feat(android): localize every native locale

.github/workflows/ci.yml

@@ -848,6 +848,32 @@ jobs:
           path: .local/gateway-watch-regression/
           retention-days: 7
 
+  native-i18n:
+    permissions:
+      contents: read
+    needs: [preflight]
+    if: ${{ !cancelled() && always() && (needs.preflight.outputs.run_macos == 'true' || needs.preflight.outputs.run_android == 'true' || needs.preflight.outputs.run_node == 'true') }}
+    runs-on: ${{ github.repository == 'openclaw/openclaw' && 'blacksmith-4vcpu-ubuntu-2404' || 'ubuntu-24.04' }}
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          ref: ${{ needs.preflight.outputs.checkout_revision }}
+          persist-credentials: false
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "false"
+
+      - name: Check native app i18n inventory
+        run: pnpm native:i18n:check
+
+      - name: Check Android app i18n resources
+        if: needs.preflight.outputs.run_android == 'true'
+        run: pnpm android:i18n:check
+
   checks-fast-core:
     permissions:
       contents: read

apps/android/app/src/main/java/ai/openclaw/app/ui/ConnectTabScreen.kt

@@ -2,6 +2,7 @@ package ai.openclaw.app.ui
 
 import ai.openclaw.app.GatewayConnectionProblem
 import ai.openclaw.app.MainViewModel
+import ai.openclaw.app.R
 import ai.openclaw.app.ui.mobileCardSurface
 import androidx.compose.animation.AnimatedVisibility
 import androidx.compose.foundation.BorderStroke
@@ -51,6 +52,7 @@ import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.graphics.Color
 import androidx.compose.ui.platform.LocalContext
+import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.text.font.FontFamily
 import androidx.compose.ui.text.font.FontWeight
 import androidx.compose.ui.text.input.KeyboardType
@@ -100,7 +102,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
     AlertDialog(
       onDismissRequest = { viewModel.declineGatewayTrustPrompt() },
       containerColor = mobileCardSurface,
-      title = { Text("Trust this gateway?", style = mobileHeadline, color = mobileText) },
+      title = { Text(stringResource(R.string.trust_this_gateway), style = mobileHeadline, color = mobileText) },
       text = {
         val message =
           if (prompt.previousFingerprintSha256.isNullOrBlank()) {
@@ -119,7 +121,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
           onClick = { viewModel.acceptGatewayTrustPrompt() },
           colors = ButtonDefaults.textButtonColors(contentColor = mobileAccent),
         ) {
-          Text("Trust and continue")
+          Text(stringResource(R.string.trust_and_continue))
         }
       },
       dismissButton = {
@@ -127,7 +129,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
           onClick = { viewModel.declineGatewayTrustPrompt() },
           colors = ButtonDefaults.textButtonColors(contentColor = mobileTextSecondary),
         ) {
-          Text("Cancel")
+          Text(stringResource(R.string.cancel))
         }
       },
     )
@@ -158,9 +160,10 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
     verticalArrangement = Arrangement.spacedBy(14.dp),
   ) {
     Column(verticalArrangement = Arrangement.spacedBy(6.dp)) {
-      Text("Gateway Connection", style = mobileTitle1, color = mobileText)
+      Text(stringResource(R.string.gateway_connection), style = mobileTitle1, color = mobileText)
       Text(
-        if (isConnected) "Your gateway is active and ready." else "Connect to your gateway to get started.",
+        if (isConnected) stringResource(R.string.connected_gateway_ready)
+        else stringResource(R.string.connect_gateway_get_started),
         style = mobileCallout,
         color = mobileTextSecondary,
       )
@@ -191,7 +194,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
             )
           }
           Column(verticalArrangement = Arrangement.spacedBy(2.dp)) {
-            Text("Endpoint", style = mobileCaption1.copy(fontWeight = FontWeight.SemiBold), color = mobileTextSecondary)
+            Text(stringResource(R.string.endpoint), style = mobileCaption1.copy(fontWeight = FontWeight.SemiBold), color = mobileTextSecondary)
             Text(activeEndpoint, style = mobileBody.copy(fontFamily = FontFamily.Monospace), color = mobileText)
           }
         }
@@ -213,7 +216,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
             )
           }
           Column(verticalArrangement = Arrangement.spacedBy(2.dp)) {
-            Text("Status", style = mobileCaption1.copy(fontWeight = FontWeight.SemiBold), color = mobileTextSecondary)
+            Text(stringResource(R.string.status), style = mobileCaption1.copy(fontWeight = FontWeight.SemiBold), color = mobileTextSecondary)
             Text(statusText, style = mobileBody, color = if (isConnected) mobileSuccess else mobileText)
           }
         }
@@ -238,7 +241,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
       ) {
         Icon(Icons.Default.PowerSettingsNew, contentDescription = null, modifier = Modifier.size(18.dp))
         Spacer(modifier = Modifier.width(8.dp))
-        Text("Disconnect", style = mobileHeadline.copy(fontWeight = FontWeight.SemiBold))
+        Text(stringResource(R.string.disconnect), style = mobileHeadline.copy(fontWeight = FontWeight.SemiBold))
       }
     } else {
       Button(
@@ -307,7 +310,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
             contentColor = Color.White,
           ),
       ) {
-        Text("Connect Gateway", style = mobileHeadline.copy(fontWeight = FontWeight.Bold))
+        Text(stringResource(R.string.connect_gateway), style = mobileHeadline.copy(fontWeight = FontWeight.Bold))
       }
     }
 
@@ -354,7 +357,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
           ) {
             Icon(Icons.Default.ContentCopy, contentDescription = null, modifier = Modifier.size(18.dp))
             Spacer(modifier = Modifier.width(8.dp))
-            Text("Copy Report for Claw", style = mobileCallout.copy(fontWeight = FontWeight.Bold))
+            Text(stringResource(R.string.copy_report_for_claw), style = mobileCallout.copy(fontWeight = FontWeight.Bold))
           }
         }
       }
@@ -373,7 +376,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
         horizontalArrangement = Arrangement.SpaceBetween,
       ) {
         Column(verticalArrangement = Arrangement.spacedBy(2.dp)) {
-          Text("Advanced controls", style = mobileHeadline, color = mobileText)
+          Text(stringResource(R.string.advanced_controls), style = mobileHeadline, color = mobileText)
           Text("Setup code, endpoint, TLS, token, password, onboarding.", style = mobileCaption1, color = mobileTextSecondary)
         }
         Icon(
@@ -395,15 +398,15 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
           modifier = Modifier.fillMaxWidth().padding(horizontal = 14.dp, vertical = 14.dp),
           verticalArrangement = Arrangement.spacedBy(12.dp),
         ) {
-          Text("Connection method", style = mobileCaption1.copy(fontWeight = FontWeight.SemiBold), color = mobileTextSecondary)
+          Text(stringResource(R.string.connection_method), style = mobileCaption1.copy(fontWeight = FontWeight.SemiBold), color = mobileTextSecondary)
           Row(horizontalArrangement = Arrangement.spacedBy(8.dp)) {
             MethodChip(
-              label = "Setup Code",
+              label = stringResource(R.string.setup_code),
               active = inputMode == ConnectInputMode.SetupCode,
               onClick = { inputMode = ConnectInputMode.SetupCode },
             )
             MethodChip(
-              label = "Manual",
+              label = stringResource(R.string.manual),
               active = inputMode == ConnectInputMode.Manual,
               onClick = { inputMode = ConnectInputMode.Manual },
             )
@@ -419,14 +422,14 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
           )
 
           if (inputMode == ConnectInputMode.SetupCode) {
-            Text("Setup Code", style = mobileCaption1.copy(fontWeight = FontWeight.SemiBold), color = mobileTextSecondary)
+            Text(stringResource(R.string.setup_code), style = mobileCaption1.copy(fontWeight = FontWeight.SemiBold), color = mobileTextSecondary)
             OutlinedTextField(
               value = setupCode,
               onValueChange = {
                 setupCode = it
                 validationText = null
               },
-              placeholder = { Text("Paste setup code", style = mobileBody, color = mobileTextTertiary) },
+              placeholder = { Text(stringResource(R.string.paste_setup_code), style = mobileBody, color = mobileTextTertiary) },
               modifier = Modifier.fillMaxWidth(),
               minLines = 3,
               maxLines = 5,
@@ -460,7 +463,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
               )
             }
 
-            Text("Host", style = mobileCaption1.copy(fontWeight = FontWeight.SemiBold), color = mobileTextSecondary)
+            Text(stringResource(R.string.host), style = mobileCaption1.copy(fontWeight = FontWeight.SemiBold), color = mobileTextSecondary)
             OutlinedTextField(
               value = manualHostInput,
               onValueChange = {
@@ -502,7 +505,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
               horizontalArrangement = Arrangement.SpaceBetween,
             ) {
               Column(verticalArrangement = Arrangement.spacedBy(2.dp)) {
-                Text("Use TLS", style = mobileHeadline, color = mobileText)
+                Text(stringResource(R.string.use_tls), style = mobileHeadline, color = mobileText)
                 Text(
                   "Turn this on for Tailscale or public hosts. Private LAN ws:// remains supported.",
                   style = mobileCallout,
@@ -525,7 +528,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
               )
             }
 
-            Text("Token (optional)", style = mobileCaption1.copy(fontWeight = FontWeight.SemiBold), color = mobileTextSecondary)
+            Text(stringResource(R.string.token_optional), style = mobileCaption1.copy(fontWeight = FontWeight.SemiBold), color = mobileTextSecondary)
             OutlinedTextField(
               value = gatewayToken,
               onValueChange = { viewModel.setGatewayToken(it) },
@@ -546,7 +549,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
             OutlinedTextField(
               value = passwordInput,
               onValueChange = { passwordInput = it },
-              placeholder = { Text("password", style = mobileBody, color = mobileTextTertiary) },
+              placeholder = { Text(stringResource(R.string.password), style = mobileBody, color = mobileTextTertiary) },
               modifier = Modifier.fillMaxWidth(),
               singleLine = true,
               keyboardOptions = KeyboardOptions(keyboardType = KeyboardType.Ascii),
@@ -563,7 +566,7 @@ fun ConnectTabScreen(viewModel: MainViewModel) {
           HorizontalDivider(color = mobileBorder)
 
           TextButton(onClick = { viewModel.setOnboardingCompleted(false) }) {
-            Text("Run onboarding again", style = mobileCallout.copy(fontWeight = FontWeight.SemiBold), color = mobileAccent)
+            Text(stringResource(R.string.run_onboarding_again), style = mobileCallout.copy(fontWeight = FontWeight.SemiBold), color = mobileAccent)
           }
         }
       }

apps/android/app/src/main/java/ai/openclaw/app/ui/OnboardingFlow.kt

@@ -103,6 +103,7 @@ import androidx.compose.ui.graphics.drawscope.Stroke
 import androidx.compose.ui.graphics.vector.ImageVector
 import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.res.painterResource
+import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.text.font.FontFamily
 import androidx.compose.ui.text.font.FontWeight
 import androidx.compose.ui.text.style.TextAlign
@@ -212,7 +213,13 @@ fun OnboardingFlow(
       AlertDialog(
         onDismissRequest = viewModel::declineGatewayTrustPrompt,
         containerColor = ClawTheme.colors.surfaceRaised,
-        title = { Text("Trust this gateway?", style = ClawTheme.type.section, color = ClawTheme.colors.text) },
+        title = {
+          Text(
+            stringResource(R.string.trust_this_gateway),
+            style = ClawTheme.type.section,
+            color = ClawTheme.colors.text,
+          )
+        },
         text = {
           Text(
             "Verify the certificate fingerprint before continuing.\n\n${prompt.fingerprintSha256}",
@@ -222,12 +229,12 @@ fun OnboardingFlow(
         },
         confirmButton = {
           TextButton(onClick = viewModel::acceptGatewayTrustPrompt) {
-            Text("Trust")
+            Text(stringResource(R.string.trust_and_continue))
           }
         },
         dismissButton = {
           TextButton(onClick = viewModel::declineGatewayTrustPrompt) {
-            Text("Cancel")
+            Text(stringResource(R.string.cancel))
           }
         },
       )
@@ -534,20 +541,24 @@ private fun GatewaySetupScreen(
     Column(modifier = Modifier.fillMaxSize().imePadding(), verticalArrangement = Arrangement.SpaceBetween) {
       LazyColumn(verticalArrangement = Arrangement.spacedBy(9.dp)) {
         item {
-          OnboardingHeader(title = "Gateway Setup", subtitle = "Connect to your Gateway", onBack = onBack)
+          OnboardingHeader(
+            title = stringResource(R.string.gateway_setup),
+            subtitle = stringResource(R.string.connect_to_gateway),
+            onBack = onBack,
+          )
         }
         item {
           GatewayOption(
             icon = Icons.Default.QrCode2,
-            title = "Scan setup code",
-            subtitle = "Use your Gateway QR or setup code",
+            title = stringResource(R.string.scan_setup_code),
+            subtitle = stringResource(R.string.use_gateway_qr),
             onClick = onScan,
           )
         }
         item {
           GatewayOption(
             icon = Icons.Default.WifiTethering,
-            title = "Nearby gateway",
+            title = stringResource(R.string.nearby_gateway),
             subtitle = nearbyGateway.subtitle,
             status = nearbyGateway.status,
             onClick = onUseNearby.takeIf { nearbyGateway.canConnect },
@@ -556,8 +567,8 @@ private fun GatewaySetupScreen(
         item {
           GatewayOption(
             icon = Icons.Default.Link,
-            title = "Enter gateway URL",
-            subtitle = "Connect using a manual URL",
+            title = stringResource(R.string.enter_gateway_url),
+            subtitle = stringResource(R.string.connect_manual_url),
             onClick = { advancedOpen = true },
           )
         }
@@ -638,7 +649,7 @@ private fun GatewayRecoveryScreen(
 
   ClawScaffold(modifier = modifier, contentPadding = PaddingValues(horizontal = 18.dp, vertical = 16.dp)) {
     Column(modifier = Modifier.fillMaxSize(), verticalArrangement = Arrangement.spacedBy(18.dp)) {
-      OnboardingHeader(title = "Gateway Recovery", onBack = onBack)
+      OnboardingHeader(title = stringResource(R.string.gateway_setup), onBack = onBack)
       Spacer(modifier = Modifier.height(12.dp))
       Column(modifier = Modifier.fillMaxWidth(), horizontalAlignment = Alignment.CenterHorizontally, verticalArrangement = Arrangement.spacedBy(12.dp)) {
         Icon(
@@ -923,7 +934,9 @@ private fun PermissionTopBar(onBack: () -> Unit) {
     AlertDialog(
       onDismissRequest = { showHelp = false },
       containerColor = ClawTheme.colors.surfaceRaised,
-      title = { Text("Permissions", style = ClawTheme.type.section, color = ClawTheme.colors.text) },
+      title = {
+        Text(stringResource(R.string.permissions), style = ClawTheme.type.section, color = ClawTheme.colors.text)
+      },
       text = {
         Text(
           "Choose what this phone can share with OpenClaw. You can change these later in Settings.",
@@ -933,7 +946,7 @@ private fun PermissionTopBar(onBack: () -> Unit) {
       },
       confirmButton = {
         TextButton(onClick = { showHelp = false }) {
-          Text("Done")
+          Text(stringResource(R.string.done))
         }
       },
     )

apps/android/app/src/main/res/values-ar/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">اتصال البوابة</string>
+    <string name="connect_gateway">توصيل البوابة</string>
+    <string name="disconnect">قطع الاتصال</string>
+    <string name="trust_this_gateway">هل تثق بهذه البوابة؟</string>
+    <string name="trust_and_continue">الثقة والمتابعة</string>
+    <string name="cancel">إلغاء</string>
+    <string name="endpoint">نقطة النهاية</string>
+    <string name="status">الحالة</string>
+    <string name="connected_gateway_ready">بوابتك نشطة وجاهزة.</string>
+    <string name="connect_gateway_get_started">اتصل ببوابتك للبدء.</string>
+    <string name="copy_report_for_claw">نسخ التقرير لـ Claw</string>
+    <string name="advanced_controls">عناصر التحكم المتقدمة</string>
+    <string name="connection_method">طريقة الاتصال</string>
+    <string name="setup_code">رمز الإعداد</string>
+    <string name="manual">يدوي</string>
+    <string name="paste_setup_code">الصق رمز الإعداد</string>
+    <string name="host">المضيف</string>
+    <string name="use_tls">استخدام TLS</string>
+    <string name="token_optional">الرمز المميز (اختياري)</string>
+    <string name="password">كلمة المرور</string>
+    <string name="run_onboarding_again">تشغيل الإعداد الأولي مرة أخرى</string>
+    <string name="resolved_endpoint">نقطة النهاية التي تم حلها</string>
+    <string name="gateway_setup">إعداد البوابة</string>
+    <string name="connect_to_gateway">الاتصال ببوابتك</string>
+    <string name="scan_setup_code">مسح رمز الإعداد</string>
+    <string name="use_gateway_qr">استخدم رمز QR الخاص ببوابتك أو رمز الإعداد</string>
+    <string name="nearby_gateway">بوابة قريبة</string>
+    <string name="enter_gateway_url">أدخل عنوان URL للبوابة</string>
+    <string name="connect_manual_url">الاتصال باستخدام عنوان URL يدوي</string>
+    <string name="permissions">الأذونات</string>
+    <string name="done">تم</string>
+</resources>

apps/android/app/src/main/res/values-de/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">Gateway-Verbindung</string>
+    <string name="connect_gateway">Gateway verbinden</string>
+    <string name="disconnect">Trennen</string>
+    <string name="trust_this_gateway">Diesem Gateway vertrauen?</string>
+    <string name="trust_and_continue">Vertrauen und fortfahren</string>
+    <string name="cancel">Abbrechen</string>
+    <string name="endpoint">Endpunkt</string>
+    <string name="status">Status</string>
+    <string name="connected_gateway_ready">Ihr Gateway ist aktiv und bereit.</string>
+    <string name="connect_gateway_get_started">Verbinden Sie sich mit Ihrem Gateway, um loszulegen.</string>
+    <string name="copy_report_for_claw">Bericht für Claw kopieren</string>
+    <string name="advanced_controls">Erweiterte Steuerungen</string>
+    <string name="connection_method">Verbindungsmethode</string>
+    <string name="setup_code">Einrichtungscode</string>
+    <string name="manual">Manuell</string>
+    <string name="paste_setup_code">Einrichtungscode einfügen</string>
+    <string name="host">Host</string>
+    <string name="use_tls">TLS verwenden</string>
+    <string name="token_optional">Token (optional)</string>
+    <string name="password">Passwort</string>
+    <string name="run_onboarding_again">Onboarding erneut ausführen</string>
+    <string name="resolved_endpoint">Aufgelöster Endpunkt</string>
+    <string name="gateway_setup">Gateway-Einrichtung</string>
+    <string name="connect_to_gateway">Mit Ihrem Gateway verbinden</string>
+    <string name="scan_setup_code">Einrichtungscode scannen</string>
+    <string name="use_gateway_qr">Verwenden Sie Ihren Gateway-QR- oder Einrichtungscode</string>
+    <string name="nearby_gateway">Gateway in der Nähe</string>
+    <string name="enter_gateway_url">Gateway-URL eingeben</string>
+    <string name="connect_manual_url">Über eine manuelle URL verbinden</string>
+    <string name="permissions">Berechtigungen</string>
+    <string name="done">Fertig</string>
+</resources>

apps/android/app/src/main/res/values-es/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">Conexión de Gateway</string>
+    <string name="connect_gateway">Conectar Gateway</string>
+    <string name="disconnect">Desconectar</string>
+    <string name="trust_this_gateway">¿Confiar en este gateway?</string>
+    <string name="trust_and_continue">Confiar y continuar</string>
+    <string name="cancel">Cancelar</string>
+    <string name="endpoint">Endpoint</string>
+    <string name="status">Estado</string>
+    <string name="connected_gateway_ready">Tu gateway está activo y listo.</string>
+    <string name="connect_gateway_get_started">Conéctate a tu gateway para empezar.</string>
+    <string name="copy_report_for_claw">Copiar informe para Claw</string>
+    <string name="advanced_controls">Controles avanzados</string>
+    <string name="connection_method">Método de conexión</string>
+    <string name="setup_code">Código de configuración</string>
+    <string name="manual">Manual</string>
+    <string name="paste_setup_code">Pegar código de configuración</string>
+    <string name="host">Host</string>
+    <string name="use_tls">Usar TLS</string>
+    <string name="token_optional">Token (opcional)</string>
+    <string name="password">Contraseña</string>
+    <string name="run_onboarding_again">Ejecutar la incorporación de nuevo</string>
+    <string name="resolved_endpoint">Endpoint resuelto</string>
+    <string name="gateway_setup">Configuración de Gateway</string>
+    <string name="connect_to_gateway">Conéctate a tu Gateway</string>
+    <string name="scan_setup_code">Escanear código de configuración</string>
+    <string name="use_gateway_qr">Usa el QR o código de configuración de tu Gateway</string>
+    <string name="nearby_gateway">Gateway cercano</string>
+    <string name="enter_gateway_url">Introduce la URL del gateway</string>
+    <string name="connect_manual_url">Conectar usando una URL manual</string>
+    <string name="permissions">Permisos</string>
+    <string name="done">Listo</string>
+</resources>

apps/android/app/src/main/res/values-fa/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">اتصال دروازه</string>
+    <string name="connect_gateway">اتصال به دروازه</string>
+    <string name="disconnect">قطع اتصال</string>
+    <string name="trust_this_gateway">به این دروازه اعتماد دارید؟</string>
+    <string name="trust_and_continue">اعتماد و ادامه</string>
+    <string name="cancel">لغو</string>
+    <string name="endpoint">نقطه پایانی</string>
+    <string name="status">وضعیت</string>
+    <string name="connected_gateway_ready">دروازه شما فعال و آماده است.</string>
+    <string name="connect_gateway_get_started">برای شروع، به دروازه خود متصل شوید.</string>
+    <string name="copy_report_for_claw">کپی گزارش برای Claw</string>
+    <string name="advanced_controls">کنترل‌های پیشرفته</string>
+    <string name="connection_method">روش اتصال</string>
+    <string name="setup_code">کد راه‌اندازی</string>
+    <string name="manual">دستی</string>
+    <string name="paste_setup_code">کد راه‌اندازی را جای‌گذاری کنید</string>
+    <string name="host">میزبان</string>
+    <string name="use_tls">استفاده از TLS</string>
+    <string name="token_optional">توکن (اختیاری)</string>
+    <string name="password">رمز عبور</string>
+    <string name="run_onboarding_again">اجرای دوباره فرایند شروع به کار</string>
+    <string name="resolved_endpoint">نقطه پایانی حل‌شده</string>
+    <string name="gateway_setup">راه‌اندازی دروازه</string>
+    <string name="connect_to_gateway">به دروازه خود متصل شوید</string>
+    <string name="scan_setup_code">اسکن کد راه‌اندازی</string>
+    <string name="use_gateway_qr">از QR دروازه یا کد راه‌اندازی خود استفاده کنید</string>
+    <string name="nearby_gateway">دروازه نزدیک</string>
+    <string name="enter_gateway_url">URL دروازه را وارد کنید</string>
+    <string name="connect_manual_url">اتصال با استفاده از URL دستی</string>
+    <string name="permissions">مجوزها</string>
+    <string name="done">انجام شد</string>
+</resources>

apps/android/app/src/main/res/values-fr/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">Connexion à la passerelle</string>
+    <string name="connect_gateway">Connecter la passerelle</string>
+    <string name="disconnect">Déconnecter</string>
+    <string name="trust_this_gateway">Faire confiance à cette passerelle ?</string>
+    <string name="trust_and_continue">Faire confiance et continuer</string>
+    <string name="cancel">Annuler</string>
+    <string name="endpoint">Point de terminaison</string>
+    <string name="status">État</string>
+    <string name="connected_gateway_ready">Votre passerelle est active et prête.</string>
+    <string name="connect_gateway_get_started">Connectez-vous à votre passerelle pour commencer.</string>
+    <string name="copy_report_for_claw">Copier le rapport pour Claw</string>
+    <string name="advanced_controls">Contrôles avancés</string>
+    <string name="connection_method">Méthode de connexion</string>
+    <string name="setup_code">Code de configuration</string>
+    <string name="manual">Manuel</string>
+    <string name="paste_setup_code">Coller le code de configuration</string>
+    <string name="host">Hôte</string>
+    <string name="use_tls">Utiliser TLS</string>
+    <string name="token_optional">Jeton (facultatif)</string>
+    <string name="password">Mot de passe</string>
+    <string name="run_onboarding_again">Relancer l’intégration</string>
+    <string name="resolved_endpoint">Point de terminaison résolu</string>
+    <string name="gateway_setup">Configuration de la passerelle</string>
+    <string name="connect_to_gateway">Connectez-vous à votre Gateway</string>
+    <string name="scan_setup_code">Scanner le code de configuration</string>
+    <string name="use_gateway_qr">Utilisez le QR de votre Gateway ou le code de configuration</string>
+    <string name="nearby_gateway">Passerelle à proximité</string>
+    <string name="enter_gateway_url">Saisir l’URL de la passerelle</string>
+    <string name="connect_manual_url">Se connecter avec une URL manuelle</string>
+    <string name="permissions">Autorisations</string>
+    <string name="done">Terminé</string>
+</resources>

apps/android/app/src/main/res/values-hi/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">गेटवे कनेक्शन</string>
+    <string name="connect_gateway">गेटवे कनेक्ट करें</string>
+    <string name="disconnect">डिस्कनेक्ट करें</string>
+    <string name="trust_this_gateway">इस गेटवे पर भरोसा करें?</string>
+    <string name="trust_and_continue">भरोसा करें और जारी रखें</string>
+    <string name="cancel">रद्द करें</string>
+    <string name="endpoint">एंडपॉइंट</string>
+    <string name="status">स्थिति</string>
+    <string name="connected_gateway_ready">आपका गेटवे सक्रिय और तैयार है।</string>
+    <string name="connect_gateway_get_started">शुरू करने के लिए अपने गेटवे से कनेक्ट करें।</string>
+    <string name="copy_report_for_claw">Claw के लिए रिपोर्ट कॉपी करें</string>
+    <string name="advanced_controls">उन्नत नियंत्रण</string>
+    <string name="connection_method">कनेक्शन विधि</string>
+    <string name="setup_code">सेटअप कोड</string>
+    <string name="manual">मैन्युअल</string>
+    <string name="paste_setup_code">सेटअप कोड पेस्ट करें</string>
+    <string name="host">होस्ट</string>
+    <string name="use_tls">TLS का उपयोग करें</string>
+    <string name="token_optional">टोकन (वैकल्पिक)</string>
+    <string name="password">पासवर्ड</string>
+    <string name="run_onboarding_again">ऑनबोर्डिंग फिर से चलाएँ</string>
+    <string name="resolved_endpoint">रिज़ॉल्व किया गया एंडपॉइंट</string>
+    <string name="gateway_setup">गेटवे सेटअप</string>
+    <string name="connect_to_gateway">अपने गेटवे से कनेक्ट करें</string>
+    <string name="scan_setup_code">सेटअप कोड स्कैन करें</string>
+    <string name="use_gateway_qr">अपने गेटवे QR या सेटअप कोड का उपयोग करें</string>
+    <string name="nearby_gateway">नज़दीकी गेटवे</string>
+    <string name="enter_gateway_url">गेटवे URL दर्ज करें</string>
+    <string name="connect_manual_url">मैन्युअल URL का उपयोग करके कनेक्ट करें</string>
+    <string name="permissions">अनुमतियाँ</string>
+    <string name="done">हो गया</string>
+</resources>

apps/android/app/src/main/res/values-id/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">Koneksi Gateway</string>
+    <string name="connect_gateway">Hubungkan Gateway</string>
+    <string name="disconnect">Putuskan koneksi</string>
+    <string name="trust_this_gateway">Percayai gateway ini?</string>
+    <string name="trust_and_continue">Percayai dan lanjutkan</string>
+    <string name="cancel">Batal</string>
+    <string name="endpoint">Endpoint</string>
+    <string name="status">Status</string>
+    <string name="connected_gateway_ready">Gateway Anda aktif dan siap.</string>
+    <string name="connect_gateway_get_started">Hubungkan ke gateway Anda untuk memulai.</string>
+    <string name="copy_report_for_claw">Salin Laporan untuk Claw</string>
+    <string name="advanced_controls">Kontrol lanjutan</string>
+    <string name="connection_method">Metode koneksi</string>
+    <string name="setup_code">Kode Penyiapan</string>
+    <string name="manual">Manual</string>
+    <string name="paste_setup_code">Tempel kode penyiapan</string>
+    <string name="host">Host</string>
+    <string name="use_tls">Gunakan TLS</string>
+    <string name="token_optional">Token (opsional)</string>
+    <string name="password">Kata sandi</string>
+    <string name="run_onboarding_again">Jalankan onboarding lagi</string>
+    <string name="resolved_endpoint">Endpoint yang diselesaikan</string>
+    <string name="gateway_setup">Penyiapan Gateway</string>
+    <string name="connect_to_gateway">Hubungkan ke Gateway Anda</string>
+    <string name="scan_setup_code">Pindai kode penyiapan</string>
+    <string name="use_gateway_qr">Gunakan QR Gateway atau kode penyiapan Anda</string>
+    <string name="nearby_gateway">Gateway terdekat</string>
+    <string name="enter_gateway_url">Masukkan URL gateway</string>
+    <string name="connect_manual_url">Hubungkan menggunakan URL manual</string>
+    <string name="permissions">Izin</string>
+    <string name="done">Selesai</string>
+</resources>

apps/android/app/src/main/res/values-it/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">Connessione al gateway</string>
+    <string name="connect_gateway">Connetti gateway</string>
+    <string name="disconnect">Disconnetti</string>
+    <string name="trust_this_gateway">Considerare attendibile questo gateway?</string>
+    <string name="trust_and_continue">Considera attendibile e continua</string>
+    <string name="cancel">Annulla</string>
+    <string name="endpoint">Endpoint</string>
+    <string name="status">Stato</string>
+    <string name="connected_gateway_ready">Il tuo gateway è attivo e pronto.</string>
+    <string name="connect_gateway_get_started">Connettiti al tuo gateway per iniziare.</string>
+    <string name="copy_report_for_claw">Copia report per Claw</string>
+    <string name="advanced_controls">Controlli avanzati</string>
+    <string name="connection_method">Metodo di connessione</string>
+    <string name="setup_code">Codice di configurazione</string>
+    <string name="manual">Manuale</string>
+    <string name="paste_setup_code">Incolla codice di configurazione</string>
+    <string name="host">Host</string>
+    <string name="use_tls">Usa TLS</string>
+    <string name="token_optional">Token (opzionale)</string>
+    <string name="password">Password</string>
+    <string name="run_onboarding_again">Esegui di nuovo l&apos;onboarding</string>
+    <string name="resolved_endpoint">Endpoint risolto</string>
+    <string name="gateway_setup">Configurazione gateway</string>
+    <string name="connect_to_gateway">Connettiti al tuo Gateway</string>
+    <string name="scan_setup_code">Scansiona codice di configurazione</string>
+    <string name="use_gateway_qr">Usa il QR del tuo Gateway o il codice di configurazione</string>
+    <string name="nearby_gateway">Gateway nelle vicinanze</string>
+    <string name="enter_gateway_url">Inserisci URL del gateway</string>
+    <string name="connect_manual_url">Connetti usando un URL manuale</string>
+    <string name="permissions">Autorizzazioni</string>
+    <string name="done">Fine</string>
+</resources>

apps/android/app/src/main/res/values-ja/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">ゲートウェイ接続</string>
+    <string name="connect_gateway">ゲートウェイに接続</string>
+    <string name="disconnect">切断</string>
+    <string name="trust_this_gateway">このゲートウェイを信頼しますか？</string>
+    <string name="trust_and_continue">信頼して続行</string>
+    <string name="cancel">キャンセル</string>
+    <string name="endpoint">エンドポイント</string>
+    <string name="status">ステータス</string>
+    <string name="connected_gateway_ready">ゲートウェイはアクティブで準備完了です。</string>
+    <string name="connect_gateway_get_started">開始するにはゲートウェイに接続してください。</string>
+    <string name="copy_report_for_claw">Claw 用レポートをコピー</string>
+    <string name="advanced_controls">詳細コントロール</string>
+    <string name="connection_method">接続方法</string>
+    <string name="setup_code">セットアップコード</string>
+    <string name="manual">手動</string>
+    <string name="paste_setup_code">セットアップコードを貼り付け</string>
+    <string name="host">ホスト</string>
+    <string name="use_tls">TLS を使用</string>
+    <string name="token_optional">トークン（任意）</string>
+    <string name="password">パスワード</string>
+    <string name="run_onboarding_again">オンボーディングを再実行</string>
+    <string name="resolved_endpoint">解決済みエンドポイント</string>
+    <string name="gateway_setup">ゲートウェイ設定</string>
+    <string name="connect_to_gateway">ゲートウェイに接続</string>
+    <string name="scan_setup_code">セットアップコードをスキャン</string>
+    <string name="use_gateway_qr">ゲートウェイの QR またはセットアップコードを使用</string>
+    <string name="nearby_gateway">近くのゲートウェイ</string>
+    <string name="enter_gateway_url">ゲートウェイ URL を入力</string>
+    <string name="connect_manual_url">手動 URL で接続</string>
+    <string name="permissions">権限</string>
+    <string name="done">完了</string>
+</resources>

apps/android/app/src/main/res/values-ko/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">게이트웨이 연결</string>
+    <string name="connect_gateway">게이트웨이 연결</string>
+    <string name="disconnect">연결 해제</string>
+    <string name="trust_this_gateway">이 게이트웨이를 신뢰하시겠습니까?</string>
+    <string name="trust_and_continue">신뢰하고 계속</string>
+    <string name="cancel">취소</string>
+    <string name="endpoint">엔드포인트</string>
+    <string name="status">상태</string>
+    <string name="connected_gateway_ready">게이트웨이가 활성화되어 준비되었습니다.</string>
+    <string name="connect_gateway_get_started">시작하려면 게이트웨이에 연결하세요.</string>
+    <string name="copy_report_for_claw">Claw용 보고서 복사</string>
+    <string name="advanced_controls">고급 제어</string>
+    <string name="connection_method">연결 방법</string>
+    <string name="setup_code">설정 코드</string>
+    <string name="manual">수동</string>
+    <string name="paste_setup_code">설정 코드 붙여넣기</string>
+    <string name="host">호스트</string>
+    <string name="use_tls">TLS 사용</string>
+    <string name="token_optional">토큰(선택 사항)</string>
+    <string name="password">비밀번호</string>
+    <string name="run_onboarding_again">온보딩 다시 실행</string>
+    <string name="resolved_endpoint">확인된 엔드포인트</string>
+    <string name="gateway_setup">게이트웨이 설정</string>
+    <string name="connect_to_gateway">게이트웨이에 연결</string>
+    <string name="scan_setup_code">설정 코드 스캔</string>
+    <string name="use_gateway_qr">게이트웨이 QR 또는 설정 코드 사용</string>
+    <string name="nearby_gateway">주변 게이트웨이</string>
+    <string name="enter_gateway_url">게이트웨이 URL 입력</string>
+    <string name="connect_manual_url">수동 URL을 사용하여 연결</string>
+    <string name="permissions">권한</string>
+    <string name="done">완료</string>
+</resources>

