIVE_CODEX_HARNESS=1 OPENCLAW_LIVE_CODEX_HARNESS_AUTH=api-key node .release-harness/scripts/test-live-shard.mjs native-live-src-gateway-core
--- a/.github/workflows/openclaw-release-checks.yml
+++ b/.github/workflows/openclaw-release-checks.yml
@@ -1181,7 +1181,7 @@ jobs:
  runtime_tool_coverage_release_checks:
    name: Enforce QA Lab runtime tool coverage
    needs: [resolve_target, qa_lab_runtime_parity_release_checks]
-    if: contains(fromJSON('["all","qa","qa-parity"]'), needs.resolve_target.outputs.rerun_group)
+    if: always() && contains(fromJSON('["all","qa","qa-parity"]'), needs.resolve_target.outputs.rerun_group)
    runs-on: ubuntu-24.04
    timeout-minutes: 15
    permissions:
@@ -1204,35 +1204,13 @@ jobs:
          node-version: ${{ env.NODE_VERSION }}
          install-bun: "true"

-      - name: Download runtime parity status
-        uses: actions/download-artifact@v8
-        with:
-          name: release-check-status-qa-runtime-parity-${{ needs.resolve_target.outputs.revision }}
-          path: .artifacts/release-check-status/
-
-      - name: Verify runtime parity producer status
-        id: verify_runtime_parity_status
-        shell: bash
-        run: |
-          set -euo pipefail
-          status_path=".artifacts/release-check-status/qa_lab_runtime_parity_release_checks.env"
-          status="$(sed -n 's/^status=//p' "$status_path" | tail -n 1)"
-          if [[ "$status" != "success" ]]; then
-            echo "Runtime parity producer status is ${status:-missing}; skipping coverage artifact consumer."
-            echo "ready=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          echo "ready=true" >> "$GITHUB_OUTPUT"
-
      - name: Download runtime parity artifacts
-        if: steps.verify_runtime_parity_status.outputs.ready == 'true'
        uses: actions/download-artifact@v8
        with:
          name: release-qa-runtime-parity-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/

      - name: Enforce standard runtime tool coverage
-        if: steps.verify_runtime_parity_status.outputs.ready == 'true'
        run: |
          set -euo pipefail
          pnpm openclaw qa coverage \
@@ -1434,6 +1412,7 @@ jobs:
          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
          OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
+          OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
        run: |
          set -euo pipefail

--- a/.github/workflows/openclaw-release-publish.yml
+++ b/.github/workflows/openclaw-release-publish.yml
@@ -15,14 +15,6 @@ on:
        description: Successful Full Release Validation run id for this tag/SHA, required when publish_openclaw_npm=true
        required: false
        type: string
-      windows_node_tag:
-        description: Exact openclaw-windows-node release tag, required for stable OpenClaw publish
-        required: false
-        type: string
-      windows_node_installer_digests:
-        description: Candidate-approved compact JSON map of Windows installer names to pinned sha256 digests
-        required: false
-        type: string
      npm_telegram_run_id:
        description: Optional successful NPM Telegram Beta E2E run id to include in final release evidence
        required: false
@@ -89,15 +81,12 @@ jobs:
    outputs:
      sha: ${{ steps.manifest.outputs.sha || steps.ref.outputs.sha }}
      preflight_artifact_name: ${{ steps.preflight_artifact.outputs.name }}
-      windows_node_installer_digests: ${{ steps.windows_source.outputs.installer_digests }}
    steps:
      - name: Validate inputs
        env:
          RELEASE_TAG: ${{ inputs.tag }}
          PREFLIGHT_RUN_ID: ${{ inputs.preflight_run_id }}
          FULL_RELEASE_VALIDATION_RUN_ID: ${{ inputs.full_release_validation_run_id }}
-          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
-          WINDOWS_NODE_INSTALLER_DIGESTS: ${{ inputs.windows_node_installer_digests }}
          PUBLISH_OPENCLAW_NPM: ${{ inputs.publish_openclaw_npm && 'true' || 'false' }}
          PLUGIN_PUBLISH_SCOPE: ${{ inputs.plugin_publish_scope }}
          PLUGINS: ${{ inputs.plugins }}
@@ -126,22 +115,6 @@ jobs:
            echo "publish_openclaw_npm=true requires full_release_validation_run_id." >&2
            exit 1
          fi
-          stable_release=true
-          if [[ "${RELEASE_TAG}" == *"-alpha."* || "${RELEASE_TAG}" == *"-beta."* ]]; then
-            stable_release=false
-          fi
-          if [[ -n "${WINDOWS_NODE_TAG}" && ! "${WINDOWS_NODE_TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z]+([.-][0-9A-Za-z]+)*)?$ ]]; then
-            echo "windows_node_tag must be an explicit openclaw-windows-node release tag, not latest: ${WINDOWS_NODE_TAG}" >&2
-            exit 1
-          fi
-          if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" && "${stable_release}" == "true" && -z "${WINDOWS_NODE_TAG}" ]]; then
-            echo "Stable OpenClaw publish requires an explicit windows_node_tag." >&2
-            exit 1
-          fi
-          if [[ "${PUBLISH_OPENCLAW_NPM}" == "true" && "${stable_release}" == "true" && -z "${WINDOWS_NODE_INSTALLER_DIGESTS}" ]]; then
-            echo "Stable OpenClaw publish requires candidate-approved windows_node_installer_digests." >&2
-            exit 1
-          fi
          tideclaw_alpha_publish=false
          if [[ "${RELEASE_TAG}" == *"-alpha."* && "${RELEASE_NPM_DIST_TAG}" == "alpha" && "${WORKFLOW_REF}" =~ ^refs/heads/tideclaw/alpha/[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{4}Z$ ]]; then
            tideclaw_alpha_publish=true
@@ -170,73 +143,6 @@ jobs:
              ;;
          esac

-      - name: Validate stable Windows source release
-        id: windows_source
-        if: ${{ inputs.publish_openclaw_npm }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          RELEASE_TAG: ${{ inputs.tag }}
-          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
-          APPROVED_INSTALLER_DIGESTS: ${{ inputs.windows_node_installer_digests }}
-        run: |
-          set -euo pipefail
-          if [[ "${RELEASE_TAG}" == *"-alpha."* || "${RELEASE_TAG}" == *"-beta."* ]]; then
-            exit 0
-          fi
-
-          source_json="$(gh release view "${WINDOWS_NODE_TAG}" \
-            --repo openclaw/openclaw-windows-node \
-            --json tagName,isDraft,isPrerelease,assets,url)"
-          if [[ "$(printf '%s' "${source_json}" | jq -r '.tagName')" != "${WINDOWS_NODE_TAG}" ]]; then
-            echo "Windows source release tag does not match ${WINDOWS_NODE_TAG}." >&2
-            exit 1
-          fi
-          if [[ "$(printf '%s' "${source_json}" | jq -r '.isDraft')" == "true" ]]; then
-            echo "Stable OpenClaw publish requires a published Windows source release." >&2
-            exit 1
-          fi
-          if [[ "$(printf '%s' "${source_json}" | jq -r '.isPrerelease')" == "true" ]]; then
-            echo "Stable OpenClaw publish requires a non-prerelease Windows source release." >&2
-            exit 1
-          fi
-
-          required_assets=(
-            "OpenClawCompanion-Setup-x64.exe"
-            "OpenClawCompanion-Setup-arm64.exe"
-          )
-          required_assets_json="$(printf '%s\n' "${required_assets[@]}" | jq -R . | jq -sc .)"
-          if ! approved_installer_digests="$(printf '%s' "${APPROVED_INSTALLER_DIGESTS}" | jq -ce --argjson names "${required_assets_json}" '
-            if type == "object" and
-              (keys | sort) == ($names | sort) and
-              all(.[]; type == "string" and test("^sha256:[a-f0-9]{64}$"))
-            then .
-            else error("invalid candidate-approved Windows installer digest map")
-            end
-          ')"; then
-            echo "windows_node_installer_digests must contain exactly the candidate-approved current installer asset contract." >&2
-            exit 1
-          fi
-          for asset_name in "${required_assets[@]}"; do
-            asset_matches="$(printf '%s' "${source_json}" | jq -c --arg name "${asset_name}" '[.assets[]? | select(.name == $name)]')"
-            asset_match_count="$(printf '%s' "${asset_matches}" | jq 'length')"
-            if [[ "${asset_match_count}" != "1" ]]; then
-              echo "Windows source release ${WINDOWS_NODE_TAG} must contain exactly one required asset ${asset_name}; found ${asset_match_count}." >&2
-              exit 1
-            fi
-            asset_digest="$(printf '%s' "${asset_matches}" | jq -r '.[0].digest // empty')"
-            if [[ ! "${asset_digest}" =~ ^sha256:[a-f0-9]{64}$ ]]; then
-              echo "Windows source release ${WINDOWS_NODE_TAG} asset ${asset_name} is missing its immutable SHA-256 digest." >&2
-              exit 1
-            fi
-            approved_digest="$(printf '%s' "${approved_installer_digests}" | jq -r --arg name "${asset_name}" '.[$name]')"
-            if [[ "${asset_digest}" != "${approved_digest}" ]]; then
-              echo "Windows source release ${WINDOWS_NODE_TAG} asset ${asset_name} no longer matches its candidate-approved digest." >&2
-              exit 1
-            fi
-          done
-          echo "installer_digests=${approved_installer_digests}" >> "$GITHUB_OUTPUT"
-          echo "- Windows Node source release: prevalidated \`${WINDOWS_NODE_TAG}\`" >> "$GITHUB_STEP_SUMMARY"
-
      - name: Download OpenClaw npm preflight manifest
        id: preflight_artifact
        if: ${{ inputs.publish_openclaw_npm }}
@@ -431,7 +337,6 @@ jobs:
          TARGET_SHA: ${{ steps.manifest.outputs.sha || steps.ref.outputs.sha }}
          RELEASE_PROFILE: ${{ steps.full_manifest.outputs.release_profile || inputs.release_profile }}
          FULL_RELEASE_VALIDATION_RUN_ID: ${{ inputs.full_release_validation_run_id }}
-          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
        run: |
          {
            echo "### Release target"
@@ -442,16 +347,13 @@ jobs:
            if [[ -n "${FULL_RELEASE_VALIDATION_RUN_ID// }" ]]; then
              echo "- Full release validation: \`${FULL_RELEASE_VALIDATION_RUN_ID}\`"
            fi
-            if [[ -n "${WINDOWS_NODE_TAG// }" ]]; then
-              echo "- Windows Node source release: \`${WINDOWS_NODE_TAG}\`"
-            fi
          } >> "$GITHUB_STEP_SUMMARY"

  publish:
    name: Publish plugins, then OpenClaw
    needs: [resolve_release_target]
    runs-on: ubuntu-latest
-    timeout-minutes: 120
+    timeout-minutes: 60
    environment: npm-release
    steps:
      - name: Checkout release SHA
@@ -481,16 +383,10 @@ jobs:
          WAIT_FOR_CLAWHUB: ${{ inputs.wait_for_clawhub && 'true' || 'false' }}
          PREFLIGHT_ARTIFACT_NAME: ${{ needs.resolve_release_target.outputs.preflight_artifact_name }}
          NPM_TELEGRAM_RUN_ID: ${{ inputs.npm_telegram_run_id }}
-          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
-          WINDOWS_NODE_INSTALLER_DIGESTS: ${{ needs.resolve_release_target.outputs.windows_node_installer_digests }}
          POSTPUBLISH_EVIDENCE_DIR: ${{ runner.temp }}/openclaw-release-postpublish-evidence
        run: |
          set -euo pipefail

-          is_stable_release() {
-            [[ "${RELEASE_TAG}" != *"-alpha."* && "${RELEASE_TAG}" != *"-beta."* ]]
-          }
-
          dispatch_workflow_at_ref() {
            local workflow_ref="$1"
            shift
@@ -940,105 +836,10 @@ jobs:
          }

          publish_github_release() {
-            if is_stable_release; then
-              verify_windows_release_asset_contract
-            fi
            gh release edit "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" --draft=false
            echo "- GitHub release: https://github.com/${GITHUB_REPOSITORY}/releases/tag/${RELEASE_TAG}" >> "$GITHUB_STEP_SUMMARY"
          }

-          verify_windows_release_asset_contract() {
-            local actual_companion_assets actual_digest asset_name expected_companion_assets expected_digest expected_hash expected_installer_names manifest_dir manifest_json manifest_path release_json
-            # Add future promoted installer names, such as MSIX x64/ARM64, here.
-            local -a installer_assets=(
-              "OpenClawCompanion-Setup-x64.exe"
-              "OpenClawCompanion-Setup-arm64.exe"
-            )
-            local -a required_assets=(
-              "${installer_assets[@]}"
-              "OpenClawCompanion-SHA256SUMS.txt"
-            )
-
-            release_json="$(gh release view "${RELEASE_TAG}" --repo "$GITHUB_REPOSITORY" --json assets,url)"
-            expected_companion_assets="$(printf '%s\n' "${required_assets[@]}" | jq -R . | jq -sc 'sort')"
-            actual_companion_assets="$(printf '%s' "${release_json}" | jq -c '
-              [.assets[]? | select(.name | startswith("OpenClawCompanion-")) | .name] | sort
-            ')"
-            if [[ "${actual_companion_assets}" != "${expected_companion_assets}" ]]; then
-              echo "Stable release OpenClawCompanion asset names do not exactly match the current contract." >&2
-              return 1
-            fi
-            for asset_name in "${required_assets[@]}"; do
-              if ! printf '%s' "${release_json}" | jq -e --arg name "${asset_name}" 'any(.assets[]?; .name == $name)' >/dev/null; then
-                echo "Stable release is missing required Windows asset ${asset_name}." >&2
-                return 1
-              fi
-            done
-
-            manifest_dir="${RUNNER_TEMP}/openclaw-windows-release-contract"
-            manifest_path="${manifest_dir}/OpenClawCompanion-SHA256SUMS.txt"
-            rm -rf "${manifest_dir}"
-            mkdir -p "${manifest_dir}"
-            gh release download "${RELEASE_TAG}" \
-              --repo "$GITHUB_REPOSITORY" \
-              --pattern "OpenClawCompanion-SHA256SUMS.txt" \
-              --dir "${manifest_dir}"
-            if ! manifest_json="$(jq -Rsc '
-              split("\n") as $lines |
-              (if $lines[-1] == "" then $lines[0:-1] else $lines end) |
-              map(sub("\r$"; "")) |
-              if all(.[]; test("^(?<hash>[a-f0-9]{64})  (?<name>[^/\\\\]+)$"))
-              then map(capture("^(?<hash>[a-f0-9]{64})  (?<name>[^/\\\\]+)$"))
-              else error("malformed Windows checksum manifest entry")
-              end
-            ' "${manifest_path}")"; then
-              echo "Stable release Windows checksum manifest contains malformed entries." >&2
-              return 1
-            fi
-            expected_installer_names="$(printf '%s\n' "${installer_assets[@]}" | jq -R . | jq -sc 'sort')"
-            if ! printf '%s' "${manifest_json}" | jq -e --argjson expected "${expected_installer_names}" '
-              length == ($expected | length) and
-              ([.[].name] | sort) == $expected and
-              ([.[].name] | unique | length) == length
-            ' >/dev/null; then
-              echo "Stable release Windows checksum manifest does not exactly match the installer asset contract." >&2
-              return 1
-            fi
-            for asset_name in "${installer_assets[@]}"; do
-              expected_digest="$(printf '%s' "${WINDOWS_NODE_INSTALLER_DIGESTS}" | jq -r --arg name "${asset_name}" '.[$name] // empty')"
-              actual_digest="$(printf '%s' "${release_json}" | jq -r --arg name "${asset_name}" '.assets[]? | select(.name == $name) | .digest // empty')"
-              if [[ -z "${expected_digest}" || "${actual_digest}" != "${expected_digest}" ]]; then
-                echo "Stable release Windows asset ${asset_name} does not match its pinned digest." >&2
-                return 1
-              fi
-              expected_hash="${expected_digest#sha256:}"
-              if ! printf '%s' "${manifest_json}" | jq -e --arg name "${asset_name}" --arg hash "${expected_hash}" '
-                any(.[]; .name == $name and .hash == $hash)
-              ' >/dev/null; then
-                echo "Stable release Windows checksum manifest does not match pinned digest for ${asset_name}." >&2
-                return 1
-              fi
-            done
-            echo "- Windows Hub asset contract: verified" >> "$GITHUB_STEP_SUMMARY"
-          }
-
-          promote_windows_release_assets() {
-            if ! is_stable_release; then
-              return 0
-            fi
-            if [[ -z "${WINDOWS_NODE_INSTALLER_DIGESTS// }" ]]; then
-              echo "Stable release is missing prevalidated Windows installer digests." >&2
-              return 1
-            fi
-
-            windows_node_run_id="$(dispatch_workflow windows-node-release.yml \
-              -f tag="${RELEASE_TAG}" \
-              -f windows_node_tag="${WINDOWS_NODE_TAG}" \
-              -f expected_installer_digests="${WINDOWS_NODE_INSTALLER_DIGESTS}")"
-            echo "- Windows Node release run ID: \`${windows_node_run_id}\`" >> "$GITHUB_STEP_SUMMARY"
-            wait_for_run windows-node-release.yml "${windows_node_run_id}"
-          }
-
          upload_dependency_evidence_release_asset() {
            local release_version download_dir asset_path asset_name artifact_name
            release_version="${RELEASE_TAG#v}"
@@ -1112,7 +913,7 @@ jobs:
          }

          append_release_proof_to_github_release() {
-            local release_version body_file notes_file tarball integrity telegram_line clawhub_line clawhub_bootstrap_line clawhub_runtime_state_path windows_line
+            local release_version body_file notes_file tarball integrity telegram_line clawhub_line clawhub_bootstrap_line clawhub_runtime_state_path

            release_version="${RELEASE_TAG#v}"
            body_file="${RUNNER_TEMP}/release-body.md"
@@ -1130,10 +931,6 @@ jobs:
            write_clawhub_runtime_state false "${clawhub_runtime_state_path}"
            clawhub_line="$(jq -r '.proofLines.normal' "${clawhub_runtime_state_path}")"
            clawhub_bootstrap_line="$(jq -r '.proofLines.bootstrap' "${clawhub_runtime_state_path}")"
-            windows_line=""
-            if [[ -n "${windows_node_run_id// }" ]]; then
-              windows_line="- Windows Hub promotion: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${windows_node_run_id} from openclaw/openclaw-windows-node@${WINDOWS_NODE_TAG}"
-            fi

            RELEASE_BODY_FILE="${body_file}" \
              RELEASE_NOTES_FILE="${notes_file}" \
@@ -1151,7 +948,6 @@ jobs:
              CLAWHUB_LINE="${clawhub_line}" \
              CLAWHUB_BOOTSTRAP_LINE="${clawhub_bootstrap_line}" \
              TELEGRAM_LINE="${telegram_line}" \
-              WINDOWS_LINE="${windows_line}" \
              node --input-type=module <<'NODE'
          import { readFileSync, writeFileSync } from "node:fs";

@@ -1178,7 +974,6 @@ jobs:
            process.env.CLAWHUB_BOOTSTRAP_LINE,
            `- OpenClaw npm publish: https://github.com/${process.env.RELEASE_REPO}/actions/runs/${process.env.OPENCLAW_NPM_RUN_ID}`,
            process.env.TELEGRAM_LINE,
-            ...(process.env.WINDOWS_LINE ? [process.env.WINDOWS_LINE] : []),
          ].join("\n");

          const withoutOldProof = body.replace(/\n?### Release verification\n[\s\S]*?(?=\n### |\n## |$)/, "");
@@ -1203,9 +998,6 @@ jobs:
            else
              echo "- OpenClaw npm publish: skipped by input"
            fi
-            if is_stable_release && [[ "${PUBLISH_OPENCLAW_NPM}" == "true" ]]; then
-              echo "- Windows Hub promotion: required before the GitHub release can be published"
-            fi
            if [[ "${WAIT_FOR_CLAWHUB}" == "true" ]]; then
              echo "- Workflow completion waits for ClawHub"
            else
@@ -1350,7 +1142,6 @@ jobs:

          failed=0
          openclaw_failed=0
-          windows_node_run_id=""
          if [[ -n "${openclaw_pid}" ]] && ! wait "${openclaw_pid}"; then
            failed=1
            openclaw_failed=1
@@ -1381,9 +1172,6 @@ jobs:
            fi
            create_or_update_github_release
            upload_dependency_evidence_release_asset
-            if ! promote_windows_release_assets; then
-              failed=1
-            fi
            append_release_proof_to_github_release
            if [[ "${failed}" == "0" ]]; then
              publish_github_release
--- a/.github/workflows/qa-live-transports-convex.yml
+++ b/.github/workflows/qa-live-transports-convex.yml
@@ -532,6 +532,7 @@ jobs:
          OPENCLAW_QA_CONVEX_SECRET_CI: ${{ secrets.OPENCLAW_QA_CONVEX_SECRET_CI }}
          OPENCLAW_QA_CREDENTIAL_ACQUIRE_TIMEOUT_MS: "1800000"
          OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
+          OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT: "1"
          INPUT_SCENARIO: ${{ github.event_name == 'workflow_dispatch' && inputs.scenario || '' }}
        run: |
          set -euo pipefail
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -68,7 +68,7 @@ jobs:
          days-before-pr-close: 7
          stale-issue-label: stale
          stale-pr-label: stale
-          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle,clawsweeper:queueable-fix,clawsweeper:source-repro,clawsweeper:fix-shape-clear
+          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle
          exempt-pr-labels: maintainer,no-stale,bad-barnacle
          operations-per-run: 2000
          ascending: true
@@ -100,7 +100,7 @@ jobs:
          days-before-pr-stale: -1
          days-before-pr-close: -1
          stale-issue-label: stale
-          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle,clawsweeper:queueable-fix,clawsweeper:source-repro,clawsweeper:fix-shape-clear
+          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle
          operations-per-run: 2000
          ascending: true
          include-only-assigned: true
@@ -172,7 +172,7 @@ jobs:
          days-before-pr-close: 7
          stale-issue-label: stale
          stale-pr-label: stale
-          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle,clawsweeper:queueable-fix,clawsweeper:source-repro,clawsweeper:fix-shape-clear
+          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle
          exempt-pr-labels: maintainer,no-stale,bad-barnacle
          operations-per-run: 2000
          ascending: true
@@ -203,7 +203,7 @@ jobs:
          days-before-pr-stale: -1
          days-before-pr-close: -1
          stale-issue-label: stale
-          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle,clawsweeper:queueable-fix,clawsweeper:source-repro,clawsweeper:fix-shape-clear
+          exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale,bad-barnacle
          operations-per-run: 2000
          ascending: true
          include-only-assigned: true
@@ -277,9 +277,6 @@ jobs:
              "security",
              "no-stale",
              "bad-barnacle",
-              "clawsweeper:queueable-fix",
-              "clawsweeper:source-repro",
-              "clawsweeper:fix-shape-clear",
            ]);
            const prExemptLabels = new Set(["maintainer", "no-stale", "bad-barnacle"]);
            const maintainerAssociations = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);
--- a/.github/workflows/windows-node-release.yml
+++ b/.github/workflows/windows-node-release.yml
@@ -8,12 +8,9 @@ on:
        required: true
        type: string
      windows_node_tag:
-        description: Exact openclaw-windows-node release tag to promote, for example v0.6.3
-        required: true
-        type: string
-      expected_installer_digests:
-        description: Compact JSON map of installer asset names to pinned source sha256 digests
+        description: openclaw-windows-node release tag to promote, or latest
        required: true
+        default: latest
        type: string

 permissions:
@@ -34,129 +31,46 @@ jobs:
        env:
          RELEASE_TAG: ${{ inputs.tag }}
          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
-          EXPECTED_INSTALLER_DIGESTS: ${{ inputs.expected_installer_digests }}
          GH_TOKEN: ${{ github.token }}
        run: |
          if ($env:RELEASE_TAG -notmatch '^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-(alpha|beta)\.[1-9][0-9]*)|(-[1-9][0-9]*))?$') {
            throw "Invalid OpenClaw release tag: $env:RELEASE_TAG"
          }
-          $stableRelease = -not (
-            $env:RELEASE_TAG.Contains("-alpha.") -or
-            $env:RELEASE_TAG.Contains("-beta.")
-          )
-          if ($env:WINDOWS_NODE_TAG -notmatch '^v[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z]+([.-][0-9A-Za-z]+)*)?$') {
-            throw "windows_node_tag must be an explicit openclaw-windows-node release tag, not latest: $env:WINDOWS_NODE_TAG"
-          }
-
-          try {
-            $expectedDigests = $env:EXPECTED_INSTALLER_DIGESTS | ConvertFrom-Json -AsHashtable
-          } catch {
-            throw "expected_installer_digests must be a JSON object: $_"
-          }
-          # Add future signed installer names, such as MSIX x64/ARM64, here.
-          $requiredInstallerNames = @(
-            "OpenClawCompanion-Setup-x64.exe",
-            "OpenClawCompanion-Setup-arm64.exe"
-          )
-          $allowedTargetCompanionAssetNames = @(
-            $requiredInstallerNames
-            "OpenClawCompanion-SHA256SUMS.txt"
-          )
-          if ($expectedDigests.Count -ne $requiredInstallerNames.Count) {
-            throw "expected_installer_digests must contain exactly the current installer asset contract."
-          }
-          foreach ($name in $requiredInstallerNames) {
-            $digest = [string]$expectedDigests[$name]
-            if ($digest -notmatch '^sha256:[A-Fa-f0-9]{64}$') {
-              throw "expected_installer_digests is missing a valid pinned digest for $name."
-            }
-          }
-
-          $targetRelease = gh release view $env:RELEASE_TAG --repo $env:GITHUB_REPOSITORY --json tagName,isDraft,isPrerelease,assets,url | ConvertFrom-Json
-          if ($targetRelease.tagName -ne $env:RELEASE_TAG) {
-            throw "OpenClaw release tag mismatch: expected $env:RELEASE_TAG, got $($targetRelease.tagName)"
-          }
-          $unexpectedTargetCompanionAssets = @(
-            $targetRelease.assets |
-              Where-Object {
-                $_.name.StartsWith("OpenClawCompanion-") -and
-                $_.name -notin $allowedTargetCompanionAssetNames
-              } |
-              ForEach-Object name |
-              Sort-Object
-          )
-          if ($unexpectedTargetCompanionAssets.Count -ne 0) {
-            throw "Target OpenClaw release contains unexpected OpenClawCompanion assets before upload: $($unexpectedTargetCompanionAssets -join ', ')"
-          }
-
-          $sourceRelease = gh release view $env:WINDOWS_NODE_TAG --repo openclaw/openclaw-windows-node --json tagName,isDraft,isPrerelease,assets,url | ConvertFrom-Json
-          if ($sourceRelease.tagName -ne $env:WINDOWS_NODE_TAG) {
-            throw "Windows source release tag mismatch: expected $env:WINDOWS_NODE_TAG, got $($sourceRelease.tagName)"
-          }
-          if ($sourceRelease.isDraft) {
-            throw "Windows source release must be published: $($sourceRelease.url)"
-          }
-          if ($stableRelease -and $sourceRelease.isPrerelease) {
-            throw "Stable OpenClaw releases require a non-prerelease Windows source release: $($sourceRelease.url)"
-          }
-          foreach ($name in $requiredInstallerNames) {
-            $sourceAssets = @($sourceRelease.assets | Where-Object name -eq $name)
-            if ($sourceAssets.Count -ne 1) {
-              throw "Windows source release must contain exactly one required asset $name; found $($sourceAssets.Count)."
-            }
-            if ([string]$sourceAssets[0].digest -ne [string]$expectedDigests[$name]) {
-              throw "Windows source release asset digest does not match the pinned digest: $name"
-            }
+          if ($env:WINDOWS_NODE_TAG -ne "latest" -and $env:WINDOWS_NODE_TAG -notmatch '^v[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z.-]+)?$') {
+            throw "Invalid openclaw-windows-node release tag: $env:WINDOWS_NODE_TAG"
          }
+          gh release view $env:RELEASE_TAG --repo $env:GITHUB_REPOSITORY | Out-Null

      - name: Download Windows Hub release installers
        shell: pwsh
        env:
          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
-          EXPECTED_INSTALLER_DIGESTS: ${{ inputs.expected_installer_digests }}
          GH_TOKEN: ${{ github.token }}
        run: |
          New-Item -ItemType Directory -Force -Path dist | Out-Null
-          # Add future signed installer patterns, such as MSIX x64/ARM64, here.
-          # Every matched installer is signature-checked, checksummed, and promoted.
-          $installerPatterns = @(
-            "OpenClawCompanion-Setup-x64.exe",
-            "OpenClawCompanion-Setup-arm64.exe"
-          )
-          $downloadArgs = @(
-            $env:WINDOWS_NODE_TAG,
-            "--repo", "openclaw/openclaw-windows-node",
-            "--dir", "dist"
-          )
-          foreach ($pattern in $installerPatterns) {
-            $downloadArgs += @("--pattern", $pattern)
-          }
-          gh release download @downloadArgs
-          if ($LASTEXITCODE -ne 0) {
-            throw "Failed to download Windows release assets from $env:WINDOWS_NODE_TAG."
+          $tagArgs = @()
+          if ($env:WINDOWS_NODE_TAG -ne "latest") {
+            $tagArgs += $env:WINDOWS_NODE_TAG
          }
+          gh release download @tagArgs `
+            --repo openclaw/openclaw-windows-node `
+            --pattern "OpenClawCompanion-Setup-*.exe" `
+            --dir dist

