Fail fast for removed Codex import auth choice

.agents/maintainer-notes/telegram.md

@@ -1,37 +0,0 @@
-# Telegram Maintainer Decisions
-
-Use this page during Telegram PR review. These are intentional maintainer decisions, not incidental implementation details.
-
-Verified against Telegram Bot API 10.0, May 8 2026.
-
-## Streaming
-
-- Do not reintroduce `sendMessageDraft` for answer streaming. Telegram drafts are ephemeral 30-second previews in private chats; final delivery still requires a separate `sendMessage`. OpenClaw uses `sendMessage` plus `editMessageText`, then finalizes in place so the user sees one persistent answer.
-- Streaming owns one visible preview message. Edit it forward. Do not send an extra final bubble unless the final edit genuinely failed.
-- Keep the first-preview debounce. If a provider sends token-sized deltas, coalesce them into cumulative preview text instead of removing the debounce.
-- Respect Telegram limits in the Telegram layer. Text over 4096 chars chains into continuation messages. Polls keep the current Bot API 12-option cap.
-
-## Telegram API Ownership
-
-- Prefer grammY primitives and Telegram-native helpers when they model the behavior directly. Avoid custom Bot API wrappers for behavior grammY already owns.
-- Throttling is bot-token scoped. All Telegram API clients for the same token share one grammY `apiThrottler()` instance.
-- Do not silently retry failed topic sends without topic metadata. A wrong-surface success is worse than a loud Telegram error.
-- DM topics and forum topics are distinct. `direct_messages_topic_id` and `message_thread_id` are not interchangeable.
-
-## Context And Authorization
-
-- Reply context comes from OpenClaw-observed messages. Bot API updates expose `reply_to_message`, but there is no arbitrary `getMessage(chat, id)` hydration path later.
-- Current local chat context must outrank stale reply ancestry in the prompt. Old replied-to messages should not look like the active conversation.
-- Pairing is DM-only. Group and topic authorization need explicit config allowlists.
-- Telegram allowlists use numeric sender IDs. Usernames are optional, mutable, and not a reliable arbitrary-user lookup key in the Bot API.
-- Group and channel visible replies are policy-controlled. Normal room replies stay private unless `messages.groupChat.visibleReplies: "automatic"` is set or the agent explicitly calls `message.send`.
-
-## Interactive Surfaces
-
-- Native callbacks stay structured. Approval, native command, plugin, select, and multiselect callbacks must not fall through as raw callback text.
-- Preserve callback values exactly, including delimiters such as `env|prod`.
-- Native slash commands should remain fast-pathable before full workspace and agent-turn setup.
-
-## Review Standard
-
-Telegram behavior PRs need real Telegram proof when they touch transport, streaming, topics, callbacks, authorization, or reply context. Prefer the bot-to-bot QA lane or an equivalent live Telegram probe over synthetic-only validation.

.agents/skills/blacksmith-testbox/SKILL.md

@@ -0,0 +1,340 @@
+---
+name: blacksmith-testbox
+description: >
+  Validate code changes against real CI when local execution is not
+  enough. Use for CI-parity checks, secrets/services, migrations, or
+  builds/tests that cannot run reliably on the local machine. Do not
+  replace repo-documented local test/build loops just because this
+  skill exists.
+---
+
+# Blacksmith Testbox
+
+## Scope
+
+Use Testbox when you need remote CI parity, injected secrets, hosted services,
+or an OS/runtime image that your local machine cannot provide cheaply.
+
+Do not default to Testbox for every local test/build loop. If the repo has
+documented local commands for normal iteration, use those first so you keep
+warm caches, local build state, and fast feedback.
+
+Testbox is the expensive path. Reach for it deliberately.
+
+## Install the CLI
+
+If `blacksmith` is not installed, install it:
+
+    curl -fsSL https://get.blacksmith.sh | sh
+
+For the canary channel (bleeding-edge):
+
+    BLACKSMITH_CHANNEL=canary sh -c 'curl -fsSL https://get.blacksmith.sh | sh'
+
+Then authenticate:
+
+    blacksmith auth login
+
+## Agent-triggered browser auth (non-interactive)
+
+When an agent needs to ensure the user is authenticated before running testbox
+commands (e.g. warmup, run), use browser-based auth with non-interactive mode.
+This opens the browser for the user to sign in; the agent does not interact with
+the browser. The org selector in the dashboard is skipped, so the user only sees
+the sign-in flow.
+
+**Required command** (`--organization` is required with `--non-interactive`):
+
+    blacksmith auth login --non-interactive --organization <org-slug>
+
+The org slug can come from `BLACKSMITH_ORG` env var or the `--org` global flag.
+If neither is set, the agent should use the project's known org (e.g. from repo
+config or user context). Example:
+
+    blacksmith auth login --non-interactive --organization acme-corp
+    blacksmith --org acme-corp auth login --non-interactive --organization acme-corp
+
+**Flow**: The CLI starts a local callback server, opens the browser to the
+dashboard auth page, and blocks for up to 2 minutes. The user completes sign-in
+and authorization in the browser. The dashboard redirects to localhost with the
+token; the CLI saves credentials and exits. The agent then proceeds.
+
+**Do not use** `--api-token` for this flow — that is for headless/token-based
+auth. This skill focuses on browser-based auth when the user prefers signing in
+via the web UI.
+
+Optional flags:
+
+- `--dashboard-url <url>` — Override dashboard URL (e.g. for staging)
+
+## Decide first: local or Testbox
+
+Before warming anything up, check the repo's own instructions.
+
+Prefer local commands when:
+
+- the repo documents a supported local test/build workflow
+- you are iterating on unit tests, lint, typecheck, formatting, or other
+  local-only validation
+- the value comes from warm local caches and fast repeat runs
+- the command does not need remote secrets, hosted services, or CI-only images
+
+Prefer Testbox when:
+
+- the repo explicitly requires CI-parity or remote validation
+- the command needs secrets, service containers, or provisioned infra
+- you are reproducing CI-only failures
+- you need the exact workflow image/job environment from GitHub Actions
+
+For OpenClaw specifically, normal local iteration should stay local:
+
+- `pnpm check:changed`
+- `pnpm test:changed`
+- `pnpm test <path-or-filter>`
+- `pnpm test:serial`
+- `pnpm build`
+
+Only use Testbox in OpenClaw when the user explicitly wants CI-parity or the
+check truly depends on remote secrets/services that the local repo loop cannot
+provide.
+
+## Setup: Warmup before coding
+
+If you decided Testbox is actually warranted, warm one up early. This returns
+an ID instantly and boots the CI environment in the background while you work:
+
+    blacksmith testbox warmup ci-check-testbox.yml
+    # → tbx_01jkz5b3t9...
+
+Save this ID. You need it for every `run` command.
+
+Warmup dispatches a GitHub Actions workflow that provisions a VM with the
+full CI environment: dependencies installed, services started, secrets
+injected, and a clean checkout of the repo at the default branch.
+
+Options:
+
+    --ref <branch>         Git ref to dispatch against (default: repo's default branch)
+    --job <name>           Specific job within the workflow (if it has multiple)
+    --idle-timeout <min>   Idle timeout in minutes (default: 30)
+
+## CRITICAL: Always run from the repo root
+
+ALWAYS invoke `blacksmith testbox` commands from the **root of the git
+repository**. The CLI syncs the current working directory to the testbox
+using rsync with `--delete`. If you run from a subdirectory (e.g.
+`cd backend && blacksmith testbox run ...`), rsync will mirror only that
+subdirectory and **delete everything else** on the testbox — wiping other
+directories like `dashboard/`, `cli/`, etc.
+
+    # CORRECT — run from repo root, use paths in the command
+    blacksmith testbox run --id <ID> "cd backend && php artisan test"
+    blacksmith testbox run --id <ID> "cd dashboard && npm test"
+
+    # WRONG — do NOT cd into a subdirectory before invoking the CLI
+    cd backend && blacksmith testbox run --id <ID> "php artisan test"
+
+If your shell is in a subdirectory, `cd` back to the repo root first:
+
+    cd "$(git rev-parse --show-toplevel)"
+    blacksmith testbox run --id <ID> "cd backend && php artisan test"
+
+## Running commands
+
+    blacksmith testbox run --id <ID> "<command>"
+
+The `run` command automatically waits for the testbox to become ready if
+it is still booting, so you can call `run` immediately after warmup without
+needing to check status first.
+
+## Downloading files from a testbox
+
+Use the `download` command to retrieve files or directories from a running
+testbox to your local machine. This is useful for fetching build artifacts,
+test results, coverage reports, or any output generated on the testbox.
+
+    blacksmith testbox download --id <ID> <remote-path> [local-path]
+
+The remote path is relative to the testbox working directory (same as `run`).
+If no local path is specified, the file is saved to the current directory
+using the same base name.
+
+To download a directory, append a trailing `/` to the remote path — this
+triggers recursive mode:
+
+    # Download a single file
+    blacksmith testbox download --id <ID> coverage/report.html
+
+    # Download a file to a specific local path
+    blacksmith testbox download --id <ID> build/output.tar.gz ./output.tar.gz
+
+    # Download an entire directory
+    blacksmith testbox download --id <ID> test-results/ ./results/
+
+Options:
+
+    --ssh-private-key <path>   Path to SSH private key (if warmup used --ssh-public-key)
+
+## How file sync works
+
+Understanding this model is critical for using Testbox correctly.
+
+When you call `run`, the CLI performs a **delta sync** of your local changes
+to the remote testbox before executing your command:
+
+1. The testbox VM starts from a clean `actions/checkout` at the warmup ref.
+   The workflow's setup steps (e.g. `npm install`, `pip install`, `composer install`)
+   run during warmup and populate dependency directories on the remote VM.
+
+2. On each `run`, the CLI uses **git** to detect which files changed locally
+   since the last sync. It syncs ONLY tracked files and untracked non-ignored
+   files (i.e. files that `git ls-files` reports).
+
+3. **`.gitignore`'d directories are never synced.** This means directories
+   like `node_modules/`, `vendor/`, `.venv/`, `build/`, `dist/`, etc. are
+   NOT transferred from your local machine. The testbox uses its own copies
+   of those directories, populated during the warmup workflow steps.
+
+4. If nothing has changed since the last sync (same git commit and working
+   tree state), the sync is skipped entirely for speed.
+
+### Why this matters
+
+- **Changing dependencies**: If you modify `package.json`, `requirements.txt`,
+  `composer.json`, `go.mod`, or similar dependency manifests, the lock/manifest
+  file will be synced but the actual dependency directory will NOT. You must
+  re-run the install command on the testbox:
+
+      blacksmith testbox run --id <ID> "npm install && npm test"
+      blacksmith testbox run --id <ID> "pip install -r requirements.txt && pytest"
+      blacksmith testbox run --id <ID> "composer install && phpunit"
+
+- **Generated/build artifacts**: If your tests depend on a build step (e.g.
+  `npm run build`, `make`), and you changed source files that affect the build
+  output, re-run the build on the testbox before testing.
+
+- **New untracked files**: New files you create locally ARE synced (as long as
+  they are not gitignored). You do not need to `git add` them first.
+
+- **Deleted files**: Files you delete locally are also deleted on the remote
+  testbox. The sync model keeps the remote in lockstep with your local managed
+  file set.
+
+## CRITICAL: Do not ban local tests
+
+Do not assume local validation is forbidden. Many repos intentionally invest in
+fast, warm local loops, and forcing every run through Testbox destroys that
+advantage.
+
+Use Testbox for the checks that actually need it: remote parity, secrets,
+services, CI-only runners, or reproducibility against the workflow image.
+
+If the repo says local tests/builds are the normal path, follow the repo.
+
+## When to use
+
+Use Testbox when:
+
+- running database migrations or destructive environment checks
+- running commands that depend on secrets or environment variables not present locally
+- reproducing CI-only failures or validating against the workflow image
+- validating behavior that needs provisioned services or remote runners
+- doing a final parity check before commit/push when the repo or user wants that
+
+Trim that list based on repo guidance. If the repo documents supported local
+tests/builds, prefer local for routine iteration and keep Testbox for the
+checks that need parity or remote state.
+
+## Workflow
+
+1. Decide whether the repo's local loop is the right default.
+2. Only if Testbox is warranted, warm up early:
+   `blacksmith testbox warmup ci-check-testbox.yml` → save the ID
+3. Write code while the testbox boots in the background.
+4. Run the remote command when needed:
+   `blacksmith testbox run --id <ID> "npm test"`
+5. If tests fail, fix code and re-run against the same warm box.
+6. If you changed dependency manifests (package.json, etc.), prepend
+   the install command: `blacksmith testbox run --id <ID> "npm install && npm test"`
+7. If you need artifacts (coverage reports, build outputs, etc.), download them:
+   `blacksmith testbox download --id <ID> coverage/ ./coverage/`
+8. Once green, commit and push.
+
+## OpenClaw full test suite
+
+For OpenClaw, use the repo package manager and the measured stable full-suite
+profile below. It keeps six Vitest project shards active while limiting each
+shard to one worker to avoid worker OOMs on Testbox:
+
+    blacksmith testbox run --id <ID> "env NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test"
+
+Observed full-suite time on Blacksmith Testbox is about 3-4 minutes:
+
+- 173-180s on a warmed box
+- 219s on a fresh 32-vCPU box
+
+When validating before commit/push, run `pnpm check:changed` first when
+appropriate, then the full suite with the profile above if broad confidence is
+needed.
+
+## Examples
+
+    blacksmith testbox warmup ci-check-testbox.yml
+    # → tbx_01jkz5b3t9...
+
+    # Run tests
+    blacksmith testbox run --id <ID> "npm test -- --testPathPattern=handler.test"
+    blacksmith testbox run --id <ID> "go test ./pkg/api/... -run TestHandler -v"
+    blacksmith testbox run --id <ID> "python -m pytest tests/test_api.py -k test_auth"
+
+    # Re-install deps after changing package.json, then test
+    blacksmith testbox run --id <ID> "npm install && npm test"
+
+    # Build and test
+    blacksmith testbox run --id <ID> "npm run build && npm test"
+
+    # Download artifacts from the testbox
+    blacksmith testbox download --id <ID> coverage/lcov-report/ ./coverage/
+    blacksmith testbox download --id <ID> build/output.tar.gz
+
+## Waiting for the testbox to be ready
+
+The `run` command automatically waits for the testbox, so explicit waiting is
+usually unnecessary. If you do need to check readiness separately (e.g. before
+a series of runs), use the `--wait` flag. Do NOT use a sleep-and-recheck loop.
+
+Correct: block until ready with a timeout:
+
+    blacksmith testbox status --id <ID> --wait [--wait-timeout 5m]
+
+Wrong: never use sleep + status in a loop:
+
+    # BAD — do not do this
+    sleep 30 && blacksmith testbox status --id <ID>
+    while ! blacksmith testbox status --id <ID> | grep ready; do sleep 5; done
+
+`--wait` polls the status and exits as soon as the testbox is ready (or when the
+timeout is reached). Default timeout is 5m; use `--wait-timeout` for longer
+(e.g. `10m`, `1h`).
+
+## Managing testboxes
+
+    # Check status of a specific testbox
+    blacksmith testbox status --id <ID>
+
+    # List all active testboxes for the current repo
+    blacksmith testbox list
+
+    # Stop a testbox when you're done (frees resources)
+    blacksmith testbox stop --id <ID>
+
+Testboxes automatically shut down after being idle (default: 30 minutes).
+If you need a longer session, increase the timeout at warmup time:
+
+    blacksmith testbox warmup ci-check-testbox.yml --idle-timeout 60
+
+## With options
+
+    blacksmith testbox warmup ci-check-testbox.yml --ref main
+    blacksmith testbox warmup ci-check-testbox.yml --idle-timeout 60
+    blacksmith testbox run --id <ID> "go test ./..."

.agents/skills/clawsweeper/SKILL.md

@@ -1,340 +0,0 @@
----
-name: clawsweeper
-description: "Use for all ClawSweeper work: OpenClaw issue/PR sweep reports, commit-review reports, repair jobs, cloud fix PRs, @clawsweeper maintainer mention commands, trusted ClawSweeper-reviewed autofix/automerge, GitHub Actions monitoring, permissions, gates, and manual backfills."
----
-
-# ClawSweeper
-
-ClawSweeper lives at `~/Projects/clawsweeper`. It is the one OpenClaw
-maintenance bot for sweeping, commit review, repair jobs, and guarded fix PRs.
-Use this skill whenever asked about reports, findings, dispatch health,
-repair/cloud PR creation, comment commands, automerge, permissions, or gates.
-
-## Start
-
-```bash
-cd ~/Projects/clawsweeper
-git status --short --branch
-git pull --ff-only
-pnpm run build:all
-```
-
-Do not overwrite unrelated edits. If the tree is dirty, inspect first and keep
-read-only report work read-only unless the requester asked to commit.
-
-## One Bot, One App
-
-Use the ClawSweeper repo and the `clawsweeper` GitHub App. Use only
-`CLAWSWEEPER_*` configuration for this automation. Do not use legacy apps,
-variables, labels, or skills.
-
-Required app setup:
-
-- `CLAWSWEEPER_APP_CLIENT_ID`: public app client ID for `clawsweeper`.
-- `CLAWSWEEPER_APP_PRIVATE_KEY`: private key used only inside
-  `actions/create-github-app-token` steps.
-- Target app permissions: read target scan context; write issues and pull
-  requests; contents write for report commits, repair branches, and workflow
-  inputs; Actions write on `openclaw/clawsweeper` for comment-router
-  re-review dispatch, workflow dispatch, run cancellation, and self-heal;
-  optional Checks write for commit Check Runs.
-
-Token boundary:
-
-- Codex workers do not get mutation credentials.
-- Review workers run with stripped secret/token env.
-- Deterministic scripts own comments, labels, branch pushes, PR creation,
-  closes, and merges through short-lived GitHub App tokens.
-- Merge and write gates default closed.
-
-## Commit Reports
-
-Canonical commit reports:
-
-```text
-records/<repo-slug>/commits/<40-char-sha>.md
-```
-
-Use the lister:
-
-```bash
-pnpm commit-reports -- --since 6h
-pnpm commit-reports -- --since "24 hours ago" --findings
-pnpm commit-reports -- --since 7d --non-clean
-pnpm commit-reports -- --repo openclaw/openclaw --author steipete --since 7d
-pnpm commit-reports -- --since 24h --json
-```
-
-Results: `nothing_found`, `findings`, `inconclusive`, `failed`,
-`skipped_non_code`. One report per SHA; reruns overwrite the SHA-named report.
-
-Manual rerun/backfill:
-
-```bash
-gh workflow run commit-review.yml --repo openclaw/clawsweeper \
-  -f target_repo=openclaw/openclaw \
-  -f commit_sha=<end-sha> \
-  -f before_sha=<start-or-parent-sha> \
-  -f create_checks=false \
-  -f enabled=true
-```
-
-Use `create_checks=true` only when the requester explicitly wants target commit Check
-Runs. Add `-f additional_prompt="..."` for focused one-off review instructions.
-
-## Sweep Reports
-
-Issue/PR reports live at:
-
-```text
-records/<repo-slug>/items/<number>.md
-records/<repo-slug>/closed/<number>.md
-```
-
-Lead with counts, concrete findings, and report links. Do not post unsolicited
-GitHub comments from report-reading work. Public surfaces are markdown reports,
-durable ClawSweeper review comments, and optional checks.
-
-PR reports include Codex `/review`-style `reviewFindings` with priority,
-confidence, repository-relative file, and line range. Public PR comments show a
-short `Review findings:` list when findings exist; full review comments,
-evidence links, likely owners, and runtime details stay inside the collapsed
-`Review details` block.
-
-Useful commands:
-
-```bash
-pnpm run status
-pnpm run audit
-pnpm run reconcile
-pnpm run apply-decisions -- --dry-run
-```
-
-## Create One Repair Job
-
-Create a job from issue/PR refs and a maintainer prompt:
-
-```bash
-pnpm run repair:create-job -- \
-  --repo openclaw/openclaw \
-  --refs 123,456 \
-  --prompt-file /tmp/clawsweeper-prompt.md
-```
-
-Create from an existing ClawSweeper report:
-
-```bash
-pnpm run repair:create-job -- \
-  --from-report ../clawsweeper/records/openclaw-openclaw/items/123.md
-```
-
-The job creator checks for an existing open PR, body match, or remote
-`clawsweeper/<cluster-id>` branch before writing another job. Use `--dry-run`
-to inspect. Use `--force` only after deciding the duplicate guard is stale.
-
-Validate, commit, then dispatch:
-
-```bash
-pnpm run repair:validate-job -- jobs/openclaw/inbox/clawsweeper-openclaw-openclaw-123.md
-pnpm run repair:dispatch -- jobs/openclaw/inbox/clawsweeper-openclaw-openclaw-123.md \
-  --mode autonomous \
-  --runner blacksmith-4vcpu-ubuntu-2404 \
-  --execution-runner blacksmith-16vcpu-ubuntu-2404 \
-  --model gpt-5.5
-```
-
-Do not dispatch a just-created job before the job file is committed and pushed;
-the workflow reads the job path from GitHub.
-
-## Replacement PRs
-
-For a useful but uneditable/stale/unsafe source PR, make the maintainer prompt
-explicit:
-
-```md
-Treat #123 as useful source work. If the source branch cannot be safely updated
-because it is uneditable, stale, draft-only, unmergeable, or unsafe, create a
-narrow ClawSweeper replacement PR instead of waiting. Preserve the source PR
-author as co-author, credit the source PR in the replacement PR body, and close
-only that source PR after the replacement PR is opened.
-```
-
-The worker should emit `repair_strategy=replace_uneditable_branch` and list the
-source PR URL in `source_prs`. The deterministic executor opens or updates
-`clawsweeper/<cluster-id>`, adds non-bot source authors as `Co-authored-by`
-trailers, and closes superseded source PRs only after replacement exists.
-
-## Gates
-
-Open execution windows intentionally and close them after the run:
-
-```bash
-gh variable set CLAWSWEEPER_ALLOW_EXECUTE --repo openclaw/clawsweeper --body 1
-gh variable set CLAWSWEEPER_ALLOW_FIX_PR --repo openclaw/clawsweeper --body 1
-gh variable set CLAWSWEEPER_ALLOW_MERGE --repo openclaw/clawsweeper --body 1
-gh variable set CLAWSWEEPER_ALLOW_AUTOMERGE --repo openclaw/clawsweeper --body 1
-```
-
-Reset gates only when explicitly requested; the active maintainer window may intentionally
-leave them at `1`.
-
-Important gates:
-
-- `CLAWSWEEPER_ALLOW_EXECUTE`: allows deterministic write lanes.
-- `CLAWSWEEPER_ALLOW_FIX_PR`: allows branch repair/replacement PRs.
-- `CLAWSWEEPER_ALLOW_MERGE`: allows merge-capable applicators.
-- `CLAWSWEEPER_ALLOW_AUTOMERGE`: allows comment-router automerge.
-- `CLAWSWEEPER_COMMENT_ROUTER_EXECUTE`: lets scheduled comment routing
-  post replies and dispatch repair.
-
-## Maintainer Mentions
-
-Prefer `@clawsweeper` comments for all maintainer-facing control. Slash
-commands still parse as compatibility aliases, but examples and live guidance
-should use mentions.
-
-```text
-@clawsweeper status
-@clawsweeper re-review
-@clawsweeper review
-@clawsweeper fix ci
-@clawsweeper address review
-@clawsweeper rebase
-@clawsweeper autofix
-@clawsweeper automerge
-@clawsweeper approve
-@clawsweeper explain
-@clawsweeper stop
-@clawsweeper <question or safe action request>
-@clawsweeper[bot] re-review
-@openclaw-clawsweeper fix ci
-@openclaw-clawsweeper[bot] fix ci
-```
-
-Accepted aliases: `review`, `re-review`, `rereview`, `review again`,
-`rerun review`, and `run review`. `review` and `re-review` dispatch a fresh
-ClawSweeper issue/PR review without starting repair. `fix ci`,
-`address review`, and `rebase` dispatch the
-repair worker only for ClawSweeper PRs or PRs opted into
-`clawsweeper:autofix` or `clawsweeper:automerge`. `autofix` runs the bounded
-review/fix loop without merging. `automerge` runs the bounded review/fix/merge
-loop, but draft PRs stay fix-only until GitHub marks them ready for review.
-
-Freeform maintainer mentions such as `@clawsweeper why did automerge stop?`
-or `@clawsweeper: can you explain this failure?` dispatch a read-only assist
-review with the mention text as one-off instructions. The answer lands in the
-next public ClawSweeper review comment. Action-looking prose does not directly
-mutate GitHub; it must map to existing structured recommendations and pass the
-normal deterministic gates.
-
-Default accepted maintainers: `OWNER`, `MEMBER`, `COLLABORATOR`; fallback
-repository permission accepts `admin`, `maintain`, or `write`. Contributor
-comments are ignored without a reply.
-
-Run router manually:
-
-```bash
-pnpm run repair:comment-router -- --repo openclaw/openclaw --lookback-minutes 180
-pnpm run repair:comment-router -- --repo openclaw/openclaw --execute --wait-for-capacity
-```
-
-Scheduled routing stays dry unless
-`CLAWSWEEPER_COMMENT_ROUTER_EXECUTE=1`.
-
-## Trusted Autofix And Automerge
-
-`@clawsweeper autofix` opts an existing PR into the bounded review/fix loop.
-`@clawsweeper automerge` opts an existing PR into the bounded review/fix/merge
-loop. The router:
-
-- verifies maintainer authorization;
-- labels the PR `clawsweeper:autofix` or `clawsweeper:automerge`;
-- dispatches ClawSweeper review for the current head SHA;
-- creates or reuses a durable adopted job;
-- repairs at most the configured caps;
-- never merges autofix PRs or draft PRs;
-- merges automerge PRs only when ClawSweeper passed the exact current head,
-  checks are green, GitHub says mergeable, no human-review label is present,
-  the PR is not draft, and both merge gates are open.
-
-Missing changelog is not a review finding or merge blocker. If repairing a user-facing change, add/update changelog automatically when practical; never ask or block solely on it.
-
-If ClawSweeper passes while merge gates are closed, it labels
-`clawsweeper:merge-ready` and comments instead of merging. `@clawsweeper stop`
-adds `clawsweeper:human-review`.
-
-When asked to create a PR and enable ClawSweeper automerge, do not
-leave the local OpenClaw checkout on the PR branch. After the PR is created,
-pushed, and the `@clawsweeper automerge` request is posted or otherwise
-confirmed, return the local checkout to `main` and fast-forward it when the
-working tree is clean:
-
-```bash
-git switch main
-git pull --ff-only
-```
-
-If unrelated local edits or an in-progress rebase prevent switching, report the
-blocker instead of stashing, deleting, or overwriting work.
-
-Repair caps:
-
-```bash
-CLAWSWEEPER_MAX_REPAIRS_PER_PR=10
-CLAWSWEEPER_MAX_REPAIRS_PER_HEAD=1
-```
-
-## Security Boundary
-
-Do not stage unapproved security-sensitive work for ClawSweeper Repair. Route
-vulnerability reports, CVE/GHSA/advisory work, leaked secrets/tokens/keys,
-plaintext secret storage, SSRF, XSS, CSRF, RCE, auth bypass, privilege
-escalation, and sensitive data exposure to central OpenClaw security handling.
-
-For PRs explicitly opted into `clawsweeper:autofix` or
-`clawsweeper:automerge`, security-sensitive review findings may dispatch
-bounded repair, but merge remains blocked until a later exact-head review is
-clean and the normal merge gates pass. Trust deterministic ClawSweeper security
-markers, labels, and job frontmatter; do not infer security handling from vague
-prose.
-
-## Monitoring
-
-Receiver workflows:
-
-```bash
-gh run list --repo openclaw/clawsweeper --workflow "ClawSweeper Commit Review" \
-  --limit 12 --json databaseId,displayTitle,event,status,conclusion,createdAt,updatedAt,url
-gh run list --repo openclaw/clawsweeper --workflow "repair cluster worker" \
-  --limit 12 --json databaseId,displayTitle,event,status,conclusion,createdAt,updatedAt,url
-gh run list --repo openclaw/clawsweeper --workflow "repair comment router" \
-  --limit 12 --json databaseId,displayTitle,event,status,conclusion,createdAt,updatedAt,url
-```
-
-Target dispatcher:
-
-```bash
-gh run list --repo openclaw/openclaw --workflow "ClawSweeper Dispatch" \
-  --event push --limit 8 --json databaseId,displayTitle,event,status,conclusion,headSha,url
-```
-
-Target commit check:
-
-```bash
-gh api "repos/openclaw/openclaw/commits/<sha>/check-runs?per_page=100" \
-  --jq '.check_runs[] | select(.name=="ClawSweeper Commit Review") | [.status,.conclusion,.details_url] | @tsv'
-```
-
-## Reading Output
-
-For findings or failures, summarize:
-
-- target repo, item/PR/commit, run, report path
-- result, confidence, severity, and exact blocker
-- affected files or cluster refs
-- validation commands and whether they passed
-- whether mutation gates were open or closed
-- next deterministic action
-
-Keep the broom small: one cluster, one branch, one PR, narrow proof, clear
-owner-visible evidence.

.agents/skills/clawsweeper/agents/openai.yaml

@@ -1,4 +0,0 @@
-interface:
-  display_name: "ClawSweeper"
-  short_description: "Inspect ClawSweeper commit review reports and Actions runs."
-  default_prompt: "Review recent ClawSweeper commit reports and summarize findings."

.agents/skills/crabbox/SKILL.md

@@ -1,461 +0,0 @@
----
-name: crabbox
-description: Use Crabbox for OpenClaw remote Linux validation. Default to Blacksmith Testbox; includes direct Blacksmith and owned AWS/Hetzner fallback notes when Crabbox fails.
----
-
-# Crabbox
-
-Use Crabbox when OpenClaw needs remote Linux proof for broad tests, CI-parity
-checks, secrets, hosted services, Docker/E2E/package lanes, warmed reusable
-boxes, sync timing, logs/results, cache inspection, or lease cleanup.
-
-Default backend: `blacksmith-testbox`. The separate `blacksmith-testbox` skill
-has been removed; this skill owns both the normal Crabbox path and the direct
-Blacksmith fallback playbook.
-
-## First Checks
-
-- Run from the repo root. Crabbox sync mirrors the current checkout.
-- Check the wrapper and providers before remote work:
-
-```sh
-command -v crabbox
-../crabbox/bin/crabbox --version
-pnpm crabbox:run -- --help | sed -n '1,120p'
-../crabbox/bin/crabbox desktop launch --help
-../crabbox/bin/crabbox webvnc --help
-```
-
-- OpenClaw scripts prefer `../crabbox/bin/crabbox` when present. The user PATH
-  shim can be stale.
-- Check `.crabbox.yaml` for repo defaults, but override provider explicitly.
-  Even if config still says AWS, maintainer validation should normally pass
-  `--provider blacksmith-testbox`.
-- For live/provider bugs, check keys on the local Mac before downgrading to
-  mocks: source local `~/.profile` and test only presence/length. If Crabbox
-  does not already have the key, copy only the exact needed key into the remote
-  process environment for that one command. Do not print it, do not sync it as a
-  repo file, and do not leave it in remote shell history or logs. If no
-  secret-safe injection path is available, say true live provider auth is
-  blocked instead of silently using a fake key.
-- Prefer local targeted tests for tight edit loops. Broad gates belong remote.
-- Do not treat inherited shell env as operator intent. In particular,
-  `OPENCLAW_LOCAL_CHECK_MODE=throttled` from the local shell is not permission
-  to move broad `pnpm check:changed`, `pnpm test:changed`, full `pnpm test`, or
-  lint/typecheck fan-out onto the laptop.
-- Only use `OPENCLAW_LOCAL_CHECK_MODE=throttled|full` when the user explicitly
-  asks for local proof in the current task. If Testbox is queued or capacity is
-  constrained, report the blocker and keep only targeted local edit-loop checks
-  running.
-
-## macOS And Windows Targets
-
-Use these only when the task needs an existing non-Linux host. OpenClaw broad
-validation still defaults to `blacksmith-testbox`.
-
-Crabbox supports static SSH targets:
-
-```sh
-../crabbox/bin/crabbox run --provider ssh --target macos --static-host mac-studio.local -- xcodebuild test
-../crabbox/bin/crabbox run --provider ssh --target windows --windows-mode normal --static-host win-dev.local -- pwsh -NoProfile -Command "dotnet test"
-../crabbox/bin/crabbox run --provider ssh --target windows --windows-mode wsl2 --static-host win-dev.local -- pnpm test
-```
-
-- `target=macos` and `target=windows --windows-mode wsl2` use the POSIX SSH,
-  bash, Git, rsync, and tar contract.
-- Native Windows uses OpenSSH, PowerShell, Git, and tar; sync is manifest tar
-  archive transfer into `static.workRoot`.
-- `crabbox actions hydrate/register` are Linux-only today; use plain
-  `crabbox run` loops for static macOS and Windows hosts.
-- Live proof needs a reachable, operator-managed SSH host. Without one, verify
-  with `../crabbox/bin/crabbox run --help`, config/flag tests, and the Crabbox
-  Go test suite.
-
-## Default Blacksmith Backend
-
-Use this for `pnpm check`, `pnpm check:changed`, `pnpm test`,
-`pnpm test:changed`, Docker/E2E/live/package gates, or anything likely to fan
-out across many Vitest projects.
-
-Changed gate:
-
-```sh
-pnpm crabbox:run -- --provider blacksmith-testbox \
-  --blacksmith-org openclaw \
-  --blacksmith-workflow .github/workflows/ci-check-testbox.yml \
-  --blacksmith-job check \
-  --blacksmith-ref main \
-  --idle-timeout 90m \
-  --ttl 240m \
-  --timing-json \
-  --shell -- \
-  "env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm test:changed"
-```
-
-Full suite:
-
-```sh
-pnpm crabbox:run -- --provider blacksmith-testbox \
-  --blacksmith-org openclaw \
-  --blacksmith-workflow .github/workflows/ci-check-testbox.yml \
-  --blacksmith-job check \
-  --blacksmith-ref main \
-  --idle-timeout 90m \
-  --ttl 240m \
-  --timing-json \
-  --shell -- \
-  "env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm test"
-```
-
-Focused rerun:
-
-```sh
-pnpm crabbox:run -- --provider blacksmith-testbox \
-  --blacksmith-org openclaw \
-  --blacksmith-workflow .github/workflows/ci-check-testbox.yml \
-  --blacksmith-job check \
-  --blacksmith-ref main \
-  --idle-timeout 90m \
-  --ttl 240m \
-  --timing-json \
-  --shell -- \
-  "env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm test <path-or-filter>"
-```
-
-Read the JSON summary. Useful fields:
-
-- `provider`: should be `blacksmith-testbox`
-- `leaseId`: `tbx_...`
-- `syncDelegated`: should be `true`
-- `commandMs` / `totalMs`
-- `exitCode`
-
-Crabbox should stop one-shot Blacksmith Testboxes automatically after the run.
-Verify cleanup when a run fails, is interrupted, or the command output is
-unclear:
-
-```sh
-blacksmith testbox list
-```
-
-## Efficient Bug E2E Verification
-
-Use the smallest Crabbox lane that proves the reported user path, not just the
-touched code. Aim for one after-fix E2E proof before commenting, closing, or
-opening a PR for a user-visible bug.
-
-Pick the lane by symptom:
-
-- Docker/setup/install bug: build a package tarball and run the matching
-  `scripts/e2e/*-docker.sh` or package script. This proves npm packaging,
-  install paths, runtime deps, config writes, and container behavior.
-- Provider/model/auth bug: prefer true live E2E. First source local Mac
-  `~/.profile`, then inject the single needed key into Crabbox if needed. Scrub
-  unrelated provider env vars in the child command so interactive defaults do
-  not drift to another provider. If only a dummy key is used, label the proof
-  narrowly, e.g. "UI/install path only; live provider auth not exercised."
-- Channel delivery bug: use the channel Docker/live lane when available; include
-  setup, config, gateway start, send/receive or agent-turn proof, and redacted
-  logs.
-- Gateway/session/tool bug: prefer an end-to-end CLI or Gateway RPC command that
-  creates real state and inspects the resulting files/API output.
-- Pure parser/config bug: targeted tests may be enough, but still run a
-  Crabbox command when OS, package, Docker, secrets, or service lifecycle could
-  change behavior.
-
-Efficient flow:
-
-1. Reproduce or prove the pre-fix symptom when feasible. If the issue cannot be
-   reproduced, capture the exact command and observed behavior instead.
-2. Patch locally and run narrow local tests for edit speed.
-3. Run one Crabbox E2E command that starts from the user-facing entrypoint:
-   package install, Docker setup, onboarding, channel add, gateway start, or
-   agent turn as appropriate.
-4. Record proof as: Testbox id, command, environment shape, redacted secret
-   source, and copied success/failure output.
-5. If the issue says "cannot reproduce", ask for the missing config/log fields
-   that would distinguish the tested path from the reporter's path.
-
-Keep it efficient:
-
-- Reuse existing E2E scripts and helper assertions before writing ad hoc shell.
-- Use one-shot Crabbox for a single proof; use a reusable Testbox only when
-  several commands must share built images, installed packages, or live state.
-- Prefer `OPENCLAW_CURRENT_PACKAGE_TGZ` with Docker/package lanes when testing a
-  candidate tarball; prefer the repo's package helper instead of direct source
-  execution when the bug might be packaging/install related.
-- Keep secrets redacted. It is fine to report key presence, source, and length;
-  never print secret values.
-- Include `--timing-json` on broad or flaky runs when command duration or sync
-  behavior matters.
-
-Interactive CLI/onboarding:
-
-- For full-screen or prompt-heavy CLI flows, run the target command inside tmux
-  on the Crabbox and drive it with `tmux send-keys`; capture proof with
-  `tmux capture-pane`, redacted through `sed`.
-- Prefer deterministic arrow navigation over search typing for Clack-style
-  searchable selects. Raw `send-keys -l openai` may not trigger filtering in a
-  tmux pane; inspect option order locally or on-box and send exact Down/Enter
-  sequences.
-- Isolate mutable state with `OPENCLAW_STATE_DIR=$(mktemp -d)`. Plugin npm
-  installs live under that state dir (`npm/node_modules/...`), not under
-  `OPENCLAW_CONFIG_DIR`. Verify downloads by checking the state dir, package
-  lock, and installed package metadata.
-- To test automatic setup installs against local package artifacts, use
-  `OPENCLAW_ALLOW_PLUGIN_INSTALL_OVERRIDES=1` plus
-  `OPENCLAW_PLUGIN_INSTALL_OVERRIDES='{"plugin-id":"npm-pack:/tmp/plugin.tgz"}'`.
-  Pack with `npm pack`, set an isolated `OPENCLAW_STATE_DIR`, and verify the
-  package under `npm/node_modules`. Overrides are test-only and must not be
-  treated as official/trusted-source installs.
-- For OpenAI/Codex onboarding proof, the useful markers are the UI line
-  `Installed Codex plugin`, `npm/node_modules/@openclaw/codex`, and the
-  package-lock entry showing the bundled `@openai/codex` dependency. A dummy
-  OpenAI-shaped key can prove only UI/install behavior; it is not live auth.
-
-## Reuse And Keepalive
-
-For most Blacksmith-backed Crabbox calls, one-shot is enough. Use reuse only
-when you need multiple manual commands on the same hydrated box.
-
-If Crabbox returns a reusable id or you intentionally keep a lease:
-
-```sh
-pnpm crabbox:run -- --provider blacksmith-testbox --id <tbx_id> --no-sync --timing-json --shell -- "pnpm test <path>"
-```
-
-Stop boxes you created before handoff:
-
-```sh
-pnpm crabbox:stop -- <id-or-slug>
-blacksmith testbox stop --id <tbx_id>
-```
-
-## Interactive Desktop And WebVNC
-
-Prefer WebVNC for human inspection because the browser portal can preload the
-lease VNC password and avoids a native VNC client's copy/paste/password dance.
-Use native `crabbox vnc` only when WebVNC is unavailable, the browser portal is
-broken, or the user explicitly wants a local VNC client.
-
-Common desktop flow:
-
-```sh
-../crabbox/bin/crabbox warmup --provider hetzner --desktop --browser --class standard --idle-timeout 60m --ttl 240m
-../crabbox/bin/crabbox desktop launch --provider hetzner --id <cbx_id-or-slug> --browser --url https://example.com --webvnc --open
-```
-
-Useful WebVNC commands:
-
-```sh
-../crabbox/bin/crabbox webvnc --provider hetzner --id <cbx_id-or-slug> --open
-../crabbox/bin/crabbox webvnc --provider hetzner --id <cbx_id-or-slug> --daemon --open
-../crabbox/bin/crabbox webvnc --provider hetzner --id <cbx_id-or-slug> --status
-../crabbox/bin/crabbox webvnc --provider hetzner --id <cbx_id-or-slug> --stop
-../crabbox/bin/crabbox screenshot --provider hetzner --id <cbx_id-or-slug> --output desktop.png
-```
-
-`desktop launch --webvnc --open` is usually the nicest one-shot: it starts the
-browser/app inside the visible session, bridges the lease into the authenticated
-WebVNC portal, and opens the portal. Keep browsers windowed for human QA; use
-`--fullscreen` only for capture/video workflows.
-
-## If Crabbox Fails
-
-Keep the fallback narrow. First decide whether the failure is Crabbox itself,
-Blacksmith/Testbox, repo hydration, sync, or the test command.
-
-Fast checks:
-
-```sh
-command -v crabbox
-../crabbox/bin/crabbox --version
-crabbox run --provider blacksmith-testbox --help | sed -n '1,140p'
-command -v blacksmith
-blacksmith --version
-blacksmith testbox list
-```
-
-Common Crabbox-only failures:
-
-- Provider missing or old CLI: use `../crabbox/bin/crabbox` from the sibling
-  repo, or update/install Crabbox before retrying.
-- Bad local config: pass `--provider blacksmith-testbox` plus explicit
-  `--blacksmith-*` flags instead of relying on `.crabbox.yaml`.
-- Slug/claim confusion: use the raw `tbx_...` id, or run one-shot without
-  `--id`.
-- Sync/timing bug: add `--debug --timing-json`; capture the final JSON and the
-  printed Actions URL.
-- Cleanup uncertainty: run `blacksmith testbox list` and stop only boxes you
-  created.
-- Testbox queued/capacity pressure: do not convert a broad changed gate or full
-  suite into local `OPENCLAW_LOCAL_CHECK_MODE=throttled pnpm ...`. Leave the
-  remote lane queued, switch to a narrower targeted local check, or stop and
-  report the capacity blocker.
-
-If Crabbox cannot dispatch, sync, attach, or stop but Blacksmith itself works,
-use direct Blacksmith from the repo root:
-
-```sh
-blacksmith testbox warmup ci-check-testbox.yml --ref main --idle-timeout 90
-blacksmith testbox run --id <tbx_id> "env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm test:changed"
-blacksmith testbox stop --id <tbx_id>
-```
-
-Direct full suite:
-
-```sh
-blacksmith testbox run --id <tbx_id> "env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm test"
-```
-
-Auth fallback, only when `blacksmith` says auth is missing:
-
-```sh
-blacksmith auth login --non-interactive --organization openclaw
-```
-
-Raw Blacksmith footguns:
-
-- Run from repo root. The CLI syncs the current directory.
-- Save the returned `tbx_...` id in the session.
-- Reuse that id for focused reruns; stop it before handoff.
-- Raw commit SHAs are not reliable `warmup --ref` refs; use a branch or tag.
-- Treat `blacksmith testbox list` as cleanup diagnostics, not a shared reusable
-  queue.
-
-Escalate to owned AWS/Hetzner only when Blacksmith is down, quota-limited,
-missing the needed environment, or owned capacity is the explicit goal. Use the
-Owned Cloud Fallback section below.
-
-## Blacksmith Backend Notes
-
-Crabbox Blacksmith backend delegates setup to:
-
-- org: `openclaw`
-- workflow: `.github/workflows/ci-check-testbox.yml`
-- job: `check`
-- ref: `main` unless testing a branch/tag intentionally
-
-The hydration workflow owns checkout, Node/pnpm setup, dependency install,
-secrets, ready marker, and keepalive. Crabbox owns dispatch, sync, SSH command
-execution, timing, logs/results, and cleanup.
-
-Minimal direct Blacksmith fallback, from repo root:
-
-```sh
-blacksmith testbox warmup ci-check-testbox.yml --ref main --idle-timeout 90
-blacksmith testbox run --id <tbx_id> "env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test:changed"
-blacksmith testbox stop --id <tbx_id>
-```
-
-Use direct Blacksmith only when Crabbox is the broken layer and Blacksmith
-itself still works. Prefer direct `blacksmith testbox list` for cleanup
-diagnostics, not as a reusable work queue.
-
-Important Blacksmith footguns:
-
-- Always run from repo root. The CLI syncs the current directory.
-- Raw commit SHAs are not reliable `warmup --ref` refs; use a branch or tag.
-- If auth is missing and browser auth is acceptable:
-
-```sh
-blacksmith auth login --non-interactive --organization openclaw
-```
-
-## Owned Cloud Fallback
-
-Use AWS/Hetzner only when Blacksmith is down, quota-limited, missing the needed
-environment, or owned capacity is explicitly the goal.
-
-```sh
-pnpm crabbox:warmup -- --provider aws --class beast --market on-demand --idle-timeout 90m
-pnpm crabbox:hydrate -- --id <cbx_id-or-slug>
-pnpm crabbox:run -- --id <cbx_id-or-slug> --timing-json --shell -- "env NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm test:changed"
-pnpm crabbox:stop -- <cbx_id-or-slug>
-```
-
-Install/auth for owned Crabbox if needed:
-
-```sh
-brew install openclaw/tap/crabbox
-crabbox login --url https://crabbox.openclaw.ai --provider aws
-```
-
-New users should self-resolve broker auth before anyone asks for AWS keys:
-
-```sh
-crabbox config show
-crabbox doctor
-crabbox whoami
-```
-
-- If broker auth is missing, run `crabbox login --url https://crabbox.openclaw.ai --provider aws`.
-- If the CLI asks for `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, or AWS
-  profile setup during normal OpenClaw validation, assume the agent selected
-  the wrong path. Use brokered `crabbox login`, `--provider blacksmith-testbox`,
-  or an existing brokered lease before asking the user for cloud credentials.
-- Ask for AWS keys only for explicit direct-provider/account administration,
-  not for normal brokered OpenClaw proof.
-- Trusted automation may still use
-  `printf '%s' "$CRABBOX_COORDINATOR_TOKEN" | crabbox login --url https://crabbox.openclaw.ai --provider aws --token-stdin`.
-
-macOS config lives at:
-
-```text
-~/Library/Application Support/crabbox/config.yaml
-```
-
-It should include `broker.url`, `broker.token`, and usually `provider: aws`
-for owned-cloud lanes. Do not let that config override the OpenClaw default
-when Blacksmith proof is requested; pass `--provider blacksmith-testbox`.
-
-### Interactive Desktop / WebVNC
-
-For human desktop demos, prefer `webvnc` over native `vnc` and keep the remote
-desktop visible/windowed. Do not fullscreen the remote browser or hide the XFCE
-panel/window chrome unless the explicit goal is video/capture output. After
-launch, verify a screenshot shows the desktop panel plus browser title bar. If
-Chrome is fullscreen, toggle it back with:
-
-```sh
-crabbox run --id <lease> --shell -- 'DISPLAY=:99 xdotool search --onlyvisible --class google-chrome windowactivate key F11'
-```
-
-## Diagnostics
-
-```sh
-crabbox status --id <id-or-slug> --wait
-crabbox inspect --id <id-or-slug> --json
-crabbox sync-plan
-crabbox history --lease <id-or-slug>
-crabbox logs <run_id>
-crabbox results <run_id>
-crabbox cache stats --id <id-or-slug>
-crabbox ssh --id <id-or-slug>
-blacksmith testbox list
-```
-
-Use `--debug` on `run` when measuring sync timing.
-Use `--timing-json` on warmup, hydrate, and run when comparing backends.
-Use `--market spot|on-demand` only on AWS warmup/one-shot runs.
-
-## Failure Triage
-
-- Crabbox cannot find provider: verify `../crabbox/bin/crabbox --help` lists
-  `blacksmith-testbox`; update Crabbox before falling back.
-- Hydration stuck or failed: open the printed GitHub Actions run URL and inspect
-  the hydration step.
-- Sync failed: rerun with `--debug`; check changed-file count and whether the
-  checkout is dirty.
-- Command failed: rerun only the failing shard/file first. Do not rerun a full
-  suite until the focused failure is understood.
-- Cleanup uncertain: `blacksmith testbox list`; stop owned `tbx_...` leases you
-  created.
-- Crabbox broken but Blacksmith works: use the direct Blacksmith fallback above,
-  then file/fix the Crabbox issue.
-
-## Boundary
-
-Do not add OpenClaw-specific setup to Crabbox itself. Put repo setup in the
-hydration workflow and keep Crabbox generic around lease, sync, command
-execution, logs/results, timing, and cleanup.

.agents/skills/discord-clawd/SKILL.md

@@ -1,37 +0,0 @@
----
-name: discord-clawd
-description: Use to talk to the Discord-backed OpenClaw agent/session; not for archive search.
----
-
-# Discord Clawd
-
-Use this when the task is to talk with the Discord-backed agent/session, ask it a question, or post through that route.
-
-For Discord archive/history/search, use `$discrawl` instead.
-
-## Transport
-
-Use the OpenClaw relay helper:
-
-```bash
-cd ~/Projects/agent-scripts
-python3 skills/openclaw-relay/scripts/openclaw_relay.py targets
-python3 skills/openclaw-relay/scripts/openclaw_relay.py resolve --target maintainers
-```
-
-If the target alias exists, prefer a private ask first:
-
-```bash
-python3 skills/openclaw-relay/scripts/openclaw_relay.py ask \
-  --target maintainers \
-  --message "Reply with exactly OK."
-```
-
-Use `publish` when the session should decide whether to post. Use `force-send` only when the user explicitly wants a message posted.
-
-## Guardrails
-
-- Resolve the target before sending real content.
-- Report the target and delivery mode used.
-- Do not use this for local Discord archive queries.
-- Do not expose gateway tokens or session secrets.

.agents/skills/discord-clawd/agents/openai.yaml

@@ -1,4 +0,0 @@
-interface:
-  display_name: "Discord Clawd"
-  short_description: "Talk to the Discord-backed OpenClaw agent"
-  default_prompt: "Use $discord-clawd to route a private ask or explicit post through the Discord-backed OpenClaw agent/session."

.agents/skills/gitcrawl/SKILL.md

@@ -1,68 +0,0 @@
----
-name: gitcrawl
-description: Use gitcrawl for OpenClaw issue and PR archive search, duplicate discovery, related-thread clustering, and local GitHub mirror freshness checks.
-metadata:
-  openclaw:
-    requires:
-      bins:
-        - gitcrawl
----
-
-# Gitcrawl
-
-Use this skill before live GitHub search when triaging OpenClaw issues or PRs.
-
-`gitcrawl` is the local candidate-discovery layer. It is fast, includes open and closed threads, and can surface duplicate attempts, related issues, and already-landed fixes. It is not the final source of truth for comments, labels, merges, closes, or current CI.
-
-## Default Flow
-
-1. Check local state:
-
-```bash
-gitcrawl doctor --json
-```
-
-2. Read the target from the local archive:
-
-```bash
-gitcrawl threads openclaw/openclaw --numbers <issue-or-pr-number> --include-closed --json
-```
-
-3. Find related candidates:
-
-```bash
-gitcrawl neighbors openclaw/openclaw --number <issue-or-pr-number> --limit 12 --json
-gitcrawl search openclaw/openclaw --query "<scope or title keywords>" --mode hybrid --limit 20 --json
-```
-
-4. Inspect relevant clusters:
-
-```bash
-gitcrawl cluster-detail openclaw/openclaw --id <cluster-id> --member-limit 20 --body-chars 280 --json
-```
-
-5. Verify anything actionable with live GitHub and the checkout:
-
-```bash
-gh pr view <number> --json number,title,state,mergedAt,body,files,comments,reviews,statusCheckRollup
-gh issue view <number> --json number,title,state,body,comments,closedAt
-```
-
-## Freshness Rules
-
-- Treat `gitcrawl` as stale if `doctor` shows no target thread, an old `last_sync_at`, missing embeddings for neighbor/search commands, or a clearly wrong open/closed state.
-- If stale data blocks the decision, refresh the portable store first:
-
-```bash
-gitcrawl init --portable-store git@github.com:openclaw/gitcrawl-store.git --json
-```
-
-- Run expensive update commands such as `gitcrawl sync --include-comments` only when the user asked to update the local store or stale data is blocking the decision.
-- The sync default is all GitHub thread states; pass `--state open`, `--state closed`, or `--state all` only when a task requires a narrower or explicit scope.
-
-## Boundaries
-
-- Use `gitcrawl` for candidates, clusters, and historical context.
-- Use `gh`, `gh api`, and the current checkout for live state before commenting, labeling, closing, reopening, merging, or filing a PR review.
-- Do not close or label based only on `gitcrawl` similarity. Require matching problem intent plus live verification.
-- If `gitcrawl` is unavailable, say so and fall back to targeted `gh search` rather than blocking normal maintainer work.

.agents/skills/gitcrawl/agents/openai.yaml

@@ -1,4 +0,0 @@
-interface:
-  display_name: "Gitcrawl"
-  short_description: "Search local OpenClaw issue and PR history before live GitHub triage"
-  default_prompt: "Use $gitcrawl to inspect OpenClaw issue and PR history, find related threads and duplicate candidates, then verify actionable decisions with live GitHub."