apps/android/app/src/main/res/values-nl/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">Gatewayverbinding</string>
+    <string name="connect_gateway">Gateway verbinden</string>
+    <string name="disconnect">Verbinding verbreken</string>
+    <string name="trust_this_gateway">Deze gateway vertrouwen?</string>
+    <string name="trust_and_continue">Vertrouwen en doorgaan</string>
+    <string name="cancel">Annuleren</string>
+    <string name="endpoint">Endpoint</string>
+    <string name="status">Status</string>
+    <string name="connected_gateway_ready">Je gateway is actief en klaar voor gebruik.</string>
+    <string name="connect_gateway_get_started">Verbind met je gateway om te beginnen.</string>
+    <string name="copy_report_for_claw">Rapport voor Claw kopiëren</string>
+    <string name="advanced_controls">Geavanceerde bediening</string>
+    <string name="connection_method">Verbindingsmethode</string>
+    <string name="setup_code">Setupcode</string>
+    <string name="manual">Handmatig</string>
+    <string name="paste_setup_code">Setupcode plakken</string>
+    <string name="host">Host</string>
+    <string name="use_tls">TLS gebruiken</string>
+    <string name="token_optional">Token (optioneel)</string>
+    <string name="password">Wachtwoord</string>
+    <string name="run_onboarding_again">Onboarding opnieuw uitvoeren</string>
+    <string name="resolved_endpoint">Opgelost endpoint</string>
+    <string name="gateway_setup">Gateway instellen</string>
+    <string name="connect_to_gateway">Verbinden met je Gateway</string>
+    <string name="scan_setup_code">Setupcode scannen</string>
+    <string name="use_gateway_qr">Gebruik je Gateway-QR-code of setupcode</string>
+    <string name="nearby_gateway">Gateway in de buurt</string>
+    <string name="enter_gateway_url">Gateway-URL invoeren</string>
+    <string name="connect_manual_url">Verbinden met een handmatige URL</string>
+    <string name="permissions">Machtigingen</string>
+    <string name="done">Gereed</string>
+</resources>

apps/android/app/src/main/res/values-pl/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">Połączenie z bramą</string>
+    <string name="connect_gateway">Połącz z bramą</string>
+    <string name="disconnect">Rozłącz</string>
+    <string name="trust_this_gateway">Ufać tej bramie?</string>
+    <string name="trust_and_continue">Zaufaj i kontynuuj</string>
+    <string name="cancel">Anuluj</string>
+    <string name="endpoint">Punkt końcowy</string>
+    <string name="status">Status</string>
+    <string name="connected_gateway_ready">Twoja brama jest aktywna i gotowa.</string>
+    <string name="connect_gateway_get_started">Połącz się ze swoją bramą, aby rozpocząć.</string>
+    <string name="copy_report_for_claw">Kopiuj raport dla Claw</string>
+    <string name="advanced_controls">Zaawansowane ustawienia</string>
+    <string name="connection_method">Metoda połączenia</string>
+    <string name="setup_code">Kod konfiguracji</string>
+    <string name="manual">Ręcznie</string>
+    <string name="paste_setup_code">Wklej kod konfiguracji</string>
+    <string name="host">Host</string>
+    <string name="use_tls">Użyj TLS</string>
+    <string name="token_optional">Token (opcjonalnie)</string>
+    <string name="password">Hasło</string>
+    <string name="run_onboarding_again">Uruchom ponownie wdrażanie</string>
+    <string name="resolved_endpoint">Rozpoznany punkt końcowy</string>
+    <string name="gateway_setup">Konfiguracja bramy</string>
+    <string name="connect_to_gateway">Połącz ze swoją bramą</string>
+    <string name="scan_setup_code">Zeskanuj kod konfiguracji</string>
+    <string name="use_gateway_qr">Użyj kodu QR bramy lub kodu konfiguracji</string>
+    <string name="nearby_gateway">Pobliska brama</string>
+    <string name="enter_gateway_url">Wprowadź URL bramy</string>
+    <string name="connect_manual_url">Połącz, używając ręcznego URL</string>
+    <string name="permissions">Uprawnienia</string>
+    <string name="done">Gotowe</string>
+</resources>

apps/android/app/src/main/res/values-pt-rBR/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">Conexão do Gateway</string>
+    <string name="connect_gateway">Conectar Gateway</string>
+    <string name="disconnect">Desconectar</string>
+    <string name="trust_this_gateway">Confiar neste gateway?</string>
+    <string name="trust_and_continue">Confiar e continuar</string>
+    <string name="cancel">Cancelar</string>
+    <string name="endpoint">Endpoint</string>
+    <string name="status">Status</string>
+    <string name="connected_gateway_ready">Seu gateway está ativo e pronto.</string>
+    <string name="connect_gateway_get_started">Conecte-se ao seu gateway para começar.</string>
+    <string name="copy_report_for_claw">Copiar relatório para o Claw</string>
+    <string name="advanced_controls">Controles avançados</string>
+    <string name="connection_method">Método de conexão</string>
+    <string name="setup_code">Código de configuração</string>
+    <string name="manual">Manual</string>
+    <string name="paste_setup_code">Colar código de configuração</string>
+    <string name="host">Host</string>
+    <string name="use_tls">Usar TLS</string>
+    <string name="token_optional">Token (opcional)</string>
+    <string name="password">Senha</string>
+    <string name="run_onboarding_again">Executar integração novamente</string>
+    <string name="resolved_endpoint">Endpoint resolvido</string>
+    <string name="gateway_setup">Configuração do Gateway</string>
+    <string name="connect_to_gateway">Conecte-se ao seu Gateway</string>
+    <string name="scan_setup_code">Escanear código de configuração</string>
+    <string name="use_gateway_qr">Use o QR do seu Gateway ou o código de configuração</string>
+    <string name="nearby_gateway">Gateway próximo</string>
+    <string name="enter_gateway_url">Inserir URL do gateway</string>
+    <string name="connect_manual_url">Conectar usando uma URL manual</string>
+    <string name="permissions">Permissões</string>
+    <string name="done">Concluído</string>
+</resources>

apps/android/app/src/main/res/values-ru/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">Подключение к шлюзу</string>
+    <string name="connect_gateway">Подключить шлюз</string>
+    <string name="disconnect">Отключить</string>
+    <string name="trust_this_gateway">Доверять этому шлюзу?</string>
+    <string name="trust_and_continue">Доверять и продолжить</string>
+    <string name="cancel">Отмена</string>
+    <string name="endpoint">Конечная точка</string>
+    <string name="status">Статус</string>
+    <string name="connected_gateway_ready">Ваш шлюз активен и готов.</string>
+    <string name="connect_gateway_get_started">Подключитесь к своему шлюзу, чтобы начать.</string>
+    <string name="copy_report_for_claw">Скопировать отчет для Claw</string>
+    <string name="advanced_controls">Расширенные настройки</string>
+    <string name="connection_method">Способ подключения</string>
+    <string name="setup_code">Код настройки</string>
+    <string name="manual">Вручную</string>
+    <string name="paste_setup_code">Вставьте код настройки</string>
+    <string name="host">Хост</string>
+    <string name="use_tls">Использовать TLS</string>
+    <string name="token_optional">Токен (необязательно)</string>
+    <string name="password">Пароль</string>
+    <string name="run_onboarding_again">Запустить настройку заново</string>
+    <string name="resolved_endpoint">Разрешенная конечная точка</string>
+    <string name="gateway_setup">Настройка шлюза</string>
+    <string name="connect_to_gateway">Подключитесь к своему шлюзу</string>
+    <string name="scan_setup_code">Сканировать код настройки</string>
+    <string name="use_gateway_qr">Используйте QR-код или код настройки вашего шлюза</string>
+    <string name="nearby_gateway">Шлюз поблизости</string>
+    <string name="enter_gateway_url">Введите URL шлюза</string>
+    <string name="connect_manual_url">Подключиться с помощью URL вручную</string>
+    <string name="permissions">Разрешения</string>
+    <string name="done">Готово</string>
+</resources>

apps/android/app/src/main/res/values-th/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">การเชื่อมต่อเกตเวย์</string>
+    <string name="connect_gateway">เชื่อมต่อเกตเวย์</string>
+    <string name="disconnect">ตัดการเชื่อมต่อ</string>
+    <string name="trust_this_gateway">เชื่อถือเกตเวย์นี้หรือไม่?</string>
+    <string name="trust_and_continue">เชื่อถือและดำเนินการต่อ</string>
+    <string name="cancel">ยกเลิก</string>
+    <string name="endpoint">เอนด์พอยต์</string>
+    <string name="status">สถานะ</string>
+    <string name="connected_gateway_ready">เกตเวย์ของคุณเปิดใช้งานและพร้อมใช้งานแล้ว</string>
+    <string name="connect_gateway_get_started">เชื่อมต่อกับเกตเวย์ของคุณเพื่อเริ่มต้นใช้งาน</string>
+    <string name="copy_report_for_claw">คัดลอกรายงานสำหรับ Claw</string>
+    <string name="advanced_controls">การควบคุมขั้นสูง</string>
+    <string name="connection_method">วิธีการเชื่อมต่อ</string>
+    <string name="setup_code">รหัสตั้งค่า</string>
+    <string name="manual">ด้วยตนเอง</string>
+    <string name="paste_setup_code">วางรหัสตั้งค่า</string>
+    <string name="host">โฮสต์</string>
+    <string name="use_tls">ใช้ TLS</string>
+    <string name="token_optional">โทเค็น (ไม่บังคับ)</string>
+    <string name="password">รหัสผ่าน</string>
+    <string name="run_onboarding_again">เรียกใช้การเริ่มต้นใช้งานอีกครั้ง</string>
+    <string name="resolved_endpoint">เอนด์พอยต์ที่แก้ไขแล้ว</string>
+    <string name="gateway_setup">การตั้งค่าเกตเวย์</string>
+    <string name="connect_to_gateway">เชื่อมต่อกับเกตเวย์ของคุณ</string>
+    <string name="scan_setup_code">สแกนรหัสตั้งค่า</string>
+    <string name="use_gateway_qr">ใช้ QR ของเกตเวย์หรือรหัสตั้งค่าของคุณ</string>
+    <string name="nearby_gateway">เกตเวย์ใกล้เคียง</string>
+    <string name="enter_gateway_url">ป้อน URL เกตเวย์</string>
+    <string name="connect_manual_url">เชื่อมต่อโดยใช้ URL ด้วยตนเอง</string>
+    <string name="permissions">สิทธิ์</string>
+    <string name="done">เสร็จสิ้น</string>
+</resources>

apps/android/app/src/main/res/values-tr/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">Ağ Geçidi Bağlantısı</string>
+    <string name="connect_gateway">Ağ Geçidine Bağlan</string>
+    <string name="disconnect">Bağlantıyı Kes</string>
+    <string name="trust_this_gateway">Bu ağ geçidine güvenilsin mi?</string>
+    <string name="trust_and_continue">Güven ve devam et</string>
+    <string name="cancel">İptal</string>
+    <string name="endpoint">Uç nokta</string>
+    <string name="status">Durum</string>
+    <string name="connected_gateway_ready">Ağ geçidiniz etkin ve hazır.</string>
+    <string name="connect_gateway_get_started">Başlamak için ağ geçidinize bağlanın.</string>
+    <string name="copy_report_for_claw">Claw için Raporu Kopyala</string>
+    <string name="advanced_controls">Gelişmiş kontroller</string>
+    <string name="connection_method">Bağlantı yöntemi</string>
+    <string name="setup_code">Kurulum Kodu</string>
+    <string name="manual">Manuel</string>
+    <string name="paste_setup_code">Kurulum kodunu yapıştır</string>
+    <string name="host">Ana makine</string>
+    <string name="use_tls">TLS kullan</string>
+    <string name="token_optional">Token (isteğe bağlı)</string>
+    <string name="password">Parola</string>
+    <string name="run_onboarding_again">Başlangıç sürecini tekrar çalıştır</string>
+    <string name="resolved_endpoint">Çözümlenen uç nokta</string>
+    <string name="gateway_setup">Ağ Geçidi Kurulumu</string>
+    <string name="connect_to_gateway">Ağ Geçidinize Bağlanın</string>
+    <string name="scan_setup_code">Kurulum kodunu tara</string>
+    <string name="use_gateway_qr">Gateway QR kodunuzu veya kurulum kodunuzu kullanın</string>
+    <string name="nearby_gateway">Yakındaki ağ geçidi</string>
+    <string name="enter_gateway_url">Ağ geçidi URL&apos;sini girin</string>
+    <string name="connect_manual_url">Manuel URL kullanarak bağlan</string>
+    <string name="permissions">İzinler</string>
+    <string name="done">Bitti</string>
+</resources>

apps/android/app/src/main/res/values-uk/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">Підключення до шлюзу</string>
+    <string name="connect_gateway">Підключити шлюз</string>
+    <string name="disconnect">Відключити</string>
+    <string name="trust_this_gateway">Довіряти цьому шлюзу?</string>
+    <string name="trust_and_continue">Довіряти й продовжити</string>
+    <string name="cancel">Скасувати</string>
+    <string name="endpoint">Кінцева точка</string>
+    <string name="status">Стан</string>
+    <string name="connected_gateway_ready">Ваш шлюз активний і готовий.</string>
+    <string name="connect_gateway_get_started">Підключіться до свого шлюзу, щоб почати.</string>
+    <string name="copy_report_for_claw">Скопіювати звіт для Claw</string>
+    <string name="advanced_controls">Розширені елементи керування</string>
+    <string name="connection_method">Спосіб підключення</string>
+    <string name="setup_code">Код налаштування</string>
+    <string name="manual">Вручну</string>
+    <string name="paste_setup_code">Вставте код налаштування</string>
+    <string name="host">Хост</string>
+    <string name="use_tls">Використовувати TLS</string>
+    <string name="token_optional">Токен (необов’язково)</string>
+    <string name="password">Пароль</string>
+    <string name="run_onboarding_again">Запустити адаптацію знову</string>
+    <string name="resolved_endpoint">Визначена кінцева точка</string>
+    <string name="gateway_setup">Налаштування шлюзу</string>
+    <string name="connect_to_gateway">Підключіться до свого шлюзу</string>
+    <string name="scan_setup_code">Сканувати код налаштування</string>
+    <string name="use_gateway_qr">Використайте QR-код свого шлюзу або код налаштування</string>
+    <string name="nearby_gateway">Шлюз поблизу</string>
+    <string name="enter_gateway_url">Введіть URL-адресу шлюзу</string>
+    <string name="connect_manual_url">Підключитися за допомогою URL-адреси вручну</string>
+    <string name="permissions">Дозволи</string>
+    <string name="done">Готово</string>
+</resources>

apps/android/app/src/main/res/values-vi/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">Kết nối cổng</string>
+    <string name="connect_gateway">Kết nối cổng</string>
+    <string name="disconnect">Ngắt kết nối</string>
+    <string name="trust_this_gateway">Tin cậy cổng này?</string>
+    <string name="trust_and_continue">Tin cậy và tiếp tục</string>
+    <string name="cancel">Hủy</string>
+    <string name="endpoint">Điểm cuối</string>
+    <string name="status">Trạng thái</string>
+    <string name="connected_gateway_ready">Cổng của bạn đang hoạt động và sẵn sàng.</string>
+    <string name="connect_gateway_get_started">Kết nối với cổng của bạn để bắt đầu.</string>
+    <string name="copy_report_for_claw">Sao chép báo cáo cho Claw</string>
+    <string name="advanced_controls">Điều khiển nâng cao</string>
+    <string name="connection_method">Phương thức kết nối</string>
+    <string name="setup_code">Mã thiết lập</string>
+    <string name="manual">Thủ công</string>
+    <string name="paste_setup_code">Dán mã thiết lập</string>
+    <string name="host">Máy chủ</string>
+    <string name="use_tls">Sử dụng TLS</string>
+    <string name="token_optional">Token (tùy chọn)</string>
+    <string name="password">Mật khẩu</string>
+    <string name="run_onboarding_again">Chạy hướng dẫn thiết lập lại</string>
+    <string name="resolved_endpoint">Điểm cuối đã phân giải</string>
+    <string name="gateway_setup">Thiết lập cổng</string>
+    <string name="connect_to_gateway">Kết nối với Gateway của bạn</string>
+    <string name="scan_setup_code">Quét mã thiết lập</string>
+    <string name="use_gateway_qr">Sử dụng mã QR Gateway hoặc mã thiết lập của bạn</string>
+    <string name="nearby_gateway">Cổng gần đây</string>
+    <string name="enter_gateway_url">Nhập URL cổng</string>
+    <string name="connect_manual_url">Kết nối bằng URL thủ công</string>
+    <string name="permissions">Quyền</string>
+    <string name="done">Xong</string>
+</resources>

apps/android/app/src/main/res/values-zh-rCN/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">网关连接</string>
+    <string name="connect_gateway">连接网关</string>
+    <string name="disconnect">断开连接</string>
+    <string name="trust_this_gateway">信任此网关？</string>
+    <string name="trust_and_continue">信任并继续</string>
+    <string name="cancel">取消</string>
+    <string name="endpoint">端点</string>
+    <string name="status">状态</string>
+    <string name="connected_gateway_ready">你的网关已激活并准备就绪。</string>
+    <string name="connect_gateway_get_started">连接到你的网关以开始使用。</string>
+    <string name="copy_report_for_claw">复制 Claw 报告</string>
+    <string name="advanced_controls">高级控制</string>
+    <string name="connection_method">连接方式</string>
+    <string name="setup_code">设置代码</string>
+    <string name="manual">手动</string>
+    <string name="paste_setup_code">粘贴设置代码</string>
+    <string name="host">主机</string>
+    <string name="use_tls">使用 TLS</string>
+    <string name="token_optional">令牌（可选）</string>
+    <string name="password">密码</string>
+    <string name="run_onboarding_again">再次运行引导流程</string>
+    <string name="resolved_endpoint">已解析的端点</string>
+    <string name="gateway_setup">网关设置</string>
+    <string name="connect_to_gateway">连接到你的网关</string>
+    <string name="scan_setup_code">扫描设置代码</string>
+    <string name="use_gateway_qr">使用你的网关 QR 码或设置代码</string>
+    <string name="nearby_gateway">附近的网关</string>
+    <string name="enter_gateway_url">输入网关 URL</string>
+    <string name="connect_manual_url">使用手动 URL 连接</string>
+    <string name="permissions">权限</string>
+    <string name="done">完成</string>
+</resources>

apps/android/app/src/main/res/values-zh-rTW/strings.xml

@@ -0,0 +1,34 @@
+<resources>
+    <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">閘道連線</string>
+    <string name="connect_gateway">連接閘道</string>
+    <string name="disconnect">中斷連線</string>
+    <string name="trust_this_gateway">信任此閘道？</string>
+    <string name="trust_and_continue">信任並繼續</string>
+    <string name="cancel">取消</string>
+    <string name="endpoint">端點</string>
+    <string name="status">狀態</string>
+    <string name="connected_gateway_ready">您的閘道已啟用並準備就緒。</string>
+    <string name="connect_gateway_get_started">連接到您的閘道以開始使用。</string>
+    <string name="copy_report_for_claw">複製 Claw 報告</string>
+    <string name="advanced_controls">進階控制項</string>
+    <string name="connection_method">連線方式</string>
+    <string name="setup_code">設定碼</string>
+    <string name="manual">手動</string>
+    <string name="paste_setup_code">貼上設定碼</string>
+    <string name="host">主機</string>
+    <string name="use_tls">使用 TLS</string>
+    <string name="token_optional">權杖（選填）</string>
+    <string name="password">密碼</string>
+    <string name="run_onboarding_again">再次執行新手導覽</string>
+    <string name="resolved_endpoint">已解析的端點</string>
+    <string name="gateway_setup">閘道設定</string>
+    <string name="connect_to_gateway">連接到您的閘道</string>
+    <string name="scan_setup_code">掃描設定碼</string>
+    <string name="use_gateway_qr">使用您的 Gateway QR 或設定碼</string>
+    <string name="nearby_gateway">附近的閘道</string>
+    <string name="enter_gateway_url">輸入閘道 URL</string>
+    <string name="connect_manual_url">使用手動 URL 連接</string>
+    <string name="permissions">權限</string>
+    <string name="done">完成</string>
+</resources>

apps/android/app/src/main/res/values/strings.xml

@@ -1,3 +1,34 @@
 <resources>
     <string name="app_name">OpenClaw Node</string>
+    <string name="gateway_connection">Gateway Connection</string>
+    <string name="connect_gateway">Connect Gateway</string>
+    <string name="disconnect">Disconnect</string>
+    <string name="trust_this_gateway">Trust this gateway?</string>
+    <string name="trust_and_continue">Trust and continue</string>
+    <string name="cancel">Cancel</string>
+    <string name="endpoint">Endpoint</string>
+    <string name="status">Status</string>
+    <string name="connected_gateway_ready">Your gateway is active and ready.</string>
+    <string name="connect_gateway_get_started">Connect to your gateway to get started.</string>
+    <string name="copy_report_for_claw">Copy Report for Claw</string>
+    <string name="advanced_controls">Advanced controls</string>
+    <string name="connection_method">Connection method</string>
+    <string name="setup_code">Setup Code</string>
+    <string name="manual">Manual</string>
+    <string name="paste_setup_code">Paste setup code</string>
+    <string name="host">Host</string>
+    <string name="use_tls">Use TLS</string>
+    <string name="token_optional">Token (optional)</string>
+    <string name="password">Password</string>
+    <string name="run_onboarding_again">Run onboarding again</string>
+    <string name="resolved_endpoint">Resolved endpoint</string>
+    <string name="gateway_setup">Gateway Setup</string>
+    <string name="connect_to_gateway">Connect to your Gateway</string>
+    <string name="scan_setup_code">Scan setup code</string>
+    <string name="use_gateway_qr">Use your Gateway QR or setup code</string>
+    <string name="nearby_gateway">Nearby gateway</string>
+    <string name="enter_gateway_url">Enter gateway URL</string>
+    <string name="connect_manual_url">Connect using a manual URL</string>
+    <string name="permissions">Permissions</string>
+    <string name="done">Done</string>
 </resources>

docs/gateway/configuration-reference.md

@@ -316,11 +316,6 @@ conversation bindings, or any non-Codex harness.
   plugin/app support for the Codex harness. Default: `false`.
 - `plugins.entries.codex.config.codexPlugins.allow_destructive_actions`:
   default destructive-action policy for migrated plugin app elicitations.
-  Use `true` to accept safe Codex approval schemas without prompting, `false`
-  to decline them, `"auto"` to route Codex-required approvals through OpenClaw
-  plugin approvals, or `"always"` to ask for every plugin write/destructive
-  action without durable approval. The `"always"` mode clears durable Codex
-  per-tool approval overrides for the affected app before starting the thread.
   Default: `true`.
 - `plugins.entries.codex.config.codexPlugins.plugins.<key>.enabled`: enables a
   migrated plugin entry when global `codexPlugins.enabled` is also true.
@@ -331,8 +326,7 @@ conversation bindings, or any non-Codex harness.
   Codex plugin identity from migration, for example `"google-calendar"`.
 - `plugins.entries.codex.config.codexPlugins.plugins.<key>.allow_destructive_actions`:
   per-plugin destructive-action override. When omitted, the global
-  `allow_destructive_actions` value is used. The per-plugin value accepts the
-  same `true`, `false`, `"auto"`, or `"always"` policies.
+  `allow_destructive_actions` value is used.
 
 `codexPlugins.enabled` is the global enablement directive. Explicit plugin
 entries written by migration are the durable install and repair eligibility set.

docs/plugins/codex-native-plugins.md

@@ -200,11 +200,11 @@ enabled.
 
 OpenClaw sets app-level `destructive_enabled` from the effective global or
 per-plugin `allow_destructive_actions` policy and lets Codex enforce
-destructive tool metadata from its native app tool annotations. `true`,
-`"auto"`, and `"always"` set `destructive_enabled: true`; `false` sets it
-false. The `_default` app config is disabled with `open_world_enabled: false`.
-Enabled plugin apps are emitted with `open_world_enabled: true`; OpenClaw does
-not expose a separate plugin open-world policy knob and does not maintain
+destructive tool metadata from its native app tool annotations. `true` and
+`"auto"` both set `destructive_enabled: true`; `false` sets it false. The
+`_default` app config is disabled with `open_world_enabled: false`. Enabled
+plugin apps are emitted with `open_world_enabled: true`; OpenClaw does not
+expose a separate plugin open-world policy knob and does not maintain
 per-plugin destructive tool-name deny lists.
 
 Tool approval mode is automatic by default for plugin apps so non-destructive
@@ -225,10 +225,6 @@ plugins, while unsafe schemas and ambiguous ownership still fail closed:
 - When policy is `"auto"`, OpenClaw exposes destructive plugin actions to
   Codex but turns ownership-proven MCP approval elicitations into OpenClaw
   plugin approvals before returning the Codex approval response.
-- When policy is `"always"`, OpenClaw uses the same Codex write/destructive
-  gating as `"auto"`, clears durable Codex per-tool approval overrides for the
-  app before the thread starts, and only offers one-shot approval or denial so
-  durable approvals cannot suppress later write-action prompts.
 - Missing plugin identity, ambiguous ownership, a missing turn id, a wrong turn
   id, or an unsafe elicitation schema declines instead of prompting.
 
@@ -276,9 +272,8 @@ Codex thread bindings keep the app config they started with until OpenClaw
 establishes a new harness session or replaces a stale binding.
 
 **Destructive action is declined:** check the global and per-plugin
-`allow_destructive_actions` values. Even when policy is true, `"auto"`, or
-`"always"`, unsafe elicitation schemas and ambiguous plugin identity still fail
-closed.
+`allow_destructive_actions` values. Even when policy is true or `"auto"`,
+unsafe elicitation schemas and ambiguous plugin identity still fail closed.
 
 ## Related
 

docs/plugins/voice-call.md

@@ -211,18 +211,6 @@ each carrier call should start with fresh context, for example reception,
 booking, IVR, or Google Meet bridge flows where the same phone number may
 represent different meetings.
 
-Voice Call stores generated session keys under the configured agent namespace
-(`agent:<agentId>:voice:*`) so call memory survives Gateway session-key
-canonicalization after restarts. Raw explicit integration keys use the same
-agent namespace. A canonical `agent:<configuredAgentId>:*` key keeps that owner,
-and its main aliases honor core `session.mainKey` and global scope. Foreign or
-malformed `agent:*` input is scoped as an opaque key under the configured agent;
-`global` and `unknown` remain global sentinels. Gateway startup promotes older
-raw keys in default or `{agentId}`-templated stores where the path proves one
-owner. In fixed custom stores, ambiguous legacy rows remain untouched because
-they do not contain enough information to choose an owner; new calls use
-canonical agent-scoped history.
-
 ## Realtime voice conversations
 
 `realtime` selects a full-duplex realtime voice provider for live call

extensions/acpx/src/runtime.test.ts

@@ -192,109 +192,6 @@ describe("AcpxRuntime fresh reset wrapper", () => {
     );
   });
 
-  it("adds the OpenClaw session key to the managed OpenClaw tools MCP bridge", () => {
-    const baseStore: TestSessionStore = {
-      load: vi.fn(async () => undefined),
-      save: vi.fn(async () => {}),
-    };
-    const { runtime } = makeRuntime(baseStore, {
-      openclawToolsMcpBridgeEnabled: true,
-      mcpServers: [
-        {
-          name: "openclaw-tools",
-          command: "node",
-          args: ["dist/mcp/openclaw-tools-serve.js"],
-          env: [],
-        },
-      ],
-    });
-
-    const readScopedMcpEnv = (sessionKey: string) => {
-      const delegate = (
-        runtime as unknown as {
-          resolveOpenClawToolsDelegateForSession(sessionKey: string): unknown;
-        }
-      ).resolveOpenClawToolsDelegateForSession(sessionKey) as {
-        options: {
-          mcpServers?: Array<{
-            env?: Array<{ name: string; value: string }>;
-            name: string;
-          }>;
-        };
-      };
-      return delegate.options.mcpServers?.find((server) => server.name === "openclaw-tools")?.env;
-    };
-
-    expect(readScopedMcpEnv("agent:worker:main")).toContainEqual({
-      name: "OPENCLAW_TOOLS_MCP_AGENT_SESSION_KEY",
-      value: "agent:worker:main",
-    });
-    expect(readScopedMcpEnv("agent:research:main")).toContainEqual({
-      name: "OPENCLAW_TOOLS_MCP_AGENT_SESSION_KEY",
-      value: "agent:research:main",
-    });
-  });
-
-  it("keeps managed OpenClaw tools MCP delegates reachable for fresh sessions", async () => {
-    const baseStore: TestSessionStore = {
-      load: vi.fn(async () => undefined),
-      save: vi.fn(async () => {}),
-    };
-    const { runtime } = makeRuntime(baseStore, {
-      openclawToolsMcpBridgeEnabled: true,
-      mcpServers: [
-        {
-          name: "openclaw-tools",
-          command: "node",
-          args: ["dist/mcp/openclaw-tools-serve.js"],
-          env: [],
-        },
-      ],
-    });
-    const exposedRuntime = runtime as unknown as {
-      openclawToolsSessionDelegates: Map<string, unknown>;
-      resolveOpenClawToolsDelegateForSession(sessionKey: string): unknown;
-    };
-
-    const firstDelegate =
-      exposedRuntime.resolveOpenClawToolsDelegateForSession("agent:worker:main");
-    expect(exposedRuntime.openclawToolsSessionDelegates.has("agent:worker:main")).toBe(true);
-
-    await runtime.prepareFreshSession({ sessionKey: "agent:worker:main" });
-
-    expect(exposedRuntime.openclawToolsSessionDelegates.has("agent:worker:main")).toBe(true);
-    expect(exposedRuntime.resolveOpenClawToolsDelegateForSession("agent:worker:main")).toBe(
-      firstDelegate,
-    );
-  });
-
-  it("uses the no-MCP delegate for startup probes when the OpenClaw tools bridge is enabled", async () => {
-    const baseStore: TestSessionStore = {
-      load: vi.fn(async () => undefined),
-      save: vi.fn(async () => {}),
-    };
-    const { runtime, delegate, bridgeSafeDelegate } = makeRuntime(baseStore, {
-      openclawToolsMcpBridgeEnabled: true,
-      mcpServers: [
-        {
-          name: "openclaw-tools",
-          command: "node",
-          args: ["dist/mcp/openclaw-tools-serve.js"],
-          env: [],
-        },
-      ],
-    });
-    const defaultProbe = vi.spyOn(delegate, "probeAvailability").mockResolvedValue(undefined);
-    const safeProbe = vi
-      .spyOn(bridgeSafeDelegate, "probeAvailability")
-      .mockResolvedValue(undefined);
-
-    await runtime.probeAvailability();
-
-    expect(safeProbe).toHaveBeenCalledTimes(1);
-    expect(defaultProbe).not.toHaveBeenCalled();
-  });
-
   it("normalizes OpenClaw Codex model ids for ACP startup", async () => {
     const baseStore: TestSessionStore = {
       load: vi.fn(async () => undefined),
@@ -1266,46 +1163,6 @@ describe("AcpxRuntime fresh reset wrapper", () => {
     expect(baseStore["load"]).toHaveBeenCalledOnce();
   });
 
-  it("releases managed OpenClaw tools MCP delegates after close", async () => {
-    const baseStore: TestSessionStore = {
-      load: vi.fn(async () => undefined),
-      save: vi.fn(async () => {}),
-    };
-
-    const { runtime } = makeRuntime(baseStore, {
-      openclawToolsMcpBridgeEnabled: true,
-      mcpServers: [
-        {
-          name: "openclaw-tools",
-          command: "node",
-          args: ["dist/mcp/openclaw-tools-serve.js"],
-          env: [],
-        },
-      ],
-    });
-    const exposedRuntime = runtime as unknown as {
-      openclawToolsSessionDelegates: Map<string, { close: AcpRuntime["close"] }>;
-      resolveOpenClawToolsDelegateForSession(sessionKey: string): {
-        close: AcpRuntime["close"];
-      };
-    };
-    const scopedDelegate =
-      exposedRuntime.resolveOpenClawToolsDelegateForSession("agent:codex:main");
-    const close = vi.spyOn(scopedDelegate, "close").mockResolvedValue(undefined);
-
-    await runtime.close({
-      handle: {
-        sessionKey: "agent:codex:main",
-        backend: "acpx",
-        runtimeSessionName: "agent:codex:main",
-      },
-      reason: "closed",
-    });
-
-    expect(close).toHaveBeenCalledOnce();
-    expect(exposedRuntime.openclawToolsSessionDelegates.has("agent:codex:main")).toBe(false);
-  });
-
   it("cleans up OpenClaw-owned ACPX process trees after close", async () => {
     const baseStore: TestSessionStore = {
       load: vi.fn(async () => ({

extensions/acpx/src/runtime.ts

@@ -50,7 +50,6 @@ type OpenClawAcpxRuntimeOptions = AcpRuntimeOptions & {
   openclawWrapperRoot?: string;
   openclawGatewayInstanceId?: string;
   openclawProcessLeaseStore?: AcpxProcessLeaseStore;
-  openclawToolsMcpBridgeEnabled?: boolean;
 };
 type AcpxRuntimeTestOptions = Record<string, unknown> & {
   openclawProcessCleanup?: AcpxProcessCleanupDeps;
@@ -58,10 +57,6 @@ type AcpxRuntimeTestOptions = Record<string, unknown> & {
 type OpenClawRuntimeTurnInput = Parameters<NonNullable<AcpRuntime["startTurn"]>>[0];
 type OpenClawRuntimeEnsureInput = Parameters<AcpRuntime["ensureSession"]>[0];
 type AcpxDelegateEnsureInput = Parameters<BaseAcpxRuntime["ensureSession"]>[0];
-type AcpxMcpServer = NonNullable<AcpRuntimeOptions["mcpServers"]>[number];
-
-const ACPX_OPENCLAW_TOOLS_MCP_SERVER_NAME = "openclaw-tools";
-const OPENCLAW_TOOLS_MCP_AGENT_SESSION_KEY_ENV = "OPENCLAW_TOOLS_MCP_AGENT_SESSION_KEY";
 
 type ResetAwareSessionStore = AcpSessionStore & {
   markFresh: (sessionKey: string) => void;
@@ -687,33 +682,6 @@ function shouldUseDistinctBridgeDelegate(options: AcpRuntimeOptions): boolean {
   return Array.isArray(mcpServers) && mcpServers.length > 0;
 }
 