-          foreach ($pattern in $installerPatterns) {
-            $patternMatches = @(Get-ChildItem -LiteralPath dist -File | Where-Object Name -Like $pattern)
-            if ($patternMatches.Count -ne 1) {
-              throw "Expected exactly one Windows installer matching '$pattern', found $($patternMatches.Count)."
-            }
-          }
-
-          $expectedDigests = $env:EXPECTED_INSTALLER_DIGESTS | ConvertFrom-Json -AsHashtable
-          foreach ($file in Get-ChildItem -LiteralPath dist -File) {
-            $expectedHash = ([string]$expectedDigests[$file.Name]) -replace '^sha256:', ''
-            $actualHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
-            if ($actualHash -ne $expectedHash) {
-              throw "Downloaded Windows source asset does not match pinned digest: $($file.Name)"
+          $expected = @(
+            "dist/OpenClawCompanion-Setup-x64.exe",
+            "dist/OpenClawCompanion-Setup-arm64.exe"
+          )
+          foreach ($file in $expected) {
+            if (-not (Test-Path -LiteralPath $file)) {
+              throw "Missing expected Windows installer: $file"
            }
          }

      - name: Verify Authenticode signatures
        shell: pwsh
        run: |
-          $expectedSignerSubject = "CN=OpenClaw Foundation, O=OpenClaw Foundation, L=Mill Valley, S=California, C=US"
-          Get-ChildItem -LiteralPath dist -File | ForEach-Object {
+          Get-ChildItem -LiteralPath dist -Filter "OpenClawCompanion-Setup-*.exe" | ForEach-Object {
            $signature = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($signature.Status -ne "Valid") {
              throw "$($_.Name) Authenticode signature was $($signature.Status)."
@@ -164,9 +78,6 @@ jobs:
            if (-not $signature.SignerCertificate) {
              throw "$($_.Name) has no signer certificate."
            }
-            if ($signature.SignerCertificate.Subject -ne $expectedSignerSubject) {
-              throw "$($_.Name) has unexpected signer subject $($signature.SignerCertificate.Subject)."
-            }
            [pscustomobject]@{
              File = $_.Name
              Signer = $signature.SignerCertificate.Subject
@@ -177,7 +88,7 @@ jobs:
      - name: Write SHA-256 manifest
        shell: pwsh
        run: |
-          Get-ChildItem -LiteralPath dist -File |
+          Get-ChildItem -LiteralPath dist -Filter "OpenClawCompanion-Setup-*.exe" |
            Sort-Object Name |
            ForEach-Object {
              $hash = Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName
@@ -190,81 +101,12 @@ jobs:
          RELEASE_TAG: ${{ inputs.tag }}
          GH_TOKEN: ${{ github.token }}
        run: |
-          $releaseAssets = @(Get-ChildItem -LiteralPath dist -File | Sort-Object Name | ForEach-Object FullName)
-          gh release upload $env:RELEASE_TAG @releaseAssets --repo $env:GITHUB_REPOSITORY --clobber
-          if ($LASTEXITCODE -ne 0) {
-            throw "Failed to upload Windows release assets to $env:RELEASE_TAG."
-          }
-
-      - name: Verify promoted release asset contract
-        shell: pwsh
-        env:
-          RELEASE_TAG: ${{ inputs.tag }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          New-Item -ItemType Directory -Force -Path verified | Out-Null
-          $expectedAssets = @(Get-ChildItem -LiteralPath dist -File | Sort-Object Name)
-          $expectedCompanionAssetNames = @($expectedAssets | ForEach-Object Name | Sort-Object)
-          $targetRelease = gh release view $env:RELEASE_TAG --repo $env:GITHUB_REPOSITORY --json assets | ConvertFrom-Json
-          $actualCompanionAssetNames = @(
-            $targetRelease.assets |
-              Where-Object { $_.name.StartsWith("OpenClawCompanion-") } |
-              ForEach-Object name |
-              Sort-Object
-          )
-          $assetContractDiff = @(
-            Compare-Object `
-              -ReferenceObject $expectedCompanionAssetNames `
-              -DifferenceObject $actualCompanionAssetNames
-          )
-          if (
-            $actualCompanionAssetNames.Count -ne $expectedCompanionAssetNames.Count -or
-            $assetContractDiff.Count -ne 0
-          ) {
-            throw "Promoted OpenClawCompanion asset names do not exactly match the current contract."
-          }
-
-          foreach ($asset in $expectedAssets) {
-            gh release download $env:RELEASE_TAG `
-              --repo $env:GITHUB_REPOSITORY `
-              --pattern $asset.Name `
-              --dir verified
-            if ($LASTEXITCODE -ne 0) {
-              throw "Failed to download promoted Windows release asset $($asset.Name)."
-            }
-          }
-
-          $manifestPath = "verified/OpenClawCompanion-SHA256SUMS.txt"
-          $manifestEntries = @(Get-Content -LiteralPath $manifestPath | ForEach-Object {
-            if ($_ -notmatch '^([A-Fa-f0-9]{64})  ([^\\/]+)$') {
-              throw "Invalid Windows SHA-256 manifest entry: $_"
-            }
-            [PSCustomObject]@{
-              Hash = $Matches[1]
-              Name = $Matches[2]
-            }
-          })
-          $expectedInstallerNames = @(
-            $expectedAssets |
-              Where-Object Name -ne "OpenClawCompanion-SHA256SUMS.txt" |
-              ForEach-Object Name
-          )
-          $manifestInstallerNames = @($manifestEntries | ForEach-Object Name | Sort-Object)
-          $contractDiff = @(
-            Compare-Object `
-              -ReferenceObject $expectedInstallerNames `
-              -DifferenceObject $manifestInstallerNames
-          )
-          if ($contractDiff.Count -ne 0) {
-            throw "Promoted Windows SHA-256 manifest does not match the installer asset contract."
-          }
-
-          foreach ($entry in $manifestEntries) {
-            $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath "verified/$($entry.Name)").Hash
-            if ($hash -ne $entry.Hash) {
-              throw "Promoted Windows release asset checksum mismatch: $($entry.Name)"
-            }
-          }
+          gh release upload $env:RELEASE_TAG `
+            dist/OpenClawCompanion-Setup-x64.exe `
+            dist/OpenClawCompanion-Setup-arm64.exe `
+            dist/OpenClawCompanion-SHA256SUMS.txt `
+            --repo $env:GITHUB_REPOSITORY `
+            --clobber

      - name: Summary
        shell: pwsh
@@ -277,9 +119,8 @@ jobs:

          OpenClaw release: $env:RELEASE_TAG
          Source release: openclaw/openclaw-windows-node@$env:WINDOWS_NODE_TAG
+
+          - https://github.com/openclaw/openclaw/releases/download/$env:RELEASE_TAG/OpenClawCompanion-Setup-x64.exe
+          - https://github.com/openclaw/openclaw/releases/download/$env:RELEASE_TAG/OpenClawCompanion-Setup-arm64.exe
+          - https://github.com/openclaw/openclaw/releases/download/$env:RELEASE_TAG/OpenClawCompanion-SHA256SUMS.txt
          "@ >> $env:GITHUB_STEP_SUMMARY
-          Get-ChildItem -LiteralPath dist -File |
-            Sort-Object Name |
-            ForEach-Object {
-              "- https://github.com/openclaw/openclaw/releases/download/$env:RELEASE_TAG/$($_.Name)"
-            } >> $env:GITHUB_STEP_SUMMARY
--- a/.gitignore
+++ b/.gitignore
@@ -127,8 +127,6 @@ mantis/
 !.agents/skills/clawdtributor/**
 !.agents/skills/control-ui-e2e/
 !.agents/skills/control-ui-e2e/**
-!.agents/skills/discord-user-post/
-!.agents/skills/discord-user-post/**
 !.agents/skills/gitcrawl/
 !.agents/skills/gitcrawl/**
 !.agents/skills/technical-documentation/
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -214,7 +214,6 @@ Skills own workflows; root owns hard policy and routing.

 - Vitest. Colocated `*.test.ts`; e2e `*.e2e.test.ts`; example models `sonnet-4.6`, `gpt-5.5`; test GPT with 5.5 preferred, 5.4 ok; no GPT-4.x agent-smoke defaults.
 - Prefer behavior tests over workflow/docs string greps. Put operator policy reminders in AGENTS/docs.
- QA scenario sources are YAML only: `qa/scenarios/index.yaml` and `qa/scenarios/<theme>/*.yaml`. Do not add fenced `qa-scenario`/`qa-flow` Markdown files under `qa/scenarios/`.
 - Clean timers/env/globals/mocks/sockets/temp dirs/module state; `--isolate=false` safe.
 - Prefer injection and narrow `*.runtime.ts` mocks over broad barrels or `openclaw/plugin-sdk/*`.
 - Do not edit baseline/inventory/ignore/snapshot/expected-failure files to silence checks without explicit approval.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,36 +2,6 @@

 Docs: https://docs.openclaw.ai

-## 2026.6.8
-
-### Highlights
-
- Telegram and WhatsApp channel delivery are richer and less brittle: Telegram can send structured rich text with tables, lists, expandable blockquotes, prompt-preserving CLI backend delivery, retired native draft migration, and safer rich-media boundaries, while WhatsApp now honors configured ACP bindings. (#92679, #84082, #89421, #92513) Thanks @obviyus, @jzakirov, @spacegeologist, and @TurboTheTurtle.
- Agent and Gateway recovery is sharper across account-scoped DM sends, generated media completions, restart shutdown aborts, yielded subagent pauses, yielded cron media, heartbeat dedupe, session identity prompts, and unknown OpenAI agent selector rejection. (#92788, #91246, #91357, #92631, #92146, #91287, #92468, #92510) Thanks @yetval, @TurboTheTurtle, @ooiuuii, @openperf, @IWhatsskill, @ZengWen-DT, and @zhangguiping-xydt.
- Provider/model handling expands and tightens with GLM-5.2, Claude Haiku 4.5 catalog rows, OpenRouter and Google Vertex provider-prefix normalization, managed SecretRef auth, bounded model browse discovery, storeless OpenAI Responses replay gating, and Claude 4.5 Copilot tool-streaming safety. (#92796, #90116, #92627, #91218, #90686, #92247, #90706, #75393) Thanks @arkyu2077, @liuhao1024, @bymle, @rohitjavvadi, @samson910022, @snowzlm, and @Kailigithub.
- `/usage` and reply payload hooks now have a native full footer renderer, default template, fixed-decimal formatting, credential-aware limits, better partial-count handling, and warnings for broken templates instead of silent bad output. (#92657, #89835, #89629) Thanks @Marvinthebored.
- UI and mobile flows are steadier: workspace files can collapse and start collapsed, WebChat backscroll survives streaming, the sidebar session picker remains interactive above the desktop workbench, reset soft args survive UI dispatch, stale dashboard session parent lineage is preserved, and iOS reconnects stale foreground gateways. (#92779, #92622, #92705, #91353, #90658, #92552) Thanks @shakkernerd, @TurboTheTurtle, @NianJiuZst, @zhouhe-xydt, @luoyanglang, and @Solvely-Colin.
- Memory, state, and diagnostics recover cleaner: oversized OpenAI embedding batches split before 431s, QMD memory search stays available in transient mode, SQLite avoids WAL on NFS state volumes, stuck-session recovery scheduling no longer resets warning backoff, and Infinity chunk limits stay genuinely unbounded. (#92650, #92618, #92639, #91247, #92752, #92735) Thanks @mushuiyu886, @TurboTheTurtle, @849261680, @gnanam1990, and @yhterrance.
-
-### Changes
-
- Providers/models: add GLM-5.2 support and Claude Haiku 4.5 catalog entries while keeping provider-qualified model IDs normalized across OpenRouter and Google Vertex paths. (#92796, #90116, #92627, #91218) Thanks @arkyu2077, @liuhao1024, and @bymle.
- Channel plugins: ship Telegram rich-message delivery and WhatsApp ACP binding support, including rich prompt handoff to CLI backends and transport fixtures for richer drafts. (#92679, #92513) Thanks @obviyus and @TurboTheTurtle.
- Agent commands: support `/btw` in CLI-backed sessions and keep CLI usage-error exits classified as usage failures instead of successful runs. (#92669, #92162) Thanks @joshavant and @Pandah97.
- Usage hooks: add built-in full footer rendering, default footer templates, per-turn usage state, credential-aware limits, and fixed-decimal formatting for usage-bar templates. (#92657, #89835, #89629) Thanks @Marvinthebored.
- Docs and operator guidance: document node config examples, clarify before-install hook scope, correct agent default concurrency comments, refresh ZAI provider docs, and update channel/group docs for current Telegram and WhatsApp behavior. (#92677, #92766, #92695) Thanks @liuhao1024, @sallyom, and @ArielSmoliar.
-
-### Fixes
-
- Channels and delivery: preserve account-scoped DM channel send policy, rich Telegram final replies, rich Telegram tables and lists, Telegram thread-create CLI remapping, Slack outbound `message_sent` hooks, contributed message-tool schema optionality, same-channel generated media completions, and channel chunking around surrogate pairs and Infinity limits. (#92788, #92679, #89421, #89943, #91137, #91246, #92735) Thanks @yetval, @obviyus, @spacegeologist, @rishitamrakar, @lundog, @TurboTheTurtle, and @yhterrance.
- Discord: give generated auto-thread titles a 60-second timeout and 4,096-token reasoning-model output budget, clamped to the selected model output cap. (#64734) Thanks @hanamizuki.
- Agent, cron, and Gateway runtime: mark active main sessions before restart shutdown aborts, pause yielded subagent runs whose terminal also signals abort, preserve yielded media completions, de-duplicate main-session heartbeat events, expose session identity in runtime prompts, reject unknown OpenAI agent selectors, keep generated media completions and slash-command block replies in WebChat, preserve fresh post-compaction usage while clearing stale usage snapshots, and require admin privileges for HTTP session/model override surfaces. (#91357, #92631, #92146, #91287, #92468, #92510, #91246, #50795, #50845, #82874, #92651, #92646) Thanks @ooiuuii, @openperf, @IWhatsskill, @ZengWen-DT, @zhangguiping-xydt, @Hollychou924, @leno23, and @TurboTheTurtle.
- Providers and model replay: preserve storeless OpenAI Responses replay compatibility, avoid eager tool streaming for Claude 4.5 in Copilot, honor profile auth for SecretRef model entries, bound model browsing, strip provider prefixes where runtimes need bare IDs, and surface nested embedding fetch failures. (#90706, #75393, #90686, #92247, #92627, #91218, #92628) Thanks @snowzlm, @Kailigithub, @rohitjavvadi, @samson910022, @liuhao1024, @bymle, and @mushuiyu886.
- Memory, state, diagnostics, and config: split header-too-large embedding batches, keep QMD memory search enabled in transient mode, avoid SQLite WAL on NFS volumes, preserve recovery scheduling outside stuck-session warning backoff, and keep shell environment fallbacks contained in config write tests. (#92650, #92618, #92639, #91247, #92752) Thanks @mushuiyu886, @TurboTheTurtle, @849261680, and @gnanam1990.
- UI/mobile/TUI: preserve dashboard session parent lineage, WebChat backscroll, reset soft command args, sidebar session picker interactivity, collapsed workspace files, resolved `/model` confirmation refs, and stale foreground iOS Gateway reconnects. (#90658, #92622, #91353, #92705, #92779, #92773, #92552) Thanks @luoyanglang, @TurboTheTurtle, @zhouhe-xydt, @NianJiuZst, @shakkernerd, @NarahariRaghava, and @Solvely-Colin.
- Release and test reliability: extend slow Gateway/full-suite watchdogs, split local full-suite shards when throttled, stabilize plugin auth marker fixtures, avoid brittle provider-ref error text, and keep QA Lab bootstrap selection assertions aligned with flow-only scenarios. (#92652)
- Agent routing: route subagent RPC callbacks addressed to an agent-shaped `--to` target to the correct session key instead of falling back to the main session, so WeChat (and other channel) session-key callbacks reach the intended subagent session. (#90231) Thanks @zhangguiping-xydt.
-
 ## 2026.6.6

 ### Highlights
--- a/6
+++ b/6
@@ -138,7 +138,7 @@ ARG OPENCLAW_BUNDLED_PLUGIN_DIR
 # BuildKit cache mounts are not part of cached layers; seed tarballs for the
 # installed prod graph in the same step that runs offline prune.
 RUN --mount=type=cache,id=openclaw-pnpm-store,target=/root/.local/share/pnpm/store,sharing=locked \
-    node scripts/list-prod-store-packages.mjs | xargs -r pnpm store add && \
+    pnpm list --prod --depth Infinity --json | node scripts/list-prod-store-packages.mjs | xargs -r pnpm store add && \
    CI=true pnpm prune --prod \
      --config.offline=true \
      --config.supportedArchitectures.os=linux \
@@ -147,10 +147,6 @@ RUN --mount=type=cache,id=openclaw-pnpm-store,target=/root/.local/share/pnpm/sto
    OPENCLAW_EXTENSIONS="$OPENCLAW_EXTENSIONS" OPENCLAW_BUNDLED_PLUGIN_DIR="$OPENCLAW_BUNDLED_PLUGIN_DIR" node scripts/prune-docker-plugin-dist.mjs && \
    node scripts/postinstall-bundled-plugins.mjs && \
    find dist -type f \( -name '*.d.ts' -o -name '*.d.mts' -o -name '*.d.cts' -o -name '*.map' \) -delete && \
-    rm -rf \
-      /app/node_modules/openclaw \
-      /app/node_modules/.bin/openclaw \
-      /app/node_modules/.pnpm/openclaw@*/node_modules/openclaw && \
    node scripts/check-package-dist-imports.mjs /app

 # ── Runtime base image ──────────────────────────────────────────
--- a/apps/ios/.periphery.yml
+++ b/apps/ios/.periphery.yml
@@ -1,18 +0,0 @@
-project: OpenClaw.xcodeproj
-schemes:
-  - OpenClaw
-retain_codable_properties: true
-retain_swift_ui_previews: true
-retain_objc_accessible: true
-retain_unused_protocol_func_params: true
-retain_assign_only_properties: true
-relative_results: true
-disable_update_check: true
-report_include:
-  - Sources/**
-  - ShareExtension/**
-  - ActivityWidget/**
-  - WatchExtension/Sources/**
-build_arguments:
-  - -destination
-  - generic/platform=iOS Simulator
--- a/apps/ios/Sources/Contacts/ContactsService.swift
+++ b/apps/ios/Sources/Contacts/ContactsService.swift
@@ -202,4 +202,10 @@ final class ContactsService: ContactsServicing {
            phoneNumbers: contact.phoneNumbers.map(\.value.stringValue),
            emails: contact.emailAddresses.map { String($0.value) })
    }
+
+    #if DEBUG
+    static func _test_matches(contact: CNContact, phoneNumbers: [String], emails: [String]) -> Bool {
+        self.matchContacts(contacts: [contact], phoneNumbers: phoneNumbers, emails: emails) != nil
+    }
+    #endif
 }
--- a/apps/ios/Sources/Design/AgentProTab+DetailComponents.swift
+++ b/apps/ios/Sources/Design/AgentProTab+DetailComponents.swift
@@ -1,4 +1,5 @@
 import OpenClawKit
+import OpenClawProtocol
 import SwiftUI

 extension AgentProTab {
--- a/apps/ios/Sources/Design/AgentProTab.swift
+++ b/apps/ios/Sources/Design/AgentProTab.swift
@@ -1,10 +1,12 @@
 import OpenClawKit
+import OpenClawProtocol
 import SwiftUI

 struct AgentProTab: View {
    @Environment(NodeAppModel.self) var appModel
    @Environment(\.colorScheme) var colorScheme
    @Environment(\.scenePhase) var scenePhase
+    let initialRoute: AgentRoute?
    let directRoute: AgentRoute?
    let headerLeadingAction: OpenClawSidebarHeaderAction?
    let headerTitle: String
@@ -125,11 +127,13 @@ struct AgentProTab: View {
    }

    init(
+        initialRoute: AgentRoute? = nil,
        directRoute: AgentRoute? = nil,
        headerLeadingAction: OpenClawSidebarHeaderAction? = nil,
        headerTitle: String = "Agents",
        openSettings: (() -> Void)? = nil)
    {
+        self.initialRoute = initialRoute
        self.directRoute = directRoute
        self.headerLeadingAction = headerLeadingAction
        self.headerTitle = headerTitle
@@ -180,6 +184,9 @@ struct AgentProTab: View {
                self.destination(for: route)
            }
        }
+        .onAppear {
+            self.applyInitialRouteIfNeeded()
+        }
    }

    private func directDestination(for route: AgentRoute) -> some View {
@@ -188,4 +195,11 @@ struct AgentProTab: View {
                self.directHeaderLeadingAction(for: route) == nil ? .visible : .hidden,
                for: .navigationBar)
    }
+
+    private func applyInitialRouteIfNeeded() {
+        guard self.directRoute == nil else { return }
+        guard let initialRoute else { return }
+        guard self.navigationPath != [initialRoute] else { return }
+        self.navigationPath = [initialRoute]
+    }
 }
--- a/apps/ios/Sources/Design/CommandCenterSupport.swift
+++ b/apps/ios/Sources/Design/CommandCenterSupport.swift
@@ -185,3 +185,33 @@ struct CommandEmptyStateRow: View {
        }
    }
 }
+
+struct CommandTaskRow: View {
+    let item: CommandCenterTab.WorkItem
+
+    var body: some View {
+        HStack(alignment: .center, spacing: 6) {
+            Text(self.item.title)
+                .font(.footnote.weight(.semibold))
+                .lineLimit(1)
+                .minimumScaleFactor(0.80)
+                .frame(maxWidth: .infinity, minHeight: 20, alignment: .leading)
+            Text(self.item.detail)
+                .font(.caption.weight(.medium))
+                .foregroundStyle(.secondary)
+                .lineLimit(1)
+                .minimumScaleFactor(0.78)
+                .frame(width: 64, alignment: .leading)
+            if let progress = self.item.progress {
+                ProProgressBar(progress: progress, color: self.item.color)
+                    .frame(width: 56)
+            }
+            Text(self.item.state)
+                .font(.footnote.weight(.medium))
+                .foregroundStyle(self.item.progress == nil ? self.item.color : .secondary)
+                .lineLimit(1)
+                .frame(width: self.item.progress == nil ? 58 : 34, alignment: .trailing)
+        }
+        .padding(.vertical, 8)
+    }
+}
--- a/apps/ios/Sources/Design/IPadSkillWorkshopScreen.swift
+++ b/apps/ios/Sources/Design/IPadSkillWorkshopScreen.swift
@@ -213,6 +213,32 @@ struct IPadSkillWorkshopScreen: View {
        }
    }

+    private var statusMenu: some View {
+        HStack(spacing: 8) {
+            Text("Status")
+                .font(.caption.weight(.semibold))
+                .foregroundStyle(.secondary)
+            Menu {
+                ForEach(Self.proposalStatusFilters, id: \.self) { filter in
+                    Button(Self.proposalStatusFilterLabel(filter)) {
+                        self.statusFilter = filter
+                    }
+                }
+            } label: {
+                HStack(spacing: 6) {
+                    Text(self.statusFilterLabel)
+                        .font(.subheadline.weight(.semibold))
+                    Image(systemName: "chevron.up.chevron.down")
+                        .font(.caption2.weight(.bold))
+                }
+                .frame(maxWidth: .infinity, alignment: .trailing)
+            }
+            .buttonStyle(.bordered)
+            .controlSize(.small)
+            .tint(self.neutralControlTint)
+        }
+    }
+
    private var agentScopeMenu: some View {
        HStack(spacing: 8) {
            Text("Agent")
@@ -1104,6 +1130,7 @@ struct IPadSkillProposalRecord: Decodable {
    let description: String
    let createdAt: String
    let updatedAt: String
+    let proposedVersion: String
    let target: IPadSkillProposalTarget
 }

--- a/apps/ios/Sources/Design/OpenClawBrand.swift
+++ b/apps/ios/Sources/Design/OpenClawBrand.swift
@@ -47,6 +47,13 @@ enum AppAppearancePreference: String, CaseIterable, Identifiable {
 }

 enum OpenClawBrand {
+    static let lightCanvasTop = Color(red: 246 / 255.0, green: 247 / 255.0, blue: 249 / 255.0)
+    static let lightCanvasMiddle = Color(red: 250 / 255.0, green: 251 / 255.0, blue: 252 / 255.0)
+    static let lightCanvasBottom = Color.white
+    static let darkCanvasTop = Color(red: 3 / 255.0, green: 7 / 255.0, blue: 7 / 255.0)
+    static let darkCanvasMiddle = Color(red: 13 / 255.0, green: 17 / 255.0, blue: 17 / 255.0)
+    static let darkCanvasBottom = Color(red: 17 / 255.0, green: 18 / 255.0, blue: 20 / 255.0)
+
    static let accent = Color(uiColor: UIColor { traits in
        traits.userInterfaceStyle == .dark
            ? UIColor(red: 198 / 255.0, green: 62 / 255.0, blue: 56 / 255.0, alpha: 1)
@@ -74,6 +81,11 @@ enum OpenClawBrand {
            ? UIColor(red: 34 / 255.0, green: 36 / 255.0, blue: 39 / 255.0, alpha: 1)
            : UIColor.white
    })
+    static let graphiteSoft = Color(uiColor: UIColor { traits in
+        traits.userInterfaceStyle == .dark
+            ? UIColor(red: 148 / 255.0, green: 163 / 255.0, blue: 184 / 255.0, alpha: 1)
+            : UIColor(red: 102 / 255.0, green: 112 / 255.0, blue: 133 / 255.0, alpha: 1)
+    })

    static var sheetBackground: LinearGradient {
        LinearGradient(
@@ -85,6 +97,40 @@ enum OpenClawBrand {
            startPoint: .topLeading,
            endPoint: .bottomTrailing)
    }
+
+    static var toolbarChrome: LinearGradient {
+        LinearGradient(
+            colors: [
+                graphiteElevated.opacity(0.92),
+                graphite.opacity(0.78),
+            ],
+            startPoint: .topLeading,
+            endPoint: .bottomTrailing)
+    }
+
+    static func glassFill(brighten: Bool) -> Color {
+        Color.black.opacity(brighten ? 0.10 : 0.22)
+    }
+
+    static func glassStroke(brighten: Bool, increasedContrast: Bool, active: Bool = false) -> Color {
+        if active {
+            return self.accent.opacity(increasedContrast ? 0.70 : 0.46)
+        }
+        return Color.white.opacity(increasedContrast ? 0.50 : (brighten ? 0.24 : 0.16))
+    }
+
+    static func formSectionHeader(_ title: String) -> some View {
+        Text(title)
+            .font(.caption.weight(.semibold))
+            .foregroundStyle(self.accent)
+            .textCase(.uppercase)
+    }
+
+    static func canvasColors(for colorScheme: ColorScheme) -> [Color] {
+        colorScheme == .dark
+            ? [self.darkCanvasTop, self.darkCanvasMiddle, self.darkCanvasBottom]
+            : [self.lightCanvasTop, self.lightCanvasMiddle, self.lightCanvasBottom]
+    }
 }

 extension View {
--- a/apps/ios/Sources/Design/OpenClawProComponents.swift
+++ b/apps/ios/Sources/Design/OpenClawProComponents.swift
@@ -5,6 +5,7 @@ enum OpenClawProMetric {
    static let cardRadius: CGFloat = 10
    static let controlRadius: CGFloat = 8
    static let bottomScrollInset: CGFloat = 96
+    static let heroRadius: CGFloat = 12
 }

 struct OpenClawProBackground: View {
@@ -249,6 +250,13 @@ struct OpenClawSidebarRevealButton: View {
        self.headerAction = action
    }

+    init(action: @escaping () -> Void) {
+        self.headerAction = OpenClawSidebarHeaderAction(
+            systemName: "sidebar.left",
+            accessibilityLabel: "Show Sidebar",
+            action: action)
+    }
+
    var body: some View {
        let button = Button(action: self.headerAction.action) {
            Image(systemName: self.headerAction.systemName)
@@ -422,6 +430,46 @@ struct ProProgressBar: View {
    }
 }

