diff --git a/.agents/skills/parallels-discord-roundtrip/SKILL.md b/.agents/skills/parallels-discord-roundtrip/SKILL.md
new file mode 100644
index 00000000000..8fda0da1a23
--- /dev/null
+++ b/.agents/skills/parallels-discord-roundtrip/SKILL.md
@@ -0,0 +1,59 @@
+---
+name: parallels-discord-roundtrip
+description: Run the macOS Parallels smoke harness with Discord end-to-end roundtrip verification, including guest send, host verification, host reply, and guest readback.
+---
+
+# Parallels Discord Roundtrip
+
+Use when macOS Parallels smoke must prove Discord two-way delivery end to end.
+
+## Goal
+
+Cover:
+
+- install on fresh macOS snapshot
+- onboard + gateway health
+- guest `message send` to Discord
+- host sees that message on Discord
+- host posts a new Discord message
+- guest `message read` sees that new message
+
+## Inputs
+
+- host env var with Discord bot token
+- Discord guild ID
+- Discord channel ID
+- `OPENAI_API_KEY`
+
+## Preferred run
+
+```bash
+export OPENCLAW_PARALLELS_DISCORD_TOKEN="$(
+  ssh peters-mac-studio-1 'jq -r ".channels.discord.token" ~/.openclaw/openclaw.json' | tr -d '\n'
+)"
+
+pnpm test:parallels:macos \
+  --discord-token-env OPENCLAW_PARALLELS_DISCORD_TOKEN \
+  --discord-guild-id 1456350064065904867 \
+  --discord-channel-id 1456744319972282449 \
+  --json
+```
+
+## Notes
+
+- Snapshot target: closest to `macOS 26.3.1 fresh`.
+- Harness configures Discord inside the guest; no checked-in token/config.
+- Use the `openclaw` wrapper for guest `message send/read`; `node openclaw.mjs message ...` does not expose the lazy message subcommands the same way.
+- Write `channels.discord.guilds` in one JSON object (`--strict-json`), not dotted `config set channels.discord.guilds.<snowflake>...` paths; numeric snowflakes get treated like array indexes.
+- Avoid `prlctl enter` / expect for long Discord setup scripts; it line-wraps/corrupts long commands. Use `prlctl exec --current-user /bin/sh -lc ...` for the Discord config phase.
+- Harness cleanup deletes the temporary Discord smoke messages at exit.
+- Per-phase logs: `/tmp/openclaw-parallels-smoke.*`
+- Machine summary: pass `--json`
+- If roundtrip flakes, inspect `fresh.discord-roundtrip.log` and `discord-last-readback.json` in the run dir first.
+
+## Pass criteria
+
+- fresh lane or upgrade lane requested passes
+- summary reports `discord=pass` for that lane
+- guest outbound nonce appears in channel history
+- host inbound nonce appears in `openclaw message read` output
diff --git a/.github/labeler.yml b/.github/labeler.yml
index d980a8d096e..b6422060fea 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -198,14 +198,6 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/diagnostics-otel/**"
-"extensions: google-antigravity-auth":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/google-antigravity-auth/**"
-"extensions: google-gemini-cli-auth":
-  - changed-files:
-      - any-glob-to-any-file:
-          - "extensions/google-gemini-cli-auth/**"
 "extensions: llm-task":
   - changed-files:
       - any-glob-to-any-file:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9922ceb12f5..f82dea2f230 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -78,6 +78,50 @@ jobs:
 
           node scripts/ci-changed-scope.mjs --base "$BASE" --head HEAD
 
+  changed-extensions:
+    needs: [docs-scope, changed-scope]
+    if: needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.outputs.run_node == 'true'
+    runs-on: blacksmith-16vcpu-ubuntu-2404
+    outputs:
+      has_changed_extensions: ${{ steps.changed.outputs.has_changed_extensions }}
+      changed_extensions_matrix: ${{ steps.changed.outputs.changed_extensions_matrix }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 1
+          fetch-tags: false
+          submodules: false
+
+      - name: Ensure changed-extensions base commit
+        uses: ./.github/actions/ensure-base-commit
+        with:
+          base-sha: ${{ github.event_name == 'push' && github.event.before || github.event.pull_request.base.sha }}
+          fetch-ref: ${{ github.event_name == 'push' && github.ref_name || github.event.pull_request.base.ref }}
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "false"
+          install-deps: "false"
+          use-sticky-disk: "false"
+
+      - name: Detect changed extensions
+        id: changed
+        env:
+          BASE_SHA: ${{ github.event_name == 'push' && github.event.before || github.event.pull_request.base.sha }}
+        run: |
+          node --input-type=module <<'EOF'
+          import { appendFileSync } from "node:fs";
+          import { listChangedExtensionIds } from "./scripts/test-extension.mjs";
+
+          const extensionIds = listChangedExtensionIds({ base: process.env.BASE_SHA, head: "HEAD" });
+          const matrix = JSON.stringify({ include: extensionIds.map((extension) => ({ extension })) });
+
+          appendFileSync(process.env.GITHUB_OUTPUT, `has_changed_extensions=${extensionIds.length > 0}\n`, "utf8");
+          appendFileSync(process.env.GITHUB_OUTPUT, `changed_extensions_matrix=${matrix}\n`, "utf8");
+          EOF
+
   # Build dist once for Node-relevant changes and share it with downstream jobs.
   build-artifacts:
     needs: [docs-scope, changed-scope]
@@ -205,6 +249,29 @@ jobs:
         if: matrix.runtime != 'bun' || github.event_name != 'pull_request'
         run: ${{ matrix.command }}
 
+  extension-fast:
+    name: "extension-fast (${{ matrix.extension }})"
+    needs: [docs-scope, changed-scope, changed-extensions]
+    if: needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.outputs.run_node == 'true' && needs.changed-extensions.outputs.has_changed_extensions == 'true'
+    runs-on: blacksmith-16vcpu-ubuntu-2404
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.changed-extensions.outputs.changed_extensions_matrix) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          submodules: false
+
+      - name: Setup Node environment
+        uses: ./.github/actions/setup-node-env
+        with:
+          install-bun: "false"
+          use-sticky-disk: "false"
+
+      - name: Run changed extension tests
+        run: pnpm test:extension ${{ matrix.extension }}
+
   # Types, lint, and format check.
   check:
     name: "check"
diff --git a/.npmignore b/.npmignore
index 7cd53fdbc08..fcc490ae35d 100644
--- a/.npmignore
+++ b/.npmignore
@@ -1 +1,2 @@
 **/node_modules/
+docs/.generated/
diff --git a/AGENTS.md b/AGENTS.md
index 1197f6fb48f..df72efbe720 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -212,6 +212,11 @@
   - `prlctl exec` is fine for deterministic repo commands, but it can misrepresent interactive shell behavior (`PATH`, `HOME`, `curl | bash`, shebang resolution). For installer parity or shell-sensitive repros, prefer the guest Terminal or `prlctl enter`.
   - Fresh Tahoe snapshot current reality: `brew` exists, `node` may not be on `PATH` in noninteractive guest exec. Use absolute `/opt/homebrew/bin/node` for repo/CLI runs when needed.
   - Preferred automation entrypoint: `pnpm test:parallels:macos`. It restores the snapshot most closely matching `macOS 26.3.1 fresh`, serves the current `main` tarball from the host, then runs fresh-install and latest-release-to-main smoke lanes.
+  - Discord roundtrip smoke is opt-in. Pass `--discord-token-env <VAR> --discord-guild-id <guild> --discord-channel-id <channel>`; the harness will configure Discord in-guest, post a guest message, verify host-side visibility via the Discord REST API, post a fresh host-side message back into the channel, then verify `openclaw message read` sees it in-guest.
+  - Keep the Discord token in a host env var only. For Peter’s Mac Studio bot, fetch it into a temp env var from `~/.openclaw/openclaw.json` over SSH instead of hardcoding it in repo files/shell history.
+  - For Discord smoke on this snapshot: use `openclaw message send/read` via the installed wrapper, not `node openclaw.mjs message ...`; lazy `message` subcommands do not resolve the same way through the direct module entrypoint.
+  - For Discord guild allowlists: set `channels.discord.guilds` as one JSON object. Do not use dotted `config set channels.discord.guilds.<snowflake>...` paths; numeric snowflakes get treated as array indexes.
+  - Avoid `prlctl enter` / expect for the Discord config phase; long lines get mangled. Use `prlctl exec --current-user /bin/sh -lc ...` with short commands or temp files.
   - Gateway verification in smoke runs should use `openclaw gateway status --deep --require-rpc`, not plain `--deep`, so probe failures go non-zero.
   - Latest-release pre-upgrade diagnostics still need compatibility fallback: stable `2026.3.12` does not know `--require-rpc`, so precheck status dumps should fall back to plain `gateway status --deep` until the guest is upgraded.
   - Harness output: pass `--json` for machine-readable summary; per-phase logs land under `/tmp/openclaw-parallels-smoke.*`.
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca1d5cf8998..df03ad8fc5d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,73 +6,92 @@ Docs: https://docs.openclaw.ai
 
 ### Changes
 
-- Android/mobile: add a system-aware dark theme across onboarding and post-onboarding screens so the app follows the device theme through setup, chat, and voice flows. (#46249) Thanks @sibbl.
 - Commands/btw: add `/btw` side questions for quick tool-less answers about the current session without changing future session context, with dismissible in-session TUI answers and explicit BTW replies on external channels. (#45444) Thanks @ngutman.
-- Gateway/health monitor: add configurable stale-event thresholds and restart limits, plus per-channel and per-account `healthMonitor.enabled` overrides, while keeping the existing global disable path on `gateway.channelHealthCheckMinutes=0`. (#42107) Thanks @rstar327.
-- Feishu/cards: add identity-aware structured card headers and note footers for Feishu replies and direct sends, while keeping that presentation wired through the shared outbound identity path. (#29938) Thanks @nszhsl.
-- Feishu/streaming: add `onReasoningStream` and `onReasoningEnd` support to streaming cards, so `/reasoning stream` renders thinking tokens as markdown blockquotes in the same card — matching the Telegram channel's reasoning lane behavior. (#46029)
-- Refactor/channels: remove the legacy channel shim directories and point channel-specific imports directly at the extension-owned implementations. (#45967) thanks @scoootscooob.
-- Android/nodes: add `callLog.search` plus shared Call Log permission wiring so Android nodes can search recent call history through the gateway. (#44073) Thanks @lxk7280.
-- Docs/Zalo: clarify the Marketplace-bot support matrix and config guidance so the Zalo channel docs match current Bot Creator behavior more closely. (#47552) Thanks @No898.
-- Install/update: allow package-manager installs from GitHub `main` via `openclaw update --tag main`, installer `--version main`, or direct npm/pnpm git specs.
-- Plugins/providers: move OpenRouter, GitHub Copilot, and OpenAI Codex provider/runtime logic into bundled plugins, including dynamic model fallback, runtime auth exchange, stream wrappers, capability hints, and cache-TTL policy.
+- Sandbox/runtime: add pluggable sandbox backends, ship an OpenShell backend with `mirror` and `remote` workspace modes, and make sandbox list/recreate/prune backend-aware instead of Docker-only.
+- Sandbox/SSH: add a core SSH sandbox backend with secret-backed key, certificate, and known_hosts inputs, move shared remote exec/filesystem tooling into core, and keep OpenShell focused on sandbox lifecycle plus optional `mirror` mode.
+- Web tools/Firecrawl: add Firecrawl as an `onboard`/configure search provider via a bundled plugin, expose explicit `firecrawl_search` and `firecrawl_scrape` tools, and align core `web_fetch` fallback behavior with Firecrawl base-URL/env fallback plus guarded endpoint fetches.
 - Plugins/bundles: add compatible Codex, Claude, and Cursor bundle discovery/install support, map bundle skills into OpenClaw skills, and apply Claude bundle `settings.json` defaults to embedded Pi with shell overrides sanitized.
+- Plugins/providers: move OpenRouter, GitHub Copilot, and OpenAI Codex provider/runtime logic into bundled plugins, including dynamic model fallback, runtime auth exchange, stream wrappers, capability hints, and cache-TTL policy.
 - Plugins/agent integrations: broaden the plugin surface for app-server integrations with channel-aware commands, interactive callbacks, inbound claims, and Discord/Telegram conversation binding support. (#45318) Thanks @huntharo and @vincentkoc.
+- Install/update: allow package-manager installs from GitHub `main` via `openclaw update --tag main`, installer `--version main`, or direct npm/pnpm git specs.
+- Gateway/health monitor: add configurable stale-event thresholds and restart limits, plus per-channel and per-account `healthMonitor.enabled` overrides, while keeping the existing global disable path on `gateway.channelHealthCheckMinutes=0`. (#42107) Thanks @rstar327.
+- Android/mobile: add a system-aware dark theme across onboarding and post-onboarding screens so the app follows the device theme through setup, chat, and voice flows. (#46249) Thanks @sibbl.
+- Feishu/ACP: add current-conversation ACP and subagent session binding for supported DMs and topic conversations, including completion delivery back to the originating Feishu conversation. (#46819)
+- Plugins/marketplaces: add Claude marketplace registry resolution, `plugin@marketplace` installs, marketplace listing, and update support, plus Docker E2E coverage for local and official marketplace flows. Thanks @vincentkoc.
+- Feishu/cards: add structured interactive approval and quick-action launcher cards, preserve callback user and conversation context through routing, and keep legacy card-action fallback behavior so common actions can run without typing raw commands. (#47873)
+- Feishu/streaming: add `onReasoningStream` and `onReasoningEnd` support to streaming cards, so `/reasoning stream` renders thinking tokens as markdown blockquotes in the same card — matching the Telegram channel's reasoning lane behavior. (#46029)
+- Feishu/cards: add identity-aware structured card headers and note footers for Feishu replies and direct sends, while keeping that presentation wired through the shared outbound identity path. (#29938) Thanks @nszhsl.
+- Android/nodes: add `callLog.search` plus shared Call Log permission wiring so Android nodes can search recent call history through the gateway. (#44073) Thanks @lxk7280.
+- Plugins/MiniMax: merge the bundled MiniMax API and MiniMax OAuth plugin surfaces into a single default-on `minimax` plugin, while keeping legacy `minimax-portal-auth` config ids aliased for compatibility.
+- Telegram/actions: add `topic-edit` for forum-topic renames and icon updates while sharing the same Telegram topic-edit transport used by the plugin runtime. (#47798) Thanks @obviyus.
+- Refactor/channels: remove the legacy channel shim directories and point channel-specific imports directly at the extension-owned implementations. (#45967) thanks @scoootscooob.
+- Docs/Zalo: clarify the Marketplace-bot support matrix and config guidance so the Zalo channel docs match current Bot Creator behavior more closely. (#47552) Thanks @No898.
+- secrets: harden read-only SecretRef command paths and diagnostics. (#47794) Thanks @joshavant.
+
+### Breaking
+
+- Browser/Chrome MCP: remove the legacy Chrome extension relay path, bundled extension assets, `driver: "extension"`, and `browser.relayBindHost`. Run `openclaw doctor --fix` to migrate host-local browser config to `existing-session` / `user`; Docker, headless, sandbox, and remote browser flows still use raw CDP. Thanks @vincentkoc.
 
 ### Fixes
 
-- Group mention gating: reject invalid and unsafe nested-repetition `mentionPatterns`, reuse the shared safe config-regex compiler across mention stripping and detection, and cache strip-time regex compilation so noisy groups avoid repeated recompiles.
-- Control UI/chat sessions: show human-readable labels in the grouped session dropdown again, keep unique scoped fallbacks when metadata is missing, and disambiguate duplicate labels only when needed. (#45130) thanks @luzhidong.
-- Control UI: scope persisted session selection per gateway, prevent stale session bleed across tokenized gateway opens, and cap stored gateway session history. (#47453) Thanks @sallyom.
-- Slack/interactive replies: preserve `channelData.slack.blocks` through live DM delivery and preview-finalized edits so Block Kit button and select directives render instead of falling back to raw text. (#45890) Thanks @vincentkoc.
-- Feishu/topic threads: fetch full thread context, including prior bot replies, when starting a topic-thread session so follow-up turns in Feishu topics keep the right conversation state. (#45254) Thanks @Coobiw.
-- Configure/startup: move outbound send-deps resolution into a lightweight helper so `openclaw configure` no longer stalls after the banner while eagerly loading channel plugins. (#46301) thanks @scoootscooob.
-- Control UI/dashboard: preserve structured gateway shutdown reasons across restart disconnects so config-triggered restarts no longer fall back to `disconnected (1006): no reason`. (#46532) Thanks @vincentkoc.
-- Android/chat: theme the thinking dropdown and TLS trust dialogs explicitly so popup surfaces match the active app theme instead of falling back to mismatched Material defaults.
-- Z.AI/onboarding: detect a working default model even for explicit `zai-coding-*` endpoint choices, so Coding Plan setup can keep the selected endpoint while defaulting to `glm-5` when available or `glm-4.7` as fallback. (#45969)
-- Models/OpenRouter runtime capabilities: fetch uncatalogued OpenRouter model metadata on first use so newly added vision models keep image input instead of silently degrading to text-only, with top-level capability field fallbacks for `/api/v1/models`. (#45824) Thanks @DJjjjhao.
-- Z.AI/onboarding: add `glm-5-turbo` to the default Z.AI provider catalog so onboarding-generated configs expose the new model alongside the existing GLM defaults. (#46670) Thanks @tomsun28.
-- Zalo Personal/group gating: stop reapplying `dmPolicy.allowFrom` as a sender gate for already-allowlisted groups when `groupAllowFrom` is unset, so any member of an allowed group can trigger replies while DMs stay restricted. (#40146)
+- Google auth/Node 25: patch `gaxios` to use native fetch without injecting `globalThis.window`, while translating proxy and mTLS transport settings so Google Vertex and Google Chat auth keep working on Node 25. (#47914) Thanks @pdd-cli.
+- Gateway/startup: load bundled channel plugins from compiled `dist/extensions` entries in built installs, so gateway boot no longer recompiles bundled extension TypeScript on every startup and WhatsApp-class cold starts drop back to seconds instead of tens of seconds or worse.
+- Plugins/context engines: enforce owner-aware context-engine registration on both loader and public SDK paths so plugins cannot spoof privileged ownership, claim the core `legacy` engine id, or overwrite an existing engine id through direct SDK imports. (#47595) Thanks @vincentkoc.
 - Browser/remote CDP: honor strict browser SSRF policy during remote CDP reachability and `/json/version` discovery checks, redact sensitive `cdpUrl` tokens from status output, and warn when remote CDP targets private/internal hosts.
-- Plugins/install precedence: keep bundled plugins ahead of auto-discovered globals by default, but let an explicitly installed plugin record win its own duplicate-id tie so installed channel plugins load from `~/.openclaw/extensions` after `openclaw plugins install`.
-- ACP/acpx: resolve the bundled plugin root from the actual plugin directory so plugin-local installs stay under `dist/extensions/acpx` instead of escaping to `dist/extensions` and failing runtime setup.
+- Gateway/plugins: pin runtime webhook routes to the gateway startup registry so channel webhooks keep working across plugin-registry churn, and make plugin auth + dispatch resolve routes from the same live HTTP-route registry. Fixes #46924 and #47041.
 - Gateway/auth: ignore spoofed loopback hops in trusted forwarding chains and block device approvals that request scopes above the caller session. Thanks @vincentkoc.
-- Gateway/config views: strip embedded credentials from URL-based endpoint fields before returning read-only account and config snapshots. Thanks @vincentkoc.
-- Tools/apply-patch: revalidate workspace-only delete and directory targets immediately before mutating host paths. Thanks @vincentkoc.
-- Webhooks/runtime: move auth earlier and tighten pre-auth body limits and timeouts across bundled webhook handlers, including slow-body handling for Mattermost slash commands. Thanks @vincentkoc.
-- Subagents/follow-ups: require the same controller ownership checks for `/subagents send` as other control actions, so leaf sessions cannot message nested child runs they do not control. Thanks @vincentkoc.
-- Inbound policy hardening: tighten callback and webhook sender checks across Mattermost and Google Chat, match Nextcloud Talk rooms by stable room token, and treat explicit empty Twitch allowlists as deny-all. (#46787) Thanks @zpbrent, @ijxpwastaken and @vincentkoc.
-- macOS/canvas actions: keep unattended local agent actions on trusted in-app canvas surfaces only, and stop exposing the deep-link fallback key to arbitrary page scripts. (#46790) Thanks @vincentkoc.
-- Agents/compaction: extend the enclosing run deadline once while compaction is actively in flight, and abort the underlying SDK compaction on timeout/cancel so large-session compactions stop freezing mid-run. (#46889) Thanks @asyncjason.
-- Models/openai-completions: default non-native OpenAI-compatible providers to omit tool-definition `strict` fields unless users explicitly opt back in, so tool calling keeps working on providers that reject that option. (#45497) Thanks @sahancava.
-- WhatsApp/reconnect: restore the append recency filter in the extension inbox monitor and handle protobuf `Long` timestamps correctly, so fresh post-reconnect append messages are processed while stale history sync stays suppressed. (#42588) thanks @MonkeyLeeT.
-- WhatsApp/login: wait for pending creds writes before reopening after Baileys `515` pairing restarts in both QR login and `channels login` flows, and keep the restart coverage pinned to the real wrapped error shape plus per-account creds queues. (#27910) Thanks @asyncjason.
-- Agents/openai-compatible tool calls: deduplicate repeated tool call ids across live assistant messages and replayed history so OpenAI-compatible backends no longer reject duplicate `tool_call_id` values with HTTP 400. (#40996) Thanks @xaeon2026.
-- Security/device pairing: harden `device.token.rotate` deny handling by keeping public failures generic while logging internal deny reasons and preserving approved-baseline enforcement. (`GHSA-7jrw-x62h-64p8`)
-- Slack/interactive replies: preserve `channelData.slack.blocks` through live DM delivery and preview-finalized edits so Block Kit button and select directives render instead of falling back to raw text. (#45890) Thanks @vincentkoc.
-- Zalo/plugin runtime: export `resolveClientIp` from `openclaw/plugin-sdk/zalo` so installed builds no longer crash on startup when the webhook monitor loads from the packaged extension instead of the monorepo source tree. (#46549) Thanks @No898.
-- CI/channel test routing: move the built-in channel suites into `test:channels` and keep them out of `test:extensions`, so extension CI no longer fails after the channel migration while targeted test routing still sends Slack, Signal, and iMessage suites to the right lane. (#46066) Thanks @scoootscooob.
-- Browser/profiles: drop the auto-created `chrome-relay` browser profile; users who need the Chrome extension relay must now create their own profile via `openclaw browser create-profile`. (#45777) Thanks @odysseus0.
-- Docs/Mintlify: fix MDX marker syntax on Perplexity, Model Providers, Moonshot, and exec approvals pages so local docs preview no longer breaks rendering or leaves stale pages unpublished. (#46695) Thanks @velvet-shark.
-- Email/webhook wrapping: sanitize sender and subject metadata before external-content wrapping so metadata fields cannot break the wrapper structure. Thanks @vincentkoc.
-- Node/startup: remove leftover debug `console.log("node host PATH: ...")` that printed the resolved PATH on every `openclaw node run` invocation. (#46411)
-- Nodes/pending actions: re-check queued foreground actions against the current node command policy before returning them to the node. (#46815) Thanks @zpbrent and @vincentkoc.
-- ACP/approvals: use canonical tool identity for prompting decisions and fail closed when conflicting tool identity hints are present. (#46817) Thanks @zpbrent and @vincentkoc.
-- Telegram/message send: forward `--force-document` through the `sendPayload` path as well as `sendMedia`, so Telegram payload sends with `channelData` keep uploading images as documents instead of silently falling back to compressed photo sends. (#47119) Thanks @thepagent.
-- Telegram/message chunking: preserve spaces, paragraph separators, and word boundaries when HTML overflow rechunking splits formatted replies. (#47274)
-- Plugins/scoped ids: preserve scoped plugin ids during install and config keying, and keep bundled plugins ahead of discovered duplicate ids by default so `@scope/name` plugins no longer collide with unscoped installs. Thanks @vincentkoc.
-- CLI: avoid loading provider discovery during startup model normalization. (#46522) Thanks @ItsAditya-xyz and @vincentkoc.
-- Tlon: honor explicit empty allowlists and defer cite expansion. (#46788) Thanks @zpbrent and @vincentkoc.
-- ACP: require admin scope for mutating internal actions. (#46789) Thanks @tdjackey and @vincentkoc.
-- Gateway/config validation: stop treating the implicit default memory slot as a required explicit plugin config, so startup no longer fails with `plugins.slots.memory: plugin not found: memory-core` when `memory-core` was only inferred. (#47494) Thanks @ngutman.
+- Gateway/restart: defer externally signaled unmanaged restarts through the in-process idle drain, and preserve the restored subagent run as remap fallback during orphan recovery so resumed sessions do not duplicate work. (#47719) Thanks @joeykrug.
+- Control UI/session routing: preserve established external delivery routes when webchat views or sends in externally originated sessions, so subagent completions still return to the original channel instead of the dashboard. (#47797) Thanks @brokemac79.
+- Configure/startup: move outbound send-deps resolution into a lightweight helper so `openclaw configure` no longer stalls after the banner while eagerly loading channel plugins. (#46301) thanks @scoootscooob.
 - CLI/startup: lazy-load channel add and root help startup paths to trim avoidable RSS and help latency on constrained hosts. (#46784) Thanks @vincentkoc.
 - CLI/onboarding: import static provider definitions directly for onboarding model/config helpers so those paths no longer pull provider discovery just for built-in defaults. (#47467) Thanks @vincentkoc.
 - CLI/auth choice: lazy-load plugin/provider fallback resolution so mapped auth choices stay on the static path and only unknown choices pay the heavy provider load. (#47495) Thanks @vincentkoc.
-- CLI/completion: reduce recursive completion-script string churn and fix nested PowerShell command-path matching so generated nested completions resolve on PowerShell too. (#45537) Thanks @yiShanXin and @vincentkoc.
-- Gateway/startup: load bundled channel plugins from compiled `dist/extensions` entries in built installs, so gateway boot no longer recompiles bundled extension TypeScript on every startup and WhatsApp-class cold starts drop back to seconds instead of tens of seconds or worse.
+- CLI: avoid loading provider discovery during startup model normalization. (#46522) Thanks @ItsAditya-xyz and @vincentkoc.
+- Security/device pairing: harden `device.token.rotate` deny handling by keeping public failures generic while logging internal deny reasons and preserving approved-baseline enforcement. (`GHSA-7jrw-x62h-64p8`)
+- Inbound policy hardening: tighten callback and webhook sender checks across Mattermost and Google Chat, match Nextcloud Talk rooms by stable room token, and treat explicit empty Twitch allowlists as deny-all. (#46787) Thanks @zpbrent, @ijxpwastaken and @vincentkoc.
+- Webhooks/runtime: move auth earlier and tighten pre-auth body limits and timeouts across bundled webhook handlers, including slow-body handling for Mattermost slash commands. Thanks @vincentkoc.
+- Email/webhook wrapping: sanitize sender and subject metadata before external-content wrapping so metadata fields cannot break the wrapper structure. Thanks @vincentkoc.
+- Tools/apply-patch: revalidate workspace-only delete and directory targets immediately before mutating host paths. Thanks @vincentkoc.
+- Gateway/config views: strip embedded credentials from URL-based endpoint fields before returning read-only account and config snapshots. Thanks @vincentkoc.
+- ACP/approvals: use canonical tool identity for prompting decisions and fail closed when conflicting tool identity hints are present. (#46817) Thanks @zpbrent and @vincentkoc.
+- ACP: require admin scope for mutating internal actions. (#46789) Thanks @tdjackey and @vincentkoc.
+- Subagents/follow-ups: require the same controller ownership checks for `/subagents send` as other control actions, so leaf sessions cannot message nested child runs they do not control. Thanks @vincentkoc.
+- macOS/canvas actions: keep unattended local agent actions on trusted in-app canvas surfaces only, and stop exposing the deep-link fallback key to arbitrary page scripts. (#46790) Thanks @vincentkoc.
+- Agents/compaction: extend the enclosing run deadline once while compaction is actively in flight, and abort the underlying SDK compaction on timeout/cancel so large-session compactions stop freezing mid-run. (#46889) Thanks @asyncjason.
+- Agents/openai-compatible tool calls: deduplicate repeated tool call ids across live assistant messages and replayed history so OpenAI-compatible backends no longer reject duplicate `tool_call_id` values with HTTP 400. (#40996) Thanks @xaeon2026.
+- Models/openai-completions: default non-native OpenAI-compatible providers to omit tool-definition `strict` fields unless users explicitly opt back in, so tool calling keeps working on providers that reject that option. (#45497) Thanks @sahancava.
+- Models/OpenRouter runtime capabilities: fetch uncatalogued OpenRouter model metadata on first use so newly added vision models keep image input instead of silently degrading to text-only, with top-level capability field fallbacks for `/api/v1/models`. (#45824) Thanks @DJjjjhao.
+- Channels/plugins: keep shared interactive payloads merge-ready by fixing Slack custom callback routing and repeat-click dedupe, allowing interactive-only sends, and preserving ordered Discord shared text blocks. (#47715) Thanks @vincentkoc.
+- Slack/interactive replies: preserve `channelData.slack.blocks` through live DM delivery and preview-finalized edits so Block Kit button and select directives render instead of falling back to raw text. (#45890) Thanks @vincentkoc.
+- Slack/interactive replies: preserve `channelData.slack.blocks` through live DM delivery and preview-finalized edits so Block Kit button and select directives render instead of falling back to raw text. (#45890) Thanks @vincentkoc.
+- Feishu/actions: expand the runtime action surface with message read/edit, explicit thread replies, pinning, and operator-facing chat/member inspection so Feishu can operate more of the workspace directly.
+- Feishu/topic threads: fetch full thread context, including prior bot replies, when starting a topic-thread session so follow-up turns in Feishu topics keep the right conversation state. (#45254) Thanks @Coobiw.
+- Feishu/media: keep native image, file, audio, and video/media handling aligned across outbound sends, inbound downloads, thread replies, directory/action aliases, and capability docs so unsupported areas are explicit instead of implied.
+- WhatsApp/reconnect: restore the append recency filter in the extension inbox monitor and handle protobuf `Long` timestamps correctly, so fresh post-reconnect append messages are processed while stale history sync stays suppressed. (#42588) thanks @MonkeyLeeT.
+- WhatsApp/login: wait for pending creds writes before reopening after Baileys `515` pairing restarts in both QR login and `channels login` flows, and keep the restart coverage pinned to the real wrapped error shape plus per-account creds queues. (#27910) Thanks @asyncjason.
+- Telegram/message send: forward `--force-document` through the `sendPayload` path as well as `sendMedia`, so Telegram payload sends with `channelData` keep uploading images as documents instead of silently falling back to compressed photo sends. (#47119) Thanks @thepagent.
+- Telegram/message chunking: preserve spaces, paragraph separators, and word boundaries when HTML overflow rechunking splits formatted replies. (#47274)
+- Z.AI/onboarding: detect a working default model even for explicit `zai-coding-*` endpoint choices, so Coding Plan setup can keep the selected endpoint while defaulting to `glm-5` when available or `glm-4.7` as fallback. (#45969)
+- Z.AI/onboarding: add `glm-5-turbo` to the default Z.AI provider catalog so onboarding-generated configs expose the new model alongside the existing GLM defaults. (#46670) Thanks @tomsun28.
+- Zalo Personal/group gating: stop reapplying `dmPolicy.allowFrom` as a sender gate for already-allowlisted groups when `groupAllowFrom` is unset, so any member of an allowed group can trigger replies while DMs stay restricted. (#40146)
+- Zalo/plugin runtime: export `resolveClientIp` from `openclaw/plugin-sdk/zalo` so installed builds no longer crash on startup when the webhook monitor loads from the packaged extension instead of the monorepo source tree. (#46549) Thanks @No898.
+- Plugins/install precedence: keep bundled plugins ahead of auto-discovered globals by default, but let an explicitly installed plugin record win its own duplicate-id tie so installed channel plugins load from `~/.openclaw/extensions` after `openclaw plugins install`.
+- Plugins/scoped ids: preserve scoped plugin ids during install and config keying, and keep bundled plugins ahead of discovered duplicate ids by default so `@scope/name` plugins no longer collide with unscoped installs. Thanks @vincentkoc.
 - Gateway/watch mode: restart on bundled-plugin package and manifest metadata changes, rebuild `dist` for extension source and `tsdown.config.ts` changes, and still ignore extension docs. (#47571) thanks @gumadeiras.
 - Gateway/watch mode: recreate bundled plugin runtime metadata after clean or stale `dist` states, so `pnpm gateway:watch` no longer fails on missing `dist/extensions/*/openclaw.plugin.json` manifests after a rebuild. Thanks @gumadeiras.
-- Plugins/context engines: enforce owner-aware context-engine registration on both loader and public SDK paths so plugins cannot spoof privileged ownership, claim the core `legacy` engine id, or overwrite an existing engine id through direct SDK imports. (#47595) Thanks @vincentkoc.
+- Control UI/chat sessions: show human-readable labels in the grouped session dropdown again, keep unique scoped fallbacks when metadata is missing, and disambiguate duplicate labels only when needed. (#45130) thanks @luzhidong.
+- Control UI: scope persisted session selection per gateway, prevent stale session bleed across tokenized gateway opens, and cap stored gateway session history. (#47453) Thanks @sallyom.
+- Control UI/dashboard: preserve structured gateway shutdown reasons across restart disconnects so config-triggered restarts no longer fall back to `disconnected (1006): no reason`. (#46532) Thanks @vincentkoc.
+- Android/chat: theme the thinking dropdown and TLS trust dialogs explicitly so popup surfaces match the active app theme instead of falling back to mismatched Material defaults.
+- Group mention gating: reject invalid and unsafe nested-repetition `mentionPatterns`, reuse the shared safe config-regex compiler across mention stripping and detection, and cache strip-time regex compilation so noisy groups avoid repeated recompiles.
+- Browser/profiles: drop the auto-created `chrome-relay` browser profile; users who need the Chrome extension relay must now create their own profile via `openclaw browser create-profile`. (#45777) Thanks @odysseus0.
+- CI/channel test routing: move the built-in channel suites into `test:channels` and keep them out of `test:extensions`, so extension CI no longer fails after the channel migration while targeted test routing still sends Slack, Signal, and iMessage suites to the right lane. (#46066) Thanks @scoootscooob.
+- Docs/Mintlify: fix MDX marker syntax on Perplexity, Model Providers, Moonshot, and exec approvals pages so local docs preview no longer breaks rendering or leaves stale pages unpublished. (#46695) Thanks @velvet-shark.
+- Gateway/config validation: stop treating the implicit default memory slot as a required explicit plugin config, so startup no longer fails with `plugins.slots.memory: plugin not found: memory-core` when `memory-core` was only inferred. (#47494) Thanks @ngutman.
+- Tlon: honor explicit empty allowlists and defer cite expansion. (#46788) Thanks @zpbrent and @vincentkoc.
+- Nodes/pending actions: re-check queued foreground actions against the current node command policy before returning them to the node. (#46815) Thanks @zpbrent and @vincentkoc.
+- Node/startup: remove leftover debug `console.log("node host PATH: ...")` that printed the resolved PATH on every `openclaw node run` invocation. (#46411)
+- CLI/completion: reduce recursive completion-script string churn and fix nested PowerShell command-path matching so generated nested completions resolve on PowerShell too. (#45537) Thanks @yiShanXin and @vincentkoc.
 
 ## 2026.3.13
 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 4184a550691..9b1fa35d6a3 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -89,6 +89,9 @@ Welcome to the lobster tank! 🦞
 
 - Test locally with your OpenClaw instance
 - Run tests: `pnpm build && pnpm check && pnpm test`
+- For extension/plugin changes, run the fast local lane first:
+  - `pnpm test:extension <extension-name>`
+  - If you changed shared plugin or channel surfaces, still run the broader relevant lanes (`pnpm test:extensions`, `pnpm test:channels`, or `pnpm test`) before asking for review
 - If you have access to Codex, run `codex review --base origin/main` locally before opening or updating your PR. Treat this as the current highest standard of AI review, even if GitHub Codex review also runs.
 - Ensure CI checks pass
 - Keep PRs focused (one thing per PR; do not mix unrelated concerns)
diff --git a/apps/macos/Sources/OpenClaw/CanvasA2UIActionMessageHandler.swift b/apps/macos/Sources/OpenClaw/CanvasA2UIActionMessageHandler.swift
index c81d4b59705..0599f4ab3a6 100644
--- a/apps/macos/Sources/OpenClaw/CanvasA2UIActionMessageHandler.swift
+++ b/apps/macos/Sources/OpenClaw/CanvasA2UIActionMessageHandler.swift
@@ -8,6 +8,24 @@ final class CanvasA2UIActionMessageHandler: NSObject, WKScriptMessageHandler {
     static let messageName = "openclawCanvasA2UIAction"
     static let allMessageNames = [messageName]
 
+    // Compatibility helper for debug/test shims. Runtime dispatch remains
+    // limited to in-app canvas schemes in `didReceive`.
+    static func isLocalNetworkCanvasURL(_ url: URL) -> Bool {
+        guard let scheme = url.scheme?.lowercased(), scheme == "http" || scheme == "https" else {
+            return false
+        }
+        guard let host = url.host?.lowercased(), !host.isEmpty else {
+            return false
+        }
+        if host == "localhost" {
+            return true
+        }
+        guard let ip = Self.parseIPv4(host) else {
+            return false
+        }
+        return Self.isLocalNetworkIPv4(ip)
+    }
+
     private let sessionKey: String
 
     init(sessionKey: String) {
@@ -104,5 +122,24 @@ final class CanvasA2UIActionMessageHandler: NSObject, WKScriptMessageHandler {
             }
         }
     }
+
+    private static func parseIPv4(_ host: String) -> (UInt8, UInt8, UInt8, UInt8)? {
+        let parts = host.split(separator: ".", omittingEmptySubsequences: false)
+        guard parts.count == 4 else { return nil }
+        let bytes = parts.compactMap { UInt8($0) }
+        guard bytes.count == 4 else { return nil }
+        return (bytes[0], bytes[1], bytes[2], bytes[3])
+    }
+
+    private static func isLocalNetworkIPv4(_ ip: (UInt8, UInt8, UInt8, UInt8)) -> Bool {
+        let (a, b, _, _) = ip
+        if a == 10 { return true }
+        if a == 172, (16...31).contains(Int(b)) { return true }
+        if a == 192, b == 168 { return true }
+        if a == 127 { return true }
+        if a == 169, b == 254 { return true }
+        if a == 100, (64...127).contains(Int(b)) { return true }
+        return false
+    }
     // Formatting helpers live in OpenClawKit (`OpenClawCanvasA2UIAction`).
 }
diff --git a/apps/macos/Sources/OpenClaw/CronModels.swift b/apps/macos/Sources/OpenClaw/CronModels.swift
index 40079453974..78016ff9f88 100644
--- a/apps/macos/Sources/OpenClaw/CronModels.swift
+++ b/apps/macos/Sources/OpenClaw/CronModels.swift
@@ -254,6 +254,71 @@ struct CronJob: Identifiable, Codable, Equatable {
         case state
     }
 
+    init(
+        id: String,
+        agentId: String?,
+        name: String,
+        description: String?,
+        enabled: Bool,
+        deleteAfterRun: Bool?,
+        createdAtMs: Int,
+        updatedAtMs: Int,
+        schedule: CronSchedule,
+        sessionTarget: CronSessionTarget,
+        wakeMode: CronWakeMode,
+        payload: CronPayload,
+        delivery: CronDelivery?,
+        state: CronJobState)
+    {
+        self.init(
+            id: id,
+            agentId: agentId,
+            name: name,
+            description: description,
+            enabled: enabled,
+            deleteAfterRun: deleteAfterRun,
+            createdAtMs: createdAtMs,
+            updatedAtMs: updatedAtMs,
+            schedule: schedule,
+            sessionTarget: .predefined(sessionTarget),
+            wakeMode: wakeMode,
+            payload: payload,
+            delivery: delivery,
+            state: state)
+    }
+
+    init(
+        id: String,
+        agentId: String?,
+        name: String,
+        description: String?,
+        enabled: Bool,
+        deleteAfterRun: Bool?,
+        createdAtMs: Int,
+        updatedAtMs: Int,
+        schedule: CronSchedule,
+        sessionTarget: CronCustomSessionTarget,
+        wakeMode: CronWakeMode,
+        payload: CronPayload,
+        delivery: CronDelivery?,
+        state: CronJobState)
+    {
+        self.id = id
+        self.agentId = agentId
+        self.name = name
+        self.description = description
+        self.enabled = enabled
+        self.deleteAfterRun = deleteAfterRun
+        self.createdAtMs = createdAtMs
+        self.updatedAtMs = updatedAtMs
+        self.schedule = schedule
+        self.sessionTargetRaw = sessionTarget.rawValue
+        self.wakeMode = wakeMode
+        self.payload = payload
+        self.delivery = delivery
+        self.state = state
+    }
+
     /// Parsed session target (predefined or custom session ID)
     var parsedSessionTarget: CronCustomSessionTarget {
         CronCustomSessionTarget.from(self.sessionTargetRaw)
diff --git a/assets/chrome-extension/README.md b/assets/chrome-extension/README.md
deleted file mode 100644
index 4ee072c1f2b..00000000000
--- a/assets/chrome-extension/README.md
+++ /dev/null
@@ -1,23 +0,0 @@
-# OpenClaw Chrome Extension (Browser Relay)
-
-Purpose: attach OpenClaw to an existing Chrome tab so the Gateway can automate it (via the local CDP relay server).
-
-## Dev / load unpacked
-
-1. Build/run OpenClaw Gateway with browser control enabled.
-2. Ensure the relay server is reachable at `http://127.0.0.1:18792/` (default).
-3. Install the extension to a stable path:
-
-   ```bash
-   openclaw browser extension install
-   openclaw browser extension path
-   ```
-
-4. Chrome → `chrome://extensions` → enable “Developer mode”.
-5. “Load unpacked” → select the path printed above.
-6. Pin the extension. Click the icon on a tab to attach/detach.
-
-## Options
-
-- `Relay port`: defaults to `18792`.
-- `Gateway token`: required. Set this to `gateway.auth.token` (or `OPENCLAW_GATEWAY_TOKEN`).
diff --git a/assets/chrome-extension/background-utils.js b/assets/chrome-extension/background-utils.js
deleted file mode 100644
index 82d43359c0a..00000000000
--- a/assets/chrome-extension/background-utils.js
+++ /dev/null
@@ -1,64 +0,0 @@
-export function reconnectDelayMs(
-  attempt,
-  opts = { baseMs: 1000, maxMs: 30000, jitterMs: 1000, random: Math.random },
-) {
-  const baseMs = Number.isFinite(opts.baseMs) ? opts.baseMs : 1000;
-  const maxMs = Number.isFinite(opts.maxMs) ? opts.maxMs : 30000;
-  const jitterMs = Number.isFinite(opts.jitterMs) ? opts.jitterMs : 1000;
-  const random = typeof opts.random === "function" ? opts.random : Math.random;
-  const safeAttempt = Math.max(0, Number.isFinite(attempt) ? attempt : 0);
-  const backoff = Math.min(baseMs * 2 ** safeAttempt, maxMs);
-  return backoff + Math.max(0, jitterMs) * random();
-}
-
-export async function deriveRelayToken(gatewayToken, port) {
-  const enc = new TextEncoder();
-  const key = await crypto.subtle.importKey(
-    "raw",
-    enc.encode(gatewayToken),
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign"],
-  );
-  const sig = await crypto.subtle.sign(
-    "HMAC",
-    key,
-    enc.encode(`openclaw-extension-relay-v1:${port}`),
-  );
-  return [...new Uint8Array(sig)].map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-
-export async function buildRelayWsUrl(port, gatewayToken) {
-  const token = String(gatewayToken || "").trim();
-  if (!token) {
-    throw new Error(
-      "Missing gatewayToken in extension settings (chrome.storage.local.gatewayToken)",
-    );
-  }
-  const relayToken = await deriveRelayToken(token, port);
-  return `ws://127.0.0.1:${port}/extension?token=${encodeURIComponent(relayToken)}`;
-}
-
-export function isRetryableReconnectError(err) {
-  const message = err instanceof Error ? err.message : String(err || "");
-  if (message.includes("Missing gatewayToken")) {
-    return false;
-  }
-  return true;
-}
-
-export function isMissingTabError(err) {
-  const message = (err instanceof Error ? err.message : String(err || "")).toLowerCase();
-  return (
-    message.includes("no tab with id") ||
-    message.includes("no tab with given id") ||
-    message.includes("tab not found")
-  );
-}
-
-export function isLastRemainingTab(allTabs, tabIdToClose) {
-  if (!Array.isArray(allTabs)) {
-    return true;
-  }
-  return allTabs.filter((tab) => tab && tab.id !== tabIdToClose).length === 0;
-}
diff --git a/assets/chrome-extension/background.js b/assets/chrome-extension/background.js
deleted file mode 100644
index 9031a156489..00000000000
--- a/assets/chrome-extension/background.js
+++ /dev/null
@@ -1,1025 +0,0 @@
-import {
-  buildRelayWsUrl,
-  isLastRemainingTab,
-  isMissingTabError,
-  isRetryableReconnectError,
-  reconnectDelayMs,
-} from './background-utils.js'
-
-const DEFAULT_PORT = 18792
-
-const BADGE = {
-  on: { text: 'ON', color: '#FF5A36' },
-  off: { text: '', color: '#000000' },
-  connecting: { text: '…', color: '#F59E0B' },
-  error: { text: '!', color: '#B91C1C' },
-}
-
-/** @type {WebSocket|null} */
-let relayWs = null
-/** @type {Promise<void>|null} */
-let relayConnectPromise = null
-let relayGatewayToken = ''
-/** @type {string|null} */
-let relayConnectRequestId = null
-
-let nextSession = 1
-
-/** @type {Map<number, {state:'connecting'|'connected', sessionId?:string, targetId?:string, attachOrder?:number}>} */
-const tabs = new Map()
-/** @type {Map<string, number>} */
-const tabBySession = new Map()
-/** @type {Map<string, number>} */
-const childSessionToTab = new Map()
-
-/** @type {Map<number, {resolve:(v:any)=>void, reject:(e:Error)=>void}>} */
-const pending = new Map()
-
-// Per-tab operation locks prevent double-attach races.
-/** @type {Set<number>} */
-const tabOperationLocks = new Set()
-
-// Tabs currently in a detach/re-attach cycle after navigation.
-/** @type {Set<number>} */
-const reattachPending = new Set()
-
-// Reconnect state for exponential backoff.
-let reconnectAttempt = 0
-let reconnectTimer = null
-
-const TAB_VALIDATION_ATTEMPTS = 2
-const TAB_VALIDATION_RETRY_DELAY_MS = 1000
-
-function nowStack() {
-  try {
-    return new Error().stack || ''
-  } catch {
-    return ''
-  }
-}
-
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms))
-}
-
-async function validateAttachedTab(tabId) {
-  try {
-    await chrome.tabs.get(tabId)
-  } catch {
-    return false
-  }
-
-  for (let attempt = 0; attempt < TAB_VALIDATION_ATTEMPTS; attempt++) {
-    try {
-      await chrome.debugger.sendCommand({ tabId }, 'Runtime.evaluate', {
-        expression: '1',
-        returnByValue: true,
-      })
-      return true
-    } catch (err) {
-      if (isMissingTabError(err)) {
-        return false
-      }
-      if (attempt < TAB_VALIDATION_ATTEMPTS - 1) {
-        await sleep(TAB_VALIDATION_RETRY_DELAY_MS)
-      }
-    }
-  }
-
-  return false
-}
-
-async function getRelayPort() {
-  const stored = await chrome.storage.local.get(['relayPort'])
-  const raw = stored.relayPort
-  const n = Number.parseInt(String(raw || ''), 10)
-  if (!Number.isFinite(n) || n <= 0 || n > 65535) return DEFAULT_PORT
-  return n
-}
-
-async function getGatewayToken() {
-  const stored = await chrome.storage.local.get(['gatewayToken'])
-  const token = String(stored.gatewayToken || '').trim()
-  return token || ''
-}
-
-function setBadge(tabId, kind) {
-  const cfg = BADGE[kind]
-  void chrome.action.setBadgeText({ tabId, text: cfg.text })
-  void chrome.action.setBadgeBackgroundColor({ tabId, color: cfg.color })
-  void chrome.action.setBadgeTextColor({ tabId, color: '#FFFFFF' }).catch(() => {})
-}
-
-// Persist attached tab state to survive MV3 service worker restarts.
-async function persistState() {
-  try {
-    const tabEntries = []
-    for (const [tabId, tab] of tabs.entries()) {
-      if (tab.state === 'connected' && tab.sessionId && tab.targetId) {
-        tabEntries.push({ tabId, sessionId: tab.sessionId, targetId: tab.targetId, attachOrder: tab.attachOrder })
-      }
-    }
-    await chrome.storage.session.set({
-      persistedTabs: tabEntries,
-      nextSession,
-    })
-  } catch {
-    // chrome.storage.session may not be available in all contexts.
-  }
-}
-
-// Rehydrate tab state on service worker startup. Fast path — just restores
-// maps and badges. Relay reconnect happens separately in background.
-async function rehydrateState() {
-  try {
-    const stored = await chrome.storage.session.get(['persistedTabs', 'nextSession'])
-    if (stored.nextSession) {
-      nextSession = Math.max(nextSession, stored.nextSession)
-    }
-    const entries = stored.persistedTabs || []
-    // Phase 1: optimistically restore state and badges.
-    for (const entry of entries) {
-      tabs.set(entry.tabId, {
-        state: 'connected',
-        sessionId: entry.sessionId,
-        targetId: entry.targetId,
-        attachOrder: entry.attachOrder,
-      })
-      tabBySession.set(entry.sessionId, entry.tabId)
-      setBadge(entry.tabId, 'on')
-    }
-    // Retry once so transient busy/navigation states do not permanently drop
-    // a still-attached tab after a service worker restart.
-    for (const entry of entries) {
-      const valid = await validateAttachedTab(entry.tabId)
-      if (!valid) {
-        tabs.delete(entry.tabId)
-        tabBySession.delete(entry.sessionId)
-        setBadge(entry.tabId, 'off')
-      }
-    }
-  } catch {
-    // Ignore rehydration errors.
-  }
-}
-
-async function ensureRelayConnection() {
-  if (relayWs && relayWs.readyState === WebSocket.OPEN) return
-  if (relayConnectPromise) return await relayConnectPromise
-
-  relayConnectPromise = (async () => {
-    const port = await getRelayPort()
-    const gatewayToken = await getGatewayToken()
-    const httpBase = `http://127.0.0.1:${port}`
-    const wsUrl = await buildRelayWsUrl(port, gatewayToken)
-
-    // Fast preflight: is the relay server up?
-    try {
-      await fetch(`${httpBase}/`, { method: 'HEAD', signal: AbortSignal.timeout(2000) })
-    } catch (err) {
-      throw new Error(`Relay server not reachable at ${httpBase} (${String(err)})`)
-    }
-
-    const ws = new WebSocket(wsUrl)
-    relayWs = ws
-    relayGatewayToken = gatewayToken
-    // Bind message handler before open so an immediate first frame (for example
-    // gateway connect.challenge) cannot be missed.
-    ws.onmessage = (event) => {
-      if (ws !== relayWs) return
-      void whenReady(() => onRelayMessage(String(event.data || '')))
-    }
-
-    await new Promise((resolve, reject) => {
-      const t = setTimeout(() => reject(new Error('WebSocket connect timeout')), 5000)
-      ws.onopen = () => {
-        clearTimeout(t)
-        resolve()
-      }
-      ws.onerror = () => {
-        clearTimeout(t)
-        reject(new Error('WebSocket connect failed'))
-      }
-      ws.onclose = (ev) => {
-        clearTimeout(t)
-        reject(new Error(`WebSocket closed (${ev.code} ${ev.reason || 'no reason'})`))
-      }
-    })
-
-    // Bind permanent handlers. Guard against stale socket: if this WS was
-    // replaced before its close fires, the handler is a no-op.
-    ws.onclose = () => {
-      if (ws !== relayWs) return
-      onRelayClosed('closed')
-    }
-    ws.onerror = () => {
-      if (ws !== relayWs) return
-      onRelayClosed('error')
-    }
-  })()
-
-  try {
-    await relayConnectPromise
-    reconnectAttempt = 0
-  } finally {
-    relayConnectPromise = null
-  }
-}
-
-// Relay closed — update badges, reject pending requests, auto-reconnect.
-// Debugger sessions are kept alive so they survive transient WS drops.
-function onRelayClosed(reason) {
-  relayWs = null
-  relayGatewayToken = ''
-  relayConnectRequestId = null
-
-  for (const [id, p] of pending.entries()) {
-    pending.delete(id)
-    p.reject(new Error(`Relay disconnected (${reason})`))
-  }
-
-  reattachPending.clear()
-
-  for (const [tabId, tab] of tabs.entries()) {
-    if (tab.state === 'connected') {
-      setBadge(tabId, 'connecting')
-      void chrome.action.setTitle({
-        tabId,
-        title: 'OpenClaw Browser Relay: relay reconnecting…',
-      })
-    }
-  }
-
-  scheduleReconnect()
-}
-
-function scheduleReconnect() {
-  if (reconnectTimer) {
-    clearTimeout(reconnectTimer)
-    reconnectTimer = null
-  }
-
-  const delay = reconnectDelayMs(reconnectAttempt)
-  reconnectAttempt++
-
-  console.log(`Scheduling reconnect attempt ${reconnectAttempt} in ${Math.round(delay)}ms`)
-
-  reconnectTimer = setTimeout(async () => {
-    reconnectTimer = null
-    try {
-      await ensureRelayConnection()
-      reconnectAttempt = 0
-      console.log('Reconnected successfully')
-      await reannounceAttachedTabs()
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err)
-      console.warn(`Reconnect attempt ${reconnectAttempt} failed: ${message}`)
-      if (!isRetryableReconnectError(err)) {
-        return
-      }
-      scheduleReconnect()
-    }
-  }, delay)
-}
-
-function cancelReconnect() {
-  if (reconnectTimer) {
-    clearTimeout(reconnectTimer)
-    reconnectTimer = null
-  }
-  reconnectAttempt = 0
-}
-
-// Re-announce all attached tabs to the relay after reconnect.
-async function reannounceAttachedTabs() {
-  for (const [tabId, tab] of tabs.entries()) {
-    if (tab.state !== 'connected' || !tab.sessionId || !tab.targetId) continue
-
-    // Retry once here as well; reconnect races can briefly make an otherwise
-    // healthy tab look unavailable.
-    const valid = await validateAttachedTab(tabId)
-    if (!valid) {
-      tabs.delete(tabId)
-      if (tab.sessionId) tabBySession.delete(tab.sessionId)
-      setBadge(tabId, 'off')
-      void chrome.action.setTitle({
-        tabId,
-        title: 'OpenClaw Browser Relay (click to attach/detach)',
-      })
-      continue
-    }
-
-    // Send fresh attach event to relay.
-    // Split into two try-catch blocks so debugger failures and relay send
-    // failures are handled independently. Previously, a relay send failure
-    // would fall into the outer catch and set the badge to 'on' even though
-    // the relay had no record of the tab — causing every subsequent browser
-    // tool call to fail with "no tab connected" until the next reconnect cycle.
-    let targetInfo
-    try {
-      const info = /** @type {any} */ (
-        await chrome.debugger.sendCommand({ tabId }, 'Target.getTargetInfo')
-      )
-      targetInfo = info?.targetInfo
-    } catch {
-      // Target.getTargetInfo failed. Preserve at least targetId from
-      // cached tab state so relay receives a stable identifier.
-      targetInfo = tab.targetId ? { targetId: tab.targetId } : undefined
-    }
-
-    try {
-      sendToRelay({
-        method: 'forwardCDPEvent',
-        params: {
-          method: 'Target.attachedToTarget',
-          params: {
-            sessionId: tab.sessionId,
-            targetInfo: { ...targetInfo, attached: true },
-            waitingForDebugger: false,
-          },
-        },
-      })
-
-      setBadge(tabId, 'on')
-      void chrome.action.setTitle({
-        tabId,
-        title: 'OpenClaw Browser Relay: attached (click to detach)',
-      })
-    } catch {
-      // Relay send failed (e.g. WS closed in the gap between ensureRelayConnection
-      // resolving and this loop executing). The tab is still valid — leave badge
-      // as 'connecting' so the reconnect/keepalive cycle will retry rather than
-      // showing a false-positive 'on' that hides the broken state from the user.
-      setBadge(tabId, 'connecting')
-      void chrome.action.setTitle({
-        tabId,
-        title: 'OpenClaw Browser Relay: relay reconnecting…',
-      })
-    }
-  }
-
-  await persistState()
-}
-
-function sendToRelay(payload) {
-  const ws = relayWs
-  if (!ws || ws.readyState !== WebSocket.OPEN) {
-    throw new Error('Relay not connected')
-  }
-  ws.send(JSON.stringify(payload))
-}
-
-function ensureGatewayHandshakeStarted(payload) {
-  if (relayConnectRequestId) return
-  const nonce = typeof payload?.nonce === 'string' ? payload.nonce.trim() : ''
-  relayConnectRequestId = `ext-connect-${Date.now()}-${Math.random().toString(16).slice(2, 8)}`
-  sendToRelay({
-    type: 'req',
-    id: relayConnectRequestId,
-    method: 'connect',
-    params: {
-      minProtocol: 3,
-      maxProtocol: 3,
-      client: {
-        id: 'chrome-relay-extension',
-        version: '1.0.0',
-        platform: 'chrome-extension',
-        mode: 'webchat',
-      },
-      role: 'operator',
-      scopes: ['operator.read', 'operator.write'],
-      caps: [],
-      commands: [],
-      nonce: nonce || undefined,
-      auth: relayGatewayToken ? { token: relayGatewayToken } : undefined,
-    },
-  })
-}
-
-async function maybeOpenHelpOnce() {
-  try {
-    const stored = await chrome.storage.local.get(['helpOnErrorShown'])
-    if (stored.helpOnErrorShown === true) return
-    await chrome.storage.local.set({ helpOnErrorShown: true })
-    await chrome.runtime.openOptionsPage()
-  } catch {
-    // ignore
-  }
-}
-
-function requestFromRelay(command) {
-  const id = command.id
-  return new Promise((resolve, reject) => {
-    const timer = setTimeout(() => {
-      pending.delete(id)
-      reject(new Error('Relay request timeout (30s)'))
-    }, 30000)
-    pending.set(id, {
-      resolve: (v) => { clearTimeout(timer); resolve(v) },
-      reject: (e) => { clearTimeout(timer); reject(e) },
-    })
-    try {
-      sendToRelay(command)
-    } catch (err) {
-      clearTimeout(timer)
-      pending.delete(id)
-      reject(err instanceof Error ? err : new Error(String(err)))
-    }
-  })
-}
-
-async function onRelayMessage(text) {
-  /** @type {any} */
-  let msg
-  try {
-    msg = JSON.parse(text)
-  } catch {
-    return
-  }
-
-  if (msg && msg.type === 'event' && msg.event === 'connect.challenge') {
-    try {
-      ensureGatewayHandshakeStarted(msg.payload)
-    } catch (err) {
-      console.warn('gateway connect handshake start failed', err instanceof Error ? err.message : String(err))
-      relayConnectRequestId = null
-      const ws = relayWs
-      if (ws && ws.readyState === WebSocket.OPEN) {
-        ws.close(1008, 'gateway connect failed')
-      }
-    }
-    return
-  }
-
-  if (msg && msg.type === 'res' && relayConnectRequestId && msg.id === relayConnectRequestId) {
-    relayConnectRequestId = null
-    if (!msg.ok) {
-      const detail = msg?.error?.message || msg?.error || 'gateway connect failed'
-      console.warn('gateway connect handshake rejected', String(detail))
-      const ws = relayWs
-      if (ws && ws.readyState === WebSocket.OPEN) {
-        ws.close(1008, 'gateway connect failed')
-      }
-    }
-    return
-  }
-
-  if (msg && msg.method === 'ping') {
-    try {
-      sendToRelay({ method: 'pong' })
-    } catch {
-      // ignore
-    }
-    return
-  }
-
-  if (msg && typeof msg.id === 'number' && (msg.result !== undefined || msg.error !== undefined)) {
-    const p = pending.get(msg.id)
-    if (!p) return
-    pending.delete(msg.id)
-    if (msg.error) p.reject(new Error(String(msg.error)))
-    else p.resolve(msg.result)
-    return
-  }
-
-  if (msg && typeof msg.id === 'number' && msg.method === 'forwardCDPCommand') {
-    try {
-      const result = await handleForwardCdpCommand(msg)
-      sendToRelay({ id: msg.id, result })
-    } catch (err) {
-      sendToRelay({ id: msg.id, error: err instanceof Error ? err.message : String(err) })
-    }
-  }
-}
-
-function getTabBySessionId(sessionId) {
-  const direct = tabBySession.get(sessionId)
-  if (direct) return { tabId: direct, kind: 'main' }
-  const child = childSessionToTab.get(sessionId)
-  if (child) return { tabId: child, kind: 'child' }
-  return null
-}
-
-function getTabByTargetId(targetId) {
-  for (const [tabId, tab] of tabs.entries()) {
-    if (tab.targetId === targetId) return tabId
-  }
-  return null
-}
-
-async function attachTab(tabId, opts = {}) {
-  const debuggee = { tabId }
-  await chrome.debugger.attach(debuggee, '1.3')
-  await chrome.debugger.sendCommand(debuggee, 'Page.enable').catch(() => {})
-
-  const info = /** @type {any} */ (await chrome.debugger.sendCommand(debuggee, 'Target.getTargetInfo'))
-  const targetInfo = info?.targetInfo
-  const targetId = String(targetInfo?.targetId || '').trim()
-  if (!targetId) {
-    throw new Error('Target.getTargetInfo returned no targetId')
-  }
-
-  const sid = nextSession++
-  const sessionId = `cb-tab-${sid}`
-  const attachOrder = sid
-
-  tabs.set(tabId, { state: 'connected', sessionId, targetId, attachOrder })
-  tabBySession.set(sessionId, tabId)
-  void chrome.action.setTitle({
-    tabId,
-    title: 'OpenClaw Browser Relay: attached (click to detach)',
-  })
-
-  if (!opts.skipAttachedEvent) {
-    sendToRelay({
-      method: 'forwardCDPEvent',
-      params: {
-        method: 'Target.attachedToTarget',
-        params: {
-          sessionId,
-          targetInfo: { ...targetInfo, attached: true },
-          waitingForDebugger: false,
-        },
-      },
-    })
-  }
-
-  setBadge(tabId, 'on')
-  await persistState()
-
-  return { sessionId, targetId }
-}
-
-async function detachTab(tabId, reason) {
-  const tab = tabs.get(tabId)
-
-  // Send detach events for child sessions first.
-  for (const [childSessionId, parentTabId] of childSessionToTab.entries()) {
-    if (parentTabId === tabId) {
-      try {
-        sendToRelay({
-          method: 'forwardCDPEvent',
-          params: {
-            method: 'Target.detachedFromTarget',
-            params: { sessionId: childSessionId, reason: 'parent_detached' },
-          },
-        })
-      } catch {
-        // Relay may be down.
-      }
-      childSessionToTab.delete(childSessionId)
-    }
-  }
-
-  // Send detach event for main session.
-  if (tab?.sessionId && tab?.targetId) {
-    try {
-      sendToRelay({
-        method: 'forwardCDPEvent',
-        params: {
-          method: 'Target.detachedFromTarget',
-          params: { sessionId: tab.sessionId, targetId: tab.targetId, reason },
-        },
-      })
-    } catch {
-      // Relay may be down.
-    }
-  }
-
-  if (tab?.sessionId) tabBySession.delete(tab.sessionId)
-  tabs.delete(tabId)
-
-  try {
-    await chrome.debugger.detach({ tabId })
-  } catch {
-    // May already be detached.
-  }
-
-  setBadge(tabId, 'off')
-  void chrome.action.setTitle({
-    tabId,
-    title: 'OpenClaw Browser Relay (click to attach/detach)',
-  })
-
-  await persistState()
-}
-
-async function connectOrToggleForActiveTab() {
-  const [active] = await chrome.tabs.query({ active: true, currentWindow: true })
-  const tabId = active?.id
-  if (!tabId) return
-
-  // Prevent concurrent operations on the same tab.
-  if (tabOperationLocks.has(tabId)) return
-  tabOperationLocks.add(tabId)
-
-  try {
-    if (reattachPending.has(tabId)) {
-      reattachPending.delete(tabId)
-      setBadge(tabId, 'off')
-      void chrome.action.setTitle({
-        tabId,
-        title: 'OpenClaw Browser Relay (click to attach/detach)',
-      })
-      return
-    }
-
-    const existing = tabs.get(tabId)
-    if (existing?.state === 'connected') {
-      await detachTab(tabId, 'toggle')
-      return
-    }
-
-    // User is manually connecting — cancel any pending reconnect.
-    cancelReconnect()
-
-    tabs.set(tabId, { state: 'connecting' })
-    setBadge(tabId, 'connecting')
-    void chrome.action.setTitle({
-      tabId,
-      title: 'OpenClaw Browser Relay: connecting to local relay…',
-    })
-
-    try {
-      await ensureRelayConnection()
-      await attachTab(tabId)
-    } catch (err) {
-      tabs.delete(tabId)
-      setBadge(tabId, 'error')
-      void chrome.action.setTitle({
-        tabId,
-        title: 'OpenClaw Browser Relay: relay not running (open options for setup)',
-      })
-      void maybeOpenHelpOnce()
-      const message = err instanceof Error ? err.message : String(err)
-      console.warn('attach failed', message, nowStack())
-    }
-  } finally {
-    tabOperationLocks.delete(tabId)
-  }
-}
-
-async function handleForwardCdpCommand(msg) {
-  const method = String(msg?.params?.method || '').trim()
-  const params = msg?.params?.params || undefined
-  const sessionId = typeof msg?.params?.sessionId === 'string' ? msg.params.sessionId : undefined
-
-  const bySession = sessionId ? getTabBySessionId(sessionId) : null
-  const targetId = typeof params?.targetId === 'string' ? params.targetId : undefined
-  const tabId =
-    bySession?.tabId ||
-    (targetId ? getTabByTargetId(targetId) : null) ||
-    (() => {
-      for (const [id, tab] of tabs.entries()) {
-        if (tab.state === 'connected') return id
-      }
-      return null
-    })()
-
-  if (!tabId) throw new Error(`No attached tab for method ${method}`)
-
-  /** @type {chrome.debugger.DebuggerSession} */
-  const debuggee = { tabId }
-
-  if (method === 'Runtime.enable') {
-    try {
-      await chrome.debugger.sendCommand(debuggee, 'Runtime.disable')
-      await new Promise((r) => setTimeout(r, 50))
-    } catch {
-      // ignore
-    }
-    return await chrome.debugger.sendCommand(debuggee, 'Runtime.enable', params)
-  }
-
-  if (method === 'Target.createTarget') {
-    const url = typeof params?.url === 'string' ? params.url : 'about:blank'
-    const tab = await chrome.tabs.create({ url, active: false })
-    if (!tab.id) throw new Error('Failed to create tab')
-    await new Promise((r) => setTimeout(r, 100))
-    const attached = await attachTab(tab.id)
-    return { targetId: attached.targetId }
-  }
-
-  if (method === 'Target.closeTarget') {
-    const target = typeof params?.targetId === 'string' ? params.targetId : ''
-    const toClose = target ? getTabByTargetId(target) : tabId
-    if (!toClose) return { success: false }
-    try {
-      const allTabs = await chrome.tabs.query({})
-      if (isLastRemainingTab(allTabs, toClose)) {
-        console.warn('Refusing to close the last tab: this would kill the browser process')
-        return { success: false, error: 'Cannot close the last tab' }
-      }
-      await chrome.tabs.remove(toClose)
-    } catch {
-      return { success: false }
-    }
-    return { success: true }
-  }
-
-  if (method === 'Target.activateTarget') {
-    const target = typeof params?.targetId === 'string' ? params.targetId : ''
-    const toActivate = target ? getTabByTargetId(target) : tabId
-    if (!toActivate) return {}
-    const tab = await chrome.tabs.get(toActivate).catch(() => null)
-    if (!tab) return {}
-    if (tab.windowId) {
-      await chrome.windows.update(tab.windowId, { focused: true }).catch(() => {})
-    }
-    await chrome.tabs.update(toActivate, { active: true }).catch(() => {})
-    return {}
-  }
-
-  const tabState = tabs.get(tabId)
-  const mainSessionId = tabState?.sessionId
-  const debuggerSession =
-    sessionId && mainSessionId && sessionId !== mainSessionId
-      ? { ...debuggee, sessionId }
-      : debuggee
-
-  return await chrome.debugger.sendCommand(debuggerSession, method, params)
-}
-
-function onDebuggerEvent(source, method, params) {
-  const tabId = source.tabId
-  if (!tabId) return
-  const tab = tabs.get(tabId)
-  if (!tab?.sessionId) return
-
-  if (method === 'Target.attachedToTarget' && params?.sessionId) {
-    childSessionToTab.set(String(params.sessionId), tabId)
-  }
-
-  if (method === 'Target.detachedFromTarget' && params?.sessionId) {
-    childSessionToTab.delete(String(params.sessionId))
-  }
-
-  try {
-    sendToRelay({
-      method: 'forwardCDPEvent',
-      params: {
-        sessionId: source.sessionId || tab.sessionId,
-        method,
-        params,
-      },
-    })
-  } catch {
-    // Relay may be down.
-  }
-}
-
-async function onDebuggerDetach(source, reason) {
-  const tabId = source.tabId
-  if (!tabId) return
-  if (!tabs.has(tabId)) return
-
-  // User explicitly cancelled or DevTools replaced the connection — respect their intent
-  if (reason === 'canceled_by_user' || reason === 'replaced_with_devtools') {
-    void detachTab(tabId, reason)
-    return
-  }
-
-  // Check if tab still exists — distinguishes navigation from tab close
-  let tabInfo
-  try {
-    tabInfo = await chrome.tabs.get(tabId)
-  } catch {
-    // Tab is gone (closed) — normal cleanup
-    void detachTab(tabId, reason)
-    return
-  }
-
-  if (tabInfo.url?.startsWith('chrome://') || tabInfo.url?.startsWith('chrome-extension://')) {
-    void detachTab(tabId, reason)
-    return
-  }
-
-  if (reattachPending.has(tabId)) return
-
-  const oldTab = tabs.get(tabId)
-  const oldSessionId = oldTab?.sessionId
-  const oldTargetId = oldTab?.targetId
-
-  if (oldSessionId) tabBySession.delete(oldSessionId)
-  tabs.delete(tabId)
-  for (const [childSessionId, parentTabId] of childSessionToTab.entries()) {
-    if (parentTabId === tabId) childSessionToTab.delete(childSessionId)
-  }
-
-  if (oldSessionId && oldTargetId) {
-    try {
-      sendToRelay({
-        method: 'forwardCDPEvent',
-        params: {
-          method: 'Target.detachedFromTarget',
-          params: { sessionId: oldSessionId, targetId: oldTargetId, reason: 'navigation-reattach' },
-        },
-      })
-    } catch {
-      // Relay may be down.
-    }
-  }
-
-  reattachPending.add(tabId)
-  setBadge(tabId, 'connecting')
-  void chrome.action.setTitle({
-    tabId,
-    title: 'OpenClaw Browser Relay: re-attaching after navigation…',
-  })
-
-  // Extend re-attach window from 2.5 s to ~7.7 s (5 attempts).
-  // SPAs and pages with heavy JS can take >2.5 s before the Chrome debugger
-  // is attachable, causing all three original attempts to fail and leaving
-  // the badge permanently off after every navigation.
-  const delays = [200, 500, 1000, 2000, 4000]
-  for (let attempt = 0; attempt < delays.length; attempt++) {
-    await new Promise((r) => setTimeout(r, delays[attempt]))
-
-    if (!reattachPending.has(tabId)) return
-
-    try {
-      await chrome.tabs.get(tabId)
-    } catch {
-      reattachPending.delete(tabId)
-      setBadge(tabId, 'off')
-      return
-    }
-
-    const relayUp = relayWs && relayWs.readyState === WebSocket.OPEN
-
-    try {
-      // When relay is down, still attach the debugger but skip sending the
-      // relay event. reannounceAttachedTabs() will notify the relay once it
-      // reconnects, so the tab stays tracked across transient relay drops.
-      await attachTab(tabId, { skipAttachedEvent: !relayUp })
-      reattachPending.delete(tabId)
-      if (!relayUp) {
-        setBadge(tabId, 'connecting')
-        void chrome.action.setTitle({
-          tabId,
-          title: 'OpenClaw Browser Relay: attached, waiting for relay reconnect…',
-        })
-      }
-      return
-    } catch {
-      // continue retries
-    }
-  }
-
-  reattachPending.delete(tabId)
-  setBadge(tabId, 'off')
-  void chrome.action.setTitle({
-    tabId,
-    title: 'OpenClaw Browser Relay: re-attach failed (click to retry)',
-  })
-}
-
-// Tab lifecycle listeners — clean up stale entries.
-chrome.tabs.onRemoved.addListener((tabId) => void whenReady(() => {
-  reattachPending.delete(tabId)
-  if (!tabs.has(tabId)) return
-  const tab = tabs.get(tabId)
-  if (tab?.sessionId) tabBySession.delete(tab.sessionId)
-  tabs.delete(tabId)
-  for (const [childSessionId, parentTabId] of childSessionToTab.entries()) {
-    if (parentTabId === tabId) childSessionToTab.delete(childSessionId)
-  }
-  if (tab?.sessionId && tab?.targetId) {
-    try {
-      sendToRelay({
-        method: 'forwardCDPEvent',
-        params: {
-          method: 'Target.detachedFromTarget',
-          params: { sessionId: tab.sessionId, targetId: tab.targetId, reason: 'tab_closed' },
-        },
-      })
-    } catch {
-      // Relay may be down.
-    }
-  }
-  void persistState()
-}))
-
-chrome.tabs.onReplaced.addListener((addedTabId, removedTabId) => void whenReady(() => {
-  const tab = tabs.get(removedTabId)
-  if (!tab) return
-  tabs.delete(removedTabId)
-  tabs.set(addedTabId, tab)
-  if (tab.sessionId) {
-    tabBySession.set(tab.sessionId, addedTabId)
-  }
-  for (const [childSessionId, parentTabId] of childSessionToTab.entries()) {
-    if (parentTabId === removedTabId) {
-      childSessionToTab.set(childSessionId, addedTabId)
-    }
-  }
-  setBadge(addedTabId, 'on')
-  void persistState()
-}))
-
-// Register debugger listeners at module scope so detach/event handling works
-// even when the relay WebSocket is down.
-chrome.debugger.onEvent.addListener((...args) => void whenReady(() => onDebuggerEvent(...args)))
-chrome.debugger.onDetach.addListener((...args) => void whenReady(() => onDebuggerDetach(...args)))
-
-chrome.action.onClicked.addListener(() => void whenReady(() => connectOrToggleForActiveTab()))
-
-// Refresh badge after navigation completes — service worker may have restarted
-// during navigation, losing ephemeral badge state.
-chrome.webNavigation.onCompleted.addListener(({ tabId, frameId }) => void whenReady(() => {
-  if (frameId !== 0) return
-  const tab = tabs.get(tabId)
-  if (tab?.state === 'connected') {
-    setBadge(tabId, relayWs && relayWs.readyState === WebSocket.OPEN ? 'on' : 'connecting')
-  }
-}))
-
-// Refresh badge when user switches to an attached tab.
-chrome.tabs.onActivated.addListener(({ tabId }) => void whenReady(() => {
-  const tab = tabs.get(tabId)
-  if (tab?.state === 'connected') {
-    setBadge(tabId, relayWs && relayWs.readyState === WebSocket.OPEN ? 'on' : 'connecting')
-  }
-}))
-
-chrome.runtime.onInstalled.addListener(() => {
-  void chrome.runtime.openOptionsPage()
-})
-
-// MV3 keepalive via chrome.alarms — more reliable than setInterval across
-// service worker restarts. Checks relay health and refreshes badges.
-chrome.alarms.create('relay-keepalive', { periodInMinutes: 0.5 })
-
-chrome.alarms.onAlarm.addListener(async (alarm) => {
-  if (alarm.name !== 'relay-keepalive') return
-  await initPromise
-
-  if (tabs.size === 0) return
-
-  // Refresh badges (ephemeral in MV3).
-  for (const [tabId, tab] of tabs.entries()) {
-    if (tab.state === 'connected') {
-      setBadge(tabId, relayWs && relayWs.readyState === WebSocket.OPEN ? 'on' : 'connecting')
-    }
-  }
-
-  // If relay is down and no reconnect is in progress, trigger one.
-  if (!relayWs || relayWs.readyState !== WebSocket.OPEN) {
-    if (!relayConnectPromise && !reconnectTimer) {
-      console.log('Keepalive: WebSocket unhealthy, triggering reconnect')
-      await ensureRelayConnection().catch(() => {
-        // ensureRelayConnection may throw without triggering onRelayClosed
-        // (e.g. preflight fetch fails before WS is created), so ensure
-        // reconnect is always scheduled on failure.
-        if (!reconnectTimer) {
-          scheduleReconnect()
-        }
-      })
-    }
-  }
-})
-
-// Rehydrate state on service worker startup. Split: rehydration is the gate
-// (fast), relay reconnect runs in background (slow, non-blocking).
-const initPromise = rehydrateState()
-
-initPromise.then(() => {
-  if (tabs.size > 0) {
-    ensureRelayConnection().then(() => {
-      reconnectAttempt = 0
-      return reannounceAttachedTabs()
-    }).catch(() => {
-      scheduleReconnect()
-    })
-  }
-})
-
-// Shared gate: all state-dependent handlers await this before accessing maps.
-async function whenReady(fn) {
-  await initPromise
-  return fn()
-}
-
-// Relay check handler for the options page. The service worker has
-// host_permissions and bypasses CORS preflight, so the options page
-// delegates token-validation requests here.
-chrome.runtime.onMessage.addListener((msg, _sender, sendResponse) => {
-  if (msg?.type !== 'relayCheck') return false
-  const { url, token } = msg
-  const headers = token ? { 'x-openclaw-relay-token': token } : {}
-  fetch(url, { method: 'GET', headers, signal: AbortSignal.timeout(2000) })
-    .then(async (res) => {
-      const contentType = String(res.headers.get('content-type') || '')
-      let json = null
-      if (contentType.includes('application/json')) {
-        try {
-          json = await res.json()
-        } catch {
-          json = null
-        }
-      }
-      sendResponse({ status: res.status, ok: res.ok, contentType, json })
-    })
-    .catch((err) => sendResponse({ status: 0, ok: false, error: String(err) }))
-  return true
-})
diff --git a/assets/chrome-extension/manifest.json b/assets/chrome-extension/manifest.json
deleted file mode 100644
index 62038276cd7..00000000000
--- a/assets/chrome-extension/manifest.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
-  "manifest_version": 3,
-  "name": "OpenClaw Browser Relay",
-  "version": "0.1.0",
-  "description": "Attach OpenClaw to your existing Chrome tab via a local CDP relay server.",
-  "icons": {
-    "16": "icons/icon16.png",
-    "32": "icons/icon32.png",
-    "48": "icons/icon48.png",
-    "128": "icons/icon128.png"
-  },
-  "permissions": ["debugger", "tabs", "activeTab", "storage", "alarms", "webNavigation"],
-  "host_permissions": ["http://127.0.0.1/*", "http://localhost/*"],
-  "background": { "service_worker": "background.js", "type": "module" },
-  "action": {
-    "default_title": "OpenClaw Browser Relay (click to attach/detach)",
-    "default_icon": {
-      "16": "icons/icon16.png",
-      "32": "icons/icon32.png",
-      "48": "icons/icon48.png",
-      "128": "icons/icon128.png"
-    }
-  },
-  "options_ui": { "page": "options.html", "open_in_tab": true }
-}
diff --git a/assets/chrome-extension/options-validation.js b/assets/chrome-extension/options-validation.js
deleted file mode 100644
index 53e2cd55014..00000000000
--- a/assets/chrome-extension/options-validation.js
+++ /dev/null
@@ -1,57 +0,0 @@
-const PORT_GUIDANCE = 'Use gateway port + 3 (for gateway 18789, relay is 18792).'
-
-function hasCdpVersionShape(data) {
-  return !!data && typeof data === 'object' && 'Browser' in data && 'Protocol-Version' in data
-}
-
-export function classifyRelayCheckResponse(res, port) {
-  if (!res) {
-    return { action: 'throw', error: 'No response from service worker' }
-  }
-
-  if (res.status === 401) {
-    return { action: 'status', kind: 'error', message: 'Gateway token rejected. Check token and save again.' }
-  }
-
-  if (res.error) {
-    return { action: 'throw', error: res.error }
-  }
-
-  if (!res.ok) {
-    return { action: 'throw', error: `HTTP ${res.status}` }
-  }
-
-  const contentType = String(res.contentType || '')
-  if (!contentType.includes('application/json')) {
-    return {
-      action: 'status',
-      kind: 'error',
-      message: `Wrong port: this is likely the gateway, not the relay. ${PORT_GUIDANCE}`,
-    }
-  }
-
-  if (!hasCdpVersionShape(res.json)) {
-    return {
-      action: 'status',
-      kind: 'error',
-      message: `Wrong port: expected relay /json/version response. ${PORT_GUIDANCE}`,
-    }
-  }
-
-  return { action: 'status', kind: 'ok', message: `Relay reachable and authenticated at http://127.0.0.1:${port}/` }
-}
-
-export function classifyRelayCheckException(err, port) {
-  const message = String(err || '').toLowerCase()
-  if (message.includes('json') || message.includes('syntax')) {
-    return {
-      kind: 'error',
-      message: `Wrong port: this is not a relay endpoint. ${PORT_GUIDANCE}`,
-    }
-  }
-
-  return {
-    kind: 'error',
-    message: `Relay not reachable/authenticated at http://127.0.0.1:${port}/. Start OpenClaw browser relay and verify token.`,
-  }
-}
diff --git a/assets/chrome-extension/options.html b/assets/chrome-extension/options.html
deleted file mode 100644
index 17fc6a79eed..00000000000
--- a/assets/chrome-extension/options.html
+++ /dev/null
@@ -1,200 +0,0 @@
-<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <title>OpenClaw Browser Relay</title>
-    <style>
-      :root {
-        color-scheme: light dark;
-        --accent: #ff5a36;
-        --panel: color-mix(in oklab, canvas 92%, canvasText 8%);
-        --border: color-mix(in oklab, canvasText 18%, transparent);
-        --muted: color-mix(in oklab, canvasText 70%, transparent);
-        --shadow: 0 10px 30px color-mix(in oklab, canvasText 18%, transparent);
-        font-family: ui-rounded, system-ui, -apple-system, BlinkMacSystemFont, "SF Pro Rounded",
-          "SF Pro Display", "Segoe UI", sans-serif;
-        line-height: 1.4;
-      }
-      body {
-        margin: 0;
-        min-height: 100vh;
-        background:
-          radial-gradient(1000px 500px at 10% 0%, color-mix(in oklab, var(--accent) 30%, transparent), transparent 70%),
-          radial-gradient(900px 450px at 90% 0%, color-mix(in oklab, var(--accent) 18%, transparent), transparent 75%),
-          canvas;
-        color: canvasText;
-      }
-      .wrap {
-        max-width: 820px;
-        margin: 36px auto;
-        padding: 0 24px 48px 24px;
-      }
-      header {
-        display: flex;
-        align-items: center;
-        gap: 12px;
-        margin-bottom: 18px;
-      }
-      .logo {
-        width: 44px;
-        height: 44px;
-        border-radius: 14px;
-        background: color-mix(in oklab, var(--accent) 18%, transparent);
-        border: 1px solid color-mix(in oklab, var(--accent) 35%, transparent);
-        box-shadow: var(--shadow);
-        display: grid;
-        place-items: center;
-      }
-      .logo img {
-        width: 28px;
-        height: 28px;
-        image-rendering: pixelated;
-      }
-      h1 {
-        font-size: 20px;
-        margin: 0;
-        letter-spacing: -0.01em;
-      }
-      .subtitle {
-        margin: 2px 0 0 0;
-        color: var(--muted);
-        font-size: 13px;
-      }
-      .grid {
-        display: grid;
-        grid-template-columns: 1fr;
-        gap: 14px;
-      }
-      .card {
-        background: var(--panel);
-        border: 1px solid var(--border);
-        border-radius: 16px;
-        padding: 16px;
-        box-shadow: var(--shadow);
-      }
-      .card h2 {
-        margin: 0 0 10px 0;
-        font-size: 14px;
-        letter-spacing: 0.01em;
-      }
-      .card p {
-        margin: 8px 0 0 0;
-        color: var(--muted);
-        font-size: 13px;
-      }
-      .row {
-        display: flex;
-        align-items: center;
-        gap: 8px;
-        flex-wrap: wrap;
-      }
-      label {
-        display: block;
-        font-size: 12px;
-        color: var(--muted);
-        margin-bottom: 6px;
-      }
-      input {
-        width: 160px;
-        padding: 10px 12px;
-        border-radius: 12px;
-        border: 1px solid var(--border);
-        background: color-mix(in oklab, canvas 92%, canvasText 8%);
-        color: canvasText;
-        outline: none;
-      }
-      input:focus {
-        border-color: color-mix(in oklab, var(--accent) 70%, transparent);
-        box-shadow: 0 0 0 4px color-mix(in oklab, var(--accent) 20%, transparent);
-      }
-      button {
-        padding: 10px 14px;
-        border-radius: 12px;
-        border: 1px solid color-mix(in oklab, var(--accent) 55%, transparent);
-        background: linear-gradient(
-          180deg,
-          color-mix(in oklab, var(--accent) 80%, white 20%),
-          var(--accent)
-        );
-        color: white;
-        font-weight: 650;
-        letter-spacing: 0.01em;
-        cursor: pointer;
-      }
-      button:active {
-        transform: translateY(1px);
-      }
-      .hint {
-        margin-top: 10px;
-        font-size: 12px;
-        color: var(--muted);
-      }
-      code {
-        font-family: ui-monospace, Menlo, Monaco, Consolas, "SF Mono", monospace;
-        font-size: 12px;
-      }
-      a {
-        color: color-mix(in oklab, var(--accent) 85%, canvasText 15%);
-      }
-      .status {
-        margin-top: 10px;
-        font-size: 12px;
-        color: color-mix(in oklab, var(--accent) 70%, canvasText 30%);
-        min-height: 16px;
-      }
-      .status[data-kind='ok'] {
-        color: color-mix(in oklab, #16a34a 75%, canvasText 25%);
-      }
-      .status[data-kind='error'] {
-        color: color-mix(in oklab, #ef4444 75%, canvasText 25%);
-      }
-    </style>
-  </head>
-  <body>
-    <div class="wrap">
-      <header>
-        <div class="logo" aria-hidden="true">
-          <img src="icons/icon128.png" alt="" />
-        </div>
-        <div>
-          <h1>OpenClaw Browser Relay</h1>
-          <p class="subtitle">Click the toolbar button on a tab to attach / detach.</p>
-        </div>
-      </header>
-
-      <div class="grid">
-        <div class="card">
-          <h2>Getting started</h2>
-          <p>
-            If you see a red <code>!</code> badge on the extension icon, the relay server is not reachable.
-            Start OpenClaw’s browser relay on this machine (Gateway or node host), then click the toolbar button again.
-          </p>
-          <p>
-            Full guide (install, remote Gateway, security): <a href="https://docs.openclaw.ai/tools/chrome-extension" target="_blank" rel="noreferrer">docs.openclaw.ai/tools/chrome-extension</a>
-          </p>
-        </div>
-
-        <div class="card">
-          <h2>Relay connection</h2>
-          <label for="port">Port</label>
-          <div class="row">
-            <input id="port" inputmode="numeric" pattern="[0-9]*" />
-          </div>
-          <label for="token" style="margin-top: 10px">Gateway token</label>
-          <div class="row">
-            <input id="token" type="password" autocomplete="off" style="width: min(520px, 100%)" />
-            <button id="save" type="button">Save</button>
-          </div>
-          <div class="hint">
-            Default port: <code>18792</code>. Extension connects to: <code id="relay-url">http://127.0.0.1:&lt;port&gt;/</code>.
-            Gateway token must match <code>gateway.auth.token</code> (or <code>OPENCLAW_GATEWAY_TOKEN</code>).
-          </div>
-          <div class="status" id="status"></div>
-        </div>
-      </div>
-
-      <script type="module" src="options.js"></script>
-    </div>
-  </body>
-</html>
diff --git a/assets/chrome-extension/options.js b/assets/chrome-extension/options.js
deleted file mode 100644
index aa6fcc4901f..00000000000
--- a/assets/chrome-extension/options.js
+++ /dev/null
@@ -1,74 +0,0 @@
-import { deriveRelayToken } from './background-utils.js'
-import { classifyRelayCheckException, classifyRelayCheckResponse } from './options-validation.js'
-
-const DEFAULT_PORT = 18792
-
-function clampPort(value) {
-  const n = Number.parseInt(String(value || ''), 10)
-  if (!Number.isFinite(n)) return DEFAULT_PORT
-  if (n <= 0 || n > 65535) return DEFAULT_PORT
-  return n
-}
-
-function updateRelayUrl(port) {
-  const el = document.getElementById('relay-url')
-  if (!el) return
-  el.textContent = `http://127.0.0.1:${port}/`
-}
-
-function setStatus(kind, message) {
-  const status = document.getElementById('status')
-  if (!status) return
-  status.dataset.kind = kind || ''
-  status.textContent = message || ''
-}
-
-async function checkRelayReachable(port, token) {
-  const url = `http://127.0.0.1:${port}/json/version`
-  const trimmedToken = String(token || '').trim()
-  if (!trimmedToken) {
-    setStatus('error', 'Gateway token required. Save your gateway token to connect.')
-    return
-  }
-  try {
-    const relayToken = await deriveRelayToken(trimmedToken, port)
-    // Delegate the fetch to the background service worker to bypass
-    // CORS preflight on the custom x-openclaw-relay-token header.
-    const res = await chrome.runtime.sendMessage({
-      type: 'relayCheck',
-      url,
-      token: relayToken,
-    })
-    const result = classifyRelayCheckResponse(res, port)
-    if (result.action === 'throw') throw new Error(result.error)
-    setStatus(result.kind, result.message)
-  } catch (err) {
-    const result = classifyRelayCheckException(err, port)
-    setStatus(result.kind, result.message)
-  }
-}
-
-async function load() {
-  const stored = await chrome.storage.local.get(['relayPort', 'gatewayToken'])
-  const port = clampPort(stored.relayPort)
-  const token = String(stored.gatewayToken || '').trim()
-  document.getElementById('port').value = String(port)
-  document.getElementById('token').value = token
-  updateRelayUrl(port)
-  await checkRelayReachable(port, token)
-}
-
-async function save() {
-  const portInput = document.getElementById('port')
-  const tokenInput = document.getElementById('token')
-  const port = clampPort(portInput.value)
-  const token = String(tokenInput.value || '').trim()
-  await chrome.storage.local.set({ relayPort: port, gatewayToken: token })
-  portInput.value = String(port)
-  tokenInput.value = token
-  updateRelayUrl(port)
-  await checkRelayReachable(port, token)
-}
-
-document.getElementById('save').addEventListener('click', () => void save())
-void load()
diff --git a/docs/.generated/config-baseline.json b/docs/.generated/config-baseline.json
index f6f854b2946..c63572a5e7f 100644
--- a/docs/.generated/config-baseline.json
+++ b/docs/.generated/config-baseline.json
@@ -2956,6 +2956,16 @@
       "tags": [],
       "hasChildren": true
     },
+    {
+      "path": "agents.defaults.sandbox.backend",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
     {
       "path": "agents.defaults.sandbox.browser",
       "kind": "core",
@@ -3540,6 +3550,234 @@
       "tags": [],
       "hasChildren": false
     },
+    {
+      "path": "agents.defaults.sandbox.ssh",
+      "kind": "core",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": true
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.certificateData",
+      "kind": "core",
+      "type": [
+        "object",
+        "string"
+      ],
+      "required": false,
+      "deprecated": false,
+      "sensitive": true,
+      "tags": [
+        "security",
+        "storage"
+      ],
+      "hasChildren": true
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.certificateData.id",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.certificateData.provider",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.certificateData.source",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.certificateFile",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.command",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.identityData",
+      "kind": "core",
+      "type": [
+        "object",
+        "string"
+      ],
+      "required": false,
+      "deprecated": false,
+      "sensitive": true,
+      "tags": [
+        "security",
+        "storage"
+      ],
+      "hasChildren": true
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.identityData.id",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.identityData.provider",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.identityData.source",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.identityFile",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.knownHostsData",
+      "kind": "core",
+      "type": [
+        "object",
+        "string"
+      ],
+      "required": false,
+      "deprecated": false,
+      "sensitive": true,
+      "tags": [
+        "security",
+        "storage"
+      ],
+      "hasChildren": true
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.knownHostsData.id",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.knownHostsData.provider",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.knownHostsData.source",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.knownHostsFile",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.strictHostKeyChecking",
+      "kind": "core",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.target",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.updateHostKeys",
+      "kind": "core",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.defaults.sandbox.ssh.workspaceRoot",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
     {
       "path": "agents.defaults.sandbox.workspaceAccess",
       "kind": "core",
@@ -5048,6 +5286,16 @@
       "tags": [],
       "hasChildren": true
     },
+    {
+      "path": "agents.list.*.sandbox.backend",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
     {
       "path": "agents.list.*.sandbox.browser",
       "kind": "core",
@@ -5632,6 +5880,234 @@
       "tags": [],
       "hasChildren": false
     },
+    {
+      "path": "agents.list.*.sandbox.ssh",
+      "kind": "core",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": true
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.certificateData",
+      "kind": "core",
+      "type": [
+        "object",
+        "string"
+      ],
+      "required": false,
+      "deprecated": false,
+      "sensitive": true,
+      "tags": [
+        "security",
+        "storage"
+      ],
+      "hasChildren": true
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.certificateData.id",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.certificateData.provider",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.certificateData.source",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.certificateFile",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.command",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.identityData",
+      "kind": "core",
+      "type": [
+        "object",
+        "string"
+      ],
+      "required": false,
+      "deprecated": false,
+      "sensitive": true,
+      "tags": [
+        "security",
+        "storage"
+      ],
+      "hasChildren": true
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.identityData.id",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.identityData.provider",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.identityData.source",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.identityFile",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.knownHostsData",
+      "kind": "core",
+      "type": [
+        "object",
+        "string"
+      ],
+      "required": false,
+      "deprecated": false,
+      "sensitive": true,
+      "tags": [
+        "security",
+        "storage"
+      ],
+      "hasChildren": true
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.knownHostsData.id",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.knownHostsData.provider",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.knownHostsData.source",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.knownHostsFile",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.strictHostKeyChecking",
+      "kind": "core",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.target",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.updateHostKeys",
+      "kind": "core",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "agents.list.*.sandbox.ssh.workspaceRoot",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
     {
       "path": "agents.list.*.sandbox.workspaceAccess",
       "kind": "core",
@@ -7559,21 +8035,7 @@
         "storage"
       ],
       "label": "Browser Profile Driver",
-      "help": "Per-profile browser driver mode: \"openclaw\" (or legacy \"clawd\") or \"extension\" depending on connection/runtime strategy. Use the driver that matches your browser control stack to avoid protocol mismatches.",
-      "hasChildren": false
-    },
-    {
-      "path": "browser.relayBindHost",
-      "kind": "core",
-      "type": "string",
-      "required": false,
-      "deprecated": false,
-      "sensitive": false,
-      "tags": [
-        "advanced"
-      ],
-      "label": "Browser Relay Bind Address",
-      "help": "Bind IP address for the Chrome extension relay listener. Leave unset for loopback-only access, or set an explicit non-loopback IP such as 0.0.0.0 only when the relay must be reachable across network namespaces (for example WSL2) and the surrounding network is already trusted.",
+      "help": "Per-profile browser driver mode. Use \"openclaw\" (or legacy \"clawd\") for CDP-based profiles, or use \"existing-session\" for host-local Chrome MCP attachment.",
       "hasChildren": false
     },
     {
@@ -30047,6 +30509,16 @@
       "tags": [],
       "hasChildren": false
     },
+    {
+      "path": "channels.telegram.accounts.*.actions.editForumTopic",
+      "kind": "channel",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
     {
       "path": "channels.telegram.accounts.*.actions.editMessage",
       "kind": "channel",
@@ -31930,6 +32402,16 @@
       "tags": [],
       "hasChildren": false
     },
+    {
+      "path": "channels.telegram.actions.editForumTopic",
+      "kind": "channel",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
     {
       "path": "channels.telegram.actions.editMessage",
       "kind": "channel",
@@ -39770,6 +40252,22 @@
       "help": "Debounce window (ms) before applying config changes.",
       "hasChildren": false
     },
+    {
+      "path": "gateway.reload.deferralTimeoutMs",
+      "kind": "core",
+      "type": "integer",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "network",
+        "performance",
+        "reliability"
+      ],
+      "label": "Restart Deferral Timeout (ms)",
+      "help": "Maximum time (ms) to wait for in-flight operations to complete before forcing a SIGUSR1 restart. Default: 300000 (5 minutes). Lower values risk aborting active subagent LLM calls.",
+      "hasChildren": false
+    },
     {
       "path": "gateway.reload.mode",
       "kind": "core",
@@ -44497,6 +44995,144 @@
       "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
       "hasChildren": false
     },
+    {
+      "path": "plugins.entries.amazon-bedrock",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/amazon-bedrock-provider",
+      "help": "OpenClaw Amazon Bedrock provider plugin (plugin: amazon-bedrock)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.amazon-bedrock.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/amazon-bedrock-provider Config",
+      "help": "Plugin-defined config payload for amazon-bedrock.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.amazon-bedrock.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/amazon-bedrock-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.amazon-bedrock.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.amazon-bedrock.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.anthropic",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/anthropic-provider",
+      "help": "OpenClaw Anthropic provider plugin (plugin: anthropic)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.anthropic.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/anthropic-provider Config",
+      "help": "Plugin-defined config payload for anthropic.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.anthropic.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/anthropic-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.anthropic.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.anthropic.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
     {
       "path": "plugins.entries.bluebubbles",
       "kind": "plugin",
@@ -44566,6 +45202,213 @@
       "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
       "hasChildren": false
     },
+    {
+      "path": "plugins.entries.brave",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/brave-plugin",
+      "help": "OpenClaw Brave plugin (plugin: brave)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.brave.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/brave-plugin Config",
+      "help": "Plugin-defined config payload for brave.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.brave.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/brave-plugin",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.brave.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.brave.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.byteplus",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/byteplus-provider",
+      "help": "OpenClaw BytePlus provider plugin (plugin: byteplus)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.byteplus.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/byteplus-provider Config",
+      "help": "Plugin-defined config payload for byteplus.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.byteplus.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/byteplus-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.byteplus.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.byteplus.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.cloudflare-ai-gateway",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/cloudflare-ai-gateway-provider",
+      "help": "OpenClaw Cloudflare AI Gateway provider plugin (plugin: cloudflare-ai-gateway)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.cloudflare-ai-gateway.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/cloudflare-ai-gateway-provider Config",
+      "help": "Plugin-defined config payload for cloudflare-ai-gateway.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.cloudflare-ai-gateway.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/cloudflare-ai-gateway-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.cloudflare-ai-gateway.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.cloudflare-ai-gateway.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
     {
       "path": "plugins.entries.copilot-proxy",
       "kind": "plugin",
@@ -45332,7 +46175,7 @@
       "hasChildren": false
     },
     {
-      "path": "plugins.entries.google-gemini-cli-auth",
+      "path": "plugins.entries.firecrawl",
       "kind": "plugin",
       "type": "object",
       "required": false,
@@ -45341,12 +46184,12 @@
       "tags": [
         "advanced"
       ],
-      "label": "@openclaw/google-gemini-cli-auth",
-      "help": "OpenClaw Gemini CLI OAuth provider plugin (plugin: google-gemini-cli-auth)",
+      "label": "@openclaw/firecrawl-plugin",
+      "help": "OpenClaw Firecrawl plugin (plugin: firecrawl)",
       "hasChildren": true
     },
     {
-      "path": "plugins.entries.google-gemini-cli-auth.config",
+      "path": "plugins.entries.firecrawl.config",
       "kind": "plugin",
       "type": "object",
       "required": false,
@@ -45355,12 +46198,12 @@
       "tags": [
         "advanced"
       ],
-      "label": "@openclaw/google-gemini-cli-auth Config",
-      "help": "Plugin-defined config payload for google-gemini-cli-auth.",
+      "label": "@openclaw/firecrawl-plugin Config",
+      "help": "Plugin-defined config payload for firecrawl.",
       "hasChildren": false
     },
     {
-      "path": "plugins.entries.google-gemini-cli-auth.enabled",
+      "path": "plugins.entries.firecrawl.enabled",
       "kind": "plugin",
       "type": "boolean",
       "required": false,
@@ -45369,11 +46212,11 @@
       "tags": [
         "advanced"
       ],
-      "label": "Enable @openclaw/google-gemini-cli-auth",
+      "label": "Enable @openclaw/firecrawl-plugin",
       "hasChildren": false
     },
     {
-      "path": "plugins.entries.google-gemini-cli-auth.hooks",
+      "path": "plugins.entries.firecrawl.hooks",
       "kind": "plugin",
       "type": "object",
       "required": false,
@@ -45387,7 +46230,145 @@
       "hasChildren": true
     },
     {
-      "path": "plugins.entries.google-gemini-cli-auth.hooks.allowPromptInjection",
+      "path": "plugins.entries.firecrawl.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.github-copilot",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/github-copilot-provider",
+      "help": "OpenClaw GitHub Copilot provider plugin (plugin: github-copilot)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.github-copilot.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/github-copilot-provider Config",
+      "help": "Plugin-defined config payload for github-copilot.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.github-copilot.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/github-copilot-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.github-copilot.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.github-copilot.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.google",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/google-plugin",
+      "help": "OpenClaw Google plugin (plugin: google)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.google.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/google-plugin Config",
+      "help": "Plugin-defined config payload for google.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.google.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/google-plugin",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.google.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.google.hooks.allowPromptInjection",
       "kind": "plugin",
       "type": "boolean",
       "required": false,
@@ -45469,6 +46450,75 @@
       "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
       "hasChildren": false
     },
+    {
+      "path": "plugins.entries.huggingface",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/huggingface-provider",
+      "help": "OpenClaw Hugging Face provider plugin (plugin: huggingface)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.huggingface.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/huggingface-provider Config",
+      "help": "Plugin-defined config payload for huggingface.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.huggingface.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/huggingface-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.huggingface.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.huggingface.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
     {
       "path": "plugins.entries.imessage",
       "kind": "plugin",
@@ -45607,6 +46657,144 @@
       "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
       "hasChildren": false
     },
+    {
+      "path": "plugins.entries.kilocode",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/kilocode-provider",
+      "help": "OpenClaw Kilo Gateway provider plugin (plugin: kilocode)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.kilocode.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/kilocode-provider Config",
+      "help": "Plugin-defined config payload for kilocode.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.kilocode.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/kilocode-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.kilocode.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.kilocode.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.kimi-coding",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/kimi-coding-provider",
+      "help": "OpenClaw Kimi Coding provider plugin (plugin: kimi-coding)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.kimi-coding.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/kimi-coding-provider Config",
+      "help": "Plugin-defined config payload for kimi-coding.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.kimi-coding.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/kimi-coding-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.kimi-coding.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.kimi-coding.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
     {
       "path": "plugins.entries.line",
       "kind": "plugin",
@@ -46290,7 +47478,7 @@
       "hasChildren": false
     },
     {
-      "path": "plugins.entries.minimax-portal-auth",
+      "path": "plugins.entries.minimax",
       "kind": "plugin",
       "type": "object",
       "required": false,
@@ -46299,12 +47487,12 @@
       "tags": [
         "performance"
       ],
-      "label": "@openclaw/minimax-portal-auth",
-      "help": "OpenClaw MiniMax Portal OAuth provider plugin (plugin: minimax-portal-auth)",
+      "label": "@openclaw/minimax-provider",
+      "help": "OpenClaw MiniMax provider and OAuth plugin (plugin: minimax)",
       "hasChildren": true
     },
     {
-      "path": "plugins.entries.minimax-portal-auth.config",
+      "path": "plugins.entries.minimax.config",
       "kind": "plugin",
       "type": "object",
       "required": false,
@@ -46313,12 +47501,12 @@
       "tags": [
         "performance"
       ],
-      "label": "@openclaw/minimax-portal-auth Config",
-      "help": "Plugin-defined config payload for minimax-portal-auth.",
+      "label": "@openclaw/minimax-provider Config",
+      "help": "Plugin-defined config payload for minimax.",
       "hasChildren": false
     },
     {
-      "path": "plugins.entries.minimax-portal-auth.enabled",
+      "path": "plugins.entries.minimax.enabled",
       "kind": "plugin",
       "type": "boolean",
       "required": false,
@@ -46327,11 +47515,11 @@
       "tags": [
         "performance"
       ],
-      "label": "Enable @openclaw/minimax-portal-auth",
+      "label": "Enable @openclaw/minimax-provider",
       "hasChildren": false
     },
     {
-      "path": "plugins.entries.minimax-portal-auth.hooks",
+      "path": "plugins.entries.minimax.hooks",
       "kind": "plugin",
       "type": "object",
       "required": false,
@@ -46345,7 +47533,214 @@
       "hasChildren": true
     },
     {
-      "path": "plugins.entries.minimax-portal-auth.hooks.allowPromptInjection",
+      "path": "plugins.entries.minimax.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.mistral",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/mistral-provider",
+      "help": "OpenClaw Mistral provider plugin (plugin: mistral)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.mistral.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/mistral-provider Config",
+      "help": "Plugin-defined config payload for mistral.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.mistral.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/mistral-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.mistral.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.mistral.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.modelstudio",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/modelstudio-provider",
+      "help": "OpenClaw Model Studio provider plugin (plugin: modelstudio)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.modelstudio.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/modelstudio-provider Config",
+      "help": "Plugin-defined config payload for modelstudio.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.modelstudio.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/modelstudio-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.modelstudio.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.modelstudio.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.moonshot",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/moonshot-provider",
+      "help": "OpenClaw Moonshot provider plugin (plugin: moonshot)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.moonshot.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/moonshot-provider Config",
+      "help": "Plugin-defined config payload for moonshot.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.moonshot.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/moonshot-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.moonshot.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.moonshot.hooks.allowPromptInjection",
       "kind": "plugin",
       "type": "boolean",
       "required": false,
@@ -46565,6 +47960,75 @@
       "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
       "hasChildren": false
     },
+    {
+      "path": "plugins.entries.nvidia",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/nvidia-provider",
+      "help": "OpenClaw NVIDIA provider plugin (plugin: nvidia)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.nvidia.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/nvidia-provider Config",
+      "help": "Plugin-defined config payload for nvidia.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.nvidia.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/nvidia-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.nvidia.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.nvidia.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
     {
       "path": "plugins.entries.ollama",
       "kind": "plugin",
@@ -46703,6 +48167,587 @@
       "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
       "hasChildren": false
     },
+    {
+      "path": "plugins.entries.openai",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/openai-provider",
+      "help": "OpenClaw OpenAI provider plugins (plugin: openai)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.openai.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/openai-provider Config",
+      "help": "Plugin-defined config payload for openai.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openai.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/openai-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openai.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.openai.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.opencode",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/opencode-provider",
+      "help": "OpenClaw OpenCode Zen provider plugin (plugin: opencode)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.opencode-go",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/opencode-go-provider",
+      "help": "OpenClaw OpenCode Go provider plugin (plugin: opencode-go)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.opencode-go.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/opencode-go-provider Config",
+      "help": "Plugin-defined config payload for opencode-go.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.opencode-go.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/opencode-go-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.opencode-go.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.opencode-go.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.opencode.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/opencode-provider Config",
+      "help": "Plugin-defined config payload for opencode.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.opencode.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/opencode-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.opencode.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.opencode.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openrouter",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/openrouter-provider",
+      "help": "OpenClaw OpenRouter provider plugin (plugin: openrouter)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.openrouter.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/openrouter-provider Config",
+      "help": "Plugin-defined config payload for openrouter.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openrouter.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/openrouter-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openrouter.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.openrouter.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openshell",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "OpenShell Sandbox",
+      "help": "Sandbox backend powered by OpenShell with mirrored local workspaces and SSH-based command execution. (plugin: openshell)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.openshell.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "OpenShell Sandbox Config",
+      "help": "Plugin-defined config payload for openshell.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.openshell.config.autoProviders",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Auto-create Providers",
+      "help": "When enabled, pass --auto-providers during sandbox create.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openshell.config.command",
+      "kind": "plugin",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "OpenShell Command",
+      "help": "Path or command name for the openshell CLI.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openshell.config.from",
+      "kind": "plugin",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Sandbox Source",
+      "help": "OpenShell sandbox source for first-time create. Defaults to openclaw.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openshell.config.gateway",
+      "kind": "plugin",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Gateway Name",
+      "help": "Optional OpenShell gateway name passed as --gateway.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openshell.config.gatewayEndpoint",
+      "kind": "plugin",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Gateway Endpoint",
+      "help": "Optional OpenShell gateway endpoint passed as --gateway-endpoint.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openshell.config.gpu",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "GPU",
+      "help": "Request GPU resources when creating the sandbox.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openshell.config.policy",
+      "kind": "plugin",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Policy File",
+      "help": "Optional path to a custom OpenShell sandbox policy YAML.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openshell.config.providers",
+      "kind": "plugin",
+      "type": "array",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Providers",
+      "help": "Provider names to attach when a sandbox is created.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.openshell.config.providers.*",
+      "kind": "plugin",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openshell.config.remoteAgentWorkspaceDir",
+      "kind": "plugin",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced",
+        "storage"
+      ],
+      "label": "Remote Agent Dir",
+      "help": "Mirror path for the real agent workspace when workspaceAccess is read-only.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openshell.config.remoteWorkspaceDir",
+      "kind": "plugin",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced",
+        "storage"
+      ],
+      "label": "Remote Workspace Dir",
+      "help": "Primary writable workspace inside the OpenShell sandbox.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openshell.config.timeoutSeconds",
+      "kind": "plugin",
+      "type": "number",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced",
+        "performance"
+      ],
+      "label": "Command Timeout Seconds",
+      "help": "Timeout for openshell CLI operations such as create/upload/download.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openshell.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable OpenShell Sandbox",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.openshell.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.openshell.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.perplexity",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/perplexity-plugin",
+      "help": "OpenClaw Perplexity plugin (plugin: perplexity)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.perplexity.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/perplexity-plugin Config",
+      "help": "Plugin-defined config payload for perplexity.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.perplexity.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/perplexity-plugin",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.perplexity.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.perplexity.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
     {
       "path": "plugins.entries.phone-control",
       "kind": "plugin",
@@ -46772,6 +48817,75 @@
       "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
       "hasChildren": false
     },
+    {
+      "path": "plugins.entries.qianfan",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/qianfan-provider",
+      "help": "OpenClaw Qianfan provider plugin (plugin: qianfan)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.qianfan.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/qianfan-provider Config",
+      "help": "Plugin-defined config payload for qianfan.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.qianfan.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/qianfan-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.qianfan.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.qianfan.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
     {
       "path": "plugins.entries.qwen-portal-auth",
       "kind": "plugin",
@@ -47117,6 +49231,75 @@
       "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
       "hasChildren": false
     },
+    {
+      "path": "plugins.entries.synthetic",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/synthetic-provider",
+      "help": "OpenClaw Synthetic provider plugin (plugin: synthetic)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.synthetic.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/synthetic-provider Config",
+      "help": "Plugin-defined config payload for synthetic.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.synthetic.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/synthetic-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.synthetic.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.synthetic.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
     {
       "path": "plugins.entries.talk-voice",
       "kind": "plugin",
@@ -47431,6 +49614,75 @@
       "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
       "hasChildren": false
     },
+    {
+      "path": "plugins.entries.together",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/together-provider",
+      "help": "OpenClaw Together provider plugin (plugin: together)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.together.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/together-provider Config",
+      "help": "Plugin-defined config payload for together.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.together.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/together-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.together.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.together.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
     {
       "path": "plugins.entries.twitch",
       "kind": "plugin",
@@ -47500,6 +49752,144 @@
       "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
       "hasChildren": false
     },
+    {
+      "path": "plugins.entries.venice",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/venice-provider",
+      "help": "OpenClaw Venice provider plugin (plugin: venice)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.venice.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/venice-provider Config",
+      "help": "Plugin-defined config payload for venice.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.venice.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/venice-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.venice.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.venice.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.vercel-ai-gateway",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/vercel-ai-gateway-provider",
+      "help": "OpenClaw Vercel AI Gateway provider plugin (plugin: vercel-ai-gateway)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.vercel-ai-gateway.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/vercel-ai-gateway-provider Config",
+      "help": "Plugin-defined config payload for vercel-ai-gateway.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.vercel-ai-gateway.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/vercel-ai-gateway-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.vercel-ai-gateway.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.vercel-ai-gateway.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
     {
       "path": "plugins.entries.vllm",
       "kind": "plugin",
@@ -48999,6 +51389,75 @@
       "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
       "hasChildren": false
     },
+    {
+      "path": "plugins.entries.volcengine",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/volcengine-provider",
+      "help": "OpenClaw Volcengine provider plugin (plugin: volcengine)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.volcengine.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/volcengine-provider Config",
+      "help": "Plugin-defined config payload for volcengine.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.volcengine.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/volcengine-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.volcengine.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.volcengine.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
     {
       "path": "plugins.entries.whatsapp",
       "kind": "plugin",
@@ -49068,6 +51527,213 @@
       "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
       "hasChildren": false
     },
+    {
+      "path": "plugins.entries.xai",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/xai-plugin",
+      "help": "OpenClaw xAI plugin (plugin: xai)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.xai.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/xai-plugin Config",
+      "help": "Plugin-defined config payload for xai.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.xai.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/xai-plugin",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.xai.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.xai.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.xiaomi",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/xiaomi-provider",
+      "help": "OpenClaw Xiaomi provider plugin (plugin: xiaomi)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.xiaomi.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/xiaomi-provider Config",
+      "help": "Plugin-defined config payload for xiaomi.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.xiaomi.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/xiaomi-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.xiaomi.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.xiaomi.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.zai",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/zai-provider",
+      "help": "OpenClaw Z.AI provider plugin (plugin: zai)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.zai.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/zai-provider Config",
+      "help": "Plugin-defined config payload for zai.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.zai.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/zai-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.zai.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.zai.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
     {
       "path": "plugins.entries.zalo",
       "kind": "plugin",
@@ -49272,6 +51938,48 @@
       "help": "Resolved npm dist integrity hash for the fetched artifact (if reported by npm).",
       "hasChildren": false
     },
+    {
+      "path": "plugins.installs.*.marketplaceName",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Marketplace Name",
+      "help": "Marketplace display name recorded for marketplace-backed plugin installs (if available).",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.installs.*.marketplacePlugin",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Marketplace Plugin",
+      "help": "Plugin entry name inside the source marketplace, used for later updates.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.installs.*.marketplaceSource",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Marketplace Source",
+      "help": "Original marketplace source used to resolve the install (for example a repo path or Git URL).",
+      "hasChildren": false
+    },
     {
       "path": "plugins.installs.*.resolvedAt",
       "kind": "core",
@@ -55443,6 +58151,79 @@
       "help": "Enable the web_search tool (requires a provider API key).",
       "hasChildren": false
     },
+    {
+      "path": "tools.web.search.firecrawl",
+      "kind": "core",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": true
+    },
+    {
+      "path": "tools.web.search.firecrawl.apiKey",
+      "kind": "core",
+      "type": [
+        "object",
+        "string"
+      ],
+      "required": false,
+      "deprecated": false,
+      "sensitive": true,
+      "tags": [
+        "auth",
+        "security",
+        "tools"
+      ],
+      "label": "Firecrawl Search API Key",
+      "help": "Firecrawl API key for web search (fallback: FIRECRAWL_API_KEY env var).",
+      "hasChildren": true
+    },
+    {
+      "path": "tools.web.search.firecrawl.apiKey.id",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "tools.web.search.firecrawl.apiKey.provider",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "tools.web.search.firecrawl.apiKey.source",
+      "kind": "core",
+      "type": "string",
+      "required": true,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [],
+      "hasChildren": false
+    },
+    {
+      "path": "tools.web.search.firecrawl.baseUrl",
+      "kind": "core",
+      "type": "string",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "tools"
+      ],
+      "label": "Firecrawl Search Base URL",
+      "help": "Firecrawl Search base URL override (default: \"https://api.firecrawl.dev\").",
+      "hasChildren": false
+    },
     {
       "path": "tools.web.search.gemini",
       "kind": "core",
@@ -55803,7 +58584,7 @@
         "tools"
       ],
       "label": "Web Search Provider",
-      "help": "Search provider (\"brave\", \"gemini\", \"grok\", \"kimi\", or \"perplexity\"). Auto-detected from available API keys if omitted.",
+      "help": "Search provider (\"brave\", \"firecrawl\", \"gemini\", \"grok\", \"kimi\", or \"perplexity\"). Auto-detected from available API keys if omitted.",
       "hasChildren": false
     },
     {
@@ -56136,7 +58917,7 @@
         "advanced"
       ],
       "label": "Setup Wizard State",
-      "help": "Setup wizard state tracking fields that record the most recent guided onboarding run details. Keep these fields for observability and troubleshooting of setup flows across upgrades.",
+      "help": "Setup wizard state tracking fields that record the most recent guided setup run details. Keep these fields for observability and troubleshooting of setup flows across upgrades.",
       "hasChildren": true
     },
     {
@@ -56150,7 +58931,7 @@
         "advanced"
       ],
       "label": "Wizard Last Run Timestamp",
-      "help": "ISO timestamp for when the setup wizard most recently completed on this host. Use this to confirm onboarding recency during support and operational audits.",
+      "help": "ISO timestamp for when the setup wizard most recently completed on this host. Use this to confirm setup recency during support and operational audits.",
       "hasChildren": false
     },
     {
@@ -56164,7 +58945,7 @@
         "advanced"
       ],
       "label": "Wizard Last Run Command",
-      "help": "Command invocation recorded for the latest wizard run to preserve execution context. Use this to reproduce onboarding steps when verifying setup regressions.",
+      "help": "Command invocation recorded for the latest wizard run to preserve execution context. Use this to reproduce setup steps when verifying setup regressions.",
       "hasChildren": false
     },
     {
@@ -56178,7 +58959,7 @@
         "advanced"
       ],
       "label": "Wizard Last Run Commit",
-      "help": "Source commit identifier recorded for the last wizard execution in development builds. Use this to correlate onboarding behavior with exact source state during debugging.",
+      "help": "Source commit identifier recorded for the last wizard execution in development builds. Use this to correlate setup behavior with exact source state during debugging.",
       "hasChildren": false
     },
     {
@@ -56192,7 +58973,7 @@
         "advanced"
       ],
       "label": "Wizard Last Run Mode",
-      "help": "Wizard execution mode recorded as \"local\" or \"remote\" for the most recent onboarding flow. Use this to understand whether setup targeted direct local runtime or remote gateway topology.",
+      "help": "Wizard execution mode recorded as \"local\" or \"remote\" for the most recent setup flow. Use this to understand whether setup targeted direct local runtime or remote gateway topology.",
       "hasChildren": false
     },
     {
@@ -56206,7 +58987,7 @@
         "advanced"
       ],
       "label": "Wizard Last Run Version",
-      "help": "OpenClaw version recorded at the time of the most recent wizard run on this config. Use this when diagnosing behavior differences across version-to-version onboarding changes.",
+      "help": "OpenClaw version recorded at the time of the most recent wizard run on this config. Use this when diagnosing behavior differences across version-to-version setup changes.",
       "hasChildren": false
     }
   ]
diff --git a/docs/.generated/config-baseline.jsonl b/docs/.generated/config-baseline.jsonl
index 18baeac12b9..f857ff2d7f4 100644
--- a/docs/.generated/config-baseline.jsonl
+++ b/docs/.generated/config-baseline.jsonl
@@ -1,4 +1,4 @@
-{"generatedBy":"scripts/generate-config-doc-baseline.ts","recordType":"meta","totalPaths":4889}
+{"generatedBy":"scripts/generate-config-doc-baseline.ts","recordType":"meta","totalPaths":5101}
 {"recordType":"path","path":"acp","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"ACP","help":"ACP runtime controls for enabling dispatch, selecting backends, constraining allowed agent targets, and tuning streamed turn projection behavior.","hasChildren":true}
 {"recordType":"path","path":"acp.allowedAgents","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"ACP Allowed Agents","help":"Allowlist of ACP target agent ids permitted for ACP runtime sessions. Empty means no additional allowlist restriction.","hasChildren":true}
 {"recordType":"path","path":"acp.allowedAgents.*","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -245,6 +245,7 @@
 {"recordType":"path","path":"agents.defaults.pdfModel.primary","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"PDF Model","help":"Optional PDF model (provider/model) for the PDF analysis tool. Defaults to imageModel, then session model.","hasChildren":false}
 {"recordType":"path","path":"agents.defaults.repoRoot","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Repo Root","help":"Optional repository root shown in the system prompt runtime line (overrides auto-detect).","hasChildren":false}
 {"recordType":"path","path":"agents.defaults.sandbox","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
+{"recordType":"path","path":"agents.defaults.sandbox.backend","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.defaults.sandbox.browser","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"agents.defaults.sandbox.browser.allowHostControl","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.defaults.sandbox.browser.autoStart","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -301,6 +302,27 @@
 {"recordType":"path","path":"agents.defaults.sandbox.prune.maxAgeDays","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.defaults.sandbox.scope","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.defaults.sandbox.sessionToolsVisibility","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.certificateData","kind":"core","type":["object","string"],"required":false,"deprecated":false,"sensitive":true,"tags":["security","storage"],"hasChildren":true}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.certificateData.id","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.certificateData.provider","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.certificateData.source","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.certificateFile","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.command","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.identityData","kind":"core","type":["object","string"],"required":false,"deprecated":false,"sensitive":true,"tags":["security","storage"],"hasChildren":true}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.identityData.id","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.identityData.provider","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.identityData.source","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.identityFile","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.knownHostsData","kind":"core","type":["object","string"],"required":false,"deprecated":false,"sensitive":true,"tags":["security","storage"],"hasChildren":true}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.knownHostsData.id","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.knownHostsData.provider","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.knownHostsData.source","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.knownHostsFile","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.strictHostKeyChecking","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.target","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.updateHostKeys","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.defaults.sandbox.ssh.workspaceRoot","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.defaults.sandbox.workspaceAccess","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.defaults.sandbox.workspaceRoot","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.defaults.skipBootstrap","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -445,6 +467,7 @@
 {"recordType":"path","path":"agents.list.*.runtime.acp.mode","kind":"core","type":"string","required":false,"enumValues":["persistent","oneshot"],"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Agent ACP Mode","help":"Optional ACP session mode default for this agent (persistent or oneshot).","hasChildren":false}
 {"recordType":"path","path":"agents.list.*.runtime.type","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Agent Runtime Type","help":"Runtime type for this agent: \"embedded\" (default OpenClaw runtime) or \"acp\" (ACP harness defaults).","hasChildren":false}
 {"recordType":"path","path":"agents.list.*.sandbox","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
+{"recordType":"path","path":"agents.list.*.sandbox.backend","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.sandbox.browser","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"agents.list.*.sandbox.browser.allowHostControl","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.sandbox.browser.autoStart","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -501,6 +524,27 @@
 {"recordType":"path","path":"agents.list.*.sandbox.prune.maxAgeDays","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.sandbox.scope","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.sandbox.sessionToolsVisibility","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.certificateData","kind":"core","type":["object","string"],"required":false,"deprecated":false,"sensitive":true,"tags":["security","storage"],"hasChildren":true}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.certificateData.id","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.certificateData.provider","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.certificateData.source","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.certificateFile","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.command","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.identityData","kind":"core","type":["object","string"],"required":false,"deprecated":false,"sensitive":true,"tags":["security","storage"],"hasChildren":true}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.identityData.id","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.identityData.provider","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.identityData.source","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.identityFile","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.knownHostsData","kind":"core","type":["object","string"],"required":false,"deprecated":false,"sensitive":true,"tags":["security","storage"],"hasChildren":true}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.knownHostsData.id","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.knownHostsData.provider","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.knownHostsData.source","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.knownHostsFile","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.strictHostKeyChecking","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.target","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.updateHostKeys","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"agents.list.*.sandbox.ssh.workspaceRoot","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.sandbox.workspaceAccess","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.sandbox.workspaceRoot","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"agents.list.*.skills","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Agent Skill Filter","help":"Optional allowlist of skills for this agent (omit = all skills; empty = no skills).","hasChildren":true}
@@ -663,8 +707,7 @@
 {"recordType":"path","path":"browser.profiles.*.cdpPort","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["storage"],"label":"Browser Profile CDP Port","help":"Per-profile local CDP port used when connecting to browser instances by port instead of URL. Use unique ports per profile to avoid connection collisions.","hasChildren":false}
 {"recordType":"path","path":"browser.profiles.*.cdpUrl","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["storage"],"label":"Browser Profile CDP URL","help":"Per-profile CDP websocket URL used for explicit remote browser routing by profile name. Use this when profile connections terminate on remote hosts or tunnels.","hasChildren":false}
 {"recordType":"path","path":"browser.profiles.*.color","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":["storage"],"label":"Browser Profile Accent Color","help":"Per-profile accent color for visual differentiation in dashboards and browser-related UI hints. Use distinct colors for high-signal operator recognition of active profiles.","hasChildren":false}
-{"recordType":"path","path":"browser.profiles.*.driver","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["storage"],"label":"Browser Profile Driver","help":"Per-profile browser driver mode: \"openclaw\" (or legacy \"clawd\") or \"extension\" depending on connection/runtime strategy. Use the driver that matches your browser control stack to avoid protocol mismatches.","hasChildren":false}
-{"recordType":"path","path":"browser.relayBindHost","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Browser Relay Bind Address","help":"Bind IP address for the Chrome extension relay listener. Leave unset for loopback-only access, or set an explicit non-loopback IP such as 0.0.0.0 only when the relay must be reachable across network namespaces (for example WSL2) and the surrounding network is already trusted.","hasChildren":false}
+{"recordType":"path","path":"browser.profiles.*.driver","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["storage"],"label":"Browser Profile Driver","help":"Per-profile browser driver mode. Use \"openclaw\" (or legacy \"clawd\") for CDP-based profiles, or use \"existing-session\" for host-local Chrome MCP attachment.","hasChildren":false}
 {"recordType":"path","path":"browser.remoteCdpHandshakeTimeoutMs","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"Remote CDP Handshake Timeout (ms)","help":"Timeout in milliseconds for post-connect CDP handshake readiness checks against remote browser targets. Raise this for slow-start remote browsers and lower to fail fast in automation loops.","hasChildren":false}
 {"recordType":"path","path":"browser.remoteCdpTimeoutMs","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"Remote CDP Timeout (ms)","help":"Timeout in milliseconds for connecting to a remote CDP endpoint before failing the browser attach attempt. Increase for high-latency tunnels, or lower for faster failure detection.","hasChildren":false}
 {"recordType":"path","path":"browser.snapshotDefaults","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Browser Snapshot Defaults","help":"Default snapshot capture configuration used when callers do not provide explicit snapshot options. Tune this for consistent capture behavior across channels and automation paths.","hasChildren":true}
@@ -2708,6 +2751,7 @@
 {"recordType":"path","path":"channels.telegram.accounts.*.actions","kind":"channel","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"channels.telegram.accounts.*.actions.createForumTopic","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"channels.telegram.accounts.*.actions.deleteMessage","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"channels.telegram.accounts.*.actions.editForumTopic","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"channels.telegram.accounts.*.actions.editMessage","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"channels.telegram.accounts.*.actions.poll","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"channels.telegram.accounts.*.actions.reactions","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -2883,6 +2927,7 @@
 {"recordType":"path","path":"channels.telegram.actions","kind":"channel","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"channels.telegram.actions.createForumTopic","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"channels.telegram.actions.deleteMessage","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"channels.telegram.actions.editForumTopic","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"channels.telegram.actions.editMessage","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"channels.telegram.actions.poll","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"channels.telegram.actions.reactions","kind":"channel","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -3558,6 +3603,7 @@
 {"recordType":"path","path":"gateway.push.apns.relay.timeoutMs","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["network","performance"],"label":"Gateway APNs Relay Timeout (ms)","help":"Timeout in milliseconds for relay send requests from the gateway to the APNs relay (default: 10000). Increase for slower relays or networks, or lower to fail wake attempts faster.","hasChildren":false}
 {"recordType":"path","path":"gateway.reload","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["network","reliability"],"label":"Config Reload","help":"Live config-reload policy for how edits are applied and when full restarts are triggered. Keep hybrid behavior for safest operational updates unless debugging reload internals.","hasChildren":true}
 {"recordType":"path","path":"gateway.reload.debounceMs","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["network","performance","reliability"],"label":"Config Reload Debounce (ms)","help":"Debounce window (ms) before applying config changes.","hasChildren":false}
+{"recordType":"path","path":"gateway.reload.deferralTimeoutMs","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["network","performance","reliability"],"label":"Restart Deferral Timeout (ms)","help":"Maximum time (ms) to wait for in-flight operations to complete before forcing a SIGUSR1 restart. Default: 300000 (5 minutes). Lower values risk aborting active subagent LLM calls.","hasChildren":false}
 {"recordType":"path","path":"gateway.reload.mode","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["network","reliability"],"label":"Config Reload Mode","help":"Controls how config edits are applied: \"off\" ignores live edits, \"restart\" always restarts, \"hot\" applies in-process, and \"hybrid\" tries hot then restarts if required. Keep \"hybrid\" for safest routine updates.","hasChildren":false}
 {"recordType":"path","path":"gateway.remote","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["network"],"label":"Remote Gateway","help":"Remote gateway connection settings for direct or SSH transport when this instance proxies to another runtime host. Use remote mode only when split-host operation is intentionally configured.","hasChildren":true}
 {"recordType":"path","path":"gateway.remote.password","kind":"core","type":["object","string"],"required":false,"deprecated":false,"sensitive":true,"tags":["auth","network","security"],"label":"Remote Gateway Password","help":"Password credential used for remote gateway authentication when password mode is enabled. Keep this secret managed externally and avoid plaintext values in committed config.","hasChildren":true}
@@ -3940,11 +3986,36 @@
 {"recordType":"path","path":"plugins.entries.acpx.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable ACPX Runtime","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.acpx.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.acpx.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.amazon-bedrock","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/amazon-bedrock-provider","help":"OpenClaw Amazon Bedrock provider plugin (plugin: amazon-bedrock)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.amazon-bedrock.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/amazon-bedrock-provider Config","help":"Plugin-defined config payload for amazon-bedrock.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.amazon-bedrock.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/amazon-bedrock-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.amazon-bedrock.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.amazon-bedrock.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.anthropic","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/anthropic-provider","help":"OpenClaw Anthropic provider plugin (plugin: anthropic)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.anthropic.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/anthropic-provider Config","help":"Plugin-defined config payload for anthropic.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.anthropic.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/anthropic-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.anthropic.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.anthropic.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.bluebubbles","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/bluebubbles","help":"OpenClaw BlueBubbles channel plugin (plugin: bluebubbles)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.bluebubbles.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/bluebubbles Config","help":"Plugin-defined config payload for bluebubbles.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.bluebubbles.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/bluebubbles","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.bluebubbles.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.bluebubbles.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.brave","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/brave-plugin","help":"OpenClaw Brave plugin (plugin: brave)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.brave.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/brave-plugin Config","help":"Plugin-defined config payload for brave.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.brave.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/brave-plugin","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.brave.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.brave.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.byteplus","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/byteplus-provider","help":"OpenClaw BytePlus provider plugin (plugin: byteplus)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.byteplus.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/byteplus-provider Config","help":"Plugin-defined config payload for byteplus.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.byteplus.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/byteplus-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.byteplus.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.byteplus.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.cloudflare-ai-gateway","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/cloudflare-ai-gateway-provider","help":"OpenClaw Cloudflare AI Gateway provider plugin (plugin: cloudflare-ai-gateway)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.cloudflare-ai-gateway.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/cloudflare-ai-gateway-provider Config","help":"Plugin-defined config payload for cloudflare-ai-gateway.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.cloudflare-ai-gateway.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/cloudflare-ai-gateway-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.cloudflare-ai-gateway.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.cloudflare-ai-gateway.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.copilot-proxy","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/copilot-proxy","help":"OpenClaw Copilot Proxy provider plugin (plugin: copilot-proxy)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.copilot-proxy.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/copilot-proxy Config","help":"Plugin-defined config payload for copilot-proxy.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.copilot-proxy.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/copilot-proxy","hasChildren":false}
@@ -3998,16 +4069,31 @@
 {"recordType":"path","path":"plugins.entries.feishu.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/feishu","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.feishu.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.feishu.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
-{"recordType":"path","path":"plugins.entries.google-gemini-cli-auth","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/google-gemini-cli-auth","help":"OpenClaw Gemini CLI OAuth provider plugin (plugin: google-gemini-cli-auth)","hasChildren":true}
-{"recordType":"path","path":"plugins.entries.google-gemini-cli-auth.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/google-gemini-cli-auth Config","help":"Plugin-defined config payload for google-gemini-cli-auth.","hasChildren":false}
-{"recordType":"path","path":"plugins.entries.google-gemini-cli-auth.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/google-gemini-cli-auth","hasChildren":false}
-{"recordType":"path","path":"plugins.entries.google-gemini-cli-auth.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
-{"recordType":"path","path":"plugins.entries.google-gemini-cli-auth.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.firecrawl","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/firecrawl-plugin","help":"OpenClaw Firecrawl plugin (plugin: firecrawl)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.firecrawl.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/firecrawl-plugin Config","help":"Plugin-defined config payload for firecrawl.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.firecrawl.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/firecrawl-plugin","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.firecrawl.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.firecrawl.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.github-copilot","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/github-copilot-provider","help":"OpenClaw GitHub Copilot provider plugin (plugin: github-copilot)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.github-copilot.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/github-copilot-provider Config","help":"Plugin-defined config payload for github-copilot.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.github-copilot.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/github-copilot-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.github-copilot.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.github-copilot.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.google","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/google-plugin","help":"OpenClaw Google plugin (plugin: google)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.google.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/google-plugin Config","help":"Plugin-defined config payload for google.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.google.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/google-plugin","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.google.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.google.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.googlechat","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/googlechat","help":"OpenClaw Google Chat channel plugin (plugin: googlechat)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.googlechat.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/googlechat Config","help":"Plugin-defined config payload for googlechat.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.googlechat.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/googlechat","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.googlechat.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.googlechat.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.huggingface","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/huggingface-provider","help":"OpenClaw Hugging Face provider plugin (plugin: huggingface)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.huggingface.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/huggingface-provider Config","help":"Plugin-defined config payload for huggingface.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.huggingface.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/huggingface-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.huggingface.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.huggingface.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.imessage","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/imessage","help":"OpenClaw iMessage channel plugin (plugin: imessage)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.imessage.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/imessage Config","help":"Plugin-defined config payload for imessage.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.imessage.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/imessage","hasChildren":false}
@@ -4018,6 +4104,16 @@
 {"recordType":"path","path":"plugins.entries.irc.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/irc","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.irc.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.irc.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.kilocode","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/kilocode-provider","help":"OpenClaw Kilo Gateway provider plugin (plugin: kilocode)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.kilocode.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/kilocode-provider Config","help":"Plugin-defined config payload for kilocode.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.kilocode.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/kilocode-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.kilocode.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.kilocode.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.kimi-coding","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/kimi-coding-provider","help":"OpenClaw Kimi Coding provider plugin (plugin: kimi-coding)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.kimi-coding.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/kimi-coding-provider Config","help":"Plugin-defined config payload for kimi-coding.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.kimi-coding.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/kimi-coding-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.kimi-coding.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.kimi-coding.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.line","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/line","help":"OpenClaw LINE channel plugin (plugin: line)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.line.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/line Config","help":"Plugin-defined config payload for line.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.line.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/line","hasChildren":false}
@@ -4069,11 +4165,26 @@
 {"recordType":"path","path":"plugins.entries.memory-lancedb.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["storage"],"label":"Enable @openclaw/memory-lancedb","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.memory-lancedb.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.memory-lancedb.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
-{"recordType":"path","path":"plugins.entries.minimax-portal-auth","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"@openclaw/minimax-portal-auth","help":"OpenClaw MiniMax Portal OAuth provider plugin (plugin: minimax-portal-auth)","hasChildren":true}
-{"recordType":"path","path":"plugins.entries.minimax-portal-auth.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"@openclaw/minimax-portal-auth Config","help":"Plugin-defined config payload for minimax-portal-auth.","hasChildren":false}
-{"recordType":"path","path":"plugins.entries.minimax-portal-auth.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"Enable @openclaw/minimax-portal-auth","hasChildren":false}
-{"recordType":"path","path":"plugins.entries.minimax-portal-auth.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
-{"recordType":"path","path":"plugins.entries.minimax-portal-auth.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.minimax","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"@openclaw/minimax-provider","help":"OpenClaw MiniMax provider and OAuth plugin (plugin: minimax)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.minimax.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"@openclaw/minimax-provider Config","help":"Plugin-defined config payload for minimax.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.minimax.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"Enable @openclaw/minimax-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.minimax.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.minimax.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.mistral","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/mistral-provider","help":"OpenClaw Mistral provider plugin (plugin: mistral)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.mistral.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/mistral-provider Config","help":"Plugin-defined config payload for mistral.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.mistral.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/mistral-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.mistral.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.mistral.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.modelstudio","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/modelstudio-provider","help":"OpenClaw Model Studio provider plugin (plugin: modelstudio)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.modelstudio.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/modelstudio-provider Config","help":"Plugin-defined config payload for modelstudio.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.modelstudio.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/modelstudio-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.modelstudio.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.modelstudio.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.moonshot","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/moonshot-provider","help":"OpenClaw Moonshot provider plugin (plugin: moonshot)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.moonshot.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/moonshot-provider Config","help":"Plugin-defined config payload for moonshot.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.moonshot.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/moonshot-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.moonshot.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.moonshot.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.msteams","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/msteams","help":"OpenClaw Microsoft Teams channel plugin (plugin: msteams)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.msteams.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/msteams Config","help":"Plugin-defined config payload for msteams.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.msteams.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/msteams","hasChildren":false}
@@ -4089,6 +4200,11 @@
 {"recordType":"path","path":"plugins.entries.nostr.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/nostr","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.nostr.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.nostr.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.nvidia","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/nvidia-provider","help":"OpenClaw NVIDIA provider plugin (plugin: nvidia)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.nvidia.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/nvidia-provider Config","help":"Plugin-defined config payload for nvidia.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.nvidia.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/nvidia-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.nvidia.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.nvidia.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.ollama","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/ollama-provider","help":"OpenClaw Ollama provider plugin (plugin: ollama)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.ollama.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/ollama-provider Config","help":"Plugin-defined config payload for ollama.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.ollama.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/ollama-provider","hasChildren":false}
@@ -4099,11 +4215,58 @@
 {"recordType":"path","path":"plugins.entries.open-prose.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable OpenProse","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.open-prose.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.open-prose.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openai","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/openai-provider","help":"OpenClaw OpenAI provider plugins (plugin: openai)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.openai.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/openai-provider Config","help":"Plugin-defined config payload for openai.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openai.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/openai-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openai.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.openai.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.opencode","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/opencode-provider","help":"OpenClaw OpenCode Zen provider plugin (plugin: opencode)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.opencode-go","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/opencode-go-provider","help":"OpenClaw OpenCode Go provider plugin (plugin: opencode-go)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.opencode-go.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/opencode-go-provider Config","help":"Plugin-defined config payload for opencode-go.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.opencode-go.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/opencode-go-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.opencode-go.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.opencode-go.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.opencode.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/opencode-provider Config","help":"Plugin-defined config payload for opencode.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.opencode.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/opencode-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.opencode.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.opencode.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openrouter","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/openrouter-provider","help":"OpenClaw OpenRouter provider plugin (plugin: openrouter)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.openrouter.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/openrouter-provider Config","help":"Plugin-defined config payload for openrouter.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openrouter.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/openrouter-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openrouter.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.openrouter.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openshell","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"OpenShell Sandbox","help":"Sandbox backend powered by OpenShell with mirrored local workspaces and SSH-based command execution. (plugin: openshell)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.openshell.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"OpenShell Sandbox Config","help":"Plugin-defined config payload for openshell.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.openshell.config.autoProviders","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Auto-create Providers","help":"When enabled, pass --auto-providers during sandbox create.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openshell.config.command","kind":"plugin","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"OpenShell Command","help":"Path or command name for the openshell CLI.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openshell.config.from","kind":"plugin","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Sandbox Source","help":"OpenShell sandbox source for first-time create. Defaults to openclaw.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openshell.config.gateway","kind":"plugin","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Gateway Name","help":"Optional OpenShell gateway name passed as --gateway.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openshell.config.gatewayEndpoint","kind":"plugin","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Gateway Endpoint","help":"Optional OpenShell gateway endpoint passed as --gateway-endpoint.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openshell.config.gpu","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"GPU","help":"Request GPU resources when creating the sandbox.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openshell.config.policy","kind":"plugin","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Policy File","help":"Optional path to a custom OpenShell sandbox policy YAML.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openshell.config.providers","kind":"plugin","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Providers","help":"Provider names to attach when a sandbox is created.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.openshell.config.providers.*","kind":"plugin","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openshell.config.remoteAgentWorkspaceDir","kind":"plugin","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced","storage"],"label":"Remote Agent Dir","help":"Mirror path for the real agent workspace when workspaceAccess is read-only.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openshell.config.remoteWorkspaceDir","kind":"plugin","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced","storage"],"label":"Remote Workspace Dir","help":"Primary writable workspace inside the OpenShell sandbox.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openshell.config.timeoutSeconds","kind":"plugin","type":"number","required":false,"deprecated":false,"sensitive":false,"tags":["advanced","performance"],"label":"Command Timeout Seconds","help":"Timeout for openshell CLI operations such as create/upload/download.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openshell.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable OpenShell Sandbox","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.openshell.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.openshell.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.perplexity","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/perplexity-plugin","help":"OpenClaw Perplexity plugin (plugin: perplexity)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.perplexity.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/perplexity-plugin Config","help":"Plugin-defined config payload for perplexity.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.perplexity.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/perplexity-plugin","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.perplexity.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.perplexity.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.phone-control","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Phone Control","help":"Arm/disarm high-risk phone node commands (camera/screen/writes) with an optional auto-expiry. (plugin: phone-control)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.phone-control.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Phone Control Config","help":"Plugin-defined config payload for phone-control.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.phone-control.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable Phone Control","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.phone-control.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.phone-control.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.qianfan","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/qianfan-provider","help":"OpenClaw Qianfan provider plugin (plugin: qianfan)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.qianfan.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/qianfan-provider Config","help":"Plugin-defined config payload for qianfan.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.qianfan.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/qianfan-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.qianfan.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.qianfan.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.qwen-portal-auth","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"qwen-portal-auth","help":"Plugin entry for qwen-portal-auth.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.qwen-portal-auth.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"qwen-portal-auth Config","help":"Plugin-defined config payload for qwen-portal-auth.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.qwen-portal-auth.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable qwen-portal-auth","hasChildren":false}
@@ -4129,6 +4292,11 @@
 {"recordType":"path","path":"plugins.entries.synology-chat.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/synology-chat","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.synology-chat.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.synology-chat.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.synthetic","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/synthetic-provider","help":"OpenClaw Synthetic provider plugin (plugin: synthetic)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.synthetic.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/synthetic-provider Config","help":"Plugin-defined config payload for synthetic.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.synthetic.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/synthetic-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.synthetic.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.synthetic.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.talk-voice","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Talk Voice","help":"Manage Talk voice selection (list/set). (plugin: talk-voice)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.talk-voice.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Talk Voice Config","help":"Plugin-defined config payload for talk-voice.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.talk-voice.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable Talk Voice","hasChildren":false}
@@ -4152,11 +4320,26 @@
 {"recordType":"path","path":"plugins.entries.tlon.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/tlon","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.tlon.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.tlon.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.together","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/together-provider","help":"OpenClaw Together provider plugin (plugin: together)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.together.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/together-provider Config","help":"Plugin-defined config payload for together.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.together.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/together-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.together.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.together.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.twitch","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/twitch","help":"OpenClaw Twitch channel plugin (plugin: twitch)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.twitch.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/twitch Config","help":"Plugin-defined config payload for twitch.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.twitch.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/twitch","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.twitch.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.twitch.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.venice","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/venice-provider","help":"OpenClaw Venice provider plugin (plugin: venice)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.venice.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/venice-provider Config","help":"Plugin-defined config payload for venice.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.venice.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/venice-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.venice.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.venice.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.vercel-ai-gateway","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/vercel-ai-gateway-provider","help":"OpenClaw Vercel AI Gateway provider plugin (plugin: vercel-ai-gateway)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.vercel-ai-gateway.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/vercel-ai-gateway-provider Config","help":"Plugin-defined config payload for vercel-ai-gateway.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.vercel-ai-gateway.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/vercel-ai-gateway-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.vercel-ai-gateway.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.vercel-ai-gateway.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.vllm","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/vllm-provider","help":"OpenClaw vLLM provider plugin (plugin: vllm)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.vllm.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/vllm-provider Config","help":"Plugin-defined config payload for vllm.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.vllm.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/vllm-provider","hasChildren":false}
@@ -4283,11 +4466,31 @@
 {"recordType":"path","path":"plugins.entries.voice-call.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/voice-call","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.voice-call.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.voice-call.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.volcengine","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/volcengine-provider","help":"OpenClaw Volcengine provider plugin (plugin: volcengine)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.volcengine.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/volcengine-provider Config","help":"Plugin-defined config payload for volcengine.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.volcengine.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/volcengine-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.volcengine.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.volcengine.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.whatsapp","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/whatsapp","help":"OpenClaw WhatsApp channel plugin (plugin: whatsapp)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.whatsapp.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/whatsapp Config","help":"Plugin-defined config payload for whatsapp.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.whatsapp.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/whatsapp","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.whatsapp.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.whatsapp.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.xai","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/xai-plugin","help":"OpenClaw xAI plugin (plugin: xai)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.xai.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/xai-plugin Config","help":"Plugin-defined config payload for xai.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.xai.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/xai-plugin","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.xai.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.xai.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.xiaomi","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/xiaomi-provider","help":"OpenClaw Xiaomi provider plugin (plugin: xiaomi)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.xiaomi.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/xiaomi-provider Config","help":"Plugin-defined config payload for xiaomi.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.xiaomi.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/xiaomi-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.xiaomi.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.xiaomi.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.zai","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/zai-provider","help":"OpenClaw Z.AI provider plugin (plugin: zai)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.zai.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/zai-provider Config","help":"Plugin-defined config payload for zai.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.zai.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/zai-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.zai.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.zai.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.zalo","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/zalo","help":"OpenClaw Zalo channel plugin (plugin: zalo)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.zalo.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/zalo Config","help":"Plugin-defined config payload for zalo.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.zalo.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/zalo","hasChildren":false}
@@ -4303,6 +4506,9 @@
 {"recordType":"path","path":"plugins.installs.*.installedAt","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Install Time","help":"ISO timestamp of last install/update.","hasChildren":false}
 {"recordType":"path","path":"plugins.installs.*.installPath","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["storage"],"label":"Plugin Install Path","help":"Resolved install directory (usually ~/.openclaw/extensions/<id>).","hasChildren":false}
 {"recordType":"path","path":"plugins.installs.*.integrity","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Resolved Integrity","help":"Resolved npm dist integrity hash for the fetched artifact (if reported by npm).","hasChildren":false}
+{"recordType":"path","path":"plugins.installs.*.marketplaceName","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Marketplace Name","help":"Marketplace display name recorded for marketplace-backed plugin installs (if available).","hasChildren":false}
+{"recordType":"path","path":"plugins.installs.*.marketplacePlugin","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Marketplace Plugin","help":"Plugin entry name inside the source marketplace, used for later updates.","hasChildren":false}
+{"recordType":"path","path":"plugins.installs.*.marketplaceSource","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Marketplace Source","help":"Original marketplace source used to resolve the install (for example a repo path or Git URL).","hasChildren":false}
 {"recordType":"path","path":"plugins.installs.*.resolvedAt","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Resolution Time","help":"ISO timestamp when npm package metadata was last resolved for this install record.","hasChildren":false}
 {"recordType":"path","path":"plugins.installs.*.resolvedName","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Resolved Package Name","help":"Resolved npm package name from the fetched artifact.","hasChildren":false}
 {"recordType":"path","path":"plugins.installs.*.resolvedSpec","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Resolved Package Spec","help":"Resolved exact npm spec (<name>@<version>) from the fetched artifact.","hasChildren":false}
@@ -4830,6 +5036,12 @@
 {"recordType":"path","path":"tools.web.search.brave.mode","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["tools"],"label":"Brave Search Mode","help":"Brave Search mode: \"web\" (URL results) or \"llm-context\" (pre-extracted page content for LLM grounding).","hasChildren":false}
 {"recordType":"path","path":"tools.web.search.cacheTtlMinutes","kind":"core","type":"number","required":false,"deprecated":false,"sensitive":false,"tags":["performance","storage","tools"],"label":"Web Search Cache TTL (min)","help":"Cache TTL in minutes for web_search results.","hasChildren":false}
 {"recordType":"path","path":"tools.web.search.enabled","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["tools"],"label":"Enable Web Search Tool","help":"Enable the web_search tool (requires a provider API key).","hasChildren":false}
+{"recordType":"path","path":"tools.web.search.firecrawl","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
+{"recordType":"path","path":"tools.web.search.firecrawl.apiKey","kind":"core","type":["object","string"],"required":false,"deprecated":false,"sensitive":true,"tags":["auth","security","tools"],"label":"Firecrawl Search API Key","help":"Firecrawl API key for web search (fallback: FIRECRAWL_API_KEY env var).","hasChildren":true}
+{"recordType":"path","path":"tools.web.search.firecrawl.apiKey.id","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"tools.web.search.firecrawl.apiKey.provider","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"tools.web.search.firecrawl.apiKey.source","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"tools.web.search.firecrawl.baseUrl","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["tools"],"label":"Firecrawl Search Base URL","help":"Firecrawl Search base URL override (default: \"https://api.firecrawl.dev\").","hasChildren":false}
 {"recordType":"path","path":"tools.web.search.gemini","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
 {"recordType":"path","path":"tools.web.search.gemini.apiKey","kind":"core","type":["object","string"],"required":false,"deprecated":false,"sensitive":true,"tags":["auth","security","tools"],"label":"Gemini Search API Key","help":"Gemini API key for Google Search grounding (fallback: GEMINI_API_KEY env var).","hasChildren":true}
 {"recordType":"path","path":"tools.web.search.gemini.apiKey.id","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -4858,7 +5070,7 @@
 {"recordType":"path","path":"tools.web.search.perplexity.apiKey.source","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"tools.web.search.perplexity.baseUrl","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["tools"],"label":"Perplexity Base URL","help":"Optional Perplexity/OpenRouter chat-completions base URL override. Setting this opts Perplexity into the legacy Sonar/OpenRouter compatibility path.","hasChildren":false}
 {"recordType":"path","path":"tools.web.search.perplexity.model","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["models","tools"],"label":"Perplexity Model","help":"Optional Sonar/OpenRouter model override (default: \"perplexity/sonar-pro\"). Setting this opts Perplexity into the legacy chat-completions compatibility path.","hasChildren":false}
-{"recordType":"path","path":"tools.web.search.provider","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["tools"],"label":"Web Search Provider","help":"Search provider (\"brave\", \"gemini\", \"grok\", \"kimi\", or \"perplexity\"). Auto-detected from available API keys if omitted.","hasChildren":false}
+{"recordType":"path","path":"tools.web.search.provider","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["tools"],"label":"Web Search Provider","help":"Search provider (\"brave\", \"firecrawl\", \"gemini\", \"grok\", \"kimi\", or \"perplexity\"). Auto-detected from available API keys if omitted.","hasChildren":false}
 {"recordType":"path","path":"tools.web.search.timeoutSeconds","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["performance","tools"],"label":"Web Search Timeout (sec)","help":"Timeout in seconds for web_search requests.","hasChildren":false}
 {"recordType":"path","path":"ui","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"UI","help":"UI presentation settings for accenting and assistant identity shown in control surfaces. Use this for branding and readability customization without changing runtime behavior.","hasChildren":true}
 {"recordType":"path","path":"ui.assistant","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Assistant Appearance","help":"Assistant display identity settings for name and avatar shown in UI surfaces. Keep these values aligned with your operator-facing persona and support expectations.","hasChildren":true}
@@ -4882,9 +5094,9 @@
 {"recordType":"path","path":"web.reconnect.jitter","kind":"core","type":"number","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Web Reconnect Jitter","help":"Randomization factor (0-1) applied to reconnect delays to desynchronize clients after outage events. Keep non-zero jitter in multi-client deployments to reduce synchronized spikes.","hasChildren":false}
 {"recordType":"path","path":"web.reconnect.maxAttempts","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"Web Reconnect Max Attempts","help":"Maximum reconnect attempts before giving up for the current failure sequence (0 means no retries). Use finite caps for controlled failure handling in automation-sensitive environments.","hasChildren":false}
 {"recordType":"path","path":"web.reconnect.maxMs","kind":"core","type":"number","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"Web Reconnect Max Delay (ms)","help":"Maximum reconnect backoff cap in milliseconds to bound retry delay growth over repeated failures. Use a reasonable cap so recovery remains timely after prolonged outages.","hasChildren":false}
-{"recordType":"path","path":"wizard","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Setup Wizard State","help":"Setup wizard state tracking fields that record the most recent guided onboarding run details. Keep these fields for observability and troubleshooting of setup flows across upgrades.","hasChildren":true}
-{"recordType":"path","path":"wizard.lastRunAt","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Timestamp","help":"ISO timestamp for when the setup wizard most recently completed on this host. Use this to confirm onboarding recency during support and operational audits.","hasChildren":false}
-{"recordType":"path","path":"wizard.lastRunCommand","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Command","help":"Command invocation recorded for the latest wizard run to preserve execution context. Use this to reproduce onboarding steps when verifying setup regressions.","hasChildren":false}
-{"recordType":"path","path":"wizard.lastRunCommit","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Commit","help":"Source commit identifier recorded for the last wizard execution in development builds. Use this to correlate onboarding behavior with exact source state during debugging.","hasChildren":false}
-{"recordType":"path","path":"wizard.lastRunMode","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Mode","help":"Wizard execution mode recorded as \"local\" or \"remote\" for the most recent onboarding flow. Use this to understand whether setup targeted direct local runtime or remote gateway topology.","hasChildren":false}
-{"recordType":"path","path":"wizard.lastRunVersion","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Version","help":"OpenClaw version recorded at the time of the most recent wizard run on this config. Use this when diagnosing behavior differences across version-to-version onboarding changes.","hasChildren":false}
+{"recordType":"path","path":"wizard","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Setup Wizard State","help":"Setup wizard state tracking fields that record the most recent guided setup run details. Keep these fields for observability and troubleshooting of setup flows across upgrades.","hasChildren":true}
+{"recordType":"path","path":"wizard.lastRunAt","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Timestamp","help":"ISO timestamp for when the setup wizard most recently completed on this host. Use this to confirm setup recency during support and operational audits.","hasChildren":false}
+{"recordType":"path","path":"wizard.lastRunCommand","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Command","help":"Command invocation recorded for the latest wizard run to preserve execution context. Use this to reproduce setup steps when verifying setup regressions.","hasChildren":false}
+{"recordType":"path","path":"wizard.lastRunCommit","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Commit","help":"Source commit identifier recorded for the last wizard execution in development builds. Use this to correlate setup behavior with exact source state during debugging.","hasChildren":false}
+{"recordType":"path","path":"wizard.lastRunMode","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Mode","help":"Wizard execution mode recorded as \"local\" or \"remote\" for the most recent setup flow. Use this to understand whether setup targeted direct local runtime or remote gateway topology.","hasChildren":false}
+{"recordType":"path","path":"wizard.lastRunVersion","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Version","help":"OpenClaw version recorded at the time of the most recent wizard run on this config. Use this when diagnosing behavior differences across version-to-version setup changes.","hasChildren":false}
diff --git a/docs/.i18n/glossary.zh-CN.json b/docs/.i18n/glossary.zh-CN.json
index f8941862b94..36e44b6d909 100644
--- a/docs/.i18n/glossary.zh-CN.json
+++ b/docs/.i18n/glossary.zh-CN.json
@@ -47,6 +47,18 @@
     "source": "Quick Start",
     "target": "快速开始"
   },
+  {
+    "source": "Setup Wizard Reference",
+    "target": "设置向导参考"
+  },
+  {
+    "source": "CLI Setup Reference",
+    "target": "CLI 设置参考"
+  },
+  {
+    "source": "Setup Wizard (CLI)",
+    "target": "设置向导（CLI）"
+  },
   {
     "source": "Docs directory",
     "target": "文档目录"
diff --git a/docs/channels/feishu.md b/docs/channels/feishu.md
index 2fc16aed5d4..41882e78264 100644
--- a/docs/channels/feishu.md
+++ b/docs/channels/feishu.md
@@ -30,9 +30,9 @@ openclaw plugins install @openclaw/feishu
 
 There are two ways to add the Feishu channel:
 
-### Method 1: onboarding wizard (recommended)
+### Method 1: setup wizard (recommended)
 
-If you just installed OpenClaw, run the wizard:
+If you just installed OpenClaw, run the setup wizard:
 
 ```bash
 openclaw onboard
@@ -711,7 +711,7 @@ Key options:
 - ✅ Images
 - ✅ Files
 - ✅ Audio
-- ✅ Video
+- ✅ Video/media
 - ✅ Stickers
 
 ### Send
@@ -720,4 +720,28 @@ Key options:
 - ✅ Images
 - ✅ Files
 - ✅ Audio
-- ⚠️ Rich text (partial support)
+- ✅ Video/media
+- ✅ Interactive cards
+- ⚠️ Rich text (post-style formatting and cards, not arbitrary Feishu authoring features)
+
+### Threads and replies
+
+- ✅ Inline replies
+- ✅ Topic-thread replies where Feishu exposes `reply_in_thread`
+- ✅ Media replies stay thread-aware when replying to a thread/topic message
+
+## Runtime action surface
+
+Feishu currently exposes these runtime actions:
+
+- `send`
+- `read`
+- `edit`
+- `thread-reply`
+- `pin`
+- `list-pins`
+- `unpin`
+- `member-info`
+- `channel-info`
+- `channel-list`
+- `react` and `reactions` when reactions are enabled in config
diff --git a/docs/channels/matrix.md b/docs/channels/matrix.md
index 9bb56d1ddb7..1536a7c08ac 100644
--- a/docs/channels/matrix.md
+++ b/docs/channels/matrix.md
@@ -31,7 +31,7 @@ Local checkout (when running from a git repo):
 openclaw plugins install ./extensions/matrix
 ```
 
-If you choose Matrix during configure/onboarding and a git checkout is detected,
+If you choose Matrix during setup and a git checkout is detected,
 OpenClaw will offer the local install path automatically.
 
 Details: [Plugins](/tools/plugin)
@@ -72,7 +72,7 @@ Details: [Plugins](/tools/plugin)
    - If both are set, config takes precedence.
    - With access token: user ID is fetched automatically via `/whoami`.
    - When set, `channels.matrix.userId` should be the full Matrix ID (example: `@bot:example.org`).
-5. Restart the gateway (or finish onboarding).
+5. Restart the gateway (or finish setup).
 6. Start a DM with the bot or invite it to a room from any Matrix client
    (Element, Beeper, etc.; see [https://matrix.org/ecosystem/clients/](https://matrix.org/ecosystem/clients/)). Beeper requires E2EE,
    so set `channels.matrix.encryption: true` and verify the device.
diff --git a/docs/channels/mattermost.md b/docs/channels/mattermost.md
index 1e3e3f4bad2..2ceb6c17626 100644
--- a/docs/channels/mattermost.md
+++ b/docs/channels/mattermost.md
@@ -28,7 +28,7 @@ Local checkout (when running from a git repo):
 openclaw plugins install ./extensions/mattermost
 ```
 
-If you choose Mattermost during configure/onboarding and a git checkout is detected,
+If you choose Mattermost during setup and a git checkout is detected,
 OpenClaw will offer the local install path automatically.
 
 Details: [Plugins](/tools/plugin)
diff --git a/docs/channels/msteams.md b/docs/channels/msteams.md
index a24f20c69df..88cba3ce6aa 100644
--- a/docs/channels/msteams.md
+++ b/docs/channels/msteams.md
@@ -33,7 +33,7 @@ Local checkout (when running from a git repo):
 openclaw plugins install ./extensions/msteams
 ```
 
-If you choose Teams during configure/onboarding and a git checkout is detected,
+If you choose Teams during setup and a git checkout is detected,
 OpenClaw will offer the local install path automatically.
 
 Details: [Plugins](/tools/plugin)
diff --git a/docs/channels/nextcloud-talk.md b/docs/channels/nextcloud-talk.md
index 7797b1276ff..f8be8d74f0c 100644
--- a/docs/channels/nextcloud-talk.md
+++ b/docs/channels/nextcloud-talk.md
@@ -25,7 +25,7 @@ Local checkout (when running from a git repo):
 openclaw plugins install ./extensions/nextcloud-talk
 ```
 
-If you choose Nextcloud Talk during configure/onboarding and a git checkout is detected,
+If you choose Nextcloud Talk during setup and a git checkout is detected,
 OpenClaw will offer the local install path automatically.
 
 Details: [Plugins](/tools/plugin)
@@ -43,7 +43,7 @@ Details: [Plugins](/tools/plugin)
 4. Configure OpenClaw:
    - Config: `channels.nextcloud-talk.baseUrl` + `channels.nextcloud-talk.botSecret`
    - Or env: `NEXTCLOUD_TALK_BOT_SECRET` (default account only)
-5. Restart the gateway (or finish onboarding).
+5. Restart the gateway (or finish setup).
 
 Minimal config:
 
diff --git a/docs/channels/nostr.md b/docs/channels/nostr.md
index 3368933d6c4..46888da0352 100644
--- a/docs/channels/nostr.md
+++ b/docs/channels/nostr.md
@@ -16,7 +16,7 @@ Nostr is a decentralized protocol for social networking. This channel enables Op
 
 ### Onboarding (recommended)
 
-- The onboarding wizard (`openclaw onboard`) and `openclaw channels add` list optional channel plugins.
+- The setup wizard (`openclaw onboard`) and `openclaw channels add` list optional channel plugins.
 - Selecting Nostr prompts you to install the plugin on demand.
 
 Install defaults:
@@ -40,6 +40,15 @@ openclaw plugins install --link <path-to-openclaw>/extensions/nostr
 
 Restart the Gateway after installing or enabling plugins.
 
+### Non-interactive setup
+
+```bash
+openclaw channels add --channel nostr --private-key "$NOSTR_PRIVATE_KEY"
+openclaw channels add --channel nostr --private-key "$NOSTR_PRIVATE_KEY" --relay-urls "wss://relay.damus.io,wss://relay.primal.net"
+```
+
+Use `--use-env` to keep `NOSTR_PRIVATE_KEY` in the environment instead of storing the key in config.
+
 ## Quick setup
 
 1. Generate a Nostr keypair (if needed):
diff --git a/docs/channels/synology-chat.md b/docs/channels/synology-chat.md
index 89e96b318a3..aae655f27b7 100644
--- a/docs/channels/synology-chat.md
+++ b/docs/channels/synology-chat.md
@@ -27,13 +27,17 @@ Details: [Plugins](/tools/plugin)
 ## Quick setup
 
 1. Install and enable the Synology Chat plugin.
+   - `openclaw onboard` now shows Synology Chat in the same channel setup list as `openclaw channels add`.
+   - Non-interactive setup: `openclaw channels add --channel synology-chat --token <token> --url <incoming-webhook-url>`
 2. In Synology Chat integrations:
    - Create an incoming webhook and copy its URL.
    - Create an outgoing webhook with your secret token.
 3. Point the outgoing webhook URL to your OpenClaw gateway:
    - `https://gateway-host/webhook/synology` by default.
    - Or your custom `channels.synology-chat.webhookPath`.
-4. Configure `channels.synology-chat` in OpenClaw.
+4. Finish setup in OpenClaw.
+   - Guided: `openclaw onboard`
+   - Direct: `openclaw channels add --channel synology-chat --token <token> --url <incoming-webhook-url>`
 5. Restart gateway and send a DM to the Synology Chat bot.
 
 Minimal config:
diff --git a/docs/channels/telegram.md b/docs/channels/telegram.md
index 37be3bf1111..b5700213830 100644
--- a/docs/channels/telegram.md
+++ b/docs/channels/telegram.md
@@ -115,7 +115,7 @@ Token resolution order is account-aware. In practice, config values win over env
 
     `channels.telegram.allowFrom` accepts numeric Telegram user IDs. `telegram:` / `tg:` prefixes are accepted and normalized.
     `dmPolicy: "allowlist"` with empty `allowFrom` blocks all DMs and is rejected by config validation.
-    The onboarding wizard accepts `@username` input and resolves it to numeric IDs.
+    The setup wizard accepts `@username` input and resolves it to numeric IDs.
     If you upgraded and your config contains `@username` allowlist entries, run `openclaw doctor --fix` to resolve them (best-effort; requires a Telegram bot token).
     If you previously relied on pairing-store allowlist files, `openclaw doctor --fix` can recover entries into `channels.telegram.allowFrom` in allowlist flows (for example when `dmPolicy: "allowlist"` has no explicit IDs yet).
 
diff --git a/docs/channels/whatsapp.md b/docs/channels/whatsapp.md
index cad9fe77ee3..850d88ffcac 100644
--- a/docs/channels/whatsapp.md
+++ b/docs/channels/whatsapp.md
@@ -76,7 +76,7 @@ openclaw pairing approve whatsapp <CODE>
 </Steps>
 
 <Note>
-OpenClaw recommends running WhatsApp on a separate number when possible. (The channel metadata and onboarding flow are optimized for that setup, but personal-number setups are also supported.)
+OpenClaw recommends running WhatsApp on a separate number when possible. (The channel metadata and setup flow are optimized for that setup, but personal-number setups are also supported.)
 </Note>
 
 ## Deployment patterns
diff --git a/docs/channels/zalo.md b/docs/channels/zalo.md
index cf53b574e42..b327f596f74 100644
--- a/docs/channels/zalo.md
+++ b/docs/channels/zalo.md
@@ -14,7 +14,7 @@ Status: experimental. DMs are supported. The [Capabilities](#capabilities) secti
 Zalo ships as a plugin and is not bundled with the core install.
 
 - Install via CLI: `openclaw plugins install @openclaw/zalo`
-- Or select **Zalo** during onboarding and confirm the install prompt
+- Or select **Zalo** during setup and confirm the install prompt
 - Details: [Plugins](/tools/plugin)
 
 ## Quick setup (beginner)
@@ -22,11 +22,11 @@ Zalo ships as a plugin and is not bundled with the core install.
 1. Install the Zalo plugin:
    - From a source checkout: `openclaw plugins install ./extensions/zalo`
    - From npm (if published): `openclaw plugins install @openclaw/zalo`
-   - Or pick **Zalo** in onboarding and confirm the install prompt
+   - Or pick **Zalo** in setup and confirm the install prompt
 2. Set the token:
    - Env: `ZALO_BOT_TOKEN=...`
    - Or config: `channels.zalo.accounts.default.botToken: "..."`.
-3. Restart the gateway (or finish onboarding).
+3. Restart the gateway (or finish setup).
 4. DM access is pairing by default; approve the pairing code on first contact.
 
 Minimal config:
diff --git a/docs/channels/zalouser.md b/docs/channels/zalouser.md
index 58bd2a43923..4847430c8ac 100644
--- a/docs/channels/zalouser.md
+++ b/docs/channels/zalouser.md
@@ -41,7 +41,7 @@ No external `zca`/`openzca` CLI binary is required.
 }
 ```
 
-4. Restart the Gateway (or finish onboarding).
+4. Restart the Gateway (or finish setup).
 5. DM access defaults to pairing; approve the pairing code on first contact.
 
 ## What it is
@@ -74,7 +74,7 @@ openclaw directory groups list --channel zalouser --query "work"
 
 `channels.zalouser.dmPolicy` supports: `pairing | allowlist | open | disabled` (default: `pairing`).
 
-`channels.zalouser.allowFrom` accepts user IDs or names. During onboarding, names are resolved to IDs using the plugin's in-process contact lookup.
+`channels.zalouser.allowFrom` accepts user IDs or names. During setup, names are resolved to IDs using the plugin's in-process contact lookup.
 
 Approve via:
 
diff --git a/docs/cli/browser.md b/docs/cli/browser.md
index f9ddc151717..42af08f84f3 100644
--- a/docs/cli/browser.md
+++ b/docs/cli/browser.md
@@ -1,9 +1,9 @@
 ---
-summary: "CLI reference for `openclaw browser` (profiles, tabs, actions, extension relay)"
+summary: "CLI reference for `openclaw browser` (profiles, tabs, actions, Chrome MCP, and CDP)"
 read_when:
   - You use `openclaw browser` and want examples for common tasks
   - You want to control a browser running on another machine via a node host
-  - You want to use the Chrome extension relay (attach/detach via toolbar button)
+  - You want to attach to your local signed-in Chrome via Chrome MCP
 title: "browser"
 ---
 
@@ -14,7 +14,6 @@ Manage OpenClaw’s browser control server and run browser actions (tabs, snapsh
 Related:
 
 - Browser tool + API: [Browser tool](/tools/browser)
-- Chrome extension relay: [Chrome extension](/tools/chrome-extension)
 
 ## Common flags
 
@@ -37,13 +36,14 @@ openclaw browser --browser-profile openclaw snapshot
 
 Profiles are named browser routing configs. In practice:
 
-- `openclaw`: launches/attaches to a dedicated OpenClaw-managed Chrome instance (isolated user data dir).
+- `openclaw`: launches or attaches to a dedicated OpenClaw-managed Chrome instance (isolated user data dir).
 - `user`: controls your existing signed-in Chrome session via Chrome DevTools MCP.
-- `chrome-relay`: controls your existing Chrome tab(s) via the Chrome extension relay.
+- custom CDP profiles: point at a local or remote CDP endpoint.
 
 ```bash
 openclaw browser profiles
 openclaw browser create-profile --name work --color "#FF5A36"
+openclaw browser create-profile --name chrome-live --driver existing-session
 openclaw browser delete-profile --name work
 ```
 
@@ -84,20 +84,17 @@ openclaw browser click <ref>
 openclaw browser type <ref> "hello"
 ```
 
-## Chrome extension relay (attach via toolbar button)
+## Existing Chrome via MCP
 
-This mode lets the agent control an existing Chrome tab that you attach manually (it does not auto-attach).
-
-Install the unpacked extension to a stable path:
+Use the built-in `user` profile, or create your own `existing-session` profile:
 
 ```bash
-openclaw browser extension install
-openclaw browser extension path
+openclaw browser --browser-profile user tabs
+openclaw browser create-profile --name chrome-live --driver existing-session
+openclaw browser --browser-profile chrome-live tabs
 ```
 
-Then Chrome → `chrome://extensions` → enable “Developer mode” → “Load unpacked” → select the printed folder.
-
-Full guide: [Chrome extension](/tools/chrome-extension)
+This path is host-only. For Docker, headless servers, Browserless, or other remote setups, use a CDP profile instead.
 
 ## Remote browser control (node host proxy)
 
diff --git a/docs/cli/channels.md b/docs/cli/channels.md
index 654fbef5fa9..96b9ef33f8c 100644
--- a/docs/cli/channels.md
+++ b/docs/cli/channels.md
@@ -30,10 +30,11 @@ openclaw channels logs --channel all
 
 ```bash
 openclaw channels add --channel telegram --token <bot-token>
+openclaw channels add --channel nostr --private-key "$NOSTR_PRIVATE_KEY"
 openclaw channels remove --channel telegram --delete
 ```
 
-Tip: `openclaw channels add --help` shows per-channel flags (token, app token, signal-cli paths, etc).
+Tip: `openclaw channels add --help` shows per-channel flags (token, private key, app token, signal-cli paths, etc).
 
 When you run `openclaw channels add` without flags, the interactive wizard can prompt:
 
diff --git a/docs/cli/daemon.md b/docs/cli/daemon.md
index 8f6042e7400..f21c3930ece 100644
--- a/docs/cli/daemon.md
+++ b/docs/cli/daemon.md
@@ -34,13 +34,15 @@ openclaw daemon uninstall
 
 ## Common options
 
-- `status`: `--url`, `--token`, `--password`, `--timeout`, `--no-probe`, `--deep`, `--json`
+- `status`: `--url`, `--token`, `--password`, `--timeout`, `--no-probe`, `--require-rpc`, `--deep`, `--json`
 - `install`: `--port`, `--runtime <node|bun>`, `--token`, `--force`, `--json`
 - lifecycle (`uninstall|start|stop|restart`): `--json`
 
 Notes:
 
 - `status` resolves configured auth SecretRefs for probe auth when possible.
+- If a required auth SecretRef is unresolved in this command path, `daemon status --json` reports `rpc.authWarning` when probe connectivity/auth fails; pass `--token`/`--password` explicitly or resolve the secret source first.
+- If the probe succeeds, unresolved auth-ref warnings are suppressed to avoid false positives.
 - On Linux systemd installs, `status` token-drift checks include both `Environment=` and `EnvironmentFile=` unit sources.
 - When token auth requires a token and `gateway.auth.token` is SecretRef-managed, `install` validates that the SecretRef is resolvable but does not persist the resolved token into service environment metadata.
 - If token auth requires a token and the configured token SecretRef is unresolved, install fails closed.
diff --git a/docs/cli/docs.md b/docs/cli/docs.md
index 6b79aabe6f1..744c50e1432 100644
--- a/docs/cli/docs.md
+++ b/docs/cli/docs.md
@@ -10,6 +10,6 @@ title: "docs"
 Search the live docs index.
 
 ```bash
-openclaw docs browser extension
+openclaw docs browser existing-session
 openclaw docs sandbox allowHostControl
 ```
diff --git a/docs/cli/doctor.md b/docs/cli/doctor.md
index 90e5fa7d7a2..4718135ee68 100644
--- a/docs/cli/doctor.md
+++ b/docs/cli/doctor.md
@@ -31,6 +31,7 @@ Notes:
 - Doctor also scans `~/.openclaw/cron/jobs.json` (or `cron.store`) for legacy cron job shapes and can rewrite them in place before the scheduler has to auto-normalize them at runtime.
 - Doctor includes a memory-search readiness check and can recommend `openclaw configure --section model` when embedding credentials are missing.
 - If sandbox mode is enabled but Docker is unavailable, doctor reports a high-signal warning with remediation (`install Docker` or `openclaw config set agents.defaults.sandbox.mode off`).
+- If `gateway.auth.token`/`gateway.auth.password` are SecretRef-managed and unavailable in the current command path, doctor reports a read-only warning and does not write plaintext fallback credentials.
 
 ## macOS: `launchctl` env overrides
 
diff --git a/docs/cli/gateway.md b/docs/cli/gateway.md
index 16b05baefce..d36fbde6c35 100644
--- a/docs/cli/gateway.md
+++ b/docs/cli/gateway.md
@@ -111,7 +111,8 @@ Options:
 Notes:
 
 - `gateway status` resolves configured auth SecretRefs for probe auth when possible.
-- If a required auth SecretRef is unresolved in this command path, probe auth can fail; pass `--token`/`--password` explicitly or resolve the secret source first.
+- If a required auth SecretRef is unresolved in this command path, `gateway status --json` reports `rpc.authWarning` when probe connectivity/auth fails; pass `--token`/`--password` explicitly or resolve the secret source first.
+- If the probe succeeds, unresolved auth-ref warnings are suppressed to avoid false positives.
 - Use `--require-rpc` in scripts and automation when a listening service is not enough and you need the Gateway RPC itself to be healthy.
 - On Linux systemd installs, service auth drift checks read both `Environment=` and `EnvironmentFile=` values from the unit (including `%h`, quoted paths, multiple files, and optional `-` files).
 
diff --git a/docs/cli/index.md b/docs/cli/index.md
index ddedc7ca1aa..9c4b58d1c35 100644
--- a/docs/cli/index.md
+++ b/docs/cli/index.md
@@ -284,7 +284,8 @@ Manage extensions and their config:
 
 - `openclaw plugins list` — discover plugins (use `--json` for machine output).
 - `openclaw plugins info <id>` — show details for a plugin.
-- `openclaw plugins install <path|.tgz|npm-spec>` — install a plugin (or add a plugin path to `plugins.load.paths`).
+- `openclaw plugins install <path|.tgz|npm-spec|plugin@marketplace>` — install a plugin (or add a plugin path to `plugins.load.paths`).
+- `openclaw plugins marketplace list <marketplace>` — list marketplace entries before install.
 - `openclaw plugins enable <id>` / `disable <id>` — toggle `plugins.entries.<id>.enabled`.
 - `openclaw plugins doctor` — report plugin load errors.
 
@@ -317,7 +318,7 @@ Initialize config + workspace.
 Options:
 
 - `--workspace <dir>`: agent workspace path (default `~/.openclaw/workspace`).
-- `--wizard`: run the onboarding wizard.
+- `--wizard`: run the setup wizard.
 - `--non-interactive`: run wizard without prompts.
 - `--mode <local|remote>`: wizard mode.
 - `--remote-url <url>`: remote Gateway URL.
@@ -676,7 +677,7 @@ Surfaces:
 Notes:
 
 - Data comes directly from provider usage endpoints (no estimates).
-- Providers: Anthropic, GitHub Copilot, OpenAI Codex OAuth, plus Gemini CLI/Antigravity when those provider plugins are enabled.
+- Providers: Anthropic, GitHub Copilot, OpenAI Codex OAuth, plus Gemini CLI via the bundled `google` plugin and Antigravity where configured.
 - If no matching credentials exist, usage is hidden.
 - Details: see [Usage tracking](/concepts/usage-tracking).
 
@@ -783,6 +784,7 @@ Notes:
 - `gateway status` supports `--no-probe`, `--deep`, `--require-rpc`, and `--json` for scripting.
 - `gateway status` also surfaces legacy or extra gateway services when it can detect them (`--deep` adds system-level scans). Profile-named OpenClaw services are treated as first-class and aren't flagged as "extra".
 - `gateway status` prints which config path the CLI uses vs which config the service likely uses (service env), plus the resolved probe target URL.
+- If gateway auth SecretRefs are unresolved in the current command path, `gateway status --json` reports `rpc.authWarning` only when probe connectivity/auth fails (warnings are suppressed when probe succeeds).
 - On Linux systemd installs, status token-drift checks include both `Environment=` and `EnvironmentFile=` unit sources.
 - `gateway install|uninstall|start|stop|restart` support `--json` for scripting (default output stays human-friendly).
 - `gateway install` defaults to Node runtime; bun is **not recommended** (WhatsApp/Telegram bugs).
diff --git a/docs/cli/onboard.md b/docs/cli/onboard.md
index 4b30e0d52b3..899ccd82713 100644
--- a/docs/cli/onboard.md
+++ b/docs/cli/onboard.md
@@ -1,5 +1,5 @@
 ---
-summary: "CLI reference for `openclaw onboard` (interactive onboarding wizard)"
+summary: "CLI reference for `openclaw onboard` (interactive setup wizard)"
 read_when:
   - You want guided setup for gateway, workspace, auth, channels, and skills
 title: "onboard"
@@ -7,13 +7,13 @@ title: "onboard"
 
 # `openclaw onboard`
 
-Interactive onboarding wizard (local or remote Gateway setup).
+Interactive setup wizard (local or remote Gateway setup).
 
 ## Related guides
 
-- CLI onboarding hub: [Onboarding Wizard (CLI)](/start/wizard)
+- CLI onboarding hub: [Setup Wizard (CLI)](/start/wizard)
 - Onboarding overview: [Onboarding Overview](/start/onboarding-overview)
-- CLI onboarding reference: [CLI Onboarding Reference](/start/wizard-cli-reference)
+- CLI onboarding reference: [CLI Setup Reference](/start/wizard-cli-reference)
 - CLI automation: [CLI Automation](/start/wizard-cli-automation)
 - macOS onboarding: [Onboarding (macOS App)](/start/onboarding)
 
@@ -140,7 +140,7 @@ Flow notes:
 
 - `quickstart`: minimal prompts, auto-generates a gateway token.
 - `manual`: full prompts for port/bind/auth (alias of `advanced`).
-- Local onboarding DM scope behavior: [CLI Onboarding Reference](/start/wizard-cli-reference#outputs-and-internals).
+- Local onboarding DM scope behavior: [CLI Setup Reference](/start/wizard-cli-reference#outputs-and-internals).
 - Fastest first chat: `openclaw dashboard` (Control UI, no channel setup).
 - Custom Provider: connect any OpenAI or Anthropic compatible endpoint,
   including hosted providers not listed. Use Unknown to auto-detect.
diff --git a/docs/cli/plugins.md b/docs/cli/plugins.md
index 4d9d1e8e80d..5e551a9c64f 100644
--- a/docs/cli/plugins.md
+++ b/docs/cli/plugins.md
@@ -1,5 +1,5 @@
 ---
-summary: "CLI reference for `openclaw plugins` (list, install, uninstall, enable/disable, doctor)"
+summary: "CLI reference for `openclaw plugins` (list, install, marketplace, uninstall, enable/disable, doctor)"
 read_when:
   - You want to install or manage Gateway plugins or compatible bundles
   - You want to debug plugin load failures
@@ -28,6 +28,7 @@ openclaw plugins uninstall <id>
 openclaw plugins doctor
 openclaw plugins update <id>
 openclaw plugins update --all
+openclaw plugins marketplace list <marketplace>
 ```
 
 Bundled plugins ship with OpenClaw but start disabled. Use `plugins enable` to
@@ -46,6 +47,8 @@ capabilities.
 ```bash
 openclaw plugins install <path-or-spec>
 openclaw plugins install <npm-spec> --pin
+openclaw plugins install <plugin>@<marketplace>
+openclaw plugins install <plugin> --marketplace <marketplace>
 ```
 
 Security note: treat plugin installs like running code. Prefer pinned versions.
@@ -65,6 +68,31 @@ name, use an explicit scoped spec (for example `@scope/diffs`).
 
 Supported archives: `.zip`, `.tgz`, `.tar.gz`, `.tar`.
 
+Claude marketplace installs are also supported.
+
+Use `plugin@marketplace` shorthand when the marketplace name exists in Claude's
+local registry cache at `~/.claude/plugins/known_marketplaces.json`:
+
+```bash
+openclaw plugins marketplace list <marketplace-name>
+openclaw plugins install <plugin-name>@<marketplace-name>
+```
+
+Use `--marketplace` when you want to pass the marketplace source explicitly:
+
+```bash
+openclaw plugins install <plugin-name> --marketplace <marketplace-name>
+openclaw plugins install <plugin-name> --marketplace <owner/repo>
+openclaw plugins install <plugin-name> --marketplace ./my-marketplace
+```
+
+Marketplace sources can be:
+
+- a Claude known-marketplace name from `~/.claude/plugins/known_marketplaces.json`
+- a local marketplace root or `marketplace.json` path
+- a GitHub repo shorthand such as `owner/repo`
+- a git URL
+
 For local paths and archives, OpenClaw auto-detects:
 
 - native OpenClaw plugins (`openclaw.plugin.json`)
@@ -114,7 +142,8 @@ openclaw plugins update --all
 openclaw plugins update <id> --dry-run
 ```
 
-Updates only apply to plugins installed from npm (tracked in `plugins.installs`).
+Updates apply to tracked installs in `plugins.installs`, currently npm and
+marketplace installs.
 
 When a stored integrity hash exists and the fetched artifact hash changes,
 OpenClaw prints a warning and asks for confirmation before proceeding. Use
diff --git a/docs/cli/sandbox.md b/docs/cli/sandbox.md
index e8e4614a9ff..5764851dc70 100644
--- a/docs/cli/sandbox.md
+++ b/docs/cli/sandbox.md
@@ -1,17 +1,29 @@
 ---
 title: Sandbox CLI
-summary: "Manage sandbox containers and inspect effective sandbox policy"
-read_when: "You are managing sandbox containers or debugging sandbox/tool-policy behavior."
+summary: "Manage sandbox runtimes and inspect effective sandbox policy"
+read_when: "You are managing sandbox runtimes or debugging sandbox/tool-policy behavior."
 status: active
 ---
 
 # Sandbox CLI
 
-Manage Docker-based sandbox containers for isolated agent execution.
+Manage sandbox runtimes for isolated agent execution.
 
 ## Overview
 
-OpenClaw can run agents in isolated Docker containers for security. The `sandbox` commands help you manage these containers, especially after updates or configuration changes.
+OpenClaw can run agents in isolated sandbox runtimes for security. The `sandbox` commands help you inspect and recreate those runtimes after updates or configuration changes.
+
+Today that usually means:
+
+- Docker sandbox containers
+- SSH sandbox runtimes when `agents.defaults.sandbox.backend = "ssh"`
+- OpenShell sandbox runtimes when `agents.defaults.sandbox.backend = "openshell"`
+
+For `ssh` and OpenShell `remote`, recreate matters more than with Docker:
+
+- the remote workspace is canonical after the initial seed
+- `openclaw sandbox recreate` deletes that canonical remote workspace for the selected scope
+- next use seeds it again from the current local workspace
 
 ## Commands
 
@@ -28,7 +40,7 @@ openclaw sandbox explain --json
 
 ### `openclaw sandbox list`
 
-List all sandbox containers with their status and configuration.
+List all sandbox runtimes with their status and configuration.
 
 ```bash
 openclaw sandbox list
@@ -38,15 +50,16 @@ openclaw sandbox list --json     # JSON output
 
 **Output includes:**
 
-- Container name and status (running/stopped)
-- Docker image and whether it matches config
+- Runtime name and status
+- Backend (`docker`, `openshell`, etc.)
+- Config label and whether it matches current config
 - Age (time since creation)
 - Idle time (time since last use)
 - Associated session/agent
 
 ### `openclaw sandbox recreate`
 
-Remove sandbox containers to force recreation with updated images/config.
+Remove sandbox runtimes to force recreation with updated config.
 
 ```bash
 openclaw sandbox recreate --all                # Recreate all containers
@@ -64,11 +77,11 @@ openclaw sandbox recreate --all --force        # Skip confirmation
 - `--browser`: Only recreate browser containers
 - `--force`: Skip confirmation prompt
 
-**Important:** Containers are automatically recreated when the agent is next used.
+**Important:** Runtimes are automatically recreated when the agent is next used.
 
 ## Use Cases
 
-### After updating Docker images
+### After updating a Docker image
 
 ```bash
 # Pull new image
@@ -91,6 +104,37 @@ openclaw sandbox recreate --all
 openclaw sandbox recreate --all
 ```
 
+### After changing SSH target or SSH auth material
+
+```bash
+# Edit config:
+# - agents.defaults.sandbox.backend
+# - agents.defaults.sandbox.ssh.target
+# - agents.defaults.sandbox.ssh.workspaceRoot
+# - agents.defaults.sandbox.ssh.identityFile / certificateFile / knownHostsFile
+# - agents.defaults.sandbox.ssh.identityData / certificateData / knownHostsData
+
+openclaw sandbox recreate --all
+```
+
+For the core `ssh` backend, recreate deletes the per-scope remote workspace root
+on the SSH target. The next run seeds it again from the local workspace.
+
+### After changing OpenShell source, policy, or mode
+
+```bash
+# Edit config:
+# - agents.defaults.sandbox.backend
+# - plugins.entries.openshell.config.from
+# - plugins.entries.openshell.config.mode
+# - plugins.entries.openshell.config.policy
+
+openclaw sandbox recreate --all
+```
+
+For OpenShell `remote` mode, recreate deletes the canonical remote workspace
+for that scope. The next run seeds it again from the local workspace.
+
 ### After changing setupCommand
 
 ```bash
@@ -108,16 +152,16 @@ openclaw sandbox recreate --agent alfred
 
 ## Why is this needed?
 
-**Problem:** When you update sandbox Docker images or configuration:
+**Problem:** When you update sandbox configuration:
 
-- Existing containers continue running with old settings
-- Containers are only pruned after 24h of inactivity
-- Regularly-used agents keep old containers running indefinitely
+- Existing runtimes continue running with old settings
+- Runtimes are only pruned after 24h of inactivity
+- Regularly-used agents keep old runtimes alive indefinitely
 
-**Solution:** Use `openclaw sandbox recreate` to force removal of old containers. They'll be recreated automatically with current settings when next needed.
+**Solution:** Use `openclaw sandbox recreate` to force removal of old runtimes. They'll be recreated automatically with current settings when next needed.
 
-Tip: prefer `openclaw sandbox recreate` over manual `docker rm`. It uses the
-Gateway’s container naming and avoids mismatches when scope/session keys change.
+Tip: prefer `openclaw sandbox recreate` over manual backend-specific cleanup.
+It uses the Gateway’s runtime registry and avoids mismatches when scope/session keys change.
 
 ## Configuration
 
@@ -129,6 +173,7 @@ Sandbox settings live in `~/.openclaw/openclaw.json` under `agents.defaults.sand
     "defaults": {
       "sandbox": {
         "mode": "all", // off, non-main, all
+        "backend": "docker", // docker, ssh, openshell
         "scope": "agent", // session, agent, shared
         "docker": {
           "image": "openclaw-sandbox:bookworm-slim",
diff --git a/docs/cli/security.md b/docs/cli/security.md
index cc705b31a30..76a7ae75976 100644
--- a/docs/cli/security.md
+++ b/docs/cli/security.md
@@ -19,6 +19,8 @@ Related:
 ```bash
 openclaw security audit
 openclaw security audit --deep
+openclaw security audit --deep --password <password>
+openclaw security audit --deep --token <token>
 openclaw security audit --fix
 openclaw security audit --json
 ```
@@ -40,6 +42,12 @@ It warns when `gateway.auth.mode="none"` leaves Gateway HTTP APIs reachable with
 Settings prefixed with `dangerous`/`dangerously` are explicit break-glass operator overrides; enabling one is not, by itself, a security vulnerability report.
 For the complete dangerous-parameter inventory, see the "Insecure or dangerous flags summary" section in [Security](/gateway/security).
 
+SecretRef behavior:
+
+- `security audit` resolves supported SecretRefs in read-only mode for its targeted paths.
+- If a SecretRef is unavailable in the current command path, audit continues and reports `secretDiagnostics` (instead of crashing).
+- `--token` and `--password` only override deep-probe auth for that command invocation; they do not rewrite config or SecretRef mappings.
+
 ## JSON output
 
 Use `--json` for CI/policy checks:
diff --git a/docs/cli/setup.md b/docs/cli/setup.md
index 340a53a30d7..d8992ba8a43 100644
--- a/docs/cli/setup.md
+++ b/docs/cli/setup.md
@@ -1,7 +1,7 @@
 ---
 summary: "CLI reference for `openclaw setup` (initialize config + workspace)"
 read_when:
-  - You’re doing first-run setup without the full onboarding wizard
+  - You’re doing first-run setup without the full setup wizard
   - You want to set the default workspace path
 title: "setup"
 ---
diff --git a/docs/cli/status.md b/docs/cli/status.md
index 856c341b036..770bf6ab50d 100644
--- a/docs/cli/status.md
+++ b/docs/cli/status.md
@@ -26,3 +26,4 @@ Notes:
 - Update info surfaces in the Overview; if an update is available, status prints a hint to run `openclaw update` (see [Updating](/install/updating)).
 - Read-only status surfaces (`status`, `status --json`, `status --all`) resolve supported SecretRefs for their targeted config paths when possible.
 - If a supported channel SecretRef is configured but unavailable in the current command path, status stays read-only and reports degraded output instead of crashing. Human output shows warnings such as “configured token unavailable in this command path”, and JSON output includes `secretDiagnostics`.
+- When command-local SecretRef resolution succeeds, status prefers the resolved snapshot and clears transient “secret unavailable” channel markers from the final output.
diff --git a/docs/concepts/model-providers.md b/docs/concepts/model-providers.md
index 3a29c373c1d..6adbb5d0f26 100644
--- a/docs/concepts/model-providers.md
+++ b/docs/concepts/model-providers.md
@@ -19,10 +19,18 @@ For model selection rules, see [/concepts/models](/concepts/models).
 - Provider plugins can inject model catalogs via `registerProvider({ catalog })`;
   OpenClaw merges that output into `models.providers` before writing
   `models.json`.
+- Provider manifests can declare `providerAuthEnvVars` so generic env-based
+  auth probes do not need to load plugin runtime. The remaining core env-var
+  map is now just for non-plugin/core providers and a few generic-precedence
+  cases such as Anthropic API-key-first onboarding.
 - Provider plugins can also own provider runtime behavior via
   `resolveDynamicModel`, `prepareDynamicModel`, `normalizeResolvedModel`,
-  `capabilities`, `prepareExtraParams`, `wrapStreamFn`,
-  `isCacheTtlEligible`, `prepareRuntimeAuth`, `resolveUsageAuth`, and
+  `capabilities`, `prepareExtraParams`, `wrapStreamFn`, `formatApiKey`,
+  `refreshOAuth`, `buildAuthDoctorHint`,
+  `isCacheTtlEligible`, `buildMissingAuthMessage`,
+  `suppressBuiltInModel`, `augmentModelCatalog`, `isBinaryThinking`,
+  `supportsXHighThinking`, `resolveDefaultThinkingLevel`,
+  `isModernModelRef`, `prepareRuntimeAuth`, `resolveUsageAuth`, and
   `fetchUsageSnapshot`.
 
 ## Plugin-owned provider behavior
@@ -32,6 +40,10 @@ the generic inference loop.
 
 Typical split:
 
+- `auth[].run` / `auth[].runNonInteractive`: provider owns onboarding/login
+  flows for `openclaw onboard`, `openclaw models auth`, and headless setup
+- `wizard.setup` / `wizard.modelPicker`: provider owns auth-choice labels,
+  legacy aliases, onboarding allowlist hints, and setup entries in onboarding/model pickers
 - `catalog`: provider appears in `models.providers`
 - `resolveDynamicModel`: provider accepts model ids not present in the local
   static catalog yet
@@ -41,7 +53,24 @@ Typical split:
 - `capabilities`: provider publishes transcript/tooling/provider-family quirks
 - `prepareExtraParams`: provider defaults or normalizes per-model request params
 - `wrapStreamFn`: provider applies request headers/body/model compat wrappers
+- `formatApiKey`: provider formats stored auth profiles into the runtime
+  `apiKey` string expected by the transport
+- `refreshOAuth`: provider owns OAuth refresh when the shared `pi-ai`
+  refreshers are not enough
+- `buildAuthDoctorHint`: provider appends repair guidance when OAuth refresh
+  fails
 - `isCacheTtlEligible`: provider decides which upstream model ids support prompt-cache TTL
+- `buildMissingAuthMessage`: provider replaces the generic auth-store error
+  with a provider-specific recovery hint
+- `suppressBuiltInModel`: provider hides stale upstream rows and can return a
+  vendor-owned error for direct resolution failures
+- `augmentModelCatalog`: provider appends synthetic/final catalog rows after
+  discovery and config merging
+- `isBinaryThinking`: provider owns binary on/off thinking UX
+- `supportsXHighThinking`: provider opts selected models into `xhigh`
+- `resolveDefaultThinkingLevel`: provider owns default `/think` policy for a
+  model family
+- `isModernModelRef`: provider owns live/smoke preferred-model matching
 - `prepareRuntimeAuth`: provider turns a configured credential into a short
   lived runtime token
 - `resolveUsageAuth`: provider resolves usage/quota credentials for `/usage`
@@ -51,30 +80,36 @@ Typical split:
 
 Current bundled examples:
 
-- `anthropic`: Claude 4.6 forward-compat fallback, usage endpoint fetching,
-  and cache-TTL/provider-family metadata
+- `anthropic`: Claude 4.6 forward-compat fallback, auth repair hints, usage
+  endpoint fetching, and cache-TTL/provider-family metadata
 - `openrouter`: pass-through model ids, request wrappers, provider capability
   hints, and cache-TTL policy
-- `github-copilot`: forward-compat model fallback, Claude-thinking transcript
-  hints, runtime token exchange, and usage endpoint fetching
+- `github-copilot`: onboarding/device login, forward-compat model fallback,
+  Claude-thinking transcript hints, runtime token exchange, and usage endpoint
+  fetching
 - `openai`: GPT-5.4 forward-compat fallback, direct OpenAI transport
-  normalization, and provider-family metadata
-- `openai-codex`: forward-compat model fallback, transport normalization, and
-  default transport params plus usage endpoint fetching
-- `google-gemini-cli`: Gemini 3.1 forward-compat fallback plus usage-token
-  parsing and quota endpoint fetching for usage surfaces
+  normalization, Codex-aware missing-auth hints, Spark suppression, synthetic
+  OpenAI/Codex catalog rows, thinking/live-model policy, and
+  provider-family metadata
+- `google` and `google-gemini-cli`: Gemini 3.1 forward-compat fallback and
+  modern-model matching; Gemini CLI OAuth also owns auth-profile token
+  formatting, usage-token parsing, and quota endpoint fetching for usage
+  surfaces
 - `moonshot`: shared transport, plugin-owned thinking payload normalization
 - `kilocode`: shared transport, plugin-owned request headers, reasoning payload
   normalization, Gemini transcript hints, and cache-TTL policy
 - `zai`: GLM-5 forward-compat fallback, `tool_stream` defaults, cache-TTL
-  policy, and usage auth + quota fetching
+  policy, binary-thinking/live-model policy, and usage auth + quota fetching
 - `mistral`, `opencode`, and `opencode-go`: plugin-owned capability metadata
 - `byteplus`, `cloudflare-ai-gateway`, `huggingface`, `kimi-coding`,
-  `minimax-portal`, `modelstudio`, `nvidia`, `qianfan`, `qwen-portal`,
-  `synthetic`, `together`, `venice`, `vercel-ai-gateway`, and `volcengine`:
-  plugin-owned catalogs only
+  `modelstudio`, `nvidia`, `qianfan`, `synthetic`, `together`, `venice`,
+  `vercel-ai-gateway`, and `volcengine`: plugin-owned catalogs only
+- `qwen-portal`: plugin-owned catalog, OAuth login, and OAuth refresh
 - `minimax` and `xiaomi`: plugin-owned catalogs plus usage auth/snapshot logic
 
+The bundled `openai` plugin now owns both provider ids: `openai` and
+`openai-codex`.
+
 That covers providers that still fit OpenClaw's normal transports. A provider
 that needs a totally custom request executor is a separate, deeper extension
 surface.
@@ -176,16 +211,13 @@ OpenClaw ships with the pi‑ai catalog. These providers require **no**
 - Compatibility: legacy OpenClaw config using `google/gemini-3.1-flash-preview` is normalized to `google/gemini-3-flash-preview`
 - CLI: `openclaw onboard --auth-choice gemini-api-key`
 
-### Google Vertex, Antigravity, and Gemini CLI
+### Google Vertex and Gemini CLI
 
-- Providers: `google-vertex`, `google-antigravity`, `google-gemini-cli`
-- Auth: Vertex uses gcloud ADC; Antigravity/Gemini CLI use their respective auth flows
-- Caution: Antigravity and Gemini CLI OAuth in OpenClaw are unofficial integrations. Some users have reported Google account restrictions after using third-party clients. Review Google terms and use a non-critical account if you choose to proceed.
-- Antigravity OAuth is shipped as a bundled plugin (`google-antigravity-auth`, disabled by default).
-  - Enable: `openclaw plugins enable google-antigravity-auth`
-  - Login: `openclaw models auth login --provider google-antigravity --set-default`
-- Gemini CLI OAuth is shipped as a bundled plugin (`google-gemini-cli-auth`, disabled by default).
-  - Enable: `openclaw plugins enable google-gemini-cli-auth`
+- Providers: `google-vertex`, `google-gemini-cli`
+- Auth: Vertex uses gcloud ADC; Gemini CLI uses its OAuth flow
+- Caution: Gemini CLI OAuth in OpenClaw is an unofficial integration. Some users have reported Google account restrictions after using third-party clients. Review Google terms and use a non-critical account if you choose to proceed.
+- Gemini CLI OAuth is shipped as part of the bundled `google` plugin.
+  - Enable: `openclaw plugins enable google`
   - Login: `openclaw models auth login --provider google-gemini-cli --set-default`
   - Note: you do **not** paste a client id or secret into `openclaw.json`. The CLI login flow stores
     tokens in auth profiles on the gateway host.
diff --git a/docs/concepts/models.md b/docs/concepts/models.md
index 6323feef04e..e85e605456f 100644
--- a/docs/concepts/models.md
+++ b/docs/concepts/models.md
@@ -36,7 +36,7 @@ Related:
 
 ## Setup wizard (recommended)
 
-If you don’t want to hand-edit config, run the onboarding wizard:
+If you don’t want to hand-edit config, run the setup wizard:
 
 ```bash
 openclaw onboard
diff --git a/docs/design/kilo-gateway-integration.md b/docs/design/kilo-gateway-integration.md
index 4f34e553c0f..39088aaf5b2 100644
--- a/docs/design/kilo-gateway-integration.md
+++ b/docs/design/kilo-gateway-integration.md
@@ -492,8 +492,8 @@ const needsNonImageSanitize =
    - Test `resolveEnvApiKey("kilocode")` returns correct env var
 
 2. **Integration Tests:**
-   - Test onboarding flow with `--auth-choice kilocode-api-key`
-   - Test non-interactive onboarding with `--kilocode-api-key`
+   - Test setup flow with `--auth-choice kilocode-api-key`
+   - Test non-interactive setup with `--kilocode-api-key`
    - Test model selection with `kilocode/` prefix
 
 3. **E2E Tests:**
diff --git a/docs/docs.json b/docs/docs.json
index 229699ec37e..80409046397 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -1018,7 +1018,6 @@
                 "pages": [
                   "tools/browser",
                   "tools/browser-login",
-                  "tools/chrome-extension",
                   "tools/browser-linux-troubleshooting"
                 ]
               },
@@ -1613,7 +1612,6 @@
                 "pages": [
                   "zh-CN/tools/browser",
                   "zh-CN/tools/browser-login",
-                  "zh-CN/tools/chrome-extension",
                   "zh-CN/tools/browser-linux-troubleshooting"
                 ]
               },
diff --git a/docs/experiments/onboarding-config-protocol.md b/docs/experiments/onboarding-config-protocol.md
index 9427d47b7f6..e3b9d9dff10 100644
--- a/docs/experiments/onboarding-config-protocol.md
+++ b/docs/experiments/onboarding-config-protocol.md
@@ -1,6 +1,6 @@
 ---
-summary: "RPC protocol notes for onboarding wizard and config schema"
-read_when: "Changing onboarding wizard steps or config schema endpoints"
+summary: "RPC protocol notes for setup wizard and config schema"
+read_when: "Changing setup wizard steps or config schema endpoints"
 title: "Onboarding and Config Protocol"
 ---
 
diff --git a/docs/gateway/authentication.md b/docs/gateway/authentication.md
index 28314dd85a3..c25501e6cdd 100644
--- a/docs/gateway/authentication.md
+++ b/docs/gateway/authentication.md
@@ -49,7 +49,7 @@ openclaw models status
 openclaw doctor
 ```
 
-If you’d rather not manage env vars yourself, the onboarding wizard can store
+If you’d rather not manage env vars yourself, the setup wizard can store
 API keys for daemon use: `openclaw onboard`.
 
 See [Help](/help) for details on env inheritance (`env.shellEnv`,
diff --git a/docs/gateway/configuration-reference.md b/docs/gateway/configuration-reference.md
index 78e58edc085..a46f342a360 100644
--- a/docs/gateway/configuration-reference.md
+++ b/docs/gateway/configuration-reference.md
@@ -1117,7 +1117,7 @@ See [Typing Indicators](/concepts/typing-indicators).
 