-function withOpenClawToolsMcpSessionEnv(params: {
-  enabled: boolean | undefined;
-  mcpServers: AcpRuntimeOptions["mcpServers"];
-  sessionKey: string;
-}): AcpRuntimeOptions["mcpServers"] {
-  const sessionKey = params.sessionKey.trim();
-  if (!params.enabled || !sessionKey || !params.mcpServers?.length) {
-    return params.mcpServers;
-  }
-  let changed = false;
-  const nextServers = params.mcpServers.map((server): AcpxMcpServer => {
-    if (server.name !== ACPX_OPENCLAW_TOOLS_MCP_SERVER_NAME || !("command" in server)) {
-      return server;
-    }
-    changed = true;
-    const env = [
-      ...server.env.filter((entry) => entry.name !== OPENCLAW_TOOLS_MCP_AGENT_SESSION_KEY_ENV),
-      {
-        name: OPENCLAW_TOOLS_MCP_AGENT_SESSION_KEY_ENV,
-        value: sessionKey,
-      },
-    ];
-    return { ...server, env };
-  });
-  return changed ? nextServers : params.mcpServers;
-}
-
 /** OpenClaw-managed ACP runtime implementation backed by the upstream acpx runtime. */
 export class AcpxRuntime implements AcpRuntime {
   private readonly sessionStore: ResetAwareSessionStore;
@@ -725,10 +693,6 @@ export class AcpxRuntime implements AcpRuntime {
   private readonly delegate: BaseAcpxRuntime;
   private readonly bridgeSafeDelegate: BaseAcpxRuntime;
   private readonly probeDelegate: BaseAcpxRuntime;
-  private readonly delegateOptions: AcpRuntimeOptions;
-  private readonly delegateTestOptions: BaseAcpxRuntimeTestOptions;
-  private readonly openclawToolsMcpBridgeEnabled: boolean;
-  private readonly openclawToolsSessionDelegates = new Map<string, BaseAcpxRuntime>();
   private readonly processCleanupDeps: AcpxProcessCleanupDeps | undefined;
   private readonly wrapperRoot: string | undefined;
   private readonly gatewayInstanceId: string | undefined;
@@ -742,7 +706,6 @@ export class AcpxRuntime implements AcpRuntime {
     this.wrapperRoot = options.openclawWrapperRoot;
     this.gatewayInstanceId = options.openclawGatewayInstanceId;
     this.processLeaseStore = options.openclawProcessLeaseStore;
-    this.openclawToolsMcpBridgeEnabled = options.openclawToolsMcpBridgeEnabled === true;
     this.cwd = options.cwd;
     this.sessionStore = createResetAwareSessionStore(options.sessionStore, {
       gatewayInstanceId: this.gatewayInstanceId,
@@ -760,21 +723,20 @@ export class AcpxRuntime implements AcpRuntime {
       sessionStore: this.sessionStore,
       agentRegistry: this.scopedAgentRegistry,
     };
-    this.delegateOptions = sharedOptions;
-    this.delegateTestOptions = delegateTestOptions as BaseAcpxRuntimeTestOptions;
-    this.delegate = new BaseAcpxRuntime(sharedOptions, this.delegateTestOptions);
+    this.delegate = new BaseAcpxRuntime(
+      sharedOptions,
+      delegateTestOptions as BaseAcpxRuntimeTestOptions,
+    );
     this.bridgeSafeDelegate = shouldUseDistinctBridgeDelegate(options)
       ? new BaseAcpxRuntime(
           {
             ...sharedOptions,
             mcpServers: [],
           },
-          this.delegateTestOptions,
+          delegateTestOptions as BaseAcpxRuntimeTestOptions,
         )
       : this.delegate;
-    this.probeDelegate = this.openclawToolsMcpBridgeEnabled
-      ? this.bridgeSafeDelegate
-      : this.resolveDelegateForAgent(resolveProbeAgentName(options));
+    this.probeDelegate = this.resolveDelegateForAgent(resolveProbeAgentName(options));
   }
 
   private resolveDelegateForAgent(agentName: string | undefined): BaseAcpxRuntime {
@@ -789,57 +751,6 @@ export class AcpxRuntime implements AcpRuntime {
     return shouldUseBridgeSafeDelegateForCommand(command) ? this.bridgeSafeDelegate : this.delegate;
   }
 
-  private resolveDelegateForSession(params: {
-    command: string | undefined;
-    sessionKey: string;
-  }): BaseAcpxRuntime {
-    if (shouldUseBridgeSafeDelegateForCommand(params.command)) {
-      return this.bridgeSafeDelegate;
-    }
-    return this.resolveOpenClawToolsDelegateForSession(params.sessionKey);
-  }
-
-  private resolveOpenClawToolsDelegateForSession(sessionKey: string): BaseAcpxRuntime {
-    if (!this.openclawToolsMcpBridgeEnabled) {
-      return this.delegate;
-    }
-    const normalizedSessionKey = sessionKey.trim();
-    if (!normalizedSessionKey) {
-      return this.delegate;
-    }
-    const cached = this.openclawToolsSessionDelegates.get(normalizedSessionKey);
-    if (cached) {
-      return cached;
-    }
-    // Upstream acpx captures mcpServers at runtime construction. The managed
-    // OpenClaw tools bridge needs per-session identity, so cache one delegate
-    // per session with the scoped MCP env already embedded.
-    const delegate = new BaseAcpxRuntime(
-      {
-        ...this.delegateOptions,
-        mcpServers: withOpenClawToolsMcpSessionEnv({
-          enabled: this.openclawToolsMcpBridgeEnabled,
-          mcpServers: this.delegateOptions.mcpServers,
-          sessionKey: normalizedSessionKey,
-        }),
-      },
-      this.delegateTestOptions,
-    );
-    this.openclawToolsSessionDelegates.set(normalizedSessionKey, delegate);
-    return delegate;
-  }
-
-  private releaseOpenClawToolsDelegateForSession(sessionKey: string): void {
-    if (!this.openclawToolsMcpBridgeEnabled) {
-      return;
-    }
-    const normalizedSessionKey = sessionKey.trim();
-    if (!normalizedSessionKey) {
-      return;
-    }
-    this.openclawToolsSessionDelegates.delete(normalizedSessionKey);
-  }
-
   private async resolveDelegateForHandle(handle: AcpRuntimeHandle): Promise<BaseAcpxRuntime> {
     const record = await this.sessionStore.load(handle.acpxRecordId ?? handle.sessionKey);
     return this.resolveDelegateForLoadedRecord(handle, record);
@@ -851,17 +762,9 @@ export class AcpxRuntime implements AcpRuntime {
   ): BaseAcpxRuntime {
     const recordCommand = readAgentCommandFromRecord(record);
     if (recordCommand) {
-      return this.resolveDelegateForSession({
-        command: recordCommand,
-        sessionKey: handle.sessionKey,
-      });
+      return this.resolveDelegateForCommand(recordCommand);
     }
-    const agentName = readAgentFromHandle(handle);
-    const command = resolveAgentCommandForName({
-      agentName,
-      agentRegistry: this.agentRegistry,
-    });
-    return this.resolveDelegateForSession({ command, sessionKey: handle.sessionKey });
+    return this.resolveDelegateForAgent(readAgentFromHandle(handle));
   }
 
   private async resolveCommandForHandle(handle: AcpRuntimeHandle): Promise<string | undefined> {
@@ -1077,7 +980,7 @@ export class AcpxRuntime implements AcpRuntime {
       agentName: input.agent,
       agentRegistry: this.agentRegistry,
     });
-    const delegate = this.resolveDelegateForSession({ command, sessionKey: input.sessionKey });
+    const delegate = this.resolveDelegateForCommand(command);
     const claudeModelOverride = isClaudeAcpCommand(command)
       ? normalizeClaudeAcpModelOverride(input.model)
       : undefined;
@@ -1361,9 +1264,6 @@ export class AcpxRuntime implements AcpRuntime {
   }
 
   async prepareFreshSession(input: { sessionKey: string }): Promise<void> {
-    // Fresh reset has no ACP handle to close the delegate's upstream client.
-    // Keep the scoped delegate reachable so the next ensure can replace it;
-    // close() owns cache release when the session lifecycle ends.
     this.sessionStore.markFresh(input.sessionKey);
   }
 
@@ -1372,9 +1272,8 @@ export class AcpxRuntime implements AcpRuntime {
       input.handle.acpxRecordId ?? input.handle.sessionKey,
     );
     let closeSucceeded;
-    const delegate = this.resolveDelegateForLoadedRecord(input.handle, record);
     try {
-      await delegate.close({
+      await this.resolveDelegateForLoadedRecord(input.handle, record).close({
         handle: input.handle,
         reason: input.reason,
         discardPersistentState: input.discardPersistentState,
@@ -1383,9 +1282,6 @@ export class AcpxRuntime implements AcpRuntime {
     } finally {
       await this.cleanupProcessTreeForRecord(input.handle, record);
     }
-    if (closeSucceeded) {
-      this.releaseOpenClawToolsDelegateForSession(input.handle.sessionKey);
-    }
     if (closeSucceeded && input.discardPersistentState) {
       this.sessionStore.markFresh(input.handle.sessionKey);
     }

extensions/acpx/src/service.ts

@@ -111,7 +111,6 @@ function createLazyDefaultRuntime(params: AcpxRuntimeFactoryParams): AcpxRuntime
         }),
         probeAgent: params.pluginConfig.probeAgent,
         mcpServers: toAcpMcpServers(params.pluginConfig.mcpServers),
-        openclawToolsMcpBridgeEnabled: params.pluginConfig.openClawToolsMcpBridge,
         permissionMode: params.pluginConfig.permissionMode,
         nonInteractivePermissions: params.pluginConfig.nonInteractivePermissions,
         timeoutMs: resolveAcpxTimerTimeoutMs(params.pluginConfig.timeoutSeconds),

extensions/codex/doctor-contract-api.test.ts

@@ -36,14 +36,6 @@ describe("codex doctor contract", () => {
         },
       }),
     ).toBe(false);
-    expect(
-      legacyConfigRules[1]?.match({
-        allow_destructive_actions: "always",
-        plugins: {
-          "google-calendar": { allow_destructive_actions: "always" },
-        },
-      }),
-    ).toBe(false);
   });
 
   it("removes the retired dynamic tools profile without dropping other Codex config", () => {

extensions/codex/openclaw.plugin.json

@@ -101,7 +101,7 @@
             "default": false
           },
           "allow_destructive_actions": {
-            "oneOf": [{ "type": "boolean" }, { "const": "auto" }, { "const": "always" }],
+            "oneOf": [{ "type": "boolean" }, { "const": "auto" }],
             "default": true
           },
           "plugins": {
@@ -121,7 +121,7 @@
                   "type": "string"
                 },
                 "allow_destructive_actions": {
-                  "oneOf": [{ "type": "boolean" }, { "const": "auto" }, { "const": "always" }]
+                  "oneOf": [{ "type": "boolean" }, { "const": "auto" }]
                 }
               }
             }
@@ -343,7 +343,7 @@
     },
     "codexPlugins.allow_destructive_actions": {
       "label": "Allow Destructive Plugin Actions",
-      "help": "Default policy for plugin app write or destructive action elicitations. Use true to accept safe schemas without prompting, false to decline, auto to ask through plugin approvals when Codex requires approval, or always to ask for every write/destructive action without durable approval.",
+      "help": "Default policy for plugin app write or destructive action elicitations. Use true to accept safe schemas without prompting, false to decline, or auto to ask through plugin approvals.",
       "advanced": true
     },
     "codexPlugins.plugins": {

extensions/codex/src/app-server/attempt-startup.ts

@@ -346,7 +346,6 @@ export async function startCodexAttemptThread(params: {
                               timeoutMs: params.appServer.requestTimeoutMs,
                               signal,
                             }),
-                          configCwd: startupExecutionCwd,
                           appCache: defaultCodexAppInventoryCache,
                           appCacheKey: pluginAppCacheKey,
                         }),

extensions/codex/src/app-server/config.test.ts

@@ -1192,52 +1192,6 @@ allowed_sandbox_modes = ["read-only", "workspace-write"]
     });
   });
 
-  it("parses always native Codex plugin destructive policy", () => {
-    const config = readCodexPluginConfig({
-      codexPlugins: {
-        enabled: true,
-        allow_destructive_actions: "always",
-        plugins: {
-          "google-calendar": {
-            marketplaceName: "openai-curated",
-            pluginName: "google-calendar",
-          },
-          slack: {
-            marketplaceName: "openai-curated",
-            pluginName: "slack",
-            allow_destructive_actions: "auto",
-          },
-        },
-      },
-    });
-
-    expect(config.codexPlugins?.allow_destructive_actions).toBe("always");
-    expect(resolveCodexPluginsPolicy(config)).toEqual({
-      configured: true,
-      enabled: true,
-      allowDestructiveActions: true,
-      destructiveApprovalMode: "always",
-      pluginPolicies: [
-        {
-          configKey: "google-calendar",
-          marketplaceName: "openai-curated",
-          pluginName: "google-calendar",
-          enabled: true,
-          allowDestructiveActions: true,
-          destructiveApprovalMode: "always",
-        },
-        {
-          configKey: "slack",
-          marketplaceName: "openai-curated",
-          pluginName: "slack",
-          enabled: true,
-          allowDestructiveActions: true,
-          destructiveApprovalMode: "auto",
-        },
-      ],
-    });
-  });
-
   it("rejects unsupported native Codex plugin destructive policy strings", () => {
     const config = readCodexPluginConfig({
       codexPlugins: {

extensions/codex/src/app-server/config.ts

@@ -74,8 +74,8 @@ export type CodexAppServerSandboxMode = "read-only" | "workspace-write" | "dange
 type CodexAppServerApprovalsReviewer = "user" | "auto_review" | "guardian_subagent";
 type CodexAppServerCommandSource = "managed" | "resolved-managed" | "config" | "env";
 export type CodexDynamicToolsLoading = "searchable" | "direct";
-export type CodexPluginDestructivePolicy = boolean | "auto" | "always";
-export type CodexPluginDestructiveApprovalMode = "allow" | "deny" | "auto" | "always";
+export type CodexPluginDestructivePolicy = boolean | "auto";
+export type CodexPluginDestructiveApprovalMode = "allow" | "deny" | "auto";
 
 export const CODEX_PLUGINS_MARKETPLACE_NAME = "openai-curated";
 
@@ -311,11 +311,7 @@ const codexAppServerApprovalPolicySchema = z.enum([
 const codexAppServerSandboxSchema = z.enum(["read-only", "workspace-write", "danger-full-access"]);
 const codexAppServerApprovalsReviewerSchema = z.enum(["user", "auto_review", "guardian_subagent"]);
 const codexDynamicToolsLoadingSchema = z.enum(["searchable", "direct"]);
-const codexPluginDestructivePolicySchema = z.union([
-  z.boolean(),
-  z.literal("auto"),
-  z.literal("always"),
-]);
+const codexPluginDestructivePolicySchema = z.union([z.boolean(), z.literal("auto")]);
 const codexAppServerServiceTierSchema = z
   .preprocess(
     (value) => (value === null ? null : normalizeCodexServiceTier(value)),
@@ -499,8 +495,8 @@ function resolveCodexPluginDestructivePolicy(policy: CodexPluginDestructivePolic
   allowDestructiveActions: boolean;
   destructiveApprovalMode: CodexPluginDestructiveApprovalMode;
 } {
-  if (policy === "auto" || policy === "always") {
-    return { allowDestructiveActions: true, destructiveApprovalMode: policy };
+  if (policy === "auto") {
+    return { allowDestructiveActions: true, destructiveApprovalMode: "auto" };
   }
   return {
     allowDestructiveActions: policy,

extensions/codex/src/app-server/elicitation-bridge.test.ts

@@ -157,7 +157,7 @@ function buildConnectorPluginApprovalElicitation(overrides: Record<string, unkno
 function createPluginAppPolicyContext(
   params: {
     allowDestructiveActions?: boolean;
-    destructiveApprovalMode?: "allow" | "deny" | "auto" | "always";
+    destructiveApprovalMode?: "allow" | "deny" | "auto";
     apps?: Array<{ appId: string; pluginName: string; mcpServerNames: string[] }>;
   } = {},
 ) {
@@ -1017,96 +1017,6 @@ describe("Codex app-server elicitation bridge", () => {
     });
   });
 
-  it("does not expose allow-always for always plugin policy", async () => {
-    mockCallGatewayTool
-      .mockResolvedValueOnce({ id: "plugin:approval-calendar-always-policy", status: "accepted" })
-      .mockResolvedValueOnce({
-        id: "plugin:approval-calendar-always-policy",
-        decision: "allow-once",
-      });
-
-    const result = await handleCodexAppServerElicitationRequest({
-      requestParams: buildConnectorPluginApprovalElicitation({
-        _meta: {
-          codex_approval_kind: "mcp_tool_call",
-          source: "connector",
-          connector_id: "connector_google_calendar",
-          connector_name: "Google Calendar",
-          persist: ["session", "always"],
-          tool_title: "create_event",
-        },
-      }),
-      paramsForRun: createParams(),
-      threadId: "thread-1",
-      turnId: "turn-1",
-      pluginAppPolicyContext: createPluginAppPolicyContext({
-        allowDestructiveActions: true,
-        destructiveApprovalMode: "always",
-        apps: [
-          {
-            appId: "connector_google_calendar",
-            pluginName: "google-calendar",
-            mcpServerNames: [],
-          },
-        ],
-      }),
-    });
-
-    expect(result).toEqual({
-      action: "accept",
-      content: null,
-      _meta: null,
-    });
-    expect(gatewayToolArg(0, 2)).toMatchObject({
-      allowedDecisions: ["allow-once", "deny"],
-    });
-  });
-
-  it("maps unexpected allow-always decisions to one-shot for always plugin policy", async () => {
-    mockCallGatewayTool
-      .mockResolvedValueOnce({
-        id: "plugin:approval-calendar-unexpected-always",
-        status: "accepted",
-      })
-      .mockResolvedValueOnce({
-        id: "plugin:approval-calendar-unexpected-always",
-        decision: "allow-always",
-      });
-
-    const result = await handleCodexAppServerElicitationRequest({
-      requestParams: buildConnectorPluginApprovalElicitation({
-        _meta: {
-          codex_approval_kind: "mcp_tool_call",
-          source: "connector",
-          connector_id: "connector_google_calendar",
-          connector_name: "Google Calendar",
-          persist: ["session", "always"],
-          tool_title: "create_event",
-        },
-      }),
-      paramsForRun: createParams(),
-      threadId: "thread-1",
-      turnId: "turn-1",
-      pluginAppPolicyContext: createPluginAppPolicyContext({
-        allowDestructiveActions: true,
-        destructiveApprovalMode: "always",
-        apps: [
-          {
-            appId: "connector_google_calendar",
-            pluginName: "google-calendar",
-            mcpServerNames: [],
-          },
-        ],
-      }),
-    });
-
-    expect(result).toEqual({
-      action: "accept",
-      content: null,
-      _meta: null,
-    });
-  });
-
   it("declines denied auto plugin app approvals", async () => {
     mockCallGatewayTool
       .mockResolvedValueOnce({ id: "plugin:approval-calendar-deny", status: "accepted" })

extensions/codex/src/app-server/elicitation-bridge.ts

@@ -318,13 +318,10 @@ async function buildPluginPolicyElicitationResponse(params: {
       paramsForRun: params.paramsForRun,
       title: approvalPrompt.title,
       description: approvalPrompt.description,
-      allowedDecisions: allowedPluginPolicyApprovalDecisions(mode, approvalPrompt),
+      allowedDecisions: approvalPrompt.allowedDecisions,
       signal: params.signal,
     });
-    return buildElicitationResponse(
-      approvalPrompt,
-      oneShotPluginPolicyApprovalOutcome(mode, outcome),
-    );
+    return buildElicitationResponse(approvalPrompt, outcome);
   }
   logPluginElicitationDecline("unmappable_schema", params.requestParams);
   return declineElicitationResponse();
@@ -332,28 +329,10 @@ async function buildPluginPolicyElicitationResponse(params: {
 
 function resolvePluginDestructiveApprovalMode(
   entry: PluginAppPolicyContextEntry,
-): "allow" | "deny" | "auto" | "always" {
+): "allow" | "deny" | "auto" {
   return entry.destructiveApprovalMode ?? (entry.allowDestructiveActions ? "allow" : "deny");
 }
 
-function allowedPluginPolicyApprovalDecisions(
-  mode: "allow" | "deny" | "auto" | "always",
-  approvalPrompt: BridgeableApprovalElicitation,
-): ExecApprovalDecision[] {
-  const allowedDecisions = approvalPrompt.allowedDecisions ?? ["allow-once", "deny"];
-  if (mode !== "always") {
-    return allowedDecisions;
-  }
-  return allowedDecisions.filter((decision) => decision !== "allow-always");
-}
-
-function oneShotPluginPolicyApprovalOutcome(
-  mode: "allow" | "deny" | "auto" | "always",
-  outcome: AppServerApprovalOutcome,
-): AppServerApprovalOutcome {
-  return mode === "always" && outcome === "approved-session" ? "approved-once" : outcome;
-}
-
 function readPluginApprovalElicitation(
   entry: PluginAppPolicyContextEntry,
   requestParams: JsonObject,

extensions/codex/src/app-server/plugin-thread-config.test.ts

@@ -170,379 +170,6 @@ describe("Codex plugin thread config", () => {
     });
   });
 
-  it("exposes destructive app access while clearing only durable approval overrides for always mode", async () => {
-    const appCache = new CodexAppInventoryCache();
-    await appCache.refreshNow({
-      key: "runtime",
-      nowMs: 0,
-      request: async () => ({
-        data: [appInfo("google-calendar-app", true)],
-        nextCursor: null,
-      }),
-    });
-    let configReadCount = 0;
-    const request = vi.fn(async (method: string) => {
-      if (method === "plugin/list") {
-        return pluginList([pluginSummary("google-calendar", { installed: true, enabled: true })]);
-      }
-      if (method === "plugin/read") {
-        return pluginDetail(
-          "google-calendar",
-          [appSummary("google-calendar-app")],
-          ["google-calendar"],
-        );
-      }
-      if (method === "config/read") {
-        configReadCount += 1;
-        if (configReadCount > 1) {
-          return {
-            config: {
-              apps: {
-                "google-calendar-app": {
-                  tools: {
-                    "calendar/read": {
-                      enabled: false,
-                    },
-                  },
-                },
-              },
-            },
-          };
-        }
-        return {
-          config: {
-            apps: {
-              "google-calendar-app": {
-                tools: {
-                  "calendar/create": {
-                    approval_mode: "approve",
-                    enabled: false,
-                  },
-                  "calendar/read": {
-                    enabled: false,
-                  },
-                  "calendar/update": {
-                    approvalMode: "approve",
-                  },
-                },
-              },
-            },
-          },
-        };
-      }
-      if (method === "config/value/write") {
-        return {};
-      }
-      throw new Error(`unexpected request ${method}`);
-    });
-
-    const config = await buildCodexPluginThreadConfig({
-      pluginConfig: {
-        codexPlugins: {
-          enabled: true,
-          allow_destructive_actions: "always",
-          plugins: {
-            "google-calendar": {
-              marketplaceName: CODEX_PLUGINS_MARKETPLACE_NAME,
-              pluginName: "google-calendar",
-            },
-          },
-        },
-      },
-      appCache,
-      appCacheKey: "runtime",
-      nowMs: 1,
-      request,
-    });
-
-    const apps = config.configPatch?.apps as Record<string, unknown> | undefined;
-    expect(apps?.["google-calendar-app"]).toEqual({
-      enabled: true,
-      destructive_enabled: true,
-      open_world_enabled: true,
-      default_tools_approval_mode: "auto",
-    });
-    expect(config.policyContext.apps["google-calendar-app"]).toMatchObject({
-      allowDestructiveActions: true,
-      destructiveApprovalMode: "always",
-    });
-    expect(request).toHaveBeenCalledWith("config/read", { includeLayers: false });
-    expect(request.mock.calls.filter(([method]) => method === "config/read")).toHaveLength(2);
-    expect(request).toHaveBeenCalledWith("config/value/write", {
-      keyPath: 'apps."google-calendar-app".tools."calendar/create".approval_mode',
-      value: null,
-      mergeStrategy: "replace",
-    });
-    expect(request).toHaveBeenCalledWith("config/value/write", {
-      keyPath: 'apps."google-calendar-app".tools."calendar/update".approval_mode',
-      value: null,
-      mergeStrategy: "replace",
-    });
-    expect(request).not.toHaveBeenCalledWith("config/value/write", {
-      keyPath: 'apps."google-calendar-app".tools',
-      value: null,
-      mergeStrategy: "replace",
-    });
-  });
-
-  it("omits always policy apps when cwd effective approval overrides remain after cleanup", async () => {
-    const appCache = new CodexAppInventoryCache();
-    await appCache.refreshNow({
-      key: "runtime",
-      nowMs: 0,
-      request: async () => ({
-        data: [appInfo("google-calendar-app", true)],
-        nextCursor: null,
-      }),
-    });
-    let configReadCount = 0;
-    const request = vi.fn(async (method: string) => {
-      if (method === "plugin/list") {
-        return pluginList([pluginSummary("google-calendar", { installed: true, enabled: true })]);
-      }
-      if (method === "plugin/read") {
-        return pluginDetail(
-          "google-calendar",
-          [appSummary("google-calendar-app")],
-          ["google-calendar"],
-        );
-      }
-      if (method === "config/read") {
-        configReadCount += 1;
-        return {
-          config: {
-            apps: {
-              "google-calendar-app": {
-                tools: {
-                  "calendar/create": {
-                    approval_mode: "approve",
-                    source: configReadCount === 1 ? "user" : "project",
-                  },
-                },
-              },
-            },
-          },
-        };
-      }
-      if (method === "config/value/write") {
-        return { status: "ok" };
-      }
-      throw new Error(`unexpected request ${method}`);
-    });
-
-    const config = await buildCodexPluginThreadConfig({
-      pluginConfig: {
-        codexPlugins: {
-          enabled: true,
-          allow_destructive_actions: "always",
-          plugins: {
-            "google-calendar": {
-              marketplaceName: CODEX_PLUGINS_MARKETPLACE_NAME,
-              pluginName: "google-calendar",
-            },
-          },
-        },
-      },
-      appCache,
-      appCacheKey: "runtime",
-      configCwd: "/repo/project",
-      nowMs: 1,
-      request,
-    });
-
-    expect(config.configPatch).toEqual({
-      apps: {
-        _default: {
-          enabled: false,
-          destructive_enabled: false,
-          open_world_enabled: false,
-        },
-      },
-    });
-    expect(config.policyContext.apps).toStrictEqual({});
-    expect(request).toHaveBeenCalledWith("config/read", {
-      includeLayers: false,
-      cwd: "/repo/project",
-    });
-    expect(request.mock.calls.filter(([method]) => method === "config/read")).toHaveLength(2);
-    expect(config.diagnostics).toStrictEqual([
-      {
-        code: "approval_overrides_clear_failed",
-        plugin: {
-          configKey: "google-calendar",
-          marketplaceName: CODEX_PLUGINS_MARKETPLACE_NAME,
-          pluginName: "google-calendar",
-          enabled: true,
-          allowDestructiveActions: true,
-          destructiveApprovalMode: "always",
-        },
-        message:
-          "Could not clear durable Codex app approval overrides for google-calendar-app: effective approval overrides remain for calendar/create",
-      },
-    ]);
-  });
-
-  it("omits always policy apps when approval override writes are overridden", async () => {
-    const appCache = new CodexAppInventoryCache();
-    await appCache.refreshNow({
-      key: "runtime",
-      nowMs: 0,
-      request: async () => ({
-        data: [appInfo("google-calendar-app", true)],
-        nextCursor: null,
-      }),
-    });
-    const request = vi.fn(async (method: string) => {
-      if (method === "plugin/list") {
-        return pluginList([pluginSummary("google-calendar", { installed: true, enabled: true })]);
-      }
-      if (method === "plugin/read") {
-        return pluginDetail(
-          "google-calendar",
-          [appSummary("google-calendar-app")],
-          ["google-calendar"],
-        );
-      }
-      if (method === "config/read") {
-        return {
-          config: {
-            apps: {
-              "google-calendar-app": {
-                tools: {
-                  "calendar/create": {
-                    approval_mode: "approve",
-                  },
-                },
-              },
-            },
-          },
-        };
-      }
-      if (method === "config/value/write") {
-        return { status: "okOverridden" };
-      }
-      throw new Error(`unexpected request ${method}`);
-    });
-
-    const config = await buildCodexPluginThreadConfig({
-      pluginConfig: {
-        codexPlugins: {
-          enabled: true,
-          allow_destructive_actions: "always",
-          plugins: {
-            "google-calendar": {
-              marketplaceName: CODEX_PLUGINS_MARKETPLACE_NAME,
-              pluginName: "google-calendar",
-            },
-          },
-        },
-      },
-      appCache,
-      appCacheKey: "runtime",
-      configCwd: "/repo/project",
-      nowMs: 1,
-      request,
-    });
-
-    expect(config.configPatch).toEqual({
-      apps: {
-        _default: {
-          enabled: false,
-          destructive_enabled: false,
-          open_world_enabled: false,
-        },
-      },
-    });
-    expect(config.policyContext.apps).toStrictEqual({});
-    expect(config.diagnostics).toStrictEqual([
-      {
-        code: "approval_overrides_clear_failed",
-        plugin: {
-          configKey: "google-calendar",
-          marketplaceName: CODEX_PLUGINS_MARKETPLACE_NAME,
-          pluginName: "google-calendar",
-          enabled: true,
-          allowDestructiveActions: true,
-          destructiveApprovalMode: "always",
-        },
-        message:
-          "Could not clear durable Codex app approval overrides for google-calendar-app: approval override for calendar/create is controlled by another config layer",
-      },
-    ]);
-  });
-
-  it("omits always policy apps when durable approval override cleanup fails", async () => {
-    const appCache = new CodexAppInventoryCache();
-    await appCache.refreshNow({
-      key: "runtime",
-      nowMs: 0,
-      request: async () => ({
-        data: [appInfo("google-calendar-app", true)],
-        nextCursor: null,
-      }),
-    });
-
-    const config = await buildCodexPluginThreadConfig({
-      pluginConfig: {
-        codexPlugins: {
-          enabled: true,
-          allow_destructive_actions: "always",
-          plugins: {
-            "google-calendar": {
-              marketplaceName: CODEX_PLUGINS_MARKETPLACE_NAME,
-              pluginName: "google-calendar",
-            },
-          },
-        },
-      },
-      appCache,
-      appCacheKey: "runtime",
-      nowMs: 1,
-      request: async (method) => {
-        if (method === "plugin/list") {
-          return pluginList([pluginSummary("google-calendar", { installed: true, enabled: true })]);
-        }
-        if (method === "plugin/read") {
-          return pluginDetail(
-            "google-calendar",
-            [appSummary("google-calendar-app")],
-            ["google-calendar"],
-          );
-        }
-        if (method === "config/read") {
-          throw new Error("readonly config");
-        }
-        throw new Error(`unexpected request ${method}`);
-      },
-    });
-
-    expect(config.configPatch).toEqual({
-      apps: {
-        _default: {
-          enabled: false,
-          destructive_enabled: false,
-          open_world_enabled: false,
-        },
-      },
-    });
-    expect(config.policyContext.apps).toStrictEqual({});
-    expect(config.diagnostics).toStrictEqual([
-      {
-        code: "approval_overrides_clear_failed",
-        plugin: {
-          configKey: "google-calendar",
-          marketplaceName: CODEX_PLUGINS_MARKETPLACE_NAME,
-          pluginName: "google-calendar",
-          enabled: true,
-          allowDestructiveActions: true,
-          destructiveApprovalMode: "always",
-        },
-        message:
-          "Could not clear durable Codex app approval overrides for google-calendar-app: readonly config",
-      },
-    ]);
-  });
-
   it("builds a restrictive app config when native plugin support is disabled", async () => {
     expect(
       shouldBuildCodexPluginThreadConfig({

extensions/codex/src/app-server/plugin-thread-config.ts

@@ -29,7 +29,7 @@ import {
   type CodexPluginOwnedApp,
   type CodexPluginRuntimeRequest,
 } from "./plugin-inventory.js";
-import { isJsonObject, type JsonObject, type JsonValue } from "./protocol.js";
+import type { JsonObject, JsonValue } from "./protocol.js";
 
 /** Policy context for one app id exposed by a configured Codex plugin. */
 export type PluginAppPolicyContextEntry = {
@@ -52,7 +52,7 @@ export type PluginAppPolicyContext = {
 export type CodexPluginThreadConfigDiagnostic =
   | CodexPluginInventoryDiagnostic
   | {
-      code: "plugin_activation_failed" | "app_not_ready" | "approval_overrides_clear_failed";
+      code: "plugin_activation_failed" | "app_not_ready";
       plugin?: ResolvedCodexPluginPolicy;
       message: string;
     };
@@ -72,7 +72,6 @@ export type CodexPluginThreadConfig = {
 export type BuildCodexPluginThreadConfigParams = {
   pluginConfig?: unknown;
   request: CodexPluginRuntimeRequest;
-  configCwd?: string;
   appCache?: CodexAppInventoryCache;
   appCacheKey: string;
   nowMs?: number;
@@ -251,18 +250,6 @@ export async function buildCodexPluginThreadConfig(
         });
         continue;
       }
-      if (
-        record.policy.destructiveApprovalMode === "always" &&
-        !(await clearPersistedAppToolApprovalOverrides({
-          request: params.request,
-          configCwd: params.configCwd,
-          plugin: record.policy,
-          app,
-          diagnostics,
-        }))
-      ) {
-        continue;
-      }
       const appConfig: JsonObject = {
         enabled: true,
         destructive_enabled: record.policy.allowDestructiveActions,
@@ -380,86 +367,6 @@ function buildPluginAppPolicyContext(
   };
 }
 
-async function clearPersistedAppToolApprovalOverrides(params: {
-  request: CodexPluginRuntimeRequest;
-  configCwd?: string;
-  plugin: ResolvedCodexPluginPolicy;
-  app: CodexPluginOwnedApp;
-  diagnostics: CodexPluginThreadConfigDiagnostic[];
-}): Promise<boolean> {
-  try {
-    const overrideNames = await readPersistedAppToolApprovalOverrideNames(params);
-    for (const toolName of overrideNames) {
-      const response = await params.request("config/value/write", {
-        keyPath: `apps.${quoteConfigKeyPathSegment(params.app.id)}.tools.${quoteConfigKeyPathSegment(
-          toolName,
-        )}.approval_mode`,
-        value: null,
-        mergeStrategy: "replace",
-      });
-      if (isOverriddenConfigWriteResponse(response)) {
-        throw new Error(`approval override for ${toolName} is controlled by another config layer`);
-      }
-    }
-    const remainingOverrideNames = await readPersistedAppToolApprovalOverrideNames(params);
-    if (remainingOverrideNames.length > 0) {
-      throw new Error(
-        `effective approval overrides remain for ${remainingOverrideNames.join(", ")}`,
-      );
-    }
-    return true;
-  } catch (error) {
-    params.diagnostics.push({
-      code: "approval_overrides_clear_failed",
-      plugin: params.plugin,
-      message: `Could not clear durable Codex app approval overrides for ${params.app.id}: ${
-        error instanceof Error ? error.message : String(error)
-      }`,
-    });
-    return false;
-  }
-}
-
-async function readPersistedAppToolApprovalOverrideNames(params: {
-  request: CodexPluginRuntimeRequest;
-  configCwd?: string;
-  app: CodexPluginOwnedApp;
-}): Promise<string[]> {
-  const response = await params.request("config/read", {
-    includeLayers: false,
-    ...(params.configCwd ? { cwd: params.configCwd } : {}),
-  });
-  const config = isJsonObject(response) ? response.config : undefined;
-  const appsRoot = isJsonObject(config) ? config.apps : undefined;
-  const nestedApps = isJsonObject(appsRoot) ? appsRoot.apps : undefined;
-  const appConfig = isJsonObject(appsRoot)
-    ? (appsRoot[params.app.id] ??
-      (isJsonObject(nestedApps) ? nestedApps[params.app.id] : undefined))
-    : undefined;
-  const tools = isJsonObject(appConfig) ? appConfig.tools : undefined;
-  if (!isJsonObject(tools)) {
-    return [];
-  }
-  return Object.entries(tools)
-    .filter(([, value]) => hasPersistedToolApprovalOverride(value))
-    .map(([toolName]) => toolName)
-    .toSorted();
-}
-
-function hasPersistedToolApprovalOverride(value: JsonValue): boolean {
-  return (
-    isJsonObject(value) && (value.approval_mode !== undefined || value.approvalMode !== undefined)
-  );
-}
-
-function isOverriddenConfigWriteResponse(response: unknown): boolean {
-  return isJsonObject(response) && response.status === "okOverridden";
-}
-
-function quoteConfigKeyPathSegment(segment: string): string {
-  return `"${segment.replace(/["\\]/g, (char) => `\\${char}`)}"`;
-}
-
 function shouldWaitForInitialAppInventory(
   params: BuildCodexPluginThreadConfigParams,
   policy: ResolvedCodexPluginsPolicy,

extensions/codex/src/app-server/protocol.ts

@@ -575,8 +575,6 @@ type CodexAppServerRequestResultMap = {
   "account/read": CodexGetAccountResponse;
   "app/list": CodexAppsListResponse;
   "config/mcpServer/reload": JsonValue;
-  "config/read": JsonValue;
-  "config/value/write": JsonValue;
   "environment/add": JsonValue;
   "experimentalFeature/enablement/set": JsonValue;
   "feedback/upload": JsonValue;

extensions/codex/src/app-server/request.test.ts

@@ -112,44 +112,6 @@ describe("requestCodexAppServerJson sandbox guard", () => {
     expect(request).toHaveBeenCalledWith("thread/list", { limit: 10 }, { timeoutMs: 60_000 });
   });
 
