fix(compaction): anchor forced manual boundary off trailing tool results

Force manual compaction past empty kept-tail cuts
fix(qa): use writable tmp in Telegram package runner
2026-06-17 19:48:59 +08:00 · 2026-06-17 21:21:25 +10:00 · 2026-06-17 21:21:25 +10:00 · 2026-06-17 16:45:34 +05:30 · 2026-06-17 19:11:20 +08:00 · 2026-06-17 21:06:44 +10:00
238 changed files with 4112 additions and 3495 deletions
--- a/.agents/skills/release-openclaw-ci/SKILL.md
+++ b/.agents/skills/release-openclaw-ci/SKILL.md
@@ -24,25 +24,6 @@ Use this with `$release-openclaw-maintainer` and `$openclaw-testing` when a rele
  fails, the parent cancels the remaining child matrix and prints the failed
  job summary. Inspect that first red job instead of waiting for unrelated
  matrix tails.
- In a sparse worktree or Testbox source sync, first confirm `package.json`,
-  `pnpm-lock.yaml`, and every source path the selected check reads. If any are
-  absent, that checkout cannot validate a release dependency or Docker lane:
-  stop and use the repo remote changed gate or a full task worktree. When the
-  inputs are present and a release fix changes `package.json` or
-  `pnpm-lock.yaml`, rebuild only the task-owned disposable box with
-  `CI=true pnpm install --frozen-lockfile`, then run an explicit
-  `require.resolve()` probe before Docker or focused tests. The CI flag permits
-  pnpm to recreate a prewarmed modules directory without an interactive
-  confirmation. Do not weaken the lockfile or label sparse-checkout failures
-  as product/Docker failures.
- If the candidate is rebased or its base SHA changes after warmup, stop the
-  task-owned box and warm a fresh one before testing. Testbox source sync is
-  relative to the warmed source tree; continuing can mix an old base file with
-  a new candidate diff and produce false lockfile or Docker failures.
- For a committed release candidate, warm the box with
-  `blacksmith testbox warmup ... --ref <candidate-branch-or-sha>`. Do not rely
-  on source sync to overlay committed branch changes onto the workflow's
-  default ref.

 ## Preflight

@@ -76,7 +57,7 @@ gh workflow run openclaw-performance.yml \
  -f repeat=3 \
  -f deep_profile=false \
  -f live_openai_candidate=false \
-  -f fail_on_regression=true
+  -f fail_on_regression=false
 ```

 - Do not wait for full release validation to start this early perf signal.
@@ -85,9 +66,8 @@ gh workflow run openclaw-performance.yml \
 - Call out any regression in the release proof. Treat a major regression as a
  release blocker until it is fixed, waived by the operator, or proven to be
  infrastructure noise.
- Full Release Validation records blocking product-performance evidence. The
-  early standalone run is for overlap and faster regression discovery, but a
-  regression or missing child run blocks the parent validation.
+- Full Release Validation also records advisory product-performance evidence;
+  the early standalone run is for overlap and faster regression discovery.

 Prefer the trusted workflow on `main`, target the exact release SHA:

@@ -109,7 +89,7 @@ gh workflow run full-release-validation.yml \
  -f rerun_group=all
 ```

-Use `release_profile=stable` unless the operator explicitly asks for the broad advisory provider/media matrix. Stable and full profiles force the release soak; the beta profile may opt in with `run_release_soak=true`. Use narrow `rerun_group` after focused fixes.
+Use `release_profile=stable` unless the operator explicitly asks for the broad advisory provider/media matrix. Use narrow `rerun_group` after focused fixes.
 Publish with `openclaw-release-publish.yml` using `release_profile=from-validation`
 unless a maintainer intentionally wants to cross-check a specific profile; the
 publish workflow reads the effective profile from the full-validation manifest.
--- a/.agents/skills/release-openclaw-maintainer/SKILL.md
+++ b/.agents/skills/release-openclaw-maintainer/SKILL.md
@@ -17,10 +17,6 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
 - This skill should be sufficient to drive the normal release flow end-to-end.
 - Use the private maintainer release docs for credentials, recovery steps, and mac signing/notary specifics, and use `docs/reference/RELEASING.md` for public policy.
 - Core `openclaw` publish is manual `workflow_dispatch`; creating or pushing a tag does not publish by itself.
- Do not edit the root `README.md` as release prep, release closeout, or a
-  substitute for release notes. Package-root README validation is a hard
-  packaging gate, but a release only changes README content when an actual
-  user-facing documentation contract changed.
 - Normal release work happens on a branch cut from `main`, not directly on
  `main`. Use `release/YYYY.M.PATCH` for the branch name.
 - If the operator asks for a release without saying stable/full, default to
@@ -80,17 +76,6 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
  or clawgrit reports. Report regressions explicitly. A major regression is a
  release blocker unless the operator waives it or the data clearly proves
  infrastructure noise.
- Heal CI before tagging or publishing. The exact candidate SHA must have green
-  `Full Release Validation`, including the root Dockerfile/install-smoke path.
-  Treat a red Docker, package, or release workflow lane as a release-branch
-  defect until the smallest correct fix is landed and proven; do not waive it
-  because npm preflight or another sibling lane passed.
- Keep the canonical `scripts/pr` runner authoritative for prepare and merge
-  artifacts. A release-gate policy change may use focused candidate tests and
-  exact-SHA hosted CI for proof, but never route `prepare-*` or `merge-*`
-  through PR-controlled scripts or synthesize prepare artifacts to bootstrap
-  the change. If the current canonical gate cannot validate the new policy,
-  stop for explicit maintainer direction rather than weakening that boundary.
 - Generate the changelog before every beta, beta rerun, stable release, or
  stable rerun, before version/tag preparation. Use
  `$openclaw-changelog-update` for the rewrite. Do not continue release prep if
@@ -134,14 +119,6 @@ Stable publication is not complete until `main` carries the actual shipped relea
   `OPENCLAW_TESTBOX=1 pnpm check:changed`. Push, then verify `origin/main`
   contains the shipped version and changelog before calling the stable release
   done.
-6. Keep repository variables `RELEASE_ROLLBACK_DRILL_ID` and
-   `RELEASE_ROLLBACK_DRILL_DATE` current after each private rollback drill.
-   `openclaw-stable-main-closeout.yml` starts from the `main` push carrying the
-   shipped version, changelog, and appcast after stable publication, then binds
-   immutable evidence to the published tag. Do not declare stable complete
-   until it writes the immutable closeout manifest to the GitHub release. The
-   drill must be within 90 days; manual dispatch is only for repair/replay, and
-   private rollback commands remain in the maintainer-only runbook.

 ## Handle versions and release files consistently

--- a/.agents/skills/verify-release/SKILL.md
+++ b/.agents/skills/verify-release/SKILL.md
@@ -29,17 +29,11 @@ publish skill; use `$release-openclaw-maintainer` before changing release state.
   - Confirm release body has npm, CI, plugin npm, ClawHub, mac/appcast evidence
     links when expected.
   - Confirm assets expected for stable mac releases are uploaded: zip, dmg,
-     dSYM, dependency evidence, immutable full-validation manifest,
-     postpublish evidence, and stable-main closeout manifest.
-   - Download each immutable evidence asset and its `.sha256` companion, then
-     verify the checksum before trusting the release record.
+     dSYM, dependency evidence when present.
 2. Root npm:
   - `npm view openclaw@<VERSION> version dist-tags.latest dist.tarball dist.integrity time.<VERSION> --json`
   - `latest` must equal `<VERSION>` for stable.
   - Record tarball, integrity, publish time.
-   - Confirm the release postpublish evidence records
-     `npmRegistrySignaturesVerified: true` and
-     `npmProvenanceAttestationMatched: true`.
 3. Plugin publish set:
   - Get exact tag metadata from GitHub, not the local checkout when dirty:
     download `https://api.github.com/repos/openclaw/openclaw/tarball/v<VERSION>`
@@ -63,9 +57,6 @@ publish skill; use `$release-openclaw-maintainer` before changing release state.
     Full Release Validation, OpenClaw Release Checks, OpenClaw NPM Release,
     Plugin NPM Release, Plugin ClawHub Release, mac preflight/validation/publish
     when stable mac assets are expected.
-   - For stable, verify `OpenClaw Stable Main Closeout` succeeded and its
-     manifest records the matching release tag, current rollback drill, stable
-     soak, and blocking performance evidence.
   - Summarize only relevant successful/failed jobs; ignore routine skipped
     optional lanes unless the release body promised them.
 6. Published package smoke:
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -12,9 +12,14 @@
 /.github/workflows/codeql-android-critical-security.yml @openclaw/openclaw-secops
 /.github/workflows/codeql-critical-quality.yml @openclaw/openclaw-secops
 /.github/workflows/dependency-guard.yml @openclaw/openclaw-secops
+/.github/workflows/security-sensitive-guard.yml @openclaw/openclaw-secops
 /test/scripts/dependency-guard-workflow.test.ts @openclaw/openclaw-secops
 /test/scripts/dependency-guard-script.test.ts @openclaw/openclaw-secops
+/test/scripts/security-sensitive-guard-workflow.test.ts @openclaw/openclaw-secops
+/test/scripts/security-sensitive-guard-script.test.ts @openclaw/openclaw-secops
 /scripts/github/dependency-guard.mjs @openclaw/openclaw-secops
+/scripts/github/security-sensitive-guard.mjs @openclaw/openclaw-secops
+/.gitignore @openclaw/openclaw-secops
 /package-lock.json @openclaw/openclaw-secops
 /npm-shrinkwrap.json @openclaw/openclaw-secops
 /extensions/*/package-lock.json @openclaw/openclaw-secops
--- a/.github/actions/docker-e2e-plan/action.yml
+++ b/.github/actions/docker-e2e-plan/action.yml
@@ -113,7 +113,7 @@ runs:

    - name: Download OpenClaw Docker E2E package
      if: inputs.hydrate-artifacts == 'true' && steps.plan.outputs.needs_package == '1'
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+      uses: actions/download-artifact@v8
      with:
        name: ${{ inputs.package-artifact-name }}
        path: .artifacts/docker-e2e-package
--- a/.github/actions/setup-node-env/action.yml
+++ b/.github/actions/setup-node-env/action.yml
@@ -139,7 +139,7 @@ runs:

    - name: Save pnpm store cache
      if: ${{ inputs.install-deps == 'true' && inputs.use-actions-cache == 'true' && inputs.save-actions-cache == 'true' && runner.os != 'Windows' && steps.setup-pnpm.outputs.store-cache-hit != 'true' }}
-      uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      uses: actions/cache/save@v5
      with:
        path: ${{ steps.setup-pnpm.outputs.store-path }}
        key: ${{ steps.setup-pnpm.outputs.store-cache-primary-key }}
--- a/.github/actions/setup-pnpm-store-cache/action.yml
+++ b/.github/actions/setup-pnpm-store-cache/action.yml
@@ -92,7 +92,7 @@ runs:
    - name: Restore pnpm store cache
      id: pnpm-store-cache
      if: ${{ inputs.use-actions-cache == 'true' && runner.os != 'Windows' }}
-      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      uses: actions/cache/restore@v5
      with:
        path: ${{ steps.pnpm-store.outputs.path }}
        key: pnpm-store-${{ runner.os }}-${{ runner.arch }}-${{ inputs.node-version }}-${{ hashFiles(inputs.package-manager-file) }}-${{ hashFiles(inputs.lockfile-path) }}
--- a/.github/workflows/auto-response.yml
+++ b/.github/workflows/auto-response.yml
@@ -25,24 +25,24 @@ jobs:
      pull-requests: write
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@v6
        with:
          ref: ${{ github.sha }}
          persist-credentials: false
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token
        continue-on-error: true
        with:
          app-id: "2729701"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token-fallback
        if: steps.app-token.outcome == 'failure'
        with:
          app-id: "2971289"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
      - name: Run Barnacle auto-response
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
          script: |
--- a/.github/workflows/ci-build-artifacts-testbox.yml
+++ b/.github/workflows/ci-build-artifacts-testbox.yml
@@ -140,7 +140,7 @@ jobs:

      - name: Restore dist build cache
        id: dist-cache
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache/restore@v5
        with:
          path: |
            .artifacts/build-all-cache/
@@ -175,7 +175,7 @@ jobs:

      - name: Save dist build cache
        if: steps.dist-cache.outputs.cache-hit != 'true'
-        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache/save@v5
        with:
          path: |
            .artifacts/build-all-cache/
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -598,7 +598,7 @@ jobs:
          install-bun: "false"

      - name: Restore build-all step cache
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v5
        with:
          path: .artifacts/build-all-cache
          key: ${{ runner.os }}-build-all-v3-${{ hashFiles('package.json', 'pnpm-lock.yaml', 'npm-shrinkwrap.json', 'packages/plugin-sdk/package.json', 'packages/llm-core/package.json', 'packages/model-catalog-core/package.json', 'packages/memory-host-sdk/package.json', 'scripts/build-all.mjs', 'scripts/write-plugin-sdk-entry-dts.ts', 'scripts/lib/plugin-sdk-entries.mjs', 'tsconfig.json', 'tsconfig.plugin-sdk.dts.json', 'src/plugin-sdk/**', 'packages/llm-core/src/**', 'packages/model-catalog-core/src/**', 'packages/memory-host-sdk/src/**', 'src/types/**', 'src/video-generation/dashscope-compatible.ts', 'src/video-generation/types.ts', 'scripts/copy-export-html-templates.ts', 'scripts/lib/copy-assets.ts', 'src/auto-reply/reply/export-html/**') }}
@@ -607,7 +607,7 @@ jobs:

      - name: Restore dist build cache
        id: dist_build_cache
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache/restore@v5
        with:
          path: |
            dist/
@@ -630,14 +630,14 @@ jobs:
        run: tar --posix -cf dist-runtime-build.tar.zst --use-compress-program zstdmt dist dist-runtime

      - name: Upload built runtime artifacts
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: dist-runtime-build
          path: dist-runtime-build.tar.zst
          retention-days: 1

      - name: Upload bundled plugin asset artifacts
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: bundled-plugin-assets
          path: |
@@ -668,7 +668,7 @@ jobs:

      - name: Upload startup memory report
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: startup-memory
          path: .artifacts/startup-memory/
@@ -757,7 +757,7 @@ jobs:

      - name: Save dist build cache
        if: steps.dist_build_cache.outputs.cache-hit != 'true'
-        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache/save@v5
        continue-on-error: true
        with:
          path: |
@@ -769,7 +769,7 @@ jobs:

      - name: Upload gateway watch regression artifacts
        if: always() && needs.preflight.outputs.run_check_additional == 'true'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: gateway-watch-regression
          path: .local/gateway-watch-regression/
@@ -1339,7 +1339,7 @@ jobs:

      - name: Upload deadcode reports
        if: ${{ always() && matrix.task == 'dependencies' }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: deadcode-reports
          path: .artifacts/deadcode
@@ -1428,7 +1428,7 @@ jobs:
      - name: Cache extension package boundary artifacts
        id: extension-package-boundary-cache
        if: matrix.group == 'extension-package-boundary'
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v5
        with:
          path: |
            dist/plugin-sdk
@@ -1696,7 +1696,7 @@ jobs:
          git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout

      - name: Setup Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        uses: actions/setup-python@v6
        with:
          python-version: "3.12"

@@ -1965,7 +1965,7 @@ jobs:
          echo "key=$toolchain_key" >> "$GITHUB_OUTPUT"

      - name: Cache SwiftPM
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v5
        with:
          path: ~/Library/Caches/org.swift.swiftpm
          key: ${{ runner.os }}-swiftpm-${{ hashFiles('apps/macos/Package.resolved') }}
@@ -1974,7 +1974,7 @@ jobs:

      - name: Cache Swift build directory
        id: swift-build-cache
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v5
        with:
          path: apps/macos/.build
          key: ${{ runner.os }}-swift-build-v2-${{ steps.swift-toolchain.outputs.key }}-${{ hashFiles('apps/macos/Package.swift', 'apps/macos/Package.resolved', 'apps/macos/Sources/**', 'apps/macos/Tests/**', 'apps/shared/OpenClawKit/Package.swift', 'apps/shared/OpenClawKit/Sources/**', 'apps/swabble/Package.swift', 'apps/swabble/Sources/**') }}
@@ -2105,7 +2105,7 @@ jobs:
          exit 1

      - name: Setup Java
-        uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 # v5
+        uses: actions/setup-java@v5
        with:
          distribution: temurin
          # Keep sdkmanager on the stable JDK path for Linux CI runners.
@@ -2117,7 +2117,7 @@ jobs:
            apps/android/gradle/libs.versions.toml

      - name: Cache Android SDK
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v5
        with:
          path: ~/.android-sdk
          key: ${{ runner.os }}-android-sdk-v1-cmdline-14742923-platform-37.0-build-tools-36.0.0
@@ -2204,7 +2204,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout timing summary helper
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || needs.preflight.outputs.checkout_revision || github.sha }}
          fetch-depth: 1
@@ -2220,7 +2220,7 @@ jobs:
          cat ci-timings-summary.txt >> "$GITHUB_STEP_SUMMARY"

      - name: Upload CI timing summary
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: ci-timings-summary
          path: ci-timings-summary.txt
--- a/.github/workflows/control-ui-locale-refresh.yml
+++ b/.github/workflows/control-ui-locale-refresh.yml
@@ -35,7 +35,7 @@ jobs:
      locales_json: ${{ steps.plan.outputs.locales_json }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -112,7 +112,7 @@ jobs:
    name: Refresh ${{ matrix.locale }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: true
          submodules: false
--- a/.github/workflows/crabbox-hydrate.yml
+++ b/.github/workflows/crabbox-hydrate.yml
@@ -45,12 +45,12 @@ jobs:
    runs-on: [self-hosted, "${{ inputs.crabbox_runner_label }}"]
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref || github.ref }}

      - name: Setup Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v6
        with:
          node-version: "24"

@@ -328,12 +328,12 @@ jobs:
    runs-on: [self-hosted, "${{ inputs.crabbox_runner_label }}"]
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref || github.ref }}

      - name: Setup Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v6
        with:
          node-version: "24"

@@ -561,7 +561,7 @@ jobs:
    runs-on: [self-hosted, "${{ inputs.crabbox_runner_label }}"]
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref || github.ref }}

--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -49,7 +49,7 @@ jobs:
          fi

      - name: Checkout selected tag
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: refs/tags/${{ inputs.tag }}
          fetch-depth: 0
@@ -83,7 +83,7 @@ jobs:
      browser_digest: ${{ steps.build-browser.outputs.digest }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
          fetch-depth: 0
@@ -293,7 +293,7 @@ jobs:
      browser_digest: ${{ steps.build-browser.outputs.digest }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
          fetch-depth: 0
@@ -500,7 +500,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
          fetch-depth: 0
@@ -595,7 +595,7 @@ jobs:
      packages: read
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          fetch-depth: 1

--- a/.github/workflows/docs-agent.yml
+++ b/.github/workflows/docs-agent.yml
@@ -33,7 +33,7 @@ jobs:
    timeout-minutes: 30
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: main
          fetch-depth: 0
--- a/.github/workflows/docs-sync-publish.yml
+++ b/.github/workflows/docs-sync-publish.yml
@@ -25,13 +25,13 @@ jobs:

      - name: Checkout source repo
        if: env.OPENCLAW_DOCS_SYNC_TOKEN != ''
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Checkout ClawHub docs source
        if: env.OPENCLAW_DOCS_SYNC_TOKEN != ''
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          repository: openclaw/clawhub
          path: clawhub-source
@@ -41,7 +41,7 @@ jobs:

      - name: Setup Node
        if: env.OPENCLAW_DOCS_SYNC_TOKEN != ''
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v6
        with:
          node-version: "24.x"

--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -24,7 +24,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          fetch-depth: 1
          fetch-tags: false
@@ -37,7 +37,7 @@ jobs:
          install-bun: "false"

      - name: Checkout ClawHub docs source
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          repository: openclaw/clawhub
          path: clawhub-source
--- a/.github/workflows/duplicate-after-merge.yml
+++ b/.github/workflows/duplicate-after-merge.yml
@@ -35,7 +35,8 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
+
      - name: Close confirmed duplicates
        env:
          APPLY: ${{ inputs.apply }}
--- a/.github/workflows/full-release-validation.yml
+++ b/.github/workflows/full-release-validation.yml
@@ -36,7 +36,7 @@ on:
          - stable
          - full
      run_release_soak:
-        description: Run exhaustive live/Docker and upgrade-survivor soak lanes; forced on for stable and full release profiles
+        description: Run exhaustive live/Docker and upgrade-survivor soak lanes; forced on for release_profile=full
        required: false
        default: false
        type: boolean
@@ -130,7 +130,7 @@ jobs:
      sha: ${{ steps.resolve.outputs.sha }}
    steps:
      - name: Checkout trusted workflow helper
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.ref_name }}
          path: workflow
@@ -158,7 +158,7 @@ jobs:
          PACKAGE_ACCEPTANCE_PACKAGE_SPEC: ${{ inputs.package_acceptance_package_spec }}
          CODEX_PLUGIN_SPEC: ${{ inputs.codex_plugin_spec }}
          RELEASE_PROFILE: ${{ inputs.release_profile }}
-          RUN_RELEASE_SOAK: ${{ inputs.run_release_soak || inputs.release_profile == 'stable' || inputs.release_profile == 'full' }}
+          RUN_RELEASE_SOAK: ${{ inputs.run_release_soak || inputs.release_profile == 'full' }}
          RERUN_GROUP: ${{ inputs.rerun_group }}
          LIVE_SUITE_FILTER: ${{ inputs.live_suite_filter }}
          CROSS_OS_SUITE_FILTER: ${{ inputs.cross_os_suite_filter }}
@@ -234,7 +234,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout target SHA
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.resolve_target.outputs.sha }}
          fetch-depth: 1
@@ -537,7 +537,7 @@ jobs:
          PROVIDER: ${{ inputs.provider }}
          MODE: ${{ inputs.mode }}
          RELEASE_PROFILE: ${{ inputs.release_profile }}
-          RUN_RELEASE_SOAK: ${{ inputs.run_release_soak || inputs.release_profile == 'stable' || inputs.release_profile == 'full' }}
+          RUN_RELEASE_SOAK: ${{ inputs.run_release_soak || inputs.release_profile == 'full' }}
          RERUN_GROUP: ${{ inputs.rerun_group }}
          LIVE_SUITE_FILTER: ${{ inputs.live_suite_filter }}
          CROSS_OS_SUITE_FILTER: ${{ inputs.cross_os_suite_filter }}
@@ -780,7 +780,7 @@ jobs:
      source_sha: ${{ steps.package.outputs.source_sha }}
    steps:
      - name: Checkout trusted workflow ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: true
          ref: ${{ github.ref_name }}
@@ -826,7 +826,7 @@ jobs:
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Upload release package artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-package-under-test
          path: |
@@ -1017,7 +1017,7 @@ jobs:
            echo "- Repeat: \`3\`"
            echo "- Deep profile: \`false\`"
            echo "- Live OpenAI candidate: \`false\`"
-            echo "- Release impact: blocking"
+            echo "- Release impact: advisory"
          } >> "$GITHUB_STEP_SUMMARY"

          dispatch_output="$(gh_with_retry workflow run openclaw-performance.yml \
@@ -1027,7 +1027,7 @@ jobs:
            -f repeat=3 \
            -f deep_profile=false \
            -f live_openai_candidate=false \
-            -f fail_on_regression=true)"
+            -f fail_on_regression=false)"
          printf '%s\n' "$dispatch_output"
          run_id="$(
            printf '%s\n' "$dispatch_output" |
@@ -1036,8 +1036,8 @@ jobs:
          )"

          if [[ -z "$run_id" ]]; then
-            echo "::error::gh workflow run openclaw-performance.yml did not return an Actions run URL; refusing to guess from recent workflow_dispatch runs." >&2
-            exit 1
+            echo "::warning::gh workflow run openclaw-performance.yml did not return an Actions run URL; refusing to guess from recent workflow_dispatch runs."
+            exit 0
          fi

          echo "Dispatched openclaw-performance.yml: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${run_id}"
@@ -1072,9 +1072,8 @@ jobs:
          echo "url=${url}" >> "$GITHUB_OUTPUT"
          echo "conclusion=${conclusion}" >> "$GITHUB_OUTPUT"
          if [[ "$conclusion" != "success" ]]; then
-            echo "::error::OpenClaw Performance ended with ${conclusion}: ${url}"
+            echo "::warning::OpenClaw Performance is advisory and ended with ${conclusion}: ${url}"
            gh_with_retry run view "$run_id" --json jobs --jq '.jobs[] | select(.conclusion != "success" and .conclusion != "skipped") | {name, conclusion, url}' || true
-            exit 1
          fi

  summary:
@@ -1365,7 +1364,6 @@ jobs:
          normal_ci_required=0
          plugin_prerelease_required=0
          release_checks_required=0
-          performance_required=0
          if [[ "$RERUN_GROUP" == "all" && "$DOCKER_RUNTIME_ASSETS_PREFLIGHT_RESULT" != "success" ]]; then
            echo "::error::Docker runtime-assets preflight ended with ${DOCKER_RUNTIME_ASSETS_PREFLIGHT_RESULT}."
            failed=1
@@ -1373,7 +1371,6 @@ jobs:
            normal_ci_required=1
            plugin_prerelease_required=1
            release_checks_required=1
-            performance_required=1
          else
            case "$RERUN_GROUP" in
              ci)
@@ -1385,9 +1382,6 @@ jobs:
              release-checks|install-smoke|cross-os|live-e2e|package|qa|qa-parity|qa-live)
                release_checks_required=1
                ;;
-              performance)
-                performance_required=1
-                ;;
            esac
          fi

@@ -1421,12 +1415,6 @@ jobs:
            check_child "npm_telegram" "$NPM_TELEGRAM_RUN_ID" 1 || failed=1
          fi

-          if [[ "$PERFORMANCE_RESULT" == "skipped" && -z "${PERFORMANCE_RUN_ID// }" ]]; then
-            check_child "product_performance" "" "$performance_required" || failed=1
-          else
-            check_child "product_performance" "$PERFORMANCE_RUN_ID" "$performance_required" || failed=1
-          fi
-
          summarize_child_timing "normal_ci" "$NORMAL_CI_RUN_ID"
          summarize_child_timing "plugin_prerelease" "$PLUGIN_PRERELEASE_RUN_ID"
          summarize_child_timing "release_checks" "$RELEASE_CHECKS_RUN_ID"
@@ -1438,7 +1426,6 @@ jobs:
            summarize_failed_child "plugin_prerelease" "$PLUGIN_PRERELEASE_RUN_ID"
            summarize_failed_child "release_checks" "$RELEASE_CHECKS_RUN_ID"
            summarize_failed_child "npm_telegram" "$NPM_TELEGRAM_RUN_ID"
-            summarize_failed_child "product_performance" "$PERFORMANCE_RUN_ID"
          fi

          exit "$failed"
@@ -1525,13 +1512,12 @@ jobs:
          TARGET_SHA: ${{ needs.resolve_target.outputs.sha }}
          RELEASE_PROFILE: ${{ inputs.release_profile }}
          RERUN_GROUP: ${{ inputs.rerun_group }}
-          RUN_RELEASE_SOAK: ${{ inputs.run_release_soak || inputs.release_profile == 'stable' || inputs.release_profile == 'full' }}
+          RUN_RELEASE_SOAK: ${{ inputs.run_release_soak || inputs.release_profile == 'full' }}
          NORMAL_CI_RUN_ID: ${{ needs.normal_ci.outputs.run_id }}
          PLUGIN_PRERELEASE_RUN_ID: ${{ needs.plugin_prerelease.outputs.run_id }}
          RELEASE_CHECKS_RUN_ID: ${{ needs.release_checks.outputs.run_id }}
          NPM_TELEGRAM_RUN_ID: ${{ needs.npm_telegram.outputs.run_id }}
          PERFORMANCE_RUN_ID: ${{ needs.performance.outputs.run_id }}
-          PERFORMANCE_CONCLUSION: ${{ needs.performance.outputs.conclusion }}
        run: |
          set -euo pipefail
          manifest_dir="${RUNNER_TEMP}/full-release-validation"
@@ -1551,9 +1537,8 @@ jobs:
            --arg releaseChecksRunId "$RELEASE_CHECKS_RUN_ID" \
            --arg npmTelegramRunId "$NPM_TELEGRAM_RUN_ID" \
            --arg performanceRunId "$PERFORMANCE_RUN_ID" \
-            --arg performanceConclusion "$PERFORMANCE_CONCLUSION" \
            '{
-              version: 2,
+              version: 1,
              workflowName: $workflowName,
              runId: $runId,
              runAttempt: $runAttempt,
@@ -1563,26 +1548,18 @@ jobs:
              releaseProfile: $releaseProfile,
              rerunGroup: $rerunGroup,
              runReleaseSoak: $runReleaseSoak,
-              controls: {
-                stableSoakRequired: ($releaseProfile == "stable" or $releaseProfile == "full"),
-                performanceBlocking: true
-              },
              childRuns: {
                normalCi: $normalCiRunId,
                pluginPrerelease: $pluginPrereleaseRunId,
                releaseChecks: $releaseChecksRunId,
                npmTelegram: $npmTelegramRunId,
-                productPerformance: {
-                  runId: $performanceRunId,
-                  conclusion: $performanceConclusion,
-                  blocking: true
-                }
+                productPerformance: $performanceRunId
              }
            }' > "${manifest_dir}/full-release-validation-manifest.json"