.agents/skills/openclaw-docs/SKILL.md

@@ -1,234 +0,0 @@
----
-name: openclaw-docs
-description: Write or review high-quality OpenClaw developer documentation.
-dependencies: []
----
-
-# OpenClaw Docs
-
-## Overview
-
-Use this skill when writing, editing, or reviewing OpenClaw developer documentation for APIs, SDKs, CLI tools, integrations, quickstarts, platform guides, or technical product docs.
-
-Write documentation that is concise, helpful, and comprehensive: fast for first success, precise for production, and easy to scan when debugging.
-
-## Core Model
-
-Use an OpenClaw documentation model, strengthened by Write the Docs principles:
-
-- Lead with what the developer is trying to do.
-- Give one recommended path before alternatives.
-- Make examples runnable and realistic.
-- Keep guides task-oriented and references exhaustive.
-- Explain production risks exactly where developers can make mistakes.
-- Link concepts, guides, API references, SDKs, testing, and troubleshooting so readers can move between them without rereading.
-- Treat docs as part of the product lifecycle: draft them before or alongside implementation, review them with code, and keep them current.
-- Make each page discoverable, addressable, cumulative, complete within its stated scope, and easy to skim.
-
-## Structure
-
-Choose the page type before writing:
-
-- Overview: route readers to the right product, integration path, or guide.
-- Quickstart: get a new user to a working result with the fewest safe steps.
-- Topic page: give an end-to-end overview of a major domain entity, with setup,
-  key subtopics, troubleshooting, and links to deeper references.
-- Guide: explain one workflow from prerequisites to production readiness.
-- API reference: define every object, endpoint, parameter, enum, response, error, and version rule.
-- SDK or CLI reference: document install, auth, commands or methods, options, examples, and failure modes.
-- Testing guide: show sandbox setup, fixtures, test data, simulated failures, and live-mode differences.
-- Troubleshooting guide: map symptoms to checks, causes, and fixes.
-
-Use this default topic page structure:
-
-1. Title: name the major entity or surface.
-2. Overview: explain what it is, what it owns, and what it does not own.
-3. Requirements: include only when setup needs specific accounts, versions,
-   permissions, plugins, operating systems, or credentials.
-4. Quickstart: show the recommended setup path and smallest reliable verification.
-5. Configuration: show the minimum configuration needed to use the surface,
-   common variants users must choose between, and where each option is set:
-   CLI, config file, environment variable, plugin manifest, dashboard, or API.
-6. Subtopics: organize the entity's major concepts, workflows, and decisions by
-   reader intent.
-7. Troubleshooting: diagnose common observable failures.
-8. Related: link to guides, references, commands, concepts, and adjacent topics.
-
-Topic pages may be longer than quickstarts, but they should not become exhaustive
-references. Move field tables, API contracts, narrow internals, legacy details,
-and rare debugging workflows to linked reference or troubleshooting pages when
-they interrupt the end-to-end overview.
-
-For configuration, keep task-critical options inline. Link to reference docs for
-full option lists, defaults, enums, generated schemas, and advanced settings. Do
-not duplicate exhaustive config reference tables in topic pages unless the topic
-page is itself the reference.
-
-Use this default guide structure:
-
-1. Title: name the outcome, not the implementation detail.
-2. Opening: state what the reader can accomplish in one or two sentences.
-3. Before you begin: list accounts, keys, permissions, versions, tools, and assumptions.
-4. Choose a path: compare options only when the reader must decide.
-5. Steps: use verb-led headings with code, expected output, and checks.
-6. Test: show the smallest reliable proof that the integration works.
-7. Production readiness: cover security, idempotency, retries, limits, observability, migrations, and cleanup.
-8. Troubleshooting: include common errors near the workflow that causes them.
-9. See also: link to concepts, API references, SDK docs, and adjacent guides.
-
-Keep navigation user-intent based. Do not force readers to understand internal product taxonomy before they can pick a task.
-
-## Documentation Lifecycle
-
-Write and maintain docs with the same discipline as code:
-
-- Draft docs early enough to expose unclear product, API, CLI, or config design.
-- Keep docs source near the code, config, command, plugin, or protocol it describes when the repo layout allows it.
-- Avoid duplicate truth. If the same contract appears in multiple places, pick the canonical page and link to it.
-- Update docs in the same change as behavior, config, API, CLI, plugin, or troubleshooting changes.
-- Remove, redirect, or clearly mark stale docs. Incorrect docs are worse than missing docs.
-- Involve the right reviewers: code owners for behavior, support or QA for user failure modes, and docs maintainers for structure and style.
-- Preserve older-version guidance only when users need it; otherwise document the current supported behavior.
-
-Do not use FAQs as a dumping ground for unrelated material. Promote recurring questions into task, concept, troubleshooting, or reference pages.
-
-## Writing Style
-
-Write in a direct, practical voice:
-
-- Use present tense and active voice.
-- Address the reader as "you" when giving instructions.
-- Prefer short paragraphs and scannable lists.
-- Use concrete nouns: "agent profile", "Gateway webhook", "plugin manifest", "session state".
-- Put caveats exactly where they affect the step.
-- Avoid marketing language, hype, generic benefits, and vague claims.
-- Avoid long conceptual lead-ins before the first actionable step.
-- Do not over-explain common developer concepts unless the product has a nonstandard contract.
-- Define OpenClaw-specific jargon and abbreviations before first use.
-- Use sentence case for headings unless an OpenClaw product name, command, or identifier requires capitalization.
-- Use descriptive link text that names the destination or action; avoid vague links such as "this page" or "click here".
-- Avoid culturally specific idioms, violent idioms, and jokes that make docs harder to translate or scan.
-- Write accessible prose: do not rely on color, screenshots, or visual position as the only way to understand an instruction.
-
-Use headings that describe actions or reference surfaces:
-
-- Good: "Create an agent", "Configure a Slack channel", "Repair plugin installation"
-- Avoid: "How it works", "Under the hood", "Important notes" unless the section truly needs that shape
-
-Use precise modal language:
-
-- Use "must" for required behavior.
-- Use "can" for optional capability.
-- Use "recommended" for the default path.
-- Use "avoid" for known footguns.
-- Explain "why" only when it changes a developer decision.
-
-## Detail Level
-
-Vary detail by page type:
-
-- Overview pages: be brief; help readers choose.
-- Quickstarts: be procedural; include only what is needed for first success.
-- Guides: be complete for one workflow; include decisions, side effects, and failure handling.
-- References: be exhaustive; document every field, default, enum, nullable value, constraint, response, and error.
-- Troubleshooting: be explicit; assume the reader is blocked and needs observable checks.
-
-Go deep where mistakes are expensive:
-
-- Authentication and secret handling
-- Money movement, billing, permissions, and irreversible actions
-- Webhooks, retries, duplicate events, and ordering
-- Idempotency and concurrency
-- Sandbox versus production differences
-- Versioning, migrations, and backwards compatibility
-- Limits, rate limits, quotas, and timeouts
-- Error codes and recovery paths
-- Data retention, privacy, and compliance-sensitive behavior
-
-Do not bury this detail in a distant reference if developers need it to complete the task safely.
-
-## Examples
-
-Make examples production-shaped, even when using test data:
-
-- Prefer complete copy-pasteable commands or snippets.
-- Use realistic variable names and values.
-- Mark placeholders clearly with angle-bracket names such as `<API_KEY>` or `<CUSTOMER_ID>`.
-- Show expected success output after commands.
-- Show full request and response examples for API references when response shape matters.
-- Keep one conceptual unit per code block.
-- Use language-specific code fences.
-- Avoid toy examples that hide required setup, auth, error handling, or cleanup.
-
-When multiple languages are useful, keep the same scenario across languages so readers can compare equivalents.
-
-## Discoverability and Navigation
-
-Design every page so readers can find it, link to it, and decide quickly whether it answers their question:
-
-- Use goal-oriented titles and headings that match likely search terms.
-- Start each page with a concise answer to "what can I do here?"
-- Include metadata or frontmatter required by the OpenClaw docs index.
-- Add "Read when" hints for docs-list routing when creating or changing OpenClaw docs pages that participate in the docs index.
-- Link from likely entry points, not only from nearby internal taxonomy pages.
-- Keep section headings stable enough for links from issues, PRs, support replies, and chat answers.
-- Order tutorials and examples from prerequisites to advanced tasks; order reference pages alphabetically or topically when that helps lookup.
-- State scope up front when a page is intentionally partial.
-
-## API Reference Pattern
-
-For endpoints, methods, objects, or commands, include:
-
-1. Short purpose statement.
-2. Auth or permission requirements.
-3. Request shape, including path, query, headers, and body fields.
-4. Parameter table with type, requiredness, default, constraints, enum values, and side effects.
-5. Return shape with object lifecycle states.
-6. Error cases with codes, causes, and recovery guidance.
-7. Runnable example request.
-8. Representative successful response.
-9. Related guides and adjacent reference pages.
-
-For nested objects, document child fields near their parent. Do not make readers jump across pages to understand the shape of a single request.
-
-## Verification
-
-Verify docs changes like product changes:
-
-- Run the relevant docs build, docs index, formatter, link checker, or generated-doc check when available.
-- Run commands, snippets, and examples that the page tells users to run whenever feasible.
-- Confirm screenshots, UI labels, CLI output, config keys, flags, defaults, errors, and file paths match current behavior.
-- Prefer executable checks over prose-only review for API, CLI, config, generated reference, and troubleshooting docs.
-- If a verification step is not feasible, say what was not verified and why.
-
-## Completeness Checks
-
-Before finalizing a page, verify:
-
-- The first screen tells readers what they can accomplish.
-- The recommended path is obvious.
-- Prerequisites are explicit and testable.
-- Examples can run with documented inputs.
-- The page has a clear audience: user, operator, plugin author, contributor, or maintainer.
-- Test-mode and production-mode behavior are separated.
-- Security-sensitive values are never exposed in examples.
-- Every warning is attached to the step where it matters.
-- Edge cases are documented where they affect implementation.
-- API fields include types, defaults, constraints, and errors.
-- Troubleshooting starts from observable symptoms.
-- Related links help the reader continue without duplicating the page.
-- The page says where to get support, file issues, or contribute when that is relevant to the reader's next step.
-- The page is complete for the scope it claims, or the limitation is stated up front.
-
-## Review Pass
-
-Edit in this order:
-
-1. Remove repetition and generic explanation.
-2. Move conceptual background below the first useful action unless it is required to choose correctly.
-3. Replace passive or abstract wording with concrete instructions.
-4. Tighten headings until the outline reads like a task map.
-5. Add missing operational details for production safety.
-6. Check examples for copy-paste accuracy.
-7. Add links between guide, reference, SDK, testing, and troubleshooting surfaces.
-8. Check discoverability, addressability, accessibility, and docs-as-code verification.

.agents/skills/openclaw-ghsa-maintainer/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: openclaw-ghsa-maintainer
-description: Inspect, patch, validate, publish, or confirm OpenClaw GHSA security advisories and private-fork state.
+description: Maintainer workflow for OpenClaw GitHub Security Advisories (GHSA). Use when Codex needs to inspect, patch, validate, or publish a repo advisory, verify private-fork state, prepare advisory Markdown or JSON payloads safely, handle GHSA API-specific publish constraints, or confirm advisory publish success.
 ---
 
 # OpenClaw GHSA Maintainer

.agents/skills/openclaw-parallels-smoke/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: openclaw-parallels-smoke
-description: Run, rerun, debug, or interpret OpenClaw Parallels install, onboarding, gateway smoke, and upgrade checks.
+description: End-to-end Parallels smoke, upgrade, and rerun workflow for OpenClaw across macOS, Windows, and Linux guests. Use when Codex needs to run, rerun, debug, or interpret VM-based install, onboarding, gateway smoke tests, latest-release-to-main upgrade checks, fresh snapshot retests, or optional Discord roundtrip verification under Parallels.
 ---
 
 # OpenClaw Parallels Smoke
@@ -14,7 +14,7 @@ Use this skill for Parallels guest workflows and smoke interpretation. Do not lo
 - Stable `2026.3.12` pre-upgrade diagnostics may require a plain `gateway status --deep` fallback.
 - Treat `precheck=latest-ref-fail` on that stable pre-upgrade lane as baseline, not automatically a regression.
 - Pass `--json` for machine-readable summaries.
-- Per-phase logs land under `.artifacts/parallels/openclaw-parallels-*` by default. Override with `OPENCLAW_PARALLELS_ARTIFACT_ROOT` when a run needs another artifact volume.
+- Per-phase logs land under `/tmp/openclaw-parallels-*`.
 - Do not run local and gateway agent turns in parallel on the same fresh workspace or session.
 - Hard-cap every top-level Parallels lane with host `timeout --foreground` (or `gtimeout --foreground` if that is the available binary) so a stalled install, snapshot switch, or `prlctl exec` transport cannot consume the rest of the testing window. Defaults:
   - macOS: `75m`
@@ -45,9 +45,6 @@ Use this skill for Parallels guest workflows and smoke interpretation. Do not lo
 ## npm install then update
 
 - Preferred entrypoint: `pnpm test:parallels:npm-update`
-- For a macOS-only published release update check, use:
-  - `timeout --foreground 75m pnpm test:parallels:npm-update -- --platform macos --package-spec openclaw@<old-version> --update-target <target-version-or-tag> --json`
-    This keeps the same-guest `openclaw update --tag ...` coverage and uses the shared macOS current-user/sudo fallback without starting Windows/Linux lanes.
 - Required coverage: every release/update regression run must include both lanes:
   - fresh snapshot -> install requested package/baseline -> smoke
   - same guest baseline -> run the guest's installed `openclaw update ...` command -> smoke again
@@ -68,16 +65,8 @@ Use this skill for Parallels guest workflows and smoke interpretation. Do not lo
 - The Windows same-guest update helper should write stage markers to its log before long steps like tgz download and `npm install -g` so the outer progress monitor does not sit on `waiting for first log line` during healthy but quiet installs.
 - Linux same-guest update verification should also export `HOME=/root`, pass `OPENAI_API_KEY` via `prlctl exec ... /usr/bin/env`, and use `openclaw agent --local`; the fresh Linux baseline does not rely on persisted gateway credentials.
 - The npm-update wrapper now prints per-lane progress from the nested log files. If a lane still looks stuck, inspect the nested logs in `runDir` first (`macos-fresh.log`, `windows-fresh.log`, `linux-fresh.log`, `macos-update.log`, `windows-update.log`, `linux-update.log`) instead of assuming the outer wrapper hung.
-- Each run writes both `summary.json` and `summary.md`; read the markdown first for quick human triage, then the JSON/timings for automation.
-- For full beta validation after a tag is published, prefer one command:
-  - `timeout --foreground 150m pnpm test:parallels:npm-update -- --beta-validation beta3 --json`
-    This resolves `beta3` to the latest `*-beta.3` version, runs latest->that-version same-guest update coverage, and then runs fresh install smoke for that exact published target on the same selected OS matrix. Use `--platform macos|windows|linux` to narrow reruns.
-- For beta 4 npm validation with agent turns, the known-good shape is:
-  - `gtimeout --foreground 150m pnpm test:parallels:npm-update -- --beta-validation beta4 --model openai/gpt-5.4 --json`
-    Prefer the explicit `beta4` alias over `openclaw@beta` when validating a specific prerelease number; npm tags can move.
-- If the wrapper fails a lane, read the auto-dumped tail first, then the full nested lane log under `.artifacts/parallels/openclaw-parallels-npm-update.*`.
+- If the wrapper fails a lane, read the auto-dumped tail first, then the full nested lane log under `/tmp/openclaw-parallels-npm-update.*`.
 - Current known macOS update-lane transport signature when the fallback is missing or bypassed: `Unable to authenticate the user. Make sure that the specified credentials are correct and try again.` Treat that as Parallels current-user authentication before blaming npm or OpenClaw.
-- A macOS packaged fresh install with global package directories or bundled files mode `0777` usually means the harness used the root `prlctl exec` fallback under a permissive umask. The POSIX guest transports should prepend `umask 022`; verify the phase preflight line before blaming npm.
 
 ## CLI invocation footgun
 
@@ -86,7 +75,6 @@ Use this skill for Parallels guest workflows and smoke interpretation. Do not lo
 ## macOS flow
 
 - Preferred entrypoint: `pnpm test:parallels:macos`
-- `parallels-macos-smoke.sh --mode fresh --target-package-spec openclaw@<version>` is an install smoke only. For published old-version -> new-version update coverage on macOS, prefer the npm-update wrapper with `--platform macos`; `parallels-macos-smoke.sh --mode upgrade --target-package-spec ...` installs the target package and does not exercise the baseline CLI's updater.
 - Default upgrade coverage on macOS should now include: fresh snapshot -> site installer pinned to the latest stable tag -> `openclaw update --channel dev` on the guest. Treat this as part of the default Tahoe regression plan, not an optional side quest.
 - `parallels-macos-smoke.sh --mode upgrade` should run that release-to-dev lane by default. Keep the older host-tgz upgrade path only when the caller explicitly passes `--target-package-spec`.
 - Because the default upgrade lane no longer needs a host tgz, skip `npm pack` + host HTTP server startup for `--mode upgrade` unless `--target-package-spec` is set. Keep the pack/server path for `fresh` and `both`.
@@ -156,7 +144,6 @@ Use this skill for Parallels guest workflows and smoke interpretation. Do not lo
   - `--discord-token-env`
   - `--discord-guild-id`
   - `--discord-channel-id`
-- After a successful Discord smoke/roundtrip, shut down the guest VM before handoff (`prlctl stop "$VM_NAME"` or the concrete VM name). The macOS smoke harness should do this automatically after successful Discord proof; still stop the VM manually after ad-hoc Discord checks. Do not leave the Discord-configured guest running; it can keep reading/posting in `#maintainer` and spam Discord after the proof is complete.
 - Keep the Discord token only in a host env var.
 - Use installed `openclaw message send/read`, not `node openclaw.mjs message ...`.
 - Set `channels.discord.guilds` as one JSON object, not dotted config paths with snowflakes.

.agents/skills/openclaw-pr-maintainer/SKILL.md

@@ -1,91 +1,16 @@
 ---
 name: openclaw-pr-maintainer
-description: Use immediately for any pasted OpenClaw GitHub issue or PR URL/number, and for OpenClaw issue/PR review, triage, duplicate search, opener identity/who wrote it, author account age/activity, comments, labels, close, land, or maintainer evidence checks.
+description: Maintainer workflow for reviewing, triaging, preparing, closing, or landing OpenClaw pull requests and related issues. Use when Codex needs to validate bug-fix claims, search for related issues or PRs, apply or recommend close/reason labels, prepare GitHub comments safely, check review-thread follow-up, or perform maintainer-style PR decision making before merge or closure.
 ---
 
 # OpenClaw PR Maintainer
 
 Use this skill for maintainer-facing GitHub workflow, not for ordinary code changes.
 
-## Start issue and PR triage with gitcrawl
-
-- Use `$gitcrawl` first anytime you inspect OpenClaw issues or PRs.
-- Check local `gitcrawl` data first for related threads, duplicate attempts, and already-landed fixes.
-- Use `gitcrawl` for candidate discovery and clustering; use `gh`, `gh api`, and the current checkout to verify live state before commenting, labeling, closing, or landing.
-- If `gitcrawl` is missing, stale, lacks the target thread, or has no embeddings for neighbor/search commands, fall back to the GitHub search workflow below.
-- Do not run expensive/update commands such as `gitcrawl sync --include-comments`, future enrichment commands, or broad reclustering unless the user asked to update the local store or stale data is blocking the decision.
-
-Common read-only path:
-
-```bash
-gitcrawl threads openclaw/openclaw --numbers <issue-or-pr-number> --include-closed --json
-gitcrawl neighbors openclaw/openclaw --number <issue-or-pr-number> --limit 12 --json
-gitcrawl search openclaw/openclaw --query "<scope or title keywords>" --mode hybrid --json
-gitcrawl cluster-detail openclaw/openclaw --id <cluster-id> --member-limit 20 --body-chars 280 --json
-```
-
-## Surface opener identity
-
-- For every reviewed, triaged, closed, or landed issue/PR, show the opener's human name when available, GitHub login, and account age.
-- Get the login from `gh issue view` / `gh pr view` (`author.login`), then fetch profile metadata once with `gh api users/<login> --jq '{login,name,created_at,type}'`.
-- Report opener identity as one compact line:
-  `By: Jane Doe (@jane, acct 2021-04-03) | OpenClaw: 4 PRs, 2 issues, 11 commits/12mo | GitHub: 9 repos, 86 commits, 9 PRs, 3 issues, 12 reviews`
-- Always show recent activity in two lanes: OpenClaw-local PRs, issues, and commits in the last 12 months; and general public GitHub activity over the same window. For linked issue-fixing PRs, include both the PR author and issue opener when they differ.
-- Prefer the bundled helper for activity lookups:
-
-```bash
-.agents/skills/openclaw-pr-maintainer/scripts/github-activity.sh <login> [other-login...]
-.agents/skills/openclaw-pr-maintainer/scripts/github-activity.sh --global <login>
-```
-
-- The helper reports repo-local activity first and can fetch public GitHub contribution totals for the same window with `--global`; run the global form by default for review/triage identity summaries.
-- If the global contribution graph reports zero or looks inconsistent with visible public activity, sanity-check with `gh api users/<login>`, `gh api 'users/<login>/events/public?per_page=100'`, and recent public repo commits before calling the account inactive.
-- The helper is intentionally cache-friendly for gitcrawl-backed `gh`: it rounds repo-local windows to the UTC day, rounds global contribution windows to the UTC hour, and counts PRs/issues from one paginated issues response before fetching commits separately. Prefer reusing the helper instead of hand-rolling several `gh api` loops.
-- If the contribution graph is misleading or zero but public events/repos show activity, keep it one line, for example:
-  `By: pickaxe (@ProspectOre, acct 2019-08-24) | OpenClaw: 5 PRs, 0 issues, 5 commits/12mo | GitHub: 5 repos, 29 recent events, 100 public own-repo commits; graph=0`
-- If `name` is empty, use the login only. If profile lookup is rate-limited or unavailable, say `account age unknown` rather than omitting the opener.
-- Use identity and activity as triage signal, not proof by itself: new, low-activity, or bot-like accounts can raise review caution, but code, repro, and CI evidence still decide.
-
-## Suppress top-maintainer items in issue triage
-
-When asked for issue triage, hot issues, pressing bugs, Discord-correlated issues, or "what is still open", do not surface issues or PRs authored by top maintainers by default. Prefer external/user-reported hot issues and external PRs, not maintainer-owned work queues.
-
-Suppress by default when the opener/author is one of:
-
-- `@vincentkoc`
-- `@Takhoffman`
-- `@gumadeiras`
-- `@obviyus`
-- `@shakkernerd`
-- `@mbelinky`
-- `@joshavant`
-- `@ngutman`
-- `@vignesh07`
-- `@huntharo`
-
-Also suppress lower-priority maintainer-owned noise from the broader keep/top-maintainer group unless it is directly relevant:
-
-- `@thewilloftheshadow`
-- `@onutc` / `@osolmaz`
-- `@jacobtomlinson`
-- `@tyler6204`
-- `@velvet-shark`
-- `@jalehman`
-- `@frankekn`
-- `@ImLukeF`
-- `@mcaxtr`
-
-Exceptions:
-
-- Show maintainer-authored items when the requester explicitly asks for maintainer PRs/issues, PR landing candidates, release-blocking maintainer work, or a specific PR/issue number.
-- Show a maintainer-authored item when it is the canonical fix for an external hot issue, but frame it as the fix path rather than as a user-facing issue candidate.
-- Do not close, label, or deprioritize solely because an item is maintainer-authored; this section only controls what appears in triage shortlists.
-
 ## Apply close and triage labels correctly
 
 - If an issue or PR matches an auto-close reason, apply the label and let `.github/workflows/auto-response.yml` handle the comment/close/lock flow.
 - Do not manually close plus manually comment for these reasons.
-- If an issue/PR is already fixed on current `main` or solved by a new release, comment with proof plus the canonical commit/PR/release, then close it.
 - `r:*` labels can be used on both issues and PRs.
 - Current reasons:
   - `r: skill`
@@ -99,64 +24,9 @@ Exceptions:
   - `invalid`
   - `dirty` for PRs only
 
-## Select small high-confidence triage candidates
-
-When asked for `X` issues or PRs to triage, `X` means qualified candidates, not sampled threads.
-
-Issue triage is review/prove/patch-local by default:
-
-1. Review the issue body, comments, related threads, current code, and adjacent tests.
-2. Fix only issues that are easy, high-confidence, and narrowly owned by the implicated path.
-3. Add focused regression proof when practical.
-4. Stop with the dirty diff, touched files, and test/gate output for maintainer review.
-5. After maintainer approval to ship, make one commit per accepted fix, with its own changelog entry when user-facing.
-6. Pull/rebase, push, then comment and close only the issues that were fixed or explicitly triaged closed.
-
-Do not batch unrelated issue fixes into one commit. Do not publish, comment, close, or label during the review/prove phase.
-
-Missing changelog is not a PR review finding or merge blocker. If landing/fixing a user-visible change, add/update changelog automatically when practical; never ask or block solely on it.
-
-Only list candidates that pass all gates:
-
-- small owner/surface, with a likely narrow fix and focused regression test
-- symptom is reproducible or provable with logs, failing test, live command, dependency contract, or current-main behavior
-- root cause is traceable to code with file/line and the proposed fix touches that path
-- no strong smell that a broader refactor, ownership rethink, migration, or product decision is the better fix
-- dependency-backed behavior checked against upstream docs/source/types; live or web proof used when local proof is insufficient
-
-Loop:
-
-1. Use `gitcrawl` / `gh` to gather candidate clusters.
-2. Read issue/PR body, comments, current code, adjacent tests, and dependency contracts.
-3. Try focused repro or proof.
-4. Reject unclear, stale, speculative, broad-refactor, or owner-ambiguous items.
-5. Continue until `X` qualified candidates or the bounded search is exhausted.
-
-Output only qualifying candidates, with: ref, surface, proof, cause, fix sketch, why small, expected test/gate. If none qualify, say so; do not pad.
-
-## Structure PR review output
-
-- Start every PR review with 1-3 plain sentences explaining what the change does and why it matters. Put this before `Findings`.
-- Then list findings first. If none, say `No blocking findings` or `No findings`.
-- Always answer: bug/behavior being fixed, PR/issue URL and affected surface, and best-fix verdict.
-- Keep summaries compact, but include enough proof that the verdict is auditable without rereading the PR.
-
-## Read beyond the diff
-
-- Review the surrounding code path, not just changed lines. Open the caller, callee, data contracts, adjacent tests, and owner module.
-- For large-codebase PRs, sample enough related files to understand the runtime boundary before deciding. Default to more code reading when the change touches agents, gateway, plugins, auth, sessions, process, config, or provider/runtime seams.
-- Compare the PR against current `origin/main` behavior. Check whether recent main already changed the same surface.
-- Dependency-backed behavior: MUST read upstream docs/source/types before judging API use, defaults, output shapes, errors, timeouts, memory behavior, or compatibility. Do not assume dependency contracts from memory or PR text.
-- Judge solution quality, not only correctness. Ask whether the PR is the clean owner-boundary fix or a wart/workaround that should be replaced by a small refactor, moved seam, contract change, or deletion of duplicate logic.
-- Mention the main files read when the verdict depends on code-path evidence.
-
 ## Enforce the bug-fix evidence bar
 
 - Never merge a bug-fix PR based only on issue text, PR text, or AI rationale.
-- Whenever feasible, use Crabbox (`$crabbox`) for end-to-end verification before
-  commenting that a bug is unreproducible, closing an issue, or opening/landing
-  a fix PR. Prefer a real packaged/Docker/live lane that exercises the reported
-  user flow over unit-only proof.
 - Before landing, require:
   1. symptom evidence such as a repro, logs, or a failing test
   2. a verified root cause in code with file/line
@@ -164,24 +34,6 @@ Output only qualifying candidates, with: ref, surface, proof, cause, fix sketch,
   4. a regression test when feasible, or explicit manual verification plus a reason no test was added
 - If the claim is unsubstantiated or likely wrong, request evidence or changes instead of merging.
 - If the linked issue appears outdated or incorrect, correct triage first. Do not merge a speculative fix.
-- If Crabbox/E2E proof is blocked, say exactly why and use the closest available
-  local, Docker, mocked, or targeted proof. Do not present unit tests as real
-  behavior proof.
-
-## Close low-signal manual PRs carefully
-
-- Do not close for red CI alone. Require a clear low-signal category plus stale or failed validation.
-- Good manual-close categories:
-  - blank or mostly untouched PR template with no concrete OpenClaw problem/fix
-  - random docs-only churn such as root README translations, generic wording tweaks, or community-plugin discoverability docs that should go through ClawHub
-  - test-only coverage without a linked bug, owner request, or behavior change
-  - refactor-only cleanup, variable renames, formatting, or generated/baseline churn without maintainer request
-  - third-party channel/provider/tool/skill/plugin work that belongs on ClawHub instead of core
-  - risky ops/infra drive-bys such as new external CI services, release workflows, host upgrade scripts, Docker base migrations, or apt retry/fix-missing tweaks without owner request and green validation
-  - dirty branches where a narrow stated change includes unrelated docs/generated/runtime/extension files
-  - repeated bot-review spam or copied bot output without author-owned fixes
-- Keep or escalate plausible focused bug fixes, green PRs, active maintainer discussions, assigned work, recent author follow-up, and unique reproduction details.
-- For third-party capabilities, prefer the `r: third-party-extension` auto-response label when it applies; it points contributors to publish on ClawHub.
 
 ## Handle GitHub text safely
 
@@ -192,9 +44,9 @@ Output only qualifying candidates, with: ref, surface, proof, cause, fix sketch,
 
 ## Search broadly before deciding
 
-- Prefer `gitcrawl` first. Then use targeted GitHub keyword search to verify gaps, live status, comments, and candidates not present in the local store.
-- Use `--repo openclaw/openclaw` with `--match title,body` first when using `gh search`.
-- Add `--match comments` when triaging follow-up discussion or closed-as-duplicate chains.
+- Prefer targeted keyword search before proposing new work or closing something as duplicate.
+- Use `--repo openclaw/openclaw` with `--match title,body` first.
+- Add `--match comments` when triaging follow-up discussion.
 - Do not stop at the first 500 results when the task requires a full search.
 
 Examples:
@@ -209,9 +61,6 @@ gh search issues --repo openclaw/openclaw --match title,body --limit 50 \
 
 ## Follow PR review and landing hygiene
 
-- Never mention merge conflicts that are relatively easy to resolve, such as
-  `CHANGELOG.md` entries, in review-only output. These are landing mechanics,
-  not correctness findings.
 - If bot review conversations exist on your PR, address them and resolve them yourself once fixed.
 - Leave a review conversation unresolved only when reviewer or maintainer judgment is still needed.
 - When landing or merging any PR, follow the global `/landpr` process.
@@ -219,7 +68,6 @@ gh search issues --repo openclaw/openclaw --match title,body --limit 50 \
 - Keep commit messages concise and action-oriented.
 - Group related changes; avoid bundling unrelated refactors.
 - Use `.github/pull_request_template.md` for PR submissions and `.github/ISSUE_TEMPLATE/` for issues.
-- Do not commit PR-only artifacts such as screenshots under `.github/pr-assets`; attach them to the PR/comment or use an external artifact store instead.
 
 ## Extra safety
 

.agents/skills/openclaw-pr-maintainer/scripts/github-activity.sh

@@ -1,178 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-repo="openclaw/openclaw"
-months="12"
-include_global="0"
-
-usage() {
-  printf 'Usage: %s [--repo owner/repo] [--months N] [--global] <github-login> [login...]\n' "$0"
-}
-
-die() {
-  printf 'error: %s\n' "$*" >&2
-  exit 1
-}
-
-need() {
-  command -v "$1" >/dev/null 2>&1 || die "missing required command: $1"
-}
-
-date_utc_relative_months() {
-  local count="$1"
-  if date -u -v-"${count}"m +%Y-%m-%dT00:00:00Z >/dev/null 2>&1; then
-    date -u -v-"${count}"m +%Y-%m-%dT00:00:00Z
-    return
-  fi
-  date -u -d "${count} months ago" +%Y-%m-%dT00:00:00Z
-}
-
-date_to_epoch() {
-  local value="$1"
-  if date -u -j -f '%Y-%m-%dT%H:%M:%SZ' "$value" +%s >/dev/null 2>&1; then
-    date -u -j -f '%Y-%m-%dT%H:%M:%SZ' "$value" +%s
-    return
-  fi
-  date -u -d "$value" +%s
-}
-
-rough_age() {
-  local created_at="$1"
-  local now_s created_s days
-  now_s=$(date -u +%s)
-  created_s=$(date_to_epoch "$created_at")
-  days=$(( (now_s - created_s) / 86400 ))
-  if (( days < 120 )); then
-    printf '~%dd old' "$days"
-    return
-  fi
-  awk -v days="$days" 'BEGIN { printf "~%.1fy old", days / 365.2425 }'
-}
-
-thread_kinds() {
-  local login="$1"
-  local since_ts="$2"
-  gh api --paginate "repos/${repo}/issues?state=all&creator=${login}&since=${since_ts}&per_page=100" \
-    --jq ".[] | select(.created_at >= \"${since_ts}\") | if has(\"pull_request\") then \"pr\" else \"issue\" end"
-}
-
-count_kind_lines() {
-  local kind="$1"
-  local lines="$2"
-  grep -cx "$kind" <<<"$lines" 2>/dev/null || true
-}
-
-count_commits() {
-  local login="$1"
-  local since_ts="$2"
-  gh api --paginate "repos/${repo}/commits?author=${login}&since=${since_ts}&per_page=100" \
-    --jq '.[].sha' | wc -l | tr -d '[:space:]'
-}
-
-global_activity() {
-  local login="$1"
-  local since_ts="$2"
-  local now_ts="$3"
-  # shellcheck disable=SC2016
-  gh api graphql \
-    -f login="$login" \
-    -f from="$since_ts" \
-    -f to="$now_ts" \
-    -f query='
-query($login: String!, $from: DateTime!, $to: DateTime!) {
-  user(login: $login) {
-    contributionsCollection(from: $from, to: $to) {
-      totalCommitContributions
-      totalIssueContributions
-      totalPullRequestContributions
-      totalPullRequestReviewContributions
-    }
-  }
-}' \
-    --jq '.data.user.contributionsCollection // empty'
-}
-
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --repo)
-      [[ $# -ge 2 ]] || die "--repo requires owner/repo"
-      repo="$2"
-      shift 2
-      ;;
-    --months)
-      [[ $# -ge 2 ]] || die "--months requires a positive integer"
-      months="$2"
-      [[ "$months" =~ ^[0-9]+$ && "$months" != "0" ]] || die "--months must be a positive integer"
-      shift 2
-      ;;
-    --global)
-      include_global="1"
-      shift
-      ;;
-    -h|--help)
-      usage
-      exit 0
-      ;;
-    --)
-      shift
-      break
-      ;;
-    -*)
-      die "unknown option: $1"
-      ;;
-    *)
-      break
-      ;;
-  esac
-done
-
-[[ $# -gt 0 ]] || {
-  usage >&2
-  exit 2
-}
-
-need gh
-need jq
-
-since_ts=$(date_utc_relative_months "$months")
-now_ts=$(date -u +%Y-%m-%dT%H:00:00Z)
-
-for login in "$@"; do
-  profile=$(gh api "users/${login}" --jq '{login,name,created_at,type}')
-  display_login=$(jq -r '.login' <<<"$profile")
-  name=$(jq -r '.name // empty' <<<"$profile")
-  created_at=$(jq -r '.created_at' <<<"$profile")
-  type=$(jq -r '.type' <<<"$profile")
-  created_day=${created_at%%T*}
-
-  kinds=$(thread_kinds "$display_login" "$since_ts")
-  prs=$(count_kind_lines pr "$kinds")
-  issues=$(count_kind_lines issue "$kinds")
-  commits=$(count_commits "$display_login" "$since_ts")
-
-  if [[ -n "$name" ]]; then
-    printf '%s (@%s, %s, account created %s, %s)\n' \
-      "$name" "$display_login" "$type" "$created_day" "$(rough_age "$created_at")"
-  else
-    printf '@%s (%s, account created %s, %s)\n' \
-      "$display_login" "$type" "$created_day" "$(rough_age "$created_at")"
-  fi
-  printf '%s last %smo: %s PRs, %s issues, %s commits\n' "$repo" "$months" "$prs" "$issues" "$commits"
-
-  if [[ "$include_global" == "1" ]]; then
-    if global_json=$(global_activity "$display_login" "$since_ts" "$now_ts" 2>/dev/null); then
-      if [[ -n "$global_json" ]]; then
-        global_commits=$(jq -r '.totalCommitContributions' <<<"$global_json")
-        global_issues=$(jq -r '.totalIssueContributions' <<<"$global_json")
-        global_prs=$(jq -r '.totalPullRequestContributions' <<<"$global_json")
-        global_reviews=$(jq -r '.totalPullRequestReviewContributions' <<<"$global_json")
-        printf 'GitHub public last %smo: %s commits, %s PRs, %s issues, %s reviews\n' \
-          "$months" "$global_commits" "$global_prs" "$global_issues" "$global_reviews"
-      else
-        printf 'GitHub public last %smo: unavailable\n' "$months"
-      fi
-    else
-      printf 'GitHub public last %smo: unavailable\n' "$months"
-    fi
-  fi
-done

.agents/skills/openclaw-pre-release-plugin-testing/SKILL.md

@@ -1,234 +0,0 @@
----
-name: openclaw-pre-release-plugin-testing
-description: Plan and run pre-release OpenClaw plugin validation across bundled plugins, package artifacts, lifecycle commands, doctor/fix, config round-trip, gateway startup, SDK compatibility, Docker E2E, Package Acceptance, and Testbox proof.
----
-
-# OpenClaw Pre-Release Plugin Testing
-
-Use this skill when the user asks for plugin release confidence, plugin lifecycle
-sweeps, package-artifact plugin proof, or "what else should we test before
-release?" It complements `openclaw-testing`; use that skill too when choosing
-the cheapest safe runner or debugging a failing lane.
-
-## Goal
-
-Prove the plugin system as a product surface, not just as source tests:
-
-- bundled plugin lifecycle: install, inspect, enable, disable, uninstall
-- package artifact behavior from a clean `HOME`
-- doctor/fix/config validation and idempotence
-- config discovery and config round-trip
-- status/log visibility and diagnostics
-- gateway startup/bootstrap with plugin metadata snapshots
-- public SDK compatibility for real external plugins
-- live-ish provider/channel probes only when safe credentials exist
-
-## First Checks
-
-From the OpenClaw repo root:
-
-```bash
-pnpm docs:list
-git status --short --branch
-readlink node_modules
-pnpm changed:lanes --json
-```
-
-In Codex worktrees under `.codex/worktrees`, `node_modules` must be a symlink to
-the main OpenClaw checkout. Do not run `pnpm install` there. For broad or
-package-heavy proof, use Blacksmith Testbox or GitHub Actions.
-
-## Runner Choice
-
-Prefer this order:
-
-1. **GitHub Package Acceptance** for installable-package product proof.
-2. **`ci-build-artifacts-testbox.yml` Testbox** when Docker/package lanes need
-   seeded `dist`, `dist-runtime`, and package caches.
-3. **`ci-check-testbox.yml` Testbox** for source checks, targeted Vitest,
-   package-boundary checks, or focused Docker lanes.
-4. **Local targeted commands only** for small format/static/unit probes.
-
-Avoid long package Docker runs from a stale sparse worktree. If Testbox sync
-reports hundreds of changed files or starts deleting package inputs, stop and
-warm a fresh box from current `main`, or switch to Package Acceptance.
-
-## Existing Baseline
-
-Run or verify these before inventing new coverage:
-
-```bash
-OPENCLAW_TESTBOX=1 pnpm check:changed
-pnpm run test:extensions:package-boundary:canary
-pnpm run test:extensions:package-boundary:compile
-pnpm test:docker:plugins
-OPENCLAW_PLUGINS_E2E_CLAWHUB=0 pnpm test:docker:plugins
-pnpm test:docker:plugin-update
-pnpm test:docker:bundled-channel-deps:fast
-```
-
-For full bundled install/uninstall proof, shard the packaged sweep:
-
-```bash
-OPENCLAW_BUNDLED_PLUGIN_SWEEP_TOTAL=8 \
-OPENCLAW_BUNDLED_PLUGIN_SWEEP_INDEX=<0-7> \
-pnpm test:docker:bundled-plugin-install-uninstall
-```
-
-Expected current packaged scope: 116 public bundled plugins over shards `0-7`.
-Private QA plugins are source-mode only unless a package explicitly includes
-them.
-
-## Confidence Matrix
-
-Use this matrix for pre-release signoff. Record pass/fail, run URL/Testbox ID,
-package SHA/version, and skipped-live reason.
-
-| Surface | Proof | Preferred runner |
-| --- | --- | --- |
-| Package artifact | Package Acceptance `suite_profile=package` or custom lanes | GitHub Actions |
-| Bundled lifecycle | 8-shard `test:docker:bundled-plugin-install-uninstall` | Testbox or release Docker |
-| External plugins | `test:docker:plugins` and `plugins-offline` | Testbox/package acceptance |
-| Update no-op | `test:docker:plugin-update` | Testbox/package acceptance |
-| Channel runtime deps | `test:docker:bundled-channel-deps:fast` plus key channels | Testbox/package acceptance |
-| Doctor/fix | seeded bad configs + `doctor --fix --non-interactive` | new Docker/Testbox harness |
-| Config round-trip | `config set/get`, inspect, doctor, reload, diff hash | new Docker/Testbox harness |
-| Gateway bootstrap | clean `HOME`, plugin groups enabled/disabled, status JSON | new Docker/Testbox harness |
-| SDK compatibility | directory, tgz, and `file:` external plugins using SDK subpaths | `test:docker:plugins` plus new smoke |
-| Live-ish | redacted provider/channel probes only for present env | Testbox live lanes |
-
-## Package Acceptance Plan
-
-Use this when validating a release branch, beta, or candidate package:
-
-```bash
-gh workflow run package-acceptance.yml \
-  --repo openclaw/openclaw \
-  --ref main \
-  -f workflow_ref=main \
-  -f source=ref \
-  -f package_ref=<branch-or-sha> \
-  -f suite_profile=custom \
-  -f docker_lanes='plugins-offline plugin-update bundled-channel-deps-compat doctor-switch update-channel-switch config-reload mcp-channels npm-onboard-channel-agent' \
-  -f telegram_mode=mock-openai
-```
-
-Use `source=npm -f package_spec=openclaw@beta` for published beta proof. Keep
-`workflow_ref` as trusted current harness code unless the release process says
-otherwise.
-
-## New Testbox Harness Plan
-
-If more certainty is needed, add or run a `plugin-lifecycle-matrix` Docker lane
-that uses one package tarball and sharded plugin lists. Per plugin:
-
-1. Start with a clean `HOME`.
-2. Capture `plugins list --json`.
-3. `plugins install <id>`.
-4. `plugins inspect <id> --json`.
-5. `plugins disable <id>`, then assert disabled visibility.
-6. `plugins enable <id>`, except config-required plugins without config.
-7. `plugins registry --refresh`.
-8. `doctor --non-interactive`.
-9. `plugins uninstall <id> --force`.
-10. Assert no config entry, allow/deny residue, install record, managed dir, or
-    bundled `dist/extensions/...` load path remains.
-11. Assert diagnostics contain no `level: "error"` and output redacts
-    secret-looking values.
-
-Keep `memory-lancedb` special: it is config-required. First assert install does
-not enable it without embedding config, then run a second configured case.
-
-## Doctor/Fix Matrix
-
-Seed bad states and require `doctor --fix --non-interactive` to repair them,
-then run doctor again and require idempotence:
-
-- stale `plugins.allow`
-- stale `plugins.entries`
-- stale channel config for missing channel plugin
-- invalid `plugins.entries.<id>.config`
-- packaged bundled path in `plugins.load.paths`
-- legacy `plugins.installs`
-- disabled channel/plugin config that must not stage runtime deps
-- root-owned global package tree that must remain unmodified
-
-## Gateway Bootstrap Matrix
-
-Start packaged OpenClaw in Docker with clean state:
-
-- provider plugins enabled, no credentials: ready with warnings, no crash
-- channel plugins configured disabled: no runtime deps staged
-- startup-activation plugins enabled: ready and reflected in status
-- invalid single plugin config: bad plugin skipped/quarantined, others remain
-
-Assert:
-
-- gateway reaches ready
-- `openclaw status --json` includes plugin diagnostics
-- `openclaw plugins inspect --all --json` is parseable
-- package tree is not mutated
-- logs contain no raw tokens
-
-## Config Round-Trip Representatives
-
-Use representative plugin families instead of every plugin for deep config
-round-trip:
-
-- providers: `openai`, `anthropic`, `mistral`, `openrouter`
-- channels: `telegram`, `discord`, `slack`, `whatsapp`
-- memory: `memory-lancedb`
-- feature/runtime: `browser`, `acpx`, `tokenjuice`
-
-For each representative:
-
-1. Write config through CLI when possible.
-2. Read it back through `config get` or JSON.
-3. Run `plugins inspect`.
-4. Run `doctor --non-interactive`.
-5. Trigger gateway config reload if applicable.
-6. Compare config hash before/after no-op commands.
-
-## External SDK Smoke
-
-In a package Docker lane, create tiny external plugins and install them from:
-
-- local directory
-- `.tgz`
-- `file:` npm spec
-
-Cover CJS and ESM shapes, plus at least one plugin importing focused
-`openclaw/plugin-sdk/*` subpaths. Assert `plugins inspect` sees its tool,
-gateway method, CLI command, or service.
-
-## Live-Ish Probe Rules
-
-Before live-ish work, source allowed env in Testbox and generate a redacted
-availability matrix: present/missing only, never values.
-
-Only run probes for credentials that exist. Prefer auth/catalog/status probes
-over sending user-visible messages. If a probe might contact an external user,
-channel, or workspace, stop and ask the user.
-
-## Reporting
-
-Report in this shape:
-
-```text
-package/ref:
-tbx ids / run urls:
-matrix:
-  bundled lifecycle:
-  package acceptance:
-  doctor/fix:
-  gateway bootstrap:
-  config round-trip:
-  sdk external:
-  live-ish:
-failures:
-skips:
-next highest-value gap:
-```
-
-Say clearly when a failure is Testbox sync/env damage rather than product
-behavior, and prove that with a clean rerun or current-main comparison.

.agents/skills/openclaw-pre-release-plugin-testing/agents/openai.yaml

@@ -1,4 +0,0 @@
-interface:
-  display_name: "OpenClaw Plugin Pre-Release Testing"
-  short_description: "Plan plugin release validation"
-  default_prompt: "Use $openclaw-pre-release-plugin-testing to plan or run pre-release OpenClaw plugin validation across package, lifecycle, doctor, gateway, SDK, and live-ish proof."

.agents/skills/openclaw-qa-testing/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: openclaw-qa-testing
-description: Run, watch, debug, extend, or explain OpenClaw qa-lab and qa-channel scenarios, artifacts, and live lanes.
+description: Run, watch, debug, and extend OpenClaw QA testing with qa-lab and qa-channel. Use when Codex needs to execute the repo-backed QA suite, inspect live QA artifacts, debug failing scenarios, add new QA scenarios, or explain the OpenClaw QA workflow. Prefer the live OpenAI lane with regular openai/gpt-5.4 in fast mode; do not use gpt-5.4-pro or gpt-5.4-mini unless the user explicitly overrides that policy.
 ---
 
 # OpenClaw QA Testing
@@ -49,125 +49,6 @@ pnpm openclaw qa suite \
 5. If the user wants to watch the live UI, find the current `openclaw-qa` listen port and report `http://127.0.0.1:<port>`.
 6. If a scenario fails, fix the product or harness root cause, then rerun the full lane.
 
-## OTEL smoke
-
-For local QA-lab OpenTelemetry validation, use:
-
-```bash
-pnpm qa:otel:smoke
-```
-
-This starts a local OTLP/HTTP trace receiver, runs the `otel-trace-smoke`
-scenario through qa-channel, decodes the emitted protobuf spans, and verifies
-the exported trace names and privacy contract. It does not require Opik,
-Langfuse, or external collector credentials.
-
-## Matrix live profiles
-
-`pnpm openclaw qa matrix` defaults to the full `all` profile. Use explicit
-profiles for faster CI/release proof:
-
-```bash
-OPENCLAW_QA_MATRIX_NO_REPLY_WINDOW_MS=3000 \
-pnpm openclaw qa matrix --profile fast --fail-fast
-```
-
-- `fast`: release-critical transport contract, excluding generated image and
-  deep E2EE recovery inventory.
-- `transport`, `media`, `e2ee-smoke`, `e2ee-deep`, `e2ee-cli`: sharded full
-  Matrix coverage.
-- `QA-Lab - All Lanes` uses explicit `fast` Matrix on scheduled runs. Manual
-  dispatch keeps `matrix_profile=all` as the default and always shards that full
-  Matrix selection.
-
-## QA credentials and 1Password
-
-- Use `op` only inside `tmux` for QA secret lookup in this repo.
-- Quick auth check inside tmux:
-
-```bash
-op account list
-```
-
-- Direct Telegram npm live test secrets currently live in 1Password item:
-  - vault: `OpenClaw`
-  - item: `Telegram E2E`
-- That item is the first place to look for:
-  - `OPENCLAW_QA_TELEGRAM_DRIVER_BOT_TOKEN`
-  - `OPENCLAW_QA_TELEGRAM_SUT_BOT_TOKEN`
-  - `OPENCLAW_QA_PROVIDER_MODE`
-  - `OPENCLAW_NPM_TELEGRAM_PACKAGE_SPEC`
-- Convex QA secrets currently live in 1Password items:
-  - vault: `OpenClaw`
-  - item: `OPENCLAW_QA_CONVEX_SITE_URL`
-  - item: `OPENCLAW_QA_CONVEX_SECRET_MAINTAINER`
-  - item: `OPENCLAW_QA_CONVEX_SECRET_CI`
-- Additional related notes/login items seen during QA credential work:
-  - vault: `Private`
-  - items: `OPENCLAW QA`, `Convex`, `Telegram`
-- If a required value is missing from those notes:
-  - do not guess
-  - ask the maintainer/operator for the current value or the current 1Password item name
-  - for Telegram direct runs, `OPENCLAW_QA_TELEGRAM_GROUP_ID` may be stored separately from `Telegram E2E`
-  - for Convex runs, the leased Telegram credential should provide the Telegram group id and bot tokens together; do not require a separate `OPENCLAW_QA_TELEGRAM_GROUP_ID`
-  - for Convex runs, prefer `OpenClaw/OPENCLAW_QA_CONVEX_SITE_URL`; if that is stale or unclear, ask for the active pool URL before running
-- Prefer direct Telegram envs for the npm Telegram Docker lane when available:
-
-```bash
-OPENCLAW_QA_TELEGRAM_GROUP_ID="..." \
-OPENCLAW_QA_TELEGRAM_DRIVER_BOT_TOKEN="..." \
-OPENCLAW_QA_TELEGRAM_SUT_BOT_TOKEN="..." \
-OPENCLAW_QA_PROVIDER_MODE="mock-openai" \
-OPENCLAW_NPM_TELEGRAM_PACKAGE_SPEC="openclaw@beta" \
-pnpm test:docker:npm-telegram-live
-```
-
-- Prefer Convex mode when the goal is stable shared QA infra:
-  - round-robin credential leasing
-  - thinner wrapper for channel-specific setup
-  - CLI/admin flows around the pooled credentials
-- Live npm Telegram Docker lane note:
-  - `scripts/e2e/npm-telegram-live-runner.ts` reads `OPENCLAW_NPM_TELEGRAM_PROVIDER_MODE`
-  - do not assume `OPENCLAW_QA_PROVIDER_MODE` is consumed by that wrapper
-  - if a 1Password note only gives `OPENCLAW_QA_PROVIDER_MODE`, map it explicitly to `OPENCLAW_NPM_TELEGRAM_PROVIDER_MODE` before running the Docker lane
-- Verified live shape:
-  - Convex mode can pass the real Docker lane without direct Telegram env vars
-  - leased Telegram payload includes the group id coupled to the driver/SUT tokens
-  - a real run of `pnpm test:docker:npm-telegram-live` passed with:
-    - `OPENCLAW_QA_CREDENTIAL_SOURCE=convex`
-    - `OPENCLAW_QA_CREDENTIAL_ROLE=maintainer`
-    - `OPENCLAW_QA_CONVEX_SITE_URL`
-    - `OPENCLAW_QA_CONVEX_SECRET_MAINTAINER`
-    - `OPENCLAW_NPM_TELEGRAM_PROVIDER_MODE=mock-openai`
-- If direct Telegram env is missing locally and `op signin` blocks, prefer dispatching the manual GitHub lane because the `qa-live-shared` environment already has Convex CI credentials:
-
-```bash
-gh workflow run "NPM Telegram Beta E2E" --repo openclaw/openclaw --ref main \
-  -f package_spec=openclaw@YYYY.M.D-beta.N \
-  -f package_label=openclaw@YYYY.M.D-beta.N \
-  -f provider_mode=mock-openai
-```
-
-- Poll the exact run id from the dispatch URL. `gh run view --json artifacts` is not supported; list artifacts with:
-
-```bash
-gh api repos/openclaw/openclaw/actions/runs/<run-id>/artifacts
-```
-
-## WhatsApp live credentials
-
-Use this when setting up or replacing Convex `kind=whatsapp` credentials.
-
-- Treat WhatsApp QA credentials as operator-owned live accounts, not generated fixtures.
-- Use two dedicated WhatsApp-capable test numbers: one driver account and one SUT account. Do not use personal numbers or personal OpenClaw WhatsApp accounts in the shared pool.
-- Register and link each account manually with WhatsApp or WhatsApp Business, storing Web auth only in isolated local auth dirs outside the repo.
-- For group coverage, create a dedicated test group that includes both QA accounts and store its JID as `groupJid`; otherwise the group mention-gating scenario should be skipped by default and fail when explicitly requested.
-- Package the two Baileys auth dirs into base64 `.tgz` payload fields and add a new active Convex credential row. Prefer adding a fresh row and disabling stale/broken rows over overwriting credentials in place.
-- Expected payload fields: `driverPhoneE164`, `sutPhoneE164`, `driverAuthArchiveBase64`, `sutAuthArchiveBase64`, and optional `groupJid`.
-- Keep credential material out of the repo, logs, PRs, and screenshots. Redact phone numbers unless the operator explicitly asks for local debugging.
-- Validate with `pnpm openclaw qa whatsapp --credential-source convex --credential-role maintainer --provider-mode mock-openai` and preserve artifact paths plus redacted pass/fail summaries.
-- If WhatsApp expires or invalidates a linked Web session, relink locally, package fresh auth archives, add a new Convex row, then disable the stale row.
-
 ## Character evals
 
 Use `qa character-eval` for style/persona/vibe checks across multiple live models.

.agents/skills/openclaw-release-maintainer/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: openclaw-release-maintainer
-description: Prepare or verify OpenClaw stable/beta releases, changelogs, release notes, publish commands, and artifacts.
+description: Maintainer workflow for OpenClaw releases, prereleases, changelog release notes, and publish validation. Use when Codex needs to prepare or verify stable or beta release steps, align version naming, assemble release notes, check release auth requirements, or validate publish-time commands and artifacts.
 ---
 
 # OpenClaw Release Maintainer
@@ -25,40 +25,15 @@ Use this skill for release and publish-time workflow. Keep ordinary development
 - Before release branching, commit any dirty files in coherent groups, push,
   pull/rebase, then run `/changelog` on `main` and commit/push/pull that
   changelog rewrite immediately before creating the release branch.
-- During release planning, inspect both `src/plugins/compat/registry.ts` and
-  `src/commands/doctor/shared/deprecation-compat.ts` before branching and again
-  before final publish. For every deprecated or removal-pending compatibility
-  record whose `removeAfter` date is on or before the release date, either
-  remove the compatibility path where safe and validate the affected tests, or
-  write down why removal is blocked and get explicit maintainer approval before
-  shipping the expired compatibility path.
-- When removing deprecated runtime/config compatibility, preserve any doctor
-  migration, repair, or hint that is still needed by supported upgrade paths.
-  Doctor-side compatibility should stay tracked in
-  `src/commands/doctor/shared/deprecation-compat.ts` until maintainers confirm
-  the repair is no longer needed.
-- Revalidate compatibility replacement text during release planning. The
-  recommended replacement can shift as plugin ownership, externalization, and
-  config footprint move, so do not blindly copy stale replacement annotations
-  into release notes.
-- Do not delete or rewrite beta tags after their matching npm package has been
-  published. If a pushed beta tag fails before npm publish, the version is not
-  consumed: keep the same `-beta.N`, delete/recreate or force-move the git tag
-  and prerelease to the fixed commit, and rerun preflight. Do not increment to
-  the next beta number until the matching npm package has actually published.
-  If a published beta needs a fix, commit the fix on the release branch and
+- Do not delete or rewrite beta tags after they leave the machine. If a
+  published or pushed beta needs a fix, commit the fix on the release branch and
   increment to the next `-beta.N`.
-- For a beta release train, run the fast local preflight first, publish the
-  beta to npm `beta`, then run the expensive published-package roster focused
-  on install/update/Docker/Parallels/NPM Telegram. If anything fails, fix it on
-  the release branch, commit/push/pull, increment beta number, and repeat. Run
-  the full expensive roster at least once before stable/latest promotion; for
-  later beta attempts, rerun only lanes whose evidence changed unless the fix
-  touches broad release, install/update, plugin, Docker, Parallels, or live QA
-  behavior. After each beta is published, scan current `main` once for critical
-  fixes that landed after the release branch cut and backport only important
-  low-risk fixes. Operators may authorize up to 4 autonomous beta attempts;
-  after 4 failed beta attempts, stop and report.
+- For a beta release train, run the full pre-npm test roster before publishing
+  each beta. After a beta is published, run the smaller published-install roster
+  focused on install/update/Docker/Parallels. If anything fails, fix it on the
+  release branch, commit/push/pull, increment beta number, and repeat. Operators
+  may authorize up to 4 autonomous beta attempts; after 4 failed beta attempts,
+  stop and report.
 - Use `/changelog` before version/tag preparation so the top changelog section
   is deduped and ordered by user impact.
 - Do not create beta-specific `CHANGELOG.md` headings. Beta releases use the
@@ -95,27 +70,6 @@ Use this skill for release and publish-time workflow. Keep ordinary development
 - Every stable OpenClaw release ships the npm package and macOS app together.
   Beta releases normally ship npm/package artifacts first and skip mac app
   build/sign/notarize unless the operator requests mac beta validation.
-- Do not let the slower macOS signing/notary path block npm publication once
-  the npm preflight has passed. Keep mac validation/publish running in
-  parallel, publish npm from the successful npm preflight, then start published
-  npm install/update, Docker, and Parallels verification while mac artifacts
-  continue.
-- After a beta is published, overlap remote/manual release rosters where useful,
-  but avoid piling local Docker, Parallels, and QA-Lab work onto the same host
-  when it would create system-load noise. Use selective reruns after failures or
-  fixes, but keep proof that Docker, Parallels, and QA-Lab each passed at least
-  once before stable/latest promotion.
-- Mac packaging may be built from a slight release-branch variation of the
-  tagged commit when the delta is mac packaging, signing, workflow, or
-  validation-only release machinery. If mac packaging needs release-branch-only
-  fixes after the stable npm package or GitHub tag is already published, do not
-  create a `vYYYY.M.D-N` correction tag just to change the workflow source.
-  Dispatch the private mac workflows for the original `tag=vYYYY.M.D` with
-  `source_ref=release/YYYY.M.D` and `public_release_branch=release/YYYY.M.D`;
-  provenance checks must prove the source SHA descends from the tag and
-  validation/preflight use the same source. Reserve `vYYYY.M.D-N` correction
-  tags for emergency hotfixes that must publish a new npm package/release
-  identity, not for ordinary mac-only packaging recovery.
 - The production Sparkle feed lives at `https://raw.githubusercontent.com/openclaw/openclaw/main/appcast.xml`, and the canonical published file is `appcast.xml` on `main` in the `openclaw` repo.
 - That shared production Sparkle feed is stable-only. Beta mac releases may
   upload assets to the GitHub prerelease, but they must not replace the shared
@@ -127,23 +81,7 @@ Use this skill for release and publish-time workflow. Keep ordinary development
 
 ## Build changelog-backed release notes
 
-- Before release branching or tagging, rewrite the target `CHANGELOG.md`
-  section from commit history, not just from existing notes: scan commits since
-  the last reachable release tag, add missed user-facing changes, dedupe
-  overlapping entries, and sort each section from most to least interesting for
-  users.
 - Changelog entries should be user-facing, not internal release-process notes.
-- GitHub release and prerelease bodies must use the full matching
-  `CHANGELOG.md` version section, not highlights or an excerpt. When creating
-  or editing a release, extract from `## YYYY.M.D` through the line before the
-  next level-2 heading and use that complete block as the release notes.
-- When preparing release notes, scan `src/plugins/compat/registry.ts` and
-  `src/commands/doctor/shared/deprecation-compat.ts` for compatibility records
-  with `warningStarts` or `removeAfter` within 7 days after the release date.
-  Add an `Upcoming deprecations` note to the release notes when any exist,
-  including the compatibility code, target date, replacement, and a link to the
-  record's `docsPath` or `/plugins/compatibility` when no more specific
-  deprecation page exists.
 - When cutting a mac release with a beta GitHub prerelease:
   - tag `vYYYY.M.D-beta.N` from the release commit
   - create a prerelease titled `openclaw YYYY.M.D-beta.N`
@@ -166,36 +104,14 @@ live`; keep it clearly beta and avoid implying stable promotion.
 - Lead with user-visible capabilities, then important integrations, then
   reliability/security/install fixes. Compress "lots of fixes" into one
   readable bullet.
-- Read the full changelog section before drafting. Do not lead with coverage,
-  CI, validation, or internal release mechanics unless the release is explicitly
-  about those. Peter prefers concrete user wins: features, integrations,
-  workflow improvements, and practical reliability fixes.
 - Tone: high-signal, slightly cheeky, confident, not corporate. One joke is
   enough. Avoid punching down, insulting users, or promising what was not
   verified.
-- Peter likes dry, compact taglines when they feel earned. Good example:
-  `Big release, tiny release notes... kidding.` Keep the joke short and let the
-  feature bullets carry the tweet; do not turn the punchline into a second
-  paragraph or a forced bit.
-- Length: release tweets are always standard tweets under 280 characters, with
-  room for one URL. Trim to 3-4 bullets and count the final text before posting.
-- Links/media: include the GitHub release or changelog link at the end of the
-  first release tweet.
-- Thread follow-ups: if doing a thread, keep the first release tweet as the
-  compact launch post, then publish one focused feature explainer per reply.
-  Follow-up replies should not repeat "new in VERSION" or the version number
-  when the thread context already makes it obvious.
-- Peter's preferred thread workflow: first agree on the generic launch tweet,
-  then proceed through follow-up tweets one by one. When he says `next`, provide
-  or copy the next follow-up only; do not dump the full thread again unless asked.
-- Every follow-up tweet should include a docs URL for that specific feature.
-  Prefer a bare URL over `Docs: <url>` unless the label is needed for clarity.
-  Keep follow-ups concise: around 160-220 raw characters is usually the sweet
-  spot; under 280 is the hard cap. If a URL makes a tweet fail, trim prose
-  before dropping the URL.
-  Prefer explaining diagnostics, trajectory/export, provider setup, model
-  commands, or other setup-heavy features in follow-ups instead of overloading
-  the first release tweet.
+- Length: release tweets are always standard tweets under 280 characters. Trim
+  to 3-4 bullets and count the final text before posting.
+- Links/media: include the GitHub release or changelog link at the end. Add a
+  short docs follow-up reply only when there is a standout feature that needs
+  setup instructions.
 - Hotfix/correction: be direct and accountable. State what slipped, what is
   fixed, and the new version. Keep jokes out of incident-style posts.
 