-  it("allows config value writes in sandboxed sessions", async () => {
-    const request = vi.fn(async () => ({ ok: true }));
-    sharedClientMocks.getSharedCodexAppServerClient.mockResolvedValue({ request });
-    const params = {
-      keyPath: 'apps."google-calendar-app".tools',
-      value: null,
-      mergeStrategy: "replace",
-    };
-
-    await expect(
-      requestCodexAppServerJson({
-        method: "config/value/write",
-        requestParams: params,
-        config: { agents: { defaults: { sandbox: { mode: "all" } } } },
-        sessionKey: "sandboxed-session",
-      }),
-    ).resolves.toEqual({ ok: true });
-
-    expect(request).toHaveBeenCalledWith("config/value/write", params, { timeoutMs: 60_000 });
-  });
-
-  it("allows config reads in sandboxed sessions", async () => {
-    const request = vi.fn(async () => ({ config: { apps: { apps: {} } } }));
-    sharedClientMocks.getSharedCodexAppServerClient.mockResolvedValue({ request });
-    const params = { includeLayers: false };
-
-    await expect(
-      requestCodexAppServerJson({
-        method: "config/read",
-        requestParams: params,
-        config: { agents: { defaults: { sandbox: { mode: "all" } } } },
-        sessionKey: "sandboxed-session",
-      }),
-    ).resolves.toEqual({ config: { apps: { apps: {} } } });
-
-    expect(request).toHaveBeenCalledWith("config/read", params, { timeoutMs: 60_000 });
-  });
-
   it("allows sandbox-pinned thread starts in sandboxed sessions", async () => {
     const request = vi.fn(async () => ({ thread: { id: "thread-1" }, model: "gpt-5.5" }));
     sharedClientMocks.getSharedCodexAppServerClient.mockResolvedValue({ request });

extensions/codex/src/app-server/sandbox-guard.ts

@@ -19,8 +19,6 @@ const DIRECT_METHOD_POLICIES = new Map<string, DirectMethodPolicy>([
   ["account/read", "allowed-control-plane"],
   ["app/list", "allowed-control-plane"],
   ["config/mcpServer/reload", "allowed-control-plane"],
-  ["config/read", "allowed-control-plane"],
-  ["config/value/write", "allowed-control-plane"],
   ["environment/add", "allowed-control-plane"],
   ["experimentalFeature/enablement/set", "allowed-control-plane"],
   ["feedback/upload", "allowed-control-plane"],

extensions/codex/src/app-server/session-binding.test.ts

@@ -145,35 +145,6 @@ describe("codex app-server session binding", () => {
     expect(binding?.pluginAppPolicyContext).toEqual(pluginAppPolicyContext);
   });
 
-  it("round-trips always plugin app policy context destructive approval mode", async () => {
-    const sessionFile = path.join(tempDir, "session.json");
-    const pluginAppPolicyContext = {
-      fingerprint: "plugin-policy-always",
-      apps: {
-        "google-calendar-app": {
-          configKey: "google-calendar",
-          marketplaceName: "openai-curated" as const,
-          pluginName: "google-calendar",
-          allowDestructiveActions: true,
-          destructiveApprovalMode: "always" as const,
-          mcpServerNames: ["google-calendar"],
-        },
-      },
-      pluginAppIds: {
-        "google-calendar": ["google-calendar-app"],
-      },
-    };
-    await writeCodexAppServerBinding(sessionFile, {
-      threadId: "thread-123",
-      cwd: tempDir,
-      pluginAppPolicyContext,
-    });
-
-    const binding = await readCodexAppServerBinding(sessionFile);
-
-    expect(binding?.pluginAppPolicyContext).toEqual(pluginAppPolicyContext);
-  });
-
   it("normalizes v1 plugin app policy context destructive approval modes", async () => {
     const sessionFile = path.join(tempDir, "session.json");
     await fs.writeFile(

extensions/codex/src/app-server/session-binding.ts

@@ -421,9 +421,6 @@ function readDestructiveApprovalMode(
   if (value === "auto") {
     return bindingSchemaVersion === 1 ? "allow" : "auto";
   }
-  if (value === "always" && bindingSchemaVersion === 2) {
-    return "always";
-  }
   if (value === "on-request" && bindingSchemaVersion === 1) {
     return "auto";
   }

extensions/codex/src/app-server/trajectory.test.ts

@@ -5,7 +5,6 @@ import path from "node:path";
 import { afterEach, describe, expect, it } from "vitest";
 import {
   createCodexTrajectoryRecorder,
-  recordCodexTrajectoryCompletion,
   recordCodexTrajectoryContext,
   resolveCodexTrajectoryAppendFlags,
   resolveCodexTrajectoryPointerFlags,
@@ -81,9 +80,7 @@ describe("Codex trajectory recorder", () => {
     expect(content).not.toContain("secret");
     expect(content).not.toContain("sk-test-secret-token");
     expect(content).not.toContain("sk-other-secret-token");
-    if (process.platform !== "win32") {
-      expect(fs.statSync(filePath).mode & 0o777).toBe(0o600);
-    }
+    expect(fs.statSync(filePath).mode & 0o777).toBe(0o600);
     expect(fs.existsSync(path.join(tmpDir, "session.trajectory-path.json"))).toBe(true);
   });
 
@@ -256,235 +253,4 @@ describe("Codex trajectory recorder", () => {
     expect(parsed.data?.truncated).toBe(true);
     expect(parsed.data?.reason).toBe("trajectory-event-size-limit");
   });
-
-  it("preserves usage when truncating oversized model completion events", async () => {
-    const tmpDir = makeTempDir();
-    const sessionFile = path.join(tmpDir, "session.jsonl");
-    const attempt = {
-      sessionFile,
-      sessionId: "session-1",
-      sessionKey: "agent:main:session-1",
-      runId: "run-1",
-      provider: "codex",
-      modelId: "gpt-5.4",
-      model: { api: "responses" },
-    } as never;
-    const usage = {
-      input: 384_954,
-      output: 5_624,
-      cacheRead: 333_824,
-      reasoningTokens: 2_038,
-      total: 724_402,
-    };
-    const recorder = createCodexTrajectoryRecorder({
-      cwd: tmpDir,
-      attempt,
-      env: {},
-    });
-
-    const trajectoryRecorder = expectTrajectoryRecorder(recorder);
-    recordCodexTrajectoryCompletion(trajectoryRecorder, {
-      attempt,
-      threadId: "thread-1",
-      turnId: "turn-1",
-      timedOut: false,
-      result: {
-        aborted: false,
-        attemptUsage: usage,
-        assistantTexts: ["done"],
-        messagesSnapshot: Array.from({ length: 20 }, (_value, index) => ({
-          role: index % 2 === 0 ? "user" : "assistant",
-          content: `message-${index} ${"x".repeat(32_000)}`,
-        })),
-      } as never,
-    });
-    await trajectoryRecorder.flush();
-
-    const parsed = JSON.parse(
-      fs.readFileSync(path.join(tmpDir, "session.trajectory.jsonl"), "utf8"),
-    );
-    expect(parsed.type).toBe("model.completed");
-    expect(parsed.data).toMatchObject({
-      truncated: true,
-      reason: "trajectory-event-size-limit",
-      usage,
-    });
-    expect(parsed.data.messagesSnapshot).toBeUndefined();
-    expect(parsed.data.droppedFields).toContain("messagesSnapshot");
-    expect(Buffer.byteLength(JSON.stringify(parsed), "utf8")).toBeLessThanOrEqual(256 * 1024);
-  });
-
-  it("drops oversized preserved fields when needed to keep completion events bounded", async () => {
-    const tmpDir = makeTempDir();
-    const sessionFile = path.join(tmpDir, "session.jsonl");
-    const attempt = {
-      sessionFile,
-      sessionId: "session-1",
-      sessionKey: "agent:main:session-1",
-      runId: "run-1",
-      provider: "codex",
-      modelId: "gpt-5.4",
-      model: { api: "responses" },
-    } as never;
-    const oversizedUsage = Object.fromEntries(
-      Array.from({ length: 100 }, (_value, index) => [`field-${index}`, "x".repeat(5_000)]),
-    );
-    const recorder = createCodexTrajectoryRecorder({
-      cwd: tmpDir,
-      attempt,
-      env: {},
-    });
-
-    const trajectoryRecorder = expectTrajectoryRecorder(recorder);
-    recordCodexTrajectoryCompletion(trajectoryRecorder, {
-      attempt,
-      threadId: "thread-1",
-      turnId: "turn-1",
-      timedOut: false,
-      result: {
-        aborted: false,
-        attemptUsage: oversizedUsage,
-        assistantTexts: ["x".repeat(32_000)],
-        messagesSnapshot: [{ role: "assistant", content: "x".repeat(32_000) }],
-      } as never,
-    });
-    await trajectoryRecorder.flush();
-
-    const parsed = JSON.parse(
-      fs.readFileSync(path.join(tmpDir, "session.trajectory.jsonl"), "utf8"),
-    );
-    expect(parsed.data).toMatchObject({
-      truncated: true,
-      reason: "trajectory-event-size-limit",
-    });
-    expect(parsed.data.usage).toBeUndefined();
-    expect(parsed.data.droppedFields).toEqual(
-      expect.arrayContaining(["usage", "assistantTexts", "messagesSnapshot"]),
-    );
-    expect(Buffer.byteLength(JSON.stringify(parsed), "utf8")).toBeLessThanOrEqual(256 * 1024);
-  });
-
-  it("preserves usage on non-final oversized model completion events", async () => {
-    const tmpDir = makeTempDir();
-    const sessionFile = path.join(tmpDir, "session.jsonl");
-    const attempt = {
-      sessionFile,
-      sessionId: "session-1",
-      sessionKey: "agent:main:session-1",
-      runId: "run-1",
-      provider: "codex",
-      modelId: "gpt-5.4",
-      model: { api: "responses" },
-    } as never;
-    const firstUsage = {
-      input: 384_954,
-      output: 5_624,
-      cacheRead: 333_824,
-      reasoningTokens: 2_038,
-      total: 724_402,
-    };
-    const secondUsage = { input: 12, output: 3, total: 15 };
-    const recorder = createCodexTrajectoryRecorder({
-      cwd: tmpDir,
-      attempt,
-      env: {},
-    });
-
-    const trajectoryRecorder = expectTrajectoryRecorder(recorder);
-    recordCodexTrajectoryCompletion(trajectoryRecorder, {
-      attempt,
-      threadId: "thread-1",
-      turnId: "turn-1",
-      timedOut: false,
-      result: {
-        aborted: false,
-        attemptUsage: firstUsage,
-        assistantTexts: ["first"],
-        messagesSnapshot: Array.from({ length: 20 }, (_value, index) => ({
-          role: index % 2 === 0 ? "user" : "assistant",
-          content: `message-${index} ${"x".repeat(32_000)}`,
-        })),
-      } as never,
-    });
-    recordCodexTrajectoryCompletion(trajectoryRecorder, {
-      attempt,
-      threadId: "thread-1",
-      turnId: "turn-2",
-      timedOut: false,
-      result: {
-        aborted: false,
-        attemptUsage: secondUsage,
-        assistantTexts: ["final answer"],
-        messagesSnapshot: [{ role: "assistant", content: "final answer" }],
-      } as never,
-    });
-    await trajectoryRecorder.flush();
-
-    const events = fs
-      .readFileSync(path.join(tmpDir, "session.trajectory.jsonl"), "utf8")
-      .trim()
-      .split(/\r?\n/u)
-      .map((line) => JSON.parse(line));
-    expect(events).toHaveLength(2);
-    expect(events[0].data).toMatchObject({
-      truncated: true,
-      usage: firstUsage,
-    });
-    expect(events[1].data).toMatchObject({
-      turnId: "turn-2",
-      usage: secondUsage,
-      assistantTexts: ["final answer"],
-    });
-    expect(events[1].data.truncated).toBeUndefined();
-  });
-
-  it("redacts secrets before preserving usage in truncated completion events", async () => {
-    const tmpDir = makeTempDir();
-    const sessionFile = path.join(tmpDir, "session.jsonl");
-    const attempt = {
-      sessionFile,
-      sessionId: "session-1",
-      sessionKey: "agent:main:session-1",
-      runId: "run-1",
-      provider: "codex",
-      modelId: "gpt-5.4",
-      model: { api: "responses" },
-    } as never;
-    const recorder = createCodexTrajectoryRecorder({
-      cwd: tmpDir,
-      attempt,
-      env: {},
-    });
-
-    const trajectoryRecorder = expectTrajectoryRecorder(recorder);
-    recordCodexTrajectoryCompletion(trajectoryRecorder, {
-      attempt,
-      threadId: "thread-1",
-      turnId: "turn-1",
-      timedOut: false,
-      result: {
-        aborted: false,
-        attemptUsage: {
-          total: 1,
-          apiKey: "sk-test-secret-token",
-          authorization: "Bearer sk-other-secret-token",
-        },
-        assistantTexts: ["done"],
-        messagesSnapshot: Array.from({ length: 20 }, (_value, index) => ({
-          role: index % 2 === 0 ? "user" : "assistant",
-          content: `message-${index} ${"x".repeat(32_000)}`,
-        })),
-      } as never,
-    });
-    await trajectoryRecorder.flush();
-
-    const parsed = JSON.parse(
-      fs.readFileSync(path.join(tmpDir, "session.trajectory.jsonl"), "utf8"),
-    );
-    const preservedUsage = JSON.stringify(parsed.data.usage);
-    expect(parsed.data.truncated).toBe(true);
-    expect(preservedUsage).toContain("redacted");
-    expect(preservedUsage).not.toContain("sk-test-secret-token");
-    expect(preservedUsage).not.toContain("sk-other-secret-token");
-  });
 });

extensions/codex/src/app-server/trajectory.ts

@@ -40,7 +40,6 @@ const JWT_VALUE_RE = /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]
 const COOKIE_PAIR_RE = /\b([A-Za-z][A-Za-z0-9_.-]{1,64})=([A-Za-z0-9+/._~%=-]{16,})(?=;|\s|$)/gu;
 const TRAJECTORY_RUNTIME_FILE_MAX_BYTES = 50 * 1024 * 1024;
 const TRAJECTORY_RUNTIME_EVENT_MAX_BYTES = 256 * 1024;
-const TRAJECTORY_RUNTIME_OVERSIZE_PRESERVED_DATA_KEYS = ["usage", "promptCache"] as const;
 
 type CodexTrajectoryOpenFlagConstants = Pick<
   typeof nodeFs.constants,
@@ -83,57 +82,19 @@ function boundedTrajectoryLine(event: Record<string, unknown>): string | undefin
   if (bytes <= TRAJECTORY_RUNTIME_EVENT_MAX_BYTES) {
     return `${line}\n`;
   }
-
-  const originalData =
-    event.data && typeof event.data === "object" && !Array.isArray(event.data)
-      ? (event.data as Record<string, unknown>)
-      : {};
-  const originalDataKeys = Object.keys(originalData);
-  const preservedDataKeys = new Set<string>();
-  const baseData = {
-    truncated: true,
-    originalBytes: bytes,
-    limitBytes: TRAJECTORY_RUNTIME_EVENT_MAX_BYTES,
-    reason: "trajectory-event-size-limit",
-  };
-  const buildTruncatedLine = (includeDroppedFields: boolean): string | undefined => {
-    const data: Record<string, unknown> = { ...baseData };
-    for (const key of TRAJECTORY_RUNTIME_OVERSIZE_PRESERVED_DATA_KEYS) {
-      if (preservedDataKeys.has(key)) {
-        data[key] = originalData[key];
-      }
-    }
-    if (includeDroppedFields) {
-      const droppedFields = originalDataKeys.filter((key) => !preservedDataKeys.has(key));
-      if (droppedFields.length > 0) {
-        data.droppedFields = droppedFields;
-      }
-    }
-    const truncated = JSON.stringify({ ...event, data });
-    if (Buffer.byteLength(truncated, "utf8") <= TRAJECTORY_RUNTIME_EVENT_MAX_BYTES) {
-      return `${truncated}\n`;
-    }
-    return undefined;
-  };
-
-  let best = buildTruncatedLine(true) ?? buildTruncatedLine(false);
-  if (!best) {
-    return undefined;
+  const truncated = JSON.stringify({
+    ...event,
+    data: {
+      truncated: true,
+      originalBytes: bytes,
+      limitBytes: TRAJECTORY_RUNTIME_EVENT_MAX_BYTES,
+      reason: "trajectory-event-size-limit",
+    },
+  });
+  if (Buffer.byteLength(truncated, "utf8") <= TRAJECTORY_RUNTIME_EVENT_MAX_BYTES) {
+    return `${truncated}\n`;
   }
-
-  for (const key of TRAJECTORY_RUNTIME_OVERSIZE_PRESERVED_DATA_KEYS) {
-    if (!Object.hasOwn(originalData, key)) {
-      continue;
-    }
-    preservedDataKeys.add(key);
-    const next = buildTruncatedLine(true) ?? buildTruncatedLine(false);
-    if (next) {
-      best = next;
-      continue;
-    }
-    preservedDataKeys.delete(key);
-  }
-  return best;
+  return undefined;
 }
 
 function resolveTrajectoryPointerFilePath(sessionFile: string): string {

extensions/codex/src/command-plugins-management.ts

@@ -23,7 +23,7 @@ export type CodexPluginConfigEntry = {
   enabled?: boolean;
   marketplaceName?: string;
   pluginName?: string;
-  allow_destructive_actions?: boolean | "auto" | "always";
+  allow_destructive_actions?: boolean | "auto";
 };
 
 export type CodexPluginsConfigBlock = {

extensions/codex/src/migration/plan.ts

@@ -43,7 +43,7 @@ export type CodexPluginMigrationConfigEntry = {
   configKey: string;
   pluginName: string;
   enabled: boolean;
-  allowDestructiveActions?: "auto" | "always";
+  allowDestructiveActions?: "auto";
 };
 
 type CodexPluginMigrationBlockSkipDetails = {
@@ -168,18 +168,15 @@ function isLegacyDestructivePolicyRepair(
   );
 }
 
-function readExistingPluginAllowDestructiveActions(
+function isLegacyDestructivePolicyConfigEntryRepair(
   existing: unknown,
   pluginName: string,
-): "auto" | "always" | undefined {
+): boolean {
   const existingEntry = isRecord(existing) ? existing : undefined;
-  if (existingEntry?.pluginName !== pluginName) {
-    return undefined;
-  }
-  const normalized = normalizeExistingAllowDestructiveActions(
-    existingEntry.allow_destructive_actions,
+  return (
+    existingEntry?.allow_destructive_actions === "on-request" &&
+    existingEntry.pluginName === pluginName
   );
-  return normalized === "auto" || normalized === "always" ? normalized : undefined;
 }
 
 function buildPluginItems(
@@ -206,15 +203,12 @@ function buildPluginItems(
         enabled: true,
         marketplaceName: CODEX_PLUGINS_MARKETPLACE_NAME,
         pluginName: plugin.pluginName,
-        ...(() => {
-          const allowDestructiveActions = readExistingPluginAllowDestructiveActions(
-            existingPluginEntries[configKey],
-            plugin.pluginName,
-          );
-          return allowDestructiveActions
-            ? { allow_destructive_actions: allowDestructiveActions }
-            : {};
-        })(),
+        ...(isLegacyDestructivePolicyConfigEntryRepair(
+          existingPluginEntries[configKey],
+          plugin.pluginName,
+        )
+          ? { allow_destructive_actions: "auto" }
+          : {}),
       };
       const conflict =
         !ctx.overwrite &&
@@ -240,9 +234,8 @@ function buildPluginItems(
             pluginName: plugin.pluginName,
             sourceInstalled: plugin.installed === true,
             sourceEnabled: plugin.enabled === true,
-            ...(plannedEntry.allow_destructive_actions === "auto" ||
-            plannedEntry.allow_destructive_actions === "always"
-              ? { allowDestructiveActions: plannedEntry.allow_destructive_actions }
+            ...(plannedEntry.allow_destructive_actions === "auto"
+              ? { allowDestructiveActions: "auto" }
               : {}),
             ...(plugin.apps && plugin.apps.length > 0 && !shouldVerifyPluginApps(ctx)
               ? { sourceAppVerification: CODEX_PLUGIN_SOURCE_APP_VERIFICATION_UNVERIFIED }
@@ -317,15 +310,13 @@ export function readCodexPluginMigrationConfigEntry(
     configKey,
     pluginName,
     enabled,
-    ...(allowDestructiveActions === "auto" || allowDestructiveActions === "always"
-      ? { allowDestructiveActions }
-      : {}),
+    ...(allowDestructiveActions === "auto" ? { allowDestructiveActions: "auto" } : {}),
   };
 }
 
 function readExistingAllowDestructiveActions(
   config: MigrationProviderContext["config"],
-): boolean | "auto" | "always" | undefined {
+): boolean | "auto" | undefined {
   const value = readMigrationConfigPath(config as Record<string, unknown>, [
     ...CODEX_PLUGIN_NATIVE_CONFIG_PATH,
     "allow_destructive_actions",
@@ -333,16 +324,8 @@ function readExistingAllowDestructiveActions(
   return normalizeExistingAllowDestructiveActions(value);
 }
 
-function normalizeExistingAllowDestructiveActions(
-  value: unknown,
-): boolean | "auto" | "always" | undefined {
-  if (value === "auto" || value === "on-request") {
-    return "auto";
-  }
-  if (value === "always") {
-    return "always";
-  }
-  return asBoolean(value);
+function normalizeExistingAllowDestructiveActions(value: unknown): boolean | "auto" | undefined {
+  return value === "auto" || value === "on-request" ? "auto" : asBoolean(value);
 }
 
 function readExistingPluginPolicyRepairs(

extensions/codex/src/migration/provider.test.ts

@@ -2108,76 +2108,6 @@ describe("buildCodexMigrationProvider", () => {
     });
   });
 
-  it("preserves global always destructive plugin policy during migration", async () => {
-    const fixture = await createCodexFixture();
-    const configState: MigrationProviderContext["config"] = {
-      plugins: {
-        entries: {
-          codex: {
-            enabled: true,
-            config: {
-              codexPlugins: {
-                enabled: true,
-                allow_destructive_actions: "always",
-                plugins: {},
-              },
-            },
-          },
-        },
-      },
-      agents: { defaults: { workspace: fixture.workspaceDir } },
-    } as MigrationProviderContext["config"];
-    appServerRequest.mockImplementation(async ({ method }: { method: string }) => {
-      if (method === "plugin/list") {
-        return pluginList([pluginSummary("google-calendar", { installed: true, enabled: true })]);
-      }
-      if (method === "plugin/read") {
-        return pluginRead("google-calendar");
-      }
-      if (method === "plugin/install") {
-        return { authPolicy: "ON_USE", appsNeedingAuth: [] } satisfies v2.PluginInstallResponse;
-      }
-      if (method === "skills/list") {
-        return { data: [] } satisfies v2.SkillsListResponse;
-      }
-      if (method === "hooks/list") {
-        return { data: [] } satisfies v2.HooksListResponse;
-      }
-      if (method === "config/mcpServer/reload") {
-        return {};
-      }
-      if (method === "app/list") {
-        return appsList([]);
-      }
-      throw new Error(`unexpected request ${method}`);
-    });
-    const provider = buildCodexMigrationProvider({
-      runtime: createConfigRuntime(configState),
-    });
-
-    const result = await provider.apply(
-      makeContext({
-        source: fixture.codexHome,
-        stateDir: fixture.stateDir,
-        workspaceDir: fixture.workspaceDir,
-        config: configState,
-      }),
-    );
-
-    expectRecordFields(findItem(result.items, "config:codex-plugins"), { status: "migrated" });
-    expect(configState.plugins?.entries?.codex?.config?.codexPlugins).toEqual({
-      enabled: true,
-      allow_destructive_actions: "always",
-      plugins: {
-        "google-calendar": {
-          enabled: true,
-          marketplaceName: CODEX_PLUGINS_MARKETPLACE_NAME,
-          pluginName: "google-calendar",
-        },
-      },
-    });
-  });
-
   it("records auth-required plugin installs as disabled explicit config entries", async () => {
     const fixture = await createCodexFixture();
     const configState: MigrationProviderContext["config"] = {

extensions/google/transport-stream.test.ts

@@ -476,45 +476,6 @@ describe("google transport stream", () => {
     expect(result.content[2]).toHaveProperty("thoughtSignature", "Y2FsbF9zaWdfMQ==");
   });
 
-  it("preserves MAX_TOKENS when the partial response contains a function call", async () => {
-    guardedFetchMock.mockResolvedValueOnce(
-      buildSseResponse([
-        {
-          candidates: [
-            {
-              content: {
-                parts: [{ functionCall: { name: "lookup", args: { q: "hello" } } }],
-              },
-              finishReason: "MAX_TOKENS",
-            },
-          ],
-        },
-      ]),
-    );
-
-    const streamFn = createGoogleGenerativeAiTransportStreamFn();
-    const stream = await Promise.resolve(
-      streamFn(
-        buildGeminiModel(),
-        {
-          messages: [{ role: "user", content: "hello", timestamp: 0 }],
-          tools: [
-            {
-              name: "lookup",
-              description: "Look up a value",
-              parameters: { type: "object" },
-            },
-          ],
-        } as Parameters<typeof streamFn>[1],
-        { apiKey: "gemini-api-key" } as Parameters<typeof streamFn>[2],
-      ),
-    );
-    const result = await stream.result();
-
-    expect(result.stopReason).toBe("length");
-    expect(result.content).toEqual([expect.objectContaining({ type: "toolCall", name: "lookup" })]);
-  });
-
   it("strips redundant google provider prefixes from Gemini API model paths", async () => {
     guardedFetchMock.mockResolvedValueOnce(buildSseResponse([]));
 

extensions/google/transport-stream.ts

@@ -1404,12 +1404,7 @@ function createGoogleTransportStreamFn(kind: CanonicalGoogleTransportApi): Strea
           }
           if (typeof candidate?.finishReason === "string") {
             output.stopReason = mapStopReasonString(candidate.finishReason);
-            // MAX_TOKENS can leave a complete-looking partial call. Only a normal
-            // Google stop may promote parsed calls into an executable tool-use turn.
-            if (
-              output.stopReason === "stop" &&
-              output.content.some((block) => block.type === "toolCall")
-            ) {
+            if (output.content.some((block) => block.type === "toolCall")) {
               output.stopReason = "toolUse";
             }
           }

extensions/googlechat/src/api.ts

@@ -2,10 +2,6 @@
 import crypto from "node:crypto";
 import { formatErrorMessage } from "openclaw/plugin-sdk/error-runtime";
 import { parseMediaContentLength } from "openclaw/plugin-sdk/media-runtime";
-import {
-  readProviderJsonResponse,
-  readResponseTextLimited,
-} from "openclaw/plugin-sdk/provider-http";
 import { readResponseWithLimit } from "openclaw/plugin-sdk/response-limit-runtime";
 import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
 import type { ResolvedGoogleChatAccount } from "./accounts.js";
@@ -17,7 +13,11 @@ const CHAT_API_BASE = "https://chat.googleapis.com/v1";
 const CHAT_UPLOAD_BASE = "https://chat.googleapis.com/upload/v1";
 
 async function readGoogleChatJsonResponse<T>(response: Response, label: string): Promise<T> {
-  return readProviderJsonResponse<T>(response, label);
+  try {
+    return (await response.json()) as T;
+  } catch (cause) {
+    throw new Error(`${label}: malformed JSON response`, { cause });
+  }
 }
 
 const headersToObject = (headers?: HeadersInit): Record<string, string> =>
@@ -57,7 +57,7 @@ async function withGoogleChatResponse<T>(params: {
   });
   try {
     if (!response.ok) {
-      const text = await readResponseTextLimited(response).catch(() => "");
+      const text = await response.text().catch(() => "");
       throw new Error(`${errorPrefix} ${response.status}: ${text || response.statusText}`);
     }
     return await handleResponse(response);

extensions/googlechat/src/auth.ts

@@ -1,5 +1,4 @@
 // Googlechat plugin module implements auth behavior.
-import { readProviderJsonResponse } from "openclaw/plugin-sdk/provider-http";
 import { normalizeLowercaseStringOrEmpty } from "openclaw/plugin-sdk/string-coerce-runtime";
 import { fetchWithSsrFGuard } from "../runtime-api.js";
 import type { ResolvedGoogleChatAccount } from "./accounts.js";
@@ -18,10 +17,11 @@ const CHAT_CERTS_URL =
   "https://www.googleapis.com/service_accounts/v1/metadata/x509/chat@system.gserviceaccount.com";
 
 async function readGoogleChatCertsResponse(response: Response): Promise<Record<string, string>> {
-  return readProviderJsonResponse<Record<string, string>>(
-    response,
-    "Google Chat cert fetch failed",
-  );
+  try {
+    return (await response.json()) as Record<string, string>;
+  } catch (cause) {
+    throw new Error("Google Chat cert fetch failed: malformed JSON response", { cause });
+  }
 }
 
 // Size-capped to prevent unbounded growth in long-running deployments (#4948)

extensions/googlechat/src/targets.test.ts

@@ -568,137 +568,4 @@ describe("verifyGoogleChatRequest", () => {
     });
     expect(release).toHaveBeenCalledOnce();
   });
-
-  describe("bounded JSON read (readProviderJsonResponse delegation)", () => {
-    afterEach(() => {
-      authTesting.resetGoogleChatAuthForTests();
-      mocks.fetchWithSsrFGuard.mockClear();
-      vi.unstubAllGlobals();
-    });
-
-    it("cancels oversized cert fetch JSON body via the 16 MiB provider cap", async () => {
-      const ONE_MIB = 1024 * 1024;
-      const TOTAL_CHUNKS = 32;
-      const chunk = new Uint8Array(ONE_MIB);
-
-      let bytesPulled = 0;
-      let canceled = false;
-      const oversizedJson = new Response(
-        new ReadableStream<Uint8Array>({
-          pull(controller) {
-            if (bytesPulled >= TOTAL_CHUNKS * ONE_MIB) {
-              controller.close();
-              return;
-            }
-            bytesPulled += chunk.length;
-            controller.enqueue(chunk);
-          },
-          cancel() {
-            canceled = true;
-          },
-        }),
-        { status: 200, headers: { "Content-Type": "application/json" } },
-      );
-      const release = vi.fn(async () => {});
-      mocks.fetchWithSsrFGuard.mockResolvedValueOnce({
-        response: oversizedJson,
-        release,
-      });
-
-      const result = await verifyGoogleChatRequest({
-        bearer: "token",
-        audienceType: "project-number",
-        audience: "123456789",
-      });
-
-      expect(result.ok).toBe(false);
-      expect(result.reason).toMatch(/JSON response exceeds 16777216 bytes/);
-      expect(canceled).toBe(true);
-      expect(bytesPulled).toBeLessThan(TOTAL_CHUNKS * ONE_MIB);
-      expect(release).toHaveBeenCalledOnce();
-    });
-
-    it("rejects oversized sendMessage JSON body via the 16 MiB provider cap", async () => {
-      const ONE_MIB = 1024 * 1024;
-      const TOTAL_CHUNKS = 32;
-      const chunk = new Uint8Array(ONE_MIB);
-
-      let bytesPulled = 0;
-      let canceled = false;
-      const oversizedJson = new Response(
-        new ReadableStream<Uint8Array>({
-          pull(controller) {
-            if (bytesPulled >= TOTAL_CHUNKS * ONE_MIB) {
-              controller.close();
-              return;
-            }
-            bytesPulled += chunk.length;
-            controller.enqueue(chunk);
-          },
-          cancel() {
-            canceled = true;
-          },
-        }),
-        { status: 200, headers: { "Content-Type": "application/json" } },
-      );
-      const release = vi.fn(async () => {});
-      mocks.fetchWithSsrFGuard.mockResolvedValueOnce({
-        response: oversizedJson,
-        release,
-      });
-
-      await expect(
-        sendGoogleChatMessage({
-          account,
-          space: "spaces/AAA",
-          text: "hello",
-        }),
-      ).rejects.toThrow(/Google Chat API request failed: JSON response exceeds 16777216 bytes/);
-
-      expect(canceled).toBe(true);
-      expect(bytesPulled).toBeLessThan(TOTAL_CHUNKS * ONE_MIB);
-    });
-
-    it("caps non-OK sendMessage error bodies before formatting the API error", async () => {
-      const ONE_MIB = 1024 * 1024;
-      const TOTAL_CHUNKS = 32;
-      const chunk = new TextEncoder().encode("x".repeat(ONE_MIB));
-
-      let bytesPulled = 0;
-      let canceled = false;
-      const oversizedError = new Response(
-        new ReadableStream<Uint8Array>({
-          pull(controller) {
-            if (bytesPulled >= TOTAL_CHUNKS * ONE_MIB) {
-              controller.close();
-              return;
-            }
-            bytesPulled += chunk.length;
-            controller.enqueue(chunk);
-          },
-          cancel() {
-            canceled = true;
-          },
-        }),
-        { status: 500, statusText: "Internal Server Error" },
-      );
-      const release = vi.fn(async () => {});
-      mocks.fetchWithSsrFGuard.mockResolvedValueOnce({
-        response: oversizedError,
-        release,
-      });
-
-      await expect(
-        sendGoogleChatMessage({
-          account,
-          space: "spaces/AAA",
-          text: "hello",
-        }),
-      ).rejects.toThrow(/^Google Chat API 500: x+/);
-
-      expect(canceled).toBe(true);
-      expect(bytesPulled).toBeLessThan(TOTAL_CHUNKS * ONE_MIB);
-      expect(release).toHaveBeenCalledOnce();
-    });
-  });
 });

extensions/ollama/src/stream.test.ts

@@ -98,13 +98,13 @@ describe("buildAssistantMessage", () => {
     expect(msg.stopReason).toBe("length");
   });
 
-  it("keeps a length stop authoritative over complete-looking tool calls", () => {
+  it("keeps tool use authoritative over a length stop", () => {
     const response = makeOllamaResponse({
       done_reason: "length",
       tool_calls: [{ function: { name: "read", arguments: { path: "README.md" } } }],
     });
     const msg = buildAssistantMessage(response, MODEL_INFO);
-    expect(msg.stopReason).toBe("length");
+    expect(msg.stopReason).toBe("toolUse");
   });
 });
 
@@ -282,32 +282,6 @@ describe("createOllamaStreamFn thinking events", () => {
     expect(done.message?.stopReason).toBe("length");
   });
 