+struct ProWorkRow: View {
+    let icon: String
+    let title: String
+    let detail: String
+    let state: String
+    let trailing: String
+    let color: Color
+    var progress: Double?
+
+    var body: some View {
+        HStack(alignment: .top, spacing: 12) {
+            ProIconBadge(systemName: self.icon, color: self.color)
+            VStack(alignment: .leading, spacing: 5) {
+                HStack(alignment: .firstTextBaseline) {
+                    Text(self.title)
+                        .font(.subheadline.weight(.semibold))
+                    Spacer(minLength: 8)
+                    Text(self.trailing)
+                        .font(.caption2)
+                        .foregroundStyle(.secondary)
+                }
+                Text(self.detail)
+                    .font(.caption)
+                    .foregroundStyle(.secondary)
+                    .lineLimit(1)
+                HStack(spacing: 8) {
+                    if let progress {
+                        ProProgressBar(progress: progress, color: self.color)
+                            .frame(maxWidth: 120)
+                    }
+                    Text(self.state)
+                        .font(.caption2.weight(.semibold))
+                        .foregroundStyle(self.color)
+                }
+            }
+        }
+        .padding(.vertical, 9)
+    }
+}
+
 struct ProCapsule: View {
    @Environment(\.colorScheme) private var colorScheme
    let title: String
@@ -505,6 +553,94 @@ struct OpenClawGatewayCompactPill: View {
    }
 }

+struct ProSegmentedControl: View {
+    @Environment(\.colorScheme) private var colorScheme
+    let labels: [String]
+    @Binding var selection: Int
+
+    var body: some View {
+        HStack(spacing: 4) {
+            ForEach(Array(self.labels.enumerated()), id: \.offset) { index, label in
+                Button {
+                    self.selection = index
+                } label: {
+                    Text(label)
+                        .font(.subheadline.weight(self.selection == index ? .semibold : .regular))
+                        .frame(maxWidth: .infinity)
+                        .padding(.vertical, 9)
+                        .background(self.segmentFill(isSelected: self.selection == index), in: Capsule())
+                }
+                .buttonStyle(.plain)
+            }
+        }
+        .padding(4)
+        .background {
+            Capsule()
+                .fill(self.trackFill)
+                .overlay {
+                    Capsule().strokeBorder(self.trackStroke, lineWidth: 1)
+                }
+        }
+    }
+
+    private func segmentFill(isSelected: Bool) -> Color {
+        guard isSelected else { return .clear }
+        return self.colorScheme == .dark ? Color.white.opacity(0.12) : Color.primary.opacity(0.08)
+    }
+
+    private var trackFill: Color {
+        self.colorScheme == .dark ? Color.white.opacity(0.045) : Color.white.opacity(0.72)
+    }
+
+    private var trackStroke: Color {
+        self.colorScheme == .dark ? Color.white.opacity(0.10) : Color.black.opacity(0.06)
+    }
+}
+
+struct ProHeroActionButton: View {
+    @Environment(\.colorScheme) private var colorScheme
+    let title: String
+    let detail: String
+    let systemImage: String
+    let action: () -> Void
+
+    var body: some View {
+        Button(action: self.action) {
+            HStack(spacing: 12) {
+                Image(systemName: self.systemImage)
+                    .font(.headline.weight(.semibold))
+                    .foregroundStyle(.white)
+                    .frame(width: 42, height: 42)
+                    .background(OpenClawBrand.accentHot, in: RoundedRectangle(cornerRadius: 13, style: .continuous))
+
+                VStack(alignment: .leading, spacing: 3) {
+                    Text(self.title)
+                        .font(.subheadline.weight(.semibold))
+                        .foregroundStyle(.primary)
+                    Text(self.detail)
+                        .font(.caption)
+                        .foregroundStyle(.secondary)
+                        .lineLimit(1)
+                }
+
+                Spacer(minLength: 8)
+
+                Image(systemName: "arrow.right")
+                    .font(.subheadline.weight(.bold))
+                    .foregroundStyle(OpenClawBrand.accentHot)
+            }
+            .padding(12)
+            .proGlassSurface(
+                fill: self.colorScheme == .dark ? Color.white.opacity(0.045) : Color.white.opacity(0.68),
+                stroke: OpenClawBrand.accent.opacity(self.colorScheme == .dark ? 0.22 : 0.14),
+                radius: 18,
+                isProminent: true,
+                interactive: true)
+        }
+        .buttonStyle(.plain)
+    }
+}
+
 struct ProMetricTile: View {
    @Environment(\.colorScheme) private var colorScheme
    let title: String
@@ -659,3 +795,24 @@ struct ProStatusRow: View {
        .padding(.vertical, 10)
    }
 }
+
+struct ProTimelineRow: View {
+    let done: Bool
+    let title: String
+    let detail: String
+
+    var body: some View {
+        HStack(alignment: .top, spacing: 10) {
+            ProIconBadge(
+                systemName: self.done ? "checkmark.circle.fill" : "clock.fill",
+                color: self.done ? OpenClawBrand.ok : OpenClawBrand.warn)
+            VStack(alignment: .leading, spacing: 3) {
+                Text(self.title)
+                    .font(.subheadline.weight(.medium))
+                Text(self.detail)
+                    .font(.caption)
+                    .foregroundStyle(.secondary)
+            }
+        }
+    }
+}
--- a/apps/ios/Sources/Design/OpenClawProScreens.swift
+++ b/apps/ios/Sources/Design/OpenClawProScreens.swift
@@ -0,0 +1,3 @@
+import SwiftUI
+
+// Pro UI surfaces are split by tab to keep SwiftLint file-length signal useful.
--- a/apps/ios/Sources/Design/SettingsChannelsDestination.swift
+++ b/apps/ios/Sources/Design/SettingsChannelsDestination.swift
@@ -332,6 +332,65 @@ struct SettingsChannelsDestination: View {
    }
 }

+struct SettingsChannelsScreen: View {
+    let headerLeadingAction: OpenClawSidebarHeaderAction?
+    let gatewayAction: (() -> Void)?
+
+    init(headerLeadingAction: OpenClawSidebarHeaderAction? = nil, gatewayAction: (() -> Void)? = nil) {
+        self.headerLeadingAction = headerLeadingAction
+        self.gatewayAction = gatewayAction
+    }
+
+    var body: some View {
+        ZStack {
+            OpenClawProBackground()
+            ScrollView {
+                VStack(alignment: .leading, spacing: 14) {
+                    self.header
+                    SettingsChannelsDestination(showsSummaryCard: false)
+                }
+                .padding(.top, 18)
+                .padding(.bottom, OpenClawProMetric.bottomScrollInset)
+            }
+        }
+        .navigationTitle("Channels")
+        .navigationBarTitleDisplayMode(.inline)
+    }
+
+    private var header: some View {
+        HStack(alignment: .top, spacing: 12) {
+            if let headerLeadingAction {
+                OpenClawSidebarHeaderLeadingSlot(action: headerLeadingAction)
+            }
+
+            VStack(alignment: .leading, spacing: 5) {
+                Text("Channels / Integrations")
+                    .font(.title3.weight(.semibold))
+                Text("Message routing and external channel clients.")
+                    .font(.callout)
+                    .foregroundStyle(.secondary)
+                    .fixedSize(horizontal: false, vertical: true)
+            }
+            Spacer(minLength: 8)
+            self.gatewayPill
+        }
+        .padding(.horizontal, OpenClawProMetric.pagePadding)
+    }
+
+    @ViewBuilder
+    private var gatewayPill: some View {
+        if let gatewayAction {
+            Button(action: gatewayAction) {
+                OpenClawGatewayCompactPill()
+            }
+            .buttonStyle(.plain)
+            .accessibilityHint("Opens Settings / Gateway")
+        } else {
+            OpenClawGatewayCompactPill()
+        }
+    }
+}
+
 private struct SettingsChannelRow: View {
    let entry: SettingsChannelEntry
    let canAdmin: Bool
--- a/apps/ios/Sources/Design/SettingsProTabActions.swift
+++ b/apps/ios/Sources/Design/SettingsProTabActions.swift
@@ -139,6 +139,15 @@ extension SettingsProTab {
        await self.gatewayController.connectLastKnown()
    }

+    func refreshGateway() async {
+        guard !self.isRefreshingGateway else { return }
+        self.isRefreshingGateway = true
+        defer { self.isRefreshingGateway = false }
+        self.gatewayController.refreshActiveGatewayRegistrationFromSettings()
+        self.gatewayController.restartDiscovery()
+        await self.appModel.refreshGatewayOverviewIfConnected()
+    }
+
    @MainActor
    func runDiagnostics() async {
        guard !self.isRefreshingGateway else { return }
@@ -191,7 +200,7 @@ extension SettingsProTab {
            self.setupStatusText = "Failed: invalid port"
            return
        }
-        guard await self.preflightGateway(host: host, port: port) else { return }
+        guard await self.preflightGateway(host: host, port: port, useTLS: self.manualGatewayTLS) else { return }
        self.setupStatusText = "Setup code applied. Connecting..."
        await self.connectManual()
    }
@@ -289,7 +298,7 @@ extension SettingsProTab {
            self.setupStatusText = "Failed: invalid port"
            return
        }
-        guard await self.preflightGateway(host: host, port: port) else { return }
+        guard await self.preflightGateway(host: host, port: port, useTLS: self.manualGatewayTLS) else { return }
        await self.connectManual()
    }

@@ -318,7 +327,7 @@ extension SettingsProTab {
            authOverride: authOverride)
    }

-    func preflightGateway(host: String, port: Int) async -> Bool {
+    func preflightGateway(host: String, port: Int, useTLS: Bool) async -> Bool {
        let trimmed = host.trimmingCharacters(in: .whitespacesAndNewlines)
        guard !trimmed.isEmpty else { return false }
        if Self.isTailnetHostOrIP(trimmed), !Self.hasTailnetIPv4() {
--- a/apps/ios/Sources/Gateway/GatewayConnectionController.swift
+++ b/apps/ios/Sources/Gateway/GatewayConnectionController.swift
@@ -3,6 +3,7 @@ import Contacts
 import CoreLocation
 import CoreMotion
 import CryptoKit
+import Darwin
 import EventKit
 import Foundation
 import Network
@@ -168,6 +169,11 @@ final class GatewayConnectionController {
        }
    }

+    func allowAutoConnectAgain() {
+        self.didAutoConnect = false
+        self.maybeAutoConnect()
+    }
+
    func restartDiscovery() {
        self.discovery.stop()
        self.didAutoConnect = false
@@ -516,7 +522,8 @@ final class GatewayConnectionController {
            let stableID = self.manualStableID(host: manualHost, port: resolvedPort)
            let tlsParams = self.resolveManualTLSParams(
                stableID: stableID,
-                tlsEnabled: resolvedUseTLS)
+                tlsEnabled: resolvedUseTLS,
+                allowTOFUReset: self.shouldRequireTLS(host: manualHost))

            guard let url = self.buildGatewayURL(
                host: manualHost,
@@ -712,7 +719,8 @@ final class GatewayConnectionController {
    }

    private func resolveDiscoveredTLSParams(
-        gateway: GatewayDiscoveryModel.DiscoveredGateway) -> GatewayTLSParams?
+        gateway: GatewayDiscoveryModel.DiscoveredGateway,
+        allowTOFU: Bool) -> GatewayTLSParams?
    {
        let stableID = gateway.stableID
        let stored = GatewayTLSStore.loadFingerprint(stableID: stableID)
@@ -739,7 +747,8 @@ final class GatewayConnectionController {

    private func resolveManualTLSParams(
        stableID: String,
-        tlsEnabled: Bool) -> GatewayTLSParams?
+        tlsEnabled: Bool,
+        allowTOFUReset: Bool = false) -> GatewayTLSParams?
    {
        let stored = GatewayTLSStore.loadFingerprint(stableID: stableID)
        if tlsEnabled || stored != nil {
@@ -776,6 +785,126 @@ final class GatewayConnectionController {
            resolver.start()
        }
    }
+
+    private func resolveHostPortFromBonjourEndpoint(_ endpoint: NWEndpoint) async -> (host: String, port: Int)? {
+        switch endpoint {
+        case let .hostPort(host, port):
+            (host: host.debugDescription, port: Int(port.rawValue))
+        case let .service(name, type, domain, _):
+            await Self.resolveBonjourServiceToHostPort(name: name, type: type, domain: domain)
+        default:
+            nil
+        }
+    }
+
+    private static func resolveBonjourServiceToHostPort(
+        name: String,
+        type: String,
+        domain: String,
+        timeoutSeconds: TimeInterval = 3.0) async -> (host: String, port: Int)?
+    {
+        // NetService callbacks are delivered via a run loop. If we resolve from a thread without one,
+        // we can end up never receiving callbacks, which in turn leaks the continuation and leaves
+        // the UI stuck "connecting". Keep the whole lifecycle on the main run loop and always
+        // resume the continuation exactly once (timeout/cancel safe).
+        @MainActor
+        final class Resolver: NSObject, @preconcurrency NetServiceDelegate {
+            private var cont: CheckedContinuation<(host: String, port: Int)?, Never>?
+            private let service: NetService
+            private var timeoutTask: Task<Void, Never>?
+            private var finished = false
+
+            init(cont: CheckedContinuation<(host: String, port: Int)?, Never>, service: NetService) {
+                self.cont = cont
+                self.service = service
+                super.init()
+            }
+
+            func start(timeoutSeconds: TimeInterval) {
+                self.service.delegate = self
+                self.service.schedule(in: .main, forMode: .default)
+
+                // NetService has its own timeout, but we keep a manual one as a backstop in case
+                // callbacks never arrive (e.g. local network permission issues).
+                self.timeoutTask = Task { @MainActor [weak self] in
+                    guard let self else { return }
+                    let ns = UInt64(max(0.1, timeoutSeconds) * 1_000_000_000)
+                    try? await Task.sleep(nanoseconds: ns)
+                    self.finish(nil)
+                }
+
+                self.service.resolve(withTimeout: timeoutSeconds)
+            }
+
+            func netServiceDidResolveAddress(_ sender: NetService) {
+                self.finish(Self.extractHostPort(sender))
+            }
+
+            func netService(_ sender: NetService, didNotResolve errorDict: [String: NSNumber]) {
+                _ = errorDict // currently best-effort; callers surface a generic failure
+                self.finish(nil)
+            }
+
+            private func finish(_ result: (host: String, port: Int)?) {
+                guard !self.finished else { return }
+                self.finished = true
+
+                self.timeoutTask?.cancel()
+                self.timeoutTask = nil
+
+                self.service.stop()
+                self.service.remove(from: .main, forMode: .default)
+
+                let c = self.cont
+                self.cont = nil
+                c?.resume(returning: result)
+            }
+
+            private static func extractHostPort(_ svc: NetService) -> (host: String, port: Int)? {
+                let port = svc.port
+
+                if let host = svc.hostName?.trimmingCharacters(in: .whitespacesAndNewlines), !host.isEmpty {
+                    return (host: host, port: port)
+                }
+
+                guard let addrs = svc.addresses else { return nil }
+                for addrData in addrs {
+                    let host = addrData.withUnsafeBytes { ptr -> String? in
+                        guard let base = ptr.baseAddress, !ptr.isEmpty else { return nil }
+                        var buffer = [CChar](repeating: 0, count: Int(NI_MAXHOST))
+
+                        let rc = getnameinfo(
+                            base.assumingMemoryBound(to: sockaddr.self),
+                            socklen_t(ptr.count),
+                            &buffer,
+                            socklen_t(buffer.count),
+                            nil,
+                            0,
+                            NI_NUMERICHOST)
+                        guard rc == 0 else { return nil }
+                        let bytes = buffer.prefix { $0 != 0 }.map { UInt8(bitPattern: $0) }
+                        return String(bytes: bytes, encoding: .utf8)
+                    }
+
+                    if let host, !host.isEmpty {
+                        return (host: host, port: port)
+                    }
+                }
+
+                return nil
+            }
+        }
+
+        return await withCheckedContinuation { cont in
+            Task { @MainActor in
+                let service = NetService(domain: domain, type: type, name: name)
+                let resolver = Resolver(cont: cont, service: service)
+                // Keep the resolver alive for the lifetime of the NetService resolve.
+                objc_setAssociatedObject(service, "resolver", resolver, .OBJC_ASSOCIATION_RETAIN_NONATOMIC)
+                resolver.start(timeoutSeconds: timeoutSeconds)
+            }
+        }
+    }
 }

 extension GatewayConnectionController {
@@ -1033,10 +1162,30 @@ extension GatewayConnectionController {
        self.currentCommands()
    }

+    func _test_currentPermissions() async -> [String: Bool] {
+        await self.currentPermissions()
+    }
+
    static func _test_isLocationAvailable(servicesEnabled: Bool, status: CLAuthorizationStatus) -> Bool {
        self.isLocationAvailable(servicesEnabled: servicesEnabled, status: status)
    }

+    func _test_platformString() -> String {
+        DeviceInfoHelper.platformString()
+    }
+
+    func _test_deviceFamily() -> String {
+        DeviceInfoHelper.deviceFamily()
+    }
+
+    func _test_modelIdentifier() -> String {
+        DeviceInfoHelper.modelIdentifier()
+    }
+
+    func _test_appVersion() -> String {
+        DeviceInfoHelper.appVersion()
+    }
+
    func _test_setGateways(_ gateways: [GatewayDiscoveryModel.DiscoveredGateway]) {
        self.gateways = gateways
    }
@@ -1050,9 +1199,10 @@ extension GatewayConnectionController {
    }

    func _test_resolveDiscoveredTLSParams(
-        gateway: GatewayDiscoveryModel.DiscoveredGateway) -> GatewayTLSParams?
+        gateway: GatewayDiscoveryModel.DiscoveredGateway,
+        allowTOFU: Bool) -> GatewayTLSParams?
    {
-        self.resolveDiscoveredTLSParams(gateway: gateway)
+        self.resolveDiscoveredTLSParams(gateway: gateway, allowTOFU: allowTOFU)
    }

    func _test_resolveManualUseTLS(host: String, useTLS: Bool) -> Bool {
--- a/apps/ios/Sources/Gateway/GatewaySettingsStore.swift
+++ b/apps/ios/Sources/Gateway/GatewaySettingsStore.swift
@@ -9,6 +9,11 @@ enum GatewaySettingsStore {
    private static let instanceIdDefaultsKey = "node.instanceId"
    private static let preferredGatewayStableIDDefaultsKey = "gateway.preferredStableID"
    private static let lastDiscoveredGatewayStableIDDefaultsKey = "gateway.lastDiscoveredStableID"
+    private static let manualEnabledDefaultsKey = "gateway.manual.enabled"
+    private static let manualHostDefaultsKey = "gateway.manual.host"
+    private static let manualPortDefaultsKey = "gateway.manual.port"
+    private static let manualTlsDefaultsKey = "gateway.manual.tls"
+    private static let discoveryDebugLogsDefaultsKey = "gateway.discovery.debugLogs"
    private static let lastGatewayKindDefaultsKey = "gateway.last.kind"
    private static let lastGatewayHostDefaultsKey = "gateway.last.host"
    private static let lastGatewayPortDefaultsKey = "gateway.last.port"
@@ -179,6 +184,24 @@ enum GatewaySettingsStore {
    enum LastGatewayConnection: Equatable {
        case manual(host: String, port: Int, useTLS: Bool, stableID: String)
        case discovered(stableID: String, useTLS: Bool)
+
+        var stableID: String {
+            switch self {
+            case let .manual(_, _, _, stableID):
+                stableID
+            case let .discovered(stableID, _):
+                stableID
+            }
+        }
+
+        var useTLS: Bool {
+            switch self {
+            case let .manual(_, _, useTLS, _):
+                useTLS
+            case let .discovered(_, useTLS):
+                useTLS
+            }
+        }
    }

    private enum LastGatewayKind: String, Codable {
@@ -206,6 +229,17 @@ enum GatewaySettingsStore {
        return nil
    }

+    static func saveTalkProviderApiKey(_ apiKey: String?, provider: String) {
+        guard let providerId = self.normalizedTalkProviderID(provider) else { return }
+        let account = self.talkProviderApiKeyAccount(providerId: providerId)
+        let trimmed = apiKey?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
+        if trimmed.isEmpty {
+            _ = KeychainStore.delete(service: self.talkService, account: account)
+            return
+        }
+        _ = KeychainStore.saveString(trimmed, service: self.talkService, account: account)
+    }
+
    static func saveLastGatewayConnectionManual(host: String, port: Int, useTLS: Bool, stableID: String) {
        let payload = LastGatewayConnectionData(
            kind: .manual, stableID: stableID, useTLS: useTLS, host: host, port: port)
@@ -546,4 +580,11 @@ enum GatewayDiagnostics {
            }
        }
    }
+
+    static func reset() {
+        guard let url = fileURL else { return }
+        self.queue.async {
+            try? FileManager.default.removeItem(at: url)
+        }
+    }
 }
--- a/apps/ios/Sources/LiveActivity/LiveActivityManager.swift
+++ b/apps/ios/Sources/LiveActivity/LiveActivityManager.swift
@@ -17,6 +17,15 @@ final class LiveActivityManager {
        self.hydrateCurrentAndPruneDuplicates()
    }

+    var isActive: Bool {
+        guard let activity = self.currentActivity else { return false }
+        guard activity.activityState == .active else {
+            self.currentActivity = nil
+            return false
+        }
+        return true
+    }
+
    func showConnecting(statusText: String = "Connecting...", agentName: String, sessionKey: String) {
        self.hydrateCurrentAndPruneDuplicates()

@@ -87,6 +96,10 @@ final class LiveActivityManager {
        self.endActivity(reason: "connected")
    }

+    func handleDisconnect() {
+        self.endActivity(reason: "disconnected")
+    }
+
    func endActivity(reason: String) {
        guard let activity = self.currentActivity else { return }
        self.currentActivity = nil
@@ -170,6 +183,15 @@ final class LiveActivityManager {
            startedAt: self.activityStartDate)
    }

+    private func idleState() -> OpenClawActivityAttributes.ContentState {
+        OpenClawActivityAttributes.ContentState(
+            statusText: "Idle",
+            isIdle: true,
+            isDisconnected: false,
+            isConnecting: false,
+            startedAt: self.activityStartDate)
+    }
+
    private func disconnectedState() -> OpenClawActivityAttributes.ContentState {
        OpenClawActivityAttributes.ContentState(
            statusText: "Disconnected",
--- a/apps/ios/Sources/LiveActivity/OpenClawActivityAttributes.swift
+++ b/apps/ios/Sources/LiveActivity/OpenClawActivityAttributes.swift
@@ -14,3 +14,39 @@ struct OpenClawActivityAttributes: ActivityAttributes {
        var startedAt: Date
    }
 }
+
+#if DEBUG
+extension OpenClawActivityAttributes {
+    static let preview = OpenClawActivityAttributes(agentName: "main", sessionKey: "main")
+}
+
+extension OpenClawActivityAttributes.ContentState {
+    static let connecting = OpenClawActivityAttributes.ContentState(
+        statusText: "Connecting...",
+        isIdle: false,
+        isDisconnected: false,
+        isConnecting: true,
+        startedAt: .now)
+
+    static let idle = OpenClawActivityAttributes.ContentState(
+        statusText: "Idle",
+        isIdle: true,
+        isDisconnected: false,
+        isConnecting: false,
+        startedAt: .now)
+
+    static let disconnected = OpenClawActivityAttributes.ContentState(
+        statusText: "Disconnected",
+        isIdle: false,
+        isDisconnected: true,
+        isConnecting: false,
+        startedAt: .now)
+
+    static let attention = OpenClawActivityAttributes.ContentState(
+        statusText: "Approval needed",
+        isIdle: false,
+        isDisconnected: false,
+        isConnecting: false,
+        startedAt: .now)
+}
+#endif
--- a/apps/ios/Sources/Location/LocationService.swift
+++ b/apps/ios/Sources/Location/LocationService.swift
@@ -12,6 +12,8 @@ final class LocationService: NSObject, CLLocationManagerDelegate, LocationServic
    private let manager = CLLocationManager()
    private var authContinuation: CheckedContinuation<CLAuthorizationStatus, Never>?
    private var locationContinuation: CheckedContinuation<CLLocation, Swift.Error>?
+    private var updatesContinuation: AsyncStream<CLLocation>.Continuation?
+    private var isStreaming = false
    private var significantLocationCallback: (@Sendable (CLLocation) -> Void)?
    private var isMonitoringSignificantChanges = false

@@ -82,6 +84,42 @@ final class LocationService: NSObject, CLLocationManagerDelegate, LocationServic
        try await AsyncTimeout.withTimeoutMs(timeoutMs: timeoutMs, onTimeout: { Error.timeout }, operation: operation)
    }

+    func startLocationUpdates(
+        desiredAccuracy: OpenClawLocationAccuracy,
+        significantChangesOnly: Bool) -> AsyncStream<CLLocation>
+    {
+        self.stopLocationUpdates()
+
+        self.manager.desiredAccuracy = LocationCurrentRequest.accuracyValue(desiredAccuracy)
+        self.manager.pausesLocationUpdatesAutomatically = true
+        self.manager.allowsBackgroundLocationUpdates = true
+
+        self.isStreaming = true
+        if significantChangesOnly {
+            self.manager.startMonitoringSignificantLocationChanges()
+        } else {
+            self.manager.startUpdatingLocation()
+        }
+
+        return AsyncStream(bufferingPolicy: .bufferingNewest(1)) { continuation in
+            self.updatesContinuation = continuation
+            continuation.onTermination = { @Sendable _ in
+                Task { @MainActor in
+                    self.stopLocationUpdates()
+                }
+            }
+        }
+    }
+
+    func stopLocationUpdates() {
+        guard self.isStreaming else { return }
+        self.isStreaming = false
+        self.manager.stopUpdatingLocation()
+        self.manager.stopMonitoringSignificantLocationChanges()
+        self.updatesContinuation?.finish()
+        self.updatesContinuation = nil
+    }
+
    func startMonitoringSignificantLocationChanges(onUpdate: @escaping @Sendable (CLLocation) -> Void) {
        self.significantLocationCallback = onUpdate
        guard !self.isMonitoringSignificantChanges else { return }
@@ -89,6 +127,13 @@ final class LocationService: NSObject, CLLocationManagerDelegate, LocationServic
        self.manager.startMonitoringSignificantLocationChanges()
    }

+    func stopMonitoringSignificantLocationChanges() {
+        guard self.isMonitoringSignificantChanges else { return }
+        self.isMonitoringSignificantChanges = false
+        self.significantLocationCallback = nil
+        self.manager.stopMonitoringSignificantLocationChanges()
+    }
+
    nonisolated func locationManagerDidChangeAuthorization(_ manager: CLLocationManager) {
        let status = manager.authorizationStatus
        Task { @MainActor in
@@ -116,6 +161,9 @@ final class LocationService: NSObject, CLLocationManagerDelegate, LocationServic
            if let callback = self.significantLocationCallback, let latest = locs.last {
                callback(latest)
            }
+            if let latest = locs.last, let updates = self.updatesContinuation {
+                updates.yield(latest)
+            }
        }
    }

--- a/apps/ios/Sources/Model/NodeAppModel.swift
+++ b/apps/ios/Sources/Model/NodeAppModel.swift
@@ -133,6 +133,7 @@ final class NodeAppModel {
        self.lastGatewayProblem?.statusText ?? self.gatewayStatusText
    }

+    var seamColorHex: String?
    private var mainSessionBaseKey: String = "main"
    private var focusedChatSessionKey: String?
    var selectedAgentId: String?
@@ -187,7 +188,6 @@ final class NodeAppModel {
    @ObservationIgnored private var backgroundGraceTaskTimer: Task<Void, Never>?
    private var backgroundReconnectSuppressed = false
    private var backgroundReconnectLeaseUntil: Date?
-    @ObservationIgnored private var foregroundGatewayResumeCheckInFlight = false
    private var lastSignificantLocationWakeAt: Date?
    @ObservationIgnored private let watchReplyCoordinator = WatchReplyCoordinator()
    private var watchExecApprovalPromptsByID: [String: ExecApprovalPrompt] = [:]
@@ -201,6 +201,9 @@ final class NodeAppModel {
    private var apnsDeviceTokenHex: String?
    private var apnsLastRegisteredTokenHex: String?
    @ObservationIgnored private let pushRegistrationManager = PushRegistrationManager()
+    var gatewaySession: GatewayNodeSession {
+        self.nodeGateway
+    }

    var operatorSession: GatewayNodeSession {
        self.operatorGateway
@@ -211,7 +214,6 @@ final class NodeAppModel {
    private static let watchExecApprovalBridgeStateKey = "watch.execApproval.bridge.state.v1"
    private static let backgroundAliveLastSuccessAtMsKey = "gateway.backgroundAlive.lastSuccessAtMs"
    private static let backgroundAliveLastTriggerKey = "gateway.backgroundAlive.lastTrigger"
-    private static let foregroundResumeHealthTimeoutSeconds = 1

    var cameraHUDText: String?
    var cameraHUDKind: CameraHUDKind?
@@ -415,7 +417,9 @@ final class NodeAppModel {
            self.isBackgrounded = false
            self.endBackgroundConnectionGracePeriod(reason: "scene_foreground")
            self.clearBackgroundReconnectSuppression(reason: "scene_foreground")
-            var shouldStartGatewayHealthMonitor = self.operatorConnected
+            if self.operatorConnected {
+                self.startGatewayHealthMonitor()
+            }
            if phase == .active {
                self.voiceWake.resumeAfterExternalAudioCapture(wasSuspended: self.backgroundVoiceWakeSuspended)
                self.backgroundVoiceWakeSuspended = false
@@ -440,8 +444,6 @@ final class NodeAppModel {
                // iOS may suspend network sockets in background without a clean close.
                // On foreground, force a fresh handshake to avoid "connected but dead" states.
                if backgroundedFor >= 3.0 {
-                    shouldStartGatewayHealthMonitor = false
-                    self.foregroundGatewayResumeCheckInFlight = true
                    Task { [weak self] in
                        guard let self else { return }
                        let operatorWasConnected = await MainActor.run { self.operatorConnected }
@@ -450,26 +452,31 @@ final class NodeAppModel {
                            let healthy = await (try? self.operatorGateway.request(
                                method: "health",
                                paramsJSON: nil,
-                                timeoutSeconds: Self.foregroundResumeHealthTimeoutSeconds)) != nil
+                                timeoutSeconds: 2)) != nil
                            if healthy {
-                                await MainActor.run {
-                                    self.foregroundGatewayResumeCheckInFlight = false
-                                    self.startGatewayHealthMonitor()
-                                }
+                                await MainActor.run { self.startGatewayHealthMonitor() }
                                return
                            }
                        }

