fix(telegram): reset cleared progress drafts

Fixes #49517.

Updates the TUI command catalog so /new describes spawning an isolated session while /reset describes resetting the current session. Adds a focused regression test for the two descriptions.

Co-authored-by: KhanCold <119404710+KhanCold@users.noreply.github.com>

.crabbox.yaml

@@ -6,18 +6,10 @@ class: standard
 capacity:
   market: spot
   strategy: most-available
-  fallback: on-demand-after-120s
+  # Fail closed instead of silently falling back to on-demand while the
+  # Azure-backed billing account is the default runner path.
+  fallback: spot-only
   hints: true
-  availabilityZones:
-    - eu-west-1a
-    - eu-west-1b
-    - eu-west-1c
-  regions:
-    - eu-west-1
-    - eu-west-2
-    - eu-central-1
-    - us-east-1
-    - us-west-2
 actions:
   workflow: .github/workflows/crabbox-hydrate.yml
   # Default AWS hydration uses local Actions replay. Use
@@ -37,6 +29,8 @@ blacksmith:
   job: check
   ref: main
 aws:
+  # AWS-specific overrides still pin direct `--provider aws` runs without
+  # leaking AWS region names into the Azure default capacity fallback list.
   region: eu-west-1
   rootGB: 400
 sync:

.github/workflows/ci.yml

@@ -601,7 +601,7 @@ jobs:
         uses: actions/cache@v5
         with:
           path: .artifacts/build-all-cache
-          key: ${{ runner.os }}-build-all-v3-${{ hashFiles('package.json', 'pnpm-lock.yaml', 'npm-shrinkwrap.json', 'packages/plugin-sdk/package.json', 'packages/llm-core/package.json', 'packages/memory-host-sdk/package.json', 'scripts/build-all.mjs', 'scripts/write-plugin-sdk-entry-dts.ts', 'scripts/lib/plugin-sdk-entries.mjs', 'tsconfig.json', 'tsconfig.plugin-sdk.dts.json', 'src/plugin-sdk/**', 'packages/llm-core/src/**', 'packages/memory-host-sdk/src/**', 'src/types/**', 'src/video-generation/dashscope-compatible.ts', 'src/video-generation/types.ts', 'scripts/copy-export-html-templates.ts', 'scripts/lib/copy-assets.ts', 'src/auto-reply/reply/export-html/**') }}
+          key: ${{ runner.os }}-build-all-v3-${{ hashFiles('package.json', 'pnpm-lock.yaml', 'npm-shrinkwrap.json', 'packages/plugin-sdk/package.json', 'packages/llm-core/package.json', 'packages/model-catalog-core/package.json', 'packages/memory-host-sdk/package.json', 'scripts/build-all.mjs', 'scripts/write-plugin-sdk-entry-dts.ts', 'scripts/lib/plugin-sdk-entries.mjs', 'tsconfig.json', 'tsconfig.plugin-sdk.dts.json', 'src/plugin-sdk/**', 'packages/llm-core/src/**', 'packages/model-catalog-core/src/**', 'packages/memory-host-sdk/src/**', 'src/types/**', 'src/video-generation/dashscope-compatible.ts', 'src/video-generation/types.ts', 'scripts/copy-export-html-templates.ts', 'scripts/lib/copy-assets.ts', 'src/auto-reply/reply/export-html/**') }}
           restore-keys: |
             ${{ runner.os }}-build-all-v3-
 
@@ -1403,7 +1403,7 @@ jobs:
             packages/plugin-sdk/dist
             extensions/*/dist/.boundary-tsc.tsbuildinfo
             extensions/*/dist/.boundary-tsc.stamp
-          key: ${{ runner.os }}-extension-package-boundary-v1-${{ hashFiles('tsconfig.json', 'tsconfig.plugin-sdk.dts.json', 'packages/plugin-sdk/tsconfig.json', 'packages/llm-core/package.json', 'scripts/check-extension-package-tsc-boundary.mjs', 'scripts/prepare-extension-package-boundary-artifacts.mjs', 'scripts/write-plugin-sdk-entry-dts.ts', 'scripts/lib/plugin-sdk-entrypoints.json', 'scripts/lib/plugin-sdk-entries.mjs', 'src/plugin-sdk/**', 'src/auto-reply/**', 'packages/llm-core/src/**', 'src/video-generation/dashscope-compatible.ts', 'src/video-generation/types.ts', 'src/types/**', 'extensions/**', 'extensions/tsconfig.package-boundary*.json', 'package.json', 'pnpm-lock.yaml') }}
+          key: ${{ runner.os }}-extension-package-boundary-v1-${{ hashFiles('tsconfig.json', 'tsconfig.plugin-sdk.dts.json', 'packages/plugin-sdk/tsconfig.json', 'packages/llm-core/package.json', 'packages/model-catalog-core/package.json', 'scripts/check-extension-package-tsc-boundary.mjs', 'scripts/prepare-extension-package-boundary-artifacts.mjs', 'scripts/write-plugin-sdk-entry-dts.ts', 'scripts/lib/plugin-sdk-entrypoints.json', 'scripts/lib/plugin-sdk-entries.mjs', 'src/plugin-sdk/**', 'src/auto-reply/**', 'packages/llm-core/src/**', 'packages/model-catalog-core/src/**', 'src/video-generation/dashscope-compatible.ts', 'src/video-generation/types.ts', 'src/types/**', 'extensions/**', 'extensions/tsconfig.package-boundary*.json', 'package.json', 'pnpm-lock.yaml') }}
           restore-keys: |
             ${{ runner.os }}-extension-package-boundary-v1-
 
@@ -1420,14 +1420,22 @@ jobs:
           find src \
             -type f \( -name '*.ts' -o -name '*.tsx' -o -name '*.mts' -o -name '*.cts' -o -name '*.js' -o -name '*.mjs' -o -name '*.json' \) \
             -exec touch -t 200001010000 {} +
-          find packages/llm-core/src \
-            -type f \( -name '*.ts' -o -name '*.tsx' -o -name '*.mts' -o -name '*.cts' -o -name '*.js' -o -name '*.mjs' -o -name '*.json' \) \
-            -exec touch -t 200001010000 {} +
-          touch -t 200001010000 \
+          if [ -d packages/llm-core/src ]; then
+            find packages/llm-core/src \
+              -type f \( -name '*.ts' -o -name '*.tsx' -o -name '*.mts' -o -name '*.cts' -o -name '*.js' -o -name '*.mjs' -o -name '*.json' \) \
+              -exec touch -t 200001010000 {} +
+          fi
+          if [ -d packages/model-catalog-core/src ]; then
+            find packages/model-catalog-core/src \
+              -type f \( -name '*.ts' -o -name '*.tsx' -o -name '*.mts' -o -name '*.cts' -o -name '*.js' -o -name '*.mjs' -o -name '*.json' \) \
+              -exec touch -t 200001010000 {} +
+          fi
+          cache_inputs=(
             tsconfig.json \
             tsconfig.plugin-sdk.dts.json \
             packages/plugin-sdk/tsconfig.json \
             packages/llm-core/package.json \
+            packages/model-catalog-core/package.json \
             scripts/check-extension-package-tsc-boundary.mjs \
             scripts/prepare-extension-package-boundary-artifacts.mjs \
             scripts/write-plugin-sdk-entry-dts.ts \
@@ -1435,6 +1443,12 @@ jobs:
             scripts/lib/plugin-sdk-entries.mjs \
             package.json \
             pnpm-lock.yaml
+          )
+          for cache_input in "${cache_inputs[@]}"; do
+            if [ -e "$cache_input" ]; then
+              touch -t 200001010000 "$cache_input"
+            fi
+          done
 
       - name: Run additional check shard
         env:

CHANGELOG.md

@@ -24,6 +24,7 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
+- CLI: keep `plugins list --json` on the snapshot-only path so plugin sweeps avoid loading the full runtime status graph.
 - Plugins: make PixVerse external-plugin ClawHub metadata explicit and keep it out of bundled dist builds.
 - Providers: bound generated media downloads from OpenAI, Runway, xAI, MiniMax, BytePlus, DashScope-compatible, FAL, OpenRouter, Google, Vydra, and Comfy providers.
 - Providers: cap GitHub Copilot OAuth request timeouts before creating abort signals.
@@ -33,6 +34,20 @@ Docs: https://docs.openclaw.ai
 - Security/config parsing: reject unsafe OAuth/token lifetimes, retry-after delays, inbound timestamps, response body sizes, command timeout config, sandbox observer token TTLs, and gateway WebSocket calls after close.
 - Providers/media: cap local service, model, usage, queue, generated media, TTS, music, workflow polling, and provider OAuth request timers across hosted and local providers.
 - Release/CI/E2E: bound release candidate reads, beta smoke REST calls, changelog restore, kitchen-sink and bundled plugin readiness probes, secret-provider probes, Vitest routing, and mainline test flakes. (#88127, #88137, #88155, #88160)
+- Release/CI/E2E: run the secret-provider integration proof through the repo pnpm runner so native macOS and Windows validation use the hydrated package-manager shim.
+- Release/CI/E2E: run the Telegram desktop proof gateway through the repo pnpm runner so native macOS proof uses the hydrated package-manager shim.
+- Docs/CI: run Mintlify anchor checks through the repo pnpm runner so docs link validation works when pnpm is only available through the hydrated package-manager shim.
+- Agents: keep configured fallback model metadata typed so provider params, context-token caps, and media input limits do not break changed-gate typechecks.
+- CI/Crabbox: keep default runner capacity spot-only and provider-neutral so OpenClaw remote validation does not silently fall back to on-demand leases or stale AWS region hints.
+- CI/Crabbox: route Crabbox wrapper and Testbox workflow edits to their regression tests so changed-test gates do not silently run zero specs.
+- CI/workflows: route workflow sanity helper edits to their guard tests and cover composite-action input interpolation checks.
+- CI/tooling: route CI scope, dependency, changelog, and docs helper edits to their owner tests instead of silently skipping changed-test coverage.
+- CI/tooling: route package, release, and install helper edits to their owner tests so changed-test gates cover publish and installer script changes.
+- CI/tooling: route shared script library edits through their owner tests so lock, process, safety, and scan helpers do not skip changed-test coverage.
+- CI/tooling: skip expensive import-graph scans once a changed diff already requires broad fallback, keeping local changed-test planning fast while still collecting explicit owner tests.
+- CI/tooling: route script edits through conventional owner tests when matching `test/scripts` or `src/scripts` coverage already exists.
+- CI/tooling: honor option terminators in the memory FD repro script so follow-on arguments are not reparsed.
+- Release/CI/E2E: honor option terminators across release, Parallels smoke, plugin gauntlet, and extension-memory scripts.
 - Performance: reuse prepared provider handles, strict tool schemas, gateway runtime metadata, session maintenance config, plugin metadata, bundled skill allowlists, package-local plugin artifacts, and single-entry store writes.
 
 ## 2026.5.28

apps/ios/CHANGELOG.md

@@ -5,6 +5,8 @@
 Maintenance update for the current OpenClaw release.
 
 - Added hosted push relay defaults, realtime Talk playback, and safer WebSocket ping handling for mobile sessions.
+- Updated App Store screenshots to cover Gateway pairing, Command, Chat, Talk, Agent, and Settings flows.
+- Highlighted realtime Talk relay, Gateway connection status, node capabilities, push wake, and privacy controls.
 
 ## 2026.5.28 - 2026-05-28
 

apps/ios/fastlane/Fastfile

@@ -29,6 +29,14 @@ def clear_empty_env_var(key)
   ENV.delete(key) unless env_present?(ENV[key])
 end
 
+def screenshot_upload_requested?
+  ENV["DELIVER_SCREENSHOTS"] == "1"
+end
+
+def screenshot_paths
+  Dir[File.join(__dir__, "screenshots", "**", "*.png")]
+end
+
 def maybe_decode_hex_keychain_secret(value)
   return value unless env_present?(value)
 
@@ -314,6 +322,7 @@ platform :ios do
   desc "Upload App Store metadata (and optionally screenshots)"
   lane :metadata do
     sync_ios_versioning!
+    version_metadata = read_ios_version_metadata
     api_key = asc_api_key
     clear_empty_env_var("APP_STORE_CONNECT_API_KEY_PATH")
     app_identifier = ENV["ASC_APP_IDENTIFIER"]
@@ -321,11 +330,21 @@ platform :ios do
     app_identifier = nil unless env_present?(app_identifier)
     app_id = nil unless env_present?(app_id)
 
+    if screenshot_upload_requested? && screenshot_paths.empty?
+      UI.user_error!("DELIVER_SCREENSHOTS=1 but no PNG screenshots were found under apps/ios/fastlane/screenshots.")
+    end
+
     deliver_options = {
       api_key: api_key,
       force: true,
-      skip_screenshots: ENV["DELIVER_SCREENSHOTS"] != "1",
+      app_version: version_metadata[:short_version],
+      copyright: "2026 OpenClaw",
+      primary_category: "PRODUCTIVITY",
+      secondary_category: "UTILITIES",
+      skip_screenshots: !screenshot_upload_requested?,
       skip_metadata: ENV["DELIVER_METADATA"] != "1",
+      skip_binary_upload: true,
+      overwrite_screenshots: screenshot_upload_requested?,
       run_precheck_before_submit: false
     }
     deliver_options[:app_identifier] = app_identifier if app_identifier

apps/ios/fastlane/metadata/en-US/description.txt

@@ -1,18 +1,19 @@
 OpenClaw is a personal AI assistant you run on your own devices.
 
-Pair this iPhone app with your OpenClaw Gateway to connect your phone as a secure node for voice, camera, and device automation.
+Pair this iPhone app with your OpenClaw Gateway to use your phone as a secure node for chat, voice, approvals, sharing, and device-aware automation.
 
 What you can do:
+- Pair with your private OpenClaw Gateway by QR code or setup code
 - Chat with your assistant from iPhone
-- Use voice wake and push-to-talk
-- Capture photos and short clips on request
-- Record screen snippets for troubleshooting and workflows
+- Use realtime Talk mode and push-to-talk
+- Review Gateway action approvals from your phone
 - Share text, links, and media directly from iOS into OpenClaw
-- Run location-aware and device-aware automations
+- Enable device capabilities such as camera, screen, location, photos, contacts, calendar, and reminders when you choose
+- Receive push wakes and node status updates for connected workflows
 
-OpenClaw is local-first: you control your gateway, keys, and configuration.
+OpenClaw is local-first: you control your gateway, keys, configuration, and permissions. Device access is managed by iOS permissions and can be enabled only for the capabilities you want to use.
 
 Getting started:
 1) Set up your OpenClaw Gateway
 2) Open the iOS app and pair with your gateway
-3) Start using commands and automations from your phone
+3) Start using chat, Talk mode, approvals, and automations from your phone

apps/ios/fastlane/metadata/en-US/keywords.txt

@@ -1 +1 @@
-openclaw,ai assistant,local ai,voice assistant,automation,gateway,chat,agent,node
+openclaw,ai assistant,local ai,iphone ai,voice assistant,automation,gateway,chat,agent

apps/ios/fastlane/metadata/en-US/promotional_text.txt

@@ -1 +1 @@
-Run OpenClaw from your iPhone: pair with your own gateway, trigger automations, and use voice, camera, and share actions.
+Pair your iPhone with your OpenClaw Gateway for chat, realtime voice, approvals, device capabilities, and private automation.

apps/ios/fastlane/metadata/en-US/release_notes.txt

@@ -1,3 +1,5 @@
 Maintenance update for the current OpenClaw release.
 
 - Added hosted push relay defaults, realtime Talk playback, and safer WebSocket ping handling for mobile sessions.
+- Updated App Store screenshots to cover Gateway pairing, Command, Chat, Talk, Agent, and Settings flows.
+- Highlighted realtime Talk relay, Gateway connection status, node capabilities, push wake, and privacy controls.

docs/channels/telegram.md

@@ -318,10 +318,11 @@ curl "https://api.telegram.org/bot<bot_token>/getUpdates"
     - `channels.telegram.streaming` is `off | partial | block | progress` (default: `partial`)
     - `progress` keeps one editable status draft for tool progress, clears it at completion, and sends the final answer as a normal message
     - `streaming.preview.toolProgress` controls whether tool/progress updates reuse the same edited preview message (default: `true` when preview streaming is active)
+    - `streaming.progress.commentary` (default `false`) opts into Codex preamble/commentary text in the temporary progress draft. Commentary is cleaned before display, stays transient, and does not change final answer delivery.
     - `streaming.preview.commandText` controls command/exec detail inside those tool-progress lines: `raw` (default, preserves released behavior) or `status` (tool label only)
     - legacy `channels.telegram.streamMode` and boolean `streaming` values are detected; run `openclaw doctor --fix` to migrate them to `channels.telegram.streaming.mode`
 
-    Tool-progress preview updates are the short status lines shown while tools run, for example command execution, file reads, planning updates, patch summaries, or Codex preamble/commentary text in Codex app-server mode. Telegram keeps these enabled by default to match released OpenClaw behavior from `v2026.4.22` and later.
+    Tool-progress preview updates are the short status lines shown while tools run, for example command execution, file reads, planning updates, and patch summaries. Telegram keeps these enabled by default to match released OpenClaw behavior from `v2026.4.22` and later.
 
     Direct chats can use native Telegram drafts for these tool-progress lines without persisting tool chatter into chat history. Native drafts stop before answer text starts; final answers stay on the normal persistent delivery path. This lane is off by default and should be gated to trusted DM IDs first:
 

docs/cli/plugins.md

@@ -326,6 +326,8 @@ Use `--link` to avoid copying a local directory (adds to `plugins.load.paths`):
 openclaw plugins install -l ./my-plugin
 ```
 
+Standalone plugin files must be listed in `plugins.load.paths` rather than placed directly in `~/.openclaw/extensions` or `<workspace>/.openclaw/extensions`. Those auto-discovered roots load plugin package or bundle directories, while top-level script files are treated as local helpers and skipped.
+
 <Note>
 `--force` is not supported with `--link` because linked installs reuse the source path instead of copying over a managed install target.
 

docs/gateway/configuration-reference.md

@@ -214,7 +214,8 @@ See [MCP](/cli/mcp#openclaw-as-an-mcp-client-registry) and
 }
 ```
 
-- Loaded from `~/.openclaw/extensions`, `<workspace>/.openclaw/extensions`, plus `plugins.load.paths`.
+- Loaded from package or bundle directories under `~/.openclaw/extensions` and `<workspace>/.openclaw/extensions`, plus files or directories listed in `plugins.load.paths`.
+- Put standalone plugin files in `plugins.load.paths`; auto-discovered extension roots ignore top-level `.js`, `.mjs`, and `.ts` files so helper scripts in those roots do not block startup.
 - Discovery accepts native OpenClaw plugins plus compatible Codex bundles and Claude bundles, including manifestless Claude default-layout bundles.
 - **Config changes require a gateway restart.**
 - `allow`: optional allowlist (only listed plugins load). `deny` wins.

docs/platforms/ios.md

@@ -7,7 +7,7 @@ read_when:
 title: "iOS app"
 ---
 
-Availability: internal preview. The iOS app is not publicly distributed yet.
+Availability: iPhone app builds are distributed through Apple channels when enabled for a release. Local development builds can also run from source.
 
 ## What it does
 

docs/plugins/workboard.md

@@ -108,6 +108,18 @@ Workboard also exposes optional agent tools for board-aware workflows:
   final summaries, proof, artifacts, created-card manifests, and blocker
   reasons. Created-card manifests must reference cards linked back to the
   completed card, which keeps phantom children out of summaries.
+- `workboard_board_create`, `workboard_board_archive`, and
+  `workboard_board_delete` manage persisted board metadata such as display name,
+  description, archive state, and default workspace.
+- `workboard_runs` returns the persisted run-attempt history stored on a card.
+- `workboard_specify` turns a rough triage or backlog card into a clarified
+  `todo` card and records the specification summary on the card.
+- `workboard_decompose` fans a parent orchestration card into linked children,
+  inherits board and tenant metadata, and can complete the parent with a
+  created-card manifest.
+- `workboard_notify_subscribe`, `workboard_notify_list`, and
+  `workboard_notify_unsubscribe` manage notification subscriptions in plugin
+  state so operators and agents can discover durable notification intent.
 - `workboard_boards`, `workboard_stats`, `workboard_promote`,
   `workboard_reassign`, `workboard_reclaim`, `workboard_comment`,
   `workboard_proof`, `workboard_unblock`, and `workboard_dispatch` let an agent
@@ -119,6 +131,12 @@ Claimed cards reject agent-tool mutations from other agents unless the caller
 has the claim token returned by `workboard_claim`. Dashboard operators still use
 the normal Gateway RPC surface and can recover or reassign cards.
 
+Workboard stores all durable board data through the plugin SQLite key-value
+store. Cards live in `workboard.cards`, board metadata in `workboard.boards`,
+and notification subscriptions in `workboard.notify`. Run history, comments,
+proof, artifacts, diagnostics, dependencies, lifecycle events, and automation
+metadata stay on the card record so a card export remains self-contained.
+
 Workboard diagnostics are computed from local card metadata. The built-in checks
 flag assigned cards that wait too long, running cards without recent heartbeat,
 blocked cards that need attention, repeated failures, done cards without proof,
@@ -126,9 +144,9 @@ and running cards that only have a loose session link.
 
 Dispatch is intentionally Gateway-local. It does not spawn arbitrary operating
 system processes; normal OpenClaw sessions still own execution. A dispatch nudge
-promotes dependency-ready cards, records dispatch metadata on ready cards, and
-blocks expired claims or timed-out runs so operators can recover them from the
-board.
+promotes dependency-ready cards, records dispatch metadata on ready cards,
+blocks expired claims or timed-out runs, and leaves durable notification
+subscriptions for the caller that delivers notifications.
 
 ## Session lifecycle sync
 

extensions/active-memory/index.test.ts

@@ -4130,6 +4130,50 @@ describe("active-memory plugin", () => {
     expect(cached?.summary).toBe("memory 1");
   });
 
+  it("drops cached active-memory results when the current clock is not a valid date timestamp", () => {
+    const nowSpy = vi.spyOn(Date, "now").mockReturnValue(1_700_000_000_000);
+    const cacheKey = testing.buildCacheKey({
+      agentId: "main",
+      sessionKey: "agent:main:invalid-clock-cache",
+      query: "cache invalid clock prompt",
+    });
+    testing.setCachedResult(
+      cacheKey,
+      {
+        status: "ok",
+        elapsedMs: 1,
+        rawReply: "memory",
+        summary: "memory",
+      },
+      15_000,
+    );
+
+    nowSpy.mockReturnValue(Number.NaN);
+
+    expect(testing.getCachedResult(cacheKey)).toBeUndefined();
+  });
+
+  it("does not cache active-memory results when the expiry timestamp would exceed the valid date range", () => {
+    vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_000);
+    const cacheKey = testing.buildCacheKey({
+      agentId: "main",
+      sessionKey: "agent:main:overflow-cache",
+      query: "cache overflow prompt",
+    });
+    testing.setCachedResult(
+      cacheKey,
+      {
+        status: "ok",
+        elapsedMs: 1,
+        rawReply: "memory",
+        summary: "memory",
+      },
+      15_000,
+    );
+
+    expect(testing.getCachedResult(cacheKey)).toBeUndefined();
+  });
+
   it("skips recall after consecutive timeouts when circuit breaker trips (#74054)", async () => {
     const CONFIGURED_TIMEOUT_MS = 25;
     testing.setMinimumTimeoutMsForTests(1);

extensions/active-memory/index.ts

@@ -13,7 +13,11 @@ import {
 } from "openclaw/plugin-sdk/agent-runtime";
 import type { OpenClawConfig } from "openclaw/plugin-sdk/config-contracts";
 import { closeActiveMemorySearchManager } from "openclaw/plugin-sdk/memory-host-search";
-import { parseStrictPositiveInteger } from "openclaw/plugin-sdk/number-runtime";
+import {
+  asDateTimestampMs,
+  parseStrictPositiveInteger,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import {
   resolveLivePluginConfigObject,
   resolvePluginConfigObject,
@@ -1360,7 +1364,12 @@ function getCachedResult(cacheKey: string): ActiveRecallResult | undefined {
   if (!cached) {
     return undefined;
   }
-  if (cached.expiresAt <= Date.now()) {
+  const now = asDateTimestampMs(Date.now());
+  if (
+    now === undefined ||
+    asDateTimestampMs(cached.expiresAt) === undefined ||
+    cached.expiresAt <= now
+  ) {
     activeRecallCache.delete(cacheKey);
     return undefined;
   }
@@ -1368,19 +1377,27 @@ function getCachedResult(cacheKey: string): ActiveRecallResult | undefined {
 }
 
 function setCachedResult(cacheKey: string, result: ActiveRecallResult, ttlMs: number): void {
-  const now = Date.now();
+  const rawNow = Date.now();
+  const now = asDateTimestampMs(rawNow);
   if (
     activeRecallCache.size >= DEFAULT_MAX_CACHE_ENTRIES ||
-    now - lastActiveRecallCacheSweepAt >= CACHE_SWEEP_INTERVAL_MS
+    (now !== undefined && now - lastActiveRecallCacheSweepAt >= CACHE_SWEEP_INTERVAL_MS)
   ) {
     sweepExpiredCacheEntries(now);
-    lastActiveRecallCacheSweepAt = now;
+    if (now !== undefined) {
+      lastActiveRecallCacheSweepAt = now;
+    }
+  }
+  const expiresAt = resolveExpiresAtMsFromDurationMs(ttlMs, { nowMs: rawNow });
+  if (expiresAt === undefined) {
+    activeRecallCache.delete(cacheKey);
+    return;
   }
   if (activeRecallCache.has(cacheKey)) {
     activeRecallCache.delete(cacheKey);
   }
   activeRecallCache.set(cacheKey, {
-    expiresAt: now + ttlMs,
+    expiresAt,
     result,
   });
   while (activeRecallCache.size > DEFAULT_MAX_CACHE_ENTRIES) {
@@ -1392,9 +1409,13 @@ function setCachedResult(cacheKey: string, result: ActiveRecallResult, ttlMs: nu
   }
 }
 