@@ -242,16 +158,10 @@ Before tagging or publishing, run:
 pnpm check:architecture
 pnpm build
 pnpm ui:build
-pnpm qa:otel:smoke
 pnpm release:check
 pnpm test:install:smoke
 ```
 
-- Use `pnpm qa:otel:smoke` when release validation needs telemetry coverage.
-  It starts a local OTLP/HTTP trace receiver, runs QA-lab's
-  `otel-trace-smoke`, and checks span names plus content/identifier redaction
-  without external Opik or Langfuse credentials.
-
 For a non-root smoke path:
 
 ```bash
@@ -291,18 +201,9 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 - Source Peter's profile before live release validation so OpenAI and Anthropic
   credentials are available without printing secrets:
   `set -a; source "$HOME/.profile"; set +a`.
-- Parallels validation and any local live model QA for this train must use both
+- Release QA and Parallels validation for this train must use both
   `OPENAI_API_KEY` and `ANTHROPIC_API_KEY`. If either is missing after sourcing
-  `.profile`, stop before starting those local long lanes and report the
-  missing key.
-- Live credentialed channel QA is the GitHub Actions workflow
-  `QA-Lab - All Lanes` (`.github/workflows/qa-live-telegram-convex.yml`), not a
-  local substitute. Dispatch it from Actions against the release tag and wait
-  for it to pass before npm preflight/publish readiness. Use a SHA only when it
-  satisfies the workflow's secret-bearing trust gate: main ancestor or open PR
-  head. It runs the QA Lab mock parity gate plus live Matrix and live Telegram
-  lanes using the `qa-live-shared` environment; Telegram uses Convex CI
-  credential leases.
+  `.profile`, stop before starting the long lanes and report the missing key.
 - Default release checks:
   - `pnpm check`
   - `pnpm check:test-types`
@@ -320,44 +221,23 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
   - all Parallels install/update tests:
     `pnpm test:parallels:npm-update -- --json` plus any needed individual
     rerun lanes from `openclaw-parallels-smoke`
-  - all QA release validation: dispatch GitHub Actions > `QA-Lab - All Lanes`
-    against the release tag and require success. This is the release gate for
-    live credentialed Matrix/Telegram channel coverage. Use a SHA only when it
-    satisfies the workflow trust gate. Run local OpenAI/Anthropic suites or
-    repo-backed character evals only when the operator asks for extra model
-    coverage or a failure needs local debugging.
+  - all QA release validation:
+    OpenAI live suite with `openai/gpt-5.4` in fast mode, Anthropic live suite
+    with `anthropic/claude-opus-4-6`, and the repo-backed character evals
 - Post-published beta verification roster:
   - `node --import tsx scripts/openclaw-npm-postpublish-verify.ts <beta-version>`
   - install/update smoke against the published beta channel
   - Docker install/update coverage that exercises the published beta package
-  - published npm Telegram proof: dispatch Actions > `NPM Telegram Beta E2E`
-    from `main` with `package_spec=openclaw@<beta-version>` and
-    `provider_mode=mock-openai`, and require success. This workflow is
-    maintainer-dispatched and intentionally has no `npm-release` approval gate;
-    `qa-live-shared` only supplies the shared QA secrets. This is the default
-    button path for installed-package onboarding, Telegram setup, and real
-    Telegram E2E against the published npm package.
-    Use the local `pnpm test:docker:npm-telegram-live` lane with the matching
-    `OPENCLAW_NPM_TELEGRAM_PACKAGE_SPEC` and Convex CI env only as a fallback
-    or debugging path.
   - Parallels published beta install/update coverage with both OpenAI and
     Anthropic provider keys available
-  - Parallels install/update proof must keep plugin installs enabled unless the
-    operator explicitly scopes a harness-only isolation check; a lane that
-    disables bundled plugin installs is not valid plugin/dependency release
-    evidence.
   - targeted QA reruns only for areas touched by fixes after the full pre-npm
-    roster, unless the operator requests the full QA roster again. If the fix
-    touches live channel QA, credential plumbing, Matrix, Telegram, or the QA
-    harness, rerun Actions > `QA-Lab - All Lanes`.
+    roster, unless the operator requests the full QA roster again
 - Check all release-related build surfaces touched by the release, not only the npm package.
 - For beta-style full e2e batteries, hard-cap top-level long lanes instead of letting them run indefinitely. Use host `timeout --foreground`/`gtimeout --foreground` caps such as:
   - `45m` for `OPENCLAW_INSTALL_SMOKE_SKIP_NONROOT=1 pnpm test:install:smoke`
   - `90m` for `pnpm test:docker:all`
   - `60m` each for standalone Docker live lanes
-  - `180m` for local full QA live OpenAI + Anthropic rosters when explicitly
-    requested; the default release channel QA gate is Actions >
-    `QA-Lab - All Lanes`
+  - `180m` for the full QA live OpenAI + Anthropic roster
   - Parallels caps from the `openclaw-parallels-smoke` skill
     If a lane hits its cap, stop and inspect/fix the affected lane before continuing; do not continue to wait on the same process.
 - Actual npm install/update phases are capped at 5 minutes. If `npm install -g`, installer package install, or `openclaw update` takes longer than 300s in release e2e, stop treating the run as healthy progress and debug the installer/updater or harness.
@@ -371,22 +251,13 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 - Any fix after preflight means a new commit. Delete and recreate the tag and
   matching GitHub release from the fixed commit, then rerun preflight from
   scratch before publishing.
-  Exception: never delete or recreate a beta tag whose matching npm package has
-  already been published; increment to the next beta number instead. If only the
-  pushed tag/prerelease exists and npm publish has not happened, recreate that
-  same beta tag at the fixed commit.
+  Exception: never delete or recreate a beta tag that has already been pushed or
+  published; increment to the next beta number instead.
 - For stable mac releases, generate the signed `appcast.xml` before uploading
   public release assets so the updater feed cannot lag the published binaries.
 - Serialize stable appcast-producing runs across tags so two releases do not
   generate replacement `appcast.xml` files from the same stale seed.
-- For stable releases, rely primarily on the latest beta's broader release
-  workflow confidence. When promoting the matching non-beta build to npm
-  `latest`, prefer a light time-bounded verification pass: published npm
-  postpublish verify, Docker install/update smoke, macOS-only Parallels
-  install/update smoke, and required QA signal. Do not rerun the full
-  Docker/Parallels matrix unless the beta evidence is stale, the stable build
-  differs materially from beta, or the operator explicitly asks for full
-  retesting.
+- For stable releases, confirm the latest beta already passed the broader release workflows before cutting stable.
 - If any required build, packaging step, or release workflow is red, do not say the release is ready.
 
 ## Use the right auth flow
@@ -396,29 +267,6 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
   `openclaw/releases-private/.github/workflows/openclaw-npm-dist-tags.yml`
   workflow because `npm dist-tag` management needs `NPM_TOKEN`, while the
   public npm release workflow stays OIDC-only.
-- Prefer fixing the private workflow token path over any local 1Password
-  fallback. The desired setup is a granular npm token stored as the private
-  repo's `NPM_TOKEN` secret, scoped to the `openclaw` package with read/write
-  and 2FA bypass for automation.
-- If the private dist-tag workflow cannot promote because `NPM_TOKEN` is absent
-  or stale, use the local tmux + 1Password fallback:
-  - Start or reuse a tmux session so interactive `npm login` and OTP prompts
-    are observable and recoverable.
-  - Hard rule: never run `op` directly in the main agent shell during release
-    work. Any 1Password CLI use must happen inside that tmux session so prompts
-    and alerts are contained and observable.
-  - Use the 1Password item `op://Private/Npmjs` for npm credentials and OTP.
-    Do not print passwords, tokens, or OTPs to the transcript; send them through
-    tmux buffers, env vars scoped to the tmux command, or `expect` with
-    `log_user 0`.
-  - Re-authenticate npm inside that tmux session with
-    `npm login --auth-type=legacy`, then confirm `npm whoami` reports
-    `steipete`.
-  - Promote with a fresh OTP:
-    `npm dist-tag add openclaw@YYYY.M.D latest --otp "$OTP"`.
-  - Verify with a cache-bypassed registry read, for example:
-    `npm view openclaw dist-tags --json --prefer-online --cache /tmp/openclaw-npm-cache-verify-$$`
-    and `npm view openclaw@latest version dist.tarball --json --prefer-online`.
 - Direct stable publishes can also use that private dist-tag workflow to point
   `beta` at the already-published `latest` version when the operator wants both
   tags aligned immediately.
@@ -535,93 +383,73 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>
 6. Create `release/YYYY.M.D` from that post-changelog `main` commit.
 7. Make every repo version location match the beta tag before creating it.
 8. Commit release preparation changes on the release branch and push the branch.
-9. Run the fast local beta preflight from the release branch before any npm
-   preflight or publish. Keep expensive Docker, Parallels, and published-package
-   install/update lanes for after the beta is live unless the operator asks to
-   run them before beta publication.
+9. Run the full pre-npm beta test roster from the release branch before any npm
+   preflight or publish.
 10. For beta releases, skip mac app build/sign/notarize unless beta scope or a
     release blocker specifically requires it. For stable releases, include the
     mac app, signing, notarization, and appcast path.
 11. Confirm the target npm version is not already published.
 12. Create and push the git tag from the release branch.
 13. Create or refresh the matching GitHub release.
-14. Dispatch Actions > `QA-Lab - All Lanes` against the release tag and wait
-    for the mock parity, live Matrix, and live Telegram credentialed-channel
-    lanes to pass.
-15. Start `.github/workflows/openclaw-npm-release.yml` from the release branch
+14. Start `.github/workflows/openclaw-npm-release.yml` from the release branch
     with `preflight_only=true`
     and choose the intended `npm_dist_tag` (`beta` default; `latest` only for
     an intentional direct stable publish). Wait for it to pass. Save that run id
     because the real publish requires it to reuse the prepared npm tarball.
-16. For stable releases, start `.github/workflows/macos-release.yml` in
+15. For stable releases, start `.github/workflows/macos-release.yml` in
     `openclaw/openclaw` and wait for the public validation-only run to pass.
-17. For stable releases, start
+16. For stable releases, start
     `openclaw/releases-private/.github/workflows/openclaw-macos-validate.yml`
     with the same tag and wait for the private mac validation lane to pass.
-18. For stable releases, start
+17. For stable releases, start
     `openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml`
     with `preflight_only=true` and wait for it to pass. Save that run id because
     the real publish requires it to reuse the notarized mac artifacts.
-19. If any preflight or validation run fails, fix the issue on a new commit,
+18. If any preflight or validation run fails, fix the issue on a new commit,
     delete the tag and matching GitHub release, recreate them from the fixed
     commit, and rerun all relevant preflights from scratch before continuing.
     Never reuse old preflight results after the commit changes. For pushed or
     published beta tags, do not delete/recreate; increment to the next beta tag.
-    For preflight-only failures where npm did not publish the beta version,
-    delete/recreate the same beta tag and prerelease at the fixed commit instead
-    of skipping a prerelease number.
-20. Start `.github/workflows/openclaw-npm-release.yml` from the same branch with
+19. Start `.github/workflows/openclaw-npm-release.yml` from the same branch with
     the same tag for the real publish, choose `npm_dist_tag` (`beta` default,
     `latest` only when you intentionally want direct stable publish), keep it
     the same as the preflight run, and pass the successful npm
     `preflight_run_id`.
-21. Wait for `npm-release` approval from `@openclaw/openclaw-release-managers`.
-22. Run postpublish verification:
+20. Wait for `npm-release` approval from `@openclaw/openclaw-release-managers`.
+21. Run postpublish verification:
     `node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>`.
-23. Run the post-published beta verification roster. First scan current `main`
-    for critical fixes that landed after the release branch cut; backport only
-    important low-risk fixes before starting expensive lanes, or increment to
-    the next beta if the fix must change the already-published package. If any
-    lane fails after the beta package is published, fix, commit/push/pull,
-    increment to the next beta tag, and rerun the affected beta evidence. Once
-    the beta is live, start remote/manual rosters where they
-    can overlap safely, but keep local Docker and Parallels load controlled.
-    Ensure the full expensive roster has passed at least once before
-    stable/latest promotion. The roster includes the manual Actions >
-    `NPM Telegram Beta E2E` workflow against the exact published beta package.
-    If a pre-npm lane fails before any tag/package leaves the machine, fix and
-    rerun the same intended beta attempt. Repeat up to the operator's
-    authorized beta-attempt limit, normally 4.
-24. Announce the beta/stable release on Discord best-effort using Peter's bot
+22. Run the post-published beta verification roster. If any lane fails after
+    the beta tag/package is pushed or published, fix, commit/push/pull,
+    increment to the next beta tag, and restart at the full pre-npm beta test
+    roster for the new beta. If a pre-npm lane fails before any tag/package
+    leaves the machine, fix and rerun the same intended beta attempt. Repeat up
+    to the operator's authorized beta-attempt limit, normally 4.
+23. Announce the beta/stable release on Discord best-effort using Peter's bot
     token from `.profile`.
-25. If the operator requested beta only, stop after beta verification and the
+24. If the operator requested beta only, stop after beta verification and the
     announcement.
-26. If the stable release was published to `beta`, use the light stable
-    promotion roster when the matching beta already carried the full confidence
-    pass: published npm postpublish verify, Docker install/update smoke,
-    macOS-only Parallels install/update smoke, and required QA signal.
-    Then start the private
+25. If the stable release was published to `beta`, start the private
     `openclaw/releases-private/.github/workflows/openclaw-npm-dist-tags.yml`
-    workflow to promote that stable version from `beta` to `latest`, then
-    verify `latest` now points at that version.
-27. If the stable release was published directly to `latest` and `beta` should
+    workflow after beta validation passes to promote that stable version from
+    `beta` to `latest`, then verify `latest` now points at that version.
+26. If the stable release was published directly to `latest` and `beta` should
     follow it, start that same private dist-tag workflow to point `beta` at the
     stable version, then verify both `latest` and `beta` point at that version.
-28. For stable releases, start
+27. For stable releases, start
     `openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml`
     for the real publish with the successful private mac `preflight_run_id` and
     wait for success.
-29. Verify the successful real private mac run uploaded the `.zip`, `.dmg`,
+28. Verify the successful real private mac run uploaded the `.zip`, `.dmg`,
     and `.dSYM.zip` artifacts to the existing GitHub release in
     `openclaw/openclaw`.
-30. For stable releases, download `macos-appcast-<tag>` from the successful
+29. For stable releases, download `macos-appcast-<tag>` from the successful
     private mac run, update `appcast.xml` on `main`, and verify the feed. Merge
     or cherry-pick release branch changes back to `main` after stable succeeds.
-31. For beta releases, publish the mac assets only when intentionally requested;
+30. For beta releases, publish the mac assets only when intentionally requested;
     expect no shared production
     `appcast.xml` artifact and do not update the shared production feed unless a
     separate beta feed exists.
-32. After publish, verify npm and the attached release artifacts.
+31. After publish, verify npm and the attached release artifacts.
 
 ## GHSA advisory work
 

.agents/skills/openclaw-secret-scanning-maintainer/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: openclaw-secret-scanning-maintainer
-description: Triage, redact, clean up, and resolve OpenClaw GitHub Secret Scanning alerts in issues or PRs.
+description: Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
 ---
 
 # OpenClaw Secret Scanning Maintainer

.agents/skills/openclaw-small-bugfix-sweep/SKILL.md

@@ -1,77 +0,0 @@
----
-name: openclaw-small-bugfix-sweep
-description: Fix only small, high-certainty OpenClaw bugs from a pasted issue/PR list after deep code review.
----
-
-# OpenClaw Small Bugfix Sweep
-
-Batch workflow for pasted OpenClaw issue/PR refs.
-Execute, do not summarize.
-Triage reviews, proves, and patches local fixes first; publishing waits for Peter's manual review.
-
-## Peter Review Gate
-
-Peter always wants to review code before commits.
-Default flow:
-1. Review each issue deeply enough to prove current behavior and root cause.
-2. Fix only easy, high-confidence bugs with narrow ownership and focused proof.
-3. Stop with the dirty diff summary, touched files, and test/gate output for Peter's manual review.
-4. After Peter approves shipping, make one commit per accepted fix, with a changelog entry for each user-facing fix.
-5. Pull/rebase, push, then comment and close only the fixed or explicitly triaged-closed issues.
-
-Do not batch unrelated issue fixes into one commit. Do not push, create PRs, comment, close, label, land, merge, or otherwise publish during the review/prove phase.
-
-## Companion Skills
-
-Use `$gitcrawl` first, `$openclaw-pr-maintainer` for live GitHub hygiene, `$github-deep-review` posture for source tracing, and `$openclaw-testing` for proof.
-
-## Loop
-
-For each ref:
-
-1. Read live target with `gh`.
-2. Check `gitcrawl` for related, duplicate, closed, or already-fixed threads.
-3. Read body, comments, linked refs, changed files, current code, adjacent tests, and dependency contracts when relevant.
-4. Trace the real runtime path.
-5. For issues: fix locally only if this is a bug, current code proves root cause, the implicated path is clear, and a narrow patch is cleaner than refactor.
-6. For PRs: decide `ready-to-merge`, `needs-fixup`, or `skip`; do not alter PR branches unless explicitly asked.
-7. Add focused regression proof when practical for local issue fixes or PR readiness checks.
-8. Run the smallest meaningful gate.
-9. Continue until every pasted ref is fixed or classified.
-
-No subagents unless explicitly requested.
-
-## Skip If
-
-- not a bug
-- config/docs/workflow/release/support/dependency/product work
-- repro or root cause is uncertain
-- larger refactor or owner-boundary change is cleaner
-- already fixed on current `main`
-- dependency behavior is guessed
-- no focused proof is feasible
-
-Skip with terse reason. Do not pad with low-confidence fixes.
-
-## Fix Rules
-
-- owner module first; generic seam only when required
-- existing patterns/helpers/types
-- no drive-by refactors
-- tests near failing surface
-- docs only for changed public behavior
-- no commit during the review/prove phase
-- after Peter approves shipping, one commit plus changelog per accepted user-facing fix
-- no push/create PR/comment/close/label/land/merge until Peter approves shipping after review
-
-## PR Rules
-
-- `ready-to-merge`: code is good, current head checked, required proof is green or clearly pending only external CI; list for maintainer merge or `@clawsweeper automerge`
-- `needs-fixup`: small bug is clear, but PR branch needs changes; list exact files/tests and wait for explicit fix/push/automerge instruction
-- `skip`: broad, stale, speculative, config/product/security/release, owner-boundary, or refactor-sized
-- if source PR is untrusted/uneditable, do not create a replacement PR during sweep
-
-## Output Shape
-
-Ledger: `fixed-local`, `ready-to-merge`, `needs-fixup`, `skipped`, `needs-human`.
-Final: issue files left on disk, PRs ready for merge/automerge, tests/gates, skip reasons.

.agents/skills/openclaw-test-heap-leaks/SKILL.md

@@ -1,14 +1,12 @@
 ---
 name: openclaw-test-heap-leaks
-description: Investigate OpenClaw pnpm test memory growth, Vitest OOMs, RSS spikes, and heap snapshot deltas.
+description: Investigate `pnpm test` memory growth, Vitest worker OOMs, and suspicious RSS increases in OpenClaw using the `scripts/test-parallel.mjs` heap snapshot tooling. Use when Codex needs to reproduce test-lane memory growth, collect repeated `.heapsnapshot` files, compare snapshots from the same worker PID, triage likely transformed-module retention versus likely runtime leaks, and fix or reduce the impact by patching cleanup logic or isolating hotspot tests.
 ---
 
 # OpenClaw Test Heap Leaks
 
 Use this skill for test-memory investigations. Do not guess from RSS alone when heap snapshots are available. Treat snapshot-name deltas as triage evidence, not proof, until retainers or dominators support the call.
 
-For **runtime fixes** (e.g., closure leaks in long-running services like the gateway), see [Validating runtime fixes](#validating-runtime-fixes-not-test-memory) below — that uses a dedicated harness, not the test-parallel snapshot machinery.
-
 ## Workflow
 
 1. Reproduce the failing shape first.
@@ -65,38 +63,6 @@ For **runtime fixes** (e.g., closure leaks in long-running services like the gat
 
 Read the top positive deltas first. Large positive growth in module-transform artifacts suggests lane isolation; large positive growth in runtime objects suggests a real leak. If the names alone do not settle it, open the same snapshot pair in DevTools and inspect retainers/dominators for the top rows before declaring root cause.
 
-## Validating runtime fixes (not test-memory)
-
-The workflow above is for diagnosing Vitest worker memory growth. For
-validating that a runtime/closure fix actually releases captured state, use the
-dedicated harness:
-
-- `pnpm leak:embedded-run` — runs `scripts/embedded-run-abort-leak.ts`. Loops N
-  aborted runs in a function-shaped scope mimicking `runEmbeddedAttempt`,
-  writes heap snapshots, and reports a PASS/FAIL verdict on retention growth
-  using `FinalizationRegistry` for tracked-instance counting plus RSS delta.
-
-Modes:
-
-- `closure-extracted` (default) — production fix shape (helper at module scope).
-- `closure-inline` — pre-fix shape (closure inside the runner scope). Use as a
-  sensitivity check: if it passes you've broken the harness, not fixed a bug.
-- `synthetic-leak` — deliberately retains via a module-level bucket. Use to
-  confirm the harness can detect leaks before trusting a PASS on a real fix.
-
-Snapshots land in `.tmp/embedded-run-abort-leak/`. Diff with the same script
-as above:
-
-```
-node .agents/skills/openclaw-test-heap-leaks/scripts/heapsnapshot-delta.mjs \
-  .tmp/embedded-run-abort-leak/baseline-*.heapsnapshot \
-  .tmp/embedded-run-abort-leak/batch-N-*.heapsnapshot --top 30
-```
-
-When fixing a different runtime leak, add a new harness alongside this one
-rather than retrofitting it. The fixture function should mimic the lexical
-scope of the function where the leak lives, not be a generic abort-loop.
-
 ## Output Expectations
 
 When using this skill, report:

.agents/skills/openclaw-test-performance/SKILL.md

@@ -1,13 +1,12 @@
 ---
 name: openclaw-test-performance
-description: Benchmark, diagnose, and optimize OpenClaw test and plugin-suite runtime, import hotspots, CPU/RSS, heap growth, and slow coverage paths.
+description: Benchmark, diagnose, and optimize OpenClaw test performance without losing coverage. Use when Codex needs to reassess `pnpm test`, compare grouped Vitest reports, identify CPU/memory/import hotspots, fix slow tests or cold runtime paths, preserve behavior proofs, update the performance report, add AGENTS guardrails, and make scoped commits/pushes for OpenClaw test-speed work.
 ---
 
 # OpenClaw Test Performance
 
-Use evidence first. The goal is real `pnpm test`, plugin-suite, and
-plugin-inspector speed/RSS improvement with coverage intact, not runner tuning by
-guesswork.
+Use evidence first. The goal is real `pnpm test` speed/RSS improvement with
+coverage intact, not runner tuning by guesswork.
 
 ## Workflow
 
@@ -22,9 +21,6 @@ guesswork.
 2. Establish a baseline before changing code:
    - Prefer `pnpm test:perf:groups --full-suite --allow-failures --output <file>`
      for full-suite ranking.
-   - For bundled plugin breadth, run the smallest relevant `pnpm
-test:extensions:batch <plugin[,plugin...]>` or plugin-inspector command
-     before jumping to the full extension sweep.
    - For a scoped hotspot use:
      `/usr/bin/time -l pnpm test <file-or-files> --maxWorkers=1 --reporter=verbose`
    - For import-heavy suspicion add:
@@ -37,8 +33,6 @@ test:extensions:batch <plugin[,plugin...]>` or plugin-inspector command
      passed, capture that as harness/noise and verify the suspect file directly.
 4. Pick the next attack by return and risk:
    - High return: one file/test dominates seconds or RSS and has a clear root.
-   - High leverage: one plugin or SDK barrel causes every plugin-inspector or
-     extension-batch run to load broad runtime.
    - Lower risk: static descriptors, target parsing, routing, auth bypass,
      setup hints, registry fixtures, or test server lifecycle.
    - Higher risk: real memory/runtime behavior, live providers, protocol
@@ -50,8 +44,6 @@ test:extensions:batch <plugin[,plugin...]>` or plugin-inspector command
      and pure helpers over broad mocks.
    - Reuse suite-level servers/clients when a fresh handshake is irrelevant.
    - Keep schedulers/background loops off unless the test proves scheduling.
-   - In plugin paths, move static metadata into manifest/lightweight artifacts
-     and keep runtime plugin loads behind explicit execution boundaries.
 6. Preserve coverage shape:
    - Do not delete a slow integration proof unless the exact production
      composition is extracted into a named helper and tested.
@@ -65,90 +57,6 @@ test:extensions:batch <plugin[,plugin...]>` or plugin-inspector command
 9. Commit with `scripts/committer "<message>" <paths...>` and push when the
    user asked for commits/pushes. Stage only files touched for this attack.
 
-## Plugin-Suite Workflow
-
-Use this section when perf work involves bundled plugins, plugin-inspector, SDK
-barrels, package-boundary tests, or extension suites.
-
-1. Map the suite shape first:
-   - source tests: `pnpm test extensions/<id>` or `pnpm test:extensions:batch <id>`
-   - package boundaries: `pnpm run test:extensions:package-boundary:canary` and
-     `pnpm run test:extensions:package-boundary:compile`
-   - all bundled source tests: `pnpm test:extensions`
-   - plugin import memory: `pnpm test:extensions:memory -- --json .artifacts/test-perf/extensions-memory.json`
-   - plugin-inspector/report work: keep report primitives in `plugin-inspector`;
-     keep wrappers thin and collect peak RSS when the command supports it.
-2. Start narrow, then widen:
-   - one plugin changed: run that plugin's tests and plugin-inspector slice.
-   - SDK/public barrel changed: add representative provider, channel, memory,
-     and feature plugins.
-   - loader/runtime mirror changed: add package-boundary checks and build/package
-     proof as needed.
-   - unknown shared plugin behavior: run `test:extensions:batch` groups before
-     `pnpm test:extensions`.
-3. Treat plugin-inspector failures as product signals:
-   - JSON must parse.
-   - warnings/errors must be classified, not hidden.
-   - runtime capture should be quiet and config-tolerant.
-   - command output should include wall time, exit code, and peak RSS when
-     available.
-4. For broad or package-heavy plugin proof, use Blacksmith Testbox by default on
-   maintainer machines. Warm once and reuse the same box:
-   - `blacksmith testbox warmup ci-check-testbox.yml --ref main --idle-timeout 90`
-   - `blacksmith testbox run --id <ID> "OPENCLAW_TESTBOX=1 pnpm test:extensions:batch <ids>"`
-   - stop the box when done.
-5. If plugin performance is package-artifact sensitive, switch to
-   `openclaw-pre-release-plugin-testing` and Package Acceptance rather than
-   trusting source-only timing.
-
-## Metric Collection
-
-Collect at least one stable metric before and after. Prefer the same machine and
-same command. For Testbox comparisons, use the same `tbx_...` id when possible.
-
-| Metric          | Use for                            | Preferred source                                                            |
-| --------------- | ---------------------------------- | --------------------------------------------------------------------------- |
-| wall time       | user-visible suite cost            | `/usr/bin/time -l`, test wrapper duration, Testbox run time                 |
-| Vitest duration | test body/import cost              | Vitest output per file/shard                                                |
-| import duration | broad barrel/runtime loads         | `OPENCLAW_VITEST_IMPORT_DURATIONS=1`                                        |
-| max RSS         | memory pressure and OOM risk       | `/usr/bin/time -l`, `pnpm test:extensions:memory`, wrapper memory summaries |
-| CPU/user/sys    | CPU-bound vs wait-bound split      | `/usr/bin/time -l` locally, Testbox job timing when local CPU is noisy      |
-| heap snapshots  | real leak vs retained module graph | `openclaw-test-heap-leaks` workflow                                         |
-
-Local scoped command with CPU/RSS:
-
-```bash
-timeout 240 /usr/bin/time -l pnpm test <file> --maxWorkers=1 --reporter=verbose
-```
-
-Plugin import memory profile:
-
-```bash
-pnpm build
-pnpm test:extensions:memory -- --top 20 --json .artifacts/test-perf/extensions-memory.json
-```
-
-Targeted plugin import memory:
-
-```bash
-pnpm test:extensions:memory -- --extension discord --extension telegram --skip-combined
-```
-
-Heap/RSS escalation:
-
-```bash
-OPENCLAW_TEST_MEMORY_TRACE=1 \
-OPENCLAW_TEST_HEAPSNAPSHOT_INTERVAL_MS=60000 \
-OPENCLAW_TEST_HEAPSNAPSHOT_DIR=.tmp/heapsnap \
-OPENCLAW_TEST_WORKERS=2 \
-OPENCLAW_TEST_MAX_OLD_SPACE_SIZE_MB=6144 \
-pnpm test
-```
-
-Use `openclaw-test-heap-leaks` when RSS keeps growing across intervals, workers
-OOM, or the suspect command has app-object retention. Do not call RSS growth a
-leak until snapshots or retainers support it.
-
 ## Common Root Causes
 
 - Full bundled channel/plugin runtime loaded for static data.
@@ -156,12 +64,6 @@ leak until snapshots or retainers support it.
   parser would suffice.
 - Broad `api.ts`, `runtime-api.ts`, `test-api.ts`, or plugin-sdk barrels pulled
   into hot tests.
-- SDK root aliases or package barrels pulling focused subpaths back into a broad
-  plugin graph.
-- Plugin-inspector loading runtime code just to render metadata, reports, or CI
-  policy scores.
-- Bundled plugin capture reusing real config/home state instead of synthetic,
-  redacted, isolated state.
 - Partial-real mocks using `importActual()` around broad modules.
 - `vi.resetModules()` plus fresh imports in per-test loops.
 - Test plugin registry seeded in `beforeAll` while runtime state resets in
@@ -170,10 +72,6 @@ leak until snapshots or retainers support it.
 - Runtime/default model/auth selection paid by idle snapshots or fixtures.
 - Plugin-owned media/action discovery triggered before checking whether args
   contain plugin-owned fields.
-- Timings missing from `test/fixtures/test-timings.unit.json`, causing hotspot
-  files to stay in shared workers.
-- Parallel Vitest runs sharing `node_modules/.experimental-vitest-cache` without
-  distinct `OPENCLAW_VITEST_FS_MODULE_CACHE_PATH` values.
 
 ## Benchmark Commands
 
@@ -199,25 +97,6 @@ pnpm test:perf:groups --full-suite --allow-failures \
   --output .artifacts/test-perf/<name>.json
 ```
 
-Extension batch:
-
-```bash
-pnpm test:extensions:batch <plugin[,plugin...]> -- --reporter=verbose
-```
-
-All extension tests:
-
-```bash
-pnpm test:extensions
-```
-
-Package-boundary plugin checks:
-
-```bash
-pnpm run test:extensions:package-boundary:canary
-pnpm run test:extensions:package-boundary:compile
-```
-
 Reuse an existing Vitest JSON report:
 
 ```bash
@@ -228,26 +107,19 @@ pnpm test:perf:groups --report <vitest-json> \
 ## Verification
 
 - Always run the targeted test surface that proves the change.
-- For source changes, run `pnpm check:changed` before push; in maintainer
-  Testbox mode run it in the warmed Testbox.
-- For test-only changes, run `pnpm test:changed` or the exact edited tests.
+- Run `pnpm check` before commit unless the change is docs-only and the hook
+  handles it.
 - Run `pnpm build` when touching lazy-loading, bundled artifacts, package
   boundaries, dynamic imports, build output, or public surfaces.
-- For plugin SDK/barrel/runtime changes, add `pnpm plugin-sdk:api:check` or
-  `pnpm plugin-sdk:api:gen` when the API surface may drift.
-- For plugin-suite perf fixes, verify at least one representative plugin batch
-  plus the changed gate; use Package Acceptance if the bug only exists in a
-  packed artifact.
 - If deps are missing/stale, run `pnpm install` and retry the exact failed
   command once.
 - Use the report format:
 
 ```markdown
-| Metric         | Before |  After |          Gain |
-| -------------- | -----: | -----: | ------------: |
-| File wall time |   `Xs` |   `Ys` |  `-Zs` (`P%`) |
-| Max RSS        |  `XMB` |  `YMB` | `-ZMB` (`P%`) |
-| CPU user/sys   | `X/Ys` | `A/Bs` |       explain |
+| Metric         | Before | After |          Gain |
+| -------------- | -----: | ----: | ------------: |
+| File wall time |   `Xs` |  `Ys` |  `-Zs` (`P%`) |
+| Max RSS        |  `XMB` | `YMB` | `-ZMB` (`P%`) |
 ```
 
 ## Handoff
@@ -255,12 +127,8 @@ pnpm test:perf:groups --report <vitest-json> \
 Keep the final concise:
 
 - Root cause.
-- Suite/plugin scope.
 - Files changed.
-- Before/after wall, Vitest/import, CPU, and RSS numbers where available.
-- Leak classification if memory was involved: real leak, retained module graph,
-  or inconclusive.
+- Before/after numbers.
 - Coverage retained.
 - Verification commands.
-- Testbox ID or workflow URL for remote proof.
 - Commit hash and push status.

.agents/skills/openclaw-test-performance/agents/openai.yaml

@@ -1,6 +1,6 @@
 interface:
   display_name: "OpenClaw Test Performance"
-  short_description: "Benchmark tests, plugin suites, CPU, RSS, and heap growth"
-  default_prompt: "Use $openclaw-test-performance to reassess OpenClaw test and plugin-suite performance, collect wall/import/CPU/RSS metrics, investigate memory growth when needed, fix the next real hotspot without losing coverage, update the report, and commit scoped changes."
+  short_description: "Benchmark and fix slow OpenClaw tests"
+  default_prompt: "Use $openclaw-test-performance to reassess the OpenClaw test benchmark, identify the next real hotspot, fix it without losing coverage, update the report, and commit scoped changes."
 policy:
   allow_implicit_invocation: false

.agents/skills/openclaw-testing/SKILL.md

@@ -1,647 +0,0 @@
----
-name: openclaw-testing
-description: Choose, run, rerun, or debug OpenClaw tests, CI checks, Docker E2E lanes, release validation, and the cheapest safe verification path.
----
-
-# OpenClaw Testing
-
-Use this skill when deciding what to test, debugging failures, rerunning CI,
-or validating a change without wasting hours.
-
-## Read First
-
-- `docs/reference/test.md` for local test commands.
-- `docs/ci.md` for CI scope, release checks, Docker chunks, and runner behavior.
-- Scoped `AGENTS.md` files before editing code under a subtree.
-
-## Default Rule
-
-Prove the touched surface first. Do not reflexively run the whole suite.
-
-1. Inspect the diff and classify the touched surface:
-   - source: `pnpm changed:lanes --json`, then `pnpm check:changed`
-   - tests only: `pnpm test:changed`
-   - one failing file: `pnpm test <path-or-filter> -- --reporter=verbose`
-   - workflow-only: `git diff --check`, workflow syntax/lint (`actionlint` when available)
-   - docs-only: `pnpm docs:list`, docs formatter/lint only if docs tooling changed or requested
-2. Reproduce narrowly before fixing.
-3. Fix root cause.
-4. Rerun the same narrow proof.
-5. Broaden only when the touched contract demands it.
-
-## Guardrails
-
-- Do not kill unrelated processes or tests. If something is running elsewhere, treat it as owned by the user or another agent.
-- Do not run expensive local Docker, full release checks, full `pnpm test`, or full `pnpm check` unless the user asks or the change genuinely requires it.
-- Prefer GitHub Actions for release/Docker proof when the workflow already has the prepared image and secrets.
-- Use `scripts/committer "<msg>" <paths...>` when committing; stage only your files.
-- If deps are missing, run `pnpm install`, retry once, then report the first actionable error.
-- For Blacksmith Testbox proof, reuse only an id warmed and claimed in this
-  operator session. `blacksmith testbox list` is diagnostics only; a listed id
-  can have a local key and still carry stale rsync state from another lane.
-  After warmup, run `pnpm testbox:claim --id <id>`, then prefer
-  `pnpm testbox:run --id <id> -- "<command>"` for OpenClaw gates so stale
-  org-visible ids fail fast before syncing. Claims older than 12 hours are
-  stale unless `OPENCLAW_TESTBOX_CLAIM_TTL_MINUTES` is explicitly set for long
-  work.
-
-## Local Test Shortcuts
-
-```bash
-pnpm changed:lanes --json
-pnpm check:changed       # changed typecheck/lint/guards; no Vitest
-pnpm test:changed        # cheap smart changed Vitest targets
-OPENCLAW_TEST_CHANGED_BROAD=1 pnpm test:changed
-pnpm test <path-or-filter> -- --reporter=verbose
-OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test <path-or-filter>
-```
-
-Use targeted file paths whenever possible. Avoid raw `vitest`; use the repo
-`pnpm test` wrapper so project routing, workers, and setup stay correct.
-
-## Command Semantics
-
-- `pnpm check` and `pnpm check:changed` do not run Vitest tests. They are for
-  typecheck, lint, and guard proof.
-- `pnpm test` and `pnpm test:changed` run Vitest tests.
-- `pnpm test:changed` is intentionally cheap by default: direct test edits,
-  sibling tests, explicit source mappings, and import-graph dependents.
-- `OPENCLAW_TEST_CHANGED_BROAD=1 pnpm test:changed` is the explicit broad
-  fallback for harness/config/package edits that genuinely need it.
-- Do not run extension sweeps just because core changed. If a core edit is for a
-  specific plugin bug, run that plugin's tests explicitly. If a public SDK or
-  contract change needs consumer proof, choose the smallest representative
-  plugin/contract tests first, then broaden only when the risk justifies it.
-- The test wrapper prints a short `[test] passed|failed|skipped ... in ...`
-  line. Vitest's own duration is still the per-shard detail.
-
-## Routing Model
-
-- `pnpm changed:lanes --json` answers "which check lanes does this diff touch?"
-  It is used by `pnpm check:changed` for typecheck/lint/guard selection.
-- `pnpm test:changed` answers "which Vitest targets are worth running now?" It
-  uses the same changed path list, but applies a cheaper test-target resolver.
-- Direct test edits run themselves. Source edits prefer explicit mappings,
-  sibling `*.test.ts`, then import-graph dependents. Shared harness/config/root
-  edits are skipped by default unless they have precise mapped tests.
-- Shared group-room delivery config and source-reply prompt edits are precise
-  mapped tests: they run the core auto-reply regressions plus Discord and Slack
-  delivery tests so cross-channel default changes fail before a PR push.
-- Public SDK or contract edits do not automatically run every plugin test.
-  `check:changed` proves extension type contracts; the agent chooses the
-  smallest plugin/contract Vitest proof that matches the actual risk.
-- Use `OPENCLAW_TEST_CHANGED_BROAD=1 pnpm test:changed` only when a harness,
-  config, package, or unknown-root edit really needs the broad Vitest fallback.
-
-## CI Debugging
-
-Start with current run state, not logs for everything:
-
-```bash
-gh run list --branch main --limit 10
-gh run view <run-id> --json status,conclusion,headSha,url,jobs
-gh run view <run-id> --job <job-id> --log
-```
-
-- Check exact SHA. Ignore newer unrelated `main` unless asked.
-- For cancelled same-branch runs, confirm whether a newer run superseded it.
-- Fetch full logs only for failed or relevant jobs.
-
-## GitHub Release Workflows
-
-Use the smallest workflow that proves the current risk. The full umbrella is
-available, but it is usually the last step after narrower proof, not the first
-rerun after a focused patch.
-
-### Full Release Validation
-
-`Full Release Validation` (`.github/workflows/full-release-validation.yml`) is
-the manual "everything before release" umbrella. It resolves a target ref, then
-dispatches:
-
-- manual `CI` for the full normal CI graph, with Android enabled via
-  `include_android=true`
-- `Plugin Prerelease` for release-only plugin static checks, extension shards,
-  the release-only `agentic-plugins` shard, and plugin product Docker lanes
-- `OpenClaw Release Checks` for install smoke, cross-OS release checks, live and
-  E2E checks, Docker release-path suites, OpenWebUI, QA Lab, fast Matrix, and
-  Telegram release lanes
-- optional post-publish Telegram E2E when a package spec is supplied
-
-Run it only when validating an actual release candidate, after broad shared CI
-or release orchestration changes, or when explicitly asked:
-
-```bash
-gh workflow run full-release-validation.yml \
-  --repo openclaw/openclaw \
-  --ref main \
-  -f ref=<branch-or-sha> \
-  -f provider=openai \
-  -f mode=both \
-  -f release_profile=stable
-```
-
-Run the workflow itself from the trusted current ref, normally `--ref main`;
-child workflows are dispatched from that same ref even when `ref` points at an
-older release branch or tag. Full Release Validation has no separate child
-workflow ref input; choose the trusted harness by choosing the workflow run ref.
-Use `release_profile=minimum|stable|full` to control live/provider breadth:
-`minimum` keeps the fastest OpenAI/core release-critical set, `stable` adds the
-stable provider/backend set, and `full` adds the broad advisory provider/media
-matrix. Do not make `full` faster by silently dropping suites; optimize setup,
-artifact reuse, and sharding instead. The parent verifier job appends a child
-overview plus slowest-job tables for child runs; rerun only that verifier after
-a child rerun turns green.
-
-Standalone manual `CI` dispatches do not run the plugin prerelease suite, the
-extension batch sweep, or the release-only `agentic-plugins` Vitest shard. Those
-lanes are intentionally reserved for the separate `Plugin Prerelease` child so
-PRs, main pushes, and ad hoc broad CI checks do not spend Docker/package time or
-all-plugin runtime time on release-only product coverage.
-
-If a full run is already active on a newer `origin/main`, prefer watching that
-run over dispatching a duplicate. Do not cancel release, release-check, or child
-workflow runs unless Peter explicitly asks for cancellation.
-
-The child-dispatch jobs record the child run ids. The final
-`Verify full validation` job re-queries those child runs and is the canonical
-parent gate. If a child workflow failed but was later rerun successfully, rerun
-only the failed parent verifier job; do not dispatch a new full umbrella unless
-the release evidence is stale.
-
-For bounded recovery after a focused fix, pass `-f rerun_group=<group>`.
-Supported umbrella groups are `all`, `ci`, `plugin-prerelease`,
-`release-checks`, `install-smoke`, `cross-os`, `live-e2e`, `package`, `qa`,
-`qa-parity`, `qa-live`, and `npm-telegram`. Use the narrowest group that covers
-the failed box. After a targeted release-check fix, do not restart the full
-umbrella by habit: dispatch the matching `rerun_group` and rerun only the parent
-verifier/evidence step after the child is green unless the release evidence is
-stale. For a single failed live/E2E shard, use
-`-f rerun_group=live-e2e -f live_suite_filter=<suite_id>` so the Blacksmith
-workflow only spends setup and queue time on that suite.
-
-### Release Evidence
-
-After release-candidate validation or before a release decision, record the
-important run ids in the private `openclaw/releases-private` evidence ledger.
-Use the manual `OpenClaw Release Evidence`
-(`openclaw-release-evidence.yml`) workflow there. It writes durable summaries
-under `evidence/<release-id>/` and commits:
-
-- `release-evidence.md`
-- `release-evidence.json`
-- `index.json`
-- `runs/<label>.json`
-
-Use one run per line:
-
-```text
-full-release-validation openclaw/openclaw <run-id> blocking
-package-acceptance openclaw/openclaw <run-id> blocking
-release-checks openclaw/openclaw <run-id> blocking
-```
-
-Store summaries, run URLs, artifact metadata, timings, pass/fail state, and
-short release-manager notes there. Do not store raw logs, provider
-prompts/responses, channel transcripts, signing material, or secret-bearing
-config in git; raw logs stay in Actions artifacts.
-
-When `Full Release Validation` completes and
-`OPENCLAW_RELEASES_PRIVATE_DISPATCH_TOKEN` is configured in the public repo, it
-requests the private `OpenClaw Release Evidence From Full Validation` workflow.
-That private workflow reads the parent full-validation run, extracts the child
-CI/release-checks/Telegram run ids from the parent logs, and opens the evidence
-PR automatically. If the token is absent or the run predates this wiring, trigger
-that private workflow manually with the full-validation run id.
-
-### Release Checks
-
-`OpenClaw Release Checks` (`openclaw-release-checks.yml`) is the release child
-workflow. It is broader than normal CI but narrower than the umbrella because it
-does not dispatch the separate full normal CI child. It runs Package Acceptance
-with artifact-native delta lanes and `telegram_mode=mock-openai`, so the release
-package tarball also goes through offline plugin proof, bundled-channel compat,
-and Telegram package QA. The Docker release-path chunks cover the overlapping
-package/update/plugin lanes. Use it when release-path validation is needed
-without rerunning the entire umbrella.
-
-```bash
-gh workflow run openclaw-release-checks.yml \
-  --repo openclaw/openclaw \
-  --ref main \
-  -f ref=<branch-or-sha> \
-  -f provider=openai \
-  -f mode=both \
-  -f release_profile=stable \
-  -f rerun_group=all
-```
-
-Release-check rerun groups are `all`, `install-smoke`, `cross-os`, `live-e2e`,
-`package`, `qa`, `qa-parity`, and `qa-live`.
-`OpenClaw Release Checks` uses the trusted workflow ref to resolve the selected
-ref once as `release-package-under-test` and passes that artifact into cross-OS
-release checks, release-path Docker live/E2E checks, and Package Acceptance.
-When `Full Release Validation` dispatches release checks, it passes the requested
-branch/tag plus an `expected_sha` so branch/tag refs resolve through the fast
-remote-ref path while the package and QA jobs still validate the exact SHA.
-
-The full install-smoke child is split on purpose: one job prepares or reuses the
-target-SHA GHCR root Dockerfile smoke image, QR package install runs in its own
-job, root Dockerfile/gateway smokes pull the prepared image, and installer/Bun
-smokes pull the same image while building only their small installer images.
-If install-smoke gets slow again, first check whether the root image was reused
-or rebuilt before adding/removing coverage.
-
-The full-profile native live media shards use the prebuilt
-`ghcr.io/openclaw/openclaw-live-media-runner:ubuntu-24.04` container so
-`ffmpeg`/`ffprobe` are already present. If those jobs suddenly spend minutes in
-dependency setup again, first check the `Live Media Runner Image` workflow and
-the `Verify preinstalled live media dependencies` step before assuming the media
-tests themselves slowed down.
-
-The release Docker path intentionally shards the plugin/runtime tail. The
-workflow uses `plugins-runtime-plugins`, `plugins-runtime-services`, and
-`plugins-runtime-install-a` through `plugins-runtime-install-d`; aggregate
-aliases such as `plugins-runtime-core`, `plugins-runtime`, and
-`plugins-integrations` remain for manual reruns.
-
-The release QA parity box is internally split into candidate and baseline lane
-jobs, followed by a report job that downloads both artifacts and runs
-`pnpm openclaw qa parity-report`. For parity failures, inspect the failed lane
-first; inspect the report job when both lane summaries exist but the comparison
-fails.
-
-### QA Lab Matrix Profiles
-
-`pnpm openclaw qa matrix` defaults to `--profile all`. Do not assume the CLI
-default is the fast release path. Use explicit profiles:
-
-- `--profile fast`: release-critical Matrix transport contract; add
-  `--fail-fast` only when the target CLI supports it
-- `--profile transport|media|e2ee-smoke|e2ee-deep|e2ee-cli`: sharded full
-  Matrix proof
-- `OPENCLAW_QA_MATRIX_NO_REPLY_WINDOW_MS=3000`: CI-friendly no-reply quiet
-  window when paired with fast or sharded gates
-
-`QA-Lab - All Lanes` uses explicit fast Matrix on scheduled runs; manual
-dispatch keeps `matrix_profile=all` as the default and always shards that full
-Matrix selection. `OpenClaw Release Checks` uses explicit fast Matrix; run the
-all-lanes workflow when release investigation needs full Matrix media/E2EE
-inventory.
-
-### Reusable Live/E2E Checks
-
-`OpenClaw Live And E2E Checks (Reusable)`
-(`openclaw-live-and-e2e-checks-reusable.yml`) is the preferred entry point for
-targeted live, Docker, model, and E2E proof. Inputs let you turn off unrelated
-lanes:
-
-```bash
-gh workflow run openclaw-live-and-e2e-checks-reusable.yml \
-  --repo openclaw/openclaw \
-  --ref main \
-  -f ref=<sha> \
-  -f include_repo_e2e=false \
-  -f include_release_path_suites=false \
-  -f include_openwebui=false \
-  -f include_live_suites=true \
-  -f live_models_only=true \
-  -f live_model_providers=fireworks
-```
-
-Useful knobs:
-
-- `docker_lanes='<lane[,lane]>'`: run selected Docker scheduler lanes against
-  prepared artifacts instead of the release chunk matrix. Multiple selected
-  lanes fan out as parallel targeted Docker jobs after one shared package/image
-  preparation step.
-- `include_live_suites=false`: skip live/provider suites when testing Docker
-  scheduler or release packaging only.
-- `live_models_only=true`: run only Docker live model coverage.
-- `live_model_providers=fireworks` (or comma/space separated providers): run one
-  targeted Docker live model job instead of the full provider matrix.
-- blank `live_model_providers`: run the full live-model provider matrix.
-
-Release-path Docker chunks are currently `core`, `package-update-openai`,
-`package-update-anthropic`, `package-update-core`,
-`plugins-runtime-plugins`, `plugins-runtime-services`,
-`plugins-runtime-install-a`, `plugins-runtime-install-b`,
-`plugins-runtime-install-c`, `plugins-runtime-install-d`,
-`bundled-channels-core`, `bundled-channels-update-a`,
-`bundled-channels-update-b`, and `bundled-channels-contracts`. The aggregate
-`bundled-channels`, `plugins-runtime-core`, `plugins-runtime`, and
-`plugins-integrations` chunks remain valid for manual one-shot reruns, but
-release checks use the split chunks.
-
-When live suites are enabled, the workflow shards broad native `pnpm test:live`
-coverage through `scripts/test-live-shard.mjs` instead of one serial `live-all`
-job:
-
-- `native-live-src-agents`
-- `native-live-src-gateway-core`
-- `native-live-src-gateway-profiles` (release CI runs this with provider
-  filters such as `OPENCLAW_LIVE_GATEWAY_PROVIDERS=anthropic`)
-- `native-live-src-gateway-backends`
-- `native-live-test`
-- `native-live-extensions-a-k`
-- `native-live-extensions-l-n`
-- `native-live-extensions-openai`
-- `native-live-extensions-o-z`
-- `native-live-extensions-o-z-other`
-- `native-live-extensions-xai`
-- `native-live-extensions-media`
-- `native-live-extensions-media-audio`
-- `native-live-extensions-media-music`
-- `native-live-extensions-media-music-google`
-- `native-live-extensions-media-music-minimax`
-- `native-live-extensions-media-video`
-
-Use `node scripts/test-live-shard.mjs <shard> --list` to see the exact files
-before rerunning a failed native live shard. The aggregate `o-z` and `media`
-shards remain useful locally; release CI uses the smaller provider/media shards
-so one live-provider flake does not force a broad native live rerun.
-
-For model-list or provider-selection fixes, use `live_models_only=true` plus the
-specific `live_model_providers` allowlist. Confirm logs show the expected
-`OPENCLAW_LIVE_PROVIDERS` and selected model ids before declaring proof.
-
-## Docker
-
-Docker is expensive. First inspect the scheduler without running Docker:
-
-```bash
-OPENCLAW_DOCKER_ALL_DRY_RUN=1 pnpm test:docker:all
-OPENCLAW_DOCKER_ALL_DRY_RUN=1 OPENCLAW_DOCKER_ALL_LANES=install-e2e pnpm test:docker:all
-OPENCLAW_DOCKER_ALL_LANES=install-e2e node scripts/test-docker-all.mjs --plan-json
-```
-
-Run one failed lane locally only when explicitly asked or when GitHub is not
-usable:
-
-```bash
-OPENCLAW_DOCKER_ALL_LANES=<lane> \
-OPENCLAW_DOCKER_ALL_BUILD=0 \
-OPENCLAW_DOCKER_ALL_PREFLIGHT=0 \
-OPENCLAW_SKIP_DOCKER_BUILD=1 \
-OPENCLAW_DOCKER_E2E_BARE_IMAGE='<prepared-bare-image>' \
-OPENCLAW_DOCKER_E2E_FUNCTIONAL_IMAGE='<prepared-functional-image>' \
-pnpm test:docker:all
-```
-
-For release validation, prefer the reusable GitHub workflow input:
-
-```yaml
-docker_lanes: install-e2e
-```
-
-Multiple lanes are allowed:
-
-```yaml
-docker_lanes: install-e2e bundled-channel-update-acpx
-```
-
-That skips the release chunk matrix and runs one targeted Docker job against the
-prepared GHCR images and the selected package artifact. Rerun commands
-generated inside GitHub artifacts include `package_artifact_run_id`,
-`package_artifact_name`, `docker_e2e_bare_image`, and
-`docker_e2e_functional_image` when available, so failed lanes can reuse the
-exact tarball and prepared images from the failed run. When the fix changes
-package contents, omit those reuse inputs so the workflow packs a new tarball.
-Live-only targeted reruns skip the E2E images and build only the live-test
-image. Release-path normal mode fans out into smaller Docker chunk jobs:
-
-- `core`
-- `package-update-openai`
-- `package-update-anthropic`
-- `package-update-core`
-- `plugins-runtime-plugins`
-- `plugins-runtime-services`
-- `plugins-runtime-install-a`
-- `plugins-runtime-install-b`
-- `plugins-runtime-install-c`
-- `plugins-runtime-install-d`
-- `bundled-channels`
-
-OpenWebUI is folded into `plugins-runtime-services` for full release-path
-coverage and keeps a standalone `openwebui` chunk only for OpenWebUI-only
-dispatches. The legacy `package-update`, `plugins-runtime-core`,
-`plugins-runtime`, and `plugins-integrations` chunks still work as aggregate
-aliases for manual reruns, but the release workflow uses the split chunks so
-provider installer checks, plugin runtime checks, bundled plugin
-install/uninstall shards, and bundled-channel checks can run on separate
-machines. The bundled-channel runtime-dependency coverage
-inside `bundled-channels`
-uses the split `bundled-channel-*` and `bundled-channel-update-*` lanes rather
-than the serial `bundled-channel-deps` lane, so failures produce cheap targeted
-reruns for the exact channel/update scenario. The bundled plugin
-install/uninstall sweep is also split into
-`bundled-plugin-install-uninstall-0` through
-`bundled-plugin-install-uninstall-7`; selecting the legacy
-`bundled-plugin-install-uninstall` lane expands to all eight shards.
-
-## Package Acceptance
-
-Use the manual `Package Acceptance` workflow when the question is "does this
-installable package work as a product?" rather than "does this source diff pass
-Vitest?"
-
-In release validation, treat Package Acceptance as the package-candidate shard
-inside the larger release umbrella, not as a competing full-test path. Full
-Release Validation and private release gauntlets should call Package Acceptance
-for tarball resolution, Docker product/package proof, and optional Telegram QA
-against the same resolved `package-under-test` artifact; keep orchestration,
-secret policy, blocking/advisory status, and evidence rollup in the caller.
-
-Good defaults:
-
-```bash
-gh workflow run package-acceptance.yml --ref main \
-  -f source=npm \
-  -f workflow_ref=main \
-  -f package_spec=openclaw@beta \
-  -f suite_profile=product \
-  -f telegram_mode=mock-openai
-```
-
-Npm candidate selection:
-
-- Resolve the registry immediately before dispatch:
-  `npm view openclaw dist-tags --json --prefer-online --cache /tmp/openclaw-npm-cache-verify-$$`
-  and `npm view openclaw@beta version dist.tarball dist.integrity --json --prefer-online --cache /tmp/openclaw-npm-cache-verify-$$`.
-- If Peter asks for "latest beta", use `source=npm` with
-  `package_spec=openclaw@beta`, then record the resolved version from `npm view`
-  or the workflow summary.
-- For reruns, release proof, or comparing one known package, prefer the exact
-  immutable spec: `package_spec=openclaw@YYYY.M.D-beta.N` or
-  `package_spec=openclaw@YYYY.M.D`.
-- For stable package proof, use `package_spec=openclaw@latest` only when the
-  question is explicitly the current stable dist-tag; otherwise pin the exact
-  version.
-- `source=npm` only accepts registry specs for `openclaw@beta`,
-  `openclaw@latest`, or exact OpenClaw release versions. Do not pass semver
-  ranges, git refs, file paths, tarball URLs, or plugin package names there.
-- If the candidate is a tarball URL, use `source=url` with `package_sha256`. If
-  it is an Actions tarball artifact, use `source=artifact`. If it is an
-  unpublished source candidate, use `source=ref` with a trusted ref or SHA.
-- Package acceptance tests exactly the selected package candidate. Do not apply
-  `openclaw update --channel beta` fallback semantics here; if `beta` is absent,
-  stale, older than `latest`, or points at a broken tarball, report that tag
-  state instead of silently testing `latest`.
-
-Profiles:
-
-- `smoke`: quick confidence that the tarball installs, can onboard a channel,
-  can run an agent turn, and basic gateway/config lanes work.
-- `package`: release-package contract. Adds installer/update, doctor install
-  switching, bundled plugin runtime deps, plugin install/update, and package
-  repair lanes. This is the default native replacement for most Parallels
-  package/update coverage.
-- `product`: package profile plus broader product surfaces: MCP channels,
-  cron/subagent cleanup, OpenAI web search, and OpenWebUI.
-- `full`: split Docker release-path chunks with OpenWebUI.
-- `custom`: exact `docker_lanes` list for a focused rerun.
-
-Candidate sources:
-
-- `source=npm`: `openclaw@beta`, `openclaw@latest`, or an exact release version.
-- `source=ref`: pack `package_ref` using the trusted `workflow_ref` harness.
-  This intentionally separates old package commits from new workflow/test code.
-- `source=url`: HTTPS `.tgz` plus required `package_sha256`.
-- `source=artifact`: download one `.tgz` from `artifact_run_id`/`artifact_name`.
-
-Ref model:
-
-- `gh workflow run ... --ref <workflow-ref>` selects the workflow file revision
-  GitHub executes.
-- `workflow_ref` is the trusted harness/script ref passed to reusable Docker
-  E2E.
-- `package_ref` is the source ref to build when `source=ref`. It can be an
-  older branch/tag/SHA as long as it is reachable from an OpenClaw branch or
-  release tag.
-
-Example: run latest package acceptance harness against an older trusted commit:
-
-```bash
-gh workflow run package-acceptance.yml --ref main \
-  -f workflow_ref=main \
-  -f source=ref \
-  -f package_ref=<branch-or-sha> \
-  -f suite_profile=package \
-  -f telegram_mode=mock-openai
-```
-
-Use `telegram_mode=mock-openai` or `telegram_mode=live-frontier` when the same
-resolved `package-under-test` tarball should also run through the Telegram QA
-workflow in the `qa-live-shared` environment. The standalone Telegram workflow
-still accepts a published npm spec for post-publish checks, but Package
-Acceptance passes the resolved artifact for `source=npm`, `ref`, `url`, and
-`artifact`. Use `telegram_mode=none` only when intentionally skipping Telegram
-credentialed package proof for a focused rerun.
-
-Docker E2E images never copy repo sources as the app under test: the bare image
-is a Node/Git runner, and the functional image installs the same prebuilt npm
-tarball that bare lanes mount. `scripts/package-openclaw-for-docker.mjs` is the
-single packer for local scripts and CI and validates the tarball inventory
-before Docker consumes it. `scripts/test-docker-all.mjs --plan-json` is the
-scheduler-owned CI plan for image kind, package, live image, lane, and
-credential needs. Docker lane definitions live in the single scenario catalog
-`scripts/lib/docker-e2e-scenarios.mjs`; planner logic lives in
-`scripts/lib/docker-e2e-plan.mjs`. `scripts/docker-e2e.mjs` converts plan and
-summary JSON into GitHub outputs and step summaries. Every scheduler run writes
-`.artifacts/docker-tests/**/summary.json` plus `failures.json`. Read those
-before rerunning. Lane entries include `command`, `rerunCommand`, status,
-timing, timeout state, image kind, and log file path. The summary also includes
-top-level phase timings for preflight, image build, package prep, lane pools,
-and cleanup. Use `pnpm test:docker:timings <summary.json>` to rank slow lanes
-and phases before deciding whether a broader rerun is justified.
-
-Skill install proof: use `pnpm test:docker:skill-install` or targeted
-`docker_lanes=skill-install` for live ClawHub skill-install validation. The
-lane installs the package tarball in a bare runner, keeps
-`skills.install.allowUploadedArchives=false`, resolves the current live slug
-from `openclaw skills search`, installs it, and verifies `.clawhub` origin/lock
-metadata. Prefer this checked-in script over inline heredoc Testbox recipes.
-
-## Cheap Docker Reruns
-
-First derive the smallest rerun command from artifacts:
-
-```bash
-pnpm test:docker:rerun <github-run-id>
-pnpm test:docker:rerun .artifacts/docker-tests/<run>/failures.json
-```
-
-The script downloads Docker E2E artifacts for a GitHub run, reads
-`summary.json`/`failures.json`, and prints a combined targeted workflow command
-plus per-lane commands. Prefer the combined targeted command when several lanes
-failed for the same patch:
-
-```bash
-gh workflow run openclaw-live-and-e2e-checks-reusable.yml \
-  -f ref=<sha> \
-  -f include_repo_e2e=false \
-  -f include_release_path_suites=false \
-  -f include_openwebui=false \
-  -f docker_lanes='install-e2e bundled-channel-update-acpx' \
-  -f include_live_suites=false \
-  -f live_models_only=false
-```
-
-That path still runs the prepare job, so it creates a new tarball for `<sha>`.
-If the SHA-tagged GHCR bare/functional image already exists, CI skips rebuilding
-that image and only uploads the fresh package artifact before the targeted lane
-job. Do not rerun the full release path unless the failed lane list
-or touched surface really requires it.
-
-## Docker Expected Timings
-
-Treat these as ballpark. Blacksmith queue time, GHCR pull speed, provider
-latency, npm cache state, and Docker daemon health can dominate.
-
-Current local timing artifact (`.artifacts/docker-tests/lane-timings.json`) has
-these rough bands:
-
-- Tiny lanes, seconds to under 1 minute:
-  `agents-delete-shared-workspace` ~3s, `plugin-update` ~7s,
-  `config-reload` ~14s, `pi-bundle-mcp-tools` ~15s, `onboard` ~18s,
-  `session-runtime-context` ~20s, `gateway-network` ~34s, `qr` ~44s.
-- Medium deterministic lanes, ~1-5 minutes:
-  `npm-onboard-channel-agent` ~96s, `openai-image-auth` ~99s,
-  bundled channel/update lanes usually ~90-300s when split, `openwebui` ~225s,
-  `mcp-channels` ~274s.
-- Heavy deterministic lanes, ~6-10 minutes:
-  `bundled-channel-root-owned` ~429s,
-  `bundled-channel-setup-entry` ~420s,
-  `bundled-channel-load-failure` ~383s,
-  `cron-mcp-cleanup` ~567s.
-- Live provider lanes, often ~15-20 minutes:
-  `live-gateway` ~958s, `live-models` ~1054s.
-- Installer/release lanes:
-  `install-e2e` and package-update paths can vary widely with npm, provider,
-  and package registry behavior. Budget tens of minutes; prefer GitHub targeted
-  reruns over local repeats.
-
-Default fallback lane timeout is 120 minutes. A timeout usually means debug the
-lane log/artifacts first, not “run the whole thing again.”
-
-## Failure Workflow
-
-1. Identify exact failing job, SHA, lane, and artifact path.
-2. Read `failures.json`, `summary.json`, and the failed lane log tail.
-3. Use `pnpm test:docker:rerun <run-id|failures.json>` to generate targeted
-   GitHub rerun commands.
-4. If the lane has `rerunCommand`, use that only as a local starting point.
-5. For Docker release failures, dispatch targeted `docker_lanes=<failed-lane>`
-   on GitHub before considering local Docker.
-6. Patch narrowly, then rerun the failed file/lane only.
-7. Broaden to `pnpm check:changed` or CI only after the isolated proof passes.
-
-## When To Escalate
-
-- Public SDK/plugin contract changes: run changed gate plus relevant extension
-  validation.
-- Build output, lazy imports, package boundaries, or published surfaces:
-  include `pnpm build`.
-- Workflow edits: run `pnpm check:workflows`.
-- Release branch or tag validation: use release docs and GitHub workflows; avoid
-  local Docker unless Peter explicitly asks.