 ### `agents.defaults.sandbox`
 
-Optional **Docker sandboxing** for the embedded agent. See [Sandboxing](/gateway/sandboxing) for the full guide.
+Optional sandboxing for the embedded agent. See [Sandboxing](/gateway/sandboxing) for the full guide.
 
 ```json5
 {
@@ -1125,6 +1125,7 @@ Optional **Docker sandboxing** for the embedded agent. See [Sandboxing](/gateway
     defaults: {
       sandbox: {
         mode: "non-main", // off | non-main | all
+        backend: "docker", // docker | ssh | openshell
         scope: "agent", // session | agent | shared
         workspaceAccess: "none", // none | ro | rw
         workspaceRoot: "~/.openclaw/sandboxes",
@@ -1153,6 +1154,20 @@ Optional **Docker sandboxing** for the embedded agent. See [Sandboxing](/gateway
           extraHosts: ["internal.service:10.0.0.5"],
           binds: ["/home/user/source:/source:rw"],
         },
+        ssh: {
+          target: "user@gateway-host:22",
+          command: "ssh",
+          workspaceRoot: "/tmp/openclaw-sandboxes",
+          strictHostKeyChecking: true,
+          updateHostKeys: true,
+          identityFile: "~/.ssh/id_ed25519",
+          certificateFile: "~/.ssh/id_ed25519-cert.pub",
+          knownHostsFile: "~/.ssh/known_hosts",
+          // SecretRefs / inline contents also supported:
+          // identityData: { source: "env", provider: "default", id: "SSH_IDENTITY" },
+          // certificateData: { source: "env", provider: "default", id: "SSH_CERTIFICATE" },
+          // knownHostsData: { source: "env", provider: "default", id: "SSH_KNOWN_HOSTS" },
+        },
         browser: {
           enabled: false,
           image: "openclaw-sandbox-browser:bookworm-slim",
@@ -1199,6 +1214,39 @@ Optional **Docker sandboxing** for the embedded agent. See [Sandboxing](/gateway
 
 <Accordion title="Sandbox details">
 
+**Backend:**
+
+- `docker`: local Docker runtime (default)
+- `ssh`: generic SSH-backed remote runtime
+- `openshell`: OpenShell runtime
+
+When `backend: "openshell"` is selected, runtime-specific settings move to
+`plugins.entries.openshell.config`.
+
+**SSH backend config:**
+
+- `target`: SSH target in `user@host[:port]` form
+- `command`: SSH client command (default: `ssh`)
+- `workspaceRoot`: absolute remote root used for per-scope workspaces
+- `identityFile` / `certificateFile` / `knownHostsFile`: existing local files passed to OpenSSH
+- `identityData` / `certificateData` / `knownHostsData`: inline contents or SecretRefs that OpenClaw materializes into temp files at runtime
+- `strictHostKeyChecking` / `updateHostKeys`: OpenSSH host-key policy knobs
+
+**SSH auth precedence:**
+
+- `identityData` wins over `identityFile`
+- `certificateData` wins over `certificateFile`
+- `knownHostsData` wins over `knownHostsFile`
+- SecretRef-backed `*Data` values are resolved from the active secrets runtime snapshot before the sandbox session starts
+
+**SSH backend behavior:**
+
+- seeds the remote workspace once after create or recreate
+- then keeps the remote SSH workspace canonical
+- routes `exec`, file tools, and media paths over SSH
+- does not sync remote changes back to the host automatically
+- does not support sandbox browser containers
+
 **Workspace access:**
 
 - `none`: per-scope sandbox workspace under `~/.openclaw/sandboxes`
@@ -1211,6 +1259,40 @@ Optional **Docker sandboxing** for the embedded agent. See [Sandboxing](/gateway
 - `agent`: one container + workspace per agent (default)
 - `shared`: shared container and workspace (no cross-session isolation)
 
+**OpenShell plugin config:**
+
+```json5
+{
+  plugins: {
+    entries: {
+      openshell: {
+        enabled: true,
+        config: {
+          mode: "mirror", // mirror | remote
+          from: "openclaw",
+          remoteWorkspaceDir: "/sandbox",
+          remoteAgentWorkspaceDir: "/agent",
+          gateway: "lab", // optional
+          gatewayEndpoint: "https://lab.example", // optional
+          policy: "strict", // optional OpenShell policy id
+          providers: ["openai"], // optional
+          autoProviders: true,
+          timeoutSeconds: 120,
+        },
+      },
+    },
+  },
+}
+```
+
+**OpenShell mode:**
+
+- `mirror`: seed remote from local before exec, sync back after exec; local workspace stays canonical
+- `remote`: seed remote once when the sandbox is created, then keep the remote workspace canonical
+
+In `remote` mode, host-local edits made outside OpenClaw are not synced into the sandbox automatically after the seed step.
+Transport is SSH into the OpenShell sandbox, but the plugin owns sandbox lifecycle and optional mirror sync.
+
 **`setupCommand`** runs once after container creation (via `sh -lc`). Needs network egress, writable root, root user.
 
 **Containers default to `network: "none"`** — set to `"bridge"` (or a custom bridge network) if the agent needs outbound access.
@@ -1260,6 +1342,8 @@ noVNC observer access uses VNC auth by default and OpenClaw emits a short-lived
 
 </Accordion>
 
+Browser sandboxing and `sandbox.docker.binds` are currently Docker-only.
+
 Build images:
 
 ```bash
@@ -2358,13 +2442,13 @@ See [Plugins](/tools/plugin).
     profiles: {
       openclaw: { cdpPort: 18800, color: "#FF4500" },
       work: { cdpPort: 18801, color: "#0066CC" },
+      user: { driver: "existing-session", attachOnly: true, color: "#00AA00" },
       remote: { cdpUrl: "http://10.0.0.42:9222", color: "#00AA00" },
     },
     color: "#FF4500",
     // headless: false,
     // noSandbox: false,
     // extraArgs: [],
-    // relayBindHost: "0.0.0.0", // only when the extension relay must be reachable across namespaces (for example WSL2)
     // executablePath: "/Applications/Brave Browser.app/Contents/MacOS/Brave Browser",
     // attachOnly: false,
   },
@@ -2378,11 +2462,11 @@ See [Plugins](/tools/plugin).
 - `ssrfPolicy.allowPrivateNetwork` remains supported as a legacy alias.
 - In strict mode, use `ssrfPolicy.hostnameAllowlist` and `ssrfPolicy.allowedHostnames` for explicit exceptions.
 - Remote profiles are attach-only (start/stop/reset disabled).
+- `existing-session` profiles are host-only and use Chrome MCP instead of CDP.
 - Auto-detect order: default browser if Chromium-based → Chrome → Brave → Edge → Chromium → Chrome Canary.
 - Control service: loopback only (port derived from `gateway.port`, default `18791`).
 - `extraArgs` appends extra launch flags to local Chromium startup (for example
   `--disable-gpu`, window sizing, or debug flags).
-- `relayBindHost` changes where the Chrome extension relay listens. Leave unset for loopback-only access; set an explicit non-loopback bind address such as `0.0.0.0` only when the relay must cross a namespace boundary (for example WSL2) and the host network is already trusted.
 
 ---
 
diff --git a/docs/gateway/doctor.md b/docs/gateway/doctor.md
index 95027906750..6c0711c7aea 100644
--- a/docs/gateway/doctor.md
+++ b/docs/gateway/doctor.md
@@ -63,6 +63,7 @@ cat ~/.openclaw/openclaw.json
 - Health check + restart prompt.
 - Skills status summary (eligible/missing/blocked).
 - Config normalization for legacy values.
+- Browser migration checks for legacy Chrome extension configs and Chrome MCP readiness.
 - OpenCode provider override warnings (`models.providers.opencode` / `models.providers.opencode-go`).
 - Legacy on-disk state migration (sessions/agent dir/WhatsApp auth).
 - Legacy cron store migration (`jobId`, `schedule.cron`, top-level delivery/payload fields, payload `provider`, simple `notify: true` webhook fallback jobs).
@@ -128,6 +129,8 @@ Current migrations:
 - `agent.model`/`allowedModels`/`modelAliases`/`modelFallbacks`/`imageModelFallbacks`
   → `agents.defaults.models` + `agents.defaults.model.primary/fallbacks` + `agents.defaults.imageModel.primary/fallbacks`
 - `browser.ssrfPolicy.allowPrivateNetwork` → `browser.ssrfPolicy.dangerouslyAllowPrivateNetwork`
+- `browser.profiles.*.driver: "extension"` → `"existing-session"`
+- remove `browser.relayBindHost` (legacy extension relay setting)
 
 Doctor warnings also include account-default guidance for multi-account channels:
 
@@ -141,6 +144,33 @@ manually, it overrides the built-in OpenCode catalog from `@mariozechner/pi-ai`.
 That can force models onto the wrong API or zero out costs. Doctor warns so you
 can remove the override and restore per-model API routing + costs.
 
+### 2c) Browser migration and Chrome MCP readiness
+
+If your browser config still points at the removed Chrome extension path, doctor
+normalizes it to the current host-local Chrome MCP attach model:
+
+- `browser.profiles.*.driver: "extension"` becomes `"existing-session"`
+- `browser.relayBindHost` is removed
+
+Doctor also audits the host-local Chrome MCP path when you use `defaultProfile:
+"user"` or a configured `existing-session` profile:
+
+- checks whether Google Chrome is installed on the same host
+- checks the detected Chrome version and warns when it is below Chrome 144
+- reminds you to enable remote debugging in Chrome at
+  `chrome://inspect/#remote-debugging`
+
+Doctor cannot enable the Chrome-side setting for you. Host-local Chrome MCP
+still requires:
+
+- Google Chrome 144+ on the gateway/node host
+- Chrome running locally
+- remote debugging enabled in Chrome
+- approving the first attach consent prompt in Chrome
+
+This check does **not** apply to Docker, sandbox, remote-browser, or other
+headless flows. Those continue to use raw CDP.
+
 ### 3) Legacy state migrations (disk layout)
 
 Doctor can migrate older on-disk layouts into the current structure:
diff --git a/docs/gateway/multiple-gateways.md b/docs/gateway/multiple-gateways.md
index d6f35e08a46..6d1cf423b98 100644
--- a/docs/gateway/multiple-gateways.md
+++ b/docs/gateway/multiple-gateways.md
@@ -70,7 +70,7 @@ openclaw --profile rescue onboard
 #   better choose completely different base port, like 19789,
 # - rest of the onboarding is the same as normal
 
-# To install the service (if not happened automatically during onboarding)
+# To install the service (if not happened automatically during setup)
 openclaw --profile rescue gateway install
 ```
 
diff --git a/docs/gateway/sandboxing.md b/docs/gateway/sandboxing.md
index d62af2f4f7d..c6cf839e42d 100644
--- a/docs/gateway/sandboxing.md
+++ b/docs/gateway/sandboxing.md
@@ -7,7 +7,7 @@ status: active
 
 # Sandboxing
 
-OpenClaw can run **tools inside Docker containers** to reduce blast radius.
+OpenClaw can run **tools inside sandbox backends** to reduce blast radius.
 This is **optional** and controlled by configuration (`agents.defaults.sandbox` or
 `agents.list[].sandbox`). If sandboxing is off, tools run on the host.
 The Gateway stays on the host; tool execution runs in an isolated sandbox
@@ -54,6 +54,187 @@ Not sandboxed:
 - `"agent"`: one container per agent.
 - `"shared"`: one container shared by all sandboxed sessions.
 
+## Backend
+
+`agents.defaults.sandbox.backend` controls **which runtime** provides the sandbox:
+
+- `"docker"` (default): local Docker-backed sandbox runtime.
+- `"ssh"`: generic SSH-backed remote sandbox runtime.
+- `"openshell"`: OpenShell-backed sandbox runtime.
+
+SSH-specific config lives under `agents.defaults.sandbox.ssh`.
+OpenShell-specific config lives under `plugins.entries.openshell.config`.
+
+### SSH backend
+
+Use `backend: "ssh"` when you want OpenClaw to sandbox `exec`, file tools, and media reads on
+an arbitrary SSH-accessible machine.
+
+```json5
+{
+  agents: {
+    defaults: {
+      sandbox: {
+        mode: "all",
+        backend: "ssh",
+        scope: "session",
+        workspaceAccess: "rw",
+        ssh: {
+          target: "user@gateway-host:22",
+          workspaceRoot: "/tmp/openclaw-sandboxes",
+          strictHostKeyChecking: true,
+          updateHostKeys: true,
+          identityFile: "~/.ssh/id_ed25519",
+          certificateFile: "~/.ssh/id_ed25519-cert.pub",
+          knownHostsFile: "~/.ssh/known_hosts",
+          // Or use SecretRefs / inline contents instead of local files:
+          // identityData: { source: "env", provider: "default", id: "SSH_IDENTITY" },
+          // certificateData: { source: "env", provider: "default", id: "SSH_CERTIFICATE" },
+          // knownHostsData: { source: "env", provider: "default", id: "SSH_KNOWN_HOSTS" },
+        },
+      },
+    },
+  },
+}
+```
+
+How it works:
+
+- OpenClaw creates a per-scope remote root under `sandbox.ssh.workspaceRoot`.
+- On first use after create or recreate, OpenClaw seeds that remote workspace from the local workspace once.
+- After that, `exec`, `read`, `write`, `edit`, `apply_patch`, prompt media reads, and inbound media staging run directly against the remote workspace over SSH.
+- OpenClaw does not sync remote changes back to the local workspace automatically.
+
+Authentication material:
+
+- `identityFile`, `certificateFile`, `knownHostsFile`: use existing local files and pass them through OpenSSH config.
+- `identityData`, `certificateData`, `knownHostsData`: use inline strings or SecretRefs. OpenClaw resolves them through the normal secrets runtime snapshot, writes them to temp files with `0600`, and deletes them when the SSH session ends.
+- If both `*File` and `*Data` are set for the same item, `*Data` wins for that SSH session.
+
+This is a **remote-canonical** model. The remote SSH workspace becomes the real sandbox state after the initial seed.
+
+Important consequences:
+
+- Host-local edits made outside OpenClaw after the seed step are not visible remotely until you recreate the sandbox.
+- `openclaw sandbox recreate` deletes the per-scope remote root and seeds again from local on next use.
+- Browser sandboxing is not supported on the SSH backend.
+- `sandbox.docker.*` settings do not apply to the SSH backend.
+
+```json5
+{
+  agents: {
+    defaults: {
+      sandbox: {
+        mode: "all",
+        backend: "openshell",
+        scope: "session",
+        workspaceAccess: "rw",
+      },
+    },
+  },
+  plugins: {
+    entries: {
+      openshell: {
+        enabled: true,
+        config: {
+          from: "openclaw",
+          mode: "remote", // mirror | remote
+          remoteWorkspaceDir: "/sandbox",
+          remoteAgentWorkspaceDir: "/agent",
+        },
+      },
+    },
+  },
+}
+```
+
+OpenShell modes:
+
+- `mirror` (default): local workspace stays canonical. OpenClaw syncs local files into OpenShell before exec and syncs the remote workspace back after exec.
+- `remote`: OpenShell workspace is canonical after the sandbox is created. OpenClaw seeds the remote workspace once from the local workspace, then file tools and exec run directly against the remote sandbox without syncing changes back.
+
+OpenShell reuses the same core SSH transport and remote filesystem bridge as the generic SSH backend.
+The plugin adds OpenShell-specific lifecycle (`sandbox create/get/delete`, `sandbox ssh-config`) and the optional `mirror` mode.
+
+Remote transport details:
+
+- OpenClaw asks OpenShell for sandbox-specific SSH config via `openshell sandbox ssh-config <name>`.
+- Core writes that SSH config to a temp file, opens the SSH session, and reuses the same remote filesystem bridge used by `backend: "ssh"`.
+- In `mirror` mode only the lifecycle differs: sync local to remote before exec, then sync back after exec.
+
+Current OpenShell limitations:
+
+- sandbox browser is not supported yet
+- `sandbox.docker.binds` is not supported on the OpenShell backend
+- Docker-specific runtime knobs under `sandbox.docker.*` still apply only to the Docker backend
+
+## OpenShell workspace modes
+
+OpenShell has two workspace models. This is the part that matters most in practice.
+
+### `mirror`
+
+Use `plugins.entries.openshell.config.mode: "mirror"` when you want the **local workspace to stay canonical**.
+
+Behavior:
+
+- Before `exec`, OpenClaw syncs the local workspace into the OpenShell sandbox.
+- After `exec`, OpenClaw syncs the remote workspace back to the local workspace.
+- File tools still operate through the sandbox bridge, but the local workspace remains the source of truth between turns.
+
+Use this when:
+
+- you edit files locally outside OpenClaw and want those changes to show up in the sandbox automatically
+- you want the OpenShell sandbox to behave as much like the Docker backend as possible
+- you want the host workspace to reflect sandbox writes after each exec turn
+
+Tradeoff:
+
+- extra sync cost before and after exec
+
+### `remote`
+
+Use `plugins.entries.openshell.config.mode: "remote"` when you want the **OpenShell workspace to become canonical**.
+
+Behavior:
+
+- When the sandbox is first created, OpenClaw seeds the remote workspace from the local workspace once.
+- After that, `exec`, `read`, `write`, `edit`, and `apply_patch` operate directly against the remote OpenShell workspace.
+- OpenClaw does **not** sync remote changes back into the local workspace after exec.
+- Prompt-time media reads still work because file and media tools read through the sandbox bridge instead of assuming a local host path.
+- Transport is SSH into the OpenShell sandbox returned by `openshell sandbox ssh-config`.
+
+Important consequences:
+
+- If you edit files on the host outside OpenClaw after the seed step, the remote sandbox will **not** see those changes automatically.
+- If the sandbox is recreated, the remote workspace is seeded from the local workspace again.
+- With `scope: "agent"` or `scope: "shared"`, that remote workspace is shared at that same scope.
+
+Use this when:
+
+- the sandbox should live primarily on the remote OpenShell side
+- you want lower per-turn sync overhead
+- you do not want host-local edits to silently overwrite remote sandbox state
+
+Choose `mirror` if you think of the sandbox as a temporary execution environment.
+Choose `remote` if you think of the sandbox as the real workspace.
+
+## OpenShell lifecycle
+
+OpenShell sandboxes are still managed through the normal sandbox lifecycle:
+
+- `openclaw sandbox list` shows OpenShell runtimes as well as Docker runtimes
+- `openclaw sandbox recreate` deletes the current runtime and lets OpenClaw recreate it on next use
+- prune logic is backend-aware too
+
+For `remote` mode, recreate is especially important:
+
+- recreate deletes the canonical remote workspace for that scope
+- the next use seeds a fresh remote workspace from the local workspace
+
+For `mirror` mode, recreate mainly resets the remote execution environment
+because the local workspace remains canonical anyway.
+
 ## Workspace access
 
 `agents.defaults.sandbox.workspaceAccess` controls **what the sandbox can see**:
@@ -62,6 +243,12 @@ Not sandboxed:
 - `"ro"`: mounts the agent workspace read-only at `/agent` (disables `write`/`edit`/`apply_patch`).
 - `"rw"`: mounts the agent workspace read/write at `/workspace`.
 
+With the OpenShell backend:
+
+- `mirror` mode still uses the local workspace as the canonical source between exec turns
+- `remote` mode uses the remote OpenShell workspace as the canonical source after the initial seed
+- `workspaceAccess: "ro"` and `"none"` still restrict write behavior the same way
+
 Inbound media is copied into the active sandbox workspace (`media/inbound/*`).
 Skills note: the `read` tool is sandbox-rooted. With `workspaceAccess: "none"`,
 OpenClaw mirrors eligible skills into the sandbox workspace (`.../skills`) so
@@ -116,7 +303,7 @@ Security notes:
 
 ## Images + setup
 
-Default image: `openclaw-sandbox:bookworm-slim`
+Default Docker image: `openclaw-sandbox:bookworm-slim`
 
 Build it once:
 
@@ -145,7 +332,7 @@ Sandboxed browser image:
 scripts/sandbox-browser-setup.sh
 ```
 
-By default, sandbox containers run with **no network**.
+By default, Docker sandbox containers run with **no network**.
 Override with `agents.defaults.sandbox.docker.network`.
 
 The bundled sandbox browser image also applies conservative Chromium startup defaults
diff --git a/docs/gateway/secrets.md b/docs/gateway/secrets.md
index 93cd508d4f1..1379d8e0202 100644
--- a/docs/gateway/secrets.md
+++ b/docs/gateway/secrets.md
@@ -41,6 +41,9 @@ Examples of inactive surfaces:
 - Web search provider-specific keys that are not selected by `tools.web.search.provider`.
   In auto mode (provider unset), keys are consulted by precedence for provider auto-detection until one resolves.
   After selection, non-selected provider keys are treated as inactive until selected.
+- Sandbox SSH auth material (`agents.defaults.sandbox.ssh.identityData`,
+  `certificateData`, `knownHostsData`, plus per-agent overrides) is active only
+  when the effective sandbox backend is `ssh` for the default agent or an enabled agent.
 - `gateway.remote.token` / `gateway.remote.password` SecretRefs are active if one of these is true:
   - `gateway.mode=remote`
   - `gateway.remote.url` is configured
@@ -67,7 +70,7 @@ active-surface policy, so you can see why a credential was treated as active or
 
 When onboarding runs in interactive mode and you choose SecretRef storage, OpenClaw runs preflight validation before saving:
 
-- Env refs: validates env var name and confirms a non-empty value is visible during onboarding.
+- Env refs: validates env var name and confirms a non-empty value is visible during setup.
 - Provider refs (`file` or `exec`): validates provider selection, resolves `id`, and checks resolved value type.
 - Quickstart reuse path: when `gateway.auth.token` is already a SecretRef, onboarding resolves it before probe/dashboard bootstrap (for `env`, `file`, and `exec` refs) using the same fail-fast gate.
 
@@ -285,6 +288,35 @@ Optional per-id errors:
 }
 ```
 
+## Sandbox SSH auth material
+
+The core `ssh` sandbox backend also supports SecretRefs for SSH auth material:
+
+```json5
+{
+  agents: {
+    defaults: {
+      sandbox: {
+        mode: "all",
+        backend: "ssh",
+        ssh: {
+          target: "user@gateway-host:22",
+          identityData: { source: "env", provider: "default", id: "SSH_IDENTITY" },
+          certificateData: { source: "env", provider: "default", id: "SSH_CERTIFICATE" },
+          knownHostsData: { source: "env", provider: "default", id: "SSH_KNOWN_HOSTS" },
+        },
+      },
+    },
+  },
+}
+```
+
+Runtime behavior:
+
+- OpenClaw resolves these refs during sandbox activation, not lazily during each SSH call.
+- Resolved values are written to temp files with restrictive permissions and used in generated SSH config.
+- If the effective sandbox backend is not `ssh`, these refs stay inactive and do not block startup.
+
 ## Supported credential surface
 
 Canonical supported and unsupported credentials are listed in:
@@ -348,7 +380,7 @@ Command paths can opt into supported SecretRef resolution via gateway snapshot R
 There are two broad behaviors:
 
 - Strict command paths (for example `openclaw memory` remote-memory paths and `openclaw qr --remote`) read from the active snapshot and fail fast when a required SecretRef is unavailable.
-- Read-only command paths (for example `openclaw status`, `openclaw status --all`, `openclaw channels status`, `openclaw channels resolve`, and read-only doctor/config repair flows) also prefer the active snapshot, but degrade instead of aborting when a targeted SecretRef is unavailable in that command path.
+- Read-only command paths (for example `openclaw status`, `openclaw status --all`, `openclaw channels status`, `openclaw channels resolve`, `openclaw security audit`, and read-only doctor/config repair flows) also prefer the active snapshot, but degrade instead of aborting when a targeted SecretRef is unavailable in that command path.
 
 Read-only behavior:
 
diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md
index f7f6583d794..68be08fbed5 100644
--- a/docs/gateway/security/index.md
+++ b/docs/gateway/security/index.md
@@ -738,7 +738,7 @@ In minimal mode, the Gateway still broadcasts enough for device discovery (`role
 Gateway auth is **required by default**. If no token/password is configured,
 the Gateway refuses WebSocket connections (fail‑closed).
 
-The onboarding wizard generates a token by default (even for loopback) so
+The setup wizard generates a token by default (even for loopback) so
 local clients must authenticate.
 
 Set a token so **all** WS clients must authenticate:
@@ -990,10 +990,9 @@ access those accounts and data. Treat browser profiles as **sensitive state**:
 - Treat browser downloads as untrusted input; prefer an isolated downloads directory.
 - Disable browser sync/password managers in the agent profile if possible (reduces blast radius).
 - For remote gateways, assume “browser control” is equivalent to “operator access” to whatever that profile can reach.
-- Keep the Gateway and node hosts tailnet-only; avoid exposing relay/control ports to LAN or public Internet.
-- The Chrome extension relay’s CDP endpoint is auth-gated; only OpenClaw clients can connect.
+- Keep the Gateway and node hosts tailnet-only; avoid exposing browser control ports to LAN or public Internet.
 - Disable browser proxy routing when you don’t need it (`gateway.nodes.browser.mode="off"`).
-- Chrome extension relay mode is **not** “safer”; it can take over your existing Chrome tabs. Assume it can act as you in whatever that tab/profile can reach.
+- Chrome MCP existing-session mode is **not** “safer”; it can act as you in whatever that host Chrome profile can reach.
 
 ### Browser SSRF policy (trusted-network default)
 
diff --git a/docs/gateway/troubleshooting.md b/docs/gateway/troubleshooting.md
index 41c697a67f1..aa75b9cf2b5 100644
--- a/docs/gateway/troubleshooting.md
+++ b/docs/gateway/troubleshooting.md
@@ -289,19 +289,18 @@ Look for:
 
 - Valid browser executable path.
 - CDP profile reachability.
-- Extension relay tab attachment (if an extension relay profile is configured).
+- Local Chrome availability for `existing-session` / `user` profiles.
 
 Common signatures:
 
 - `Failed to start Chrome CDP on port` → browser process failed to launch.
 - `browser.executablePath not found` → configured path is invalid.
-- `Chrome extension relay is running, but no tab is connected` → extension relay not attached.
+- `No Chrome tabs found for profile="user"` → the Chrome MCP attach profile has no open local Chrome tabs.
 - `Browser attachOnly is enabled ... not reachable` → attach-only profile has no reachable target.
 
 Related:
 
 - [/tools/browser-linux-troubleshooting](/tools/browser-linux-troubleshooting)
-- [/tools/chrome-extension](/tools/chrome-extension)
 - [/tools/browser](/tools/browser)
 
 ## If you upgraded and something suddenly broke
diff --git a/docs/help/faq.md b/docs/help/faq.md
index 236097634c1..b32b1aac8c5 100644
--- a/docs/help/faq.md
+++ b/docs/help/faq.md
@@ -36,7 +36,7 @@ Quick answers plus deeper troubleshooting for real-world setups (local dev, VPS,
   - [How do I install OpenClaw on a VPS?](#how-do-i-install-openclaw-on-a-vps)
   - [Where are the cloud/VPS install guides?](#where-are-the-cloudvps-install-guides)
   - [Can I ask OpenClaw to update itself?](#can-i-ask-openclaw-to-update-itself)
-  - [What does the onboarding wizard actually do?](#what-does-the-onboarding-wizard-actually-do)
+  - [What does the setup wizard actually do?](#what-does-the-setup-wizard-actually-do)
   - [Do I need a Claude or OpenAI subscription to run this?](#do-i-need-a-claude-or-openai-subscription-to-run-this)
   - [Can I use Claude Max subscription without an API key](#can-i-use-claude-max-subscription-without-an-api-key)
   - [How does Anthropic "setup-token" auth work?](#how-does-anthropic-setuptoken-auth-work)
@@ -80,7 +80,7 @@ Quick answers plus deeper troubleshooting for real-world setups (local dev, VPS,
   - [Can OpenClaw run tasks on a schedule or continuously in the background?](#can-openclaw-run-tasks-on-a-schedule-or-continuously-in-the-background)
   - [Can I run Apple macOS-only skills from Linux?](#can-i-run-apple-macos-only-skills-from-linux)
   - [Do you have a Notion or HeyGen integration?](#do-you-have-a-notion-or-heygen-integration)
-  - [How do I install the Chrome extension for browser takeover?](#how-do-i-install-the-chrome-extension-for-browser-takeover)
+  - [How do I use my existing signed-in Chrome with OpenClaw?](#how-do-i-use-my-existing-signed-in-chrome-with-openclaw)
 - [Sandboxing and memory](#sandboxing-and-memory)
   - [Is there a dedicated sandboxing doc?](#is-there-a-dedicated-sandboxing-doc)
   - [How do I bind a host folder into the sandbox?](#how-do-i-bind-a-host-folder-into-the-sandbox)
@@ -317,7 +317,7 @@ Install docs: [Install](/install), [Installer flags](/install/installer), [Updat
 
 ### What's the recommended way to install and set up OpenClaw
 
-The repo recommends running from source and using the onboarding wizard:
+The repo recommends running from source and using the setup wizard:
 
 ```bash
 curl -fsSL https://openclaw.ai/install.sh | bash
@@ -627,7 +627,7 @@ More detail: [Install](/install) and [Installer flags](/install/installer).
 
 ### How do I install OpenClaw on Linux
 
-Short answer: follow the Linux guide, then run the onboarding wizard.
+Short answer: follow the Linux guide, then run the setup wizard.
 
 - Linux quick path + service install: [Linux](/platforms/linux).
 - Full walkthrough: [Getting Started](/start/getting-started).
@@ -685,7 +685,7 @@ openclaw gateway restart
 
 Docs: [Update](/cli/update), [Updating](/install/updating).
 
-### What does the onboarding wizard actually do
+### What does the setup wizard actually do
 
 `openclaw onboard` is the recommended setup path. In **local mode** it walks you through:
 
@@ -773,7 +773,7 @@ OpenClaw supports **OpenAI Code (Codex)** via OAuth (ChatGPT sign-in). The wizar
 
 Yes. OpenClaw fully supports **OpenAI Code (Codex) subscription OAuth**.
 OpenAI explicitly allows subscription OAuth usage in external tools/workflows
-like OpenClaw. The onboarding wizard can run the OAuth flow for you.
+like OpenClaw. The setup wizard can run the OAuth flow for you.
 
 See [OAuth](/concepts/oauth), [Model providers](/concepts/model-providers), and [Wizard](/start/wizard).
 
@@ -783,7 +783,7 @@ Gemini CLI uses a **plugin auth flow**, not a client id or secret in `openclaw.j
 
 Steps:
 
-1. Enable the plugin: `openclaw plugins enable google-gemini-cli-auth`
+1. Enable the plugin: `openclaw plugins enable google`
 2. Login: `openclaw models auth login --provider google-gemini-cli --set-default`
 
 This stores OAuth tokens in auth profiles on the gateway host. Details: [Model providers](/concepts/model-providers).
@@ -844,7 +844,7 @@ without WhatsApp/Telegram.
 
 `channels.telegram.allowFrom` is **the human sender's Telegram user ID** (numeric). It is not the bot username.
 
-The onboarding wizard accepts `@username` input and resolves it to a numeric ID, but OpenClaw authorization uses numeric IDs only.
+The setup wizard accepts `@username` input and resolves it to a numeric ID, but OpenClaw authorization uses numeric IDs only.
 
 Safer (no third-party bot):
 
@@ -1214,22 +1214,23 @@ clawhub update --all
 
 ClawHub installs into `./skills` under your current directory (or falls back to your configured OpenClaw workspace); OpenClaw treats that as `<workspace>/skills` on the next session. For shared skills across agents, place them in `~/.openclaw/skills/<name>/SKILL.md`. Some skills expect binaries installed via Homebrew; on Linux that means Linuxbrew (see the Homebrew Linux FAQ entry above). See [Skills](/tools/skills) and [ClawHub](/tools/clawhub).
 
-### How do I install the Chrome extension for browser takeover
+### How do I use my existing signed-in Chrome with OpenClaw
 
-Use the built-in installer, then load the unpacked extension in Chrome:
+Use the built-in `user` browser profile, which attaches through Chrome DevTools MCP:
 
 ```bash
-openclaw browser extension install
-openclaw browser extension path
+openclaw browser --browser-profile user tabs
+openclaw browser --browser-profile user snapshot
 ```
 
-Then Chrome → `chrome://extensions` → enable "Developer mode" → "Load unpacked" → pick that folder.
+If you want a custom name, create an explicit MCP profile:
 
-Full guide (including remote Gateway + security notes): [Chrome extension](/tools/chrome-extension)
+```bash
+openclaw browser create-profile --name chrome-live --driver existing-session
+openclaw browser --browser-profile chrome-live tabs
+```
 
-If the Gateway runs on the same machine as Chrome (default setup), you usually **do not** need anything extra.
-If the Gateway runs elsewhere, run a node host on the browser machine so the Gateway can proxy browser actions.
-You still need to click the extension button on the tab you want to control (it doesn't auto-attach).
+This path is host-local. If the Gateway runs elsewhere, either run a node host on the browser machine or use remote CDP instead.
 
 ## Sandboxing and memory
 
@@ -1665,13 +1666,12 @@ setup is an always-on host plus your laptop as a node.
 - **No inbound SSH required.** Nodes connect out to the Gateway WebSocket and use device pairing.
 - **Safer execution controls.** `system.run` is gated by node allowlists/approvals on that laptop.
 - **More device tools.** Nodes expose `canvas`, `camera`, and `screen` in addition to `system.run`.
-- **Local browser automation.** Keep the Gateway on a VPS, but run Chrome locally and relay control
-  with the Chrome extension + a node host on the laptop.
+- **Local browser automation.** Keep the Gateway on a VPS, but run Chrome locally through a node host on the laptop, or attach to local Chrome on the host via Chrome MCP.
 
 SSH is fine for ad-hoc shell access, but nodes are simpler for ongoing agent workflows and
 device automation.
 
-Docs: [Nodes](/nodes), [Nodes CLI](/cli/nodes), [Chrome extension](/tools/chrome-extension).
+Docs: [Nodes](/nodes), [Nodes CLI](/cli/nodes), [Browser](/tools/browser).
 
 ### Should I install on a second laptop or just add a node
 
@@ -1901,7 +1901,7 @@ Non-interactive full reset:
 openclaw reset --scope full --yes --non-interactive
 ```
 
-Then re-run onboarding:
+Then re-run setup:
 
 ```bash
 openclaw onboard --install-daemon
@@ -1909,7 +1909,7 @@ openclaw onboard --install-daemon
 
 Notes:
 
-- The onboarding wizard also offers **Reset** if it sees an existing config. See [Wizard](/start/wizard).
+- The setup wizard also offers **Reset** if it sees an existing config. See [Wizard](/start/wizard).
 - If you used profiles (`--profile` / `OPENCLAW_PROFILE`), reset each state dir (defaults are `~/.openclaw-<profile>`).
 - Dev reset: `openclaw gateway --dev --reset` (dev-only; wipes dev config + credentials + sessions + workspace).
 
@@ -2039,18 +2039,18 @@ Yes. Use **Multi-Agent Routing** to run multiple isolated agents and route inbou
 channel/account/peer. Slack is supported as a channel and can be bound to specific agents.
 
 Browser access is powerful but not "do anything a human can" - anti-bot, CAPTCHAs, and MFA can
-still block automation. For the most reliable browser control, use the Chrome extension relay
-on the machine that runs the browser (and keep the Gateway anywhere).
+still block automation. For the most reliable browser control, use local Chrome MCP on the host,
+or use CDP on the machine that actually runs the browser.
 
 Best-practice setup:
 
 - Always-on Gateway host (VPS/Mac mini).
 - One agent per role (bindings).
 - Slack channel(s) bound to those agents.
-- Local browser via extension relay (or a node) when needed.
+- Local browser via Chrome MCP or a node when needed.
 
 Docs: [Multi-Agent Routing](/concepts/multi-agent), [Slack](/channels/slack),
-[Browser](/tools/browser), [Chrome extension](/tools/chrome-extension), [Nodes](/nodes).
+[Browser](/tools/browser), [Nodes](/nodes).
 
 ## Models: defaults, selection, aliases, switching
 
diff --git a/docs/help/testing.md b/docs/help/testing.md
index b2057e8a1da..09388dd769e 100644
--- a/docs/help/testing.md
+++ b/docs/help/testing.md
@@ -61,7 +61,7 @@ Think of the suites as “increasing realism” (and increasing flakiness/cost):
 
 - Command: `pnpm test:e2e`
 - Config: `vitest.e2e.config.ts`
-- Files: `src/**/*.e2e.test.ts`
+- Files: `src/**/*.e2e.test.ts`, `test/**/*.e2e.test.ts`
 - Runtime defaults:
   - Uses Vitest `vmForks` for faster file startup.
   - Uses adaptive workers (CI: 2-4, local: 4-8).
@@ -77,6 +77,23 @@ Think of the suites as “increasing realism” (and increasing flakiness/cost):
   - No real keys required
   - More moving parts than unit tests (can be slower)
 
+### E2E: OpenShell backend smoke
+
+- Command: `pnpm test:e2e:openshell`
+- File: `test/openshell-sandbox.e2e.test.ts`
+- Scope:
+  - Starts an isolated OpenShell gateway on the host via Docker
+  - Creates a sandbox from a temporary local Dockerfile
+  - Exercises OpenClaw's OpenShell backend over real `sandbox ssh-config` + SSH exec
+  - Verifies remote-canonical filesystem behavior through the sandbox fs bridge
+- Expectations:
+  - Opt-in only; not part of the default `pnpm test:e2e` run
+  - Requires a local `openshell` CLI plus a working Docker daemon
+  - Uses isolated `HOME` / `XDG_CONFIG_HOME`, then destroys the test gateway and sandbox
+- Useful overrides:
+  - `OPENCLAW_E2E_OPENSHELL=1` to enable the test when running the broader e2e suite manually
+  - `OPENCLAW_E2E_OPENSHELL_COMMAND=/path/to/openshell` to point at a non-default CLI binary or wrapper script
+
 ### Live (real providers + real models)
 
 - Command: `pnpm test:live`
@@ -345,7 +362,7 @@ If you want to rely on env keys (e.g. exported in your `~/.profile`), run local
 
 ## Docker runners (optional “works in Linux” checks)
 
-These run `pnpm test:live` inside the repo Docker image, mounting your local config dir and workspace (and sourcing `~/.profile` if mounted):
+These run `pnpm test:live` inside the repo Docker image, mounting your local config dir and workspace (and sourcing `~/.profile` if mounted). They also bind-mount CLI auth homes like `~/.codex`, `~/.claude`, `~/.qwen`, and `~/.minimax` when present so external-CLI OAuth stays available in-container:
 
 - Direct models: `pnpm test:docker:live-models` (script: `scripts/test-live-models-docker.sh`)
 - Gateway + dev agent: `pnpm test:docker:live-gateway` (script: `scripts/test-live-gateway-models-docker.sh`)
@@ -367,6 +384,7 @@ Useful env vars:
 - `OPENCLAW_CONFIG_DIR=...` (default: `~/.openclaw`) mounted to `/home/node/.openclaw`
 - `OPENCLAW_WORKSPACE_DIR=...` (default: `~/.openclaw/workspace`) mounted to `/home/node/.openclaw/workspace`
 - `OPENCLAW_PROFILE_FILE=...` (default: `~/.profile`) mounted to `/home/node/.profile` and sourced before running tests
+- External CLI auth dirs under `$HOME` (`.codex`, `.claude`, `.qwen`, `.minimax`) are mounted read-only to the matching `/home/node/...` paths when present
 - `OPENCLAW_LIVE_GATEWAY_MODELS=...` / `OPENCLAW_LIVE_MODELS=...` to narrow the run
 - `OPENCLAW_LIVE_REQUIRE_PROFILE_KEYS=1` to ensure creds come from the profile store (not env)
 
diff --git a/docs/help/troubleshooting.md b/docs/help/troubleshooting.md
index a3988c4ea58..1660100ba8c 100644
--- a/docs/help/troubleshooting.md
+++ b/docs/help/troubleshooting.md
@@ -278,13 +278,13 @@ flowchart TD
     Good output looks like:
 
     - Browser status shows `running: true` and a chosen browser/profile.
-    - `openclaw` profile starts or `chrome` relay has an attached tab.
+    - `openclaw` starts, or `user` can see local Chrome tabs.
 
     Common log signatures:
 
     - `Failed to start Chrome CDP on port` → local browser launch failed.
     - `browser.executablePath not found` → configured binary path is wrong.
-    - `Chrome extension relay is running, but no tab is connected` → extension not attached.
+    - `No Chrome tabs found for profile="user"` → the Chrome MCP attach profile has no open local Chrome tabs.
     - `Browser attachOnly is enabled ... not reachable` → attach-only profile has no live CDP target.
 
     Deep pages:
@@ -292,7 +292,6 @@ flowchart TD
     - [/gateway/troubleshooting#browser-tool-fails](/gateway/troubleshooting#browser-tool-fails)
     - [/tools/browser-linux-troubleshooting](/tools/browser-linux-troubleshooting)
     - [/tools/browser-wsl2-windows-remote-cdp-troubleshooting](/tools/browser-wsl2-windows-remote-cdp-troubleshooting)
-    - [/tools/chrome-extension](/tools/chrome-extension)
 
   </Accordion>
 </AccordionGroup>
diff --git a/docs/install/docker.md b/docs/install/docker.md
index a68066dcd57..a9f6b578bd0 100644
--- a/docs/install/docker.md
+++ b/docs/install/docker.md
@@ -51,7 +51,7 @@ From repo root:
 This script:
 
 - builds the gateway image locally (or pulls a remote image if `OPENCLAW_IMAGE` is set)
-- runs the onboarding wizard
+- runs the setup wizard
 - prints optional provider setup hints
 - starts the gateway via Docker Compose
 - generates a gateway token and writes it to `.env`
@@ -713,6 +713,7 @@ an optional noVNC observer (headful via Xvfb).
 
 Notes:
 
+- Docker and other headless/container browser flows stay on raw CDP. Chrome MCP `existing-session` is for host-local Chrome, not container takeover.
 - Headful (Xvfb) reduces bot blocking vs headless.
 - Headless can still be used by setting `agents.defaults.sandbox.browser.headless=true`.
 - No full desktop environment (GNOME) is needed; Xvfb provides the display.
diff --git a/docs/install/index.md b/docs/install/index.md
index 464a457a360..21adfdaa592 100644
--- a/docs/install/index.md
+++ b/docs/install/index.md
@@ -33,7 +33,7 @@ For VPS/cloud hosts, avoid third-party "1-click" marketplace images when possibl
 
 <AccordionGroup>
   <Accordion title="Installer script" icon="rocket" defaultOpen>
-    Downloads the CLI, installs it globally via npm, and launches the onboarding wizard.
+    Downloads the CLI, installs it globally via npm, and launches the setup wizard.
 
     <Tabs>
       <Tab title="macOS / Linux / WSL2">
diff --git a/docs/install/updating.md b/docs/install/updating.md
index e304fe0322b..a8161cc07f0 100644
--- a/docs/install/updating.md
+++ b/docs/install/updating.md
@@ -22,7 +22,7 @@ curl -fsSL https://openclaw.ai/install.sh | bash
 
 Notes:
 
-- Add `--no-onboard` if you don’t want the onboarding wizard to run again.
+- Add `--no-onboard` if you don’t want the setup wizard to run again.
 - For **source installs**, use:
 
   ```bash
diff --git a/docs/platforms/raspberry-pi.md b/docs/platforms/raspberry-pi.md
index 5e7e35c9544..2050b6395b4 100644
--- a/docs/platforms/raspberry-pi.md
+++ b/docs/platforms/raspberry-pi.md
@@ -321,7 +321,7 @@ Since the Pi is just the Gateway (models run in the cloud), use API-based models
 
 ## Auto-Start on Boot
 
-The onboarding wizard sets this up, but to verify:
+The setup wizard sets this up, but to verify:
 
 ```bash
 # Check service is enabled
diff --git a/docs/plugins/bundles.md b/docs/plugins/bundles.md
index b5f92f8f5ee..2fad626ccfe 100644
--- a/docs/plugins/bundles.md
+++ b/docs/plugins/bundles.md
@@ -259,12 +259,19 @@ openclaw plugins install ./my-codex-bundle
 openclaw plugins install ./my-claude-bundle
 openclaw plugins install ./my-cursor-bundle
 openclaw plugins install ./my-bundle.tgz
+openclaw plugins marketplace list <marketplace-name>
+openclaw plugins install <plugin-name>@<marketplace-name>
 openclaw plugins info my-bundle
 ```
 
 If the directory is a native OpenClaw plugin/package, the native install path
 still wins.
 
+For Claude marketplace names, OpenClaw reads the local Claude known-marketplace
+registry at `~/.claude/plugins/known_marketplaces.json`. Marketplace entries
+can resolve to bundle-compatible directories/archives or to native plugin
+sources; after resolution, the normal install rules still apply.
+
 ## Troubleshooting
 
 ### Bundle is detected but capabilities do not run
diff --git a/docs/plugins/manifest.md b/docs/plugins/manifest.md
index 9c266744b71..5ef77b9ef68 100644
--- a/docs/plugins/manifest.md
+++ b/docs/plugins/manifest.md
@@ -56,12 +56,52 @@ Optional keys:
 - `kind` (string): plugin kind (examples: `"memory"`, `"context-engine"`).
 - `channels` (array): channel ids registered by this plugin (example: `["matrix"]`).
 - `providers` (array): provider ids registered by this plugin.
+- `providerAuthEnvVars` (object): auth env vars keyed by provider id. Use this
+  when OpenClaw should resolve provider credentials from env without loading
+  plugin runtime first.
+- `providerAuthChoices` (array): cheap onboarding/auth-choice metadata keyed by
+  provider + auth method. Use this when OpenClaw should show a provider in
+  auth-choice pickers, preferred-provider resolution, and CLI help without
+  loading plugin runtime first.
 - `skills` (array): skill directories to load (relative to the plugin root).
 - `name` (string): display name for the plugin.
 - `description` (string): short plugin summary.
 - `uiHints` (object): config field labels/placeholders/sensitive flags for UI rendering.
 - `version` (string): plugin version (informational).
 
+### `providerAuthChoices` shape
+
+Each entry can declare:
+
+- `provider`: provider id
+- `method`: auth method id
+- `choiceId`: stable onboarding/auth-choice id
+- `choiceLabel` / `choiceHint`: picker label + short hint
+- `groupId` / `groupLabel` / `groupHint`: grouped onboarding bucket metadata
+- `optionKey` / `cliFlag` / `cliOption` / `cliDescription`: optional one-flag
+  CLI wiring for simple auth flows such as API keys
+
+Example:
+
+```json
+{
+  "providerAuthChoices": [
+    {
+      "provider": "openrouter",
+      "method": "api-key",
+      "choiceId": "openrouter-api-key",
+      "choiceLabel": "OpenRouter API key",
+      "groupId": "openrouter",
+      "groupLabel": "OpenRouter",
+      "optionKey": "openrouterApiKey",
+      "cliFlag": "--openrouter-api-key",
+      "cliOption": "--openrouter-api-key <key>",
+      "cliDescription": "OpenRouter API key"
+    }
+  ]
+}
+```
+
 ## JSON Schema requirements
 
 - **Every plugin must ship a JSON Schema**, even if it accepts no config.
@@ -84,6 +124,12 @@ Optional keys:
 - The manifest is **required for native OpenClaw plugins**, including local filesystem loads.
 - Runtime still loads the plugin module separately; the manifest is only for
   discovery + validation.
+- `providerAuthEnvVars` is the cheap metadata path for auth probes, env-marker
+  validation, and similar provider-auth surfaces that should not boot plugin
+  runtime just to inspect env names.
+- `providerAuthChoices` is the cheap metadata path for auth-choice pickers,
+  `--auth-choice` resolution, preferred-provider mapping, and simple onboarding
+  CLI flag registration before provider runtime loads.
 - Exclusive plugin kinds are selected through `plugins.slots.*`.
   - `kind: "memory"` is selected by `plugins.slots.memory`.
   - `kind: "context-engine"` is selected by `plugins.slots.contextEngine`
diff --git a/docs/providers/anthropic.md b/docs/providers/anthropic.md
index 8974bb2dd61..d16d76f6315 100644
--- a/docs/providers/anthropic.md
+++ b/docs/providers/anthropic.md
@@ -213,7 +213,7 @@ openclaw models auth paste-token --provider anthropic
 ### CLI setup (setup-token)
 
 ```bash
-# Paste a setup-token during onboarding
+# Paste a setup-token during setup
 openclaw onboard --auth-choice setup-token
 ```
 
diff --git a/docs/providers/huggingface.md b/docs/providers/huggingface.md
index d9746d5c166..7b33955f524 100644
--- a/docs/providers/huggingface.md
+++ b/docs/providers/huggingface.md
@@ -64,7 +64,7 @@ GET https://router.huggingface.co/v1/models
 
 (Optional: send `Authorization: Bearer $HUGGINGFACE_HUB_TOKEN` or `$HF_TOKEN` for the full list; some endpoints return a subset without auth.) The response is OpenAI-style `{ "object": "list", "data": [ { "id": "Qwen/Qwen3-8B", "owned_by": "Qwen", ... }, ... ] }`.
 
-When you configure a Hugging Face API key (via onboarding, `HUGGINGFACE_HUB_TOKEN`, or `HF_TOKEN`), OpenClaw uses this GET to discover available chat-completion models. During **interactive onboarding**, after you enter your token you see a **Default Hugging Face model** dropdown populated from that list (or the built-in catalog if the request fails). At runtime (e.g. Gateway startup), when a key is present, OpenClaw again calls **GET** `https://router.huggingface.co/v1/models` to refresh the catalog. The list is merged with a built-in catalog (for metadata like context window and cost). If the request fails or no key is set, only the built-in catalog is used.
+When you configure a Hugging Face API key (via onboarding, `HUGGINGFACE_HUB_TOKEN`, or `HF_TOKEN`), OpenClaw uses this GET to discover available chat-completion models. During **interactive setup**, after you enter your token you see a **Default Hugging Face model** dropdown populated from that list (or the built-in catalog if the request fails). At runtime (e.g. Gateway startup), when a key is present, OpenClaw again calls **GET** `https://router.huggingface.co/v1/models` to refresh the catalog. The list is merged with a built-in catalog (for metadata like context window and cost). If the request fails or no key is set, only the built-in catalog is used.
 
 ## Model names and editable options
 
diff --git a/docs/providers/minimax.md b/docs/providers/minimax.md
index 8cdc5b028f6..0d3635352cc 100644
--- a/docs/providers/minimax.md
+++ b/docs/providers/minimax.md
@@ -42,7 +42,7 @@ MiniMax highlights these improvements in M2.5:
 Enable the bundled OAuth plugin and authenticate:
 
 ```bash
-openclaw plugins enable minimax-portal-auth  # skip if already loaded.
+openclaw plugins enable minimax  # skip if already loaded.
 openclaw gateway restart  # restart if gateway is already running
 openclaw onboard --auth-choice minimax-portal
 ```
@@ -52,7 +52,7 @@ You will be prompted to select an endpoint:
 - **Global** - International users (`api.minimax.io`)
 - **CN** - Users in China (`api.minimaxi.com`)
 
-See [MiniMax OAuth plugin README](https://github.com/openclaw/openclaw/tree/main/extensions/minimax-portal-auth) for details.
+See [MiniMax plugin README](https://github.com/openclaw/openclaw/tree/main/extensions/minimax) for details.
 
 ### MiniMax M2.5 (API key)
 
diff --git a/docs/providers/ollama.md b/docs/providers/ollama.md
index c4604a8e350..5a1eb2bd27e 100644
--- a/docs/providers/ollama.md
+++ b/docs/providers/ollama.md
@@ -18,7 +18,7 @@ Ollama is a local LLM runtime that makes it easy to run open-source models on yo
 
 ### Onboarding wizard (recommended)
 
-The fastest way to set up Ollama is through the onboarding wizard:
+The fastest way to set up Ollama is through the setup wizard:
 
 ```bash
 openclaw onboard
@@ -231,7 +231,7 @@ Once configured, all your Ollama models are available:
 
 Cloud models let you run cloud-hosted models (for example `kimi-k2.5:cloud`, `minimax-m2.5:cloud`, `glm-5:cloud`) alongside your local models.
 
-To use cloud models, select **Cloud + Local** mode during onboarding. The wizard checks whether you are signed in and opens a browser sign-in flow when needed. If authentication cannot be verified, the wizard falls back to local model defaults.
+To use cloud models, select **Cloud + Local** mode during setup. The wizard checks whether you are signed in and opens a browser sign-in flow when needed. If authentication cannot be verified, the wizard falls back to local model defaults.
 
 You can also sign in directly at [ollama.com/signin](https://ollama.com/signin).
 
diff --git a/docs/providers/opencode.md b/docs/providers/opencode.md
index bf8d54afc9e..da44e5154c0 100644
--- a/docs/providers/opencode.md
+++ b/docs/providers/opencode.md
@@ -59,6 +59,6 @@ openclaw onboard --opencode-go-api-key "$OPENCODE_API_KEY"
 ## Notes
 
 - `OPENCODE_ZEN_API_KEY` is also supported.
-- Entering one OpenCode key during onboarding stores credentials for both runtime providers.
+- Entering one OpenCode key during setup stores credentials for both runtime providers.
 - You sign in to OpenCode, add billing details, and copy your API key.
 - Billing and catalog availability are managed from the OpenCode dashboard.
diff --git a/docs/refactor/cluster.md b/docs/refactor/cluster.md
index f3b13186972..1d9c8e6f119 100644
--- a/docs/refactor/cluster.md
+++ b/docs/refactor/cluster.md
@@ -87,11 +87,11 @@ Risk:
 
 - Low
 
-## 3. Onboarding prompt and config-patch steps
+## 3. Setup prompt and config-patch steps
 
 Large surface area.
 
-Many onboarding files repeat:
+Many setup files repeat:
 
 - resolve account id
 - prompt allowlist entries
@@ -102,18 +102,18 @@ Many onboarding files repeat:
 
 Strong examples:
 
-- `extensions/bluebubbles/src/onboarding.ts`
-- `extensions/googlechat/src/onboarding.ts`
-- `extensions/msteams/src/onboarding.ts`
-- `extensions/zalo/src/onboarding.ts`
-- `extensions/zalouser/src/onboarding.ts`
-- `extensions/nextcloud-talk/src/onboarding.ts`
-- `extensions/matrix/src/onboarding.ts`
-- `extensions/irc/src/onboarding.ts`
+- `extensions/bluebubbles/src/setup-surface.ts`
+- `extensions/googlechat/src/setup-surface.ts`
+- `extensions/msteams/src/setup-surface.ts`
+- `extensions/zalo/src/setup-surface.ts`
+- `extensions/zalouser/src/setup-surface.ts`
+- `extensions/nextcloud-talk/src/setup-surface.ts`
+- `extensions/matrix/src/setup-surface.ts`
+- `extensions/irc/src/setup-surface.ts`
 
 Existing helper seam:
 
-- `src/channels/plugins/onboarding/helpers.ts`
+- `src/channels/plugins/setup-wizard-helpers.ts`
 
 Likely extraction shape:
 
diff --git a/docs/refactor/firecrawl-extension.md b/docs/refactor/firecrawl-extension.md
new file mode 100644
index 00000000000..e25e010e7b1
--- /dev/null
+++ b/docs/refactor/firecrawl-extension.md
@@ -0,0 +1,260 @@
+---
+summary: "Design for an opt-in Firecrawl extension that adds search/scrape value without hardwiring Firecrawl into core defaults"
+read_when:
+  - Designing Firecrawl integration work
+  - Evaluating web_search/web_fetch plugin seams
+  - Deciding whether Firecrawl belongs in core or as an extension
+title: "Firecrawl Extension Design"
+---
+
+# Firecrawl Extension Design
+
+## Goal
+
+Ship Firecrawl as an **opt-in extension** that adds:
+
+- explicit Firecrawl tools for agents,
+- optional Firecrawl-backed `web_search` integration,
+- self-hosted support,
+- stronger security defaults than the current core fallback path,
+
+without pushing Firecrawl into the default setup/onboarding path.
+
+## Why this shape
+
+Recent Firecrawl issues/PRs cluster into three buckets:
+
+1. **Release/schema drift**
+   - Several releases rejected `tools.web.fetch.firecrawl` even though docs and runtime code supported it.
+2. **Security hardening**
+   - Current `fetchFirecrawlContent()` still posts to the Firecrawl endpoint with raw `fetch()`, while the main web-fetch path uses the SSRF guard.
+3. **Product pressure**
+   - Users want Firecrawl-native search/scrape flows, especially for self-hosted/private setups.
+   - Maintainers explicitly rejected wiring Firecrawl deeply into core defaults, setup flow, and browser behavior.
+
+That combination argues for an extension, not more Firecrawl-specific logic in the default core path.
+
+## Design principles
+
+- **Opt-in, vendor-scoped**: no auto-enable, no setup hijack, no default tool-profile widening.
+- **Extension owns Firecrawl-specific config**: prefer plugin config over growing `tools.web.*` again.
+- **Useful on day one**: works even if core `web_search` / `web_fetch` seams stay unchanged.
+- **Security-first**: endpoint fetches use the same guarded networking posture as other web tools.
+- **Self-hosted-friendly**: config + env fallback, explicit base URL, no hosted-only assumptions.
+
+## Proposed extension
+
+Plugin id: `firecrawl`
+
+### MVP capabilities
+
+Register explicit tools:
+
+- `firecrawl_search`
+- `firecrawl_scrape`
+
+Optional later:
+
+- `firecrawl_crawl`
+- `firecrawl_map`
+
+Do **not** add Firecrawl browser automation in the first version. That was the part of PR #32543 that pulled Firecrawl too far into core behavior and raised the most maintainership concern.
+
+## Config shape
+
+Use plugin-scoped config:
+
+```json5
+{
+  plugins: {
+    entries: {
+      firecrawl: {
+        enabled: true,
+        config: {
+          apiKey: "FIRECRAWL_API_KEY",
+          baseUrl: "https://api.firecrawl.dev",
+          timeoutSeconds: 60,
+          maxAgeMs: 172800000,
+          proxy: "auto",
+          storeInCache: true,
+          onlyMainContent: true,
+          search: {
+            enabled: true,
+            defaultLimit: 5,
+            sources: ["web"],
+            categories: [],
+            scrapeResults: false,
+          },
+          scrape: {
+            formats: ["markdown"],
+            fallbackForWebFetchLikeUse: false,
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+### Credential resolution
+
+Precedence:
+
+1. `plugins.entries.firecrawl.config.apiKey`
+2. `FIRECRAWL_API_KEY`
+
+Base URL precedence:
+
+1. `plugins.entries.firecrawl.config.baseUrl`
+2. `FIRECRAWL_BASE_URL`
+3. `https://api.firecrawl.dev`
+
+### Compatibility bridge
+
+For the first release, the extension may also **read** existing core config at `tools.web.fetch.firecrawl.*` as a fallback source so existing users do not need to migrate immediately.
+
+Write path stays plugin-local. Do not keep expanding core Firecrawl config surfaces.
+
+## Tool design
+
+### `firecrawl_search`
+
+Inputs:
+
+- `query`
+- `limit`
+- `sources`
+- `categories`
+- `scrapeResults`
+- `timeoutSeconds`
+
+Behavior:
+
+- Calls Firecrawl `v2/search`
+- Returns normalized OpenClaw-friendly result objects:
+  - `title`
+  - `url`
+  - `snippet`
+  - `source`
+  - optional `content`
+- Wraps result content as untrusted external content
+- Cache key includes query + relevant provider params
+
+Why explicit tool first:
+
+- Works today without changing `tools.web.search.provider`
+- Avoids current schema/loader constraints
+- Gives users Firecrawl value immediately
+
+### `firecrawl_scrape`
+
+Inputs:
+
+- `url`
+- `formats`
+- `onlyMainContent`
+- `maxAgeMs`
+- `proxy`
+- `storeInCache`
+- `timeoutSeconds`
+
+Behavior:
+
+- Calls Firecrawl `v2/scrape`
+- Returns markdown/text plus metadata:
+  - `title`
+  - `finalUrl`
+  - `status`
+  - `warning`
+- Wraps extracted content the same way `web_fetch` does
+- Shares cache semantics with web tool expectations where practical
+
+Why explicit scrape tool:
+
+- Sidesteps the unresolved `Readability -> Firecrawl -> basic HTML cleanup` ordering bug in core `web_fetch`
+- Gives users a deterministic “always use Firecrawl” path for JS-heavy/bot-protected sites
+
+## What the extension should not do
+
+- No auto-adding `browser`, `web_search`, or `web_fetch` to `tools.alsoAllow`
+- No default onboarding step in `openclaw setup`
+- No Firecrawl-specific browser session lifecycle in core
+- No change to built-in `web_fetch` fallback semantics in the extension MVP
+
+## Phase plan
+
+### Phase 1: extension-only, no core schema changes
+
+Implement:
+
+- `extensions/firecrawl/`
+- plugin config schema
+- `firecrawl_search`
+- `firecrawl_scrape`
+- tests for config resolution, endpoint selection, caching, error handling, and SSRF guard usage
+
+This phase is enough to ship real user value.
+
+### Phase 2: optional `web_search` provider integration
+
+Support `tools.web.search.provider = "firecrawl"` only after fixing two core constraints:
+
+1. `src/plugins/web-search-providers.ts` must load configured/installed web-search-provider plugins instead of a hardcoded bundled list.
+2. `src/config/types.tools.ts` and `src/config/zod-schema.agent-runtime.ts` must stop hardcoding the provider enum in a way that blocks plugin-registered ids.
+
+Recommended shape:
+
+- keep built-in providers documented,
+- allow any registered plugin provider id at runtime,
+- validate provider-specific config via the provider plugin or a generic provider bag.
+
+### Phase 3: optional `web_fetch` provider seam
+
+Do this only if maintainers want vendor-specific fetch backends to participate in `web_fetch`.
+
+Needed core addition:
+
+- `registerWebFetchProvider` or equivalent fetch-backend seam
+
+Without that seam, the extension should keep `firecrawl_scrape` as an explicit tool rather than trying to patch built-in `web_fetch`.
+
+## Security requirements
+
+The extension must treat Firecrawl as a **trusted operator-configured endpoint**, but still harden transport:
+
+- Use SSRF-guarded fetch for the Firecrawl endpoint call, not raw `fetch()`
+- Preserve self-hosted/private-network compatibility using the same trusted-web-tools endpoint policy used elsewhere
+- Never log the API key
+- Keep endpoint/base URL resolution explicit and predictable
+- Treat Firecrawl-returned content as untrusted external content
+
+This mirrors the intent behind the SSRF hardening PRs without assuming Firecrawl is a hostile multi-tenant surface.
+
+## Why not a skill
+
+The repo already closed a Firecrawl skill PR in favor of ClawHub distribution. That is fine for optional user-installed prompt workflows, but it does not solve:
+
+- deterministic tool availability,
+- provider-grade config/credential handling,
+- self-hosted endpoint support,
+- caching,
+- stable typed outputs,
+- security review on network behavior.
+
+This belongs as an extension, not a prompt-only skill.
+
+## Success criteria
+
+- Users can install/enable one extension and get reliable Firecrawl search/scrape without touching core defaults.
+- Self-hosted Firecrawl works with config/env fallback.
+- Extension endpoint fetches use guarded networking.
+- No new Firecrawl-specific core onboarding/default behavior.
+- Core can later adopt plugin-native `web_search` / `web_fetch` seams without redesigning the extension.
+
+## Recommended implementation order
+
+1. Build `firecrawl_scrape`
+2. Build `firecrawl_search`
+3. Add docs and examples
+4. If desired, generalize `web_search` provider loading so the extension can back `web_search`
+5. Only then consider a true `web_fetch` provider seam
diff --git a/docs/refactor/plugin-sdk.md b/docs/refactor/plugin-sdk.md
index 4722644083b..5a630982a97 100644
--- a/docs/refactor/plugin-sdk.md
+++ b/docs/refactor/plugin-sdk.md
@@ -28,7 +28,7 @@ Contents (examples):
 - Config helpers: `buildChannelConfigSchema`, `setAccountEnabledInConfigSection`, `deleteAccountFromConfigSection`,
   `applyAccountNameToChannelSection`.
 - Pairing helpers: `PAIRING_APPROVED_MESSAGE`, `formatPairingApproveHint`.
-- Onboarding helpers: `promptChannelAccessConfig`, `addWildcardAllowFrom`, onboarding types.
+- Setup entry points: host-owned `setup` + `setupWizard`; avoid broad public onboarding helpers.
 - Tool param helpers: `createActionGate`, `readStringParam`, `readNumberParam`, `readReactionParams`, `jsonResult`.
 - Docs link helper: `formatDocsLink`.
 
@@ -212,3 +212,27 @@ Notes:
 - External plugins can be developed and updated without core source access.
 
 Related docs: [Plugins](/tools/plugin), [Channels](/channels/index), [Configuration](/gateway/configuration).
+
+## Implemented channel-owned seams
+
+Recent refactor work widened the channel plugin contract so core can stop owning
+channel-specific UX and routing behavior:
+
+- `messaging.buildCrossContextComponents`: channel-owned cross-context UI markers
+  (for example Discord components v2 containers)
+- `messaging.enableInteractiveReplies`: channel-owned reply normalization toggles
+  (for example Slack interactive replies)
+- `messaging.resolveOutboundSessionRoute`: channel-owned outbound session routing
+- `status.formatCapabilitiesProbe` / `status.buildCapabilitiesDiagnostics`: channel-owned
+  `/channels capabilities` probe display and extra audits/scopes
+- `threading.resolveAutoThreadId`: channel-owned same-conversation auto-threading
+- `threading.resolveReplyTransport`: channel-owned reply-vs-thread delivery mapping
+- `actions.requiresTrustedRequesterSender`: channel-owned privileged action trust gates
+- `execApprovals.*`: channel-owned exec approval surface state, forwarding suppression,
+  pending payload UX, and pre-delivery hooks
+- `lifecycle.onAccountConfigChanged` / `lifecycle.onAccountRemoved`: channel-owned cleanup on
+  config mutation/removal
+- `allowlist.supportsScope`: channel-owned allowlist scope advertisement
+
+These hooks should be preferred over new `channel === "discord"` / `telegram`
+branches in shared core flows.
diff --git a/docs/reference/wizard.md b/docs/reference/wizard.md
index bbaebbdc84f..5bfa3da7f9f 100644
--- a/docs/reference/wizard.md
+++ b/docs/reference/wizard.md
@@ -1,17 +1,17 @@
 ---
-summary: "Full reference for the CLI onboarding wizard: every step, flag, and config field"
+summary: "Full reference for the CLI setup wizard: every step, flag, and config field"
 read_when:
   - Looking up a specific wizard step or flag
   - Automating onboarding with non-interactive mode
   - Debugging wizard behavior
-title: "Onboarding Wizard Reference"
+title: "Setup Wizard Reference"
 sidebarTitle: "Wizard Reference"
 ---
 
-# Onboarding Wizard Reference
+# Setup Wizard Reference
 
 This is the full reference for the `openclaw onboard` CLI wizard.
-For a high-level overview, see [Onboarding Wizard](/start/wizard).
+For a high-level overview, see [Setup Wizard](/start/wizard).
 
 ## Flow details (local mode)
 
@@ -73,12 +73,12 @@ For a high-level overview, see [Onboarding Wizard](/start/wizard).
   <Step title="Gateway">
     - Port, bind, auth mode, tailscale exposure.
     - Auth recommendation: keep **Token** even for loopback so local WS clients must authenticate.
-    - In token mode, interactive onboarding offers:
+    - In token mode, interactive setup offers:
       - **Generate/store plaintext token** (default)
       - **Use SecretRef** (opt-in)
       - Quickstart reuses existing `gateway.auth.token` SecretRefs across `env`, `file`, and `exec` providers for onboarding probe/dashboard bootstrap.
       - If that SecretRef is configured but cannot be resolved, onboarding fails early with a clear fix message instead of silently degrading runtime auth.
-    - In password mode, interactive onboarding also supports plaintext or SecretRef storage.
+    - In password mode, interactive setup also supports plaintext or SecretRef storage.
     - Non-interactive token SecretRef path: `--gateway-token-ref-env <ENV_VAR>`.
       - Requires a non-empty env var in the onboarding process environment.
       - Cannot be combined with `--gateway-token`.
@@ -208,7 +208,7 @@ Typical fields in `~/.openclaw/openclaw.json`:
 - `agents.defaults.model` / `models.providers` (if Minimax chosen)
 - `tools.profile` (local onboarding defaults to `"coding"` when unset; existing explicit values are preserved)
 - `gateway.*` (mode, bind, auth, tailscale)
-- `session.dmScope` (behavior details: [CLI Onboarding Reference](/start/wizard-cli-reference#outputs-and-internals))
+- `session.dmScope` (behavior details: [CLI Setup Reference](/start/wizard-cli-reference#outputs-and-internals))
 - `channels.telegram.botToken`, `channels.discord.token`, `channels.signal.*`, `channels.imessage.*`
 - Channel allowlists (Slack/Discord/Matrix/Microsoft Teams) when you opt in during the prompts (names resolve to IDs when possible).
 - `skills.install.nodeManager`
@@ -223,12 +223,12 @@ Typical fields in `~/.openclaw/openclaw.json`:
 WhatsApp credentials go under `~/.openclaw/credentials/whatsapp/<accountId>/`.
 Sessions are stored under `~/.openclaw/agents/<agentId>/sessions/`.
 
-Some channels are delivered as plugins. When you pick one during onboarding, the wizard
+Some channels are delivered as plugins. When you pick one during setup, the wizard
 will prompt to install it (npm or a local path) before it can be configured.
 
 ## Related docs
 
-- Wizard overview: [Onboarding Wizard](/start/wizard)
+- Wizard overview: [Setup Wizard](/start/wizard)
 - macOS app onboarding: [Onboarding](/start/onboarding)
 - Config reference: [Gateway configuration](/gateway/configuration)
 - Providers: [WhatsApp](/channels/whatsapp), [Telegram](/channels/telegram), [Discord](/channels/discord), [Google Chat](/channels/googlechat), [Signal](/channels/signal), [BlueBubbles](/channels/bluebubbles) (iMessage), [iMessage](/channels/imessage) (legacy)
diff --git a/docs/start/getting-started.md b/docs/start/getting-started.md
index 26b54b63f6f..3fc64e5087d 100644
--- a/docs/start/getting-started.md
+++ b/docs/start/getting-started.md
@@ -52,13 +52,13 @@ Check your Node version with `node --version` if you are unsure.
     </Note>
 
   </Step>
-  <Step title="Run the onboarding wizard">
+  <Step title="Run the setup wizard">
     ```bash
     openclaw onboard --install-daemon
     ```
 
     The wizard configures auth, gateway settings, and optional channels.
-    See [Onboarding Wizard](/start/wizard) for details.
+    See [Setup Wizard](/start/wizard) for details.
 
   </Step>
   <Step title="Check the Gateway">
@@ -114,7 +114,7 @@ Full environment variable reference: [Environment vars](/help/environment).
 ## Go deeper
 
 <Columns>
-  <Card title="Onboarding Wizard (details)" href="/start/wizard">
+  <Card title="Setup Wizard (details)" href="/start/wizard">
     Full CLI wizard reference and advanced options.
   </Card>
   <Card title="macOS app onboarding" href="/start/onboarding">
diff --git a/docs/start/onboarding-overview.md b/docs/start/onboarding-overview.md
index 6227cdc104b..1e94a4db64a 100644
--- a/docs/start/onboarding-overview.md
+++ b/docs/start/onboarding-overview.md
@@ -17,7 +17,7 @@ and how you prefer to configure providers.
 - **CLI wizard** for macOS, Linux, and Windows (via WSL2).
 - **macOS app** for a guided first run on Apple silicon or Intel Macs.
 
-## CLI onboarding wizard
+## CLI setup wizard
 
 Run the wizard in a terminal:
 
@@ -28,7 +28,7 @@ openclaw onboard
 Use the CLI wizard when you want full control of the Gateway, workspace,
 channels, and skills. Docs:
 
-- [Onboarding Wizard (CLI)](/start/wizard)
+- [Setup Wizard (CLI)](/start/wizard)
 - [`openclaw onboard` command](/cli/onboard)
 
 ## macOS app onboarding
diff --git a/docs/start/onboarding.md b/docs/start/onboarding.md
index 3e3401cad64..c1dfb90b676 100644
--- a/docs/start/onboarding.md
+++ b/docs/start/onboarding.md
@@ -1,5 +1,5 @@
 ---
-summary: "First-run onboarding flow for OpenClaw (macOS app)"
+summary: "First-run setup flow for OpenClaw (macOS app)"
 read_when:
   - Designing the macOS onboarding assistant
   - Implementing auth or identity setup
@@ -9,7 +9,7 @@ sidebarTitle: "Onboarding: macOS App"
 
 # Onboarding (macOS App)
 
-This doc describes the **current** first‑run onboarding flow. The goal is a
+This doc describes the **current** first‑run setup flow. The goal is a
 smooth “day 0” experience: pick where the Gateway runs, connect auth, run the
 wizard, and let the agent bootstrap itself.
 For a general overview of onboarding paths, see [Onboarding Overview](/start/onboarding-overview).
diff --git a/docs/start/wizard-cli-automation.md b/docs/start/wizard-cli-automation.md
index cd00787c5c7..884d49e143b 100644
--- a/docs/start/wizard-cli-automation.md
+++ b/docs/start/wizard-cli-automation.md
@@ -33,7 +33,7 @@ openclaw onboard --non-interactive \
 Add `--json` for a machine-readable summary.
 
 Use `--secret-input-mode ref` to store env-backed refs in auth profiles instead of plaintext values.
-Interactive selection between env refs and configured provider refs (`file` or `exec`) is available in the onboarding wizard flow.
+Interactive selection between env refs and configured provider refs (`file` or `exec`) is available in the setup wizard flow.
 
 In non-interactive `ref` mode, provider env vars must be set in the process environment.
 Passing inline key flags without the matching env var now fails fast.
@@ -210,6 +210,6 @@ Notes:
 
 ## Related docs
 
-- Onboarding hub: [Onboarding Wizard (CLI)](/start/wizard)
-- Full reference: [CLI Onboarding Reference](/start/wizard-cli-reference)
+- Onboarding hub: [Setup Wizard (CLI)](/start/wizard)
+- Full reference: [CLI Setup Reference](/start/wizard-cli-reference)
 - Command reference: [`openclaw onboard`](/cli/onboard)
diff --git a/docs/start/wizard-cli-reference.md b/docs/start/wizard-cli-reference.md
index 5d3e6be6e72..36bd836a13f 100644
--- a/docs/start/wizard-cli-reference.md
+++ b/docs/start/wizard-cli-reference.md
@@ -1,16 +1,16 @@
 ---
-summary: "Complete reference for CLI onboarding flow, auth/model setup, outputs, and internals"
+summary: "Complete reference for CLI setup flow, auth/model setup, outputs, and internals"
 read_when:
   - You need detailed behavior for openclaw onboard
   - You are debugging onboarding results or integrating onboarding clients
-title: "CLI Onboarding Reference"
+title: "CLI Setup Reference"
 sidebarTitle: "CLI reference"
 ---
 
-# CLI Onboarding Reference
+# CLI Setup Reference
 
 This page is the full reference for `openclaw onboard`.
-For the short guide, see [Onboarding Wizard (CLI)](/start/wizard).
+For the short guide, see [Setup Wizard (CLI)](/start/wizard).
 
 ## What the wizard does
 
@@ -51,10 +51,10 @@ It does not install or modify anything on the remote host.
   <Step title="Gateway">
     - Prompts for port, bind, auth mode, and tailscale exposure.
     - Recommended: keep token auth enabled even for loopback so local WS clients must authenticate.
-    - In token mode, interactive onboarding offers:
+    - In token mode, interactive setup offers:
       - **Generate/store plaintext token** (default)
       - **Use SecretRef** (opt-in)
-    - In password mode, interactive onboarding also supports plaintext or SecretRef storage.
+    - In password mode, interactive setup also supports plaintext or SecretRef storage.
     - Non-interactive token SecretRef path: `--gateway-token-ref-env <ENV_VAR>`.
       - Requires a non-empty env var in the onboarding process environment.
       - Cannot be combined with `--gateway-token`.
@@ -222,7 +222,7 @@ Credential storage mode:
 
 - Default onboarding behavior persists API keys as plaintext values in auth profiles.
 - `--secret-input-mode ref` enables reference mode instead of plaintext key storage.
-  In interactive onboarding, you can choose either:
+  In interactive setup, you can choose either:
   - environment variable ref (for example `keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" }`)
   - configured provider ref (`file` or `exec`) with provider alias + id
 - Interactive reference mode runs a fast preflight validation before saving.
@@ -234,7 +234,7 @@ Credential storage mode:
   - Inline key flags (for example `--openai-api-key`) require that env var to be set; otherwise onboarding fails fast.
   - For custom providers, non-interactive `ref` mode stores `models.providers.<id>.apiKey` as `{ source: "env", provider: "default", id: "CUSTOM_API_KEY" }`.
   - In that custom-provider case, `--custom-api-key` requires `CUSTOM_API_KEY` to be set; otherwise onboarding fails fast.
-- Gateway auth credentials support plaintext and SecretRef choices in interactive onboarding:
+- Gateway auth credentials support plaintext and SecretRef choices in interactive setup:
   - Token mode: **Generate/store plaintext token** (default) or **Use SecretRef**.
   - Password mode: plaintext or SecretRef.
 - Non-interactive token SecretRef path: `--gateway-token-ref-env <ENV_VAR>`.
@@ -270,7 +270,7 @@ WhatsApp credentials go under `~/.openclaw/credentials/whatsapp/<accountId>/`.
 Sessions are stored under `~/.openclaw/agents/<agentId>/sessions/`.
 
 <Note>
-Some channels are delivered as plugins. When selected during onboarding, the wizard
+Some channels are delivered as plugins. When selected during setup, the wizard
 prompts to install the plugin (npm or local path) before channel configuration.
 </Note>
 
@@ -294,6 +294,6 @@ Signal setup behavior:
 
 ## Related docs
 
-- Onboarding hub: [Onboarding Wizard (CLI)](/start/wizard)
+- Onboarding hub: [Setup Wizard (CLI)](/start/wizard)
 - Automation and scripts: [CLI Automation](/start/wizard-cli-automation)
 - Command reference: [`openclaw onboard`](/cli/onboard)
diff --git a/docs/start/wizard.md b/docs/start/wizard.md
index 05c09ed53fd..7bbe9df64cf 100644
--- a/docs/start/wizard.md
+++ b/docs/start/wizard.md
@@ -1,15 +1,15 @@
 ---
-summary: "CLI onboarding wizard: guided setup for gateway, workspace, channels, and skills"
+summary: "CLI setup wizard: guided setup for gateway, workspace, channels, and skills"
 read_when:
-  - Running or configuring the onboarding wizard
+  - Running or configuring the setup wizard
   - Setting up a new machine
-title: "Onboarding Wizard (CLI)"
+title: "Setup Wizard (CLI)"
 sidebarTitle: "Onboarding: CLI"
 ---
 
-# Onboarding Wizard (CLI)
+# Setup Wizard (CLI)
 
-The onboarding wizard is the **recommended** way to set up OpenClaw on macOS,
+The setup wizard is the **recommended** way to set up OpenClaw on macOS,
 Linux, or Windows (via WSL2; strongly recommended).
 It configures a local Gateway or a remote Gateway connection, plus channels, skills,
 and workspace defaults in one guided flow.
@@ -35,7 +35,7 @@ openclaw agents add <name>
 </Note>
 
 <Tip>
-The onboarding wizard includes a web search step where you can pick a provider
+The setup wizard includes a web search step where you can pick a provider
 (Perplexity, Brave, Gemini, Grok, or Kimi) and paste your API key so the agent
 can use `web_search`. You can also configure this later with
 `openclaw configure --section web`. Docs: [Web tools](/tools/web).
@@ -52,7 +52,7 @@ The wizard starts with **QuickStart** (defaults) vs **Advanced** (full control).
     - Gateway port **18789**
     - Gateway auth **Token** (auto‑generated, even on loopback)
     - Tool policy default for new local setups: `tools.profile: "coding"` (existing explicit profile is preserved)
-    - DM isolation default: local onboarding writes `session.dmScope: "per-channel-peer"` when unset. Details: [CLI Onboarding Reference](/start/wizard-cli-reference#outputs-and-internals)
+    - DM isolation default: local onboarding writes `session.dmScope: "per-channel-peer"` when unset. Details: [CLI Setup Reference](/start/wizard-cli-reference#outputs-and-internals)
     - Tailscale exposure **Off**
     - Telegram + WhatsApp DMs default to **allowlist** (you'll be prompted for your phone number)
   </Tab>
@@ -112,7 +112,7 @@ Notes:
 ## Full reference
 
 For detailed step-by-step breakdowns and config outputs, see
-[CLI Onboarding Reference](/start/wizard-cli-reference).
+[CLI Setup Reference](/start/wizard-cli-reference).
 For non-interactive examples, see [CLI Automation](/start/wizard-cli-automation).
 For the deeper technical reference, including RPC details, see
 [Wizard Reference](/reference/wizard).
diff --git a/docs/tools/browser-linux-troubleshooting.md b/docs/tools/browser-linux-troubleshooting.md
index 6f9940c1c67..2a5196c3739 100644
--- a/docs/tools/browser-linux-troubleshooting.md
+++ b/docs/tools/browser-linux-troubleshooting.md
@@ -121,19 +121,18 @@ curl -s http://127.0.0.1:18791/tabs
 | `browser.attachOnly`     | Don't launch browser, only attach to existing                        | `false`                                                     |
 | `browser.cdpPort`        | Chrome DevTools Protocol port                                        | `18800`                                                     |
 
-### Problem: "Chrome extension relay is running, but no tab is connected"
+### Problem: "No Chrome tabs found for profile=\"user\""
 
-You're using an extension relay profile. It expects the OpenClaw
-browser extension to be attached to a live tab.
+You're using an `existing-session` / Chrome MCP profile. OpenClaw can see local Chrome,
+but there are no open tabs available to attach to.
 
 Fix options:
 
 1. **Use the managed browser:** `openclaw browser start --browser-profile openclaw`
    (or set `browser.defaultProfile: "openclaw"`).
-2. **Use the extension relay:** install the extension, open a tab, and click the
-   OpenClaw extension icon to attach it.
+2. **Use Chrome MCP:** make sure local Chrome is running with at least one open tab, then retry with `--browser-profile user`.
 
 Notes:
 
-- The `chrome-relay` profile uses your **system default Chromium browser** when possible.
+- `user` is host-only. For Linux servers, containers, or remote hosts, prefer CDP profiles.
 - Local `openclaw` profiles auto-assign `cdpPort`/`cdpUrl`; only set those for remote CDP.
diff --git a/docs/tools/browser-login.md b/docs/tools/browser-login.md
index d570b3b2e87..52135a80673 100644
--- a/docs/tools/browser-login.md
+++ b/docs/tools/browser-login.md
@@ -24,7 +24,6 @@ For agent browser tool calls:
 
 - Default choice: the agent should use its isolated `openclaw` browser.
 - Use `profile="user"` only when existing logged-in sessions matter and the user is at the computer to click/approve any attach prompt.
-- Use `profile="chrome-relay"` only for the Chrome extension / toolbar-button attach flow.
 - If you have multiple user-browser profiles, specify the profile explicitly instead of guessing.
 
 Two easy ways to access it:
diff --git a/docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md b/docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md
index 2e7844860aa..6824cee6788 100644
--- a/docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md
+++ b/docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md
@@ -1,9 +1,9 @@
 ---
-summary: "Troubleshoot WSL2 Gateway + Windows Chrome remote CDP and extension-relay setups in layers"
+summary: "Troubleshoot WSL2 Gateway + Windows Chrome remote CDP in layers"
 read_when:
   - Running OpenClaw Gateway in WSL2 while Chrome lives on Windows
   - Seeing overlapping browser/control-ui errors across WSL2 and Windows
-  - Deciding between raw remote CDP and the Chrome extension relay in split-host setups
+  - Deciding between host-local Chrome MCP and raw remote CDP in split-host setups
 title: "WSL2 + Windows + remote Chrome CDP troubleshooting"
 ---
 
@@ -21,27 +21,27 @@ It also covers the layered failure pattern from [issue #39369](https://github.co
 
 You have two valid patterns:
 
-### Option 1: Raw remote CDP
+### Option 1: Raw remote CDP from WSL2 to Windows
 
 Use a remote browser profile that points from WSL2 to a Windows Chrome CDP endpoint.
 
 Choose this when:
 
-- you only need browser control
-- you are comfortable exposing Chrome remote debugging to WSL2
-- you do not need the Chrome extension relay
+- the Gateway stays inside WSL2
+- Chrome runs on Windows
+- you need browser control to cross the WSL2/Windows boundary
 
-### Option 2: Chrome extension relay
+### Option 2: Host-local Chrome MCP
 
-Use the built-in `chrome-relay` profile plus the OpenClaw Chrome extension.
+Use `existing-session` / `user` only when the Gateway itself runs on the same host as Chrome.
 
 Choose this when:
 
-- you want to attach to an existing Windows Chrome tab with the toolbar button
-- you want extension-based control instead of raw `--remote-debugging-port`
-- the relay itself must be reachable across the WSL2/Windows boundary
+- OpenClaw and Chrome are on the same machine
+- you want the local signed-in browser state
+- you do not need cross-host browser transport
 
-If you use the extension relay across namespaces, `browser.relayBindHost` is the important setting introduced in [Browser](/tools/browser) and [Chrome extension](/tools/chrome-extension).
+For WSL2 Gateway + Windows Chrome, prefer raw remote CDP. Chrome MCP is host-local, not a WSL2-to-Windows bridge.
 
 ## Working architecture
 
@@ -62,7 +62,6 @@ Several failures can overlap:
 - `gateway.controlUi.allowedOrigins` does not match the page origin
 - token or pairing is missing
 - the browser profile points at the wrong address
-- the extension relay is still loopback-only when you actually need cross-namespace access
 
 Because of that, fixing one layer can still leave a different error visible.
 
@@ -145,31 +144,7 @@ Notes:
 - keep `attachOnly: true` for externally managed browsers
 - test the same URL with `curl` before expecting OpenClaw to succeed
 
-### Layer 4: If you use the Chrome extension relay instead
-
-If the browser machine and the Gateway are separated by a namespace boundary, the relay may need a non-loopback bind address.
-
-Example:
-
-```json5
-{
-  browser: {
-    enabled: true,
-    defaultProfile: "chrome-relay",
-    relayBindHost: "0.0.0.0",
-  },
-}
-```
-
-Use this only when needed:
-
-- default behavior is safer because the relay stays loopback-only
-- `0.0.0.0` expands exposure surface
-- keep Gateway auth, node pairing, and the surrounding network private
-
-If you do not need the extension relay, prefer the raw remote CDP profile above.
-
-### Layer 5: Verify the Control UI layer separately
+### Layer 4: Verify the Control UI layer separately
 
 Open the UI from Windows:
 
@@ -185,7 +160,7 @@ Helpful page:
 
 - [Control UI](/web/control-ui)
 
-### Layer 6: Verify end-to-end browser control
+### Layer 5: Verify end-to-end browser control
 
 From WSL2:
 
@@ -194,12 +169,6 @@ openclaw browser open https://example.com --browser-profile remote
 openclaw browser tabs --browser-profile remote
 ```
 
-For the extension relay:
-
-```bash
-openclaw browser tabs --browser-profile chrome-relay
-```
-
 Good result:
 
 - the tab opens in Windows Chrome
@@ -220,8 +189,8 @@ Treat each message as a layer-specific clue:
   - WSL2 cannot reach the configured `cdpUrl`
 - `gateway timeout after 1500ms`
   - often still CDP reachability or a slow/unreachable remote endpoint
-- `Chrome extension relay is running, but no tab is connected`
-  - extension relay profile selected, but no attached tab exists yet
+- `No Chrome tabs found for profile="user"`
+  - local Chrome MCP profile selected where no host-local tabs are available
 
 ## Fast triage checklist
 
@@ -229,11 +198,11 @@ Treat each message as a layer-specific clue:
 2. WSL2: does `curl http://WINDOWS_HOST_OR_IP:9222/json/version` work?
 3. OpenClaw config: does `browser.profiles.<name>.cdpUrl` use that exact WSL2-reachable address?
 4. Control UI: are you opening `http://127.0.0.1:18789/` instead of a LAN IP?
-5. Extension relay only: do you actually need `browser.relayBindHost`, and if so is it set explicitly?
+5. Are you trying to use `existing-session` across WSL2 and Windows instead of raw remote CDP?
 
 ## Practical takeaway
 
-The setup is usually viable. The hard part is that browser transport, Control UI origin security, token/pairing, and extension-relay topology can each fail independently while looking similar from the user side.
+The setup is usually viable. The hard part is that browser transport, Control UI origin security, and token/pairing can each fail independently while looking similar from the user side.
 
 When in doubt:
 
diff --git a/docs/tools/browser.md b/docs/tools/browser.md
index c760c23998c..19ee23a25ca 100644
--- a/docs/tools/browser.md
+++ b/docs/tools/browser.md
@@ -18,8 +18,7 @@ Beginner view:
 - Think of it as a **separate, agent-only browser**.
 - The `openclaw` profile does **not** touch your personal browser profile.
 - The agent can **open tabs, read pages, click, and type** in a safe lane.
-- The built-in `user` profile attaches to your real signed-in Chrome session;
-  `chrome-relay` is the explicit extension-relay profile.
+- The built-in `user` profile attaches to your real signed-in Chrome session via Chrome MCP.
 
 ## What you get
 
@@ -43,21 +42,17 @@ openclaw browser --browser-profile openclaw snapshot
 If you get “Browser disabled”, enable it in config (see below) and restart the
 Gateway.
 
-## Profiles: `openclaw` vs `user` vs `chrome-relay`
+## Profiles: `openclaw` vs `user`
 
 - `openclaw`: managed, isolated browser (no extension required).
 - `user`: built-in Chrome MCP attach profile for your **real signed-in Chrome**
   session.
-- `chrome-relay`: extension relay to your **system browser** (requires the
-  OpenClaw extension to be attached to a tab).
 
 For agent browser tool calls:
 
 - Default: use the isolated `openclaw` browser.
 - Prefer `profile="user"` when existing logged-in sessions matter and the user
   is at the computer to click/approve any attach prompt.
-- Use `profile="chrome-relay"` only when the user explicitly wants the Chrome
-  extension / toolbar-button attach flow.
 - `profile` is the explicit override when you want a specific browser mode.
 
 Set `browser.defaultProfile: "openclaw"` if you want managed mode by default.
@@ -93,11 +88,6 @@ Browser settings live in `~/.openclaw/openclaw.json`.
         attachOnly: true,
         color: "#00AA00",
       },
-      "chrome-relay": {
-        driver: "extension",
-        cdpUrl: "http://127.0.0.1:18792",
-        color: "#00AA00",
-      },
       remote: { cdpUrl: "http://10.0.0.42:9222", color: "#00AA00" },
     },
   },
@@ -107,10 +97,10 @@ Browser settings live in `~/.openclaw/openclaw.json`.
 Notes:
 
 - The browser control service binds to loopback on a port derived from `gateway.port`
-  (default: `18791`, which is gateway + 2). The relay uses the next port (`18792`).
+  (default: `18791`, which is gateway + 2).
 - If you override the Gateway port (`gateway.port` or `OPENCLAW_GATEWAY_PORT`),
   the derived browser ports shift to stay in the same “family”.
-- `cdpUrl` defaults to the relay port when unset.
+- `cdpUrl` defaults to the managed local CDP port when unset.
 - `remoteCdpTimeoutMs` applies to remote (non-loopback) CDP reachability checks.
 - `remoteCdpHandshakeTimeoutMs` applies to remote CDP WebSocket reachability checks.
 - Browser navigation/open-tab is SSRF-guarded before navigation and best-effort re-checked on final `http(s)` URL after navigation.
@@ -119,7 +109,7 @@ Notes:
 - `browser.ssrfPolicy.allowPrivateNetwork` remains supported as a legacy alias for compatibility.
 - `attachOnly: true` means “never launch a local browser; only attach if it is already running.”
 - `color` + per-profile `color` tint the browser UI so you can see which profile is active.
-- Default profile is `openclaw` (OpenClaw-managed standalone browser). Use `defaultProfile: "user"` to opt into the signed-in user browser, or `defaultProfile: "chrome-relay"` for the extension relay.
+- Default profile is `openclaw` (OpenClaw-managed standalone browser). Use `defaultProfile: "user"` to opt into the signed-in user browser.
 - Auto-detect order: system default browser if Chromium-based; otherwise Chrome → Brave → Edge → Chromium → Chrome Canary.
 - Local `openclaw` profiles auto-assign `cdpPort`/`cdpUrl` — set those only for remote CDP.
 - `driver: "existing-session"` uses Chrome DevTools MCP instead of raw CDP. Do
@@ -287,77 +277,18 @@ OpenClaw supports multiple named profiles (routing configs). Profiles can be:
 
 - **openclaw-managed**: a dedicated Chromium-based browser instance with its own user data directory + CDP port
 - **remote**: an explicit CDP URL (Chromium-based browser running elsewhere)
-- **extension relay**: your existing Chrome tab(s) via the local relay + Chrome extension
 - **existing session**: your existing Chrome profile via Chrome DevTools MCP auto-connect
 
 Defaults:
 
 - The `openclaw` profile is auto-created if missing.
-- The `chrome-relay` profile is built-in for the Chrome extension relay (points at `http://127.0.0.1:18792` by default).
-- Existing-session profiles are opt-in; create them with `--driver existing-session`.
+- The `user` profile is built-in for Chrome MCP existing-session attach.
+- Existing-session profiles are opt-in beyond `user`; create them with `--driver existing-session`.
 - Local CDP ports allocate from **18800–18899** by default.
 - Deleting a profile moves its local data directory to Trash.
 
 All control endpoints accept `?profile=<name>`; the CLI uses `--browser-profile`.
 
-## Chrome extension relay (use your existing Chrome)
-
-OpenClaw can also drive **your existing Chrome tabs** (no separate “openclaw” Chrome instance) via a local CDP relay + a Chrome extension.
-
-Full guide: [Chrome extension](/tools/chrome-extension)
-
-Flow:
-
-- The Gateway runs locally (same machine) or a node host runs on the browser machine.
-- A local **relay server** listens at a loopback `cdpUrl` (default: `http://127.0.0.1:18792`).
-- You click the **OpenClaw Browser Relay** extension icon on a tab to attach (it does not auto-attach).
-- The agent controls that tab via the normal `browser` tool, by selecting the right profile.
-
-If the Gateway runs elsewhere, run a node host on the browser machine so the Gateway can proxy browser actions.
-
-### Sandboxed sessions
-
-If the agent session is sandboxed, the `browser` tool may default to `target="sandbox"` (sandbox browser).
-Chrome extension relay takeover requires host browser control, so either:
-
-- run the session unsandboxed, or
-- set `agents.defaults.sandbox.browser.allowHostControl: true` and use `target="host"` when calling the tool.
-
-### Setup
-
-1. Load the extension (dev/unpacked):
-
-```bash
-openclaw browser extension install
-```
-
-- Chrome → `chrome://extensions` → enable “Developer mode”
-- “Load unpacked” → select the directory printed by `openclaw browser extension path`
-- Pin the extension, then click it on the tab you want to control (badge shows `ON`).
-
-2. Use it:
-
-- CLI: `openclaw browser --browser-profile chrome-relay tabs`
-- Agent tool: `browser` with `profile="chrome-relay"`
-
-Optional: if you want a different name or relay port, create your own profile:
-
-```bash
-openclaw browser create-profile \
-  --name my-chrome \
-  --driver extension \
-  --cdp-url http://127.0.0.1:18792 \
-  --color "#00AA00"
-```
-
-Notes:
-
-- This mode relies on Playwright-on-CDP for most operations (screenshots/snapshots/actions).
-- Detach by clicking the extension icon again.
-- Agent use: prefer `profile="user"` for logged-in sites. Use `profile="chrome-relay"`
-  only when you specifically want the extension flow. The user must be present
-  to click the extension and attach the tab.
-
 ## Chrome existing-session via MCP
 
 OpenClaw can also attach to a running Chrome profile through the official
@@ -404,13 +335,14 @@ What to check if attach does not work:
 - Chrome is version `144+`
 - remote debugging is enabled at `chrome://inspect/#remote-debugging`
 - Chrome showed and you accepted the attach consent prompt
+- `openclaw doctor` migrates old extension-based browser config and checks that
+  Chrome is installed locally with a compatible version, but it cannot enable
+  Chrome-side remote debugging for you
 
 Agent use:
 
 - Use `profile="user"` when you need the user’s logged-in browser state.
 - If you use a custom existing-session profile, pass that explicit profile name.
-- Prefer `profile="user"` over `profile="chrome-relay"` unless the user
-  explicitly wants the extension / attach-tab flow.
 - Only choose this mode when the user is at the computer to approve the attach
   prompt.
 - the Gateway or node host can spawn `npx chrome-devtools-mcp@latest --autoConnect`
@@ -427,21 +359,10 @@ Notes:
   captures from snapshots, but not CSS `--element` selectors.
 - Existing-session `wait --url` supports exact, substring, and glob patterns
   like other browser drivers. `wait --load networkidle` is not supported yet.
-- Some features still require the extension relay or managed browser path, such
-  as PDF export and download interception.
-- Leave the relay loopback-only by default. If the relay must be reachable from a different network namespace (for example Gateway in WSL2, Chrome on Windows), set `browser.relayBindHost` to an explicit bind address such as `0.0.0.0` while keeping the surrounding network private and authenticated.
-
-WSL2 / cross-namespace example:
-
-```json5
-{
-  browser: {
-    enabled: true,
-    relayBindHost: "0.0.0.0",
-    defaultProfile: "chrome-relay",
-  },
-}
-```
+- Some features still require the managed browser path, such as PDF export and
+  download interception.
+- Existing-session is host-local. If Chrome lives on a different machine or a
+  different network namespace, use remote CDP or a node host instead.
 
 ## Isolation guarantees
 
@@ -496,7 +417,6 @@ If gateway auth is configured, browser HTTP routes require auth too:
 Some features (navigate/act/AI snapshot/role snapshot, element screenshots, PDF) require
 Playwright. If Playwright isn’t installed, those endpoints return a clear 501
 error. ARIA snapshots and basic screenshots still work for openclaw-managed Chrome.
-For the Chrome extension relay driver, ARIA snapshots and screenshots require Playwright.
 
 If you see `Playwright is not available in this gateway build`, install the full
 Playwright package (not `playwright-core`) and restart the gateway, or reinstall
diff --git a/docs/tools/chrome-extension.md b/docs/tools/chrome-extension.md
deleted file mode 100644
index 831897b9bde..00000000000
--- a/docs/tools/chrome-extension.md
+++ /dev/null
@@ -1,203 +0,0 @@
----
-summary: "Chrome extension: let OpenClaw drive your existing Chrome tab"
-read_when:
-  - You want the agent to drive an existing Chrome tab (toolbar button)
-  - You need remote Gateway + local browser automation via Tailscale
-  - You want to understand the security implications of browser takeover
-title: "Chrome Extension"
----
-
-# Chrome extension (browser relay)
-
-The OpenClaw Chrome extension lets the agent control your **existing Chrome tabs** (your normal Chrome window) instead of launching a separate openclaw-managed Chrome profile.
-
-Attach/detach happens via a **single Chrome toolbar button**.
-
-If you want Chrome’s official DevTools MCP attach flow instead of the OpenClaw
-extension relay, use an `existing-session` browser profile instead. See
-[Browser](/tools/browser#chrome-existing-session-via-mcp). For Chrome’s own
-setup docs, see [Chrome for Developers: Use Chrome DevTools MCP with your
-browser session](https://developer.chrome.com/blog/chrome-devtools-mcp-debug-your-browser-session)
-and the [Chrome DevTools MCP README](https://github.com/ChromeDevTools/chrome-devtools-mcp).
-
-## What it is (concept)
-
-There are three parts:
-
-- **Browser control service** (Gateway or node): the API the agent/tool calls (via the Gateway)
-- **Local relay server** (loopback CDP): bridges between the control server and the extension (`http://127.0.0.1:18792` by default)
-- **Chrome MV3 extension**: attaches to the active tab using `chrome.debugger` and pipes CDP messages to the relay
-
-OpenClaw then controls the attached tab through the normal `browser` tool surface (selecting the right profile).
-
-## Install / load (unpacked)
-
-1. Install the extension to a stable local path:
-
-```bash
-openclaw browser extension install
-```
-
-2. Print the installed extension directory path:
-
-```bash
-openclaw browser extension path
-```
-
-3. Chrome → `chrome://extensions`
-
-- Enable “Developer mode”
-- “Load unpacked” → select the directory printed above
-
-4. Pin the extension.
-
-## Updates (no build step)
-
-The extension ships inside the OpenClaw release (npm package) as static files. There is no separate “build” step.
-
-After upgrading OpenClaw:
-
-- Re-run `openclaw browser extension install` to refresh the installed files under your OpenClaw state directory.
-- Chrome → `chrome://extensions` → click “Reload” on the extension.
-
-## Use it (set gateway token once)
-
-To use the extension relay, create a browser profile for it:
-
-Before first attach, open extension Options and set:
-
-- `Port` (default `18792`)
-- `Gateway token` (must match `gateway.auth.token` / `OPENCLAW_GATEWAY_TOKEN`)
-
-Then create a profile:
-
-```bash
-openclaw browser create-profile \
-  --name my-chrome \
-  --driver extension \
-  --cdp-url http://127.0.0.1:18792 \
-  --color "#00AA00"
-```
-
-Use it:
-
-- CLI: `openclaw browser --browser-profile my-chrome tabs`
-- Agent tool: `browser` with `profile="my-chrome"`
-
-### Custom Gateway ports
-
-If you're using a custom gateway port, the extension relay port is automatically derived:
-
-**Extension Relay Port = Gateway Port + 3**
-
-Example: if `gateway.port: 19001`, then:
-
-- Extension relay port: `19004` (gateway + 3)
-
-Configure the extension to use the derived relay port in the extension Options page.
-
-## Attach / detach (toolbar button)
-
-- Open the tab you want OpenClaw to control.
-- Click the extension icon.
-  - Badge shows `ON` when attached.
-- Click again to detach.
-
-## Which tab does it control?
-
-- It does **not** automatically control “whatever tab you’re looking at”.
-- It controls **only the tab(s) you explicitly attached** by clicking the toolbar button.
-- To switch: open the other tab and click the extension icon there.
-
-## Badge + common errors
-
-- `ON`: attached; OpenClaw can drive that tab.
-- `…`: connecting to the local relay.
-- `!`: relay not reachable/authenticated (most common: relay server not running, or gateway token missing/wrong).
-
-If you see `!`:
-
-- Make sure the Gateway is running locally (default setup), or run a node host on this machine if the Gateway runs elsewhere.
-- Open the extension Options page; it validates relay reachability + gateway-token auth.
-
-## Remote Gateway (use a node host)
-
-### Local Gateway (same machine as Chrome) — usually **no extra steps**
-
-If the Gateway runs on the same machine as Chrome, it starts the browser control service on loopback
-and auto-starts the relay server. The extension talks to the local relay; the CLI/tool calls go to the Gateway.
-
-### Remote Gateway (Gateway runs elsewhere) — **run a node host**
-
-If your Gateway runs on another machine, start a node host on the machine that runs Chrome.
-The Gateway will proxy browser actions to that node; the extension + relay stay local to the browser machine.
-
-If multiple nodes are connected, pin one with `gateway.nodes.browser.node` or set `gateway.nodes.browser.mode`.
-
-## Sandboxing (tool containers)
-
-If your agent session is sandboxed (`agents.defaults.sandbox.mode != "off"`), the `browser` tool can be restricted:
-
-- By default, sandboxed sessions often target the **sandbox browser** (`target="sandbox"`), not your host Chrome.
-- Chrome extension relay takeover requires controlling the **host** browser control server.
-
-Options:
-
-- Easiest: use the extension from a **non-sandboxed** session/agent.
-- Or allow host browser control for sandboxed sessions:
-
-```json5
-{
-  agents: {
-    defaults: {
-      sandbox: {
-        browser: {
-          allowHostControl: true,
-        },
-      },
-    },
-  },
-}
-```
-
-Then ensure the tool isn’t denied by tool policy, and (if needed) call `browser` with `target="host"`.
-
-Debugging: `openclaw sandbox explain`
-
-## Remote access tips
-
-- Keep the Gateway and node host on the same tailnet; avoid exposing relay ports to LAN or public Internet.
-- Pair nodes intentionally; disable browser proxy routing if you don’t want remote control (`gateway.nodes.browser.mode="off"`).
-- Leave the relay on loopback unless you have a real cross-namespace need. For WSL2 or similar split-host setups, set `browser.relayBindHost` to an explicit bind address such as `0.0.0.0`, then keep access constrained with Gateway auth, node pairing, and a private network.
-
-## How “extension path” works
-
-`openclaw browser extension path` prints the **installed** on-disk directory containing the extension files.
-
-The CLI intentionally does **not** print a `node_modules` path. Always run `openclaw browser extension install` first to copy the extension to a stable location under your OpenClaw state directory.
-
-If you move or delete that install directory, Chrome will mark the extension as broken until you reload it from a valid path.
-
-## Security implications (read this)
-
-This is powerful and risky. Treat it like giving the model “hands on your browser”.
-
-- The extension uses Chrome’s debugger API (`chrome.debugger`). When attached, the model can:
-  - click/type/navigate in that tab
-  - read page content
-  - access whatever the tab’s logged-in session can access
-- **This is not isolated** like the dedicated openclaw-managed profile.
-  - If you attach to your daily-driver profile/tab, you’re granting access to that account state.
-
-Recommendations:
-
-- Prefer a dedicated Chrome profile (separate from your personal browsing) for extension relay usage.
-- Keep the Gateway and any node hosts tailnet-only; rely on Gateway auth + node pairing.
-- Avoid exposing relay ports over LAN (`0.0.0.0`) and avoid Funnel (public).
-- The relay blocks non-extension origins and requires gateway-token auth for both `/cdp` and `/extension`.
-
-Related:
-
-- Browser tool overview: [Browser](/tools/browser)
-- Security audit: [Security](/gateway/security)
-- Tailscale setup: [Tailscale](/gateway/tailscale)
diff --git a/docs/tools/firecrawl.md b/docs/tools/firecrawl.md
index 2cd90a06bf5..901890dfb0a 100644
--- a/docs/tools/firecrawl.md
+++ b/docs/tools/firecrawl.md
@@ -1,27 +1,71 @@
 ---
-summary: "Firecrawl fallback for web_fetch (anti-bot + cached extraction)"
+summary: "Firecrawl search, scrape, and web_fetch fallback"
 read_when:
   - You want Firecrawl-backed web extraction
   - You need a Firecrawl API key
+  - You want Firecrawl as a web_search provider
   - You want anti-bot extraction for web_fetch
 title: "Firecrawl"
 ---
 
 # Firecrawl
 
-OpenClaw can use **Firecrawl** as a fallback extractor for `web_fetch`. It is a hosted
-content extraction service that supports bot circumvention and caching, which helps
-with JS-heavy sites or pages that block plain HTTP fetches.
+OpenClaw can use **Firecrawl** in three ways:
+
+- as the `web_search` provider
+- as explicit plugin tools: `firecrawl_search` and `firecrawl_scrape`
+- as a fallback extractor for `web_fetch`
+
+It is a hosted extraction/search service that supports bot circumvention and caching,
+which helps with JS-heavy sites or pages that block plain HTTP fetches.
 
 ## Get an API key
 
 1. Create a Firecrawl account and generate an API key.
 2. Store it in config or set `FIRECRAWL_API_KEY` in the gateway environment.
 
-## Configure Firecrawl
+## Configure Firecrawl search
 
 ```json5
 {
+  plugins: {
+    entries: {
+      firecrawl: {
+        enabled: true,
+      },
+    },
+  },
+  tools: {
+    web: {
+      search: {
+        provider: "firecrawl",
+        firecrawl: {
+          apiKey: "FIRECRAWL_API_KEY_HERE",
+          baseUrl: "https://api.firecrawl.dev",
+        },
+      },
+    },
+  },
+}
+```
+
+Notes:
+
+- Choosing Firecrawl in onboarding or `openclaw configure --section web` enables the bundled Firecrawl plugin automatically.
+- `web_search` with Firecrawl supports `query` and `count`.
+- For Firecrawl-specific controls like `sources`, `categories`, or result scraping, use `firecrawl_search`.
+
+## Configure Firecrawl scrape + web_fetch fallback
+
+```json5
+{
+  plugins: {
+    entries: {
+      firecrawl: {
+        enabled: true,
+      },
+    },
+  },
   tools: {
     web: {
       fetch: {
@@ -44,6 +88,38 @@ Notes:
 - Firecrawl fallback attempts run only when an API key is available (`tools.web.fetch.firecrawl.apiKey` or `FIRECRAWL_API_KEY`).
 - `maxAgeMs` controls how old cached results can be (ms). Default is 2 days.
 
+`firecrawl_scrape` reuses the same `tools.web.fetch.firecrawl.*` settings and env vars.
+
+## Firecrawl plugin tools
+
+### `firecrawl_search`
+
+Use this when you want Firecrawl-specific search controls instead of generic `web_search`.
+
+Core parameters:
+
+- `query`
+- `count`
+- `sources`
+- `categories`
+- `scrapeResults`
+- `timeoutSeconds`
+
+### `firecrawl_scrape`
+
+Use this for JS-heavy or bot-protected pages where plain `web_fetch` is weak.
+
+Core parameters:
+
+- `url`
+- `extractMode`
+- `maxChars`
+- `onlyMainContent`
+- `maxAgeMs`
+- `proxy`
+- `storeInCache`
+- `timeoutSeconds`
+
 ## Stealth / bot circumvention
 
 Firecrawl exposes a **proxy mode** parameter for bot circumvention (`basic`, `stealth`, or `auto`).
diff --git a/docs/tools/index.md b/docs/tools/index.md
index bdd9b78456f..deb42b0d76a 100644
--- a/docs/tools/index.md
+++ b/docs/tools/index.md
@@ -256,7 +256,7 @@ Enable with `tools.loopDetection.enabled: true` (default is `false`).
 
 ### `web_search`
 
-Search the web using Perplexity, Brave, Gemini, Grok, or Kimi.
+Search the web using Brave, Firecrawl, Gemini, Grok, Kimi, or Perplexity.
 
 Core parameters:
 
@@ -318,8 +318,7 @@ Common parameters:
 - All actions accept optional `profile` parameter for multi-instance support.
 - Omit `profile` for the safe default: isolated OpenClaw-managed browser (`openclaw`).
 - Use `profile="user"` for the real local host browser when existing logins/cookies matter and the user is present to click/approve any attach prompt.
-- Use `profile="chrome-relay"` only for the Chrome extension / toolbar-button attach flow.
-- `profile="user"` and `profile="chrome-relay"` are host-only; do not combine them with sandbox/node targets.
+- `profile="user"` is host-only; do not combine it with sandbox/node targets.
 - When `profile` is omitted, uses `browser.defaultProfile` (defaults to `openclaw`).
 - Profile names: lowercase alphanumeric + hyphens only (max 64 chars).
 - Port range: 18800-18899 (~100 profiles max).
diff --git a/docs/tools/plugin.md b/docs/tools/plugin.md
index 8aa7beefa42..770eaa215e0 100644
--- a/docs/tools/plugin.md
+++ b/docs/tools/plugin.md
@@ -57,6 +57,18 @@ openclaw plugins install ./my-bundle
 openclaw plugins install ./my-bundle.tgz
 ```
 
+For Claude marketplace installs, list the marketplace first, then install by
+marketplace entry name:
+
+```bash
+openclaw plugins marketplace list <marketplace-name>
+openclaw plugins install <plugin-name>@<marketplace-name>
+```
+
+OpenClaw resolves known Claude marketplace names from
+`~/.claude/plugins/known_marketplaces.json`. You can also pass an explicit
+marketplace source with `--marketplace`.
+
 ## Architecture
 
 OpenClaw's plugin system has four layers:
@@ -94,6 +106,10 @@ OpenClaw also recognizes two compatible external bundle layouts:
   component layout without a manifest
 - Cursor-style bundles: `.cursor-plugin/plugin.json`
 
+Claude marketplace entries can point at any of these compatible bundles, or at
+native OpenClaw plugin sources. OpenClaw resolves the marketplace entry first,
+then runs the normal install path for the resolved source.
+
 They are shown in the plugin list as `format=bundle`, with a subtype of
 `codex` or `claude` in verbose/info output.
 
@@ -167,20 +183,17 @@ Important trust note:
 - Anthropic provider runtime — bundled as `anthropic` (enabled by default)
 - BytePlus provider catalog — bundled as `byteplus` (enabled by default)
 - Cloudflare AI Gateway provider catalog — bundled as `cloudflare-ai-gateway` (enabled by default)
-- Google Antigravity OAuth (provider auth) — bundled as `google-antigravity-auth` (disabled by default)
-- Gemini CLI OAuth (provider auth) — bundled as `google-gemini-cli-auth` (disabled by default)
+- Google web search + Gemini CLI OAuth — bundled as `google` (web search auto-loads it; provider auth stays opt-in)
 - GitHub Copilot provider runtime — bundled as `github-copilot` (enabled by default)
 - Hugging Face provider catalog — bundled as `huggingface` (enabled by default)
 - Kilo Gateway provider runtime — bundled as `kilocode` (enabled by default)
 - Kimi Coding provider catalog — bundled as `kimi-coding` (enabled by default)
-- MiniMax provider catalog + usage — bundled as `minimax` (enabled by default)
-- MiniMax OAuth (provider auth + catalog) — bundled as `minimax-portal-auth` (enabled by default)
+- MiniMax provider catalog + usage + OAuth — bundled as `minimax` (enabled by default; owns `minimax` and `minimax-portal`)
 - Mistral provider capabilities — bundled as `mistral` (enabled by default)
 - Model Studio provider catalog — bundled as `modelstudio` (enabled by default)
 - Moonshot provider runtime — bundled as `moonshot` (enabled by default)
 - NVIDIA provider catalog — bundled as `nvidia` (enabled by default)
-- OpenAI provider runtime — bundled as `openai` (enabled by default)
-- OpenAI Codex provider runtime — bundled as `openai-codex` (enabled by default)
+- OpenAI provider runtime — bundled as `openai` (enabled by default; owns both `openai` and `openai-codex`)
 - OpenCode Go provider capabilities — bundled as `opencode-go` (enabled by default)
 - OpenCode Zen provider capabilities — bundled as `opencode` (enabled by default)
 - OpenRouter provider runtime — bundled as `openrouter` (enabled by default)
@@ -208,7 +221,7 @@ Native OpenClaw plugins can register:
 - Background services
 - Context engines
 - Provider auth flows and model catalogs
-- Provider runtime hooks for dynamic model ids, transport normalization, capability metadata, stream wrapping, cache TTL policy, runtime auth exchange, and usage/billing auth + snapshot resolution
+- Provider runtime hooks for dynamic model ids, transport normalization, capability metadata, stream wrapping, cache TTL policy, missing-auth hints, built-in model suppression, catalog augmentation, runtime auth exchange, and usage/billing auth + snapshot resolution
 - Optional config validation
 - **Skills** (by listing `skills` directories in the plugin manifest)
 - **Auto-reply commands** (execute without invoking the AI agent)
@@ -220,13 +233,24 @@ Tool authoring guide: [Plugin agent tools](/plugins/agent-tools).
 
 Provider plugins now have two layers:
 
+- manifest metadata: `providerAuthEnvVars` for cheap env-auth lookup before
+  runtime load, plus `providerAuthChoices` for cheap onboarding/auth-choice
+  labels and CLI flag metadata before runtime load
 - config-time hooks: `catalog` / legacy `discovery`
-- runtime hooks: `resolveDynamicModel`, `prepareDynamicModel`, `normalizeResolvedModel`, `capabilities`, `prepareExtraParams`, `wrapStreamFn`, `isCacheTtlEligible`, `prepareRuntimeAuth`, `resolveUsageAuth`, `fetchUsageSnapshot`
+- runtime hooks: `resolveDynamicModel`, `prepareDynamicModel`, `normalizeResolvedModel`, `capabilities`, `prepareExtraParams`, `wrapStreamFn`, `formatApiKey`, `refreshOAuth`, `buildAuthDoctorHint`, `isCacheTtlEligible`, `buildMissingAuthMessage`, `suppressBuiltInModel`, `augmentModelCatalog`, `isBinaryThinking`, `supportsXHighThinking`, `resolveDefaultThinkingLevel`, `isModernModelRef`, `prepareRuntimeAuth`, `resolveUsageAuth`, `fetchUsageSnapshot`
 
 OpenClaw still owns the generic agent loop, failover, transcript handling, and
 tool policy. These hooks are the seam for provider-specific behavior without
 needing a whole custom inference transport.
 
+Use manifest `providerAuthEnvVars` when the provider has env-based credentials
+that generic auth/status/model-picker paths should see without loading plugin
+runtime. Use manifest `providerAuthChoices` when onboarding/auth-choice CLI
+surfaces should know the provider's choice id, group labels, and simple
+one-flag auth wiring without loading provider runtime. Keep provider runtime
+`envVars` for operator-facing hints such as onboarding labels or OAuth
+client-id/client-secret setup vars.
+
 ### Hook order
 
 For model/provider plugins, OpenClaw uses hooks in this rough order:
@@ -250,15 +274,39 @@ For model/provider plugins, OpenClaw uses hooks in this rough order:
    Provider-owned request-param normalization before generic stream option wrappers.
 8. `wrapStreamFn`
    Provider-owned stream wrapper after generic wrappers are applied.
-9. `isCacheTtlEligible`
-   Provider-owned prompt-cache policy for proxy/backhaul providers.
-10. `prepareRuntimeAuth`
+9. `formatApiKey`
+   Provider-owned auth-profile formatter used when a stored auth profile needs
+   to become the runtime `apiKey` string.
+10. `refreshOAuth`
+    Provider-owned OAuth refresh override for custom refresh endpoints or
+    refresh-failure policy.
+11. `buildAuthDoctorHint`
+    Provider-owned repair hint appended when OAuth refresh fails.
+12. `isCacheTtlEligible`
+    Provider-owned prompt-cache policy for proxy/backhaul providers.
+13. `buildMissingAuthMessage`
+    Provider-owned replacement for the generic missing-auth recovery message.
+14. `suppressBuiltInModel`
+    Provider-owned stale upstream model suppression plus optional user-facing
+    error hint.
+15. `augmentModelCatalog`
+    Provider-owned synthetic/final catalog rows appended after discovery.
+16. `isBinaryThinking`
+    Provider-owned on/off reasoning toggle for binary-thinking providers.
+17. `supportsXHighThinking`
+    Provider-owned `xhigh` reasoning support for selected models.
+18. `resolveDefaultThinkingLevel`
+    Provider-owned default `/think` level for a specific model family.
+19. `isModernModelRef`
+    Provider-owned modern-model matcher used by live profile filters and smoke
+    selection.
+20. `prepareRuntimeAuth`
     Exchanges a configured credential into the actual runtime token/key just
     before inference.
-11. `resolveUsageAuth`
+21. `resolveUsageAuth`
     Resolves usage/billing credentials for `/usage` and related status
     surfaces.
-12. `fetchUsageSnapshot`
+22. `fetchUsageSnapshot`
     Fetches and normalizes provider-specific usage/quota snapshots after auth
     is resolved.
 
@@ -271,7 +319,17 @@ For model/provider plugins, OpenClaw uses hooks in this rough order:
 - `capabilities`: publish provider-family and transcript/tooling quirks without hardcoding provider ids in core
 - `prepareExtraParams`: set provider defaults or normalize provider-specific per-model params before generic stream wrapping
 - `wrapStreamFn`: add provider-specific headers/payload/model compat patches while still using the normal `pi-ai` execution path
+- `formatApiKey`: turn a stored auth profile into the runtime `apiKey` string without hardcoding provider token blobs in core
+- `refreshOAuth`: own OAuth refresh for providers that do not fit the shared `pi-ai` refreshers
+- `buildAuthDoctorHint`: append provider-owned auth repair guidance when refresh fails
 - `isCacheTtlEligible`: decide whether provider/model pairs should use cache TTL metadata
+- `buildMissingAuthMessage`: replace the generic auth-store error with a provider-specific recovery hint
+- `suppressBuiltInModel`: hide stale upstream rows and optionally return a provider-owned error for direct resolution failures
+- `augmentModelCatalog`: append synthetic/final catalog rows after discovery and config merging
+- `isBinaryThinking`: expose binary on/off reasoning UX without hardcoding provider ids in `/think`
+- `supportsXHighThinking`: opt specific models into the `xhigh` reasoning level
+- `resolveDefaultThinkingLevel`: keep provider/model default reasoning policy out of core
+- `isModernModelRef`: keep live/smoke model family inclusion rules with the provider
 - `prepareRuntimeAuth`: exchange a configured credential into the actual short-lived runtime token/key used for requests
 - `resolveUsageAuth`: resolve provider-owned credentials for usage/billing endpoints without hardcoding token parsing in core
 - `fetchUsageSnapshot`: own provider-specific usage endpoint fetch/parsing while core keeps summary fan-out and formatting
@@ -285,7 +343,17 @@ Rule of thumb:
 - provider needs transcript/provider-family quirks: use `capabilities`
 - provider needs default request params or per-provider param cleanup: use `prepareExtraParams`
 - provider needs request headers/body/model compat wrappers without a custom transport: use `wrapStreamFn`
+- provider stores extra metadata in auth profiles and needs a custom runtime token shape: use `formatApiKey`
+- provider needs a custom OAuth refresh endpoint or refresh failure policy: use `refreshOAuth`
+- provider needs provider-owned auth repair guidance after refresh failure: use `buildAuthDoctorHint`
 - provider needs proxy-specific cache TTL gating: use `isCacheTtlEligible`
+- provider needs a provider-specific missing-auth recovery hint: use `buildMissingAuthMessage`
+- provider needs to hide stale upstream rows or replace them with a vendor hint: use `suppressBuiltInModel`
+- provider needs synthetic forward-compat rows in `models list` and pickers: use `augmentModelCatalog`
+- provider exposes only binary thinking on/off: use `isBinaryThinking`
+- provider wants `xhigh` on only a subset of models: use `supportsXHighThinking`
+- provider owns default `/think` policy for a model family: use `resolveDefaultThinkingLevel`
+- provider owns live/smoke preferred-model matching: use `isModernModelRef`
 - provider needs a token exchange or short-lived request credential: use `prepareRuntimeAuth`
 - provider needs custom usage/quota token parsing or a different usage credential: use `resolveUsageAuth`
 - provider needs a provider-specific usage endpoint or payload parser: use `fetchUsageSnapshot`
@@ -350,28 +418,38 @@ api.registerProvider({
 
 ### Built-in examples
 
-- Anthropic uses `resolveDynamicModel`, `capabilities`, `resolveUsageAuth`,
-  `fetchUsageSnapshot`, and `isCacheTtlEligible` because it owns Claude 4.6
-  forward-compat, provider-family hints, usage endpoint integration, and
-  prompt-cache eligibility.
+- Anthropic uses `resolveDynamicModel`, `capabilities`, `buildAuthDoctorHint`,
+  `resolveUsageAuth`, `fetchUsageSnapshot`, `isCacheTtlEligible`,
+  `resolveDefaultThinkingLevel`, and `isModernModelRef` because it owns Claude
+  4.6 forward-compat, provider-family hints, auth repair guidance, usage
+  endpoint integration, prompt-cache eligibility, and Claude default/adaptive
+  thinking policy.
 - OpenAI uses `resolveDynamicModel`, `normalizeResolvedModel`, and
-  `capabilities` because it owns GPT-5.4 forward-compat plus the direct OpenAI
-  `openai-completions` -> `openai-responses` normalization.
+  `capabilities` plus `buildMissingAuthMessage`, `suppressBuiltInModel`,
+  `augmentModelCatalog`, `supportsXHighThinking`, and `isModernModelRef`
+  because it owns GPT-5.4 forward-compat, the direct OpenAI
+  `openai-completions` -> `openai-responses` normalization, Codex-aware auth
+  hints, Spark suppression, synthetic OpenAI list rows, and GPT-5 thinking /
+  live-model policy.
 - OpenRouter uses `catalog` plus `resolveDynamicModel` and
   `prepareDynamicModel` because the provider is pass-through and may expose new
   model ids before OpenClaw's static catalog updates.
-- GitHub Copilot uses `catalog`, `resolveDynamicModel`, and
+- GitHub Copilot uses `catalog`, `auth`, `resolveDynamicModel`, and
   `capabilities` plus `prepareRuntimeAuth` and `fetchUsageSnapshot` because it
-  needs model fallback behavior, Claude transcript quirks, a GitHub token ->
-  Copilot token exchange, and a provider-owned usage endpoint.
-- OpenAI Codex uses `catalog`, `resolveDynamicModel`, and
-  `normalizeResolvedModel` plus `prepareExtraParams`, `resolveUsageAuth`, and
-  `fetchUsageSnapshot` because it still runs on core OpenAI transports but owns
-  its transport/base URL normalization, default transport choice, and ChatGPT
-  usage endpoint integration.
-- Gemini CLI OAuth uses `resolveDynamicModel`, `resolveUsageAuth`, and
-  `fetchUsageSnapshot` because it owns Gemini 3.1 forward-compat fallback plus
-  the token parsing and quota endpoint wiring needed by `/usage`.
+  needs provider-owned device login, model fallback behavior, Claude transcript
+  quirks, a GitHub token -> Copilot token exchange, and a provider-owned usage
+  endpoint.
+- OpenAI Codex uses `catalog`, `resolveDynamicModel`,
+  `normalizeResolvedModel`, `refreshOAuth`, and `augmentModelCatalog` plus
+  `prepareExtraParams`, `resolveUsageAuth`, and `fetchUsageSnapshot` because it
+  still runs on core OpenAI transports but owns its transport/base URL
+  normalization, OAuth refresh fallback policy, default transport choice,
+  synthetic Codex catalog rows, and ChatGPT usage endpoint integration.
+- Google AI Studio and Gemini CLI OAuth use `resolveDynamicModel` and
+  `isModernModelRef` because they own Gemini 3.1 forward-compat fallback and
+  modern-model matching; Gemini CLI OAuth also uses `formatApiKey`,
+  `resolveUsageAuth`, and `fetchUsageSnapshot` for token formatting, token
+  parsing, and quota endpoint wiring.
 - OpenRouter uses `capabilities`, `wrapStreamFn`, and `isCacheTtlEligible`
   to keep provider-specific request headers, routing metadata, reasoning
   patches, and prompt-cache policy out of core.
@@ -382,15 +460,17 @@ api.registerProvider({
   reasoning payload normalization, Gemini transcript hints, and Anthropic
   cache-TTL gating.
 - Z.AI uses `resolveDynamicModel`, `prepareExtraParams`, `wrapStreamFn`,
-  `isCacheTtlEligible`, `resolveUsageAuth`, and `fetchUsageSnapshot` because it
-  owns GLM-5 fallback, `tool_stream` defaults, and both usage auth + quota
-  fetching.
+  `isCacheTtlEligible`, `isBinaryThinking`, `isModernModelRef`,
+  `resolveUsageAuth`, and `fetchUsageSnapshot` because it owns GLM-5 fallback,
+  `tool_stream` defaults, binary thinking UX, modern-model matching, and both
+  usage auth + quota fetching.
 - Mistral, OpenCode Zen, and OpenCode Go use `capabilities` only to keep
   transcript/tooling quirks out of core.
 - Catalog-only bundled providers such as `byteplus`, `cloudflare-ai-gateway`,
-  `huggingface`, `kimi-coding`, `minimax-portal`, `modelstudio`, `nvidia`,
-  `qianfan`, `qwen-portal`, `synthetic`, `together`, `venice`,
-  `vercel-ai-gateway`, and `volcengine` use `catalog` only.
+  `huggingface`, `kimi-coding`, `modelstudio`, `nvidia`, `qianfan`,
+  `synthetic`, `together`, `venice`, `vercel-ai-gateway`, and `volcengine` use
+  `catalog` only.
+- Qwen portal uses `catalog`, `auth`, and `refreshOAuth`.
 - MiniMax and Xiaomi use `catalog` plus usage hooks because their `/usage`
   behavior is plugin-owned even though inference still runs through the shared
   transports.
@@ -507,22 +587,21 @@ Notes:
 Use SDK subpaths instead of the monolithic `openclaw/plugin-sdk` import when
 authoring plugins:
 
-- `openclaw/plugin-sdk/core` for generic plugin APIs, provider auth types, and shared helpers.
+- `openclaw/plugin-sdk/core` for generic plugin APIs, provider auth types, and shared helpers such as routing/session utilities and logger-backed runtimes.
 - `openclaw/plugin-sdk/compat` for bundled/internal plugin code that needs broader shared runtime helpers than `core`.
-- `openclaw/plugin-sdk/telegram` for Telegram channel plugins.
-- `openclaw/plugin-sdk/discord` for Discord channel plugins.
-- `openclaw/plugin-sdk/slack` for Slack channel plugins.
-- `openclaw/plugin-sdk/signal` for Signal channel plugins.
-- `openclaw/plugin-sdk/imessage` for iMessage channel plugins.
-- `openclaw/plugin-sdk/whatsapp` for WhatsApp channel plugins.
+- `openclaw/plugin-sdk/telegram` for Telegram channel plugin types and shared channel-facing helpers. Built-in Telegram implementation internals stay private to the bundled extension.
+- `openclaw/plugin-sdk/discord` for Discord channel plugin types and shared channel-facing helpers. Built-in Discord implementation internals stay private to the bundled extension.
+- `openclaw/plugin-sdk/slack` for Slack channel plugin types and shared channel-facing helpers. Built-in Slack implementation internals stay private to the bundled extension.
+- `openclaw/plugin-sdk/signal` for Signal channel plugin types and shared channel-facing helpers. Built-in Signal implementation internals stay private to the bundled extension.
+- `openclaw/plugin-sdk/imessage` for iMessage channel plugin types and shared channel-facing helpers. Built-in iMessage implementation internals stay private to the bundled extension.
+- `openclaw/plugin-sdk/whatsapp` for WhatsApp channel plugin types and shared channel-facing helpers. Built-in WhatsApp implementation internals stay private to the bundled extension.
 - `openclaw/plugin-sdk/line` for LINE channel plugins.
 - `openclaw/plugin-sdk/msteams` for the bundled Microsoft Teams plugin surface.
 - Bundled extension-specific subpaths are also available:
   `openclaw/plugin-sdk/acpx`, `openclaw/plugin-sdk/bluebubbles`,
   `openclaw/plugin-sdk/copilot-proxy`, `openclaw/plugin-sdk/device-pair`,
   `openclaw/plugin-sdk/diagnostics-otel`, `openclaw/plugin-sdk/diffs`,
-  `openclaw/plugin-sdk/feishu`,
-  `openclaw/plugin-sdk/google-gemini-cli-auth`, `openclaw/plugin-sdk/googlechat`,
+  `openclaw/plugin-sdk/feishu`, `openclaw/plugin-sdk/googlechat`,
   `openclaw/plugin-sdk/irc`, `openclaw/plugin-sdk/llm-task`,
   `openclaw/plugin-sdk/lobster`, `openclaw/plugin-sdk/matrix`,
   `openclaw/plugin-sdk/mattermost`, `openclaw/plugin-sdk/memory-core`,
@@ -651,12 +730,12 @@ Default-on bundled plugin examples:
 - `kilocode`
 - `kimi-coding`
 - `minimax`
-- `minimax-portal-auth`
+- `minimax`
 - `modelstudio`
 - `moonshot`
 - `nvidia`
 - `ollama`
-- `openai-codex`
+- `openai`
 - `openrouter`
 - `phone-control`
 - `qianfan`
@@ -736,7 +815,8 @@ A plugin directory may include a `package.json` with `openclaw.extensions`:
 {
   "name": "my-pack",
   "openclaw": {
-    "extensions": ["./src/safety.ts", "./src/tools.ts"]
+    "extensions": ["./src/safety.ts", "./src/tools.ts"],
+    "setupEntry": "./src/setup-entry.ts"
   }
 }
 ```
@@ -755,9 +835,16 @@ Security note: `openclaw plugins install` installs plugin dependencies with
 `npm install --ignore-scripts` (no lifecycle scripts). Keep plugin dependency
 trees "pure JS/TS" and avoid packages that require `postinstall` builds.
 
+Optional: `openclaw.setupEntry` can point at a lightweight setup-only module.
+When OpenClaw needs setup surfaces for a disabled channel plugin, or
+when a channel plugin is enabled but still unconfigured, it loads `setupEntry`
+instead of the full plugin entry. This keeps startup and setup lighter
+when your main plugin entry also wires tools, hooks, or other runtime-only
+code.
+
 ### Channel catalog metadata
 
-Channel plugins can advertise onboarding metadata via `openclaw.channel` and
+Channel plugins can advertise setup/discovery metadata via `openclaw.channel` and
 install hints via `openclaw.install`. This keeps the core catalog data-free.
 
 Example:
@@ -1132,7 +1219,7 @@ A provider plugin can participate in five distinct phases:
    without prompts. Use this when the provider needs custom headless setup
    beyond the built-in simple API-key paths.
 3. **Wizard integration**
-   `wizard.onboarding` adds an entry to `openclaw onboard`.
+   `wizard.setup` adds an entry to `openclaw onboard`.
    `wizard.modelPicker` adds a setup entry to the model picker.
 4. **Implicit discovery**
    `discovery.run(ctx)` can contribute provider config automatically during
@@ -1181,7 +1268,8 @@ The non-interactive context includes:
 - the current and base config
 - parsed onboarding CLI options
 - runtime logging/error helpers
-- agent/workspace dirs
+- agent/workspace dirs so the provider can persist auth into the same scoped
+  store used by the rest of onboarding
 - `resolveApiKey(...)` to read provider keys from flags, env, or existing auth
   profiles while honoring `--secret-input-mode`
 - `toApiKeyCredential(...)` to convert a resolved key into an auth-profile
@@ -1198,7 +1286,17 @@ errors instead.
 
 ### Provider wizard metadata
 
-`wizard.onboarding` controls how the provider appears in grouped onboarding:
+Provider auth/onboarding metadata can live in two layers:
+
+- manifest `providerAuthChoices`: cheap labels, grouping, `--auth-choice`
+  ids, and simple CLI flag metadata available before runtime load
+- runtime `wizard.setup` / `auth[].wizard`: richer behavior that depends on
+  loaded provider code
+
+Use manifest metadata for static labels/flags. Use runtime wizard metadata when
+setup depends on dynamic auth methods, method fallback, or runtime validation.
+
+`wizard.setup` controls how the provider appears in grouped onboarding:
 
 - `choiceId`: auth-choice value
 - `choiceLabel`: option label
@@ -1207,6 +1305,7 @@ errors instead.
 - `groupLabel`: group label
 - `groupHint`: group hint
 - `methodId`: auth method to run
+- `modelAllowlist`: optional post-auth allowlist policy (`allowedKeys`, `initialSelections`, `message`)
 
 `wizard.modelPicker` controls how a provider appears as a "set this up now"
 entry in model selection:
@@ -1328,7 +1427,7 @@ api.registerProvider({
     },
   ],
   wizard: {
-    onboarding: {
+    setup: {
       choiceId: "acme",
       choiceLabel: "AcmeAI",
       groupId: "acme",
@@ -1358,14 +1457,22 @@ api.registerProvider({
 Notes:
 
 - `run` receives a `ProviderAuthContext` with `prompter`, `runtime`,
-  `openUrl`, and `oauth.createVpsAwareHandlers` helpers.
+  `openUrl`, `oauth.createVpsAwareHandlers`, `secretInputMode`, and
+  `allowSecretRefPrompt` helpers/state. Onboarding/configure flows can use
+  these to honor `--secret-input-mode` or offer env/file/exec secret-ref
+  capture, while `openclaw models auth` keeps a tighter prompt surface.
 - `runNonInteractive` receives a `ProviderAuthMethodNonInteractiveContext`
-  with `opts`, `resolveApiKey`, and `toApiKeyCredential` helpers for
-  headless onboarding.
+  with `opts`, `agentDir`, `resolveApiKey`, and `toApiKeyCredential` helpers
+  for headless onboarding.
 - Return `configPatch` when you need to add default models or provider config.
 - Return `defaultModel` so `--set-default` can update agent defaults.
-- `wizard.onboarding` adds a provider choice to `openclaw onboard`.
+- `wizard.setup` adds a provider choice to onboarding surfaces such as
+  `openclaw onboard` / `openclaw setup --wizard`.
+- `wizard.setup.modelAllowlist` lets the provider narrow the follow-up model
+  allowlist prompt during onboarding/configure.
 - `wizard.modelPicker` adds a “setup this provider” entry to the model picker.
+- `deprecatedProfileIds` lets the provider own `openclaw doctor` cleanup for
+  retired auth-profile ids.
 - `discovery.run` returns either `{ provider }` for the plugin’s own provider id
   or `{ providers }` for multi-provider discovery.
 - `discovery.order` controls when the provider runs relative to built-in
@@ -1424,16 +1531,6 @@ Preferred setup split:
 - `plugin.setup` owns account-id normalization, validation, and config writes.
 - `plugin.setupWizard` lets the host run the common wizard flow while the channel only supplies status, credential, DM allowlist, and channel-access descriptors.
 
-Use `plugin.onboarding` only when the host-owned setup wizard cannot express the flow and the
-channel needs to fully own prompting.
-
-Wizard precedence:
-
-1. `plugin.setupWizard` (preferred, host-owned prompts)
-2. `plugin.onboarding.configureInteractive`
-3. `plugin.onboarding.configureWhenConfigured` (already-configured channel only)
-4. `plugin.onboarding.configure`
-
 `plugin.setupWizard` is best for channels that fit the shared pattern:
 
 - one account picker driven by `plugin.config.listAccountIds`
@@ -1445,11 +1542,6 @@ Wizard precedence:
 - optional DM allowlist resolution (for example `@username` -> numeric id)
 - optional completion note after setup finishes
 
-`plugin.onboarding` hooks still return the same values as before:
-
-- `"skip"` leaves selection and account tracking unchanged.
-- `{ cfg, accountId? }` applies config updates and records account selection.
-
 ### Write a new messaging channel (step‑by‑step)
 
 Use this when you want a **new chat surface** (a "messaging channel"), not a model provider.
@@ -1659,6 +1751,7 @@ Recommended packaging:
 Publishing contract:
 
 - Plugin `package.json` must include `openclaw.extensions` with one or more entry files.
+- Optional: `openclaw.setupEntry` may point at a lightweight setup-only entry for disabled or still-unconfigured channel setup.
 - Entry files can be `.js` or `.ts` (jiti loads TS at runtime).
 - `openclaw plugins install <npm-spec>` uses `npm pack`, extracts into `~/.openclaw/extensions/<id>/`, and enables it in config.
 - Config key stability: scoped packages are normalized to the **unscoped** id for `plugins.entries.*`.
diff --git a/docs/tools/web.md b/docs/tools/web.md
index a2aa1d37bfd..7cc67c07710 100644
--- a/docs/tools/web.md
+++ b/docs/tools/web.md
@@ -1,5 +1,5 @@
 ---
-summary: "Web search + fetch tools (Brave, Gemini, Grok, Kimi, and Perplexity providers)"
+summary: "Web search + fetch tools (Brave, Firecrawl, Gemini, Grok, Kimi, and Perplexity providers)"
 read_when:
   - You want to enable web_search or web_fetch
   - You need provider API key setup
@@ -11,7 +11,7 @@ title: "Web Tools"
 
 OpenClaw ships two lightweight web tools:
 
-- `web_search` — Search the web using Brave Search API, Gemini with Google Search grounding, Grok, Kimi, or Perplexity Search API.
+- `web_search` — Search the web using Brave Search API, Firecrawl Search, Gemini with Google Search grounding, Grok, Kimi, or Perplexity Search API.
 - `web_fetch` — HTTP fetch + readable extraction (HTML → markdown/text).
 
 These are **not** browser automation. For JS-heavy sites or logins, use the
@@ -24,18 +24,20 @@ These are **not** browser automation. For JS-heavy sites or logins, use the
 - `web_fetch` does a plain HTTP GET and extracts readable content
   (HTML → markdown/text). It does **not** execute JavaScript.
 - `web_fetch` is enabled by default (unless explicitly disabled).
+- The bundled Firecrawl plugin also adds `firecrawl_search` and `firecrawl_scrape` when enabled.
 
 See [Brave Search setup](/brave-search) and [Perplexity Search setup](/perplexity) for provider-specific details.
 
 ## Choosing a search provider
 
-| Provider                  | Result shape                       | Provider-specific filters                    | Notes                                                                          | API key                                     |
-| ------------------------- | ---------------------------------- | -------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------- |
-| **Brave Search API**      | Structured results with snippets   | `country`, `language`, `ui_lang`, time       | Supports Brave `llm-context` mode                                              | `BRAVE_API_KEY`                             |
-| **Gemini**                | AI-synthesized answers + citations | —                                            | Uses Google Search grounding                                                   | `GEMINI_API_KEY`                            |
-| **Grok**                  | AI-synthesized answers + citations | —                                            | Uses xAI web-grounded responses                                                | `XAI_API_KEY`                               |
-| **Kimi**                  | AI-synthesized answers + citations | —                                            | Uses Moonshot web search                                                       | `KIMI_API_KEY` / `MOONSHOT_API_KEY`         |
-| **Perplexity Search API** | Structured results with snippets   | `country`, `language`, time, `domain_filter` | Supports content extraction controls; OpenRouter uses Sonar compatibility path | `PERPLEXITY_API_KEY` / `OPENROUTER_API_KEY` |
+| Provider                  | Result shape                       | Provider-specific filters                                    | Notes                                                                          | API key                                     |
+| ------------------------- | ---------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------------------------ | ------------------------------------------- |
+| **Brave Search API**      | Structured results with snippets   | `country`, `language`, `ui_lang`, time                       | Supports Brave `llm-context` mode                                              | `BRAVE_API_KEY`                             |
+| **Firecrawl Search**      | Structured results with snippets   | Use `firecrawl_search` for Firecrawl-specific search options | Best for pairing search with Firecrawl scraping/extraction                     | `FIRECRAWL_API_KEY`                         |
+| **Gemini**                | AI-synthesized answers + citations | —                                                            | Uses Google Search grounding                                                   | `GEMINI_API_KEY`                            |
+| **Grok**                  | AI-synthesized answers + citations | —                                                            | Uses xAI web-grounded responses                                                | `XAI_API_KEY`                               |
+| **Kimi**                  | AI-synthesized answers + citations | —                                                            | Uses Moonshot web search                                                       | `KIMI_API_KEY` / `MOONSHOT_API_KEY`         |
+| **Perplexity Search API** | Structured results with snippets   | `country`, `language`, time, `domain_filter`                 | Supports content extraction controls; OpenRouter uses Sonar compatibility path | `PERPLEXITY_API_KEY` / `OPENROUTER_API_KEY` |
 
 ### Auto-detection
 
@@ -46,6 +48,7 @@ The table above is alphabetical. If no `provider` is explicitly set, runtime aut
 3. **Grok** — `XAI_API_KEY` env var or `tools.web.search.grok.apiKey` config
 4. **Kimi** — `KIMI_API_KEY` / `MOONSHOT_API_KEY` env var or `tools.web.search.kimi.apiKey` config
 5. **Perplexity** — `PERPLEXITY_API_KEY`, `OPENROUTER_API_KEY`, or `tools.web.search.perplexity.apiKey` config
+6. **Firecrawl** — `FIRECRAWL_API_KEY` env var or `tools.web.search.firecrawl.apiKey` config
 
 If no keys are found, it falls back to Brave (you'll get a missing-key error prompting you to configure one).
 
@@ -86,6 +89,7 @@ See [Perplexity Search API Docs](https://docs.perplexity.ai/guides/search-quicks
 **Via config:** run `openclaw configure --section web`. It stores the key under the provider-specific config path:
 
 - Brave: `tools.web.search.apiKey`
+- Firecrawl: `tools.web.search.firecrawl.apiKey`
 - Gemini: `tools.web.search.gemini.apiKey`
 - Grok: `tools.web.search.grok.apiKey`
 - Kimi: `tools.web.search.kimi.apiKey`
@@ -96,6 +100,7 @@ All of these fields also support SecretRef objects.
 **Via environment:** set provider env vars in the Gateway process environment:
 
 - Brave: `BRAVE_API_KEY`
+- Firecrawl: `FIRECRAWL_API_KEY`
 - Gemini: `GEMINI_API_KEY`
 - Grok: `XAI_API_KEY`
 - Kimi: `KIMI_API_KEY` or `MOONSHOT_API_KEY`
@@ -121,6 +126,34 @@ For a gateway install, put these in `~/.openclaw/.env` (or your service environm
 }
 ```
 
+**Firecrawl Search:**
+
+```json5
+{
+  plugins: {
+    entries: {
+      firecrawl: {
+        enabled: true,
+      },
+    },
+  },
+  tools: {
+    web: {
+      search: {
+        enabled: true,
+        provider: "firecrawl",
+        firecrawl: {
+          apiKey: "fc-...", // optional if FIRECRAWL_API_KEY is set
+          baseUrl: "https://api.firecrawl.dev",
+        },
+      },
+    },
+  },
+}
+```
+
+When you choose Firecrawl in onboarding or `openclaw configure --section web`, OpenClaw enables the bundled Firecrawl plugin automatically so `web_search`, `firecrawl_search`, and `firecrawl_scrape` are all available.
+
 **Brave LLM Context mode:**
 
 ```json5
@@ -234,6 +267,7 @@ Search the web using your configured provider.
 - `tools.web.search.enabled` must not be `false` (default: enabled)
 - API key for your chosen provider:
   - **Brave**: `BRAVE_API_KEY` or `tools.web.search.apiKey`
+  - **Firecrawl**: `FIRECRAWL_API_KEY` or `tools.web.search.firecrawl.apiKey`
   - **Gemini**: `GEMINI_API_KEY` or `tools.web.search.gemini.apiKey`
   - **Grok**: `XAI_API_KEY` or `tools.web.search.grok.apiKey`
   - **Kimi**: `KIMI_API_KEY`, `MOONSHOT_API_KEY`, or `tools.web.search.kimi.apiKey`
@@ -260,7 +294,7 @@ Search the web using your configured provider.
 
 ### Tool parameters
 
-All parameters work for Brave and for native Perplexity Search API unless noted.
+Parameters depend on the selected provider.
 
 Perplexity's OpenRouter / Sonar compatibility path supports only `query` and `freshness`.
 If you set `tools.web.search.perplexity.baseUrl` / `model`, use `OPENROUTER_API_KEY`, or configure an `sk-or-...` key, Search API-only filters return explicit errors.
@@ -279,6 +313,8 @@ If you set `tools.web.search.perplexity.baseUrl` / `model`, use `OPENROUTER_API_
 | `max_tokens`          | Total content budget, default 25000 (Perplexity only) |
 | `max_tokens_per_page` | Per-page token limit, default 2048 (Perplexity only)  |
 
+Firecrawl `web_search` supports `query` and `count`. For Firecrawl-specific controls like `sources`, `categories`, result scraping, or scrape timeout, use `firecrawl_search` from the bundled Firecrawl plugin.
+
 **Examples:**
 
 ```javascript
diff --git a/docs/web/control-ui.md b/docs/web/control-ui.md
index 73487cc0eae..204d68605d2 100644
--- a/docs/web/control-ui.md
+++ b/docs/web/control-ui.md
@@ -28,7 +28,7 @@ Auth is supplied during the WebSocket handshake via:
 - `connect.params.auth.token`
 - `connect.params.auth.password`
   The dashboard settings panel keeps a token for the current browser tab session and selected gateway URL; passwords are not persisted.
-  The onboarding wizard generates a gateway token by default, so paste it here on first connect.
+  The setup wizard generates a gateway token by default, so paste it here on first connect.
 
 ## Device pairing (first connection)
 
diff --git a/docs/zh-CN/automation/hooks.md b/docs/zh-CN/automation/hooks.md
index b5806e2bdd0..b0615569eec 100644
--- a/docs/zh-CN/automation/hooks.md
+++ b/docs/zh-CN/automation/hooks.md
@@ -1,60 +1,61 @@
 ---
 read_when:
-  - 你想为 /new、/reset、/stop 和智能体生命周期事件实现事件驱动自动化
-  - 你想构建、安装或调试 hooks
+  - 你希望为 `/new`、`/reset`、`/stop` 和智能体生命周期事件使用事件驱动自动化
+  - 你希望构建、安装或调试 Hooks
 summary: Hooks：用于命令和生命周期事件的事件驱动自动化
 title: Hooks
 x-i18n:
-  generated_at: "2026-02-03T07:50:59Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 853227a0f1abd20790b425fa64dda60efc6b5f93c1b13ecd2dcb788268f71d79
+  generated_at: "2026-03-16T06:21:34Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: fc1370a05127d778eb685f687ee9a52062aa6f5c895e80152b9de41c3a02c592
   source_path: automation/hooks.md
   workflow: 15
 ---
 
 # Hooks
 
-Hooks 提供了一个可扩展的事件驱动系统，用于响应智能体命令和事件自动执行操作。Hooks 从目录中自动发现，可以通过 CLI 命令管理，类似于 OpenClaw 中 Skills 的工作方式。
+Hooks 提供了一个可扩展的事件驱动系统，用于在响应智能体命令和事件时自动执行操作。Hooks 会从目录中自动发现，并且可以通过 CLI 命令进行管理，方式与 OpenClaw 中的 Skills 类似。
 
-## 入门指南
+## 熟悉基础
 
-Hooks 是在事件发生时运行的小脚本。有两种类型：
+Hooks 是在某些事情发生时运行的小脚本。它们有两种类型：
 
-- **Hooks**（本页）：当智能体事件触发时在 Gateway 网关内运行，如 `/new`、`/reset`、`/stop` 或生命周期事件。
-- **Webhooks**：外部 HTTP webhooks，让其他系统触发 OpenClaw 中的工作。参见 [Webhook Hooks](/automation/webhook) 或使用 `openclaw webhooks` 获取 Gmail 助手命令。
+- **Hooks**（本页）：当智能体事件触发时，在 Gateway 网关内运行，例如 `/new`、`/reset`、`/stop` 或生命周期事件。
+- **Webhooks**：外部 HTTP webhook，可让其他系统在 OpenClaw 中触发工作。请参阅 [Webhook Hooks](/automation/webhook)，或使用 `openclaw webhooks` 获取 Gmail 辅助命令。
 
-Hooks 也可以捆绑在插件中；参见 [插件](/tools/plugin#plugin-hooks)。
+Hooks 也可以打包在插件中；请参阅 [Plugins](/tools/plugin#plugin-hooks)。
 
 常见用途：
 
-- 重置会话时保存记忆快照
-- 保留命令审计跟踪用于故障排除或合规
-- 会话开始或结束时触发后续自动化
-- 事件触发时向智能体工作区写入文件或调用外部 API
+- 当你重置会话时保存一份内存快照
+- 为故障排除或合规保留命令审计轨迹
+- 当会话开始或结束时触发后续自动化
+- 当事件触发时，将文件写入智能体工作区或调用外部 API
 
-如果你能写一个小的 TypeScript 函数，你就能写一个 hook。Hooks 会自动发现，你可以通过 CLI 启用或禁用它们。
+如果你会写一个小型 TypeScript 函数，你就能编写一个 hook。Hooks 会被自动发现，你可以通过 CLI 启用或禁用它们。
 
-## 概述
+## 概览
 
-hooks 系统允许你：
+Hooks 系统允许你：
 
-- 在发出 `/new` 时将会话上下文保存到记忆
+- 当发出 `/new` 时，将会话上下文保存到 memory
 - 记录所有命令以供审计
 - 在智能体生命周期事件上触发自定义自动化
 - 在不修改核心代码的情况下扩展 OpenClaw 的行为
 
-## 入门
+## 入门指南
 
-### 捆绑的 Hooks
+### 内置 Hooks
 
-OpenClaw 附带三个自动发现的捆绑 hooks：
+OpenClaw 自带四个会被自动发现的内置 hook：
 
-- **💾 session-memory**：当你发出 `/new` 时将会话上下文保存到智能体工作区（默认 `~/.openclaw/workspace/memory/`）
+- **💾 session-memory**：当你发出 `/new` 时，将会话上下文保存到你的智能体工作区（默认是 `~/.openclaw/workspace/memory/`）
+- **📎 bootstrap-extra-files**：在 `agent:bootstrap` 期间，从已配置的 glob/路径模式中注入额外的工作区引导文件
 - **📝 command-logger**：将所有命令事件记录到 `~/.openclaw/logs/commands.log`
 - **🚀 boot-md**：当 Gateway 网关启动时运行 `BOOT.md`（需要启用内部 hooks）
 
-列出可用的 hooks：
+列出可用 hooks：
 
 ```bash
 openclaw hooks list
@@ -80,35 +81,40 @@ openclaw hooks info session-memory
 
 ### 新手引导
 
-在新手引导期间（`openclaw onboard`），你将被提示启用推荐的 hooks。向导会自动发现符合条件的 hooks 并呈现供选择。
+在新手引导期间（`openclaw onboard`），系统会提示你启用推荐的 hooks。向导会自动发现符合条件的 hooks 并供你选择。
 
 ## Hook 发现
 
-Hooks 从三个目录自动发现（按优先级顺序）：
+Hooks 会从三个目录中自动发现（按优先级顺序）：
 
-1. **工作区 hooks**：`<workspace>/hooks/`（每智能体，最高优先级）
-2. **托管 hooks**：`~/.openclaw/hooks/`（用户安装，跨工作区共享）
-3. **捆绑 hooks**：`<openclaw>/dist/hooks/bundled/`（随 OpenClaw 附带）
+1. **工作区 hooks**：`<workspace>/hooks/`（每个智能体单独配置，优先级最高）
+2. **托管 hooks**：`~/.openclaw/hooks/`（用户安装，在各工作区之间共享）
+3. **内置 hooks**：`<openclaw>/dist/hooks/bundled/`（随 OpenClaw 一起提供）
 
-托管 hook 目录可以是**单个 hook** 或 **hook 包**（包目录）。
+托管 hook 目录既可以是 **单个 hook**，也可以是 **hook 包**（包目录）。
 
-每个 hook 是一个包含以下内容的目录：
+每个 hook 都是一个包含以下内容的目录：
 
 ```
 my-hook/
 ├── HOOK.md          # 元数据 + 文档
-└── handler.ts       # 处理程序实现
+└── handler.ts       # 处理器实现
 ```
 
-## Hook 包（npm/archives）
+## Hook 包（npm/归档）
 
-Hook 包是标准的 npm 包，通过 `package.json` 中的 `openclaw.hooks` 导出一个或多个 hooks。使用以下命令安装：
+Hook 包是标准的 npm 包，它们通过 `package.json` 中的 `openclaw.hooks` 导出一个或多个 hook。使用以下命令安装它们：
 
 ```bash
 openclaw hooks install <path-or-spec>
 ```
 
-示例 `package.json`：
+npm spec 仅支持注册表形式（包名 + 可选的精确版本或 dist-tag）。
+Git/URL/file spec 和 semver 范围会被拒绝。
+
+裸 spec 和 `@latest` 会保持在稳定轨道上。如果 npm 将其中任意一种解析为预发布版本，OpenClaw 会停止并要求你通过预发布标签（例如 `@beta`/`@rc`）或精确的预发布版本显式选择加入。
+
+`package.json` 示例：
 
 ```json
 {
@@ -120,19 +126,23 @@ openclaw hooks install <path-or-spec>
 }
 ```
 
-每个条目指向包含 `HOOK.md` 和 `handler.ts`（或 `index.ts`）的 hook 目录。
-Hook 包可以附带依赖；它们将安装在 `~/.openclaw/hooks/<id>` 下。
+每个条目都指向一个包含 `HOOK.md` 和 `handler.ts`（或 `index.ts`）的 hook 目录。
+Hook 包可以携带依赖；它们会安装到 `~/.openclaw/hooks/<id>` 下。
+每个 `openclaw.hooks` 条目在解析符号链接后都必须保持在包目录内部；超出目录范围的条目会被拒绝。
+
+安全说明：`openclaw hooks install` 会使用 `npm install --ignore-scripts` 安装依赖
+（不运行生命周期脚本）。请保持 hook 包依赖树为“纯 JS/TS”，并避免依赖 `postinstall` 构建的包。
 
 ## Hook 结构
 
 ### HOOK.md 格式
 
-`HOOK.md` 文件在 YAML frontmatter 中包含元数据，加上 Markdown 文档：
+`HOOK.md` 文件包含 YAML frontmatter 中的元数据以及 Markdown 文档：
 
 ```markdown
 ---
 name: my-hook
-description: "Short description of what this hook does"
+description: "关于此 hook 功能的简短描述"
 homepage: https://docs.openclaw.ai/automation/hooks#my-hook
 metadata:
   { "openclaw": { "emoji": "🔗", "events": ["command:new"], "requires": { "bins": ["node"] } } }
@@ -140,49 +150,47 @@ metadata:
 
 # My Hook
 
-Detailed documentation goes here...
+详细文档写在这里……
 
-## What It Does
+## 它的作用
 
-- Listens for `/new` commands
-- Performs some action
-- Logs the result
+- 监听 `/new` 命令
+- 执行某些操作
+- 记录结果
 
-## Requirements
+## 要求
 
-- Node.js must be installed
+- 必须安装 Node.js
 
-## Configuration
+## 配置
 
-No configuration needed.
+无需配置。
 ```
 
 ### 元数据字段
 
 `metadata.openclaw` 对象支持：
 
-- **`emoji`**：CLI 的显示表情符号（例如 `"💾"`）
+- **`emoji`**：CLI 显示用 emoji（例如 `"💾"`）
 - **`events`**：要监听的事件数组（例如 `["command:new", "command:reset"]`）
 - **`export`**：要使用的命名导出（默认为 `"default"`）
 - **`homepage`**：文档 URL
 - **`requires`**：可选要求
-  - **`bins`**：PATH 中需要的二进制文件（例如 `["git", "node"]`）
-  - **`anyBins`**：这些二进制文件中至少有一个必须存在
-  - **`env`**：需要的环境变量
-  - **`config`**：需要的配置路径（例如 `["workspace.dir"]`）
-  - **`os`**：需要的平台（例如 `["darwin", "linux"]`）
+  - **`bins`**：PATH 中必须存在的二进制文件（例如 `["git", "node"]`）
+  - **`anyBins`**：这些二进制文件中至少要存在一个
+  - **`env`**：必需的环境变量
+  - **`config`**：必需的配置路径（例如 `["workspace.dir"]`）
+  - **`os`**：支持的平台（例如 `["darwin", "linux"]`）
 - **`always`**：绕过资格检查（布尔值）
-- **`install`**：安装方法（对于捆绑 hooks：`[{"id":"bundled","kind":"bundled"}]`）
+- **`install`**：安装方式（对于内置 hooks：`[{"id":"bundled","kind":"bundled"}]`）
 
-### 处理程序实现
+### 处理器实现
 
-`handler.ts` 文件导出一个 `HookHandler` 函数：
+`handler.ts` 文件会导出一个 `HookHandler` 函数：
 
 ```typescript
-import type { HookHandler } from "../../src/hooks/hooks.js";
-
-const myHandler: HookHandler = async (event) => {
-  // Only trigger on 'new' command
+const myHandler = async (event) => {
+  // 仅在 'new' 命令时触发
   if (event.type !== "command" || event.action !== "new") {
     return;
   }
@@ -191,9 +199,9 @@ const myHandler: HookHandler = async (event) => {
   console.log(`  Session: ${event.sessionKey}`);
   console.log(`  Timestamp: ${event.timestamp.toISOString()}`);
 
-  // Your custom logic here
+  // 你的自定义逻辑写在这里
 
-  // Optionally send message to user
+  // 可选：向用户发送消息
   event.messages.push("✨ My hook executed!");
 };
 
@@ -202,24 +210,31 @@ export default myHandler;
 
 #### 事件上下文
 
-每个事件包含：
+每个事件都包含：
 
 ```typescript
 {
-  type: 'command' | 'session' | 'agent' | 'gateway',
-  action: string,              // e.g., 'new', 'reset', 'stop'
-  sessionKey: string,          // Session identifier
-  timestamp: Date,             // When the event occurred
-  messages: string[],          // Push messages here to send to user
+  type: 'command' | 'session' | 'agent' | 'gateway' | 'message',
+  action: string,              // 例如 'new'、'reset'、'stop'、'received'、'sent'
+  sessionKey: string,          // 会话标识符
+  timestamp: Date,             // 事件发生时间
+  messages: string[],          // 将消息推入这里以发送给用户
   context: {
+    // 命令事件：
     sessionEntry?: SessionEntry,
     sessionId?: string,
     sessionFile?: string,
-    commandSource?: string,    // e.g., 'whatsapp', 'telegram'
+    commandSource?: string,    // 例如 'whatsapp'、'telegram'
     senderId?: string,
     workspaceDir?: string,
     bootstrapFiles?: WorkspaceBootstrapFile[],
-    cfg?: OpenClawConfig
+    cfg?: OpenClawConfig,
+    // 消息事件（完整详情见“消息事件”部分）：
+    from?: string,             // message:received
+    to?: string,               // message:sent
+    content?: string,
+    channelId?: string,
+    success?: boolean,         // message:sent
   }
 }
 ```
@@ -228,28 +243,135 @@ export default myHandler;
 
 ### 命令事件
 
-当发出智能体命令时触发：
+在发出智能体命令时触发：
 
 - **`command`**：所有命令事件（通用监听器）
-- **`command:new`**：当发出 `/new` 命令时
-- **`command:reset`**：当发出 `/reset` 命令时
-- **`command:stop`**：当发出 `/stop` 命令时
+- **`command:new`**：发出 `/new` 命令时
+- **`command:reset`**：发出 `/reset` 命令时
+- **`command:stop`**：发出 `/stop` 命令时
+
+### 会话事件
+
+- **`session:compact:before`**：在压缩开始总结历史记录之前
+- **`session:compact:after`**：在压缩完成并带有摘要元数据之后
+
+内部 hook 负载会将这些事件表示为 `type: "session"`，并将 `action` 设为 `"compact:before"` / `"compact:after"`；监听器使用上面的组合键进行订阅。
+具体处理器注册使用字面量键格式 `${type}:${action}`。对于这些事件，请注册 `session:compact:before` 和 `session:compact:after`。
 
 ### 智能体事件
 
-- **`agent:bootstrap`**：在注入工作区引导文件之前（hooks 可以修改 `context.bootstrapFiles`）
+- **`agent:bootstrap`**：在工作区引导文件被注入之前（hooks 可以修改 `context.bootstrapFiles`）
 
 ### Gateway 网关事件
 
-当 Gateway 网关启动时触发：
+在 Gateway 网关启动时触发：
 
-- **`gateway:startup`**：在渠道启动和 hooks 加载之后
+- **`gateway:startup`**：在渠道启动且 hooks 已加载之后
+
+### 消息事件
+
+在消息被接收或发送时触发：
+
+- **`message`**：所有消息事件（通用监听器）
+- **`message:received`**：当从任意渠道收到入站消息时。在处理的早期阶段触发，此时媒体理解尚未完成。对于尚未处理的媒体附件，内容中可能包含类似 `<media:audio>` 的原始占位符。
+- **`message:transcribed`**：当一条消息已被完全处理，包括音频转写和链接理解时触发。此时，`transcript` 包含音频消息的完整转写文本。当你需要访问已转写的音频内容时，请使用此 hook。
+- **`message:preprocessed`**：在所有媒体 + 链接理解完成后，为每条消息触发，使 hooks 可以在智能体看到消息之前访问完全增强的正文（转写、图像描述、链接摘要）。
+- **`message:sent`**：当出站消息成功发送时
+
+#### 消息事件上下文
+
+消息事件包含关于消息的丰富上下文：
+
+```typescript
+// message:received context
+{
+  from: string,           // 发送者标识符（电话号码、用户 ID 等）
+  content: string,        // 消息内容
+  timestamp?: number,     // 接收时的 Unix 时间戳
+  channelId: string,      // 渠道（例如 "whatsapp"、"telegram"、"discord"）
+  accountId?: string,     // 多账号设置中的提供商账号 ID
+  conversationId?: string, // 聊天/会话 ID
+  messageId?: string,     // 提供商返回的消息 ID
+  metadata?: {            // 额外的提供商特定数据
+    to?: string,
+    provider?: string,
+    surface?: string,
+    threadId?: string,
+    senderId?: string,
+    senderName?: string,
+    senderUsername?: string,
+    senderE164?: string,
+  }
+}
+
+// message:sent context
+{
+  to: string,             // 接收者标识符
+  content: string,        // 已发送的消息内容
+  success: boolean,       // 发送是否成功
+  error?: string,         // 如果发送失败，则为错误消息
+  channelId: string,      // 渠道（例如 "whatsapp"、"telegram"、"discord"）
+  accountId?: string,     // 提供商账号 ID
+  conversationId?: string, // 聊天/会话 ID
+  messageId?: string,     // 提供商返回的消息 ID
+  isGroup?: boolean,      // 此出站消息是否属于群组/渠道上下文
+  groupId?: string,       // 用于与 message:received 关联的群组/渠道标识符
+}
+
+// message:transcribed context
+{
+  body?: string,          // 增强前的原始入站正文
+  bodyForAgent?: string,  // 对智能体可见的增强正文
+  transcript: string,     // 音频转写文本
+  channelId: string,      // 渠道（例如 "telegram"、"whatsapp"）
+  conversationId?: string,
+  messageId?: string,
+}
+
+// message:preprocessed context
+{
+  body?: string,          // 原始入站正文
+  bodyForAgent?: string,  // 媒体/链接理解后的最终增强正文
+  transcript?: string,    // 存在音频时的转写内容
+  channelId: string,      // 渠道（例如 "telegram"、"whatsapp"）
+  conversationId?: string,
+  messageId?: string,
+  isGroup?: boolean,
+  groupId?: string,
+}
+```
+
+#### 示例：消息记录器 Hook
+
+```typescript
+const isMessageReceivedEvent = (event: { type: string; action: string }) =>
+  event.type === "message" && event.action === "received";
+const isMessageSentEvent = (event: { type: string; action: string }) =>
+  event.type === "message" && event.action === "sent";
+
+const handler = async (event) => {
+  if (isMessageReceivedEvent(event as { type: string; action: string })) {
+    console.log(`[message-logger] Received from ${event.context.from}: ${event.context.content}`);
+  } else if (isMessageSentEvent(event as { type: string; action: string })) {
+    console.log(`[message-logger] Sent to ${event.context.to}: ${event.context.content}`);
+  }
+};
+
+export default handler;
+```
 
 ### 工具结果 Hooks（插件 API）
 
-这些 hooks 不是事件流监听器；它们让插件在 OpenClaw 持久化工具结果之前同步调整它们。
+这些 hooks 不是事件流监听器；它们允许插件在 OpenClaw 持久化工具结果之前同步调整工具结果。
 
-- **`tool_result_persist`**：在工具结果写入会话记录之前转换它们。必须是同步的；返回更新后的工具结果负载或 `undefined` 保持原样。参见 [智能体循环](/concepts/agent-loop)。
+- **`tool_result_persist`**：在工具结果写入会话转录之前对其进行转换。必须是同步的；返回更新后的工具结果负载，或返回 `undefined` 以保持原样。请参阅 [Agent Loop](/concepts/agent-loop)。
+
+### 插件 Hook 事件
+
+通过插件 hook 运行器公开的压缩生命周期 hooks：
+
+- **`before_compaction`**：在压缩前运行，并带有计数/token 元数据
+- **`after_compaction`**：在压缩后运行，并带有压缩摘要元数据
 
 ### 未来事件
 
@@ -258,14 +380,12 @@ export default myHandler;
 - **`session:start`**：当新会话开始时
 - **`session:end`**：当会话结束时
 - **`agent:error`**：当智能体遇到错误时
-- **`message:sent`**：当消息被发送时
-- **`message:received`**：当消息被接收时
 
 ## 创建自定义 Hooks
 
 ### 1. 选择位置
 
-- **工作区 hooks**（`<workspace>/hooks/`）：每智能体，最高优先级
+- **工作区 hooks**（`<workspace>/hooks/`）：每个智能体单独配置，优先级最高
 - **托管 hooks**（`~/.openclaw/hooks/`）：跨工作区共享
 
 ### 2. 创建目录结构
@@ -280,27 +400,25 @@ cd ~/.openclaw/hooks/my-hook
 ```markdown
 ---
 name: my-hook
-description: "Does something useful"
+description: "执行某些有用的事情"
 metadata: { "openclaw": { "emoji": "🎯", "events": ["command:new"] } }
 ---
 
 # My Custom Hook
 
-This hook does something useful when you issue `/new`.
+当你发出 `/new` 时，此 hook 会执行一些有用的事情。
 ```
 
 ### 4. 创建 handler.ts
 
 ```typescript
-import type { HookHandler } from "../../src/hooks/hooks.js";
-
-const handler: HookHandler = async (event) => {
+const handler = async (event) => {
   if (event.type !== "command" || event.action !== "new") {
     return;
   }
 
   console.log("[my-hook] Running!");
-  // Your logic here
+  // 你的逻辑写在这里
 };
 
 export default handler;
@@ -309,16 +427,16 @@ export default handler;
 ### 5. 启用并测试
 
 ```bash
-# Verify hook is discovered
+# 验证 hook 已被发现
 openclaw hooks list
 
-# Enable it
+# 启用它
 openclaw hooks enable my-hook
 
-# Restart your gateway process (menu bar app restart on macOS, or restart your dev process)
+# 重启你的 Gateway 网关进程（macOS 上重启菜单栏应用，或重启你的开发进程）
 
-# Trigger the event
-# Send /new via your messaging channel
+# 触发事件
+# 通过你的消息渠道发送 /new
 ```
 
 ## 配置
@@ -339,9 +457,9 @@ openclaw hooks enable my-hook
 }
 ```
 
-### 每 Hook 配置
+### 每个 Hook 的配置
 
-Hooks 可以有自定义配置：
+Hooks 可以具有自定义配置：
 
 ```json
 {
@@ -378,9 +496,9 @@ Hooks 可以有自定义配置：
 }
 ```
 
-### 遗留配置格式（仍然支持）
+### 旧版配置格式（仍受支持）
 
-旧配置格式仍然有效以保持向后兼容：
+旧配置格式仍可用于向后兼容：
 
 ```json
 {
@@ -399,74 +517,76 @@ Hooks 可以有自定义配置：
 }
 ```
 
-**迁移**：对新 hooks 使用基于发现的新系统。遗留处理程序在基于目录的 hooks 之后加载。
+注意：`module` 必须是相对于工作区的路径。绝对路径和超出工作区范围的遍历路径会被拒绝。
+
+**迁移**：对于新的 hooks，请使用基于发现的新系统。旧版 handlers 会在基于目录的 hooks 之后加载。
 
 ## CLI 命令
 
 ### 列出 Hooks
 
 ```bash
-# List all hooks
+# 列出所有 hooks
 openclaw hooks list
 
-# Show only eligible hooks
+# 仅显示符合条件的 hooks
 openclaw hooks list --eligible
 
-# Verbose output (show missing requirements)
+# 详细输出（显示缺失的要求）
 openclaw hooks list --verbose
 
-# JSON output
+# JSON 输出
 openclaw hooks list --json
 ```
 
 ### Hook 信息
 
 ```bash
-# Show detailed info about a hook
+# 显示某个 hook 的详细信息
 openclaw hooks info session-memory
 
-# JSON output
+# JSON 输出
 openclaw hooks info session-memory --json
 ```
 
 ### 检查资格
 
 ```bash
-# Show eligibility summary
+# 显示资格摘要
 openclaw hooks check
 
-# JSON output
+# JSON 输出
 openclaw hooks check --json
 ```
 
 ### 启用/禁用
 
 ```bash
-# Enable a hook
+# 启用一个 hook
 openclaw hooks enable session-memory
 
-# Disable a hook
+# 禁用一个 hook
 openclaw hooks disable command-logger
 ```
 
-## 捆绑的 Hooks
+## 内置 hook 参考
 
 ### session-memory
 
-当你发出 `/new` 时将会话上下文保存到记忆。
+当你发出 `/new` 时，将会话上下文保存到 memory。
 
 **事件**：`command:new`
 
 **要求**：必须配置 `workspace.dir`
 
-**输出**：`<workspace>/memory/YYYY-MM-DD-slug.md`（默认为 `~/.openclaw/workspace`）
+**输出**：`<workspace>/memory/YYYY-MM-DD-slug.md`（默认是 `~/.openclaw/workspace`）
 
-**功能**：
+**它的作用**：
 
-1. 使用预重置会话条目定位正确的记录
-2. 提取最后 15 行对话
-3. 使用 LLM 生成描述性文件名 slug
-4. 将会话元数据保存到带日期的记忆文件
+1. 使用重置前的会话条目定位正确的转录
+2. 提取最近 15 行对话
+3. 使用 LLM 生成描述性的文件名 slug
+4. 将会话元数据保存到带日期的 memory 文件中
 
 **示例输出**：
 
@@ -482,7 +602,7 @@ openclaw hooks disable command-logger
 
 - `2026-01-16-vendor-pitch.md`
 - `2026-01-16-api-design.md`
-- `2026-01-16-1430.md`（如果 slug 生成失败则回退到时间戳）
+- `2026-01-16-1430.md`（如果 slug 生成失败，则回退为时间戳）
 
 **启用**：
 
@@ -490,9 +610,50 @@ openclaw hooks disable command-logger
 openclaw hooks enable session-memory
 ```
 
+### bootstrap-extra-files
+
+在 `agent:bootstrap` 期间注入额外的引导文件（例如 monorepo 本地的 `AGENTS.md` / `TOOLS.md`）。
+
+**事件**：`agent:bootstrap`
+
+**要求**：必须配置 `workspace.dir`
+
+**输出**：不写入文件；仅在内存中修改引导上下文。
+
+**配置**：
+
+```json
+{
+  "hooks": {
+    "internal": {
+      "enabled": true,
+      "entries": {
+        "bootstrap-extra-files": {
+          "enabled": true,
+          "paths": ["packages/*/AGENTS.md", "packages/*/TOOLS.md"]
+        }
+      }
+    }
+  }
+}
+```
+
+**说明**：
+
+- 路径相对于工作区解析。
+- 文件必须保持在工作区内部（通过 realpath 检查）。
+- 仅加载已识别的引导基础文件名。
+- 会保留子智能体允许列表（仅 `AGENTS.md` 和 `TOOLS.md`）。
+
+**启用**：
+
+```bash
+openclaw hooks enable bootstrap-extra-files
+```
+
 ### command-logger
 
-将所有命令事件记录到集中审计文件。
+将所有命令事件记录到集中式审计文件。
 
 **事件**：`command`
 
@@ -500,10 +661,10 @@ openclaw hooks enable session-memory
 
 **输出**：`~/.openclaw/logs/commands.log`
 
-**功能**：
+**它的作用**：
 
 1. 捕获事件详情（命令操作、时间戳、会话键、发送者 ID、来源）
-2. 以 JSONL 格式追加到日志文件
+2. 以 JSONL 格式附加到日志文件
 3. 在后台静默运行
 
 **示例日志条目**：
@@ -516,13 +677,13 @@ openclaw hooks enable session-memory
 **查看日志**：
 
 ```bash
-# View recent commands
+# 查看最近的命令
 tail -n 20 ~/.openclaw/logs/commands.log
 
-# Pretty-print with jq
+# 使用 jq 美化输出
 cat ~/.openclaw/logs/commands.log | jq .
 
-# Filter by action
+# 按操作筛选
 grep '"action":"new"' ~/.openclaw/logs/commands.log | jq .
 ```
 
@@ -534,18 +695,18 @@ openclaw hooks enable command-logger
 
 ### boot-md
 
-当 Gateway 网关启动时运行 `BOOT.md`（在渠道启动之后）。
-必须启用内部 hooks 才能运行。
+当 Gateway 网关启动时（渠道启动之后）运行 `BOOT.md`。
+必须启用内部 hooks，此功能才会运行。
 
 **事件**：`gateway:startup`
 
 **要求**：必须配置 `workspace.dir`
 
-**功能**：
+**它的作用**：
 
 1. 从你的工作区读取 `BOOT.md`
-2. 通过智能体运行器运行指令
-3. 通过 message 工具发送任何请求的出站消息
+2. 通过智能体运行器执行其中的指令
+3. 通过消息工具发送任何请求的出站消息
 
 **启用**：
 
@@ -555,26 +716,26 @@ openclaw hooks enable boot-md
 
 ## 最佳实践
 
-### 保持处理程序快速
+### 保持处理器快速
 
-Hooks 在命令处理期间运行。保持它们轻量：
+Hooks 在命令处理期间运行。请保持其轻量：
 
 ```typescript
-// ✓ Good - async work, returns immediately
+// ✓ 好 - 异步工作，立即返回
 const handler: HookHandler = async (event) => {
-  void processInBackground(event); // Fire and forget
+  void processInBackground(event); // 触发后不等待
 };
 
-// ✗ Bad - blocks command processing
+// ✗ 差 - 阻塞命令处理
 const handler: HookHandler = async (event) => {
   await slowDatabaseQuery(event);
   await evenSlowerAPICall(event);
 };
 ```
 
-### 优雅处理错误
+### 优雅地处理错误
 
-始终包装有风险的操作：
+始终包装高风险操作：
 
 ```typescript
 const handler: HookHandler = async (event) => {
@@ -582,112 +743,117 @@ const handler: HookHandler = async (event) => {
     await riskyOperation(event);
   } catch (err) {
     console.error("[my-handler] Failed:", err instanceof Error ? err.message : String(err));
-    // Don't throw - let other handlers run
+    // 不要抛出错误 - 让其他处理器继续运行
   }
 };
 ```
 
 ### 尽早过滤事件
 
-如果事件不相关则尽早返回：
+如果事件不相关，请尽早返回：
 
 ```typescript
 const handler: HookHandler = async (event) => {
-  // Only handle 'new' commands
+  // 仅处理 'new' 命令
   if (event.type !== "command" || event.action !== "new") {
     return;
   }
 
-  // Your logic here
+  // 你的逻辑写在这里
 };
 ```
 
-### 使用特定事件键
+### 使用具体事件键
 
-尽可能在元数据中指定确切事件：
+如果可能，请在元数据中指定精确事件：
 
 ```yaml
-metadata: { "openclaw": { "events": ["command:new"] } } # Specific
+metadata: { "openclaw": { "events": ["command:new"] } } # 精确
 ```
 
 而不是：
 
 ```yaml
-metadata: { "openclaw": { "events": ["command"] } } # General - more overhead
+metadata: { "openclaw": { "events": ["command"] } } # 通用 - 开销更大
 ```
 
 ## 调试
 
 ### 启用 Hook 日志
 
-Gateway 网关在启动时记录 hook 加载：
+Gateway 网关会在启动时记录 hook 加载情况：
 
 ```
 Registered hook: session-memory -> command:new
+Registered hook: bootstrap-extra-files -> agent:bootstrap
 Registered hook: command-logger -> command
 Registered hook: boot-md -> gateway:startup
 ```
 
-### 检查发现
+### 检查发现情况
 
-列出所有发现的 hooks：
+列出所有已发现的 hooks：
 
 ```bash
 openclaw hooks list --verbose
 ```
 
-### 检查注册
+### 检查注册情况
 
-在你的处理程序中，记录它被调用的时间：
+在你的处理器中，记录它何时被调用：
 
 ```typescript
 const handler: HookHandler = async (event) => {
   console.log("[my-handler] Triggered:", event.type, event.action);
-  // Your logic
+  // 你的逻辑
 };
 ```
 
 ### 验证资格
 
-检查为什么 hook 不符合条件：
+检查某个 hook 为什么不符合条件：
 
 ```bash
 openclaw hooks info my-hook
 ```
 
-在输出中查找缺失的要求。
+查看输出中缺失的要求。
 
 ## 测试
 
 ### Gateway 网关日志
 
-监控 Gateway 网关日志以查看 hook 执行：
+监控 Gateway 网关日志以查看 hook 执行情况：
 
 ```bash
 # macOS
 ./scripts/clawlog.sh -f
 
-# Other platforms
+# 其他平台
 tail -f ~/.openclaw/gateway.log
 ```
 
 ### 直接测试 Hooks
 
-隔离测试你的处理程序：
+单独测试你的 handlers：
 
 ```typescript
 import { test } from "vitest";
-import { createHookEvent } from "./src/hooks/hooks.js";
 import myHandler from "./hooks/my-hook/handler.js";
 
 test("my handler works", async () => {
-  const event = createHookEvent("command", "new", "test-session", {
-    foo: "bar",
-  });
+  const event = {
+    type: "command",
+    action: "new",
+    sessionKey: "test-session",
+    timestamp: new Date(),
+    messages: [],
+    context: { foo: "bar" },
+  };
 
   await myHandler(event);
 
-  // Assert side effects
+  // 断言副作用
 });
 ```
 
@@ -696,8 +862,8 @@ test("my handler works", async () => {
 ### 核心组件
 
 - **`src/hooks/types.ts`**：类型定义
-- **`src/hooks/workspace.ts`**：目录扫描和加载
-- **`src/hooks/frontmatter.ts`**：HOOK.md 元数据解析
+- **`src/hooks/workspace.ts`**：目录扫描与加载
+- **`src/hooks/frontmatter.ts`**：`HOOK.md` 元数据解析
 - **`src/hooks/config.ts`**：资格检查
 - **`src/hooks/hooks-status.ts`**：状态报告
 - **`src/hooks/loader.ts`**：动态模块加载器
@@ -710,15 +876,15 @@ test("my handler works", async () => {
 ```
 Gateway 网关启动
     ↓
-扫描目录（工作区 → 托管 → 捆绑）
+扫描目录（工作区 → 托管 → 内置）
     ↓
 解析 HOOK.md 文件
     ↓
 检查资格（bins、env、config、os）
     ↓
-从符合条件的 hooks 加载处理程序
+从符合条件的 hooks 加载 handlers
     ↓
-为事件注册处理程序
+为事件注册 handlers
 ```
 
 ### 事件流程
@@ -726,11 +892,11 @@ Gateway 网关启动
 ```
 用户发送 /new
     ↓
-命令验证
+命令校验
     ↓
 创建 hook 事件
     ↓
-触发 hook（所有注册的处理程序）
+触发 hook（所有已注册的 handlers）
     ↓
 命令处理继续
     ↓
@@ -745,17 +911,18 @@ Gateway 网关启动
 
    ```bash
    ls -la ~/.openclaw/hooks/my-hook/
-   # Should show: HOOK.md, handler.ts
+   # 应显示：HOOK.md, handler.ts
    ```
 
 2. 验证 HOOK.md 格式：
 
    ```bash
    cat ~/.openclaw/hooks/my-hook/HOOK.md
-   # Should have YAML frontmatter with name and metadata
+   # 应包含带有 name 和 metadata 的 YAML frontmatter
    ```
 
-3. 列出所有发现的 hooks：
+3. 列出所有已发现的 hooks：
+
    ```bash
    openclaw hooks list
    ```
@@ -768,12 +935,12 @@ Gateway 网关启动
 openclaw hooks info my-hook
 ```
 
-查找缺失的：
+查看是否缺少：
 
 - 二进制文件（检查 PATH）
 - 环境变量
 - 配置值
-- 操作系统兼容性
+- OS 兼容性
 
 ### Hook 未执行
 
@@ -781,30 +948,31 @@ openclaw hooks info my-hook
 
    ```bash
    openclaw hooks list
-   # Should show ✓ next to enabled hooks
+   # 应在已启用的 hooks 旁显示 ✓
    ```
 
 2. 重启你的 Gateway 网关进程以重新加载 hooks。
 
 3. 检查 Gateway 网关日志中的错误：
+
    ```bash
    ./scripts/clawlog.sh | grep hook
    ```
 
-### 处理程序错误
+### 处理器错误
 
 检查 TypeScript/import 错误：
 
 ```bash
-# Test import directly
+# 直接测试导入
 node -e "import('./path/to/handler.ts').then(console.log)"
 ```
 
 ## 迁移指南
 
-### 从遗留配置到发现
+### 从旧版配置迁移到发现机制
 
-**之前**：
+**迁移前**：
 
 ```json
 {
@@ -822,7 +990,7 @@ node -e "import('./path/to/handler.ts').then(console.log)"
 }
 ```
 
-**之后**：
+**迁移后**：
 
 1. 创建 hook 目录：
 
@@ -836,13 +1004,13 @@ node -e "import('./path/to/handler.ts').then(console.log)"
    ```markdown
    ---
    name: my-hook
-   description: "My custom hook"
+   description: "我的自定义 hook"
    metadata: { "openclaw": { "emoji": "🎯", "events": ["command:new"] } }
    ---
 
    # My Hook
 
-   Does something useful.
+   执行某些有用的事情。
    ```
 
 3. 更新配置：
@@ -861,9 +1029,10 @@ node -e "import('./path/to/handler.ts').then(console.log)"
    ```
 
 4. 验证并重启你的 Gateway 网关进程：
+
    ```bash
    openclaw hooks list
-   # Should show: 🎯 my-hook ✓
+   # 应显示：🎯 my-hook ✓
    ```
 
 **迁移的好处**：
@@ -876,7 +1045,7 @@ node -e "import('./path/to/handler.ts').then(console.log)"
 
 ## 另请参阅
 
-- [CLI 参考：hooks](/cli/hooks)
-- [捆绑 Hooks README](https://github.com/openclaw/openclaw/tree/main/src/hooks/bundled)
+- [CLI Reference: hooks](/cli/hooks)
+- [Bundled Hooks README](https://github.com/openclaw/openclaw/tree/main/src/hooks/bundled)
 - [Webhook Hooks](/automation/webhook)
-- [配置](/gateway/configuration#hooks)
+- [Configuration](/gateway/configuration#hooks)
diff --git a/docs/zh-CN/channels/bluebubbles.md b/docs/zh-CN/channels/bluebubbles.md
index 4ee4cb71e3e..b7f8534065b 100644
--- a/docs/zh-CN/channels/bluebubbles.md
+++ b/docs/zh-CN/channels/bluebubbles.md
@@ -6,34 +6,35 @@ read_when:
 summary: 通过 BlueBubbles macOS 服务器使用 iMessage（REST 发送/接收、输入状态、回应、配对、高级操作）。
 title: BlueBubbles
 x-i18n:
-  generated_at: "2026-02-03T10:04:52Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 3aae277a8bec479800a7f6268bfbca912c65a4aadc6e513694057fb873597b69
+  generated_at: "2026-03-16T06:21:08Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 877592bf7b9b06abdddd7567d56e756eff229d6ffa5056ef33fa3356086aa580
   source_path: channels/bluebubbles.md
   workflow: 15
 ---
 
 # BlueBubbles（macOS REST）
 
-状态：内置插件，通过 HTTP 与 BlueBubbles macOS 服务器通信。由于其更丰富的 API 和更简便的设置，**推荐用于 iMessage 集成**，优于旧版 imsg 渠道。
+状态：内置插件，通过 HTTP 与 BlueBubbles macOS 服务器通信。由于其 API 更丰富且设置比旧版 imsg 渠道更简单，**推荐用于 iMessage 集成**。
 
-## 概述
+## 概览
 
 - 通过 BlueBubbles 辅助应用在 macOS 上运行（[bluebubbles.app](https://bluebubbles.app)）。
-- 推荐/已测试版本：macOS Sequoia (15)。macOS Tahoe (26) 可用；但在 Tahoe 上编辑功能目前不可用，群组图标更新可能显示成功但实际未同步。
-- OpenClaw 通过其 REST API 与之通信（`GET /api/v1/ping`、`POST /message/text`、`POST /chat/:id/*`）。
-- 传入消息通过 webhook 到达；发出的回复、输入指示器、已读回执和 tapback 均为 REST 调用。
-- 附件和贴纸作为入站媒体被接收（并在可能时呈现给智能体）。
-- 配对/白名单的工作方式与其他渠道相同（`/channels/pairing` 等），使用 `channels.bluebubbles.allowFrom` + 配对码。
-- 回应作为系统事件呈现，与 Slack/Telegram 类似，智能体可以在回复前"提及"它们。
+- 推荐/已测试：macOS Sequoia（15）。macOS Tahoe（26）可用；目前编辑功能在 Tahoe 上已损坏，群组图标更新可能会报告成功但不会同步。
+- OpenClaw 通过其 REST API 与其通信（`GET /api/v1/ping`、`POST /message/text`、`POST /chat/:id/*`）。
+- 传入消息通过 webhook 到达；传出回复、输入状态指示、已读回执和 tapback 都通过 REST 调用完成。
+- 附件和贴纸会作为入站媒体接收（并在可能时展示给智能体）。
+- 配对/allowlist 的工作方式与其他渠道相同（`/channels/pairing` 等），使用 `channels.bluebubbles.allowFrom` + 配对码。
+- 回应会像 Slack/Telegram 一样作为系统事件呈现，因此智能体可以在回复前“提及”它们。
 - 高级功能：编辑、撤回、回复线程、消息效果、群组管理。
 
 ## 快速开始
 
-1. 在你的 Mac 上安装 BlueBubbles 服务器（按照 [bluebubbles.app/install](https://bluebubbles.app/install) 的说明操作）。
-2. 在 BlueBubbles 配置中，启用 web API 并设置密码。
+1. 在你的 Mac 上安装 BlueBubbles 服务器（按照 [bluebubbles.app/install](https://bluebubbles.app/install) 上的说明操作）。
+2. 在 BlueBubbles 配置中启用 Web API 并设置密码。
 3. 运行 `openclaw onboard` 并选择 BlueBubbles，或手动配置：
+
    ```json5
    {
      channels: {
@@ -46,8 +47,89 @@ x-i18n:
      },
    }
    ```
+
 4. 将 BlueBubbles webhook 指向你的 Gateway 网关（示例：`https://your-gateway-host:3000/bluebubbles-webhook?password=<password>`）。
-5. 启动 Gateway 网关；它将注册 webhook 处理程序并开始配对。
+5. 启动 Gateway 网关；它会注册 webhook 处理器并开始配对。
+
+安全说明：
+
+- 始终设置 webhook 密码。
+- 始终要求进行 webhook 身份验证。无论 loopback/代理拓扑如何，除非 BlueBubbles webhook 请求包含与 `channels.bluebubbles.password` 匹配的 password/guid（例如 `?password=<password>` 或 `x-password`），否则 OpenClaw 会拒绝该请求。
+- 在读取/解析完整 webhook 请求体之前就会检查密码身份验证。
+
+## 保持 Messages.app 处于活动状态（VM / 无头设置）
+
+某些 macOS VM / 常开设置可能会导致 Messages.app 进入“空闲”状态（传入事件会停止，直到应用被打开/切到前台）。一个简单的解决方法是使用 AppleScript + LaunchAgent **每 5 分钟“触碰”一次 Messages**。
+
+### 1）保存 AppleScript
+
+将以下内容保存为：
+
+- `~/Scripts/poke-messages.scpt`
+
+示例脚本（非交互式；不会抢占焦点）：
+
+```applescript
+try
+  tell application "Messages"
+    if not running then
+      launch
+    end if
+
+    -- Touch the scripting interface to keep the process responsive.
+    set _chatCount to (count of chats)
+  end tell
+on error
+  -- Ignore transient failures (first-run prompts, locked session, etc).
+end try
+```
+
+### 2）安装 LaunchAgent
+
+将以下内容保存为：
+
+- `~/Library/LaunchAgents/com.user.poke-messages.plist`
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>Label</key>
+    <string>com.user.poke-messages</string>
+
+    <key>ProgramArguments</key>
+    <array>
+      <string>/bin/bash</string>
+      <string>-lc</string>
+      <string>/usr/bin/osascript &quot;$HOME/Scripts/poke-messages.scpt&quot;</string>
+    </array>
+
+    <key>RunAtLoad</key>
+    <true/>
+
+    <key>StartInterval</key>
+    <integer>300</integer>
+
+    <key>StandardOutPath</key>
+    <string>/tmp/poke-messages.log</string>
+    <key>StandardErrorPath</key>
+    <string>/tmp/poke-messages.err</string>
+  </dict>
+</plist>
+```
+
+说明：
+
+- 这会**每 300 秒**运行一次，并且**在登录时**运行。
+- 首次运行可能会触发 macOS 的**自动化**权限提示（`osascript` → Messages）。请在运行该 LaunchAgent 的同一用户会话中批准这些提示。
+
+加载它：
+
+```bash
+launchctl unload ~/Library/LaunchAgents/com.user.poke-messages.plist 2>/dev/null || true
+launchctl load ~/Library/LaunchAgents/com.user.poke-messages.plist
+```
 
 ## 新手引导
 
@@ -60,10 +142,10 @@ openclaw onboard
 向导会提示输入：
 
 - **服务器 URL**（必填）：BlueBubbles 服务器地址（例如 `http://192.168.1.100:1234`）
-- **密码**（必填）：来自 BlueBubbles 服务器设置的 API 密码
+- **密码**（必填）：来自 BlueBubbles Server 设置的 API 密码
 - **Webhook 路径**（可选）：默认为 `/bluebubbles-webhook`
-- **私信策略**：配对、白名单、开放或禁用
-- **白名单**：电话号码、电子邮件或聊天目标
+- **私信策略**：pairing、allowlist、open 或 disabled
+- **允许列表**：电话号码、电子邮件或聊天目标
 
 你也可以通过 CLI 添加 BlueBubbles：
 
@@ -75,12 +157,12 @@ openclaw channels add bluebubbles --http-url http://192.168.1.100:1234 --passwor
 
 私信：
 
-- 默认：`channels.bluebubbles.dmPolicy = "pairing"`。
-- 未知发送者会收到配对码；在批准之前消息会被忽略（配对码 1 小时后过期）。
-- 批准方式：
+- 默认值：`channels.bluebubbles.dmPolicy = "pairing"`。
+- 未知发送者会收到一个配对码；在获得批准前，消息会被忽略（代码 1 小时后过期）。
+- 通过以下方式批准：
   - `openclaw pairing list bluebubbles`
   - `openclaw pairing approve bluebubbles <CODE>`
-- 配对是默认的令牌交换方式。详情：[配对](/channels/pairing)
+- 配对是默认的令牌交换方式。详情见：[配对](/channels/pairing)
 
 群组：
 
@@ -89,13 +171,13 @@ openclaw channels add bluebubbles --http-url http://192.168.1.100:1234 --passwor
 
 ### 提及门控（群组）
 
-BlueBubbles 支持群聊的提及门控，与 iMessage/WhatsApp 行为一致：
+BlueBubbles 支持群聊中的提及门控，与 iMessage/WhatsApp 的行为一致：
 
 - 使用 `agents.list[].groupChat.mentionPatterns`（或 `messages.groupChat.mentionPatterns`）检测提及。
-- 当群组启用 `requireMention` 时，智能体仅在被提及时响应。
+- 当某个群组启用 `requireMention` 时，智能体只有在被提及时才会响应。
 - 来自授权发送者的控制命令会绕过提及门控。
 
-单群组配置：
+每群组配置：
 
 ```json5
 {
@@ -104,8 +186,8 @@ BlueBubbles 支持群聊的提及门控，与 iMessage/WhatsApp 行为一致：
       groupPolicy: "allowlist",
       groupAllowFrom: ["+15555550123"],
       groups: {
-        "*": { requireMention: true }, // 所有群组的默认设置
-        "iMessage;-;chat123": { requireMention: false }, // 特定群组的覆盖设置
+        "*": { requireMention: true }, // 所有群组的默认值
+        "iMessage;-;chat123": { requireMention: false }, // 对特定群组覆盖
       },
     },
   },
@@ -115,14 +197,14 @@ BlueBubbles 支持群聊的提及门控，与 iMessage/WhatsApp 行为一致：
 ### 命令门控
 
 - 控制命令（例如 `/config`、`/model`）需要授权。
-- 使用 `allowFrom` 和 `groupAllowFrom` 确定命令授权。
-- 授权发送者即使在群组中未被提及也可以运行控制命令。
+- 使用 `allowFrom` 和 `groupAllowFrom` 来判断命令授权。
+- 授权发送者即使在群组中未提及，也可以运行控制命令。
 
 ## 输入状态 + 已读回执
 
-- **输入指示器**：在响应生成前和生成期间自动发送。
+- **输入状态指示**：会在生成响应之前和期间自动发送。
 - **已读回执**：由 `channels.bluebubbles.sendReadReceipts` 控制（默认：`true`）。
-- **输入指示器**：OpenClaw 发送输入开始事件；BlueBubbles 在发送或超时时自动清除输入状态（通过 DELETE 手动停止不可靠）。
+- **输入状态指示**：OpenClaw 会发送输入开始事件；BlueBubbles 会在发送后或超时后自动清除输入状态（通过 DELETE 手动停止并不可靠）。
 
 ```json5
 {
@@ -136,7 +218,7 @@ BlueBubbles 支持群聊的提及门控，与 iMessage/WhatsApp 行为一致：
 
 ## 高级操作
 
-BlueBubbles 在配置中启用时支持高级消息操作：
+在配置中启用后，BlueBubbles 支持高级消息操作：
 
 ```json5
 {
@@ -144,15 +226,15 @@ BlueBubbles 在配置中启用时支持高级消息操作：
     bluebubbles: {
       actions: {
         reactions: true, // tapback（默认：true）
-        edit: true, // 编辑已发送消息（macOS 13+，在 macOS 26 Tahoe 上不可用）
+        edit: true, // 编辑已发送消息（macOS 13+，在 macOS 26 Tahoe 上已损坏）
         unsend: true, // 撤回消息（macOS 13+）
-        reply: true, // 通过消息 GUID 进行回复线程
+        reply: true, // 按消息 GUID 回复线程
         sendWithEffect: true, // 消息效果（slam、loud 等）
         renameGroup: true, // 重命名群聊
         setGroupIcon: true, // 设置群聊图标/照片（在 macOS 26 Tahoe 上不稳定）
-        addParticipant: true, // 将参与者添加到群组
+        addParticipant: true, // 向群组添加参与者
         removeParticipant: true, // 从群组移除参与者
-        leaveGroup: true, // 离开群聊
+        leaveGroup: true, // 退出群聊
         sendAttachment: true, // 发送附件/媒体
       },
     },
@@ -163,37 +245,37 @@ BlueBubbles 在配置中启用时支持高级消息操作：
 可用操作：
 
 - **react**：添加/移除 tapback 回应（`messageId`、`emoji`、`remove`）
-- **edit**：编辑已发送的消息（`messageId`、`text`）
+- **edit**：编辑已发送消息（`messageId`、`text`）
 - **unsend**：撤回消息（`messageId`）
 - **reply**：回复特定消息（`messageId`、`text`、`to`）
 - **sendWithEffect**：带 iMessage 效果发送（`text`、`to`、`effectId`）
 - **renameGroup**：重命名群聊（`chatGuid`、`displayName`）
-- **setGroupIcon**：设置群聊图标/照片（`chatGuid`、`media`）— 在 macOS 26 Tahoe 上不稳定（API 可能返回成功但图标未同步）。
-- **addParticipant**：将某人添加到群组（`chatGuid`、`address`）
-- **removeParticipant**：将某人从群组移除（`chatGuid`、`address`）
-- **leaveGroup**：离开群聊（`chatGuid`）
+- **setGroupIcon**：设置群聊图标/照片（`chatGuid`、`media`）——在 macOS 26 Tahoe 上不稳定（API 可能返回成功，但图标不会同步）。
+- **addParticipant**：向群组添加某人（`chatGuid`、`address`）
+- **removeParticipant**：从群组移除某人（`chatGuid`、`address`）
+- **leaveGroup**：退出群聊（`chatGuid`）
 - **sendAttachment**：发送媒体/文件（`to`、`buffer`、`filename`、`asVoice`）
-  - 语音备忘录：将 `asVoice: true` 与 **MP3** 或 **CAF** 音频一起设置，以 iMessage 语音消息形式发送。BlueBubbles 在发送语音备忘录时会将 MP3 转换为 CAF。
+  - 语音备忘录：将 `asVoice: true` 与 **MP3** 或 **CAF** 音频一起设置，即可作为 iMessage 语音消息发送。BlueBubbles 在发送语音备忘录时会将 MP3 转换为 CAF。
 
-### 消息 ID（短格式 vs 完整格式）
+### 消息 ID（短 ID 与完整 ID）
 
 OpenClaw 可能会显示*短*消息 ID（例如 `1`、`2`）以节省 token。
 
 - `MessageSid` / `ReplyToId` 可以是短 ID。
 - `MessageSidFull` / `ReplyToIdFull` 包含提供商的完整 ID。
-- 短 ID 存储在内存中；它们可能在重启或缓存清除后过期。
-- 操作接受短或完整的 `messageId`，但如果短 ID 不再可用将会报错。
+- 短 ID 存在于内存中；它们可能会在重启或缓存清除后失效。
+- 操作接受短或完整 `messageId`，但如果短 ID 不再可用，就会报错。
 
 对于持久化自动化和存储，请使用完整 ID：
 
 - 模板：`{{MessageSidFull}}`、`{{ReplyToIdFull}}`
 - 上下文：入站负载中的 `MessageSidFull` / `ReplyToIdFull`
 
-参见[配置](/gateway/configuration)了解模板变量。
+模板变量请参见[配置](/gateway/configuration)。
 
 ## 分块流式传输
 
-控制响应是作为单条消息发送还是分块流式传输：
+控制响应是作为单条消息发送，还是按块流式发送：
 
 ```json5
 {
@@ -208,8 +290,8 @@ OpenClaw 可能会显示*短*消息 ID（例如 `1`、`2`）以节省 token。
 ## 媒体 + 限制
 
 - 入站附件会被下载并存储在媒体缓存中。
-- 媒体上限通过 `channels.bluebubbles.mediaMaxMb` 设置（默认：8 MB）。
-- 出站文本按 `channels.bluebubbles.textChunkLimit` 分块（默认：4000 字符）。
+- 通过 `channels.bluebubbles.mediaMaxMb` 控制入站和出站媒体大小上限（默认：8 MB）。
+- 出站文本会按 `channels.bluebubbles.textChunkLimit` 分块（默认：4000 个字符）。
 
 ## 配置参考
 
@@ -217,22 +299,23 @@ OpenClaw 可能会显示*短*消息 ID（例如 `1`、`2`）以节省 token。
 
 提供商选项：
 
-- `channels.bluebubbles.enabled`：启用/禁用渠道。
+- `channels.bluebubbles.enabled`：启用/禁用该渠道。
 - `channels.bluebubbles.serverUrl`：BlueBubbles REST API 基础 URL。
 - `channels.bluebubbles.password`：API 密码。
 - `channels.bluebubbles.webhookPath`：Webhook 端点路径（默认：`/bluebubbles-webhook`）。
 - `channels.bluebubbles.dmPolicy`：`pairing | allowlist | open | disabled`（默认：`pairing`）。
-- `channels.bluebubbles.allowFrom`：私信白名单（句柄、电子邮件、E.164 号码、`chat_id:*`、`chat_guid:*`）。
+- `channels.bluebubbles.allowFrom`：私信 allowlist（handle、电子邮件、E.164 号码、`chat_id:*`、`chat_guid:*`）。
 - `channels.bluebubbles.groupPolicy`：`open | allowlist | disabled`（默认：`allowlist`）。
-- `channels.bluebubbles.groupAllowFrom`：群组发送者白名单。
-- `channels.bluebubbles.groups`：单群组配置（`requireMention` 等）。
+- `channels.bluebubbles.groupAllowFrom`：群组发送者 allowlist。
+- `channels.bluebubbles.groups`：每群组配置（`requireMention` 等）。
 - `channels.bluebubbles.sendReadReceipts`：发送已读回执（默认：`true`）。
-- `channels.bluebubbles.blockStreaming`：启用分块流式传输（默认：`false`；流式回复必需）。
-- `channels.bluebubbles.textChunkLimit`：出站分块大小（字符）（默认：4000）。
-- `channels.bluebubbles.chunkMode`：`length`（默认）仅在超过 `textChunkLimit` 时分割；`newline` 在长度分块前先按空行（段落边界）分割。
-- `channels.bluebubbles.mediaMaxMb`：入站媒体上限（MB）（默认：8）。
-- `channels.bluebubbles.historyLimit`：上下文的最大群组消息数（0 表示禁用）。
-- `channels.bluebubbles.dmHistoryLimit`：私信历史限制。
+- `channels.bluebubbles.blockStreaming`：启用分块流式传输（默认：`false`；流式回复所必需）。
+- `channels.bluebubbles.textChunkLimit`：出站分块大小（按字符计，默认：4000）。
+- `channels.bluebubbles.chunkMode`：`length`（默认）仅在超过 `textChunkLimit` 时拆分；`newline` 会先按空行（段落边界）拆分，再按长度分块。
+- `channels.bluebubbles.mediaMaxMb`：入站/出站媒体大小上限（MB，默认：8）。
+- `channels.bluebubbles.mediaLocalRoots`：允许用于出站本地媒体路径的绝对本地目录显式 allowlist。默认情况下，本地路径发送会被拒绝，除非配置了此项。每账户覆盖：`channels.bluebubbles.accounts.<accountId>.mediaLocalRoots`。
+- `channels.bluebubbles.historyLimit`：用于上下文的最大群组消息数（0 表示禁用）。
+- `channels.bluebubbles.dmHistoryLimit`：私信历史记录上限。
 - `channels.bluebubbles.actions`：启用/禁用特定操作。
 - `channels.bluebubbles.accounts`：多账户配置。
 
@@ -241,31 +324,31 @@ OpenClaw 可能会显示*短*消息 ID（例如 `1`、`2`）以节省 token。
 - `agents.list[].groupChat.mentionPatterns`（或 `messages.groupChat.mentionPatterns`）。
 - `messages.responsePrefix`。
 
-## 地址 / 投递目标
+## 寻址 / 送达目标
 
-优先使用 `chat_guid` 以获得稳定的路由：
+优先使用 `chat_guid` 以获得稳定路由：
 
-- `chat_guid:iMessage;-;+15555550123`（群组推荐）
+- `chat_guid:iMessage;-;+15555550123`（群组首选）
 - `chat_id:123`
 - `chat_identifier:...`
-- 直接句柄：`+15555550123`、`user@example.com`
-  - 如果直接句柄没有现有的私信聊天，OpenClaw 将通过 `POST /api/v1/chat/new` 创建一个。这需要启用 BlueBubbles Private API。
+- 直接 handle：`+15555550123`、`user@example.com`
+  - 如果某个直接 handle 没有现有私信聊天，OpenClaw 会通过 `POST /api/v1/chat/new` 创建一个。这要求启用 BlueBubbles Private API。
 
-## 安全性
+## 安全
 
-- Webhook 请求通过比较 `guid`/`password` 查询参数或头部与 `channels.bluebubbles.password` 进行身份验证。来自 `localhost` 的请求也会被接受。
-- 保持 API 密码和 webhook 端点的机密性（将它们视为凭证）。
-- localhost 信任意味着同主机的反向代理可能无意中绕过密码验证。如果你使用代理 Gateway 网关，请在代理处要求身份验证并配置 `gateway.trustedProxies`。参见 [Gateway 网关安全性](/gateway/security#reverse-proxy-configuration)。
-- 如果将 BlueBubbles 服务器暴露在局域网之外，请启用 HTTPS + 防火墙规则。
+- 通过将查询参数或请求头中的 `guid`/`password` 与 `channels.bluebubbles.password` 进行比较来验证 webhook 请求。来自 `localhost` 的请求也会被接受。
+- 请妥善保管 API 密码和 webhook 端点（将它们视为凭证）。
+- 对 localhost 的信任意味着同主机上的反向代理可能会无意中绕过密码。如果你对 Gateway 网关进行了代理，请在代理层要求身份验证，并配置 `gateway.trustedProxies`。请参见 [Gateway 网关安全](/gateway/security#reverse-proxy-configuration)。
+- 如果要在局域网外暴露 BlueBubbles 服务器，请启用 HTTPS + 防火墙规则。
 