-function sweepExpiredCacheEntries(now = Date.now()): void {
+function sweepExpiredCacheEntries(now = asDateTimestampMs(Date.now())): void {
+  if (now === undefined) {
+    activeRecallCache.clear();
+    return;
+  }
   for (const [cacheKey, cached] of activeRecallCache.entries()) {
-    if (cached.expiresAt <= now) {
+    if (asDateTimestampMs(cached.expiresAt) === undefined || cached.expiresAt <= now) {
       activeRecallCache.delete(cacheKey);
     }
   }

extensions/amazon-bedrock-mantle/discovery.test.ts

@@ -230,6 +230,32 @@ describe("bedrock mantle discovery", () => {
     expect(getCachedIamToken("us-east-1")).toBeUndefined();
   });
 
+  it("does not cache generated IAM tokens when ttl expiry overflows", async () => {
+    const tokenProvider = vi
+      .fn<() => Promise<string>>()
+      .mockResolvedValueOnce("bedrock-overflow-token-1") // pragma: allowlist secret
+      .mockResolvedValueOnce("bedrock-overflow-token-2"); // pragma: allowlist secret
+    const tokenProviderFactory = createTokenProviderFactory(tokenProvider);
+
+    await expect(
+      generateBearerTokenFromIam({
+        region: "us-east-1",
+        now: () => 8_640_000_000_000_000,
+        tokenProviderFactory,
+      }),
+    ).resolves.toBe("bedrock-overflow-token-1");
+    expect(getCachedIamToken("us-east-1")).toBeUndefined();
+
+    await expect(
+      generateBearerTokenFromIam({
+        region: "us-east-1",
+        now: () => 8_640_000_000_000_000,
+        tokenProviderFactory,
+      }),
+    ).resolves.toBe("bedrock-overflow-token-2");
+    expect(tokenProvider).toHaveBeenCalledTimes(2);
+  });
+
   // ---------------------------------------------------------------------------
   // Model discovery
   // ---------------------------------------------------------------------------

extensions/amazon-bedrock-mantle/discovery.ts

@@ -1,5 +1,9 @@
 import { createSubsystemLogger } from "openclaw/plugin-sdk/core";
 import { formatErrorMessage } from "openclaw/plugin-sdk/error-runtime";
+import {
+  isFutureDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import type {
   ModelDefinitionConfig,
   ModelProviderConfig,
@@ -92,9 +96,10 @@ function getCachedIamTokenEntry(
   now: number = Date.now(),
 ): { token: string; expiresAt: number } | undefined {
   const cached = iamTokenCache.get(region);
-  if (cached && cached.expiresAt > now) {
+  if (cached && isFutureDateTimestampMs(cached.expiresAt, { nowMs: now })) {
     return cached;
   }
+  iamTokenCache.delete(region);
   return undefined;
 }
 
@@ -123,7 +128,10 @@ export async function generateBearerTokenFromIam(params: {
       region: params.region,
       expiresInSeconds: 7200, // 2 hours
     })();
-    iamTokenCache.set(params.region, { token, expiresAt: now + IAM_TOKEN_TTL_MS });
+    const expiresAt = resolveExpiresAtMsFromDurationMs(IAM_TOKEN_TTL_MS, { nowMs: now });
+    if (expiresAt !== undefined) {
+      iamTokenCache.set(params.region, { token, expiresAt });
+    }
     return token;
   } catch (error) {
     log.debug?.("Mantle IAM token generation unavailable", {

extensions/amazon-bedrock/discovery.test.ts

@@ -256,6 +256,28 @@ describe("bedrock discovery", () => {
     expect(sendMock).toHaveBeenCalledTimes(2);
   });
 
+  it("skips cache when refreshInterval expiry overflows", async () => {
+    sendMock
+      .mockResolvedValueOnce({ modelSummaries: [baseActiveAnthropicSummary] })
+      .mockResolvedValueOnce({ inferenceProfileSummaries: [] })
+      .mockResolvedValueOnce({ modelSummaries: [baseActiveAnthropicSummary] })
+      .mockResolvedValueOnce({ inferenceProfileSummaries: [] });
+
+    await discoverBedrockModels({
+      region: "us-east-1",
+      config: { refreshInterval: 1 },
+      now: () => 8_640_000_000_000_000,
+      clientFactory,
+    });
+    await discoverBedrockModels({
+      region: "us-east-1",
+      config: { refreshInterval: 1 },
+      now: () => 8_640_000_000_000_000,
+      clientFactory,
+    });
+    expect(sendMock).toHaveBeenCalledTimes(4);
+  });
+
   it("skips cache when refreshInterval is 0", async () => {
     sendMock
       .mockResolvedValueOnce({ modelSummaries: [baseActiveAnthropicSummary] })

extensions/amazon-bedrock/discovery.ts

@@ -5,6 +5,10 @@ import {
 } from "@aws-sdk/client-bedrock";
 import { createSubsystemLogger } from "openclaw/plugin-sdk/core";
 import { formatErrorMessage } from "openclaw/plugin-sdk/error-runtime";
+import {
+  isFutureDateTimestampMs,
+  resolveExpiresAtMsFromDurationSeconds,
+} from "openclaw/plugin-sdk/number-runtime";
 import type {
   BedrockDiscoveryConfig,
   ModelDefinitionConfig,
@@ -503,11 +507,16 @@ export async function discoverBedrockModels(params: {
 
   if (refreshIntervalSeconds > 0) {
     const cached = discoveryCache.get(cacheKey);
-    if (cached?.value && cached.expiresAt > now) {
-      return cached.value;
+    if (cached && isFutureDateTimestampMs(cached.expiresAt, { nowMs: now })) {
+      if (cached.value) {
+        return cached.value;
+      }
+      if (cached.inFlight) {
+        return cached.inFlight;
+      }
     }
-    if (cached?.inFlight) {
-      return cached.inFlight;
+    if (cached) {
+      discoveryCache.delete(cacheKey);
     }
   }
 
@@ -581,19 +590,27 @@ export async function discoverBedrockModels(params: {
   })();
 
   if (refreshIntervalSeconds > 0) {
-    discoveryCache.set(cacheKey, {
-      expiresAt: now + refreshIntervalSeconds * 1000,
-      inFlight: discoveryPromise,
-    });
+    const expiresAt = resolveExpiresAtMsFromDurationSeconds(refreshIntervalSeconds, { nowMs: now });
+    if (expiresAt !== undefined) {
+      discoveryCache.set(cacheKey, {
+        expiresAt,
+        inFlight: discoveryPromise,
+      });
+    }
   }
 
   try {
     const value = await discoveryPromise;
     if (refreshIntervalSeconds > 0) {
-      discoveryCache.set(cacheKey, {
-        expiresAt: now + refreshIntervalSeconds * 1000,
-        value,
+      const expiresAt = resolveExpiresAtMsFromDurationSeconds(refreshIntervalSeconds, {
+        nowMs: now,
       });
+      if (expiresAt !== undefined) {
+        discoveryCache.set(cacheKey, {
+          expiresAt,
+          value,
+        });
+      }
     }
     return value;
   } catch (error) {

extensions/anthropic-vertex/api.ts

@@ -17,6 +17,13 @@ export {
 import { buildAnthropicVertexProvider } from "./provider-catalog.js";
 import { hasAnthropicVertexAvailableAuth } from "./region.js";
 
+let streamRuntimeModulePromise: Promise<typeof import("./stream-runtime.js")> | null = null;
+
+const loadStreamRuntimeModule = async () => {
+  streamRuntimeModulePromise ??= import("./stream-runtime.js");
+  return await streamRuntimeModulePromise;
+};
+
 export function mergeImplicitAnthropicVertexProvider(params: {
   existing?: ReturnType<typeof buildAnthropicVertexProvider>;
   implicit: ReturnType<typeof buildAnthropicVertexProvider>;
@@ -50,7 +57,7 @@ export function createAnthropicVertexStreamFn(
   baseURL?: string,
   deps?: AnthropicVertexStreamDeps,
 ): StreamFn {
-  const streamFnPromise = import("./stream-runtime.js").then((runtime) =>
+  const streamFnPromise = loadStreamRuntimeModule().then((runtime) =>
     runtime.createAnthropicVertexStreamFn(projectId, region, baseURL, deps),
   );
   return async (model, context, options) => {
@@ -64,7 +71,7 @@ export function createAnthropicVertexStreamFnForModel(
   env: NodeJS.ProcessEnv = process.env,
   deps?: AnthropicVertexStreamDeps,
 ): StreamFn {
-  const streamFnPromise = import("./stream-runtime.js").then((runtime) =>
+  const streamFnPromise = loadStreamRuntimeModule().then((runtime) =>
     runtime.createAnthropicVertexStreamFnForModel(model, env, deps),
   );
   return async (...args) => {

extensions/browser/plugin-registration.ts

@@ -15,6 +15,15 @@ import { BrowserToolSchema } from "./src/browser-tool.schema.js";
 
 const EAGER_BROWSER_CONTROL_SERVICE_ENV = "OPENCLAW_EAGER_BROWSER_CONTROL_SERVER";
 
+let browserRegistrationRuntimeModulePromise: Promise<
+  typeof import("./register.runtime.js")
+> | null = null;
+
+const loadBrowserRegistrationRuntimeModule = async () => {
+  browserRegistrationRuntimeModulePromise ??= import("./register.runtime.js");
+  return await browserRegistrationRuntimeModulePromise;
+};
+
 function isTruthyEnvValue(value: string | undefined): boolean {
   return /^(?:1|true|yes|on)$/iu.test(value?.trim() ?? "");
 }
@@ -51,7 +60,7 @@ function createLazyBrowserTool(opts?: {
     ].join(" "),
     parameters: BrowserToolSchema,
     execute: async (toolCallId, args, signal, onUpdate) => {
-      const { createBrowserTool } = await import("./register.runtime.js");
+      const { createBrowserTool } = await loadBrowserRegistrationRuntimeModule();
       const tool = createBrowserTool(opts);
       return await tool.execute(toolCallId, args, signal, onUpdate);
     },
@@ -65,7 +74,7 @@ export const browserPluginNodeHostCommands: OpenClawPluginNodeHostCommand[] = [
     command: "browser.proxy",
     cap: "browser",
     handle: async (paramsJSON) => {
-      const { runBrowserProxyCommand } = await import("./register.runtime.js");
+      const { runBrowserProxyCommand } = await loadBrowserRegistrationRuntimeModule();
       return await runBrowserProxyCommand(paramsJSON);
     },
   },
@@ -73,7 +82,7 @@ export const browserPluginNodeHostCommands: OpenClawPluginNodeHostCommand[] = [
 
 export const browserSecurityAuditCollectors: OpenClawPluginSecurityAuditCollector[] = [
   async (ctx) => {
-    const { collectBrowserSecurityAuditFindings } = await import("./register.runtime.js");
+    const { collectBrowserSecurityAuditFindings } = await loadBrowserRegistrationRuntimeModule();
     return collectBrowserSecurityAuditFindings(ctx);
   },
 ];
@@ -82,7 +91,7 @@ function createLazyBrowserPluginService(): OpenClawPluginService {
   let service: OpenClawPluginService | null = null;
   const loadService = async () => {
     if (!service) {
-      const { createBrowserPluginService } = await import("./register.runtime.js");
+      const { createBrowserPluginService } = await loadBrowserRegistrationRuntimeModule();
       service = createBrowserPluginService();
     }
     return service;
@@ -124,7 +133,7 @@ export function registerBrowserPlugin(api: OpenClawPluginApi) {
   api.registerGatewayMethod(
     BROWSER_REQUEST_GATEWAY_METHOD,
     async (opts) => {
-      const { handleBrowserGatewayRequest } = await import("./register.runtime.js");
+      const { handleBrowserGatewayRequest } = await loadBrowserRegistrationRuntimeModule();
       return await handleBrowserGatewayRequest(opts);
     },
     {

extensions/browser/src/browser/routes/basic.ts

@@ -1,6 +1,6 @@
 import { redactCdpUrl } from "../cdp.helpers.js";
 import { snapshotAria } from "../cdp.js";
-import { getChromeMcpPid } from "../chrome-mcp.js";
+import { getChromeMcpPid, takeChromeMcpSnapshot } from "../chrome-mcp.js";
 import { resolveBrowserExecutableForPlatform } from "../chrome.executables.js";
 import { resolveManagedBrowserHeadlessMode } from "../config.js";
 import { buildBrowserDoctorReport } from "../doctor.js";
@@ -227,7 +227,6 @@ async function runBrowserLiveProbe(req: BrowserRequest, ctx: BrowserRouteContext
   try {
     const tab = await profileCtx.ensureTabAvailable();
     if (capabilities.usesChromeMcp) {
-      const { takeChromeMcpSnapshot } = await import("../chrome-mcp.js");
       await takeChromeMcpSnapshot({
         profileName: profileCtx.profile.name,
         profile: profileCtx.profile,

extensions/codex/src/app-server/client-factory.ts

@@ -13,13 +13,20 @@ export type CodexAppServerClientFactory = (
   config?: AuthProfileOrderConfig,
 ) => Promise<CodexAppServerClient>;
 
+let sharedClientModulePromise: Promise<typeof import("./shared-client.js")> | null = null;
+
+const loadSharedClientModule = async () => {
+  sharedClientModulePromise ??= import("./shared-client.js");
+  return await sharedClientModulePromise;
+};
+
 export const defaultCodexAppServerClientFactory: CodexAppServerClientFactory = (
   startOptions,
   authProfileId,
   agentDir,
   config,
 ) =>
-  import("./shared-client.js").then(({ getSharedCodexAppServerClient }) =>
+  loadSharedClientModule().then(({ getSharedCodexAppServerClient }) =>
     getSharedCodexAppServerClient({ startOptions, authProfileId, agentDir, config }),
   );
 
@@ -29,6 +36,6 @@ export const defaultLeasedCodexAppServerClientFactory: CodexAppServerClientFacto
   agentDir,
   config,
 ) =>
-  import("./shared-client.js").then(({ getLeasedSharedCodexAppServerClient }) =>
+  loadSharedClientModule().then(({ getLeasedSharedCodexAppServerClient }) =>
     getLeasedSharedCodexAppServerClient({ startOptions, authProfileId, agentDir, config }),
   );

extensions/codex/src/app-server/native-execution-policy.ts

@@ -189,7 +189,7 @@ function resolveEffectiveExecHost(params: {
 
 function readRuntimeSessionEntryBestEffort(sessionKey: string): SessionEntry | undefined {
   try {
-    return getSessionEntry({ sessionKey });
+    return getSessionEntry({ sessionKey, hydrateSkillPromptRefs: false });
   } catch {
     return undefined;
   }

extensions/codex/src/app-server/startup-binding.test.ts

@@ -77,6 +77,31 @@ describe("Codex app-server startup binding", () => {
     expect(savedBinding?.threadId).toBe("thread-existing");
   });
 
+  it("reuses the session record cache while sessions.json is unchanged", async () => {
+    const sessionFile = path.join(tempDir, "session.jsonl");
+    const workspaceDir = path.join(tempDir, "workspace");
+    const agentDir = path.join(tempDir, "agent");
+    await writeExistingBinding(sessionFile, workspaceDir, { dynamicToolsFingerprint: "[]" });
+    await writeSessionRecord(sessionFile, { totalTokens: 12_000 });
+    const sessionsJson = path.join(path.dirname(sessionFile), "sessions.json");
+    const readFileSpy = vi.spyOn(fs, "readFile");
+
+    for (let i = 0; i < 2; i += 1) {
+      const binding = await rotateOversizedCodexAppServerStartupBinding({
+        binding: await readCodexAppServerBinding(sessionFile),
+        sessionFile,
+        agentDir,
+        config: undefined,
+      });
+      expect(binding?.threadId).toBe("thread-existing");
+    }
+
+    const sessionStoreReads = readFileSpy.mock.calls.filter(
+      ([file]) => typeof file === "string" && file === sessionsJson,
+    );
+    expect(sessionStoreReads).toHaveLength(1);
+  });
+
   it("checks native rollout token pressure under default compaction config", async () => {
     const sessionFile = path.join(tempDir, "session.jsonl");
     const workspaceDir = path.join(tempDir, "workspace");

extensions/codex/src/app-server/startup-binding.ts

@@ -30,6 +30,14 @@ const CODEX_APP_SERVER_BYTE_UNITS: Record<string, number> = {
   tb: 1024 * 1024 * 1024 * 1024,
   tib: 1024 * 1024 * 1024 * 1024,
 };
+type CodexSessionRecordCacheEntry = {
+  sessionsFile: string;
+  mtimeMs: number;
+  size: number;
+  record: (Record<string, unknown> & { sessionKey: string }) | undefined;
+};
+
+const codexSessionRecordCache = new Map<string, CodexSessionRecordCacheEntry>();
 
 function parseCodexAppServerByteLimit(value: unknown): number | undefined {
   if (typeof value === "number" && Number.isFinite(value) && value > 0) {
@@ -112,16 +120,34 @@ async function readCodexSessionRecordForSessionFile(
   sessionFile: string,
 ): Promise<(Record<string, unknown> & { sessionKey: string }) | undefined> {
   const sessionsFile = path.join(path.dirname(sessionFile), "sessions.json");
+  const resolvedSessionFile = path.resolve(sessionFile);
+  let stat: Awaited<ReturnType<typeof fs.stat>>;
+  try {
+    stat = await fs.stat(sessionsFile);
+  } catch {
+    codexSessionRecordCache.delete(resolvedSessionFile);
+    return undefined;
+  }
+  const cached = codexSessionRecordCache.get(resolvedSessionFile);
+  if (
+    cached?.sessionsFile === sessionsFile &&
+    cached.mtimeMs === stat.mtimeMs &&
+    cached.size === stat.size
+  ) {
+    return cached.record;
+  }
   let store: JsonValue | undefined;
   try {
     store = JSON.parse(await fs.readFile(sessionsFile, "utf8")) as JsonValue;
   } catch {
+    codexSessionRecordCache.delete(resolvedSessionFile);
     return undefined;
   }
   if (!isJsonObject(store)) {
+    codexSessionRecordCache.delete(resolvedSessionFile);
     return undefined;
   }
-  const resolvedSessionFile = path.resolve(sessionFile);
+  let found: (Record<string, unknown> & { sessionKey: string }) | undefined;
   for (const [sessionKey, record] of Object.entries(store)) {
     if (!isJsonObject(record) || typeof record.sessionFile !== "string") {
       continue;
@@ -129,9 +155,16 @@ async function readCodexSessionRecordForSessionFile(
     if (path.resolve(record.sessionFile) !== resolvedSessionFile) {
       continue;
     }
-    return { sessionKey, ...record };
+    found = { sessionKey, ...record };
+    break;
   }
-  return undefined;
+  codexSessionRecordCache.set(resolvedSessionFile, {
+    sessionsFile,
+    mtimeMs: stat.mtimeMs,
+    size: stat.size,
+    record: found,
+  });
+  return found;
 }
 
 type CodexAppServerRolloutTokenSnapshot = {

extensions/diffs/src/store.test.ts

@@ -54,6 +54,21 @@ describe("DiffArtifactStore", () => {
     expect(await store.readHtml(artifact.id)).toBe("<html>demo</html>");
   });
 
+  it("caps artifact expiry instead of throwing near the Date boundary", async () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date(8_640_000_000_000_000 - 1_000));
+
+    const artifact = await store.createArtifact({
+      html: "<html>demo</html>",
+      title: "Demo",
+      inputKind: "patch",
+      fileCount: 1,
+      ttlMs: 60_000,
+    });
+
+    expect(artifact.expiresAt).toBe("+275760-09-13T00:00:00.000Z");
+  });
+
   it("expires artifacts after the ttl", async () => {
     vi.useFakeTimers();
     const now = new Date("2026-02-27T16:00:00Z");
@@ -131,6 +146,15 @@ describe("DiffArtifactStore", () => {
     });
   });
 
+  it("caps standalone file expiry instead of throwing near the Date boundary", async () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date(8_640_000_000_000_000 - 1_000));
+
+    const standalone = await store.createStandaloneFileArtifact({ ttlMs: 60_000 });
+
+    expect(standalone.expiresAt).toBe("+275760-09-13T00:00:00.000Z");
+  });
+
   it("expires standalone file artifacts using ttl metadata", async () => {
     vi.useFakeTimers();
     const now = new Date("2026-02-27T16:00:00Z");

extensions/diffs/src/store.ts

@@ -1,6 +1,7 @@
 import crypto from "node:crypto";
 import fs from "node:fs/promises";
 import path from "node:path";
+import { MAX_DATE_TIMESTAMP_MS, timestampMsToIsoString } from "openclaw/plugin-sdk/number-runtime";
 import { root as fsRoot } from "openclaw/plugin-sdk/security-runtime";
 import { normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
 import type { PluginLogger } from "../api.js";
@@ -64,15 +65,16 @@ export class DiffArtifactStore {
     const htmlPath = path.join(artifactDir, "viewer.html");
     const ttlMs = normalizeTtlMs(params.ttlMs);
     const createdAt = new Date();
-    const expiresAt = new Date(createdAt.getTime() + ttlMs);
+    const createdAtIso = createdAt.toISOString();
+    const expiresAt = resolveExpiresAtIso(createdAt.getTime(), ttlMs);
     const meta: DiffArtifactMeta = {
       id,
       token,
       title: params.title,
       inputKind: params.inputKind,
       fileCount: params.fileCount,
-      createdAt: createdAt.toISOString(),
-      expiresAt: expiresAt.toISOString(),
+      createdAt: createdAtIso,
+      expiresAt,
       viewerPath: `${VIEWER_PREFIX}/${id}/${token}`,
       htmlPath,
       ...(params.context ? { context: params.context } : {}),
@@ -144,11 +146,12 @@ export class DiffArtifactStore {
     const filePath = path.join(artifactDir, `preview.${format}`);
     const ttlMs = normalizeTtlMs(params.ttlMs);
     const createdAt = new Date();
-    const expiresAt = new Date(createdAt.getTime() + ttlMs).toISOString();
+    const createdAtIso = createdAt.toISOString();
+    const expiresAt = resolveExpiresAtIso(createdAt.getTime(), ttlMs);
     const meta: StandaloneFileMeta = {
       kind: "standalone_file",
       id,
-      createdAt: createdAt.toISOString(),
+      createdAt: createdAtIso,
       expiresAt,
       filePath: this.normalizeStoredPath(filePath, "filePath"),
       ...(params.context ? { context: params.context } : {}),
@@ -357,6 +360,14 @@ function normalizeTtlMs(value?: number): number {
   return Math.min(rounded, MAX_TTL_MS);
 }
 
+function resolveExpiresAtIso(createdAtMs: number, ttlMs: number): string {
+  return (
+    timestampMsToIsoString(createdAtMs + ttlMs) ??
+    timestampMsToIsoString(MAX_DATE_TIMESTAMP_MS) ??
+    "1970-01-01T00:00:00.000Z"
+  );
+}
+
 function isExpired(meta: { expiresAt: string }): boolean {
   const expiresAt = Date.parse(meta.expiresAt);
   if (!Number.isFinite(expiresAt)) {

extensions/discord/src/internal/client.test.ts

@@ -342,6 +342,47 @@ describe("Client.deployCommands", () => {
     await client.fetchChannel("c1");
     expect(get).toHaveBeenCalledTimes(2);
   });
+
+  it("does not reuse cached REST objects while the process clock is invalid", async () => {
+    const client = createInternalTestClient();
+    const get = vi
+      .fn()
+      .mockResolvedValueOnce({ id: "c1", type: 0, name: "old" })
+      .mockResolvedValueOnce({ id: "c1", type: 0, name: "fresh" })
+      .mockResolvedValueOnce({ id: "c1", type: 0, name: "recovered" });
+    attachRestMock(client, { get });
+
+    const first = await client.fetchChannel("c1");
+    expect(first.name).toBe("old");
+
+    vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_001);
+    const second = await client.fetchChannel("c1");
+
+    expect(second.name).toBe("fresh");
+
+    vi.mocked(Date.now).mockReturnValue(1_000);
+    const third = await client.fetchChannel("c1");
+
+    expect(third.name).toBe("recovered");
+    expect(get).toHaveBeenCalledTimes(3);
+  });
+
+  it("does not cache REST objects when the cache expiry would exceed the Date range", async () => {
+    const client = createInternalTestClient();
+    const get = vi
+      .fn()
+      .mockResolvedValueOnce({ id: "c1", type: 0, name: "first" })
+      .mockResolvedValueOnce({ id: "c1", type: 0, name: "second" });
+    attachRestMock(client, { get });
+    vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_000);
+
+    const first = await client.fetchChannel("c1");
+    const second = await client.fetchChannel("c1");
+
+    expect(first.name).toBe("first");
+    expect(second.name).toBe("second");
+    expect(get).toHaveBeenCalledTimes(2);
+  });
 });
 
 describe("Client gateway event queue", () => {

extensions/discord/src/internal/entity-cache.ts

@@ -1,4 +1,8 @@
 import { GatewayDispatchEvents } from "discord-api-types/v10";
+import {
+  asDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import { getChannel, getGuild, getGuildMember, getUser } from "./api.js";
 import type { RequestClient } from "./rest.js";
 import { Guild, GuildMember, User, channelFactory, type StructureClient } from "./structures.js";
@@ -79,15 +83,23 @@ export class DiscordEntityCache {
 
   private async fetchCached<T>(key: string, fetcher: () => Promise<T>): Promise<T> {
     const ttl = this.params.ttlMs ?? DEFAULT_REST_CACHE_TTL_MS;
+    const rawNow = Date.now();
+    const now = asDateTimestampMs(rawNow);
     if (ttl > 0) {
       const cached = this.entries.get(key) as CacheEntry<T> | undefined;
-      if (cached && cached.expiresAt > Date.now()) {
+      if (cached && now !== undefined && cached.expiresAt > now) {
         return cached.value;
       }
+      if (cached) {
+        this.entries.delete(key);
+      }
     }
     const value = await fetcher();
     if (ttl > 0) {
-      this.entries.set(key, { expiresAt: Date.now() + ttl, value });
+      const expiresAt = resolveExpiresAtMsFromDurationMs(ttl, { nowMs: rawNow });
+      if (expiresAt !== undefined) {
+        this.entries.set(key, { expiresAt, value });
+      }
     }
     return value;
   }

extensions/discord/src/monitor/message-channel-info.ts

@@ -1,3 +1,7 @@
+import {
+  asDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import { logVerbose } from "openclaw/plugin-sdk/runtime-env";
 import { normalizeOptionalStringifiedId } from "openclaw/plugin-sdk/string-coerce-runtime";
 import type { ChannelType, Message } from "../internal/discord.js";
@@ -30,6 +34,22 @@ export function resetDiscordChannelInfoCacheForTest() {
   DISCORD_CHANNEL_INFO_CACHE.clear();
 }
 