.agents/skills/openclaw-testing/agents/openai.yaml

@@ -1,4 +0,0 @@
-interface:
-  display_name: "OpenClaw Testing"
-  short_description: "Choose cheap, targeted OpenClaw validation"
-  default_prompt: "Use $openclaw-testing to choose the cheapest safe test or CI verification path, inspect failures, and rerun only the relevant OpenClaw lane."

.agents/skills/optimizetests/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: optimizetests
-description: Optimize OpenClaw slow tests, imports, misplaced coverage, and CI wall time without dropping coverage.
+description: Optimize OpenClaw test runtime end to end. Use when the user asks for /optimizetests, slow-test review, import optimization, deduping tests, moving misplaced core coverage to extensions, or reducing CI/test wall time without adding shards or dropping coverage.
 ---
 
 # Optimize Tests

.agents/skills/parallels-discord-roundtrip/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: parallels-discord-roundtrip
-description: Run macOS Parallels smoke with Discord send, host verification, host reply, and guest readback proof.
+description: Run the macOS Parallels smoke harness with Discord end-to-end roundtrip verification, including guest send, host verification, host reply, and guest readback.
 ---
 
 # Parallels Discord Roundtrip
@@ -50,7 +50,6 @@ pnpm test:parallels:macos \
 - Avoid `prlctl enter` / expect for long Discord setup scripts; it line-wraps/corrupts long commands. Use `prlctl exec --current-user /bin/sh -lc ...` for the Discord config phase.
 - Full 3-OS sweeps: the shared build lock is safe in parallel, but snapshot restore is still a Parallels bottleneck. Prefer serialized Windows/Linux restore-heavy reruns if the host is already under load.
 - Harness cleanup deletes the temporary Discord smoke messages at exit.
-- After a successful Discord roundtrip, shut down the macOS guest before handoff (`prlctl stop "macOS Tahoe"`). The macOS smoke harness should do this automatically after successful Discord proof; still stop the VM manually after ad-hoc Discord checks. Do not leave the Discord-configured VM running; it can keep reading/posting in `#maintainer` and spam Discord after the proof is complete.
 - Per-phase logs: `/tmp/openclaw-parallels-smoke.*`
 - Machine summary: pass `--json`
 - If roundtrip flakes, inspect `fresh.discord-roundtrip.log` and `discord-last-readback.json` in the run dir first.

.agents/skills/security-triage/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: security-triage
-description: Triage OpenClaw security advisories, drafts, and GHSA reports with shipped-tag and trust-model proof.
+description: Triage GitHub security advisories for OpenClaw with high-confidence close/keep decisions, exact tag and commit verification, trust-model checks, optional hardening notes, and a final reply ready to post and copy to clipboard.
 ---
 
 # Security Triage
@@ -45,17 +45,6 @@ For each advisory, decide:
 - `keep open`
 - `keep open but narrow`
 
-Default to one advisory at a time when comments/closures are involved:
-
-1. Review exactly one GHSA.
-2. Print the GHSA URL first.
-3. Summarize the decision and evidence for discussion.
-4. Draft one maintainer-ready comment.
-5. Copy only that one comment to the clipboard.
-6. Stop and wait for Peter to post/discuss before moving to the next GHSA.
-
-Do not batch multiple close comments unless Peter explicitly asks for a batch.
-
 Check in this order:
 
 1. Trust model
@@ -71,11 +60,6 @@ Check in this order:
 4. Functional tradeoff
    - If a hardening change would reduce intended user functionality, call that out before proposing it.
    - Prefer fixes that preserve user workflows over deny-by-default regressions unless the boundary demands it.
-5. Hardening follow-up
-   - Even when the GHSA should close, ask whether a narrow hardening change would reduce footguns without changing the documented trust boundary.
-   - Separate hardening from vulnerability status. Phrase it as "not required for GHSA closure, but worth considering".
-   - Bring up hardening only if it is concrete, low-risk, and preserves intended maintainer/operator workflows.
-   - If hardening would require a product/security model change, say that explicitly and do not imply it is a required fix for closure.
 
 ## Response Format
 
@@ -92,22 +76,9 @@ When preparing a maintainer-ready close reply:
 
 Keep tone firm, specific, non-defensive.
 
-## Discussion Mode
-
-When Peter is manually posting GHSA comments, use this flow:
-
-1. Show the URL.
-2. Give a terse verdict (`close`, `keep open`, or `keep open but narrow`).
-3. List the strongest evidence bullets.
-4. State any optional hardening follow-up separately from the close reason.
-5. Copy the proposed comment body with `pbcopy`.
-6. End the reply after the one advisory. Do not continue to the next advisory until Peter says to continue.
-
-If the GitHub API cannot post comments for private advisories, say so once and keep using clipboard/UI paste.
-
 ## Clipboard Step
 
-After drafting the final post body for the current advisory, copy it:
+After drafting the final post body, copy it:
 
 ```bash
 pbcopy <<'EOF'
@@ -115,7 +86,7 @@ pbcopy <<'EOF'
 EOF
 ```
 
-Tell the user that the clipboard now contains the proposed response for that advisory.
+Tell the user that the clipboard now contains the proposed response.
 
 ## Useful Commands
 

.agents/skills/tag-duplicate-prs-issues/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: tag-duplicate-prs-issues
-description: Use gitcrawl to search duplicate OpenClaw PRs/issues, group related work in prtags, and sync duplicate state to GitHub.
+description: Maintainer workflow for deciding whether an OpenClaw pull request or issue is a duplicate, gathering evidence with ghreplica and pr-search-cli, grouping related work in prtags, and syncing the duplicate grouping back to GitHub through prtags. Use when Codex needs to search for duplicate PRs or issues, create or reuse a duplicate group, enforce one-group-per-target discipline, save duplicate judgments in prtags, or prepare group state for comment sync.
 ---
 
 # Tag Duplicate PRs and Issues
@@ -12,25 +12,43 @@ It is not for reviewing the implementation quality of a PR.
 
 ## Required Setup
 
-Do not write duplicate groups or annotations until this setup is complete.
-Read-only discovery can still proceed with `gitcrawl` and live `gh`.
+Do not start duplicate triage until this setup is complete.
 
-### Companion Skills
+### Install the companion skills
 
-Use `$gitcrawl` first for local candidate discovery.
-Use the `prtags` skill from the `prtags` repo at `skills/prtags/SKILL.md` when it is available.
+Install these skills first because they teach the agent how to use the two main CLIs correctly:
+
+- `ghreplica` skill from the `ghreplica` repo at `skills/ghreplica/SKILL.md`
+- `prtags` skill from the `prtags` repo at `skills/prtags/SKILL.md`
+
+This skill assumes those two skills are available and can be used during the same run.
 
 ### Install the CLIs
 
-Install `prtags` from its latest GitHub release.
+Install `ghreplica` and `prtags` from their latest GitHub releases.
 Do not rely on an old local build unless the maintainer explicitly wants to test unreleased behavior.
 
+`ghreplica` CLI install path:
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/dutifuldev/ghreplica/main/scripts/install-ghr.sh | bash -s -- --bin-dir "$HOME/.local/bin"
+```
+
 `prtags` CLI install path:
 
 ```bash
 curl -fsSL https://raw.githubusercontent.com/dutifuldev/prtags/main/scripts/install-prtags.sh | bash -s -- --bin-dir "$HOME/.local/bin"
 ```
 
+Use the `pr-search-cli` project with `uvx`.
+The command itself is `pr-search`.
+Do not require a permanent install unless the maintainer explicitly wants one.
+
+```bash
+uvx --from pr-search-cli pr-search status
+uvx --from pr-search-cli pr-search code similar 67144
+```
+
 ### Authenticate prtags
 
 `prtags` should be logged in with the maintainer's own GitHub account through OAuth device flow.
@@ -48,15 +66,20 @@ The expected outcome is that `prtags` stores the logged-in maintainer identity l
 Do not require an up-front preflight before starting the workflow.
 Proceed with the normal steps until you actually need a tool or account state.
 
-As soon as you discover that `prtags` is missing or not logged in at the write step, stop immediately.
-Do not continue in a partial write mode after that point.
+As soon as you discover that a required CLI is missing or `prtags` is not logged in, stop immediately.
+Do not continue in a partial mode after that point.
 
-If `prtags` is missing, ask the user to run:
+If `ghr` is missing, ask the user to run the `ghreplica` install command.
+
+If `prtags` is missing, ask the user to run both CLI install commands:
 
 ```bash
+curl -fsSL https://raw.githubusercontent.com/dutifuldev/ghreplica/main/scripts/install-ghr.sh | bash -s -- --bin-dir "$HOME/.local/bin"
 curl -fsSL https://raw.githubusercontent.com/dutifuldev/prtags/main/scripts/install-prtags.sh | bash -s -- --bin-dir "$HOME/.local/bin"
 ```
 
+If `uvx --from pr-search-cli pr-search ...` fails because `uvx` or the `pr-search` launcher is not available, ask the user to make that command work before continuing.
+
 If `prtags auth status` shows that the user is not logged in, ask the user to run:
 
 ```bash
@@ -67,19 +90,19 @@ Resume only after the missing tool or login state has been fixed.
 
 ## Read-Path Default
 
-For candidate discovery in this workflow, use `gitcrawl` first.
-Treat it as the local history and clustering layer for related issues, duplicate attempts, and closed threads.
+For read-only GitHub operations in this workflow, use `ghr` as the default CLI.
+Treat it as a drop-in replacement for the `gh` read operations you would normally use for PRs, issues, comments, reviews, and duplicate-search evidence.
 
-Use live `gh` or `gh api` for the target thread and for any candidate before making an actionable judgment.
-Use live GitHub when `gitcrawl` is missing or stale for a concrete reason, such as:
+Only fall back to `gh` when `ghr` is failing for a concrete reason, such as:
 
-- the target or candidate is not present yet
-- the local data is clearly stale or incomplete for the decision you need to make
-- `gitcrawl` errors, times out, or lacks the needed neighbor/search data
+- the mirrored object is not present yet
+- the mirror data is clearly stale or incomplete for the decision you need to make
+- the `ghr` command errors, times out, or does not expose the specific read you need
 
-When you fall back to live GitHub search, note that you did so and why.
+When you fall back to `gh`, note that you did so and why.
 
-If a later `prtags` target-level write fails because its own mirror has not caught up, stop and report that the curation backend is missing the target object instead of forcing a fallback write.
+If `ghr` is missing a fresh PR or issue but `gh` can read it, you may use `gh` for the read-side judgment.
+If a later `prtags` target-level write fails because the same object is still missing from `ghreplica`, stop and report that the mirror has not caught up yet instead of forcing the write.
 
 ## Goal
 
@@ -95,12 +118,14 @@ For each target PR or issue:
 
 Use the tools with these boundaries:
 
-- `gitcrawl` is candidate generation and historical context
-  - use it first for local title/body search, neighbors, clusters, and closed-thread discovery
-  - treat every candidate as a lead until live GitHub confirms it
-- `gh` is live GitHub truth
-  - use it for target state, body, comments, reviews, files, linked issues, and current open/closed/merged status
-  - use `gh search` only when `gitcrawl` is stale, missing data, or cannot express the needed query
+- `ghreplica` is the raw evidence source
+  - use `ghr` first for normal GitHub read operations in this workflow
+  - use it for title/body/comment search, related PRs, overlapping files, overlapping ranges, and current PR or issue status
+  - resort to `gh` only when `ghr` cannot provide the needed read cleanly
+- `pr-search-cli` is candidate generation and ranking
+  - use it to suggest likely duplicate PRs or issue-cluster context
+  - do not treat it as final truth
+  - do not create or expand a duplicate group only because `pr-search-cli` put multiple PRs in the same issue or duplicate cluster
 - `prtags` is the maintainer curation layer
   - use it to create or reuse one duplicate group
   - use it to save the duplicate status, confidence, rationale, and group summary
@@ -157,7 +182,7 @@ Examples:
 ## Evidence Checklist
 
 Before declaring a duplicate, gather evidence from at least two categories.
-`gitcrawl` neighbors, search hits, and cluster membership count as candidate generation, not as enough proof by themselves.
+Same-issue or same-cluster output from `pr-search-cli` counts only as candidate generation, not as one of the required proof categories by itself.
 
 For PRs:
 
@@ -180,18 +205,21 @@ If you only have wording similarity, that is not enough.
 ## Step 1: Read The Target
 
 Start by reading the target itself.
-Use live GitHub for current target state.
+Use `ghr` first for this step even if you would normally reach for `gh`.
 
 For a PR:
 
 ```bash
-gh pr view <number> --json number,title,state,mergedAt,body,closingIssuesReferences,files,comments,reviews,statusCheckRollup
+ghr pr view -R openclaw/openclaw <number> --comments
+ghr pr reviews -R openclaw/openclaw <number>
+ghr pr comments -R openclaw/openclaw <number>
 ```
 
 For an issue:
 
 ```bash
-gh issue view <number> --json number,title,state,body,comments,closedAt
+ghr issue view -R openclaw/openclaw <number> --comments
+ghr issue comments -R openclaw/openclaw <number>
 ```
 
 Record:
@@ -204,56 +232,74 @@ Record:
 - whether it is open, closed, or merged
 - whether there is already a likely duplicate thread mentioned by humans
 
-## Step 2: Search Broadly With Gitcrawl
+## Step 2: Search Broadly With ghreplica
 
-Use `gitcrawl` first because it is the local OpenClaw history and clustering source.
-Do not switch to broad live GitHub search unless `gitcrawl` is missing data, stale, or failing.
+Use `ghreplica` first because it is the most direct evidence source.
+Do not switch to `gh` for ordinary reads unless `ghr` is missing data or failing.
 
-Start with the target and nearby threads:
+### PR duplicate search
+
+Run all of these when the target is a PR:
 
 ```bash
-gitcrawl threads openclaw/openclaw --numbers <issue-or-pr-number> --include-closed --json
-gitcrawl neighbors openclaw/openclaw --number <issue-or-pr-number> --limit 20 --json
+ghr search related-prs -R openclaw/openclaw <pr-number> --mode path_overlap --state all
+ghr search related-prs -R openclaw/openclaw <pr-number> --mode range_overlap --state all
+ghr search mentions -R openclaw/openclaw --query "<key phrase from title or body>" --mode fts --scope pull_requests --state all
+ghr search mentions -R openclaw/openclaw --query "<subsystem or error phrase>" --mode fts --scope issues --state all
 ```
 
-Then search key phrases and subsystem terms:
+Use `prs-by-paths` or `prs-by-ranges` when the likely duplicate surface is already known:
 
 ```bash
-gitcrawl search openclaw/openclaw --query "<key phrase from title or body>" --mode hybrid --limit 20 --json
-gitcrawl search openclaw/openclaw --query "<subsystem or error phrase>" --mode hybrid --limit 20 --json
+ghr search prs-by-paths -R openclaw/openclaw --path src/example.ts --state all
+ghr search prs-by-ranges -R openclaw/openclaw --path src/example.ts --start 20 --end 80 --state all
 ```
 
-Inspect likely clusters:
+### Issue duplicate search
+
+`ghreplica` does not have a special issue-to-issue “related issues” command.
+For issues, search mirrored text and linked PR context instead.
+
+Run targeted text searches:
 
 ```bash
-gitcrawl cluster-detail openclaw/openclaw --id <cluster-id> --member-limit 20 --body-chars 280 --json
+ghr search mentions -R openclaw/openclaw --query "<issue title phrase>" --mode fts --scope issues --state all
+ghr search mentions -R openclaw/openclaw --query "<error message or symptom>" --mode fts --scope issues --state all
+ghr search mentions -R openclaw/openclaw --query "<subsystem phrase>" --mode fts --scope pull_requests --state all
 ```
 
-For PRs, verify likely code overlap with live file data:
+Then inspect the candidate PRs or issues those searches uncover.
+
+## Step 3: Use pr-search-cli As A Hint Layer
+
+Use `pr-search-cli` after `ghreplica`.
+It is good at surfacing candidates quickly, but it is not the final decision-maker.
+Run it through the `pr-search` command.
+
+For a PR:
 