+                        await self.operatorGateway.disconnect()
+                        await self.nodeGateway.disconnect()
                        await MainActor.run {
-                            self.foregroundGatewayResumeCheckInFlight = false
+                            guard !self.isAppleReviewDemoModeEnabled else { return }
+                            self.setOperatorConnected(false)
+                            self.gatewayConnected = false
+                            // Foreground recovery must actively restart the saved gateway config.
+                            // Disconnecting stale sockets alone can leave us idle if the old
+                            // reconnect tasks were suppressed or otherwise got stuck in background.
+                            self.gatewayStatusText = "Reconnecting…"
+                            self.talkMode.updateGatewayConnected(false)
+                            if let cfg = self.activeGatewayConnectConfig {
+                                self.applyGatewayConnectConfig(cfg)
+                            }
                        }
-                        await self.restartGatewaySessionsAfterForegroundStaleConnection()
                    }
                }
            }
-            if shouldStartGatewayHealthMonitor {
-                self.startGatewayHealthMonitor()
-            }
        @unknown default:
            self.isBackgrounded = false
            self.endBackgroundConnectionGracePeriod(reason: "scene_unknown")
@@ -720,6 +727,11 @@ final class NodeAppModel {
        }
    }

+    var seamColor: Color {
+        Self.color(fromHex: self.seamColorHex) ?? Self.defaultSeamColor
+    }
+
+    private static let defaultSeamColor = Color(red: 79 / 255.0, green: 122 / 255.0, blue: 154 / 255.0)
    private static let apnsDeviceTokenUserDefaultsKey = "push.apns.deviceTokenHex"
    private static let deepLinkKeyUserDefaultsKey = "deeplink.agent.key"
    private static let canvasUnattendedDeepLinkKey: String = NodeAppModel.generateDeepLinkKey()
@@ -729,9 +741,12 @@ final class NodeAppModel {
            let res = try await self.operatorGateway.request(method: "config.get", paramsJSON: "{}", timeoutSeconds: 8)
            guard let json = try JSONSerialization.jsonObject(with: res) as? [String: Any] else { return }
            guard let config = json["config"] as? [String: Any] else { return }
+            let ui = config["ui"] as? [String: Any]
+            let raw = (ui?["seamColor"] as? String)?.trimmingCharacters(in: .whitespacesAndNewlines) ?? ""
            let session = config["session"] as? [String: Any]
            let mainKey = SessionKey.normalizeMainKey(session?["mainKey"] as? String)
            await MainActor.run {
+                self.seamColorHex = raw.isEmpty ? nil : raw
                self.mainSessionBaseKey = mainKey
                self.talkMode.updateMainSessionKey(self.mainSessionKey)
                self.homeCanvasRevision &+= 1
@@ -771,12 +786,6 @@ final class NodeAppModel {

    func refreshGatewayOverviewIfConnected() async {
        guard await self.isOperatorConnected() else { return }
-        if self.foregroundGatewayResumeCheckInFlight {
-            GatewayDiagnostics.log("gateway overview refresh deferred reason=foreground_resume_check")
-            try? await Task.sleep(
-                nanoseconds: UInt64(Self.foregroundResumeHealthTimeoutSeconds) * 1_000_000_000)
-            guard await self.isOperatorConnected(), !self.foregroundGatewayResumeCheckInFlight else { return }
-        }
        await self.refreshBrandingFromGateway()
        await self.refreshAgentsFromGateway()
    }
@@ -1936,7 +1945,7 @@ extension NodeAppModel {
        }

        self.activeGatewayConnectConfig = nextConfig
-        self.prepareForGatewayConnect(stableID: effectiveStableID)
+        self.prepareForGatewayConnect(url: url, stableID: effectiveStableID)
        if operatorLoopRequired {
            self.startOperatorGatewayLoop(
                url: url,
@@ -1977,33 +1986,12 @@ extension NodeAppModel {
    }

    func resetGatewaySessionsForForcedReconnect() async {
-        let nodeGatewayTask = self.nodeGatewayTask
-        let operatorGatewayTask = self.operatorGatewayTask
-        nodeGatewayTask?.cancel()
+        self.nodeGatewayTask?.cancel()
        self.nodeGatewayTask = nil
-        operatorGatewayTask?.cancel()
+        self.operatorGatewayTask?.cancel()
        self.operatorGatewayTask = nil
        await self.operatorGateway.disconnect()
        await self.nodeGateway.disconnect()
-        // Foreground recovery reuses the same config immediately after reset.
-        // Wait for canceled loops so their shutdown cleanup cannot clobber the new reconnect state.
-        if let operatorGatewayTask {
-            await operatorGatewayTask.value
-        }
-        if let nodeGatewayTask {
-            await nodeGatewayTask.value
-        }
-    }
-
-    private func restartGatewaySessionsAfterForegroundStaleConnection() async {
-        await self.resetGatewaySessionsForForcedReconnect()
-        guard !self.isAppleReviewDemoModeEnabled else { return }
-        self.setOperatorConnected(false)
-        self.gatewayConnected = false
-        self.gatewayStatusText = "Reconnecting…"
-        self.talkMode.updateGatewayConnected(false)
-        guard let cfg = self.activeGatewayConnectConfig else { return }
-        self.applyGatewayConnectConfig(cfg, forceReconnect: true)
    }

    func disconnectGateway() {
@@ -2033,6 +2021,7 @@ extension NodeAppModel {
        self.gatewayConnected = false
        self.setOperatorConnected(false)
        self.talkMode.updateGatewayConnected(false)
+        self.seamColorHex = nil
        self.mainSessionBaseKey = "main"
        self.talkMode.updateMainSessionKey(self.mainSessionKey)
        ShareGatewayRelaySettings.clearConfig()
@@ -2041,7 +2030,7 @@ extension NodeAppModel {
 }

 extension NodeAppModel {
-    private func prepareForGatewayConnect(stableID: String) {
+    private func prepareForGatewayConnect(url: URL, stableID: String) {
        self.isAppleReviewDemoModeEnabled = false
        self.gatewayAutoReconnectEnabled = true
        self.gatewayPairingPaused = false
@@ -2645,6 +2634,7 @@ extension NodeAppModel {
                self.gatewayConnected = false
                self.setOperatorConnected(false)
                self.talkMode.updateGatewayConnected(false)
+                self.seamColorHex = nil
                self.mainSessionBaseKey = "main"
                self.talkMode.updateMainSessionKey(self.mainSessionKey)
                self.showLocalCanvasOnDisconnect()
@@ -2817,6 +2807,7 @@ extension NodeAppModel {
        self.talkMode.updateGatewayConnected(false)
        self.talkMode.setEnabled(false)
        self.talkMode.statusText = "Demo mode only"
+        self.seamColorHex = nil
        self.mainSessionBaseKey = "main"
        self.selectedAgentId = nil
        self.gatewayDefaultAgentId = "main"
@@ -2931,6 +2922,14 @@ extension NodeAppModel {
        self.refreshLastShareEventFromRelay()
    }

+    func reloadTalkConfig() {
+        Task { [weak self] in
+            guard let self else { return }
+            await self.talkMode.reloadConfig()
+            await self.talkMode.prefetchRealtimeSessionIfReady(reason: "config_reload")
+        }
+    }
+
    /// Back-compat hook retained for older gateway-connect flows.
    func onNodeGatewayConnected() async {
        await self.registerAPNsTokenIfNeeded()
@@ -3891,6 +3890,32 @@ extension NodeAppModel {
        }
    }

+    func handleExecApprovalNotificationDecision(
+        approvalId: String,
+        decision: String) async
+    {
+        let normalizedApprovalID = approvalId.trimmingCharacters(in: .whitespacesAndNewlines)
+        guard !normalizedApprovalID.isEmpty else { return }
+
+        if self.pendingExecApprovalPrompt?.id == normalizedApprovalID {
+            self.pendingExecApprovalPromptResolving = true
+            self.pendingExecApprovalPromptErrorText = nil
+        }
+
+        let outcome = await self.resolveExecApprovalNotificationDecision(
+            approvalId: normalizedApprovalID,
+            decision: decision)
+        switch outcome {
+        case .resolved, .stale, .unavailable:
+            break
+        case let .failed(message):
+            if self.pendingExecApprovalPrompt?.id == normalizedApprovalID {
+                self.pendingExecApprovalPromptResolving = false
+                self.pendingExecApprovalPromptErrorText = message
+            }
+        }
+    }
+
    private func resolveExecApprovalNotificationDecision(
        approvalId: String,
        decision: String,
@@ -4427,6 +4452,17 @@ extension NodeAppModel {
        self.talkMode.updateMainSessionKey(self.mainSessionKey)
    }

+    private static func color(fromHex raw: String?) -> Color? {
+        let trimmed = (raw ?? "").trimmingCharacters(in: .whitespacesAndNewlines)
+        guard !trimmed.isEmpty else { return nil }
+        let hex = trimmed.hasPrefix("#") ? String(trimmed.dropFirst()) : trimmed
+        guard hex.count == 6, let value = Int(hex, radix: 16) else { return nil }
+        let r = Double((value >> 16) & 0xFF) / 255.0
+        let g = Double((value >> 8) & 0xFF) / 255.0
+        let b = Double(value & 0xFF) / 255.0
+        return Color(red: r, green: g, blue: b)
+    }
+
    func approvePendingAgentDeepLinkPrompt() async {
        guard let prompt = self.pendingAgentDeepLinkPrompt else { return }
        self.pendingAgentDeepLinkPrompt = nil
@@ -4576,10 +4612,30 @@ extension NodeAppModel {
        try self.encodePayload(obj)
    }

+    func _test_isCameraEnabled() -> Bool {
+        self.isCameraEnabled()
+    }
+
+    func _test_triggerCameraFlash() {
+        self.triggerCameraFlash()
+    }
+
+    func _test_showCameraHUD(text: String, kind: CameraHUDKind, autoHideSeconds: Double? = nil) {
+        self.showCameraHUD(text: text, kind: kind, autoHideSeconds: autoHideSeconds)
+    }
+
    func _test_handleCanvasA2UIAction(body: [String: Any]) async {
        await self.handleCanvasA2UIAction(body: body)
    }

+    func _test_showLocalCanvasOnDisconnect() {
+        self.showLocalCanvasOnDisconnect()
+    }
+
+    func _test_applyTalkModeSync(enabled: Bool, phase: String? = nil) {
+        self.applyTalkModeSync(enabled: enabled, phase: phase)
+    }
+
    func _test_queuedWatchReplyCount() -> Int {
        self.watchReplyCoordinator.queuedCount
    }
@@ -4770,10 +4826,6 @@ extension NodeAppModel {
        (self.nodeGatewayTask != nil, self.operatorGatewayTask != nil)
    }

-    func _test_restartGatewaySessionsAfterForegroundStaleConnection() async {
-        await self.restartGatewaySessionsAfterForegroundStaleConnection()
-    }
-
    func _test_handleSuccessfulBootstrapGatewayOnboarding() async {
        await self.handleSuccessfulBootstrapGatewayOnboarding(
            url: URL(string: "wss://gateway.example")!,
--- a/apps/ios/Sources/Onboarding/GatewayOnboardingView.swift
+++ b/apps/ios/Sources/Onboarding/GatewayOnboardingView.swift
@@ -0,0 +1,365 @@
+import Foundation
+import OpenClawKit
+import SwiftUI
+
+struct GatewayOnboardingView: View {
+    var body: some View {
+        NavigationStack {
+            List {
+                Section {
+                    Text("Connect to your gateway to get started.")
+                        .foregroundStyle(.secondary)
+                }
+
+                Section {
+                    NavigationLink("Auto detect") {
+                        AutoDetectStep()
+                    }
+                    NavigationLink("Manual entry") {
+                        ManualEntryStep()
+                    }
+                }
+            }
+            .navigationTitle("Connect Gateway")
+        }
+        .gatewayTrustPromptAlert()
+    }
+}
+
+private struct AutoDetectStep: View {
+    @Environment(NodeAppModel.self) private var appModel: NodeAppModel
+    @Environment(GatewayConnectionController.self) private var gatewayController: GatewayConnectionController
+    @AppStorage("gateway.preferredStableID") private var preferredGatewayStableID: String = ""
+    @AppStorage("gateway.lastDiscoveredStableID") private var lastDiscoveredGatewayStableID: String = ""
+
+    @State private var connectingGatewayID: String?
+    @State private var connectStatusText: String?
+
+    var body: some View {
+        Form {
+            Section {
+                Text("We’ll scan for gateways on your network and connect automatically when we find one.")
+                    .foregroundStyle(.secondary)
+            }
+
+            gatewayConnectionStatusSection(
+                appModel: self.appModel,
+                gatewayController: self.gatewayController,
+                secondaryLine: self.connectStatusText)
+
+            Section {
+                Button("Retry") {
+                    resetGatewayConnectionState(
+                        appModel: self.appModel,
+                        connectStatusText: &self.connectStatusText,
+                        connectingGatewayID: &self.connectingGatewayID)
+                    self.triggerAutoConnect()
+                }
+                .disabled(self.connectingGatewayID != nil)
+            }
+        }
+        .navigationTitle("Auto detect")
+        .onAppear { self.triggerAutoConnect() }
+        .onChange(of: self.gatewayController.gateways) { _, _ in
+            self.triggerAutoConnect()
+        }
+    }
+
+    private func triggerAutoConnect() {
+        guard self.appModel.gatewayServerName == nil else { return }
+        guard self.connectingGatewayID == nil else { return }
+        guard let candidate = self.autoCandidate() else { return }
+
+        self.connectingGatewayID = candidate.id
+        Task {
+            defer { self.connectingGatewayID = nil }
+            await self.gatewayController.connect(candidate)
+        }
+    }
+
+    private func autoCandidate() -> GatewayDiscoveryModel.DiscoveredGateway? {
+        let preferred = self.preferredGatewayStableID.trimmingCharacters(in: .whitespacesAndNewlines)
+        let lastDiscovered = self.lastDiscoveredGatewayStableID.trimmingCharacters(in: .whitespacesAndNewlines)
+
+        if !preferred.isEmpty,
+           let match = self.gatewayController.gateways.first(where: { $0.stableID == preferred })
+        {
+            return match
+        }
+        if !lastDiscovered.isEmpty,
+           let match = self.gatewayController.gateways.first(where: { $0.stableID == lastDiscovered })
+        {
+            return match
+        }
+        if self.gatewayController.gateways.count == 1 {
+            return self.gatewayController.gateways.first
+        }
+        return nil
+    }
+}
+
+private struct ManualEntryStep: View {
+    @Environment(NodeAppModel.self) private var appModel: NodeAppModel
+    @Environment(GatewayConnectionController.self) private var gatewayController: GatewayConnectionController
+
+    @State private var setupCode: String = ""
+    @State private var setupStatusText: String?
+    @State private var manualHost: String = ""
+    @State private var manualPortText: String = ""
+    @State private var manualUseTLS: Bool = true
+    @State private var manualToken: String = ""
+    @State private var manualPassword: String = ""
+    @State private var pendingManualAuthOverride: GatewayConnectionController.ManualAuthOverride?
+
+    @State private var connectingGatewayID: String?
+    @State private var connectStatusText: String?
+
+    var body: some View {
+        Form {
+            Section("Setup code") {
+                Text("Use /pair in your bot to get a setup code.")
+                    .font(.footnote)
+                    .foregroundStyle(.secondary)
+
+                TextField("Paste setup code", text: self.$setupCode)
+                    .textInputAutocapitalization(.never)
+                    .autocorrectionDisabled()
+
+                Button("Apply setup code") {
+                    self.applySetupCode()
+                }
+                .disabled(self.setupCode.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty)
+
+                if let setupStatusText, !setupStatusText.isEmpty {
+                    Text(setupStatusText)
+                        .font(.footnote)
+                        .foregroundStyle(.secondary)
+                }
+            }
+
+            Section {
+                TextField("Host", text: self.$manualHost)
+                    .textInputAutocapitalization(.never)
+                    .autocorrectionDisabled()
+
+                TextField("Port", text: self.$manualPortText)
+                    .keyboardType(.numberPad)
+
+                Toggle("Use TLS", isOn: self.$manualUseTLS)
+
+                TextField("Gateway token", text: self.$manualToken)
+                    .textInputAutocapitalization(.never)
+                    .autocorrectionDisabled()
+
+                SecureField("Gateway password", text: self.$manualPassword)
+                    .textInputAutocapitalization(.never)
+                    .autocorrectionDisabled()
+            }
+
+            gatewayConnectionStatusSection(
+                appModel: self.appModel,
+                gatewayController: self.gatewayController,
+                secondaryLine: self.connectStatusText)
+
+            Section {
+                Button {
+                    Task { await self.connectManual() }
+                } label: {
+                    if self.connectingGatewayID == "manual" {
+                        HStack(spacing: 8) {
+                            ProgressView()
+                                .progressViewStyle(.circular)
+                            Text("Connecting…")
+                        }
+                    } else {
+                        Text("Connect")
+                    }
+                }
+                .disabled(self.connectingGatewayID != nil)
+
+                Button("Retry") {
+                    resetGatewayConnectionState(
+                        appModel: self.appModel,
+                        connectStatusText: &self.connectStatusText,
+                        connectingGatewayID: &self.connectingGatewayID)
+                    self.resetManualForm()
+                }
+                .disabled(self.connectingGatewayID != nil)
+            }
+        }
+        .navigationTitle("Manual entry")
+    }
+
+    private func connectManual() async {
+        let host = self.manualHost.trimmingCharacters(in: .whitespacesAndNewlines)
+        guard !host.isEmpty else {
+            self.connectStatusText = "Failed: host required"
+            return
+        }
+
+        if let port = self.manualPortValue(), !(1...65535).contains(port) {
+            self.connectStatusText = "Failed: invalid port"
+            return
+        }
+
+        let defaults = UserDefaults.standard
+        defaults.set(true, forKey: "gateway.manual.enabled")
+        defaults.set(host, forKey: "gateway.manual.host")
+        defaults.set(self.manualPortValue() ?? 0, forKey: "gateway.manual.port")
+        defaults.set(self.manualUseTLS, forKey: "gateway.manual.tls")
+
+        let instanceId = GatewaySettingsStore.currentInstanceID()
+        if !instanceId.isEmpty {
+            let trimmedToken = self.manualToken.trimmingCharacters(in: .whitespacesAndNewlines)
+            let trimmedPassword = self.manualPassword.trimmingCharacters(in: .whitespacesAndNewlines)
+            if !trimmedToken.isEmpty {
+                GatewaySettingsStore.saveGatewayToken(trimmedToken, instanceId: instanceId)
+            }
+            GatewaySettingsStore.saveGatewayPassword(trimmedPassword, instanceId: instanceId)
+        }
+
+        self.connectingGatewayID = "manual"
+        defer { self.connectingGatewayID = nil }
+        let authOverride = GatewayConnectionController.ManualAuthOverride.currentManualInput(
+            token: self.manualToken,
+            pendingOverride: self.pendingManualAuthOverride,
+            password: self.manualPassword)
+        self.pendingManualAuthOverride = nil
+        await self.gatewayController.connectManual(
+            host: host,
+            port: self.manualPortValue() ?? 0,
+            useTLS: self.manualUseTLS,
+            authOverride: authOverride)
+    }
+
+    private func manualPortValue() -> Int? {
+        let trimmed = self.manualPortText.trimmingCharacters(in: .whitespacesAndNewlines)
+        guard !trimmed.isEmpty else { return nil }
+        return Int(trimmed.filter(\.isNumber))
+    }
+
+    private func resetManualForm() {
+        self.setupCode = ""
+        self.setupStatusText = nil
+        self.manualHost = ""
+        self.manualPortText = ""
+        self.manualUseTLS = true
+        self.manualToken = ""
+        self.manualPassword = ""
+    }
+
+    private func applySetupCode() {
+        let raw = self.setupCode.trimmingCharacters(in: .whitespacesAndNewlines)
+        guard !raw.isEmpty else {
+            self.setupStatusText = "Paste a setup code to continue."
+            return
+        }
+
+        if AppleReviewDemoMode.isSetupCode(raw) {
+            self.setupCode = ""
+            self.setupStatusText = "Apple Review demo mode enabled."
+            self.appModel.enterAppleReviewDemoMode()
+            return
+        }
+
+        guard let link = GatewayConnectDeepLink.fromSetupInput(raw) else {
+            self.setupStatusText = "Setup code not recognized or uses an insecure ws:// gateway URL."
+            return
+        }
+
+        self.manualHost = link.host
+        self.manualPortText = String(link.port)
+        self.manualUseTLS = link.tls
+
+        let setupAuth = GatewayConnectionController.ManualAuthOverride.setupAuth(from: link)
+        if setupAuth.shouldApplyTokenField {
+            self.manualToken = setupAuth.token
+        }
+        if setupAuth.shouldApplyPasswordField {
+            self.manualPassword = setupAuth.password
+        }
+
+        let trimmedInstanceId = GatewaySettingsStore.currentInstanceID()
+        if !trimmedInstanceId.isEmpty {
+            if setupAuth.hasBootstrapToken {
+                GatewayOnboardingReset.prepareForBootstrapPairing(
+                    appModel: self.appModel,
+                    instanceId: trimmedInstanceId)
+            }
+            GatewaySettingsStore.saveGatewayBootstrapToken(setupAuth.bootstrapToken, instanceId: trimmedInstanceId)
+        }
+        self.pendingManualAuthOverride = setupAuth.manualAuthOverride
+
+        self.setupStatusText = "Setup code applied."
+    }
+}
+
+@MainActor
+private func gatewayConnectionStatusLines(
+    appModel: NodeAppModel,
+    gatewayController: GatewayConnectionController) -> [String]
+{
+    ConnectionStatusBox.defaultLines(appModel: appModel, gatewayController: gatewayController)
+}
+
+@MainActor
+private func resetGatewayConnectionState(
+    appModel: NodeAppModel,
+    connectStatusText: inout String?,
+    connectingGatewayID: inout String?)
+{
+    appModel.disconnectGateway()
+    connectStatusText = nil
+    connectingGatewayID = nil
+}
+
+@MainActor
+private func gatewayConnectionStatusSection(
+    appModel: NodeAppModel,
+    gatewayController: GatewayConnectionController,
+    secondaryLine: String?) -> some View
+{
+    Section("Connection status") {
+        ConnectionStatusBox(
+            statusLines: gatewayConnectionStatusLines(
+                appModel: appModel,
+                gatewayController: gatewayController),
+            secondaryLine: secondaryLine)
+    }
+}
+
+private struct ConnectionStatusBox: View {
+    let statusLines: [String]
+    let secondaryLine: String?
+
+    var body: some View {
+        VStack(alignment: .leading, spacing: 6) {
+            ForEach(self.statusLines, id: \.self) { line in
+                Text(line)
+                    .font(.system(size: 12, weight: .regular, design: .monospaced))
+                    .foregroundStyle(.secondary)
+            }
+            if let secondaryLine, !secondaryLine.isEmpty {
+                Text(secondaryLine)
+                    .font(.footnote)
+                    .foregroundStyle(.secondary)
+            }
+        }
+        .frame(maxWidth: .infinity, alignment: .leading)
+        .padding(10)
+        .background(.thinMaterial, in: RoundedRectangle(cornerRadius: 10, style: .continuous))
+    }
+
+    static func defaultLines(
+        appModel: NodeAppModel,
+        gatewayController: GatewayConnectionController) -> [String]
+    {
+        var lines: [String] = [
+            "gateway: \(appModel.gatewayDisplayStatusText)",
+            "discovery: \(gatewayController.discoveryStatusText)",
+        ]
+        lines.append("server: \(appModel.gatewayServerName ?? "—")")
+        lines.append("address: \(appModel.gatewayRemoteAddress ?? "—")")
+        return lines
+    }
+}
--- a/apps/ios/Sources/Onboarding/OnboardingStateStore.swift
+++ b/apps/ios/Sources/Onboarding/OnboardingStateStore.swift
@@ -53,6 +53,10 @@ enum OnboardingStateStore {
        defaults.set(true, forKey: self.firstRunIntroSeenDefaultsKey)
    }

+    static func markIncomplete(defaults: UserDefaults = .standard) {
+        defaults.set(false, forKey: self.completedDefaultsKey)
+    }
+
    static func reset(defaults: UserDefaults = .standard) {
        defaults.set(false, forKey: self.completedDefaultsKey)
        defaults.set(false, forKey: self.firstRunIntroSeenDefaultsKey)
--- a/apps/ios/Sources/Onboarding/OnboardingWizardView.swift
+++ b/apps/ios/Sources/Onboarding/OnboardingWizardView.swift
@@ -17,6 +17,10 @@ private enum OnboardingStep: Int, CaseIterable {
        Self(rawValue: self.rawValue - 1)
    }

+    var next: Self? {
+        Self(rawValue: self.rawValue + 1)
+    }
+
    /// Progress label for the manual setup flow (mode → connect → auth → success).
    var manualProgressTitle: String {
        let manualSteps: [OnboardingStep] = [.mode, .connect, .auth, .success]
--- a/apps/ios/Sources/Push/PushBuildConfig.swift
+++ b/apps/ios/Sources/Push/PushBuildConfig.swift
@@ -39,6 +39,10 @@ struct PushBuildConfig {
        self.relayBaseURL = Self.readURL(bundle: bundle, key: "OpenClawPushRelayBaseURL")
    }

+    var usesRelay: Bool {
+        self.transport == .relay
+    }
+
    private static func readURL(bundle: Bundle, key: String) -> URL? {
        guard let raw = bundle.object(forInfoDictionaryKey: key) as? String else { return nil }
        let trimmed = raw.trimmingCharacters(in: .whitespacesAndNewlines)
--- a/apps/ios/Sources/Push/PushRelayKeychainStore.swift
+++ b/apps/ios/Sources/Push/PushRelayKeychainStore.swift
@@ -71,6 +71,11 @@ enum PushRelayRegistrationStore {
        return KeychainStore.saveString(raw, service: self.service, account: self.registrationStateAccount)
    }

+    @discardableResult
+    static func clearRegistrationState() -> Bool {
+        KeychainStore.delete(service: self.service, account: self.registrationStateAccount)
+    }
+
    static func loadAppAttestKeyID() -> String? {
        let value = KeychainStore.loadString(service: self.service, account: self.appAttestKeyIDAccount)?
            .trimmingCharacters(in: .whitespacesAndNewlines)
--- a/apps/ios/Sources/RootTabsNavigation.swift
+++ b/apps/ios/Sources/RootTabsNavigation.swift
@@ -7,6 +7,7 @@ extension RootTabs {
        980
    }

+    static let sidebarSplitMinimumWidth: CGFloat = 292
    static let sidebarSplitIdealWidth: CGFloat = 316
    static let sidebarSplitMaximumWidth: CGFloat = 340
    static let sidebarDrawerMaximumWidth: CGFloat = 340
--- a/apps/ios/Sources/RootView.swift
+++ b/apps/ios/Sources/RootView.swift
@@ -0,0 +1,15 @@
+import SwiftUI
+
+struct RootView: View {
+    @AppStorage(AppAppearancePreference.storageKey) private var appearancePreferenceRaw: String =
+        AppAppearancePreference.system.rawValue
+
+    var body: some View {
+        RootTabs()
+            .preferredColorScheme(self.appearancePreference.colorScheme)
+    }
+
+    private var appearancePreference: AppAppearancePreference {
+        AppAppearancePreference(rawValue: self.appearancePreferenceRaw) ?? .system
+    }
+}
--- a/apps/ios/Sources/Screen/ScreenController.swift
+++ b/apps/ios/Sources/Screen/ScreenController.swift
@@ -181,6 +181,16 @@ final class ScreenController {
        return try await WebViewJavaScriptSupport.evaluateToString(webView: webView, javaScript: javaScript)
    }