+function resolveDiscordChannelInfoCacheExpiresAt(ttlMs: number, nowMs: number): number | undefined {
+  return resolveExpiresAtMsFromDurationMs(ttlMs, { nowMs });
+}
+
+function cacheDiscordChannelInfo(
+  channelId: string,
+  value: DiscordChannelInfo | null,
+  ttlMs: number,
+  nowMs: number,
+): void {
+  const expiresAt = resolveDiscordChannelInfoCacheExpiresAt(ttlMs, nowMs);
+  if (expiresAt !== undefined) {
+    DISCORD_CHANNEL_INFO_CACHE.set(channelId, { value, expiresAt });
+  }
+}
+
 function normalizeDiscordChannelId(value: unknown): string {
   return normalizeOptionalStringifiedId(value) ?? "";
 }
@@ -51,9 +71,11 @@ export async function resolveDiscordChannelInfo(
   client: DiscordChannelInfoClient,
   channelId: string,
 ): Promise<DiscordChannelInfo | null> {
+  const rawNow = Date.now();
+  const now = asDateTimestampMs(rawNow);
   const cached = DISCORD_CHANNEL_INFO_CACHE.get(channelId);
   if (cached) {
-    if (cached.expiresAt > Date.now()) {
+    if (now !== undefined && cached.expiresAt > now) {
       return cached.value;
     }
     DISCORD_CHANNEL_INFO_CACHE.delete(channelId);
@@ -61,10 +83,7 @@ export async function resolveDiscordChannelInfo(
   try {
     const channel = await client.fetchChannel(channelId);
     if (!channel) {
-      DISCORD_CHANNEL_INFO_CACHE.set(channelId, {
-        value: null,
-        expiresAt: Date.now() + DISCORD_CHANNEL_INFO_NEGATIVE_CACHE_TTL_MS,
-      });
+      cacheDiscordChannelInfo(channelId, null, DISCORD_CHANNEL_INFO_NEGATIVE_CACHE_TTL_MS, rawNow);
       return null;
     }
     const channelInfo = resolveDiscordChannelInfoSafe(channel);
@@ -80,17 +99,11 @@ export async function resolveDiscordChannelInfo(
       parentId: channelInfo.parentId,
       ownerId: channelInfo.ownerId,
     };
-    DISCORD_CHANNEL_INFO_CACHE.set(channelId, {
-      value: payload,
-      expiresAt: Date.now() + DISCORD_CHANNEL_INFO_CACHE_TTL_MS,
-    });
+    cacheDiscordChannelInfo(channelId, payload, DISCORD_CHANNEL_INFO_CACHE_TTL_MS, rawNow);
     return payload;
   } catch (err) {
     logVerbose(`discord: failed to fetch channel ${channelId}: ${String(err)}`);
-    DISCORD_CHANNEL_INFO_CACHE.set(channelId, {
-      value: null,
-      expiresAt: Date.now() + DISCORD_CHANNEL_INFO_NEGATIVE_CACHE_TTL_MS,
-    });
+    cacheDiscordChannelInfo(channelId, null, DISCORD_CHANNEL_INFO_NEGATIVE_CACHE_TTL_MS, rawNow);
     return null;
   }
 }

extensions/discord/src/monitor/message-handler.draft-preview.ts

@@ -1,11 +1,14 @@
 import { EmbeddedBlockChunker } from "openclaw/plugin-sdk/agent-runtime";
 import {
+  buildChannelCommentaryProgressDraftLine,
   createChannelProgressDraftGate,
   type ChannelProgressDraftLine,
   formatChannelProgressDraftText,
   isChannelProgressDraftWorkToolName,
   mergeChannelProgressDraftLine,
   normalizeChannelProgressDraftLineIdentity,
+  removeChannelProgressDraftLine,
+  resolveChannelCommentaryProgressLineId,
   resolveChannelProgressDraftMaxLines,
   resolveChannelStreamingBlockEnabled,
   resolveChannelStreamingProgressCommentary,
@@ -123,10 +126,8 @@ export function createDiscordDraftPreviewController(params: {
   });
 
   const clearProgressDraftLine = async (lineId: string) => {
-    const nextLines = previewToolProgressLines.filter(
-      (line) => typeof line !== "object" || line.id?.trim() !== lineId,
-    );
-    if (nextLines.length === previewToolProgressLines.length) {
+    const nextLines = removeChannelProgressDraftLine(previewToolProgressLines, lineId);
+    if (nextLines === previewToolProgressLines) {
       return;
     }
     previewToolProgressLines = nextLines;
@@ -307,25 +308,20 @@ export function createDiscordDraftPreviewController(params: {
       if (finalReplyStarted || finalReplyDelivered) {
         return;
       }
-      const itemId = options?.itemId?.trim();
-      if (!text && !itemId) {
-        return;
-      }
-      const normalized = normalizeCommentaryProgressText(text ?? "");
-      const lineId = itemId ? `commentary:${itemId}` : normalized ? `commentary:${normalized}` : "";
-      if (!normalized) {
+      const line = buildChannelCommentaryProgressDraftLine({
+        text,
+        itemId: options?.itemId,
+      });
+      if (!line) {
+        const lineId = resolveChannelCommentaryProgressLineId({
+          text,
+          itemId: options?.itemId,
+        });
         if (lineId) {
           await clearProgressDraftLine(lineId);
         }
         return;
       }
-      const line: ChannelProgressDraftLine = {
-        id: lineId,
-        kind: "item",
-        text: normalized,
-        label: "Commentary",
-        prefix: false,
-      };
       previewToolProgressLines = mergeChannelProgressDraftLine(previewToolProgressLines, line, {
         maxLines: resolveChannelProgressDraftMaxLines(params.discordConfig),
       });
@@ -469,24 +465,6 @@ function normalizeReasoningProgressLine(text: string): string {
     .trim();
 }
 
-function normalizeCommentaryProgressText(text: string): string {
-  const cleaned = stripInlineDirectiveTagsForDelivery(text).text.trim();
-  if (!cleaned || isSilentCommentaryProgressText(cleaned)) {
-    return "";
-  }
-  return cleaned
-    .split(/\r?\n/u)
-    .map((line) => line.replace(/\s+/g, " ").trim())
-    .filter(Boolean)
-    .map((line) => `_${line}_`)
-    .join("\n");
-}
-
-function isSilentCommentaryProgressText(text: string): boolean {
-  const normalized = text.replace(/^[\s*_`~]+|[\s*_`~]+$/gu, "").trim();
-  return /^NO_REPLY$/iu.test(normalized);
-}
-
 function mergeReasoningProgressText(
   current: string,
   incoming: string,

extensions/discord/src/monitor/message-handler.preflight.test.ts

@@ -2252,4 +2252,40 @@ describe("shouldIgnoreBoundThreadWebhookMessage", () => {
       }),
     ).toBe(true);
   });
+
+  it("does not suppress unbound thread webhook echoes when echo expiry overflows", async () => {
+    const manager = createThreadBindingManager({
+      cfg: DEFAULT_PREFLIGHT_CFG,
+      accountId: "default",
+      persist: false,
+      enableSweeper: false,
+    });
+    const binding = await manager.bindTarget({
+      threadId: "thread-overflow",
+      channelId: "parent-1",
+      targetKind: "subagent",
+      targetSessionKey: "agent:main:subagent:child-1",
+      agentId: "main",
+      webhookId: "wh-overflow",
+      webhookToken: "tok-1",
+    });
+    expect(binding).not.toBeNull();
+    const nowSpy = vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_000);
+    try {
+      manager.unbindThread({
+        threadId: "thread-overflow",
+        sendFarewell: false,
+      });
+    } finally {
+      nowSpy.mockRestore();
+    }
+
+    expect(
+      shouldIgnoreBoundThreadWebhookMessage({
+        accountId: "default",
+        threadId: "thread-overflow",
+        webhookId: "wh-overflow",
+      }),
+    ).toBe(false);
+  });
 });

extensions/discord/src/monitor/message-utils.test.ts

@@ -4,7 +4,7 @@ import {
   MessageReferenceType,
   StickerFormatType,
 } from "discord-api-types/v10";
-import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { afterEach, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 import { ChannelType, type Client, type Message } from "../internal/discord.js";
 
 const readRemoteMediaBuffer = vi.fn();
@@ -65,6 +65,10 @@ beforeAll(async () => {
   } = await import("./message-utils.js"));
 });
 
+afterEach(() => {
+  vi.restoreAllMocks();
+});
+
 function asMessage(payload: Record<string, unknown>): Message {
   return payload as unknown as Message;
 }
@@ -1231,4 +1235,37 @@ describe("resolveDiscordChannelInfo", () => {
     expect(second).toBeNull();
     expect(fetchChannel).toHaveBeenCalledTimes(1);
   });
+
+  it("does not reuse cached channel info while the process clock is invalid", async () => {
+    const fetchChannel = vi
+      .fn()
+      .mockResolvedValueOnce({ type: ChannelType.GuildText, name: "old" })
+      .mockResolvedValueOnce({ type: ChannelType.GuildText, name: "fresh" });
+    const client = { fetchChannel } as unknown as Client;
+
+    const first = await resolveDiscordChannelInfo(client, "invalid-clock-channel");
+    expect(first?.name).toBe("old");
+
+    vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_001);
+    const second = await resolveDiscordChannelInfo(client, "invalid-clock-channel");
+
+    expect(second?.name).toBe("fresh");
+    expect(fetchChannel).toHaveBeenCalledTimes(2);
+  });
+
+  it("does not cache channel info when the cache expiry would exceed the Date range", async () => {
+    vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_000);
+    const fetchChannel = vi
+      .fn()
+      .mockResolvedValueOnce({ type: ChannelType.GuildText, name: "first" })
+      .mockResolvedValueOnce({ type: ChannelType.GuildText, name: "second" });
+    const client = { fetchChannel } as unknown as Client;
+
+    const first = await resolveDiscordChannelInfo(client, "overflow-cache-channel");
+    const second = await resolveDiscordChannelInfo(client, "overflow-cache-channel");
+
+    expect(first?.name).toBe("first");
+    expect(second?.name).toBe("second");
+    expect(fetchChannel).toHaveBeenCalledTimes(2);
+  });
 });

extensions/discord/src/monitor/model-picker-preferences-migrations.test.ts

@@ -63,4 +63,88 @@ describe("Discord model picker preference migration", () => {
       updatedAt: "2026-05-29T00:00:00.001Z",
     });
   });
+
+  it("plans legacy JSON import with max Date timestamps", async () => {
+    const stateDir = await makeStateDir();
+    const sourcePath = path.join(stateDir, "discord", "model-picker-preferences.json");
+    await fs.mkdir(path.dirname(sourcePath), { recursive: true });
+    await fs.writeFile(
+      sourcePath,
+      JSON.stringify({
+        version: 1,
+        entries: {
+          "discord:default:dm:user:max-date": {
+            recent: ["openai/gpt-5", "openai/gpt-4.1"],
+            updatedAt: "+275760-09-13T00:00:00.000Z",
+          },
+        },
+      }),
+    );
+
+    const plans = await Promise.resolve(
+      detectDiscordLegacyStateMigrations({
+        cfg: {},
+        env: {},
+        oauthDir: path.join(stateDir, "credentials"),
+        stateDir,
+      }),
+    );
+
+    const plan = plans?.[0];
+    if (plan?.kind !== "plugin-state-import") {
+      throw new Error("expected plugin-state import plan");
+    }
+    const entries = await plan.readEntries();
+    expect(
+      entries.map((entry) => {
+        const value = entry.value as { updatedAt?: unknown };
+        return value.updatedAt;
+      }),
+    ).toEqual(["+275760-09-13T00:00:00.000Z", "+275760-09-12T23:59:59.999Z"]);
+  });
+
+  it("keeps legacy JSON import order near max Date", async () => {
+    const stateDir = await makeStateDir();
+    const sourcePath = path.join(stateDir, "discord", "model-picker-preferences.json");
+    await fs.mkdir(path.dirname(sourcePath), { recursive: true });
+    await fs.writeFile(
+      sourcePath,
+      JSON.stringify({
+        version: 1,
+        entries: {
+          "discord:default:dm:user:near-max-date": {
+            recent: ["openai/gpt-5", "openai/gpt-4.1"],
+            updatedAt: "+275760-09-12T23:59:59.999Z",
+          },
+        },
+      }),
+    );
+
+    const plans = await Promise.resolve(
+      detectDiscordLegacyStateMigrations({
+        cfg: {},
+        env: {},
+        oauthDir: path.join(stateDir, "credentials"),
+        stateDir,
+      }),
+    );
+
+    const plan = plans?.[0];
+    if (plan?.kind !== "plugin-state-import") {
+      throw new Error("expected plugin-state import plan");
+    }
+    const entries = await plan.readEntries();
+    expect(
+      entries.map((entry) => {
+        const value = entry.value as { modelRef?: unknown };
+        return value.modelRef;
+      }),
+    ).toEqual(["openai/gpt-5", "openai/gpt-4.1"]);
+    expect(
+      entries.map((entry) => {
+        const value = entry.value as { updatedAt?: unknown };
+        return value.updatedAt;
+      }),
+    ).toEqual(["+275760-09-13T00:00:00.000Z", "+275760-09-12T23:59:59.999Z"]);
+  });
 });

extensions/discord/src/monitor/model-picker-preferences-migrations.ts

@@ -2,6 +2,7 @@ import { createHash } from "node:crypto";
 import fs from "node:fs";
 import path from "node:path";
 import type { BundledChannelLegacyStateMigrationDetector } from "openclaw/plugin-sdk/channel-entry-contract";
+import { MAX_DATE_TIMESTAMP_MS, timestampMsToIsoString } from "openclaw/plugin-sdk/number-runtime";
 import { normalizeProviderId } from "openclaw/plugin-sdk/provider-model-shared";
 
 const PREFERENCE_MAX_ENTRIES = 2_000;
@@ -92,7 +93,15 @@ function timestampMs(value: unknown): number {
 }
 
 function legacyUpdatedAtForIndex(updatedAt: unknown, index: number, total: number): string {
-  return new Date(timestampMs(updatedAt) + Math.max(0, total - index)).toISOString();
+  const baseMs = timestampMs(updatedAt);
+  const anchorMs = Math.min(baseMs + Math.max(0, total), MAX_DATE_TIMESTAMP_MS);
+  const shiftedMs = anchorMs - Math.max(0, index);
+  return (
+    timestampMsToIsoString(shiftedMs) ??
+    timestampMsToIsoString(baseMs) ??
+    timestampMsToIsoString(Math.max(0, total - index)) ??
+    "1970-01-01T00:00:00.000Z"
+  );
 }
 
 export const detectDiscordLegacyStateMigrations: BundledChannelLegacyStateMigrationDetector = ({

extensions/discord/src/monitor/model-picker-preferences.test.ts

@@ -6,7 +6,7 @@ import {
   createPluginStateKeyedStoreForTests,
   resetPluginStateStoreForTests,
 } from "openclaw/plugin-sdk/plugin-state-test-runtime";
-import { afterEach, describe, expect, it } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 import { setDiscordRuntime, type DiscordRuntime } from "../runtime.js";
 import {
   buildDiscordModelPickerPreferenceKey,
@@ -163,6 +163,68 @@ describe("discord model picker preferences", () => {
     ]);
   });
 
+  it("imports legacy JSON preferences with max Date timestamps", async () => {
+    const env = await createStateEnv();
+    const scope = { accountId: "main", guildId: "guild-max-date", userId: "user-max-date" };
+    const key = buildDiscordModelPickerPreferenceKey(scope);
+    expect(key).toBeTruthy();
+    const legacyPath = path.join(
+      env.OPENCLAW_STATE_DIR as string,
+      "discord",
+      "model-picker-preferences.json",
+    );
+    await fs.mkdir(path.dirname(legacyPath), { recursive: true });
+    await fs.writeFile(
+      legacyPath,
+      JSON.stringify({
+        version: 1,
+        entries: {
+          [key as string]: {
+            recent: ["openai/gpt-4.1", "openai/gpt-4o"],
+            updatedAt: "+275760-09-13T00:00:00.000Z",
+          },
+        },
+      }),
+      "utf8",
+    );
+
+    await expect(readDiscordModelPickerRecentModels({ env, scope })).resolves.toEqual([
+      "openai/gpt-4.1",
+      "openai/gpt-4o",
+    ]);
+  });
+
+  it("preserves legacy JSON preference order near max Date", async () => {
+    const env = await createStateEnv();
+    const scope = { accountId: "main", guildId: "guild-near-max-date", userId: "user-near-max" };
+    const key = buildDiscordModelPickerPreferenceKey(scope);
+    expect(key).toBeTruthy();
+    const legacyPath = path.join(
+      env.OPENCLAW_STATE_DIR as string,
+      "discord",
+      "model-picker-preferences.json",
+    );
+    await fs.mkdir(path.dirname(legacyPath), { recursive: true });
+    await fs.writeFile(
+      legacyPath,
+      JSON.stringify({
+        version: 1,
+        entries: {
+          [key as string]: {
+            recent: ["openai/gpt-4.1", "openai/gpt-4o"],
+            updatedAt: "+275760-09-12T23:59:59.999Z",
+          },
+        },
+      }),
+      "utf8",
+    );
+
+    await expect(readDiscordModelPickerRecentModels({ env, scope })).resolves.toEqual([
+      "openai/gpt-4.1",
+      "openai/gpt-4o",
+    ]);
+  });
+
   it("skips malformed legacy JSON entries during import", async () => {
     const env = await createStateEnv();
     const scope = { userId: "valid-legacy-user" };
@@ -207,4 +269,34 @@ describe("discord model picker preferences", () => {
     const recent = await readDiscordModelPickerRecentModels({ env, scope });
     expect(new Set(recent)).toEqual(new Set(["openai/gpt-4o", "openai/gpt-4.1"]));
   });
+
+  it("keeps selections recent when the process clock is outside the Date range", async () => {
+    const env = await createStateEnv();
+    const scope = { userId: "invalid-clock-user" };
+    await recordDiscordModelPickerRecentModel({ env, scope, modelRef: "openai/gpt-4.1" });
+    await recordDiscordModelPickerRecentModel({ env, scope, modelRef: "openai/gpt-4o" });
+    const dateNowSpy = vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_001);
+
+    try {
+      await recordDiscordModelPickerRecentModel({
+        env,
+        scope,
+        modelRef: "openai/gpt-5.5",
+        limit: 2,
+      });
+      await recordDiscordModelPickerRecentModel({
+        env,
+        scope,
+        modelRef: "openai/gpt-5.6",
+        limit: 2,
+      });
+    } finally {
+      dateNowSpy.mockRestore();
+    }
+
+    await expect(readDiscordModelPickerRecentModels({ env, scope, limit: 3 })).resolves.toEqual([
+      "openai/gpt-5.6",
+      "openai/gpt-5.5",
+    ]);
+  });
 });

extensions/discord/src/monitor/model-picker-preferences.ts

@@ -3,6 +3,12 @@ import os from "node:os";
 import path from "node:path";
 import { normalizeAccountId as normalizeSharedAccountId } from "openclaw/plugin-sdk/account-id";
 import { readJsonFileWithFallback } from "openclaw/plugin-sdk/json-store";
+import {
+  MAX_DATE_TIMESTAMP_MS,
+  resolveDateTimestampMs,
+  resolveTimestampMsToIsoString,
+  timestampMsToIsoString,
+} from "openclaw/plugin-sdk/number-runtime";
 import { normalizeProviderId } from "openclaw/plugin-sdk/provider-model-shared";
 import { resolveStateDir } from "openclaw/plugin-sdk/state-paths";
 import { normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
@@ -13,11 +19,13 @@ const PREFERENCE_MAX_ENTRIES = 2_000;
 const MAX_PLUGIN_STATE_KEY_BYTES = 512;
 const textEncoder = new TextEncoder();
 let lastPreferenceTimestampMs = 0;
+let lastPreferenceOrder = 0;
 
 type ModelPickerPreferencesEntry = {
   scopeKey: string;
   modelRef: string;
   updatedAt: string;
+  updatedOrder?: number;
 };
 
 type LegacyModelPickerPreferencesEntry = {
@@ -124,6 +132,7 @@ function sanitizeStoredPreferenceEntry(value: unknown): ModelPickerPreferencesEn
     scopeKey?: unknown;
     modelRef?: unknown;
     updatedAt?: unknown;
+    updatedOrder?: unknown;
   };
   if (typeof typedValue.scopeKey !== "string" || typeof typedValue.modelRef !== "string") {
     return undefined;
@@ -136,6 +145,10 @@ function sanitizeStoredPreferenceEntry(value: unknown): ModelPickerPreferencesEn
     scopeKey: typedValue.scopeKey,
     modelRef,
     updatedAt: typeof typedValue.updatedAt === "string" ? typedValue.updatedAt : "",
+    updatedOrder:
+      typeof typedValue.updatedOrder === "number" && Number.isSafeInteger(typedValue.updatedOrder)
+        ? typedValue.updatedOrder
+        : undefined,
   };
 }
 
@@ -152,13 +165,58 @@ function timestampMs(value: string): number {
   return Number.isFinite(parsed) ? parsed : 0;
 }
 
-function legacyUpdatedAtForIndex(updatedAt: string, index: number, total: number): string {
-  return new Date(timestampMs(updatedAt) + Math.max(0, total - index)).toISOString();
+function timestampOrder(value?: number): number {
+  return value !== undefined && value >= 0 ? value : 0;
 }
 
-function nextPreferenceTimestampIso(): string {
-  lastPreferenceTimestampMs = Math.max(Date.now(), lastPreferenceTimestampMs + 1);
-  return new Date(lastPreferenceTimestampMs).toISOString();
+function comparePreferenceEntries(
+  left: { key: string; value: ModelPickerPreferencesEntry },
+  right: { key: string; value: ModelPickerPreferencesEntry },
+): number {
+  return (
+    timestampMs(right.value.updatedAt) - timestampMs(left.value.updatedAt) ||
+    timestampOrder(right.value.updatedOrder) - timestampOrder(left.value.updatedOrder) ||
+    left.key.localeCompare(right.key)
+  );
+}
+
+function legacyUpdatedAtForIndex(updatedAt: string, index: number, total: number): string {
+  const baseMs = timestampMs(updatedAt);
+  const anchorMs = Math.min(baseMs + Math.max(0, total), MAX_DATE_TIMESTAMP_MS);
+  const shiftedMs = anchorMs - Math.max(0, index);
+  return (
+    timestampMsToIsoString(shiftedMs) ??
+    timestampMsToIsoString(baseMs) ??
+    timestampMsToIsoString(Math.max(0, total - index)) ??
+    "1970-01-01T00:00:00.000Z"
+  );
+}
+
+function nextPreferenceTimestamp(existingEntries: ModelPickerPreferencesEntry[]): {
+  updatedAt: string;
+  updatedOrder: number;
+} {
+  const existingMaxTimestampMs = existingEntries.reduce(
+    (max, entry) => Math.max(max, timestampMs(entry.updatedAt)),
+    0,
+  );
+  lastPreferenceTimestampMs = Math.min(
+    Math.max(
+      resolveDateTimestampMs(Date.now(), 0),
+      lastPreferenceTimestampMs + 1,
+      existingMaxTimestampMs + 1,
+    ),
+    MAX_DATE_TIMESTAMP_MS,
+  );
+  const existingMaxOrder = existingEntries.reduce(
+    (max, entry) => Math.max(max, timestampOrder(entry.updatedOrder)),
+    0,
+  );
+  lastPreferenceOrder = Math.max(lastPreferenceOrder + 1, existingMaxOrder + 1);
+  return {
+    updatedAt: resolveTimestampMsToIsoString(lastPreferenceTimestampMs),
+    updatedOrder: lastPreferenceOrder,
+  };
 }
 
 function normalizeLegacyPreferenceKey(key: string): string | undefined {
@@ -237,10 +295,13 @@ export async function readDiscordModelPickerRecentModels(params: {
     await importLegacyPreferences(params.env);
     const store = openPreferenceStore(params.env);
     const recent = (await store.entries())
-      .map((entry) => sanitizeStoredPreferenceEntry(entry.value))
-      .filter((entry): entry is ModelPickerPreferencesEntry => entry?.scopeKey === key)
-      .toSorted((left, right) => timestampMs(right.updatedAt) - timestampMs(left.updatedAt))
-      .map((entry) => entry.modelRef);
+      .map((entry) => ({ key: entry.key, value: sanitizeStoredPreferenceEntry(entry.value) }))
+      .filter(
+        (entry): entry is { key: string; value: ModelPickerPreferencesEntry } =>
+          entry.value?.scopeKey === key,
+      )
+      .toSorted(comparePreferenceEntries)
+      .map((entry) => entry.value.modelRef);
     if (!params.allowedModelRefs || params.allowedModelRefs.size === 0) {
       return sanitizeRecentModels(recent, limit);
     }
@@ -268,10 +329,14 @@ export async function recordDiscordModelPickerRecentModel(params: {
   try {
     await importLegacyPreferences(params.env);
     const store = openPreferenceStore(params.env);
+    const existingEntries = (await store.entries())
+      .map((entry) => sanitizeStoredPreferenceEntry(entry.value))
+      .filter((entry): entry is ModelPickerPreferencesEntry => entry?.scopeKey === key);
+    const timestamp = nextPreferenceTimestamp(existingEntries);
     await store.register(buildPreferenceModelKey(key, normalizedModelRef), {
       scopeKey: key,
       modelRef: normalizedModelRef,
-      updatedAt: nextPreferenceTimestampIso(),
+      ...timestamp,
     });
     const limit = Math.max(1, Math.min(params.limit ?? DEFAULT_RECENT_LIMIT, 10));
     const scopedEntries = (await store.entries())
@@ -280,11 +345,7 @@ export async function recordDiscordModelPickerRecentModel(params: {
         (entry): entry is { key: string; value: ModelPickerPreferencesEntry } =>
           entry.value?.scopeKey === key,
       )
-      .toSorted(
-        (left, right) =>
-          timestampMs(right.value.updatedAt) - timestampMs(left.value.updatedAt) ||
-          left.key.localeCompare(right.key),
-      );
+      .toSorted(comparePreferenceEntries);
     await Promise.all(scopedEntries.slice(limit).map((entry) => store.delete(entry.key)));
   } catch {
     return;

extensions/discord/src/monitor/thread-bindings.state.ts

@@ -1,6 +1,10 @@
 import fs from "node:fs";
 import path from "node:path";
 import { loadJsonFile, saveJsonFile } from "openclaw/plugin-sdk/json-store";
+import {
+  isFutureDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import { normalizeAccountId, resolveAgentIdFromSessionKey } from "openclaw/plugin-sdk/routing";
 import { resolveStateDir } from "openclaw/plugin-sdk/state-paths";
 import {
@@ -345,9 +349,14 @@ export function rememberRecentUnboundWebhookEcho(record: ThreadBindingRecord) {
   if (!bindingKey) {
     return;
   }
+  const expiresAt = resolveExpiresAtMsFromDurationMs(RECENT_UNBOUND_WEBHOOK_ECHO_WINDOW_MS);
+  if (expiresAt === undefined) {
+    RECENT_UNBOUND_WEBHOOK_ECHOES_BY_BINDING_KEY.delete(bindingKey);
+    return;
+  }
   RECENT_UNBOUND_WEBHOOK_ECHOES_BY_BINDING_KEY.set(bindingKey, {
     webhookId,
-    expiresAt: Date.now() + RECENT_UNBOUND_WEBHOOK_ECHO_WINDOW_MS,
+    expiresAt,
   });
 }
 