 ```bash
-gh pr view <candidate-pr> --json number,title,state,mergedAt,files,body,comments,reviews
+uvx --from pr-search-cli pr-search -R openclaw/openclaw code similar <pr-number>
+uvx --from pr-search-cli pr-search -R openclaw/openclaw code clusters for-pr <pr-number>
+uvx --from pr-search-cli pr-search -R openclaw/openclaw issues for-pr <pr-number>
+uvx --from pr-search-cli pr-search -R openclaw/openclaw issues duplicate-prs
 ```
 
-For issues, verify likely duplicate issue state and comments live:
+Interpretation:
 
-```bash
-gh issue view <candidate-issue> --json number,title,state,body,comments,closedAt
-```
+- `code similar` suggests PRs with similar change shape
+- `code clusters for-pr` shows the PR’s nearby code cluster
+- `issues for-pr` shows which issue clusters the PR appears to belong to
+- `issues duplicate-prs` is useful for spotting already-known duplicate PR patterns
 
-## Step 3: Use Live GitHub Search For Gaps
+Treat every `pr-search-cli` result as a hint to investigate, not as enough evidence to create or widen a duplicate group.
+Multiple PRs can share the same issue or issue cluster while still taking meaningfully different fix paths.
 
-Use targeted live GitHub search after `gitcrawl` when:
+For an issue:
 
-- the target is too new for the local store
-- comments or reviews matter and the local store lacks them
-- the exact phrase did not appear in local results but the issue/PR is current enough that GitHub should know it
-
-```bash
-gh search prs --repo openclaw/openclaw --match title,body --limit 50 -- "<key phrase>"
-gh search issues --repo openclaw/openclaw --match title,body --limit 50 -- "<key phrase>"
-gh search issues --repo openclaw/openclaw --match comments --limit 50 -- "<error or maintainer phrase>"
-```
+- use `ghreplica` first to find candidate PRs or issue wording
+- if the issue has linked PRs or a likely implementation PR, run `pr-search-cli` on those PRs
+- treat issue-cluster output as supporting context, not as enough by itself to call the issue a duplicate
 
 ## Step 4: Decide The Outcome
 
@@ -298,7 +344,7 @@ Reuse an existing group when:
 - it already contains clearly related members
 - adding the target would keep the group coherent
 
-Do not widen an existing group just because `gitcrawl` placed several PRs or issues near each other.
+Do not widen an existing group just because `pr-search-cli` placed several PRs under the same issue or duplicate cluster.
 Confirm that the actual implementation path and maintainer intent still match before adding the new member.
 
 Create a new group only when no existing group clearly fits.
@@ -377,8 +423,8 @@ prtags annotation group set <group-id> \
 
 When the evidence is incomplete, set `duplicate_status=candidate` and lower the confidence.
 
-If a per-PR or per-issue annotation write fails because `prtags` cannot resolve the target, do not force a fallback write path.
-Keep the group state you were able to write, report that the curation backend is still missing the target object, and defer the target-level annotation until `prtags` catches up.
+If a per-PR or per-issue annotation write fails because `prtags` cannot resolve the target through `ghreplica`, do not force a fallback write path.
+Keep the group state you were able to write, report that the mirror is still missing the target object, and defer the target-level annotation until `ghreplica` catches up.
 
 ## Step 8: Let prtags Sync The Group Comment
 

.agents/skills/tag-duplicate-prs-issues/agents/openai.yaml

@@ -1,4 +1,4 @@
 interface:
   display_name: "Tag Duplicate PRs and Issues"
-  short_description: "Find duplicate PRs and issues with gitcrawl, group them in prtags, and let prtags sync the GitHub comment"
-  default_prompt: "Use $tag-duplicate-prs-issues to decide whether an OpenClaw PR or issue is a duplicate, gather candidates with gitcrawl, verify live state with GitHub, group related items in prtags, and save the duplicate judgment."
+  short_description: "Find duplicate PRs and issues, group them in prtags, and let prtags sync the GitHub comment"
+  default_prompt: "Use $tag-duplicate-prs-issues to decide whether an OpenClaw PR or issue is a duplicate, gather evidence with ghreplica and pr-search-cli, group related items in prtags, and save the duplicate judgment."

.agents/skills/telegram-crabbox-e2e-proof/SKILL.md

@@ -1,196 +0,0 @@
----
-name: telegram-crabbox-e2e-proof
-description: Use when reviewing, reproducing, or proving OpenClaw Telegram behavior with a real Telegram user on Crabbox, including PR review workflows that need an agent-controlled Telegram Desktop recording, TDLib user-driver commands, Convex-leased credentials, WebVNC observation, and motion-trimmed artifacts.
----
-
-# Telegram Crabbox E2E Proof
-
-Use this for Telegram PR review or bug reproduction when bot-to-bot proof is
-not enough. The goal is to let the agent keep a real Telegram user session open
-until it is satisfied, then attach visual proof.
-
-Do not use personal accounts. Do not add credentials to the repo, prompt, or
-artifact bundle. The runner leases the shared burner account from Convex.
-
-## Start
-
-Run from the OpenClaw repo and branch under test:
-
-```bash
-pnpm qa:telegram-user:crabbox -- start \
-  --tdlib-url http://artifacts.openclaw.ai/tdlib-v1.8.0-linux-x64.tgz \
-  --output-dir .artifacts/qa-e2e/telegram-user-crabbox/pr-review
-```
-
-This starts one held session:
-
-- leases the exclusive `telegram-user` Convex credential
-- restores TDLib and Telegram Desktop with the same user account
-- starts a mock OpenClaw Telegram SUT from the current checkout
-- selects the configured Telegram chat in the visible Linux desktop
-- starts a 24fps desktop recording
-- writes `.artifacts/qa-e2e/telegram-user-crabbox/pr-review/session.json`
-
-Keep the session alive while investigating. It is valid for the agent to test
-for minutes, run several commands, use WebVNC, inspect transcripts, and only
-finish once the behavior is understood.
-
-For deterministic visual repros, put the exact mock-model reply in a file and
-pass it to `start`:
-
-```bash
-pnpm qa:telegram-user:crabbox -- start \
-  --tdlib-url http://artifacts.openclaw.ai/tdlib-v1.8.0-linux-x64.tgz \
-  --mock-response-file .artifacts/qa-e2e/telegram-user-crabbox/reply.txt \
-  --output-dir .artifacts/qa-e2e/telegram-user-crabbox/pr-review
-```
-
-The runner defaults to `--class standard`, `--record-fps 24`,
-`--preview-fps 24`, and `--preview-width 1920`. Keep those defaults unless the
-proof needs something else.
-
-## While Testing
-
-For visual proof, first send or identify a bottom marker message, then open the
-group/topic directly by message id:
-
-```bash
-pnpm qa:telegram-user:crabbox -- view \
-  --session .artifacts/qa-e2e/telegram-user-crabbox/pr-review/session.json \
-  --message-id <message-id>
-```
-
-This uses Telegram Desktop directly with `tg://privatepost`, not `xdg-open`.
-It also resizes Telegram to `650x1000` at the tested desktop position so
-Telegram switches to single-chat mode with no left chat list or right info
-pane. Do not press Escape after this; Escape can close the selected chat.
-
-Bottom behavior matters:
-
-- deep-linking to the newest message keeps Telegram pinned to the bottom, so
-  later messages appear live in the recording
-- deep-linking to an older message does not auto-scroll to new arrivals; link
-  again to the newest/final marker instead of clicking the down-arrow
-- `650px` is the largest tested clean width; `660px` switches Telegram back to
-  split/sidebar layout
-
-Send as the real Telegram user:
-
-```bash
-pnpm qa:telegram-user:crabbox -- send \
-  --session .artifacts/qa-e2e/telegram-user-crabbox/pr-review/session.json \
-  --text /status
-```
-
-For slash commands, omit the bot username; the runner targets the SUT bot.
-
-Run arbitrary commands on the Crabbox:
-
-```bash
-pnpm qa:telegram-user:crabbox -- run \
-  --session .artifacts/qa-e2e/telegram-user-crabbox/pr-review/session.json \
-  -- bash -lc 'source /tmp/openclaw-telegram-user-crabbox/env.sh && python3 /tmp/openclaw-telegram-user-crabbox/user-driver.py transcript --limit 20 --json'
-```
-
-Useful remote user-driver commands:
-
-```bash
-source /tmp/openclaw-telegram-user-crabbox/env.sh
-python3 /tmp/openclaw-telegram-user-crabbox/user-driver.py status --json
-python3 /tmp/openclaw-telegram-user-crabbox/user-driver.py chats --json
-python3 /tmp/openclaw-telegram-user-crabbox/user-driver.py transcript --limit 20 --json
-python3 /tmp/openclaw-telegram-user-crabbox/user-driver.py send --text '/status@{sut}'
-python3 /tmp/openclaw-telegram-user-crabbox/user-driver.py probe --text '@{sut} Reply exactly: USER-E2E-{run}' --expect USER-E2E-
-```
-
-Capture the current desktop without ending the session:
-
-```bash
-pnpm qa:telegram-user:crabbox -- screenshot \
-  --session .artifacts/qa-e2e/telegram-user-crabbox/pr-review/session.json
-```
-
-Check lease state and get the WebVNC command:
-
-```bash
-pnpm qa:telegram-user:crabbox -- status \
-  --session .artifacts/qa-e2e/telegram-user-crabbox/pr-review/session.json
-```
-
-## Finish
-
-Always finish or explicitly keep the box:
-
-```bash
-pnpm qa:telegram-user:crabbox -- finish \
-  --session .artifacts/qa-e2e/telegram-user-crabbox/pr-review/session.json \
-  --preview-crop telegram-window
-```
-
-`finish` stops recording, creates motion-trimmed MP4/GIF artifacts, captures a
-final screenshot and logs, releases the Convex credential, stops the local SUT,
-and stops the Crabbox lease. `--preview-crop telegram-window` also creates a
-fixed-geometry GIF from the tested Telegram proof window for clean side-by-side
-PR tables; the full desktop video/GIF remains in the artifact directory. Pass
-`--keep-box` only when a human needs to continue VNC debugging after the
-credential is released.
-
-After any failure or interruption, verify cleanup:
-
-```bash
-crabbox list --provider aws
-```
-
-If a session file exists and the credential may still be leased, run `finish`
-with that session file before retrying.
-
-## Attach Proof
-
-Attach only the useful visual artifact to the PR unless logs are needed. The
-runner is GIF-only by default:
-
-```bash
-pnpm qa:telegram-user:crabbox -- publish \
-  --session .artifacts/qa-e2e/telegram-user-crabbox/pr-review/session.json \
-  --pr <pr-number> \
-  --summary 'Telegram real-user Crabbox session motion GIF'
-```
-
-This copies only the useful GIF into a temporary publish bundle and comments
-that GIF. If `finish --preview-crop telegram-window` produced a cropped GIF,
-publish uses that; otherwise it uses `telegram-user-crabbox-session-motion.gif`.
-Use `--full-artifacts` only when the PR needs logs or JSON output. Never publish
-credential payloads, local env files, TDLib databases, Telegram Desktop
-profiles, or raw session archives.
-
-For before/after proof, run one session on `main` and one on the PR head, then
-publish only the intended GIFs from a clean bundle:
-
-```bash
-mkdir -p .artifacts/qa-e2e/telegram-user-crabbox/pr-123/comparison
-cp <main-output>/telegram-user-crabbox-session-motion-telegram-window.gif \
-  .artifacts/qa-e2e/telegram-user-crabbox/pr-123/comparison/main-before.gif
-cp <pr-output>/telegram-user-crabbox-session-motion-telegram-window.gif \
-  .artifacts/qa-e2e/telegram-user-crabbox/pr-123/comparison/pr-after.gif
-crabbox artifacts publish \
-  --repo openclaw/openclaw \
-  --pr 123 \
-  --dir .artifacts/qa-e2e/telegram-user-crabbox/pr-123/comparison \
-  --summary 'Telegram before/after proof' \
-  --no-comment
-```
-
-Then post a concise markdown table with those two URLs. Do not publish working
-directories that contain screenshots, raw videos, logs, session JSON, or crop
-experiments unless those artifacts are explicitly needed.
-
-## Quick Smoke
-
-For a fast one-shot check, use:
-
-```bash
-pnpm qa:telegram-user:crabbox -- --text /status
-```
-
-This is a start/send/finish shortcut. Prefer the held session for PR review,
-issue reproduction, or any task where the agent may need several attempts.

.crabbox.yaml

@@ -1,46 +0,0 @@
-profile: openclaw-check
-provider: aws
-class: standard
-capacity:
-  market: spot
-  strategy: most-available
-  fallback: on-demand-after-120s
-  hints: true
-  regions:
-    - eu-west-1
-    - eu-west-2
-    - eu-central-1
-    - us-east-1
-    - us-west-2
-actions:
-  workflow: .github/workflows/crabbox-hydrate.yml
-  job: hydrate
-  ref: main
-  runnerLabels:
-    - crabbox
-    - openclaw
-  runnerVersion: latest
-  ephemeral: true
-aws:
-  region: eu-west-1
-  rootGB: 400
-sync:
-  delete: true
-  checksum: false
-  gitSeed: true
-  fingerprint: true
-  baseRef: main
-  exclude:
-    - .artifacts
-    - .codex
-    - .DS_Store
-    - playwright-report
-    - test-results
-env:
-  allow:
-    - CI
-    - NODE_OPTIONS
-    - OPENCLAW_*
-ssh:
-  user: crabbox
-  port: "2222"

.detect-secrets.cfg

@@ -0,0 +1,45 @@
+# detect-secrets exclusion patterns (regex)
+#
+# Note: detect-secrets does not read this file by default. If you want these
+# applied, wire them into your scan command (e.g. translate to --exclude-files
+# / --exclude-lines) or into a baseline's filters_used.
+
+[exclude-files]
+# pnpm lockfiles contain lots of high-entropy package integrity blobs.
+pattern = (^|/)pnpm-lock\.yaml$
+
+[exclude-lines]
+# Fastlane checks for private key marker; not a real key.
+pattern = key_content\.include\?\("BEGIN PRIVATE KEY"\)
+# UI label string for Anthropic auth mode.
+pattern = case \.apiKeyEnv: "API key \(env var\)"
+# CodingKeys mapping uses apiKey literal.
+pattern = case apikey = "apiKey"
+# Schema labels referencing password fields (not actual secrets).
+pattern = "gateway\.remote\.password"
+pattern = "gateway\.auth\.password"
+# Schema label for talk API key (label text only).
+pattern = "talk\.apiKey"
+# checking for typeof is not something we care about.
+pattern = === "string"
+# specific optional-chaining password check that didn't match the line above.
+pattern = typeof remote\?\.password === "string"
+# Docker apt signing key fingerprint constant; not a secret.
+pattern = OPENCLAW_DOCKER_GPG_FINGERPRINT=
+# Credential matrix metadata field in docs JSON; not a secret value.
+pattern = "secretShape": "(secret_input|sibling_ref)"
+# Docs line describing API key rotation knobs; not a credential.
+pattern = API key rotation \(provider-specific\): set `\*_API_KEYS`
+# Docs line describing remote password precedence; not a credential.
+pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.auth\.passw[o]rd` -> `gateway\.remote\.passw[o]rd`
+pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.remote\.passw[o]rd` -> `gateway\.auth\.passw[o]rd`
+# Test fixture starts a multiline fake private key; detector should ignore the header line.
+pattern = const key = `-----BEGIN PRIVATE KEY-----
+# Docs examples: literal placeholder API key snippets and shell heredoc helper.
+pattern = export CUSTOM_API_K[E]Y="your-key"
+pattern = grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc \|\| cat >> ~/.bashrc <<'EOF'
+pattern = env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},
+pattern = "ap[i]Key": "xxxxx",
+pattern = ap[i]Key: "A[I]za\.\.\.",
+# Sparkle appcast signatures are release metadata, not credentials.
+pattern = sparkle:edSignature="[A-Za-z0-9+/=]+"

.dockerignore

@@ -8,14 +8,6 @@
 
 .bun-cache
 .bun
-.artifacts
-**/.artifacts
-.local
-**/.local
-.pi
-**/.pi
-__openclaw_vitest__
-**/__openclaw_vitest__
 .tmp
 **/.tmp
 .DS_Store
@@ -46,9 +38,6 @@ docs/.generated
 *.log
 tmp
 **/tmp
-dist-runtime
-**/dist-runtime
-openclaw-path-alias-*
 
 # build artifacts
 dist
@@ -59,6 +48,11 @@ apps/ios/build
 
 # large app trees not needed for CLI build
 apps/
+assets/
+Peekaboo/
+Swabble/
+Core/
+Users/
 vendor/
 
 # Needed for building the Canvas A2UI bundle during Docker image builds.

.env.example

@@ -29,12 +29,6 @@ OPENCLAW_GATEWAY_TOKEN=
 # OPENCLAW_CONFIG_PATH=~/.openclaw/openclaw.json
 # OPENCLAW_HOME=~
 
-# Allowlist of extra directories that `$include` directives in openclaw.json may
-# resolve files from. Path-list separated (':' on POSIX, ';' on Windows). Each
-# entry is tilde-expanded. Without this, `$include` is confined to the directory
-# containing openclaw.json.
-# OPENCLAW_INCLUDE_ROOTS=/etc/openclaw/shared:~/.openclaw/shared
-
 # Optional: import missing keys from your login shell profile.
 # OPENCLAW_LOAD_SHELL_ENV=1
 # OPENCLAW_SHELL_ENV_TIMEOUT_MS=15000
@@ -88,5 +82,4 @@ OPENCLAW_GATEWAY_TOKEN=
 
 # ELEVENLABS_API_KEY=...
 # XI_API_KEY=...  # alias for ElevenLabs
-# INWORLD_API_KEY=...
 # DEEPGRAM_API_KEY=...

.github/CODEOWNERS

@@ -2,51 +2,49 @@
 /.github/CODEOWNERS @steipete
 
 # WARNING: GitHub CODEOWNERS uses last-match-wins semantics.
-# If you add overlapping rules below the secops block, include @openclaw/openclaw-secops
+# If you add overlapping rules below the secops block, include @openclaw/secops
 # on those entries too or you can silently remove required secops review.
 # Security-sensitive code, config, and docs require secops review.
-/SECURITY.md @openclaw/openclaw-secops
-/.github/dependabot.yml @openclaw/openclaw-secops
-/.github/codeql/ @openclaw/openclaw-secops
-/.github/workflows/codeql.yml @openclaw/openclaw-secops
-/.github/workflows/codeql-android-critical-security.yml @openclaw/openclaw-secops
-/.github/workflows/codeql-critical-quality.yml @openclaw/openclaw-secops
-/src/security/ @openclaw/openclaw-secops
-/src/secrets/ @openclaw/openclaw-secops
-/src/config/*secret*.ts @openclaw/openclaw-secops
-/src/config/**/*secret*.ts @openclaw/openclaw-secops
-/src/gateway/*auth*.ts @openclaw/openclaw-secops
-/src/gateway/**/*auth*.ts @openclaw/openclaw-secops
-/src/gateway/*secret*.ts @openclaw/openclaw-secops
-/src/gateway/**/*secret*.ts @openclaw/openclaw-secops
-/src/gateway/security-path*.ts @openclaw/openclaw-secops
-/src/gateway/resolve-configured-secret-input-string*.ts @openclaw/openclaw-secops
-/src/gateway/protocol/**/*secret*.ts @openclaw/openclaw-secops
-/src/gateway/server-methods/secrets*.ts @openclaw/openclaw-secops
-/src/agents/*auth*.ts @openclaw/openclaw-secops
-/src/agents/**/*auth*.ts @openclaw/openclaw-secops
-/src/agents/auth-profiles*.ts @openclaw/openclaw-secops
-/src/agents/auth-health*.ts @openclaw/openclaw-secops
-/src/agents/auth-profiles/ @openclaw/openclaw-secops
-/src/agents/sandbox.ts @openclaw/openclaw-secops
-/src/agents/sandbox-*.ts @openclaw/openclaw-secops
-/src/agents/sandbox/ @openclaw/openclaw-secops
-/src/infra/secret-file*.ts @openclaw/openclaw-secops
-/src/cron/stagger.ts @openclaw/openclaw-secops
-/src/cron/service/jobs.ts @openclaw/openclaw-secops
-/docs/security/ @openclaw/openclaw-secops
-/docs/gateway/authentication.md @openclaw/openclaw-secops
-/docs/gateway/sandbox-vs-tool-policy-vs-elevated.md @openclaw/openclaw-secops
-/docs/gateway/sandboxing.md @openclaw/openclaw-secops
-/docs/gateway/secrets-plan-contract.md @openclaw/openclaw-secops
-/docs/gateway/secrets.md @openclaw/openclaw-secops
-/docs/gateway/security/ @openclaw/openclaw-secops
-/docs/cli/approvals.md @openclaw/openclaw-secops
-/docs/cli/sandbox.md @openclaw/openclaw-secops
-/docs/cli/security.md @openclaw/openclaw-secops
-/docs/cli/secrets.md @openclaw/openclaw-secops
-/docs/reference/secretref-credential-surface.md @openclaw/openclaw-secops
-/docs/reference/secretref-user-supplied-credentials-matrix.json @openclaw/openclaw-secops
+/SECURITY.md @openclaw/secops
+/.github/dependabot.yml @openclaw/secops
+/.github/codeql/ @openclaw/secops
+/.github/workflows/codeql.yml @openclaw/secops
+/src/security/ @openclaw/secops
+/src/secrets/ @openclaw/secops
+/src/config/*secret*.ts @openclaw/secops
+/src/config/**/*secret*.ts @openclaw/secops
+/src/gateway/*auth*.ts @openclaw/secops
+/src/gateway/**/*auth*.ts @openclaw/secops
+/src/gateway/*secret*.ts @openclaw/secops
+/src/gateway/**/*secret*.ts @openclaw/secops
+/src/gateway/security-path*.ts @openclaw/secops
+/src/gateway/resolve-configured-secret-input-string*.ts @openclaw/secops
+/src/gateway/protocol/**/*secret*.ts @openclaw/secops
+/src/gateway/server-methods/secrets*.ts @openclaw/secops
+/src/agents/*auth*.ts @openclaw/secops
+/src/agents/**/*auth*.ts @openclaw/secops
+/src/agents/auth-profiles*.ts @openclaw/secops
+/src/agents/auth-health*.ts @openclaw/secops
+/src/agents/auth-profiles/ @openclaw/secops
+/src/agents/sandbox.ts @openclaw/secops
+/src/agents/sandbox-*.ts @openclaw/secops
+/src/agents/sandbox/ @openclaw/secops
+/src/infra/secret-file*.ts @openclaw/secops
+/src/cron/stagger.ts @openclaw/secops
+/src/cron/service/jobs.ts @openclaw/secops
+/docs/security/ @openclaw/secops
+/docs/gateway/authentication.md @openclaw/secops
+/docs/gateway/sandbox-vs-tool-policy-vs-elevated.md @openclaw/secops
+/docs/gateway/sandboxing.md @openclaw/secops
+/docs/gateway/secrets-plan-contract.md @openclaw/secops
+/docs/gateway/secrets.md @openclaw/secops
+/docs/gateway/security/ @openclaw/secops
+/docs/cli/approvals.md @openclaw/secops
+/docs/cli/sandbox.md @openclaw/secops
+/docs/cli/security.md @openclaw/secops
+/docs/cli/secrets.md @openclaw/secops
+/docs/reference/secretref-credential-surface.md @openclaw/secops
+/docs/reference/secretref-user-supplied-credentials-matrix.json @openclaw/secops
 
 # Release workflow and its supporting release-path checks.
 /.github/workflows/openclaw-npm-release.yml @openclaw/openclaw-release-managers

.github/actionlint.yaml

@@ -4,7 +4,6 @@
 self-hosted-runner:
   labels:
     # Blacksmith CI runners
-    - blacksmith-4vcpu-ubuntu-2404
     - blacksmith-8vcpu-ubuntu-2404
     - blacksmith-8vcpu-windows-2025
     - blacksmith-16vcpu-ubuntu-2404

.github/actions/docker-e2e-plan/action.yml

@@ -1,152 +0,0 @@
-name: Docker E2E plan and hydrate
-description: >
-  Create a Docker E2E lane plan, expose GitHub outputs, and optionally hydrate
-  the prebuilt package artifact plus shared Docker images needed by the plan.
-inputs:
-  mode:
-    description: prepare, chunk, or targeted.
-    required: true
-  chunk:
-    description: Release-path chunk for mode=chunk.
-    required: false
-    default: ""
-  lanes:
-    description: Comma/space separated lane names for targeted or prepare mode.
-    required: false
-    default: ""
-  include-openwebui:
-    description: Whether Open WebUI is included when planning release/prepare coverage.
-    required: false
-    default: "true"
-  include-release-path-suites:
-    description: Whether prepare mode should plan all release-path suites.
-    required: false
-    default: "false"
-  hydrate-artifacts:
-    description: Whether to download/pull artifacts required by the plan.
-    required: false
-    default: "true"
-  package-artifact-name:
-    description: Workflow artifact name containing openclaw-current.tgz.
-    required: false
-    default: docker-e2e-package
-outputs:
-  credentials:
-    description: Comma-separated credential groups required by selected lanes.
-    value: ${{ steps.plan.outputs.credentials }}
-  needs_bare_image:
-    description: "1 when selected lanes require the bare Docker E2E image."
-    value: ${{ steps.plan.outputs.needs_bare_image }}
-  needs_e2e_image:
-    description: "1 when selected lanes require any Docker E2E image."
-    value: ${{ steps.plan.outputs.needs_e2e_image }}
-  needs_functional_image:
-    description: "1 when selected lanes require the functional Docker E2E image."
-    value: ${{ steps.plan.outputs.needs_functional_image }}
-  needs_live_image:
-    description: "1 when selected lanes require building the live Docker image."
-    value: ${{ steps.plan.outputs.needs_live_image }}
-  needs_package:
-    description: "1 when selected lanes require the OpenClaw package tarball."
-    value: ${{ steps.plan.outputs.needs_package }}
-  plan_json:
-    description: Path to the generated plan JSON.
-    value: ${{ steps.plan.outputs.plan_json }}
-runs:
-  using: composite
-  steps:
-    - name: Plan Docker E2E lanes
-      id: plan
-      shell: bash
-      env:
-        MODE: ${{ inputs.mode }}
-        CHUNK: ${{ inputs.chunk }}
-        LANES: ${{ inputs.lanes }}
-        INCLUDE_OPENWEBUI: ${{ inputs.include-openwebui }}
-        INCLUDE_RELEASE_PATH_SUITES: ${{ inputs.include-release-path-suites }}
-      run: |
-        set -euo pipefail
-        mkdir -p .artifacts/docker-tests
-
-        case "$MODE" in
-          prepare)
-            plan_path=".artifacts/docker-tests/plan.json"
-            if [[ "$INCLUDE_RELEASE_PATH_SUITES" == "true" ]]; then
-              export OPENCLAW_DOCKER_ALL_PROFILE=release-path
-              export OPENCLAW_DOCKER_ALL_PLAN_RELEASE_ALL=1
-            elif [[ -n "$LANES" ]]; then
-              export OPENCLAW_DOCKER_ALL_LANES="$LANES"
-            elif [[ "$INCLUDE_OPENWEBUI" == "true" ]]; then
-              export OPENCLAW_DOCKER_ALL_LANES=openwebui
-            fi
-            ;;
-          chunk)
-            if [[ -z "$CHUNK" ]]; then
-              echo "chunk input is required for Docker E2E chunk planning." >&2
-              exit 1
-            fi
-            export OPENCLAW_DOCKER_ALL_PROFILE=release-path
-            export OPENCLAW_DOCKER_ALL_CHUNK="$CHUNK"
-            plan_path=".artifacts/docker-tests/release-${CHUNK}-plan.json"
-            ;;
-          targeted)
-            if [[ -z "$LANES" ]]; then
-              echo "lanes input is required for Docker E2E targeted planning." >&2
-              exit 1
-            fi
-            if [[ "$INCLUDE_RELEASE_PATH_SUITES" == "true" ]]; then
-              export OPENCLAW_DOCKER_ALL_PROFILE=release-path
-            fi
-            export OPENCLAW_DOCKER_ALL_LANES="$LANES"
-            plan_path=".artifacts/docker-tests/targeted-plan.json"
-            ;;
-          *)
-            echo "mode must be prepare, chunk, or targeted. Got: $MODE" >&2
-            exit 1
-            ;;
-        esac
-
-        export OPENCLAW_DOCKER_ALL_INCLUDE_OPENWEBUI="$INCLUDE_OPENWEBUI"
-        node scripts/test-docker-all.mjs --plan-json > "$plan_path"
-        node scripts/docker-e2e.mjs github-outputs "$plan_path" >> "$GITHUB_OUTPUT"
-        echo "plan_json=$plan_path" >> "$GITHUB_OUTPUT"
-
-    - name: Download OpenClaw Docker E2E package
-      if: inputs.hydrate-artifacts == 'true' && steps.plan.outputs.needs_package == '1'
-      uses: actions/download-artifact@v8
-      with:
-        name: ${{ inputs.package-artifact-name }}
-        path: .artifacts/docker-e2e-package
-
-    - name: Pull shared bare Docker E2E image
-      if: inputs.hydrate-artifacts == 'true' && steps.plan.outputs.needs_bare_image == '1'
-      shell: bash
-      run: |
-        set -euo pipefail
-        docker pull "${OPENCLAW_DOCKER_E2E_BARE_IMAGE}"
-
-    - name: Pull shared functional Docker E2E image
-      if: inputs.hydrate-artifacts == 'true' && steps.plan.outputs.needs_functional_image == '1'
-      shell: bash
-      run: |
-        set -euo pipefail
-        docker pull "${OPENCLAW_DOCKER_E2E_FUNCTIONAL_IMAGE}"
-
-    - name: Validate Docker E2E credentials
-      if: inputs.hydrate-artifacts == 'true'
-      shell: bash
-      env:
-        CREDENTIALS: ${{ steps.plan.outputs.credentials }}
-      run: |
-        set -euo pipefail
-        credentials=",$CREDENTIALS,"
-        if [[ "$credentials" == *",openai,"* ]]; then
-          [[ -n "${OPENAI_API_KEY:-}" ]] || {
-            echo "OPENAI_API_KEY is required for selected Docker E2E lanes." >&2
-            exit 1
-          }
-        fi
-        if [[ "$credentials" == *",anthropic,"* && -z "${ANTHROPIC_API_TOKEN:-}" && -z "${ANTHROPIC_API_KEY:-}" ]]; then
-          echo "ANTHROPIC_API_TOKEN or ANTHROPIC_API_KEY is required for selected Docker E2E lanes." >&2
-          exit 1
-        fi

.github/actions/setup-node-env/action.yml

@@ -37,7 +37,6 @@ runs:
         check-latest: false
 
     - name: Setup pnpm + cache store
-      id: pnpm-cache
       uses: ./.github/actions/setup-pnpm-store-cache
       with:
         pnpm-version: ${{ inputs.pnpm-version }}
@@ -47,7 +46,7 @@ runs:
       if: inputs.install-bun == 'true'
       uses: oven-sh/setup-bun@v2.2.0
       with:
-        bun-version: "1.3.13"
+        bun-version: "1.3.9"
 
     - name: Runtime versions
       shell: bash
@@ -90,21 +89,11 @@ runs:
 
         install_args=(
           install
-          --prefer-offline
           --ignore-scripts=false
           --config.engine-strict=false
           --config.enable-pre-post-scripts=true
-          --config.side-effects-cache=true
         )
         if [ -n "$LOCKFILE_FLAG" ]; then
           install_args+=("$LOCKFILE_FLAG")
         fi
         pnpm "${install_args[@]}" || pnpm "${install_args[@]}"
-
-    - name: Save pnpm store cache
-      if: inputs.install-deps == 'true' && steps.pnpm-cache.outputs.cache-enabled == 'true' && steps.pnpm-cache.outputs.cache-hit != 'true'
-      uses: actions/cache/save@v5
-      continue-on-error: true
-      with:
-        path: ${{ steps.pnpm-cache.outputs.store-path }}
-        key: ${{ steps.pnpm-cache.outputs.primary-key }}

.github/actions/setup-pnpm-store-cache/action.yml

@@ -14,32 +14,15 @@ inputs:
     required: false
     default: "true"
   use-actions-cache:
-    description: Whether to restore pnpm store with actions/cache.
+    description: Whether to restore/save pnpm store with actions/cache.
     required: false
     default: "true"
-outputs:
-  cache-enabled:
-    description: Whether actions/cache restore was enabled.
-    value: ${{ steps.pnpm-cache-config.outputs.enabled }}
-  cache-hit:
-    description: Whether the pnpm store cache had an exact key hit.
-    value: ${{ steps.pnpm-cache-restore.outputs.cache-hit }}
-  cache-matched-key:
-    description: Cache key matched by restore, if any.
-    value: ${{ steps.pnpm-cache-restore.outputs.cache-matched-key }}
-  primary-key:
-    description: Primary pnpm store cache key.
-    value: ${{ steps.pnpm-cache-config.outputs.primary-key }}
-  store-path:
-    description: Resolved pnpm store path.
-    value: ${{ steps.pnpm-store.outputs.path }}
 runs:
   using: composite
   steps:
     - name: Setup pnpm (corepack retry)
       shell: bash
       env:
-        COREPACK_ENABLE_DOWNLOAD_PROMPT: "0"
         PNPM_VERSION: ${{ inputs.pnpm-version }}
       run: |
         set -euo pipefail
@@ -63,29 +46,18 @@ runs:
       shell: bash
       run: echo "path=$(pnpm store path --silent)" >> "$GITHUB_OUTPUT"
 
-    - name: Resolve pnpm store cache keys
-      id: pnpm-cache-config
-      shell: bash
-      env:
-        CACHE_KEY_SUFFIX: ${{ inputs.cache-key-suffix }}
-        LOCKFILE_HASH: ${{ hashFiles('pnpm-lock.yaml') }}
-        USE_ACTIONS_CACHE: ${{ inputs.use-actions-cache }}
-        USE_RESTORE_KEYS: ${{ inputs.use-restore-keys }}
-      run: |
-        set -euo pipefail
-        echo "enabled=$USE_ACTIONS_CACHE" >> "$GITHUB_OUTPUT"
-        echo "primary-key=${RUNNER_OS}-pnpm-store-${CACHE_KEY_SUFFIX}-${LOCKFILE_HASH}" >> "$GITHUB_OUTPUT"
-        if [ "$USE_RESTORE_KEYS" = "true" ]; then
-          echo "restore-keys=${RUNNER_OS}-pnpm-store-${CACHE_KEY_SUFFIX}-" >> "$GITHUB_OUTPUT"
-        else
-          echo "restore-keys=" >> "$GITHUB_OUTPUT"
-        fi
-
-    - name: Restore pnpm store cache
-      id: pnpm-cache-restore
-      if: inputs.use-actions-cache == 'true'
-      uses: actions/cache/restore@v5
+    - name: Restore pnpm store cache (exact key only)
+      if: inputs.use-actions-cache == 'true' && inputs.use-restore-keys != 'true'
+      uses: actions/cache@v5
       with:
         path: ${{ steps.pnpm-store.outputs.path }}
-        key: ${{ steps.pnpm-cache-config.outputs.primary-key }}
-        restore-keys: ${{ steps.pnpm-cache-config.outputs.restore-keys }}
+        key: ${{ runner.os }}-pnpm-store-${{ inputs.cache-key-suffix }}-${{ hashFiles('pnpm-lock.yaml') }}
+
+    - name: Restore pnpm store cache (with fallback keys)
+      if: inputs.use-actions-cache == 'true' && inputs.use-restore-keys == 'true'
+      uses: actions/cache@v5
+      with:
+        path: ${{ steps.pnpm-store.outputs.path }}
+        key: ${{ runner.os }}-pnpm-store-${{ inputs.cache-key-suffix }}-${{ hashFiles('pnpm-lock.yaml') }}
+        restore-keys: |
+          ${{ runner.os }}-pnpm-store-${{ inputs.cache-key-suffix }}-

.github/codeql/codeql-actions-critical-security.yml

@@ -1,21 +0,0 @@
-name: openclaw-codeql-actions-critical-security
-
-disable-default-queries: true
-
-queries:
-  - uses: security-extended
-
-query-filters:
-  - include:
-      precision:
-        - high
-        - very-high
-      tags contain: security
-      security-severity: /([7-9]|10)\.(\d)+/
-
-paths:
-  - .github/actions
-  - .github/workflows
-
-paths-ignore:
-  - .github/workflows/stale.yml

.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml

@@ -1,53 +0,0 @@
-name: openclaw-codeql-agent-runtime-boundary-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - src/acp/control-plane
-  - src/agents/command
-  - src/agents/cli-runner
-  - src/agents/pi-embedded-runner
-  - src/agents/tools
-  - src/agents/*completion*.ts
-  - src/agents/*transport*.ts
-  - src/agents/model-*.ts
-  - src/agents/openclaw-tools*.ts
-  - src/agents/provider-*.ts
-  - src/agents/session*.ts
-  - src/agents/tool-call*.ts
-  - src/auto-reply/reply/agent-runner*.ts
-  - src/auto-reply/reply/commands*.ts
-  - src/auto-reply/reply/directive-handling*.ts
-  - src/auto-reply/reply/dispatch-*.ts
-  - src/auto-reply/reply/get-reply-run*.ts
-  - src/auto-reply/reply/provider-dispatcher*.ts
-  - src/auto-reply/reply/queue*.ts
-  - src/auto-reply/reply/reply-run-registry*.ts
-  - src/auto-reply/reply/session*.ts
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-android-critical-security.yml

@@ -1,30 +0,0 @@
-name: openclaw-codeql-android-critical-security
-
-disable-default-queries: true
-
-queries:
-  - uses: security-extended
-
-query-filters:
-  # Android canvas intentionally runs trusted A2UI JavaScript; keep this profile focused on exploitable WebView edges.
-  - exclude:
-      id: java/android/websettings-javascript-enabled
-  # Gateway TLS already pins verified certificate SHA-256 fingerprints. OkHttp CertificatePinner pins SPKI hashes,
-  # so this query is noisy for OpenClaw's TOFU/local-gateway trust model and does not belong in the critical profile.
-  - exclude:
-      id: java/android/missing-certificate-pinning
-
-paths:
-  - apps/android/app/src/main
-
-paths-ignore:
-  - "**/.gradle"
-  - "**/build"
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.*"
-  - "**/*Test.kt"
-  - "**/*Test.java"
-  - "**/*Benchmark.kt"
-  - apps/android/app/src/test
-  - apps/android/benchmark

.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml

@@ -1,55 +0,0 @@
-name: openclaw-codeql-channel-runtime-boundary-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - extensions/discord/src
-  - extensions/feishu/src
-  - extensions/googlechat/src
-  - extensions/imessage/src
-  - extensions/irc/src
-  - extensions/line/src
-  - extensions/matrix/src
-  - extensions/mattermost/src
-  - extensions/msteams/src
-  - extensions/nextcloud-talk/src
-  - extensions/nostr/src
-  - extensions/qa-channel/src
-  - extensions/qqbot/src
-  - extensions/signal/src
-  - extensions/slack/src
-  - extensions/synology-chat/src
-  - extensions/telegram/src
-  - extensions/tlon/src
-  - extensions/twitch/src
-  - extensions/whatsapp/src
-  - extensions/zalo/src
-  - extensions/zalouser/src
-  - src/channels
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-channel-runtime-boundary-critical-security.yml

@@ -1,48 +0,0 @@
-name: openclaw-codeql-channel-runtime-boundary-critical-security
-
-disable-default-queries: true
-
-queries:
-  - uses: security-extended
-
-query-filters:
-  - include:
-      precision:
-        - high
-        - very-high
-      tags contain: security
-      security-severity: /([7-9]|10)\.(\d)+/
-
-paths:
-  - src/channels
-  - src/config/channel-*.ts
-  - src/config/types.channel*.ts
-  - src/gateway/server-channel*.ts
-  - src/gateway/server-methods/channels.ts
-  - src/gateway/protocol/schema/channels.ts
-  - src/infra/channel-*.ts
-  - src/infra/exec-approval-channel-runtime.ts
-  - src/infra/outbound/channel-*.ts
-  - src/plugin-sdk/channel-*.ts
-  - src/plugins/channel-*.ts
-  - src/plugins/bundled-channel-*.ts
-  - src/plugins/runtime/*channel*.ts
-  - src/secrets/channel-*.ts
-  - src/secrets/runtime-config-collectors-channels.ts
-  - src/security/audit-channel*.ts
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-config-boundary-critical-quality.yml

@@ -1,33 +0,0 @@
-name: openclaw-codeql-config-boundary-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - src/config
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-core-auth-secrets-critical-quality.yml

@@ -1,53 +0,0 @@
-name: openclaw-codeql-core-auth-secrets-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - src/agents/*auth*.ts
-  - src/agents/**/*auth*.ts
-  - src/agents/auth-health*.ts
-  - src/agents/auth-profiles
-  - src/agents/bash-tools.exec-host-shared.ts
-  - src/agents/sandbox
-  - src/agents/sandbox.ts
-  - src/agents/sandbox-*.ts
-  - src/cron/service/jobs.ts
-  - src/cron/stagger.ts
-  - src/gateway/*auth*.ts
-  - src/gateway/**/*auth*.ts
-  - src/gateway/*secret*.ts
-  - src/gateway/**/*secret*.ts
-  - src/gateway/protocol/**/*secret*.ts
-  - src/gateway/resolve-configured-secret-input-string*.ts
-  - src/gateway/security-path*.ts
-  - src/gateway/server-methods/secrets*.ts
-  - src/infra/secret-file*.ts
-  - src/secrets
-  - src/security
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-core-auth-secrets-critical-security.yml

@@ -1,55 +0,0 @@
-name: openclaw-codeql-core-auth-secrets-critical-security
-
-disable-default-queries: true
-
-queries:
-  - uses: security-extended
-
-query-filters:
-  - include:
-      precision:
-        - high
-        - very-high
-      tags contain: security
-      security-severity: /([7-9]|10)\.(\d)+/
-
-paths:
-  - src/agents/*auth*.ts
-  - src/agents/**/*auth*.ts
-  - src/agents/auth-health*.ts
-  - src/agents/auth-profiles
-  - src/agents/bash-tools.exec-host-shared.ts
-  - src/agents/sandbox
-  - src/agents/sandbox.ts
-  - src/agents/sandbox-*.ts
-  - src/config/*secret*.ts
-  - src/config/**/*secret*.ts
-  - src/cron/service/jobs.ts
-  - src/cron/stagger.ts
-  - src/gateway/*auth*.ts
-  - src/gateway/**/*auth*.ts
-  - src/gateway/*secret*.ts
-  - src/gateway/**/*secret*.ts
-  - src/gateway/protocol/**/*secret*.ts
-  - src/gateway/resolve-configured-secret-input-string*.ts
-  - src/gateway/security-path*.ts
-  - src/gateway/server-methods/secrets*.ts
-  - src/infra/secret-file*.ts
-  - src/secrets
-  - src/security
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-gateway-runtime-boundary-critical-quality.yml

@@ -1,37 +0,0 @@
-name: openclaw-codeql-gateway-runtime-boundary-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - src/gateway/method-scopes.ts
-  - src/gateway/protocol
-  - src/gateway/server-methods
-  - src/gateway/server-methods.ts
-  - src/gateway/server-methods-list.ts
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-javascript-typescript.yml

@@ -0,0 +1,18 @@
+name: openclaw-codeql-javascript-typescript
+
+paths:
+  - src
+  - extensions
+  - ui/src
+  - skills
+
+paths-ignore:
+  - apps
+  - dist
+  - docs
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"

.github/codeql/codeql-macos-critical-security.yml

@@ -1,17 +0,0 @@
-name: openclaw-codeql-macos-critical-security
-
-disable-default-queries: true
-
-queries:
-  - uses: security-extended
-
-paths:
-  - apps/macos/Sources
-
-paths-ignore:
-  - "**/.build"
-  - "**/.build/**"
-  - "**/DerivedData"
-  - "**/DerivedData/**"
-  - "**/*.generated.swift"
-  - "**/*Tests.swift"

.github/codeql/codeql-mcp-process-runtime-boundary-critical-quality.yml

@@ -1,35 +0,0 @@
-name: openclaw-codeql-mcp-process-runtime-boundary-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - src/mcp
-  - src/process
-  - src/infra/outbound
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml

@@ -1,56 +0,0 @@
-name: openclaw-codeql-mcp-process-tool-boundary-critical-security
-
-disable-default-queries: true
-
-queries:
-  - uses: security-extended
-
-query-filters:
-  - include:
-      precision:
-        - high
-        - very-high
-      tags contain: security
-      security-severity: /([7-9]|10)\.(\d)+/
-
-paths:
-  - src/mcp
-  - src/process
-  - src/infra/outbound
-  - src/agents/bash-tools.exec*.ts
-  - src/agents/bash-tools.process*.ts
-  - src/agents/exec-*.ts
-  - src/agents/execution-contract.ts
-  - src/agents/openclaw-plugin-tools.ts
-  - src/agents/openclaw-tools.runtime.ts
-  - src/agents/openclaw-tools.registration.ts
-  - src/agents/pi-tool-definition-adapter.ts
-  - src/agents/pi-tools.abort.ts
-  - src/agents/pi-tools.before-tool-call*.ts
-  - src/agents/pi-tools.host-edit.ts
-  - src/agents/pi-tools-parameter-schema.ts
-  - src/agents/pi-embedded-runner/effective-tool-policy.ts
-  - src/agents/pi-embedded-runner/tool-name-allowlist.ts
-  - src/agents/pi-embedded-runner/tool-schema-runtime.ts
-  - src/agents/tools/gateway-tool.ts
-  - src/agents/tools/message-tool.ts
-  - src/agents/tools/sessions-send-tool.ts
-  - src/agents/tools/sessions-spawn-tool.ts
-  - src/agents/tools/subagents-tool.ts
-  - src/agents/tools/tool-runtime.helpers.ts
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-memory-runtime-boundary-critical-quality.yml

@@ -1,41 +0,0 @@
-name: openclaw-codeql-memory-runtime-boundary-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - packages/memory-host-sdk/src
-  - src/memory
-  - src/memory-host-sdk
-  - src/plugin-sdk/memory-*.ts
-  - src/plugin-sdk/memory-core-host-*.ts
-  - src/plugins/memory-*.ts
-  - src/gateway/server-startup-memory.ts
-  - src/commands/doctor-memory-search.ts
-  - src/commands/doctor-cron-dreaming-payload-migration.ts
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-network-runtime-boundary-critical-quality.yml

@@ -1,28 +0,0 @@
-name: openclaw-codeql-network-runtime-boundary-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: ./.github/codeql/openclaw-boundary/queries/raw-socket-callsite-classification.ql
-  - uses: ./.github/codeql/openclaw-boundary/queries/managed-proxy-runtime-mutation.ql
-
-paths:
-  - src
-  - extensions
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"
-  - "extensions/diffs/assets/**"

.github/codeql/codeql-network-ssrf-boundary-critical-security.yml

@@ -1,41 +0,0 @@
-name: openclaw-codeql-network-ssrf-boundary-critical-security
-
-disable-default-queries: true
-
-queries:
-  - uses: security-extended
-
-query-filters:
-  - include:
-      precision:
-        - high
-        - very-high
-      tags contain: security
-      security-severity: /([7-9]|10)\.(\d)+/
-
-paths:
-  - src/infra/net
-  - src/shared/net
-  - src/agents/tools/web-fetch.ts
-  - src/agents/tools/web-guarded-fetch.ts
-  - src/agents/tools/web-shared.ts
-  - src/plugin-sdk/ssrf-policy.ts
-  - src/web-fetch
-  - src/web/provider-runtime-shared.ts
-  - packages/memory-host-sdk/src/host/ssrf-policy.ts
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-plugin-boundary-critical-quality.yml

@@ -1,75 +0,0 @@
-name: openclaw-codeql-plugin-boundary-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - src/plugins/activation-planner.ts
-  - src/plugins/api-builder.ts
-  - src/plugins/bundled-compat.ts
-  - src/plugins/bundled-dir.ts
-  - src/plugins/bundled-plugin-metadata.ts
-  - src/plugins/bundled-public-surface-runtime-root.ts
-  - src/plugins/plugin-sdk-dist-alias.ts
-  - src/plugins/captured-registration.ts
-  - src/plugins/config-activation-shared.ts
-  - src/plugins/config-contracts.ts
-  - src/plugins/config-normalization-shared.ts
-  - src/plugins/config-policy.ts
-  - src/plugins/config-schema.ts
-  - src/plugins/config-state.ts
-  - src/plugins/discovery.ts
-  - src/plugins/effective-plugin-ids.ts
-  - src/plugins/externalized-bundled-plugins.ts
-  - src/plugins/installed-plugin-index*.ts
-  - src/plugins/loader*.ts
-  - src/plugins/manifest*.ts
-  - src/plugins/module-export.ts
-  - src/plugins/package-entrypoints.ts
-  - src/plugins/plugin-registry*.ts
-  - src/plugins/provider-contract-public-artifacts.ts
-  - src/plugins/provider-public-artifacts.ts
-  - src/plugins/public-surface*.ts
-  - src/plugins/registry.ts
-  - src/plugins/registry-types.ts
-  - src/plugins/runtime
-  - src/plugins/runtime-state.ts
-  - src/plugins/runtime.ts
-  - src/plugins/sdk-alias.ts
-  - src/plugins/source-loader.ts
-  - src/plugins/types.ts
-  - src/plugins/validation-diagnostics.ts
-  - src/plugins/web-provider-public-artifacts*.ts
-  - src/plugin-sdk/*entry*.ts
-  - src/plugin-sdk/*facade*.ts
-  - src/plugin-sdk/api-baseline.ts
-  - src/plugin-sdk/config-schema.ts
-  - src/plugin-sdk/config-types.ts
-  - src/plugin-sdk/core.ts
-  - src/plugin-sdk/extension-shared.ts
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-plugin-sdk-package-contract-critical-quality.yml

@@ -1,36 +0,0 @@
-name: openclaw-codeql-plugin-sdk-package-contract-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - packages/plugin-sdk/src
-  - packages/plugin-package-contract/src
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.spec.ts"
-  - "**/*.spec.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-plugin-sdk-reply-runtime-critical-quality.yml

@@ -1,44 +0,0 @@
-name: openclaw-codeql-plugin-sdk-reply-runtime-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - src/plugin-sdk/inbound-envelope.ts
-  - src/plugin-sdk/inbound-reply-dispatch.ts
-  - src/plugin-sdk/reply-*.ts
-  - src/plugin-sdk/channel-reply-*.ts
-  - src/plugin-sdk/delivery-queue-runtime.ts
-  - src/plugin-sdk/outbound-runtime.ts
-  - src/plugin-sdk/outbound-send-deps.ts
-  - src/plugin-sdk/model-session-runtime.ts
-  - src/plugin-sdk/session-*.ts
-  - src/plugin-sdk/thread-bindings-runtime.ts
-  - src/plugin-sdk/thread-bindings-session-runtime.ts
-  - src/plugin-sdk/conversation-binding-runtime.ts
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-plugin-trust-boundary-critical-security.yml

@@ -1,86 +0,0 @@
-name: openclaw-codeql-plugin-trust-boundary-critical-security
-
-disable-default-queries: true
-
-queries:
-  - uses: security-extended
-
-query-filters:
-  - include:
-      precision:
-        - high
-        - very-high
-      tags contain: security
-      security-severity: /([7-9]|10)\.(\d)+/
-
-paths:
-  - src/cli/plugin-install-config-policy.ts
-  - src/cli/plugin-registry-loader.ts
-  - src/cli/plugins-command-helpers.ts
-  - src/cli/plugins-install-command.ts
-  - src/cli/plugins-install-record-commit.ts
-  - src/plugins/activation-planner.ts
-  - src/plugins/bundle-manifest.ts
-  - src/plugins/bundled-compat.ts
-  - src/plugins/bundled-dir.ts
-  - src/plugins/bundled-plugin-metadata.ts
-  - src/plugins/bundled-plugin-scan.ts
-  - src/plugins/plugin-sdk-dist-alias.ts
-  - src/plugins/cli-registry-loader.ts
-  - src/plugins/config-activation-shared.ts
-  - src/plugins/config-contracts.ts
-  - src/plugins/config-policy.ts
-  - src/plugins/config-schema.ts
-  - src/plugins/dependency-denylist.ts
-  - src/plugins/discovery.ts
-  - src/plugins/effective-plugin-ids.ts
-  - src/plugins/externalized-bundled-plugins.ts
-  - src/plugins/install.runtime.ts
-  - src/plugins/install-source-info.ts
-  - src/plugins/installed-plugin-index*.ts
-  - src/plugins/loader*.ts
-  - src/plugins/manifest*.ts
-  - src/plugins/marketplace.ts
-  - src/plugins/module-export.ts
-  - src/plugins/package-entrypoints.ts
-  - src/plugins/plugin-config-trust.ts
-  - src/plugins/plugin-origin.types.ts
-  - src/plugins/plugin-registry*.ts
-  - src/plugins/public-surface*.ts
-  - src/plugins/registry*.ts
-  - src/plugins/runtime
-  - src/plugins/runtime-state.ts
-  - src/plugins/runtime.ts
-  - src/plugins/source-loader.ts
-  - src/plugins/update.ts
-  - src/plugins/validation-diagnostics.ts
-  - src/plugin-sdk/*entry*.ts
-  - src/plugin-sdk/*facade*.ts
-  - src/plugin-sdk/api-baseline.ts
-  - src/plugin-sdk/config-schema.ts
-  - src/plugin-sdk/config-types.ts
-  - src/plugin-sdk/core.ts
-  - src/plugin-sdk/extension-shared.ts
-  - packages/plugin-package-contract/src
-  - packages/plugin-sdk/src/plugin-entry.ts
-  - packages/plugin-sdk/src/plugin-runtime.ts
-  - packages/plugin-sdk/src/runtime-env.ts
-  - packages/plugin-sdk/src/security-runtime.ts
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.spec.ts"
-  - "**/*.spec.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-provider-runtime-boundary-critical-quality.yml

@@ -1,44 +0,0 @@
-name: openclaw-codeql-provider-runtime-boundary-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - src/model-catalog
-  - src/plugins/provider-*.ts
-  - src/plugins/providers*.ts
-  - src/plugins/*provider*.ts
-  - src/plugins/capability-provider-runtime.ts
-  - src/plugins/compaction-provider.ts
-  - src/plugins/memory-embedding-provider*.ts
-  - src/plugins/memory-embedding-providers*.ts
-  - src/plugins/migration-provider-runtime.ts
-  - src/plugins/synthetic-auth.runtime.ts
-  - src/plugins/web-fetch-providers*.ts
-  - src/plugins/web-search-providers*.ts
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-session-diagnostics-boundary-critical-quality.yml

@@ -1,48 +0,0 @@
-name: openclaw-codeql-session-diagnostics-boundary-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - src/auto-reply/reply/queue
-  - src/auto-reply/reply/post-compaction-context.ts
-  - src/auto-reply/reply/startup-context.ts
-  - src/infra/diagnostic-*.ts
-  - src/infra/diagnostics-timeline.ts
-  - src/infra/session-delivery-queue*.ts
-  - src/infra/outbound/base-session-key.ts
-  - src/infra/outbound/delivery-queue*.ts
-  - src/infra/outbound/outbound-session.ts
-  - src/infra/outbound/session-binding*.ts
-  - src/infra/outbound/session-context.ts
-  - src/infra/outbound/targets-session.ts
-  - src/logging/diagnostic*.ts
-  - src/commands/doctor-session-*.ts
-  - src/commands/session-store-targets.ts
-  - src/commands/sessions*.ts
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-ui-control-plane-critical-quality.yml

@@ -1,36 +0,0 @@
-name: openclaw-codeql-ui-control-plane-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - ui/src/main.ts
-  - ui/src/local-storage.ts
-  - ui/src/ui
-  - src/tasks/task-registry-control*.ts
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/codeql-web-media-runtime-boundary-critical-quality.yml

@@ -1,39 +0,0 @@
-name: openclaw-codeql-web-media-runtime-boundary-critical-quality
-
-disable-default-queries: true
-
-queries:
-  - uses: security-and-quality
-
-query-filters:
-  - include:
-      problem.severity:
-        - error
-  - exclude:
-      tags:
-        - security
-
-paths:
-  - src/web-fetch
-  - src/web-search
-  - src/web/provider-runtime-shared.ts
-  - src/media
-  - src/media-understanding
-  - src/image-generation
-  - src/media-generation
-
-paths-ignore:
-  - "**/node_modules"
-  - "**/coverage"
-  - "**/*.generated.ts"
-  - "**/*.bundle.js"
-  - "**/*-runtime.js"
-  - "**/*.test.ts"
-  - "**/*.test.tsx"
-  - "**/*.e2e.test.ts"
-  - "**/*.e2e.test.tsx"
-  - "**/*test-support*"
-  - "**/*test-helper*"
-  - "**/*mock*"
-  - "**/*fixture*"
-  - "**/*bench*"

.github/codeql/openclaw-boundary/codeql-pack.lock.yml

@@ -1,30 +0,0 @@
----
-lockVersion: 1.0.0
-dependencies:
-  codeql/concepts:
-    version: 0.0.22
-  codeql/controlflow:
-    version: 2.0.32
-  codeql/dataflow:
-    version: 2.1.4
-  codeql/javascript-all:
-    version: 2.6.28
-  codeql/mad:
-    version: 1.0.48
-  codeql/regex:
-    version: 1.0.48
-  codeql/ssa:
-    version: 2.0.24
-  codeql/threat-models:
-    version: 1.0.48
-  codeql/tutorial:
-    version: 1.0.48
-  codeql/typetracking:
-    version: 2.0.32
-  codeql/util:
-    version: 2.0.35
-  codeql/xml:
-    version: 1.0.48
-  codeql/yaml:
-    version: 1.0.48
-compiled: false

.github/codeql/openclaw-boundary/qlpack.yml

@@ -1,6 +0,0 @@
-name: openclaw/codeql-boundary-queries
-version: 0.0.0
-library: false
-dependencies:
-  codeql/javascript-all: 2.6.28
-extractor: javascript

.github/codeql/openclaw-boundary/queries/managed-proxy-runtime-mutation.ql

@@ -1,325 +0,0 @@
-/**
- * @name Managed proxy runtime mutation
- * @description Proxy-related process.env and GLOBAL_AGENT runtime mutations must stay in managed proxy owner scopes.
- * @kind problem
- * @problem.severity error
- * @precision high
- * @id js/openclaw/managed-proxy-runtime-mutation
- * @tags maintainability
- *       security
- *       external/cwe/cwe-441
- */
-
-import javascript
-
-predicate forbiddenEnvKey(string key) {
-  key =
-    [
-      "HTTP_PROXY",
-      "HTTPS_PROXY",
-      "http_proxy",
-      "https_proxy",
-      "NO_PROXY",
-      "no_proxy",
-      "GLOBAL_AGENT_HTTP_PROXY",
-      "GLOBAL_AGENT_HTTPS_PROXY",
-      "GLOBAL_AGENT_NO_PROXY",
-      "GLOBAL_AGENT_FORCE_GLOBAL_AGENT",
-      "OPENCLAW_PROXY_ACTIVE",
-      "OPENCLAW_PROXY_LOOPBACK_MODE"
-    ]
-}
-
-predicate forbiddenGlobalAgentKey(string key) { key = ["HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY"] }
-
-predicate relevantSourceFile(File file) {
-  exists(string path |
-    path = file.getRelativePath() and
-    path.regexpMatch("^(src|extensions)/.*\\.(ts|mts|js|mjs)$") and
-    not path.regexpMatch(".*\\.(test|spec)\\.(ts|mts|js|mjs)$") and
-    not path.regexpMatch(".*\\.(test-utils|test-harness|e2e-harness)\\.ts$") and
-    not path.regexpMatch(".*/test-support/.*") and
-    not path.regexpMatch(".*/vendor/.*") and
-    not path.regexpMatch(".*\\.min\\.js$") and
-    not path.regexpMatch("^extensions/diffs/assets/.*")
-  )
-}
-
-predicate namedExpr(Expr expr, string name) {
-  expr.getUnderlyingValue().(Identifier).getName() = name
-}
-
-predicate directProcessEnvExpr(Expr expr) {
-  exists(PropAccess access |
-    expr.getUnderlyingValue() = access and
-    access.getPropertyName() = "env" and
-    namedExpr(access.getBase(), "process")
-  )
-}
-
-predicate envAlias(Variable variable) {
-  exists(VariableDeclarator decl |
-    decl.getBindingPattern().getAVariable() = variable and
-    directProcessEnvExpr(decl.getInit())
-  )
-  or
-  exists(VariableDeclarator decl, ObjectPattern pattern, PropertyPattern property |
-    decl.getBindingPattern() = pattern and
-    namedExpr(decl.getInit(), "process") and
-    property = pattern.getAPropertyPattern() and
-    property.getName() = "env" and
-    property.getValuePattern().(BindingPattern).getAVariable() = variable
-  )
-}
-
-predicate processEnvExpr(Expr expr) {
-  directProcessEnvExpr(expr)
-  or
-  exists(VarAccess access |
-    expr.getUnderlyingValue() = access and
-    envAlias(access.getVariable())
-  )
-}
-
-predicate stringConst(Variable variable, string value) {
-  exists(VariableDeclarator decl |
-    decl.getBindingPattern().getAVariable() = variable and
-    value = decl.getInit().getStringValue()
-  )
-}
-
-predicate stringArrayContains(Variable variable, string value) {
-  exists(VariableDeclarator decl, ArrayExpr array, Expr element |
-    decl.getBindingPattern().getAVariable() = variable and
-    decl.getInit().getUnderlyingValue() = array and
-    element = array.getAnElement().getUnderlyingValue() and
-    value = element.getStringValue()
-  )
-  or
-  exists(VariableDeclarator decl, ArrayExpr array, SpreadElement spread, VarAccess access |
-    decl.getBindingPattern().getAVariable() = variable and
-    decl.getInit().getUnderlyingValue() = array and
-    spread = array.getAnElement().getUnderlyingValue() and
-    spread.getOperand().getUnderlyingValue() = access and
-    stringArrayContains(access.getVariable(), value)
-  )
-}
-
-predicate forbiddenEnvLoopVariable(Variable variable) {
-  exists(ForOfStmt loop, VarAccess domain, string key |
-    variable = loop.getAnIterationVariable() and
-    loop.getIterationDomain().getUnderlyingValue() = domain and
-    stringArrayContains(domain.getVariable(), key) and
-    forbiddenEnvKey(key)
-  )
-}
-
-predicate envKeyExprForbidden(Expr keyExpr) {
-  forbiddenEnvKey(keyExpr.getStringValue())
-  or
-  exists(VarAccess access, string key |
-    keyExpr.getUnderlyingValue() = access and
-    stringConst(access.getVariable(), key) and
-    forbiddenEnvKey(key)
-  )
-  or
-  exists(VarAccess access |
-    keyExpr.getUnderlyingValue() = access and
-    forbiddenEnvLoopVariable(access.getVariable())
-  )
-}
-
-predicate globalAgentKeyExprForbidden(Expr keyExpr) {
-  forbiddenGlobalAgentKey(keyExpr.getStringValue())
-  or
-  exists(VarAccess access, string key |
-    keyExpr.getUnderlyingValue() = access and
-    stringConst(access.getVariable(), key) and
-    forbiddenGlobalAgentKey(key)
-  )
-}
-
-predicate directGlobalExpr(Expr expr) {
-  namedExpr(expr, "global")
-  or
-  namedExpr(expr, "globalThis")
-}
-
-predicate globalAlias(Variable variable) {
-  exists(VariableDeclarator decl |
-    decl.getBindingPattern().getAVariable() = variable and
-    directGlobalExpr(decl.getInit())
-  )
-}
-
-predicate globalExpr(Expr expr) {
-  directGlobalExpr(expr)
-  or
-  exists(VarAccess access |
-    expr.getUnderlyingValue() = access and
-    globalAlias(access.getVariable())
-  )
-}
-
-predicate directGlobalAgentExpr(Expr expr) {
-  exists(PropAccess access |
-    expr.getUnderlyingValue() = access and
-    access.getPropertyName() = "GLOBAL_AGENT" and
-    globalExpr(access.getBase())
-  )
-}
-
-predicate globalAgentAlias(Variable variable) {
-  exists(VariableDeclarator decl |
-    decl.getBindingPattern().getAVariable() = variable and
-    directGlobalAgentExpr(decl.getInit())
-  )
-}
-
-predicate globalAgentExpr(Expr expr) {
-  directGlobalAgentExpr(expr)
-  or
-  exists(VarAccess access |
-    expr.getUnderlyingValue() = access and
-    globalAgentAlias(access.getVariable())
-  )
-}
-
-predicate envMutationTarget(Expr target) {
-  exists(PropAccess access |
-    target.getUnderlyingReference() = access and
-    processEnvExpr(access.getBase()) and
-    (
-      forbiddenEnvKey(access.getPropertyName())
-      or
-      envKeyExprForbidden(access.getPropertyNameExpr())
-    )
-  )
-}
-
-predicate globalAgentMutationTarget(Expr target) {
-  globalAgentExpr(target)
-  or
-  exists(PropAccess access |
-    target.getUnderlyingReference() = access and
-    globalAgentExpr(access.getBase()) and
-    (
-      forbiddenGlobalAgentKey(access.getPropertyName())
-      or
-      globalAgentKeyExprForbidden(access.getPropertyNameExpr())
-    )
-  )
-}
-
-predicate objectPropertyWithKey(Expr expr, string key) {
-  exists(ObjectExpr object, Property property |
-    expr.getUnderlyingValue() = object and
-    property = object.getAProperty() and
-    property.getName() = key
-  )
-}
-
-Expr managedProxyRuntimeMutation() {
-  exists(Assignment assignment |
-    result = assignment and
-    (
-      envMutationTarget(assignment.getTarget())
-      or
-      globalAgentMutationTarget(assignment.getTarget())
-    )
-  )
-  or
-  exists(DeleteExpr delete |
-    result = delete and
-    (
-      envMutationTarget(delete.getOperand())
-      or
-      globalAgentMutationTarget(delete.getOperand())
-    )
-  )
-  or
-  exists(MethodCallExpr call |
-    result = call and
-    namedExpr(call.getReceiver(), "Object") and
-    call.getMethodName() = "assign" and
-    (
-      processEnvExpr(call.getArgument(0)) and
-      exists(string key |
-        forbiddenEnvKey(key) and
-        objectPropertyWithKey(call.getArgument(1), key)
-      )
-      or
-      globalAgentExpr(call.getArgument(0)) and
-      exists(string key |
-        forbiddenGlobalAgentKey(key) and
-        objectPropertyWithKey(call.getArgument(1), key)
-      )
-    )
-  )
-  or
-  exists(MethodCallExpr call |
-    result = call and
-    namedExpr(call.getReceiver(), "Object") and
-    call.getMethodName() = "defineProperty" and
-    (
-      processEnvExpr(call.getArgument(0)) and
-      envKeyExprForbidden(call.getArgument(1))
-      or
-      globalAgentExpr(call.getArgument(0)) and
-      globalAgentKeyExprForbidden(call.getArgument(1))
-    )
-  )
-}
-
-predicate allowedFunctionOwnerScope(Expr mutation, string path, string functionName) {
-  exists(Function owner |
-    mutation.getFile().getRelativePath() = path and
-    owner.getFile() = mutation.getFile() and
-    owner.getName() = functionName and
-    mutation.getParent*() = owner.getBody()
-  )
-}
-
-predicate allowedMethodOwnerScope(Expr mutation, string path, string methodName) {
-  exists(MethodDeclaration method |
-    mutation.getFile().getRelativePath() = path and
-    method.getFile() = mutation.getFile() and
-    method.getDeclaringType().getName() + "." + method.getName() = methodName and
-    mutation.getParent*() = method.getBody().getBody()
-  )
-}
-
-predicate allowedManagedProxyRuntimeMutation(Expr mutation) {
-  allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts", "applyProxyEnv")
-  or
-  allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts", "restoreProxyEnv")
-  or
-  allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
-    "restoreGlobalAgentRuntime")
-  or
-  allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
-    "restoreNodeHttpStack")
-  or
-  allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
-    "bootstrapNodeHttpStack")
-  or
-  allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
-    "writeGlobalAgentNoProxy")
-  or
-  allowedFunctionOwnerScope(mutation, "src/infra/net/proxy/proxy-lifecycle.ts",
-    "disableGlobalAgentProxyForIpv6GatewayLoopback")
-  or
-  allowedMethodOwnerScope(mutation, "extensions/browser/src/browser/cdp-proxy-bypass.ts",
-    "NoProxyLeaseManager.acquire")
-  or
-  allowedMethodOwnerScope(mutation, "extensions/browser/src/browser/cdp-proxy-bypass.ts",
-    "NoProxyLeaseManager.release")
-}
-
-from Expr mutation
-where
-  managedProxyRuntimeMutation() = mutation and
-  relevantSourceFile(mutation.getFile()) and
-  not allowedManagedProxyRuntimeMutation(mutation)
-select mutation,
-  "Only managed proxy owner scopes may mutate proxy-related process.env or GLOBAL_AGENT runtime state."

.github/codeql/openclaw-boundary/queries/raw-socket-callsite-classification.ql

@@ -1,92 +0,0 @@
-/**
- * @name Raw socket client callsite classification
- * @description Raw net/tls/http2 client egress must be classified before landing.
- * @kind problem
- * @problem.severity error
- * @precision high
- * @id js/openclaw/raw-socket-callsite-classification
- * @tags maintainability
- *       security
- *       external/cwe/cwe-441
- */
-
-import javascript
-
-predicate rawModule(string moduleName) {
-  moduleName = ["net", "node:net", "tls", "node:tls", "http2", "node:http2"]
-}
-
-predicate netModule(string moduleName) { moduleName = ["net", "node:net"] }
-
-predicate rawConnectMember(string memberName) { memberName = ["connect", "createConnection"] }
-
-predicate relevantSourceFile(File file) {
-  exists(string path |
-    path = file.getRelativePath() and
-    path.regexpMatch("^(src|extensions)/.*\\.ts$") and
-    not path.regexpMatch(".*\\.(test|spec|test-utils|test-harness|e2e-harness)\\.ts$") and
-    not path.regexpMatch(".*/test-support/.*") and
-    not path.regexpMatch("^extensions/diffs/assets/.*")
-  )
-}
-
-Expr rawSocketClientCall() {
-  exists(API::CallNode call, string moduleName, string memberName |
-    rawModule(moduleName) and
-    rawConnectMember(memberName) and
-    call = API::moduleImport(moduleName).getMember(memberName).getACall() and
-    result = call.asExpr()
-  )
-  or
-  exists(string moduleName |
-    netModule(moduleName) and
-    result =
-      DataFlow::moduleMember(moduleName, "Socket")
-          .getAnInstantiation()
-          .getAMethodCall("connect")
-          .asExpr()
-  )
-}
-
-predicate allowedOwnerScope(Expr call, string path, string functionName) {
-  exists(Function owner |
-    call.getFile().getRelativePath() = path and
-    owner.getFile() = call.getFile() and
-    owner.getName() = functionName and
-    call.getParent*() = owner.getBody()
-  )
-}
-
-predicate allowedRawSocketClientCall(Expr call) {
-  allowedOwnerScope(call, "src/cli/gateway-cli/run-loop.ts", "waitForGatewayPortReady")
-  or
-  allowedOwnerScope(call, "src/infra/ssh-tunnel.ts", "canConnectLocal")
-  or
-  allowedOwnerScope(call, "src/infra/gateway-lock.ts", "checkPortFree")
-  or
-  allowedOwnerScope(call, "src/infra/jsonl-socket.ts", "requestJsonlSocket")
-  or
-  allowedOwnerScope(call, "src/infra/net/http-connect-tunnel.ts", "connectToProxy")
-  or
-  allowedOwnerScope(call, "src/infra/net/http-connect-tunnel.ts", "startTargetTls")
-  or
-  allowedOwnerScope(call, "src/infra/push-apns-http2.ts", "openProxiedApnsHttp2Session")
-  or
-  allowedOwnerScope(call, "src/infra/push-apns-http2.ts", "connectApnsHttp2Session")
-  or
-  allowedOwnerScope(call, "src/proxy-capture/proxy-server.ts", "startDebugProxyServer")
-  or