-  it("preserves a native length stop when the partial response contains tool calls", async () => {
-    const events = await streamOllamaEvents(
-      [
-        makeOllamaResponse({
-          done_reason: "length",
-          tool_calls: [{ function: { name: "read", arguments: { path: "README.md" } } }],
-        }),
-      ],
-      {},
-      {
-        messages: [{ role: "user", content: "test" }],
-        tools: [{ name: "read", description: "Read files", parameters: { type: "object" } }],
-      } as never,
-    );
-
-    const done = events.find((event) => event.type === "done") as {
-      reason?: string;
-      message?: { content?: Array<Record<string, unknown>>; stopReason?: string };
-    };
-    expect(done.reason).toBe("length");
-    expect(done.message?.stopReason).toBe("length");
-    expect(done.message?.content).toEqual([
-      expect.objectContaining({ type: "toolCall", name: "read" }),
-    ]);
-  });
-
   it("uses generic stream timeout for Ollama request timeout", async () => {
     await streamOllamaEvents([makeOllamaResponse({ content: "ok" })], { timeoutMs: 2500 });
 

extensions/ollama/src/stream.ts

@@ -656,15 +656,10 @@ function estimateTokensFromChars(chars: number): number {
 }
 
 function resolveOllamaStopReason(response: OllamaChatResponse) {
-  // Ollama's length terminal means generation hit its token limit, even when
-  // the partial response already contains a complete-looking tool call.
-  if (response.done_reason === "length") {
-    return "length" as const;
-  }
   if (response.message.tool_calls?.length) {
     return "toolUse" as const;
   }
-  return "stop" as const;
+  return response.done_reason === "length" ? ("length" as const) : ("stop" as const);
 }
 
 function estimateOllamaPromptTokens(params: {

extensions/opencode-go/stream-termination.test.ts

@@ -713,100 +713,4 @@ describe("createOpencodeGoStalledStreamWrapper", () => {
     controller.end();
     await consumer;
   });
-
-  it("must NOT abort a live stream that keeps emitting block-boundary events between deltas", async () => {
-    // Regression for https://github.com/openclaw/openclaw/issues/96518:
-    // the idle timer must re-arm on block-boundary events (text_end,
-    // thinking_end, toolcall_start, toolcall_end), not only on token
-    // deltas. A stream that keeps producing boundary events between
-    // deltas is demonstrably alive and must not be aborted.
-    const { stream: baseStream, controller } = createFakeBaseStream();
-    let abortCalled = false;
-    const underlying = vi.fn((_model, _context, options) => {
-      if (options?.signal) {
-        options.signal.addEventListener("abort", () => {
-          abortCalled = true;
-        });
-      }
-      return baseStream;
-    });
-
-    const idleTimeoutMs = 5_000;
-    const wrapper = createOpencodeGoStalledStreamWrapper(underlying as any, {
-      provider: "opencode-go",
-      idleTimeoutMs,
-    });
-
-    const downstream = await Promise.resolve(
-      wrapper({ provider: "opencode-go", id: "glm-4.6" } as any, {} as any, {} as any),
-    );
-    expect(downstream).toBeDefined();
-      if (!downstream) {
-        return;
-      }
-
-    const received: AnyEvent[] = [];
-    const consumer = (async () => {
-      for await (const event of downstream) {
-        received.push(event);
-      }
-    })();
-
-    const partial = { role: "assistant", content: [{ type: "text", text: "x" }] };
-
-    // Provider starts producing a tool-call turn. The last *delta* arms the idle timer.
-    controller.emit({ type: "start", partial } as any);
-    controller.emit({
-      type: "toolcall_delta",
-      contentIndex: 0,
-      delta: "{",
-      partial,
-    } as any);
-    await vi.advanceTimersByTimeAsync(0);
-
-    // The model finalizes the tool call and deliberates on the next one,
-    // emitting real block-boundary events that prove the SSE socket is alive.
-    // Each gap is < idleTimeoutMs, so a liveness-aware watchdog must stay armed.
-    await vi.advanceTimersByTimeAsync(3_000);
-    controller.emit({
-      type: "toolcall_end",
-      contentIndex: 0,
-      toolCall: { name: "f", arguments: "{}" },
-      partial,
-    } as any);
-    await vi.advanceTimersByTimeAsync(3_000);
-    controller.emit({
-      type: "toolcall_start",
-      contentIndex: 1,
-      partial,
-    } as any);
-
-    // Advance to 5s after the last delta, but only 2s after the last
-    // boundary event. The idle timer should have been re-armed by the
-    // boundary events, so it must NOT fire yet.
-    await vi.advanceTimersByTimeAsync(1_000);
-
-    // The provider's completed answer arrives right after.
-    controller.emit({
-      type: "done",
-      reason: "stop",
-      message: {
-        ...partial,
-        content: [{ type: "text", text: "final answer" }],
-        stopReason: "stop",
-      },
-    } as any);
-    controller.end();
-    await vi.advanceTimersByTimeAsync(0);
-    await consumer;
-
-    const hasDone = received.some((e) => e.type === "done");
-    const hasStalledError = received.some(
-      (e) => e.type === "error" && (e as any).error?.stopReason === "error",
-    );
-
-    expect(abortCalled).toBe(false);
-    expect(hasDone).toBe(true);
-    expect(hasStalledError).toBe(false);
-  });
 });

extensions/opencode-go/stream-termination.ts

@@ -55,11 +55,7 @@ function isProviderProgressEvent(event: AssistantMessageEvent): boolean {
   return (
     event.type === "text_delta" ||
     event.type === "thinking_delta" ||
-    event.type === "toolcall_delta" ||
-    event.type === "text_end" ||
-    event.type === "thinking_end" ||
-    event.type === "toolcall_start" ||
-    event.type === "toolcall_end"
+    event.type === "toolcall_delta"
   );
 }
 

extensions/telegram/src/fetch.test.ts

@@ -957,7 +957,7 @@ describe("resolveTelegramFetch", () => {
     expect(eighthDispatcher).toBe(firstDispatcher);
     expect(ninthDispatcher).toBe(firstDispatcher);
     expectPinnedFallbackIpDispatcher(3);
-    expectLoggerMessageContaining(loggerWarn, "fetch fallback: primary connection path failed");
+    expectLoggerMessageContaining(loggerWarn, "fetch fallback: DNS-resolved IP unreachable");
     expectLoggerMessageContaining(
       loggerDebug,
       "fetch fallback: recovered from attempt 2 to attempt 0",
@@ -1193,31 +1193,6 @@ describe("resolveTelegramFetch", () => {
     expect(undiciFetch).toHaveBeenCalledTimes(1);
   });
 
-  it("does not automatically retry structured EADDRNOTAVAIL fetch failures", async () => {
-    const fetchError = buildFetchFallbackError("EADDRNOTAVAIL");
-    undiciFetch.mockRejectedValue(fetchError);
-
-    const resolved = resolveTelegramFetchOrThrow(undefined, STICKY_IPV4_FALLBACK_NETWORK);
-
-    await expect(resolved("https://api.telegram.org/botx/sendMessage")).rejects.toThrow(
-      "fetch failed",
-    );
-
-    expect(undiciFetch).toHaveBeenCalledTimes(1);
-  });
-
-  it("preserves EADDRNOTAVAIL in forced fallback diagnostics", () => {
-    const transport = resolveTelegramTransport(undefined, STICKY_IPV4_FALLBACK_NETWORK);
-    const fetchError = buildFetchFallbackError("EADDRNOTAVAIL");
-
-    expect(transport.forceFallback?.("probe timeout/network error", fetchError)).toBe(true);
-    expect(transport.forceFallback?.("probe timeout/network error", fetchError)).toBe(true);
-
-    expectLoggerMessageContaining(loggerWarn, "primary connection path failed");
-    expectLoggerMessageContaining(loggerWarn, "codes=EADDRNOTAVAIL");
-    expectNoLoggerMessageContaining(loggerWarn, "DNS-resolved IP unreachable");
-  });
-
   it("retries sticky fallback when the local network is down during connect", async () => {
     undiciFetch
       .mockRejectedValueOnce(buildFetchFallbackError("ENETDOWN"))

extensions/telegram/src/fetch.ts

@@ -488,10 +488,9 @@ export type TelegramTransport = {
   dispatcherAttempts?: TelegramDispatcherAttempt[];
   /**
    * Promote this transport to its next fallback dispatcher before the next
-   * request. The original error, when available, is retained in diagnostics.
-   * Returns false when no fallback path exists.
+   * request. Returns false when no fallback path exists.
    */
-  forceFallback?: (reason: string, err?: unknown) => boolean;
+  forceFallback?: (reason: string) => boolean;
   /**
    * Release all dispatchers owned by this transport and the TCP sockets they
    * hold. Safe to call multiple times; subsequent calls resolve immediately.
@@ -564,8 +563,7 @@ function createTelegramTransportAttempts(params: {
     },
     exportAttempt: { dispatcherPolicy: fallbackIpPolicy },
     logLevel: "warn",
-    logMessage:
-      "fetch fallback: primary connection path failed; trying alternative Telegram API IP",
+    logMessage: "fetch fallback: DNS-resolved IP unreachable; trying alternative Telegram API IP",
   });
 
   return attempts;
@@ -866,8 +864,8 @@ export function resolveTelegramTransport(
     fetch: resolvedFetch,
     sourceFetch,
     dispatcherAttempts: transportAttempts.map((attempt) => attempt.exportAttempt),
-    forceFallback: (reason: string, err?: unknown) =>
-      promoteStickyAttempt(stickyAttemptIndex + 1, err ?? new Error("forced fallback"), reason),
+    forceFallback: (reason: string) =>
+      promoteStickyAttempt(stickyAttemptIndex + 1, new Error("forced fallback"), reason),
     close,
   };
 }

extensions/telegram/src/probe.test.ts

@@ -362,7 +362,7 @@ describe("probeTelegram retry logic", () => {
 
       const result = await probePromise;
       expect(result.ok).toBe(true);
-      expect(localForceFallback).toHaveBeenCalledWith("probe timeout/network error", timeoutError);
+      expect(localForceFallback).toHaveBeenCalledWith("probe timeout/network error");
       expect(fetchMock).toHaveBeenCalledTimes(3); // 1 failed + 1 getMe success + 1 webhook
     } finally {
       vi.useRealTimers();

extensions/telegram/src/probe.ts

@@ -162,8 +162,7 @@ export async function probeTelegram(
         // On timeout or network error, promote the transport to its IPv4
         // fallback dispatcher so the next retry (and all future probes
         // sharing this cached transport) skip the stalled IPv6 path.
-        // Keep the original socket code in transport fallback diagnostics.
-        transport.forceFallback?.("probe timeout/network error", err);
+        transport.forceFallback?.("probe timeout/network error");
         if (i < 2) {
           const remainingAfterAttemptMs = resolveRemainingBudgetMs();
           if (remainingAfterAttemptMs <= 0) {

extensions/voice-call/doctor-contract-api.test.ts

@@ -12,7 +12,7 @@ import type {
   PluginDoctorStateMigrationContext,
 } from "openclaw/plugin-sdk/runtime-doctor";
 import { afterEach, beforeEach, describe, expect, it } from "vitest";
-import { resolveSessionStoreAgentIds, stateMigrations } from "./doctor-contract-api.js";
+import { stateMigrations } from "./doctor-contract-api.js";
 import {
   createTestStorePath,
   makePersistedCall,
@@ -68,42 +68,6 @@ describe("voice-call doctor state migration", () => {
     await fs.rm(storePath, { recursive: true, force: true });
   });
 
-  it("reports top-level and per-number session-store agents", () => {
-    expect(
-      resolveSessionStoreAgentIds({
-        cfg: {
-          plugins: {
-            entries: {
-              "voice-call": {
-                config: {
-                  agentId: "Voice",
-                  numbers: {
-                    "+15550001111": { agentId: "Cards" },
-                    "+15550002222": {},
-                  },
-                },
-              },
-            },
-          },
-        },
-      }),
-    ).toEqual(["cards", "voice"]);
-    expect(
-      resolveSessionStoreAgentIds({
-        cfg: {
-          plugins: { entries: { "@openclaw/voice-call": { config: {} } } },
-        },
-      }),
-    ).toEqual(["main"]);
-    expect(
-      resolveSessionStoreAgentIds({
-        cfg: {
-          plugins: { entries: { "voice-call": { enabled: true } } },
-        },
-      }),
-    ).toEqual(["main"]);
-  });
-
   it("imports legacy calls.jsonl into plugin state", async () => {
     const sourcePath = path.join(storePath, "calls.jsonl");
     const call = makePersistedCall({

extensions/voice-call/doctor-contract-api.ts

@@ -2,8 +2,6 @@
 import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
-import type { OpenClawConfig } from "openclaw/plugin-sdk/plugin-entry";
-import { normalizeAgentId } from "openclaw/plugin-sdk/routing";
 import type {
   PluginDoctorStateMigration,
   PluginStateKeyedStore,
@@ -83,36 +81,6 @@ type PluginDoctorStateMigrationParams = Parameters<
   PluginDoctorStateMigration["detectLegacyState"]
 >[0];
 
-function asRecord(value: unknown): Record<string, unknown> | undefined {
-  return value && typeof value === "object" && !Array.isArray(value)
-    ? (value as Record<string, unknown>)
-    : undefined;
-}
-
-/** Return Voice Call agents whose templated core session stores need migration. */
-export function resolveSessionStoreAgentIds(params: { cfg: OpenClawConfig }): string[] {
-  const agentIds = new Set<string>();
-  for (const pluginId of ["voice-call", "@openclaw/voice-call"]) {
-    const entry = params.cfg.plugins?.entries?.[pluginId];
-    if (!entry) {
-      continue;
-    }
-    const config = entry.config === undefined ? {} : asRecord(entry.config);
-    if (!config) {
-      continue;
-    }
-    agentIds.add(normalizeAgentId(typeof config.agentId === "string" ? config.agentId : undefined));
-    const numbers = asRecord(config.numbers);
-    for (const route of Object.values(numbers ?? {})) {
-      const agentId = asRecord(route)?.agentId;
-      if (typeof agentId === "string") {
-        agentIds.add(normalizeAgentId(agentId));
-      }
-    }
-  }
-  return [...agentIds].toSorted();
-}
-
 /** Resolve the voice-call store path used by legacy and plugin-state call records. */
 function resolveVoiceCallStorePath(params: {
   config: PluginDoctorStateMigrationParams["config"];

extensions/voice-call/src/config.test.ts

@@ -2,11 +2,9 @@
 import { afterEach, beforeEach, describe, expect, it } from "vitest";
 import {
   VoiceCallConfigSchema,
-  resolveVoiceCallAgentSessionKey,
   resolveTwilioAuthToken,
   resolveVoiceCallEffectiveConfig,
   resolveVoiceCallNumberRouteKey,
-  resolveVoiceCallNumberRouteKeyForCall,
   resolveVoiceCallSessionKey,
   validateProviderConfig,
   normalizeVoiceCallConfig,
@@ -298,23 +296,7 @@ describe("resolveVoiceCallConfig session routing", () => {
         callId: "call-123",
         phone: "+1 (555) 000-1111",
       }),
-    ).toBe("agent:main:voice:15550001111");
-  });
-
-  it("scopes generated voice session keys by configured agent", () => {
-    const config = resolveVoiceCallConfig({
-      enabled: true,
-      provider: "mock",
-      agentId: "Voice",
-    });
-
-    expect(
-      resolveVoiceCallSessionKey({
-        config,
-        callId: "CALL-123",
-        phone: "+1 (555) 000-1111",
-      }),
-    ).toBe("agent:voice:voice:15550001111");
+    ).toBe("voice:15550001111");
   });
 
   it("can scope voice sessions to each call", () => {
@@ -331,10 +313,10 @@ describe("resolveVoiceCallConfig session routing", () => {
         callId: "call-123",
         phone: "+1 (555) 000-1111",
       }),
-    ).toBe("agent:main:voice:call:call-123");
+    ).toBe("voice:call:call-123");
   });
 
-  it("scopes explicit voice session keys by configured agent", () => {
+  it("preserves explicit voice session keys", () => {
     const config = resolveVoiceCallConfig({
       enabled: true,
       provider: "mock",
@@ -346,135 +328,9 @@ describe("resolveVoiceCallConfig session routing", () => {
         config,
         callId: "call-123",
         phone: "+1 (555) 000-1111",
-        explicitSessionKey: "Meet-Room-1",
+        explicitSessionKey: "meet-room-1",
       }),
-    ).toBe("agent:main:meet-room-1");
-  });
-
-  it("scopes persisted and explicit keys at the agent session boundary", () => {
-    const config = resolveVoiceCallConfig({
-      enabled: true,
-      provider: "mock",
-      agentId: "Voice",
-    });
-
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "voice:call:legacy-call",
-      }),
-    ).toBe("agent:voice:voice:call:legacy-call");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "meet-room-1",
-      }),
-    ).toBe("agent:voice:meet-room-1");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "agent:main:shared-room",
-      }),
-    ).toBe("agent:voice:agent:main:shared-room");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "agent:other:Matrix:Channel:!RoomAbC:example.org",
-      }),
-    ).toBe("agent:voice:agent:other:matrix:channel:!RoomAbC:example.org");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "agent:voice:agent:other:matrix:channel:!RoomAbC:example.org",
-      }),
-    ).toBe("agent:voice:agent:other:matrix:channel:!RoomAbC:example.org");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "Signal:Group:AbC123=",
-      }),
-    ).toBe("agent:voice:signal:group:AbC123=");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "agent:broken",
-      }),
-    ).toBe("agent:voice:agent:broken");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "agent::broken",
-      }),
-    ).toBe("agent:voice:agent::broken");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "agent::Matrix:Channel:!RoomAbC:example.org",
-      }),
-    ).toBe("agent:voice:agent::matrix:channel:!RoomAbC:example.org");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "agent:other:room::part",
-      }),
-    ).toBe("agent:voice:agent:other:room::part");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "agent:voice:room::part",
-      }),
-    ).toBe("agent:voice:room::part");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "agent:voice::Matrix:Channel:!RoomAbC:example.org",
-      }),
-    ).toBe("agent:voice:agent:voice::matrix:channel:!RoomAbC:example.org");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "agent:bad/id:room",
-      }),
-    ).toBe("agent:voice:agent:bad/id:room");
-  });
-
-  it("canonicalizes raw and scoped main aliases with the core session config", () => {
-    const config = resolveVoiceCallConfig({
-      enabled: true,
-      provider: "mock",
-      agentId: "Voice",
-    });
-
-    for (const sessionKey of ["main", "agent:voice:main"]) {
-      expect(
-        resolveVoiceCallAgentSessionKey({
-          config,
-          sessionKey,
-          coreSession: { mainKey: "work" },
-        }),
-      ).toBe("agent:voice:work");
-    }
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "main",
-        coreSession: { scope: "global" },
-      }),
-    ).toBe("global");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "agent:main:main",
-        coreSession: { mainKey: "work" },
-      }),
-    ).toBe("agent:voice:agent:main:main");
-    expect(
-      resolveVoiceCallAgentSessionKey({
-        config,
-        sessionKey: "agent:main:main",
-        coreSession: { scope: "global" },
-      }),
-    ).toBe("agent:voice:agent:main:main");
+    ).toBe("meet-room-1");
   });
 
   it("resolves per-number inbound route overrides over global voice settings", () => {
@@ -539,35 +395,6 @@ describe("resolveVoiceCallConfig session routing", () => {
     expect(effective.config).toBe(config);
     expect(effective.config.inboundGreeting).toBe("Hello from global.");
   });
-
-  it("uses dialed-number fallback only for inbound calls", () => {
-    expect(
-      resolveVoiceCallNumberRouteKeyForCall({
-        direction: "inbound",
-        to: "+15550001111",
-      }),
-    ).toBe("+15550001111");
-    expect(
-      resolveVoiceCallNumberRouteKeyForCall({
-        direction: "outbound",
-        to: "+15550001111",
-      }),
-    ).toBeUndefined();
-    expect(
-      resolveVoiceCallNumberRouteKeyForCall({
-        direction: "inbound",
-        to: "+15550001111",
-        metadata: { numberRouteKey: "+15550002222" },
-      }),
-    ).toBe("+15550002222");
-    expect(
-      resolveVoiceCallNumberRouteKeyForCall({
-        direction: "outbound",
-        to: "+15550001111",
-        metadata: { numberRouteKey: "+15550002222" },
-      }),
-    ).toBeUndefined();
-  });
 });
 
 describe("normalizeVoiceCallConfig", () => {

extensions/voice-call/src/config.ts

@@ -1,16 +1,11 @@
 // Voice Call helper module supports config behavior.
 import { REALTIME_VOICE_AGENT_CONSULT_TOOL_POLICIES } from "openclaw/plugin-sdk/realtime-voice";
-import { normalizeAgentId, parseAgentSessionKey } from "openclaw/plugin-sdk/routing";
 import {
   buildSecretInputSchema,
   hasConfiguredSecretInput,
   normalizeResolvedSecretInputString,
   type SecretInput,
 } from "openclaw/plugin-sdk/secret-input";
-import {
-  canonicalizeMainSessionAlias,
-  type SessionScope,
-} from "openclaw/plugin-sdk/session-store-runtime";
 import { z } from "zod";
 import { TtsConfigSchema } from "../api.js";
 import { deepMergeDefined } from "./deep-merge.js";
@@ -574,22 +569,6 @@ export function resolveVoiceCallNumberRouteKey(
   );
 }
 
-/** Resolve inbound-only number routing from a persisted call record. */
-export function resolveVoiceCallNumberRouteKeyForCall(call: {
-  direction?: "inbound" | "outbound";
-  to?: string;
-  metadata?: { numberRouteKey?: unknown };
-}): string | undefined {
-  if (call.direction !== "inbound") {
-    return undefined;
-  }
-  const storedRouteKey = call.metadata?.numberRouteKey;
-  if (typeof storedRouteKey === "string") {
-    return storedRouteKey;
-  }
-  return call.to;
-}
-
 export function resolveVoiceCallEffectiveConfig(
   config: VoiceCallConfig,
   phoneOrRouteKey: string | undefined,
@@ -716,73 +695,21 @@ export function normalizeVoiceCallConfig(config: VoiceCallConfigInput): VoiceCal
   };
 }
 
-export type VoiceCallCoreSessionConfig = { mainKey?: string; scope?: SessionScope };
-
 export function resolveVoiceCallSessionKey(params: {
-  config: Pick<VoiceCallConfig, "agentId" | "sessionScope">;
+  config: Pick<VoiceCallConfig, "sessionScope">;
   callId: string;
   phone?: string;
   explicitSessionKey?: string;
-  coreSession?: VoiceCallCoreSessionConfig;
 }): string {
   const explicit = params.explicitSessionKey?.trim();
   if (explicit) {
-    return resolveVoiceCallAgentSessionKey({
-      config: params.config,
-      sessionKey: explicit,
-      coreSession: params.coreSession,
-    });
+    return explicit;
   }
-  // Startup migration promotes unambiguous shipped `voice:*` rows;
-  // generate only canonical keys here so new history never needs repair.
-  const prefix = `agent:${normalizeAgentId(params.config.agentId)}:voice`;
   if (params.config.sessionScope === "per-call") {
-    return `${prefix}:call:${params.callId}`.toLowerCase();
+    return `voice:call:${params.callId}`;
   }
   const normalizedPhone = params.phone?.replace(/\D/g, "");
-  return (
-    normalizedPhone ? `${prefix}:${normalizedPhone}` : `${prefix}:${params.callId}`
-  ).toLowerCase();
-}
-
-/** Resolve persisted or integration-provided keys into the configured agent namespace. */
-export function resolveVoiceCallAgentSessionKey(params: {
-  config: Pick<VoiceCallConfig, "agentId">;
-  sessionKey: string;
-  coreSession?: VoiceCallCoreSessionConfig;
-}): string {
-  const sessionKey = params.sessionKey.trim();
-  if (!sessionKey) {
-    throw new Error("Voice Call session key cannot be empty");
-  }
-  const lower = sessionKey.toLowerCase();
-  const agentId = normalizeAgentId(params.config.agentId);
-  if (lower === "global" || lower === "unknown") {
-    return lower;
-  }
-  const parsedInput = parseAgentSessionKey(sessionKey);
-  let normalizedScopedKey: string;
-  if (
-    parsedInput &&
-    normalizeAgentId(parsedInput.agentId) === parsedInput.agentId &&
-    parsedInput.agentId === agentId
-  ) {
-    normalizedScopedKey = `agent:${parsedInput.agentId}:${parsedInput.rest}`;
-  } else {
-    // Voice Call's configured agent owns both the store and runtime. Foreign or
-    // malformed agent-shaped input is an opaque integration key, not a route.
-    const wrappedInput = parseAgentSessionKey(`agent:${agentId}:${sessionKey}`);
-    if (!wrappedInput) {
-      throw new Error("Voice Call session key could not be normalized");
-    }
-    normalizedScopedKey = `agent:${agentId}:${wrappedInput.rest}`;
-  }
-  const canonicalMain = canonicalizeMainSessionAlias({
-    cfg: { session: params.coreSession },
-    agentId,
-    sessionKey: normalizedScopedKey,
-  });
-  return canonicalMain === normalizedScopedKey ? normalizedScopedKey : canonicalMain;
+  return normalizedPhone ? `voice:${normalizedPhone}` : `voice:${params.callId}`;
 }
 
 /**

extensions/voice-call/src/core-bridge.ts

@@ -1,12 +1,14 @@
 // Voice Call plugin module implements core bridge behavior.
 import type { OpenClawPluginApi } from "../api.js";
-import type { VoiceCallCoreSessionConfig, VoiceCallTtsConfig } from "./config.js";
+import type { VoiceCallTtsConfig } from "./config.js";
 
 // Narrow core runtime/config contracts consumed by the voice-call plugin.
 
 /** Core config subset read by voice-call helpers. */
 export type CoreConfig = {
-  session?: VoiceCallCoreSessionConfig & { store?: string };
+  session?: {
+    store?: string;
+  };
   messages?: {
     tts?: VoiceCallTtsConfig;
   };

extensions/voice-call/src/manager.ts

@@ -4,7 +4,7 @@ import os from "node:os";
 import path from "node:path";
 import { formatErrorMessage } from "openclaw/plugin-sdk/error-runtime";
 import { normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
-import type { VoiceCallConfig, VoiceCallCoreSessionConfig } from "./config.js";
+import type { VoiceCallConfig } from "./config.js";
 import type { CallManagerContext, StreamSessionIssuer } from "./manager/context.js";
 import { processEvent as processManagerEvent } from "./manager/events.js";
 import { getCallByProviderCallId as getCallByProviderCallIdFromMaps } from "./manager/lookup.js";
@@ -82,7 +82,6 @@ export class CallManager {
   private rejectedProviderCallIds = new Set<string>();
   private provider: VoiceCallProvider | null = null;
   private config: VoiceCallConfig;
-  private coreSession: VoiceCallCoreSessionConfig | undefined;
   private storePath: string;
   private webhookUrl: string | null = null;
   private activeTurnCalls = new Set<CallId>();
@@ -104,13 +103,8 @@ export class CallManager {
    */
   streamSessionIssuer: StreamSessionIssuer | undefined;
 
-  constructor(
-    config: VoiceCallConfig,
-    storePath?: string,
-    coreSession?: VoiceCallCoreSessionConfig,
-  ) {
+  constructor(config: VoiceCallConfig, storePath?: string) {
     this.config = config;
-    this.coreSession = coreSession;
     this.storePath = resolveDefaultStoreBase(config, storePath);
   }
 
@@ -359,7 +353,6 @@ export class CallManager {
       rejectedProviderCallIds: this.rejectedProviderCallIds,
       provider: this.provider,
       config: this.config,
-      coreSession: this.coreSession,
       storePath: this.storePath,
       webhookUrl: this.webhookUrl,
       activeTurnCalls: this.activeTurnCalls,

extensions/voice-call/src/manager/context.ts

@@ -1,5 +1,5 @@
 // Voice Call plugin module implements context behavior.
-import type { VoiceCallConfig, VoiceCallCoreSessionConfig } from "../config.js";
+import type { VoiceCallConfig } from "../config.js";
 import type { VoiceCallProvider } from "../providers/base.js";
 import type { CallId, CallRecord } from "../types.js";
 
@@ -21,7 +21,6 @@ type CallManagerRuntimeState = {
 type CallManagerRuntimeDeps = {
   provider: VoiceCallProvider | null;
   config: VoiceCallConfig;
-  coreSession?: VoiceCallCoreSessionConfig;
   storePath: string;
   webhookUrl: string | null;
 };

extensions/voice-call/src/manager/events.test.ts

@@ -633,7 +633,7 @@ describe("processEvent (functional)", () => {
     processEvent(ctx, event);
 
     const call = requireFirstActiveCall(ctx);
-    expect(call.sessionKey).toBe(`agent:main:voice:call:${call.callId}`);
+    expect(call.sessionKey).toBe(`voice:call:${call.callId}`);
   });
 
   it("applies per-number inbound greeting and stores the matched route key", () => {

extensions/voice-call/src/manager/outbound.test.ts

@@ -155,12 +155,11 @@ describe("voice-call outbound helpers", () => {
         fromNumber: "+14155550100",
         tts: { provider: "openai", providers: { openai: { voice: "nova" } } },
       },
-      coreSession: { mainKey: "work" },
       storePath: "/tmp/voice-call.json",
       webhookUrl: "https://example.com/webhook",
     };
 
-    const result = await initiateCall(ctx as never, "+14155550123", "main", {
+    const result = await initiateCall(ctx as never, "+14155550123", "session-1", {
       mode: "notify",
       message: "hello there",
     });
@@ -179,7 +178,7 @@ describe("voice-call outbound helpers", () => {
       inlineTwiml: "<Response />",
     });
     expect(ctx.providerCallIdMap.get("provider-1")).toBe(callId);
-    expect(ctx.activeCalls.get(callId)?.sessionKey).toBe("agent:main:work");
+    expect(ctx.activeCalls.get(callId)?.sessionKey).toBe("session-1");
     expect(persistCallRecordMock).toHaveBeenCalledTimes(2);
   });
 
@@ -204,9 +203,7 @@ describe("voice-call outbound helpers", () => {
     expect(result.success).toBe(true);
     expect(result.callId).toBeTypeOf("string");
     expect(result.callId).not.toBe("");
-    expect(ctx.activeCalls.get(result.callId)?.sessionKey).toBe(
-      `agent:main:voice:call:${result.callId}`,
-    );
+    expect(ctx.activeCalls.get(result.callId)?.sessionKey).toBe(`voice:call:${result.callId}`);
   });
 
   it("initiates conversation calls with pre-connect DTMF TwiML", async () => {
@@ -407,7 +404,6 @@ describe("voice-call outbound helpers", () => {
     const call = {
       callId: "call-1",
       providerCallId: "provider-1",
-      direction: "inbound",
       state: "active",
       to: "+15550002222",
       metadata: { numberRouteKey: "+15550002222" },
@@ -442,40 +438,6 @@ describe("voice-call outbound helpers", () => {
     });
   });
 
-  it("keeps top-level TTS for outbound calls to a number with an inbound route", async () => {
-    const call = {
-      callId: "call-1",
-      providerCallId: "provider-1",
-      direction: "outbound",
-      state: "active",
-      to: "+15550002222",
-    };
-    const playTts = vi.fn(async () => {});
-    const ctx = {
-      activeCalls: new Map([["call-1", call]]),
-      providerCallIdMap: new Map(),
-      provider: { name: "twilio", playTts },
-      config: {
-        tts: { provider: "openai", providers: { openai: { voice: "coral" } } },
-        numbers: {
-          "+15550002222": {
-            tts: { providers: { openai: { voice: "alloy" } } },
-          },
-        },
-      },
-      storePath: "/tmp/voice-call.json",
-    };
-
-    await expect(speak(ctx as never, "call-1", "hello")).resolves.toEqual({ success: true });
-
-    expect(playTts).toHaveBeenCalledWith({
-      callId: "call-1",
-      providerCallId: "provider-1",
-      text: "hello",
-      voice: "coral",
-    });
-  });
-
   it("sends DTMF through connected provider calls", async () => {
     const call = { callId: "call-1", providerCallId: "provider-1", state: "active" };
     const sendDtmfProvider = vi.fn(async () => {});

extensions/voice-call/src/manager/outbound.ts

@@ -3,7 +3,6 @@ import crypto from "node:crypto";
 import { formatErrorMessage } from "openclaw/plugin-sdk/error-runtime";
 import {
   resolveVoiceCallEffectiveConfig,
-  resolveVoiceCallNumberRouteKeyForCall,
   resolveVoiceCallSessionKey,
   type CallMode,
 } from "../config.js";
@@ -35,7 +34,6 @@ type InitiateContext = Pick<
   | "providerCallIdMap"
   | "provider"
   | "config"
-  | "coreSession"
   | "storePath"
   | "webhookUrl"
   | "streamSessionIssuer"
@@ -192,7 +190,6 @@ export async function initiateCall(
       callId,
       phone: to,
       explicitSessionKey: sessionKey,
-      coreSession: ctx.coreSession,
     }),
     startedAt: Date.now(),
     transcript: [],
@@ -291,7 +288,8 @@ export async function speak(
     transitionState(call, "speaking");
     persistCallRecord(ctx.storePath, call);
 
-    const numberRouteKey = resolveVoiceCallNumberRouteKeyForCall(call);
+    const numberRouteKey =
+      typeof call.metadata?.numberRouteKey === "string" ? call.metadata.numberRouteKey : call.to;
     const voice = resolvePreferredTtsVoice(
       resolveVoiceCallEffectiveConfig(ctx.config, numberRouteKey).config,
     );

extensions/voice-call/src/response-generator.test.ts

@@ -71,7 +71,7 @@ function createAgentRuntime(payloads: Array<Record<string, unknown>>) {
       sessionStore[params.sessionKey] = { ...params.entry };
     },
   );
-  const runEmbeddedAgent = vi.fn(async (_args: EmbeddedAgentArgs) => ({
+  const runEmbeddedAgent = vi.fn(async () => ({
     payloads,
     meta: { durationMs: 12, aborted: false },
   }));
@@ -233,7 +233,7 @@ describe("generateVoiceResponse", () => {
     const { runtime, runEmbeddedAgent, patchSessionEntry, sessionStore } = createAgentRuntime([
       { text: '{"spoken":"Pinned model works."}' },
     ]);
-    sessionStore["agent:main:voice:15550001111"] = {
+    sessionStore["voice:15550001111"] = {
       sessionId: "existing-session",
       updatedAt: 100,
       model: "old-model",
@@ -257,7 +257,7 @@ describe("generateVoiceResponse", () => {
     });
 
     expect(result.text).toBe("Pinned model works.");
-    const pinnedSessionEntry = sessionStore["agent:main:voice:15550001111"];
+    const pinnedSessionEntry = sessionStore["voice:15550001111"];
     expect(pinnedSessionEntry?.providerOverride).toBe("openai");
     expect(pinnedSessionEntry?.modelOverride).toBe("gpt-4.1-nano");
     expect(pinnedSessionEntry?.modelOverrideSource).toBe("auto");
@@ -271,17 +271,17 @@ describe("generateVoiceResponse", () => {
     );
     expect(patchSessionEntryCall[0]).toMatchObject({
       storePath: "/tmp/openclaw/main/sessions.json",
-      sessionKey: "agent:main:voice:15550001111",
+      sessionKey: "voice:15550001111",
       replaceEntry: true,
     });
     expect((patchSessionEntryCall[0] as { update?: unknown }).update).toBeTypeOf("function");
     const args = requireEmbeddedAgentArgs(runEmbeddedAgent);
     expect(args.provider).toBe("openai");
     expect(args.model).toBe("gpt-4.1-nano");
-    expect(args.sessionKey).toBe("agent:main:voice:15550001111");
+    expect(args.sessionKey).toBe("voice:15550001111");
   });
 