@@ -408,7 +417,7 @@ export function isRecentlyUnboundThreadWebhookMessage(params: {
   if (!suppressed) {
     return false;
   }
-  if (suppressed.expiresAt <= Date.now()) {
+  if (!isFutureDateTimestampMs(suppressed.expiresAt)) {
     RECENT_UNBOUND_WEBHOOK_ECHOES_BY_BINDING_KEY.delete(bindingKey);
     return false;
   }

extensions/discord/src/send.creates-thread.test.ts

@@ -121,6 +121,7 @@ beforeEach(() => {
 
 afterEach(() => {
   vi.useRealTimers();
+  vi.restoreAllMocks();
 });
 
 afterAll(() => {
@@ -322,6 +323,18 @@ describe("sendMessageDiscord", () => {
     ).toBeTypeOf("string");
   });
 
+  it("rejects timeout durations outside Date range", async () => {
+    const { rest, patchMock } = makeDiscordRest();
+
+    await expect(
+      timeoutMemberDiscord(
+        { guildId: "g1", userId: "u1", durationMinutes: 8_640_000_000_000_001 },
+        discordClientOpts(rest),
+      ),
+    ).rejects.toThrow("Discord timeout duration is outside the supported Date range");
+    expect(patchMock).not.toHaveBeenCalled();
+  });
+
   it("adds and removes roles", async () => {
     const { rest, putMock, deleteMock } = makeDiscordRest();
     putMock.mockResolvedValue({});

extensions/discord/src/send.guild.ts

@@ -6,6 +6,7 @@ import type {
   APIVoiceState,
   RESTPostAPIGuildScheduledEventJSONBody,
 } from "discord-api-types/v10";
+import { timestampMsToIsoString } from "openclaw/plugin-sdk/number-runtime";
 import { normalizeOptionalLowercaseString } from "openclaw/plugin-sdk/string-coerce-runtime";
 import { loadWebMediaRaw } from "openclaw/plugin-sdk/web-media";
 import {
@@ -139,7 +140,10 @@ export async function timeoutMemberDiscord(
   let until = payload.until;
   if (!until && payload.durationMinutes) {
     const ms = payload.durationMinutes * 60 * 1000;
-    until = new Date(Date.now() + ms).toISOString();
+    until = timestampMsToIsoString(Date.now() + ms);
+    if (!until) {
+      throw new Error("Discord timeout duration is outside the supported Date range");
+    }
   }
   return await timeoutGuildMember(rest, payload.guildId, payload.userId, {
     body: { communication_disabled_until: until ?? null },

extensions/discord/src/voice/realtime.ts

@@ -1,5 +1,9 @@
 import { PassThrough } from "node:stream";
 import type { DiscordAccountConfig, OpenClawConfig } from "openclaw/plugin-sdk/config-contracts";
+import {
+  asDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import {
   buildRealtimeVoiceAgentConsultChatMessage,
   buildRealtimeVoiceAgentConsultPolicyInstructions,
@@ -1497,10 +1501,14 @@ export class DiscordRealtimeVoiceSession implements VoiceRealtimeSession {
       );
       return;
     }
+    const expiresAt = resolveExpiresAtMsFromDurationMs(DISCORD_REALTIME_WAKE_NAME_FOLLOWUP_TTL_MS);
+    if (expiresAt === undefined) {
+      return;
+    }
     this.pendingWakeNameFollowup = {
       context,
       startedAt: turn?.startedAt ?? Date.now(),
-      expiresAt: Date.now() + DISCORD_REALTIME_WAKE_NAME_FOLLOWUP_TTL_MS,
+      expiresAt,
     };
     logger.info(
       `discord voice: realtime wake-name follow-up armed speaker=${context.speakerLabel} voiceSession=${this.params.entry.voiceSessionKey} agent=${this.params.entry.route.agentId}`,
@@ -1510,7 +1518,9 @@ export class DiscordRealtimeVoiceSession implements VoiceRealtimeSession {
   private consumePendingWakeNameFollowup(): TranscriptUtteranceAttribution | undefined {
     const pending = this.pendingWakeNameFollowup;
     this.pendingWakeNameFollowup = undefined;
-    if (!pending || Date.now() > pending.expiresAt) {
+    const now = asDateTimestampMs(Date.now());
+    const expiresAt = pending ? asDateTimestampMs(pending.expiresAt) : undefined;
+    if (!pending || now === undefined || expiresAt === undefined || now > expiresAt) {
       return undefined;
     }
     const currentTurn = this.peekPendingSpeakerTurn();

extensions/discord/src/voice/realtime.wake-name-followup.test.ts

@@ -0,0 +1,68 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { DiscordRealtimeVoiceSession } from "./realtime.js";
+
+type WakeNameFollowupTestSession = {
+  armWakeNameFollowup: () => void;
+  consumePendingWakeNameFollowup: () => unknown;
+  pendingWakeNameFollowup?: unknown;
+  speakerTurns: {
+    consumeAudioContext: () => unknown;
+    peekAudioTurn: () => unknown;
+  };
+};
+
+function createSession(): WakeNameFollowupTestSession {
+  return new DiscordRealtimeVoiceSession({
+    cfg: {},
+    discordConfig: { voice: { realtime: {} } },
+    entry: {
+      voiceSessionKey: "voice-1",
+      route: { agentId: "agent-1" },
+    },
+    mode: "agent-proxy",
+    runAgentTurn: vi.fn(),
+  } as never) as unknown as WakeNameFollowupTestSession;
+}
+
+describe("DiscordRealtimeVoiceSession wake-name follow-up cache", () => {
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  it("arms and consumes a valid wake-name follow-up", () => {
+    const session = createSession();
+    session.speakerTurns = {
+      consumeAudioContext: vi.fn(() => ({
+        userId: "u1",
+        speakerLabel: "Ada",
+        senderIsOwner: true,
+      })),
+      peekAudioTurn: vi.fn(() => undefined),
+    };
+
+    session.armWakeNameFollowup();
+
+    expect(session.consumePendingWakeNameFollowup()).toMatchObject({
+      context: { userId: "u1", speakerLabel: "Ada" },
+    });
+  });
+
+  it("does not arm follow-ups when the expiry would exceed Date range", () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date(8_640_000_000_000_000));
+    const session = createSession();
+    session.speakerTurns = {
+      consumeAudioContext: vi.fn(() => ({
+        userId: "u1",
+        speakerLabel: "Ada",
+        senderIsOwner: true,
+      })),
+      peekAudioTurn: vi.fn(() => undefined),
+    };
+
+    session.armWakeNameFollowup();
+
+    expect(session.pendingWakeNameFollowup).toBeUndefined();
+    expect(session.consumePendingWakeNameFollowup()).toBeUndefined();
+  });
+});

extensions/discord/src/voice/speaker-context.test.ts

@@ -0,0 +1,57 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import type { Client } from "../internal/discord.js";
+import { DiscordVoiceSpeakerContextResolver } from "./speaker-context.js";
+
+function createClient(fetchMember: ReturnType<typeof vi.fn>): Client {
+  return {
+    fetchMember,
+    fetchUser: vi.fn(),
+  } as unknown as Client;
+}
+
+describe("DiscordVoiceSpeakerContextResolver", () => {
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  it("reuses cached speaker context for repeated speaker lookups", async () => {
+    const fetchMember = vi.fn().mockResolvedValue({
+      nickname: "Ada",
+      roles: [],
+      user: { id: "u1", username: "ada", globalName: "Ada" },
+    });
+    const resolver = new DiscordVoiceSpeakerContextResolver({
+      client: createClient(fetchMember),
+    });
+
+    await expect(resolver.resolveContext("g1", "u1")).resolves.toMatchObject({ label: "Ada" });
+    await expect(resolver.resolveContext("g1", "u1")).resolves.toMatchObject({ label: "Ada" });
+
+    expect(fetchMember).toHaveBeenCalledTimes(1);
+  });
+
+  it("does not cache speaker context when the cache expiry would exceed Date range", async () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date(8_640_000_000_000_000));
+    const fetchMember = vi
+      .fn()
+      .mockResolvedValueOnce({
+        nickname: "Ada",
+        roles: [],
+        user: { id: "u1", username: "ada", globalName: "Ada" },
+      })
+      .mockResolvedValueOnce({
+        nickname: "Grace",
+        roles: [],
+        user: { id: "u1", username: "grace", globalName: "Grace" },
+      });
+    const resolver = new DiscordVoiceSpeakerContextResolver({
+      client: createClient(fetchMember),
+    });
+
+    await expect(resolver.resolveContext("g1", "u1")).resolves.toMatchObject({ label: "Ada" });
+    await expect(resolver.resolveContext("g1", "u1")).resolves.toMatchObject({ label: "Grace" });
+
+    expect(fetchMember).toHaveBeenCalledTimes(2);
+  });
+});

extensions/discord/src/voice/speaker-context.ts

@@ -1,3 +1,7 @@
+import {
+  asDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import type { Client } from "../internal/discord.js";
 import { resolveDiscordOwnerAccess } from "../monitor/allow-list.js";
 import { formatDiscordUserTag } from "../monitor/format.js";
@@ -104,7 +108,9 @@ export class DiscordVoiceSpeakerContextResolver {
     if (!cached) {
       return undefined;
     }
-    if (cached.expiresAt <= Date.now()) {
+    const now = asDateTimestampMs(Date.now());
+    const expiresAt = asDateTimestampMs(cached.expiresAt);
+    if (now === undefined || expiresAt === undefined || expiresAt <= now) {
       this.cache.delete(key);
       return undefined;
     }
@@ -119,9 +125,12 @@ export class DiscordVoiceSpeakerContextResolver {
 
   private setCachedContext(guildId: string, userId: string, context: VoiceSpeakerContext): void {
     const key = this.resolveCacheKey(guildId, userId);
-    this.cache.set(key, {
-      ...context,
-      expiresAt: Date.now() + SPEAKER_CONTEXT_CACHE_TTL_MS,
-    });
+    const expiresAt = resolveExpiresAtMsFromDurationMs(SPEAKER_CONTEXT_CACHE_TTL_MS);
+    if (expiresAt !== undefined) {
+      this.cache.set(key, {
+        ...context,
+        expiresAt,
+      });
+    }
   }
 }

extensions/feishu/src/bot-group-name.test.ts

@@ -84,6 +84,37 @@ describe("resolveGroupName", () => {
     expect(mockGetChatInfo).toHaveBeenCalledOnce(); // only 1 API call
   });
 
+  it("does not cache group names when the expiry would exceed a valid Date", async () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date(8_640_000_000_000_000));
+    try {
+      mockGetChatInfo.mockResolvedValue({ name: "Boundary Group" });
+
+      const first = await resolveGroupName({ account, chatId: "oc_boundary", log });
+      const second = await resolveGroupName({ account, chatId: "oc_boundary", log });
+
+      expect(first).toBe("Boundary Group");
+      expect(second).toBe("Boundary Group");
+      expect(mockGetChatInfo).toHaveBeenCalledTimes(2);
+    } finally {
+      vi.useRealTimers();
+    }
+  });
+
+  it("evicts cached group names when the current clock is invalid", async () => {
+    mockGetChatInfo.mockResolvedValue({ name: "Cached Group" });
+    await resolveGroupName({ account, chatId: "oc_invalid_clock", log });
+    const dateNow = vi.spyOn(Date, "now").mockReturnValue(Number.NaN);
+    try {
+      const result = await resolveGroupName({ account, chatId: "oc_invalid_clock", log });
+
+      expect(result).toBe("Cached Group");
+    } finally {
+      dateNow.mockRestore();
+    }
+    expect(mockGetChatInfo).toHaveBeenCalledTimes(2);
+  });
+
   it("caches negative result (API failure) and skips retry", async () => {
     mockGetChatInfo.mockRejectedValue(new Error("fail"));
     await resolveGroupName({ account, chatId: "oc_test5", log });

extensions/feishu/src/bot-sender-name.test.ts

@@ -0,0 +1,67 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { resolveFeishuSenderName } from "./bot-sender-name.js";
+import { FeishuConfigSchema } from "./config-schema.js";
+import type { ResolvedFeishuAccount } from "./types.js";
+
+const createFeishuClientMock = vi.hoisted(() => vi.fn());
+
+vi.mock("./client.js", () => ({
+  createFeishuClient: createFeishuClientMock,
+}));
+
+const account = {
+  accountId: "main",
+  selectionSource: "explicit",
+  enabled: true,
+  configured: true,
+  appId: "app-id",
+  appSecret: "secret",
+  domain: "feishu",
+  config: FeishuConfigSchema.parse({}),
+} satisfies ResolvedFeishuAccount;
+
+function mockUserNames(...names: string[]): ReturnType<typeof vi.fn> {
+  const get = vi.fn();
+  for (const name of names) {
+    get.mockResolvedValueOnce({ data: { user: { name } } });
+  }
+  createFeishuClientMock.mockReturnValue({
+    contact: { user: { get } },
+  });
+  return get;
+}
+
+describe("resolveFeishuSenderName", () => {
+  afterEach(() => {
+    vi.useRealTimers();
+    createFeishuClientMock.mockReset();
+  });
+
+  it("reuses a cached sender name within the TTL", async () => {
+    const get = mockUserNames("Ada");
+
+    await expect(
+      resolveFeishuSenderName({ account, senderId: "ou_sender_cache", log: vi.fn() }),
+    ).resolves.toEqual({ name: "Ada" });
+    await expect(
+      resolveFeishuSenderName({ account, senderId: "ou_sender_cache", log: vi.fn() }),
+    ).resolves.toEqual({ name: "Ada" });
+
+    expect(get).toHaveBeenCalledTimes(1);
+  });
+
+  it("does not cache sender names when the expiry would exceed Date range", async () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date(8_640_000_000_000_000));
+    const get = mockUserNames("Ada", "Grace");
+
+    await expect(
+      resolveFeishuSenderName({ account, senderId: "ou_sender_overflow", log: vi.fn() }),
+    ).resolves.toEqual({ name: "Ada" });
+    await expect(
+      resolveFeishuSenderName({ account, senderId: "ou_sender_overflow", log: vi.fn() }),
+    ).resolves.toEqual({ name: "Grace" });
+
+    expect(get).toHaveBeenCalledTimes(2);
+  });
+});

extensions/feishu/src/bot-sender-name.ts

@@ -1,3 +1,7 @@
+import {
+  asDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import { normalizeLowercaseStringOrEmpty } from "openclaw/plugin-sdk/string-coerce-runtime";
 import { createFeishuClient } from "./client.js";
 import type { ResolvedFeishuAccount } from "./types.js";
@@ -89,10 +93,14 @@ export async function resolveFeishuSenderName(params: {
   }
 
   const cached = senderNameCache.get(normalizedSenderId);
-  const now = Date.now();
-  if (cached && cached.expireAt > now) {
+  const now = asDateTimestampMs(Date.now());
+  const cachedExpireAt = cached ? asDateTimestampMs(cached.expireAt) : undefined;
+  if (cached && now !== undefined && cachedExpireAt !== undefined && cachedExpireAt > now) {
     return { name: cached.name };
   }
+  if (cached) {
+    senderNameCache.delete(normalizedSenderId);
+  }
 
   try {
     const client = createFeishuClient(account);
@@ -105,7 +113,10 @@ export async function resolveFeishuSenderName(params: {
     const name = user?.name ?? user?.nickname ?? user?.en_name;
 
     if (name) {
-      senderNameCache.set(normalizedSenderId, { name, expireAt: now + SENDER_NAME_TTL_MS });
+      const expireAt = resolveExpiresAtMsFromDurationMs(SENDER_NAME_TTL_MS);
+      if (expireAt !== undefined) {
+        senderNameCache.set(normalizedSenderId, { name, expireAt });
+      }
       return { name };
     }
     return {};

extensions/feishu/src/bot.card-action.test.ts

@@ -270,6 +270,45 @@ describe("Feishu Card Action Handler", () => {
     expect(handleFeishuMessage).not.toHaveBeenCalled();
   });
 
+  it("does not open approval cards when the expiry would exceed a valid Date", async () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date(8_640_000_000_000_000));
+    try {
+      const event: FeishuCardActionEvent = {
+        operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+        token: "tok4-boundary",
+        action: {
+          value: createFeishuCardInteractionEnvelope({
+            k: "meta",
+            a: FEISHU_APPROVAL_REQUEST_ACTION,
+            m: {
+              command: "/new",
+              prompt: "Start a fresh session?",
+            },
+            c: {
+              u: "u123",
+              h: "chat1",
+              t: "group",
+              s: "agent:codex:feishu:chat:chat1",
+              e: 8_640_000_000_000_000,
+            },
+          }),
+          tag: "button",
+        },
+        context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+      };
+
+      await handleFeishuCardAction({ cfg, event, runtime, accountId: "main" });
+
+      expect(sendCardFeishuMock).not.toHaveBeenCalled();
+      const sendMessage = sendMessageCall();
+      expect(sendMessage.to).toBe("chat:chat1");
+      expect(String(sendMessage.text)).toContain("payload is invalid");
+    } finally {
+      vi.useRealTimers();
+    }
+  });
+
   it("runs approval confirmation through the normal message path", async () => {
     const event = createStructuredQuickActionEvent({
       token: "tok5",
@@ -376,6 +415,39 @@ describe("Feishu Card Action Handler", () => {
     expect(createFeishuClientMock).toHaveBeenCalledTimes(1);
   });
 
+  it("does not cache resolved chat type when expiry would exceed a valid Date", async () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date(8_640_000_000_000_000));
+    try {
+      const getChat = vi.fn().mockResolvedValue({ code: 0, data: { chat_type: "p2p" } });
+      createFeishuClientMock.mockReturnValue({
+        im: {
+          chat: {
+            get: getChat,
+          },
+        },
+      });
+      const firstEvent = createCardActionEvent({
+        token: "tok9b-boundary-1",
+        chatId: "oc_dm_chat_boundary",
+        actionValue: { text: "/help" },
+      });
+      const secondEvent = createCardActionEvent({
+        token: "tok9b-boundary-2",
+        chatId: "oc_dm_chat_boundary",
+        actionValue: { text: "/help" },
+      });
+
+      await handleFeishuCardAction({ cfg, event: firstEvent, runtime });
+      await handleFeishuCardAction({ cfg, event: secondEvent, runtime });
+
+      expect(getChat).toHaveBeenCalledTimes(2);
+      expect(handleFeishuMessage).toHaveBeenCalledTimes(2);
+    } finally {
+      vi.useRealTimers();
+    }
+  });
+
   it("uses resolved DM chat type when building approval cards without stored context", async () => {
     createFeishuClientMock.mockReturnValueOnce({
       im: {
@@ -459,6 +531,20 @@ describe("Feishu Card Action Handler", () => {
     expect(handleFeishuMessage).toHaveBeenCalledTimes(1);
   });
 
+  it("does not cache callback tokens when token ttl expiry overflows", async () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date(8_640_000_000_000_000));
+    const event = createCardActionEvent({
+      token: "tok10-boundary",
+      actionValue: { text: "/help" },
+    });
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(handleFeishuMessage).toHaveBeenCalledTimes(2);
+  });
+
   it("rejects empty callback tokens before dispatch", async () => {
     const log = vi.fn();
     const event = createStructuredQuickActionEvent({

extensions/feishu/src/bot.ts

@@ -10,7 +10,11 @@ import {
   resolveConfiguredBindingRoute,
   resolveRuntimeConversationBindingRoute,
 } from "openclaw/plugin-sdk/conversation-runtime";
-import { parseStrictNonNegativeInteger } from "openclaw/plugin-sdk/number-runtime";
+import {
+  asDateTimestampMs,
+  parseStrictNonNegativeInteger,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import {
   DEFAULT_GROUP_HISTORY_LIMIT,
   createChannelHistoryWindow,
@@ -108,9 +112,14 @@ function isFeishuTopicSessionScope(scope: FeishuGroupSessionScope): boolean {
 }
 
 function evictGroupNameCache(): void {
-  const now = Date.now();
+  const now = asDateTimestampMs(Date.now());
+  if (now === undefined) {
+    groupNameCache.clear();
+    return;
+  }
   for (const [key, val] of groupNameCache) {
-    if (val.expiresAt <= now) {
+    const expiresAt = asDateTimestampMs(val.expiresAt);
+    if (expiresAt === undefined || expiresAt <= now) {
       groupNameCache.delete(key);
     }
   }
@@ -128,9 +137,12 @@ function evictGroupNameCache(): void {
   }
 }
 
-function setCacheEntry(key: string, value: { name: string; expiresAt: number }): void {
+function setCacheEntry(key: string, name: string): void {
+  const expiresAt = resolveExpiresAtMsFromDurationMs(GROUP_NAME_CACHE_TTL_MS);
   groupNameCache.delete(key);
-  groupNameCache.set(key, value);
+  if (expiresAt !== undefined) {
+    groupNameCache.set(key, { name, expiresAt });
+  }
 }
 
 export function clearGroupNameCache(): void {
@@ -150,37 +162,34 @@ export async function resolveGroupName(params: {
   const cacheKey = `${account.accountId}:${chatId}`;
 
   const cached = groupNameCache.get(cacheKey);
-  if (cached && cached.expiresAt > Date.now()) {
-    return cached.name || undefined;
+  if (cached) {
+    const now = asDateTimestampMs(Date.now());
+    const expiresAt = asDateTimestampMs(cached.expiresAt);
+    if (now !== undefined && expiresAt !== undefined && expiresAt > now) {
+      return cached.name || undefined;
+    }
+    groupNameCache.delete(cacheKey);
   }
 
+  let resolvedName: string | undefined;
   try {
     const client = createFeishuClient(account);
     const chatInfo = await getChatInfo(client, chatId);
     const name = chatInfo?.name?.trim();
     if (name) {
-      setCacheEntry(cacheKey, {
-        name,
-        expiresAt: Date.now() + GROUP_NAME_CACHE_TTL_MS,
-      });
+      setCacheEntry(cacheKey, name);
+      resolvedName = name;
     } else {
-      setCacheEntry(cacheKey, {
-        name: "",
-        expiresAt: Date.now() + GROUP_NAME_CACHE_TTL_MS,
-      });
+      setCacheEntry(cacheKey, "");
     }
   } catch (err) {
     log(`feishu[${account.accountId}]: getChatInfo failed for ${chatId}: ${String(err)}`);
-    setCacheEntry(cacheKey, {
-      name: "",
-      expiresAt: Date.now() + GROUP_NAME_CACHE_TTL_MS,
-    });
+    setCacheEntry(cacheKey, "");
   }
 
-  const result = groupNameCache.get(cacheKey)?.name || undefined;
   evictGroupNameCache();
 