 ## 故障排除
 
-- 如果输入/已读事件停止工作，请检查 BlueBubbles webhook 日志并验证 Gateway 网关路径是否与 `channels.bluebubbles.webhookPath` 匹配。
-- 配对码在一小时后过期；使用 `openclaw pairing list bluebubbles` 和 `openclaw pairing approve bluebubbles <code>`。
-- 回应需要 BlueBubbles private API（`POST /api/v1/message/react`）；确保服务器版本支持它。
-- 编辑/撤回需要 macOS 13+ 和兼容的 BlueBubbles 服务器版本。在 macOS 26（Tahoe）上，由于 private API 变更，编辑功能目前不可用。
-- 在 macOS 26（Tahoe）上群组图标更新可能不稳定：API 可能返回成功但新图标未同步。
-- OpenClaw 会根据 BlueBubbles 服务器的 macOS 版本自动隐藏已知不可用的操作。如果在 macOS 26（Tahoe）上编辑仍然显示，请使用 `channels.bluebubbles.actions.edit=false` 手动禁用。
-- 查看状态/健康信息：`openclaw status --all` 或 `openclaw status --deep`。
+- 如果输入状态/已读事件停止工作，请检查 BlueBubbles webhook 日志，并验证 Gateway 网关路径与 `channels.bluebubbles.webhookPath` 一致。
+- 配对码会在一小时后过期；使用 `openclaw pairing list bluebubbles` 和 `openclaw pairing approve bluebubbles <code>`。
+- 回应需要 BlueBubbles private API（`POST /api/v1/message/react`）；请确保服务器版本提供该接口。
+- 编辑/撤回需要 macOS 13+ 以及兼容的 BlueBubbles 服务器版本。在 macOS 26（Tahoe）上，由于 private API 变更，编辑功能目前已损坏。
+- 群组图标更新在 macOS 26（Tahoe）上可能不稳定：API 可能返回成功，但新图标不会同步。
+- OpenClaw 会根据 BlueBubbles 服务器的 macOS 版本自动隐藏已知损坏的操作。如果在 macOS 26（Tahoe）上仍显示编辑操作，请手动使用 `channels.bluebubbles.actions.edit=false` 禁用它。
+- 状态/健康信息请使用：`openclaw status --all` 或 `openclaw status --deep`。
 
-有关通用渠道工作流参考，请参阅[渠道](/channels)和[插件](/tools/plugin)指南。
+有关通用渠道工作流程参考，请参见 [Channels](/channels) 和 [Plugins](/tools/plugin) 指南。
diff --git a/docs/zh-CN/channels/feishu.md b/docs/zh-CN/channels/feishu.md
index 6a8d8633af9..af561e3a8ea 100644
--- a/docs/zh-CN/channels/feishu.md
+++ b/docs/zh-CN/channels/feishu.md
@@ -1,22 +1,29 @@
 ---
-summary: "飞书机器人支持状态、功能和配置"
 read_when:
-  - 您想要连接飞书机器人
-  - 您正在配置飞书渠道
+  - 你想连接一个飞书/Lark 机器人
+  - 你正在配置飞书渠道
+summary: 飞书机器人概览、功能和配置
 title: 飞书
+x-i18n:
+  generated_at: "2026-03-16T06:21:11Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 951e78c5c7264471382f863fa896a15ddeaf0717ef782da20d0f1b3eb23396ba
+  source_path: channels/feishu.md
+  workflow: 15
 ---
 
 # 飞书机器人
 
-状态：生产就绪，支持机器人私聊和群组。使用 WebSocket 长连接模式接收消息。
+飞书（Lark）是企业用于消息沟通与协作的团队聊天平台。此插件通过平台的 WebSocket 事件订阅将 OpenClaw 连接到飞书/Lark 机器人，因此无需暴露公共 webhook URL 即可接收消息。
 
 ---
 
-## 内置插件
+## 捆绑插件
 
-当前版本的 OpenClaw 已内置 Feishu 插件，因此通常不需要单独安装。
+飞书随当前的 OpenClaw 版本一同捆绑提供，因此无需单独安装插件。
 
-如果你使用的是较旧版本，或是没有内置 Feishu 的自定义安装，可手动安装：
+如果你使用的是较旧版本，或使用了不包含捆绑飞书的自定义安装，请手动安装：
 
 ```bash
 openclaw plugins install @openclaw/feishu
@@ -26,75 +33,75 @@ openclaw plugins install @openclaw/feishu
 
 ## 快速开始
 
-添加飞书渠道有两种方式：
+有两种方式可添加飞书渠道：
 
-### 方式一：通过安装向导添加（推荐）
+### 方法 1：设置向导（推荐）
 
-如果您刚安装完 OpenClaw，可以直接运行向导，根据提示添加飞书：
+如果你刚安装 OpenClaw，请运行设置向导：
 
 ```bash
 openclaw onboard
 ```
 
-向导会引导您完成：
+向导会引导你完成以下步骤：
 
-1. 创建飞书应用并获取凭证
-2. 配置应用凭证
-3. 启动网关
+1. 创建飞书应用并收集凭证
+2. 在 OpenClaw 中配置应用凭证
+3. 启动 Gateway 网关
 
-✅ **完成配置后**，您可以使用以下命令检查网关状态：
+✅ **配置完成后**，检查 Gateway 网关状态：
 
-- `openclaw gateway status` - 查看网关运行状态
-- `openclaw logs --follow` - 查看实时日志
+- `openclaw gateway status`
+- `openclaw logs --follow`
 
-### 方式二：通过命令行添加
+### 方法 2：CLI 设置
 
-如果您已经完成了初始安装，可以用以下命令添加飞书渠道：
+如果你已经完成初始安装，可通过 CLI 添加该渠道：
 
 ```bash
 openclaw channels add
 ```
 
-然后根据交互式提示选择 Feishu，输入 App ID 和 App Secret 即可。
+选择 **Feishu**，然后输入 App ID 和 App Secret。
 
-✅ **完成配置后**，您可以使用以下命令管理网关：
+✅ **配置完成后**，管理 Gateway 网关：
 
-- `openclaw gateway status` - 查看网关运行状态
-- `openclaw gateway restart` - 重启网关以应用新配置
-- `openclaw logs --follow` - 查看实时日志
+- `openclaw gateway status`
+- `openclaw gateway restart`
+- `openclaw logs --follow`
 
 ---
 
-## 第一步：创建飞书应用
+## 第 1 步：创建飞书应用
 
 ### 1. 打开飞书开放平台
 
-访问 [飞书开放平台](https://open.feishu.cn/app)，使用飞书账号登录。
+访问 [Feishu Open Platform](https://open.feishu.cn/app) 并登录。
 
-Lark（国际版）请使用 https://open.larksuite.com/app，并在配置中设置 `domain: "lark"`。
+Lark（国际版）租户应使用 [https://open.larksuite.com/app](https://open.larksuite.com/app)，并在飞书配置中设置 `domain: "lark"`。
 
 ### 2. 创建应用
 
-1. 点击 **创建企业自建应用**
+1. 点击 **Create enterprise app**
 2. 填写应用名称和描述
 3. 选择应用图标
 
-![创建企业自建应用](/images/feishu-step2-create-app.png)
+![Create enterprise app](../images/feishu-step2-create-app.png)
 
-### 3. 获取应用凭证
+### 3. 复制凭证
 
-在应用的 **凭证与基础信息** 页面，复制：
+在 **Credentials & Basic Info** 中，复制：
 
-- **App ID**（格式如 `cli_xxx`）
+- **App ID**（格式：`cli_xxx`）
 - **App Secret**
 
-❗ **重要**：请妥善保管 App Secret，不要分享给他人。
+❗ **重要：**请将 App Secret 妥善保密。
 
-![获取应用凭证](/images/feishu-step3-credentials.png)
+![Get credentials](../images/feishu-step3-credentials.png)
 
-### 4. 配置应用权限
+### 4. 配置权限
 
-在 **权限管理** 页面，点击 **批量导入** 按钮，粘贴以下 JSON 配置一键导入所需权限：
+在 **Permissions** 中，点击 **Batch import** 并粘贴：
 
 ```json
 {
@@ -105,81 +112,71 @@ Lark（国际版）请使用 https://open.larksuite.com/app，并在配置中设
       "application:application.app_message_stats.overview:readonly",
       "application:application:self_manage",
       "application:bot.menu:write",
+      "cardkit:card:read",
       "cardkit:card:write",
       "contact:user.employee_id:readonly",
       "corehr:file:download",
-      "docs:document.content:read",
       "event:ip_list",
-      "im:chat",
       "im:chat.access_event.bot_p2p_chat:read",
       "im:chat.members:bot_access",
       "im:message",
       "im:message.group_at_msg:readonly",
-      "im:message.group_msg",
       "im:message.p2p_msg:readonly",
       "im:message:readonly",
       "im:message:send_as_bot",
-      "im:resource",
-      "sheets:spreadsheet",
-      "wiki:wiki:readonly"
+      "im:resource"
     ],
     "user": ["aily:file:read", "aily:file:write", "im:chat.access_event.bot_p2p_chat:read"]
   }
 }
 ```
 
-![配置应用权限](/images/feishu-step4-permissions.png)
+![Configure permissions](../images/feishu-step4-permissions.png)
 
 ### 5. 启用机器人能力
 
-在 **应用能力** > **机器人** 页面：
+在 **App Capability** > **Bot** 中：
 
-1. 开启机器人能力
-2. 配置机器人名称
+1. 启用机器人能力
+2. 设置机器人名称
 
-![启用机器人能力](/images/feishu-step5-bot-capability.png)
+![Enable bot capability](../images/feishu-step5-bot-capability.png)
 
 ### 6. 配置事件订阅
 
-⚠️ **重要提醒**：在配置事件订阅前，请务必确保已完成以下步骤：
+⚠️ **重要：**在设置事件订阅前，请确保：
 
-1. 运行 `openclaw channels add` 添加了 Feishu 渠道
-2. 网关处于启动状态（可通过 `openclaw gateway status` 检查状态）
+1. 你已经为飞书运行过 `openclaw channels add`
+2. Gateway 网关正在运行（`openclaw gateway status`）
 
-在 **事件订阅** 页面：
+在 **Event Subscription** 中：
 
-1. 选择 **使用长连接接收事件**（WebSocket 模式）
-2. 添加事件：
-   - `im.message.receive_v1`
-   - `im.message.reaction.created_v1`
-   - `im.message.reaction.deleted_v1`
-   - `application.bot.menu_v6`
+1. 选择 **Use long connection to receive events**（WebSocket）
+2. 添加事件：`im.message.receive_v1`
 
-⚠️ **注意**：如果网关未启动或渠道未添加，长连接设置将保存失败。
+⚠️ 如果 Gateway 网关未运行，长连接设置可能无法保存。
 
-![配置事件订阅](/images/feishu-step6-event-subscription.png)
+![Configure event subscription](../images/feishu-step6-event-subscription.png)
 
 ### 7. 发布应用
 
-1. 在 **版本管理与发布** 页面创建版本
+1. 在 **Version Management & Release** 中创建版本
 2. 提交审核并发布
-3. 等待管理员审批（企业自建应用通常自动通过）
+3. 等待管理员批准（企业应用通常会自动批准）
 
 ---
 
-## 第二步：配置 OpenClaw
+## 第 2 步：配置 OpenClaw
 
-### 通过向导配置（推荐）
-
-运行以下命令，根据提示粘贴 App ID 和 App Secret：
+### 使用向导配置（推荐）
 
 ```bash
 openclaw channels add
 ```
 
-选择 **Feishu**，然后输入您在第一步获取的凭证即可。
+选择 **Feishu**，然后粘贴你的 App ID 和 App Secret。
 
-### 通过配置文件配置
+### 通过配置文件进行配置
 
 编辑 `~/.openclaw/openclaw.json`：
 
@@ -193,7 +190,7 @@ openclaw channels add
         main: {
           appId: "cli_xxx",
           appSecret: "xxx",
-          botName: "我的AI助手",
+          botName: "My AI assistant",
         },
       },
     },
@@ -201,18 +198,20 @@ openclaw channels add
 }
 ```
 
-若使用 `connectionMode: "webhook"`，需设置 `verificationToken`。飞书 Webhook 服务默认绑定 `127.0.0.1`；仅在需要不同监听地址时设置 `webhookHost`。
+如果你使用 `connectionMode: "webhook"`，请同时设置 `verificationToken` 和 `encryptKey`。飞书 webhook 服务器默认绑定到 `127.0.0.1`；只有在你明确需要不同绑定地址时，才设置 `webhookHost`。
 
-#### 获取 Verification Token（仅 Webhook 模式）
+#### Verification Token 和 Encrypt Key（webhook 模式）
 
-使用 Webhook 模式时，需在配置中设置 `channels.feishu.verificationToken`。获取方式：
+使用 webhook 模式时，请在配置中同时设置 `channels.feishu.verificationToken` 和 `channels.feishu.encryptKey`。获取这些值的方法如下：
 
-1. 在飞书开放平台打开您的应用
-2. 进入 **开发配置** → **事件与回调**
-3. 打开 **加密策略** 选项卡
-4. 复制 **Verification Token**（校验令牌）
+1. 在飞书开放平台中，打开你的应用
+2. 前往 **Development** → **Events & Callbacks**（开发配置 → 事件与回调）
+3. 打开 **Encryption** 标签页（加密策略）
+4. 复制 **Verification Token** 和 **Encrypt Key**
 
-![Verification Token 位置](/images/feishu-verification-token.png)
+下图展示了 **Verification Token** 的位置。**Encrypt Key** 位于同一个 **Encryption** 区域中。
+
+![Verification Token location](../images/feishu-verification-token.png)
 
 ### 通过环境变量配置
 
@@ -223,7 +222,7 @@ export FEISHU_APP_SECRET="xxx"
 
 ### Lark（国际版）域名
 
-如果您的租户在 Lark（国际版），请设置域名为 `lark`（或完整域名），可配置 `channels.feishu.domain` 或 `channels.feishu.accounts.<id>.domain`：
+如果你的租户位于 Lark（国际版），请将域名设置为 `lark`（或完整域名字串）。你可以在 `channels.feishu.domain` 设置，也可以按账户设置（`channels.feishu.accounts.<id>.domain`）。
 
 ```json5
 {
@@ -241,14 +240,14 @@ export FEISHU_APP_SECRET="xxx"
 }
 ```
 
-### 配额优化
+### 配额优化标志
 
-可通过以下可选配置减少飞书 API 调用：
+你可以使用两个可选标志来减少飞书 API 使用量：
 
-- `typingIndicator`（默认 `true`）：设为 `false` 时不发送“正在输入”状态。
-- `resolveSenderNames`（默认 `true`）：设为 `false` 时不拉取发送者资料。
+- `typingIndicator`（默认 `true`）：设为 `false` 时，跳过“正在输入”反应调用。
+- `resolveSenderNames`（默认 `true`）：设为 `false` 时，跳过发送者资料查询调用。
 
-可在渠道级或账号级配置：
+你可以在顶层或按账户进行设置：
 
 ```json5
 {
@@ -271,9 +270,9 @@ export FEISHU_APP_SECRET="xxx"
 
 ---
 
-## 第三步：启动并测试
+## 第 3 步：启动并测试
 
-### 1. 启动网关
+### 1. 启动 Gateway 网关
 
 ```bash
 openclaw gateway
@@ -281,74 +280,74 @@ openclaw gateway
 
 ### 2. 发送测试消息
 
-在飞书中找到您创建的机器人，发送一条消息。
+在飞书中找到你的机器人并发送一条消息。
 
-### 3. 配对授权
+### 3. 批准配对
 
-默认情况下，机器人会回复一个 **配对码**。您需要批准此代码：
+默认情况下，机器人会回复一个配对码。批准它：
 
 ```bash
-openclaw pairing approve feishu <配对码>
+openclaw pairing approve feishu <CODE>
 ```
 
-批准后即可正常对话。
+批准后，你就可以正常聊天了。
 
 ---
 
-## 介绍
+## 概览
 
-- **飞书机器人渠道**：由网关管理的飞书机器人
-- **确定性路由**：回复始终返回飞书，模型不会选择渠道
-- **会话隔离**：私聊共享主会话；群组独立隔离
-- **WebSocket 连接**：使用飞书 SDK 的长连接模式，无需公网 URL
+- **飞书机器人渠道**：由 Gateway 网关管理的飞书机器人
+- **确定性路由**：回复始终返回到飞书
+- **会话隔离**：私信共享主会话；群组彼此隔离
+- **WebSocket 连接**：通过飞书 SDK 建立长连接，无需公共 URL
 
 ---
 
 ## 访问控制
 
-### 私聊访问
+### 私信
 
-- **默认**：`dmPolicy: "pairing"`，陌生用户会收到配对码
+- **默认**：`dmPolicy: "pairing"`（未知用户会收到配对码）
 - **批准配对**：
-  ```bash
-  openclaw pairing list feishu      # 查看待审批列表
-  openclaw pairing approve feishu <CODE>  # 批准
-  ```
-- **白名单模式**：通过 `channels.feishu.allowFrom` 配置允许的用户 Open ID
 
-### 群组访问
+  ```bash
+  openclaw pairing list feishu
+  openclaw pairing approve feishu <CODE>
+  ```
+
+- **Allowlist 模式**：设置 `channels.feishu.allowFrom`，填入允许的 Open ID
+
+### 群聊
 
 **1. 群组策略**（`channels.feishu.groupPolicy`）：
 
-- `"open"` = 允许群组中所有人（默认）
-- `"allowlist"` = 仅允许 `groupAllowFrom` 中的群组
-- `"disabled"` = 禁用群组消息
+- `"open"` = 允许群组中的所有人（默认）
+- `"allowlist"` = 仅允许 `groupAllowFrom`
+- `"disabled"` = 禁用群消息
 
-**2. @提及要求**（`channels.feishu.groups.<chat_id>.requireMention`）：
+**2. 提及要求**（`channels.feishu.groups.<chat_id>.requireMention`）：
 
-- `true` = 需要 @机器人才响应（默认）
-- `false` = 无需 @也响应
+- `true` = 需要 @ 提及（默认）
+- `false` = 无需提及也会回复
 
 ---
 
 ## 群组配置示例
 
-### 允许所有群组，需要 @提及（默认行为）
+### 允许所有群组，要求 @ 提及（默认）
 
 ```json5
 {
   channels: {
     feishu: {
       groupPolicy: "open",
-      // 默认 requireMention: true
+      // Default requireMention: true
     },
   },
 }
 ```
 
-### 允许所有群组，无需 @提及
-
-需要为特定群组配置：
+### 允许所有群组，无需 @ 提及
 
 ```json5
 {
@@ -369,16 +368,16 @@ openclaw pairing approve feishu <配对码>
   channels: {
     feishu: {
       groupPolicy: "allowlist",
-      // 群组 ID 格式为 oc_xxx
+      // Feishu group IDs (chat_id) look like: oc_xxx
       groupAllowFrom: ["oc_xxx", "oc_yyy"],
     },
   },
 }
 ```
 
-### 仅允许特定成员在群组中发信（发送者白名单）
+### 限制哪些发送者可以在群组中发消息（发送者 allowlist）
 
-除群组白名单外，该群组内**所有消息**均按发送者 open_id 校验：仅 `groups.<chat_id>.allowFrom` 中列出的用户消息会被处理，其他成员的消息会被忽略（此为发送者级白名单，不仅针对 /reset、/new 等控制命令）。
+除了允许群组本身外，该群组中的**所有消息**还会按发送者 `open_id` 进行限制：只有列在 `groups.<chat_id>.allowFrom` 中的用户，其消息才会被处理；其他成员发送的消息会被忽略（这是完整的发送者级限制，而不只是对 `/reset` 或 `/new` 等控制命令生效）。
 
 ```json5
 {
@@ -388,7 +387,7 @@ openclaw pairing approve feishu <配对码>
       groupAllowFrom: ["oc_xxx"],
       groups: {
         oc_xxx: {
-          // 用户 open_id 格式为 ou_xxx
+          // Feishu user IDs (open_id) look like: ou_xxx
           allowFrom: ["ou_user1", "ou_user2"],
         },
       },
@@ -401,29 +400,31 @@ openclaw pairing approve feishu <配对码>
 
 ## 获取群组/用户 ID
 
-### 获取群组 ID（chat_id）
+### 群组 ID（`chat_id`）
 
-群组 ID 格式为 `oc_xxx`，可以通过以下方式获取：
+群组 ID 看起来像 `oc_xxx`。
 
-**方法一**（推荐）：
+**方法 1（推荐）**
 
-1. 启动网关并在群组中 @机器人发消息
-2. 运行 `openclaw logs --follow` 查看日志中的 `chat_id`
+1. 启动 Gateway 网关并在群里 @ 提及机器人
+2. 运行 `openclaw logs --follow` 并查找 `chat_id`
 
-**方法二**：
-使用飞书 API 调试工具获取机器人所在群组列表。
+**方法 2**
 
-### 获取用户 ID（open_id）
+使用飞书 API 调试器列出群聊。
 
-用户 ID 格式为 `ou_xxx`，可以通过以下方式获取：
+### 用户 ID（`open_id`）
 
-**方法一**（推荐）：
+用户 ID 看起来像 `ou_xxx`。
 
-1. 启动网关并给机器人发消息
-2. 运行 `openclaw logs --follow` 查看日志中的 `open_id`
+**方法 1（推荐）**
 
-**方法二**：
-查看配对请求列表，其中包含用户的 Open ID：
+1. 启动 Gateway 网关并向机器人发送私信
+2. 运行 `openclaw logs --follow` 并查找 `open_id`
+
+**方法 2**
+
+检查配对请求中的用户 Open ID：
 
 ```bash
 openclaw pairing list feishu
@@ -433,65 +434,61 @@ openclaw pairing list feishu
 
 ## 常用命令
 
-| 命令      | 说明           |
+| Command   | Description    |
 | --------- | -------------- |
-| `/status` | 查看机器人状态 |
-| `/reset`  | 重置对话会话   |
-| `/model`  | 查看/切换模型  |
+| `/status` | 显示机器人状态 |
+| `/reset`  | 重置会话       |
+| `/model`  | 显示/切换模型  |
 
-飞书机器人菜单建议直接在飞书开放平台的机器人能力页面配置。OpenClaw 当前支持接收 `application.bot.menu_v6` 事件，并把点击事件转换成普通文本命令（例如 `/menu <eventKey>`）继续走现有消息路由，但不通过渠道配置自动创建或同步菜单。
+> 注意：飞书暂不支持原生命令菜单，因此命令必须以文本形式发送。
 
-## 网关管理命令
+## Gateway 网关管理命令
 
-在配置和使用飞书渠道时，您可能需要使用以下网关管理命令：
-
-| 命令                       | 说明              |
-| -------------------------- | ----------------- |
-| `openclaw gateway status`  | 查看网关运行状态  |
-| `openclaw gateway install` | 安装/启动网关服务 |
-| `openclaw gateway stop`    | 停止网关服务      |
-| `openclaw gateway restart` | 重启网关服务      |
-| `openclaw logs --follow`   | 实时查看日志输出  |
+| Command                    | Description                |
+| -------------------------- | -------------------------- |
+| `openclaw gateway status`  | 显示 Gateway 网关状态      |
+| `openclaw gateway install` | 安装/启动 Gateway 网关服务 |
+| `openclaw gateway stop`    | 停止 Gateway 网关服务      |
+| `openclaw gateway restart` | 重启 Gateway 网关服务      |
+| `openclaw logs --follow`   | 跟踪 Gateway 网关日志      |
 
 ---
 
 ## 故障排除
 
-### 机器人在群组中不响应
+### 机器人在群聊中没有响应
 
-1. 检查机器人是否已添加到群组
-2. 检查是否 @了机器人（默认需要 @提及）
-3. 检查 `groupPolicy` 是否为 `"disabled"`
-4. 查看日志：`openclaw logs --follow`
+1. 确保机器人已加入群组
+2. 确保你 @ 提及了机器人（默认行为）
+3. 检查 `groupPolicy` 未设置为 `"disabled"`
+4. 检查日志：`openclaw logs --follow`
 
-### 机器人收不到消息
+### 机器人未接收到消息
 
-1. 检查应用是否已发布并审批通过
-2. 检查事件订阅是否配置正确（`im.message.receive_v1`）
-3. 检查是否选择了 **长连接** 模式
-4. 检查应用权限是否完整
-5. 检查网关是否正在运行：`openclaw gateway status`
-6. 查看实时日志：`openclaw logs --follow`
+1. 确保应用已发布并获批准
+2. 确保事件订阅包含 `im.message.receive_v1`
+3. 确保已启用**长连接**
+4. 确保应用权限完整
+5. 确保 Gateway 网关正在运行：`openclaw gateway status`
+6. 检查日志：`openclaw logs --follow`
 
-### App Secret 泄露怎么办
+### App Secret 泄露
 
-1. 在飞书开放平台重置 App Secret
-2. 更新配置文件中的 App Secret
-3. 重启网关
+1. 在飞书开放平台中重置 App Secret
+2. 在你的配置中更新 App Secret
+3. 重启 Gateway 网关
 
-### 发送消息失败
+### 消息发送失败
 
-1. 检查应用是否有 `im:message:send_as_bot` 权限
-2. 检查应用是否已发布
-3. 查看日志获取详细错误信息
+1. 确保应用具有 `im:message:send_as_bot` 权限
+2. 确保应用已发布
+3. 查看日志以获取详细错误信息
 
 ---
 
 ## 高级配置
 
-### 多账号配置
-
-如果需要管理多个飞书机器人，可配置 `defaultAccount` 指定出站未显式指定 `accountId` 时使用的账号：
+### 多账户
 
 ```json5
 {
@@ -502,13 +499,13 @@ openclaw pairing list feishu
         main: {
           appId: "cli_xxx",
           appSecret: "xxx",
-          botName: "主机器人",
+          botName: "Primary bot",
         },
         backup: {
           appId: "cli_yyy",
           appSecret: "yyy",
-          botName: "备用机器人",
-          enabled: false, // 暂时禁用
+          botName: "Backup bot",
+          enabled: false,
         },
       },
     },
@@ -516,104 +513,102 @@ openclaw pairing list feishu
 }
 ```
 
+`defaultAccount` 用于控制当出站 API 未显式指定 `accountId` 时，使用哪个飞书账户。
+
 ### 消息限制
 
-- `textChunkLimit`：出站文本分块大小（默认 2000 字符）
-- `mediaMaxMb`：媒体上传/下载限制（默认 30MB）
+- `textChunkLimit`：出站文本分块大小（默认：2000 个字符）
+- `mediaMaxMb`：媒体上传/下载限制（默认：30 MB）
 
-### 流式输出
+### 流式传输
 
-飞书支持通过交互式卡片实现流式输出，机器人会实时更新卡片内容显示生成进度。默认配置：
+飞书通过交互式卡片支持流式回复。启用后，机器人会在生成文本时更新卡片。
 
 ```json5
 {
   channels: {
     feishu: {
       streaming: true, // 启用流式卡片输出（默认 true）
-      blockStreamingCoalesce: {
-        enabled: true,
-        minDelayMs: 50,
-        maxDelayMs: 250,
-      },
+      blockStreaming: true, // 启用分块流式传输（默认 true）
     },
   },
 }
 ```
 
-如需禁用流式输出（等待完整回复后一次性发送），可设置 `streaming: false`。
+将 `streaming: false` 设为等待完整回复生成后再发送。
 
-### 交互式卡片
+### ACP 会话
 
-OpenClaw 默认会在需要时发送 Markdown 卡片；如果你需要完整的 Feishu 原生交互式卡片，也可以显式发送原始 `card` payload。
+飞书支持以下 ACP 场景：
 
-- 默认路径：文本自动渲染或 Markdown 卡片
-- 显式卡片：通过消息动作的 `card` 参数发送原始交互卡片
-- 更新卡片：同一消息支持后续 patch/update
+- 私信
+- 群组话题会话
 
-卡片按钮回调当前走文本回退路径：
+飞书 ACP 由文本命令驱动。没有原生斜杠命令菜单，因此请直接在会话中使用 `/acp ...` 消息。
 
-- 若 `action.value.text` 存在，则作为入站文本继续处理
-- 若 `action.value.command` 存在，则作为命令文本继续处理
-- 其他对象值会序列化为 JSON 文本
+#### 持久化 ACP 绑定
 
-这样可以保持与现有消息/命令路由兼容，而不要求下游先理解 Feishu 专有的交互 payload。
-
-### 表情反应
-
-飞书渠道现已完整支持表情反应生命周期：
-
-- 接收 `reaction created`
-- 接收 `reaction deleted`
-- 主动添加反应
-- 主动删除自身反应
-- 查询消息上的反应列表
-
-是否把入站反应转成内部消息，可通过 `reactionNotifications` 控制：
-
-| 值    | 行为                         |
-| ----- | ---------------------------- |
-| `off` | 不生成反应通知               |
-| `own` | 仅当反应发生在机器人消息上时 |
-| `all` | 所有可验证的反应都生成通知   |
-
-### 消息引用
-
-在群聊中，机器人的回复可以引用用户发送的原始消息，让对话上下文更加清晰。
-
-配置选项：
+使用顶层类型化 ACP 绑定，将飞书私信或话题会话固定到持久化 ACP 会话。
 
 ```json5
 {
-  channels: {
-    feishu: {
-      // 账户级别配置（默认 "all"）
-      replyToMode: "all",
-      groups: {
-        oc_xxx: {
-          // 特定群组可以覆盖
-          replyToMode: "first",
+  agents: {
+    list: [
+      {
+        id: "codex",
+        runtime: {
+          type: "acp",
+          acp: {
+            agent: "codex",
+            backend: "acpx",
+            mode: "persistent",
+            cwd: "/workspace/openclaw",
+          },
         },
       },
-    },
+    ],
   },
+  bindings: [
+    {
+      type: "acp",
+      agentId: "codex",
+      match: {
+        channel: "feishu",
+        accountId: "default",
+        peer: { kind: "direct", id: "ou_1234567890" },
+      },
+    },
+    {
+      type: "acp",
+      agentId: "codex",
+      match: {
+        channel: "feishu",
+        accountId: "default",
+        peer: { kind: "group", id: "oc_group_chat:topic:om_topic_root" },
+      },
+      acp: { label: "codex-feishu-topic" },
+    },
+  ],
 }
 ```
 
-`replyToMode` 值说明：
+#### 从聊天中按线程绑定 ACP 生成
 
-| 值        | 行为                               |
-| --------- | ---------------------------------- |
-| `"off"`   | 不引用原消息（私聊默认值）         |
-| `"first"` | 仅在第一条回复时引用原消息         |
-| `"all"`   | 所有回复都引用原消息（群聊默认值） |
+在飞书私信或话题会话中，你可以就地生成并绑定一个 ACP 会话：
 
-> 注意：消息引用功能与流式卡片输出（`streaming: true`）不能同时使用。当启用流式输出时，回复会以卡片形式呈现，不会显示引用。
+```text
+/acp spawn codex --thread here
+```
 
-### 多 Agent 路由
+说明：
 
-通过 `bindings` 配置，您可以用一个飞书机器人对接多个不同功能或性格的 Agent。系统会根据用户 ID 或群组 ID 自动将对话分发到对应的 Agent。
+- `--thread here` 适用于私信和飞书话题。
+- 绑定后的私信/话题中的后续消息会直接路由到该 ACP 会话。
+- v1 不支持针对通用的非话题群聊。
 
-配置示例：
+### 多智能体路由
+
+使用 `bindings` 将飞书私信或群组路由到不同的智能体。
 
 ```json5
 {
@@ -634,91 +629,81 @@ OpenClaw 默认会在需要时发送 Markdown 卡片；如果你需要完整的
   },
   bindings: [
     {
-      // 用户 A 的私聊 → main agent
       agentId: "main",
       match: {
         channel: "feishu",
-        peer: { kind: "dm", id: "ou_28b31a88..." },
+        peer: { kind: "direct", id: "ou_xxx" },
       },
     },
     {
-      // 用户 B 的私聊 → clawd-fan agent
       agentId: "clawd-fan",
       match: {
         channel: "feishu",
-        peer: { kind: "dm", id: "ou_0fe6b1c9..." },
+        peer: { kind: "direct", id: "ou_yyy" },
       },
     },
     {
-      // 某个群组 → clawd-xi agent
       agentId: "clawd-xi",
       match: {
         channel: "feishu",
-        peer: { kind: "group", id: "oc_xxx..." },
+        peer: { kind: "group", id: "oc_zzz" },
       },
     },
   ],
 }
 ```
 
-匹配规则说明：
+路由字段：
 
-| 字段              | 说明                                          |
-| ----------------- | --------------------------------------------- |
-| `agentId`         | 目标 Agent 的 ID，需要在 `agents.list` 中定义 |
-| `match.channel`   | 渠道类型，这里固定为 `"feishu"`               |
-| `match.peer.kind` | 对话类型：`"dm"`（私聊）或 `"group"`（群组）  |
-| `match.peer.id`   | 用户 Open ID（`ou_xxx`）或群组 ID（`oc_xxx`） |
+- `match.channel`：`"feishu"`
+- `match.peer.kind`：`"direct"` 或 `"group"`
+- `match.peer.id`：用户 Open ID（`ou_xxx`）或群组 ID（`oc_xxx`）
 
-> 获取 ID 的方法：参见上文 [获取群组/用户 ID](#获取群组用户-id) 章节。
+查找提示请参见 [获取群组/用户 ID](#get-groupuser-ids)。
 
 ---
 
 ## 配置参考
 
-完整配置请参考：[网关配置](/gateway/configuration)
+完整配置：[Gateway 网关配置](/gateway/configuration)
 
-主要选项：
+关键选项：
 
-| 配置项                                            | 说明                              | 默认值           |
-| ------------------------------------------------- | --------------------------------- | ---------------- |
-| `channels.feishu.enabled`                         | 启用/禁用渠道                     | `true`           |
-| `channels.feishu.domain`                          | API 域名（`feishu` 或 `lark`）    | `feishu`         |
-| `channels.feishu.connectionMode`                  | 事件传输模式（websocket/webhook） | `websocket`      |
-| `channels.feishu.defaultAccount`                  | 出站路由默认账号 ID               | `default`        |
-| `channels.feishu.verificationToken`               | Webhook 模式必填                  | -                |
-| `channels.feishu.webhookPath`                     | Webhook 路由路径                  | `/feishu/events` |
-| `channels.feishu.webhookHost`                     | Webhook 监听地址                  | `127.0.0.1`      |
-| `channels.feishu.webhookPort`                     | Webhook 监听端口                  | `3000`           |
-| `channels.feishu.accounts.<id>.appId`             | 应用 App ID                       | -                |
-| `channels.feishu.accounts.<id>.appSecret`         | 应用 App Secret                   | -                |
-| `channels.feishu.accounts.<id>.domain`            | 单账号 API 域名覆盖               | `feishu`         |
-| `channels.feishu.dmPolicy`                        | 私聊策略                          | `pairing`        |
-| `channels.feishu.allowFrom`                       | 私聊白名单（open_id 列表）        | -                |
-| `channels.feishu.groupPolicy`                     | 群组策略                          | `allowlist`      |
-| `channels.feishu.groupAllowFrom`                  | 群组白名单                        | -                |
-| `channels.feishu.groups.<chat_id>.requireMention` | 是否需要 @提及                    | `true`           |
-| `channels.feishu.groups.<chat_id>.enabled`        | 是否启用该群组                    | `true`           |
-| `channels.feishu.replyInThread`                   | 群聊回复是否进入飞书话题线程      | `disabled`       |
-| `channels.feishu.groupSessionScope`               | 群聊会话隔离粒度                  | `group`          |
-| `channels.feishu.textChunkLimit`                  | 消息分块大小                      | `2000`           |
-| `channels.feishu.mediaMaxMb`                      | 媒体大小限制                      | `30`             |
-| `channels.feishu.streaming`                       | 启用流式卡片输出                  | `true`           |
-| `channels.feishu.blockStreamingCoalesce.enabled`  | 启用块级流式合并                  | `true`           |
-| `channels.feishu.typingIndicator`                 | 发送“正在输入”状态                | `true`           |
-| `channels.feishu.resolveSenderNames`              | 拉取发送者名称                    | `true`           |
-| `channels.feishu.reactionNotifications`           | 入站反应通知策略                  | `own`            |
+| Setting                                           | Description                      | Default          |
+| ------------------------------------------------- | -------------------------------- | ---------------- |
+| `channels.feishu.enabled`                         | 启用/禁用渠道                    | `true`           |
+| `channels.feishu.domain`                          | API 域名（`feishu` 或 `lark`）   | `feishu`         |
+| `channels.feishu.connectionMode`                  | 事件传输模式                     | `websocket`      |
+| `channels.feishu.defaultAccount`                  | 出站路由的默认账户 ID            | `default`        |
+| `channels.feishu.verificationToken`               | webhook 模式必填                 | -                |
+| `channels.feishu.encryptKey`                      | webhook 模式必填                 | -                |
+| `channels.feishu.webhookPath`                     | webhook 路由路径                 | `/feishu/events` |
+| `channels.feishu.webhookHost`                     | webhook 绑定主机                 | `127.0.0.1`      |
+| `channels.feishu.webhookPort`                     | webhook 绑定端口                 | `3000`           |
+| `channels.feishu.accounts.<id>.appId`             | App ID                           | -                |
+| `channels.feishu.accounts.<id>.appSecret`         | App Secret                       | -                |
+| `channels.feishu.accounts.<id>.domain`            | 按账户覆盖 API 域名              | `feishu`         |
+| `channels.feishu.dmPolicy`                        | 私信策略                         | `pairing`        |
+| `channels.feishu.allowFrom`                       | 私信 allowlist（`open_id` 列表） | -                |
+| `channels.feishu.groupPolicy`                     | 群组策略                         | `open`           |
+| `channels.feishu.groupAllowFrom`                  | 群组 allowlist                   | -                |
+| `channels.feishu.groups.<chat_id>.requireMention` | 要求 @ 提及                      | `true`           |
+| `channels.feishu.groups.<chat_id>.enabled`        | 启用群组                         | `true`           |
+| `channels.feishu.textChunkLimit`                  | 消息分块大小                     | `2000`           |
+| `channels.feishu.mediaMaxMb`                      | 媒体大小限制                     | `30`             |
+| `channels.feishu.streaming`                       | 启用流式卡片输出                 | `true`           |
+| `channels.feishu.blockStreaming`                  | 启用分块流式传输                 | `true`           |
 
 ---
 
-## dmPolicy 策略说明
+## dmPolicy 参考
 
-| 值            | 行为                                               |
-| ------------- | -------------------------------------------------- |
-| `"pairing"`   | **默认**。未知用户收到配对码，管理员批准后才能对话 |
-| `"allowlist"` | 仅 `allowFrom` 列表中的用户可对话，其他静默忽略    |
-| `"open"`      | 允许所有人对话（需在 allowFrom 中加 `"*"`）        |
-| `"disabled"`  | 完全禁止私聊                                       |
+| Value         | Behavior                                             |
+| ------------- | ---------------------------------------------------- |
+| `"pairing"`   | **默认。**未知用户会收到配对码；必须获批准后才能使用 |
+| `"allowlist"` | 只有 `allowFrom` 中的用户可以聊天                    |
+| `"open"`      | 允许所有用户（要求 `allowFrom` 中有 `"*"`）          |
+| `"disabled"`  | 禁用私信                                             |
 
 ---
 
@@ -726,17 +711,17 @@ OpenClaw 默认会在需要时发送 Markdown 卡片；如果你需要完整的
 
 ### 接收
 
-- ✅ 文本消息
-- ✅ 富文本（帖子）
+- ✅ 文本
+- ✅ 富文本（post）
 - ✅ 图片
 - ✅ 文件
 - ✅ 音频
 - ✅ 视频
-- ✅ 表情包
+- ✅ 贴纸
 
 ### 发送
 
-- ✅ 文本消息
+- ✅ 文本
 - ✅ 图片
 - ✅ 文件
 - ✅ 音频
diff --git a/docs/zh-CN/channels/nostr.md b/docs/zh-CN/channels/nostr.md
index 7d0359ce21d..47efa40aedf 100644
--- a/docs/zh-CN/channels/nostr.md
+++ b/docs/zh-CN/channels/nostr.md
@@ -1,14 +1,14 @@
 ---
 read_when:
-  - 你希望 OpenClaw 通过 Nostr 接收私信
-  - 你正在设置去中心化消息
-summary: 通过 NIP-04 加密消息的 Nostr 私信渠道
+  - 你想让 OpenClaw 通过 Nostr 接收私信
+  - 你正在设置去中心化消息传递
+summary: 通过 NIP-04 加密消息实现的 Nostr 私信渠道
 title: Nostr
 x-i18n:
-  generated_at: "2026-02-03T07:44:13Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 6b9fe4c74bf5e7c0f59bbaa129ec5270fd29a248551a8a9a7dde6cff8fb46111
+  generated_at: "2026-03-16T06:20:37Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: fcce57da49256971420c4bb099aebb7944f8c7e8619b17b163da685add225001
   source_path: channels/nostr.md
   workflow: 15
 ---
@@ -17,21 +17,21 @@ x-i18n:
 
 **状态：** 可选插件（默认禁用）。
 
-Nostr 是一个去中心化的社交网络协议。此渠道使 OpenClaw 能够通过 NIP-04 接收和回复加密私信（DMs）。
+Nostr 是一种用于社交网络的去中心化协议。此渠道使 OpenClaw 能够通过 NIP-04 接收并回复加密私信。
 
 ## 安装（按需）
 
 ### 新手引导（推荐）
 
-- 新手引导向导（`openclaw onboard`）和 `openclaw channels add` 会列出可选的渠道插件。
-- 选择 Nostr 会提示你按需安装插件。
+- 设置向导（`openclaw onboard`）和 `openclaw channels add` 会列出可选渠道插件。
+- 选择 Nostr 时，系统会提示你按需安装该插件。
 
-安装默认值：
+安装默认行为：
 
-- **Dev 渠道 + git checkout 可用：** 使用本地插件路径。
-- **Stable/Beta：** 从 npm 下载。
+- **Dev 渠道 + 可用的 git 检出：** 使用本地插件路径。
+- **稳定版 / Beta：** 从 npm 下载。
 
-你可以随时在提示中覆盖选择。
+你始终可以在提示中覆盖该选择。
 
 ### 手动安装
 
@@ -39,24 +39,33 @@ Nostr 是一个去中心化的社交网络协议。此渠道使 OpenClaw 能够
 openclaw plugins install @openclaw/nostr
 ```
 
-使用本地 checkout（开发工作流）：
+使用本地检出（dev 工作流）：
 
 ```bash
 openclaw plugins install --link <path-to-openclaw>/extensions/nostr
 ```
 
-安装或启用插件后重启 Gateway 网关。
+安装或启用插件后，重启 Gateway 网关。
+
+### 非交互式设置
+
+```bash
+openclaw channels add --channel nostr --private-key "$NOSTR_PRIVATE_KEY"
+openclaw channels add --channel nostr --private-key "$NOSTR_PRIVATE_KEY" --relay-urls "wss://relay.damus.io,wss://relay.primal.net"
+```
+
+使用 `--use-env` 可将 `NOSTR_PRIVATE_KEY` 保留在环境中，而不是将密钥存储在配置里。
 
 ## 快速设置
 
-1. 生成 Nostr 密钥对（如需要）：
+1. 生成一个 Nostr 密钥对（如有需要）：
 
 ```bash
-# 使用 nak
+# Using nak
 nak key generate
 ```
 
-2. 添加到配置：
+2. 添加到配置中：
 
 ```json
 {
@@ -78,19 +87,19 @@ export NOSTR_PRIVATE_KEY="nsec1..."
 
 ## 配置参考
 
-| 键           | 类型     | 默认值                                      | 描述                        |
+| 键           | 类型     | 默认值                                      | 说明                        |
 | ------------ | -------- | ------------------------------------------- | --------------------------- |
 | `privateKey` | string   | 必填                                        | `nsec` 或十六进制格式的私钥 |
 | `relays`     | string[] | `['wss://relay.damus.io', 'wss://nos.lol']` | 中继 URL（WebSocket）       |
 | `dmPolicy`   | string   | `pairing`                                   | 私信访问策略                |
-| `allowFrom`  | string[] | `[]`                                        | 允许的发送者公钥            |
-| `enabled`    | boolean  | `true`                                      | 启用/禁用渠道               |
+| `allowFrom`  | string[] | `[]`                                        | 允许的发送方公钥            |
+| `enabled`    | boolean  | `true`                                      | 启用 / 禁用渠道             |
 | `name`       | string   | -                                           | 显示名称                    |
-| `profile`    | object   | -                                           | NIP-01 个人资料元数据       |
+| `profile`    | object   | -                                           | NIP-01 资料元数据           |
 
-## 个人资料元数据
+## 资料元数据
 
-个人资料数据作为 NIP-01 `kind:0` 事件发布。你可以从控制界面（Channels -> Nostr -> Profile）管理它，或直接在配置中设置。
+资料数据会作为 NIP-01 `kind:0` 事件发布。你可以在控制 UI 中管理它（Channels -> Nostr -> Profile），也可以直接在配置中设置。
 
 示例：
 
@@ -114,19 +123,19 @@ export NOSTR_PRIVATE_KEY="nsec1..."
 }
 ```
 
-注意事项：
+注意：
 
-- 个人资料 URL 必须使用 `https://`。
-- 从中继导入会合并字段并保留本地覆盖。
+- 资料 URL 必须使用 `https://`。
+- 从中继导入时会合并字段，并保留本地覆盖项。
 
 ## 访问控制
 
 ### 私信策略
 
-- **pairing**（默认）：未知发送者会收到配对码。
+- **pairing**（默认）：未知发送方会收到一个配对码。
 - **allowlist**：只有 `allowFrom` 中的公钥可以发送私信。
-- **open**：公开接收私信（需要 `allowFrom: ["*"]`）。
-- **disabled**：忽略接收的私信。
+- **open**：公开接收入站私信（要求 `allowFrom: ["*"]`）。
+- **disabled**：忽略入站私信。
 
 ### 允许列表示例
 
@@ -166,26 +175,26 @@ export NOSTR_PRIVATE_KEY="nsec1..."
 
 提示：
 
-- 使用 2-3 个中继以实现冗余。
+- 使用 2 到 3 个中继以实现冗余。
 - 避免使用过多中继（延迟、重复）。
 - 付费中继可以提高可靠性。
-- 本地中继适合测试（`ws://localhost:7777`）。
+- 本地中继也适合测试（`ws://localhost:7777`）。
 
 ## 协议支持
 
-| NIP    | 状态   | 描述                          |
-| ------ | ------ | ----------------------------- |
-| NIP-01 | 已支持 | 基本事件格式 + 个人资料元数据 |
-| NIP-04 | 已支持 | 加密私信（`kind:4`）          |
-| NIP-17 | 计划中 | 礼物包装私信                  |
-| NIP-44 | 计划中 | 版本化加密                    |
+| NIP    | 状态   | 说明                      |
+| ------ | ------ | ------------------------- |
+| NIP-01 | 已支持 | 基础事件格式 + 资料元数据 |
+| NIP-04 | 已支持 | 加密私信（`kind:4`）      |
+| NIP-17 | 计划中 | Gift-wrapped 私信         |
+| NIP-44 | 计划中 | 版本化加密                |
 
 ## 测试
 
 ### 本地中继
 
 ```bash
-# 启动 strfry
+# Start strfry
 docker run -p 7777:7777 ghcr.io/hoytech/strfry
 ```
 
@@ -203,38 +212,38 @@ docker run -p 7777:7777 ghcr.io/hoytech/strfry
 ### 手动测试
 
 1. 从日志中记下机器人公钥（npub）。
-2. 打开 Nostr 客户端（Damus、Amethyst 等）。
-3. 向机器人公钥发送私信。
-4. 验证响应。
+2. 打开一个 Nostr 客户端（Damus、Amethyst 等）。
+3. 向该机器人公钥发送私信。
+4. 验证回复。
 
 ## 故障排除
 
-### 未收到消息
+### 未接收到消息
 
-- 验证私钥是否有效。
-- 确保中继 URL 可访问并使用 `wss://`（本地使用 `ws://`）。
+- 验证私钥有效。
+- 确保中继 URL 可访问，并使用 `wss://`（本地则使用 `ws://`）。
 - 确认 `enabled` 不是 `false`。
 - 检查 Gateway 网关日志中的中继连接错误。
 
-### 未发送响应
+### 未发送回复
 
 - 检查中继是否接受写入。
-- 验证出站连接。
+- 验证出站连接性。
 - 注意中继速率限制。
 
-### 重复响应
+### 重复回复
 
-- 使用多个中继时属于正常现象。
-- 消息按事件 ID 去重；只有首次投递会触发响应。
+- 使用多个中继时这是预期行为。
+- 消息会按事件 ID 去重；只有首次投递会触发回复。
 
-## 安全
+## 安全性
 
 - 切勿提交私钥。
-- 使用环境变量存储密钥。
-- 生产环境机器人考虑使用 `allowlist`。
+- 对密钥使用环境变量。
+- 对生产机器人考虑使用 `allowlist`。
 
 ## 限制（MVP）
 
 - 仅支持私信（不支持群聊）。
 - 不支持媒体附件。
-- 仅支持 NIP-04（计划支持 NIP-17 礼物包装）。
+- 仅支持 NIP-04（计划支持 NIP-17 gift-wrap）。
diff --git a/docs/zh-CN/channels/synology-chat.md b/docs/zh-CN/channels/synology-chat.md
new file mode 100644
index 00000000000..4323e5d12d7
--- /dev/null
+++ b/docs/zh-CN/channels/synology-chat.md
@@ -0,0 +1,138 @@
+---
+read_when:
+  - 设置 OpenClaw 与 Synology Chat
+  - 调试 Synology Chat webhook 路由
+summary: Synology Chat webhook 设置与 OpenClaw 配置
+title: Synology Chat
+x-i18n:
+  generated_at: "2026-03-16T06:20:51Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 7d77598ea759f89873a1edf0a3a7e7fedc1e4a7067709aaca6b999056a89eb1a
+  source_path: channels/synology-chat.md
+  workflow: 15
+---
+
+# Synology Chat（插件）
+
+状态：通过插件支持，作为使用 Synology Chat webhook 的私信渠道。
+该插件接受来自 Synology Chat 出站 webhook 的入站消息，并通过 Synology Chat 入站 webhook 发送回复。
+
+## 需要插件
+
+Synology Chat 基于插件，不属于默认的核心渠道安装内容。
+
+从本地检出安装：
+
+```bash
+openclaw plugins install ./extensions/synology-chat
+```
+
+详情：[插件](/tools/plugin)
+
+## 快速设置
+
+1. 安装并启用 Synology Chat 插件。
+   - `openclaw onboard` 现在会在与 `openclaw channels add` 相同的渠道设置列表中显示 Synology Chat。
+   - 非交互式设置：`openclaw channels add --channel synology-chat --token <token> --url <incoming-webhook-url>`
+2. 在 Synology Chat 集成中：
+   - 创建一个入站 webhook 并复制其 URL。
+   - 使用你的 secret token 创建一个出站 webhook。
+3. 将出站 webhook URL 指向你的 OpenClaw Gateway 网关：
+   - 默认是 `https://gateway-host/webhook/synology`。
+   - 或者使用你自定义的 `channels.synology-chat.webhookPath`。
+4. 在 OpenClaw 中完成设置。
+   - 引导式：`openclaw onboard`
+   - 直接设置：`openclaw channels add --channel synology-chat --token <token> --url <incoming-webhook-url>`
+5. 重启 Gateway 网关，并向 Synology Chat 机器人发送一条私信。
+
+最小配置：
+
+```json5
+{
+  channels: {
+    "synology-chat": {
+      enabled: true,
+      token: "synology-outgoing-token",
+      incomingUrl: "https://nas.example.com/webapi/entry.cgi?api=SYNO.Chat.External&method=incoming&version=2&token=...",
+      webhookPath: "/webhook/synology",
+      dmPolicy: "allowlist",
+      allowedUserIds: ["123456"],
+      rateLimitPerMinute: 30,
+      allowInsecureSsl: false,
+    },
+  },
+}
+```
+
+## 环境变量
+
+对于默认账户，你可以使用环境变量：
+
+- `SYNOLOGY_CHAT_TOKEN`
+- `SYNOLOGY_CHAT_INCOMING_URL`
+- `SYNOLOGY_NAS_HOST`
+- `SYNOLOGY_ALLOWED_USER_IDS`（逗号分隔）
+- `SYNOLOGY_RATE_LIMIT`
+- `OPENCLAW_BOT_NAME`
+
+配置值会覆盖环境变量。
+
+## 私信策略与访问控制
+
+- 推荐的默认值是 `dmPolicy: "allowlist"`。
+- `allowedUserIds` 接受 Synology 用户 ID 列表（或逗号分隔字符串）。
+- 在 `allowlist` 模式下，空的 `allowedUserIds` 列表会被视为配置错误，webhook 路由将不会启动（如需允许所有人，请使用 `dmPolicy: "open"`）。
+- `dmPolicy: "open"` 允许任何发送方。
+- `dmPolicy: "disabled"` 会阻止私信。
+- 配对批准可配合以下命令使用：
+  - `openclaw pairing list synology-chat`
+  - `openclaw pairing approve synology-chat <CODE>`
+
+## 出站投递
+
+使用数字形式的 Synology Chat 用户 ID 作为目标。
+
+示例：
+
+```bash
+openclaw message send --channel synology-chat --target 123456 --text "Hello from OpenClaw"
+openclaw message send --channel synology-chat --target synology-chat:123456 --text "Hello again"
+```
+
+支持通过基于 URL 的文件投递发送媒体。
+
+## 多账户
+
+支持在 `channels.synology-chat.accounts` 下配置多个 Synology Chat 账户。
+每个账户都可以覆盖 token、入站 URL、webhook 路径、私信策略和限制。
+
+```json5
+{
+  channels: {
+    "synology-chat": {
+      enabled: true,
+      accounts: {
+        default: {
+          token: "token-a",
+          incomingUrl: "https://nas-a.example.com/...token=...",
+        },
+        alerts: {
+          token: "token-b",
+          incomingUrl: "https://nas-b.example.com/...token=...",
+          webhookPath: "/webhook/synology-alerts",
+          dmPolicy: "allowlist",
+          allowedUserIds: ["987654"],
+        },
+      },
+    },
+  },
+}
+```
+
+## 安全说明
+
+- 妥善保管 `token`，如果泄露请轮换。
+- 除非你明确可信任本地 NAS 的自签名证书，否则请保持 `allowInsecureSsl: false`。
+- 入站 webhook 请求会按 token 验证，并按发送方进行速率限制。
+- 生产环境优先使用 `dmPolicy: "allowlist"`。
diff --git a/docs/zh-CN/cli/index.md b/docs/zh-CN/cli/index.md
index c22fad5c4b4..46be3ef8ab1 100644
--- a/docs/zh-CN/cli/index.md
+++ b/docs/zh-CN/cli/index.md
@@ -1,14 +1,14 @@
 ---
 read_when:
-  - 添加或修改 CLI 命令或选项
-  - 为新命令界面编写文档
-summary: OpenClaw `openclaw` 命令、子命令和选项的 CLI 参考
+  - 添加或修改 CLI 命令或选项时
+  - 为新的命令界面编写文档时
+summary: "`openclaw` 命令、子命令和选项的 OpenClaw CLI 参考"
 title: CLI 参考
 x-i18n:
-  generated_at: "2026-02-03T07:47:54Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: a73923763d7b89d4b183f569d543927ffbfd1f3e02f9e66639913f6daf226850
+  generated_at: "2026-03-16T06:22:35Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: a2bca34fca64558a8d91fc640ad3880e79677e81d0f605083edc6cbe86bfba53
   source_path: cli/index.md
   workflow: 15
 ---
@@ -23,8 +23,10 @@ x-i18n:
 - [`onboard`](/cli/onboard)
 - [`configure`](/cli/configure)
 - [`config`](/cli/config)
+- [`completion`](/cli/completion)
 - [`doctor`](/cli/doctor)
 - [`dashboard`](/cli/dashboard)
+- [`backup`](/cli/backup)
 - [`reset`](/cli/reset)
 - [`uninstall`](/cli/uninstall)
 - [`update`](/cli/update)
@@ -40,6 +42,7 @@ x-i18n:
 - [`system`](/cli/system)
 - [`models`](/cli/models)
 - [`memory`](/cli/memory)
+- [`directory`](/cli/directory)
 - [`nodes`](/cli/nodes)
 - [`devices`](/cli/devices)
 - [`node`](/cli/node)
@@ -53,42 +56,46 @@ x-i18n:
 - [`hooks`](/cli/hooks)
 - [`webhooks`](/cli/webhooks)
 - [`pairing`](/cli/pairing)
+- [`qr`](/cli/qr)
 - [`plugins`](/cli/plugins)（插件命令）
 - [`channels`](/cli/channels)
 - [`security`](/cli/security)
+- [`secrets`](/cli/secrets)
 - [`skills`](/cli/skills)
+- [`daemon`](/cli/daemon)（Gateway 网关服务命令的旧别名）
+- [`clawbot`](/cli/clawbot)（旧别名命名空间）
 - [`voicecall`](/cli/voicecall)（插件；如已安装）
 
 ## 全局标志
 
-- `--dev`：将状态隔离到 `~/.openclaw-dev` 下并调整默认端口。
+- `--dev`：将状态隔离到 `~/.openclaw-dev` 下，并变更默认端口。
 - `--profile <name>`：将状态隔离到 `~/.openclaw-<name>` 下。
 - `--no-color`：禁用 ANSI 颜色。
-- `--update`：`openclaw update` 的简写（仅限源码安装）。
-- `-V`、`--version`、`-v`：打印版本并退出。
+- `--update`：`openclaw update` 的简写（仅适用于源码安装）。
+- `-V`, `--version`, `-v`：打印版本并退出。
 
 ## 输出样式
 
 - ANSI 颜色和进度指示器仅在 TTY 会话中渲染。
-- OSC-8 超链接在支持的终端中渲染为可点击链接；否则回退到纯 URL。
-- `--json`（以及支持的地方使用 `--plain`）禁用样式以获得干净输出。
-- `--no-color` 禁用 ANSI 样式；也支持 `NO_COLOR=1`。
-- 长时间运行的命令显示进度指示器（支持时使用 OSC 9;4）。
+- OSC-8 超链接会在受支持的终端中显示为可点击链接；否则会回退为纯 URL。
+- `--json`（以及在支持处的 `--plain`）会禁用样式，以获得干净输出。
+- `--no-color` 会禁用 ANSI 样式；同时也支持 `NO_COLOR=1`。
+- 长时间运行的命令会显示进度指示器（支持时使用 OSC 9;4）。
 
-## 颜色调色板
+## 调色板
 
-OpenClaw 在 CLI 输出中使用龙虾调色板。
+OpenClaw 在 CLI 输出中使用龙虾色调调色板。
 
-- `accent`（#FF5A2D）：标题、标签、主要高亮。
-- `accentBright`（#FF7A3D）：命令名称、强调。
-- `accentDim`（#D14A22）：次要高亮文本。
-- `info`（#FF8A5B）：信息性值。
-- `success`（#2FBF71）：成功状态。
-- `warn`（#FFB020）：警告、回退、注意。
-- `error`（#E23D2D）：错误、失败。
-- `muted`（#8B7F77）：弱化、元数据。
+- `accent` (#FF5A2D)：标题、标签、主要高亮。
+- `accentBright` (#FF7A3D)：命令名称、强调。
+- `accentDim` (#D14A22)：次级高亮文本。
+- `info` (#FF8A5B)：信息性值。
+- `success` (#2FBF71)：成功状态。
+- `warn` (#FFB020)：警告、回退、注意事项。
+- `error` (#E23D2D)：错误、失败。
+- `muted` (#8B7F77)：弱化显示、元数据。
 
-调色板权威来源：`src/terminal/palette.ts`（又名"lobster seam"）。
+调色板唯一来源：`src/terminal/palette.ts`（也称为 “lobster seam”）。
 
 ## 命令树
 
@@ -101,9 +108,17 @@ openclaw [--dev] [--profile <name>] <command>
     get
     set
     unset
+  completion
   doctor
+  dashboard
+  backup
+    create
+    verify
   security
     audit
+  secrets
+    reload
+    migrate
   reset
   uninstall
   update
@@ -115,6 +130,7 @@ openclaw [--dev] [--profile <name>] <command>
     remove
     login
     logout
+  directory
   skills
     list
     info
@@ -152,6 +168,13 @@ openclaw [--dev] [--profile <name>] <command>
     stop
     restart
     run
+  daemon
+    status
+    install
+    uninstall
+    start
+    stop
+    restart
   logs
   system
     event
@@ -238,49 +261,59 @@ openclaw [--dev] [--profile <name>] <command>
   pairing
     list
     approve
+  qr
+  clawbot
+    qr
   docs
   dns
     setup
   tui
 ```
 
-注意：插件可以添加额外的顶级命令（例如 `openclaw voicecall`）。
+注意：插件可以添加额外的顶层命令（例如 `openclaw voicecall`）。
 
 ## 安全
 
-- `openclaw security audit` — 审计配置 + 本地状态中常见的安全隐患。
+- `openclaw security audit` — 审计配置 + 本地状态中常见的安全陷阱。
 - `openclaw security audit --deep` — 尽力进行实时 Gateway 网关探测。
-- `openclaw security audit --fix` — 收紧安全默认值并 chmod 状态/配置。
+- `openclaw security audit --fix` — 收紧安全默认值并对状态 / 配置执行 chmod。
+
+## 密钥
+
+- `openclaw secrets reload` — 重新解析引用，并以原子方式替换运行时快照。
+- `openclaw secrets audit` — 扫描明文残留、未解析引用和优先级漂移。
+- `openclaw secrets configure` — 用于提供商设置 + SecretRef 映射 + 预检 / 应用的交互式助手。
+- `openclaw secrets apply --from <plan.json>` — 应用先前生成的计划（支持 `--dry-run`）。
 
 ## 插件
 
 管理扩展及其配置：
 
-- `openclaw plugins list` — 发现插件（使用 `--json` 获取机器可读输出）。
+- `openclaw plugins list` — 发现插件（机器输出请使用 `--json`）。
 - `openclaw plugins info <id>` — 显示插件详情。
 - `openclaw plugins install <path|.tgz|npm-spec>` — 安装插件（或将插件路径添加到 `plugins.load.paths`）。
 - `openclaw plugins enable <id>` / `disable <id>` — 切换 `plugins.entries.<id>.enabled`。
 - `openclaw plugins doctor` — 报告插件加载错误。
 
-大多数插件更改需要重启 Gateway 网关。参见 [/plugin](/tools/plugin)。
+大多数插件更改都需要重启 gateway。参见 [/plugin](/tools/plugin)。
 
-## 记忆
+## 内存
 
-对 `MEMORY.md` + `memory/*.md` 进行向量搜索：
+对 `MEMORY.md` + `memory/*.md` 执行向量搜索：
 
-- `openclaw memory status` — 显示索引统计。
-- `openclaw memory index` — 重新索引记忆文件。
-- `openclaw memory search "<query>"` — 对记忆进行语义搜索。
+- `openclaw memory status` — 显示索引统计信息。
+- `openclaw memory index` — 重新索引内存文件。
+- `openclaw memory search "<query>"`（或 `--query "<query>"`）— 对内存执行语义搜索。
 
 ## 聊天斜杠命令
 
 聊天消息支持 `/...` 命令（文本和原生）。参见 [/tools/slash-commands](/tools/slash-commands)。
 
-亮点：
+重点：
 
 - `/status` 用于快速诊断。
 - `/config` 用于持久化配置更改。
-- `/debug` 用于仅运行时的配置覆盖（内存中，不写入磁盘；需要 `commands.debug: true`）。
+- `/debug` 用于仅运行时的配置覆盖（内存中，不写磁盘；要求 `commands.debug: true`）。
 
 ## 设置 + 新手引导
 
@@ -291,32 +324,35 @@ openclaw [--dev] [--profile <name>] <command>
 选项：
 
 - `--workspace <dir>`：智能体工作区路径（默认 `~/.openclaw/workspace`）。
-- `--wizard`：运行新手引导向导。
+- `--wizard`：运行设置向导。
 - `--non-interactive`：无提示运行向导。
 - `--mode <local|remote>`：向导模式。
 - `--remote-url <url>`：远程 Gateway 网关 URL。
-- `--remote-token <token>`：远程 Gateway 网关令牌。
+- `--remote-token <token>`：远程 Gateway 网关 token。
 
-当存在任何向导标志（`--non-interactive`、`--mode`、`--remote-url`、`--remote-token`）时，向导自动运行。
+只要存在任意向导标志（`--non-interactive`, `--mode`, `--remote-url`, `--remote-token`），就会自动运行向导。
 
 ### `onboard`
 
-交互式向导，用于设置 Gateway 网关、工作区和 Skills。
+用于设置 gateway、工作区和 Skills 的交互式向导。
 
 选项：
 
 - `--workspace <dir>`
-- `--reset`（在向导之前重置配置 + 凭证 + 会话 + 工作区）
+- `--reset`（在运行向导前重置配置 + 凭据 + 会话）
+- `--reset-scope <config|config+creds+sessions|full>`（默认 `config+creds+sessions`；使用 `full` 还会删除工作区）
 - `--non-interactive`
 - `--mode <local|remote>`
-- `--flow <quickstart|advanced|manual>`（manual 是 advanced 的别名）
-- `--auth-choice <setup-token|token|chutes|openai-codex|openai-api-key|openrouter-api-key|ai-gateway-api-key|moonshot-api-key|kimi-code-api-key|synthetic-api-key|venice-api-key|gemini-api-key|zai-api-key|apiKey|minimax-api|minimax-api-lightning|opencode-zen|skip>`
-- `--token-provider <id>`（非交互式；与 `--auth-choice token` 配合使用）
-- `--token <token>`（非交互式；与 `--auth-choice token` 配合使用）
+- `--flow <quickstart|advanced|manual>`（`manual` 是 `advanced` 的别名）
+- `--auth-choice <setup-token|token|chutes|openai-codex|openai-api-key|openrouter-api-key|ollama|ai-gateway-api-key|moonshot-api-key|moonshot-api-key-cn|kimi-code-api-key|synthetic-api-key|venice-api-key|gemini-api-key|zai-api-key|mistral-api-key|apiKey|minimax-api|minimax-api-lightning|opencode-zen|opencode-go|custom-api-key|skip>`
+- `--token-provider <id>`（非交互式；与 `--auth-choice token` 一起使用）
+- `--token <token>`（非交互式；与 `--auth-choice token` 一起使用）
 - `--token-profile-id <id>`（非交互式；默认：`<provider>:manual`）
 - `--token-expires-in <duration>`（非交互式；例如 `365d`、`12h`）
+- `--secret-input-mode <plaintext|ref>`（默认 `plaintext`；使用 `ref` 可存储提供商默认环境引用，而非明文密钥）
 - `--anthropic-api-key <key>`
 - `--openai-api-key <key>`
+- `--mistral-api-key <key>`
 - `--openrouter-api-key <key>`
 - `--ai-gateway-api-key <key>`
 - `--moonshot-api-key <key>`
@@ -325,10 +361,17 @@ openclaw [--dev] [--profile <name>] <command>
 - `--zai-api-key <key>`
 - `--minimax-api-key <key>`
 - `--opencode-zen-api-key <key>`
+- `--opencode-go-api-key <key>`
+- `--custom-base-url <url>`（非交互式；与 `--auth-choice custom-api-key` 或 `--auth-choice ollama` 一起使用）
+- `--custom-model-id <id>`（非交互式；与 `--auth-choice custom-api-key` 或 `--auth-choice ollama` 一起使用）
+- `--custom-api-key <key>`（非交互式；可选；与 `--auth-choice custom-api-key` 一起使用；省略时回退到 `CUSTOM_API_KEY`）
+- `--custom-provider-id <id>`（非交互式；可选自定义提供商 id）
+- `--custom-compatibility <openai|anthropic>`（非交互式；可选；默认 `openai`）
 - `--gateway-port <port>`
 - `--gateway-bind <loopback|lan|tailnet|auto|custom>`
 - `--gateway-auth <token|password>`
 - `--gateway-token <token>`
+- `--gateway-token-ref-env <name>`（非交互式；将 `gateway.auth.token` 存储为环境 SecretRef；要求该环境变量已设置；不能与 `--gateway-token` 一起使用）
 - `--gateway-password <password>`
 - `--remote-url <url>`
 - `--remote-token <token>`
@@ -341,35 +384,39 @@ openclaw [--dev] [--profile <name>] <command>
 - `--skip-skills`
 - `--skip-health`
 - `--skip-ui`
-- `--node-manager <npm|pnpm|bun>`（推荐 pnpm；不建议将 bun 用于 Gateway 网关运行时）
+- `--node-manager <npm|pnpm|bun>`（推荐 pnpm；不推荐将 bun 用作 Gateway 网关运行时）
 - `--json`
 
 ### `configure`
 
-交互式配置向导（模型、渠道、Skills、Gateway 网关）。
+交互式配置向导（模型、渠道、Skills、gateway）。
 
 ### `config`
 
-非交互式配置辅助工具（get/set/unset）。不带子命令运行 `openclaw config` 会启动向导。
+非交互式配置助手（get/set/unset/file/validate）。直接运行 `openclaw config` 而不带
+子命令会启动向导。
 
 子命令：
 
-- `config get <path>`：打印配置值（点/括号路径）。
-- `config set <path> <value>`：设置值（JSON5 或原始字符串）。
-- `config unset <path>`：删除值。
+- `config get <path>`：打印一个配置值（点 / 方括号路径）。
+- `config set <path> <value>`：设置一个值（JSON5 或原始字符串）。
+- `config unset <path>`：移除一个值。
+- `config file`：打印当前活动配置文件路径。
+- `config validate`：根据 schema 验证当前配置，而不启动 gateway。
+- `config validate --json`：输出机器可读的 JSON。
 
 ### `doctor`
 
-健康检查 + 快速修复（配置 + Gateway 网关 + 旧版服务）。
+健康检查 + 快速修复（配置 + gateway + 旧版服务）。
 
 选项：
 
-- `--no-workspace-suggestions`：禁用工作区记忆提示。
-- `--yes`：无提示接受默认值（无头模式）。
+- `--no-workspace-suggestions`：禁用工作区内存提示。
+- `--yes`：接受默认值而不提示（无头）。
 - `--non-interactive`：跳过提示；仅应用安全迁移。
-- `--deep`：扫描系统服务以查找额外的 Gateway 网关安装。
+- `--deep`：扫描系统服务以查找额外的 gateway 安装。
 
-## 渠道辅助工具
+## 渠道助手
 
 ### `channels`
 
@@ -378,19 +425,21 @@ openclaw [--dev] [--profile <name>] <command>
 子命令：
 
 - `channels list`：显示已配置的渠道和认证配置文件。
-- `channels status`：检查 Gateway 网关可达性和渠道健康状况（`--probe` 运行额外检查；使用 `openclaw health` 或 `openclaw status --deep` 进行 Gateway 网关健康探测）。
-- 提示：`channels status` 在检测到常见配置错误时会打印带有建议修复的警告（然后指向 `openclaw doctor`）。
-- `channels logs`：显示 Gateway 网关日志文件中最近的渠道日志。
-- `channels add`：不传标志时使用向导式设置；标志切换到非交互模式。
-- `channels remove`：默认禁用；传 `--delete` 可无提示删除配置条目。
-- `channels login`：交互式渠道登录（仅限 WhatsApp Web）。
-- `channels logout`：登出渠道会话（如支持）。
+- `channels status`：检查 gateway 可达性和渠道健康状态（`--probe` 会运行额外检查；gateway 健康探测请使用 `openclaw health` 或 `openclaw status --deep`）。
+- 提示：如果能够检测到常见配置错误，`channels status` 会打印带建议修复方式的警告（随后指向 `openclaw doctor`）。
+- `channels logs`：显示 gateway 日志文件中的最近渠道日志。
+- `channels add`：未传入任何标志时为向导式设置；传入标志后切换为非交互模式。
+  - 当向仍使用单账户顶层配置的渠道添加非默认账户时，OpenClaw 会先将账户作用域值移动到 `channels.<channel>.accounts.default`，再写入新账户。
+  - 非交互式 `channels add` 不会自动创建 / 升级绑定；仅渠道绑定会继续匹配默认账户。
+- `channels remove`：默认执行禁用；传入 `--delete` 可在无提示下删除配置项。
+- `channels login`：交互式渠道登录（仅 WhatsApp Web）。
+- `channels logout`：登出某个渠道会话（如支持）。
 
 通用选项：
 
 - `--channel <name>`：`whatsapp|telegram|discord|googlechat|slack|mattermost|signal|imessage|msteams`
 - `--account <id>`：渠道账户 id（默认 `default`）
-- `--name <label>`：账户的显示名称
+- `--name <label>`：账户显示名称
 
 `channels login` 选项：
 
@@ -405,8 +454,8 @@ openclaw [--dev] [--profile <name>] <command>
 
 `channels list` 选项：
 
-- `--no-usage`：跳过模型提供商用量/配额快照（仅限 OAuth/API 支持的）。
-- `--json`：输出 JSON（除非设置 `--no-usage`，否则包含用量）。
+- `--no-usage`：跳过模型提供商用量 / 配额快照（仅 OAuth / API 支持）。
+- `--json`：输出 JSON（除非设置了 `--no-usage`，否则包含用量）。
 
 `channels logs` 选项：
 
@@ -414,7 +463,7 @@ openclaw [--dev] [--profile <name>] <command>
 - `--lines <n>`（默认 `200`）
 - `--json`
 
-更多详情：[/concepts/oauth](/concepts/oauth)
+更多细节：[/concepts/oauth](/concepts/oauth)
 
 示例：
 
@@ -428,19 +477,19 @@ openclaw status --deep
 
 ### `skills`
 
-列出和检查可用的 Skills 及就绪信息。
+列出并检查可用 Skills，以及就绪信息。
 
 子命令：
 
-- `skills list`：列出 Skills（无子命令时的默认行为）。
+- `skills list`：列出 Skills（未指定子命令时的默认行为）。
 - `skills info <name>`：显示单个 Skill 的详情。
-- `skills check`：就绪与缺失需求的摘要。
+- `skills check`：汇总已就绪与缺失的要求。
 
 选项：
 
-- `--eligible`：仅显示就绪的 Skills。
+- `--eligible`：仅显示已就绪的 Skills。
 - `--json`：输出 JSON（无样式）。
-- `-v`、`--verbose`：包含缺失需求详情。
+- `-v`, `--verbose`：包含缺失要求的详细信息。
 
 提示：使用 `npx clawhub` 搜索、安装和同步 Skills。
 
@@ -450,31 +499,46 @@ openclaw status --deep
 
 子命令：
 
-- `pairing list <channel> [--json]`
-- `pairing approve <channel> <code> [--notify]`
+- `pairing list [channel] [--channel <channel>] [--account <id>] [--json]`
+- `pairing approve <channel> <code> [--account <id>] [--notify]`
+- `pairing approve --channel <channel> [--account <id>] <code> [--notify]`
 
-### `webhooks gmail`
+### `devices`
 
-Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/automation/gmail-pubsub)。
+管理 gateway 设备配对条目和按角色划分的设备 token。
 
 子命令：
 
-- `webhooks gmail setup`（需要 `--account <email>`；支持 `--project`、`--topic`、`--subscription`、`--label`、`--hook-url`、`--hook-token`、`--push-token`、`--bind`、`--port`、`--path`、`--include-body`、`--max-bytes`、`--renew-minutes`、`--tailscale`、`--tailscale-path`、`--tailscale-target`、`--push-endpoint`、`--json`）
-- `webhooks gmail run`（相同标志的运行时覆盖）
+- `devices list [--json]`
+- `devices approve [requestId] [--latest]`
+- `devices reject <requestId>`
+- `devices remove <deviceId>`
+- `devices clear --yes [--pending]`
+- `devices rotate --device <id> --role <role> [--scope <scope...>]`
+- `devices revoke --device <id> --role <role>`
+
+### `webhooks gmail`
+
+Gmail Pub/Sub hook 设置 + 运行器。参见 [/automation/gmail-pubsub](/automation/gmail-pubsub)。
+
+子命令：
+
+- `webhooks gmail setup`（要求 `--account <email>`；支持 `--project`, `--topic`, `--subscription`, `--label`, `--hook-url`, `--hook-token`, `--push-token`, `--bind`, `--port`, `--path`, `--include-body`, `--max-bytes`, `--renew-minutes`, `--tailscale`, `--tailscale-path`, `--tailscale-target`, `--push-endpoint`, `--json`）
+- `webhooks gmail run`（对相同标志进行运行时覆盖）
 
 ### `dns setup`
 
-广域发现 DNS 辅助工具（CoreDNS + Tailscale）。参见 [/gateway/discovery](/gateway/discovery)。
+广域设备发现 DNS 助手（CoreDNS + Tailscale）。参见 [/gateway/discovery](/gateway/discovery)。
 
 选项：
 
-- `--apply`：安装/更新 CoreDNS 配置（需要 sudo；仅限 macOS）。
+- `--apply`：安装 / 更新 CoreDNS 配置（需要 sudo；仅 macOS）。
 
 ## 消息 + 智能体
 
 ### `message`
 
-统一的出站消息 + 渠道操作。
+统一的出站消息发送 + 渠道操作。
 
 参见：[/cli/message](/cli/message)
 
@@ -497,17 +561,17 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 ### `agent`
 
-通过 Gateway 网关运行一个智能体回合（或使用 `--local` 嵌入式运行）。
+通过 Gateway 网关（或 `--local` 嵌入模式）运行一次智能体轮次。
 
-必需：
+必需项：
 
 - `--message <text>`
 
 选项：
 
-- `--to <dest>`（用于会话键和可选发送）
+- `--to <dest>`（用于会话键以及可选投递）
 - `--session-id <id>`
-- `--thinking <off|minimal|low|medium|high|xhigh>`（仅限 GPT-5.2 + Codex 模型）
+- `--thinking <off|minimal|low|medium|high|xhigh>`（仅适用于 GPT-5.2 + Codex 模型）
 - `--verbose <on|full|off>`
 - `--channel <whatsapp|telegram|discord|slack|mattermost|signal|imessage|msteams>`
 - `--local`
@@ -530,7 +594,7 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 #### `agents add [name]`
 
-添加新的隔离智能体。除非传入标志（或 `--non-interactive`），否则运行引导向导；非交互模式下 `--workspace` 是必需的。
+添加一个新的隔离智能体。除非传入标志（或 `--non-interactive`），否则会运行引导式向导；在非交互模式下必须提供 `--workspace`。
 
 选项：
 
@@ -541,11 +605,41 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 - `--non-interactive`
 - `--json`
 
-绑定规范使用 `channel[:accountId]`。对于 WhatsApp，省略 `accountId` 时使用默认账户 id。
+绑定规范使用 `channel[:accountId]`。省略 `accountId` 时，OpenClaw 可能通过渠道默认值 / 插件 hook 解析账户作用域；否则这就是不带显式账户作用域的渠道绑定。
+
+#### `agents bindings`
+
+列出路由绑定。
+
+选项：
+
+- `--agent <id>`
+- `--json`
+
+#### `agents bind`
+
+为智能体添加路由绑定。
+
+选项：
+
+- `--agent <id>`
+- `--bind <channel[:accountId]>`（可重复）
+- `--json`
+
+#### `agents unbind`
+
+移除智能体的路由绑定。
+
+选项：
+
+- `--agent <id>`
+- `--bind <channel[:accountId]>`（可重复）
+- `--all`
+- `--json`
 
 #### `agents delete <id>`
 
-删除智能体并清理其工作区 + 状态。
+删除一个智能体并清理其工作区 + 状态。
 
 选项：
 
@@ -554,44 +648,44 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 ### `acp`
 
-运行连接 IDE 到 Gateway 网关的 ACP 桥接。
+运行将 IDE 连接到 Gateway 网关的 ACP 桥接器。
 
-完整选项和示例参见 [`acp`](/cli/acp)。
+完整选项和示例请参见 [`acp`](/cli/acp)。
 
 ### `status`
 
-显示关联会话健康状况和最近的收件人。
+显示已链接会话的健康状态和最近收件人。
 
 选项：
 
 - `--json`
-- `--all`（完整诊断；只读，可粘贴）
+- `--all`（完整诊断；只读、可粘贴）
 - `--deep`（探测渠道）
-- `--usage`（显示模型提供商用量/配额）
+- `--usage`（显示模型提供商用量 / 配额）
 - `--timeout <ms>`
 - `--verbose`
 - `--debug`（`--verbose` 的别名）
 
 说明：
 
-- 概览包含 Gateway 网关 + 节点主机服务状态（如可用）。
+- 概览中会在可用时包含 Gateway 网关 + node host 服务状态。
 
 ### 用量跟踪
 
-当 OAuth/API 凭证可用时，OpenClaw 可以显示提供商用量/配额。
+在 OAuth / API 凭据可用时，OpenClaw 可以显示提供商用量 / 配额。
 
-显示位置：
+展示位置：
 
-- `/status`（可用时添加简短的提供商用量行）
+- `/status`（可用时添加一行简短的提供商用量信息）
 - `openclaw status --usage`（打印完整的提供商明细）
-- macOS 菜单栏（上下文下的用量部分）
+- macOS 菜单栏（Context 下的 Usage 部分）
 
 说明：
 
-- 数据直接来自提供商用量端点（非估算）。
-- 提供商：Anthropic、GitHub Copilot、OpenAI Codex OAuth，以及启用这些提供商插件时的 Gemini CLI/Antigravity。
-- 如果没有匹配的凭证，用量会被隐藏。
-- 详情：参见[用量跟踪](/concepts/usage-tracking)。
+- 数据直接来自提供商用量端点（不是估算值）。
+- 提供商：Anthropic、GitHub Copilot、OpenAI Codex OAuth，以及打包的 `google` 插件所提供的 Gemini CLI 和在已配置情况下的 Antigravity。
+- 如果不存在匹配的凭据，则不会显示用量。
+- 详情：参见 [用量跟踪](/concepts/usage-tracking)。
 
 ### `health`
 
@@ -605,7 +699,7 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 ### `sessions`
 
-列出存储的对话会话。
+列出已存储的对话会话。
 
 选项：
 
@@ -614,11 +708,11 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 - `--store <path>`
 - `--active <minutes>`
 
-## 重置/卸载
+## 重置 / 卸载
 
 ### `reset`
 
-重置本地配置/状态（保留 CLI 安装）。
+重置本地配置 / 状态（保留已安装的 CLI）。
 
 选项：
 
@@ -629,11 +723,11 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 说明：
 
-- `--non-interactive` 需要 `--scope` 和 `--yes`。
+- `--non-interactive` 要求同时提供 `--scope` 和 `--yes`。
 
 ### `uninstall`
 
-卸载 Gateway 网关服务 + 本地数据（CLI 保留）。
+卸载 gateway 服务 + 本地数据（CLI 保留）。
 
 选项：
 
@@ -648,7 +742,7 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 说明：
 
-- `--non-interactive` 需要 `--yes` 和明确的范围（或 `--all`）。
+- `--non-interactive` 要求 `--yes` 和显式作用域（或 `--all`）。
 
 ## Gateway 网关
 
@@ -663,12 +757,13 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 - `--token <token>`
 - `--auth <token|password>`
 - `--password <password>`
+- `--password-file <path>`
 - `--tailscale <off|serve|funnel>`
 - `--tailscale-reset-on-exit`
 - `--allow-unconfigured`
 - `--dev`
-- `--reset`（重置 dev 配置 + 凭证 + 会话 + 工作区）
-- `--force`（终止端口上的现有监听器）
+- `--reset`（重置 dev 配置 + 凭据 + 会话 + 工作区）
+- `--force`（杀掉端口上的现有监听器）
 - `--verbose`
 - `--claude-cli-logs`
 - `--ws-log <auto|full|compact>`
@@ -683,7 +778,7 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 子命令：
 
 - `gateway status`（默认探测 Gateway 网关 RPC）
-- `gateway install`（服务安装）
+- `gateway install`（安装服务）
 - `gateway uninstall`
 - `gateway start`
 - `gateway stop`
@@ -691,12 +786,14 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 说明：
 
-- `gateway status` 默认使用服务解析的端口/配置探测 Gateway 网关 RPC（使用 `--url/--token/--password` 覆盖）。
-- `gateway status` 支持 `--no-probe`、`--deep` 和 `--json` 用于脚本化。
-- `gateway status` 在检测到旧版或额外的 Gateway 网关服务时也会显示（`--deep` 添加系统级扫描）。配置文件命名的 OpenClaw 服务被视为一等公民，不会被标记为"额外"。
-- `gateway status` 打印 CLI 使用的配置路径与服务可能使用的配置（服务环境），以及解析的探测目标 URL。
-- `gateway install|uninstall|start|stop|restart` 支持 `--json` 用于脚本化（默认输出保持人类友好）。
-- `gateway install` 默认使用 Node 运行时；**不建议**使用 bun（WhatsApp/Telegram bug）。
+- `gateway status` 默认使用服务解析出的端口 / 配置来探测 Gateway 网关 RPC（可用 `--url/--token/--password` 覆盖）。
+- `gateway status` 支持 `--no-probe`、`--deep`、`--require-rpc` 和 `--json`，便于脚本化。
+- `gateway status` 还能在检测到时显示旧版或额外的 gateway 服务（`--deep` 会增加系统级扫描）。带 profile 名称的 OpenClaw 服务会被视为一等公民，不会标记为“额外”。
+- `gateway status` 会打印 CLI 使用的是哪个配置路径、服务可能使用的是哪个配置（服务环境），以及解析出的探测目标 URL。
+- 如果 gateway 认证 SecretRef 在当前命令路径中未解析，`gateway status --json` 仅会在探测连接 / 认证失败时报告 `rpc.authWarning`（探测成功时会抑制警告）。
+- 在 Linux systemd 安装中，状态 token 漂移检查同时包括 `Environment=` 和 `EnvironmentFile=` 单元来源。
+- `gateway install|uninstall|start|stop|restart` 支持 `--json`，便于脚本化（默认输出仍然更适合人类阅读）。
+- `gateway install` 默认使用 Node 运行时；**不推荐** bun（存在 WhatsApp / Telegram bug）。
 - `gateway install` 选项：`--port`、`--runtime`、`--token`、`--force`、`--json`。
 
 ### `logs`
@@ -705,8 +802,8 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 说明：
 
-- TTY 会话渲染彩色、结构化视图；非 TTY 回退到纯文本。
-- `--json` 输出行分隔的 JSON（每行一个日志事件）。
+- TTY 会话会渲染彩色的结构化视图；非 TTY 会回退为纯文本。
+- `--json` 会输出逐行 JSON（每行一个日志事件）。
 
 示例：
 
@@ -720,7 +817,9 @@ openclaw logs --no-color
 
 ### `gateway <subcommand>`
 
-Gateway 网关 CLI 辅助工具（RPC 子命令使用 `--url`、`--token`、`--password`、`--timeout`、`--expect-final`）。
+Gateway 网关 CLI 助手（RPC 子命令可使用 `--url`、`--token`、`--password`、`--timeout`、`--expect-final`）。
+当你传入 `--url` 时，CLI 不会自动应用配置或环境凭据。
+请显式包含 `--token` 或 `--password`。缺少显式凭据会报错。
 
 子命令：
 
@@ -738,13 +837,14 @@ Gateway 网关 CLI 辅助工具（RPC 子命令使用 `--url`、`--token`、`--p
 - `config.patch`（合并部分更新 + 重启 + 唤醒）
 - `update.run`（运行更新 + 重启 + 唤醒）
 
-提示：直接调用 `config.set`/`config.apply`/`config.patch` 时，如果配置已存在，请传入来自 `config.get` 的 `baseHash`。
+提示：直接调用 `config.set`/`config.apply`/`config.patch` 时，如果配置已存在，请从
+`config.get` 传入 `baseHash`。
 
 ## 模型
 
-回退行为和扫描策略参见 [/concepts/models](/concepts/models)。
+关于回退行为和扫描策略，请参见 [/concepts/models](/concepts/models)。
 
-首选 Anthropic 认证（setup-token）：
+Anthropic setup-token（已支持）：
 
 ```bash
 claude setup-token
@@ -752,6 +852,10 @@ openclaw models auth setup-token --provider anthropic
 openclaw models status
 ```
 
+策略说明：这是技术兼容性。Anthropic 过去曾阻止某些
+Claude Code 之外的订阅使用；在生产环境依赖 setup-token 之前，请确认当前的 Anthropic
+条款。
+
 ### `models`（根命令）
 
 `openclaw models` 是 `models status` 的别名。
@@ -777,15 +881,16 @@ openclaw models status
 
 - `--json`
 - `--plain`
-- `--check`（退出码 1=过期/缺失，2=即将过期）
+- `--check`（退出码 1=已过期 / 缺失，2=即将过期）
 - `--probe`（对已配置认证配置文件进行实时探测）
 - `--probe-provider <name>`
-- `--probe-profile <id>`（重复或逗号分隔）
+- `--probe-profile <id>`（可重复或逗号分隔）
 - `--probe-timeout <ms>`
 - `--probe-concurrency <n>`
 - `--probe-max-tokens <n>`
 
-始终包含认证概览和认证存储中配置文件的 OAuth 过期状态。`--probe` 运行实时请求（可能消耗令牌并触发速率限制）。
+始终包含认证总览以及认证存储中配置文件的 OAuth 过期状态。
+`--probe` 会发起实时请求（可能消耗 token 并触发速率限制）。
 
 ### `models set <model>`
 
@@ -842,7 +947,7 @@ openclaw models status
 
 选项：
 
-- `add`：交互式认证辅助工具
+- `add`：交互式认证助手
 - `setup-token`：`--provider <name>`（默认 `anthropic`）、`--yes`
 - `paste-token`：`--provider <name>`、`--profile-id <id>`、`--expires-in <duration>`
 
@@ -858,9 +963,9 @@ openclaw models status
 
 ### `system event`
 
-将系统事件加入队列并可选触发心跳（Gateway 网关 RPC）。
+将一个系统事件加入队列，并可选择触发一次 heartbeat（Gateway 网关 RPC）。
 
-必需：
+必需项：
 
 - `--text <text>`
 
@@ -868,47 +973,48 @@ openclaw models status
 
 - `--mode <now|next-heartbeat>`
 - `--json`
-- `--url`、`--token`、`--timeout`、`--expect-final`
+- `--url`, `--token`, `--timeout`, `--expect-final`
 
 ### `system heartbeat last|enable|disable`
 
-心跳控制（Gateway 网关 RPC）。
+heartbeat 控制（Gateway 网关 RPC）。
 
 选项：
 
 - `--json`
-- `--url`、`--token`、`--timeout`、`--expect-final`
+- `--url`, `--token`, `--timeout`, `--expect-final`
 
 ### `system presence`
 
-列出系统存在条目（Gateway 网关 RPC）。
+列出系统 presence 条目（Gateway 网关 RPC）。
 
 选项：
 
 - `--json`
-- `--url`、`--token`、`--timeout`、`--expect-final`
+- `--url`, `--token`, `--timeout`, `--expect-final`
 
-## 定时任务
+## Cron
 
 管理计划任务（Gateway 网关 RPC）。参见 [/automation/cron-jobs](/automation/cron-jobs)。
 
 子命令：
 
 - `cron status [--json]`
-- `cron list [--all] [--json]`（默认表格输出；使用 `--json` 获取原始数据）
-- `cron add`（别名：`create`；需要 `--name` 和 `--at` | `--every` | `--cron` 三选一，以及 `--system-event` | `--message` 负载二选一）
-- `cron edit <id>`（补丁字段）
-- `cron rm <id>`（别名：`remove`、`delete`）
+- `cron list [--all] [--json]`（默认输出表格；原始输出请使用 `--json`）
+- `cron add`（别名：`create`；要求 `--name`，并且必须且只能提供 `--at` | `--every` | `--cron` 之一，以及 `--system-event` | `--message` 之一作为负载）
+- `cron edit <id>`（修补字段）
+- `cron rm <id>`（别名：`remove`, `delete`）
 - `cron enable <id>`
 - `cron disable <id>`
 - `cron runs --id <id> [--limit <n>]`
 - `cron run <id> [--force]`
 
-所有 `cron` 命令接受 `--url`、`--token`、`--timeout`、`--expect-final`。
+所有 `cron` 命令都接受 `--url`、`--token`、`--timeout`、`--expect-final`。
 
-## 节点主机
+## Node 主机
 
-`node` 运行**无头节点主机**或将其作为后台服务管理。参见 [`openclaw node`](/cli/node)。
+`node` 运行一个**无头 node host**，或将其作为后台服务进行管理。参见
+[`openclaw node`](/cli/node)。
 
 子命令：
 
@@ -919,13 +1025,18 @@ openclaw models status
 - `node stop`
 - `node restart`
 
-## 节点
+认证说明：
 
-`nodes` 与 Gateway 网关通信并针对已配对的节点。参见 [/nodes](/nodes)。
+- `node` 从环境 / 配置解析 gateway 认证（不支持 `--token`/`--password` 标志）：`OPENCLAW_GATEWAY_TOKEN` / `OPENCLAW_GATEWAY_PASSWORD`，然后是 `gateway.auth.*`。在本地模式下，node host 会有意忽略 `gateway.remote.*`；在 `gateway.mode=remote` 时，`gateway.remote.*` 会根据远程优先级规则参与解析。
+- 旧版 `CLAWDBOT_GATEWAY_*` 环境变量会被有意忽略，不用于 node-host 认证解析。
+
+## Nodes
+
+`nodes` 与 Gateway 网关通信，并以已配对节点为目标。参见 [/nodes](/nodes)。
 
 通用选项：
 
-- `--url`、`--token`、`--timeout`、`--json`
+- `--url`, `--token`, `--timeout`, `--json`
 
 子命令：
 
@@ -937,8 +1048,8 @@ openclaw models status
 - `nodes reject <requestId>`
 - `nodes rename --node <id|name|ip> --name <displayName>`
 - `nodes invoke --node <id|name|ip> --command <command> [--params <json>] [--invoke-timeout <ms>] [--idempotency-key <key>]`
-- `nodes run --node <id|name|ip> [--cwd <path>] [--env KEY=VAL] [--command-timeout <ms>] [--needs-screen-recording] [--invoke-timeout <ms>] <command...>`（mac 节点或无头节点主机）
-- `nodes notify --node <id|name|ip> [--title <text>] [--body <text>] [--sound <name>] [--priority <passive|active|timeSensitive>] [--delivery <system|overlay|auto>] [--invoke-timeout <ms>]`（仅限 mac）
+- `nodes run --node <id|name|ip> [--cwd <path>] [--env KEY=VAL] [--command-timeout <ms>] [--needs-screen-recording] [--invoke-timeout <ms>] <command...>`（mac 节点或无头 node host）
+- `nodes notify --node <id|name|ip> [--title <text>] [--body <text>] [--sound <name>] [--priority <passive|active|timeSensitive>] [--delivery <system|overlay|auto>] [--invoke-timeout <ms>]`（仅 mac）
 
 相机：
 
@@ -946,7 +1057,7 @@ openclaw models status
 - `nodes camera snap --node <id|name|ip> [--facing front|back|both] [--device-id <id>] [--max-width <px>] [--quality <0-1>] [--delay-ms <ms>] [--invoke-timeout <ms>]`
 - `nodes camera clip --node <id|name|ip> [--facing front|back] [--device-id <id>] [--duration <ms|10s|1m>] [--no-audio] [--invoke-timeout <ms>]`
 
-画布 + 屏幕：
+Canvas + 屏幕：
 
 - `nodes canvas snapshot --node <id|name|ip> [--format png|jpg|jpeg] [--max-width <px>] [--quality <0-1>] [--invoke-timeout <ms>]`
 - `nodes canvas present --node <id|name|ip> [--target <urlOrPath>] [--x <px>] [--y <px>] [--width <px>] [--height <px>] [--invoke-timeout <ms>]`
@@ -963,11 +1074,11 @@ openclaw models status
 
 ## 浏览器
 
-浏览器控制 CLI（专用 Chrome/Brave/Edge/Chromium）。参见 [`openclaw browser`](/cli/browser) 和[浏览器工具](/tools/browser)。
+浏览器控制 CLI（专用 Chrome/Brave/Edge/Chromium）。参见 [`openclaw browser`](/cli/browser) 和 [Browser 工具](/tools/browser)。
 
 通用选项：
 
-- `--url`、`--token`、`--timeout`、`--json`
+- `--url`, `--token`, `--timeout`, `--json`
 - `--browser-profile <name>`
 
 管理：
@@ -1011,7 +1122,7 @@ openclaw models status
 
 ### `docs [query...]`
 
-搜索在线文档索引。
+搜索实时文档索引。
 
 ## TUI
 
@@ -1028,5 +1139,5 @@ openclaw models status
 - `--deliver`
 - `--thinking <level>`
 - `--message <text>`
-- `--timeout-ms <ms>`（默认为 `agents.defaults.timeoutSeconds`）
+- `--timeout-ms <ms>`（默认值为 `agents.defaults.timeoutSeconds`）
 - `--history-limit <n>`
diff --git a/docs/zh-CN/cli/onboard.md b/docs/zh-CN/cli/onboard.md
index a68329d84cc..66588b9d795 100644
--- a/docs/zh-CN/cli/onboard.md
+++ b/docs/zh-CN/cli/onboard.md
@@ -1,24 +1,28 @@
 ---
 read_when:
-  - 你想要 Gateway 网关、工作区、认证、渠道和 Skills 的引导式设置
-summary: "`openclaw onboard` 的 CLI 参考（交互式新手引导向导）"
+  - 你想通过引导式设置来配置 Gateway 网关、工作区、身份验证、渠道和 Skills
+summary: "`openclaw onboard` 的 CLI 参考（交互式设置向导）"
 title: onboard
 x-i18n:
-  generated_at: "2026-02-03T07:45:00Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: a661049a6983233986a880a68440a3bcc6869ee2c4c6f5e9f3ab8ff973e22f60
+  generated_at: "2026-03-16T06:21:32Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 04d7747342c582abcfcafff28847b4297f65ada665157d9cfbe3dbb258ee31d9
   source_path: cli/onboard.md
   workflow: 15
 ---
 
 # `openclaw onboard`
 
-交互式新手引导向导（本地或远程 Gateway 网关设置）。
+交互式设置向导（本地或远程 Gateway 网关设置）。
 
-相关内容：
+## 相关指南
 
-- 向导指南：[新手引导](/start/onboarding)
+- CLI 新手引导中心：[设置向导（CLI）](/start/wizard)
+- 新手引导概览：[新手引导概览](/start/onboarding-overview)
+- CLI 新手引导参考：[CLI 设置参考](/start/wizard-cli-reference)
+- CLI 自动化：[CLI 自动化](/start/wizard-cli-automation)
+- macOS 新手引导：[新手引导（macOS 应用）](/start/onboarding)
 
 ## 示例
 
@@ -26,11 +30,135 @@ x-i18n:
 openclaw onboard
 openclaw onboard --flow quickstart
 openclaw onboard --flow manual
-openclaw onboard --mode remote --remote-url ws://gateway-host:18789
+openclaw onboard --mode remote --remote-url wss://gateway-host:18789
+```
+
+对于明文私有网络 `ws://` 目标（仅限受信任网络），请在新手引导进程环境中设置
+`OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`。
+
+非交互式自定义提供商：
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice custom-api-key \
+  --custom-base-url "https://llm.example.com/v1" \
+  --custom-model-id "foo-large" \
+  --custom-api-key "$CUSTOM_API_KEY" \
+  --secret-input-mode plaintext \
+  --custom-compatibility openai
+```
+
+在非交互式模式下，`--custom-api-key` 是可选的。如果省略，新手引导会检查 `CUSTOM_API_KEY`。
+
+非交互式 Ollama：
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice ollama \
+  --custom-base-url "http://ollama-host:11434" \
+  --custom-model-id "qwen3.5:27b" \
+  --accept-risk
+```
+
+`--custom-base-url` 默认为 `http://127.0.0.1:11434`。`--custom-model-id` 是可选的；如果省略，新手引导会使用 Ollama 建议的默认值。像 `kimi-k2.5:cloud` 这样的云端模型 ID 在这里也可用。
+
+将提供商密钥存储为引用而不是明文：
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice openai-api-key \
+  --secret-input-mode ref \
+  --accept-risk
+```
+
+使用 `--secret-input-mode ref` 时，新手引导会写入由环境变量支持的引用，而不是明文密钥值。
+对于由 auth-profile 支持的提供商，这会写入 `keyRef` 条目；对于自定义提供商，这会将 `models.providers.<id>.apiKey` 写为环境变量引用（例如 `{ source: "env", provider: "default", id: "CUSTOM_API_KEY" }`）。
+
+非交互式 `ref` 模式约定：
+
+- 在新手引导进程环境中设置提供商环境变量（例如 `OPENAI_API_KEY`）。
+- 不要传递内联密钥标志（例如 `--openai-api-key`），除非该环境变量也已设置。
+- 如果传递了内联密钥标志但未设置所需环境变量，新手引导会快速失败并提供指引。
+
+非交互式模式中的 Gateway 网关令牌选项：
+
+- `--gateway-auth token --gateway-token <token>` 存储明文令牌。
+- `--gateway-auth token --gateway-token-ref-env <name>` 将 `gateway.auth.token` 存储为环境变量 SecretRef。
+- `--gateway-token` 和 `--gateway-token-ref-env` 互斥。
+- `--gateway-token-ref-env` 要求在新手引导进程环境中存在一个非空环境变量。
+- 使用 `--install-daemon` 时，当令牌身份验证需要令牌时，由 SecretRef 管理的 Gateway 网关令牌会被验证，但不会以已解析的明文形式持久化到 supervisor 服务环境元数据中。
+- 使用 `--install-daemon` 时，如果令牌模式需要令牌，而配置的令牌 SecretRef 未解析，新手引导会以封闭失败方式终止，并提供修复指引。
+- 使用 `--install-daemon` 时，如果同时配置了 `gateway.auth.token` 和 `gateway.auth.password`，且 `gateway.auth.mode` 未设置，新手引导会阻止安装，直到显式设置 mode。
+
+示例：
+
+```bash
+export OPENCLAW_GATEWAY_TOKEN="your-token"
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice skip \
+  --gateway-auth token \
+  --gateway-token-ref-env OPENCLAW_GATEWAY_TOKEN \
+  --accept-risk
+```
+
+非交互式本地 Gateway 网关健康检查：
+
+- 除非你传递 `--skip-health`，否则新手引导会等待本地 Gateway 网关可访问后才成功退出。
+- `--install-daemon` 会先启动受管 Gateway 网关安装路径。不使用它时，你必须已经有一个正在运行的本地 Gateway 网关，例如 `openclaw gateway run`。
+- 如果你只想在自动化中写入配置/工作区/bootstrap，请使用 `--skip-health`。
+- 在原生 Windows 上，`--install-daemon` 会先尝试 Scheduled Tasks；如果任务创建被拒绝，则回退到每用户 Startup 文件夹登录项。
+
+带引用模式的交互式新手引导行为：
+
+- 出现提示时，选择**使用密钥引用**。
+- 然后选择以下之一：
+  - 环境变量
+  - 已配置的密钥提供商（`file` 或 `exec`）
+- 新手引导会在保存引用前执行快速预检验证。
+  - 如果验证失败，新手引导会显示错误并让你重试。
+
+非交互式 Z.AI 端点选择：
+
+注意：`--auth-choice zai-api-key` 现在会为你的密钥自动检测最佳 Z.AI 端点（优先使用通用 API 搭配 `zai/glm-5`）。
+如果你明确想使用 GLM Coding Plan 端点，请选择 `zai-coding-global` 或 `zai-coding-cn`。
+
+```bash
+# 无提示端点选择
+openclaw onboard --non-interactive \
+  --auth-choice zai-coding-global \
+  --zai-api-key "$ZAI_API_KEY"
+
+# 其他 Z.AI 端点选择：
+# --auth-choice zai-coding-cn
+# --auth-choice zai-global
+# --auth-choice zai-cn
+```
+
+非交互式 Mistral 示例：
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice mistral-api-key \
+  --mistral-api-key "$MISTRAL_API_KEY"
 ```
 
 流程说明：
 
 - `quickstart`：最少提示，自动生成 Gateway 网关令牌。
-- `manual`：完整的端口/绑定/认证提示（`advanced` 的别名）。
-- 最快开始聊天：`openclaw dashboard`（控制 UI，无需渠道设置）。
+- `manual`：提供端口/绑定/身份验证的完整提示（`advanced` 的别名）。
+- 本地新手引导私信范围行为：[CLI 设置参考](/start/wizard-cli-reference#outputs-and-internals)。
+- 最快开始第一次聊天：`openclaw dashboard`（控制 UI，无需设置渠道）。
+- 自定义提供商：连接任何兼容 OpenAI 或 Anthropic 的端点，
+  包括未列出的托管提供商。使用 Unknown 进行自动检测。
+
+## 常见后续命令
+
+```bash
+openclaw configure
+openclaw agents add <name>
+```
+
+<Note>
+`--json` 不代表非交互式模式。脚本请使用 `--non-interactive`。
+</Note>
diff --git a/docs/zh-CN/cli/setup.md b/docs/zh-CN/cli/setup.md
index ec67b889bca..18936b3bd24 100644
--- a/docs/zh-CN/cli/setup.md
+++ b/docs/zh-CN/cli/setup.md
@@ -1,16 +1,16 @@
 ---
 read_when:
-  - 你在不使用完整新手引导向导的情况下进行首次设置
+  - 你正在进行首次运行设置，但不使用完整的设置向导
   - 你想设置默认工作区路径
 summary: "`openclaw setup` 的 CLI 参考（初始化配置 + 工作区）"
 title: setup
 x-i18n:
-  generated_at: "2026-02-01T20:21:26Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 7f3fc8b246924edf48501785be2c0d356bd31bfbb133e75a139a5ee41dbf57f4
+  generated_at: "2026-03-16T06:21:20Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: b6d6fef6642a4fdf9880ea4f752981b5ed0404289274ee3429ee31702873e3ea
   source_path: cli/setup.md
-  workflow: 14
+  workflow: 15
 ---
 
 # `openclaw setup`
@@ -19,7 +19,7 @@ x-i18n:
 
 相关内容：
 
-- 快速开始：[快速开始](/start/getting-started)
+- 入门指南：[入门指南](/start/getting-started)
 - 向导：[新手引导](/start/onboarding)
 
 ## 示例
diff --git a/docs/zh-CN/concepts/agent-workspace.md b/docs/zh-CN/concepts/agent-workspace.md
index 7438a790d2c..698518691f6 100644
--- a/docs/zh-CN/concepts/agent-workspace.md
+++ b/docs/zh-CN/concepts/agent-workspace.md
@@ -5,28 +5,26 @@ read_when:
 summary: 智能体工作区：位置、布局和备份策略
 title: 智能体工作区
 x-i18n:
-  generated_at: "2026-02-03T07:45:49Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 84c550fd89b5f2474aeae586795485fd29d36effbb462f13342b31540fc18b82
+  generated_at: "2026-03-16T06:21:45Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 6854ddbebe2d21da08c4e1773da6a44f02c815070677821996dab4c91cfb9cd4
   source_path: concepts/agent-workspace.md
   workflow: 15
 ---
 
 # 智能体工作区
 
-工作区是智能体的家。它是文件工具和工作区上下文使用的唯一工作目录。请保持其私密性并将其视为记忆。
+工作区是智能体的“家”。它是文件工具和工作区上下文所使用的唯一工作目录。请将其保持为私有，并将其视为记忆。
 
-这与 `~/.openclaw/` 是分开的，后者存储配置、凭证和会话。
+这与存储配置、凭证和会话的 `~/.openclaw/` 是分开的。
 
-**重要：** 工作区是**默认 cwd**，而不是硬性沙箱。工具会根据工作区解析相对路径，但绝对路径仍然可以访问主机上的其他位置，除非启用了沙箱隔离。如果你需要隔离，请使用
-[`agents.defaults.sandbox`](/gateway/sandboxing)（和/或每智能体沙箱配置）。
-当启用沙箱隔离且 `workspaceAccess` 不是 `"rw"` 时，工具在 `~/.openclaw/sandboxes` 下的沙箱工作区内操作，而不是你的主机工作区。
+**重要：**工作区是**默认 cwd**，而不是硬性沙箱。工具会相对于工作区解析相对路径，但除非启用沙箱隔离，否则绝对路径仍然可以访问主机上的其他位置。如果你需要隔离，请使用 [`agents.defaults.sandbox`](/gateway/sandboxing)（和/或按智能体配置的沙箱）。启用沙箱隔离后，如果 `workspaceAccess` 不是 `"rw"`，工具会在 `~/.openclaw/sandboxes` 下的沙箱工作区中运行，而不是在你的主机工作区中运行。
 
 ## 默认位置
 
-- 默认：`~/.openclaw/workspace`
-- 如果设置了 `OPENCLAW_PROFILE` 且不是 `"default"`，默认值变为
+- 默认值：`~/.openclaw/workspace`
+- 如果设置了 `OPENCLAW_PROFILE` 且其值不是 `"default"`，默认值将变为
   `~/.openclaw/workspace-<profile>`。
 - 在 `~/.openclaw/openclaw.json` 中覆盖：
 
@@ -38,9 +36,10 @@ x-i18n:
 }
 ```
 
-`openclaw onboard`、`openclaw configure` 或 `openclaw setup` 将创建工作区并在缺失时填充引导文件。
+`openclaw onboard`、`openclaw configure` 或 `openclaw setup` 会在工作区缺失时创建工作区并植入引导文件。
+沙箱种子复制仅接受工作区内的常规文件；解析到源工作区外部的符号链接/硬链接别名会被忽略。
 
-如果你已经自己管理工作区文件，可以禁用引导文件创建：
+如果你已经自行管理工作区文件，可以禁用引导文件创建：
 
 ```json5
 { agent: { skipBootstrap: true } }
@@ -48,91 +47,92 @@ x-i18n:
 
 ## 额外的工作区文件夹
 
-旧版安装可能创建了 `~/openclaw`。保留多个工作区目录可能会导致混乱的认证或状态漂移，因为同一时间只有一个工作区是活动的。
+较旧的安装可能创建过 `~/openclaw`。保留多个工作区目录可能会导致令人困惑的凭证或状态漂移，因为同一时间只有一个工作区处于活动状态。
 
-**建议：** 保持单个活动工作区。如果你不再使用额外的文件夹，请归档或移至废纸篓（例如 `trash ~/openclaw`）。
-如果你有意保留多个工作区，请确保 `agents.defaults.workspace` 指向活动的那个。
+**建议：**只保留一个活动工作区。如果你不再使用额外的文件夹，请将其归档或移到废纸篓（例如 `trash ~/openclaw`）。
+如果你有意保留多个工作区，请确保
+`agents.defaults.workspace` 指向当前活动的那个。
 
-`openclaw doctor` 在检测到额外工作区目录时会发出警告。
+当 `openclaw doctor` 检测到额外的工作区目录时，会发出警告。
 
 ## 工作区文件映射（每个文件的含义）
 
-这些是 OpenClaw 在工作区内期望的标准文件：
+以下是 OpenClaw 在工作区内预期的标准文件：
 
 - `AGENTS.md`
-  - 智能体的操作指南以及它应该如何使用记忆。
-  - 在每个会话开始时加载。
-  - 适合放置规则、优先级和"如何行为"的详细信息。
+  - 智能体的操作说明，以及它应如何使用记忆。
+  - 每次会话开始时加载。
+  - 很适合放置规则、优先级和“如何表现”之类的细节。
 
 - `SOUL.md`
   - 人设、语气和边界。
-  - 每个会话加载。
+  - 每次会话都会加载。
 
 - `USER.md`
-  - 用户是谁以及如何称呼他们。
-  - 每个会话加载。
+  - 用户是谁，以及应如何称呼他们。
+  - 每次会话都会加载。
 
 - `IDENTITY.md`
-  - 智能体的名称、风格和表情符号。
+  - 智能体的名称、风格和 emoji。
   - 在引导仪式期间创建/更新。
 
 - `TOOLS.md`
-  - 关于你本地工具和惯例的注释。
-  - 不控制工具可用性；仅作为指导。
+  - 关于你的本地工具和约定的说明。
+  - 它不控制工具可用性；仅提供指导。
 
 - `HEARTBEAT.md`
-  - 可选的心跳运行小型检查清单。
-  - 保持简短以避免 token 消耗。
+  - 可选的心跳运行微型检查清单。
+  - 保持简短以避免消耗过多 token。
 
 - `BOOT.md`
-  - 当启用内部 hooks 时，在 Gateway 网关重启时执行的可选启动检查清单。
-  - 保持简短；使用 message 工具进行出站发送。
+  - 可选的启动检查清单；当启用内部 hooks 时，会在 Gateway 网关重启时执行。
+  - 保持简短；出站发送请使用消息工具。
 
 - `BOOTSTRAP.md`
-  - 一次性首次运行仪式。
-  - 仅为全新工作区创建。
-  - 仪式完成后删除它。
+  - 一次性的首次运行仪式。
+  - 仅为全新的工作区创建。
+  - 仪式完成后请将其删除。
 
 - `memory/YYYY-MM-DD.md`
   - 每日记忆日志（每天一个文件）。
-  - 建议在会话开始时读取今天 + 昨天的内容。
+  - 建议在会话开始时阅读今天和昨天的内容。
 
 - `MEMORY.md`（可选）
   - 精选的长期记忆。
-  - 仅在主私密会话中加载（不在共享/群组上下文中）。
+  - 仅在主私有会话中加载（不在共享/群组上下文中加载）。
 
-参见 [记忆](/concepts/memory) 了解工作流程和自动记忆刷新。
+有关工作流和自动记忆刷新，请参见[记忆](/concepts/memory)。
 
 - `skills/`（可选）
-  - 工作区特定的 Skills。
-  - 当名称冲突时覆盖托管/捆绑的 Skills。
+  - 工作区专用技能。
+  - 名称冲突时会覆盖托管/捆绑的 Skills。
 
 - `canvas/`（可选）
   - 用于节点显示的 Canvas UI 文件（例如 `canvas/index.html`）。
 
-如果任何引导文件缺失，OpenClaw 会在会话中注入"缺失文件"标记并继续。大型引导文件在注入时会被截断；使用 `agents.defaults.bootstrapMaxChars` 调整限制（默认：20000）。
-`openclaw setup` 可以重新创建缺失的默认值而不覆盖现有文件。
+如果任何引导文件缺失，OpenClaw 会在会话中注入一个“缺失文件”标记并继续执行。注入时，大型引导文件会被截断；可使用 `agents.defaults.bootstrapMaxChars`（默认：20000）和 `agents.defaults.bootstrapTotalMaxChars`（默认：150000）调整限制。
+`openclaw setup` 可以重新创建缺失的默认文件，而不会覆盖现有文件。
 
-## 工作区中不包含的内容
+## 不在工作区中的内容
 
-这些位于 `~/.openclaw/` 下，不应提交到工作区仓库：
+这些内容位于 `~/.openclaw/` 下，**不应**提交到工作区仓库：
 
 - `~/.openclaw/openclaw.json`（配置）
-- `~/.openclaw/credentials/`（OAuth token、API 密钥）
-- `~/.openclaw/agents/<agentId>/sessions/`（会话记录 + 元数据）
-- `~/.openclaw/skills/`（托管的 Skills）
+- `~/.openclaw/credentials/`（OAuth 令牌、API 密钥）
+- `~/.openclaw/agents/<agentId>/sessions/`（会话记录和元数据）
+- `~/.openclaw/skills/`（托管 Skills）
 
-如果你需要迁移会话或配置，请单独复制它们并将它们排除在版本控制之外。
+如果你需要迁移会话或配置，请单独复制它们，并确保不要将其纳入版本控制。
 
 ## Git 备份（推荐，私有）
 
-将工作区视为私密记忆。将其放入**私有** git 仓库以便备份和恢复。
+将工作区视为私有记忆。把它放进一个**私有** git 仓库，以便备份并可恢复。
 
-在运行 Gateway 网关的机器上执行这些步骤（工作区就在那里）。
+请在 Gateway 网关运行的机器上执行这些步骤（工作区就位于那里）。
 
 ### 1）初始化仓库
 
-如果安装了 git，全新工作区会自动初始化。如果此工作区还不是仓库，请运行：
+如果已安装 git，全新工作区会自动初始化。如果这个工作区还不是仓库，请运行：
 
 ```bash
 cd ~/.openclaw/workspace
@@ -141,14 +141,14 @@ git add AGENTS.md SOUL.md TOOLS.md IDENTITY.md USER.md HEARTBEAT.md memory/
 git commit -m "Add agent workspace"
 ```
 
-### 2）添加私有远程（适合初学者的选项）
+### 2）添加私有远程仓库（适合新手的选项）
 
-选项 A：GitHub 网页界面
+选项 A：GitHub Web UI
 
-1. 在 GitHub 上创建新的**私有**仓库。
-2. 不要用 README 初始化（避免合并冲突）。
+1. 在 GitHub 上创建一个新的**私有**仓库。
+2. 不要使用 README 初始化（以避免合并冲突）。
 3. 复制 HTTPS 远程 URL。
-4. 添加远程并推送：
+4. 添加远程仓库并推送：
 
 ```bash
 git branch -M main
@@ -163,12 +163,12 @@ gh auth login
 gh repo create openclaw-workspace --private --source . --remote origin --push
 ```
 
-选项 C：GitLab 网页界面
+选项 C：GitLab Web UI
 
-1. 在 GitLab 上创建新的**私有**仓库。
-2. 不要用 README 初始化（避免合并冲突）。
+1. 在 GitLab 上创建一个新的**私有**仓库。
+2. 不要使用 README 初始化（以避免合并冲突）。
 3. 复制 HTTPS 远程 URL。
-4. 添加远程并推送：
+4. 添加远程仓库并推送：
 
 ```bash
 git branch -M main
@@ -187,15 +187,15 @@ git push
 
 ## 不要提交密钥
 
-即使在私有仓库中，也要避免在工作区中存储密钥：
+即使在私有仓库中，也应避免在工作区中存储密钥：
 
-- API 密钥、OAuth token、密码或私有凭证。
+- API 密钥、OAuth 令牌、密码或私有凭证。
 - `~/.openclaw/` 下的任何内容。
-- 聊天的原始转储或敏感附件。
+- 聊天原始转储或敏感附件。
 
-如果你必须存储敏感引用，请使用占位符并将真正的密钥保存在其他地方（密码管理器、环境变量或 `~/.openclaw/`）。
+如果你必须存储敏感引用，请使用占位符，并将真实密钥保存在其他地方（密码管理器、环境变量或 `~/.openclaw/`）。
 
-建议的 `.gitignore` 起始配置：
+建议的 `.gitignore` 起始内容：
 
 ```gitignore
 .DS_Store
@@ -207,13 +207,13 @@ git push
 
 ## 将工作区迁移到新机器
 
-1. 将仓库克隆到所需路径（默认 `~/.openclaw/workspace`）。
+1. 将仓库克隆到所需路径（默认是 `~/.openclaw/workspace`）。
 2. 在 `~/.openclaw/openclaw.json` 中将 `agents.defaults.workspace` 设置为该路径。
-3. 运行 `openclaw setup --workspace <path>` 来填充任何缺失的文件。
-4. 如果你需要会话，请单独从旧机器复制 `~/.openclaw/agents/<agentId>/sessions/`。
+3. 运行 `openclaw setup --workspace <path>` 以植入任何缺失的文件。
+4. 如果你需要会话，请将旧机器上的 `~/.openclaw/agents/<agentId>/sessions/` 单独复制过来。
 
-## 高级注意事项
+## 高级说明
 
-- 多智能体路由可以为每个智能体使用不同的工作区。参见
-  [渠道路由](/channels/channel-routing) 了解路由配置。
-- 如果启用了 `agents.defaults.sandbox`，非主会话可以在 `agents.defaults.sandbox.workspaceRoot` 下使用每会话沙箱工作区。
+- 多智能体路由可以为不同智能体使用不同的工作区。有关路由配置，请参见
+  [渠道路由](/channels/channel-routing)。
+- 如果启用了 `agents.defaults.sandbox`，非主会话可以在 `agents.defaults.sandbox.workspaceRoot` 下使用按会话划分的沙箱工作区。
diff --git a/docs/zh-CN/concepts/model-providers.md b/docs/zh-CN/concepts/model-providers.md
index e55eb7d0e45..ebbe5af3271 100644
--- a/docs/zh-CN/concepts/model-providers.md
+++ b/docs/zh-CN/concepts/model-providers.md
@@ -1,153 +1,316 @@
 ---
 read_when:
-  - 你需要按提供商分类的模型设置参考
-  - 你需要模型提供商的示例配置或 CLI 新手引导命令
-summary: 模型提供商概述，包含示例配置和 CLI 流程
+  - 你需要按提供商划分的模型设置参考
+  - 你想要模型提供商的示例配置或 CLI 新手引导命令
+summary: 模型提供商概览，包含示例配置 + CLI 流程
 title: 模型提供商
 x-i18n:
-  generated_at: "2026-02-03T07:46:28Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 14f73e5a9f9b7c6f017d59a54633942dba95a3eb50f8848b836cfe0b9f6d7719
+  generated_at: "2026-03-16T06:22:52Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 1b84eea0103a59e77571f82c800c9c0ad9fc554e8c9b2c1fd15c2cc121e7f6b4
   source_path: concepts/model-providers.md
   workflow: 15
 ---
 
 # 模型提供商
 
-本页介绍 **LLM/模型提供商**（不是 WhatsApp/Telegram 等聊天渠道）。
-关于模型选择规则，请参阅 [/concepts/models](/concepts/models)。
+本页介绍的是 **LLM/模型提供商**（而不是像 WhatsApp/Telegram 这样的聊天渠道）。
+有关模型选择规则，请参见 [/concepts/models](/concepts/models)。
 
 ## 快速规则
 
-- 模型引用使用 `provider/model` 格式（例如：`opencode/claude-opus-4-5`）。
-- 如果设置了 `agents.defaults.models`，它将成为允许列表。
-- CLI 辅助工具：`openclaw onboard`、`openclaw models list`、`openclaw models set <provider/model>`。
+- 模型引用使用 `provider/model`（示例：`opencode/claude-opus-4-6`）。
+- 如果你设置了 `agents.defaults.models`，它就会成为 allowlist。
+- CLI 辅助命令：`openclaw onboard`、`openclaw models list`、`openclaw models set <provider/model>`。
+- 提供商插件可以通过 `registerProvider({ catalog })` 注入模型目录；
+  OpenClaw 会在写入
+  `models.json` 之前将该输出合并到 `models.providers` 中。
+- 提供商清单可以声明 `providerAuthEnvVars`，这样基于通用环境变量的
+  身份验证探测就不需要加载插件运行时。其余的核心环境变量映射
+  现在只用于非插件/核心提供商，以及少数通用优先级场景，
+  例如 Anthropic 以 API 密钥优先的新手引导。
+- 提供商插件还可以通过以下机制接管提供商运行时行为：
+  `resolveDynamicModel`、`prepareDynamicModel`、`normalizeResolvedModel`、
+  `capabilities`、`prepareExtraParams`、`wrapStreamFn`、`formatApiKey`、
+  `refreshOAuth`、`buildAuthDoctorHint`、
+  `isCacheTtlEligible`、`buildMissingAuthMessage`、
+  `suppressBuiltInModel`、`augmentModelCatalog`、`isBinaryThinking`、
+  `supportsXHighThinking`、`resolveDefaultThinkingLevel`、
+  `isModernModelRef`、`prepareRuntimeAuth`、`resolveUsageAuth`，以及
+  `fetchUsageSnapshot`。
+
+## 插件接管的提供商行为
+
+提供商插件现在可以接管大多数提供商特定逻辑，而 OpenClaw 保留
+通用推理循环。
+
+典型划分：
+
+- `auth[].run` / `auth[].runNonInteractive`：提供商接管 `openclaw onboard`、`openclaw models auth` 和无头设置的
+  新手引导/登录流程
+- `wizard.onboarding` / `wizard.modelPicker`：提供商接管新手引导/模型选择器中的身份验证选项标签、
+  提示和设置条目
+- `catalog`：提供商出现在 `models.providers` 中
+- `resolveDynamicModel`：提供商接受尚未出现在本地静态
+  目录中的模型 ID
+- `prepareDynamicModel`：提供商在重试
+  动态解析之前需要刷新元数据
+- `normalizeResolvedModel`：提供商需要重写传输或基础 URL
+- `capabilities`：提供商发布 transcript/工具/提供商家族的特殊行为
+- `prepareExtraParams`：提供商为每个模型请求参数提供默认值或进行标准化
+- `wrapStreamFn`：提供商应用请求头/请求体/模型兼容包装器
+- `formatApiKey`：提供商将存储的 auth profile 格式化为
+  传输层预期的运行时 `apiKey` 字符串
+- `refreshOAuth`：当共享的 `pi-ai`
+  刷新器不足时，由提供商接管 OAuth 刷新
+- `buildAuthDoctorHint`：当 OAuth 刷新
+  失败时，提供商附加修复指引
+- `isCacheTtlEligible`：提供商决定哪些上游模型 ID 支持 prompt-cache TTL
+- `buildMissingAuthMessage`：提供商用提供商特定的恢复提示
+  替换通用 auth-store 错误
+- `suppressBuiltInModel`：提供商隐藏过时的上游条目，并且可以在直接解析失败时返回
+  供应商自有错误
+- `augmentModelCatalog`：提供商在
+  发现和配置合并后追加合成/最终目录条目
+- `isBinaryThinking`：提供商接管二元开/关 thinking UX
+- `supportsXHighThinking`：提供商让选定模型支持 `xhigh`
+- `resolveDefaultThinkingLevel`：提供商接管某个
+  模型家族默认 `/think` 策略
+- `isModernModelRef`：提供商接管 live/smoke 首选模型匹配
+- `prepareRuntimeAuth`：提供商将已配置凭证转换为短期
+  运行时令牌
+- `resolveUsageAuth`：提供商为 `/usage`
+  以及相关状态/报告界面解析使用量/配额凭证
+- `fetchUsageSnapshot`：提供商接管使用量端点的获取/解析，而核心仍负责摘要外壳和格式化
+
+当前内置示例：
+
+- `anthropic`：Claude 4.6 前向兼容回退、身份验证修复提示、使用量
+  端点获取，以及 cache-TTL/提供商家族元数据
+- `openrouter`：直通模型 ID、请求包装器、提供商能力
+  提示，以及 cache-TTL 策略
+- `github-copilot`：新手引导/设备登录、前向兼容模型回退、
+  Claude-thinking transcript 提示、运行时令牌交换，以及使用量端点
+  获取
+- `openai`：GPT-5.4 前向兼容回退、直接 OpenAI 传输
+  标准化、Codex 感知的缺失身份验证提示、Spark 抑制、合成
+  OpenAI/Codex 目录条目、thinking/live-model 策略，以及
+  提供商家族元数据
+- `google` 和 `google-gemini-cli`：Gemini 3.1 前向兼容回退和
+  现代模型匹配；Gemini CLI OAuth 还接管 auth-profile 令牌
+  格式化、usage-token 解析，以及面向使用量界面的配额端点获取
+- `moonshot`：共享传输、插件接管的 thinking 负载标准化
+- `kilocode`：共享传输、插件接管的请求头、reasoning 负载
+  标准化、Gemini transcript 提示，以及 cache-TTL 策略
+- `zai`：GLM-5 前向兼容回退、`tool_stream` 默认值、cache-TTL
+  策略、二元 thinking/live-model 策略，以及使用量身份验证 + 配额获取
+- `mistral`、`opencode` 和 `opencode-go`：插件接管的能力元数据
+- `byteplus`、`cloudflare-ai-gateway`、`huggingface`、`kimi-coding`、
+  `modelstudio`、`nvidia`、`qianfan`、`synthetic`、`together`、`venice`、
+  `vercel-ai-gateway` 和 `volcengine`：仅插件接管的目录
+- `qwen-portal`：插件接管的目录、OAuth 登录和 OAuth 刷新
+- `minimax` 和 `xiaomi`：插件接管的目录，以及使用量身份验证/快照逻辑
+
+内置的 `openai` 插件现在接管两个提供商 ID：`openai` 和
+`openai-codex`。
+
+以上涵盖了仍适合 OpenClaw 常规传输的提供商。若某个提供商
+需要完全自定义的请求执行器，那就是另一个更深层的扩展接口。
+
+## API 密钥轮换
+
+- 支持为选定提供商进行通用提供商轮换。
+- 通过以下方式配置多个密钥：
+  - `OPENCLAW_LIVE_<PROVIDER>_KEY`（单个 live 覆盖，最高优先级）
+  - `<PROVIDER>_API_KEYS`（逗号或分号分隔列表）
+  - `<PROVIDER>_API_KEY`（主密钥）
+  - `<PROVIDER>_API_KEY_*`（编号列表，例如 `<PROVIDER>_API_KEY_1`）
+- 对于 Google 提供商，还会包含 `GOOGLE_API_KEY` 作为回退。
+- 密钥选择顺序会保留优先级并对值去重。
+- 仅在速率限制响应时才会使用下一个密钥重试请求（例如 `429`、`rate_limit`、`quota`、`resource exhausted`）。
+- 非速率限制失败会立即失败；不会尝试密钥轮换。
+- 当所有候选密钥都失败时，将返回最后一次尝试的最终错误。
 
 ## 内置提供商（pi-ai 目录）
 
-OpenClaw 附带 pi-ai 目录。这些提供商**不需要** `models.providers` 配置；只需设置认证 + 选择模型。
+OpenClaw 附带 pi‑ai 目录。这些提供商**不需要**
+`models.providers` 配置；只需设置身份验证 + 选择一个模型。
 
 ### OpenAI
 
 - 提供商：`openai`
-- 认证：`OPENAI_API_KEY`
-- 示例模型：`openai/gpt-5.2`
+- 身份验证：`OPENAI_API_KEY`
+- 可选轮换：`OPENAI_API_KEYS`、`OPENAI_API_KEY_1`、`OPENAI_API_KEY_2`，以及 `OPENCLAW_LIVE_OPENAI_KEY`（单个覆盖）
+- 示例模型：`openai/gpt-5.4`、`openai/gpt-5.4-pro`
 - CLI：`openclaw onboard --auth-choice openai-api-key`
+- 默认传输为 `auto`（优先 WebSocket，SSE 回退）
+- 通过 `agents.defaults.models["openai/<model>"].params.transport` 按模型覆盖（`"sse"`、`"websocket"` 或 `"auto"`）
+- OpenAI Responses WebSocket 预热默认通过 `params.openaiWsWarmup` 启用（`true`/`false`）
+- 可通过 `agents.defaults.models["openai/<model>"].params.serviceTier` 启用 OpenAI 优先处理
+- 可通过 `agents.defaults.models["<provider>/<model>"].params.fastMode` 为每个模型启用 OpenAI 快速模式
+- `openai/gpt-5.3-codex-spark` 在 OpenClaw 中被有意抑制，因为 live OpenAI API 会拒绝它；Spark 被视为仅限 Codex
 
 ```json5
 {
-  agents: { defaults: { model: { primary: "openai/gpt-5.2" } } },
+  agents: { defaults: { model: { primary: "openai/gpt-5.4" } } },
 }
 ```
 
 ### Anthropic
 
 - 提供商：`anthropic`
-- 认证：`ANTHROPIC_API_KEY` 或 `claude setup-token`
-- 示例模型：`anthropic/claude-opus-4-5`
+- 身份验证：`ANTHROPIC_API_KEY` 或 `claude setup-token`
+- 可选轮换：`ANTHROPIC_API_KEYS`、`ANTHROPIC_API_KEY_1`、`ANTHROPIC_API_KEY_2`，以及 `OPENCLAW_LIVE_ANTHROPIC_KEY`（单个覆盖）
+- 示例模型：`anthropic/claude-opus-4-6`
 - CLI：`openclaw onboard --auth-choice token`（粘贴 setup-token）或 `openclaw models auth paste-token --provider anthropic`
+- 直接 API 密钥模型支持共享的 `/fast` 开关和 `params.fastMode`；OpenClaw 会将其映射到 Anthropic `service_tier`（`auto` 与 `standard_only`）
+- 策略说明：setup-token 支持属于技术兼容性；Anthropic 过去曾阻止某些在 Claude Code 之外的订阅用法。请核实当前 Anthropic 条款，并根据你的风险承受能力做出决定。
+- 建议：相比订阅 setup-token 身份验证，Anthropic API 密钥身份验证是更安全、也更推荐的路径。
 
 ```json5
 {
-  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-5" } } },
+  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-6" } } },
 }
 ```
 
-### OpenAI Code (Codex)
+### OpenAI Code（Codex）
 
 - 提供商：`openai-codex`
-- 认证：OAuth (ChatGPT)
-- 示例模型：`openai-codex/gpt-5.2`
+- 身份验证：OAuth（ChatGPT）
+- 示例模型：`openai-codex/gpt-5.4`
 - CLI：`openclaw onboard --auth-choice openai-codex` 或 `openclaw models auth login --provider openai-codex`
+- 默认传输为 `auto`（优先 WebSocket，SSE 回退）
+- 通过 `agents.defaults.models["openai-codex/<model>"].params.transport` 按模型覆盖（`"sse"`、`"websocket"` 或 `"auto"`）
+- 与直接 `openai/*` 共享相同的 `/fast` 开关和 `params.fastMode` 配置
+- 当 Codex OAuth 目录暴露它时，`openai-codex/gpt-5.3-codex-spark` 仍然可用；取决于 entitlement
+- 策略说明：OpenAI Codex OAuth 明确支持 OpenClaw 这样的外部工具/工作流。
 
 ```json5
 {
-  agents: { defaults: { model: { primary: "openai-codex/gpt-5.2" } } },
+  agents: { defaults: { model: { primary: "openai-codex/gpt-5.4" } } },
 }
 ```
 
-### OpenCode Zen
+### OpenCode
 
-- 提供商：`opencode`
-- 认证：`OPENCODE_API_KEY`（或 `OPENCODE_ZEN_API_KEY`）
-- 示例模型：`opencode/claude-opus-4-5`
-- CLI：`openclaw onboard --auth-choice opencode-zen`
+- 身份验证：`OPENCODE_API_KEY`（或 `OPENCODE_ZEN_API_KEY`）
+- Zen 运行时提供商：`opencode`
+- Go 运行时提供商：`opencode-go`
+- 示例模型：`opencode/claude-opus-4-6`、`opencode-go/kimi-k2.5`
+- CLI：`openclaw onboard --auth-choice opencode-zen` 或 `openclaw onboard --auth-choice opencode-go`
 
 ```json5
 {
-  agents: { defaults: { model: { primary: "opencode/claude-opus-4-5" } } },
+  agents: { defaults: { model: { primary: "opencode/claude-opus-4-6" } } },
 }
 ```
 
 ### Google Gemini（API 密钥）
 
 - 提供商：`google`
-- 认证：`GEMINI_API_KEY`
-- 示例模型：`google/gemini-3-pro-preview`
+- 身份验证：`GEMINI_API_KEY`
+- 可选轮换：`GEMINI_API_KEYS`、`GEMINI_API_KEY_1`、`GEMINI_API_KEY_2`、`GOOGLE_API_KEY` 回退，以及 `OPENCLAW_LIVE_GEMINI_KEY`（单个覆盖）
+- 示例模型：`google/gemini-3.1-pro-preview`、`google/gemini-3-flash-preview`
+- 兼容性：使用 `google/gemini-3.1-flash-preview` 的旧版 OpenClaw 配置会被标准化为 `google/gemini-3-flash-preview`
 - CLI：`openclaw onboard --auth-choice gemini-api-key`
 
-### Google Vertex、Antigravity 和 Gemini CLI
+### Google Vertex 和 Gemini CLI
 
-- 提供商：`google-vertex`、`google-antigravity`、`google-gemini-cli`
-- 认证：Vertex 使用 gcloud ADC；Antigravity/Gemini CLI 使用各自的认证流程
-- Antigravity OAuth 作为捆绑插件提供（`google-antigravity-auth`，默认禁用）。
-  - 启用：`openclaw plugins enable google-antigravity-auth`
-  - 登录：`openclaw models auth login --provider google-antigravity --set-default`
-- Gemini CLI OAuth 作为捆绑插件提供（`google-gemini-cli-auth`，默认禁用）。
-  - 启用：`openclaw plugins enable google-gemini-cli-auth`
+- 提供商：`google-vertex`、`google-gemini-cli`
+- 身份验证：Vertex 使用 gcloud ADC；Gemini CLI 使用其 OAuth 流程
+- 注意：OpenClaw 中的 Gemini CLI OAuth 是非官方集成。一些用户报告在使用第三方客户端后遭遇 Google 账号限制。请查看 Google 条款，如果你决定继续，建议使用非关键账号。
+- Gemini CLI OAuth 作为内置 `google` 插件的一部分提供。
+  - 启用：`openclaw plugins enable google`
   - 登录：`openclaw models auth login --provider google-gemini-cli --set-default`
-  - 注意：你**不需要**将客户端 ID 或密钥粘贴到 `openclaw.json` 中。CLI 登录流程将令牌存储在 Gateway 网关主机的认证配置文件中。
+  - 注意：你**不需要**将客户端 ID 或密钥粘贴到 `openclaw.json` 中。CLI 登录流程会将
+    令牌存储在 Gateway 网关主机上的 auth profile 中。
 
-### Z.AI (GLM)
+### Z.AI（GLM）
 
 - 提供商：`zai`
-- 认证：`ZAI_API_KEY`
-- 示例模型：`zai/glm-4.7`
+- 身份验证：`ZAI_API_KEY`
+- 示例模型：`zai/glm-5`
 - CLI：`openclaw onboard --auth-choice zai-api-key`
-  - 别名：`z.ai/*` 和 `z-ai/*` 规范化为 `zai/*`
+  - 别名：`z.ai/*` 和 `z-ai/*` 会标准化为 `zai/*`
 
 ### Vercel AI Gateway
 
 - 提供商：`vercel-ai-gateway`
-- 认证：`AI_GATEWAY_API_KEY`
-- 示例模型：`vercel-ai-gateway/anthropic/claude-opus-4.5`
+- 身份验证：`AI_GATEWAY_API_KEY`
+- 示例模型：`vercel-ai-gateway/anthropic/claude-opus-4.6`
 - CLI：`openclaw onboard --auth-choice ai-gateway-api-key`
 
-### 其他内置提供商
+### Kilo Gateway
+
+- 提供商：`kilocode`
+- 身份验证：`KILOCODE_API_KEY`
+- 示例模型：`kilocode/anthropic/claude-opus-4.6`
+- CLI：`openclaw onboard --kilocode-api-key <key>`
+- 基础 URL：`https://api.kilo.ai/api/gateway/`
+- 扩展后的内置目录包括 GLM-5 Free、MiniMax M2.5 Free、GPT-5.2、Gemini 3 Pro Preview、Gemini 3 Flash Preview、Grok Code Fast 1 和 Kimi K2.5。
+
+设置详情请参见 [/providers/kilocode](/providers/kilocode)。
+
+### 其他内置提供商插件
 
 - OpenRouter：`openrouter`（`OPENROUTER_API_KEY`）
 - 示例模型：`openrouter/anthropic/claude-sonnet-4-5`
+- Kilo Gateway：`kilocode`（`KILOCODE_API_KEY`）
+- 示例模型：`kilocode/anthropic/claude-opus-4.6`
+- MiniMax：`minimax`（`MINIMAX_API_KEY`）
+- Moonshot：`moonshot`（`MOONSHOT_API_KEY`）
+- Kimi Coding：`kimi-coding`（`KIMI_API_KEY` 或 `KIMICODE_API_KEY`）
+- Qianfan：`qianfan`（`QIANFAN_API_KEY`）
+- Model Studio：`modelstudio`（`MODELSTUDIO_API_KEY`）
+- NVIDIA：`nvidia`（`NVIDIA_API_KEY`）
+- Together：`together`（`TOGETHER_API_KEY`）
+- Venice：`venice`（`VENICE_API_KEY`）
+- Xiaomi：`xiaomi`（`XIAOMI_API_KEY`）
+- Vercel AI Gateway：`vercel-ai-gateway`（`AI_GATEWAY_API_KEY`）
+- Hugging Face Inference：`huggingface`（`HUGGINGFACE_HUB_TOKEN` 或 `HF_TOKEN`）
+- Cloudflare AI Gateway：`cloudflare-ai-gateway`（`CLOUDFLARE_AI_GATEWAY_API_KEY`）
+- Volcengine：`volcengine`（`VOLCANO_ENGINE_API_KEY`）
+- BytePlus：`byteplus`（`BYTEPLUS_API_KEY`）
 - xAI：`xai`（`XAI_API_KEY`）
+- Mistral：`mistral`（`MISTRAL_API_KEY`）
+- 示例模型：`mistral/mistral-large-latest`
+- CLI：`openclaw onboard --auth-choice mistral-api-key`
 - Groq：`groq`（`GROQ_API_KEY`）
 - Cerebras：`cerebras`（`CEREBRAS_API_KEY`）
   - Cerebras 上的 GLM 模型使用 ID `zai-glm-4.7` 和 `zai-glm-4.6`。
-  - OpenAI 兼容的基础 URL：`https://api.cerebras.ai/v1`。
-- Mistral：`mistral`（`MISTRAL_API_KEY`）
+  - OpenAI 兼容基础 URL：`https://api.cerebras.ai/v1`。
 - GitHub Copilot：`github-copilot`（`COPILOT_GITHUB_TOKEN` / `GH_TOKEN` / `GITHUB_TOKEN`）
+- Hugging Face Inference 示例模型：`huggingface/deepseek-ai/DeepSeek-R1`；CLI：`openclaw onboard --auth-choice huggingface-api-key`。请参见 [Hugging Face（Inference）](/providers/huggingface)。
 
 ## 通过 `models.providers` 配置的提供商（自定义/基础 URL）
 
-使用 `models.providers`（或 `models.json`）添加**自定义**提供商或 OpenAI/Anthropic 兼容的代理。
+使用 `models.providers`（或 `models.json`）来添加**自定义**提供商或
+兼容 OpenAI/Anthropic 的代理。
 
-### Moonshot AI (Kimi)
+下面许多内置提供商插件已经发布了默认目录。
+只有在你希望覆盖默认
+基础 URL、请求头或模型列表时，才使用显式 `models.providers.<id>` 条目。
 
-Moonshot 使用 OpenAI 兼容端点，因此将其配置为自定义提供商：
+### Moonshot AI（Kimi）
+
+Moonshot 使用兼容 OpenAI 的端点，因此将其配置为自定义提供商：
 
 - 提供商：`moonshot`
-- 认证：`MOONSHOT_API_KEY`
+- 身份验证：`MOONSHOT_API_KEY`
 - 示例模型：`moonshot/kimi-k2.5`
 
 Kimi K2 模型 ID：
 
-{/_ moonshot-kimi-k2-model-refs:start _/ && null}
+[//]: # "moonshot-kimi-k2-model-refs:start"
 
 - `moonshot/kimi-k2.5`
 - `moonshot/kimi-k2-0905-preview`
 - `moonshot/kimi-k2-turbo-preview`
 - `moonshot/kimi-k2-thinking`
 - `moonshot/kimi-k2-thinking-turbo`
-  {/_ moonshot-kimi-k2-model-refs:end _/ && null}
+
+[//]: # "moonshot-kimi-k2-model-refs:end"
 
 ```json5
 {
@@ -173,7 +336,7 @@ Kimi K2 模型 ID：
 Kimi Coding 使用 Moonshot AI 的 Anthropic 兼容端点：
 
 - 提供商：`kimi-coding`
-- 认证：`KIMI_API_KEY`
+- 身份验证：`KIMI_API_KEY`
 - 示例模型：`kimi-coding/k2p5`
 
 ```json5
@@ -185,13 +348,12 @@ Kimi Coding 使用 Moonshot AI 的 Anthropic 兼容端点：
 }
 ```
 
-### Qwen OAuth（免费层级）
+### Qwen OAuth（免费层）
 
-Qwen 通过设备码流程提供对 Qwen Coder + Vision 的 OAuth 访问。
-启用捆绑插件，然后登录：
+Qwen 通过设备代码流程提供对 Qwen Coder + Vision 的 OAuth 访问。
+内置提供商插件默认启用，因此只需登录：
 
 ```bash
-openclaw plugins enable qwen-portal-auth
 openclaw models auth login --provider qwen-portal --set-default
 ```
 
@@ -200,21 +362,85 @@ openclaw models auth login --provider qwen-portal --set-default
 - `qwen-portal/coder-model`
 - `qwen-portal/vision-model`
 
-参见 [/providers/qwen](/providers/qwen) 了解设置详情和注意事项。
+设置详情和说明请参见 [/providers/qwen](/providers/qwen)。
+
+### Volcano Engine（Doubao）
+
+Volcano Engine（火山引擎）为中国用户提供对 Doubao 和其他模型的访问。
+
+- 提供商：`volcengine`（编码：`volcengine-plan`）
+- 身份验证：`VOLCANO_ENGINE_API_KEY`
+- 示例模型：`volcengine/doubao-seed-1-8-251228`
+- CLI：`openclaw onboard --auth-choice volcengine-api-key`
+
+```json5
+{
+  agents: {
+    defaults: { model: { primary: "volcengine/doubao-seed-1-8-251228" } },
+  },
+}
+```
+
+可用模型：
+
+- `volcengine/doubao-seed-1-8-251228`（Doubao Seed 1.8）
+- `volcengine/doubao-seed-code-preview-251028`
+- `volcengine/kimi-k2-5-260127`（Kimi K2.5）
+- `volcengine/glm-4-7-251222`（GLM 4.7）
+- `volcengine/deepseek-v3-2-251201`（DeepSeek V3.2 128K）
+
+编码模型（`volcengine-plan`）：
+
+- `volcengine-plan/ark-code-latest`
+- `volcengine-plan/doubao-seed-code`
+- `volcengine-plan/kimi-k2.5`
+- `volcengine-plan/kimi-k2-thinking`
+- `volcengine-plan/glm-4.7`
+
+### BytePlus（国际版）
+
+BytePlus ARK 为国际用户提供与 Volcano Engine 相同模型的访问。
+
+- 提供商：`byteplus`（编码：`byteplus-plan`）
+- 身份验证：`BYTEPLUS_API_KEY`
+- 示例模型：`byteplus/seed-1-8-251228`
+- CLI：`openclaw onboard --auth-choice byteplus-api-key`
+
+```json5
+{
+  agents: {
+    defaults: { model: { primary: "byteplus/seed-1-8-251228" } },
+  },
+}
+```
+
+可用模型：
+
+- `byteplus/seed-1-8-251228`（Seed 1.8）
+- `byteplus/kimi-k2-5-260127`（Kimi K2.5）
+- `byteplus/glm-4-7-251222`（GLM 4.7）
+
+编码模型（`byteplus-plan`）：
+
+- `byteplus-plan/ark-code-latest`
+- `byteplus-plan/doubao-seed-code`
+- `byteplus-plan/kimi-k2.5`
+- `byteplus-plan/kimi-k2-thinking`
+- `byteplus-plan/glm-4.7`
 
 ### Synthetic
 
-Synthetic 通过 `synthetic` 提供商提供 Anthropic 兼容模型：
+Synthetic 通过 `synthetic` 提供商提供兼容 Anthropic 的模型：
 
 - 提供商：`synthetic`
-- 认证：`SYNTHETIC_API_KEY`
-- 示例模型：`synthetic/hf:MiniMaxAI/MiniMax-M2.1`
+- 身份验证：`SYNTHETIC_API_KEY`
+- 示例模型：`synthetic/hf:MiniMaxAI/MiniMax-M2.5`
 - CLI：`openclaw onboard --auth-choice synthetic-api-key`
 
 ```json5
 {
   agents: {
-    defaults: { model: { primary: "synthetic/hf:MiniMaxAI/MiniMax-M2.1" } },
+    defaults: { model: { primary: "synthetic/hf:MiniMaxAI/MiniMax-M2.5" } },
   },
   models: {
     mode: "merge",
@@ -223,7 +449,7 @@ Synthetic 通过 `synthetic` 提供商提供 Anthropic 兼容模型：
         baseUrl: "https://api.synthetic.new/anthropic",
         apiKey: "${SYNTHETIC_API_KEY}",
         api: "anthropic-messages",
-        models: [{ id: "hf:MiniMaxAI/MiniMax-M2.1", name: "MiniMax M2.1" }],
+        models: [{ id: "hf:MiniMaxAI/MiniMax-M2.5", name: "MiniMax M2.5" }],
       },
     },
   },
@@ -234,22 +460,22 @@ Synthetic 通过 `synthetic` 提供商提供 Anthropic 兼容模型：
 
 MiniMax 通过 `models.providers` 配置，因为它使用自定义端点：
 
-- MiniMax（Anthropic 兼容）：`--auth-choice minimax-api`
-- 认证：`MINIMAX_API_KEY`
+- MiniMax（兼容 Anthropic）：`--auth-choice minimax-api`
+- 身份验证：`MINIMAX_API_KEY`
 
-参见 [/providers/minimax](/providers/minimax) 了解设置详情、模型选项和配置片段。
+设置详情、模型选项和配置片段请参见 [/providers/minimax](/providers/minimax)。
 
 ### Ollama
 
-Ollama 是提供 OpenAI 兼容 API 的本地 LLM 运行时：
+Ollama 作为内置提供商插件提供，并使用 Ollama 的原生 API：
 
 - 提供商：`ollama`
-- 认证：无需（本地服务器）
+- 身份验证：无需（本地服务器）
 - 示例模型：`ollama/llama3.3`
-- 安装：https://ollama.ai
+- 安装：[https://ollama.com/download](https://ollama.com/download)
 
 ```bash
-# Install Ollama, then pull a model:
+# 安装 Ollama，然后拉取一个模型：
 ollama pull llama3.3
 ```
 
@@ -261,18 +487,75 @@ ollama pull llama3.3
 }
 ```
 
-当 Ollama 在本地 `http://127.0.0.1:11434/v1` 运行时会自动检测。参见 [/providers/ollama](/providers/ollama) 了解模型推荐和自定义配置。
+当你通过
+`OLLAMA_API_KEY` 选择加入时，Ollama 会在本地 `http://127.0.0.1:11434` 被检测到，内置提供商插件会将 Ollama 直接添加到
+`openclaw onboard` 和模型选择器中。有关新手引导、云端/本地模式和自定义配置，请参见 [/providers/ollama](/providers/ollama)。
+
+### vLLM
+
+vLLM 作为内置提供商插件提供，用于本地/自托管的 OpenAI 兼容
+服务器：
+
+- 提供商：`vllm`
+- 身份验证：可选（取决于你的服务器）
+- 默认基础 URL：`http://127.0.0.1:8000/v1`
+
+要选择加入本地自动发现（如果你的服务器不强制身份验证，则任意值均可）：
+
+```bash
+export VLLM_API_KEY="vllm-local"
+```
+
+然后设置一个模型（替换为 `/v1/models` 返回的某个 ID）：
+
+```json5
+{
+  agents: {
+    defaults: { model: { primary: "vllm/your-model-id" } },
+  },
+}
+```
+
+详情请参见 [/providers/vllm](/providers/vllm)。
+
+### SGLang
+
+SGLang 作为内置提供商插件提供，用于高速自托管
+OpenAI 兼容服务器：
+
+- 提供商：`sglang`
+- 身份验证：可选（取决于你的服务器）
+- 默认基础 URL：`http://127.0.0.1:30000/v1`
+
+要选择加入本地自动发现（如果你的服务器不
+强制身份验证，则任意值均可）：
+
+```bash
+export SGLANG_API_KEY="sglang-local"
+```
+
+然后设置一个模型（替换为 `/v1/models` 返回的某个 ID）：
+
+```json5
+{
+  agents: {
+    defaults: { model: { primary: "sglang/your-model-id" } },
+  },
+}
+```
+
+详情请参见 [/providers/sglang](/providers/sglang)。
 
 ### 本地代理（LM Studio、vLLM、LiteLLM 等）
 
-示例（OpenAI 兼容）：
+示例（兼容 OpenAI）：
 
 ```json5
 {
   agents: {
     defaults: {
-      model: { primary: "lmstudio/minimax-m2.1-gs32" },
-      models: { "lmstudio/minimax-m2.1-gs32": { alias: "Minimax" } },
+      model: { primary: "lmstudio/minimax-m2.5-gs32" },
+      models: { "lmstudio/minimax-m2.5-gs32": { alias: "Minimax" } },
     },
   },
   models: {
@@ -283,8 +566,8 @@ ollama pull llama3.3
         api: "openai-completions",
         models: [
           {
-            id: "minimax-m2.1-gs32",
-            name: "MiniMax M2.1",
+            id: "minimax-m2.5-gs32",
+            name: "MiniMax M2.5",
             reasoning: false,
             input: ["text"],
             cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
@@ -298,23 +581,26 @@ ollama pull llama3.3
 }
 ```
 
-注意事项：
+说明：
 
 - 对于自定义提供商，`reasoning`、`input`、`cost`、`contextWindow` 和 `maxTokens` 是可选的。
-  省略时，OpenClaw 默认为：
+  如果省略，OpenClaw 默认使用：
   - `reasoning: false`
   - `input: ["text"]`
   - `cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 }`
   - `contextWindow: 200000`
   - `maxTokens: 8192`
 - 建议：设置与你的代理/模型限制匹配的显式值。
+- 对于非原生端点上的 `api: "openai-completions"`（任何主机不是 `api.openai.com` 的非空 `baseUrl`），OpenClaw 会强制设置 `compat.supportsDeveloperRole: false`，以避免提供商因不支持 `developer` 角色而返回 400 错误。
+- 如果 `baseUrl` 为空/省略，OpenClaw 会保留默认 OpenAI 行为（即解析为 `api.openai.com`）。
+- 出于安全考虑，在非原生 `openai-completions` 端点上，显式的 `compat.supportsDeveloperRole: true` 仍会被覆盖。
 
 ## CLI 示例
 
 ```bash
 openclaw onboard --auth-choice opencode-zen
-openclaw models set opencode/claude-opus-4-5
+openclaw models set opencode/claude-opus-4-6
 openclaw models list
 ```
 
-另请参阅：[/gateway/configuration](/gateway/configuration) 了解完整配置示例。
+另请参见：[/gateway/configuration](/gateway/configuration) 了解完整配置示例。
diff --git a/docs/zh-CN/concepts/models.md b/docs/zh-CN/concepts/models.md
index 01bb8e14202..f81c68b069b 100644
--- a/docs/zh-CN/concepts/models.md
+++ b/docs/zh-CN/concepts/models.md
@@ -1,79 +1,85 @@
 ---
 read_when:
-  - 添加或修改模型 CLI（models list/set/scan/aliases/fallbacks）
-  - 更改模型回退行为或选择用户体验
-  - 更新模型扫描探测（工具/图像）
-summary: 模型 CLI：列表、设置、别名、回退、扫描、状态
-title: 模型 CLI
+  - 添加或修改 models CLI（models list/set/scan/aliases/fallbacks）
+  - 更改模型回退行为或选择 UX
+  - 更新模型扫描探测（tools/images）
+summary: Models CLI：列出、设置、别名、回退、扫描、状态
+title: Models CLI
 x-i18n:
-  generated_at: "2026-02-03T10:05:42Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: e8b54bb370b4f63a9b917594fb0f6ff48192e168196d30c713b8bbe72b78fef6
+  generated_at: "2026-03-16T06:22:01Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 26150aef638bc3375866dec736b98eac32384466a8ef2b0a471fb7ff7729b13c
   source_path: concepts/models.md
   workflow: 15
 ---
 
-# 模型 CLI
+# Models CLI
 
-参见 [/concepts/model-failover](/concepts/model-failover) 了解认证配置文件轮换、冷却时间及其与回退的交互。
-快速提供商概述 + 示例：[/concepts/model-providers](/concepts/model-providers)。
+关于凭证配置轮换、冷却时间以及它们如何与回退交互，请参阅 [/concepts/model-failover](/concepts/model-failover)。
+快速提供商概览 + 示例：[/concepts/model-providers](/concepts/model-providers)。
 
-## 模型选择工作原理
+## 模型选择的工作方式
 
 OpenClaw 按以下顺序选择模型：
 
-1. **主要**模型（`agents.defaults.model.primary` 或 `agents.defaults.model`）。
-2. `agents.defaults.model.fallbacks` 中的**回退**（按顺序）。
-3. **提供商认证故障转移**在移动到下一个模型之前在提供商内部发生。
+1. **主模型**（`agents.defaults.model.primary` 或 `agents.defaults.model`）。
+2. `agents.defaults.model.fallbacks` 中的 **回退模型**（按顺序）。
+3. **提供商凭证故障切换** 会在单个提供商内部发生，然后才会移动到下一个模型。
 
-相关：
+相关内容：
 
-- `agents.defaults.models` 是 OpenClaw 可使用的模型白名单/目录（加上别名）。
-- `agents.defaults.imageModel` **仅在**主要模型无法接受图像时使用。
-- 每个智能体的默认值可以通过 `agents.list[].model` 加绑定覆盖 `agents.defaults.model`（参见 [/concepts/multi-agent](/concepts/multi-agent)）。
+- `agents.defaults.models` 是 OpenClaw 可使用的模型允许列表/目录（以及别名）。
+- `agents.defaults.imageModel` **仅在** 主模型无法接受图像时使用。
+- 每个智能体的默认值可以通过 `agents.list[].model` 加上绑定来覆盖 `agents.defaults.model`（见 [/concepts/multi-agent](/concepts/multi-agent)）。
 
-## 快速模型推荐（经验之谈）
+## 快速模型策略
 
-- **GLM**：在编程/工具调用方面稍好。
-- **MiniMax**：在写作和氛围方面更好。
+- 将你的主模型设置为你可用的、最新一代中最强的模型。
+- 对于对成本/延迟敏感的任务和风险较低的聊天，使用回退模型。
+- 对于启用了工具的智能体或不受信任的输入，避免使用较旧/较弱的模型层级。
 
 ## 设置向导（推荐）
 
-如果你不想手动编辑配置，请运行新手引导向导：
+如果你不想手动编辑配置，请运行设置向导：
 
 ```bash
 openclaw onboard
 ```
 
-它可以为常见提供商设置模型 + 认证，包括 **OpenAI Code（Codex）订阅**（OAuth）和 **Anthropic**（推荐使用 API 密钥；也支持 `claude setup-token`）。
+它可以为常见提供商设置模型 + 凭证，包括 **OpenAI Code (Codex)**
+订阅（OAuth）和 **Anthropic**（API key 或 `claude setup-token`）。
 
-## 配置键（概述）
+## 配置键（概览）
 
 - `agents.defaults.model.primary` 和 `agents.defaults.model.fallbacks`
 - `agents.defaults.imageModel.primary` 和 `agents.defaults.imageModel.fallbacks`
-- `agents.defaults.models`（白名单 + 别名 + 提供商参数）
+- `agents.defaults.models`（允许列表 + 别名 + 提供商参数）
 - `models.providers`（写入 `models.json` 的自定义提供商）
 
-模型引用会规范化为小写。提供商别名如 `z.ai/*` 会规范化为 `zai/*`。
+模型引用会被规范化为小写。像 `z.ai/*` 这样的提供商别名会被规范化
+为 `zai/*`。
 
-提供商配置示例（包括 OpenCode Zen）在 [/gateway/configuration](/gateway/configuration#opencode-zen-multi-model-proxy)。
+提供商配置示例（包括 OpenCode）位于
+[/gateway/configuration](/gateway/configuration#opencode)。
 
-## "Model is not allowed"（以及为什么回复停止）
+## “Model is not allowed”（以及为什么回复会停止）
 
-如果设置了 `agents.defaults.models`，它将成为 `/model` 和会话覆盖的**白名单**。当用户选择不在该白名单中的模型时，OpenClaw 返回：
+如果设置了 `agents.defaults.models`，它就会成为 `/model` 和会话覆盖的 **允许列表**。当用户选择了不在该允许列表中的模型时，
+OpenClaw 会返回：
 
 ```
 Model "provider/model" is not allowed. Use /model to list available models.
 ```
 
-这发生在正常回复生成**之前**，所以消息可能感觉像"没有响应"。修复方法是：
+这会在生成正常回复 **之前** 发生，因此消息可能会让人觉得
+它“没有响应”。修复方法是：
 
-- 将模型添加到 `agents.defaults.models`，或
-- 清除白名单（删除 `agents.defaults.models`），或
+- 将该模型添加到 `agents.defaults.models`，或者
+- 清除允许列表（移除 `agents.defaults.models`），或者
 - 从 `/model list` 中选择一个模型。
 
-白名单配置示例：
+允许列表示例配置：
 
 ```json5
 {
@@ -81,7 +87,7 @@ Model "provider/model" is not allowed. Use /model to list available models.
     model: { primary: "anthropic/claude-sonnet-4-5" },
     models: {
       "anthropic/claude-sonnet-4-5": { alias: "Sonnet" },
-      "anthropic/claude-opus-4-5": { alias: "Opus" },
+      "anthropic/claude-opus-4-6": { alias: "Opus" },
     },
   },
 }
@@ -89,7 +95,7 @@ Model "provider/model" is not allowed. Use /model to list available models.
 
 ## 在聊天中切换模型（`/model`）
 
-你可以在不重启的情况下切换当前会话的模型：
+你可以在不重启的情况下为当前会话切换模型：
 
 ```
 /model
@@ -99,16 +105,17 @@ Model "provider/model" is not allowed. Use /model to list available models.
 /model status
 ```
 
-注意事项：
+说明：
 
-- `/model`（和 `/model list`）是紧凑的编号选择器（模型系列 + 可用提供商）。
-- `/model <#>` 从该选择器中选择。
-- `/model status` 是详细视图（认证候选项，以及配置时的提供商端点 `baseUrl` + `api` 模式）。
-- 模型引用通过在**第一个** `/` 处分割来解析。输入 `/model <ref>` 时使用 `provider/model`。
-- 如果模型 ID 本身包含 `/`（OpenRouter 风格），你必须包含提供商前缀（例如：`/model openrouter/moonshotai/kimi-k2`）。
-- 如果省略提供商，OpenClaw 将输入视为别名或**默认提供商**的模型（仅在模型 ID 中没有 `/` 时有效）。
+- `/model`（以及 `/model list`）是一个紧凑的编号选择器（模型家族 + 可用提供商）。
+- 在 Discord 上，`/model` 和 `/models` 会打开一个交互式选择器，其中包含提供商和模型下拉菜单，以及一个 Submit 步骤。
+- `/model <#>` 会从该选择器中进行选择。
+- `/model status` 是详细视图（凭证候选项，以及在已配置时显示提供商端点 `baseUrl` + `api` 模式）。
+- 模型引用是通过按 **第一个** `/` 进行分割来解析的。输入 `/model <ref>` 时请使用 `provider/model`。
+- 如果模型 ID 本身包含 `/`（OpenRouter 风格），你必须包含提供商前缀（示例：`/model openrouter/moonshotai/kimi-k2`）。
+- 如果你省略提供商，OpenClaw 会将输入视为别名或 **默认提供商** 的模型（仅在模型 ID 中没有 `/` 时有效）。
 
-完整命令行为/配置：[斜杠命令](/tools/slash-commands)。
+完整命令行为/配置： [Slash commands](/tools/slash-commands)。
 
 ## CLI 命令
 
@@ -137,7 +144,7 @@ openclaw models image-fallbacks clear
 
 ### `models list`
 
-默认显示已配置的模型。有用的标志：
+默认显示已配置的模型。常用标志：
 
 - `--all`：完整目录
 - `--local`：仅本地提供商
@@ -147,12 +154,18 @@ openclaw models image-fallbacks clear
 
 ### `models status`
 
-显示已解析的主要模型、回退、图像模型，以及已配置提供商的认证概述。它还显示认证存储中找到的配置文件的 OAuth 过期状态（默认在 24 小时内警告）。`--plain` 仅打印已解析的主要模型。
-OAuth 状态始终显示（并包含在 `--json` 输出中）。如果已配置的提供商没有凭证，`models status` 会打印 **Missing auth** 部分。
-JSON 包括 `auth.oauth`（警告窗口 + 配置文件）和 `auth.providers`（每个提供商的有效认证）。
-使用 `--check` 进行自动化（缺失/过期时退出 `1`，即将过期时退出 `2`）。
+显示已解析的主模型、回退模型、图像模型，以及已配置提供商的凭证概览。它还会显示凭证存储中找到的配置文件的 OAuth 过期状态
+（默认会在 24 小时内到期时警告）。`--plain` 仅打印已解析的
+主模型。
+OAuth 状态始终会显示（并包含在 `--json` 输出中）。如果某个已配置的
+提供商没有凭证，`models status` 会打印一个 **Missing auth** 部分。
+JSON 包含 `auth.oauth`（警告窗口 + 配置文件）和 `auth.providers`
+（每个提供商的有效凭证）。
+自动化场景请使用 `--check`（缺失/已过期时退出码为 `1`，即将过期时为 `2`）。
 
-首选的 Anthropic 认证是 Claude Code CLI setup-token（在任何地方运行；如需要在 Gateway 网关主机上粘贴）：
+凭证选择取决于提供商/账号。对于始终在线的 Gateway 网关主机，API key 通常最可预测；也支持订阅 token 流程。
+
+示例（Anthropic setup-token）：
 
 ```bash
 claude setup-token
@@ -161,21 +174,23 @@ openclaw models status
 
 ## 扫描（OpenRouter 免费模型）
 
-`openclaw models scan` 检查 OpenRouter 的**免费模型目录**，并可选择性地探测模型的工具和图像支持。
+`openclaw models scan` 会检查 OpenRouter 的 **免费模型目录**，并且可以
+选择性地探测模型对工具和图像的支持。
 
 关键标志：
 
 - `--no-probe`：跳过实时探测（仅元数据）
-- `--min-params <b>`：最小参数量（十亿）
-- `--max-age-days <days>`：跳过较旧的模型
+- `--min-params <b>`：最小参数规模（十亿）
+- `--max-age-days <days>`：跳过较旧模型
 - `--provider <name>`：提供商前缀筛选
 - `--max-candidates <n>`：回退列表大小
-- `--set-default`：将 `agents.defaults.model.primary` 设置为第一个选择
-- `--set-image`：将 `agents.defaults.imageModel.primary` 设置为第一个图像选择
+- `--set-default`：将 `agents.defaults.model.primary` 设置为第一个选择项
+- `--set-image`：将 `agents.defaults.imageModel.primary` 设置为第一个图像选择项
 
-探测需要 OpenRouter API 密钥（来自认证配置文件或 `OPENROUTER_API_KEY`）。没有密钥时，使用 `--no-probe` 仅列出候选项。
+探测需要 OpenRouter API key（来自凭证配置文件或
+`OPENROUTER_API_KEY`）。如果没有 key，请使用 `--no-probe` 仅列出候选项。
 
-扫描结果按以下顺序排名：
+扫描结果按以下顺序排序：
 
 1. 图像支持
 2. 工具延迟
@@ -185,12 +200,26 @@ openclaw models status
 输入
 
 - OpenRouter `/models` 列表（筛选 `:free`）
-- 需要来自认证配置文件或 `OPENROUTER_API_KEY` 的 OpenRouter API 密钥（参见 [/environment](/help/environment)）
+- 需要来自凭证配置文件或 `OPENROUTER_API_KEY` 的 OpenRouter API key（见 [/environment](/help/environment)）
 - 可选筛选器：`--max-age-days`、`--min-params`、`--provider`、`--max-candidates`
 - 探测控制：`--timeout`、`--concurrency`
 
-在 TTY 中运行时，你可以交互式选择回退。在非交互模式下，传递 `--yes` 接受默认值。
+在 TTY 中运行时，你可以交互式选择回退模型。在非交互
+模式下，传入 `--yes` 以接受默认值。
 
 ## 模型注册表（`models.json`）
 
-`models.providers` 中的自定义提供商会写入智能体目录下的 `models.json`（默认 `~/.openclaw/agents/<agentId>/models.json`）。除非 `models.mode` 设置为 `replace`，否则此文件默认会被合并。
+`models.providers` 中的自定义提供商会写入
+智能体目录下的 `models.json`（默认是 `~/.openclaw/agents/<agentId>/agent/models.json`）。默认会合并此文件，除非将 `models.mode` 设置为 `replace`。
+
+匹配提供商 ID 时的合并模式优先级：
+
+- 智能体 `models.json` 中已存在的非空 `baseUrl` 优先。
+- 智能体 `models.json` 中的非空 `apiKey` 仅在该提供商在当前配置/凭证配置文件上下文中不是 SecretRef 管理时才优先。
+- 由 SecretRef 管理的提供商 `apiKey` 值会从源标记（环境变量引用使用 `ENV_VAR_NAME`，文件/exec 引用使用 `secretref-managed`）刷新，而不是持久化已解析的 secret。
+- 由 SecretRef 管理的提供商 header 值会从源标记（环境变量引用使用 `secretref-env:ENV_VAR_NAME`，文件/exec 引用使用 `secretref-managed`）刷新。
+- 智能体中为空或缺失的 `apiKey`/`baseUrl` 会回退到配置中的 `models.providers`。
+- 其他提供商字段会从配置和规范化后的目录数据中刷新。
+
+标记持久化以源为准：OpenClaw 会根据活动源配置快照（预解析）写入标记，而不是根据运行时已解析的 secret 值写入。
+这适用于 OpenClaw 重新生成 `models.json` 的所有情况，包括像 `openclaw agent` 这样的命令驱动路径。
diff --git a/docs/zh-CN/concepts/oauth.md b/docs/zh-CN/concepts/oauth.md
index 74cf7b8f3c0..b7f37164b97 100644
--- a/docs/zh-CN/concepts/oauth.md
+++ b/docs/zh-CN/concepts/oauth.md
@@ -1,69 +1,80 @@
 ---
 read_when:
-  - 你想全面了解 OpenClaw 的 OAuth 流程
+  - 你想端到端了解 OpenClaw OAuth
   - 你遇到了令牌失效/登出问题
-  - 你想了解 setup-token 或 OAuth 认证流程
-  - 你想使用多账户或配置文件路由
+  - 你想使用 setup-token 或 OAuth 认证流程
+  - 你想使用多个账户或配置文件路由
 summary: OpenClaw 中的 OAuth：令牌交换、存储和多账户模式
 title: OAuth
 x-i18n:
-  generated_at: "2026-02-01T20:23:29Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: af714bdadc4a89295a18da1eba5f5b857c8d533ebabe9b0758b722fe60c36124
+  generated_at: "2026-03-16T06:22:05Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 976668c3e02ee50500fcaaa585a89af718398dc41988318ec3a583c2d5449df3
   source_path: concepts/oauth.md
-  workflow: 14
+  workflow: 15
 ---
 
 # OAuth
 
-OpenClaw 支持通过 OAuth 进行"订阅认证"，适用于提供此功能的提供商（特别是 **OpenAI Codex（ChatGPT OAuth）**）。对于 Anthropic 订阅，请使用 **setup-token** 流程。本页说明：
+OpenClaw 通过 OAuth 支持提供商提供的“订阅认证”，适用于支持此方式的提供商（尤其是 **OpenAI Codex（ChatGPT OAuth）**）。对于 Anthropic 订阅，请使用 **setup-token** 流程。过去有些用户在 Claude Code 之外使用 Anthropic 订阅时曾受限，因此这应视为用户自行选择承担的风险，你应自行核实 Anthropic 当前的政策。OpenAI Codex OAuth 明确支持在 OpenClaw 这样的外部工具中使用。本页说明：
 
-- OAuth **令牌交换**的工作原理（PKCE）
-- 令牌**存储**在哪里（以及原因）
-- 如何处理**多账户**（配置文件 + 按会话覆盖）
+对于生产环境中的 Anthropic，相比订阅 setup-token 认证，API 密钥认证是更安全、也更推荐的路径。
 
-OpenClaw 还支持**提供商插件**，它们自带 OAuth 或 API 密钥流程。通过以下命令运行：
+- OAuth **令牌交换** 如何工作（PKCE）
+- 令牌**存储**在哪里（以及为什么）
+- 如何处理**多个账户**（配置文件 + 按会话覆盖）
+
+OpenClaw 也支持自带 OAuth 或 API 密钥流程的**提供商插件**。运行方式如下：
 
 ```bash
 openclaw models auth login --provider <id>
 ```
 
-## 令牌汇聚点（为什么需要它）
+## 令牌汇点（为什么需要它）
 
-OAuth 提供商通常在登录/刷新流程中发放**新的刷新令牌**。某些提供商（或 OAuth 客户端）在为同一用户/应用发放新令牌时，可能会使旧的刷新令牌失效。
+OAuth 提供商通常会在登录/刷新流程中签发一个**新的刷新令牌**。某些提供商（或 OAuth 客户端）会在为同一用户/应用签发新令牌时使旧的刷新令牌失效。
 
 实际症状：
 
-- 你通过 OpenClaw _和_ Claude Code / Codex CLI 登录 → 其中一个稍后会随机"登出"
+- 你同时通过 OpenClaw _和_ Claude Code / Codex CLI 登录 → 之后其中一个会随机“被登出”
 
-为减少这种情况，OpenClaw 将 `auth-profiles.json` 视为**令牌汇聚点**：
+为减少这种情况，OpenClaw 将 `auth-profiles.json` 视为一个**令牌汇点**：
 
-- 运行时从**同一个位置**读取凭据
-- 我们可以保留多个配置文件并确定性地路由它们
+- 运行时从**同一个地方**读取凭证
+- 我们可以保留多个配置文件，并进行确定性路由
 
 ## 存储（令牌存放位置）
 
-密钥按**智能体**存储：
+密钥按**每个智能体**存储：
 
-- 认证配置文件（OAuth + API 密钥）：`~/.openclaw/agents/<agentId>/agent/auth-profiles.json`
-- 运行时缓存（自动管理；请勿编辑）：`~/.openclaw/agents/<agentId>/agent/auth.json`
+- 认证配置文件（OAuth + API 密钥 + 可选的值级引用）：`~/.openclaw/agents/<agentId>/agent/auth-profiles.json`
+- 旧版兼容文件：`~/.openclaw/agents/<agentId>/agent/auth.json`
+  （发现静态 `api_key` 条目时会进行清理）
 
-仅用于导入的旧版文件（仍然支持，但不是主存储）：
+仅用于旧版导入的文件（仍受支持，但不是主存储）：
 
-- `~/.openclaw/credentials/oauth.json`（首次使用时导入到 `auth-profiles.json`）
+- `~/.openclaw/credentials/oauth.json`（首次使用时会导入到 `auth-profiles.json`）
 
-以上所有路径也遵循 `$OPENCLAW_STATE_DIR`（状态目录覆盖）。完整参考：[/gateway/configuration](/gateway/configuration#auth-storage-oauth--api-keys)
+以上所有位置也都遵循 `$OPENCLAW_STATE_DIR`（状态目录覆盖）。完整参考：[/gateway/configuration](/gateway/configuration#auth-storage-oauth--api-keys)
+
+有关静态密钥引用和运行时快照激活行为，请参见 [Secrets Management](/gateway/secrets)。
 
 ## Anthropic setup-token（订阅认证）
 
+<Warning>
+Anthropic setup-token 支持是技术兼容性，并非策略保证。
+Anthropic 过去曾阻止过某些在 Claude Code 之外的订阅使用。
+是否使用订阅认证由你自行决定，并请核实 Anthropic 当前的条款。
+</Warning>
+
 在任意机器上运行 `claude setup-token`，然后将其粘贴到 OpenClaw 中：
 
 ```bash
 openclaw models auth setup-token --provider anthropic
 ```
 
-如果你在其他地方生成了令牌，可以手动粘贴：
+如果你是在其他地方生成的令牌，可手动粘贴：
 
 ```bash
 openclaw models auth paste-token --provider anthropic
@@ -75,77 +86,79 @@ openclaw models auth paste-token --provider anthropic
 openclaw models status
 ```
 
-## OAuth 交换（登录工作原理）
+## OAuth 交换（登录如何工作）
 
-OpenClaw 的交互式登录流程在 `@mariozechner/pi-ai` 中实现，并集成到向导/命令中。
+OpenClaw 的交互式登录流程在 `@mariozechner/pi-ai` 中实现，并接入到各类向导/命令中。
 
-### Anthropic（Claude Pro/Max）setup-token
+### Anthropic setup-token
 
-流程概要：
+流程形态：
 
 1. 运行 `claude setup-token`
 2. 将令牌粘贴到 OpenClaw
-3. 作为令牌认证配置文件存储（无刷新）
+3. 存储为令牌认证配置文件（不刷新）
 
 向导路径为 `openclaw onboard` → 认证选择 `setup-token`（Anthropic）。
 
 ### OpenAI Codex（ChatGPT OAuth）
 
-流程概要（PKCE）：
+OpenAI Codex OAuth 明确支持在 Codex CLI 之外使用，包括 OpenClaw 工作流。
 
-1. 生成 PKCE 验证器/质询 + 随机 `state`
+流程形态（PKCE）：
+
+1. 生成 PKCE verifier/challenge 和随机 `state`
 2. 打开 `https://auth.openai.com/oauth/authorize?...`
 3. 尝试在 `http://127.0.0.1:1455/auth/callback` 捕获回调
-4. 如果回调无法绑定（或你在远程/无头环境中），手动粘贴重定向 URL/代码
-5. 在 `https://auth.openai.com/oauth/token` 进行交换
+4. 如果回调无法绑定（或你是在远程/无头环境中），则粘贴重定向 URL/code
+5. 在 `https://auth.openai.com/oauth/token` 交换令牌
 6. 从访问令牌中提取 `accountId` 并存储 `{ access, refresh, expires, accountId }`
 
 向导路径为 `openclaw onboard` → 认证选择 `openai-codex`。
 
-## 刷新 + 过期
+## 刷新和过期
 
-配置文件存储 `expires` 时间戳。
+配置文件会存储一个 `expires` 时间戳。
 
-运行时：
+在运行时：
 
-- 如果 `expires` 在未来 → 使用已存储的访问令牌
-- 如果已过期 → 刷新（在文件锁下）并覆盖已存储的凭据
+- 如果 `expires` 尚未到期 → 使用已存储的访问令牌
+- 如果已过期 → 在文件锁下刷新，并覆盖已存储的凭证
 
-刷新流程是自动的；你通常不需要手动管理令牌。
+刷新流程是自动的；通常你不需要手动管理令牌。
 
-## 多账户（配置文件）+ 路由
+## 多个账户（配置文件）+ 路由
 
-两种模式：
+有两种模式：
 
-### 1）推荐：独立智能体
+### 1）推荐：分离的智能体
 
-如果你希望"个人"和"工作"永远不交叉，请使用隔离的智能体（独立的会话 + 凭据 + 工作区）：
+如果你希望“个人”和“工作”永不交叉，请使用隔离的智能体（独立的会话 + 凭证 + 工作区）：
 
 ```bash
 openclaw agents add work
 openclaw agents add personal
 ```
 
-然后按智能体配置认证（向导），并将聊天路由到正确的智能体。
+然后按智能体配置认证（使用向导），并将聊天路由到正确的智能体。
 
 ### 2）高级：单个智能体中的多个配置文件
 
-`auth-profiles.json` 支持同一提供商的多个配置文件 ID。
+`auth-profiles.json` 支持同一提供商下的多个配置文件 ID。
 
 选择使用哪个配置文件：
 
-- 通过配置顺序全局设置（`auth.order`）
-- 通过 `/model ...@<profileId>` 按会话设置
+- 通过配置排序全局选择（`auth.order`）
+- 通过 `/model ...@<profileId>` 按会话选择
 
 示例（会话覆盖）：
 
 - `/model Opus@anthropic:work`
 
-如何查看存在哪些配置文件 ID：
+查看现有配置文件 ID 的方法：
 
 - `openclaw channels list --json`（显示 `auth[]`）
 
 相关文档：
 
 - [/concepts/model-failover](/concepts/model-failover)（轮换 + 冷却规则）
-- [/tools/slash-commands](/tools/slash-commands)（命令界面）
+- [/tools/slash-commands](/tools/slash-commands)（命令入口）
diff --git a/docs/zh-CN/gateway/authentication.md b/docs/zh-CN/gateway/authentication.md
index 6d3ce45f20a..a1a5a06ffec 100644
--- a/docs/zh-CN/gateway/authentication.md
+++ b/docs/zh-CN/gateway/authentication.md
@@ -1,41 +1,50 @@
 ---
 read_when:
   - 调试模型认证或 OAuth 过期
-  - 记录认证或凭证存储
-summary: 模型认证：OAuth、API 密钥和 setup-token
+  - 编写有关认证或凭证存储的文档
+summary: 模型认证：OAuth、API key 和 setup-token
 title: 认证
 x-i18n:
-  generated_at: "2026-02-03T07:47:32Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 66fa2c64ff374c9cfcdb4e7a951b0d164d512295e65513eb682f12191b75e557
+  generated_at: "2026-03-16T06:22:17Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 219ac1acd7d192a5a12779e204cca65dae77a852fdc668271c45c01e0c69b7c9
   source_path: gateway/authentication.md
   workflow: 15
 ---
 
 # 认证
 
-OpenClaw 支持模型提供商的 OAuth 和 API 密钥。对于 Anthropic 账户，我们推荐使用 **API 密钥**。对于 Claude 订阅访问，使用 `claude setup-token` 创建的长期令牌。
+OpenClaw 支持模型提供商使用 OAuth 和 API key。对于始终在线的 Gateway 网关
+主机，API key 通常是最可预测的选项。当它们与你的提供商账号模型匹配时，
+也支持订阅/OAuth 流程。
 
-参阅 [/concepts/oauth](/concepts/oauth) 了解完整的 OAuth 流程和存储布局。
+完整的 OAuth 流程和存储布局，请参阅 [/concepts/oauth](/concepts/oauth)。
+关于基于 SecretRef 的认证（`env`/`file`/`exec` 提供商），请参阅 [Secrets Management](/gateway/secrets)。
+关于 `models status --probe` 使用的凭证资格/原因码规则，请参阅
+[Auth Credential Semantics](/auth-credential-semantics)。
 
-## 推荐的 Anthropic 设置（API 密钥）
+## 推荐设置（API key，任意提供商）
 
-如果你直接使用 Anthropic，请使用 API 密钥。
+如果你正在运行长期存活的 Gateway 网关，请先为你选择的
+提供商配置一个 API key。
+对于 Anthropic，API key 认证是更稳妥的方式，推荐优先于
+订阅 setup-token 认证。
 
-1. 在 Anthropic 控制台创建 API 密钥。
-2. 将其放在 **Gateway 网关主机**（运行 `openclaw gateway` 的机器）上。
+1. 在你的提供商控制台中创建一个 API key。
+2. 将它放在 **Gateway 网关主机** 上（运行 `openclaw gateway` 的机器）。
 
 ```bash
-export ANTHROPIC_API_KEY="..."
+export <PROVIDER>_API_KEY="..."
 openclaw models status
 ```
 
-3. 如果 Gateway 网关在 systemd/launchd 下运行，最好将密钥放在 `~/.openclaw/.env` 中以便守护进程可以读取：
+3. 如果 Gateway 通过 systemd/launchd 运行，建议将 key 放入
+   `~/.openclaw/.env`，这样守护进程就可以读取它：
 
 ```bash
 cat >> ~/.openclaw/.env <<'EOF'
-ANTHROPIC_API_KEY=...
+<PROVIDER>_API_KEY=...
 EOF
 ```
 
@@ -46,25 +55,28 @@ openclaw models status
 openclaw doctor
 ```
 
-如果你不想自己管理环境变量，新手引导向导可以为守护进程使用存储 API 密钥：`openclaw onboard`。
+如果你不想自己管理环境变量，设置向导可以为守护进程使用场景存储
+API key：`openclaw onboard`。
 
-参阅[帮助](/help)了解环境变量继承的详情（`env.shellEnv`、`~/.openclaw/.env`、systemd/launchd）。
+有关环境继承（`env.shellEnv`、
+`~/.openclaw/.env`、systemd/launchd）的详细信息，请参阅 [Help](/help)。
 
 ## Anthropic：setup-token（订阅认证）
 
-对于 Anthropic，推荐的路径是 **API 密钥**。如果你使用 Claude 订阅，也支持 setup-token 流程。在 **Gateway 网关主机**上运行：
+如果你使用的是 Claude 订阅，则支持 setup-token 流程。请在
+**Gateway 网关主机** 上运行：
 
 ```bash
 claude setup-token
 ```
 
-然后将其粘贴到 OpenClaw：
+然后将它粘贴到 OpenClaw 中：
 
 ```bash
 openclaw models auth setup-token --provider anthropic
 ```
 
-如果令牌是在另一台机器上创建的，手动粘贴：
+如果 token 是在另一台机器上创建的，请手动粘贴：
 
 ```bash
 openclaw models auth paste-token --provider anthropic
@@ -76,22 +88,34 @@ openclaw models auth paste-token --provider anthropic
 This credential is only authorized for use with Claude Code and cannot be used for other API requests.
 ```
 
-…请改用 Anthropic API 密钥。
+……请改用 Anthropic API key。
 
-手动令牌输入（任何提供商；写入 `auth-profiles.json` + 更新配置）：
+<Warning>
+Anthropic setup-token 支持仅是技术兼容性。Anthropic 过去曾阻止
+Claude Code 之外的某些订阅用法。只有在你认为相关策略风险可接受时才使用它，
+并请你自行核实 Anthropic 当前的条款。
+</Warning>
+
+手动输入 token（任意提供商；会写入 `auth-profiles.json` + 更新配置）：
 
 ```bash
 openclaw models auth paste-token --provider anthropic
 openclaw models auth paste-token --provider openrouter
 ```
 
-自动化友好检查（过期/缺失时退出 `1`，即将过期时退出 `2`）：
+静态凭证也支持凭证配置文件引用：
+
+- `api_key` 凭证可以使用 `keyRef: { source, provider, id }`
+- `token` 凭证可以使用 `tokenRef: { source, provider, id }`
+
+适合自动化的检查（已过期/缺失时退出码为 `1`，即将过期时为 `2`）：
 
 ```bash
 openclaw models status --check
 ```
 
-可选的运维脚本（systemd/Termux）在此处记录：[/automation/auth-monitoring](/automation/auth-monitoring)
+可选的运维脚本（systemd/Termux）记录在这里：
+[/automation/auth-monitoring](/automation/auth-monitoring)
 
 > `claude setup-token` 需要交互式 TTY。
 
@@ -102,17 +126,33 @@ openclaw models status
 openclaw doctor
 ```
 
+## API key 轮换行为（Gateway 网关）
+
+某些提供商支持在 API 调用触发提供商限流时，使用替代 key 重试请求。
+
+- 优先级顺序：
+  - `OPENCLAW_LIVE_<PROVIDER>_KEY`（单个覆盖值）
+  - `<PROVIDER>_API_KEYS`
+  - `<PROVIDER>_API_KEY`
+  - `<PROVIDER>_API_KEY_*`
+- Google 提供商还将 `GOOGLE_API_KEY` 作为额外回退项。
+- 使用前会对同一组 key 列表去重。
+- 仅当出现限流错误时，OpenClaw 才会使用下一个 key 重试（例如
+  `429`、`rate_limit`、`quota`、`resource exhausted`）。
+- 非限流错误不会使用替代 key 重试。
+- 如果所有 key 都失败，则返回最后一次尝试的最终错误。
+
 ## 控制使用哪个凭证
 
-### 每会话（聊天命令）
+### 每个会话（聊天命令）
 
-使用 `/model <alias-or-id>@<profileId>` 为当前会话固定特定的提供商凭证（示例配置文件 ID：`anthropic:default`、`anthropic:work`）。
+使用 `/model <alias-or-id>@<profileId>` 为当前会话固定使用特定的提供商凭证（示例配置文件 id：`anthropic:default`、`anthropic:work`）。
 
-使用 `/model`（或 `/model list`）获取紧凑的选择器；使用 `/model status` 获取完整视图（候选项 + 下一个认证配置文件，以及配置时的提供商端点详情）。
+使用 `/model`（或 `/model list`）查看紧凑选择器；使用 `/model status` 查看完整视图（候选项 + 下一个凭证配置文件，以及在已配置时显示提供商端点详情）。
 
-### 每智能体（CLI 覆盖）
+### 每个智能体（CLI 覆盖）
 
-为智能体设置显式的认证配置文件顺序覆盖（存储在该智能体的 `auth-profiles.json` 中）：
+为智能体设置显式的凭证配置文件顺序覆盖（存储在该智能体的 `auth-profiles.json` 中）：
 
 ```bash
 openclaw models auth order get --provider anthropic
@@ -120,23 +160,25 @@ openclaw models auth order set --provider anthropic anthropic:default
 openclaw models auth order clear --provider anthropic
 ```
 
-使用 `--agent <id>` 指定特定智能体；省略它则使用配置的默认智能体。
+使用 `--agent <id>` 指定特定智能体；省略它则使用已配置的默认智能体。
 
 ## 故障排除
 
-### "No credentials found"
+### “No credentials found”
 
-如果 Anthropic 令牌配置文件缺失，在 **Gateway 网关主机**上运行 `claude setup-token`，然后重新检查：
+如果缺少 Anthropic token 配置文件，请在
+**Gateway 网关主机** 上运行 `claude setup-token`，然后重新检查：
 
 ```bash
 openclaw models status
 ```
 
-### 令牌即将过期/已过期
+### Token 即将过期/已过期
 
-运行 `openclaw models status` 确认哪个配置文件即将过期。如果配置文件缺失，重新运行 `claude setup-token` 并再次粘贴令牌。
+运行 `openclaw models status` 以确认哪个配置文件即将过期。如果该配置文件
+缺失，请重新运行 `claude setup-token` 并再次粘贴 token。
 