-  allowedOwnerScope(call, "extensions/irc/src/client.ts", "connectIrcClient")
-  or
-  allowedOwnerScope(call, "extensions/qa-lab/src/lab-server-capture.ts", "probeTcpReachability")
-  or
-  allowedOwnerScope(call, "extensions/qa-lab/src/lab-server-ui.ts", "proxyUpgradeRequest")
-}
-
-from Expr call
-where
-  rawSocketClientCall() = call and
-  relevantSourceFile(call.getFile()) and
-  not allowedRawSocketClientCall(call)
-select call,
-  "Classify raw net/tls/http2 client egress as managed/proxied, local-only, diagnostic guarded, or documented unsupported before adding this callsite."

.github/codex/prompts/docs-agent.md

@@ -1,33 +0,0 @@
-# OpenClaw Docs Agent
-
-You are maintaining OpenClaw documentation after a main-branch commit.
-
-Goal: inspect the code changes and existing documentation, then update existing docs only when they are stale, incomplete, or misleading.
-
-Hard limits:
-
-- Edit existing files only.
-- Do not create new docs pages, images, assets, scripts, code files, or workflow files.
-- Do not delete or rename files.
-- Do not change production code, tests, package metadata, generated baselines, lockfiles, or CI config.
-- Keep changes minimal and factual.
-- Use "plugin/plugins" in user-facing docs/UI/changelog; `extensions/` is only the internal workspace layout.
-- Do not add a changelog entry unless the docs update describes a user-facing behavior/API change from the triggering commit.
-
-Allowed paths:
-
-- `docs/**`
-- `README.md`
-- `CHANGELOG.md`
-
-Required workflow:
-
-1. Run `pnpm docs:list` if available and read relevant docs based on `read_when` hints.
-2. Inspect the triggering event via `$GITHUB_EVENT_PATH`, then review `$DOCS_AGENT_BASE_SHA..$DOCS_AGENT_HEAD_SHA` and its changed files. If either env var is missing, fall back to the event payload.
-3. Update stale existing documentation, if needed.
-4. Run `pnpm check:docs` if dependencies are available.
-5. Leave the worktree clean if no docs need changes.
-
-If `pnpm docs:check-mdx` or `pnpm check:docs` reports MDX parse errors, fix only the syntax needed for the listed existing docs files. Preserve prose meaning, frontmatter, code fences, and links; do not broadly rewrite translated or source content while repairing parser failures.
-
-When uncertain, prefer no edit and explain the uncertainty in the final message.

.github/codex/prompts/docs-mdx-repair.md

@@ -1,25 +0,0 @@
-# OpenClaw Docs MDX Repair Agent
-
-You are repairing generated OpenClaw documentation after a fast MDX validation failure.
-
-Goal: fix only the MDX syntax errors reported by the checker.
-
-Hard limits:
-
-- Edit only existing Markdown/MDX files under the locale path named by `LOCALE`.
-- Do not edit source English docs unless `LOCALE=en`.
-- Do not edit code, workflows, package metadata, generated sync metadata, translation memory, or assets.
-- Do not add, delete, or rename files.
-- Preserve the meaning of translated prose.
-- Preserve frontmatter, `x-i18n.source_hash`, links, code fences, JSX component names, and existing page structure.
-- Avoid broad formatting or retranslation.
-
-Required workflow:
-
-1. Read `.openclaw-sync/mdx/${LOCALE}.json` when it exists.
-2. Inspect only the listed files and nearby lines.
-3. Fix the minimal syntax issue, such as broken JSX attribute quoting, mismatched component closing tags, raw `<` text, raw HTML comments, or accidental top-level `import`/`export` text.
-4. Run `node source/scripts/check-docs-mdx.mjs "docs/${LOCALE}" --json-out ".openclaw-sync/mdx/${LOCALE}.json"`.
-5. Leave no changes outside `docs/${LOCALE}`.
-
-When uncertain, prefer the smallest escaping fix: backticks for literal words, `&lt;` for literal `<`, double quotes around JSX attribute values, and balanced component tags.

.github/codex/prompts/test-performance-agent.md

@@ -1,44 +0,0 @@
-# OpenClaw Test Performance Agent
-
-You are maintaining OpenClaw test performance after a trusted main-branch CI run.
-
-Goal: inspect the full-suite test performance report, then make small, coverage-preserving improvements to slow tests when the fix is clear. If the baseline report shows failing tests and the fix is obvious, fix those too.
-
-Inputs:
-
-- Baseline grouped report: `.artifacts/test-perf/baseline-before.json`
-- Per-config Vitest JSON reports: `.artifacts/test-perf/baseline-before/vitest-json/`
-- Per-config logs: `.artifacts/test-perf/baseline-before/logs/`
-
-Hard limits:
-
-- Preserve test coverage and behavioral intent.
-- Do not delete, skip, weaken, or narrow test cases to make the suite faster.
-- Do not add `test.skip`, `it.skip`, `describe.skip`, `test.only`, `it.only`, or `describe.only`.
-- Do not update snapshots, generated baselines, inventories, ignore files, lockfiles, package metadata, CI workflows, or release metadata.
-- Do not add dependencies.
-- Do not create, delete, or rename files.
-- Do not do broad refactors or style-only rewrites.
-- Keep changes minimal and focused on the slow or failing tests you can justify from the report.
-- Prefer no edit when a performance improvement is speculative.
-- If `.artifacts/test-perf/baseline-before.json` has `"failed": true`, do not make performance-only edits. First inspect the failed config logs. Edit only when the test failure has an obvious, coverage-preserving fix. If no obvious failure fix exists, leave the worktree clean.
-
-Good fixes:
-
-- Replace broad partial module mocks, especially `importOriginal()` mocks, with narrow injected dependencies or local runtime seams.
-- Avoid importing heavy barrels in hot tests when a narrow module or helper covers the same behavior.
-- Add or adjust a production lazy/injection seam only when that is the narrowest way to preserve coverage while removing expensive imports or fixing an obvious mock/import failure.
-- Move expensive setup from per-test hooks to shared setup only when state isolation remains correct.
-- Reuse existing fixtures/builders instead of recreating expensive work per case.
-- Mock expensive runtime boundaries directly: filesystem crawls, package registries, provider SDKs, network/process launch, browser/runtime scanners.
-- Keep one integration smoke per boundary and test pure helpers directly, but only when the same behavior remains covered.
-
-Required workflow:
-
-1. Run `pnpm docs:list` if available, then read `docs/reference/test.md` and `docs/help/testing.md` sections about test performance.
-2. Inspect `.artifacts/test-perf/baseline-before.json`. If `failed` is true, inspect the failed config logs before looking at slow files.
-3. Pick at most a few low-risk files. When baseline failed, pick only files needed for the obvious failure fix; otherwise focus on the slowest files/configs. Explain the coverage-preserving reason in comments only if the code would otherwise be unclear.
-4. Run targeted tests for changed files where possible. Use `pnpm test <path>` and optionally `pnpm test:perf:imports <path>`.
-5. Leave the worktree clean if no safe improvement exists.
-
-When uncertain, make no edit and explain the uncertainty in the final message.

.github/dependabot.yml

@@ -29,7 +29,7 @@ updates:
         update-types:
           - minor
           - patch
-    open-pull-requests-limit: 20
+    open-pull-requests-limit: 10
     registries:
       - npm-npmjs
 
@@ -83,7 +83,7 @@ updates:
 
   # Swift Package Manager - Swabble
   - package-ecosystem: swift
-    directory: /apps/swabble
+    directory: /Swabble
     schedule:
       interval: daily
     cooldown:

.github/images/live-media-runner/Dockerfile

@@ -1,16 +0,0 @@
-FROM ubuntu:24.04
-
-ENV DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update \
-  && apt-get install -y --no-install-recommends \
-    bash \
-    ca-certificates \
-    curl \
-    ffmpeg \
-    git \
-    openssh-client \
-    unzip \
-    xz-utils \
-    zstd \
-  && rm -rf /var/lib/apt/lists/*

.github/labeler.yml

@@ -1,15 +1,8 @@
-"plugin: azure-speech":
+"channel: bluebubbles":
   - changed-files:
       - any-glob-to-any-file:
-          - "extensions/azure-speech/**"
-          - "docs/providers/azure-speech.md"
-          - "docs/tools/tts.md"
-"plugin: file-transfer":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/file-transfer/**"
-          - "docs/nodes/index.md"
-          - "docs/plugins/sdk-runtime.md"
+          - "extensions/bluebubbles/**"
+          - "docs/channels/bluebubbles.md"
 "channel: discord":
   - changed-files:
       - any-glob-to-any-file:
@@ -31,27 +24,6 @@
       - any-glob-to-any-file:
           - "extensions/googlechat/**"
           - "docs/channels/googlechat.md"
-"plugin: google-meet":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/google-meet/**"
-          - "docs/plugins/google-meet.md"
-"plugin: migrate-hermes":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/migrate-hermes/**"
-          - "docs/cli/migrate.md"
-"plugin: migrate-claude":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/migrate-claude/**"
-          - "docs/cli/migrate.md"
-          - "docs/install/migrating-claude.md"
-"plugin: bonjour":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/bonjour/**"
-          - "docs/gateway/bonjour.md"
 "channel: imessage":
   - changed-files:
       - any-glob-to-any-file:
@@ -113,11 +85,6 @@
       - any-glob-to-any-file:
           - "extensions/slack/**"
           - "docs/channels/slack.md"
-"channel: synology-chat":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/synology-chat/**"
-          - "docs/channels/synology-chat.md"
 "channel: telegram":
   - changed-files:
       - any-glob-to-any-file:
@@ -190,6 +157,7 @@
   - changed-files:
       - any-glob-to-any-file:
           - "docs/**"
+          - "docs.acp.md"
 
 "cli":
   - changed-files:
@@ -212,10 +180,10 @@
           - "Dockerfile"
           - "Dockerfile.*"
           - "docker-compose.yml"
+          - "docker-setup.sh"
+          - "setup-podman.sh"
           - ".dockerignore"
-          - "deploy/fly.private.toml"
           - "scripts/docker/setup.sh"
-          - "scripts/docker/sandbox/Dockerfile*"
           - "scripts/podman/setup.sh"
           - "scripts/**/*docker*"
           - "scripts/**/Dockerfile*"
@@ -238,11 +206,8 @@
 "security":
   - changed-files:
       - any-glob-to-any-file:
-          - ".github/workflows/opengrep-*.yml"
-          - ".semgrepignore"
           - "docs/cli/security.md"
           - "docs/gateway/security.md"
-          - "security/**"
 
 "extensions: copilot-proxy":
   - changed-files:
@@ -252,10 +217,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/diagnostics-otel/**"
-"extensions: diagnostics-prometheus":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/diagnostics-prometheus/**"
 "extensions: llm-task":
   - changed-files:
       - any-glob-to-any-file:
@@ -276,10 +237,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/memory-wiki/**"
-"extensions: oc-path":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/oc-path/**"
 "extensions: open-prose":
   - changed-files:
       - any-glob-to-any-file:
@@ -312,20 +269,10 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/byteplus/**"
-"extensions: cerebras":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/cerebras/**"
-          - "docs/providers/cerebras.md"
 "extensions: deepseek":
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/deepseek/**"
-"extensions: deepinfra":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/deepinfra/**"
-          - "docs/providers/deepinfra.md"
 "extensions: tencent":
   - changed-files:
       - any-glob-to-any-file:
@@ -350,11 +297,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/huggingface/**"
-"extensions: inworld":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/inworld/**"
-          - "docs/providers/inworld.md"
 "extensions: kilocode":
   - changed-files:
       - any-glob-to-any-file:
@@ -363,11 +305,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/lmstudio/**"
-"extensions: litellm":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/litellm/**"
-          - "docs/providers/litellm.md"
 "extensions: openai":
   - changed-files:
       - any-glob-to-any-file:
@@ -404,11 +341,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/qianfan/**"
-"extensions: senseaudio":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/senseaudio/**"
-          - "docs/providers/senseaudio.md"
 "extensions: synthetic":
   - changed-files:
       - any-glob-to-any-file:
@@ -425,11 +357,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/together/**"
-"extensions: tts-local-cli":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/tts-local-cli/**"
-          - "docs/tools/tts.md"
 "extensions: venice":
   - changed-files:
       - any-glob-to-any-file:
@@ -450,7 +377,3 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/fal/**"
-"extensions: gradium":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/gradium/**"

.github/pull_request_template.md

@@ -35,18 +35,6 @@ If this PR fixes a plugin beta-release blocker, title it `fix(<plugin-id>): beta
 - Related #
 - [ ] This PR fixes a bug or regression
 
-## Real behavior proof (required for external PRs)
-
-External contributors must show after-fix evidence from a real OpenClaw setup. Unit tests, mocks, lint, typechecks, snapshots, and CI are supplemental only. Screenshots are encouraged even for CLI, console, text, or log changes; terminal screenshots and copied live output count. Be mindful of private information like IP addresses, API keys, phone numbers, non-public endpoints, or other private details when providing evidence.
-
-- Behavior or issue addressed:
-- Real environment tested:
-- Exact steps or command run after this patch:
-- Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output):
-- Observed result after fix:
-- What was not tested:
-- Before evidence (optional but encouraged):
-
 ## Root Cause (if applicable)
 
 For bug fixes or regressions, explain why this happened, not just what changed. Otherwise write `N/A`. If the cause is unclear, write `Unknown`.

.github/workflows/auto-response.yml

@@ -5,8 +5,8 @@ on:
     types: [opened, edited, labeled]
   issue_comment:
     types: [created]
-  pull_request_target: # zizmor: ignore[dangerous-triggers] maintainer-owned label automation; trusted base checkout only, no untrusted PR code execution
-    types: [opened, edited, synchronize, reopened, labeled, unlabeled]
+  pull_request_target: # zizmor: ignore[dangerous-triggers] maintainer-owned label automation; no untrusted checkout or code execution
+    types: [labeled]
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
@@ -20,15 +20,10 @@ permissions: {}
 jobs:
   auto-response:
     permissions:
-      contents: read
       issues: write
       pull-requests: write
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v6
-        with:
-          ref: ${{ github.sha }}
-          persist-credentials: false
       - uses: actions/create-github-app-token@v3
         id: app-token
         continue-on-error: true
@@ -41,15 +36,499 @@ jobs:
         with:
           app-id: "2971289"
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
-      - name: Run Barnacle auto-response
+      - name: Handle labeled items
         uses: actions/github-script@v9
         with:
           github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
           script: |
-            const { pathToFileURL } = require("node:url");
-            const moduleUrl = pathToFileURL(
-              `${process.env.GITHUB_WORKSPACE}/scripts/github/barnacle-auto-response.mjs`,
-            );
-            const { runBarnacleAutoResponse } = await import(moduleUrl.href);
+            // Labels prefixed with "r:" are auto-response triggers.
+            const activePrLimit = 10;
+            const rules = [
+              {
+                label: "r: skill",
+                close: true,
+                message:
+                  "Thanks for the contribution! New skills should be published to [Clawhub](https://clawhub.ai) for everyone to use. We’re keeping the core lean on skills, so I’m closing this out.",
+              },
+              {
+                label: "r: support",
+                close: true,
+                message:
+                  "Please use [our support server](https://discord.gg/clawd) and ask in #help or #users-helping-users to resolve this, or follow the stuck FAQ at https://docs.openclaw.ai/help/faq#im-stuck-whats-the-fastest-way-to-get-unstuck.",
+              },
+              {
+                label: "r: no-ci-pr",
+                close: true,
+                message:
+                  "Please don't make PRs for test failures on main.\n\n" +
+                  "The team is aware of those and will handle them directly on the codebase, not only fixing the tests but also investigating what the root cause is. Having to sift through test-fix-PRs (including some that have been out of date for weeks...) on top of that doesn't help. There are already way too many PRs for humans to manage; please don't make the flood worse.\n\n" +
+                  "Thank you.",
+              },
+              {
+                label: "r: too-many-prs",
+                close: true,
+                message:
+                  `Closing this PR because the author has more than ${activePrLimit} active PRs in this repo. ` +
+                  "Please reduce the active PR queue and reopen or resubmit once it is back under the limit. You can close your own PRs to get back under the limit.",
+              },
+              {
+                label: "r: testflight",
+                close: true,
+                commentTriggers: ["testflight"],
+                message: "Not available, build from source.",
+              },
+              {
+                label: "r: third-party-extension",
+                close: true,
+                message:
+                  "Please make this as a third-party plugin that you maintain yourself in your own repo. Docs: https://docs.openclaw.ai/plugin. Feel free to open a PR after to add it to our community plugins page: https://docs.openclaw.ai/plugins/community",
+              },
+              {
+                label: "r: moltbook",
+                close: true,
+                lock: true,
+                lockReason: "off-topic",
+                commentTriggers: ["moltbook"],
+                message:
+                  "OpenClaw is not affiliated with Moltbook, and issues related to Moltbook should not be submitted here.",
+              },
+            ];
 
-            await runBarnacleAutoResponse({ github, context, core });
+            const maintainerTeam = "maintainer";
+            const pingWarningMessage =
+              "Please don’t spam-ping multiple maintainers at once. Be patient, or join our community Discord for help: https://discord.gg/clawd";
+            const mentionRegex = /@([A-Za-z0-9-]+)/g;
+            const maintainerCache = new Map();
+            const normalizeLogin = (login) => login.toLowerCase();
+            const bugSubtypeLabelSpecs = {
+              regression: {
+                color: "D93F0B",
+                description: "Behavior that previously worked and now fails",
+              },
+              "bug:crash": {
+                color: "B60205",
+                description: "Process/app exits unexpectedly or hangs",
+              },
+              "bug:behavior": {
+                color: "D73A4A",
+                description: "Incorrect behavior without a crash",
+              },
+            };
+            const bugTypeToLabel = {
+              "Regression (worked before, now fails)": "regression",
+              "Crash (process/app exits or hangs)": "bug:crash",
+              "Behavior bug (incorrect output/state without crash)": "bug:behavior",
+            };
+            const bugSubtypeLabels = Object.keys(bugSubtypeLabelSpecs);
+
+            const extractIssueFormValue = (body, field) => {
+              if (!body) {
+                return "";
+              }
+              const escapedField = field.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+              const regex = new RegExp(
+                `(?:^|\\n)###\\s+${escapedField}\\s*\\n([\\s\\S]*?)(?=\\n###\\s+|$)`,
+                "i",
+              );
+              const match = body.match(regex);
+              if (!match) {
+                return "";
+              }
+              for (const line of match[1].split("\n")) {
+                const trimmed = line.trim();
+                if (trimmed) {
+                  return trimmed;
+                }
+              }
+              return "";
+            };
+
+            const ensureLabelExists = async (name, color, description) => {
+              try {
+                await github.rest.issues.getLabel({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  name,
+                });
+              } catch (error) {
+                if (error?.status !== 404) {
+                  throw error;
+                }
+                await github.rest.issues.createLabel({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  name,
+                  color,
+                  description,
+                });
+              }
+            };
+
+            const syncBugSubtypeLabel = async (issue, labelSet) => {
+              if (!labelSet.has("bug")) {
+                return;
+              }
+
+              const selectedBugType = extractIssueFormValue(issue.body ?? "", "Bug type");
+              const targetLabel = bugTypeToLabel[selectedBugType];
+              if (!targetLabel) {
+                return;
+              }
+
+              const targetSpec = bugSubtypeLabelSpecs[targetLabel];
+              await ensureLabelExists(targetLabel, targetSpec.color, targetSpec.description);
+
+              for (const subtypeLabel of bugSubtypeLabels) {
+                if (subtypeLabel === targetLabel) {
+                  continue;
+                }
+                if (!labelSet.has(subtypeLabel)) {
+                  continue;
+                }
+                try {
+                  await github.rest.issues.removeLabel({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    issue_number: issue.number,
+                    name: subtypeLabel,
+                  });
+                  labelSet.delete(subtypeLabel);
+                } catch (error) {
+                  if (error?.status !== 404) {
+                    throw error;
+                  }
+                }
+              }
+
+              if (!labelSet.has(targetLabel)) {
+                await github.rest.issues.addLabels({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: issue.number,
+                  labels: [targetLabel],
+                });
+                labelSet.add(targetLabel);
+              }
+            };
+
+            const isMaintainer = async (login) => {
+              if (!login) {
+                return false;
+              }
+              const normalized = normalizeLogin(login);
+              if (maintainerCache.has(normalized)) {
+                return maintainerCache.get(normalized);
+              }
+              let isMember = false;
+              try {
+                const membership = await github.rest.teams.getMembershipForUserInOrg({
+                  org: context.repo.owner,
+                  team_slug: maintainerTeam,
+                  username: normalized,
+                });
+                isMember = membership?.data?.state === "active";
+              } catch (error) {
+                if (error?.status !== 404) {
+                  throw error;
+                }
+              }
+              maintainerCache.set(normalized, isMember);
+              return isMember;
+            };
+
+            const countMaintainerMentions = async (body, authorLogin) => {
+              if (!body) {
+                return 0;
+              }
+              const normalizedAuthor = authorLogin ? normalizeLogin(authorLogin) : "";
+              if (normalizedAuthor && (await isMaintainer(normalizedAuthor))) {
+                return 0;
+              }
+
+              const haystack = body.toLowerCase();
+              const teamMention = `@${context.repo.owner.toLowerCase()}/${maintainerTeam}`;
+              if (haystack.includes(teamMention)) {
+                return 3;
+              }
+
+              const mentions = new Set();
+              for (const match of body.matchAll(mentionRegex)) {
+                mentions.add(normalizeLogin(match[1]));
+              }
+              if (normalizedAuthor) {
+                mentions.delete(normalizedAuthor);
+              }
+
+              let count = 0;
+              for (const login of mentions) {
+                if (await isMaintainer(login)) {
+                  count += 1;
+                }
+              }
+              return count;
+            };
+
+            const triggerLabel = "trigger-response";
+            const activePrLimitLabel = "r: too-many-prs";
+            const activePrLimitOverrideLabel = "r: too-many-prs-override";
+            const target = context.payload.issue ?? context.payload.pull_request;
+            if (!target) {
+              return;
+            }
+
+            const labelSet = new Set(
+              (target.labels ?? [])
+                .map((label) => (typeof label === "string" ? label : label?.name))
+                .filter((name) => typeof name === "string"),
+            );
+
+            const issue = context.payload.issue;
+            const pullRequest = context.payload.pull_request;
+            const comment = context.payload.comment;
+            if (comment) {
+              const authorLogin = comment.user?.login ?? "";
+              if (comment.user?.type === "Bot" || authorLogin.endsWith("[bot]")) {
+                return;
+              }
+
+              const commentBody = comment.body ?? "";
+              const responses = [];
+              const mentionCount = await countMaintainerMentions(commentBody, authorLogin);
+              if (mentionCount >= 3) {
+                responses.push(pingWarningMessage);
+              }
+
+              const commentHaystack = commentBody.toLowerCase();
+              const commentRule = rules.find((item) =>
+                (item.commentTriggers ?? []).some((trigger) =>
+                  commentHaystack.includes(trigger),
+                ),
+              );
+              if (commentRule) {
+                responses.push(commentRule.message);
+              }
+
+              if (responses.length > 0) {
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: target.number,
+                  body: responses.join("\n\n"),
+                });
+              }
+              return;
+            }
+
+            if (issue) {
+              const action = context.payload.action;
+              if (action === "opened" || action === "edited") {
+                const issueText = `${issue.title ?? ""}\n${issue.body ?? ""}`.trim();
+                const authorLogin = issue.user?.login ?? "";
+                const mentionCount = await countMaintainerMentions(
+                  issueText,
+                  authorLogin,
+                );
+                if (mentionCount >= 3) {
+                  await github.rest.issues.createComment({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    issue_number: issue.number,
+                    body: pingWarningMessage,
+                  });
+                }
+
+                await syncBugSubtypeLabel(issue, labelSet);
+              }
+            }
+
+            const hasTriggerLabel = labelSet.has(triggerLabel);
+            if (hasTriggerLabel) {
+              labelSet.delete(triggerLabel);
+              try {
+                await github.rest.issues.removeLabel({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: target.number,
+                  name: triggerLabel,
+                });
+              } catch (error) {
+                if (error?.status !== 404) {
+                  throw error;
+                }
+              }
+            }
+
+            const isLabelEvent = context.payload.action === "labeled";
+            if (!hasTriggerLabel && !isLabelEvent) {
+              return;
+            }
+
+            if (issue) {
+              const title = issue.title ?? "";
+              const body = issue.body ?? "";
+              const haystack = `${title}\n${body}`.toLowerCase();
+              const hasMoltbookLabel = labelSet.has("r: moltbook");
+              const hasTestflightLabel = labelSet.has("r: testflight");
+              const hasSecurityLabel = labelSet.has("security");
+              if (title.toLowerCase().includes("security") && !hasSecurityLabel) {
+                await github.rest.issues.addLabels({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: issue.number,
+                  labels: ["security"],
+                });
+                labelSet.add("security");
+              }
+              if (title.toLowerCase().includes("testflight") && !hasTestflightLabel) {
+                await github.rest.issues.addLabels({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: issue.number,
+                  labels: ["r: testflight"],
+                });
+                labelSet.add("r: testflight");
+              }
+              if (haystack.includes("moltbook") && !hasMoltbookLabel) {
+                await github.rest.issues.addLabels({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: issue.number,
+                  labels: ["r: moltbook"],
+                });
+                labelSet.add("r: moltbook");
+              }
+            }
+
+            const invalidLabel = "invalid";
+            const spamLabel = "r: spam";
+            const dirtyLabel = "dirty";
+            const badBarnacleLabel = "bad-barnacle";
+            const noisyPrMessage =
+              "Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.";
+
+            if (pullRequest) {
+              if (labelSet.has(badBarnacleLabel)) {
+                core.info(`Skipping PR auto-response checks for #${pullRequest.number} because ${badBarnacleLabel} is present.`);
+                return;
+              }
+
+              if (labelSet.has(dirtyLabel)) {
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pullRequest.number,
+                  body: noisyPrMessage,
+                });
+                await github.rest.issues.update({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pullRequest.number,
+                  state: "closed",
+                });
+                return;
+              }
+              const labelCount = labelSet.size;
+              if (labelCount > 20) {
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pullRequest.number,
+                  body: noisyPrMessage,
+                });
+                await github.rest.issues.update({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pullRequest.number,
+                  state: "closed",
+                });
+                return;
+              }
+              if (labelSet.has(spamLabel)) {
+                await github.rest.issues.update({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pullRequest.number,
+                  state: "closed",
+                });
+                await github.rest.issues.lock({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pullRequest.number,
+                  lock_reason: "spam",
+                });
+                return;
+              }
+              if (labelSet.has(invalidLabel)) {
+                await github.rest.issues.update({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pullRequest.number,
+                  state: "closed",
+                });
+                return;
+              }
+            }
+
+            if (issue && labelSet.has(spamLabel)) {
+              await github.rest.issues.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issue.number,
+                state: "closed",
+                state_reason: "not_planned",
+              });
+              await github.rest.issues.lock({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issue.number,
+                lock_reason: "spam",
+              });
+              return;
+            }
+
+            if (issue && labelSet.has(invalidLabel)) {
+              await github.rest.issues.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issue.number,
+                state: "closed",
+                state_reason: "not_planned",
+              });
+              return;
+            }
+
+            if (pullRequest && labelSet.has(activePrLimitOverrideLabel)) {
+              labelSet.delete(activePrLimitLabel);
+            }
+
+            const rule = rules.find((item) => labelSet.has(item.label));
+            if (!rule) {
+              return;
+            }
+
+            const issueNumber = target.number;
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issueNumber,
+              body: rule.message,
+            });
+
+            if (rule.close) {
+              await github.rest.issues.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issueNumber,
+                state: "closed",
+              });
+            }
+
+            if (rule.lock) {
+              await github.rest.issues.lock({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issueNumber,
+                lock_reason: rule.lockReason ?? "resolved",
+              });
+            }

.github/workflows/ci-build-artifacts-testbox.yml

@@ -1,227 +0,0 @@
-name: Blacksmith Build Artifacts Testbox
-
-on:
-  workflow_dispatch:
-    inputs:
-      testbox_id:
-        type: string
-        description: "Testbox session ID"
-        required: true
-  pull_request:
-    paths:
-      - ".github/workflows/**"
-
-permissions:
-  contents: read
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-jobs:
-  build-artifacts:
-    if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }}
-    permissions:
-      contents: read
-    name: "build-artifacts"
-    runs-on: blacksmith-8vcpu-ubuntu-2404
-    timeout-minutes: 35
-    steps:
-      - name: Begin Testbox
-        uses: useblacksmith/begin-testbox@d0e04585c26905fdd92c94a09c159544c7ee1b67
-        with:
-          testbox_id: ${{ inputs.testbox_id }}
-
-      - name: Checkout
-        shell: bash
-        env:
-          CHECKOUT_REPO: ${{ github.repository }}
-          CHECKOUT_SHA: ${{ github.sha }}
-          CHECKOUT_TOKEN: ${{ github.token }}
-        run: |
-          set -euo pipefail
-
-          workdir="$GITHUB_WORKSPACE"
-          auth_header="$(printf 'x-access-token:%s' "$CHECKOUT_TOKEN" | base64 | tr -d '\n')"
-
-          reset_checkout_dir() {
-            mkdir -p "$workdir"
-            find "$workdir" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
-          }
-
-          checkout_attempt() {
-            local attempt="$1"
-
-            reset_checkout_dir
-            git init "$workdir" >/dev/null
-            git config --global --add safe.directory "$workdir"
-            git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}"
-            git -C "$workdir" config gc.auto 0
-
-            timeout --signal=TERM 30s git -C "$workdir" \
-              -c protocol.version=2 \
-              -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${auth_header}" \
-              fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
-              "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
-
-            git -C "$workdir" checkout --force --detach "$CHECKOUT_SHA" || return 1
-            test -f "$workdir/.github/actions/setup-node-env/action.yml" || return 1
-            echo "checkout attempt ${attempt}/5 succeeded"
-          }
-
-          for attempt in 1 2 3 4 5; do
-            if checkout_attempt "$attempt"; then
-              exit 0
-            fi
-            echo "checkout attempt ${attempt}/5 failed"
-            sleep $((attempt * 5))
-          done
-
-          echo "checkout failed after 5 attempts" >&2
-          exit 1
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Resolve release dist cache seeds
-        id: dist-cache-seeds
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          cache_prefix="${RUNNER_OS}-dist-build-"
-          declare -A seen=()
-
-          resolve_tag_sha() {
-            local tag="$1"
-            local direct=""
-            local peeled=""
-
-            while read -r sha ref; do
-              if [[ "$ref" == "refs/tags/${tag}^{}" ]]; then
-                peeled="$sha"
-              elif [[ "$ref" == "refs/tags/${tag}" ]]; then
-                direct="$sha"
-              fi
-            done < <(git ls-remote --tags origin "refs/tags/${tag}" "refs/tags/${tag}^{}")
-
-            printf '%s\n' "${peeled:-$direct}"
-          }
-
-          {
-            echo "restore-keys<<EOF"
-            for dist_tag in beta latest; do
-              version="$(npm view "openclaw@${dist_tag}" version 2>/dev/null || true)"
-              if [[ -z "$version" ]]; then
-                echo "Could not resolve npm dist-tag ${dist_tag}; skipping cache seed." >&2
-                continue
-              fi
-
-              sha="$(resolve_tag_sha "v${version}")"
-              if [[ -z "$sha" ]]; then
-                echo "Could not resolve git tag v${version}; skipping cache seed." >&2
-                continue
-              fi
-
-              key="${cache_prefix}${sha}"
-              if [[ -z "${seen[$key]+x}" ]]; then
-                echo "$key"
-                seen[$key]=1
-              fi
-            done
-            echo "${cache_prefix}"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Restore dist build cache
-        id: dist-cache
-        uses: actions/cache/restore@v5
-        with:
-          path: |
-            .artifacts/build-all-cache/
-            dist/
-            dist-runtime/
-          key: ${{ runner.os }}-dist-build-${{ github.sha }}
-          restore-keys: ${{ steps.dist-cache-seeds.outputs.restore-keys }}
-
-      - name: Build dist on cache miss
-        if: steps.dist-cache.outputs.cache-hit != 'true'
-        env:
-          NODE_OPTIONS: --max-old-space-size=8192
-        run: pnpm build:ci-artifacts
-
-      - name: Build Control UI on cache miss
-        if: steps.dist-cache.outputs.cache-hit != 'true'
-        run: pnpm ui:build
-
-      - name: Verify build artifacts
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          test -d dist
-          test -d dist-runtime
-          if [[ ! -f dist/index.js && ! -f dist/index.mjs ]]; then
-            echo "Missing dist/index.js or dist/index.mjs" >&2
-            exit 1
-          fi
-          test -f dist/build-info.json
-          test -f dist/control-ui/index.html
-
-      - name: Save dist build cache
-        if: steps.dist-cache.outputs.cache-hit != 'true'
-        uses: actions/cache/save@v5
-        with:
-          path: |
-            .artifacts/build-all-cache/
-            dist/
-            dist-runtime/
-          key: ${{ runner.os }}-dist-build-${{ github.sha }}
-
-      - name: Prepare Testbox shell
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          git fetch --no-tags --depth=50 origin "+refs/heads/main:refs/remotes/origin/main"
-
-          node_bin="$(dirname "$(node -p 'process.execPath')")"
-          pnpm_bin="$(command -v pnpm)"
-          sudo ln -sf "$node_bin/node" /usr/local/bin/node
-          sudo ln -sf "$node_bin/npm" /usr/local/bin/npm
-          sudo ln -sf "$node_bin/npx" /usr/local/bin/npx
-          sudo ln -sf "$node_bin/corepack" /usr/local/bin/corepack
-          sudo ln -sf "$pnpm_bin" /usr/local/bin/pnpm
-
-      - name: Hydrate Testbox provider env helper
-        shell: bash
-        env:
-          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-          ANTHROPIC_API_KEY_OLD: ${{ secrets.ANTHROPIC_API_KEY_OLD }}
-          ANTHROPIC_API_TOKEN: ${{ secrets.ANTHROPIC_API_TOKEN }}
-          CEREBRAS_API_KEY: ${{ secrets.CEREBRAS_API_KEY }}
-          DEEPINFRA_API_KEY: ${{ secrets.DEEPINFRA_API_KEY }}
-          FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
-          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
-          GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-          GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
-          KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
-          MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
-          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
-          MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
-          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
-          QWEN_API_KEY: ${{ secrets.QWEN_API_KEY }}
-          TOGETHER_API_KEY: ${{ secrets.TOGETHER_API_KEY }}
-          XAI_API_KEY: ${{ secrets.XAI_API_KEY }}
-          ZAI_API_KEY: ${{ secrets.ZAI_API_KEY }}
-          Z_AI_API_KEY: ${{ secrets.Z_AI_API_KEY }}
-        run: bash scripts/ci-hydrate-testbox-env.sh
-
-      - name: Run Testbox
-        uses: useblacksmith/run-testbox@5ca05834db1d3813554d1dd109e5f2087a8d7cbc
-        if: always()
-        env:
-          FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

.github/workflows/ci-check-testbox.yml

@@ -18,7 +18,6 @@ env:
 
 jobs:
   check:
-    if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }}
     permissions:
       contents: read
     name: "check"
@@ -26,7 +25,7 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Begin Testbox
-        uses: useblacksmith/begin-testbox@d0e04585c26905fdd92c94a09c159544c7ee1b67
+        uses: useblacksmith/begin-testbox@v2
         with:
           testbox_id: ${{ inputs.testbox_id }}
       - name: Checkout
@@ -63,18 +62,18 @@ jobs:
 
             git -C "$workdir" checkout --force --detach "$CHECKOUT_SHA" || return 1
             test -f "$workdir/.github/actions/setup-node-env/action.yml" || return 1
-            echo "checkout attempt ${attempt}/5 succeeded"
+            echo "checkout attempt ${attempt}/2 succeeded"
           }
 
-          for attempt in 1 2 3 4 5; do
+          for attempt in 1 2; do
             if checkout_attempt "$attempt"; then
               exit 0
             fi
-            echo "checkout attempt ${attempt}/5 failed"
+            echo "checkout attempt ${attempt}/2 failed"
             sleep $((attempt * 5))
           done
 
-          echo "checkout failed after 5 attempts" >&2
+          echo "checkout failed after 2 attempts" >&2
           exit 1
       - name: Setup Node environment
         uses: ./.github/actions/setup-node-env
@@ -94,35 +93,8 @@ jobs:
           sudo ln -sf "$node_bin/npx" /usr/local/bin/npx
           sudo ln -sf "$node_bin/corepack" /usr/local/bin/corepack
           sudo ln -sf "$pnpm_bin" /usr/local/bin/pnpm
-
-      - name: Hydrate Testbox provider env helper
-        shell: bash
-        env:
-          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-          ANTHROPIC_API_KEY_OLD: ${{ secrets.ANTHROPIC_API_KEY_OLD }}
-          ANTHROPIC_API_TOKEN: ${{ secrets.ANTHROPIC_API_TOKEN }}
-          CEREBRAS_API_KEY: ${{ secrets.CEREBRAS_API_KEY }}
-          DEEPINFRA_API_KEY: ${{ secrets.DEEPINFRA_API_KEY }}
-          FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
-          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
-          GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-          GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
-          KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
-          MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
-          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
-          MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
-          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
-          QWEN_API_KEY: ${{ secrets.QWEN_API_KEY }}
-          TOGETHER_API_KEY: ${{ secrets.TOGETHER_API_KEY }}
-          XAI_API_KEY: ${{ secrets.XAI_API_KEY }}
-          ZAI_API_KEY: ${{ secrets.ZAI_API_KEY }}
-          Z_AI_API_KEY: ${{ secrets.Z_AI_API_KEY }}
-        run: bash scripts/ci-hydrate-testbox-env.sh
-
       - name: Run Testbox
-        uses: useblacksmith/run-testbox@5ca05834db1d3813554d1dd109e5f2087a8d7cbc
+        uses: useblacksmith/run-testbox@v2
         if: always()
         env:
           FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

.github/workflows/clawsweeper-dispatch.yml

@@ -1,262 +0,0 @@
-name: ClawSweeper Dispatch
-
-on:
-  issues:
-    types: [opened, reopened, edited, labeled, unlabeled]
-  issue_comment:
-    types: [created, edited]
-  push:
-    branches: [main]
-  pull_request_target: # zizmor: ignore[dangerous-triggers] maintainer-owned external dispatch; no checkout or untrusted PR code execution
-    types: [opened, reopened, synchronize, ready_for_review, edited, labeled, unlabeled]
-  pull_request_review:
-    types: [submitted, edited, dismissed]
-  pull_request_review_comment:
-    types: [created, edited]
-
-permissions:
-  contents: read
-
-concurrency:
-  group: clawsweeper-dispatch-${{ github.repository }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
-  cancel-in-progress: ${{ github.event.action == 'edited' || github.event.action == 'synchronize' || github.event.action == 'ready_for_review' }}
-
-jobs:
-  dispatch:
-    runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'issue_comment' || !(endsWith(github.actor, '[bot]') && (github.event.action == 'labeled' || github.event.action == 'unlabeled')) }}
-    env:
-      HAS_CLAWSWEEPER_APP_PRIVATE_KEY: ${{ secrets.CLAWSWEEPER_APP_PRIVATE_KEY != '' }}
-      CLAWSWEEPER_APP_CLIENT_ID: Iv23liOECG0slfuhz093
-      SUPERSEDES_IN_PROGRESS: ${{ (github.event.action == 'edited' || github.event.action == 'synchronize' || github.event.action == 'ready_for_review') && 'true' || 'false' }}
-    steps:
-      - name: Debounce bursty metadata events
-        if: ${{ github.event.action == 'labeled' || github.event.action == 'unlabeled' }}
-        run: sleep 20
-
-      - name: Create ClawSweeper dispatch token
-        id: token
-        if: ${{ env.HAS_CLAWSWEEPER_APP_PRIVATE_KEY == 'true' }}
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
-        with:
-          client-id: ${{ env.CLAWSWEEPER_APP_CLIENT_ID }}
-          private-key: ${{ secrets.CLAWSWEEPER_APP_PRIVATE_KEY }}
-          owner: openclaw
-          repositories: clawsweeper
-          permission-contents: write
-
-      - name: Create target comment token
-        id: target_token
-        if: ${{ github.event_name == 'issue_comment' && env.HAS_CLAWSWEEPER_APP_PRIVATE_KEY == 'true' }}
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
-        with:
-          client-id: ${{ env.CLAWSWEEPER_APP_CLIENT_ID }}
-          private-key: ${{ secrets.CLAWSWEEPER_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: ${{ github.event.repository.name }}
-          permission-issues: write
-          permission-pull-requests: read
-
-      - name: Dispatch GitHub activity to ClawSweeper
-        env:
-          GH_TOKEN: ${{ steps.token.outputs.token }}
-          TARGET_REPO: ${{ github.repository }}
-          SOURCE_EVENT: ${{ github.event_name }}
-          SOURCE_ACTION: ${{ github.event.action }}
-          ACTOR: ${{ github.actor }}
-        run: |
-          set -euo pipefail
-          if [ -z "$GH_TOKEN" ]; then
-            echo "::notice::Skipping GitHub activity dispatch because no ClawSweeper app token is configured."
-            exit 0
-          fi
-          activity="$(jq -c \
-            --arg target_repo "$TARGET_REPO" \
-            --arg event_name "$SOURCE_EVENT" \
-            --arg source_action "$SOURCE_ACTION" \
-            --arg actor "$ACTOR" \
-            '
-            def body_excerpt(value):
-              if (value // "" | type) == "string" then
-                ((value // "") | gsub("\\s+"; " ") | .[0:1200])
-              else null end;
-            {
-              type: $event_name,
-              repo: $target_repo,
-              action: $source_action,
-              actor: $actor,
-              subject: (
-                if .pull_request then {
-                  kind: "pull_request",
-                  number: .pull_request.number,
-                  title: .pull_request.title,
-                  url: .pull_request.html_url,
-                  state: (if .pull_request.merged == true then "merged" else .pull_request.state end)
-                } elif .issue then {
-                  kind: (if .issue.pull_request then "pull_request" else "issue" end),
-                  number: .issue.number,
-                  title: .issue.title,
-                  url: .issue.html_url,
-                  state: .issue.state
-                } elif $event_name == "push" then {
-                  kind: "push",
-                  title: (.head_commit.message // .after // "push"),
-                  url: (.head_commit.url // .compare),
-                  state: .ref
-                } else {
-                  kind: $event_name
-                } end),
-              comment: (if .comment then {
-                id: .comment.id,
-                url: .comment.html_url,
-                body_excerpt: body_excerpt(.comment.body)
-              } else null end),
-              review: (if .review then {
-                id: .review.id,
-                state: .review.state,
-                url: .review.html_url,
-                body_excerpt: body_excerpt(.review.body)
-              } else null end),
-              review_comment: (if .comment and $event_name == "pull_request_review_comment" then {
-                id: .comment.id,
-                path: .comment.path,
-                line: (.comment.line // .comment.original_line),
-                url: .comment.html_url,
-                body_excerpt: body_excerpt(.comment.body)
-              } else null end),
-              push: (if $event_name == "push" then {
-                before: .before,
-                after: .after,
-                ref: .ref,
-                compare: .compare,
-                head_commit: .head_commit.id
-              } else null end),
-              delivery_id: (.comment.id // .review.id // .pull_request.head.sha // .issue.updated_at // .after // env.GITHUB_RUN_ID)
-            } | del(.. | nulls)
-            ' "$GITHUB_EVENT_PATH")"
-          payload="$(jq -nc --argjson activity "$activity" \
-            '{event_type:"github_activity",client_payload:{activity:$activity}}')"
-          if gh api repos/openclaw/clawsweeper/dispatches \
-            --method POST \
-            --input - <<< "$payload"; then
-            echo "Dispatched GitHub activity to ClawSweeper."
-          else
-            echo "::warning::Skipping GitHub activity dispatch because the configured credential could not dispatch to openclaw/clawsweeper."
-          fi
-
-      - name: Dispatch exact ClawSweeper review
-        if: ${{ github.event_name == 'issues' || github.event_name == 'pull_request_target' }}
-        env:
-          GH_TOKEN: ${{ steps.token.outputs.token }}
-          TARGET_REPO: ${{ github.repository }}
-          ITEM_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
-          ITEM_KIND: ${{ github.event_name == 'pull_request_target' && 'pull_request' || 'issue' }}
-          SOURCE_EVENT: ${{ github.event_name }}
-          SOURCE_ACTION: ${{ github.event.action }}
-        run: |
-          if [ -z "$GH_TOKEN" ]; then
-            echo "::notice::Skipping ClawSweeper dispatch because no ClawSweeper app token is configured. Not falling back to a maintainer token."
-            exit 0
-          fi
-          payload="$(jq -nc \
-            --arg target_repo "$TARGET_REPO" \
-            --argjson item_number "$ITEM_NUMBER" \
-            --arg item_kind "$ITEM_KIND" \
-            --arg source_event "$SOURCE_EVENT" \
-            --arg source_action "$SOURCE_ACTION" \
-            --argjson supersedes_in_progress "$SUPERSEDES_IN_PROGRESS" \
-            '{event_type:"clawsweeper_item",client_payload:{target_repo:$target_repo,item_number:$item_number,item_kind:$item_kind,source_event:$source_event,source_action:$source_action,supersedes_in_progress:$supersedes_in_progress}}')"
-          if gh api repos/openclaw/clawsweeper/dispatches \
-            --method POST \
-            --input - <<< "$payload"; then
-            echo "Dispatched ClawSweeper review."
-          else
-            echo "::warning::Skipping ClawSweeper dispatch because the configured credential could not dispatch to openclaw/clawsweeper."
-          fi
-
-      - name: Acknowledge and dispatch ClawSweeper comment
-        if: ${{ github.event_name == 'issue_comment' }}
-        env:
-          DISPATCH_TOKEN: ${{ steps.token.outputs.token }}
-          TARGET_TOKEN: ${{ steps.target_token.outputs.token }}
-          TARGET_REPO: ${{ github.repository }}
-          ITEM_NUMBER: ${{ github.event.issue.number }}
-          COMMENT_ID: ${{ github.event.comment.id }}
-          COMMENT_BODY: ${{ github.event.comment.body }}
-          SOURCE_ACTION: ${{ github.event.action }}
-        run: |
-          set -euo pipefail
-          if [ -z "$DISPATCH_TOKEN" ]; then
-            echo "::notice::Skipping ClawSweeper comment dispatch because no ClawSweeper app token is configured."
-            exit 0
-          fi
-          body_file="$RUNNER_TEMP/clawsweeper-comment-body.txt"
-          printf '%s\n' "$COMMENT_BODY" > "$body_file"
-          if ! grep -Eiq '(^|[[:space:]])@(clawsweeper|openclaw-clawsweeper)\b(\[bot\])?|(^|[[:space:]])/(clawsweeper|review|automerge|autoclose)\b' "$body_file"; then
-            echo "No ClawSweeper command found in comment."
-            exit 0
-          fi
-          if [ -n "$TARGET_TOKEN" ]; then
-            err="$(mktemp)"
-            if GH_TOKEN="$TARGET_TOKEN" gh api -X POST \
-              -H "Accept: application/vnd.github+json" \
-              "repos/$TARGET_REPO/issues/comments/$COMMENT_ID/reactions" \
-              -f content="eyes" 2>"$err" >/dev/null; then
-              echo "Acknowledged ClawSweeper command comment."
-            elif grep -qi "HTTP 422\\|already exists" "$err"; then
-              echo "ClawSweeper command comment already acknowledged."
-            else
-              cat "$err" >&2
-              echo "::warning::Could not acknowledge ClawSweeper command comment."
-            fi
-            rm -f "$err"
-          else
-            echo "::notice::Skipping ClawSweeper comment acknowledgement because no target token is configured."
-          fi
-          payload="$(jq -nc \
-            --arg target_repo "$TARGET_REPO" \
-            --argjson item_number "$ITEM_NUMBER" \
-            --argjson comment_id "$COMMENT_ID" \
-            --arg source_event "issue_comment" \
-            --arg source_action "$SOURCE_ACTION" \
-            '{event_type:"clawsweeper_comment",client_payload:{target_repo:$target_repo,item_number:$item_number,comment_id:$comment_id,source_event:$source_event,source_action:$source_action}}')"
-          if GH_TOKEN="$DISPATCH_TOKEN" gh api repos/openclaw/clawsweeper/dispatches \
-            --method POST \
-            --input - <<< "$payload"; then
-            echo "Dispatched ClawSweeper comment router."
-          else
-            echo "::warning::Skipping ClawSweeper comment dispatch because the configured credential could not dispatch to openclaw/clawsweeper."
-          fi
-
-      - name: Dispatch ClawSweeper commit review
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && github.event.deleted != true }}
-        env:
-          GH_TOKEN: ${{ steps.token.outputs.token }}
-          TARGET_REPO: ${{ github.repository }}
-          BEFORE_SHA: ${{ github.event.before }}
-          AFTER_SHA: ${{ github.sha }}
-          SOURCE_REF: ${{ github.ref }}
-          CREATE_CHECKS: ${{ vars.CLAWSWEEPER_COMMIT_REVIEW_CREATE_CHECKS || 'false' }}
-        run: |
-          if [ -z "$GH_TOKEN" ]; then
-            echo "::notice::Skipping ClawSweeper commit dispatch because no ClawSweeper app token is configured. Not falling back to a maintainer token."
-            exit 0
-          fi
-          case "$CREATE_CHECKS" in
-            true|TRUE|1|yes|YES|on|ON) create_checks=true ;;
-            *) create_checks=false ;;
-          esac
-          payload="$(jq -nc \
-            --arg target_repo "$TARGET_REPO" \
-            --arg before_sha "$BEFORE_SHA" \
-            --arg after_sha "$AFTER_SHA" \
-            --arg ref "$SOURCE_REF" \
-            --argjson create_checks "$create_checks" \
-            '{event_type:"clawsweeper_commit_review",client_payload:{target_repo:$target_repo,before_sha:$before_sha,after_sha:$after_sha,ref:$ref,enabled:true,create_checks:$create_checks}}')"
-          if gh api repos/openclaw/clawsweeper/dispatches \
-            --method POST \
-            --input - <<< "$payload"; then
-            echo "Dispatched ClawSweeper commit review."
-          else
-            echo "::warning::Skipping ClawSweeper commit dispatch because the configured credential could not dispatch to openclaw/clawsweeper."
-          fi

.github/workflows/codeql-android-critical-security.yml

@@ -1,51 +0,0 @@
-name: CodeQL Android Critical Security
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 7 * * *"
-
-concurrency:
-  group: codeql-android-critical-security-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-permissions:
-  actions: read
-  contents: read
-  security-events: write
-
-jobs:
-  android:
-    name: Critical Security (android)
-    runs-on: blacksmith-8vcpu-ubuntu-2404
-    timeout-minutes: 45
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
-        with:
-          distribution: temurin
-          java-version: "21"
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: java-kotlin
-          build-mode: manual
-          config-file: ./.github/codeql/codeql-android-critical-security.yml
-
-      - name: Build Android for CodeQL
-        working-directory: apps/android
-        run: ./gradlew --no-daemon :app:assemblePlayDebug
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-security/android"

.github/workflows/codeql-critical-quality.yml

@@ -1,691 +0,0 @@
-name: CodeQL Critical Quality
-
-on:
-  workflow_dispatch:
-    inputs:
-      profile:
-        description: CodeQL quality profile to run
-        required: false
-        default: all
-        type: choice
-        options:
-          - all
-          - agent-runtime-boundary
-          - config-boundary
-          - core-auth-secrets
-          - channel-runtime-boundary
-          - gateway-runtime-boundary
-          - memory-runtime-boundary
-          - mcp-process-runtime-boundary
-          - plugin-boundary
-          - plugin-sdk-package-contract
-          - plugin-sdk-reply-runtime
-          - provider-runtime-boundary
-          - network-runtime-boundary
-          - session-diagnostics-boundary
-  pull_request:
-    types: [opened, synchronize, reopened, ready_for_review]
-    paths:
-      - ".github/codeql/**"
-      - ".github/workflows/codeql-critical-quality.yml"
-      - "extensions/*.ts"
-      - "extensions/**/*.ts"
-      - "packages/plugin-package-contract/**"
-      - "packages/plugin-sdk/**"
-      - "packages/memory-host-sdk/**"
-      - "src/*.ts"
-      - "src/**/*.ts"
-      - "src/config/**"
-      - "extensions/discord/src/**"
-      - "extensions/feishu/src/**"
-      - "extensions/googlechat/src/**"
-      - "extensions/imessage/src/**"
-      - "extensions/irc/src/**"
-      - "extensions/line/src/**"
-      - "extensions/matrix/src/**"
-      - "extensions/mattermost/src/**"
-      - "extensions/msteams/src/**"
-      - "extensions/nextcloud-talk/src/**"
-      - "extensions/nostr/src/**"
-      - "extensions/qa-channel/src/**"
-      - "extensions/qqbot/src/**"
-      - "extensions/signal/src/**"
-      - "extensions/slack/src/**"
-      - "extensions/synology-chat/src/**"
-      - "extensions/telegram/src/**"
-      - "extensions/tlon/src/**"
-      - "extensions/twitch/src/**"
-      - "extensions/whatsapp/src/**"
-      - "extensions/zalo/src/**"
-      - "extensions/zalouser/src/**"
-      - "src/agents/*auth*.ts"
-      - "src/agents/**/*auth*.ts"
-      - "src/agents/auth-health*.ts"
-      - "src/agents/auth-profiles"
-      - "src/agents/auth-profiles/**"
-      - "src/agents/bash-tools.exec-host-shared.ts"
-      - "src/agents/sandbox"
-      - "src/agents/sandbox/**"
-      - "src/agents/sandbox.ts"
-      - "src/agents/sandbox-*.ts"
-      - "src/acp/control-plane/**"
-      - "src/agents/cli-runner/**"
-      - "src/agents/command/**"
-      - "src/agents/pi-embedded-runner/**"
-      - "src/agents/tools/**"
-      - "src/agents/*completion*.ts"
-      - "src/agents/*transport*.ts"
-      - "src/agents/model-*.ts"
-      - "src/agents/openclaw-tools*.ts"
-      - "src/agents/provider-*.ts"
-      - "src/agents/session*.ts"
-      - "src/agents/tool-call*.ts"
-      - "src/auto-reply/reply/agent-runner*.ts"
-      - "src/auto-reply/reply/commands*.ts"
-      - "src/auto-reply/reply/directive-handling*.ts"
-      - "src/auto-reply/reply/dispatch-*.ts"
-      - "src/auto-reply/reply/get-reply-run*.ts"
-      - "src/auto-reply/reply/provider-dispatcher*.ts"
-      - "src/auto-reply/reply/queue*.ts"
-      - "src/auto-reply/reply/reply-run-registry*.ts"
-      - "src/auto-reply/reply/session*.ts"
-      - "src/channels/**"
-      - "src/auto-reply/reply/post-compaction-context.ts"
-      - "src/auto-reply/reply/queue/**"
-      - "src/auto-reply/reply/startup-context.ts"
-      - "src/commands/doctor-cron-dreaming-payload-migration.ts"
-      - "src/commands/doctor-memory-search.ts"
-      - "src/commands/doctor-session-*.ts"
-      - "src/commands/session-store-targets.ts"
-      - "src/commands/sessions*.ts"
-      - "src/cron/service/jobs.ts"
-      - "src/cron/stagger.ts"
-      - "src/gateway/*auth*.ts"
-      - "src/gateway/**/*auth*.ts"
-      - "src/gateway/*secret*.ts"
-      - "src/gateway/**/*secret*.ts"
-      - "src/gateway/protocol/**/*secret*.ts"
-      - "src/gateway/resolve-configured-secret-input-string*.ts"
-      - "src/gateway/security-path*.ts"
-      - "src/gateway/server-methods/secrets*.ts"
-      - "src/gateway/server-startup-memory.ts"
-      - "src/gateway/method-scopes.ts"
-      - "src/gateway/protocol/**"
-      - "src/gateway/server-methods/**"
-      - "src/gateway/server-methods.ts"
-      - "src/gateway/server-methods-list.ts"
-      - "src/infra/diagnostic-*.ts"
-      - "src/infra/diagnostics-timeline.ts"
-      - "src/infra/outbound/**"
-      - "src/infra/secret-file*.ts"
-      - "src/infra/session-delivery-queue*.ts"
-      - "src/logging/diagnostic*.ts"
-      - "src/memory/**"
-      - "src/memory-host-sdk/**"
-      - "src/mcp/**"
-      - "src/model-catalog/**"
-      - "src/plugin-sdk/**"
-      - "src/plugins/**"
-      - "src/process/**"
-      - "src/secrets/**"
-      - "src/security/**"
-  schedule:
-    - cron: "30 6 * * *"
-
-concurrency:
-  group: codeql-critical-quality-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-permissions:
-  actions: read
-  contents: read
-  pull-requests: read
-  security-events: write
-
-jobs:
-  quality-shards:
-    name: Select Critical Quality shards
-    if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 5
-    outputs:
-      agent: ${{ steps.detect.outputs.agent }}
-      channel: ${{ steps.detect.outputs.channel }}
-      config: ${{ steps.detect.outputs.config }}
-      core_auth_secrets: ${{ steps.detect.outputs.core_auth_secrets }}
-      gateway: ${{ steps.detect.outputs.gateway }}
-      memory: ${{ steps.detect.outputs.memory }}
-      mcp_process: ${{ steps.detect.outputs.mcp_process }}
-      plugin: ${{ steps.detect.outputs.plugin }}
-      plugin_sdk_package: ${{ steps.detect.outputs.plugin_sdk_package }}
-      plugin_sdk_reply: ${{ steps.detect.outputs.plugin_sdk_reply }}
-      provider: ${{ steps.detect.outputs.provider }}
-      network_runtime: ${{ steps.detect.outputs.network_runtime }}
-      session_diagnostics: ${{ steps.detect.outputs.session_diagnostics }}
-    steps:
-      - name: Detect PR shard paths
-        id: detect
-        env:
-          EVENT_NAME: ${{ github.event_name }}
-          GH_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          REPOSITORY: ${{ github.repository }}
-        run: |
-          set -euo pipefail
-
-          agent=false
-          channel=false
-          config=false
-          core_auth_secrets=false
-          gateway=false
-          memory=false
-          mcp_process=false
-          plugin=false
-          plugin_sdk_package=false
-          plugin_sdk_reply=false
-          provider=false