-  return result;
+  return resolvedName;
 }
 
 async function resolveFeishuAudioPreflightTranscript(params: {

extensions/feishu/src/card-action.ts

@@ -1,3 +1,8 @@
+import {
+  asDateTimestampMs,
+  isFutureDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import type { ClawdbotConfig, RuntimeEnv } from "../runtime-api.js";
 import { resolveFeishuRuntimeAccount } from "./accounts.js";
 import { handleFeishuMessage, type FeishuMessageEvent } from "./bot.js";
@@ -47,16 +52,26 @@ export class FeishuRetryableCardActionError extends Error {
 
 export function resetProcessedFeishuCardActionTokensForTests(): void {
   processedCardActionTokens.clear();
+  resolvedChatTypeCache.clear();
 }
 
 function pruneProcessedCardActionTokens(now: number): void {
+  const validNow = asDateTimestampMs(now);
+  if (validNow === undefined) {
+    processedCardActionTokens.clear();
+    return;
+  }
   for (const [key, entry] of processedCardActionTokens.entries()) {
-    if (entry.expiresAt <= now) {
+    if (!isFutureDateTimestampMs(entry.expiresAt, { nowMs: validNow })) {
       processedCardActionTokens.delete(key);
     }
   }
 }
 
+function resolveProcessedCardActionTokenExpiresAt(now: number): number | undefined {
+  return resolveExpiresAtMsFromDurationMs(FEISHU_CARD_ACTION_TOKEN_TTL_MS, { nowMs: now });
+}
+
 function beginFeishuCardActionToken(params: {
   token: string;
   accountId: string;
@@ -70,13 +85,17 @@ function beginFeishuCardActionToken(params: {
   }
   const key = `${params.accountId}:${normalizedToken}`;
   const existing = processedCardActionTokens.get(key);
-  if (existing && existing.expiresAt > now) {
+  if (existing && isFutureDateTimestampMs(existing.expiresAt, { nowMs: now })) {
     return false;
   }
-  processedCardActionTokens.set(key, {
-    status: "inflight",
-    expiresAt: now + FEISHU_CARD_ACTION_TOKEN_TTL_MS,
-  });
+  processedCardActionTokens.delete(key);
+  const expiresAt = resolveProcessedCardActionTokenExpiresAt(now);
+  if (expiresAt !== undefined) {
+    processedCardActionTokens.set(key, {
+      status: "inflight",
+      expiresAt,
+    });
+  }
   return true;
 }
 
@@ -90,9 +109,15 @@ function completeFeishuCardActionToken(params: {
   if (!normalizedToken) {
     return;
   }
-  processedCardActionTokens.set(`${params.accountId}:${normalizedToken}`, {
+  const key = `${params.accountId}:${normalizedToken}`;
+  const expiresAt = resolveProcessedCardActionTokenExpiresAt(now);
+  if (expiresAt === undefined) {
+    processedCardActionTokens.delete(key);
+    return;
+  }
+  processedCardActionTokens.set(key, {
     status: "completed",
-    expiresAt: now + FEISHU_CARD_ACTION_TOKEN_TTL_MS,
+    expiresAt,
   });
 }
 
@@ -185,8 +210,14 @@ const CHAT_TYPE_CACHE_TTL_MS = 30 * 60_000;
 const CHAT_TYPE_CACHE_MAX_SIZE = 5_000;
 
 function pruneChatTypeCache(now: number): void {
+  const validNow = asDateTimestampMs(now);
+  if (validNow === undefined) {
+    resolvedChatTypeCache.clear();
+    return;
+  }
   for (const [key, entry] of resolvedChatTypeCache.entries()) {
-    if (entry.expiresAt <= now) {
+    const expiresAt = asDateTimestampMs(entry.expiresAt);
+    if (expiresAt === undefined || expiresAt <= validNow) {
       resolvedChatTypeCache.delete(key);
     }
   }
@@ -206,6 +237,25 @@ function sanitizeLogValue(v: string): string {
   return v.replace(/[\r\n]/g, " ").slice(0, 500);
 }
 
+function resolveFeishuApprovalCardExpiresAt(nowRaw = Date.now()): number | undefined {
+  const now = asDateTimestampMs(nowRaw);
+  return now === undefined
+    ? undefined
+    : resolveExpiresAtMsFromDurationMs(FEISHU_APPROVAL_CARD_TTL_MS, { nowMs: now });
+}
+
+function cacheResolvedCardActionChatType(
+  cacheKey: string,
+  value: "p2p" | "group",
+  now: number,
+): void {
+  const expiresAt = resolveExpiresAtMsFromDurationMs(CHAT_TYPE_CACHE_TTL_MS, { nowMs: now });
+  resolvedChatTypeCache.delete(cacheKey);
+  if (expiresAt !== undefined) {
+    resolvedChatTypeCache.set(cacheKey, { value, expiresAt });
+  }
+}
+
 async function resolveCardActionChatType(params: {
   event: FeishuCardActionEvent;
   account: ReturnType<typeof resolveFeishuRuntimeAccount>;
@@ -226,9 +276,13 @@ async function resolveCardActionChatType(params: {
   const now = Date.now();
   pruneChatTypeCache(now);
   const cached = resolvedChatTypeCache.get(cacheKey);
-  if (cached) {
+  const cachedExpiresAt = cached ? asDateTimestampMs(cached.expiresAt) : undefined;
+  if (cached && cachedExpiresAt !== undefined) {
     return cached.value;
   }
+  if (cached) {
+    resolvedChatTypeCache.delete(cacheKey);
+  }
 
   try {
     const response = (await createFeishuClient(params.account).im.chat.get({
@@ -239,10 +293,7 @@ async function resolveCardActionChatType(params: {
         normalizeResolvedCardActionChatType(response.data?.chat_mode) ??
         normalizeResolvedCardActionChatType(response.data?.chat_type);
       if (resolvedChatType) {
-        resolvedChatTypeCache.set(cacheKey, {
-          value: resolvedChatType,
-          expiresAt: now + CHAT_TYPE_CACHE_TTL_MS,
-        });
+        cacheResolvedCardActionChatType(cacheKey, resolvedChatType, now);
         return resolvedChatType;
       }
       params.log(
@@ -349,6 +400,17 @@ export async function handleFeishuCardAction(params: {
           typeof envelope.m?.prompt === "string" && envelope.m.prompt.trim()
             ? envelope.m.prompt
             : `Run \`${command}\` in this Feishu conversation?`;
+        const expiresAt = resolveFeishuApprovalCardExpiresAt();
+        if (expiresAt === undefined) {
+          await sendInvalidInteractionNotice({
+            cfg,
+            event,
+            reason: "malformed",
+            accountId,
+          });
+          completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+          return;
+        }
         await sendCardFeishu({
           cfg,
           to: resolveCallbackTarget(event),
@@ -358,7 +420,7 @@ export async function handleFeishuCardAction(params: {
             command,
             prompt,
             sessionKey: envelope.c?.s,
-            expiresAt: Date.now() + FEISHU_APPROVAL_CARD_TTL_MS,
+            expiresAt,
             chatType: await resolveCardActionChatType({
               event,
               account,

extensions/feishu/src/card-ux-launcher.test.ts

@@ -88,6 +88,25 @@ describe("feishu quick-action launcher", () => {
     expectFirstSentCardUsesFillWidthOnly(sendCardFeishuMock);
   });
 
+  it("does not send launcher cards when expiry would exceed a valid Date", async () => {
+    const runtime: RuntimeEnv = createRuntimeEnv();
+
+    const handled = await maybeHandleFeishuQuickActionMenu({
+      cfg,
+      eventKey: "quick-actions",
+      operatorOpenId: "u123",
+      accountId: "main",
+      runtime,
+      now: 8_640_000_000_000_000,
+    });
+
+    expect(handled).toBe(false);
+    expect(sendCardFeishuMock).not.toHaveBeenCalled();
+    expect(runtime.log).toHaveBeenCalledWith(
+      "feishu[main]: failed to open quick-action launcher for u123: invalid expiry clock",
+    );
+  });
+
   it("falls back to legacy menu handling when launcher send fails", async () => {
     sendCardFeishuMock.mockRejectedValueOnce(new Error("network"));
     const runtime: RuntimeEnv = createRuntimeEnv();

extensions/feishu/src/card-ux-launcher.ts

@@ -1,3 +1,7 @@
+import {
+  asDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import { normalizeOptionalLowercaseString } from "openclaw/plugin-sdk/string-coerce-runtime";
 import type { ClawdbotConfig, RuntimeEnv } from "../runtime-api.js";
 import { createFeishuCardInteractionEnvelope } from "./card-interaction.js";
@@ -96,7 +100,17 @@ export async function maybeHandleFeishuQuickActionMenu(params: {
     return false;
   }
 
-  const expiresAt = (params.now ?? Date.now()) + FEISHU_QUICK_ACTION_CARD_TTL_MS;
+  const now = asDateTimestampMs(params.now ?? Date.now());
+  const expiresAt =
+    now === undefined
+      ? undefined
+      : resolveExpiresAtMsFromDurationMs(FEISHU_QUICK_ACTION_CARD_TTL_MS, { nowMs: now });
+  if (expiresAt === undefined) {
+    params.runtime?.log?.(
+      `feishu[${params.accountId ?? "default"}]: failed to open quick-action launcher for ${params.operatorOpenId}: invalid expiry clock`,
+    );
+    return false;
+  }
   try {
     await sendCardFeishu({
       cfg: params.cfg,

extensions/feishu/src/probe.test.ts

@@ -187,6 +187,32 @@ describe("probeFeishu", () => {
     expect(requestFn).toHaveBeenCalledTimes(1);
   });
 
+  it("does not cache probe results when the expiry would exceed a valid Date", async () => {
+    await withFakeTimers(async () => {
+      vi.setSystemTime(new Date(8_640_000_000_000_000));
+      const requestFn = setupSuccessClient();
+
+      const { first, second } = await readSequentialDefaultProbePair();
+
+      expect(first).toEqual(second);
+      expect(requestFn).toHaveBeenCalledTimes(2);
+    });
+  });
+
+  it("evicts cached probe results when the current clock is invalid", async () => {
+    const requestFn = setupSuccessClient();
+
+    await probeFeishu(DEFAULT_CREDS);
+    const dateNow = vi.spyOn(Date, "now").mockReturnValue(Number.NaN);
+    try {
+      await probeFeishu(DEFAULT_CREDS);
+    } finally {
+      dateNow.mockRestore();
+    }
+
+    expect(requestFn).toHaveBeenCalledTimes(2);
+  });
+
   it("makes a fresh API call after cache expires", async () => {
     await withFakeTimers(async () => {
       const requestFn = setupSuccessClient();

extensions/feishu/src/probe.ts

@@ -1,4 +1,8 @@
 import { formatErrorMessage } from "openclaw/plugin-sdk/error-runtime";
+import {
+  asDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import { raceWithTimeoutAndAbort } from "./async.js";
 import { createFeishuClient, type FeishuClientCredentials } from "./client.js";
 import type { FeishuProbeResult } from "./types.js";
@@ -38,7 +42,12 @@ function setCachedProbeResult(
   result: FeishuProbeResult,
   ttlMs: number,
 ): FeishuProbeResult {
-  probeCache.set(cacheKey, { result, expiresAt: Date.now() + ttlMs });
+  const expiresAt = resolveExpiresAtMsFromDurationMs(ttlMs);
+  if (expiresAt === undefined) {
+    probeCache.delete(cacheKey);
+    return result;
+  }
+  probeCache.set(cacheKey, { result, expiresAt });
   if (probeCache.size > MAX_PROBE_CACHE_SIZE) {
     const oldest = probeCache.keys().next().value;
     if (oldest !== undefined) {
@@ -74,8 +83,13 @@ export async function probeFeishu(
   // pollute each other's cache entry.
   const cacheKey = creds.accountId ?? `${creds.appId}:${creds.appSecret.slice(0, 8)}`;
   const cached = probeCache.get(cacheKey);
-  if (cached && cached.expiresAt > Date.now()) {
-    return cached.result;
+  if (cached) {
+    const now = asDateTimestampMs(Date.now());
+    const expiresAt = asDateTimestampMs(cached.expiresAt);
+    if (now !== undefined && expiresAt !== undefined && expiresAt > now) {
+      return cached.result;
+    }
+    probeCache.delete(cacheKey);
   }
 
   try {

extensions/feishu/src/setup-surface.ts

@@ -251,6 +251,13 @@ function applyNewAppSecurityPolicy(
 // Scan-to-create flow
 // ---------------------------------------------------------------------------
 
+let appRegistrationModulePromise: Promise<typeof import("./app-registration.js")> | null = null;
+
+const loadAppRegistrationModule = async () => {
+  appRegistrationModulePromise ??= import("./app-registration.js");
+  return await appRegistrationModulePromise;
+};
+
 async function promptFeishuDomain(params: {
   prompter: WizardPrompter;
   initialValue?: FeishuDomain;
@@ -281,7 +288,7 @@ async function runScanToCreate(
   domain: FeishuDomain,
 ): Promise<AppRegistrationResult | null> {
   const { beginAppRegistration, initAppRegistration, pollAppRegistration, printQrCode } =
-    await import("./app-registration.js");
+    await loadAppRegistrationModule();
   try {
     await initAppRegistration(domain);
   } catch {
@@ -392,7 +399,7 @@ async function runNewAppFlow(params: {
 
     // Fetch openId via API for manual flow.
     if (appId && appSecretProbeValue) {
-      const { getAppOwnerOpenId } = await import("./app-registration.js");
+      const { getAppOwnerOpenId } = await loadAppRegistrationModule();
       scanOpenId = await getAppOwnerOpenId({
         appId,
         appSecret: appSecretProbeValue,

extensions/feishu/src/streaming-card.test.ts

@@ -50,6 +50,7 @@ describe("FeishuStreamingSession", () => {
   });
 
   afterEach(() => {
+    vi.restoreAllMocks();
     vi.useRealTimers();
   });
 
@@ -111,6 +112,45 @@ describe("FeishuStreamingSession", () => {
     );
   }
 
+  function mockStreamingTokenStart(resolveAuthJson: (token: string) => Record<string, unknown>): {
+    authTokens: string[];
+    client: ConstructorParameters<typeof FeishuStreamingSession>[0];
+  } {
+    const release = vi.fn(async () => {});
+    const authTokens: string[] = [];
+    fetchWithSsrFGuardMock.mockImplementation(
+      async ({ url }: { url: string; init?: { body?: string } }) => {
+        if (url.includes("/auth/")) {
+          const token = `token-${authTokens.length + 1}`;
+          authTokens.push(token);
+          return {
+            response: { ok: true, json: async () => resolveAuthJson(token) },
+            release,
+          };
+        }
+        return {
+          response: {
+            ok: true,
+            json: async () => ({
+              code: 0,
+              msg: "ok",
+              data: { card_id: `card-${authTokens.length}` },
+            }),
+          },
+          release,
+        };
+      },
+    );
+    const client = {
+      im: {
+        message: {
+          create: vi.fn(async () => ({ code: 0, msg: "ok", data: { message_id: "om_1" } })),
+        },
+      },
+    } as unknown as ConstructorParameters<typeof FeishuStreamingSession>[0];
+    return { authTokens, client };
+  }
+
   it("flushes throttled pending text after the throttle window", async () => {
     vi.useFakeTimers();
     vi.setSystemTime(1_000);
@@ -346,46 +386,12 @@ describe("FeishuStreamingSession", () => {
   it("bounds streaming token cache lifetime when token expiry overflows", async () => {
     vi.useFakeTimers();
     vi.setSystemTime(new Date("2026-05-29T12:00:00.000Z"));
-    const release = vi.fn(async () => {});
-    const authTokens: string[] = [];
-    fetchWithSsrFGuardMock.mockImplementation(
-      async ({ url }: { url: string; init?: { body?: string } }) => {
-        if (url.includes("/auth/")) {
-          const token = `token-${authTokens.length + 1}`;
-          authTokens.push(token);
-          return {
-            response: {
-              ok: true,
-              json: async () => ({
-                code: 0,
-                msg: "ok",
-                tenant_access_token: token,
-                expire: Number.MAX_SAFE_INTEGER,
-              }),
-            },
-            release,
-          };
-        }
-        return {
-          response: {
-            ok: true,
-            json: async () => ({
-              code: 0,
-              msg: "ok",
-              data: { card_id: `card-${authTokens.length}` },
-            }),
-          },
-          release,
-        };
-      },
-    );
-    const client = {
-      im: {
-        message: {
-          create: vi.fn(async () => ({ code: 0, msg: "ok", data: { message_id: "om_1" } })),
-        },
-      },
-    } as never;
+    const { authTokens, client } = mockStreamingTokenStart((token) => ({
+      code: 0,
+      msg: "ok",
+      tenant_access_token: token,
+      expire: Number.MAX_SAFE_INTEGER,
+    }));
 
     await new FeishuStreamingSession(client, {
       appId: "app_unsafe_token_expiry",
@@ -401,6 +407,55 @@ describe("FeishuStreamingSession", () => {
 
     expect(authTokens).toEqual(["token-1", "token-2"]);
   });
+
+  it("bounds streaming token fallback lifetime when the process clock is invalid", async () => {
+    const dateNow = vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_001);
+    const { authTokens, client } = mockStreamingTokenStart((token) => ({
+      code: 0,
+      msg: "ok",
+      tenant_access_token: token,
+    }));
+
+    await new FeishuStreamingSession(client, {
+      appId: "app_invalid_clock_token_expiry",
+      appSecret: "secret",
+    }).start("chat_id", "open_id");
+    expect(authTokens).toEqual(["token-1"]);
+
+    dateNow.mockReturnValue(7200 * 1000 - 60_000 + 1);
+    await new FeishuStreamingSession(client, {
+      appId: "app_invalid_clock_token_expiry",
+      appSecret: "secret",
+    }).start("chat_id", "open_id");
+
+    expect(authTokens).toEqual(["token-1", "token-2"]);
+    dateNow.mockRestore();
+  });
+
+  it("treats an invalid process clock as a streaming token cache miss", async () => {
+    const dateNow = vi.spyOn(Date, "now").mockReturnValue(Date.parse("2026-05-29T12:00:00.000Z"));
+    const { authTokens, client } = mockStreamingTokenStart((token) => ({
+      code: 0,
+      msg: "ok",
+      tenant_access_token: token,
+      expire: 7200,
+    }));
+
+    await new FeishuStreamingSession(client, {
+      appId: "app_invalid_clock_cache_miss",
+      appSecret: "secret",
+    }).start("chat_id", "open_id");
+    expect(authTokens).toEqual(["token-1"]);
+
+    dateNow.mockReturnValue(8_640_000_000_000_001);
+    await new FeishuStreamingSession(client, {
+      appId: "app_invalid_clock_cache_miss",
+      appSecret: "secret",
+    }).start("chat_id", "open_id");
+
+    expect(authTokens).toEqual(["token-1", "token-2"]);
+    dateNow.mockRestore();
+  });
 });
 
 describe("mergeStreamingText", () => {

extensions/feishu/src/streaming-card.ts

@@ -3,7 +3,11 @@
  */
 
 import type { Client } from "@larksuiteoapi/node-sdk";
-import { resolveExpiresAtMsFromDurationSeconds } from "openclaw/plugin-sdk/number-runtime";
+import {
+  asDateTimestampMs,
+  resolveDateTimestampMs,
+  resolveExpiresAtMsFromDurationSeconds,
+} from "openclaw/plugin-sdk/number-runtime";
 import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
 import { getFeishuUserAgent } from "./client.js";
 import { resolveFeishuCardTemplate, type CardHeaderConfig } from "./send.js";
@@ -48,13 +52,17 @@ const FEISHU_STREAMING_TOKEN_DEFAULT_LIFETIME_SECONDS = 7200;
 // Token cache (keyed by domain + appId)
 const tokenCache = new Map<string, { token: string; expiresAt: number }>();
 
-function resolveStreamingTokenExpiresAt(value: unknown): number {
+function resolveStreamingTokenExpiresAt(value: unknown, nowMs = Date.now()): number {
+  const now = resolveDateTimestampMs(nowMs);
   if (typeof value === "number" && Number.isFinite(value) && value <= 0) {
-    return Date.now();
+    return now;
   }
   return (
-    resolveExpiresAtMsFromDurationSeconds(value) ??
-    Date.now() + FEISHU_STREAMING_TOKEN_DEFAULT_LIFETIME_SECONDS * 1000
+    resolveExpiresAtMsFromDurationSeconds(value, { nowMs: now }) ??
+    resolveExpiresAtMsFromDurationSeconds(FEISHU_STREAMING_TOKEN_DEFAULT_LIFETIME_SECONDS, {
+      nowMs: now,
+    }) ??
+    now
   );
 }
 
@@ -85,7 +93,11 @@ function resolveAllowedHostnames(domain?: FeishuDomain): string[] {
 async function getToken(creds: Credentials): Promise<string> {
   const key = `${creds.domain ?? "feishu"}|${creds.appId}`;
   const cached = tokenCache.get(key);
-  if (cached && cached.expiresAt > Date.now() + 60000) {
+  const rawNow = Date.now();
+  const hasValidClock = asDateTimestampMs(rawNow) !== undefined;
+  const now = resolveDateTimestampMs(rawNow);
+  const minUsableExpiresAt = resolveExpiresAtMsFromDurationSeconds(60, { nowMs: now }) ?? now;
+  if (cached && hasValidClock && cached.expiresAt > minUsableExpiresAt) {
     return cached.token;
   }
 
@@ -115,7 +127,7 @@ async function getToken(creds: Credentials): Promise<string> {
   }
   tokenCache.set(key, {
     token: data.tenant_access_token,
-    expiresAt: resolveStreamingTokenExpiresAt(data.expire),
+    expiresAt: resolveStreamingTokenExpiresAt(data.expire, now),
   });
   return data.tenant_access_token;
 }

extensions/feishu/subagent-hooks-api.ts

@@ -23,9 +23,3 @@ export function registerFeishuSubagentHooks(api: OpenClawPluginApi): void {
     handleFeishuSubagentEnded(event);
   });
 }
-
-export {
-  handleFeishuSubagentDeliveryTarget,
-  handleFeishuSubagentEnded,
-  handleFeishuSubagentSpawning,
-} from "./src/subagent-hooks.js";

extensions/google-meet/index.ts

@@ -37,6 +37,19 @@ import { handleGoogleMeetNodeHostCommand } from "./src/node-host.js";
 import { GoogleMeetRuntime } from "./src/runtime.js";
 import { isGoogleMeetBrowserManualActionError } from "./src/transports/chrome-create.js";
 
+let googleMeetCreateModulePromise: Promise<typeof import("./src/create.js")> | null = null;
+let googleMeetCliModulePromise: Promise<typeof import("./src/cli.js")> | null = null;
+
+const loadGoogleMeetCreateModule = async () => {
+  googleMeetCreateModulePromise ??= import("./src/create.js");
+  return await googleMeetCreateModulePromise;
+};
+
+const loadGoogleMeetCliModule = async () => {
+  googleMeetCliModulePromise ??= import("./src/cli.js");
+  return await googleMeetCliModulePromise;
+};
+
 const googleMeetConfigSchema = {
   parse(value: unknown) {
     return resolveGoogleMeetConfig(value);
@@ -493,7 +506,7 @@ async function createMeetFromParams(params: {
   runtime: OpenClawPluginApi["runtime"];
   raw: Record<string, unknown>;
 }) {
-  const create = await import("./src/create.js");
+  const create = await loadGoogleMeetCreateModule();
   return create.createMeetFromParams(params);
 }
 
@@ -503,7 +516,7 @@ async function createAndJoinMeetFromParams(params: {
   raw: Record<string, unknown>;
   ensureRuntime: () => Promise<GoogleMeetRuntime>;
 }) {
-  const create = await import("./src/create.js");
+  const create = await loadGoogleMeetCreateModule();
   return create.createAndJoinMeetFromParams(params);
 }
 
@@ -615,7 +628,7 @@ async function exportGoogleMeetBundleFromParams(
     }),
   ]);
   const { buildGoogleMeetExportManifest, googleMeetExportFileNames, writeMeetExportBundle } =
-    await import("./src/cli.js");
+    await loadGoogleMeetCliModule();
   const calendarId = normalizeOptionalString(raw.calendarId);
   const request = {
     ...(resolved.meeting ? { meeting: resolved.meeting } : {}),
@@ -1189,7 +1202,7 @@ export default definePluginEntry({
 
     api.registerCli(
       async ({ program }) => {
-        const { registerGoogleMeetCli } = await import("./src/cli.js");
+        const { registerGoogleMeetCli } = await loadGoogleMeetCliModule();
         registerGoogleMeetCli({
           program,
           config,

extensions/google-meet/src/oauth.test.ts

@@ -7,6 +7,7 @@ import {
 
 describe("Google Meet OAuth", () => {
   afterEach(() => {
+    vi.restoreAllMocks();
     vi.unstubAllGlobals();
     vi.useRealTimers();
   });
@@ -117,6 +118,27 @@ describe("Google Meet OAuth", () => {
     expect(tokens.expiresAt).toBe(Date.now() + 3600 * 1000);
   });
 
+  it("bounds fallback token lifetimes when the process clock is invalid", async () => {
+    vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_001);
+    const fetchMock = vi.fn(async (_input: RequestInfo | URL, _init?: RequestInit) => {
+      return new Response(
+        JSON.stringify({
+          access_token: "new-access-token",
+          expires_in: Number.MAX_SAFE_INTEGER,
+        }),
+        { status: 200, headers: { "Content-Type": "application/json" } },
+      );
+    });
+    vi.stubGlobal("fetch", fetchMock);
+
+    const tokens = await refreshGoogleMeetAccessToken({
+      clientId: "client-id",
+      refreshToken: "refresh-token",
+    });
+
+    expect(tokens.expiresAt).toBe(3600 * 1000);
+  });
+
   it("keeps explicit zero-second token lifetimes immediately stale", async () => {
     vi.useFakeTimers();
     vi.setSystemTime(new Date("2026-05-29T12:00:00.000Z"));

extensions/google-meet/src/oauth.ts

@@ -1,5 +1,6 @@
 import {
   MAX_DATE_TIMESTAMP_MS,
+  resolveDateTimestampMs,
   resolveExpiresAtMsFromDurationSeconds,
 } from "openclaw/plugin-sdk/number-runtime";
 import { generateHexPkceVerifierChallenge } from "openclaw/plugin-sdk/provider-auth";
@@ -24,13 +25,17 @@ const GOOGLE_MEET_SCOPES = [
   "https://www.googleapis.com/auth/drive.meet.readonly",
 ] as const;
 