      - name: Upload release validation manifest
        if: ${{ success() }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: full-release-validation-${{ github.run_id }}
          path: ${{ runner.temp }}/full-release-validation
--- a/.github/workflows/install-smoke.yml
+++ b/.github/workflows/install-smoke.yml
@@ -56,7 +56,7 @@ jobs:
      dockerfile_image: ${{ steps.manifest.outputs.dockerfile_image }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref || github.ref }}
          fetch-depth: 1
@@ -106,7 +106,7 @@ jobs:
      DOCKER_BUILD_RECORD_UPLOAD: "false"
    steps:
      - name: Checkout CLI
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref || github.ref }}
          persist-credentials: false
@@ -217,7 +217,7 @@ jobs:
      DOCKER_BUILD_RECORD_UPLOAD: "false"
    steps:
      - name: Checkout CLI
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref || github.ref }}
          persist-credentials: false
@@ -289,7 +289,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout CLI
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref || github.ref }}
          persist-credentials: false
@@ -305,7 +305,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout CLI
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref || github.ref }}
          persist-credentials: false
@@ -411,7 +411,7 @@ jobs:
      DOCKER_BUILD_RECORD_UPLOAD: "false"
    steps:
      - name: Checkout CLI
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref || github.ref }}
          persist-credentials: false
@@ -499,7 +499,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout CLI
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref || github.ref }}
          persist-credentials: false
@@ -538,7 +538,7 @@ jobs:
      DOCKER_BUILD_RECORD_UPLOAD: "false"
    steps:
      - name: Checkout CLI
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref || github.ref }}
          persist-credentials: false
--- a/.github/workflows/ios-periphery-comment.yml
+++ b/.github/workflows/ios-periphery-comment.yml
@@ -24,7 +24,7 @@ jobs:
      github.event.workflow_run.name == 'iOS Periphery Dead Code'
    steps:
      - name: Upsert Periphery PR comment
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const fs = require("node:fs");
--- a/.github/workflows/ios-periphery.yml
+++ b/.github/workflows/ios-periphery.yml
@@ -25,7 +25,7 @@ jobs:
    steps:
      - name: Detect changed paths
        id: scope
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            if (context.eventName === "workflow_dispatch") {
@@ -65,7 +65,7 @@ jobs:
    timeout-minutes: 45
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          fetch-depth: 1
          fetch-tags: false
@@ -216,7 +216,7 @@ jobs:

      - name: Upload Periphery report
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: ios-periphery-dead-code-${{ github.run_id }}-${{ github.run_attempt }}
          path: ${{ runner.temp }}/ios-periphery
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -32,25 +32,25 @@ jobs:
      pull-requests: write
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token
        continue-on-error: true
        with:
          app-id: "2729701"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token-fallback
        if: steps.app-token.outcome == 'failure'
        with:
          app-id: "2971289"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
-      - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6
+      - uses: actions/labeler@v6
        with:
          configuration-path: .github/labeler.yml
          repo-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
          sync-labels: true
      - name: Apply PR size label
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
          script: |
@@ -139,7 +139,7 @@ jobs:
              labels: [targetSizeLabel],
            });
      - name: Apply maintainer or trusted-contributor label
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
          script: |
@@ -210,7 +210,7 @@ jobs:
            //   });
            // }
      - name: Apply beta-blocker title label
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
          script: |
@@ -263,7 +263,7 @@ jobs:
              });
            }
      - name: Apply too-many-prs label
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
          script: |
@@ -466,20 +466,20 @@ jobs:
      pull-requests: write
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token
        continue-on-error: true
        with:
          app-id: "2729701"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token-fallback
        if: steps.app-token.outcome == 'failure'
        with:
          app-id: "2971289"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
      - name: Backfill PR labels
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
          script: |
@@ -765,20 +765,20 @@ jobs:
      issues: write
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token
        continue-on-error: true
        with:
          app-id: "2729701"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token-fallback
        if: steps.app-token.outcome == 'failure'
        with:
          app-id: "2971289"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
      - name: Apply maintainer or trusted-contributor label
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
          script: |
@@ -849,7 +849,7 @@ jobs:
            //   });
            // }
      - name: Apply beta-blocker title label
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
          script: |
--- a/.github/workflows/live-media-runner-image.yml
+++ b/.github/workflows/live-media-runner-image.yml
@@ -26,7 +26,8 @@ jobs:
    timeout-minutes: 30
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
+
      - name: Login to GHCR
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
--- a/.github/workflows/macos-release.yml
+++ b/.github/workflows/macos-release.yml
@@ -43,7 +43,7 @@ jobs:
          fi

      - name: Checkout selected tag
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: refs/tags/${{ inputs.tag }}
          fetch-depth: 0
--- a/.github/workflows/maintainer-command-reactions.yml
+++ b/.github/workflows/maintainer-command-reactions.yml
@@ -21,7 +21,7 @@ jobs:
      MAINTAINER_COMMAND_REACTIONS: ${{ vars.MAINTAINER_COMMAND_REACTIONS || '/autoclose,/clawsweeper autoclose,/clawsweeper automerge,/merge,/land,/landpr' }}
    steps:
      - name: React to maintainer slash command
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const comment = context.payload.comment;
--- a/.github/workflows/mantis-discord-smoke.yml
+++ b/.github/workflows/mantis-discord-smoke.yml
@@ -37,7 +37,7 @@ jobs:
    steps:
      - name: Require maintainer-level repository access
        id: permission
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const allowed = new Set(["admin", "maintain", "write"]);
@@ -68,7 +68,7 @@ jobs:
      trusted_reason: ${{ steps.validate.outputs.trusted_reason }}
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ inputs.ref }}
@@ -131,7 +131,7 @@ jobs:
    environment: qa-live-shared
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
@@ -166,7 +166,7 @@ jobs:

      - name: Upload Mantis artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: mantis-discord-smoke-${{ github.run_id }}-${{ github.run_attempt }}
          path: .artifacts/qa-e2e/mantis/
--- a/.github/workflows/mantis-discord-status-reactions.yml
+++ b/.github/workflows/mantis-discord-status-reactions.yml
@@ -56,7 +56,7 @@ jobs:
    steps:
      - name: Require maintainer-level repository access
        id: permission
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const allowed = new Set(["admin", "maintain", "write"]);
@@ -91,7 +91,7 @@ jobs:
    steps:
      - name: Resolve refs and target PR
        id: resolve
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const defaultBaseline = "0bf06e953fdda290799fc9fb9244a8f67fdae593";
@@ -179,7 +179,7 @@ jobs:
      candidate_revision: ${{ steps.validate.outputs.candidate_revision }}
    steps:
      - name: Checkout harness ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -245,7 +245,7 @@ jobs:
    environment: qa-live-shared
    steps:
      - name: Checkout harness ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -260,7 +260,7 @@ jobs:
        run: pnpm build

      - name: Setup Go for Crabbox CLI
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
        with:
          go-version: "1.26.x"
          cache: false
@@ -535,7 +535,7 @@ jobs:
      - name: Upload Mantis status reaction artifacts
        id: upload_artifact
        if: ${{ always() && steps.run_mantis.outputs.output_dir != '' }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: mantis-discord-status-reactions-${{ github.run_id }}-${{ github.run_attempt }}
          path: ${{ steps.run_mantis.outputs.output_dir }}
@@ -545,7 +545,7 @@ jobs:
      - name: Create Mantis GitHub App token
        id: mantis_app_token
        if: ${{ always() && needs.resolve_request.outputs.pr_number != '' }}
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.MANTIS_GITHUB_APP_ID }}
          private-key: ${{ secrets.MANTIS_GITHUB_APP_PRIVATE_KEY }}
@@ -590,7 +590,7 @@ jobs:
      issues: write
    steps:
      - name: Remove workflow eyes reaction
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const { owner, repo } = context.repo;
--- a/.github/workflows/mantis-discord-thread-attachment.yml
+++ b/.github/workflows/mantis-discord-thread-attachment.yml
@@ -56,7 +56,7 @@ jobs:
    steps:
      - name: Require maintainer-level repository access
        id: permission
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const allowed = new Set(["admin", "maintain", "write"]);
@@ -91,7 +91,7 @@ jobs:
    steps:
      - name: Resolve refs and target PR
        id: resolve
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const defaultBaseline = "synthetic-reverted-thread-filepath-fix";
@@ -177,7 +177,7 @@ jobs:
      candidate_revision: ${{ steps.validate.outputs.candidate_revision }}
    steps:
      - name: Checkout harness ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -235,7 +235,7 @@ jobs:
      output_dir: ${{ steps.run_mantis.outputs.output_dir }}
    steps:
      - name: Checkout harness ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -250,7 +250,7 @@ jobs:
        run: pnpm build

      - name: Setup Go for Crabbox CLI
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
        with:
          go-version: "1.26.x"
          cache: false
@@ -543,7 +543,7 @@ jobs:
      - name: Upload Mantis thread attachment artifacts
        id: upload_artifact
        if: ${{ always() && steps.run_mantis.outputs.output_dir != '' }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: mantis-discord-thread-attachment-${{ github.run_id }}-${{ github.run_attempt }}
          path: ${{ steps.run_mantis.outputs.output_dir }}
@@ -553,7 +553,7 @@ jobs:
      - name: Create Mantis GitHub App token
        id: mantis_app_token
        if: ${{ always() && needs.resolve_request.outputs.pr_number != '' }}
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.MANTIS_GITHUB_APP_ID }}
          private-key: ${{ secrets.MANTIS_GITHUB_APP_PRIVATE_KEY }}
@@ -612,7 +612,7 @@ jobs:
      issues: write
    steps:
      - name: Remove workflow eyes reaction
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const { owner, repo } = context.repo;
--- a/.github/workflows/mantis-slack-desktop-smoke.yml
+++ b/.github/workflows/mantis-slack-desktop-smoke.yml
@@ -81,7 +81,7 @@ jobs:
    steps:
      - name: Require maintainer-level repository access
        id: permission
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const allowed = new Set(["admin", "maintain", "write"]);
@@ -111,7 +111,7 @@ jobs:
      candidate_revision: ${{ steps.validate.outputs.candidate_revision }}
    steps:
      - name: Checkout harness ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -165,7 +165,7 @@ jobs:
    environment: qa-live-shared
    steps:
      - name: Checkout harness ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -180,7 +180,7 @@ jobs:
        run: pnpm build

      - name: Cache Mantis candidate pnpm store
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v5
        with:
          path: |
            ~/.local/share/pnpm/store
@@ -190,7 +190,7 @@ jobs:
            mantis-slack-pnpm-${{ runner.os }}-${{ env.NODE_VERSION }}-

      - name: Setup Go for Crabbox CLI
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
        with:
          go-version: "1.26.x"
          cache: false
@@ -453,7 +453,7 @@ jobs:
      - name: Upload Mantis Slack desktop artifacts
        id: upload_artifact
        if: ${{ always() && steps.run_mantis.outputs.output_dir != '' }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: mantis-slack-desktop-smoke-${{ github.run_id }}-${{ github.run_attempt }}
          path: ${{ steps.run_mantis.outputs.output_dir }}
@@ -463,7 +463,7 @@ jobs:
      - name: Create Mantis GitHub App token
        id: mantis_app_token
        if: ${{ always() && inputs.pr_number != '' }}
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.MANTIS_GITHUB_APP_ID }}
          private-key: ${{ secrets.MANTIS_GITHUB_APP_PRIVATE_KEY }}
--- a/.github/workflows/mantis-telegram-desktop-proof.yml
+++ b/.github/workflows/mantis-telegram-desktop-proof.yml
@@ -79,7 +79,7 @@ jobs:
    steps:
      - name: Require maintainer-level repository access
        id: permission
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            if (context.eventName === "pull_request_target") {
@@ -125,7 +125,7 @@ jobs:
    steps:
      - name: Resolve refs and target PR
        id: resolve
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const eventName = context.eventName;
@@ -223,7 +223,7 @@ jobs:
      candidate_trust: ${{ steps.validate.outputs.candidate_trust }}
    steps:
      - name: Checkout harness ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: main
          persist-credentials: false
@@ -350,7 +350,7 @@ jobs:
          done

      - name: Checkout harness ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -362,7 +362,7 @@ jobs:
          install-bun: "true"

      - name: Setup Go for Crabbox CLI
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
        with:
          go-version: "1.26.x"
          cache: false
@@ -551,7 +551,7 @@ jobs:
      - name: Upload Mantis Telegram desktop artifacts
        id: upload_artifact
        if: ${{ always() && steps.inspect.outputs.output_dir != '' }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: mantis-telegram-desktop-proof-${{ github.run_id }}-${{ github.run_attempt }}
          path: ${{ steps.inspect.outputs.output_dir }}
@@ -561,7 +561,7 @@ jobs:
      - name: Create Mantis GitHub App token
        id: mantis_app_token
        if: ${{ always() && needs.resolve_request.outputs.pr_number != '' }}
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.MANTIS_GITHUB_APP_ID }}
          private-key: ${{ secrets.MANTIS_GITHUB_APP_PRIVATE_KEY }}
@@ -620,7 +620,7 @@ jobs:
    environment: qa-live-shared
    steps:
      - name: Checkout harness ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

@@ -663,7 +663,7 @@ jobs:

      - name: Create Mantis GitHub App token
        id: mantis_app_token
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.MANTIS_GITHUB_APP_ID }}
          private-key: ${{ secrets.MANTIS_GITHUB_APP_PRIVATE_KEY }}
@@ -709,7 +709,7 @@ jobs:
      issues: write
    steps:
      - name: Remove workflow eyes reaction
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const { owner, repo } = context.repo;
--- a/.github/workflows/mantis-telegram-live.yml
+++ b/.github/workflows/mantis-telegram-live.yml
@@ -68,7 +68,7 @@ jobs:
    steps:
      - name: Require maintainer-level repository access
        id: permission
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const allowed = new Set(["admin", "maintain", "write"]);
@@ -105,7 +105,7 @@ jobs:
    steps:
      - name: Resolve refs and target PR
        id: resolve
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const eventName = context.eventName;
@@ -209,7 +209,7 @@ jobs:
      candidate_revision: ${{ steps.validate.outputs.candidate_revision }}
    steps:
      - name: Checkout harness ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -312,7 +312,7 @@ jobs:
          done

      - name: Checkout harness ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -327,7 +327,7 @@ jobs:
        run: pnpm build

      - name: Cache Mantis candidate pnpm store
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+        uses: actions/cache@v5
        with:
          path: |
            ~/.local/share/pnpm/store
@@ -337,7 +337,7 @@ jobs:
            mantis-telegram-pnpm-${{ runner.os }}-${{ env.NODE_VERSION }}-

      - name: Setup Go for Crabbox CLI
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
        with:
          go-version: "1.26.x"
          cache: false
@@ -501,7 +501,7 @@ jobs:
      - name: Upload Mantis Telegram artifacts
        id: upload_artifact
        if: ${{ always() && steps.run_mantis.outputs.output_dir != '' }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: mantis-telegram-live-${{ github.run_id }}-${{ github.run_attempt }}
          path: ${{ steps.run_mantis.outputs.output_dir }}
@@ -511,7 +511,7 @@ jobs:
      - name: Create Mantis GitHub App token
        id: mantis_app_token
        if: ${{ always() && needs.resolve_request.outputs.pr_number != '' }}
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.MANTIS_GITHUB_APP_ID }}
          private-key: ${{ secrets.MANTIS_GITHUB_APP_PRIVATE_KEY }}
@@ -572,7 +572,7 @@ jobs:
      issues: write
    steps:
      - name: Remove workflow eyes reaction
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            const { owner, repo } = context.repo;
--- a/.github/workflows/npm-telegram-beta-e2e.yml
+++ b/.github/workflows/npm-telegram-beta-e2e.yml
@@ -120,7 +120,7 @@ jobs:
      DOCKER_BUILD_RECORD_UPLOAD: "false"
    steps:
      - name: Checkout dispatch ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.harness_ref || github.sha }}
          fetch-depth: 1
@@ -190,14 +190,14 @@ jobs:

      - name: Download package-under-test artifact
        if: inputs.package_artifact_name != '' && inputs.package_artifact_run_id == ''
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: ${{ inputs.package_artifact_name }}
          path: .artifacts/telegram-package-under-test

      - name: Download package-under-test artifact from release run
        if: inputs.package_artifact_name != '' && inputs.package_artifact_run_id != ''
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: ${{ inputs.package_artifact_name }}
          path: .artifacts/telegram-package-under-test
@@ -268,7 +268,7 @@ jobs:

      - name: Upload npm Telegram E2E artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: npm-telegram-beta-e2e-${{ github.run_id }}-${{ github.run_attempt }}
          path: .artifacts/qa-e2e/
--- a/.github/workflows/openclaw-cross-os-release-checks-reusable.yml
+++ b/.github/workflows/openclaw-cross-os-release-checks-reusable.yml
@@ -332,7 +332,7 @@ jobs:
          esac

      - name: Checkout workflow repo
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          repository: ${{ env.OPENCLAW_REPOSITORY }}
          ref: ${{ steps.workflow_ref.outputs.value }}
@@ -342,7 +342,7 @@ jobs:

      - name: Checkout public source ref
        if: inputs.candidate_artifact_name == ''
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          repository: ${{ env.OPENCLAW_REPOSITORY }}
          ref: ${{ inputs.ref }}
@@ -352,7 +352,7 @@ jobs:
          submodules: recursive

      - name: Setup Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v6
        with:
          node-version: ${{ env.NODE_VERSION }}

@@ -379,14 +379,14 @@ jobs:

      - name: Download current-run candidate artifact
        if: inputs.candidate_artifact_name != '' && inputs.candidate_artifact_run_id == ''
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: ${{ inputs.candidate_artifact_name }}
          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/prepare/package

      - name: Download previous-run candidate artifact
        if: inputs.candidate_artifact_name != '' && inputs.candidate_artifact_run_id != ''
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: ${{ inputs.candidate_artifact_name }}
          run-id: ${{ inputs.candidate_artifact_run_id }}
@@ -510,7 +510,7 @@ jobs:
          NODE

      - name: Upload candidate artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: openclaw-cross-os-release-checks-candidate-${{ github.run_id }}
          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/prepare/package/${{ steps.candidate_metadata.outputs.file_name }}
@@ -518,7 +518,7 @@ jobs:

      - name: Upload baseline artifact
        if: ${{ inputs.mode != 'fresh' }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: openclaw-cross-os-release-checks-baseline-${{ github.run_id }}
          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/prepare/baseline/${{ steps.baseline_metadata.outputs.file_name }}
@@ -558,7 +558,7 @@ jobs:
    timeout-minutes: 60
    steps:
      - name: Checkout workflow repo
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          repository: ${{ env.OPENCLAW_REPOSITORY }}
          ref: ${{ needs.prepare.outputs.workflow_ref }}
@@ -567,7 +567,7 @@ jobs:
          persist-credentials: true

      - name: Setup Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v6
        with:
          node-version: ${{ env.NODE_VERSION }}

@@ -582,14 +582,14 @@ jobs:
      - name: Download candidate artifact
        id: download_candidate
        continue-on-error: true
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: openclaw-cross-os-release-checks-candidate-${{ github.run_id }}
          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/candidate

      - name: Retry candidate artifact download
        if: ${{ steps.download_candidate.outcome == 'failure' }}
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: openclaw-cross-os-release-checks-candidate-${{ github.run_id }}
          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/candidate
@@ -598,14 +598,14 @@ jobs:
        if: ${{ matrix.suite == 'packaged-upgrade' }}
        id: download_baseline
        continue-on-error: true
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: openclaw-cross-os-release-checks-baseline-${{ github.run_id }}
          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/baseline

      - name: Retry baseline artifact download
        if: ${{ matrix.suite == 'packaged-upgrade' && steps.download_baseline.outcome == 'failure' }}
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: openclaw-cross-os-release-checks-baseline-${{ github.run_id }}
          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/baseline
@@ -684,7 +684,7 @@ jobs:

      - name: Upload release-check artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: openclaw-cross-os-release-checks-${{ matrix.artifact_name }}-${{ matrix.suite }}-${{ github.run_id }}
          path: ${{ runner.temp }}/openclaw-cross-os-release-checks/${{ matrix.artifact_name }}-${{ matrix.suite }}
--- a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
+++ b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
@@ -329,7 +329,7 @@ jobs:
      trusted_reason: ${{ steps.validate.outputs.trusted_reason }}
    steps:
      - name: Checkout workflow repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0

@@ -493,7 +493,7 @@ jobs:
      live_models_omitted_json: ${{ steps.plan.outputs.live_models_omitted_json }}
    steps:
      - name: Checkout trusted release harness
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.sha }}
@@ -523,7 +523,7 @@ jobs:
      OPENCLAW_LIVE_TEST: "1"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
          fetch-depth: 1
@@ -570,7 +570,7 @@ jobs:
      OPENCLAW_VITEST_MAX_WORKERS: "2"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
          fetch-depth: 1
@@ -614,7 +614,7 @@ jobs:
      OPENCLAW_VITEST_MAX_WORKERS: "1"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
          fetch-depth: 1
@@ -740,7 +740,7 @@ jobs:
    steps:
      - name: Checkout selected ref
        if: contains(matrix.profiles, inputs.release_test_profile)
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
@@ -748,7 +748,7 @@ jobs:

      - name: Checkout trusted release harness
        if: contains(matrix.profiles, inputs.release_test_profile)
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.sha }}
@@ -801,7 +801,7 @@ jobs:

      - name: Download OpenClaw Docker E2E package
        if: contains(matrix.profiles, inputs.release_test_profile) && steps.plan.outputs.needs_package == '1'
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: ${{ inputs.package_artifact_name || 'docker-e2e-package' }}
          path: .artifacts/docker-e2e-package
@@ -894,7 +894,7 @@ jobs:

      - name: Upload Docker E2E chunk artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: docker-e2e-${{ matrix.chunk_id }}
          path: .artifacts/docker-tests/
@@ -910,7 +910,7 @@ jobs:
      groups_json: ${{ steps.groups.outputs.groups_json }}
    steps:
      - name: Checkout trusted release harness
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.sha }}
@@ -1002,14 +1002,14 @@ jobs:
      DOCKER_E2E_LANES: ${{ matrix.group.docker_lanes }}
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
          fetch-depth: 1

      - name: Checkout trusted release harness
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.sha }}
@@ -1062,7 +1062,7 @@ jobs:

      - name: Download OpenClaw Docker E2E package
        if: steps.plan.outputs.needs_package == '1'
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: ${{ inputs.package_artifact_name || 'docker-e2e-package' }}
          path: .artifacts/docker-e2e-package
@@ -1154,7 +1154,7 @@ jobs:

      - name: Upload targeted Docker E2E artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: docker-e2e-${{ steps.plan.outputs.artifact_suffix }}
          path: .artifacts/docker-tests/
@@ -1179,13 +1179,13 @@ jobs:
      OPENCLAW_SKIP_DOCKER_BUILD: "1"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
          fetch-depth: 1

      - name: Checkout trusted release harness
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.sha }}
          fetch-depth: 1
@@ -1229,7 +1229,7 @@ jobs:

      - name: Download OpenClaw Docker E2E package
        if: steps.plan.outputs.needs_package == '1'
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: ${{ inputs.package_artifact_name || 'docker-e2e-package' }}
          path: .artifacts/docker-e2e-package
@@ -1281,7 +1281,7 @@ jobs:

      - name: Upload Open WebUI Docker E2E artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: docker-e2e-openwebui
          path: .artifacts/docker-tests/
@@ -1312,13 +1312,13 @@ jobs:
      OPENCLAW_DOCKER_E2E_REPO_ROOT: ${{ github.workspace }}
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
          fetch-depth: 1

      - name: Checkout trusted release harness
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.sha }}
          fetch-depth: 1
@@ -1364,14 +1364,14 @@ jobs:

      - name: Download current-run OpenClaw Docker E2E package
        if: steps.plan.outputs.needs_package == '1' && inputs.package_artifact_name != '' && inputs.package_artifact_run_id == ''
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: ${{ inputs.package_artifact_name }}
          path: .artifacts/docker-e2e-package

      - name: Download previous-run OpenClaw Docker E2E package
        if: steps.plan.outputs.needs_package == '1' && inputs.package_artifact_run_id != ''
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: ${{ inputs.package_artifact_name || 'docker-e2e-package' }}
          path: .artifacts/docker-e2e-package
@@ -1421,7 +1421,7 @@ jobs:

      - name: Upload OpenClaw Docker E2E package
        if: steps.plan.outputs.needs_package == '1' && (inputs.package_artifact_name == '' || inputs.package_artifact_run_id != '')
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ inputs.package_artifact_name || 'docker-e2e-package' }}
          path: .artifacts/docker-e2e-package/openclaw-current.tgz
@@ -1581,7 +1581,7 @@ jobs:
      DOCKER_BUILD_RECORD_UPLOAD: "false"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
          fetch-depth: 1
@@ -1693,14 +1693,14 @@ jobs:
    steps:
      - name: Checkout selected ref
        if: contains(matrix.profiles, inputs.release_test_profile)
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
          fetch-depth: 1

      - name: Checkout trusted live Docker harness
        if: contains(matrix.profiles, inputs.release_test_profile)
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.sha }}
          fetch-depth: 1
@@ -1815,13 +1815,13 @@ jobs:
      OPENCLAW_VITEST_MAX_WORKERS: "2"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
          fetch-depth: 1

      - name: Checkout trusted live Docker harness
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.sha }}
          fetch-depth: 1
@@ -2187,14 +2187,14 @@ jobs:
    steps:
      - name: Checkout selected ref
        if: contains(matrix.profiles, inputs.release_test_profile) && (inputs.live_suite_filter == '' || inputs.live_suite_filter == matrix.suite_id || (inputs.live_suite_filter == 'native-live-src-gateway-profiles-anthropic' && startsWith(matrix.suite_id, 'native-live-src-gateway-profiles-anthropic-')) || (inputs.live_suite_filter == 'native-live-src-gateway-profiles-opencode-go' && startsWith(matrix.suite_id, 'native-live-src-gateway-profiles-opencode-go-')))
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
          fetch-depth: 1

      - name: Checkout trusted live shard harness
        if: contains(matrix.profiles, inputs.release_test_profile) && (inputs.live_suite_filter == '' || inputs.live_suite_filter == matrix.suite_id || (inputs.live_suite_filter == 'native-live-src-gateway-profiles-anthropic' && startsWith(matrix.suite_id, 'native-live-src-gateway-profiles-anthropic-')) || (inputs.live_suite_filter == 'native-live-src-gateway-profiles-opencode-go' && startsWith(matrix.suite_id, 'native-live-src-gateway-profiles-opencode-go-')))
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.sha }}
          fetch-depth: 1
@@ -2409,14 +2409,14 @@ jobs:
    steps:
      - name: Checkout selected ref
        if: contains(matrix.profiles, inputs.release_test_profile) && (inputs.live_suite_filter == '' || inputs.live_suite_filter == matrix.suite_id || (inputs.live_suite_filter == 'live-gateway-advisory-docker' && startsWith(matrix.suite_id, 'live-gateway-advisory-docker-')))
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
          fetch-depth: 1