 ## 要求
 
-- Claude Max 或 Pro 订阅（用于 `claude setup-token`）
+- Anthropic 订阅账号（用于 `claude setup-token`）
 - 已安装 Claude Code CLI（`claude` 命令可用）
diff --git a/docs/zh-CN/gateway/configuration-reference.md b/docs/zh-CN/gateway/configuration-reference.md
new file mode 100644
index 00000000000..0e46566c9ce
--- /dev/null
+++ b/docs/zh-CN/gateway/configuration-reference.md
@@ -0,0 +1,3103 @@
+---
+description: Complete field-by-field reference for ~/.openclaw/openclaw.json
+read_when:
+  - 你需要精确到字段级别的配置语义或默认值
+  - 你正在验证渠道、模型、Gateway 网关或工具配置块
+summary: 每个 OpenClaw 配置键、默认值和渠道设置的完整参考
+title: 配置参考
+x-i18n:
+  generated_at: "2026-03-16T06:27:43Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: c2926153fa94bbb3141ac7cd9ebfa381394c9c9ad7a1cf1d21fb91c879905d51
+  source_path: gateway/configuration-reference.md
+  workflow: 15
+---
+
+# 配置参考
+
+`~/.openclaw/openclaw.json` 中所有可用字段。若需面向任务的概览，请参见 [Configuration](/gateway/configuration)。
+
+配置格式为 **JSON5**（允许注释和尾随逗号）。所有字段都是可选的——省略时，OpenClaw 会使用安全默认值。
+
+---
+
+## 渠道
+
+只要某个渠道的配置节存在，它就会自动启动（除非设置了 `enabled: false`）。
+
+### 私信和群组访问
+
+所有渠道都支持私信策略和群组策略：
+
+| DM policy         | Behavior                                            |
+| ----------------- | --------------------------------------------------- |
+| `pairing`（默认） | 未知发送者会收到一次性配对码；所有者必须批准        |
+| `allowlist`       | 仅 `allowFrom` 中的发送者（或已配对的允许列表存储） |
+| `open`            | 允许所有入站私信（要求 `allowFrom: ["*"]`）         |
+| `disabled`        | 忽略所有入站私信                                    |
+
+| Group policy        | Behavior                               |
+| ------------------- | -------------------------------------- |
+| `allowlist`（默认） | 仅允许匹配已配置 allowlist 的群组      |
+| `open`              | 绕过群组 allowlist（仍会应用提及门控） |
+| `disabled`          | 阻止所有群组/房间消息                  |
+
+<Note>
+`channels.defaults.groupPolicy` 会在某个提供商的 `groupPolicy` 未设置时作为默认值。
+配对码会在 1 小时后过期。待处理的私信配对请求每个渠道最多 **3 个**。
+如果某个提供商配置块完全缺失（`channels.<provider>` 不存在），运行时群组策略会回退到 `allowlist`（默认拒绝），并在启动时发出警告。
+</Note>
+
+### 渠道模型覆盖
+
+使用 `channels.modelByChannel` 可将特定渠道 ID 固定到某个模型。值接受 `provider/model` 或已配置的模型别名。当会话尚未存在模型覆盖时（例如通过 `/model` 设置），才会应用渠道映射。
+
+```json5
+{
+  channels: {
+    modelByChannel: {
+      discord: {
+        "123456789012345678": "anthropic/claude-opus-4-6",
+      },
+      slack: {
+        C1234567890: "openai/gpt-4.1",
+      },
+      telegram: {
+        "-1001234567890": "openai/gpt-4.1-mini",
+        "-1001234567890:topic:99": "anthropic/claude-sonnet-4-6",
+      },
+    },
+  },
+}
+```
+
+### 渠道默认值和心跳
+
+使用 `channels.defaults` 为多个提供商共享群组策略和心跳行为：
+
+```json5
+{
+  channels: {
+    defaults: {
+      groupPolicy: "allowlist", // open | allowlist | disabled
+      heartbeat: {
+        showOk: false,
+        showAlerts: true,
+        useIndicator: true,
+      },
+    },
+  },
+}
+```
+
+- `channels.defaults.groupPolicy`：当提供商级 `groupPolicy` 未设置时使用的回退群组策略。
+- `channels.defaults.heartbeat.showOk`：在心跳输出中包含健康的渠道状态。
+- `channels.defaults.heartbeat.showAlerts`：在心跳输出中包含降级/错误状态。
+- `channels.defaults.heartbeat.useIndicator`：以紧凑的指示器样式渲染心跳输出。
+
+### WhatsApp
+
+WhatsApp 通过 Gateway 网关的 Web 渠道（Baileys Web）运行。当存在已关联的会话时，它会自动启动。
+
+```json5
+{
+  channels: {
+    whatsapp: {
+      dmPolicy: "pairing", // pairing | allowlist | open | disabled
+      allowFrom: ["+15555550123", "+447700900123"],
+      textChunkLimit: 4000,
+      chunkMode: "length", // length | newline
+      mediaMaxMb: 50,
+      sendReadReceipts: true, // 蓝色双勾（自聊模式下为 false）
+      groups: {
+        "*": { requireMention: true },
+      },
+      groupPolicy: "allowlist",
+      groupAllowFrom: ["+15551234567"],
+    },
+  },
+  web: {
+    enabled: true,
+    heartbeatSeconds: 60,
+    reconnect: {
+      initialMs: 2000,
+      maxMs: 120000,
+      factor: 1.4,
+      jitter: 0.2,
+      maxAttempts: 0,
+    },
+  },
+}
+```
+
+<Accordion title="多账户 WhatsApp">
+
+```json5
+{
+  channels: {
+    whatsapp: {
+      accounts: {
+        default: {},
+        personal: {},
+        biz: {
+          // authDir: "~/.openclaw/credentials/whatsapp/biz",
+        },
+      },
+    },
+  },
+}
+```
+
+- 出站命令默认使用账户 `default`（若存在）；否则使用第一个已配置的账户 ID（排序后）。
+- 可选的 `channels.whatsapp.defaultAccount` 会在其与某个已配置账户 ID 匹配时，覆盖该回退默认账户选择。
+- 旧版单账户 Baileys 认证目录会由 `openclaw doctor` 迁移到 `whatsapp/default`。
+- 按账户覆盖：`channels.whatsapp.accounts.<id>.sendReadReceipts`、`channels.whatsapp.accounts.<id>.dmPolicy`、`channels.whatsapp.accounts.<id>.allowFrom`。
+
+</Accordion>
+
+### Telegram
+
+```json5
+{
+  channels: {
+    telegram: {
+      enabled: true,
+      botToken: "your-bot-token",
+      dmPolicy: "pairing",
+      allowFrom: ["tg:123456789"],
+      groups: {
+        "*": { requireMention: true },
+        "-1001234567890": {
+          allowFrom: ["@admin"],
+          systemPrompt: "Keep answers brief.",
+          topics: {
+            "99": {
+              requireMention: false,
+              skills: ["search"],
+              systemPrompt: "Stay on topic.",
+            },
+          },
+        },
+      },
+      customCommands: [
+        { command: "backup", description: "Git backup" },
+        { command: "generate", description: "Create an image" },
+      ],
+      historyLimit: 50,
+      replyToMode: "first", // off | first | all
+      linkPreview: true,
+      streaming: "partial", // off | partial | block | progress（默认：off）
+      actions: { reactions: true, sendMessage: true },
+      reactionNotifications: "own", // off | own | all
+      mediaMaxMb: 100,
+      retry: {
+        attempts: 3,
+        minDelayMs: 400,
+        maxDelayMs: 30000,
+        jitter: 0.1,
+      },
+      network: {
+        autoSelectFamily: true,
+        dnsResultOrder: "ipv4first",
+      },
+      proxy: "socks5://localhost:9050",
+      webhookUrl: "https://example.com/telegram-webhook",
+      webhookSecret: "secret",
+      webhookPath: "/telegram-webhook",
+    },
+  },
+}
+```
+
+- 机器人令牌：`channels.telegram.botToken` 或 `channels.telegram.tokenFile`（仅常规文件；拒绝符号链接），默认账户还可回退到 `TELEGRAM_BOT_TOKEN`。
+- 可选的 `channels.telegram.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+- 在多账户设置（2 个及以上账户 ID）中，请设置显式默认值（`channels.telegram.defaultAccount` 或 `channels.telegram.accounts.default`），以避免回退路由；如果缺失或无效，`openclaw doctor` 会发出警告。
+- `configWrites: false` 会阻止 Telegram 发起的配置写入（超级群组 ID 迁移、`/config set|unset`）。
+- 顶层 `bindings[]` 中 `type: "acp"` 的条目会为论坛话题配置持久化 ACP 绑定（在 `match.peer.id` 中使用规范形式 `chatId:topic:topicId`）。字段语义与 [ACP Agents](/tools/acp-agents#channel-specific-settings) 共享。
+- Telegram 流式预览使用 `sendMessage` + `editMessageText`（适用于私聊和群聊）。
+- 重试策略：参见 [Retry policy](/concepts/retry)。
+
+### Discord
+
+```json5
+{
+  channels: {
+    discord: {
+      enabled: true,
+      token: "your-bot-token",
+      mediaMaxMb: 8,
+      allowBots: false,
+      actions: {
+        reactions: true,
+        stickers: true,
+        polls: true,
+        permissions: true,
+        messages: true,
+        threads: true,
+        pins: true,
+        search: true,
+        memberInfo: true,
+        roleInfo: true,
+        roles: false,
+        channelInfo: true,
+        voiceStatus: true,
+        events: true,
+        moderation: false,
+      },
+      replyToMode: "off", // off | first | all
+      dmPolicy: "pairing",
+      allowFrom: ["1234567890", "123456789012345678"],
+      dm: { enabled: true, groupEnabled: false, groupChannels: ["openclaw-dm"] },
+      guilds: {
+        "123456789012345678": {
+          slug: "friends-of-openclaw",
+          requireMention: false,
+          ignoreOtherMentions: true,
+          reactionNotifications: "own",
+          users: ["987654321098765432"],
+          channels: {
+            general: { allow: true },
+            help: {
+              allow: true,
+              requireMention: true,
+              users: ["987654321098765432"],
+              skills: ["docs"],
+              systemPrompt: "Short answers only.",
+            },
+          },
+        },
+      },
+      historyLimit: 20,
+      textChunkLimit: 2000,
+      chunkMode: "length", // length | newline
+      streaming: "off", // off | partial | block | progress（在 Discord 上 progress 映射为 partial）
+      maxLinesPerMessage: 17,
+      ui: {
+        components: {
+          accentColor: "#5865F2",
+        },
+      },
+      threadBindings: {
+        enabled: true,
+        idleHours: 24,
+        maxAgeHours: 0,
+        spawnSubagentSessions: false, // 为 `sessions_spawn({ thread: true })` 选择性启用
+      },
+      voice: {
+        enabled: true,
+        autoJoin: [
+          {
+            guildId: "123456789012345678",
+            channelId: "234567890123456789",
+          },
+        ],
+        daveEncryption: true,
+        decryptionFailureTolerance: 24,
+        tts: {
+          provider: "openai",
+          openai: { voice: "alloy" },
+        },
+      },
+      retry: {
+        attempts: 3,
+        minDelayMs: 500,
+        maxDelayMs: 30000,
+        jitter: 0.1,
+      },
+    },
+  },
+}
+```
+
+- 令牌：`channels.discord.token`，默认账户还可回退到 `DISCORD_BOT_TOKEN`。
+- 显式提供 Discord `token` 的直接出站调用会使用该令牌；账户重试/策略设置仍来自当前活动运行时快照中的所选账户。
+- 可选的 `channels.discord.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+- 对投递目标请使用 `user:<id>`（私信）或 `channel:<id>`（服务器频道）；裸数字 ID 会被拒绝。
+- 服务器 slug 为小写且空格替换为 `-`；频道键使用 slug 化名称（不含 `#`）。优先使用 guild ID。
+- 默认会忽略机器人自己发出的消息。`allowBots: true` 可启用；使用 `allowBots: "mentions"` 可仅接受提及该机器人的机器人消息（仍会过滤自己的消息）。
+- `channels.discord.guilds.<id>.ignoreOtherMentions`（及频道级覆盖）会丢弃那些提及了其他用户或角色但未提及机器人的消息（不含 @everyone/@here）。
+- `maxLinesPerMessage`（默认 17）会在消息过高时拆分，即便未超过 2000 个字符。
+- `channels.discord.threadBindings` 控制 Discord 线程绑定路由：
+  - `enabled`：线程绑定会话功能的 Discord 覆盖（`/focus`、`/unfocus`、`/agents`、`/session idle`、`/session max-age` 以及绑定后的投递/路由）
+  - `idleHours`：不活动自动取消聚焦的 Discord 覆盖值（小时，`0` 表示禁用）
+  - `maxAgeHours`：硬性最大年龄的 Discord 覆盖值（小时，`0` 表示禁用）
+  - `spawnSubagentSessions`：为 `sessions_spawn({ thread: true })` 自动创建/绑定线程的选择性开关
+- 顶层 `bindings[]` 中 `type: "acp"` 的条目会为频道和线程配置持久化 ACP 绑定（在 `match.peer.id` 中使用频道/线程 ID）。字段语义与 [ACP Agents](/tools/acp-agents#channel-specific-settings) 共享。
+- `channels.discord.ui.components.accentColor` 设置 Discord components v2 容器的强调色。
+- `channels.discord.voice` 启用 Discord 语音频道对话，以及可选的自动加入 + TTS 覆盖。
+- `channels.discord.voice.daveEncryption` 和 `channels.discord.voice.decryptionFailureTolerance` 会透传给 `@discordjs/voice` 的 DAVE 选项（默认分别为 `true` 和 `24`）。
+- 在重复解密失败后，OpenClaw 还会尝试通过离开/重新加入语音会话来恢复语音接收。
+- `channels.discord.streaming` 是规范的流式模式键。旧版 `streamMode` 和布尔型 `streaming` 值会自动迁移。
+- `channels.discord.autoPresence` 将运行时可用性映射为机器人状态（健康 => online，降级 => idle，耗尽 => dnd），并允许可选的状态文本覆盖。
+- `channels.discord.dangerouslyAllowNameMatching` 会重新启用可变名称/tag 匹配（紧急兼容模式）。
+
+**反应通知模式：**`off`（无）、`own`（机器人的消息，默认）、`all`（所有消息）、`allowlist`（`guilds.<id>.users` 中所有消息）。
+
+### Google Chat
+
+```json5
+{
+  channels: {
+    googlechat: {
+      enabled: true,
+      serviceAccountFile: "/path/to/service-account.json",
+      audienceType: "app-url", // app-url | project-number
+      audience: "https://gateway.example.com/googlechat",
+      webhookPath: "/googlechat",
+      botUser: "users/1234567890",
+      dm: {
+        enabled: true,
+        policy: "pairing",
+        allowFrom: ["users/1234567890"],
+      },
+      groupPolicy: "allowlist",
+      groups: {
+        "spaces/AAAA": { allow: true, requireMention: true },
+      },
+      actions: { reactions: true },
+      typingIndicator: "message",
+      mediaMaxMb: 20,
+    },
+  },
+}
+```
+
+- 服务账户 JSON：支持内联（`serviceAccount`）或基于文件（`serviceAccountFile`）。
+- 也支持服务账户 SecretRef（`serviceAccountRef`）。
+- 环境变量回退：`GOOGLE_CHAT_SERVICE_ACCOUNT` 或 `GOOGLE_CHAT_SERVICE_ACCOUNT_FILE`。
+- 对投递目标使用 `spaces/<spaceId>` 或 `users/<userId>`。
+- `channels.googlechat.dangerouslyAllowNameMatching` 会重新启用可变电子邮件主体匹配（紧急兼容模式）。
+
+### Slack
+
+```json5
+{
+  channels: {
+    slack: {
+      enabled: true,
+      botToken: "xoxb-...",
+      appToken: "xapp-...",
+      dmPolicy: "pairing",
+      allowFrom: ["U123", "U456", "*"],
+      dm: { enabled: true, groupEnabled: false, groupChannels: ["G123"] },
+      channels: {
+        C123: { allow: true, requireMention: true, allowBots: false },
+        "#general": {
+          allow: true,
+          requireMention: true,
+          allowBots: false,
+          users: ["U123"],
+          skills: ["docs"],
+          systemPrompt: "Short answers only.",
+        },
+      },
+      historyLimit: 50,
+      allowBots: false,
+      reactionNotifications: "own",
+      reactionAllowlist: ["U123"],
+      replyToMode: "off", // off | first | all
+      thread: {
+        historyScope: "thread", // thread | channel
+        inheritParent: false,
+      },
+      actions: {
+        reactions: true,
+        messages: true,
+        pins: true,
+        memberInfo: true,
+        emojiList: true,
+      },
+      slashCommand: {
+        enabled: true,
+        name: "openclaw",
+        sessionPrefix: "slack:slash",
+        ephemeral: true,
+      },
+      typingReaction: "hourglass_flowing_sand",
+      textChunkLimit: 4000,
+      chunkMode: "length",
+      streaming: "partial", // off | partial | block | progress（预览模式）
+      nativeStreaming: true, // 当 streaming=partial 时使用 Slack 原生流式 API
+      mediaMaxMb: 20,
+    },
+  },
+}
+```
+
+- **Socket mode** 需要同时提供 `botToken` 和 `appToken`（默认账户环境变量回退为 `SLACK_BOT_TOKEN` + `SLACK_APP_TOKEN`）。
+- **HTTP mode** 需要 `botToken`，外加 `signingSecret`（根级或按账户）。
+- `configWrites: false` 会阻止 Slack 发起的配置写入。
+- 可选的 `channels.slack.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+- `channels.slack.streaming` 是规范的流式模式键。旧版 `streamMode` 和布尔型 `streaming` 值会自动迁移。
+- 对投递目标使用 `user:<id>`（私信）或 `channel:<id>`（频道）。
+
+**反应通知模式：**`off`、`own`（默认）、`all`、`allowlist`（来自 `reactionAllowlist`）。
+
+**线程会话隔离：**`thread.historyScope` 可设为按线程（默认）或在频道内共享。`thread.inheritParent` 会将父频道记录复制到新线程。
+
+- `typingReaction` 会在回复运行期间，为入站 Slack 消息添加一个临时反应，并在完成后移除。请使用 Slack emoji 短代码，例如 `"hourglass_flowing_sand"`。
+
+| Action group | Default | Notes               |
+| ------------ | ------- | ------------------- |
+| reactions    | 已启用  | 添加反应 + 列出反应 |
+| messages     | 已启用  | 读取/发送/编辑/删除 |
+| pins         | 已启用  | 置顶/取消置顶/列出  |
+| memberInfo   | 已启用  | 成员信息            |
+| emojiList    | 已启用  | 自定义 emoji 列表   |
+
+### Mattermost
+
+Mattermost 以插件形式提供：`openclaw plugins install @openclaw/mattermost`。
+
+```json5
+{
+  channels: {
+    mattermost: {
+      enabled: true,
+      botToken: "mm-token",
+      baseUrl: "https://chat.example.com",
+      dmPolicy: "pairing",
+      chatmode: "oncall", // oncall | onmessage | onchar
+      oncharPrefixes: [">", "!"],
+      commands: {
+        native: true, // 选择性启用
+        nativeSkills: true,
+        callbackPath: "/api/channels/mattermost/command",
+        // 为反向代理/公共部署提供可选的显式 URL
+        callbackUrl: "https://gateway.example.com/api/channels/mattermost/command",
+      },
+      textChunkLimit: 4000,
+      chunkMode: "length",
+    },
+  },
+}
+```
+
+聊天模式：`oncall`（在 @ 提及时回复，默认）、`onmessage`（每条消息都回复）、`onchar`（以触发前缀开头的消息）。
+
+启用 Mattermost 原生命令时：
+
+- `commands.callbackPath` 必须是路径（例如 `/api/channels/mattermost/command`），不能是完整 URL。
+- `commands.callbackUrl` 必须解析到 OpenClaw Gateway 网关端点，并且 Mattermost 服务器可以访问它。
+- 对于私有/tailnet/内网回调主机，Mattermost 可能要求
+  `ServiceSettings.AllowedUntrustedInternalConnections` 包含该回调主机/域名。
+  请使用主机/域名值，而不是完整 URL。
+- `channels.mattermost.configWrites`：允许或拒绝 Mattermost 发起的配置写入。
+- `channels.mattermost.requireMention`：在频道中回复前要求 `@mention`。
+- 可选的 `channels.mattermost.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+
+### Signal
+
+```json5
+{
+  channels: {
+    signal: {
+      enabled: true,
+      account: "+15555550123", // 可选账户绑定
+      dmPolicy: "pairing",
+      allowFrom: ["+15551234567", "uuid:123e4567-e89b-12d3-a456-426614174000"],
+      configWrites: true,
+      reactionNotifications: "own", // off | own | all | allowlist
+      reactionAllowlist: ["+15551234567", "uuid:123e4567-e89b-12d3-a456-426614174000"],
+      historyLimit: 50,
+    },
+  },
+}
+```
+
+**反应通知模式：**`off`、`own`（默认）、`all`、`allowlist`（来自 `reactionAllowlist`）。
+
+- `channels.signal.account`：将渠道启动固定到特定 Signal 账户身份。
+- `channels.signal.configWrites`：允许或拒绝 Signal 发起的配置写入。
+- 可选的 `channels.signal.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+
+### BlueBubbles
+
+BlueBubbles 是推荐的 iMessage 路径（由插件支持，配置在 `channels.bluebubbles` 下）。
+
+```json5
+{
+  channels: {
+    bluebubbles: {
+      enabled: true,
+      dmPolicy: "pairing",
+      // serverUrl、password、webhookPath、群组控制和高级操作：
+      // 见 /channels/bluebubbles
+    },
+  },
+}
+```
+
+- 此处涵盖的核心键路径：`channels.bluebubbles`、`channels.bluebubbles.dmPolicy`。
+- 可选的 `channels.bluebubbles.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+- 完整的 BlueBubbles 渠道配置文档见 [BlueBubbles](/channels/bluebubbles)。
+
+### iMessage
+
+OpenClaw 会启动 `imsg rpc`（通过 stdio 的 JSON-RPC）。不需要守护进程或端口。
+
+```json5
+{
+  channels: {
+    imessage: {
+      enabled: true,
+      cliPath: "imsg",
+      dbPath: "~/Library/Messages/chat.db",
+      remoteHost: "user@gateway-host",
+      dmPolicy: "pairing",
+      allowFrom: ["+15555550123", "user@example.com", "chat_id:123"],
+      historyLimit: 50,
+      includeAttachments: false,
+      attachmentRoots: ["/Users/*/Library/Messages/Attachments"],
+      remoteAttachmentRoots: ["/Users/*/Library/Messages/Attachments"],
+      mediaMaxMb: 16,
+      service: "auto",
+      region: "US",
+    },
+  },
+}
+```
+
+- 可选的 `channels.imessage.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+
+- 需要对 Messages DB 具有 Full Disk Access。
+- 优先使用 `chat_id:<id>` 目标。使用 `imsg chats --limit 20` 列出聊天。
+- `cliPath` 可以指向 SSH 包装器；设置 `remoteHost`（`host` 或 `user@host`）以通过 SCP 获取附件。
+- `attachmentRoots` 和 `remoteAttachmentRoots` 会限制入站附件路径（默认：`/Users/*/Library/Messages/Attachments`）。
+- SCP 使用严格主机密钥检查，因此请确保中继主机密钥已存在于 `~/.ssh/known_hosts`。
+- `channels.imessage.configWrites`：允许或拒绝 iMessage 发起的配置写入。
+
+<Accordion title="iMessage SSH 包装器示例">
+
+```bash
+#!/usr/bin/env bash
+exec ssh -T gateway-host imsg "$@"
+```
+
+</Accordion>
+
+### Microsoft Teams
+
+Microsoft Teams 由扩展支持，并配置在 `channels.msteams` 下。
+
+```json5
+{
+  channels: {
+    msteams: {
+      enabled: true,
+      configWrites: true,
+      // appId、appPassword、tenantId、webhook、团队/频道策略：
+      // 见 /channels/msteams
+    },
+  },
+}
+```
+
+- 此处涵盖的核心键路径：`channels.msteams`、`channels.msteams.configWrites`。
+- 完整的 Teams 配置（凭证、webhook、私信/群组策略、按团队/按频道覆盖）见 [Microsoft Teams](/channels/msteams)。
+
+### IRC
+
+IRC 由扩展支持，并配置在 `channels.irc` 下。
+
+```json5
+{
+  channels: {
+    irc: {
+      enabled: true,
+      dmPolicy: "pairing",
+      configWrites: true,
+      nickserv: {
+        enabled: true,
+        service: "NickServ",
+        password: "${IRC_NICKSERV_PASSWORD}",
+        register: false,
+        registerEmail: "bot@example.com",
+      },
+    },
+  },
+}
+```
+
+- 此处涵盖的核心键路径：`channels.irc`、`channels.irc.dmPolicy`、`channels.irc.configWrites`、`channels.irc.nickserv.*`。
+- 可选的 `channels.irc.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+- 完整的 IRC 渠道配置（主机/端口/TLS/频道/allowlist/提及门控）见 [IRC](/channels/irc)。
+
+### 多账户（所有渠道）
+
+按渠道运行多个账户（每个账户有自己的 `accountId`）：
+
+```json5
+{
+  channels: {
+    telegram: {
+      accounts: {
+        default: {
+          name: "Primary bot",
+          botToken: "123456:ABC...",
+        },
+        alerts: {
+          name: "Alerts bot",
+          botToken: "987654:XYZ...",
+        },
+      },
+    },
+  },
+}
+```
+
+- 省略 `accountId` 时使用 `default`（CLI + 路由）。
+- 环境变量令牌仅适用于 **default** 账户。
+- 基础渠道设置适用于所有账户，除非按账户覆盖。
+- 使用 `bindings[].match.accountId` 将每个账户路由到不同智能体。
+- 如果你通过 `openclaw channels add`（或渠道新手引导）添加了一个非默认账户，而当前仍是单账户顶层渠道配置，OpenClaw 会先将带账户作用域的顶层单账户值移动到 `channels.<channel>.accounts.default`，以便原始账户继续工作。
+- 现有仅渠道绑定（无 `accountId`）仍会匹配默认账户；账户作用域绑定仍是可选的。
+- 当存在命名账户但缺少 `default` 时，`openclaw doctor --fix` 也会通过将带账户作用域的顶层单账户值移动到 `accounts.default` 来修复混合形状。
+
+### 其他扩展渠道
+
+许多扩展渠道都配置为 `channels.<id>`，并在其专属渠道页面中记录（例如 Feishu、Matrix、LINE、Nostr、Zalo、Nextcloud Talk、Synology Chat 和 Twitch）。
+查看完整渠道索引：[Channels](/channels)。
+
+### 群聊提及门控
+
+群消息默认**要求提及**（元数据提及或安全正则模式）。适用于 WhatsApp、Telegram、Discord、Google Chat 和 iMessage 群聊。
+
+**提及类型：**
+
+- **元数据提及**：平台原生 @ 提及。在 WhatsApp 自聊模式中会被忽略。
+- **文本模式**：位于 `agents.list[].groupChat.mentionPatterns` 中的安全正则模式。无效模式和不安全的嵌套重复会被忽略。
+- 只有在可以检测提及的情况下（原生提及或至少一个模式），才会强制执行提及门控。
+
+```json5
+{
+  messages: {
+    groupChat: { historyLimit: 50 },
+  },
+  agents: {
+    list: [{ id: "main", groupChat: { mentionPatterns: ["@openclaw", "openclaw"] } }],
+  },
+}
+```
+
+`messages.groupChat.historyLimit` 设置全局默认值。渠道可通过 `channels.<channel>.historyLimit`（或按账户）覆盖。设为 `0` 可禁用。
+
+#### 私信历史限制
+
+```json5
+{
+  channels: {
+    telegram: {
+      dmHistoryLimit: 30,
+      dms: {
+        "123456789": { historyLimit: 50 },
+      },
+    },
+  },
+}
+```
+
+解析顺序：按私信覆盖 → 提供商默认值 → 无限制（全部保留）。
+
+支持：`telegram`、`whatsapp`、`discord`、`slack`、`signal`、`imessage`、`msteams`。
+
+#### 自聊模式
+
+将你自己的号码包含在 `allowFrom` 中可启用自聊模式（忽略原生 @ 提及，仅响应文本模式）：
+
+```json5
+{
+  channels: {
+    whatsapp: {
+      allowFrom: ["+15555550123"],
+      groups: { "*": { requireMention: true } },
+    },
+  },
+  agents: {
+    list: [
+      {
+        id: "main",
+        groupChat: { mentionPatterns: ["reisponde", "@openclaw"] },
+      },
+    ],
+  },
+}
+```
+
+### 命令（聊天命令处理）
+
+```json5
+{
+  commands: {
+    native: "auto", // 在支持时注册原生命令
+    text: true, // 解析聊天消息中的 /commands
+    bash: false, // 允许 !（别名：/bash）
+    bashForegroundMs: 2000,
+    config: false, // 允许 /config
+    debug: false, // 允许 /debug
+    restart: false, // 允许 /restart + gateway restart 工具
+    allowFrom: {
+      "*": ["user1"],
+      discord: ["user:123"],
+    },
+    useAccessGroups: true,
+  },
+}
+```
+
+<Accordion title="命令详情">
+
+- 文本命令必须是以 `/` 开头的**独立**消息。
+- `native: "auto"` 会为 Discord/Telegram 打开原生命令，而让 Slack 保持关闭。
+- 可按渠道覆盖：`channels.discord.commands.native`（布尔值或 `"auto"`）。`false` 会清除先前已注册的命令。
+- `channels.telegram.customCommands` 可添加额外的 Telegram 机器人菜单项。
+- `bash: true` 会为主机 shell 启用 `! <cmd>`。要求 `tools.elevated.enabled` 已启用，且发送者在 `tools.elevated.allowFrom.<channel>` 中。
+- `config: true` 启用 `/config`（读取/写入 `openclaw.json`）。对于 gateway `chat.send` 客户端，持久化的 `/config set|unset` 写入还要求 `operator.admin`；只读的 `/config show` 对普通写作用域 operator 客户端仍然可用。
+- `channels.<provider>.configWrites` 按渠道控制配置变更（默认：true）。
+- 对多账户渠道，`channels.<provider>.accounts.<id>.configWrites` 也会控制针对该账户的写入（例如 `/allowlist --config --account <id>` 或 `/config set channels.<provider>.accounts.<id>...`）。
+- `allowFrom` 是按提供商配置的。设置后，它将成为**唯一**的授权来源（渠道 allowlist/配对和 `useAccessGroups` 都会被忽略）。
+- 当 `allowFrom` 未设置时，`useAccessGroups: false` 允许命令绕过访问组策略。
+
+</Accordion>
+
+---
+
+## 智能体默认值
+
+### `agents.defaults.workspace`
+
+默认值：`~/.openclaw/workspace`。
+
+```json5
+{
+  agents: { defaults: { workspace: "~/.openclaw/workspace" } },
+}
+```
+
+### `agents.defaults.repoRoot`
+
+可选的仓库根目录，会显示在系统提示的 Runtime 行中。如果未设置，OpenClaw 会从工作区向上遍历自动检测。
+
+```json5
+{
+  agents: { defaults: { repoRoot: "~/Projects/openclaw" } },
+}
+```
+
+### `agents.defaults.skipBootstrap`
+
+禁用自动创建工作区引导文件（`AGENTS.md`、`SOUL.md`、`TOOLS.md`、`IDENTITY.md`、`USER.md`、`HEARTBEAT.md`、`BOOTSTRAP.md`）。
+
+```json5
+{
+  agents: { defaults: { skipBootstrap: true } },
+}
+```
+
+### `agents.defaults.bootstrapMaxChars`
+
+单个工作区引导文件在截断前的最大字符数。默认：`20000`。
+
+```json5
+{
+  agents: { defaults: { bootstrapMaxChars: 20000 } },
+}
+```
+
+### `agents.defaults.bootstrapTotalMaxChars`
+
+所有工作区引导文件注入时的最大总字符数。默认：`150000`。
+
+```json5
+{
+  agents: { defaults: { bootstrapTotalMaxChars: 150000 } },
+}
+```
+
+### `agents.defaults.bootstrapPromptTruncationWarning`
+
+控制引导上下文被截断时，对智能体可见的警告文本。
+默认：`"once"`。
+
+- `"off"`：绝不向系统提示注入警告文本。
+- `"once"`：对每个唯一的截断签名仅注入一次警告（推荐）。
+- `"always"`：只要存在截断，就在每次运行时注入警告。
+
+```json5
+{
+  agents: { defaults: { bootstrapPromptTruncationWarning: "once" } }, // off | once | always
+}
+```
+
+### `agents.defaults.imageMaxDimensionPx`
+
+在调用提供商之前，记录/工具图像块中最长边的最大像素尺寸。
+默认：`1200`。
+
+较低的值通常会降低视觉 token 用量以及截图密集型运行的请求负载大小。
+较高的值可保留更多视觉细节。
+
+```json5
+{
+  agents: { defaults: { imageMaxDimensionPx: 1200 } },
+}
+```
+
+### `agents.defaults.userTimezone`
+
+系统提示上下文使用的时区（不是消息时间戳）。回退到主机时区。
+
+```json5
+{
+  agents: { defaults: { userTimezone: "America/Chicago" } },
+}
+```
+
+### `agents.defaults.timeFormat`
+
+系统提示中的时间格式。默认：`auto`（操作系统偏好）。
+
+```json5
+{
+  agents: { defaults: { timeFormat: "auto" } }, // auto | 12 | 24
+}
+```
+
+### `agents.defaults.model`
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "anthropic/claude-opus-4-6": { alias: "opus" },
+        "minimax/MiniMax-M2.5": { alias: "minimax" },
+      },
+      model: {
+        primary: "anthropic/claude-opus-4-6",
+        fallbacks: ["minimax/MiniMax-M2.5"],
+      },
+      imageModel: {
+        primary: "openrouter/qwen/qwen-2.5-vl-72b-instruct:free",
+        fallbacks: ["openrouter/google/gemini-2.0-flash-vision:free"],
+      },
+      pdfModel: {
+        primary: "anthropic/claude-opus-4-6",
+        fallbacks: ["openai/gpt-5-mini"],
+      },
+      pdfMaxBytesMb: 10,
+      pdfMaxPages: 20,
+      thinkingDefault: "low",
+      verboseDefault: "off",
+      elevatedDefault: "on",
+      timeoutSeconds: 600,
+      mediaMaxMb: 5,
+      contextTokens: 200000,
+      maxConcurrent: 3,
+    },
+  },
+}
+```
+
+- `model`：接受字符串（`"provider/model"`）或对象（`{ primary, fallbacks }`）。
+  - 字符串形式只设置主模型。
+  - 对象形式设置主模型以及按顺序排列的故障切换模型。
+- `imageModel`：接受字符串（`"provider/model"`）或对象（`{ primary, fallbacks }`）。
+  - 由 `image` 工具路径作为其视觉模型配置使用。
+  - 当所选/默认模型无法接受图像输入时，也用作回退路由。
+- `pdfModel`：接受字符串（`"provider/model"`）或对象（`{ primary, fallbacks }`）。
+  - 由 `pdf` 工具用于模型路由。
+  - 如果省略，PDF 工具会回退到 `imageModel`，再回退到提供商的尽力默认值。
+- `pdfMaxBytesMb`：`pdf` 工具在调用时未传入 `maxBytesMb` 时使用的默认 PDF 大小限制。
+- `pdfMaxPages`：`pdf` 工具在提取回退模式下考虑的默认最大页数。
+- `model.primary`：格式为 `provider/model`（例如 `anthropic/claude-opus-4-6`）。如果省略 provider，OpenClaw 会假定为 `anthropic`（已弃用）。
+- `models`：为 `/model` 配置的模型目录和 allowlist。每项可包含 `alias`（快捷方式）和 `params`（提供商特定参数，例如 `temperature`、`maxTokens`、`cacheRetention`、`context1m`）。
+- `params` 合并优先级（配置）：`agents.defaults.models["provider/model"].params` 为基础，然后由 `agents.list[].params`（匹配的智能体 ID）按键覆盖。
+- 会修改这些字段的配置写入器（例如 `/models set`、`/models set-image` 以及故障切换增删命令）会保存为规范的对象形式，并尽可能保留现有故障切换列表。
+- `maxConcurrent`：会话之间并行的智能体运行最大数（每个会话本身仍是串行）。默认：1。
+
+**内置别名简写**（仅当模型位于 `agents.defaults.models` 中时适用）：
+
+| Alias               | Model                                  |
+| ------------------- | -------------------------------------- |
+| `opus`              | `anthropic/claude-opus-4-6`            |
+| `sonnet`            | `anthropic/claude-sonnet-4-6`          |
+| `gpt`               | `openai/gpt-5.4`                       |
+| `gpt-mini`          | `openai/gpt-5-mini`                    |
+| `gemini`            | `google/gemini-3.1-pro-preview`        |
+| `gemini-flash`      | `google/gemini-3-flash-preview`        |
+| `gemini-flash-lite` | `google/gemini-3.1-flash-lite-preview` |
+
+你配置的别名始终优先于默认值。
+
+Z.AI 的 GLM-4.x 模型会自动启用 thinking 模式，除非你设置 `--thinking off`，或自行定义 `agents.defaults.models["zai/<model>"].params.thinking`。
+Z.AI 模型默认启用 `tool_stream` 以支持工具调用流式传输。将 `agents.defaults.models["zai/<model>"].params.tool_stream` 设为 `false` 可禁用。
+Anthropic Claude 4.6 模型在未显式设置 thinking 级别时，默认使用 `adaptive` thinking。
+
+### `agents.defaults.cliBackends`
+
+文本专用回退运行（无工具调用）的可选 CLI 后端。当 API 提供商失败时，可作为备份。
+
+```json5
+{
+  agents: {
+    defaults: {
+      cliBackends: {
+        "claude-cli": {
+          command: "/opt/homebrew/bin/claude",
+        },
+        "my-cli": {
+          command: "my-cli",
+          args: ["--json"],
+          output: "json",
+          modelArg: "--model",
+          sessionArg: "--session",
+          sessionMode: "existing",
+          systemPromptArg: "--system",
+          systemPromptWhen: "first",
+          imageArg: "--image",
+          imageMode: "repeat",
+        },
+      },
+    },
+  },
+}
+```
+
+- CLI 后端以文本为主；工具始终禁用。
+- 设置了 `sessionArg` 时支持会话。
+- 当 `imageArg` 接受文件路径时，支持图像透传。
+
+### `agents.defaults.heartbeat`
+
+周期性心跳运行。
+
+```json5
+{
+  agents: {
+    defaults: {
+      heartbeat: {
+        every: "30m", // 0m 表示禁用
+        model: "openai/gpt-5.2-mini",
+        includeReasoning: false,
+        lightContext: false, // 默认：false；true 仅保留工作区引导文件中的 HEARTBEAT.md
+        isolatedSession: false, // 默认：false；true 表示每次心跳都在全新会话中运行（无对话历史）
+        session: "main",
+        to: "+15555550123",
+        directPolicy: "allow", // allow（默认）| block
+        target: "none", // 默认：none | 可选：last | whatsapp | telegram | discord | ...
+        prompt: "Read HEARTBEAT.md if it exists...",
+        ackMaxChars: 300,
+        suppressToolErrorWarnings: false,
+      },
+    },
+  },
+}
+```
+
+- `every`：时长字符串（ms/s/m/h）。默认：`30m`。
+- `suppressToolErrorWarnings`：为 true 时，在心跳运行期间抑制工具错误警告负载。
+- `directPolicy`：直接/私信投递策略。`allow`（默认）允许直接目标投递。`block` 会抑制直接目标投递，并发出 `reason=dm-blocked`。
+- `lightContext`：为 true 时，心跳运行使用轻量引导上下文，并且只保留工作区引导文件中的 `HEARTBEAT.md`。
+- `isolatedSession`：为 true 时，每次心跳都会在无先前对话历史的全新会话中运行。与 cron `sessionTarget: "isolated"` 使用相同的隔离模式。可将每次心跳的 token 成本从约 100K 降到约 2-5K。
+- 按智能体设置：使用 `agents.list[].heartbeat`。当任一智能体定义了 `heartbeat` 时，**只有这些智能体**会运行心跳。
+- 心跳会执行完整的智能体轮次——间隔越短，消耗的 token 越多。
+
+### `agents.defaults.compaction`
+
+```json5
+{
+  agents: {
+    defaults: {
+      compaction: {
+        mode: "safeguard", // default | safeguard
+        timeoutSeconds: 900,
+        reserveTokensFloor: 24000,
+        identifierPolicy: "strict", // strict | off | custom
+        identifierInstructions: "Preserve deployment IDs, ticket IDs, and host:port pairs exactly.", // 当 identifierPolicy=custom 时使用
+        postCompactionSections: ["Session Startup", "Red Lines"], // [] 表示禁用重新注入
+        model: "openrouter/anthropic/claude-sonnet-4-5", // 可选，仅用于压缩的模型覆盖
+        memoryFlush: {
+          enabled: true,
+          softThresholdTokens: 6000,
+          systemPrompt: "Session nearing compaction. Store durable memories now.",
+          prompt: "Write any lasting notes to memory/YYYY-MM-DD.md; reply with NO_REPLY if nothing to store.",
+        },
+      },
+    },
+  },
+}
+```
+
+- `mode`：`default` 或 `safeguard`（用于长历史的分块摘要）。见 [Compaction](/concepts/compaction)。
+- `timeoutSeconds`：OpenClaw 中止前，单次压缩操作允许的最大秒数。默认：`900`。
+- `identifierPolicy`：`strict`（默认）、`off` 或 `custom`。`strict` 会在压缩摘要时预置内置的不透明标识符保留指导。
+- `identifierInstructions`：当 `identifierPolicy=custom` 时使用的可选自定义标识符保留文本。
+- `postCompactionSections`：压缩后重新注入的可选 AGENTS.md H2/H3 节名称。默认是 `["Session Startup", "Red Lines"]`；设为 `[]` 可禁用重新注入。当未设置或显式设置为该默认组合时，旧版 `Every Session`/`Safety` 标题也会作为兼容回退被接受。
+- `model`：仅用于压缩摘要的可选 `provider/model-id` 覆盖。当主会话应保留一个模型，但压缩摘要应在另一个模型上运行时使用；未设置时，压缩会使用会话的主模型。
+- `memoryFlush`：自动压缩前的静默智能体轮次，用于存储持久记忆。工作区为只读时会跳过。
+
+### `agents.defaults.contextPruning`
+
+在发送到 LLM 之前，从内存上下文中裁剪**旧的工具结果**。**不会**修改磁盘上的会话历史。
+
+```json5
+{
+  agents: {
+    defaults: {
+      contextPruning: {
+        mode: "cache-ttl", // off | cache-ttl
+        ttl: "1h", // 时长（ms/s/m/h），默认单位：分钟
+        keepLastAssistants: 3,
+        softTrimRatio: 0.3,
+        hardClearRatio: 0.5,
+        minPrunableToolChars: 50000,
+        softTrim: { maxChars: 4000, headChars: 1500, tailChars: 1500 },
+        hardClear: { enabled: true, placeholder: "[Old tool result content cleared]" },
+        tools: { deny: ["browser", "canvas"] },
+      },
+    },
+  },
+}
+```
+
+<Accordion title="cache-ttl 模式行为">
+
+- `mode: "cache-ttl"` 启用裁剪过程。
+- `ttl` 控制在上次缓存触碰后，多久才能再次运行裁剪。
+- 裁剪会先对过大的工具结果进行软裁剪，如仍有需要，再对更旧的工具结果执行硬清除。
+
+**软裁剪**保留开头和结尾，并在中间插入 `...`。
+
+**硬清除**用占位符替换整个工具结果。
+
+说明：
+
+- 图像块永远不会被裁剪/清除。
+- 比例是基于字符的（近似），不是精确 token 数。
+- 如果 assistant 消息少于 `keepLastAssistants`，则跳过裁剪。
+
+</Accordion>
+
+行为细节见 [Session Pruning](/concepts/session-pruning)。
+
+### 分块流式传输
+
+```json5
+{
+  agents: {
+    defaults: {
+      blockStreamingDefault: "off", // on | off
+      blockStreamingBreak: "text_end", // text_end | message_end
+      blockStreamingChunk: { minChars: 800, maxChars: 1200 },
+      blockStreamingCoalesce: { idleMs: 1000 },
+      humanDelay: { mode: "natural" }, // off | natural | custom（使用 minMs/maxMs）
+    },
+  },
+}
+```
+
+- 非 Telegram 渠道需要显式设置 `*.blockStreaming: true` 才会启用分块回复。
+- 渠道覆盖：`channels.<channel>.blockStreamingCoalesce`（以及按账户变体）。Signal/Slack/Discord/Google Chat 默认 `minChars: 1500`。
+- `humanDelay`：分块回复之间的随机暂停。`natural` = 800–2500 ms。按智能体覆盖：`agents.list[].humanDelay`。
+
+行为和分块细节见 [Streaming](/concepts/streaming)。
+
+### 输入指示器
+
+```json5
+{
+  agents: {
+    defaults: {
+      typingMode: "instant", // never | instant | thinking | message
+      typingIntervalSeconds: 6,
+    },
+  },
+}
+```
+
+- 默认值：私聊/被提及时为 `instant`，未提及的群聊中为 `message`。
+- 按会话覆盖：`session.typingMode`、`session.typingIntervalSeconds`。
+
+见 [Typing Indicators](/concepts/typing-indicators)。
+
+### `agents.defaults.sandbox`
+
+嵌入式智能体的可选沙箱隔离。完整指南见 [沙箱隔离](/gateway/sandboxing)。
+
+```json5
+{
+  agents: {
+    defaults: {
+      sandbox: {
+        mode: "non-main", // off | non-main | all
+        backend: "docker", // docker | ssh | openshell
+        scope: "agent", // session | agent | shared
+        workspaceAccess: "none", // none | ro | rw
+        workspaceRoot: "~/.openclaw/sandboxes",
+        docker: {
+          image: "openclaw-sandbox:bookworm-slim",
+          containerPrefix: "openclaw-sbx-",
+          workdir: "/workspace",
+          readOnlyRoot: true,
+          tmpfs: ["/tmp", "/var/tmp", "/run"],
+          network: "none",
+          user: "1000:1000",
+          capDrop: ["ALL"],
+          env: { LANG: "C.UTF-8" },
+          setupCommand: "apt-get update && apt-get install -y git curl jq",
+          pidsLimit: 256,
+          memory: "1g",
+          memorySwap: "2g",
+          cpus: 1,
+          ulimits: {
+            nofile: { soft: 1024, hard: 2048 },
+            nproc: 256,
+          },
+          seccompProfile: "/path/to/seccomp.json",
+          apparmorProfile: "openclaw-sandbox",
+          dns: ["1.1.1.1", "8.8.8.8"],
+          extraHosts: ["internal.service:10.0.0.5"],
+          binds: ["/home/user/source:/source:rw"],
+        },
+        ssh: {
+          target: "user@gateway-host:22",
+          command: "ssh",
+          workspaceRoot: "/tmp/openclaw-sandboxes",
+          strictHostKeyChecking: true,
+          updateHostKeys: true,
+          identityFile: "~/.ssh/id_ed25519",
+          certificateFile: "~/.ssh/id_ed25519-cert.pub",
+          knownHostsFile: "~/.ssh/known_hosts",
+          // 也支持 SecretRef / 内联内容：
+          // identityData: { source: "env", provider: "default", id: "SSH_IDENTITY" },
+          // certificateData: { source: "env", provider: "default", id: "SSH_CERTIFICATE" },
+          // knownHostsData: { source: "env", provider: "default", id: "SSH_KNOWN_HOSTS" },
+        },
+        browser: {
+          enabled: false,
+          image: "openclaw-sandbox-browser:bookworm-slim",
+          network: "openclaw-sandbox-browser",
+          cdpPort: 9222,
+          cdpSourceRange: "172.21.0.1/32",
+          vncPort: 5900,
+          noVncPort: 6080,
+          headless: false,
+          enableNoVnc: true,
+          allowHostControl: false,
+          autoStart: true,
+          autoStartTimeoutMs: 12000,
+        },
+        prune: {
+          idleHours: 24,
+          maxAgeDays: 7,
+        },
+      },
+    },
+  },
+  tools: {
+    sandbox: {
+      tools: {
+        allow: [
+          "exec",
+          "process",
+          "read",
+          "write",
+          "edit",
+          "apply_patch",
+          "sessions_list",
+          "sessions_history",
+          "sessions_send",
+          "sessions_spawn",
+          "session_status",
+        ],
+        deny: ["browser", "canvas", "nodes", "cron", "discord", "gateway"],
+      },
+    },
+  },
+}
+```
+
+<Accordion title="沙箱详情">
+
+**后端：**
+
+- `docker`：本地 Docker 运行时（默认）
+- `ssh`：通用的 SSH 远程运行时
+- `openshell`：OpenShell 运行时
+
+选择 `backend: "openshell"` 时，运行时特定设置会移动到
+`plugins.entries.openshell.config`。
+
+**SSH 后端配置：**
+
+- `target`：`user@host[:port]` 形式的 SSH 目标
+- `command`：SSH 客户端命令（默认：`ssh`）
+- `workspaceRoot`：按作用域工作区使用的远程绝对根目录
+- `identityFile` / `certificateFile` / `knownHostsFile`：传递给 OpenSSH 的现有本地文件
+- `identityData` / `certificateData` / `knownHostsData`：内联内容或 SecretRef，OpenClaw 会在运行时将其物化为临时文件
+- `strictHostKeyChecking` / `updateHostKeys`：OpenSSH 主机密钥策略开关
+
+**SSH 认证优先级：**
+
+- `identityData` 优先于 `identityFile`
+- `certificateData` 优先于 `certificateFile`
+- `knownHostsData` 优先于 `knownHostsFile`
+- 由 SecretRef 支持的 `*Data` 值会在沙箱会话启动前，从活动 secrets 运行时快照中解析
+
+**SSH 后端行为：**
+
+- 在创建或重建后，对远程工作区进行一次种子初始化
+- 之后保持远程 SSH 工作区为规范副本
+- 通过 SSH 路由 `exec`、文件工具和媒体路径
+- 不会自动将远程更改同步回主机
+- 不支持沙箱浏览器容器
+
+**工作区访问：**
+
+- `none`：位于 `~/.openclaw/sandboxes` 下的按作用域划分的沙箱工作区
+- `ro`：沙箱工作区位于 `/workspace`，智能体工作区以只读方式挂载到 `/agent`
+- `rw`：智能体工作区以读写方式挂载到 `/workspace`
+
+**作用域：**
+
+- `session`：每个会话一个容器 + 工作区
+- `agent`：每个智能体一个容器 + 工作区（默认）
+- `shared`：共享容器和工作区（无跨会话隔离）
+
+**OpenShell 插件配置：**
+
+```json5
+{
+  plugins: {
+    entries: {
+      openshell: {
+        enabled: true,
+        config: {
+          mode: "mirror", // mirror | remote
+          from: "openclaw",
+          remoteWorkspaceDir: "/sandbox",
+          remoteAgentWorkspaceDir: "/agent",
+          gateway: "lab", // 可选
+          gatewayEndpoint: "https://lab.example", // 可选
+          policy: "strict", // 可选的 OpenShell policy id
+          providers: ["openai"], // 可选
+          autoProviders: true,
+          timeoutSeconds: 120,
+        },
+      },
+    },
+  },
+}
+```
+
+**OpenShell 模式：**
+
+- `mirror`：执行前从本地为远程植入种子，执行后同步回本地；本地工作区保持为规范副本
+- `remote`：在创建沙箱时只为远程植入一次种子，之后保持远程工作区为规范副本
+
+在 `remote` 模式下，在 OpenClaw 外部对主机本地所做的编辑，不会在种子步骤后自动同步进沙箱。
+传输层是通过 SSH 进入 OpenShell 沙箱，但插件拥有沙箱生命周期以及可选的镜像同步。
+
+**`setupCommand`** 会在容器创建后运行一次（通过 `sh -lc`）。需要网络出口、可写根文件系统以及 root 用户。
+
+**容器默认使用 `network: "none"`** ——如果智能体需要出站访问，请设为 `"bridge"`（或自定义 bridge 网络）。
+默认会阻止 `"host"`。除非你显式设置
+`sandbox.docker.dangerouslyAllowContainerNamespaceJoin: true`（紧急模式），否则默认也会阻止 `"container:<id>"`。
+
+**入站附件** 会暂存到活动工作区中的 `media/inbound/*`。
+
+**`docker.binds`** 会挂载额外的主机目录；全局和按智能体的 binds 会合并。
+
+**沙箱浏览器**（`sandbox.browser.enabled`）：容器中的 Chromium + CDP。noVNC URL 会注入系统提示中。不要求在 `openclaw.json` 中启用 `browser.enabled`。
+noVNC 观察者访问默认使用 VNC 身份验证，OpenClaw 会发出一个短期有效的 token URL（而不是在共享 URL 中暴露密码）。
+
+- `allowHostControl: false`（默认）会阻止沙箱会话指向主机浏览器。
+- `network` 默认为 `openclaw-sandbox-browser`（专用 bridge 网络）。仅当你明确需要全局 bridge 连接时，才设为 `bridge`。
+- `cdpSourceRange` 可选地将容器边缘的 CDP 入站限制为某个 CIDR 范围（例如 `172.21.0.1/32`）。
+- `sandbox.browser.binds` 仅将额外主机目录挂载到沙箱浏览器容器中。设置后（包括 `[]`），它会替换浏览器容器的 `docker.binds`。
+- 启动默认值定义于 `scripts/sandbox-browser-entrypoint.sh` 中，并针对容器主机进行了调优：
+  - `--remote-debugging-address=127.0.0.1`
+  - `--remote-debugging-port=<derived from OPENCLAW_BROWSER_CDP_PORT>`
+  - `--user-data-dir=${HOME}/.chrome`
+  - `--no-first-run`
+  - `--no-default-browser-check`
+  - `--disable-3d-apis`
+  - `--disable-gpu`
+  - `--disable-software-rasterizer`
+  - `--disable-dev-shm-usage`
+  - `--disable-background-networking`
+  - `--disable-features=TranslateUI`
+  - `--disable-breakpad`
+  - `--disable-crash-reporter`
+  - `--renderer-process-limit=2`
+  - `--no-zygote`
+  - `--metrics-recording-only`
+  - `--disable-extensions`（默认启用）
+  - `--disable-3d-apis`、`--disable-software-rasterizer` 和 `--disable-gpu`
+    默认启用，如果 WebGL/3D 使用场景需要，可通过
+    `OPENCLAW_BROWSER_DISABLE_GRAPHICS_FLAGS=0` 禁用这些标志。
+  - `OPENCLAW_BROWSER_DISABLE_EXTENSIONS=0` 会重新启用扩展，如果你的工作流
+    依赖它们。
+  - `--renderer-process-limit=2` 可通过
+    `OPENCLAW_BROWSER_RENDERER_PROCESS_LIMIT=<N>` 更改；设为 `0` 将使用 Chromium 的
+    默认进程上限。
+  - 若启用了 `noSandbox`，还会额外加上 `--no-sandbox` 和 `--disable-setuid-sandbox`。
+  - 默认值是容器镜像的基线；若要更改容器默认值，请使用自定义浏览器镜像及自定义
+    entrypoint。
+
+</Accordion>
+
+浏览器沙箱隔离和 `sandbox.docker.binds` 当前仅支持 Docker。
+
+构建镜像：
+
+```bash
+scripts/sandbox-setup.sh           # 主沙箱镜像
+scripts/sandbox-browser-setup.sh   # 可选的浏览器镜像
+```
+
+### `agents.list`（按智能体覆盖）
+
+```json5
+{
+  agents: {
+    list: [
+      {
+        id: "main",
+        default: true,
+        name: "Main Agent",
+        workspace: "~/.openclaw/workspace",
+        agentDir: "~/.openclaw/agents/main/agent",
+        model: "anthropic/claude-opus-4-6", // 或 { primary, fallbacks }
+        params: { cacheRetention: "none" }, // 按键覆盖匹配的 defaults.models params
+        identity: {
+          name: "Samantha",
+          theme: "helpful sloth",
+          emoji: "🦥",
+          avatar: "avatars/samantha.png",
+        },
+        groupChat: { mentionPatterns: ["@openclaw"] },
+        sandbox: { mode: "off" },
+        runtime: {
+          type: "acp",
+          acp: {
+            agent: "codex",
+            backend: "acpx",
+            mode: "persistent",
+            cwd: "/workspace/openclaw",
+          },
+        },
+        subagents: { allowAgents: ["*"] },
+        tools: {
+          profile: "coding",
+          allow: ["browser"],
+          deny: ["canvas"],
+          elevated: { enabled: true },
+        },
+      },
+    ],
+  },
+}
+```
+
+- `id`：稳定的智能体 ID（必填）。
+- `default`：若设置了多个，则第一个生效（会记录警告）。若一个都未设，则列表第一项为默认。
+- `model`：字符串形式只覆盖 `primary`；对象形式 `{ primary, fallbacks }` 同时覆盖两者（`[]` 会禁用全局故障切换）。仅覆盖 `primary` 的 Cron 作业仍会继承默认故障切换，除非你设置 `fallbacks: []`。
+- `params`：按智能体的流参数，会合并到 `agents.defaults.models` 中所选模型条目之上。用于为智能体添加特定覆盖，例如 `cacheRetention`、`temperature` 或 `maxTokens`，而无需复制整个模型目录。
+- `runtime`：可选的按智能体运行时描述符。当智能体应默认使用 ACP harness 会话时，可使用 `type: "acp"`，并在 `runtime.acp` 中设置默认值（`agent`、`backend`、`mode`、`cwd`）。
+- `identity.avatar`：工作区相对路径、`http(s)` URL 或 `data:` URI。
+- `identity` 会派生默认值：从 `emoji` 派生 `ackReaction`，从 `name`/`emoji` 派生 `mentionPatterns`。
+- `subagents.allowAgents`：`sessions_spawn` 的智能体 ID allowlist（`["*"]` = 任意；默认：仅同一智能体）。
+- 沙箱继承保护：若请求方会话处于沙箱中，`sessions_spawn` 会拒绝那些将以非沙箱方式运行的目标。
+
+---
+
+## 多智能体路由
+
+在一个 Gateway 网关中运行多个隔离的智能体。见 [Multi-Agent](/concepts/multi-agent)。
+
+```json5
+{
+  agents: {
+    list: [
+      { id: "home", default: true, workspace: "~/.openclaw/workspace-home" },
+      { id: "work", workspace: "~/.openclaw/workspace-work" },
+    ],
+  },
+  bindings: [
+    { agentId: "home", match: { channel: "whatsapp", accountId: "personal" } },
+    { agentId: "work", match: { channel: "whatsapp", accountId: "biz" } },
+  ],
+}
+```
+
+### 绑定匹配字段
+
+- `type`（可选）：普通路由使用 `route`（缺失时默认为 route），持久化 ACP 对话绑定使用 `acp`。
+- `match.channel`（必填）
+- `match.accountId`（可选；`*` = 任意账户；省略 = 默认账户）
+- `match.peer`（可选；`{ kind: direct|group|channel, id }`）
+- `match.guildId` / `match.teamId`（可选；渠道特定）
+- `acp`（可选；仅用于 `type: "acp"`）：`{ mode, label, cwd, backend }`
+
+**确定性匹配顺序：**
+
+1. `match.peer`
+2. `match.guildId`
+3. `match.teamId`
+4. `match.accountId`（精确匹配，无 peer/guild/team）
+5. `match.accountId: "*"`（全渠道）
+6. 默认智能体
+
+在每一层内，第一个匹配的 `bindings` 条目胜出。
+
+对于 `type: "acp"` 条目，OpenClaw 会按精确对话身份（`match.channel` + account + `match.peer.id`）解析，不使用上述 route 绑定层级顺序。
+
+### 按智能体的访问配置
+
+<Accordion title="完全访问（无沙箱）">
+
+```json5
+{
+  agents: {
+    list: [
+      {
+        id: "personal",
+        workspace: "~/.openclaw/workspace-personal",
+        sandbox: { mode: "off" },
+      },
+    ],
+  },
+}
+```
+
+</Accordion>
+
+<Accordion title="只读工具 + 工作区">
+
+```json5
+{
+  agents: {
+    list: [
+      {
+        id: "family",
+        workspace: "~/.openclaw/workspace-family",
+        sandbox: { mode: "all", scope: "agent", workspaceAccess: "ro" },
+        tools: {
+          allow: [
+            "read",
+            "sessions_list",
+            "sessions_history",
+            "sessions_send",
+            "sessions_spawn",
+            "session_status",
+          ],
+          deny: ["write", "edit", "apply_patch", "exec", "process", "browser"],
+        },
+      },
+    ],
+  },
+}
+```
+
+</Accordion>
+
+<Accordion title="无文件系统访问（仅消息）">
+
+```json5
+{
+  agents: {
+    list: [
+      {
+        id: "public",
+        workspace: "~/.openclaw/workspace-public",
+        sandbox: { mode: "all", scope: "agent", workspaceAccess: "none" },
+        tools: {
+          allow: [
+            "sessions_list",
+            "sessions_history",
+            "sessions_send",
+            "sessions_spawn",
+            "session_status",
+            "whatsapp",
+            "telegram",
+            "slack",
+            "discord",
+            "gateway",
+          ],
+          deny: [
+            "read",
+            "write",
+            "edit",
+            "apply_patch",
+            "exec",
+            "process",
+            "browser",
+            "canvas",
+            "nodes",
+            "cron",
+            "gateway",
+            "image",
+          ],
+        },
+      },
+    ],
+  },
+}
+```
+
+</Accordion>
+
+优先级细节见 [Multi-Agent Sandbox & Tools](/tools/multi-agent-sandbox-tools)。
+
+---
+
+## 会话
+
+```json5
+{
+  session: {
+    scope: "per-sender",
+    dmScope: "main", // main | per-peer | per-channel-peer | per-account-channel-peer
+    identityLinks: {
+      alice: ["telegram:123456789", "discord:987654321012345678"],
+    },
+    reset: {
+      mode: "daily", // daily | idle
+      atHour: 4,
+      idleMinutes: 60,
+    },
+    resetByType: {
+      thread: { mode: "daily", atHour: 4 },
+      direct: { mode: "idle", idleMinutes: 240 },
+      group: { mode: "idle", idleMinutes: 120 },
+    },
+    resetTriggers: ["/new", "/reset"],
+    store: "~/.openclaw/agents/{agentId}/sessions/sessions.json",
+    parentForkMaxTokens: 100000, // 超过此 token 数则跳过父线程 fork（0 表示禁用）
+    maintenance: {
+      mode: "warn", // warn | enforce
+      pruneAfter: "30d",
+      maxEntries: 500,
+      rotateBytes: "10mb",
+      resetArchiveRetention: "30d", // 时长或 false
+      maxDiskBytes: "500mb", // 可选硬预算
+      highWaterBytes: "400mb", // 可选清理目标
+    },
+    threadBindings: {
+      enabled: true,
+      idleHours: 24, // 默认不活动自动取消聚焦时长（小时，`0` 表示禁用）
+      maxAgeHours: 0, // 默认硬性最大年龄（小时，`0` 表示禁用）
+    },
+    mainKey: "main", // 旧字段（运行时始终使用 "main"）
+    agentToAgent: { maxPingPongTurns: 5 },
+    sendPolicy: {
+      rules: [{ action: "deny", match: { channel: "discord", chatType: "group" } }],
+      default: "allow",
+    },
+  },
+}
+```
+
+<Accordion title="会话字段详情">
+
+- **`dmScope`**：私信如何分组。
+  - `main`：所有私信共享主会话。
+  - `per-peer`：按发送者 ID 跨渠道隔离。
+  - `per-channel-peer`：按渠道 + 发送者隔离（推荐用于多用户收件箱）。
+  - `per-account-channel-peer`：按账户 + 渠道 + 发送者隔离（推荐用于多账户）。
+- **`identityLinks`**：将规范 ID 映射到带提供商前缀的 peer，用于跨渠道共享会话。
+- **`reset`**：主重置策略。`daily` 会在本地时间 `atHour` 重置；`idle` 会在 `idleMinutes` 后重置。如果两者都配置，谁先到期谁生效。
+- **`resetByType`**：按类型覆盖（`direct`、`group`、`thread`）。旧版 `dm` 仍接受为 `direct` 的别名。
+- **`parentForkMaxTokens`**：创建分叉线程会话时，父会话允许的最大 `totalTokens`（默认 `100000`）。
+  - 如果父会话 `totalTokens` 高于该值，OpenClaw 会启动一个新的线程会话，而不是继承父会话的记录历史。
+  - 设为 `0` 可禁用此保护，并始终允许父会话分叉。
+- **`mainKey`**：旧字段。运行时现在始终为主直聊桶使用 `"main"`。
+- **`sendPolicy`**：可按 `channel`、`chatType`（`direct|group|channel`，旧版 `dm` 仍为别名）、`keyPrefix` 或 `rawKeyPrefix` 匹配。第一个 deny 生效。
+- **`maintenance`**：会话存储清理 + 保留控制。
+  - `mode`：`warn` 仅发出警告；`enforce` 应用清理。
+  - `pruneAfter`：过期条目的年龄阈值（默认 `30d`）。
+  - `maxEntries`：`sessions.json` 中的最大条目数（默认 `500`）。
+  - `rotateBytes`：当 `sessions.json` 超过此大小时轮转（默认 `10mb`）。
+  - `resetArchiveRetention`：`*.reset.<timestamp>` 会话记录归档的保留期限。默认跟随 `pruneAfter`；设为 `false` 可禁用。
+  - `maxDiskBytes`：可选的会话目录磁盘预算。在 `warn` 模式下会记录警告；在 `enforce` 模式下会优先删除最旧的工件/会话。
+  - `highWaterBytes`：预算清理后的可选目标值。默认是 `maxDiskBytes` 的 `80%`。
+- **`threadBindings`**：线程绑定会话功能的全局默认值。
+  - `enabled`：主默认开关（提供商可覆盖；Discord 使用 `channels.discord.threadBindings.enabled`）
+  - `idleHours`：默认不活动自动取消聚焦时长（小时，`0` 表示禁用；提供商可覆盖）
+  - `maxAgeHours`：默认硬性最大年龄（小时，`0` 表示禁用；提供商可覆盖）
+
+</Accordion>
+
+---
+
+## 消息
+
+```json5
+{
+  messages: {
+    responsePrefix: "🦞", // 或 "auto"
+    ackReaction: "👀",
+    ackReactionScope: "group-mentions", // group-mentions | group-all | direct | all
+    removeAckAfterReply: false,
+    queue: {
+      mode: "collect", // steer | followup | collect | steer-backlog | steer+backlog | queue | interrupt
+      debounceMs: 1000,
+      cap: 20,
+      drop: "summarize", // old | new | summarize
+      byChannel: {
+        whatsapp: "collect",
+        telegram: "collect",
+      },
+    },
+    inbound: {
+      debounceMs: 2000, // 0 表示禁用
+      byChannel: {
+        whatsapp: 5000,
+        slack: 1500,
+      },
+    },
+  },
+}
+```
+
+### 回复前缀
+
+按渠道/按账户覆盖：`channels.<channel>.responsePrefix`、`channels.<channel>.accounts.<id>.responsePrefix`。
+
+解析顺序（最具体者优先）：账户 → 渠道 → 全局。`""` 会禁用并停止级联。`"auto"` 会派生为 `[{identity.name}]`。
+
+**模板变量：**
+
+| Variable          | Description        | Example                     |
+| ----------------- | ------------------ | --------------------------- |
+| `{model}`         | 短模型名           | `claude-opus-4-6`           |
+| `{modelFull}`     | 完整模型标识符     | `anthropic/claude-opus-4-6` |
+| `{provider}`      | 提供商名称         | `anthropic`                 |
+| `{thinkingLevel}` | 当前 thinking 级别 | `high`、`low`、`off`        |
+| `{identity.name}` | 智能体身份名称     | （与 `"auto"` 相同）        |
+
+变量不区分大小写。`{think}` 是 `{thinkingLevel}` 的别名。
+
+### 确认反应
+
+- 默认取活动智能体的 `identity.emoji`，否则为 `"👀"`。设为 `""` 可禁用。
+- 按渠道覆盖：`channels.<channel>.ackReaction`、`channels.<channel>.accounts.<id>.ackReaction`。
+- 解析顺序：账户 → 渠道 → `messages.ackReaction` → identity 回退。
+- 作用域：`group-mentions`（默认）、`group-all`、`direct`、`all`。
+- `removeAckAfterReply`：回复后移除确认反应（仅 Slack/Discord/Telegram/Google Chat）。
+
+### 入站防抖
+
+将同一发送者快速连续发送的纯文本消息合并为一次智能体轮次。媒体/附件会立即冲刷。控制命令会绕过防抖。
+
+### TTS（文本转语音）
+
+```json5
+{
+  messages: {
+    tts: {
+      auto: "always", // off | always | inbound | tagged
+      mode: "final", // final | all
+      provider: "elevenlabs",
+      summaryModel: "openai/gpt-4.1-mini",
+      modelOverrides: { enabled: true },
+      maxTextLength: 4000,
+      timeoutMs: 30000,
+      prefsPath: "~/.openclaw/settings/tts.json",
+      elevenlabs: {
+        apiKey: "elevenlabs_api_key",
+        baseUrl: "https://api.elevenlabs.io",
+        voiceId: "voice_id",
+        modelId: "eleven_multilingual_v2",
+        seed: 42,
+        applyTextNormalization: "auto",
+        languageCode: "en",
+        voiceSettings: {
+          stability: 0.5,
+          similarityBoost: 0.75,
+          style: 0.0,
+          useSpeakerBoost: true,
+          speed: 1.0,
+        },
+      },
+      openai: {
+        apiKey: "openai_api_key",
+        baseUrl: "https://api.openai.com/v1",
+        model: "gpt-4o-mini-tts",
+        voice: "alloy",
+      },
+    },
+  },
+}
+```
+
+- `auto` 控制自动 TTS。`/tts off|always|inbound|tagged` 可按会话覆盖。
+- `summaryModel` 会覆盖 `agents.defaults.model.primary` 用于自动摘要。
+- `modelOverrides` 默认启用；`modelOverrides.allowProvider` 默认是 `false`（需显式选择启用）。
+- API 密钥回退到 `ELEVENLABS_API_KEY`/`XI_API_KEY` 和 `OPENAI_API_KEY`。
+- `openai.baseUrl` 会覆盖 OpenAI TTS 端点。解析顺序是配置、然后 `OPENAI_TTS_BASE_URL`、再然后 `https://api.openai.com/v1`。
+- 当 `openai.baseUrl` 指向非 OpenAI 端点时，OpenClaw 会将其视为兼容 OpenAI 的 TTS 服务器，并放宽模型/语音校验。
+
+---
+
+## Talk
+
+Talk 模式的默认值（macOS/iOS/Android）。
+
+```json5
+{
+  talk: {
+    voiceId: "elevenlabs_voice_id",
+    voiceAliases: {
+      Clawd: "EXAVITQu4vr4xnSDxMaL",
+      Roger: "CwhRBWXzGAHq8TQ4Fs17",
+    },
+    modelId: "eleven_v3",
+    outputFormat: "mp3_44100_128",
+    apiKey: "elevenlabs_api_key",
+    silenceTimeoutMs: 1500,
+    interruptOnSpeech: true,
+  },
+}
+```
+
+- 语音 ID 会回退到 `ELEVENLABS_VOICE_ID` 或 `SAG_VOICE_ID`。
+- `apiKey` 和 `providers.*.apiKey` 接受明文字符串或 SecretRef 对象。
+- 仅在未配置 Talk API key 时，才会回退到 `ELEVENLABS_API_KEY`。
+- `voiceAliases` 让 Talk 指令可以使用友好的名称。
+- `silenceTimeoutMs` 控制 Talk 模式在用户停止说话后等待多久才发送转录。未设置时使用平台默认暂停窗口（`macOS 和 Android 上为 700 ms，iOS 上为 900 ms`）。
+
+---
+
+## 工具
+
+### 工具配置文件
+
+`tools.profile` 会在 `tools.allow`/`tools.deny` 之前设置基础 allowlist：
+
+本地新手引导会在未设置时，把新的本地配置默认设为 `tools.profile: "coding"`（现有显式配置文件会保留）。
+
+| Profile     | Includes                                                                                  |
+| ----------- | ----------------------------------------------------------------------------------------- |
+| `minimal`   | 仅 `session_status`                                                                       |
+| `coding`    | `group:fs`、`group:runtime`、`group:sessions`、`group:memory`、`image`                    |
+| `messaging` | `group:messaging`、`sessions_list`、`sessions_history`、`sessions_send`、`session_status` |
+| `full`      | 不限制（等同于未设置）                                                                    |
+
+### 工具组
+
+| Group              | Tools                                                                                    |
+| ------------------ | ---------------------------------------------------------------------------------------- |
+| `group:runtime`    | `exec`、`process`（`bash` 可作为 `exec` 的别名）                                         |
+| `group:fs`         | `read`、`write`、`edit`、`apply_patch`                                                   |
+| `group:sessions`   | `sessions_list`、`sessions_history`、`sessions_send`、`sessions_spawn`、`session_status` |
+| `group:memory`     | `memory_search`、`memory_get`                                                            |
+| `group:web`        | `web_search`、`web_fetch`                                                                |
+| `group:ui`         | `browser`、`canvas`                                                                      |
+| `group:automation` | `cron`、`gateway`                                                                        |
+| `group:messaging`  | `message`                                                                                |
+| `group:nodes`      | `nodes`                                                                                  |
+| `group:openclaw`   | 所有内置工具（不含提供商插件）                                                           |
+
+### `tools.allow` / `tools.deny`
+
+全局工具 allow/deny 策略（deny 优先）。不区分大小写，支持 `*` 通配符。即使 Docker 沙箱关闭，也会应用。
+
+```json5
+{
+  tools: { deny: ["browser", "canvas"] },
+}
+```
+
+### `tools.byProvider`
+
+进一步限制特定提供商或模型的工具。顺序：基础配置文件 → 提供商配置文件 → allow/deny。
+
+```json5
+{
+  tools: {
+    profile: "coding",
+    byProvider: {
+      "google-antigravity": { profile: "minimal" },
+      "openai/gpt-5.2": { allow: ["group:fs", "sessions_list"] },
+    },
+  },
+}
+```
+
+### `tools.elevated`
+
+控制提升权限（主机）`exec` 访问：
+
+```json5
+{
+  tools: {
+    elevated: {
+      enabled: true,
+      allowFrom: {
+        whatsapp: ["+15555550123"],
+        discord: ["1234567890123", "987654321098765432"],
+      },
+    },
+  },
+}
+```
+
+- 按智能体覆盖（`agents.list[].tools.elevated`）只能进一步收紧限制。
+- `/elevated on|off|ask|full` 会按会话保存状态；内联指令仅作用于单条消息。
+- 提升权限的 `exec` 会在主机上运行，并绕过沙箱隔离。
+
+### `tools.exec`
+
+```json5
+{
+  tools: {
+    exec: {
+      backgroundMs: 10000,
+      timeoutSec: 1800,
+      cleanupMs: 1800000,
+      notifyOnExit: true,
+      notifyOnExitEmptySuccess: false,
+      applyPatch: {
+        enabled: false,
+        allowModels: ["gpt-5.2"],
+      },
+    },
+  },
+}
+```
+
+### `tools.loopDetection`
+
+工具循环安全检查**默认禁用**。设置 `enabled: true` 可启用检测。
+可在全局 `tools.loopDetection` 中定义设置，并在 `agents.list[].tools.loopDetection` 中按智能体覆盖。
+
+```json5
+{
+  tools: {
+    loopDetection: {
+      enabled: true,
+      historySize: 30,
+      warningThreshold: 10,
+      criticalThreshold: 20,
+      globalCircuitBreakerThreshold: 30,
+      detectors: {
+        genericRepeat: true,
+        knownPollNoProgress: true,
+        pingPong: true,
+      },
+    },
+  },
+}
+```
+
+- `historySize`：为循环分析保留的最大工具调用历史。
+- `warningThreshold`：用于发出警告的重复无进展模式阈值。
+- `criticalThreshold`：用于阻止严重循环的更高重复阈值。
+- `globalCircuitBreakerThreshold`：对任何无进展运行的硬性停止阈值。
+- `detectors.genericRepeat`：对重复的相同工具/相同参数调用发出警告。
+- `detectors.knownPollNoProgress`：对已知轮询工具（`process.poll`、`command_status` 等）的无进展情况发出警告/阻止。
+- `detectors.pingPong`：对交替出现的无进展成对模式发出警告/阻止。
+- 如果 `warningThreshold >= criticalThreshold` 或 `criticalThreshold >= globalCircuitBreakerThreshold`，校验会失败。
+
+### `tools.web`
+
+```json5
+{
+  tools: {
+    web: {
+      search: {
+        enabled: true,
+        apiKey: "brave_api_key", // 或 BRAVE_API_KEY 环境变量
+        maxResults: 5,
+        timeoutSeconds: 30,
+        cacheTtlMinutes: 15,
+      },
+      fetch: {
+        enabled: true,
+        maxChars: 50000,
+        maxCharsCap: 50000,
+        timeoutSeconds: 30,
+        cacheTtlMinutes: 15,
+        userAgent: "custom-ua",
+      },
+    },
+  },
+}
+```
+
+### `tools.media`
+
+配置入站媒体理解（图像/音频/视频）：
+
+```json5
+{
+  tools: {
+    media: {
+      concurrency: 2,
+      audio: {
+        enabled: true,
+        maxBytes: 20971520,
+        scope: {
+          default: "deny",
+          rules: [{ action: "allow", match: { chatType: "direct" } }],
+        },
+        models: [
+          { provider: "openai", model: "gpt-4o-mini-transcribe" },
+          { type: "cli", command: "whisper", args: ["--model", "base", "{{MediaPath}}"] },
+        ],
+      },
+      video: {
+        enabled: true,
+        maxBytes: 52428800,
+        models: [{ provider: "google", model: "gemini-3-flash-preview" }],
+      },
+    },
+  },
+}
+```
+
+<Accordion title="媒体模型条目字段">
+
+**提供商条目**（`type: "provider"` 或省略）：
+
+- `provider`：API 提供商 ID（`openai`、`anthropic`、`google`/`gemini`、`groq` 等）
+- `model`：模型 ID 覆盖
+- `profile` / `preferredProfile`：`auth-profiles.json` 配置文件选择
+
+**CLI 条目**（`type: "cli"`）：
+
+- `command`：要运行的可执行文件
+- `args`：模板化参数（支持 `{{MediaPath}}`、`{{Prompt}}`、`{{MaxChars}}` 等）
+
+**通用字段：**
+
+- `capabilities`：可选列表（`image`、`audio`、`video`）。默认值：`openai`/`anthropic`/`minimax` → 图像，`google` → 图像+音频+视频，`groq` → 音频。
+- `prompt`、`maxChars`、`maxBytes`、`timeoutSeconds`、`language`：按条目覆盖。
+- 失败时会回退到下一个条目。
+
+提供商认证遵循标准顺序：`auth-profiles.json` → 环境变量 → `models.providers.*.apiKey`。
+
+</Accordion>
+
+### `tools.agentToAgent`
+
+```json5
+{
+  tools: {
+    agentToAgent: {
+      enabled: false,
+      allow: ["home", "work"],
+    },
+  },
+}
+```
+
+### `tools.sessions`
+
+控制会话工具（`sessions_list`、`sessions_history`、`sessions_send`）可以定位哪些会话。
+
+默认值：`tree`（当前会话 + 由其派生的会话，例如子智能体）。
+
+```json5
+{
+  tools: {
+    sessions: {
+      // "self" | "tree" | "agent" | "all"
+      visibility: "tree",
+    },
+  },
+}
+```
+
+说明：
+
+- `self`：仅当前会话键。
+- `tree`：当前会话 + 由当前会话派生的会话（子智能体）。
+- `agent`：属于当前智能体 ID 的任意会话（如果你在相同智能体 ID 下运行按发送者划分的会话，可能包含其他用户）。
+- `all`：任意会话。跨智能体定位仍需要 `tools.agentToAgent`。
+- 沙箱钳制：当当前会话处于沙箱中且 `agents.defaults.sandbox.sessionToolsVisibility="spawned"` 时，即使 `tools.sessions.visibility="all"`，可见性也会被强制为 `tree`。
+
+### `tools.sessions_spawn`
+
+控制 `sessions_spawn` 的内联附件支持。
+
+```json5
+{
+  tools: {
+    sessions_spawn: {
+      attachments: {
+        enabled: false, // 选择性启用：设为 true 以允许内联文件附件
+        maxTotalBytes: 5242880, // 所有文件合计 5 MB
+        maxFiles: 50,
+        maxFileBytes: 1048576, // 每个文件 1 MB
+        retainOnSessionKeep: false, // 当 cleanup="keep" 时保留附件
+      },
+    },
+  },
+}
+```
+
+说明：
+
+- 仅 `runtime: "subagent"` 支持附件。ACP 运行时会拒绝它们。
+- 文件会被物化到子工作区中的 `.openclaw/attachments/<uuid>/`，并附带一个 `.manifest.json`。
+- 附件内容会自动从会话记录持久化中脱敏。
+- Base64 输入会通过严格的字母表/填充检查和解码前大小保护进行校验。
+- 文件权限为目录 `0700`、文件 `0600`。
+- 清理遵循 `cleanup` 策略：`delete` 总会删除附件；`keep` 仅在 `retainOnSessionKeep: true` 时保留。
+
+### `tools.subagents`
+
+```json5
+{
+  agents: {
+    defaults: {
+      subagents: {
+        model: "minimax/MiniMax-M2.5",
+        maxConcurrent: 1,
+        runTimeoutSeconds: 900,
+        archiveAfterMinutes: 60,
+      },
+    },
+  },
+}
+```
+
+- `model`：派生子智能体的默认模型。如果省略，子智能体会继承调用方的模型。
+- `runTimeoutSeconds`：当工具调用省略 `runTimeoutSeconds` 时，`sessions_spawn` 使用的默认超时（秒）。`0` 表示无超时。
+- 每个子智能体的工具策略：`tools.subagents.tools.allow` / `tools.subagents.tools.deny`。
+
+---
+
+## 自定义提供商和 base URL
+
+OpenClaw 使用 pi-coding-agent 模型目录。可通过配置中的 `models.providers` 或 `~/.openclaw/agents/<agentId>/agent/models.json` 添加自定义提供商。
+
+```json5
+{
+  models: {
+    mode: "merge", // merge（默认）| replace
+    providers: {
+      "custom-proxy": {
+        baseUrl: "http://localhost:4000/v1",
+        apiKey: "LITELLM_KEY",
+        api: "openai-completions", // openai-completions | openai-responses | anthropic-messages | google-generative-ai
+        models: [
+          {
+            id: "llama-3.1-8b",
+            name: "Llama 3.1 8B",
+            reasoning: false,
+            input: ["text"],
+            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+            contextWindow: 128000,
+            maxTokens: 32000,
+          },
+        ],
+      },
+    },
+  },
+}
+```
+
+- 对自定义认证需求可使用 `authHeader: true` + `headers`。
+- 使用 `OPENCLAW_AGENT_DIR`（或 `PI_CODING_AGENT_DIR`）覆盖智能体配置根目录。
+- 对匹配的 provider ID，合并优先级如下：
+  - 非空的智能体 `models.json` `baseUrl` 优先。
+  - 非空的智能体 `apiKey` 仅在该提供商未由当前配置/auth-profile 上下文中的 SecretRef 管理时优先。
+  - 由 SecretRef 管理的提供商 `apiKey` 会从源标记（环境变量引用为 `ENV_VAR_NAME`，file/exec 引用为 `secretref-managed`）刷新，而不是持久化已解析的密钥。
+  - 由 SecretRef 管理的提供商 header 值会从源标记刷新（环境变量引用为 `secretref-env:ENV_VAR_NAME`，file/exec 引用为 `secretref-managed`）。
+  - 为空或缺失的智能体 `apiKey`/`baseUrl` 会回退到配置中的 `models.providers`。
+  - 匹配模型的 `contextWindow`/`maxTokens` 会在显式配置值与隐式目录值之间取较大者。
+  - 当你希望配置完全重写 `models.json` 时，请使用 `models.mode: "replace"`。
+  - 标记持久化以源为准：写入的标记来自活动源配置快照（解析前），而不是解析后的运行时密钥值。
+
+### 提供商字段详情
+
+- `models.mode`：提供商目录行为（`merge` 或 `replace`）。
+- `models.providers`：以提供商 ID 为键的自定义提供商映射。
+- `models.providers.*.api`：请求适配器（`openai-completions`、`openai-responses`、`anthropic-messages`、`google-generative-ai` 等）。
+- `models.providers.*.apiKey`：提供商凭证（优先使用 SecretRef/环境变量替换）。
+- `models.providers.*.auth`：认证策略（`api-key`、`token`、`oauth`、`aws-sdk`）。
+- `models.providers.*.injectNumCtxForOpenAICompat`：对 Ollama + `openai-completions`，将 `options.num_ctx` 注入请求（默认：`true`）。
+- `models.providers.*.authHeader`：在需要时强制通过 `Authorization` 头传输凭证。
+- `models.providers.*.baseUrl`：上游 API base URL。
+- `models.providers.*.headers`：用于代理/租户路由的额外静态 header。
+- `models.providers.*.models`：显式的提供商模型目录条目。
+- `models.providers.*.models.*.compat.supportsDeveloperRole`：可选的兼容性提示。对 `api: "openai-completions"` 且非空、非原生 `baseUrl`（主机不是 `api.openai.com`）的情况，OpenClaw 会在运行时将其强制设为 `false`。空或省略的 `baseUrl` 会保留默认 OpenAI 行为。
+- `models.bedrockDiscovery`：Bedrock 自动发现设置根。
+- `models.bedrockDiscovery.enabled`：开启/关闭发现轮询。
+- `models.bedrockDiscovery.region`：发现使用的 AWS 区域。
+- `models.bedrockDiscovery.providerFilter`：用于定向发现的可选 provider-id 过滤器。
+- `models.bedrockDiscovery.refreshInterval`：发现刷新的轮询间隔。
+- `models.bedrockDiscovery.defaultContextWindow`：发现模型的回退上下文窗口。
+- `models.bedrockDiscovery.defaultMaxTokens`：发现模型的回退最大输出 token 数。
+
+### 提供商示例
+
+<Accordion title="Cerebras（GLM 4.6 / 4.7）">
+
+```json5
+{
+  env: { CEREBRAS_API_KEY: "sk-..." },
+  agents: {
+    defaults: {
+      model: {
+        primary: "cerebras/zai-glm-4.7",
+        fallbacks: ["cerebras/zai-glm-4.6"],
+      },
+      models: {
+        "cerebras/zai-glm-4.7": { alias: "GLM 4.7 (Cerebras)" },
+        "cerebras/zai-glm-4.6": { alias: "GLM 4.6 (Cerebras)" },
+      },
+    },
+  },
+  models: {
+    mode: "merge",
+    providers: {
+      cerebras: {
+        baseUrl: "https://api.cerebras.ai/v1",
+        apiKey: "${CEREBRAS_API_KEY}",
+        api: "openai-completions",
+        models: [
+          { id: "zai-glm-4.7", name: "GLM 4.7 (Cerebras)" },
+          { id: "zai-glm-4.6", name: "GLM 4.6 (Cerebras)" },
+        ],
+      },
+    },
+  },
+}
+```
+
+对 Cerebras 使用 `cerebras/zai-glm-4.7`；对 Z.AI 直连使用 `zai/glm-4.7`。
+
+</Accordion>
+
+<Accordion title="OpenCode">
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "opencode/claude-opus-4-6" },
+      models: { "opencode/claude-opus-4-6": { alias: "Opus" } },
+    },
+  },
+}
+```
+
+设置 `OPENCODE_API_KEY`（或 `OPENCODE_ZEN_API_KEY`）。Zen 目录使用 `opencode/...` 引用，Go 目录使用 `opencode-go/...` 引用。快捷方式：`openclaw onboard --auth-choice opencode-zen` 或 `openclaw onboard --auth-choice opencode-go`。
+
+</Accordion>
+
+<Accordion title="Z.AI（GLM-4.7）">
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "zai/glm-4.7" },
+      models: { "zai/glm-4.7": {} },
+    },
+  },
+}
+```
+
+设置 `ZAI_API_KEY`。`z.ai/*` 和 `z-ai/*` 都是可接受的别名。快捷方式：`openclaw onboard --auth-choice zai-api-key`。
+
+- 通用端点：`https://api.z.ai/api/paas/v4`
+- 编码端点（默认）：`https://api.z.ai/api/coding/paas/v4`
+- 对于通用端点，请定义一个带有 base URL 覆盖的自定义提供商。
+
+</Accordion>
+
+<Accordion title="Moonshot AI（Kimi）">
+
+```json5
+{
+  env: { MOONSHOT_API_KEY: "sk-..." },
+  agents: {
+    defaults: {
+      model: { primary: "moonshot/kimi-k2.5" },
+      models: { "moonshot/kimi-k2.5": { alias: "Kimi K2.5" } },
+    },
+  },
+  models: {
+    mode: "merge",
+    providers: {
+      moonshot: {
+        baseUrl: "https://api.moonshot.ai/v1",
+        apiKey: "${MOONSHOT_API_KEY}",
+        api: "openai-completions",
+        models: [
+          {
+            id: "kimi-k2.5",
+            name: "Kimi K2.5",
+            reasoning: false,
+            input: ["text"],
+            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+            contextWindow: 256000,
+            maxTokens: 8192,
+          },
+        ],
+      },
+    },
+  },
+}
+```
+
+中国端点可使用：`baseUrl: "https://api.moonshot.cn/v1"` 或 `openclaw onboard --auth-choice moonshot-api-key-cn`。
+
+</Accordion>
+
+<Accordion title="Kimi Coding">
+
+```json5
+{
+  env: { KIMI_API_KEY: "sk-..." },
+  agents: {
+    defaults: {
+      model: { primary: "kimi-coding/k2p5" },
+      models: { "kimi-coding/k2p5": { alias: "Kimi K2.5" } },
+    },
+  },
+}
+```
+
+兼容 Anthropic 的内置提供商。快捷方式：`openclaw onboard --auth-choice kimi-code-api-key`。
+
+</Accordion>
+
+<Accordion title="Synthetic（兼容 Anthropic）">
+
+```json5
+{
+  env: { SYNTHETIC_API_KEY: "sk-..." },
+  agents: {
+    defaults: {
+      model: { primary: "synthetic/hf:MiniMaxAI/MiniMax-M2.5" },
+      models: { "synthetic/hf:MiniMaxAI/MiniMax-M2.5": { alias: "MiniMax M2.5" } },
+    },
+  },
+  models: {
+    mode: "merge",
+    providers: {
+      synthetic: {
+        baseUrl: "https://api.synthetic.new/anthropic",
+        apiKey: "${SYNTHETIC_API_KEY}",
+        api: "anthropic-messages",
+        models: [
+          {
+            id: "hf:MiniMaxAI/MiniMax-M2.5",
+            name: "MiniMax M2.5",
+            reasoning: true,
+            input: ["text"],
+            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+            contextWindow: 192000,
+            maxTokens: 65536,
+          },
+        ],
+      },
+    },
+  },
+}
+```
+
+Base URL 不应包含 `/v1`（Anthropic 客户端会追加它）。快捷方式：`openclaw onboard --auth-choice synthetic-api-key`。
+
+</Accordion>
+
+<Accordion title="MiniMax M2.5（直连）">
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "minimax/MiniMax-M2.5" },
+      models: {
+        "minimax/MiniMax-M2.5": { alias: "Minimax" },
+      },
+    },
+  },
+  models: {
+    mode: "merge",
+    providers: {
+      minimax: {
+        baseUrl: "https://api.minimax.io/anthropic",
+        apiKey: "${MINIMAX_API_KEY}",
+        api: "anthropic-messages",
+        models: [
+          {
+            id: "MiniMax-M2.5",
+            name: "MiniMax M2.5",
+            reasoning: true,
+            input: ["text"],
+            cost: { input: 15, output: 60, cacheRead: 2, cacheWrite: 10 },
+            contextWindow: 200000,
+            maxTokens: 8192,
+          },
+        ],
+      },
+    },
+  },
+}
+```
+
+设置 `MINIMAX_API_KEY`。快捷方式：`openclaw onboard --auth-choice minimax-api`。
+
+</Accordion>
+
+<Accordion title="本地模型（LM Studio）">
+
+参见 [Local Models](/gateway/local-models)。简而言之：在强劲硬件上通过 LM Studio Responses API 运行 MiniMax M2.5；并保留托管模型合并，以便故障切换。
+
+</Accordion>
+
+---
+
+## Skills
+
+```json5
+{
+  skills: {
+    allowBundled: ["gemini", "peekaboo"],
+    load: {
+      extraDirs: ["~/Projects/agent-scripts/skills"],
+    },
+    install: {
+      preferBrew: true,
+      nodeManager: "npm", // npm | pnpm | yarn
+    },
+    entries: {
+      "nano-banana-pro": {
+        apiKey: { source: "env", provider: "default", id: "GEMINI_API_KEY" }, // 或明文字符串
+        env: { GEMINI_API_KEY: "GEMINI_KEY_HERE" },
+      },
+      peekaboo: { enabled: true },
+      sag: { enabled: false },
+    },
+  },
+}
+```
+
+- `allowBundled`：仅针对捆绑 Skills 的可选 allowlist（托管/工作区 Skills 不受影响）。
+- `entries.<skillKey>.enabled: false`：即使某个技能已捆绑/已安装，也会禁用它。
+- `entries.<skillKey>.apiKey`：针对声明主环境变量的技能提供的便捷字段（明文字符串或 SecretRef 对象）。
+
+---
+
+## 插件
+
+```json5
+{
+  plugins: {
+    enabled: true,
+    allow: ["voice-call"],
+    deny: [],
+    load: {
+      paths: ["~/Projects/oss/voice-call-extension"],
+    },
+    entries: {
+      "voice-call": {
+        enabled: true,
+        hooks: {
+          allowPromptInjection: false,
+        },
+        config: { provider: "twilio" },
+      },
+    },
+  },
+}
+```
+
+- 从 `~/.openclaw/extensions`、`<workspace>/.openclaw/extensions` 以及 `plugins.load.paths` 加载。
+- 设备发现同时接受原生 OpenClaw 插件、兼容的 Codex bundle 和 Claude bundle，包括无 manifest 的 Claude 默认布局 bundle。
+- **配置更改需要重启 Gateway 网关。**
+- `allow`：可选 allowlist（仅加载列出的插件）。`deny` 优先。
+- `plugins.entries.<id>.apiKey`：插件级 API key 便捷字段（插件支持时）。
+- `plugins.entries.<id>.env`：插件作用域环境变量映射。
+- `plugins.entries.<id>.hooks.allowPromptInjection`：为 `false` 时，核心会阻止 `before_prompt_build`，并忽略旧版 `before_agent_start` 中会修改 prompt 的字段，同时保留旧版 `modelOverride` 和 `providerOverride`。适用于原生插件 hook 以及受支持 bundle 提供的 hook 目录。
+- `plugins.entries.<id>.config`：插件定义的配置对象（如有可用原生 OpenClaw 插件 schema，则会校验）。
+- 已启用的 Claude bundle 插件也可以从 `settings.json` 提供嵌入式 Pi 默认值；OpenClaw 会将其作为净化后的智能体设置应用，而不是作为原始 OpenClaw 配置补丁。
+- `plugins.slots.memory`：选择活动记忆插件 ID，或设为 `"none"` 以禁用记忆插件。
+- `plugins.slots.contextEngine`：选择活动上下文引擎插件 ID；默认是 `"legacy"`，除非你安装并选择了其他引擎。
+- `plugins.installs`：由 CLI 管理的安装元数据，供 `openclaw plugins update` 使用。
+  - 包括 `source`、`spec`、`sourcePath`、`installPath`、`version`、`resolvedName`、`resolvedVersion`、`resolvedSpec`、`integrity`、`shasum`、`resolvedAt`、`installedAt`。
+  - 请将 `plugins.installs.*` 视为托管状态；优先使用 CLI 命令，而不是手动编辑。
+
+见 [Plugins](/tools/plugin)。
+
+---
+
+## 浏览器
+
+```json5
+{
+  browser: {
+    enabled: true,
+    evaluateEnabled: true,
+    defaultProfile: "user",
+    ssrfPolicy: {
+      dangerouslyAllowPrivateNetwork: true, // 默认可信网络模式
+      // allowPrivateNetwork: true, // 旧别名
+      // hostnameAllowlist: ["*.example.com", "example.com"],
+      // allowedHostnames: ["localhost"],
+    },
+    profiles: {
+      openclaw: { cdpPort: 18800, color: "#FF4500" },
+      work: { cdpPort: 18801, color: "#0066CC" },
+      remote: { cdpUrl: "http://10.0.0.42:9222", color: "#00AA00" },
+    },
+    color: "#FF4500",
+    // headless: false,
+    // noSandbox: false,
+    // extraArgs: [],
+    // relayBindHost: "0.0.0.0", // 仅在扩展 relay 需要跨命名空间可达时（例如 WSL2）
+    // executablePath: "/Applications/Brave Browser.app/Contents/MacOS/Brave Browser",
+    // attachOnly: false,
+  },
+}
+```
+
+- `evaluateEnabled: false` 会禁用 `act:evaluate` 和 `wait --fn`。
+- `ssrfPolicy.dangerouslyAllowPrivateNetwork` 在未设置时默认为 `true`（可信网络模型）。
+- 若要启用严格的仅公共网络浏览导航，请设置 `ssrfPolicy.dangerouslyAllowPrivateNetwork: false`。
+- 在严格模式下，远程 CDP 配置文件端点（`profiles.*.cdpUrl`）在可达性/发现检查期间也受相同的私有网络阻止规则限制。
+- `ssrfPolicy.allowPrivateNetwork` 仍支持作为旧别名。
+- 在严格模式下，可使用 `ssrfPolicy.hostnameAllowlist` 和 `ssrfPolicy.allowedHostnames` 显式放行例外。
+- 远程配置文件为仅附加模式（禁止启动/停止/重置）。
+- 自动检测顺序：默认浏览器如果是基于 Chromium → Chrome → Brave → Edge → Chromium → Chrome Canary。
+- 控制服务：仅 loopback（端口由 `gateway.port` 派生，默认 `18791`）。
+- `extraArgs` 会向本地 Chromium 启动追加额外标志（例如
+  `--disable-gpu`、窗口大小设置或调试标志）。
+- `relayBindHost` 更改 Chrome 扩展 relay 的监听地址。若只需 loopback 访问请保持未设置；仅当 relay 必须跨命名空间边界可达（例如 WSL2）且主机网络已受信任时，才显式设置为非 loopback 地址，例如 `0.0.0.0`。
+
+---
+
+## UI
+
+```json5
+{
+  ui: {
+    seamColor: "#FF4500",
+    assistant: {
+      name: "OpenClaw",
+      avatar: "CB", // emoji、短文本、图片 URL 或 data URI
+    },
+  },
+}
+```
+
+- `seamColor`：原生应用 UI 外观的强调色（Talk 模式气泡着色等）。
+- `assistant`：Control UI 身份覆盖。回退到活动智能体身份。
+
+---
+
+## Gateway 网关
+
+```json5
+{
+  gateway: {
+    mode: "local", // local | remote
+    port: 18789,
+    bind: "loopback",
+    auth: {
+      mode: "token", // none | token | password | trusted-proxy
+      token: "your-token",
+      // password: "your-password", // 或 OPENCLAW_GATEWAY_PASSWORD
+      // trustedProxy: { userHeader: "x-forwarded-user" }, // 用于 mode=trusted-proxy；见 /gateway/trusted-proxy-auth
+      allowTailscale: true,
+      rateLimit: {
+        maxAttempts: 10,
+        windowMs: 60000,
+        lockoutMs: 300000,
+        exemptLoopback: true,
+      },
+    },
+    tailscale: {
+      mode: "off", // off | serve | funnel
+      resetOnExit: false,
+    },
+    controlUi: {
+      enabled: true,
+      basePath: "/openclaw",
+      // root: "dist/control-ui",
+      // allowedOrigins: ["https://control.example.com"], // 非 loopback Control UI 必需
+      // dangerouslyAllowHostHeaderOriginFallback: false, // 危险的 Host-header origin 回退模式
+      // allowInsecureAuth: false,
+      // dangerouslyDisableDeviceAuth: false,
+    },
+    remote: {
+      url: "ws://gateway.tailnet:18789",
+      transport: "ssh", // ssh | direct
+      token: "your-token",
+      // password: "your-password",
+    },
+    trustedProxies: ["10.0.0.1"],
+    // 可选。默认 false。
+    allowRealIpFallback: false,
+    tools: {
+      // 额外的 /tools/invoke HTTP deny
+      deny: ["browser"],
+      // 从默认 HTTP deny 列表中移除工具
+      allow: ["gateway"],
+    },
+    push: {
+      apns: {
+        relay: {
+          baseUrl: "https://relay.example.com",
+          timeoutMs: 10000,
+        },
+      },
+    },
+  },
+}
+```
+
+<Accordion title="Gateway 网关字段详情">
+
+- `mode`：`local`（运行网关）或 `remote`（连接远程网关）。除非为 `local`，否则 Gateway 网关拒绝启动。
+- `port`：用于 WS + HTTP 的单一复用端口。优先级：`--port` > `OPENCLAW_GATEWAY_PORT` > `gateway.port` > `18789`。
+- `bind`：`auto`、`loopback`（默认）、`lan`（`0.0.0.0`）、`tailnet`（仅 Tailscale IP）或 `custom`。
+- **旧版 bind 别名**：请在 `gateway.bind` 中使用 bind 模式值（`auto`、`loopback`、`lan`、`tailnet`、`custom`），不要使用主机别名（`0.0.0.0`、`127.0.0.1`、`localhost`、`::`、`::1`）。
+- **Docker 说明**：默认的 `loopback` bind 在容器内监听 `127.0.0.1`。在 Docker bridge 网络（`-p 18789:18789`）下，流量从 `eth0` 进入，因此网关不可达。请使用 `--network host`，或设置 `bind: "lan"`（或 `bind: "custom"` 并配合 `customBindHost: "0.0.0.0"`）以监听所有接口。
+- **认证**：默认要求认证。非 loopback bind 需要共享 token/password。新手引导默认会生成一个 token。
+- 如果同时配置了 `gateway.auth.token` 和 `gateway.auth.password`（包括 SecretRef），请显式设置 `gateway.auth.mode` 为 `token` 或 `password`。如果两者都已配置但 mode 未设置，启动和服务安装/修复流程都会失败。
+- `gateway.auth.mode: "none"`：显式无认证模式。仅用于受信任的本地 local loopback 设置；新手引导提示中故意不提供此选项。
+- `gateway.auth.mode: "trusted-proxy"`：将认证委托给具备身份感知能力的反向代理，并信任来自 `gateway.trustedProxies` 的身份头（见 [Trusted Proxy Auth](/gateway/trusted-proxy-auth)）。
+- `gateway.auth.allowTailscale`：为 `true` 时，Tailscale Serve 身份头可满足 Control UI/WebSocket 认证（通过 `tailscale whois` 验证）；HTTP API 端点仍要求 token/password 认证。这种无 token 流程假定网关主机是受信任的。当 `tailscale.mode = "serve"` 时默认值为 `true`。
+- `gateway.auth.rateLimit`：可选的认证失败限流器。按客户端 IP 和认证范围生效（共享密钥和设备 token 分别跟踪）。被阻止的尝试返回 `429` + `Retry-After`。
+  - `gateway.auth.rateLimit.exemptLoopback` 默认值为 `true`；当你有意希望 localhost 流量也受限流时（用于测试设置或严格代理部署），请设为 `false`。
+- 来自浏览器 origin 的 WS 认证尝试始终会在禁用 loopback 豁免的情况下限流（作为对基于浏览器的 localhost 暴力破解的纵深防御）。
+- `tailscale.mode`：`serve`（仅 tailnet，loopback bind）或 `funnel`（公开，需要认证）。
+- `controlUi.allowedOrigins`：用于 Gateway 网关 WebSocket 连接的显式浏览器 origin allowlist。当浏览器客户端预期来自非 loopback origin 时必须设置。
+- `controlUi.dangerouslyAllowHostHeaderOriginFallback`：危险模式，为那些刻意依赖 Host-header origin 策略的部署启用 Host-header origin 回退。
+- `remote.transport`：`ssh`（默认）或 `direct`（ws/wss）。对于 `direct`，`remote.url` 必须是 `ws://` 或 `wss://`。
+- `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`：客户端侧的紧急覆盖，允许对受信任的私有网络 IP 使用明文 `ws://`；默认仍只允许 loopback 使用明文。
+- `gateway.remote.token` / `.password` 是远程客户端凭证字段。它们本身不会配置网关认证。
+- `gateway.push.apns.relay.baseUrl`：官方/TestFlight iOS 版本在将基于 relay 的注册发布到网关后，供网关使用的外部 APNs relay 基础 HTTPS URL。该 URL 必须与编译进 iOS 构建中的 relay URL 一致。
+- `gateway.push.apns.relay.timeoutMs`：网关到 relay 的发送超时（毫秒）。默认值为 `10000`。
+- 基于 relay 的注册会被委派给一个特定网关身份。配对的 iOS 应用会获取 `gateway.identity.get`，将该身份包含到 relay 注册中，并将带注册作用域的发送授权转发给网关。其他网关不能复用该已存储注册。
+- `OPENCLAW_APNS_RELAY_BASE_URL` / `OPENCLAW_APNS_RELAY_TIMEOUT_MS`：用于覆盖上述 relay 配置的临时环境变量。
+- `OPENCLAW_APNS_RELAY_ALLOW_HTTP=true`：仅开发用的逃生口，用于 loopback HTTP relay URL。生产 relay URL 应保持为 HTTPS。
+- `gateway.channelHealthCheckMinutes`：渠道健康检查监视间隔（分钟）。设为 `0` 可全局禁用健康检查重启。默认：`5`。
+- `gateway.channelStaleEventThresholdMinutes`：陈旧 socket 阈值（分钟）。请保持其大于或等于 `gateway.channelHealthCheckMinutes`。默认：`30`。
+- `gateway.channelMaxRestartsPerHour`：滚动一小时内，每个渠道/账户允许的最大健康检查重启次数。默认：`10`。
+- `channels.<provider>.healthMonitor.enabled`：按渠道选择退出健康检查重启，同时保留全局监视器开启。
+- `channels.<provider>.accounts.<accountId>.healthMonitor.enabled`：多账户渠道的按账户覆盖。设置后，它优先于渠道级覆盖。
+- 仅当 `gateway.auth.*` 未设置时，本地 Gateway 网关调用路径才可回退到 `gateway.remote.*`。
+- 如果 `gateway.auth.token` / `gateway.auth.password` 通过 SecretRef 显式配置但无法解析，解析会以默认拒绝方式失败（不会用 remote 回退掩盖）。
+- `trustedProxies`：终止 TLS 的反向代理 IP。仅列出你控制的代理。
+- `allowRealIpFallback`：为 `true` 时，当缺失 `X-Forwarded-For` 时，Gateway 网关接受 `X-Real-IP`。默认为 `false`，以实现默认拒绝行为。
+- `gateway.tools.deny`：对 HTTP `POST /tools/invoke` 额外阻止的工具名（扩展默认 deny 列表）。
+- `gateway.tools.allow`：从默认 HTTP deny 列表中移除工具名。
+
+</Accordion>
+
+### 兼容 OpenAI 的端点
+
+- Chat Completions：默认禁用。通过 `gateway.http.endpoints.chatCompletions.enabled: true` 启用。
+- Responses API：`gateway.http.endpoints.responses.enabled`。
+- Responses URL 输入加固：
+  - `gateway.http.endpoints.responses.maxUrlParts`
+  - `gateway.http.endpoints.responses.files.urlAllowlist`
+  - `gateway.http.endpoints.responses.images.urlAllowlist`
+- 可选的响应加固 header：
+  - `gateway.http.securityHeaders.strictTransportSecurity`（仅对你控制的 HTTPS origin 设置；见 [Trusted Proxy Auth](/gateway/trusted-proxy-auth#tls-termination-and-hsts)）
+
+### 多实例隔离
+
+使用不同端口和状态目录，在一台主机上运行多个网关：
+
+```bash
+OPENCLAW_CONFIG_PATH=~/.openclaw/a.json \
+OPENCLAW_STATE_DIR=~/.openclaw-a \
+openclaw gateway --port 19001
+```
+
+便捷标志：`--dev`（使用 `~/.openclaw-dev` + 端口 `19001`）、`--profile <name>`（使用 `~/.openclaw-<name>`）。
+
+见 [Multiple Gateways](/gateway/multiple-gateways)。
+
+---
+
+## Hooks
+
+```json5
+{
+  hooks: {
+    enabled: true,
+    token: "shared-secret",
+    path: "/hooks",
+    maxBodyBytes: 262144,
+    defaultSessionKey: "hook:ingress",
+    allowRequestSessionKey: false,
+    allowedSessionKeyPrefixes: ["hook:"],
+    allowedAgentIds: ["hooks", "main"],
+    presets: ["gmail"],
+    transformsDir: "~/.openclaw/hooks/transforms",
+    mappings: [
+      {
+        match: { path: "gmail" },
+        action: "agent",
+        agentId: "hooks",
+        wakeMode: "now",
+        name: "Gmail",
+        sessionKey: "hook:gmail:{{messages[0].id}}",
+        messageTemplate: "From: {{messages[0].from}}\nSubject: {{messages[0].subject}}\n{{messages[0].snippet}}",
+        deliver: true,
+        channel: "last",
+        model: "openai/gpt-5.2-mini",
+      },
+    ],
+  },
+}
+```
+
+认证：`Authorization: Bearer <token>` 或 `x-openclaw-token: <token>`。
+
+**端点：**
+
+- `POST /hooks/wake` → `{ text, mode?: "now"|"next-heartbeat" }`
+- `POST /hooks/agent` → `{ message, name?, agentId?, sessionKey?, wakeMode?, deliver?, channel?, to?, model?, thinking?, timeoutSeconds? }`
+  - 仅当 `hooks.allowRequestSessionKey=true`（默认：`false`）时，才接受请求负载中的 `sessionKey`。
+- `POST /hooks/<name>` → 通过 `hooks.mappings` 解析
+
+<Accordion title="映射详情">
+
+- `match.path` 匹配 `/hooks` 之后的子路径（例如 `/hooks/gmail` → `gmail`）。
+- `match.source` 匹配通用路径中的某个负载字段。
+- 像 `{{messages[0].subject}}` 这样的模板会从负载中读取。
+- `transform` 可指向返回 hook 操作的 JS/TS 模块。
+  - `transform.module` 必须是相对路径，并且始终位于 `hooks.transformsDir` 内（绝对路径和路径穿越会被拒绝）。
+- `agentId` 会路由到指定智能体；未知 ID 会回退到默认值。
+- `allowedAgentIds`：限制显式路由（`*` 或省略 = 允许全部，`[]` = 全部拒绝）。
+- `defaultSessionKey`：可选的固定会话键，用于未显式提供 `sessionKey` 的 hook 智能体运行。
+- `allowRequestSessionKey`：允许 `/hooks/agent` 调用方设置 `sessionKey`（默认：`false`）。
+- `allowedSessionKeyPrefixes`：针对显式 `sessionKey` 值（请求 + 映射）的可选前缀 allowlist，例如 `["hook:"]`。
+- `deliver: true` 会将最终回复发送到某个渠道；`channel` 默认为 `last`。
+- `model` 会覆盖此次 hook 运行的 LLM（如果已设置模型目录，则必须是允许的模型）。
+
+</Accordion>
+
+### Gmail 集成
+
+```json5
+{
+  hooks: {
+    gmail: {
+      account: "openclaw@gmail.com",
+      topic: "projects/<project-id>/topics/gog-gmail-watch",
+      subscription: "gog-gmail-watch-push",
+      pushToken: "shared-push-token",
+      hookUrl: "http://127.0.0.1:18789/hooks/gmail",
+      includeBody: true,
+      maxBytes: 20000,
+      renewEveryMinutes: 720,
+      serve: { bind: "127.0.0.1", port: 8788, path: "/" },
+      tailscale: { mode: "funnel", path: "/gmail-pubsub" },
+      model: "openrouter/meta-llama/llama-3.3-70b-instruct:free",
+      thinking: "off",
+    },
+  },
+}
+```
+
+- 配置后，Gateway 网关会在启动时自动启动 `gog gmail watch serve`。设置 `OPENCLAW_SKIP_GMAIL_WATCHER=1` 可禁用。
+- 不要与 Gateway 网关同时单独运行 `gog gmail watch serve`。
+
+---
+
+## Canvas host
+
+```json5
+{
+  canvasHost: {
+    root: "~/.openclaw/workspace/canvas",
+    liveReload: true,
+    // enabled: false, // 或 OPENCLAW_SKIP_CANVAS_HOST=1
+  },
+}
+```
+
+- 在 Gateway 网关端口下，通过 HTTP 提供可由智能体编辑的 HTML/CSS/JS 和 A2UI：
+  - `http://<gateway-host>:<gateway.port>/__openclaw__/canvas/`
+  - `http://<gateway-host>:<gateway.port>/__openclaw__/a2ui/`
+- 仅限本地：保持 `gateway.bind: "loopback"`（默认）。
+- 非 loopback bind：canvas 路由需要 Gateway 网关认证（token/password/trusted-proxy），与其他 Gateway 网关 HTTP 界面一致。
+- Node WebView 通常不会发送认证头；在某个节点完成配对并连接后，Gateway 网关会为 canvas/A2UI 访问通告带节点作用域的 capability URL。
+- Capability URL 绑定到活动节点 WS 会话，并且很快过期。不使用基于 IP 的回退。
+- 会向所服务的 HTML 中注入 live-reload 客户端。
+- 空目录时会自动创建起始 `index.html`。
+- 也会在 `/__openclaw__/a2ui/` 提供 A2UI。
+- 更改需要重启 Gateway 网关。
+- 对于大型目录或 `EMFILE` 错误，请禁用 live reload。
+
+---
+
+## 设备发现
+
+### mDNS（Bonjour）
+
+```json5
+{
+  discovery: {
+    mdns: {
+      mode: "minimal", // minimal | full | off
+    },
+  },
+}
+```
+
+- `minimal`（默认）：从 TXT 记录中省略 `cliPath` + `sshPort`。
+- `full`：包含 `cliPath` + `sshPort`。
+- 主机名默认为 `openclaw`。可使用 `OPENCLAW_MDNS_HOSTNAME` 覆盖。
+
+### 广域（DNS-SD）
+
+```json5
+{
+  discovery: {
+    wideArea: { enabled: true },
+  },
+}
+```
+
+在 `~/.openclaw/dns/` 下写入一个单播 DNS-SD 区域。对于跨网络设备发现，可与 DNS 服务器（推荐 CoreDNS）+ Tailscale split DNS 搭配使用。
+
+设置：`openclaw dns setup --apply`。
+
+---
+
+## 环境
+
+### `env`（内联环境变量）
+
+```json5
+{
+  env: {
+    OPENROUTER_API_KEY: "sk-or-...",
+    vars: {
+      GROQ_API_KEY: "gsk-...",
+    },
+    shellEnv: {
+      enabled: true,
+      timeoutMs: 15000,
+    },
+  },
+}
+```
+
+- 仅当进程环境中缺少该键时，才会应用内联环境变量。
+- `.env` 文件：当前工作目录 `.env` + `~/.openclaw/.env`（两者都不会覆盖现有变量）。
+- `shellEnv`：从你的登录 shell 配置文件导入缺失的预期键名。
+- 完整优先级见 [Environment](/help/environment)。
+
+### 环境变量替换
+
+可在任意配置字符串中使用 `${VAR_NAME}` 引用环境变量：
+
+```json5
+{
+  gateway: {
+    auth: { token: "${OPENCLAW_GATEWAY_TOKEN}" },
+  },
+}
+```
+
+- 仅匹配大写名称：`[A-Z_][A-Z0-9_]*`。
+- 缺失/为空的变量会在配置加载时抛出错误。
+- 使用 `$${VAR}` 可转义为字面量 `${VAR}`。
+- 适用于 `$include`。
+
+---
+
+## 密钥
+
+Secret refs 是增量能力：明文值仍然可用。
+
+### `SecretRef`
+
+使用以下对象形式之一：
+
+```json5
+{ source: "env" | "file" | "exec", provider: "default", id: "..." }
+```
+
+校验：
+
+- `provider` 模式：`^[a-z][a-z0-9_-]{0,63}$`
+- `source: "env"` 的 id 模式：`^[A-Z][A-Z0-9_]{0,127}$`
+- `source: "file"` 的 id：绝对 JSON pointer（例如 `"/providers/openai/apiKey"`）
+- `source: "exec"` 的 id 模式：`^[A-Za-z0-9][A-Za-z0-9._:/-]{0,255}$`
+- `source: "exec"` 的 id 不能包含以斜杠分隔的 `.` 或 `..` 路径段（例如 `a/../b` 会被拒绝）
+
+### 支持的凭证表面
+
+- 规范矩阵：[SecretRef Credential Surface](/reference/secretref-credential-surface)
+- `secrets apply` 会定位受支持的 `openclaw.json` 凭证路径。
+- `auth-profiles.json` 中的 ref 也包含在运行时解析和审计覆盖范围内。
+
+### Secret providers 配置
+
+```json5
+{
+  secrets: {
+    providers: {
+      default: { source: "env" }, // 可选的显式环境变量提供商
+      filemain: {
+        source: "file",
+        path: "~/.openclaw/secrets.json",
+        mode: "json",
+        timeoutMs: 5000,
+      },
+      vault: {
+        source: "exec",
+        command: "/usr/local/bin/openclaw-vault-resolver",
+        passEnv: ["PATH", "VAULT_ADDR"],
+      },
+    },
+    defaults: {
+      env: "default",
+      file: "filemain",
+      exec: "vault",
+    },
+  },
+}
+```
+
+说明：
+
+- `file` 提供商支持 `mode: "json"` 和 `mode: "singleValue"`（在 singleValue 模式下，`id` 必须是 `"value"`）。
+- `exec` 提供商要求绝对 `command` 路径，并通过 stdin/stdout 使用协议负载。
+- 默认会拒绝符号链接命令路径。设置 `allowSymlinkCommand: true` 可允许符号链接路径，同时校验解析后的目标路径。
+- 如果配置了 `trustedDirs`，则受信任目录检查会应用到解析后的目标路径。
+- `exec` 子进程环境默认最小化；请通过 `passEnv` 显式传递所需变量。
+- Secret refs 会在激活时解析为内存快照，之后请求路径只读取该快照。
+- 激活期间会应用活动表面过滤：已启用表面上的未解析 ref 会导致启动/重载失败，而非活动表面会被跳过并记录诊断信息。
+
+---
+
+## 认证存储
+
+```json5
+{
+  auth: {
+    profiles: {
+      "anthropic:me@example.com": { provider: "anthropic", mode: "oauth", email: "me@example.com" },
+      "anthropic:work": { provider: "anthropic", mode: "api_key" },
+    },
+    order: {
+      anthropic: ["anthropic:me@example.com", "anthropic:work"],
+    },
+  },
+}
+```
+
+- 每个智能体的配置文件存储在 `<agentDir>/auth-profiles.json`。
+- `auth-profiles.json` 支持值级 ref（`api_key` 使用 `keyRef`，`token` 使用 `tokenRef`）。
+- 静态运行时凭证来自内存中的已解析快照；发现旧版静态 `auth.json` 条目时会进行清理。
+- 旧版 OAuth 会从 `~/.openclaw/credentials/oauth.json` 导入。
+- 见 [OAuth](/concepts/oauth)。
+- Secrets 运行时行为以及 `audit/configure/apply` 工具：见 [Secrets Management](/gateway/secrets)。
+
+---
+
+## 日志
+
+```json5
+{
+  logging: {
+    level: "info",
+    file: "/tmp/openclaw/openclaw.log",
+    consoleLevel: "info",
+    consoleStyle: "pretty", // pretty | compact | json
+    redactSensitive: "tools", // off | tools
+    redactPatterns: ["\\bTOKEN\\b\\s*[=:]\\s*([\"']?)([^\\s\"']+)\\1"],
+  },
+}
+```
+
+- 默认日志文件：`/tmp/openclaw/openclaw-YYYY-MM-DD.log`。
+- 设置 `logging.file` 以获得稳定路径。
+- 使用 `--verbose` 时，`consoleLevel` 会提升为 `debug`。
+
+---
+
+## CLI
+
+```json5
+{
+  cli: {
+    banner: {
+      taglineMode: "off", // random | default | off
+    },
+  },
+}
+```
+
+- `cli.banner.taglineMode` 控制横幅标语样式：
+  - `"random"`（默认）：轮换的有趣/季节性标语。
+  - `"default"`：固定的中性标语（`All your chats, one OpenClaw.`）。
+  - `"off"`：不显示标语文本（仍显示横幅标题/版本）。
+- 若要隐藏整个横幅（而不仅是标语），请设置环境变量 `OPENCLAW_HIDE_BANNER=1`。
+
+---
+
+## 向导
+
+由 CLI 向导（`onboard`、`configure`、`doctor`）写入的元数据：
+
+```json5
+{
+  wizard: {
+    lastRunAt: "2026-01-01T00:00:00.000Z",
+    lastRunVersion: "2026.1.4",
+    lastRunCommit: "abc1234",
+    lastRunCommand: "configure",
+    lastRunMode: "local",
+  },
+}
+```
+
+---
+
+## 身份
+
+```json5
+{
+  agents: {
+    list: [
+      {
+        id: "main",
+        identity: {
+          name: "Samantha",
+          theme: "helpful sloth",
+          emoji: "🦥",
+          avatar: "avatars/samantha.png",
+        },
+      },
+    ],
+  },
+}
+```
+
+由 macOS 新手引导助手写入。会派生默认值：
+
+- 从 `identity.emoji` 派生 `messages.ackReaction`（回退为 👀）
+- 从 `identity.name`/`identity.emoji` 派生 `mentionPatterns`
+- `avatar` 接受：工作区相对路径、`http(s)` URL 或 `data:` URI
+
+---
+
+## Bridge（旧版，已移除）
+
+当前版本不再包含 TCP bridge。节点通过 Gateway 网关 WebSocket 连接。`bridge.*` 键已不再属于配置 schema 的一部分（在移除前校验会失败；`openclaw doctor --fix` 可清除未知键）。
+
+<Accordion title="旧版 bridge 配置（历史参考）">
+
+```json
+{
+  "bridge": {
+    "enabled": true,
+    "port": 18790,
+    "bind": "tailnet",
+    "tls": {
+      "enabled": true,
+      "autoGenerate": true
+    }
+  }
+}
+```
+
+</Accordion>
+
+---
+
+## Cron
+
+```json5
+{
+  cron: {
+    enabled: true,
+    maxConcurrentRuns: 2,
+    webhook: "https://example.invalid/legacy", // 旧版回退，仅用于已存储的 notify:true 作业
+    webhookToken: "replace-with-dedicated-token", // 可选，用于出站 webhook 认证的 bearer token
+    sessionRetention: "24h", // 时长字符串或 false
+    runLog: {
+      maxBytes: "2mb", // 默认 2_000_000 字节
+      keepLines: 2000, // 默认 2000
+    },
+  },
+}
+```
+
+- `sessionRetention`：已完成的隔离 Cron 运行会话在从 `sessions.json` 清理前保留多久。也控制已归档、已删除的 Cron 记录清理。默认：`24h`；设为 `false` 可禁用。
+- `runLog.maxBytes`：每个运行日志文件（`cron/runs/<jobId>.jsonl`）在清理前的最大大小。默认：`2_000_000` 字节。
+- `runLog.keepLines`：触发运行日志清理时保留的最新行数。默认：`2000`。
+- `webhookToken`：用于 Cron webhook POST 投递（`delivery.mode = "webhook"`）的 bearer token；若省略则不发送认证头。
+- `webhook`：已弃用的旧版回退 webhook URL（http/https），仅用于仍然具有 `notify: true` 的已存储作业。
+
+见 [Cron Jobs](/automation/cron-jobs)。
+
+---
+
+## 媒体模型模板变量
+
+会在 `tools.media.models[].args` 中展开的模板占位符：
+
+| Variable           | Description                                  |
+| ------------------ | -------------------------------------------- |
+| `{{Body}}`         | 完整入站消息正文                             |
+| `{{RawBody}}`      | 原始正文（无历史/发送者包装）                |
+| `{{BodyStripped}}` | 去除群组提及后的正文                         |
+| `{{From}}`         | 发送者标识符                                 |
+| `{{To}}`           | 目标标识符                                   |
+| `{{MessageSid}}`   | 渠道消息 ID                                  |
+| `{{SessionId}}`    | 当前会话 UUID                                |
+| `{{IsNewSession}}` | 新建会话时为 `"true"`                        |
+| `{{MediaUrl}}`     | 入站媒体伪 URL                               |
+| `{{MediaPath}}`    | 本地媒体路径                                 |
+| `{{MediaType}}`    | 媒体类型（image/audio/document/…）           |
+| `{{Transcript}}`   | 音频转录                                     |
+| `{{Prompt}}`       | 为 CLI 条目解析后的媒体提示                  |
+| `{{MaxChars}}`     | 为 CLI 条目解析后的最大输出字符数            |
+| `{{ChatType}}`     | `"direct"` 或 `"group"`                      |
+| `{{GroupSubject}}` | 群组主题（尽力而为）                         |
+| `{{GroupMembers}}` | 群组成员预览（尽力而为）                     |
+| `{{SenderName}}`   | 发送者显示名（尽力而为）                     |
+| `{{SenderE164}}`   | 发送者电话号码（尽力而为）                   |
+| `{{Provider}}`     | 提供商提示（whatsapp、telegram、discord 等） |
+
+---
+
+## 配置 includes（`$include`）
+
+将配置拆分为多个文件：
+
+```json5
+// ~/.openclaw/openclaw.json
+{
+  gateway: { port: 18789 },
+  agents: { $include: "./agents.json5" },
+  broadcast: {
+    $include: ["./clients/mueller.json5", "./clients/schmidt.json5"],
+  },
+}
+```
+
+**合并行为：**
+
+- 单个文件：替换包含它的对象。
+- 文件数组：按顺序深度合并（后者覆盖前者）。
+- 同级键：在 include 之后再合并（覆盖被包含的值）。
+- 嵌套 include：最多 10 层。
+- 路径：相对于包含它的文件解析，但必须保持在顶层配置目录（`openclaw.json` 的 `dirname`）内。只有在最终解析结果仍位于该边界内时，才允许使用绝对路径/`../` 形式。
+- 错误：缺失文件、解析错误和循环 include 都会给出清晰错误信息。
+
+---
+
+_相关内容：[Configuration](/gateway/configuration) · [Configuration Examples](/gateway/configuration-examples) · [Doctor](/gateway/doctor)_
diff --git a/docs/zh-CN/gateway/configuration.md b/docs/zh-CN/gateway/configuration.md
index cd269cef3b8..49c62eea4c9 100644
--- a/docs/zh-CN/gateway/configuration.md
+++ b/docs/zh-CN/gateway/configuration.md
@@ -1,3332 +1,640 @@
 ---
 read_when:
-  - 添加或修改配置字段时
-summary: ~/.openclaw/openclaw.json 的所有配置选项及示例
+  - 首次设置 OpenClaw
+  - 查找常见配置模式
+  - 导航到特定配置部分
+summary: 配置概览：常见任务、快速设置，以及完整参考的链接
 title: 配置
 x-i18n:
-  generated_at: "2026-02-01T21:29:41Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: b5e51290bbc755acb259ad455878625aa894c115e5c0ac6a1a3397e10fff8b4b
+  generated_at: "2026-03-16T06:23:15Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 0047a255e8d3b6d280634437167486e2a81bf98b2d367071259b4b5c85b5ba9f
   source_path: gateway/configuration.md
   workflow: 15
 ---
 
-# 配置 🔧
+# 配置
 
-OpenClaw 从 `~/.openclaw/openclaw.json` 读取可选的 **JSON5** 配置（支持注释和尾逗号）。
+OpenClaw 会从 `~/.openclaw/openclaw.json` 读取可选的 <Tooltip tip="JSON5 supports comments and trailing commas">**JSON5**</Tooltip> 配置。
 
-如果文件不存在，OpenClaw 使用安全的默认值（内置 Pi 智能体 + 按发送者分会话 + 工作区 `~/.openclaw/workspace`）。通常只在以下情况需要配置：
+如果该文件缺失，OpenClaw 会使用安全的默认值。添加配置的常见原因包括：
 
-- 限制谁可以触发机器人（`channels.whatsapp.allowFrom`、`channels.telegram.allowFrom` 等）
-- 控制群组白名单 + 提及行为（`channels.whatsapp.groups`、`channels.telegram.groups`、`channels.discord.guilds`、`agents.list[].groupChat`）
-- 自定义消息前缀（`messages`）
-- 设置智能体工作区（`agents.defaults.workspace` 或 `agents.list[].workspace`）
-- 调整内置智能体默认值（`agents.defaults`）和会话行为（`session`）
-- 设置每个智能体的身份标识（`agents.list[].identity`）
+- 连接渠道并控制谁可以向 bot 发消息
+- 设置模型、工具、沙箱隔离或自动化（cron、hooks）
+- 调整会话、媒体、网络或 UI
 
-> **初次接触配置？** 请查阅[配置示例](/gateway/configuration-examples)指南，获取带有详细说明的完整示例！
+所有可用字段请参阅 [完整参考](/gateway/configuration-reference)。
 
-## 严格配置验证
+<Tip>
+**刚接触配置？** 从 `openclaw onboard` 开始进行交互式设置，或者查看 [Configuration Examples](/gateway/configuration-examples) 指南，获取完整的可复制粘贴配置。
+</Tip>
 
-OpenClaw 只接受完全匹配 schema 的配置。
-未知键、类型错误或无效值会导致 Gateway 网关 **拒绝启动**以确保安全。
-
-验证失败时：
-
-- Gateway 网关不会启动。
-- 只允许诊断命令（例如：`openclaw doctor`、`openclaw logs`、`openclaw health`、`openclaw status`、`openclaw service`、`openclaw help`）。
-- 运行 `openclaw doctor` 查看具体问题。
-- 运行 `openclaw doctor --fix`（或 `--yes`）应用迁移/修复。
-
-Doctor 不会写入任何更改，除非你明确选择了 `--fix`/`--yes`。
-
-## Schema + UI 提示
-
-Gateway 网关通过 `config.schema` 暴露配置的 JSON Schema 表示，供 UI 编辑器使用。
-控制台 UI 根据此 schema 渲染表单，并提供 **Raw JSON** 编辑器作为应急手段。
-
-渠道插件和扩展可以为其配置注册 schema + UI 提示，因此渠道设置
-在各应用间保持 schema 驱动，无需硬编码表单。
-
-提示信息（标签、分组、敏感字段）随 schema 一起提供，客户端无需硬编码配置知识即可渲染更好的表单。
-
-## 应用 + 重启（RPC）
-
-使用 `config.apply` 在一步中验证 + 写入完整配置并重启 Gateway 网关。
-它会写入重启哨兵文件，并在 Gateway 网关恢复后 ping 最后活跃的会话。
-
-警告：`config.apply` 会替换**整个配置**。如果你只想更改部分键，
-请使用 `config.patch` 或 `openclaw config set`。请备份 `~/.openclaw/openclaw.json`。
-
-参数：
-
-- `raw`（字符串）— 整个配置的 JSON5 负载
-- `baseHash`（可选）— 来自 `config.get` 的配置哈希（当配置已存在时为必需）
-- `sessionKey`（可选）— 最后活跃会话的键，用于唤醒 ping
-- `note`（可选）— 包含在重启哨兵中的备注
-- `restartDelayMs`（可选）— 重启前的延迟（默认 2000）
-
-示例（通过 `gateway call`）：
-
-```bash
-openclaw gateway call config.get --params '{}' # capture payload.hash
-openclaw gateway call config.apply --params '{
-  "raw": "{\\n  agents: { defaults: { workspace: \\"~/.openclaw/workspace\\" } }\\n}\\n",
-  "baseHash": "<hash-from-config.get>",
-  "sessionKey": "agent:main:whatsapp:dm:+15555550123",
-  "restartDelayMs": 1000
-}'
-```
-
-## 部分更新（RPC）
-
-使用 `config.patch` 将部分更新合并到现有配置中，而不会覆盖
-无关的键。它采用 JSON merge patch 语义：
-
-- 对象递归合并
-- `null` 删除键
-- 数组替换
-  与 `config.apply` 类似，它会验证、写入配置、存储重启哨兵，并调度
-  Gateway 网关重启（当提供 `sessionKey` 时可选择唤醒）。
-
-参数：
-
-- `raw`（字符串）— 仅包含要更改的键的 JSON5 负载
-- `baseHash`（必需）— 来自 `config.get` 的配置哈希
-- `sessionKey`（可选）— 最后活跃会话的键，用于唤醒 ping
-- `note`（可选）— 包含在重启哨兵中的备注
-- `restartDelayMs`（可选）— 重启前的延迟（默认 2000）
-
-示例：
-
-```bash
-openclaw gateway call config.get --params '{}' # capture payload.hash
-openclaw gateway call config.patch --params '{
-  "raw": "{\\n  channels: { telegram: { groups: { \\"*\\": { requireMention: false } } } }\\n}\\n",
-  "baseHash": "<hash-from-config.get>",
-  "sessionKey": "agent:main:whatsapp:dm:+15555550123",
-  "restartDelayMs": 1000
-}'
-```
-
-## 最小配置（推荐起点）
+## 最小配置
 
 ```json5
+// ~/.openclaw/openclaw.json
 {
   agents: { defaults: { workspace: "~/.openclaw/workspace" } },
   channels: { whatsapp: { allowFrom: ["+15555550123"] } },
 }
 ```
 
-首次构建默认镜像：
+## 编辑配置
 
-```bash
-scripts/sandbox-setup.sh
-```
+<Tabs>
+  <Tab title="Interactive wizard">
+    ```bash
+    openclaw onboard       # 完整设置向导
+    openclaw configure     # 配置向导
+    ```
+  </Tab>
+  <Tab title="CLI (one-liners)">
+    ```bash
+    openclaw config get agents.defaults.workspace
+    openclaw config set agents.defaults.heartbeat.every "2h"
+    openclaw config unset tools.web.search.apiKey
+    ```
+  </Tab>
+  <Tab title="Control UI">
+    打开 [http://127.0.0.1:18789](http://127.0.0.1:18789) 并使用 **Config** 标签页。
+    Control UI 会根据配置 schema 渲染表单，并提供 **Raw JSON** 编辑器作为后备方式。
+  </Tab>
+  <Tab title="Direct edit">
+    直接编辑 `~/.openclaw/openclaw.json`。Gateway 网关会监视该文件并自动应用更改（参见[热重载](#config-hot-reload)）。
+  </Tab>
+</Tabs>
 
-## 自聊天模式（推荐用于群组控制）
+## 严格校验
 
-防止机器人在群组中响应 WhatsApp @提及（仅响应特定文本触发器）：
+<Warning>
+OpenClaw 只接受完全符合 schema 的配置。未知键、类型格式错误或无效值都会导致 Gateway 网关**拒绝启动**。唯一的根级例外是 `$schema`（字符串），这样编辑器就可以附加 JSON Schema 元数据。
+</Warning>
 
-```json5
-{
-  agents: {
-    defaults: { workspace: "~/.openclaw/workspace" },
-    list: [
-      {
-        id: "main",
-        groupChat: { mentionPatterns: ["@openclaw", "reisponde"] },
+当校验失败时：
+
+- Gateway 网关不会启动
+- 只有诊断命令可用（`openclaw doctor`、`openclaw logs`、`openclaw health`、`openclaw status`）
+- 运行 `openclaw doctor` 以查看具体问题
+- 运行 `openclaw doctor --fix`（或 `--yes`）以应用修复
+
+## 常见任务
+
+<AccordionGroup>
+  <Accordion title="设置一个渠道（WhatsApp、Telegram、Discord 等）">
+    每个渠道在 `channels.<provider>` 下都有各自的配置部分。设置步骤请参阅对应的渠道页面：
+
+    - [WhatsApp](/channels/whatsapp) — `channels.whatsapp`
+    - [Telegram](/channels/telegram) — `channels.telegram`
+    - [Discord](/channels/discord) — `channels.discord`
+    - [Slack](/channels/slack) — `channels.slack`
+    - [Signal](/channels/signal) — `channels.signal`
+    - [iMessage](/channels/imessage) — `channels.imessage`
+    - [Google Chat](/channels/googlechat) — `channels.googlechat`
+    - [Mattermost](/channels/mattermost) — `channels.mattermost`
+    - [MS Teams](/channels/msteams) — `channels.msteams`
+
+    所有渠道都共享同一种私信策略模式：
+
+    ```json5
+    {
+      channels: {
+        telegram: {
+          enabled: true,
+          botToken: "123:abc",
+          dmPolicy: "pairing",   // pairing | allowlist | open | disabled
+          allowFrom: ["tg:123"], // 仅用于 allowlist/open
+        },
       },
-    ],
-  },
-  channels: {
-    whatsapp: {
-      // 白名单仅适用于私聊；包含你自己的号码可启用自聊天模式。
-      allowFrom: ["+15555550123"],
-      groups: { "*": { requireMention: true } },
-    },
+    }
+    ```
+
+  </Accordion>
+
+  <Accordion title="选择并配置模型">
+    设置主模型和可选回退模型：
+
+    ```json5
+    {
+      agents: {
+        defaults: {
+          model: {
+            primary: "anthropic/claude-sonnet-4-5",
+            fallbacks: ["openai/gpt-5.2"],
+          },
+          models: {
+            "anthropic/claude-sonnet-4-5": { alias: "Sonnet" },
+            "openai/gpt-5.2": { alias: "GPT" },
+          },
+        },
+      },
+    }
+    ```
+
+    - `agents.defaults.models` 定义模型目录，并充当 `/model` 的允许列表。
+    - 模型引用使用 `provider/model` 格式（例如 `anthropic/claude-opus-4-6`）。
+    - `agents.defaults.imageMaxDimensionPx` 控制转录/工具图像的缩放下限（默认 `1200`）；在截图较多的运行中，较低的值通常会减少视觉 token 使用量。
+    - 关于在聊天中切换模型，请参阅 [Models CLI](/concepts/models)；关于凭证轮换和回退行为，请参阅 [Model Failover](/concepts/model-failover)。
+    - 关于自定义/自托管提供商，请参阅参考中的 [Custom providers](/gateway/configuration-reference#custom-providers-and-base-urls)。
+
+  </Accordion>
+
+  <Accordion title="控制谁可以向 bot 发消息">
+    私信访问通过每个渠道的 `dmPolicy` 控制：
+
+    - `"pairing"`（默认）：未知发送者会收到一次性配对码以供批准
+    - `"allowlist"`：仅允许 `allowFrom`（或已配对允许存储）中的发送者
+    - `"open"`：允许所有入站私信（需要 `allowFrom: ["*"]`）
+    - `"disabled"`：忽略所有私信
+
+    对于群组，请使用 `groupPolicy` + `groupAllowFrom` 或特定渠道的允许列表。
+
+    有关每个渠道的详细信息，请参阅 [完整参考](/gateway/configuration-reference#dm-and-group-access)。
+
+  </Accordion>
+
+  <Accordion title="设置群聊提及门控">
+    群组消息默认设置为**需要提及**。可按智能体配置模式：
+
+    ```json5
+    {
+      agents: {
+        list: [
+          {
+            id: "main",
+            groupChat: {
+              mentionPatterns: ["@openclaw", "openclaw"],
+            },
+          },
+        ],
+      },
+      channels: {
+        whatsapp: {
+          groups: { "*": { requireMention: true } },
+        },
+      },
+    }
+    ```
+
+    - **元数据提及**：原生 @ 提及（WhatsApp 点按提及、Telegram @bot 等）
+    - **文本模式**：`mentionPatterns` 中的安全正则模式
+    - 关于每个渠道的覆盖和自聊模式，请参阅 [完整参考](/gateway/configuration-reference#group-chat-mention-gating)。
+
+  </Accordion>
+
+  <Accordion title="调整 Gateway 网关渠道健康监控">
+    控制 Gateway 网关对看起来失活的渠道执行重启的积极程度：
+
+    ```json5
+    {
+      gateway: {
+        channelHealthCheckMinutes: 5,
+        channelStaleEventThresholdMinutes: 30,
+        channelMaxRestartsPerHour: 10,
+      },
+      channels: {
+        telegram: {
+          healthMonitor: { enabled: false },
+          accounts: {
+            alerts: {
+              healthMonitor: { enabled: true },
+            },
+          },
+        },
+      },
+    }
+    ```
+
+    - 设置 `gateway.channelHealthCheckMinutes: 0` 可全局禁用健康监控重启。
+    - `channelStaleEventThresholdMinutes` 应大于或等于检查间隔。
+    - 使用 `channels.<provider>.healthMonitor.enabled` 或 `channels.<provider>.accounts.<id>.healthMonitor.enabled`，可为单个渠道或账号禁用自动重启，而无需禁用全局监控。
+    - 有关运维调试，请参阅 [Health Checks](/gateway/health)；所有字段请参阅 [完整参考](/gateway/configuration-reference#gateway)。
+
+  </Accordion>
+
+  <Accordion title="配置会话和重置">
+    会话控制对话的连续性和隔离性：
+
+    ```json5
+    {
+      session: {
+        dmScope: "per-channel-peer",  // 推荐用于多用户
+        threadBindings: {
+          enabled: true,
+          idleHours: 24,
+          maxAgeHours: 0,
+        },
+        reset: {
+          mode: "daily",
+          atHour: 4,
+          idleMinutes: 120,
+        },
+      },
+    }
+    ```
+
+    - `dmScope`：`main`（共享）| `per-peer` | `per-channel-peer` | `per-account-channel-peer`
+    - `threadBindings`：线程绑定会话路由的全局默认值（Discord 支持 `/focus`、`/unfocus`、`/agents`、`/session idle` 和 `/session max-age`）。
+    - 关于作用域、身份链接和发送策略，请参阅 [Session Management](/concepts/session)。
+    - 所有字段请参阅 [完整参考](/gateway/configuration-reference#session)。
+
+  </Accordion>
+
+  <Accordion title="启用沙箱隔离">
+    在隔离的 Docker 容器中运行智能体会话：
+
+    ```json5
+    {
+      agents: {
+        defaults: {
+          sandbox: {
+            mode: "non-main",  // off | non-main | all
+            scope: "agent",    // session | agent | shared
+          },
+        },
+      },
+    }
+    ```
+
+    先构建镜像：`scripts/sandbox-setup.sh`
+
+    完整指南请参阅 [Sandboxing](/gateway/sandboxing)，所有选项请参阅 [完整参考](/gateway/configuration-reference#sandbox)。
+
+  </Accordion>
+
+  <Accordion title="为官方 iOS 构建启用基于 relay 的推送">
+    基于 relay 的推送在 `openclaw.json` 中配置。
+
+    在 Gateway 网关配置中设置：
+
+    ```json5
+    {
+      gateway: {
+        push: {
+          apns: {
+            relay: {
+              baseUrl: "https://relay.example.com",
+              // 可选。默认值：10000
+              timeoutMs: 10000,
+            },
+          },
+        },
+      },
+    }
+    ```
+
+    等价 CLI：
+
+    ```bash
+    openclaw config set gateway.push.apns.relay.baseUrl https://relay.example.com
+    ```
+
+    这会带来以下效果：
+
+    - 让 Gateway 网关通过外部 relay 发送 `push.test`、唤醒提示和重连唤醒。
+    - 使用由已配对 iOS 应用转发的、以注册为范围的发送授权。Gateway 网关不需要部署范围的 relay token。
+    - 将每个基于 relay 的注册绑定到 iOS 应用配对的 Gateway 网关身份，因此其他 Gateway 网关无法复用已存储的注册。
+    - 保持本地/手动 iOS 构建继续使用直接 APNs。基于 relay 的发送仅适用于通过 relay 注册的官方分发构建。
+    - 必须与官方/TestFlight iOS 构建中固化的 relay 基础 URL 一致，这样注册和发送流量才能到达同一个 relay 部署。
+
+    端到端流程：
+
+    1. 安装一个使用相同 relay 基础 URL 编译的官方/TestFlight iOS 构建。
+    2. 在 Gateway 网关上配置 `gateway.push.apns.relay.baseUrl`。
+    3. 将 iOS 应用与 Gateway 网关配对，并让节点会话和操作员会话都连接。
+    4. iOS 应用获取 Gateway 网关身份，使用 App Attest 加上应用回执向 relay 注册，然后将基于 relay 的 `push.apns.register` 负载发布到已配对的 Gateway 网关。
+    5. Gateway 网关存储 relay handle 和发送授权，然后将它们用于 `push.test`、唤醒提示和重连唤醒。
+
+    运维说明：
+
+    - 如果你将 iOS 应用切换到另一个 Gateway 网关，请重新连接应用，以便它发布绑定到该 Gateway 网关的新 relay 注册。
+    - 如果你发布了一个指向不同 relay 部署的新 iOS 构建，应用会刷新其缓存的 relay 注册，而不是复用旧的 relay 来源。
+
+    兼容性说明：
+
+    - `OPENCLAW_APNS_RELAY_BASE_URL` 和 `OPENCLAW_APNS_RELAY_TIMEOUT_MS` 仍可作为临时环境变量覆盖使用。
+    - `OPENCLAW_APNS_RELAY_ALLOW_HTTP=true` 仍是仅限 loopback 的开发逃生口；不要在配置中持久化 HTTP relay URL。
+
+    关于端到端流程，请参阅 [iOS App](/platforms/ios#relay-backed-push-for-official-builds)；关于 relay 安全模型，请参阅 [Authentication and trust flow](/platforms/ios#authentication-and-trust-flow)。
+
+  </Accordion>
+
+  <Accordion title="设置 heartbeat（周期性报到）">
+    ```json5
+    {
+      agents: {
+        defaults: {
+          heartbeat: {
+            every: "30m",
+            target: "last",
+          },
+        },
+      },
+    }
+    ```
+
+    - `every`：时长字符串（`30m`、`2h`）。设置为 `0m` 可禁用。
+    - `target`：`last` | `whatsapp` | `telegram` | `discord` | `none`
+    - `directPolicy`：用于私信风格 heartbeat 目标时，设为 `allow`（默认）或 `block`
+    - 完整指南请参阅 [Heartbeat](/gateway/heartbeat)。
+
+  </Accordion>
+
+  <Accordion title="配置 cron 作业">
+    ```json5
+    {
+      cron: {
+        enabled: true,
+        maxConcurrentRuns: 2,
+        sessionRetention: "24h",
+        runLog: {
+          maxBytes: "2mb",
+          keepLines: 2000,
+        },
+      },
+    }
+    ```
+
+    - `sessionRetention`：从 `sessions.json` 中清理已完成的隔离运行会话（默认 `24h`；设置为 `false` 可禁用）。
+    - `runLog`：按大小和保留行数清理 `cron/runs/<jobId>.jsonl`。
+    - 功能概览和 CLI 示例请参阅 [Cron jobs](/automation/cron-jobs)。
+
+  </Accordion>
+
+  <Accordion title="设置 webhooks（hooks）">
+    在 Gateway 网关上启用 HTTP webhook 端点：
+
+    ```json5
+    {
+      hooks: {
+        enabled: true,
+        token: "shared-secret",
+        path: "/hooks",
+        defaultSessionKey: "hook:ingress",
+        allowRequestSessionKey: false,
+        allowedSessionKeyPrefixes: ["hook:"],
+        mappings: [
+          {
+            match: { path: "gmail" },
+            action: "agent",
+            agentId: "main",
+            deliver: true,
+          },
+        ],
+      },
+    }
+    ```
+
+    安全说明：
+    - 将所有 hook/webhook 负载内容都视为不受信任输入。
+    - 保持不安全内容绕过标志处于禁用状态（`hooks.gmail.allowUnsafeExternalContent`、`hooks.mappings[].allowUnsafeExternalContent`），除非是在进行严格限定的调试。
+    - 对于由 hook 驱动的智能体，优先使用强大的现代模型层级和严格的工具策略（例如尽可能仅允许消息传递并启用沙箱隔离）。
+
+    所有映射选项和 Gmail 集成请参阅 [完整参考](/gateway/configuration-reference#hooks)。
+
+  </Accordion>
+
+  <Accordion title="配置多智能体路由">
+    运行多个彼此隔离的智能体，并使用独立的工作区和会话：
+
+    ```json5
+    {
+      agents: {
+        list: [
+          { id: "home", default: true, workspace: "~/.openclaw/workspace-home" },
+          { id: "work", workspace: "~/.openclaw/workspace-work" },
+        ],
+      },
+      bindings: [
+        { agentId: "home", match: { channel: "whatsapp", accountId: "personal" } },
+        { agentId: "work", match: { channel: "whatsapp", accountId: "biz" } },
+      ],
+    }
+    ```
+
+    关于绑定规则和每个智能体的访问配置文件，请参阅 [Multi-Agent](/concepts/multi-agent) 和 [完整参考](/gateway/configuration-reference#multi-agent-routing)。
+
+  </Accordion>
+
+  <Accordion title="将配置拆分到多个文件中（$include）">
+    使用 `$include` 组织大型配置：
+
+    ```json5
+    // ~/.openclaw/openclaw.json
+    {
+      gateway: { port: 18789 },
+      agents: { $include: "./agents.json5" },
+      broadcast: {
+        $include: ["./clients/a.json5", "./clients/b.json5"],
+      },
+    }
+    ```
+
+    - **单个文件**：替换所在对象
+    - **文件数组**：按顺序深度合并（后者优先）
+    - **同级键**：在 include 之后合并（覆盖已包含的值）
+    - **嵌套 include**：支持，最多 10 层深
+    - **相对路径**：相对于包含它的文件解析
+    - **错误处理**：对于缺失文件、解析错误和循环 include，会提供清晰错误
+
+  </Accordion>
+</AccordionGroup>
+
+## 配置热重载
+
+Gateway 网关会监视 `~/.openclaw/openclaw.json` 并自动应用更改 —— 对于大多数设置，无需手动重启。
+
+### 重载模式
+
+| 模式                 | 行为                                                     |
+| -------------------- | -------------------------------------------------------- |
+| **`hybrid`**（默认） | 立即热应用安全更改。对关键更改会自动重启。               |
+| **`hot`**            | 仅热应用安全更改。需要重启时会记录警告 —— 由你自行处理。 |
+| **`restart`**        | 任何配置更改都会重启 Gateway 网关，无论是否安全。        |
+| **`off`**            | 禁用文件监视。更改会在下一次手动重启时生效。             |
+
+```json5
+{
+  gateway: {
+    reload: { mode: "hybrid", debounceMs: 300 },
   },
 }
 ```
 
-## 配置包含（`$include`）
+### 哪些可以热应用，哪些需要重启
 
-使用 `$include` 指令将配置拆分为多个文件。适用于：
+大多数字段都可以无停机热应用。在 `hybrid` 模式下，需要重启的更改会自动处理。
 
-- 组织大型配置（例如按客户定义智能体）
-- 跨环境共享通用设置
-- 将敏感配置单独存放
+| 类别               | 字段                                                  | 需要重启？ |
+| ------------------ | ----------------------------------------------------- | ---------- |
+| 渠道               | `channels.*`、`web`（WhatsApp）— 所有内置和扩展渠道   | 否         |
+| 智能体和模型       | `agent`、`agents`、`models`、`routing`                | 否         |
+| 自动化             | `hooks`、`cron`、`agent.heartbeat`                    | 否         |
+| 会话和消息         | `session`、`messages`                                 | 否         |
+| 工具和媒体         | `tools`、`browser`、`skills`、`audio`、`talk`         | 否         |
+| UI 和杂项          | `ui`、`logging`、`identity`、`bindings`               | 否         |
+| Gateway 网关服务器 | `gateway.*`（port、bind、auth、tailscale、TLS、HTTP） | **是**     |
+| 基础设施           | `discovery`、`canvasHost`、`plugins`                  | **是**     |
 
-### 基本用法
+<Note>
+`gateway.reload` 和 `gateway.remote` 是例外 —— 更改它们**不会**触发重启。
+</Note>
 
-```json5
-// ~/.openclaw/openclaw.json
-{
-  gateway: { port: 18789 },
+## 配置 RPC（程序化更新）
 
-  // 包含单个文件（替换该键的值）
-  agents: { $include: "./agents.json5" },
+<Note>
+控制平面写入 RPC（`config.apply`、`config.patch`、`update.run`）按每个 `deviceId+clientIp` 限制为**每 60 秒 3 个请求**。当触发限制时，RPC 会返回 `UNAVAILABLE` 和 `retryAfterMs`。
+</Note>
 
-  // 包含多个文件（按顺序深度合并）
-  broadcast: {
-    $include: ["./clients/mueller.json5", "./clients/schmidt.json5"],
-  },
-}
-```
+<AccordionGroup>
+  <Accordion title="config.apply（完整替换）">
+    校验 + 写入完整配置，并在一步中重启 Gateway 网关。
 
-```json5
-// ~/.openclaw/agents.json5
-{
-  defaults: { sandbox: { mode: "all", scope: "session" } },
-  list: [{ id: "main", workspace: "~/.openclaw/workspace" }],
-}
-```
+    <Warning>
+    `config.apply` 会替换**整个配置**。部分更新请使用 `config.patch`，单个键请使用 `openclaw config set`。
+    </Warning>
 
-### 合并行为
+    参数：
 
-- **单个文件**：替换包含 `$include` 的对象
-- **文件数组**：按顺序深度合并（后面的文件覆盖前面的）
-- **带兄弟键**：兄弟键在包含之后合并（覆盖被包含的值）
-- **兄弟键 + 数组/原始值**：不支持（被包含的内容必须是对象）
+    - `raw`（string）— 整个配置的 JSON5 负载
+    - `baseHash`（可选）— 来自 `config.get` 的配置 hash（配置已存在时必需）
+    - `sessionKey`（可选）— 重启后唤醒 ping 使用的会话键
+    - `note`（可选）— 重启哨兵的说明
+    - `restartDelayMs`（可选）— 重启前延迟（默认 2000）
 
-```json5
-// 兄弟键覆盖被包含的值
-{
-  $include: "./base.json5", // { a: 1, b: 2 }
-  b: 99, // 结果：{ a: 1, b: 99 }
-}
-```
+    当已有重启处于待处理/进行中时，重启请求会被合并，并且两次重启周期之间会应用 30 秒冷却。
 
-### 嵌套包含
+    ```bash
+    openclaw gateway call config.get --params '{}'  # 捕获 payload.hash
+    openclaw gateway call config.apply --params '{
+      "raw": "{ agents: { defaults: { workspace: \"~/.openclaw/workspace\" } } }",
+      "baseHash": "<hash>",
+      "sessionKey": "agent:main:whatsapp:direct:+15555550123"
+    }'
+    ```
 
-被包含的文件本身可以包含 `$include` 指令（最多 10 层深度）：
+  </Accordion>
 
-```json5
-// clients/mueller.json5
-{
-  agents: { $include: "./mueller/agents.json5" },
-  broadcast: { $include: "./mueller/broadcast.json5" },
-}
-```
+  <Accordion title="config.patch（部分更新）">
+    将部分更新合并到现有配置中（JSON merge patch 语义）：
 
-### 路径解析
+    - 对象递归合并
+    - `null` 删除键
+    - 数组整体替换
 
-- **相对路径**：相对于包含文件解析
-- **绝对路径**：直接使用
-- **父目录**：`../` 引用按预期工作
+    参数：
 
-```json5
-{ "$include": "./sub/config.json5" }      // 相对路径
-{ "$include": "/etc/openclaw/base.json5" } // 绝对路径
-{ "$include": "../shared/common.json5" }   // 父目录
-```
+    - `raw`（string）— 仅包含要更改键的 JSON5
+    - `baseHash`（必需）— 来自 `config.get` 的配置 hash
+    - `sessionKey`、`note`、`restartDelayMs` — 与 `config.apply` 相同
 
-### 错误处理
+    重启行为与 `config.apply` 一致：合并待处理重启，并在两次重启周期之间应用 30 秒冷却。
 
-- **文件缺失**：显示清晰的错误及解析后的路径
-- **解析错误**：显示哪个被包含的文件出错
-- **循环包含**：检测并报告包含链
+    ```bash
+    openclaw gateway call config.patch --params '{
+      "raw": "{ channels: { telegram: { groups: { \"*\": { requireMention: false } } } } }",
+      "baseHash": "<hash>"
+    }'
+    ```
 
-### 示例：多客户法律事务设置
+  </Accordion>
+</AccordionGroup>
 
-```json5
-// ~/.openclaw/openclaw.json
-{
-  gateway: { port: 18789, auth: { token: "secret" } },
+## 环境变量
 
-  // 通用智能体默认值
-  agents: {
-    defaults: {
-      sandbox: { mode: "all", scope: "session" },
-    },
-    // 合并所有客户的智能体列表
-    list: { $include: ["./clients/mueller/agents.json5", "./clients/schmidt/agents.json5"] },
-  },
-
-  // 合并广播配置
-  broadcast: {
-    $include: ["./clients/mueller/broadcast.json5", "./clients/schmidt/broadcast.json5"],
-  },
-
-  channels: { whatsapp: { groupPolicy: "allowlist" } },
-}
-```
-
-```json5
-// ~/.openclaw/clients/mueller/agents.json5
-[
-  { id: "mueller-transcribe", workspace: "~/clients/mueller/transcribe" },
-  { id: "mueller-docs", workspace: "~/clients/mueller/docs" },
-]
-```
-
-```json5
-// ~/.openclaw/clients/mueller/broadcast.json5
-{
-  "120363403215116621@g.us": ["mueller-transcribe", "mueller-docs"],
-}
-```
-
-## 常用选项
-
-### 环境变量 + `.env`
-
-OpenClaw 从父进程（shell、launchd/systemd、CI 等）读取环境变量。
-
-此外，它还会加载：
+OpenClaw 会从父进程读取环境变量，另外还会读取：
 
 - 当前工作目录中的 `.env`（如果存在）
-- `~/.openclaw/.env`（即 `$OPENCLAW_STATE_DIR/.env`）作为全局回退 `.env`
+- `~/.openclaw/.env`（全局回退）
 
-两个 `.env` 文件都不会覆盖已有的环境变量。
-
-你也可以在配置中提供内联环境变量。这些仅在进程环境中缺少该键时应用（相同的不覆盖规则）：
+这两个文件都不会覆盖现有环境变量。你也可以在配置中设置内联环境变量：
 
 ```json5
 {
   env: {
     OPENROUTER_API_KEY: "sk-or-...",
-    vars: {
-      GROQ_API_KEY: "gsk-...",
-    },
+    vars: { GROQ_API_KEY: "gsk-..." },
   },
 }
 ```
 
-参见 [/environment](/help/environment) 了解优先级和来源详情。
-
-### `env.shellEnv`（可选）
-
-可选便利功能：如果启用且预期键均未设置，OpenClaw 会运行你的登录 shell 并仅导入缺失的预期键（不会覆盖）。
-这实际上会 source 你的 shell 配置文件。
+<Accordion title="Shell 环境变量导入（可选）">
+  如果启用，并且预期键名尚未设置，OpenClaw 会运行你的登录 shell，并且只导入缺失的键：
 
 ```json5
 {
   env: {
-    shellEnv: {
-      enabled: true,
-      timeoutMs: 15000,
-    },
+    shellEnv: { enabled: true, timeoutMs: 15000 },
   },
 }
 ```
 
-等效环境变量：
+环境变量等价项：`OPENCLAW_LOAD_SHELL_ENV=1`
+</Accordion>
 
-- `OPENCLAW_LOAD_SHELL_ENV=1`
-- `OPENCLAW_SHELL_ENV_TIMEOUT_MS=15000`
+<Accordion title="在配置值中替换环境变量">
+  你可以在任何配置字符串值中使用 `${VAR_NAME}` 引用环境变量：
 
-### 配置中的环境变量替换
+```json5
+{
+  gateway: { auth: { token: "${OPENCLAW_GATEWAY_TOKEN}" } },
+  models: { providers: { custom: { apiKey: "${CUSTOM_API_KEY}" } } },
+}
+```
 
-你可以在任何配置字符串值中使用 `${VAR_NAME}` 语法直接引用环境变量。变量在配置加载时、验证之前进行替换。
+规则：
+
+- 仅匹配大写名称：`[A-Z_][A-Z0-9_]*`
+- 缺失/为空的变量会在加载时抛出错误
+- 使用 `$${VAR}` 进行转义，以输出字面值
+- 在 `$include` 文件中也可用
+- 内联替换：`"${BASE}/v1"` → `"https://api.example.com/v1"`
+
+</Accordion>
+
+<Accordion title="Secret refs（env、file、exec）">
+  对于支持 SecretRef 对象的字段，你可以使用：
 