-function resolveGoogleMeetTokenExpiresAt(value: unknown): number {
+function resolveGoogleMeetTokenExpiresAt(value: unknown, nowMs = Date.now()): number {
+  const now = resolveDateTimestampMs(nowMs);
   if (typeof value === "number" && Number.isFinite(value) && value <= 0) {
-    return Date.now();
+    return now;
   }
   return (
-    resolveExpiresAtMsFromDurationSeconds(value) ??
-    Date.now() + GOOGLE_MEET_DEFAULT_TOKEN_LIFETIME_SECONDS * 1000
+    resolveExpiresAtMsFromDurationSeconds(value, { nowMs: now }) ??
+    resolveExpiresAtMsFromDurationSeconds(GOOGLE_MEET_DEFAULT_TOKEN_LIFETIME_SECONDS, {
+      nowMs: now,
+    }) ??
+    now
   );
 }
 

extensions/google/gemini-cli-provider.ts

@@ -20,6 +20,13 @@ const ENV_VARS = [
   "GEMINI_CLI_OAUTH_CLIENT_SECRET",
 ] as const;
 
+let oauthRuntimeModulePromise: Promise<typeof import("./oauth.runtime.js")> | null = null;
+
+const loadOauthRuntimeModule = async () => {
+  oauthRuntimeModulePromise ??= import("./oauth.runtime.js");
+  return await oauthRuntimeModulePromise;
+};
+
 async function fetchGeminiCliUsage(ctx: ProviderFetchUsageSnapshotContext) {
   return await fetchGeminiUsage(ctx.token, ctx.timeoutMs, ctx.fetchFn, PROVIDER_ID);
 }
@@ -58,7 +65,7 @@ export function buildGoogleGeminiCliProvider(): ProviderPlugin {
 
           const spin = ctx.prompter.progress("Starting Gemini CLI OAuth…");
           try {
-            const { loginGeminiCliOAuth } = await import("./oauth.runtime.js");
+            const { loginGeminiCliOAuth } = await loadOauthRuntimeModule();
             const result = await loginGeminiCliOAuth({
               isRemote: ctx.isRemote,
               openUrl: ctx.openUrl,
@@ -122,7 +129,7 @@ export function buildGoogleGeminiCliProvider(): ProviderPlugin {
     isModernModelRef: ({ modelId }) => isModernGoogleModel(modelId),
     formatApiKey: (cred) => formatGoogleOauthApiKey(cred),
     refreshOAuth: async (cred) => {
-      const { refreshGeminiCliOAuthToken } = await import("./oauth.runtime.js");
+      const { refreshGeminiCliOAuthToken } = await loadOauthRuntimeModule();
       return await refreshGeminiCliOAuthToken(cred);
     },
     resolveUsageAuth: async (ctx) => {

extensions/google/oauth.test.ts

@@ -951,6 +951,39 @@ describe("loginGeminiCliOAuth", () => {
     expect(result.expires).toBeLessThanOrEqual(beforeRefresh);
   });
 
+  it("keeps invalid clocks out of refreshed Gemini CLI credential expiry", async () => {
+    mockSettingsExistsSync.mockReturnValue(true);
+    mockSettingsReadFileSync.mockReturnValue(
+      JSON.stringify({
+        security: {
+          auth: {
+            selectedType: "oauth-personal",
+          },
+        },
+      }),
+    );
+
+    installGeminiOAuthFetchMock(() => undefined, {
+      tokenResponse: () =>
+        responseJson({
+          access_token: "access-token",
+          expires_in: 3600,
+        }),
+    });
+    const dateNow = vi.spyOn(Date, "now").mockReturnValue(Number.NaN);
+    try {
+      const { refreshTokensForGeminiCli } = await import("./oauth.token.js");
+      const result = await refreshTokensForGeminiCli({
+        refresh: "refresh-token",
+        email: "lobster@openclaw.ai",
+      });
+
+      expect(result.expires).toBe(0);
+    } finally {
+      dateNow.mockRestore();
+    }
+  });
+
   it("keeps unsafe token expiry values out of refreshed Gemini CLI credentials", async () => {
     mockSettingsExistsSync.mockReturnValue(true);
     mockSettingsReadFileSync.mockReturnValue(

extensions/google/oauth.token.ts

@@ -1,4 +1,7 @@
-import { resolveExpiresAtMsFromDurationSeconds } from "openclaw/plugin-sdk/number-runtime";
+import {
+  asDateTimestampMs,
+  resolveExpiresAtMsFromDurationSeconds,
+} from "openclaw/plugin-sdk/number-runtime";
 import { resolveOAuthClientConfig } from "./oauth.credentials.js";
 import { fetchWithTimeout } from "./oauth.http.js";
 import { resolveGoogleOAuthIdentity, resolveGooglePersonalOAuthIdentity } from "./oauth.project.js";
@@ -34,10 +37,18 @@ async function requestTokenGrant(body: URLSearchParams): Promise<{
   };
 }
 
+function resolveExpiredTokenTimestampMs(nowMs: number): number {
+  return asDateTimestampMs(nowMs - TOKEN_EXPIRY_BUFFER_MS) ?? nowMs;
+}
+
 function resolveTokenExpiresAt(value: unknown): number {
+  const nowMs = asDateTimestampMs(Date.now());
+  if (nowMs === undefined) {
+    return 0;
+  }
   return (
-    resolveExpiresAtMsFromDurationSeconds(value, { bufferMs: TOKEN_EXPIRY_BUFFER_MS }) ??
-    Date.now() - TOKEN_EXPIRY_BUFFER_MS
+    resolveExpiresAtMsFromDurationSeconds(value, { nowMs, bufferMs: TOKEN_EXPIRY_BUFFER_MS }) ??
+    resolveExpiredTokenTimestampMs(nowMs)
   );
 }
 

extensions/google/realtime-voice-provider.test.ts

@@ -100,6 +100,7 @@ describe("buildGoogleRealtimeVoiceProvider", () => {
 
   afterEach(() => {
     vi.useRealTimers();
+    vi.restoreAllMocks();
     for (const key of ENV_KEYS) {
       const value = envSnapshot[key];
       if (value === undefined) {
@@ -452,6 +453,20 @@ describe("buildGoogleRealtimeVoiceProvider", () => {
     ]);
   });
 
+  it("rejects browser session expiry outside Date range", async () => {
+    vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_001);
+    const provider = buildGoogleRealtimeVoiceProvider();
+
+    await expect(
+      provider.createBrowserSession?.({
+        providerConfig: {
+          apiKey: "gemini-key",
+        },
+      }),
+    ).rejects.toThrow("Google realtime browser session expiry is outside the supported Date range");
+    expect(createTokenMock).not.toHaveBeenCalled();
+  });
+
   it("can opt out of Google Live session resumption and context compression", async () => {
     const provider = buildGoogleRealtimeVoiceProvider();
     const bridge = provider.createBridge({

extensions/google/realtime-voice-provider.ts

@@ -16,6 +16,7 @@ import type {
   ThinkingConfig,
   TurnCoverage,
 } from "@google/genai";
+import { timestampMsToIsoString } from "openclaw/plugin-sdk/number-runtime";
 import type { OpenClawConfig } from "openclaw/plugin-sdk/provider-onboard";
 import type {
   RealtimeVoiceAudioFormat,
@@ -857,6 +858,11 @@ async function createGoogleRealtimeBrowserSession(
   const voice = req.voice ?? config.voice ?? GOOGLE_REALTIME_DEFAULT_VOICE;
   const expiresAtMs = Date.now() + GOOGLE_REALTIME_BROWSER_SESSION_TTL_MS;
   const newSessionExpiresAtMs = Date.now() + GOOGLE_REALTIME_BROWSER_NEW_SESSION_TTL_MS;
+  const expireTime = timestampMsToIsoString(expiresAtMs);
+  const newSessionExpireTime = timestampMsToIsoString(newSessionExpiresAtMs);
+  if (!expireTime || !newSessionExpireTime) {
+    throw new Error("Google realtime browser session expiry is outside the supported Date range");
+  }
   const ai = createGoogleGenAI({
     apiKey,
     httpOptions: {
@@ -866,8 +872,8 @@ async function createGoogleRealtimeBrowserSession(
   const token = await ai.authTokens.create({
     config: {
       uses: 1,
-      expireTime: new Date(expiresAtMs).toISOString(),
-      newSessionExpireTime: new Date(newSessionExpiresAtMs).toISOString(),
+      expireTime,
+      newSessionExpireTime,
       liveConnectConstraints: {
         model,
         config: buildGoogleLiveConnectConfig({

extensions/google/transport-stream.test.ts

@@ -292,6 +292,7 @@ describe("google transport stream", () => {
   });
 
   afterEach(() => {
+    vi.useRealTimers();
     vi.unstubAllEnvs();
   });
 
@@ -767,6 +768,29 @@ describe("google transport stream", () => {
     expect(tokenFetchMock).not.toHaveBeenCalled();
   });
 
+  it("does not cache google-auth ADC tokens when fallback expiry would exceed Date range", async () => {
+    const tempDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-google-vertex-authlib-expiry-"));
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date(8_640_000_000_000_000));
+    vi.stubEnv("GOOGLE_APPLICATION_CREDENTIALS", "");
+    vi.stubEnv("HOME", path.join(tempDir, "home"));
+    vi.stubEnv("APPDATA", "");
+    googleAuthGetAccessTokenMock
+      .mockResolvedValueOnce("ya29.first-token")
+      .mockResolvedValueOnce("ya29.second-token");
+    const tokenFetchMock = vi.fn();
+
+    await expect(resolveGoogleVertexAuthorizedUserHeaders(tokenFetchMock)).resolves.toEqual({
+      Authorization: "Bearer ya29.first-token",
+    });
+    await expect(resolveGoogleVertexAuthorizedUserHeaders(tokenFetchMock)).resolves.toEqual({
+      Authorization: "Bearer ya29.second-token",
+    });
+
+    expect(googleAuthGetAccessTokenMock).toHaveBeenCalledTimes(2);
+    expect(tokenFetchMock).not.toHaveBeenCalled();
+  });
+
   it("uses google-auth-library bearer auth for Google Vertex credential marker requests", async () => {
     const tempDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-google-vertex-authlib-stream-"));
     vi.stubEnv("GOOGLE_APPLICATION_CREDENTIALS", "");

extensions/google/vertex-adc.ts

@@ -2,7 +2,11 @@ import { existsSync, readFileSync } from "node:fs";
 import { readFile } from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
-import { resolveExpiresAtMsFromDurationSeconds } from "openclaw/plugin-sdk/number-runtime";
+import {
+  asDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+  resolveExpiresAtMsFromDurationSeconds,
+} from "openclaw/plugin-sdk/number-runtime";
 import { normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
 
 type GoogleAuthorizedUserCredentials = {
@@ -32,6 +36,7 @@ const GOOGLE_VERTEX_OAUTH_SCOPE = "https://www.googleapis.com/auth/cloud-platfor
 // leaves the gateway.
 const GOOGLE_VERTEX_TOKEN_EXPIRY_BUFFER_MS = 60_000;
 const GOOGLE_VERTEX_DEFAULT_TOKEN_LIFETIME_SECONDS = 3600;
+const GOOGLE_VERTEX_AUTHLIB_TOKEN_CACHE_MS = 5 * 60_000;
 
 let cachedGoogleVertexAuthorizedUserToken: GoogleVertexAuthorizedUserToken | undefined;
 let cachedGoogleAuthClient:
@@ -43,18 +48,36 @@ let cachedGoogleAuthClient:
   | undefined;
 let cachedGoogleVertexAdcToken: GoogleVertexAdcToken | undefined;
 
-function resolveAuthorizedUserTokenExpiresAtMs(value: unknown, nowMs: number): number {
-  if (typeof value === "number" && Number.isFinite(value)) {
-    return (
-      resolveExpiresAtMsFromDurationSeconds(Math.max(1, value), { nowMs }) ??
-      nowMs - GOOGLE_VERTEX_TOKEN_EXPIRY_BUFFER_MS
-    );
+function isGoogleVertexTokenFresh(expiresAtMsRaw: number, nowRaw = Date.now()): boolean {
+  const expiresAtMs = asDateTimestampMs(expiresAtMsRaw);
+  const nowMs = asDateTimestampMs(nowRaw);
+  if (expiresAtMs === undefined || nowMs === undefined) {
+    return false;
   }
-  return (
-    resolveExpiresAtMsFromDurationSeconds(GOOGLE_VERTEX_DEFAULT_TOKEN_LIFETIME_SECONDS, {
-      nowMs,
-    }) ?? nowMs - GOOGLE_VERTEX_TOKEN_EXPIRY_BUFFER_MS
+  const minFreshExpiresAtMs = resolveExpiresAtMsFromDurationMs(
+    GOOGLE_VERTEX_TOKEN_EXPIRY_BUFFER_MS,
+    { nowMs },
   );
+  return minFreshExpiresAtMs !== undefined && expiresAtMs > minFreshExpiresAtMs;
+}
+
+function resolveAuthorizedUserTokenExpiresAtMs(value: unknown, nowRaw: number): number | undefined {
+  const nowMs = asDateTimestampMs(nowRaw);
+  if (nowMs === undefined) {
+    return undefined;
+  }
+  const lifetimeSeconds =
+    typeof value === "number" && Number.isFinite(value)
+      ? Math.max(1, value)
+      : GOOGLE_VERTEX_DEFAULT_TOKEN_LIFETIME_SECONDS;
+  return resolveExpiresAtMsFromDurationSeconds(lifetimeSeconds, { nowMs }) ?? nowMs;
+}
+
+function resolveGoogleAuthLibraryTokenExpiresAtMs(nowRaw = Date.now()): number | undefined {
+  const nowMs = asDateTimestampMs(nowRaw);
+  return nowMs === undefined
+    ? undefined
+    : resolveExpiresAtMsFromDurationMs(GOOGLE_VERTEX_AUTHLIB_TOKEN_CACHE_MS, { nowMs });
 }
 
 export function resetGoogleVertexAuthorizedUserTokenCacheForTest(): void {
@@ -177,7 +200,7 @@ async function refreshGoogleVertexAuthorizedUserAccessToken(params: {
   if (
     cached?.credentialsPath === params.credentialsPath &&
     cached.refreshToken === refreshToken &&
-    cached.expiresAtMs - Date.now() > GOOGLE_VERTEX_TOKEN_EXPIRY_BUFFER_MS
+    isGoogleVertexTokenFresh(cached.expiresAtMs)
   ) {
     return cached.token;
   }
@@ -208,12 +231,15 @@ async function refreshGoogleVertexAuthorizedUserAccessToken(params: {
     throw new Error("Google Vertex ADC token refresh response did not include an access_token.");
   }
   const nowMs = Date.now();
-  cachedGoogleVertexAuthorizedUserToken = {
-    token,
-    expiresAtMs: resolveAuthorizedUserTokenExpiresAtMs(payload?.expires_in, nowMs),
-    credentialsPath: params.credentialsPath,
-    refreshToken,
-  };
+  const expiresAtMs = resolveAuthorizedUserTokenExpiresAtMs(payload?.expires_in, nowMs);
+  if (expiresAtMs !== undefined) {
+    cachedGoogleVertexAuthorizedUserToken = {
+      token,
+      expiresAtMs,
+      credentialsPath: params.credentialsPath,
+      refreshToken,
+    };
+  }
   return token;
 }
 
@@ -238,7 +264,7 @@ async function resolveGoogleVertexAccessTokenViaGoogleAuth(): Promise<string> {
   const auth = await cachedGoogleAuthClient.promise;
 
   const cached = cachedGoogleVertexAdcToken;
-  if (cached && cached.expiresAtMs - Date.now() > GOOGLE_VERTEX_TOKEN_EXPIRY_BUFFER_MS) {
+  if (cached && isGoogleVertexTokenFresh(cached.expiresAtMs)) {
     return cached.token;
   }
 
@@ -255,10 +281,13 @@ async function resolveGoogleVertexAccessTokenViaGoogleAuth(): Promise<string> {
   // `getAccessToken()` return type, so we cache for a conservative 5 minutes.
   // The library itself already refreshes well before its own internal expiry,
   // so this cache is mainly to avoid hot-loop calls into the auth client.
-  cachedGoogleVertexAdcToken = {
-    token: normalized,
-    expiresAtMs: Date.now() + 5 * 60_000,
-  };
+  const expiresAtMs = resolveGoogleAuthLibraryTokenExpiresAtMs();
+  if (expiresAtMs !== undefined) {
+    cachedGoogleVertexAdcToken = {
+      token: normalized,
+      expiresAtMs,
+    };
+  }
   return normalized;
 }
 

extensions/imessage/src/actions.runtime.test.ts

@@ -1,16 +1,27 @@
 import { EventEmitter } from "node:events";
-import { describe, expect, it, vi } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 
 const spawnMock = vi.hoisted(() => vi.fn());
+const createIMessageRpcClientMock = vi.hoisted(() => vi.fn());
 
 vi.mock("node:child_process", async (importOriginal) => ({
   ...(await importOriginal<typeof import("node:child_process")>()),
   spawn: spawnMock,
 }));
 
+vi.mock("./client.js", () => ({
+  createIMessageRpcClient: createIMessageRpcClientMock,
+}));
+
 const { imessageActionsRuntime, findChatGuidForTest, normalizeDirectChatIdentifierForTest } =
   await import("./actions.runtime.js");
 
+afterEach(() => {
+  vi.restoreAllMocks();
+  createIMessageRpcClientMock.mockReset();
+  spawnMock.mockReset();
+});
+
 function mockSpawnJsonResponse(payload: Record<string, unknown> = { success: true }) {
   spawnMock.mockImplementationOnce(() => {
     const child = new EventEmitter() as EventEmitter & {
@@ -29,6 +40,13 @@ function mockSpawnJsonResponse(payload: Record<string, unknown> = { success: tru
   });
 }
 
+function mockRpcChatList(chats: Array<Record<string, unknown>>) {
+  const request = vi.fn().mockResolvedValue({ chats });
+  const stop = vi.fn().mockResolvedValue(undefined);
+  createIMessageRpcClientMock.mockResolvedValueOnce({ request, stop });
+  return { request, stop };
+}
+
 describe("imessage actions runtime", () => {
   it("passes the configured Messages db path to private API bridge commands", async () => {
     mockSpawnJsonResponse();
@@ -63,6 +81,58 @@ describe("imessage actions runtime", () => {
       { stdio: ["ignore", "pipe", "pipe"] },
     );
   });
+
+  it("drops cached chats.list entries when the current clock is not a valid date timestamp", async () => {
+    vi.spyOn(Date, "now").mockReturnValueOnce(1_700_000_000_000).mockReturnValueOnce(Number.NaN);
+    const firstClient = mockRpcChatList([{ id: 1, guid: "iMessage;+;first" }]);
+    const secondClient = mockRpcChatList([{ id: 2, guid: "iMessage;+;second" }]);
+
+    await expect(
+      imessageActionsRuntime.resolveChatGuidForTarget({
+        target: { kind: "chat_id", chatId: 1 },
+        options: { cliPath: "imsg-invalid-clock" },
+      }),
+    ).resolves.toBe("iMessage;+;first");
+    await expect(
+      imessageActionsRuntime.resolveChatGuidForTarget({
+        target: { kind: "chat_id", chatId: 2 },
+        options: { cliPath: "imsg-invalid-clock" },
+      }),
+    ).resolves.toBe("iMessage;+;second");
+
+    expect(createIMessageRpcClientMock).toHaveBeenCalledTimes(2);
+    expect(firstClient.request).toHaveBeenCalledWith(
+      "chats.list",
+      { limit: 1000 },
+      { timeoutMs: undefined },
+    );
+    expect(secondClient.request).toHaveBeenCalledWith(
+      "chats.list",
+      { limit: 1000 },
+      { timeoutMs: undefined },
+    );
+  });
+
+  it("does not cache chats.list when the expiry timestamp would exceed the valid date range", async () => {
+    vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_000);
+    mockRpcChatList([{ id: 1, guid: "iMessage;+;first" }]);
+    mockRpcChatList([{ id: 2, guid: "iMessage;+;second" }]);
+
+    await expect(
+      imessageActionsRuntime.resolveChatGuidForTarget({
+        target: { kind: "chat_id", chatId: 1 },
+        options: { cliPath: "imsg-overflow-clock" },
+      }),
+    ).resolves.toBe("iMessage;+;first");
+    await expect(
+      imessageActionsRuntime.resolveChatGuidForTarget({
+        target: { kind: "chat_id", chatId: 2 },
+        options: { cliPath: "imsg-overflow-clock" },
+      }),
+    ).resolves.toBe("iMessage;+;second");
+
+    expect(createIMessageRpcClientMock).toHaveBeenCalledTimes(2);
+  });
 });
 
 describe("findChatGuid cross-format identifier resolution", () => {

extensions/imessage/src/actions.runtime.ts

@@ -1,7 +1,11 @@
 import { spawn } from "node:child_process";
 import { mkdtemp, rm, writeFile } from "node:fs/promises";
 import { extname, join } from "node:path";
-import { parseStrictInteger } from "openclaw/plugin-sdk/number-runtime";
+import {
+  asDateTimestampMs,
+  parseStrictInteger,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import { normalizeStringEntries } from "openclaw/plugin-sdk/string-coerce-runtime";
 import { resolvePreferredOpenClawTmpDir } from "openclaw/plugin-sdk/temp-path";
 import { appendIMessageCliStderrTail, appendIMessageCliStdout } from "./cli-output.js";
@@ -76,12 +80,14 @@ function chatListCacheGet(
   cliPath: string,
   dbPath?: string,
 ): ReadonlyArray<Record<string, unknown>> | null {
-  const entry = chatListCache.get(chatListCacheKey(cliPath, dbPath));
+  const key = chatListCacheKey(cliPath, dbPath);
+  const entry = chatListCache.get(key);
   if (!entry) {
     return null;
   }
-  if (entry.expiresAt < Date.now()) {
-    chatListCache.delete(chatListCacheKey(cliPath, dbPath));
+  const now = asDateTimestampMs(Date.now());
+  if (now === undefined || entry.expiresAt <= now) {
+    chatListCache.delete(key);
     return null;
   }
   return entry.list;
@@ -92,9 +98,13 @@ function chatListCacheSet(
   dbPath: string | undefined,
   list: ReadonlyArray<Record<string, unknown>>,
 ): void {
+  const expiresAt = resolveExpiresAtMsFromDurationMs(CHAT_LIST_CACHE_TTL_MS);
+  if (expiresAt === undefined) {
+    return;
+  }
   chatListCache.set(chatListCacheKey(cliPath, dbPath), {
     list,
-    expiresAt: Date.now() + CHAT_LIST_CACHE_TTL_MS,
+    expiresAt,
   });
 }
 

extensions/imessage/src/actions.ts

@@ -24,7 +24,7 @@ import {
   rememberIMessageReplyCache,
   type IMessageChatContext,
 } from "./monitor-reply-cache.js";
-import { getCachedIMessagePrivateApiStatus } from "./probe.js";
+import { getCachedIMessagePrivateApiStatus, probeIMessagePrivateApi } from "./probe.js";
 import { parseIMessageTarget, type IMessageTarget } from "./targets.js";
 
 const loadIMessageActionsRuntime = createLazyRuntimeNamedExport(
@@ -417,7 +417,6 @@ export const imessageMessageActions: ChannelMessageActionAdapter = {
         // status adapter, which doesn't fire eagerly on first dispatch. Run
         // an inline probe so the first react/send-rich attempt after `imsg
         // launch` succeeds without requiring a manual `channels status`.
-        const { probeIMessagePrivateApi } = await import("./probe.js");
         privateApiStatus = await probeIMessagePrivateApi(
           cliPathForProbe,
           account.config.probeTimeoutMs ?? DEFAULT_IMESSAGE_PROBE_TIMEOUT_MS,

extensions/imessage/src/monitor.last-route.test.ts

@@ -168,7 +168,7 @@ describe("iMessage monitor last-route updates", () => {
     expect(recordParams?.updateLastRoute?.sessionKey).toBe(recordParams?.sessionKey);
     expect(recordParams?.updateLastRoute?.sessionKey).not.toBe("agent:main:main");
     expect(recordParams?.updateLastRoute?.channel).toBe("imessage");
-    expect(recordParams?.updateLastRoute?.to).toBe("+15550001111");
+    expect(recordParams?.updateLastRoute?.to).toBe("imessage:+15550001111");
     expect(recordParams?.updateLastRoute?.mainDmOwnerPin).toBeUndefined();
   });
 

extensions/imessage/src/monitor/catchup-bridge.test.ts

@@ -3,7 +3,7 @@ import os from "node:os";
 import path from "node:path";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { runIMessageCatchup } from "./catchup-bridge.js";
-import { resolveCatchupConfig } from "./catchup.js";
+import { resolveCatchupConfig, saveIMessageCatchupCursor } from "./catchup.js";
 import type { IMessagePayload } from "./types.js";
 
 type RpcCall = {
@@ -157,6 +157,32 @@ describe("runIMessageCatchup", () => {
     expect(summary.replayed).toBe(1);
   });
 