+    func snapshotPNGBase64(maxWidth: CGFloat? = nil) async throws -> String {
+        let image = try await self.snapshotImage(maxWidth: maxWidth)
+        guard let data = image.pngData() else {
+            throw NSError(domain: "Screen", code: 1, userInfo: [
+                NSLocalizedDescriptionKey: "snapshot encode failed",
+            ])
+        }
+        return data.base64EncodedString()
+    }
+
    func snapshotBase64(
        maxWidth: CGFloat? = nil,
        format: OpenClawCanvasSnapshotFormat,
--- a/apps/ios/Sources/Services/NodeServiceProtocols.swift
+++ b/apps/ios/Sources/Services/NodeServiceProtocols.swift
@@ -31,7 +31,12 @@ protocol LocationServicing: Sendable {
        desiredAccuracy: OpenClawLocationAccuracy,
        maxAgeMs: Int?,
        timeoutMs: Int?) async throws -> CLLocation
+    func startLocationUpdates(
+        desiredAccuracy: OpenClawLocationAccuracy,
+        significantChangesOnly: Bool) -> AsyncStream<CLLocation>
+    func stopLocationUpdates()
    func startMonitoringSignificantLocationChanges(onUpdate: @escaping @Sendable (CLLocation) -> Void)
+    func stopMonitoringSignificantLocationChanges()
 }

@MainActor
--- a/apps/ios/Sources/SessionKey.swift
+++ b/apps/ios/Sources/SessionKey.swift
@@ -22,4 +22,11 @@ enum SessionKey {
        let agentId = String(parts[1]).trimmingCharacters(in: .whitespacesAndNewlines)
        return agentId.isEmpty ? nil : agentId
    }
+
+    static func isCanonicalMainSessionKey(_ value: String?) -> Bool {
+        let trimmed = (value ?? "").trimmingCharacters(in: .whitespacesAndNewlines)
+        if trimmed.isEmpty { return false }
+        if trimmed == "global" { return true }
+        return trimmed.hasPrefix("agent:")
+    }
 }
--- a/apps/ios/Sources/Settings/SettingsNetworkingHelpers.swift
+++ b/apps/ios/Sources/Settings/SettingsNetworkingHelpers.swift
@@ -0,0 +1,40 @@
+import Foundation
+
+struct SettingsHostPort: Equatable {
+    var host: String
+    var port: Int
+}
+
+enum SettingsNetworkingHelpers {
+    static func parseHostPort(from address: String) -> SettingsHostPort? {
+        let trimmed = address.trimmingCharacters(in: .whitespacesAndNewlines)
+        guard !trimmed.isEmpty else { return nil }
+
+        if trimmed.hasPrefix("["),
+           let close = trimmed.firstIndex(of: "]"),
+           close < trimmed.endIndex
+        {
+            let host = String(trimmed[trimmed.index(after: trimmed.startIndex)..<close])
+            let portStart = trimmed.index(after: close)
+            guard portStart < trimmed.endIndex, trimmed[portStart] == ":" else { return nil }
+            let portString = String(trimmed[trimmed.index(after: portStart)...])
+            guard let port = Int(portString) else { return nil }
+            return SettingsHostPort(host: host, port: port)
+        }
+
+        guard let colon = trimmed.lastIndex(of: ":") else { return nil }
+        let host = String(trimmed[..<colon])
+        let portString = String(trimmed[trimmed.index(after: colon)...])
+        guard !host.isEmpty, let port = Int(portString) else { return nil }
+        return SettingsHostPort(host: host, port: port)
+    }
+
+    static func httpURLString(host: String?, port: Int?, fallback: String) -> String {
+        if let host, let port {
+            let needsBrackets = host.contains(":") && !host.hasPrefix("[") && !host.hasSuffix("]")
+            let hostPart = needsBrackets ? "[\(host)]" : host
+            return "http://\(hostPart):\(port)"
+        }
+        return "http://\(fallback)"
+    }
+}
--- a/apps/ios/Sources/Voice/TalkModeGatewayConfig.swift
+++ b/apps/ios/Sources/Voice/TalkModeGatewayConfig.swift
@@ -3,6 +3,7 @@ import OpenClawKit

 enum TalkModeExecutionMode {
    case native
+    case realtimeClient
    case realtimeRelay
 }

--- a/apps/ios/Sources/Voice/TalkModeManager+Permissions.swift
+++ b/apps/ios/Sources/Voice/TalkModeManager+Permissions.swift
@@ -64,6 +64,22 @@ extension TalkModeManager {
        }
    }

+    static func permissionMessage(
+        kind: String,
+        status: AVAudioSession.RecordPermission) -> String
+    {
+        switch status {
+        case .denied:
+            return "\(kind) permission denied"
+        case .undetermined:
+            return "\(kind) permission not granted"
+        case .granted:
+            return "\(kind) permission denied"
+        @unknown default:
+            return "\(kind) permission denied"
+        }
+    }
+
    static func permissionMessage(
        kind: String,
        status: SFSpeechRecognizerAuthorizationStatus) -> String
--- a/apps/ios/Sources/Voice/TalkModeManager.swift
+++ b/apps/ios/Sources/Voice/TalkModeManager.swift
@@ -70,6 +70,11 @@ final class TalkModeManager: NSObject {
        self.gatewayConnected
    }

+    var hasActiveAudioCapture: Bool {
+        self.isEnabled || self.isListening || self.isPushToTalkActive || self.realtimeRelaySession != nil
+            || self.realtimeRelayStartInFlight
+    }
+
    private enum CaptureMode {
        case idle
        case continuous
@@ -470,6 +475,13 @@ final class TalkModeManager: NSObject {
        return wasActive
    }

+    func setForegroundAudioCaptureAllowed(_ allowed: Bool) {
+        self.foregroundAudioCaptureAllowed = allowed
+        if !allowed {
+            self.cancelPendingStart()
+        }
+    }
+
    func resumeAfterBackground(wasSuspended: Bool, wasKeptActive: Bool = false) async {
        if wasKeptActive { return }
        guard wasSuspended else { return }
@@ -477,6 +489,14 @@ final class TalkModeManager: NSObject {
        await self.start()
    }

+    func userTappedOrb() {
+        if let realtimeSession {
+            realtimeSession.cancelResponse()
+        }
+        self.realtimeRelaySession?.cancelOutput()
+        self.stopSpeaking()
+    }
+
    func beginPushToTalk() async throws -> OpenClawTalkPTTStartPayload {
        guard self.gatewayConnected else {
            self.statusText = "Offline"
@@ -3084,6 +3104,23 @@ extension TalkModeManager {
        self.gatewayTalkCurrentFallbackIssue
    }

+    func _test_seedTranscript(_ transcript: String) {
+        self.lastTranscript = transcript
+        self.lastHeard = Date()
+    }
+
+    func _test_handleTranscript(_ transcript: String, isFinal: Bool) async {
+        await self.handleTranscript(transcript: transcript, isFinal: isFinal)
+    }
+
+    func _test_backdateLastHeard(seconds: TimeInterval) {
+        self.lastHeard = Date().addingTimeInterval(-seconds)
+    }
+
+    func _test_runSilenceCheck() async {
+        await self.checkSilence()
+    }
+
    func _test_incrementalReset() {
        self.incrementalSpeechBuffer = IncrementalSpeechBuffer()
    }
--- a/apps/ios/Sources/Voice/TalkPermissionPromptView.swift
+++ b/apps/ios/Sources/Voice/TalkPermissionPromptView.swift
@@ -3,6 +3,7 @@ import SwiftUI
 struct TalkPermissionPromptView: View {
    enum Style {
        case card
+        case settings
        case sheet
    }

--- a/apps/ios/Sources/Voice/TalkRealtimeWebRTCSession.swift
+++ b/apps/ios/Sources/Voice/TalkRealtimeWebRTCSession.swift
@@ -61,6 +61,7 @@ final class TalkRealtimeWebRTCSession: NSObject {
        let runId: String?
        let status: String?
        let startedAt: Double?
+        let endedAt: Double?
        let error: String?
        let stopReason: String?
        let timeoutPhase: String?
@@ -195,6 +196,11 @@ final class TalkRealtimeWebRTCSession: NSObject {
        Self.logger.info("timeline +\(self.elapsedMs(), privacy: .public)ms \(message, privacy: .public)")
    }

+    func cancelResponse() {
+        self.sendRealtimeEvent(["type": "response.cancel"])
+        self.cancelActiveToolCalls()
+    }
+
    private func cancelActiveToolCalls() {
        let runIds = Array(Set(activeToolRunIds.values))
        for task in self.activeToolTasks.values {
--- a/apps/ios/Sources/Voice/TalkSpeechLocale.swift
+++ b/apps/ios/Sources/Voice/TalkSpeechLocale.swift
@@ -70,6 +70,14 @@ enum TalkSpeechLocale {
        return (recognizer, recognizer?.locale.identifier)
    }

+    static func normalizedExplicitLocaleID(_ raw: String?) -> String? {
+        TalkConfigParsing.normalizedExplicitSpeechLocaleID(raw, automaticID: self.automaticID)
+    }
+
+    private static func normalizedLocaleID(_ raw: String?) -> String? {
+        TalkConfigParsing.normalizedSpeechLocaleID(raw)
+    }
+
    private static func canonicalID(_ raw: String) -> String {
        raw.replacingOccurrences(of: "_", with: "-")
    }
--- a/apps/ios/SwiftSources.input.xcfilelist
+++ b/apps/ios/SwiftSources.input.xcfilelist
@@ -16,6 +16,7 @@ Sources/Design/ChatProTab.swift
 Sources/Design/CommandCenterTab.swift
 Sources/Design/TalkProTab.swift
 Sources/Design/OpenClawProComponents.swift
+Sources/Design/OpenClawProScreens.swift
 Sources/Design/SettingsProTab.swift
 Sources/Design/SettingsProTabSupport.swift
 Sources/Design/SettingsProTabSections.swift
@@ -66,6 +67,7 @@ Sources/Model/NodeAppModel.swift
 Sources/Model/WatchReplyCoordinator.swift
 Sources/Motion/MotionService.swift
 Sources/Onboarding/GatewayOnboardingReset.swift
+Sources/Onboarding/GatewayOnboardingView.swift
 Sources/Onboarding/OnboardingStateStore.swift
 Sources/Onboarding/OnboardingWizardSteps.swift
 Sources/Onboarding/OnboardingWizardView.swift
@@ -81,6 +83,7 @@ Sources/Push/PushRelayKeychainStore.swift
 Sources/Reminders/RemindersService.swift
 Sources/RootTabs.swift
 Sources/RootTabsNavigation.swift
+Sources/RootView.swift
 Sources/Screen/ScreenController.swift
 Sources/Screen/ScreenRecordService.swift
 Sources/Screen/ScreenWebView.swift
@@ -91,6 +94,7 @@ Sources/Services/WatchMessagingPayloadCodec.swift
 Sources/Services/WatchMessagingService.swift
 Sources/SessionKey.swift
 Sources/Settings/PrivacyAccessSectionView.swift
+Sources/Settings/SettingsNetworkingHelpers.swift
 Sources/Settings/VoiceWakeWordsSettingsView.swift
 Sources/Status/GatewayStatusBuilder.swift
 Sources/Status/VoiceWakeToast.swift
--- a/apps/ios/Tests/GatewayConnectionControllerTests.swift
+++ b/apps/ios/Tests/GatewayConnectionControllerTests.swift
@@ -356,20 +356,6 @@ import UIKit
        #expect(!appModel._test_hasGatewayLoopTasks().operator)
    }

-    @Test @MainActor func foregroundStaleConnectionRestartReappliesActiveGatewayConfig() async {
-        let appModel = NodeAppModel()
-        defer { appModel.disconnectGateway() }
-
-        let config = Self.makeGatewayConnectConfig()
-        appModel.applyGatewayConnectConfig(config)
-        await appModel._test_restartGatewaySessionsAfterForegroundStaleConnection()
-
-        #expect(appModel.gatewayStatusText == "Reconnecting…")
-        #expect(appModel.activeGatewayConnectConfig?.hasSameConnectionInputs(as: config) == true)
-        #expect(appModel._test_hasGatewayLoopTasks().node)
-        #expect(appModel._test_hasGatewayLoopTasks().operator)
-    }
-
    @Test @MainActor func loadLastConnectionReadsSavedValues() {
        let prior = KeychainStore.loadString(service: "ai.openclaw.gateway", account: "lastConnection")
        defer {
--- a/apps/ios/Tests/GatewayConnectionSecurityTests.swift
+++ b/apps/ios/Tests/GatewayConnectionSecurityTests.swift
@@ -39,19 +39,19 @@ import Testing
    @Test @MainActor func discoveredTLSParams_prefersStoredPinOverAdvertisedTXT() async {
        let stableID = "test|\(UUID().uuidString)"
        defer { clearTLSFingerprint(stableID: stableID) }
-        self.clearTLSFingerprint(stableID: stableID)
+        clearTLSFingerprint(stableID: stableID)

        GatewayTLSStore.saveFingerprint("11", stableID: stableID)

-        let gateway = self.makeDiscoveredGateway(
+        let gateway = makeDiscoveredGateway(
            stableID: stableID,
            lanHost: "evil.example.com",
            tailnetDns: "evil.example.com",
            gatewayPort: 12345,
            fingerprint: "22")
-        let controller = self.makeController()
+        let controller = makeController()

-        let params = controller._test_resolveDiscoveredTLSParams(gateway: gateway)
+        let params = controller._test_resolveDiscoveredTLSParams(gateway: gateway, allowTOFU: true)
        #expect(params?.expectedFingerprint == "11")
        #expect(params?.allowTOFU == false)
    }
@@ -59,17 +59,17 @@ import Testing
    @Test @MainActor func discoveredTLSParams_doesNotTrustAdvertisedFingerprint() async {
        let stableID = "test|\(UUID().uuidString)"
        defer { clearTLSFingerprint(stableID: stableID) }
-        self.clearTLSFingerprint(stableID: stableID)
+        clearTLSFingerprint(stableID: stableID)

-        let gateway = self.makeDiscoveredGateway(
+        let gateway = makeDiscoveredGateway(
            stableID: stableID,
            lanHost: nil,
            tailnetDns: nil,
            gatewayPort: nil,
            fingerprint: "22")
-        let controller = self.makeController()
+        let controller = makeController()

-        let params = controller._test_resolveDiscoveredTLSParams(gateway: gateway)
+        let params = controller._test_resolveDiscoveredTLSParams(gateway: gateway, allowTOFU: true)
        #expect(params?.expectedFingerprint == nil)
        #expect(params?.allowTOFU == false)
    }
@@ -77,7 +77,7 @@ import Testing
    @Test @MainActor func autoconnectRequiresStoredPinForDiscoveredGateways() async {
        let stableID = "test|\(UUID().uuidString)"
        defer { clearTLSFingerprint(stableID: stableID) }
-        self.clearTLSFingerprint(stableID: stableID)
+        clearTLSFingerprint(stableID: stableID)

        let defaults = UserDefaults.standard
        defaults.set(true, forKey: "gateway.autoconnect")
@@ -90,13 +90,13 @@ import Testing
        defaults.removeObject(forKey: "gateway.preferredStableID")
        defaults.set(stableID, forKey: "gateway.lastDiscoveredStableID")

-        let gateway = self.makeDiscoveredGateway(
+        let gateway = makeDiscoveredGateway(
            stableID: stableID,
            lanHost: "test.local",
            tailnetDns: nil,
            gatewayPort: 18789,
            fingerprint: nil)
-        let controller = self.makeController()
+        let controller = makeController()
        controller._test_setGateways([gateway])
        controller._test_triggerAutoConnect()

@@ -104,7 +104,7 @@ import Testing
    }

    @Test @MainActor func manualConnectionsForceTLSForNonLoopbackHosts() async {
-        let controller = self.makeController()
+        let controller = makeController()

        #expect(controller._test_resolveManualUseTLS(host: "gateway.example.com", useTLS: false) == true)
        #expect(controller._test_resolveManualUseTLS(host: "127.attacker.example", useTLS: false) == true)
@@ -120,7 +120,7 @@ import Testing
    }

    @Test @MainActor func manualConnectionsAllowPrivateLanPlaintext() async {
-        let controller = self.makeController()
+        let controller = makeController()

        #expect(controller._test_resolveManualUseTLS(host: "openclaw.local", useTLS: false) == false)
        #expect(controller._test_resolveManualUseTLS(host: "192.168.1.20", useTLS: false) == false)
@@ -131,7 +131,7 @@ import Testing
    }

    @Test @MainActor func manualDefaultPortUses443OnlyForTailnetTLSHosts() async {
-        let controller = self.makeController()
+        let controller = makeController()

        #expect(controller._test_resolveManualPort(host: "gateway.example.com", port: 0, useTLS: true) == 18789)
        #expect(controller._test_resolveManualPort(host: "device.sample.ts.net", port: 0, useTLS: true) == 443)
--- a/apps/ios/Tests/GatewaySettingsStoreTests.swift
+++ b/apps/ios/Tests/GatewaySettingsStoreTests.swift
@@ -9,9 +9,11 @@ private struct KeychainEntry: Hashable {

 private let gatewayService = "ai.openclaw.gateway"
 private let nodeService = "ai.openclaw.node"
+private let talkService = "ai.openclaw.talk"
 private let instanceIdEntry = KeychainEntry(service: nodeService, account: "instanceId")
 private let preferredGatewayEntry = KeychainEntry(service: gatewayService, account: "preferredStableID")
 private let lastGatewayEntry = KeychainEntry(service: gatewayService, account: "lastDiscoveredStableID")
+private let talkAcmeProviderEntry = KeychainEntry(service: talkService, account: "provider.apiKey.acme")
 private let bootstrapDefaultsKeys = [
    "node.instanceId",
    "gateway.preferredStableID",
@@ -185,4 +187,17 @@ private func withLastGatewaySnapshot(_ body: () -> Void) {
            #expect(defaults.object(forKey: "gateway.last.host") == nil)
        }
    }
+
+    @Test func talkProviderApiKey_genericRoundTrip() {
+        let keychainSnapshot = snapshotKeychain([talkAcmeProviderEntry])
+        defer { restoreKeychain(keychainSnapshot) }
+
+        _ = KeychainStore.delete(service: talkService, account: talkAcmeProviderEntry.account)
+
+        GatewaySettingsStore.saveTalkProviderApiKey("acme-key", provider: "acme")
+        #expect(GatewaySettingsStore.loadTalkProviderApiKey(provider: "acme") == "acme-key")
+
+        GatewaySettingsStore.saveTalkProviderApiKey(nil, provider: "acme")
+        #expect(GatewaySettingsStore.loadTalkProviderApiKey(provider: "acme") == nil)
+    }
 }
--- a/apps/ios/Tests/OnboardingStateStoreTests.swift
+++ b/apps/ios/Tests/OnboardingStateStoreTests.swift
@@ -56,6 +56,12 @@ import Testing
            appModel: appModel,
            defaults: defaults,
            hasSavedGatewayConnection: false))
+
+        OnboardingStateStore.markIncomplete(defaults: defaults)
+        #expect(OnboardingStateStore.shouldPresentOnLaunch(
+            appModel: appModel,
+            defaults: defaults,
+            hasSavedGatewayConnection: false))
    }

    @Test func firstRunIntroDefaultsToVisibleThenPersists() {
--- a/apps/ios/Tests/RootTabsSourceGuardTests.swift
+++ b/apps/ios/Tests/RootTabsSourceGuardTests.swift
@@ -153,9 +153,13 @@ import Testing
        let destinationsSource = try String(contentsOf: Self.agentProTabDestinationsSourceURL(), encoding: .utf8)
        let nodesSource = try String(contentsOf: Self.agentProNodesDestinationSourceURL(), encoding: .utf8)
        let dreamingSource = try String(contentsOf: Self.agentProDreamingDestinationSourceURL(), encoding: .utf8)
+        let directDestination = try Self.extract(
+            source,
+            from: "private func directDestination(for route: AgentRoute) -> some View",
+            to: "private func applyInitialRouteIfNeeded()")

-        #expect(!source.contains("ToolbarItem"))
-        #expect(source.contains("self.directHeaderLeadingAction(for: route) == nil ? .visible : .hidden"))
+        #expect(!directDestination.contains("ToolbarItem"))
+        #expect(directDestination.contains("self.directHeaderLeadingAction(for: route) == nil ? .visible : .hidden"))
        #expect(destinationsSource.contains("self.directHeaderLeadingAction(for: .instances)"))
        #expect(destinationsSource.contains("self.directHeaderLeadingAction(for: .dreaming)"))
        #expect(destinationsSource.contains("self.directHeader(\n                        for: .usage"))
@@ -494,6 +498,7 @@ import Testing
        let chatSource = try String(contentsOf: Self.chatProTabSourceURL(), encoding: .utf8)
        let docsSource = try String(contentsOf: Self.docsSourceURL(), encoding: .utf8)
        let settingsSource = try String(contentsOf: Self.settingsProTabSectionsSourceURL(), encoding: .utf8)
+        let channelsSource = try String(contentsOf: Self.channelsSourceURL(), encoding: .utf8)

        #expect(rootSource.matches(of: /openSettings: \{ self\.selectSidebarDestination\(\.gateway\) \}/).count >= 2)
        #expect(rootSource.matches(of: /gatewayAction: \{ self\.selectSidebarDestination\(\.gateway\) \}/).count == 1)
@@ -517,7 +522,9 @@ import Testing
        #expect(rootSource.contains("SettingsProTab(initialRoute: self.selectedSidebarDestination.settingsRoute)"))
        #expect(settingsSource.contains("title: \"Channels / Integrations\""))
        #expect(settingsSource.contains("route: .channels"))
+        #expect(channelsSource.contains("let gatewayAction: (() -> Void)?"))
        #expect(docsSource.contains(".accessibilityHint(\"Opens Settings / Gateway\")"))
+        #expect(channelsSource.contains(".accessibilityHint(\"Opens Settings / Gateway\")"))
    }

    @Test func gatewaySettingsKeepsPairingTrustDiagnosticsAndTailscaleActions() throws {
--- a/apps/ios/Tests/SettingsNetworkingHelpersTests.swift
+++ b/apps/ios/Tests/SettingsNetworkingHelpersTests.swift
@@ -29,4 +29,50 @@ import Testing
                talkConfigLoaded: true,
                notificationStatusText: "Allowed") == 0)
    }
+
+    @Test func parseHostPortParsesIPv4() {
+        #expect(SettingsNetworkingHelpers.parseHostPort(from: "127.0.0.1:8080") == .init(host: "127.0.0.1", port: 8080))
+    }
+
+    @Test func parseHostPortParsesHostnameAndTrims() {
+        #expect(SettingsNetworkingHelpers.parseHostPort(from: "  example.com:80 \n") == .init(
+            host: "example.com",
+            port: 80))
+    }
+
+    @Test func parseHostPortParsesBracketedIPv6() {
+        #expect(
+            SettingsNetworkingHelpers.parseHostPort(from: "[2001:db8::1]:443") ==
+                .init(host: "2001:db8::1", port: 443))
+    }
+
+    @Test func parseHostPortRejectsMissingPort() {
+        #expect(SettingsNetworkingHelpers.parseHostPort(from: "example.com") == nil)
+        #expect(SettingsNetworkingHelpers.parseHostPort(from: "[2001:db8::1]") == nil)
+    }
+
+    @Test func parseHostPortRejectsInvalidPort() {
+        #expect(SettingsNetworkingHelpers.parseHostPort(from: "example.com:lol") == nil)
+        #expect(SettingsNetworkingHelpers.parseHostPort(from: "[2001:db8::1]:lol") == nil)
+    }
+
+    @Test func httpURLStringFormatsIPv4AndPort() {
+        #expect(SettingsNetworkingHelpers
+            .httpURLString(host: "127.0.0.1", port: 8080, fallback: "fallback") == "http://127.0.0.1:8080")
+    }
+
+    @Test func httpURLStringBracketsIPv6() {
+        #expect(SettingsNetworkingHelpers
+            .httpURLString(host: "2001:db8::1", port: 8080, fallback: "fallback") == "http://[2001:db8::1]:8080")
+    }
+
+    @Test func httpURLStringLeavesAlreadyBracketedIPv6() {
+        #expect(SettingsNetworkingHelpers
+            .httpURLString(host: "[2001:db8::1]", port: 8080, fallback: "fallback") == "http://[2001:db8::1]:8080")
+    }
+
+    @Test func httpURLStringFallsBackWhenMissingHostOrPort() {
+        #expect(SettingsNetworkingHelpers.httpURLString(host: nil, port: 80, fallback: "x") == "http://x")
+        #expect(SettingsNetworkingHelpers.httpURLString(host: "example.com", port: nil, fallback: "y") == "http://y")
+    }
 }
--- a/apps/ios/Tests/SwiftUIRenderSmokeTests.swift
+++ b/apps/ios/Tests/SwiftUIRenderSmokeTests.swift
@@ -103,6 +103,7 @@ import UIKit
            AnyView(CommandCenterTab(openChat: {}, openSettings: {})),
            AnyView(IPadActivityScreen(openChat: {}, openSettings: {})),
            AnyView(OpenClawDocsScreen()),
+            AnyView(SettingsChannelsScreen()),
            AnyView(IPadWorkboardScreen(openChat: {}, openSettings: {})),
            AnyView(IPadSkillWorkshopScreen(openSettings: {})),
            AnyView(AgentProTab(directRoute: .agents)),
--- a/apps/macos/Package.resolved
+++ b/apps/macos/Package.resolved
@@ -1,5 +1,5 @@
 {
-  "originHash" : "ae9f37f50cff0d32d189e60948f61e2fa1704e997a6ef4ad5e37f6a11c165ea4",
+  "originHash" : "035a4fe955164c62c1628de75f6437a14443a947eea2a1b0176ba484d6fde6f8",
  "pins" : [
    {
      "identity" : "axorcist",
@@ -42,8 +42,8 @@
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/steipete/Peekaboo.git",
      "state" : {
-        "revision" : "ee0e3185431788dad533ffca77cd75315aa3d26f",
-        "version" : "3.4.1"
+        "revision" : "3a56ed2aa769bfefb5a78722dfce3c34088cfba1",
+        "version" : "3.4.0"
      }
    },
    {
@@ -51,8 +51,8 @@
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/sparkle-project/Sparkle",
      "state" : {
-        "revision" : "d46d456107feacc80711b21847b82b07bd9fb46e",
-        "version" : "2.9.3"
+        "revision" : "6276ba2b404829d139c45ff98427cf90e2efc59b",
+        "version" : "2.9.2"
      }
    },
    {
@@ -78,8 +78,8 @@
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/apple/swift-log.git",
      "state" : {
-        "revision" : "92448c359f00ebe36ae97d3bd9086f13c7692b5a",
-        "version" : "1.13.2"
+        "revision" : "2aed77ae5ec9a86d8fe42c12275e4c2653a286ee",
+        "version" : "1.13.1"
      }
    },
    {
--- a/apps/macos/Package.swift
+++ b/apps/macos/Package.swift
@@ -19,7 +19,7 @@ let package = Package(
        .package(url: "https://github.com/swiftlang/swift-subprocess.git", from: "0.4.0"),
        .package(url: "https://github.com/apple/swift-log.git", from: "1.10.1"),
        .package(url: "https://github.com/sparkle-project/Sparkle", from: "2.9.0"),
-        .package(url: "https://github.com/steipete/Peekaboo.git", exact: "3.4.1"),
+        .package(url: "https://github.com/steipete/Peekaboo.git", exact: "3.4.0"),
        .package(path: "../shared/OpenClawKit"),
        .package(path: "../swabble"),
    ],
--- a/apps/macos/Sources/OpenClaw/VoiceWakeOverlayController+Window.swift
+++ b/apps/macos/Sources/OpenClaw/VoiceWakeOverlayController+Window.swift
@@ -92,13 +92,7 @@ extension VoiceWakeOverlayController {

        let contentHeight = ceil(used.height + (textInset.height * 2))
        let total = contentHeight + self.verticalPadding * 2
-        // Defer the overflow state mutation to break the SwiftUI onChange → measuredHeight →
-        // isOverflowing → re-render → onChange synchronous render loop (fixes #43480).
-        let overflowing = total > self.maxHeight
-        DispatchQueue.main.async { [weak self] in
-            guard let self, self.model.isOverflowing != overflowing else { return }
-            self.model.isOverflowing = overflowing
-        }
+        self.model.isOverflowing = total > self.maxHeight
        return max(self.minHeight, min(total, self.maxHeight))
    }