 ```json5
 {
   models: {
     providers: {
-      "vercel-gateway": {
-        apiKey: "${VERCEL_GATEWAY_API_KEY}",
-      },
+      openai: { apiKey: { source: "env", provider: "default", id: "OPENAI_API_KEY" } },
     },
   },
-  gateway: {
-    auth: {
-      token: "${OPENCLAW_GATEWAY_TOKEN}",
-    },
-  },
-}
-```
-
-**规则：**
-
-- 仅匹配大写环境变量名：`[A-Z_][A-Z0-9_]*`
-- 缺失或为空的环境变量在配置加载时会抛出错误
-- 使用 `$${VAR}` 转义以输出字面量 `${VAR}`
-- 与 `$include` 配合使用（被包含的文件也会进行替换）
-
-**内联替换：**
-
-```json5
-{
-  models: {
-    providers: {
-      custom: {
-        baseUrl: "${CUSTOM_API_BASE}/v1", // → "https://api.example.com/v1"
-      },
-    },
-  },
-}
-```
-
-### 认证存储（OAuth + API 密钥）
-
-OpenClaw 在以下位置存储**每个智能体的**认证配置文件（OAuth + API 密钥）：
-
-- `<agentDir>/auth-profiles.json`（默认：`~/.openclaw/agents/<agentId>/agent/auth-profiles.json`）
-
-另请参阅：[/concepts/oauth](/concepts/oauth)
-
-旧版 OAuth 导入：
-
-- `~/.openclaw/credentials/oauth.json`（或 `$OPENCLAW_STATE_DIR/credentials/oauth.json`）
-
-内置 Pi 智能体在以下位置维护运行时缓存：
-
-- `<agentDir>/auth.json`（自动管理；请勿手动编辑）
-
-旧版智能体目录（多智能体之前）：
-
-- `~/.openclaw/agent/*`（由 `openclaw doctor` 迁移到 `~/.openclaw/agents/<defaultAgentId>/agent/*`）
-
-覆盖：
-
-- OAuth 目录（仅旧版导入）：`OPENCLAW_OAUTH_DIR`
-- 智能体目录（默认智能体根目录覆盖）：`OPENCLAW_AGENT_DIR`（推荐）、`PI_CODING_AGENT_DIR`（旧版）
-
-首次使用时，OpenClaw 会将 `oauth.json` 条目导入到 `auth-profiles.json` 中。
-
-### `auth`
-
-认证配置文件的可选元数据。这**不**存储密钥；它将配置文件 ID 映射到提供商 + 模式（以及可选的邮箱），并定义用于故障转移的提供商轮换顺序。
-
-```json5
-{
-  auth: {
-    profiles: {
-      "anthropic:me@example.com": { provider: "anthropic", mode: "oauth", email: "me@example.com" },
-      "anthropic:work": { provider: "anthropic", mode: "api_key" },
-    },
-    order: {
-      anthropic: ["anthropic:me@example.com", "anthropic:work"],
-    },
-  },
-}
-```
-
-### `agents.list[].identity`
-
-用于默认值和用户体验的可选每智能体身份标识。由 macOS 新手引导助手写入。
-
-如果设置了，OpenClaw 会推导默认值（仅在你未明确设置时）：
-
-- `messages.ackReaction` 来自**活跃智能体**的 `identity.emoji`（回退到 👀）
-- `agents.list[].groupChat.mentionPatterns` 来自智能体的 `identity.name`/`identity.emoji`（因此 "@Samantha" 在 Telegram/Slack/Discord/Google Chat/iMessage/WhatsApp 的群组中均可使用）
-- `identity.avatar` 接受工作区相对图片路径或远程 URL/data URL。本地文件必须位于智能体工作区内。
-
-`identity.avatar` 接受：
-
-- 工作区相对路径（必须在智能体工作区内）
-- `http(s)` URL
-- `data:` URI
-
-```json5
-{
-  agents: {
-    list: [
-      {
-        id: "main",
-        identity: {
-          name: "Samantha",
-          theme: "helpful sloth",
-          emoji: "🦥",
-          avatar: "avatars/samantha.png",
-        },
-      },
-    ],
-  },
-}
-```
-
-### `wizard`
-
-由 CLI 向导（`onboard`、`configure`、`doctor`）写入的元数据。
-
-```json5
-{
-  wizard: {
-    lastRunAt: "2026-01-01T00:00:00.000Z",
-    lastRunVersion: "2026.1.4",
-    lastRunCommit: "abc1234",
-    lastRunCommand: "configure",
-    lastRunMode: "local",
-  },
-}
-```
-
-### `logging`
-
-- 默认日志文件：`/tmp/openclaw/openclaw-YYYY-MM-DD.log`
-- 如需稳定路径，将 `logging.file` 设为 `/tmp/openclaw/openclaw.log`。
-- 控制台输出可通过以下方式单独调整：
-  - `logging.consoleLevel`（默认 `info`，使用 `--verbose` 时提升为 `debug`）
-  - `logging.consoleStyle`（`pretty` | `compact` | `json`）
-- 工具摘要可以脱敏以避免泄露密钥：
-  - `logging.redactSensitive`（`off` | `tools`，默认：`tools`）
-  - `logging.redactPatterns`（正则表达式字符串数组；覆盖默认值）
-
-```json5
-{
-  logging: {
-    level: "info",
-    file: "/tmp/openclaw/openclaw.log",
-    consoleLevel: "info",
-    consoleStyle: "pretty",
-    redactSensitive: "tools",
-    redactPatterns: [
-      // 示例：用自定义规则覆盖默认值。
-      "\\bTOKEN\\b\\s*[=:]\\s*([\"']?)([^\\s\"']+)\\1",
-      "/\\bsk-[A-Za-z0-9_-]{8,}\\b/gi",
-    ],
-  },
-}
-```
-
-### `channels.whatsapp.dmPolicy`
-
-控制 WhatsApp 私聊（私信）的处理方式：
-
-- `"pairing"`（默认）：未知发送者会收到配对码；所有者必须批准
-- `"allowlist"`：仅允许 `channels.whatsapp.allowFrom`（或已配对的允许存储）中的发送者
-- `"open"`：允许所有入站私聊（**需要** `channels.whatsapp.allowFrom` 包含 `"*"`）
-- `"disabled"`：忽略所有入站私聊
-
-配对码在 1 小时后过期；机器人仅在创建新请求时发送配对码。待处理的私聊配对请求默认每个渠道上限为 **3 个**。
-
-配对批准：
-
-- `openclaw pairing list whatsapp`
-- `openclaw pairing approve whatsapp <code>`
-
-### `channels.whatsapp.allowFrom`
-
-允许触发 WhatsApp 自动回复的 E.164 电话号码白名单（**仅限私聊**）。
-如果为空且 `channels.whatsapp.dmPolicy="pairing"`，未知发送者将收到配对码。
-对于群组，使用 `channels.whatsapp.groupPolicy` + `channels.whatsapp.groupAllowFrom`。
-
-```json5
-{
-  channels: {
-    whatsapp: {
-      dmPolicy: "pairing", // pairing | allowlist | open | disabled
-      allowFrom: ["+15555550123", "+447700900123"],
-      textChunkLimit: 4000, // 可选的出站分块大小（字符数）
-      chunkMode: "length", // 可选的分块模式（length | newline）
-      mediaMaxMb: 50, // 可选的入站媒体上限（MB）
-    },
-  },
-}
-```
-
-### `channels.whatsapp.sendReadReceipts`
-
-控制入站 WhatsApp 消息是否标记为已读（蓝色双勾）。默认：`true`。
-
-自聊天模式始终跳过已读回执，即使已启用。
-
-每账号覆盖：`channels.whatsapp.accounts.<id>.sendReadReceipts`。
-
-```json5
-{
-  channels: {
-    whatsapp: { sendReadReceipts: false },
-  },
-}
-```
-
-### `channels.whatsapp.accounts`（多账号）
-
-在一个 Gateway 网关中运行多个 WhatsApp 账号：
-
-```json5
-{
-  channels: {
-    whatsapp: {
-      accounts: {
-        default: {}, // 可选；保持默认 id 稳定
-        personal: {},
-        biz: {
-          // 可选覆盖。默认：~/.openclaw/credentials/whatsapp/biz
-          // authDir: "~/.openclaw/credentials/whatsapp/biz",
-        },
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- 出站命令默认使用 `default` 账号（如果存在）；否则使用第一个配置的账号 id（排序后）。
-- 旧版单账号 Baileys 认证目录由 `openclaw doctor` 迁移到 `whatsapp/default`。
-
-### `channels.telegram.accounts` / `channels.discord.accounts` / `channels.googlechat.accounts` / `channels.slack.accounts` / `channels.mattermost.accounts` / `channels.signal.accounts` / `channels.imessage.accounts`
-
-每个渠道运行多个账号（每个账号有自己的 `accountId` 和可选的 `name`）：
-
-```json5
-{
-  channels: {
-    telegram: {
-      accounts: {
-        default: {
-          name: "Primary bot",
-          botToken: "123456:ABC...",
-        },
-        alerts: {
-          name: "Alerts bot",
-          botToken: "987654:XYZ...",
-        },
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- 省略 `accountId` 时使用 `default`（CLI + 路由）。
-- 环境变量 token 仅适用于**默认**账号。
-- 基础渠道设置（群组策略、提及门控等）适用于所有账号，除非在每个账号中单独覆盖。
-- 使用 `bindings[].match.accountId` 将每个账号路由到不同的 agents.defaults。
-
-### 群聊提及门控（`agents.list[].groupChat` + `messages.groupChat`）
-
-群消息默认**需要提及**（元数据提及或正则模式）。适用于 WhatsApp、Telegram、Discord、Google Chat 和 iMessage 群聊。
-
-**提及类型：**
-
-- **元数据提及**：原生平台 @提及（例如 WhatsApp 点按提及）。在 WhatsApp 自聊天模式中被忽略（参见 `channels.whatsapp.allowFrom`）。
-- **文本模式**：在 `agents.list[].groupChat.mentionPatterns` 中定义的正则模式。无论自聊天模式如何始终检查。
-- 提及门控仅在可以检测提及时执行（原生提及或至少一个 `mentionPattern`）。
-
-```json5
-{
-  messages: {
-    groupChat: { historyLimit: 50 },
-  },
-  agents: {
-    list: [{ id: "main", groupChat: { mentionPatterns: ["@openclaw", "openclaw"] } }],
-  },
-}
-```
-
-`messages.groupChat.historyLimit` 设置群组历史上下文的全局默认值。渠道可以通过 `channels.<channel>.historyLimit`（或多账号的 `channels.<channel>.accounts.*.historyLimit`）覆盖。设为 `0` 禁用历史包装。
-
-#### 私聊历史限制
-
-私聊对话使用由智能体管理的基于会话的历史。你可以限制每个私聊会话保留的用户轮次数：
-
-```json5
-{
-  channels: {
-    telegram: {
-      dmHistoryLimit: 30, // 将私聊会话限制为 30 个用户轮次
-      dms: {
-        "123456789": { historyLimit: 50 }, // 每用户覆盖（用户 ID）
-      },
-    },
-  },
-}
-```
-
-解析顺序：
-
-1. 每私聊覆盖：`channels.<provider>.dms[userId].historyLimit`
-2. 提供商默认值：`channels.<provider>.dmHistoryLimit`
-3. 无限制（保留所有历史）
-
-支持的提供商：`telegram`、`whatsapp`、`discord`、`slack`、`signal`、`imessage`、`msteams`。
-
-每智能体覆盖（设置后优先，即使为 `[]`）：
-
-```json5
-{
-  agents: {
-    list: [
-      { id: "work", groupChat: { mentionPatterns: ["@workbot", "\\+15555550123"] } },
-      { id: "personal", groupChat: { mentionPatterns: ["@homebot", "\\+15555550999"] } },
-    ],
-  },
-}
-```
-
-提及门控默认值按渠道设置（`channels.whatsapp.groups`、`channels.telegram.groups`、`channels.imessage.groups`、`channels.discord.guilds`）。当设置了 `*.groups` 时，它也充当群组白名单；包含 `"*"` 以允许所有群组。
-
-仅响应特定文本触发器（忽略原生 @提及）：
-
-```json5
-{
-  channels: {
-    whatsapp: {
-      // 包含你自己的号码以启用自聊天模式（忽略原生 @提及）。
-      allowFrom: ["+15555550123"],
-      groups: { "*": { requireMention: true } },
-    },
-  },
-  agents: {
-    list: [
-      {
-        id: "main",
-        groupChat: {
-          // 仅这些文本模式会触发响应
-          mentionPatterns: ["reisponde", "@openclaw"],
-        },
-      },
-    ],
-  },
-}
-```
-
-### 群组策略（按渠道）
-
-使用 `channels.*.groupPolicy` 控制是否接受群组/房间消息：
-
-```json5
-{
-  channels: {
-    whatsapp: {
-      groupPolicy: "allowlist",
-      groupAllowFrom: ["+15551234567"],
-    },
-    telegram: {
-      groupPolicy: "allowlist",
-      groupAllowFrom: ["tg:123456789", "@alice"],
-    },
-    signal: {
-      groupPolicy: "allowlist",
-      groupAllowFrom: ["+15551234567"],
-    },
-    imessage: {
-      groupPolicy: "allowlist",
-      groupAllowFrom: ["chat_id:123"],
-    },
-    msteams: {
-      groupPolicy: "allowlist",
-      groupAllowFrom: ["user@org.com"],
-    },
-    discord: {
-      groupPolicy: "allowlist",
-      guilds: {
-        GUILD_ID: {
-          channels: { help: { allow: true } },
-        },
-      },
-    },
-    slack: {
-      groupPolicy: "allowlist",
-      channels: { "#general": { allow: true } },
-    },
-  },
-}
-```
-
-说明：
-
-- `"open"`：群组绕过白名单；提及门控仍然适用。
-- `"disabled"`：阻止所有群组/房间消息。
-- `"allowlist"`：仅允许匹配配置白名单的群组/房间。
-- `channels.defaults.groupPolicy` 设置提供商的 `groupPolicy` 未设置时的默认值。
-- WhatsApp/Telegram/Signal/iMessage/Microsoft Teams 使用 `groupAllowFrom`（回退：显式 `allowFrom`）。
-- Discord/Slack 使用渠道白名单（`channels.discord.guilds.*.channels`、`channels.slack.channels`）。
-- 群组私聊（Discord/Slack）仍由 `dm.groupEnabled` + `dm.groupChannels` 控制。
-- 默认为 `groupPolicy: "allowlist"`（除非被 `channels.defaults.groupPolicy` 覆盖）；如果未配置白名单，群组消息将被阻止。
-
-### 多智能体路由（`agents.list` + `bindings`）
-
-在一个 Gateway 网关中运行多个隔离的智能体（独立的工作区、`agentDir`、会话）。
-入站消息通过绑定路由到智能体。
-
-- `agents.list[]`：每智能体覆盖。
-  - `id`：稳定的智能体 id（必需）。
-  - `default`：可选；当设置多个时，第一个获胜并记录警告。
-    如果未设置，列表中的**第一个条目**为默认智能体。
-  - `name`：智能体的显示名称。
-  - `workspace`：默认 `~/.openclaw/workspace-<agentId>`（对于 `main`，回退到 `agents.defaults.workspace`）。
-  - `agentDir`：默认 `~/.openclaw/agents/<agentId>/agent`。
-  - `model`：每智能体默认模型，覆盖该智能体的 `agents.defaults.model`。
-    - 字符串形式：`"provider/model"`，仅覆盖 `agents.defaults.model.primary`
-    - 对象形式：`{ primary, fallbacks }`（fallbacks 覆盖 `agents.defaults.model.fallbacks`；`[]` 为该智能体禁用全局回退）
-  - `identity`：每智能体的名称/主题/表情（用于提及模式 + 确认反应）。
-  - `groupChat`：每智能体的提及门控（`mentionPatterns`）。
-  - `sandbox`：每智能体的沙箱配置（覆盖 `agents.defaults.sandbox`）。
-    - `mode`：`"off"` | `"non-main"` | `"all"`
-    - `workspaceAccess`：`"none"` | `"ro"` | `"rw"`
-    - `scope`：`"session"` | `"agent"` | `"shared"`
-    - `workspaceRoot`：自定义沙箱工作区根目录
-    - `docker`：每智能体 docker 覆盖（例如 `image`、`network`、`env`、`setupCommand`、限制；`scope: "shared"` 时忽略）
-    - `browser`：每智能体沙箱浏览器覆盖（`scope: "shared"` 时忽略）
-    - `prune`：每智能体沙箱清理覆盖（`scope: "shared"` 时忽略）
-  - `subagents`：每智能体子智能体默认值。
-    - `allowAgents`：允许从此智能体执行 `sessions_spawn` 的智能体 id 白名单（`["*"]` = 允许任何；默认：仅同一智能体）
-  - `tools`：每智能体工具限制（在沙箱工具策略之前应用）。
-    - `profile`：基础工具配置文件（在 allow/deny 之前应用）
-    - `allow`：允许的工具名称数组
-    - `deny`：拒绝的工具名称数组（deny 优先）
-- `agents.defaults`：共享的智能体默认值（模型、工作区、沙箱等）。
-- `bindings[]`：将入站消息路由到 `agentId`。
-  - `match.channel`（必需）
-  - `match.accountId`（可选；`*` = 任何账号；省略 = 默认账号）
-  - `match.peer`（可选；`{ kind: dm|group|channel, id }`）
-  - `match.guildId` / `match.teamId`（可选；渠道特定）
-
-确定性匹配顺序：
-
-1. `match.peer`
-2. `match.guildId`
-3. `match.teamId`
-4. `match.accountId`（精确匹配，无 peer/guild/team）
-5. `match.accountId: "*"`（渠道范围，无 peer/guild/team）
-6. 默认智能体（`agents.list[].default`，否则第一个列表条目，否则 `"main"`）
-
-在每个匹配层级内，`bindings` 中的第一个匹配条目获胜。
-
-#### 每智能体访问配置（多智能体）
-
-每个智能体可以携带自己的沙箱 + 工具策略。用于在一个 Gateway 网关中混合访问级别：
-
-- **完全访问**（个人智能体）
-- **只读**工具 + 工作区
-- **无文件系统访问**（仅消息/会话工具）
-
-参见[多智能体沙箱与工具](/tools/multi-agent-sandbox-tools)了解优先级和更多示例。
-
-完全访问（无沙箱）：
-
-```json5
-{
-  agents: {
-    list: [
-      {
-        id: "personal",
-        workspace: "~/.openclaw/workspace-personal",
-        sandbox: { mode: "off" },
-      },
-    ],
-  },
-}
-```
-
-只读工具 + 只读工作区：
-
-```json5
-{
-  agents: {
-    list: [
-      {
-        id: "family",
-        workspace: "~/.openclaw/workspace-family",
-        sandbox: {
-          mode: "all",
-          scope: "agent",
-          workspaceAccess: "ro",
-        },
-        tools: {
-          allow: [
-            "read",
-            "sessions_list",
-            "sessions_history",
-            "sessions_send",
-            "sessions_spawn",
-            "session_status",
-          ],
-          deny: ["write", "edit", "apply_patch", "exec", "process", "browser"],
-        },
-      },
-    ],
-  },
-}
-```
-
-无文件系统访问（启用消息/会话工具）：
-
-```json5
-{
-  agents: {
-    list: [
-      {
-        id: "public",
-        workspace: "~/.openclaw/workspace-public",
-        sandbox: {
-          mode: "all",
-          scope: "agent",
-          workspaceAccess: "none",
-        },
-        tools: {
-          allow: [
-            "sessions_list",
-            "sessions_history",
-            "sessions_send",
-            "sessions_spawn",
-            "session_status",
-            "whatsapp",
-            "telegram",
-            "slack",
-            "discord",
-            "gateway",
-          ],
-          deny: [
-            "read",
-            "write",
-            "edit",
-            "apply_patch",
-            "exec",
-            "process",
-            "browser",
-            "canvas",
-            "nodes",
-            "cron",
-            "gateway",
-            "image",
-          ],
-        },
-      },
-    ],
-  },
-}
-```
-
-示例：两个 WhatsApp 账号 → 两个智能体：
-
-```json5
-{
-  agents: {
-    list: [
-      { id: "home", default: true, workspace: "~/.openclaw/workspace-home" },
-      { id: "work", workspace: "~/.openclaw/workspace-work" },
-    ],
-  },
-  bindings: [
-    { agentId: "home", match: { channel: "whatsapp", accountId: "personal" } },
-    { agentId: "work", match: { channel: "whatsapp", accountId: "biz" } },
-  ],
-  channels: {
-    whatsapp: {
-      accounts: {
-        personal: {},
-        biz: {},
-      },
-    },
-  },
-}
-```
-
-### `tools.agentToAgent`（可选）
-
-智能体间消息传递为可选功能：
-
-```json5
-{
-  tools: {
-    agentToAgent: {
-      enabled: false,
-      allow: ["home", "work"],
-    },
-  },
-}
-```
-
-### `messages.queue`
-
-控制智能体运行已在执行时入站消息的行为。
-
-```json5
-{
-  messages: {
-    queue: {
-      mode: "collect", // steer | followup | collect | steer-backlog (steer+backlog ok) | interrupt (queue=steer legacy)
-      debounceMs: 1000,
-      cap: 20,
-      drop: "summarize", // old | new | summarize
-      byChannel: {
-        whatsapp: "collect",
-        telegram: "collect",
-        discord: "collect",
-        imessage: "collect",
-        webchat: "collect",
-      },
-    },
-  },
-}
-```
-
-### `messages.inbound`
-
-防抖**同一发送者**的快速入站消息，使多条连续消息合并为一个智能体轮次。防抖按渠道 + 对话进行范围限定，并使用最新消息进行回复线程/ID。
-
-```json5
-{
-  messages: {
-    inbound: {
-      debounceMs: 2000, // 0 禁用
-      byChannel: {
-        whatsapp: 5000,
-        slack: 1500,
-        discord: 1500,
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- 防抖仅批量处理**纯文本**消息；媒体/附件立即刷新。
-- 控制命令（例如 `/queue`、`/new`）绕过防抖，保持独立。
-
-### `commands`（聊天命令处理）
-
-控制跨连接器的聊天命令启用方式。
-
-```json5
-{
-  commands: {
-    native: "auto", // 在支持的平台上注册原生命令（auto）
-    text: true, // 解析聊天消息中的斜杠命令
-    bash: false, // 允许 !（别名：/bash）（仅限主机；需要 tools.elevated 白名单）
-    bashForegroundMs: 2000, // bash 前台窗口（0 立即后台运行）
-    config: false, // 允许 /config（写入磁盘）
-    debug: false, // 允许 /debug（仅运行时覆盖）
-    restart: false, // 允许 /restart + gateway 重启工具
-    useAccessGroups: true, // 对命令执行访问组白名单/策略
-  },
-}
-```
-
-说明：
-
-- 文本命令必须作为**独立**消息发送，并使用前导 `/`（无纯文本别名）。
-- `commands.text: false` 禁用解析聊天消息中的命令。
-- `commands.native: "auto"`（默认）为 Discord/Telegram 启用原生命令，Slack 保持关闭；不支持的渠道保持纯文本。
-- 设为 `commands.native: true|false` 强制全部开启或关闭，或按渠道覆盖 `channels.discord.commands.native`、`channels.telegram.commands.native`、`channels.slack.commands.native`（bool 或 `"auto"`）。`false` 在启动时清除 Discord/Telegram 上先前注册的命令；Slack 命令在 Slack 应用中管理。
-- `channels.telegram.customCommands` 添加额外的 Telegram 机器人菜单项。名称会被规范化；与原生命令冲突的会被忽略。
-- `commands.bash: true` 启用 `! <cmd>` 运行主机 shell 命令（`/bash <cmd>` 也可作为别名）。需要 `tools.elevated.enabled` 并在 `tools.elevated.allowFrom.<channel>` 中添加发送者白名单。
-- `commands.bashForegroundMs` 控制 bash 在后台运行前等待的时间。当 bash 任务正在运行时，新的 `! <cmd>` 请求会被拒绝（一次一个）。
-- `commands.config: true` 启用 `/config`（读写 `openclaw.json`）。
-- `channels.<provider>.configWrites` 控制由该渠道发起的配置变更（默认：true）。适用于 `/config set|unset` 以及提供商特定的自动迁移（Telegram 超级群组 ID 变更、Slack 频道 ID 变更）。
-- `commands.debug: true` 启用 `/debug`（仅运行时覆盖）。
-- `commands.restart: true` 启用 `/restart` 和 gateway 工具重启动作。
-- `commands.useAccessGroups: false` 允许命令绕过访问组白名单/策略。
-- 斜杠命令和指令仅对**已授权发送者**有效。授权来自渠道白名单/配对以及 `commands.useAccessGroups`。
-
-### `web`（WhatsApp Web 渠道运行时）
-
-WhatsApp 通过 Gateway 网关的 Web 渠道（Baileys Web）运行。当存在已链接的会话时自动启动。
-设置 `web.enabled: false` 使其默认关闭。
-
-```json5
-{
-  web: {
-    enabled: true,
-    heartbeatSeconds: 60,
-    reconnect: {
-      initialMs: 2000,
-      maxMs: 120000,
-      factor: 1.4,
-      jitter: 0.2,
-      maxAttempts: 0,
-    },
-  },
-}
-```
-
-### `channels.telegram`（机器人传输）
-
-OpenClaw 仅在存在 `channels.telegram` 配置段时启动 Telegram。机器人 token 从 `channels.telegram.botToken`（或 `channels.telegram.tokenFile`）解析，`TELEGRAM_BOT_TOKEN` 作为默认账号的回退。
-设置 `channels.telegram.enabled: false` 禁用自动启动。
-多账号支持在 `channels.telegram.accounts` 下（参见上方多账号部分）。环境变量 token 仅适用于默认账号。
-设置 `channels.telegram.configWrites: false` 阻止 Telegram 发起的配置写入（包括超级群组 ID 迁移和 `/config set|unset`）。
-
-```json5
-{
-  channels: {
-    telegram: {
-      enabled: true,
-      botToken: "your-bot-token",
-      dmPolicy: "pairing", // pairing | allowlist | open | disabled
-      allowFrom: ["tg:123456789"], // 可选；"open" 需要 ["*"]
-      groups: {
-        "*": { requireMention: true },
-        "-1001234567890": {
-          allowFrom: ["@admin"],
-          systemPrompt: "Keep answers brief.",
-          topics: {
-            "99": {
-              requireMention: false,
-              skills: ["search"],
-              systemPrompt: "Stay on topic.",
-            },
-          },
-        },
-      },
-      customCommands: [
-        { command: "backup", description: "Git backup" },
-        { command: "generate", description: "Create an image" },
-      ],
-      historyLimit: 50, // 包含最近 N 条群消息作为上下文（0 禁用）
-      replyToMode: "first", // off | first | all
-      linkPreview: true, // 切换出站链接预览
-      streamMode: "partial", // off | partial | block（草稿流式传输；与分块流式传输分开）
-      draftChunk: {
-        // 可选；仅用于 streamMode=block
-        minChars: 200,
-        maxChars: 800,
-        breakPreference: "paragraph", // paragraph | newline | sentence
-      },
-      actions: { reactions: true, sendMessage: true }, // 工具动作开关（false 禁用）
-      reactionNotifications: "own", // off | own | all
-      mediaMaxMb: 5,
-      retry: {
-        // 出站重试策略
-        attempts: 3,
-        minDelayMs: 400,
-        maxDelayMs: 30000,
-        jitter: 0.1,
-      },
-      network: {
-        // 传输覆盖
-        autoSelectFamily: false,
-      },
-      proxy: "socks5://localhost:9050",
-      webhookUrl: "https://example.com/telegram-webhook", // 需要 webhookSecret
-      webhookSecret: "secret",
-      webhookPath: "/telegram-webhook",
-    },
-  },
-}
-```
-
-草稿流式传输说明：
-
-- 使用 Telegram `sendMessageDraft`（草稿气泡，不是真正的消息）。
-- 需要**私聊话题**（私信 中的 message_thread_id；机器人已启用话题）。
-- `/reasoning stream` 将推理过程流式传输到草稿中，然后发送最终答案。
-  重试策略默认值和行为记录在[重试策略](/concepts/retry)中。
-
-### `channels.discord`（机器人传输）
-
-通过设置机器人 token 和可选的门控配置 Discord 机器人：
-多账号支持在 `channels.discord.accounts` 下（参见上方多账号部分）。环境变量 token 仅适用于默认账号。
-
-```json5
-{
-  channels: {
-    discord: {
-      enabled: true,
-      token: "your-bot-token",
-      mediaMaxMb: 8, // 限制入站媒体大小
-      allowBots: false, // 允许机器人发送的消息
-      actions: {
-        // 工具动作开关（false 禁用）
-        reactions: true,
-        stickers: true,
-        polls: true,
-        permissions: true,
-        messages: true,
-        threads: true,
-        pins: true,
-        search: true,
-        memberInfo: true,
-        roleInfo: true,
-        roles: false,
-        channelInfo: true,
-        voiceStatus: true,
-        events: true,
-        moderation: false,
-      },
-      replyToMode: "off", // off | first | all
-      dm: {
-        enabled: true, // 设为 false 时禁用所有私聊
-        policy: "pairing", // pairing | allowlist | open | disabled
-        allowFrom: ["1234567890", "steipete"], // 可选私聊白名单（"open" 需要 ["*"]）
-        groupEnabled: false, // 启用群组私聊
-        groupChannels: ["openclaw-dm"], // 可选群组私聊白名单
-      },
-      guilds: {
-        "123456789012345678": {
-          // 服务器 id（推荐）或 slug
-          slug: "friends-of-openclaw",
-          requireMention: false, // 每服务器默认值
-          reactionNotifications: "own", // off | own | all | allowlist
-          users: ["987654321098765432"], // 可选的每服务器用户白名单
-          channels: {
-            general: { allow: true },
-            help: {
-              allow: true,
-              requireMention: true,
-              users: ["987654321098765432"],
-              skills: ["docs"],
-              systemPrompt: "Short answers only.",
-            },
-          },
-        },
-      },
-      historyLimit: 20, // 包含最近 N 条服务器消息作为上下文
-      textChunkLimit: 2000, // 可选出站文本分块大小（字符数）
-      chunkMode: "length", // 可选分块模式（length | newline）
-      maxLinesPerMessage: 17, // 每条消息的软最大行数（Discord UI 裁剪）
-      retry: {
-        // 出站重试策略
-        attempts: 3,
-        minDelayMs: 500,
-        maxDelayMs: 30000,
-        jitter: 0.1,
-      },
-    },
-  },
-}
-```
-
-OpenClaw 仅在存在 `channels.discord` 配置段时启动 Discord。token 从 `channels.discord.token` 解析，`DISCORD_BOT_TOKEN` 作为默认账号的回退（除非 `channels.discord.enabled` 为 `false`）。在为 cron/CLI 命令指定投递目标时，使用 `user:<id>`（私聊）或 `channel:<id>`（服务器频道）；裸数字 ID 有歧义会被拒绝。
-服务器 slug 为小写，空格替换为 `-`；频道键使用 slug 化的频道名称（无前导 `#`）。建议使用服务器 id 作为键以避免重命名歧义。
-机器人发送的消息默认被忽略。通过 `channels.discord.allowBots` 启用（自身消息仍会被过滤以防止自回复循环）。
-反应通知模式：
-
-- `off`：无反应事件。
-- `own`：机器人自身消息上的反应（默认）。
-- `all`：所有消息上的所有反应。
-- `allowlist`：`guilds.<id>.users` 中的用户在所有消息上的反应（空列表禁用）。
-  出站文本按 `channels.discord.textChunkLimit`（默认 2000）分块。设置 `channels.discord.chunkMode="newline"` 在长度分块前按空行（段落边界）分割。Discord 客户端可能裁剪过高的消息，因此 `channels.discord.maxLinesPerMessage`（默认 17）即使在 2000 字符以内也会分割长多行回复。
-  重试策略默认值和行为记录在[重试策略](/concepts/retry)中。
-
-### `channels.googlechat`（Chat API webhook）
-
-Google Chat 通过 HTTP webhook 运行，使用应用级认证（服务账号）。
-多账号支持在 `channels.googlechat.accounts` 下（参见上方多账号部分）。环境变量仅适用于默认账号。
-
-```json5
-{
-  channels: {
-    googlechat: {
-      enabled: true,
-      serviceAccountFile: "/path/to/service-account.json",
-      audienceType: "app-url", // app-url | project-number
-      audience: "https://gateway.example.com/googlechat",
-      webhookPath: "/googlechat",
-      botUser: "users/1234567890", // 可选；改善提及检测
-      dm: {
-        enabled: true,
-        policy: "pairing", // pairing | allowlist | open | disabled
-        allowFrom: ["users/1234567890"], // 可选；"open" 需要 ["*"]
-      },
-      groupPolicy: "allowlist",
-      groups: {
-        "spaces/AAAA": { allow: true, requireMention: true },
-      },
-      actions: { reactions: true },
-      typingIndicator: "message",
-      mediaMaxMb: 20,
-    },
-  },
-}
-```
-
-说明：
-
-- 服务账号 JSON 可以内联（`serviceAccount`）或基于文件（`serviceAccountFile`）。
-- 默认账号的环境变量回退：`GOOGLE_CHAT_SERVICE_ACCOUNT` 或 `GOOGLE_CHAT_SERVICE_ACCOUNT_FILE`。
-- `audienceType` + `audience` 必须与 Chat 应用的 webhook 认证配置匹配。
-- 设置投递目标时使用 `spaces/<spaceId>` 或 `users/<userId|email>`。
-
-### `channels.slack`（socket 模式）
-
-Slack 以 Socket Mode 运行，需要机器人 token 和应用 token：
-
-```json5
-{
-  channels: {
-    slack: {
-      enabled: true,
-      botToken: "xoxb-...",
-      appToken: "xapp-...",
-      dm: {
-        enabled: true,
-        policy: "pairing", // pairing | allowlist | open | disabled
-        allowFrom: ["U123", "U456", "*"], // 可选；"open" 需要 ["*"]
-        groupEnabled: false,
-        groupChannels: ["G123"],
-      },
-      channels: {
-        C123: { allow: true, requireMention: true, allowBots: false },
-        "#general": {
-          allow: true,
-          requireMention: true,
-          allowBots: false,
-          users: ["U123"],
-          skills: ["docs"],
-          systemPrompt: "Short answers only.",
-        },
-      },
-      historyLimit: 50, // 包含最近 N 条频道/群组消息作为上下文（0 禁用）
-      allowBots: false,
-      reactionNotifications: "own", // off | own | all | allowlist
-      reactionAllowlist: ["U123"],
-      replyToMode: "off", // off | first | all
-      thread: {
-        historyScope: "thread", // thread | channel
-        inheritParent: false,
-      },
-      actions: {
-        reactions: true,
-        messages: true,
-        pins: true,
-        memberInfo: true,
-        emojiList: true,
-      },
-      slashCommand: {
-        enabled: true,
-        name: "openclaw",
-        sessionPrefix: "slack:slash",
-        ephemeral: true,
-      },
-      textChunkLimit: 4000,
-      chunkMode: "length",
-      mediaMaxMb: 20,
-    },
-  },
-}
-```
-
-多账号支持在 `channels.slack.accounts` 下（参见上方多账号部分）。环境变量 token 仅适用于默认账号。
-
-OpenClaw 在提供商启用且两个 token 都已设置时启动 Slack（通过配置或 `SLACK_BOT_TOKEN` + `SLACK_APP_TOKEN`）。在为 cron/CLI 命令指定投递目标时使用 `user:<id>`（私聊）或 `channel:<id>`。
-设置 `channels.slack.configWrites: false` 阻止 Slack 发起的配置写入（包括频道 ID 迁移和 `/config set|unset`）。
-
-机器人发送的消息默认被忽略。通过 `channels.slack.allowBots` 或 `channels.slack.channels.<id>.allowBots` 启用。
-
-反应通知模式：
-
-- `off`：无反应事件。
-- `own`：机器人自身消息上的反应（默认）。
-- `all`：所有消息上的所有反应。
-- `allowlist`：`channels.slack.reactionAllowlist` 中的用户在所有消息上的反应（空列表禁用）。
-
-线程会话隔离：
-
-- `channels.slack.thread.historyScope` 控制线程历史是按线程（`thread`，默认）还是跨频道共享（`channel`）。
-- `channels.slack.thread.inheritParent` 控制新线程会话是否继承父频道的记录（默认：false）。
-
-Slack 动作组（控制 `slack` 工具动作）：
-| 动作组 | 默认 | 说明 |
-| --- | --- | --- |
-| reactions | 已启用 | 反应 + 列出反应 |
-| messages | 已启用 | 读取/发送/编辑/删除 |
-| pins | 已启用 | 固定/取消固定/列出 |
-| memberInfo | 已启用 | 成员信息 |
-| emojiList | 已启用 | 自定义表情列表 |
-
-### `channels.mattermost`（机器人 token）
-
-Mattermost 作为插件提供，不包含在核心安装中。
-请先安装：`openclaw plugins install @openclaw/mattermost`（或从 git checkout 使用 `./extensions/mattermost`）。
-
-Mattermost 需要机器人 token 加上服务器的基础 URL：
-
-```json5
-{
-  channels: {
-    mattermost: {
-      enabled: true,
-      botToken: "mm-token",
-      baseUrl: "https://chat.example.com",
-      dmPolicy: "pairing",
-      chatmode: "oncall", // oncall | onmessage | onchar
-      oncharPrefixes: [">", "!"],
-      textChunkLimit: 4000,
-      chunkMode: "length",
-    },
-  },
-}
-```
-
-OpenClaw 在账号已配置（机器人 token + 基础 URL）且已启用时启动 Mattermost。token + 基础 URL 从 `channels.mattermost.botToken` + `channels.mattermost.baseUrl` 或默认账号的 `MATTERMOST_BOT_TOKEN` + `MATTERMOST_URL` 解析（除非 `channels.mattermost.enabled` 为 `false`）。
-
-聊天模式：
-
-- `oncall`（默认）：仅在被 @提及时响应频道消息。
-- `onmessage`：响应每条频道消息。
-- `onchar`：当消息以触发前缀开头时响应（`channels.mattermost.oncharPrefixes`，默认 `[">", "!"]`）。
-
-访问控制：
-
-- 默认私聊：`channels.mattermost.dmPolicy="pairing"`（未知发送者收到配对码）。
-- 公开私聊：`channels.mattermost.dmPolicy="open"` 加上 `channels.mattermost.allowFrom=["*"]`。
-- 群组：`channels.mattermost.groupPolicy="allowlist"` 为默认值（提及门控）。使用 `channels.mattermost.groupAllowFrom` 限制发送者。
-
-多账号支持在 `channels.mattermost.accounts` 下（参见上方多账号部分）。环境变量仅适用于默认账号。
-指定投递目标时使用 `channel:<id>` 或 `user:<id>`（或 `@username`）；裸 id 被视为频道 id。
-
-### `channels.signal`（signal-cli）
-
-Signal 反应可以发出系统事件（共享反应工具）：
-
-```json5
-{
-  channels: {
-    signal: {
-      reactionNotifications: "own", // off | own | all | allowlist
-      reactionAllowlist: ["+15551234567", "uuid:123e4567-e89b-12d3-a456-426614174000"],
-      historyLimit: 50, // 包含最近 N 条群消息作为上下文（0 禁用）
-    },
-  },
-}
-```
-
-反应通知模式：
-
-- `off`：无反应事件。
-- `own`：机器人自身消息上的反应（默认）。
-- `all`：所有消息上的所有反应。
-- `allowlist`：`channels.signal.reactionAllowlist` 中的用户在所有消息上的反应（空列表禁用）。
-
-### `channels.imessage`（imsg CLI）
-
-OpenClaw 会生成 `imsg rpc`（通过 stdio 的 JSON-RPC）。无需守护进程或端口。
-
-```json5
-{
-  channels: {
-    imessage: {
-      enabled: true,
-      cliPath: "imsg",
-      dbPath: "~/Library/Messages/chat.db",
-      remoteHost: "user@gateway-host", // 使用 SSH 包装器时通过 SCP 获取远程附件
-      dmPolicy: "pairing", // pairing | allowlist | open | disabled
-      allowFrom: ["+15555550123", "user@example.com", "chat_id:123"],
-      historyLimit: 50, // 包含最近 N 条群消息作为上下文（0 禁用）
-      includeAttachments: false,
-      mediaMaxMb: 16,
-      service: "auto",
-      region: "US",
-    },
-  },
-}
-```
-
-多账号支持在 `channels.imessage.accounts` 下（参见上方多账号部分）。
-
-说明：
-
-- 需要对消息数据库的完全磁盘访问权限。
-- 首次发送时会提示请求消息自动化权限。
-- 建议使用 `chat_id:<id>` 目标。使用 `imsg chats --limit 20` 列出聊天。
-- `channels.imessage.cliPath` 可以指向包装脚本（例如 `ssh` 到另一台运行 `imsg rpc` 的 Mac）；使用 SSH 密钥避免密码提示。
-- 对于远程 SSH 包装器，设置 `channels.imessage.remoteHost` 以便在启用 `includeAttachments` 时通过 SCP 获取附件。
-
-示例包装器：
-
-```bash
-#!/usr/bin/env bash
-exec ssh -T gateway-host imsg "$@"
-```
-
-### `agents.defaults.workspace`
-
-设置智能体用于文件操作的**单一全局工作区目录**。
-
-默认：`~/.openclaw/workspace`。
-
-```json5
-{
-  agents: { defaults: { workspace: "~/.openclaw/workspace" } },
-}
-```
-
-如果启用了 `agents.defaults.sandbox`，非主会话可以在 `agents.defaults.sandbox.workspaceRoot` 下使用各自的每范围工作区来覆盖此设置。
-
-### `agents.defaults.repoRoot`
-
-在系统提示的 Runtime 行中显示的可选仓库根目录。如果未设置，OpenClaw 会从工作区（和当前工作目录）向上查找 `.git` 目录进行检测。路径必须存在才能使用。
-
-```json5
-{
-  agents: { defaults: { repoRoot: "~/Projects/openclaw" } },
-}
-```
-
-### `agents.defaults.skipBootstrap`
-
-禁用自动创建工作区引导文件（`AGENTS.md`、`SOUL.md`、`TOOLS.md`、`IDENTITY.md`、`USER.md` 和 `BOOTSTRAP.md`）。
-
-适用于工作区文件来自仓库的预置部署。
-
-```json5
-{
-  agents: { defaults: { skipBootstrap: true } },
-}
-```
-
-### `agents.defaults.bootstrapMaxChars`
-
-注入系统提示前每个工作区引导文件截断前的最大字符数。默认：`20000`。
-
-当文件超过此限制时，OpenClaw 会记录警告并注入带标记的头尾截断内容。
-
-```json5
-{
-  agents: { defaults: { bootstrapMaxChars: 20000 } },
-}
-```
-
-### `agents.defaults.userTimezone`
-
-设置用户时区用于**系统提示上下文**（不用于消息信封中的时间戳）。如果未设置，OpenClaw 在运行时使用主机时区。
-
-```json5
-{
-  agents: { defaults: { userTimezone: "America/Chicago" } },
-}
-```
-
-### `agents.defaults.timeFormat`
-
-控制系统提示中"当前日期和时间"部分显示的**时间格式**。
-默认：`auto`（操作系统偏好）。
-
-```json5
-{
-  agents: { defaults: { timeFormat: "auto" } }, // auto | 12 | 24
-}
-```
-
-### `messages`
-
-控制入站/出站前缀和可选的确认反应。
-参见[消息](/concepts/messages)了解排队、会话和流式上下文。
-
-```json5
-{
-  messages: {
-    responsePrefix: "🦞", // 或 "auto"
-    ackReaction: "👀",
-    ackReactionScope: "group-mentions",
-    removeAckAfterReply: false,
-  },
-}
-```
-
-`responsePrefix` 应用于跨渠道的**所有出站回复**（工具摘要、分块流式传输、最终回复），除非已存在。
-
-如果未设置 `messages.responsePrefix`，默认不应用前缀。WhatsApp 自聊天回复是例外：它们在设置时默认为 `[{identity.name}]`，否则为 `[openclaw]`，以保持同一手机上的对话可读性。
-设为 `"auto"` 可为路由的智能体推导 `[{identity.name}]`（当设置时）。
-
-#### 模板变量
-
-`responsePrefix` 字符串可以包含动态解析的模板变量：
-
-| 变量              | 描述           | 示例                        |
-| ----------------- | -------------- | --------------------------- |
-| `{model}`         | 短模型名称     | `claude-opus-4-5`、`gpt-4o` |
-| `{modelFull}`     | 完整模型标识符 | `anthropic/claude-opus-4-5` |
-| `{provider}`      | 提供商名称     | `anthropic`、`openai`       |
-| `{thinkingLevel}` | 当前思考级别   | `high`、`low`、`off`        |
-| `{identity.name}` | 智能体身份名称 | （与 `"auto"` 模式相同）    |
-
-变量不区分大小写（`{MODEL}` = `{model}`）。`{think}` 是 `{thinkingLevel}` 的别名。
-未解析的变量保持为字面文本。
-
-```json5
-{
-  messages: {
-    responsePrefix: "[{model} | think:{thinkingLevel}]",
-  },
-}
-```
-
-输出示例：`[claude-opus-4-5 | think:high] Here's my response...`
-
-WhatsApp 入站前缀通过 `channels.whatsapp.messagePrefix` 配置（已弃用：`messages.messagePrefix`）。默认保持**不变**：当 `channels.whatsapp.allowFrom` 为空时为 `"[openclaw]"`，否则为 `""`（无前缀）。使用 `"[openclaw]"` 时，如果路由的智能体设置了 `identity.name`，OpenClaw 会改用 `[{identity.name}]`。
-
-`ackReaction` 在支持反应的渠道（Slack/Discord/Telegram/Google Chat）上发送尽力而为的表情反应来确认入站消息。设置时默认为活跃智能体的 `identity.emoji`，否则为 `"👀"`。设为 `""` 禁用。
-
-`ackReactionScope` 控制反应触发时机：
-
-- `group-mentions`（默认）：仅在群组/房间要求提及**且**机器人被提及时
-- `group-all`：所有群组/房间消息
-- `direct`：仅私聊消息
-- `all`：所有消息
-
-`removeAckAfterReply` 在发送回复后移除机器人的确认反应（仅 Slack/Discord/Telegram/Google Chat）。默认：`false`。
-
-#### `messages.tts`
-
-为出站回复启用文字转语音。开启后，OpenClaw 使用 ElevenLabs 或 OpenAI 生成音频并附加到回复中。Telegram 使用 Opus 语音消息；其他渠道发送 MP3 音频。
-
-```json5
-{
-  messages: {
-    tts: {
-      auto: "always", // off | always | inbound | tagged
-      mode: "final", // final | all（包含工具/块回复）
-      provider: "elevenlabs",
-      summaryModel: "openai/gpt-4.1-mini",
-      modelOverrides: {
-        enabled: true,
-      },
-      maxTextLength: 4000,
-      timeoutMs: 30000,
-      prefsPath: "~/.openclaw/settings/tts.json",
-      elevenlabs: {
-        apiKey: "elevenlabs_api_key",
-        baseUrl: "https://api.elevenlabs.io",
-        voiceId: "voice_id",
-        modelId: "eleven_multilingual_v2",
-        seed: 42,
-        applyTextNormalization: "auto",
-        languageCode: "en",
-        voiceSettings: {
-          stability: 0.5,
-          similarityBoost: 0.75,
-          style: 0.0,
-          useSpeakerBoost: true,
-          speed: 1.0,
-        },
-      },
-      openai: {
-        apiKey: "openai_api_key",
-        model: "gpt-4o-mini-tts",
-        voice: "alloy",
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- `messages.tts.auto` 控制自动 TTS（`off`、`always`、`inbound`、`tagged`）。
-- `/tts off|always|inbound|tagged` 设置每会话的自动模式（覆盖配置）。
-- `messages.tts.enabled` 为旧版；doctor 会将其迁移为 `messages.tts.auto`。
-- `prefsPath` 存储本地覆盖（提供商/限制/摘要）。
-- `maxTextLength` 是 TTS 输入的硬上限；摘要会被截断以适应。
-- `summaryModel` 覆盖自动摘要的 `agents.defaults.model.primary`。
-  - 接受 `provider/model` 或来自 `agents.defaults.models` 的别名。
-- `modelOverrides` 启用模型驱动的覆盖如 `[[tts:...]]` 标签（默认开启）。
-- `/tts limit` 和 `/tts summary` 控制每用户的摘要设置。
-- `apiKey` 值回退到 `ELEVENLABS_API_KEY`/`XI_API_KEY` 和 `OPENAI_API_KEY`。
-- `elevenlabs.baseUrl` 覆盖 ElevenLabs API 基础 URL。
-- `elevenlabs.voiceSettings` 支持 `stability`/`similarityBoost`/`style`（0..1）、
-  `useSpeakerBoost` 和 `speed`（0.5..2.0）。
-
-### `talk`
-
-Talk 模式（macOS/iOS/Android）的默认值。语音 ID 在未设置时回退到 `ELEVENLABS_VOICE_ID` 或 `SAG_VOICE_ID`。
-`apiKey` 在未设置时回退到 `ELEVENLABS_API_KEY`（或 Gateway 网关的 shell 配置文件）。
-`voiceAliases` 允许 Talk 指令使用友好名称（例如 `"voice":"Clawd"`）。
-
-```json5
-{
-  talk: {
-    voiceId: "elevenlabs_voice_id",
-    voiceAliases: {
-      Clawd: "EXAVITQu4vr4xnSDxMaL",
-      Roger: "CwhRBWXzGAHq8TQ4Fs17",
-    },
-    modelId: "eleven_v3",
-    outputFormat: "mp3_44100_128",
-    apiKey: "elevenlabs_api_key",
-    interruptOnSpeech: true,
-  },
-}
-```
-
-### `agents.defaults`
-
-控制内置智能体运行时（模型/思考/详细/超时）。
-`agents.defaults.models` 定义已配置的模型目录（也充当 `/model` 的白名单）。
-`agents.defaults.model.primary` 设置默认模型；`agents.defaults.model.fallbacks` 是全局故障转移。
-`agents.defaults.imageModel` 是可选的，**仅在主模型缺少图像输入时使用**。
-每个 `agents.defaults.models` 条目可以包含：
-
-- `alias`（可选的模型快捷方式，例如 `/opus`）。
-- `params`（可选的提供商特定 API 参数，传递给模型请求）。
-
-`params` 也应用于流式运行（内置智能体 + 压缩）。目前支持的键：`temperature`、`maxTokens`。这些与调用时选项合并；调用方提供的值优先。`temperature` 是高级旋钮——除非你了解模型的默认值且需要更改，否则不要设置。
-
-示例：
-
-```json5
-{
-  agents: {
-    defaults: {
-      models: {
-        "anthropic/claude-sonnet-4-5-20250929": {
-          params: { temperature: 0.6 },
-        },
-        "openai/gpt-5.2": {
-          params: { maxTokens: 8192 },
-        },
-      },
-    },
-  },
-}
-```
-
-Z.AI GLM-4.x 模型会自动启用思考模式，除非你：
-
-- 设置 `--thinking off`，或
-- 自行定义 `agents.defaults.models["zai/<model>"].params.thinking`。
-
-OpenClaw 还内置了一些别名快捷方式。默认值仅在模型已存在于 `agents.defaults.models` 中时才应用：
-
-- `opus` -> `anthropic/claude-opus-4-5`
-- `sonnet` -> `anthropic/claude-sonnet-4-5`
-- `gpt` -> `openai/gpt-5.2`
-- `gpt-mini` -> `openai/gpt-5-mini`
-- `gemini` -> `google/gemini-3-pro-preview`
-- `gemini-flash` -> `google/gemini-3-flash-preview`
-
-如果你配置了相同的别名（不区分大小写），你的值优先（默认值不会覆盖）。
-
-示例：Opus 4.5 主模型，MiniMax M2.1 回退（托管 MiniMax）：
-
-```json5
-{
-  agents: {
-    defaults: {
-      models: {
-        "anthropic/claude-opus-4-5": { alias: "opus" },
-        "minimax/MiniMax-M2.1": { alias: "minimax" },
-      },
-      model: {
-        primary: "anthropic/claude-opus-4-5",
-        fallbacks: ["minimax/MiniMax-M2.1"],
-      },
-    },
-  },
-}
-```
-
-MiniMax 认证：设置 `MINIMAX_API_KEY`（环境变量）或配置 `models.providers.minimax`。
-
-#### `agents.defaults.cliBackends`（CLI 回退）
-
-可选的 CLI 后端用于纯文本回退运行（无工具调用）。当 API 提供商失败时可作为备用路径。当你配置了接受文件路径的 `imageArg` 时支持图像透传。
-
-说明：
-
-- CLI 后端**以文本为主**；工具始终禁用。
-- 设置 `sessionArg` 时支持会话；会话 id 按后端持久化。
-- 对于 `claude-cli`，默认值已内置。如果 PATH 不完整（launchd/systemd），请覆盖命令路径。
-
-示例：
-
-```json5
-{
-  agents: {
-    defaults: {
-      cliBackends: {
-        "claude-cli": {
-          command: "/opt/homebrew/bin/claude",
-        },
-        "my-cli": {
-          command: "my-cli",
-          args: ["--json"],
-          output: "json",
-          modelArg: "--model",
-          sessionArg: "--session",
-          sessionMode: "existing",
-          systemPromptArg: "--system",
-          systemPromptWhen: "first",
-          imageArg: "--image",
-          imageMode: "repeat",
-        },
-      },
-    },
-  },
-}
-```
-
-```json5
-{
-  agents: {
-    defaults: {
-      models: {
-        "anthropic/claude-opus-4-5": { alias: "Opus" },
-        "anthropic/claude-sonnet-4-1": { alias: "Sonnet" },
-        "openrouter/deepseek/deepseek-r1:free": {},
-        "zai/glm-4.7": {
-          alias: "GLM",
-          params: {
-            thinking: {
-              type: "enabled",
-              clear_thinking: false,
-            },
-          },
-        },
-      },
-      model: {
-        primary: "anthropic/claude-opus-4-5",
-        fallbacks: [
-          "openrouter/deepseek/deepseek-r1:free",
-          "openrouter/meta-llama/llama-3.3-70b-instruct:free",
-        ],
-      },
-      imageModel: {
-        primary: "openrouter/qwen/qwen-2.5-vl-72b-instruct:free",
-        fallbacks: ["openrouter/google/gemini-2.0-flash-vision:free"],
-      },
-      thinkingDefault: "low",
-      verboseDefault: "off",
-      elevatedDefault: "on",
-      timeoutSeconds: 600,
-      mediaMaxMb: 5,
-      heartbeat: {
-        every: "30m",
-        target: "last",
-      },
-      maxConcurrent: 3,
-      subagents: {
-        model: "minimax/MiniMax-M2.1",
-        maxConcurrent: 1,
-        archiveAfterMinutes: 60,
-      },
-      exec: {
-        backgroundMs: 10000,
-        timeoutSec: 1800,
-        cleanupMs: 1800000,
-      },
-      contextTokens: 200000,
-    },
-  },
-}
-```
-
-#### `agents.defaults.contextPruning`（工具结果裁剪）
-
-`agents.defaults.contextPruning` 在请求发送到 LLM 之前裁剪内存上下文中的**旧工具结果**。
-它**不会**修改磁盘上的会话历史（`*.jsonl` 保持完整）。
-
-这旨在减少随时间积累大量工具输出的智能体的 token 消耗。
-
-概述：
-
-- 不触及用户/助手消息。
-- 保护最后 `keepLastAssistants` 条助手消息（该点之后的工具结果不会被裁剪）。
-- 保护引导前缀（第一条用户消息之前的内容不会被裁剪）。
-- 模式：
-  - `adaptive`：当估计的上下文比率超过 `softTrimRatio` 时，软裁剪过大的工具结果（保留头尾）。
-    然后当估计的上下文比率超过 `hardClearRatio` **且**有足够的可裁剪工具结果量（`minPrunableToolChars`）时，硬清除最旧的符合条件的工具结果。
-  - `aggressive`：始终用 `hardClear.placeholder` 替换截止点之前符合条件的工具结果（不做比率检查）。
-
-软裁剪 vs 硬裁剪（发送给 LLM 的上下文中的变化）：
-
-- **软裁剪**：仅针对*过大*的工具结果。保留开头 + 结尾，在中间插入 `...`。
-  - 之前：`toolResult("…很长的输出…")`
-  - 之后：`toolResult("HEAD…\n...\n…TAIL\n\n[Tool result trimmed: …]")`
-- **硬清除**：用占位符替换整个工具结果。
-  - 之前：`toolResult("…很长的输出…")`
-  - 之后：`toolResult("[Old tool result content cleared]")`
-
-说明 / 当前限制：
-
-- 目前包含**图像块的工具结果会被跳过**（不会被裁剪/清除）。
-- 估计的"上下文比率"基于**字符**（近似值），不是精确的 token 数。
-- 如果会话尚未包含至少 `keepLastAssistants` 条助手消息，则跳过裁剪。
-- 在 `aggressive` 模式下，`hardClear.enabled` 被忽略（符合条件的工具结果始终被替换为 `hardClear.placeholder`）。
-
-默认值（adaptive）：
-
-```json5
-{
-  agents: { defaults: { contextPruning: { mode: "adaptive" } } },
-}
-```
-
-禁用：
-
-```json5
-{
-  agents: { defaults: { contextPruning: { mode: "off" } } },
-}
-```
-
-默认值（当 `mode` 为 `"adaptive"` 或 `"aggressive"` 时）：
-
-- `keepLastAssistants`：`3`
-- `softTrimRatio`：`0.3`（仅 adaptive）
-- `hardClearRatio`：`0.5`（仅 adaptive）
-- `minPrunableToolChars`：`50000`（仅 adaptive）
-- `softTrim`：`{ maxChars: 4000, headChars: 1500, tailChars: 1500 }`（仅 adaptive）
-- `hardClear`：`{ enabled: true, placeholder: "[Old tool result content cleared]" }`
-
-示例（aggressive，最小化）：
-
-```json5
-{
-  agents: { defaults: { contextPruning: { mode: "aggressive" } } },
-}
-```
-
-示例（调优的 adaptive）：
-
-```json5
-{
-  agents: {
-    defaults: {
-      contextPruning: {
-        mode: "adaptive",
-        keepLastAssistants: 3,
-        softTrimRatio: 0.3,
-        hardClearRatio: 0.5,
-        minPrunableToolChars: 50000,
-        softTrim: { maxChars: 4000, headChars: 1500, tailChars: 1500 },
-        hardClear: { enabled: true, placeholder: "[Old tool result content cleared]" },
-        // 可选：限制裁剪仅针对特定工具（deny 优先；支持 "*" 通配符）
-        tools: { deny: ["browser", "canvas"] },
-      },
-    },
-  },
-}
-```
-
-参见 [/concepts/session-pruning](/concepts/session-pruning) 了解行为细节。
-
-#### `agents.defaults.compaction`（预留空间 + 记忆刷新）
-
-`agents.defaults.compaction.mode` 选择压缩摘要策略。默认为 `default`；设为 `safeguard` 可为超长历史启用分块摘要。参见 [/concepts/compaction](/concepts/compaction)。
-
-`agents.defaults.compaction.reserveTokensFloor` 为 Pi 压缩强制一个最小 `reserveTokens` 值（默认：`20000`）。设为 `0` 禁用此底线。
-
-`agents.defaults.compaction.memoryFlush` 在自动压缩前运行一个**静默**智能体轮次，指示模型将持久记忆存储到磁盘（例如 `memory/YYYY-MM-DD.md`）。当会话 token 估计值超过压缩限制以下的软阈值时触发。
-
-旧版默认值：
-
-- `memoryFlush.enabled`：`true`
-- `memoryFlush.softThresholdTokens`：`4000`
-- `memoryFlush.prompt` / `memoryFlush.systemPrompt`：带 `NO_REPLY` 的内置默认值
-- 注意：当会话工作区为只读时跳过记忆刷新（`agents.defaults.sandbox.workspaceAccess: "ro"` 或 `"none"`）。
-
-示例（调优）：
-
-```json5
-{
-  agents: {
-    defaults: {
-      compaction: {
-        mode: "safeguard",
-        reserveTokensFloor: 24000,
-        memoryFlush: {
-          enabled: true,
-          softThresholdTokens: 6000,
-          systemPrompt: "Session nearing compaction. Store durable memories now.",
-          prompt: "Write any lasting notes to memory/YYYY-MM-DD.md; reply with NO_REPLY if nothing to store.",
-        },
-      },
-    },
-  },
-}
-```
-
-分块流式传输：
-
-- `agents.defaults.blockStreamingDefault`：`"on"`/`"off"`（默认 off）。
-- 渠道覆盖：`*.blockStreaming`（及每账号变体）强制分块流式传输开/关。
-  非 Telegram 渠道需要显式设置 `*.blockStreaming: true` 来启用块回复。
-- `agents.defaults.blockStreamingBreak`：`"text_end"` 或 `"message_end"`（默认：text_end）。
-- `agents.defaults.blockStreamingChunk`：流式块的软分块。默认 800–1200 字符，优先段落分隔（`\n\n`），然后换行，然后句子。
-  示例：
-  ```json5
-  {
-    agents: { defaults: { blockStreamingChunk: { minChars: 800, maxChars: 1200 } } },
-  }
-  ```
-- `agents.defaults.blockStreamingCoalesce`：发送前合并流式块。
-  默认为 `{ idleMs: 1000 }`，从 `blockStreamingChunk` 继承 `minChars`，
-  `maxChars` 上限为渠道文本限制。Signal/Slack/Discord/Google Chat 默认
-  `minChars: 1500`，除非被覆盖。
-  渠道覆盖：`channels.whatsapp.blockStreamingCoalesce`、`channels.telegram.blockStreamingCoalesce`、
-  `channels.discord.blockStreamingCoalesce`、`channels.slack.blockStreamingCoalesce`、`channels.mattermost.blockStreamingCoalesce`、
-  `channels.signal.blockStreamingCoalesce`、`channels.imessage.blockStreamingCoalesce`、`channels.msteams.blockStreamingCoalesce`、
-  `channels.googlechat.blockStreamingCoalesce`
-  （及每账号变体）。
-- `agents.defaults.humanDelay`：第一条之后**块回复**之间的随机延迟。
-  模式：`off`（默认）、`natural`（800–2500ms）、`custom`（使用 `minMs`/`maxMs`）。
-  每智能体覆盖：`agents.list[].humanDelay`。
-  示例：
-  ```json5
-  {
-    agents: { defaults: { humanDelay: { mode: "natural" } } },
-  }
-  ```
-  参见 [/concepts/streaming](/concepts/streaming) 了解行为 + 分块细节。
-
-输入指示器：
-
-- `agents.defaults.typingMode`：`"never" | "instant" | "thinking" | "message"`。私聊/提及默认为
-  `instant`，未被提及的群聊默认为 `message`。
-- `session.typingMode`：每会话的模式覆盖。
-- `agents.defaults.typingIntervalSeconds`：输入信号刷新频率（默认：6s）。
-- `session.typingIntervalSeconds`：每会话的刷新间隔覆盖。
-  参见 [/concepts/typing-indicators](/concepts/typing-indicators) 了解行为细节。
-
-`agents.defaults.model.primary` 应设为 `provider/model`（例如 `anthropic/claude-opus-4-5`）。
-别名来自 `agents.defaults.models.*.alias`（例如 `Opus`）。
-如果省略提供商，OpenClaw 目前假定 `anthropic` 作为临时弃用回退。
-Z.AI 模型可通过 `zai/<model>` 使用（例如 `zai/glm-4.7`），需要环境中设置
-`ZAI_API_KEY`（或旧版 `Z_AI_API_KEY`）。
-
-`agents.defaults.heartbeat` 配置定期心跳运行：
-
-- `every`：持续时间字符串（`ms`、`s`、`m`、`h`）；默认单位分钟。默认：
-  `30m`。设为 `0m` 禁用。
-- `model`：可选的心跳运行覆盖模型（`provider/model`）。
-- `includeReasoning`：为 `true` 时，心跳也会传递单独的 `Reasoning:` 消息（与 `/reasoning on` 相同形式）。默认：`false`。
-- `session`：可选的会话键，控制心跳在哪个会话中运行。默认：`main`。
-- `to`：可选的收件人覆盖（渠道特定 id，例如 WhatsApp 的 E.164，Telegram 的聊天 id）。
-- `target`：可选的投递渠道（`last`、`whatsapp`、`telegram`、`discord`、`slack`、`msteams`、`signal`、`imessage`、`none`）。默认：`last`。
-- `prompt`：可选的心跳内容覆盖（默认：`Read HEARTBEAT.md if it exists (workspace context). Follow it strictly. Do not infer or repeat old tasks from prior chats. If nothing needs attention, reply HEARTBEAT_OK.`）。覆盖值按原样发送；如果仍需读取文件，请包含 `Read HEARTBEAT.md` 行。
-- `ackMaxChars`：`HEARTBEAT_OK` 之后投递前允许的最大字符数（默认：300）。
-
-每智能体心跳：
-
-- 设置 `agents.list[].heartbeat` 为特定智能体启用或覆盖心跳设置。
-- 如果任何智能体条目定义了 `heartbeat`，**仅那些智能体**运行心跳；默认值
-  成为那些智能体的共享基线。
-
-心跳运行完整的智能体轮次。较短的间隔消耗更多 token；请注意
-`every`，保持 `HEARTBEAT.md` 精简，和/或选择更便宜的 `model`。
-
-`tools.exec` 配置后台执行默认值：
-
-- `backgroundMs`：自动后台化前的时间（ms，默认 10000）
-- `timeoutSec`：超过此运行时间后自动终止（秒，默认 1800）
-- `cleanupMs`：完成的会话在内存中保留多久（ms，默认 1800000）
-- `notifyOnExit`：后台执行退出时加入系统事件 + 请求心跳（默认 true）
-- `applyPatch.enabled`：启用实验性 `apply_patch`（仅 OpenAI/OpenAI Codex；默认 false）
-- `applyPatch.allowModels`：可选的模型 id 白名单（例如 `gpt-5.2` 或 `openai/gpt-5.2`）
-  注意：`applyPatch` 仅在 `tools.exec` 下。
-
-`tools.web` 配置 Web 搜索 + 获取工具：
-
-- `tools.web.search.enabled`（默认：有密钥时为 true）
-- `tools.web.search.apiKey`（推荐：通过 `openclaw configure --section web` 设置，或使用 `BRAVE_API_KEY` 环境变量）
-- `tools.web.search.maxResults`（1–10，默认 5）
-- `tools.web.search.timeoutSeconds`（默认 30）
-- `tools.web.search.cacheTtlMinutes`（默认 15）
-- `tools.web.fetch.enabled`（默认 true）
-- `tools.web.fetch.maxChars`（默认 50000）
-- `tools.web.fetch.timeoutSeconds`（默认 30）
-- `tools.web.fetch.cacheTtlMinutes`（默认 15）
-- `tools.web.fetch.userAgent`（可选覆盖）
-- `tools.web.fetch.readability`（默认 true；禁用后仅使用基本 HTML 清理）
-- `tools.web.fetch.firecrawl.enabled`（默认：设置了 API 密钥时为 true）
-- `tools.web.fetch.firecrawl.apiKey`（可选；默认为 `FIRECRAWL_API_KEY`）
-- `tools.web.fetch.firecrawl.baseUrl`（默认 https://api.firecrawl.dev）
-- `tools.web.fetch.firecrawl.onlyMainContent`（默认 true）
-- `tools.web.fetch.firecrawl.maxAgeMs`（可选）
-- `tools.web.fetch.firecrawl.timeoutSeconds`（可选）
-
-`tools.media` 配置入站媒体理解（图片/音频/视频）：
-
-- `tools.media.models`：共享模型列表（按能力标记；在每能力列表之后使用）。
-- `tools.media.concurrency`：最大并发能力运行数（默认 2）。
-- `tools.media.image` / `tools.media.audio` / `tools.media.video`：
-  - `enabled`：选择退出开关（配置了模型时默认为 true）。
-  - `prompt`：可选的提示覆盖（图片/视频自动附加 `maxChars` 提示）。
-  - `maxChars`：最大输出字符数（图片/视频默认 500；音频未设置）。
-  - `maxBytes`：发送的最大媒体大小（默认：图片 10MB，音频 20MB，视频 50MB）。
-  - `timeoutSeconds`：请求超时（默认：图片 60s，音频 60s，视频 120s）。
-  - `language`：可选的音频提示。
-  - `attachments`：附件策略（`mode`、`maxAttachments`、`prefer`）。
-  - `scope`：可选的门控（第一个匹配获胜），带 `match.channel`、`match.chatType` 或 `match.keyPrefix`。
-  - `models`：有序的模型条目列表；失败或超大媒体回退到下一个条目。
-- 每个 `models[]` 条目：
-  - 提供商条目（`type: "provider"` 或省略）：
-    - `provider`：API 提供商 id（`openai`、`anthropic`、`google`/`gemini`、`groq` 等）。
-    - `model`：模型 id 覆盖（图片必需；音频提供商默认为 `gpt-4o-mini-transcribe`/`whisper-large-v3-turbo`，视频默认为 `gemini-3-flash-preview`）。
-    - `profile` / `preferredProfile`：认证配置文件选择。
-  - CLI 条目（`type: "cli"`）：
-    - `command`：要运行的可执行文件。
-    - `args`：模板化参数（支持 `{{MediaPath}}`、`{{Prompt}}`、`{{MaxChars}}` 等）。
-  - `capabilities`：可选的能力列表（`image`、`audio`、`video`）用于门控共享条目。省略时的默认值：`openai`/`anthropic`/`minimax` → image，`google` → image+audio+video，`groq` → audio。
-  - `prompt`、`maxChars`、`maxBytes`、`timeoutSeconds`、`language` 可在每个条目中覆盖。
-
-如果未配置模型（或 `enabled: false`），理解将被跳过；模型仍会接收原始附件。
-
-提供商认证遵循标准模型认证顺序（认证配置文件、环境变量如 `OPENAI_API_KEY`/`GROQ_API_KEY`/`GEMINI_API_KEY`，或 `models.providers.*.apiKey`）。
-
-示例：
-
-```json5
-{
-  tools: {
-    media: {
-      audio: {
-        enabled: true,
-        maxBytes: 20971520,
-        scope: {
-          default: "deny",
-          rules: [{ action: "allow", match: { chatType: "direct" } }],
-        },
-        models: [
-          { provider: "openai", model: "gpt-4o-mini-transcribe" },
-          { type: "cli", command: "whisper", args: ["--model", "base", "{{MediaPath}}"] },
-        ],
-      },
-      video: {
-        enabled: true,
-        maxBytes: 52428800,
-        models: [{ provider: "google", model: "gemini-3-flash-preview" }],
-      },
-    },
-  },
-}
-```
-
-`agents.defaults.subagents` 配置子智能体默认值：
-
-- `model`：生成的子智能体的默认模型（字符串或 `{ primary, fallbacks }`）。如果省略，子智能体继承调用者的模型，除非按智能体或按调用覆盖。
-- `maxConcurrent`：最大并发子智能体运行数（默认 1）
-- `archiveAfterMinutes`：N 分钟后自动归档子智能体会话（默认 60；设为 `0` 禁用）
-- 每子智能体工具策略：`tools.subagents.tools.allow` / `tools.subagents.tools.deny`（deny 优先）
-
-`tools.profile` 设置 `tools.allow`/`tools.deny` 之前的**基础工具白名单**：
-
-- `minimal`：仅 `session_status`
-- `coding`：`group:fs`、`group:runtime`、`group:sessions`、`group:memory`、`image`
-- `messaging`：`group:messaging`、`sessions_list`、`sessions_history`、`sessions_send`、`session_status`
-- `full`：无限制（与未设置相同）
-
-每智能体覆盖：`agents.list[].tools.profile`。
-
-示例（默认仅消息传递，另外允许 Slack + Discord 工具）：
-
-```json5
-{
-  tools: {
-    profile: "messaging",
-    allow: ["slack", "discord"],
-  },
-}
-```
-
-示例（编码配置文件，但全局拒绝 exec/process）：
-
-```json5
-{
-  tools: {
-    profile: "coding",
-    deny: ["group:runtime"],
-  },
-}
-```
-
-`tools.byProvider` 允许你为特定提供商（或单个 `provider/model`）**进一步限制**工具。
-每智能体覆盖：`agents.list[].tools.byProvider`。
-
-顺序：基础配置文件 → 提供商配置文件 → allow/deny 策略。
-提供商键接受 `provider`（例如 `google-antigravity`）或 `provider/model`
-（例如 `openai/gpt-5.2`）。
-
-示例（保持全局编码配置文件，但为 Google Antigravity 使用最小工具）：
-
-```json5
-{
-  tools: {
-    profile: "coding",
-    byProvider: {
-      "google-antigravity": { profile: "minimal" },
-    },
-  },
-}
-```
-
-示例（提供商/模型特定白名单）：
-
-```json5
-{
-  tools: {
-    allow: ["group:fs", "group:runtime", "sessions_list"],
-    byProvider: {
-      "openai/gpt-5.2": { allow: ["group:fs", "sessions_list"] },
-    },
-  },
-}
-```
-
-`tools.allow` / `tools.deny` 配置全局工具允许/拒绝策略（deny 优先）。
-匹配不区分大小写并支持 `*` 通配符（`"*"` 表示所有工具）。
-即使 Docker 沙箱**关闭**，此策略也会应用。
-
-示例（全局禁用 browser/canvas）：
-
-```json5
-{
-  tools: { deny: ["browser", "canvas"] },
-}
-```
-
-工具组（简写）在**全局**和**每智能体**工具策略中可用：
-
-- `group:runtime`：`exec`、`bash`、`process`
-- `group:fs`：`read`、`write`、`edit`、`apply_patch`
-- `group:sessions`：`sessions_list`、`sessions_history`、`sessions_send`、`sessions_spawn`、`session_status`
-- `group:memory`：`memory_search`、`memory_get`
-- `group:web`：`web_search`、`web_fetch`
-- `group:ui`：`browser`、`canvas`
-- `group:automation`：`cron`、`gateway`
-- `group:messaging`：`message`
-- `group:nodes`：`nodes`
-- `group:openclaw`：所有内置 OpenClaw 工具（不包含提供商插件）
-
-`tools.elevated` 控制提升（主机）执行访问：
-
-- `enabled`：允许提升模式（默认 true）
-- `allowFrom`：每渠道白名单（空 = 禁用）
-  - `whatsapp`：E.164 号码
-  - `telegram`：聊天 id 或用户名
-  - `discord`：用户 id 或用户名（省略时回退到 `channels.discord.dm.allowFrom`）
-  - `signal`：E.164 号码
-  - `imessage`：句柄/聊天 id
-  - `webchat`：会话 id 或用户名
-
-示例：
-
-```json5
-{
-  tools: {
-    elevated: {
-      enabled: true,
-      allowFrom: {
-        whatsapp: ["+15555550123"],
-        discord: ["steipete", "1234567890123"],
-      },
-    },
-  },
-}
-```
-
-每智能体覆盖（进一步限制）：
-
-```json5
-{
-  agents: {
-    list: [
-      {
-        id: "family",
-        tools: {
-          elevated: { enabled: false },
-        },
-      },
-    ],
-  },
-}
-```
-
-说明：
-
-- `tools.elevated` 是全局基线。`agents.list[].tools.elevated` 只能进一步限制（两者都必须允许）。
-- `/elevated on|off|ask|full` 按会话键存储状态；内联指令仅应用于单条消息。
-- 提升的 `exec` 在主机上运行并绕过沙箱。
-- 工具策略仍然适用；如果 `exec` 被拒绝，则无法使用提升。
-
-`agents.defaults.maxConcurrent` 设置跨会话可并行执行的内置智能体运行的最大数量。每个会话仍然是串行的（每个会话键同时只有一个运行）。默认：1。
-
-### `agents.defaults.sandbox`
-
-为内置智能体提供可选的 **Docker 沙箱**。适用于非主会话，使其无法访问你的主机系统。
-
-详情：[沙箱](/gateway/sandboxing)
-
-默认值（如果启用）：
-
-- scope：`"agent"`（每个智能体一个容器 + 工作区）
-- 基于 Debian bookworm-slim 的镜像
-- 智能体工作区访问：`workspaceAccess: "none"`（默认）
-  - `"none"`：在 `~/.openclaw/sandboxes` 下使用每范围的沙箱工作区
-- `"ro"`：将沙箱工作区保持在 `/workspace`，智能体工作区以只读方式挂载到 `/agent`（禁用 `write`/`edit`/`apply_patch`）
-  - `"rw"`：将智能体工作区以读写方式挂载到 `/workspace`
-- 自动清理：空闲超过 24h 或存在超过 7d
-- 工具策略：仅允许 `exec`、`process`、`read`、`write`、`edit`、`apply_patch`、`sessions_list`、`sessions_history`、`sessions_send`、`sessions_spawn`、`session_status`（deny 优先）
-  - 通过 `tools.sandbox.tools` 配置，通过 `agents.list[].tools.sandbox.tools` 进行每智能体覆盖
-  - 沙箱策略中支持工具组简写：`group:runtime`、`group:fs`、`group:sessions`、`group:memory`（参见[沙箱 vs 工具策略 vs 提升](/gateway/sandbox-vs-tool-policy-vs-elevated#tool-groups-shorthands)）
-- 可选的沙箱浏览器（Chromium + CDP，noVNC 观察器）
-- 加固旋钮：`network`、`user`、`pidsLimit`、`memory`、`cpus`、`ulimits`、`seccompProfile`、`apparmorProfile`
-
-警告：`scope: "shared"` 意味着共享容器和共享工作区。无跨会话隔离。使用 `scope: "session"` 获得每会话隔离。
-
-旧版：`perSession` 仍然支持（`true` → `scope: "session"`，`false` → `scope: "shared"`）。
-
-`setupCommand` 在容器创建后**运行一次**（在容器内通过 `sh -lc` 执行）。
-对于包安装，确保网络出口、可写根文件系统和 root 用户。
-
-```json5
-{
-  agents: {
-    defaults: {
-      sandbox: {
-        mode: "non-main", // off | non-main | all
-        scope: "agent", // session | agent | shared（agent 为默认）
-        workspaceAccess: "none", // none | ro | rw
-        workspaceRoot: "~/.openclaw/sandboxes",
-        docker: {
-          image: "openclaw-sandbox:bookworm-slim",
-          containerPrefix: "openclaw-sbx-",
-          workdir: "/workspace",
-          readOnlyRoot: true,
-          tmpfs: ["/tmp", "/var/tmp", "/run"],
-          network: "none",
-          user: "1000:1000",
-          capDrop: ["ALL"],
-          env: { LANG: "C.UTF-8" },
-          setupCommand: "apt-get update && apt-get install -y git curl jq",
-          // 每智能体覆盖（多智能体）：agents.list[].sandbox.docker.*
-          pidsLimit: 256,
-          memory: "1g",
-          memorySwap: "2g",
-          cpus: 1,
-          ulimits: {
-            nofile: { soft: 1024, hard: 2048 },
-            nproc: 256,
-          },
-          seccompProfile: "/path/to/seccomp.json",
-          apparmorProfile: "openclaw-sandbox",
-          dns: ["1.1.1.1", "8.8.8.8"],
-          extraHosts: ["internal.service:10.0.0.5"],
-          binds: ["/var/run/docker.sock:/var/run/docker.sock", "/home/user/source:/source:rw"],
-        },
-        browser: {
-          enabled: false,
-          image: "openclaw-sandbox-browser:bookworm-slim",
-          containerPrefix: "openclaw-sbx-browser-",
-          cdpPort: 9222,
-          vncPort: 5900,
-          noVncPort: 6080,
-          headless: false,
-          enableNoVnc: true,
-          allowHostControl: false,
-          allowedControlUrls: ["http://10.0.0.42:18791"],
-          allowedControlHosts: ["browser.lab.local", "10.0.0.42"],
-          allowedControlPorts: [18791],
-          autoStart: true,
-          autoStartTimeoutMs: 12000,
-        },
-        prune: {
-          idleHours: 24, // 0 禁用空闲清理
-          maxAgeDays: 7, // 0 禁用最大存活时间清理
-        },
-      },
-    },
-  },
-  tools: {
-    sandbox: {
-      tools: {
-        allow: [
-          "exec",
-          "process",
-          "read",
-          "write",
-          "edit",
-          "apply_patch",
-          "sessions_list",
-          "sessions_history",
-          "sessions_send",
-          "sessions_spawn",
-          "session_status",
-        ],
-        deny: ["browser", "canvas", "nodes", "cron", "discord", "gateway"],
-      },
-    },
-  },
-}
-```
-
-首次构建默认沙箱镜像：
-
-```bash
-scripts/sandbox-setup.sh
-```
-
-注意：沙箱容器默认为 `network: "none"`；如果智能体需要出站访问，请将 `agents.defaults.sandbox.docker.network` 设为 `"bridge"`（或你的自定义网络）。
-
-注意：入站附件会暂存到活跃工作区的 `media/inbound/*` 中。使用 `workspaceAccess: "rw"` 时，文件会写入智能体工作区。
-
-注意：`docker.binds` 挂载额外的主机目录；全局和每智能体的 binds 会合并。
-
-构建可选的浏览器镜像：
-
-```bash
-scripts/sandbox-browser-setup.sh
-```
-
-当 `agents.defaults.sandbox.browser.enabled=true` 时，浏览器工具使用沙箱化的
-Chromium 实例（CDP）。如果启用了 noVNC（headless=false 时默认启用），
-noVNC URL 会注入系统提示中，以便智能体可以引用它。
-这不需要主配置中的 `browser.enabled`；沙箱控制 URL 按会话注入。
-
-`agents.defaults.sandbox.browser.allowHostControl`（默认：false）允许
-沙箱会话通过浏览器工具显式访问**主机**浏览器控制服务器
-（`target: "host"`）。如果你需要严格的沙箱隔离，请保持关闭。
-
-远程控制白名单：
-
-- `allowedControlUrls`：`target: "custom"` 允许的精确控制 URL。
-- `allowedControlHosts`：允许的主机名（仅主机名，无端口）。
-- `allowedControlPorts`：允许的端口（默认：http=80，https=443）。
-  默认：所有白名单未设置（无限制）。`allowHostControl` 默认为 false。
-
-### `models`（自定义提供商 + 基础 URL）
-
-OpenClaw 使用 **pi-coding-agent** 模型目录。你可以通过编写
-`~/.openclaw/agents/<agentId>/agent/models.json` 或在 OpenClaw 配置中的 `models.providers` 下定义相同的 schema 来添加自定义提供商（LiteLLM、本地 OpenAI 兼容服务器、Anthropic 代理等）。
-按提供商的概述 + 示例：[/concepts/model-providers](/concepts/model-providers)。
-
-当存在 `models.providers` 时，OpenClaw 在启动时将 `models.json` 写入/合并到
-`~/.openclaw/agents/<agentId>/agent/`：
-
-- 默认行为：**合并**（保留现有提供商，按名称覆盖）
-- 设为 `models.mode: "replace"` 覆盖文件内容
-
-通过 `agents.defaults.model.primary`（provider/model）选择模型。
-
-```json5
-{
-  agents: {
-    defaults: {
-      model: { primary: "custom-proxy/llama-3.1-8b" },
-      models: {
-        "custom-proxy/llama-3.1-8b": {},
-      },
-    },
-  },
-  models: {
-    mode: "merge",
-    providers: {
-      "custom-proxy": {
-        baseUrl: "http://localhost:4000/v1",
-        apiKey: "LITELLM_KEY",
-        api: "openai-completions",
-        models: [
-          {
-            id: "llama-3.1-8b",
-            name: "Llama 3.1 8B",
-            reasoning: false,
-            input: ["text"],
-            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-            contextWindow: 128000,
-            maxTokens: 32000,
-          },
-        ],
-      },
-    },
-  },
-}
-```
-
-### OpenCode Zen（多模型代理）
-
-OpenCode Zen 是一个具有每模型端点的多模型网关。OpenClaw 使用
-pi-ai 内置的 `opencode` 提供商；从 https://opencode.ai/auth 设置 `OPENCODE_API_KEY`（或
-`OPENCODE_ZEN_API_KEY`）。
-
-说明：
-
-- 模型引用使用 `opencode/<modelId>`（示例：`opencode/claude-opus-4-5`）。
-- 如果你通过 `agents.defaults.models` 启用白名单，请添加你计划使用的每个模型。
-- 快捷方式：`openclaw onboard --auth-choice opencode-zen`。
-
-```json5
-{
-  agents: {
-    defaults: {
-      model: { primary: "opencode/claude-opus-4-5" },
-      models: { "opencode/claude-opus-4-5": { alias: "Opus" } },
-    },
-  },
-}
-```
-
-### Z.AI（GLM-4.7）— 提供商别名支持
-
-Z.AI 模型通过内置的 `zai` 提供商提供。在环境中设置 `ZAI_API_KEY`
-并通过 provider/model 引用模型。
-
-快捷方式：`openclaw onboard --auth-choice zai-api-key`。
-
-```json5
-{
-  agents: {
-    defaults: {
-      model: { primary: "zai/glm-4.7" },
-      models: { "zai/glm-4.7": {} },
-    },
-  },
-}
-```
-
-说明：
-
-- `z.ai/*` 和 `z-ai/*` 是接受的别名，规范化为 `zai/*`。
-- 如果缺少 `ZAI_API_KEY`，对 `zai/*` 的请求将在运行时因认证错误失败。
-- 示例错误：`No API key found for provider "zai".`
-- Z.AI 的通用 API 端点是 `https://api.z.ai/api/paas/v4`。GLM 编码
-  请求使用专用编码端点 `https://api.z.ai/api/coding/paas/v4`。
-  内置的 `zai` 提供商使用编码端点。如果你需要通用
-  端点，请在 `models.providers` 中定义自定义提供商并覆盖基础 URL
-  （参见上方自定义提供商部分）。
-- 在文档/配置中使用假占位符；切勿提交真实 API 密钥。
-
-### Moonshot AI（Kimi）
-
-使用 Moonshot 的 OpenAI 兼容端点：
-
-```json5
-{
-  env: { MOONSHOT_API_KEY: "sk-..." },
-  agents: {
-    defaults: {
-      model: { primary: "moonshot/kimi-k2.5" },
-      models: { "moonshot/kimi-k2.5": { alias: "Kimi K2.5" } },
-    },
-  },
-  models: {
-    mode: "merge",
-    providers: {
-      moonshot: {
-        baseUrl: "https://api.moonshot.ai/v1",
-        apiKey: "${MOONSHOT_API_KEY}",
-        api: "openai-completions",
-        models: [
-          {
-            id: "kimi-k2.5",
-            name: "Kimi K2.5",
-            reasoning: false,
-            input: ["text"],
-            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-            contextWindow: 256000,
-            maxTokens: 8192,
-          },
-        ],
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- 在环境中设置 `MOONSHOT_API_KEY` 或使用 `openclaw onboard --auth-choice moonshot-api-key`。
-- 模型引用：`moonshot/kimi-k2.5`。
-- 如需中国端点，使用 `https://api.moonshot.cn/v1`。
-
-### Kimi Coding
-
-使用 Moonshot AI 的 Kimi Coding 端点（Anthropic 兼容，内置提供商）：
-
-```json5
-{
-  env: { KIMI_API_KEY: "sk-..." },
-  agents: {
-    defaults: {
-      model: { primary: "kimi-coding/k2p5" },
-      models: { "kimi-coding/k2p5": { alias: "Kimi K2.5" } },
-    },
-  },
-}
-```
-
-说明：
-
-- 在环境中设置 `KIMI_API_KEY` 或使用 `openclaw onboard --auth-choice kimi-code-api-key`。
-- 模型引用：`kimi-coding/k2p5`。
-
-### Synthetic（Anthropic 兼容）
-
-使用 Synthetic 的 Anthropic 兼容端点：
-
-```json5
-{
-  env: { SYNTHETIC_API_KEY: "sk-..." },
-  agents: {
-    defaults: {
-      model: { primary: "synthetic/hf:MiniMaxAI/MiniMax-M2.1" },
-      models: { "synthetic/hf:MiniMaxAI/MiniMax-M2.1": { alias: "MiniMax M2.1" } },
-    },
-  },
-  models: {
-    mode: "merge",
-    providers: {
-      synthetic: {
-        baseUrl: "https://api.synthetic.new/anthropic",
-        apiKey: "${SYNTHETIC_API_KEY}",
-        api: "anthropic-messages",
-        models: [
-          {
-            id: "hf:MiniMaxAI/MiniMax-M2.1",
-            name: "MiniMax M2.1",
-            reasoning: false,
-            input: ["text"],
-            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-            contextWindow: 192000,
-            maxTokens: 65536,
-          },
-        ],
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- 设置 `SYNTHETIC_API_KEY` 或使用 `openclaw onboard --auth-choice synthetic-api-key`。
-- 模型引用：`synthetic/hf:MiniMaxAI/MiniMax-M2.1`。
-- 基础 URL 应省略 `/v1`，因为 Anthropic 客户端会自动附加。
-
-### 本地模型（LM Studio）— 推荐设置
-
-参见 [/gateway/local-models](/gateway/local-models) 了解当前本地指南。简而言之：在高性能硬件上通过 LM Studio Responses API 运行 MiniMax M2.1；保留托管模型合并作为回退。
-
-### MiniMax M2.1
-
-不通过 LM Studio 直接使用 MiniMax M2.1：
-
-```json5
-{
-  agent: {
-    model: { primary: "minimax/MiniMax-M2.1" },
-    models: {
-      "anthropic/claude-opus-4-5": { alias: "Opus" },
-      "minimax/MiniMax-M2.1": { alias: "Minimax" },
-    },
-  },
-  models: {
-    mode: "merge",
-    providers: {
-      minimax: {
-        baseUrl: "https://api.minimax.io/anthropic",
-        apiKey: "${MINIMAX_API_KEY}",
-        api: "anthropic-messages",
-        models: [
-          {
-            id: "MiniMax-M2.1",
-            name: "MiniMax M2.1",
-            reasoning: false,
-            input: ["text"],
-            // 定价：如需精确费用跟踪，请在 models.json 中更新。
-            cost: { input: 15, output: 60, cacheRead: 2, cacheWrite: 10 },
-            contextWindow: 200000,
-            maxTokens: 8192,
-          },
-        ],
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- 设置 `MINIMAX_API_KEY` 环境变量或使用 `openclaw onboard --auth-choice minimax-api`。
-- 可用模型：`MiniMax-M2.1`（默认）。
-- 如需精确费用跟踪，请在 `models.json` 中更新定价。
-
-### Cerebras（GLM 4.6 / 4.7）
-
-通过 Cerebras 的 OpenAI 兼容端点使用：
-
-```json5
-{
-  env: { CEREBRAS_API_KEY: "sk-..." },
-  agents: {
-    defaults: {
-      model: {
-        primary: "cerebras/zai-glm-4.7",
-        fallbacks: ["cerebras/zai-glm-4.6"],
-      },
-      models: {
-        "cerebras/zai-glm-4.7": { alias: "GLM 4.7 (Cerebras)" },
-        "cerebras/zai-glm-4.6": { alias: "GLM 4.6 (Cerebras)" },
-      },
-    },
-  },
-  models: {
-    mode: "merge",
-    providers: {
-      cerebras: {
-        baseUrl: "https://api.cerebras.ai/v1",
-        apiKey: "${CEREBRAS_API_KEY}",
-        api: "openai-completions",
-        models: [
-          { id: "zai-glm-4.7", name: "GLM 4.7 (Cerebras)" },
-          { id: "zai-glm-4.6", name: "GLM 4.6 (Cerebras)" },
-        ],
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- Cerebras 使用 `cerebras/zai-glm-4.7`；Z.AI 直连使用 `zai/glm-4.7`。
-- 在环境或配置中设置 `CEREBRAS_API_KEY`。
-
-说明：
-
-- 支持的 API：`openai-completions`、`openai-responses`、`anthropic-messages`、
-  `google-generative-ai`
-- 对于自定义认证需求使用 `authHeader: true` + `headers`。
-- 如果你希望 `models.json` 存储在其他位置，请使用 `OPENCLAW_AGENT_DIR`（或 `PI_CODING_AGENT_DIR`）覆盖智能体配置根目录（默认：`~/.openclaw/agents/main/agent`）。
-
-### `session`
-
-控制会话作用域、重置策略、重置触发器以及会话存储的写入位置。
-
-```json5
-{
-  session: {
-    scope: "per-sender",
-    dmScope: "main",
-    identityLinks: {
-      alice: ["telegram:123456789", "discord:987654321012345678"],
-    },
-    reset: {
-      mode: "daily",
-      atHour: 4,
-      idleMinutes: 60,
-    },
-    resetByType: {
-      thread: { mode: "daily", atHour: 4 },
-      dm: { mode: "idle", idleMinutes: 240 },
-      group: { mode: "idle", idleMinutes: 120 },
-    },
-    resetTriggers: ["/new", "/reset"],
-    // 默认已按智能体存储在 ~/.openclaw/agents/<agentId>/sessions/sessions.json
-    // 你可以使用 {agentId} 模板进行覆盖：
-    store: "~/.openclaw/agents/{agentId}/sessions/sessions.json",
-    // 私聊折叠到 agent:<agentId>:<mainKey>（默认："main"）。
-    mainKey: "main",
-    agentToAgent: {
-      // 请求者/目标之间的最大乒乓回复轮次（0–5）。
-      maxPingPongTurns: 5,
-    },
-    sendPolicy: {
-      rules: [{ action: "deny", match: { channel: "discord", chatType: "group" } }],
-      default: "allow",
-    },
-  },
-}
-```
-
-字段：
-
-- `mainKey`：私聊桶键（默认：`"main"`）。当你想"重命名"主私聊线程而不更改 `agentId` 时有用。
-  - 沙箱说明：`agents.defaults.sandbox.mode: "non-main"` 使用此键检测主会话。任何不匹配 `mainKey` 的会话键（群组/频道）都会被沙箱化。
-- `dmScope`：私聊会话如何分组（默认：`"main"`）。
-  - `main`：所有私聊共享主会话以保持连续性。
-  - `per-peer`：按发送者 id 跨渠道隔离私聊。
-  - `per-channel-peer`：按渠道 + 发送者隔离私聊（推荐用于多用户收件箱）。
-  - `per-account-channel-peer`：按账号 + 渠道 + 发送者隔离私聊（推荐用于多账号收件箱）。
-- `identityLinks`：将规范 id 映射到提供商前缀的对等方，以便在使用 `per-peer`、`per-channel-peer` 或 `per-account-channel-peer` 时同一人跨渠道共享私聊会话。
-  - 示例：`alice: ["telegram:123456789", "discord:987654321012345678"]`。
-- `reset`：主重置策略。默认为 Gateway 网关主机上本地时间凌晨 4:00 每日重置。
-  - `mode`：`daily` 或 `idle`（当存在 `reset` 时默认：`daily`）。
-  - `atHour`：本地小时（0-23）作为每日重置边界。
-  - `idleMinutes`：滑动空闲窗口（分钟）。当 daily + idle 都配置时，先到期的获胜。
-- `resetByType`：`dm`、`group` 和 `thread` 的每会话覆盖。
-  - 如果你只设置了旧版 `session.idleMinutes` 而没有任何 `reset`/`resetByType`，OpenClaw 保持仅空闲模式以向后兼容。
-- `heartbeatIdleMinutes`：可选的心跳检查空闲覆盖（启用时每日重置仍然适用）。
-- `agentToAgent.maxPingPongTurns`：请求者/目标之间的最大回复轮次（0–5，默认 5）。
-- `sendPolicy.default`：无规则匹配时的 `allow` 或 `deny` 回退。
-- `sendPolicy.rules[]`：按 `channel`、`chatType`（`direct|group|room`）或 `keyPrefix`（例如 `cron:`）匹配。第一个 deny 获胜；否则 allow。
-
-### `skills`（Skills 配置）
-
-控制内置白名单、安装偏好、额外 Skills 文件夹和每 Skills 覆盖。适用于**内置**Skills 和 `~/.openclaw/skills`（工作区 Skills 在名称冲突时仍然优先）。
-
-字段：
-
-- `allowBundled`：可选的**仅内置**Skills 白名单。如果设置，仅那些内置 Skills 符合条件（管理/工作区 Skills 不受影响）。
-- `load.extraDirs`：额外要扫描的 Skills 目录（最低优先级）。
-- `install.preferBrew`：可用时优先使用 brew 安装程序（默认：true）。
-- `install.nodeManager`：node 安装偏好（`npm` | `pnpm` | `yarn`，默认：npm）。
-- `entries.<skillKey>`：每 Skills 配置覆盖。
-
-每 Skills 字段：
-
-- `enabled`：设为 `false` 禁用 Skills，即使它是内置/已安装的。
-- `env`：为智能体运行注入的环境变量（仅在尚未设置时）。
-- `apiKey`：对于声明了主环境变量的 Skills 的可选便利字段（例如 `nano-banana-pro` → `GEMINI_API_KEY`）。
-
-示例：
-
-```json5
-{
   skills: {
-    allowBundled: ["gemini", "peekaboo"],
-    load: {
-      extraDirs: ["~/Projects/agent-scripts/skills", "~/Projects/oss/some-skill-pack/skills"],
-    },
-    install: {
-      preferBrew: true,
-      nodeManager: "npm",
-    },
     entries: {
       "nano-banana-pro": {
-        apiKey: "GEMINI_KEY_HERE",
-        env: {
-          GEMINI_API_KEY: "GEMINI_KEY_HERE",
-        },
-      },
-      peekaboo: { enabled: true },
-      sag: { enabled: false },
-    },
-  },
-}
-```
-
-### `plugins`（扩展）
-
-控制插件发现、允许/拒绝和每插件配置。插件从 `~/.openclaw/extensions`、`<workspace>/.openclaw/extensions` 以及任何 `plugins.load.paths` 条目加载。**配置更改需要重启 Gateway 网关。**
-参见 [/plugin](/tools/plugin) 了解详情。
-
-字段：
-
-- `enabled`：插件加载的主开关（默认：true）。
-- `allow`：可选的插件 id 白名单；设置后仅加载列出的插件。
-- `deny`：可选的插件 id 拒绝列表（deny 优先）。
-- `load.paths`：要加载的额外插件文件或目录（绝对路径或 `~`）。
-- `entries.<pluginId>`：每插件覆盖。
-  - `enabled`：设为 `false` 禁用。
-  - `config`：插件特定的配置对象（如果提供，由插件验证）。
-
-示例：
-
-```json5
-{
-  plugins: {
-    enabled: true,
-    allow: ["voice-call"],
-    load: {
-      paths: ["~/Projects/oss/voice-call-extension"],
-    },
-    entries: {
-      "voice-call": {
-        enabled: true,
-        config: {
-          provider: "twilio",
+        apiKey: {
+          source: "file",
+          provider: "filemain",
+          id: "/skills/entries/nano-banana-pro/apiKey",
         },
       },
     },
   },
-}
-```
-
-### `browser`（OpenClaw 管理的浏览器）
-
-OpenClaw 可以为 OpenClaw 启动一个**专用、隔离的** Chrome/Brave/Edge/Chromium 实例并暴露一个小型 local loopback 控制服务。
-配置文件可以通过 `profiles.<name>.cdpUrl` 指向**远程** Chromium 浏览器。远程配置文件为仅附加模式（start/stop/reset 被禁用）。
-
-`browser.cdpUrl` 保留用于旧版单配置文件配置，以及作为仅设置 `cdpPort` 的配置文件的基础 scheme/host。
-
-默认值：
-
-- enabled：`true`
-- evaluateEnabled：`true`（设为 `false` 禁用 `act:evaluate` 和 `wait --fn`）
-- 控制服务：仅 local loopback（端口从 `gateway.port` 派生，默认 `18791`）
-- CDP URL：`http://127.0.0.1:18792`（控制服务 + 1，旧版单配置文件）
-- 配置文件颜色：`#FF4500`（龙虾橙）
-- 注意：控制服务器由运行中的 Gateway 网关（OpenClaw.app 菜单栏或 `openclaw gateway`）启动。
-- 自动检测顺序：如果为 Chromium 内核则使用默认浏览器；否则 Chrome → Brave → Edge → Chromium → Chrome Canary。
-
-```json5
-{
-  browser: {
-    enabled: true,
-    evaluateEnabled: true,
-    // cdpUrl: "http://127.0.0.1:18792", // 旧版单配置文件覆盖
-    defaultProfile: "chrome",
-    profiles: {
-      openclaw: { cdpPort: 18800, color: "#FF4500" },
-      work: { cdpPort: 18801, color: "#0066CC" },
-      remote: { cdpUrl: "http://10.0.0.42:9222", color: "#00AA00" },
-    },
-    color: "#FF4500",
-    // 高级：
-    // headless: false,
-    // noSandbox: false,
-    // executablePath: "/Applications/Brave Browser.app/Contents/MacOS/Brave Browser",
-    // attachOnly: false, // 将远程 CDP 隧道到 localhost 时设为 true
-  },
-}
-```
-
-### `ui`（外观）
-
-原生应用用于 UI 外观的可选强调色（例如 Talk 模式气泡着色）。
-
-如果未设置，客户端回退到柔和的浅蓝色。
-
-```json5
-{
-  ui: {
-    seamColor: "#FF4500", // 十六进制（RRGGBB 或 #RRGGBB）
-    // 可选：控制台 UI 助手身份覆盖。
-    // 如果未设置，控制台 UI 使用活跃智能体的身份（配置或 IDENTITY.md）。
-    assistant: {
-      name: "OpenClaw",
-      avatar: "CB", // 表情、短文本，或图片 URL/data URI
-    },
-  },
-}
-```
-
-### `gateway`（Gateway 网关服务器模式 + 绑定）
-
-使用 `gateway.mode` 明确声明此机器是否应运行 Gateway 网关。
-
-默认值：
-
-- mode：**未设置**（视为"不自动启动"）
-- bind：`loopback`
-- port：`18789`（WS + HTTP 单端口）
-
-```json5
-{
-  gateway: {
-    mode: "local", // 或 "remote"
-    port: 18789, // WS + HTTP 多路复用
-    bind: "loopback",
-    // controlUi: { enabled: true, basePath: "/openclaw" }
-    // auth: { mode: "token", token: "your-token" } // token 控制 WS + 控制台 UI 访问
-    // tailscale: { mode: "off" | "serve" | "funnel" }
-  },
-}
-```
-
-控制台 UI 基础路径：
-
-- `gateway.controlUi.basePath` 设置控制台 UI 提供服务的 URL 前缀。
-- 示例：`"/ui"`、`"/openclaw"`、`"/apps/openclaw"`。
-- 默认：根路径（`/`）（不变）。
-- `gateway.controlUi.root` 设置控制台 UI 资产的文件系统根目录（默认：`dist/control-ui`）。
-- `gateway.controlUi.allowInsecureAuth` 允许在省略设备身份时对控制台 UI 进行仅 token 认证（通常通过 HTTP）。默认：`false`。建议使用 HTTPS（Tailscale Serve）或 `127.0.0.1`。
-- `gateway.controlUi.dangerouslyDisableDeviceAuth` 禁用控制台 UI 的设备身份检查（仅 token/密码）。默认：`false`。仅用于紧急情况。
-
-相关文档：
-
-- [控制台 UI](/web/control-ui)
-- [Web 概述](/web)
-- [Tailscale](/gateway/tailscale)
-- [远程访问](/gateway/remote)
-
-信任的代理：
-
-- `gateway.trustedProxies`：在 Gateway 网关前面终止 TLS 的反向代理 IP 列表。
-- 当连接来自这些 IP 之一时，OpenClaw 使用 `x-forwarded-for`（或 `x-real-ip`）来确定客户端 IP，用于本地配对检查和 HTTP 认证/本地检查。
-- 仅列出你完全控制的代理，并确保它们**覆盖**传入的 `x-forwarded-for`。
-
-说明：
-
-- `openclaw gateway` 拒绝启动，除非 `gateway.mode` 设为 `local`（或你传递了覆盖标志）。
-- `gateway.port` 控制用于 WebSocket + HTTP（控制台 UI、hooks、A2UI）的单一多路复用端口。
-- OpenAI Chat Completions 端点：**默认禁用**；通过 `gateway.http.endpoints.chatCompletions.enabled: true` 启用。
-- 优先级：`--port` > `OPENCLAW_GATEWAY_PORT` > `gateway.port` > 默认 `18789`。
-- 默认需要 Gateway 网关认证（token/密码或 Tailscale Serve 身份）。非 local loopback 绑定需要共享 token/密码。
-- 新手引导向导默认生成 gateway token（即使在 local loopback 上）。
-- `gateway.remote.token` **仅**用于远程 CLI 调用；它不启用本地 gateway 认证。`gateway.token` 被忽略。
-
-认证和 Tailscale：
-
-- `gateway.auth.mode` 设置握手要求（`token` 或 `password`）。未设置时，假定 token 认证。
-- `gateway.auth.token` 存储 token 认证的共享 token（同一机器上的 CLI 使用）。
-- 当设置了 `gateway.auth.mode` 时，仅接受该方法（加上可选的 Tailscale 头部）。
-- `gateway.auth.password` 可在此设置，或通过 `OPENCLAW_GATEWAY_PASSWORD`（推荐）。
-- `gateway.auth.allowTailscale` 允许 Tailscale Serve 身份头部
-  （`tailscale-user-login`）在请求通过 local loopback 到达且带有 `x-forwarded-for`、
-  `x-forwarded-proto` 和 `x-forwarded-host` 时满足认证。OpenClaw 在接受之前
-  通过 `tailscale whois` 解析 `x-forwarded-for` 地址来验证身份。为 `true` 时，
-  Serve 请求不需要 token/密码；设为 `false` 要求显式凭据。当
-  `tailscale.mode = "serve"` 且认证模式不是 `password` 时默认为 `true`。
-- `gateway.tailscale.mode: "serve"` 使用 Tailscale Serve（仅 tailnet，local loopback 绑定）。
-- `gateway.tailscale.mode: "funnel"` 公开暴露仪表板；需要认证。
-- `gateway.tailscale.resetOnExit` 在关闭时重置 Serve/Funnel 配置。
-
-远程客户端默认值（CLI）：
-
-- `gateway.remote.url` 设置 `gateway.mode = "remote"` 时 CLI 调用的默认 Gateway 网关 WebSocket URL。
-- `gateway.remote.transport` 选择 macOS 远程传输（`ssh` 默认，`direct` 用于 ws/wss）。使用 `direct` 时，`gateway.remote.url` 必须为 `ws://` 或 `wss://`。`ws://host` 默认端口 `18789`。
-- `gateway.remote.token` 提供远程调用的 token（不需要认证时留空）。
-- `gateway.remote.password` 提供远程调用的密码（不需要认证时留空）。
-
-macOS 应用行为：
-
-- OpenClaw.app 监视 `~/.openclaw/openclaw.json`，当 `gateway.mode` 或 `gateway.remote.url` 变更时实时切换模式。
-- 如果 `gateway.mode` 未设置但 `gateway.remote.url` 已设置，macOS 应用将其视为远程模式。
-- 当你在 macOS 应用中更改连接模式时，它会将 `gateway.mode`（以及远程模式下的 `gateway.remote.url` + `gateway.remote.transport`）写回配置文件。
-
-```json5
-{
-  gateway: {
-    mode: "remote",
-    remote: {
-      url: "ws://gateway.tailnet:18789",
-      token: "your-token",
-      password: "your-password",
-    },
-  },
-}
-```
-
-直连传输示例（macOS 应用）：
-
-```json5
-{
-  gateway: {
-    mode: "remote",
-    remote: {
-      transport: "direct",
-      url: "wss://gateway.example.ts.net",
-      token: "your-token",
-    },
-  },
-}
-```
-
-### `gateway.reload`（配置热重载）
-
-Gateway 网关监视 `~/.openclaw/openclaw.json`（或 `OPENCLAW_CONFIG_PATH`）并自动应用更改。
-
-模式：
-
-- `hybrid`（默认）：安全更改热应用；关键更改重启 Gateway 网关。
-- `hot`：仅应用热安全更改；需要重启时记录日志。
-- `restart`：任何配置更改都重启 Gateway 网关。
-- `off`：禁用热重载。
-
-```json5
-{
-  gateway: {
-    reload: {
-      mode: "hybrid",
-      debounceMs: 300,
-    },
-  },
-}
-```
-
-#### 热重载矩阵（文件 + 影响）
-
-监视的文件：
-
-- `~/.openclaw/openclaw.json`（或 `OPENCLAW_CONFIG_PATH`）
-
-热应用（无需完全重启 Gateway 网关）：
-
-- `hooks`（webhook 认证/路径/映射）+ `hooks.gmail`（Gmail 监视器重启）
-- `browser`（浏览器控制服务器重启）
-- `cron`（cron 服务重启 + 并发更新）
-- `agents.defaults.heartbeat`（心跳运行器重启）
-- `web`（WhatsApp Web 渠道重启）
-- `telegram`、`discord`、`signal`、`imessage`（渠道重启）
-- `agent`、`models`、`routing`、`messages`、`session`、`whatsapp`、`logging`、`skills`、`ui`、`talk`、`identity`、`wizard`（动态读取）
-
-需要完全重启 Gateway 网关：
-
-- `gateway`（端口/绑定/认证/控制台 UI/tailscale）
-- `bridge`（旧版）
-- `discovery`
-- `canvasHost`
-- `plugins`
-- 任何未知/不支持的配置路径（为安全默认重启）
-
-### 多实例隔离
-
-要在一台主机上运行多个 Gateway 网关（用于冗余或救援机器人），请隔离每个实例的状态 + 配置并使用唯一端口：
-
-- `OPENCLAW_CONFIG_PATH`（每实例配置）
-- `OPENCLAW_STATE_DIR`（会话/凭据）
-- `agents.defaults.workspace`（记忆）
-- `gateway.port`（每实例唯一）
-
-便利标志（CLI）：
-
-- `openclaw --dev …` → 使用 `~/.openclaw-dev` + 端口从基础 `19001` 偏移
-- `openclaw --profile <name> …` → 使用 `~/.openclaw-<name>`（端口通过配置/环境变量/标志）
-
-参见 [Gateway 网关运维手册](/gateway) 了解派生的端口映射（gateway/browser/canvas）。
-参见[多 Gateway 网关](/gateway/multiple-gateways) 了解浏览器/CDP 端口隔离细节。
-
-示例：
-
-```bash
-OPENCLAW_CONFIG_PATH=~/.openclaw/a.json \
-OPENCLAW_STATE_DIR=~/.openclaw-a \
-openclaw gateway --port 19001
-```
-
-### `hooks`（Gateway 网关 webhook）
-
-在 Gateway 网关 HTTP 服务器上启用简单的 HTTP webhook 端点。
-
-默认值：
-
-- enabled：`false`
-- path：`/hooks`
-- maxBodyBytes：`262144`（256 KB）
-
-```json5
-{
-  hooks: {
-    enabled: true,
-    token: "shared-secret",
-    path: "/hooks",
-    presets: ["gmail"],
-    transformsDir: "~/.openclaw/hooks",
-    mappings: [
-      {
-        match: { path: "gmail" },
-        action: "agent",
-        wakeMode: "now",
-        name: "Gmail",
-        sessionKey: "hook:gmail:{{messages[0].id}}",
-        messageTemplate: "From: {{messages[0].from}}\nSubject: {{messages[0].subject}}\n{{messages[0].snippet}}",
-        deliver: true,
-        channel: "last",
-        model: "openai/gpt-5.2-mini",
+  channels: {
+    googlechat: {
+      serviceAccountRef: {
+        source: "exec",
+        provider: "vault",
+        id: "channels/googlechat/serviceAccount",
       },
-    ],
-  },
-}
-```
-
-请求必须包含 hook token：
-
-- `Authorization: Bearer <token>` **或**
-- `x-openclaw-token: <token>` **或**
-- `?token=<token>`
-
-端点：
-
-- `POST /hooks/wake` → `{ text, mode?: "now"|"next-heartbeat" }`
-- `POST /hooks/agent` → `{ message, name?, sessionKey?, wakeMode?, deliver?, channel?, to?, model?, thinking?, timeoutSeconds? }`
-- `POST /hooks/<name>` → 通过 `hooks.mappings` 解析
-
-`/hooks/agent` 始终将摘要发布到主会话（并可通过 `wakeMode: "now"` 可选地触发即时心跳）。
-
-映射说明：
-
-- `match.path` 匹配 `/hooks` 之后的子路径（例如 `/hooks/gmail` → `gmail`）。
-- `match.source` 匹配负载字段（例如 `{ source: "gmail" }`），以便使用通用的 `/hooks/ingest` 路径。
-- `{{messages[0].subject}}` 等模板从负载中读取。
-- `transform` 可以指向返回 hook 动作的 JS/TS 模块。
-- `deliver: true` 将最终回复发送到渠道；`channel` 默认为 `last`（回退到 WhatsApp）。
-- 如果没有先前的投递路由，请显式设置 `channel` + `to`（Telegram/Discord/Google Chat/Slack/Signal/iMessage/MS Teams 必需）。
-- `model` 覆盖此 hook 运行的 LLM（`provider/model` 或别名；如果设置了 `agents.defaults.models` 则必须被允许）。
-
-Gmail 辅助配置（由 `openclaw webhooks gmail setup` / `run` 使用）：
-
-```json5
-{
-  hooks: {
-    gmail: {
-      account: "openclaw@gmail.com",
-      topic: "projects/<project-id>/topics/gog-gmail-watch",
-      subscription: "gog-gmail-watch-push",
-      pushToken: "shared-push-token",
-      hookUrl: "http://127.0.0.1:18789/hooks/gmail",
-      includeBody: true,
-      maxBytes: 20000,
-      renewEveryMinutes: 720,
-      serve: { bind: "127.0.0.1", port: 8788, path: "/" },
-      tailscale: { mode: "funnel", path: "/gmail-pubsub" },
-
-      // 可选：为 Gmail hook 处理使用更便宜的模型
-      // 在认证/速率限制/超时时回退到 agents.defaults.model.fallbacks，然后 primary
-      model: "openrouter/meta-llama/llama-3.3-70b-instruct:free",
-      // 可选：Gmail hook 的默认思考级别
-      thinking: "off",
     },
   },
 }
 ```
 
-Gmail hook 的模型覆盖：
+SecretRef 详情（包括 `env`/`file`/`exec` 的 `secrets.providers`）请参阅 [Secrets Management](/gateway/secrets)。
+支持的凭证路径列在 [SecretRef Credential Surface](/reference/secretref-credential-surface) 中。
+</Accordion>
 
-- `hooks.gmail.model` 指定用于 Gmail hook 处理的模型（默认为会话主模型）。
-- 接受 `provider/model` 引用或来自 `agents.defaults.models` 的别名。
-- 在认证/速率限制/超时时回退到 `agents.defaults.model.fallbacks`，然后 `agents.defaults.model.primary`。
-- 如果设置了 `agents.defaults.models`，请将 hooks 模型包含在白名单中。
-- 启动时，如果配置的模型不在模型目录或白名单中，会发出警告。
-- `hooks.gmail.thinking` 设置 Gmail hook 的默认思考级别，被每 hook 的 `thinking` 覆盖。
+有关完整优先级和来源，请参阅 [Environment](/help/environment)。
 
-Gateway 网关自动启动：
+## 完整参考
 
-- 如果 `hooks.enabled=true` 且 `hooks.gmail.account` 已设置，Gateway 网关在启动时
-  启动 `gog gmail watch serve` 并自动续期监视。
-- 设置 `OPENCLAW_SKIP_GMAIL_WATCHER=1` 禁用自动启动（用于手动运行）。
-- 避免在 Gateway 网关旁边单独运行 `gog gmail watch serve`；它会
-  因 `listen tcp 127.0.0.1:8788: bind: address already in use` 而失败。
-
-注意：当 `tailscale.mode` 开启时，OpenClaw 将 `serve.path` 默认为 `/`，以便
-Tailscale 可以正确代理 `/gmail-pubsub`（它会去除设置的路径前缀）。
-如果你需要后端接收带前缀的路径，请将
-`hooks.gmail.tailscale.target` 设为完整 URL（并对齐 `serve.path`）。
-
-### `canvasHost`（LAN/tailnet Canvas 文件服务器 + 实时重载）
-
-Gateway 网关通过 HTTP 提供 HTML/CSS/JS 目录服务，以便 iOS/Android 节点可以简单地 `canvas.navigate` 到它。
-
-默认根目录：`~/.openclaw/workspace/canvas`
-默认端口：`18793`（选择此端口以避免 OpenClaw 浏览器 CDP 端口 `18792`）
-服务器监听 **Gateway 网关绑定主机**（LAN 或 Tailnet），以便节点可以访问。
-
-服务器：
-
-- 提供 `canvasHost.root` 下的文件
-- 向提供的 HTML 注入微型实时重载客户端
-- 监视目录并通过 `/__openclaw__/ws` 的 WebSocket 端点广播重载
-- 目录为空时自动创建起始 `index.html`（以便你立即看到内容）
-- 同时在 `/__openclaw__/a2ui/` 提供 A2UI，并作为 `canvasHostUrl` 通告给节点
-  （节点始终使用它来访问 Canvas/A2UI）
-
-如果目录很大或遇到 `EMFILE`，请禁用实时重载（和文件监视）：
-
-- 配置：`canvasHost: { liveReload: false }`
-
-```json5
-{
-  canvasHost: {
-    root: "~/.openclaw/workspace/canvas",
-    port: 18793,
-    liveReload: true,
-  },
-}
-```
-
-`canvasHost.*` 的更改需要重启 Gateway 网关（配置重载会触发重启）。
-
-禁用方式：
-
-- 配置：`canvasHost: { enabled: false }`
-- 环境变量：`OPENCLAW_SKIP_CANVAS_HOST=1`
-
-### `bridge`（旧版 TCP 桥接，已移除）
-
-当前版本不再包含 TCP 桥接监听器；`bridge.*` 配置键会被忽略。
-节点通过 Gateway 网关 WebSocket 连接。此部分仅保留供历史参考。
-
-旧版行为：
-
-- Gateway 网关可以为节点（iOS/Android）暴露简单的 TCP 桥接，通常在端口 `18790`。
-
-默认值：
-
-- enabled：`true`
-- port：`18790`
-- bind：`lan`（绑定到 `0.0.0.0`）
-
-绑定模式：
-
-- `lan`：`0.0.0.0`（可通过任何接口访问，包括 LAN/Wi‑Fi 和 Tailscale）
-- `tailnet`：仅绑定到机器的 Tailscale IP（推荐用于跨地域访问）
-- `loopback`：`127.0.0.1`（仅本地）
-- `auto`：如果存在 tailnet IP 则优先使用，否则 `lan`
-
-TLS：
-
-- `bridge.tls.enabled`：为桥接连接启用 TLS（启用时仅 TLS）。
-- `bridge.tls.autoGenerate`：当无证书/密钥时生成自签名证书（默认：true）。
-- `bridge.tls.certPath` / `bridge.tls.keyPath`：桥接证书 + 私钥的 PEM 路径。
-- `bridge.tls.caPath`：可选的 PEM CA 捆绑包（自定义根证书或未来的 mTLS）。
-
-启用 TLS 后，Gateway 网关在发现 TXT 记录中通告 `bridgeTls=1` 和 `bridgeTlsSha256`，以便节点可以固定证书。如果尚未存储指纹，手动连接使用首次信任。
-自动生成的证书需要 PATH 中有 `openssl`；如果生成失败，桥接不会启动。
-
-```json5
-{
-  bridge: {
-    enabled: true,
-    port: 18790,
-    bind: "tailnet",
-    tls: {
-      enabled: true,
-      // 省略时使用 ~/.openclaw/bridge/tls/bridge-{cert,key}.pem。
-      // certPath: "~/.openclaw/bridge/tls/bridge-cert.pem",
-      // keyPath: "~/.openclaw/bridge/tls/bridge-key.pem"
-    },
-  },
-}
-```
-
-### `discovery.mdns`（Bonjour / mDNS 广播模式）
-
-控制 LAN mDNS 发现广播（`_openclaw-gw._tcp`）。
-
-- `minimal`（默认）：从 TXT 记录中省略 `cliPath` + `sshPort`
-- `full`：在 TXT 记录中包含 `cliPath` + `sshPort`
-- `off`：完全禁用 mDNS 广播
-- 主机名：默认为 `openclaw`（通告 `openclaw.local`）。通过 `OPENCLAW_MDNS_HOSTNAME` 覆盖。
-
-```json5
-{
-  discovery: { mdns: { mode: "minimal" } },
-}
-```
-
-### `discovery.wideArea`（广域 Bonjour / 单播 DNS‑SD）
-
-启用后，Gateway 网关在 `~/.openclaw/dns/` 下使用配置的发现域（示例：`openclaw.internal.`）为 `_openclaw-gw._tcp` 写入单播 DNS-SD 区域。
-
-要使 iOS/Android 跨网络发现（跨地域访问），请配合以下使用：
-
-- 在 Gateway 网关主机上运行 DNS 服务器，为你选择的域名提供服务（推荐 CoreDNS）
-- Tailscale **split DNS**，使客户端通过 Gateway 网关 DNS 服务器解析该域名
-
-一次性设置助手（Gateway 网关主机）：
-
-```bash
-openclaw dns setup --apply
-```
-
-```json5
-{
-  discovery: { wideArea: { enabled: true } },
-}
-```
-
-## 模板变量
-
-模板占位符在 `tools.media.*.models[].args` 和 `tools.media.models[].args`（以及未来任何模板化参数字段）中展开。
-
-| 变量               | 描述                                                  |
-| ------------------ | ----------------------------------------------------- | -------- | ------- | ---------- | ----- | ------ | -------- | ------- | ------- | --- |
-| `{{Body}}`         | 完整的入站消息正文                                    |
-| `{{RawBody}}`      | 原始入站消息正文（无历史/发送者包装；最适合命令解析） |
-| `{{BodyStripped}}` | 去除群组提及的正文（最适合智能体的默认值）            |
-| `{{From}}`         | 发送者标识符（WhatsApp 为 E.164；按渠道可能不同）     |
-| `{{To}}`           | 目标标识符                                            |
-| `{{MessageSid}}`   | 渠道消息 id（如果可用）                               |
-| `{{SessionId}}`    | 当前会话 UUID                                         |
-| `{{IsNewSession}}` | 创建新会话时为 `"true"`                               |
-| `{{MediaUrl}}`     | 入站媒体伪 URL（如果存在）                            |
-| `{{MediaPath}}`    | 本地媒体路径（如果已下载）                            |
-| `{{MediaType}}`    | 媒体类型（image/audio/document/…）                    |
-| `{{Transcript}}`   | 音频转录（启用时）                                    |
-| `{{Prompt}}`       | CLI 条目的已解析媒体提示                              |
-| `{{MaxChars}}`     | CLI 条目的已解析最大输出字符数                        |
-| `{{ChatType}}`     | `"direct"` 或 `"group"`                               |
-| `{{GroupSubject}}` | 群组主题（尽力而为）                                  |
-| `{{GroupMembers}}` | 群组成员预览（尽力而为）                              |
-| `{{SenderName}}`   | 发送者显示名称（尽力而为）                            |
-| `{{SenderE164}}`   | 发送者电话号码（尽力而为）                            |
-| `{{Provider}}`     | 提供商提示（whatsapp                                  | telegram | discord | googlechat | slack | signal | imessage | msteams | webchat | …） |
-
-## Cron（Gateway 网关调度器）
-
-Cron 是 Gateway 网关自有的唤醒和定时任务调度器。参见 [Cron 任务](/automation/cron-jobs) 了解功能概述和 CLI 示例。
-
-```json5
-{
-  cron: {
-    enabled: true,
-    maxConcurrentRuns: 2,
-  },
-}
-```
+有关逐字段的完整参考，请参阅 **[Configuration Reference](/gateway/configuration-reference)**。
 
 ---
 
-_下一步：[智能体运行时](/concepts/agent)_ 🦞
+_相关内容：[Configuration Examples](/gateway/configuration-examples) · [Configuration Reference](/gateway/configuration-reference) · [Doctor](/gateway/doctor)_
diff --git a/docs/zh-CN/gateway/local-models.md b/docs/zh-CN/gateway/local-models.md
index c1cd9e3c29e..0f740aeef2e 100644
--- a/docs/zh-CN/gateway/local-models.md
+++ b/docs/zh-CN/gateway/local-models.md
@@ -1,35 +1,37 @@
 ---
 read_when:
-  - 你想从自己的 GPU 机器提供模型服务
-  - 你正在配置 LM Studio 或 OpenAI 兼容代理
+  - 你想从自己的 GPU 主机提供模型服务
+  - 你正在接入 LM Studio 或兼容 OpenAI 的代理
   - 你需要最安全的本地模型指南
 summary: 在本地 LLM 上运行 OpenClaw（LM Studio、vLLM、LiteLLM、自定义 OpenAI 端点）
 title: 本地模型
 x-i18n:
-  generated_at: "2026-02-03T07:48:15Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: f72b424c3d8986319868dc4c552596bcd599cc79fab5a57c14bf4f0695c39690
+  generated_at: "2026-03-16T06:22:54Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 43ad6b91216e12be4d0c9395c981e0b5d8bd16ba4952efd02b7261052304a4ce
   source_path: gateway/local-models.md
   workflow: 15
 ---
 
 # 本地模型
 
-本地运行是可行的，但 OpenClaw 期望大上下文 + 强大的提示注入防御。小显存会截断上下文并泄露安全性。目标要高：**≥2 台满配 Mac Studio 或同等 GPU 配置（约 $30k+）**。单张 **24 GB** GPU 仅适用于较轻的提示，且延迟更高。使用**你能运行的最大/完整尺寸模型变体**；激进量化或"小型"检查点会增加提示注入风险（参见[安全](/gateway/security)）。
+本地部署是可行的，但 OpenClaw 需要大上下文和对提示注入的强防御能力。小显卡会截断上下文并削弱安全性。目标要高：**至少 2 台满配 Mac Studio 或同等 GPU 设备（约 3 万美元以上）**。单张 **24 GB** GPU 仅适用于较轻的提示，且延迟更高。请使用**你能运行的最大 / 完整尺寸模型变体**；激进量化或“small”检查点会提高提示注入风险（见 [安全](/gateway/security)）。
 
-## 推荐：LM Studio + MiniMax M2.1（Responses API，完整尺寸）
+如果你想要摩擦最小的本地设置，请从 [Ollama](/providers/ollama) 和 `openclaw onboard` 开始。本页是面向更高端本地栈和自定义兼容 OpenAI 的本地服务器的偏好型指南。
 
-当前最佳本地堆栈。在 LM Studio 中加载 MiniMax M2.1，启用本地服务器（默认 `http://127.0.0.1:1234`），并使用 Responses API 将推理与最终文本分开。
+## 推荐：LM Studio + MiniMax M2.5（Responses API，完整尺寸）
+
+当前最佳的本地栈。先在 LM Studio 中加载 MiniMax M2.5，启用本地服务器（默认 `http://127.0.0.1:1234`），然后使用 Responses API 将推理与最终文本分离。
 
 ```json5
 {
   agents: {
     defaults: {
-      model: { primary: "lmstudio/minimax-m2.1-gs32" },
+      model: { primary: "lmstudio/minimax-m2.5-gs32" },
       models: {
-        "anthropic/claude-opus-4-5": { alias: "Opus" },
-        "lmstudio/minimax-m2.1-gs32": { alias: "Minimax" },
+        "anthropic/claude-opus-4-6": { alias: "Opus" },
+        "lmstudio/minimax-m2.5-gs32": { alias: "Minimax" },
       },
     },
   },
@@ -42,8 +44,8 @@ x-i18n:
         api: "openai-responses",
         models: [
           {
-            id: "minimax-m2.1-gs32",
-            name: "MiniMax M2.1 GS32",
+            id: "minimax-m2.5-gs32",
+            name: "MiniMax M2.5 GS32",
             reasoning: false,
             input: ["text"],
             cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
@@ -59,15 +61,15 @@ x-i18n:
 
 **设置清单**
 
-- 安装 LM Studio：https://lmstudio.ai
-- 在 LM Studio 中，下载**可用的最大 MiniMax M2.1 构建**（避免"小型"/重度量化变体），启动服务器，确认 `http://127.0.0.1:1234/v1/models` 列出了它。
-- 保持模型加载；冷加载会增加启动延迟。
-- 如果你的 LM Studio 构建不同，调整 `contextWindow`/`maxTokens`。
-- 对于 WhatsApp，坚持使用 Responses API，这样只发送最终文本。
+- 安装 LM Studio：[https://lmstudio.ai](https://lmstudio.ai)
+- 在 LM Studio 中，下载**可用的最大 MiniMax M2.5 构建版本**（避免 “small” / 重度量化变体），启动服务器，并确认 `http://127.0.0.1:1234/v1/models` 中列出了它。
+- 保持模型处于已加载状态；冷加载会增加启动延迟。
+- 如果你的 LM Studio 构建不同，请调整 `contextWindow` / `maxTokens`。
+- 对于 WhatsApp，请坚持使用 Responses API，这样只会发送最终文本。
 
-即使运行本地模型也要保持托管模型的配置；使用 `models.mode: "merge"` 以便备用方案保持可用。
+即使在本地运行时，也要保留托管模型配置；使用 `models.mode: "merge"`，以便回退模型始终可用。
 
-### 混合配置：托管为主，本地备用
+### 混合配置：托管主模型，本地回退
 
 ```json5
 {
@@ -75,12 +77,12 @@ x-i18n:
     defaults: {
       model: {
         primary: "anthropic/claude-sonnet-4-5",
-        fallbacks: ["lmstudio/minimax-m2.1-gs32", "anthropic/claude-opus-4-5"],
+        fallbacks: ["lmstudio/minimax-m2.5-gs32", "anthropic/claude-opus-4-6"],
       },
       models: {
         "anthropic/claude-sonnet-4-5": { alias: "Sonnet" },
-        "lmstudio/minimax-m2.1-gs32": { alias: "MiniMax Local" },
-        "anthropic/claude-opus-4-5": { alias: "Opus" },
+        "lmstudio/minimax-m2.5-gs32": { alias: "MiniMax Local" },
+        "anthropic/claude-opus-4-6": { alias: "Opus" },
       },
     },
   },
@@ -93,8 +95,8 @@ x-i18n:
         api: "openai-responses",
         models: [
           {
-            id: "minimax-m2.1-gs32",
-            name: "MiniMax M2.1 GS32",
+            id: "minimax-m2.5-gs32",
+            name: "MiniMax M2.5 GS32",
             reasoning: false,
             input: ["text"],
             cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
@@ -108,18 +110,18 @@ x-i18n:
 }
 ```
 
-### 本地优先，托管作为安全网
+### 本地优先，并保留托管安全网
 
-交换主要和备用的顺序；保持相同的 providers 块和 `models.mode: "merge"`，这样当本地机器宕机时可以回退到 Sonnet 或 Opus。
+交换主模型与回退模型的顺序；保留相同的 providers 块和 `models.mode: "merge"`，这样当本地主机不可用时，你仍然可以回退到 Sonnet 或 Opus。
 
-### 区域托管/数据路由
+### 区域托管 / 数据路由
 
-- 托管的 MiniMax/Kimi/GLM 变体也存在于 OpenRouter 上，带有区域固定端点（例如，美国托管）。在那里选择区域变体以将流量保持在你选择的管辖区内，同时仍使用 `models.mode: "merge"` 作为 Anthropic/OpenAI 备用。
-- 纯本地仍然是最强的隐私路径；当你需要提供商功能但又想控制数据流时，托管区域路由是折中方案。
+- OpenRouter 上也提供托管版 MiniMax / Kimi / GLM 变体，并带有区域固定端点（例如托管在美国）。可以在那里选择区域变体，将流量保留在你选定的司法辖区内，同时继续使用 `models.mode: "merge"` 作为 Anthropic / OpenAI 回退。
+- 纯本地仍然是最强的隐私方案；当你需要提供商功能但又想控制数据流向时，托管区域路由是折中方案。
 
-## 其他 OpenAI 兼容本地代理
+## 其他兼容 OpenAI 的本地代理
 
-vLLM、LiteLLM、OAI-proxy 或自定义网关都可以工作，只要它们暴露 OpenAI 风格的 `/v1` 端点。用你的端点和模型 ID 替换上面的 provider 块：
+只要暴露兼容 OpenAI 风格的 `/v1` 端点，vLLM、LiteLLM、OAI-proxy 或自定义网关都可以工作。将上面的 provider 块替换为你的端点和模型 ID：
 
 ```json5
 {
@@ -147,11 +149,11 @@ vLLM、LiteLLM、OAI-proxy 或自定义网关都可以工作，只要它们暴
 }
 ```
 
-保持 `models.mode: "merge"` 以便托管模型作为备用保持可用。
+保留 `models.mode: "merge"`，这样托管模型仍可作为回退使用。
 
 ## 故障排除
 
-- Gateway 网关能访问代理吗？`curl http://127.0.0.1:1234/v1/models`。
-- LM Studio 模型卸载了？重新加载；冷启动是常见的"卡住"原因。
-- 上下文错误？降低 `contextWindow` 或提高服务器限制。
-- 安全：本地模型跳过提供商端过滤器；保持智能体范围窄并开启压缩以限制提示注入的影响范围。
+- Gateway 网关能连接到代理吗？`curl http://127.0.0.1:1234/v1/models`
+- LM Studio 模型已卸载？重新加载；冷启动是常见的“卡住”原因。
+- 上下文错误？降低 `contextWindow` 或提高你的服务器限制。
+- 安全性：本地模型会跳过提供商侧过滤；请保持智能体职责范围狭窄，并开启压缩，以限制提示注入的影响范围。
diff --git a/docs/zh-CN/gateway/multiple-gateways.md b/docs/zh-CN/gateway/multiple-gateways.md
index f6efb6bfea3..36123ff7269 100644
--- a/docs/zh-CN/gateway/multiple-gateways.md
+++ b/docs/zh-CN/gateway/multiple-gateways.md
@@ -1,35 +1,35 @@
 ---
 read_when:
   - 在同一台机器上运行多个 Gateway 网关
-  - 你需要每个 Gateway 网关有隔离的配置/状态/端口
-summary: 在同一主机上运行多个 OpenClaw Gateway 网关（隔离、端口和配置文件）
-title: 多 Gateway 网关
+  - 你需要为每个 Gateway 网关隔离配置/状态/端口
+summary: 在一台主机上运行多个 OpenClaw Gateway 网关（隔离、端口和配置档案）
+title: 多个 Gateway 网关
 x-i18n:
-  generated_at: "2026-02-03T07:48:13Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 09b5035d4e5fb97c8d4596f7e23dea67224dad3b6d9e2c37ecb99840f28bd77d
+  generated_at: "2026-03-16T06:23:07Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 98c14bed7b7447481325d60ac379846ae379326400c4b0ed7f8d320ad8c50080
   source_path: gateway/multiple-gateways.md
   workflow: 15
 ---
 
-# 多 Gateway 网关（同一主机）
+# 多个 Gateway 网关（同一主机）
 
-大多数设置应该使用单个 Gateway 网关，因为一个 Gateway 网关可以处理多个消息连接和智能体。如果你需要更强的隔离或冗余（例如，救援机器人），请使用隔离的配置文件/端口运行多个 Gateway 网关。
+大多数设置应使用一个 Gateway 网关，因为单个 Gateway 网关可以处理多个消息连接和智能体。如果你需要更强的隔离或冗余（例如救援机器人），请运行使用隔离配置档案/端口的独立 Gateway 网关。
 
 ## 隔离检查清单（必需）
 
-- `OPENCLAW_CONFIG_PATH` — 每个实例的配置文件
-- `OPENCLAW_STATE_DIR` — 每个实例的会话、凭证、缓存
-- `agents.defaults.workspace` — 每个实例的工作区根目录
+- `OPENCLAW_CONFIG_PATH` — 每个实例单独的配置文件
+- `OPENCLAW_STATE_DIR` — 每个实例单独的会话、凭证、缓存
+- `agents.defaults.workspace` — 每个实例单独的工作区根目录
 - `gateway.port`（或 `--port`）— 每个实例唯一
-- 派生端口（浏览器/画布）不得重叠
+- 派生端口（browser/canvas）不得重叠
 
-如果这些是共享的，你将遇到配置竞争和端口冲突。
+如果这些被共享，你会遇到配置竞争和端口冲突。
 
-## 推荐：配置文件（`--profile`）
+## 推荐：配置档案（`--profile`）
 
-配置文件自动限定 `OPENCLAW_STATE_DIR` + `OPENCLAW_CONFIG_PATH` 范围并为服务名称添加后缀。
+配置档案会自动限定 `OPENCLAW_STATE_DIR` + `OPENCLAW_CONFIG_PATH`，并为服务名称添加后缀。
 
 ```bash
 # main
@@ -41,7 +41,7 @@ openclaw --profile rescue setup
 openclaw --profile rescue gateway --port 19001
 ```
 
-按配置文件的服务：
+每个配置档案的服务：
 
 ```bash
 openclaw --profile main gateway install
@@ -50,34 +50,34 @@ openclaw --profile rescue gateway install
 
 ## 救援机器人指南
 
-在同一主机上运行第二个 Gateway 网关，使用独立的：
+在同一主机上运行第二个 Gateway 网关，并为它单独设置：
 
-- 配置文件/配置
+- 配置档案/配置
 - 状态目录
 - 工作区
-- 基础端口（加上派生端口）
+- 基础端口（以及派生端口）
 
-这使救援机器人与主机器人隔离，以便在主机器人宕机时可以调试或应用配置更改。
+这样可以将救援机器人与主机器人隔离，因此当主机器人宕机时，它仍可用于调试或应用配置更改。
 
-端口间距：在基础端口之间至少留出 20 个端口，这样派生的浏览器/画布/CDP 端口永远不会冲突。
+端口间距：基础端口之间至少保留 20 个端口，以确保派生的 browser/canvas/CDP 端口永不冲突。
 
 ### 如何安装（救援机器人）
 
 ```bash
-# 主机器人（现有或新建，不带 --profile 参数）
+# Main bot（现有或全新，不带 --profile 参数）
 # 运行在端口 18789 + Chrome CDC/Canvas/... 端口
 openclaw onboard
 openclaw gateway install
 
-# 救援机器人（隔离的配置文件 + 端口）
+# Rescue bot（隔离的配置档案 + 端口）
 openclaw --profile rescue onboard
-# 注意：
-# - 工作区名称默认会添加 -rescue 后缀
-# - 端口应至少为 18789 + 20 个端口，
-#   最好选择完全不同的基础端口，如 19789，
-# - 其余的新手引导与正常相同
+# 说明：
+# - 工作区名称默认会追加 -rescue 后缀
+# - 端口至少应为 18789 + 20 个端口，
+#   最好选择完全不同的基础端口，例如 19789，
+# - 其余新手引导与正常情况相同
 
-# 安装服务（如果在新手引导期间没有自动完成）
+# 安装服务（如果设置期间未自动完成）
 openclaw --profile rescue gateway install
 ```
 
@@ -85,18 +85,18 @@ openclaw --profile rescue gateway install
 
 基础端口 = `gateway.port`（或 `OPENCLAW_GATEWAY_PORT` / `--port`）。
 
-- 浏览器控制服务端口 = 基础 + 2（仅 loopback）
-- `canvasHost.port = 基础 + 4`
-- 浏览器配置文件 CDP 端口从 `browser.controlPort + 9 .. + 108` 自动分配
+- browser 控制服务端口 = 基础端口 + 2（仅 loopback）
+- canvas host 由 Gateway 网关 HTTP 服务器提供（与 `gateway.port` 使用相同端口）
+- Browser profile CDP 端口会从 `browser.controlPort + 9 .. + 108` 自动分配
 
-如果你在配置或环境变量中覆盖了这些，必须确保每个实例都唯一。
+如果你在配置或环境变量中覆盖了其中任何一个，必须确保它们在每个实例之间保持唯一。
 
-## 浏览器/CDP 注意事项（常见陷阱）
+## Browser/CDP 说明（常见陷阱）
 
-- **不要**在多个实例上将 `browser.cdpUrl` 固定为相同的值。
-- 每个实例需要自己的浏览器控制端口和 CDP 范围（从其 Gateway 网关端口派生）。
-- 如果你需要显式的 CDP 端口，请为每个实例设置 `browser.profiles.<name>.cdpPort`。
-- 远程 Chrome：使用 `browser.profiles.<name>.cdpUrl`（每个配置文件，每个实例）。
+- **不要**在多个实例上将 `browser.cdpUrl` 固定为相同值。
+- 每个实例都需要自己的 browser 控制端口和 CDP 范围（从其 Gateway 网关端口派生）。
+- 如果你需要显式 CDP 端口，请为每个实例设置 `browser.profiles.<name>.cdpPort`。
+- 远程 Chrome：使用 `browser.profiles.<name>.cdpUrl`（按配置档案、按实例设置）。
 
 ## 手动环境变量示例
 
diff --git a/docs/zh-CN/help/faq.md b/docs/zh-CN/help/faq.md
index 3d9742c2b28..8543ea01f22 100644
--- a/docs/zh-CN/help/faq.md
+++ b/docs/zh-CN/help/faq.md
@@ -2,10 +2,10 @@
 summary: 关于 OpenClaw 安装、配置和使用的常见问题
 title: 常见问题
 x-i18n:
-  generated_at: "2026-02-01T21:32:04Z"
+  generated_at: "2026-03-16T06:52:18Z"
   model: claude-opus-4-5
   provider: pi
-  source_hash: 5a611f2fda3325b1c7a9ec518616d87c78be41e2bfbe86244ae4f48af3815a26
+  source_hash: 94f7c6ea1024d5606379ce80d65a006b3acc12a963d57ca2333fcee3e5a31872
   source_path: help/faq.md
   workflow: 15
 ---
@@ -687,7 +687,7 @@ Gemini CLI 使用**插件认证流程**，而不是 `openclaw.json` 中的 clien
 
 步骤：
 
-1. 启用插件：`openclaw plugins enable google-gemini-cli-auth`
+1. 启用插件：`openclaw plugins enable google`
 2. 登录：`openclaw models auth login --provider google-gemini-cli --set-default`
 
 这会在 Gateway 网关主机上将 OAuth 令牌存储为认证配置文件。详情：[模型提供商](/concepts/model-providers)。
diff --git a/docs/zh-CN/install/exe-dev.md b/docs/zh-CN/install/exe-dev.md
index 14e576218f8..5e0028cce79 100644
--- a/docs/zh-CN/install/exe-dev.md
+++ b/docs/zh-CN/install/exe-dev.md
@@ -1,50 +1,51 @@
 ---
 read_when:
-  - 你想要一个便宜的常驻 Linux 主机来运行 Gateway 网关
-  - 你想要远程控制 UI 访问而无需运行自己的 VPS
+  - 你想为 Gateway 网关使用一台便宜且始终在线的 Linux 主机
+  - 你想在不自行运行 VPS 的情况下远程访问控制 UI
 summary: 在 exe.dev 上运行 OpenClaw Gateway 网关（VM + HTTPS 代理）以实现远程访问
 title: exe.dev
 x-i18n:
-  generated_at: "2026-02-03T07:51:36Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 8d57ee7dd6029f0b778465c147092b824a0f1b0680af13032aaf116ff3d4d671
-  source_path: platforms/exe-dev.md
+  generated_at: "2026-03-16T06:23:23Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 3c90f57e37145333429328477a3e12306586aa53283127daec75e065dbb85e39
+  source_path: install/exe-dev.md
   workflow: 15
 ---
 
 # exe.dev
 
-目标：OpenClaw Gateway 网关运行在 exe.dev VM 上，可从你的笔记本电脑通过以下地址访问：`https://<vm-name>.exe.xyz`
+目标：让 OpenClaw Gateway 网关运行在 exe.dev VM 上，并且可通过你的笔记本电脑访问：`https://<vm-name>.exe.xyz`
 
-本页假设使用 exe.dev 的默认 **exeuntu** 镜像。如果你选择了不同的发行版，请相应地映射软件包。
+本页假设你使用的是 exe.dev 默认的 **exeuntu** 镜像。如果你选择了不同的发行版，请相应调整软件包。
 
-## 新手快速路径
+## 面向初学者的快速路径
 
 1. [https://exe.new/openclaw](https://exe.new/openclaw)
-2. 根据需要填写你的认证密钥/令牌
-3. 点击 VM 旁边的"Agent"，然后等待...
+2. 根据需要填写你的身份验证密钥/令牌
+3. 点击你的 VM 旁边的 “Agent”，然后等待……
 4. ???
-5. 完成
+5. 成功
 
-## 你需要什么
+## 你需要准备的内容
 
 - exe.dev 账户
-- `ssh exe.dev` 访问 [exe.dev](https://exe.dev) 虚拟机（可选）
+- 对 [exe.dev](https://exe.dev) 虚拟机的 `ssh exe.dev` 访问权限（可选）
 
 ## 使用 Shelley 自动安装
 
-Shelley，[exe.dev](https://exe.dev) 的智能体，可以使用我们的提示立即安装 OpenClaw。使用的提示如下：
+Shelley 是 [exe.dev](https://exe.dev) 的智能体，可以使用我们的提示词立即安装 OpenClaw。
+使用的提示词如下：
 
 ```
-Set up OpenClaw (https://docs.openclaw.ai/install) on this VM. Use the non-interactive and accept-risk flags for openclaw onboarding. Add the supplied auth or token as needed. Configure nginx to forward from the default port 18789 to the root location on the default enabled site config, making sure to enable Websocket support. Pairing is done by "openclaw devices list" and "openclaw device approve <request id>". Make sure the dashboard shows that OpenClaw's health is OK. exe.dev handles forwarding from port 8000 to port 80/443 and HTTPS for us, so the final "reachable" should be <vm-name>.exe.xyz, without port specification.
+Set up OpenClaw (https://docs.openclaw.ai/install) on this VM. Use the non-interactive and accept-risk flags for openclaw onboarding. Add the supplied auth or token as needed. Configure nginx to forward from the default port 18789 to the root location on the default enabled site config, making sure to enable Websocket support. Pairing is done by "openclaw devices list" and "openclaw devices approve <request id>". Make sure the dashboard shows that OpenClaw's health is OK. exe.dev handles forwarding from port 8000 to port 80/443 and HTTPS for us, so the final "reachable" should be <vm-name>.exe.xyz, without port specification.
 ```
 
 ## 手动安装
 
-## 1) 创建 VM
+## 1）创建 VM
 
-从你的设备：
+在你的设备上运行：
 
 ```bash
 ssh exe.dev new
@@ -56,16 +57,16 @@ ssh exe.dev new
 ssh <vm-name>.exe.xyz
 ```
 
-提示：保持此 VM **有状态**。OpenClaw 在 `~/.openclaw/` 和 `~/.openclaw/workspace/` 下存储状态。
+提示：请让这个 VM 保持**有状态**。OpenClaw 会将状态存储在 `~/.openclaw/` 和 `~/.openclaw/workspace/` 下。
 
-## 2) 安装先决条件（在 VM 上）
+## 2）安装前置依赖（在 VM 上）
 
 ```bash
 sudo apt-get update
 sudo apt-get install -y git curl jq ca-certificates openssl
 ```
 
-## 3) 安装 OpenClaw
+## 3）安装 OpenClaw
 
 运行 OpenClaw 安装脚本：
 
@@ -73,9 +74,9 @@ sudo apt-get install -y git curl jq ca-certificates openssl
 curl -fsSL https://openclaw.ai/install.sh | bash
 ```
 
-## 4) 设置 nginx 将 OpenClaw 代理到端口 8000
+## 4）设置 nginx，将 OpenClaw 代理到端口 8000
 
-编辑 `/etc/nginx/sites-enabled/default`：
+编辑 `/etc/nginx/sites-enabled/default`，内容如下：
 
 ```
 server {
@@ -90,30 +91,35 @@ server {
         proxy_pass http://127.0.0.1:18789;
         proxy_http_version 1.1;
 
-        # WebSocket 支持
+        # WebSocket support
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
 
-        # 标准代理头
+        # Standard proxy headers
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
 
-        # 长连接超时设置
+        # Timeout settings for long-lived connections
         proxy_read_timeout 86400s;
         proxy_send_timeout 86400s;
     }
 }
 ```
 
-## 5) 访问 OpenClaw 并授予权限
+## 5）访问 OpenClaw 并授予权限
 
-访问 `https://<vm-name>.exe.xyz/?token=YOUR-TOKEN-FROM-TERMINAL`（参阅新手引导中的控制 UI 输出）。使用 `openclaw devices list` 和 `openclaw devices approve <requestId>` 批准设备。如有疑问，从浏览器使用 Shelley！
+访问 `https://<vm-name>.exe.xyz/`（请查看新手引导输出中的控制 UI）。如果提示进行身份验证，请粘贴 VM 上的
+`gateway.auth.token` 中的令牌（可通过 `openclaw config get gateway.auth.token` 获取，或使用
+`openclaw doctor --generate-gateway-token` 生成）。使用 `openclaw devices list` 和
+`openclaw devices approve <requestId>` 批准设备。如果拿不准，请在浏览器中使用 Shelley！
 
 ## 远程访问
 
-远程访问由 [exe.dev](https://exe.dev) 的认证处理。默认情况下，来自端口 8000 的 HTTP 流量通过电子邮件认证转发到 `https://<vm-name>.exe.xyz`。
+远程访问由 [exe.dev](https://exe.dev) 的身份验证处理。默认情况下，
+来自端口 8000 的 HTTP 流量会被转发到 `https://<vm-name>.exe.xyz`，
+并使用电子邮件身份验证。
 
 ## 更新
 
@@ -124,4 +130,4 @@ openclaw gateway restart
 openclaw health
 ```
 
-指南：[更新](/install/updating)
+指南：[Updating](/install/updating)
diff --git a/docs/zh-CN/install/index.md b/docs/zh-CN/install/index.md
index b008633b8dd..701256cb62e 100644
--- a/docs/zh-CN/install/index.md
+++ b/docs/zh-CN/install/index.md
@@ -1,170 +1,204 @@
 ---
 read_when:
-  - 安装 OpenClaw
-  - 你想从 GitHub 安装
-summary: 安装 OpenClaw（推荐安装器、全局安装或从源代码安装）
+  - 你需要一种不同于“入门指南”快速开始的安装方式
+  - 你想部署到云平台
+  - 你需要更新、迁移或卸载
+summary: 安装 OpenClaw —— 安装脚本、npm/pnpm、从源码、Docker 等
 title: 安装
 x-i18n:
-  generated_at: "2026-02-03T10:07:43Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: b26f48c116c26c163ee0090fb4c3e29622951bd427ecaeccba7641d97cfdf17a
+  generated_at: "2026-03-16T06:23:36Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 14b80b6176b2a4ff5c60aad2db88460d8d980bd416faaa3103b38d90521496af
   source_path: install/index.md
   workflow: 15
 ---
 
 # 安装
 
-除非有特殊原因，否则请使用安装器。它会设置 CLI 并运行新手引导。
-
-## 快速安装（推荐）
-
-```bash
-curl -fsSL https://openclaw.ai/install.sh | bash
-```
-
-Windows（PowerShell）：
-
-```powershell
-iwr -useb https://openclaw.ai/install.ps1 | iex
-```
-
-下一步（如果你跳过了新手引导）：
-
-```bash
-openclaw onboard --install-daemon
-```
+已经按照 [入门指南](/start/getting-started) 操作过了吗？那你已经准备好了 —— 本页适用于其他安装方法、特定平台说明以及维护操作。
 
 ## 系统要求
 
-- **Node >=22**
-- macOS、Linux 或通过 WSL2 的 Windows
-- `pnpm` 仅在从源代码构建时需要
+- **[Node 24（推荐）](/install/node)**（出于兼容性考虑，仍支持 Node 22 LTS，目前为 `22.16+`；如果缺失，[安装脚本](#install-methods) 会安装 Node 24）
+- macOS、Linux 或 Windows
+- 仅当你从源码构建时需要 `pnpm`
 
-## 选择安装路径
+<Note>
+在 Windows 上，我们强烈建议你在 [WSL2](https://learn.microsoft.com/en-us/windows/wsl/install) 下运行 OpenClaw。
+</Note>
 
-### 1）安装器脚本（推荐）
+## 安装方法
 
-通过 npm 全局安装 `openclaw` 并运行新手引导。
+<Tip>
+**安装脚本** 是安装 OpenClaw 的推荐方式。它会一步完成 Node 检测、安装和新手引导。
+</Tip>
 
-```bash
-curl -fsSL https://openclaw.ai/install.sh | bash
-```
+<Warning>
+对于 VPS/云主机，尽量避免使用第三方“一键式”市场镜像。优先选择干净的基础 OS 镜像（例如 Ubuntu LTS），然后使用安装脚本自行安装 OpenClaw。
+</Warning>
 
-安装器标志：
+<AccordionGroup>
+  <Accordion title="安装脚本" icon="rocket" defaultOpen>
+    下载 CLI，通过 npm 全局安装，并启动设置向导。
 
-```bash
-curl -fsSL https://openclaw.ai/install.sh | bash -s -- --help
-```
+    <Tabs>
+      <Tab title="macOS / Linux / WSL2">
+        ```bash
+        curl -fsSL https://openclaw.ai/install.sh | bash
+        ```
+      </Tab>
+      <Tab title="Windows (PowerShell)">
+        ```powershell
+        iwr -useb https://openclaw.ai/install.ps1 | iex
+        ```
+      </Tab>
+    </Tabs>
 
-详情：[安装器内部原理](/install/installer)。
+    就这样 —— 脚本会处理 Node 检测、安装和新手引导。
 
-非交互式（跳过新手引导）：
+    如果要跳过新手引导，只安装二进制文件：
 
-```bash
-curl -fsSL https://openclaw.ai/install.sh | bash -s -- --no-onboard
-```
+    <Tabs>
+      <Tab title="macOS / Linux / WSL2">
+        ```bash
+        curl -fsSL https://openclaw.ai/install.sh | bash -s -- --no-onboard
+        ```
+      </Tab>
+      <Tab title="Windows (PowerShell)">
+        ```powershell
+        & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -NoOnboard
+        ```
+      </Tab>
+    </Tabs>
 
-### 2）全局安装（手动）
+    所有标志、环境变量以及 CI/自动化选项，请参阅 [Installer internals](/install/installer)。
 
-如果你已经有 Node：
+  </Accordion>
 
-```bash
-npm install -g openclaw@latest
-```
+  <Accordion title="npm / pnpm" icon="package">
+    如果你已经自行管理 Node，我们推荐使用 Node 24。出于兼容性考虑，OpenClaw 仍支持 Node 22 LTS，目前为 `22.16+`：
 
-如果你全局安装了 libvips（macOS 上通过 Homebrew 安装很常见）且 `sharp` 安装失败，请强制使用预构建二进制文件：
+    <Tabs>
+      <Tab title="npm">
+        ```bash
+        npm install -g openclaw@latest
+        openclaw onboard --install-daemon
+        ```
 
-```bash
-SHARP_IGNORE_GLOBAL_LIBVIPS=1 npm install -g openclaw@latest
-```
+        <Accordion title="sharp 构建错误？">
+          如果你全局安装了 libvips（在 macOS 上通过 Homebrew 很常见），并且 `sharp` 失败，请强制使用预构建二进制文件：
 
-如果你看到 `sharp: Please add node-gyp to your dependencies`，要么安装构建工具（macOS：Xcode CLT + `npm install -g node-gyp`），要么使用上面的 `SHARP_IGNORE_GLOBAL_LIBVIPS=1` 变通方法来跳过原生构建。
+          ```bash
+          SHARP_IGNORE_GLOBAL_LIBVIPS=1 npm install -g openclaw@latest
+          ```
 
-或使用 pnpm：
+          如果你看到 `sharp: Please add node-gyp to your dependencies`，请安装构建工具链（macOS：Xcode CLT + `npm install -g node-gyp`），或者使用上面的环境变量。
+        </Accordion>
+      </Tab>
+      <Tab title="pnpm">
+        ```bash
+        pnpm add -g openclaw@latest
+        pnpm approve-builds -g        # 批准 openclaw、node-llama-cpp、sharp 等
+        openclaw onboard --install-daemon
+        ```
 
-```bash
-pnpm add -g openclaw@latest
-pnpm approve-builds -g                # 批准 openclaw、node-llama-cpp、sharp 等
-pnpm add -g openclaw@latest           # 重新运行以执行 postinstall 脚本
-```
+        <Note>
+        `pnpm` 要求对带有构建脚本的包进行显式批准。首次安装出现 “Ignored build scripts” 警告后，运行 `pnpm approve-builds -g` 并选择列出的包。
+        </Note>
+      </Tab>
+    </Tabs>
 
-pnpm 需要显式批准带有构建脚本的包。在首次安装显示"Ignored build scripts"警告后，运行 `pnpm approve-builds -g` 并选择列出的包，然后重新运行安装以执行 postinstall 脚本。
+    想通过包管理器安装当前 GitHub `main` 分支最新版本？
 
-然后：
+    ```bash
+    npm install -g github:openclaw/openclaw#main
+    ```
 
-```bash
-openclaw onboard --install-daemon
-```
+    ```bash
+    pnpm add -g github:openclaw/openclaw#main
+    ```
 
-### 3）从源代码（贡献者/开发）
+  </Accordion>
 
-```bash
-git clone https://github.com/openclaw/openclaw.git
-cd openclaw
-pnpm install
-pnpm ui:build # 首次运行时自动安装 UI 依赖
-pnpm build
-openclaw onboard --install-daemon
-```
+  <Accordion title="从源码" icon="github">
+    适用于贡献者或任何想从本地检出运行的人。
 
-提示：如果你还没有全局安装，请通过 `pnpm openclaw ...` 运行仓库命令。
+    <Steps>
+      <Step title="克隆并构建">
+        克隆 [OpenClaw 仓库](https://github.com/openclaw/openclaw) 并构建：
 
-### 4）其他安装选项
+        ```bash
+        git clone https://github.com/openclaw/openclaw.git
+        cd openclaw
+        pnpm install
+        pnpm ui:build
+        pnpm build
+        ```
+      </Step>
+      <Step title="链接 CLI">
+        让 `openclaw` 命令在全局可用：
 
-- Docker：[Docker](/install/docker)
-- Nix：[Nix](/install/nix)
-- Ansible：[Ansible](/install/ansible)
-- Bun（仅 CLI）：[Bun](/install/bun)
+        ```bash
+        pnpm link --global
+        ```
+
+        或者，你也可以跳过链接，直接在仓库内通过 `pnpm openclaw ...` 运行命令。
+      </Step>
+      <Step title="运行新手引导">
+        ```bash
+        openclaw onboard --install-daemon
+        ```
+      </Step>
+    </Steps>
+
+    更深入的开发工作流请参阅 [Setup](/start/setup)。
+
+  </Accordion>
+</AccordionGroup>
+
+## 其他安装方法
+
+<CardGroup cols={2}>
+  <Card title="Docker" href="/install/docker" icon="container">
+    容器化或无头部署。
+  </Card>
+  <Card title="Podman" href="/install/podman" icon="container">
+    无 root 容器：先运行一次 `setup-podman.sh`，然后运行启动脚本。
+  </Card>
+  <Card title="Nix" href="/install/nix" icon="snowflake">
+    通过 Nix 进行声明式安装。
+  </Card>
+  <Card title="Ansible" href="/install/ansible" icon="server">
+    自动化批量配置。
+  </Card>
+  <Card title="Bun" href="/install/bun" icon="zap">
+    通过 Bun 运行时进行仅 CLI 使用。
+  </Card>
+</CardGroup>
 
 ## 安装后
 
-- 运行新手引导：`openclaw onboard --install-daemon`
-- 快速检查：`openclaw doctor`
-- 检查 Gateway 网关健康状态：`openclaw status` + `openclaw health`
-- 打开仪表板：`openclaw dashboard`
-
-## 安装方式：npm vs git（安装器）
-
-安装器支持两种方式：
-
-- `npm`（默认）：`npm install -g openclaw@latest`
-- `git`：从 GitHub 克隆/构建并从源代码 checkout 运行
-
-### CLI 标志
+验证一切是否正常工作：
 
 ```bash
-# 显式 npm
-curl -fsSL https://openclaw.ai/install.sh | bash -s -- --install-method npm
-
-# 从 GitHub 安装（源代码 checkout）
-curl -fsSL https://openclaw.ai/install.sh | bash -s -- --install-method git
+openclaw doctor         # 检查配置问题
+openclaw status         # Gateway 网关状态
+openclaw dashboard      # 打开浏览器 UI
 ```
 
-常用标志：
+如果你需要自定义运行时路径，请使用：
 
-- `--install-method npm|git`
-- `--git-dir <path>`（默认：`~/openclaw`）
-- `--no-git-update`（使用现有 checkout 时跳过 `git pull`）
-- `--no-prompt`（禁用提示；CI/自动化中必需）
-- `--dry-run`（打印将要执行的操作；不做任何更改）
-- `--no-onboard`（跳过新手引导）
+- `OPENCLAW_HOME` 用于基于主目录的内部路径
+- `OPENCLAW_STATE_DIR` 用于可变状态位置
+- `OPENCLAW_CONFIG_PATH` 用于配置文件位置
 
-### 环境变量
+有关优先级和完整细节，请参阅 [Environment vars](/help/environment)。
 
-等效的环境变量（对自动化有用）：
+## 故障排除：找不到 `openclaw`
 
-- `OPENCLAW_INSTALL_METHOD=git|npm`
-- `OPENCLAW_GIT_DIR=...`
-- `OPENCLAW_GIT_UPDATE=0|1`
-- `OPENCLAW_NO_PROMPT=1`
-- `OPENCLAW_DRY_RUN=1`
-- `OPENCLAW_NO_ONBOARD=1`
-- `SHARP_IGNORE_GLOBAL_LIBVIPS=0|1`（默认：`1`；避免 `sharp` 针对系统 libvips 构建）
-
-## 故障排除：找不到 `openclaw`（PATH）
-
-快速诊断：
+<Accordion title="PATH 诊断与修复">
+  快速诊断：
 
 ```bash
 node -v
@@ -173,21 +207,29 @@ npm prefix -g
 echo "$PATH"
 ```
 
-如果 `$(npm prefix -g)/bin`（macOS/Linux）或 `$(npm prefix -g)`（Windows）**不**在 `echo "$PATH"` 的输出中，你的 shell 无法找到全局 npm 二进制文件（包括 `openclaw`）。
+如果 `$(npm prefix -g)/bin`（macOS/Linux）或 `$(npm prefix -g)`（Windows）**不在**你的 `$PATH` 中，那么你的 shell 就找不到全局 npm 二进制文件（包括 `openclaw`）。
 
-修复：将其添加到你的 shell 启动文件（zsh：`~/.zshrc`，bash：`~/.bashrc`）：
+修复方法 —— 将其添加到你的 shell 启动文件（`~/.zshrc` 或 `~/.bashrc`）中：
 
 ```bash
-# macOS / Linux
 export PATH="$(npm prefix -g)/bin:$PATH"
 ```
 
-在 Windows 上，将 `npm prefix -g` 的输出添加到你的 PATH。
+在 Windows 上，将 `npm prefix -g` 的输出添加到你的 PATH 中。
 
-然后打开新终端（或在 zsh 中执行 `rehash` / 在 bash 中执行 `hash -r`）。
+然后打开一个新的终端（或者在 zsh 中运行 `rehash`，在 bash 中运行 `hash -r`）。
+</Accordion>
 
-## 更新/卸载
+## 更新 / 卸载
 
-- 更新：[更新](/install/updating)
-- 迁移到新机器：[迁移](/install/migrating)
-- 卸载：[卸载](/install/uninstall)
+<CardGroup cols={3}>
+  <Card title="更新" href="/install/updating" icon="refresh-cw">
+    让 OpenClaw 保持最新。
+  </Card>
+  <Card title="迁移" href="/install/migrating" icon="arrow-right">
+    迁移到新机器。
+  </Card>
+  <Card title="卸载" href="/install/uninstall" icon="trash-2">
+    完全移除 OpenClaw。
+  </Card>
+</CardGroup>
diff --git a/docs/zh-CN/install/installer.md b/docs/zh-CN/install/installer.md
index bdfe14e49e8..76ef469b3e5 100644
--- a/docs/zh-CN/install/installer.md
+++ b/docs/zh-CN/install/installer.md
@@ -1,128 +1,422 @@
 ---
 read_when:
-  - 你想了解 `openclaw.ai/install.sh` 的工作机制
-  - 你想自动化安装（CI / 无头环境）
+  - 你想了解 `openclaw.ai/install.sh`
+  - 你想自动化安装（CI / 无头）
   - 你想从 GitHub 检出安装
-summary: 安装器脚本的工作原理（install.sh + install-cli.sh）、参数和自动化
+summary: 安装脚本的工作原理（install.sh、install-cli.sh、install.ps1）、标志和自动化
 title: 安装器内部机制
 x-i18n:
-  generated_at: "2026-02-01T21:07:55Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 9e0a19ecb5da0a395030e1ccf0d4bedf16b83946b3432c5399d448fe5d298391
+  generated_at: "2026-03-16T06:24:11Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: e389fa04140ecc98b7e83330d0d467165b23bd22e31807bbd36963c87394ddc4
   source_path: install/installer.md
-  workflow: 14
+  workflow: 15
 ---
 
 # 安装器内部机制
 
-OpenClaw 提供两个安装器脚本（托管在 `openclaw.ai`）：
+OpenClaw 提供三个安装脚本，由 `openclaw.ai` 提供。
 
-- `https://openclaw.ai/install.sh` — "推荐"安装器（默认全局 npm 安装；也可从 GitHub 检出安装）
-- `https://openclaw.ai/install-cli.sh` — 无需 root 权限的 CLI 安装器（安装到带有独立 Node 的前缀目录）
-- `https://openclaw.ai/install.ps1` — Windows PowerShell 安装器（默认 npm；可选 git 安装）
+| 脚本                               | 平台                  | 功能                                                                          |
+| ---------------------------------- | --------------------- | ----------------------------------------------------------------------------- |
+| [`install.sh`](#installsh)         | macOS / Linux / WSL   | 如有需要则安装 Node，通过 npm（默认）或 git 安装 OpenClaw，并可运行新手引导。 |
+| [`install-cli.sh`](#install-clish) | macOS / Linux / WSL   | 将 Node + OpenClaw 安装到本地前缀（`~/.openclaw`）中。无需 root。             |
+| [`install.ps1`](#installps1)       | Windows（PowerShell） | 如有需要则安装 Node，通过 npm（默认）或 git 安装 OpenClaw，并可运行新手引导。 |
 
-查看当前参数/行为，运行：
+## 快速命令
 
-```bash
-curl -fsSL https://openclaw.ai/install.sh | bash -s -- --help
-```
+<Tabs>
+  <Tab title="install.sh">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash
+    ```
 
-Windows (PowerShell) 帮助：
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --help
+    ```
 
-```powershell
-& ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -?
-```
+  </Tab>
+  <Tab title="install-cli.sh">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash
+    ```
 
-如果安装器完成但在新终端中找不到 `openclaw`，通常是 Node/npm PATH 问题。参见：[安装](/install#nodejs--npm-path-sanity)。
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash -s -- --help
+    ```
 
-## install.sh（推荐）
+  </Tab>
+  <Tab title="install.ps1">
+    ```powershell
+    iwr -useb https://openclaw.ai/install.ps1 | iex
+    ```
 
-功能概述：
+    ```powershell
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -Tag beta -NoOnboard -DryRun
+    ```
 
-- 检测操作系统（macOS / Linux / WSL）。
-- 确保 Node.js **22+**（macOS 通过 Homebrew；Linux 通过 NodeSource）。
-- 选择安装方式：
-  - `npm`（默认）：`npm install -g openclaw@latest`
-  - `git`：克隆/构建源码检出并安装包装脚本
-- 在 Linux 上：必要时将 npm 前缀切换到 `~/.npm-global`，以避免全局 npm 权限错误。
-- 如果是升级现有安装：运行 `openclaw doctor --non-interactive`（尽力执行）。
-- 对于 git 安装：安装/更新后运行 `openclaw doctor --non-interactive`（尽力执行）。
-- 通过默认设置 `SHARP_IGNORE_GLOBAL_LIBVIPS=1` 来缓解 `sharp` 原生安装问题（避免使用系统 libvips 编译）。
+  </Tab>
+</Tabs>
 
-如果你*希望* `sharp` 链接到全局安装的 libvips（或你正在调试），请设置：
+<Note>
+如果安装成功但在新终端中找不到 `openclaw`，请参见 [Node.js 故障排除](/install/node#troubleshooting)。
+</Note>
 
-```bash
-SHARP_IGNORE_GLOBAL_LIBVIPS=0 curl -fsSL https://openclaw.ai/install.sh | bash
-```
+---
 
-### 可发现性 / "git 安装"提示
+## install.sh
 
-如果你在**已有的 OpenClaw 源码检出目录中**运行安装器（通过 `package.json` + `pnpm-workspace.yaml` 检测），它会提示：
+<Tip>
+推荐用于大多数 macOS/Linux/WSL 上的交互式安装。
+</Tip>
 
-- 更新并使用此检出（`git`）
-- 或迁移到全局 npm 安装（`npm`）
+### 流程（install.sh）
 
-在非交互式上下文中（无 TTY / `--no-prompt`），你必须传入 `--install-method git|npm`（或设置 `OPENCLAW_INSTALL_METHOD`），否则脚本将以退出码 `2` 退出。
+<Steps>
+  <Step title="检测操作系统">
+    支持 macOS 和 Linux（包括 WSL）。如果检测到 macOS，则会在缺少 Homebrew 时安装它。
+  </Step>
+  <Step title="默认确保使用 Node.js 24">
+    检查 Node 版本，并在需要时安装 Node 24（macOS 上使用 Homebrew，Linux apt/dnf/yum 上使用 NodeSource 设置脚本）。为了兼容性，OpenClaw 仍支持 Node 22 LTS，目前为 `22.16+`。
+  </Step>
+  <Step title="确保安装 Git">
+    如果缺少 Git，则安装它。
+  </Step>
+  <Step title="安装 OpenClaw">
+    - `npm` 方法（默认）：全局 npm 安装
+    - `git` 方法：克隆/更新仓库，使用 pnpm 安装依赖，构建，然后将包装器安装到 `~/.local/bin/openclaw`
+  </Step>
+  <Step title="安装后任务">
+    - 在升级和 git 安装时运行 `openclaw doctor --non-interactive`（尽力而为）
+    - 在适当情况下尝试运行新手引导（有 TTY、未禁用新手引导，并且 bootstrap/配置检查通过）
+    - 默认设置 `SHARP_IGNORE_GLOBAL_LIBVIPS=1`
+  </Step>
+</Steps>
 
-### 为什么需要 Git
+### 源码检出检测
 
-`--install-method git` 路径（克隆 / 拉取）需要 Git。
+如果在 OpenClaw 检出目录中运行（`package.json` + `pnpm-workspace.yaml`），脚本会提供：
 
-对于 `npm` 安装，Git *通常*不是必需的，但某些环境仍然需要它（例如通过 git URL 获取软件包或依赖时）。安装器目前会确保 Git 存在，以避免在全新发行版上出现 `spawn git ENOENT` 错误。
+- 使用检出目录（`git`），或
+- 使用全局安装（`npm`）
 
-### 为什么在全新 Linux 上 npm 会报 `EACCES`
+如果没有可用 TTY 且未设置安装方法，它将默认使用 `npm` 并发出警告。
 
-在某些 Linux 设置中（尤其是通过系统包管理器或 NodeSource 安装 Node 后），npm 的全局前缀指向 root 拥有的位置。此时 `npm install -g ...` 会报 `EACCES` / `mkdir` 权限错误。
+对于无效的方法选择或无效的 `--install-method` 值，脚本会以退出码 `2` 退出。
 
-`install.sh` 通过将前缀切换到以下位置来缓解此问题：
+### 示例（install.sh）
 
-- `~/.npm-global`（并在存在时将其添加到 `~/.bashrc` / `~/.zshrc` 的 `PATH` 中）
+<Tabs>
+  <Tab title="默认">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash
+    ```
+  </Tab>
+  <Tab title="跳过新手引导">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --no-onboard
+    ```
+  </Tab>
+  <Tab title="Git 安装">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --install-method git
+    ```
+  </Tab>
+  <Tab title="通过 npm 安装 GitHub main">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --version main
+    ```
+  </Tab>
+  <Tab title="试运行">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --dry-run
+    ```
+  </Tab>
+</Tabs>
 
-## install-cli.sh（无需 root 权限的 CLI 安装器）
+<AccordionGroup>
+  <Accordion title="标志参考">
 
-此脚本将 `openclaw` 安装到前缀目录（默认：`~/.openclaw`），同时在该前缀下安装专用的 Node 运行时，因此可以在不想改动系统 Node/npm 的机器上使用。
+| 标志                                  | 说明                                              |
+| ------------------------------------- | ------------------------------------------------- |
+| `--install-method npm\|git`           | 选择安装方法（默认：`npm`）。别名：`--method`     |
+| `--npm`                               | npm 方法快捷方式                                  |
+| `--git`                               | git 方法快捷方式。别名：`--github`                |
+| `--version <version\|dist-tag\|spec>` | npm 版本、dist-tag 或包规范（默认：`latest`）     |
+| `--beta`                              | 如有可用则使用 beta dist-tag，否则回退到 `latest` |
+| `--git-dir <path>`                    | 检出目录（默认：`~/openclaw`）。别名：`--dir`     |
+| `--no-git-update`                     | 对现有检出跳过 `git pull`                         |
+| `--no-prompt`                         | 禁用提示                                          |
+| `--no-onboard`                        | 跳过新手引导                                      |
+| `--onboard`                           | 启用新手引导                                      |
+| `--dry-run`                           | 打印操作但不应用更改                              |
+| `--verbose`                           | 启用调试输出（`set -x`、npm notice 级别日志）     |
+| `--help`                              | 显示用法（`-h`）                                  |
 
-帮助：
+  </Accordion>
 
-```bash
-curl -fsSL https://openclaw.ai/install-cli.sh | bash -s -- --help
-```
+  <Accordion title="环境变量参考">
 
-## install.ps1（Windows PowerShell）
+| 变量                                                    | 说明                                 |
+| ------------------------------------------------------- | ------------------------------------ |
+| `OPENCLAW_INSTALL_METHOD=git\|npm`                      | 安装方法                             |
+| `OPENCLAW_VERSION=latest\|next\|main\|<semver>\|<spec>` | npm 版本、dist-tag 或包规范          |
+| `OPENCLAW_BETA=0\|1`                                    | 如有可用则使用 beta                  |
+| `OPENCLAW_GIT_DIR=<path>`                               | 检出目录                             |
+| `OPENCLAW_GIT_UPDATE=0\|1`                              | 切换 git 更新                        |
+| `OPENCLAW_NO_PROMPT=1`                                  | 禁用提示                             |
+| `OPENCLAW_NO_ONBOARD=1`                                 | 跳过新手引导                         |
+| `OPENCLAW_DRY_RUN=1`                                    | 试运行模式                           |
+| `OPENCLAW_VERBOSE=1`                                    | 调试模式                             |
+| `OPENCLAW_NPM_LOGLEVEL=error\|warn\|notice`             | npm 日志级别                         |
+| `SHARP_IGNORE_GLOBAL_LIBVIPS=0\|1`                      | 控制 sharp/libvips 行为（默认：`1`） |
 
-功能概述：
+  </Accordion>
+</AccordionGroup>
 
-- 确保 Node.js **22+**（winget/Chocolatey/Scoop 或手动安装）。
-- 选择安装方式：
-  - `npm`（默认）：`npm install -g openclaw@latest`
-  - `git`：克隆/构建源码检出并安装包装脚本
-- 在升级和 git 安装时运行 `openclaw doctor --non-interactive`（尽力执行）。
+---
 
-示例：
+## install-cli.sh
 
-```powershell
-iwr -useb https://openclaw.ai/install.ps1 | iex
-```
+<Info>
+适用于你希望所有内容都放在本地前缀（默认 `~/.openclaw`）下，并且不依赖系统 Node 的环境。
+</Info>
 
-```powershell
-iwr -useb https://openclaw.ai/install.ps1 | iex -InstallMethod git
-```
+### 流程（install-cli.sh）
 
-```powershell
-iwr -useb https://openclaw.ai/install.ps1 | iex -InstallMethod git -GitDir "C:\\openclaw"
-```
+<Steps>
+  <Step title="安装本地 Node 运行时">
+    将固定的受支持 Node tarball（当前默认 `22.22.0`）下载到 `<prefix>/tools/node-v<version>`，并验证 SHA-256。
+  </Step>
+  <Step title="确保安装 Git">
+    如果缺少 Git，则尝试在 Linux 上通过 apt/dnf/yum 安装，或在 macOS 上通过 Homebrew 安装。
+  </Step>
+  <Step title="在前缀下安装 OpenClaw">
+    使用 `--prefix <prefix>` 通过 npm 安装，然后将包装器写入 `<prefix>/bin/openclaw`。
+  </Step>
+</Steps>
 
-环境变量：
+### 示例（install-cli.sh）
 
-- `OPENCLAW_INSTALL_METHOD=git|npm`
-- `OPENCLAW_GIT_DIR=...`
+<Tabs>
+  <Tab title="默认">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash
+    ```
+  </Tab>
+  <Tab title="自定义前缀 + 版本">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash -s -- --prefix /opt/openclaw --version latest
+    ```
+  </Tab>
+  <Tab title="自动化 JSON 输出">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash -s -- --json --prefix /opt/openclaw
+    ```
+  </Tab>
+  <Tab title="运行新手引导">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash -s -- --onboard
+    ```
+  </Tab>
+</Tabs>
 
-Git 要求：
+<AccordionGroup>
+  <Accordion title="标志参考">
 
-如果你选择 `-InstallMethod git` 但未安装 Git，安装器会打印 Git for Windows 的链接（`https://git-scm.com/download/win`）并退出。
+| 标志                   | 说明                                                                   |
+| ---------------------- | ---------------------------------------------------------------------- |
+| `--prefix <path>`      | 安装前缀（默认：`~/.openclaw`）                                        |
+| `--version <ver>`      | OpenClaw 版本或 dist-tag（默认：`latest`）                             |
+| `--node-version <ver>` | Node 版本（默认：`22.22.0`）                                           |
+| `--json`               | 输出 NDJSON 事件                                                       |
+| `--onboard`            | 安装后运行 `openclaw onboard`                                          |
+| `--no-onboard`         | 跳过新手引导（默认）                                                   |
+| `--set-npm-prefix`     | 在 Linux 上，如果当前前缀不可写，则强制将 npm 前缀设为 `~/.npm-global` |
+| `--help`               | 显示用法（`-h`）                                                       |
 
-常见 Windows 问题：
+  </Accordion>
 
-- **npm error spawn git / ENOENT**：安装 Git for Windows 并重新打开 PowerShell，然后重新运行安装器。
-- **"openclaw" 不是可识别的命令**：你的 npm 全局 bin 文件夹不在 PATH 中。大多数系统使用 `%AppData%\\npm`。你也可以运行 `npm config get prefix` 并将 `\\bin` 添加到 PATH，然后重新打开 PowerShell。
+  <Accordion title="环境变量参考">
+
+| 变量                                        | 说明                                                   |
+| ------------------------------------------- | ------------------------------------------------------ |
+| `OPENCLAW_PREFIX=<path>`                    | 安装前缀                                               |
+| `OPENCLAW_VERSION=<ver>`                    | OpenClaw 版本或 dist-tag                               |
+| `OPENCLAW_NODE_VERSION=<ver>`               | Node 版本                                              |
+| `OPENCLAW_NO_ONBOARD=1`                     | 跳过新手引导                                           |
+| `OPENCLAW_NPM_LOGLEVEL=error\|warn\|notice` | npm 日志级别                                           |
+| `OPENCLAW_GIT_DIR=<path>`                   | 旧版清理查找路径（用于删除旧的 `Peekaboo` 子模块检出） |
+| `SHARP_IGNORE_GLOBAL_LIBVIPS=0\|1`          | 控制 sharp/libvips 行为（默认：`1`）                   |
+
+  </Accordion>
+</AccordionGroup>
+
+---
+
+## install.ps1
+
+### 流程（install.ps1）
+
+<Steps>
+  <Step title="确保 PowerShell + Windows 环境">
+    需要 PowerShell 5+。
+  </Step>
+  <Step title="默认确保使用 Node.js 24">
+    如果缺少，则依次尝试通过 winget、Chocolatey、Scoop 安装。为了兼容性，Node 22 LTS（当前为 `22.16+`）仍然受支持。
+  </Step>
+  <Step title="安装 OpenClaw">
+    - `npm` 方法（默认）：使用所选 `-Tag` 进行全局 npm 安装
+    - `git` 方法：克隆/更新仓库，使用 pnpm 安装/构建，并将包装器安装到 `%USERPROFILE%\.local\bin\openclaw.cmd`
+  </Step>
+  <Step title="安装后任务">
+    在可能情况下将所需 bin 目录添加到用户 PATH，然后在升级和 git 安装时运行 `openclaw doctor --non-interactive`（尽力而为）。
+  </Step>
+</Steps>
+
+### 示例（install.ps1）
+
+<Tabs>
+  <Tab title="默认">
+    ```powershell
+    iwr -useb https://openclaw.ai/install.ps1 | iex
+    ```
+  </Tab>
+  <Tab title="Git 安装">
+    ```powershell
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -InstallMethod git
+    ```
+  </Tab>
+  <Tab title="通过 npm 安装 GitHub main">
+    ```powershell
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -Tag main
+    ```
+  </Tab>
+  <Tab title="自定义 git 目录">
+    ```powershell
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -InstallMethod git -GitDir "C:\openclaw"
+    ```
+  </Tab>
+  <Tab title="试运行">
+    ```powershell
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -DryRun
+    ```
+  </Tab>
+  <Tab title="调试跟踪">
+    ```powershell
+    # install.ps1 目前还没有专门的 -Verbose 标志。
+    Set-PSDebug -Trace 1
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -NoOnboard
+    Set-PSDebug -Trace 0
+    ```
+  </Tab>
+</Tabs>
+
+<AccordionGroup>
+  <Accordion title="标志参考">
+
+| 标志                        | 说明                                         |
+| --------------------------- | -------------------------------------------- |
+| `-InstallMethod npm\|git`   | 安装方法（默认：`npm`）                      |
+| `-Tag <tag\|version\|spec>` | npm dist-tag、版本或包规范（默认：`latest`） |
+| `-GitDir <path>`            | 检出目录（默认：`%USERPROFILE%\openclaw`）   |
+| `-NoOnboard`                | 跳过新手引导                                 |
+| `-NoGitUpdate`              | 跳过 `git pull`                              |
+| `-DryRun`                   | 仅打印操作                                   |
+
+  </Accordion>
+
+  <Accordion title="环境变量参考">
+
+| 变量                               | 说明          |
+| ---------------------------------- | ------------- |
+| `OPENCLAW_INSTALL_METHOD=git\|npm` | 安装方法      |
+| `OPENCLAW_GIT_DIR=<path>`          | 检出目录      |
+| `OPENCLAW_NO_ONBOARD=1`            | 跳过新手引导  |
+| `OPENCLAW_GIT_UPDATE=0`            | 禁用 git pull |
+| `OPENCLAW_DRY_RUN=1`               | 试运行模式    |
+
+  </Accordion>
+</AccordionGroup>
+
+<Note>
+如果使用 `-InstallMethod git` 且缺少 Git，脚本会退出并打印 Git for Windows 链接。
+</Note>
+
+---
+
+## CI 和自动化
+
+使用非交互式标志/环境变量以实现可预测的运行。
+
+<Tabs>
+  <Tab title="install.sh（非交互式 npm）">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --no-prompt --no-onboard
+    ```
+  </Tab>
+  <Tab title="install.sh（非交互式 git）">
+    ```bash
+    OPENCLAW_INSTALL_METHOD=git OPENCLAW_NO_PROMPT=1 \
+      curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash
+    ```
+  </Tab>
+  <Tab title="install-cli.sh（JSON）">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash -s -- --json --prefix /opt/openclaw
+    ```
+  </Tab>
+  <Tab title="install.ps1（跳过新手引导）">
+    ```powershell
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -NoOnboard
+    ```
+  </Tab>
+</Tabs>
+
+---
+
+## 故障排除
+
+<AccordionGroup>
+  <Accordion title="为什么需要 Git？">
+    `git` 安装方法需要 Git。对于 `npm` 安装，仍然会检查/安装 Git，以避免当依赖使用 git URL 时出现 `spawn git ENOENT` 失败。
+  </Accordion>
+
+  <Accordion title="为什么 npm 在 Linux 上会遇到 EACCES？">
+    某些 Linux 设置会将 npm 全局前缀指向 root 拥有的路径。`install.sh` 可以将前缀切换到 `~/.npm-global`，并将 PATH 导出追加到 shell rc 文件中（如果这些文件存在）。
+  </Accordion>
+
+  <Accordion title="sharp/libvips 问题">
+    这些脚本默认设置 `SHARP_IGNORE_GLOBAL_LIBVIPS=1`，以避免 sharp 针对系统 libvips 进行构建。若要覆盖：
+
+    ```bash
+    SHARP_IGNORE_GLOBAL_LIBVIPS=0 curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash
+    ```
+
+  </Accordion>
+
+  <Accordion title='Windows：“npm error spawn git / ENOENT”'>
+    安装 Git for Windows，重新打开 PowerShell，然后重新运行安装器。
+  </Accordion>
+
+  <Accordion title='Windows：“openclaw is not recognized”'>
+    运行 `npm config get prefix`，并将该目录添加到你的用户 PATH（Windows 上不需要 `\bin` 后缀），然后重新打开 PowerShell。
+  </Accordion>
+
+  <Accordion title="Windows：如何获取详细安装器输出">
+    `install.ps1` 目前没有提供 `-Verbose` 开关。
+    对于脚本级诊断，请使用 PowerShell 跟踪：
+
+    ```powershell
+    Set-PSDebug -Trace 1
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -NoOnboard
+    Set-PSDebug -Trace 0
+    ```
+
+  </Accordion>
+
+  <Accordion title="安装后找不到 openclaw">
+    通常是 PATH 问题。请参见 [Node.js 故障排除](/install/node#troubleshooting)。
+  </Accordion>
+</AccordionGroup>
diff --git a/docs/zh-CN/install/macos-vm.md b/docs/zh-CN/install/macos-vm.md
index 94b106dab39..e532c1718ef 100644
--- a/docs/zh-CN/install/macos-vm.md
+++ b/docs/zh-CN/install/macos-vm.md
@@ -1,75 +1,75 @@
 ---
 read_when:
-  - 你想让 OpenClaw 与你的主 macOS 环境隔离
-  - 你想在沙箱中集成 iMessage（BlueBubbles）
-  - 你想要一个可重置、可克隆的 macOS 环境
-  - 你想比较本地与托管 macOS VM 选项
-summary: 在沙箱隔离的 macOS VM（本地或托管）中运行 OpenClaw，当你需要隔离或 iMessage 时
-title: macOS 虚拟机
+  - 你希望 OpenClaw 与你的主 macOS 环境隔离
+  - 你希望在沙箱中集成 iMessage（BlueBubbles）
+  - 你希望拥有一个可重置且可克隆的 macOS 环境
+  - 你希望比较本地与托管 macOS VM 选项
+summary: 在沙箱化的 macOS VM（本地或托管）中运行 OpenClaw，适用于你需要隔离或 iMessage 的场景
+title: macOS VM
 x-i18n:
-  generated_at: "2026-02-03T07:53:09Z"
-  model: claude-opus-4-5
-  provider: pi
+  generated_at: "2026-03-16T06:23:59Z"
+  model: gpt-5.4
+  provider: openai
   source_hash: 4d1c85a5e4945f9f0796038cd5960edecb71ec4dffb6f9686be50adb75180716
-  source_path: platforms/macos-vm.md
+  source_path: install/macos-vm.md
   workflow: 15
 ---
 
-# 在 macOS 虚拟机上运行 OpenClaw（沙箱隔离）
+# 在 macOS VM 上运行 OpenClaw（沙箱隔离）
 
-## 推荐默认方案（大多数用户）
+## 推荐默认方案（适用于大多数用户）
 
-- **小型 Linux VPS** 用于永久在线的 Gateway 网关，成本低。参见 [VPS 托管](/vps)。
-- **专用硬件**（Mac mini 或 Linux 机器）如果你想要完全控制和**住宅 IP** 用于浏览器自动化。许多网站会屏蔽数据中心 IP，所以本地浏览通常效果更好。
-- **混合方案：** 将 Gateway 网关保持在廉价 VPS 上，当你需要浏览器/UI 自动化时，将你的 Mac 作为**节点**连接。参见[节点](/nodes)和 [Gateway 网关远程](/gateway/remote)。
+- **小型 Linux VPS**：适合始终在线的 Gateway 网关，且成本较低。参见 [VPS hosting](/vps)。
+- **专用硬件**（Mac mini 或 Linux 主机）：如果你希望完全控制，并为浏览器自动化获得一个**住宅 IP**。许多网站会屏蔽数据中心 IP，因此本地浏览通常效果更好。
+- **混合方案：** 将 Gateway 网关放在便宜的 VPS 上，当你需要浏览器/UI 自动化时，再将你的 Mac 作为一个 **node** 连接进来。参见 [Nodes](/nodes) 和 [Gateway remote](/gateway/remote)。
 
-当你特别需要 macOS 独有功能（iMessage/BlueBubbles）或想要与日常 Mac 严格隔离时，使用 macOS VM。
+当你明确需要 macOS 独有能力（iMessage/BlueBubbles），或希望与你的日常 Mac 严格隔离时，再使用 macOS VM。
 
 ## macOS VM 选项
 
 ### 在你的 Apple Silicon Mac 上运行本地 VM（Lume）
 
-使用 [Lume](https://cua.ai/docs/lume) 在你现有的 Apple Silicon Mac 上的沙箱 macOS VM 中运行 OpenClaw。
+使用 [Lume](https://cua.ai/docs/lume) 在你现有的 Apple Silicon Mac 上的沙箱化 macOS VM 中运行 OpenClaw。
 
-这为你提供：
+这样你将获得：
 
-- 隔离的完整 macOS 环境（你的主机保持干净）
-- 通过 BlueBubbles 支持 iMessage（在 Linux/Windows 上不可能）
-- 通过克隆 VM 即时重置
+- 完全隔离的 macOS 环境（你的宿主机保持干净）
+- 通过 BlueBubbles 获得 iMessage 支持（在 Linux/Windows 上无法实现）
+- 通过克隆 VM 实现即时重置
 - 无需额外硬件或云成本
 
-### 托管 Mac 提供商（云）
+### 托管 Mac 提供商（云端）
 
-如果你想要云端的 macOS，托管 Mac 提供商也可以：
+如果你希望在云中使用 macOS，托管 Mac 提供商同样可行：
 
 - [MacStadium](https://www.macstadium.com/)（托管 Mac）
-- 其他托管 Mac 供应商也可以；按照他们的 VM + SSH 文档操作
+- 其他托管 Mac 供应商也可以；请遵循它们的 VM + SSH 文档
 
-一旦你有了 macOS VM 的 SSH 访问权限，继续下面的步骤 6。
+一旦你获得了对 macOS VM 的 SSH 访问权限，就继续执行下面的第 6 步。
 
 ---
 
-## 快速路径（Lume，有经验的用户）
+## 快速路径（Lume，适合有经验的用户）
 
 1. 安装 Lume
 2. `lume create openclaw --os macos --ipsw latest`
-3. 完成设置助手，启用远程登录（SSH）
+3. 完成设置助理，启用远程登录（SSH）
 4. `lume run openclaw --no-display`
-5. SSH 进入，安装 OpenClaw，配置渠道
+5. SSH 登录，安装 OpenClaw，配置渠道
 6. 完成
 
 ---
 
-## 你需要什么（Lume）
+## 你需要准备的内容（Lume）
 
 - Apple Silicon Mac（M1/M2/M3/M4）
-- 主机上安装 macOS Sequoia 或更高版本
-- 每个 VM 约 60 GB 可用磁盘空间
+- 宿主机运行 macOS Sequoia 或更高版本
+- 每个 VM 大约 60 GB 可用磁盘空间
 - 约 20 分钟
 
 ---
 
-## 1) 安装 Lume
+## 1）安装 Lume
 
 ```bash
 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/trycua/cua/main/libs/lume/scripts/install.sh)"
@@ -87,11 +87,11 @@ echo 'export PATH="$PATH:$HOME/.local/bin"' >> ~/.zshrc && source ~/.zshrc
 lume --version
 ```
 
-文档：[Lume 安装](https://cua.ai/docs/lume/guide/getting-started/installation)
+文档： [Lume Installation](https://cua.ai/docs/lume/guide/getting-started/installation)
 
 ---
 
-## 2) 创建 macOS VM
+## 2）创建 macOS VM
 
 ```bash
 lume create openclaw --os macos --ipsw latest
@@ -99,47 +99,47 @@ lume create openclaw --os macos --ipsw latest
 
 这会下载 macOS 并创建 VM。VNC 窗口会自动打开。
 
-注意：下载可能需要一段时间，取决于你的网络连接。
+注意：下载可能需要一些时间，具体取决于你的网络连接。
 
 ---
 
-## 3) 完成设置助手
+## 3）完成设置助理
 
 在 VNC 窗口中：
 
 1. 选择语言和地区
-2. 跳过 Apple ID（或者如果你以后想要 iMessage 就登录）
-3. 创建用户账户（记住用户名和密码）
+2. 跳过 Apple ID（或者如果你之后想使用 iMessage，也可以登录）
+3. 创建一个用户账号（记住用户名和密码）
 4. 跳过所有可选功能
 
 设置完成后，启用 SSH：
 
-1. 打开系统设置 → 通用 → 共享
-2. 启用"远程登录"
+1. 打开“系统设置”→“通用”→“共享”
+2. 启用“远程登录”
 
 ---
 
-## 4) 获取 VM 的 IP 地址
+## 4）获取 VM 的 IP 地址
 
 ```bash
 lume get openclaw
 ```
 
-查找 IP 地址（通常是 `192.168.64.x`）。
+查找 IP 地址（通常为 `192.168.64.x`）。
 
 ---
 
-## 5) SSH 进入 VM
+## 5）通过 SSH 连接到 VM
 
 ```bash
 ssh youruser@192.168.64.X
 ```
 
-将 `youruser` 替换为你创建的账户，IP 替换为你 VM 的 IP。
+将 `youruser` 替换为你创建的账号，并将 IP 替换为你的 VM IP。
 
 ---
 
-## 6) 安装 OpenClaw
+## 6）安装 OpenClaw
 
 在 VM 内：
 
@@ -152,7 +152,7 @@ openclaw onboard --install-daemon
 
 ---
 
-## 7) 配置渠道
+## 7）配置渠道
 
 编辑配置文件：
 
@@ -176,7 +176,7 @@ nano ~/.openclaw/openclaw.json
 }
 ```
 
-然后登录 WhatsApp（扫描二维码）：
+然后登录 WhatsApp（扫描 QR 码）：
 
 ```bash
 openclaw channels login
@@ -184,16 +184,16 @@ openclaw channels login
 
 ---
 
-## 8) 无头运行 VM
+## 8）以无界面方式运行 VM
 
-停止 VM 并在无显示器模式下重启：
+停止 VM，然后在无显示模式下重启：
 
 ```bash
 lume stop openclaw
 lume run openclaw --no-display
 ```
 
-VM 在后台运行。OpenClaw 的守护进程保持 Gateway 网关运行。
+VM 会在后台运行。OpenClaw 的守护进程会保持 Gateway 网关持续运行。
 
 检查状态：
 
@@ -203,18 +203,18 @@ ssh youruser@192.168.64.X "openclaw status"
 
 ---
 
-## 额外：iMessage 集成
+## 加分项：iMessage 集成
 
-这是在 macOS 上运行的杀手级功能。使用 [BlueBubbles](https://bluebubbles.app) 将 iMessage 添加到 OpenClaw。
+这是在 macOS 上运行的杀手级特性。使用 [BlueBubbles](https://bluebubbles.app) 将 iMessage 添加到 OpenClaw。
 
 在 VM 内：
 
 1. 从 bluebubbles.app 下载 BlueBubbles
-2. 用你的 Apple ID 登录
-3. 启用 Web API 并设置密码
-4. 将 BlueBubbles webhooks 指向你的 Gateway 网关（示例：`https://your-gateway-host:3000/bluebubbles-webhook?password=<password>`）
+2. 使用你的 Apple ID 登录
+3. 启用 Web API 并设置一个密码
+4. 将 BlueBubbles webhook 指向你的 gateway（示例：`https://your-gateway-host:3000/bluebubbles-webhook?password=<password>`）
 
-添加到你的 OpenClaw 配置：
+添加到你的 OpenClaw 配置中：
 
 ```json
 {
@@ -228,15 +228,15 @@ ssh youruser@192.168.64.X "openclaw status"
 }
 ```
 
-重启 Gateway 网关。现在你的智能体可以发送和接收 iMessage 了。
+重启 Gateway 网关。现在你的智能体就可以发送和接收 iMessage 了。
 
-完整设置详情：[BlueBubbles 渠道](/channels/bluebubbles)
+完整设置细节： [BlueBubbles channel](/channels/bluebubbles)
 
 ---
 
 ## 保存黄金镜像
 
-在进一步自定义之前，快照你的干净状态：
+在进一步自定义之前，为你的干净状态创建快照：
 
 ```bash
 lume stop openclaw
@@ -253,36 +253,36 @@ lume run openclaw --no-display
 
 ---
 
-## 24/7 运行
+## 7×24 运行
 
-通过以下方式保持 VM 运行：
+通过以下方式保持 VM 持续运行：
 
-- 保持你的 Mac 插电
-- 在系统设置 → 节能中禁用睡眠
-- 如需要使用 `caffeinate`
+- 让你的 Mac 保持通电
+- 在“系统设置”→“节能”中禁用睡眠
+- 如有需要，使用 `caffeinate`
 
-对于真正的永久在线，考虑专用 Mac mini 或小型 VPS。参见 [VPS 托管](/vps)。
+如果你需要真正始终在线，请考虑使用专用 Mac mini 或小型 VPS。参见 [VPS hosting](/vps)。
 
 ---
 
 ## 故障排除
 
-| 问题                    | 解决方案                                                         |
-| ----------------------- | ---------------------------------------------------------------- |
-| 无法 SSH 进入 VM        | 检查 VM 的系统设置中是否启用了"远程登录"                         |
-| VM IP 未显示            | 等待 VM 完全启动，再次运行 `lume get openclaw`                   |
-| 找不到 Lume 命令        | 将 `~/.local/bin` 添加到你的 PATH                                |
-| WhatsApp 二维码扫描失败 | 确保运行 `openclaw channels login` 时你是登录到 VM（而不是主机） |
+| 问题                    | 解决方案                                                          |
+| ----------------------- | ----------------------------------------------------------------- |
+| 无法通过 SSH 连接到 VM  | 检查 VM 的“系统设置”中是否已启用“远程登录”                        |
+| 未显示 VM IP            | 等待 VM 完全启动后，再次运行 `lume get openclaw`                  |
+| 找不到 `lume` 命令      | 将 `~/.local/bin` 添加到你的 PATH                                 |
+| 无法扫描 WhatsApp QR 码 | 运行 `openclaw channels login` 时，确保你登录的是 VM 而不是宿主机 |
 
 ---
 
 ## 相关文档
 
-- [VPS 托管](/vps)
-- [节点](/nodes)
-- [Gateway 网关远程](/gateway/remote)
-- [BlueBubbles 渠道](/channels/bluebubbles)
-- [Lume 快速入门](https://cua.ai/docs/lume/guide/getting-started/quickstart)
-- [Lume CLI 参考](https://cua.ai/docs/lume/reference/cli-reference)
-- [无人值守 VM 设置](https://cua.ai/docs/lume/guide/fundamentals/unattended-setup)（高级）
-- [Docker 沙箱隔离](/install/docker)（替代隔离方案）
+- [VPS hosting](/vps)
+- [Nodes](/nodes)
+- [Gateway remote](/gateway/remote)
+- [BlueBubbles channel](/channels/bluebubbles)
+- [Lume Quickstart](https://cua.ai/docs/lume/guide/getting-started/quickstart)
+- [Lume CLI Reference](https://cua.ai/docs/lume/reference/cli-reference)
+- [Unattended VM Setup](https://cua.ai/docs/lume/guide/fundamentals/unattended-setup)（高级）
+- [Docker Sandboxing](/install/docker)（另一种隔离方案）
diff --git a/docs/zh-CN/platforms/digitalocean.md b/docs/zh-CN/platforms/digitalocean.md
index 2c6576e66fd..f96d11cdf1c 100644
--- a/docs/zh-CN/platforms/digitalocean.md
+++ b/docs/zh-CN/platforms/digitalocean.md
@@ -1,14 +1,14 @@
 ---
 read_when:
   - 在 DigitalOcean 上设置 OpenClaw
-  - 寻找便宜的 VPS 托管来运行 OpenClaw
+  - 寻找适合 OpenClaw 的低价 VPS 托管
 summary: 在 DigitalOcean 上运行 OpenClaw（简单的付费 VPS 选项）
 title: DigitalOcean
 x-i18n:
-  generated_at: "2026-02-03T07:51:55Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: d60559b8751da37413e5364e83c88254b476b2283386a0b07b2ca6b4e16157fc
+  generated_at: "2026-03-16T06:24:23Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: f7cbbee2bdc2df08d2c255ee55fdf822c27924b41c4f4717cafb7e6e015d0966
   source_path: platforms/digitalocean.md
   workflow: 15
 ---
@@ -17,137 +17,141 @@ x-i18n:
 
 ## 目标
 
-以 **$6/月**（或使用预留定价 $4/月）在 DigitalOcean 上运行持久的 OpenClaw Gateway 网关。
+在 DigitalOcean 上以 **每月 6 美元**（或预留定价时每月 4 美元）运行一个持久化的 OpenClaw Gateway 网关。
 
-如果你想要 $0/月的选项且不介意 ARM + 特定提供商的设置，请参阅 [Oracle Cloud 指南](/platforms/oracle)。
+如果你想要每月 0 美元的方案，并且不介意 ARM + 提供商特定设置，请参阅 [Oracle Cloud 指南](/platforms/oracle)。
 
-## 成本比较（2026）
+## 成本对比（2026）
 
-| 提供商       | 方案            | 配置                  | 价格/月     | 备注                     |
-| ------------ | --------------- | --------------------- | ----------- | ------------------------ |
-| Oracle Cloud | Always Free ARM | 最高 4 OCPU、24GB RAM | $0          | ARM，容量有限 / 注册有坑 |
-| Hetzner      | CX22            | 2 vCPU、4GB RAM       | €3.79 (~$4) | 最便宜的付费选项         |
-| DigitalOcean | Basic           | 1 vCPU、1GB RAM       | $6          | 界面简单，文档完善       |
-| Vultr        | Cloud Compute   | 1 vCPU、1GB RAM       | $6          | 多地区可选               |
-| Linode       | Nanode          | 1 vCPU、1GB RAM       | $5          | 现为 Akamai 旗下         |
+| 提供商       | 套餐            | 规格                   | 每月价格       | 说明                             |
+| ------------ | --------------- | ---------------------- | -------------- | -------------------------------- |
+| Oracle Cloud | Always Free ARM | 最多 4 OCPU，24 GB RAM | $0             | ARM，容量有限 / 注册流程有些麻烦 |
+| Hetzner      | CX22            | 2 vCPU，4 GB RAM       | €3.79（约 $4） | 最便宜的付费选项                 |
+| DigitalOcean | Basic           | 1 vCPU，1 GB RAM       | $6             | UI 简单，文档完善                |
+| Vultr        | Cloud Compute   | 1 vCPU，1 GB RAM       | $6             | 机房位置多                       |
+| Linode       | Nanode          | 1 vCPU，1 GB RAM       | $5             | 现已并入 Akamai                  |
 
-**选择提供商：**
+**如何选择提供商：**
 
-- DigitalOcean：最简单的用户体验 + 可预测的设置（本指南）
-- Hetzner：性价比高（参见 [Hetzner 指南](/install/hetzner)）
-- Oracle Cloud：可以 $0/月，但更麻烦且仅限 ARM（参见 [Oracle 指南](/platforms/oracle)）
+- DigitalOcean：最简单的 UX + 可预测的设置（本指南）
+- Hetzner：性价比不错（见 [Hetzner guide](/install/hetzner)）
+- Oracle Cloud：可能做到每月 0 美元，但更挑环境且仅支持 ARM（见 [Oracle guide](/platforms/oracle)）
 
 ---
 
 ## 前提条件
 
-- DigitalOcean 账户（[注册可获 $200 免费额度](https://m.do.co/c/signup)）
+- DigitalOcean 账号（[注册可获 200 美元免费额度](https://m.do.co/c/signup)）
 - SSH 密钥对（或愿意使用密码认证）
 - 约 20 分钟
 
-## 1) 创建 Droplet
+## 1）创建 Droplet
+
+<Warning>
+请使用干净的基础镜像（Ubuntu 24.04 LTS）。除非你已经检查过其启动脚本和防火墙默认设置，否则请避免使用第三方 Marketplace 一键镜像。
+</Warning>
 
 1. 登录 [DigitalOcean](https://cloud.digitalocean.com/)
 2. 点击 **Create → Droplets**
 3. 选择：
-   - **Region：** 离你（或你的用户）最近的地区
+   - **Region：** 离你（或你的用户）最近
    - **Image：** Ubuntu 24.04 LTS
-   - **Size：** Basic → Regular → **$6/mo**（1 vCPU、1GB RAM、25GB SSD）
-   - **Authentication：** SSH 密钥（推荐）或密码
+   - **Size：** Basic → Regular → **$6/mo**（1 vCPU、1 GB RAM、25 GB SSD）
+   - **Authentication：** SSH key（推荐）或密码
 4. 点击 **Create Droplet**
 5. 记下 IP 地址
 
-## 2) 通过 SSH 连接
+## 2）通过 SSH 连接
 
 ```bash
 ssh root@YOUR_DROPLET_IP
 ```
 
-## 3) 安装 OpenClaw
+## 3）安装 OpenClaw
 
 ```bash
-# Update system
+# 更新系统
 apt update && apt upgrade -y
 
-# Install Node.js 22
-curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
+# 安装 Node.js 24
+curl -fsSL https://deb.nodesource.com/setup_24.x | bash -
 apt install -y nodejs
 
-# Install OpenClaw
+# 安装 OpenClaw
 curl -fsSL https://openclaw.ai/install.sh | bash
 
-# Verify
+# 验证
 openclaw --version
 ```
 
-## 4) 运行新手引导
+## 4）运行新手引导
 
 ```bash
 openclaw onboard --install-daemon
 ```
 
-向导将引导你完成：
+向导会带你完成以下设置：
 
-- 模型认证（API 密钥或 OAuth）
+- 模型认证（API key 或 OAuth）
 - 渠道设置（Telegram、WhatsApp、Discord 等）
-- Gateway 网关令牌（自动生成）
+- Gateway 网关 token（自动生成）
 - 守护进程安装（systemd）
 
-## 5) 验证 Gateway 网关
+## 5）验证 Gateway 网关
 
 ```bash
-# Check status
+# 检查状态
 openclaw status
 
-# Check service
+# 检查服务
 systemctl --user status openclaw-gateway.service
 
-# View logs
+# 查看日志
 journalctl --user -u openclaw-gateway.service -f
 ```
 
-## 6) 访问控制面板
+## 6）访问 Dashboard
 
-Gateway 网关默认绑定到 loopback。要访问控制界面：
+Gateway 网关默认绑定到 loopback。要访问 Control UI：
 
 **选项 A：SSH 隧道（推荐）**
 
 ```bash
-# From your local machine
+# 在你的本地机器上
 ssh -L 18789:localhost:18789 root@YOUR_DROPLET_IP
 
-# Then open: http://localhost:18789
+# 然后打开：http://localhost:18789
 ```
 
 **选项 B：Tailscale Serve（HTTPS，仅 loopback）**
 
 ```bash
-# On the droplet
+# 在 droplet 上
 curl -fsSL https://tailscale.com/install.sh | sh
 tailscale up
 
-# Configure Gateway to use Tailscale Serve
+# 将 Gateway 网关配置为使用 Tailscale Serve
 openclaw config set gateway.tailscale.mode serve
 openclaw gateway restart
 ```
 
 打开：`https://<magicdns>/`
 
-注意事项：
+说明：
 
-- Serve 保持 Gateway 网关仅 loopback 并通过 Tailscale 身份头进行认证。
-- 要改为需要令牌/密码，请设置 `gateway.auth.allowTailscale: false` 或使用 `gateway.auth.mode: "password"`。
+- Serve 会让 Gateway 网关保持仅 loopback，并通过 Tailscale 身份头对 Control UI/WebSocket 流量进行认证（无 token 认证假定 Gateway 网关主机可信；HTTP API 仍然需要 token/password）。
+- 如果你想强制要求 token/password，请设置 `gateway.auth.allowTailscale: false` 或使用 `gateway.auth.mode: "password"`。
 
-**选项 C：Tailnet 绑定（不使用 Serve）**
+**选项 C：绑定到 tailnet（不使用 Serve）**
 
 ```bash
 openclaw config set gateway.bind tailnet
 openclaw gateway restart
 ```
 
-打开：`http://<tailscale-ip>:18789`（需要令牌）。
+打开：`http://<tailscale-ip>:18789`（需要 token）。
 
-## 7) 连接你的渠道
+## 7）连接你的渠道
 
 ### Telegram
 
@@ -160,16 +164,16 @@ openclaw pairing approve telegram <CODE>
 
 ```bash
 openclaw channels login whatsapp
-# Scan QR code
+# 扫描 QR 码
 ```
 
-参见[渠道](/channels)了解其他提供商。
+其他提供商请参阅 [Channels](/channels)。
 
 ---
 
-## 1GB RAM 的优化
+## 针对 1 GB RAM 的优化
 
-$6 的 droplet 只有 1GB RAM。为了保持运行流畅：
+6 美元的 droplet 只有 1 GB RAM。为了保持运行顺畅：
 
 ### 添加 swap（推荐）
 
@@ -183,9 +187,9 @@ echo '/swapfile none swap sw 0 0' >> /etc/fstab
 
 ### 使用更轻量的模型
 
-如果遇到 OOM，考虑：
+如果你遇到 OOM，可以考虑：
 
-- 使用基于 API 的模型（Claude、GPT）而不是本地模型
+- 使用基于 API 的模型（Claude、GPT），而不是本地模型
 - 将 `agents.defaults.model.primary` 设置为更小的模型
 
 ### 监控内存
@@ -199,12 +203,12 @@ htop
 
 ## 持久化
 
-所有状态存储在：
+所有状态都存储在：
 
 - `~/.openclaw/` — 配置、凭证、会话数据
-- `~/.openclaw/workspace/` — 工作区（SOUL.md、记忆等）
+- `~/.openclaw/workspace/` — 工作区（`SOUL.md`、memory 等）
 
-这些在重启后保留。定期备份：
+这些内容在重启后仍会保留。请定期备份：
 
 ```bash
 tar -czvf openclaw-backup.tar.gz ~/.openclaw ~/.openclaw/workspace
@@ -214,21 +218,21 @@ tar -czvf openclaw-backup.tar.gz ~/.openclaw ~/.openclaw/workspace
 
 ## Oracle Cloud 免费替代方案
 
-Oracle Cloud 提供 **Always Free** ARM 实例，比这里任何付费选项都强大得多 — 每月 $0。
+Oracle Cloud 提供 **Always Free** ARM 实例，性能显著强于这里列出的任何付费选项 —— 且每月 0 美元。
 
-| 你将获得       | 配置             |
-| -------------- | ---------------- |
-| **4 OCPUs**    | ARM Ampere A1    |
-| **24GB RAM**   | 绰绰有余         |
-| **200GB 存储** | 块存储卷         |
-| **永久免费**   | 不收取信用卡费用 |
+| 你将获得        | 规格               |
+| --------------- | ------------------ |
+| **4 OCPU**      | ARM Ampere A1      |
+| **24 GB RAM**   | 完全足够           |
+| **200 GB 存储** | 块存储卷           |
+| **永久免费**    | 不会产生信用卡费用 |
 
 **注意事项：**
 
-- 注册可能有点麻烦（失败了就重试）
-- ARM 架构 — 大多数东西都能工作，但有些二进制文件需要 ARM 构建
+- 注册过程可能比较挑剔（如果失败请重试）
+- ARM 架构 —— 大多数东西都能运行，但某些二进制文件需要 ARM 构建版本
 
-完整设置指南请参阅 [Oracle Cloud](/platforms/oracle)。关于注册技巧和注册流程故障排除，请参阅此[社区指南](https://gist.github.com/rssnyder/51e3cfedd730e7dd5f4a816143b25dbd)。
+完整设置指南请参阅 [Oracle Cloud](/platforms/oracle)。关于注册技巧和注册流程故障排除，请参阅这篇[社区指南](https://gist.github.com/rssnyder/51e3cfedd730e7dd5f4a816143b25dbd)。
 
 ---
 
@@ -242,7 +246,7 @@ openclaw doctor --non-interactive
 journalctl -u openclaw --no-pager -n 50
 ```
 
-### 端口已被使用
+### 端口已被占用
 
 ```bash
 lsof -i :18789
@@ -252,18 +256,18 @@ kill <PID>
 ### 内存不足
 
 ```bash
-# Check memory
+# 检查内存
 free -h
 
-# Add more swap
-# Or upgrade to $12/mo droplet (2GB RAM)
+# 添加更多 swap
+# 或升级到每月 12 美元的 droplet（2 GB RAM）
 ```
 
 ---
 
 ## 另请参阅
 
-- [Hetzner 指南](/install/hetzner) — 更便宜、更强大
-- [Docker 安装](/install/docker) — 容器化设置
-- [Tailscale](/gateway/tailscale) — 安全远程访问
-- [配置](/gateway/configuration) — 完整配置参考
+- [Hetzner guide](/install/hetzner) — 更便宜、性能更强
+- [Docker install](/install/docker) — 容器化设置
+- [Tailscale](/gateway/tailscale) — 安全的远程访问
+- [Configuration](/gateway/configuration) — 完整配置参考
diff --git a/docs/zh-CN/platforms/index.md b/docs/zh-CN/platforms/index.md
index 6609ed34aa3..c8d72360140 100644
--- a/docs/zh-CN/platforms/index.md
+++ b/docs/zh-CN/platforms/index.md
@@ -1,14 +1,14 @@
 ---
 read_when:
-  - 查找操作系统支持或安装路径时
-  - 决定在哪里运行 Gateway 网关时
-summary: 平台支持概述（Gateway 网关 + 配套应用）
+  - 查找操作系统支持或安装路径
+  - 决定在哪里运行 Gateway 网关
+summary: 平台支持概览（Gateway 网关 + 配套应用）
 title: 平台
 x-i18n:
-  generated_at: "2026-02-03T07:52:07Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 254852a5ed1996982a52eed4a72659477609e08d340c625d24ef6d99c21eece6
+  generated_at: "2026-03-16T06:24:20Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 653f395598b9558cb15b58ab42ed931dba47c70780be1c803d33dd795bad6503
   source_path: platforms/index.md
   workflow: 15
 ---
@@ -16,11 +16,11 @@ x-i18n:
 # 平台
 
 OpenClaw 核心使用 TypeScript 编写。**Node 是推荐的运行时**。
-不推荐 Bun 用于 Gateway 网关（WhatsApp/Telegram 存在 bug）。
+不建议将 Bun 用于 Gateway 网关（存在 WhatsApp/Telegram bug）。
 
-配套应用适用于 macOS（菜单栏应用）和移动节点（iOS/Android）。Windows 和
-Linux 配套应用已在计划中，但 Gateway 网关目前已完全支持。
-Windows 原生配套应用也在计划中；推荐通过 WSL2 使用 Gateway 网关。
+已提供适用于 macOS（菜单栏应用）和移动节点（iOS/Android）的配套应用。Windows 和
+Linux 配套应用已在规划中，但 Gateway 网关目前已得到完全支持。
+适用于 Windows 的原生配套应用也在规划中；推荐通过 WSL2 运行 Gateway 网关。
 
 ## 选择你的操作系统
 
@@ -30,7 +30,7 @@ Windows 原生配套应用也在计划中；推荐通过 WSL2 使用 Gateway 网
 - Windows：[Windows](/platforms/windows)
 - Linux：[Linux](/platforms/linux)
 
-## VPS 和托管
+## VPS 与托管
 
 - VPS 中心：[VPS 托管](/vps)
 - Fly.io：[Fly.io](/install/fly)
@@ -47,14 +47,14 @@ Windows 原生配套应用也在计划中；推荐通过 WSL2 使用 Gateway 网
 
 ## Gateway 网关服务安装（CLI）
 
-使用以下任一方式（均支持）：
+使用以下任一方式（均受支持）：
 
 - 向导（推荐）：`openclaw onboard --install-daemon`
 - 直接安装：`openclaw gateway install`
-- 配置流程：`openclaw configure` → 选择 **Gateway service**
-- 修复/迁移：`openclaw doctor`（提供安装或修复服务）
+- 配置流程：`openclaw configure` → 选择 **Gateway 服务**
+- 修复/迁移：`openclaw doctor`（会提供安装或修复服务的选项）
 
 服务目标取决于操作系统：
 
-- macOS：LaunchAgent（`bot.molt.gateway` 或 `bot.molt.<profile>`；旧版 `com.openclaw.*`）
+- macOS：LaunchAgent（`ai.openclaw.gateway` 或 `ai.openclaw.<profile>`；旧版为 `com.openclaw.*`）
 - Linux/WSL2：systemd 用户服务（`openclaw-gateway[-<profile>].service`）
diff --git a/docs/zh-CN/platforms/linux.md b/docs/zh-CN/platforms/linux.md
index 3634f6c9d44..4c836960f94 100644
--- a/docs/zh-CN/platforms/linux.md
+++ b/docs/zh-CN/platforms/linux.md
@@ -1,31 +1,31 @@
 ---
 read_when:
-  - 查找 Linux 配套应用状态时
-  - 规划平台覆盖或贡献时
+  - 查找 Linux 配套应用状态
+  - 规划平台覆盖范围或贡献
 summary: Linux 支持 + 配套应用状态
 title: Linux 应用
 x-i18n:
-  generated_at: "2026-02-03T07:52:18Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: a9bbbcecf2fd522a2f5ac8f3b9068febbc43658465bfb9276bff6c3e946789d2
+  generated_at: "2026-03-16T06:24:30Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 12f2a28ec8fc17769210bda97af11fda332355956d41bba69ac51cc523be6178
   source_path: platforms/linux.md
   workflow: 15
 ---
 
 # Linux 应用
 
-Gateway 网关在 Linux 上完全支持。**Node 是推荐的运行时**。
-不推荐 Bun 用于 Gateway 网关（WhatsApp/Telegram 存在 bug）。
+Gateway 网关在 Linux 上得到完全支持。**Node 是推荐的运行时**。
+不建议将 Bun 用于 Gateway 网关（存在 WhatsApp/Telegram bug）。
 
-原生 Linux 配套应用已在计划中。如果你想帮助构建，欢迎贡献。
+原生 Linux 配套应用已在规划中。如果你想帮助构建一个，欢迎贡献。
 
-## 新手快速路径（VPS）
+## 面向初学者的快速路径（VPS）
 
-1. 安装 Node 22+
+1. 安装 Node 24（推荐；Node 22 LTS，目前 `22.16+`，为了兼容性仍然可用）
 2. `npm i -g openclaw@latest`
 3. `openclaw onboard --install-daemon`
-4. 从你的笔记本电脑：`ssh -N -L 18789:127.0.0.1:18789 <user>@<host>`
+4. 在你的笔记本电脑上运行：`ssh -N -L 18789:127.0.0.1:18789 <user>@<host>`
 5. 打开 `http://127.0.0.1:18789/` 并粘贴你的令牌
 
 分步 VPS 指南：[exe.dev](/install/exe-dev)
@@ -49,19 +49,19 @@ Gateway 网关在 Linux 上完全支持。**Node 是推荐的运行时**。
 openclaw onboard --install-daemon
 ```
 
-或：
+或者：
 
 ```
 openclaw gateway install
 ```
 
-或：
+或者：
 
 ```
 openclaw configure
 ```
 
-出现提示时选择 **Gateway service**。
+出现提示时，选择 **Gateway 服务**。
 
 修复/迁移：
 
@@ -71,9 +71,8 @@ openclaw doctor
 
 ## 系统控制（systemd 用户单元）
 
-OpenClaw 默认安装 systemd **用户**服务。对于共享或常驻服务器使用**系统**
-服务。完整的单元示例和指南
-在 [Gateway 网关运行手册](/gateway) 中。
+OpenClaw 默认安装 systemd **用户**服务。对于共享或始终在线的服务器，请使用 **系统** 服务。完整的单元示例和指导
+请参见 [Gateway 网关运行手册](/gateway)。
 
 最小设置：
 
diff --git a/docs/zh-CN/platforms/raspberry-pi.md b/docs/zh-CN/platforms/raspberry-pi.md
index edffc432ed1..54459e1f251 100644
--- a/docs/zh-CN/platforms/raspberry-pi.md
+++ b/docs/zh-CN/platforms/raspberry-pi.md
@@ -1,15 +1,15 @@
 ---
 read_when:
-  - 在 Raspberry Pi 上设置 OpenClaw 时
-  - 在 ARM 设备上运行 OpenClaw 时
-  - 构建低成本常驻个人 AI 时
-summary: 在 Raspberry Pi 上运行 OpenClaw（低成本自托管设置）
+  - 在 Raspberry Pi 上设置 OpenClaw
+  - 在 ARM 设备上运行 OpenClaw
+  - 构建一个低成本、始终在线的个人 AI
+summary: 在 Raspberry Pi 上运行 OpenClaw（低预算自托管方案）
 title: Raspberry Pi
 x-i18n:
-  generated_at: "2026-02-03T07:53:30Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 6741eaf0115a4fa0efd6599a99e0526a20ceb30eda1d9b04cba9dd5dec84bee2
+  generated_at: "2026-03-16T06:24:58Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 3106dea63b5a548622b82e3090e7fdb7f748b96bf0e23893496f1b60c095334a
   source_path: platforms/raspberry-pi.md
   workflow: 15
 ---
@@ -18,51 +18,51 @@ x-i18n:
 
 ## 目标
 
-在 Raspberry Pi 上运行持久、常驻的 OpenClaw Gateway 网关，**一次性成本约 $35-80**（无月费）。
+在 Raspberry Pi 上以 **约 35–80 美元**的一次性成本（无月费）运行一个持久化、始终在线的 OpenClaw Gateway 网关。
 
-适用于：
+非常适合：
 
-- 24/7 个人 AI 助手
-- 家庭自动化中心
-- 低功耗、随时可用的 Telegram/WhatsApp 机器人
+- 7×24 个人 AI 助手
+- 家庭自动化中枢
+- 低功耗、始终可用的 Telegram/WhatsApp bot
 
 ## 硬件要求
 
-| Pi 型号         | 内存    | 是否可用？ | 说明                       |
-| --------------- | ------- | ---------- | -------------------------- |
-| **Pi 5**        | 4GB/8GB | ✅ 最佳    | 最快，推荐                 |
-| **Pi 4**        | 4GB     | ✅ 良好    | 大多数用户的最佳选择       |
-| **Pi 4**        | 2GB     | ✅ 可以    | 可用，添加交换空间         |
-| **Pi 4**        | 1GB     | ⚠️ 紧张    | 使用交换空间可行，最小配置 |
-| **Pi 3B+**      | 1GB     | ⚠️ 慢      | 可用但较慢                 |
-| **Pi Zero 2 W** | 512MB   | ❌         | 不推荐                     |
+| Pi 型号         | RAM     | 可用？  | 说明                       |
+| --------------- | ------- | ------- | -------------------------- |
+| **Pi 5**        | 4GB/8GB | ✅ 最佳 | 最快，推荐                 |
+| **Pi 4**        | 4GB     | ✅ 良好 | 适合大多数用户的最佳平衡点 |
+| **Pi 4**        | 2GB     | ✅ 可以 | 可用，建议加 swap          |
+| **Pi 4**        | 1GB     | ⚠️ 紧张 | 配合 swap 和最小化配置可行 |
+| **Pi 3B+**      | 1GB     | ⚠️ 较慢 | 可用，但反应迟缓           |
+| **Pi Zero 2 W** | 512MB   | ❌      | 不推荐                     |
 
-**最低配置：** 1GB 内存，1 核，500MB 磁盘  
-**推荐：** 2GB+ 内存，64 位系统，16GB+ SD 卡（或 USB SSD）
+**最低规格：** 1 GB RAM、1 核、500 MB 磁盘  
+**推荐规格：** 2 GB 以上 RAM、64 位 OS、16 GB 以上 SD 卡（或 USB SSD）
 
-## 你需要准备
+## 你需要准备的内容
 
-- Raspberry Pi 4 或 5（推荐 2GB+）
-- MicroSD 卡（16GB+）或 USB SSD（性能更好）
-- 电源（推荐官方 Pi 电源）
-- 网络连接（以太网或 WiFi）
+- Raspberry Pi 4 或 5（推荐 2 GB 以上）
+- MicroSD 卡（16 GB 以上）或 USB SSD（性能更好）
+- 电源（推荐使用官方 Pi 电源）
+- 网络连接（以太网或 Wi‑Fi）
 - 约 30 分钟
 
-## 1) 刷写系统
+## 1）刷写 OS
 
-使用 **Raspberry Pi OS Lite (64-bit)** — 无头服务器不需要桌面。
+使用 **Raspberry Pi OS Lite（64 位）** —— 对于无头服务器，不需要桌面环境。
 
 1. 下载 [Raspberry Pi Imager](https://www.raspberrypi.com/software/)
-2. 选择系统：**Raspberry Pi OS Lite (64-bit)**
-3. 点击齿轮图标（⚙️）预配置：
+2. 选择 OS：**Raspberry Pi OS Lite（64 位）**
+3. 点击齿轮图标（⚙️）进行预配置：
    - 设置主机名：`gateway-host`
    - 启用 SSH
    - 设置用户名/密码
-   - 配置 WiFi（如果不使用以太网）
-4. 刷写到你的 SD 卡 / USB 驱动器
+   - 配置 Wi‑Fi（如果不使用以太网）
+4. 将系统写入你的 SD 卡 / USB 驱动器
 5. 插入并启动 Pi
 
-## 2) 通过 SSH 连接
+## 2）通过 SSH 连接
 
 ```bash
 ssh user@gateway-host
@@ -70,37 +70,37 @@ ssh user@gateway-host
 ssh user@192.168.x.x
 ```
 
-## 3) 系统设置
+## 3）系统设置
 
 ```bash
 # 更新系统
 sudo apt update && sudo apt upgrade -y
 
-# 安装必要软件包
+# 安装基础软件包
 sudo apt install -y git curl build-essential
 
 # 设置时区（对 cron/提醒很重要）
 sudo timedatectl set-timezone America/Chicago  # 改成你的时区
 ```
 
-## 4) 安装 Node.js 22（ARM64）
+## 4）安装 Node.js 24（ARM64）
 
 ```bash
 # 通过 NodeSource 安装 Node.js
-curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
+curl -fsSL https://deb.nodesource.com/setup_24.x | sudo -E bash -
 sudo apt install -y nodejs
 
 # 验证
-node --version  # 应显示 v22.x.x
+node --version  # 应显示 v24.x.x
 npm --version
 ```
 
-## 5) 添加交换空间（2GB 或更少内存时很重要）
+## 5）添加 swap（对于 2 GB 或更低内存很重要）
 
-交换空间可防止内存不足崩溃：
+swap 可以防止内存不足崩溃：
 
 ```bash
-# 创建 2GB 交换文件
+# 创建 2 GB swap 文件
 sudo fallocate -l 2G /swapfile
 sudo chmod 600 /swapfile
 sudo mkswap /swapfile
@@ -109,12 +109,12 @@ sudo swapon /swapfile
 # 永久生效
 echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
 
-# 优化低内存（降低 swappiness）
+# 针对低内存优化（降低 swappiness）
 echo 'vm.swappiness=10' | sudo tee -a /etc/sysctl.conf
 sudo sysctl -p
 ```
 
-## 6) 安装 OpenClaw
+## 6）安装 OpenClaw
 
 ### 选项 A：标准安装（推荐）
 
@@ -122,7 +122,7 @@ sudo sysctl -p
 curl -fsSL https://openclaw.ai/install.sh | bash
 ```
 
-### 选项 B：可修改安装（用于调试）
+### 选项 B：可修改安装（适合折腾）
 
 ```bash
 git clone https://github.com/openclaw/openclaw.git
@@ -132,22 +132,22 @@ npm run build
 npm link
 ```
 
-可修改安装让你可以直接访问日志和代码 — 对调试 ARM 特定问题很有用。
+可修改安装会让你直接访问日志和代码 —— 这对于调试 ARM 特定问题很有帮助。
 
-## 7) 运行新手引导
+## 7）运行新手引导
 
 ```bash
 openclaw onboard --install-daemon
 ```
 
-按照向导操作：
+按向导完成设置：
 
 1. **Gateway 网关模式：** Local
-2. **认证：** 推荐 API 密钥（OAuth 在无头 Pi 上可能不稳定）
-3. **渠道：** Telegram 最容易上手
+2. **认证：** 推荐 API key（在无头 Pi 上 OAuth 可能比较挑环境）
+3. **渠道：** 最容易上手的是 Telegram
 4. **守护进程：** 是（systemd）
 
-## 8) 验证安装
+## 8）验证安装
 
 ```bash
 # 检查状态
@@ -160,52 +160,103 @@ sudo systemctl status openclaw
 journalctl -u openclaw -f
 ```
 
-## 9) 访问仪表板
+## 9）访问 OpenClaw Dashboard
 
-由于 Pi 是无头的，使用 SSH 隧道：
+将 `user@gateway-host` 替换为你的 Pi 用户名，以及主机名或 IP 地址。
+
+在你的电脑上，让 Pi 打印一个新的 Dashboard URL：
 
 ```bash
-# 从你的笔记本电脑/台式机
-ssh -L 18789:localhost:18789 user@gateway-host
-
-# 然后在浏览器中打开
-open http://localhost:18789
+ssh user@gateway-host 'openclaw dashboard --no-open'
 ```
 
-或使用 Tailscale 实现常驻访问：
+该命令会打印 `Dashboard URL:`。根据 `gateway.auth.token`
+的配置方式，URL 可能是普通的 `http://127.0.0.1:18789/` 链接，也可能是包含 `#token=...` 的链接。
+
+在你电脑上的另一个终端中，创建 SSH 隧道：
 
 ```bash
-# 在 Pi 上
-curl -fsSL https://tailscale.com/install.sh | sh
-sudo tailscale up
-
-# 更新配置
-openclaw config set gateway.bind tailnet
-sudo systemctl restart openclaw
+ssh -N -L 18789:127.0.0.1:18789 user@gateway-host
 ```
 
+然后在本地浏览器中打开打印出的 Dashboard URL。
+
+如果 UI 要求认证，请将 `gateway.auth.token`
+（或 `OPENCLAW_GATEWAY_TOKEN`）中的 token 粘贴到 Control UI 设置中。
+
+如需始终在线的远程访问，请参阅 [Tailscale](/gateway/tailscale)。
+
 ---
 
 ## 性能优化
 
-### 使用 USB SSD（巨大改进）
+### 使用 USB SSD（显著提升）
 
-SD 卡速度慢且会磨损。USB SSD 可大幅提升性能：
+SD 卡速度慢且易磨损。USB SSD 会显著提升性能：
 
 ```bash
 # 检查是否从 USB 启动
 lsblk
 ```
 
-设置请参见 [Pi USB 启动指南](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#usb-mass-storage-boot)。
+设置方法请参阅 [Pi USB boot guide](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#usb-mass-storage-boot)。
 
-### 减少内存使用
+### 加快 CLI 启动速度（模块编译缓存）
+
+在性能较弱的 Pi 主机上，启用 Node 的模块编译缓存可以加快重复 CLI 运行速度：
 
 ```bash
-# 禁用 GPU 内存分配（无头模式）
+grep -q 'NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc || cat >> ~/.bashrc <<'EOF' # pragma: allowlist secret
+export NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache
+mkdir -p /var/tmp/openclaw-compile-cache
+export OPENCLAW_NO_RESPAWN=1
+EOF
+source ~/.bashrc
+```
+
+说明：
+
+- `NODE_COMPILE_CACHE` 会加快后续运行（`status`、`health`、`--help`）。
+- `/var/tmp` 比 `/tmp` 更能在重启后保留内容。
+- `OPENCLAW_NO_RESPAWN=1` 可避免 CLI 自重启带来的额外启动开销。
+- 第一次运行会预热缓存；之后的运行收益最大。
+
+### systemd 启动调优（可选）
+
+如果这台 Pi 主要运行 OpenClaw，可以添加一个服务 drop-in，以减少重启抖动并保持稳定的启动环境：
+
+```bash
+sudo systemctl edit openclaw
+```
+
+```ini
+[Service]
+Environment=OPENCLAW_NO_RESPAWN=1
+Environment=NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache
+Restart=always
+RestartSec=2
+TimeoutStartSec=90
+```
+
+然后应用：
+
+```bash
+sudo systemctl daemon-reload
+sudo systemctl restart openclaw
+```
+
+如果可能，请将 OpenClaw 状态/缓存放在 SSD 支持的存储上，以避免冷启动期间 SD 卡随机 I/O 成为瓶颈。
+
+关于 `Restart=` 策略如何帮助自动恢复：
+[systemd can automate service recovery](https://www.redhat.com/en/blog/systemd-automate-recovery)。
+
+### 减少内存占用
+
+```bash
+# 禁用 GPU 内存分配（无头）
 echo 'gpu_mem=16' | sudo tee -a /boot/config.txt
 
-# 如不需要则禁用蓝牙
+# 如果不需要，禁用蓝牙
 sudo systemctl disable bluetooth
 ```
 
@@ -228,32 +279,32 @@ htop
 
 ### 二进制兼容性
 
-大多数 OpenClaw 功能在 ARM64 上可用，但某些外部二进制文件可能需要 ARM 构建：
+OpenClaw 的大多数功能都可在 ARM64 上运行，但某些外部二进制文件可能需要 ARM 构建版本：
 
 | 工具               | ARM64 状态 | 说明                                |
 | ------------------ | ---------- | ----------------------------------- |
 | Node.js            | ✅         | 运行良好                            |
 | WhatsApp (Baileys) | ✅         | 纯 JS，无问题                       |
 | Telegram           | ✅         | 纯 JS，无问题                       |
-| gog (Gmail CLI)    | ⚠️         | 检查是否有 ARM 版本                 |
+| gog (Gmail CLI)    | ⚠️         | 请检查是否有 ARM 发布版本           |
 | Chromium (browser) | ✅         | `sudo apt install chromium-browser` |
 
-如果某个 skill 失败，检查其二进制文件是否有 ARM 构建。许多 Go/Rust 工具有；有些没有。
+如果某个 skill 失败，请检查其二进制文件是否有 ARM 构建版本。许多 Go/Rust 工具都有；有些则没有。
 
-### 32 位 vs 64 位
+### 32 位与 64 位
 
-**始终使用 64 位系统。** Node.js 和许多现代工具需要它。使用以下命令检查：
+**务必使用 64 位 OS。** Node.js 和许多现代工具都要求如此。使用以下命令检查：
 
 ```bash
 uname -m
-# 应显示：aarch64（64 位）而不是 armv7l（32 位）
+# 应显示：aarch64（64 位），而不是 armv7l（32 位）
 ```
 
 ---
 
 ## 推荐的模型设置
 
-由于 Pi 只是 Gateway 网关（模型在云端运行），使用基于 API 的模型：
+由于 Pi 只是 Gateway 网关（模型在云中运行），请使用基于 API 的模型：
 
 ```json
 {
@@ -268,19 +319,19 @@ uname -m
 }
 ```
 
-**不要尝试在 Pi 上运行本地 LLM** — 即使是小模型也太慢了。让 Claude/GPT 来做繁重的工作。
+**不要尝试在 Pi 上运行本地 LLM** —— 即使是小模型也太慢了。让 Claude/GPT 负责主要计算工作。
 
 ---
 
-## 开机自启
+## 开机自动启动
 
-新手引导向导会设置这个，但要验证：
+设置向导会帮你配置这个，但你也可以这样验证：
 
 ```bash
 # 检查服务是否已启用
 sudo systemctl is-enabled openclaw
 
-# 如果没有则启用
+# 如果没有，则启用
 sudo systemctl enable openclaw
 
 # 开机启动
@@ -297,15 +348,15 @@ sudo systemctl start openclaw
 # 检查内存
 free -h
 
-# 添加更多交换空间（见步骤 5）
+# 添加更多 swap（见第 5 步）
 # 或减少 Pi 上运行的服务
 ```
 
-### 性能慢
+### 性能缓慢
 
-- 使用 USB SSD 代替 SD 卡
+- 使用 USB SSD 替代 SD 卡
 - 禁用未使用的服务：`sudo systemctl disable cups bluetooth avahi-daemon`
-- 检查 CPU 降频：`vcgencmd get_throttled`（应返回 `0x0`）
+- 检查 CPU 限频：`vcgencmd get_throttled`（应返回 `0x0`）
 
 ### 服务无法启动
 
@@ -314,25 +365,25 @@ free -h
 journalctl -u openclaw --no-pager -n 100
 
 # 常见修复：重新构建
-cd ~/openclaw  # 如果使用可修改安装
+cd ~/openclaw  # 如果使用的是可修改安装
 npm run build
 sudo systemctl restart openclaw
 ```
 
 ### ARM 二进制问题
 
-如果某个 skill 失败并显示"exec format error"：
+如果某个 skill 因 “exec format error” 失败：
 
-1. 检查该二进制文件是否有 ARM64 构建
-2. 尝试从源代码构建
+1. 检查该二进制文件是否有 ARM64 构建版本
+2. 尝试从源码构建
 3. 或使用支持 ARM 的 Docker 容器
 
-### WiFi 断开
+### Wi‑Fi 掉线
 
-对于使用 WiFi 的无头 Pi：
+对于通过 Wi‑Fi 运行的无头 Pi：
 
 ```bash
-# 禁用 WiFi 电源管理
+# 禁用 Wi‑Fi 省电
 sudo iwconfig wlan0 power off
 
 # 永久生效
@@ -343,23 +394,23 @@ echo 'wireless-power off' | sudo tee -a /etc/network/interfaces
 
 ## 成本对比
 
-| 设置           | 一次性成本 | 月费     | 说明               |
-| -------------- | ---------- | -------- | ------------------ |
-| **Pi 4 (2GB)** | ~$45       | $0       | + 电费（约 $5/年） |
-| **Pi 4 (4GB)** | ~$55       | $0       | 推荐               |
-| **Pi 5 (4GB)** | ~$60       | $0       | 最佳性能           |
-| **Pi 5 (8GB)** | ~$80       | $0       | 过剩但面向未来     |
-| DigitalOcean   | $0         | $6/月    | $72/年             |
-| Hetzner        | $0         | €3.79/月 | 约 $50/年          |
+| 方案            | 一次性成本 | 月成本   | 说明                     |
+| --------------- | ---------- | -------- | ------------------------ |
+| **Pi 4（2GB）** | ~$45       | $0       | + 电费（约 $5/年）       |
+| **Pi 4（4GB）** | ~$55       | $0       | 推荐                     |
+| **Pi 5（4GB）** | ~$60       | $0       | 最佳性能                 |
+| **Pi 5（8GB）** | ~$80       | $0       | 有些超配，但更有未来余量 |
+| DigitalOcean    | $0         | $6/月    | $72/年                   |
+| Hetzner         | $0         | €3.79/月 | 约 $50/年                |
 
-**回本期：** 与云 VPS 相比，Pi 约 6-12 个月内回本。
+**回本周期：** 与云 VPS 相比，一台 Pi 大约 6–12 个月即可回本。
 
 ---
 
 ## 另请参阅
 
-- [Linux 指南](/platforms/linux) — 通用 Linux 设置
-- [DigitalOcean 指南](/platforms/digitalocean) — 云替代方案
-- [Hetzner 指南](/install/hetzner) — Docker 设置
+- [Linux guide](/platforms/linux) — 通用 Linux 设置
+- [DigitalOcean guide](/platforms/digitalocean) — 云端替代方案
+- [Hetzner guide](/install/hetzner) — Docker 设置
 - [Tailscale](/gateway/tailscale) — 远程访问
-- [节点](/nodes) — 将你的笔记本电脑/手机与 Pi Gateway 网关配对
+- [Nodes](/nodes) — 将你的笔记本电脑/手机与 Pi Gateway 网关配对
diff --git a/docs/zh-CN/platforms/windows.md b/docs/zh-CN/platforms/windows.md
index e51ca23c6f4..a2ec7e14de3 100644
--- a/docs/zh-CN/platforms/windows.md
+++ b/docs/zh-CN/platforms/windows.md
@@ -3,31 +3,72 @@ read_when:
   - 在 Windows 上安装 OpenClaw
   - 查找 Windows 配套应用状态
 summary: Windows（WSL2）支持 + 配套应用状态
-title: Windows (WSL2)
+title: Windows（WSL2）
 x-i18n:
-  generated_at: "2026-02-03T07:53:19Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: c93d2263b4e5b60cb6fbe9adcb1a0ca95b70cd6feb6e63cfc4459cb18b229da0
+  generated_at: "2026-03-16T06:24:52Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 2e905b129f34ac31e30d5767504233411b306b5985252f1a285e09f1ece19962
   source_path: platforms/windows.md
   workflow: 15
 ---
 
-# Windows (WSL2)
+# Windows（WSL2）
 
-Windows 上的 OpenClaw 推荐**通过 WSL2**（推荐 Ubuntu）。CLI + Gateway 网关在 Linux 内运行，这保持了运行时的一致性并使工具兼容性大大提高（Node/Bun/pnpm、Linux 二进制文件、Skills）。原生 Windows 可能更棘手。WSL2 给你完整的 Linux 体验——一条命令安装：`wsl --install`。
+推荐在 Windows 上**通过 WSL2** 运行 OpenClaw（推荐 Ubuntu）。CLI + Gateway 网关在 Linux 内运行，这能保持运行时一致，并使
+工具链兼容性高得多（Node/Bun/pnpm、Linux 二进制文件、Skills）。原生
+Windows 可能会更棘手。WSL2 可提供完整的 Linux 体验 —— 只需一条命令
+即可安装：`wsl --install`。
 
-原生 Windows 配套应用已在计划中。
+原生 Windows 配套应用已在规划中。
 
 ## 安装（WSL2）
 
-- [入门指南](/start/getting-started)（在 WSL 内使用）
-- [安装和更新](/install/updating)
-- 官方 WSL2 指南（Microsoft）：https://learn.microsoft.com/windows/wsl/install
+- [入门指南](/start/getting-started)（请在 WSL 内使用）
+- [安装与更新](/install/updating)
+- 官方 WSL2 指南（Microsoft）：[https://learn.microsoft.com/windows/wsl/install](https://learn.microsoft.com/windows/wsl/install)
+
+## 原生 Windows 状态
+
+原生 Windows CLI 流程正在改进，但 WSL2 仍然是推荐路径。
+
+当前在原生 Windows 上运行良好的内容：
+
+- 通过 `install.ps1` 使用网站安装器
+- 本地 CLI 用法，例如 `openclaw --version`、`openclaw doctor` 和 `openclaw plugins list --json`
+- 嵌入式 local-agent/provider 冒烟测试，例如：
+
+```powershell
+openclaw agent --local --agent main --thinking low -m "Reply with exactly WINDOWS-HATCH-OK."
+```
+
+当前注意事项：
+
+- 除非你传递 `--skip-health`，否则 `openclaw onboard --non-interactive` 仍然要求本地 Gateway 网关可访问
+- `openclaw onboard --non-interactive --install-daemon` 和 `openclaw gateway install` 会优先尝试 Windows Scheduled Tasks
+- 如果拒绝创建 Scheduled Task，OpenClaw 会回退到每用户 Startup 文件夹登录项，并立即启动 Gateway 网关
+- 如果 `schtasks` 本身卡住或停止响应，OpenClaw 现在会快速中止该路径并回退，而不是无限挂起
+- 在可用时仍优先使用 Scheduled Tasks，因为它们能提供更好的 supervisor 状态
+
+如果你只想使用原生 CLI，而不安装 Gateway 网关服务，可使用以下任一方式：
+
+```powershell
+openclaw onboard --non-interactive --skip-health
+openclaw gateway run
+```
+
+如果你确实想在原生 Windows 上使用受管启动：
+
+```powershell
+openclaw gateway install
+openclaw gateway status --json
+```
+
+如果无法创建 Scheduled Task，回退服务模式仍会通过当前用户的 Startup 文件夹在登录后自动启动。
 
 ## Gateway 网关
 
-- [Gateway 网关操作手册](/gateway)
+- [Gateway 网关运行手册](/gateway)
 - [配置](/gateway/configuration)
 
 ## Gateway 网关服务安装（CLI）
@@ -38,19 +79,19 @@ Windows 上的 OpenClaw 推荐**通过 WSL2**（推荐 Ubuntu）。CLI + Gateway
 openclaw onboard --install-daemon
 ```
 
-或：
+或者：
 
 ```
 openclaw gateway install
 ```
 
-或：
+或者：
 
 ```
 openclaw configure
 ```
 
-出现提示时选择 **Gateway service**。
+出现提示时，选择 **Gateway 服务**。
 
 修复/迁移：
 
@@ -58,11 +99,58 @@ openclaw configure
 openclaw doctor
 ```
 
-## 高级：通过 LAN 暴露 WSL 服务（portproxy）
+## 在 Windows 登录前自动启动 Gateway 网关
 
-WSL 有自己的虚拟网络。如果另一台机器需要访问**在 WSL 内**运行的服务（SSH、本地 TTS 服务器或 Gateway 网关），你必须将 Windows 端口转发到当前的 WSL IP。WSL IP 在重启后会改变，因此你可能需要刷新转发规则。
+对于无头设置，请确保完整的启动链即使在无人登录
+Windows 时也能运行。
 
-示例（以**管理员身份**运行 PowerShell）：
+### 1）在未登录时保持用户服务运行
+
+在 WSL 内：
+
+```bash
+sudo loginctl enable-linger "$(whoami)"
+```
+
+### 2）安装 OpenClaw Gateway 网关用户服务
+
+在 WSL 内：
+
+```bash
+openclaw gateway install
+```
+
+### 3）在 Windows 启动时自动启动 WSL
+
+以管理员身份打开 PowerShell：
+
+```powershell
+schtasks /create /tn "WSL Boot" /tr "wsl.exe -d Ubuntu --exec /bin/true" /sc onstart /ru SYSTEM
+```
+
+将 `Ubuntu` 替换为以下命令输出中的发行版名称：
+
+```powershell
+wsl --list --verbose
+```
+
+### 验证启动链
+
+重启后（在 Windows 登录前），在 WSL 中检查：
+
+```bash
+systemctl --user is-enabled openclaw-gateway
+systemctl --user status openclaw-gateway --no-pager
+```
+
+## 高级：通过局域网暴露 WSL 服务（portproxy）
+
+WSL 有自己的虚拟网络。如果另一台机器需要访问
+**在 WSL 内运行**的服务（SSH、本地 TTS 服务器或 Gateway 网关），你必须
+将 Windows 端口转发到当前的 WSL IP。WSL IP 会在重启后变化，
+因此你可能需要刷新转发规则。
+
+示例（**以管理员身份**打开 PowerShell）：
 
 ```powershell
 $Distro = "Ubuntu-24.04"
@@ -76,7 +164,7 @@ netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=$ListenPor
   connectaddress=$WslIp connectport=$TargetPort
 ```
 
-允许端口通过 Windows 防火墙（一次性）：
+允许该端口通过 Windows 防火墙（一次性）：
 
 ```powershell
 New-NetFirewallRule -DisplayName "WSL SSH $ListenPort" -Direction Inbound `
@@ -91,14 +179,16 @@ netsh interface portproxy add v4tov4 listenport=$ListenPort listenaddress=0.0.0.
   connectaddress=$WslIp connectport=$TargetPort | Out-Null
 ```
 
-注意事项：
+说明：
 
-- 从另一台机器 SSH 目标是 **Windows 主机 IP**（示例：`ssh user@windows-host -p 2222`）。
-- 远程节点必须指向**可访问的** Gateway 网关 URL（不是 `127.0.0.1`）；使用 `openclaw status --all` 确认。
-- 使用 `listenaddress=0.0.0.0` 进行 LAN 访问；`127.0.0.1` 仅保持本地访问。
-- 如果你想自动化，注册一个计划任务在登录时运行刷新步骤。
+- 来自另一台机器的 SSH 应指向**Windows 主机 IP**（例如：`ssh user@windows-host -p 2222`）。
+- 远程节点必须指向**可访问的** Gateway 网关 URL（而不是 `127.0.0.1`）；请使用
+  `openclaw status --all` 进行确认。
+- 使用 `listenaddress=0.0.0.0` 可供局域网访问；`127.0.0.1` 则仅限本地。
+- 如果你希望自动执行此操作，请注册一个 Scheduled Task，在登录时运行刷新
+  步骤。
 
-## WSL2 分步安装
+## 分步 WSL2 安装
 
 ### 1）安装 WSL2 + Ubuntu
 
@@ -106,14 +196,14 @@ netsh interface portproxy add v4tov4 listenport=$ListenPort listenaddress=0.0.0.
 