-  it("canonicalizes a restored legacy per-call key for classic responses", async () => {
+  it("uses the persisted per-call session key for classic responses", async () => {
     const { runtime, runEmbeddedAgent, sessionStore } = createAgentRuntime([
       { text: '{"spoken":"Fresh call context."}' },
     ]);
@@ -302,102 +302,15 @@ describe("generateVoiceResponse", () => {
     });
 
     expect(result.text).toBe("Fresh call context.");
-    const perCallSessionEntry = sessionStore["agent:main:voice:call:call-123"];
+    const perCallSessionEntry = sessionStore["voice:call:call-123"];
     expect(perCallSessionEntry?.sessionId).toBeTypeOf("string");
     expect(perCallSessionEntry?.sessionId).not.toBe("");
     expect(sessionStore["voice:15550001111"]).toBeUndefined();
     const args = requireEmbeddedAgentArgs(runEmbeddedAgent);
-    expect(args.sessionKey).toBe("agent:main:voice:call:call-123");
+    expect(args.sessionKey).toBe("voice:call:call-123");
     expect(args.sandboxSessionKey).toBe("agent:main:voice:call:call-123");
   });
 
-  it("preserves an explicit call key while scoping its session-store identity", async () => {
-    const { runtime, runEmbeddedAgent, sessionStore } = createAgentRuntime([
-      { text: '{"spoken":"Shared meeting context."}' },
-    ]);
-    const voiceConfig = VoiceCallConfigSchema.parse({
-      agentId: "voice",
-      responseTimeoutMs: 5000,
-    });
-
-    await generateVoiceResponse({
-      voiceConfig,
-      coreConfig: {} as CoreConfig,
-      agentRuntime: runtime,
-      callId: "call-123",
-      sessionKey: "meet-room-1",
-      from: "+15550001111",
-      transcript: [],
-      userMessage: "hello there",
-    });
-
-    expect(sessionStore["agent:voice:meet-room-1"]?.sessionId).toBeTypeOf("string");
-    expect(sessionStore["meet-room-1"]).toBeUndefined();
-    expect(requireEmbeddedAgentArgs(runEmbeddedAgent).sessionKey).toBe("agent:voice:meet-room-1");
-  });
-
-  it("keeps wrapped foreign Matrix identities stable across restore", async () => {
-    const { runtime, runEmbeddedAgent, sessionStore } = createAgentRuntime([
-      { text: '{"spoken":"Matrix context."}' },
-    ]);
-    const voiceConfig = VoiceCallConfigSchema.parse({
-      agentId: "voice",
-      responseTimeoutMs: 5000,
-    });
-    const canonical = "agent:voice:agent:other:matrix:channel:!RoomAbC:example.org";
-    const generate = (sessionKey: string) =>
-      generateVoiceResponse({
-        voiceConfig,
-        coreConfig: {} as CoreConfig,
-        agentRuntime: runtime,
-        callId: "call-123",
-        sessionKey,
-        from: "+15550001111",
-        transcript: [],
-        userMessage: "hello there",
-      });
-
-    await generate("agent:other:matrix:channel:!RoomAbC:example.org");
-    await generate(canonical);
-    await generate("agent:other:matrix:channel:!Roomabc:example.org");
-
-    expect(sessionStore[canonical]?.sessionId).toBeTypeOf("string");
-    expect(
-      sessionStore["agent:voice:agent:other:matrix:channel:!Roomabc:example.org"]?.sessionId,
-    ).toBeTypeOf("string");
-    expect(Object.keys(sessionStore)).toHaveLength(2);
-    const sessionKeys = runEmbeddedAgent.mock.calls.map(([args]) => args.sessionKey);
-    expect(sessionKeys).toEqual([
-      canonical,
-      canonical,
-      "agent:voice:agent:other:matrix:channel:!Roomabc:example.org",
-    ]);
-  });
-
-  it("uses the configured core main key for restored call aliases", async () => {
-    const { runtime, runEmbeddedAgent, sessionStore } = createAgentRuntime([
-      { text: '{"spoken":"Main context."}' },
-    ]);
-    const voiceConfig = VoiceCallConfigSchema.parse({
-      agentId: "voice",
-      responseTimeoutMs: 5000,
-    });
-
-    await generateVoiceResponse({
-      voiceConfig,
-      coreConfig: { session: { mainKey: "work" } },
-      agentRuntime: runtime,
-      callId: "call-123",
-      sessionKey: "agent:voice:main",
-      from: "+15550001111",
-      transcript: [],
-      userMessage: "hello there",
-    });
-
-    expect(sessionStore["agent:voice:work"]?.sessionId).toBeTypeOf("string");
-    expect(requireEmbeddedAgentArgs(runEmbeddedAgent).sessionKey).toBe("agent:voice:work");
-  });
-
   it("uses the main agent workspace when voice config omits agentId", async () => {
     const {
       runtime,
@@ -424,18 +337,17 @@ describe("generateVoiceResponse", () => {
     expect(resolveAgentDir).toHaveBeenCalledWith(coreConfig, "main");
     expect(resolveAgentWorkspaceDir).toHaveBeenCalledWith(coreConfig, "main");
     expect(resolveAgentIdentity).toHaveBeenCalledWith(coreConfig, "main");
-    const defaultSessionEntry = sessionStore["agent:main:voice:15550001111"];
+    const defaultSessionEntry = sessionStore["voice:15550001111"];
     if (!defaultSessionEntry) {
       throw new Error("Expected default voice session entry");
     }
     const args = requireEmbeddedAgentArgs(runEmbeddedAgent);
     expect(args.agentDir).toBe("/tmp/openclaw/agents/main");
     expect(args.agentId).toBe("main");
-    expect(args.sessionKey).toBe("agent:main:voice:15550001111");
     expect(args.sessionTarget).toStrictEqual({
       agentId: "main",
       sessionId: defaultSessionEntry.sessionId,
-      sessionKey: "agent:main:voice:15550001111",
+      sessionKey: "voice:15550001111",
       storePath: "/tmp/openclaw/main/sessions.json",
     });
     expect(args.sandboxSessionKey).toBe("agent:main:voice:15550001111");
@@ -473,18 +385,17 @@ describe("generateVoiceResponse", () => {
     expect(resolveAgentDir).toHaveBeenCalledWith(coreConfig, "voice");
     expect(resolveAgentWorkspaceDir).toHaveBeenCalledWith(coreConfig, "voice");
     expect(resolveAgentIdentity).toHaveBeenCalledWith(coreConfig, "voice");
-    const voiceSessionEntry = sessionStore["agent:voice:voice:15550001111"];
+    const voiceSessionEntry = sessionStore["voice:15550001111"];
     if (!voiceSessionEntry) {
       throw new Error("Expected routed voice session entry");
     }
     const args = requireEmbeddedAgentArgs(runEmbeddedAgent);
     expect(args.agentDir).toBe("/tmp/openclaw/agents/voice");
     expect(args.agentId).toBe("voice");
-    expect(args.sessionKey).toBe("agent:voice:voice:15550001111");
     expect(args.sessionTarget).toStrictEqual({
       agentId: "voice",
       sessionId: voiceSessionEntry.sessionId,
-      sessionKey: "agent:voice:voice:15550001111",
+      sessionKey: "voice:15550001111",
       storePath: "/tmp/openclaw/voice/sessions.json",
     });
     expect(args.sandboxSessionKey).toBe("agent:voice:voice:15550001111");

extensions/voice-call/src/response-generator.ts

@@ -234,7 +234,6 @@ export async function generateVoiceResponse(
     callId,
     phone: from,
     explicitSessionKey: sessionKey,
-    coreSession: coreConfig.session,
   });
   const agentId = voiceConfig.agentId ?? "main";
   const toolsAllow = resolveVoiceAgentToolsAllow(cfg, agentId);

extensions/voice-call/src/runtime.test.ts

@@ -29,42 +29,22 @@ const mocks = vi.hoisted(() => ({
 
 vi.mock("./config.js", () => ({
   resolveVoiceCallSessionKey: (params: {
-    config: Pick<VoiceCallConfig, "agentId" | "sessionScope">;
+    config: Pick<VoiceCallConfig, "sessionScope">;
     callId: string;
     phone?: string;
     explicitSessionKey?: string;
   }) => {
     const explicit = params.explicitSessionKey?.trim();
     if (explicit) {
-      const lower = explicit.toLowerCase();
-      return lower === "global" || lower === "unknown" || lower.startsWith("agent:")
-        ? explicit
-        : `agent:${params.config.agentId?.trim().toLowerCase() || "main"}:${explicit}`;
+      return explicit;
     }
-    const agentId = params.config.agentId?.trim().toLowerCase() || "main";
-    const prefix = `agent:${agentId}:voice`;
     if (params.config.sessionScope === "per-call") {
-      return `${prefix}:call:${params.callId}`.toLowerCase();
+      return `voice:call:${params.callId}`;
     }
     const normalizedPhone = params.phone?.replace(/\D/g, "");
-    return (
-      normalizedPhone ? `${prefix}:${normalizedPhone}` : `${prefix}:${params.callId}`
-    ).toLowerCase();
-  },
-  resolveVoiceCallNumberRouteKeyForCall: (call: {
-    direction?: "inbound" | "outbound";
-    to?: string;
-    metadata?: { numberRouteKey?: unknown };
-  }) =>
-    call.direction === "inbound"
-      ? typeof call.metadata?.numberRouteKey === "string"
-        ? call.metadata.numberRouteKey
-        : call.to
-      : undefined,
-  resolveVoiceCallEffectiveConfig: (config: VoiceCallConfig, numberRouteKey?: string) => {
-    const route = numberRouteKey ? config.numbers[numberRouteKey] : undefined;
-    return route ? { config: { ...config, ...route }, numberRouteKey } : { config };
+    return normalizedPhone ? `voice:${normalizedPhone}` : `voice:${params.callId}`;
   },
+  resolveVoiceCallEffectiveConfig: (config: VoiceCallConfig) => ({ config }),
   resolveVoiceCallConfig: mocks.resolveVoiceCallConfig,
   resolveTwilioAuthToken: mocks.resolveTwilioAuthToken,
   validateProviderConfig: mocks.validateProviderConfig,
@@ -398,13 +378,9 @@ describe("createVoiceCallRuntime lifecycle", () => {
     await runtime.stop();
   });
 
-  it("wires realtime consults and keeps outbound calls off inbound number routes", async () => {
+  it("wires the shared realtime agent consult tool and handler", async () => {
     const config = createBaseConfig();
     config.inboundPolicy = "allowlist";
-    config.numbers["+15550009999"] = {
-      agentId: "inbound-route",
-      responseModel: "openai/gpt-5.5",
-    };
     config.realtime.enabled = true;
     config.realtime.tools = [
       {
@@ -470,7 +446,7 @@ describe("createVoiceCallRuntime lifecycle", () => {
       firstCallParam(runEmbeddedAgent.mock.calls as unknown[][], "embedded OpenClaw consult"),
       "embedded OpenClaw consult params",
     );
-    expect(consultParams.sessionKey).toBe("agent:main:voice:15550009999");
+    expect(consultParams.sessionKey).toBe("voice:15550009999");
     expect(consultParams.spawnedBy).toBe("agent:main:discord:channel:general");
     expect(consultParams.messageProvider).toBe("voice");
     expect(consultParams.lane).toBe("voice");
@@ -489,7 +465,7 @@ describe("createVoiceCallRuntime lifecycle", () => {
     expect(consultParams.prompt).toContain("Caller: Also check the ETA.");
   });
 
-  it("canonicalizes restored legacy per-call keys for realtime consults", async () => {
+  it("uses persisted per-call session keys for realtime consults", async () => {
     const config = createBaseConfig();
     config.inboundPolicy = "allowlist";
     config.realtime.enabled = true;
@@ -537,7 +513,7 @@ describe("createVoiceCallRuntime lifecycle", () => {
       ),
       "per-call embedded OpenClaw consult params",
     );
-    expect(consultParams.sessionKey).toBe("agent:main:voice:call:call-1");
+    expect(consultParams.sessionKey).toBe("voice:call:call-1");
   });
 
   it("answers realtime consults from fast memory context before starting the full agent", async () => {
@@ -606,7 +582,7 @@ describe("createVoiceCallRuntime lifecycle", () => {
         error: console.error,
         debug: console.debug,
       },
-      sessionKey: "agent:main:voice:15550001234",
+      sessionKey: "voice:15550001234",
     });
     expect(runEmbeddedAgent).not.toHaveBeenCalled();
   });

extensions/voice-call/src/runtime.ts

@@ -13,7 +13,6 @@ import {
 import type { VoiceCallConfig } from "./config.js";
 import {
   resolveVoiceCallEffectiveConfig,
-  resolveVoiceCallNumberRouteKeyForCall,
   resolveVoiceCallSessionKey,
   resolveTwilioAuthToken,
   resolveVoiceCallConfig,
@@ -112,19 +111,20 @@ function loadRealtimeHandler(): Promise<RealtimeHandlerModule> {
 
 function resolveVoiceCallConsultSessionKey(call: {
   config: VoiceCallConfig;
-  coreSession?: OpenClawConfig["session"];
   sessionKey?: string;
   from?: string;
   to?: string;
   direction?: "inbound" | "outbound";
   callId: string;
 }): string {
+  if (call.sessionKey) {
+    return call.sessionKey;
+  }
+  const phone = call.direction === "outbound" ? call.to : call.from;
   return resolveVoiceCallSessionKey({
     config: call.config,
     callId: call.callId,
-    phone: call.direction === "outbound" ? call.to : call.from,
-    explicitSessionKey: call.sessionKey,
-    coreSession: call.coreSession,
+    phone,
   });
 }
 
@@ -309,7 +309,7 @@ export async function createVoiceCallRuntime(params: {
   if (stateRuntime) {
     setVoiceCallStateRuntime({ state: stateRuntime });
   }
-  const manager = new CallManager(config, undefined, cfg.session);
+  const manager = new CallManager(config);
   const realtimeProvider = config.realtime.enabled
     ? await resolveRealtimeProvider({
         config,
@@ -358,13 +358,15 @@ export async function createVoiceCallRuntime(params: {
           if (!call) {
             return { error: `Call "${callId}" not found` };
           }
-          const numberRouteKey = resolveVoiceCallNumberRouteKeyForCall(call);
+          const numberRouteKey =
+            typeof call.metadata?.numberRouteKey === "string"
+              ? call.metadata.numberRouteKey
+              : call.to;
           const effectiveConfig = resolveVoiceCallEffectiveConfig(config, numberRouteKey).config;
           const agentId = effectiveConfig.agentId ?? "main";
           const sessionKey = resolveVoiceCallConsultSessionKey({
             ...call,
             config: effectiveConfig,
-            coreSession: cfg.session,
           });
           const requesterSessionKey =
             typeof call.metadata?.requesterSessionKey === "string"

extensions/voice-call/src/webhook.test.ts

@@ -31,7 +31,6 @@ const mocks = vi.hoisted(() => {
   };
 
   return {
-    generateVoiceResponse: vi.fn(async () => ({ text: null })),
     getRealtimeTranscriptionProvider: vi.fn<(...args: unknown[]) => unknown>(
       () => realtimeTranscriptionProvider,
     ),
@@ -44,10 +43,6 @@ vi.mock("./realtime-transcription.runtime.js", () => ({
   listRealtimeTranscriptionProviders: mocks.listRealtimeTranscriptionProviders,
 }));
 
-vi.mock("./response-generator.js", () => ({
-  generateVoiceResponse: mocks.generateVoiceResponse,
-}));
-
 const provider: VoiceCallProvider = {
   name: "mock",
   verifyWebhook: () => ({ ok: true, verifiedRequestKey: "mock:req:base" }),
@@ -1651,46 +1646,6 @@ describe("VoiceCallWebhookServer pre-auth webhook guards", () => {
   });
 });
 
-describe("VoiceCallWebhookServer classic response routing", () => {
-  it("keeps outbound calls on the top-level agent when the dialed number has an inbound route", async () => {
-    const call = createCall(Date.now());
-    call.direction = "outbound";
-    call.to = "+15550001111";
-    call.sessionKey = "agent:top:voice:15550001111";
-    const manager = {
-      getCall: (callId: string) => (callId === call.callId ? call : undefined),
-      speak: vi.fn(async () => ({ success: true })),
-    } as unknown as CallManager;
-    const config = createConfig({
-      agentId: "top",
-      numbers: {
-        "+15550001111": { agentId: "inbound-route" },
-      },
-    });
-    const server = new VoiceCallWebhookServer(
-      config,
-      manager,
-      provider,
-      {} as never,
-      undefined,
-      {} as never,
-    );
-    mocks.generateVoiceResponse.mockReset().mockResolvedValue({ text: null });
-
-    await (
-      server as unknown as {
-        handleInboundResponse: (callId: string, message: string) => Promise<void>;
-      }
-    ).handleInboundResponse(call.callId, "hello");
-
-    const params = requireFirstMockCall(
-      mocks.generateVoiceResponse.mock.calls,
-      "classic voice response",
-    )[0] as { voiceConfig?: VoiceCallConfig } | undefined;
-    expect(params?.voiceConfig?.agentId).toBe("top");
-  });
-});
-
 describe("VoiceCallWebhookServer response normalization", () => {
   it("preserves explicit empty provider response bodies", async () => {
     const responseProvider: VoiceCallProvider = {

extensions/voice-call/src/webhook.ts

@@ -25,7 +25,6 @@ import { isAllowlistedCaller, normalizePhoneNumber } from "./allowlist.js";
 import {
   normalizeVoiceCallConfig,
   resolveVoiceCallEffectiveConfig,
-  resolveVoiceCallNumberRouteKeyForCall,
   type VoiceCallConfig,
 } from "./config.js";
 import type { CoreAgentDeps, CoreConfig } from "./core-bridge.js";
@@ -1032,7 +1031,8 @@ export class VoiceCallWebhookServer {
 
     try {
       const { generateVoiceResponse } = await loadResponseGeneratorModule();
-      const numberRouteKey = resolveVoiceCallNumberRouteKeyForCall(call);
+      const numberRouteKey =
+        typeof call.metadata?.numberRouteKey === "string" ? call.metadata.numberRouteKey : call.to;
       const effectiveConfig = resolveVoiceCallEffectiveConfig(this.config, numberRouteKey).config;
 
       const result = await generateVoiceResponse({

package.json

@@ -1695,7 +1695,6 @@
     "plugin-sdk:surface:check": "node --max-old-space-size=8192 scripts/plugin-sdk-surface-report.mjs --check",
     "plugin-sdk:sync-exports": "node scripts/sync-plugin-sdk-exports.mjs",
     "plugin-sdk:usage": "node --max-old-space-size=8192 --import tsx scripts/analyze-plugin-sdk-usage.ts",
-    "policy:config-coverage": "node --import tsx scripts/check-policy-config-coverage.ts",
     "plugins:boundary-report": "node --import tsx scripts/plugin-boundary-report.ts",
     "plugins:boundary-report:ci": "node --import tsx scripts/plugin-boundary-report.ts --summary --fail-on-cross-owner --fail-on-unclassified-unused-reserved --fail-on-eligible-compat",
     "plugins:boundary-report:json": "node --import tsx scripts/plugin-boundary-report.ts --json",
@@ -1778,7 +1777,6 @@
     "test:docker:crestodian-first-run": "bash scripts/e2e/crestodian-first-run-docker.sh",
     "test:docker:crestodian-planner": "bash scripts/e2e/crestodian-planner-docker.sh",
     "test:docker:crestodian-rescue": "bash scripts/e2e/crestodian-rescue-docker.sh",
-    "test:docker:cron-cli": "bash scripts/e2e/cron-cli-docker.sh",
     "test:docker:cron-mcp-cleanup": "bash scripts/e2e/cron-mcp-cleanup-docker.sh",
     "test:docker:codex-media-path": "bash scripts/e2e/codex-media-path-docker.sh",
     "test:docker:doctor-switch": "bash scripts/e2e/doctor-install-switch-docker.sh",
@@ -1953,6 +1951,9 @@
     "ui:i18n:check": "node --import tsx scripts/control-ui-i18n.ts check",
     "ui:i18n:report": "node --import tsx scripts/control-ui-i18n-report.ts",
     "ui:i18n:sync": "node --import tsx scripts/control-ui-i18n.ts sync --write",
+    "native:i18n:check": "node --import tsx scripts/native-app-i18n.ts check",
+    "native:i18n:sync": "node --import tsx scripts/native-app-i18n.ts sync --write",
+    "android:i18n:check": "node --import tsx scripts/android-app-i18n.ts check",
     "ui:install": "node scripts/ui.js install",
     "verify": "node scripts/verify.mjs"
   },

packages/agent-core/src/agent-loop.test.ts

@@ -164,126 +164,6 @@ describe("agentLoop streaming updates", () => {
       expect(update.assistantMessageEvent).not.toHaveProperty("partial");
     }
   });
-
-  it("does not execute tool calls from a max-token-truncated assistant turn", async () => {
-    const execute = vi.fn(
-      async (): Promise<AgentToolResult<unknown>> => ({
-        content: [{ type: "text", text: "should not run" }],
-        details: {},
-      }),
-    );
-    const contexts: Context[] = [];
-    let streamCalls = 0;
-    const streamFn: StreamFn = async (_model, context) => {
-      contexts.push(context);
-      streamCalls += 1;
-      const stream = createAssistantMessageEventStream();
-      if (streamCalls > 1) {
-        const message: AssistantMessage = {
-          role: "assistant",
-          content: [{ type: "text", text: "continued" }],
-          api: model.api,
-          provider: model.provider,
-          model: model.id,
-          usage: TEST_USAGE,
-          stopReason: "stop",
-          timestamp: 2,
-        };
-        queueMicrotask(() => {
-          stream.push({ type: "done", reason: "stop", message });
-        });
-        return stream;
-      }
-      const toolCall = {
-        type: "toolCall" as const,
-        id: "call-truncated-spawn",
-        name: "sessions_spawn",
-        arguments: {},
-      };
-      const message: AssistantMessage = {
-        role: "assistant",
-        content: [{ type: "text", text: "spawning" }, toolCall],
-        api: model.api,
-        provider: model.provider,
-        model: model.id,
-        usage: TEST_USAGE,
-        stopReason: "length",
-        timestamp: 1,
-      };
-
-      queueMicrotask(() => {
-        stream.push({ type: "start", partial: { ...message, content: [] } });
-        stream.push({ type: "toolcall_start", contentIndex: 1, partial: message });
-        stream.push({
-          type: "toolcall_end",
-          contentIndex: 1,
-          toolCall,
-          partial: message,
-        });
-        stream.push({ type: "done", reason: "length", message });
-      });
-
-      return stream;
-    };
-
-    const stream = agentLoop(
-      [{ role: "user", content: "spawn specialists", timestamp: 1 }],
-      {
-        systemPrompt: "",
-        messages: [],
-        tools: [
-          {
-            name: "sessions_spawn",
-            label: "sessions_spawn",
-            description: "Spawn a child session",
-            parameters: Type.Object({}, { additionalProperties: false }),
-            execute,
-          },
-        ],
-      },
-      {
-        ...config,
-        getFollowUpMessages: async () =>
-          streamCalls === 1 ? [{ role: "user", content: "continue", timestamp: 2 }] : [],
-      },
-      undefined,
-      streamFn,
-    );
-
-    const events = await collectEvents(stream);
-    const messages = await stream.result();
-    const truncatedMessageEnd = events.find(
-      (event): event is Extract<AgentEvent, { type: "message_end" }> =>
-        event.type === "message_end" &&
-        event.message.role === "assistant" &&
-        event.message.stopReason === "length",
-    );
-    const replayedTruncatedMessage = contexts[1]?.messages[1];
-
-    if (!truncatedMessageEnd || !replayedTruncatedMessage) {
-      throw new Error("expected the truncated assistant message to be emitted and replayed");
-    }
-
-    expect(execute).not.toHaveBeenCalled();
-    expect(events.some((event) => event.type === "tool_execution_start")).toBe(false);
-    expect(messages.map((message) => message.role)).toEqual([
-      "user",
-      "assistant",
-      "user",
-      "assistant",
-    ]);
-    expect(messages[1]).toMatchObject({ role: "assistant", stopReason: "length" });
-    expect(messages[1]).not.toMatchObject({
-      content: expect.arrayContaining([expect.objectContaining({ type: "toolCall" })]),
-    });
-    expect(truncatedMessageEnd.message).not.toMatchObject({
-      content: expect.arrayContaining([expect.objectContaining({ type: "toolCall" })]),
-    });
-    expect(replayedTruncatedMessage).toMatchObject({ role: "assistant", stopReason: "length" });
-    expect(replayedTruncatedMessage).not.toMatchObject({
-      content: expect.arrayContaining([expect.objectContaining({ type: "toolCall" })]),
-    });
-  });
 });
 
 describe("runAgentLoop deferred tool hydration", () => {
@@ -1056,7 +936,7 @@ describe("agentLoop thinking state", () => {
         totalTokens: 0,
         cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, total: 0 },
       },
-      stopReason: content.some((item) => item.type === "toolCall") ? "toolUse" : "stop",
+      stopReason: "stop",
       timestamp: 1,
     };
   }
@@ -1088,7 +968,7 @@ describe("agentLoop thinking state", () => {
             : [{ type: "text", text: "done" }];
         stream.push({
           type: "done",
-          reason: content.some((item) => item.type === "toolCall") ? "toolUse" : "stop",
+          reason: "stop",
           message: makeAssistantMessage(activeModel, content),
         });
         stream.end();

packages/agent-core/src/agent-loop.ts

@@ -80,14 +80,6 @@ function resolveAssistantMessageUpdate(
   return currentMessage;
 }
 
-function removeNonExecutableToolCalls(message: AssistantMessage): AssistantMessage {
-  if (message.stopReason === "toolUse") {
-    return message;
-  }
-  const content = message.content.filter((item) => item.type !== "toolCall");
-  return content.length === message.content.length ? message : { ...message, content };
-}
-
 /**
  * Start an agent loop with a new prompt message.
  * The prompt is added to the context and events are emitted for it.
@@ -350,12 +342,12 @@ async function runLoop(
         return;
       }
 
-      // Only completed toolUse turns dispatch; length/stop can carry partial stream blocks.
+      // Check for tool calls
       const toolCalls = message.content.filter((c) => c.type === "toolCall");
 
       const toolResults: ToolResultMessage[] = [];
       hasMoreToolCalls = false;
-      if (message.stopReason === "toolUse" && toolCalls.length > 0) {
+      if (toolCalls.length > 0) {
         const executedToolBatch = await executeToolCalls(
           currentContext,
           message,
@@ -516,7 +508,7 @@ async function streamAssistantResponse(
 
       case "done":
       case "error": {
-        const finalMessage = removeNonExecutableToolCalls(await response.result());
+        const finalMessage = await response.result();
         if (addedPartial) {
           context.messages[context.messages.length - 1] = finalMessage;
         } else {
@@ -531,7 +523,7 @@ async function streamAssistantResponse(
     }
   }
 
-  const finalMessage = removeNonExecutableToolCalls(await response.result());
+  const finalMessage = await response.result();
   if (addedPartial) {
     context.messages[context.messages.length - 1] = finalMessage;
   } else {

packages/gateway-client/src/client.ts

@@ -328,7 +328,6 @@ type SelectedConnectAuth = {
   authDeviceToken?: string;
   authPassword?: string;
   authApprovalRuntimeToken?: string;
-  authAgentRuntimeIdentityToken?: string;
   signatureToken?: string;
   resolvedDeviceToken?: string;
   storedToken?: string;
@@ -344,7 +343,6 @@ type StoredDeviceAuth = {
 type AssembledConnect = {
   params: ConnectParams;
   authApprovalRuntimeToken: string | undefined;
-  authAgentRuntimeIdentityToken: string | undefined;
   resolvedDeviceToken: string | undefined;
   storedToken: string | undefined;
   usingStoredDeviceToken: boolean | undefined;
@@ -432,7 +430,6 @@ export type GatewayClientOptions = {
   deviceToken?: string;
   password?: string;
   approvalRuntimeToken?: string;
-  agentRuntimeIdentityToken?: string;
   instanceId?: string;
   clientName?: GatewayClientName;
   clientDisplayName?: string;
@@ -972,24 +969,6 @@ export class GatewayClient {
           this.ws?.close(1013, "gateway starting");
           return;
         }
-        if (
-          this.shouldFailClosedForUnsupportedAgentRuntimeIdentity({
-            error: err,
-            authAgentRuntimeIdentityToken: assembled.authAgentRuntimeIdentityToken,
-          })
-        ) {
-          const unsupportedIdentityError = new Error(
-            "gateway rejected required agent runtime identity auth field; refusing to retry without it",
-          );
-          this.notifyConnectError(unsupportedIdentityError);
-          this.logError(`gateway connect failed: ${unsupportedIdentityError.message}`);
-          // This identity scopes model-mediated cron calls. Retrying without it
-          // would turn an old/new mismatch into an unscoped operator call.
-          this.closed = true;
-          this.clearReconnectTimer();
-          this.ws?.close(1008, "connect failed");
-          return;
-        }
         if (
           this.shouldRetryWithoutApprovalRuntimeToken({
             error: err,
@@ -1025,7 +1004,6 @@ export class GatewayClient {
       authDeviceToken,
       authPassword,
       authApprovalRuntimeToken,
-      authAgentRuntimeIdentityToken,
       signatureToken,
       resolvedDeviceToken,
       storedToken,
@@ -1042,15 +1020,13 @@ export class GatewayClient {
       authBootstrapToken ||
       authPassword ||
       resolvedDeviceToken ||
-      authApprovalRuntimeToken ||
-      authAgentRuntimeIdentityToken
+      authApprovalRuntimeToken
         ? {
             token: authToken,
             bootstrapToken: authBootstrapToken,
             deviceToken: authDeviceToken ?? resolvedDeviceToken,
             password: authPassword,
             approvalRuntimeToken: authApprovalRuntimeToken,
-            agentRuntimeIdentityToken: authAgentRuntimeIdentityToken,
           }
         : undefined;
     const signedAtMs = Date.now();
@@ -1093,7 +1069,6 @@ export class GatewayClient {
         }),
       },
       authApprovalRuntimeToken,
-      authAgentRuntimeIdentityToken,
       resolvedDeviceToken,
       storedToken,
       usingStoredDeviceToken,
@@ -1319,25 +1294,6 @@ export class GatewayClient {
     return message.includes("invalid connect params") && message.includes("approvalruntimetoken");
   }
 
-  private shouldFailClosedForUnsupportedAgentRuntimeIdentity(params: {
-    error: unknown;
-    authAgentRuntimeIdentityToken?: string;
-  }): boolean {
-    if (!params.authAgentRuntimeIdentityToken) {
-      return false;
-    }
-    if (!(params.error instanceof GatewayClientRequestError)) {
-      return false;
-    }
-    if (params.error.gatewayCode !== "INVALID_REQUEST") {
-      return false;
-    }
-    const message = normalizeLowercaseStringOrEmpty(params.error.message);
-    return (
-      message.includes("invalid connect params") && message.includes("agentruntimeidentitytoken")
-    );
-  }
-
   private isTrustedDeviceRetryEndpoint(): boolean {
     const rawUrl = this.opts.url ?? "ws://127.0.0.1:18789";
     try {
@@ -1365,9 +1321,6 @@ export class GatewayClient {
     const authApprovalRuntimeToken = this.approvalRuntimeTokenCompatibilityDisabled
       ? undefined
       : normalizeOptionalString(this.opts.approvalRuntimeToken);
-    const authAgentRuntimeIdentityToken = normalizeOptionalString(
-      this.opts.agentRuntimeIdentityToken,
-    );
     const storedAuth = this.loadStoredDeviceAuth(role);
     const storedToken = storedAuth?.token ?? null;
     const storedScopes = storedAuth?.scopes;
@@ -1401,7 +1354,6 @@ export class GatewayClient {
       authDeviceToken: shouldUseDeviceRetryToken ? (storedToken ?? undefined) : undefined,
       authPassword,
       authApprovalRuntimeToken,
-      authAgentRuntimeIdentityToken,
       signatureToken: authToken ?? authBootstrapToken ?? undefined,
       resolvedDeviceToken,
       storedToken: storedToken ?? undefined,

packages/gateway-protocol/src/cron-validators.test.ts

@@ -26,36 +26,11 @@ const minimalAddParams = {
   payload: { kind: "systemEvent", text: "tick" },
 } as const;
 
-const agentToolCallerScope = {
-  kind: "agentTool",
-  agentId: "ops",
-} as const;
-
 describe("cron protocol validators", () => {
   it("accepts minimal add params", () => {
     expect(validateCronAddParams(minimalAddParams)).toBe(true);
   });
 