+  it("does not crash on Date-invalid persisted cursor timestamps", async () => {
+    const log = vi.fn();
+    await saveIMessageCatchupCursor("default", {
+      lastSeenMs: 8_700_000_000_000_000,
+      lastSeenRowid: 10,
+    });
+    const { client, calls } = makeFakeClient(() => {
+      throw new Error("unexpected rpc");
+    });
+
+    const summary = await runIMessageCatchup({
+      client: client as never,
+      accountId: "default",
+      config: resolveCatchupConfig({ enabled: true, perRunLimit: 50, maxAgeMinutes: 60 }),
+      includeAttachments: false,
+      dispatchPayload: async () => {},
+      runtime: { log },
+    });
+
+    expect(summary.querySucceeded).toBe(false);
+    expect(calls).toEqual([]);
+    expect(log).toHaveBeenCalledWith(
+      expect.stringContaining("imessage catchup: invalid since timestamp"),
+    );
+  });
+
   it("returns querySucceeded=false when chats.list throws", async () => {
     vi.useFakeTimers();
     vi.setSystemTime(new Date("2026-05-08T12:00:00Z"));

extensions/imessage/src/monitor/catchup-bridge.ts

@@ -1,3 +1,4 @@
+import { timestampMsToIsoString } from "openclaw/plugin-sdk/number-runtime";
 import { warn } from "openclaw/plugin-sdk/runtime-env";
 import type { IMessageRpcClient } from "../client.js";
 import {
@@ -88,6 +89,11 @@ export async function runIMessageCatchup(
   const payloadByGuid = new Map<string, IMessagePayload>();
 
   const fetchFn: CatchupFetchFn = async ({ sinceMs, sinceRowid, limit }) => {
+    const sinceISO = timestampMsToIsoString(sinceMs);
+    if (!sinceISO) {
+      warnLog(`imessage catchup: invalid since timestamp ${sinceMs}`);
+      return { resolved: false, rows: [] };
+    }
     let chatsResult: { chats?: ChatsListEntry[] } | undefined;
     try {
       chatsResult = await client.request<{ chats?: ChatsListEntry[] }>(
@@ -100,7 +106,6 @@ export async function runIMessageCatchup(
       return { resolved: false, rows: [] };
     }
     const chats = chatsResult?.chats ?? [];
-    const sinceISO = new Date(sinceMs).toISOString();
     const collected: IMessageCatchupRow[] = [];
     const perChatLimit = Math.min(limit, PER_CHAT_HISTORY_LIMIT_CAP);
     let historyFetchFailed = false;

extensions/imessage/src/private-api-status.ts

@@ -1,3 +1,5 @@
+import { asDateTimestampMs } from "openclaw/plugin-sdk/number-runtime";
+
 export type IMessagePrivateApiStatus = {
   available: boolean;
   v2Ready: boolean;
@@ -56,7 +58,11 @@ export function getCachedIMessagePrivateApiStatus(
   if (!entry) {
     return undefined;
   }
-  if (entry.expiresAt > 0 && entry.expiresAt < Date.now()) {
+  if (entry.expiresAt === 0) {
+    return entry.status;
+  }
+  const now = asDateTimestampMs(Date.now());
+  if (now === undefined || entry.expiresAt <= now) {
     bridgeStatusCache.delete(key);
     return undefined;
   }
@@ -68,6 +74,9 @@ export function setCachedIMessagePrivateApiStatus(
   status: IMessagePrivateApiStatus,
   expiresAt = 0,
 ): void {
+  if (expiresAt !== 0 && asDateTimestampMs(expiresAt) === undefined) {
+    return;
+  }
   bridgeStatusCache.set(normalizeCliPath(cliPath), { status, expiresAt });
 }
 

extensions/imessage/src/probe.test.ts

@@ -1,6 +1,16 @@
-import { describe, expect, it } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import {
+  clearCachedIMessagePrivateApiStatus,
+  getCachedIMessagePrivateApiStatus,
+  setCachedIMessagePrivateApiStatus,
+} from "./private-api-status.js";
 import { imessageRpcSupportsMethod } from "./probe.js";
 
+afterEach(() => {
+  vi.restoreAllMocks();
+  clearCachedIMessagePrivateApiStatus();
+});
+
 describe("imessageRpcSupportsMethod", () => {
   it("returns false when the bridge is not available", () => {
     expect(
@@ -92,3 +102,35 @@ describe("imessageRpcSupportsMethod", () => {
     }
   });
 });
+
+describe("iMessage private API status cache", () => {
+  const availableStatus = {
+    available: true,
+    v2Ready: true,
+    selectors: {},
+    rpcMethods: ["chats.list"],
+  };
+
+  it("drops expiring private API status when the current clock is not a valid date timestamp", () => {
+    clearCachedIMessagePrivateApiStatus();
+    setCachedIMessagePrivateApiStatus(
+      "imsg-invalid-private-clock",
+      availableStatus,
+      1_700_000_030_000,
+    );
+    vi.spyOn(Date, "now").mockReturnValue(Number.NaN);
+
+    expect(getCachedIMessagePrivateApiStatus("imsg-invalid-private-clock")).toBeUndefined();
+  });
+
+  it("does not cache private API status with an invalid expiry timestamp", () => {
+    clearCachedIMessagePrivateApiStatus();
+    setCachedIMessagePrivateApiStatus(
+      "imsg-overflow-private-clock",
+      availableStatus,
+      Number.POSITIVE_INFINITY,
+    );
+
+    expect(getCachedIMessagePrivateApiStatus("imsg-overflow-private-clock")).toBeUndefined();
+  });
+});

extensions/imessage/src/probe.ts

@@ -1,5 +1,9 @@
 import path from "node:path";
 import type { BaseProbeResult } from "openclaw/plugin-sdk/channel-contract";
+import {
+  asDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import { runCommandWithTimeout } from "openclaw/plugin-sdk/process-runtime";
 import { getRuntimeConfig } from "openclaw/plugin-sdk/runtime-config-snapshot";
 import type { RuntimeEnv } from "openclaw/plugin-sdk/runtime-env";
@@ -53,6 +57,27 @@ type RpcSupportCacheEntry = { result: RpcSupportResult; expiresAt: number };
 
 const rpcSupportCache = new Map<string, RpcSupportCacheEntry>();
 
+function getCachedRpcSupport(cliPath: string): RpcSupportResult | undefined {
+  const cached = rpcSupportCache.get(cliPath);
+  if (!cached) {
+    return undefined;
+  }
+  const now = asDateTimestampMs(Date.now());
+  if (now === undefined || cached.expiresAt <= now) {
+    rpcSupportCache.delete(cliPath);
+    return undefined;
+  }
+  return cached.result;
+}
+
+function setCachedRpcSupport(cliPath: string, result: RpcSupportResult): void {
+  const expiresAt = resolveExpiresAtMsFromDurationMs(RPC_SUPPORT_CACHE_TTL_MS);
+  if (expiresAt === undefined) {
+    return;
+  }
+  rpcSupportCache.set(cliPath, { result, expiresAt });
+}
+
 function isDefaultLocalIMessageCliPath(cliPath: string): boolean {
   const trimmed = cliPath.trim();
   return trimmed === "imsg" || (!trimmed.includes("/") && path.basename(trimmed) === "imsg");
@@ -69,9 +94,9 @@ export function resolveIMessageNonMacHostError(
 }
 
 async function probeRpcSupport(cliPath: string, timeoutMs: number): Promise<RpcSupportResult> {
-  const cached = rpcSupportCache.get(cliPath);
-  if (cached && cached.expiresAt > Date.now()) {
-    return cached.result;
+  const cached = getCachedRpcSupport(cliPath);
+  if (cached) {
+    return cached;
   }
   try {
     const result = await runCommandWithTimeout([cliPath, "rpc", "--help"], { timeoutMs });
@@ -83,18 +108,12 @@ async function probeRpcSupport(cliPath: string, timeoutMs: number): Promise<RpcS
         fatal: true,
         error: 'imsg CLI does not support the "rpc" subcommand (update imsg)',
       };
-      rpcSupportCache.set(cliPath, {
-        result: fatal,
-        expiresAt: Date.now() + RPC_SUPPORT_CACHE_TTL_MS,
-      });
+      setCachedRpcSupport(cliPath, fatal);
       return fatal;
     }
     if (result.code === 0) {
       const supported = { supported: true };
-      rpcSupportCache.set(cliPath, {
-        result: supported,
-        expiresAt: Date.now() + RPC_SUPPORT_CACHE_TTL_MS,
-      });
+      setCachedRpcSupport(cliPath, supported);
       return supported;
     }
     return {

extensions/imessage/src/status.test.ts

@@ -5,7 +5,7 @@ import { afterAll, afterEach, beforeEach, describe, expect, it, vi } from "vites
 import { resolveIMessageAccount } from "./accounts.js";
 import * as channelRuntimeModule from "./channel.runtime.js";
 import * as clientModule from "./client.js";
-import { probeIMessage } from "./probe.js";
+import { clearIMessagePrivateApiCache, probeIMessage } from "./probe.js";
 import { imessageSetupWizard } from "./setup-surface.js";
 import { probeIMessageStatusAccount } from "./status-core.js";
 
@@ -159,6 +159,7 @@ describe("imessage setup status", () => {
 describe("probeIMessage", () => {
   beforeEach(() => {
     vi.restoreAllMocks();
+    clearIMessagePrivateApiCache();
     spawnMock.mockClear();
     vi.spyOn(setupRuntime, "detectBinary").mockResolvedValue(true);
     vi.spyOn(processRuntime, "runCommandWithTimeout").mockResolvedValue({
@@ -185,6 +186,102 @@ describe("probeIMessage", () => {
     expect(createIMessageRpcClientMock).not.toHaveBeenCalled();
   });
 
+  it("drops cached rpc support when the current clock is not a valid date timestamp", async () => {
+    vi.spyOn(Date, "now")
+      .mockReturnValueOnce(1_700_000_000_000)
+      .mockReturnValueOnce(Number.NaN)
+      .mockReturnValue(1_700_000_000_000);
+    const runCommand = vi
+      .spyOn(processRuntime, "runCommandWithTimeout")
+      .mockResolvedValueOnce({
+        stdout: "",
+        stderr: 'unknown command "rpc" for "imsg"',
+        code: 1,
+        signal: null,
+        killed: false,
+        termination: "exit",
+      })
+      .mockResolvedValueOnce({
+        stdout: "rpc help",
+        stderr: "",
+        code: 0,
+        signal: null,
+        killed: false,
+        termination: "exit",
+      })
+      .mockResolvedValueOnce({
+        stdout: JSON.stringify({
+          advanced_features: true,
+          v2_ready: true,
+          selectors: {},
+          rpc_methods: ["chats.list"],
+        }),
+        stderr: "",
+        code: 0,
+        signal: null,
+        killed: false,
+        termination: "exit",
+      })
+      .mockResolvedValueOnce({
+        stdout: "send-rich --file",
+        stderr: "",
+        code: 0,
+        signal: null,
+        killed: false,
+        termination: "exit",
+      });
+    vi.spyOn(clientModule, "createIMessageRpcClient").mockResolvedValue({
+      request: vi.fn().mockResolvedValue({ chats: [] }),
+      stop: vi.fn().mockResolvedValue(undefined),
+    } as unknown as Awaited<ReturnType<typeof clientModule.createIMessageRpcClient>>);
+
+    await expect(probeIMessage(1000, { cliPath: "imsg-invalid-rpc-clock" })).resolves.toMatchObject(
+      {
+        ok: false,
+        fatal: true,
+      },
+    );
+    await expect(probeIMessage(1000, { cliPath: "imsg-invalid-rpc-clock" })).resolves.toMatchObject(
+      {
+        ok: true,
+      },
+    );
+
+    expect(runCommand).toHaveBeenNthCalledWith(1, ["imsg-invalid-rpc-clock", "rpc", "--help"], {
+      timeoutMs: 1000,
+    });
+    expect(runCommand).toHaveBeenNthCalledWith(2, ["imsg-invalid-rpc-clock", "rpc", "--help"], {
+      timeoutMs: 1000,
+    });
+  });
+
+  it("does not cache rpc support when the expiry timestamp would exceed the valid date range", async () => {
+    vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_000);
+    const runCommand = vi.spyOn(processRuntime, "runCommandWithTimeout").mockResolvedValue({
+      stdout: "",
+      stderr: 'unknown command "rpc" for "imsg"',
+      code: 1,
+      signal: null,
+      killed: false,
+      termination: "exit",
+    });
+
+    await expect(
+      probeIMessage(1000, { cliPath: "imsg-overflow-rpc-clock" }),
+    ).resolves.toMatchObject({
+      ok: false,
+      fatal: true,
+    });
+    await expect(
+      probeIMessage(1000, { cliPath: "imsg-overflow-rpc-clock" }),
+    ).resolves.toMatchObject({
+      ok: false,
+      fatal: true,
+    });
+
+    expect(runCommand).toHaveBeenCalledTimes(2);
+  });
+
   it("fails fast for default local imsg probes on non-mac hosts", async () => {
     const createIMessageRpcClientMock = vi
       .spyOn(clientModule, "createIMessageRpcClient")

extensions/imessage/src/targets.test.ts

@@ -28,7 +28,7 @@ describe("imessage targets", () => {
 
   it("parses sms handles with service", () => {
     const target = parseIMessageTarget("sms:+1555");
-    expect(target).toEqual({ kind: "handle", to: "+1555", service: "sms" });
+    expect(target).toEqual({ kind: "handle", to: "+1555", service: "sms", serviceExplicit: true });
   });
 
   it("normalizes handles", () => {

extensions/matrix/src/channel.ts

@@ -85,6 +85,12 @@ const loadMatrixChannelRuntime = createLazyRuntimeNamedExport(
   () => import("./channel.runtime.js"),
   "matrixChannelRuntime",
 );
+let matrixDoctorModulePromise: Promise<typeof import("./doctor.js")> | null = null;
+
+const loadMatrixDoctorModule = async () => {
+  matrixDoctorModulePromise ??= import("./doctor.js");
+  return await matrixDoctorModulePromise;
+};
 
 const meta = {
   id: "matrix",
@@ -118,9 +124,9 @@ const matrixDoctor: ChannelDoctorAdapter = {
   legacyConfigRules: MATRIX_LEGACY_CONFIG_RULES,
   normalizeCompatibilityConfig: normalizeMatrixCompatibilityConfig,
   runConfigSequence: async ({ cfg, env, shouldRepair }) =>
-    await (await import("./doctor.js")).runMatrixDoctorSequence({ cfg, env, shouldRepair }),
+    await (await loadMatrixDoctorModule()).runMatrixDoctorSequence({ cfg, env, shouldRepair }),
   cleanStaleConfig: async ({ cfg }) =>
-    await (await import("./doctor.js")).cleanStaleMatrixPluginConfig(cfg),
+    await (await loadMatrixDoctorModule()).cleanStaleMatrixPluginConfig(cfg),
 };
 
 const listMatrixDirectoryPeersFromConfig =

extensions/matrix/src/matrix/monitor/handler.test.ts

@@ -1,6 +1,7 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
+import { MAX_DATE_TIMESTAMP_MS } from "openclaw/plugin-sdk/number-runtime";
 import {
   testing as sessionBindingTesting,
   registerSessionBindingAdapter,
@@ -321,6 +322,58 @@ describe("matrix monitor handler pairing account scope", () => {
     }
   });
 
+  it("does not reuse account-scoped allowFrom cache while the process clock is invalid", async () => {
+    const readAllowFromStore = vi.fn(async () => [] as string[]);
+    const nowSpy = vi.spyOn(Date, "now");
+    const { handler } = createMatrixHandlerTestHarness({
+      readAllowFromStore,
+      dmPolicy: "pairing",
+      buildPairingReply: () => "pairing",
+    });
+    const makeEvent = (id: string): MatrixRawEvent =>
+      createMatrixTextMessageEvent({
+        eventId: id,
+        body: "@room hello",
+        mentions: { room: true },
+      });
+
+    try {
+      nowSpy.mockReturnValue(Number.NaN);
+      await handler("!room:example.org", makeEvent("$event1"));
+      await handler("!room:example.org", makeEvent("$event2"));
+
+      expect(readAllowFromStore).toHaveBeenCalledTimes(2);
+    } finally {
+      nowSpy.mockRestore();
+    }
+  });
+
+  it("does not cache account-scoped allowFrom reads when cache expiry overflows", async () => {
+    const readAllowFromStore = vi.fn(async () => [] as string[]);
+    const nowSpy = vi.spyOn(Date, "now");
+    const { handler } = createMatrixHandlerTestHarness({
+      readAllowFromStore,
+      dmPolicy: "pairing",
+      buildPairingReply: () => "pairing",
+    });
+    const makeEvent = (id: string): MatrixRawEvent =>
+      createMatrixTextMessageEvent({
+        eventId: id,
+        body: "@room hello",
+        mentions: { room: true },
+      });
+
+    try {
+      nowSpy.mockReturnValue(MAX_DATE_TIMESTAMP_MS);
+      await handler("!room:example.org", makeEvent("$event1"));
+      await handler("!room:example.org", makeEvent("$event2"));
+
+      expect(readAllowFromStore).toHaveBeenCalledTimes(2);
+    } finally {
+      nowSpy.mockRestore();
+    }
+  });
+
   it("pins direct-message main route updates to the configured owner", async () => {
     const { handler, recordInboundSession } = createMatrixHandlerTestHarness({
       cfg: {

extensions/matrix/src/matrix/monitor/handler.ts

@@ -27,6 +27,10 @@ import {
   resolveChannelContextVisibilityMode,
 } from "openclaw/plugin-sdk/context-visibility-runtime";
 import { isDangerousNameMatchingEnabled } from "openclaw/plugin-sdk/dangerous-name-runtime";
+import {
+  isFutureDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import { mergePairLoopGuardConfig } from "openclaw/plugin-sdk/pair-loop-guard-runtime";
 import { buildInboundHistoryFromEntries } from "openclaw/plugin-sdk/reply-history";
 import {
@@ -510,9 +514,13 @@ export function createMatrixRoomMessageHandler(params: MatrixMonitorHandlerParam
 
   const readStoreAllowFrom = async (): Promise<string[]> => {
     const now = Date.now();
-    if (cachedStoreAllowFrom && now < cachedStoreAllowFrom.expiresAtMs) {
+    if (
+      cachedStoreAllowFrom &&
+      isFutureDateTimestampMs(cachedStoreAllowFrom.expiresAtMs, { nowMs: now })
+    ) {
       return cachedStoreAllowFrom.value;
     }
+    cachedStoreAllowFrom = null;
     const value = await core.channel.pairing
       .readAllowFromStore({
         channel: "matrix",
@@ -520,10 +528,10 @@ export function createMatrixRoomMessageHandler(params: MatrixMonitorHandlerParam
         accountId,
       })
       .catch(() => []);
-    cachedStoreAllowFrom = {
-      value,
-      expiresAtMs: now + ALLOW_FROM_STORE_CACHE_TTL_MS,
-    };
+    const expiresAtMs = resolveExpiresAtMsFromDurationMs(ALLOW_FROM_STORE_CACHE_TTL_MS, {
+      nowMs: now,
+    });
+    cachedStoreAllowFrom = expiresAtMs === undefined ? null : { value, expiresAtMs };
     return value;
   };
 

extensions/matrix/src/matrix/monitor/startup-verification.test.ts

@@ -1,7 +1,7 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import { describe, expect, it, vi } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 import { ensureMatrixStartupVerification } from "./startup-verification.js";
 
 function createTempStateDir(): string {
@@ -80,6 +80,10 @@ function createHarness(params?: {
 }
 
 describe("ensureMatrixStartupVerification", () => {
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
   it("skips automatic requests when the device is already verified", async () => {
     const tempHome = createTempStateDir();
     const harness = createHarness({ verified: true });
@@ -203,6 +207,27 @@ describe("ensureMatrixStartupVerification", () => {
     expect(fs.existsSync(createStateFilePath(tempHome))).toBe(true);
   });
 
+  it("falls back when startup verification nowMs is outside Date range", async () => {
+    vi.spyOn(Date, "now").mockReturnValue(Date.parse("2026-05-30T12:00:00.000Z"));
+    const tempHome = createTempStateDir();
+    const stateFilePath = createStateFilePath(tempHome);
+    const harness = createHarness();
+
+    const result = await ensureMatrixStartupVerification({
+      client: harness.client as never,
+      auth: createAuth(),
+      accountConfig: {},
+      stateFilePath,
+      nowMs: 8_640_000_000_000_001,
+    });
+
+    expect(result.kind).toBe("requested");
+    const state = JSON.parse(fs.readFileSync(stateFilePath, "utf-8")) as {
+      attemptedAt?: string;
+    };
+    expect(state.attemptedAt).toBe("2026-05-30T12:00:00.000Z");
+  });
+
   it("keeps startup verification failures non-fatal", async () => {
     const tempHome = createTempStateDir();
     const harness = createHarness({

extensions/matrix/src/matrix/monitor/startup-verification.ts

@@ -1,6 +1,7 @@
 import fs from "node:fs/promises";
 import path from "node:path";
 import { readJsonFileWithFallback, writeJsonFileAtomically } from "openclaw/plugin-sdk/json-store";
+import { timestampMsToIsoString } from "openclaw/plugin-sdk/number-runtime";
 import type { MatrixConfig } from "../../types.js";
 import { resolveMatrixStoragePaths } from "../client/storage.js";
 import type { MatrixAuth } from "../client/types.js";
@@ -95,6 +96,14 @@ function resolveRetryAfterMs(params: {
   return remaining > 0 ? remaining : undefined;
 }
 
+function resolveStartupVerificationTimestamp(nowMs: unknown): string {
+  return (
+    timestampMsToIsoString(nowMs) ??
+    timestampMsToIsoString(Date.now()) ??
+    "1970-01-01T00:00:00.000Z"
+  );
+}
+
 function shouldHonorCooldown(params: {
   state: MatrixStartupVerificationState | null;
   verification: MatrixOwnDeviceVerificationStatus;
@@ -189,6 +198,7 @@ export async function ensureMatrixStartupVerification(params: {
   );
   const cooldownMs = cooldownHours * 60 * 60 * 1000;
   const nowMs = params.nowMs ?? Date.now();
+  const attemptedAt = resolveStartupVerificationTimestamp(nowMs);
   const state = await readStartupVerificationState(statePath);
   const stateCooldownMs = resolveStateCooldownMs(state, cooldownMs);
   if (shouldHonorCooldown({ state, verification, stateCooldownMs, nowMs })) {
@@ -208,7 +218,7 @@ export async function ensureMatrixStartupVerification(params: {
     await writeJsonFileAtomically(statePath, {
       userId: verification.userId,
       deviceId: verification.deviceId,
-      attemptedAt: new Date(nowMs).toISOString(),
+      attemptedAt,
       outcome: "requested",
       requestId: request.id,
       transactionId: request.transactionId,
@@ -224,7 +234,7 @@ export async function ensureMatrixStartupVerification(params: {
     await writeJsonFileAtomically(statePath, {
       userId: verification.userId,
       deviceId: verification.deviceId,
-      attemptedAt: new Date(nowMs).toISOString(),
+      attemptedAt,
       outcome: "failed",
       error,
     } satisfies MatrixStartupVerificationState).catch(() => {});

extensions/matrix/src/matrix/sdk/verification-manager.test.ts

@@ -166,6 +166,26 @@ describe("MatrixVerificationManager", () => {
     expect(summary.phaseName).toBe("requested");
   });
 
+  it("tracks verification requests when the process clock is outside the Date range", () => {
+    const manager = new MatrixVerificationManager();
+    const dateNowSpy = vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_001);
+
+    try {
+      const summary = manager.trackVerificationRequest(
+        new MockVerificationRequest({
+          transactionId: "txn-invalid-clock",
+          phase: VerificationPhase.Requested,
+        }),
+      );
+
+      expect(summary.createdAt).toBe("1970-01-01T00:00:00.000Z");
+      expect(summary.updatedAt).toBe("1970-01-01T00:00:00.000Z");
+      expect(manager.listVerifications()).toHaveLength(1);
+    } finally {
+      dateNowSpy.mockRestore();
+    }
+  });
+
   it("reuses the same tracked id for repeated transaction IDs", () => {
     const manager = new MatrixVerificationManager();
     const first = new MockVerificationRequest({

extensions/matrix/src/matrix/sdk/verification-manager.ts

@@ -4,6 +4,10 @@ import {
   VerifierEvent,
 } from "matrix-js-sdk/lib/crypto-api/verification.js";
 import { VerificationMethod } from "matrix-js-sdk/lib/types.js";
+import {
+  resolveDateTimestampMs,
+  resolveTimestampMsToIsoString,
+} from "openclaw/plugin-sdk/number-runtime";
 import { formatMatrixErrorMessage } from "../errors.js";
 
 export type MatrixVerificationMethod = "sas" | "show-qr" | "scan-qr";
@@ -266,7 +270,7 @@ export class MatrixVerificationManager {
   }
 
   private touchVerificationSession(session: MatrixVerificationSession): void {
-    session.updatedAtMs = Date.now();
+    session.updatedAtMs = resolveDateTimestampMs(Date.now());
     this.emitVerificationSummary(session);
   }
 
@@ -317,8 +321,8 @@ export class MatrixVerificationManager {
       hasReciprocateQr: Boolean(session.reciprocateQrCallbacks),
       completed: phase === VerificationPhase.Done,
       error: session.error,
-      createdAt: new Date(session.createdAtMs).toISOString(),
-      updatedAt: new Date(session.updatedAtMs).toISOString(),
+      createdAt: resolveTimestampMsToIsoString(session.createdAtMs),
+      updatedAt: resolveTimestampMsToIsoString(session.updatedAtMs),
     };
   }
 