 ```powershell
 wsl --install
-# Or pick a distro explicitly:
+# 或显式选择一个发行版：
 wsl --list --online
 wsl --install -d Ubuntu-24.04
 ```
 
-如果 Windows 要求则重启。
+如果 Windows 提示，请重启。
 
-### 2）启用 systemd（Gateway 网关安装所需）
+### 2）启用 systemd（Gateway 网关安装所必需）
 
 在你的 WSL 终端中：
 
@@ -124,7 +214,7 @@ systemd=true
 EOF
 ```
 
-然后从 PowerShell：
+然后在 PowerShell 中运行：
 
 ```powershell
 wsl --shutdown
@@ -138,13 +228,13 @@ systemctl --user status
 
 ### 3）安装 OpenClaw（在 WSL 内）
 
-在 WSL 内按照 Linux 入门指南流程：
+在 WSL 内按照 Linux 入门指南流程操作：
 
 ```bash
 git clone https://github.com/openclaw/openclaw.git
 cd openclaw
 pnpm install
-pnpm ui:build # auto-installs UI deps on first run
+pnpm ui:build # 首次运行时会自动安装 UI 依赖
 pnpm build
 openclaw onboard
 ```
@@ -153,4 +243,5 @@ openclaw onboard
 
 ## Windows 配套应用
 
-我们还没有 Windows 配套应用。如果你想让它实现，欢迎贡献。
+我们还没有 Windows 配套应用。如果你想推动这件事发生，欢迎
+贡献。
diff --git a/docs/zh-CN/providers/anthropic.md b/docs/zh-CN/providers/anthropic.md
index dfd99aefb9b..3c826b2bed5 100644
--- a/docs/zh-CN/providers/anthropic.md
+++ b/docs/zh-CN/providers/anthropic.md
@@ -5,31 +5,31 @@ read_when:
 summary: 在 OpenClaw 中通过 API 密钥或 setup-token 使用 Anthropic Claude
 title: Anthropic
 x-i18n:
-  generated_at: "2026-02-03T10:08:33Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: a78ccd855810a93e71d7138af4d3fc7d66e877349815c4a3207cf2214b0150b3
+  generated_at: "2026-03-16T06:25:19Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: b18eff35b652d8dc4b6d55e9051d35682511909b3168be868fa172038294d20b
   source_path: providers/anthropic.md
   workflow: 15
 ---
 
 # Anthropic（Claude）
 
-Anthropic 构建了 **Claude** 模型系列，并通过 API 提供访问。
-在 OpenClaw 中，你可以使用 API 密钥或 **setup-token** 进行认证。
+Anthropic 构建了 **Claude** 模型家族，并通过 API 提供访问。
+在 OpenClaw 中，你可以使用 API 密钥或 **setup-token** 进行身份验证。
 
 ## 选项 A：Anthropic API 密钥
 
-**适用于：** 标准 API 访问和按用量计费。
-在 Anthropic Console 中创建你的 API 密钥。
+**最适合：** 标准 API 访问和按使用量计费。
+请在 Anthropic Console 中创建你的 API 密钥。
 
 ### CLI 设置
 
 ```bash
 openclaw onboard
-# 选择：Anthropic API key
+# choose: Anthropic API key
 
-# 或非交互式
+# or non-interactive
 openclaw onboard --anthropic-api-key "$ANTHROPIC_API_KEY"
 ```
 
@@ -38,22 +38,59 @@ openclaw onboard --anthropic-api-key "$ANTHROPIC_API_KEY"
 ```json5
 {
   env: { ANTHROPIC_API_KEY: "sk-ant-..." },
-  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-5" } } },
+  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-6" } } },
 }
 ```
 
-## 提示缓存（Anthropic API）
+## Thinking 默认值（Claude 4.6）
 
-OpenClaw 支持 Anthropic 的提示缓存功能。这是**仅限 API**；订阅认证不支持缓存设置。
+- 当未设置显式 thinking 级别时，Anthropic Claude 4.6 模型在 OpenClaw 中默认使用 `adaptive` thinking。
+- 你可以按消息覆盖（`/think:<level>`），或在模型参数中覆盖：
+  `agents.defaults.models["anthropic/<model>"].params.thinking`。
+- 相关 Anthropic 文档：
+  - [Adaptive thinking](https://platform.claude.com/docs/en/build-with-claude/adaptive-thinking)
+  - [Extended thinking](https://platform.claude.com/docs/en/build-with-claude/extended-thinking)
+
+## 快速模式（Anthropic API）
+
+OpenClaw 的共享 `/fast` 开关也支持直接 Anthropic API 密钥流量。
+
+- `/fast on` 映射到 `service_tier: "auto"`
+- `/fast off` 映射到 `service_tier: "standard_only"`
+- 配置默认值：
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "anthropic/claude-sonnet-4-5": {
+          params: { fastMode: true },
+        },
+      },
+    },
+  },
+}
+```
+
+重要限制：
+
+- 这**仅适用于 API 密钥**。Anthropic setup-token / OAuth 身份验证不会遵循 OpenClaw 的快速模式层级注入。
+- OpenClaw 仅对直接发往 `api.anthropic.com` 的请求注入 Anthropic 服务层级。如果你通过代理或网关路由 `anthropic/*`，`/fast` 不会修改 `service_tier`。
+- Anthropic 会在响应中的 `usage.service_tier` 下报告实际生效的层级。对于没有 Priority Tier 容量的账户，`service_tier: "auto"` 仍可能解析为 `standard`。
+
+## Prompt 缓存（Anthropic API）
+
+OpenClaw 支持 Anthropic 的 prompt 缓存功能。这**仅适用于 API**；订阅身份验证不会遵循缓存设置。
 
 ### 配置
 
-在模型配置中使用 `cacheRetention` 参数：
+在你的模型配置中使用 `cacheRetention` 参数：
 
-| 值      | 缓存时长 | 描述                       |
+| 值      | 缓存时长 | 说明                       |
 | ------- | -------- | -------------------------- |
-| `none`  | 无缓存   | 禁用提示缓存               |
-| `short` | 5 分钟   | API 密钥认证的默认值       |
+| `none`  | 不缓存   | 禁用 prompt 缓存           |
+| `short` | 5 分钟   | API 密钥身份验证的默认值   |
 | `long`  | 1 小时   | 扩展缓存（需要 beta 标志） |
 
 ```json5
@@ -61,7 +98,7 @@ OpenClaw 支持 Anthropic 的提示缓存功能。这是**仅限 API**；订阅
   agents: {
     defaults: {
       models: {
-        "anthropic/claude-opus-4-5": {
+        "anthropic/claude-opus-4-6": {
           params: { cacheRetention: "long" },
         },
       },
@@ -72,88 +109,157 @@ OpenClaw 支持 Anthropic 的提示缓存功能。这是**仅限 API**；订阅
 
 ### 默认值
 
-使用 Anthropic API 密钥认证时，OpenClaw 会自动为所有 Anthropic 模型应用 `cacheRetention: "short"`（5 分钟缓存）。你可以通过在配置中显式设置 `cacheRetention` 来覆盖此设置。
+当使用 Anthropic API 密钥身份验证时，OpenClaw 会自动对所有 Anthropic 模型应用 `cacheRetention: "short"`（5 分钟缓存）。你可以通过在配置中显式设置 `cacheRetention` 来覆盖此行为。
+
+### 每个智能体的 cacheRetention 覆盖
+
+将模型级参数用作基线，然后通过 `agents.list[].params` 覆盖特定智能体。
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "anthropic/claude-opus-4-6" },
+      models: {
+        "anthropic/claude-opus-4-6": {
+          params: { cacheRetention: "long" }, // 大多数智能体的基线
+        },
+      },
+    },
+    list: [
+      { id: "research", default: true },
+      { id: "alerts", params: { cacheRetention: "none" } }, // 仅对该智能体覆盖
+    ],
+  },
+}
+```
+
+与缓存相关参数的配置合并顺序：
+
+1. `agents.defaults.models["provider/model"].params`
+2. `agents.list[].params`（匹配 `id`，按键覆盖）
+
+这使得一个智能体可以保留长生命周期缓存，而同一模型上的另一个智能体可以禁用缓存，以避免在突发/低复用流量上产生写入成本。
+
+### Bedrock Claude 说明
+
+- 当已配置时，Bedrock 上的 Anthropic Claude 模型（`amazon-bedrock/*anthropic.claude*`）接受透传的 `cacheRetention`。
+- 非 Anthropic 的 Bedrock 模型会在运行时被强制设置为 `cacheRetention: "none"`。
+- 当未设置显式值时，Anthropic API 密钥的智能默认值也会为 Bedrock 上的 Claude 模型引用填入 `cacheRetention: "short"`。
 
 ### 旧版参数
 
-为了向后兼容，仍支持旧版 `cacheControlTtl` 参数：
+旧的 `cacheControlTtl` 参数仍受支持，以保持向后兼容：
 
-- `"5m"` 映射到 `short`
-- `"1h"` 映射到 `long`
+- `"5m"` 映射为 `short`
+- `"1h"` 映射为 `long`
 
 我们建议迁移到新的 `cacheRetention` 参数。
 
-OpenClaw 在 Anthropic API 请求中包含 `extended-cache-ttl-2025-04-11` beta 标志；
-如果你覆盖提供商头信息，请保留它（参见 [/gateway/configuration](/gateway/configuration)）。
+OpenClaw 会在 Anthropic API 请求中包含 `extended-cache-ttl-2025-04-11` beta 标志；
+如果你覆盖了提供商请求头，请保留它（参见 [/gateway/configuration](/gateway/configuration)）。
+
+## 1M 上下文窗口（Anthropic beta）
+
+Anthropic 的 1M 上下文窗口受 beta 门控。在 OpenClaw 中，可通过为受支持的 Opus/Sonnet 模型
+设置 `params.context1m: true` 按模型启用。
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "anthropic/claude-opus-4-6": {
+          params: { context1m: true },
+        },
+      },
+    },
+  },
+}
+```
+
+OpenClaw 会将其映射为 Anthropic 请求上的 `anthropic-beta: context-1m-2025-08-07`。
+
+仅当该模型的 `params.context1m` 被显式设置为 `true` 时，
+此功能才会激活。
+
+要求：Anthropic 必须允许该凭证使用长上下文
+（通常是 API 密钥计费，或启用了 Extra Usage 的订阅账户）。
+否则 Anthropic 会返回：
+`HTTP 429: rate_limit_error: Extra usage is required for long context requests`。
+
+注意：Anthropic 当前在使用
+OAuth/订阅令牌（`sk-ant-oat-*`）时会拒绝 `context-1m-*` beta 请求。OpenClaw 会自动跳过
+OAuth 身份验证的 `context1m` beta 请求头，并保留所需的 OAuth beta 标志。
 
 ## 选项 B：Claude setup-token
 
-**适用于：** 使用你的 Claude 订阅。
+**最适合：** 使用你的 Claude 订阅。
 
-### 在哪里获取 setup-token
+### 如何获取 setup-token
 
-setup-token 由 **Claude Code CLI** 创建，而不是 Anthropic Console。你可以在**任何机器**上运行：
+setup-token 由 **Claude Code CLI** 创建，而不是在 Anthropic Console 中创建。你可以在**任何机器**上运行：
 
 ```bash
 claude setup-token
 ```
 
-将令牌粘贴到 OpenClaw（向导：**Anthropic token (paste setup-token)**），或在 Gateway 网关主机上运行：
+将该令牌粘贴到 OpenClaw 中（向导：**Anthropic token（粘贴 setup-token）**），或在 Gateway 网关主机上运行：
 
 ```bash
 openclaw models auth setup-token --provider anthropic
 ```
 
-如果你在不同的机器上生成了令牌，请粘贴它：
+如果你是在另一台机器上生成该令牌，请粘贴它：
 
 ```bash
 openclaw models auth paste-token --provider anthropic
 ```
 
-### CLI 设置
+### CLI 设置（setup-token）
 
 ```bash
-# 在新手引导期间粘贴 setup-token
+# Paste a setup-token during setup
 openclaw onboard --auth-choice setup-token
 ```
 
-### 配置片段
+### 配置片段（setup-token）
 
 ```json5
 {
-  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-5" } } },
+  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-6" } } },
 }
 ```
 
-## 注意事项
+## 说明
 
-- 使用 `claude setup-token` 生成 setup-token 并粘贴，或在 Gateway 网关主机上运行 `openclaw models auth setup-token`。
-- 如果你在 Claude 订阅上看到"OAuth token refresh failed …"，请使用 setup-token 重新认证。参见 [/gateway/troubleshooting#oauth-token-refresh-failed-anthropic-claude-subscription](/gateway/troubleshooting#oauth-token-refresh-failed-anthropic-claude-subscription)。
-- 认证详情 + 重用规则在 [/concepts/oauth](/concepts/oauth)。
+- 使用 `claude setup-token` 生成 setup-token 并粘贴它，或者在 Gateway 网关主机上运行 `openclaw models auth setup-token`。
+- 如果你在 Claude 订阅上看到 “OAuth token refresh failed …”，请使用 setup-token 重新进行身份验证。请参见 [/gateway/troubleshooting#oauth-token-refresh-failed-anthropic-claude-subscription](/gateway/troubleshooting#oauth-token-refresh-failed-anthropic-claude-subscription)。
+- 身份验证详情和复用规则见 [/concepts/oauth](/concepts/oauth)。
 
 ## 故障排除
 
-**401 错误/令牌突然失效**
+**401 错误 / 令牌突然无效**
 
-- Claude 订阅认证可能过期或被撤销。重新运行 `claude setup-token`
-  并将其粘贴到 **Gateway 网关主机**。
-- 如果 Claude CLI 登录在不同的机器上，在 Gateway 网关主机上使用
+- Claude 订阅身份验证可能会过期或被撤销。请重新运行 `claude setup-token`，
+  并将其粘贴到 **Gateway 网关主机** 上。
+- 如果 Claude CLI 登录位于另一台机器上，请在 Gateway 网关主机上使用
   `openclaw models auth paste-token --provider anthropic`。
 
 **No API key found for provider "anthropic"**
 
-- 认证是**按智能体**的。新智能体不会继承主智能体的密钥。
-- 为该智能体重新运行新手引导，或在 Gateway 网关主机上粘贴 setup-token / API 密钥，
-  然后使用 `openclaw models status` 验证。
+- 身份验证是**按智能体**区分的。新智能体不会继承主智能体的密钥。
+- 请为该智能体重新运行新手引导，或在
+  Gateway 网关主机上粘贴 setup-token / API 密钥，然后使用 `openclaw models status` 验证。
 
 **No credentials found for profile `anthropic:default`**
 
-- 运行 `openclaw models status` 查看哪个认证配置文件处于活动状态。
-- 重新运行新手引导，或为该配置文件粘贴 setup-token / API 密钥。
+- 运行 `openclaw models status` 查看当前活动的 auth profile。
+- 重新运行新手引导，或为该配置档案粘贴 setup-token / API 密钥。
 
 **No available auth profile (all in cooldown/unavailable)**
 
 - 检查 `openclaw models status --json` 中的 `auth.unusableProfiles`。
-- 添加另一个 Anthropic 配置文件或等待冷却期结束。
+- 添加另一个 Anthropic 配置档案，或等待冷却结束。
 
 更多信息：[/gateway/troubleshooting](/gateway/troubleshooting) 和 [/help/faq](/help/faq)。
diff --git a/docs/zh-CN/providers/cloudflare-ai-gateway.md b/docs/zh-CN/providers/cloudflare-ai-gateway.md
new file mode 100644
index 00000000000..350e995158f
--- /dev/null
+++ b/docs/zh-CN/providers/cloudflare-ai-gateway.md
@@ -0,0 +1,78 @@
+---
+read_when:
+  - 你想将 Cloudflare AI Gateway 与 OpenClaw 一起使用
+  - 你需要 account ID、gateway ID 或 API key 环境变量
+summary: Cloudflare AI Gateway 设置（认证 + 模型选择）
+title: Cloudflare AI Gateway
+x-i18n:
+  generated_at: "2026-03-16T06:25:05Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: db77652c37652ca20f7c50f32382dbaeaeb50ea5bdeaf1d4fd17dc394e58950c
+  source_path: providers/cloudflare-ai-gateway.md
+  workflow: 15
+---
+
+# Cloudflare AI Gateway
+
+Cloudflare AI Gateway 位于提供商 API 前方，让你能够添加分析、缓存和控制功能。对于 Anthropic，OpenClaw 会通过你的 Gateway 端点使用 Anthropic Messages API。
+
+- 提供商：`cloudflare-ai-gateway`
+- Base URL：`https://gateway.ai.cloudflare.com/v1/<account_id>/<gateway_id>/anthropic`
+- 默认模型：`cloudflare-ai-gateway/claude-sonnet-4-5`
+- API key：`CLOUDFLARE_AI_GATEWAY_API_KEY`（你用于通过 Gateway 发起请求的提供商 API key）
+
+对于 Anthropic 模型，请使用你的 Anthropic API key。
+
+## 快速开始
+
+1. 设置提供商 API key 和 Gateway 详细信息：
+
+```bash
+openclaw onboard --auth-choice cloudflare-ai-gateway-api-key
+```
+
+2. 设置默认模型：
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "cloudflare-ai-gateway/claude-sonnet-4-5" },
+    },
+  },
+}
+```
+
+## 非交互式示例
+
+```bash
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice cloudflare-ai-gateway-api-key \
+  --cloudflare-ai-gateway-account-id "your-account-id" \
+  --cloudflare-ai-gateway-gateway-id "your-gateway-id" \
+  --cloudflare-ai-gateway-api-key "$CLOUDFLARE_AI_GATEWAY_API_KEY"
+```
+
+## 已认证的 Gateway
+
+如果你在 Cloudflare 中启用了 Gateway 认证，请添加 `cf-aig-authorization` header（这是在你的提供商 API key 之外额外添加的）。
+
+```json5
+{
+  models: {
+    providers: {
+      "cloudflare-ai-gateway": {
+        headers: {
+          "cf-aig-authorization": "Bearer <cloudflare-ai-gateway-token>",
+        },
+      },
+    },
+  },
+}
+```
+
+## 环境说明
+
+如果 Gateway 作为守护进程运行（launchd/systemd），请确保 `CLOUDFLARE_AI_GATEWAY_API_KEY` 对该进程可用（例如放在 `~/.openclaw/.env` 中，或通过 `env.shellEnv` 提供）。
diff --git a/docs/zh-CN/providers/glm.md b/docs/zh-CN/providers/glm.md
index 77bce2c6643..f39631ca09f 100644
--- a/docs/zh-CN/providers/glm.md
+++ b/docs/zh-CN/providers/glm.md
@@ -1,26 +1,37 @@
 ---
 read_when:
   - 你想在 OpenClaw 中使用 GLM 模型
-  - 你需要了解模型命名规范和设置方法
-summary: GLM 模型系列概述 + 如何在 OpenClaw 中使用
-title: GLM 模型
+  - 你需要了解模型命名约定和设置方法
+summary: GLM 模型家族概览 + 如何在 OpenClaw 中使用
+title: GLM Models
 x-i18n:
-  generated_at: "2026-02-01T21:34:53Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 2d7b457f033f26f28c230a9cd2310151f825fc52c3ee4fb814d08fd2d022d041
+  generated_at: "2026-03-16T06:25:10Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 061254ebeedec7285d9c0c6e88145f89184ad4ab8d8d6132f1d692c7d3ca03a2
   source_path: providers/glm.md
   workflow: 15
 ---
 
 # GLM 模型
 
-GLM 是一个**模型系列**（而非公司），通过 Z.AI 平台提供。在 OpenClaw 中，GLM 模型通过 `zai` 提供商访问，模型 ID 格式如 `zai/glm-4.7`。
+GLM 是一个**模型家族**（不是公司），可通过 Z.AI 平台使用。在 OpenClaw 中，GLM
+模型通过 `zai` 提供商访问，模型 ID 形式如 `zai/glm-5`。
 
 ## CLI 设置
 
 ```bash
-openclaw onboard --auth-choice zai-api-key
+# Coding Plan Global，推荐给 Coding Plan 用户
+openclaw onboard --auth-choice zai-coding-global
+
+# Coding Plan CN（中国区域），推荐给 Coding Plan 用户
+openclaw onboard --auth-choice zai-coding-cn
+
+# 通用 API
+openclaw onboard --auth-choice zai-global
+
+# 通用 API CN（中国区域）
+openclaw onboard --auth-choice zai-cn
 ```
 
 ## 配置片段
@@ -28,12 +39,12 @@ openclaw onboard --auth-choice zai-api-key
 ```json5
 {
   env: { ZAI_API_KEY: "sk-..." },
-  agents: { defaults: { model: { primary: "zai/glm-4.7" } } },
+  agents: { defaults: { model: { primary: "zai/glm-5" } } },
 }
 ```
 
-## 注意事项
+## 说明
 
-- GLM 版本和可用性可能会变化；请查阅 Z.AI 的文档获取最新信息。
-- 示例模型 ID 包括 `glm-4.7` 和 `glm-4.6`。
-- 有关提供商的详细信息，请参阅 [/providers/zai](/providers/zai)。
+- GLM 版本和可用性可能会变化；请查看 Z.AI 的文档以获取最新信息。
+- 示例模型 ID 包括 `glm-5`、`glm-4.7` 和 `glm-4.6`。
+- 关于提供商详情，请参阅 [/providers/zai](/providers/zai)。
diff --git a/docs/zh-CN/providers/huggingface.md b/docs/zh-CN/providers/huggingface.md
new file mode 100644
index 00000000000..3028ae63d79
--- /dev/null
+++ b/docs/zh-CN/providers/huggingface.md
@@ -0,0 +1,216 @@
+---
+read_when:
+  - 你想将 Hugging Face Inference 与 OpenClaw 一起使用
+  - 你需要 HF token 环境变量或 CLI 认证选项
+summary: Hugging Face Inference 设置（认证 + 模型选择）
+title: Hugging Face（Inference）
+x-i18n:
+  generated_at: "2026-03-16T06:25:40Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: e62b74915c9a26ab21954abcd9c03442cdd2133fba3371ddb9bcfc3a3458a002
+  source_path: providers/huggingface.md
+  workflow: 15
+---
+
+# Hugging Face（Inference）
+
+[Hugging Face Inference Providers](https://huggingface.co/docs/inference-providers) 通过单一路由器 API 提供与 OpenAI 兼容的 chat completions。你只需一个 token，即可访问许多模型（DeepSeek、Llama 等）。OpenClaw 使用 **OpenAI 兼容端点**（仅 chat completions）；如果要使用 text-to-image、embeddings 或 speech，请直接使用 [HF inference clients](https://huggingface.co/docs/api-inference/quicktour)。
+
+- 提供商：`huggingface`
+- 认证：`HUGGINGFACE_HUB_TOKEN` 或 `HF_TOKEN`（带有 **Make calls to Inference Providers** 权限的细粒度 token）
+- API：OpenAI 兼容（`https://router.huggingface.co/v1`）
+- 计费：单个 HF token；[定价](https://huggingface.co/docs/inference-providers/pricing) 按提供商费率执行，并带有免费层。
+
+## 快速开始
+
+1. 在 [Hugging Face → Settings → Tokens](https://huggingface.co/settings/tokens/new?ownUserPermissions=inference.serverless.write&tokenType=fineGrained) 创建一个细粒度 token，并授予 **Make calls to Inference Providers** 权限。
+2. 运行新手引导，并在提供商下拉菜单中选择 **Hugging Face**，然后在提示时输入你的 API key：
+
+```bash
+openclaw onboard --auth-choice huggingface-api-key
+```
+
+3. 在 **Default Hugging Face model** 下拉菜单中，选择你想使用的模型（当你有有效 token 时，列表会从 Inference API 加载；否则会显示内置列表）。你的选择会保存为默认模型。
+4. 你也可以稍后在配置中设置或更改默认模型：
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "huggingface/deepseek-ai/DeepSeek-R1" },
+    },
+  },
+}
+```
+
+## 非交互式示例
+
+```bash
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice huggingface-api-key \
+  --huggingface-api-key "$HF_TOKEN"
+```
+
+这会将 `huggingface/deepseek-ai/DeepSeek-R1` 设置为默认模型。
+
+## 环境说明
+
+如果 Gateway 网关作为守护进程运行（launchd/systemd），请确保 `HUGGINGFACE_HUB_TOKEN` 或 `HF_TOKEN`
+对此进程可用（例如放在 `~/.openclaw/.env` 中，或通过
+`env.shellEnv` 提供）。
+
+## 模型发现和新手引导下拉菜单
+
+OpenClaw 通过直接调用 **Inference 端点** 来发现模型：
+
+```bash
+GET https://router.huggingface.co/v1/models
+```
+
+（可选：发送 `Authorization: Bearer $HUGGINGFACE_HUB_TOKEN` 或 `$HF_TOKEN` 以获取完整列表；某些端点在未认证时只返回子集。）响应采用 OpenAI 风格：`{ "object": "list", "data": [ { "id": "Qwen/Qwen3-8B", "owned_by": "Qwen", ... }, ... ] }`。
+
+当你配置 Hugging Face API key 时（通过新手引导、`HUGGINGFACE_HUB_TOKEN` 或 `HF_TOKEN`），OpenClaw 会使用这个 GET 请求来发现可用的 chat-completion 模型。在**交互式设置**期间，你输入 token 后会看到一个 **Default Hugging Face model** 下拉菜单，其内容来自该列表（如果请求失败，则使用内置目录）。在运行时（例如 Gateway 网关启动时），只要存在 key，OpenClaw 就会再次调用 **GET** `https://router.huggingface.co/v1/models` 来刷新目录。该列表会与内置目录合并（以补充上下文窗口和成本等元数据）。如果请求失败或未设置 key，则只使用内置目录。
+
+## 模型名称和可编辑选项
+
+- **来自 API 的名称：** 当 API 返回 `name`、`title` 或 `display_name` 时，模型显示名称会从 **GET /v1/models** 中补全；否则会从模型 id 推导（例如 `deepseek-ai/DeepSeek-R1` → “DeepSeek R1”）。
+- **覆盖显示名称：** 你可以在配置中为每个模型设置自定义标签，使其在 CLI 和 UI 中按你希望的方式显示：
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "huggingface/deepseek-ai/DeepSeek-R1": { alias: "DeepSeek R1 (fast)" },
+        "huggingface/deepseek-ai/DeepSeek-R1:cheapest": { alias: "DeepSeek R1 (cheap)" },
+      },
+    },
+  },
+}
+```
+
+- **提供商 / 策略选择：** 在**模型 id** 后附加后缀，以选择路由器如何挑选后端：
+  - **`:fastest`** — 最高吞吐量（由路由器选择；提供商选择会被**锁定** —— 不会显示交互式后端选择器）。
+  - **`:cheapest`** — 每输出 token 成本最低（由路由器选择；提供商选择会被**锁定**）。
+  - **`:provider`** — 强制使用特定后端（例如 `:sambanova`、`:together`）。
+
+  当你选择 **:cheapest** 或 **:fastest** 时（例如在新手引导的模型下拉菜单中），提供商会被锁定：路由器会按成本或速度决定，不会显示可选的“偏好特定后端”步骤。你可以将这些作为单独条目添加到 `models.providers.huggingface.models` 中，或为 `model.primary` 设置带后缀的值。你也可以在 [Inference Provider settings](https://hf.co/settings/inference-providers) 中设置默认顺序（无后缀 = 使用该顺序）。
+
+- **配置合并：** 当配置被合并时，`models.providers.huggingface.models` 中已有的条目（例如在 `models.json` 中）会被保留。因此，你在其中设置的任何自定义 `name`、`alias` 或模型选项都会保留。
+
+## 模型 ID 和配置示例
+
+模型引用使用 `huggingface/<org>/<model>` 形式（Hub 风格 ID）。下面的列表来自 **GET** `https://router.huggingface.co/v1/models`；你的目录中可能包含更多内容。
+
+**示例 ID（来自 inference 端点）：**
+
+| 模型                   | 引用（加上 `huggingface/` 前缀）    |
+| ---------------------- | ----------------------------------- |
+| DeepSeek R1            | `deepseek-ai/DeepSeek-R1`           |
+| DeepSeek V3.2          | `deepseek-ai/DeepSeek-V3.2`         |
+| Qwen3 8B               | `Qwen/Qwen3-8B`                     |
+| Qwen2.5 7B Instruct    | `Qwen/Qwen2.5-7B-Instruct`          |
+| Qwen3 32B              | `Qwen/Qwen3-32B`                    |
+| Llama 3.3 70B Instruct | `meta-llama/Llama-3.3-70B-Instruct` |
+| Llama 3.1 8B Instruct  | `meta-llama/Llama-3.1-8B-Instruct`  |
+| GPT-OSS 120B           | `openai/gpt-oss-120b`               |
+| GLM 4.7                | `zai-org/GLM-4.7`                   |
+| Kimi K2.5              | `moonshotai/Kimi-K2.5`              |
+
+你可以在模型 id 后附加 `:fastest`、`:cheapest` 或 `:provider`（例如 `:together`、`:sambanova`）。请在 [Inference Provider settings](https://hf.co/settings/inference-providers) 中设置默认顺序；完整列表请参阅 [Inference Providers](https://huggingface.co/docs/inference-providers) 和 **GET** `https://router.huggingface.co/v1/models`。
+
+### 完整配置示例
+
+**以 DeepSeek R1 为主模型，Qwen 作为回退：**
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: {
+        primary: "huggingface/deepseek-ai/DeepSeek-R1",
+        fallbacks: ["huggingface/Qwen/Qwen3-8B"],
+      },
+      models: {
+        "huggingface/deepseek-ai/DeepSeek-R1": { alias: "DeepSeek R1" },
+        "huggingface/Qwen/Qwen3-8B": { alias: "Qwen3 8B" },
+      },
+    },
+  },
+}
+```
+
+**以 Qwen 为默认模型，并包含 `:cheapest` 和 `:fastest` 变体：**
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "huggingface/Qwen/Qwen3-8B" },
+      models: {
+        "huggingface/Qwen/Qwen3-8B": { alias: "Qwen3 8B" },
+        "huggingface/Qwen/Qwen3-8B:cheapest": { alias: "Qwen3 8B（最便宜）" },
+        "huggingface/Qwen/Qwen3-8B:fastest": { alias: "Qwen3 8B（最快）" },
+      },
+    },
+  },
+}
+```
+
+**带有别名的 DeepSeek + Llama + GPT-OSS：**
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: {
+        primary: "huggingface/deepseek-ai/DeepSeek-V3.2",
+        fallbacks: [
+          "huggingface/meta-llama/Llama-3.3-70B-Instruct",
+          "huggingface/openai/gpt-oss-120b",
+        ],
+      },
+      models: {
+        "huggingface/deepseek-ai/DeepSeek-V3.2": { alias: "DeepSeek V3.2" },
+        "huggingface/meta-llama/Llama-3.3-70B-Instruct": { alias: "Llama 3.3 70B" },
+        "huggingface/openai/gpt-oss-120b": { alias: "GPT-OSS 120B" },
+      },
+    },
+  },
+}
+```
+
+**使用 `:provider` 强制指定特定后端：**
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "huggingface/deepseek-ai/DeepSeek-R1:together" },
+      models: {
+        "huggingface/deepseek-ai/DeepSeek-R1:together": { alias: "DeepSeek R1 (Together)" },
+      },
+    },
+  },
+}
+```
+
+**多个 Qwen 和 DeepSeek 模型，带策略后缀：**
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "huggingface/Qwen/Qwen2.5-7B-Instruct:cheapest" },
+      models: {
+        "huggingface/Qwen/Qwen2.5-7B-Instruct": { alias: "Qwen2.5 7B" },
+        "huggingface/Qwen/Qwen2.5-7B-Instruct:cheapest": { alias: "Qwen2.5 7B（便宜）" },
+        "huggingface/deepseek-ai/DeepSeek-R1:fastest": { alias: "DeepSeek R1（快速）" },
+        "huggingface/meta-llama/Llama-3.1-8B-Instruct": { alias: "Llama 3.1 8B" },
+      },
+    },
+  },
+}
+```
diff --git a/docs/zh-CN/providers/index.md b/docs/zh-CN/providers/index.md
index 89ce5b27777..dbfabe119ea 100644
--- a/docs/zh-CN/providers/index.md
+++ b/docs/zh-CN/providers/index.md
@@ -1,41 +1,33 @@
 ---
 read_when:
   - 你想选择一个模型提供商
-  - 你需要快速了解支持的 LLM 后端
+  - 你需要支持的 LLM 后端的快速概览
 summary: OpenClaw 支持的模型提供商（LLM）
 title: 模型提供商
 x-i18n:
-  generated_at: "2026-02-03T07:53:32Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: eb4a97438adcf610499253afcf8b2af6624f4be098df389a6c3746f14c4a901b
+  generated_at: "2026-03-16T06:25:28Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 1d7ba79fd152a978e6eb3b8f8d5dfc44cebba77d2c74dc3892aae917d32ad2ee
   source_path: providers/index.md
   workflow: 15
 ---
 
 # 模型提供商
 
-OpenClaw 可以使用许多 LLM 提供商。选择一个提供商，进行认证，然后将默认模型设置为 `provider/model`。
+OpenClaw 可以使用许多 LLM 提供商。选择一个提供商，完成身份验证，然后将
+默认模型设置为 `provider/model`。
 
-正在寻找聊天渠道文档（WhatsApp/Telegram/Discord/Slack/Mattermost（插件）等）？参见[渠道](/channels)。
-
-## 亮点：Venice（Venice AI）
-
-Venice 是我们推荐的 Venice AI 设置，用于隐私优先的推理，并可选择使用 Opus 处理困难任务。
-
-- 默认：`venice/llama-3.3-70b`
-- 最佳综合：`venice/claude-opus-45`（Opus 仍然是最强的）
-
-参见 [Venice AI](/providers/venice)。
+在找聊天渠道文档（WhatsApp/Telegram/Discord/Slack/Mattermost（插件）/等）？请参见 [Channels](/channels)。
 
 ## 快速开始
 
-1. 与提供商进行认证（通常通过 `openclaw onboard`）。
+1. 使用该提供商进行身份验证（通常通过 `openclaw onboard`）。
 2. 设置默认模型：
 
 ```json5
 {
-  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-5" } } },
+  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-6" } } },
 }
 ```
 
@@ -43,15 +35,25 @@ Venice 是我们推荐的 Venice AI 设置，用于隐私优先的推理，并
 
 - [Amazon Bedrock](/providers/bedrock)
 - [Anthropic（API + Claude Code CLI）](/providers/anthropic)
+- [Cloudflare AI Gateway](/providers/cloudflare-ai-gateway)
 - [GLM 模型](/providers/glm)
+- [Hugging Face（Inference）](/providers/huggingface)
+- [Kilocode](/providers/kilocode)
+- [LiteLLM（统一网关）](/providers/litellm)
 - [MiniMax](/providers/minimax)
+- [Mistral](/providers/mistral)
 - [Moonshot AI（Kimi + Kimi Coding）](/providers/moonshot)
-- [Ollama（本地模型）](/providers/ollama)
+- [NVIDIA](/providers/nvidia)
+- [Ollama（云端 + 本地模型）](/providers/ollama)
 - [OpenAI（API + Codex）](/providers/openai)
-- [OpenCode Zen](/providers/opencode)
+- [OpenCode（Zen + Go）](/providers/opencode)
 - [OpenRouter](/providers/openrouter)
+- [Qianfan](/providers/qianfan)
 - [Qwen（OAuth）](/providers/qwen)
+- [Together AI](/providers/together)
+- [Vercel AI Gateway](/providers/vercel-ai-gateway)
 - [Venice（Venice AI，注重隐私）](/providers/venice)
+- [vLLM（本地模型）](/providers/vllm)
 - [Xiaomi](/providers/xiaomi)
 - [Z.AI](/providers/zai)
 
@@ -61,7 +63,7 @@ Venice 是我们推荐的 Venice AI 设置，用于隐私优先的推理，并
 
 ## 社区工具
 
-- [Claude Max API Proxy](/providers/claude-max-api-proxy) - 将 Claude Max/Pro 订阅作为 OpenAI 兼容的 API 端点使用
+- [Claude Max API Proxy](/providers/claude-max-api-proxy) - 面向 Claude 订阅凭证的社区代理（使用前请核实 Anthropic 政策/条款）
 
 有关完整的提供商目录（xAI、Groq、Mistral 等）和高级配置，
-参见[模型提供商](/concepts/model-providers)。
+请参见 [模型提供商](/concepts/model-providers)。
diff --git a/docs/zh-CN/providers/kilocode.md b/docs/zh-CN/providers/kilocode.md
new file mode 100644
index 00000000000..0f541ca1d47
--- /dev/null
+++ b/docs/zh-CN/providers/kilocode.md
@@ -0,0 +1,80 @@
+---
+read_when:
+  - 你想用一个 API 密钥访问多种 LLM
+  - 你想在 OpenClaw 中通过 Kilo Gateway 运行模型
+summary: 使用 Kilo Gateway 的统一 API 在 OpenClaw 中访问多种模型
+x-i18n:
+  generated_at: "2026-03-16T06:25:35Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: acd4c29496abc1ef8d4da6c48575763dfe3b4c1319874f900532223ac3775257
+  source_path: providers/kilocode.md
+  workflow: 15
+---
+
+# Kilo Gateway
+
+Kilo Gateway 提供一个**统一 API**，可通过单一
+端点和 API 密钥将请求路由到多种模型。它兼容 OpenAI，因此大多数 OpenAI SDK 只需切换基础 URL 即可使用。
+
+## 获取 API 密钥
+
+1. 前往 [app.kilo.ai](https://app.kilo.ai)
+2. 登录或创建账户
+3. 进入 API Keys 并生成一个新密钥
+
+## CLI 设置
+
+```bash
+openclaw onboard --kilocode-api-key <key>
+```
+
+或者设置环境变量：
+
+```bash
+export KILOCODE_API_KEY="<your-kilocode-api-key>" # pragma: allowlist secret
+```
+
+## 配置片段
+
+```json5
+{
+  env: { KILOCODE_API_KEY: "<your-kilocode-api-key>" }, // pragma: allowlist secret
+  agents: {
+    defaults: {
+      model: { primary: "kilocode/kilo/auto" },
+    },
+  },
+}
+```
+
+## 默认模型
+
+默认模型是 `kilocode/kilo/auto`，这是一个智能路由模型，会根据任务自动选择
+最佳的底层模型：
+
+- 规划、调试和编排任务会路由到 Claude Opus
+- 代码编写和探索任务会路由到 Claude Sonnet
+
+## 可用模型
+
+OpenClaw 会在启动时从 Kilo Gateway 动态发现可用模型。使用
+`/models kilocode` 查看你的账户可用的完整模型列表。
+
+Gateway 网关上任何可用的模型都可以使用 `kilocode/` 前缀：
+
+```
+kilocode/kilo/auto              (default - smart routing)
+kilocode/anthropic/claude-sonnet-4
+kilocode/openai/gpt-5.2
+kilocode/google/gemini-3-pro-preview
+...and many more
+```
+
+## 说明
+
+- 模型引用格式为 `kilocode/<model-id>`（例如 `kilocode/anthropic/claude-sonnet-4`）。
+- 默认模型：`kilocode/kilo/auto`
+- 基础 URL：`https://api.kilo.ai/api/gateway/`
+- 更多模型/提供商选项，请参见 [/concepts/model-providers](/concepts/model-providers)。
+- Kilo Gateway 在底层使用带有你的 API 密钥的 Bearer token。
diff --git a/docs/zh-CN/providers/litellm.md b/docs/zh-CN/providers/litellm.md
new file mode 100644
index 00000000000..769cbbce78f
--- /dev/null
+++ b/docs/zh-CN/providers/litellm.md
@@ -0,0 +1,160 @@
+---
+read_when:
+  - 你想通过 LiteLLM 代理路由 OpenClaw
+  - 你需要通过 LiteLLM 进行成本跟踪、日志记录或模型路由
+summary: 通过 LiteLLM Proxy 运行 OpenClaw，以实现统一模型访问和成本跟踪
+x-i18n:
+  generated_at: "2026-03-16T06:25:50Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 269529671c60864972441606c730b5ca327546a45d3b264dbd03204c4401936f
+  source_path: providers/litellm.md
+  workflow: 15
+---
+
+# LiteLLM
+
+[LiteLLM](https://litellm.ai) 是一个开源 LLM 网关，可为 100+ 模型提供商提供统一 API。通过 LiteLLM 路由 OpenClaw，你可以获得集中式成本跟踪、日志记录，以及在不更改 OpenClaw 配置的情况下切换后端的灵活性。
+
+## 为什么要将 LiteLLM 与 OpenClaw 搭配使用？
+
+- **成本跟踪** —— 精确查看 OpenClaw 在所有模型上的花费
+- **模型路由** —— 无需更改配置，即可在 Claude、GPT-4、Gemini、Bedrock 之间切换
+- **虚拟密钥** —— 为 OpenClaw 创建带有支出限制的密钥
+- **日志记录** —— 提供完整的请求/响应日志，便于调试
+- **回退** —— 如果你的主要提供商宕机，可自动故障切换
+
+## 快速开始
+
+### 通过新手引导
+
+```bash
+openclaw onboard --auth-choice litellm-api-key
+```
+
+### 手动设置
+
+1. 启动 LiteLLM Proxy：
+
+```bash
+pip install 'litellm[proxy]'
+litellm --model claude-opus-4-6
+```
+
+2. 将 OpenClaw 指向 LiteLLM：
+
+```bash
+export LITELLM_API_KEY="your-litellm-key"
+
+openclaw
+```
+
+就是这样。OpenClaw 现在会通过 LiteLLM 进行路由。
+
+## 配置
+
+### 环境变量
+
+```bash
+export LITELLM_API_KEY="sk-litellm-key"
+```
+
+### 配置文件
+
+```json5
+{
+  models: {
+    providers: {
+      litellm: {
+        baseUrl: "http://localhost:4000",
+        apiKey: "${LITELLM_API_KEY}",
+        api: "openai-completions",
+        models: [
+          {
+            id: "claude-opus-4-6",
+            name: "Claude Opus 4.6",
+            reasoning: true,
+            input: ["text", "image"],
+            contextWindow: 200000,
+            maxTokens: 64000,
+          },
+          {
+            id: "gpt-4o",
+            name: "GPT-4o",
+            reasoning: false,
+            input: ["text", "image"],
+            contextWindow: 128000,
+            maxTokens: 8192,
+          },
+        ],
+      },
+    },
+  },
+  agents: {
+    defaults: {
+      model: { primary: "litellm/claude-opus-4-6" },
+    },
+  },
+}
+```
+
+## 虚拟密钥
+
+为 OpenClaw 创建一个带支出限制的专用密钥：
+
+```bash
+curl -X POST "http://localhost:4000/key/generate" \
+  -H "Authorization: Bearer $LITELLM_MASTER_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "key_alias": "openclaw",
+    "max_budget": 50.00,
+    "budget_duration": "monthly"
+  }'
+```
+
+将生成的密钥用作 `LITELLM_API_KEY`。
+
+## 模型路由
+
+LiteLLM 可以将模型请求路由到不同后端。在你的 LiteLLM `config.yaml` 中进行配置：
+
+```yaml
+model_list:
+  - model_name: claude-opus-4-6
+    litellm_params:
+      model: claude-opus-4-6
+      api_key: os.environ/ANTHROPIC_API_KEY
+
+  - model_name: gpt-4o
+    litellm_params:
+      model: gpt-4o
+      api_key: os.environ/OPENAI_API_KEY
+```
+
+OpenClaw 会继续请求 `claude-opus-4-6` —— 路由由 LiteLLM 处理。
+
+## 查看使用情况
+
+检查 LiteLLM 的仪表板或 API：
+
+```bash
+# 密钥信息
+curl "http://localhost:4000/key/info" \
+  -H "Authorization: Bearer sk-litellm-key"
+
+# 支出日志
+curl "http://localhost:4000/spend/logs" \
+  -H "Authorization: Bearer $LITELLM_MASTER_KEY"
+```
+
+## 说明
+
+- LiteLLM 默认运行在 `http://localhost:4000`
+- OpenClaw 通过兼容 OpenAI 的 `/v1/chat/completions` 端点连接
+- 所有 OpenClaw 功能都可通过 LiteLLM 使用 —— 没有限制
+
+## 另请参见
+
+- [LiteLLM 文档](https://docs.litellm.ai)
+- [模型提供商](/concepts/model-providers)
diff --git a/docs/zh-CN/providers/minimax.md b/docs/zh-CN/providers/minimax.md
index acaa6f8fe55..5a55e8ef7e4 100644
--- a/docs/zh-CN/providers/minimax.md
+++ b/docs/zh-CN/providers/minimax.md
@@ -2,75 +2,78 @@
 read_when:
   - 你想在 OpenClaw 中使用 MiniMax 模型
   - 你需要 MiniMax 设置指南
-summary: 在 OpenClaw 中使用 MiniMax M2.1
+summary: 在 OpenClaw 中使用 MiniMax M2.5
 title: MiniMax
 x-i18n:
-  generated_at: "2026-02-03T10:08:52Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 861e1ddc3c24be88f716bfb72d6015d62875a9087f8e89ea4ba3a35f548c7fae
+  generated_at: "2026-03-16T06:26:04Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: ffed28de9ecc5a1d2ad9f18adc08dd9cf39df40674b14c7ef078b16c92faacf2
   source_path: providers/minimax.md
   workflow: 15
 ---
 
 # MiniMax
 
-MiniMax 是一家构建 **M2/M2.1** 模型系列的 AI 公司。当前面向编程的版本是 **MiniMax M2.1**（2025 年 12 月 23 日），专为现实世界的复杂任务而构建。
+MiniMax 是一家 AI 公司，构建了 **M2/M2.5** 模型家族。当前
+面向编码的版本是 **MiniMax M2.5**（2025 年 12 月 23 日），专为
+现实世界中的复杂任务打造。
 
-来源：[MiniMax M2.1 发布说明](https://www.minimax.io/news/minimax-m21)
+来源：[MiniMax M2.5 发布说明](https://www.minimax.io/news/minimax-m25)
 
-## 模型概述（M2.1）
+## 模型概览（M2.5）
 
-MiniMax 强调 M2.1 的以下改进：
+MiniMax 在 M2.5 中重点强调了以下改进：
 
-- 更强的**多语言编程**能力（Rust、Java、Go、C++、Kotlin、Objective-C、TS/JS）。
-- 更好的 **Web/应用开发**和美观输出质量（包括原生移动端）。
-- 改进的**复合指令**处理，适用于办公风格的工作流程，基于交错思考和集成约束执行。
-- **更简洁的响应**，更低的 token 使用量和更快的迭代循环。
-- 更强的**工具/智能体框架**兼容性和上下文管理（Claude Code、Droid/Factory AI、Cline、Kilo Code、Roo Code、BlackBox）。
+- 更强的**多语言编码**能力（Rust、Java、Go、C++、Kotlin、Objective-C、TS/JS）。
+- 更好的**Web/应用开发**和美学输出质量（包括原生移动端）。
+- 在交错思考和集成约束执行的基础上，改进了面向办公类工作流的**复合指令**处理。
+- **更简洁的响应**，token 使用量更低，迭代循环更快。
+- 更强的**工具/智能体框架**兼容性和上下文管理能力（Claude Code、
+  Droid/Factory AI、Cline、Kilo Code、Roo Code、BlackBox）。
 - 更高质量的**对话和技术写作**输出。
 
-## MiniMax M2.1 vs MiniMax M2.1 Lightning
+## MiniMax M2.5 与 MiniMax M2.5 Highspeed
 
-- **速度：** Lightning 是 MiniMax 定价文档中的"快速"变体。
-- **成本：** 定价显示相同的输入成本，但 Lightning 的输出成本更高。
-- **编程计划路由：** Lightning 后端在 MiniMax 编程计划中不能直接使用。MiniMax 自动将大多数请求路由到 Lightning，但在流量高峰期会回退到常规 M2.1 后端。
+- **速度：** `MiniMax-M2.5-highspeed` 是 MiniMax 文档中的官方高速层级。
+- **成本：** MiniMax 定价显示，高速版的输入成本相同，而输出成本更高。
+- **当前模型 ID：** 使用 `MiniMax-M2.5` 或 `MiniMax-M2.5-highspeed`。
 
-## 选择设置方式
+## 选择一种设置方式
 
-### MiniMax OAuth（编程计划）— 推荐
+### MiniMax OAuth（Coding Plan）—— 推荐
 
-**适用于：** 通过 OAuth 快速设置 MiniMax 编程计划，无需 API 密钥。
+**最适合：** 通过 OAuth 使用 MiniMax Coding Plan 快速设置，无需 API key。
 
-启用内置 OAuth 插件并进行认证：
+启用内置 OAuth 插件并完成认证：
 
 ```bash
-openclaw plugins enable minimax-portal-auth  # 如果已加载则跳过
-openclaw gateway restart  # 如果 Gateway 网关已在运行则重启
+openclaw plugins enable minimax  # 如果已加载则跳过。
+openclaw gateway restart  # 如果 gateway 已在运行，则重启
 openclaw onboard --auth-choice minimax-portal
 ```
 
-系统会提示你选择端点：
+系统会提示你选择一个端点：
 
 - **Global** - 国际用户（`api.minimax.io`）
 - **CN** - 中国用户（`api.minimaxi.com`）
 
-详情参见 [MiniMax OAuth 插件 README](https://github.com/openclaw/openclaw/tree/main/extensions/minimax-portal-auth)。
+详情请参阅 [MiniMax plugin README](https://github.com/openclaw/openclaw/tree/main/extensions/minimax)。
 
-### MiniMax M2.1（API 密钥）
+### MiniMax M2.5（API key）
 
-**适用于：** 使用 Anthropic 兼容 API 的托管 MiniMax。
+**最适合：** 使用与 Anthropic 兼容 API 的托管 MiniMax。
 
 通过 CLI 配置：
 
 - 运行 `openclaw configure`
 - 选择 **Model/auth**
-- 选择 **MiniMax M2.1**
+- 选择 **MiniMax M2.5**
 
 ```json5
 {
   env: { MINIMAX_API_KEY: "sk-..." },
-  agents: { defaults: { model: { primary: "minimax/MiniMax-M2.1" } } },
+  agents: { defaults: { model: { primary: "minimax/MiniMax-M2.5" } } },
   models: {
     mode: "merge",
     providers: {
@@ -80,11 +83,20 @@ openclaw onboard --auth-choice minimax-portal
         api: "anthropic-messages",
         models: [
           {
-            id: "MiniMax-M2.1",
-            name: "MiniMax M2.1",
-            reasoning: false,
+            id: "MiniMax-M2.5",
+            name: "MiniMax M2.5",
+            reasoning: true,
             input: ["text"],
-            cost: { input: 15, output: 60, cacheRead: 2, cacheWrite: 10 },
+            cost: { input: 0.3, output: 1.2, cacheRead: 0.03, cacheWrite: 0.12 },
+            contextWindow: 200000,
+            maxTokens: 8192,
+          },
+          {
+            id: "MiniMax-M2.5-highspeed",
+            name: "MiniMax M2.5 Highspeed",
+            reasoning: true,
+            input: ["text"],
+            cost: { input: 0.3, output: 1.2, cacheRead: 0.03, cacheWrite: 0.12 },
             contextWindow: 200000,
             maxTokens: 8192,
           },
@@ -95,9 +107,10 @@ openclaw onboard --auth-choice minimax-portal
 }
 ```
 
-### MiniMax M2.1 作为备用（Opus 为主）
+### 将 MiniMax M2.5 作为回退模型（示例）
 
-**适用于：** 保持 Opus 4.5 为主模型，故障时切换到 MiniMax M2.1。
+**最适合：** 保持你最强的最新一代模型作为主模型，并在失败时回退到 MiniMax M2.5。
+下面的示例使用 Opus 作为具体主模型；你可以替换成自己偏好的最新一代主模型。
 
 ```json5
 {
@@ -105,12 +118,12 @@ openclaw onboard --auth-choice minimax-portal
   agents: {
     defaults: {
       models: {
-        "anthropic/claude-opus-4-5": { alias: "opus" },
-        "minimax/MiniMax-M2.1": { alias: "minimax" },
+        "anthropic/claude-opus-4-6": { alias: "primary" },
+        "minimax/MiniMax-M2.5": { alias: "minimax" },
       },
       model: {
-        primary: "anthropic/claude-opus-4-5",
-        fallbacks: ["minimax/MiniMax-M2.1"],
+        primary: "anthropic/claude-opus-4-6",
+        fallbacks: ["minimax/MiniMax-M2.5"],
       },
     },
   },
@@ -119,8 +132,8 @@ openclaw onboard --auth-choice minimax-portal
 
 ### 可选：通过 LM Studio 本地运行（手动）
 
-**适用于：** 使用 LM Studio 进行本地推理。
-我们在强大硬件（例如台式机/服务器）上使用 LM Studio 的本地服务器运行 MiniMax M2.1 时看到了出色的效果。
+**最适合：** 通过 LM Studio 进行本地推理。
+我们已经看到，在强力硬件上（例如台式机/服务器）使用 LM Studio 的本地服务器运行 MiniMax M2.5 时，效果非常强。
 
 通过 `openclaw.json` 手动配置：
 
@@ -128,8 +141,8 @@ openclaw onboard --auth-choice minimax-portal
 {
   agents: {
     defaults: {
-      model: { primary: "lmstudio/minimax-m2.1-gs32" },
-      models: { "lmstudio/minimax-m2.1-gs32": { alias: "Minimax" } },
+      model: { primary: "lmstudio/minimax-m2.5-gs32" },
+      models: { "lmstudio/minimax-m2.5-gs32": { alias: "Minimax" } },
     },
   },
   models: {
@@ -141,9 +154,9 @@ openclaw onboard --auth-choice minimax-portal
         api: "openai-responses",
         models: [
           {
-            id: "minimax-m2.1-gs32",
-            name: "MiniMax M2.1 GS32",
-            reasoning: false,
+            id: "minimax-m2.5-gs32",
+            name: "MiniMax M2.5 GS32",
+            reasoning: true,
             input: ["text"],
             cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
             contextWindow: 196608,
@@ -158,48 +171,51 @@ openclaw onboard --auth-choice minimax-portal
 
 ## 通过 `openclaw configure` 配置
 
-使用交互式配置向导设置 MiniMax，无需编辑 JSON：
+使用交互式配置向导设置 MiniMax，而无需编辑 JSON：
 
 1. 运行 `openclaw configure`。
 2. 选择 **Model/auth**。
-3. 选择 **MiniMax M2.1**。
+3. 选择 **MiniMax M2.5**。
 4. 在提示时选择你的默认模型。
 
 ## 配置选项
 
-- `models.providers.minimax.baseUrl`：推荐使用 `https://api.minimax.io/anthropic`（Anthropic 兼容）；`https://api.minimax.io/v1` 可选用于 OpenAI 兼容的负载。
-- `models.providers.minimax.api`：推荐使用 `anthropic-messages`；`openai-completions` 可选用于 OpenAI 兼容的负载。
-- `models.providers.minimax.apiKey`：MiniMax API 密钥（`MINIMAX_API_KEY`）。
+- `models.providers.minimax.baseUrl`：优先使用 `https://api.minimax.io/anthropic`（与 Anthropic 兼容）；`https://api.minimax.io/v1` 可选，用于与 OpenAI 兼容的负载。
+- `models.providers.minimax.api`：优先使用 `anthropic-messages`；`openai-completions` 可选，用于与 OpenAI 兼容的负载。
+- `models.providers.minimax.apiKey`：MiniMax API key（`MINIMAX_API_KEY`）。
 - `models.providers.minimax.models`：定义 `id`、`name`、`reasoning`、`contextWindow`、`maxTokens`、`cost`。
-- `agents.defaults.models`：为你想要在允许列表中的模型设置别名。
-- `models.mode`：如果你想将 MiniMax 与内置模型一起添加，保持 `merge`。
+- `agents.defaults.models`：为你希望放入允许列表的模型设置别名。
+- `models.mode`：如果你希望在内置模型之外添加 MiniMax，请保持为 `merge`。
 
-## 注意事项
+## 说明
 
 - 模型引用格式为 `minimax/<model>`。
-- 编程计划使用量 API：`https://api.minimaxi.com/v1/api/openplatform/coding_plan/remains`（需要编程计划密钥）。
-- 如果需要精确的成本跟踪，请更新 `models.json` 中的定价值。
-- MiniMax 编程计划推荐链接（9 折优惠）：https://platform.minimax.io/subscribe/coding-plan?code=DbXJTRClnb&source=link
-- 参见 [/concepts/model-providers](/concepts/model-providers) 了解提供商规则。
-- 使用 `openclaw models list` 和 `openclaw models set minimax/MiniMax-M2.1` 切换模型。
+- 推荐模型 ID：`MiniMax-M2.5` 和 `MiniMax-M2.5-highspeed`。
+- Coding Plan 用量 API：`https://api.minimaxi.com/v1/api/openplatform/coding_plan/remains`（需要 coding plan key）。
+- 如果你需要精确成本跟踪，请更新 `models.json` 中的定价值。
+- MiniMax Coding Plan 推荐链接（九折）：[https://platform.minimax.io/subscribe/coding-plan?code=DbXJTRClnb&source=link](https://platform.minimax.io/subscribe/coding-plan?code=DbXJTRClnb&source=link)
+- 关于提供商规则，请参阅 [/concepts/model-providers](/concepts/model-providers)。
+- 使用 `openclaw models list` 和 `openclaw models set minimax/MiniMax-M2.5` 进行切换。
 
 ## 故障排除
 
-### "Unknown model: minimax/MiniMax-M2.1"
+### “Unknown model: minimax/MiniMax-M2.5”
 
-这通常意味着 **MiniMax 提供商未配置**（没有提供商条目，也没有找到 MiniMax 认证配置文件/环境变量密钥）。此检测的修复在 **2026.1.12** 中（撰写本文时尚未发布）。修复方法：
+这通常意味着 **MiniMax 提供商未配置**（没有提供商条目，
+并且也未找到 MiniMax 凭证配置文件/环境变量 key）。对此检测问题的修复已包含在
+**2026.1.12** 中（在撰写本文时尚未发布）。修复方法：
 
-- 升级到 **2026.1.12**（或从源码 `main` 分支运行），然后重启 Gateway 网关。
-- 运行 `openclaw configure` 并选择 **MiniMax M2.1**，或
-- 手动添加 `models.providers.minimax` 块，或
-- 设置 `MINIMAX_API_KEY`（或 MiniMax 认证配置文件）以便注入提供商。
+- 升级到 **2026.1.12**（或从源码运行 `main`），然后重启 gateway。
+- 运行 `openclaw configure` 并选择 **MiniMax M2.5**，或者
+- 手动添加 `models.providers.minimax` 配置块，或者
+- 设置 `MINIMAX_API_KEY`（或 MiniMax 凭证配置文件），以便注入该提供商。
 
-确保模型 id **区分大小写**：
+请确保模型 id **区分大小写**：
 
-- `minimax/MiniMax-M2.1`
-- `minimax/MiniMax-M2.1-lightning`
+- `minimax/MiniMax-M2.5`
+- `minimax/MiniMax-M2.5-highspeed`
 
-然后重新检查：
+然后使用以下命令重新检查：
 
 ```bash
 openclaw models list
diff --git a/docs/zh-CN/providers/mistral.md b/docs/zh-CN/providers/mistral.md
new file mode 100644
index 00000000000..96f6a277ff9
--- /dev/null
+++ b/docs/zh-CN/providers/mistral.md
@@ -0,0 +1,61 @@
+---
+read_when:
+  - 你想在 OpenClaw 中使用 Mistral 模型
+  - 你需要 Mistral API 密钥新手引导和模型引用
+summary: 在 OpenClaw 中使用 Mistral 模型和 Voxtral 转录
+title: Mistral
+x-i18n:
+  generated_at: "2026-03-16T06:25:57Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 4f3efe060cbaeb14e20439ade040e57d27e7d98fb9dd06e657f6a69ae808f24f
+  source_path: providers/mistral.md
+  workflow: 15
+---
+
+# Mistral
+
+OpenClaw 支持 Mistral，用于文本/图像模型路由（`mistral/...`）以及
+通过媒体理解中的 Voxtral 进行音频转录。
+Mistral 还可用于记忆嵌入（`memorySearch.provider = "mistral"`）。
+
+## CLI 设置
+
+```bash
+openclaw onboard --auth-choice mistral-api-key
+# or non-interactive
+openclaw onboard --mistral-api-key "$MISTRAL_API_KEY"
+```
+
+## 配置片段（LLM 提供商）
+
+```json5
+{
+  env: { MISTRAL_API_KEY: "sk-..." },
+  agents: { defaults: { model: { primary: "mistral/mistral-large-latest" } } },
+}
+```
+
+## 配置片段（使用 Voxtral 进行音频转录）
+
+```json5
+{
+  tools: {
+    media: {
+      audio: {
+        enabled: true,
+        models: [{ provider: "mistral", model: "voxtral-mini-latest" }],
+      },
+    },
+  },
+}
+```
+
+## 说明
+
+- Mistral 身份验证使用 `MISTRAL_API_KEY`。
+- 提供商基础 URL 默认为 `https://api.mistral.ai/v1`。
+- 新手引导默认模型为 `mistral/mistral-large-latest`。
+- Mistral 的媒体理解默认音频模型为 `voxtral-mini-latest`。
+- 媒体转录路径使用 `/v1/audio/transcriptions`。
+- 记忆嵌入路径使用 `/v1/embeddings`（默认模型：`mistral-embed`）。
diff --git a/docs/zh-CN/providers/models.md b/docs/zh-CN/providers/models.md
index dc5210b128b..872ad902351 100644
--- a/docs/zh-CN/providers/models.md
+++ b/docs/zh-CN/providers/models.md
@@ -1,55 +1,51 @@
 ---
 read_when:
   - 你想选择一个模型提供商
-  - 你想要 LLM 认证 + 模型选择的快速设置示例
+  - 你想要 LLM 身份验证 + 模型选择的快速设置示例
 summary: OpenClaw 支持的模型提供商（LLM）
-title: 模型提供商快速入门
+title: 模型提供商快速开始
 x-i18n:
-  generated_at: "2026-02-03T07:53:35Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 2f5b99207dc7860e0a7b541b61e984791f5d7ab1953b3e917365a248a09b025b
+  generated_at: "2026-03-16T06:26:02Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 7a868ba56e93e6332f0e9dd3d3e2c79a08f369dbc96c400dfba141f347d40e8f
   source_path: providers/models.md
   workflow: 15
 ---
 
 # 模型提供商
 
-OpenClaw 可以使用许多 LLM 提供商。选择一个，进行认证，然后将默认模型设置为 `provider/model`。
+OpenClaw 可以使用许多 LLM 提供商。选择一个，完成身份验证，然后将默认
+模型设置为 `provider/model`。
 
-## 推荐：Venice（Venice AI）
+## 快速开始（两步）
 
-Venice 是我们推荐的 Venice AI 设置，用于隐私优先的推理，并可选择使用 Opus 处理最困难的任务。
-
-- 默认：`venice/llama-3.3-70b`
-- 最佳综合：`venice/claude-opus-45`（Opus 仍然是最强的）
-
-参见 [Venice AI](/providers/venice)。
-
-## 快速开始（两个步骤）
-
-1. 与提供商认证（通常通过 `openclaw onboard`）。
+1. 使用该提供商进行身份验证（通常通过 `openclaw onboard`）。
 2. 设置默认模型：
 
 ```json5
 {
-  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-5" } } },
+  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-6" } } },
 }
 ```
 
-## 支持的提供商（入门集）
+## 支持的提供商（入门集合）
 
 - [OpenAI（API + Codex）](/providers/openai)
 - [Anthropic（API + Claude Code CLI）](/providers/anthropic)
 - [OpenRouter](/providers/openrouter)
 - [Vercel AI Gateway](/providers/vercel-ai-gateway)
+- [Cloudflare AI Gateway](/providers/cloudflare-ai-gateway)
 - [Moonshot AI（Kimi + Kimi Coding）](/providers/moonshot)
+- [Mistral](/providers/mistral)
 - [Synthetic](/providers/synthetic)
-- [OpenCode Zen](/providers/opencode)
+- [OpenCode（Zen + Go）](/providers/opencode)
 - [Z.AI](/providers/zai)
 - [GLM 模型](/providers/glm)
 - [MiniMax](/providers/minimax)
 - [Venice（Venice AI）](/providers/venice)
 - [Amazon Bedrock](/providers/bedrock)
+- [Qianfan](/providers/qianfan)
 
-有关完整的提供商目录（xAI、Groq、Mistral 等）和高级配置，请参阅[模型提供商](/concepts/model-providers)。
+有关完整的提供商目录（xAI、Groq、Mistral 等）和高级配置，
+请参见 [模型提供商](/concepts/model-providers)。
diff --git a/docs/zh-CN/providers/moonshot.md b/docs/zh-CN/providers/moonshot.md
index 1970c7d7266..28642b6952e 100644
--- a/docs/zh-CN/providers/moonshot.md
+++ b/docs/zh-CN/providers/moonshot.md
@@ -1,32 +1,36 @@
 ---
 read_when:
-  - 你想了解 Moonshot K2（Moonshot 开放平台）与 Kimi Coding 的配置
-  - 你需要了解独立的端点、密钥和模型引用
-  - 你想获取任一提供商的可复制粘贴配置
-summary: 配置 Moonshot K2 与 Kimi Coding（独立提供商和密钥）
+  - 你想了解 Moonshot K2（Moonshot Open Platform）与 Kimi Coding 的设置方式
+  - 你需要理解独立的端点、密钥和模型引用
+  - 你想要任一提供商的可直接复制粘贴配置
+summary: 配置 Moonshot K2 与 Kimi Coding（独立提供商 + 密钥）
 title: Moonshot AI
 x-i18n:
-  generated_at: "2026-02-01T21:35:13Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 2de81b1a37a0e6e61e0e142fcd36760ecd00834e107dc9b5e38bbf971b27e18e
+  generated_at: "2026-03-16T06:26:20Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: f95e6ffa9397e0c2bdbc247e6fb6f2892ca6a34b276ca9b773e6b875233539e3
   source_path: providers/moonshot.md
   workflow: 15
 ---
 
-# Moonshot AI (Kimi)
+# Moonshot AI（Kimi）
 
-Moonshot 提供兼容 OpenAI 端点的 Kimi API。配置提供商并将默认模型设置为 `moonshot/kimi-k2.5`，或使用 Kimi Coding 的 `kimi-coding/k2p5`。
+Moonshot 提供带有 OpenAI 兼容端点的 Kimi API。配置该
+提供商，并将默认模型设置为 `moonshot/kimi-k2.5`，或者使用
+`kimi-coding/k2p5` 作为 Kimi Coding。
 
 当前 Kimi K2 模型 ID：
-{/_ moonshot-kimi-k2-ids:start _/}
+
+[//]: # "moonshot-kimi-k2-ids:start"
 
 - `kimi-k2.5`
 - `kimi-k2-0905-preview`
 - `kimi-k2-turbo-preview`
 - `kimi-k2-thinking`
 - `kimi-k2-thinking-turbo`
-  {/_ moonshot-kimi-k2-ids:end _/}
+
+[//]: # "moonshot-kimi-k2-ids:end"
 
 ```bash
 openclaw onboard --auth-choice moonshot-api-key
@@ -38,7 +42,7 @@ Kimi Coding：
 openclaw onboard --auth-choice kimi-code-api-key
 ```
 
-注意：Moonshot 和 Kimi Coding 是独立的提供商。密钥不可互换，端点不同，模型引用也不同（Moonshot 使用 `moonshot/...`，Kimi Coding 使用 `kimi-coding/...`）。
+注意：Moonshot 和 Kimi Coding 是独立提供商。密钥不可互换，端点不同，模型引用也不同（Moonshot 使用 `moonshot/...`，Kimi Coding 使用 `kimi-coding/...`）。
 
 ## 配置片段（Moonshot API）
 
@@ -137,9 +141,42 @@ openclaw onboard --auth-choice kimi-code-api-key
 }
 ```
 
-## 注意事项
+## 说明
 
 - Moonshot 模型引用使用 `moonshot/<modelId>`。Kimi Coding 模型引用使用 `kimi-coding/<modelId>`。
 - 如有需要，可在 `models.providers` 中覆盖定价和上下文元数据。
-- 如果 Moonshot 发布了某个模型的不同上下文限制，请相应调整 `contextWindow`。
-- 如需使用中国端点，请使用 `https://api.moonshot.cn/v1`。
+- 如果 Moonshot 为某个模型发布了不同的上下文限制，请相应调整
+  `contextWindow`。
+- 国际端点使用 `https://api.moonshot.ai/v1`，中国端点使用 `https://api.moonshot.cn/v1`。
+
+## 原生 thinking 模式（Moonshot）
+
+Moonshot Kimi 支持二元原生 thinking：
+
+- `thinking: { type: "enabled" }`
+- `thinking: { type: "disabled" }`
+
+通过 `agents.defaults.models.<provider/model>.params` 为每个模型进行配置：
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "moonshot/kimi-k2.5": {
+          params: {
+            thinking: { type: "disabled" },
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+OpenClaw 还会为 Moonshot 映射运行时 `/think` 级别：
+
+- `/think off` -> `thinking.type=disabled`
+- 任何非 off 的 thinking 级别 -> `thinking.type=enabled`
+
+当启用 Moonshot thinking 时，`tool_choice` 必须为 `auto` 或 `none`。为保持兼容性，OpenClaw 会将不兼容的 `tool_choice` 值标准化为 `auto`。
diff --git a/docs/zh-CN/providers/nvidia.md b/docs/zh-CN/providers/nvidia.md
new file mode 100644
index 00000000000..7d186540f23
--- /dev/null
+++ b/docs/zh-CN/providers/nvidia.md
@@ -0,0 +1,62 @@
+---
+read_when:
+  - 你想在 OpenClaw 中使用 NVIDIA 模型
+  - 你需要设置 `NVIDIA_API_KEY`
+summary: 在 OpenClaw 中使用 NVIDIA 的 OpenAI 兼容 API
+title: NVIDIA
+x-i18n:
+  generated_at: "2026-03-16T06:26:11Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 81e7a1b6cd6821b68db9c71b864d36023b1ccfad1641bf88e2bc2957782edf8b
+  source_path: providers/nvidia.md
+  workflow: 15
+---
+
+# NVIDIA
+
+NVIDIA 在 `https://integrate.api.nvidia.com/v1` 提供一个与 OpenAI 兼容的 API，用于 Nemotron 和 NeMo 模型。请使用来自 [NVIDIA NGC](https://catalog.ngc.nvidia.com/) 的 API key 进行认证。
+
+## CLI 设置
+
+先导出 key，然后运行新手引导并设置一个 NVIDIA 模型：
+
+```bash
+export NVIDIA_API_KEY="nvapi-..."
+openclaw onboard --auth-choice skip
+openclaw models set nvidia/nvidia/llama-3.1-nemotron-70b-instruct
+```
+
+如果你仍然使用 `--token`，请记住它会出现在 shell 历史记录和 `ps` 输出中；如果可能，优先使用环境变量。
+
+## 配置片段
+
+```json5
+{
+  env: { NVIDIA_API_KEY: "nvapi-..." },
+  models: {
+    providers: {
+      nvidia: {
+        baseUrl: "https://integrate.api.nvidia.com/v1",
+        api: "openai-completions",
+      },
+    },
+  },
+  agents: {
+    defaults: {
+      model: { primary: "nvidia/nvidia/llama-3.1-nemotron-70b-instruct" },
+    },
+  },
+}
+```
+
+## 模型 ID
+
+- `nvidia/llama-3.1-nemotron-70b-instruct`（默认）
+- `meta/llama-3.3-70b-instruct`
+- `nvidia/mistral-nemo-minitron-8b-8k-instruct`
+
+## 说明
+
+- 使用与 OpenAI 兼容的 `/v1` 端点；请使用来自 NVIDIA NGC 的 API key。
+- 当设置了 `NVIDIA_API_KEY` 时，提供商会自动启用；使用静态默认值（131,072-token 上下文窗口，4,096 最大 tokens）。
diff --git a/docs/zh-CN/providers/ollama.md b/docs/zh-CN/providers/ollama.md
index b4ceb777f60..da1ce2274a5 100644
--- a/docs/zh-CN/providers/ollama.md
+++ b/docs/zh-CN/providers/ollama.md
@@ -1,37 +1,98 @@
 ---
 read_when:
-  - 你想通过 Ollama 使用本地模型运行 OpenClaw
-  - 你需要 Ollama 的安装和配置指导
-summary: 通过 Ollama（本地 LLM 运行时）运行 OpenClaw
+  - 你想通过 Ollama 在 OpenClaw 中运行云端或本地模型
+  - 你需要 Ollama 设置和配置指南
+summary: 通过 Ollama 运行 OpenClaw（云端和本地模型）
 title: Ollama
 x-i18n:
-  generated_at: "2026-02-01T21:35:22Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 157080ad90f449f622260a5f5bd293f79c15800527d36b15596e8ca232e3c957
+  generated_at: "2026-03-16T06:26:42Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 226b71bfd59614552f0b9cf1c9b1d18d82121a5fb05f6c71b11cc3cf4c23fd4e
   source_path: providers/ollama.md
   workflow: 15
 ---
 
 # Ollama
 
-Ollama 是一个本地 LLM 运行时，可以轻松在你的机器上运行开源模型。OpenClaw 通过 Ollama 的 OpenAI 兼容 API 进行集成，并且当你通过 `OLLAMA_API_KEY`（或认证配置）启用且未定义显式的 `models.providers.ollama` 条目时，可以**自动发现支持工具调用的模型**。
+Ollama 是一个本地 LLM 运行时，可以让你轻松在自己的机器上运行开源模型。OpenClaw 集成了 Ollama 的原生 API（`/api/chat`），支持流式传输和工具调用，并且在你选择使用 `OLLAMA_API_KEY`（或凭证配置文件）且未定义显式 `models.providers.ollama` 条目时，可以自动发现本地 Ollama 模型。
+
+<Warning>
+**远程 Ollama 用户：** 不要在 OpenClaw 中使用 `/v1` 的 OpenAI 兼容 URL（`http://host:11434/v1`）。这会破坏工具调用，而且模型可能会把原始工具 JSON 当作纯文本输出。请改用原生 Ollama API URL：`baseUrl: "http://host:11434"`（不要加 `/v1`）。
+</Warning>
 
 ## 快速开始
 
-1. 安装 Ollama：https://ollama.ai
+### 新手引导向导（推荐）
 
-2. 拉取模型：
+通过设置向导配置 Ollama 是最快的方法：
 
 ```bash
-ollama pull llama3.3
-# 或
-ollama pull qwen2.5-coder:32b
-# 或
-ollama pull deepseek-r1:32b
+openclaw onboard
 ```
 
-3. 为 OpenClaw 启用 Ollama（任意值即可；Ollama 不需要真实密钥）：
+从提供商列表中选择 **Ollama**。向导将会：
+
+1. 询问你的 Ollama base URL，也就是可以访问你的实例的地址（默认 `http://127.0.0.1:11434`）。
+2. 让你选择 **Cloud + Local**（云端模型和本地模型）或 **Local**（仅本地模型）。
+3. 如果你选择 **Cloud + Local** 且尚未登录 ollama.com，则打开浏览器登录流程。
+4. 发现可用模型并建议默认值。
+5. 如果所选模型本地不可用，则自动拉取它。
+
+也支持非交互模式：
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice ollama \
+  --accept-risk
+```
+
+也可以选择指定自定义 base URL 或模型：
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice ollama \
+  --custom-base-url "http://ollama-host:11434" \
+  --custom-model-id "qwen3.5:27b" \
+  --accept-risk
+```
+
+### 手动设置
+
+1. 安装 Ollama：[https://ollama.com/download](https://ollama.com/download)
+
+2. 如果你想进行本地推理，先拉取一个本地模型：
+
+```bash
+ollama pull glm-4.7-flash
+# 或
+ollama pull gpt-oss:20b
+# 或
+ollama pull llama3.3
+```
+
+3. 如果你也想使用云端模型，请先登录：
+
+```bash
+ollama signin
+```
+
+4. 运行新手引导并选择 `Ollama`：
+
+```bash
+openclaw onboard
+```
+
+- `Local`：仅本地模型
+- `Cloud + Local`：本地模型加云端模型
+- 云端模型如 `kimi-k2.5:cloud`、`minimax-m2.5:cloud` 和 `glm-5:cloud` **不需要** 本地执行 `ollama pull`
+
+OpenClaw 当前建议：
+
+- 本地默认：`glm-4.7-flash`
+- 云端默认：`kimi-k2.5:cloud`、`minimax-m2.5:cloud`、`glm-5:cloud`
+
+5. 如果你更喜欢手动设置，也可以直接为 OpenClaw 启用 Ollama（任意值都可以；Ollama 不需要真实 key）：
 
 ```bash
 # 设置环境变量
@@ -41,13 +102,20 @@ export OLLAMA_API_KEY="ollama-local"
 openclaw config set models.providers.ollama.apiKey "ollama-local"
 ```
 
-4. 使用 Ollama 模型：
+6. 查看或切换模型：
+
+```bash
+openclaw models list
+openclaw models set ollama/glm-4.7-flash
+```
+
+7. 或者在配置中设置默认值：
 
 ```json5
 {
   agents: {
     defaults: {
-      model: { primary: "ollama/llama3.3" },
+      model: { primary: "ollama/glm-4.7-flash" },
     },
   },
 }
@@ -55,39 +123,38 @@ openclaw config set models.providers.ollama.apiKey "ollama-local"
 
 ## 模型发现（隐式提供商）
 
-当你设置了 `OLLAMA_API_KEY`（或认证配置）且**未**定义 `models.providers.ollama` 时，OpenClaw 会从本地 Ollama 实例 `http://127.0.0.1:11434` 发现模型：
+当你设置 `OLLAMA_API_KEY`（或凭证配置文件），并且**未**定义 `models.providers.ollama` 时，OpenClaw 会从 `http://127.0.0.1:11434` 上的本地 Ollama 实例发现模型：
 
-- 查询 `/api/tags` 和 `/api/show`
-- 仅保留报告了 `tools` 能力的模型
-- 当模型报告 `thinking` 时标记为 `reasoning`
-- 在可用时从 `model_info["<arch>.context_length"]` 读取 `contextWindow`
-- 将 `maxTokens` 设置为上下文窗口的 10 倍
-- 所有费用设置为 `0`
+- 查询 `/api/tags`
+- 在可用时，尽力通过 `/api/show` 查找 `contextWindow`
+- 通过模型名称启发式规则标记 `reasoning`（`r1`、`reasoning`、`think`）
+- 将 `maxTokens` 设置为 OpenClaw 使用的默认 Ollama 最大 token 上限
+- 将所有成本设置为 `0`
 
-这样无需手动配置模型条目，同时保持目录与 Ollama 的能力对齐。
+这样无需手动维护模型条目，同时又能让目录与本地 Ollama 实例保持一致。
 
-查看可用模型：
+查看有哪些可用模型：
 
 ```bash
 ollama list
 openclaw models list
 ```
 
-要添加新模型，只需通过 Ollama 拉取：
+添加新模型时，只需通过 Ollama 拉取它：
 
 ```bash
 ollama pull mistral
 ```
 
-新模型将被自动发现并可供使用。
+新模型会被自动发现，并可立即使用。
 
-如果你显式设置了 `models.providers.ollama`，自动发现将被跳过，你必须手动定义模型（见下文）。
+如果你显式设置了 `models.providers.ollama`，则会跳过自动发现，你必须手动定义模型（见下文）。
 
 ## 配置
 
 ### 基本设置（隐式发现）
 
-启用 Ollama 最简单的方式是通过环境变量：
+启用 Ollama 的最简单方式是通过环境变量：
 
 ```bash
 export OLLAMA_API_KEY="ollama-local"
@@ -95,25 +162,24 @@ export OLLAMA_API_KEY="ollama-local"
 
 ### 显式设置（手动模型）
 
-在以下情况使用显式配置：
+以下情况适合使用显式配置：
 
 - Ollama 运行在其他主机/端口上。
-- 你想强制指定上下文窗口或模型列表。
-- 你想包含未报告工具支持的模型。
+- 你想强制指定特定的上下文窗口或模型列表。
+- 你希望完全手动定义模型。
 
 ```json5
 {
   models: {
     providers: {
       ollama: {
-        // 使用包含 /v1 的主机地址以兼容 OpenAI API
-        baseUrl: "http://ollama-host:11434/v1",
+        baseUrl: "http://ollama-host:11434",
         apiKey: "ollama-local",
-        api: "openai-completions",
+        api: "ollama",
         models: [
           {
-            id: "llama3.3",
-            name: "Llama 3.3",
+            id: "gpt-oss:20b",
+            name: "GPT-OSS 20B",
             reasoning: false,
             input: ["text"],
             cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
@@ -127,11 +193,11 @@ export OLLAMA_API_KEY="ollama-local"
 }
 ```
 
-如果设置了 `OLLAMA_API_KEY`，你可以在提供商条目中省略 `apiKey`，OpenClaw 会自动填充以进行可用性检查。
+如果设置了 `OLLAMA_API_KEY`，你可以在提供商条目中省略 `apiKey`，OpenClaw 会在可用性检查时自动填充它。
 
-### 自定义基础 URL（显式配置）
+### 自定义 base URL（显式配置）
 
-如果 Ollama 运行在不同的主机或端口上（显式配置会禁用自动发现，因此需要手动定义模型）：
+如果 Ollama 运行在不同的主机或端口上（显式配置会禁用自动发现，因此你需要手动定义模型）：
 
 ```json5
 {
@@ -139,59 +205,120 @@ export OLLAMA_API_KEY="ollama-local"
     providers: {
       ollama: {
         apiKey: "ollama-local",
-        baseUrl: "http://ollama-host:11434/v1",
+        baseUrl: "http://ollama-host:11434", // 不要加 /v1 - 使用原生 Ollama API URL
+        api: "ollama", // 显式设置，以确保原生工具调用行为
       },
     },
   },
 }
 ```
 
+<Warning>
+不要在 URL 中添加 `/v1`。`/v1` 路径会启用 OpenAI 兼容模式，而在该模式下工具调用并不可靠。请使用不带路径后缀的基础 Ollama URL。
+</Warning>
+
 ### 模型选择
 
-配置完成后，所有 Ollama 模型即可使用：
+配置完成后，你的所有 Ollama 模型都可用：
 
 ```json5
 {
   agents: {
     defaults: {
       model: {
-        primary: "ollama/llama3.3",
-        fallbacks: ["ollama/qwen2.5-coder:32b"],
+        primary: "ollama/gpt-oss:20b",
+        fallbacks: ["ollama/llama3.3", "ollama/qwen2.5-coder:32b"],
       },
     },
   },
 }
 ```
 
+## 云端模型
+
+云端模型让你可以将云托管模型（例如 `kimi-k2.5:cloud`、`minimax-m2.5:cloud`、`glm-5:cloud`）与本地模型一起使用。
+
+要使用云端模型，请在设置期间选择 **Cloud + Local** 模式。向导会检查你是否已登录，并在需要时打开浏览器登录流程。如果无法验证认证状态，向导会回退到本地模型默认值。
+
+你也可以直接在 [ollama.com/signin](https://ollama.com/signin) 登录。
+
 ## 高级用法
 
 ### 推理模型
 
-当 Ollama 在 `/api/show` 中报告 `thinking` 时，OpenClaw 会将模型标记为具有推理能力：
+OpenClaw 默认会将名称中包含 `deepseek-r1`、`reasoning` 或 `think` 的模型视为支持推理的模型：
 
 ```bash
 ollama pull deepseek-r1:32b
 ```
 
-### 模型费用
+### 模型成本
 
-Ollama 免费且在本地运行，因此所有模型费用均设置为 $0。
+Ollama 是免费的，并且在本地运行，因此所有模型成本都设置为 $0。
+
+### 流式传输配置
+
+OpenClaw 的 Ollama 集成默认使用 **原生 Ollama API**（`/api/chat`），它完全支持同时进行流式传输和工具调用。无需任何特殊配置。
+
+#### 旧版 OpenAI 兼容模式
+
+<Warning>
+**在 OpenAI 兼容模式下，工具调用并不可靠。** 只有当你需要为代理使用 OpenAI 格式，并且不依赖原生工具调用行为时，才使用这种模式。
+</Warning>
+
+如果你确实需要改用 OpenAI 兼容端点（例如，在只支持 OpenAI 格式的代理之后），请显式设置 `api: "openai-completions"`：
+
+```json5
+{
+  models: {
+    providers: {
+      ollama: {
+        baseUrl: "http://ollama-host:11434/v1",
+        api: "openai-completions",
+        injectNumCtxForOpenAICompat: true, // 默认：true
+        apiKey: "ollama-local",
+        models: [...]
+      }
+    }
+  }
+}
+```
+
+这种模式可能不支持同时进行流式传输 + 工具调用。你可能需要在模型配置中通过 `params: { streaming: false }` 禁用流式传输。
+
+当 Ollama 使用 `api: "openai-completions"` 时，OpenClaw 默认会注入 `options.num_ctx`，这样 Ollama 就不会静默回退到 4096 上下文窗口。如果你的代理/上游拒绝未知的 `options` 字段，请禁用此行为：
+
+```json5
+{
+  models: {
+    providers: {
+      ollama: {
+        baseUrl: "http://ollama-host:11434/v1",
+        api: "openai-completions",
+        injectNumCtxForOpenAICompat: false,
+        apiKey: "ollama-local",
+        models: [...]
+      }
+    }
+  }
+}
+```
 
 ### 上下文窗口
 
-对于自动发现的模型，OpenClaw 会使用 Ollama 报告的上下文窗口（如果可用），否则默认为 `8192`。你可以在显式提供商配置中覆盖 `contextWindow` 和 `maxTokens`。
+对于自动发现的模型，OpenClaw 会在 Ollama 提供时使用其报告的上下文窗口，否则回退到 OpenClaw 使用的默认 Ollama 上下文窗口。你可以在显式提供商配置中覆盖 `contextWindow` 和 `maxTokens`。
 
 ## 故障排除
 
-### Ollama 未被检测到
+### 未检测到 Ollama
 
-确保 Ollama 正在运行，且你已设置 `OLLAMA_API_KEY`（或认证配置），并且**未**定义显式的 `models.providers.ollama` 条目：
+请确认 Ollama 正在运行，并且你已设置 `OLLAMA_API_KEY`（或凭证配置文件），而且**没有**定义显式的 `models.providers.ollama` 条目：
 
 ```bash
 ollama serve
 ```
 
-同时确认 API 可访问：
+并确认 API 可访问：
 
 ```bash
 curl http://localhost:11434/api/tags
@@ -199,24 +326,26 @@ curl http://localhost:11434/api/tags
 
 ### 没有可用模型
 
-OpenClaw 仅自动发现报告了工具支持的模型。如果你的模型未列出，可以：
+如果没有列出你的模型，可以：
 
-- 拉取一个支持工具调用的模型，或
+- 在本地拉取该模型，或者
 - 在 `models.providers.ollama` 中显式定义该模型。
 
 添加模型：
 
 ```bash
 ollama list  # 查看已安装的模型
-ollama pull llama3.3  # 拉取模型
+ollama pull glm-4.7-flash
+ollama pull gpt-oss:20b
+ollama pull llama3.3     # 或其他模型
 ```
 
 ### 连接被拒绝
 
-检查 Ollama 是否在正确的端口上运行：
+检查 Ollama 是否正在正确的端口上运行：
 
 ```bash
-# 检查 Ollama 是否在运行
+# 检查 Ollama 是否正在运行
 ps aux | grep ollama
 
 # 或重启 Ollama
@@ -225,6 +354,6 @@ ollama serve
 
 ## 另请参阅
 
-- [模型提供商](/concepts/model-providers) - 所有提供商概览
-- [模型选择](/concepts/models) - 如何选择模型
-- [配置](/gateway/configuration) - 完整配置参考
+- [Model Providers](/concepts/model-providers) - 所有提供商的概览
+- [Model Selection](/concepts/models) - 如何选择模型
+- [Configuration](/gateway/configuration) - 完整配置参考
diff --git a/docs/zh-CN/providers/openai.md b/docs/zh-CN/providers/openai.md
index 72c86e63a0a..74833aa1cfb 100644
--- a/docs/zh-CN/providers/openai.md
+++ b/docs/zh-CN/providers/openai.md
@@ -1,32 +1,34 @@
 ---
 read_when:
   - 你想在 OpenClaw 中使用 OpenAI 模型
-  - 你想使用 Codex 订阅认证而非 API 密钥
+  - 你想使用 Codex 订阅身份验证而不是 API 密钥
 summary: 在 OpenClaw 中通过 API 密钥或 Codex 订阅使用 OpenAI
 title: OpenAI
 x-i18n:
-  generated_at: "2026-02-01T21:35:10Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: f15365d5d616258f6035b986d80fe6acd1be5836a07e5bb68236688ef2952ef7
+  generated_at: "2026-03-16T06:26:45Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: a348d8fca7b809f84c6b90bf6a799e0a070a6e7b98a78b2cd2d747bb3d2b2212
   source_path: providers/openai.md
   workflow: 15
 ---
 
 # OpenAI
 
-OpenAI 提供 GPT 模型的开发者 API。Codex 支持**ChatGPT 登录**进行订阅访问，或**API 密钥**登录进行按量计费访问。Codex 云端需要 ChatGPT 登录。
+OpenAI 为 GPT 模型提供开发者 API。Codex 支持**ChatGPT 登录**以进行订阅
+访问，也支持**API 密钥**登录以进行按使用量计费的访问。Codex cloud 需要 ChatGPT 登录。
+OpenAI 明确支持在 OpenClaw 这样的外部工具/工作流中使用订阅 OAuth。
 
-## 方式 A：OpenAI API 密钥（OpenAI Platform）
+## 选项 A：OpenAI API 密钥（OpenAI Platform）
 
-**适用于：**直接 API 访问和按量计费。
+**最适合：** 直接 API 访问和按使用量计费。
 从 OpenAI 控制台获取你的 API 密钥。
 
 ### CLI 设置
 
 ```bash
 openclaw onboard --auth-choice openai-api-key
-# 或非交互式
+# or non-interactive
 openclaw onboard --openai-api-key "$OPENAI_API_KEY"
 ```
 
@@ -35,34 +37,272 @@ openclaw onboard --openai-api-key "$OPENAI_API_KEY"
 ```json5
 {
   env: { OPENAI_API_KEY: "sk-..." },
-  agents: { defaults: { model: { primary: "openai/gpt-5.2" } } },
+  agents: { defaults: { model: { primary: "openai/gpt-5.4" } } },
 }
 ```
 
-## 方式 B：OpenAI Code（Codex）订阅
+OpenAI 当前的 API 模型文档将 `gpt-5.4` 和 `gpt-5.4-pro` 列为直接
+OpenAI API 用法的模型。OpenClaw 会通过 `openai/*` Responses 路径转发这两者。
+OpenClaw 会有意隐藏过时的 `openai/gpt-5.3-codex-spark` 条目，
+因为直接 OpenAI API 调用会在实际流量中拒绝它。
 
-**适用于：**使用 ChatGPT/Codex 订阅访问而非 API 密钥。
-Codex 云端需要 ChatGPT 登录，而 Codex CLI 支持 ChatGPT 或 API 密钥登录。
+OpenClaw **不会**在直接 OpenAI
+API 路径上暴露 `openai/gpt-5.3-codex-spark`。`pi-ai` 仍然为该模型提供内置条目，但当前实际 OpenAI API
+请求会拒绝它。在 OpenClaw 中，Spark 被视为仅限 Codex。
 
-### CLI 设置
+## 选项 B：OpenAI Code（Codex）订阅
+
+**最适合：** 使用 ChatGPT/Codex 订阅访问，而不是 API 密钥。
+Codex cloud 需要 ChatGPT 登录，而 Codex CLI 支持 ChatGPT 或 API 密钥登录。
+
+### CLI 设置（Codex OAuth）
 
 ```bash
-# 在向导中运行 Codex OAuth
+# Run Codex OAuth in the wizard
 openclaw onboard --auth-choice openai-codex
 
-# 或直接运行 OAuth
+# Or run OAuth directly
 openclaw models auth login --provider openai-codex
 ```
 
-### 配置片段
+### 配置片段（Codex 订阅）
 
 ```json5
 {
-  agents: { defaults: { model: { primary: "openai-codex/gpt-5.2" } } },
+  agents: { defaults: { model: { primary: "openai-codex/gpt-5.4" } } },
 }
 ```
 
-## 注意事项
+OpenAI 当前的 Codex 文档将 `gpt-5.4` 列为当前 Codex 模型。OpenClaw
+会将其映射为 `openai-codex/gpt-5.4`，用于 ChatGPT/Codex OAuth。
 
-- 模型引用始终使用 `provider/model` 格式（参见 [/concepts/models](/concepts/models)）。
-- 认证详情和复用规则请参阅 [/concepts/oauth](/concepts/oauth)。
+如果你的 Codex 账户有权使用 Codex Spark，OpenClaw 也支持：
+
+- `openai-codex/gpt-5.3-codex-spark`
+
+OpenClaw 将 Codex Spark 视为仅限 Codex。它不会暴露直接的
+`openai/gpt-5.3-codex-spark` API 密钥路径。
+
+当 `pi-ai`
+发现 `openai-codex/gpt-5.3-codex-spark` 时，OpenClaw 也会保留它。请将其视为依赖 entitlement 且处于实验阶段：Codex Spark 与 GPT-5.4 `/fast` 分开，是否可用取决于已登录的 Codex /
+ChatGPT 账户。
+
+### 默认传输
+
+OpenClaw 使用 `pi-ai` 进行模型流式传输。对于 `openai/*` 和
+`openai-codex/*`，默认传输都是 `"auto"`（优先 WebSocket，然后回退到 SSE）。
+
+你可以设置 `agents.defaults.models.<provider/model>.params.transport`：
+
+- `"sse"`：强制使用 SSE
+- `"websocket"`：强制使用 WebSocket
+- `"auto"`：尝试 WebSocket，然后回退到 SSE
+
+对于 `openai/*`（Responses API），当使用 WebSocket 传输时，
+OpenClaw 还会默认启用 WebSocket 预热
+（`openaiWsWarmup: true`）。
+
+相关 OpenAI 文档：
+
+- [Realtime API with WebSocket](https://platform.openai.com/docs/guides/realtime-websocket)
+- [Streaming API responses (SSE)](https://platform.openai.com/docs/guides/streaming-responses)
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "openai-codex/gpt-5.4" },
+      models: {
+        "openai-codex/gpt-5.4": {
+          params: {
+            transport: "auto",
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+### OpenAI WebSocket 预热
+
+OpenAI 文档将预热描述为可选。OpenClaw 对
+`openai/*` 默认启用它，以在使用 WebSocket 传输时减少首次响应延迟。
+
+### 禁用预热
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "openai/gpt-5.4": {
+          params: {
+            openaiWsWarmup: false,
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+### 显式启用预热
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "openai/gpt-5.4": {
+          params: {
+            openaiWsWarmup: true,
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+### OpenAI 优先处理
+
+OpenAI 的 API 通过 `service_tier=priority` 暴露优先处理。在
+OpenClaw 中，设置 `agents.defaults.models["openai/<model>"].params.serviceTier`，即可
+在直接 `openai/*` Responses 请求中透传该字段。
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "openai/gpt-5.4": {
+          params: {
+            serviceTier: "priority",
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+支持的值为 `auto`、`default`、`flex` 和 `priority`。
+
+### OpenAI 快速模式
+
+OpenClaw 为 `openai/*` 和
+`openai-codex/*` 会话公开了共享快速模式开关：
+
+- 聊天/UI：`/fast status|on|off`
+- 配置：`agents.defaults.models["<provider>/<model>"].params.fastMode`
+
+启用快速模式后，OpenClaw 会应用低延迟 OpenAI 配置：
+
+- 当负载未明确指定 reasoning 时，设置 `reasoning.effort = "low"`
+- 当负载未明确指定 verbosity 时，设置 `text.verbosity = "low"`
+- 对直接发往 `api.openai.com` 的 `openai/*` Responses 调用设置 `service_tier = "priority"`
+
+示例：
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "openai/gpt-5.4": {
+          params: {
+            fastMode: true,
+          },
+        },
+        "openai-codex/gpt-5.4": {
+          params: {
+            fastMode: true,
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+会话覆盖优先于配置。在会话 UI 中清除会话覆盖后，
+该会话会恢复为配置的默认值。
+
+### OpenAI Responses 服务端压缩
+
+对于直接 OpenAI Responses 模型（使用 `api: "openai-responses"` 的 `openai/*`，
+且 `baseUrl` 指向 `api.openai.com`），OpenClaw 现在会自动启用 OpenAI 服务端
+压缩负载提示：
+
+- 强制设置 `store: true`（除非模型兼容性设置 `supportsStore: false`）
+- 注入 `context_management: [{ type: "compaction", compact_threshold: ... }]`
+
+默认情况下，`compact_threshold` 为模型 `contextWindow` 的 `70%`（或在不可用时为 `80000`）。
+
+### 显式启用服务端压缩
+
+当你想在兼容的
+Responses 模型上强制注入 `context_management` 时使用此设置（例如 Azure OpenAI Responses）：
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "azure-openai-responses/gpt-5.4": {
+          params: {
+            responsesServerCompaction: true,
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+### 使用自定义阈值启用
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "openai/gpt-5.4": {
+          params: {
+            responsesServerCompaction: true,
+            responsesCompactThreshold: 120000,
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+### 禁用服务端压缩
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "openai/gpt-5.4": {
+          params: {
+            responsesServerCompaction: false,
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+`responsesServerCompaction` 仅控制 `context_management` 注入。
+直接 OpenAI Responses 模型仍会强制设置 `store: true`，除非兼容性设置
+了 `supportsStore: false`。
+
+## 说明
+
+- 模型引用始终使用 `provider/model`（参见 [/concepts/models](/concepts/models)）。
+- 身份验证详情和复用规则见 [/concepts/oauth](/concepts/oauth)。
diff --git a/docs/zh-CN/providers/opencode-go.md b/docs/zh-CN/providers/opencode-go.md
new file mode 100644
index 00000000000..2b916d057ff
--- /dev/null
+++ b/docs/zh-CN/providers/opencode-go.md
@@ -0,0 +1,52 @@
+---
+read_when:
+  - 你想使用 OpenCode Go 目录
+  - 你需要了解 Go 托管模型的运行时模型引用
+summary: 使用共享的 OpenCode 设置来使用 OpenCode Go 目录
+title: OpenCode Go
+x-i18n:
+  generated_at: "2026-03-16T06:26:48Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 8650af7c64220c14bab8c22472fff8bebd7abde253e972b6a11784ad833d321c
+  source_path: providers/opencode-go.md
+  workflow: 15
+---
+
+# OpenCode Go
+
+OpenCode Go 是 [OpenCode](/providers/opencode) 中的 Go 目录。
+它使用与 Zen 目录相同的 `OPENCODE_API_KEY`，但保留运行时
+提供商 id `opencode-go`，以便上游按模型路由保持正确。
+
+## 支持的模型
+
+- `opencode-go/kimi-k2.5`
+- `opencode-go/glm-5`
+- `opencode-go/minimax-m2.5`
+
+## CLI 设置
+
+```bash
+openclaw onboard --auth-choice opencode-go
+# 或非交互式
+openclaw onboard --opencode-go-api-key "$OPENCODE_API_KEY"
+```
+
+## 配置片段
+
+```json5
+{
+  env: { OPENCODE_API_KEY: "YOUR_API_KEY_HERE" }, // pragma: allowlist secret
+  agents: { defaults: { model: { primary: "opencode-go/kimi-k2.5" } } },
+}
+```
+
+## 路由行为
+
+当模型引用使用 `opencode-go/...` 时，OpenClaw 会自动处理按模型路由。
+
+## 说明
+
+- 共享的新手引导和目录概览请使用 [OpenCode](/providers/opencode)。
+- 运行时引用保持显式：Zen 使用 `opencode/...`，Go 使用 `opencode-go/...`。
diff --git a/docs/zh-CN/providers/opencode.md b/docs/zh-CN/providers/opencode.md
index 06b0c6b61fc..18056c43751 100644
--- a/docs/zh-CN/providers/opencode.md
+++ b/docs/zh-CN/providers/opencode.md
@@ -1,41 +1,71 @@
 ---
 read_when:
-  - 你想通过 OpenCode Zen 访问模型
-  - 你想要一个适合编程的精选模型列表
-summary: 在 OpenClaw 中使用 OpenCode Zen（精选模型）
-title: OpenCode Zen
+  - 你想使用 OpenCode 托管的模型访问
+  - 你想在 Zen 和 Go 目录之间进行选择
+summary: 在 OpenClaw 中使用 OpenCode Zen 和 Go 目录
+title: OpenCode
 x-i18n:
-  generated_at: "2026-02-01T21:35:16Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 1390f9803a3cac48cb40694dd69267e3ddccd203a4ce8babda3198b926b5f6a3
+  generated_at: "2026-03-16T06:26:52Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 9ffe65d152d1835163f9f5ae4cc966e29bd01a9dbb88187c24d149c960c8225d
   source_path: providers/opencode.md
   workflow: 15
 ---
 
-# OpenCode Zen
+# OpenCode
 
-OpenCode Zen 是由 OpenCode 团队推荐的一组**精选模型列表**，适用于编程智能体。它是一个可选的托管模型访问路径，使用 API 密钥和 `opencode` 提供商。Zen 目前处于测试阶段。
+OpenCode 在 OpenClaw 中提供两个托管目录：
+
+- `opencode/...` 用于 **Zen** 目录
+- `opencode-go/...` 用于 **Go** 目录
+
+两个目录都使用相同的 OpenCode API 密钥。OpenClaw 会将运行时提供商 ID
+保持拆分，以便上游按模型路由保持正确，但新手引导和文档将它们视为
+同一个 OpenCode 设置。
 
 ## CLI 设置
 
+### Zen 目录
+
 ```bash
 openclaw onboard --auth-choice opencode-zen
-# 或非交互式
 openclaw onboard --opencode-zen-api-key "$OPENCODE_API_KEY"
 ```
 
+### Go 目录
+
+```bash
+openclaw onboard --auth-choice opencode-go
+openclaw onboard --opencode-go-api-key "$OPENCODE_API_KEY"
+```
+
 ## 配置片段
 
 ```json5
 {
   env: { OPENCODE_API_KEY: "sk-..." },
-  agents: { defaults: { model: { primary: "opencode/claude-opus-4-5" } } },
+  agents: { defaults: { model: { primary: "opencode/claude-opus-4-6" } } },
 }
 ```
 
-## 注意事项
+## 目录
+
+### Zen
+
+- 运行时提供商：`opencode`
+- 示例模型：`opencode/claude-opus-4-6`、`opencode/gpt-5.2`、`opencode/gemini-3-pro`
+- 适合你想使用精选的 OpenCode 多模型代理时
+
+### Go
+
+- 运行时提供商：`opencode-go`
+- 示例模型：`opencode-go/kimi-k2.5`、`opencode-go/glm-5`、`opencode-go/minimax-m2.5`
+- 适合你想使用 OpenCode 托管的 Kimi/GLM/MiniMax 产品线时
+
+## 说明
 
 - 也支持 `OPENCODE_ZEN_API_KEY`。
-- 你需要登录 Zen，添加账单信息，然后复制你的 API 密钥。
-- OpenCode Zen 按请求计费；详情请查看 OpenCode 控制台。
+- 在设置期间输入一个 OpenCode 密钥，会为两个运行时提供商都存储凭证。
+- 你需要登录 OpenCode、添加计费信息，然后复制你的 API 密钥。
+- 计费和目录可用性由 OpenCode 仪表板管理。
diff --git a/docs/zh-CN/providers/openrouter.md b/docs/zh-CN/providers/openrouter.md
index 25e57f190b2..1f79bd9299d 100644
--- a/docs/zh-CN/providers/openrouter.md
+++ b/docs/zh-CN/providers/openrouter.md
@@ -1,13 +1,13 @@
 ---
 read_when:
-  - 你想用一个 API 密钥访问多种 LLM
-  - 你想在 OpenClaw 中通过 OpenRouter 运行模型
-summary: 使用 OpenRouter 的统一 API 在 OpenClaw 中访问多种模型
+  - 你想用一个 API key 访问许多 LLM
+  - 你想通过 OpenRouter 在 OpenClaw 中运行模型
+summary: 使用 OpenRouter 的统一 API 在 OpenClaw 中访问许多模型
 title: OpenRouter
 x-i18n:
-  generated_at: "2026-02-01T21:35:19Z"
-  model: claude-opus-4-5
-  provider: pi
+  generated_at: "2026-03-16T06:26:52Z"
+  model: gpt-5.4
+  provider: openai
   source_hash: b7e29fc9c456c64d567dd909a85166e6dea8388ebd22155a31e69c970e081586
   source_path: providers/openrouter.md
   workflow: 15
@@ -15,7 +15,8 @@ x-i18n:
 
 # OpenRouter
 
-OpenRouter 提供了一个**统一 API**，通过单一端点和 API 密钥将请求路由到多种模型。它兼容 OpenAI，因此大多数 OpenAI SDK 只需切换 base URL 即可使用。
+OpenRouter 提供一个**统一 API**，可通过单个
+端点和 API key 将请求路由到许多模型。它与 OpenAI 兼容，因此大多数 OpenAI SDK 只需切换 base URL 即可使用。
 
 ## CLI 设置
 
@@ -36,8 +37,8 @@ openclaw onboard --auth-choice apiKey --token-provider openrouter --token "$OPEN
 }
 ```
 
-## 注意事项
+## 说明
 
 - 模型引用格式为 `openrouter/<provider>/<model>`。
-- 更多模型/提供商选项，请参阅[模型提供商](/concepts/model-providers)。
-- OpenRouter 底层使用 Bearer 令牌和你的 API 密钥进行认证。
+- 关于更多模型/提供商选项，请参阅 [/concepts/model-providers](/concepts/model-providers)。
+- OpenRouter 在底层使用带有你的 API key 的 Bearer token。
diff --git a/docs/zh-CN/providers/qianfan.md b/docs/zh-CN/providers/qianfan.md
index 4bb17cee5c8..67a438a2a69 100644
--- a/docs/zh-CN/providers/qianfan.md
+++ b/docs/zh-CN/providers/qianfan.md
@@ -1,8 +1,45 @@
 ---
-summary: 使用千帆统一 API 在 OpenClaw 中接入多种模型
-title: 千帆（Qianfan）
+read_when:
+  - 你想用一个 API key 访问许多 LLM
+  - 你需要 Baidu Qianfan 设置指南
+summary: 使用 Qianfan 的统一 API 在 OpenClaw 中访问许多模型
+title: Qianfan
+x-i18n:
+  generated_at: "2026-03-16T06:26:58Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 2ca710b422f190b65d23db51a3219f0abd67074fb385251efeca6eae095d02e0
+  source_path: providers/qianfan.md
+  workflow: 15
 ---
 
-# 千帆（Qianfan）
+# Qianfan 提供商指南
 
-该页面是英文文档的中文占位版本，完整内容请先参考英文版：[Qianfan](/providers/qianfan)。
+Qianfan 是 Baidu 的 MaaS 平台，提供一个**统一 API**，可通过单个
+端点和 API key 将请求路由到许多模型。它与 OpenAI 兼容，因此大多数 OpenAI SDK 只需切换 base URL 即可使用。
+
+## 前提条件
+
+1. 一个已开通 Qianfan API 访问权限的 Baidu Cloud 账号
+2. 一个来自 Qianfan 控制台的 API key
+3. 已在你的系统上安装 OpenClaw
+
+## 获取 API key
+
+1. 访问 [Qianfan Console](https://console.bce.baidu.com/qianfan/ais/console/apiKey)
+2. 创建一个新应用，或选择一个现有应用
+3. 生成一个 API key（格式：`bce-v3/ALTAK-...`）
+4. 复制该 API key 以在 OpenClaw 中使用
+
+## CLI 设置
+
+```bash
+openclaw onboard --auth-choice qianfan-api-key
+```
+
+## 相关文档
+
+- [OpenClaw Configuration](/gateway/configuration)
+- [Model Providers](/concepts/model-providers)
+- [Agent Setup](/concepts/agent)
+- [Qianfan API Documentation](https://cloud.baidu.com/doc/qianfan-api/s/3m7of64lb)
diff --git a/docs/zh-CN/providers/sglang.md b/docs/zh-CN/providers/sglang.md
new file mode 100644
index 00000000000..6fb29dc94b9
--- /dev/null
+++ b/docs/zh-CN/providers/sglang.md
@@ -0,0 +1,111 @@
+---
+read_when:
+  - 你想让 OpenClaw 连接本地 SGLang 服务器运行
+  - 你想通过自己的模型使用兼容 OpenAI 的 `/v1` 端点
+summary: 让 OpenClaw 与 SGLang 一起运行（兼容 OpenAI 的自托管服务器）
+title: SGLang
+x-i18n:
+  generated_at: "2026-03-16T06:27:01Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 26ba858c46bc2b82088274c62270500ffc243e5fb505b8aaaffc096d835187b0
+  source_path: providers/sglang.md
+  workflow: 15
+---
+
+# SGLang
+
+SGLang 可以通过**兼容 OpenAI** 的 HTTP API 提供开源模型服务。
+OpenClaw 可以使用 `openai-completions` API 连接到 SGLang。
+
+当你通过 `SGLANG_API_KEY` 选择加入时，OpenClaw 还可以**自动发现**
+SGLang 提供的可用模型（如果你的服务器不强制身份验证，任意值都可）
+并且你没有定义显式的 `models.providers.sglang` 条目。
+
+## 快速开始
+
+1. 使用兼容 OpenAI 的服务器启动 SGLang。
+
+你的基础 URL 应暴露 `/v1` 端点（例如 `/v1/models`、
+`/v1/chat/completions`）。SGLang 通常运行在：
+
+- `http://127.0.0.1:30000/v1`
+
+2. 选择加入（如果未配置身份验证，任意值都可）：
+
+```bash
+export SGLANG_API_KEY="sglang-local"
+```
+
+3. 运行新手引导并选择 `SGLang`，或直接设置模型：
+
+```bash
+openclaw onboard
+```
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "sglang/your-model-id" },
+    },
+  },
+}
+```
+
+## 模型发现（隐式提供商）
+
+当设置了 `SGLANG_API_KEY`（或存在 auth profile），并且你**没有**
+定义 `models.providers.sglang` 时，OpenClaw 将查询：
+
+- `GET http://127.0.0.1:30000/v1/models`
+
+并将返回的 ID 转换为模型条目。
+
+如果你显式设置了 `models.providers.sglang`，则会跳过自动发现，
+你必须手动定义模型。
+
+## 显式配置（手动模型）
+
+在以下情况下使用显式配置：
+
+- SGLang 运行在不同的主机/端口上。
+- 你想固定 `contextWindow`/`maxTokens` 值。
+- 你的服务器需要真实 API 密钥（或者你想控制请求头）。
+
+```json5
+{
+  models: {
+    providers: {
+      sglang: {
+        baseUrl: "http://127.0.0.1:30000/v1",
+        apiKey: "${SGLANG_API_KEY}",
+        api: "openai-completions",
+        models: [
+          {
+            id: "your-model-id",
+            name: "本地 SGLang 模型",
+            reasoning: false,
+            input: ["text"],
+            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+            contextWindow: 128000,
+            maxTokens: 8192,
+          },
+        ],
+      },
+    },
+  },
+}
+```
+
+## 故障排除
+
+- 检查服务器是否可访问：
+
+```bash
+curl http://127.0.0.1:30000/v1/models
+```
+
+- 如果请求因身份验证错误而失败，请设置与
+  你的服务器配置匹配的真实 `SGLANG_API_KEY`，或者在
+  `models.providers.sglang` 下显式配置该提供商。
diff --git a/docs/zh-CN/providers/synthetic.md b/docs/zh-CN/providers/synthetic.md
index 168cb440c38..ddb4498153e 100644
--- a/docs/zh-CN/providers/synthetic.md
+++ b/docs/zh-CN/providers/synthetic.md
@@ -1,35 +1,36 @@
 ---
 read_when:
-  - 你想使用 Synthetic 作为模型提供商
-  - 你需要配置 Synthetic API 密钥或 base URL
+  - 你想将 Synthetic 用作模型提供商
+  - 你需要 Synthetic API key 或 base URL 设置
 summary: 在 OpenClaw 中使用 Synthetic 的 Anthropic 兼容 API
 title: Synthetic
 x-i18n:
-  generated_at: "2026-02-01T21:35:34Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: f3f6e3eb864661754cbe2276783c5bc96ae01cb85ee4a19c92bed7863a35a4f7
+  generated_at: "2026-03-16T06:27:11Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 3a2adb0b831babe3e88b027772167748764d85ee72d402ff759571420a91757f
   source_path: providers/synthetic.md
   workflow: 15
 ---
 
 # Synthetic
 
-Synthetic 提供兼容 Anthropic 的端点。OpenClaw 将其注册为 `synthetic` 提供商，并使用 Anthropic Messages API。
+Synthetic 提供与 Anthropic 兼容的端点。OpenClaw 将其注册为
+`synthetic` 提供商，并使用 Anthropic Messages API。
 
 ## 快速设置
 
-1. 设置 `SYNTHETIC_API_KEY`（或运行以下向导）。
+1. 设置 `SYNTHETIC_API_KEY`（或运行下面的向导）。
 2. 运行新手引导：
 
 ```bash
 openclaw onboard --auth-choice synthetic-api-key
 ```
 
-默认模型设置为：
+默认模型会设置为：
 
 ```
-synthetic/hf:MiniMaxAI/MiniMax-M2.1
+synthetic/hf:MiniMaxAI/MiniMax-M2.5
 ```
 
 ## 配置示例
@@ -39,8 +40,8 @@ synthetic/hf:MiniMaxAI/MiniMax-M2.1
   env: { SYNTHETIC_API_KEY: "sk-..." },
   agents: {
     defaults: {
-      model: { primary: "synthetic/hf:MiniMaxAI/MiniMax-M2.1" },
-      models: { "synthetic/hf:MiniMaxAI/MiniMax-M2.1": { alias: "MiniMax M2.1" } },
+      model: { primary: "synthetic/hf:MiniMaxAI/MiniMax-M2.5" },
+      models: { "synthetic/hf:MiniMaxAI/MiniMax-M2.5": { alias: "MiniMax M2.5" } },
     },
   },
   models: {
@@ -52,8 +53,8 @@ synthetic/hf:MiniMaxAI/MiniMax-M2.1
         api: "anthropic-messages",
         models: [
           {
-            id: "hf:MiniMaxAI/MiniMax-M2.1",
-            name: "MiniMax M2.1",
+            id: "hf:MiniMaxAI/MiniMax-M2.5",
+            name: "MiniMax M2.5",
             reasoning: false,
             input: ["text"],
             cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
@@ -67,36 +68,39 @@ synthetic/hf:MiniMaxAI/MiniMax-M2.1
 }
 ```
 
-注意：OpenClaw 的 Anthropic 客户端会自动在 base URL 后追加 `/v1`，因此请使用 `https://api.synthetic.new/anthropic`（而非 `/anthropic/v1`）。如果 Synthetic 更改了其 base URL，请覆盖 `models.providers.synthetic.baseUrl`。
+注意：OpenClaw 的 Anthropic 客户端会将 `/v1` 追加到 base URL 后面，因此请使用
+`https://api.synthetic.new/anthropic`（而不是 `/anthropic/v1`）。如果 Synthetic 更改了
+其 base URL，请覆盖 `models.providers.synthetic.baseUrl`。
 
 ## 模型目录
 
-以下所有模型的费用均为 `0`（输入/输出/缓存）。
+下面所有模型的成本都为 `0`（输入/输出/缓存）。
 
-| 模型 ID                                                | 上下文窗口 | 最大令牌数 | 推理  | 输入         |
-| ------------------------------------------------------ | ---------- | ---------- | ----- | ------------ |
-| `hf:MiniMaxAI/MiniMax-M2.1`                            | 192000     | 65536      | false | text         |
-| `hf:moonshotai/Kimi-K2-Thinking`                       | 256000     | 8192       | true  | text         |
-| `hf:zai-org/GLM-4.7`                                   | 198000     | 128000     | false | text         |
-| `hf:deepseek-ai/DeepSeek-R1-0528`                      | 128000     | 8192       | false | text         |
-| `hf:deepseek-ai/DeepSeek-V3-0324`                      | 128000     | 8192       | false | text         |
-| `hf:deepseek-ai/DeepSeek-V3.1`                         | 128000     | 8192       | false | text         |
-| `hf:deepseek-ai/DeepSeek-V3.1-Terminus`                | 128000     | 8192       | false | text         |
-| `hf:deepseek-ai/DeepSeek-V3.2`                         | 159000     | 8192       | false | text         |
-| `hf:meta-llama/Llama-3.3-70B-Instruct`                 | 128000     | 8192       | false | text         |
-| `hf:meta-llama/Llama-4-Maverick-17B-128E-Instruct-FP8` | 524000     | 8192       | false | text         |
-| `hf:moonshotai/Kimi-K2-Instruct-0905`                  | 256000     | 8192       | false | text         |
-| `hf:openai/gpt-oss-120b`                               | 128000     | 8192       | false | text         |
-| `hf:Qwen/Qwen3-235B-A22B-Instruct-2507`                | 256000     | 8192       | false | text         |
-| `hf:Qwen/Qwen3-Coder-480B-A35B-Instruct`               | 256000     | 8192       | false | text         |
-| `hf:Qwen/Qwen3-VL-235B-A22B-Instruct`                  | 250000     | 8192       | false | text + image |
-| `hf:zai-org/GLM-4.5`                                   | 128000     | 128000     | false | text         |
-| `hf:zai-org/GLM-4.6`                                   | 198000     | 128000     | false | text         |
-| `hf:deepseek-ai/DeepSeek-V3`                           | 128000     | 8192       | false | text         |
-| `hf:Qwen/Qwen3-235B-A22B-Thinking-2507`                | 256000     | 8192       | true  | text         |
+| 模型 ID                                                | 上下文窗口 | 最大 tokens | 推理  | 输入         |
+| ------------------------------------------------------ | ---------- | ----------- | ----- | ------------ |
+| `hf:MiniMaxAI/MiniMax-M2.5`                            | 192000     | 65536       | false | text         |
+| `hf:moonshotai/Kimi-K2-Thinking`                       | 256000     | 8192        | true  | text         |
+| `hf:zai-org/GLM-4.7`                                   | 198000     | 128000      | false | text         |
+| `hf:deepseek-ai/DeepSeek-R1-0528`                      | 128000     | 8192        | false | text         |
+| `hf:deepseek-ai/DeepSeek-V3-0324`                      | 128000     | 8192        | false | text         |
+| `hf:deepseek-ai/DeepSeek-V3.1`                         | 128000     | 8192        | false | text         |
+| `hf:deepseek-ai/DeepSeek-V3.1-Terminus`                | 128000     | 8192        | false | text         |
+| `hf:deepseek-ai/DeepSeek-V3.2`                         | 159000     | 8192        | false | text         |
+| `hf:meta-llama/Llama-3.3-70B-Instruct`                 | 128000     | 8192        | false | text         |
+| `hf:meta-llama/Llama-4-Maverick-17B-128E-Instruct-FP8` | 524000     | 8192        | false | text         |
+| `hf:moonshotai/Kimi-K2-Instruct-0905`                  | 256000     | 8192        | false | text         |
+| `hf:openai/gpt-oss-120b`                               | 128000     | 8192        | false | text         |
+| `hf:Qwen/Qwen3-235B-A22B-Instruct-2507`                | 256000     | 8192        | false | text         |
+| `hf:Qwen/Qwen3-Coder-480B-A35B-Instruct`               | 256000     | 8192        | false | text         |
+| `hf:Qwen/Qwen3-VL-235B-A22B-Instruct`                  | 250000     | 8192        | false | text + image |
+| `hf:zai-org/GLM-4.5`                                   | 128000     | 128000      | false | text         |
+| `hf:zai-org/GLM-4.6`                                   | 198000     | 128000      | false | text         |
+| `hf:deepseek-ai/DeepSeek-V3`                           | 128000     | 8192        | false | text         |
+| `hf:Qwen/Qwen3-235B-A22B-Thinking-2507`                | 256000     | 8192        | true  | text         |
 
-## 注意事项
+## 说明
 
-- 模型引用格式为 `synthetic/<modelId>`。
-- 如果启用了模型允许列表（`agents.defaults.models`），请添加你计划使用的所有模型。
-- 参阅[模型提供商](/concepts/model-providers)了解提供商规则。
+- 模型引用使用 `synthetic/<modelId>`。
+- 如果你启用了模型允许列表（`agents.defaults.models`），请添加你
+  计划使用的每个模型。
+- 有关提供商规则，请参阅 [Model providers](/concepts/model-providers)。
diff --git a/docs/zh-CN/providers/together.md b/docs/zh-CN/providers/together.md
new file mode 100644
index 00000000000..c3d2bf533ef
--- /dev/null
+++ b/docs/zh-CN/providers/together.md
@@ -0,0 +1,72 @@
+---
+read_when:
+  - 你想在 OpenClaw 中使用 Together AI
+  - 你需要 API 密钥环境变量或 CLI 身份验证选项
+summary: Together AI 设置（身份验证 + 模型选择）
+x-i18n:
+  generated_at: "2026-03-16T06:27:08Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 4f2ba5a12b03d0140feba4f54e0540bb57237cd131c8f1d826bc3629fde2d111
+  source_path: providers/together.md
+  workflow: 15
+---
+
+# Together AI
+
+[Together AI](https://together.ai) 通过统一 API 提供对领先开源模型的访问，包括 Llama、DeepSeek、Kimi 等。
+
+- 提供商：`together`
+- 身份验证：`TOGETHER_API_KEY`
+- API：兼容 OpenAI
+
+## 快速开始
+
+1. 设置 API 密钥（推荐：为 Gateway 网关存储它）：
+
+```bash
+openclaw onboard --auth-choice together-api-key
+```
+
+2. 设置默认模型：
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "together/moonshotai/Kimi-K2.5" },
+    },
+  },
+}
+```
+
+## 非交互式示例
+
+```bash
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice together-api-key \
+  --together-api-key "$TOGETHER_API_KEY"
+```
+
+这会将 `together/moonshotai/Kimi-K2.5` 设置为默认模型。
+
+## 环境说明
+
+如果 Gateway 网关作为守护进程运行（launchd/systemd），请确保 `TOGETHER_API_KEY`
+对该进程可用（例如在 `~/.openclaw/.env` 中，或通过
+`env.shellEnv`）。
+
+## 可用模型
+
+Together AI 提供对许多热门开源模型的访问：
+
+- **GLM 4.7 Fp8** - 具有 200K 上下文窗口的默认模型
+- **Llama 3.3 70B Instruct Turbo** - 快速、高效的指令跟随模型
+- **Llama 4 Scout** - 具备图像理解能力的视觉模型
+- **Llama 4 Maverick** - 高级视觉和推理模型
+- **DeepSeek V3.1** - 强大的编码和推理模型
+- **DeepSeek R1** - 高级推理模型
+- **Kimi K2 Instruct** - 具有 262K 上下文窗口的高性能模型
+
+所有模型都支持标准聊天补全，并兼容 OpenAI API。
diff --git a/docs/zh-CN/providers/venice.md b/docs/zh-CN/providers/venice.md
index cbc25ad8ad9..2cabcb88a40 100644
--- a/docs/zh-CN/providers/venice.md
+++ b/docs/zh-CN/providers/venice.md
@@ -1,50 +1,50 @@
 ---
 read_when:
-  - 你想在 OpenClaw 中使用注重隐私的推理服务
-  - 你需要 Venice AI 设置指导
+  - 你想在 OpenClaw 中使用注重隐私的推理
+  - 你想获得 Venice AI 设置指引
 summary: 在 OpenClaw 中使用 Venice AI 注重隐私的模型
 title: Venice AI
 x-i18n:
-  generated_at: "2026-02-01T21:36:03Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 2453a6ec3a715c24c460f902dec1755edcad40328de2ef895e35a614a25624cf
+  generated_at: "2026-03-16T06:27:49Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: e72c7ad24b045e9695530bee80ab7213986742354b7553b72bb230b75edf76e8
   source_path: providers/venice.md
   workflow: 15
 ---
 
-# Venice AI（Venice 精选）
+# Venice AI（Venice 亮点）
 
-**Venice** 是我们精选的 Venice 隐私优先推理配置，支持可选的匿名化访问专有模型。
+**Venice** 是我们重点推荐的 Venice 设置，适用于隐私优先的推理，并可选择通过匿名访问专有模型。
 
-Venice AI 提供注重隐私的 AI 推理服务，支持无审查模型，并可通过其匿名代理访问主流专有模型。所有推理默认私密——不会用你的数据训练，不会记录日志。
+Venice AI 提供注重隐私的 AI 推理，支持未审查模型，并可通过其匿名代理访问主要专有模型。所有推理默认都是私密的——不会使用你的数据进行训练，也不会记录日志。
 
 ## 为什么在 OpenClaw 中使用 Venice
 
-- **私密推理**，适用于开源模型（无日志记录）。
-- 需要时可使用**无审查模型**。
-- 在质量重要时，可**匿名访问**专有模型（Opus/GPT/Gemini）。
+- **私密推理**，适用于开源模型（不记录日志）。
+- 当你需要时可使用**未审查模型**。
+- 当质量更重要时，可**匿名访问**专有模型（Opus/GPT/Gemini）。
 - 兼容 OpenAI 的 `/v1` 端点。
 
 ## 隐私模式
 
-Venice 提供两种隐私级别——理解这一点是选择模型的关键：
+Venice 提供两个隐私级别 —— 理解这一点对于选择你的模型至关重要：
 
-| 模式       | 描述                                                                                  | 模型                                        |
-| ---------- | ------------------------------------------------------------------------------------- | ------------------------------------------- |
-| **私密**   | 完全私密。提示词/回复**从不存储或记录**。临时性处理。                                 | Llama、Qwen、DeepSeek、Venice Uncensored 等 |
-| **匿名化** | 通过 Venice 代理转发并剥离元数据。底层提供商（OpenAI、Anthropic）收到的是匿名化请求。 | Claude、GPT、Gemini、Grok、Kimi、MiniMax    |
+| 模式     | 说明                                                                                         | 模型                                                         |
+| -------- | -------------------------------------------------------------------------------------------- | ------------------------------------------------------------ |
+| **私密** | 完全私密。提示词/响应**绝不会被存储或记录**。临时性。                                        | Llama、Qwen、DeepSeek、Kimi、MiniMax、Venice Uncensored 等。 |
+| **匿名** | 通过 Venice 代理并剥离元数据。底层提供商（OpenAI、Anthropic、Google、xAI）看到的是匿名请求。 | Claude、GPT、Gemini、Grok                                    |
 
-## 功能特性
+## 功能
 
-- **注重隐私**：可选择"私密"（完全私密）和"匿名化"（代理转发）模式
-- **无审查模型**：访问无内容限制的模型
-- **主流模型访问**：通过 Venice 匿名代理使用 Claude、GPT-5.2、Gemini、Grok
-- **兼容 OpenAI API**：标准 `/v1` 端点，易于集成
-- **流式输出**：✅ 所有模型均支持
-- **函数调用**：✅ 部分模型支持（请检查模型能力）
-- **视觉**：✅ 具有视觉能力的模型支持
-- **无硬性速率限制**：极端使用情况下可能触发公平使用限流
+- **注重隐私**：可在 “private”（完全私密）和 “anonymized”（代理）模式之间选择
+- **未审查模型**：访问不受内容限制的模型
+- **主流模型访问**：通过 Venice 的匿名代理使用 Claude、GPT、Gemini 和 Grok
+- **兼容 OpenAI 的 API**：标准 `/v1` 端点，易于集成
+- **流式传输**：✅ 所有模型都支持
+- **函数调用**：✅ 选定模型支持（请检查模型能力）
+- **视觉**：✅ 具备视觉能力的模型支持
+- **无硬性速率限制**：极端使用情况下可能会应用公平使用节流
 
 ## 设置
 
@@ -56,26 +56,26 @@ Venice 提供两种隐私级别——理解这一点是选择模型的关键：
 
 ### 2. 配置 OpenClaw
 
-**方案 A：环境变量**
+**选项 A：环境变量**
 
 ```bash
 export VENICE_API_KEY="vapi_xxxxxxxxxxxx"
 ```
 
-**方案 B：交互式设置（推荐）**
+**选项 B：交互式设置（推荐）**
 
 ```bash
 openclaw onboard --auth-choice venice-api-key
 ```
 
-这将：
+这将会：
 
-1. 提示输入你的 API 密钥（或使用已有的 `VENICE_API_KEY`）
+1. 提示输入你的 API 密钥（或使用现有的 `VENICE_API_KEY`）
 2. 显示所有可用的 Venice 模型
 3. 让你选择默认模型
-4. 自动配置提供商
+4. 自动配置该提供商
 
-**方案 C：非交互式**
+**选项 C：非交互式**
 
 ```bash
 openclaw onboard --non-interactive \
@@ -86,23 +86,23 @@ openclaw onboard --non-interactive \
 ### 3. 验证设置
 
 ```bash
-openclaw chat --model venice/llama-3.3-70b "Hello, are you working?"
+openclaw agent --model venice/kimi-k2-5 --message "Hello, are you working?"
 ```
 
 ## 模型选择
 
-设置完成后，OpenClaw 会显示所有可用的 Venice 模型。根据你的需求选择：
+设置完成后，OpenClaw 会显示所有可用的 Venice 模型。请根据你的需要进行选择：
 
-- **默认（我们的推荐）**：`venice/llama-3.3-70b`，私密且性能均衡。
-- **最佳整体质量**：`venice/claude-opus-45`，适合复杂任务（Opus 仍然是最强的）。
-- **隐私**：选择"私密"模型以获得完全私密的推理。
-- **能力**：选择"匿名化"模型以通过 Venice 代理访问 Claude、GPT、Gemini。
+- **默认模型**：`venice/kimi-k2-5`，适合强大的私密推理 + 视觉。
+- **高能力选项**：`venice/claude-opus-4-6`，适合最强的匿名 Venice 路径。
+- **隐私**：选择 “private” 模型以获得完全私密的推理。
+- **能力**：选择 “anonymized” 模型，以通过 Venice 的代理访问 Claude、GPT、Gemini。
 
-随时更改默认模型：
+你可以随时更改默认模型：
 
 ```bash
-openclaw models set venice/claude-opus-45
-openclaw models set venice/llama-3.3-70b
+openclaw models set venice/kimi-k2-5
+openclaw models set venice/claude-opus-4-6
 ```
 
 列出所有可用模型：
@@ -117,104 +117,119 @@ openclaw models list | grep venice
 2. 选择 **Model/auth**
 3. 选择 **Venice AI**
 
-## 应该使用哪个模型？
+## 我应该使用哪个模型？
 
-| 使用场景               | 推荐模型                         | 原因                         |
-| ---------------------- | -------------------------------- | ---------------------------- |
-| **通用对话**           | `llama-3.3-70b`                  | 综合表现好，完全私密         |
-| **最佳整体质量**       | `claude-opus-45`                 | Opus 在复杂任务上仍然最强    |
-| **隐私 + Claude 品质** | `claude-opus-45`                 | 通过匿名代理获得最佳推理能力 |
-| **编程**               | `qwen3-coder-480b-a35b-instruct` | 代码优化，262k 上下文        |
-| **视觉任务**           | `qwen3-vl-235b-a22b`             | 最佳私密视觉模型             |
-| **无审查**             | `venice-uncensored`              | 无内容限制                   |
-| **快速 + 低成本**      | `qwen3-4b`                       | 轻量级，仍有不错能力         |
-| **复杂推理**           | `deepseek-v3.2`                  | 推理能力强，私密             |
+| 使用场景             | 推荐模型                         | 原因                             |
+| -------------------- | -------------------------------- | -------------------------------- |
+| **通用聊天（默认）** | `kimi-k2-5`                      | 强大的私密推理 + 视觉            |
+| **整体最佳质量**     | `claude-opus-4-6`                | 最强的匿名 Venice 选项           |
+| **隐私 + 编码**      | `qwen3-coder-480b-a35b-instruct` | 具有大上下文的私密编码模型       |
+| **私密视觉**         | `kimi-k2-5`                      | 无需离开私密模式即可支持视觉     |
+| **快速 + 便宜**      | `qwen3-4b`                       | 轻量级推理模型                   |
+| **复杂私密任务**     | `deepseek-v3.2`                  | 推理能力强，但不支持 Venice 工具 |
+| **未审查**           | `venice-uncensored`              | 无内容限制                       |
 
-## 可用模型（共 25 个）
+## 可用模型（共 41 个）
 
-### 私密模型（15 个）— 完全私密，无日志记录
+### 私密模型（26 个）—— 完全私密，不记录日志
 
-| 模型 ID                          | 名称                    | 上下文（token） | 特性         |
-| -------------------------------- | ----------------------- | --------------- | ------------ |
-| `llama-3.3-70b`                  | Llama 3.3 70B           | 131k            | 通用         |
-| `llama-3.2-3b`                   | Llama 3.2 3B            | 131k            | 快速，轻量   |
-| `hermes-3-llama-3.1-405b`        | Hermes 3 Llama 3.1 405B | 131k            | 复杂任务     |
-| `qwen3-235b-a22b-thinking-2507`  | Qwen3 235B Thinking     | 131k            | 推理         |
-| `qwen3-235b-a22b-instruct-2507`  | Qwen3 235B Instruct     | 131k            | 通用         |
-| `qwen3-coder-480b-a35b-instruct` | Qwen3 Coder 480B        | 262k            | 编程         |
-| `qwen3-next-80b`                 | Qwen3 Next 80B          | 262k            | 通用         |
-| `qwen3-vl-235b-a22b`             | Qwen3 VL 235B           | 262k            | 视觉         |
-| `qwen3-4b`                       | Venice Small (Qwen3 4B) | 32k             | 快速，推理   |
-| `deepseek-v3.2`                  | DeepSeek V3.2           | 163k            | 推理         |
-| `venice-uncensored`              | Venice Uncensored       | 32k             | 无审查       |
-| `mistral-31-24b`                 | Venice Medium (Mistral) | 131k            | 视觉         |
-| `google-gemma-3-27b-it`          | Gemma 3 27B Instruct    | 202k            | 视觉         |
-| `openai-gpt-oss-120b`            | OpenAI GPT OSS 120B     | 131k            | 通用         |
-| `zai-org-glm-4.7`                | GLM 4.7                 | 202k            | 推理，多语言 |
+| 模型 ID                                | 名称                                 | 上下文 | 功能               |
+| -------------------------------------- | ------------------------------------ | ------ | ------------------ |
+| `kimi-k2-5`                            | Kimi K2.5                            | 256k   | 默认、推理、视觉   |
+| `kimi-k2-thinking`                     | Kimi K2 Thinking                     | 256k   | 推理               |
+| `llama-3.3-70b`                        | Llama 3.3 70B                        | 128k   | 通用               |
+| `llama-3.2-3b`                         | Llama 3.2 3B                         | 128k   | 通用               |
+| `hermes-3-llama-3.1-405b`              | Hermes 3 Llama 3.1 405B              | 128k   | 通用，工具已禁用   |
+| `qwen3-235b-a22b-thinking-2507`        | Qwen3 235B Thinking                  | 128k   | 推理               |
+| `qwen3-235b-a22b-instruct-2507`        | Qwen3 235B Instruct                  | 128k   | 通用               |
+| `qwen3-coder-480b-a35b-instruct`       | Qwen3 Coder 480B                     | 256k   | 编码               |
+| `qwen3-coder-480b-a35b-instruct-turbo` | Qwen3 Coder 480B Turbo               | 256k   | 编码               |
+| `qwen3-5-35b-a3b`                      | Qwen3.5 35B A3B                      | 256k   | 推理、视觉         |
+| `qwen3-next-80b`                       | Qwen3 Next 80B                       | 256k   | 通用               |
+| `qwen3-vl-235b-a22b`                   | Qwen3 VL 235B（视觉）                | 256k   | 视觉               |
+| `qwen3-4b`                             | Venice Small（Qwen3 4B）             | 32k    | 快速、推理         |
+| `deepseek-v3.2`                        | DeepSeek V3.2                        | 160k   | 推理，工具已禁用   |
+| `venice-uncensored`                    | Venice Uncensored（Dolphin-Mistral） | 32k    | 未审查，工具已禁用 |
+| `mistral-31-24b`                       | Venice Medium（Mistral）             | 128k   | 视觉               |
+| `google-gemma-3-27b-it`                | Google Gemma 3 27B Instruct          | 198k   | 视觉               |
+| `openai-gpt-oss-120b`                  | OpenAI GPT OSS 120B                  | 128k   | 通用               |
+| `nvidia-nemotron-3-nano-30b-a3b`       | NVIDIA Nemotron 3 Nano 30B           | 128k   | 通用               |
+| `olafangensan-glm-4.7-flash-heretic`   | GLM 4.7 Flash Heretic                | 128k   | 推理               |
+| `zai-org-glm-4.6`                      | GLM 4.6                              | 198k   | 通用               |
+| `zai-org-glm-4.7`                      | GLM 4.7                              | 198k   | 推理               |
+| `zai-org-glm-4.7-flash`                | GLM 4.7 Flash                        | 128k   | 推理               |
+| `zai-org-glm-5`                        | GLM 5                                | 198k   | 推理               |
+| `minimax-m21`                          | MiniMax M2.1                         | 198k   | 推理               |
+| `minimax-m25`                          | MiniMax M2.5                         | 198k   | 推理               |
 
-### 匿名化模型（10 个）— 通过 Venice 代理
+### 匿名模型（15 个）—— 通过 Venice 代理
 
-| 模型 ID                  | 原始模型          | 上下文（token） | 特性       |
-| ------------------------ | ----------------- | --------------- | ---------- |
-| `claude-opus-45`         | Claude Opus 4.5   | 202k            | 推理，视觉 |
-| `claude-sonnet-45`       | Claude Sonnet 4.5 | 202k            | 推理，视觉 |
-| `openai-gpt-52`          | GPT-5.2           | 262k            | 推理       |
-| `openai-gpt-52-codex`    | GPT-5.2 Codex     | 262k            | 推理，视觉 |
-| `gemini-3-pro-preview`   | Gemini 3 Pro      | 202k            | 推理，视觉 |
-| `gemini-3-flash-preview` | Gemini 3 Flash    | 262k            | 推理，视觉 |
-| `grok-41-fast`           | Grok 4.1 Fast     | 262k            | 推理，视觉 |
-| `grok-code-fast-1`       | Grok Code Fast 1  | 262k            | 推理，编程 |
-| `kimi-k2-thinking`       | Kimi K2 Thinking  | 262k            | 推理       |
-| `minimax-m21`            | MiniMax M2.1      | 202k            | 推理       |
+| 模型 ID                         | 名称                             | 上下文 | 功能             |
+| ------------------------------- | -------------------------------- | ------ | ---------------- |
+| `claude-opus-4-6`               | Claude Opus 4.6（通过 Venice）   | 1M     | 推理、视觉       |
+| `claude-opus-4-5`               | Claude Opus 4.5（通过 Venice）   | 198k   | 推理、视觉       |
+| `claude-sonnet-4-6`             | Claude Sonnet 4.6（通过 Venice） | 1M     | 推理、视觉       |
+| `claude-sonnet-4-5`             | Claude Sonnet 4.5（通过 Venice） | 198k   | 推理、视觉       |
+| `openai-gpt-54`                 | GPT-5.4（通过 Venice）           | 1M     | 推理、视觉       |
+| `openai-gpt-53-codex`           | GPT-5.3 Codex（通过 Venice）     | 400k   | 推理、视觉、编码 |
+| `openai-gpt-52`                 | GPT-5.2（通过 Venice）           | 256k   | 推理             |
+| `openai-gpt-52-codex`           | GPT-5.2 Codex（通过 Venice）     | 256k   | 推理、视觉、编码 |
+| `openai-gpt-4o-2024-11-20`      | GPT-4o（通过 Venice）            | 128k   | 视觉             |
+| `openai-gpt-4o-mini-2024-07-18` | GPT-4o Mini（通过 Venice）       | 128k   | 视觉             |
+| `gemini-3-1-pro-preview`        | Gemini 3.1 Pro（通过 Venice）    | 1M     | 推理、视觉       |
+| `gemini-3-pro-preview`          | Gemini 3 Pro（通过 Venice）      | 198k   | 推理、视觉       |
+| `gemini-3-flash-preview`        | Gemini 3 Flash（通过 Venice）    | 256k   | 推理、视觉       |
+| `grok-41-fast`                  | Grok 4.1 Fast（通过 Venice）     | 1M     | 推理、视觉       |
+| `grok-code-fast-1`              | Grok Code Fast 1（通过 Venice）  | 256k   | 推理、编码       |
 
 ## 模型发现
 
-当设置了 `VENICE_API_KEY` 时，OpenClaw 会自动从 Venice API 发现模型。如果 API 不可达，则回退到静态目录。
+当设置了 `VENICE_API_KEY` 时，OpenClaw 会自动从 Venice API 发现模型。如果 API 不可访问，则会回退到静态目录。
 
-`/models` 端点是公开的（列出模型无需认证），但推理需要有效的 API 密钥。
+`/models` 端点是公开的（列出模型无需身份验证），但推理需要有效的 API 密钥。
 
-## 流式输出与工具支持
+## 流式传输与工具支持
 
 | 功能          | 支持情况                                                   |
 | ------------- | ---------------------------------------------------------- |
-| **流式输出**  | ✅ 所有模型                                                |
+| **流式传输**  | ✅ 所有模型                                                |
 | **函数调用**  | ✅ 大多数模型（请检查 API 中的 `supportsFunctionCalling`） |
-| **视觉/图像** | ✅ 标记为"视觉"特性的模型                                  |
+| **视觉/图像** | ✅ 标有 “Vision” 功能的模型                                |
 | **JSON 模式** | ✅ 通过 `response_format` 支持                             |
 
 ## 定价
 
-Venice 使用积分制。请查看 [venice.ai/pricing](https://venice.ai/pricing) 了解当前费率：
+Venice 使用基于积分的系统。当前费率请查看 [venice.ai/pricing](https://venice.ai/pricing)：
 
-- **私密模型**：通常成本较低
-- **匿名化模型**：与直接 API 定价相近 + 少量 Venice 费用
+- **私密模型**：通常成本更低
+- **匿名模型**：与直接 API 定价相近，外加少量 Venice 费用
 
 ## 对比：Venice 与直接 API
 
-| 方面     | Venice（匿名化）   | 直接 API     |
-| -------- | ------------------ | ------------ |
-| **隐私** | 剥离元数据，匿名化 | 关联你的账户 |
-| **延迟** | +10-50ms（代理）   | 直连         |
-| **功能** | 支持大部分功能     | 完整功能     |
-| **计费** | Venice 积分        | 提供商计费   |
+| 方面     | Venice（匿名）       | 直接 API       |
+| -------- | -------------------- | -------------- |
+| **隐私** | 元数据被剥离，匿名化 | 关联到你的账户 |
+| **延迟** | +10-50ms（代理）     | 直接           |
+| **功能** | 支持大多数功能       | 完整功能       |
+| **计费** | Venice 积分          | 提供商计费     |
 
 ## 使用示例
 
 ```bash
 # 使用默认私密模型
-openclaw chat --model venice/llama-3.3-70b
+openclaw agent --model venice/kimi-k2-5 --message "Quick health check"
 
-# 通过 Venice 使用 Claude（匿名化）
-openclaw chat --model venice/claude-opus-45
+# 通过 Venice 使用 Claude Opus（匿名）
+openclaw agent --model venice/claude-opus-4-6 --message "Summarize this task"
 
-# 使用无审查模型
-openclaw chat --model venice/venice-uncensored
+# 使用未审查模型
+openclaw agent --model venice/venice-uncensored --message "Draft options"
 
-# 使用视觉模型处理图像
-openclaw chat --model venice/qwen3-vl-235b-a22b
+# 使用带图像的视觉模型
+openclaw agent --model venice/qwen3-vl-235b-a22b --message "Review attached image"
 
-# 使用编程模型
-openclaw chat --model venice/qwen3-coder-480b-a35b-instruct
+# 使用编码模型
+openclaw agent --model venice/qwen3-coder-480b-a35b-instruct --message "Refactor this function"
 ```
 
 ## 故障排除
@@ -226,22 +241,22 @@ echo $VENICE_API_KEY
 openclaw models list | grep venice
 ```
 
-确保密钥以 `vapi_` 开头。
+请确保该密钥以 `vapi_` 开头。
 
 ### 模型不可用
 
-Venice 模型目录会动态更新。运行 `openclaw models list` 查看当前可用的模型。部分模型可能暂时离线。
+Venice 模型目录会动态更新。运行 `openclaw models list` 以查看当前可用的模型。某些模型可能暂时离线。
 
 ### 连接问题
 
-Venice API 地址为 `https://api.venice.ai/api/v1`。确保你的网络允许 HTTPS 连接。
+Venice API 地址为 `https://api.venice.ai/api/v1`。请确保你的网络允许 HTTPS 连接。
 
 ## 配置文件示例
 
 ```json5
 {
   env: { VENICE_API_KEY: "vapi_..." },
-  agents: { defaults: { model: { primary: "venice/llama-3.3-70b" } } },
+  agents: { defaults: { model: { primary: "venice/kimi-k2-5" } } },
   models: {
     mode: "merge",
     providers: {
@@ -251,13 +266,13 @@ Venice API 地址为 `https://api.venice.ai/api/v1`。确保你的网络允许 H
         api: "openai-completions",
         models: [
           {
-            id: "llama-3.3-70b",
-            name: "Llama 3.3 70B",
-            reasoning: false,
-            input: ["text"],
+            id: "kimi-k2-5",
+            name: "Kimi K2.5",
+            reasoning: true,
+            input: ["text", "image"],
             cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-            contextWindow: 131072,
-            maxTokens: 8192,
+            contextWindow: 256000,
+            maxTokens: 65536,
           },
         ],
       },
@@ -269,6 +284,6 @@ Venice API 地址为 `https://api.venice.ai/api/v1`。确保你的网络允许 H
 ## 链接
 
 - [Venice AI](https://venice.ai)
-- [API 文档](https://docs.venice.ai)
-- [定价](https://venice.ai/pricing)
-- [状态页](https://status.venice.ai)
+- [API Documentation](https://docs.venice.ai)
+- [Pricing](https://venice.ai/pricing)
+- [Status](https://status.venice.ai)
diff --git a/docs/zh-CN/providers/vercel-ai-gateway.md b/docs/zh-CN/providers/vercel-ai-gateway.md
index 633fc8eb0f0..919573c9778 100644
--- a/docs/zh-CN/providers/vercel-ai-gateway.md
+++ b/docs/zh-CN/providers/vercel-ai-gateway.md
@@ -1,29 +1,31 @@
 ---
 read_when:
-  - 你想将 Vercel AI Gateway 与 OpenClaw 配合使用
-  - 你需要 API 密钥环境变量或 CLI 认证选择
+  - 你想将 Vercel AI Gateway 与 OpenClaw 一起使用
+  - 你需要 API key 环境变量或 CLI 认证选项
 summary: Vercel AI Gateway 设置（认证 + 模型选择）
 title: Vercel AI Gateway
 x-i18n:
-  generated_at: "2026-02-03T07:53:39Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: c6482f047a31b09c7a691d40babbd1f9fb3aa2042b61cc42956ad9b791da8285
+  generated_at: "2026-03-16T06:27:18Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: f30768dc3db49708b25042d317906f7ad9a2c72b0fa03263bc04f5eefbf7a507
   source_path: providers/vercel-ai-gateway.md
   workflow: 15
 ---
 
 # Vercel AI Gateway
 
-[Vercel AI Gateway](https://vercel.com/ai-gateway) 提供了一个统一的 API，通过单一端点访问数百个模型。
+[Vercel AI Gateway](https://vercel.com/ai-gateway) 提供统一 API，可通过单个端点访问数百个模型。
 
 - 提供商：`vercel-ai-gateway`
 - 认证：`AI_GATEWAY_API_KEY`
 - API：兼容 Anthropic Messages
+- OpenClaw 会自动发现 Gateway 的 `/v1/models` 目录，因此 `/models vercel-ai-gateway`
+  会包含当前模型引用，例如 `vercel-ai-gateway/openai/gpt-5.4`。
 
 ## 快速开始
 
-1. 设置 API 密钥（推荐：为 Gateway 网关存储它）：
+1. 设置 API key（推荐：为 Gateway 网关持久保存它）：
 
 ```bash
 openclaw onboard --auth-choice ai-gateway-api-key
@@ -35,7 +37,7 @@ openclaw onboard --auth-choice ai-gateway-api-key
 {
   agents: {
     defaults: {
-      model: { primary: "vercel-ai-gateway/anthropic/claude-opus-4.5" },
+      model: { primary: "vercel-ai-gateway/anthropic/claude-opus-4.6" },
     },
   },
 }
@@ -50,8 +52,15 @@ openclaw onboard --non-interactive \
   --ai-gateway-api-key "$AI_GATEWAY_API_KEY"
 ```
 
-## 环境变量说明
+## 环境说明
 
-如果 Gateway 网关作为守护进程运行（launchd/systemd），请确保 `AI_GATEWAY_API_KEY`
-对该进程可用（例如，在 `~/.openclaw/.env` 中或通过
-`env.shellEnv`）。
+如果 Gateway 作为守护进程运行（launchd/systemd），请确保 `AI_GATEWAY_API_KEY`
+对此进程可用（例如放在 `~/.openclaw/.env` 中，或通过
+`env.shellEnv` 提供）。
+
+## 模型 ID 简写
+
+OpenClaw 接受 Vercel Claude 简写模型引用，并会在运行时将其规范化：
+
+- `vercel-ai-gateway/claude-opus-4.6` -> `vercel-ai-gateway/anthropic/claude-opus-4.6`
+- `vercel-ai-gateway/opus-4.6` -> `vercel-ai-gateway/anthropic/claude-opus-4-6`
diff --git a/docs/zh-CN/providers/xiaomi.md b/docs/zh-CN/providers/xiaomi.md
index 29a02427cf9..0670f99fa2a 100644
--- a/docs/zh-CN/providers/xiaomi.md
+++ b/docs/zh-CN/providers/xiaomi.md
@@ -1,13 +1,13 @@
 ---
 read_when:
   - 你想在 OpenClaw 中使用 Xiaomi MiMo 模型
-  - 你需要设置 XIAOMI_API_KEY
-summary: 在 OpenClaw 中使用 Xiaomi MiMo (mimo-v2-flash)
+  - 你需要设置 `XIAOMI_API_KEY`
+summary: 在 OpenClaw 中使用 Xiaomi MiMo（`mimo-v2-flash`）
 title: Xiaomi MiMo
 x-i18n:
-  generated_at: "2026-02-01T21:36:15Z"
-  model: claude-opus-4-5
-  provider: pi
+  generated_at: "2026-03-16T06:27:26Z"
+  model: gpt-5.4
+  provider: openai
   source_hash: 366fd2297b2caf8c5ad944d7f1b6d233b248fe43aedd22a28352ae7f370d2435
   source_path: providers/xiaomi.md
   workflow: 15
@@ -15,13 +15,16 @@ x-i18n:
 
 # Xiaomi MiMo
 
-Xiaomi MiMo 是 **MiMo** 模型的 API 平台。它提供与 OpenAI 和 Anthropic 格式兼容的 REST API，并使用 API 密钥进行身份验证。请在 [Xiaomi MiMo 控制台](https://platform.xiaomimimo.com/#/console/api-keys) 中创建你的 API 密钥。OpenClaw 使用 `xiaomi` 提供商配合 Xiaomi MiMo API 密钥。
+Xiaomi MiMo 是 **MiMo** 模型的 API 平台。它提供与
+OpenAI 和 Anthropic 格式兼容的 REST API，并使用 API key 进行认证。请在
+[Xiaomi MiMo console](https://platform.xiaomimimo.com/#/console/api-keys) 中创建你的 API key。OpenClaw 使用
+`xiaomi` 提供商配合 Xiaomi MiMo API key。
 
 ## 模型概览
 
-- **mimo-v2-flash**：262144 token 上下文窗口，兼容 Anthropic Messages API。
-- 基础 URL：`https://api.xiaomimimo.com/anthropic`
-- 授权方式：`Bearer $XIAOMI_API_KEY`
+- **mimo-v2-flash**：262144-token 上下文窗口，兼容 Anthropic Messages API。
+- Base URL：`https://api.xiaomimimo.com/anthropic`
+- 认证方式：`Bearer $XIAOMI_API_KEY`
 
 ## CLI 设置
 
@@ -61,8 +64,8 @@ openclaw onboard --auth-choice xiaomi-api-key --xiaomi-api-key "$XIAOMI_API_KEY"
 }
 ```
 
-## 备注
+## 说明
 
 - 模型引用：`xiaomi/mimo-v2-flash`。
-- 当设置了 `XIAOMI_API_KEY`（或存在身份验证配置文件）时，该提供商会自动注入。
+- 当设置了 `XIAOMI_API_KEY`（或存在凭证配置文件）时，提供商会自动注入。
 - 有关提供商规则，请参阅 [/concepts/model-providers](/concepts/model-providers)。
diff --git a/docs/zh-CN/providers/zai.md b/docs/zh-CN/providers/zai.md
index 4585b96abf6..3e8f19af06a 100644
--- a/docs/zh-CN/providers/zai.md
+++ b/docs/zh-CN/providers/zai.md
@@ -1,28 +1,38 @@
 ---
 read_when:
   - 你想在 OpenClaw 中使用 Z.AI / GLM 模型
-  - 你需要简单的 ZAI_API_KEY 配置
-summary: 在 OpenClaw 中使用智谱 AI（GLM 模型）
+  - 你需要简单的 `ZAI_API_KEY` 设置
+summary: 在 OpenClaw 中使用 Z.AI（GLM 模型）
 title: Z.AI
 x-i18n:
-  generated_at: "2026-02-01T21:36:13Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 2c24bbad86cf86c38675a58e22f9e1b494f78a18fdc3051c1be80d2d9a800711
+  generated_at: "2026-03-16T06:27:34Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 79ea8f3d6c286b5fef090e54257eb7c60c82b29630cee3f54e96161e55349bf5
   source_path: providers/zai.md
   workflow: 15
 ---
 
 # Z.AI
 
-Z.AI 是 **GLM** 模型的 API 平台。它为 GLM 提供 REST API，并使用 API 密钥进行身份验证。请在 Z.AI 控制台中创建你的 API 密钥。OpenClaw 通过 `zai` 提供商配合 Z.AI API 密钥使用。
+Z.AI 是 **GLM** 模型的 API 平台。它为 GLM 提供 REST API，并使用 API key
+进行认证。请在 Z.AI 控制台中创建你的 API key。OpenClaw 使用 `zai` 提供商
+配合 Z.AI API key。
 
 ## CLI 设置
 
 ```bash
-openclaw onboard --auth-choice zai-api-key
-# 或非交互式
-openclaw onboard --zai-api-key "$ZAI_API_KEY"
+# Coding Plan Global，推荐给 Coding Plan 用户
+openclaw onboard --auth-choice zai-coding-global
+
+# Coding Plan CN（中国区域），推荐给 Coding Plan 用户
+openclaw onboard --auth-choice zai-coding-cn
+
+# 通用 API
+openclaw onboard --auth-choice zai-global
+
+# 通用 API CN（中国区域）
+openclaw onboard --auth-choice zai-cn
 ```
 
 ## 配置片段
@@ -30,12 +40,14 @@ openclaw onboard --zai-api-key "$ZAI_API_KEY"
 ```json5
 {
   env: { ZAI_API_KEY: "sk-..." },
-  agents: { defaults: { model: { primary: "zai/glm-4.7" } } },
+  agents: { defaults: { model: { primary: "zai/glm-5" } } },
 }
 ```
 
-## 注意事项
+## 说明
 
-- GLM 模型以 `zai/<model>` 的形式提供（例如：`zai/glm-4.7`）。
-- 参阅 [/providers/glm](/providers/glm) 了解模型系列概览。
-- Z.AI 使用 Bearer 认证方式配合你的 API 密钥。
+- GLM 模型可用作 `zai/<model>`（例如：`zai/glm-5`）。
+- `tool_stream` 默认启用，用于 Z.AI 工具调用流式传输。若要禁用，请设置
+  `agents.defaults.models["zai/<model>"].params.tool_stream` 为 `false`。
+- 关于模型家族概览，请参阅 [/providers/glm](/providers/glm)。
+- Z.AI 使用带有你的 API key 的 Bearer 认证。
diff --git a/docs/zh-CN/reference/wizard.md b/docs/zh-CN/reference/wizard.md
index 766c6899946..1bf988de3c9 100644
--- a/docs/zh-CN/reference/wizard.md
+++ b/docs/zh-CN/reference/wizard.md
@@ -1,9 +1,242 @@
 ---
-summary: Onboarding 向导参考：完整步骤、参数与配置字段
-title: 向导参考
-sidebarTitle: 向导参考
+read_when:
+  - 查找特定的向导步骤或标志
+  - 使用非交互模式自动执行新手引导
+  - 调试向导行为
+sidebarTitle: Wizard Reference
+summary: CLI 设置向导的完整参考：每个步骤、标志和配置字段
+title: 设置向导参考
+x-i18n:
+  generated_at: "2026-03-16T06:28:28Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: f6560ef9921e58e4fe7f9b23872c0f8bbf3a0a3c4449d686752fc5b5b50bb216
+  source_path: reference/wizard.md
+  workflow: 15
 ---
 
-# 向导参考
+# 设置向导参考
 
-该页面是英文文档的中文占位版本，完整内容请先参考英文版：[Onboarding Wizard Reference](/reference/wizard)。
+这是 `openclaw onboard` CLI 向导的完整参考。
+有关高层概览，请参阅 [设置向导](/start/wizard)。
+
+## 流程详情（本地模式）
+
+<Steps>
+  <Step title="现有配置检测">
+    - 如果 `~/.openclaw/openclaw.json` 存在，请选择 **Keep / Modify / Reset**。
+    - 重新运行向导**不会**清除任何内容，除非你明确选择 **Reset**
+      （或传入 `--reset`）。
+    - CLI `--reset` 默认值为 `config+creds+sessions`；使用 `--reset-scope full`
+      可额外移除工作区。
+    - 如果配置无效或包含旧版键，向导会停止，并要求
+      你先运行 `openclaw doctor` 再继续。
+    - 重置会使用 `trash`（绝不使用 `rm`），并提供以下范围：
+      - 仅配置
+      - 配置 + 凭证 + 会话
+      - 完整重置（也会移除工作区）
+  </Step>
+  <Step title="模型/认证">
+    - **Anthropic API key**：如果存在则使用 `ANTHROPIC_API_KEY`，否则提示输入 key，然后保存以供守护进程使用。
+    - **Anthropic OAuth（Claude Code CLI）**：在 macOS 上，向导会检查钥匙串项目 “Claude Code-credentials”（请选择 “Always Allow”，这样 launchd 启动时就不会被阻塞）；在 Linux/Windows 上，如果存在，则会重用 `~/.claude/.credentials.json`。
+    - **Anthropic token（粘贴 setup-token）**：在任意机器上运行 `claude setup-token`，然后粘贴该 token（你可以为其命名；留空 = default）。
+    - **OpenAI Code (Codex) 订阅（Codex CLI）**：如果 `~/.codex/auth.json` 存在，向导可以重用它。
+    - **OpenAI Code (Codex) 订阅（OAuth）**：浏览器流程；粘贴 `code#state`。
+      - 当模型未设置或为 `openai/*` 时，将 `agents.defaults.model` 设置为 `openai-codex/gpt-5.2`。
+    - **OpenAI API key**：如果存在则使用 `OPENAI_API_KEY`，否则提示输入 key，然后将其存储到凭证配置文件中。
+    - **xAI（Grok）API key**：提示输入 `XAI_API_KEY`，并将 xAI 配置为模型提供商。
+    - **OpenCode**：提示输入 `OPENCODE_API_KEY`（或 `OPENCODE_ZEN_API_KEY`，可从 https://opencode.ai/auth 获取），并让你选择 Zen 或 Go 目录。
+    - **Ollama**：提示输入 Ollama base URL，提供 **Cloud + Local** 或 **Local** 模式，发现可用模型，并在需要时自动拉取所选本地模型。
+    - 更多细节： [Ollama](/providers/ollama)
+    - **API key**：为你存储该 key。
+    - **Vercel AI Gateway（多模型代理）**：提示输入 `AI_GATEWAY_API_KEY`。
+    - 更多细节： [Vercel AI Gateway](/providers/vercel-ai-gateway)
+    - **Cloudflare AI Gateway**：提示输入 Account ID、Gateway ID 和 `CLOUDFLARE_AI_GATEWAY_API_KEY`。
+    - 更多细节： [Cloudflare AI Gateway](/providers/cloudflare-ai-gateway)
+    - **MiniMax M2.5**：自动写入配置。
+    - 更多细节： [MiniMax](/providers/minimax)
+    - **Synthetic（Anthropic 兼容）**：提示输入 `SYNTHETIC_API_KEY`。
+    - 更多细节： [Synthetic](/providers/synthetic)
+    - **Moonshot（Kimi K2）**：自动写入配置。
+    - **Kimi Coding**：自动写入配置。
+    - 更多细节： [Moonshot AI (Kimi + Kimi Coding)](/providers/moonshot)
+    - **Skip**：暂不配置认证。
+    - 从已检测到的选项中选择默认模型（或手动输入 `provider/model`）。为了获得最佳质量并降低 prompt injection 风险，请选择你在提供商栈中可用的最强最新一代模型。
+    - 向导会运行模型检查，并在所配置模型未知或缺少认证时发出警告。
+    - API key 存储模式默认为明文 auth-profile 值。使用 `--secret-input-mode ref` 可改为存储基于环境变量的引用（例如 `keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" }`）。
+    - OAuth 凭证保存在 `~/.openclaw/credentials/oauth.json`；auth-profile 保存在 `~/.openclaw/agents/<agentId>/agent/auth-profiles.json`（API key + OAuth）。
+    - 更多细节： [/concepts/oauth](/concepts/oauth)
+    <Note>
+    无头/服务器提示：在有浏览器的机器上完成 OAuth，然后将
+    `~/.openclaw/credentials/oauth.json`（或 `$OPENCLAW_STATE_DIR/credentials/oauth.json`）复制到
+    Gateway 网关主机上。
+    </Note>
+  </Step>
+  <Step title="工作区">
+    - 默认为 `~/.openclaw/workspace`（可配置）。
+    - 为工作区植入智能体引导仪式所需的文件。
+    - 完整工作区布局 + 备份指南： [智能体工作区](/concepts/agent-workspace)
+  </Step>
+  <Step title="Gateway 网关">
+    - Port、bind、auth mode、tailscale 暴露方式。
+    - 认证建议：即使是 loopback，也保留 **Token**，这样本地 WS 客户端也必须进行认证。
+    - 在 token 模式下，交互式设置提供：
+      - **生成/存储明文 token**（默认）
+      - **使用 SecretRef**（可选启用）
+      - 快速开始会在新手引导探测/dashboard 引导期间，跨 `env`、`file` 和 `exec` 提供商重用现有的 `gateway.auth.token` SecretRef。
+      - 如果该 SecretRef 已配置但无法解析，则新手引导会提前失败，并给出明确修复信息，而不是静默降级运行时认证。
+    - 在 password 模式下，交互式设置也支持明文或 SecretRef 存储。
+    - 非交互式 token SecretRef 路径：`--gateway-token-ref-env <ENV_VAR>`。
+      - 要求新手引导进程环境中存在非空环境变量。
+      - 不能与 `--gateway-token` 组合使用。
+    - 仅当你完全信任每个本地进程时，才禁用认证。
+    - 非 loopback 绑定仍然需要认证。
+  </Step>
+  <Step title="渠道">
+    - [WhatsApp](/channels/whatsapp)：可选 QR 登录。
+    - [Telegram](/channels/telegram)：bot token。
+    - [Discord](/channels/discord)：bot token。
+    - [Google Chat](/channels/googlechat)：服务账号 JSON + webhook audience。
+    - [Mattermost](/channels/mattermost)（插件）：bot token + base URL。
+    - [Signal](/channels/signal)：可选安装 `signal-cli` + 账号配置。
+    - [BlueBubbles](/channels/bluebubbles)：**iMessage 推荐方案**；server URL + password + webhook。
+    - [iMessage](/channels/imessage)：旧版 `imsg` CLI 路径 + 数据库访问。
+    - 私信安全：默认为 pairing。首次私信会发送一个代码；通过 `openclaw pairing approve <channel> <code>` 批准，或使用允许列表。
+  </Step>
+  <Step title="Web 搜索">
+    - 选择一个提供商：Perplexity、Brave、Gemini、Grok 或 Kimi（也可跳过）。
+    - 粘贴你的 API key（QuickStart 会自动从环境变量或现有配置中检测 key）。
+    - 使用 `--skip-search` 跳过。
+    - 之后再配置：`openclaw configure --section web`。
+  </Step>
+  <Step title="守护进程安装">
+    - macOS：LaunchAgent
+      - 需要已登录的用户会话；无头场景请使用自定义 LaunchDaemon（未随产品提供）。
+    - Linux（以及通过 WSL2 的 Windows）：systemd 用户单元
+      - 向导会尝试启用 lingering：`loginctl enable-linger <user>`，以便 Gateway 网关在注销后仍保持运行。
+      - 可能会提示输入 sudo（会写入 `/var/lib/systemd/linger`）；它会先尝试不使用 sudo。
+    - **运行时选择：** Node（推荐；WhatsApp/Telegram 必需）。**不推荐** Bun。
+    - 如果 token 认证需要 token，并且 `gateway.auth.token` 由 SecretRef 管理，则守护进程安装会验证它，但不会将解析出的明文 token 值持久化到 supervisor 服务环境元数据中。
+    - 如果 token 认证需要 token，但配置的 token SecretRef 尚未解析，则会阻止守护进程安装，并给出可执行指导。
+    - 如果同时配置了 `gateway.auth.token` 和 `gateway.auth.password`，且 `gateway.auth.mode` 未设置，则会阻止守护进程安装，直到显式设置 mode。
+  </Step>
+  <Step title="健康检查">
+    - 启动 Gateway 网关（如果需要）并运行 `openclaw health`。
+    - 提示：`openclaw status --deep` 会在状态输出中添加 Gateway 网关健康探测（需要能访问到 Gateway 网关）。
+  </Step>
+  <Step title="Skills（推荐）">
+    - 读取可用的 Skills 并检查要求。
+    - 让你选择一个 node manager：**npm / pnpm**（不推荐 bun）。
+    - 安装可选依赖（某些在 macOS 上使用 Homebrew）。
+  </Step>
+  <Step title="完成">
+    - 摘要 + 后续步骤，包括可提供额外功能的 iOS/Android/macOS 应用。
+  </Step>
+</Steps>
+
+<Note>
+如果未检测到 GUI，向导会打印用于访问 Control UI 的 SSH 端口转发说明，而不是打开浏览器。
+如果缺少 Control UI 资源，向导会尝试构建它们；回退方式是 `pnpm ui:build`（会自动安装 UI 依赖）。
+</Note>
+
+## 非交互模式
+
+使用 `--non-interactive` 自动化或脚本化新手引导：
+
+```bash
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice apiKey \
+  --anthropic-api-key "$ANTHROPIC_API_KEY" \
+  --gateway-port 18789 \
+  --gateway-bind loopback \
+  --install-daemon \
+  --daemon-runtime node \
+  --skip-skills
+```
+
+添加 `--json` 可获得机器可读摘要。
+
+在非交互模式中使用 Gateway token SecretRef：
+
+```bash
+export OPENCLAW_GATEWAY_TOKEN="your-token"
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice skip \
+  --gateway-auth token \
+  --gateway-token-ref-env OPENCLAW_GATEWAY_TOKEN
+```
+
+`--gateway-token` 和 `--gateway-token-ref-env` 互斥。
+
+<Note>
+`--json` **并不**意味着非交互模式。脚本中请使用 `--non-interactive`（以及 `--workspace`）。
+</Note>
+
+特定提供商的命令示例位于 [CLI Automation](/start/wizard-cli-automation#provider-specific-examples)。
+本参考页用于说明标志语义和步骤顺序。
+
+### 添加智能体（非交互）
+
+```bash
+openclaw agents add work \
+  --workspace ~/.openclaw/workspace-work \
+  --model openai/gpt-5.2 \
+  --bind whatsapp:biz \
+  --non-interactive \
+  --json
+```
+
+## Gateway 网关向导 RPC
+
+Gateway 网关通过 RPC 暴露向导流程（`wizard.start`、`wizard.next`、`wizard.cancel`、`wizard.status`）。
+客户端（macOS 应用、Control UI）可以渲染这些步骤，而无需重新实现新手引导逻辑。
+
+## Signal 设置（signal-cli）
+
+向导可以从 GitHub releases 安装 `signal-cli`：
+
+- 下载适合的发布资源。
+- 将其存储到 `~/.openclaw/tools/signal-cli/<version>/` 下。
+- 将 `channels.signal.cliPath` 写入你的配置。
+
+说明：
+
+- JVM 构建需要 **Java 21**。
+- 在可用时会使用原生构建。
+- Windows 使用 WSL2；`signal-cli` 安装会在 WSL 中遵循 Linux 流程。
+
+## 向导会写入的内容
+
+`~/.openclaw/openclaw.json` 中的典型字段：
+
+- `agents.defaults.workspace`
+- `agents.defaults.model` / `models.providers`（如果选择了 Minimax）
+- `tools.profile`（本地新手引导在未设置时默认为 `"coding"`；已有的显式值会被保留）
+- `gateway.*`（mode、bind、auth、tailscale）
+- `session.dmScope`（行为细节： [CLI 设置参考](/start/wizard-cli-reference#outputs-and-internals)）
+- `channels.telegram.botToken`、`channels.discord.token`、`channels.signal.*`、`channels.imessage.*`
+- 当你在提示中选择启用时，渠道允许列表（Slack/Discord/Matrix/Microsoft Teams）（名称会在可能时解析为 ID）。
+- `skills.install.nodeManager`
+- `wizard.lastRunAt`
+- `wizard.lastRunVersion`
+- `wizard.lastRunCommit`
+- `wizard.lastRunCommand`
+- `wizard.lastRunMode`
+
+`openclaw agents add` 会写入 `agents.list[]` 和可选的 `bindings`。
+
+WhatsApp 凭证位于 `~/.openclaw/credentials/whatsapp/<accountId>/` 下。
+会话存储在 `~/.openclaw/agents/<agentId>/sessions/` 下。
+
+某些渠道以插件形式提供。当你在设置期间选择其中一个时，向导
+会提示先安装它（npm 或本地路径），然后才能配置。
+
+## 相关文档
+
+- 向导概览： [设置向导](/start/wizard)
+- macOS 应用新手引导： [新手引导](/start/onboarding)
+- 配置参考： [Gateway 配置](/gateway/configuration)
+- 提供商： [WhatsApp](/channels/whatsapp)、[Telegram](/channels/telegram)、[Discord](/channels/discord)、[Google Chat](/channels/googlechat)、[Signal](/channels/signal)、[BlueBubbles](/channels/bluebubbles)（iMessage）、[iMessage](/channels/imessage)（旧版）
+- Skills： [Skills](/tools/skills)、[Skills 配置](/tools/skills-config)
diff --git a/docs/zh-CN/start/getting-started.md b/docs/zh-CN/start/getting-started.md
index c144bd053bc..39e3fb3829f 100644
--- a/docs/zh-CN/start/getting-started.md
+++ b/docs/zh-CN/start/getting-started.md
@@ -1,206 +1,143 @@
 ---
 read_when:
-  - 从零开始首次设置
-  - 你想要从安装 → 新手引导 → 第一条消息的最快路径
-summary: 新手指南：从零到第一条消息（向导、认证、渠道、配对）
+  - 从零开始进行首次设置
+  - 你想用最快的路径开始可用聊天
+summary: 在几分钟内安装 OpenClaw 并开始你的第一次聊天。
 title: 入门指南
 x-i18n:
-  generated_at: "2026-02-03T07:54:14Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 78cfa02eb2e4ea1a83e18edd99d142dbae707ec063e8d74c9a54f94581aa067f
+  generated_at: "2026-03-16T06:27:55Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 47583047c1a603c1254d2540846452ad321d12bc7fc3f24e5def9282ee96f415
   source_path: start/getting-started.md
   workflow: 15
 ---
 
 # 入门指南
 
-目标：尽快从**零**到**第一个可用聊天**（使用合理的默认值）。
+目标：以最少的设置，从零开始到完成第一次可用聊天。
 
-最快聊天：打开 Control UI（无需渠道设置）。运行 `openclaw dashboard` 并在浏览器中聊天，或在 Gateway 网关主机上打开 `http://127.0.0.1:18789/`。文档：[Dashboard](/web/dashboard) 和 [Control UI](/web/control-ui)。
+<Info>
+最快的聊天方式：打开 Control UI（无需设置渠道）。运行 `openclaw dashboard`
+并在浏览器中聊天，或在
+<Tooltip headline="Gateway host" tip="运行 OpenClaw Gateway 网关服务的机器。">网关主机</Tooltip>
+上打开 `http://127.0.0.1:18789/`。
+文档：[Dashboard](/web/dashboard) 和 [Control UI](/web/control-ui)。
+</Info>
 
-推荐路径：使用 **CLI 新手引导向导**（`openclaw onboard`）。它设置：
+## 前置条件
 
-- 模型/认证（推荐 OAuth）
-- Gateway 网关设置
-- 渠道（WhatsApp/Telegram/Discord/Mattermost（插件）/...）
-- 配对默认值（安全私信）
-- 工作区引导 + Skills
-- 可选的后台服务
+- 推荐使用 Node 24（Node 22 LTS，目前为 `22.16+`，仍因兼容性而受支持）
 
-如果你想要更深入的参考页面，跳转到：[向导](/start/wizard)、[设置](/start/setup)、[配对](/channels/pairing)、[安全](/gateway/security)。
+<Tip>
+如果你不确定，请使用 `node --version` 检查你的 Node 版本。
+</Tip>
 
-沙箱注意事项：`agents.defaults.sandbox.mode: "non-main"` 使用 `session.mainKey`（默认 `"main"`），因此群组/渠道会话会被沙箱隔离。如果你想要主智能体始终在主机上运行，设置显式的每智能体覆盖：
+## 快速设置（CLI）
 
-```json
-{
-  "routing": {
-    "agents": {
-      "main": {
-        "workspace": "~/.openclaw/workspace",
-        "sandbox": { "mode": "off" }
-      }
-    }
-  }
-}
-```
+<Steps>
+  <Step title="安装 OpenClaw（推荐）">
+    <Tabs>
+      <Tab title="macOS/Linux">
+        ```bash
+        curl -fsSL https://openclaw.ai/install.sh | bash
+        ```
+        <img
+  src="/assets/install-script.svg"
+  alt="安装脚本流程"
+  className="rounded-lg"
+/>
+      </Tab>
+      <Tab title="Windows（PowerShell）">
+        ```powershell
+        iwr -useb https://openclaw.ai/install.ps1 | iex
+        ```
+      </Tab>
+    </Tabs>
 
-## 0) 前置条件
+    <Note>
+    其他安装方式和要求： [Install](/install)。
+    </Note>
 
-- Node `>=22`
-- `pnpm`（可选；如果从源代码构建则推荐）
-- **推荐：**Brave Search API 密钥用于网页搜索。最简单的方式：`openclaw configure --section web`（存储 `tools.web.search.apiKey`）。参见 [Web 工具](/tools/web)。
+  </Step>
+  <Step title="运行设置向导">
+    ```bash
+    openclaw onboard --install-daemon
+    ```
 
-macOS：如果你计划构建应用，安装 Xcode / CLT。仅用于 CLI + Gateway 网关的话，Node 就足够了。
-Windows：使用 **WSL2**（推荐 Ubuntu）。强烈推荐 WSL2；原生 Windows 未经测试，问题更多，工具兼容性更差。先安装 WSL2，然后在 WSL 内运行 Linux 步骤。参见 [Windows (WSL2)](/platforms/windows)。
+    向导会配置认证、Gateway 网关设置和可选渠道。
+    详情请参见 [Setup Wizard](/start/wizard)。
 
-## 1) 安装 CLI（推荐）
+  </Step>
+  <Step title="检查 Gateway 网关">
+    如果你已安装服务，它应该已经在运行：
 
-```bash
-curl -fsSL https://openclaw.ai/install.sh | bash
-```
+    ```bash
+    openclaw gateway status
+    ```
 
-安装程序选项（安装方法、非交互式、从 GitHub）：[安装](/install)。
+  </Step>
+  <Step title="打开 Control UI">
+    ```bash
+    openclaw dashboard
+    ```
+  </Step>
+</Steps>
 
-Windows (PowerShell)：
+<Check>
+如果 Control UI 能加载，你的 Gateway 网关就已准备就绪，可以使用。
+</Check>
 
-```powershell
-iwr -useb https://openclaw.ai/install.ps1 | iex
-```
+## 可选检查和附加内容
 
-替代方案（全局安装）：
+<AccordionGroup>
+  <Accordion title="在前台运行 Gateway 网关">
+    适合快速测试或故障排除。
 
-```bash
-npm install -g openclaw@latest
-```
+    ```bash
+    openclaw gateway --port 18789
+    ```
 
-```bash
-pnpm add -g openclaw@latest
-```
+  </Accordion>
+  <Accordion title="发送一条测试消息">
+    需要已配置的渠道。
 
-## 2) 运行新手引导向导（并安装服务）
+    ```bash
+    openclaw message send --target +15555550123 --message "Hello from OpenClaw"
+    ```
 
-```bash
-openclaw onboard --install-daemon
-```
+  </Accordion>
+</AccordionGroup>
 
-你将选择：
+## 常用环境变量
 
-- **本地 vs 远程** Gateway 网关
-- **认证**：OpenAI Code (Codex) 订阅（OAuth）或 API 密钥。对于 Anthropic 我们推荐 API 密钥；也支持 `claude setup-token`。
-- **提供商**：WhatsApp QR 登录、Telegram/Discord 机器人令牌、Mattermost 插件令牌等。
-- **守护进程**：后台安装（launchd/systemd；WSL2 使用 systemd）
-  - **运行时**：Node（推荐；WhatsApp/Telegram 必需）。**不推荐** Bun。
-- **Gateway 网关令牌**：向导默认生成一个（即使在 loopback 上）并存储在 `gateway.auth.token`。
+如果你将 OpenClaw 作为服务账户运行，或想使用自定义配置/状态位置：
 
-向导文档：[向导](/start/wizard)
+- `OPENCLAW_HOME` 设置用于内部路径解析的主目录。
+- `OPENCLAW_STATE_DIR` 覆盖状态目录。
+- `OPENCLAW_CONFIG_PATH` 覆盖配置文件路径。
 
-### 凭证：存储位置（重要）
+完整的环境变量参考： [环境变量](/help/environment)。
 
-- **推荐的 Anthropic 路径：**设置 API 密钥（向导可以为服务使用存储它）。如果你想复用 Claude Code 凭证，也支持 `claude setup-token`。
+## 深入了解
 
-- OAuth 凭证（旧版导入）：`~/.openclaw/credentials/oauth.json`
-- 认证配置文件（OAuth + API 密钥）：`~/.openclaw/agents/<agentId>/agent/auth-profiles.json`
+<Columns>
+  <Card title="设置向导（详情）" href="/start/wizard">
+    完整的 CLI 向导参考和高级选项。
+  </Card>
+  <Card title="macOS 应用新手引导" href="/start/onboarding">
+    macOS 应用的首次运行流程。
+  </Card>
+</Columns>
 
-无头/服务器提示：先在普通机器上完成 OAuth，然后将 `oauth.json` 复制到 Gateway 网关主机。
+## 你将获得什么
 
-## 3) 启动 Gateway 网关
+- 一个正在运行的 Gateway 网关
+- 已配置好的认证
+- Control UI 访问权限或一个已连接的渠道
 
-如果你在新手引导期间安装了服务，Gateway 网关应该已经在运行：
+## 后续步骤
 
-```bash
-openclaw gateway status
-```
-
-手动运行（前台）：
-
-```bash
-openclaw gateway --port 18789 --verbose
-```
-
-Dashboard（local loopback）：`http://127.0.0.1:18789/`
-如果配置了令牌，将其粘贴到 Control UI 设置中（存储为 `connect.params.auth.token`）。
-
-⚠️ **Bun 警告（WhatsApp + Telegram）：**Bun 与这些渠道存在已知问题。如果你使用 WhatsApp 或 Telegram，请使用 **Node** 运行 Gateway 网关。
-
-## 3.5) 快速验证（2 分钟）
-
-```bash
-openclaw status
-openclaw health
-openclaw security audit --deep
-```
-
-## 4) 配对 + 连接你的第一个聊天界面
-
-### WhatsApp（QR 登录）
-
-```bash
-openclaw channels login
-```
-
-通过 WhatsApp → 设置 → 链接设备扫描。
-
-WhatsApp 文档：[WhatsApp](/channels/whatsapp)
-
-### Telegram / Discord / 其他
-
-向导可以为你写入令牌/配置。如果你更喜欢手动配置，从这里开始：
-
-- Telegram：[Telegram](/channels/telegram)
-- Discord：[Discord](/channels/discord)
-- Mattermost（插件）：[Mattermost](/channels/mattermost)
-
-**Telegram 私信提示：**你的第一条私信会返回配对码。批准它（见下一步），否则机器人不会响应。
-
-## 5) 私信安全（配对审批）
-
-默认姿态：未知私信会获得一个短代码，消息在批准之前不会被处理。如果你的第一条私信没有收到回复，批准配对：
-
-```bash
-openclaw pairing list whatsapp
-openclaw pairing approve whatsapp <code>
-```
-
-配对文档：[配对](/channels/pairing)
-
-## 从源代码（开发）
-
-如果你正在开发 OpenClaw 本身，从源代码运行：
-
-```bash
-git clone https://github.com/openclaw/openclaw.git
-cd openclaw
-pnpm install
-pnpm ui:build # 首次运行时自动安装 UI 依赖
-pnpm build
-openclaw onboard --install-daemon
-```
-
-如果你还没有全局安装，从仓库通过 `pnpm openclaw ...` 运行新手引导步骤。`pnpm build` 也会打包 A2UI 资源；如果你只需要运行那个步骤，使用 `pnpm canvas:a2ui:bundle`。
-
-Gateway 网关（从此仓库）：
-
-```bash
-node openclaw.mjs gateway --port 18789 --verbose
-```
-
-## 7) 验证端到端
-
-在新终端中，发送测试消息：
-
-```bash
-openclaw message send --target +15555550123 --message "Hello from OpenClaw"
-```
-
-如果 `openclaw health` 显示"未配置认证"，回到向导设置 OAuth/密钥认证——没有它智能体将无法响应。
-
-提示：`openclaw status --all` 是最佳的可粘贴、只读调试报告。
-健康探测：`openclaw health`（或 `openclaw status --deep`）向运行中的 Gateway 网关请求健康快照。
-
-## 下一步（可选，但很棒）
-
-- macOS 菜单栏应用 + 语音唤醒：[macOS 应用](/platforms/macos)
-- iOS/Android 节点（Canvas/相机/语音）：[节点](/nodes)
-- 远程访问（SSH 隧道 / Tailscale Serve）：[远程访问](/gateway/remote) 和 [Tailscale](/gateway/tailscale)
-- 常开 / VPN 设置：[远程访问](/gateway/remote)、[exe.dev](/install/exe-dev)、[Hetzner](/install/hetzner)、[macOS 远程](/platforms/mac/remote)
+- 私信安全和批准：[Pairing](/channels/pairing)
+- 连接更多渠道：[Channels](/channels)
+- 高级工作流和源码安装：[Setup](/start/setup)
diff --git a/docs/zh-CN/start/onboarding-overview.md b/docs/zh-CN/start/onboarding-overview.md
new file mode 100644
index 00000000000..524bd8b33f5
--- /dev/null
+++ b/docs/zh-CN/start/onboarding-overview.md
@@ -0,0 +1,58 @@
+---
+read_when:
+  - 选择一种新手引导路径
+  - 设置新环境
+sidebarTitle: Onboarding Overview
+summary: OpenClaw 新手引导选项与流程概览
+title: 新手引导概览
+x-i18n:
+  generated_at: "2026-03-16T06:27:56Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 8a22945f0780515be7ec1b94b5ff486828cf9b8f060ab598a31eb17ee0a5c60b
+  source_path: start/onboarding-overview.md
+  workflow: 15
+---
+
+# 新手引导概览
+
+OpenClaw 支持多种新手引导路径，具体取决于 Gateway 网关运行的位置
+以及你偏好的提供商配置方式。
+
+## 选择你的新手引导路径
+
+- 适用于 macOS、Linux 和 Windows（通过 WSL2）的 **CLI 向导**。
+- 适用于 Apple silicon 或 Intel Mac 的 **macOS 应用**，提供引导式首次运行体验。
+
+## CLI 设置向导
+
+在终端中运行向导：
+
+```bash
+openclaw onboard
+```
+
+当你希望完全控制 Gateway 网关、工作区、
+渠道和 Skills 时，请使用 CLI 向导。文档：
+
+- [设置向导（CLI）](/start/wizard)
+- [`openclaw onboard` 命令](/cli/onboard)
+
+## macOS 应用新手引导
+
+如果你希望在 macOS 上使用完全引导式设置，请使用 OpenClaw 应用。文档：
+
+- [新手引导（macOS 应用）](/start/onboarding)
+
+## 自定义提供商
+
+如果你需要一个未列出的端点，包括那些
+公开标准 OpenAI 或 Anthropic API 的托管提供商，请在
+CLI 向导中选择 **Custom Provider**。系统会要求你：
+
+- 选择兼容 OpenAI、兼容 Anthropic，或 **Unknown**（自动检测）。
+- 输入基础 URL 和 API 密钥（如果提供商需要）。
+- 提供模型 ID 和可选别名。
+- 选择一个 Endpoint ID，以便多个自定义端点可以共存。
+
+如需详细步骤，请按照上面的 CLI 新手引导文档操作。
diff --git a/docs/zh-CN/start/wizard-cli-automation.md b/docs/zh-CN/start/wizard-cli-automation.md
new file mode 100644
index 00000000000..7a13cd2a10e
--- /dev/null
+++ b/docs/zh-CN/start/wizard-cli-automation.md
@@ -0,0 +1,222 @@
+---
+read_when:
+  - 你正在脚本或 CI 中自动化新手引导
+  - 你需要特定提供商的非交互式示例
+sidebarTitle: CLI automation
+summary: 用于 OpenClaw CLI 的脚本化新手引导和智能体设置
+title: CLI 自动化
+x-i18n:
+  generated_at: "2026-03-16T06:28:19Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 2a82c491616e8c1c2aa6ef5e19bde80b8cccd1e5f7684838b9ce704c33e41b0e
+  source_path: start/wizard-cli-automation.md
+  workflow: 15
+---
+
+# CLI 自动化
+
+使用 `--non-interactive` 自动化 `openclaw onboard`。
+
+<Note>
+`--json` 并不意味着非交互模式。对于脚本，请使用 `--non-interactive`（以及 `--workspace`）。
+</Note>
+
+## 基础非交互式示例
+
+```bash
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice apiKey \
+  --anthropic-api-key "$ANTHROPIC_API_KEY" \
+  --secret-input-mode plaintext \
+  --gateway-port 18789 \
+  --gateway-bind loopback \
+  --install-daemon \
+  --daemon-runtime node \
+  --skip-skills
+```
+
+添加 `--json` 可获得机器可读的摘要。
+
+使用 `--secret-input-mode ref` 可在认证配置文件中存储基于环境变量的引用，而不是明文值。
+在设置向导流程中，支持在环境变量引用与已配置的提供商引用（`file` 或 `exec`）之间进行交互式选择。
+
+在非交互式 `ref` 模式下，必须在进程环境中设置提供商环境变量。
+如果传入了内联密钥标志，但缺少匹配的环境变量，现在会快速失败。
+
+示例：
+
+```bash
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice openai-api-key \
+  --secret-input-mode ref \
+  --accept-risk
+```
+
+## 提供商专用示例
+
+<AccordionGroup>
+  <Accordion title="Gemini 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice gemini-api-key \
+      --gemini-api-key "$GEMINI_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="Z.AI 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice zai-api-key \
+      --zai-api-key "$ZAI_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="Vercel AI Gateway 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice ai-gateway-api-key \
+      --ai-gateway-api-key "$AI_GATEWAY_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="Cloudflare AI Gateway 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice cloudflare-ai-gateway-api-key \
+      --cloudflare-ai-gateway-account-id "your-account-id" \
+      --cloudflare-ai-gateway-gateway-id "your-gateway-id" \
+      --cloudflare-ai-gateway-api-key "$CLOUDFLARE_AI_GATEWAY_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="Moonshot 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice moonshot-api-key \
+      --moonshot-api-key "$MOONSHOT_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="Mistral 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice mistral-api-key \
+      --mistral-api-key "$MISTRAL_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="Synthetic 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice synthetic-api-key \
+      --synthetic-api-key "$SYNTHETIC_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="OpenCode 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice opencode-zen \
+      --opencode-zen-api-key "$OPENCODE_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+    对 Go 目录，可改用 `--auth-choice opencode-go --opencode-go-api-key "$OPENCODE_API_KEY"`。
+  </Accordion>
+  <Accordion title="Ollama 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice ollama \
+      --custom-model-id "qwen3.5:27b" \
+      --accept-risk \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="自定义提供商示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice custom-api-key \
+      --custom-base-url "https://llm.example.com/v1" \
+      --custom-model-id "foo-large" \
+      --custom-api-key "$CUSTOM_API_KEY" \
+      --custom-provider-id "my-custom" \
+      --custom-compatibility anthropic \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+
+    `--custom-api-key` 是可选的。如果省略，新手引导会检查 `CUSTOM_API_KEY`。
+
+    `ref` 模式变体：
+
+    ```bash
+    export CUSTOM_API_KEY="your-key"
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice custom-api-key \
+      --custom-base-url "https://llm.example.com/v1" \
+      --custom-model-id "foo-large" \
+      --secret-input-mode ref \
+      --custom-provider-id "my-custom" \
+      --custom-compatibility anthropic \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+
+    在此模式下，新手引导会将 `apiKey` 存储为 `{ source: "env", provider: "default", id: "CUSTOM_API_KEY" }`。
+
+  </Accordion>
+</AccordionGroup>
+
+## 添加另一个智能体
+
+使用 `openclaw agents add <name>` 创建一个单独的智能体，它拥有自己的工作区、
+会话和认证配置文件。不带 `--workspace` 运行会启动向导。
+
+```bash
+openclaw agents add work \
+  --workspace ~/.openclaw/workspace-work \
+  --model openai/gpt-5.2 \
+  --bind whatsapp:biz \
+  --non-interactive \
+  --json
+```
+
+它会设置：
+
+- `agents.list[].name`
+- `agents.list[].workspace`
+- `agents.list[].agentDir`
+
+说明：
+
+- 默认工作区遵循 `~/.openclaw/workspace-<agentId>`。
+- 添加 `bindings` 以路由入站消息（向导可以完成这项操作）。
+- 非交互式标志：`--model`、`--agent-dir`、`--bind`、`--non-interactive`。
+
+## 相关文档
+
+- 新手引导中心：[设置向导（CLI）](/start/wizard)
+- 完整参考：[CLI 设置参考](/start/wizard-cli-reference)
+- 命令参考：[`openclaw onboard`](/cli/onboard)
diff --git a/docs/zh-CN/start/wizard-cli-reference.md b/docs/zh-CN/start/wizard-cli-reference.md
new file mode 100644
index 00000000000..16d69e9b896
--- /dev/null
+++ b/docs/zh-CN/start/wizard-cli-reference.md
@@ -0,0 +1,306 @@
+---
+read_when:
+  - 你需要了解 `openclaw onboard` 的详细行为
+  - 你正在调试新手引导结果或集成新手引导客户端
+sidebarTitle: CLI reference
+summary: CLI 设置流程、身份验证/模型设置、输出和内部机制的完整参考
+title: CLI 设置参考
+x-i18n:
+  generated_at: "2026-03-16T06:28:34Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 6b9460013b6a0fbd59f639ade6b255c8d7f7412238495e78b942859ade695e86
+  source_path: start/wizard-cli-reference.md
+  workflow: 15
+---
+
+# CLI 设置参考
+
+本页是 `openclaw onboard` 的完整参考。
+简短指南请参见 [设置向导（CLI）](/start/wizard)。
+
+## 向导会执行什么
+
+本地模式（默认）会引导你完成以下内容：
+
+- 模型和身份验证设置（OpenAI Code 订阅 OAuth、Anthropic API 密钥或 setup token，以及 MiniMax、GLM、Ollama、Moonshot 和 AI Gateway 选项）
+- 工作区位置和 bootstrap 文件
+- Gateway 网关设置（端口、绑定、身份验证、tailscale）
+- 渠道和提供商（Telegram、WhatsApp、Discord、Google Chat、Mattermost 插件、Signal）
+- 守护进程安装（LaunchAgent 或 systemd 用户单元）
+- 健康检查
+- Skills 设置
+
+远程模式会将此机器配置为连接到其他位置的网关。
+它不会在远程主机上安装或修改任何内容。
+
+## 本地流程详情
+
+<Steps>
+  <Step title="现有配置检测">
+    - 如果 `~/.openclaw/openclaw.json` 存在，可选择 Keep、Modify 或 Reset。
+    - 重新运行向导不会清除任何内容，除非你明确选择 Reset（或传递 `--reset`）。
+    - CLI `--reset` 默认作用于 `config+creds+sessions`；使用 `--reset-scope full` 还会删除工作区。
+    - 如果配置无效或包含旧版键，向导会停止，并要求你先运行 `openclaw doctor` 再继续。
+    - Reset 使用 `trash`，并提供以下范围：
+      - 仅配置
+      - 配置 + 凭证 + 会话
+      - 完全重置（也会删除工作区）
+  </Step>
+  <Step title="模型和身份验证">
+    - 完整选项矩阵见 [身份验证和模型选项](#auth-and-model-options)。
+  </Step>
+  <Step title="工作区">
+    - 默认值为 `~/.openclaw/workspace`（可配置）。
+    - 会植入首次运行 bootstrap 仪式所需的工作区文件。
+    - 工作区布局：[智能体工作区](/concepts/agent-workspace)。
+  </Step>
+  <Step title="Gateway 网关">
+    - 会提示你输入端口、绑定、身份验证模式和 tailscale 暴露设置。
+    - 建议：即使仅用于 loopback，也保持启用令牌身份验证，这样本地 WS 客户端也必须进行身份验证。
+    - 在令牌模式下，交互式设置提供：
+      - **生成/存储明文令牌**（默认）
+      - **使用 SecretRef**（可选）
+    - 在密码模式下，交互式设置也支持明文或 SecretRef 存储。
+    - 非交互式令牌 SecretRef 路径：`--gateway-token-ref-env <ENV_VAR>`。
+      - 要求在新手引导进程环境中存在一个非空环境变量。
+      - 不能与 `--gateway-token` 组合使用。
+    - 仅当你完全信任每个本地进程时才禁用身份验证。
+    - 非 loopback 绑定仍然需要身份验证。
+  </Step>
+  <Step title="渠道">
+    - [WhatsApp](/channels/whatsapp)：可选 QR 登录
+    - [Telegram](/channels/telegram)：bot 令牌
+    - [Discord](/channels/discord)：bot 令牌
+    - [Google Chat](/channels/googlechat)：服务账号 JSON + webhook audience
+    - [Mattermost](/channels/mattermost) 插件：bot 令牌 + 基础 URL
+    - [Signal](/channels/signal)：可选 `signal-cli` 安装 + 账户配置
+    - [BlueBubbles](/channels/bluebubbles)：推荐用于 iMessage；服务器 URL + 密码 + webhook
+    - [iMessage](/channels/imessage)：旧版 `imsg` CLI 路径 + 数据库访问
+    - 私信安全：默认是配对。首次私信会发送一个代码；通过
+      `openclaw pairing approve <channel> <code>` 批准，或使用 allowlist。
+  </Step>
+  <Step title="守护进程安装">
+    - macOS：LaunchAgent
+      - 需要已登录的用户会话；对于无头环境，请使用自定义 LaunchDaemon（未随附）。
+    - Linux 和通过 WSL2 的 Windows：systemd 用户单元
+      - 向导会尝试执行 `loginctl enable-linger <user>`，使网关在注销后仍保持运行。
+      - 可能会提示输入 sudo（写入 `/var/lib/systemd/linger`）；会先尝试不使用 sudo。
+    - 运行时选择：Node（推荐；WhatsApp 和 Telegram 必需）。不建议使用 Bun。
+  </Step>
+  <Step title="健康检查">
+    - 启动 Gateway 网关（如有需要），并运行 `openclaw health`。
+    - `openclaw status --deep` 会在状态输出中添加 Gateway 网关健康探测。
+  </Step>
+  <Step title="Skills">
+    - 读取可用的 Skills 并检查要求。
+    - 让你选择 node 管理器：npm 或 pnpm（不建议使用 bun）。
+    - 安装可选依赖（部分依赖在 macOS 上使用 Homebrew）。
+  </Step>
+  <Step title="完成">
+    - 显示摘要和后续步骤，包括 iOS、Android 和 macOS 应用选项。
+  </Step>
+</Steps>
+
+<Note>
+如果未检测到 GUI，向导会打印用于控制 UI 的 SSH 端口转发说明，而不是打开浏览器。
+如果缺少控制 UI 资源，向导会尝试构建它们；回退命令为 `pnpm ui:build`（首次运行会自动安装 UI 依赖）。
+</Note>
+
+## 远程模式详情
+
+远程模式会将此机器配置为连接到其他位置的网关。
+
+<Info>
+远程模式不会在远程主机上安装或修改任何内容。
+</Info>
+
+你需要设置的内容：
+
+- 远程 Gateway 网关 URL（`ws://...`）
+- 如果远程 Gateway 网关需要身份验证，则设置令牌（推荐）
+
+<Note>
+- 如果网关仅绑定到 loopback，请使用 SSH 隧道或 tailnet。
+- 发现提示：
+  - macOS：Bonjour（`dns-sd`）
+  - Linux：Avahi（`avahi-browse`）
+</Note>
+
+## 身份验证和模型选项
+
+<AccordionGroup>
+  <Accordion title="Anthropic API 密钥">
+    如果存在 `ANTHROPIC_API_KEY` 则使用它，否则提示输入密钥，然后保存以供守护进程使用。
+  </Accordion>
+  <Accordion title="Anthropic OAuth（Claude Code CLI）">
+    - macOS：检查 Keychain 条目 “Claude Code-credentials”
+    - Linux 和 Windows：如果存在，则复用 `~/.claude/.credentials.json`
+
+    在 macOS 上，请选择 “Always Allow”，以免 launchd 启动被阻塞。
+
+  </Accordion>
+  <Accordion title="Anthropic token（粘贴 setup token）">
+    在任意机器上运行 `claude setup-token`，然后粘贴该令牌。
+    你可以为其命名；留空则使用默认值。
+  </Accordion>
+  <Accordion title="OpenAI Code 订阅（复用 Codex CLI）">
+    如果存在 `~/.codex/auth.json`，向导可以复用它。
+  </Accordion>
+  <Accordion title="OpenAI Code 订阅（OAuth）">
+    浏览器流程；粘贴 `code#state`。
+
+    当模型未设置或为 `openai/*` 时，将 `agents.defaults.model` 设置为 `openai-codex/gpt-5.4`。
+
+  </Accordion>
+  <Accordion title="OpenAI API 密钥">
+    如果存在 `OPENAI_API_KEY` 则使用它，否则提示输入密钥，然后将该凭证存储在 auth profile 中。
+
+    当模型未设置、为 `openai/*` 或 `openai-codex/*` 时，将 `agents.defaults.model` 设置为 `openai/gpt-5.1-codex`。
+
+  </Accordion>
+  <Accordion title="xAI（Grok）API 密钥">
+    提示输入 `XAI_API_KEY`，并将 xAI 配置为模型提供商。
+  </Accordion>
+  <Accordion title="OpenCode">
+    提示输入 `OPENCODE_API_KEY`（或 `OPENCODE_ZEN_API_KEY`），并让你选择 Zen 或 Go 目录。
+    设置 URL：[opencode.ai/auth](https://opencode.ai/auth)。
+  </Accordion>
+  <Accordion title="API 密钥（通用）">
+    会为你存储该密钥。
+  </Accordion>
+  <Accordion title="Vercel AI Gateway">
+    提示输入 `AI_GATEWAY_API_KEY`。
+    更多详情：[Vercel AI Gateway](/providers/vercel-ai-gateway)。
+  </Accordion>
+  <Accordion title="Cloudflare AI Gateway">
+    提示输入账户 ID、Gateway ID 和 `CLOUDFLARE_AI_GATEWAY_API_KEY`。
+    更多详情：[Cloudflare AI Gateway](/providers/cloudflare-ai-gateway)。
+  </Accordion>
+  <Accordion title="MiniMax M2.5">
+    配置会自动写入。
+    更多详情：[MiniMax](/providers/minimax)。
+  </Accordion>
+  <Accordion title="Synthetic（兼容 Anthropic）">
+    提示输入 `SYNTHETIC_API_KEY`。
+    更多详情：[Synthetic](/providers/synthetic)。
+  </Accordion>
+  <Accordion title="Ollama（Cloud 和本地开放模型）">
+    提示输入基础 URL（默认 `http://127.0.0.1:11434`），然后提供 Cloud + Local 或 Local 模式。
+    会发现可用模型并建议默认值。
+    更多详情：[Ollama](/providers/ollama)。
+  </Accordion>
+  <Accordion title="Moonshot 和 Kimi Coding">
+    Moonshot（Kimi K2）和 Kimi Coding 配置会自动写入。
+    更多详情：[Moonshot AI（Kimi + Kimi Coding）](/providers/moonshot)。
+  </Accordion>
+  <Accordion title="自定义提供商">
+    适用于兼容 OpenAI 和兼容 Anthropic 的端点。
+
+    交互式新手引导支持与其他提供商 API 密钥流程相同的 API 密钥存储选项：
+    - **现在粘贴 API 密钥**（明文）
+    - **使用密钥引用**（环境变量引用或已配置提供商引用，并带有预检验证）
+
+    非交互式标志：
+    - `--auth-choice custom-api-key`
+    - `--custom-base-url`
+    - `--custom-model-id`
+    - `--custom-api-key`（可选；回退到 `CUSTOM_API_KEY`）
+    - `--custom-provider-id`（可选）
+    - `--custom-compatibility <openai|anthropic>`（可选；默认 `openai`）
+
+  </Accordion>
+  <Accordion title="跳过">
+    保持身份验证未配置。
+  </Accordion>
+</AccordionGroup>
+
+模型行为：
+
+- 从检测到的选项中选择默认模型，或手动输入提供商和模型。
+- 向导会执行模型检查，并在配置的模型未知或缺少身份验证时发出警告。
+
+凭证和配置档案路径：
+
+- OAuth 凭证：`~/.openclaw/credentials/oauth.json`
+- Auth profile（API 密钥 + OAuth）：`~/.openclaw/agents/<agentId>/agent/auth-profiles.json`
+
+凭证存储模式：
+
+- 默认新手引导行为会将 API 密钥作为明文值持久化到 auth profile 中。
+- `--secret-input-mode ref` 会启用引用模式，而不是明文密钥存储。
+  在交互式设置中，你可以选择：
+  - 环境变量引用（例如 `keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" }`）
+  - 已配置提供商引用（`file` 或 `exec`），带提供商别名 + id
+- 交互式引用模式会在保存前运行快速预检验证。
+  - 环境变量引用：验证变量名 + 当前新手引导环境中的非空值。
+  - 提供商引用：验证提供商配置并解析所请求的 id。
+  - 如果预检失败，新手引导会显示错误并让你重试。
+- 在非交互式模式下，`--secret-input-mode ref` 仅支持由环境变量支持的引用。
+  - 在新手引导进程环境中设置提供商环境变量。
+  - 内联密钥标志（例如 `--openai-api-key`）要求设置该环境变量；否则新手引导会快速失败。
+  - 对于自定义提供商，非交互式 `ref` 模式会将 `models.providers.<id>.apiKey` 存储为 `{ source: "env", provider: "default", id: "CUSTOM_API_KEY" }`。
+  - 在这种自定义提供商场景下，`--custom-api-key` 要求设置 `CUSTOM_API_KEY`；否则新手引导会快速失败。
+- Gateway 网关身份验证凭证在交互式设置中支持明文和 SecretRef 选项：
+  - 令牌模式：**生成/存储明文令牌**（默认）或 **使用 SecretRef**。
+  - 密码模式：明文或 SecretRef。
+- 非交互式令牌 SecretRef 路径：`--gateway-token-ref-env <ENV_VAR>`。
+- 现有的明文设置会继续保持不变并正常工作。
+
+<Note>
+无头和服务器提示：在有浏览器的机器上完成 OAuth，然后复制
+`~/.openclaw/credentials/oauth.json`（或 `$OPENCLAW_STATE_DIR/credentials/oauth.json`）
+到 Gateway 网关主机。
+</Note>
+
+## 输出和内部机制
+
+`~/.openclaw/openclaw.json` 中的典型字段：
+
+- `agents.defaults.workspace`
+- `agents.defaults.model` / `models.providers`（如果选择了 Minimax）
+- `tools.profile`（本地新手引导在未设置时默认设为 `"coding"`；现有显式值会保留）
+- `gateway.*`（模式、绑定、身份验证、tailscale）
+- `session.dmScope`（本地新手引导在未设置时默认设为 `per-channel-peer`；现有显式值会保留）
+- `channels.telegram.botToken`、`channels.discord.token`、`channels.signal.*`、`channels.imessage.*`
+- 当你在提示中选择加入时的渠道 allowlist（Slack、Discord、Matrix、Microsoft Teams）（如果可能，名称会解析为 ID）
+- `skills.install.nodeManager`
+- `wizard.lastRunAt`
+- `wizard.lastRunVersion`
+- `wizard.lastRunCommit`
+- `wizard.lastRunCommand`
+- `wizard.lastRunMode`
+
+`openclaw agents add` 会写入 `agents.list[]` 和可选的 `bindings`。
+
+WhatsApp 凭证位于 `~/.openclaw/credentials/whatsapp/<accountId>/`。
+会话存储在 `~/.openclaw/agents/<agentId>/sessions/` 下。
+
+<Note>
+某些渠道以插件形式交付。在设置期间选择这些渠道时，向导
+会先提示安装插件（npm 或本地路径），然后再进行渠道配置。
+</Note>
+
+Gateway 网关向导 RPC：
+
+- `wizard.start`
+- `wizard.next`
+- `wizard.cancel`
+- `wizard.status`
+
+客户端（macOS 应用和控制 UI）可以在不重新实现新手引导逻辑的情况下渲染步骤。
+
+Signal 设置行为：
+
+- 下载适当的发布资源
+- 将其存储在 `~/.openclaw/tools/signal-cli/<version>/`
+- 在配置中写入 `channels.signal.cliPath`
+- JVM 构建需要 Java 21
+- 在可用时使用原生构建
+- Windows 使用 WSL2，并在 WSL 内遵循 Linux 的 signal-cli 流程
+
+## 相关文档
+
+- 新手引导中心：[设置向导（CLI）](/start/wizard)
+- 自动化和脚本：[CLI 自动化](/start/wizard-cli-automation)
+- 命令参考：[`openclaw onboard`](/cli/onboard)
diff --git a/docs/zh-CN/start/wizard.md b/docs/zh-CN/start/wizard.md
index 80569b671dd..0be36f3cdfb 100644
--- a/docs/zh-CN/start/wizard.md
+++ b/docs/zh-CN/start/wizard.md
@@ -1,331 +1,132 @@
 ---
 read_when:
-  - 运行或配置新手引导向导
-  - 设置新机器
-summary: CLI 新手引导向导：引导式配置 Gateway 网关、工作区、渠道和 Skills
-title: 新手引导向导
+  - 运行或配置设置向导
+  - 设置一台新机器
+sidebarTitle: "Onboarding: CLI"
+summary: CLI 设置向导：用于 Gateway 网关、工作区、渠道和 Skills 的引导式设置
+title: 设置向导（CLI）
 x-i18n:
-  generated_at: "2026-02-03T09:20:27Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 45e10d31048d927ee6546e35b050914f0e6e21a4dee298b3b277eebe7c133732
+  generated_at: "2026-03-16T06:28:38Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 99fd87dddd78798eb0087ad9433e5a32de2af110b6e65ee351b1a194a11c7df3
   source_path: start/wizard.md
   workflow: 15
 ---
 
-# 新手引导向导（CLI）
+# 设置向导（CLI）
 
-新手引导向导是在 macOS、Linux 或 Windows（通过 WSL2；强烈推荐）上设置 OpenClaw 的**推荐**方式。
-它可以在一个引导式流程中配置本地 Gateway 网关或远程 Gateway 网关连接，以及渠道、Skills 和工作区默认值。
-
-主要入口：
+设置向导是在 macOS、
+Linux 或 Windows（通过 WSL2；强烈推荐）上设置 OpenClaw 的**推荐**方式。
+它可在一次引导式流程中配置本地 Gateway 网关或远程 Gateway 网关连接，以及渠道、Skills
+和工作区默认值。
 
 ```bash
 openclaw onboard
 ```
 
-最快开始聊天的方式：打开控制界面（无需设置渠道）。运行 `openclaw dashboard` 并在浏览器中聊天。文档：[控制面板](/web/dashboard)。
+<Info>
+最快的首次聊天方式：打开 Control UI（无需设置渠道）。运行
+`openclaw dashboard` 并在浏览器中聊天。文档：[Dashboard](/web/dashboard)。
+</Info>
 
-后续重新配置：
+若要稍后重新配置：
 
 ```bash
 openclaw configure
-```
-
-推荐：设置 Brave Search API 密钥，以便智能体可以使用 `web_search`（`web_fetch` 无需密钥即可使用）。最简单的方式：`openclaw configure --section web`，它会存储 `tools.web.search.apiKey`。文档：[Web 工具](/tools/web)。
-
-## 快速开始 vs 高级
-
-向导从**快速开始**（默认值）vs **高级**（完全控制）开始。
-
-**快速开始**保持默认值：
-
-- 本地 Gateway 网关（loopback）
-- 默认工作区（或现有工作区）
-- Gateway 网关端口 **18789**
-- Gateway 网关认证 **Token**（自动生成，即使在 loopback 上）
-- Tailscale 暴露 **关闭**
-- Telegram + WhatsApp 私信默认使用**允许列表**（系统会提示你输入电话号码）
-
-**高级**暴露每个步骤（模式、工作区、Gateway 网关、渠道、守护进程、Skills）。
-
-## 向导做了什么
-
-**本地模式（默认）**引导你完成：
-
-- 模型/认证（OpenAI Code (Codex) 订阅 OAuth、Anthropic API 密钥（推荐）或 setup-token（粘贴），以及 MiniMax/GLM/Moonshot/AI Gateway 选项）
-- 工作区位置 + 引导文件
-- Gateway 网关设置（端口/绑定/认证/tailscale）
-- 提供商（Telegram、WhatsApp、Discord、Google Chat、Mattermost（插件）、Signal）
-- 守护进程安装（LaunchAgent / systemd 用户单元）
-- 健康检查
-- Skills（推荐）
-
-**远程模式**仅配置本地客户端连接到其他位置的 Gateway 网关。
-它**不会**在远程主机上安装或更改任何内容。
-
-要添加更多隔离的智能体（独立的工作区 + 会话 + 认证），使用：
-
-```bash
 openclaw agents add <name>
 ```
 
-提示：`--json` **不**意味着非交互模式。脚本中请使用 `--non-interactive`（和 `--workspace`）。
+<Note>
+`--json` 并不意味着非交互模式。对于脚本，请使用 `--non-interactive`。
+</Note>
 
-## 流程详情（本地）
+<Tip>
+设置向导包含一个 web search 步骤，你可以选择一个提供商
+（Perplexity、Brave、Gemini、Grok 或 Kimi），并粘贴你的 API 密钥，以便智能体
+可以使用 `web_search`。你也可以稍后通过
+`openclaw configure --section web` 进行配置。文档：[Web 工具](/tools/web)。
+</Tip>
 
-1. **现有配置检测**
-   - 如果 `~/.openclaw/openclaw.json` 存在，选择**保留 / 修改 / 重置**。
-   - 重新运行向导**不会**清除任何内容，除非你明确选择**重置**（或传递 `--reset`）。
-   - 如果配置无效或包含遗留键名，向导会停止并要求你在继续之前运行 `openclaw doctor`。
-   - 重置使用 `trash`（永不使用 `rm`）并提供范围选项：
-     - 仅配置
-     - 配置 + 凭证 + 会话
-     - 完全重置（同时删除工作区）
+## 快速开始与高级模式
 
-2. **模型/认证**
-   - **Anthropic API 密钥（推荐）**：如果存在则使用 `ANTHROPIC_API_KEY`，否则提示输入密钥，然后保存供守护进程使用。
-   - **Anthropic OAuth（Claude Code CLI）**：在 macOS 上，向导检查钥匙串项目"Claude Code-credentials"（选择"始终允许"以便 launchd 启动不会阻塞）；在 Linux/Windows 上，如果存在则复用 `~/.claude/.credentials.json`。
-   - **Anthropic 令牌（粘贴 setup-token）**：在任何机器上运行 `claude setup-token`，然后粘贴令牌（你可以命名它；空白 = 默认）。
-   - **OpenAI Code (Codex) 订阅（Codex CLI）**：如果 `~/.codex/auth.json` 存在，向导可以复用它。
-   - **OpenAI Code (Codex) 订阅（OAuth）**：浏览器流程；粘贴 `code#state`。
-     - 当模型未设置或为 `openai/*` 时，将 `agents.defaults.model` 设置为 `openai-codex/gpt-5.2`。
-   - **OpenAI API 密钥**：如果存在则使用 `OPENAI_API_KEY`，否则提示输入密钥，然后保存到 `~/.openclaw/.env` 以便 launchd 可以读取。
-   - **OpenCode Zen（多模型代理）**：提示输入 `OPENCODE_API_KEY`（或 `OPENCODE_ZEN_API_KEY`，在 https://opencode.ai/auth 获取）。
-   - **API 密钥**：为你存储密钥。
-   - **Vercel AI Gateway（多模型代理）**：提示输入 `AI_GATEWAY_API_KEY`。
-   - 更多详情：[Vercel AI Gateway](/providers/vercel-ai-gateway)
-   - **MiniMax M2.1**：自动写入配置。
-   - 更多详情：[MiniMax](/providers/minimax)
-   - **Synthetic（Anthropic 兼容）**：提示输入 `SYNTHETIC_API_KEY`。
-   - 更多详情：[Synthetic](/providers/synthetic)
-   - **Moonshot（Kimi K2）**：自动写入配置。
-   - **Kimi Coding**：自动写入配置。
-   - 更多详情：[Moonshot AI（Kimi + Kimi Coding）](/providers/moonshot)
-   - **跳过**：尚未配置认证。
-   - 从检测到的选项中选择默认模型（或手动输入提供商/模型）。
-   - 向导运行模型检查，如果配置的模型未知或缺少认证则发出警告。
+向导开始时会让你选择**快速开始**（默认值）或**高级模式**（完全控制）。
 
-- OAuth 凭证存储在 `~/.openclaw/credentials/oauth.json`；认证配置文件存储在 `~/.openclaw/agents/<agentId>/agent/auth-profiles.json`（API 密钥 + OAuth）。
-- 更多详情：[/concepts/oauth](/concepts/oauth)
+<Tabs>
+  <Tab title="快速开始（默认值）">
+    - 本地网关（loopback）
+    - 默认工作区（或现有工作区）
+    - Gateway 网关端口 **18789**
+    - Gateway 网关认证 **Token**（即使在 loopback 上也会自动生成）
+    - 新本地设置的默认工具策略：`tools.profile: "coding"`（会保留现有显式配置文件）
+    - 私信隔离默认值：本地新手引导会在未设置时写入 `session.dmScope: "per-channel-peer"`。详情见：[CLI 设置参考](/start/wizard-cli-reference#outputs-and-internals)
+    - Tailscale 暴露 **关闭**
+    - Telegram + WhatsApp 私信默认使用 **allowlist**（系统会提示你输入电话号码）
+  </Tab>
+  <Tab title="高级模式（完全控制）">
+    - 暴露每一个步骤（模式、工作区、Gateway 网关、渠道、守护进程、Skills）。
+  </Tab>
+</Tabs>
 
-3. **工作区**
-   - 默认 `~/.openclaw/workspace`（可配置）。
-   - 为智能体引导仪式播种所需的工作区文件。
-   - 完整的工作区布局 + 备份指南：[智能体工作区](/concepts/agent-workspace)
+## 向导会配置什么
 
-4. **Gateway 网关**
-   - 端口、绑定、认证模式、tailscale 暴露。
-   - 认证建议：即使对于 loopback 也保持 **Token**，以便本地 WS 客户端必须进行认证。
-   - 仅当你完全信任每个本地进程时才禁用认证。
-   - 非 loopback 绑定仍需要认证。
+**本地模式（默认）**会引导你完成以下步骤：
 
-5. **渠道**
-   - [WhatsApp](/channels/whatsapp)：可选的二维码登录。
-   - [Telegram](/channels/telegram)：机器人令牌。
-   - [Discord](/channels/discord)：机器人令牌。
-   - [Google Chat](/channels/googlechat)：服务账户 JSON + webhook 受众。
-   - [Mattermost](/channels/mattermost)（插件）：机器人令牌 + 基础 URL。
-   - [Signal](/channels/signal)：可选的 `signal-cli` 安装 + 账户配置。
-   - [iMessage](/channels/imessage)：本地 `imsg` CLI 路径 + 数据库访问。
-   - 私信安全：默认为配对。第一条私信发送验证码；通过 `openclaw pairing approve <channel> <code>` 批准或使用允许列表。
+1. **模型/认证** —— 选择任意受支持的提供商/认证流程（API 密钥、OAuth 或 setup-token），包括自定义提供商
+   （兼容 OpenAI、兼容 Anthropic，或未知自动检测）。选择一个默认模型。
+   安全说明：如果这个智能体将运行工具或处理 webhook/hooks 内容，请优先选择当前可用的最强最新一代模型，并保持严格的工具策略。较弱/较旧的层级更容易被 prompt 注入。
+   对于非交互式运行，`--secret-input-mode ref` 会在认证配置文件中存储基于环境变量的引用，而不是明文 API 密钥值。
+   在非交互式 `ref` 模式下，必须设置提供商环境变量；如果传入内联密钥标志但缺少该环境变量，则会快速失败。
+   在交互式运行中，选择 secret reference 模式后，你可以指向环境变量或已配置的 provider ref（`file` 或 `exec`），并在保存前进行快速预检校验。
+2. **工作区** —— 智能体文件的位置（默认 `~/.openclaw/workspace`）。会植入引导文件。
+3. **Gateway 网关** —— 端口、绑定地址、认证模式、Tailscale 暴露。
+   在交互式 token 模式中，你可以选择默认的明文 token 存储，或选择启用 SecretRef。
+   非交互式 token SecretRef 路径：`--gateway-token-ref-env <ENV_VAR>`。
+4. **渠道** —— WhatsApp、Telegram、Discord、Google Chat、Mattermost、Signal、BlueBubbles 或 iMessage。
+5. **守护进程** —— 安装 LaunchAgent（macOS）或 systemd 用户单元（Linux/WSL2）。
+   如果 token 认证需要 token，且 `gateway.auth.token` 由 SecretRef 管理，守护进程安装会验证它，但不会将已解析的 token 持久化到监督服务的环境元数据中。
+   如果 token 认证需要 token，而已配置的 token SecretRef 无法解析，守护进程安装会被阻止，并提供可执行的指导。
+   如果同时配置了 `gateway.auth.token` 和 `gateway.auth.password`，而 `gateway.auth.mode` 未设置，守护进程安装会被阻止，直到显式设置 mode。
+6. **健康检查** —— 启动 Gateway 网关并验证其正在运行。
+7. **Skills** —— 安装推荐的 Skills 和可选依赖项。
 
-6. **守护进程安装**
-   - macOS：LaunchAgent
-     - 需要已登录的用户会话；对于无头环境，使用自定义 LaunchDaemon（未提供）。
-   - Linux（和通过 WSL2 的 Windows）：systemd 用户单元
-     - 向导尝试通过 `loginctl enable-linger <user>` 启用 lingering，以便 Gateway 网关在注销后保持运行。
-     - 可能提示 sudo（写入 `/var/lib/systemd/linger`）；它首先尝试不使用 sudo。
-   - **运行时选择：**Node（推荐；WhatsApp/Telegram 需要）。**不推荐** Bun。
+<Note>
+重新运行向导**不会**清除任何内容，除非你显式选择 **Reset**（或传入 `--reset`）。
+CLI `--reset` 默认会重置配置、凭证和会话；如需包含工作区，请使用 `--reset-scope full`。
+如果配置无效或包含旧版键，向导会先要求你运行 `openclaw doctor`。
+</Note>
 
-7. **健康检查**
-   - 启动 Gateway 网关（如果需要）并运行 `openclaw health`。
-   - 提示：`openclaw status --deep` 在状态输出中添加 Gateway 网关健康探测（需要可达的 Gateway 网关）。
-
-8. **Skills（推荐）**
-   - 读取可用的 Skills 并检查要求。
-   - 让你选择节点管理器：**npm / pnpm**（不推荐 bun）。
-   - 安装可选依赖项（某些在 macOS 上使用 Homebrew）。
-
-9. **完成**
-   - 总结 + 后续步骤，包括用于额外功能的 iOS/Android/macOS 应用。
-
-- 如果未检测到 GUI，向导会打印控制界面的 SSH 端口转发说明，而不是打开浏览器。
-- 如果控制界面资源缺失，向导会尝试构建它们；回退方案是 `pnpm ui:build`（自动安装 UI 依赖）。
-
-## 远程模式
-
-远程模式配置本地客户端连接到其他位置的 Gateway 网关。
-
-你将设置的内容：
-
-- 远程 Gateway 网关 URL（`ws://...`）
-- 如果远程 Gateway 网关需要认证则需要令牌（推荐）
-
-注意事项：
-
-- 不执行远程安装或守护进程更改。
-- 如果 Gateway 网关仅限 loopback，使用 SSH 隧道或 tailnet。
-- 发现提示：
-  - macOS：Bonjour（`dns-sd`）
-  - Linux：Avahi（`avahi-browse`）
+**远程模式**只会配置本地客户端以连接到其他地方的 Gateway 网关。
+它**不会**在远程主机上安装或更改任何内容。
 
 ## 添加另一个智能体
 
-使用 `openclaw agents add <name>` 创建一个具有独立工作区、会话和认证配置文件的单独智能体。不带 `--workspace` 运行会启动向导。
+使用 `openclaw agents add <name>` 创建一个单独的智能体，它拥有自己的工作区、
+会话和认证配置文件。不带 `--workspace` 运行会启动向导。
 
-它设置的内容：
+它会设置：
 
 - `agents.list[].name`
 - `agents.list[].workspace`
 - `agents.list[].agentDir`
 
-注意事项：
+说明：
 
 - 默认工作区遵循 `~/.openclaw/workspace-<agentId>`。
-- 添加 `bindings` 以路由入站消息（向导可以执行此操作）。
-- 非交互标志：`--model`、`--agent-dir`、`--bind`、`--non-interactive`。
+- 添加 `bindings` 以路由入站消息（向导可以完成这项操作）。
+- 非交互式标志：`--model`、`--agent-dir`、`--bind`、`--non-interactive`。
 
-## 非交互模式
+## 完整参考
 
-使用 `--non-interactive` 自动化或脚本化新手引导：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice apiKey \
-  --anthropic-api-key "$ANTHROPIC_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback \
-  --install-daemon \
-  --daemon-runtime node \
-  --skip-skills
-```
-
-添加 `--json` 以获取机器可读的摘要。
-
-Gemini 示例：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice gemini-api-key \
-  --gemini-api-key "$GEMINI_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback
-```
-
-Z.AI 示例：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice zai-api-key \
-  --zai-api-key "$ZAI_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback
-```
-
-Vercel AI Gateway 示例：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice ai-gateway-api-key \
-  --ai-gateway-api-key "$AI_GATEWAY_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback
-```
-
-Moonshot 示例：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice moonshot-api-key \
-  --moonshot-api-key "$MOONSHOT_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback
-```
-
-Synthetic 示例：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice synthetic-api-key \
-  --synthetic-api-key "$SYNTHETIC_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback
-```
-
-OpenCode Zen 示例：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice opencode-zen \
-  --opencode-zen-api-key "$OPENCODE_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback
-```
-
-添加智能体（非交互）示例：
-
-```bash
-openclaw agents add work \
-  --workspace ~/.openclaw/workspace-work \
-  --model openai/gpt-5.2 \
-  --bind whatsapp:biz \
-  --non-interactive \
-  --json
-```
-
-## Gateway 网关向导 RPC
-
-Gateway 网关通过 RPC 暴露向导流程（`wizard.start`、`wizard.next`、`wizard.cancel`、`wizard.status`）。
-客户端（macOS 应用、控制界面）可以渲染步骤而无需重新实现新手引导逻辑。
-
-## Signal 设置（signal-cli）
-
-向导可以从 GitHub releases 安装 `signal-cli`：
-
-- 下载适当的发布资源。
-- 存储在 `~/.openclaw/tools/signal-cli/<version>/` 下。
-- 将 `channels.signal.cliPath` 写入你的配置。
-
-注意事项：
-
-- JVM 构建需要 **Java 21**。
-- 可用时使用原生构建。
-- Windows 使用 WSL2；signal-cli 安装在 WSL 内遵循 Linux 流程。
-
-## 向导写入的内容
-
-`~/.openclaw/openclaw.json` 中的典型字段：
-
-- `agents.defaults.workspace`
-- `agents.defaults.model` / `models.providers`（如果选择了 Minimax）
-- `gateway.*`（模式、绑定、认证、tailscale）
-- `channels.telegram.botToken`、`channels.discord.token`、`channels.signal.*`、`channels.imessage.*`
-- 当你在提示中选择加入时的渠道允许列表（Slack/Discord/Matrix/Microsoft Teams）（名称在可能时解析为 ID）。
-- `skills.install.nodeManager`
-- `wizard.lastRunAt`
-- `wizard.lastRunVersion`
-- `wizard.lastRunCommit`
-- `wizard.lastRunCommand`
-- `wizard.lastRunMode`
-
-`openclaw agents add` 写入 `agents.list[]` 和可选的 `bindings`。
-
-WhatsApp 凭证存储在 `~/.openclaw/credentials/whatsapp/<accountId>/` 下。
-会话存储在 `~/.openclaw/agents/<agentId>/sessions/` 下。
-
-某些渠道以插件形式提供。当你在新手引导期间选择一个时，向导会在配置之前提示安装它（npm 或本地路径）。
+有关详细的分步骤拆解和配置输出，请参见
+[CLI 设置参考](/start/wizard-cli-reference)。
+有关非交互式示例，请参见 [CLI 自动化](/start/wizard-cli-automation)。
+有关更深入的技术参考（包括 RPC 细节），请参见
+[向导参考](/reference/wizard)。
 