-  it("rejects public caller scope on cron admin params", () => {
-    expect(validateCronListParams({ callerScope: agentToolCallerScope })).toBe(false);
-    expect(validateCronGetParams({ id: "job-1", callerScope: agentToolCallerScope })).toBe(false);
-    expect(validateCronAddParams({ ...minimalAddParams, callerScope: agentToolCallerScope })).toBe(
-      false,
-    );
-    expect(
-      validateCronUpdateParams({
-        id: "job-1",
-        patch: { enabled: false },
-        callerScope: agentToolCallerScope,
-      }),
-    ).toBe(false);
-    expect(validateCronRemoveParams({ jobId: "job-1", callerScope: agentToolCallerScope })).toBe(
-      false,
-    );
-    expect(validateCronRunParams({ id: "job-1", callerScope: agentToolCallerScope })).toBe(false);
-    expect(validateCronRunsParams({ id: "job-1", callerScope: agentToolCallerScope })).toBe(false);
-  });
-
   it("accepts current and custom session targets", () => {
     expect(
       validateCronAddParams({

packages/gateway-protocol/src/schema/frames.ts

@@ -70,7 +70,6 @@ export const ConnectParamsSchema = Type.Object(
           deviceToken: Type.Optional(Type.String()),
           password: Type.Optional(Type.String()),
           approvalRuntimeToken: Type.Optional(Type.String()),
-          agentRuntimeIdentityToken: Type.Optional(Type.String()),
         },
         { additionalProperties: false },
       ),

scripts/android-app-i18n.ts

@@ -0,0 +1,52 @@
+import { readFile } from "node:fs/promises";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { NATIVE_I18N_LOCALES } from "./native-app-i18n.ts";
+
+const HERE = path.dirname(fileURLToPath(import.meta.url));
+const ROOT = path.resolve(HERE, "..");
+const RESOURCE_ROOT = path.join(ROOT, "apps", "android", "app", "src", "main", "res");
+const ANDROID_QUALIFIERS: Record<string, string> = {
+  "zh-CN": "zh-rCN",
+  "zh-TW": "zh-rTW",
+  "pt-BR": "pt-rBR",
+  "ja-JP": "ja",
+};
+const localeDirectory = (locale: string) => `values-${ANDROID_QUALIFIERS[locale] ?? locale}`;
+const LOCALES = ["values", ...NATIVE_I18N_LOCALES.map(localeDirectory)] as const;
+const KEY_RE = /<string\s+name="([A-Za-z0-9_]+)"[^>]*>/gu;
+
+async function readKeys(locale: string): Promise<Set<string>> {
+  const source = await readFile(path.join(RESOURCE_ROOT, locale, "strings.xml"), "utf8");
+  return new Set([...source.matchAll(KEY_RE)].map((match) => match[1]).filter(Boolean));
+}
+
+export async function checkAndroidAppI18n() {
+  const [base, ...translations] = await Promise.all(LOCALES.map(readKeys));
+  const problems = translations.flatMap((keys, index) => {
+    const locale = NATIVE_I18N_LOCALES[index];
+    return [
+      [`${locale} missing`, [...base].filter((key) => !keys.has(key))],
+      [`${locale} extra`, [...keys].filter((key) => !base.has(key))],
+    ] as const;
+  });
+  if (problems.some(([, keys]) => keys.length)) {
+    throw new Error(
+      [
+        "Android app i18n resources are out of sync.",
+        ...problems.map(([label, keys]) => `${label}=${keys.join(",") || "none"}`),
+      ].join("\n"),
+    );
+  }
+  process.stdout.write(
+    `android-app-i18n: keys=${base.size} locales=${NATIVE_I18N_LOCALES.join(",")}\n`,
+  );
+}
+
+if (process.argv[1] && import.meta.url === `file://${path.resolve(process.argv[1])}`) {
+  const [command] = process.argv.slice(2);
+  if (command !== "check") {
+    throw new Error("usage: node --import tsx scripts/android-app-i18n.ts check");
+  }
+  await checkAndroidAppI18n();
+}

scripts/check-policy-config-coverage.ts

@@ -1,232 +0,0 @@
-#!/usr/bin/env node
-import fs from "node:fs/promises";
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-import JSON5 from "json5";
-import {
-  renderConfigDocBaselineArtifacts,
-  type ConfigDocBaselineEntry,
-} from "../src/config/doc-baseline.js";
-
-type ClassificationStatus = "observed" | "ignored" | "out-of-scope" | "deferred";
-
-type CoverageClassification = {
-  readonly pattern: string;
-  readonly status: ClassificationStatus;
-  readonly area: string;
-  readonly policy?: string;
-  readonly reason: string;
-  readonly allowNoSchemaPath?: boolean;
-};
-
-type CoverageConfig = {
-  readonly monitored: readonly string[];
-  readonly classifications: readonly CoverageClassification[];
-};
-
-type ConfigDocBaseline = {
-  readonly coreEntries: readonly ConfigDocBaselineEntry[];
-  readonly channelEntries: readonly ConfigDocBaselineEntry[];
-  readonly pluginEntries: readonly ConfigDocBaselineEntry[];
-};
-
-function flattenConfigDocBaselineEntries(
-  baseline: ConfigDocBaseline,
-): readonly ConfigDocBaselineEntry[] {
-  return [...baseline.coreEntries, ...baseline.channelEntries, ...baseline.pluginEntries];
-}
-
-type ClassifiedEntry = {
-  readonly path: string;
-  readonly kind: ConfigDocBaselineEntry["kind"];
-  readonly classification?: CoverageClassification;
-};
-
-type UnmatchedMonitoredPattern = {
-  readonly pattern: string;
-};
-
-const args = new Set(process.argv.slice(2));
-const json = args.has("--json");
-const check = args.has("--check");
-const showCovered = args.has("--show-covered");
-
-if (args.has("--help")) {
-  console.log(`Usage: pnpm policy:config-coverage [--check] [--json] [--show-covered]
-
-Internal maintainer report for Policy config coverage.
-
-Default mode is report-only and exits 0 even when paths are unclassified.
-Use --check when a policy maintainer intentionally wants unclassified or stale
-coverage entries to fail locally.`);
-  process.exit(0);
-}
-
-const repoRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
-const configPath = path.join(repoRoot, "scripts/lib/policy-config-coverage.jsonc");
-
-const config = JSON5.parse(await fs.readFile(configPath, "utf8")) as CoverageConfig;
-const { baseline } = await renderConfigDocBaselineArtifacts();
-const monitoredEntries = flattenConfigDocBaselineEntries(baseline)
-  .filter((entry) => !entry.hasChildren)
-  .filter((entry) => matchesAny(config.monitored, entry.path))
-  .toSorted((left, right) => left.path.localeCompare(right.path));
-const leafEntries = flattenConfigDocBaselineEntries(baseline).filter((entry) => !entry.hasChildren);
-const unmatchedMonitored = config.monitored
-  .filter(
-    (pattern) =>
-      !leafEntries.some((entry) => pathMatchesPattern(pattern, entry.path)) &&
-      !config.classifications.some(
-        (item) => item.allowNoSchemaPath === true && pathMatchesPattern(item.pattern, pattern),
-      ),
-  )
-  .map((pattern) => ({ pattern }))
-  .toSorted((left, right) => left.pattern.localeCompare(right.pattern));
-
-const classified: ClassifiedEntry[] = monitoredEntries.map((entry) => ({
-  path: entry.path,
-  kind: entry.kind,
-  classification: config.classifications.find((item) =>
-    pathMatchesPattern(item.pattern, entry.path),
-  ),
-}));
-const unclassified = classified.filter((entry) => entry.classification === undefined);
-const stale = config.classifications.filter(
-  (item) =>
-    item.allowNoSchemaPath !== true &&
-    !monitoredEntries.some((entry) => pathMatchesPattern(item.pattern, entry.path)),
-);
-const summaryCounts = summarize(classified);
-
-if (json) {
-  console.log(
-    JSON.stringify(
-      {
-        ok: unclassified.length === 0 && stale.length === 0 && unmatchedMonitored.length === 0,
-        monitoredPaths: monitoredEntries.length,
-        counts: summaryCounts,
-        unclassified,
-        unmatchedMonitored,
-        stale,
-      },
-      null,
-      2,
-    ),
-  );
-} else {
-  printTextReport({
-    monitoredPaths: monitoredEntries.length,
-    counts: summaryCounts,
-    unclassified,
-    unmatchedMonitored,
-    stale,
-    classified,
-  });
-}
-
-if (check && (unclassified.length > 0 || stale.length > 0 || unmatchedMonitored.length > 0)) {
-  process.exit(1);
-}
-
-function printTextReport(input: {
-  readonly monitoredPaths: number;
-  readonly counts: Record<string, number>;
-  readonly unclassified: readonly ClassifiedEntry[];
-  readonly unmatchedMonitored: readonly UnmatchedMonitoredPattern[];
-  readonly stale: readonly CoverageClassification[];
-  readonly classified: readonly ClassifiedEntry[];
-}): void {
-  console.log(`Policy config coverage: ${input.monitoredPaths} monitored config leaf paths`);
-  for (const [key, count] of Object.entries(input.counts).toSorted(([a], [b]) =>
-    a.localeCompare(b),
-  )) {
-    console.log(`  ${key}: ${count}`);
-  }
-
-  if (input.unclassified.length > 0) {
-    console.log("\nUnclassified config paths:");
-    for (const entry of input.unclassified) {
-      console.log(`  - ${entry.path} (${entry.kind})`);
-    }
-    console.log(
-      "\nClassify each as observed, ignored, out-of-scope, or deferred in scripts/lib/policy-config-coverage.jsonc.",
-    );
-  } else {
-    console.log("\nNo unclassified monitored config paths.");
-  }
-
-  if (input.unmatchedMonitored.length > 0) {
-    console.log("\nMonitored patterns with no matching config paths:");
-    for (const entry of input.unmatchedMonitored) {
-      console.log(`  - ${entry.pattern}`);
-    }
-  } else {
-    console.log("\nNo monitored patterns without matching config paths.");
-  }
-
-  if (input.stale.length > 0) {
-    console.log("\nStale coverage classifications:");
-    for (const entry of input.stale) {
-      console.log(`  - ${entry.pattern} (${entry.area}, ${entry.status})`);
-    }
-  }
-
-  if (showCovered) {
-    console.log("\nCovered paths:");
-    for (const entry of input.classified) {
-      const classification = entry.classification;
-      console.log(
-        `  - ${entry.path}: ${classification?.area ?? "unclassified"} / ${
-          classification?.status ?? "unclassified"
-        }`,
-      );
-    }
-  }
-}
-
-function summarize(entries: readonly ClassifiedEntry[]): Record<string, number> {
-  const counts: Record<string, number> = {};
-  for (const entry of entries) {
-    const key =
-      entry.classification === undefined
-        ? "unclassified"
-        : `${entry.classification.area}.${entry.classification.status}`;
-    counts[key] = (counts[key] ?? 0) + 1;
-  }
-  return counts;
-}
-
-function matchesAny(patterns: readonly string[], value: string): boolean {
-  return patterns.some((pattern) => pathMatchesPattern(pattern, value));
-}
-
-function pathMatchesPattern(pattern: string, value: string): boolean {
-  const patternParts = pattern.split(".");
-  const valueParts = value.split(".");
-  return matchesParts(patternParts, valueParts);
-}
-
-function matchesParts(patternParts: readonly string[], valueParts: readonly string[]): boolean {
-  if (patternParts.length === 0) {
-    return valueParts.length === 0;
-  }
-  const [head, ...tail] = patternParts;
-  if (head === "**") {
-    if (tail.length === 0) {
-      return true;
-    }
-    for (let index = 0; index <= valueParts.length; index += 1) {
-      if (matchesParts(tail, valueParts.slice(index))) {
-        return true;
-      }
-    }
-    return false;
-  }
-  if (valueParts.length === 0) {
-    return false;
-  }
-  if (head !== "*" && head !== valueParts[0]) {
-    return false;
-  }
-  return matchesParts(tail, valueParts.slice(1));
-}

scripts/control-ui-i18n.ts

@@ -595,6 +595,8 @@ function buildSystemPrompt(targetLocale: string, glossary: readonly GlossaryEntr
     "- The JSON must be an object whose keys exactly match the provided ids.",
     "- Translate all English prose; keep code, URLs, product names, CLI commands, config keys, and env vars in English.",
     "- Preserve placeholders exactly, including {count}, {time}, {shown}, {total}, and similar tokens.",
+    "- Preserve Swift interpolation expressions such as \\(name) exactly, including the backslash and parentheses.",
+    "- Preserve Kotlin interpolation expressions such as $name and ${value} exactly.",
     "- Preserve punctuation, ellipses, arrows, and casing when they are part of literal UI text.",
     "- Preserve Markdown, inline code, HTML tags, and slash commands when present.",
     "- Use fluent, neutral product UI language.",

scripts/e2e/cron-cli-docker.sh

@@ -1,251 +0,0 @@
-#!/usr/bin/env bash
-# Starts a packaged Gateway in Docker and verifies public cron CLI CRUD/run flows.
-set -euo pipefail
-
-ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
-source "$ROOT_DIR/scripts/lib/docker-e2e-image.sh"
-
-IMAGE_NAME="$(docker_e2e_resolve_image "openclaw-cron-cli-e2e" OPENCLAW_IMAGE)"
-PORT="18789"
-TOKEN="cron-cli-e2e-$(date +%s)-$$"
-CONTAINER_NAME="openclaw-cron-cli-e2e-$$"
-CLIENT_LOG="$(mktemp -t openclaw-cron-cli-log.XXXXXX)"
-
-cleanup() {
-  docker_e2e_docker_cmd rm -f "$CONTAINER_NAME" >/dev/null 2>&1 || true
-  rm -f "$CLIENT_LOG"
-}
-trap cleanup EXIT
-
-docker_e2e_build_or_reuse "$IMAGE_NAME" cron-cli
-OPENCLAW_TEST_STATE_SCRIPT_B64="$(docker_e2e_test_state_shell_b64 cron-cli empty)"
-
-echo "Running in-container Gateway + cron CLI smoke..."
-set +e
-docker_e2e_run_with_harness \
-  --name "$CONTAINER_NAME" \
-  -e "OPENCLAW_GATEWAY_TOKEN=$TOKEN" \
-  -e "OPENCLAW_SKIP_CHANNELS=1" \
-  -e "OPENCLAW_SKIP_GMAIL_WATCHER=1" \
-  -e "OPENCLAW_SKIP_CANVAS_HOST=1" \
-  -e "OPENCLAW_SKIP_ACPX_RUNTIME=1" \
-  -e "OPENCLAW_SKIP_ACPX_RUNTIME_PROBE=1" \
-  -e "OPENCLAW_TEST_STATE_SCRIPT_B64=$OPENCLAW_TEST_STATE_SCRIPT_B64" \
-  -e "GW_TOKEN=$TOKEN" \
-  -e "OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1" \
-  -i \
-  "$IMAGE_NAME" \
-  bash -s >"$CLIENT_LOG" 2>&1 <<'INNER'
-set -euo pipefail
-
-source scripts/lib/openclaw-e2e-instance.sh
-openclaw_e2e_eval_test_state_from_b64 "${OPENCLAW_TEST_STATE_SCRIPT_B64:?missing OPENCLAW_TEST_STATE_SCRIPT_B64}"
-
-entry="$(openclaw_e2e_resolve_entrypoint)"
-gateway_pid=
-
-cleanup_inner() {
-  openclaw_e2e_stop_process "${gateway_pid:-}"
-}
-
-dump_logs_on_error() {
-  status=$?
-  if [ "$status" -ne 0 ]; then
-    openclaw_e2e_dump_logs \
-      /tmp/cron-cli-gateway.log \
-      /tmp/cron-cli-device-seed.json \
-      /tmp/cron-cli-status.json \
-      /tmp/cron-cli-add.json \
-      /tmp/cron-cli-list.json \
-      /tmp/cron-cli-show.json \
-      /tmp/cron-cli-disable.json \
-      /tmp/cron-cli-enable.json \
-      /tmp/cron-cli-run.json \
-      /tmp/cron-cli-runs.json \
-      /tmp/cron-cli-remove.json
-  fi
-  cleanup_inner
-  exit "$status"
-}
-
-trap cleanup_inner EXIT
-trap dump_logs_on_error ERR
-
-cron_cli() {
-  node "$entry" cron "$@" --token "${GW_TOKEN:?missing GW_TOKEN}"
-}
-
-seed_paired_cli_device() {
-  node --input-type=module <<'NODE'
-import { readdir, readFile } from "node:fs/promises";
-import { join } from "node:path";
-import { pathToFileURL } from "node:url";
-
-async function importDistChunk(prefix, marker) {
-  const distDir = join(process.cwd(), "dist");
-  const entries = await readdir(distDir);
-  for (const entry of entries) {
-    if (!entry.startsWith(prefix) || !entry.endsWith(".js")) {
-      continue;
-    }
-    const fullPath = join(distDir, entry);
-    if ((await readFile(fullPath, "utf8")).includes(marker)) {
-      return await import(pathToFileURL(fullPath).href);
-    }
-  }
-  throw new Error(`missing dist chunk ${prefix} containing ${marker}`);
-}
-
-const identityModule = await importDistChunk("device-identity-", "loadOrCreateDeviceIdentity");
-const pairingModule = await importDistChunk("device-pairing-", "requestDevicePairing");
-const loadOrCreateDeviceIdentity =
-  identityModule.loadOrCreateDeviceIdentity ?? identityModule.r;
-const publicKeyRawBase64UrlFromPem =
-  identityModule.publicKeyRawBase64UrlFromPem ?? identityModule.a;
-const approveDevicePairing = pairingModule.approveDevicePairing ?? pairingModule.n;
-const getPairedDevice = pairingModule.getPairedDevice ?? pairingModule.a;
-const requestDevicePairing = pairingModule.requestDevicePairing ?? pairingModule.m;
-
-if (
-  typeof loadOrCreateDeviceIdentity !== "function" ||
-  typeof publicKeyRawBase64UrlFromPem !== "function" ||
-  typeof approveDevicePairing !== "function" ||
-  typeof getPairedDevice !== "function" ||
-  typeof requestDevicePairing !== "function"
-) {
-  throw new Error("missing device pairing exports in dist chunks");
-}
-
-const identity = loadOrCreateDeviceIdentity();
-const publicKey = publicKeyRawBase64UrlFromPem(identity.publicKeyPem);
-const requiredScopes = ["operator.admin"];
-const paired = await getPairedDevice(identity.deviceId);
-const pairedScopes = Array.isArray(paired?.approvedScopes)
-  ? paired.approvedScopes
-  : Array.isArray(paired?.scopes)
-    ? paired.scopes
-    : [];
-
-if (paired?.publicKey !== publicKey || !requiredScopes.every((scope) => pairedScopes.includes(scope))) {
-  const pairing = await requestDevicePairing({
-    deviceId: identity.deviceId,
-    publicKey,
-    displayName: "cron cli docker smoke",
-    platform: process.platform,
-    clientId: "cli",
-    clientMode: "cli",
-    role: "operator",
-    scopes: requiredScopes,
-    silent: true,
-  });
-  const approved = await approveDevicePairing(pairing.request.requestId, {
-    callerScopes: requiredScopes,
-  });
-  if (approved?.status !== "approved") {
-    throw new Error(`failed to seed paired CLI device: ${approved?.status ?? "missing-result"}`);
-  }
-}
-
-process.stdout.write(JSON.stringify({ ok: true, deviceId: identity.deviceId }) + "\n");
-NODE
-}
-
-read_json_field() {
-  local file="$1"
-  local field="$2"
-  node --input-type=module -e '
-    const fs = await import("node:fs/promises");
-    const [file, field] = process.argv.slice(1);
-    const value = JSON.parse(await fs.readFile(file, "utf8"))[field];
-    if (typeof value !== "string" || value.length === 0) {
-      throw new Error(`missing string field ${field} in ${file}`);
-    }
-    process.stdout.write(value);
-  ' "$file" "$field"
-}
-
-seed_paired_cli_device > /tmp/cron-cli-device-seed.json
-gateway_pid="$(openclaw_e2e_start_gateway "$entry" 18789 /tmp/cron-cli-gateway.log)"
-openclaw_e2e_wait_gateway_ready "$gateway_pid" /tmp/cron-cli-gateway.log 300 18789
-
-cron_cli status --json > /tmp/cron-cli-status.json
-cron_add_args=(
-  "cli cron smoke"
-  --every 1m
-  --command "printf openclaw-cli-cron-ok"
-  --no-deliver
-  --timeout-seconds 15
-  --json
-)
-cron_cli add "${cron_add_args[@]}" > /tmp/cron-cli-add.json
-
-job_id="$(read_json_field /tmp/cron-cli-add.json id)"
-
-cron_cli list --all --json > /tmp/cron-cli-list.json
-node --input-type=module -e '
-  const fs = await import("node:fs/promises");
-  const jobId = process.argv[1];
-  const value = JSON.parse(await fs.readFile("/tmp/cron-cli-list.json", "utf8"));
-  if (!Array.isArray(value.jobs) || !value.jobs.some((job) => job.id === jobId && job.name === "cli cron smoke")) {
-    throw new Error("created job missing from cron list");
-  }
-' "$job_id"
-
-cron_cli show "$job_id" --json > /tmp/cron-cli-show.json
-node --input-type=module -e '
-  const fs = await import("node:fs/promises");
-  const jobId = process.argv[1];
-  const value = JSON.parse(await fs.readFile("/tmp/cron-cli-show.json", "utf8"));
-  if (value.id !== jobId || value.name !== "cli cron smoke") {
-    throw new Error("cron show returned the wrong job");
-  }
-' "$job_id"
-
-cron_cli disable "$job_id" > /tmp/cron-cli-disable.json
-cron_cli enable "$job_id" > /tmp/cron-cli-enable.json
-
-cron_cli run "$job_id" --wait --wait-timeout 120s --poll-interval 500ms > /tmp/cron-cli-run.json
-node --input-type=module -e '
-  const fs = await import("node:fs/promises");
-  const value = JSON.parse(await fs.readFile("/tmp/cron-cli-run.json", "utf8"));
-  if (value.completed !== true || value.status !== "ok") {
-    throw new Error(`cron run did not complete ok: ${JSON.stringify(value)}`);
-  }
-'
-
-cron_cli runs --id "$job_id" --limit 5 > /tmp/cron-cli-runs.json
-node --input-type=module -e '
-  const fs = await import("node:fs/promises");
-  const value = JSON.parse(await fs.readFile("/tmp/cron-cli-runs.json", "utf8"));
-  const matching = Array.isArray(value.entries)
-    ? value.entries.find((entry) => entry.status === "ok" && entry.summary === "openclaw-cli-cron-ok")
-    : undefined;
-  if (!matching) {
-    throw new Error("cron runs missing successful command summary");
-  }
-'
-
-cron_cli rm "$job_id" --json > /tmp/cron-cli-remove.json
-node --input-type=module -e '
-  const fs = await import("node:fs/promises");
-  const value = JSON.parse(await fs.readFile("/tmp/cron-cli-remove.json", "utf8"));
-  if (value.ok !== true) {
-    throw new Error("cron remove failed");
-  }
-'
-
-node --input-type=module -e '
-  process.stdout.write(JSON.stringify({ ok: true, jobId: process.argv[1] }) + "\n");
-' "$job_id"
-INNER
-status=${PIPESTATUS[0]}
-set -e
-
-if [ "$status" -ne 0 ]; then
-  echo "Docker cron CLI smoke failed"
-  docker_e2e_print_log "$CLIENT_LOG"
-  exit "$status"
-fi
-
-docker_e2e_print_log "$CLIENT_LOG"
-echo "OK"

scripts/e2e/lib/upgrade-survivor/assertions.mjs

@@ -7,7 +7,6 @@ import { readPluginInstallIndex } from "../plugin-index-sqlite.mjs";
 const command = process.argv[2];
 const SCENARIOS = new Set([
   "base",
-  "acpx-openclaw-tools-bridge",
   "feishu-channel",
   "bootstrap-persona",
   "channel-post-core-restore",
@@ -313,16 +312,6 @@ function assertConfigSurvived() {
     }
   }
 
-  if (hasCoverage(coverage) && acceptsIntent(coverage, "acpx-openclaw-tools-bridge")) {
-    const pluginAllow = config.plugins?.allow ?? [];
-    assert(pluginAllow.includes("acpx"), "ACPX plugin allow entry missing");
-    assert(config.plugins?.entries?.acpx?.enabled === true, "ACPX plugin entry changed");
-    assert(
-      config.plugins?.entries?.acpx?.config?.openClawToolsMcpBridge === true,
-      "ACPX OpenClaw tools bridge config changed",
-    );
-  }
-
   if (hasCoverage(coverage) && acceptsIntent(coverage, "configured-plugin-installs")) {
     const pluginAllow = config.plugins?.allow ?? [];
     assert(pluginAllow.includes("discord"), "configured install discord allow entry missing");

scripts/e2e/lib/upgrade-survivor/config-recipe.mjs

@@ -108,17 +108,6 @@ const representativeConfigSteps = [
 ];
 
 const scenarioConfigSteps = new Map([
-  [
-    "acpx-openclaw-tools-bridge",
-    [
-      configSetJsonFile(
-        "plugins-acpx-openclaw-tools-bridge",
-        "acpx-openclaw-tools-bridge",
-        "plugins",
-        "plugins-acpx-openclaw-tools-bridge.json",
-      ),
-    ],
-  ],
   [
     "feishu-channel",
     [
@@ -185,15 +174,6 @@ function selectedScenario() {
 }
 
 function adaptStepForBaseline(step, baselineVersion, summary) {
-  if (
-    step.intent === "acpx-openclaw-tools-bridge" &&
-    isReleaseBefore(baselineVersion, "2026.4.22")
-  ) {
-    if (!summary.skippedIntents.includes("acpx-openclaw-tools-bridge")) {
-      summary.skippedIntents.push("acpx-openclaw-tools-bridge");
-    }
-    return null;
-  }
   if (!isReleaseBefore(baselineVersion, "2026.4.0")) {
     return step;
   }

scripts/e2e/lib/upgrade-survivor/config-recipe/plugins-acpx-openclaw-tools-bridge.json

@@ -1,21 +0,0 @@
-{
-  "enabled": true,
-  "allow": ["acpx", "discord", "memory", "telegram", "whatsapp"],
-  "entries": {
-    "acpx": {
-      "enabled": true,
-      "config": {
-        "openClawToolsMcpBridge": true
-      }
-    },
-    "discord": {
-      "enabled": true
-    },
-    "telegram": {
-      "enabled": true
-    },
-    "whatsapp": {
-      "enabled": true
-    }
-  }
-}

scripts/install-cli.sh

@@ -1168,7 +1168,7 @@ refresh_gateway_service_if_loaded() {
 
   if ! "$claw" gateway restart >/dev/null 2>&1; then
     emit_json '{"event":"step","name":"gateway-service","status":"warn","reason":"restart-failed"}'
-    log "Warning: gateway service restart failed; continuing. Run: openclaw gateway restart"
+    log "Warning: gateway service restart failed; continuing."
     return 0
   fi
 

scripts/install.ps1

@@ -1401,7 +1401,7 @@ function Refresh-GatewayServiceIfLoaded {
         Invoke-OpenClawCommand gateway status --json | Out-Null
         Write-Host "[OK] Gateway service refreshed" -ForegroundColor Green
     } catch {
-        Write-Host "[!] Gateway service restart failed; continuing. Run: openclaw gateway restart" -ForegroundColor Yellow
+        Write-Host "[!] Gateway service restart failed; continuing." -ForegroundColor Yellow
     }
 }
 

scripts/install.sh

@@ -3000,7 +3000,7 @@ refresh_gateway_service_if_loaded() {
     if run_quiet_step "Restarting gateway service" "$claw" gateway restart; then
         ui_success "Gateway service restarted"
     else
-        ui_warn "Gateway service restart failed; continuing. Run: openclaw gateway restart"
+        ui_warn "Gateway service restart failed; continuing"
         return 0
     fi
 

scripts/lib/docker-e2e-plan.mjs

@@ -75,7 +75,6 @@ function sanitizeLaneNameSuffix(value) {
 
 const UPGRADE_SURVIVOR_SCENARIOS = [
   "base",
-  "acpx-openclaw-tools-bridge",
   "feishu-channel",
   "bootstrap-persona",
   "channel-post-core-restore",
@@ -184,17 +183,6 @@ function supportsUpgradeSurvivorPluginDependencyCleanup(baselineSpec) {
   return comparePublishedReleaseVersion(version, { year: 2026, month: 4, patch: 23 }) >= 0;
 }
 
-function supportsUpgradeSurvivorAcpToolsBridge(baselineSpec) {
-  if (!baselineSpec) {
-    return true;
-  }
-  const version = parsePublishedReleaseVersion(baselineSpec);
-  if (!version) {
-    return true;
-  }
-  return comparePublishedReleaseVersion(version, { year: 2026, month: 4, patch: 22 }) >= 0;
-}
-
 function expandUpgradeSurvivorBaselineLanes(poolLanes, rawBaselineSpecs, rawScenarios = "") {
   const baselineSpecs = parseUpgradeSurvivorBaselineSpecs(rawBaselineSpecs);
   const scenarios = parseUpgradeSurvivorScenarios(rawScenarios);
@@ -211,10 +199,8 @@ function expandUpgradeSurvivorBaselineLanes(poolLanes, rawBaselineSpecs, rawScen
       matrixScenarios
         .filter(
           (scenario) =>
-            (scenario !== "plugin-deps-cleanup" ||
-              supportsUpgradeSurvivorPluginDependencyCleanup(baselineSpec)) &&
-            (scenario !== "acpx-openclaw-tools-bridge" ||
-              supportsUpgradeSurvivorAcpToolsBridge(baselineSpec)),
+            scenario !== "plugin-deps-cleanup" ||
+            supportsUpgradeSurvivorPluginDependencyCleanup(baselineSpec),
         )
         .map((scenario) => {
           const suffixParts = [

scripts/lib/official-external-channel-catalog.json

@@ -114,10 +114,10 @@
           }
         },
         "install": {
-          "npmSpec": "@tencent-weixin/openclaw-weixin@2.4.6",
+          "npmSpec": "@tencent-weixin/openclaw-weixin@2.4.3",
           "defaultChoice": "npm",
-          "expectedIntegrity": "sha512-qw9k3PLTiMWGNjjsknHgcTManH1w4j+Ji1ArWIaYLKCq3aFRsVwcqnPi127bvOoVMJGW4dbyJ8NECEMgoO+iRw==",
-          "minHostVersion": ">=2026.5.12"
+          "expectedIntegrity": "sha512-dPQbidUNWigC6V10vGW4i+GLH09x+6zUhafZRjuxkJ9GDu8o62WBsnUTojp4KqUH756hz+t2v9khiCRSi0dBDw==",
+          "minHostVersion": ">=2026.3.22"
         }
       }
     },