--- a/apps/macos/Tests/OpenClawIPCTests/ExecApprovalsStoreRefactorTests.swift
+++ b/apps/macos/Tests/OpenClawIPCTests/ExecApprovalsStoreRefactorTests.swift
@@ -4,64 +4,14 @@ import Testing

@Suite(.serialized)
 struct ExecApprovalsStoreRefactorTests {
-    private var realTemporaryDirectory: URL {
-        let path = FileManager().temporaryDirectory.path
-        if path.hasPrefix("/var/") {
-            return URL(fileURLWithPath: "/private\(path)", isDirectory: true)
-        }
-        return FileManager().temporaryDirectory.resolvingSymlinksInPath()
-    }
-
-    private func withLockedEnv(
-        _ values: [String: String?],
-        _ body: () async throws -> Void) async throws
-    {
-        func restoreEnv(_ values: [String: String?]) {
-            for (key, value) in values {
-                if let value {
-                    setenv(key, value, 1)
-                } else {
-                    unsetenv(key)
-                }
-            }
-        }
-
-        await TestIsolationLock.shared.acquire()
-        var previousEnv: [String: String?] = [:]
-        for (key, value) in values {
-            previousEnv[key] = getenv(key).map { String(cString: $0) }
-            if let value {
-                setenv(key, value, 1)
-            } else {
-                unsetenv(key)
-            }
-        }
-
-        do {
-            try await body()
-            restoreEnv(previousEnv)
-            await TestIsolationLock.shared.release()
-        } catch {
-            restoreEnv(previousEnv)
-            await TestIsolationLock.shared.release()
-            throw error
-        }
-    }
-
    private func withTempStateDir(
        _ body: @escaping @Sendable (URL) async throws -> Void) async throws
    {
-        let root = self.realTemporaryDirectory
+        let stateDir = FileManager().temporaryDirectory
            .appendingPathComponent("openclaw-state-\(UUID().uuidString)", isDirectory: true)
-        let home = root.appendingPathComponent("home", isDirectory: true)
-        let stateDir = root.appendingPathComponent("state", isDirectory: true)
-        defer { try? FileManager().removeItem(at: root) }
-        try Self.seedCurrentApprovalsFile(in: stateDir)
+        defer { try? FileManager().removeItem(at: stateDir) }

-        try await self.withLockedEnv([
-            "OPENCLAW_HOME": home.path,
-            "OPENCLAW_STATE_DIR": stateDir.path,
-        ]) {
+        try await TestIsolation.withEnvValues(["OPENCLAW_STATE_DIR": stateDir.path]) {
            try await body(stateDir)
        }
    }
@@ -69,13 +19,13 @@ struct ExecApprovalsStoreRefactorTests {
    private func withTempHomeAndStateDir(
        _ body: @escaping @Sendable (URL, URL) async throws -> Void) async throws
    {
-        let root = self.realTemporaryDirectory
+        let root = FileManager().temporaryDirectory
            .appendingPathComponent("openclaw-home-state-\(UUID().uuidString)", isDirectory: true)
        let home = root.appendingPathComponent("home", isDirectory: true)
        let stateDir = root.appendingPathComponent("state", isDirectory: true)
        defer { try? FileManager().removeItem(at: root) }

-        try await self.withLockedEnv([
+        try await TestIsolation.withEnvValues([
            "OPENCLAW_HOME": home.path,
            "OPENCLAW_STATE_DIR": stateDir.path,
        ]) {
@@ -197,19 +147,4 @@ struct ExecApprovalsStoreRefactorTests {
        }
        return identifier
    }
-
-    private static func seedCurrentApprovalsFile(in stateDir: URL) throws {
-        try FileManager().createDirectory(at: stateDir, withIntermediateDirectories: true)
-        let file = ExecApprovalsFile(
-            version: 1,
-            socket: ExecApprovalsSocketConfig(
-                path: stateDir.appendingPathComponent("exec-approvals.sock").path,
-                token: "test-token"),
-            defaults: nil,
-            agents: [:])
-        let encoder = JSONEncoder()
-        encoder.outputFormatting = [.prettyPrinted, .sortedKeys]
-        try encoder.encode(file)
-            .write(to: stateDir.appendingPathComponent("exec-approvals.json"))
-    }
 }
--- a/apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift
@@ -46,17 +46,6 @@ public enum NodePresenceAliveReason: String, Codable, Sendable {
    case connect = "connect"
 }

-public enum SessionFileKind: String, Codable, Sendable {
-    case modified = "modified"
-    case read = "read"
-}
-
-public enum SessionFileRelevance: String, Codable, Sendable {
-    case modified = "modified"
-    case read = "read"
-    case mixed = "mixed"
-}
-
 public struct ConnectParams: Codable, Sendable {
    public let minprotocol: Int
    public let maxprotocol: Int
@@ -1767,7 +1756,6 @@ public struct SessionsResolveParams: Codable, Sendable {
    public let spawnedby: String?
    public let includeglobal: Bool?
    public let includeunknown: Bool?
-    public let allowmissing: Bool?

    public init(
        key: String?,
@@ -1776,8 +1764,7 @@ public struct SessionsResolveParams: Codable, Sendable {
        agentid: String? = nil,
        spawnedby: String?,
        includeglobal: Bool?,
-        includeunknown: Bool?,
-        allowmissing: Bool? = nil)
+        includeunknown: Bool?)
    {
        self.key = key
        self.sessionid = sessionid
@@ -1786,7 +1773,6 @@ public struct SessionsResolveParams: Codable, Sendable {
        self.spawnedby = spawnedby
        self.includeglobal = includeglobal
        self.includeunknown = includeunknown
-        self.allowmissing = allowmissing
    }

    private enum CodingKeys: String, CodingKey {
@@ -1797,7 +1783,6 @@ public struct SessionsResolveParams: Codable, Sendable {
        case spawnedby = "spawnedBy"
        case includeglobal = "includeGlobal"
        case includeunknown = "includeUnknown"
-        case allowmissing = "allowMissing"
    }
 }

@@ -2089,204 +2074,6 @@ public struct SessionsCompactionRestoreResult: Codable, Sendable {
    }
 }

-public struct SessionFileBrowserEntry: Codable, Sendable {
-    public let path: String
-    public let name: String
-    public let kind: AnyCodable
-    public let sessionkind: SessionFileRelevance?
-    public let size: Int?
-    public let updatedatms: Int?
-
-    public init(
-        path: String,
-        name: String,
-        kind: AnyCodable,
-        sessionkind: SessionFileRelevance?,
-        size: Int?,
-        updatedatms: Int?)
-    {
-        self.path = path
-        self.name = name
-        self.kind = kind
-        self.sessionkind = sessionkind
-        self.size = size
-        self.updatedatms = updatedatms
-    }
-
-    private enum CodingKeys: String, CodingKey {
-        case path
-        case name
-        case kind
-        case sessionkind = "sessionKind"
-        case size
-        case updatedatms = "updatedAtMs"
-    }
-}
-
-public struct SessionFileBrowserResult: Codable, Sendable {
-    public let path: String
-    public let parentpath: String?
-    public let search: String?
-    public let entries: [SessionFileBrowserEntry]
-    public let truncated: Bool?
-
-    public init(
-        path: String,
-        parentpath: String?,
-        search: String?,
-        entries: [SessionFileBrowserEntry],
-        truncated: Bool?)
-    {
-        self.path = path
-        self.parentpath = parentpath
-        self.search = search
-        self.entries = entries
-        self.truncated = truncated
-    }
-
-    private enum CodingKeys: String, CodingKey {
-        case path
-        case parentpath = "parentPath"
-        case search
-        case entries
-        case truncated
-    }
-}
-
-public struct SessionFileEntry: Codable, Sendable {
-    public let path: String
-    public let name: String
-    public let kind: SessionFileKind
-    public let missing: Bool
-    public let size: Int?
-    public let updatedatms: Int?
-    public let content: String?
-
-    public init(
-        path: String,
-        name: String,
-        kind: SessionFileKind,
-        missing: Bool,
-        size: Int?,
-        updatedatms: Int?,
-        content: String?)
-    {
-        self.path = path
-        self.name = name
-        self.kind = kind
-        self.missing = missing
-        self.size = size
-        self.updatedatms = updatedatms
-        self.content = content
-    }
-
-    private enum CodingKeys: String, CodingKey {
-        case path
-        case name
-        case kind
-        case missing
-        case size
-        case updatedatms = "updatedAtMs"
-        case content
-    }
-}
-
-public struct SessionsFilesListParams: Codable, Sendable {
-    public let sessionkey: String
-    public let agentid: String?
-    public let path: String?
-    public let search: String?
-
-    public init(
-        sessionkey: String,
-        agentid: String? = nil,
-        path: String?,
-        search: String?)
-    {
-        self.sessionkey = sessionkey
-        self.agentid = agentid
-        self.path = path
-        self.search = search
-    }
-
-    private enum CodingKeys: String, CodingKey {
-        case sessionkey = "sessionKey"
-        case agentid = "agentId"
-        case path
-        case search
-    }
-}
-
-public struct SessionsFilesListResult: Codable, Sendable {
-    public let sessionkey: String
-    public let root: String?
-    public let files: [SessionFileEntry]
-    public let browser: SessionFileBrowserResult?
-
-    public init(
-        sessionkey: String,
-        root: String?,
-        files: [SessionFileEntry],
-        browser: SessionFileBrowserResult?)
-    {
-        self.sessionkey = sessionkey
-        self.root = root
-        self.files = files
-        self.browser = browser
-    }
-
-    private enum CodingKeys: String, CodingKey {
-        case sessionkey = "sessionKey"
-        case root
-        case files
-        case browser
-    }
-}
-
-public struct SessionsFilesGetParams: Codable, Sendable {
-    public let sessionkey: String
-    public let path: String
-    public let agentid: String?
-
-    public init(
-        sessionkey: String,
-        path: String,
-        agentid: String? = nil)
-    {
-        self.sessionkey = sessionkey
-        self.path = path
-        self.agentid = agentid
-    }
-
-    private enum CodingKeys: String, CodingKey {
-        case sessionkey = "sessionKey"
-        case path
-        case agentid = "agentId"
-    }
-}
-
-public struct SessionsFilesGetResult: Codable, Sendable {
-    public let sessionkey: String
-    public let root: String?
-    public let file: SessionFileEntry
-
-    public init(
-        sessionkey: String,
-        root: String?,
-        file: SessionFileEntry)
-    {
-        self.sessionkey = sessionkey
-        self.root = root
-        self.file = file
-    }
-
-    private enum CodingKeys: String, CodingKey {
-        case sessionkey = "sessionKey"
-        case root
-        case file
-    }
-}
-
 public struct SessionsCreateParams: Codable, Sendable {
    public let key: String?
    public let agentid: String?
--- a/docs/.generated/config-baseline.sha256
+++ b/docs/.generated/config-baseline.sha256
@@ -1,4 +1,4 @@
-0485ba902d2afd89d2c41cde7180d0cec2900b2db6804b9f97d42b7d85cd3af5  config-baseline.json
-72bb80be618406f3337eaa2560d2559a35e49bd29576de8dd4a3aec1a6a94d92  config-baseline.core.json
-1218f5555541b61bd5ddcac6441f15061b44789e2471d4ffecbe3059777c55c1  config-baseline.channel.json
-a14ac4261e98403d1a7e047070e6f151938444e27382b860315bd0c74fda4861  config-baseline.plugin.json
+37b56008790612b8293930b6a29d74490e98daa90f954fca9d133fcc28645c4c  config-baseline.json
+75b64c2ea081369ba4306493313a8a4cd48b784145f92fed995e6b77a5df350d  config-baseline.core.json
+17d64c9799dfa239a49493413f1100bdd9237e9b67aaeae331a4604dbc227023  config-baseline.channel.json
+f9d1f50bfa8403891e76cd99dc1357cdece4a71e8ae18a39b190c2a14e6f97b0  config-baseline.plugin.json
--- a/docs/.generated/plugin-sdk-api-baseline.sha256
+++ b/docs/.generated/plugin-sdk-api-baseline.sha256
@@ -1,2 +1,2 @@
-b121079a0912b3051a9fc319a675ef920da9db23364ca0c0ccd3c9f0a05a3a49  plugin-sdk-api-baseline.json
-61a0108da670e0f44ba4b861c002eb6eaa5cf63e392d4e7e7de42044cbe7d115  plugin-sdk-api-baseline.jsonl
+2c783beea6b3cda3d79060739a923f9f39e7e8b5942123dd6b08a09143a587ca  plugin-sdk-api-baseline.json
+0b33af2cffb42abb46682fb71c8f214da220793f13d10a34d332e75ff99e8ce9  plugin-sdk-api-baseline.jsonl
--- a/docs/automation/tasks.md
+++ b/docs/automation/tasks.md
@@ -311,9 +311,7 @@ $OPENCLAW_STATE_DIR/tasks/runs.sqlite

 The registry loads into memory at gateway start and syncs writes to SQLite for durability across restarts.
 The Gateway keeps the SQLite write-ahead log bounded by using SQLite's default
-autocheckpoint threshold plus periodic `PASSIVE` checkpoints. Shutdown and
-explicit maintenance checkpoints still use `TRUNCATE` so normal closes can
-reclaim WAL space without making the background sweeper wait on active readers.
+autocheckpoint threshold plus periodic and shutdown `TRUNCATE` checkpoints.

 ### Automatic maintenance

--- a/docs/channels/broadcast-groups.md
+++ b/docs/channels/broadcast-groups.md
@@ -161,20 +161,17 @@ Control how agents process messages:
  <Step title="Incoming message arrives">
    A WhatsApp group or DM message arrives.
  </Step>
-  <Step title="Route and admission">
-    OpenClaw applies channel allowlists, group activation rules, and configured ACP binding ownership.
-  </Step>
  <Step title="Broadcast check">
-    If no configured ACP binding owns the route, OpenClaw checks whether the peer ID is in `broadcast`.
+    System checks if peer ID is in `broadcast`.
  </Step>
-  <Step title="If broadcast applies">
+  <Step title="If in broadcast list">
    - All listed agents process the message.
    - Each agent has its own session key and isolated context.
    - Agents process in parallel (default) or sequentially.

  </Step>
-  <Step title="If broadcast does not apply">
-    OpenClaw dispatches the ordinary route or the configured ACP session route selected during routing.
+  <Step title="If not in broadcast list">
+    Normal routing applies (first matching binding).
  </Step>
 </Steps>

@@ -325,7 +322,7 @@ Broadcast groups work alongside existing routing:
 - `GROUP_B`: agent1 AND agent2 respond (broadcast).

 <Note>
-**Precedence:** `broadcast` takes priority over ordinary route bindings. Configured ACP bindings (`bindings[].type="acp"`) are exclusive: when one matches, OpenClaw dispatches to the configured ACP session instead of fan-out broadcast.
+**Precedence:** `broadcast` takes priority over `bindings`.
 </Note>

 ## Troubleshooting
@@ -346,9 +343,9 @@ Broadcast groups work alongside existing routing:

  </Accordion>
  <Accordion title="Only one agent responding">
-    **Cause:** Peer ID might be in ordinary route bindings but not `broadcast`, or it might match an exclusive configured ACP binding.
+    **Cause:** Peer ID might be in `bindings` but not `broadcast`.

-    **Fix:** Add ordinary route-bound peers to broadcast config, or remove/change the configured ACP binding if fan-out broadcast is desired.
+    **Fix:** Add to broadcast config or remove from bindings.

  </Accordion>
  <Accordion title="Performance issues">
--- a/docs/channels/feishu.md
+++ b/docs/channels/feishu.md
@@ -416,9 +416,7 @@ Enable `dynamicAgentCreation` to automatically create **isolated agent instances
 This is essential for public bots where you want each user to have their own private AI assistant experience.

 <Note>
-Dynamic bindings include the normalized Feishu `accountId`, so default and named accounts route each sender to the correct dynamic agent.
-
-If a named account created an unscoped dynamic agent on an older release, that legacy agent still counts toward `maxAgents`. Confirm that it is not used by the default account before removing it, or temporarily increase `maxAgents`; OpenClaw cannot safely infer which account owns ambiguous legacy state.
+**Account limitation**: `dynamicAgentCreation` currently works with the **default Feishu account only**. Named/multi-account setups are not yet fully supported — dynamic bindings are created without `accountId`, so messages to named accounts may still route to `agent:main`. Track progress in [Issue #42837](https://github.com/openclaw/openclaw/issues/42837).
 </Note>

 ### Quick setup
@@ -449,7 +447,7 @@ If a named account created an unscoped dynamic agent on an older release, that l

 When a new user sends their first DM:

-1. The channel generates a unique `agentId`: `feishu-{user_open_id}` for the default account, or a bounded account-prefixed identity digest for a named account
+1. The channel generates a unique `agentId` = `feishu-{user_open_id}`
 2. Creates a new workspace at `workspaceTemplate` path
 3. Registers the agent and creates a binding for this user
 4. The workspace helper ensures bootstrap files (`AGENTS.md`, `SOUL.md`, `USER.md`, etc.) on first access
@@ -466,23 +464,22 @@ When a new user sends their first DM:

 Template variables:

- `{agentId}` - the generated agent ID (e.g., `feishu-ou_xxxxxx` or `feishu-support-<identity_digest>`)
+- `{agentId}` - the generated agent ID (e.g., `feishu-ou_xxxxxx`)
 - `{userId}` - the sender's Feishu open_id (e.g., `ou_xxxxxx`)

 ### Session scope

 `session.dmScope` controls how direct messages are mapped to agent sessions. This is a **global setting** that affects all channels.

-| Value                        | Behavior                                                            | Best for                                                           |
-| ---------------------------- | ------------------------------------------------------------------- | ------------------------------------------------------------------ |
-| `"main"`                     | Each user's DM maps to their agent's main session                   | Single-user bots where you want `USER.md` / `SOUL.md` to auto-load |
-| `"per-channel-peer"`         | Each (channel + user) combination gets a separate session           | Public multi-user bots needing stronger isolation                  |
-| `"per-account-channel-peer"` | Each (account + channel + user) combination gets a separate session | Multi-account bots needing account-level session isolation         |
+| Value                | Behavior                                                  | Best for                                                           |
+| -------------------- | --------------------------------------------------------- | ------------------------------------------------------------------ |
+| `"main"`             | Each user's DM maps to their agent's main session         | Single-user bots where you want `USER.md` / `SOUL.md` to auto-load |
+| `"per-channel-peer"` | Each (channel + user) combination gets a separate session | Public multi-user bots needing stronger isolation                  |

 **Tradeoff**: Using `"main"` enables automatic bootstrap file loading (`USER.md`, `SOUL.md`, `MEMORY.md`), but means all DMs across all channels share the same session key pattern. For public multi-user bots where isolation matters more than bootstrap auto-loading, consider `"per-channel-peer"` and manage bootstrap files manually.

 <Note>
-Use `"per-account-channel-peer"` when named Feishu accounts should keep separate sessions for the same sender. Dynamic bindings preserve the account scope.
+`"per-account-channel-peer"` is not recommended with `dynamicAgentCreation` because dynamic bindings are created without `accountId`. Use it only with manual bindings.
 </Note>

 ```json5
--- a/docs/channels/groups.md
+++ b/docs/channels/groups.md
@@ -586,7 +586,7 @@ Group inbound payloads set:
 - `WasMentioned` (mention gating result)
 - Telegram forum topics also include `MessageThreadId` and `IsForum`.

-The agent system prompt includes a group intro on the first turn of a new group session. It reminds the model to respond like a human, minimize empty lines and follow normal chat spacing, and avoid typing literal `\n` sequences. Non-Telegram groups also discourage Markdown tables; Telegram rich-text guidance comes from the Telegram channel prompt. Channel-sourced group names and participant labels are rendered as fenced untrusted metadata, not inline system instructions.
+The agent system prompt includes a group intro on the first turn of a new group session. It reminds the model to respond like a human, avoid Markdown tables, minimize empty lines and follow normal chat spacing, and avoid typing literal `\n` sequences. Channel-sourced group names and participant labels are rendered as fenced untrusted metadata, not inline system instructions.

 ## iMessage specifics

--- a/docs/channels/telegram.md
+++ b/docs/channels/telegram.md
@@ -311,6 +311,7 @@ curl "https://api.telegram.org/bot<bot_token>/getUpdates"

    - direct chats: preview message + `editMessageText`
    - groups/topics: preview message + `editMessageText`
+    - direct-chat tool progress: optional native `sendMessageDraft` status preview when enabled and supported

    Requirement:

@@ -319,10 +320,29 @@ curl "https://api.telegram.org/bot<bot_token>/getUpdates"
    - `streaming.preview.toolProgress` controls whether tool/progress updates reuse the same edited preview message (default: `true` when preview streaming is active)
    - `streaming.preview.commandText` controls command/exec detail inside those tool-progress lines: `raw` (default, preserves released behavior) or `status` (tool label only)
    - `streaming.progress.commentary` (default: `false`) opts into assistant commentary/preamble text in the temporary progress draft
-    - legacy `channels.telegram.streamMode`, boolean `streaming` values, and retired native draft preview keys are detected; run `openclaw doctor --fix` to migrate them to current streaming config
+    - legacy `channels.telegram.streamMode` and boolean `streaming` values are detected; run `openclaw doctor --fix` to migrate them to `channels.telegram.streaming.mode`

    Tool-progress preview updates are the short status lines shown while tools run, for example command execution, file reads, planning updates, patch summaries, or Codex preamble/commentary text in Codex app-server mode. Telegram keeps these enabled by default to match released OpenClaw behavior from `v2026.4.22` and later.

+    Direct chats can use native Telegram drafts for these tool-progress lines without persisting tool chatter into chat history. Native drafts stop before answer text starts; final answers stay on the normal persistent delivery path. This lane is off by default and should be gated to trusted DM IDs first:
+
+    ```json
+    {
+      "channels": {
+        "telegram": {
+          "streaming": {
+            "mode": "partial",
+            "preview": {
+              "toolProgress": true,
+              "nativeToolProgress": true,
+              "nativeToolProgressAllowFrom": ["123456789"]
+            }
+          }
+        }
+      }
+    }
+    ```
+
    To keep the edited preview for answer text but hide tool-progress lines, set:

    ```json
@@ -400,16 +420,14 @@ curl "https://api.telegram.org/bot<bot_token>/getUpdates"

  </Accordion>

-  <Accordion title="Rich message formatting">
-    Outbound text uses Telegram rich messages.
+  <Accordion title="Formatting and HTML fallback">
+    Outbound text uses Telegram `parse_mode: "HTML"`.

-    - Markdown text is sent as rich Markdown without converting it to HTML.
-    - Explicit HTML payloads are sent as rich HTML.
-    - Media captions still use Telegram HTML captions because rich messages do not replace captions.
+    - Markdown-ish text is rendered to Telegram-safe HTML.
+    - Supported Telegram HTML tags are preserved; unsupported HTML is escaped.
+    - If Telegram rejects parsed HTML, OpenClaw retries as plain text.

-    Long rich text is split automatically across Telegram's rich text and rich block limits. Tables over Telegram's column limit are sent as code blocks.
-
-    Link previews are enabled by default. `channels.telegram.linkPreview: false` skips automatic entity detection for rich text.
+    Link previews are enabled by default and can be disabled with `channels.telegram.linkPreview: false`.

  </Accordion>

--- a/docs/channels/whatsapp.md
+++ b/docs/channels/whatsapp.md
@@ -164,7 +164,7 @@ handoff path over manual terminal capture.

 - Gateway owns the WhatsApp socket and reconnect loop.
 - The reconnect watchdog uses WhatsApp Web transport activity, not only inbound app-message volume, so a quiet linked-device session is not restarted solely because nobody has sent a message recently. A longer application-silence cap still forces a reconnect if transport frames keep arriving but no application messages are handled for the watchdog window; after a transient reconnect for a recently active session, that application-silence check uses the normal message timeout for the first recovery window.
- Baileys socket timings are explicit under `web.whatsapp.*`: `keepAliveIntervalMs` controls WhatsApp Web application pings, `connectTimeoutMs` controls the opening handshake timeout, and `defaultQueryTimeoutMs` controls Baileys query waits plus OpenClaw's local outbound send/presence operation bound.
+- Baileys socket timings are explicit under `web.whatsapp.*`: `keepAliveIntervalMs` controls WhatsApp Web application pings, `connectTimeoutMs` controls the opening handshake timeout, and `defaultQueryTimeoutMs` controls Baileys query timeouts.
 - Outbound sends require an active WhatsApp listener for the target account.
 - Group sends attach native mention metadata for `@+<digits>` and `@<digits>` tokens in text and media captions when the token matches current WhatsApp participant metadata, including LID-backed groups.
 - Status and broadcast chats are ignored (`@status`, `@broadcast`).
@@ -319,40 +319,6 @@ content and identifiers.
  </Tab>
 </Tabs>

-## Configured ACP bindings
-
-WhatsApp supports persistent ACP bindings with top-level `bindings[]` entries:
-
-```json5
-{
-  bindings: [
-    {
-      type: "acp",
-      agentId: "codex",
-      match: {
-        channel: "whatsapp",
-        accountId: "work",
-        peer: { kind: "direct", id: "+15555550123" },
-      },
-    },
-    {
-      type: "acp",
-      agentId: "codex",
-      match: {
-        channel: "whatsapp",
-        accountId: "work",
-        peer: { kind: "group", id: "120363424282127706@g.us" },
-      },
-    },
-  ],
-}
-```
-
- Direct chats match E.164 numbers such as `+15555550123`.
- Groups match WhatsApp group JIDs such as `120363424282127706@g.us`.
- Group allowlists, sender policy, and mention or activation gating run before OpenClaw ensures the configured ACP session exists.
- A matched configured ACP binding owns the route. WhatsApp broadcast groups do not fan out that turn to ordinary WhatsApp sessions.
-
 ## Personal-number and self-chat behavior

 When the linked self number is also present in `allowFrom`, WhatsApp self-chat safeguards activate:
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -200,19 +200,13 @@ from `release/YYYY.M.PATCH` or `main` after the release tag exists and after the
 OpenClaw npm preflight has succeeded. It verifies `pnpm plugins:sync:check`,
 dispatches `Plugin NPM Release` for all publishable plugin packages, dispatches
 `Plugin ClawHub Release` for the same release SHA, and only then dispatches
-`OpenClaw NPM Release` with the saved `preflight_run_id`. Stable publish also
-requires an exact `windows_node_tag`; the workflow verifies the Windows source
-release and compares its x64/ARM64 installers with the candidate-approved
-`windows_node_installer_digests` input before any publish child, then promotes
-and verifies those same pinned installer digests plus the exact companion asset
-and checksum contract before publishing the GitHub release draft.
+`OpenClaw NPM Release` with the saved `preflight_run_id`.