-          network_runtime=false
-          session_diagnostics=false
-
-          if [[ "${EVENT_NAME}" != "pull_request" ]]; then
-            agent=true
-            channel=true
-            config=true
-            core_auth_secrets=true
-            gateway=true
-            memory=true
-            mcp_process=true
-            plugin=true
-            plugin_sdk_package=true
-            plugin_sdk_reply=true
-            provider=true
-            network_runtime=true
-            session_diagnostics=true
-          else
-            while IFS= read -r file; do
-              case "${file}" in
-                .github/codeql/*|.github/workflows/codeql-critical-quality.yml)
-                  agent=true
-                  channel=true
-                  config=true
-                  core_auth_secrets=true
-                  gateway=true
-                  memory=true
-                  mcp_process=true
-                  plugin=true
-                  plugin_sdk_package=true
-                  plugin_sdk_reply=true
-                  provider=true
-                  network_runtime=true
-                  session_diagnostics=true
-                  ;;
-                src/acp/control-plane/*|src/agents/cli-runner/*|src/agents/command/*|src/agents/pi-embedded-runner/*|src/agents/tools/*|src/agents/*completion*.ts|src/agents/*transport*.ts|src/agents/model-*.ts|src/agents/openclaw-tools*.ts|src/agents/provider-*.ts|src/agents/session*.ts|src/agents/tool-call*.ts|src/auto-reply/reply/agent-runner*.ts|src/auto-reply/reply/commands*.ts|src/auto-reply/reply/directive-handling*.ts|src/auto-reply/reply/dispatch-*.ts|src/auto-reply/reply/get-reply-run*.ts|src/auto-reply/reply/provider-dispatcher*.ts|src/auto-reply/reply/queue*.ts|src/auto-reply/reply/reply-run-registry*.ts|src/auto-reply/reply/session*.ts)
-                  agent=true
-                  ;;
-                src/auto-reply/reply/post-compaction-context.ts|src/auto-reply/reply/queue/*|src/auto-reply/reply/startup-context.ts|src/commands/doctor-session-*.ts|src/commands/session-store-targets.ts|src/commands/sessions*.ts|src/infra/diagnostic-*.ts|src/infra/diagnostics-timeline.ts|src/infra/session-delivery-queue*.ts|src/logging/diagnostic*.ts)
-                  session_diagnostics=true
-                  ;;
-                extensions/discord/src/*|extensions/feishu/src/*|extensions/googlechat/src/*|extensions/imessage/src/*|extensions/irc/src/*|extensions/line/src/*|extensions/matrix/src/*|extensions/mattermost/src/*|extensions/msteams/src/*|extensions/nextcloud-talk/src/*|extensions/nostr/src/*|extensions/qa-channel/src/*|extensions/qqbot/src/*|extensions/signal/src/*|extensions/slack/src/*|extensions/synology-chat/src/*|extensions/telegram/src/*|extensions/tlon/src/*|extensions/twitch/src/*|extensions/whatsapp/src/*|extensions/zalo/src/*|extensions/zalouser/src/*|src/channels/*)
-                  channel=true
-                  ;;
-                src/config/*)
-                  config=true
-                  ;;
-                src/gateway/protocol/*secret*.ts|src/gateway/server-methods/secrets*.ts)
-                  core_auth_secrets=true
-                  gateway=true
-                  ;;
-                src/agents/*auth*.ts|src/agents/auth-health*.ts|src/agents/auth-profiles|src/agents/auth-profiles/*|src/agents/bash-tools.exec-host-shared.ts|src/agents/sandbox|src/agents/sandbox.ts|src/agents/sandbox-*.ts|src/agents/sandbox/*|src/cron/service/jobs.ts|src/cron/stagger.ts|src/gateway/*auth*.ts|src/gateway/*secret*.ts|src/gateway/resolve-configured-secret-input-string*.ts|src/gateway/security-path*.ts|src/infra/secret-file*.ts|src/secrets/*|src/security/*)
-                  core_auth_secrets=true
-                  ;;
-                src/gateway/method-scopes.ts|src/gateway/protocol/*|src/gateway/server-methods/*|src/gateway/server-methods.ts|src/gateway/server-methods-list.ts)
-                  gateway=true
-                  ;;
-                packages/memory-host-sdk/*|src/commands/doctor-cron-dreaming-payload-migration.ts|src/commands/doctor-memory-search.ts|src/gateway/server-startup-memory.ts|src/memory/*|src/memory-host-sdk/*)
-                  memory=true
-                  ;;
-                src/infra/outbound/base-session-key.ts|src/infra/outbound/delivery-queue*.ts|src/infra/outbound/outbound-session.ts|src/infra/outbound/session-binding*.ts|src/infra/outbound/session-context.ts|src/infra/outbound/targets-session.ts)
-                  mcp_process=true
-                  session_diagnostics=true
-                  ;;
-                src/infra/outbound/*|src/mcp/*|src/process/*)
-                  mcp_process=true
-                  ;;
-                src/plugin-sdk/inbound-envelope.ts|src/plugin-sdk/inbound-reply-dispatch.ts|src/plugin-sdk/reply-*.ts|src/plugin-sdk/channel-reply-*.ts|src/plugin-sdk/delivery-queue-runtime.ts|src/plugin-sdk/outbound-runtime.ts|src/plugin-sdk/outbound-send-deps.ts|src/plugin-sdk/model-session-runtime.ts|src/plugin-sdk/session-*.ts|src/plugin-sdk/thread-bindings-runtime.ts|src/plugin-sdk/thread-bindings-session-runtime.ts|src/plugin-sdk/conversation-binding-runtime.ts)
-                  plugin=true
-                  plugin_sdk_package=true
-                  plugin_sdk_reply=true
-                  ;;
-                src/plugin-sdk/memory-*.ts|src/plugin-sdk/memory-core-host-*.ts)
-                  memory=true
-                  plugin=true
-                  plugin_sdk_package=true
-                  ;;
-                src/plugin-sdk/*)
-                  plugin=true
-                  plugin_sdk_package=true
-                  ;;
-                src/plugins/provider-contract-public-artifacts.ts|src/plugins/provider-public-artifacts.ts|src/plugins/web-provider-public-artifacts*.ts)
-                  plugin=true
-                  provider=true
-                  ;;
-                src/plugins/memory-embedding-provider*.ts|src/plugins/memory-embedding-providers*.ts)
-                  memory=true
-                  provider=true
-                  ;;
-                src/plugins/memory-*.ts)
-                  memory=true
-                  ;;
-                src/model-catalog/*|src/plugins/*provider*.ts|src/plugins/capability-provider-runtime.ts|src/plugins/compaction-provider.ts|src/plugins/memory-embedding-provider*.ts|src/plugins/memory-embedding-providers*.ts|src/plugins/migration-provider-runtime.ts|src/plugins/synthetic-auth.runtime.ts|src/plugins/web-fetch-providers*.ts|src/plugins/web-search-providers*.ts)
-                  provider=true
-                  ;;
-                src/plugins/activation-planner.ts|src/plugins/api-builder.ts|src/plugins/bundled-*.ts|src/plugins/captured-registration.ts|src/plugins/config-*.ts|src/plugins/discovery.ts|src/plugins/effective-plugin-ids.ts|src/plugins/externalized-bundled-plugins.ts|src/plugins/installed-plugin-index*.ts|src/plugins/loader*.ts|src/plugins/manifest*.ts|src/plugins/module-export.ts|src/plugins/package-entrypoints.ts|src/plugins/plugin-registry*.ts|src/plugins/public-surface*.ts|src/plugins/registry.ts|src/plugins/registry-types.ts|src/plugins/runtime|src/plugins/runtime/*|src/plugins/runtime-state.ts|src/plugins/runtime.ts|src/plugins/sdk-alias.ts|src/plugins/source-loader.ts|src/plugins/types.ts|src/plugins/validation-diagnostics.ts)
-                  plugin=true
-                  ;;
-                packages/plugin-package-contract/*|packages/plugin-sdk/*)
-                  plugin_sdk_package=true
-                  ;;
-              esac
-
-              case "${file}" in
-                src/*.ts|src/**/*.ts|extensions/*.ts|extensions/**/*.ts)
-                  network_runtime=true
-                  ;;
-              esac
-            done < <(gh api --paginate "repos/${REPOSITORY}/pulls/${PR_NUMBER}/files" --jq '.[].filename')
-          fi
-
-          {
-            echo "agent=${agent}"
-            echo "channel=${channel}"
-            echo "config=${config}"
-            echo "core_auth_secrets=${core_auth_secrets}"
-            echo "gateway=${gateway}"
-            echo "memory=${memory}"
-            echo "mcp_process=${mcp_process}"
-            echo "plugin=${plugin}"
-            echo "plugin_sdk_package=${plugin_sdk_package}"
-            echo "plugin_sdk_reply=${plugin_sdk_reply}"
-            echo "provider=${provider}"
-            echo "network_runtime=${network_runtime}"
-            echo "session_diagnostics=${session_diagnostics}"
-          } >> "${GITHUB_OUTPUT}"
-
-  core-auth-secrets:
-    name: Critical Quality (core-auth-secrets)
-    needs: quality-shards
-    if: ${{ needs.quality-shards.outputs.core_auth_secrets == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'core-auth-secrets') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-core-auth-secrets-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/core-auth-secrets"
-
-  config-boundary:
-    name: Critical Quality (config-boundary)
-    needs: quality-shards
-    if: ${{ needs.quality-shards.outputs.config == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'config-boundary') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-config-boundary-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/config-boundary"
-
-  gateway-runtime-boundary:
-    name: Critical Quality (gateway-runtime-boundary)
-    needs: quality-shards
-    if: ${{ needs.quality-shards.outputs.gateway == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'gateway-runtime-boundary') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-gateway-runtime-boundary-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/gateway-runtime-boundary"
-
-  channel-runtime-boundary:
-    name: Critical Quality (channel-runtime-boundary)
-    needs: quality-shards
-    if: ${{ needs.quality-shards.outputs.channel == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'channel-runtime-boundary') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/channel-runtime-boundary"
-
-  network-runtime-boundary:
-    name: Critical Quality (network-runtime-boundary)
-    needs: quality-shards
-    if: ${{ needs.quality-shards.outputs.network_runtime == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'network-runtime-boundary') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-network-runtime-boundary-critical-quality.yml
-
-      - name: Analyze
-        id: analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          output: sarif-results
-          category: "/codeql-critical-quality/network-runtime-boundary"
-
-      - name: Fail on network runtime boundary findings
-        env:
-          SARIF_OUTPUT: sarif-results
-        run: |
-          set -euo pipefail
-          shopt -s nullglob
-
-          files=("$SARIF_OUTPUT"/*.sarif)
-          if [ "${#files[@]}" -eq 0 ]; then
-            echo "No SARIF files found in $SARIF_OUTPUT" >&2
-            exit 1
-          fi
-
-          findings="$(jq -s '[.[].runs[]?.results[]?] | length' "${files[@]}")"
-          if [ "$findings" = "0" ]; then
-            exit 0
-          fi
-
-          echo "Found ${findings} network runtime boundary finding(s):" >&2
-          jq -r '
-            .runs[]?.results[]?
-            | .locations[0].physicalLocation as $location
-            | "- "
-              + ($location.artifactLocation.uri // "unknown")
-              + ":"
-              + (($location.region.startLine // 0) | tostring)
-              + " "
-              + (.message.text // .ruleId)
-          ' "${files[@]}" >&2
-          exit 1
-
-  agent-runtime-boundary:
-    name: Critical Quality (agent-runtime-boundary)
-    needs: quality-shards
-    if: ${{ needs.quality-shards.outputs.agent == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'agent-runtime-boundary') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/agent-runtime-boundary"
-
-  mcp-process-runtime-boundary:
-    name: Critical Quality (mcp-process-runtime-boundary)
-    needs: quality-shards
-    if: ${{ needs.quality-shards.outputs.mcp_process == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'mcp-process-runtime-boundary') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-mcp-process-runtime-boundary-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/mcp-process-runtime-boundary"
-
-  memory-runtime-boundary:
-    name: Critical Quality (memory-runtime-boundary)
-    needs: quality-shards
-    if: ${{ needs.quality-shards.outputs.memory == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'memory-runtime-boundary') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-memory-runtime-boundary-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/memory-runtime-boundary"
-
-  session-diagnostics-boundary:
-    name: Critical Quality (session-diagnostics-boundary)
-    needs: quality-shards
-    if: ${{ needs.quality-shards.outputs.session_diagnostics == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'session-diagnostics-boundary') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-session-diagnostics-boundary-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/session-diagnostics-boundary"
-
-  plugin-sdk-reply-runtime:
-    name: Critical Quality (plugin-sdk-reply-runtime)
-    needs: quality-shards
-    if: ${{ needs.quality-shards.outputs.plugin_sdk_reply == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-reply-runtime') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-plugin-sdk-reply-runtime-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/plugin-sdk-reply-runtime"
-
-  provider-runtime-boundary:
-    name: Critical Quality (provider-runtime-boundary)
-    needs: quality-shards
-    if: ${{ needs.quality-shards.outputs.provider == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'provider-runtime-boundary') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-provider-runtime-boundary-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/provider-runtime-boundary"
-
-  ui-control-plane:
-    name: Critical Quality (ui-control-plane)
-    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-ui-control-plane-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/ui-control-plane"
-
-  web-media-runtime-boundary:
-    name: Critical Quality (web-media-runtime-boundary)
-    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-web-media-runtime-boundary-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/web-media-runtime-boundary"
-
-  plugin-boundary:
-    name: Critical Quality (plugin-boundary)
-    needs: quality-shards
-    if: ${{ needs.quality-shards.outputs.plugin == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-boundary') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-plugin-boundary-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/plugin-boundary"
-
-  plugin-sdk-package-contract:
-    name: Critical Quality (plugin-sdk-package-contract)
-    needs: quality-shards
-    if: ${{ needs.quality-shards.outputs.plugin_sdk_package == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-package-contract') }}
-    runs-on: blacksmith-4vcpu-ubuntu-2404
-    timeout-minutes: 25
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-plugin-sdk-package-contract-critical-quality.yml
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-quality/plugin-sdk-package-contract"

.github/workflows/codeql-macos-critical-security.yml

@@ -1,89 +0,0 @@
-name: CodeQL macOS Critical Security
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 8 * * 1"
-
-concurrency:
-  group: codeql-macos-critical-security-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-permissions:
-  actions: read
-  contents: read
-  security-events: write
-
-jobs:
-  macos:
-    name: Critical Security (macOS)
-    runs-on: blacksmith-6vcpu-macos-latest
-    timeout-minutes: 45
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Select Xcode
-        run: |
-          sudo xcode-select -s /Applications/Xcode_26.1.app
-          xcodebuild -version
-          swift --version
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: swift
-          build-mode: manual
-          config-file: ./.github/codeql/codeql-macos-critical-security.yml
-
-      - name: Build macOS for CodeQL
-        run: swift build --package-path apps/macos --product OpenClaw
-
-      - name: Analyze
-        id: analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          output: sarif-results
-          upload: failure-only
-          category: "/codeql-critical-security/macos"
-
-      - name: Remove dependency build results
-        env:
-          SARIF_OUTPUT: sarif-results
-        run: |
-          set -euo pipefail
-          shopt -s nullglob
-
-          if [ ! -d "$SARIF_OUTPUT" ]; then
-            echo "SARIF output directory not found: $SARIF_OUTPUT" >&2
-            exit 1
-          fi
-
-          mkdir -p sarif-results-filtered
-
-          files=("$SARIF_OUTPUT"/*.sarif)
-          if [ "${#files[@]}" -eq 0 ]; then
-            echo "No SARIF files found in $SARIF_OUTPUT" >&2
-            exit 1
-          fi
-
-          for file in "${files[@]}"; do
-            jq '
-              def in_dependency_build:
-                ((.locations // []) | length > 0)
-                and all(.locations[]; (.physicalLocation.artifactLocation.uri? // "") | test("^apps/macos/\\.build/"));
-
-              .runs |= map(.results = ((.results // []) | map(select(in_dependency_build | not))))
-            ' "$file" > "sarif-results-filtered/$(basename "$file")"
-          done
-
-      - name: Upload filtered SARIF
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          sarif_file: sarif-results-filtered
-          category: "/codeql-critical-security/macos"

.github/workflows/codeql.yml

@@ -2,28 +2,11 @@ name: CodeQL
 
 on:
   workflow_dispatch:
-    inputs:
-      profile:
-        description: CodeQL security profile to run
-        required: false
-        default: all
-        type: choice
-        options:
-          - all
-          - security
-  pull_request:
-    types: [opened, synchronize, reopened, ready_for_review]
-    paths:
-      - ".github/actions/**"
-      - ".github/codeql/**"
-      - ".github/workflows/**"
-      - "packages/**"
-      - "src/**"
   schedule:
     - cron: "0 6 * * *"
 
 concurrency:
-  group: codeql-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
+  group: codeql-${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 env:
@@ -35,58 +18,121 @@ permissions:
   security-events: write
 
 jobs:
-  security-high:
-    name: Security High (${{ matrix.category }})
-    if: ${{ (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'security') }}
+  analyze:
+    name: Analyze (${{ matrix.language }})
     runs-on: ${{ matrix.runs_on }}
-    timeout-minutes: ${{ matrix.timeout_minutes }}
     strategy:
       fail-fast: false
       matrix:
         include:
           - language: javascript-typescript
-            category: core-auth-secrets
-            runs_on: blacksmith-8vcpu-ubuntu-2404
-            timeout_minutes: 25
-            config_file: ./.github/codeql/codeql-core-auth-secrets-critical-security.yml
-          - language: javascript-typescript
-            category: channel-runtime-boundary
-            runs_on: blacksmith-8vcpu-ubuntu-2404
-            timeout_minutes: 25
-            config_file: ./.github/codeql/codeql-channel-runtime-boundary-critical-security.yml
-          - language: javascript-typescript
-            category: network-ssrf-boundary
-            runs_on: blacksmith-4vcpu-ubuntu-2404
-            timeout_minutes: 25
-            config_file: ./.github/codeql/codeql-network-ssrf-boundary-critical-security.yml
-          - language: javascript-typescript
-            category: mcp-process-tool-boundary
-            runs_on: blacksmith-4vcpu-ubuntu-2404
-            timeout_minutes: 25
-            config_file: ./.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
-          - language: javascript-typescript
-            category: plugin-trust-boundary
-            runs_on: blacksmith-4vcpu-ubuntu-2404
-            timeout_minutes: 25
-            config_file: ./.github/codeql/codeql-plugin-trust-boundary-critical-security.yml
+            runs_on: blacksmith-16vcpu-ubuntu-2404
+            needs_node: true
+            needs_python: false
+            needs_java: false
+            needs_swift_tools: false
+            needs_manual_build: false
+            needs_autobuild: false
+            config_file: ./.github/codeql/codeql-javascript-typescript.yml
           - language: actions
-            category: actions
-            runs_on: blacksmith-8vcpu-ubuntu-2404
-            timeout_minutes: 10
-            config_file: ./.github/codeql/codeql-actions-critical-security.yml
+            runs_on: blacksmith-16vcpu-ubuntu-2404
+            needs_node: false
+            needs_python: false
+            needs_java: false
+            needs_swift_tools: false
+            needs_manual_build: false
+            needs_autobuild: false
+            config_file: ""
+          - language: python
+            runs_on: blacksmith-16vcpu-ubuntu-2404
+            needs_node: false
+            needs_python: true
+            needs_java: false
+            needs_swift_tools: false
+            needs_manual_build: false
+            needs_autobuild: false
+            config_file: ""
+          - language: java-kotlin
+            runs_on: blacksmith-16vcpu-ubuntu-2404
+            needs_node: false
+            needs_python: false
+            needs_java: true
+            needs_swift_tools: false
+            needs_manual_build: true
+            needs_autobuild: false
+            config_file: ""
+          - language: swift
+            runs_on: ${{ github.repository == 'openclaw/openclaw' && 'blacksmith-12vcpu-macos-latest' || 'macos-latest' }}
+            needs_node: false
+            needs_python: false
+            needs_java: false
+            needs_swift_tools: true
+            needs_manual_build: true
+            needs_autobuild: false
+            config_file: ""
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           submodules: false
 
+      - name: Setup Node environment
+        if: matrix.needs_node
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "false"
+
+      - name: Setup Python
+        if: matrix.needs_python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        with:
+          python-version: "3.12"
+
+      - name: Setup Java
+        if: matrix.needs_java
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+        with:
+          distribution: temurin
+          java-version: "21"
+
+      - name: Setup Swift build tools
+        if: matrix.needs_swift_tools
+        run: |
+          sudo xcode-select -s /Applications/Xcode_26.1.app
+          xcodebuild -version
+          brew install xcodegen swiftlint swiftformat
+          swift --version
+
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        uses: github/codeql-action/init@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
         with:
           languages: ${{ matrix.language }}
-          config-file: ${{ matrix.config_file }}
+          queries: security-and-quality
+          config-file: ${{ matrix.config_file || '' }}
+
+      - name: Autobuild
+        if: matrix.needs_autobuild
+        uses: github/codeql-action/autobuild@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
+
+      - name: Build Android for CodeQL
+        if: matrix.language == 'java-kotlin'
+        working-directory: apps/android
+        run: ./gradlew --no-daemon :app:assemblePlayDebug
+
+      - name: Build Swift for CodeQL
+        if: matrix.language == 'swift'
+        run: |
+          set -euo pipefail
+          swift build --package-path apps/macos --configuration release
+          cd apps/ios
+          xcodegen generate
+          xcodebuild build \
+            -project OpenClaw.xcodeproj \
+            -scheme OpenClaw \
+            -destination "generic/platform=iOS Simulator" \
+            CODE_SIGNING_ALLOWED=NO
 
       - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        uses: github/codeql-action/analyze@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
         with:
-          category: "/codeql-security-high/${{ matrix.category }}"
+          category: "/language:${{ matrix.language }}"

.github/workflows/control-ui-locale-refresh.yml

@@ -49,7 +49,7 @@ jobs:
         run: |
           set -euo pipefail
 
-          all_locales_json='["zh-CN","zh-TW","pt-BR","de","es","ja-JP","ko","fr","ar","it","tr","uk","id","pl","th","vi","nl","fa"]'
+          all_locales_json='["zh-CN","zh-TW","pt-BR","de","es","ja-JP","ko","fr","tr","uk","id","pl"]'
 
           if [ "$EVENT_NAME" != "push" ]; then
             echo "has_locales=true" >> "$GITHUB_OUTPUT"
@@ -137,7 +137,7 @@ jobs:
         env:
           OPENAI_API_KEY: ${{ secrets.OPENCLAW_DOCS_I18N_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-          OPENCLAW_CONTROL_UI_I18N_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL_BARE }}
+          OPENCLAW_CONTROL_UI_I18N_MODEL: gpt-5.4
           OPENCLAW_CONTROL_UI_I18N_THINKING: low
           LOCALE: ${{ matrix.locale }}
         run: node --import tsx scripts/control-ui-i18n.ts sync --locale "${LOCALE}" --write

.github/workflows/crabbox-hydrate.yml

@@ -1,183 +0,0 @@
-name: Crabbox Hydrate
-
-on:
-  workflow_dispatch:
-    inputs:
-      crabbox_id:
-        description: "Crabbox lease ID"
-        required: true
-        type: string
-      ref:
-        description: "Git ref to hydrate"
-        required: false
-        type: string
-      crabbox_runner_label:
-        description: "Dynamic Crabbox runner label"
-        required: true
-        type: string
-      crabbox_job:
-        description: "Hydration job identifier expected by Crabbox"
-        required: false
-        default: "hydrate"
-        type: string
-      crabbox_keep_alive_minutes:
-        description: "Minutes to keep the hydrated job alive"
-        required: false
-        default: "90"
-        type: string
-
-permissions:
-  contents: read
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-jobs:
-  hydrate:
-    name: hydrate
-    runs-on: [self-hosted, "${{ inputs.crabbox_runner_label }}"]
-    timeout-minutes: 120
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref || github.ref }}
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Prepare Crabbox shell
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          git fetch --no-tags --depth=50 origin "+refs/heads/main:refs/remotes/origin/main"
-
-          node_bin="$(dirname "$(node -p 'process.execPath')")"
-          pnpm_bin="$(command -v pnpm)"
-          sudo ln -sf "$node_bin/node" /usr/local/bin/node
-          sudo ln -sf "$node_bin/npm" /usr/local/bin/npm
-          sudo ln -sf "$node_bin/npx" /usr/local/bin/npx
-          sudo ln -sf "$node_bin/corepack" /usr/local/bin/corepack
-          sudo ln -sf "$pnpm_bin" /usr/local/bin/pnpm
-
-      - name: Ensure Docker is available
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          if ! command -v docker >/dev/null 2>&1; then
-            curl -fsSL https://get.docker.com | sudo sh
-          fi
-
-          if command -v systemctl >/dev/null 2>&1; then
-            sudo systemctl start docker
-          fi
-
-          if [ -S /var/run/docker.sock ]; then
-            sudo usermod -aG docker "$USER" || true
-            # The runner process keeps its original groups; grant this
-            # ephemeral runner session access without requiring a relogin.
-            sudo chmod 666 /var/run/docker.sock
-          fi
-
-      - name: Hydrate provider env helper
-        shell: bash
-        env:
-          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
-          ANTHROPIC_API_KEY_OLD: ${{ secrets.ANTHROPIC_API_KEY_OLD }}
-          ANTHROPIC_API_TOKEN: ${{ secrets.ANTHROPIC_API_TOKEN }}
-          CEREBRAS_API_KEY: ${{ secrets.CEREBRAS_API_KEY }}
-          DEEPINFRA_API_KEY: ${{ secrets.DEEPINFRA_API_KEY }}
-          FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
-          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
-          GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-          GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
-          KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
-          MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
-          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
-          MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
-          OPENAI_BASE_URL: ${{ secrets.OPENAI_BASE_URL }}
-          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
-          QWEN_API_KEY: ${{ secrets.QWEN_API_KEY }}
-          TOGETHER_API_KEY: ${{ secrets.TOGETHER_API_KEY }}
-          XAI_API_KEY: ${{ secrets.XAI_API_KEY }}
-          ZAI_API_KEY: ${{ secrets.ZAI_API_KEY }}
-          Z_AI_API_KEY: ${{ secrets.Z_AI_API_KEY }}
-        run: bash scripts/ci-hydrate-testbox-env.sh
-
-      - name: Mark Crabbox ready
-        shell: bash
-        env:
-          CRABBOX_ID: ${{ inputs.crabbox_id }}
-          CRABBOX_JOB: ${{ inputs.crabbox_job }}
-        run: |
-          set -euo pipefail
-          job="${CRABBOX_JOB}"
-          if [ -z "$job" ]; then job=hydrate; fi
-          case "$CRABBOX_ID" in
-            ''|*[!A-Za-z0-9._-]*)
-              echo "Invalid crabbox_id" >&2
-              exit 2
-              ;;
-          esac
-          mkdir -p "$HOME/.crabbox/actions"
-          state="$HOME/.crabbox/actions/${CRABBOX_ID}.env"
-          env_file="$HOME/.crabbox/actions/${CRABBOX_ID}.env.sh"
-          services_file="$HOME/.crabbox/actions/${CRABBOX_ID}.services"
-          write_export() {
-            key="$1"
-            value="${!key-}"
-            if [ -n "$value" ]; then
-              printf 'export %s=%q\n' "$key" "$value"
-            fi
-          }
-          {
-            for key in CI GITHUB_ACTIONS GITHUB_WORKSPACE GITHUB_REPOSITORY GITHUB_RUN_ID GITHUB_RUN_NUMBER GITHUB_RUN_ATTEMPT GITHUB_REF GITHUB_REF_NAME GITHUB_SHA GITHUB_EVENT_NAME GITHUB_ACTOR RUNNER_OS RUNNER_ARCH RUNNER_TEMP RUNNER_TOOL_CACHE; do
-              write_export "$key"
-            done
-          } > "${env_file}.tmp"
-          mv "${env_file}.tmp" "$env_file"
-          {
-            echo "# Docker containers visible from the hydrated runner"
-            docker ps --format '{{.Names}}\t{{.Image}}\t{{.Ports}}' 2>/dev/null || true
-          } > "${services_file}.tmp"
-          mv "${services_file}.tmp" "$services_file"
-          tmp="${state}.tmp"
-          {
-            echo "WORKSPACE=${GITHUB_WORKSPACE}"
-            echo "RUN_ID=${GITHUB_RUN_ID}"
-            echo "JOB=${job}"
-            echo "ENV_FILE=${env_file}"
-            echo "SERVICES_FILE=${services_file}"
-            echo "READY_AT=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
-          } > "$tmp"
-          mv "$tmp" "$state"
-
-      - name: Keep Crabbox job alive
-        shell: bash
-        env:
-          CRABBOX_ID: ${{ inputs.crabbox_id }}
-          CRABBOX_KEEP_ALIVE_MINUTES: ${{ inputs.crabbox_keep_alive_minutes }}
-        run: |
-          set -euo pipefail
-          case "$CRABBOX_ID" in
-            ''|*[!A-Za-z0-9._-]*)
-              echo "Invalid crabbox_id" >&2
-              exit 2
-              ;;
-          esac
-          minutes="${CRABBOX_KEEP_ALIVE_MINUTES}"
-          case "$minutes" in
-            ''|*[!0-9]*) minutes=90 ;;
-          esac
-          stop="$HOME/.crabbox/actions/${CRABBOX_ID}.stop"
-          deadline=$(( $(date +%s) + minutes * 60 ))
-          while [ "$(date +%s)" -lt "$deadline" ]; do
-            if [ -f "$stop" ]; then
-              exit 0
-            fi
-            sleep 15
-          done

.github/workflows/docker-release.yml

@@ -38,7 +38,7 @@ jobs:
           RELEASE_TAG: ${{ inputs.tag }}
         run: |
           set -euo pipefail
-          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-(alpha|beta)\.[1-9][0-9]*)?$ ]]; then
+          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-beta\.[1-9][0-9]*)?$ ]]; then
             echo "Invalid release tag: ${RELEASE_TAG}"
             exit 1
           fi
@@ -55,7 +55,6 @@ jobs:
     # WARNING: KEEP MANUAL BACKFILLS GATED BY THE docker-release ENVIRONMENT.
     runs-on: ubuntu-24.04
     environment: docker-release
-    permissions: {}
     steps:
       - name: Approve Docker backfill
         env:
@@ -64,7 +63,7 @@ jobs:
 
   # KEEP THIS WORKFLOW ON GITHUB-HOSTED RUNNERS.
   # DO NOT MOVE IT BACK TO BLACKSMITH WITHOUT RE-VALIDATING TAG BUILDS AND BACKFILLS.
-  # Build amd64 image. Default and slim tags point to the same slim runtime.
+  # Build amd64 images (default + slim share the build stage cache)
   build-amd64:
     needs: [approve_manual_backfill]
     if: ${{ always() && (github.event_name != 'workflow_dispatch' || needs.approve_manual_backfill.result == 'success') }}
@@ -75,6 +74,7 @@ jobs:
       contents: read
     outputs:
       digest: ${{ steps.build.outputs.digest }}
+      slim-digest: ${{ steps.build-slim.outputs.digest }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -117,7 +117,12 @@ jobs:
           fi
           {
             echo "value<<EOF"
-            printf "%s\n" "${tags[@]}" "${slim_tags[@]}"
+            printf "%s\n" "${tags[@]}"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+          {
+            echo "slim<<EOF"
+            printf "%s\n" "${slim_tags[@]}"
             echo "EOF"
           } >> "$GITHUB_OUTPUT"
 
@@ -154,15 +159,28 @@ jobs:
           platforms: linux/amd64
           cache-from: type=gha,scope=docker-release-amd64
           cache-to: type=gha,mode=max,scope=docker-release-amd64
-          build-args: |
-            OPENCLAW_EXTENSIONS=diagnostics-otel
           tags: ${{ steps.tags.outputs.value }}
           labels: ${{ steps.labels.outputs.value }}
-          sbom: true
-          provenance: mode=max
+          provenance: false
           push: true
 
-  # Build arm64 image. Default and slim tags point to the same slim runtime.
+      - name: Build and push amd64 slim image
+        id: build-slim
+        # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        with:
+          context: .
+          platforms: linux/amd64
+          cache-from: type=gha,scope=docker-release-amd64
+          cache-to: type=gha,mode=max,scope=docker-release-amd64
+          build-args: |
+            OPENCLAW_VARIANT=slim
+          tags: ${{ steps.tags.outputs.slim }}
+          labels: ${{ steps.labels.outputs.value }}
+          provenance: false
+          push: true
+
+  # Build arm64 images (default + slim share the build stage cache)
   build-arm64:
     needs: [approve_manual_backfill]
     if: ${{ always() && (github.event_name != 'workflow_dispatch' || needs.approve_manual_backfill.result == 'success') }}
@@ -173,6 +191,7 @@ jobs:
       contents: read
     outputs:
       digest: ${{ steps.build.outputs.digest }}
+      slim-digest: ${{ steps.build-slim.outputs.digest }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -215,7 +234,12 @@ jobs:
           fi
           {
             echo "value<<EOF"
-            printf "%s\n" "${tags[@]}" "${slim_tags[@]}"
+            printf "%s\n" "${tags[@]}"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+          {
+            echo "slim<<EOF"
+            printf "%s\n" "${slim_tags[@]}"
             echo "EOF"
           } >> "$GITHUB_OUTPUT"
 
@@ -252,12 +276,25 @@ jobs:
           platforms: linux/arm64
           cache-from: type=gha,scope=docker-release-arm64
           cache-to: type=gha,mode=max,scope=docker-release-arm64
-          build-args: |
-            OPENCLAW_EXTENSIONS=diagnostics-otel
           tags: ${{ steps.tags.outputs.value }}
           labels: ${{ steps.labels.outputs.value }}
-          sbom: true
-          provenance: mode=max
+          provenance: false
+          push: true
+
+      - name: Build and push arm64 slim image
+        id: build-slim
+        # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY.
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        with:
+          context: .
+          platforms: linux/arm64
+          cache-from: type=gha,scope=docker-release-arm64
+          cache-to: type=gha,mode=max,scope=docker-release-arm64
+          build-args: |
+            OPENCLAW_VARIANT=slim
+          tags: ${{ steps.tags.outputs.slim }}
+          labels: ${{ steps.labels.outputs.value }}
+          provenance: false
           push: true
 
   # Create multi-platform manifests
@@ -314,11 +351,16 @@ jobs:
           fi
           {
             echo "value<<EOF"
-            printf "%s\n" "${tags[@]}" "${slim_tags[@]}"
+            printf "%s\n" "${tags[@]}"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+          {
+            echo "slim<<EOF"
+            printf "%s\n" "${slim_tags[@]}"
             echo "EOF"
           } >> "$GITHUB_OUTPUT"
 
-      - name: Create and push manifest
+      - name: Create and push default manifest
         shell: bash
         env:
           TAGS: ${{ steps.tags.outputs.value }}
@@ -336,94 +378,20 @@ jobs:
             "${AMD64_DIGEST}" \
             "${ARM64_DIGEST}"
 
-  verify-attestations:
-    needs: [create-manifest]
-    if: ${{ always() && needs.create-manifest.result == 'success' }}
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-      packages: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 1
-
-      - name: Set up Docker Builder
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Resolve image refs
-        id: refs
+      - name: Create and push slim manifest
         shell: bash
         env:
-          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          SOURCE_REF: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
-          IS_MANUAL_BACKFILL: ${{ github.event_name == 'workflow_dispatch' && '1' || '0' }}
+          SLIM_TAGS: ${{ steps.tags.outputs.slim }}
+          AMD64_SLIM_DIGEST: ${{ needs.build-amd64.outputs.slim-digest }}
+          ARM64_SLIM_DIGEST: ${{ needs.build-arm64.outputs.slim-digest }}
         run: |
           set -euo pipefail
-          multi_refs=()
-          slim_multi_refs=()
-          amd64_refs=()
-          arm64_refs=()
-          if [[ "${SOURCE_REF}" == "refs/heads/main" ]]; then
-            multi_refs+=("${IMAGE}:main")
-            slim_multi_refs+=("${IMAGE}:main-slim")
-            amd64_refs+=("${IMAGE}:main-amd64" "${IMAGE}:main-slim-amd64")
-            arm64_refs+=("${IMAGE}:main-arm64" "${IMAGE}:main-slim-arm64")
-          fi
-          if [[ "${SOURCE_REF}" == refs/tags/v* ]]; then
-            version="${SOURCE_REF#refs/tags/v}"
-            multi_refs+=("${IMAGE}:${version}")
-            slim_multi_refs+=("${IMAGE}:${version}-slim")
-            amd64_refs+=("${IMAGE}:${version}-amd64" "${IMAGE}:${version}-slim-amd64")
-            arm64_refs+=("${IMAGE}:${version}-arm64" "${IMAGE}:${version}-slim-arm64")
-            if [[ "${IS_MANUAL_BACKFILL}" != "1" && "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?$ ]]; then
-              multi_refs+=("${IMAGE}:latest")
-              slim_multi_refs+=("${IMAGE}:slim")
-            fi
-          fi
-          if [[ ${#multi_refs[@]} -eq 0 || ${#amd64_refs[@]} -eq 0 || ${#arm64_refs[@]} -eq 0 ]]; then
-            echo "::error::No Docker image refs resolved for ref ${SOURCE_REF}"
-            exit 1
-          fi
-          {
-            echo "multi<<EOF"
-            printf "%s\n" "${multi_refs[@]}" "${slim_multi_refs[@]}"
-            echo "EOF"
-            echo "amd64<<EOF"
-            printf "%s\n" "${amd64_refs[@]}"
-            echo "EOF"
-            echo "arm64<<EOF"
-            printf "%s\n" "${arm64_refs[@]}"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Verify Docker attestations
-        shell: bash
-        env:
-          MULTI_REFS: ${{ steps.refs.outputs.multi }}
-          AMD64_REFS: ${{ steps.refs.outputs.amd64 }}
-          ARM64_REFS: ${{ steps.refs.outputs.arm64 }}
-        run: |
-          set -euo pipefail
-          mapfile -t multi_refs <<< "${MULTI_REFS}"
-          mapfile -t amd64_refs <<< "${AMD64_REFS}"
-          mapfile -t arm64_refs <<< "${ARM64_REFS}"
-
-          node scripts/verify-docker-attestations.mjs \
-            --platform linux/amd64 \
-            --platform linux/arm64 \
-            "${multi_refs[@]}"
-          node scripts/verify-docker-attestations.mjs \
-            --platform linux/amd64 \
-            "${amd64_refs[@]}"
-          node scripts/verify-docker-attestations.mjs \
-            --platform linux/arm64 \
-            "${arm64_refs[@]}"
+          mapfile -t tags <<< "${SLIM_TAGS}"
+          args=()
+          for tag in "${tags[@]}"; do
+            [ -z "$tag" ] && continue
+            args+=("-t" "$tag")
+          done
+          docker buildx imagetools create "${args[@]}" \
+            "${AMD64_SLIM_DIGEST}" \
+            "${ARM64_SLIM_DIGEST}"

.github/workflows/docs-agent.yml

@@ -1,251 +0,0 @@
-name: Docs Agent
-
-on:
-  workflow_run: # zizmor: ignore[dangerous-triggers] main-only docs repair after trusted CI; job gates repository, event, branch, actor, conclusion, exact current main SHA, and hourly cadence before using write token
-    workflows:
-      - CI
-    types:
-      - completed
-  workflow_dispatch:
-
-permissions:
-  actions: read
-  contents: write
-
-concurrency:
-  group: docs-agent-main
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-jobs:
-  update-docs:
-    if: >
-      github.repository == 'openclaw/openclaw' &&
-      github.actor != 'github-actions[bot]' &&
-      (github.event_name != 'workflow_run' ||
-        (github.event.workflow_run.conclusion == 'success' &&
-          github.event.workflow_run.event == 'push' &&
-          github.event.workflow_run.head_branch == 'main' &&
-          github.event.workflow_run.actor.login != 'github-actions[bot]'))
-    runs-on: ubuntu-24.04
-    timeout-minutes: 30
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: main
-          fetch-depth: 0
-          persist-credentials: false
-          submodules: false
-
-      - name: Gate trusted main activity and hourly cadence
-        id: gate
-        env:
-          EVENT_NAME: ${{ github.event_name }}
-          GH_TOKEN: ${{ github.token }}
-          WORKFLOW_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
-        run: |
-          set -euo pipefail
-
-          if [ "$EVENT_NAME" != "workflow_run" ]; then
-            head_sha="$(git rev-parse HEAD)"
-            review_base="$(git rev-parse "${head_sha}^" 2>/dev/null || printf '%s' "$head_sha")"
-            {
-              echo "run_agent=true"
-              echo "base_sha=${head_sha}"
-              echo "review_base_sha=${review_base}"
-              echo "review_head_sha=${head_sha}"
-            } >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          for attempt in 1 2 3 4 5; do
-            if git fetch --no-tags origin main; then
-              break
-            fi
-            if [ "$attempt" = "5" ]; then
-              echo "Failed to fetch main after retries." >&2
-              exit 1
-            fi
-            echo "Fetch attempt ${attempt} failed; retrying."
-            sleep $((attempt * 2))
-          done
-          remote_main="$(git rev-parse origin/main)"
-          if [ "$remote_main" != "$WORKFLOW_HEAD_SHA" ]; then
-            echo "CI run is superseded by ${remote_main}; skipping docs agent for ${WORKFLOW_HEAD_SHA}."
-            echo "run_agent=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          runs_json="$RUNNER_TEMP/docs-agent-runs.json"
-          gh api --method GET "repos/${GITHUB_REPOSITORY}/actions/workflows/docs-agent.yml/runs" \
-            -f branch=main \
-            -f event=workflow_run \
-            -f per_page=100 > "$runs_json"
-
-          one_hour_ago="$(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%SZ)"
-          recent_runs="$(
-            jq -r \
-              --argjson current_run_id "$GITHUB_RUN_ID" \
-              --arg one_hour_ago "$one_hour_ago" \
-              '.workflow_runs[]
-                | select(.database_id != $current_run_id)
-                | select(.created_at >= $one_hour_ago)
-                | select(.status != "cancelled")
-                | select((.conclusion // "") != "skipped")
-                | [.database_id, .status, (.conclusion // ""), .created_at, .head_sha]
-                | @tsv' "$runs_json"
-          )"
-
-          if [ -n "$recent_runs" ]; then
-            echo "Docs agent already ran or is running within the last hour; skipping."
-            printf '%s\n' "$recent_runs"
-            echo "run_agent=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          review_base="$(
-            jq -r \
-              --argjson current_run_id "$GITHUB_RUN_ID" \
-              --arg remote_main "$remote_main" \
-              '.workflow_runs[]
-                | select(.database_id != $current_run_id)
-                | select(.status != "cancelled")
-                | select((.conclusion // "") != "skipped")
-                | .head_sha
-                | select(. != null and . != "")
-                | select(. != $remote_main)
-              ' "$runs_json" | head -n 1
-          )"
-          if [ -z "$review_base" ] || ! git cat-file -e "${review_base}^{commit}" 2>/dev/null; then
-            review_base="$(git rev-parse "${remote_main}^" 2>/dev/null || printf '%s' "$remote_main")"
-          fi
-
-          {
-            echo "run_agent=true"
-            echo "base_sha=${remote_main}"
-            echo "review_base_sha=${review_base}"
-            echo "review_head_sha=${remote_main}"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Setup Node environment
-        if: steps.gate.outputs.run_agent == 'true'
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Ensure docs agent key exists
-        if: steps.gate.outputs.run_agent == 'true'
-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENCLAW_DOCS_AGENT_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
-        run: |
-          set -euo pipefail
-          if [ -z "${OPENAI_API_KEY:-}" ]; then
-            echo "Missing OPENCLAW_DOCS_AGENT_OPENAI_API_KEY or OPENAI_API_KEY secret." >&2
-            exit 1
-          fi
-
-      - name: Run Codex docs agent
-        if: steps.gate.outputs.run_agent == 'true'
-        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02
-        env:
-          DOCS_AGENT_BASE_SHA: ${{ steps.gate.outputs.review_base_sha }}
-          DOCS_AGENT_HEAD_SHA: ${{ steps.gate.outputs.review_head_sha }}
-        with:
-          openai-api-key: ${{ secrets.OPENCLAW_DOCS_AGENT_OPENAI_API_KEY || secrets.OPENAI_API_KEY }}
-          prompt-file: .github/codex/prompts/docs-agent.md
-          model: ${{ vars.OPENCLAW_CI_OPENAI_MODEL_BARE }}
-          effort: medium
-          sandbox: workspace-write
-          safety-strategy: drop-sudo
-          codex-args: '["--full-auto"]'
-
-      - name: Enforce existing-docs-only patch
-        if: steps.gate.outputs.run_agent == 'true'
-        run: |
-          set -euo pipefail
-
-          untracked="$(git ls-files --others --exclude-standard)"
-          if [ -n "$untracked" ]; then
-            echo "Docs agent created untracked files; forbidden:"
-            printf '%s\n' "$untracked"
-            exit 1
-          fi
-
-          added_or_deleted="$(git diff --name-status --diff-filter=AD)"
-          if [ -n "$added_or_deleted" ]; then
-            echo "Docs agent added or deleted tracked files; forbidden:"
-            printf '%s\n' "$added_or_deleted"
-            exit 1
-          fi
-
-          bad_paths="$(
-            git diff --name-only | while IFS= read -r path; do
-              case "$path" in
-                docs/*|README.md|CHANGELOG.md) ;;
-                *) printf '%s\n' "$path" ;;
-              esac
-            done
-          )"
-          if [ -n "$bad_paths" ]; then
-            echo "Docs agent touched non-doc paths; forbidden:"
-            printf '%s\n' "$bad_paths"
-            exit 1
-          fi
-
-      - name: Restore Node 24 path
-        if: steps.gate.outputs.run_agent == 'true'
-        run:
-          | # zizmor: ignore[github-env] NODE_BIN is set by the trusted local setup-node-env action in this same job
-          set -euo pipefail
-          export PATH="${NODE_BIN}:${PATH}"
-          echo "${NODE_BIN}" >> "$GITHUB_PATH"
-          node -v
-          corepack enable
-          pnpm -v
-
-      - name: Check docs
-        if: steps.gate.outputs.run_agent == 'true'
-        run: pnpm check:docs
-
-      - name: Commit docs updates
-        if: steps.gate.outputs.run_agent == 'true'
-        env:
-          BASE_SHA: ${{ steps.gate.outputs.base_sha }}
-          GITHUB_TOKEN: ${{ github.token }}
-          TARGET_BRANCH: main
-        run: |
-          set -euo pipefail
-
-          if git diff --quiet; then
-            echo "No docs changes."
-            exit 0
-          fi
-
-          git config user.name "openclaw-docs-agent[bot]"
-          git config user.email "openclaw-docs-agent[bot]@users.noreply.github.com"
-          git add docs README.md CHANGELOG.md
-          git commit --no-verify -m "docs: refresh documentation"
-
-          for attempt in 1 2 3 4 5; do
-            if ! git fetch --no-tags origin "${TARGET_BRANCH}"; then
-              echo "Fetch attempt ${attempt} failed; retrying."
-              sleep $((attempt * 2))
-              continue
-            fi
-            if git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" HEAD:"${TARGET_BRANCH}"; then
-              exit 0
-            fi
-            remote_main="$(git rev-parse "origin/${TARGET_BRANCH}")"
-            if [ "$remote_main" != "$BASE_SHA" ]; then
-              echo "main advanced from ${BASE_SHA} to ${remote_main}; skipping stale docs update."
-              exit 0
-            fi
-            echo "Docs update attempt ${attempt} failed; retrying."
-            sleep $((attempt * 2))
-          done
-
-          echo "Failed to push docs updates after retries." >&2
-          exit 1

.github/workflows/docs-sync-publish.yml

@@ -22,15 +22,6 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Checkout ClawHub docs source
-        uses: actions/checkout@v6
-        with:
-          repository: openclaw/clawhub
-          path: clawhub-source
-          fetch-depth: 1
-          persist-credentials: false
-          token: ${{ secrets.OPENCLAW_DOCS_SYNC_TOKEN || github.token }}
-
       - name: Setup Node
         uses: actions/setup-node@v6
         with:
@@ -41,82 +32,37 @@ jobs:
           OPENCLAW_DOCS_SYNC_TOKEN: ${{ secrets.OPENCLAW_DOCS_SYNC_TOKEN }}
         run: |
           set -euo pipefail
-          for attempt in 1 2 3 4 5; do
-            rm -rf publish
-            if git clone \
-              "https://x-access-token:${OPENCLAW_DOCS_SYNC_TOKEN}@github.com/openclaw/docs.git" \
-              publish; then
-              exit 0
-            fi
-            echo "Clone attempt ${attempt} failed; retrying."
-            sleep $((attempt * 2))
-          done
-
-          echo "Failed to clone publish repo after retries." >&2
-          exit 1
+          git clone \
+            "https://x-access-token:${OPENCLAW_DOCS_SYNC_TOKEN}@github.com/openclaw/docs.git" \
+            publish
 
       - name: Sync docs into publish repo
         run: |
-          clawhub_sha="$(git -C "$GITHUB_WORKSPACE/clawhub-source" rev-parse HEAD)"
           node scripts/docs-sync-publish.mjs \
             --target "$GITHUB_WORKSPACE/publish" \
             --source-repo "$GITHUB_REPOSITORY" \
-            --source-sha "$GITHUB_SHA" \
-            --clawhub-repo "$GITHUB_WORKSPACE/clawhub-source" \
-            --clawhub-source-repo "openclaw/clawhub" \
-            --clawhub-source-sha "$clawhub_sha"
-
-      - name: Install docs MDX checker dependency
-        working-directory: publish
-        run: npm install --no-save --package-lock=false @mdx-js/mdx@3.1.1
-
-      - name: Check publish docs MDX
-        run: node "$GITHUB_WORKSPACE/publish/.openclaw-sync/check-docs-mdx.mjs" "$GITHUB_WORKSPACE/publish/docs"
+            --source-sha "$GITHUB_SHA"
 
       - name: Commit publish repo sync
         working-directory: publish
         run: |
           set -euo pipefail
-          remote_source_sha() {
-            git show refs/remotes/origin/main:.openclaw-sync/source.json 2>/dev/null \
-              | node -e 'const fs = require("node:fs"); try { const data = JSON.parse(fs.readFileSync(0, "utf8")); if (data.sha) process.stdout.write(data.sha); } catch {}' \
-              || true
-          }
-
-          skip_stale_source() {
-            current_source_sha="$(remote_source_sha)"
-            if [ -z "$current_source_sha" ] || [ "$current_source_sha" = "$GITHUB_SHA" ]; then
-              return
-            fi
-
-            if git -C "$GITHUB_WORKSPACE" merge-base --is-ancestor "$GITHUB_SHA" "$current_source_sha"; then
-              echo "Skipping stale publish sync for $GITHUB_SHA; origin/main already mirrors $current_source_sha."
-              exit 0
-            fi
-          }
-
           if git diff --quiet -- docs .openclaw-sync; then
             echo "No publish-repo changes."
             exit 0
           fi
 
-          if git fetch origin main:refs/remotes/origin/main; then
-            skip_stale_source
-          fi
-
           git config user.name "openclaw-docs-sync[bot]"
           git config user.email "openclaw-docs-sync[bot]@users.noreply.github.com"
           git add docs .openclaw-sync
           git commit -m "chore(sync): mirror docs from $GITHUB_REPOSITORY@$GITHUB_SHA"
           for attempt in 1 2 3 4 5; do
-            if git fetch origin main:refs/remotes/origin/main; then
-              skip_stale_source
-              if git rebase -X theirs origin/main && git push origin HEAD:main; then
-                exit 0
-              fi
+            git fetch origin main
+            git rebase origin/main
+            if git push origin HEAD:main; then
+              exit 0
             fi
-            git rebase --abort >/dev/null 2>&1 || true
-            echo "Publish sync attempt ${attempt} failed; retrying."
+            echo "Push attempt ${attempt} failed; retrying."
             sleep $((attempt * 2))
           done
 

.github/workflows/docs-translate-trigger-release.yml

@@ -1,4 +1,4 @@
-name: Docs Trigger Translations On Release
+name: Docs Trigger Locale Translate On Release
 
 on:
   release:
@@ -12,16 +12,31 @@ jobs:
   dispatch-translate:
     runs-on: ubuntu-latest
     steps:
-      - name: Trigger translation coordinator in publish repo
+      - name: Trigger locale translates in publish repo
         env:
           GH_TOKEN: ${{ secrets.OPENCLAW_DOCS_SYNC_TOKEN }}
           RELEASE_TAG: ${{ github.event.release.tag_name }}
         run: |
           set -euo pipefail
-          gh api repos/openclaw/docs/dispatches \
-            --method POST \
-            -f event_type="translate-all-release" \
-            -f client_payload[mode]="incremental" \
-            -f client_payload[release_tag]="${RELEASE_TAG}" \
-            -f client_payload[source_repository]="${GITHUB_REPOSITORY}" \
-            -f client_payload[source_sha]="${GITHUB_SHA}"
+          for event_type in \
+            translate-zh-cn-release \
+            translate-ja-jp-release \
+            translate-es-release \
+            translate-pt-br-release \
+            translate-ko-release \
+            translate-de-release \
+            translate-fr-release \
+            translate-ar-release \
+            translate-it-release \
+            translate-tr-release \
+            translate-uk-release \
+            translate-id-release \
+            translate-pl-release
+          do
+            gh api repos/openclaw/docs/dispatches \
+              --method POST \
+              -f event_type="${event_type}" \
+              -f client_payload[release_tag]="${RELEASE_TAG}" \
+              -f client_payload[source_repository]="${GITHUB_REPOSITORY}" \
+              -f client_payload[source_sha]="${GITHUB_SHA}"
+          done

.github/workflows/docs.yml

@@ -1,39 +0,0 @@
-name: Docs
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - "**/*.md"
-      - "docs/**"
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ format('{0}-{1}', github.workflow, github.ref) }}
-  cancel-in-progress: true
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-jobs:
-  docs:
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 1
-          fetch-tags: false
-          persist-credentials: false
-          submodules: false
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Check docs
-        run: pnpm check:docs

.github/workflows/duplicate-after-merge.yml

@@ -1,59 +0,0 @@
-name: Duplicate PRs After Merge
-
-on:
-  workflow_dispatch:
-    inputs:
-      landed_pr:
-        description: "Merged PR number that supersedes the duplicates"
-        required: true
-        type: string
-      duplicate_prs:
-        description: "Comma or whitespace separated duplicate PR numbers to close"
-        required: true
-        type: string
-      apply:
-        description: "When true, label/comment/close; otherwise dry-run only"
-        required: true
-        type: boolean
-        default: false
-
-permissions:
-  contents: read
-  issues: write
-  pull-requests: write
-
-concurrency:
-  group: duplicate-after-merge-${{ github.event.inputs.landed_pr }}
-  cancel-in-progress: false
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  GH_TOKEN: ${{ github.token }}
-
-jobs:
-  close-duplicates:
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Close confirmed duplicates
-        env:
-          APPLY: ${{ inputs.apply }}
-          DUPLICATE_PRS: ${{ inputs.duplicate_prs }}
-          LANDED_PR: ${{ inputs.landed_pr }}
-          REPO: ${{ github.repository }}
-        run: |
-          set -euo pipefail
-
-          args=(
-            --repo "$REPO"
-            --landed-pr "$LANDED_PR"
-            --duplicates "$DUPLICATE_PRS"
-          )
-
-          if [[ "$APPLY" == "true" ]]; then
-            args+=(--apply)
-          fi
-
-          node scripts/close-duplicate-prs-after-merge.mjs "${args[@]}"

.github/workflows/full-release-validation.yml

@@ -1,951 +0,0 @@
-name: Full Release Validation
-
-on:
-  workflow_dispatch:
-    inputs:
-      ref:
-        description: Branch, tag, or full commit SHA to validate
-        required: true
-        default: main
-        type: string
-      provider:
-        description: Provider lane for cross-OS onboarding and the end-to-end agent turn
-        required: false
-        default: openai
-        type: choice
-        options:
-          - openai
-          - anthropic
-          - minimax
-      mode:
-        description: Which cross-OS release lanes to run
-        required: false
-        default: both
-        type: choice
-        options:
-          - fresh
-          - upgrade
-          - both
-      release_profile:
-        description: Release coverage profile for live/Docker/provider breadth
-        required: false
-        default: stable
-        type: choice
-        options:
-          - beta
-          - stable
-          - full
-      run_release_soak:
-        description: Run exhaustive live/Docker and upgrade-survivor soak lanes; forced on for release_profile=full
-        required: false
-        default: false
-        type: boolean
-      rerun_group:
-        description: Validation group to run
-        required: false
-        default: all
-        type: choice
-        options:
-          - all
-          - ci
-          - plugin-prerelease
-          - release-checks
-          - install-smoke
-          - cross-os
-          - live-e2e
-          - package
-          - qa
-          - qa-parity
-          - qa-live
-          - npm-telegram
-      live_suite_filter:
-        description: Optional exact live/E2E suite id, or comma-separated QA live lanes such as qa-live-matrix,qa-live-telegram; blank runs all selected live suites
-        required: false
-        default: ""
-        type: string
-      cross_os_suite_filter:
-        description: Optional focused cross-OS suite filter, e.g. windows/packaged-upgrade or packaged-fresh
-        required: false
-        default: ""
-        type: string
-      npm_telegram_package_spec:
-        description: Optional published package spec for the package Telegram E2E lane
-        required: false
-        default: ""
-        type: string
-      evidence_package_spec:
-        description: Optional published package spec to prove in the private release evidence report
-        required: false
-        default: ""
-        type: string
-      package_acceptance_package_spec:
-        description: Optional published package spec for Package Acceptance; blank uses the SHA-built release artifact
-        required: false
-        default: ""
-        type: string
-      npm_telegram_provider_mode:
-        description: Provider mode for the package Telegram E2E lane
-        required: false
-        default: mock-openai
-        type: choice
-        options:
-          - mock-openai
-          - live-frontier
-      npm_telegram_scenario:
-        description: Optional comma-separated Telegram scenario ids for the package Telegram lane
-        required: false
-        default: ""
-        type: string
-
-permissions:
-  actions: write
-  contents: read
-
-concurrency:
-  group: full-release-validation-${{ inputs.ref }}-${{ inputs.rerun_group }}
-  cancel-in-progress: ${{ inputs.ref == 'main' && inputs.rerun_group == 'all' }}
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-  GH_REPO: ${{ github.repository }}
-  NODE_VERSION: "24.x"
-  PNPM_VERSION: "10.32.1"
-
-jobs:
-  resolve_target:
-    name: Resolve target ref
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10
-    outputs:
-      sha: ${{ steps.resolve.outputs.sha }}
-    steps:
-      - name: Checkout trusted workflow helper
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ github.ref_name }}
-          path: workflow
-          fetch-depth: 1
-          persist-credentials: false
-          submodules: false
-
-      - name: Resolve target SHA
-        id: resolve
-        env:
-          TARGET_REF: ${{ inputs.ref }}
-        run: |
-          bash workflow/scripts/github/resolve-openclaw-ref.sh \
-            --ref "$TARGET_REF" \
-            --github-output "$GITHUB_OUTPUT"
-
-      - name: Summarize target
-        env:
-          TARGET_REF: ${{ inputs.ref }}
-          TARGET_SHA: ${{ steps.resolve.outputs.sha }}
-          CHILD_WORKFLOW_REF: ${{ github.ref_name }}
-          NPM_TELEGRAM_PACKAGE_SPEC: ${{ inputs.npm_telegram_package_spec }}
-          EVIDENCE_PACKAGE_SPEC: ${{ inputs.evidence_package_spec }}
-          PACKAGE_ACCEPTANCE_PACKAGE_SPEC: ${{ inputs.package_acceptance_package_spec }}
-          RELEASE_PROFILE: ${{ inputs.release_profile }}
-          RUN_RELEASE_SOAK: ${{ inputs.run_release_soak || inputs.release_profile == 'full' }}
-          RERUN_GROUP: ${{ inputs.rerun_group }}
-          LIVE_SUITE_FILTER: ${{ inputs.live_suite_filter }}
-          CROSS_OS_SUITE_FILTER: ${{ inputs.cross_os_suite_filter }}
-        run: |
-          {
-            echo "## Full release validation"
-            echo
-            echo "- Target ref: \`${TARGET_REF}\`"
-            echo "- Target SHA: \`${TARGET_SHA}\`"
-            echo "- Child workflow ref: \`${CHILD_WORKFLOW_REF}\`"
-            echo "- Release soak lanes: \`${RUN_RELEASE_SOAK}\`"
-            echo "- Rerun group: \`${RERUN_GROUP}\`"
-            if [[ -n "${LIVE_SUITE_FILTER// }" ]]; then
-              echo "- Live suite filter: \`${LIVE_SUITE_FILTER}\`"
-            fi
-            if [[ -n "${CROSS_OS_SUITE_FILTER// }" ]]; then
-              echo "- Cross-OS suite filter: \`${CROSS_OS_SUITE_FILTER}\`"
-            fi
-            if [[ "$RERUN_GROUP" == "all" || "$RERUN_GROUP" == "ci" ]]; then
-              echo "- Normal CI: \`CI\` with \`target_ref=${TARGET_SHA}\`"
-            else
-              echo "- Normal CI: skipped by rerun group"
-            fi
-            if [[ "$RERUN_GROUP" == "all" || "$RERUN_GROUP" == "plugin-prerelease" ]]; then
-              echo "- Plugin prerelease: \`Plugin Prerelease\` with \`target_ref=${TARGET_SHA}\`"
-            else
-              echo "- Plugin prerelease: skipped by rerun group"
-            fi