scripts/lib/policy-config-coverage.jsonc

@@ -1,761 +0,0 @@
-{
-  // Internal maintainer inventory for `pnpm policy:config-coverage`.
-  // Keep this report-only by default: it helps policy maintainers notice config
-  // drift without making every config PR author update Policy.
-  "monitored": [
-    "auth.profiles.*.mode",
-    "auth.profiles.*.provider",
-    "browser.ssrfPolicy.allowPrivateNetwork",
-    "browser.ssrfPolicy.dangerouslyAllowPrivateNetwork",
-    "channels.*.accounts.*.dmPolicy",
-    "channels.*.accounts.*.groupPolicy",
-    "channels.*.accounts.*.groups.*.requireMention",
-    "channels.*.dmPolicy",
-    "channels.*.enabled",
-    "channels.*.groupPolicy",
-    "channels.*.groups.*.requireMention",
-    "diagnostics.otel.captureContent",
-    "gateway.auth.mode",
-    "gateway.auth.rateLimit.*",
-    "gateway.bind",
-    "gateway.controlUi.allowInsecureAuth",
-    "gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback",
-    "gateway.controlUi.dangerouslyDisableDeviceAuth",
-    "gateway.customBindHost",
-    "gateway.http.endpoints.*.*.allowUrl",
-    "gateway.http.endpoints.*.*.urlAllowlist.*",
-    "gateway.http.endpoints.*.enabled",
-    "gateway.mode",
-    "gateway.remote.enabled",
-    "gateway.tailscale.mode",
-    "gateway.tailscale.preserveFunnel",
-    "logging.redactSensitive",
-    "memory.qmd.sessions.enabled",
-    "mcp.servers.*.command",
-    "mcp.servers.*.transport",
-    "mcp.servers.*.url",
-    "models.providers.*.type",
-    "models.selected",
-    "models.selectedByAgent.*",
-    "models.selectedByChannel.*",
-    "session.dmScope",
-    "session.maintenance.mode",
-    "secrets.defaults.provider",
-    "secrets.providers.*.allowInsecureTransport",
-    "secrets.providers.*.source",
-    "tools.allow.*",
-    "tools.alsoAllow.*",
-    "tools.deny.*",
-    "tools.elevated.allowFrom.*.*",
-    "tools.elevated.enabled",
-    "tools.exec.ask",
-    "tools.exec.host",
-    "tools.exec.security",
-    "tools.fs.workspaceOnly",
-    "tools.profile",
-    "tools.sandbox.tools.allow.*",
-    "tools.sandbox.tools.alsoAllow.*",
-    "tools.sandbox.tools.deny.*",
-    "tools.web.fetch.ssrfPolicy.allowIpv6UniqueLocalRange",
-    "tools.web.fetch.ssrfPolicy.allowPrivateNetwork",
-    "tools.web.fetch.ssrfPolicy.allowRfc2544BenchmarkRange",
-    "tools.web.fetch.ssrfPolicy.dangerouslyAllowPrivateNetwork",
-    "agents.defaults.memorySearch.enabled",
-    "agents.defaults.memorySearch.experimental.sessionMemory",
-    "agents.defaults.memorySearch.sources.*",
-    "agents.defaults.model.fallbacks.*",
-    "agents.defaults.model.primary",
-    "agents.defaults.models.*.alias",
-    "agents.defaults.sandbox.backend",
-    "agents.defaults.sandbox.browser.binds.*",
-    "agents.defaults.sandbox.browser.cdpSourceRange",
-    "agents.defaults.sandbox.docker.apparmorProfile",
-    "agents.defaults.sandbox.docker.binds.*",
-    "agents.defaults.sandbox.docker.dangerouslyAllowContainerNamespaceJoin",
-    "agents.defaults.sandbox.docker.network",
-    "agents.defaults.sandbox.docker.readOnlyRoot",
-    "agents.defaults.sandbox.docker.seccompProfile",
-    "agents.defaults.sandbox.mode",
-    "agents.defaults.sandbox.workspaceAccess",
-    "agents.defaults.tools.allow.*",
-    "agents.defaults.tools.alsoAllow.*",
-    "agents.defaults.tools.deny.*",
-    "agents.defaults.tools.elevated.allowFrom.*.*",
-    "agents.defaults.tools.elevated.enabled",
-    "agents.defaults.tools.exec.ask",
-    "agents.defaults.tools.exec.host",
-    "agents.defaults.tools.exec.security",
-    "agents.defaults.tools.fs.workspaceOnly",
-    "agents.defaults.tools.profile",
-    "agents.defaults.tools.sandbox.tools.allow.*",
-    "agents.defaults.tools.sandbox.tools.alsoAllow.*",
-    "agents.defaults.tools.sandbox.tools.deny.*",
-    "agents.list.*.memorySearch.enabled",
-    "agents.list.*.memorySearch.experimental.sessionMemory",
-    "agents.list.*.memorySearch.sources.*",
-    "agents.list.*.model.fallbacks.*",
-    "agents.list.*.model.primary",
-    "agents.list.*.models.*.alias",
-    "agents.list.*.sandbox.backend",
-    "agents.list.*.sandbox.browser.binds.*",
-    "agents.list.*.sandbox.browser.cdpSourceRange",
-    "agents.list.*.sandbox.docker.apparmorProfile",
-    "agents.list.*.sandbox.docker.binds.*",
-    "agents.list.*.sandbox.docker.dangerouslyAllowContainerNamespaceJoin",
-    "agents.list.*.sandbox.docker.network",
-    "agents.list.*.sandbox.docker.readOnlyRoot",
-    "agents.list.*.sandbox.docker.seccompProfile",
-    "agents.list.*.sandbox.mode",
-    "agents.list.*.sandbox.workspaceAccess",
-    "agents.list.*.tools.allow.*",
-    "agents.list.*.tools.alsoAllow.*",
-    "agents.list.*.tools.deny.*",
-    "agents.list.*.tools.elevated.allowFrom.*.*",
-    "agents.list.*.tools.elevated.enabled",
-    "agents.list.*.tools.exec.ask",
-    "agents.list.*.tools.exec.host",
-    "agents.list.*.tools.exec.security",
-    "agents.list.*.tools.fs.workspaceOnly",
-    "agents.list.*.tools.profile",
-    "agents.list.*.tools.sandbox.tools.allow.*",
-    "agents.list.*.tools.sandbox.tools.alsoAllow.*",
-    "agents.list.*.tools.sandbox.tools.deny.*",
-  ],
-  "classifications": [
-    {
-      "pattern": "browser.ssrfPolicy.dangerouslyAllowPrivateNetwork",
-      "status": "observed",
-      "area": "network",
-      "policy": "network.privateNetwork.allow",
-      "reason": "Policy observes private-network browser SSRF posture.",
-    },
-    {
-      "pattern": "browser.ssrfPolicy.allowPrivateNetwork",
-      "status": "observed",
-      "area": "network",
-      "policy": "network.privateNetwork.allow",
-      "reason": "Policy observes the legacy browser private-network toggle.",
-      "allowNoSchemaPath": true,
-    },
-    {
-      "pattern": "tools.web.fetch.ssrfPolicy.dangerouslyAllowPrivateNetwork",
-      "status": "observed",
-      "area": "network",
-      "policy": "network.privateNetwork.allow",
-      "reason": "Policy observes private-network web-fetch SSRF posture.",
-      "allowNoSchemaPath": true,
-    },
-    {
-      "pattern": "tools.web.fetch.ssrfPolicy.allowPrivateNetwork",
-      "status": "observed",
-      "area": "network",
-      "policy": "network.privateNetwork.allow",
-      "reason": "Policy observes the legacy web-fetch private-network toggle.",
-      "allowNoSchemaPath": true,
-    },
-    {
-      "pattern": "tools.web.fetch.ssrfPolicy.allowRfc2544BenchmarkRange",
-      "status": "observed",
-      "area": "network",
-      "policy": "network.privateNetwork.allow",
-      "reason": "Policy treats RFC 2544 benchmark ranges as private-network posture.",
-    },
-    {
-      "pattern": "tools.web.fetch.ssrfPolicy.allowIpv6UniqueLocalRange",
-      "status": "observed",
-      "area": "network",
-      "policy": "network.privateNetwork.allow",
-      "reason": "Policy treats IPv6 unique-local ranges as private-network posture.",
-    },
-    {
-      "pattern": "session.dmScope",
-      "status": "observed",
-      "area": "ingress",
-      "policy": "ingress.session.requireDmScope",
-      "reason": "Policy observes direct-message session isolation scope.",
-    },
-    {
-      "pattern": "logging.redactSensitive",
-      "status": "observed",
-      "area": "dataHandling",
-      "policy": "dataHandling.sensitiveLogging.requireRedaction",
-      "reason": "Policy observes sensitive log redaction posture.",
-      "allowNoSchemaPath": true,
-    },
-    {
-      "pattern": "diagnostics.otel.captureContent",
-      "status": "observed",
-      "area": "dataHandling",
-      "policy": "dataHandling.telemetry.denyContentCapture",
-      "reason": "Policy observes telemetry content-capture posture.",
-      "allowNoSchemaPath": true,
-    },
-    {
-      "pattern": "session.maintenance.mode",
-      "status": "observed",
-      "area": "dataHandling",
-      "policy": "dataHandling.retention.requireSessionMaintenance",
-      "reason": "Policy observes session maintenance enforcement posture.",
-    },
-    {
-      "pattern": "memory.qmd.sessions.enabled",
-      "status": "observed",
-      "area": "dataHandling",
-      "policy": "dataHandling.memory.denySessionTranscriptIndexing",
-      "reason": "Policy observes QMD session-transcript indexing.",
-    },
-    {
-      "pattern": "agents.defaults.memorySearch.enabled",
-      "status": "observed",
-      "area": "dataHandling",
-      "policy": "dataHandling.memory.denySessionTranscriptIndexing",
-      "reason": "Policy observes default memory-search session indexing enablement.",
-    },
-    {
-      "pattern": "agents.defaults.memorySearch.experimental.sessionMemory",
-      "status": "observed",
-      "area": "dataHandling",
-      "policy": "dataHandling.memory.denySessionTranscriptIndexing",
-      "reason": "Policy observes default memory-search session-memory toggle.",
-    },
-    {
-      "pattern": "agents.defaults.memorySearch.sources.*",
-      "status": "observed",
-      "area": "dataHandling",
-      "policy": "dataHandling.memory.denySessionTranscriptIndexing",
-      "reason": "Policy observes whether default memory-search sources include sessions.",
-    },
-    {
-      "pattern": "agents.list.*.memorySearch.enabled",
-      "status": "observed",
-      "area": "dataHandling",
-      "policy": "dataHandling.memory.denySessionTranscriptIndexing",
-      "reason": "Policy observes per-agent memory-search session indexing enablement.",
-    },
-    {
-      "pattern": "agents.list.*.memorySearch.experimental.sessionMemory",
-      "status": "observed",
-      "area": "dataHandling",
-      "policy": "dataHandling.memory.denySessionTranscriptIndexing",
-      "reason": "Policy observes per-agent memory-search session-memory toggle.",
-    },
-    {
-      "pattern": "agents.list.*.memorySearch.sources.*",
-      "status": "observed",
-      "area": "dataHandling",
-      "policy": "dataHandling.memory.denySessionTranscriptIndexing",
-      "reason": "Policy observes whether per-agent memory-search sources include sessions.",
-    },
-    {
-      "pattern": "auth.profiles.*.mode",
-      "status": "observed",
-      "area": "auth",
-      "policy": "auth.profiles.allowModes",
-      "reason": "Policy observes configured auth profile mode metadata.",
-    },
-    {
-      "pattern": "auth.profiles.*.provider",
-      "status": "observed",
-      "area": "auth",
-      "policy": "auth.profiles.requireMetadata",
-      "reason": "Policy observes configured auth profile provider metadata.",
-    },
-    {
-      "pattern": "channels.*.enabled",
-      "status": "observed",
-      "area": "channels",
-      "policy": "channels.denyRules",
-      "reason": "Provider deny rules only apply to enabled configured channels.",
-    },
-    {
-      "pattern": "channels.*.accounts.*.dmPolicy",
-      "status": "observed",
-      "area": "ingress",
-      "policy": "ingress.channels.allowDmPolicies",
-      "reason": "Policy observes account-level direct-message access posture.",
-    },
-    {
-      "pattern": "channels.*.dmPolicy",
-      "status": "observed",
-      "area": "ingress",
-      "policy": "ingress.channels.allowDmPolicies",
-      "reason": "Policy observes channel-level direct-message access posture.",
-    },
-    {
-      "pattern": "channels.*.accounts.*.groupPolicy",
-      "status": "observed",
-      "area": "ingress",
-      "policy": "ingress.channels.denyOpenGroups",
-      "reason": "Policy observes account-level group access posture.",
-    },
-    {
-      "pattern": "channels.*.groupPolicy",
-      "status": "observed",
-      "area": "ingress",
-      "policy": "ingress.channels.denyOpenGroups",
-      "reason": "Policy observes channel-level group access posture.",
-    },
-    {
-      "pattern": "channels.*.accounts.*.groups.*.requireMention",
-      "status": "observed",
-      "area": "ingress",
-      "policy": "ingress.channels.requireMentionInGroups",
-      "reason": "Policy observes account group mention gates.",
-    },
-    {
-      "pattern": "channels.*.groups.*.requireMention",
-      "status": "observed",
-      "area": "ingress",
-      "policy": "ingress.channels.requireMentionInGroups",
-      "reason": "Policy observes channel group mention gates.",
-    },
-    {
-      "pattern": "gateway.bind",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.exposure.allowNonLoopbackBind",
-      "reason": "Policy observes Gateway bind exposure posture.",
-    },
-    {
-      "pattern": "gateway.customBindHost",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.exposure.allowNonLoopbackBind",
-      "reason": "Policy observes custom bind host exposure posture.",
-    },
-    {
-      "pattern": "gateway.tailscale.mode",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.exposure.allowTailscaleFunnel",
-      "reason": "Policy observes Tailscale serve/funnel mode when deriving Gateway exposure posture.",
-    },
-    {
-      "pattern": "gateway.tailscale.preserveFunnel",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.exposure.allowTailscaleFunnel",
-      "reason": "Policy observes preserveFunnel because serve mode can preserve Funnel exposure.",
-    },
-    {
-      "pattern": "gateway.auth.mode",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.auth.requireAuth",
-      "reason": "Policy observes Gateway auth mode posture.",
-    },
-    {
-      "pattern": "gateway.auth.rateLimit.*",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.auth.requireExplicitRateLimit",
-      "reason": "Policy observes whether Gateway auth rate limiting is explicitly configured.",
-    },
-    {
-      "pattern": "gateway.controlUi.allowInsecureAuth",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.controlUi.allowInsecure",
-      "reason": "Policy observes the Control UI insecure auth toggle.",
-    },
-    {
-      "pattern": "gateway.controlUi.dangerouslyDisableDeviceAuth",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.controlUi.allowInsecure",
-      "reason": "Policy observes the Control UI device-auth disable toggle.",
-    },
-    {
-      "pattern": "gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.controlUi.allowInsecure",
-      "reason": "Policy observes the Control UI Host-header origin fallback toggle.",
-    },
-    {
-      "pattern": "gateway.mode",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.remote.allow",
-      "reason": "Policy observes whether Gateway remote mode is enabled.",
-    },
-    {
-      "pattern": "gateway.remote.enabled",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.remote.allow",
-      "reason": "Policy observes explicit remote Gateway enablement.",
-    },
-    {
-      "pattern": "gateway.http.endpoints.*.enabled",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.http.denyEndpoints",
-      "reason": "Policy observes Gateway HTTP endpoint enablement.",
-    },
-    {
-      "pattern": "gateway.http.endpoints.*.*.allowUrl",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.http.requireUrlAllowlists",
-      "reason": "Policy observes URL-fetch enablement on Gateway HTTP inputs.",
-    },
-    {
-      "pattern": "gateway.http.endpoints.*.*.urlAllowlist.*",
-      "status": "observed",
-      "area": "gateway",
-      "policy": "gateway.http.requireUrlAllowlists",
-      "reason": "Policy observes URL-fetch allowlists on Gateway HTTP inputs.",
-    },
-    {
-      "pattern": "mcp.servers.*.command",
-      "status": "observed",
-      "area": "mcp",
-      "policy": "mcp.servers.allow / mcp.servers.deny",
-      "reason": "Policy observes configured MCP server ids and command posture context.",
-    },
-    {
-      "pattern": "mcp.servers.*.transport",
-      "status": "observed",
-      "area": "mcp",
-      "policy": "mcp.servers.allow / mcp.servers.deny",
-      "reason": "Policy observes configured MCP server transport posture context.",
-    },
-    {
-      "pattern": "mcp.servers.*.url",
-      "status": "observed",
-      "area": "mcp",
-      "policy": "mcp.servers.allow / mcp.servers.deny",
-      "reason": "Policy observes configured MCP server URL posture context.",
-    },
-    {
-      "pattern": "models.providers.*.type",
-      "status": "observed",
-      "area": "models",
-      "policy": "models.providers.allow / models.providers.deny",
-      "reason": "Policy observes configured provider ids.",
-      "allowNoSchemaPath": true,
-    },
-    {
-      "pattern": "models.selected",
-      "status": "observed",
-      "area": "models",
-      "policy": "models.providers.allow / models.providers.deny",
-      "reason": "Policy observes selected model refs.",
-      "allowNoSchemaPath": true,
-    },
-    {
-      "pattern": "models.selectedByAgent.*",
-      "status": "observed",
-      "area": "models",
-      "policy": "models.providers.allow / models.providers.deny",
-      "reason": "Policy observes agent-specific selected model refs.",
-      "allowNoSchemaPath": true,
-    },
-    {
-      "pattern": "models.selectedByChannel.*",
-      "status": "observed",
-      "area": "models",
-      "policy": "models.providers.allow / models.providers.deny",
-      "reason": "Policy observes channel-specific selected model refs.",
-      "allowNoSchemaPath": true,
-    },
-    {
-      "pattern": "agents.defaults.model.**",
-      "status": "observed",
-      "area": "models",
-      "policy": "models.providers.allow / models.providers.deny",
-      "reason": "Policy observes default agent model refs.",
-    },
-    {
-      "pattern": "agents.defaults.models.*.alias",
-      "status": "observed",
-      "area": "models",
-      "policy": "models.providers.allow / models.providers.deny",
-      "reason": "Policy observes default agent model aliases.",
-    },
-    {
-      "pattern": "agents.list.*.model.**",
-      "status": "observed",
-      "area": "models",
-      "policy": "models.providers.allow / models.providers.deny",
-      "reason": "Policy observes per-agent model refs.",
-    },
-    {
-      "pattern": "agents.list.*.models.*.alias",
-      "status": "observed",
-      "area": "models",
-      "policy": "models.providers.allow / models.providers.deny",
-      "reason": "Policy observes per-agent model aliases.",
-    },
-    {
-      "pattern": "secrets.defaults.provider",
-      "status": "observed",
-      "area": "secrets",
-      "policy": "secrets.requireManagedProviders",
-      "reason": "Policy observes default SecretRef provider provenance.",
-      "allowNoSchemaPath": true,
-    },
-    {
-      "pattern": "secrets.providers.*.source",
-      "status": "observed",
-      "area": "secrets",
-      "policy": "secrets.denySources",
-      "reason": "Policy observes configured secret provider source type.",
-    },
-    {
-      "pattern": "secrets.providers.*.allowInsecureTransport",
-      "status": "observed",
-      "area": "secrets",
-      "policy": "secrets.allowInsecureProviders",
-      "reason": "Policy observes insecure secret-provider transport posture.",
-      "allowNoSchemaPath": true,
-    },
-    {
-      "pattern": "tools.profile",
-      "status": "observed",
-      "area": "tools",
-      "policy": "tools.profiles.allow",
-      "reason": "Policy observes global tool profile posture.",
-    },
-    {
-      "pattern": "tools.fs.workspaceOnly",
-      "status": "observed",
-      "area": "tools",
-      "policy": "tools.fs.requireWorkspaceOnly",
-      "reason": "Policy observes global filesystem workspace-only posture.",
-    },
-    {
-      "pattern": "tools.exec.security",
-      "status": "observed",
-      "area": "tools",
-      "policy": "tools.exec.allowSecurity",
-      "reason": "Policy observes global exec security posture.",
-    },
-    {
-      "pattern": "tools.exec.ask",
-      "status": "observed",
-      "area": "tools",
-      "policy": "tools.exec.requireAsk",
-      "reason": "Policy observes global exec approval posture.",
-    },
-    {
-      "pattern": "tools.exec.host",
-      "status": "observed",
-      "area": "tools",
-      "policy": "tools.exec.allowHosts",
-      "reason": "Policy observes global exec host routing posture.",
-    },
-    {
-      "pattern": "tools.elevated.enabled",
-      "status": "observed",
-      "area": "tools",
-      "policy": "tools.elevated.allow",
-      "reason": "Policy observes global elevated tool posture.",
-    },
-    {
-      "pattern": "tools.elevated.allowFrom.*.*",
-      "status": "observed",
-      "area": "tools",
-      "policy": "tools.elevated.allow",
-      "reason": "Policy observes global elevated provider allowlists.",
-    },
-    {
-      "pattern": "tools.allow.*",
-      "status": "observed",
-      "area": "tools",
-      "policy": "tool posture evidence",
-      "reason": "Policy includes global tool allow posture in evidence for attestation drift.",
-    },
-    {
-      "pattern": "tools.alsoAllow.*",
-      "status": "observed",
-      "area": "tools",
-      "policy": "tools.alsoAllow.expected",
-      "reason": "Policy observes global tools.alsoAllow posture.",
-    },
-    {
-      "pattern": "tools.deny.*",
-      "status": "observed",
-      "area": "tools",
-      "policy": "tools.denyTools",
-      "reason": "Policy observes global tool deny posture.",
-    },
-    {
-      "pattern": "tools.sandbox.tools.*.*",
-      "status": "observed",
-      "area": "tools",
-      "policy": "tools.denyTools",
-      "reason": "Policy observes global sandbox tool posture.",
-    },
-    {
-      "pattern": "agents.*.tools.**",
-      "status": "observed",
-      "area": "tools",
-      "policy": "tools.* scoped by agentIds",
-      "reason": "Policy observes default and per-agent tool posture overrides.",
-      "allowNoSchemaPath": true,
-    },
-    {
-      "pattern": "agents.list.*.tools.**",
-      "status": "observed",
-      "area": "tools",
-      "policy": "tools.* scoped by agentIds",
-      "reason": "Policy observes per-agent tool posture overrides.",
-    },
-    {
-      "pattern": "agents.*.sandbox.mode",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.requireMode",
-      "reason": "Policy observes sandbox mode posture.",
-    },
-    {
-      "pattern": "agents.list.*.sandbox.mode",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.requireMode",
-      "reason": "Policy observes per-agent sandbox mode posture.",
-    },
-    {
-      "pattern": "agents.*.sandbox.backend",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.allowBackends",
-      "reason": "Policy observes sandbox backend posture.",
-    },
-    {
-      "pattern": "agents.list.*.sandbox.backend",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.allowBackends",
-      "reason": "Policy observes per-agent sandbox backend posture.",
-    },
-    {
-      "pattern": "agents.*.sandbox.workspaceAccess",
-      "status": "observed",
-      "area": "agents",
-      "policy": "agents.workspace.allowedAccess",
-      "reason": "Policy observes sandbox workspace access posture.",
-    },
-    {
-      "pattern": "agents.list.*.sandbox.workspaceAccess",
-      "status": "observed",
-      "area": "agents",
-      "policy": "agents.workspace.allowedAccess",
-      "reason": "Policy observes per-agent sandbox workspace access posture.",
-    },
-    {
-      "pattern": "agents.*.sandbox.docker.network",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.denyHostNetwork and sandbox.containers.denyContainerNamespaceJoin",
-      "reason": "Policy observes Docker container network posture.",
-    },
-    {
-      "pattern": "agents.list.*.sandbox.docker.network",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.denyHostNetwork and sandbox.containers.denyContainerNamespaceJoin",
-      "reason": "Policy observes per-agent Docker container network posture.",
-    },
-    {
-      "pattern": "agents.*.sandbox.docker.binds.*",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.requireReadOnlyMounts and sandbox.containers.denyContainerRuntimeSocketMounts",
-      "reason": "Policy observes Docker bind mount posture.",
-    },
-    {
-      "pattern": "agents.list.*.sandbox.docker.binds.*",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.requireReadOnlyMounts and sandbox.containers.denyContainerRuntimeSocketMounts",
-      "reason": "Policy observes per-agent Docker bind mount posture.",
-    },
-    {
-      "pattern": "agents.*.sandbox.browser.binds.*",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.requireReadOnlyMounts",
-      "reason": "Policy observes sandbox browser bind mount posture.",
-    },
-    {
-      "pattern": "agents.list.*.sandbox.browser.binds.*",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.requireReadOnlyMounts",
-      "reason": "Policy observes per-agent sandbox browser bind mount posture.",
-    },
-    {
-      "pattern": "agents.*.sandbox.docker.apparmorProfile",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.denyUnconfinedProfiles",
-      "reason": "Policy observes Docker AppArmor profile posture.",
-    },
-    {
-      "pattern": "agents.list.*.sandbox.docker.apparmorProfile",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.denyUnconfinedProfiles",
-      "reason": "Policy observes per-agent Docker AppArmor profile posture.",
-    },
-    {
-      "pattern": "agents.*.sandbox.docker.seccompProfile",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.denyUnconfinedProfiles",
-      "reason": "Policy observes Docker seccomp profile posture.",
-    },
-    {
-      "pattern": "agents.list.*.sandbox.docker.seccompProfile",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.denyUnconfinedProfiles",
-      "reason": "Policy observes per-agent Docker seccomp profile posture.",
-    },
-    {
-      "pattern": "agents.*.sandbox.docker.dangerouslyAllowContainerNamespaceJoin",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.denyContainerNamespaceJoin",
-      "reason": "Policy observes explicit Docker namespace-join escape posture.",
-    },
-    {
-      "pattern": "agents.list.*.sandbox.docker.dangerouslyAllowContainerNamespaceJoin",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.denyContainerNamespaceJoin",
-      "reason": "Policy observes explicit per-agent Docker namespace-join escape posture.",
-    },
-    {
-      "pattern": "agents.*.sandbox.docker.readOnlyRoot",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.requireReadOnlyMounts",
-      "reason": "Policy observes Docker read-only root posture.",
-    },
-    {
-      "pattern": "agents.list.*.sandbox.docker.readOnlyRoot",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.containers.requireReadOnlyMounts",
-      "reason": "Policy observes per-agent Docker read-only root posture.",
-    },
-    {
-      "pattern": "agents.*.sandbox.browser.cdpSourceRange",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.browser.requireCdpSourceRange",
-      "reason": "Policy observes sandbox browser CDP source range posture.",
-    },
-    {
-      "pattern": "agents.list.*.sandbox.browser.cdpSourceRange",
-      "status": "observed",
-      "area": "sandbox",
-      "policy": "sandbox.browser.requireCdpSourceRange",
-      "reason": "Policy observes per-agent sandbox browser CDP source range posture.",
-    },
-  ],
-}

scripts/native-app-i18n.ts

@@ -0,0 +1,362 @@
+import { createHash } from "node:crypto";
+import { mkdir, readdir, readFile, writeFile } from "node:fs/promises";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+export type NativeI18nSurface = "android" | "apple";
+
+export const NATIVE_I18N_LOCALES = [
+  "zh-CN",
+  "zh-TW",
+  "pt-BR",
+  "de",
+  "es",
+  "ja-JP",
+  "ko",
+  "fr",
+  "hi",
+  "ar",
+  "it",
+  "tr",
+  "uk",
+  "id",
+  "pl",
+  "th",
+  "vi",
+  "nl",
+  "fa",
+  "ru",
+] as const;
+
+export type NativeI18nEntry = {
+  id: string;
+  kind: string;
+  line: number;
+  path: string;
+  source: string;
+  surface: NativeI18nSurface;
+};
+
+type Candidate = Omit<NativeI18nEntry, "id">;
+
+const HERE = path.dirname(fileURLToPath(import.meta.url));
+const ROOT = path.resolve(HERE, "..");
+const OUTPUT_PATH = path.join(ROOT, "apps", ".i18n", "native-source.json");
+const SOURCE_ROOTS: Record<NativeI18nSurface, string[]> = {
+  android: [path.join(ROOT, "apps", "android", "app", "src", "main")],
+  apple: [
+    path.join(ROOT, "apps", "ios"),
+    path.join(ROOT, "apps", "macos", "Sources"),
+    path.join(ROOT, "apps", "shared", "OpenClawKit", "Sources"),
+  ],
+};
+
+const ANDROID_EXTENSIONS = new Set([".kt", ".kts"]);
+const APPLE_EXTENSIONS = new Set([".swift", ".plist"]);
+const APPLE_UI_CALLS =
+  /(?:Text|Label|Button|TextField|SecureField|Picker|Section|LabeledContent|Toggle|Menu|ShareLink|Link|TextEditor|ProgressView|Gauge|DisclosureGroup|ControlGroup|DatePicker|Stepper)\s*\(\s*"((?:\\.|[^"\\])*)"/gu;
+const APPLE_MODIFIER_CALLS =
+  /\.(?:navigationTitle|accessibilityLabel|accessibilityHint|help|alert|confirmationDialog)\s*\(\s*"((?:\\.|[^"\\])*)"/gu;
+const ANDROID_CALLS =
+  /\b(?:Text|OutlinedTextField|BasicTextField|Button|IconButton|TopAppBar|Snackbar|AlertDialog)\s*\(\s*(?:text\s*=\s*)?"((?:\\.|[^"\\])*)"/gu;
+const ANDROID_PROPERTIES =
+  /\b(?:contentDescription|label|placeholder|title|message|supportingText)\s*=\s*"((?:\\.|[^"\\])*)"/gu;
+const ANDROID_WRAPPER_ARGS =
+  /\b[A-Z][A-Za-z0-9_]*\s*\([^)\n]{0,160}?\b(?:text|title|label|message|contentDescription|placeholder)\s*=\s*"((?:\\.|[^"\\])*)"/gu;
+const ANDROID_TOAST_ARGS =
+  /\b(?:Toast\.makeText|Snackbar\.make)\s*\([^,\n]*,\s*"((?:\\.|[^"\\])*)"/gu;
+const ANDROID_DIALOG_CALLS =
+  /\.(?:setTitle|setMessage|setPositiveButton|setNegativeButton|setNeutralButton)\s*\(\s*"((?:\\.|[^"\\])*)"/gu;
+const ANDROID_STATE_CALLS = /\b(?:MutableStateFlow|StateFlow|flowOf)\s*\(\s*"((?:\\.|[^"\\])*)"/gu;
+const CONDITIONAL_BRANCHES = [
+  /\bif\s*\([^)]*\)\s*"((?:\\.|[^"\\])*)"\s*else\s*"((?:\\.|[^"\\])*)"/gu,
+  /\?\s*"((?:\\.|[^"\\])*)"\s*:\s*"((?:\\.|[^"\\])*)"/gu,
+];
+const ANDROID_RESOURCE_STRINGS = /<string\b[^>]*>([\s\S]*?)<\/string>/gu;
+const APPLE_NAMED_ARGUMENTS =
+  /\b(?:title|subtitle|label|message|text|prompt|description|help)\s*:\s*"((?:\\.|[^"\\])*)"/gu;
+const APPLE_PLIST_STRINGS = /<string>([\s\S]*?)<\/string>/gu;
+const GENERATED_PATH_RE = /(?:^|[\\/])(?:build|\.gradle|\.build|DerivedData)(?:$|[\\/])/u;
+const EXCLUDED_PATH_RE = /(?:^|[\\/])(?:Tests?|UITests?|test|Preview(?:s)?)(?:$|[\\/])/u;
+const EXCLUDED_FILE_RE = /(?:Tests?|UITests?|Previews?|Testing)\.(?:swift|kt|kts)$/u;
+const BUILD_SETTING_RE = /\$\([A-Za-z0-9_.-]+\)/gu;
+
+function isTranslatableCandidate(source: string, kind: string): boolean {
+  if (BUILD_SETTING_RE.test(source)) {
+    BUILD_SETTING_RE.lastIndex = 0;
+    return false;
+  }
+  BUILD_SETTING_RE.lastIndex = 0;
+  if (/^[a-z0-9_.:/$-]+$/u.test(source) || /^[A-Z0-9_.:/$-]+$/u.test(source)) {
+    return false;
+  }
+  if (/[{}[\]]/u.test(source) && !/(?:\\\(|\$\{)/u.test(source)) {
+    return false;
+  }
+  return kind !== "plist-string" || /\s/u.test(source);
+}
+
+function extractSwiftInterpolations(source: string): string[] | null {
+  const values: string[] = [];
+  for (let index = 0; index < source.length; index += 1) {
+    if (source[index] !== "\\" || source[index + 1] !== "(") continue;
+    const start = index;
+    let depth = 1;
+    let quoted = false;
+    let escaped = false;
+    for (index += 2; index < source.length; index += 1) {
+      const character = source[index];
+      if (escaped) escaped = false;
+      else if (character === "\\") escaped = true;
+      else if (character === '"') quoted = !quoted;
+      else if (!quoted && character === "(") depth += 1;
+      else if (!quoted && character === ")") {
+        depth -= 1;
+        if (depth === 0) {
+          values.push(source.slice(start, index + 1));
+          break;
+        }
+      }
+    }
+    if (depth !== 0) return null;
+  }
+  return values;
+}
+
+function extractKotlinInterpolations(source: string): string[] | null {
+  const values = [...source.matchAll(/\$[A-Za-z_][A-Za-z0-9_]*/gu)].map((match) => match[0]);
+  for (let index = 0; index < source.length; index += 1) {
+    if (source[index] !== "$" || source[index + 1] !== "{") continue;
+    const start = index;
+    let depth = 1;
+    for (index += 2; index < source.length; index += 1) {
+      if (source[index] === "{") depth += 1;
+      else if (source[index] === "}") {
+        depth -= 1;
+        if (depth === 0) {
+          values.push(source.slice(start, index + 1));
+          break;
+        }
+      }
+    }
+    if (depth !== 0) return null;
+  }
+  return values;
+}
+
+function lineNumber(source: string, offset: number): number {
+  return source.slice(0, offset).split("\n").length;
+}
+
+function decodeLiteral(raw: string): string {
+  try {
+    return JSON.parse(`"${raw}"`) as string;
+  } catch {
+    return raw;
+  }
+}
+
+function normalizeSource(source: string): string {
+  return source;
+}
+
+function addCandidate(
+  entries: Candidate[],
+  surface: NativeI18nSurface,
+  repoPath: string,
+  source: string,
+  kind: string,
+  line: number,
+) {
+  const normalized = normalizeSource(decodeLiteral(source));
+  if (!normalized.trim() || !/\p{L}/u.test(normalized)) {
+    return;
+  }
+  if (!isTranslatableCandidate(normalized, kind)) {
+    return;
+  }
+  if (
+    normalized.length > 500 ||
+    extractSwiftInterpolations(normalized) === null ||
+    extractKotlinInterpolations(normalized) === null
+  ) {
+    return;
+  }
+  entries.push({ kind, line, path: repoPath, source: normalized, surface });
+}
+
+function extractCandidates(
+  surface: NativeI18nSurface,
+  repoPath: string,
+  source: string,
+): Candidate[] {
+  const entries: Candidate[] = [];
+  const patterns =
+    surface === "apple"
+      ? [
+          [APPLE_UI_CALLS, "ui-call"],
+          [APPLE_MODIFIER_CALLS, "ui-modifier"],
+          [APPLE_NAMED_ARGUMENTS, "ui-named-argument"],
+          ...CONDITIONAL_BRANCHES.map((pattern) => [pattern, "conditional-branch"] as const),
+        ]
+      : [
+          [ANDROID_CALLS, "ui-call"],
+          [ANDROID_PROPERTIES, "ui-property"],
+          [ANDROID_WRAPPER_ARGS, "ui-wrapper-argument"],
+          [ANDROID_TOAST_ARGS, "ui-toast"],
+          [ANDROID_DIALOG_CALLS, "ui-dialog"],
+          [ANDROID_STATE_CALLS, "ui-state"],
+          ...CONDITIONAL_BRANCHES.map((pattern) => [pattern, "conditional-branch"] as const),
+        ];
+  for (const [pattern, kind] of patterns) {
+    for (const match of source.matchAll(pattern)) {
+      const offset = match.index ?? 0;
+      for (const value of match.slice(1)) {
+        if (value) {
+          addCandidate(entries, surface, repoPath, value, kind, lineNumber(source, offset));
+        }
+      }
+    }
+  }
+  if (surface === "android" && repoPath.endsWith("/res/values/strings.xml")) {
+    for (const match of source.matchAll(ANDROID_RESOURCE_STRINGS)) {
+      if (match[1])
+        addCandidate(
+          entries,
+          surface,
+          repoPath,
+          match[1],
+          "resource-string",
+          lineNumber(source, match.index ?? 0),
+        );
+    }
+  }
+  if (surface === "apple" && repoPath.endsWith(".plist")) {
+    for (const match of source.matchAll(APPLE_PLIST_STRINGS)) {
+      if (match[1])
+        addCandidate(
+          entries,
+          surface,
+          repoPath,
+          match[1],
+          "plist-string",
+          lineNumber(source, match.index ?? 0),
+        );
+    }
+  }
+  return entries;
+}
+
+async function walkFiles(
+  root: string,
+  surface: NativeI18nSurface,
+  out: string[] = [],
+): Promise<string[]> {
+  const entries = await readdir(root, { withFileTypes: true });
+  for (const entry of entries) {
+    const fullPath = path.join(root, entry.name);
+    if (entry.isDirectory()) {
+      if (GENERATED_PATH_RE.test(fullPath) || EXCLUDED_PATH_RE.test(fullPath)) {
+        continue;
+      }
+      await walkFiles(fullPath, surface, out);
+      continue;
+    }
+    const extension = path.extname(entry.name);
+    const allowed =
+      surface === "apple"
+        ? APPLE_EXTENSIONS
+        : fullPath.endsWith(`${path.sep}res${path.sep}values${path.sep}strings.xml`)
+          ? new Set([...ANDROID_EXTENSIONS, ".xml"])
+          : ANDROID_EXTENSIONS;
+    if (entry.isFile() && allowed.has(extension) && !EXCLUDED_FILE_RE.test(entry.name)) {
+      out.push(fullPath);
+    }
+  }
+  return out;
+}
+
+function withIds(entries: Candidate[]): NativeI18nEntry[] {
+  const seen = new Set<string>();
+  const unique = [
+    ...new Map(
+      entries.map((entry) => [`${entry.surface}\u0000${entry.path}\u0000${entry.source}`, entry]),
+    ).values(),
+  ];
+  return unique
+    .toSorted(
+      (left, right) =>
+        left.surface.localeCompare(right.surface) ||
+        left.path.localeCompare(right.path) ||
+        left.line - right.line ||
+        left.kind.localeCompare(right.kind) ||
+        left.source.localeCompare(right.source),
+    )
+    .map((entry) => {
+      const digest = createHash("sha256")
+        .update([entry.surface, entry.path, entry.kind, entry.source].join("\u0000"))
+        .digest("hex")
+        .slice(0, 16);
+      let id = `native.${entry.surface}.${digest}`;
+      if (seen.has(id)) {
+        id = `${id}.${entry.line}`;
+      }
+      seen.add(id);
+      return { ...entry, id };
+    });
+}
+
+export async function collectNativeI18nEntries(): Promise<NativeI18nEntry[]> {
+  const entries: Candidate[] = [];
+  for (const surface of ["android", "apple"] as const) {
+    for (const sourceRoot of SOURCE_ROOTS[surface]) {
+      const files = await walkFiles(sourceRoot, surface);
+      for (const filePath of files.toSorted()) {
+        const source = await readFile(filePath, "utf8");
+        const repoPath = path.relative(ROOT, filePath).split(path.sep).join("/");
+        entries.push(...extractCandidates(surface, repoPath, source));
+      }
+    }
+  }
+  return withIds(entries);
+}
+
+function render(entries: NativeI18nEntry[]): string {
+  return `${JSON.stringify({ version: 1, entries }, null, 2)}\n`;
+}
+
+export async function syncNativeI18n(options: { checkOnly: boolean; write: boolean }) {
+  const expected = render(await collectNativeI18nEntries());
+  let current = "";
+  try {
+    current = await readFile(OUTPUT_PATH, "utf8");
+  } catch {
+    // The first sync creates the inventory.
+  }
+  if (current !== expected && options.checkOnly) {
+    throw new Error(
+      "native app i18n inventory drift detected. Run `pnpm native:i18n:sync` and commit apps/.i18n/native-source.json.",
+    );
+  }
+  if (current !== expected && options.write) {
+    await mkdir(path.dirname(OUTPUT_PATH), { recursive: true });
+    await writeFile(OUTPUT_PATH, expected, "utf8");
+  }
+  const count = JSON.parse(expected).entries.length as number;
+  process.stdout.write(`native-app-i18n: entries=${count} changed=${current !== expected}\n`);
+}
+
+async function main() {
+  const [command] = process.argv.slice(2);
+  if (command !== "check" && command !== "sync") {
+    throw new Error("usage: node --import tsx scripts/native-app-i18n.ts check|sync [--write]");
+  }
+  await syncNativeI18n({
+    checkOnly: command === "check",
+    write: command === "sync" && process.argv.includes("--write"),
+  });
+}
+
+if (process.argv[1] && import.meta.url === `file://${path.resolve(process.argv[1])}`) {
+  await main();
+}

scripts/test-live-acp-bind-docker.sh

@@ -422,7 +422,6 @@ for ACP_AGENT in "${ACP_AGENTS[@]}"; do
     -e OPENCLAW_LIVE_TEST=1 \
     -e OPENCLAW_LIVE_ACP_BIND=1 \
     -e OPENCLAW_LIVE_ACP_BIND_AGENT="$ACP_AGENT" \
-    -e OPENCLAW_LIVE_ACP_BIND_REQUIRE_CRON="${OPENCLAW_LIVE_ACP_BIND_REQUIRE_CRON:-}" \
     -e OPENCLAW_LIVE_ACP_BIND_TEST_FILES="${OPENCLAW_LIVE_ACP_BIND_TEST_FILES:-}" \
     -e OPENCLAW_LIVE_ACP_BIND_CODEX_MODEL="${OPENCLAW_LIVE_ACP_BIND_CODEX_MODEL:-}" \
     -e OPENCLAW_LIVE_ACP_BIND_SETUP_TIMEOUT_SECONDS="$ACP_SETUP_TIMEOUT_SECONDS" \