      - name: Checkout trusted live shard harness
        if: contains(matrix.profiles, inputs.release_test_profile) && (inputs.live_suite_filter == '' || inputs.live_suite_filter == matrix.suite_id || (inputs.live_suite_filter == 'live-gateway-advisory-docker' && startsWith(matrix.suite_id, 'live-gateway-advisory-docker-')))
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.sha }}
          fetch-depth: 1
@@ -2623,14 +2623,14 @@ jobs:
    steps:
      - name: Checkout selected ref
        if: contains(matrix.profiles, inputs.release_test_profile) && (inputs.live_suite_filter == '' || inputs.live_suite_filter == matrix.suite_id || (inputs.live_suite_filter == 'native-live-extensions-media-video' && startsWith(matrix.suite_id, 'native-live-extensions-media-video-')))
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.validate_selected_ref.outputs.selected_sha }}
          fetch-depth: 1

      - name: Checkout trusted live shard harness
        if: contains(matrix.profiles, inputs.release_test_profile) && (inputs.live_suite_filter == '' || inputs.live_suite_filter == matrix.suite_id || (inputs.live_suite_filter == 'native-live-extensions-media-video' && startsWith(matrix.suite_id, 'native-live-extensions-media-video-')))
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.sha }}
          fetch-depth: 1
--- a/.github/workflows/openclaw-npm-release.yml
+++ b/.github/workflows/openclaw-npm-release.yml
@@ -87,7 +87,7 @@ jobs:
          exit 1

      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.tag }}
          fetch-depth: 0
@@ -354,7 +354,7 @@ jobs:
          node --import tsx scripts/openclaw-npm-prepublish-verify.ts "$TARBALL_PATH" "$PACKAGE_VERSION"

      - name: Upload dependency release evidence
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: openclaw-release-dependency-evidence-${{ inputs.tag }}
          path: ${{ steps.dependency_evidence.outputs.dir }}
@@ -362,14 +362,14 @@ jobs:

      - name: Upload dependency release evidence tag alias
        if: ${{ steps.packed_tarball.outputs.release_tag != inputs.tag }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: openclaw-release-dependency-evidence-${{ steps.packed_tarball.outputs.release_tag }}
          path: ${{ steps.dependency_evidence.outputs.dir }}
          if-no-files-found: error

      - name: Upload prepared npm publish bundle
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: openclaw-npm-preflight-${{ inputs.tag }}
          path: ${{ steps.packed_tarball.outputs.dir }}
@@ -377,7 +377,7 @@ jobs:

      - name: Upload prepared npm publish bundle tag alias
        if: ${{ steps.packed_tarball.outputs.release_tag != inputs.tag }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: openclaw-npm-preflight-${{ steps.packed_tarball.outputs.release_tag }}
          path: ${{ steps.packed_tarball.outputs.dir }}
@@ -391,7 +391,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

@@ -492,7 +492,7 @@ jobs:
          fi

      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: refs/tags/${{ inputs.tag }}
          fetch-depth: 0
@@ -611,7 +611,7 @@ jobs:

      - name: Download full release validation manifest
        if: ${{ inputs.full_release_validation_run_id != '' }}
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: full-release-validation-${{ inputs.full_release_validation_run_id }}
          path: full-release-validation
@@ -677,8 +677,6 @@ jobs:

      - name: Verify full release validation target
        if: ${{ inputs.full_release_validation_run_id != '' }}
-        env:
-          RELEASE_TAG: ${{ inputs.tag }}
        run: |
          set -euo pipefail
          EXPECTED_RELEASE_SHA="$(git rev-parse HEAD)"
@@ -691,8 +689,6 @@ jobs:
          WORKFLOW_NAME="$(jq -r '.workflowName // ""' "$MANIFEST_FILE")"
          TARGET_SHA="$(jq -r '.targetSha // ""' "$MANIFEST_FILE")"
          RERUN_GROUP="$(jq -r '.rerunGroup // ""' "$MANIFEST_FILE")"
-          RUN_RELEASE_SOAK="$(jq -r '.runReleaseSoak // ""' "$MANIFEST_FILE")"
-          PERFORMANCE_BLOCKING="$(jq -r '.controls.performanceBlocking // false' "$MANIFEST_FILE")"
          if [[ "$WORKFLOW_NAME" != "Full Release Validation" ]]; then
            echo "Full release validation manifest workflow mismatch: $WORKFLOW_NAME" >&2
            exit 1
@@ -705,14 +701,6 @@ jobs:
            echo "Full release validation must run rerun_group=all before npm publish; got $RERUN_GROUP" >&2
            exit 1
          fi
-          if [[ "$PERFORMANCE_BLOCKING" != "true" ]]; then
-            echo "Full release validation manifest does not record blocking product performance evidence." >&2
-            exit 1
-          fi
-          if [[ "$RELEASE_TAG" != *"-alpha."* && "$RELEASE_TAG" != *"-beta."* && "$RUN_RELEASE_SOAK" != "true" ]]; then
-            echo "Stable releases require Full Release Validation with runReleaseSoak=true." >&2
-            exit 1
-          fi

      - name: Resolve publish tarball
        id: publish_tarball
--- a/.github/workflows/openclaw-performance.yml
+++ b/.github/workflows/openclaw-performance.yml
@@ -145,7 +145,7 @@ jobs:

      - name: Checkout OpenClaw
        if: steps.lane.outputs.run == 'true'
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.target_ref || github.ref }}
          fetch-depth: 1
@@ -153,7 +153,7 @@ jobs:

      - name: Checkout performance workflow helpers
        if: steps.lane.outputs.run == 'true'
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.sha }}
          path: .artifacts/performance-workflow
@@ -556,7 +556,7 @@ jobs:

      - name: Upload Kova artifacts
        if: ${{ always() && steps.lane.outputs.run == 'true' }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: openclaw-performance-${{ matrix.lane }}-${{ github.run_id }}-${{ github.run_attempt }}
          path: |
--- a/.github/workflows/openclaw-release-checks.yml
+++ b/.github/workflows/openclaw-release-checks.yml
@@ -40,7 +40,7 @@ on:
          - stable
          - full
      run_release_soak:
-        description: Run exhaustive live/Docker and upgrade-survivor soak lanes; forced on for release_profile=stable and full
+        description: Run exhaustive live/Docker and upgrade-survivor soak lanes; forced on for release_profile=full
        required: false
        default: false
        type: boolean
@@ -152,7 +152,7 @@ jobs:
          fi

      - name: Checkout trusted workflow helper
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.ref_name }}
@@ -173,7 +173,7 @@ jobs:

      - name: Checkout selected ref for reachability fallback
        if: steps.fast_ref.outputs.fallback == 'true'
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ inputs.ref }}
@@ -330,7 +330,7 @@ jobs:
              exit 1
              ;;
          esac
-          if [[ "$release_profile" == "stable" || "$release_profile" == "full" ]]; then
+          if [[ "$release_profile" == "full" ]]; then
            run_release_soak=true
          fi
          codex_plugin_spec="$RELEASE_CODEX_PLUGIN_SPEC_INPUT"
@@ -507,7 +507,7 @@ jobs:
      source_sha: ${{ steps.package.outputs.source_sha }}
    steps:
      - name: Checkout trusted workflow ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: true
          ref: ${{ github.ref_name }}
@@ -559,7 +559,7 @@ jobs:
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Upload release package artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-package-under-test
          path: |
@@ -798,7 +798,7 @@ jobs:
      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: true
          ref: ${{ needs.resolve_target.outputs.revision }}
@@ -849,7 +849,7 @@ jobs:
      - name: Upload parity lane artifacts
        id: upload_parity_lane_artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-qa-parity-${{ matrix.lane }}-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
@@ -895,7 +895,7 @@ jobs:

      - name: Upload advisory status
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-check-status-qa-parity-${{ matrix.lane }}-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/release-check-status/qa_lab_parity_lane_release_checks-${{ matrix.lane }}.env
@@ -917,7 +917,7 @@ jobs:
      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: true
          ref: ${{ needs.resolve_target.outputs.revision }}
@@ -930,7 +930,7 @@ jobs:
          install-bun: "true"

      - name: Download parity lane artifacts
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          pattern: release-qa-parity-*-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
@@ -955,7 +955,7 @@ jobs:
      - name: Upload parity artifacts
        id: upload_parity_artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-qa-parity-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
@@ -999,7 +999,7 @@ jobs:

      - name: Upload advisory status
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-check-status-qa-parity-report-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/release-check-status/qa_lab_parity_report_release_checks.env
@@ -1028,7 +1028,7 @@ jobs:
      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: true
          ref: ${{ needs.resolve_target.outputs.revision }}
@@ -1127,7 +1127,7 @@ jobs:
      - name: Upload runtime parity artifacts
        id: upload_runtime_parity_artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-qa-runtime-parity-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
@@ -1171,7 +1171,7 @@ jobs:

      - name: Upload advisory status
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-check-status-qa-runtime-parity-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/release-check-status/qa_lab_runtime_parity_release_checks.env
@@ -1192,7 +1192,7 @@ jobs:
      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: true
          ref: ${{ needs.resolve_target.outputs.revision }}
@@ -1205,7 +1205,7 @@ jobs:
          install-bun: "true"

      - name: Download runtime parity status
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: release-check-status-qa-runtime-parity-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/release-check-status/
@@ -1226,7 +1226,7 @@ jobs:

      - name: Download runtime parity artifacts
        if: steps.verify_runtime_parity_status.outputs.ready == 'true'
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: release-qa-runtime-parity-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
@@ -1243,7 +1243,7 @@ jobs:

      - name: Upload runtime tool coverage artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-qa-runtime-tool-coverage-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/runtime-parity-standard-report/
@@ -1266,7 +1266,7 @@ jobs:
      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: true
          ref: ${{ needs.resolve_target.outputs.revision }}
@@ -1323,7 +1323,7 @@ jobs:
      - name: Upload Matrix QA artifacts
        id: upload_matrix_qa_artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-qa-live-matrix-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
@@ -1367,7 +1367,7 @@ jobs:

      - name: Upload advisory status
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-check-status-qa-live-matrix-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/release-check-status/qa_live_matrix_release_checks.env
@@ -1390,7 +1390,7 @@ jobs:
      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: true
          ref: ${{ needs.resolve_target.outputs.revision }}
@@ -1463,7 +1463,7 @@ jobs:
      - name: Upload Telegram QA artifacts
        id: upload_telegram_qa_artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-qa-live-telegram-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
@@ -1507,7 +1507,7 @@ jobs:

      - name: Upload advisory status
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-check-status-qa-live-telegram-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/release-check-status/qa_live_telegram_release_checks.env
@@ -1530,7 +1530,7 @@ jobs:
      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: true
          ref: ${{ needs.resolve_target.outputs.revision }}
@@ -1603,7 +1603,7 @@ jobs:
      - name: Upload Discord QA artifacts
        id: upload_discord_qa_artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-qa-live-discord-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
@@ -1647,7 +1647,7 @@ jobs:

      - name: Upload advisory status
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-check-status-qa-live-discord-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/release-check-status/qa_live_discord_release_checks.env
@@ -1673,7 +1673,7 @@ jobs:
      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: true
          ref: ${{ needs.resolve_target.outputs.revision }}
@@ -1746,7 +1746,7 @@ jobs:
      - name: Upload WhatsApp QA artifacts
        id: upload_whatsapp_qa_artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-qa-live-whatsapp-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
@@ -1790,7 +1790,7 @@ jobs:

      - name: Upload advisory status
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-check-status-qa-live-whatsapp-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/release-check-status/qa_live_whatsapp_release_checks.env
@@ -1813,7 +1813,7 @@ jobs:
      OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: true
          ref: ${{ needs.resolve_target.outputs.revision }}
@@ -1886,7 +1886,7 @@ jobs:
      - name: Upload Slack QA artifacts
        id: upload_slack_qa_artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-qa-live-slack-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
@@ -1930,7 +1930,7 @@ jobs:

      - name: Upload advisory status
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: release-check-status-qa-live-slack-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/release-check-status/qa_live_slack_release_checks.env
@@ -1964,7 +1964,7 @@ jobs:
      - name: Download advisory status artifacts
        if: always()
        continue-on-error: true
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          pattern: release-check-status-*
          path: .artifacts/release-check-status
--- a/.github/workflows/openclaw-release-publish.yml
+++ b/.github/workflows/openclaw-release-publish.yml
@@ -290,7 +290,7 @@ jobs:

      - name: Download full release validation manifest
        if: ${{ inputs.publish_openclaw_npm }}
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: full-release-validation-${{ inputs.full_release_validation_run_id }}
          path: ${{ runner.temp }}/full-release-validation-manifest
@@ -299,7 +299,7 @@ jobs:
          github-token: ${{ github.token }}

      - name: Checkout release tag
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: refs/tags/${{ inputs.tag }}
          fetch-depth: 0
@@ -359,7 +359,6 @@ jobs:
        env:
          GH_TOKEN: ${{ github.token }}
          FULL_RELEASE_VALIDATION_RUN_ID: ${{ inputs.full_release_validation_run_id }}
-          RELEASE_TAG: ${{ inputs.tag }}
          EXPECTED_SHA: ${{ steps.ref.outputs.sha }}
          EXPECTED_RELEASE_PROFILE: ${{ inputs.release_profile }}
          EXPECTED_WORKFLOW_BRANCH: ${{ github.ref_name }}
@@ -378,8 +377,6 @@ jobs:
          target_sha="$(jq -r '.targetSha // ""' "$manifest")"
          release_profile="$(jq -r '.releaseProfile // ""' "$manifest")"
          rerun_group="$(jq -r '.rerunGroup // ""' "$manifest")"
-          run_release_soak="$(jq -r '.runReleaseSoak // ""' "$manifest")"
-          performance_blocking="$(jq -r '.controls.performanceBlocking // false' "$manifest")"
          if [[ "$workflow_name" != "Full Release Validation" ]]; then
            echo "Full release validation manifest workflow mismatch: $workflow_name" >&2
            exit 1
@@ -396,14 +393,6 @@ jobs:
            echo "Full release validation must run rerun_group=all before npm publish; got $rerun_group" >&2
            exit 1
          fi
-          if [[ "$performance_blocking" != "true" ]]; then
-            echo "Full release validation manifest does not record blocking product performance evidence." >&2
-            exit 1
-          fi
-          if [[ "$RELEASE_TAG" != *"-alpha."* && "$RELEASE_TAG" != *"-beta."* && "$run_release_soak" != "true" ]]; then
-            echo "Stable releases require Full Release Validation with runReleaseSoak=true." >&2
-            exit 1
-          fi
          echo "release_profile=$release_profile" >> "$GITHUB_OUTPUT"

      - name: Validate release tag is reachable from a trusted release branch
@@ -466,22 +455,12 @@ jobs:
    environment: npm-release
    steps:
      - name: Checkout release SHA
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.resolve_release_target.outputs.sha }}
          fetch-depth: 1
          persist-credentials: false

-      - name: Download full release validation manifest
-        if: ${{ inputs.publish_openclaw_npm }}
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
-        with:
-          name: full-release-validation-${{ inputs.full_release_validation_run_id }}
-          path: ${{ runner.temp }}/full-release-validation-manifest
-          repository: ${{ github.repository }}
-          run-id: ${{ inputs.full_release_validation_run_id }}
-          github-token: ${{ github.token }}
-
      - name: Setup Node environment
        uses: ./.github/actions/setup-node-env
        with:
@@ -505,7 +484,6 @@ jobs:
          WINDOWS_NODE_TAG: ${{ inputs.windows_node_tag }}
          WINDOWS_NODE_INSTALLER_DIGESTS: ${{ needs.resolve_release_target.outputs.windows_node_installer_digests }}
          POSTPUBLISH_EVIDENCE_DIR: ${{ runner.temp }}/openclaw-release-postpublish-evidence
-          FULL_RELEASE_VALIDATION_MANIFEST_DIR: ${{ runner.temp }}/full-release-validation-manifest
        run: |
          set -euo pipefail

@@ -1082,75 +1060,13 @@ jobs:
              exit 1
            fi

-            (
-              cd "${download_dir}"
-              find dependency-evidence -type f -print | LC_ALL=C sort | zip -X -q "${asset_path}" -@
-            )
-            attach_or_verify_release_asset "${asset_path}" "${asset_name}"
+            (cd "${download_dir}" && zip -qr "${asset_path}" dependency-evidence)
+            gh release upload "${RELEASE_TAG}" "${asset_path}#${asset_name}" \
+              --repo "${GITHUB_REPOSITORY}" \
+              --clobber
            echo "- Dependency evidence asset: \`${asset_name}\`" >> "$GITHUB_STEP_SUMMARY"
          }

-          attach_or_verify_release_asset() {
-            local source_path="$1"
-            local asset_name="$2"
-            local existing_dir="${RUNNER_TEMP}/openclaw-release-existing-assets/${asset_name}"
-            local existing_path="${existing_dir}/${asset_name}"
-
-            if gh release view "${RELEASE_TAG}" --repo "${GITHUB_REPOSITORY}" --json assets |
-              jq -e --arg name "${asset_name}" 'any(.assets[]?; .name == $name)' >/dev/null; then
-              rm -rf "${existing_dir}"
-              mkdir -p "${existing_dir}"
-              gh release download "${RELEASE_TAG}" --repo "${GITHUB_REPOSITORY}" \
-                --pattern "${asset_name}" --dir "${existing_dir}"
-              cmp --silent "${source_path}" "${existing_path}" || {
-                echo "Existing release evidence asset ${asset_name} differs from this release run." >&2
-                exit 1
-              }
-              return
-            fi
-
-            gh release upload "${RELEASE_TAG}" "${source_path}#${asset_name}" --repo "${GITHUB_REPOSITORY}"
-          }
-
-          upload_release_evidence_assets() {
-            local release_version manifest_path evidence_path manifest_asset evidence_asset
-            release_version="${RELEASE_TAG#v}"
-            manifest_path="${FULL_RELEASE_VALIDATION_MANIFEST_DIR}/full-release-validation-manifest.json"
-            evidence_path="${POSTPUBLISH_EVIDENCE_DIR}/release-postpublish-evidence.json"
-            manifest_asset="openclaw-${release_version}-release-manifest.json"
-            evidence_asset="openclaw-${release_version}-postpublish-evidence.json"
-
-            if [[ ! -f "${manifest_path}" ]]; then
-              echo "Full release validation manifest is missing from ${FULL_RELEASE_VALIDATION_MANIFEST_DIR}." >&2
-              exit 1
-            fi
-            if [[ ! -f "${evidence_path}" ]]; then
-              echo "Postpublish release evidence is missing from ${POSTPUBLISH_EVIDENCE_DIR}." >&2
-              exit 1
-            fi
-
-            cp "${manifest_path}" "${RUNNER_TEMP}/${manifest_asset}"
-            cp "${evidence_path}" "${RUNNER_TEMP}/${evidence_asset}"
-            (
-              cd "${RUNNER_TEMP}"
-              sha256sum "${manifest_asset}" > "${manifest_asset}.sha256"
-              sha256sum "${evidence_asset}" > "${evidence_asset}.sha256"
-            )
-
-            attach_or_verify_release_asset "${RUNNER_TEMP}/${manifest_asset}" "${manifest_asset}"
-            attach_or_verify_release_asset \
-              "${RUNNER_TEMP}/${manifest_asset}.sha256" \
-              "${manifest_asset}.sha256"
-            attach_or_verify_release_asset "${RUNNER_TEMP}/${evidence_asset}" "${evidence_asset}"
-            attach_or_verify_release_asset \
-              "${RUNNER_TEMP}/${evidence_asset}.sha256" \
-              "${evidence_asset}.sha256"
-            {
-              echo "- Immutable release manifest: \`${manifest_asset}\`"
-              echo "- Immutable postpublish evidence: \`${evidence_asset}\`"
-            } >> "$GITHUB_STEP_SUMMARY"
-          }
-
          verify_published_release() {
            local release_version evidence_path skip_clawhub clawhub_runtime_state_path
            local -a verify_args
@@ -1189,10 +1105,6 @@ jobs:
            fi

            pnpm "${verify_args[@]}"
-            jq --arg release_publish_run_id "$GITHUB_RUN_ID" \
-              '.releasePublishRunId = $release_publish_run_id' \
-              "${evidence_path}" > "${evidence_path}.next"
-            mv "${evidence_path}.next" "${evidence_path}"
            {
              echo "- Postpublish verification: passed"
              echo "- Postpublish evidence: \`${evidence_path}\`"
@@ -1470,7 +1382,6 @@ jobs:
            fi
            create_or_update_github_release
            upload_dependency_evidence_release_asset
-            upload_release_evidence_assets
            if ! promote_windows_release_assets; then
              failed=1
            fi
@@ -1487,7 +1398,7 @@ jobs:

      - name: Upload postpublish evidence
        if: ${{ always() }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: openclaw-release-postpublish-evidence-${{ inputs.tag }}
          path: ${{ runner.temp }}/openclaw-release-postpublish-evidence
--- a/.github/workflows/openclaw-stable-main-closeout.yml
+++ b/.github/workflows/openclaw-stable-main-closeout.yml
@@ -1,384 +0,0 @@
-name: OpenClaw Stable Main Closeout
-
-on:
-  push:
-    branches: [main]
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: Stable OpenClaw tag to replay or repair, for example v2026.6.8 or v2026.6.8-2
-        required: false
-        type: string
-      rollback_drill_id:
-        description: Opaque identifier for the current private rollback drill record
-        required: false
-        type: string
-      rollback_drill_date:
-        description: UTC date of the private rollback drill in YYYY-MM-DD form; must be within 90 days
-        required: false
-        type: string
-
-permissions:
-  actions: read
-  contents: write
-
-concurrency:
-  group: openclaw-stable-main-closeout
-  cancel-in-progress: false
-
-jobs:
-  resolve:
-    name: Resolve stable release closeout inputs
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10
-    outputs:
-      full_release_validation_run_id: ${{ steps.inputs.outputs.full_release_validation_run_id }}
-      release_publish_run_id: ${{ steps.inputs.outputs.release_publish_run_id }}
-      rollback_drill_date: ${{ steps.inputs.outputs.rollback_drill_date }}
-      rollback_drill_id: ${{ steps.inputs.outputs.rollback_drill_id }}
-      evidence_tag: ${{ steps.inputs.outputs.evidence_tag }}
-      fallback_correction: ${{ steps.inputs.outputs.fallback_correction }}
-      main_ref: ${{ steps.inputs.outputs.main_ref }}
-      repair_partial_closeout: ${{ steps.inputs.outputs.repair_partial_closeout }}
-      should_closeout: ${{ steps.inputs.outputs.should_closeout }}
-      tag: ${{ steps.inputs.outputs.tag }}
-    steps:
-      - name: Checkout pushed main
-        if: ${{ github.event_name == 'push' }}
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
-        with:
-          ref: ${{ github.sha }}
-          fetch-depth: 1
-          persist-credentials: false
-
-      - name: Resolve published stable release evidence
-        id: inputs
-        env:
-          EVENT_NAME: ${{ github.event_name }}
-          GH_TOKEN: ${{ github.token }}
-          MANUAL_TAG: ${{ inputs.tag }}
-          ROLLBACK_DRILL_DATE: ${{ inputs.rollback_drill_date || vars.RELEASE_ROLLBACK_DRILL_DATE }}
-          ROLLBACK_DRILL_ID: ${{ inputs.rollback_drill_id || vars.RELEASE_ROLLBACK_DRILL_ID }}
-          TRIGGER_SHA: ${{ github.sha }}
-        run: |
-          set -euo pipefail
-          if [[ "$EVENT_NAME" == "push" ]]; then
-            main_ref="$TRIGGER_SHA"
-            tag="$(gh release list --repo "$GITHUB_REPOSITORY" --exclude-drafts --limit 100 \
-              --json tagName,isPrerelease,publishedAt \
-              --jq '[.[] | select(.isPrerelease | not) | select(.tagName | test("^v[0-9]{4}\\.[0-9]+\\.[0-9]+(-[0-9]+)?$"))] | sort_by(.publishedAt) | last | .tagName // empty')"
-            if [[ -z "$tag" ]]; then
-              echo "should_closeout=false" >> "$GITHUB_OUTPUT"
-              exit 0
-            fi
-          else
-            tag="$MANUAL_TAG"
-          fi
-          if [[ ! "$tag" =~ ^v[0-9]{4}\.[0-9]+\.[0-9]+(-[0-9]+)?$ ]]; then
-            if [[ "$EVENT_NAME" == "push" ]]; then
-              echo "should_closeout=false" >> "$GITHUB_OUTPUT"
-              exit 0
-            fi
-            echo "Stable main closeout accepts only a stable vYYYY.M.PATCH or vYYYY.M.PATCH-N tag, got $tag." >&2
-            exit 1
-          fi
-          release_asset_version="${tag#v}"
-          release_package_version="$release_asset_version"
-          fallback_package_version="$release_asset_version"
-          if [[ "$release_package_version" =~ ^(.+)-[0-9]+$ ]]; then
-            fallback_package_version="${BASH_REMATCH[1]}"
-          fi
-          tag_package_version="$(gh api "repos/$GITHUB_REPOSITORY/contents/package.json?ref=$tag" \
-            --jq '.content' | tr -d '\n' | base64 --decode | jq -r '.version // empty')"
-          fallback_correction=false
-          evidence_source_tag="$tag"
-          if [[ "$release_package_version" != "$fallback_package_version" &&
-            "$tag_package_version" == "$fallback_package_version" ]]; then
-            fallback_correction=true
-            evidence_source_tag="v$fallback_package_version"
-          elif [[ "$tag_package_version" != "$release_package_version" ]]; then
-            echo "Stable closeout requires $tag package.json to match $release_package_version, or the legacy fallback package version $fallback_package_version." >&2
-            exit 1
-          fi
-          evidence_version="${evidence_source_tag#v}"
-          evidence_asset="openclaw-${evidence_version}-postpublish-evidence.json"
-          evidence_checksum_asset="${evidence_asset}.sha256"
-          closeout_asset="openclaw-${release_asset_version}-stable-main-closeout.json"
-          closeout_checksum_asset="${closeout_asset}.sha256"
-          closeout_dir="$RUNNER_TEMP/release-closeout-evidence"
-          mkdir -p "$closeout_dir"
-          gh release download "$tag" --repo "$GITHUB_REPOSITORY" \
-            --pattern "$closeout_asset" --pattern "$closeout_checksum_asset" --dir "$closeout_dir" || true
-          closeout_json_path="$closeout_dir/$closeout_asset"
-          closeout_checksum_path="$closeout_dir/$closeout_checksum_asset"
-          repair_partial_closeout=false
-          existing_closeout_full_release_validation_run_id=""
-          existing_closeout_release_publish_run_id=""
-          if [[ -f "$closeout_json_path" && -f "$closeout_checksum_path" ]]; then
-            expected_closeout_digest="$(awk 'NF { print $1; exit }' "$closeout_checksum_path")"
-            actual_closeout_digest="$(sha256sum "$closeout_json_path" | awk '{print $1}')"
-            if [[ ! "$expected_closeout_digest" =~ ^[0-9a-f]{64}$ ||
-              "$expected_closeout_digest" != "$actual_closeout_digest" ]]; then
-              echo "Stable closeout evidence for $tag has an invalid checksum; refusing to repair it." >&2
-              exit 1
-            fi
-          fi
-          if [[ -f "$closeout_checksum_path" && ! -f "$closeout_json_path" ]]; then
-            echo "Stable closeout evidence for $tag has a checksum without its manifest; refusing to repair it." >&2
-            exit 1
-          fi
-          if [[ -f "$closeout_json_path" ]]; then
-            existing_closeout_tag="$(jq -r '.releaseTag // empty' "$closeout_json_path")"
-            existing_closeout_version="$(jq -r '.releaseVersion // empty' "$closeout_json_path")"
-            existing_closeout_release_tag_sha="$(jq -r '.releaseTagSha // empty' "$closeout_json_path")"
-            existing_closeout_main_ref="$(jq -r '.mainSha // empty' "$closeout_json_path")"
-            existing_closeout_full_release_validation_run_id="$(jq -r '.fullReleaseValidationRunId // empty' "$closeout_json_path")"
-            existing_closeout_release_publish_run_id="$(jq -r '.releasePublishRunId // empty' "$closeout_json_path")"
-            existing_closeout_rollback_drill_id="$(jq -r '.rollbackDrill.id // empty' "$closeout_json_path")"
-            existing_closeout_rollback_drill_date="$(jq -r '.rollbackDrill.date // empty' "$closeout_json_path")"
-            if [[ "$existing_closeout_tag" != "$tag" ||
-              "$existing_closeout_version" != "$tag_package_version" ||
-              ! "$existing_closeout_release_tag_sha" =~ ^[0-9a-f]{40}$ ||
-              ! "$existing_closeout_main_ref" =~ ^[0-9a-f]{40}$ ||
-              -z "$existing_closeout_full_release_validation_run_id" ||
-              -z "$existing_closeout_release_publish_run_id" ||
-              -z "$existing_closeout_rollback_drill_id" ||
-              ! "$existing_closeout_rollback_drill_date" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]]; then
-              echo "Stable closeout manifest for $tag is incomplete; refusing to repair it." >&2
-              exit 1
-            fi
-            main_ref="$existing_closeout_main_ref"
-            ROLLBACK_DRILL_ID="$existing_closeout_rollback_drill_id"
-            ROLLBACK_DRILL_DATE="$existing_closeout_rollback_drill_date"
-            repair_partial_closeout=true
-          elif [[ "$EVENT_NAME" == "push" ]]; then
-            main_version="$(jq -r '.version // empty' package.json)"
-            if [[ "$main_version" != "$release_package_version" &&
-              "$main_version" != "$fallback_package_version" ]]; then
-              echo "should_closeout=false" >> "$GITHUB_OUTPUT"
-              exit 0
-            fi
-          else
-            main_ref="main"
-          fi
-          evidence_dir="$RUNNER_TEMP/release-postpublish-evidence"
-          mkdir -p "$evidence_dir"
-          if ! gh release download "$evidence_source_tag" --repo "$GITHUB_REPOSITORY" \
-            --pattern "$evidence_asset" --pattern "$evidence_checksum_asset" --dir "$evidence_dir"; then
-            if [[ "$EVENT_NAME" == "push" ]]; then
-              echo "Stable closeout skipped: $evidence_source_tag predates immutable postpublish evidence." >&2
-              echo "should_closeout=false" >> "$GITHUB_OUTPUT"
-              exit 0
-            fi
-            echo "Stable closeout is required for $tag, but immutable postpublish evidence from $evidence_source_tag is missing." >&2
-            exit 1
-          fi
-          evidence_path="$evidence_dir/$evidence_asset"
-          if ! (
-            cd "$evidence_dir"
-            sha256sum --strict --status -c "$evidence_checksum_asset"
-          ); then
-            echo "Postpublish evidence checksum failed for $tag." >&2
-            exit 1
-          fi
-          evidence_release_tag="$(jq -r '.releaseTag // empty' "$evidence_path")"
-          full_release_validation_run_id="$(jq -r '[.workflowRuns[]? | select(.label == "Full Release Validation") | .id] | if length == 1 then .[0] else empty end' "$evidence_path")"
-          release_publish_run_id="$(jq -r '.releasePublishRunId // empty' "$evidence_path")"
-          if [[ "$evidence_release_tag" != "$evidence_source_tag" || -z "$full_release_validation_run_id" || -z "$release_publish_run_id" ]]; then
-            echo "Stable closeout is required for $tag, but postpublish evidence does not bind $evidence_source_tag to exactly one Full Release Validation run and its Publish run." >&2
-            exit 1
-          fi
-          if [[ -n "$existing_closeout_full_release_validation_run_id" &&
-            ( "$existing_closeout_full_release_validation_run_id" != "$full_release_validation_run_id" ||
-              "$existing_closeout_release_publish_run_id" != "$release_publish_run_id" ) ]]; then
-            echo "Stable closeout manifest for $tag does not match immutable postpublish evidence; refusing to accept it." >&2
-            exit 1
-          fi
-          if [[ -z "$ROLLBACK_DRILL_ID" || -z "$ROLLBACK_DRILL_DATE" ]]; then
-            echo "Stable closeout requires repository variables RELEASE_ROLLBACK_DRILL_ID and RELEASE_ROLLBACK_DRILL_DATE, or explicit manual overrides." >&2
-            exit 1
-          fi
-          {
-            echo "full_release_validation_run_id=$full_release_validation_run_id"
-            echo "release_publish_run_id=$release_publish_run_id"
-            echo "rollback_drill_date=$ROLLBACK_DRILL_DATE"
-            echo "rollback_drill_id=$ROLLBACK_DRILL_ID"
-            echo "evidence_tag=$evidence_source_tag"
-            echo "fallback_correction=$fallback_correction"
-            echo "main_ref=$main_ref"
-            echo "repair_partial_closeout=$repair_partial_closeout"
-            echo "should_closeout=true"
-            echo "tag=$tag"
-          } >> "$GITHUB_OUTPUT"
-
-  verify:
-    name: Verify stable main closeout
-    needs: resolve
-    if: ${{ needs.resolve.outputs.should_closeout == 'true' }}
-    runs-on: ubuntu-24.04
-    timeout-minutes: 20
-    steps:
-      - name: Checkout resolved main state
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
-        with:
-          ref: ${{ needs.resolve.outputs.main_ref }}
-          fetch-depth: 1
-          persist-credentials: false
-
-      - name: Checkout shipped release tag
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
-        with:
-          ref: refs/tags/${{ needs.resolve.outputs.tag }}
-          path: release-tag
-          fetch-depth: 1
-          persist-credentials: false
-
-      - name: Checkout fallback evidence tag
-        if: ${{ needs.resolve.outputs.fallback_correction == 'true' }}
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
-        with:
-          ref: refs/tags/${{ needs.resolve.outputs.evidence_tag }}
-          path: evidence-tag
-          fetch-depth: 1
-          persist-credentials: false
-
-      - name: Bind fallback correction to the published package source
-        if: ${{ needs.resolve.outputs.fallback_correction == 'true' }}
-        run: |
-          set -euo pipefail
-          correction_sha="$(git -C "$GITHUB_WORKSPACE/release-tag" rev-parse HEAD)"
-          evidence_sha="$(git -C "$GITHUB_WORKSPACE/evidence-tag" rev-parse HEAD)"
-          if [[ "$correction_sha" != "$evidence_sha" ]]; then
-            echo "Fallback correction ${{ needs.resolve.outputs.tag }} must point to the same source commit as ${{ needs.resolve.outputs.evidence_tag }} to reuse immutable package evidence." >&2
-            exit 1
-          fi
-
-      - name: Verify release workflow evidence
-        env:
-          GH_TOKEN: ${{ github.token }}
-          FULL_RELEASE_VALIDATION_RUN_ID: ${{ needs.resolve.outputs.full_release_validation_run_id }}
-          RELEASE_PUBLISH_RUN_ID: ${{ needs.resolve.outputs.release_publish_run_id }}
-        run: |
-          set -euo pipefail
-          gh run view "$FULL_RELEASE_VALIDATION_RUN_ID" --repo "$GITHUB_REPOSITORY" \
-            --json workflowName,event,status,conclusion \
-            > "$RUNNER_TEMP/full-release-validation-run.json"
-          node --input-type=module - "$RUNNER_TEMP/full-release-validation-run.json" <<'NODE'
-          import { readFileSync } from "node:fs";
-          const run = JSON.parse(readFileSync(process.argv[2], "utf8"));
-          for (const [key, expected] of [
-            ["workflowName", "Full Release Validation"],
-            ["event", "workflow_dispatch"],
-            ["status", "completed"],
-            ["conclusion", "success"],
-          ]) {
-            if (run[key] !== expected) {
-              throw new Error(`Full Release Validation must have ${key}=${expected}, got ${run[key] ?? "<missing>"}.`);
-            }
-          }
-          NODE
-          gh run view "$RELEASE_PUBLISH_RUN_ID" --repo "$GITHUB_REPOSITORY" \
-            --json workflowName,event,status,conclusion \
-            > "$RUNNER_TEMP/release-publish-run.json"
-          node --input-type=module - "$RUNNER_TEMP/release-publish-run.json" <<'NODE'
-          import { readFileSync } from "node:fs";
-          const run = JSON.parse(readFileSync(process.argv[2], "utf8"));
-          for (const [key, expected] of [
-            ["workflowName", "OpenClaw Release Publish"],
-            ["event", "workflow_dispatch"],
-            ["status", "completed"],
-            ["conclusion", "success"],
-          ]) {
-            if (run[key] !== expected) {
-              throw new Error(`OpenClaw Release Publish must have ${key}=${expected}, got ${run[key] ?? "<missing>"}.`);
-            }
-          }
-          NODE
-
-          manifest_dir="$RUNNER_TEMP/full-release-validation-manifest"
-          rm -rf "$manifest_dir"
-          mkdir -p "$manifest_dir"
-          gh run download "$FULL_RELEASE_VALIDATION_RUN_ID" --repo "$GITHUB_REPOSITORY" \
-            --name "full-release-validation-${FULL_RELEASE_VALIDATION_RUN_ID}" \
-            --dir "$manifest_dir"
-          tag_sha="$(git -C "$GITHUB_WORKSPACE/release-tag" rev-parse HEAD)"
-          jq -e --arg tag_sha "$tag_sha" '
-            .workflowName == "Full Release Validation" and
-            .targetSha == $tag_sha and
-            .rerunGroup == "all" and
-            .runReleaseSoak == "true" and
-            .controls.performanceBlocking == true and
-            .childRuns.productPerformance.conclusion == "success"
-          ' "$manifest_dir/full-release-validation-manifest.json" >/dev/null || {
-            echo "Full Release Validation manifest does not contain the required stable release controls." >&2
-            exit 1
-          }
-
-      - name: Verify stable state and write closeout manifest
-        env:
-          GH_TOKEN: ${{ github.token }}
-          RELEASE_TAG: ${{ needs.resolve.outputs.tag }}
-          FULL_RELEASE_VALIDATION_RUN_ID: ${{ needs.resolve.outputs.full_release_validation_run_id }}
-          RELEASE_PUBLISH_RUN_ID: ${{ needs.resolve.outputs.release_publish_run_id }}
-          ROLLBACK_DRILL_ID: ${{ needs.resolve.outputs.rollback_drill_id }}
-          ROLLBACK_DRILL_DATE: ${{ needs.resolve.outputs.rollback_drill_date }}
-          REPAIR_PARTIAL_CLOSEOUT: ${{ needs.resolve.outputs.repair_partial_closeout }}
-          CLOSEOUT_DIR: ${{ runner.temp }}/openclaw-stable-main-closeout
-        run: |
-          set -euo pipefail
-          mkdir -p "$CLOSEOUT_DIR"
-          gh release view "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" \
-            --json tagName,isDraft,isPrerelease,assets \
-            > "$CLOSEOUT_DIR/github-release.json"
-          node scripts/verify-stable-main-closeout.mjs \
-            --tag "$RELEASE_TAG" \
-            --main-dir "$GITHUB_WORKSPACE" \
-            --tag-dir "$GITHUB_WORKSPACE/release-tag" \
-            --release-json "$CLOSEOUT_DIR/github-release.json" \
-            --full-release-validation-run-id "$FULL_RELEASE_VALIDATION_RUN_ID" \
-            --release-publish-run-id "$RELEASE_PUBLISH_RUN_ID" \
-            --rollback-drill-id "$ROLLBACK_DRILL_ID" \
-            --rollback-drill-date "$ROLLBACK_DRILL_DATE" \
-            --allow-stale-rollback-drill "$REPAIR_PARTIAL_CLOSEOUT" \
-            --output "$CLOSEOUT_DIR/stable-main-closeout.json"
-          release_version="${RELEASE_TAG#v}"
-          sha256sum "$CLOSEOUT_DIR/stable-main-closeout.json" | awk -v asset="openclaw-${release_version}-stable-main-closeout.json" \
-            '{print $1 "  " asset}' \
-            > "$CLOSEOUT_DIR/stable-main-closeout.json.sha256"
-
-      - name: Attach immutable closeout evidence
-        env:
-          GH_TOKEN: ${{ github.token }}
-          RELEASE_TAG: ${{ needs.resolve.outputs.tag }}
-          CLOSEOUT_DIR: ${{ runner.temp }}/openclaw-stable-main-closeout
-        run: |
-          set -euo pipefail
-          release_version="${RELEASE_TAG#v}"
-          attach_or_verify() {
-            local source_path="$1"
-            local asset_name="$2"
-            local existing_dir="$CLOSEOUT_DIR/existing-${asset_name}"
-            mkdir -p "$existing_dir"
-            if gh release download "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" \
-              --pattern "$asset_name" --dir "$existing_dir"; then
-              cmp --silent "$source_path" "$existing_dir/$asset_name" || {
-                echo "Existing release asset $asset_name differs from closeout evidence." >&2
-                exit 1
-              }
-              return
-            fi
-            gh release upload "$RELEASE_TAG" "$source_path#$asset_name" --repo "$GITHUB_REPOSITORY"
-          }
-          attach_or_verify \
-            "$CLOSEOUT_DIR/stable-main-closeout.json" \
-            "openclaw-${release_version}-stable-main-closeout.json"
-          attach_or_verify \
-            "$CLOSEOUT_DIR/stable-main-closeout.json.sha256" \
-            "openclaw-${release_version}-stable-main-closeout.json.sha256"
-
-      - name: Upload closeout workflow evidence
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
-        with:
-          name: openclaw-stable-main-closeout-${{ needs.resolve.outputs.tag }}
-          path: ${{ runner.temp }}/openclaw-stable-main-closeout
-          if-no-files-found: error
--- a/.github/workflows/opengrep-precise-full.yml
+++ b/.github/workflows/opengrep-precise-full.yml
@@ -25,7 +25,7 @@ jobs:
    timeout-minutes: 30
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

@@ -53,7 +53,7 @@ jobs:
          scripts/run-opengrep.sh --sarif --error

      - name: Upload SARIF to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
+        uses: github/codeql-action/upload-sarif@v4.36.2
        # Only upload if the scan actually produced a SARIF file.
        if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
        with:
@@ -62,7 +62,7 @@ jobs:

      - name: Upload SARIF as workflow artifact
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: opengrep-full-sarif
          path: .opengrep-out/precise.sarif
--- a/.github/workflows/opengrep-precise.yml
+++ b/.github/workflows/opengrep-precise.yml
@@ -41,7 +41,7 @@ jobs:
    timeout-minutes: 30
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.sha }}
          fetch-depth: 2
@@ -84,7 +84,7 @@ jobs:
          scripts/run-opengrep.sh --changed --sarif --error

      - name: Upload SARIF to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e
+        uses: github/codeql-action/upload-sarif@v4.36.2
        # Only upload if the scan actually produced a SARIF file.
        if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
        with:
@@ -93,7 +93,7 @@ jobs:

      - name: Upload SARIF as workflow artifact
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: opengrep-pr-diff-sarif
          path: .opengrep-out/precise.sarif
--- a/.github/workflows/package-acceptance.yml
+++ b/.github/workflows/package-acceptance.yml
@@ -325,7 +325,7 @@ jobs:
      telegram_mode: ${{ steps.profile.outputs.telegram_mode }}
    steps:
      - name: Checkout package workflow ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.workflow_ref }}
          fetch-depth: 0
@@ -339,7 +339,7 @@ jobs:

      - name: Download current-run package artifact input
        if: inputs.source == 'artifact' && inputs.artifact_run_id == ''
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: ${{ inputs.artifact_name }}
          path: .artifacts/package-candidate-input
@@ -492,7 +492,7 @@ jobs:
          node scripts/resolve-upgrade-survivor-baselines.mjs "${args[@]}" >/dev/null

      - name: Upload package-under-test artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ env.PACKAGE_ARTIFACT_NAME }}
          path: |
@@ -541,13 +541,13 @@ jobs:
    timeout-minutes: 10
    steps:
      - name: Checkout package workflow ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.workflow_ref }}
          fetch-depth: 1

      - name: Download package-under-test artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          name: ${{ needs.resolve_package.outputs.package_artifact_name }}
          path: .artifacts/docker-e2e-package
--- a/.github/workflows/plugin-clawhub-new.yml
+++ b/.github/workflows/plugin-clawhub-new.yml
@@ -48,7 +48,7 @@ jobs:
      matrix: ${{ steps.plan.outputs.matrix }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.ref }}
@@ -229,7 +229,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

@@ -303,7 +303,7 @@ jobs:
        plugin: ${{ fromJson(needs.resolve_bootstrap_plan.outputs.matrix) }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.ref }}
--- a/.github/workflows/plugin-clawhub-release.yml
+++ b/.github/workflows/plugin-clawhub-release.yml
@@ -63,7 +63,7 @@ jobs:
      missing_trusted_publisher_matrix: ${{ steps.plan.outputs.missing_trusted_publisher_matrix }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.ref }}
@@ -275,7 +275,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

@@ -315,7 +315,7 @@ jobs:
        plugin: ${{ fromJson(needs.preview_plugins_clawhub.outputs.matrix) }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.ref }}
@@ -364,7 +364,7 @@ jobs:
        run: bash scripts/plugin-clawhub-publish.sh --pack "${PACKAGE_DIR}"

      - name: Upload ClawHub package artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: ${{ matrix.plugin.artifactName }}
          path: ${{ runner.temp }}/clawhub-package-artifact/*.tgz
--- a/.github/workflows/plugin-npm-release.yml
+++ b/.github/workflows/plugin-npm-release.yml
@@ -57,7 +57,7 @@ jobs:
      matrix: ${{ steps.plan.outputs.matrix }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
@@ -185,7 +185,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

@@ -224,7 +224,7 @@ jobs:
        plugin: ${{ fromJson(needs.preview_plugins_npm.outputs.matrix) }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ needs.preview_plugins_npm.outputs.ref_revision }}
@@ -257,7 +257,7 @@ jobs:
        plugin: ${{ fromJson(needs.preview_plugins_npm.outputs.matrix) }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ needs.preview_plugins_npm.outputs.ref_revision }}
--- a/.github/workflows/plugin-prerelease.yml
+++ b/.github/workflows/plugin-prerelease.yml
@@ -47,7 +47,7 @@ jobs:
      plugin_prerelease_docker_lanes: ${{ steps.manifest.outputs.plugin_prerelease_docker_lanes }}
    steps:
      - name: Checkout target
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.target_ref }}
          fetch-depth: 1
@@ -216,7 +216,7 @@ jobs:
      matrix: ${{ fromJson(needs.preflight.outputs.plugin_prerelease_static_matrix) }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.preflight.outputs.checkout_revision }}
          fetch-depth: 1
@@ -252,7 +252,7 @@ jobs:
      matrix: ${{ fromJson(needs.preflight.outputs.plugin_prerelease_node_matrix) }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.preflight.outputs.checkout_revision }}
          fetch-depth: 1
@@ -325,7 +325,7 @@ jobs:
      matrix: ${{ fromJson(needs.preflight.outputs.plugin_prerelease_extension_matrix) }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.preflight.outputs.checkout_revision }}
          fetch-depth: 1
@@ -357,7 +357,7 @@ jobs:
    timeout-minutes: 30
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ needs.preflight.outputs.checkout_revision }}
          fetch-depth: 1
@@ -519,7 +519,7 @@ jobs:

      - name: Upload plugin inspector advisory artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: plugin-inspector-advisory
          path: .artifacts/plugin-inspector/**
--- a/.github/workflows/qa-live-transports-convex.yml
+++ b/.github/workflows/qa-live-transports-convex.yml
@@ -65,7 +65,7 @@ jobs:
    steps:
      - name: Require maintainer-level repository access
        id: permission
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          script: |
            if (context.eventName === "schedule") {
@@ -101,7 +101,7 @@ jobs:
      trusted_reason: ${{ steps.validate.outputs.trusted_reason }}
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }}
@@ -172,7 +172,7 @@ jobs:
      OPENCLAW_LIVE_SETUP_TOKEN_VALUE: ""
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
@@ -221,7 +221,7 @@ jobs:

      - name: Upload parity artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: qa-parity-${{ github.run_id }}-${{ github.run_attempt }}
          path: .artifacts/qa-e2e/
@@ -241,7 +241,7 @@ jobs:
      OPENCLAW_QA_REDACT_PUBLIC_METADATA: "1"
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
@@ -310,7 +310,7 @@ jobs:

      - name: Upload live runtime token-efficiency artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: qa-live-runtime-token-efficiency-${{ github.run_id }}-${{ github.run_attempt }}
          path: ${{ steps.run_lane.outputs.output_dir }}
@@ -326,7 +326,7 @@ jobs:
    environment: qa-live-shared
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
@@ -386,7 +386,7 @@ jobs:

      - name: Upload Matrix QA artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: qa-live-matrix-${{ github.run_id }}-${{ github.run_attempt }}
          path: ${{ steps.run_lane.outputs.output_dir }}
@@ -411,7 +411,7 @@ jobs:
          - e2ee-cli
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
@@ -470,7 +470,7 @@ jobs:

      - name: Upload Matrix QA shard artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: qa-live-matrix-${{ matrix.profile }}-${{ github.run_id }}-${{ github.run_attempt }}
          path: ${{ steps.run_lane.outputs.output_dir }}
@@ -485,7 +485,7 @@ jobs:
    environment: qa-live-shared
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
@@ -564,7 +564,7 @@ jobs:

      - name: Upload Telegram QA artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: qa-live-telegram-${{ github.run_id }}-${{ github.run_attempt }}
          path: ${{ steps.run_lane.outputs.output_dir }}
@@ -579,7 +579,7 @@ jobs:
    environment: qa-live-shared
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
@@ -658,7 +658,7 @@ jobs:

      - name: Upload Discord QA artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: qa-live-discord-${{ github.run_id }}-${{ github.run_attempt }}
          path: ${{ steps.run_lane.outputs.output_dir }}
@@ -676,7 +676,7 @@ jobs:
    environment: qa-live-shared
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
@@ -755,7 +755,7 @@ jobs:

      - name: Upload WhatsApp QA artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: qa-live-whatsapp-${{ github.run_id }}-${{ github.run_attempt }}
          path: ${{ steps.run_lane.outputs.output_dir }}
@@ -770,7 +770,7 @@ jobs:
    environment: qa-live-shared
    steps:
      - name: Checkout selected ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          ref: ${{ needs.validate_selected_ref.outputs.selected_revision }}
@@ -850,7 +850,7 @@ jobs:

      - name: Upload Slack QA artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: qa-live-slack-${{ github.run_id }}-${{ github.run_attempt }}
          path: ${{ steps.run_lane.outputs.output_dir }}
--- a/.github/workflows/real-behavior-proof.yml
+++ b/.github/workflows/real-behavior-proof.yml
@@ -22,11 +22,11 @@ jobs:
      pull-requests: read
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.base.sha }}
          persist-credentials: false
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token
        continue-on-error: true
        with:
@@ -34,7 +34,7 @@ jobs:
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
          permission-issues: read
          permission-members: read
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token-fallback
        if: steps.app-token.outcome == 'failure'
        continue-on-error: true
--- a/.github/workflows/sandbox-common-smoke.yml
+++ b/.github/workflows/sandbox-common-smoke.yml
@@ -30,7 +30,7 @@ jobs:
    runs-on: blacksmith-16vcpu-ubuntu-2404
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          submodules: false

--- a/.github/workflows/security-sensitive-guard.yml
+++ b/.github/workflows/security-sensitive-guard.yml
@@ -0,0 +1,55 @@
+name: Security Sensitive Guard
+
+on:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] checks trusted base script only; never checks out PR head
+    types: [opened, reopened, synchronize, ready_for_review]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+concurrency:
+  group: security-sensitive-guard-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  security-sensitive-guard-detect:
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Check out trusted base workflow scripts
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ github.event.pull_request.base.sha }}
+          persist-credentials: false
+
+      - name: Detect security-sensitive changes
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          OPENCLAW_SECURITY_APPROVERS: vincentkoc,steipete,joshavant
+          OPENCLAW_SECURITY_SENSITIVE_GUARD_MODE: detect
+          OPENCLAW_SECURITY_TEAM_SLUG: openclaw-secops
+        run: node scripts/github/security-sensitive-guard.mjs
+
+  security-sensitive-guard:
+    if: ${{ !github.event.pull_request.draft && always() }}
+    needs:
+      - security-sensitive-guard-detect
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Check out trusted base workflow scripts
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ github.event.pull_request.base.sha }}
+          persist-credentials: false
+
+      - name: Enforce security-sensitive guard
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          OPENCLAW_SECURITY_APPROVERS: vincentkoc,steipete,joshavant
+          OPENCLAW_SECURITY_SENSITIVE_GUARD_MODE: enforce
+          OPENCLAW_SECURITY_TEAM_SLUG: openclaw-secops
+        run: node scripts/github/security-sensitive-guard.mjs
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -44,13 +44,13 @@ jobs:
      pull-requests: write
    runs-on: blacksmith-16vcpu-ubuntu-2404
    steps:
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token
        continue-on-error: true
        with:
          app-id: "2729701"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token-fallback
        continue-on-error: true
        with:
@@ -59,7 +59,7 @@ jobs:
      - name: Mark stale unassigned issues and pull requests (primary)
        id: stale-primary
        continue-on-error: true
-        uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10
+        uses: actions/stale@v10
        with:
          repo-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
          days-before-issue-stale: 14
@@ -92,7 +92,7 @@ jobs:
      - name: Mark stale assigned issues (primary)
        id: assigned-issue-stale-primary
        continue-on-error: true
-        uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10
+        uses: actions/stale@v10
        with:
          repo-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
          days-before-issue-stale: 30
@@ -116,7 +116,7 @@ jobs:
      - name: Mark stale assigned pull requests (primary)
        id: assigned-stale-primary
        continue-on-error: true
-        uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10
+        uses: actions/stale@v10
        with:
          repo-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
          days-before-issue-stale: -1
@@ -140,7 +140,7 @@ jobs:
      - name: Check stale state cache
        id: stale-state
        if: always()
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          github-token: ${{ steps.app-token-fallback.outputs.token || steps.app-token.outputs.token }}
          script: |
@@ -163,7 +163,7 @@ jobs:
            }
      - name: Mark stale unassigned issues and pull requests (fallback)
        if: (steps.stale-primary.outcome == 'failure' || steps.stale-state.outputs.has_state == 'true') && steps.app-token-fallback.outputs.token != ''
-        uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10
+        uses: actions/stale@v10
        with:
          repo-token: ${{ steps.app-token-fallback.outputs.token }}
          days-before-issue-stale: 14
@@ -195,7 +195,7 @@ jobs:
            That channel is the escape hatch for high-quality PRs that get auto-closed.
      - name: Mark stale assigned issues (fallback)
        if: (steps.assigned-issue-stale-primary.outcome == 'failure' || steps.stale-state.outputs.has_state == 'true') && steps.app-token-fallback.outputs.token != ''
-        uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10
+        uses: actions/stale@v10
        with:
          repo-token: ${{ steps.app-token-fallback.outputs.token }}
          days-before-issue-stale: 30
@@ -218,7 +218,7 @@ jobs:
          close-issue-reason: not_planned
      - name: Mark stale assigned pull requests (fallback)
        if: (steps.assigned-stale-primary.outcome == 'failure' || steps.stale-state.outputs.has_state == 'true') && steps.app-token-fallback.outputs.token != ''
-        uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10
+        uses: actions/stale@v10
        with:
          repo-token: ${{ steps.app-token-fallback.outputs.token }}
          days-before-issue-stale: -1
@@ -247,13 +247,13 @@ jobs:
      pull-requests: write
    runs-on: blacksmith-16vcpu-ubuntu-2404
    steps:
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token
        with:
          app-id: "2971289"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
      - name: Backfill stale closures
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        env:
          DRY_RUN: ${{ inputs.dry_run }}
          INCLUDE_ISSUES: ${{ inputs.include_issues }}
@@ -494,13 +494,13 @@ jobs:
      issues: write
    runs-on: blacksmith-16vcpu-ubuntu-2404
    steps:
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+      - uses: actions/create-github-app-token@v3
        id: app-token
        with:
          app-id: "2729701"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Lock closed issues after 48h of no comments
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+        uses: actions/github-script@v9
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          script: |
--- a/.github/workflows/test-performance-agent.yml
+++ b/.github/workflows/test-performance-agent.yml
@@ -35,7 +35,7 @@ jobs:
    timeout-minutes: 240
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: main
          fetch-depth: 0
@@ -271,7 +271,7 @@ jobs:

      - name: Upload test performance artifacts
        if: steps.gate.outputs.run_agent == 'true' && always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        uses: actions/upload-artifact@v7
        with:
          name: test-performance-agent-${{ github.run_id }}
          path: .artifacts/test-perf/
--- a/.github/workflows/tui-pty.yml
+++ b/.github/workflows/tui-pty.yml
@@ -32,7 +32,8 @@ jobs:
      OPENCLAW_TUI_PTY_INCLUDE_LOCAL: "1"
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
+
      - name: Setup Node environment
        uses: ./.github/actions/setup-node-env
        with:
--- a/.github/workflows/website-installer-sync.yml
+++ b/.github/workflows/website-installer-sync.yml
@@ -37,7 +37,8 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
+
      - name: Install ShellCheck
        run: sudo apt-get update -y && sudo apt-get install -y shellcheck

@@ -70,7 +71,8 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
+
      - name: install.sh in Docker
        run: |
          timeout --kill-after=30s 20m docker run --rm \
@@ -91,9 +93,10 @@ jobs:
    runs-on: macos-15
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
+
      - name: Setup Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v6
        with:
          node-version: 24

@@ -112,9 +115,10 @@ jobs:
    runs-on: windows-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
+
      - name: Setup Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v6
        with:
          node-version: 24

@@ -137,13 +141,13 @@ jobs:

      - name: Checkout OpenClaw
        if: env.OPENCLAW_GH_TOKEN != ''
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          path: openclaw

      - name: Checkout openclaw.ai
        if: env.OPENCLAW_GH_TOKEN != ''
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          repository: openclaw/openclaw.ai
          token: ${{ env.OPENCLAW_GH_TOKEN }}
@@ -171,13 +175,13 @@ jobs:

      - name: Setup Bun
        if: steps.changes.outputs.changed == 'true'
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      - name: Setup Node.js
        if: steps.changes.outputs.changed == 'true'
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@v6
        with:
          node-version: "24"

--- a/.github/workflows/windows-blacksmith-testbox.yml
+++ b/.github/workflows/windows-blacksmith-testbox.yml
@@ -120,7 +120,7 @@ jobs:
          chmod 600 ~/.ssh/authorized_keys

      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          submodules: false
--- a/.github/workflows/windows-testbox-probe.yml
+++ b/.github/workflows/windows-testbox-probe.yml
@@ -54,7 +54,7 @@ jobs:
        shell: pwsh
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.target_ref || github.ref }}
          persist-credentials: false
--- a/.github/workflows/workflow-sanity.yml
+++ b/.github/workflows/workflow-sanity.yml
@@ -115,7 +115,7 @@ jobs:
          git -C "$GITHUB_WORKSPACE" checkout --detach refs/remotes/origin/checkout

      - name: Setup Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        uses: actions/setup-python@v6
        with:
          python-version: "3.12"

--- a/.gitignore
+++ b/.gitignore
@@ -77,6 +77,7 @@ extensions/canvas/src/host/a2ui/*.map

 # fastlane (iOS)
 apps/ios/fastlane/README.md
+apps/android/fastlane/README.md
 apps/ios/fastlane/report.xml
 apps/ios/fastlane/Preview.html
 apps/ios/fastlane/screenshots/
--- a/apps/android/CHANGELOG.md
+++ b/apps/android/CHANGELOG.md
@@ -0,0 +1,11 @@
+# OpenClaw Android Changelog
+
+## Unreleased
+
+Maintenance update for the current OpenClaw Android release.
+
+## 2026.6.2 - 2026-06-02
+
+OpenClaw is now available on Android.
+
+Connect to your OpenClaw Gateway to chat with your assistant, use realtime Talk mode, review approvals, and bring Android device capabilities like camera, location, screen, and notifications into your private automation workflows.
--- a/apps/android/Config/ReleaseSigning.json
+++ b/apps/android/Config/ReleaseSigning.json
@@ -0,0 +1,14 @@
+{
+  "signingRepo": "git@github.com:openclaw/apps-signing.git",
+  "signingBranch": "main",
+  "assetPath": "android/openclaw",
+  "uploadKeystoreEncryptedFile": "upload-keystore.jks.enc",
+  "gradlePropertiesEncryptedFile": "gradle.properties.enc",
+  "materializedRoot": "apps/android/build/release-signing",
+  "gradlePropertyNames": [
+    "OPENCLAW_ANDROID_STORE_FILE",
+    "OPENCLAW_ANDROID_STORE_PASSWORD",
+    "OPENCLAW_ANDROID_KEY_ALIAS",
+    "OPENCLAW_ANDROID_KEY_PASSWORD"
+  ]
+}
--- a/apps/android/README.md
+++ b/apps/android/README.md
@@ -53,6 +53,16 @@ pnpm android:version:pin -- --from-gateway
 pnpm android:version:pin -- --version 2026.6.5 --version-code 2026060501
 ```

+Release-owner signing sync:
+
+```bash
+pnpm android:release:signing:plan
+MATCH_PASSWORD=<signing repo password> pnpm android:release:signing:sync:pull
+MATCH_PASSWORD=<signing repo password> pnpm android:release:signing:check
+```
+
+The signing sync pulls encrypted Android upload-key assets from the shared `apps-signing` repo and materializes decrypted files under `apps/android/build/release-signing/`.
+
 Generate raw Google Play screenshots:

 ```bash
@@ -64,7 +74,7 @@ pnpm android:screenshots
 - Play build: `openclaw-<version>-play-release.aab`
 - Third-party build: `openclaw-<version>-third-party-release.apk`

-`pnpm android:bundle:release` is an alias for the same archive helper.
+`pnpm android:bundle:release` is an alias for the same Fastlane archive lane.

 See `apps/android/VERSIONING.md` and `apps/android/fastlane/SETUP.md` for the release workflow.

--- a/apps/android/VERSIONING.md
+++ b/apps/android/VERSIONING.md
@@ -8,6 +8,8 @@ Android release builds use pinned app metadata instead of auto-bumping `build.gr
 - `version` is the Play `versionName` and uses CalVer: `YYYY.M.D`.
 - `versionCode` uses `YYYYMMDDNN`, where `NN` is a two-digit build number for that pinned app version.
 - `apps/android/Config/Version.properties` is generated from `version.json` and read by Gradle.
+- `apps/android/CHANGELOG.md` is the Android-only changelog and release-note source.
+- `apps/android/fastlane/metadata/android/en-US/release_notes.txt` is generated from the changelog.

 Examples:

@@ -23,16 +25,41 @@ pnpm android:version:check
 pnpm android:version:sync
 pnpm android:version:pin -- --from-gateway
 pnpm android:version:pin -- --version 2026.6.5 --version-code 2026060501
+pnpm android:release:signing:plan
+MATCH_PASSWORD=<signing repo password> pnpm android:release:signing:sync:pull
+pnpm android:release:preflight
 ```

+## Release-note resolution order
+
+When generating `apps/android/fastlane/metadata/android/en-US/release_notes.txt`, the tooling reads the first available changelog section in this order:
+
+1. exact pinned version, for example `## 2026.6.2`
+2. `## Unreleased`
+
+Recommended workflow:
+
+- while iterating on a Play internal testing train, keep pending notes under `## Unreleased`
+- before the production release, move or copy the final notes under `## <pinned version>` and run sync again
+
 ## Release Workflow

 1. Pin Android to the intended release version.
 2. Run `pnpm android:version:sync`.
-3. Update `apps/android/fastlane/metadata/android/en-US/release_notes.txt`.
-4. Run `pnpm android:screenshots` to refresh raw Google Play screenshots.
-5. Run `pnpm android:release:archive` to produce the signed Play AAB and third-party APK.
-6. Run `pnpm android:release:upload` to upload metadata, screenshots, and the Play AAB to Google Play internal testing.
-7. Promote to production manually in Google Play Console.
+3. Update `apps/android/CHANGELOG.md`, then run `pnpm android:version:sync` again if needed.
+4. Run `MATCH_PASSWORD=<signing repo password> pnpm android:release:signing:sync:pull` to materialize encrypted Android signing assets from `apps-signing`.
+5. Run `pnpm android:release:preflight` to validate Play auth, signing, synced versioning, and release notes.
+6. Run `pnpm android:screenshots` to refresh raw Google Play screenshots.
+7. Run `pnpm android:release:archive` to produce the signed Play AAB and third-party APK.
+8. Run `pnpm android:release:upload` to upload metadata, screenshots, and the Play AAB to Google Play internal testing.
+9. Promote to production manually in Google Play Console.

 The third-party flavor is archived as a signed APK for non-Play distribution. It is not uploaded by the Play release lane.
+
+## Signing model
+
+`apps/android/Config/ReleaseSigning.json` pins the Android signing assets in the shared private `apps-signing` repo. The Android pipeline uses the same `MATCH_PASSWORD` release-owner secret as iOS, but the Android files are managed by `scripts/android-release-signing.mjs` instead of Fastlane `match`.
+
+`sync:pull` decrypts the Play upload keystore and Gradle signing properties into `apps/android/build/release-signing/`. That directory is gitignored, and Fastlane exports the materialized values as Gradle project properties for the current release command.
+
+If `MATCH_PASSWORD` is not set, the existing manual Gradle-property signing path still works: provide `OPENCLAW_ANDROID_STORE_FILE`, `OPENCLAW_ANDROID_STORE_PASSWORD`, `OPENCLAW_ANDROID_KEY_ALIAS`, and `OPENCLAW_ANDROID_KEY_PASSWORD` through your local Gradle user properties before running release tasks.
--- a/apps/android/fastlane/Fastfile
+++ b/apps/android/fastlane/Fastfile
@@ -9,6 +9,12 @@ default_platform(:android)
 DEFAULT_PLAY_PACKAGE_NAME = "ai.openclaw.app"
 DEFAULT_PLAY_TRACK = "internal"
 DEFAULT_PLAY_RELEASE_STATUS = "completed"
+ANDROID_RELEASE_SIGNING_GRADLE_PROPERTIES = [
+  "OPENCLAW_ANDROID_STORE_FILE",
+  "OPENCLAW_ANDROID_STORE_PASSWORD",
+  "OPENCLAW_ANDROID_KEY_ALIAS",
+  "OPENCLAW_ANDROID_KEY_PASSWORD"
+].freeze

 def load_env_file(path)
  return unless File.exist?(path)
@@ -36,6 +42,14 @@ def repo_root
  File.expand_path("../..", android_root)
 end

+def android_release_signing_script
+  File.join(repo_root, "scripts", "android-release-signing.mjs")
+end
+
+def android_release_signing_materialized_properties_path
+  File.join(android_root, "build", "release-signing", "gradle.properties")
+end
+
 def shell_join(args)
  args.shelljoin
 end
@@ -136,17 +150,22 @@ def android_release_notes_path
  File.join(__dir__, "metadata", "android", "en-US", "release_notes.txt")
 end

+def validate_android_release_notes!
+  release_notes_path = android_release_notes_path
+  UI.user_error!("Missing Android release notes at #{release_notes_path}. Run `pnpm android:version:sync`.") unless File.exist?(release_notes_path)
+  UI.user_error!("Android release notes at #{release_notes_path} are empty.") unless env_present?(File.read(release_notes_path))
+end
+
 def android_changelog_path(version_code)
  File.join(__dir__, "metadata", "android", "en-US", "changelogs", "#{version_code}.txt")
 end

 def sync_android_changelog!(version_code)
-  release_notes_path = android_release_notes_path
-  UI.user_error!("Missing Android release notes at #{release_notes_path}.") unless File.exist?(release_notes_path)
+  validate_android_release_notes!

  changelog_path = android_changelog_path(version_code)
  FileUtils.mkdir_p(File.dirname(changelog_path))
-  File.write(changelog_path, File.read(release_notes_path))
+  File.write(changelog_path, File.read(android_release_notes_path))
  changelog_path
 end

@@ -178,6 +197,69 @@ def capture_android_screenshots!
  sh(shell_join(["bash", File.join(repo_root, "scripts", "android-screenshots.sh")]))
 end

+def read_android_release_signing_properties!(path)
+  UI.user_error!("Missing materialized Android release signing properties at #{path}.") unless File.exist?(path)
+
+  properties = {}
+  File.foreach(path) do |line|
+    stripped = line.strip
+    next if stripped.empty? || stripped.start_with?("#")
+
+    key, value = stripped.split("=", 2)
+    next if key.nil? || key.empty? || value.nil?
+
+    properties[key] = value.strip
+  end
+
+  missing = ANDROID_RELEASE_SIGNING_GRADLE_PROPERTIES.reject { |key| env_present?(properties[key]) }
+  UI.user_error!("Materialized Android release signing properties are missing: #{missing.join(', ')}.") unless missing.empty?
+
+  properties
+end
+
+def export_android_release_signing_properties!(path)
+  read_android_release_signing_properties!(path).each do |key, value|
+    ENV["ORG_GRADLE_PROJECT_#{key}"] = value
+  end
+end
+
+def sync_android_release_signing!
+  sh(shell_join(["node", android_release_signing_script, "--mode", "sync-pull"]))
+  export_android_release_signing_properties!(android_release_signing_materialized_properties_path)
+end
+
+def prepare_android_release_signing!
+  if env_present?(ENV["MATCH_PASSWORD"])
+    sync_android_release_signing!
+  elsif File.exist?(android_release_signing_materialized_properties_path)
+    export_android_release_signing_properties!(android_release_signing_materialized_properties_path)
+  end
+end
+
+def validate_android_release_signing!
+  Dir.chdir(android_root) do
+    sh(shell_join(["./gradlew", ":app:bundlePlayRelease", "--dry-run"]))
+  end
+end
+
+def print_android_release_plan!(version_metadata)
+  UI.message("Android Play release plan:")
+  UI.message("  package: #{play_package_name}")
+  UI.message("  track: #{play_track}")
+  UI.message("  release_status: #{play_release_status}")
+  UI.message("  validate_only: #{play_validate_only?}")
+  UI.message("  versionName: #{version_metadata.fetch(:version)}")
+  UI.message("  versionCode: #{version_metadata.fetch(:version_code)}")
+end
+
+def validate_android_release_preflight!(version_metadata)
+  validate_play_auth!
+  prepare_android_release_signing!
+  validate_android_release_signing!
+  validate_android_release_notes!
+  print_android_release_plan!(version_metadata)
+end
+
 def upload_play_store_metadata!(version_metadata)
  validate_android_screenshots!
  sync_android_changelog!(version_metadata.fetch(:version_code))
@@ -230,6 +312,38 @@ platform :android do
    UI.success("Google Play API credentials are valid.")
  end

+  desc "Print the Android release signing plan"
+  lane :signing_plan do
+    sh(shell_join(["node", android_release_signing_script, "--mode", "plan"]))
+  end
+
+  desc "Pull encrypted Android release signing assets and validate Gradle release signing"
+  lane :signing_check do
+    sync_android_release_signing!
+    validate_android_release_signing!
+    UI.success("Android release signing assets are available locally.")
+  end
+
+  desc "Pull encrypted Android release signing assets from the shared signing repo"
+  lane :signing_sync_pull do
+    sync_android_release_signing!
+    UI.success("Pulled Android release signing assets.")
+  end
+
+  desc "Create or refresh encrypted Android release signing assets in the shared signing repo"
+  lane :signing_sync_push do
+    sh(shell_join(["node", android_release_signing_script, "--mode", "sync-push"]))
+    UI.success("Pushed Android release signing assets.")
+  end
+
+  desc "Validate Android Play release auth, signing, versioning, and release notes"
+  lane :release_preflight do
+    sync_android_versioning!
+    version_metadata = read_android_version_metadata
+    validate_android_release_preflight!(version_metadata)
+    UI.success("Android Play release preflight passed for #{version_metadata[:version]} (#{version_metadata[:version_code]}).")
+  end
+
  desc "Upload Google Play metadata, changelog, and optional screenshots"
  lane :metadata do
    sync_android_versioning!
@@ -242,6 +356,7 @@ platform :android do
  desc "Build signed Android release artifacts locally without uploading"
  lane :play_store_archive do
    sync_android_versioning!
+    prepare_android_release_signing!
    build_release_artifacts!
  end

@@ -260,9 +375,9 @@ platform :android do

  desc "Upload Android metadata, archive release artifacts, then upload the Play AAB"
  lane :release_upload do
-    auth_check
    sync_android_versioning!
    version_metadata = read_android_version_metadata
+    validate_android_release_preflight!(version_metadata)
    screenshots
    ENV["SUPPLY_UPLOAD_METADATA"] = "1"
    ENV["SUPPLY_UPLOAD_SCREENSHOTS"] = "1"
--- a/apps/android/fastlane/SETUP.md
+++ b/apps/android/fastlane/SETUP.md
@@ -20,6 +20,35 @@ Optional app targeting:
 GOOGLE_PLAY_PACKAGE_NAME=ai.openclaw.app
 ```

+Android release signing uses the same private `apps-signing` repository and `MATCH_PASSWORD` secret as iOS, but with Android-specific encrypted assets. Pull the shared upload key before release validation:
+
+```bash
+pnpm android:release:signing:plan
+MATCH_PASSWORD=<signing repo password> pnpm android:release:signing:sync:pull
+MATCH_PASSWORD=<signing repo password> pnpm android:release:signing:check
+```
+
+The pull command materializes decrypted signing files under `apps/android/build/release-signing/`, which is gitignored. Later Fastlane release commands reload those materialized values and export them to Gradle for the current process.
+
+For the first setup or rotation, provide the Play upload keystore and a local signing properties file, then push encrypted assets to `apps-signing`:
+
+```bash
+MATCH_PASSWORD=<signing repo password> \
+OPENCLAW_ANDROID_UPLOAD_KEYSTORE=<path-to-upload-keystore.jks> \
+OPENCLAW_ANDROID_SIGNING_PROPERTIES=<path-to-android-signing.properties> \
+pnpm android:release:signing:sync:push
+```
+
+The source signing properties file must contain:
+
+```properties
+OPENCLAW_ANDROID_STORE_PASSWORD=<store-password>
+OPENCLAW_ANDROID_KEY_ALIAS=<upload-key-alias>
+OPENCLAW_ANDROID_KEY_PASSWORD=<key-password>
+```
+
+Store the Google Play upload key, not the irreplaceable app signing key, when Play App Signing is enabled.
+
 Validate auth:

 ```bash
@@ -56,12 +85,19 @@ Release rules:

 - `apps/android/version.json` is the pinned Android release version source.
 - `apps/android/Config/Version.properties` is generated from that source and read by Gradle.
+- `apps/android/CHANGELOG.md` is the Android-only changelog and release-note source.
+- `apps/android/fastlane/metadata/android/en-US/release_notes.txt` is generated from that changelog by `pnpm android:version:sync`.
+- `apps/android/Config/ReleaseSigning.json` pins the encrypted Android signing assets in the shared signing repo.
+- `MATCH_PASSWORD` enables Fastlane to pull encrypted Android signing assets into `apps/android/build/release-signing/` before release validation or archive builds.
 - Supported pinned Android versions use CalVer: `YYYY.M.D`.
 - `versionCode` uses `YYYYMMDDNN`, where `NN` is a two-digit build number for the pinned version.
 - `pnpm android:version:pin -- --from-gateway` promotes the current root gateway version into the pinned Android release version.
 - `pnpm android:version:pin -- --version 2026.6.5 --version-code 2026060502` increments another build on the same Android release train.
 - `pnpm android:version:sync` updates generated version artifacts.
 - `pnpm android:version:check` validates checked-in Android version artifacts.
+- `pnpm android:release:preflight` validates Google Play auth, Android release signing, synced versioning, release notes, and prints the package/track/version/versionCode that will be uploaded.
+- `pnpm android:release:signing:sync:pull` pulls encrypted Android signing assets from `apps-signing`.
+- `pnpm android:release:signing:sync:push` creates or refreshes encrypted Android signing assets in `apps-signing`.
 - `pnpm android:screenshots` builds and installs the Play debug app, launches deterministic screenshot scenes, and captures raw PNGs.
 - `pnpm android:release:archive` builds the signed Play AAB and third-party APK into `apps/android/build/release-artifacts/`.
 - `pnpm android:release:upload` uploads the Play AAB to the configured Google Play track. The default track is `internal`.
--- a/docs/.generated/plugin-sdk-api-baseline.sha256
+++ b/docs/.generated/plugin-sdk-api-baseline.sha256
@@ -1,2 +1,2 @@
-e1928b7528c130ebac4f8f5cf0d1de545c996898182b50cbdf4efdc89a8637cd  plugin-sdk-api-baseline.json
-d9c227be6d344676e36d6ccc37c3c8cf05f80dcc82eadc4a686b3dccd1667990  plugin-sdk-api-baseline.jsonl
+b810f3b17d1eb746a6fbc4c45095a3b2bb3e08c5cd62a5928f9add2c59bb95b9  plugin-sdk-api-baseline.json
+36174a54f2a9e11b822f499b5659d0b1351198ce98112946d95283b0ee1032dd  plugin-sdk-api-baseline.jsonl
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -189,7 +189,7 @@ Every lane uploads GitHub artifacts. When `CLAWGRIT_REPORTS_TOKEN` is configured

 ## Full Release Validation

-`Full Release Validation` is the manual umbrella workflow for "run everything before release." It accepts a branch, tag, or full commit SHA, dispatches the manual `CI` workflow with that target, dispatches `Plugin Prerelease` for release-only plugin/package/static/Docker proof, and dispatches `OpenClaw Release Checks` for install smoke, package acceptance, cross-OS package checks, QA Lab parity, Matrix, and Telegram lanes. Stable and full profiles always include exhaustive live/E2E and Docker release-path soak coverage; the beta profile can opt in with `run_release_soak=true`. With `rerun_group=all` and `release_profile=full`, it also runs `NPM Telegram Beta E2E` against the `release-package-under-test` artifact from release checks. After publishing, pass `release_package_spec` to reuse the shipped npm package across release checks, Package Acceptance, Docker, cross-OS, and Telegram without rebuilding. Use `npm_telegram_package_spec` only when Telegram must prove a different package. The Codex plugin live package lane uses the same selected state by default: published `release_package_spec=openclaw@<tag>` derives `codex_plugin_spec=npm:@openclaw/codex@<tag>`, while SHA/artifact runs pack `extensions/codex` from the selected ref. Set `codex_plugin_spec` explicitly for custom plugin sources such as `npm:`, `npm-pack:`, or `git:` specs.
+`Full Release Validation` is the manual umbrella workflow for "run everything before release." It accepts a branch, tag, or full commit SHA, dispatches the manual `CI` workflow with that target, dispatches `Plugin Prerelease` for release-only plugin/package/static/Docker proof, and dispatches `OpenClaw Release Checks` for install smoke, package acceptance, cross-OS package checks, QA Lab parity, Matrix, and Telegram lanes. Stable/default runs keep exhaustive live/E2E and Docker release-path coverage behind `run_release_soak=true`; `release_profile=full` forces that soak coverage on so broad advisory validation remains broad. With `rerun_group=all` and `release_profile=full`, it also runs `NPM Telegram Beta E2E` against the `release-package-under-test` artifact from release checks. After publishing, pass `release_package_spec` to reuse the shipped npm package across release checks, Package Acceptance, Docker, cross-OS, and Telegram without rebuilding. Use `npm_telegram_package_spec` only when Telegram must prove a different package. The Codex plugin live package lane uses the same selected state by default: published `release_package_spec=openclaw@<tag>` derives `codex_plugin_spec=npm:@openclaw/codex@<tag>`, while SHA/artifact runs pack `extensions/codex` from the selected ref. Set `codex_plugin_spec` explicitly for custom plugin sources such as `npm:`, `npm-pack:`, or `git:` specs.

 See [Full release validation](/reference/full-release-validation) for the
 stage matrix, exact workflow job names, profile differences, artifacts, and
@@ -232,9 +232,9 @@ different SHA.

 `release_profile` controls live/provider breadth passed into release checks. The
 manual release workflows default to `stable`; use `full` only when you
-intentionally want the broad advisory provider/media matrix. Stable and full
-release checks always run the exhaustive live/E2E and Docker release-path soak;
-the beta profile can opt in with `run_release_soak=true`.
+intentionally want the broad advisory provider/media matrix. `run_release_soak`
+controls whether stable/default release checks run the exhaustive live/E2E and
+Docker release-path soak; `full` forces soak on.

 - `minimum` keeps the fastest OpenAI/core release-critical lanes.
 - `stable` adds the stable provider/backend set.
--- a/docs/plugins/codex-harness.md
+++ b/docs/plugins/codex-harness.md
@@ -587,7 +587,7 @@ export default {
              },
              unixSockets: {
                "/tmp/proxy.sock": "allow",
-                "/tmp/blocked.sock": "deny",
+                "/tmp/blocked.sock": "none",
              },
              allowUpstreamProxy: true,
              proxyUrl: "http://127.0.0.1:3128",
@@ -605,7 +605,7 @@ If the normal app-server runtime would be `danger-full-access`, enabling
 permission profile. Codex managed network enforcement is sandboxed networking,
 so a full-access profile would not protect outbound traffic.
 Domain entries use `allow` or `deny`; Unix socket entries use Codex's
-`allow` or `deny` values.
+`allow` or `none` values.

 OpenClaw-owned dynamic tool calls are bounded independently from
 `appServer.requestTimeoutMs`: Codex `item/tool/call` requests use a 90 second
--- a/docs/reference/RELEASING.md
+++ b/docs/reference/RELEASING.md
@@ -118,8 +118,8 @@ the maintainer-only release runbook.
   `CHANGELOG.md` section. Stable releases published to npm `latest` become the
   GitHub latest release; stable maintenance releases kept on npm `beta` are
   created with GitHub `latest=false`. The workflow also uploads the preflight
-   dependency evidence, the full-validation manifest, and postpublish registry
-   verification evidence to the GitHub release for post-release incident
+   dependency evidence to the GitHub release as
+   `openclaw-<version>-dependency-evidence.zip` for post-release incident
   response. The publish workflow prints child run IDs immediately, auto-approves
   release environment gates the workflow token is allowed to approve, summarizes
   failed child jobs with log tails, closes out the GitHub release and dependency
@@ -178,27 +178,6 @@ release state.
   `OPENCLAW_TESTBOX=1 pnpm check:changed`. Push, then verify `origin/main`
   contains the shipped version and changelog before calling the stable release
   done.
-6. Keep the repository variables `RELEASE_ROLLBACK_DRILL_ID` and
-   `RELEASE_ROLLBACK_DRILL_DATE` current after each private rollback drill.
-   `OpenClaw Stable Main Closeout` starts from the `main` push that carries the
-   shipped version, changelog, and appcast after stable publication. It reads
-   immutable postpublish evidence to bind the shipped tag to its Full Release
-   Validation and Publish runs, then verifies the stable main state, release,
-   mandatory stable soak, and blocking performance evidence. It attaches an
-   immutable closeout manifest and checksum to the GitHub release. The automatic
-   push trigger skips legacy releases that predate immutable postpublish
-   evidence; it never treats that skip as a completed closeout. A complete
-   closeout requires both assets and a matching checksum. A partial manifest
-   replays its recorded `main` SHA and rollback drill to regenerate identical
-   bytes, then attaches the missing checksum; an invalid pair, or a checksum
-   without a manifest, stays blocking. A missing or more-than-90-day-old drill
-   record blocks a new evidence-backed closeout; private recovery commands
-   remain in the maintainer-only runbook. Use manual dispatch only to repair or
-   replay an evidence-backed stable closeout.
-   A legacy fallback correction tag may reuse base-package evidence only when
-   the correction tag resolves to the same source commit as the base stable tag.
-   A correction with different source must publish and verify its own package
-   evidence.

 ## Release preflight

@@ -226,9 +205,9 @@ release state.
  kick off all pre-release test boxes from one entrypoint. It accepts a branch,
  tag, or full commit SHA, dispatches manual `CI`, and dispatches
  `OpenClaw Release Checks` for install smoke, package acceptance, cross-OS
-  package checks, QA Lab parity, Matrix, and Telegram lanes. Stable and full
-  runs always include exhaustive live/E2E and Docker release-path soak;
-  `run_release_soak=true` is retained for an explicit beta soak. With
+  package checks, QA Lab parity, Matrix, and Telegram lanes. Stable/default runs
+  keep exhaustive live/E2E and Docker release-path soak behind
+  `run_release_soak=true`; `release_profile=full` forces soak on. With
  `release_profile=full` and `rerun_group=all`, it also runs package Telegram
  E2E against the `release-package-under-test` artifact from release checks.
  Provide `release_package_spec` after publishing a beta to reuse the shipped
@@ -493,12 +472,13 @@ Use `release_profile` to select live/provider breadth:
 - `stable`: minimum plus stable provider/backend coverage for release approval
 - `full`: stable plus broad advisory provider/media coverage

-Stable and full validation always run the exhaustive live/E2E, Docker
-release-path, and bounded published upgrade-survivor sweep before promotion.
-Use `run_release_soak=true` to request that same sweep for a beta. That sweep covers
+Use `run_release_soak=true` with `stable` when the release-blocking lanes are
+green and you want the exhaustive live/E2E, Docker release-path, and
+bounded published upgrade-survivor sweep before promotion. That sweep covers
 the latest four stable packages plus pinned `2026.4.23` and `2026.5.2`
 baselines plus older `2026.4.15` coverage, with duplicate baselines removed and
-each baseline sharded into its own Docker runner job.
+each baseline sharded into its own Docker runner job. `full` implies
+`run_release_soak=true`.

 `OpenClaw Release Checks` uses the trusted workflow ref to resolve the target
 ref once as `release-package-under-test` and reuses that artifact in cross-OS,
@@ -689,7 +669,7 @@ prepared release package artifact, `suite_profile=custom`,
 configured-auth update restart, live ClawHub skill install, stale plugin dependency cleanup, offline plugin
 fixtures, plugin update, and Telegram package QA against the same resolved
 tarball. Blocking release checks use the default latest published package
-baseline; the beta profile with `run_release_soak=true`, `release_profile=stable`, or
+baseline; `run_release_soak=true` or
 `release_profile=full` expands to every stable npm-published baseline from
 `2026.4.23` through `latest` plus reported-issue fixtures. Use
 Package Acceptance with `source=npm` for an already shipped candidate,
@@ -855,8 +835,8 @@ package cannot ship without every publishable official plugin, including
  require the resolved commit to be reachable from an OpenClaw branch or
  release tag.
 - `run_release_soak`: opt into exhaustive live/E2E, Docker release-path, and
-  all-since upgrade-survivor soak for beta release checks. It is forced on by
-  `release_profile=stable` and `release_profile=full`.
+  all-since upgrade-survivor soak on stable/default release checks. It is forced
+  on by `release_profile=full`.

 Rules:

--- a/docs/reference/code-mode.md
+++ b/docs/reference/code-mode.md
@@ -675,9 +675,10 @@ is disabled, uninstalled, or rolled back:
 clearCodeModeNamespacesForPlugin(pluginId);
 ```

-Use `unregisterCodeModeNamespace(namespaceId)` only when removing one known
-namespace. Tests can call `clearCodeModeNamespacesForTest()` to avoid leaking
-registrations across cases.
+Code-mode cleanup is plugin-owned; clear the plugin's namespace registrations
+when its lifecycle ends instead of keeping per-namespace teardown handles. Tests
+can call `clearCodeModeNamespacesForTest()` to avoid leaking registrations
+across cases.