-            if [[ "$RERUN_GROUP" == "all" || "$RERUN_GROUP" == "release-checks" || "$RERUN_GROUP" == "install-smoke" || "$RERUN_GROUP" == "cross-os" || "$RERUN_GROUP" == "live-e2e" || "$RERUN_GROUP" == "package" || "$RERUN_GROUP" == "qa" || "$RERUN_GROUP" == "qa-parity" || "$RERUN_GROUP" == "qa-live" ]]; then
-              echo "- Release/live/Docker/package/QA: \`OpenClaw Release Checks\`"
-            else
-              echo "- Release/live/Docker/package/QA: skipped by rerun group"
-            fi
-            if [[ -n "${NPM_TELEGRAM_PACKAGE_SPEC// }" ]]; then
-              echo "- Published-package Telegram E2E: \`${NPM_TELEGRAM_PACKAGE_SPEC}\`"
-            elif [[ "$RERUN_GROUP" == "all" && "$RELEASE_PROFILE" == "full" ]]; then
-              echo "- Package Telegram E2E: parent \`release-package-under-test\` artifact"
-            else
-              echo "- Package Telegram E2E: skipped unless \`release_profile=full\` or \`npm_telegram_package_spec\` is provided"
-            fi
-            if [[ -n "${EVIDENCE_PACKAGE_SPEC// }" ]]; then
-              echo "- Private evidence package proof: \`${EVIDENCE_PACKAGE_SPEC}\`"
-            fi
-            if [[ -n "${PACKAGE_ACCEPTANCE_PACKAGE_SPEC// }" ]]; then
-              echo "- Package Acceptance package spec: \`${PACKAGE_ACCEPTANCE_PACKAGE_SPEC}\`"
-            else
-              echo "- Package Acceptance package spec: SHA-built release artifact"
-            fi
-          } >> "$GITHUB_STEP_SUMMARY"
-
-  normal_ci:
-    name: Run normal full CI
-    needs: [resolve_target]
-    if: contains(fromJSON('["all","ci"]'), inputs.rerun_group)
-    runs-on: ubuntu-24.04
-    timeout-minutes: ${{ inputs.release_profile == 'full' && 240 || 60 }}
-    outputs:
-      run_id: ${{ steps.dispatch.outputs.run_id }}
-      url: ${{ steps.dispatch.outputs.url }}
-      conclusion: ${{ steps.dispatch.outputs.conclusion }}
-    steps:
-      - name: Dispatch and monitor CI
-        id: dispatch
-        env:
-          GH_TOKEN: ${{ github.token }}
-          TARGET_REF: ${{ inputs.ref }}
-          TARGET_SHA: ${{ needs.resolve_target.outputs.sha }}
-          CHILD_WORKFLOW_REF: ${{ github.ref_name }}
-        run: |
-          set -euo pipefail
-
-          dispatch_and_wait() {
-            local workflow="$1"
-            shift
-
-            local before_json dispatch_output run_id status conclusion url poll_count
-            before_json="$(gh run list --workflow "$workflow" --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
-
-            dispatch_output="$(gh workflow run "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@" 2>&1)"
-            printf '%s\n' "$dispatch_output"
-            run_id="$(
-              printf '%s\n' "$dispatch_output" |
-                sed -nE 's#.*actions/runs/([0-9]+).*#\1#p' |
-                tail -n 1
-            )"
-
-            if [[ -z "$run_id" ]]; then
-              for _ in $(seq 1 60); do
-                run_id="$(
-                  BEFORE_IDS="$before_json" gh run list --workflow "$workflow" --event workflow_dispatch --limit 50 --json databaseId,createdAt \
-                    --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
-                )"
-                if [[ -n "$run_id" ]]; then
-                  break
-                fi
-                sleep 5
-              done
-            fi
-
-            if [[ -z "${run_id:-}" ]]; then
-              echo "Could not find dispatched run for ${workflow}." >&2
-              exit 1
-            fi
-
-            echo "Dispatched ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
-            echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
-
-            cancel_child() {
-              if [[ -n "${run_id:-}" ]]; then
-                echo "Cancelling child workflow ${workflow}: ${run_id}" >&2
-                gh run cancel "$run_id" >/dev/null 2>&1 || true
-              fi
-            }
-            trap cancel_child EXIT INT TERM
-
-            poll_count=0
-            while true; do
-              status="$(gh run view "$run_id" --json status --jq '.status')"
-              if [[ "$status" == "completed" ]]; then
-                break
-              fi
-              poll_count=$((poll_count + 1))
-              if (( poll_count % 10 == 0 )); then
-                echo "Still waiting on ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
-                gh run view "$run_id" --json jobs --jq '.jobs[] | select(.status != "completed") | {name, status, url}' || true
-              fi
-              sleep 30
-            done
-            trap - EXIT INT TERM
-
-            conclusion="$(gh run view "$run_id" --json conclusion --jq '.conclusion')"
-            url="$(gh run view "$run_id" --json url --jq '.url')"
-            echo "${workflow} finished with ${conclusion}: ${url}"
-            echo "url=${url}" >> "$GITHUB_OUTPUT"
-            echo "conclusion=${conclusion}" >> "$GITHUB_OUTPUT"
-            if [[ "$conclusion" != "success" ]]; then
-              gh run view "$run_id" --json jobs --jq '.jobs[] | select(.conclusion != "success" and .conclusion != "skipped") | {name, conclusion, url}' || true
-            fi
-          }
-
-          {
-            echo "### Normal CI"
-            echo
-            echo "- Target ref: \`${TARGET_REF}\`"
-            echo "- Target SHA: \`${TARGET_SHA}\`"
-          } >> "$GITHUB_STEP_SUMMARY"
-
-          dispatch_and_wait ci.yml -f target_ref="$TARGET_SHA" -f include_android=true
-
-  plugin_prerelease:
-    name: Run plugin prerelease validation
-    needs: [resolve_target]
-    if: contains(fromJSON('["all","plugin-prerelease"]'), inputs.rerun_group)
-    runs-on: ubuntu-24.04
-    timeout-minutes: ${{ inputs.release_profile == 'full' && 300 || 60 }}
-    outputs:
-      run_id: ${{ steps.dispatch.outputs.run_id }}
-      url: ${{ steps.dispatch.outputs.url }}
-      conclusion: ${{ steps.dispatch.outputs.conclusion }}
-    steps:
-      - name: Dispatch and monitor plugin prerelease
-        id: dispatch
-        env:
-          GH_TOKEN: ${{ github.token }}
-          TARGET_REF: ${{ inputs.ref }}
-          TARGET_SHA: ${{ needs.resolve_target.outputs.sha }}
-          CHILD_WORKFLOW_REF: ${{ github.ref_name }}
-        run: |
-          set -euo pipefail
-
-          dispatch_and_wait() {
-            local workflow="$1"
-            shift
-
-            local before_json dispatch_output run_id status conclusion url poll_count
-            before_json="$(gh run list --workflow "$workflow" --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
-
-            dispatch_output="$(gh workflow run "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@" 2>&1)"
-            printf '%s\n' "$dispatch_output"
-            run_id="$(
-              printf '%s\n' "$dispatch_output" |
-                sed -nE 's#.*actions/runs/([0-9]+).*#\1#p' |
-                tail -n 1
-            )"
-
-            if [[ -z "$run_id" ]]; then
-              for _ in $(seq 1 60); do
-                run_id="$(
-                  BEFORE_IDS="$before_json" gh run list --workflow "$workflow" --event workflow_dispatch --limit 50 --json databaseId,createdAt \
-                    --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
-                )"
-                if [[ -n "$run_id" ]]; then
-                  break
-                fi
-                sleep 5
-              done
-            fi
-
-            if [[ -z "${run_id:-}" ]]; then
-              echo "Could not find dispatched run for ${workflow}." >&2
-              exit 1
-            fi
-
-            echo "Dispatched ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
-            echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
-
-            cancel_child() {
-              if [[ -n "${run_id:-}" ]]; then
-                echo "Cancelling child workflow ${workflow}: ${run_id}" >&2
-                gh run cancel "$run_id" >/dev/null 2>&1 || true
-              fi
-            }
-            trap cancel_child EXIT INT TERM
-
-            poll_count=0
-            while true; do
-              status="$(gh run view "$run_id" --json status --jq '.status')"
-              if [[ "$status" == "completed" ]]; then
-                break
-              fi
-              poll_count=$((poll_count + 1))
-              if (( poll_count % 10 == 0 )); then
-                echo "Still waiting on ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
-                gh run view "$run_id" --json jobs --jq '.jobs[] | select(.status != "completed") | {name, status, url}' || true
-              fi
-              sleep 30
-            done
-            trap - EXIT INT TERM
-
-            conclusion="$(gh run view "$run_id" --json conclusion --jq '.conclusion')"
-            url="$(gh run view "$run_id" --json url --jq '.url')"
-            echo "${workflow} finished with ${conclusion}: ${url}"
-            echo "url=${url}" >> "$GITHUB_OUTPUT"
-            echo "conclusion=${conclusion}" >> "$GITHUB_OUTPUT"
-            if [[ "$conclusion" != "success" ]]; then
-              gh run view "$run_id" --json jobs --jq '.jobs[] | select(.conclusion != "success" and .conclusion != "skipped") | {name, conclusion, url}' || true
-            fi
-          }
-
-          {
-            echo "### Plugin prerelease"
-            echo
-            echo "- Target ref: \`${TARGET_REF}\`"
-            echo "- Target SHA: \`${TARGET_SHA}\`"
-          } >> "$GITHUB_STEP_SUMMARY"
-
-          dispatch_and_wait plugin-prerelease.yml -f target_ref="$TARGET_SHA" -f expected_sha="$TARGET_SHA" -f full_release_validation=true
-
-  release_checks:
-    name: Run release/live/Docker/QA validation
-    needs: [resolve_target]
-    if: contains(fromJSON('["all","release-checks","install-smoke","cross-os","live-e2e","package","qa","qa-parity","qa-live"]'), inputs.rerun_group)
-    runs-on: ubuntu-24.04
-    timeout-minutes: ${{ inputs.release_profile == 'full' && 720 || 60 }}
-    outputs:
-      run_id: ${{ steps.dispatch.outputs.run_id }}
-      url: ${{ steps.dispatch.outputs.url }}
-      conclusion: ${{ steps.dispatch.outputs.conclusion }}
-    steps:
-      - name: Dispatch and monitor release checks
-        id: dispatch
-        env:
-          GH_TOKEN: ${{ github.token }}
-          TARGET_REF: ${{ inputs.ref }}
-          TARGET_SHA: ${{ needs.resolve_target.outputs.sha }}
-          CHILD_WORKFLOW_REF: ${{ github.ref_name }}
-          PROVIDER: ${{ inputs.provider }}
-          MODE: ${{ inputs.mode }}
-          RELEASE_PROFILE: ${{ inputs.release_profile }}
-          RUN_RELEASE_SOAK: ${{ inputs.run_release_soak || inputs.release_profile == 'full' }}
-          RERUN_GROUP: ${{ inputs.rerun_group }}
-          LIVE_SUITE_FILTER: ${{ inputs.live_suite_filter }}
-          CROSS_OS_SUITE_FILTER: ${{ inputs.cross_os_suite_filter }}
-          PACKAGE_ACCEPTANCE_PACKAGE_SPEC: ${{ inputs.package_acceptance_package_spec }}
-        run: |
-          set -euo pipefail
-
-          dispatch_and_wait() {
-            local workflow="$1"
-            shift
-
-            local before_json dispatch_output run_id status conclusion url poll_count
-            before_json="$(gh run list --workflow "$workflow" --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
-
-            dispatch_output="$(gh workflow run "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@" 2>&1)"
-            printf '%s\n' "$dispatch_output"
-            run_id="$(
-              printf '%s\n' "$dispatch_output" |
-                sed -nE 's#.*actions/runs/([0-9]+).*#\1#p' |
-                tail -n 1
-            )"
-
-            if [[ -z "$run_id" ]]; then
-              for _ in $(seq 1 60); do
-                run_id="$(
-                  BEFORE_IDS="$before_json" gh run list --workflow "$workflow" --event workflow_dispatch --limit 50 --json databaseId,createdAt \
-                    --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
-                )"
-                if [[ -n "$run_id" ]]; then
-                  break
-                fi
-                sleep 5
-              done
-            fi
-
-            if [[ -z "${run_id:-}" ]]; then
-              echo "Could not find dispatched run for ${workflow}." >&2
-              exit 1
-            fi
-
-            echo "Dispatched ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
-            echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
-
-            cancel_child() {
-              if [[ -n "${run_id:-}" ]]; then
-                echo "Cancelling child workflow ${workflow}: ${run_id}" >&2
-                gh run cancel "$run_id" >/dev/null 2>&1 || true
-              fi
-            }
-            trap cancel_child EXIT INT TERM
-
-            poll_count=0
-            while true; do
-              status="$(gh run view "$run_id" --json status --jq '.status')"
-              if [[ "$status" == "completed" ]]; then
-                break
-              fi
-              poll_count=$((poll_count + 1))
-              if (( poll_count % 10 == 0 )); then
-                echo "Still waiting on ${workflow}: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
-                gh run view "$run_id" --json jobs --jq '.jobs[] | select(.status != "completed") | {name, status, url}' || true
-              fi
-              sleep 30
-            done
-            trap - EXIT INT TERM
-
-            conclusion="$(gh run view "$run_id" --json conclusion --jq '.conclusion')"
-            url="$(gh run view "$run_id" --json url --jq '.url')"
-            echo "${workflow} finished with ${conclusion}: ${url}"
-            echo "url=${url}" >> "$GITHUB_OUTPUT"
-            echo "conclusion=${conclusion}" >> "$GITHUB_OUTPUT"
-            if [[ "$conclusion" != "success" ]]; then
-              gh run view "$run_id" --json jobs --jq '.jobs[] | select(.conclusion != "success" and .conclusion != "skipped") | {name, conclusion, url}' || true
-            fi
-          }
-
-          {
-            echo "### Release/live/Docker/QA validation"
-            echo
-            echo "- Target ref: \`${TARGET_REF}\`"
-            echo "- Target SHA: \`${TARGET_SHA}\`"
-            echo "- Provider: \`${PROVIDER}\`"
-            echo "- Cross-OS mode: \`${MODE}\`"
-            echo "- Release profile: \`${RELEASE_PROFILE}\`"
-            echo "- Release soak lanes: \`${RUN_RELEASE_SOAK}\`"
-            echo "- Rerun group: \`${RERUN_GROUP}\`"
-            if [[ -n "${LIVE_SUITE_FILTER// }" ]]; then
-              echo "- Live suite filter: \`${LIVE_SUITE_FILTER}\`"
-            fi
-            if [[ -n "${CROSS_OS_SUITE_FILTER// }" ]]; then
-              echo "- Cross-OS suite filter: \`${CROSS_OS_SUITE_FILTER}\`"
-            fi
-            if [[ -n "${PACKAGE_ACCEPTANCE_PACKAGE_SPEC// }" ]]; then
-              echo "- Package Acceptance package spec: \`${PACKAGE_ACCEPTANCE_PACKAGE_SPEC}\`"
-            fi
-          } >> "$GITHUB_STEP_SUMMARY"
-
-          child_rerun_group="$RERUN_GROUP"
-          if [[ "$child_rerun_group" == "release-checks" ]]; then
-            child_rerun_group=all
-          fi
-
-          args=(
-            -f ref="$TARGET_SHA"
-            -f expected_sha="$TARGET_SHA"
-            -f provider="$PROVIDER"
-            -f mode="$MODE"
-            -f release_profile="$RELEASE_PROFILE"
-            -f run_release_soak="$RUN_RELEASE_SOAK"
-            -f rerun_group="$child_rerun_group"
-          )
-          if [[ -n "${LIVE_SUITE_FILTER// }" ]]; then
-            args+=(-f live_suite_filter="$LIVE_SUITE_FILTER")
-          fi
-          if [[ -n "${CROSS_OS_SUITE_FILTER// }" ]]; then
-            args+=(-f cross_os_suite_filter="$CROSS_OS_SUITE_FILTER")
-          fi
-          if [[ -n "${PACKAGE_ACCEPTANCE_PACKAGE_SPEC// }" ]]; then
-            args+=(-f package_acceptance_package_spec="$PACKAGE_ACCEPTANCE_PACKAGE_SPEC")
-          fi
-
-          dispatch_and_wait openclaw-release-checks.yml "${args[@]}"
-
-  prepare_release_package:
-    name: Prepare release package artifact
-    needs: [resolve_target]
-    if: ${{ inputs.npm_telegram_package_spec == '' && inputs.rerun_group == 'all' && inputs.release_profile == 'full' }}
-    runs-on: ubuntu-24.04
-    timeout-minutes: 60
-    permissions:
-      contents: read
-      packages: write
-    outputs:
-      artifact_name: ${{ steps.artifact.outputs.name }}
-      package_sha256: ${{ steps.package.outputs.sha256 }}
-      package_version: ${{ steps.package.outputs.package_version }}
-      source_sha: ${{ steps.package.outputs.source_sha }}
-    steps:
-      - name: Checkout trusted workflow ref
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-          ref: ${{ github.ref_name }}
-          fetch-depth: 0
-
-      - name: Set artifact metadata
-        id: artifact
-        run: echo "name=release-package-under-test" >> "$GITHUB_OUTPUT"
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "true"
-          install-deps: "false"
-
-      - name: Resolve release package artifact
-        id: package
-        shell: bash
-        env:
-          PACKAGE_REF: ${{ needs.resolve_target.outputs.sha }}
-        run: |
-          set -euo pipefail
-          node scripts/resolve-openclaw-package-candidate.mjs \
-            --source ref \
-            --package-ref "$PACKAGE_REF" \
-            --output-dir .artifacts/docker-e2e-package \
-            --output-name openclaw-current.tgz \
-            --metadata .artifacts/docker-e2e-package/package-candidate.json \
-            --github-output "$GITHUB_OUTPUT"
-          digest="$(node -p "JSON.parse(require('fs').readFileSync('.artifacts/docker-e2e-package/package-candidate.json', 'utf8')).sha256")"
-          version="$(node -p "JSON.parse(require('fs').readFileSync('.artifacts/docker-e2e-package/package-candidate.json', 'utf8')).version")"
-          source_sha="$(node -p "JSON.parse(require('fs').readFileSync('.artifacts/docker-e2e-package/package-candidate.json', 'utf8')).packageSourceSha")"
-          echo "source_sha=$source_sha" >> "$GITHUB_OUTPUT"
-          {
-            echo "## Release package artifact"
-            echo
-            echo "- Artifact: \`release-package-under-test\`"
-            echo "- Package ref: \`$PACKAGE_REF\`"
-            echo "- SHA-256: \`$digest\`"
-            echo "- Version: \`$version\`"
-            echo "- Source SHA: \`$source_sha\`"
-          } >> "$GITHUB_STEP_SUMMARY"
-
-      - name: Upload release package artifact
-        uses: actions/upload-artifact@v7
-        with:
-          name: release-package-under-test
-          path: |
-            .artifacts/docker-e2e-package/openclaw-current.tgz
-            .artifacts/docker-e2e-package/package-candidate.json
-          if-no-files-found: error
-
-  npm_telegram:
-    name: Run package Telegram E2E
-    needs: [resolve_target, prepare_release_package]
-    if: ${{ always() && contains(fromJSON('["all","npm-telegram"]'), inputs.rerun_group) && (inputs.npm_telegram_package_spec != '' || (inputs.rerun_group == 'all' && inputs.release_profile == 'full')) }}
-    runs-on: ubuntu-24.04
-    timeout-minutes: ${{ inputs.release_profile == 'full' && 120 || 60 }}
-    outputs:
-      run_id: ${{ steps.dispatch.outputs.run_id }}
-      url: ${{ steps.dispatch.outputs.url }}
-      conclusion: ${{ steps.dispatch.outputs.conclusion }}
-    steps:
-      - name: Dispatch and monitor npm Telegram E2E
-        id: dispatch
-        env:
-          GH_TOKEN: ${{ github.token }}
-          CHILD_WORKFLOW_REF: ${{ github.ref_name }}
-          TARGET_SHA: ${{ needs.resolve_target.outputs.sha }}
-          PACKAGE_SPEC: ${{ inputs.npm_telegram_package_spec }}
-          PACKAGE_ARTIFACT_NAME: ${{ needs.prepare_release_package.outputs.artifact_name }}
-          PREPARE_PACKAGE_RESULT: ${{ needs.prepare_release_package.result }}
-          PROVIDER_MODE: ${{ inputs.npm_telegram_provider_mode }}
-          SCENARIO: ${{ inputs.npm_telegram_scenario }}
-        run: |
-          set -euo pipefail
-
-          before_json="$(gh run list --workflow npm-telegram-beta-e2e.yml --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')"
-
-          args=(-f package_spec="${PACKAGE_SPEC:-openclaw@beta}" -f harness_ref="$TARGET_SHA" -f provider_mode="$PROVIDER_MODE")
-          if [[ -z "${PACKAGE_SPEC// }" ]]; then
-            if [[ "$PREPARE_PACKAGE_RESULT" != "success" || -z "${PACKAGE_ARTIFACT_NAME// }" ]]; then
-              echo "Full release Telegram requires either npm_telegram_package_spec or a prepared release-package-under-test artifact." >&2
-              exit 1
-            fi
-            args+=(
-              -f package_artifact_name="$PACKAGE_ARTIFACT_NAME"
-              -f package_artifact_run_id="${GITHUB_RUN_ID}"
-              -f package_label="full-release-${TARGET_SHA:0:12}"
-            )
-          fi
-          if [[ -n "${SCENARIO// }" ]]; then
-            args+=(-f scenario="$SCENARIO")
-          fi
-
-          gh workflow run npm-telegram-beta-e2e.yml --ref "$CHILD_WORKFLOW_REF" "${args[@]}"
-
-          run_id=""
-          for _ in $(seq 1 60); do
-            run_id="$(
-              BEFORE_IDS="$before_json" gh run list --workflow npm-telegram-beta-e2e.yml --event workflow_dispatch --limit 50 --json databaseId,createdAt \
-                --jq 'map(select(.databaseId as $id | (env.BEFORE_IDS | fromjson | index($id) | not))) | sort_by(.createdAt) | reverse | .[0].databaseId // empty'
-            )"
-            if [[ -n "$run_id" ]]; then
-              break
-            fi
-            sleep 5
-          done
-
-          if [[ -z "$run_id" ]]; then
-            echo "Could not find dispatched run for npm-telegram-beta-e2e.yml." >&2
-            exit 1
-          fi
-
-          echo "Dispatched npm-telegram-beta-e2e.yml: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
-          echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
-
-          cancel_child() {
-            if [[ -n "${run_id:-}" ]]; then
-              echo "Cancelling child workflow npm-telegram-beta-e2e.yml: ${run_id}" >&2
-              gh run cancel "$run_id" >/dev/null 2>&1 || true
-            fi
-          }
-          trap cancel_child EXIT INT TERM
-
-          poll_count=0
-          while true; do
-            status="$(gh run view "$run_id" --json status --jq '.status')"
-            if [[ "$status" == "completed" ]]; then
-              break
-            fi
-            poll_count=$((poll_count + 1))
-            if (( poll_count % 10 == 0 )); then
-              echo "Still waiting on npm-telegram-beta-e2e.yml: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
-              gh run view "$run_id" --json jobs --jq '.jobs[] | select(.status != "completed") | {name, status, url}' || true
-            fi
-            sleep 30
-          done
-          trap - EXIT INT TERM
-
-          conclusion="$(gh run view "$run_id" --json conclusion --jq '.conclusion')"
-          url="$(gh run view "$run_id" --json url --jq '.url')"
-          echo "npm-telegram-beta-e2e.yml finished with ${conclusion}: ${url}"
-          echo "url=${url}" >> "$GITHUB_OUTPUT"
-          echo "conclusion=${conclusion}" >> "$GITHUB_OUTPUT"
-          if [[ "$conclusion" != "success" ]]; then
-            gh run view "$run_id" --json jobs --jq '.jobs[] | select(.conclusion != "success" and .conclusion != "skipped") | {name, conclusion, url}' || true
-          fi
-
-  summary:
-    name: Verify full validation
-    needs: [resolve_target, normal_ci, plugin_prerelease, release_checks, npm_telegram]
-    if: always()
-    runs-on: ubuntu-24.04
-    timeout-minutes: 5
-    steps:
-      - name: Request private evidence update
-        env:
-          RELEASE_PRIVATE_DISPATCH_TOKEN: ${{ secrets.OPENCLAW_RELEASES_PRIVATE_DISPATCH_TOKEN }}
-          TARGET_REF: ${{ inputs.ref }}
-          PACKAGE_SPEC: ${{ inputs.evidence_package_spec || inputs.npm_telegram_package_spec }}
-          GITHUB_RUN_ID_VALUE: ${{ github.run_id }}
-          RELEASE_CHECKS_RESULT: ${{ needs.release_checks.result }}
-        run: |
-          set -euo pipefail
-          if [[ "$RELEASE_CHECKS_RESULT" == "skipped" ]]; then
-            echo "Release checks were skipped by rerun group; skipping automatic private evidence update."
-            exit 0
-          fi
-          if [[ -z "${RELEASE_PRIVATE_DISPATCH_TOKEN// }" ]]; then
-            echo "OPENCLAW_RELEASES_PRIVATE_DISPATCH_TOKEN is not configured; skipping automatic private evidence update."
-            exit 0
-          fi
-
-          release_id="${TARGET_REF#refs/tags/}"
-          release_id="${release_id#v}"
-          if [[ "$PACKAGE_SPEC" =~ ^openclaw@(.+)$ ]]; then
-            release_id="${BASH_REMATCH[1]}"
-          fi
-          release_id="$(printf '%s' "$release_id" | tr '/:@ ' '----' | tr -cd 'A-Za-z0-9._-')"
-          if [[ -z "$release_id" ]]; then
-            echo "::error::Could not derive release evidence id from target ref '${TARGET_REF}'."
-            exit 1
-          fi
-
-          payload="$(
-            jq -cn \
-              --arg full_validation_run_id "$GITHUB_RUN_ID_VALUE" \
-              --arg release_id "$release_id" \
-              --arg release_ref "$TARGET_REF" \
-              --arg package_spec "$PACKAGE_SPEC" \
-              --arg notes "Automatically requested by Full Release Validation ${GITHUB_RUN_ID_VALUE} after child workflows completed; the parent summary re-checks current child run conclusions." \
-              '{
-                event_type: "openclaw_full_release_validation_completed",
-                client_payload: {
-                  full_validation_run_id: $full_validation_run_id,
-                  release_id: $release_id,
-                  release_ref: $release_ref,
-                  package_spec: $package_spec,
-                  notes: $notes
-                }
-              }'
-          )"
-
-          curl --fail-with-body \
-            -X POST \
-            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer ${RELEASE_PRIVATE_DISPATCH_TOKEN}" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            https://api.github.com/repos/openclaw/releases-private/dispatches \
-            -d "$payload"
-
-      - name: Verify child workflow results
-        env:
-          GH_TOKEN: ${{ github.token }}
-          NORMAL_CI_RUN_ID: ${{ needs.normal_ci.outputs.run_id }}
-          PLUGIN_PRERELEASE_RUN_ID: ${{ needs.plugin_prerelease.outputs.run_id }}
-          RELEASE_CHECKS_RUN_ID: ${{ needs.release_checks.outputs.run_id }}
-          NPM_TELEGRAM_RUN_ID: ${{ needs.npm_telegram.outputs.run_id }}
-          NORMAL_CI_RESULT: ${{ needs.normal_ci.result }}
-          PLUGIN_PRERELEASE_RESULT: ${{ needs.plugin_prerelease.result }}
-          RELEASE_CHECKS_RESULT: ${{ needs.release_checks.result }}
-          NPM_TELEGRAM_RESULT: ${{ needs.npm_telegram.result }}
-          TARGET_SHA: ${{ needs.resolve_target.outputs.sha }}
-          CHILD_WORKFLOW_REF: ${{ github.ref_name }}
-        run: |
-          set -euo pipefail
-
-          check_child() {
-            local label="$1"
-            local run_id="$2"
-            local required="$3"
-
-            if [[ -z "${run_id// }" ]]; then
-              if [[ "$required" == "0" ]]; then
-                echo "${label}: skipped"
-                return 0
-              fi
-              echo "::error::${label} did not record a child run id."
-              return 1
-            fi
-
-            local run_json status conclusion url attempt head_sha
-            run_json="$(gh run view "$run_id" --json status,conclusion,url,attempt,headSha,jobs)"
-            status="$(jq -r '.status' <<< "$run_json")"
-            conclusion="$(jq -r '.conclusion' <<< "$run_json")"
-            url="$(jq -r '.url' <<< "$run_json")"
-            attempt="$(jq -r '.attempt' <<< "$run_json")"
-            head_sha="$(jq -r '.headSha // ""' <<< "$run_json")"
-            echo "${label}: ${status}/${conclusion} attempt ${attempt} head ${head_sha}: ${url}"
-
-            if [[ "$CHILD_WORKFLOW_REF" == release-ci/* && -n "${TARGET_SHA// }" && "$head_sha" != "$TARGET_SHA" ]]; then
-              echo "::error::${label} child run used ${head_sha}, expected ${TARGET_SHA}. Dispatch Full Release Validation from a ref pinned to the target SHA, not a moving branch."
-              return 1
-            fi
-
-            if [[ "$status" != "completed" || "$conclusion" != "success" ]]; then
-              echo "::error::${label} child run ended with ${status}/${conclusion}: ${url}"
-              jq '.jobs[] | select(.conclusion != "success" and .conclusion != "skipped") | {name, status, conclusion, url}' <<< "$run_json" || true
-              return 1
-            fi
-          }
-
-          append_child_overview() {
-            {
-              echo
-              echo "### Child workflow overview"
-              echo
-              echo "| Child | Result | Minutes | Head SHA | Run |"
-              echo "| --- | --- | ---: | --- | --- |"
-            } >> "$GITHUB_STEP_SUMMARY"
-
-            append_child_row() {
-              local label="$1"
-              local run_id="$2"
-              local result="$3"
-
-              if [[ -z "${run_id// }" ]]; then
-                echo "| \`${label}\` | \`${result}\` |  | skipped |" >> "$GITHUB_STEP_SUMMARY"
-                return 0
-              fi
-
-              local run_json row
-              run_json="$(gh run view "$run_id" --json status,conclusion,url,createdAt,updatedAt,headSha)"
-              row="$(
-                jq -r --arg label "$label" '
-                  def ts: fromdateiso8601;
-                  . as $run |
-                  ($run.createdAt // "") as $created |
-                  ($run.updatedAt // "") as $updated |
-                  (if ($created | length) > 0 and ($updated | length) > 0
-                    then (((($updated | ts) - ($created | ts)) / 60) * 10 | round / 10 | tostring)
-                    else ""
-                  end) as $minutes |
-                  ($run.headSha // "") as $head |
-                  "| `" + $label + "` | `" + ($run.status // "") + "/" + ($run.conclusion // "") + "` | " + $minutes + " | `" + $head + "` | [run](" + ($run.url // "") + ") |"
-                ' <<< "$run_json"
-              )"
-              echo "$row" >> "$GITHUB_STEP_SUMMARY"
-            }
-
-            append_child_row "normal_ci" "$NORMAL_CI_RUN_ID" "$NORMAL_CI_RESULT"
-            append_child_row "plugin_prerelease" "$PLUGIN_PRERELEASE_RUN_ID" "$PLUGIN_PRERELEASE_RESULT"
-            append_child_row "release_checks" "$RELEASE_CHECKS_RUN_ID" "$RELEASE_CHECKS_RESULT"
-            append_child_row "npm_telegram" "$NPM_TELEGRAM_RUN_ID" "$NPM_TELEGRAM_RESULT"
-          }
-
-          summarize_child_timing() {
-            local label="$1"
-            local run_id="$2"
-            if [[ -z "${run_id// }" ]]; then
-              return 0
-            fi
-
-            {
-              echo
-              echo "### Slowest jobs: ${label}"
-              echo
-              gh run view "$run_id" --json jobs --jq '
-                def ts: fromdateiso8601;
-                "| Job | Result | Minutes |",
-                "| --- | --- | ---: |",
-                ([.jobs[]
-                  | select(.startedAt != "0001-01-01T00:00:00Z" and .completedAt != "0001-01-01T00:00:00Z")
-                  | . + {durationMin: ((((.completedAt | ts) - (.startedAt | ts)) / 60) * 10 | round / 10)}
-                  | {name, conclusion, durationMin}]
-                  | sort_by(.durationMin)
-                  | reverse
-                  | .[0:10]
-                  | map("| `" + (.name | gsub("\\|"; "\\|")) + "` | `" + ((.conclusion // "") | tostring) + "` | " + (.durationMin | tostring) + " |")
-                  | .[])
-              ' || echo "_Unable to summarize jobs for run ${run_id}._"
-              echo
-              echo "### Longest queues: ${label}"
-              echo
-              gh api --paginate "repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/jobs?per_page=100" --jq ".jobs[] | @json" | jq -sr '
-                def ts: fromdateiso8601;
-                "| Job | Result | Queue minutes | Run minutes |",
-                "| --- | --- | ---: | ---: |",
-                ([.[]
-                  | select(.created_at != null and .started_at != null)
-                  | . + {
-                      queueMin: ((((.started_at | ts) - (.created_at | ts)) / 60) * 10 | round / 10),
-                      durationMin: (if .completed_at == null then null else ((((.completed_at | ts) - (.started_at | ts)) / 60) * 10 | round / 10) end)
-                    }
-                  | select(.queueMin > 0)
-                  | {name, conclusion, queueMin, durationMin}]
-                  | sort_by(.queueMin)
-                  | reverse
-                  | .[0:10]
-                  | map("| `" + (.name | gsub("\\|"; "\\|")) + "` | `" + ((.conclusion // "") | tostring) + "` | " + (.queueMin | tostring) + " | " + ((.durationMin // "") | tostring) + " |")
-                  | .[])
-              ' || echo "_Unable to summarize queue times for run ${run_id}._"
-            } >> "$GITHUB_STEP_SUMMARY"
-          }
-
-          failed=0
-
-          append_child_overview
-
-          if [[ "$NORMAL_CI_RESULT" == "skipped" && -z "${NORMAL_CI_RUN_ID// }" ]]; then
-            check_child "normal_ci" "" 0 || failed=1
-          else
-            check_child "normal_ci" "$NORMAL_CI_RUN_ID" 1 || failed=1
-          fi
-
-          if [[ "$PLUGIN_PRERELEASE_RESULT" == "skipped" && -z "${PLUGIN_PRERELEASE_RUN_ID// }" ]]; then
-            check_child "plugin_prerelease" "" 0 || failed=1
-          else
-            check_child "plugin_prerelease" "$PLUGIN_PRERELEASE_RUN_ID" 1 || failed=1
-          fi
-
-          if [[ "$RELEASE_CHECKS_RESULT" == "skipped" && -z "${RELEASE_CHECKS_RUN_ID// }" ]]; then
-            check_child "release_checks" "" 0 || failed=1
-          else
-            check_child "release_checks" "$RELEASE_CHECKS_RUN_ID" 1 || failed=1
-          fi
-
-          if [[ "$NPM_TELEGRAM_RESULT" == "skipped" && -z "${NPM_TELEGRAM_RUN_ID// }" ]]; then
-            check_child "npm_telegram" "" 0 || failed=1
-          else
-            check_child "npm_telegram" "$NPM_TELEGRAM_RUN_ID" 1 || failed=1
-          fi
-
-          summarize_child_timing "normal_ci" "$NORMAL_CI_RUN_ID"
-          summarize_child_timing "plugin_prerelease" "$PLUGIN_PRERELEASE_RUN_ID"
-          summarize_child_timing "release_checks" "$RELEASE_CHECKS_RUN_ID"
-          summarize_child_timing "npm_telegram" "$NPM_TELEGRAM_RUN_ID"
-
-          exit "$failed"

.github/workflows/install-smoke.yml

@@ -1,105 +1,83 @@
 name: Install Smoke
 
 on:
-  schedule:
-    - cron: "17 3 * * *"
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
   workflow_dispatch:
-    inputs:
-      run_bun_global_install_smoke:
-        description: Run the Bun global install image-provider smoke
-        required: false
-        default: false
-        type: boolean
-      update_baseline_version:
-        description: Baseline openclaw version or dist-tag for installer update smoke
-        required: false
-        default: latest
-        type: string
-  workflow_call:
-    inputs:
-      ref:
-        description: Git ref to validate
-        required: false
-        type: string
-      run_bun_global_install_smoke:
-        description: Run the Bun global install image-provider smoke
-        required: false
-        default: true
-        type: boolean
-      update_baseline_version:
-        description: Baseline openclaw version or dist-tag for installer update smoke
-        required: false
-        default: latest
-        type: string
 
 permissions:
   contents: read
-  packages: write
 
 concurrency:
-  group: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && format('{0}-{1}-{2}', github.workflow, github.event_name, github.run_id) || format('{0}-{1}', github.workflow, github.ref) }}
-  cancel-in-progress: ${{ github.event_name != 'workflow_call' }}
+  group: ${{ github.event_name == 'pull_request' && format('{0}-{1}', github.workflow, github.event.pull_request.number) || format('{0}-{1}', github.workflow, github.ref) }}
+  cancel-in-progress: true
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
 
 jobs:
   preflight:
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
     runs-on: ubuntu-24.04
     outputs:
       docs_only: ${{ steps.manifest.outputs.docs_only }}
       run_install_smoke: ${{ steps.manifest.outputs.run_install_smoke }}
-      run_fast_install_smoke: ${{ steps.manifest.outputs.run_fast_install_smoke }}
-      run_full_install_smoke: ${{ steps.manifest.outputs.run_full_install_smoke }}
-      run_bun_global_install_smoke: ${{ steps.manifest.outputs.run_bun_global_install_smoke }}
-      target_sha: ${{ steps.manifest.outputs.target_sha }}
-      dockerfile_image: ${{ steps.manifest.outputs.dockerfile_image }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ inputs.ref || github.ref }}
           fetch-depth: 1
           fetch-tags: false
           persist-credentials: false
           submodules: false
 
+      - name: Ensure preflight base commit
+        uses: ./.github/actions/ensure-base-commit
+        with:
+          base-sha: ${{ github.event_name == 'push' && github.event.before || github.event.pull_request.base.sha }}
+          fetch-ref: ${{ github.event_name == 'push' && github.ref_name || github.event.pull_request.base.ref }}
+
+      - name: Detect docs-only changes
+        id: docs_scope
+        uses: ./.github/actions/detect-docs-changes
+
+      - name: Detect changed smoke scope
+        id: changed_scope
+        if: steps.docs_scope.outputs.docs_only != 'true'
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          if [ "${{ github.event_name }}" = "push" ]; then
+            BASE="${{ github.event.before }}"
+          else
+            BASE="${{ github.event.pull_request.base.sha }}"
+          fi
+
+          node scripts/ci-changed-scope.mjs --base "$BASE" --head HEAD
+
       - name: Build install-smoke CI manifest
         id: manifest
         env:
-          OPENCLAW_CI_EVENT_NAME: ${{ github.event_name }}
-          OPENCLAW_CI_WORKFLOW_BUN_GLOBAL_INSTALL_SMOKE: ${{ inputs.run_bun_global_install_smoke || 'false' }}
+          OPENCLAW_CI_DOCS_ONLY: ${{ steps.docs_scope.outputs.docs_only }}
+          OPENCLAW_CI_RUN_CHANGED_SMOKE: ${{ steps.changed_scope.outputs.run_changed_smoke || 'false' }}
         run: |
-          event_name="${OPENCLAW_CI_EVENT_NAME:-}"
-          workflow_bun_global_install_smoke="${OPENCLAW_CI_WORKFLOW_BUN_GLOBAL_INSTALL_SMOKE:-false}"
-          docs_only=false
-          run_fast_install_smoke=true
-          run_full_install_smoke=true
-          run_bun_global_install_smoke=false
-          run_install_smoke=true
-          target_sha="$(git rev-parse HEAD)"
-          owner="$(printf '%s' "${GITHUB_REPOSITORY_OWNER:-openclaw}" | tr '[:upper:]' '[:lower:]')"
-          dockerfile_image="ghcr.io/${owner}/openclaw-dockerfile-smoke:${target_sha}"
-          if [ "$event_name" = "schedule" ]; then
-            run_bun_global_install_smoke=true
-          elif [ "$event_name" = "workflow_dispatch" ] || [ "$event_name" = "workflow_call" ]; then
-            if [ "$workflow_bun_global_install_smoke" = "true" ]; then
-              run_bun_global_install_smoke=true
-            fi
+          docs_only="${OPENCLAW_CI_DOCS_ONLY:-false}"
+          run_changed_smoke="${OPENCLAW_CI_RUN_CHANGED_SMOKE:-false}"
+          run_install_smoke=false
+          if [ "$docs_only" != "true" ] && [ "$run_changed_smoke" = "true" ]; then
+            run_install_smoke=true
           fi
           {
             echo "docs_only=$docs_only"
             echo "run_install_smoke=$run_install_smoke"
-            echo "run_fast_install_smoke=$run_fast_install_smoke"
-            echo "run_full_install_smoke=$run_full_install_smoke"
-            echo "run_bun_global_install_smoke=$run_bun_global_install_smoke"
-            echo "target_sha=$target_sha"
-            echo "dockerfile_image=$dockerfile_image"
           } >> "$GITHUB_OUTPUT"
 
-  install-smoke-fast:
+  install-smoke:
     needs: [preflight]
-    if: needs.preflight.outputs.run_fast_install_smoke == 'true' && needs.preflight.outputs.run_full_install_smoke != 'true'
+    if: needs.preflight.outputs.run_install_smoke == 'true'
     runs-on: blacksmith-16vcpu-ubuntu-2404
     env:
       DOCKER_BUILD_SUMMARY: "false"
@@ -107,51 +85,32 @@ jobs:
     steps:
       - name: Checkout CLI
         uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref || github.ref }}
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
-        with:
-          max-cache-size-mb: 800000
+        uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1
+
+      # Blacksmith's builder owns the Docker layer cache; keep smoke builds off
+      # explicit gha cache directives so local tags still load cleanly.
+      - name: Run QR package install smoke
+        env:
+          OPENCLAW_QR_SMOKE_FORCE_INSTALL: "1"
+        run: bash scripts/e2e/qr-import-docker.sh
 
-      # Keep release smoke builds bounded and log-producing. The Blacksmith
-      # build action can leave jobs in-progress without step logs when a remote
-      # builder stalls; an explicit buildx invocation fails closed instead.
       - name: Build root Dockerfile smoke image
-        run: |
-          timeout 45m docker buildx build \
-            --progress=plain \
-            --load \
-            --build-arg OPENCLAW_EXTENSIONS=matrix \
-            -t openclaw-dockerfile-smoke:local \
-            -t openclaw-ext-smoke:local \
-            -f ./Dockerfile \
-            .
+        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
+        with:
+          context: .
+          file: ./Dockerfile
+          build-args: |
+            OPENCLAW_DOCKER_APT_UPGRADE=0
+          tags: openclaw-dockerfile-smoke:local
+          load: true
+          push: false
+          provenance: false
 
       - name: Run root Dockerfile CLI smoke
         run: |
-          docker run --rm --entrypoint sh openclaw-dockerfile-smoke:local -lc '
-            which openclaw &&
-            openclaw --version &&
-            node -e "
-              const fs = require(\"node:fs\");
-              const path = require(\"node:path\");
-              const pkg = require(\"/app/package.json\");
-              for (const [dep, rel] of Object.entries(pkg.pnpm?.patchedDependencies ?? {})) {
-                const absolute = path.join(\"/app\", rel);
-                if (!fs.existsSync(absolute)) {
-                  throw new Error(`missing patch for ${dep}: ${rel}`);
-                }
-              }
-            "
-          '
-
-      - name: Run agents delete shared workspace Docker CLI smoke
-        env:
-          OPENCLAW_AGENTS_DELETE_SHARED_WORKSPACE_E2E_IMAGE: openclaw-dockerfile-smoke:local
-          OPENCLAW_AGENTS_DELETE_SHARED_WORKSPACE_E2E_SKIP_BUILD: "1"
-        run: bash scripts/e2e/agents-delete-shared-workspace-docker.sh
+          docker run --rm --entrypoint sh openclaw-dockerfile-smoke:local -lc 'which openclaw && openclaw --version'
 
       - name: Run Docker gateway network e2e
         env:
@@ -159,6 +118,22 @@ jobs:
           OPENCLAW_GATEWAY_NETWORK_E2E_SKIP_BUILD: "1"
         run: bash scripts/e2e/gateway-network-docker.sh
 
+      # This smoke validates that the build-arg path preinstalls the matrix
+      # runtime deps declared by the plugin and that matrix discovery stays
+      # healthy in the final runtime image.
+      - name: Build extension Dockerfile smoke image
+        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
+        with:
+          context: .
+          file: ./Dockerfile
+          build-args: |
+            OPENCLAW_DOCKER_APT_UPGRADE=0
+            OPENCLAW_EXTENSIONS=matrix
+          tags: openclaw-ext-smoke:local
+          load: true
+          push: false
+          provenance: false
+
       - name: Smoke test Dockerfile with matrix extension build arg
         run: |
           docker run --rm --entrypoint sh openclaw-ext-smoke:local -lc '
@@ -204,233 +179,28 @@ jobs:
             "
           '
 
-  root_dockerfile_image:
-    needs: [preflight]
-    if: needs.preflight.outputs.run_full_install_smoke == 'true'
-    runs-on: blacksmith-16vcpu-ubuntu-2404
-    outputs:
-      image_ref: ${{ steps.image.outputs.image_ref }}
-    env:
-      DOCKER_BUILD_SUMMARY: "false"
-      DOCKER_BUILD_RECORD_UPLOAD: "false"
-    steps:
-      - name: Checkout CLI
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref || github.ref }}
-
-      - name: Log in to GHCR
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
-
-      - name: Check for existing root Dockerfile smoke image
-        id: existing
-        env:
-          IMAGE_REF: ${{ needs.preflight.outputs.dockerfile_image }}
-        run: |
-          set -euo pipefail
-          if timeout 180s docker pull "$IMAGE_REF"; then
-            echo "exists=true" >> "$GITHUB_OUTPUT"
-            echo "Using existing root Dockerfile smoke image: \`$IMAGE_REF\`" >> "$GITHUB_STEP_SUMMARY"
-          else
-            echo "exists=false" >> "$GITHUB_OUTPUT"
-            echo "No existing root Dockerfile smoke image found for \`$IMAGE_REF\`; building it." >> "$GITHUB_STEP_SUMMARY"
-          fi
-
-      - name: Set up Blacksmith Docker Builder
-        if: steps.existing.outputs.exists != 'true'
-        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
-        with:
-          max-cache-size-mb: 800000
-
-      # Build once with the matrix extension and publish by target SHA. Use a
-      # direct buildx command so release jobs emit Docker progress and time out.
-      - name: Build and push root Dockerfile smoke image
-        if: steps.existing.outputs.exists != 'true'
-        env:
-          IMAGE_REF: ${{ needs.preflight.outputs.dockerfile_image }}
-        run: |
-          timeout 45m docker buildx build \
-            --progress=plain \
-            --push \
-            --build-arg OPENCLAW_EXTENSIONS=matrix \
-            -t "$IMAGE_REF" \
-            -f ./Dockerfile \
-            .
-
-      - name: Record root image output
-        id: image
-        env:
-          IMAGE_REF: ${{ needs.preflight.outputs.dockerfile_image }}
-        run: echo "image_ref=$IMAGE_REF" >> "$GITHUB_OUTPUT"
-
-      - name: Summarize root image
-        env:
-          IMAGE_REF: ${{ needs.preflight.outputs.dockerfile_image }}
-          TARGET_SHA: ${{ needs.preflight.outputs.target_sha }}
-        run: |
-          {
-            echo "## Root Dockerfile smoke image"
-            echo
-            echo "- Target SHA: \`${TARGET_SHA}\`"
-            echo "- Image: \`${IMAGE_REF}\`"
-            echo "- Reused existing image: \`${{ steps.existing.outputs.exists }}\`"
-          } >> "$GITHUB_STEP_SUMMARY"
-
-  qr_package_install_smoke:
-    needs: [preflight]
-    if: needs.preflight.outputs.run_full_install_smoke == 'true'
-    runs-on: blacksmith-16vcpu-ubuntu-2404
-    steps:
-      - name: Checkout CLI
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref || github.ref }}
-
-      - name: Run QR package install smoke
-        env:
-          OPENCLAW_QR_SMOKE_FORCE_INSTALL: "1"
-        run: bash scripts/e2e/qr-import-docker.sh
-
-  root_dockerfile_smokes:
-    needs: [preflight, root_dockerfile_image]
-    if: needs.preflight.outputs.run_full_install_smoke == 'true'
-    runs-on: blacksmith-16vcpu-ubuntu-2404
-    steps:
-      - name: Checkout CLI
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref || github.ref }}
-
-      - name: Log in to GHCR
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
-
-      - name: Pull root Dockerfile smoke image
-        env:
-          IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
-        run: timeout 600s docker pull "$IMAGE_REF"
-
-      - name: Run root Dockerfile CLI smoke
-        env:
-          IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
-        run: |
-          docker run --rm --entrypoint sh "$IMAGE_REF" -lc 'which openclaw && openclaw --version'
-
-      - name: Run agents delete shared workspace Docker CLI smoke
-        env:
-          OPENCLAW_AGENTS_DELETE_SHARED_WORKSPACE_E2E_IMAGE: ${{ needs.root_dockerfile_image.outputs.image_ref }}
-          OPENCLAW_AGENTS_DELETE_SHARED_WORKSPACE_E2E_SKIP_BUILD: "1"
-        run: bash scripts/e2e/agents-delete-shared-workspace-docker.sh
-
-      - name: Run Docker gateway network e2e
-        env:
-          OPENCLAW_GATEWAY_NETWORK_E2E_IMAGE: ${{ needs.root_dockerfile_image.outputs.image_ref }}
-          OPENCLAW_GATEWAY_NETWORK_E2E_SKIP_BUILD: "1"
-        run: bash scripts/e2e/gateway-network-docker.sh
-
-      - name: Smoke test Dockerfile with matrix extension build arg
-        env:
-          IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
-        run: |
-          docker run --rm --entrypoint sh "$IMAGE_REF" -lc '
-            which openclaw &&
-            openclaw --version &&
-            node -e "
-              const Module = require(\"node:module\");
-              const matrixPackage = require(\"/app/extensions/matrix/package.json\");
-              const requireFromMatrix = Module.createRequire(\"/app/extensions/matrix/package.json\");
-              const runtimeDeps = Object.keys(matrixPackage.dependencies ?? {});
-              if (runtimeDeps.length === 0) {
-                throw new Error(
-                  \"matrix package has no declared runtime dependencies; smoke cannot validate install mirroring\",
-                );
-              }
-              for (const dep of runtimeDeps) {
-                requireFromMatrix.resolve(dep);
-              }
-              const { spawnSync } = require(\"node:child_process\");
-              const run = spawnSync(\"openclaw\", [\"plugins\", \"list\", \"--json\"], { encoding: \"utf8\" });
-              if (run.status !== 0) {
-                process.stderr.write(run.stderr || run.stdout || \"plugins list failed\\n\");
-                process.exit(run.status ?? 1);
-              }
-              const parsed = JSON.parse(run.stdout);
-              const matrix = (parsed.plugins || []).find((entry) => entry.id === \"matrix\");
-              if (!matrix) {
-                throw new Error(\"matrix plugin missing from bundled plugin list\");
-              }
-              const matrixDiag = (parsed.diagnostics || []).filter(
-                (diag) =>
-                  typeof diag.source === \"string\" &&
-                  diag.source.includes(\"/extensions/matrix\") &&
-                  typeof diag.message === \"string\" &&
-                  diag.message.includes(\"extension entry escapes package directory\"),
-              );
-              if (matrixDiag.length > 0) {
-                throw new Error(
-                  \"unexpected matrix diagnostics: \" +
-                    matrixDiag.map((diag) => diag.message).join(\"; \"),
-                );
-              }
-            "
-          '
-
-  installer_smoke:
-    needs: [preflight, root_dockerfile_image]
-    if: needs.preflight.outputs.run_full_install_smoke == 'true'
-    runs-on: blacksmith-16vcpu-ubuntu-2404
-    env:
-      DOCKER_BUILD_SUMMARY: "false"
-      DOCKER_BUILD_RECORD_UPLOAD: "false"
-    steps:
-      - name: Checkout CLI
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref || github.ref }}
-
-      - name: Log in to GHCR
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
-
-      - name: Pull root Dockerfile smoke image
-        env:
-          IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
-        run: timeout 600s docker pull "$IMAGE_REF"
-
-      - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
-        with:
-          max-cache-size-mb: 800000
-
       - name: Build installer smoke image
-        run: |
-          timeout 20m docker buildx build \
-            --progress=plain \
-            --load \
-            -t openclaw-install-smoke:local \
-            -f ./scripts/docker/install-sh-smoke/Dockerfile \
-            ./scripts/docker
+        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
+        with:
+          context: ./scripts/docker
+          file: ./scripts/docker/install-sh-smoke/Dockerfile
+          tags: openclaw-install-smoke:local
+          load: true
+          push: false
+          provenance: false
 
       - name: Build installer non-root image
-        run: |
-          timeout 20m docker buildx build \
-            --progress=plain \
-            --load \
-            -t openclaw-install-nonroot:local \
-            -f ./scripts/docker/install-sh-nonroot/Dockerfile \
-            ./scripts/docker
+        if: github.event_name != 'pull_request'
+        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
+        with:
+          context: ./scripts/docker
+          file: ./scripts/docker/install-sh-nonroot/Dockerfile
+          tags: openclaw-install-nonroot:local
+          load: true
+          push: false
+          provenance: false
 
-      - name: Setup Node environment for installer smoke
+      - name: Setup Node environment for local pack smoke
         uses: ./.github/actions/setup-node-env
         with:
           install-bun: "false"
@@ -443,70 +213,35 @@ jobs:
           OPENCLAW_NO_ONBOARD: "1"
           OPENCLAW_INSTALL_SMOKE_SKIP_CLI: "1"
           OPENCLAW_INSTALL_SMOKE_SKIP_IMAGE_BUILD: "1"
-          OPENCLAW_INSTALL_NONROOT_SKIP_IMAGE_BUILD: "1"
-          OPENCLAW_INSTALL_SMOKE_SKIP_NONROOT: "0"
-          OPENCLAW_INSTALL_SMOKE_SKIP_NPM_GLOBAL: "1"
+          OPENCLAW_INSTALL_NONROOT_SKIP_IMAGE_BUILD: ${{ github.event_name == 'pull_request' && '0' || '1' }}
+          OPENCLAW_INSTALL_SMOKE_SKIP_NONROOT: ${{ github.event_name == 'pull_request' && '1' || '0' }}
           OPENCLAW_INSTALL_SMOKE_SKIP_PREVIOUS: "1"
-          OPENCLAW_INSTALL_SMOKE_UPDATE_BASELINE: ${{ inputs.update_baseline_version || 'latest' }}
-          OPENCLAW_INSTALL_SMOKE_UPDATE_DIST_IMAGE: ${{ needs.root_dockerfile_image.outputs.image_ref }}
+          OPENCLAW_INSTALL_SMOKE_UPDATE_DIST_IMAGE: openclaw-dockerfile-smoke:local
           OPENCLAW_INSTALL_SMOKE_UPDATE_SKIP_LOCAL_BUILD: "1"
         run: bash scripts/test-install-sh-docker.sh
 
-  bun_global_install_smoke:
-    needs: [preflight, root_dockerfile_image]
-    if: needs.preflight.outputs.run_full_install_smoke == 'true' && needs.preflight.outputs.run_bun_global_install_smoke == 'true'
-    runs-on: blacksmith-16vcpu-ubuntu-2404
-    steps:
-      - name: Checkout CLI
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref || github.ref }}
-
-      - name: Log in to GHCR
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
-
-      - name: Pull root Dockerfile smoke image
-        env:
-          IMAGE_REF: ${{ needs.root_dockerfile_image.outputs.image_ref }}
-        run: timeout 600s docker pull "$IMAGE_REF"
-
-      - name: Setup Node environment for Bun smoke
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "true"
-          install-deps: "true"
-
-      - name: Run Bun global install image-provider smoke
-        env:
-          OPENCLAW_BUN_GLOBAL_SMOKE_DIST_IMAGE: ${{ needs.root_dockerfile_image.outputs.image_ref }}
-          OPENCLAW_BUN_GLOBAL_SMOKE_HOST_BUILD: "0"
-        run: bash scripts/e2e/bun-global-install-smoke.sh
-
   docker-e2e-fast:
     needs: [preflight]
-    if: needs.preflight.outputs.run_fast_install_smoke == 'true' || needs.preflight.outputs.run_full_install_smoke == 'true'
+    if: needs.preflight.outputs.run_install_smoke == 'true'
     runs-on: blacksmith-16vcpu-ubuntu-2404
-    timeout-minutes: 12
+    timeout-minutes: 8
     env:
       DOCKER_BUILD_SUMMARY: "false"
       DOCKER_BUILD_RECORD_UPLOAD: "false"
     steps:
       - name: Checkout CLI
         uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.ref || github.ref }}
 
       - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
-        with:
-          max-cache-size-mb: 800000
+        uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1
 
       - name: Setup Node environment for package smoke
         uses: ./.github/actions/setup-node-env
         with:
           install-bun: "false"
           install-deps: "true"
+
+      - name: Run fast bundled plugin Docker E2E
+        env:
+          OPENCLAW_BUNDLED_CHANNEL_DEPS_E2E_IMAGE: openclaw-bundled-channel-fast:local
+        run: timeout 120s pnpm test:docker:bundled-channel-deps:fast

.github/workflows/labeler.yml

@@ -92,7 +92,7 @@ jobs:
             const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lockb"]);
             const totalChangedLines = files.reduce((total, file) => {
               const path = file.filename ?? "";
-              if (path.startsWith("docs/") || excludedLockfiles.has(path)) {
+              if (path === "docs.acp.md" || path.startsWith("docs/") || excludedLockfiles.has(path)) {
                 return total;
               }
               return total + (file.additions ?? 0) + (file.deletions ?? 0);
@@ -274,11 +274,10 @@ jobs:
 
             const activePrLimitLabel = "r: too-many-prs";
             const activePrLimitOverrideLabel = "r: too-many-prs-override";
-            const activePrLimit = 20;
+            const activePrLimit = 10;
             const labelColor = "B60205";
             const labelDescription = `Author has more than ${activePrLimit} active PRs in this repo`;
             const authorLogin = pullRequest.user?.login;
-            const headRefName = pullRequest.head?.ref ?? "";
             if (!authorLogin) {
               return;
             }
@@ -296,25 +295,6 @@ jobs:
                 .filter((name) => typeof name === "string"),
             );
 
-            if (pullRequest.user?.type === "Bot" || /\[bot\]$/i.test(authorLogin) || authorLogin.startsWith("app/")) {
-              if (labelNames.has(activePrLimitLabel)) {
-                try {
-                  await github.rest.issues.removeLabel({
-                    owner: context.repo.owner,
-                    repo: context.repo.repo,
-                    issue_number: pullRequest.number,
-                    name: activePrLimitLabel,
-                  });
-                } catch (error) {
-                  if (error?.status !== 404) {
-                    throw error;
-                  }
-                }
-              }
-              core.info(`Skipping active PR limit for GitHub App author ${authorLogin}.`);
-              return;
-            }
-
             if (labelNames.has(activePrLimitOverrideLabel)) {
               if (labelNames.has(activePrLimitLabel)) {
                 try {
@@ -394,12 +374,7 @@ jobs:
               return false;
             };
 
-            const automationPrHeadPrefixes = ["clawsweeper/", "clownfish/"];
-            const isAutomationPullRequest =
-              typeof headRefName === "string" &&
-              automationPrHeadPrefixes.some((prefix) => headRefName.startsWith(prefix));
-
-            if ((await isPrivilegedAuthor()) || isAutomationPullRequest) {
+            if (await isPrivilegedAuthor()) {
               if (labelNames.has(activePrLimitLabel)) {
                 try {
                   await github.rest.issues.removeLabel({
@@ -606,7 +581,7 @@ jobs:
               const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lockb"]);
               const totalChangedLines = files.reduce((total, file) => {
                 const path = file.filename ?? "";
-                if (path.startsWith("docs/") || excludedLockfiles.has(path)) {
+                if (path === "docs.acp.md" || path.startsWith("docs/") || excludedLockfiles.has(path)) {
                   return total;
                 }
                 return total + (file.additions ?? 0) + (file.deletions ?? 0);

.github/workflows/live-media-runner-image.yml

@@ -1,54 +0,0 @@
-name: Live Media Runner Image
-
-on:
-  workflow_dispatch:
-  push:
-    branches: [main]
-    paths:
-      - ".github/images/live-media-runner/Dockerfile"
-      - ".github/workflows/live-media-runner-image.yml"
-
-permissions:
-  contents: read
-  packages: write
-
-concurrency:
-  group: live-media-runner-image-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-
-jobs:
-  build:
-    name: Build live media runner image
-    runs-on: blacksmith-8vcpu-ubuntu-2404
-    timeout-minutes: 30
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Login to GHCR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
-
-      - name: Set up Blacksmith Docker Builder
-        uses: useblacksmith/setup-docker-builder@722e97d12b1d06a961800dd6c05d79d951ad3c80 # v1
-        with:
-          max-cache-size-mb: 800000
-
-      - name: Build and push live media runner image
-        uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2
-        with:
-          context: .github/images/live-media-runner
-          file: .github/images/live-media-runner/Dockerfile
-          platforms: linux/amd64
-          tags: |
-            ghcr.io/openclaw/openclaw-live-media-runner:ubuntu-24.04
-            ghcr.io/openclaw/openclaw-live-media-runner:${{ github.sha }}
-          sbom: true
-          provenance: mode=max
-          push: true

.github/workflows/macos-release.yml

@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
     inputs:
       tag:
-        description: Existing release tag to validate for macOS release handoff (for example v2026.3.22, v2026.3.22-alpha.1, or v2026.3.22-beta.1)
+        description: Existing release tag to validate for macOS release handoff (for example v2026.3.22 or v2026.3.22-beta.1)
         required: true
         type: string
       preflight_only:
@@ -12,11 +12,6 @@ on:
         required: true
         default: true
         type: boolean
-      public_release_branch:
-        description: Public branch that contains the release tag commit, usually main or release/YYYY.M.D
-        required: false
-        default: main
-        type: string
 
 concurrency:
   group: macos-release-${{ inputs.tag }}
@@ -38,7 +33,7 @@ jobs:
           RELEASE_TAG: ${{ inputs.tag }}
         run: |
           set -euo pipefail
-          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-(alpha|beta)\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
+          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
             echo "Invalid release tag format: ${RELEASE_TAG}"
             exit 1
           fi
@@ -71,17 +66,13 @@ jobs:
       - name: Validate release tag and package metadata
         env:
           RELEASE_TAG: ${{ inputs.tag }}
-          PUBLIC_RELEASE_BRANCH: ${{ inputs.public_release_branch }}
+          WORKFLOW_REF_NAME: ${{ github.ref_name }}
         run: |
           set -euo pipefail
-          if [[ "${PUBLIC_RELEASE_BRANCH}" != "main" && ! "${PUBLIC_RELEASE_BRANCH}" =~ ^release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]]; then
-            echo "public_release_branch must be main or release/YYYY.M.D, got ${PUBLIC_RELEASE_BRANCH}." >&2
-            exit 1
-          fi
           RELEASE_SHA=$(git rev-parse HEAD)
-          RELEASE_MAIN_REF="refs/remotes/origin/${PUBLIC_RELEASE_BRANCH}"
+          RELEASE_MAIN_REF="refs/remotes/origin/${WORKFLOW_REF_NAME}"
           export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF
-          git fetch --no-tags origin "+refs/heads/${PUBLIC_RELEASE_BRANCH}:refs/remotes/origin/${PUBLIC_RELEASE_BRANCH}"
+          git fetch --no-tags origin "+refs/heads/${WORKFLOW_REF_NAME}:refs/remotes/origin/${WORKFLOW_REF_NAME}"
           pnpm release:openclaw:npm:check
 
       - name: Summarize next step
@@ -98,5 +89,5 @@ jobs:
             echo "- Run \`openclaw/releases-private/.github/workflows/openclaw-macos-validate.yml\` with tag \`${RELEASE_TAG}\` and wait for the private mac validation lane to pass."
             echo "- Run \`openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml\` with tag \`${RELEASE_TAG}\` and \`preflight_only=true\` for the full private mac preflight."
             echo "- For the real publish path, run the same private mac publish workflow from \`main\` with the successful private preflight \`preflight_run_id\` so it promotes the prepared artifacts instead of rebuilding them."
-            echo "- For stable releases, the private publish workflow also publishes the signed \`appcast.xml\` to public \`main\`, or opens an appcast PR if direct push is blocked."
+            echo "- For stable releases, also download \`macos-appcast-${RELEASE_TAG}\` from the successful private run and commit \`appcast.xml\` back to \`main\` in \`openclaw/openclaw\`."
           } >> "$GITHUB_STEP_SUMMARY"