@@ -594,7 +598,7 @@ export class MatrixVerificationManager {
       }
     }
 
-    const now = Date.now();
+    const now = resolveDateTimestampMs(Date.now());
     const id = `verification-${++this.verificationSessionCounter}`;
     const session: MatrixVerificationSession = {
       id,

extensions/matrix/subagent-hooks-api.ts

@@ -23,9 +23,3 @@ export function registerMatrixSubagentHooks(api: OpenClawPluginApi): void {
     return handleMatrixSubagentDeliveryTarget(event);
   });
 }
-
-export {
-  handleMatrixSubagentDeliveryTarget,
-  handleMatrixSubagentEnded,
-  handleMatrixSubagentSpawning,
-} from "./src/matrix/subagent-hooks.js";

extensions/mattermost/src/mattermost/model-picker.ts

@@ -342,7 +342,7 @@ export function renderMattermostModelsPickerView(params: {
 
   const page = paginateItems(models, params.page);
   const rows: MattermostInteractiveButtonInput[][] = page.items.map((model) => {
-    const isCurrent = current?.provider === provider && current.model === model;
+    const isCurrent = current?.provider === provider && current?.model === model;
     return [
       buildButton({
         action: "select",

extensions/mattermost/src/mattermost/monitor-resources.test.ts

@@ -1,4 +1,4 @@
-import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { afterEach, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 
 const fetchMattermostChannel = vi.hoisted(() => vi.fn());
 const fetchMattermostUser = vi.hoisted(() => vi.fn());
@@ -32,6 +32,10 @@ describe("mattermost monitor resources", () => {
     buildButtonProps.mockReset();
   });
 
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
   it("downloads media, preserves auth headers, and infers media kind", async () => {
     const saveRemoteMedia = vi.fn(async () => ({
       path: "/tmp/file.png",
@@ -120,6 +124,70 @@ describe("mattermost monitor resources", () => {
     });
   });
 
+  it("does not reuse cached lookups while the process clock is invalid", async () => {
+    fetchMattermostChannel
+      .mockResolvedValueOnce({ id: "chan-1", name: "old" })
+      .mockResolvedValueOnce({ id: "chan-1", name: "fresh" })
+      .mockResolvedValueOnce({ id: "chan-1", name: "recovered" });
+
+    const resources = createMattermostMonitorResources({
+      accountId: "default",
+      callbackUrl: "https://openclaw.test/callback",
+      client: {} as never,
+      logger: {},
+      mediaMaxBytes: 1024,
+      saveRemoteMedia: vi.fn(),
+      mediaKindFromMime: () => "document",
+    });
+
+    await expect(resources.resolveChannelInfo("chan-1")).resolves.toEqual({
+      id: "chan-1",
+      name: "old",
+    });
+
+    vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_001);
+    await expect(resources.resolveChannelInfo("chan-1")).resolves.toEqual({
+      id: "chan-1",
+      name: "fresh",
+    });
+
+    vi.mocked(Date.now).mockReturnValue(1_000);
+    await expect(resources.resolveChannelInfo("chan-1")).resolves.toEqual({
+      id: "chan-1",
+      name: "recovered",
+    });
+
+    expect(fetchMattermostChannel).toHaveBeenCalledTimes(3);
+  });
+
+  it("does not cache lookups when cache expiry would exceed the Date range", async () => {
+    vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_000);
+    fetchMattermostUser
+      .mockResolvedValueOnce({ id: "user-1", username: "first" })
+      .mockResolvedValueOnce({ id: "user-1", username: "second" });
+
+    const resources = createMattermostMonitorResources({
+      accountId: "default",
+      callbackUrl: "https://openclaw.test/callback",
+      client: {} as never,
+      logger: {},
+      mediaMaxBytes: 1024,
+      saveRemoteMedia: vi.fn(),
+      mediaKindFromMime: () => "document",
+    });
+
+    await expect(resources.resolveUserInfo("user-1")).resolves.toEqual({
+      id: "user-1",
+      username: "first",
+    });
+    await expect(resources.resolveUserInfo("user-1")).resolves.toEqual({
+      id: "user-1",
+      username: "second",
+    });
+
+    expect(fetchMattermostUser).toHaveBeenCalledTimes(2);
+  });
+
   it("proxies typing indicators to the mattermost client helper", async () => {
     const client = {} as never;
 

extensions/mattermost/src/mattermost/monitor-resources.ts

@@ -1,3 +1,7 @@
+import {
+  asDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import { normalizeStringEntries } from "openclaw/plugin-sdk/string-coerce-runtime";
 import {
   fetchMattermostChannel,
@@ -50,6 +54,35 @@ export function createMattermostMonitorResources(params: {
   const channelCache = new Map<string, { value: MattermostChannel | null; expiresAt: number }>();
   const userCache = new Map<string, { value: MattermostUser | null; expiresAt: number }>();
 
+  const getCachedValue = <T>(
+    cache: Map<string, { value: T | null; expiresAt: number }>,
+    key: string,
+    nowMs: number | undefined,
+  ): T | null | undefined => {
+    const cached = cache.get(key);
+    if (!cached) {
+      return undefined;
+    }
+    if (nowMs !== undefined && cached.expiresAt > nowMs) {
+      return cached.value;
+    }
+    cache.delete(key);
+    return undefined;
+  };
+
+  const setCachedValue = <T>(
+    cache: Map<string, { value: T | null; expiresAt: number }>,
+    key: string,
+    value: T | null,
+    ttlMs: number,
+    rawNowMs: number,
+  ): void => {
+    const expiresAt = resolveExpiresAtMsFromDurationMs(ttlMs, { nowMs: rawNowMs });
+    if (expiresAt !== undefined) {
+      cache.set(key, { value, expiresAt });
+    }
+  };
+
   const resolveMattermostMedia = async (
     fileIds?: string[] | null,
   ): Promise<MattermostMediaInfo[]> => {
@@ -89,45 +122,35 @@ export function createMattermostMonitorResources(params: {
   };
 
   const resolveChannelInfo = async (channelId: string): Promise<MattermostChannel | null> => {
-    const cached = channelCache.get(channelId);
-    if (cached && cached.expiresAt > Date.now()) {
-      return cached.value;
+    const rawNow = Date.now();
+    const cached = getCachedValue(channelCache, channelId, asDateTimestampMs(rawNow));
+    if (cached !== undefined) {
+      return cached;
     }
     try {
       const info = await fetchMattermostChannel(client, channelId);
-      channelCache.set(channelId, {
-        value: info,
-        expiresAt: Date.now() + CHANNEL_CACHE_TTL_MS,
-      });
+      setCachedValue(channelCache, channelId, info, CHANNEL_CACHE_TTL_MS, rawNow);
       return info;
     } catch (err) {
       logger.debug?.(`mattermost: channel lookup failed: ${String(err)}`);
-      channelCache.set(channelId, {
-        value: null,
-        expiresAt: Date.now() + CHANNEL_CACHE_TTL_MS,
-      });
+      setCachedValue(channelCache, channelId, null, CHANNEL_CACHE_TTL_MS, rawNow);
       return null;
     }
   };
 
   const resolveUserInfo = async (userId: string): Promise<MattermostUser | null> => {
-    const cached = userCache.get(userId);
-    if (cached && cached.expiresAt > Date.now()) {
-      return cached.value;
+    const rawNow = Date.now();
+    const cached = getCachedValue(userCache, userId, asDateTimestampMs(rawNow));
+    if (cached !== undefined) {
+      return cached;
     }
     try {
       const info = await fetchMattermostUser(client, userId);
-      userCache.set(userId, {
-        value: info,
-        expiresAt: Date.now() + USER_CACHE_TTL_MS,
-      });
+      setCachedValue(userCache, userId, info, USER_CACHE_TTL_MS, rawNow);
       return info;
     } catch (err) {
       logger.debug?.(`mattermost: user lookup failed: ${String(err)}`);
-      userCache.set(userId, {
-        value: null,
-        expiresAt: Date.now() + USER_CACHE_TTL_MS,
-      });
+      setCachedValue(userCache, userId, null, USER_CACHE_TTL_MS, rawNow);
       return null;
     }
   };

extensions/mattermost/src/mattermost/reactions.test.ts

@@ -1,4 +1,4 @@
-import { beforeEach, describe, expect, it } from "vitest";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import {
   addMattermostReaction,
   removeMattermostReaction,
@@ -15,6 +15,10 @@ describe("mattermost reactions", () => {
     resetMattermostReactionBotUserCacheForTests();
   });
 
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
   async function addReactionWithFetch(fetchMock: typeof fetch) {
     return addMattermostReaction({
       cfg: createMattermostTestConfig(),
@@ -104,4 +108,94 @@ describe("mattermost reactions", () => {
     expect(removeResult).toEqual({ ok: true });
     expect(usersMeCalls).toHaveLength(1);
   });
+
+  it("does not reuse cached bot user ids while the process clock is invalid", async () => {
+    const cfg = createMattermostTestConfig();
+    const firstFetch = createMattermostReactionFetchMock({
+      mode: "add",
+      postId: "POST1",
+      emojiName: "thumbsup",
+      userId: "BOT_OLD",
+    });
+    const secondFetch = createMattermostReactionFetchMock({
+      mode: "add",
+      postId: "POST2",
+      emojiName: "thumbsup",
+      userId: "BOT_FRESH",
+    });
+    const thirdFetch = createMattermostReactionFetchMock({
+      mode: "add",
+      postId: "POST3",
+      emojiName: "thumbsup",
+      userId: "BOT_RECOVERED",
+    });
+
+    await expect(
+      addMattermostReaction({
+        cfg,
+        postId: "POST1",
+        emojiName: "thumbsup",
+        fetchImpl: firstFetch,
+      }),
+    ).resolves.toEqual({ ok: true });
+
+    vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_001);
+    await expect(
+      addMattermostReaction({
+        cfg,
+        postId: "POST2",
+        emojiName: "thumbsup",
+        fetchImpl: secondFetch,
+      }),
+    ).resolves.toEqual({ ok: true });
+
+    vi.mocked(Date.now).mockReturnValue(1_000);
+    await expect(
+      addMattermostReaction({
+        cfg,
+        postId: "POST3",
+        emojiName: "thumbsup",
+        fetchImpl: thirdFetch,
+      }),
+    ).resolves.toEqual({ ok: true });
+
+    const usersMeCalls = [
+      ...firstFetch.mock.calls,
+      ...secondFetch.mock.calls,
+      ...thirdFetch.mock.calls,
+    ].filter((call) => requestUrl(call[0]).endsWith("/api/v4/users/me"));
+    expect(usersMeCalls).toHaveLength(3);
+  });
+
+  it("does not cache bot user ids when cache expiry would exceed the Date range", async () => {
+    vi.spyOn(Date, "now").mockReturnValue(8_640_000_000_000_000);
+    const cfg = createMattermostTestConfig();
+    const fetchMock = createMattermostReactionFetchMock({
+      mode: "both",
+      postId: "POST1",
+      emojiName: "thumbsup",
+    });
+
+    await expect(
+      addMattermostReaction({
+        cfg,
+        postId: "POST1",
+        emojiName: "thumbsup",
+        fetchImpl: fetchMock,
+      }),
+    ).resolves.toEqual({ ok: true });
+    await expect(
+      removeMattermostReaction({
+        cfg,
+        postId: "POST1",
+        emojiName: "thumbsup",
+        fetchImpl: fetchMock,
+      }),
+    ).resolves.toEqual({ ok: true });
+
+    const usersMeCalls = fetchMock.mock.calls.filter((call) =>
+      requestUrl(call[0]).endsWith("/api/v4/users/me"),
+    );
+    expect(usersMeCalls).toHaveLength(2);
+  });
 });

extensions/mattermost/src/mattermost/reactions.ts

@@ -1,3 +1,7 @@
+import {
+  asDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import { isPrivateNetworkOptInEnabled } from "openclaw/plugin-sdk/ssrf-runtime";
 import { resolveMattermostAccount } from "./accounts.js";
 import {
@@ -26,16 +30,24 @@ async function resolveBotUserId(
   client: MattermostClient,
   cacheKey: string,
 ): Promise<string | null> {
+  const rawNow = Date.now();
+  const now = asDateTimestampMs(rawNow);
   const cached = botUserIdCache.get(cacheKey);
-  if (cached && cached.expiresAt > Date.now()) {
-    return cached.userId;
+  if (cached) {
+    if (now !== undefined && cached.expiresAt > now) {
+      return cached.userId;
+    }
+    botUserIdCache.delete(cacheKey);
   }
   const me = await fetchMattermostMe(client);
   const userId = me?.id?.trim();
   if (!userId) {
     return null;
   }
-  botUserIdCache.set(cacheKey, { userId, expiresAt: Date.now() + BOT_USER_CACHE_TTL_MS });
+  const expiresAt = resolveExpiresAtMsFromDurationMs(BOT_USER_CACHE_TTL_MS, { nowMs: rawNow });
+  if (expiresAt !== undefined) {
+    botUserIdCache.set(cacheKey, { userId, expiresAt });
+  }
   return userId;
 }
 

extensions/mattermost/src/mattermost/slash-http.test.ts

@@ -458,6 +458,119 @@ describe("slash-http", () => {
     expect(client.requests).toEqual(["/commands/cmd-1"]);
   });
 
+  it("does not cache failed command validation when the expiry would exceed a valid Date", async () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date(8_640_000_000_000_000));
+    try {
+      const registeredCommand = createRegisteredCommand({ token: "old-token" });
+      const client = createCommandLookupClient({
+        command: {
+          id: "cmd-1",
+          token: "new-token",
+          team_id: "t1",
+          trigger: "oc_status",
+          method: MATTERMOST_SLASH_POST_METHOD,
+          url: "https://gateway.example.com/slash",
+          auto_complete: true,
+          delete_at: 0,
+        },
+      });
+      const payload = {
+        token: "old-token",
+        team_id: "t1",
+        channel_id: "c1",
+        user_id: "u1",
+        command: "/oc_status",
+        text: "",
+      };
+
+      await expect(
+        validateMattermostSlashCommandToken({
+          accountId: "default",
+          client,
+          registeredCommand,
+          payload,
+        }),
+      ).resolves.toBe(false);
+      await expect(
+        validateMattermostSlashCommandToken({
+          accountId: "default",
+          client,
+          registeredCommand,
+          payload,
+        }),
+      ).resolves.toBe(false);
+
+      expect(client.requests).toEqual(["/commands/cmd-1", "/commands/cmd-1"]);
+    } finally {
+      vi.useRealTimers();
+    }
+  });
+
+  it("drops exhausted validation lookup buckets when the current clock is invalid", async () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date("2026-04-27T00:00:00Z"));
+    try {
+      const registeredCommand = createRegisteredCommand({ token: "valid-token" });
+      const command = {
+        id: "cmd-1",
+        token: "valid-token",
+        team_id: "t1",
+        trigger: "oc_status",
+        method: MATTERMOST_SLASH_POST_METHOD,
+        url: "https://gateway.example.com/slash",
+        auto_complete: true,
+        delete_at: 0,
+      };
+      const client = createCommandLookupClient({ command });
+      const payload = {
+        token: "valid-token",
+        team_id: "t1",
+        channel_id: "c1",
+        user_id: "u1",
+        command: "/oc_status",
+        text: "",
+      };
+
+      for (let i = 0; i < 20; i += 1) {
+        await expect(
+          validateMattermostSlashCommandToken({
+            accountId: "default",
+            client,
+            registeredCommand,
+            payload,
+          }),
+        ).resolves.toBe(true);
+      }
+      await expect(
+        validateMattermostSlashCommandToken({
+          accountId: "default",
+          client,
+          registeredCommand,
+          payload,
+        }),
+      ).resolves.toBe(false);
+
+      const dateNow = vi.spyOn(Date, "now").mockReturnValue(Number.NaN);
+      try {
+        await expect(
+          validateMattermostSlashCommandToken({
+            accountId: "default",
+            client,
+            registeredCommand,
+            payload,
+          }),
+        ).resolves.toBe(true);
+      } finally {
+        dateNow.mockRestore();
+      }
+
+      expect(client.requests).toHaveLength(21);
+    } finally {
+      vi.useRealTimers();
+    }
+  });
+
   it("scopes validation cache entries by account", async () => {
     const registeredCommand = createRegisteredCommand();
     const clientA = createCommandLookupClient({

extensions/mattermost/src/mattermost/slash-http.ts

@@ -6,6 +6,10 @@
  */
 
 import type { IncomingMessage, ServerResponse } from "node:http";
+import {
+  asDateTimestampMs,
+  resolveExpiresAtMsFromDurationMs,
+} from "openclaw/plugin-sdk/number-runtime";
 import { safeEqualSecret } from "openclaw/plugin-sdk/security-runtime";
 import { isPrivateNetworkOptInEnabled } from "openclaw/plugin-sdk/ssrf-runtime";
 import type { ResolvedMattermostAccount } from "../mattermost/accounts.js";
@@ -209,8 +213,14 @@ export function clearMattermostSlashCommandValidationCacheForAccount(accountId:
 }
 
 function sweepCommandValidationFailureCache(now = Date.now()): void {
+  const validNow = asDateTimestampMs(now);
+  if (validNow === undefined) {
+    commandValidationFailureCache.clear();
+    return;
+  }
   for (const [key, entry] of commandValidationFailureCache) {
-    if (entry.expiresAt <= now) {
+    const expiresAt = asDateTimestampMs(entry.expiresAt);
+    if (expiresAt === undefined || expiresAt <= validNow) {
       commandValidationFailureCache.delete(key);
     }
   }
@@ -225,11 +235,16 @@ function sweepCommandValidationFailureCache(now = Date.now()): void {
 
 function hasCachedCommandValidationFailure(key: string, now = Date.now()): boolean {
   sweepCommandValidationFailureCache(now);
+  const validNow = asDateTimestampMs(now);
+  if (validNow === undefined) {
+    return false;
+  }
   const cached = commandValidationFailureCache.get(key);
   if (!cached) {
     return false;
   }
-  if (cached.expiresAt > now) {
+  const expiresAt = asDateTimestampMs(cached.expiresAt);
+  if (expiresAt !== undefined && expiresAt > validNow) {
     return true;
   }
   commandValidationFailureCache.delete(key);
@@ -237,17 +252,31 @@ function hasCachedCommandValidationFailure(key: string, now = Date.now()): boole
 }
 
 function cacheCommandValidationFailure(key: string, accountId: string): void {
-  sweepCommandValidationFailureCache();
+  const now = Date.now();
+  sweepCommandValidationFailureCache(now);
+  const expiresAt = resolveExpiresAtMsFromDurationMs(COMMAND_VALIDATION_FAILURE_CACHE_MS, {
+    nowMs: now,
+  });
+  if (expiresAt === undefined) {
+    commandValidationFailureCache.delete(key);
+    return;
+  }
   commandValidationFailureCache.set(key, {
     accountId,
-    expiresAt: Date.now() + COMMAND_VALIDATION_FAILURE_CACHE_MS,
+    expiresAt,
   });
 }
 
 function sweepCommandValidationLookupRateLimit(now = Date.now()): void {
+  const validNow = asDateTimestampMs(now);
+  if (validNow === undefined) {
+    commandValidationLookupRateLimit.clear();
+    return;
+  }
   const staleAfterMs = COMMAND_VALIDATION_LOOKUP_REFILL_MS * COMMAND_VALIDATION_LOOKUP_BURST * 2;
   for (const [key, entry] of commandValidationLookupRateLimit) {
-    if (now - entry.updatedAt > staleAfterMs) {
+    const updatedAt = asDateTimestampMs(entry.updatedAt);
+    if (updatedAt === undefined || validNow - updatedAt > staleAfterMs) {
       commandValidationLookupRateLimit.delete(key);
     }
   }
@@ -265,7 +294,12 @@ function reserveCommandValidationLookup(params: {
   accountId: string;
   now?: number;
 }): { allowed: true } | { allowed: false; shouldLog: boolean } {
-  const now = params.now ?? Date.now();
+  const rawNow = params.now ?? Date.now();
+  const now = asDateTimestampMs(rawNow);
+  if (now === undefined) {
+    commandValidationLookupRateLimit.clear();
+    return { allowed: true };
+  }
   sweepCommandValidationLookupRateLimit(now);
   const existing = commandValidationLookupRateLimit.get(params.key);
   if (!existing) {

extensions/memory-core/src/dreaming-markdown.test.ts

@@ -1,11 +1,15 @@
 import fs from "node:fs/promises";
 import path from "node:path";
-import { describe, expect, it } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 import { writeDailyDreamingPhaseBlock, writeDeepDreamingReport } from "./dreaming-markdown.js";
 import { createMemoryCoreTestHarness } from "./test-helpers.js";
 
 const { createTempWorkspace } = createMemoryCoreTestHarness();
 
+afterEach(() => {
+  vi.restoreAllMocks();
+});
+
 async function expectPathMissing(targetPath: string): Promise<void> {
   const error = await fs.access(targetPath).then(
     () => undefined,
@@ -55,6 +59,25 @@ describe("dreaming markdown storage", () => {
     expect(content).toContain("- Candidate: remember the API key is fake");
   });
 
+  it("falls back when the injected timestamp is outside Date range", async () => {
+    vi.spyOn(Date, "now").mockReturnValue(Date.UTC(2026, 4, 30, 12, 0, 0));
+    const workspaceDir = await createTempWorkspace("openclaw-dreaming-markdown-");
+
+    const result = await writeDailyDreamingPhaseBlock({
+      workspaceDir,
+      phase: "light",
+      bodyLines: ["- Candidate: bounded fallback"],
+      nowMs: 8_640_000_000_000_001,
+      timezone,
+      storage: {
+        mode: "inline",
+        separateReports: false,
+      },
+    });
+
+    expect(requireInlinePath(result)).toBe(path.join(workspaceDir, "memory", "2026-05-30.md"));
+  });
+
   it("keeps multiple inline phases in the shared daily memory file", async () => {
     const workspaceDir = await createTempWorkspace("openclaw-dreaming-markdown-");
 

extensions/memory-core/src/dreaming-markdown.ts

@@ -10,6 +10,7 @@ import {
   replaceManagedMarkdownBlock,
   withTrailingNewline,
 } from "openclaw/plugin-sdk/memory-host-markdown";
+import { resolveMemoryCoreNowMs, resolveMemoryCoreTimestamp } from "./time.js";
 
 const DAILY_PHASE_HEADINGS: Record<Exclude<MemoryDreamingPhaseName, "deep">, string> = {
   light: "## Light Sleep",
@@ -63,7 +64,7 @@ export async function writeDailyDreamingPhaseBlock(params: {
   timezone?: string;
   storage: MemoryDreamingStorageConfig;
 }): Promise<{ inlinePath?: string; reportPath?: string }> {
-  const nowMs = Number.isFinite(params.nowMs) ? (params.nowMs as number) : Date.now();
+  const nowMs = resolveMemoryCoreNowMs(params.nowMs);
   const body = params.bodyLines.length > 0 ? params.bodyLines.join("\n") : "- No notable updates.";
   let inlinePath: string | undefined;
   let reportPath: string | undefined;
@@ -107,7 +108,7 @@ export async function writeDailyDreamingPhaseBlock(params: {
 
   await appendMemoryHostEvent(params.workspaceDir, {
     type: "memory.dream.completed",
-    timestamp: new Date(nowMs).toISOString(),
+    timestamp: resolveMemoryCoreTimestamp(nowMs),
     phase: params.phase,
     ...(inlinePath ? { inlinePath } : {}),
     ...(reportPath ? { reportPath } : {}),
@@ -131,14 +132,14 @@ export async function writeDeepDreamingReport(params: {
   if (!shouldWriteSeparate(params.storage)) {
     return undefined;
   }
-  const nowMs = Number.isFinite(params.nowMs) ? (params.nowMs as number) : Date.now();
+  const nowMs = resolveMemoryCoreNowMs(params.nowMs);
   const reportPath = resolveSeparateReportPath(params.workspaceDir, "deep", nowMs, params.timezone);
   await fs.mkdir(path.dirname(reportPath), { recursive: true });
   const body = params.bodyLines.length > 0 ? params.bodyLines.join("\n") : "- No durable changes.";
   await fs.writeFile(reportPath, `# Deep Sleep\n\n${body}\n`, "utf-8");
   await appendMemoryHostEvent(params.workspaceDir, {
     type: "memory.dream.completed",
-    timestamp: new Date(nowMs).toISOString(),
+    timestamp: resolveMemoryCoreTimestamp(nowMs),
     phase: "deep",
     reportPath,
     lineCount: params.bodyLines.length,

extensions/memory-core/src/flush-plan.test.ts

@@ -0,0 +1,18 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { buildMemoryFlushPlan } from "./flush-plan.js";
+
+describe("buildMemoryFlushPlan", () => {
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("falls back when the injected timestamp is outside Date range", () => {
+    vi.spyOn(Date, "now").mockReturnValue(Date.UTC(2026, 4, 30, 12, 0, 0));
+
+    const plan = buildMemoryFlushPlan({
+      nowMs: 8_640_000_000_000_001,
+    });
+
+    expect(plan?.relativePath).toBe("memory/2026-05-30.md");
+  });
+});

extensions/memory-core/src/flush-plan.ts

@@ -6,6 +6,7 @@ import {
   type MemoryFlushPlan,
   type OpenClawConfig,
 } from "openclaw/plugin-sdk/memory-core-host-runtime-core";
+import { resolveMemoryCoreNowMs } from "./time.js";
 
 export const DEFAULT_MEMORY_FLUSH_SOFT_TOKENS = 4000;
 export const DEFAULT_MEMORY_FLUSH_FORCE_TRANSCRIPT_BYTES = 2 * 1024 * 1024;
@@ -53,7 +54,7 @@ function formatDateStampInTimezone(nowMs: number, timezone: string): string {
   if (year && month && day) {
     return `${year}-${month}-${day}`;
   }
-  return new Date(nowMs).toISOString().slice(0, 10);
+  return new Date(resolveMemoryCoreNowMs(nowMs)).toISOString().slice(0, 10);
 }
 
 function normalizeNonNegativeInt(value: unknown): number | null {
@@ -99,7 +100,7 @@ export function buildMemoryFlushPlan(
   } = {},
 ): MemoryFlushPlan | null {
   const resolved = params;
-  const nowMs = Number.isFinite(resolved.nowMs) ? (resolved.nowMs as number) : Date.now();
+  const nowMs = resolveMemoryCoreNowMs(resolved.nowMs);
   const cfg = resolved.cfg;
   const defaults = cfg?.agents?.defaults?.compaction?.memoryFlush;
   if (defaults?.enabled === false) {