 ### Test checklist

--- a/docs/reference/full-release-validation.md
+++ b/docs/reference/full-release-validation.md
@@ -27,10 +27,10 @@ Child workflows use the trusted workflow ref for the harness and the input
 `ref` for the candidate under test. That keeps new validation logic available
 when validating an older release branch or tag.

-`release_profile=stable` and `release_profile=full` always run the exhaustive
-live/Docker soak. Pass `run_release_soak=true` to include the same soak lanes
-with the beta profile. Stable publication rejects a validation manifest without this
-soak and blocking product-performance evidence.
+By default, `release_profile=stable` runs the release-blocking lanes and skips
+the exhaustive live/Docker soak. Pass `run_release_soak=true` to include the
+soak lanes on a stable run. `release_profile=full` always enables soak lanes so
+the broad advisory profile never drops coverage silently.

 Package Acceptance normally builds the candidate tarball from the resolved
 `ref`, including full-SHA runs dispatched with `pnpm ci:full-release`. After a
@@ -47,15 +47,15 @@ that plugin, then runs Codex CLI preflight and same-session OpenAI agent turns.

 ## Top-level stages

-| Stage                | Details                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| Target resolution    | **Job:** `Resolve target ref`<br />**Child workflow:** none<br />**Proves:** resolves the release branch, tag, or full commit SHA and records selected inputs.<br />**Rerun:** rerun the umbrella if this fails.                                                                                                                                                                                                                                             |
-| Vitest and normal CI | **Job:** `Run normal full CI`<br />**Child workflow:** `CI`<br />**Proves:** manual full CI graph against the target ref, including Linux Node lanes, bundled plugin shards, plugin and channel contract shards, Node 22 compatibility, `check-*`, `check-additional-*`, built-artifact smoke checks, docs checks, Python skills, Windows, macOS, Control UI i18n, and Android via the umbrella.<br />**Rerun:** `rerun_group=ci`.                           |
-| Plugin prerelease    | **Job:** `Run plugin prerelease validation`<br />**Child workflow:** `Plugin Prerelease`<br />**Proves:** release-only plugin static checks, agentic plugin coverage, full extension batch shards, plugin prerelease Docker lanes, and a non-blocking `plugin-inspector-advisory` artifact for compatibility triage.<br />**Rerun:** `rerun_group=plugin-prerelease`.                                                                                        |
-| Release checks       | **Job:** `Run release/live/Docker/QA validation`<br />**Child workflow:** `OpenClaw Release Checks`<br />**Proves:** install smoke, cross-OS package checks, Package Acceptance, QA Lab parity, live Matrix, and live Telegram. Stable and full profiles also run exhaustive live/E2E suites and Docker release-path chunks; beta can opt in with `run_release_soak=true`.<br />**Rerun:** `rerun_group=release-checks` or a narrower release-checks handle. |
-| Package artifact     | **Job:** `Prepare release package artifact`<br />**Child workflow:** none<br />**Proves:** creates the parent `release-package-under-test` tarball early enough for package-facing checks that do not need to wait for `OpenClaw Release Checks`.<br />**Rerun:** rerun the umbrella or provide `release_package_spec` for published-package reruns.                                                                                                         |
-| Package Telegram     | **Job:** `Run package Telegram E2E`<br />**Child workflow:** `NPM Telegram Beta E2E`<br />**Proves:** parent-artifact-backed Telegram package proof for `rerun_group=all` with `release_profile=full`, or published-package Telegram proof when `release_package_spec` or `npm_telegram_package_spec` is set.<br />**Rerun:** `rerun_group=npm-telegram` with `release_package_spec` or `npm_telegram_package_spec`.                                         |
-| Umbrella verifier    | **Job:** `Verify full validation`<br />**Child workflow:** none<br />**Proves:** re-checks recorded child run conclusions and appends slowest-job tables from child workflows.<br />**Rerun:** rerun only this job after rerunning a failed child to green.                                                                                                                                                                                                  |
+| Stage                | Details                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Target resolution    | **Job:** `Resolve target ref`<br />**Child workflow:** none<br />**Proves:** resolves the release branch, tag, or full commit SHA and records selected inputs.<br />**Rerun:** rerun the umbrella if this fails.                                                                                                                                                                                                                               |
+| Vitest and normal CI | **Job:** `Run normal full CI`<br />**Child workflow:** `CI`<br />**Proves:** manual full CI graph against the target ref, including Linux Node lanes, bundled plugin shards, plugin and channel contract shards, Node 22 compatibility, `check-*`, `check-additional-*`, built-artifact smoke checks, docs checks, Python skills, Windows, macOS, Control UI i18n, and Android via the umbrella.<br />**Rerun:** `rerun_group=ci`.             |
+| Plugin prerelease    | **Job:** `Run plugin prerelease validation`<br />**Child workflow:** `Plugin Prerelease`<br />**Proves:** release-only plugin static checks, agentic plugin coverage, full extension batch shards, plugin prerelease Docker lanes, and a non-blocking `plugin-inspector-advisory` artifact for compatibility triage.<br />**Rerun:** `rerun_group=plugin-prerelease`.                                                                          |
+| Release checks       | **Job:** `Run release/live/Docker/QA validation`<br />**Child workflow:** `OpenClaw Release Checks`<br />**Proves:** install smoke, cross-OS package checks, Package Acceptance, QA Lab parity, live Matrix, and live Telegram. With `run_release_soak=true` or `release_profile=full`, also runs exhaustive live/E2E suites and Docker release-path chunks.<br />**Rerun:** `rerun_group=release-checks` or a narrower release-checks handle. |
+| Package artifact     | **Job:** `Prepare release package artifact`<br />**Child workflow:** none<br />**Proves:** creates the parent `release-package-under-test` tarball early enough for package-facing checks that do not need to wait for `OpenClaw Release Checks`.<br />**Rerun:** rerun the umbrella or provide `release_package_spec` for published-package reruns.                                                                                           |
+| Package Telegram     | **Job:** `Run package Telegram E2E`<br />**Child workflow:** `NPM Telegram Beta E2E`<br />**Proves:** parent-artifact-backed Telegram package proof for `rerun_group=all` with `release_profile=full`, or published-package Telegram proof when `release_package_spec` or `npm_telegram_package_spec` is set.<br />**Rerun:** `rerun_group=npm-telegram` with `release_package_spec` or `npm_telegram_package_spec`.                           |
+| Umbrella verifier    | **Job:** `Verify full validation`<br />**Child workflow:** none<br />**Proves:** re-checks recorded child run conclusions and appends slowest-job tables from child workflows.<br />**Rerun:** rerun only this job after rerunning a failed child to green.                                                                                                                                                                                    |

 For `ref=main` and `rerun_group=all`, a newer umbrella supersedes an older one.
 When the parent is cancelled, its monitor cancels any child workflow it already
@@ -105,11 +105,11 @@ commands with package artifact and image reuse inputs when available.

 `release_profile` mostly controls live/provider breadth inside release checks.
 It does not remove normal full CI, Plugin Prerelease, install smoke, package
-acceptance, or QA Lab. Stable and full profiles always run exhaustive repo/live
-E2E and Docker release-path soak coverage. The beta profile can opt in with
-`run_release_soak=true`. The full profile also makes the umbrella run package
-Telegram E2E against the parent release package artifact when `rerun_group=all`,
-so a full pre-publish candidate does not silently skip that Telegram package lane.
+acceptance, or QA Lab. For `stable`, exhaustive repo/live E2E and Docker
+release-path chunks are soak coverage and run when `run_release_soak=true`.
+`full` forces soak coverage on and also makes the umbrella run package Telegram
+E2E against the parent release package artifact when `rerun_group=all`, so a full
+pre-publish candidate does not silently skip that Telegram package lane.

 | Profile   | Intended use                      | Included live/provider coverage                                                                                                                                                     |
 | --------- | --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
--- a/extensions/codex/openclaw.plugin.json
+++ b/extensions/codex/openclaw.plugin.json
@@ -221,7 +221,7 @@
                "type": "object",
                "additionalProperties": {
                  "type": "string",
-                  "enum": ["allow", "deny"]
+                  "enum": ["allow", "none"]
                }
              },
              "proxyUrl": { "type": "string" },
@@ -453,7 +453,7 @@
    },
    "appServer.networkProxy.unixSockets": {
      "label": "Unix Sockets",
-      "help": "Unix socket allow and deny rules for Codex sandboxed networking.",
+      "help": "Unix socket allow and none rules for Codex sandboxed networking.",
      "advanced": true
    },
    "appServer.networkProxy.proxyUrl": {
--- a/extensions/codex/src/app-server/config.test.ts
+++ b/extensions/codex/src/app-server/config.test.ts
@@ -156,7 +156,7 @@ describe("Codex app-server config", () => {
            },
            unixSockets: {
              " /tmp/mock-proxy.sock ": "allow",
-              "/tmp/blocked.sock": "deny",
+              "/tmp/blocked.sock": "none",
            },
            proxyUrl: "http://127.0.0.1:3128",
            socksUrl: "socks5h://127.0.0.1:8081",
@@ -183,7 +183,7 @@ describe("Codex app-server config", () => {
          "mock-proxy": {
            filesystem: {
              ":minimal": "read",
-              ":workspace_roots": {
+              ":project_roots": {
                ".": "write",
              },
            },
@@ -196,7 +196,7 @@ describe("Codex app-server config", () => {
              },
              unix_sockets: {
                "/tmp/mock-proxy.sock": "allow",
-                "/tmp/blocked.sock": "deny",
+                "/tmp/blocked.sock": "none",
              },
              proxy_url: "http://127.0.0.1:3128",
              socks_url: "socks5h://127.0.0.1:8081",
@@ -229,12 +229,12 @@ describe("Codex app-server config", () => {
    const profileName = runtime.networkProxy?.profileName;
    const permissions = runtime.networkProxy?.configPatch.permissions as Record<
      string,
-      { filesystem: { ":workspace_roots": { ".": string } } }
+      { filesystem: { ":project_roots": { ".": string } } }
    >;

    expect(profileName).toMatch(/^openclaw-network-[a-f0-9]{16}$/u);
    expect(runtime.networkProxy?.configPatch.default_permissions).toBe(profileName);
-    expect(permissions[profileName ?? ""]?.filesystem[":workspace_roots"]["."]).toBe("read");
+    expect(permissions[profileName ?? ""]?.filesystem[":project_roots"]["."]).toBe("read");
  });

  it("clamps oversized app-server timer config", () => {
--- a/extensions/codex/src/app-server/config.ts
+++ b/extensions/codex/src/app-server/config.ts
@@ -112,7 +112,7 @@ export type CodexAppServerExperimentalConfig = {
 };

 export type CodexAppServerNetworkProxyDomainPermission = "allow" | "deny";
-export type CodexAppServerNetworkProxyUnixSocketPermission = "allow" | "deny";
+export type CodexAppServerNetworkProxyUnixSocketPermission = "allow" | "none";
 export type CodexAppServerNetworkProxyBaseProfile = "read-only" | "workspace";
 export type CodexAppServerNetworkProxyMode = "limited" | "full";

@@ -310,7 +310,7 @@ const codexAppServerExperimentalSchema = z
  })
  .strict();
 const codexAppServerNetworkProxyDomainPermissionSchema = z.enum(["allow", "deny"]);
-const codexAppServerNetworkProxyUnixSocketPermissionSchema = z.enum(["allow", "deny"]);
+const codexAppServerNetworkProxyUnixSocketPermissionSchema = z.enum(["allow", "none"]);
 const codexAppServerNetworkProxySchema = z
  .object({
    enabled: z.boolean().optional(),
@@ -908,7 +908,7 @@ function resolveCodexAppServerNetworkProxy(
  const profile = {
    filesystem: {
      ":minimal": "read",
-      ":workspace_roots": {
+      ":project_roots": {
        ".": fileSystemMode,
      },
    },
--- a/extensions/codex/src/app-server/protocol-generated/json/v2/ThreadResumeResponse.json
+++ b/extensions/codex/src/app-server/protocol-generated/json/v2/ThreadResumeResponse.json
@@ -1055,14 +1055,6 @@
          "description": "Usually the first user message in the thread, if available.",
          "type": "string"
        },
-        "recencyAt": {
-          "description": "Unix timestamp (in seconds) used for thread recency ordering.",
-          "format": "int64",
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
        "sessionId": {
          "description": "Session id shared by threads that belong to the same session tree.",
          "type": "string"
--- a/extensions/codex/src/app-server/protocol-generated/json/v2/ThreadStartResponse.json
+++ b/extensions/codex/src/app-server/protocol-generated/json/v2/ThreadStartResponse.json
@@ -1055,14 +1055,6 @@
          "description": "Usually the first user message in the thread, if available.",
          "type": "string"
        },
-        "recencyAt": {
-          "description": "Unix timestamp (in seconds) used for thread recency ordering.",
-          "format": "int64",
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
        "sessionId": {
          "description": "Session id shared by threads that belong to the same session tree.",
          "type": "string"
--- a/extensions/codex/src/app-server/side-question.test.ts
+++ b/extensions/codex/src/app-server/side-question.test.ts
@@ -1182,7 +1182,7 @@ describe("runCodexAppServerSideQuestion", () => {
        "side-proxy": {
          filesystem: {
            ":minimal": "read",
-            ":workspace_roots": { ".": "write" },
+            ":project_roots": { ".": "write" },
          },
          network: {
            enabled: true,
--- a/extensions/codex/src/app-server/thread-lifecycle.binding.test.ts
+++ b/extensions/codex/src/app-server/thread-lifecycle.binding.test.ts
@@ -42,7 +42,7 @@ function createNetworkProxyThreadLifecycleAppServerOptions() {
      "openclaw-network": {
        filesystem: {
          ":minimal": "read",
-          ":workspace_roots": {
+          ":project_roots": {
            ".": "write",
          },
        },
--- a/extensions/codex/src/app-server/thread-lifecycle.test.ts
+++ b/extensions/codex/src/app-server/thread-lifecycle.test.ts
@@ -95,7 +95,7 @@ function createNetworkProxyAppServerOptions() {
      "mock-proxy": {
        filesystem: {
          ":minimal": "read",
-          ":workspace_roots": {
+          ":project_roots": {
            ".": "write",
          },
        },
--- a/extensions/llama-cpp/npm-shrinkwrap.json
+++ b/extensions/llama-cpp/npm-shrinkwrap.json
@@ -1363,9 +1363,9 @@
      }
    },
    "node_modules/semver": {
-      "version": "7.8.4",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.4.tgz",
-      "integrity": "sha512-rUCObTnP32Q08R2uuIrt7r9PlEonuTmtuXYcW6s5kjdlj3xbnwe+21yXptAUYcMAABLkYYTtnmzb3w3EDZfueA==",
+      "version": "7.8.2",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.2.tgz",
+      "integrity": "sha512-c8jsqUZm3omBOI66G90z1Dyw5z622G8oLG+omfsHBJf3CWQTlOcwOjvOG6wtiNfW6anKm/eA39LMwMtMez2TiQ==",
      "license": "ISC",
      "bin": {
        "semver": "bin/semver.js"
--- a/extensions/msteams/npm-shrinkwrap.json
+++ b/extensions/msteams/npm-shrinkwrap.json
@@ -1467,9 +1467,9 @@
      "license": "MIT"
    },
    "node_modules/semver": {
-      "version": "7.8.4",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.4.tgz",
-      "integrity": "sha512-rUCObTnP32Q08R2uuIrt7r9PlEonuTmtuXYcW6s5kjdlj3xbnwe+21yXptAUYcMAABLkYYTtnmzb3w3EDZfueA==",
+      "version": "7.8.2",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.2.tgz",
+      "integrity": "sha512-c8jsqUZm3omBOI66G90z1Dyw5z622G8oLG+omfsHBJf3CWQTlOcwOjvOG6wtiNfW6anKm/eA39LMwMtMez2TiQ==",
      "license": "ISC",
      "bin": {
        "semver": "bin/semver.js"
--- a/extensions/msteams/src/monitor-handler.adaptive-card.test.ts
+++ b/extensions/msteams/src/monitor-handler.adaptive-card.test.ts
@@ -94,12 +94,57 @@ function createActivityHandler() {
  return { handler, run };
 }

+async function runAdaptiveCardInvoke(
+  registered: MSTeamsActivityHandler & {
+    run: NonNullable<MSTeamsActivityHandler["run"]>;
+  },
+  value: unknown,
+) {
+  await registered.run({
+    activity: {
+      id: "invoke-1",
+      type: "invoke",
+      name: "adaptiveCard/action",
+      channelId: "msteams",
+      serviceUrl: "https://service.example.test",
+      from: {
+        id: "user-bf",
+        aadObjectId: "user-aad",
+        name: "User",
+      },
+      recipient: {
+        id: "bot-id",
+        name: "Bot",
+      },
+      conversation: {
+        id: "19:personal-chat;messageid=abc123",
+        conversationType: "personal",
+      },
+      channelData: {},
+      attachments: [],
+      value,
+    },
+    sendActivity: vi.fn(async () => ({ id: "activity-id" })),
+    sendActivities: async () => [],
+  } as unknown as MSTeamsTurnContext);
+}
+
+function lastDispatchedCtxPayload(): Record<string, unknown> {
+  const dispatched = runtimeApiMockState.dispatchReplyFromConfigWithSettledDispatcher.mock.calls.at(
+    -1,
+  )?.[0] as { ctxPayload?: Record<string, unknown> } | undefined;
+  if (!dispatched?.ctxPayload) {
+    throw new Error("expected dispatched context payload");
+  }
+  return dispatched.ctxPayload;
+}
+
 describe("msteams adaptive card action invoke", () => {
  beforeEach(() => {
    runtimeApiMockState.dispatchReplyFromConfigWithSettledDispatcher.mockClear();
  });

-  it("forwards adaptive card invoke values to the agent as message text", async () => {
+  it("forwards adaptive card submitted data to the agent as message text", async () => {
    const deps = createDeps();
    const { handler, run } = createActivityHandler();
    const registered = registerMSTeamsHandlers(handler, deps) as MSTeamsActivityHandler & {
@@ -116,44 +161,117 @@ describe("msteams adaptive card action invoke", () => {
      trigger: "button-click",
    };

-    await registered.run({
-      activity: {
-        id: "invoke-1",
-        type: "invoke",
-        name: "adaptiveCard/action",
-        channelId: "msteams",
-        serviceUrl: "https://service.example.test",
-        from: {
-          id: "user-bf",
-          aadObjectId: "user-aad",
-          name: "User",
-        },
-        recipient: {
-          id: "bot-id",
-          name: "Bot",
-        },
-        conversation: {
-          id: "19:personal-chat;messageid=abc123",
-          conversationType: "personal",
-        },
-        channelData: {},
-        attachments: [],
-        value: payload,
-      },
-      sendActivity: vi.fn(async () => ({ id: "activity-id" })),
-      sendActivities: async () => [],
-    } as unknown as MSTeamsTurnContext);
+    await runAdaptiveCardInvoke(registered, payload);

    expect(run).not.toHaveBeenCalled();
    expect(runtimeApiMockState.dispatchReplyFromConfigWithSettledDispatcher).toHaveBeenCalledTimes(
      1,
    );
-    const dispatched = runtimeApiMockState.dispatchReplyFromConfigWithSettledDispatcher.mock
-      .calls[0]?.[0] as { ctxPayload?: Record<string, unknown> } | undefined;
-    expect(dispatched?.ctxPayload?.RawBody).toBe(JSON.stringify(payload));
-    expect(dispatched?.ctxPayload?.BodyForAgent).toBe(JSON.stringify(payload));
-    expect(dispatched?.ctxPayload?.CommandBody).toBe(JSON.stringify(payload));
-    expect(dispatched?.ctxPayload?.SessionKey).toBe("msteams:direct:user-aad");
-    expect(dispatched?.ctxPayload?.SenderId).toBe("user-aad");
+    const expectedBody = JSON.stringify(payload.action.data);
+    const ctxPayload = lastDispatchedCtxPayload();
+    expect(ctxPayload.RawBody).toBe(expectedBody);
+    expect(ctxPayload.BodyForAgent).toBe(expectedBody);
+    expect(ctxPayload.CommandBody).toBe(expectedBody);
+    expect(ctxPayload.SessionKey).toBe("msteams:direct:user-aad");
+    expect(ctxPayload.SenderId).toBe("user-aad");
+  });
+
+  it("routes Teams imBack actions as the submitted message text", async () => {
+    const deps = createDeps();
+    const { handler } = createActivityHandler();
+    const registered = registerMSTeamsHandlers(handler, deps) as MSTeamsActivityHandler & {
+      run: NonNullable<MSTeamsActivityHandler["run"]>;
+    };
+
+    await runAdaptiveCardInvoke(registered, {
+      action: {
+        type: "Action.Submit",
+        data: { msteams: { type: "imBack", value: "Summarize my last meeting" } },
+      },
+    });
+
+    const ctxPayload = lastDispatchedCtxPayload();
+    expect(ctxPayload.BodyForAgent).toBe("Summarize my last meeting");
+    expect(ctxPayload.CommandBody).toBe("Summarize my last meeting");
+  });
+
+  it("routes typed command submit actions as command text", async () => {
+    const deps = createDeps();
+    const { handler } = createActivityHandler();
+    const registered = registerMSTeamsHandlers(handler, deps) as MSTeamsActivityHandler & {
+      run: NonNullable<MSTeamsActivityHandler["run"]>;
+    };
+
+    await runAdaptiveCardInvoke(registered, {
+      action: {
+        type: "Action.Submit",
+        data: "/codex plugins menu",
+      },
+    });
+
+    const ctxPayload = lastDispatchedCtxPayload();
+    expect(ctxPayload.BodyForAgent).toBe("/codex plugins menu");
+    expect(ctxPayload.CommandBody).toBe("/codex plugins menu");
+  });
+
+  it("preserves legacy presentation submit values as structured data", async () => {
+    const deps = createDeps();
+    const { handler } = createActivityHandler();
+    const registered = registerMSTeamsHandlers(handler, deps) as MSTeamsActivityHandler & {
+      run: NonNullable<MSTeamsActivityHandler["run"]>;
+    };
+    const data = { value: "/codex permissions yolo", label: "Run" };
+
+    await runAdaptiveCardInvoke(registered, {
+      action: {
+        type: "Action.Submit",
+        data,
+      },
+    });
+
+    const ctxPayload = lastDispatchedCtxPayload();
+    expect(ctxPayload.BodyForAgent).toBe(JSON.stringify(data));
+    expect(ctxPayload.CommandBody).toBe(JSON.stringify(data));
+  });
+
+  it("preserves arbitrary submitted data with a value field", async () => {
+    const deps = createDeps();
+    const { handler } = createActivityHandler();
+    const registered = registerMSTeamsHandlers(handler, deps) as MSTeamsActivityHandler & {
+      run: NonNullable<MSTeamsActivityHandler["run"]>;
+    };
+    const data = { value: "selected", formId: "deploy-approval", choices: ["canary"] };
+
+    await runAdaptiveCardInvoke(registered, {
+      action: {
+        type: "Action.Submit",
+        data,
+      },
+    });
+
+    const ctxPayload = lastDispatchedCtxPayload();
+    expect(ctxPayload.BodyForAgent).toBe(JSON.stringify(data));
+    expect(ctxPayload.CommandBody).toBe(JSON.stringify(data));
+  });
+
+  it("preserves generic Action.Execute verb metadata", async () => {
+    const deps = createDeps();
+    const { handler } = createActivityHandler();
+    const registered = registerMSTeamsHandlers(handler, deps) as MSTeamsActivityHandler & {
+      run: NonNullable<MSTeamsActivityHandler["run"]>;
+    };
+    const payload = {
+      action: {
+        type: "Action.Execute",
+        verb: "ticket.approve",
+        data: { ticketId: "ticket-123" },
+      },
+    };
+
+    await runAdaptiveCardInvoke(registered, payload);
+
+    const ctxPayload = lastDispatchedCtxPayload();
+    expect(ctxPayload.BodyForAgent).toBe(JSON.stringify(payload));
+    expect(ctxPayload.CommandBody).toBe(JSON.stringify(payload));
  });
 });
--- a/extensions/msteams/src/monitor-handler.ts
+++ b/extensions/msteams/src/monitor-handler.ts
@@ -1,5 +1,9 @@
 // Msteams plugin module implements monitor handler behavior.
-import { normalizeOptionalLowercaseString } from "openclaw/plugin-sdk/string-coerce-runtime";
+import {
+  isRecord,
+  normalizeOptionalLowercaseString,
+  normalizeOptionalString,
+} from "openclaw/plugin-sdk/string-coerce-runtime";
 import { formatUnknownError } from "./errors.js";
 import { resolveMSTeamsSenderAccess } from "./monitor-handler/access.js";
 import { createMSTeamsMessageHandler } from "./monitor-handler/message-handler.js";
@@ -25,16 +29,43 @@ export type MSTeamsActivityHandler = {
  run?: (context: unknown) => Promise<void>;
 };