 ## 相关文档
 
+- CLI 命令参考：[`openclaw onboard`](/cli/onboard)
+- 新手引导概览：[Onboarding Overview](/start/onboarding-overview)
 - macOS 应用新手引导：[新手引导](/start/onboarding)
-- 配置参考：[Gateway 网关配置](/gateway/configuration)
-- 提供商：[WhatsApp](/channels/whatsapp)、[Telegram](/channels/telegram)、[Discord](/channels/discord)、[Google Chat](/channels/googlechat)、[Signal](/channels/signal)、[iMessage](/channels/imessage)
-- Skills：[Skills](/tools/skills)、[Skills 配置](/tools/skills-config)
+- 智能体首次运行仪式：[智能体引导](/start/bootstrapping)
diff --git a/docs/zh-CN/tools/plugin.md b/docs/zh-CN/tools/plugin.md
index fde337fc3a4..a2ade46ffbc 100644
--- a/docs/zh-CN/tools/plugin.md
+++ b/docs/zh-CN/tools/plugin.md
@@ -1,79 +1,414 @@
 ---
 read_when:
-  - 添加或修改插件/扩展
-  - 记录插件安装或加载规则
-summary: OpenClaw 插件/扩展：发现、配置和安全
+  - 添加或修改插件/扩展时
+  - 记录插件安装或加载规则时
+  - 使用与 Codex/Claude 兼容的插件包时
+summary: OpenClaw 插件/扩展：发现、配置与安全
 title: 插件
 x-i18n:
-  generated_at: "2026-02-03T07:55:25Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: b36ca6b90ca03eaae25c00f9b12f2717fcd17ac540ba616ee03b398b234c2308
+  generated_at: "2026-03-16T06:36:16Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: d84a98f113817836c829b6e6f8a1cae441d2f0ee284fdd7194d193fd1aa34ff9
   source_path: tools/plugin.md
   workflow: 15
 ---
 
 # 插件（扩展）
 
-## 快速开始（插件新手？）
+## 快速开始（刚接触插件？）
 
-插件只是一个**小型代码模块**，用额外功能（命令、工具和 Gateway 网关 RPC）扩展 OpenClaw。
+插件可以是以下两种之一：
 
-大多数时候，当你想要一个尚未内置到核心 OpenClaw 的功能（或你想将可选功能排除在主安装之外）时，你会使用插件。
+- 原生 **OpenClaw 插件**（`openclaw.plugin.json` + 运行时模块），或
+- 兼容的 **bundle**（`.codex-plugin/plugin.json` 或 `.claude-plugin/plugin.json`）
 
-快速路径：
+两者都会显示在 `openclaw plugins` 下，但只有原生 OpenClaw 插件会在进程内执行运行时代码。
 
-1. 查看已加载的内容：
+大多数情况下，当你想要某项核心 OpenClaw 尚未内置的功能时，就会使用插件（或者你希望将可选功能保留在主安装之外）。
+
+快捷路径：
+
+1. 查看当前已加载的内容：
 
 ```bash
 openclaw plugins list
 ```
 
-2. 安装官方插件（例如：Voice Call）：
+2. 安装官方插件（示例：Voice Call）：
 
 ```bash
 openclaw plugins install @openclaw/voice-call
 ```
 
-3. 重启 Gateway 网关，然后在 `plugins.entries.<id>.config` 下配置。
+Npm 规格仅支持 **registry-only**（包名 + 可选的 **精确版本** 或 **dist-tag**）。
 
-参见 [Voice Call](/plugins/voice-call) 了解具体的插件示例。
+Git/URL/file 规格和 semver 范围都会被拒绝。
+
+裸规格和 `@latest` 会停留在稳定通道。如果 npm 将其中任一解析为预发布版本，OpenClaw 会停止并要求你通过预发布标签（例如 `@beta`/`@rc`）或精确的预发布版本显式选择加入。
+
+3. 重启 Gateway 网关，然后在 `plugins.entries.<id>.config` 下进行配置。
+
+查看 [Voice Call](/plugins/voice-call) 获取一个具体的插件示例。
+想找第三方列表？请查看 [Community plugins](/plugins/community)。
+需要了解 bundle 兼容性细节？请查看 [Plugin bundles](/plugins/bundles)。
+
+对于兼容的 bundle，可从本地目录或归档文件安装：
+
+```bash
+openclaw plugins install ./my-bundle
+openclaw plugins install ./my-bundle.tgz
+```
+
+## 架构
+
+OpenClaw 的插件系统有四层：
+
+1. **清单 + 发现**
+   OpenClaw 会从已配置路径、工作区根目录、全局扩展根目录以及随附扩展中查找候选插件。发现过程会先读取原生 `openclaw.plugin.json` 清单以及受支持的 bundle 清单。
+2. **启用 + 验证**
+   核心会决定某个已发现插件是启用、禁用、阻止，还是被选用于某个独占插槽（例如内存）。
+3. **运行时加载**
+   原生 OpenClaw 插件通过 jiti 在进程内加载，并将功能注册到一个中央注册表中。兼容的 bundle 会被规范化为注册表记录，而不会导入运行时代码。
+4. **表面消费**
+   OpenClaw 的其余部分会读取注册表，以公开工具、渠道、提供商设置、hooks、HTTP 路由、CLI 命令和服务。
+
+重要的设计边界：
+
+- 发现 + 配置验证应基于 **manifest/schema 元数据** 运行，而不执行插件代码
+- 原生运行时行为来自插件模块的 `register(api)` 路径
+
+这种拆分让 OpenClaw 能够在完整运行时激活之前，就验证配置、解释缺失/被禁用的插件，并构建 UI/schema 提示。
+
+## 兼容的 bundle
+
+OpenClaw 还识别两种兼容的外部 bundle 布局：
+
+- Codex 风格 bundle：`.codex-plugin/plugin.json`
+- Claude 风格 bundle：`.claude-plugin/plugin.json`，或者没有清单的默认 Claude 组件布局
+- Cursor 风格 bundle：`.cursor-plugin/plugin.json`
+
+它们会在插件列表中显示为 `format=bundle`，并在详细/info 输出中显示 `codex` 或 `claude` 子类型。
+
+有关精确的检测规则、映射行为和当前支持矩阵，请参阅 [Plugin bundles](/plugins/bundles)。
+
+目前，OpenClaw 将这些内容视为 **能力包**，而不是原生运行时插件：
+
+- 当前支持：捆绑的 `skills`
+- 当前支持：Claude `commands/` markdown 根目录，映射到常规 OpenClaw 技能加载器
+- 当前支持：Claude bundle `settings.json` 默认值，用于嵌入式 Pi 智能体设置（会清理 shell override 键）
+- 当前支持：Cursor `.cursor/commands/*.md` 根目录，映射到常规 OpenClaw 技能加载器
+- 当前支持：使用 OpenClaw hook-pack 布局的 Codex bundle hook 目录（`HOOK.md` + `handler.ts`/`handler.js`）
+- 已检测但尚未接线：其他已声明的 bundle 能力，例如 agents、Claude hook 自动化、Cursor rules/hooks/MCP 元数据、MCP/app/LSP 元数据、输出样式
+
+这意味着 bundle 的安装/发现/列表/info/启用都可正常工作，并且当 bundle 被启用时，bundle skills、Claude command-skills、Claude bundle settings 默认值以及兼容的 Codex hook 目录都会被加载，但 bundle 运行时代码不会在进程内执行。
+
+Bundle hook 支持仅限于常规 OpenClaw hook 目录格式（在声明的 hook 根目录下使用 `HOOK.md` 加上 `handler.ts`/`handler.js`）。
+供应商特定的 shell/JSON hook 运行时，包括 Claude `hooks.json`，当前仅会被检测，不会被直接执行。
+
+## 执行模型
+
+原生 OpenClaw 插件与 Gateway 网关 **在同一进程内** 运行。它们不会进行沙箱隔离。已加载的原生插件与核心代码处于相同的进程级信任边界。
+
+这意味着：
+
+- 原生插件可以注册工具、网络处理器、hooks 和服务
+- 原生插件中的 bug 可能导致 gateway 崩溃或不稳定
+- 恶意原生插件等同于在 OpenClaw 进程内部执行任意代码
+
+兼容的 bundle 默认更安全，因为 OpenClaw 目前将它们视为元数据/内容包。在当前版本中，这主要意味着捆绑的技能。
+
+对于非捆绑插件，请使用 allowlist 和显式安装/加载路径。将工作区插件视为开发期代码，而不是生产默认项。
+
+重要信任说明：
+
+- `plugins.allow` 信任的是 **plugin id**，而不是来源出处。
+- 如果某个工作区插件与某个捆绑插件具有相同 id，那么启用/加入 allowlist 后，工作区插件会有意覆盖捆绑副本。
+- 这是一种正常且有用的行为，适合本地开发、补丁测试和热修复。
 
 ## 可用插件（官方）
 
-- 从 2026.1.15 起 Microsoft Teams 仅作为插件提供；如果使用 Teams，请安装 `@openclaw/msteams`。
-- Memory (Core) — 捆绑的记忆搜索插件（通过 `plugins.slots.memory` 默认启用）
-- Memory (LanceDB) — 捆绑的长期记忆插件（自动召回/捕获；设置 `plugins.slots.memory = "memory-lancedb"`）
+- Microsoft Teams 自 `2026.1.15` 起仅以插件形式提供；如果你使用 Teams，请安装 `@openclaw/msteams`。
+- Memory（Core）— 捆绑的内存搜索插件（默认通过 `plugins.slots.memory` 启用）
+- Memory（LanceDB）— 捆绑的长期记忆插件（自动召回/捕获；设置 `plugins.slots.memory = "memory-lancedb"`）
 - [Voice Call](/plugins/voice-call) — `@openclaw/voice-call`
 - [Zalo Personal](/plugins/zalouser) — `@openclaw/zalouser`
 - [Matrix](/channels/matrix) — `@openclaw/matrix`
 - [Nostr](/channels/nostr) — `@openclaw/nostr`
 - [Zalo](/channels/zalo) — `@openclaw/zalo`
 - [Microsoft Teams](/channels/msteams) — `@openclaw/msteams`
-- Google Antigravity OAuth（提供商认证）— 作为 `google-antigravity-auth` 捆绑（默认禁用）
-- Gemini CLI OAuth（提供商认证）— 作为 `google-gemini-cli-auth` 捆绑（默认禁用）
-- Qwen OAuth（提供商认证）— 作为 `qwen-portal-auth` 捆绑（默认禁用）
-- Copilot Proxy（提供商认证）— 本地 VS Code Copilot Proxy 桥接；与内置 `github-copilot` 设备登录不同（捆绑，默认禁用）
+- Anthropic provider 运行时 — 以 `anthropic` 形式捆绑（默认启用）
+- BytePlus provider catalog — 以 `byteplus` 形式捆绑（默认启用）
+- Cloudflare AI Gateway provider catalog — 以 `cloudflare-ai-gateway` 形式捆绑（默认启用）
+- Google 网络搜索 + Gemini CLI OAuth — 以 `google` 形式捆绑（网页搜索会自动加载；provider 身份验证仍需选择启用）
+- GitHub Copilot provider 运行时 — 以 `github-copilot` 形式捆绑（默认启用）
+- Hugging Face provider catalog — 以 `huggingface` 形式捆绑（默认启用）
+- Kilo Gateway provider 运行时 — 以 `kilocode` 形式捆绑（默认启用）
+- Kimi Coding provider catalog — 以 `kimi-coding` 形式捆绑（默认启用）
+- MiniMax provider catalog + usage + OAuth — 以 `minimax` 形式捆绑（默认启用；拥有 `minimax` 和 `minimax-portal`）
+- Mistral provider 能力 — 以 `mistral` 形式捆绑（默认启用）
+- Model Studio provider catalog — 以 `modelstudio` 形式捆绑（默认启用）
+- Moonshot provider 运行时 — 以 `moonshot` 形式捆绑（默认启用）
+- NVIDIA provider catalog — 以 `nvidia` 形式捆绑（默认启用）
+- OpenAI provider 运行时 — 以 `openai` 形式捆绑（默认启用；同时拥有 `openai` 和 `openai-codex`）
+- OpenCode Go provider 能力 — 以 `opencode-go` 形式捆绑（默认启用）
+- OpenCode Zen provider 能力 — 以 `opencode` 形式捆绑（默认启用）
+- OpenRouter provider 运行时 — 以 `openrouter` 形式捆绑（默认启用）
+- Qianfan provider catalog — 以 `qianfan` 形式捆绑（默认启用）
+- Qwen OAuth（provider 身份验证 + catalog）— 以 `qwen-portal-auth` 形式捆绑（默认启用）
+- Synthetic provider catalog — 以 `synthetic` 形式捆绑（默认启用）
+- Together provider catalog — 以 `together` 形式捆绑（默认启用）
+- Venice provider catalog — 以 `venice` 形式捆绑（默认启用）
+- Vercel AI Gateway provider catalog — 以 `vercel-ai-gateway` 形式捆绑（默认启用）
+- Volcengine provider catalog — 以 `volcengine` 形式捆绑（默认启用）
+- Xiaomi provider catalog + usage — 以 `xiaomi` 形式捆绑（默认启用）
+- Z.AI provider 运行时 — 以 `zai` 形式捆绑（默认启用）
+- Copilot Proxy（provider 身份验证）— 本地 VS Code Copilot Proxy 桥接；不同于内置的 `github-copilot` 设备登录（已捆绑，默认禁用）
 
-OpenClaw 插件是通过 jiti 在运行时加载的 **TypeScript 模块**。**配置验证不会执行插件代码**；它使用插件清单和 JSON Schema。参见 [插件清单](/plugins/manifest)。
+原生 OpenClaw 插件是通过 jiti 在运行时加载的 **TypeScript 模块**。
+**配置验证不会执行插件代码**；它使用的是插件 manifest 和 JSON Schema。请参阅 [Plugin manifest](/plugins/manifest)。
 
-插件可以注册：
+原生 OpenClaw 插件可以注册：
 
-- Gateway 网关 RPC 方法
-- Gateway 网关 HTTP 处理程序
+- Gateway RPC 方法
+- Gateway HTTP 路由
 - 智能体工具
 - CLI 命令
 - 后台服务
-- 可选的配置验证
-- **Skills**（通过在插件清单中列出 `skills` 目录）
-- **自动回复命令**（不调用 AI 智能体即可执行）
+- 上下文引擎
+- provider 身份验证流程和模型目录
+- 用于动态模型 id、传输规范化、能力元数据、流包装、缓存 TTL 策略、缺失身份验证提示、内置模型抑制、目录增强、运行时身份验证交换以及 usage/billing 身份验证 + 快照解析的 provider 运行时 hooks
+- 可选配置验证
+- **Skills**（通过在插件 manifest 中列出 `skills` 目录）
+- **自动回复命令**（无需调用 AI 智能体即可执行）
 
-插件与 Gateway 网关**在同一进程中**运行，因此将它们视为受信任的代码。
-工具编写指南：[插件智能体工具](/plugins/agent-tools)。
+原生 OpenClaw 插件与 Gateway 网关 **在同一进程内** 运行，因此应将其视为受信任代码。
+工具编写指南：[Plugin agent tools](/plugins/agent-tools)。
+
+## Provider 运行时 hooks
+
+Provider 插件现在有两层：
+
+- manifest 元数据：`providerAuthEnvVars`，用于在运行时加载前进行低成本的环境身份验证查找
+- 配置时 hooks：`catalog` / 旧版 `discovery`
+- 运行时 hooks：`resolveDynamicModel`、`prepareDynamicModel`、`normalizeResolvedModel`、`capabilities`、`prepareExtraParams`、`wrapStreamFn`、`formatApiKey`、`refreshOAuth`、`buildAuthDoctorHint`、`isCacheTtlEligible`、`buildMissingAuthMessage`、`suppressBuiltInModel`、`augmentModelCatalog`、`isBinaryThinking`、`supportsXHighThinking`、`resolveDefaultThinkingLevel`、`isModernModelRef`、`prepareRuntimeAuth`、`resolveUsageAuth`、`fetchUsageSnapshot`
+
+OpenClaw 仍然负责通用的智能体循环、故障切换、转录处理和工具策略。这些 hooks 是 provider 特定行为的接缝，而无需整个自定义推理传输层。
+
+当 provider 具有基于环境变量的凭据，并且你希望通用 auth/status/model-picker 路径在不加载插件运行时的情况下就能看到这些凭据时，请使用 manifest `providerAuthEnvVars`。
+保留 provider 运行时 `envVars` 用于面向操作员的提示，例如新手引导标签或 OAuth client-id/client-secret 设置环境变量。
+
+### Hook 顺序
+
+对于 model/provider 插件，OpenClaw 大致按以下顺序使用 hooks：
+
+1. `catalog`
+   在生成 `models.json` 期间，将 provider 配置发布到 `models.providers` 中。
+2. 内置/已发现模型查找
+   OpenClaw 会先尝试常规注册表/目录路径。
+3. `resolveDynamicModel`
+   对于本地注册表中尚不存在的 provider 自有 model id，进行同步后备解析。
+4. `prepareDynamicModel`
+   仅在异步模型解析路径上执行异步预热，然后再次运行 `resolveDynamicModel`。
+5. `normalizeResolvedModel`
+   在嵌入式运行器使用已解析模型之前进行最终重写。
+6. `capabilities`
+   由共享核心逻辑使用的 provider 自有转录/工具元数据。
+7. `prepareExtraParams`
+   在通用流选项包装器之前执行 provider 自有请求参数规范化。
+8. `wrapStreamFn`
+   在应用通用包装器之后执行 provider 自有流包装器。
+9. `formatApiKey`
+   当存储的 auth profile 需要转换为运行时 `apiKey` 字符串时，使用 provider 自有身份验证配置器。
+10. `refreshOAuth`
+    对自定义刷新端点或刷新失败策略执行 provider 自有 OAuth 刷新覆盖。
+11. `buildAuthDoctorHint`
+    当 OAuth 刷新失败时，追加 provider 自有修复提示。
+12. `isCacheTtlEligible`
+    为代理/backhaul provider 提供 provider 自有提示词缓存策略。
+13. `buildMissingAuthMessage`
+    用 provider 自有内容替换通用的缺失身份验证恢复消息。
+14. `suppressBuiltInModel`
+    执行 provider 自有的过时上游模型抑制，并可返回面向用户的错误提示。
+15. `augmentModelCatalog`
+    在发现后附加 provider 自有的合成/最终目录行。
+16. `isBinaryThinking`
+    为二元 thinking provider 提供 provider 自有的开/关推理切换。
+17. `supportsXHighThinking`
+    为选定模型提供 provider 自有的 `xhigh` 推理支持。
+18. `resolveDefaultThinkingLevel`
+    为特定模型家族提供 provider 自有的默认 `/think` 级别。
+19. `isModernModelRef`
+    提供 provider 自有的现代模型匹配器，用于 live profile 过滤器和 smoke 选择。
+20. `prepareRuntimeAuth`
+    在推理前将已配置的凭据交换为实际的运行时令牌/密钥。
+21. `resolveUsageAuth`
+    为 `/usage` 及相关状态表面解析 usage/billing 凭据。
+22. `fetchUsageSnapshot`
+    在身份验证解析完成后，抓取并规范化 provider 特定的 usage/quota 快照。
+
+### 应该使用哪个 hook
+
+- `catalog`：将 provider 配置和模型目录发布到 `models.providers`
+- `resolveDynamicModel`：处理本地注册表中尚未存在的透传或前向兼容 model id
+- `prepareDynamicModel`：在重试动态解析之前执行异步预热（例如刷新 provider 元数据缓存）
+- `normalizeResolvedModel`：在推理前重写已解析模型的传输/base URL/兼容性
+- `capabilities`：发布 provider 家族和转录/工具差异，而不在核心中硬编码 provider id
+- `prepareExtraParams`：在通用流包装之前设置 provider 默认值或规范化 provider 特定的每模型参数
+- `wrapStreamFn`：在仍使用常规 `pi-ai` 执行路径时，添加 provider 特定的 header/payload/model 兼容补丁
+- `formatApiKey`：将存储的 auth profile 转换为运行时 `apiKey` 字符串，而不在核心中硬编码 provider 令牌 blob
+- `refreshOAuth`：为不适配共享 `pi-ai` 刷新器的 provider 自主管理 OAuth 刷新
+- `buildAuthDoctorHint`：在刷新失败时追加 provider 自有的身份验证修复指导
+- `isCacheTtlEligible`：决定 provider/模型组合是否应使用 cache TTL 元数据
+- `buildMissingAuthMessage`：用 provider 特定恢复提示替换通用 auth-store 错误
+- `suppressBuiltInModel`：隐藏过时上游条目，并可在直接解析失败时返回 provider 自有错误
+- `augmentModelCatalog`：在发现和配置合并后附加合成/最终目录行
+- `isBinaryThinking`：在 `/think` 中公开二元开/关推理 UX，而不硬编码 provider id
+- `supportsXHighThinking`：让特定模型启用 `xhigh` 推理级别
+- `resolveDefaultThinkingLevel`：将 provider/模型默认推理策略移出核心
+- `isModernModelRef`：将 live/smoke 模型家族包含规则保留在 provider 中
+- `prepareRuntimeAuth`：将已配置凭据交换为请求所用的实际短期运行时令牌/密钥
+- `resolveUsageAuth`：为 usage/billing 端点解析 provider 自有凭据，而不在核心中硬编码令牌解析
+- `fetchUsageSnapshot`：由 provider 自主管理 usage 端点抓取/解析，而核心继续负责摘要扇出和格式化
+
+经验法则：
+
+- provider 拥有目录或 base URL 默认值：使用 `catalog`
+- provider 接受任意上游 model id：使用 `resolveDynamicModel`
+- provider 在解析未知 id 前需要网络元数据：添加 `prepareDynamicModel`
+- provider 需要传输重写但仍使用核心传输：使用 `normalizeResolvedModel`
+- provider 需要转录/provider 家族差异：使用 `capabilities`
+- provider 需要默认请求参数或按 provider 清理参数：使用 `prepareExtraParams`
+- provider 需要请求 header/body/model 兼容包装而不使用自定义传输：使用 `wrapStreamFn`
+- provider 在 auth profile 中存储额外元数据并需要自定义运行时令牌格式：使用 `formatApiKey`
+- provider 需要自定义 OAuth 刷新端点或刷新失败策略：使用 `refreshOAuth`
+- provider 在刷新失败后需要 provider 自有身份验证修复指导：使用 `buildAuthDoctorHint`
+- provider 需要特定于代理的 cache TTL 门控：使用 `isCacheTtlEligible`
+- provider 需要 provider 特定的缺失身份验证恢复提示：使用 `buildMissingAuthMessage`
+- provider 需要隐藏过时上游条目或用厂商提示替换它们：使用 `suppressBuiltInModel`
+- provider 需要在 `models list` 和选择器中添加合成的前向兼容条目：使用 `augmentModelCatalog`
+- provider 仅提供二元 thinking 开/关：使用 `isBinaryThinking`
+- provider 只希望部分模型启用 `xhigh`：使用 `supportsXHighThinking`
+- provider 拥有某个模型家族默认 `/think` 策略：使用 `resolveDefaultThinkingLevel`
+- provider 拥有 live/smoke 首选模型匹配：使用 `isModernModelRef`
+- provider 需要令牌交换或短期请求凭据：使用 `prepareRuntimeAuth`
+- provider 需要自定义 usage/quota 令牌解析或不同的 usage 凭据：使用 `resolveUsageAuth`
+- provider 需要 provider 特定的 usage 端点或负载解析器：使用 `fetchUsageSnapshot`
+
+如果 provider 需要完全自定义的线协议或自定义请求执行器，那属于另一类扩展。这些 hooks 适用于仍运行在 OpenClaw 常规推理循环上的 provider 行为。
+
+### Provider 示例
+
+```ts
+api.registerProvider({
+  id: "example-proxy",
+  label: "Example Proxy",
+  auth: [],
+  catalog: {
+    order: "simple",
+    run: async (ctx) => {
+      const apiKey = ctx.resolveProviderApiKey("example-proxy").apiKey;
+      if (!apiKey) {
+        return null;
+      }
+      return {
+        provider: {
+          baseUrl: "https://proxy.example.com/v1",
+          apiKey,
+          api: "openai-completions",
+          models: [{ id: "auto", name: "Auto" }],
+        },
+      };
+    },
+  },
+  resolveDynamicModel: (ctx) => ({
+    id: ctx.modelId,
+    name: ctx.modelId,
+    provider: "example-proxy",
+    api: "openai-completions",
+    baseUrl: "https://proxy.example.com/v1",
+    reasoning: false,
+    input: ["text"],
+    cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+    contextWindow: 128000,
+    maxTokens: 8192,
+  }),
+  prepareRuntimeAuth: async (ctx) => {
+    const exchanged = await exchangeToken(ctx.apiKey);
+    return {
+      apiKey: exchanged.token,
+      baseUrl: exchanged.baseUrl,
+      expiresAt: exchanged.expiresAt,
+    };
+  },
+  resolveUsageAuth: async (ctx) => {
+    const auth = await ctx.resolveOAuthToken();
+    return auth ? { token: auth.token } : null;
+  },
+  fetchUsageSnapshot: async (ctx) => {
+    return await fetchExampleProxyUsage(ctx.token, ctx.timeoutMs, ctx.fetchFn);
+  },
+});
+```
+
+### 内置示例
+
+- Anthropic 使用 `resolveDynamicModel`、`capabilities`、`buildAuthDoctorHint`、`resolveUsageAuth`、`fetchUsageSnapshot`、`isCacheTtlEligible`、`resolveDefaultThinkingLevel` 和 `isModernModelRef`，因为它拥有 Claude 4.6 前向兼容、provider 家族提示、身份验证修复指导、usage 端点集成、提示词缓存资格以及 Claude 默认/自适应 thinking 策略。
+- OpenAI 使用 `resolveDynamicModel`、`normalizeResolvedModel` 和 `capabilities`，以及 `buildMissingAuthMessage`、`suppressBuiltInModel`、`augmentModelCatalog`、`supportsXHighThinking` 和 `isModernModelRef`，因为它拥有 GPT-5.4 前向兼容、直接 OpenAI `openai-completions` -> `openai-responses` 规范化、支持 Codex 的身份验证提示、Spark 抑制、合成 OpenAI 列表行以及 GPT-5 thinking / live-model 策略。
+- OpenRouter 使用 `catalog` 以及 `resolveDynamicModel` 和 `prepareDynamicModel`，因为该 provider 是透传型的，可能会在 OpenClaw 静态目录更新之前暴露新的 model id。
+- GitHub Copilot 使用 `catalog`、`auth`、`resolveDynamicModel` 和 `capabilities`，以及 `prepareRuntimeAuth` 和 `fetchUsageSnapshot`，因为它需要 provider 自有设备登录、模型回退行为、Claude 转录差异、GitHub token -> Copilot token 交换，以及 provider 自有 usage 端点。
+- OpenAI Codex 使用 `catalog`、`resolveDynamicModel`、`normalizeResolvedModel`、`refreshOAuth` 和 `augmentModelCatalog`，以及 `prepareExtraParams`、`resolveUsageAuth` 和 `fetchUsageSnapshot`，因为它仍运行在核心 OpenAI 传输之上，但拥有自己的传输/base URL 规范化、OAuth 刷新后备策略、默认传输选择、合成 Codex 目录行以及 ChatGPT usage 端点集成。
+- Google AI Studio 和 Gemini CLI OAuth 使用 `resolveDynamicModel` 和 `isModernModelRef`，因为它们拥有 Gemini 3.1 前向兼容后备和现代模型匹配；Gemini CLI OAuth 还使用 `formatApiKey`、`resolveUsageAuth` 和 `fetchUsageSnapshot` 来处理令牌格式化、令牌解析和 quota 端点接线。
+- OpenRouter 使用 `capabilities`、`wrapStreamFn` 和 `isCacheTtlEligible`，以便将 provider 特定的请求头、路由元数据、reasoning 补丁和提示词缓存策略从核心中移出。
+- Moonshot 使用 `catalog` 和 `wrapStreamFn`，因为它仍使用共享 OpenAI 传输，但需要 provider 自有 thinking 负载规范化。
+- Kilocode 使用 `catalog`、`capabilities`、`wrapStreamFn` 和 `isCacheTtlEligible`，因为它需要 provider 自有请求头、reasoning 负载规范化、Gemini 转录提示和 Anthropic cache-TTL 门控。
+- Z.AI 使用 `resolveDynamicModel`、`prepareExtraParams`、`wrapStreamFn`、`isCacheTtlEligible`、`isBinaryThinking`、`isModernModelRef`、`resolveUsageAuth` 和 `fetchUsageSnapshot`，因为它拥有 GLM-5 后备、`tool_stream` 默认值、二元 thinking UX、现代模型匹配，以及 usage 身份验证 + quota 抓取。
+- Mistral、OpenCode Zen 和 OpenCode Go 仅使用 `capabilities`，以便将转录/工具差异移出核心。
+- 仅目录型的捆绑 provider，例如 `byteplus`、`cloudflare-ai-gateway`、`huggingface`、`kimi-coding`、`modelstudio`、`nvidia`、`qianfan`、`synthetic`、`together`、`venice`、`vercel-ai-gateway` 和 `volcengine`，仅使用 `catalog`。
+- Qwen portal 使用 `catalog`、`auth` 和 `refreshOAuth`。
+- MiniMax 和 Xiaomi 使用 `catalog` 加 usage hooks，因为尽管推理仍通过共享传输运行，但它们的 `/usage` 行为由插件拥有。
+
+## 加载流水线
+
+启动时，OpenClaw 大致会执行以下步骤：
+
+1. 发现候选插件根目录
+2. 读取原生或兼容 bundle 的 manifest 和包元数据
+3. 拒绝不安全的候选项
+4. 规范化插件配置（`plugins.enabled`、`allow`、`deny`、`entries`、`slots`、`load.paths`）
+5. 决定每个候选项的启用状态
+6. 通过 jiti 加载已启用的原生模块
+7. 调用原生 `register(api)` hooks，并将注册内容收集到插件注册表中
+8. 将注册表暴露给命令/运行时表面
+
+安全门会在运行时执行 **之前** 发生。
+当条目逃逸出插件根目录、路径对所有人可写，或对于非捆绑插件来说路径所有权看起来可疑时，候选项会被阻止。
+
+### 清单优先行为
+
+Manifest 是控制面的事实来源。OpenClaw 用它来：
+
+- 识别插件
+- 发现声明的渠道/skills/配置 schema 或 bundle 能力
+- 验证 `plugins.entries.<id>.config`
+- 增强 Control UI 标签/占位符
+- 显示安装/目录元数据
+
+对于原生插件，运行时模块是数据面部分。它注册实际行为，例如 hooks、工具、命令或 provider 流程。
+
+### 加载器缓存了什么
+
+OpenClaw 会保留短期进程内缓存，用于：
+
+- 发现结果
+- manifest 注册表数据
+- 已加载的插件注册表
+
+这些缓存可以减少突发启动和重复命令开销。你可以将它们理解为短生命周期的性能缓存，而不是持久化存储。
 
 ## 运行时辅助工具
 
-插件可以通过 `api.runtime` 访问选定的核心辅助工具。对于电话 TTS：
+插件可以通过 `api.runtime` 访问部分核心辅助工具。对于电话 TTS：
 
 ```ts
 const result = await api.runtime.tts.textToSpeechTelephony({
@@ -82,15 +417,161 @@ const result = await api.runtime.tts.textToSpeechTelephony({
 });
 ```
 
-注意事项：
+说明：
 
 - 使用核心 `messages.tts` 配置（OpenAI 或 ElevenLabs）。
-- 返回 PCM 音频缓冲区 + 采样率。插件必须为提供商重新采样/编码。
-- Edge TTS 不支持电话。
+- 返回 PCM 音频缓冲区 + 采样率。插件必须为 provider 重新采样/编码。
+- Edge TTS 不支持电话场景。
 
-## 发现和优先级
+对于 STT/转录，插件可以调用：
 
-OpenClaw 按顺序扫描：
+```ts
+const { text } = await api.runtime.stt.transcribeAudioFile({
+  filePath: "/tmp/inbound-audio.ogg",
+  cfg: api.config,
+  // 当无法可靠推断 MIME 时可选：
+  mime: "audio/ogg",
+});
+```
+
+说明：
+
+- 使用核心媒体理解音频配置（`tools.media.audio`）和 provider 后备顺序。
+- 当没有生成转录输出时（例如输入被跳过/不受支持），返回 `{ text: undefined }`。
+
+## Gateway HTTP 路由
+
+插件可以使用 `api.registerHttpRoute(...)` 公开 HTTP 端点。
+
+```ts
+api.registerHttpRoute({
+  path: "/acme/webhook",
+  auth: "plugin",
+  match: "exact",
+  handler: async (_req, res) => {
+    res.statusCode = 200;
+    res.end("ok");
+    return true;
+  },
+});
+```
+
+路由字段：
+
+- `path`：Gateway 网关 HTTP 服务器下的路由路径。
+- `auth`：必填。使用 `"gateway"` 以要求常规 gateway 身份验证，或使用 `"plugin"` 以进行插件管理的身份验证/webhook 验证。
+- `match`：可选。`"exact"`（默认）或 `"prefix"`。
+- `replaceExisting`：可选。允许同一插件替换自身现有的路由注册。
+- `handler`：当路由处理了请求时返回 `true`。
+
+说明：
+
+- `api.registerHttpHandler(...)` 已过时。请使用 `api.registerHttpRoute(...)`。
+- 插件路由必须显式声明 `auth`。
+- 除非设置 `replaceExisting: true`，否则精确 `path + match` 冲突会被拒绝，而且一个插件不能替换另一个插件的路由。
+- 具有不同 `auth` 级别的重叠路由会被拒绝。请仅在相同 auth 级别上保留 `exact`/`prefix` 贯穿链。
+
+## Plugin SDK 导入路径
+
+编写插件时，请使用 SDK 子路径，而不是单体式 `openclaw/plugin-sdk` 导入：
+
+- `openclaw/plugin-sdk/core` 用于通用插件 API、provider 身份验证类型和共享辅助工具。
+- `openclaw/plugin-sdk/compat` 用于比 `core` 需要更广泛共享运行时辅助工具的捆绑/内部插件代码。
+- `openclaw/plugin-sdk/telegram` 用于 Telegram 渠道插件。
+- `openclaw/plugin-sdk/discord` 用于 Discord 渠道插件。
+- `openclaw/plugin-sdk/slack` 用于 Slack 渠道插件。
+- `openclaw/plugin-sdk/signal` 用于 Signal 渠道插件。
+- `openclaw/plugin-sdk/imessage` 用于 iMessage 渠道插件。
+- `openclaw/plugin-sdk/whatsapp` 用于 WhatsApp 渠道插件。
+- `openclaw/plugin-sdk/line` 用于 LINE 渠道插件。
+- `openclaw/plugin-sdk/msteams` 用于捆绑的 Microsoft Teams 插件表面。
+- 也提供捆绑扩展专用子路径：
+  `openclaw/plugin-sdk/acpx`、`openclaw/plugin-sdk/bluebubbles`、
+  `openclaw/plugin-sdk/copilot-proxy`、`openclaw/plugin-sdk/device-pair`、
+  `openclaw/plugin-sdk/diagnostics-otel`、`openclaw/plugin-sdk/diffs`、
+  `openclaw/plugin-sdk/feishu`、`openclaw/plugin-sdk/googlechat`、
+  `openclaw/plugin-sdk/irc`、`openclaw/plugin-sdk/llm-task`、
+  `openclaw/plugin-sdk/lobster`、`openclaw/plugin-sdk/matrix`、
+  `openclaw/plugin-sdk/mattermost`、`openclaw/plugin-sdk/memory-core`、
+  `openclaw/plugin-sdk/memory-lancedb`、
+  `openclaw/plugin-sdk/minimax-portal-auth`、
+  `openclaw/plugin-sdk/nextcloud-talk`、`openclaw/plugin-sdk/nostr`、
+  `openclaw/plugin-sdk/open-prose`、`openclaw/plugin-sdk/phone-control`、
+  `openclaw/plugin-sdk/qwen-portal-auth`、`openclaw/plugin-sdk/synology-chat`、
+  `openclaw/plugin-sdk/talk-voice`、`openclaw/plugin-sdk/test-utils`、
+  `openclaw/plugin-sdk/thread-ownership`、`openclaw/plugin-sdk/tlon`、
+  `openclaw/plugin-sdk/twitch`、`openclaw/plugin-sdk/voice-call`、
+  `openclaw/plugin-sdk/zalo` 和 `openclaw/plugin-sdk/zalouser`。
+
+## Provider 目录
+
+Provider 插件可以使用
+`registerProvider({ catalog: { run(...) { ... } } })`
+定义用于推理的模型目录。
+
+`catalog.run(...)` 返回与 OpenClaw 写入
+`models.providers` 相同的结构：
+
+- `{ provider }` 表示一个 provider 条目
+- `{ providers }` 表示多个 provider 条目
+
+当插件拥有 provider 特定的 model id、base URL 默认值或由身份验证控制的模型元数据时，请使用 `catalog`。
+
+`catalog.order` 控制插件目录相对于 OpenClaw 内置隐式 provider 的合并时机：
+
+- `simple`：纯 API 密钥或环境变量驱动的 provider
+- `profile`：当存在 auth profile 时出现的 provider
+- `paired`：会合成多个相关 provider 条目的 provider
+- `late`：最后一轮，在其他隐式 provider 之后
+
+后出现的 provider 会在键冲突时胜出，因此插件可以有意用相同 provider id 覆盖内置 provider 条目。
+
+兼容性：
+
+- `discovery` 仍可作为旧版别名使用
+- 如果同时注册了 `catalog` 和 `discovery`，OpenClaw 会使用 `catalog`
+
+兼容性说明：
+
+- `openclaw/plugin-sdk` 仍支持现有外部插件。
+- 新的和已迁移的捆绑插件应使用渠道或扩展专用子路径；通用表面使用 `core`，只有在确实需要更广泛共享辅助工具时才使用 `compat`。
+
+## 只读渠道检查
+
+如果你的插件注册了一个渠道，建议与 `resolveAccount(...)` 一起实现
+`plugin.config.inspectAccount(cfg, accountId)`。
+
+原因：
+
+- `resolveAccount(...)` 是运行时路径。它可以假定凭据已完全实体化，并在缺少所需 secret 时快速失败。
+- 只读命令路径，例如 `openclaw status`、`openclaw status --all`、
+  `openclaw channels status`、`openclaw channels resolve` 以及 Doctor/配置修复流程，不应仅为了描述配置就必须实体化运行时凭据。
+
+推荐的 `inspectAccount(...)` 行为：
+
+- 仅返回描述性的账户状态。
+- 保留 `enabled` 和 `configured`。
+- 在相关时包含凭据来源/状态字段，例如：
+  - `tokenSource`、`tokenStatus`
+  - `botTokenSource`、`botTokenStatus`
+  - `appTokenSource`、`appTokenStatus`
+  - `signingSecretSource`、`signingSecretStatus`
+- 你无需为了报告只读可用性而返回原始令牌值。返回 `tokenStatus: "available"`（以及匹配的 source 字段）就足够支持状态类命令。
+- 当凭据通过 SecretRef 配置，但在当前命令路径中不可用时，请使用 `configured_unavailable`。
+
+这使得只读命令可以报告“已配置，但在此命令路径中不可用”，而不是崩溃或错误地将账户报告为未配置。
+
+性能说明：
+
+- 插件发现和 manifest 元数据使用短期进程内缓存，以减少突发启动/重载工作。
+- 设置 `OPENCLAW_DISABLE_PLUGIN_DISCOVERY_CACHE=1` 或
+  `OPENCLAW_DISABLE_PLUGIN_MANIFEST_CACHE=1` 可禁用这些缓存。
+- 使用 `OPENCLAW_PLUGIN_DISCOVERY_CACHE_MS` 和
+  `OPENCLAW_PLUGIN_MANIFEST_CACHE_MS` 调整缓存窗口。
+
+## 设备发现 + 传输协议优先级
+
+OpenClaw 按以下顺序扫描：
 
 1. 配置路径
 
@@ -106,15 +587,92 @@ OpenClaw 按顺序扫描：
 - `~/.openclaw/extensions/*.ts`
 - `~/.openclaw/extensions/*/index.ts`
 
-4. 捆绑扩展（随 OpenClaw 一起发布，**默认禁用**）
+4. 捆绑扩展（随 OpenClaw 一起提供；默认开启/关闭混合）
 
 - `<openclaw>/extensions/*`
 
-捆绑插件必须通过 `plugins.entries.<id>.enabled` 或 `openclaw plugins enable <id>` 显式启用。已安装的插件默认启用，但可以用相同方式禁用。
+许多捆绑的 provider 插件默认启用，这样模型目录/运行时 hooks 无需额外设置即可使用。其他插件仍需要通过 `plugins.entries.<id>.enabled` 或
+`openclaw plugins enable <id>` 显式启用。
 
-每个插件必须在其根目录中包含 `openclaw.plugin.json` 文件。如果路径指向文件，则插件根目录是文件的目录，必须包含清单。
+默认开启的捆绑插件示例：
 
-如果多个插件解析到相同的 id，上述顺序中的第一个匹配项获胜，较低优先级的副本被忽略。
+- `byteplus`
+- `cloudflare-ai-gateway`
+- `device-pair`
+- `github-copilot`
+- `huggingface`
+- `kilocode`
+- `kimi-coding`
+- `minimax`
+- `minimax`
+- `modelstudio`
+- `moonshot`
+- `nvidia`
+- `ollama`
+- `openai`
+- `openrouter`
+- `phone-control`
+- `qianfan`
+- `qwen-portal-auth`
+- `sglang`
+- `synthetic`
+- `talk-voice`
+- `together`
+- `venice`
+- `vercel-ai-gateway`
+- `vllm`
+- `volcengine`
+- `xiaomi`
+- 活跃的 memory 插槽插件（默认插槽：`memory-core`）
+
+已安装的插件默认启用，但也可以用同样方式禁用。
+
+工作区插件 **默认禁用**，除非你显式启用它们或将其加入 allowlist。这是有意设计的：已检出的仓库不应悄悄变成生产 gateway 代码。
+
+加固说明：
+
+- 如果 `plugins.allow` 为空且可发现非捆绑插件，OpenClaw 会在启动时记录一条警告，其中包含 plugin id 和来源。
+- 候选路径在被接受进入发现流程前会经过安全检查。当出现以下情况时，OpenClaw 会阻止候选项：
+  - 扩展条目解析到插件根目录之外（包括符号链接/路径遍历逃逸），
+  - 插件根目录/来源路径对所有人可写，
+  - 对于非捆绑插件来说，路径所有权可疑（POSIX owner 既不是当前 uid 也不是 root）。
+- 对于缺少安装/加载路径来源信息的已加载非捆绑插件，会发出警告，以便你固定信任（`plugins.allow`）或安装跟踪（`plugins.installs`）。
+
+每个原生 OpenClaw 插件都必须在其根目录中包含一个 `openclaw.plugin.json` 文件。
+如果某条路径指向一个文件，则插件根目录是该文件所在目录，并且该目录必须包含该 manifest。
+
+兼容的 bundle 可以改为提供以下之一：
+
+- `.codex-plugin/plugin.json`
+- `.claude-plugin/plugin.json`
+
+Bundle 目录会从与原生插件相同的根目录中被发现。
+
+如果多个插件解析为同一个 id，则以上顺序中的第一个匹配项胜出，优先级更低的副本会被忽略。
+
+这意味着：
+
+- 工作区插件会有意覆盖具有相同 id 的捆绑插件
+- `plugins.allow: ["foo"]` 按 id 授权活动的 `foo` 插件，即使活动副本来自工作区而非捆绑扩展根目录
+- 如果你需要更严格的来源控制，请使用显式安装/加载路径，并在启用前检查解析后的插件来源
+
+### 启用规则
+
+启用状态在发现后解析：
+
+- `plugins.enabled: false` 会禁用所有插件
+- `plugins.deny` 总是优先
+- `plugins.entries.<id>.enabled: false` 会禁用该插件
+- 来源于工作区的插件默认禁用
+- 当 `plugins.allow` 非空时，allowlist 会限制活动集合
+- allowlist 是 **基于 id** 的，而不是基于来源
+- 捆绑插件默认禁用，除非：
+  - 捆绑 id 位于内置默认开启集合中，或
+  - 你显式启用了它，或
+  - 渠道配置隐式启用了捆绑渠道插件
+- 独占插槽可强制启用为该插槽选择的插件
+
+在当前核心中，默认开启的捆绑 id 包括上面的本地/provider 辅助工具以及当前活跃的 memory 插槽插件。
 
 ### 包集合
 
@@ -124,18 +682,29 @@ OpenClaw 按顺序扫描：
 {
   "name": "my-pack",
   "openclaw": {
-    "extensions": ["./src/safety.ts", "./src/tools.ts"]
+    "extensions": ["./src/safety.ts", "./src/tools.ts"],
+    "setupEntry": "./src/setup-entry.ts"
   }
 }
 ```
 
-每个条目成为一个插件。如果包列出多个扩展，插件 id 变为 `name/<fileBase>`。
+每个条目都会成为一个插件。如果该集合列出多个扩展，则插件 id 将变为 `name/<fileBase>`。
 
-如果你的插件导入 npm 依赖，请在该目录中安装它们以便 `node_modules` 可用（`npm install` / `pnpm install`）。
+如果你的插件导入 npm 依赖，请在该目录中安装它们，以便 `node_modules` 可用（`npm install` / `pnpm install`）。
+
+安全护栏：每个 `openclaw.extensions` 条目在解析符号链接后都必须保持在插件目录内。逃逸出包目录的条目会被拒绝。
+
+安全说明：`openclaw plugins install` 会使用
+`npm install --ignore-scripts` 安装插件依赖（不会运行生命周期脚本）。
+请保持插件依赖树为“纯 JS/TS”，并避免需要 `postinstall` 构建的包。
+
+可选项：`openclaw.setupEntry` 可以指向一个轻量级、仅用于 setup 的模块。
+当 OpenClaw 需要为一个已禁用的渠道插件提供 setup 表面，或某个渠道插件虽然已启用但仍未配置时，它会加载 `setupEntry`，而不是完整插件入口。
+当你的主插件入口还连接了工具、hooks 或其他仅运行时代码时，这能让启动和 setup 更轻量。
 
 ### 渠道目录元数据
 
-渠道插件可以通过 `openclaw.channel` 广播新手引导元数据，通过 `openclaw.install` 广播安装提示。这使核心目录保持无数据。
+渠道插件可以通过 `openclaw.channel` 公布 setup/discovery 元数据，并通过 `openclaw.install` 公布安装提示。这使核心目录保持无数据化。
 
 示例：
 
@@ -150,7 +719,7 @@ OpenClaw 按顺序扫描：
       "selectionLabel": "Nextcloud Talk (self-hosted)",
       "docsPath": "/channels/nextcloud-talk",
       "docsLabel": "nextcloud-talk",
-      "blurb": "Self-hosted chat via Nextcloud Talk webhook bots.",
+      "blurb": "通过 Nextcloud Talk webhook bot 提供的自托管聊天。",
       "order": 65,
       "aliases": ["nc-talk", "nc"]
     },
@@ -163,22 +732,49 @@ OpenClaw 按顺序扫描：
 }
 ```
 
-OpenClaw 还可以合并**外部渠道目录**（例如，MPM 注册表导出）。将 JSON 文件放在以下位置之一：
+OpenClaw 还可以合并 **外部渠道目录**（例如 MPM registry 导出）。
+将 JSON 文件放到以下任一位置：
 
 - `~/.openclaw/mpm/plugins.json`
 - `~/.openclaw/mpm/catalog.json`
 - `~/.openclaw/plugins/catalog.json`
 
-或将 `OPENCLAW_PLUGIN_CATALOG_PATHS`（或 `OPENCLAW_MPM_CATALOG_PATHS`）指向一个或多个 JSON 文件（逗号/分号/`PATH` 分隔）。每个文件应包含 `{ "entries": [ { "name": "@scope/pkg", "openclaw": { "channel": {...}, "install": {...} } } ] }`。
+或者将 `OPENCLAW_PLUGIN_CATALOG_PATHS`（或 `OPENCLAW_MPM_CATALOG_PATHS`）指向一个或多个 JSON 文件（用逗号/分号/`PATH` 分隔）。
+每个文件应包含
+`{ "entries": [ { "name": "@scope/pkg", "openclaw": { "channel": {...}, "install": {...} } } ] }`。
 
-## 插件 ID
+## Plugin ID
 
-默认插件 id：
+默认 plugin id：
 
-- 包集合：`package.json` 的 `name`
-- 独立文件：文件基本名称（`~/.../voice-call.ts` → `voice-call`）
+- 包集合：`package.json` 中的 `name`
+- 独立文件：文件基础名（`~/.../voice-call.ts` → `voice-call`）
 
-如果插件导出 `id`，OpenClaw 会使用它，但当它与配置的 id 不匹配时会发出警告。
+如果插件导出 `id`，OpenClaw 会使用它，但如果它与配置的 id 不匹配，则会发出警告。
+
+## 注册表模型
+
+已加载的插件不会直接修改任意核心全局对象。它们会注册到一个中央插件注册表中。
+
+该注册表跟踪：
+
+- 插件记录（身份、来源、出处、状态、诊断）
+- 工具
+- 旧版 hooks 和类型化 hooks
+- 渠道
+- providers
+- Gateway RPC 处理器
+- HTTP 路由
+- CLI 注册器
+- 后台服务
+- 插件自有命令
+
+然后，核心功能会从这个注册表中读取，而不是直接与插件模块交互。这样可以保持单向加载：
+
+- 插件模块 -> 注册表注册
+- 核心运行时 -> 注册表消费
+
+这种分离对可维护性非常重要。这意味着大多数核心表面只需要一个集成点：“读取注册表”，而不是“为每个插件模块做特殊处理”。
 
 ## 配置
 
@@ -198,48 +794,75 @@ OpenClaw 还可以合并**外部渠道目录**（例如，MPM 注册表导出）
 
 字段：
 
-- `enabled`：主开关（默认：true）
-- `allow`：允许列表（可选）
-- `deny`：拒绝列表（可选；deny 优先）
+- `enabled`：总开关（默认：true）
+- `allow`：allowlist（可选）
+- `deny`：denylist（可选；deny 优先）
 - `load.paths`：额外的插件文件/目录
-- `entries.<id>`：每个插件的开关 + 配置
+- `slots`：独占插槽选择器，例如 `memory` 和 `contextEngine`
+- `entries.<id>`：每插件开关 + 配置
 
-配置更改**需要重启 Gateway 网关**。
+配置更改 **需要重启 gateway**。
 
 验证规则（严格）：
 
-- `entries`、`allow`、`deny` 或 `slots` 中的未知插件 id 是**错误**。
-- 未知的 `channels.<id>` 键是**错误**，除非插件清单声明了渠道 id。
-- 插件配置使用嵌入在 `openclaw.plugin.json`（`configSchema`）中的 JSON Schema 进行验证。
-- 如果插件被禁用，其配置会保留并发出**警告**。
+- `entries`、`allow`、`deny` 或 `slots` 中出现未知 plugin id 都是 **错误**。
+- 未知的 `channels.<id>` 键都是 **错误**，除非某个插件 manifest 声明了该渠道 id。
+- 原生插件配置使用嵌入在 `openclaw.plugin.json` 中的 JSON Schema（`configSchema`）进行验证。
+- 兼容的 bundle 当前不公开原生 OpenClaw 配置 schema。
+- 如果某个插件被禁用，其配置会被保留，并发出 **警告**。
 
-## 插件槽位（独占类别）
+### 禁用 vs 缺失 vs 无效
 
-某些插件类别是**独占的**（一次只有一个活跃）。使用 `plugins.slots` 选择哪个插件拥有该槽位：
+这些状态有意区分：
+
+- **disabled**：插件存在，但启用规则将其关闭
+- **missing**：配置引用了某个 plugin id，但发现过程没有找到它
+- **invalid**：插件存在，但其配置与声明的 schema 不匹配
+
+OpenClaw 会保留已禁用插件的配置，因此重新启用它们不会造成破坏。
+
+## Plugin 插槽（独占类别）
+
+某些插件类别是 **独占的**（一次只能有一个处于活动状态）。使用
+`plugins.slots` 选择由哪个插件拥有该插槽：
 
 ```json5
 {
   plugins: {
     slots: {
-      memory: "memory-core", // or "none" to disable memory plugins
+      memory: "memory-core", // 或 "none" 以禁用 memory 插件
+      contextEngine: "legacy", // 或某个 plugin id，例如 "lossless-claw"
     },
   },
 }
 ```
 
-如果多个插件声明 `kind: "memory"`，只有选定的那个加载。其他的被禁用并带有诊断信息。
+支持的独占插槽：
 
-## 控制界面（schema + 标签）
+- `memory`：活动 memory 插件（`"none"` 会禁用 memory 插件）
+- `contextEngine`：活动上下文引擎插件（`"legacy"` 是内置默认值）
 
-控制界面使用 `config.schema`（JSON Schema + `uiHints`）来渲染更好的表单。
+如果多个插件声明了 `kind: "memory"` 或 `kind: "context-engine"`，则只有为该插槽选中的插件会加载。其他插件会被禁用并附带诊断信息。
 
-OpenClaw 在运行时根据发现的插件增强 `uiHints`：
+### 上下文引擎插件
+
+上下文引擎插件拥有会话上下文编排能力，包括摄取、组装和压缩。
+通过插件中的 `api.registerContextEngine(id, factory)` 注册它们，然后使用
+`plugins.slots.contextEngine` 选择活动引擎。
+
+当你的插件需要替换或扩展默认上下文流水线，而不是仅添加内存搜索或 hooks 时，请使用此方式。
+
+## Control UI（schema + 标签）
+
+Control UI 使用 `config.schema`（JSON Schema + `uiHints`）来渲染更好的表单。
+
+OpenClaw 会在运行时根据已发现的插件增强 `uiHints`：
 
 - 为 `plugins.entries.<id>` / `.enabled` / `.config` 添加每插件标签
-- 在以下位置合并可选的插件提供的配置字段提示：
+- 合并可选的插件提供配置字段提示，路径为：
   `plugins.entries.<id>.config.<field>`
 
-如果你希望插件配置字段显示良好的标签/占位符（并将密钥标记为敏感），请在插件清单中提供 `uiHints` 和 JSON Schema。
+如果你希望插件配置字段显示更好的标签/占位符（并将 secret 标记为敏感），请在插件 manifest 中连同 JSON Schema 一起提供 `uiHints`。
 
 示例：
 
@@ -266,12 +889,13 @@ OpenClaw 在运行时根据发现的插件增强 `uiHints`：
 ```bash
 openclaw plugins list
 openclaw plugins info <id>
-openclaw plugins install <path>                 # copy a local file/dir into ~/.openclaw/extensions/<id>
-openclaw plugins install ./extensions/voice-call # relative path ok
-openclaw plugins install ./plugin.tgz           # install from a local tarball
-openclaw plugins install ./plugin.zip           # install from a local zip
-openclaw plugins install -l ./extensions/voice-call # link (no copy) for dev
-openclaw plugins install @openclaw/voice-call # install from npm
+openclaw plugins install <path>                 # 将本地文件/目录复制到 ~/.openclaw/extensions/<id>
+openclaw plugins install ./extensions/voice-call # 支持相对路径
+openclaw plugins install ./plugin.tgz           # 从本地 tarball 安装
+openclaw plugins install ./plugin.zip           # 从本地 zip 安装
+openclaw plugins install -l ./extensions/voice-call # link（不复制），用于开发
+openclaw plugins install @openclaw/voice-call # 从 npm 安装
+openclaw plugins install @openclaw/voice-call --pin # 存储精确解析后的 name@version
 openclaw plugins update <id>
 openclaw plugins update --all
 openclaw plugins enable <id>
@@ -279,45 +903,307 @@ openclaw plugins disable <id>
 openclaw plugins doctor
 ```
 
+`openclaw plugins list` 会将顶层格式显示为 `openclaw` 或 `bundle`。
+详细列表/info 输出还会显示 bundle 子类型（`codex` 或 `claude`）以及已检测到的 bundle 能力。
+
 `plugins update` 仅适用于在 `plugins.installs` 下跟踪的 npm 安装。
+如果更新之间存储的完整性元数据发生变化，OpenClaw 会发出警告并要求确认（使用全局 `--yes` 可绕过提示）。
 
-插件也可以注册自己的顶级命令（例如：`openclaw voicecall`）。
+插件也可以注册自己的顶层命令（例如：`openclaw voicecall`）。
 
-## 插件 API（概述）
+## Plugin API（概览）
 
-插件导出以下之一：
+插件导出形式可以是：
 
-- 函数：`(api) => { ... }`
-- 对象：`{ id, name, configSchema, register(api) { ... } }`
+- 一个函数：`(api) => { ... }`
+- 一个对象：`{ id, name, configSchema, register(api) { ... } }`
 
-## 插件钩子
+`register(api)` 是插件挂接行为的地方。常见注册包括：
 
-插件可以附带钩子并在运行时注册它们。这让插件可以捆绑事件驱动的自动化，而无需单独安装钩子包。
+- `registerTool`
+- `registerHook`
+- `on(...)` 用于类型化生命周期 hooks
+- `registerChannel`
+- `registerProvider`
+- `registerHttpRoute`
+- `registerCommand`
+- `registerCli`
+- `registerContextEngine`
+- `registerService`
 
-### 示例
+上下文引擎插件还可以注册一个由运行时拥有的上下文管理器：
 
-```
-import { registerPluginHooksFromDir } from "openclaw/plugin-sdk";
-
-export default function register(api) {
-  registerPluginHooksFromDir(api, "./hooks");
+```ts
+export default function (api) {
+  api.registerContextEngine("lossless-claw", () => ({
+    info: { id: "lossless-claw", name: "Lossless Claw", ownsCompaction: true },
+    async ingest() {
+      return { ingested: true };
+    },
+    async assemble({ messages }) {
+      return { messages, estimatedTokens: 0 };
+    },
+    async compact() {
+      return { ok: true, compacted: false };
+    },
+  }));
 }
 ```
 
-注意事项：
+然后在配置中启用它：
 
-- 钩子目录遵循正常的钩子结构（`HOOK.md` + `handler.ts`）。
-- 钩子资格规则仍然适用（操作系统/二进制文件/环境/配置要求）。
-- 插件管理的钩子在 `openclaw hooks list` 中显示为 `plugin:<id>`。
-- 你不能通过 `openclaw hooks` 启用/禁用插件管理的钩子；而是启用/禁用插件。
+```json5
+{
+  plugins: {
+    slots: {
+      contextEngine: "lossless-claw",
+    },
+  },
+}
+```
 
-## 提供商插件（模型认证）
+## Plugin hooks
 
-插件可以注册**模型提供商认证**流程，以便用户可以在 OpenClaw 内运行 OAuth 或 API 密钥设置（无需外部脚本）。
+插件可以在运行时注册 hooks。这让插件能够打包事件驱动自动化，而无需单独安装 hook pack。
 
-通过 `api.registerProvider(...)` 注册提供商。每个提供商暴露一个或多个认证方法（OAuth、API 密钥、设备码等）。这些方法驱动：
+### 示例
+
+```ts
+export default function register(api) {
+  api.registerHook(
+    "command:new",
+    async () => {
+      // Hook 逻辑写在这里。
+    },
+    {
+      name: "my-plugin.command-new",
+      description: "当 /new 被调用时运行",
+    },
+  );
+}
+```
+
+说明：
+
+- 通过 `api.registerHook(...)` 显式注册 hooks。
+- Hook 资格规则仍然适用（OS/bins/env/config 要求）。
+- 插件管理的 hooks 会在 `openclaw hooks list` 中显示为 `plugin:<id>`。
+- 你不能通过 `openclaw hooks` 启用/禁用插件管理的 hooks；应改为启用/禁用插件本身。
+
+### 智能体生命周期 hooks（`api.on`）
+
+对于类型化运行时生命周期 hooks，请使用 `api.on(...)`：
+
+```ts
+export default function register(api) {
+  api.on(
+    "before_prompt_build",
+    (event, ctx) => {
+      return {
+        prependSystemContext: "Follow company style guide.",
+      };
+    },
+    { priority: 10 },
+  );
+}
+```
+
+用于提示词构建的重要 hooks：
+
+- `before_model_resolve`：在加载会话之前运行（`messages` 不可用）。用它来确定性地覆盖 `modelOverride` 或 `providerOverride`。
+- `before_prompt_build`：在加载会话之后运行（`messages` 可用）。用它来塑造提示词输入。
+- `before_agent_start`：旧版兼容 hook。优先使用上面两个更明确的 hooks。
+
+核心强制执行的 hook 策略：
+
+- 操作员可以通过 `plugins.entries.<id>.hooks.allowPromptInjection: false` 按插件禁用提示词变更 hooks。
+- 禁用后，OpenClaw 会阻止 `before_prompt_build`，并忽略旧版 `before_agent_start` 返回的提示词变更字段，同时保留旧版 `modelOverride` 和 `providerOverride`。
+
+`before_prompt_build` 结果字段：
+
+- `prependContext`：为本次运行在用户提示词前插入文本。最适合按轮次变化或动态内容。
+- `systemPrompt`：完整的系统提示词覆盖。
+- `prependSystemContext`：在当前系统提示词前插入文本。
+- `appendSystemContext`：在当前系统提示词后追加文本。
+
+嵌入式运行时中的提示词构建顺序：
+
+1. 将 `prependContext` 应用到用户提示词。
+2. 如果提供了 `systemPrompt`，则应用其覆盖。
+3. 应用 `prependSystemContext + 当前系统提示词 + appendSystemContext`。
+
+合并与优先级说明：
+
+- Hook 处理器按优先级运行（高者优先）。
+- 对于合并型上下文字段，值会按执行顺序拼接。
+- `before_prompt_build` 的值会在旧版 `before_agent_start` 后备值之前应用。
+
+迁移指导：
+
+- 将静态指导从 `prependContext` 移到 `prependSystemContext`（或 `appendSystemContext`），这样 provider 就可以缓存稳定的系统前缀内容。
+- 将 `prependContext` 保留给每轮动态上下文，这类内容应继续与用户消息绑定。
+
+## Provider 插件（模型身份验证）
+
+插件可以注册 **模型 providers**，从而让用户能够在 OpenClaw 内完成 OAuth 或 API 密钥设置、在新手引导/模型选择器中显示 provider 设置，并参与隐式 provider 发现。
+
+Provider 插件现在是模型 provider 设置的模块化扩展接缝。它们不再只是“OAuth 辅助工具”。
+
+### Provider 插件生命周期
+
+一个 provider 插件可以参与五个不同阶段：
+
+1. **身份验证**
+   `auth[].run(ctx)` 执行 OAuth、API 密钥采集、设备码或自定义设置，并返回 auth profile 以及可选的配置补丁。
+2. **非交互式设置**
+   `auth[].runNonInteractive(ctx)` 处理 `openclaw onboard --non-interactive`，且不进行提示。当 provider 需要超出内置简单 API 密钥路径之外的自定义无头设置时，请使用它。
+3. **向导集成**
+   `wizard.setup` 会向 `openclaw onboard` 添加一个条目。
+   `wizard.modelPicker` 会向模型选择器添加一个 setup 条目。
+4. **隐式发现**
+   `discovery.run(ctx)` 可以在模型解析/列出期间自动贡献 provider 配置。
+5. **选择后跟进**
+   `onModelSelected(ctx)` 会在模型被选中后运行。可用于 provider 特定的后续工作，例如下载本地模型。
+
+这是推荐的拆分方式，因为这些阶段具有不同的生命周期要求：
+
+- auth 是交互式的，并会写入凭据/配置
+- 非交互式设置由 flag/env 驱动，且不能提示
+- 向导元数据是静态且面向 UI 的
+- discovery 应安全、快速且能容忍失败
+- 选择后 hooks 是与所选模型绑定的副作用
+
+### Provider 身份验证契约
+
+`auth[].run(ctx)` 返回：
+
+- `profiles`：要写入的 auth profile
+- `configPatch`：可选的 `openclaw.json` 变更
+- `defaultModel`：可选的 `provider/model` 引用
+- `notes`：可选的面向用户备注
+
+然后核心会：
+
+1. 写入返回的 auth profile
+2. 应用 auth-profile 配置接线
+3. 合并配置补丁
+4. 可选地应用默认模型
+5. 在适当时运行 provider 的 `onModelSelected` hook
+
+这意味着 provider 插件拥有 provider 特定的设置逻辑，而核心拥有通用的持久化和配置合并路径。
+
+### Provider 非交互式契约
+
+`auth[].runNonInteractive(ctx)` 是可选的。当 provider 需要无法通过内置通用 API 密钥流表达的无头设置时，请实现它。
+
+非交互式上下文包括：
+
+- 当前配置和基础配置
+- 解析后的 onboarding CLI 选项
+- 运行时日志/错误辅助工具
+- 智能体/工作区目录，以便 provider 将 auth 持久化到与其余 onboarding 相同的作用域存储中
+- `resolveApiKey(...)`：在遵守 `--secret-input-mode` 的同时，从 flags、环境变量或现有 auth profile 中读取 provider 密钥
+- `toApiKeyCredential(...)`：将解析后的密钥转换为 auth-profile 凭据，并使用正确的明文或 secret-ref 存储方式
+
+适合使用此表面的 provider 包括：
+
+- 需要 `--custom-base-url` + `--custom-model-id` 的自托管 OpenAI 兼容运行时
+- 需要 provider 特定非交互式验证或配置合成的场景
+
+不要从 `runNonInteractive` 中发出提示。对于缺失输入，请改为返回可操作的错误。
+
+### Provider 向导元数据
+
+`wizard.setup` 控制 provider 在分组新手引导中的显示方式：
+
+- `choiceId`：auth-choice 值
+- `choiceLabel`：选项标签
+- `choiceHint`：简短提示
+- `groupId`：分组桶 id
+- `groupLabel`：分组标签
+- `groupHint`：分组提示
+- `methodId`：要运行的身份验证方法
+
+`wizard.modelPicker` 控制 provider 在模型选择中作为“现在设置它”条目的显示方式：
+
+- `label`
+- `hint`
+- `methodId`
+
+当 provider 具有多种身份验证方法时，向导可以显式指向其中一种方法，也可以让 OpenClaw 为每种方法自动生成选择项。
+
+在插件注册时，OpenClaw 会验证 provider 向导元数据：
+
+- 重复或空白的 auth-method id 会被拒绝
+- 当 provider 没有身份验证方法时，向导元数据会被忽略
+- 无效的 `methodId` 绑定会降级为警告，并回退到 provider 剩余的身份验证方法
+
+### Provider discovery 契约
+
+`discovery.run(ctx)` 返回以下之一：
+
+- `{ provider }`
+- `{ providers }`
+- `null`
+
+当插件拥有一个 provider id 时，请使用 `{ provider }` 这一常见情况。
+当插件发现多个 provider 条目时，请使用 `{ providers }`。
+
+Discovery 上下文包括：
+
+- 当前配置
+- 智能体/工作区目录
+- 进程环境变量
+- 一个用于解析 provider API 密钥以及发现安全 API 密钥值的辅助工具
+
+Discovery 应该：
+
+- 快速
+- 尽力而为
+- 在失败时可安全跳过
+- 谨慎处理副作用
+
+它不应依赖提示或长时间运行的设置。
+
+### 发现顺序
+
+Provider discovery 按有序阶段运行：
+
+- `simple`
+- `profile`
+- `paired`
+- `late`
+
+使用建议：
+
+- `simple`：用于廉价的纯环境变量发现
+- `profile`：当发现依赖 auth profile 时使用
+- `paired`：用于需要与另一步发现协作的 provider
+- `late`：用于昂贵或本地网络探测
+
+大多数自托管 provider 应使用 `late`。
+
+### 良好的 provider-plugin 边界
+
+适合做成 provider 插件的情况：
+
+- 具有自定义设置流程的本地/自托管 providers
+- provider 特定的 OAuth/设备码登录
+- 对本地模型服务器的隐式发现
+- 选择后的副作用，例如拉取模型
+
+不太有说服力的情况：
+
+- 仅在 env var、base URL 和一个默认模型上不同的简单 API 密钥型 provider
+
+这些仍然可以做成插件，但最大的模块化收益来自先抽离那些行为丰富的 providers。
+
+通过 `api.registerProvider(...)` 注册 provider。每个 provider 暴露一个或多个身份验证方法（OAuth、API key、device code 等）。这些方法可以驱动：
 
 - `openclaw models auth login --provider <id> [--method <id>]`
+- `openclaw onboard`
+- 模型选择器中的“自定义 provider”设置条目
+- 模型解析/列出期间的隐式 provider 发现
 
 示例：
 
@@ -331,7 +1217,7 @@ api.registerProvider({
       label: "OAuth",
       kind: "oauth",
       run: async (ctx) => {
-        // Run OAuth flow and return auth profiles.
+        // 运行 OAuth 流并返回 auth profile。
         return {
           profiles: [
             {
@@ -350,18 +1236,53 @@ api.registerProvider({
       },
     },
   ],
+  wizard: {
+    setup: {
+      choiceId: "acme",
+      choiceLabel: "AcmeAI",
+      groupId: "acme",
+      groupLabel: "AcmeAI",
+      methodId: "oauth",
+    },
+    modelPicker: {
+      label: "AcmeAI（自定义）",
+      hint: "连接一个自托管 AcmeAI 端点",
+      methodId: "oauth",
+    },
+  },
+  discovery: {
+    order: "late",
+    run: async () => ({
+      provider: {
+        baseUrl: "https://acme.example/v1",
+        api: "openai-completions",
+        apiKey: "${ACME_API_KEY}",
+        models: [],
+      },
+    }),
+  },
 });
 ```
 
-注意事项：
+说明：
 
-- `run` 接收带有 `prompter`、`runtime`、`openUrl` 和 `oauth.createVpsAwareHandlers` 辅助工具的 `ProviderAuthContext`。
-- 当需要添加默认模型或提供商配置时返回 `configPatch`。
-- 返回 `defaultModel` 以便 `--set-default` 可以更新智能体默认值。
+- `run` 会接收一个 `ProviderAuthContext`，其中包含 `prompter`、`runtime`、
+  `openUrl`、`oauth.createVpsAwareHandlers`、`secretInputMode` 和
+  `allowSecretRefPrompt` 辅助工具/状态。新手引导/配置流程可以用它们来遵守 `--secret-input-mode`，或提供 env/file/exec secret-ref 采集，而 `openclaw models auth` 会保持更严格的提示表面。
+- `runNonInteractive` 会接收一个 `ProviderAuthMethodNonInteractiveContext`，
+  其中包含 `opts`、`agentDir`、`resolveApiKey` 和 `toApiKeyCredential` 辅助工具，用于无头 onboarding。
+- 当你需要添加默认模型或 provider 配置时，请返回 `configPatch`。
+- 返回 `defaultModel`，这样 `--set-default` 就能更新智能体默认值。
+- `wizard.setup` 会向 `openclaw onboard` 添加一个 provider 选项。
+- `wizard.modelPicker` 会向模型选择器添加一个“设置此 provider”条目。
+- `discovery.run` 对于插件自有 provider id 返回 `{ provider }`，对于多 provider 发现返回 `{ providers }`。
+- `discovery.order` 控制该 provider 相对于内置发现阶段的运行时机：`simple`、`profile`、`paired` 或 `late`。
+- `onModelSelected` 是选择后的 hook，用于 provider 特定的后续工作，例如拉取本地模型。
 
-### 注册消息渠道
+### 注册一个消息渠道
 
-插件可以注册**渠道插件**，其行为类似于内置渠道（WhatsApp、Telegram 等）。渠道配置位于 `channels.<id>` 下，由你的渠道插件代码验证。
+插件可以注册 **渠道插件**，其行为类似内置渠道
+（WhatsApp、Telegram 等）。渠道配置位于 `channels.<id>` 下，并由你的渠道插件代码进行验证。
 
 ```ts
 const myChannel = {
@@ -371,7 +1292,7 @@ const myChannel = {
     label: "AcmeChat",
     selectionLabel: "AcmeChat (API)",
     docsPath: "/channels/acmechat",
-    blurb: "demo channel plugin.",
+    blurb: "演示渠道插件。",
     aliases: ["acme"],
   },
   capabilities: { chatTypes: ["direct"] },
@@ -393,44 +1314,62 @@ export default function (api) {
 }
 ```
 
-注意事项：
+说明：
 
 - 将配置放在 `channels.<id>` 下（而不是 `plugins.entries`）。
 - `meta.label` 用于 CLI/UI 列表中的标签。
-- `meta.aliases` 添加用于规范化和 CLI 输入的备用 id。
-- `meta.preferOver` 列出当两者都配置时要跳过自动启用的渠道 id。
-- `meta.detailLabel` 和 `meta.systemImage` 让 UI 显示更丰富的渠道标签/图标。
+- `meta.aliases` 会为规范化和 CLI 输入添加备用 id。
+- `meta.preferOver` 列出当两者都已配置时应跳过自动启用的渠道 id。
+- `meta.detailLabel` 和 `meta.systemImage` 让 UI 能显示更丰富的渠道标签/图标。
 
-### 编写新的消息渠道（分步指南）
+### 渠道 setup hooks
 
-当你想要一个**新的聊天界面**（"消息渠道"）而不是模型提供商时使用此方法。
-模型提供商文档位于 `/providers/*` 下。
+推荐的 setup 拆分：
 
-1. 选择 id + 配置结构
+- `plugin.setup` 负责账户 id 规范化、验证和配置写入。
+- `plugin.setupWizard` 让宿主运行通用向导流程，而渠道只提供状态、凭据、私信 allowlist 和渠道访问描述符。
 
-- 所有渠道配置位于 `channels.<id>` 下。
+`plugin.setupWizard` 最适合符合共享模式的渠道：
+
+- 一个由 `plugin.config.listAccountIds` 驱动的账户选择器
+- 在提示前执行可选的预检/准备步骤（例如安装器/引导工作）
+- 为捆绑凭据集提供可选的环境变量快捷提示（例如成对 bot/app token）
+- 一个或多个凭据提示，每一步要么通过 `plugin.setup.applyAccountConfig` 写入，要么通过渠道自有部分补丁写入
+- 可选的非 secret 文本提示（例如 CLI 路径、base URL、账户 id）
+- 可选的由宿主解析的渠道/群组访问 allowlist 提示
+- 可选的私信 allowlist 解析（例如 `@username` -> 数字 id）
+- setup 完成后的可选完成说明
+
+### 编写一个新的消息渠道（分步说明）
+
+当你想要一个 **新的聊天表面**（即“消息渠道”），而不是模型 provider 时，请使用本节。
+模型 provider 文档位于 `/providers/*`。
+
+1. 选择一个 id + 配置结构
+
+- 所有渠道配置都位于 `channels.<id>` 下。
 - 对于多账户设置，优先使用 `channels.<id>.accounts.<accountId>`。
 
 2. 定义渠道元数据
 
 - `meta.label`、`meta.selectionLabel`、`meta.docsPath`、`meta.blurb` 控制 CLI/UI 列表。
-- `meta.docsPath` 应指向像 `/channels/<id>` 这样的文档页面。
-- `meta.preferOver` 让插件替换另一个渠道（自动启用优先选择它）。
-- `meta.detailLabel` 和 `meta.systemImage` 被 UI 用于详细文本/图标。
+- `meta.docsPath` 应指向类似 `/channels/<id>` 的文档页面。
+- `meta.preferOver` 允许一个插件替换另一个渠道（自动启用时优先它）。
+- `meta.detailLabel` 和 `meta.systemImage` 供 UI 用于详情文字/图标。
 
-3. 实现必需的适配器
+3. 实现所需适配器
 
 - `config.listAccountIds` + `config.resolveAccount`
 - `capabilities`（聊天类型、媒体、线程等）
-- `outbound.deliveryMode` + `outbound.sendText`（用于基本发送）
+- `outbound.deliveryMode` + `outbound.sendText`（基础发送）
 
-4. 根据需要添加可选适配器
+4. 视需要添加可选适配器
 
-- `setup`（向导）、`security`（私信策略）、`status`（健康/诊断）
+- `setup`（验证 + 配置写入）、`setupWizard`（宿主拥有的向导）、`security`（私信策略）、`status`（健康/诊断）
 - `gateway`（启动/停止/登录）、`mentions`、`threading`、`streaming`
-- `actions`（消息操作）、`commands`（原生命令行为）
+- `actions`（消息动作）、`commands`（原生命令行为）
 
-5. 在插件中注册渠道
+5. 在你的插件中注册该渠道
 
 - `api.registerChannel({ plugin })`
 
@@ -458,7 +1397,7 @@ const plugin = {
     label: "AcmeChat",
     selectionLabel: "AcmeChat (API)",
     docsPath: "/channels/acmechat",
-    blurb: "AcmeChat messaging channel.",
+    blurb: "AcmeChat 消息渠道。",
     aliases: ["acme"],
   },
   capabilities: { chatTypes: ["direct"] },
@@ -472,7 +1411,7 @@ const plugin = {
   outbound: {
     deliveryMode: "direct",
     sendText: async ({ text }) => {
-      // deliver `text` to your channel here
+      // 在这里将 `text` 发送到你的渠道
       return { ok: true };
     },
   },
@@ -483,13 +1422,14 @@ export default function (api) {
 }
 ```
 
-加载插件（扩展目录或 `plugins.load.paths`），重启 Gateway 网关，然后在配置中配置 `channels.<id>`。
+加载插件（扩展目录或 `plugins.load.paths`），重启 gateway，
+然后在配置中设置 `channels.<id>`。
 
 ### 智能体工具
 
-参见专门指南：[插件智能体工具](/plugins/agent-tools)。
+请参阅专门指南：[Plugin agent tools](/plugins/agent-tools)。
 
-### 注册 Gateway 网关 RPC 方法
+### 注册一个 Gateway RPC 方法
 
 ```ts
 export default function (api) {
@@ -516,61 +1456,63 @@ export default function (api) {
 
 ### 注册自动回复命令
 
-插件可以注册自定义斜杠命令，**无需调用 AI 智能体**即可执行。这对于切换命令、状态检查或不需要 LLM 处理的快速操作很有用。
+插件可以注册自定义 slash 命令，这些命令 **无需调用 AI 智能体** 即可执行。
+这对开关命令、状态检查或不需要 LLM 处理的快捷操作非常有用。
 
 ```ts
 export default function (api) {
   api.registerCommand({
     name: "mystatus",
-    description: "Show plugin status",
+    description: "显示插件状态",
     handler: (ctx) => ({
-      text: `Plugin is running! Channel: ${ctx.channel}`,
+      text: `插件正在运行！渠道：${ctx.channel}`,
     }),
   });
 }
 ```
 
-命令处理程序上下文：
+命令处理器上下文：
 
-- `senderId`：发送者的 ID（如可用）
+- `senderId`：发送者的 ID（如果可用）
 - `channel`：发送命令的渠道
-- `isAuthorizedSender`：发送者是否是授权用户
-- `args`：命令后传递的参数（如果 `acceptsArgs: true`）
-- `commandBody`：完整的命令文本
+- `isAuthorizedSender`：发送者是否为已授权用户
+- `args`：命令后的参数（如果 `acceptsArgs: true`）
+- `commandBody`：完整命令文本
 - `config`：当前 OpenClaw 配置
 
 命令选项：
 
-- `name`：命令名称（不带前导 `/`）
-- `description`：命令列表中显示的帮助文本
-- `acceptsArgs`：命令是否接受参数（默认：false）。如果为 false 且提供了参数，命令不会匹配，消息会传递给其他处理程序
-- `requireAuth`：是否需要授权发送者（默认：true）
-- `handler`：返回 `{ text: string }` 的函数（可以是异步的）
+- `name`：命令名（不含前导 `/`）
+- `nativeNames`：可选的原生命令别名，用于 slash/menu 表面。对所有原生 provider 使用 `default`，或使用如 `discord` 这样的 provider 特定键
+- `description`：在命令列表中显示的帮助文本
+- `acceptsArgs`：命令是否接受参数（默认：false）。如果为 false 且提供了参数，则命令不会匹配，消息会继续传递给其他处理器
+- `requireAuth`：是否要求发送者已授权（默认：true）
+- `handler`：返回 `{ text: string }` 的函数（可以是异步）
 
 带授权和参数的示例：
 
 ```ts
 api.registerCommand({
   name: "setmode",
-  description: "Set plugin mode",
+  description: "设置插件模式",
   acceptsArgs: true,
   requireAuth: true,
   handler: async (ctx) => {
     const mode = ctx.args?.trim() || "default";
     await saveMode(mode);
-    return { text: `Mode set to: ${mode}` };
+    return { text: `模式已设置为：${mode}` };
   },
 });
 ```
 
-注意事项：
+说明：
 
-- 插件命令在内置命令和 AI 智能体**之前**处理
-- 命令全局注册，适用于所有渠道
-- 命令名称不区分大小写（`/MyStatus` 匹配 `/mystatus`）
-- 命令名称必须以字母开头，只能包含字母、数字、连字符和下划线
-- 保留的命令名称（如 `help`、`status`、`reset` 等）不能被插件覆盖
-- 跨插件的重复命令注册将失败并显示诊断错误
+- 插件命令会在内置命令和 AI 智能体 **之前** 处理
+- 命令是全局注册的，适用于所有渠道
+- 命令名不区分大小写（`/MyStatus` 可匹配 `/mystatus`）
+- 命令名必须以字母开头，并且只能包含字母、数字、连字符和下划线
+- 保留命令名（如 `help`、`status`、`reset` 等）不能被插件覆盖
+- 插件间重复注册命令会因诊断错误而失败
 
 ### 注册后台服务
 
@@ -586,54 +1528,56 @@ export default function (api) {
 
 ## 命名约定
 
-- Gateway 网关方法：`pluginId.action`（例如：`voicecall.status`）
+- Gateway 方法：`pluginId.action`（例如：`voicecall.status`）
 - 工具：`snake_case`（例如：`voice_call`）
 - CLI 命令：kebab 或 camel，但避免与核心命令冲突
 
 ## Skills
 
-插件可以在仓库中附带 Skills（`skills/<name>/SKILL.md`）。
-使用 `plugins.entries.<id>.enabled`（或其他配置门控）启用它，并确保它存在于你的工作区/托管 Skills 位置。
+插件可以在仓库中附带一个 skill（`skills/<name>/SKILL.md`）。
+通过 `plugins.entries.<id>.enabled`（或其他配置门控）启用它，并确保它存在于你的工作区/托管 skills 位置中。
 
 ## 分发（npm）
 
-推荐的打包方式：
+推荐打包方式：
 
 - 主包：`openclaw`（本仓库）
-- 插件：`@openclaw/*` 下的独立 npm 包（例如：`@openclaw/voice-call`）
+- 插件：位于 `@openclaw/*` 下的独立 npm 包（例如：`@openclaw/voice-call`）
 
 发布契约：
 
-- 插件 `package.json` 必须包含带有一个或多个入口文件的 `openclaw.extensions`。
-- 入口文件可以是 `.js` 或 `.ts`（jiti 在运行时加载 TS）。
-- `openclaw plugins install <npm-spec>` 使用 `npm pack`，提取到 `~/.openclaw/extensions/<id>/`，并在配置中启用它。
-- 配置键稳定性：作用域包被规范化为 `plugins.entries.*` 的**无作用域** id。
+- 插件 `package.json` 必须包含 `openclaw.extensions`，并指向一个或多个入口文件。
+- 可选：`openclaw.setupEntry` 可指向一个轻量级的仅 setup 入口，用于已禁用或尚未配置完成的渠道 setup。
+- 入口文件可以是 `.js` 或 `.ts`（jiti 会在运行时加载 TS）。
+- `openclaw plugins install <npm-spec>` 会使用 `npm pack`，提取到 `~/.openclaw/extensions/<id>/`，并在配置中启用它。
+- 配置键稳定性：带 scope 的包会被规范化为 **无 scope** 的 id，用于 `plugins.entries.*`。
 
 ## 示例插件：Voice Call
 
-本仓库包含一个语音通话插件（Twilio 或 log 回退）：
+本仓库包含一个 voice-call 插件（Twilio 或日志回退）：
 
 - 源码：`extensions/voice-call`
-- Skills：`skills/voice-call`
+- Skill：`skills/voice-call`
 - CLI：`openclaw voicecall start|status`
 - 工具：`voice_call`
 - RPC：`voicecall.start`、`voicecall.status`
 - 配置（twilio）：`provider: "twilio"` + `twilio.accountSid/authToken/from`（可选 `statusCallbackUrl`、`twimlUrl`）
-- 配置（dev）：`provider: "log"`（无网络）
+- 配置（开发）：`provider: "log"`（无网络）
 
-参见 [Voice Call](/plugins/voice-call) 和 `extensions/voice-call/README.md` 了解设置和用法。
+有关设置和用法，请参阅 [Voice Call](/plugins/voice-call) 和 `extensions/voice-call/README.md`。
 
-## 安全注意事项
+## 安全说明
 
-插件与 Gateway 网关在同一进程中运行。将它们视为受信任的代码：
+插件与 Gateway 网关在同一进程内运行。请将它们视为受信任代码：
 
 - 只安装你信任的插件。
-- 优先使用 `plugins.allow` 允许列表。
-- 更改后重启 Gateway 网关。
+- 优先使用 `plugins.allow` allowlist。
+- 请记住，`plugins.allow` 是基于 id 的，因此已启用的工作区插件可以有意覆盖具有相同 id 的捆绑插件。
+- 更改后请重启 Gateway 网关。
 
 ## 测试插件
 
 插件可以（也应该）附带测试：
 
-- 仓库内插件可以在 `src/**` 下保留 Vitest 测试（例如：`src/plugins/voice-call.plugin.test.ts`）。
-- 单独发布的插件应运行自己的 CI（lint/构建/测试）并验证 `openclaw.extensions` 指向构建的入口点（`dist/index.js`）。
+- 仓库内插件可以将 Vitest 测试放在 `src/**` 下（例如：`src/plugins/voice-call.plugin.test.ts`）。
+- 单独发布的插件应运行自己的 CI（lint/build/test），并验证 `openclaw.extensions` 指向构建后的入口点（`dist/index.js`）。
diff --git a/extensions/amazon-bedrock/index.test.ts b/extensions/amazon-bedrock/index.test.ts
new file mode 100644
index 00000000000..641173cd6ce
--- /dev/null
+++ b/extensions/amazon-bedrock/index.test.ts
@@ -0,0 +1,22 @@
+import { describe, expect, it } from "vitest";
+import { registerSingleProviderPlugin } from "../../src/test-utils/plugin-registration.js";
+import amazonBedrockPlugin from "./index.js";
+
+describe("amazon-bedrock provider plugin", () => {
+  it("marks Claude 4.6 Bedrock models as adaptive by default", () => {
+    const provider = registerSingleProviderPlugin(amazonBedrockPlugin);
+
+    expect(
+      provider.resolveDefaultThinkingLevel?.({
+        provider: "amazon-bedrock",
+        modelId: "us.anthropic.claude-opus-4-6-v1",
+      } as never),
+    ).toBe("adaptive");
+    expect(
+      provider.resolveDefaultThinkingLevel?.({
+        provider: "amazon-bedrock",
+        modelId: "amazon.nova-micro-v1:0",
+      } as never),
+    ).toBeUndefined();
+  });
+});
diff --git a/extensions/amazon-bedrock/index.ts b/extensions/amazon-bedrock/index.ts
new file mode 100644
index 00000000000..33fa3a08d32
--- /dev/null
+++ b/extensions/amazon-bedrock/index.ts
@@ -0,0 +1,23 @@
+import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+
+const PROVIDER_ID = "amazon-bedrock";
+const CLAUDE_46_MODEL_RE = /claude-(?:opus|sonnet)-4(?:\.|-)6(?:$|[-.])/i;
+
+const amazonBedrockPlugin = {
+  id: PROVIDER_ID,
+  name: "Amazon Bedrock Provider",
+  description: "Bundled Amazon Bedrock provider policy plugin",
+  configSchema: emptyPluginConfigSchema(),
+  register(api: OpenClawPluginApi) {
+    api.registerProvider({
+      id: PROVIDER_ID,
+      label: "Amazon Bedrock",
+      docsPath: "/providers/models",
+      auth: [],
+      resolveDefaultThinkingLevel: ({ modelId }) =>
+        CLAUDE_46_MODEL_RE.test(modelId.trim()) ? "adaptive" : undefined,
+    });
+  },
+};
+
+export default amazonBedrockPlugin;
diff --git a/extensions/minimax-portal-auth/openclaw.plugin.json b/extensions/amazon-bedrock/openclaw.plugin.json
similarity index 61%
rename from extensions/minimax-portal-auth/openclaw.plugin.json
rename to extensions/amazon-bedrock/openclaw.plugin.json
index 4645b6907eb..9239ea19146 100644
--- a/extensions/minimax-portal-auth/openclaw.plugin.json
+++ b/extensions/amazon-bedrock/openclaw.plugin.json
@@ -1,6 +1,6 @@
 {
-  "id": "minimax-portal-auth",
-  "providers": ["minimax-portal"],
+  "id": "amazon-bedrock",
+  "providers": ["amazon-bedrock"],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/google-gemini-cli-auth/package.json b/extensions/amazon-bedrock/package.json
similarity index 55%
rename from extensions/google-gemini-cli-auth/package.json
rename to extensions/amazon-bedrock/package.json
index 61ae5be803c..6c1471c92c3 100644
--- a/extensions/google-gemini-cli-auth/package.json
+++ b/extensions/amazon-bedrock/package.json
@@ -1,8 +1,8 @@
 {
-  "name": "@openclaw/google-gemini-cli-auth",
+  "name": "@openclaw/amazon-bedrock-provider",
   "version": "2026.3.14",
   "private": true,
-  "description": "OpenClaw Gemini CLI OAuth provider plugin",
+  "description": "OpenClaw Amazon Bedrock provider plugin",
   "type": "module",
   "openclaw": {
     "extensions": [
diff --git a/extensions/anthropic/index.test.ts b/extensions/anthropic/index.test.ts
deleted file mode 100644
index 00fe6ba74ee..00000000000
--- a/extensions/anthropic/index.test.ts
+++ /dev/null
@@ -1,102 +0,0 @@
-import { describe, expect, it } from "vitest";
-import type { ProviderPlugin } from "../../src/plugins/types.js";
-import {
-  createProviderUsageFetch,
-  makeResponse,
-} from "../../src/test-utils/provider-usage-fetch.js";
-import anthropicPlugin from "./index.js";
-
-function registerProvider(): ProviderPlugin {
-  let provider: ProviderPlugin | undefined;
-  anthropicPlugin.register({
-    registerProvider(nextProvider: ProviderPlugin) {
-      provider = nextProvider;
-    },
-  } as never);
-  if (!provider) {
-    throw new Error("provider registration missing");
-  }
-  return provider;
-}
-
-describe("anthropic plugin", () => {
-  it("owns anthropic 4.6 forward-compat resolution", () => {
-    const provider = registerProvider();
-    const model = provider.resolveDynamicModel?.({
-      provider: "anthropic",
-      modelId: "claude-sonnet-4.6-20260219",
-      modelRegistry: {
-        find: (_provider: string, id: string) =>
-          id === "claude-sonnet-4.5-20260219"
-            ? {
-                id,
-                name: id,
-                api: "anthropic-messages",
-                provider: "anthropic",
-                baseUrl: "https://api.anthropic.com",
-                reasoning: true,
-                input: ["text"],
-                cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-                contextWindow: 200_000,
-                maxTokens: 8_192,
-              }
-            : null,
-      } as never,
-    });
-
-    expect(model).toMatchObject({
-      id: "claude-sonnet-4.6-20260219",
-      provider: "anthropic",
-      api: "anthropic-messages",
-      baseUrl: "https://api.anthropic.com",
-    });
-  });
-
-  it("owns usage auth resolution", async () => {
-    const provider = registerProvider();
-    await expect(
-      provider.resolveUsageAuth?.({
-        config: {} as never,
-        env: {} as NodeJS.ProcessEnv,
-        provider: "anthropic",
-        resolveApiKeyFromConfigAndStore: () => undefined,
-        resolveOAuthToken: async () => ({
-          token: "anthropic-oauth-token",
-        }),
-      }),
-    ).resolves.toEqual({
-      token: "anthropic-oauth-token",
-    });
-  });
-
-  it("owns usage snapshot fetching", async () => {
-    const provider = registerProvider();
-    const mockFetch = createProviderUsageFetch(async (url) => {
-      if (url.includes("api.anthropic.com/api/oauth/usage")) {
-        return makeResponse(200, {
-          five_hour: { utilization: 20, resets_at: "2026-01-07T01:00:00Z" },
-          seven_day: { utilization: 35, resets_at: "2026-01-09T01:00:00Z" },
-        });
-      }
-      return makeResponse(404, "not found");
-    });
-
-    const snapshot = await provider.fetchUsageSnapshot?.({
-      config: {} as never,
-      env: {} as NodeJS.ProcessEnv,
-      provider: "anthropic",
-      token: "anthropic-oauth-token",
-      timeoutMs: 5_000,
-      fetchFn: mockFetch as unknown as typeof fetch,
-    });
-
-    expect(snapshot).toEqual({
-      provider: "anthropic",
-      displayName: "Claude",
-      windows: [
-        { label: "5h", usedPercent: 20, resetAt: Date.parse("2026-01-07T01:00:00Z") },
-        { label: "Week", usedPercent: 35, resetAt: Date.parse("2026-01-09T01:00:00Z") },
-      ],
-    });
-  });
-});
diff --git a/extensions/anthropic/index.ts b/extensions/anthropic/index.ts
index bb17f9d4dc1..a2491dfbd87 100644
--- a/extensions/anthropic/index.ts
+++ b/extensions/anthropic/index.ts
@@ -1,19 +1,54 @@
 import {
   emptyPluginConfigSchema,
   type OpenClawPluginApi,
+  type ProviderAuthContext,
   type ProviderResolveDynamicModelContext,
   type ProviderRuntimeModel,
 } from "openclaw/plugin-sdk/core";
+import {
+  CLAUDE_CLI_PROFILE_ID,
+  listProfilesForProvider,
+  upsertAuthProfile,
+} from "../../src/agents/auth-profiles.js";
+import { suggestOAuthProfileIdForLegacyDefault } from "../../src/agents/auth-profiles/repair.js";
+import type { AuthProfileStore } from "../../src/agents/auth-profiles/types.js";
 import { normalizeModelCompat } from "../../src/agents/model-compat.js";
+import { formatCliCommand } from "../../src/cli/command-format.js";
+import { parseDurationMs } from "../../src/cli/parse-duration.js";
+import {
+  normalizeSecretInputModeInput,
+  promptSecretRefForSetup,
+  resolveSecretInputModeForEnvSelection,
+} from "../../src/commands/auth-choice.apply-helpers.js";
+import { buildTokenProfileId, validateAnthropicSetupToken } from "../../src/commands/auth-token.js";
+import { applyAuthProfileConfig } from "../../src/commands/onboard-auth.js";
 import { fetchClaudeUsage } from "../../src/infra/provider-usage.fetch.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
+import type { ProviderAuthResult } from "../../src/plugins/types.js";
+import { normalizeSecretInput } from "../../src/utils/normalize-secret-input.js";
 
 const PROVIDER_ID = "anthropic";
+const DEFAULT_ANTHROPIC_MODEL = "anthropic/claude-sonnet-4-6";
 const ANTHROPIC_OPUS_46_MODEL_ID = "claude-opus-4-6";
 const ANTHROPIC_OPUS_46_DOT_MODEL_ID = "claude-opus-4.6";
 const ANTHROPIC_OPUS_TEMPLATE_MODEL_IDS = ["claude-opus-4-5", "claude-opus-4.5"] as const;
 const ANTHROPIC_SONNET_46_MODEL_ID = "claude-sonnet-4-6";
 const ANTHROPIC_SONNET_46_DOT_MODEL_ID = "claude-sonnet-4.6";
 const ANTHROPIC_SONNET_TEMPLATE_MODEL_IDS = ["claude-sonnet-4-5", "claude-sonnet-4.5"] as const;
+const ANTHROPIC_MODERN_MODEL_PREFIXES = [
+  "claude-opus-4-6",
+  "claude-sonnet-4-6",
+  "claude-opus-4-5",
+  "claude-sonnet-4-5",
+  "claude-haiku-4-5",
+] as const;
+const ANTHROPIC_OAUTH_ALLOWLIST = [
+  "anthropic/claude-sonnet-4-6",
+  "anthropic/claude-opus-4-6",
+  "anthropic/claude-opus-4-5",
+  "anthropic/claude-sonnet-4-5",
+  "anthropic/claude-haiku-4-5",
+] as const;
 
 function cloneFirstTemplateModel(params: {
   modelId: string;
@@ -96,6 +131,184 @@ function resolveAnthropicForwardCompatModel(
   );
 }
 
+function matchesAnthropicModernModel(modelId: string): boolean {
+  const lower = modelId.trim().toLowerCase();
+  return ANTHROPIC_MODERN_MODEL_PREFIXES.some((prefix) => lower.startsWith(prefix));
+}
+
+function buildAnthropicAuthDoctorHint(params: {
+  config?: ProviderAuthContext["config"];
+  store: AuthProfileStore;
+  profileId?: string;
+}): string {
+  const legacyProfileId = params.profileId ?? "anthropic:default";
+  const suggested = suggestOAuthProfileIdForLegacyDefault({
+    cfg: params.config,
+    store: params.store,
+    provider: PROVIDER_ID,
+    legacyProfileId,
+  });
+  if (!suggested || suggested === legacyProfileId) {
+    return "";
+  }
+
+  const storeOauthProfiles = listProfilesForProvider(params.store, PROVIDER_ID)
+    .filter((id) => params.store.profiles[id]?.type === "oauth")
+    .join(", ");
+
+  const cfgMode = params.config?.auth?.profiles?.[legacyProfileId]?.mode;
+  const cfgProvider = params.config?.auth?.profiles?.[legacyProfileId]?.provider;
+
+  return [
+    "Doctor hint (for GitHub issue):",
+    `- provider: ${PROVIDER_ID}`,
+    `- config: ${legacyProfileId}${
+      cfgProvider || cfgMode ? ` (provider=${cfgProvider ?? "?"}, mode=${cfgMode ?? "?"})` : ""
+    }`,
+    `- auth store oauth profiles: ${storeOauthProfiles || "(none)"}`,
+    `- suggested profile: ${suggested}`,
+    `Fix: run "${formatCliCommand("openclaw doctor --yes")}"`,
+  ].join("\n");
+}
+
+async function runAnthropicSetupToken(ctx: ProviderAuthContext): Promise<ProviderAuthResult> {
+  await ctx.prompter.note(
+    ["Run `claude setup-token` in your terminal.", "Then paste the generated token below."].join(
+      "\n",
+    ),
+    "Anthropic setup-token",
+  );
+
+  const requestedSecretInputMode = normalizeSecretInputModeInput(ctx.secretInputMode);
+  const selectedMode = ctx.allowSecretRefPrompt
+    ? await resolveSecretInputModeForEnvSelection({
+        prompter: ctx.prompter,
+        explicitMode: requestedSecretInputMode,
+        copy: {
+          modeMessage: "How do you want to provide this setup token?",
+          plaintextLabel: "Paste setup token now",
+          plaintextHint: "Stores the token directly in the auth profile",
+        },
+      })
+    : "plaintext";
+
+  let token = "";
+  let tokenRef: { source: "env" | "file" | "exec"; provider: string; id: string } | undefined;
+  if (selectedMode === "ref") {
+    const resolved = await promptSecretRefForSetup({
+      provider: "anthropic-setup-token",
+      config: ctx.config,
+      prompter: ctx.prompter,
+      preferredEnvVar: "ANTHROPIC_SETUP_TOKEN",
+      copy: {
+        sourceMessage: "Where is this Anthropic setup token stored?",
+        envVarPlaceholder: "ANTHROPIC_SETUP_TOKEN",
+      },
+    });
+    token = resolved.resolvedValue.trim();
+    tokenRef = resolved.ref;
+  } else {
+    const tokenRaw = await ctx.prompter.text({
+      message: "Paste Anthropic setup-token",
+      validate: (value) => validateAnthropicSetupToken(String(value ?? "")),
+    });
+    token = String(tokenRaw ?? "").trim();
+  }
+  const tokenError = validateAnthropicSetupToken(token);
+  if (tokenError) {
+    throw new Error(tokenError);
+  }
+
+  const profileNameRaw = await ctx.prompter.text({
+    message: "Token name (blank = default)",
+    placeholder: "default",
+  });
+
+  return {
+    profiles: [
+      {
+        profileId: buildTokenProfileId({
+          provider: PROVIDER_ID,
+          name: String(profileNameRaw ?? ""),
+        }),
+        credential: {
+          type: "token",
+          provider: PROVIDER_ID,
+          token,
+          ...(tokenRef ? { tokenRef } : {}),
+        },
+      },
+    ],
+  };
+}
+
+async function runAnthropicSetupTokenNonInteractive(ctx: {
+  config: ProviderAuthContext["config"];
+  opts: {
+    tokenProvider?: string;
+    token?: string;
+    tokenExpiresIn?: string;
+    tokenProfileId?: string;
+  };
+  runtime: ProviderAuthContext["runtime"];
+  agentDir?: string;
+}): Promise<ProviderAuthContext["config"] | null> {
+  const provider = ctx.opts.tokenProvider?.trim().toLowerCase();
+  if (!provider) {
+    ctx.runtime.error("Missing --token-provider for --auth-choice token.");
+    ctx.runtime.exit(1);
+    return null;
+  }
+  if (provider !== PROVIDER_ID) {
+    ctx.runtime.error("Only --token-provider anthropic is supported for --auth-choice token.");
+    ctx.runtime.exit(1);
+    return null;
+  }
+
+  const token = normalizeSecretInput(ctx.opts.token);
+  if (!token) {
+    ctx.runtime.error("Missing --token for --auth-choice token.");
+    ctx.runtime.exit(1);
+    return null;
+  }
+  const tokenError = validateAnthropicSetupToken(token);
+  if (tokenError) {
+    ctx.runtime.error(tokenError);
+    ctx.runtime.exit(1);
+    return null;
+  }
+
+  let expires: number | undefined;
+  const expiresInRaw = ctx.opts.tokenExpiresIn?.trim();
+  if (expiresInRaw) {
+    try {
+      expires = Date.now() + parseDurationMs(expiresInRaw, { defaultUnit: "d" });
+    } catch (err) {
+      ctx.runtime.error(`Invalid --token-expires-in: ${String(err)}`);
+      ctx.runtime.exit(1);
+      return null;
+    }
+  }
+
+  const profileId =
+    ctx.opts.tokenProfileId?.trim() || buildTokenProfileId({ provider: PROVIDER_ID, name: "" });
+  upsertAuthProfile({
+    profileId,
+    agentDir: ctx.agentDir,
+    credential: {
+      type: "token",
+      provider: PROVIDER_ID,
+      token,
+      ...(expires ? { expires } : {}),
+    },
+  });
+  return applyAuthProfileConfig(ctx.config, {
+    profileId,
+    provider: PROVIDER_ID,
+    mode: "token",
+  });
+}
+
 const anthropicPlugin = {
   id: PROVIDER_ID,
   name: "Anthropic Provider",
@@ -107,16 +320,79 @@ const anthropicPlugin = {
       label: "Anthropic",
       docsPath: "/providers/models",
       envVars: ["ANTHROPIC_OAUTH_TOKEN", "ANTHROPIC_API_KEY"],
-      auth: [],
+      deprecatedProfileIds: [CLAUDE_CLI_PROFILE_ID],
+      auth: [
+        {
+          id: "setup-token",
+          label: "setup-token (claude)",
+          hint: "Paste a setup-token from `claude setup-token`",
+          kind: "token",
+          wizard: {
+            choiceId: "token",
+            choiceLabel: "Anthropic token (paste setup-token)",
+            choiceHint: "Run `claude setup-token` elsewhere, then paste the token here",
+            groupId: "anthropic",
+            groupLabel: "Anthropic",
+            groupHint: "setup-token + API key",
+            modelAllowlist: {
+              allowedKeys: [...ANTHROPIC_OAUTH_ALLOWLIST],
+              initialSelections: ["anthropic/claude-sonnet-4-6"],
+              message: "Anthropic OAuth models",
+            },
+          },
+          run: async (ctx: ProviderAuthContext) => await runAnthropicSetupToken(ctx),
+          runNonInteractive: async (ctx) =>
+            await runAnthropicSetupTokenNonInteractive({
+              config: ctx.config,
+              opts: ctx.opts,
+              runtime: ctx.runtime,
+              agentDir: ctx.agentDir,
+            }),
+        },
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Anthropic API key",
+          hint: "Direct Anthropic API key",
+          optionKey: "anthropicApiKey",
+          flagName: "--anthropic-api-key",
+          envVar: "ANTHROPIC_API_KEY",
+          promptMessage: "Enter Anthropic API key",
+          defaultModel: DEFAULT_ANTHROPIC_MODEL,
+          expectedProviders: ["anthropic"],
+          wizard: {
+            choiceId: "apiKey",
+            choiceLabel: "Anthropic API key",
+            groupId: "anthropic",
+            groupLabel: "Anthropic",
+            groupHint: "setup-token + API key",
+          },
+        }),
+      ],
       resolveDynamicModel: (ctx) => resolveAnthropicForwardCompatModel(ctx),
       capabilities: {
         providerFamily: "anthropic",
         dropThinkingBlockModelHints: ["claude"],
       },
+      isModernModelRef: ({ modelId }) => matchesAnthropicModernModel(modelId),
+      resolveDefaultThinkingLevel: ({ modelId }) =>
+        matchesAnthropicModernModel(modelId) &&
+        (modelId.toLowerCase().startsWith(ANTHROPIC_OPUS_46_MODEL_ID) ||
+          modelId.toLowerCase().startsWith(ANTHROPIC_OPUS_46_DOT_MODEL_ID) ||
+          modelId.toLowerCase().startsWith(ANTHROPIC_SONNET_46_MODEL_ID) ||
+          modelId.toLowerCase().startsWith(ANTHROPIC_SONNET_46_DOT_MODEL_ID))
+          ? "adaptive"
+          : undefined,
       resolveUsageAuth: async (ctx) => await ctx.resolveOAuthToken(),
       fetchUsageSnapshot: async (ctx) =>
         await fetchClaudeUsage(ctx.token, ctx.timeoutMs, ctx.fetchFn),
       isCacheTtlEligible: () => true,
+      buildAuthDoctorHint: (ctx) =>
+        buildAnthropicAuthDoctorHint({
+          config: ctx.config,
+          store: ctx.store,
+          profileId: ctx.profileId,
+        }),
     });
   },
 };
diff --git a/extensions/anthropic/openclaw.plugin.json b/extensions/anthropic/openclaw.plugin.json
index 5342e849e52..65a57bd0381 100644
--- a/extensions/anthropic/openclaw.plugin.json
+++ b/extensions/anthropic/openclaw.plugin.json
@@ -1,6 +1,34 @@
 {
   "id": "anthropic",
   "providers": ["anthropic"],
+  "providerAuthEnvVars": {
+    "anthropic": ["ANTHROPIC_OAUTH_TOKEN", "ANTHROPIC_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "anthropic",
+      "method": "setup-token",
+      "choiceId": "token",
+      "choiceLabel": "Anthropic token (paste setup-token)",
+      "choiceHint": "Run `claude setup-token` elsewhere, then paste the token here",
+      "groupId": "anthropic",
+      "groupLabel": "Anthropic",
+      "groupHint": "setup-token + API key"
+    },
+    {
+      "provider": "anthropic",
+      "method": "api-key",
+      "choiceId": "apiKey",
+      "choiceLabel": "Anthropic API key",
+      "groupId": "anthropic",
+      "groupLabel": "Anthropic",
+      "groupHint": "setup-token + API key",
+      "optionKey": "anthropicApiKey",
+      "cliFlag": "--anthropic-api-key",
+      "cliOption": "--anthropic-api-key <key>",
+      "cliDescription": "Anthropic API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/bluebubbles/README.md b/extensions/bluebubbles/README.md
index 46fdd04e7f4..dbd16b95cfe 100644
--- a/extensions/bluebubbles/README.md
+++ b/extensions/bluebubbles/README.md
@@ -13,7 +13,7 @@ If you’re looking for **how to use BlueBubbles as an agent/tool user**, see:
 - Webhook handling: `extensions/bluebubbles/src/monitor.ts` (register per-account route via `registerPluginHttpRoute`).
 - REST helpers: `extensions/bluebubbles/src/send.ts` + `extensions/bluebubbles/src/probe.ts`.
 - Runtime bridge: `extensions/bluebubbles/src/runtime.ts` (set via `api.runtime`).
-- Catalog entry for onboarding: `src/channels/plugins/catalog.ts`.
+- Catalog entry for setup selection: `src/channels/plugins/catalog.ts`.
 
 ## Internal helpers (use these, not raw API calls)
 
diff --git a/extensions/bluebubbles/package.json b/extensions/bluebubbles/package.json
index 67df516b8d7..2426958d346 100644
--- a/extensions/bluebubbles/package.json
+++ b/extensions/bluebubbles/package.json
@@ -10,6 +10,7 @@
     "extensions": [
       "./index.ts"
     ],
+    "setupEntry": "./setup-entry.ts",
     "channel": {
       "id": "bluebubbles",
       "label": "BlueBubbles",
diff --git a/extensions/bluebubbles/setup-entry.ts b/extensions/bluebubbles/setup-entry.ts
new file mode 100644
index 00000000000..5e05d9c8bb2
--- /dev/null
+++ b/extensions/bluebubbles/setup-entry.ts
@@ -0,0 +1,5 @@
+import { bluebubblesPlugin } from "./src/channel.js";
+
+export default {
+  plugin: bluebubblesPlugin,
+};
diff --git a/extensions/bluebubbles/src/actions.runtime.ts b/extensions/bluebubbles/src/actions.runtime.ts
new file mode 100644
index 00000000000..53285c19f17
--- /dev/null
+++ b/extensions/bluebubbles/src/actions.runtime.ts
@@ -0,0 +1,13 @@
+export { sendBlueBubblesAttachment } from "./attachments.js";
+export {
+  addBlueBubblesParticipant,
+  editBlueBubblesMessage,
+  leaveBlueBubblesChat,
+  removeBlueBubblesParticipant,
+  renameBlueBubblesChat,
+  setGroupIconBlueBubbles,
+  unsendBlueBubblesMessage,
+} from "./chat.js";
+export { resolveBlueBubblesMessageId } from "./monitor.js";
+export { sendBlueBubblesReaction } from "./reactions.js";
+export { resolveChatGuidForTarget, sendMessageBlueBubbles } from "./send.js";
diff --git a/extensions/bluebubbles/src/actions.ts b/extensions/bluebubbles/src/actions.ts
index a8ce9f62c5f..4e6476afa3f 100644
--- a/extensions/bluebubbles/src/actions.ts
+++ b/extensions/bluebubbles/src/actions.ts
@@ -12,24 +12,18 @@ import {
   type ChannelMessageActionName,
 } from "openclaw/plugin-sdk/bluebubbles";
 import { resolveBlueBubblesAccount } from "./accounts.js";
-import { sendBlueBubblesAttachment } from "./attachments.js";
-import {
-  editBlueBubblesMessage,
-  unsendBlueBubblesMessage,
-  renameBlueBubblesChat,
-  setGroupIconBlueBubbles,
-  addBlueBubblesParticipant,
-  removeBlueBubblesParticipant,
-  leaveBlueBubblesChat,
-} from "./chat.js";
-import { resolveBlueBubblesMessageId } from "./monitor.js";
 import { getCachedBlueBubblesPrivateApiStatus, isMacOS26OrHigher } from "./probe.js";
-import { sendBlueBubblesReaction } from "./reactions.js";
 import { normalizeSecretInputString } from "./secret-input.js";
-import { resolveChatGuidForTarget, sendMessageBlueBubbles } from "./send.js";
 import { normalizeBlueBubblesHandle, parseBlueBubblesTarget } from "./targets.js";
 import type { BlueBubblesSendTarget } from "./types.js";
 
+let actionsRuntimePromise: Promise<typeof import("./actions.runtime.js")> | null = null;
+
+function loadBlueBubblesActionsRuntime() {
+  actionsRuntimePromise ??= import("./actions.runtime.js");
+  return actionsRuntimePromise;
+}
+
 const providerId = "bluebubbles";
 
 function mapTarget(raw: string): BlueBubblesSendTarget {
@@ -99,6 +93,7 @@ export const bluebubblesMessageActions: ChannelMessageActionAdapter = {
   supportsAction: ({ action }) => SUPPORTED_ACTIONS.has(action),
   extractToolSend: ({ args }) => extractToolSend(args, "sendMessage"),
   handleAction: async ({ action, params, cfg, accountId, toolContext }) => {
+    const runtime = await loadBlueBubblesActionsRuntime();
     const account = resolveBlueBubblesAccount({
       cfg: cfg,
       accountId: accountId ?? undefined,
@@ -147,7 +142,7 @@ export const bluebubblesMessageActions: ChannelMessageActionAdapter = {
         throw new Error(`BlueBubbles ${action} requires serverUrl and password.`);
       }
 
-      const resolved = await resolveChatGuidForTarget({ baseUrl, password, target });
+      const resolved = await runtime.resolveChatGuidForTarget({ baseUrl, password, target });
       if (!resolved) {
         throw new Error(`BlueBubbles ${action} failed: chatGuid not found for target.`);
       }
@@ -173,11 +168,13 @@ export const bluebubblesMessageActions: ChannelMessageActionAdapter = {
         );
       }
       // Resolve short ID (e.g., "1", "2") to full UUID
-      const messageId = resolveBlueBubblesMessageId(rawMessageId, { requireKnownShortId: true });
+      const messageId = runtime.resolveBlueBubblesMessageId(rawMessageId, {
+        requireKnownShortId: true,
+      });
       const partIndex = readNumberParam(params, "partIndex", { integer: true });
       const resolvedChatGuid = await resolveChatGuid();
 
-      await sendBlueBubblesReaction({
+      await runtime.sendBlueBubblesReaction({
         chatGuid: resolvedChatGuid,
         messageGuid: messageId,
         emoji,
@@ -218,11 +215,13 @@ export const bluebubblesMessageActions: ChannelMessageActionAdapter = {
         );
       }
       // Resolve short ID (e.g., "1", "2") to full UUID
-      const messageId = resolveBlueBubblesMessageId(rawMessageId, { requireKnownShortId: true });
+      const messageId = runtime.resolveBlueBubblesMessageId(rawMessageId, {
+        requireKnownShortId: true,
+      });
       const partIndex = readNumberParam(params, "partIndex", { integer: true });
       const backwardsCompatMessage = readStringParam(params, "backwardsCompatMessage");
 
-      await editBlueBubblesMessage(messageId, newText, {
+      await runtime.editBlueBubblesMessage(messageId, newText, {
         ...opts,
         partIndex: typeof partIndex === "number" ? partIndex : undefined,
         backwardsCompatMessage: backwardsCompatMessage ?? undefined,
@@ -242,10 +241,12 @@ export const bluebubblesMessageActions: ChannelMessageActionAdapter = {
         );
       }
       // Resolve short ID (e.g., "1", "2") to full UUID
-      const messageId = resolveBlueBubblesMessageId(rawMessageId, { requireKnownShortId: true });
+      const messageId = runtime.resolveBlueBubblesMessageId(rawMessageId, {
+        requireKnownShortId: true,
+      });
       const partIndex = readNumberParam(params, "partIndex", { integer: true });
 
-      await unsendBlueBubblesMessage(messageId, {
+      await runtime.unsendBlueBubblesMessage(messageId, {
         ...opts,
         partIndex: typeof partIndex === "number" ? partIndex : undefined,
       });
@@ -276,10 +277,12 @@ export const bluebubblesMessageActions: ChannelMessageActionAdapter = {
         );
       }
       // Resolve short ID (e.g., "1", "2") to full UUID
-      const messageId = resolveBlueBubblesMessageId(rawMessageId, { requireKnownShortId: true });
+      const messageId = runtime.resolveBlueBubblesMessageId(rawMessageId, {
+        requireKnownShortId: true,
+      });
       const partIndex = readNumberParam(params, "partIndex", { integer: true });
 
-      const result = await sendMessageBlueBubbles(to, text, {
+      const result = await runtime.sendMessageBlueBubbles(to, text, {
         ...opts,
         replyToMessageGuid: messageId,
         replyToPartIndex: typeof partIndex === "number" ? partIndex : undefined,
@@ -313,7 +316,7 @@ export const bluebubblesMessageActions: ChannelMessageActionAdapter = {
         );
       }
 
-      const result = await sendMessageBlueBubbles(to, text, {
+      const result = await runtime.sendMessageBlueBubbles(to, text, {
         ...opts,
         effectId,
       });
@@ -330,7 +333,7 @@ export const bluebubblesMessageActions: ChannelMessageActionAdapter = {
         throw new Error("BlueBubbles renameGroup requires displayName or name parameter.");
       }
 
-      await renameBlueBubblesChat(resolvedChatGuid, displayName, opts);
+      await runtime.renameBlueBubblesChat(resolvedChatGuid, displayName, opts);
 
       return jsonResult({ ok: true, renamed: resolvedChatGuid, displayName });
     }
@@ -355,7 +358,7 @@ export const bluebubblesMessageActions: ChannelMessageActionAdapter = {
       // Decode base64 to buffer
       const buffer = Uint8Array.from(atob(base64Buffer), (c) => c.charCodeAt(0));
 
-      await setGroupIconBlueBubbles(resolvedChatGuid, buffer, filename, {
+      await runtime.setGroupIconBlueBubbles(resolvedChatGuid, buffer, filename, {
         ...opts,
         contentType: contentType ?? undefined,
       });
@@ -372,7 +375,7 @@ export const bluebubblesMessageActions: ChannelMessageActionAdapter = {
         throw new Error("BlueBubbles addParticipant requires address or participant parameter.");
       }
 
-      await addBlueBubblesParticipant(resolvedChatGuid, address, opts);
+      await runtime.addBlueBubblesParticipant(resolvedChatGuid, address, opts);
 
       return jsonResult({ ok: true, added: address, chatGuid: resolvedChatGuid });
     }
@@ -386,7 +389,7 @@ export const bluebubblesMessageActions: ChannelMessageActionAdapter = {
         throw new Error("BlueBubbles removeParticipant requires address or participant parameter.");
       }
 
-      await removeBlueBubblesParticipant(resolvedChatGuid, address, opts);
+      await runtime.removeBlueBubblesParticipant(resolvedChatGuid, address, opts);
 
       return jsonResult({ ok: true, removed: address, chatGuid: resolvedChatGuid });
     }
@@ -396,7 +399,7 @@ export const bluebubblesMessageActions: ChannelMessageActionAdapter = {
       assertPrivateApiEnabled();
       const resolvedChatGuid = await resolveChatGuid();
 
-      await leaveBlueBubblesChat(resolvedChatGuid, opts);
+      await runtime.leaveBlueBubblesChat(resolvedChatGuid, opts);
 
       return jsonResult({ ok: true, left: resolvedChatGuid });
     }
@@ -427,7 +430,7 @@ export const bluebubblesMessageActions: ChannelMessageActionAdapter = {
         throw new Error("BlueBubbles sendAttachment requires buffer (base64) parameter.");
       }
 
-      const result = await sendBlueBubblesAttachment({
+      const result = await runtime.sendBlueBubblesAttachment({
         to,
         buffer,
         filename,
diff --git a/extensions/bluebubbles/src/channel.runtime.ts b/extensions/bluebubbles/src/channel.runtime.ts
new file mode 100644
index 00000000000..32bf567dcf5
--- /dev/null
+++ b/extensions/bluebubbles/src/channel.runtime.ts
@@ -0,0 +1,6 @@
+export { sendBlueBubblesMedia } from "./media-send.js";
+export { resolveBlueBubblesMessageId } from "./monitor.js";
+export { monitorBlueBubblesProvider, resolveWebhookPathFromConfig } from "./monitor.js";
+export { type BlueBubblesProbe, probeBlueBubbles } from "./probe.js";
+export { sendMessageBlueBubbles } from "./send.js";
+export { blueBubblesSetupWizard } from "./setup-surface.js";
diff --git a/extensions/bluebubbles/src/channel.ts b/extensions/bluebubbles/src/channel.ts
index a482632ebea..2fe2fc3f3fb 100644
--- a/extensions/bluebubbles/src/channel.ts
+++ b/extensions/bluebubbles/src/channel.ts
@@ -25,13 +25,10 @@ import {
   resolveDefaultBlueBubblesAccountId,
 } from "./accounts.js";
 import { bluebubblesMessageActions } from "./actions.js";
+import type { BlueBubblesProbe } from "./channel.runtime.js";
 import { BlueBubblesConfigSchema } from "./config-schema.js";
-import { sendBlueBubblesMedia } from "./media-send.js";
-import { resolveBlueBubblesMessageId } from "./monitor.js";
-import { monitorBlueBubblesProvider, resolveWebhookPathFromConfig } from "./monitor.js";
-import { probeBlueBubbles, type BlueBubblesProbe } from "./probe.js";
-import { sendMessageBlueBubbles } from "./send.js";
-import { blueBubblesSetupAdapter, blueBubblesSetupWizard } from "./setup-surface.js";
+import { blueBubblesSetupAdapter } from "./setup-core.js";
+import { blueBubblesSetupWizard } from "./setup-surface.js";
 import {
   extractHandleFromChatGuid,
   looksLikeBlueBubblesTargetId,
@@ -40,6 +37,13 @@ import {
   parseBlueBubblesTarget,
 } from "./targets.js";
 
+let blueBubblesChannelRuntimePromise: Promise<typeof import("./channel.runtime.js")> | null = null;
+
+function loadBlueBubblesChannelRuntime() {
+  blueBubblesChannelRuntimePromise ??= import("./channel.runtime.js");
+  return blueBubblesChannelRuntimePromise;
+}
+
 const meta = {
   id: "bluebubbles",
   label: "BlueBubbles",
@@ -220,7 +224,9 @@ export const bluebubblesPlugin: ChannelPlugin<ResolvedBlueBubblesAccount> = {
     idLabel: "bluebubblesSenderId",
     normalizeAllowEntry: (entry) => normalizeBlueBubblesHandle(entry.replace(/^bluebubbles:/i, "")),
     notifyApproval: async ({ cfg, id }) => {
-      await sendMessageBlueBubbles(id, PAIRING_APPROVED_MESSAGE, {
+      await (
+        await loadBlueBubblesChannelRuntime()
+      ).sendMessageBlueBubbles(id, PAIRING_APPROVED_MESSAGE, {
         cfg: cfg,
       });
     },
@@ -239,12 +245,13 @@ export const bluebubblesPlugin: ChannelPlugin<ResolvedBlueBubblesAccount> = {
       return { ok: true, to: trimmed };
     },
     sendText: async ({ cfg, to, text, accountId, replyToId }) => {
+      const runtime = await loadBlueBubblesChannelRuntime();
       const rawReplyToId = typeof replyToId === "string" ? replyToId.trim() : "";
       // Resolve short ID (e.g., "5") to full UUID
       const replyToMessageGuid = rawReplyToId
-        ? resolveBlueBubblesMessageId(rawReplyToId, { requireKnownShortId: true })
+        ? runtime.resolveBlueBubblesMessageId(rawReplyToId, { requireKnownShortId: true })
         : "";
-      const result = await sendMessageBlueBubbles(to, text, {
+      const result = await runtime.sendMessageBlueBubbles(to, text, {
         cfg: cfg,
         accountId: accountId ?? undefined,
         replyToMessageGuid: replyToMessageGuid || undefined,
@@ -252,6 +259,7 @@ export const bluebubblesPlugin: ChannelPlugin<ResolvedBlueBubblesAccount> = {
       return { channel: "bluebubbles", ...result };
     },
     sendMedia: async (ctx) => {
+      const runtime = await loadBlueBubblesChannelRuntime();
       const { cfg, to, text, mediaUrl, accountId, replyToId } = ctx;
       const { mediaPath, mediaBuffer, contentType, filename, caption } = ctx as {
         mediaPath?: string;
@@ -261,7 +269,7 @@ export const bluebubblesPlugin: ChannelPlugin<ResolvedBlueBubblesAccount> = {
         caption?: string;
       };
       const resolvedCaption = caption ?? text;
-      const result = await sendBlueBubblesMedia({
+      const result = await runtime.sendBlueBubblesMedia({
         cfg: cfg,
         to,
         mediaUrl,
@@ -289,7 +297,7 @@ export const bluebubblesPlugin: ChannelPlugin<ResolvedBlueBubblesAccount> = {
     buildChannelSummary: ({ snapshot }) =>
       buildProbeChannelStatusSummary(snapshot, { baseUrl: snapshot.baseUrl ?? null }),
     probeAccount: async ({ account, timeoutMs }) =>
-      probeBlueBubbles({
+      (await loadBlueBubblesChannelRuntime()).probeBlueBubbles({
         baseUrl: account.baseUrl,
         password: account.config.password ?? null,
         timeoutMs,
@@ -314,8 +322,9 @@ export const bluebubblesPlugin: ChannelPlugin<ResolvedBlueBubblesAccount> = {
   },
   gateway: {
     startAccount: async (ctx) => {
+      const runtime = await loadBlueBubblesChannelRuntime();
       const account = ctx.account;
-      const webhookPath = resolveWebhookPathFromConfig(account.config);
+      const webhookPath = runtime.resolveWebhookPathFromConfig(account.config);
       const statusSink = createAccountStatusSink({
         accountId: ctx.accountId,
         setStatus: ctx.setStatus,
@@ -324,7 +333,7 @@ export const bluebubblesPlugin: ChannelPlugin<ResolvedBlueBubblesAccount> = {
         baseUrl: account.baseUrl,
       });
       ctx.log?.info(`[${account.accountId}] starting provider (webhook=${webhookPath})`);
-      return monitorBlueBubblesProvider({
+      return runtime.monitorBlueBubblesProvider({
         account,
         config: ctx.cfg,
         runtime: ctx.runtime,
diff --git a/extensions/bluebubbles/src/setup-core.ts b/extensions/bluebubbles/src/setup-core.ts
new file mode 100644
index 00000000000..83a079dbaab
--- /dev/null
+++ b/extensions/bluebubbles/src/setup-core.ts
@@ -0,0 +1,84 @@
+import {
+  applyAccountNameToChannelSection,
+  migrateBaseNameToDefaultAccount,
+  patchScopedAccountConfig,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import { setTopLevelChannelDmPolicyWithAllowFrom } from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import type { DmPolicy } from "../../../src/config/types.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { applyBlueBubblesConnectionConfig } from "./config-apply.js";
+
+const channel = "bluebubbles" as const;
+
+export function setBlueBubblesDmPolicy(cfg: OpenClawConfig, dmPolicy: DmPolicy): OpenClawConfig {
+  return setTopLevelChannelDmPolicyWithAllowFrom({
+    cfg,
+    channel,
+    dmPolicy,
+  });
+}
+
+export function setBlueBubblesAllowFrom(
+  cfg: OpenClawConfig,
+  accountId: string,
+  allowFrom: string[],
+): OpenClawConfig {
+  return patchScopedAccountConfig({
+    cfg,
+    channelKey: channel,
+    accountId,
+    patch: { allowFrom },
+    ensureChannelEnabled: false,
+    ensureAccountEnabled: false,
+  });
+}
+
+export const blueBubblesSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  validateInput: ({ input }) => {
+    if (!input.httpUrl && !input.password) {
+      return "BlueBubbles requires --http-url and --password.";
+    }
+    if (!input.httpUrl) {
+      return "BlueBubbles requires --http-url.";
+    }
+    if (!input.password) {
+      return "BlueBubbles requires --password.";
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name: input.name,
+    });
+    const next =
+      accountId !== DEFAULT_ACCOUNT_ID
+        ? migrateBaseNameToDefaultAccount({
+            cfg: namedConfig,
+            channelKey: channel,
+          })
+        : namedConfig;
+    return applyBlueBubblesConnectionConfig({
+      cfg: next,
+      accountId,
+      patch: {
+        serverUrl: input.httpUrl,
+        password: input.password,
+        webhookPath: input.webhookPath,
+      },
+      onlyDefinedFields: true,
+    });
+  },
+};
diff --git a/extensions/bluebubbles/src/setup-surface.test.ts b/extensions/bluebubbles/src/setup-surface.test.ts
index bc9c93735b7..95130666e60 100644
--- a/extensions/bluebubbles/src/setup-surface.test.ts
+++ b/extensions/bluebubbles/src/setup-surface.test.ts
@@ -1,5 +1,5 @@
 import { describe, expect, it, vi } from "vitest";
-import { buildChannelOnboardingAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
 import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
 import type { WizardPrompter } from "../../../src/wizard/prompts.js";
 import { resolveBlueBubblesAccount } from "./accounts.js";
@@ -27,8 +27,8 @@ async function createBlueBubblesConfigureAdapter() {
         }).config.allowFrom ?? [],
     },
     setup: blueBubblesSetupAdapter,
-  } as Parameters<typeof buildChannelOnboardingAdapterFromSetupWizard>[0]["plugin"];
-  return buildChannelOnboardingAdapterFromSetupWizard({
+  } as Parameters<typeof buildChannelSetupWizardAdapterFromSetupWizard>[0]["plugin"];
+  return buildChannelSetupWizardAdapterFromSetupWizard({
     plugin,
     wizard: blueBubblesSetupWizard,
   });
diff --git a/extensions/bluebubbles/src/setup-surface.ts b/extensions/bluebubbles/src/setup-surface.ts
index 0cb23998663..1a138b8e73d 100644
--- a/extensions/bluebubbles/src/setup-surface.ts
+++ b/extensions/bluebubbles/src/setup-surface.ts
@@ -1,19 +1,12 @@
-import type { ChannelOnboardingDmPolicy } from "../../../src/channels/plugins/onboarding-types.js";
 import {
   mergeAllowFromEntries,
-  resolveOnboardingAccountId,
-  setTopLevelChannelDmPolicyWithAllowFrom,
-} from "../../../src/channels/plugins/onboarding/helpers.js";
-import {
-  applyAccountNameToChannelSection,
-  migrateBaseNameToDefaultAccount,
-  patchScopedAccountConfig,
-} from "../../../src/channels/plugins/setup-helpers.js";
+  resolveSetupAccountId,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
 import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
-import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
 import type { DmPolicy } from "../../../src/config/types.js";
-import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
 import { formatDocsLink } from "../../../src/terminal/links.js";
 import type { WizardPrompter } from "../../../src/wizard/prompts.js";
 import {
@@ -24,35 +17,17 @@ import {
 import { applyBlueBubblesConnectionConfig } from "./config-apply.js";
 import { DEFAULT_WEBHOOK_PATH } from "./monitor-shared.js";
 import { hasConfiguredSecretInput, normalizeSecretInputString } from "./secret-input.js";
+import {
+  blueBubblesSetupAdapter,
+  setBlueBubblesAllowFrom,
+  setBlueBubblesDmPolicy,
+} from "./setup-core.js";
 import { parseBlueBubblesAllowTarget } from "./targets.js";
 import { normalizeBlueBubblesServerUrl } from "./types.js";
 
 const channel = "bluebubbles" as const;
 const CONFIGURE_CUSTOM_WEBHOOK_FLAG = "__bluebubblesConfigureCustomWebhookPath";
 
-function setBlueBubblesDmPolicy(cfg: OpenClawConfig, dmPolicy: DmPolicy): OpenClawConfig {
-  return setTopLevelChannelDmPolicyWithAllowFrom({
-    cfg,
-    channel,
-    dmPolicy,
-  });
-}
-
-function setBlueBubblesAllowFrom(
-  cfg: OpenClawConfig,
-  accountId: string,
-  allowFrom: string[],
-): OpenClawConfig {
-  return patchScopedAccountConfig({
-    cfg,
-    channelKey: channel,
-    accountId,
-    patch: { allowFrom },
-    ensureChannelEnabled: false,
-    ensureAccountEnabled: false,
-  });
-}
-
 function parseBlueBubblesAllowFromInput(raw: string): string[] {
   return raw
     .split(/[\n,]+/g)
@@ -80,7 +55,7 @@ async function promptBlueBubblesAllowFrom(params: {
   prompter: WizardPrompter;
   accountId?: string;
 }): Promise<OpenClawConfig> {
-  const accountId = resolveOnboardingAccountId({
+  const accountId = resolveSetupAccountId({
     accountId: params.accountId,
     defaultAccountId: resolveDefaultBlueBubblesAccountId(params.cfg),
   });
@@ -173,7 +148,7 @@ function validateBlueBubblesWebhookPath(value: string): string | undefined {
   return undefined;
 }
 
-const dmPolicy: ChannelOnboardingDmPolicy = {
+const dmPolicy: ChannelSetupDmPolicy = {
   label: "BlueBubbles",
   channel,
   policyKey: "channels.bluebubbles.dmPolicy",
@@ -183,54 +158,6 @@ const dmPolicy: ChannelOnboardingDmPolicy = {
   promptAllowFrom: promptBlueBubblesAllowFrom,
 };
 
-export const blueBubblesSetupAdapter: ChannelSetupAdapter = {
-  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-  applyAccountName: ({ cfg, accountId, name }) =>
-    applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name,
-    }),
-  validateInput: ({ input }) => {
-    if (!input.httpUrl && !input.password) {
-      return "BlueBubbles requires --http-url and --password.";
-    }
-    if (!input.httpUrl) {
-      return "BlueBubbles requires --http-url.";
-    }
-    if (!input.password) {
-      return "BlueBubbles requires --password.";
-    }
-    return null;
-  },
-  applyAccountConfig: ({ cfg, accountId, input }) => {
-    const namedConfig = applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name: input.name,
-    });
-    const next =
-      accountId !== DEFAULT_ACCOUNT_ID
-        ? migrateBaseNameToDefaultAccount({
-            cfg: namedConfig,
-            channelKey: channel,
-          })
-        : namedConfig;
-    return applyBlueBubblesConnectionConfig({
-      cfg: next,
-      accountId,
-      patch: {
-        serverUrl: input.httpUrl,
-        password: input.password,
-        webhookPath: input.webhookPath,
-      },
-      onlyDefinedFields: true,
-    });
-  },
-};
-
 export const blueBubblesSetupWizard: ChannelSetupWizard = {
   channel,
   stepOrder: "text-first",
@@ -383,3 +310,5 @@ export const blueBubblesSetupWizard: ChannelSetupWizard = {
     },
   }),
 };
+
+export { blueBubblesSetupAdapter };
diff --git a/extensions/brave/index.ts b/extensions/brave/index.ts
new file mode 100644
index 00000000000..1150dec5d80
--- /dev/null
+++ b/extensions/brave/index.ts
@@ -0,0 +1,32 @@
+import {
+  createPluginBackedWebSearchProvider,
+  getTopLevelCredentialValue,
+  setTopLevelCredentialValue,
+} from "../../src/agents/tools/web-search-plugin-factory.js";
+import { emptyPluginConfigSchema } from "../../src/plugins/config-schema.js";
+import type { OpenClawPluginApi } from "../../src/plugins/types.js";
+
+const bravePlugin = {
+  id: "brave",
+  name: "Brave Plugin",
+  description: "Bundled Brave plugin",
+  configSchema: emptyPluginConfigSchema(),
+  register(api: OpenClawPluginApi) {
+    api.registerWebSearchProvider(
+      createPluginBackedWebSearchProvider({
+        id: "brave",
+        label: "Brave Search",
+        hint: "Structured results · country/language/time filters",
+        envVars: ["BRAVE_API_KEY"],
+        placeholder: "BSA...",
+        signupUrl: "https://brave.com/search/api/",
+        docsUrl: "https://docs.openclaw.ai/brave-search",
+        autoDetectOrder: 10,
+        getCredentialValue: getTopLevelCredentialValue,
+        setCredentialValue: setTopLevelCredentialValue,
+      }),
+    );
+  },
+};
+
+export default bravePlugin;
diff --git a/extensions/openai-codex/openclaw.plugin.json b/extensions/brave/openclaw.plugin.json
similarity index 65%
rename from extensions/openai-codex/openclaw.plugin.json
rename to extensions/brave/openclaw.plugin.json
index 0dfd4106a9a..404382996d7 100644
--- a/extensions/openai-codex/openclaw.plugin.json
+++ b/extensions/brave/openclaw.plugin.json
@@ -1,6 +1,5 @@
 {
-  "id": "openai-codex",
-  "providers": ["openai-codex"],
+  "id": "brave",
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/openai-codex/package.json b/extensions/brave/package.json
similarity index 56%
rename from extensions/openai-codex/package.json
rename to extensions/brave/package.json
index 49730240ff8..6756c616e9a 100644
--- a/extensions/openai-codex/package.json
+++ b/extensions/brave/package.json
@@ -1,8 +1,8 @@
 {
-  "name": "@openclaw/openai-codex-provider",
+  "name": "@openclaw/brave-plugin",
   "version": "2026.3.14",
   "private": true,
-  "description": "OpenClaw OpenAI Codex provider plugin",
+  "description": "OpenClaw Brave plugin",
   "type": "module",
   "openclaw": {
     "extensions": [
diff --git a/extensions/byteplus/index.ts b/extensions/byteplus/index.ts
index 35050f2c789..d32263014c6 100644
--- a/extensions/byteplus/index.ts
+++ b/extensions/byteplus/index.ts
@@ -3,8 +3,11 @@ import {
   buildBytePlusCodingProvider,
   buildBytePlusProvider,
 } from "../../src/agents/models-config.providers.static.js";
+import { ensureModelAllowlistEntry } from "../../src/commands/model-allowlist.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "byteplus";
+const BYTEPLUS_DEFAULT_MODEL_REF = "byteplus-plan/ark-code-latest";
 
 const byteplusPlugin = {
   id: PROVIDER_ID,
@@ -17,7 +20,32 @@ const byteplusPlugin = {
       label: "BytePlus",
       docsPath: "/concepts/model-providers#byteplus-international",
       envVars: ["BYTEPLUS_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "BytePlus API key",
+          hint: "API key",
+          optionKey: "byteplusApiKey",
+          flagName: "--byteplus-api-key",
+          envVar: "BYTEPLUS_API_KEY",
+          promptMessage: "Enter BytePlus API key",
+          defaultModel: BYTEPLUS_DEFAULT_MODEL_REF,
+          expectedProviders: ["byteplus"],
+          applyConfig: (cfg) =>
+            ensureModelAllowlistEntry({
+              cfg,
+              modelRef: BYTEPLUS_DEFAULT_MODEL_REF,
+            }),
+          wizard: {
+            choiceId: "byteplus-api-key",
+            choiceLabel: "BytePlus API key",
+            groupId: "byteplus",
+            groupLabel: "BytePlus",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "paired",
         run: async (ctx) => {
diff --git a/extensions/byteplus/openclaw.plugin.json b/extensions/byteplus/openclaw.plugin.json
index 8885280bf32..f24abe730a3 100644
--- a/extensions/byteplus/openclaw.plugin.json
+++ b/extensions/byteplus/openclaw.plugin.json
@@ -1,6 +1,24 @@
 {
   "id": "byteplus",
   "providers": ["byteplus", "byteplus-plan"],
+  "providerAuthEnvVars": {
+    "byteplus": ["BYTEPLUS_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "byteplus",
+      "method": "api-key",
+      "choiceId": "byteplus-api-key",
+      "choiceLabel": "BytePlus API key",
+      "groupId": "byteplus",
+      "groupLabel": "BytePlus",
+      "groupHint": "API key",
+      "optionKey": "byteplusApiKey",
+      "cliFlag": "--byteplus-api-key",
+      "cliOption": "--byteplus-api-key <key>",
+      "cliDescription": "BytePlus API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/cloudflare-ai-gateway/index.ts b/extensions/cloudflare-ai-gateway/index.ts
index 173c9eaf48b..ddc0bd7405a 100644
--- a/extensions/cloudflare-ai-gateway/index.ts
+++ b/extensions/cloudflare-ai-gateway/index.ts
@@ -1,14 +1,29 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { upsertAuthProfile } from "../../src/agents/auth-profiles.js";
 import { ensureAuthProfileStore, listProfilesForProvider } from "../../src/agents/auth-profiles.js";
 import {
   buildCloudflareAiGatewayModelDefinition,
   resolveCloudflareAiGatewayBaseUrl,
 } from "../../src/agents/cloudflare-ai-gateway.js";
 import { resolveNonEnvSecretRefApiKeyMarker } from "../../src/agents/model-auth-markers.js";
+import {
+  normalizeApiKeyInput,
+  validateApiKeyInput,
+} from "../../src/commands/auth-choice.api-key.js";
+import { ensureApiKeyFromOptionEnvOrPrompt } from "../../src/commands/auth-choice.apply-helpers.js";
+import { buildApiKeyCredential } from "../../src/commands/onboard-auth.credentials.js";
+import {
+  applyCloudflareAiGatewayConfig,
+  applyAuthProfileConfig,
+  CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import type { SecretInput } from "../../src/config/types.secrets.js";
 import { coerceSecretRef } from "../../src/config/types.secrets.js";
+import { normalizeOptionalSecretInput } from "../../src/utils/normalize-secret-input.js";
 
 const PROVIDER_ID = "cloudflare-ai-gateway";
 const PROVIDER_ENV_VAR = "CLOUDFLARE_AI_GATEWAY_API_KEY";
+const PROFILE_ID = "cloudflare-ai-gateway:default";
 
 function resolveApiKeyFromCredential(
   cred: ReturnType<typeof ensureAuthProfileStore>["profiles"][string] | undefined,
@@ -26,6 +41,71 @@ function resolveApiKeyFromCredential(
   return cred.key?.trim() || undefined;
 }
 
+function resolveMetadataFromCredential(
+  cred: ReturnType<typeof ensureAuthProfileStore>["profiles"][string] | undefined,
+): { accountId?: string; gatewayId?: string } {
+  if (!cred || cred.type !== "api_key") {
+    return {};
+  }
+  return {
+    accountId: cred?.metadata?.accountId?.trim() || undefined,
+    gatewayId: cred?.metadata?.gatewayId?.trim() || undefined,
+  };
+}
+
+function buildCloudflareConfigPatch(params: { accountId: string; gatewayId: string }) {
+  const baseUrl = resolveCloudflareAiGatewayBaseUrl(params);
+  return {
+    models: {
+      providers: {
+        [PROVIDER_ID]: {
+          baseUrl,
+          api: "anthropic-messages" as const,
+          models: [buildCloudflareAiGatewayModelDefinition()],
+        },
+      },
+    },
+    agents: {
+      defaults: {
+        models: {
+          [CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF]: {
+            alias: "Cloudflare AI Gateway",
+          },
+        },
+      },
+    },
+  };
+}
+
+async function resolveCloudflareGatewayMetadataInteractive(ctx: {
+  accountId?: string;
+  gatewayId?: string;
+  prompter: {
+    text: (params: {
+      message: string;
+      validate?: (value: unknown) => string | undefined;
+    }) => Promise<unknown>;
+  };
+}) {
+  let accountId = ctx.accountId?.trim() ?? "";
+  let gatewayId = ctx.gatewayId?.trim() ?? "";
+  if (!accountId) {
+    const value = await ctx.prompter.text({
+      message: "Enter Cloudflare Account ID",
+      validate: (val) => (String(val ?? "").trim() ? undefined : "Account ID is required"),
+    });
+    accountId = String(value ?? "").trim();
+  }
+  if (!gatewayId) {
+    const value = await ctx.prompter.text({
+      message: "Enter Cloudflare AI Gateway ID",
+      validate: (val) => (String(val ?? "").trim() ? undefined : "Gateway ID is required"),
+    });
+    gatewayId = String(value ?? "").trim();
+  }
+  return { accountId, gatewayId };
+}
+
 const cloudflareAiGatewayPlugin = {
   id: PROVIDER_ID,
   name: "Cloudflare AI Gateway Provider",
@@ -37,7 +117,124 @@ const cloudflareAiGatewayPlugin = {
       label: "Cloudflare AI Gateway",
       docsPath: "/providers/cloudflare-ai-gateway",
       envVars: ["CLOUDFLARE_AI_GATEWAY_API_KEY"],
-      auth: [],
+      auth: [
+        {
+          id: "api-key",
+          label: "Cloudflare AI Gateway",
+          hint: "Account ID + Gateway ID + API key",
+          kind: "api_key",
+          wizard: {
+            choiceId: "cloudflare-ai-gateway-api-key",
+            choiceLabel: "Cloudflare AI Gateway",
+            choiceHint: "Account ID + Gateway ID + API key",
+            groupId: "cloudflare-ai-gateway",
+            groupLabel: "Cloudflare AI Gateway",
+            groupHint: "Account ID + Gateway ID + API key",
+          },
+          run: async (ctx) => {
+            const metadata = await resolveCloudflareGatewayMetadataInteractive({
+              accountId: normalizeOptionalSecretInput(ctx.opts?.cloudflareAiGatewayAccountId),
+              gatewayId: normalizeOptionalSecretInput(ctx.opts?.cloudflareAiGatewayGatewayId),
+              prompter: ctx.prompter,
+            });
+            let capturedSecretInput: SecretInput | undefined;
+            let capturedCredential = false;
+            let capturedMode: "plaintext" | "ref" | undefined;
+            await ensureApiKeyFromOptionEnvOrPrompt({
+              token: normalizeOptionalSecretInput(ctx.opts?.cloudflareAiGatewayApiKey),
+              tokenProvider: "cloudflare-ai-gateway",
+              secretInputMode:
+                ctx.allowSecretRefPrompt === false
+                  ? (ctx.secretInputMode ?? "plaintext")
+                  : ctx.secretInputMode,
+              config: ctx.config,
+              expectedProviders: [PROVIDER_ID],
+              provider: PROVIDER_ID,
+              envLabel: PROVIDER_ENV_VAR,
+              promptMessage: "Enter Cloudflare AI Gateway API key",
+              normalize: normalizeApiKeyInput,
+              validate: validateApiKeyInput,
+              prompter: ctx.prompter,
+              setCredential: async (apiKey, mode) => {
+                capturedSecretInput = apiKey;
+                capturedCredential = true;
+                capturedMode = mode;
+              },
+            });
+            if (!capturedCredential) {
+              throw new Error("Missing Cloudflare AI Gateway API key.");
+            }
+            const credentialInput = capturedSecretInput ?? "";
+            return {
+              profiles: [
+                {
+                  profileId: PROFILE_ID,
+                  credential: buildApiKeyCredential(
+                    PROVIDER_ID,
+                    credentialInput,
+                    {
+                      accountId: metadata.accountId,
+                      gatewayId: metadata.gatewayId,
+                    },
+                    capturedMode ? { secretInputMode: capturedMode } : undefined,
+                  ),
+                },
+              ],
+              configPatch: buildCloudflareConfigPatch(metadata),
+              defaultModel: CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF,
+            };
+          },
+          runNonInteractive: async (ctx) => {
+            const authStore = ensureAuthProfileStore(ctx.agentDir, {
+              allowKeychainPrompt: false,
+            });
+            const storedMetadata = resolveMetadataFromCredential(authStore.profiles[PROFILE_ID]);
+            const accountId =
+              normalizeOptionalSecretInput(ctx.opts.cloudflareAiGatewayAccountId) ??
+              storedMetadata.accountId;
+            const gatewayId =
+              normalizeOptionalSecretInput(ctx.opts.cloudflareAiGatewayGatewayId) ??
+              storedMetadata.gatewayId;
+            if (!accountId || !gatewayId) {
+              ctx.runtime.error(
+                "Cloudflare AI Gateway setup requires --cloudflare-ai-gateway-account-id and --cloudflare-ai-gateway-gateway-id.",
+              );
+              ctx.runtime.exit(1);
+              return null;
+            }
+            const resolved = await ctx.resolveApiKey({
+              provider: PROVIDER_ID,
+              flagValue: normalizeOptionalSecretInput(ctx.opts.cloudflareAiGatewayApiKey),
+              flagName: "--cloudflare-ai-gateway-api-key",
+              envVar: PROVIDER_ENV_VAR,
+            });
+            if (!resolved) {
+              return null;
+            }
+            if (resolved.source !== "profile") {
+              const credential = ctx.toApiKeyCredential({
+                provider: PROVIDER_ID,
+                resolved,
+                metadata: { accountId, gatewayId },
+              });
+              if (!credential) {
+                return null;
+              }
+              upsertAuthProfile({
+                profileId: PROFILE_ID,
+                credential,
+                agentDir: ctx.agentDir,
+              });
+            }
+            const next = applyAuthProfileConfig(ctx.config, {
+              profileId: PROFILE_ID,
+              provider: PROVIDER_ID,
+              mode: "api_key",
+            });
+            return applyCloudflareAiGatewayConfig(next, { accountId, gatewayId });
+          },
+        },
+      ],
       catalog: {
         order: "late",
         run: async (ctx) => {
diff --git a/extensions/cloudflare-ai-gateway/openclaw.plugin.json b/extensions/cloudflare-ai-gateway/openclaw.plugin.json
index fc7a41f77bb..daa9d363b54 100644
--- a/extensions/cloudflare-ai-gateway/openclaw.plugin.json
+++ b/extensions/cloudflare-ai-gateway/openclaw.plugin.json
@@ -1,6 +1,25 @@
 {
   "id": "cloudflare-ai-gateway",
   "providers": ["cloudflare-ai-gateway"],
+  "providerAuthEnvVars": {
+    "cloudflare-ai-gateway": ["CLOUDFLARE_AI_GATEWAY_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "cloudflare-ai-gateway",
+      "method": "api-key",
+      "choiceId": "cloudflare-ai-gateway-api-key",
+      "choiceLabel": "Cloudflare AI Gateway",
+      "choiceHint": "Account ID + Gateway ID + API key",
+      "groupId": "cloudflare-ai-gateway",
+      "groupLabel": "Cloudflare AI Gateway",
+      "groupHint": "Account ID + Gateway ID + API key",
+      "optionKey": "cloudflareAiGatewayApiKey",
+      "cliFlag": "--cloudflare-ai-gateway-api-key",
+      "cliOption": "--cloudflare-ai-gateway-api-key <key>",
+      "cliDescription": "Cloudflare AI Gateway API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/copilot-proxy/index.ts b/extensions/copilot-proxy/index.ts
index 6fad48228cd..2c517d9c26c 100644
--- a/extensions/copilot-proxy/index.ts
+++ b/extensions/copilot-proxy/index.ts
@@ -147,6 +147,14 @@ const copilotProxyPlugin = {
           },
         },
       ],
+      wizard: {
+        setup: {
+          choiceId: "copilot-proxy",
+          choiceLabel: "Copilot Proxy",
+          choiceHint: "Configure base URL + model ids",
+          methodId: "local",
+        },
+      },
     });
   },
 };
diff --git a/extensions/copilot-proxy/openclaw.plugin.json b/extensions/copilot-proxy/openclaw.plugin.json
index 90e2011f014..88b5ee0e7b3 100644
--- a/extensions/copilot-proxy/openclaw.plugin.json
+++ b/extensions/copilot-proxy/openclaw.plugin.json
@@ -1,6 +1,18 @@
 {
   "id": "copilot-proxy",
   "providers": ["copilot-proxy"],
+  "providerAuthChoices": [
+    {
+      "provider": "copilot-proxy",
+      "method": "local",
+      "choiceId": "copilot-proxy",
+      "choiceLabel": "Copilot Proxy",
+      "choiceHint": "Configure base URL + model ids",
+      "groupId": "copilot",
+      "groupLabel": "Copilot",
+      "groupHint": "GitHub + local proxy"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/discord/index.ts b/extensions/discord/index.ts
index ad441b09bc1..13b32f08bb1 100644
--- a/extensions/discord/index.ts
+++ b/extensions/discord/index.ts
@@ -1,5 +1,5 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/discord";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/discord";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/core";
 import { discordPlugin } from "./src/channel.js";
 import { setDiscordRuntime } from "./src/runtime.js";
 import { registerDiscordSubagentHooks } from "./src/subagent-hooks.js";
@@ -12,6 +12,9 @@ const plugin = {
   register(api: OpenClawPluginApi) {
     setDiscordRuntime(api.runtime);
     api.registerChannel({ plugin: discordPlugin });
+    if (api.registrationMode !== "full") {
+      return;
+    }
     registerDiscordSubagentHooks(api);
   },
 };
diff --git a/extensions/discord/package.json b/extensions/discord/package.json
index a85eb37b85f..43e00315f28 100644
--- a/extensions/discord/package.json
+++ b/extensions/discord/package.json
@@ -6,6 +6,7 @@
   "openclaw": {
     "extensions": [
       "./index.ts"
-    ]
+    ],
+    "setupEntry": "./setup-entry.ts"
   }
 }
diff --git a/extensions/discord/setup-entry.ts b/extensions/discord/setup-entry.ts
new file mode 100644
index 00000000000..329a9376c9f
--- /dev/null
+++ b/extensions/discord/setup-entry.ts
@@ -0,0 +1,3 @@
+import { discordSetupPlugin } from "./src/channel.setup.js";
+
+export default { plugin: discordSetupPlugin };
diff --git a/extensions/discord/src/actions/handle-action.ts b/extensions/discord/src/actions/handle-action.ts
index b0842ce25b2..4beb7d76de4 100644
--- a/extensions/discord/src/actions/handle-action.ts
+++ b/extensions/discord/src/actions/handle-action.ts
@@ -8,7 +8,9 @@ import { readDiscordParentIdParam } from "../../../../src/agents/tools/discord-a
 import { handleDiscordAction } from "../../../../src/agents/tools/discord-actions.js";
 import { resolveReactionMessageId } from "../../../../src/channels/plugins/actions/reaction-message-id.js";
 import type { ChannelMessageActionContext } from "../../../../src/channels/plugins/types.js";
+import { normalizeInteractiveReply } from "../../../../src/interactive/payload.js";
 import { readBooleanParam } from "../../../../src/plugin-sdk/boolean-param.js";
+import { buildDiscordInteractiveComponents } from "../shared-interactive.js";
 import { resolveDiscordChannelId } from "../targets.js";
 import { tryHandleDiscordMessageActionGuildAdmin } from "./handle-action.guild-admin.js";
 
@@ -40,7 +42,9 @@ export async function handleDiscordMessageAction(
   if (action === "send") {
     const to = readStringParam(params, "to", { required: true });
     const asVoice = readBooleanParam(params, "asVoice") === true;
-    const rawComponents = params.components;
+    const rawComponents =
+      params.components ??
+      buildDiscordInteractiveComponents(normalizeInteractiveReply(params.interactive));
     const hasComponents =
       Boolean(rawComponents) &&
       (typeof rawComponents === "function" || typeof rawComponents === "object");
diff --git a/extensions/discord/src/channel-actions.ts b/extensions/discord/src/channel-actions.ts
index bf35b788e3e..049eb4a320c 100644
--- a/extensions/discord/src/channel-actions.ts
+++ b/extensions/discord/src/channel-actions.ts
@@ -106,6 +106,10 @@ export const discordMessageActions: ChannelMessageActionAdapter = {
     }
     return Array.from(actions);
   },
+  getCapabilities: ({ cfg }) =>
+    listTokenSourcedAccounts(listEnabledDiscordAccounts(cfg)).length > 0
+      ? (["interactive", "components"] as const)
+      : [],
   extractToolSend: ({ args }) => {
     const action = typeof args.action === "string" ? args.action.trim() : "";
     if (action === "sendMessage") {
diff --git a/extensions/discord/src/channel.runtime.ts b/extensions/discord/src/channel.runtime.ts
new file mode 100644
index 00000000000..bc22b64706a
--- /dev/null
+++ b/extensions/discord/src/channel.runtime.ts
@@ -0,0 +1 @@
+export { discordSetupWizard } from "./setup-surface.js";
diff --git a/extensions/discord/src/channel.setup.ts b/extensions/discord/src/channel.setup.ts
new file mode 100644
index 00000000000..ee157e3c9bb
--- /dev/null
+++ b/extensions/discord/src/channel.setup.ts
@@ -0,0 +1,77 @@
+import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
+import {
+  createScopedAccountConfigAccessors,
+  formatAllowFromLowercase,
+} from "openclaw/plugin-sdk/compat";
+import {
+  buildChannelConfigSchema,
+  DiscordConfigSchema,
+  getChatChannelMeta,
+  type ChannelPlugin,
+} from "openclaw/plugin-sdk/discord";
+import { inspectDiscordAccount } from "./account-inspect.js";
+import {
+  listDiscordAccountIds,
+  resolveDefaultDiscordAccountId,
+  resolveDiscordAccount,
+  type ResolvedDiscordAccount,
+} from "./accounts.js";
+import { createDiscordSetupWizardProxy, discordSetupAdapter } from "./setup-core.js";
+
+async function loadDiscordChannelRuntime() {
+  return await import("./channel.runtime.js");
+}
+
+const discordConfigAccessors = createScopedAccountConfigAccessors({
+  resolveAccount: ({ cfg, accountId }) => resolveDiscordAccount({ cfg, accountId }),
+  resolveAllowFrom: (account: ResolvedDiscordAccount) => account.config.dm?.allowFrom,
+  formatAllowFrom: (allowFrom) => formatAllowFromLowercase({ allowFrom }),
+  resolveDefaultTo: (account: ResolvedDiscordAccount) => account.config.defaultTo,
+});
+
+const discordConfigBase = createScopedChannelConfigBase({
+  sectionKey: "discord",
+  listAccountIds: listDiscordAccountIds,
+  resolveAccount: (cfg, accountId) => resolveDiscordAccount({ cfg, accountId }),
+  inspectAccount: (cfg, accountId) => inspectDiscordAccount({ cfg, accountId }),
+  defaultAccountId: resolveDefaultDiscordAccountId,
+  clearBaseFields: ["token", "name"],
+});
+
+const discordSetupWizard = createDiscordSetupWizardProxy(async () => ({
+  discordSetupWizard: (await loadDiscordChannelRuntime()).discordSetupWizard,
+}));
+
+export const discordSetupPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
+  id: "discord",
+  meta: {
+    ...getChatChannelMeta("discord"),
+  },
+  setupWizard: discordSetupWizard,
+  capabilities: {
+    chatTypes: ["direct", "channel", "thread"],
+    polls: true,
+    reactions: true,
+    threads: true,
+    media: true,
+    nativeCommands: true,
+  },
+  streaming: {
+    blockStreamingCoalesceDefaults: { minChars: 1500, idleMs: 1000 },
+  },
+  reload: { configPrefixes: ["channels.discord"] },
+  configSchema: buildChannelConfigSchema(DiscordConfigSchema),
+  config: {
+    ...discordConfigBase,
+    isConfigured: (account) => Boolean(account.token?.trim()),
+    describeAccount: (account) => ({
+      accountId: account.accountId,
+      name: account.name,
+      enabled: account.enabled,
+      configured: Boolean(account.token?.trim()),
+      tokenSource: account.tokenSource,
+    }),
+    ...discordConfigAccessors,
+  },
+  setup: discordSetupAdapter,
+};
diff --git a/extensions/discord/src/channel.ts b/extensions/discord/src/channel.ts
index 0123553fcb7..966a5a1cbcd 100644
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -1,51 +1,95 @@
+import { Separator, TextDisplay } from "@buape/carbon";
 import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
 import {
+  buildAccountScopedAllowlistConfigEditor,
   buildAccountScopedDmSecurityPolicy,
   collectOpenProviderGroupPolicyWarnings,
   collectOpenGroupPolicyConfiguredRouteWarnings,
   createScopedAccountConfigAccessors,
   formatAllowFromLowercase,
 } from "openclaw/plugin-sdk/compat";
+import {
+  buildAgentSessionKey,
+  resolveThreadSessionKeys,
+  type RoutePeer,
+} from "openclaw/plugin-sdk/core";
 import {
   buildComputedAccountStatusSnapshot,
   buildChannelConfigSchema,
   buildTokenChannelStatusSummary,
-  collectDiscordAuditChannelIds,
-  collectDiscordStatusIssues,
   DEFAULT_ACCOUNT_ID,
   DiscordConfigSchema,
   getChatChannelMeta,
-  inspectDiscordAccount,
-  listDiscordAccountIds,
   listDiscordDirectoryGroupsFromConfig,
   listDiscordDirectoryPeersFromConfig,
-  looksLikeDiscordTargetId,
-  normalizeDiscordMessagingTarget,
-  normalizeDiscordOutboundTarget,
   PAIRING_APPROVED_MESSAGE,
   projectCredentialSnapshotFields,
   resolveConfiguredFromCredentialStatuses,
-  resolveDiscordAccount,
-  resolveDefaultDiscordAccountId,
   resolveDiscordGroupRequireMention,
   resolveDiscordGroupToolPolicy,
   type ChannelMessageActionAdapter,
   type ChannelPlugin,
-  type ResolvedDiscordAccount,
+  type OpenClawConfig,
 } from "openclaw/plugin-sdk/discord";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
+import { normalizeMessageChannel } from "../../../src/utils/message-channel.js";
+import { inspectDiscordAccount } from "./account-inspect.js";
+import {
+  listDiscordAccountIds,
+  resolveDiscordAccount,
+  resolveDefaultDiscordAccountId,
+  type ResolvedDiscordAccount,
+} from "./accounts.js";
+import { collectDiscordAuditChannelIds } from "./audit.js";
+import {
+  isDiscordExecApprovalClientEnabled,
+  shouldSuppressLocalDiscordExecApprovalPrompt,
+} from "./exec-approvals.js";
+import {
+  looksLikeDiscordTargetId,
+  normalizeDiscordMessagingTarget,
+  normalizeDiscordOutboundTarget,
+} from "./normalize.js";
+import type { DiscordProbe } from "./probe.js";
+import { resolveDiscordUserAllowlist } from "./resolve-users.js";
 import { getDiscordRuntime } from "./runtime.js";
-import { discordSetupAdapter, discordSetupWizard } from "./setup-surface.js";
+import { fetchChannelPermissionsDiscord } from "./send.js";
+import { createDiscordSetupWizardProxy, discordSetupAdapter } from "./setup-core.js";
+import { collectDiscordStatusIssues } from "./status-issues.js";
+import { parseDiscordTarget } from "./targets.js";
+import { DiscordUiContainer } from "./ui.js";
 
 type DiscordSendFn = ReturnType<
   typeof getDiscordRuntime
 >["channel"]["discord"]["sendMessageDiscord"];
 
 const meta = getChatChannelMeta("discord");
+const REQUIRED_DISCORD_PERMISSIONS = ["ViewChannel", "SendMessages"] as const;
+
+async function loadDiscordChannelRuntime() {
+  return await import("./channel.runtime.js");
+}
+
+function formatDiscordIntents(intents?: {
+  messageContent?: string;
+  guildMembers?: string;
+  presence?: string;
+}) {
+  if (!intents) {
+    return "unknown";
+  }
+  return [
+    `messageContent=${intents.messageContent ?? "unknown"}`,
+    `guildMembers=${intents.guildMembers ?? "unknown"}`,
+    `presence=${intents.presence ?? "unknown"}`,
+  ].join(" ");
+}
 
 const discordMessageActions: ChannelMessageActionAdapter = {
   listActions: (ctx) =>
     getDiscordRuntime().channel.discord.messageActions?.listActions?.(ctx) ?? [],
+  getCapabilities: (ctx) =>
+    getDiscordRuntime().channel.discord.messageActions?.getCapabilities?.(ctx) ?? [],
   extractToolSend: (ctx) =>
     getDiscordRuntime().channel.discord.messageActions?.extractToolSend?.(ctx) ?? null,
   handleAction: async (ctx) => {
@@ -55,8 +99,211 @@ const discordMessageActions: ChannelMessageActionAdapter = {
     }
     return ma.handleAction(ctx);
   },
+  requiresTrustedRequesterSender: ({ action, toolContext }) =>
+    Boolean(toolContext && (action === "timeout" || action === "kick" || action === "ban")),
 };
 
+function buildDiscordCrossContextComponents(params: {
+  originLabel: string;
+  message: string;
+  cfg: OpenClawConfig;
+  accountId?: string | null;
+}) {
+  const trimmed = params.message.trim();
+  const components: Array<TextDisplay | Separator> = [];
+  if (trimmed) {
+    components.push(new TextDisplay(params.message));
+    components.push(new Separator({ divider: true, spacing: "small" }));
+  }
+  components.push(new TextDisplay(`*From ${params.originLabel}*`));
+  return [new DiscordUiContainer({ cfg: params.cfg, accountId: params.accountId, components })];
+}
+
+function hasDiscordExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
+  return listDiscordAccountIds(cfg).some((accountId) => {
+    const execApprovals = resolveDiscordAccount({ cfg, accountId }).config.execApprovals;
+    if (!execApprovals?.enabled || (execApprovals.approvers?.length ?? 0) === 0) {
+      return false;
+    }
+    const target = execApprovals.target ?? "dm";
+    return target === "dm" || target === "both";
+  });
+}
+
+function readDiscordAllowlistConfig(account: ResolvedDiscordAccount) {
+  const groupOverrides: Array<{ label: string; entries: string[] }> = [];
+  for (const [guildKey, guildCfg] of Object.entries(account.config.guilds ?? {})) {
+    const entries = (guildCfg?.users ?? []).map(String).filter(Boolean);
+    if (entries.length > 0) {
+      groupOverrides.push({ label: `guild ${guildKey}`, entries });
+    }
+    for (const [channelKey, channelCfg] of Object.entries(guildCfg?.channels ?? {})) {
+      const channelEntries = (channelCfg?.users ?? []).map(String).filter(Boolean);
+      if (channelEntries.length > 0) {
+        groupOverrides.push({
+          label: `guild ${guildKey} / channel ${channelKey}`,
+          entries: channelEntries,
+        });
+      }
+    }
+  }
+  return {
+    dmAllowFrom: (account.config.allowFrom ?? account.config.dm?.allowFrom ?? []).map(String),
+    groupPolicy: account.config.groupPolicy,
+    groupOverrides,
+  };
+}
+
+async function resolveDiscordAllowlistNames(params: {
+  cfg: Parameters<typeof resolveDiscordAccount>[0]["cfg"];
+  accountId?: string | null;
+  entries: string[];
+}) {
+  const account = resolveDiscordAccount({ cfg: params.cfg, accountId: params.accountId });
+  const token = account.token?.trim();
+  if (!token) {
+    return [];
+  }
+  return await resolveDiscordUserAllowlist({ token, entries: params.entries });
+}
+
+function normalizeDiscordAcpConversationId(conversationId: string) {
+  const normalized = conversationId.trim();
+  return normalized ? { conversationId: normalized } : null;
+}
+
+function matchDiscordAcpConversation(params: {
+  bindingConversationId: string;
+  conversationId: string;
+  parentConversationId?: string;
+}) {
+  if (params.bindingConversationId === params.conversationId) {
+    return { conversationId: params.conversationId, matchPriority: 2 };
+  }
+  if (
+    params.parentConversationId &&
+    params.parentConversationId !== params.conversationId &&
+    params.bindingConversationId === params.parentConversationId
+  ) {
+    return {
+      conversationId: params.parentConversationId,
+      matchPriority: 1,
+    };
+  }
+  return null;
+}
+
+function parseDiscordExplicitTarget(raw: string) {
+  try {
+    const target = parseDiscordTarget(raw, { defaultKind: "channel" });
+    if (!target) {
+      return null;
+    }
+    return {
+      to: target.id,
+      chatType: target.kind === "user" ? ("direct" as const) : ("channel" as const),
+    };
+  } catch {
+    return null;
+  }
+}
+
+function normalizeOutboundThreadId(value?: string | number | null): string | undefined {
+  if (value == null) {
+    return undefined;
+  }
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      return undefined;
+    }
+    return String(Math.trunc(value));
+  }
+  const trimmed = value.trim();
+  return trimmed ? trimmed : undefined;
+}
+
+function buildDiscordBaseSessionKey(params: {
+  cfg: OpenClawConfig;
+  agentId: string;
+  accountId?: string | null;
+  peer: RoutePeer;
+}) {
+  return buildAgentSessionKey({
+    agentId: params.agentId,
+    channel: "discord",
+    accountId: params.accountId,
+    peer: params.peer,
+    dmScope: params.cfg.session?.dmScope ?? "main",
+    identityLinks: params.cfg.session?.identityLinks,
+  });
+}
+
+function resolveDiscordOutboundTargetKindHint(params: {
+  target: string;
+  resolvedTarget?: { kind: string };
+}): "user" | "channel" | undefined {
+  const resolvedKind = params.resolvedTarget?.kind;
+  if (resolvedKind === "user") {
+    return "user";
+  }
+  if (resolvedKind === "group" || resolvedKind === "channel") {
+    return "channel";
+  }
+
+  const target = params.target.trim();
+  if (/^channel:/i.test(target)) {
+    return "channel";
+  }
+  if (/^(user:|discord:|@|<@!?)/i.test(target)) {
+    return "user";
+  }
+  return undefined;
+}
+
+function resolveDiscordOutboundSessionRoute(params: {
+  cfg: OpenClawConfig;
+  agentId: string;
+  accountId?: string | null;
+  target: string;
+  resolvedTarget?: { kind: string };
+  replyToId?: string | null;
+  threadId?: string | number | null;
+}) {
+  const parsed = parseDiscordTarget(params.target, {
+    defaultKind: resolveDiscordOutboundTargetKindHint(params),
+  });
+  if (!parsed) {
+    return null;
+  }
+  const isDm = parsed.kind === "user";
+  const peer: RoutePeer = {
+    kind: isDm ? "direct" : "channel",
+    id: parsed.id,
+  };
+  const baseSessionKey = buildDiscordBaseSessionKey({
+    cfg: params.cfg,
+    agentId: params.agentId,
+    accountId: params.accountId,
+    peer,
+  });
+  const explicitThreadId = normalizeOutboundThreadId(params.threadId);
+  const threadCandidate = explicitThreadId ?? normalizeOutboundThreadId(params.replyToId);
+  const threadKeys = resolveThreadSessionKeys({
+    baseSessionKey,
+    threadId: threadCandidate,
+    useSuffix: false,
+  });
+  return {
+    sessionKey: threadKeys.sessionKey,
+    baseSessionKey,
+    peer,
+    chatType: isDm ? ("direct" as const) : ("channel" as const),
+    from: isDm ? `discord:${parsed.id}` : `discord:channel:${parsed.id}`,
+    to: isDm ? `user:${parsed.id}` : `channel:${parsed.id}`,
+    threadId: explicitThreadId ?? undefined,
+  };
+}
+
 const discordConfigAccessors = createScopedAccountConfigAccessors({
   resolveAccount: ({ cfg, accountId }) => resolveDiscordAccount({ cfg, accountId }),
   resolveAllowFrom: (account: ResolvedDiscordAccount) => account.config.dm?.allowFrom,
@@ -73,6 +320,10 @@ const discordConfigBase = createScopedChannelConfigBase({
   clearBaseFields: ["token", "name"],
 });
 
+const discordSetupWizard = createDiscordSetupWizardProxy(async () => ({
+  discordSetupWizard: (await loadDiscordChannelRuntime()).discordSetupWizard,
+}));
+
 export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
   id: "discord",
   meta: {
@@ -114,6 +365,26 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
     }),
     ...discordConfigAccessors,
   },
+  allowlist: {
+    supportsScope: ({ scope }) => scope === "dm",
+    readConfig: ({ cfg, accountId }) =>
+      readDiscordAllowlistConfig(resolveDiscordAccount({ cfg, accountId })),
+    resolveNames: async ({ cfg, accountId, entries }) =>
+      await resolveDiscordAllowlistNames({ cfg, accountId, entries }),
+    applyConfigEdit: buildAccountScopedAllowlistConfigEditor({
+      channelId: "discord",
+      normalize: ({ cfg, accountId, values }) =>
+        discordConfigAccessors.formatAllowFrom!({ cfg, accountId, allowFrom: values }),
+      resolvePaths: (scope) =>
+        scope === "dm"
+          ? {
+              readPaths: [["allowFrom"], ["dm", "allowFrom"]],
+              writePath: ["allowFrom"],
+              cleanupPaths: [["dm", "allowFrom"]],
+            }
+          : null,
+    }),
+  },
   security: {
     resolveDmPolicy: ({ cfg, accountId, account }) => {
       return buildAccountScopedDmSecurityPolicy({
@@ -175,11 +446,31 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
   },
   messaging: {
     normalizeTarget: normalizeDiscordMessagingTarget,
+    parseExplicitTarget: ({ raw }) => parseDiscordExplicitTarget(raw),
+    inferTargetChatType: ({ to }) => parseDiscordExplicitTarget(to)?.chatType,
+    buildCrossContextComponents: buildDiscordCrossContextComponents,
+    resolveOutboundSessionRoute: (params) => resolveDiscordOutboundSessionRoute(params),
     targetResolver: {
       looksLikeId: looksLikeDiscordTargetId,
       hint: "<channelId|user:ID|channel:ID>",
     },
   },
+  execApprovals: {
+    getInitiatingSurfaceState: ({ cfg, accountId }) =>
+      isDiscordExecApprovalClientEnabled({ cfg, accountId })
+        ? { kind: "enabled" }
+        : { kind: "disabled" },
+    shouldSuppressLocalPrompt: ({ cfg, accountId, payload }) =>
+      shouldSuppressLocalDiscordExecApprovalPrompt({
+        cfg,
+        accountId,
+        payload,
+      }),
+    hasConfiguredDmRoute: ({ cfg }) => hasDiscordExecApprovalDmRoute(cfg),
+    shouldSuppressForwardingFallback: ({ cfg, target }) =>
+      (normalizeMessageChannel(target.channel) ?? target.channel) === "discord" &&
+      isDiscordExecApprovalClientEnabled({ cfg, accountId: target.accountId }),
+  },
   directory: {
     self: async () => null,
     listPeers: async (params) => listDiscordDirectoryPeersFromConfig(params),
@@ -282,6 +573,12 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
         silent: silent ?? undefined,
       }),
   },
+  acpBindings: {
+    normalizeConfiguredBindingTarget: ({ conversationId }) =>
+      normalizeDiscordAcpConversationId(conversationId),
+    matchConfiguredBinding: ({ bindingConversationId, conversationId, parentConversationId }) =>
+      matchDiscordAcpConversation({ bindingConversationId, conversationId, parentConversationId }),
+  },
   status: {
     defaultRuntime: {
       accountId: DEFAULT_ACCOUNT_ID,
@@ -302,6 +599,91 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
       getDiscordRuntime().channel.discord.probeDiscord(account.token, timeoutMs, {
         includeApplication: true,
       }),
+    formatCapabilitiesProbe: ({ probe }) => {
+      const discordProbe = probe as DiscordProbe | undefined;
+      const lines = [];
+      if (discordProbe?.bot?.username) {
+        const botId = discordProbe.bot.id ? ` (${discordProbe.bot.id})` : "";
+        lines.push({ text: `Bot: @${discordProbe.bot.username}${botId}` });
+      }
+      if (discordProbe?.application?.intents) {
+        lines.push({ text: `Intents: ${formatDiscordIntents(discordProbe.application.intents)}` });
+      }
+      return lines;
+    },
+    buildCapabilitiesDiagnostics: async ({ account, timeoutMs, target }) => {
+      if (!target?.trim()) {
+        return undefined;
+      }
+      const parsedTarget = parseDiscordTarget(target.trim(), { defaultKind: "channel" });
+      const details: Record<string, unknown> = {
+        target: {
+          raw: target,
+          normalized: parsedTarget?.normalized,
+          kind: parsedTarget?.kind,
+          channelId: parsedTarget?.kind === "channel" ? parsedTarget.id : undefined,
+        },
+      };
+      if (!parsedTarget || parsedTarget.kind !== "channel") {
+        return {
+          details,
+          lines: [
+            {
+              text: "Permissions: Target looks like a DM user; pass channel:<id> to audit channel permissions.",
+              tone: "error",
+            },
+          ],
+        };
+      }
+      const token = account.token?.trim();
+      if (!token) {
+        return {
+          details,
+          lines: [
+            {
+              text: "Permissions: Discord bot token missing for permission audit.",
+              tone: "error",
+            },
+          ],
+        };
+      }
+      try {
+        const perms = await fetchChannelPermissionsDiscord(parsedTarget.id, {
+          token,
+          accountId: account.accountId ?? undefined,
+        });
+        const missingRequired = REQUIRED_DISCORD_PERMISSIONS.filter(
+          (permission) => !perms.permissions.includes(permission),
+        );
+        details.permissions = {
+          channelId: perms.channelId,
+          guildId: perms.guildId,
+          isDm: perms.isDm,
+          channelType: perms.channelType,
+          permissions: perms.permissions,
+          missingRequired,
+          raw: perms.raw,
+        };
+        return {
+          details,
+          lines: [
+            {
+              text: `Permissions (${perms.channelId}): ${perms.permissions.length ? perms.permissions.join(", ") : "none"}`,
+            },
+            missingRequired.length > 0
+              ? { text: `Missing required: ${missingRequired.join(", ")}`, tone: "warn" }
+              : { text: "Missing required: none", tone: "success" },
+          ],
+        };
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        details.permissions = { channelId: parsedTarget.id, error: message };
+        return {
+          details,
+          lines: [{ text: `Permissions: ${message}`, tone: "error" }],
+        };
+      }
+    },
     auditAccount: async ({ account, timeoutMs, cfg }) => {
       const { channelIds, unresolvedChannels } = collectDiscordAuditChannelIds({
         cfg,
diff --git a/extensions/discord/src/components.ts b/extensions/discord/src/components.ts
index 272da58170a..27d29c0dbd7 100644
--- a/extensions/discord/src/components.ts
+++ b/extensions/discord/src/components.ts
@@ -211,6 +211,7 @@ export type DiscordComponentBuildResult = {
   entries: DiscordComponentEntry[];
   modals: DiscordModalEntry[];
 };
+export { buildDiscordInteractiveComponents } from "./shared-interactive.js";
 
 const BLOCK_ALIASES = new Map<string, DiscordComponentBlock["type"]>([
   ["row", "actions"],
diff --git a/extensions/discord/src/draft-chunking.ts b/extensions/discord/src/draft-chunking.ts
index ce4048379d1..1d56841577a 100644
--- a/extensions/discord/src/draft-chunking.ts
+++ b/extensions/discord/src/draft-chunking.ts
@@ -1,8 +1,8 @@
 import { resolveTextChunkLimit } from "../../../src/auto-reply/chunk.js";
-import { getChannelDock } from "../../../src/channels/dock.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
 import { resolveAccountEntry } from "../../../src/routing/account-lookup.js";
 import { normalizeAccountId } from "../../../src/routing/session-key.js";
+import { DISCORD_TEXT_CHUNK_LIMIT } from "./outbound-adapter.js";
 
 const DEFAULT_DISCORD_DRAFT_STREAM_MIN = 200;
 const DEFAULT_DISCORD_DRAFT_STREAM_MAX = 800;
@@ -15,9 +15,8 @@ export function resolveDiscordDraftStreamingChunking(
   maxChars: number;
   breakPreference: "paragraph" | "newline" | "sentence";
 } {
-  const providerChunkLimit = getChannelDock("discord")?.outbound?.textChunkLimit;
   const textLimit = resolveTextChunkLimit(cfg, "discord", accountId, {
-    fallbackLimit: providerChunkLimit,
+    fallbackLimit: DISCORD_TEXT_CHUNK_LIMIT,
   });
   const normalizedAccountId = normalizeAccountId(accountId);
   const accountCfg = resolveAccountEntry(cfg?.channels?.discord?.accounts, normalizedAccountId);
diff --git a/extensions/discord/src/monitor/message-handler.inbound-contract.test.ts b/extensions/discord/src/monitor/message-handler.inbound-contract.test.ts
index 97d18985460..6421d24a61a 100644
--- a/extensions/discord/src/monitor/message-handler.inbound-contract.test.ts
+++ b/extensions/discord/src/monitor/message-handler.inbound-contract.test.ts
@@ -1,6 +1,6 @@
 import { describe, expect, it } from "vitest";
+import { expectChannelInboundContextContract as expectInboundContextContract } from "../../../../src/channels/plugins/contracts/suites.js";
 import { inboundCtxCapture as capture } from "../../../../test/helpers/inbound-contract-dispatch-mock.js";
-import { expectInboundContextContract } from "../../../../test/helpers/inbound-contract.js";
 import type { DiscordMessagePreflightContext } from "./message-handler.preflight.js";
 import { processDiscordMessage } from "./message-handler.process.js";
 import {
diff --git a/extensions/discord/src/monitor/provider.group-policy.test.ts b/extensions/discord/src/monitor/provider.group-policy.test.ts
deleted file mode 100644
index 995c6f66e31..00000000000
--- a/extensions/discord/src/monitor/provider.group-policy.test.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { installProviderRuntimeGroupPolicyFallbackSuite } from "../../../../src/test-utils/runtime-group-policy-contract.js";
-import { __testing } from "./provider.js";
-
-describe("resolveDiscordRuntimeGroupPolicy", () => {
-  installProviderRuntimeGroupPolicyFallbackSuite({
-    resolve: __testing.resolveDiscordRuntimeGroupPolicy,
-    configuredLabel: "keeps open default when channels.discord is configured",
-    defaultGroupPolicyUnderTest: "open",
-    missingConfigLabel: "fails closed when channels.discord is missing and no defaults are set",
-    missingDefaultLabel: "ignores explicit global defaults when provider config is missing",
-  });
-
-  it("respects explicit provider policy", () => {
-    const resolved = __testing.resolveDiscordRuntimeGroupPolicy({
-      providerConfigPresent: false,
-      groupPolicy: "disabled",
-    });
-    expect(resolved.groupPolicy).toBe("disabled");
-    expect(resolved.providerMissingFallbackApplied).toBe(false);
-  });
-});
diff --git a/extensions/discord/src/monitor/provider.test.ts b/extensions/discord/src/monitor/provider.test.ts
index 81f8fa9f5e1..f00baf73ff8 100644
--- a/extensions/discord/src/monitor/provider.test.ts
+++ b/extensions/discord/src/monitor/provider.test.ts
@@ -46,9 +46,13 @@ const {
   resolveDiscordAllowlistConfigMock,
   resolveNativeCommandsEnabledMock,
   resolveNativeSkillsEnabledMock,
+  isVerboseMock,
+  shouldLogVerboseMock,
   voiceRuntimeModuleLoadedMock,
 } = vi.hoisted(() => {
   const createdBindingManagers: Array<{ stop: ReturnType<typeof vi.fn> }> = [];
+  const isVerboseMock = vi.fn(() => false);
+  const shouldLogVerboseMock = vi.fn(() => false);
   return {
     clientHandleDeployRequestMock: vi.fn(async () => undefined),
     clientConstructorOptionsMock: vi.fn(),
@@ -110,6 +114,8 @@ const {
     })),
     resolveNativeCommandsEnabledMock: vi.fn(() => true),
     resolveNativeSkillsEnabledMock: vi.fn(() => false),
+    isVerboseMock,
+    shouldLogVerboseMock,
     voiceRuntimeModuleLoadedMock: vi.fn(),
   };
 });
@@ -210,8 +216,9 @@ vi.mock("../../../../src/config/config.js", () => ({
 
 vi.mock("../../../../src/globals.js", () => ({
   danger: (v: string) => v,
+  isVerbose: isVerboseMock,
   logVerbose: vi.fn(),
-  shouldLogVerbose: () => false,
+  shouldLogVerbose: shouldLogVerboseMock,
   warn: (v: string) => v,
 }));
 
@@ -435,6 +442,8 @@ describe("monitorDiscordProvider", () => {
     });
     resolveNativeCommandsEnabledMock.mockClear().mockReturnValue(true);
     resolveNativeSkillsEnabledMock.mockClear().mockReturnValue(false);
+    isVerboseMock.mockClear().mockReturnValue(false);
+    shouldLogVerboseMock.mockClear().mockReturnValue(false);
     voiceRuntimeModuleLoadedMock.mockClear();
   });
 
@@ -842,6 +851,7 @@ describe("monitorDiscordProvider", () => {
       emitter.emit("debug", "WebSocket connection opened");
       return { id: "bot-1", username: "Molty" };
     });
+    isVerboseMock.mockReturnValue(true);
 
     await monitorDiscordProvider({
       config: baseConfig(),
@@ -861,4 +871,17 @@ describe("monitorDiscordProvider", () => {
       ),
     ).toBe(true);
   });
+
+  it("keeps Discord startup chatter quiet by default", async () => {
+    const { monitorDiscordProvider } = await import("./provider.js");
+    const runtime = baseRuntime();
+
+    await monitorDiscordProvider({
+      config: baseConfig(),
+      runtime,
+    });
+
+    const messages = vi.mocked(runtime.log).mock.calls.map((call) => String(call[0]));
+    expect(messages.some((msg) => msg.includes("discord startup ["))).toBe(false);
+  });
 });
diff --git a/extensions/discord/src/monitor/provider.ts b/extensions/discord/src/monitor/provider.ts
index de174b9d8bf..d4ef01ab0d8 100644
--- a/extensions/discord/src/monitor/provider.ts
+++ b/extensions/discord/src/monitor/provider.ts
@@ -38,7 +38,7 @@ import {
   warnMissingProviderGroupPolicyFallbackOnce,
 } from "../../../../src/config/runtime-group-policy.js";
 import { createConnectedChannelStatusPatch } from "../../../../src/gateway/channel-status-patches.js";
-import { danger, logVerbose, shouldLogVerbose, warn } from "../../../../src/globals.js";
+import { danger, isVerbose, logVerbose, shouldLogVerbose, warn } from "../../../../src/globals.js";
 import { formatErrorMessage } from "../../../../src/infra/errors.js";
 import { createSubsystemLogger } from "../../../../src/logging/subsystem.js";
 import { getPluginCommandSpecs } from "../../../../src/plugins/commands.js";
@@ -273,14 +273,18 @@ async function deployDiscordCommands(params: {
       body === undefined
         ? undefined
         : Buffer.byteLength(typeof body === "string" ? body : JSON.stringify(body), "utf8");
-    params.runtime.log?.(
-      `discord startup [${accountId}] deploy-rest:put:start ${Math.max(0, Date.now() - startupStartedAt)}ms path=${path}${typeof commandCount === "number" ? ` commands=${commandCount}` : ""}${typeof bodyBytes === "number" ? ` bytes=${bodyBytes}` : ""}`,
-    );
+    if (shouldLogVerbose()) {
+      params.runtime.log?.(
+        `discord startup [${accountId}] deploy-rest:put:start ${Math.max(0, Date.now() - startupStartedAt)}ms path=${path}${typeof commandCount === "number" ? ` commands=${commandCount}` : ""}${typeof bodyBytes === "number" ? ` bytes=${bodyBytes}` : ""}`,
+      );
+    }
     try {
       const result = await originalPut(path, data, query);
-      params.runtime.log?.(
-        `discord startup [${accountId}] deploy-rest:put:done ${Math.max(0, Date.now() - startupStartedAt)}ms path=${path} requestMs=${Date.now() - startedAt}`,
-      );
+      if (shouldLogVerbose()) {
+        params.runtime.log?.(
+          `discord startup [${accountId}] deploy-rest:put:done ${Math.max(0, Date.now() - startupStartedAt)}ms path=${path} requestMs=${Date.now() - startedAt}`,
+        );
+      }
       return result;
     } catch (err) {
       params.runtime.error?.(
@@ -359,6 +363,9 @@ function logDiscordStartupPhase(params: {
   gateway?: GatewayPlugin;
   details?: string;
 }) {
+  if (!isVerbose()) {
+    return;
+  }
   const elapsedMs = Math.max(0, Date.now() - params.startAt);
   const suffix = [params.details, formatDiscordStartupGatewayState(params.gateway)]
     .filter((value): value is string => Boolean(value))
@@ -768,6 +775,9 @@ export async function monitorDiscordProvider(opts: MonitorDiscordOpts = {}) {
     const lifecycleGateway = client.getPlugin<GatewayPlugin>("gateway");
     earlyGatewayEmitter = getDiscordGatewayEmitter(lifecycleGateway);
     onEarlyGatewayDebug = (msg: unknown) => {
+      if (!isVerbose()) {
+        return;
+      }
       runtime.log?.(
         `discord startup [${account.accountId}] gateway-debug ${Math.max(0, Date.now() - startupStartedAt)}ms ${String(msg)}`,
       );
diff --git a/extensions/discord/src/outbound-adapter.interactive-order.test.ts b/extensions/discord/src/outbound-adapter.interactive-order.test.ts
new file mode 100644
index 00000000000..e2c8b749d24
--- /dev/null
+++ b/extensions/discord/src/outbound-adapter.interactive-order.test.ts
@@ -0,0 +1,88 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const hoisted = vi.hoisted(() => ({
+  sendDiscordComponentMessageMock: vi.fn(),
+  sendMessageDiscordMock: vi.fn(),
+  sendPollDiscordMock: vi.fn(),
+  sendWebhookMessageDiscordMock: vi.fn(),
+  getThreadBindingManagerMock: vi.fn(),
+}));
+
+vi.mock("./send.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("./send.js")>();
+  return {
+    ...actual,
+    sendDiscordComponentMessage: (...args: unknown[]) =>
+      hoisted.sendDiscordComponentMessageMock(...args),
+    sendMessageDiscord: (...args: unknown[]) => hoisted.sendMessageDiscordMock(...args),
+    sendPollDiscord: (...args: unknown[]) => hoisted.sendPollDiscordMock(...args),
+    sendWebhookMessageDiscord: (...args: unknown[]) =>
+      hoisted.sendWebhookMessageDiscordMock(...args),
+  };
+});
+
+vi.mock("./monitor/thread-bindings.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("./monitor/thread-bindings.js")>();
+  return {
+    ...actual,
+    getThreadBindingManager: (...args: unknown[]) => hoisted.getThreadBindingManagerMock(...args),
+  };
+});
+
+const { discordOutbound } = await import("./outbound-adapter.js");
+
+describe("discordOutbound shared interactive ordering", () => {
+  beforeEach(() => {
+    hoisted.sendDiscordComponentMessageMock.mockReset().mockResolvedValue({
+      messageId: "msg-1",
+      channelId: "123456",
+    });
+    hoisted.sendMessageDiscordMock.mockReset();
+    hoisted.sendPollDiscordMock.mockReset();
+    hoisted.sendWebhookMessageDiscordMock.mockReset();
+    hoisted.getThreadBindingManagerMock.mockReset().mockReturnValue(null);
+  });
+
+  it("keeps shared text blocks in authored order without hoisting fallback text", async () => {
+    const result = await discordOutbound.sendPayload!({
+      cfg: {},
+      to: "channel:123456",
+      text: "",
+      payload: {
+        interactive: {
+          blocks: [
+            { type: "text", text: "First" },
+            {
+              type: "buttons",
+              buttons: [{ label: "Approve", value: "approve" }],
+            },
+            { type: "text", text: "Last" },
+          ],
+        },
+      },
+    });
+
+    expect(hoisted.sendDiscordComponentMessageMock).toHaveBeenCalledWith(
+      "channel:123456",
+      {
+        blocks: [
+          { type: "text", text: "First" },
+          {
+            type: "actions",
+            buttons: [{ label: "Approve", style: "secondary", callbackData: "approve" }],
+          },
+          { type: "text", text: "Last" },
+        ],
+      },
+      expect.objectContaining({
+        cfg: {},
+      }),
+    );
+    expect(hoisted.sendMessageDiscordMock).not.toHaveBeenCalled();
+    expect(result).toEqual({
+      channel: "discord",
+      messageId: "msg-1",
+      channelId: "123456",
+    });
+  });
+});
diff --git a/extensions/discord/src/outbound-adapter.sendpayload.test.ts b/extensions/discord/src/outbound-adapter.sendpayload.test.ts
deleted file mode 100644
index ae5d86f8700..00000000000
--- a/extensions/discord/src/outbound-adapter.sendpayload.test.ts
+++ /dev/null
@@ -1,37 +0,0 @@
-import { describe, vi } from "vitest";
-import type { ReplyPayload } from "../../../src/auto-reply/types.js";
-import {
-  installSendPayloadContractSuite,
-  primeSendMock,
-} from "../../../src/test-utils/send-payload-contract.js";
-import { discordOutbound } from "./outbound-adapter.js";
-
-function createHarness(params: {
-  payload: ReplyPayload;
-  sendResults?: Array<{ messageId: string }>;
-}) {
-  const sendDiscord = vi.fn();
-  primeSendMock(sendDiscord, { messageId: "dc-1", channelId: "123456" }, params.sendResults);
-  const ctx = {
-    cfg: {},
-    to: "channel:123456",
-    text: "",
-    payload: params.payload,
-    deps: {
-      sendDiscord,
-    },
-  };
-  return {
-    run: async () => await discordOutbound.sendPayload!(ctx),
-    sendMock: sendDiscord,
-    to: ctx.to,
-  };
-}
-
-describe("discordOutbound sendPayload", () => {
-  installSendPayloadContractSuite({
-    channel: "discord",
-    chunking: { mode: "passthrough", longTextLength: 3000 },
-    createHarness,
-  });
-});
diff --git a/extensions/discord/src/outbound-adapter.ts b/extensions/discord/src/outbound-adapter.ts
index 4c17960791d..bc2f5f8c2d1 100644
--- a/extensions/discord/src/outbound-adapter.ts
+++ b/extensions/discord/src/outbound-adapter.ts
@@ -1,11 +1,24 @@
-import { sendTextMediaPayload } from "../../../src/channels/plugins/outbound/direct-text-media.js";
+import {
+  resolvePayloadMediaUrls,
+  sendPayloadMediaSequence,
+  sendTextMediaPayload,
+} from "../../../src/channels/plugins/outbound/direct-text-media.js";
 import type { ChannelOutboundAdapter } from "../../../src/channels/plugins/types.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
 import type { OutboundIdentity } from "../../../src/infra/outbound/identity.js";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
+import type { DiscordComponentMessageSpec } from "./components.js";
 import { getThreadBindingManager, type ThreadBindingRecord } from "./monitor/thread-bindings.js";
 import { normalizeDiscordOutboundTarget } from "./normalize.js";
-import { sendMessageDiscord, sendPollDiscord, sendWebhookMessageDiscord } from "./send.js";
+import {
+  sendDiscordComponentMessage,
+  sendMessageDiscord,
+  sendPollDiscord,
+  sendWebhookMessageDiscord,
+} from "./send.js";
+import { buildDiscordInteractiveComponents } from "./shared-interactive.js";
+
+export const DISCORD_TEXT_CHUNK_LIMIT = 2000;
 
 function resolveDiscordOutboundTarget(params: {
   to: string;
@@ -75,11 +88,79 @@ async function maybeSendDiscordWebhookText(params: {
 export const discordOutbound: ChannelOutboundAdapter = {
   deliveryMode: "direct",
   chunker: null,
-  textChunkLimit: 2000,
+  textChunkLimit: DISCORD_TEXT_CHUNK_LIMIT,
   pollMaxOptions: 10,
   resolveTarget: ({ to }) => normalizeDiscordOutboundTarget(to),
-  sendPayload: async (ctx) =>
-    await sendTextMediaPayload({ channel: "discord", ctx, adapter: discordOutbound }),
+  sendPayload: async (ctx) => {
+    const payload = {
+      ...ctx.payload,
+      text: ctx.payload.text ?? "",
+    };
+    const discordData = payload.channelData?.discord as
+      | { components?: DiscordComponentMessageSpec }
+      | undefined;
+    const rawComponentSpec =
+      discordData?.components ?? buildDiscordInteractiveComponents(payload.interactive);
+    const componentSpec = rawComponentSpec
+      ? rawComponentSpec.text
+        ? rawComponentSpec
+        : {
+            ...rawComponentSpec,
+            text: payload.text?.trim() ? payload.text : undefined,
+          }
+      : undefined;
+    if (!componentSpec) {
+      return await sendTextMediaPayload({
+        channel: "discord",
+        ctx: {
+          ...ctx,
+          payload,
+        },
+        adapter: discordOutbound,
+      });
+    }
+    const send =
+      resolveOutboundSendDep<typeof sendMessageDiscord>(ctx.deps, "discord") ?? sendMessageDiscord;
+    const target = resolveDiscordOutboundTarget({ to: ctx.to, threadId: ctx.threadId });
+    const mediaUrls = resolvePayloadMediaUrls(payload);
+    if (mediaUrls.length === 0) {
+      const result = await sendDiscordComponentMessage(target, componentSpec, {
+        replyTo: ctx.replyToId ?? undefined,
+        accountId: ctx.accountId ?? undefined,
+        silent: ctx.silent ?? undefined,
+        cfg: ctx.cfg,
+      });
+      return { channel: "discord", ...result };
+    }
+    const lastResult = await sendPayloadMediaSequence({
+      text: payload.text ?? "",
+      mediaUrls,
+      send: async ({ text, mediaUrl, isFirst }) => {
+        if (isFirst) {
+          return await sendDiscordComponentMessage(target, componentSpec, {
+            mediaUrl,
+            mediaLocalRoots: ctx.mediaLocalRoots,
+            replyTo: ctx.replyToId ?? undefined,
+            accountId: ctx.accountId ?? undefined,
+            silent: ctx.silent ?? undefined,
+            cfg: ctx.cfg,
+          });
+        }
+        return await send(target, text, {
+          verbose: false,
+          mediaUrl,
+          mediaLocalRoots: ctx.mediaLocalRoots,
+          replyTo: ctx.replyToId ?? undefined,
+          accountId: ctx.accountId ?? undefined,
+          silent: ctx.silent ?? undefined,
+          cfg: ctx.cfg,
+        });
+      },
+    });
+    return lastResult
+      ? { channel: "discord", ...lastResult }
+      : { channel: "discord", messageId: "" };
+  },
   sendText: async ({ cfg, to, text, accountId, deps, replyToId, threadId, identity, silent }) => {
     if (!silent) {
       const webhookResult = await maybeSendDiscordWebhookText({
diff --git a/extensions/discord/src/runtime.ts b/extensions/discord/src/runtime.ts
index 2cc0074f457..2dc10a295fd 100644
--- a/extensions/discord/src/runtime.ts
+++ b/extensions/discord/src/runtime.ts
@@ -1,5 +1,5 @@
 import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
-import type { PluginRuntime } from "openclaw/plugin-sdk/discord";
+import type { PluginRuntime } from "openclaw/plugin-sdk/core";
 
 const { setRuntime: setDiscordRuntime, getRuntime: getDiscordRuntime } =
   createPluginRuntimeStore<PluginRuntime>("Discord runtime not initialized");
diff --git a/extensions/discord/src/setup-core.ts b/extensions/discord/src/setup-core.ts
new file mode 100644
index 00000000000..3c9ab69059b
--- /dev/null
+++ b/extensions/discord/src/setup-core.ts
@@ -0,0 +1,348 @@
+import {
+  applyAccountNameToChannelSection,
+  migrateBaseNameToDefaultAccount,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import {
+  noteChannelLookupFailure,
+  noteChannelLookupSummary,
+  parseMentionOrPrefixedId,
+  patchChannelConfigForAccount,
+  setLegacyChannelDmPolicyWithAllowFrom,
+  setSetupChannelEnabled,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
+import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import type { DiscordGuildEntry } from "../../../src/config/types.discord.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
+import { inspectDiscordAccount } from "./account-inspect.js";
+import { listDiscordAccountIds, resolveDiscordAccount } from "./accounts.js";
+
+const channel = "discord" as const;
+
+export const DISCORD_TOKEN_HELP_LINES = [
+  "1) Discord Developer Portal -> Applications -> New Application",
+  "2) Bot -> Add Bot -> Reset Token -> copy token",
+  "3) OAuth2 -> URL Generator -> scope 'bot' -> invite to your server",
+  "Tip: enable Message Content Intent if you need message text. (Bot -> Privileged Gateway Intents -> Message Content Intent)",
+  `Docs: ${formatDocsLink("/discord", "discord")}`,
+];
+
+export function setDiscordGuildChannelAllowlist(
+  cfg: OpenClawConfig,
+  accountId: string,
+  entries: Array<{
+    guildKey: string;
+    channelKey?: string;
+  }>,
+): OpenClawConfig {
+  const baseGuilds =
+    accountId === DEFAULT_ACCOUNT_ID
+      ? (cfg.channels?.discord?.guilds ?? {})
+      : (cfg.channels?.discord?.accounts?.[accountId]?.guilds ?? {});
+  const guilds: Record<string, DiscordGuildEntry> = { ...baseGuilds };
+  for (const entry of entries) {
+    const guildKey = entry.guildKey || "*";
+    const existing = guilds[guildKey] ?? {};
+    if (entry.channelKey) {
+      const channels = { ...existing.channels };
+      channels[entry.channelKey] = { allow: true };
+      guilds[guildKey] = { ...existing, channels };
+    } else {
+      guilds[guildKey] = existing;
+    }
+  }
+  return patchChannelConfigForAccount({
+    cfg,
+    channel,
+    accountId,
+    patch: { guilds },
+  });
+}
+
+export function parseDiscordAllowFromId(value: string): string | null {
+  return parseMentionOrPrefixedId({
+    value,
+    mentionPattern: /^<@!?(\d+)>$/,
+    prefixPattern: /^(user:|discord:)/i,
+    idPattern: /^\d+$/,
+  });
+}
+
+export const discordSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  validateInput: ({ accountId, input }) => {
+    if (input.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
+      return "DISCORD_BOT_TOKEN can only be used for the default account.";
+    }
+    if (!input.useEnv && !input.token) {
+      return "Discord requires token (or --use-env).";
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name: input.name,
+    });
+    const next =
+      accountId !== DEFAULT_ACCOUNT_ID
+        ? migrateBaseNameToDefaultAccount({
+            cfg: namedConfig,
+            channelKey: channel,
+          })
+        : namedConfig;
+    if (accountId === DEFAULT_ACCOUNT_ID) {
+      return {
+        ...next,
+        channels: {
+          ...next.channels,
+          discord: {
+            ...next.channels?.discord,
+            enabled: true,
+            ...(input.useEnv ? {} : input.token ? { token: input.token } : {}),
+          },
+        },
+      };
+    }
+    return {
+      ...next,
+      channels: {
+        ...next.channels,
+        discord: {
+          ...next.channels?.discord,
+          enabled: true,
+          accounts: {
+            ...next.channels?.discord?.accounts,
+            [accountId]: {
+              ...next.channels?.discord?.accounts?.[accountId],
+              enabled: true,
+              ...(input.token ? { token: input.token } : {}),
+            },
+          },
+        },
+      },
+    };
+  },
+};
+
+export function createDiscordSetupWizardProxy(
+  loadWizard: () => Promise<{ discordSetupWizard: ChannelSetupWizard }>,
+) {
+  const discordDmPolicy: ChannelSetupDmPolicy = {
+    label: "Discord",
+    channel,
+    policyKey: "channels.discord.dmPolicy",
+    allowFromKey: "channels.discord.allowFrom",
+    getCurrent: (cfg: OpenClawConfig) =>
+      cfg.channels?.discord?.dmPolicy ?? cfg.channels?.discord?.dm?.policy ?? "pairing",
+    setPolicy: (cfg: OpenClawConfig, policy) =>
+      setLegacyChannelDmPolicyWithAllowFrom({
+        cfg,
+        channel,
+        dmPolicy: policy,
+      }),
+    promptAllowFrom: async ({ cfg, prompter, accountId }) => {
+      const wizard = (await loadWizard()).discordSetupWizard;
+      if (!wizard.dmPolicy?.promptAllowFrom) {
+        return cfg;
+      }
+      return await wizard.dmPolicy.promptAllowFrom({ cfg, prompter, accountId });
+    },
+  };
+
+  return {
+    channel,
+    status: {
+      configuredLabel: "configured",
+      unconfiguredLabel: "needs token",
+      configuredHint: "configured",
+      unconfiguredHint: "needs token",
+      configuredScore: 2,
+      unconfiguredScore: 1,
+      resolveConfigured: ({ cfg }) =>
+        listDiscordAccountIds(cfg).some((accountId) => {
+          const account = inspectDiscordAccount({ cfg, accountId });
+          return account.configured;
+        }),
+    },
+    credentials: [
+      {
+        inputKey: "token",
+        providerHint: channel,
+        credentialLabel: "Discord bot token",
+        preferredEnvVar: "DISCORD_BOT_TOKEN",
+        helpTitle: "Discord bot token",
+        helpLines: DISCORD_TOKEN_HELP_LINES,
+        envPrompt: "DISCORD_BOT_TOKEN detected. Use env var?",
+        keepPrompt: "Discord token already configured. Keep it?",
+        inputPrompt: "Enter Discord bot token",
+        allowEnv: ({ accountId }: { accountId: string }) => accountId === DEFAULT_ACCOUNT_ID,
+        inspect: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId: string }) => {
+          const account = inspectDiscordAccount({ cfg, accountId });
+          return {
+            accountConfigured: account.configured,
+            hasConfiguredValue: account.tokenStatus !== "missing",
+            resolvedValue: account.token?.trim() || undefined,
+            envValue:
+              accountId === DEFAULT_ACCOUNT_ID
+                ? process.env.DISCORD_BOT_TOKEN?.trim() || undefined
+                : undefined,
+          };
+        },
+      },
+    ],
+    groupAccess: {
+      label: "Discord channels",
+      placeholder: "My Server/#general, guildId/channelId, #support",
+      currentPolicy: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId: string }) =>
+        resolveDiscordAccount({ cfg, accountId }).config.groupPolicy ?? "allowlist",
+      currentEntries: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId: string }) =>
+        Object.entries(resolveDiscordAccount({ cfg, accountId }).config.guilds ?? {}).flatMap(
+          ([guildKey, value]) => {
+            const channels = value?.channels ?? {};
+            const channelKeys = Object.keys(channels);
+            if (channelKeys.length === 0) {
+              const input = /^\d+$/.test(guildKey) ? `guild:${guildKey}` : guildKey;
+              return [input];
+            }
+            return channelKeys.map((channelKey) => `${guildKey}/${channelKey}`);
+          },
+        ),
+      updatePrompt: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId: string }) =>
+        Boolean(resolveDiscordAccount({ cfg, accountId }).config.guilds),
+      setPolicy: ({
+        cfg,
+        accountId,
+        policy,
+      }: {
+        cfg: OpenClawConfig;
+        accountId: string;
+        policy: "open" | "allowlist" | "disabled";
+      }) =>
+        patchChannelConfigForAccount({
+          cfg,
+          channel,
+          accountId,
+          patch: { groupPolicy: policy },
+        }),
+      resolveAllowlist: async ({
+        cfg,
+        accountId,
+        credentialValues,
+        entries,
+        prompter,
+      }: {
+        cfg: OpenClawConfig;
+        accountId: string;
+        credentialValues: { token?: string };
+        entries: string[];
+        prompter: { note: (message: string, title?: string) => Promise<void> };
+      }) => {
+        const wizard = (await loadWizard()).discordSetupWizard;
+        if (!wizard.groupAccess?.resolveAllowlist) {
+          return entries.map((input) => ({ input, resolved: false }));
+        }
+        try {
+          return await wizard.groupAccess.resolveAllowlist({
+            cfg,
+            accountId,
+            credentialValues,
+            entries,
+            prompter,
+          });
+        } catch (error) {
+          await noteChannelLookupFailure({
+            prompter,
+            label: "Discord channels",
+            error,
+          });
+          await noteChannelLookupSummary({
+            prompter,
+            label: "Discord channels",
+            resolvedSections: [],
+            unresolved: entries,
+          });
+          return entries.map((input) => ({ input, resolved: false }));
+        }
+      },
+      applyAllowlist: ({
+        cfg,
+        accountId,
+        resolved,
+      }: {
+        cfg: OpenClawConfig;
+        accountId: string;
+        resolved: unknown;
+      }) => setDiscordGuildChannelAllowlist(cfg, accountId, resolved as never),
+    },
+    allowFrom: {
+      credentialInputKey: "token",
+      helpTitle: "Discord allowlist",
+      helpLines: [
+        "Allowlist Discord DMs by username (we resolve to user ids).",
+        "Examples:",
+        "- 123456789012345678",
+        "- @alice",
+        "- alice#1234",
+        "Multiple entries: comma-separated.",
+        `Docs: ${formatDocsLink("/discord", "discord")}`,
+      ],
+      message: "Discord allowFrom (usernames or ids)",
+      placeholder: "@alice, 123456789012345678",
+      invalidWithoutCredentialNote:
+        "Bot token missing; use numeric user ids (or mention form) only.",
+      parseId: parseDiscordAllowFromId,
+      resolveEntries: async ({
+        cfg,
+        accountId,
+        credentialValues,
+        entries,
+      }: {
+        cfg: OpenClawConfig;
+        accountId: string;
+        credentialValues: { token?: string };
+        entries: string[];
+      }) => {
+        const wizard = (await loadWizard()).discordSetupWizard;
+        if (!wizard.allowFrom) {
+          return entries.map((input) => ({ input, resolved: false, id: null }));
+        }
+        return await wizard.allowFrom.resolveEntries({
+          cfg,
+          accountId,
+          credentialValues,
+          entries,
+        });
+      },
+      apply: async ({
+        cfg,
+        accountId,
+        allowFrom,
+      }: {
+        cfg: OpenClawConfig;
+        accountId: string;
+        allowFrom: string[];
+      }) =>
+        patchChannelConfigForAccount({
+          cfg,
+          channel,
+          accountId,
+          patch: { dmPolicy: "allowlist", allowFrom },
+        }),
+    },
+    dmPolicy: discordDmPolicy,
+    disable: (cfg: OpenClawConfig) => setSetupChannelEnabled(cfg, channel, false),
+  } satisfies ChannelSetupWizard;
+}
diff --git a/extensions/discord/src/setup-surface.ts b/extensions/discord/src/setup-surface.ts
index e03c7ef1e16..ce7c6e789e4 100644
--- a/extensions/discord/src/setup-surface.ts
+++ b/extensions/discord/src/setup-surface.ts
@@ -1,23 +1,17 @@
-import type { ChannelOnboardingDmPolicy } from "../../../src/channels/plugins/onboarding-types.js";
 import {
   noteChannelLookupFailure,
   noteChannelLookupSummary,
   parseMentionOrPrefixedId,
   patchChannelConfigForAccount,
   promptLegacyChannelAllowFrom,
-  resolveOnboardingAccountId,
+  resolveSetupAccountId,
   setLegacyChannelDmPolicyWithAllowFrom,
-  setOnboardingChannelEnabled,
-} from "../../../src/channels/plugins/onboarding/helpers.js";
-import {
-  applyAccountNameToChannelSection,
-  migrateBaseNameToDefaultAccount,
-} from "../../../src/channels/plugins/setup-helpers.js";
+  setSetupChannelEnabled,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
 import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
-import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
-import type { DiscordGuildEntry } from "../../../src/config/types.discord.js";
-import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
 import { formatDocsLink } from "../../../src/terminal/links.js";
 import type { WizardPrompter } from "../../../src/wizard/prompts.js";
 import { inspectDiscordAccount } from "./account-inspect.js";
@@ -32,58 +26,15 @@ import {
   type DiscordChannelResolution,
 } from "./resolve-channels.js";
 import { resolveDiscordUserAllowlist } from "./resolve-users.js";
+import {
+  discordSetupAdapter,
+  DISCORD_TOKEN_HELP_LINES,
+  parseDiscordAllowFromId,
+  setDiscordGuildChannelAllowlist,
+} from "./setup-core.js";
 
 const channel = "discord" as const;
 