 ```bash
 gh workflow run openclaw-release-publish.yml \
  --ref release/YYYY.M.PATCH \
  -f tag=vYYYY.M.PATCH-beta.N \
  -f preflight_run_id=<successful-openclaw-npm-preflight-run-id> \
-  -f full_release_validation_run_id=<successful-full-release-validation-run-id> \
  -f npm_dist_tag=beta
 ```

@@ -458,7 +452,7 @@ For normal PRs, follow scoped CI/check evidence instead of treating parity as a

 The `CodeQL` workflow is intentionally a narrow first-pass security scanner, not the full repository sweep. Daily, manual, and non-draft pull request guard runs scan Actions workflow code plus the highest-risk JavaScript/TypeScript surfaces with high-confidence security queries filtered to high/critical `security-severity`.

-The pull request guard stays light: it only starts for changes under `.github/actions`, `.github/codeql`, `.github/workflows`, `packages`, or `src`, and it runs the same high-confidence security matrix as the scheduled workflow. Android and macOS CodeQL stay out of PR defaults.
+The pull request guard stays light: it only starts for changes under `.github/actions`, `.github/codeql`, `.github/workflows`, `packages`, `scripts`, `src`, or process-owning bundled plugin runtime paths, and it runs the same high-confidence security matrix as the scheduled workflow. Android and macOS CodeQL stay out of PR defaults.

 ### Security categories

@@ -468,6 +462,7 @@ The pull request guard stays light: it only starts for changes under `.github/ac
 | `/codeql-security-high/channel-runtime-boundary`  | Core channel implementation contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, audit touchpoints              |
 | `/codeql-security-high/network-ssrf-boundary`     | Core SSRF, IP parsing, network guard, web-fetch, and Plugin SDK SSRF policy surfaces                                                |
 | `/codeql-security-high/mcp-process-tool-boundary` | MCP servers, process execution helpers, outbound delivery, and agent tool-execution gates                                           |
+| `/codeql-security-high/process-exec-boundary`     | Local shell, process spawn helpers, subprocess-owning bundled plugin runtimes, and workflow script glue                             |
 | `/codeql-security-high/plugin-trust-boundary`     | Plugin install, loader, manifest, registry, package-manager install, source-loading, and Plugin SDK package contract trust surfaces |

 ### Platform-specific security shards
--- a/docs/cli/browser.md
+++ b/docs/cli/browser.md
@@ -174,22 +174,7 @@ Notes:
  or `--element`.
 - `existing-session` / `user` profiles support page screenshots and `--ref`
  screenshots from snapshot output, but not CSS `--element` screenshots.
- `--labels` overlays current snapshot refs on the screenshot. On
-  Playwright-backed profiles, it works with `--full-page` (full-page label
-  overlay), `--ref` (element-clip label overlay by ARIA ref), and `--element`
-  (element-clip label overlay by CSS selector); in element-clip modes, labels
-  are projected relative to the element. The response also includes an
-  `annotations` array with each ref's bounding box. Each item has `ref`,
-  `number`, `role`, optional `name`, and `box: {x, y, width, height}`;
-  coordinates are in the captured image's space (viewport / fullpage /
-  element-relative). The field is omitted when empty.
-  `existing-session` profiles render a chrome-mcp overlay on page screenshots
-  but do not use the Playwright projection helper and do not include
-  `annotations`; CSS `--element` screenshots are unsupported there. Without
-  Playwright or chrome-mcp, labeled screenshots are not available. Prior
-  releases ignored `--full-page`, `--ref`, and `--element` on labeled
-  Playwright screenshots and always returned a viewport capture; labeled
-  screenshots now honor those scopes.
+- `--labels` overlays current snapshot refs on the screenshot.
 - `snapshot --urls` appends discovered link destinations to AI snapshots so
  agents can choose direct navigation targets instead of guessing from link
  text alone.
--- a/docs/cli/onboard.md
+++ b/docs/cli/onboard.md
@@ -182,10 +182,7 @@ Interactive onboarding behavior with reference mode:
 ### Non-interactive Z.AI endpoint choices

 <Note>
-`--auth-choice zai-api-key` auto-detects the best Z.AI endpoint and model for
-your key. Coding Plan endpoints prefer `zai/glm-5.2`; general API endpoints use
-`zai/glm-5.1`. To force a Coding Plan endpoint, pick `zai-coding-global` or
-`zai-coding-cn`.
+`--auth-choice zai-api-key` auto-detects the best Z.AI endpoint for your key (prefers the general API with `zai/glm-5.1`). If you specifically want the GLM Coding Plan endpoints, pick `zai-coding-global` or `zai-coding-cn`.
 </Note>

 ```bash
--- a/docs/cli/plugins.md
+++ b/docs/cli/plugins.md
@@ -159,7 +159,7 @@ is available, then fall back to `latest`.
  <Accordion title="--dangerously-force-unsafe-install">
    `--dangerously-force-unsafe-install` is deprecated and is now a no-op. OpenClaw no longer runs built-in install-time dangerous-code blocking for plugin installs.

-    Use the shared operator-owned `security.installPolicy` surface when host-specific install policy is required. Plugin `before_install` hooks are plugin-runtime lifecycle hooks and are not the primary policy boundary for CLI installs.
+    Use the shared operator-owned `security.installPolicy` surface when host-specific install policy is required. Plugin `before_install` hooks and `security.installPolicy` can still block installs.

    If a plugin you published on ClawHub is hidden or blocked by a registry scan, use the publisher steps in [ClawHub publishing](/clawhub/publishing). `--dangerously-force-unsafe-install` does not ask ClawHub to rescan the plugin or make a blocked release public.

@@ -405,7 +405,7 @@ Updates apply to tracked plugin installs in the managed plugin index and tracked

  </Accordion>
  <Accordion title="--dangerously-force-unsafe-install on update">
-    `--dangerously-force-unsafe-install` is also accepted on `plugins update` for compatibility, but it is deprecated and no longer changes plugin update behavior. Operator `security.installPolicy` can still block updates; plugin `before_install` hooks only apply in processes where plugin hooks are loaded.
+    `--dangerously-force-unsafe-install` is also accepted on `plugins update` for compatibility, but it is deprecated and no longer changes plugin update behavior. Operator `security.installPolicy` and plugin `before_install` hooks can still block updates.
  </Accordion>
 </AccordionGroup>

--- a/docs/concepts/active-memory.md
+++ b/docs/concepts/active-memory.md
@@ -479,9 +479,6 @@ names that plugin registers. Active Memory lists those tools in the recall
 prompt and passes the same list to the embedded sub-agent. If none of the
 configured tools are available, or the memory sub-agent fails, Active Memory
 skips recall for that turn and the main reply continues without memory context.
-For custom recall tools, non-empty model-visible tool output counts as recall
-evidence unless structured result fields explicitly report an empty result or
-failure.
 `toolsAllow` only accepts concrete memory tool names. Wildcards, `group:*`
 entries, and core agent tools such as `read`, `exec`, `message`, and
 `web_search` are ignored before the hidden memory sub-agent starts.
@@ -746,11 +743,7 @@ Before v2026.5.2 the plugin silently extended your configured `timeoutMs` by an
 extra 30000 ms during cold-start so model warm-up, embedding-index load, and
 the first recall could share one larger budget. v2026.5.2 moved that grace
 behind an explicit `setupGraceTimeoutMs` config — your configured `timeoutMs`
-is now the recall-work budget by default, unless you opt in. The blocking hook
-uses two bounded phases around that budget: up to 1500 ms for session/config
-preflight before recall starts, then a separate fixed 1500 ms for abort
-settlement and transcript recovery after recall work stops. Neither allowance
-extends model or tool execution.
+is now the budget by default, unless you opt in.

 If you upgraded from v2026.4.x and you set `timeoutMs` to a value tuned for the
 old implicit-grace world (the recommended starter `timeoutMs: 15000` is one
@@ -772,16 +765,14 @@ outer watchdog budgets back to the pre-v5.2 effective values:
 }
 ```

-The v2026.5.2 change removed the old implicit 30000 ms cold-start extension.
-Beyond the configured recall-work budget, the hook can use up to 1500 ms for
-preflight and another 1500 ms for post-recall completion. Its worst-case
-blocking time is therefore `timeoutMs + setupGraceTimeoutMs + 3000` ms.
+Per the v2026.5.2 changelog: _"use the configured recall timeout as the
+blocking prompt-build hook budget by default and move cold-start setup grace
+behind explicit `setupGraceTimeoutMs` config, so the plugin no longer silently
+extends 15000 ms configs to 45000 ms on the main lane."_

 The embedded recall runner uses the same effective timeout budget, so
 `setupGraceTimeoutMs` covers both the outer prompt-build watchdog and the inner
-blocking recall run. The preflight cap covers session/config checks before that
-budget begins. The post-recall allowance lets the outer hook settle abort
-cleanup and read any final transcript state.
+blocking recall run.

 For resource-tight gateways where cold-start latency is a known trade-off,
 lower values (5000–15000 ms) work too — the trade-off is a higher chance of
--- a/docs/concepts/agent-loop.md
+++ b/docs/concepts/agent-loop.md
@@ -97,7 +97,7 @@ These run inside the agent loop or gateway pipeline:
 - **`agent_end`**: inspect the final message list and run metadata after completion.
 - **`before_compaction` / `after_compaction`**: observe or annotate compaction cycles.
 - **`before_tool_call` / `after_tool_call`**: intercept tool params/results.
- **`before_install`**: inspect staged skill or plugin install material after operator install policy runs, when plugin hooks are loaded in the current OpenClaw process.
+- **`before_install`**: inspect install context and optionally block skill or plugin installs after operator install policy runs.
 - **`tool_result_persist`**: synchronously transform tool results before they are written to an OpenClaw-owned session transcript.
 - **`message_received` / `message_sending` / `message_sent`**: inbound + outbound message hooks.
 - **`session_start` / `session_end`**: session lifecycle boundaries.
@@ -109,7 +109,6 @@ Hook decision rules for outbound/tool guards:
 - `before_tool_call`: `{ block: false }` is a no-op and does not clear a prior block.
 - `before_install`: `{ block: true }` is terminal and stops lower-priority handlers.
 - `before_install`: `{ block: false }` is a no-op and does not clear a prior block.
- Use `security.installPolicy`, not `before_install`, for operator-owned install allow/block decisions that must cover CLI install and update paths.
 - `message_sending`: `{ cancel: true }` is terminal and stops lower-priority handlers.
 - `message_sending`: `{ cancel: false }` is a no-op and does not clear a prior cancel.

--- a/docs/concepts/mantis.md
+++ b/docs/concepts/mantis.md
@@ -247,13 +247,12 @@ of only a bot-to-bot Slack transcript.
 evidence pipeline. It checks out the trusted candidate ref in a separate
 worktree, runs `pnpm openclaw qa telegram --credential-source convex
 --credential-role ci`, writes a `mantis-evidence.json` manifest from the
-Telegram QA summary, `qa-evidence.json`, and report artifacts, renders the
-redacted evidence HTML through a Crabbox desktop browser, generates a
-motion-trimmed GIF with `crabbox media preview`, and posts the inline PR
-evidence comment when a PR number is available. This lane is QA-evidence visual
-rather than logged-in Telegram Web proof: the Telegram Bot API gives stable live
-message evidence, but Telegram Web login state is not required for normal Mantis
-automation.
+Telegram QA summary and observed-message artifact, renders the redacted
+transcript HTML through a Crabbox desktop browser, generates a motion-trimmed GIF
+with `crabbox media preview`, and posts the inline PR evidence comment when a PR
+number is available. This lane is transcript-visual rather than logged-in
+Telegram Web proof: the Telegram Bot API gives stable live message evidence, but
+Telegram Web login state is not required for normal Mantis automation.

 `Mantis Telegram Desktop Proof` is the agentic native Telegram Desktop
 before/after wrapper. A maintainer can trigger it from a PR comment with
@@ -495,8 +494,8 @@ zero:

 - `pnpm openclaw qa discord` already runs a live Discord lane with driver and
  SUT bots.
- The live transport runner already writes reports, QA evidence, and
-  transport-specific artifacts under `.artifacts/qa-e2e/`.
+- The live transport runner already writes reports and observed-message
+  artifacts under `.artifacts/qa-e2e/`.
 - Convex credential leases already provide exclusive access to shared live
  transport credentials.
 - The browser control service already supports screenshots, snapshots,
--- a/docs/concepts/model-providers.md
+++ b/docs/concepts/model-providers.md
@@ -99,7 +99,7 @@ Official provider plugins publish their own model catalog rows. These providers
 - Use `params.serviceTier` when you want an explicit tier instead of the shared `/fast` toggle
 - Hidden OpenClaw attribution headers (`originator`, `version`, `User-Agent`) apply only on native OpenAI traffic to `api.openai.com`, not generic OpenAI-compatible proxies
 - Native OpenAI routes also keep Responses `store`, prompt-cache hints, and OpenAI reasoning-compat payload shaping; proxy routes do not
- `openai/gpt-5.3-codex-spark` is available through ChatGPT/Codex OAuth subscription auth when your signed-in account exposes it; OpenClaw still suppresses direct OpenAI API-key and Azure API-key routes for this model because those transports reject it
+- `openai/gpt-5.3-codex-spark` is intentionally suppressed in OpenClaw because live OpenAI API requests reject it and the current Codex catalog does not expose it

 ```json5
 {
@@ -264,7 +264,7 @@ Gemini CLI JSON replies are parsed from `response`; usage falls back to `stats`,

 - Provider: `zai`
 - Auth: `ZAI_API_KEY`
- Example model: `zai/glm-5.2`
+- Example model: `zai/glm-5.1`
 - CLI: `openclaw onboard --auth-choice zai-api-key`
  - Model refs use the canonical `zai/*` provider ID.
  - `zai-api-key` auto-detects the matching Z.AI endpoint; `zai-coding-global`, `zai-coding-cn`, `zai-global`, and `zai-cn` force a specific surface
--- a/docs/concepts/personal-agent-benchmark-pack.md
+++ b/docs/concepts/personal-agent-benchmark-pack.md
@@ -11,7 +11,7 @@ The Personal Agent Benchmark Pack is a small repo-backed QA scenario pack for
 local personal assistant workflows. It is not a generic model benchmark and it
 does not require a new runner. The pack reuses the private QA stack described in
 [QA overview](/concepts/qa-e2e-automation), the synthetic
-[QA channel](/channels/qa-channel), and the existing `qa/scenarios` YAML
+[QA channel](/channels/qa-channel), and the existing `qa/scenarios` markdown
 catalog.

 The first pack is intentionally narrow:
@@ -61,9 +61,9 @@ to inspect and file in issues.

 ## Extending The Pack

-Add new `.yaml` cases under `qa/scenarios/personal/`, then add the scenario id
-to `QA_PERSONAL_AGENT_SCENARIO_IDS`. Keep each case small, local, deterministic
-in `mock-openai`, and focused on one personal assistant behavior.
+Add new cases under `qa/scenarios/personal/`, then add the scenario id to
+`QA_PERSONAL_AGENT_SCENARIO_IDS`. Keep each case small, local, deterministic in
+`mock-openai`, and focused on one personal assistant behavior.

 Good follow-up candidates:

--- a/docs/concepts/qa-e2e-automation.md
+++ b/docs/concepts/qa-e2e-automation.md
@@ -31,9 +31,9 @@ script aliases; both forms are supported.

 | Command                                             | Purpose                                                                                                                                                                                                                                                                 |
 | --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `qa run`                                            | Bundled QA self-check without `--qa-profile`; taxonomy-backed maturity profile runner with `--qa-profile smoke-ci` or `--qa-profile release`.                                                                                                                           |
+| `qa run`                                            | Bundled QA self-check; writes a Markdown report.                                                                                                                                                                                                                        |
 | `qa suite`                                          | Run repo-backed scenarios against the QA gateway lane. Aliases: `pnpm openclaw qa suite --runner multipass` for a disposable Linux VM.                                                                                                                                  |
-| `qa coverage`                                       | Print the YAML scenario-coverage inventory (`--json` for machine output).                                                                                                                                                                                               |
+| `qa coverage`                                       | Print the markdown scenario-coverage inventory (`--json` for machine output).                                                                                                                                                                                           |
 | `qa parity-report`                                  | Compare two `qa-suite-summary.json` files and write the agentic parity report, or use `--runtime-axis --token-efficiency` to write Codex-vs-OpenClaw runtime parity and token-efficiency reports from one runtime-pair summary.                                         |
 | `qa character-eval`                                 | Run the character QA scenario across multiple live models with a judged report. See [Reporting](#reporting).                                                                                                                                                            |
 | `qa manual`                                         | Run a one-off prompt against the selected provider/model lane.                                                                                                                                                                                                          |
@@ -51,30 +51,6 @@ script aliases; both forms are supported.
 | `qa whatsapp`                                       | Live transport lane against real WhatsApp Web accounts.                                                                                                                                                                                                                 |
 | `qa mantis`                                         | Before and after verification runner for live transport bugs, with Discord status-reactions evidence, Crabbox desktop/browser smoke, and Slack-in-VNC smoke. See [Mantis](/concepts/mantis) and [Mantis Slack Desktop Runbook](/concepts/mantis-slack-desktop-runbook). |

-Profile-backed `qa run` reads membership from `taxonomy.yaml`, then dispatches
-the resolved scenarios through `qa suite`. `--surface` and
-`--category` filter the selected profile instead of defining separate lanes.
-The resulting `qa-evidence.json` includes a profile scorecard summary with
-selected-category counts and missing coverage IDs; the individual evidence
-entries remain the source of truth for the tests, coverage roles, artifacts,
-and results:
-
-```bash
-pnpm openclaw qa run \
-  --qa-profile smoke-ci \
-  --category agent-runtime-and-provider-execution.agent-turn-execution \
-  --provider-mode mock-openai \
-  --output-dir .artifacts/qa-e2e/smoke-ci-profile-dispatch
-```
-
-Use `smoke-ci` for deterministic no-live-service proof and `release` for the
-Stable/LTS proof lane. When a command also needs an OpenClaw root profile, put
-the root profile before the QA command:
-
-```bash
-pnpm openclaw --profile work qa run --qa-profile smoke-ci
-```
-
 ## Operator flow

 The current QA operator flow is a two-pane QA site:
@@ -342,17 +318,17 @@ Matrix has a [dedicated page](/concepts/qa-matrix) because of its scenario count

 These lanes register through `extensions/qa-lab/src/live-transports/shared/live-transport-cli.ts` and accept the same flags:

-| Flag                                  | Default                                            | Description                                                                                                                                     |
-| ------------------------------------- | -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
-| `--scenario <id>`                     | -                                                  | Run only this scenario. Repeatable.                                                                                                             |
-| `--output-dir <path>`                 | `<repo>/.artifacts/qa-e2e/<transport>-<timestamp>` | Where reports, summaries, evidence, transport-specific artifacts, and the output log are written. Relative paths resolve against `--repo-root`. |
-| `--repo-root <path>`                  | `process.cwd()`                                    | Repository root when invoking from a neutral cwd.                                                                                               |
-| `--sut-account <id>`                  | `sut`                                              | Temporary account id inside the QA gateway config.                                                                                              |
-| `--provider-mode <mode>`              | `live-frontier`                                    | `mock-openai` or `live-frontier` (legacy `live-openai` still works).                                                                            |
-| `--model <ref>` / `--alt-model <ref>` | provider default                                   | Primary/alternate model refs.                                                                                                                   |
-| `--fast`                              | off                                                | Provider fast mode where supported.                                                                                                             |
-| `--credential-source <env\|convex>`   | `env`                                              | See [Convex credential pool](#convex-credential-pool).                                                                                          |
-| `--credential-role <maintainer\|ci>`  | `ci` in CI, `maintainer` otherwise                 | Role used when `--credential-source convex`.                                                                                                    |
+| Flag                                  | Default                                            | Description                                                                                                           |
+| ------------------------------------- | -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
+| `--scenario <id>`                     | -                                                  | Run only this scenario. Repeatable.                                                                                   |
+| `--output-dir <path>`                 | `<repo>/.artifacts/qa-e2e/<transport>-<timestamp>` | Where reports/summary/observed messages and the output log are written. Relative paths resolve against `--repo-root`. |
+| `--repo-root <path>`                  | `process.cwd()`                                    | Repository root when invoking from a neutral cwd.                                                                     |
+| `--sut-account <id>`                  | `sut`                                              | Temporary account id inside the QA gateway config.                                                                    |
+| `--provider-mode <mode>`              | `live-frontier`                                    | `mock-openai` or `live-frontier` (legacy `live-openai` still works).                                                  |
+| `--model <ref>` / `--alt-model <ref>` | provider default                                   | Primary/alternate model refs.                                                                                         |
+| `--fast`                              | off                                                | Provider fast mode where supported.                                                                                   |
+| `--credential-source <env\|convex>`   | `env`                                              | See [Convex credential pool](#convex-credential-pool).                                                                |
+| `--credential-role <maintainer\|ci>`  | `ci` in CI, `maintainer` otherwise                 | Role used when `--credential-source convex`.                                                                          |

 Each lane exits non-zero on any failed scenario. `--allow-failures` writes artifacts without setting a failing exit code.

@@ -370,6 +346,10 @@ Required env when `--credential-source env`:
 - `OPENCLAW_QA_TELEGRAM_DRIVER_BOT_TOKEN`
 - `OPENCLAW_QA_TELEGRAM_SUT_BOT_TOKEN`

+Optional:
+
+- `OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT=1` keeps message bodies in observed-message artifacts (default redacts).
+
 Scenarios (`extensions/qa-lab/src/live-transports/telegram/telegram-live.runtime.ts`):

 - `telegram-canary`
@@ -395,26 +375,26 @@ Output artifacts:

 - `telegram-qa-report.md`
 - `qa-evidence.json` - evidence entries for the live transport checks, including profile, coverage, provider, channel, artifacts, result, and RTT fields.
+- `telegram-qa-observed-messages.json` - bodies redacted unless `OPENCLAW_QA_TELEGRAM_CAPTURE_CONTENT=1`.

-Package Telegram runs use the same Telegram credential contract. Repeated RTT
-measurement is part of the normal package Telegram live lane; the RTT
-distribution is folded into `qa-evidence.json` under `result.timing` for the
-selected RTT check.
+Package RTT comparison uses the same Telegram credential contract while keeping
+its RTT sample controls on the RTT harness path:

 ```bash
-OPENCLAW_QA_CREDENTIAL_SOURCE=convex \
-pnpm test:docker:npm-telegram-live
+pnpm rtt openclaw@beta \
+  --credential-source convex \
+  --credential-role maintainer \
+  --samples 20 \
+  --sample-timeout-ms 30000
 ```

-When `OPENCLAW_QA_CREDENTIAL_SOURCE=convex` is set, the package live wrapper
-leases a `kind: "telegram"` credential, exports the leased group/driver/SUT bot
-env into the installed-package run, heartbeats the lease, and releases it on
-shutdown. The package wrapper defaults to 20 RTT checks of
-`telegram-mentioned-message-reply`, a 30s RTT timeout, and Convex role
-`maintainer` outside CI when Convex is selected. Override
-`OPENCLAW_NPM_TELEGRAM_RTT_SAMPLES`, `OPENCLAW_NPM_TELEGRAM_RTT_TIMEOUT_MS`,
-or `OPENCLAW_NPM_TELEGRAM_RTT_MAX_FAILURES` to tune RTT measurement without
-creating a separate RTT command or Telegram-specific summary format.
+When `--credential-source convex` is set, the RTT Docker wrapper leases a
+`kind: "telegram"` credential, exports the leased group/driver/SUT bot env into
+the installed-package run, heartbeats the lease, and releases it on shutdown.
+`--samples` and `--sample-timeout-ms` still feed
+`OPENCLAW_NPM_TELEGRAM_WARM_SAMPLES` and
+`OPENCLAW_NPM_TELEGRAM_SAMPLE_TIMEOUT_MS`, so `result.json` remains comparable
+across env-backed and Convex-backed RTT runs.

 ### Discord QA

@@ -793,26 +773,25 @@ Operational env vars and the Convex broker endpoint contract live in [Testing

 Seed assets live in `qa/`:

- `qa/scenarios/index.yaml`
- `qa/scenarios/<theme>/*.yaml`
+- `qa/scenarios/index.md`
+- `qa/scenarios/<theme>/*.md`

 These are intentionally in git so the QA plan is visible to both humans and the
 agent.

-`qa-lab` should stay a generic YAML scenario runner. Each scenario YAML file is
+`qa-lab` should stay a generic markdown runner. Each scenario markdown file is
 the source of truth for one test run and should define:

- top-level `title`
- `scenario` metadata
- optional category, capability, lane, and risk metadata in `scenario`
- docs and code refs in `scenario`
- optional plugin requirements in `scenario`
- optional gateway config patch in `scenario`
- executable top-level `flow` for flow scenarios, or `scenario.execution.kind` /
-  `scenario.execution.path` for Vitest and Playwright scenarios
+- scenario metadata
+- optional category, capability, lane, and risk metadata
+- docs and code refs
+- optional plugin requirements
+- optional gateway config patch
+- an executable `qa-flow` block for flow scenarios, or `execution.kind`/`execution.path`
+  for Vitest and Playwright scenarios

-The reusable runtime surface that backs `flow` is allowed to stay generic
-and cross-cutting. For example, YAML scenarios can combine transport-side
+The reusable runtime surface that backs `qa-flow` blocks is allowed to stay generic
+and cross-cutting. For example, markdown scenarios can combine transport-side
 helpers with browser-side helpers that drive the embedded Control UI through the
 Gateway `browser.request` seam without adding a special-case runner.

@@ -850,17 +829,17 @@ provider names.

 ## Transport adapters

-`qa-lab` owns a generic transport seam for YAML QA scenarios. `qa-channel` is the first adapter on that seam, but the design target is wider: future real or synthetic channels should plug into the same suite runner instead of adding a transport-specific QA runner.
+`qa-lab` owns a generic transport seam for markdown QA scenarios. `qa-channel` is the first adapter on that seam, but the design target is wider: future real or synthetic channels should plug into the same suite runner instead of adding a transport-specific QA runner.

 At the architecture level, the split is:

 - `qa-lab` owns generic scenario execution, worker concurrency, artifact writing, and reporting.
 - The transport adapter owns gateway config, readiness, inbound and outbound observation, transport actions, and normalized transport state.
- YAML scenario files under `qa/scenarios/` define the test run; `qa-lab` provides the reusable runtime surface that executes them.
+- Markdown scenario files under `qa/scenarios/` define the test run; `qa-lab` provides the reusable runtime surface that executes them.

 ### Adding a channel

-Adding a channel to the YAML QA system requires exactly two things:
+Adding a channel to the markdown QA system requires exactly two things:

 1. A transport adapter for the channel.
 2. A scenario pack that exercises the channel contract.
@@ -894,7 +873,7 @@ The minimum adoption bar for a new channel:
 2. Implement the transport runner on the shared `qa-lab` host seam.
 3. Keep transport-specific mechanics inside the runner plugin or channel harness.
 4. Mount the runner as `openclaw qa <runner>` instead of registering a competing root command. Runner plugins should declare `qaRunners` in `openclaw.plugin.json` and export a matching `qaRunnerCliRegistrations` array from `runtime-api.ts`. Keep `runtime-api.ts` light; lazy CLI and runner execution should stay behind separate entrypoints.
-5. Author or adapt YAML scenarios under the themed `qa/scenarios/` directories.
+5. Author or adapt markdown scenarios under the themed `qa/scenarios/` directories.
 6. Use the generic scenario helpers for new scenarios.
 7. Keep existing compatibility aliases working unless the repo is doing an intentional migration.

@@ -937,13 +916,7 @@ The report should answer:
 For the inventory of available scenarios - useful when sizing follow-up work or wiring a new transport - run `pnpm openclaw qa coverage` (add `--json` for machine-readable output).
 When choosing focused proof for a touched behavior or file path, run `pnpm openclaw qa coverage --match <query>`.
 The match report searches scenario metadata, docs refs, code refs, coverage IDs, plugins, and provider requirements, then prints matching `qa suite --scenario ...` targets.
-Every `qa suite` run writes top-level `qa-evidence.json`,
-`qa-suite-summary.json`, and `qa-suite-report.md` artifacts for the selected
-scenario set. Scenarios that declare `execution.kind: vitest` or
-`execution.kind: playwright` run the matching test path and also write
-per-scenario logs. When `qa suite` is reached through
-`qa run --qa-profile`, the same `qa-evidence.json` also includes the profile
-scorecard summary for the selected taxonomy categories.
+Every `qa suite` scenario execution writes a `qa-evidence.json` artifact. Flow scenarios also write `qa-suite-summary.json` for existing suite/report tooling; scenarios that declare `execution.kind: vitest` or `execution.kind: playwright` run the matching test path and write `qa-vitest-report.md` or `qa-playwright-report.md` plus per-scenario logs.
 Treat it as a discovery aid, not a gate replacement; the selected scenario still needs the right provider mode, live transport, Multipass, Testbox, or release lane for the behavior under test.