+function extractAdaptiveCardSubmittedData(value: unknown): unknown {
+  if (!isRecord(value)) {
+    return value;
+  }
+  const action = isRecord(value.action) ? value.action : undefined;
+  if (action && normalizeOptionalLowercaseString(action.type) === "action.submit" && "data" in action) {
+    return action.data;
+  }
+  return value;
+}
+
+function readMSTeamsImBackValue(value: unknown): string | null {
+  if (!isRecord(value)) {
+    return null;
+  }
+  const msteams = isRecord(value.msteams) ? value.msteams : undefined;
+  if (!msteams || normalizeOptionalLowercaseString(msteams.type) !== "imback") {
+    return null;
+  }
+  return normalizeOptionalString(msteams.value) ?? null;
+}
+
 function serializeAdaptiveCardActionValue(value: unknown): string | null {
-  if (typeof value === "string") {
-    const trimmed = value.trim();
+  const submittedValue = extractAdaptiveCardSubmittedData(value);
+  if (typeof submittedValue === "string") {
+    const trimmed = submittedValue.trim();
    return trimmed ? trimmed : null;
  }
-  if (value === undefined) {
+  const imBackValue = readMSTeamsImBackValue(submittedValue);
+  if (imBackValue) {
+    return imBackValue;
+  }
+  if (submittedValue == null) {
    return null;
  }
  try {
-    return JSON.stringify(value);
+    return JSON.stringify(submittedValue);
  } catch {
    return null;
  }
--- a/extensions/qa-lab/src/cli.runtime.test.ts
+++ b/extensions/qa-lab/src/cli.runtime.test.ts
@@ -75,6 +75,7 @@ vi.mock("./model-selection.runtime.js", () => ({
 import { resolveRepoRelativeOutputDir } from "./cli-paths.js";
 import {
  runQaLabSelfCheckCommand,
+  runQaCredentialsAddCommand,
  runQaDockerBuildImageCommand,
  runQaDockerScaffoldCommand,
  runQaDockerUpCommand,
@@ -2188,6 +2189,30 @@ describe("qa cli runtime", () => {
    expectWriteContains(stdoutWrite, "QA self-check report: /tmp/failed-report.md");
  });

+  it("rejects oversized credential payload files before broker setup", async () => {
+    const previousMaxBytes = process.env.OPENCLAW_QA_CREDENTIAL_PAYLOAD_MAX_BYTES;
+    const payloadPath = path.join(suiteArtifactsDir, "oversized-credential.json");
+    await fs.writeFile(payloadPath, JSON.stringify({ blob: "x".repeat(64) }), "utf8");
+    process.env.OPENCLAW_QA_CREDENTIAL_PAYLOAD_MAX_BYTES = "32";
+
+    try {
+      await expect(
+        runQaCredentialsAddCommand({
+          kind: "telegram",
+          payloadFile: payloadPath,
+        }),
+      ).rejects.toThrow(
+        "Payload file exceeds OPENCLAW_QA_CREDENTIAL_PAYLOAD_MAX_BYTES (32 bytes).",
+      );
+    } finally {
+      if (previousMaxBytes === undefined) {
+        delete process.env.OPENCLAW_QA_CREDENTIAL_PAYLOAD_MAX_BYTES;
+      } else {
+        process.env.OPENCLAW_QA_CREDENTIAL_PAYLOAD_MAX_BYTES = previousMaxBytes;
+      }
+    }
+  });
+
  it("resolves docker scaffold paths relative to the explicit repo root", async () => {
    await runQaDockerScaffoldCommand({
      repoRoot: "/tmp/openclaw-repo",
--- a/extensions/qa-lab/src/cli.runtime.ts
+++ b/extensions/qa-lab/src/cli.runtime.ts
@@ -2,6 +2,7 @@
 import fs from "node:fs/promises";
 import path from "node:path";
 import { formatErrorMessage } from "openclaw/plugin-sdk/error-runtime";
+import { parseStrictPositiveInteger } from "openclaw/plugin-sdk/number-runtime";
 import { uniqueStrings } from "openclaw/plugin-sdk/string-coerce-runtime";
 import {
  buildQaAgenticParityComparison,
@@ -90,6 +91,8 @@ import {
 } from "./tool-coverage-report.js";

 const QA_SUITE_INFRA_RETRY_LIMIT = 1;
+const QA_CREDENTIAL_PAYLOAD_MAX_BYTES_ENV = "OPENCLAW_QA_CREDENTIAL_PAYLOAD_MAX_BYTES";
+const DEFAULT_QA_CREDENTIAL_PAYLOAD_MAX_BYTES = 64 * 1024 * 1024;
 const QA_SUITE_INFRA_RETRY_NETWORK_ERROR_CODES = new Set([
  "ECONNRESET",
  "ECONNREFUSED",
@@ -543,7 +546,29 @@ async function runInterruptibleServer(label: string, server: InterruptibleServer
  await new Promise(() => {});
 }

+function resolveQaCredentialPayloadFileMaxBytes(env: NodeJS.ProcessEnv = process.env) {
+  const raw = env[QA_CREDENTIAL_PAYLOAD_MAX_BYTES_ENV]?.trim();
+  if (!raw) {
+    return DEFAULT_QA_CREDENTIAL_PAYLOAD_MAX_BYTES;
+  }
+  const parsed = parseStrictPositiveInteger(raw);
+  if (parsed === undefined) {
+    throw new Error(`${QA_CREDENTIAL_PAYLOAD_MAX_BYTES_ENV} must be a positive integer.`);
+  }
+  return parsed;
+}
+
 async function readQaCredentialPayloadFile(filePath: string) {
+  const maxBytes = resolveQaCredentialPayloadFileMaxBytes();
+  const stat = await fs.stat(filePath);
+  if (!stat.isFile()) {
+    throw new Error("Payload file must be a regular JSON file.");
+  }
+  if (stat.size > maxBytes) {
+    throw new Error(
+      `Payload file exceeds ${QA_CREDENTIAL_PAYLOAD_MAX_BYTES_ENV} (${maxBytes} bytes).`,
+    );
+  }
  const text = await fs.readFile(filePath, "utf8");
  let payload: unknown;
  try {
--- a/extensions/slack/npm-shrinkwrap.json
+++ b/extensions/slack/npm-shrinkwrap.json
@@ -1156,9 +1156,9 @@
      "license": "MIT"
    },
    "node_modules/semver": {
-      "version": "7.8.4",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.4.tgz",
-      "integrity": "sha512-rUCObTnP32Q08R2uuIrt7r9PlEonuTmtuXYcW6s5kjdlj3xbnwe+21yXptAUYcMAABLkYYTtnmzb3w3EDZfueA==",
+      "version": "7.8.2",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.2.tgz",
+      "integrity": "sha512-c8jsqUZm3omBOI66G90z1Dyw5z622G8oLG+omfsHBJf3CWQTlOcwOjvOG6wtiNfW6anKm/eA39LMwMtMez2TiQ==",
      "license": "ISC",
      "bin": {
        "semver": "bin/semver.js"
--- a/extensions/telegram/src/format.test.ts
+++ b/extensions/telegram/src/format.test.ts
@@ -424,4 +424,47 @@ describe("markdownToTelegramHtml", () => {
  it("fails loudly when tag overhead leaves no room for text", () => {
    expect(() => splitTelegramHtmlChunks("<b><i><u>x</u></i></b>", 10)).toThrow(/tag overhead/i);
  });
+
+  it("does not split an astral char across the chunk boundary", () => {
+    // Emoji surrogate pair straddles index 10 (limit): high at 9, low at 10.
+    const input = `${"A".repeat(9)}😀${"B".repeat(20)}`;
+    const chunks = splitTelegramHtmlChunks(input, 10);
+    expect(chunks.length).toBeGreaterThan(1);
+    expect(chunks.join("")).toBe(input);
+    for (const chunk of chunks) {
+      expect(containsLoneSurrogate(chunk)).toBe(false);
+    }
+  });
+
+  it("keeps an astral char whole when a positive limit starts on its pair", () => {
+    expect(splitTelegramHtmlChunks("A😀B", 1)).toEqual(["A", "😀", "B"]);
+  });
+
+  it("keeps astral chars whole in rendered Markdown chunks", () => {
+    const chunks = markdownToTelegramChunks("A😀B", 1);
+
+    expect(chunks.map((chunk) => chunk.text)).toEqual(["A", "😀", "B"]);
+    for (const chunk of chunks) {
+      expect(containsLoneSurrogate(chunk.html)).toBe(false);
+      expect(containsLoneSurrogate(chunk.text)).toBe(false);
+    }
+  });
 });
+
+function containsLoneSurrogate(text: string): boolean {
+  for (let index = 0; index < text.length; index += 1) {
+    const code = text.charCodeAt(index);
+    const isHigh = code >= 0xd800 && code <= 0xdbff;
+    const isLow = code >= 0xdc00 && code <= 0xdfff;
+    if (isHigh) {
+      const next = text.charCodeAt(index + 1);
+      if (!(next >= 0xdc00 && next <= 0xdfff)) {
+        return true;
+      }
+      index += 1;
+    } else if (isLow) {
+      return true;
+    }
+  }
+  return false;
+}
--- a/extensions/telegram/src/format.ts
+++ b/extensions/telegram/src/format.ts
@@ -1070,11 +1070,30 @@ function findTelegramHtmlEntityEnd(text: string, start: number): number {
  return text[index] === ";" ? index : -1;
 }

+// Never return a split index that lands between a UTF-16 surrogate pair, or
+// both chunks would carry a lone surrogate that re-encodes to U+FFFD. If the
+// pair starts the segment, keep it whole so chunking still advances.
+function clampToSurrogateBoundary(text: string, index: number): number {
+  const high = text.charCodeAt(index - 1);
+  const low = text.charCodeAt(index);
+  const splitsPair =
+    index > 0 && high >= 0xd800 && high <= 0xdbff && low >= 0xdc00 && low <= 0xdfff;
+  if (!splitsPair) {
+    return index;
+  }
+  return index > 1 ? index - 1 : index + 1;
+}
+
 function findTelegramHtmlSafeSplitIndex(text: string, maxLength: number): number {
  if (text.length <= maxLength) {
    return text.length;
  }
  const normalizedMaxLength = Math.max(1, Math.floor(maxLength));
+  const splitIndex = findTelegramHtmlEntitySafeSplitIndex(text, normalizedMaxLength);
+  return clampToSurrogateBoundary(text, splitIndex);
+}
+
+function findTelegramHtmlEntitySafeSplitIndex(text: string, normalizedMaxLength: number): number {
  const lastAmpersand = text.lastIndexOf("&", normalizedMaxLength - 1);
  if (lastAmpersand === -1) {
    return normalizedMaxLength;
--- a/extensions/telegram/src/send.chunks.test.ts
+++ b/extensions/telegram/src/send.chunks.test.ts
@@ -0,0 +1,57 @@
+// Telegram tests cover plain-text chunk-splitting behavior.
+import { describe, expect, it } from "vitest";
+import { splitTelegramPlainTextChunksForTests } from "./send.js";
+
+function containsLoneSurrogate(text: string): boolean {
+  for (let index = 0; index < text.length; index += 1) {
+    const code = text.charCodeAt(index);
+    const isHigh = code >= 0xd800 && code <= 0xdbff;
+    const isLow = code >= 0xdc00 && code <= 0xdfff;
+    if (isHigh) {
+      const next = text.charCodeAt(index + 1);
+      if (!(next >= 0xdc00 && next <= 0xdfff)) {
+        return true;
+      }
+      index += 1;
+    } else if (isLow) {
+      return true;
+    }
+  }
+  return false;
+}
+
+describe("splitTelegramPlainTextChunks", () => {
+  it("does not split an astral char across the chunk boundary", () => {
+    // Emoji surrogate pair straddles index 10 (limit): high at 9, low at 10.
+    const input = `${"A".repeat(9)}😀${"B".repeat(20)}`;
+    const chunks = splitTelegramPlainTextChunksForTests(input, 10);
+    expect(chunks.length).toBeGreaterThan(1);
+    expect(chunks.join("")).toBe(input);
+    for (const chunk of chunks) {
+      expect(containsLoneSurrogate(chunk)).toBe(false);
+    }
+  });
+
+  it("does not hang when limit=1 and text starts with an astral char", () => {
+    // Regression: with limit=1 the clamp would return start (no advance),
+    // causing the while-loop to spin forever. The surrogate pair must be
+    // emitted as a unit (2 code units) so the loop always advances.
+    const input = "😀X";
+    const chunks = splitTelegramPlainTextChunksForTests(input, 1);
+    expect(chunks.join("")).toBe(input);
+    for (const chunk of chunks) {
+      expect(containsLoneSurrogate(chunk)).toBe(false);
+    }
+  });
+
+  it("does not hang when limit=1 and an astral char appears mid-string at a chunk boundary", () => {
+    // 'A' + emoji: with limit=1, second iteration starts at index 1 (high
+    // surrogate) — same stall condition as above, now mid-string.
+    const input = "A😀B";
+    const chunks = splitTelegramPlainTextChunksForTests(input, 1);
+    expect(chunks.join("")).toBe(input);
+    for (const chunk of chunks) {
+      expect(containsLoneSurrogate(chunk)).toBe(false);
+    }
+  });
+});
--- a/extensions/telegram/src/send.ts
+++ b/extensions/telegram/src/send.ts
@@ -179,14 +179,40 @@ function resolveTelegramMessageIdOrThrow(
  throw new Error(`Telegram ${context} returned no message_id`);
 }

+// Pull a chunk end back off a UTF-16 surrogate pair so neither chunk carries a
+// lone surrogate that re-encodes to U+FFFD. Mirrors the guard in
+// bot/native-quote.ts `truncateUtf16Safe`; shared by both plain-text splitters.
+//
+// `start` is the beginning of the current chunk — the return value is
+// guaranteed to be > start, so callers that loop on `start = end` always
+// advance. When clamping would land on `start` (i.e. the surrogate pair begins
+// exactly at `start`), we emit both surrogates together (end = start + 2)
+// rather than emitting a lone surrogate or stalling.
+function surrogateSafeChunkEnd(text: string, end: number, start: number): number {
+  const high = text.charCodeAt(end - 1);
+  const low = text.charCodeAt(end);
+  const splitsPair = end > 0 && high >= 0xd800 && high <= 0xdbff && low >= 0xdc00 && low <= 0xdfff;
+  if (!splitsPair) {
+    return end;
+  }
+  const clamped = end - 1;
+  // Guard: never return an index that would stall the loop. If clamped equals
+  // start the surrogate pair's high unit is the very first char of this chunk;
+  // emit both surrogates together instead of splitting or stalling.
+  return clamped > start ? clamped : start + 2;
+}
+
 function splitTelegramPlainTextChunks(text: string, limit: number): string[] {
  if (!text) {
    return [];
  }
  const normalizedLimit = Math.max(1, Math.floor(limit));
  const chunks: string[] = [];
-  for (let start = 0; start < text.length; start += normalizedLimit) {
-    chunks.push(text.slice(start, start + normalizedLimit));
+  let start = 0;
+  while (start < text.length) {
+    const end = surrogateSafeChunkEnd(text, start + normalizedLimit, start);
+    chunks.push(text.slice(start, end));
+    start = end;
  }
  return chunks;
 }
@@ -209,12 +235,19 @@ function splitTelegramPlainTextFallback(text: string, chunkCount: number, limit:
      remainingChunks === 1
        ? remainingChars
        : Math.min(normalizedLimit, Math.ceil(remainingChars / remainingChunks));
-    chunks.push(text.slice(offset, offset + nextChunkLength));
-    offset += nextChunkLength;
+    const end = surrogateSafeChunkEnd(text, offset + nextChunkLength, offset);
+    chunks.push(text.slice(offset, end));
+    offset = end;
  }
  return chunks;
 }

+// Test-only handle: the plain-text splitter is internal, but its surrogate-safe
+// chunk boundary needs direct behavior coverage.
+export function splitTelegramPlainTextChunksForTests(text: string, limit: number): string[] {
+  return splitTelegramPlainTextChunks(text, limit);
+}
+
 function logTelegramOutboundSendOk(params: TelegramOutboundSuccessLogParams): void {
  const parts = [
    "telegram outbound send ok",
--- a/extensions/telegram/src/telegram-outbound.test.ts
+++ b/extensions/telegram/src/telegram-outbound.test.ts
@@ -43,6 +43,17 @@ describe("telegramPlugin outbound", () => {
    expect(telegramOutbound.chunker?.(text, 4000)).toEqual([text]);
  });

+  it("keeps astral characters whole at positive configured chunk limits", () => {
+    clearTelegramRuntime();
+
+    expect(telegramOutbound.chunker?.("A😀B", 1)).toEqual(["A", "😀", "B"]);
+    expect(telegramOutbound.chunker?.("A😀B", 1, { formatting: { parseMode: "HTML" } })).toEqual([
+      "A",
+      "😀",
+      "B",
+    ]);
+  });
+
  it("preserves markdown tables for the configured delivery renderer", () => {
    clearTelegramRuntime();
    const text = ["| Name | Value |", "|------|-------|", "| A | 1 |"].join("\n");
--- a/extensions/zalouser/npm-shrinkwrap.json
+++ b/extensions/zalouser/npm-shrinkwrap.json
@@ -348,9 +348,9 @@
      "license": "MIT"
    },
    "node_modules/semver": {
-      "version": "7.8.4",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.4.tgz",
-      "integrity": "sha512-rUCObTnP32Q08R2uuIrt7r9PlEonuTmtuXYcW6s5kjdlj3xbnwe+21yXptAUYcMAABLkYYTtnmzb3w3EDZfueA==",
+      "version": "7.8.2",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.2.tgz",
+      "integrity": "sha512-c8jsqUZm3omBOI66G90z1Dyw5z622G8oLG+omfsHBJf3CWQTlOcwOjvOG6wtiNfW6anKm/eA39LMwMtMez2TiQ==",
      "license": "ISC",
      "bin": {
        "semver": "bin/semver.js"
--- a/package.json
+++ b/package.json
@@ -1432,7 +1432,7 @@
  "scripts": {
    "android:assemble": "node scripts/run-android-gradle.mjs :app:assemblePlayDebug",
    "android:assemble:third-party": "node scripts/run-android-gradle.mjs :app:assembleThirdPartyDebug",
-    "android:bundle:release": "bun apps/android/scripts/build-release-artifacts.ts",
+    "android:bundle:release": "bash -lc 'source ./scripts/lib/android-fastlane.sh && cd apps/android && run_android_fastlane android play_store_archive'",
    "android:format": "cd apps/android && ./gradlew :app:ktlintFormat :benchmark:ktlintFormat",
    "android:install": "node scripts/run-android-gradle.mjs :app:installPlayDebug",
    "android:install:third-party": "node scripts/run-android-gradle.mjs :app:installThirdPartyDebug",
@@ -1441,9 +1441,14 @@
    "android:run": "node scripts/run-android-gradle.mjs :app:installPlayDebug -- adb shell am start -n ai.openclaw.app/.MainActivity",
    "android:run:third-party": "node scripts/run-android-gradle.mjs :app:installThirdPartyDebug -- adb shell am start -n ai.openclaw.app/.MainActivity",
    "android:release": "bash scripts/android-release.sh",
-    "android:release:archive": "bun apps/android/scripts/build-release-artifacts.ts",
+    "android:release:archive": "bash -lc 'source ./scripts/lib/android-fastlane.sh && cd apps/android && run_android_fastlane android play_store_archive'",
    "android:release:auth:check": "bash -lc 'source ./scripts/lib/android-fastlane.sh && cd apps/android && run_android_fastlane android auth_check'",
    "android:release:metadata": "bash -lc 'source ./scripts/lib/android-fastlane.sh && cd apps/android && run_android_fastlane android metadata'",
+    "android:release:preflight": "bash -lc 'source ./scripts/lib/android-fastlane.sh && cd apps/android && run_android_fastlane android release_preflight'",
+    "android:release:signing:check": "bash -lc 'source ./scripts/lib/android-fastlane.sh && cd apps/android && run_android_fastlane android signing_check'",
+    "android:release:signing:plan": "bash -lc 'source ./scripts/lib/android-fastlane.sh && cd apps/android && run_android_fastlane android signing_plan'",
+    "android:release:signing:sync:pull": "bash -lc 'source ./scripts/lib/android-fastlane.sh && cd apps/android && run_android_fastlane android signing_sync_pull'",
+    "android:release:signing:sync:push": "bash -lc 'source ./scripts/lib/android-fastlane.sh && cd apps/android && run_android_fastlane android signing_sync_push'",
    "android:release:upload": "bash scripts/android-release-upload.sh",
    "android:screenshots": "bash scripts/android-screenshots.sh",
    "android:test": "node scripts/run-android-gradle.mjs :app:testPlayDebugUnitTest",
@@ -1977,7 +1982,6 @@
    "oxlint-tsgolint": "0.23.0",
    "shiki": "4.1.0",
    "signal-utils": "0.21.1",
-    "sigstore": "4.1.1",
    "tsdown": "0.22.1",
    "tsx": "4.22.3",
    "unrun": "0.3.0",
--- a/packages/agent-core/src/harness/agent-harness.ts
+++ b/packages/agent-core/src/harness/agent-harness.ts
@@ -825,7 +825,9 @@ export class CoreAgentHarness<
        throw new AgentHarnessError("auth", "No auth available for compaction");
      }
      const branchEntries = await this.session.getBranch();
-      const preparationResult = prepareCompaction(branchEntries, DEFAULT_COMPACTION_SETTINGS);
+      const preparationResult = prepareCompaction(branchEntries, DEFAULT_COMPACTION_SETTINGS, {
+        force: true,
+      });
      if (!preparationResult.ok) {
        throw preparationResult.error;
      }
--- a/packages/agent-core/src/harness/compaction/compaction.test.ts
+++ b/packages/agent-core/src/harness/compaction/compaction.test.ts
@@ -1,7 +1,9 @@
 import { describe, expect, it, vi } from "vitest";
 import { createAssistantMessageEventStream } from "../../llm.js";
 import type { AssistantMessage, Model, StreamFn } from "../../llm.js";
-import { generateSummary } from "./compaction.js";
+import { buildSessionContext } from "../session/session.js";
+import type { SessionTreeEntry } from "../types.js";
+import { DEFAULT_COMPACTION_SETTINGS, prepareCompaction, generateSummary } from "./compaction.js";

 describe("generateSummary thinking options", () => {
  it("maps explicit Fable off to low effort for compaction", async () => {
@@ -60,3 +62,197 @@ describe("generateSummary thinking options", () => {
    expect(streamFn).toHaveBeenCalledOnce();
  });
 });
+
+describe("prepareCompaction", () => {
+  function createHighUsageSmallTranscriptEntries(): SessionTreeEntry[] {
+    return [
+      {
+        type: "message",
+        id: "user-1",
+        parentId: null,
+        timestamp: "2026-06-17T08:45:00.000Z",
+        message: { role: "user", content: "What do you see in your history?", timestamp: 1 },
+      },
+      {
+        type: "message",
+        id: "assistant-1",
+        parentId: "user-1",
+        timestamp: "2026-06-17T08:45:10.000Z",
+        message: {
+          role: "assistant",
+          content: [{ type: "text", text: "Stored." }],
+          api: "openai-responses",
+          provider: "openai",
+          model: "gpt-test",
+          usage: {
+            input: 625,
+            output: 6,
+            cacheRead: 172_928,
+            cacheWrite: 0,
+            totalTokens: 173_559,
+            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, total: 0 },
+          },
+          stopReason: "stop",
+          timestamp: 2,
+        },
+      },
+    ];
+  }
+
+  it("skips automatic no-op summaries when usage is high but transcript text is below the kept-tail budget", () => {
+    const entries = createHighUsageSmallTranscriptEntries();
+
+    const preparation = prepareCompaction(entries, DEFAULT_COMPACTION_SETTINGS);
+
+    expect(preparation).toEqual({ ok: true, value: undefined });
+  });
+
+  it("forces manual preparation when usage is high but transcript text is below the kept-tail budget", () => {
+    const entries = createHighUsageSmallTranscriptEntries();
+
+    const preparation = prepareCompaction(entries, DEFAULT_COMPACTION_SETTINGS, { force: true });
+
+    expect(preparation).toEqual({
+      ok: true,
+      value: expect.objectContaining({
+        firstKeptEntryId: "assistant-1",
+        messagesToSummarize: entries.map((entry) =>
+          entry.type === "message" ? entry.message : undefined,
+        ),
+        tokensBefore: 173_559,
+        turnPrefixMessages: [],
+      }),
+    });
+  });
+
+  it("anchors a forced boundary on the assistant tool call, not a trailing tool result", () => {
+    const entries: SessionTreeEntry[] = [
+      {
+        type: "message",
+        id: "user-1",
+        parentId: null,
+        timestamp: "2026-06-17T08:45:00.000Z",
+        message: { role: "user", content: "Read the notes file.", timestamp: 1 },
+      },
+      {
+        type: "message",
+        id: "assistant-1",
+        parentId: "user-1",
+        timestamp: "2026-06-17T08:45:10.000Z",
+        message: {
+          role: "assistant",
+          content: [
+            { type: "toolCall", id: "call-1", name: "read_file", arguments: { path: "notes.md" } },
+          ],
+          api: "openai-responses",
+          provider: "openai",
+          model: "gpt-test",
+          usage: {
+            input: 625,
+            output: 6,
+            cacheRead: 172_928,
+            cacheWrite: 0,
+            totalTokens: 173_559,
+            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, total: 0 },
+          },
+          stopReason: "toolUse",
+          timestamp: 2,
+        },
+      },
+      {
+        type: "message",
+        id: "tool-1",
+        parentId: "assistant-1",
+        timestamp: "2026-06-17T08:45:11.000Z",
+        message: {
+          role: "toolResult",
+          toolCallId: "call-1",
+          toolName: "read_file",
+          content: [{ type: "text", text: "notes body" }],
+          isError: false,
+          timestamp: 3,
+        },
+      },
+    ];
+
+    const preparation = prepareCompaction(entries, DEFAULT_COMPACTION_SETTINGS, { force: true });
+
+    // Anchor must be the assistant that owns the tool call, never the trailing
+    // tool result, or the rebuilt context would replay an orphaned tool result.
+    expect(preparation).toEqual({
+      ok: true,
+      value: expect.objectContaining({ firstKeptEntryId: "assistant-1" }),
+    });
+
+    const compactedContext = buildSessionContext([
+      ...entries,
+      {
+        type: "compaction",
+        id: "compaction-1",
+        parentId: "tool-1",
+        timestamp: "2026-06-17T08:45:20.000Z",
+        summary: "Checkpoint of the file read.",
+        firstKeptEntryId: "assistant-1",
+        tokensBefore: 173_559,
+      },
+    ]);
+    expect(compactedContext.messages.map((message) => message.role)).toEqual([
+      "compactionSummary",
+      "assistant",
+      "toolResult",
+    ]);
+  });
+
+  it("shows why the old empty-summary compaction replayed the whole transcript", () => {
+    const entries: SessionTreeEntry[] = [
+      {
+        type: "message",
+        id: "user-1",
+        parentId: null,
+        timestamp: "2026-06-17T08:45:00.000Z",
+        message: { role: "user", content: "What do you see in your history?", timestamp: 1 },
+      },
+      {
+        type: "message",
+        id: "assistant-1",
+        parentId: "user-1",
+        timestamp: "2026-06-17T08:45:10.000Z",
+        message: {
+          role: "assistant",
+          content: [{ type: "text", text: "Stored." }],
+          api: "openai-responses",
+          provider: "openai",
+          model: "gpt-test",
+          usage: {
+            input: 625,
+            output: 6,
+            cacheRead: 172_928,
+            cacheWrite: 0,
+            totalTokens: 173_559,
+            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, total: 0 },
+          },
+          stopReason: "stop",
+          timestamp: 2,
+        },
+      },
+    ];
+
+    const compactedContext = buildSessionContext([
+      ...entries,
+      {
+        type: "compaction",
+        id: "compaction-1",
+        parentId: "assistant-1",
+        timestamp: "2026-06-17T08:45:20.000Z",
+        summary: "No prior conversation content provided.",
+        firstKeptEntryId: "user-1",
+        tokensBefore: 173_559,
+      },
+    ]);
+    expect(compactedContext.messages.map((message) => message.role)).toEqual([
+      "compactionSummary",
+      "user",
+      "assistant",
+    ]);
+  });
+});
--- a/packages/agent-core/src/harness/compaction/compaction.ts
+++ b/packages/agent-core/src/harness/compaction/compaction.ts
@@ -626,10 +626,16 @@ export interface CompactionPreparation {
  settings: CompactionSettings;
 }

+export interface CompactionPreparationOptions {
+  /** Prepare a real summary even when the kept-tail heuristic would otherwise summarize nothing. */
+  force?: boolean;
+}
+
 /** Prepare session entries for compaction, or return undefined when compaction is not applicable. */
 export function prepareCompaction(
  pathEntries: SessionTreeEntry[],
  settings: CompactionSettings,
+  options: CompactionPreparationOptions = {},
 ): Result<CompactionPreparation | undefined, CompactionError> {
  if (pathEntries.length === 0 || pathEntries[pathEntries.length - 1].type === "compaction") {
    return ok(undefined);
@@ -686,6 +692,41 @@ export function prepareCompaction(
      }
    }
  }
+  if (messagesToSummarize.length === 0 && turnPrefixMessages.length === 0) {
+    if (options.force === true) {
+      const forcedMessagesToSummarize: AgentMessage[] = [];
+      for (let i = boundaryStart; i < boundaryEnd; i++) {
+        const msg = getMessageFromEntryForCompaction(pathEntries[i]);
+        if (msg) {
+          forcedMessagesToSummarize.push(msg);
+        }
+      }
+      // Anchor the kept tail on the last valid cut point, not the raw final entry.
+      // findValidCutPoints excludes tool results, so a forced boundary that is not
+      // collapsed to summary-only later never keeps an orphaned tool result.
+      const forcedCutPoints = findValidCutPoints(pathEntries, boundaryStart, boundaryEnd);
+      const forcedKeepIndex =
+        forcedCutPoints.length > 0 ? forcedCutPoints[forcedCutPoints.length - 1] : -1;
+      if (forcedMessagesToSummarize.length > 0 && forcedKeepIndex >= 0) {
+        const forcedFileOps = extractFileOperations(
+          forcedMessagesToSummarize,
+          pathEntries,
+          prevCompactionIndex,
+        );
+        return ok({
+          firstKeptEntryId: pathEntries[forcedKeepIndex].id,
+          messagesToSummarize: forcedMessagesToSummarize,
+          turnPrefixMessages: [],
+          isSplitTurn: false,
+          tokensBefore,
+          previousSummary,
+          fileOps: forcedFileOps,
+          settings,
+        });
+      }
+    }
+    return ok(undefined);
+  }
  const fileOps = extractFileOperations(messagesToSummarize, pathEntries, prevCompactionIndex);
  if (cutPoint.isSplitTurn) {
    for (const msg of turnPrefixMessages) {
--- a/packages/agent-core/src/index.ts
+++ b/packages/agent-core/src/index.ts
@@ -46,6 +46,7 @@ export {
  shouldCompact,
  type CompactionDetails,
  type CompactionPreparation,
+  type CompactionPreparationOptions,
  type CompactionResult,
  type CompactionSettings,
  type ContextUsageEstimate,
--- a/packages/markdown-core/src/chunk-text.ts
+++ b/packages/markdown-core/src/chunk-text.ts
@@ -42,6 +42,23 @@ function scanParenAwareBreakpoints(text: string): { lastNewline: number; lastWhi
  return { lastNewline, lastWhitespace };
 }

+/**
+ * Keeps UTF-16 chunk boundaries from separating a supplementary-plane character.
+ * A one-unit positive limit still needs to emit an entire surrogate pair.
+ */
+export function avoidTrailingHighSurrogateBreak(text: string, start: number, end: number): number {
+  if (
+    end >= text.length ||
+    text.charCodeAt(end - 1) < 0xd800 ||
+    text.charCodeAt(end - 1) > 0xdbff ||
+    text.charCodeAt(end) < 0xdc00 ||
+    text.charCodeAt(end) > 0xdfff
+  ) {
+    return end;
+  }
+  return end - 1 > start ? end - 1 : end + 1;
+}
+
 /**
 * Splits plain text into size-bounded chunks at readable boundaries.
 *
@@ -66,7 +83,11 @@ export function chunkText(text: string, limit: number): string[] {
    // Prefer block boundaries, then spaces, then a hard size cut when no
    // readable breakpoint exists inside this window.
    const breakOffset = lastNewline > 0 ? lastNewline : lastWhitespace;
-    const end = breakOffset > 0 ? cursor + breakOffset : windowEnd;
+    const end = avoidTrailingHighSurrogateBreak(
+      text,
+      cursor,
+      breakOffset > 0 ? cursor + breakOffset : windowEnd,
+    );
    chunks.push(text.slice(cursor, end));
    cursor = end;
    while (cursor < text.length && /\s/.test(text[cursor] ?? "")) {
--- a/packages/markdown-core/src/render-aware-chunking.test.ts
+++ b/packages/markdown-core/src/render-aware-chunking.test.ts
@@ -85,6 +85,28 @@ describe("renderMarkdownIRChunksWithinLimit", () => {
    expect(chunks.every((chunk) => chunk.rendered.length <= 1)).toBe(true);
  });

+  it("keeps astral characters whole when a positive limit reaches their pair", () => {
+    const chunks = renderMarkdownIRChunksWithinLimit({
+      ir: markdownToIR("A😀B"),
+      limit: 1,
+      renderChunk: (chunk) => chunk.text,
+      measureRendered: (rendered) => rendered.length,
+    });
+
+    expect(chunks.map((chunk) => chunk.source.text)).toEqual(["A", "😀", "B"]);
+  });
+
+  it("keeps astral characters whole when rendered size requires a retry split", () => {
+    const chunks = renderMarkdownIRChunksWithinLimit({
+      ir: markdownToIR("A😀"),
+      limit: 3,
+      renderChunk: (chunk) => (chunk.text === "A😀" ? "too long" : chunk.text),
+      measureRendered: (rendered) => rendered.length,
+    });
+
+    expect(chunks.map((chunk) => chunk.source.text)).toEqual(["A", "😀"]);
+  });
+
  it("treats Infinity as no size cap and returns a single chunk", () => {
    const text = "one two three four five six seven eight nine ten";
    const ir = markdownToIR(text);
--- a/packages/markdown-core/src/render-aware-chunking.ts
+++ b/packages/markdown-core/src/render-aware-chunking.ts
@@ -1,3 +1,4 @@
+import { avoidTrailingHighSurrogateBreak } from "./chunk-text.js";
 // Markdown Core module implements render aware chunking behavior.
 import {
  chunkMarkdownIR,
@@ -127,10 +128,11 @@ function findLargestChunkTextLengthWithinRenderedLimit<TRendered>(
  // Rendered length is not guaranteed to be monotonic after escaping/link or
  // file-reference rewriting, so test exact candidates from longest to shortest.
  for (let candidateLength = currentTextLength - 1; candidateLength >= 1; candidateLength -= 1) {
-    const candidate = sliceMarkdownIR(chunk, 0, candidateLength);
+    const safeCandidateLength = avoidTrailingHighSurrogateBreak(chunk.text, 0, candidateLength);
+    const candidate = sliceMarkdownIR(chunk, 0, safeCandidateLength);
    const rendered = options.renderChunk(candidate);
    if (options.measureRendered(rendered) <= renderedLimit) {
-      return candidateLength;
+      return safeCandidateLength;
    }
  }
  return 0;
@@ -215,7 +217,7 @@ function findMarkdownIRPreservedSplitIndex(text: string, start: number, limit: n
  if (lastAnyWhitespaceBreak > start) {
    return resolveWhitespaceBreak(lastAnyWhitespaceBreak, lastAnyWhitespaceRunStart);
  }
-  return maxEnd;
+  return avoidTrailingHighSurrogateBreak(text, start, maxEnd);
 }

 function splitMarkdownIRPreserveWhitespace(ir: MarkdownIR, limit: number): MarkdownIR[] {
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -284,9 +284,6 @@ importers:
      signal-utils:
        specifier: 0.21.1
        version: 0.21.1(signal-polyfill@0.2.2)
-      sigstore:
-        specifier: 4.1.1
-        version: 4.1.1
      tsdown:
        specifier: 0.22.1
        version: 0.22.1(@typescript/native-preview@7.0.0-dev.20260527.2)(tsx@4.22.3)(typescript@6.0.3)(unrun@0.3.0)
@@ -7709,131 +7706,6 @@ packages:
  zwitch@2.0.4:
    resolution: {integrity: sha512-bXE4cR/kVZhKZX/RjPEflHaKVhUVl85noU3v6b8apfQEc1x4A+zBxjZ4lN8LqGd6WZ3dl98pY4o717VFmoPp+A==}

-
-  '@gar/promise-retry@1.0.3':
-    resolution: {integrity: sha512-GmzA9ckNokPypTg10pgpeHNQe7ph+iIKKmhKu3Ob9ANkswreCx7R3cKmY781K8QK3AqVL3xVh9A42JvIAbkkSA==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  '@npmcli/agent@4.0.2':
-    resolution: {integrity: sha512-EUEuWAxnL07Sp5/iC/1X6Xj+XThUvnbei9zfRWZdEXa7lss9RTHMhAHBeg+MZ5To9s/gGaSI+UwZTPdYMvKSeg==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  '@npmcli/fs@5.0.0':
-    resolution: {integrity: sha512-7OsC1gNORBEawOa5+j2pXN9vsicaIOH5cPXxoR6fJOmH6/EXpJB2CajXOu1fPRFun2m1lktEFX11+P89hqO/og==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  '@npmcli/redact@4.0.0':
-    resolution: {integrity: sha512-gOBg5YHMfZy+TfHArfVogwgfBeQnKbbGo3pSUyK/gSI0AVu+pEiDVcKlQb0D8Mg1LNRZILZ6XG8I5dJ4KuAd9Q==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  '@sigstore/bundle@4.0.0':
-    resolution: {integrity: sha512-NwCl5Y0V6Di0NexvkTqdoVfmjTaQwoLM236r89KEojGmq/jMls8S+zb7yOwAPdXvbwfKDlP+lmXgAL4vKSQT+A==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  '@sigstore/core@3.2.1':
-    resolution: {integrity: sha512-qRsxPnCrbC/puegGxKuynfnxgLiHqWStrSjxkoB4YKqq3Z3s4cyZyj42ZdWFAEblNP65C+rBH8EuREHIXoi83g==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  '@sigstore/protobuf-specs@0.5.1':
-    resolution: {integrity: sha512-/ScWUhhoFasJsSRGTVBwId1loQjjnjAfE4djL6ZhrXRpNCmPTnUKF5Jokd58ILseOMjzET3UrMOtJPS9sYeI0g==}
-    engines: {node: ^18.17.0 || >=20.5.0}
-
-  '@sigstore/sign@4.1.1':
-    resolution: {integrity: sha512-Hf4xglukg0XXQ2RiD5vSoLjdPe8OBUPA8XeVjUObheuDcWdYWrnH/BNmxZCzkAy68MzmNCxXLeurJvs6hcP2OQ==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  '@sigstore/tuf@4.0.2':
-    resolution: {integrity: sha512-TCAzTy0xzdP79EnxSjq9KQ3eaR7+FmudLC6eRKknVKZbV7ZNlGLClAAQb/HMNJ5n2OBNk2GT1tEmU0xuPr+SLQ==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  '@sigstore/verify@3.1.1':
-    resolution: {integrity: sha512-qv7+G3J2cc6wwFj3yKvXOamzqhMwSk1ogPGmhpS8iXllcPrJaIIBA+4HbttlHVu1pqWTdmaCH/WE7UOC51kdoA==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  '@tufjs/canonical-json@2.0.0':
-    resolution: {integrity: sha512-yVtV8zsdo8qFHe+/3kw81dSLyF7D576A5cCFCi4X7B39tWT7SekaEFUnvnWJHz+9qO7qJTah1JbrDjWKqFtdWA==}
-    engines: {node: ^16.14.0 || >=18.0.0}
-
-  '@tufjs/models@4.1.0':
-    resolution: {integrity: sha512-Y8cK9aggNRsqJVaKUlEYs4s7CvQ1b1ta2DVPyAimb0I2qhzjNk+A+mxvll/klL0RlfuIUei8BF7YWiua4kQqww==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  cacache@20.0.4:
-    resolution: {integrity: sha512-M3Lab8NPYlZU2exsL3bMVvMrMqgwCnMWfdZbK28bn3pK6APT/Te/I8hjRPNu1uwORY9a1eEQoifXbKPQMfMTOA==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  fs-minipass@3.0.3:
-    resolution: {integrity: sha512-XUBA9XClHbnJWSfBzjkm6RvPsyg3sryZt06BEQoXcF7EK/xpGaQYJgQKDJSUH5SGZ76Y7pFx1QBnXz09rU5Fbw==}
-    engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0}
-
-  http-cache-semantics@4.2.0:
-    resolution: {integrity: sha512-dTxcvPXqPvXBQpq5dUr6mEMJX4oIEFv6bwom3FDwKRDsuIjjJGANqhBuoAn9c1RQJIdAKav33ED65E2ys+87QQ==}
-
-  make-fetch-happen@15.0.6:
-    resolution: {integrity: sha512-Je0fLJ0F5atA7F+eIlLzk+Wkcl57JDf4kf+EW8xiP5E31xOQxkIxTbgf1Oi1Lw9tRI9UEMRdI5Vz2xTzoNU1Jw==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  minipass-collect@2.0.1:
-    resolution: {integrity: sha512-D7V8PO9oaz7PWGLbCACuI1qEOsq7UKfLotx/C0Aet43fCUB/wfQ7DYeq2oR/svFJGYDHPr38SHATeaj/ZoKHKw==}
-    engines: {node: '>=16 || 14 >=14.17'}
-
-  minipass-fetch@5.0.2:
-    resolution: {integrity: sha512-2d0q2a8eCi2IRg/IGubCNRJoYbA1+YPXAzQVRFmB45gdGZafyivnZ5YSEfo3JikbjGxOdntGFvBQGqaSMXlAFQ==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  minipass-flush@1.0.7:
-    resolution: {integrity: sha512-TbqTz9cUwWyHS2Dy89P3ocAGUGxKjjLuR9z8w4WUTGAVgEj17/4nhgo2Du56i0Fm3Pm30g4iA8Lcqctc76jCzA==}
-    engines: {node: '>= 8'}
-
-  minipass-pipeline@1.2.4:
-    resolution: {integrity: sha512-xuIq7cIOt09RPRJ19gdi4b+RiNvDFYe5JH+ggNvBqGqpQXcru3PcRmOZuHBKWK1Txf9+cQ+HMVN4d6z46LZP7A==}
-    engines: {node: '>=8'}
-
-  minipass-sized@2.0.0:
-    resolution: {integrity: sha512-zSsHhto5BcUVM2m1LurnXY6M//cGhVaegT71OfOXoprxT6o780GZd792ea6FfrQkuU4usHZIUczAQMRUE2plzA==}
-    engines: {node: '>=8'}
-
-  minipass@3.3.6:
-    resolution: {integrity: sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==}
-    engines: {node: '>=8'}
-
-  p-map@7.0.4:
-    resolution: {integrity: sha512-tkAQEw8ysMzmkhgw8k+1U/iPhWNhykKnSk4Rd5zLoPJCuJaGRPo6YposrZgaxHKzDHdDWWZvE/Sk7hsL2X/CpQ==}
-    engines: {node: '>=18'}
-
-  proc-log@6.1.0:
-    resolution: {integrity: sha512-iG+GYldRf2BQ0UDUAd6JQ/RwzaQy6mXmsk/IzlYyal4A4SNFw54MeH4/tLkF4I5WoWG9SQwuqWzS99jaFQHBuQ==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  semver@7.8.4:
-    resolution: {integrity: sha512-rUCObTnP32Q08R2uuIrt7r9PlEonuTmtuXYcW6s5kjdlj3xbnwe+21yXptAUYcMAABLkYYTtnmzb3w3EDZfueA==}
-    engines: {node: '>=10'}
-    hasBin: true
-
-  sigstore@4.1.1:
-    resolution: {integrity: sha512-endqECJkfhozrXMK5ngu/UAA0xVcVEFdnHJCElGaExypjW+HK5i6zu3NteLoaX/iFbRUbC3+DjttQs0GARr+5w==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  smart-buffer@4.2.0:
-    resolution: {integrity: sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==}
-    engines: {node: '>= 6.0.0', npm: '>= 3.0.0'}
-
-  socks-proxy-agent@8.0.5:
-    resolution: {integrity: sha512-HehCEsotFqbPW9sJ8WVYB6UbmIMv7kUUORIF2Nncq4VQvBfNBLibW9YZR5dlYCSUhwcD628pRllm7n+E+YTzJw==}
-    engines: {node: '>= 14'}
-
-  socks@2.8.9:
-    resolution: {integrity: sha512-LJhUYUvItdQ0LkJTmPeaEObWXAqFyfmP85x0tch/ez9cahmhlBBLbIqDFnvBnUJGagb0JbIQrkBs1wJ+yRYpEw==}
-    engines: {node: '>= 10.0.0', npm: '>= 3.0.0'}
-
-  ssri@13.0.1:
-    resolution: {integrity: sha512-QUiRf1+u9wPTL/76GTYlKttDEBWV1ga9ZXW8BG6kfdeyyM8LGPix9gROyg9V2+P0xNyF3X2Go526xKFdMZrHSQ==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
-  tuf-js@4.1.0:
-    resolution: {integrity: sha512-50QV99kCKH5P/Vs4E2Gzp7BopNV+KzTXqWeaxrfu5IQJBOULRsTIS9seSsOVT8ZnGXzCyx55nYWAi4qJzpZKEQ==}
-    engines: {node: ^20.17.0 || >=22.9.0}
-
 snapshots:

  '@a2ui/lit@0.10.0(signal-polyfill@0.2.2)':
@@ -14208,168 +14080,3 @@ snapshots:
  zod@4.4.3: {}

  zwitch@2.0.4: {}
-
-  '@gar/promise-retry@1.0.3': {}
-
-  '@npmcli/agent@4.0.2':
-    dependencies:
-      agent-base: 7.1.4
-      http-proxy-agent: 7.0.2
-      https-proxy-agent: 7.0.6
-      lru-cache: 11.5.1
-      socks-proxy-agent: 8.0.5
-    transitivePeerDependencies:
-      - supports-color
-
-  '@npmcli/fs@5.0.0':
-    dependencies:
-      semver: 7.8.4
-
-  '@npmcli/redact@4.0.0': {}
-
-  '@sigstore/bundle@4.0.0':
-    dependencies:
-      '@sigstore/protobuf-specs': 0.5.1
-
-  '@sigstore/core@3.2.1': {}
-
-  '@sigstore/protobuf-specs@0.5.1': {}
-
-  '@sigstore/sign@4.1.1':
-    dependencies:
-      '@gar/promise-retry': 1.0.3
-      '@sigstore/bundle': 4.0.0
-      '@sigstore/core': 3.2.1
-      '@sigstore/protobuf-specs': 0.5.1
-      make-fetch-happen: 15.0.6
-      proc-log: 6.1.0
-    transitivePeerDependencies:
-      - supports-color
-
-  '@sigstore/tuf@4.0.2':
-    dependencies:
-      '@sigstore/protobuf-specs': 0.5.1
-      tuf-js: 4.1.0
-    transitivePeerDependencies:
-      - supports-color
-
-  '@sigstore/verify@3.1.1':
-    dependencies:
-      '@sigstore/bundle': 4.0.0
-      '@sigstore/core': 3.2.1
-      '@sigstore/protobuf-specs': 0.5.1
-
-  '@tufjs/canonical-json@2.0.0': {}
-
-  '@tufjs/models@4.1.0':
-    dependencies:
-      '@tufjs/canonical-json': 2.0.0
-      minimatch: 10.2.5
-
-  cacache@20.0.4:
-    dependencies:
-      '@npmcli/fs': 5.0.0
-      fs-minipass: 3.0.3
-      glob: 13.0.6
-      lru-cache: 11.5.1
-      minipass: 7.1.3
-      minipass-collect: 2.0.1
-      minipass-flush: 1.0.7
-      minipass-pipeline: 1.2.4
-      p-map: 7.0.4
-      ssri: 13.0.1
-
-  fs-minipass@3.0.3:
-    dependencies:
-      minipass: 7.1.3
-
-  http-cache-semantics@4.2.0: {}
-
-  make-fetch-happen@15.0.6:
-    dependencies:
-      '@gar/promise-retry': 1.0.3
-      '@npmcli/agent': 4.0.2
-      '@npmcli/redact': 4.0.0
-      cacache: 20.0.4
-      http-cache-semantics: 4.2.0
-      minipass: 7.1.3
-      minipass-fetch: 5.0.2
-      minipass-flush: 1.0.7
-      minipass-pipeline: 1.2.4
-      negotiator: 1.0.0
-      proc-log: 6.1.0
-      ssri: 13.0.1
-    transitivePeerDependencies:
-      - supports-color
-
-  minipass-collect@2.0.1:
-    dependencies:
-      minipass: 7.1.3
-
-  minipass-fetch@5.0.2:
-    dependencies:
-      minipass: 7.1.3
-      minipass-sized: 2.0.0
-      minizlib: 3.1.0
-    optionalDependencies:
-      iconv-lite: 0.7.2
-
-  minipass-flush@1.0.7:
-    dependencies:
-      minipass: 3.3.6
-
-  minipass-pipeline@1.2.4:
-    dependencies:
-      minipass: 3.3.6
-
-  minipass-sized@2.0.0:
-    dependencies:
-      minipass: 7.1.3
-
-  minipass@3.3.6:
-    dependencies:
-      yallist: 4.0.0
-
-  p-map@7.0.4: {}
-
-  proc-log@6.1.0: {}
-
-  semver@7.8.4: {}
-
-  sigstore@4.1.1:
-    dependencies:
-      '@sigstore/bundle': 4.0.0
-      '@sigstore/core': 3.2.1
-      '@sigstore/protobuf-specs': 0.5.1
-      '@sigstore/sign': 4.1.1
-      '@sigstore/tuf': 4.0.2
-      '@sigstore/verify': 3.1.1
-    transitivePeerDependencies:
-      - supports-color
-
-  smart-buffer@4.2.0: {}
-
-  socks-proxy-agent@8.0.5:
-    dependencies:
-      agent-base: 7.1.4
-      debug: 4.4.3
-      socks: 2.8.9
-    transitivePeerDependencies:
-      - supports-color
-
-  socks@2.8.9:
-    dependencies:
-      ip-address: 10.2.0
-      smart-buffer: 4.2.0
-
-  ssri@13.0.1:
-    dependencies:
-      minipass: 7.1.3
-
-  tuf-js@4.1.0:
-    dependencies:
-      '@tufjs/models': 4.1.0
-      debug: 4.4.3
-      make-fetch-happen: 15.0.6
-    transitivePeerDependencies:
-      - supports-color
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Alex Knight	fd09d2e7d0	fix(compaction): anchor forced manual boundary off trailing tool results	2026-06-17 21:21:25 +10:00
Alex Knight	3aecc4ee9d	Force manual compaction past empty kept-tail cuts	2026-06-17 21:21:25 +10:00
Ayaan Zaidi	02330f372c	fix(qa): use writable tmp in Telegram package runner Set TMPDIR=/tmp inside the package Telegram Docker runner so runtime scratch files are written to a writable container path. Proof: - pnpm test test/scripts/npm-telegram-live.test.ts - git diff --check	2026-06-17 16:45:34 +05:30
Vincent Koc	5645dd4d22	refactor(agents): delete unused helper paths	2026-06-17 19:11:20 +08:00
Alex Knight	5a7857dc18	feat(agents): trace compaction summarization model calls Compaction summarization consumes the model stream via result() only (no iteration), so it never emitted model.call diagnostic spans. Observe the stream's result() in the diagnostic wrapper and wire the wrapper into the direct compaction path so these LLM calls are traced (request/response content, byte accounting, traceparent). Decouple underlying-iterator cleanup from terminal-event dedup. The agent loop awaits result() on the terminal event then abandons the iterator, so once result() also emits the terminal event, gating safeReturnIterator on terminalEventEmitted skipped provider cleanup (idle-timeout abort listeners on the long-lived run signal, SSE readers). Track iterator settlement separately so return() cleanup always runs; emit dedup stays on terminalEventEmitted. Parent compaction model-call spans to the active run/harness trace rather than a phantom child trace that emits no span of its own.	2026-06-17 21:06:44 +10:00
Vincent Koc	25bd8a7191	fix(ci): install docker heartbeat traps before launch	2026-06-17 19:04:31 +08:00
nas	df87b40bec	fix(telegram): guard UTF-16 surrogate pairs in outbound chunkers (#93938 ) Merged via squash. Prepared head SHA: `583b22354d` Co-authored-by: Nas01010101 <156536069+Nas01010101@users.noreply.github.com> Co-authored-by: vincentkoc <25068+vincentkoc@users.noreply.github.com> Reviewed-by: @vincentkoc	2026-06-17 18:56:25 +08:00
joshavant	5d9c010628	ci: add security-sensitive file guard	2026-06-17 12:50:18 +02:00
Vincent Koc	03ca096e84	test(qa): cover otel smoke safety checks	2026-06-17 12:42:28 +02:00
joshavant	22ddf87d2c	docs: explain Android signing sync	2026-06-17 12:37:29 +02:00
joshavant	2147312aa2	android: add release signing sync	2026-06-17 12:37:29 +02:00
Vincent Koc	9698070939	fix(qa): allow safe otel log bodies	2026-06-17 12:33:45 +02:00
Vincent Koc	1c0b38f960	fix(sdk): refresh plugin surface baselines	2026-06-17 12:25:42 +02:00
Vincent Koc	0842cb71eb	refactor(runtime): hide default constants	2026-06-17 18:20:05 +08:00
Vincent Koc	392bd16a1d	refactor(config): hide io constants	2026-06-17 18:14:08 +08:00
Vincent Koc	f3050ab614	refactor(config): hide default constants	2026-06-17 18:11:28 +08:00
Vincent Koc	6e798c02d8	fix(codex): refresh app server protocol mirrors	2026-06-17 12:10:52 +02:00
Vincent Koc	911cd683d5	refactor(commands): hide onboarding defaults	2026-06-17 18:08:16 +08:00
Vincent Koc	4637b65470	refactor(agents): hide compaction warning helpers	2026-06-17 18:05:16 +08:00
Vincent Koc	e2b6753b87	fix(qa-lab): bound credential payload reads	2026-06-17 11:59:55 +02:00
Vincent Koc	366ef93641	test(agents): inline auth profile ordering fixtures	2026-06-17 17:56:13 +08:00
Vincent Koc	dc881a6a31	refactor(acp): hide policy helpers	2026-06-17 17:53:31 +08:00
Vincent Koc	ea72a3382d	refactor(acp): remove file event ledger runtime	2026-06-17 17:50:53 +08:00
Vincent Koc	19677bd4ef	refactor(acp): hide permission relay helpers	2026-06-17 17:47:13 +08:00
Vincent Koc	9c9c884526	refactor(entry): hide respawn internals	2026-06-17 17:44:12 +08:00
Vincent Koc	120fd2f702	refactor(cli): hide shell support internals	2026-06-17 17:41:44 +08:00
Vincent Koc	582c2d41b9	fix(msteams): unwrap adaptive card submit data	2026-06-17 11:40:52 +02:00
Vincent Koc	30955d3660	refactor(channels): narrow status helper exports	2026-06-17 17:33:40 +08:00
Vincent Koc	5370e73ee9	refactor(channels): hide internal channel types	2026-06-17 17:31:04 +08:00
Vincent Koc	cf7850040e	fix(codex): align network proxy profile config	2026-06-17 17:27:34 +08:00
Vincent Koc	1380a9e094	refactor(auto-reply): hide local reply types	2026-06-17 17:23:32 +08:00
Vincent Koc	5055f32ee3	refactor(auto-reply): hide internal command types	2026-06-17 17:18:39 +08:00
Vincent Koc	1075f3819c	refactor(utils): narrow helper exports	2026-06-17 17:13:29 +08:00
Vincent Koc	c09ed1954f	refactor(utils): trim delivery queue helpers	2026-06-17 17:10:12 +08:00
joshavant	5372c7146b	android: add release preflight lane	2026-06-17 11:05:53 +02:00
joshavant	529150868c	android: derive release notes from changelog	2026-06-17 11:05:53 +02:00