 For character and style checks, run the same scenario across multiple live model
--- a/docs/concepts/usage-tracking.md
+++ b/docs/concepts/usage-tracking.md
@@ -32,13 +32,8 @@ title: "Usage tracking"

 ## Custom `/usage full` footer

-`/usage full` shows a built-in compact footer with model, reasoning, fast/slow,
-context window, turn tokens, cache, and cost when those fields are available. No
-template file is required.
-
-`messages.usageTemplate` is only for advanced custom layouts. The value is a
-JSON file path (supports `~`) or an inline object, and it replaces the built-in
-footer when valid:
+Set `messages.usageTemplate` to customize the per-response `/usage full`
+footer. The value can be an inline template object or a JSON file path:

 ```json
 {
@@ -48,182 +43,9 @@ footer when valid:
 }
 ```

-Missing or empty templates fall back to the built-in footer quietly. Unreadable
-or invalid configured templates also fall back to the built-in footer and emit an
-operator warning.
-
-Start custom templates from the built-in shape, then edit the parts you want to
-change:
-
-```jsonc
-{
-  "schema": "openclaw.usageBar.v1",
-  "scales": {
-    "braille": "⠐⡀⡄⡆⡇⣇⣧⣷⣿",
-    "block": "░▏▎▍▌▋▊▉█",
-    "shade": "░▒▓█",
-    "moon": "🌑🌘🌗🌖🌕",
-    "level": "▁▂▃▄▅▆▇█",
-    "weather": ["🥶", "☁️", "🌥", "⛅️", "🌤", "☀️"],
-    "plants": ["🪾", "🍂", "🌱", "☘️", "🍀", "🌿"],
-    "moons6": ["🌑", "🌚", "🌘", "🌗", "🌖", "🌝"],
-  },
-  "aliases": {
-    "models": {
-      "claude-opus-4-6": "opus46",
-      "claude-opus-4-8": "opus48",
-      "claude-sonnet-4-6": "sonnet46",
-      "claude-haiku-4-5": "haiku45",
-      "gpt-5.5": "gpt5.5",
-    },
-    "reasoning": {
-      "off": "🌑",
-      "minimal": "🌚",
-      "low": "🌘",
-      "medium": "🌗",
-      "high": "🌕",
-      "xhigh": "🌝",
-    },
-  },
-  "output": {
-    "sep": "",
-    "default": [
-      { "text": "{model.provider}{identity.emoji|🤖} {model.display_name|alias:models}" },
-      { "map": "model.is_fallback", "cases": { "true": " 🔄" } },
-      { "map": "model.is_override", "cases": { "true": " 📌" } },
-      { "when": "model.reasoning", "text": " {model.reasoning|alias:reasoning}" },
-      { "map": "state.fast_mode", "cases": { "true": " ⚡", "false": " 🐌" } },
-      {
-        "when": "context.max_tokens",
-        "text": " | 📚 [{context.pct_used|meter:5:braille}]{context.max_tokens|num}",
-      },
-      {
-        "when": "usage.has_split_tokens",
-        "text": " ↕️ {usage.input_tokens|num|?}/{usage.output_tokens|num|?}",
-      },
-      { "when": "usage.has_total_only_tokens", "text": " ↕️ {usage.total_tokens|num}" },
-      { "when": "usage.cache_hit_pct", "text": " 🗄 {usage.cache_hit_pct|pct}" },
-      { "when": "cost.turn_usd", "text": " 💰{cost.turn_usd|fixed:4}" },
-    ],
-    "surfaces": {
-      "discord": [
-        { "text": "-# -\n" },
-        { "text": "-# {model.provider}{identity.emoji|🤖} {model.display_name|alias:models}" },
-        { "map": "model.is_fallback", "cases": { "true": "🔄" } },
-        { "map": "model.is_override", "cases": { "true": "📌" } },
-        { "when": "model.reasoning", "text": " {model.reasoning|alias:reasoning}" },
-        { "map": "state.fast_mode", "cases": { "true": " ⚡️", "false": " 🐌" } },
-        {
-          "when": "context.max_tokens",
-          "text": " | 📚 [{context.pct_used|meter:5:braille}]{context.max_tokens|num}",
-        },
-        {
-          "when": "usage.has_split_tokens",
-          "text": " ↕️ {usage.input_tokens|num|?}/{usage.output_tokens|num|?}",
-        },
-        { "when": "usage.has_total_only_tokens", "text": " ↕️ {usage.total_tokens|num}" },
-        { "when": "usage.cache_hit_pct", "text": " 🗄 {usage.cache_hit_pct|pct}" },
-        { "when": "cost.turn_usd", "text": " 💰{cost.turn_usd|fixed:4}" },
-      ],
-    },
-  },
-}
-```
-
-### Shape
-
-```jsonc
-{
-  "schema": "openclaw.usageBar.v1",
-  "scales": { "<name>": "low-to-high glyphs" }, // string (1 glyph/char) or array
-  "aliases": { "<table>": { "<value>": "<label>" } },
-  "output": {
-    "sep": "", // joins surviving pieces
-    "default": [
-      /* pieces */
-    ], // fallback for any surface
-    "surfaces": {
-      "discord": [
-        /* pieces */
-      ],
-      "telegram": [
-        /* pieces */
-      ],
-    },
-  },
-}
-```
-
-Each surface is an ordered list of **pieces**; the engine renders each, drops
-empties, and joins survivors with `sep`. A surface with no entry uses
-`output.default`.
-
-### Contract Paths
-
-A piece reads values from the per-turn contract by dot-path. Absent values are
-empty (so a `when` guard or a `|fallback` keeps the piece clean).
-
-| Path                                                                                | Meaning                                |
-| ----------------------------------------------------------------------------------- | -------------------------------------- |
-| `surface`                                                                           | channel id (`discord`/`telegram`/etc.) |
-| `model.provider` / `model.display_name`                                             | provider id / model id                 |
-| `model.reasoning`                                                                   | effort (`off` through `xhigh`)         |
-| `model.is_fallback` / `model.is_override`                                           | bool: fallback used / model pinned     |
-| `state.fast_mode`                                                                   | bool: fast vs slow                     |
-| `context.max_tokens` / `context.pct_used`                                           | window budget / 0-100 used             |
-| `usage.input_tokens` / `usage.output_tokens` / `usage.total_tokens`                 | turn aggregate                         |
-| `usage.has_split_tokens` / `usage.has_total_only_tokens` / `usage.cache_hit_pct`    | token display guards and cache percent |
-| `usage.last.input_tokens` / `usage.last.output_tokens` / `usage.last.cache_hit_pct` | final model call only                  |
-| `cost.turn_usd`                                                                     | estimated turn cost                    |
-| `identity.name` / `identity.emoji`                                                  | agent name / chosen emoji              |
-
-(Provider rate-limit windows are **not** in this contract.)
-
-### Verbs
-
-Pipe a value through verbs left to right; a non-verb segment is the fallback.
-
-| Verb            | Effect                                | Example                           |
-| --------------- | ------------------------------------- | --------------------------------- |
-| `num`           | compact count                         | `272000 -> 272k`                  |
-| `fixed:N`       | N decimals (default 2)                | `0.0377`                          |
-| `dur`           | seconds to duration                   | `14820 -> 4h07m`                  |
-| `pct`           | append `%`                            | `96 -> 96%`                       |
-| `inv`           | `100 - x`                             | for used to remaining             |
-| `alias:TABLE`   | lookup in `aliases`, echo if unlisted | `medium -> 🌗`                    |
-| `meter:W:SCALE` | W-cell glyph bar over a 0-100 value   | `[⣿⣿⠐⠐⠐]` (`meter:1` = one glyph) |
-
-### Piece forms
-
- `{ "text": "📚 {context.max_tokens|num}" }`: literal + interpolation.
- `{ "when": "<path>", "text": "..." }`: render only if the path is truthy.
- `{ "map": "<path>", "cases": { "true": "⚡", "false": "🐌" } }`: value to glyph.
- `{ "each": "limits.windows", "item": "{label}" }`: iterate an array.
-
-### Example
-
-```jsonc
-{
-  "schema": "openclaw.usageBar.v1",
-  "scales": { "braille": "⠐⡀⡄⡆⡇⣇⣧⣷⣿" },
-  "aliases": { "reasoning": { "medium": "🌗", "high": "🌕" } },
-  "output": {
-    "surfaces": {
-      "discord": [
-        { "text": "{model.display_name}" },
-        { "when": "model.reasoning", "text": " {model.reasoning|alias:reasoning}" },
-        { "map": "state.fast_mode", "cases": { "true": " ⚡", "false": " 🐌" } },
-        {
-          "when": "context.max_tokens",
-          "text": " | 📚 [{context.pct_used|meter:5:braille}]{context.max_tokens|num}",
-        },
-      ],
-    },
-  },
-}
-```
-
-renders e.g. `claude-sonnet-4-6 🌗 🐌 | 📚 [⣿⣿⣿⣿⣧]272k`.
+Templates read the `openclaw.usageLine.v1` contract and can use `scales`,
+`aliases`, and `output.surfaces` to render channel-specific footers. Missing,
+unreadable, invalid, or empty templates fall back to the built-in usage line.

 ## Providers + credentials

--- a/docs/gateway/config-channels.md
+++ b/docs/gateway/config-channels.md
@@ -130,8 +130,6 @@ WhatsApp runs through the gateway's web channel (Baileys Web). It starts automat
 }
 ```

- Top-level `bindings[]` entries with `type: "acp"` configure persistent ACP bindings for WhatsApp DMs and groups. Use an E.164 direct number or WhatsApp group JID in `match.peer.id`. Field semantics are shared in [ACP Agents](/tools/acp-agents#persistent-channel-bindings).
-
 <Accordion title="Multi-account WhatsApp">

 ```json5
--- a/docs/gateway/config-tools.md
+++ b/docs/gateway/config-tools.md
@@ -339,7 +339,7 @@ Configures inbound media understanding (image/audio/video):

    - `capabilities`: optional list (`image`, `audio`, `video`). Defaults: `openai`/`anthropic`/`minimax` → image, `google` → image+audio+video, `groq` → audio.
    - `prompt`, `maxChars`, `maxBytes`, `timeoutSeconds`, `language`: per-entry overrides.
-    - `tools.media.image.timeoutSeconds` and matching image model `timeoutSeconds` entries also apply when the agent calls the explicit `image` tool. For image understanding, this timeout applies to the request itself and is not reduced by earlier preparation work.
+    - `tools.media.image.timeoutSeconds` and matching image model `timeoutSeconds` entries also apply when the agent calls the explicit `image` tool.
    - Failures fall back to the next entry.

    Provider auth follows standard order: `auth-profiles.json` → env vars → `models.providers.*.apiKey`.
--- a/docs/help/testing-live.md
+++ b/docs/help/testing-live.md
@@ -73,7 +73,7 @@ Live tests are split into two layers so we can isolate failures:
  - `pnpm test:live` (or `OPENCLAW_LIVE_TEST=1` if invoking Vitest directly)
 - Set `OPENCLAW_LIVE_MODELS=modern`, `small`, or `all` (alias for modern) to actually run this suite; otherwise it skips to keep `pnpm test:live` focused on gateway smoke
 - How to select models:
-  - `OPENCLAW_LIVE_MODELS=modern` to run the modern allowlist (Opus/Sonnet 4.6+, GPT-5.2 + Codex, Gemini 3, DeepSeek V4, GLM 5.1, MiniMax M3, Grok 4.3)
+  - `OPENCLAW_LIVE_MODELS=modern` to run the modern allowlist (Opus/Sonnet 4.6+, GPT-5.2 + Codex, Gemini 3, DeepSeek V4, GLM 4.7, MiniMax M3, Grok 4.3)
  - `OPENCLAW_LIVE_MODELS=small` to run the constrained small-model allowlist (Qwen 8B/9B local-compatible routes, Ollama Gemma, OpenRouter Qwen/GLM, and Z.AI GLM)
  - `OPENCLAW_LIVE_MODELS=all` is an alias for the modern allowlist
  - or `OPENCLAW_LIVE_MODELS="openai/gpt-5.5,anthropic/claude-opus-4-6,..."` (comma allowlist)
@@ -357,9 +357,6 @@ Narrow, explicit allowlists are fastest and least flaky:
 - Tool calling across several providers:
  - `OPENCLAW_LIVE_GATEWAY_MODELS="openai/gpt-5.5,anthropic/claude-opus-4-6,google/gemini-3-flash-preview,deepseek/deepseek-v4-flash,zai/glm-5.1,minimax/MiniMax-M3" pnpm test:live src/gateway/gateway-models.profiles.live.test.ts`

- Z.AI Coding Plan GLM-5.2 direct smoke:
-  - `ZAI_CODING_LIVE_TEST=1 pnpm test:live src/agents/zai.live.test.ts`
-
 - Google focus (Gemini API key + Antigravity):
  - Gemini (API key): `OPENCLAW_LIVE_GATEWAY_MODELS="google/gemini-3-flash-preview" pnpm test:live src/gateway/gateway-models.profiles.live.test.ts`
  - Antigravity (OAuth): `OPENCLAW_LIVE_GATEWAY_MODELS="google-antigravity/claude-opus-4-6-thinking,google-antigravity/gemini-3-pro-high" pnpm test:live src/gateway/gateway-models.profiles.live.test.ts`
@@ -391,7 +388,7 @@ This is the "common models" run we expect to keep working:
 - Google (Gemini API): `google/gemini-3.1-pro-preview` and `google/gemini-3-flash-preview` (avoid older Gemini 2.x models)
 - Google (Antigravity): `google-antigravity/claude-opus-4-6-thinking` and `google-antigravity/gemini-3-flash`
 - DeepSeek: `deepseek/deepseek-v4-flash` and `deepseek/deepseek-v4-pro`
- Z.AI (GLM): `zai/glm-5.1` (general API) or `zai/glm-5.2` (Coding Plan)
+- Z.AI (GLM): `zai/glm-5.1`
 - MiniMax: `minimax/MiniMax-M3`

 Run gateway smoke with tools + image:
@@ -405,7 +402,7 @@ Pick at least one per provider family:
 - Anthropic: `anthropic/claude-opus-4-6` (or `anthropic/claude-sonnet-4-6`)
 - Google: `google/gemini-3-flash-preview` (or `google/gemini-3.1-pro-preview`)
 - DeepSeek: `deepseek/deepseek-v4-flash`
- Z.AI (GLM): `zai/glm-5.1` (general API) or `zai/glm-5.2` (Coding Plan)
+- Z.AI (GLM): `zai/glm-5.1`
 - MiniMax: `minimax/MiniMax-M3`

 Optional additional coverage (nice to have):
--- a/docs/help/testing.md
+++ b/docs/help/testing.md
@@ -42,45 +42,6 @@ When you touch tests or want extra confidence:
 - Coverage gate: `pnpm test:coverage`
 - E2E suite: `pnpm test:e2e`

-## Test Temp Directories
-
-Prefer the shared helpers in `test/helpers/temp-dir.ts` for test-owned
-temporary directories. They make ownership explicit and keep cleanup in the same
-test lifecycle:
-
-```ts
-import { afterEach } from "vitest";
-import { createTempDirTracker } from "../helpers/temp-dir.js";
-
-const tempDirs = createTempDirTracker();
-
-afterEach(tempDirs.cleanup);
-
-it("uses a temp workspace", () => {
-  const workspace = tempDirs.make("openclaw-example-");
-  // use workspace
-});
-```
-
-Use `makeTempDir(tempDirs, prefix)` and `cleanupTempDirs(tempDirs)` when a test
-already owns an array or set of paths. Avoid new bare `fs.mkdtemp*` calls in
-tests unless a case is explicitly verifying raw temp-dir behavior. Add an
-auditable allow comment with a concrete reason when a test intentionally needs a
-bare temp directory:
-
-```ts
-// openclaw-temp-dir: allow verifies raw fs cleanup behavior
-const workspace = fs.mkdtempSync(prefix);
-```
-
-For migration visibility, `node scripts/report-test-temp-creations.mjs` reports
-new bare temp-dir creation in added diff lines without blocking existing cleanup
-styles. Its file scope intentionally follows the same test-path classification
-used by `scripts/changed-lanes.mjs` instead of maintaining a separate test-helper
-filename heuristic, while skipping the shared helper implementation itself.
-`check:changed` runs this report for changed test paths as a warning-only CI
-signal; findings are GitHub warning annotations, not failures.
-
 When debugging real providers/models (requires real creds):

 - Live suite (models + gateway tool/image probes): `pnpm test:live`
@@ -184,11 +145,6 @@ inside every shard.

 - `pnpm openclaw qa suite`
  - Runs repo-backed QA scenarios directly on the host.
-  - Writes top-level `qa-evidence.json`, `qa-suite-summary.json`, and
-    `qa-suite-report.md` artifacts for the selected scenario set, including
-    mixed flow, Vitest, and Playwright scenario selections.
-  - When dispatched by `pnpm openclaw qa run --qa-profile <profile>`, embeds the
-    selected taxonomy profile scorecard in the same `qa-evidence.json`.
  - Runs multiple selected scenarios in parallel by default with isolated
    gateway workers. `qa-channel` defaults to concurrency 4 (bounded by the
    selected scenario count). Use `--concurrency <count>` to tune the worker
@@ -262,27 +218,17 @@ inside every shard.
    `OPENCLAW_NPM_TELEGRAM_PACKAGE_TGZ=/path/to/openclaw-current.tgz` or
    `OPENCLAW_CURRENT_PACKAGE_TGZ` to test a resolved local tarball instead of
    installing from the registry.
-  - Emits repeated RTT timing in `qa-evidence.json` by default with
-    `OPENCLAW_NPM_TELEGRAM_RTT_SAMPLES=20`. Override
-    `OPENCLAW_NPM_TELEGRAM_RTT_SAMPLES`,
-    `OPENCLAW_NPM_TELEGRAM_RTT_TIMEOUT_MS`, or
-    `OPENCLAW_NPM_TELEGRAM_RTT_MAX_FAILURES` to tune the RTT run.
-    `OPENCLAW_NPM_TELEGRAM_RTT_CHECKS` accepts a comma-separated list of
-    Telegram QA check IDs to sample; when unset, the default RTT-capable check
-    is `telegram-mentioned-message-reply`.
  - Uses the same Telegram env credentials or Convex credential source as
    `pnpm openclaw qa telegram`. For CI/release automation, set
    `OPENCLAW_NPM_TELEGRAM_CREDENTIAL_SOURCE=convex` plus
-    `OPENCLAW_QA_CONVEX_SITE_URL` and a role secret. If
+    `OPENCLAW_QA_CONVEX_SITE_URL` and the role secret. If
    `OPENCLAW_QA_CONVEX_SITE_URL` and a Convex role secret are present in CI,
    the Docker wrapper selects Convex automatically.
  - The wrapper validates Telegram or Convex credential env on the host before
    Docker build/install work. Set `OPENCLAW_NPM_TELEGRAM_SKIP_CREDENTIAL_PREFLIGHT=1`
    only when deliberately debugging pre-credential setup.
  - `OPENCLAW_NPM_TELEGRAM_CREDENTIAL_ROLE=ci|maintainer` overrides the shared
-    `OPENCLAW_QA_CREDENTIAL_ROLE` for this lane only. When Convex credentials
-    are selected and no role is set, the wrapper uses `ci` in CI and
-    `maintainer` outside CI.
+    `OPENCLAW_QA_CREDENTIAL_ROLE` for this lane only.
  - GitHub Actions exposes this lane as the manual maintainer workflow
    `NPM Telegram Beta E2E`. It does not run on merge. The workflow uses the
    `qa-live-shared` environment and Convex CI credential leases.
@@ -398,11 +344,11 @@ gh workflow run package-acceptance.yml --ref main \
    want artifacts without a failing exit code.
  - Requires two distinct bots in the same private group, with the SUT bot exposing a Telegram username.
  - For stable bot-to-bot observation, enable Bot-to-Bot Communication Mode in `@BotFather` for both bots and ensure the driver bot can observe group bot traffic.
-  - Writes a Telegram QA report, summary, and `qa-evidence.json` under `.artifacts/qa-e2e/...`. Replying scenarios include RTT from driver send request to observed SUT reply.
+  - Writes a Telegram QA report, summary, and observed-messages artifact under `.artifacts/qa-e2e/...`. Replying scenarios include RTT from driver send request to observed SUT reply.

 `Mantis Telegram Live` is the PR-evidence wrapper around this lane. It runs the
-candidate ref with Convex-leased Telegram credentials, renders the redacted QA
-report/evidence bundle in a Crabbox desktop browser, records MP4 evidence,
+candidate ref with Convex-leased Telegram credentials, renders the redacted
+observed-message transcript in a Crabbox desktop browser, records MP4 evidence,
 generates a motion-trimmed GIF, uploads the artifact bundle, and posts inline PR
 evidence through the Mantis GitHub App when `pr_number` is set. Maintainers can
 start it from the Actions UI through `Mantis Scenario` (`scenario_id:
--- a/docs/nodes/index.md
+++ b/docs/nodes/index.md
@@ -214,59 +214,6 @@ permission boundary. Dangerous plugin node commands still require explicit
 After a node changes its declared command list, reject the old device pairing
 and approve the new request so the gateway stores the updated command snapshot.

-## Config (`openclaw.json`)
-
-Node-related settings live under `gateway.nodes` and `tools.exec`:
-
-```json5
-{
-  gateway: {
-    nodes: {
-      // Auto-approve first-time node pairing from trusted networks (CIDR list).
-      // Disabled when unset. Only applies to first-time role:node requests
-      // with no requested scopes; does not auto-approve upgrades.
-      pairing: {
-        autoApproveCidrs: ["192.168.1.0/24"],
-      },
-      // Opt into dangerous/privacy-heavy node commands (camera.snap, etc.).
-      allowCommands: ["camera.snap", "screen.record"],
-      // Block exact command names even if defaults or allowCommands include them.
-      denyCommands: ["camera.clip"],
-    },
-  },
-  tools: {
-    exec: {
-      // Default exec host: "node" routes all exec calls to a paired node.
-      host: "node",
-      // Security mode for node exec: allow only approved/allowlisted commands.
-      security: "allowlist",
-      // Pin exec to a specific node (id or name). Omit to allow any node.
-      node: "build-node",
-    },
-  },
-}
-```
-
-Use exact node command names. `denyCommands` removes a command even when a
-platform default or `allowCommands` entry would otherwise allow it. See
-[Gateway configuration reference](/gateway/configuration-reference#gateway-field-details)
-for gateway node pairing and command-policy field details.
-
-Per-agent exec node override:
-
-```json5
-{
-  agents: {
-    list: [
-      {
-        id: "main",
-        tools: { exec: { node: "build-node" } },
-      },
-    ],
-  },
-}
-```
-
 ## Screenshots (canvas snapshots)

 If the node is showing the Canvas (WebView), `canvas.snapshot` returns `{ format, base64 }`.
--- a/docs/plugins/adding-capabilities.md
+++ b/docs/plugins/adding-capabilities.md
@@ -71,7 +71,7 @@ If the work is vendor-only and no shared contract exists yet, stop and define th

 Use **provider hooks** when the behavior belongs to the model provider contract rather than the generic agent loop. Examples include provider-specific request params after transport selection, auth-profile preference, prompt overlays, and follow-up fallback routing after model/profile failover.

-Use **agent harness hooks** when the behavior belongs to the runtime that is executing a turn. Harnesses can classify explicit protocol outcomes such as empty output, reasoning without visible output, or a structured plan without a final answer so the outer model fallback policy can make the retry decision.
+Use **agent harness hooks** when the behavior belongs to the runtime that is executing a turn. Harnesses can classify successful-but-unusable attempt results such as empty, reasoning-only, or planning-only responses so the outer model fallback policy can make the retry decision.

 Keep both seams narrow:

--- a/docs/plugins/cli-backend-plugins.md
+++ b/docs/plugins/cli-backend-plugins.md
@@ -197,30 +197,22 @@ only for behavior that really belongs to the backend.

 `CliBackendPlugin` can also define:

-| Hook                               | Use                                                                         |
-| ---------------------------------- | --------------------------------------------------------------------------- |
-| `normalizeConfig(config, context)` | Rewrite legacy user config after merge                                      |
-| `resolveExecutionArgs(ctx)`        | Add request-scoped flags such as thinking effort or side-question isolation |
-| `prepareExecution(ctx)`            | Create temporary auth or config bridges before launch                       |
-| `transformSystemPrompt(ctx)`       | Apply a final CLI-specific system prompt transform                          |
-| `textTransforms`                   | Bidirectional prompt/output replacements                                    |
-| `defaultAuthProfileId`             | Prefer a specific OpenClaw auth profile                                     |
-| `authEpochMode`                    | Decide how auth changes invalidate stored CLI sessions                      |
-| `nativeToolMode`                   | Declare whether the CLI has always-on native tools                          |
-| `sideQuestionToolMode`             | Declare disabled native tools for `/btw` side questions                     |
-| `bundleMcp` / `bundleMcpMode`      | Opt into OpenClaw's loopback MCP tool bridge                                |
-| `ownsNativeCompaction`             | Backend owns its own compaction - OpenClaw defers                           |
+| Hook                               | Use                                                    |
+| ---------------------------------- | ------------------------------------------------------ |
+| `normalizeConfig(config, context)` | Rewrite legacy user config after merge                 |
+| `resolveExecutionArgs(ctx)`        | Add request-scoped flags such as thinking effort       |
+| `prepareExecution(ctx)`            | Create temporary auth or config bridges before launch  |
+| `transformSystemPrompt(ctx)`       | Apply a final CLI-specific system prompt transform     |
+| `textTransforms`                   | Bidirectional prompt/output replacements               |
+| `defaultAuthProfileId`             | Prefer a specific OpenClaw auth profile                |
+| `authEpochMode`                    | Decide how auth changes invalidate stored CLI sessions |
+| `nativeToolMode`                   | Declare whether the CLI has always-on native tools     |
+| `bundleMcp` / `bundleMcpMode`      | Opt into OpenClaw's loopback MCP tool bridge           |
+| `ownsNativeCompaction`             | Backend owns its own compaction - OpenClaw defers      |

 Keep these hooks provider-owned. Do not add CLI-specific branches to core when a
 backend hook can express the behavior.

-`ctx.executionMode` is `"agent"` for normal turns and `"side-question"` for
-ephemeral `/btw` calls. Use it when the CLI needs different one-shot flags, such
-as disabling native tools, session persistence, or resume behavior for BTW. If a
-backend normally has `nativeToolMode: "always-on"` but its side-question argv
-reliably disables those tools, also set `sideQuestionToolMode: "disabled"`;
-otherwise OpenClaw fails closed when BTW requires a no-tools CLI run.
-
 ### `ownsNativeCompaction`: opting out of OpenClaw compaction

 If your backend runs an agent that compacts its **own** transcript, set
--- a/docs/plugins/codex-harness-reference.md
+++ b/docs/plugins/codex-harness-reference.md
@@ -313,13 +313,9 @@ available timeout in this order:
 - For `image_generate` without a configured timeout, the 120 second
  image-generation default.
 - For the media-understanding `image` tool, `tools.media.image.timeoutSeconds`
-  converted to milliseconds, or the 60 second media default. For image
-  understanding, this applies to the request itself and is not reduced by
-  earlier preparation work.
+  converted to milliseconds, or the 60 second media default.
 - The 90 second dynamic-tool default.

-This watchdog is the outer dynamic `item/tool/call` budget. Provider-specific
-request timeouts run inside that call and keep their own timeout semantics.
 Dynamic tool budgets are capped at 600000 ms. On timeout, OpenClaw aborts the
 tool signal where supported and returns a failed dynamic-tool response to Codex
 so the turn can continue instead of leaving the session in `processing`.
--- a/docs/plugins/codex-harness.md
+++ b/docs/plugins/codex-harness.md
@@ -557,14 +557,10 @@ or shortens that specific tool budget. The `image_generate` tool uses
 `agents.defaults.imageGenerationModel.timeoutMs` when the tool call does not
 provide its own timeout, or a 120 second image-generation default otherwise.
 The media-understanding `image` tool uses
-`tools.media.image.timeoutSeconds` or its 60 second media default. For image
-understanding, that timeout applies to the request itself and is not
-reduced by earlier preparation work. Dynamic tool budgets are
-capped at 600000 ms. On timeout, OpenClaw aborts the tool signal
+`tools.media.image.timeoutSeconds` or its 60 second media default. Dynamic tool
+budgets are capped at 600000 ms. On timeout, OpenClaw aborts the tool signal
 where supported and returns a failed dynamic-tool response to Codex so the turn
 can continue instead of leaving the session in `processing`.
-This watchdog is the outer dynamic `item/tool/call` budget; provider-specific
-request timeouts run inside that call and keep their own timeout semantics.

 After Codex accepts a turn, and after OpenClaw responds to a turn-scoped
 app-server request, the harness expects Codex to make current-turn progress and
--- a/docs/plugins/codex-native-plugins.md
+++ b/docs/plugins/codex-native-plugins.md
@@ -200,12 +200,11 @@ enabled.

 OpenClaw sets app-level `destructive_enabled` from the effective global or
 per-plugin `allow_destructive_actions` policy and lets Codex enforce
-destructive tool metadata from its native app tool annotations. `true` and
-`"auto"` both set `destructive_enabled: true`; `false` sets it false. The
-`_default` app config is disabled with `open_world_enabled: false`. Enabled
-plugin apps are emitted with `open_world_enabled: true`; OpenClaw does not
-expose a separate plugin open-world policy knob and does not maintain
-per-plugin destructive tool-name deny lists.
+destructive tool metadata from its native app tool annotations. The `_default`
+app config is disabled with `open_world_enabled: false`. Enabled plugin apps
+are emitted with `open_world_enabled: true`; OpenClaw does not expose a separate
+plugin open-world policy knob and does not maintain per-plugin destructive
+tool-name deny lists.

 Tool approval mode is automatic by default for plugin apps so non-destructive
 read tools can run without a same-thread approval UI. Destructive tools remain
@@ -222,9 +221,6 @@ plugins, while unsafe schemas and ambiguous ownership still fail closed:
 - When policy is `false`, OpenClaw returns a deterministic decline.
 - When policy is `true`, OpenClaw auto-accepts only safe schemas it can map to
  an approval response, such as a boolean approve field.
- When policy is `"auto"`, OpenClaw exposes destructive plugin actions to
-  Codex but turns ownership-proven MCP approval elicitations into OpenClaw
-  plugin approvals before returning the Codex approval response.
 - Missing plugin identity, ambiguous ownership, a missing turn id, a wrong turn
  id, or an unsafe elicitation schema declines instead of prompting.

@@ -272,8 +268,8 @@ Codex thread bindings keep the app config they started with until OpenClaw
 establishes a new harness session or replaces a stale binding.

 **Destructive action is declined:** check the global and per-plugin
-`allow_destructive_actions` values. Even when policy is true or `"auto"`,
-unsafe elicitation schemas and ambiguous plugin identity still fail closed.
+`allow_destructive_actions` values. Even when policy is true, unsafe elicitation
+schemas and ambiguous plugin identity still fail closed.

 ## Related

--- a/Show More
+++ b/Show More