-const DISCORD_TOKEN_HELP_LINES = [
-  "1) Discord Developer Portal -> Applications -> New Application",
-  "2) Bot -> Add Bot -> Reset Token -> copy token",
-  "3) OAuth2 -> URL Generator -> scope 'bot' -> invite to your server",
-  "Tip: enable Message Content Intent if you need message text. (Bot -> Privileged Gateway Intents -> Message Content Intent)",
-  `Docs: ${formatDocsLink("/discord", "discord")}`,
-];
-
-function setDiscordGuildChannelAllowlist(
-  cfg: OpenClawConfig,
-  accountId: string,
-  entries: Array<{
-    guildKey: string;
-    channelKey?: string;
-  }>,
-): OpenClawConfig {
-  const baseGuilds =
-    accountId === DEFAULT_ACCOUNT_ID
-      ? (cfg.channels?.discord?.guilds ?? {})
-      : (cfg.channels?.discord?.accounts?.[accountId]?.guilds ?? {});
-  const guilds: Record<string, DiscordGuildEntry> = { ...baseGuilds };
-  for (const entry of entries) {
-    const guildKey = entry.guildKey || "*";
-    const existing = guilds[guildKey] ?? {};
-    if (entry.channelKey) {
-      const channels = { ...existing.channels };
-      channels[entry.channelKey] = { allow: true };
-      guilds[guildKey] = { ...existing, channels };
-    } else {
-      guilds[guildKey] = existing;
-    }
-  }
-  return patchChannelConfigForAccount({
-    cfg,
-    channel,
-    accountId,
-    patch: { guilds },
-  });
-}
-
-function parseDiscordAllowFromId(value: string): string | null {
-  return parseMentionOrPrefixedId({
-    value,
-    mentionPattern: /^<@!?(\d+)>$/,
-    prefixPattern: /^(user:|discord:)/i,
-    idPattern: /^\d+$/,
-  });
-}
-
 async function resolveDiscordAllowFromEntries(params: { token?: string; entries: string[] }) {
   if (!params.token?.trim()) {
     return params.entries.map((input) => ({
@@ -108,7 +59,7 @@ async function promptDiscordAllowFrom(params: {
   prompter: WizardPrompter;
   accountId?: string;
 }): Promise<OpenClawConfig> {
-  const accountId = resolveOnboardingAccountId({
+  const accountId = resolveSetupAccountId({
     accountId: params.accountId,
     defaultAccountId: resolveDefaultDiscordAccountId(params.cfg),
   });
@@ -141,7 +92,7 @@ async function promptDiscordAllowFrom(params: {
   });
 }
 
-const discordDmPolicy: ChannelOnboardingDmPolicy = {
+const discordDmPolicy: ChannelSetupDmPolicy = {
   label: "Discord",
   channel,
   policyKey: "channels.discord.dmPolicy",
@@ -157,72 +108,6 @@ const discordDmPolicy: ChannelOnboardingDmPolicy = {
   promptAllowFrom: promptDiscordAllowFrom,
 };
 
-export const discordSetupAdapter: ChannelSetupAdapter = {
-  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-  applyAccountName: ({ cfg, accountId, name }) =>
-    applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name,
-    }),
-  validateInput: ({ accountId, input }) => {
-    if (input.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
-      return "DISCORD_BOT_TOKEN can only be used for the default account.";
-    }
-    if (!input.useEnv && !input.token) {
-      return "Discord requires token (or --use-env).";
-    }
-    return null;
-  },
-  applyAccountConfig: ({ cfg, accountId, input }) => {
-    const namedConfig = applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name: input.name,
-    });
-    const next =
-      accountId !== DEFAULT_ACCOUNT_ID
-        ? migrateBaseNameToDefaultAccount({
-            cfg: namedConfig,
-            channelKey: channel,
-          })
-        : namedConfig;
-    if (accountId === DEFAULT_ACCOUNT_ID) {
-      return {
-        ...next,
-        channels: {
-          ...next.channels,
-          discord: {
-            ...next.channels?.discord,
-            enabled: true,
-            ...(input.useEnv ? {} : input.token ? { token: input.token } : {}),
-          },
-        },
-      };
-    }
-    return {
-      ...next,
-      channels: {
-        ...next.channels,
-        discord: {
-          ...next.channels?.discord,
-          enabled: true,
-          accounts: {
-            ...next.channels?.discord?.accounts,
-            [accountId]: {
-              ...next.channels?.discord?.accounts?.[accountId],
-              enabled: true,
-              ...(input.token ? { token: input.token } : {}),
-            },
-          },
-        },
-      },
-    };
-  },
-};
-
 export const discordSetupWizard: ChannelSetupWizard = {
   channel,
   status: {
@@ -388,5 +273,5 @@ export const discordSetupWizard: ChannelSetupWizard = {
       }),
   },
   dmPolicy: discordDmPolicy,
-  disable: (cfg) => setOnboardingChannelEnabled(cfg, channel, false),
+  disable: (cfg) => setSetupChannelEnabled(cfg, channel, false),
 };
diff --git a/extensions/discord/src/shared-interactive.test.ts b/extensions/discord/src/shared-interactive.test.ts
new file mode 100644
index 00000000000..33ce8f68ec1
--- /dev/null
+++ b/extensions/discord/src/shared-interactive.test.ts
@@ -0,0 +1,104 @@
+import { describe, expect, it } from "vitest";
+import { buildDiscordInteractiveComponents } from "./shared-interactive.js";
+
+describe("buildDiscordInteractiveComponents", () => {
+  it("maps shared buttons and selects into Discord component blocks", () => {
+    expect(
+      buildDiscordInteractiveComponents({
+        blocks: [
+          {
+            type: "buttons",
+            buttons: [
+              { label: "Approve", value: "approve", style: "success" },
+              { label: "Reject", value: "reject", style: "danger" },
+            ],
+          },
+          {
+            type: "select",
+            placeholder: "Pick one",
+            options: [{ label: "Alpha", value: "alpha" }],
+          },
+        ],
+      }),
+    ).toEqual({
+      blocks: [
+        {
+          type: "actions",
+          buttons: [
+            { label: "Approve", style: "success", callbackData: "approve" },
+            { label: "Reject", style: "danger", callbackData: "reject" },
+          ],
+        },
+        {
+          type: "actions",
+          select: {
+            type: "string",
+            placeholder: "Pick one",
+            options: [{ label: "Alpha", value: "alpha" }],
+          },
+        },
+      ],
+    });
+  });
+
+  it("preserves authored shared text blocks around controls", () => {
+    expect(
+      buildDiscordInteractiveComponents({
+        blocks: [
+          { type: "text", text: "First" },
+          {
+            type: "buttons",
+            buttons: [{ label: "Approve", value: "approve", style: "success" }],
+          },
+          { type: "text", text: "Last" },
+        ],
+      }),
+    ).toEqual({
+      blocks: [
+        { type: "text", text: "First" },
+        {
+          type: "actions",
+          buttons: [{ label: "Approve", style: "success", callbackData: "approve" }],
+        },
+        { type: "text", text: "Last" },
+      ],
+    });
+  });
+
+  it("splits long shared button rows to stay within Discord action limits", () => {
+    expect(
+      buildDiscordInteractiveComponents({
+        blocks: [
+          {
+            type: "buttons",
+            buttons: [
+              { label: "One", value: "1" },
+              { label: "Two", value: "2" },
+              { label: "Three", value: "3" },
+              { label: "Four", value: "4" },
+              { label: "Five", value: "5" },
+              { label: "Six", value: "6" },
+            ],
+          },
+        ],
+      }),
+    ).toEqual({
+      blocks: [
+        {
+          type: "actions",
+          buttons: [
+            { label: "One", style: "secondary", callbackData: "1" },
+            { label: "Two", style: "secondary", callbackData: "2" },
+            { label: "Three", style: "secondary", callbackData: "3" },
+            { label: "Four", style: "secondary", callbackData: "4" },
+            { label: "Five", style: "secondary", callbackData: "5" },
+          ],
+        },
+        {
+          type: "actions",
+          buttons: [{ label: "Six", style: "secondary", callbackData: "6" }],
+        },
+      ],
+    });
+  });
+});
diff --git a/extensions/discord/src/shared-interactive.ts b/extensions/discord/src/shared-interactive.ts
new file mode 100644
index 00000000000..d99f964f5c9
--- /dev/null
+++ b/extensions/discord/src/shared-interactive.ts
@@ -0,0 +1,66 @@
+import { reduceInteractiveReply } from "../../../src/channels/plugins/outbound/interactive.js";
+import type { InteractiveButtonStyle, InteractiveReply } from "../../../src/interactive/payload.js";
+import type { DiscordComponentButtonStyle, DiscordComponentMessageSpec } from "./components.js";
+
+function resolveDiscordInteractiveButtonStyle(
+  style?: InteractiveButtonStyle,
+): DiscordComponentButtonStyle | undefined {
+  return style ?? "secondary";
+}
+
+const DISCORD_INTERACTIVE_BUTTON_ROW_SIZE = 5;
+
+export function buildDiscordInteractiveComponents(
+  interactive?: InteractiveReply,
+): DiscordComponentMessageSpec | undefined {
+  const blocks = reduceInteractiveReply(
+    interactive,
+    [] as NonNullable<DiscordComponentMessageSpec["blocks"]>,
+    (state, block) => {
+      if (block.type === "text") {
+        const text = block.text.trim();
+        if (text) {
+          state.push({ type: "text", text });
+        }
+        return state;
+      }
+      if (block.type === "buttons") {
+        if (block.buttons.length === 0) {
+          return state;
+        }
+        for (
+          let index = 0;
+          index < block.buttons.length;
+          index += DISCORD_INTERACTIVE_BUTTON_ROW_SIZE
+        ) {
+          state.push({
+            type: "actions",
+            buttons: block.buttons
+              .slice(index, index + DISCORD_INTERACTIVE_BUTTON_ROW_SIZE)
+              .map((button) => ({
+                label: button.label,
+                style: resolveDiscordInteractiveButtonStyle(button.style),
+                callbackData: button.value,
+              })),
+          });
+        }
+        return state;
+      }
+      if (block.type === "select" && block.options.length > 0) {
+        state.push({
+          type: "actions",
+          select: {
+            type: "string",
+            placeholder: block.placeholder,
+            options: block.options.map((option) => ({
+              label: option.label,
+              value: option.value,
+            })),
+          },
+        });
+      }
+      return state;
+    },
+  );
+  return blocks.length > 0 ? { blocks } : undefined;
+}
diff --git a/extensions/discord/src/subagent-hooks.ts b/extensions/discord/src/subagent-hooks.ts
index f6e6056538b..c9ba7b97984 100644
--- a/extensions/discord/src/subagent-hooks.ts
+++ b/extensions/discord/src/subagent-hooks.ts
@@ -1,10 +1,10 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/discord";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { resolveDiscordAccount } from "./accounts.js";
 import {
   autoBindSpawnedDiscordSubagent,
   listThreadBindingsBySessionKey,
-  resolveDiscordAccount,
   unbindThreadBindingsBySessionKey,
-} from "openclaw/plugin-sdk/discord";
+} from "./monitor/thread-bindings.js";
 
 function summarizeError(err: unknown): string {
   if (err instanceof Error) {
diff --git a/extensions/feishu/index.test.ts b/extensions/feishu/index.test.ts
index 5236e4bb542..90de46ff6ab 100644
--- a/extensions/feishu/index.test.ts
+++ b/extensions/feishu/index.test.ts
@@ -51,6 +51,7 @@ describe("feishu plugin register", () => {
       registerChannel,
       on: vi.fn(),
       config: {},
+      registrationMode: "full",
     } as unknown as OpenClawPluginApi;
 
     plugin.register(api);
diff --git a/extensions/feishu/index.ts b/extensions/feishu/index.ts
index e01a975615a..ba7ac26922b 100644
--- a/extensions/feishu/index.ts
+++ b/extensions/feishu/index.ts
@@ -54,6 +54,9 @@ const plugin = {
   register(api: OpenClawPluginApi) {
     setFeishuRuntime(api.runtime);
     api.registerChannel({ plugin: feishuPlugin });
+    if (api.registrationMode !== "full") {
+      return;
+    }
     registerFeishuSubagentHooks(api);
     registerFeishuDocTools(api);
     registerFeishuChatTools(api);
diff --git a/extensions/feishu/package.json b/extensions/feishu/package.json
index 805dd389b0a..d5dfe64f369 100644
--- a/extensions/feishu/package.json
+++ b/extensions/feishu/package.json
@@ -13,6 +13,7 @@
     "extensions": [
       "./index.ts"
     ],
+    "setupEntry": "./setup-entry.ts",
     "channel": {
       "id": "feishu",
       "label": "Feishu",
diff --git a/extensions/feishu/setup-entry.ts b/extensions/feishu/setup-entry.ts
new file mode 100644
index 00000000000..3e4df4faee8
--- /dev/null
+++ b/extensions/feishu/setup-entry.ts
@@ -0,0 +1,5 @@
+import { feishuPlugin } from "./src/channel.js";
+
+export default {
+  plugin: feishuPlugin,
+};
diff --git a/extensions/feishu/src/accounts.ts b/extensions/feishu/src/accounts.ts
index b528f6ae0e5..40400445935 100644
--- a/extensions/feishu/src/accounts.ts
+++ b/extensions/feishu/src/accounts.ts
@@ -143,7 +143,7 @@ export function resolveFeishuCredentials(
       return asString;
     }
 
-    // In relaxed/onboarding paths only: allow direct env SecretRef reads for UX.
+    // In relaxed/setup paths only: allow direct env SecretRef reads for UX.
     // Default resolution path must preserve unresolved-ref diagnostics/policy semantics.
     if (options?.allowUnresolvedSecretRef && typeof value === "object" && value !== null) {
       const rec = value as Record<string, unknown>;
diff --git a/extensions/feishu/src/bot.card-action.test.ts b/extensions/feishu/src/bot.card-action.test.ts
index 90967b593bd..2df1ce361a1 100644
--- a/extensions/feishu/src/bot.card-action.test.ts
+++ b/extensions/feishu/src/bot.card-action.test.ts
@@ -1,5 +1,15 @@
-import { describe, it, expect, vi } from "vitest";
-import { handleFeishuCardAction, type FeishuCardActionEvent } from "./card-action.js";
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import {
+  handleFeishuCardAction,
+  resetProcessedFeishuCardActionTokensForTests,
+  type FeishuCardActionEvent,
+} from "./card-action.js";
+import { createFeishuCardInteractionEnvelope } from "./card-interaction.js";
+import {
+  FEISHU_APPROVAL_CANCEL_ACTION,
+  FEISHU_APPROVAL_CONFIRM_ACTION,
+  FEISHU_APPROVAL_REQUEST_ACTION,
+} from "./card-ux-approval.js";
 
 // Mock resolveFeishuAccount
 vi.mock("./accounts.js", () => ({
@@ -11,12 +21,25 @@ vi.mock("./bot.js", () => ({
   handleFeishuMessage: vi.fn(),
 }));
 
+const sendCardFeishuMock = vi.hoisted(() => vi.fn());
+const sendMessageFeishuMock = vi.hoisted(() => vi.fn());
+
+vi.mock("./send.js", () => ({
+  sendCardFeishu: sendCardFeishuMock,
+  sendMessageFeishu: sendMessageFeishuMock,
+}));
+
 import { handleFeishuMessage } from "./bot.js";
 
 describe("Feishu Card Action Handler", () => {
   const cfg = {} as any; // Minimal mock
   const runtime = { log: vi.fn(), error: vi.fn() } as any;
 
+  beforeEach(() => {
+    vi.clearAllMocks();
+    resetProcessedFeishuCardActionTokensForTests();
+  });
+
   it("handles card action with text payload", async () => {
     const event: FeishuCardActionEvent = {
       operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
@@ -60,4 +83,321 @@ describe("Feishu Card Action Handler", () => {
       }),
     );
   });
+
+  it("routes quick command actions with operator and conversation context", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok3",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(handleFeishuMessage).toHaveBeenCalledWith(
+      expect.objectContaining({
+        event: expect.objectContaining({
+          sender: expect.objectContaining({
+            sender_id: expect.objectContaining({
+              open_id: "u123",
+              user_id: "uid1",
+              union_id: "un1",
+            }),
+          }),
+          message: expect.objectContaining({
+            chat_id: "chat1",
+            content: '{"text":"/help"}',
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("opens an approval card for metadata actions", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok4",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "meta",
+          a: FEISHU_APPROVAL_REQUEST_ACTION,
+          m: {
+            command: "/new",
+            prompt: "Start a fresh session?",
+          },
+          c: {
+            u: "u123",
+            h: "chat1",
+            t: "group",
+            s: "agent:codex:feishu:chat:chat1",
+            e: Date.now() + 60_000,
+          },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime, accountId: "main" });
+
+    expect(sendCardFeishuMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: "chat:chat1",
+        accountId: "main",
+        card: expect.objectContaining({
+          header: expect.objectContaining({
+            title: expect.objectContaining({ content: "Confirm action" }),
+          }),
+          body: expect.objectContaining({
+            elements: expect.arrayContaining([
+              expect.objectContaining({
+                tag: "action",
+                actions: expect.arrayContaining([
+                  expect.objectContaining({
+                    value: expect.objectContaining({
+                      c: expect.objectContaining({
+                        u: "u123",
+                        h: "chat1",
+                        t: "group",
+                        s: "agent:codex:feishu:chat:chat1",
+                      }),
+                    }),
+                  }),
+                ]),
+              }),
+            ]),
+          }),
+        }),
+      }),
+    );
+    expect(handleFeishuMessage).not.toHaveBeenCalled();
+  });
+
+  it("runs approval confirmation through the normal message path", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok5",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: FEISHU_APPROVAL_CONFIRM_ACTION,
+          q: "/new",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(handleFeishuMessage).toHaveBeenCalledWith(
+      expect.objectContaining({
+        event: expect.objectContaining({
+          message: expect.objectContaining({
+            content: '{"text":"/new"}',
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("safely rejects stale structured actions", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok6",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() - 1 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(sendMessageFeishuMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: "chat:chat1",
+        text: expect.stringContaining("expired"),
+      }),
+    );
+    expect(handleFeishuMessage).not.toHaveBeenCalled();
+  });
+
+  it("safely rejects wrong-user structured actions", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u999", user_id: "uid1", union_id: "un1" },
+      token: "tok7",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u999", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(sendMessageFeishuMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        text: expect.stringContaining("different user"),
+      }),
+    );
+    expect(handleFeishuMessage).not.toHaveBeenCalled();
+  });
+
+  it("sends a lightweight cancellation notice", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok8",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "button",
+          a: FEISHU_APPROVAL_CANCEL_ACTION,
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(sendMessageFeishuMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: "chat:chat1",
+        text: "Cancelled.",
+      }),
+    );
+  });
+
+  it("preserves p2p callbacks for DM quick actions", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok9",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "p2p-chat-1", t: "p2p", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "p2p-chat-1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(handleFeishuMessage).toHaveBeenCalledWith(
+      expect.objectContaining({
+        event: expect.objectContaining({
+          message: expect.objectContaining({
+            chat_id: "p2p-chat-1",
+            chat_type: "p2p",
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("drops duplicate structured callback tokens", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok10",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(handleFeishuMessage).toHaveBeenCalledTimes(1);
+  });
+
+  it("releases a claimed token when dispatch fails so retries can succeed", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok11",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+    vi.mocked(handleFeishuMessage)
+      .mockRejectedValueOnce(new Error("transient"))
+      .mockResolvedValueOnce(undefined as never);
+
+    await expect(handleFeishuCardAction({ cfg, event, runtime })).rejects.toThrow("transient");
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(handleFeishuMessage).toHaveBeenCalledTimes(2);
+  });
+
+  it("keeps an in-flight token claimed while a slow dispatch is still running", async () => {
+    vi.useFakeTimers();
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok12",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    let resolveDispatch: (() => void) | undefined;
+    vi.mocked(handleFeishuMessage).mockImplementation(
+      () =>
+        new Promise<void>((resolve) => {
+          resolveDispatch = resolve;
+        }) as never,
+    );
+
+    const first = handleFeishuCardAction({ cfg, event, runtime });
+    await vi.advanceTimersByTimeAsync(61_000);
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(handleFeishuMessage).toHaveBeenCalledTimes(1);
+
+    resolveDispatch?.();
+    await first;
+    vi.useRealTimers();
+  });
 });
diff --git a/extensions/feishu/src/bot.test.ts b/extensions/feishu/src/bot.test.ts
index 3e14bcdadd5..df787b0106a 100644
--- a/extensions/feishu/src/bot.test.ts
+++ b/extensions/feishu/src/bot.test.ts
@@ -1163,6 +1163,51 @@ describe("handleFeishuMessage command authorization", () => {
     );
   });
 
+  it("falls back to the message payload filename when download metadata omits it", async () => {
+    mockShouldComputeCommandAuthorized.mockReturnValue(false);
+    mockDownloadMessageResourceFeishu.mockResolvedValueOnce({
+      buffer: Buffer.from("video"),
+      contentType: "video/mp4",
+    });
+
+    const cfg: ClawdbotConfig = {
+      channels: {
+        feishu: {
+          dmPolicy: "open",
+        },
+      },
+    } as ClawdbotConfig;
+
+    const event: FeishuMessageEvent = {
+      sender: {
+        sender_id: {
+          open_id: "ou-sender",
+        },
+      },
+      message: {
+        message_id: "msg-media-payload-name",
+        chat_id: "oc-dm",
+        chat_type: "p2p",
+        message_type: "media",
+        content: JSON.stringify({
+          file_key: "file_media_payload",
+          image_key: "img_media_thumb",
+          file_name: "payload-name.mp4",
+        }),
+      },
+    };
+
+    await dispatchMessage({ cfg, event });
+
+    expect(mockSaveMediaBuffer).toHaveBeenCalledWith(
+      expect.any(Buffer),
+      "video/mp4",
+      "inbound",
+      expect.any(Number),
+      "payload-name.mp4",
+    );
+  });
+
   it("downloads embedded media tags from post messages as files", async () => {
     mockShouldComputeCommandAuthorized.mockReturnValue(false);
 
diff --git a/extensions/feishu/src/bot.ts b/extensions/feishu/src/bot.ts
index fc84801b124..728bb9a8ffc 100644
--- a/extensions/feishu/src/bot.ts
+++ b/extensions/feishu/src/bot.ts
@@ -551,17 +551,17 @@ function parseMediaKeys(
     const fileKey = normalizeFeishuExternalKey(parsed.file_key);
     switch (messageType) {
       case "image":
-        return { imageKey };
+        return { imageKey, fileName: parsed.file_name };
       case "file":
         return { fileKey, fileName: parsed.file_name };
       case "audio":
-        return { fileKey };
+        return { fileKey, fileName: parsed.file_name };
       case "video":
       case "media":
         // Video/media has both file_key (video) and image_key (thumbnail)
-        return { fileKey, imageKey };
+        return { fileKey, imageKey, fileName: parsed.file_name };
       case "sticker":
-        return { fileKey };
+        return { fileKey, fileName: parsed.file_name };
       default:
         return {};
     }
diff --git a/extensions/feishu/src/card-action.ts b/extensions/feishu/src/card-action.ts
index e4f76846316..d664b8d6af2 100644
--- a/extensions/feishu/src/card-action.ts
+++ b/extensions/feishu/src/card-action.ts
@@ -1,6 +1,14 @@
 import type { ClawdbotConfig, RuntimeEnv } from "openclaw/plugin-sdk/feishu";
 import { resolveFeishuAccount } from "./accounts.js";
 import { handleFeishuMessage, type FeishuMessageEvent } from "./bot.js";
+import { decodeFeishuCardAction, buildFeishuCardActionTextFallback } from "./card-interaction.js";
+import {
+  createApprovalCard,
+  FEISHU_APPROVAL_CANCEL_ACTION,
+  FEISHU_APPROVAL_CONFIRM_ACTION,
+  FEISHU_APPROVAL_REQUEST_ACTION,
+} from "./card-ux-approval.js";
+import { sendCardFeishu, sendMessageFeishu } from "./send.js";
 
 export type FeishuCardActionEvent = {
   operator: {
@@ -20,18 +28,142 @@ export type FeishuCardActionEvent = {
   };
 };
 
-function buildCardActionTextFallback(event: FeishuCardActionEvent): string {
-  const actionValue = event.action.value;
-  if (typeof actionValue === "object" && actionValue !== null) {
-    if ("text" in actionValue && typeof actionValue.text === "string") {
-      return actionValue.text;
+const FEISHU_APPROVAL_CARD_TTL_MS = 5 * 60_000;
+const FEISHU_CARD_ACTION_TOKEN_TTL_MS = 15 * 60_000;
+const processedCardActionTokens = new Map<
+  string,
+  { status: "inflight" | "completed"; expiresAt: number }
+>();
+
+export function resetProcessedFeishuCardActionTokensForTests(): void {
+  processedCardActionTokens.clear();
+}
+
+function pruneProcessedCardActionTokens(now: number): void {
+  for (const [key, entry] of processedCardActionTokens.entries()) {
+    if (entry.expiresAt <= now) {
+      processedCardActionTokens.delete(key);
     }
-    if ("command" in actionValue && typeof actionValue.command === "string") {
-      return actionValue.command;
-    }
-    return JSON.stringify(actionValue);
   }
-  return String(actionValue);
+}
+
+function beginFeishuCardActionToken(params: {
+  token: string;
+  accountId: string;
+  now?: number;
+}): boolean {
+  const now = params.now ?? Date.now();
+  pruneProcessedCardActionTokens(now);
+  const normalizedToken = params.token.trim();
+  if (!normalizedToken) {
+    return true;
+  }
+  const key = `${params.accountId}:${normalizedToken}`;
+  const existing = processedCardActionTokens.get(key);
+  if (existing && existing.expiresAt > now) {
+    return false;
+  }
+  processedCardActionTokens.set(key, {
+    status: "inflight",
+    expiresAt: now + FEISHU_CARD_ACTION_TOKEN_TTL_MS,
+  });
+  return true;
+}
+
+function completeFeishuCardActionToken(params: {
+  token: string;
+  accountId: string;
+  now?: number;
+}): void {
+  const now = params.now ?? Date.now();
+  const normalizedToken = params.token.trim();
+  if (!normalizedToken) {
+    return;
+  }
+  processedCardActionTokens.set(`${params.accountId}:${normalizedToken}`, {
+    status: "completed",
+    expiresAt: now + FEISHU_CARD_ACTION_TOKEN_TTL_MS,
+  });
+}
+
+function releaseFeishuCardActionToken(params: { token: string; accountId: string }): void {
+  const normalizedToken = params.token.trim();
+  if (!normalizedToken) {
+    return;
+  }
+  processedCardActionTokens.delete(`${params.accountId}:${normalizedToken}`);
+}
+
+function buildSyntheticMessageEvent(
+  event: FeishuCardActionEvent,
+  content: string,
+  chatType?: "p2p" | "group",
+): FeishuMessageEvent {
+  return {
+    sender: {
+      sender_id: {
+        open_id: event.operator.open_id,
+        user_id: event.operator.user_id,
+        union_id: event.operator.union_id,
+      },
+    },
+    message: {
+      message_id: `card-action-${event.token}`,
+      chat_id: event.context.chat_id || event.operator.open_id,
+      chat_type: chatType ?? (event.context.chat_id ? "group" : "p2p"),
+      message_type: "text",
+      content: JSON.stringify({ text: content }),
+    },
+  };
+}
+
+function resolveCallbackTarget(event: FeishuCardActionEvent): string {
+  const chatId = event.context.chat_id?.trim();
+  if (chatId) {
+    return `chat:${chatId}`;
+  }
+  return `user:${event.operator.open_id}`;
+}
+
+async function dispatchSyntheticCommand(params: {
+  cfg: ClawdbotConfig;
+  event: FeishuCardActionEvent;
+  command: string;
+  botOpenId?: string;
+  runtime?: RuntimeEnv;
+  accountId?: string;
+  chatType?: "p2p" | "group";
+}): Promise<void> {
+  await handleFeishuMessage({
+    cfg: params.cfg,
+    event: buildSyntheticMessageEvent(params.event, params.command, params.chatType),
+    botOpenId: params.botOpenId,
+    runtime: params.runtime,
+    accountId: params.accountId,
+  });
+}
+
+async function sendInvalidInteractionNotice(params: {
+  cfg: ClawdbotConfig;
+  event: FeishuCardActionEvent;
+  reason: "malformed" | "stale" | "wrong_user" | "wrong_conversation";
+  accountId?: string;
+}): Promise<void> {
+  const reasonText =
+    params.reason === "stale"
+      ? "This card action has expired. Open a fresh launcher card and try again."
+      : params.reason === "wrong_user"
+        ? "This card action belongs to a different user."
+        : params.reason === "wrong_conversation"
+          ? "This card action belongs to a different conversation."
+          : "This card action payload is invalid.";
+
+  await sendMessageFeishu({
+    cfg: params.cfg,
+    to: resolveCallbackTarget(params.event),
+    text: `⚠️ ${reasonText}`,
+    accountId: params.accountId,
+  });
 }
 
 export async function handleFeishuCardAction(params: {
@@ -44,36 +176,135 @@ export async function handleFeishuCardAction(params: {
   const { cfg, event, runtime, accountId } = params;
   const account = resolveFeishuAccount({ cfg, accountId });
   const log = runtime?.log ?? console.log;
-  const content = buildCardActionTextFallback(event);
-
-  // Construct a synthetic message event
-  const messageEvent: FeishuMessageEvent = {
-    sender: {
-      sender_id: {
-        open_id: event.operator.open_id,
-        user_id: event.operator.user_id,
-        union_id: event.operator.union_id,
-      },
-    },
-    message: {
-      message_id: `card-action-${event.token}`,
-      chat_id: event.context.chat_id || event.operator.open_id,
-      chat_type: event.context.chat_id ? "group" : "p2p",
-      message_type: "text",
-      content: JSON.stringify({ text: content }),
-    },
-  };
-
-  log(
-    `feishu[${account.accountId}]: handling card action from ${event.operator.open_id}: ${content}`,
-  );
-
-  // Dispatch as normal message
-  await handleFeishuMessage({
-    cfg,
-    event: messageEvent,
-    botOpenId: params.botOpenId,
-    runtime,
-    accountId,
+  const decoded = decodeFeishuCardAction({ event });
+  const claimedToken = beginFeishuCardActionToken({
+    token: event.token,
+    accountId: account.accountId,
   });
+  if (!claimedToken) {
+    log(`feishu[${account.accountId}]: skipping duplicate card action token ${event.token}`);
+    return;
+  }
+
+  try {
+    if (decoded.kind === "invalid") {
+      log(
+        `feishu[${account.accountId}]: rejected card action from ${event.operator.open_id}: ${decoded.reason}`,
+      );
+      await sendInvalidInteractionNotice({
+        cfg,
+        event,
+        reason: decoded.reason,
+        accountId,
+      });
+      completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+      return;
+    }
+
+    if (decoded.kind === "structured") {
+      const { envelope } = decoded;
+      log(
+        `feishu[${account.accountId}]: handling structured card action ${envelope.a} from ${event.operator.open_id}`,
+      );
+
+      if (envelope.a === FEISHU_APPROVAL_REQUEST_ACTION) {
+        const command = typeof envelope.m?.command === "string" ? envelope.m.command.trim() : "";
+        if (!command) {
+          await sendInvalidInteractionNotice({
+            cfg,
+            event,
+            reason: "malformed",
+            accountId,
+          });
+          completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+          return;
+        }
+        const prompt =
+          typeof envelope.m?.prompt === "string" && envelope.m.prompt.trim()
+            ? envelope.m.prompt
+            : `Run \`${command}\` in this Feishu conversation?`;
+        await sendCardFeishu({
+          cfg,
+          to: resolveCallbackTarget(event),
+          card: createApprovalCard({
+            operatorOpenId: event.operator.open_id,
+            chatId: event.context.chat_id || undefined,
+            command,
+            prompt,
+            sessionKey: envelope.c?.s,
+            expiresAt: Date.now() + FEISHU_APPROVAL_CARD_TTL_MS,
+            chatType: envelope.c?.t ?? (event.context.chat_id ? "group" : "p2p"),
+            confirmLabel: command === "/reset" ? "Reset" : "Confirm",
+          }),
+          accountId,
+        });
+        completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+        return;
+      }
+
+      if (envelope.a === FEISHU_APPROVAL_CANCEL_ACTION) {
+        await sendMessageFeishu({
+          cfg,
+          to: resolveCallbackTarget(event),
+          text: "Cancelled.",
+          accountId,
+        });
+        completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+        return;
+      }
+
+      if (envelope.a === FEISHU_APPROVAL_CONFIRM_ACTION || envelope.k === "quick") {
+        const command = envelope.q?.trim();
+        if (!command) {
+          await sendInvalidInteractionNotice({
+            cfg,
+            event,
+            reason: "malformed",
+            accountId,
+          });
+          completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+          return;
+        }
+        await dispatchSyntheticCommand({
+          cfg,
+          event,
+          command,
+          botOpenId: params.botOpenId,
+          runtime,
+          accountId,
+          chatType: envelope.c?.t ?? (event.context.chat_id ? "group" : "p2p"),
+        });
+        completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+        return;
+      }
+
+      await sendInvalidInteractionNotice({
+        cfg,
+        event,
+        reason: "malformed",
+        accountId,
+      });
+      completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+      return;
+    }
+
+    const content = buildFeishuCardActionTextFallback(event);
+
+    log(
+      `feishu[${account.accountId}]: handling card action from ${event.operator.open_id}: ${content}`,
+    );
+
+    await dispatchSyntheticCommand({
+      cfg,
+      event,
+      command: content,
+      botOpenId: params.botOpenId,
+      runtime,
+      accountId,
+    });
+    completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+  } catch (err) {
+    releaseFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+    throw err;
+  }
 }
diff --git a/extensions/feishu/src/card-interaction.test.ts b/extensions/feishu/src/card-interaction.test.ts
new file mode 100644
index 00000000000..58aee261162
--- /dev/null
+++ b/extensions/feishu/src/card-interaction.test.ts
@@ -0,0 +1,129 @@
+import { describe, expect, it } from "vitest";
+import {
+  buildFeishuCardActionTextFallback,
+  createFeishuCardInteractionEnvelope,
+  decodeFeishuCardAction,
+} from "./card-interaction.js";
+
+describe("feishu card interaction decoder", () => {
+  it("decodes valid structured payloads", () => {
+    const result = decodeFeishuCardAction({
+      now: 1_700_000_000_000,
+      event: {
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat1" },
+        action: {
+          value: createFeishuCardInteractionEnvelope({
+            k: "quick",
+            a: "feishu.quick_actions.help",
+            q: "/help",
+            c: { u: "u123", h: "chat1", t: "group", e: 1_700_000_060_000 },
+          }),
+        },
+      },
+    });
+
+    expect(result).toEqual(
+      expect.objectContaining({
+        kind: "structured",
+        envelope: expect.objectContaining({
+          q: "/help",
+        }),
+      }),
+    );
+  });
+
+  it("falls back for legacy text-like payloads", () => {
+    const result = decodeFeishuCardAction({
+      event: {
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat1" },
+        action: { value: { text: "/ping" } },
+      },
+    });
+
+    expect(result).toEqual({ kind: "legacy", text: "/ping" });
+    expect(
+      buildFeishuCardActionTextFallback({
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat1" },
+        action: { value: { command: "/new" } },
+      }),
+    ).toBe("/new");
+  });
+
+  it("rejects malformed structured payloads", () => {
+    const result = decodeFeishuCardAction({
+      event: {
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat1" },
+        action: {
+          value: {
+            oc: "ocf1",
+            k: "quick",
+            a: "broken",
+            m: { bad: { nested: true } },
+          },
+        },
+      },
+    });
+
+    expect(result).toEqual({ kind: "invalid", reason: "malformed" });
+  });
+
+  it("rejects stale payloads", () => {
+    const result = decodeFeishuCardAction({
+      now: 100,
+      event: {
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat1" },
+        action: {
+          value: createFeishuCardInteractionEnvelope({
+            k: "button",
+            a: "stale",
+            c: { e: 99, t: "group" },
+          }),
+        },
+      },
+    });
+
+    expect(result).toEqual({ kind: "invalid", reason: "stale" });
+  });
+
+  it("rejects wrong-conversation payloads when chat context is enforced", () => {
+    const result = decodeFeishuCardAction({
+      event: {
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat2" },
+        action: {
+          value: createFeishuCardInteractionEnvelope({
+            k: "button",
+            a: "scoped",
+            c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+          }),
+        },
+      },
+    });
+
+    expect(result).toEqual({ kind: "invalid", reason: "wrong_conversation" });
+  });
+
+  it("rejects malformed chat-type context", () => {
+    const result = decodeFeishuCardAction({
+      event: {
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat1" },
+        action: {
+          value: {
+            oc: "ocf1",
+            k: "button",
+            a: "bad",
+            c: { t: "private" },
+          },
+        },
+      },
+    });
+
+    expect(result).toEqual({ kind: "invalid", reason: "malformed" });
+  });
+});
diff --git a/extensions/feishu/src/card-interaction.ts b/extensions/feishu/src/card-interaction.ts
new file mode 100644
index 00000000000..1da2df05baf
--- /dev/null
+++ b/extensions/feishu/src/card-interaction.ts
@@ -0,0 +1,168 @@
+export const FEISHU_CARD_INTERACTION_VERSION = "ocf1";
+
+export type FeishuCardInteractionKind = "button" | "quick" | "meta";
+export type FeishuCardInteractionReason =
+  | "malformed"
+  | "stale"
+  | "wrong_user"
+  | "wrong_conversation";
+
+export type FeishuCardInteractionMetadata = Record<
+  string,
+  string | number | boolean | null | undefined
+>;
+
+export type FeishuCardInteractionEnvelope = {
+  oc: typeof FEISHU_CARD_INTERACTION_VERSION;
+  k: FeishuCardInteractionKind;
+  a: string;
+  q?: string;
+  m?: FeishuCardInteractionMetadata;
+  c?: {
+    u?: string;
+    h?: string;
+    s?: string;
+    e?: number;
+    t?: "p2p" | "group";
+  };
+};
+
+export type FeishuCardActionEventLike = {
+  operator: {
+    open_id?: string;
+  };
+  action: {
+    value: unknown;
+  };
+  context: {
+    chat_id?: string;
+  };
+};
+
+export type DecodedFeishuCardAction =
+  | {
+      kind: "structured";
+      envelope: FeishuCardInteractionEnvelope;
+    }
+  | {
+      kind: "legacy";
+      text: string;
+    }
+  | {
+      kind: "invalid";
+      reason: FeishuCardInteractionReason;
+    };
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null;
+}
+
+function isInteractionKind(value: unknown): value is FeishuCardInteractionKind {
+  return value === "button" || value === "quick" || value === "meta";
+}
+
+function isMetadataValue(value: unknown): value is string | number | boolean | null | undefined {
+  return (
+    value === null ||
+    value === undefined ||
+    typeof value === "string" ||
+    typeof value === "number" ||
+    typeof value === "boolean"
+  );
+}
+
+export function createFeishuCardInteractionEnvelope(
+  envelope: Omit<FeishuCardInteractionEnvelope, "oc">,
+): FeishuCardInteractionEnvelope {
+  return {
+    oc: FEISHU_CARD_INTERACTION_VERSION,
+    ...envelope,
+  };
+}
+
+export function buildFeishuCardActionTextFallback(event: FeishuCardActionEventLike): string {
+  const actionValue = event.action.value;
+  if (isRecord(actionValue)) {
+    if (typeof actionValue.text === "string") {
+      return actionValue.text;
+    }
+    if (typeof actionValue.command === "string") {
+      return actionValue.command;
+    }
+    return JSON.stringify(actionValue);
+  }
+  return String(actionValue);
+}
+
+export function decodeFeishuCardAction(params: {
+  event: FeishuCardActionEventLike;
+  now?: number;
+}): DecodedFeishuCardAction {
+  const { event, now = Date.now() } = params;
+  const actionValue = event.action.value;
+  if (!isRecord(actionValue) || actionValue.oc !== FEISHU_CARD_INTERACTION_VERSION) {
+    return {
+      kind: "legacy",
+      text: buildFeishuCardActionTextFallback(event),
+    };
+  }
+
+  if (!isInteractionKind(actionValue.k) || typeof actionValue.a !== "string" || !actionValue.a) {
+    return { kind: "invalid", reason: "malformed" };
+  }
+
+  if (actionValue.q !== undefined && typeof actionValue.q !== "string") {
+    return { kind: "invalid", reason: "malformed" };
+  }
+
+  if (actionValue.m !== undefined) {
+    if (!isRecord(actionValue.m)) {
+      return { kind: "invalid", reason: "malformed" };
+    }
+    for (const value of Object.values(actionValue.m)) {
+      if (!isMetadataValue(value)) {
+        return { kind: "invalid", reason: "malformed" };
+      }
+    }
+  }
+
+  if (actionValue.c !== undefined) {
+    if (!isRecord(actionValue.c)) {
+      return { kind: "invalid", reason: "malformed" };
+    }
+    if (actionValue.c.u !== undefined && typeof actionValue.c.u !== "string") {
+      return { kind: "invalid", reason: "malformed" };
+    }
+    if (actionValue.c.h !== undefined && typeof actionValue.c.h !== "string") {
+      return { kind: "invalid", reason: "malformed" };
+    }
+    if (actionValue.c.s !== undefined && typeof actionValue.c.s !== "string") {
+      return { kind: "invalid", reason: "malformed" };
+    }
+    if (actionValue.c.e !== undefined && !Number.isFinite(actionValue.c.e)) {
+      return { kind: "invalid", reason: "malformed" };
+    }
+    if (actionValue.c.t !== undefined && actionValue.c.t !== "p2p" && actionValue.c.t !== "group") {
+      return { kind: "invalid", reason: "malformed" };
+    }
+
+    if (typeof actionValue.c.e === "number" && actionValue.c.e < now) {
+      return { kind: "invalid", reason: "stale" };
+    }
+
+    const expectedUser = actionValue.c.u?.trim();
+    if (expectedUser && expectedUser !== (event.operator.open_id ?? "").trim()) {
+      return { kind: "invalid", reason: "wrong_user" };
+    }
+
+    const expectedChat = actionValue.c.h?.trim();
+    if (expectedChat && expectedChat !== (event.context.chat_id ?? "").trim()) {
+      return { kind: "invalid", reason: "wrong_conversation" };
+    }
+  }
+
+  return {
+    kind: "structured",
+    envelope: actionValue as FeishuCardInteractionEnvelope,
+  };
+}
diff --git a/extensions/feishu/src/card-ux-approval.ts b/extensions/feishu/src/card-ux-approval.ts
new file mode 100644
index 00000000000..944ace931ea
--- /dev/null
+++ b/extensions/feishu/src/card-ux-approval.ts
@@ -0,0 +1,65 @@
+import { createFeishuCardInteractionEnvelope } from "./card-interaction.js";
+import { buildFeishuCardButton, buildFeishuCardInteractionContext } from "./card-ux-shared.js";
+
+export const FEISHU_APPROVAL_REQUEST_ACTION = "feishu.quick_actions.request_approval";
+export const FEISHU_APPROVAL_CONFIRM_ACTION = "feishu.approval.confirm";
+export const FEISHU_APPROVAL_CANCEL_ACTION = "feishu.approval.cancel";
+
+export function createApprovalCard(params: {
+  operatorOpenId: string;
+  chatId?: string;
+  command: string;
+  prompt: string;
+  expiresAt: number;
+  chatType?: "p2p" | "group";
+  sessionKey?: string;
+  confirmLabel?: string;
+  cancelLabel?: string;
+}): Record<string, unknown> {
+  const context = buildFeishuCardInteractionContext(params);
+
+  return {
+    schema: "2.0",
+    config: {
+      wide_screen_mode: true,
+    },
+    header: {
+      title: {
+        tag: "plain_text",
+        content: "Confirm action",
+      },
+      template: "orange",
+    },
+    body: {
+      elements: [
+        {
+          tag: "markdown",
+          content: params.prompt,
+        },
+        {
+          tag: "action",
+          actions: [
+            buildFeishuCardButton({
+              label: params.confirmLabel ?? "Confirm",
+              type: "primary",
+              value: createFeishuCardInteractionEnvelope({
+                k: "quick",
+                a: FEISHU_APPROVAL_CONFIRM_ACTION,
+                q: params.command,
+                c: context,
+              }),
+            }),
+            buildFeishuCardButton({
+              label: params.cancelLabel ?? "Cancel",
+              value: createFeishuCardInteractionEnvelope({
+                k: "button",
+                a: FEISHU_APPROVAL_CANCEL_ACTION,
+                c: context,
+              }),
+            }),
+          ],
+        },
+      ],
+    },
+  };
+}
diff --git a/extensions/feishu/src/card-ux-launcher.test.ts b/extensions/feishu/src/card-ux-launcher.test.ts
new file mode 100644
index 00000000000..6f9f7917daf
--- /dev/null
+++ b/extensions/feishu/src/card-ux-launcher.test.ts
@@ -0,0 +1,98 @@
+import { describe, expect, it, vi, beforeEach } from "vitest";
+import {
+  createQuickActionLauncherCard,
+  isFeishuQuickActionMenuEventKey,
+  maybeHandleFeishuQuickActionMenu,
+} from "./card-ux-launcher.js";
+
+const sendCardFeishuMock = vi.hoisted(() => vi.fn());
+
+vi.mock("./send.js", () => ({
+  sendCardFeishu: sendCardFeishuMock,
+}));
+
+describe("feishu quick-action launcher", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("recognizes the quick-actions bot menu key", () => {
+    expect(isFeishuQuickActionMenuEventKey("quick-actions")).toBe(true);
+    expect(isFeishuQuickActionMenuEventKey("other")).toBe(false);
+  });
+
+  it("builds a launcher card with interactive actions", () => {
+    const card = createQuickActionLauncherCard({
+      operatorOpenId: "u123",
+      chatId: "chat1",
+      expiresAt: 123,
+      sessionKey: "agent:codex:feishu:chat:chat1",
+    }) as {
+      body: {
+        elements: Array<{
+          tag: string;
+          actions?: Array<{ value?: { oc?: string; c?: { s?: string; t?: string } } }>;
+        }>;
+      };
+    };
+
+    const actionBlock = card.body.elements.find((entry) => entry.tag === "action");
+    expect(actionBlock?.actions).toHaveLength(3);
+    expect(actionBlock?.actions?.[0]?.value?.oc).toBe("ocf1");
+    expect(actionBlock?.actions?.[0]?.value?.c?.s).toBe("agent:codex:feishu:chat:chat1");
+    expect(actionBlock?.actions?.[0]?.value?.c?.t).toBeUndefined();
+  });
+
+  it("opens the launcher from a supported bot menu event", async () => {
+    sendCardFeishuMock.mockResolvedValue({ messageId: "m1", chatId: "c1" });
+
+    const handled = await maybeHandleFeishuQuickActionMenu({
+      cfg: {} as any,
+      eventKey: "quick-actions",
+      operatorOpenId: "u123",
+      accountId: "main",
+      now: 100,
+    });
+
+    expect(handled).toBe(true);
+    expect(sendCardFeishuMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: "user:u123",
+        accountId: "main",
+        card: expect.objectContaining({
+          body: expect.objectContaining({
+            elements: expect.arrayContaining([
+              expect.objectContaining({
+                tag: "action",
+                actions: expect.arrayContaining([
+                  expect.objectContaining({
+                    value: expect.objectContaining({
+                      c: expect.objectContaining({
+                        t: "p2p",
+                      }),
+                    }),
+                  }),
+                ]),
+              }),
+            ]),
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("falls back to legacy menu handling when launcher send fails", async () => {
+    sendCardFeishuMock.mockRejectedValueOnce(new Error("network"));
+
+    const handled = await maybeHandleFeishuQuickActionMenu({
+      cfg: {} as any,
+      eventKey: "quick-actions",
+      operatorOpenId: "u123",
+      accountId: "main",
+      runtime: { log: vi.fn() } as any,
+      now: 100,
+    });
+
+    expect(handled).toBe(false);
+  });
+});
diff --git a/extensions/feishu/src/card-ux-launcher.ts b/extensions/feishu/src/card-ux-launcher.ts
new file mode 100644
index 00000000000..3303bc2ed77
--- /dev/null
+++ b/extensions/feishu/src/card-ux-launcher.ts
@@ -0,0 +1,120 @@
+import type { ClawdbotConfig, RuntimeEnv } from "openclaw/plugin-sdk/feishu";
+import { createFeishuCardInteractionEnvelope } from "./card-interaction.js";
+import { FEISHU_APPROVAL_REQUEST_ACTION } from "./card-ux-approval.js";
+import { buildFeishuCardButton, buildFeishuCardInteractionContext } from "./card-ux-shared.js";
+import { sendCardFeishu } from "./send.js";
+
+export const FEISHU_QUICK_ACTION_CARD_TTL_MS = 10 * 60_000;
+
+const QUICK_ACTION_MENU_KEYS = new Set(["quick-actions", "quick_actions", "launcher"]);
+
+export function isFeishuQuickActionMenuEventKey(eventKey: string): boolean {
+  return QUICK_ACTION_MENU_KEYS.has(eventKey.trim().toLowerCase());
+}
+
+export function createQuickActionLauncherCard(params: {
+  operatorOpenId: string;
+  chatId?: string;
+  expiresAt: number;
+  chatType?: "p2p" | "group";
+  sessionKey?: string;
+}): Record<string, unknown> {
+  const context = buildFeishuCardInteractionContext(params);
+  return {
+    schema: "2.0",
+    config: {
+      wide_screen_mode: true,
+    },
+    header: {
+      title: {
+        tag: "plain_text",
+        content: "Quick actions",
+      },
+      template: "indigo",
+    },
+    body: {
+      elements: [
+        {
+          tag: "markdown",
+          content: "Run common actions without typing raw commands.",
+        },
+        {
+          tag: "action",
+          actions: [
+            buildFeishuCardButton({
+              label: "Help",
+              value: createFeishuCardInteractionEnvelope({
+                k: "quick",
+                a: "feishu.quick_actions.help",
+                q: "/help",
+                c: context,
+              }),
+            }),
+            buildFeishuCardButton({
+              label: "New session",
+              type: "primary",
+              value: createFeishuCardInteractionEnvelope({
+                k: "meta",
+                a: FEISHU_APPROVAL_REQUEST_ACTION,
+                m: {
+                  command: "/new",
+                  prompt: "Start a fresh session? This will reset the current chat context.",
+                },
+                c: context,
+              }),
+            }),
+            buildFeishuCardButton({
+              label: "Reset",
+              type: "danger",
+              value: createFeishuCardInteractionEnvelope({
+                k: "meta",
+                a: FEISHU_APPROVAL_REQUEST_ACTION,
+                m: {
+                  command: "/reset",
+                  prompt: "Reset this session now? Any active conversation state will be cleared.",
+                },
+                c: context,
+              }),
+            }),
+          ],
+        },
+      ],
+    },
+  };
+}
+
+export async function maybeHandleFeishuQuickActionMenu(params: {
+  cfg: ClawdbotConfig;
+  eventKey: string;
+  operatorOpenId: string;
+  runtime?: RuntimeEnv;
+  accountId?: string;
+  now?: number;
+}): Promise<boolean> {
+  if (!isFeishuQuickActionMenuEventKey(params.eventKey)) {
+    return false;
+  }
+
+  const expiresAt = (params.now ?? Date.now()) + FEISHU_QUICK_ACTION_CARD_TTL_MS;
+  try {
+    await sendCardFeishu({
+      cfg: params.cfg,
+      to: `user:${params.operatorOpenId}`,
+      card: createQuickActionLauncherCard({
+        operatorOpenId: params.operatorOpenId,
+        expiresAt,
+        chatType: "p2p",
+      }),
+      accountId: params.accountId,
+    });
+  } catch (err) {
+    params.runtime?.log?.(
+      `feishu[${params.accountId ?? "default"}]: failed to open quick-action launcher for ${params.operatorOpenId}: ${String(err)}`,
+    );
+    return false;
+  }
+  params.runtime?.log?.(
+    `feishu[${params.accountId ?? "default"}]: opened quick-action launcher for ${params.operatorOpenId}`,
+  );
+  return true;
+}
diff --git a/extensions/feishu/src/card-ux-shared.ts b/extensions/feishu/src/card-ux-shared.ts
new file mode 100644
index 00000000000..02133c39a5c
--- /dev/null
+++ b/extensions/feishu/src/card-ux-shared.ts
@@ -0,0 +1,33 @@
+import type { FeishuCardInteractionEnvelope } from "./card-interaction.js";
+
+export function buildFeishuCardButton(params: {
+  label: string;
+  value: FeishuCardInteractionEnvelope;
+  type?: "default" | "primary" | "danger";
+}) {
+  return {
+    tag: "button",
+    text: {
+      tag: "plain_text",
+      content: params.label,
+    },
+    type: params.type ?? "default",
+    value: params.value,
+  };
+}
+
+export function buildFeishuCardInteractionContext(params: {
+  operatorOpenId: string;
+  chatId?: string;
+  expiresAt: number;
+  chatType?: "p2p" | "group";
+  sessionKey?: string;
+}) {
+  return {
+    u: params.operatorOpenId,
+    ...(params.chatId ? { h: params.chatId } : {}),
+    ...(params.sessionKey ? { s: params.sessionKey } : {}),
+    e: params.expiresAt,
+    ...(params.chatType ? { t: params.chatType } : {}),
+  };
+}
diff --git a/extensions/feishu/src/channel.runtime.ts b/extensions/feishu/src/channel.runtime.ts
new file mode 100644
index 00000000000..0e4d9fc7583
--- /dev/null
+++ b/extensions/feishu/src/channel.runtime.ts
@@ -0,0 +1,7 @@
+export { listFeishuDirectoryGroupsLive, listFeishuDirectoryPeersLive } from "./directory.js";
+export { feishuOutbound } from "./outbound.js";
+export { createPinFeishu, listPinsFeishu, removePinFeishu } from "./pins.js";
+export { probeFeishu } from "./probe.js";
+export { addReactionFeishu, listReactionsFeishu, removeReactionFeishu } from "./reactions.js";
+export { getChatInfo, getChatMembers, getFeishuMemberInfo } from "./chat.js";
+export { editMessageFeishu, getMessageFeishu, sendCardFeishu, sendMessageFeishu } from "./send.js";
diff --git a/extensions/feishu/src/channel.test.ts b/extensions/feishu/src/channel.test.ts
index e7db645be0b..826ca1c26fb 100644
--- a/extensions/feishu/src/channel.test.ts
+++ b/extensions/feishu/src/channel.test.ts
@@ -1,17 +1,49 @@
 import type { OpenClawConfig } from "openclaw/plugin-sdk/feishu";
-import { describe, expect, it, vi } from "vitest";
+import { beforeEach, describe, expect, it, vi } from "vitest";
 
 const probeFeishuMock = vi.hoisted(() => vi.fn());
+const createFeishuClientMock = vi.hoisted(() => vi.fn());
+const addReactionFeishuMock = vi.hoisted(() => vi.fn());
 const listReactionsFeishuMock = vi.hoisted(() => vi.fn());
+const removeReactionFeishuMock = vi.hoisted(() => vi.fn());
+const sendCardFeishuMock = vi.hoisted(() => vi.fn());
+const sendMessageFeishuMock = vi.hoisted(() => vi.fn());
+const getMessageFeishuMock = vi.hoisted(() => vi.fn());
+const editMessageFeishuMock = vi.hoisted(() => vi.fn());
+const createPinFeishuMock = vi.hoisted(() => vi.fn());
+const listPinsFeishuMock = vi.hoisted(() => vi.fn());
+const removePinFeishuMock = vi.hoisted(() => vi.fn());
+const getChatInfoMock = vi.hoisted(() => vi.fn());
+const getChatMembersMock = vi.hoisted(() => vi.fn());
+const getFeishuMemberInfoMock = vi.hoisted(() => vi.fn());
+const listFeishuDirectoryPeersLiveMock = vi.hoisted(() => vi.fn());
+const listFeishuDirectoryGroupsLiveMock = vi.hoisted(() => vi.fn());
 
 vi.mock("./probe.js", () => ({
   probeFeishu: probeFeishuMock,
 }));
 
-vi.mock("./reactions.js", () => ({
-  addReactionFeishu: vi.fn(),
+vi.mock("./client.js", () => ({
+  createFeishuClient: createFeishuClientMock,
+}));
+
+vi.mock("./channel.runtime.js", () => ({
+  addReactionFeishu: addReactionFeishuMock,
+  createPinFeishu: createPinFeishuMock,
+  editMessageFeishu: editMessageFeishuMock,
+  getChatInfo: getChatInfoMock,
+  getChatMembers: getChatMembersMock,
+  getFeishuMemberInfo: getFeishuMemberInfoMock,
+  getMessageFeishu: getMessageFeishuMock,
+  listFeishuDirectoryGroupsLive: listFeishuDirectoryGroupsLiveMock,
+  listFeishuDirectoryPeersLive: listFeishuDirectoryPeersLiveMock,
+  listPinsFeishu: listPinsFeishuMock,
   listReactionsFeishu: listReactionsFeishuMock,
-  removeReactionFeishu: vi.fn(),
+  probeFeishu: probeFeishuMock,
+  removePinFeishu: removePinFeishuMock,
+  removeReactionFeishu: removeReactionFeishuMock,
+  sendCardFeishu: sendCardFeishuMock,
+  sendMessageFeishu: sendMessageFeishuMock,
 }));
 
 import { feishuPlugin } from "./channel.js";
@@ -68,6 +100,28 @@ describe("feishuPlugin actions", () => {
     },
   } as OpenClawConfig;
 
+  beforeEach(() => {
+    vi.clearAllMocks();
+    createFeishuClientMock.mockReturnValue({ tag: "client" });
+  });
+
+  it("advertises the expanded Feishu action surface", () => {
+    expect(feishuPlugin.actions?.listActions?.({ cfg })).toEqual([
+      "send",
+      "read",
+      "edit",
+      "thread-reply",
+      "pin",
+      "list-pins",
+      "unpin",
+      "member-info",
+      "channel-info",
+      "channel-list",
+      "react",
+      "reactions",
+    ]);
+  });
+
   it("does not advertise reactions when disabled via actions config", () => {
     const disabledCfg = {
       channels: {
@@ -82,41 +136,355 @@ describe("feishuPlugin actions", () => {
       },
     } as OpenClawConfig;
 
-    expect(feishuPlugin.actions?.listActions?.({ cfg: disabledCfg })).toEqual([]);
+    expect(feishuPlugin.actions?.listActions?.({ cfg: disabledCfg })).toEqual([
+      "send",
+      "read",
+      "edit",
+      "thread-reply",
+      "pin",
+      "list-pins",
+      "unpin",
+      "member-info",
+      "channel-info",
+      "channel-list",
+    ]);
   });
 
-  it("advertises reactions when any enabled configured account allows them", () => {
-    const cfg = {
-      channels: {
-        feishu: {
-          enabled: true,
-          defaultAccount: "main",
-          actions: {
-            reactions: false,
-          },
-          accounts: {
-            main: {
-              appId: "cli_main",
-              appSecret: "secret_main",
-              enabled: true,
-              actions: {
-                reactions: false,
-              },
-            },
-            secondary: {
-              appId: "cli_secondary",
-              appSecret: "secret_secondary",
-              enabled: true,
-              actions: {
-                reactions: true,
-              },
-            },
-          },
-        },
-      },
-    } as OpenClawConfig;
+  it("sends text messages", async () => {
+    sendMessageFeishuMock.mockResolvedValueOnce({ messageId: "om_sent", chatId: "oc_group_1" });
 
-    expect(feishuPlugin.actions?.listActions?.({ cfg })).toEqual(["react", "reactions"]);
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "send",
+      params: { to: "chat:oc_group_1", message: "hello" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(sendMessageFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      to: "chat:oc_group_1",
+      text: "hello",
+      accountId: undefined,
+      replyToMessageId: undefined,
+      replyInThread: false,
+    });
+    expect(result?.details).toMatchObject({ ok: true, messageId: "om_sent", chatId: "oc_group_1" });
+  });
+
+  it("sends card messages", async () => {
+    sendCardFeishuMock.mockResolvedValueOnce({ messageId: "om_card", chatId: "oc_group_1" });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "send",
+      params: { to: "chat:oc_group_1", card: { schema: "2.0" } },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(sendCardFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      to: "chat:oc_group_1",
+      card: { schema: "2.0" },
+      accountId: undefined,
+      replyToMessageId: undefined,
+      replyInThread: false,
+    });
+    expect(result?.details).toMatchObject({ ok: true, messageId: "om_card", chatId: "oc_group_1" });
+  });
+
+  it("reads messages", async () => {
+    getMessageFeishuMock.mockResolvedValueOnce({
+      messageId: "om_1",
+      content: "hello",
+      contentType: "text",
+    });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "read",
+      params: { messageId: "om_1" },
+      cfg,
+      accountId: undefined,
+    } as never);
+
+    expect(getMessageFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      messageId: "om_1",
+      accountId: undefined,
+    });
+    expect(result?.details).toMatchObject({
+      ok: true,
+      message: expect.objectContaining({ messageId: "om_1", content: "hello" }),
+    });
+  });
+
+  it("returns an error result when message reads fail", async () => {
+    getMessageFeishuMock.mockResolvedValueOnce(null);
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "read",
+      params: { messageId: "om_missing" },
+      cfg,
+      accountId: undefined,
+    } as never);
+
+    expect((result as { isError?: boolean } | undefined)?.isError).toBe(true);
+    expect(result?.details).toEqual({
+      error: "Feishu read failed or message not found: om_missing",
+    });
+  });
+
+  it("edits messages", async () => {
+    editMessageFeishuMock.mockResolvedValueOnce({ messageId: "om_2", contentType: "post" });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "edit",
+      params: { messageId: "om_2", text: "updated" },
+      cfg,
+      accountId: undefined,
+    } as never);
+
+    expect(editMessageFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      messageId: "om_2",
+      text: "updated",
+      card: undefined,
+      accountId: undefined,
+    });
+    expect(result?.details).toMatchObject({ ok: true, messageId: "om_2", contentType: "post" });
+  });
+
+  it("sends explicit thread replies with reply_in_thread semantics", async () => {
+    sendMessageFeishuMock.mockResolvedValueOnce({ messageId: "om_reply", chatId: "oc_group_1" });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "thread-reply",
+      params: { to: "chat:oc_group_1", messageId: "om_parent", text: "reply body" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(sendMessageFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      to: "chat:oc_group_1",
+      text: "reply body",
+      accountId: undefined,
+      replyToMessageId: "om_parent",
+      replyInThread: true,
+    });
+    expect(result?.details).toMatchObject({
+      ok: true,
+      action: "thread-reply",
+      messageId: "om_reply",
+    });
+  });
+
+  it("creates pins", async () => {
+    createPinFeishuMock.mockResolvedValueOnce({ messageId: "om_pin", chatId: "oc_group_1" });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "pin",
+      params: { messageId: "om_pin" },
+      cfg,
+      accountId: undefined,
+    } as never);
+
+    expect(createPinFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      messageId: "om_pin",
+      accountId: undefined,
+    });
+    expect(result?.details).toMatchObject({
+      ok: true,
+      pin: expect.objectContaining({ messageId: "om_pin" }),
+    });
+  });
+
+  it("lists pins", async () => {
+    listPinsFeishuMock.mockResolvedValueOnce({
+      chatId: "oc_group_1",
+      pins: [{ messageId: "om_pin" }],
+      hasMore: false,
+      pageToken: undefined,
+    });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "list-pins",
+      params: { chatId: "oc_group_1" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(listPinsFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      chatId: "oc_group_1",
+      startTime: undefined,
+      endTime: undefined,
+      pageSize: undefined,
+      pageToken: undefined,
+      accountId: undefined,
+    });
+    expect(result?.details).toMatchObject({
+      ok: true,
+      pins: [expect.objectContaining({ messageId: "om_pin" })],
+    });
+  });
+
+  it("removes pins", async () => {
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "unpin",
+      params: { messageId: "om_pin" },
+      cfg,
+      accountId: undefined,
+    } as never);
+
+    expect(removePinFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      messageId: "om_pin",
+      accountId: undefined,
+    });
+    expect(result?.details).toMatchObject({ ok: true, messageId: "om_pin" });
+  });
+
+  it("fetches channel info", async () => {
+    getChatInfoMock.mockResolvedValueOnce({ chat_id: "oc_group_1", name: "Eng" });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "channel-info",
+      params: { chatId: "oc_group_1" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(createFeishuClientMock).toHaveBeenCalled();
+    expect(getChatInfoMock).toHaveBeenCalledWith({ tag: "client" }, "oc_group_1");
+    expect(result?.details).toMatchObject({
+      ok: true,
+      channel: expect.objectContaining({ chat_id: "oc_group_1", name: "Eng" }),
+    });
+  });
+
+  it("fetches member lists from a chat", async () => {
+    getChatMembersMock.mockResolvedValueOnce({
+      chat_id: "oc_group_1",
+      members: [{ member_id: "ou_1", name: "Alice" }],
+      has_more: false,
+    });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "member-info",
+      params: { chatId: "oc_group_1" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(getChatMembersMock).toHaveBeenCalledWith(
+      { tag: "client" },
+      "oc_group_1",
+      undefined,
+      undefined,
+      "open_id",
+    );
+    expect(result?.details).toMatchObject({
+      ok: true,
+      members: [expect.objectContaining({ member_id: "ou_1", name: "Alice" })],
+    });
+  });
+
+  it("fetches individual member info", async () => {
+    getFeishuMemberInfoMock.mockResolvedValueOnce({ member_id: "ou_1", name: "Alice" });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "member-info",
+      params: { memberId: "ou_1" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(getFeishuMemberInfoMock).toHaveBeenCalledWith({ tag: "client" }, "ou_1", "open_id");
+    expect(result?.details).toMatchObject({
+      ok: true,
+      member: expect.objectContaining({ member_id: "ou_1", name: "Alice" }),
+    });
+  });
+
+  it("infers user_id lookups from the userId alias", async () => {
+    getFeishuMemberInfoMock.mockResolvedValueOnce({ member_id: "u_1", name: "Alice" });
+
+    await feishuPlugin.actions?.handleAction?.({
+      action: "member-info",
+      params: { userId: "u_1" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(getFeishuMemberInfoMock).toHaveBeenCalledWith({ tag: "client" }, "u_1", "user_id");
+  });
+
+  it("honors explicit open_id over alias heuristics", async () => {
+    getFeishuMemberInfoMock.mockResolvedValueOnce({ member_id: "u_1", name: "Alice" });
+
+    await feishuPlugin.actions?.handleAction?.({
+      action: "member-info",
+      params: { userId: "u_1", memberIdType: "open_id" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(getFeishuMemberInfoMock).toHaveBeenCalledWith({ tag: "client" }, "u_1", "open_id");
+  });
+
+  it("lists directory-backed peers and groups", async () => {
+    listFeishuDirectoryGroupsLiveMock.mockResolvedValueOnce([{ kind: "group", id: "oc_group_1" }]);
+    listFeishuDirectoryPeersLiveMock.mockResolvedValueOnce([{ kind: "user", id: "ou_1" }]);
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "channel-list",
+      params: { query: "eng", limit: 5 },
+      cfg,
+      accountId: undefined,
+    } as never);
+
+    expect(listFeishuDirectoryGroupsLiveMock).toHaveBeenCalledWith({
+      cfg,
+      query: "eng",
+      limit: 5,
+      fallbackToStatic: false,
+      accountId: undefined,
+    });
+    expect(listFeishuDirectoryPeersLiveMock).toHaveBeenCalledWith({
+      cfg,
+      query: "eng",
+      limit: 5,
+      fallbackToStatic: false,
+      accountId: undefined,
+    });
+    expect(result?.details).toMatchObject({
+      ok: true,
+      groups: [expect.objectContaining({ id: "oc_group_1" })],
+      peers: [expect.objectContaining({ id: "ou_1" })],
+    });
+  });
+
+  it("fails channel-list when live discovery fails", async () => {
+    listFeishuDirectoryGroupsLiveMock.mockRejectedValueOnce(new Error("token expired"));
+
+    await expect(
+      feishuPlugin.actions?.handleAction?.({
+        action: "channel-list",
+        params: { query: "eng", limit: 5, scope: "groups" },
+        cfg,
+        accountId: undefined,
+      } as never),
+    ).rejects.toThrow("token expired");
   });
 
   it("requires clearAll=true before removing all bot reactions", async () => {
@@ -132,17 +500,6 @@ describe("feishuPlugin actions", () => {
     );
   });
 
-  it("throws for unsupported Feishu send actions without card payload", async () => {
-    await expect(
-      feishuPlugin.actions?.handleAction?.({
-        action: "send",
-        params: { to: "chat:oc_group_1", message: "hello" },
-        cfg,
-        accountId: undefined,
-      } as never),
-    ).rejects.toThrow('Unsupported Feishu action: "send"');
-  });
-
   it("allows explicit clearAll=true when removing all bot reactions", async () => {
     listReactionsFeishuMock.mockResolvedValueOnce([
       { reactionId: "r1", operatorType: "app" },
@@ -161,6 +518,29 @@ describe("feishuPlugin actions", () => {
       messageId: "om_msg1",
       accountId: undefined,
     });
+    expect(removeReactionFeishuMock).toHaveBeenCalledTimes(2);
     expect(result?.details).toMatchObject({ ok: true, removed: 2 });
   });
+
+  it("fails for missing params on supported actions", async () => {
+    await expect(
+      feishuPlugin.actions?.handleAction?.({
+        action: "thread-reply",
+        params: { to: "chat:oc_group_1", message: "reply body" },
+        cfg,
+        accountId: undefined,
+      } as never),
+    ).rejects.toThrow("Feishu thread-reply requires messageId.");
+  });
+
+  it("fails for unsupported action names", async () => {
+    await expect(
+      feishuPlugin.actions?.handleAction?.({
+        action: "search",
+        params: {},
+        cfg,
+        accountId: undefined,
+      } as never),
+    ).rejects.toThrow('Unsupported Feishu action: "search"');
+  });
 });
diff --git a/extensions/feishu/src/channel.ts b/extensions/feishu/src/channel.ts
index 3baa7c916a2..5d47c55e16b 100644
--- a/extensions/feishu/src/channel.ts
+++ b/extensions/feishu/src/channel.ts
@@ -21,19 +21,14 @@ import {
   listEnabledFeishuAccounts,
   resolveDefaultFeishuAccountId,
 } from "./accounts.js";
+import { createFeishuClient } from "./client.js";
 import { FeishuConfigSchema } from "./config-schema.js";
-import {
-  listFeishuDirectoryPeers,
-  listFeishuDirectoryGroups,
-  listFeishuDirectoryPeersLive,
-  listFeishuDirectoryGroupsLive,
-} from "./directory.js";
-import { feishuOnboardingAdapter } from "./onboarding.js";
-import { feishuOutbound } from "./outbound.js";
+import { parseFeishuConversationId } from "./conversation-id.js";
+import { listFeishuDirectoryPeers, listFeishuDirectoryGroups } from "./directory.static.js";
 import { resolveFeishuGroupToolPolicy } from "./policy.js";
-import { probeFeishu } from "./probe.js";
-import { addReactionFeishu, listReactionsFeishu, removeReactionFeishu } from "./reactions.js";
-import { sendCardFeishu, sendMessageFeishu } from "./send.js";
+import { getFeishuRuntime } from "./runtime.js";
+import { feishuSetupAdapter } from "./setup-core.js";
+import { feishuSetupWizard } from "./setup-surface.js";
 import { normalizeFeishuTarget, looksLikeFeishuId, formatFeishuTarget } from "./targets.js";
 import type { ResolvedFeishuAccount, FeishuConfig } from "./types.js";
 
@@ -48,6 +43,10 @@ const meta: ChannelMeta = {
   order: 70,
 };
 
+async function loadFeishuChannelRuntime() {
+  return await import("./channel.runtime.js");
+}
+
 function setFeishuNamedAccountEnabled(
   cfg: ClawdbotConfig,
   accountId: string,
@@ -98,6 +97,189 @@ function areAnyFeishuReactionActionsEnabled(cfg: ClawdbotConfig): boolean {
   return false;
 }
 
+function isSupportedFeishuDirectConversationId(conversationId: string): boolean {
+  const trimmed = conversationId.trim();
+  if (!trimmed || trimmed.includes(":")) {
+    return false;
+  }
+  if (trimmed.startsWith("oc_") || trimmed.startsWith("on_")) {
+    return false;
+  }
+  return true;
+}
+
+function normalizeFeishuAcpConversationId(conversationId: string) {
+  const parsed = parseFeishuConversationId({ conversationId });
+  if (
+    !parsed ||
+    (parsed.scope !== "group_topic" &&
+      parsed.scope !== "group_topic_sender" &&
+      !isSupportedFeishuDirectConversationId(parsed.canonicalConversationId))
+  ) {
+    return null;
+  }
+  return {
+    conversationId: parsed.canonicalConversationId,
+    parentConversationId:
+      parsed.scope === "group_topic" || parsed.scope === "group_topic_sender"
+        ? parsed.chatId
+        : undefined,
+  };
+}
+
+function matchFeishuAcpConversation(params: {
+  bindingConversationId: string;
+  conversationId: string;
+  parentConversationId?: string;
+}) {
+  const binding = normalizeFeishuAcpConversationId(params.bindingConversationId);
+  if (!binding) {
+    return null;
+  }
+  const incoming = parseFeishuConversationId({
+    conversationId: params.conversationId,
+    parentConversationId: params.parentConversationId,
+  });
+  if (
+    !incoming ||
+    (incoming.scope !== "group_topic" &&
+      incoming.scope !== "group_topic_sender" &&
+      !isSupportedFeishuDirectConversationId(incoming.canonicalConversationId))
+  ) {
+    return null;
+  }
+  const matchesCanonicalConversation = binding.conversationId === incoming.canonicalConversationId;
+  const matchesParentTopicForSenderScopedConversation =
+    incoming.scope === "group_topic_sender" &&
+    binding.parentConversationId === incoming.chatId &&
+    binding.conversationId === `${incoming.chatId}:topic:${incoming.topicId}`;
+  if (!matchesCanonicalConversation && !matchesParentTopicForSenderScopedConversation) {
+    return null;
+  }
+  return {
+    conversationId: matchesParentTopicForSenderScopedConversation
+      ? binding.conversationId
+      : incoming.canonicalConversationId,
+    parentConversationId:
+      incoming.scope === "group_topic" || incoming.scope === "group_topic_sender"
+        ? incoming.chatId
+        : undefined,
+    matchPriority: matchesCanonicalConversation ? 2 : 1,
+  };
+}
+
+function jsonActionResult(details: Record<string, unknown>) {
+  return {
+    content: [{ type: "text" as const, text: JSON.stringify(details) }],
+    details,
+  };
+}
+
+function readFirstString(
+  params: Record<string, unknown>,
+  keys: string[],
+  fallback?: string | null,
+): string | undefined {
+  for (const key of keys) {
+    const value = params[key];
+    if (typeof value === "string" && value.trim()) {
+      return value.trim();
+    }
+  }
+  if (typeof fallback === "string" && fallback.trim()) {
+    return fallback.trim();
+  }
+  return undefined;
+}
+
+function readOptionalNumber(params: Record<string, unknown>, keys: string[]): number | undefined {
+  for (const key of keys) {
+    const value = params[key];
+    if (typeof value === "number" && Number.isFinite(value)) {
+      return value;
+    }
+    if (typeof value === "string" && value.trim()) {
+      const parsed = Number(value);
+      if (Number.isFinite(parsed)) {
+        return parsed;
+      }
+    }
+  }
+  return undefined;
+}
+
+function resolveFeishuActionTarget(ctx: {
+  params: Record<string, unknown>;
+  toolContext?: { currentChannelId?: string } | null;
+}): string | undefined {
+  return readFirstString(ctx.params, ["to", "target"], ctx.toolContext?.currentChannelId);
+}
+
+function resolveFeishuChatId(ctx: {
+  params: Record<string, unknown>;
+  toolContext?: { currentChannelId?: string } | null;
+}): string | undefined {
+  const raw = readFirstString(
+    ctx.params,
+    ["chatId", "chat_id", "channelId", "channel_id", "to", "target"],
+    ctx.toolContext?.currentChannelId,
+  );
+  if (!raw) {
+    return undefined;
+  }
+  if (/^(user|dm|open_id):/i.test(raw)) {
+    return undefined;
+  }
+  if (/^(chat|group|channel):/i.test(raw)) {
+    return normalizeFeishuTarget(raw) ?? undefined;
+  }
+  return raw;
+}
+
+function resolveFeishuMessageId(params: Record<string, unknown>): string | undefined {
+  return readFirstString(params, ["messageId", "message_id", "replyTo", "reply_to"]);
+}
+
+function resolveFeishuMemberId(params: Record<string, unknown>): string | undefined {
+  return readFirstString(params, [
+    "memberId",
+    "member_id",
+    "userId",
+    "user_id",
+    "openId",
+    "open_id",
+    "unionId",
+    "union_id",
+  ]);
+}
+
+function resolveFeishuMemberIdType(
+  params: Record<string, unknown>,
+): "open_id" | "user_id" | "union_id" {
+  const raw = readFirstString(params, [
+    "memberIdType",
+    "member_id_type",
+    "userIdType",
+    "user_id_type",
+  ]);
+  if (raw === "open_id" || raw === "user_id" || raw === "union_id") {
+    return raw;
+  }
+  if (
+    readFirstString(params, ["userId", "user_id"]) &&
+    !readFirstString(params, ["openId", "open_id", "unionId", "union_id"])
+  ) {
+    return "user_id";
+  }
+  if (
+    readFirstString(params, ["unionId", "union_id"]) &&
+    !readFirstString(params, ["openId", "open_id"])
+  ) {
+    return "union_id";
+  }
+  return "open_id";
+}
+
 export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
   id: "feishu",
   meta: {
@@ -107,6 +289,7 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
     idLabel: "feishuUserId",
     normalizeAllowEntry: (entry) => entry.replace(/^(feishu|user|open_id):/i, ""),
     notifyApproval: async ({ cfg, id }) => {
+      const { sendMessageFeishu } = await loadFeishuChannelRuntime();
       await sendMessageFeishu({
         cfg,
         to: id,
@@ -126,7 +309,8 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
   agentPrompt: {
     messageToolHints: () => [
       "- Feishu targeting: omit `target` to reply to the current conversation (auto-inferred). Explicit targets: `user:open_id` or `chat:chat_id`.",
-      "- Feishu supports interactive cards for rich messages.",
+      "- Feishu supports interactive cards plus native image, file, audio, and video/media delivery.",
+      "- Feishu supports `send`, `read`, `edit`, `thread-reply`, pins, and channel/member lookup, plus reactions when enabled.",
     ],
   },
   groups: {
@@ -214,18 +398,29 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
       if (listEnabledFeishuAccounts(cfg).length === 0) {
         return [];
       }
-      const actions = new Set<ChannelMessageActionName>();
+      const actions = new Set<ChannelMessageActionName>([
+        "send",
+        "read",
+        "edit",
+        "thread-reply",
+        "pin",
+        "list-pins",
+        "unpin",
+        "member-info",
+        "channel-info",
+        "channel-list",
+      ]);
       if (areAnyFeishuReactionActionsEnabled(cfg)) {
         actions.add("react");
         actions.add("reactions");
       }
       return Array.from(actions);
     },
-    supportsCards: ({ cfg }) => {
-      return (
-        cfg.channels?.feishu?.enabled !== false &&
+    getCapabilities: ({ cfg }) => {
+      return cfg.channels?.feishu?.enabled !== false &&
         Boolean(resolveFeishuCredentials(cfg.channels?.feishu as FeishuConfig | undefined))
-      );
+        ? (["cards"] as const)
+        : [];
     },
     handleAction: async (ctx) => {
       const account = resolveFeishuAccount({ cfg: ctx.cfg, accountId: ctx.accountId ?? undefined });
@@ -235,48 +430,303 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
       ) {
         throw new Error("Feishu reactions are disabled via actions.reactions.");
       }
-      if (ctx.action === "send" && ctx.params.card) {
-        const card = ctx.params.card as Record<string, unknown>;
-        const to =
-          typeof ctx.params.to === "string"
-            ? ctx.params.to.trim()
-            : typeof ctx.params.target === "string"
-              ? ctx.params.target.trim()
-              : "";
+      if (ctx.action === "send" || ctx.action === "thread-reply") {
+        const to = resolveFeishuActionTarget(ctx);
         if (!to) {
-          return {
-            isError: true,
-            content: [{ type: "text" as const, text: "Feishu card send requires a target (to)." }],
-            details: { error: "Feishu card send requires a target (to)." },
-          };
+          throw new Error(`Feishu ${ctx.action} requires a target (to).`);
         }
         const replyToMessageId =
-          typeof ctx.params.replyTo === "string"
-            ? ctx.params.replyTo.trim() || undefined
+          ctx.action === "thread-reply" ? resolveFeishuMessageId(ctx.params) : undefined;
+        if (ctx.action === "thread-reply" && !replyToMessageId) {
+          throw new Error("Feishu thread-reply requires messageId.");
+        }
+        const card =
+          ctx.params.card && typeof ctx.params.card === "object"
+            ? (ctx.params.card as Record<string, unknown>)
             : undefined;
-        const result = await sendCardFeishu({
+        const text = readFirstString(ctx.params, ["text", "message"]);
+        if (!card && !text) {
+          throw new Error(`Feishu ${ctx.action} requires text/message or card.`);
+        }
+        const runtime = await loadFeishuChannelRuntime();
+        const result = card
+          ? await runtime.sendCardFeishu({
+              cfg: ctx.cfg,
+              to,
+              card,
+              accountId: ctx.accountId ?? undefined,
+              replyToMessageId,
+              replyInThread: ctx.action === "thread-reply",
+            })
+          : await runtime.sendMessageFeishu({
+              cfg: ctx.cfg,
+              to,
+              text: text!,
+              accountId: ctx.accountId ?? undefined,
+              replyToMessageId,
+              replyInThread: ctx.action === "thread-reply",
+            });
+        return jsonActionResult({
+          ok: true,
+          channel: "feishu",
+          action: ctx.action,
+          ...result,
+        });
+      }
+
+      if (ctx.action === "read") {
+        const messageId = resolveFeishuMessageId(ctx.params);
+        if (!messageId) {
+          throw new Error("Feishu read requires messageId.");
+        }
+        const { getMessageFeishu } = await loadFeishuChannelRuntime();
+        const message = await getMessageFeishu({
           cfg: ctx.cfg,
-          to,
+          messageId,
+          accountId: ctx.accountId ?? undefined,
+        });
+        if (!message) {
+          return {
+            isError: true,
+            content: [
+              {
+                type: "text" as const,
+                text: JSON.stringify({
+                  error: `Feishu read failed or message not found: ${messageId}`,
+                }),
+              },
+            ],
+            details: { error: `Feishu read failed or message not found: ${messageId}` },
+          };
+        }
+        return jsonActionResult({ ok: true, channel: "feishu", action: "read", message });
+      }
+
+      if (ctx.action === "edit") {
+        const messageId = resolveFeishuMessageId(ctx.params);
+        if (!messageId) {
+          throw new Error("Feishu edit requires messageId.");
+        }
+        const text = readFirstString(ctx.params, ["text", "message"]);
+        const card =
+          ctx.params.card && typeof ctx.params.card === "object"
+            ? (ctx.params.card as Record<string, unknown>)
+            : undefined;
+        const { editMessageFeishu } = await loadFeishuChannelRuntime();
+        const result = await editMessageFeishu({
+          cfg: ctx.cfg,
+          messageId,
+          text,
           card,
           accountId: ctx.accountId ?? undefined,
-          replyToMessageId,
         });
-        return {
-          content: [
-            {
-              type: "text" as const,
-              text: JSON.stringify({ ok: true, channel: "feishu", ...result }),
-            },
-          ],
-          details: { ok: true, channel: "feishu", ...result },
-        };
+        return jsonActionResult({
+          ok: true,
+          channel: "feishu",
+          action: "edit",
+          ...result,
+        });
+      }
+
+      if (ctx.action === "pin") {
+        const messageId = resolveFeishuMessageId(ctx.params);
+        if (!messageId) {
+          throw new Error("Feishu pin requires messageId.");
+        }
+        const { createPinFeishu } = await loadFeishuChannelRuntime();
+        const pin = await createPinFeishu({
+          cfg: ctx.cfg,
+          messageId,
+          accountId: ctx.accountId ?? undefined,
+        });
+        return jsonActionResult({ ok: true, channel: "feishu", action: "pin", pin });
+      }
+
+      if (ctx.action === "unpin") {
+        const messageId = resolveFeishuMessageId(ctx.params);
+        if (!messageId) {
+          throw new Error("Feishu unpin requires messageId.");
+        }
+        const { removePinFeishu } = await loadFeishuChannelRuntime();
+        await removePinFeishu({
+          cfg: ctx.cfg,
+          messageId,
+          accountId: ctx.accountId ?? undefined,
+        });
+        return jsonActionResult({
+          ok: true,
+          channel: "feishu",
+          action: "unpin",
+          messageId,
+        });
+      }
+
+      if (ctx.action === "list-pins") {
+        const chatId = resolveFeishuChatId(ctx);
+        if (!chatId) {
+          throw new Error("Feishu list-pins requires chatId or channelId.");
+        }
+        const { listPinsFeishu } = await loadFeishuChannelRuntime();
+        const result = await listPinsFeishu({
+          cfg: ctx.cfg,
+          chatId,
+          startTime: readFirstString(ctx.params, ["startTime", "start_time"]),
+          endTime: readFirstString(ctx.params, ["endTime", "end_time"]),
+          pageSize: readOptionalNumber(ctx.params, ["pageSize", "page_size"]),
+          pageToken: readFirstString(ctx.params, ["pageToken", "page_token"]),
+          accountId: ctx.accountId ?? undefined,
+        });
+        return jsonActionResult({
+          ok: true,
+          channel: "feishu",
+          action: "list-pins",
+          ...result,
+        });
+      }
+
+      if (ctx.action === "channel-info") {
+        const chatId = resolveFeishuChatId(ctx);
+        if (!chatId) {
+          throw new Error("Feishu channel-info requires chatId or channelId.");
+        }
+        const runtime = await loadFeishuChannelRuntime();
+        const client = createFeishuClient(account);
+        const channel = await runtime.getChatInfo(client, chatId);
+        const includeMembers = ctx.params.includeMembers === true || ctx.params.members === true;
+        if (!includeMembers) {
+          return jsonActionResult({
+            ok: true,
+            provider: "feishu",
+            action: "channel-info",
+            channel,
+          });
+        }
+        const members = await runtime.getChatMembers(
+          client,
+          chatId,
+          readOptionalNumber(ctx.params, ["pageSize", "page_size"]),
+          readFirstString(ctx.params, ["pageToken", "page_token"]),
+          resolveFeishuMemberIdType(ctx.params),
+        );
+        return jsonActionResult({
+          ok: true,
+          provider: "feishu",
+          action: "channel-info",
+          channel,
+          members,
+        });
+      }
+
+      if (ctx.action === "member-info") {
+        const runtime = await loadFeishuChannelRuntime();
+        const client = createFeishuClient(account);
+        const memberId = resolveFeishuMemberId(ctx.params);
+        if (memberId) {
+          const member = await runtime.getFeishuMemberInfo(
+            client,
+            memberId,
+            resolveFeishuMemberIdType(ctx.params),
+          );
+          return jsonActionResult({
+            ok: true,
+            channel: "feishu",
+            action: "member-info",
+            member,
+          });
+        }
+        const chatId = resolveFeishuChatId(ctx);
+        if (!chatId) {
+          throw new Error("Feishu member-info requires memberId or chatId/channelId.");
+        }
+        const members = await runtime.getChatMembers(
+          client,
+          chatId,
+          readOptionalNumber(ctx.params, ["pageSize", "page_size"]),
+          readFirstString(ctx.params, ["pageToken", "page_token"]),
+          resolveFeishuMemberIdType(ctx.params),
+        );
+        return jsonActionResult({
+          ok: true,
+          channel: "feishu",
+          action: "member-info",
+          ...members,
+        });
+      }
+
+      if (ctx.action === "channel-list") {
+        const runtime = await loadFeishuChannelRuntime();
+        const query = readFirstString(ctx.params, ["query"]);
+        const limit = readOptionalNumber(ctx.params, ["limit"]);
+        const scope = readFirstString(ctx.params, ["scope", "kind"]) ?? "all";
+        if (
+          scope === "groups" ||
+          scope === "group" ||
+          scope === "channels" ||
+          scope === "channel"
+        ) {
+          const groups = await runtime.listFeishuDirectoryGroupsLive({
+            cfg: ctx.cfg,
+            query,
+            limit,
+            fallbackToStatic: false,
+            accountId: ctx.accountId ?? undefined,
+          });
+          return jsonActionResult({
+            ok: true,
+            channel: "feishu",
+            action: "channel-list",
+            groups,
+          });
+        }
+        if (
+          scope === "peers" ||
+          scope === "peer" ||
+          scope === "members" ||
+          scope === "member" ||
+          scope === "users" ||
+          scope === "user"
+        ) {
+          const peers = await runtime.listFeishuDirectoryPeersLive({
+            cfg: ctx.cfg,
+            query,
+            limit,
+            fallbackToStatic: false,
+            accountId: ctx.accountId ?? undefined,
+          });
+          return jsonActionResult({
+            ok: true,
+            channel: "feishu",
+            action: "channel-list",
+            peers,
+          });
+        }
+        const [groups, peers] = await Promise.all([
+          runtime.listFeishuDirectoryGroupsLive({
+            cfg: ctx.cfg,
+            query,
+            limit,
+            fallbackToStatic: false,
+            accountId: ctx.accountId ?? undefined,
+          }),
+          runtime.listFeishuDirectoryPeersLive({
+            cfg: ctx.cfg,
+            query,
+            limit,
+            fallbackToStatic: false,
+            accountId: ctx.accountId ?? undefined,
+          }),
+        ]);
+        return jsonActionResult({
+          ok: true,
+          channel: "feishu",
+          action: "channel-list",
+          groups,
+          peers,
+        });
       }
 
       if (ctx.action === "react") {
-        const messageId =
-          (typeof ctx.params.messageId === "string" && ctx.params.messageId.trim()) ||
-          (typeof ctx.params.message_id === "string" && ctx.params.message_id.trim()) ||
-          undefined;
+        const messageId = resolveFeishuMessageId(ctx.params);
         if (!messageId) {
           throw new Error("Feishu reaction requires messageId.");
         }
@@ -287,6 +737,7 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
           if (!emoji) {
             throw new Error("Emoji is required to remove a Feishu reaction.");
           }
+          const { listReactionsFeishu, removeReactionFeishu } = await loadFeishuChannelRuntime();
           const matches = await listReactionsFeishu({
             cfg: ctx.cfg,
             messageId,
@@ -295,12 +746,7 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
           });
           const ownReaction = matches.find((entry) => entry.operatorType === "app");
           if (!ownReaction) {
-            return {
-              content: [
-                { type: "text" as const, text: JSON.stringify({ ok: true, removed: null }) },
-              ],
-              details: { ok: true, removed: null },
-            };
+            return jsonActionResult({ ok: true, removed: null });
           }
           await removeReactionFeishu({
             cfg: ctx.cfg,
@@ -308,12 +754,7 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
             reactionId: ownReaction.reactionId,
             accountId: ctx.accountId ?? undefined,
           });
-          return {
-            content: [
-              { type: "text" as const, text: JSON.stringify({ ok: true, removed: emoji }) },
-            ],
-            details: { ok: true, removed: emoji },
-          };
+          return jsonActionResult({ ok: true, removed: emoji });
         }
         if (!emoji) {
           if (!clearAll) {
@@ -321,6 +762,7 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
               "Emoji is required to add a Feishu reaction. Set clearAll=true to remove all bot reactions.",
             );
           }
+          const { listReactionsFeishu, removeReactionFeishu } = await loadFeishuChannelRuntime();
           const reactions = await listReactionsFeishu({
             cfg: ctx.cfg,
             messageId,
@@ -336,40 +778,30 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
             });
             removed += 1;
           }
-          return {
-            content: [{ type: "text" as const, text: JSON.stringify({ ok: true, removed }) }],
-            details: { ok: true, removed },
-          };
+          return jsonActionResult({ ok: true, removed });
         }
+        const { addReactionFeishu } = await loadFeishuChannelRuntime();
         await addReactionFeishu({
           cfg: ctx.cfg,
           messageId,
           emojiType: emoji,
           accountId: ctx.accountId ?? undefined,
         });
-        return {
-          content: [{ type: "text" as const, text: JSON.stringify({ ok: true, added: emoji }) }],
-          details: { ok: true, added: emoji },
-        };
+        return jsonActionResult({ ok: true, added: emoji });
       }
 
       if (ctx.action === "reactions") {
-        const messageId =
-          (typeof ctx.params.messageId === "string" && ctx.params.messageId.trim()) ||
-          (typeof ctx.params.message_id === "string" && ctx.params.message_id.trim()) ||
-          undefined;
+        const messageId = resolveFeishuMessageId(ctx.params);
         if (!messageId) {
           throw new Error("Feishu reactions lookup requires messageId.");
         }
+        const { listReactionsFeishu } = await loadFeishuChannelRuntime();
         const reactions = await listReactionsFeishu({
           cfg: ctx.cfg,
           messageId,
           accountId: ctx.accountId ?? undefined,
         });
-        return {
-          content: [{ type: "text" as const, text: JSON.stringify({ ok: true, reactions }) }],
-          details: { ok: true, reactions },
-        };
+        return jsonActionResult({ ok: true, reactions });
       }
 
       throw new Error(`Unsupported Feishu action: "${String(ctx.action)}"`);
@@ -390,28 +822,14 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
       });
     },
   },
-  setup: {
-    resolveAccountId: () => DEFAULT_ACCOUNT_ID,
-    applyAccountConfig: ({ cfg, accountId }) => {
-      const isDefault = !accountId || accountId === DEFAULT_ACCOUNT_ID;
-
-      if (isDefault) {
-        return {
-          ...cfg,
-          channels: {
-            ...cfg.channels,
-            feishu: {
-              ...cfg.channels?.feishu,
-              enabled: true,
-            },
-          },
-        };
-      }
-
-      return setFeishuNamedAccountEnabled(cfg, accountId, true);
-    },
+  acpBindings: {
+    normalizeConfiguredBindingTarget: ({ conversationId }) =>
+      normalizeFeishuAcpConversationId(conversationId),
+    matchConfiguredBinding: ({ bindingConversationId, conversationId, parentConversationId }) =>
+      matchFeishuAcpConversation({ bindingConversationId, conversationId, parentConversationId }),
   },
-  onboarding: feishuOnboardingAdapter,
+  setup: feishuSetupAdapter,
+  setupWizard: feishuSetupWizard,
   messaging: {
     normalizeTarget: (raw) => normalizeFeishuTarget(raw) ?? undefined,
     targetResolver: {
@@ -436,28 +854,37 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
         accountId: accountId ?? undefined,
       }),
     listPeersLive: async ({ cfg, query, limit, accountId }) =>
-      listFeishuDirectoryPeersLive({
+      (await loadFeishuChannelRuntime()).listFeishuDirectoryPeersLive({
         cfg,
         query: query ?? undefined,
         limit: limit ?? undefined,
         accountId: accountId ?? undefined,
       }),
     listGroupsLive: async ({ cfg, query, limit, accountId }) =>
-      listFeishuDirectoryGroupsLive({
+      (await loadFeishuChannelRuntime()).listFeishuDirectoryGroupsLive({
         cfg,
         query: query ?? undefined,
         limit: limit ?? undefined,
         accountId: accountId ?? undefined,
       }),
   },
-  outbound: feishuOutbound,
+  outbound: {
+    deliveryMode: "direct",
+    chunker: (text, limit) => getFeishuRuntime().channel.text.chunkMarkdownText(text, limit),
+    chunkerMode: "markdown",
+    textChunkLimit: 4000,
+    sendText: async (params) => (await loadFeishuChannelRuntime()).feishuOutbound.sendText!(params),
+    sendMedia: async (params) =>
+      (await loadFeishuChannelRuntime()).feishuOutbound.sendMedia!(params),
+  },
   status: {
     defaultRuntime: createDefaultChannelRuntimeState(DEFAULT_ACCOUNT_ID, { port: null }),
     buildChannelSummary: ({ snapshot }) =>
       buildProbeChannelStatusSummary(snapshot, {
         port: snapshot.port ?? null,
       }),
-    probeAccount: async ({ account }) => await probeFeishu(account),
+    probeAccount: async ({ account }) =>
+      await (await loadFeishuChannelRuntime()).probeFeishu(account),
     buildAccountSnapshot: ({ account, runtime, probe }) => ({
       accountId: account.accountId,
       enabled: account.enabled,
diff --git a/extensions/feishu/src/chat-schema.ts b/extensions/feishu/src/chat-schema.ts
index 5f7bdd6a5c7..5460f11dcc9 100644
--- a/extensions/feishu/src/chat-schema.ts
+++ b/extensions/feishu/src/chat-schema.ts
@@ -1,15 +1,16 @@
 import { Type, type Static } from "@sinclair/typebox";
 
-const CHAT_ACTION_VALUES = ["members", "info"] as const;
+const CHAT_ACTION_VALUES = ["members", "info", "member_info"] as const;
 const MEMBER_ID_TYPE_VALUES = ["open_id", "user_id", "union_id"] as const;
 
 export const FeishuChatSchema = Type.Object({
   action: Type.Unsafe<(typeof CHAT_ACTION_VALUES)[number]>({
     type: "string",
     enum: [...CHAT_ACTION_VALUES],
-    description: "Action to run: members | info",
+    description: "Action to run: members | info | member_info",
   }),
-  chat_id: Type.String({ description: "Chat ID (from URL or event payload)" }),
+  chat_id: Type.Optional(Type.String({ description: "Chat ID (from URL or event payload)" })),
+  member_id: Type.Optional(Type.String({ description: "Member ID for member_info lookups" })),
   page_size: Type.Optional(Type.Number({ description: "Page size (1-100, default 50)" })),
   page_token: Type.Optional(Type.String({ description: "Pagination token" })),
   member_id_type: Type.Optional(
diff --git a/extensions/feishu/src/chat.test.ts b/extensions/feishu/src/chat.test.ts
index 9ebf579f962..d06442b12f8 100644
--- a/extensions/feishu/src/chat.test.ts
+++ b/extensions/feishu/src/chat.test.ts
@@ -2,15 +2,15 @@ import { beforeEach, describe, expect, it, vi } from "vitest";
 import { registerFeishuChatTools } from "./chat.js";
 
 const createFeishuClientMock = vi.hoisted(() => vi.fn());
+const chatGetMock = vi.hoisted(() => vi.fn());
+const chatMembersGetMock = vi.hoisted(() => vi.fn());
+const contactUserGetMock = vi.hoisted(() => vi.fn());
 
 vi.mock("./client.js", () => ({
   createFeishuClient: createFeishuClientMock,
 }));
 
 describe("registerFeishuChatTools", () => {
-  const chatGetMock = vi.hoisted(() => vi.fn());
-  const chatMembersGetMock = vi.hoisted(() => vi.fn());
-
   beforeEach(() => {
     vi.clearAllMocks();
     createFeishuClientMock.mockReturnValue({
@@ -18,6 +18,9 @@ describe("registerFeishuChatTools", () => {
         chat: { get: chatGetMock },
         chatMembers: { get: chatMembersGetMock },
       },
+      contact: {
+        user: { get: contactUserGetMock },
+      },
     });
   });
 
@@ -66,6 +69,31 @@ describe("registerFeishuChatTools", () => {
         members: [expect.objectContaining({ member_id: "ou_1", name: "member1" })],
       }),
     );
+
+    contactUserGetMock.mockResolvedValueOnce({
+      code: 0,
+      data: {
+        user: {
+          open_id: "ou_1",
+          name: "member1",
+          email: "member1@example.com",
+          department_ids: ["od_1"],
+        },
+      },
+    });
+    const memberInfoResult = await tool.execute("tc_3", {
+      action: "member_info",
+      member_id: "ou_1",
+    });
+    expect(memberInfoResult.details).toEqual(
+      expect.objectContaining({
+        member_id: "ou_1",
+        open_id: "ou_1",
+        name: "member1",
+        email: "member1@example.com",
+        department_ids: ["od_1"],
+      }),
+    );
   });
 
   it("skips registration when chat tool is disabled", () => {
diff --git a/extensions/feishu/src/chat.ts b/extensions/feishu/src/chat.ts
index df168d579ee..9c62e5648b2 100644
--- a/extensions/feishu/src/chat.ts
+++ b/extensions/feishu/src/chat.ts
@@ -12,7 +12,7 @@ function json(data: unknown) {
   };
 }
 
-async function getChatInfo(client: Lark.Client, chatId: string) {
+export async function getChatInfo(client: Lark.Client, chatId: string) {
   const res = await client.im.chat.get({ path: { chat_id: chatId } });
   if (res.code !== 0) {
     throw new Error(res.msg);
@@ -36,7 +36,7 @@ async function getChatInfo(client: Lark.Client, chatId: string) {
   };
 }
 
-async function getChatMembers(
+export async function getChatMembers(
   client: Lark.Client,
   chatId: string,
   pageSize?: number,
@@ -71,6 +71,55 @@ async function getChatMembers(
   };
 }
 
+export async function getFeishuMemberInfo(
+  client: Lark.Client,
+  memberId: string,
+  memberIdType: "open_id" | "user_id" | "union_id" = "open_id",
+) {
+  const res = await client.contact.user.get({
+    path: { user_id: memberId },
+    params: {
+      user_id_type: memberIdType,
+      department_id_type: "open_department_id",
+    },
+  });
+
+  if (res.code !== 0) {
+    throw new Error(res.msg);
+  }
+
+  const user = res.data?.user;
+  return {
+    member_id: memberId,
+    member_id_type: memberIdType,
+    open_id: user?.open_id,
+    user_id: user?.user_id,
+    union_id: user?.union_id,
+    name: user?.name,
+    en_name: user?.en_name,
+    nickname: user?.nickname,
+    email: user?.email,
+    enterprise_email: user?.enterprise_email,
+    mobile: user?.mobile,
+    mobile_visible: user?.mobile_visible,
+    status: user?.status,
+    avatar: user?.avatar,
+    department_ids: user?.department_ids,
+    department_path: user?.department_path,
+    leader_user_id: user?.leader_user_id,
+    city: user?.city,
+    country: user?.country,
+    work_station: user?.work_station,
+    join_time: user?.join_time,
+    is_tenant_manager: user?.is_tenant_manager,
+    employee_no: user?.employee_no,
+    employee_type: user?.employee_type,
+    description: user?.description,
+    job_title: user?.job_title,
+    geo: user?.geo,
+  };
+}
+
 export function registerFeishuChatTools(api: OpenClawPluginApi) {
   if (!api.config) {
     api.logger.debug?.("feishu_chat: No config available, skipping chat tools");
@@ -96,7 +145,7 @@ export function registerFeishuChatTools(api: OpenClawPluginApi) {
     {
       name: "feishu_chat",
       label: "Feishu Chat",
-      description: "Feishu chat operations. Actions: members, info",
+      description: "Feishu chat operations. Actions: members, info, member_info",
       parameters: FeishuChatSchema,
       async execute(_toolCallId, params) {
         const p = params as FeishuChatParams;
@@ -104,6 +153,9 @@ export function registerFeishuChatTools(api: OpenClawPluginApi) {
           const client = getClient();
           switch (p.action) {
             case "members":
+              if (!p.chat_id) {
+                return json({ error: "chat_id is required for action members" });
+              }
               return json(
                 await getChatMembers(
                   client,
@@ -114,7 +166,17 @@ export function registerFeishuChatTools(api: OpenClawPluginApi) {
                 ),
               );
             case "info":
+              if (!p.chat_id) {
+                return json({ error: "chat_id is required for action info" });
+              }
               return json(await getChatInfo(client, p.chat_id));
+            case "member_info":
+              if (!p.member_id) {
+                return json({ error: "member_id is required for action member_info" });
+              }
+              return json(
+                await getFeishuMemberInfo(client, p.member_id, p.member_id_type ?? "open_id"),
+              );
             default:
               return json({ error: `Unknown action: ${String(p.action)}` });
           }
diff --git a/extensions/feishu/src/directory.static.ts b/extensions/feishu/src/directory.static.ts
new file mode 100644
index 00000000000..b79e4e94f77
--- /dev/null
+++ b/extensions/feishu/src/directory.static.ts
@@ -0,0 +1,61 @@
+import {
+  listDirectoryGroupEntriesFromMapKeysAndAllowFrom,
+  listDirectoryUserEntriesFromAllowFromAndMapKeys,
+} from "openclaw/plugin-sdk/compat";
+import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+import { resolveFeishuAccount } from "./accounts.js";
+import { normalizeFeishuTarget } from "./targets.js";
+
+export type FeishuDirectoryPeer = {
+  kind: "user";
+  id: string;
+  name?: string;
+};
+
+export type FeishuDirectoryGroup = {
+  kind: "group";
+  id: string;
+  name?: string;
+};
+
+function toFeishuDirectoryPeers(ids: string[]): FeishuDirectoryPeer[] {
+  return ids.map((id) => ({ kind: "user", id }));
+}
+
+function toFeishuDirectoryGroups(ids: string[]): FeishuDirectoryGroup[] {
+  return ids.map((id) => ({ kind: "group", id }));
+}
+
+export async function listFeishuDirectoryPeers(params: {
+  cfg: ClawdbotConfig;
+  query?: string;
+  limit?: number;
+  accountId?: string;
+}): Promise<FeishuDirectoryPeer[]> {
+  const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
+  const entries = listDirectoryUserEntriesFromAllowFromAndMapKeys({
+    allowFrom: account.config.allowFrom,
+    map: account.config.dms,
+    query: params.query,
+    limit: params.limit,
+    normalizeAllowFromId: (entry) => normalizeFeishuTarget(entry) ?? entry,
+    normalizeMapKeyId: (entry) => normalizeFeishuTarget(entry) ?? entry,
+  });
+  return toFeishuDirectoryPeers(entries.map((entry) => entry.id));
+}
+
+export async function listFeishuDirectoryGroups(params: {
+  cfg: ClawdbotConfig;
+  query?: string;
+  limit?: number;
+  accountId?: string;
+}): Promise<FeishuDirectoryGroup[]> {
+  const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
+  const entries = listDirectoryGroupEntriesFromMapKeysAndAllowFrom({
+    groups: account.config.groups,
+    allowFrom: account.config.groupAllowFrom,
+    query: params.query,
+    limit: params.limit,
+  });
+  return toFeishuDirectoryGroups(entries.map((entry) => entry.id));
+}
diff --git a/extensions/feishu/src/directory.test.ts b/extensions/feishu/src/directory.test.ts
index c06b2fb6c80..805f2f006e9 100644
--- a/extensions/feishu/src/directory.test.ts
+++ b/extensions/feishu/src/directory.test.ts
@@ -1,27 +1,45 @@
 import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
 import { describe, expect, it, vi } from "vitest";
 
+const resolveFeishuAccountMock = vi.hoisted(() => vi.fn());
+const createFeishuClientMock = vi.hoisted(() => vi.fn());
+
 vi.mock("./accounts.js", () => ({
-  resolveFeishuAccount: vi.fn(() => ({
-    configured: false,
-    config: {
-      allowFrom: ["user:alice", "user:bob"],
-      dms: {
-        "user:carla": {},
-      },
-      groups: {
-        "chat-1": {},
-      },
-      groupAllowFrom: ["chat-2"],
-    },
-  })),
+  resolveFeishuAccount: resolveFeishuAccountMock,
 }));
 
-import { listFeishuDirectoryGroups, listFeishuDirectoryPeers } from "./directory.js";
+vi.mock("./client.js", () => ({
+  createFeishuClient: createFeishuClientMock,
+}));
+
+import {
+  listFeishuDirectoryGroups,
+  listFeishuDirectoryGroupsLive,
+  listFeishuDirectoryPeers,
+  listFeishuDirectoryPeersLive,
+} from "./directory.js";
 
 describe("feishu directory (config-backed)", () => {
   const cfg = {} as ClawdbotConfig;
 
+  function makeStaticAccount() {
+    return {
+      configured: false,
+      config: {
+        allowFrom: ["user:alice", "user:bob"],
+        dms: {
+          "user:carla": {},
+        },
+        groups: {
+          "chat-1": {},
+        },
+        groupAllowFrom: ["chat-2"],
+      },
+    };
+  }
+
+  resolveFeishuAccountMock.mockImplementation(() => makeStaticAccount());
+
   it("merges allowFrom + dms into peer entries", async () => {
     const peers = await listFeishuDirectoryPeers({ cfg, query: "a" });
     expect(peers).toEqual([
@@ -37,4 +55,64 @@ describe("feishu directory (config-backed)", () => {
       { kind: "group", id: "chat-2" },
     ]);
   });
+
+  it("falls back to static peers on live lookup failure by default", async () => {
+    resolveFeishuAccountMock.mockReturnValueOnce({
+      ...makeStaticAccount(),
+      configured: true,
+    });
+    createFeishuClientMock.mockReturnValueOnce({
+      contact: {
+        user: {
+          list: vi.fn(async () => {
+            throw new Error("token expired");
+          }),
+        },
+      },
+    });
+
+    const peers = await listFeishuDirectoryPeersLive({ cfg, query: "a" });
+    expect(peers).toEqual([
+      { kind: "user", id: "alice" },
+      { kind: "user", id: "carla" },
+    ]);
+  });
+
+  it("surfaces live peer lookup failures when fallback is disabled", async () => {
+    resolveFeishuAccountMock.mockReturnValueOnce({
+      ...makeStaticAccount(),
+      configured: true,
+    });
+    createFeishuClientMock.mockReturnValueOnce({
+      contact: {
+        user: {
+          list: vi.fn(async () => {
+            throw new Error("token expired");
+          }),
+        },
+      },
+    });
+
+    await expect(listFeishuDirectoryPeersLive({ cfg, fallbackToStatic: false })).rejects.toThrow(
+      "token expired",
+    );
+  });
+
+  it("surfaces live group lookup failures when fallback is disabled", async () => {
+    resolveFeishuAccountMock.mockReturnValueOnce({
+      ...makeStaticAccount(),
+      configured: true,
+    });
+    createFeishuClientMock.mockReturnValueOnce({
+      im: {
+        chat: {
+          list: vi.fn(async () => ({ code: 999, msg: "forbidden" })),
+        },
+      },
+    });
+
+    await expect(listFeishuDirectoryGroupsLive({ cfg, fallbackToStatic: false })).rejects.toThrow(
+      "forbidden",
+    );
+  });
 });
diff --git a/extensions/feishu/src/directory.ts b/extensions/feishu/src/directory.ts
index 4b5ca584a99..af6ed8859cf 100644
--- a/extensions/feishu/src/directory.ts
+++ b/extensions/feishu/src/directory.ts
@@ -1,71 +1,21 @@
-import {
-  listDirectoryGroupEntriesFromMapKeysAndAllowFrom,
-  listDirectoryUserEntriesFromAllowFromAndMapKeys,
-} from "openclaw/plugin-sdk/compat";
 import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
 import { resolveFeishuAccount } from "./accounts.js";
 import { createFeishuClient } from "./client.js";
-import { normalizeFeishuTarget } from "./targets.js";
+import {
+  listFeishuDirectoryGroups,
+  listFeishuDirectoryPeers,
+  type FeishuDirectoryGroup,
+  type FeishuDirectoryPeer,
+} from "./directory.static.js";
 
-export type FeishuDirectoryPeer = {
-  kind: "user";
-  id: string;
-  name?: string;
-};
-
-export type FeishuDirectoryGroup = {
-  kind: "group";
-  id: string;
-  name?: string;
-};
-
-function toFeishuDirectoryPeers(ids: string[]): FeishuDirectoryPeer[] {
-  return ids.map((id) => ({ kind: "user", id }));
-}
-
-function toFeishuDirectoryGroups(ids: string[]): FeishuDirectoryGroup[] {
-  return ids.map((id) => ({ kind: "group", id }));
-}
-
-export async function listFeishuDirectoryPeers(params: {
-  cfg: ClawdbotConfig;
-  query?: string;
-  limit?: number;
-  accountId?: string;
-}): Promise<FeishuDirectoryPeer[]> {
-  const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
-  const entries = listDirectoryUserEntriesFromAllowFromAndMapKeys({
-    allowFrom: account.config.allowFrom,
-    map: account.config.dms,
-    query: params.query,
-    limit: params.limit,
-    normalizeAllowFromId: (entry) => normalizeFeishuTarget(entry) ?? entry,
-    normalizeMapKeyId: (entry) => normalizeFeishuTarget(entry) ?? entry,
-  });
-  return toFeishuDirectoryPeers(entries.map((entry) => entry.id));
-}
-
-export async function listFeishuDirectoryGroups(params: {
-  cfg: ClawdbotConfig;
-  query?: string;
-  limit?: number;
-  accountId?: string;
-}): Promise<FeishuDirectoryGroup[]> {
-  const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
-  const entries = listDirectoryGroupEntriesFromMapKeysAndAllowFrom({
-    groups: account.config.groups,
-    allowFrom: account.config.groupAllowFrom,
-    query: params.query,
-    limit: params.limit,
-  });
-  return toFeishuDirectoryGroups(entries.map((entry) => entry.id));
-}
+export { listFeishuDirectoryGroups, listFeishuDirectoryPeers } from "./directory.static.js";
 
 export async function listFeishuDirectoryPeersLive(params: {
   cfg: ClawdbotConfig;
   query?: string;
   limit?: number;
   accountId?: string;
+  fallbackToStatic?: boolean;
 }): Promise<FeishuDirectoryPeer[]> {
   const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
   if (!account.configured) {
@@ -83,27 +33,32 @@ export async function listFeishuDirectoryPeersLive(params: {
       },
     });
 
-    if (response.code === 0 && response.data?.items) {
-      for (const user of response.data.items) {
-        if (user.open_id) {
-          const q = params.query?.trim().toLowerCase() || "";
-          const name = user.name || "";
-          if (!q || user.open_id.toLowerCase().includes(q) || name.toLowerCase().includes(q)) {
-            peers.push({
-              kind: "user",
-              id: user.open_id,
-              name: name || undefined,
-            });
-          }
-        }
-        if (peers.length >= limit) {
-          break;
+    if (response.code !== 0) {
+      throw new Error(response.msg || `code ${response.code}`);
+    }
+
+    for (const user of response.data?.items ?? []) {
+      if (user.open_id) {
+        const q = params.query?.trim().toLowerCase() || "";
+        const name = user.name || "";
+        if (!q || user.open_id.toLowerCase().includes(q) || name.toLowerCase().includes(q)) {
+          peers.push({
+            kind: "user",
+            id: user.open_id,
+            name: name || undefined,
+          });
         }
       }
+      if (peers.length >= limit) {
+        break;
+      }
     }
 
     return peers;
-  } catch {
+  } catch (err) {
+    if (params.fallbackToStatic === false) {
+      throw err instanceof Error ? err : new Error("Feishu live peer lookup failed");
+    }
     return listFeishuDirectoryPeers(params);
   }
 }
@@ -113,6 +68,7 @@ export async function listFeishuDirectoryGroupsLive(params: {
   query?: string;
   limit?: number;
   accountId?: string;
+  fallbackToStatic?: boolean;
 }): Promise<FeishuDirectoryGroup[]> {
   const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
   if (!account.configured) {
@@ -130,27 +86,32 @@ export async function listFeishuDirectoryGroupsLive(params: {
       },
     });
 
-    if (response.code === 0 && response.data?.items) {
-      for (const chat of response.data.items) {
-        if (chat.chat_id) {
-          const q = params.query?.trim().toLowerCase() || "";
-          const name = chat.name || "";
-          if (!q || chat.chat_id.toLowerCase().includes(q) || name.toLowerCase().includes(q)) {
-            groups.push({
-              kind: "group",
-              id: chat.chat_id,
-              name: name || undefined,
-            });
-          }
-        }
-        if (groups.length >= limit) {
-          break;
+    if (response.code !== 0) {
+      throw new Error(response.msg || `code ${response.code}`);
+    }
+
+    for (const chat of response.data?.items ?? []) {
+      if (chat.chat_id) {
+        const q = params.query?.trim().toLowerCase() || "";
+        const name = chat.name || "";
+        if (!q || chat.chat_id.toLowerCase().includes(q) || name.toLowerCase().includes(q)) {
+          groups.push({
+            kind: "group",
+            id: chat.chat_id,
+            name: name || undefined,
+          });
         }
       }
+      if (groups.length >= limit) {
+        break;
+      }
     }
 
     return groups;
-  } catch {
+  } catch (err) {
+    if (params.fallbackToStatic === false) {
+      throw err instanceof Error ? err : new Error("Feishu live group lookup failed");
+    }
     return listFeishuDirectoryGroups(params);
   }
 }
diff --git a/extensions/feishu/src/media.test.ts b/extensions/feishu/src/media.test.ts
index 80555c294ae..67ea2c1b77f 100644
--- a/extensions/feishu/src/media.test.ts
+++ b/extensions/feishu/src/media.test.ts
@@ -195,6 +195,58 @@ describe("sendMediaFeishu msg_type routing", () => {
     );
   });
 
+  it("uses msg_type=media for remote mp4 content even when the filename is generic", async () => {
+    loadWebMediaMock.mockResolvedValueOnce({
+      buffer: Buffer.from("remote-video"),
+      fileName: "download",
+      kind: "video",
+      contentType: "video/mp4",
+    });
+
+    await sendMediaFeishu({
+      cfg: {} as any,
+      to: "user:ou_target",
+      mediaUrl: "https://example.com/video",
+    });
+
+    expect(fileCreateMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({ file_type: "mp4" }),
+      }),
+    );
+    expect(messageCreateMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({ msg_type: "media" }),
+      }),
+    );
+  });
+
+  it("falls back to generic file for unsupported audio formats", async () => {
+    loadWebMediaMock.mockResolvedValueOnce({
+      buffer: Buffer.from("remote-mp3"),
+      fileName: "song.mp3",
+      kind: "audio",
+      contentType: "audio/mpeg",
+    });
+
+    await sendMediaFeishu({
+      cfg: {} as any,
+      to: "user:ou_target",
+      mediaUrl: "https://example.com/song.mp3",
+    });
+
+    expect(fileCreateMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({ file_type: "stream" }),
+      }),
+    );
+    expect(messageCreateMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({ msg_type: "file" }),
+      }),
+    );
+  });
+
   it("configures the media client timeout for image uploads", async () => {
     await sendMediaFeishu({
       cfg: {} as any,
@@ -520,4 +572,27 @@ describe("downloadMessageResourceFeishu", () => {
     expectMediaTimeoutClientConfigured();
     expect(result.buffer).toBeInstanceOf(Buffer);
   });
+
+  it("extracts content-type and filename metadata from download headers", async () => {
+    messageResourceGetMock.mockResolvedValueOnce({
+      data: Buffer.from("fake-video-data"),
+      headers: {
+        "content-type": "video/mp4",
+        "content-disposition": `attachment; filename="clip.mp4"`,
+      },
+    });
+
+    const result = await downloadMessageResourceFeishu({
+      cfg: {} as any,
+      messageId: "om_video_msg",
+      fileKey: "file_key_video",
+      type: "file",
+    });
+
+    expect(result).toMatchObject({
+      buffer: Buffer.from("fake-video-data"),
+      contentType: "video/mp4",
+      fileName: "clip.mp4",
+    });
+  });
 });
diff --git a/extensions/feishu/src/media.ts b/extensions/feishu/src/media.ts
index 45596fe45ed..b7888b7069e 100644
--- a/extensions/feishu/src/media.ts
+++ b/extensions/feishu/src/media.ts
@@ -2,6 +2,7 @@ import fs from "fs";
 import path from "path";
 import { Readable } from "stream";
 import { withTempDownloadPath, type ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+import { mediaKindFromMime } from "../../../src/media/constants.js";
 import { resolveFeishuAccount } from "./accounts.js";
 import { createFeishuClient } from "./client.js";
 import { normalizeFeishuExternalKey } from "./external-keys.js";
@@ -61,6 +62,75 @@ function extractFeishuUploadKey(
   return key;
 }
 
+function readHeaderValue(
+  headers: Record<string, unknown> | undefined,
+  name: string,
+): string | undefined {
+  if (!headers) {
+    return undefined;
+  }
+  const target = name.toLowerCase();
+  for (const [key, value] of Object.entries(headers)) {
+    if (key.toLowerCase() !== target) {
+      continue;
+    }
+    if (typeof value === "string" && value.trim()) {
+      return value.trim();
+    }
+    if (Array.isArray(value)) {
+      const first = value.find((entry) => typeof entry === "string" && entry.trim());
+      if (typeof first === "string") {
+        return first.trim();
+      }
+    }
+  }
+  return undefined;
+}
+
+function decodeDispositionFileName(value: string): string | undefined {
+  const utf8Match = value.match(/filename\*=UTF-8''([^;]+)/i);
+  if (utf8Match?.[1]) {
+    try {
+      return decodeURIComponent(utf8Match[1].trim().replace(/^"(.*)"$/, "$1"));
+    } catch {
+      return utf8Match[1].trim().replace(/^"(.*)"$/, "$1");
+    }
+  }
+
+  const plainMatch = value.match(/filename="?([^";]+)"?/i);
+  return plainMatch?.[1]?.trim();
+}
+
+function extractFeishuDownloadMetadata(response: unknown): {
+  contentType?: string;
+  fileName?: string;
+} {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- SDK response type
+  const responseAny = response as any;
+  const headers =
+    (responseAny.headers as Record<string, unknown> | undefined) ??
+    (responseAny.header as Record<string, unknown> | undefined);
+
+  const contentType =
+    readHeaderValue(headers, "content-type") ??
+    (typeof responseAny.contentType === "string" ? responseAny.contentType : undefined) ??
+    (typeof responseAny.mime_type === "string" ? responseAny.mime_type : undefined) ??
+    (typeof responseAny.data?.contentType === "string"
+      ? responseAny.data.contentType
+      : undefined) ??
+    (typeof responseAny.data?.mime_type === "string" ? responseAny.data.mime_type : undefined);
+
+  const disposition = readHeaderValue(headers, "content-disposition");
+  const fileName =
+    (disposition ? decodeDispositionFileName(disposition) : undefined) ??
+    (typeof responseAny.file_name === "string" ? responseAny.file_name : undefined) ??
+    (typeof responseAny.fileName === "string" ? responseAny.fileName : undefined) ??
+    (typeof responseAny.data?.file_name === "string" ? responseAny.data.file_name : undefined) ??
+    (typeof responseAny.data?.fileName === "string" ? responseAny.data.fileName : undefined);
+
+  return { contentType, fileName };
+}
+
 async function readFeishuResponseBuffer(params: {
   response: unknown;
   tmpDirPrefix: string;
@@ -144,7 +214,8 @@ export async function downloadImageFeishu(params: {
     tmpDirPrefix: "openclaw-feishu-img-",
     errorPrefix: "Feishu image download failed",
   });
-  return { buffer };
+  const meta = extractFeishuDownloadMetadata(response);
+  return { buffer, contentType: meta.contentType };
 }
 
 /**
@@ -175,7 +246,7 @@ export async function downloadMessageResourceFeishu(params: {
     tmpDirPrefix: "openclaw-feishu-resource-",
     errorPrefix: "Feishu message resource download failed",
   });
-  return { buffer };
+  return { buffer, ...extractFeishuDownloadMetadata(response) };
 }
 
 export type UploadImageResult = {
@@ -401,6 +472,53 @@ export function detectFileType(
   }
 }
 
+function resolveFeishuOutboundMediaKind(params: { fileName: string; contentType?: string }): {
+  fileType?: "opus" | "mp4" | "pdf" | "doc" | "xls" | "ppt" | "stream";
+  msgType: "image" | "file" | "audio" | "media";
+} {
+  const { fileName, contentType } = params;
+  const ext = path.extname(fileName).toLowerCase();
+  const mimeKind = mediaKindFromMime(contentType);
+
+  const isImageExt = [".jpg", ".jpeg", ".png", ".gif", ".webp", ".bmp", ".ico", ".tiff"].includes(
+    ext,
+  );
+  if (isImageExt || mimeKind === "image") {
+    return { msgType: "image" };
+  }
+
+  if (
+    ext === ".opus" ||
+    ext === ".ogg" ||
+    contentType === "audio/ogg" ||
+    contentType === "audio/opus"
+  ) {
+    return { fileType: "opus", msgType: "audio" };
+  }
+
+  if (
+    [".mp4", ".mov", ".avi"].includes(ext) ||
+    contentType === "video/mp4" ||
+    contentType === "video/quicktime" ||
+    contentType === "video/x-msvideo"
+  ) {
+    return { fileType: "mp4", msgType: "media" };
+  }
+
+  const fileType = detectFileType(fileName);
+  return {
+    fileType,
+    msgType:
+      fileType === "stream"
+        ? "file"
+        : fileType === "opus"
+          ? "audio"
+          : fileType === "mp4"
+            ? "media"
+            : "file",
+  };
+}
+
 /**
  * Upload and send media (image or file) from URL, local path, or buffer.
  * When mediaUrl is a local path, mediaLocalRoots (from core outbound context)
@@ -437,6 +555,7 @@ export async function sendMediaFeishu(params: {
 
   let buffer: Buffer;
   let name: string;
+  let contentType: string | undefined;
 
   if (mediaBuffer) {
     buffer = mediaBuffer;
@@ -449,33 +568,29 @@ export async function sendMediaFeishu(params: {
     });
     buffer = loaded.buffer;
     name = fileName ?? loaded.fileName ?? "file";
+    contentType = loaded.contentType;
   } else {
     throw new Error("Either mediaUrl or mediaBuffer must be provided");
   }
 
-  // Determine if it's an image based on extension
-  const ext = path.extname(name).toLowerCase();
-  const isImage = [".jpg", ".jpeg", ".png", ".gif", ".webp", ".bmp", ".ico", ".tiff"].includes(ext);
+  const routing = resolveFeishuOutboundMediaKind({ fileName: name, contentType });
 
-  if (isImage) {
+  if (routing.msgType === "image") {
     const { imageKey } = await uploadImageFeishu({ cfg, image: buffer, accountId });
     return sendImageFeishu({ cfg, to, imageKey, replyToMessageId, replyInThread, accountId });
   } else {
-    const fileType = detectFileType(name);
     const { fileKey } = await uploadFileFeishu({
       cfg,
       file: buffer,
       fileName: name,
-      fileType,
+      fileType: routing.fileType ?? "stream",
       accountId,
     });
-    // Feishu API: opus -> "audio", mp4/video -> "media" (playable), others -> "file"
-    const msgType = fileType === "opus" ? "audio" : fileType === "mp4" ? "media" : "file";
     return sendFileFeishu({
       cfg,
       to,
       fileKey,
-      msgType,
+      msgType: routing.msgType,
       replyToMessageId,
       replyInThread,
       accountId,
diff --git a/extensions/feishu/src/monitor.account.ts b/extensions/feishu/src/monitor.account.ts
index 3d761631399..241376ac0ba 100644
--- a/extensions/feishu/src/monitor.account.ts
+++ b/extensions/feishu/src/monitor.account.ts
@@ -10,6 +10,7 @@ import {
   type FeishuBotAddedEvent,
 } from "./bot.js";
 import { handleFeishuCardAction, type FeishuCardActionEvent } from "./card-action.js";
+import { maybeHandleFeishuQuickActionMenu } from "./card-ux-launcher.js";
 import { createEventDispatcher } from "./client.js";
 import {
   hasProcessedFeishuMessage,
@@ -513,7 +514,7 @@ function registerEventHandlers(
       try {
         const event = data as {
           event_key?: string;
-          timestamp?: number;
+          timestamp?: string | number;
           operator?: {
             operator_name?: string;
             operator_id?: { open_id?: string; user_id?: string; union_id?: string };
@@ -543,14 +544,28 @@ function registerEventHandlers(
             }),
           },
         };
-        const promise = handleFeishuMessage({
+        const handleLegacyMenu = () =>
+          handleFeishuMessage({
+            cfg,
+            event: syntheticEvent,
+            botOpenId: botOpenIds.get(accountId),
+            botName: botNames.get(accountId),
+            runtime,
+            chatHistories,
+            accountId,
+          });
+
+        const promise = maybeHandleFeishuQuickActionMenu({
           cfg,
-          event: syntheticEvent,
-          botOpenId: botOpenIds.get(accountId),
-          botName: botNames.get(accountId),
+          eventKey,
+          operatorOpenId,
           runtime,
-          chatHistories,
           accountId,
+        }).then((handledMenu) => {
+          if (handledMenu) {
+            return;
+          }
+          return handleLegacyMenu();
         });
         if (fireAndForget) {
           promise.catch((err) => {
diff --git a/extensions/feishu/src/monitor.bot-menu.test.ts b/extensions/feishu/src/monitor.bot-menu.test.ts
new file mode 100644
index 00000000000..cecb0b0512c
--- /dev/null
+++ b/extensions/feishu/src/monitor.bot-menu.test.ts
@@ -0,0 +1,229 @@
+import type { ClawdbotConfig, RuntimeEnv } from "openclaw/plugin-sdk/feishu";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { hasControlCommand } from "../../../src/auto-reply/command-detection.js";
+import {
+  createInboundDebouncer,
+  resolveInboundDebounceMs,
+} from "../../../src/auto-reply/inbound-debounce.js";
+import { createPluginRuntimeMock } from "../../test-utils/plugin-runtime-mock.js";
+import { monitorSingleAccount } from "./monitor.account.js";
+import { setFeishuRuntime } from "./runtime.js";
+import type { ResolvedFeishuAccount } from "./types.js";
+
+const createEventDispatcherMock = vi.hoisted(() => vi.fn());
+const monitorWebSocketMock = vi.hoisted(() => vi.fn(async () => {}));
+const monitorWebhookMock = vi.hoisted(() => vi.fn(async () => {}));
+const handleFeishuMessageMock = vi.hoisted(() => vi.fn(async () => {}));
+const sendCardFeishuMock = vi.hoisted(() => vi.fn(async () => ({ messageId: "m1", chatId: "c1" })));
+const createFeishuThreadBindingManagerMock = vi.hoisted(() => vi.fn(() => ({ stop: vi.fn() })));
+
+let handlers: Record<string, (data: unknown) => Promise<void>> = {};
+
+vi.mock("./client.js", () => ({
+  createEventDispatcher: createEventDispatcherMock,
+}));
+
+vi.mock("./monitor.transport.js", () => ({
+  monitorWebSocket: monitorWebSocketMock,
+  monitorWebhook: monitorWebhookMock,
+}));
+
+vi.mock("./bot.js", async () => {
+  const actual = await vi.importActual<typeof import("./bot.js")>("./bot.js");
+  return {
+    ...actual,
+    handleFeishuMessage: handleFeishuMessageMock,
+  };
+});
+
+vi.mock("./send.js", async () => {
+  const actual = await vi.importActual<typeof import("./send.js")>("./send.js");
+  return {
+    ...actual,
+    sendCardFeishu: sendCardFeishuMock,
+  };
+});
+
+vi.mock("./thread-bindings.js", () => ({
+  createFeishuThreadBindingManager: createFeishuThreadBindingManagerMock,
+}));
+
+function buildAccount(): ResolvedFeishuAccount {
+  return {
+    accountId: "default",
+    enabled: true,
+    configured: true,
+    appId: "cli_test",
+    appSecret: "secret_test", // pragma: allowlist secret
+    domain: "feishu",
+    config: {
+      enabled: true,
+      connectionMode: "websocket",
+    },
+  } as ResolvedFeishuAccount;
+}
+
+async function registerHandlers() {
+  setFeishuRuntime(
+    createPluginRuntimeMock({
+      channel: {
+        debounce: {
+          createInboundDebouncer,
+          resolveInboundDebounceMs,
+        },
+        text: {
+          hasControlCommand,
+        },
+      },
+    }),
+  );
+  const register = vi.fn((registered: Record<string, (data: unknown) => Promise<void>>) => {
+    handlers = registered;
+  });
+  createEventDispatcherMock.mockReturnValue({ register });
+
+  await monitorSingleAccount({
+    cfg: {} as ClawdbotConfig,
+    account: buildAccount(),
+    runtime: {
+      log: vi.fn(),
+      error: vi.fn(),
+      exit: vi.fn(),
+    } as RuntimeEnv,
+    botOpenIdSource: {
+      kind: "prefetched",
+      botOpenId: "ou_bot",
+      botName: "Bot",
+    },
+  });
+
+  const onBotMenu = handlers["application.bot.menu_v6"];
+  if (!onBotMenu) {
+    throw new Error("missing application.bot.menu_v6 handler");
+  }
+  return onBotMenu;
+}
+
+describe("Feishu bot menu handler", () => {
+  beforeEach(() => {
+    handlers = {};
+    vi.clearAllMocks();
+  });
+
+  it("opens the quick-action launcher card at the webhook/event layer", async () => {
+    const onBotMenu = await registerHandlers();
+
+    await onBotMenu({
+      event_key: "quick-actions",
+      timestamp: "1700000000000",
+      operator: {
+        operator_id: {
+          open_id: "ou_user1",
+          user_id: "user_1",
+          union_id: "union_1",
+        },
+      },
+    });
+
+    expect(sendCardFeishuMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: "user:ou_user1",
+        card: expect.objectContaining({
+          header: expect.objectContaining({
+            title: expect.objectContaining({ content: "Quick actions" }),
+          }),
+        }),
+      }),
+    );
+    expect(handleFeishuMessageMock).not.toHaveBeenCalled();
+  });
+
+  it("does not block bot-menu handling on quick-action launcher send", async () => {
+    const onBotMenu = await registerHandlers();
+    let resolveSend: (() => void) | undefined;
+    sendCardFeishuMock.mockImplementationOnce(
+      () =>
+        new Promise((resolve) => {
+          resolveSend = () => resolve({ messageId: "m1", chatId: "c1" });
+        }),
+    );
+
+    const pending = onBotMenu({
+      event_key: "quick-actions",
+      timestamp: "1700000000000",
+      operator: {
+        operator_id: {
+          open_id: "ou_user1",
+          user_id: "user_1",
+          union_id: "union_1",
+        },
+      },
+    });
+    let settled = false;
+    pending.finally(() => {
+      settled = true;
+    });
+
+    await Promise.resolve();
+    expect(settled).toBe(true);
+
+    resolveSend?.();
+    await pending;
+  });
+
+  it("falls back to the legacy /menu synthetic message path for unrelated bot menu keys", async () => {
+    const onBotMenu = await registerHandlers();
+
+    await onBotMenu({
+      event_key: "custom-key",
+      timestamp: "1700000000000",
+      operator: {
+        operator_id: {
+          open_id: "ou_user1",
+          user_id: "user_1",
+          union_id: "union_1",
+        },
+      },
+    });
+
+    expect(handleFeishuMessageMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        event: expect.objectContaining({
+          message: expect.objectContaining({
+            content: '{"text":"/menu custom-key"}',
+          }),
+        }),
+      }),
+    );
+    expect(sendCardFeishuMock).not.toHaveBeenCalled();
+  });
+
+  it("falls back to the legacy /menu path when launcher rendering fails", async () => {
+    const onBotMenu = await registerHandlers();
+    sendCardFeishuMock.mockRejectedValueOnce(new Error("boom"));
+
+    await onBotMenu({
+      event_key: "quick-actions",
+      timestamp: "1700000000000",
+      operator: {
+        operator_id: {
+          open_id: "ou_user1",
+          user_id: "user_1",
+          union_id: "union_1",
+        },
+      },
+    });
+
+    await vi.waitFor(() => {
+      expect(handleFeishuMessageMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          event: expect.objectContaining({
+            message: expect.objectContaining({
+              content: '{"text":"/menu quick-actions"}',
+            }),
+          }),
+        }),
+      );
+    });
+  });
+});
diff --git a/extensions/feishu/src/pins.ts b/extensions/feishu/src/pins.ts
new file mode 100644
index 00000000000..0205acf3aa3
--- /dev/null
+++ b/extensions/feishu/src/pins.ts
@@ -0,0 +1,108 @@
+import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+import { resolveFeishuAccount } from "./accounts.js";
+import { createFeishuClient } from "./client.js";
+
+export type FeishuPin = {
+  messageId: string;
+  chatId?: string;
+  operatorId?: string;
+  operatorIdType?: string;
+  createTime?: string;
+};
+
+function assertFeishuPinApiSuccess(response: { code?: number; msg?: string }, action: string) {
+  if (response.code !== 0) {
+    throw new Error(`Feishu ${action} failed: ${response.msg || `code ${response.code}`}`);
+  }
+}
+
+function normalizePin(pin: {
+  message_id: string;
+  chat_id?: string;
+  operator_id?: string;
+  operator_id_type?: string;
+  create_time?: string;
+}): FeishuPin {
+  return {
+    messageId: pin.message_id,
+    chatId: pin.chat_id,
+    operatorId: pin.operator_id,
+    operatorIdType: pin.operator_id_type,
+    createTime: pin.create_time,
+  };
+}
+
+export async function createPinFeishu(params: {
+  cfg: ClawdbotConfig;
+  messageId: string;
+  accountId?: string;
+}): Promise<FeishuPin | null> {
+  const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
+  if (!account.configured) {
+    throw new Error(`Feishu account "${account.accountId}" not configured`);
+  }
+
+  const client = createFeishuClient(account);
+  const response = await client.im.pin.create({
+    data: {
+      message_id: params.messageId,
+    },
+  });
+  assertFeishuPinApiSuccess(response, "pin create");
+  return response.data?.pin ? normalizePin(response.data.pin) : null;
+}
+
+export async function removePinFeishu(params: {
+  cfg: ClawdbotConfig;
+  messageId: string;
+  accountId?: string;
+}): Promise<void> {
+  const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
+  if (!account.configured) {
+    throw new Error(`Feishu account "${account.accountId}" not configured`);
+  }
+
+  const client = createFeishuClient(account);
+  const response = await client.im.pin.delete({
+    path: {
+      message_id: params.messageId,
+    },
+  });
+  assertFeishuPinApiSuccess(response, "pin delete");
+}
+
+export async function listPinsFeishu(params: {
+  cfg: ClawdbotConfig;
+  chatId: string;
+  startTime?: string;
+  endTime?: string;
+  pageSize?: number;
+  pageToken?: string;
+  accountId?: string;
+}): Promise<{ chatId: string; pins: FeishuPin[]; hasMore: boolean; pageToken?: string }> {
+  const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
+  if (!account.configured) {
+    throw new Error(`Feishu account "${account.accountId}" not configured`);
+  }
+
+  const client = createFeishuClient(account);
+  const response = await client.im.pin.list({
+    params: {
+      chat_id: params.chatId,
+      ...(params.startTime ? { start_time: params.startTime } : {}),
+      ...(params.endTime ? { end_time: params.endTime } : {}),
+      ...(typeof params.pageSize === "number"
+        ? { page_size: Math.max(1, Math.min(100, Math.floor(params.pageSize))) }
+        : {}),
+      ...(params.pageToken ? { page_token: params.pageToken } : {}),
+    },
+  });
+  assertFeishuPinApiSuccess(response, "pin list");
+
+  return {
+    chatId: params.chatId,
+    pins: (response.data?.items ?? []).map(normalizePin),
+    hasMore: response.data?.has_more === true,
+    pageToken: response.data?.page_token,
+  };
+}
diff --git a/extensions/feishu/src/send.reply-fallback.test.ts b/extensions/feishu/src/send.reply-fallback.test.ts
index 610ded167fd..d4a2f023ac1 100644
--- a/extensions/feishu/src/send.reply-fallback.test.ts
+++ b/extensions/feishu/src/send.reply-fallback.test.ts
@@ -171,6 +171,75 @@ describe("Feishu reply fallback for withdrawn/deleted targets", () => {
     expect(createMock).not.toHaveBeenCalled();
   });
 
+  it("fails thread replies instead of falling back to a top-level send", async () => {
+    replyMock.mockResolvedValue({
+      code: 230011,
+      msg: "The message was withdrawn.",
+    });
+
+    await expect(
+      sendMessageFeishu({
+        cfg: {} as never,
+        to: "chat:oc_group_1",
+        text: "hello",
+        replyToMessageId: "om_parent",
+        replyInThread: true,
+      }),
+    ).rejects.toThrow(
+      "Feishu thread reply failed: reply target is unavailable and cannot safely fall back to a top-level send.",
+    );
+
+    expect(createMock).not.toHaveBeenCalled();
+    expect(replyMock).toHaveBeenCalledWith({
+      path: { message_id: "om_parent" },
+      data: expect.objectContaining({
+        reply_in_thread: true,
+      }),
+    });
+  });
+
+  it("fails thrown withdrawn thread replies instead of falling back to create", async () => {
+    const sdkError = Object.assign(new Error("request failed"), { code: 230011 });
+    replyMock.mockRejectedValue(sdkError);
+
+    await expect(
+      sendMessageFeishu({
+        cfg: {} as never,
+        to: "chat:oc_group_1",
+        text: "hello",
+        replyToMessageId: "om_parent",
+        replyInThread: true,
+      }),
+    ).rejects.toThrow(
+      "Feishu thread reply failed: reply target is unavailable and cannot safely fall back to a top-level send.",
+    );
+
+    expect(createMock).not.toHaveBeenCalled();
+  });
+
+  it("still falls back for non-thread replies to withdrawn targets", async () => {
+    replyMock.mockResolvedValue({
+      code: 230011,
+      msg: "The message was withdrawn.",
+    });
+    createMock.mockResolvedValue({
+      code: 0,
+      data: { message_id: "om_non_thread_fallback" },
+    });
+
+    await expectFallbackResult(
+      () =>
+        sendMessageFeishu({
+          cfg: {} as never,
+          to: "user:ou_target",
+          text: "hello",
+          replyToMessageId: "om_parent",
+          replyInThread: false,
+        }),
+      "om_non_thread_fallback",
+    );
+  });
+
   it("re-throws non-withdrawn thrown errors for card messages", async () => {
     const sdkError = Object.assign(new Error("permission denied"), { code: 99991401 });
     replyMock.mockRejectedValue(sdkError);
diff --git a/extensions/feishu/src/send.test.ts b/extensions/feishu/src/send.test.ts
index 21ef7e53a1a..ecad7a6332e 100644
--- a/extensions/feishu/src/send.test.ts
+++ b/extensions/feishu/src/send.test.ts
@@ -2,18 +2,25 @@ import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import {
   buildStructuredCard,
+  editMessageFeishu,
   getMessageFeishu,
   listFeishuThreadMessages,
   resolveFeishuCardTemplate,
 } from "./send.js";
 
-const { mockClientGet, mockClientList, mockCreateFeishuClient, mockResolveFeishuAccount } =
-  vi.hoisted(() => ({
-    mockClientGet: vi.fn(),
-    mockClientList: vi.fn(),
-    mockCreateFeishuClient: vi.fn(),
-    mockResolveFeishuAccount: vi.fn(),
-  }));
+const {
+  mockClientGet,
+  mockClientList,
+  mockClientPatch,
+  mockCreateFeishuClient,
+  mockResolveFeishuAccount,
+} = vi.hoisted(() => ({
+  mockClientGet: vi.fn(),
+  mockClientList: vi.fn(),
+  mockClientPatch: vi.fn(),
+  mockCreateFeishuClient: vi.fn(),
+  mockResolveFeishuAccount: vi.fn(),
+}));
 
 vi.mock("./client.js", () => ({
   createFeishuClient: mockCreateFeishuClient,
@@ -23,6 +30,17 @@ vi.mock("./accounts.js", () => ({
   resolveFeishuAccount: mockResolveFeishuAccount,
 }));
 
+vi.mock("./runtime.js", () => ({
+  getFeishuRuntime: () => ({
+    channel: {
+      text: {
+        resolveMarkdownTableMode: () => "preserve",
+        convertMarkdownTables: (text: string) => text,
+      },
+    },
+  }),
+}));
+
 describe("getMessageFeishu", () => {
   beforeEach(() => {
     vi.clearAllMocks();
@@ -35,6 +53,7 @@ describe("getMessageFeishu", () => {
         message: {
           get: mockClientGet,
           list: mockClientList,
+          patch: mockClientPatch,
         },
       },
     });
@@ -239,6 +258,70 @@ describe("getMessageFeishu", () => {
   });
 });
 
+describe("editMessageFeishu", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockResolveFeishuAccount.mockReturnValue({
+      accountId: "default",
+      configured: true,
+    });
+    mockCreateFeishuClient.mockReturnValue({
+      im: {
+        message: {
+          patch: mockClientPatch,
+        },
+      },
+    });
+  });
+
+  it("patches post content for text edits", async () => {
+    mockClientPatch.mockResolvedValueOnce({ code: 0 });
+
+    const result = await editMessageFeishu({
+      cfg: {} as ClawdbotConfig,
+      messageId: "om_edit",
+      text: "updated body",
+    });
+
+    expect(mockClientPatch).toHaveBeenCalledWith({
+      path: { message_id: "om_edit" },
+      data: {
+        content: JSON.stringify({
+          zh_cn: {
+            content: [
+              [
+                {
+                  tag: "md",
+                  text: "updated body",
+                },
+              ],
+            ],
+          },
+        }),
+      },
+    });
+    expect(result).toEqual({ messageId: "om_edit", contentType: "post" });
+  });
+
+  it("patches interactive content for card edits", async () => {
+    mockClientPatch.mockResolvedValueOnce({ code: 0 });
+
+    const result = await editMessageFeishu({
+      cfg: {} as ClawdbotConfig,
+      messageId: "om_card",
+      card: { schema: "2.0" },
+    });
+
+    expect(mockClientPatch).toHaveBeenCalledWith({
+      path: { message_id: "om_card" },
+      data: {
+        content: JSON.stringify({ schema: "2.0" }),
+      },
+    });
+    expect(result).toEqual({ messageId: "om_card", contentType: "interactive" });
+  });
+});
+
 describe("resolveFeishuCardTemplate", () => {
   it("accepts supported Feishu templates", () => {
     expect(resolveFeishuCardTemplate(" purple ")).toBe("purple");
diff --git a/extensions/feishu/src/send.ts b/extensions/feishu/src/send.ts
index 57c0fbc0600..09015ee593b 100644
--- a/extensions/feishu/src/send.ts
+++ b/extensions/feishu/src/send.ts
@@ -139,6 +139,12 @@ async function sendReplyOrFallbackDirect(
     return sendFallbackDirect(client, params.directParams, params.directErrorPrefix);
   }
 
+  const threadReplyFallbackError = params.replyInThread
+    ? new Error(
+        "Feishu thread reply failed: reply target is unavailable and cannot safely fall back to a top-level send.",
+      )
+    : null;
+
   let response: { code?: number; msg?: string; data?: { message_id?: string } };
   try {
     response = await client.im.message.reply({
@@ -153,9 +159,15 @@ async function sendReplyOrFallbackDirect(
     if (!isWithdrawnReplyError(err)) {
       throw err;
     }
+    if (threadReplyFallbackError) {
+      throw threadReplyFallbackError;
+    }
     return sendFallbackDirect(client, params.directParams, params.directErrorPrefix);
   }
   if (shouldFallbackFromReplyTarget(response)) {
+    if (threadReplyFallbackError) {
+      throw threadReplyFallbackError;
+    }
     return sendFallbackDirect(client, params.directParams, params.directErrorPrefix);
   }
   assertFeishuMessageApiSuccess(response, params.replyErrorPrefix);
@@ -406,7 +418,7 @@ export type SendFeishuMessageParams = {
   accountId?: string;
 };
 
-function buildFeishuPostMessagePayload(params: { messageText: string }): {
+export function buildFeishuPostMessagePayload(params: { messageText: string }): {
   content: string;
   msgType: string;
 } {
@@ -486,6 +498,59 @@ export async function sendCardFeishu(params: SendFeishuCardParams): Promise<Feis
   });
 }
 
+export async function editMessageFeishu(params: {
+  cfg: ClawdbotConfig;
+  messageId: string;
+  text?: string;
+  card?: Record<string, unknown>;
+  accountId?: string;
+}): Promise<{ messageId: string; contentType: "post" | "interactive" }> {
+  const { cfg, messageId, text, card, accountId } = params;
+  const account = resolveFeishuAccount({ cfg, accountId });
+  if (!account.configured) {
+    throw new Error(`Feishu account "${account.accountId}" not configured`);
+  }
+
+  const hasText = typeof text === "string" && text.trim().length > 0;
+  const hasCard = Boolean(card);
+  if (hasText === hasCard) {
+    throw new Error("Feishu edit requires exactly one of text or card.");
+  }
+
+  const client = createFeishuClient(account);
+
+  if (card) {
+    const content = JSON.stringify(card);
+    const response = await client.im.message.patch({
+      path: { message_id: messageId },
+      data: { content },
+    });
+
+    if (response.code !== 0) {
+      throw new Error(`Feishu message edit failed: ${response.msg || `code ${response.code}`}`);
+    }
+
+    return { messageId, contentType: "interactive" };
+  }
+
+  const tableMode = getFeishuRuntime().channel.text.resolveMarkdownTableMode({
+    cfg,
+    channel: "feishu",
+  });
+  const messageText = getFeishuRuntime().channel.text.convertMarkdownTables(text!, tableMode);
+  const payload = buildFeishuPostMessagePayload({ messageText });
+  const response = await client.im.message.patch({
+    path: { message_id: messageId },
+    data: { content: payload.content },
+  });
+
+  if (response.code !== 0) {
+    throw new Error(`Feishu message edit failed: ${response.msg || `code ${response.code}`}`);
+  }
+
+  return { messageId, contentType: "post" };
+}
+
 export async function updateCardFeishu(params: {
   cfg: ClawdbotConfig;
   messageId: string;
@@ -627,41 +692,3 @@ export async function sendMarkdownCardFeishu(params: {
   const card = buildMarkdownCard(cardText);
   return sendCardFeishu({ cfg, to, card, replyToMessageId, replyInThread, accountId });
 }
-
-/**
- * Edit an existing text message.
- * Note: Feishu only allows editing messages within 24 hours.
- */
-export async function editMessageFeishu(params: {
-  cfg: ClawdbotConfig;
-  messageId: string;
-  text: string;
-  accountId?: string;
-}): Promise<void> {
-  const { cfg, messageId, text, accountId } = params;
-  const account = resolveFeishuAccount({ cfg, accountId });
-  if (!account.configured) {
-    throw new Error(`Feishu account "${account.accountId}" not configured`);
-  }
-
-  const client = createFeishuClient(account);
-  const tableMode = getFeishuRuntime().channel.text.resolveMarkdownTableMode({
-    cfg,
-    channel: "feishu",
-  });
-  const messageText = getFeishuRuntime().channel.text.convertMarkdownTables(text ?? "", tableMode);
-
-  const { content, msgType } = buildFeishuPostMessagePayload({ messageText });
-
-  const response = await client.im.message.update({
-    path: { message_id: messageId },
-    data: {
-      msg_type: msgType,
-      content,
-    },
-  });
-
-  if (response.code !== 0) {
-    throw new Error(`Feishu message edit failed: ${response.msg || `code ${response.code}`}`);
-  }
-}
diff --git a/extensions/feishu/src/setup-core.ts b/extensions/feishu/src/setup-core.ts
new file mode 100644
index 00000000000..ada8ef79933
--- /dev/null
+++ b/extensions/feishu/src/setup-core.ts
@@ -0,0 +1,48 @@
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
+import type { FeishuConfig } from "./types.js";
+
+export function setFeishuNamedAccountEnabled(
+  cfg: OpenClawConfig,
+  accountId: string,
+  enabled: boolean,
+): OpenClawConfig {
+  const feishuCfg = cfg.channels?.feishu as FeishuConfig | undefined;
+  return {
+    ...cfg,
+    channels: {
+      ...cfg.channels,
+      feishu: {
+        ...feishuCfg,
+        accounts: {
+          ...feishuCfg?.accounts,
+          [accountId]: {
+            ...feishuCfg?.accounts?.[accountId],
+            enabled,
+          },
+        },
+      },
+    },
+  };
+}
+
+export const feishuSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: () => DEFAULT_ACCOUNT_ID,
+  applyAccountConfig: ({ cfg, accountId }) => {
+    const isDefault = !accountId || accountId === DEFAULT_ACCOUNT_ID;
+    if (isDefault) {
+      return {
+        ...cfg,
+        channels: {
+          ...cfg.channels,
+          feishu: {
+            ...cfg.channels?.feishu,
+            enabled: true,
+          },
+        },
+      };
+    }
+    return setFeishuNamedAccountEnabled(cfg, accountId, true);
+  },
+};
diff --git a/extensions/feishu/src/onboarding.status.test.ts b/extensions/feishu/src/setup-status.test.ts
similarity index 58%
rename from extensions/feishu/src/onboarding.status.test.ts
rename to extensions/feishu/src/setup-status.test.ts
index eda2bafa242..e145bf8a753 100644
--- a/extensions/feishu/src/onboarding.status.test.ts
+++ b/extensions/feishu/src/setup-status.test.ts
@@ -1,10 +1,16 @@
 import type { OpenClawConfig } from "openclaw/plugin-sdk/feishu";
 import { describe, expect, it } from "vitest";
-import { feishuOnboardingAdapter } from "./onboarding.js";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import { feishuPlugin } from "./channel.js";
 
-describe("feishu onboarding status", () => {
+const feishuConfigureAdapter = buildChannelSetupWizardAdapterFromSetupWizard({
+  plugin: feishuPlugin,
+  wizard: feishuPlugin.setupWizard!,
+});
+
+describe("feishu setup wizard status", () => {
   it("treats SecretRef appSecret as configured when appId is present", async () => {
-    const status = await feishuOnboardingAdapter.getStatus({
+    const status = await feishuConfigureAdapter.getStatus({
       cfg: {
         channels: {
           feishu: {
diff --git a/extensions/feishu/src/onboarding.test.ts b/extensions/feishu/src/setup-surface.test.ts
similarity index 87%
rename from extensions/feishu/src/onboarding.test.ts
rename to extensions/feishu/src/setup-surface.test.ts
index d3ace4faae0..33ab8ad7989 100644
--- a/extensions/feishu/src/onboarding.test.ts
+++ b/extensions/feishu/src/setup-surface.test.ts
@@ -1,10 +1,11 @@
 import { describe, expect, it, vi } from "vitest";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
 
 vi.mock("./probe.js", () => ({
   probeFeishu: vi.fn(async () => ({ ok: false, error: "mocked" })),
 }));
 
-import { feishuOnboardingAdapter } from "./onboarding.js";
+import { feishuPlugin } from "./channel.js";
 
 const baseConfigureContext = {
   runtime: {} as never,
@@ -42,7 +43,7 @@ async function withEnvVars(values: Record<string, string | undefined>, run: () =
 }
 
 async function getStatusWithEnvRefs(params: { appIdKey: string; appSecretKey: string }) {
-  return await feishuOnboardingAdapter.getStatus({
+  return await feishuConfigureAdapter.getStatus({
     cfg: {
       channels: {
         feishu: {
@@ -55,7 +56,12 @@ async function getStatusWithEnvRefs(params: { appIdKey: string; appSecretKey: st
   });
 }
 
-describe("feishuOnboardingAdapter.configure", () => {
+const feishuConfigureAdapter = buildChannelSetupWizardAdapterFromSetupWizard({
+  plugin: feishuPlugin,
+  wizard: feishuPlugin.setupWizard!,
+});
+
+describe("feishu setup wizard", () => {
   it("does not throw when config appId/appSecret are SecretRef objects", async () => {
     const text = vi
       .fn()
@@ -73,7 +79,7 @@ describe("feishuOnboardingAdapter.configure", () => {
     } as never;
 
     await expect(
-      feishuOnboardingAdapter.configure({
+      feishuConfigureAdapter.configure({
         cfg: {
           channels: {
             feishu: {
@@ -89,9 +95,9 @@ describe("feishuOnboardingAdapter.configure", () => {
   });
 });
 
-describe("feishuOnboardingAdapter.getStatus", () => {
+describe("feishu setup wizard status", () => {
   it("does not fallback to top-level appId when account explicitly sets empty appId", async () => {
-    const status = await feishuOnboardingAdapter.getStatus({
+    const status = await feishuConfigureAdapter.getStatus({
       cfg: {
         channels: {
           feishu: {
diff --git a/extensions/feishu/src/onboarding.ts b/extensions/feishu/src/setup-surface.ts
similarity index 64%
rename from extensions/feishu/src/onboarding.ts
rename to extensions/feishu/src/setup-surface.ts
index 24d3bbcc413..4f92b07a804 100644
--- a/extensions/feishu/src/onboarding.ts
+++ b/extensions/feishu/src/setup-surface.ts
@@ -1,25 +1,23 @@
-import type {
-  ChannelOnboardingAdapter,
-  ChannelOnboardingDmPolicy,
-  ClawdbotConfig,
-  DmPolicy,
-  SecretInput,
-  WizardPrompter,
-} from "openclaw/plugin-sdk/feishu";
 import {
   buildSingleChannelSecretPromptState,
-  DEFAULT_ACCOUNT_ID,
-  formatDocsLink,
-  hasConfiguredSecretInput,
   mergeAllowFromEntries,
   promptSingleChannelSecretInput,
   setTopLevelChannelAllowFrom,
   setTopLevelChannelDmPolicyWithAllowFrom,
   setTopLevelChannelGroupPolicy,
-  splitOnboardingEntries,
-} from "openclaw/plugin-sdk/feishu";
-import { resolveFeishuCredentials } from "./accounts.js";
+  splitSetupEntries,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
+import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import type { DmPolicy } from "../../../src/config/types.js";
+import type { SecretInput } from "../../../src/config/types.secrets.js";
+import { hasConfiguredSecretInput } from "../../../src/config/types.secrets.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
+import { listFeishuAccountIds, resolveFeishuCredentials } from "./accounts.js";
 import { probeFeishu } from "./probe.js";
+import { feishuSetupAdapter } from "./setup-core.js";
 import type { FeishuConfig } from "./types.js";
 
 const channel = "feishu" as const;
@@ -32,26 +30,93 @@ function normalizeString(value: unknown): string | undefined {
   return trimmed || undefined;
 }
 
-function setFeishuDmPolicy(cfg: ClawdbotConfig, dmPolicy: DmPolicy): ClawdbotConfig {
+function setFeishuDmPolicy(cfg: OpenClawConfig, dmPolicy: DmPolicy): OpenClawConfig {
   return setTopLevelChannelDmPolicyWithAllowFrom({
     cfg,
-    channel: "feishu",
+    channel,
     dmPolicy,
-  }) as ClawdbotConfig;
+  }) as OpenClawConfig;
 }
 
-function setFeishuAllowFrom(cfg: ClawdbotConfig, allowFrom: string[]): ClawdbotConfig {
+function setFeishuAllowFrom(cfg: OpenClawConfig, allowFrom: string[]): OpenClawConfig {
   return setTopLevelChannelAllowFrom({
     cfg,
-    channel: "feishu",
+    channel,
     allowFrom,
-  }) as ClawdbotConfig;
+  }) as OpenClawConfig;
+}
+
+function setFeishuGroupPolicy(
+  cfg: OpenClawConfig,
+  groupPolicy: "open" | "allowlist" | "disabled",
+): OpenClawConfig {
+  return setTopLevelChannelGroupPolicy({
+    cfg,
+    channel,
+    groupPolicy,
+    enabled: true,
+  }) as OpenClawConfig;
+}
+
+function setFeishuGroupAllowFrom(cfg: OpenClawConfig, groupAllowFrom: string[]): OpenClawConfig {
+  return {
+    ...cfg,
+    channels: {
+      ...cfg.channels,
+      feishu: {
+        ...cfg.channels?.feishu,
+        groupAllowFrom,
+      },
+    },
+  };
+}
+
+function isFeishuConfigured(cfg: OpenClawConfig): boolean {
+  const feishuCfg = cfg.channels?.feishu as FeishuConfig | undefined;
+
+  const isAppIdConfigured = (value: unknown): boolean => {
+    const asString = normalizeString(value);
+    if (asString) {
+      return true;
+    }
+    if (!value || typeof value !== "object") {
+      return false;
+    }
+    const rec = value as Record<string, unknown>;
+    const source = normalizeString(rec.source)?.toLowerCase();
+    const id = normalizeString(rec.id);
+    if (source === "env" && id) {
+      return Boolean(normalizeString(process.env[id]));
+    }
+    return hasConfiguredSecretInput(value);
+  };
+
+  const topLevelConfigured = Boolean(
+    isAppIdConfigured(feishuCfg?.appId) && hasConfiguredSecretInput(feishuCfg?.appSecret),
+  );
+
+  const accountConfigured = Object.values(feishuCfg?.accounts ?? {}).some((account) => {
+    if (!account || typeof account !== "object") {
+      return false;
+    }
+    const hasOwnAppId = Object.prototype.hasOwnProperty.call(account, "appId");
+    const hasOwnAppSecret = Object.prototype.hasOwnProperty.call(account, "appSecret");
+    const accountAppIdConfigured = hasOwnAppId
+      ? isAppIdConfigured((account as Record<string, unknown>).appId)
+      : isAppIdConfigured(feishuCfg?.appId);
+    const accountSecretConfigured = hasOwnAppSecret
+      ? hasConfiguredSecretInput((account as Record<string, unknown>).appSecret)
+      : hasConfiguredSecretInput(feishuCfg?.appSecret);
+    return Boolean(accountAppIdConfigured && accountSecretConfigured);
+  });
+
+  return topLevelConfigured || accountConfigured;
 }
 
 async function promptFeishuAllowFrom(params: {
-  cfg: ClawdbotConfig;
-  prompter: WizardPrompter;
-}): Promise<ClawdbotConfig> {
+  cfg: OpenClawConfig;
+  prompter: Parameters<NonNullable<ChannelSetupDmPolicy["promptAllowFrom"]>>[0]["prompter"];
+}): Promise<OpenClawConfig> {
   const existing = params.cfg.channels?.feishu?.allowFrom ?? [];
   await params.prompter.note(
     [
@@ -71,7 +136,7 @@ async function promptFeishuAllowFrom(params: {
       initialValue: existing[0] ? String(existing[0]) : undefined,
       validate: (value) => (String(value ?? "").trim() ? undefined : "Required"),
     });
-    const parts = splitOnboardingEntries(String(entry));
+    const parts = splitSetupEntries(String(entry));
     if (parts.length === 0) {
       await params.prompter.note("Enter at least one user.", "Feishu allowlist");
       continue;
@@ -82,7 +147,9 @@ async function promptFeishuAllowFrom(params: {
   }
 }
 
-async function noteFeishuCredentialHelp(prompter: WizardPrompter): Promise<void> {
+async function noteFeishuCredentialHelp(
+  prompter: Parameters<NonNullable<ChannelSetupWizard["finalize"]>>[0]["prompter"],
+): Promise<void> {
   await prompter.note(
     [
       "1) Go to Feishu Open Platform (open.feishu.cn)",
@@ -98,131 +165,64 @@ async function noteFeishuCredentialHelp(prompter: WizardPrompter): Promise<void>
 }
 
 async function promptFeishuAppId(params: {
-  prompter: WizardPrompter;
+  prompter: Parameters<NonNullable<ChannelSetupWizard["finalize"]>>[0]["prompter"];
   initialValue?: string;
 }): Promise<string> {
-  const appId = String(
+  return String(
     await params.prompter.text({
       message: "Enter Feishu App ID",
       initialValue: params.initialValue,
       validate: (value) => (value?.trim() ? undefined : "Required"),
     }),
   ).trim();
-  return appId;
 }
 
-function setFeishuGroupPolicy(
-  cfg: ClawdbotConfig,
-  groupPolicy: "open" | "allowlist" | "disabled",
-): ClawdbotConfig {
-  return setTopLevelChannelGroupPolicy({
-    cfg,
-    channel: "feishu",
-    groupPolicy,
-    enabled: true,
-  }) as ClawdbotConfig;
-}
-
-function setFeishuGroupAllowFrom(cfg: ClawdbotConfig, groupAllowFrom: string[]): ClawdbotConfig {
-  return {
-    ...cfg,
-    channels: {
-      ...cfg.channels,
-      feishu: {
-        ...cfg.channels?.feishu,
-        groupAllowFrom,
-      },
-    },
-  };
-}
-
-const dmPolicy: ChannelOnboardingDmPolicy = {
+const feishuDmPolicy: ChannelSetupDmPolicy = {
   label: "Feishu",
   channel,
   policyKey: "channels.feishu.dmPolicy",
   allowFromKey: "channels.feishu.allowFrom",
   getCurrent: (cfg) => (cfg.channels?.feishu as FeishuConfig | undefined)?.dmPolicy ?? "pairing",
-  setPolicy: (cfg, policy) => setFeishuDmPolicy(cfg, policy),
+  setPolicy: (cfg, policy) => setFeishuDmPolicy(cfg as OpenClawConfig, policy),
   promptAllowFrom: promptFeishuAllowFrom,
 };
 
-export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
+export { feishuSetupAdapter } from "./setup-core.js";
+
+export const feishuSetupWizard: ChannelSetupWizard = {
   channel,
-  getStatus: async ({ cfg }) => {
-    const feishuCfg = cfg.channels?.feishu as FeishuConfig | undefined;
-
-    const isAppIdConfigured = (value: unknown): boolean => {
-      const asString = normalizeString(value);
-      if (asString) {
-        return true;
+  resolveAccountIdForConfigure: () => DEFAULT_ACCOUNT_ID,
+  resolveShouldPromptAccountIds: () => false,
+  status: {
+    configuredLabel: "configured",
+    unconfiguredLabel: "needs app credentials",
+    configuredHint: "configured",
+    unconfiguredHint: "needs app creds",
+    configuredScore: 2,
+    unconfiguredScore: 0,
+    resolveConfigured: ({ cfg }) => isFeishuConfigured(cfg),
+    resolveStatusLines: async ({ cfg, configured }) => {
+      const feishuCfg = cfg.channels?.feishu as FeishuConfig | undefined;
+      const resolvedCredentials = resolveFeishuCredentials(feishuCfg, {
+        allowUnresolvedSecretRef: true,
+      });
+      let probeResult = null;
+      if (configured && resolvedCredentials) {
+        try {
+          probeResult = await probeFeishu(resolvedCredentials);
+        } catch {}
       }
-      if (!value || typeof value !== "object") {
-        return false;
+      if (!configured) {
+        return ["Feishu: needs app credentials"];
       }
-      const rec = value as Record<string, unknown>;
-      const source = normalizeString(rec.source)?.toLowerCase();
-      const id = normalizeString(rec.id);
-      if (source === "env" && id) {
-        return Boolean(normalizeString(process.env[id]));
+      if (probeResult?.ok) {
+        return [`Feishu: connected as ${probeResult.botName ?? probeResult.botOpenId ?? "bot"}`];
       }
-      return hasConfiguredSecretInput(value);
-    };
-
-    const topLevelConfigured = Boolean(
-      isAppIdConfigured(feishuCfg?.appId) && hasConfiguredSecretInput(feishuCfg?.appSecret),
-    );
-
-    const accountConfigured = Object.values(feishuCfg?.accounts ?? {}).some((account) => {
-      if (!account || typeof account !== "object") {
-        return false;
-      }
-      const hasOwnAppId = Object.prototype.hasOwnProperty.call(account, "appId");
-      const hasOwnAppSecret = Object.prototype.hasOwnProperty.call(account, "appSecret");
-      const accountAppIdConfigured = hasOwnAppId
-        ? isAppIdConfigured((account as Record<string, unknown>).appId)
-        : isAppIdConfigured(feishuCfg?.appId);
-      const accountSecretConfigured = hasOwnAppSecret
-        ? hasConfiguredSecretInput((account as Record<string, unknown>).appSecret)
-        : hasConfiguredSecretInput(feishuCfg?.appSecret);
-      return Boolean(accountAppIdConfigured && accountSecretConfigured);
-    });
-
-    const configured = topLevelConfigured || accountConfigured;
-    const resolvedCredentials = resolveFeishuCredentials(feishuCfg, {
-      allowUnresolvedSecretRef: true,
-    });
-
-    // Try to probe if configured
-    let probeResult = null;
-    if (configured && resolvedCredentials) {
-      try {
-        probeResult = await probeFeishu(resolvedCredentials);
-      } catch {
-        // Ignore probe errors
-      }
-    }
-
-    const statusLines: string[] = [];
-    if (!configured) {
-      statusLines.push("Feishu: needs app credentials");
-    } else if (probeResult?.ok) {
-      statusLines.push(
-        `Feishu: connected as ${probeResult.botName ?? probeResult.botOpenId ?? "bot"}`,
-      );
-    } else {
-      statusLines.push("Feishu: configured (connection not verified)");
-    }
-
-    return {
-      channel,
-      configured,
-      statusLines,
-      selectionHint: configured ? "configured" : "needs app creds",
-      quickstartScore: configured ? 2 : 0,
-    };
+      return ["Feishu: configured (connection not verified)"];
+    },
   },
-
-  configure: async ({ cfg, prompter }) => {
+  credentials: [],
+  finalize: async ({ cfg, prompter, options }) => {
     const feishuCfg = cfg.channels?.feishu as FeishuConfig | undefined;
     const resolved = resolveFeishuCredentials(feishuCfg, {
       allowUnresolvedSecretRef: true,
@@ -252,6 +252,7 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
       prompter,
       providerHint: "feishu",
       credentialLabel: "App Secret",
+      secretInputMode: options?.secretInputMode,
       accountConfigured: appSecretPromptState.accountConfigured,
       canUseEnv: appSecretPromptState.canUseEnv,
       hasConfigToken: appSecretPromptState.hasConfigToken,
@@ -293,7 +294,6 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
         },
       };
 
-      // Test connection
       try {
         const probe = await probeFeishu({
           appId,
@@ -340,19 +340,17 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
     if (connectionMode === "webhook") {
       const currentVerificationToken = (next.channels?.feishu as FeishuConfig | undefined)
         ?.verificationToken;
-      const verificationTokenPromptState = buildSingleChannelSecretPromptState({
-        accountConfigured: hasConfiguredSecretInput(currentVerificationToken),
-        hasConfigToken: hasConfiguredSecretInput(currentVerificationToken),
-        allowEnv: false,
-      });
       const verificationTokenResult = await promptSingleChannelSecretInput({
         cfg: next,
         prompter,
         providerHint: "feishu-webhook",
         credentialLabel: "verification token",
-        accountConfigured: verificationTokenPromptState.accountConfigured,
-        canUseEnv: verificationTokenPromptState.canUseEnv,
-        hasConfigToken: verificationTokenPromptState.hasConfigToken,
+        secretInputMode: options?.secretInputMode,
+        ...buildSingleChannelSecretPromptState({
+          accountConfigured: hasConfiguredSecretInput(currentVerificationToken),
+          hasConfigToken: hasConfiguredSecretInput(currentVerificationToken),
+          allowEnv: false,
+        }),
         envPrompt: "",
         keepPrompt: "Feishu verification token already configured. Keep it?",
         inputPrompt: "Enter Feishu verification token",
@@ -370,20 +368,19 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
           },
         };
       }
+
       const currentEncryptKey = (next.channels?.feishu as FeishuConfig | undefined)?.encryptKey;
-      const encryptKeyPromptState = buildSingleChannelSecretPromptState({
-        accountConfigured: hasConfiguredSecretInput(currentEncryptKey),
-        hasConfigToken: hasConfiguredSecretInput(currentEncryptKey),
-        allowEnv: false,
-      });
       const encryptKeyResult = await promptSingleChannelSecretInput({
         cfg: next,
         prompter,
         providerHint: "feishu-webhook",
         credentialLabel: "encrypt key",
-        accountConfigured: encryptKeyPromptState.accountConfigured,
-        canUseEnv: encryptKeyPromptState.canUseEnv,
-        hasConfigToken: encryptKeyPromptState.hasConfigToken,
+        secretInputMode: options?.secretInputMode,
+        ...buildSingleChannelSecretPromptState({
+          accountConfigured: hasConfiguredSecretInput(currentEncryptKey),
+          hasConfigToken: hasConfiguredSecretInput(currentEncryptKey),
+          allowEnv: false,
+        }),
         envPrompt: "",
         keepPrompt: "Feishu encrypt key already configured. Keep it?",
         inputPrompt: "Enter Feishu encrypt key",
@@ -401,6 +398,7 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
           },
         };
       }
+
       const currentWebhookPath = (next.channels?.feishu as FeishuConfig | undefined)?.webhookPath;
       const webhookPath = String(
         await prompter.text({
@@ -421,7 +419,6 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
       };
     }
 
-    // Domain selection
     const currentDomain = (next.channels?.feishu as FeishuConfig | undefined)?.domain ?? "feishu";
     const domain = await prompter.select({
       message: "Which Feishu domain?",
@@ -431,21 +428,18 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
       ],
       initialValue: currentDomain,
     });
-    if (domain) {
-      next = {
-        ...next,
-        channels: {
-          ...next.channels,
-          feishu: {
-            ...next.channels?.feishu,
-            domain: domain as "feishu" | "lark",
-          },
+    next = {
+      ...next,
+      channels: {
+        ...next.channels,
+        feishu: {
+          ...next.channels?.feishu,
+          domain: domain as "feishu" | "lark",
         },
-      };
-    }
+      },
+    };
 
-    // Group policy
-    const groupPolicy = await prompter.select({
+    const groupPolicy = (await prompter.select({
       message: "Group chat policy",
       options: [
         { value: "allowlist", label: "Allowlist - only respond in specific groups" },
@@ -453,12 +447,9 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
         { value: "disabled", label: "Disabled - don't respond in groups" },
       ],
       initialValue: (next.channels?.feishu as FeishuConfig | undefined)?.groupPolicy ?? "allowlist",
-    });
-    if (groupPolicy) {
-      next = setFeishuGroupPolicy(next, groupPolicy as "open" | "allowlist" | "disabled");
-    }
+    })) as "allowlist" | "open" | "disabled";
+    next = setFeishuGroupPolicy(next, groupPolicy);
 
-    // Group allowlist if needed
     if (groupPolicy === "allowlist") {
       const existing = (next.channels?.feishu as FeishuConfig | undefined)?.groupAllowFrom ?? [];
       const entry = await prompter.text({
@@ -467,18 +458,16 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
         initialValue: existing.length > 0 ? existing.map(String).join(", ") : undefined,
       });
       if (entry) {
-        const parts = splitOnboardingEntries(String(entry));
+        const parts = splitSetupEntries(String(entry));
         if (parts.length > 0) {
           next = setFeishuGroupAllowFrom(next, parts);
         }
       }
     }
 
-    return { cfg: next, accountId: DEFAULT_ACCOUNT_ID };
+    return { cfg: next };
   },
-
-  dmPolicy,
-
+  dmPolicy: feishuDmPolicy,
   disable: (cfg) => ({
     ...cfg,
     channels: {
diff --git a/extensions/firecrawl/index.test.ts b/extensions/firecrawl/index.test.ts
new file mode 100644
index 00000000000..d4777161656
--- /dev/null
+++ b/extensions/firecrawl/index.test.ts
@@ -0,0 +1,82 @@
+import { describe, expect, it } from "vitest";
+import plugin from "./index.js";
+import { __testing as firecrawlClientTesting } from "./src/firecrawl-client.js";
+
+describe("firecrawl plugin", () => {
+  it("parses scrape payloads into wrapped external-content results", () => {
+    const result = firecrawlClientTesting.parseFirecrawlScrapePayload({
+      payload: {
+        success: true,
+        data: {
+          markdown: "# Hello\n\nWorld",
+          metadata: {
+            title: "Example page",
+            sourceURL: "https://example.com/final",
+            statusCode: 200,
+          },
+        },
+      },
+      url: "https://example.com/start",
+      extractMode: "text",
+      maxChars: 1000,
+    });
+
+    expect(result.finalUrl).toBe("https://example.com/final");
+    expect(result.status).toBe(200);
+    expect(result.extractor).toBe("firecrawl");
+    expect(typeof result.text).toBe("string");
+  });
+
+  it("extracts search items from flexible Firecrawl payload shapes", () => {
+    const items = firecrawlClientTesting.resolveSearchItems({
+      success: true,
+      data: [
+        {
+          title: "Docs",
+          url: "https://docs.example.com/path",
+          description: "Reference docs",
+          markdown: "Body",
+        },
+      ],
+    });
+
+    expect(items).toEqual([
+      {
+        title: "Docs",
+        url: "https://docs.example.com/path",
+        description: "Reference docs",
+        content: "Body",
+        published: undefined,
+        siteName: "docs.example.com",
+      },
+    ]);
+  });
+
+  it("extracts search items from Firecrawl v2 data.web payloads", () => {
+    const items = firecrawlClientTesting.resolveSearchItems({
+      success: true,
+      data: {
+        web: [
+          {
+            title: "API Platform - OpenAI",
+            url: "https://openai.com/api/",
+            description: "Build on the OpenAI API platform.",
+            markdown: "# API Platform",
+            position: 1,
+          },
+        ],
+      },
+    });
+
+    expect(items).toEqual([
+      {
+        title: "API Platform - OpenAI",
+        url: "https://openai.com/api/",
+        description: "Build on the OpenAI API platform.",
+        content: "# API Platform",
+        published: undefined,
+        siteName: "openai.com",
+      },
+    ]);
+  });
+});
diff --git a/extensions/firecrawl/index.ts b/extensions/firecrawl/index.ts
new file mode 100644
index 00000000000..42bd1a3252f
--- /dev/null
+++ b/extensions/firecrawl/index.ts
@@ -0,0 +1,20 @@
+import type { AnyAgentTool } from "../../src/agents/tools/common.js";
+import { emptyPluginConfigSchema } from "../../src/plugins/config-schema.js";
+import type { OpenClawPluginApi } from "../../src/plugins/types.js";
+import { createFirecrawlScrapeTool } from "./src/firecrawl-scrape-tool.js";
+import { createFirecrawlWebSearchProvider } from "./src/firecrawl-search-provider.js";
+import { createFirecrawlSearchTool } from "./src/firecrawl-search-tool.js";
+
+const firecrawlPlugin = {
+  id: "firecrawl",
+  name: "Firecrawl Plugin",
+  description: "Bundled Firecrawl search and scrape plugin",
+  configSchema: emptyPluginConfigSchema(),
+  register(api: OpenClawPluginApi) {
+    api.registerWebSearchProvider(createFirecrawlWebSearchProvider());
+    api.registerTool(createFirecrawlSearchTool(api) as AnyAgentTool);
+    api.registerTool(createFirecrawlScrapeTool(api) as AnyAgentTool);
+  },
+};
+
+export default firecrawlPlugin;
diff --git a/extensions/google-gemini-cli-auth/openclaw.plugin.json b/extensions/firecrawl/openclaw.plugin.json
similarity index 59%
rename from extensions/google-gemini-cli-auth/openclaw.plugin.json
rename to extensions/firecrawl/openclaw.plugin.json
index c8f632da0c8..52289f0711a 100644
--- a/extensions/google-gemini-cli-auth/openclaw.plugin.json
+++ b/extensions/firecrawl/openclaw.plugin.json
@@ -1,6 +1,5 @@
 {
-  "id": "google-gemini-cli-auth",
-  "providers": ["google-gemini-cli"],
+  "id": "firecrawl",
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/minimax-portal-auth/package.json b/extensions/firecrawl/package.json
similarity index 55%
rename from extensions/minimax-portal-auth/package.json
rename to extensions/firecrawl/package.json
index 093d42dad1d..e891b8293ba 100644
--- a/extensions/minimax-portal-auth/package.json
+++ b/extensions/firecrawl/package.json
@@ -1,8 +1,8 @@
 {
-  "name": "@openclaw/minimax-portal-auth",
+  "name": "@openclaw/firecrawl-plugin",
   "version": "2026.3.14",
   "private": true,
-  "description": "OpenClaw MiniMax Portal OAuth provider plugin",
+  "description": "OpenClaw Firecrawl plugin",
   "type": "module",
   "openclaw": {
     "extensions": [
diff --git a/extensions/firecrawl/src/config.ts b/extensions/firecrawl/src/config.ts
new file mode 100644
index 00000000000..808b81891f1
--- /dev/null
+++ b/extensions/firecrawl/src/config.ts
@@ -0,0 +1,159 @@
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import { normalizeResolvedSecretInputString } from "../../../src/config/types.secrets.js";
+import { normalizeSecretInput } from "../../../src/utils/normalize-secret-input.js";
+
+export const DEFAULT_FIRECRAWL_BASE_URL = "https://api.firecrawl.dev";
+export const DEFAULT_FIRECRAWL_SEARCH_TIMEOUT_SECONDS = 30;
+export const DEFAULT_FIRECRAWL_SCRAPE_TIMEOUT_SECONDS = 60;
+export const DEFAULT_FIRECRAWL_MAX_AGE_MS = 172_800_000;
+
+type WebSearchConfig = NonNullable<OpenClawConfig["tools"]>["web"] extends infer Web
+  ? Web extends { search?: infer Search }
+    ? Search
+    : undefined
+  : undefined;
+
+type WebFetchConfig = NonNullable<OpenClawConfig["tools"]>["web"] extends infer Web
+  ? Web extends { fetch?: infer Fetch }
+    ? Fetch
+    : undefined
+  : undefined;
+
+type FirecrawlSearchConfig =
+  | {
+      apiKey?: unknown;
+      baseUrl?: string;
+    }
+  | undefined;
+
+type FirecrawlFetchConfig =
+  | {
+      apiKey?: unknown;
+      baseUrl?: string;
+      onlyMainContent?: boolean;
+      maxAgeMs?: number;
+      timeoutSeconds?: number;
+    }
+  | undefined;
+
+function resolveSearchConfig(cfg?: OpenClawConfig): WebSearchConfig {
+  const search = cfg?.tools?.web?.search;
+  if (!search || typeof search !== "object") {
+    return undefined;
+  }
+  return search as WebSearchConfig;
+}
+
+function resolveFetchConfig(cfg?: OpenClawConfig): WebFetchConfig {
+  const fetch = cfg?.tools?.web?.fetch;
+  if (!fetch || typeof fetch !== "object") {
+    return undefined;
+  }
+  return fetch as WebFetchConfig;
+}
+
+export function resolveFirecrawlSearchConfig(cfg?: OpenClawConfig): FirecrawlSearchConfig {
+  const search = resolveSearchConfig(cfg);
+  if (!search || typeof search !== "object") {
+    return undefined;
+  }
+  const firecrawl = "firecrawl" in search ? search.firecrawl : undefined;
+  if (!firecrawl || typeof firecrawl !== "object") {
+    return undefined;
+  }
+  return firecrawl as FirecrawlSearchConfig;
+}
+
+export function resolveFirecrawlFetchConfig(cfg?: OpenClawConfig): FirecrawlFetchConfig {
+  const fetch = resolveFetchConfig(cfg);
+  if (!fetch || typeof fetch !== "object") {
+    return undefined;
+  }
+  const firecrawl = "firecrawl" in fetch ? fetch.firecrawl : undefined;
+  if (!firecrawl || typeof firecrawl !== "object") {
+    return undefined;
+  }
+  return firecrawl as FirecrawlFetchConfig;
+}
+
+function normalizeConfiguredSecret(value: unknown, path: string): string | undefined {
+  return normalizeSecretInput(
+    normalizeResolvedSecretInputString({
+      value,
+      path,
+    }),
+  );
+}
+
+export function resolveFirecrawlApiKey(cfg?: OpenClawConfig): string | undefined {
+  const search = resolveFirecrawlSearchConfig(cfg);
+  const fetch = resolveFirecrawlFetchConfig(cfg);
+  return (
+    normalizeConfiguredSecret(search?.apiKey, "tools.web.search.firecrawl.apiKey") ||
+    normalizeConfiguredSecret(fetch?.apiKey, "tools.web.fetch.firecrawl.apiKey") ||
+    normalizeSecretInput(process.env.FIRECRAWL_API_KEY) ||
+    undefined
+  );
+}
+
+export function resolveFirecrawlBaseUrl(cfg?: OpenClawConfig): string {
+  const search = resolveFirecrawlSearchConfig(cfg);
+  const fetch = resolveFirecrawlFetchConfig(cfg);
+  const configured =
+    (typeof search?.baseUrl === "string" ? search.baseUrl.trim() : "") ||
+    (typeof fetch?.baseUrl === "string" ? fetch.baseUrl.trim() : "") ||
+    normalizeSecretInput(process.env.FIRECRAWL_BASE_URL) ||
+    "";
+  return configured || DEFAULT_FIRECRAWL_BASE_URL;
+}
+
+export function resolveFirecrawlOnlyMainContent(cfg?: OpenClawConfig, override?: boolean): boolean {
+  if (typeof override === "boolean") {
+    return override;
+  }
+  const fetch = resolveFirecrawlFetchConfig(cfg);
+  if (typeof fetch?.onlyMainContent === "boolean") {
+    return fetch.onlyMainContent;
+  }
+  return true;
+}
+
+export function resolveFirecrawlMaxAgeMs(cfg?: OpenClawConfig, override?: number): number {
+  if (typeof override === "number" && Number.isFinite(override) && override >= 0) {
+    return Math.floor(override);
+  }
+  const fetch = resolveFirecrawlFetchConfig(cfg);
+  if (
+    typeof fetch?.maxAgeMs === "number" &&
+    Number.isFinite(fetch.maxAgeMs) &&
+    fetch.maxAgeMs >= 0
+  ) {
+    return Math.floor(fetch.maxAgeMs);
+  }
+  return DEFAULT_FIRECRAWL_MAX_AGE_MS;
+}
+
+export function resolveFirecrawlScrapeTimeoutSeconds(
+  cfg?: OpenClawConfig,
+  override?: number,
+): number {
+  if (typeof override === "number" && Number.isFinite(override) && override > 0) {
+    return Math.floor(override);
+  }
+  const fetch = resolveFirecrawlFetchConfig(cfg);
+  if (
+    typeof fetch?.timeoutSeconds === "number" &&
+    Number.isFinite(fetch.timeoutSeconds) &&
+    fetch.timeoutSeconds > 0
+  ) {
+    return Math.floor(fetch.timeoutSeconds);
+  }
+  return DEFAULT_FIRECRAWL_SCRAPE_TIMEOUT_SECONDS;
+}
+
+export function resolveFirecrawlSearchTimeoutSeconds(override?: number): number {
+  if (typeof override === "number" && Number.isFinite(override) && override > 0) {
+    return Math.floor(override);
+  }
+  return DEFAULT_FIRECRAWL_SEARCH_TIMEOUT_SECONDS;
+}
diff --git a/extensions/firecrawl/src/firecrawl-client.ts b/extensions/firecrawl/src/firecrawl-client.ts
new file mode 100644
index 00000000000..2929f2f9dde
--- /dev/null
+++ b/extensions/firecrawl/src/firecrawl-client.ts
@@ -0,0 +1,446 @@
+import { markdownToText, truncateText } from "../../../src/agents/tools/web-fetch-utils.js";
+import { withTrustedWebToolsEndpoint } from "../../../src/agents/tools/web-guarded-fetch.js";
+import {
+  DEFAULT_CACHE_TTL_MINUTES,
+  normalizeCacheKey,
+  readCache,
+  readResponseText,
+  resolveCacheTtlMs,
+  writeCache,
+} from "../../../src/agents/tools/web-shared.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import { wrapExternalContent, wrapWebContent } from "../../../src/security/external-content.js";
+import {
+  resolveFirecrawlApiKey,
+  resolveFirecrawlBaseUrl,
+  resolveFirecrawlMaxAgeMs,
+  resolveFirecrawlOnlyMainContent,
+  resolveFirecrawlScrapeTimeoutSeconds,
+  resolveFirecrawlSearchTimeoutSeconds,
+} from "./config.js";
+
+const SEARCH_CACHE = new Map<
+  string,
+  { value: Record<string, unknown>; expiresAt: number; insertedAt: number }
+>();
+const SCRAPE_CACHE = new Map<
+  string,
+  { value: Record<string, unknown>; expiresAt: number; insertedAt: number }
+>();
+const DEFAULT_SEARCH_COUNT = 5;
+const DEFAULT_SCRAPE_MAX_CHARS = 50_000;
+const DEFAULT_ERROR_MAX_BYTES = 64_000;
+
+type FirecrawlSearchItem = {
+  title: string;
+  url: string;
+  description?: string;
+  content?: string;
+  published?: string;
+  siteName?: string;
+};
+
+export type FirecrawlSearchParams = {
+  cfg?: OpenClawConfig;
+  query: string;
+  count?: number;
+  timeoutSeconds?: number;
+  sources?: string[];
+  categories?: string[];
+  scrapeResults?: boolean;
+};
+
+export type FirecrawlScrapeParams = {
+  cfg?: OpenClawConfig;
+  url: string;
+  extractMode: "markdown" | "text";
+  maxChars?: number;
+  onlyMainContent?: boolean;
+  maxAgeMs?: number;
+  proxy?: "auto" | "basic" | "stealth";
+  storeInCache?: boolean;
+  timeoutSeconds?: number;
+};
+
+function resolveEndpoint(baseUrl: string, pathname: "/v2/search" | "/v2/scrape"): string {
+  const trimmed = baseUrl.trim();
+  if (!trimmed) {
+    return new URL(pathname, "https://api.firecrawl.dev").toString();
+  }
+  try {
+    const url = new URL(trimmed);
+    if (url.pathname && url.pathname !== "/") {
+      return url.toString();
+    }
+    url.pathname = pathname;
+    return url.toString();
+  } catch {
+    return new URL(pathname, "https://api.firecrawl.dev").toString();
+  }
+}
+
+function resolveSiteName(urlRaw: string): string | undefined {
+  try {
+    const host = new URL(urlRaw).hostname.replace(/^www\./, "");
+    return host || undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+async function postFirecrawlJson(params: {
+  baseUrl: string;
+  pathname: "/v2/search" | "/v2/scrape";
+  apiKey: string;
+  body: Record<string, unknown>;
+  timeoutSeconds: number;
+  errorLabel: string;
+}): Promise<Record<string, unknown>> {
+  const endpoint = resolveEndpoint(params.baseUrl, params.pathname);
+  return await withTrustedWebToolsEndpoint(
+    {
+      url: endpoint,
+      timeoutSeconds: params.timeoutSeconds,
+      init: {
+        method: "POST",
+        headers: {
+          Accept: "application/json",
+          Authorization: `Bearer ${params.apiKey}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify(params.body),
+      },
+    },
+    async ({ response }) => {
+      if (!response.ok) {
+        const detail = await readResponseText(response, { maxBytes: DEFAULT_ERROR_MAX_BYTES });
+        throw new Error(
+          `${params.errorLabel} API error (${response.status}): ${detail.text || response.statusText}`,
+        );
+      }
+      const payload = (await response.json()) as Record<string, unknown>;
+      if (payload.success === false) {
+        const error =
+          typeof payload.error === "string"
+            ? payload.error
+            : typeof payload.message === "string"
+              ? payload.message
+              : "unknown error";
+        throw new Error(`${params.errorLabel} API error: ${error}`);
+      }
+      return payload;
+    },
+  );
+}
+
+function resolveSearchItems(payload: Record<string, unknown>): FirecrawlSearchItem[] {
+  const candidates = [
+    payload.data,
+    payload.results,
+    (payload.data as { results?: unknown } | undefined)?.results,
+    (payload.data as { data?: unknown } | undefined)?.data,
+    (payload.data as { web?: unknown } | undefined)?.web,
+    (payload.web as { results?: unknown } | undefined)?.results,
+  ];
+  const rawItems = candidates.find((candidate) => Array.isArray(candidate));
+  if (!Array.isArray(rawItems)) {
+    return [];
+  }
+  const items: FirecrawlSearchItem[] = [];
+  for (const entry of rawItems) {
+    if (!entry || typeof entry !== "object") {
+      continue;
+    }
+    const record = entry as Record<string, unknown>;
+    const metadata =
+      record.metadata && typeof record.metadata === "object"
+        ? (record.metadata as Record<string, unknown>)
+        : undefined;
+    const url =
+      (typeof record.url === "string" && record.url) ||
+      (typeof record.sourceURL === "string" && record.sourceURL) ||
+      (typeof record.sourceUrl === "string" && record.sourceUrl) ||
+      (typeof metadata?.sourceURL === "string" && metadata.sourceURL) ||
+      "";
+    if (!url) {
+      continue;
+    }
+    const title =
+      (typeof record.title === "string" && record.title) ||
+      (typeof metadata?.title === "string" && metadata.title) ||
+      "";
+    const description =
+      (typeof record.description === "string" && record.description) ||
+      (typeof record.snippet === "string" && record.snippet) ||
+      (typeof record.summary === "string" && record.summary) ||
+      undefined;
+    const content =
+      (typeof record.markdown === "string" && record.markdown) ||
+      (typeof record.content === "string" && record.content) ||
+      (typeof record.text === "string" && record.text) ||
+      undefined;
+    const published =
+      (typeof record.publishedDate === "string" && record.publishedDate) ||
+      (typeof record.published === "string" && record.published) ||
+      (typeof metadata?.publishedTime === "string" && metadata.publishedTime) ||
+      (typeof metadata?.publishedDate === "string" && metadata.publishedDate) ||
+      undefined;
+    items.push({
+      title,
+      url,
+      description,
+      content,
+      published,
+      siteName: resolveSiteName(url),
+    });
+  }
+  return items;
+}
+
+function buildSearchPayload(params: {
+  query: string;
+  provider: "firecrawl";
+  items: FirecrawlSearchItem[];
+  tookMs: number;
+  scrapeResults: boolean;
+}): Record<string, unknown> {
+  return {
+    query: params.query,
+    provider: params.provider,
+    count: params.items.length,
+    tookMs: params.tookMs,
+    externalContent: {
+      untrusted: true,
+      source: "web_search",
+      provider: params.provider,
+      wrapped: true,
+    },
+    results: params.items.map((entry) => ({
+      title: entry.title ? wrapWebContent(entry.title, "web_search") : "",
+      url: entry.url,
+      description: entry.description ? wrapWebContent(entry.description, "web_search") : "",
+      ...(entry.published ? { published: entry.published } : {}),
+      ...(entry.siteName ? { siteName: entry.siteName } : {}),
+      ...(params.scrapeResults && entry.content
+        ? { content: wrapWebContent(entry.content, "web_search") }
+        : {}),
+    })),
+  };
+}
+
+export async function runFirecrawlSearch(
+  params: FirecrawlSearchParams,
+): Promise<Record<string, unknown>> {
+  const apiKey = resolveFirecrawlApiKey(params.cfg);
+  if (!apiKey) {
+    throw new Error(
+      "web_search (firecrawl) needs a Firecrawl API key. Set FIRECRAWL_API_KEY in the Gateway environment, or configure tools.web.search.firecrawl.apiKey.",
+    );
+  }
+  const count =
+    typeof params.count === "number" && Number.isFinite(params.count)
+      ? Math.max(1, Math.min(10, Math.floor(params.count)))
+      : DEFAULT_SEARCH_COUNT;
+  const timeoutSeconds = resolveFirecrawlSearchTimeoutSeconds(params.timeoutSeconds);
+  const scrapeResults = params.scrapeResults === true;
+  const sources = Array.isArray(params.sources) ? params.sources.filter(Boolean) : [];
+  const categories = Array.isArray(params.categories) ? params.categories.filter(Boolean) : [];
+  const baseUrl = resolveFirecrawlBaseUrl(params.cfg);
+  const cacheKey = normalizeCacheKey(
+    JSON.stringify({
+      type: "firecrawl-search",
+      q: params.query,
+      count,
+      baseUrl,
+      sources,
+      categories,
+      scrapeResults,
+    }),
+  );
+  const cached = readCache(SEARCH_CACHE, cacheKey);
+  if (cached) {
+    return { ...cached.value, cached: true };
+  }
+
+  const body: Record<string, unknown> = {
+    query: params.query,
+    limit: count,
+  };
+  if (sources.length > 0) {
+    body.sources = sources;
+  }
+  if (categories.length > 0) {
+    body.categories = categories;
+  }
+  if (scrapeResults) {
+    body.scrapeOptions = {
+      formats: ["markdown"],
+    };
+  }
+
+  const start = Date.now();
+  const payload = await postFirecrawlJson({
+    baseUrl,
+    pathname: "/v2/search",
+    apiKey,
+    body,
+    timeoutSeconds,
+    errorLabel: "Firecrawl Search",
+  });
+  const result = buildSearchPayload({
+    query: params.query,
+    provider: "firecrawl",
+    items: resolveSearchItems(payload),
+    tookMs: Date.now() - start,
+    scrapeResults,
+  });
+  writeCache(
+    SEARCH_CACHE,
+    cacheKey,
+    result,
+    resolveCacheTtlMs(undefined, DEFAULT_CACHE_TTL_MINUTES),
+  );
+  return result;
+}
+
+function resolveScrapeData(payload: Record<string, unknown>): Record<string, unknown> {
+  const data = payload.data;
+  if (data && typeof data === "object") {
+    return data as Record<string, unknown>;
+  }
+  return {};
+}
+
+export function parseFirecrawlScrapePayload(params: {
+  payload: Record<string, unknown>;
+  url: string;
+  extractMode: "markdown" | "text";
+  maxChars: number;
+}): Record<string, unknown> {
+  const data = resolveScrapeData(params.payload);
+  const metadata =
+    data.metadata && typeof data.metadata === "object"
+      ? (data.metadata as Record<string, unknown>)
+      : undefined;
+  const markdown =
+    (typeof data.markdown === "string" && data.markdown) ||
+    (typeof data.content === "string" && data.content) ||
+    "";
+  if (!markdown) {
+    throw new Error("Firecrawl scrape returned no content.");
+  }
+  const rawText = params.extractMode === "text" ? markdownToText(markdown) : markdown;
+  const truncated = truncateText(rawText, params.maxChars);
+  return {
+    url: params.url,
+    finalUrl:
+      (typeof metadata?.sourceURL === "string" && metadata.sourceURL) ||
+      (typeof data.url === "string" && data.url) ||
+      params.url,
+    status:
+      (typeof metadata?.statusCode === "number" && metadata.statusCode) ||
+      (typeof data.statusCode === "number" && data.statusCode) ||
+      undefined,
+    title:
+      typeof metadata?.title === "string" && metadata.title
+        ? wrapExternalContent(metadata.title, { source: "web_fetch", includeWarning: false })
+        : undefined,
+    extractor: "firecrawl",
+    extractMode: params.extractMode,
+    externalContent: {
+      untrusted: true,
+      source: "web_fetch",
+      wrapped: true,
+    },
+    truncated: truncated.truncated,
+    rawLength: rawText.length,
+    wrappedLength: wrapExternalContent(truncated.text, {
+      source: "web_fetch",
+      includeWarning: false,
+    }).length,
+    text: wrapExternalContent(truncated.text, {
+      source: "web_fetch",
+      includeWarning: false,
+    }),
+    warning:
+      typeof params.payload.warning === "string" && params.payload.warning
+        ? wrapExternalContent(params.payload.warning, {
+            source: "web_fetch",
+            includeWarning: false,
+          })
+        : undefined,
+  };
+}
+
+export async function runFirecrawlScrape(
+  params: FirecrawlScrapeParams,
+): Promise<Record<string, unknown>> {
+  const apiKey = resolveFirecrawlApiKey(params.cfg);
+  if (!apiKey) {
+    throw new Error(
+      "firecrawl_scrape needs a Firecrawl API key. Set FIRECRAWL_API_KEY in the Gateway environment, or configure tools.web.fetch.firecrawl.apiKey.",
+    );
+  }
+  const baseUrl = resolveFirecrawlBaseUrl(params.cfg);
+  const timeoutSeconds = resolveFirecrawlScrapeTimeoutSeconds(params.cfg, params.timeoutSeconds);
+  const onlyMainContent = resolveFirecrawlOnlyMainContent(params.cfg, params.onlyMainContent);
+  const maxAgeMs = resolveFirecrawlMaxAgeMs(params.cfg, params.maxAgeMs);
+  const proxy = params.proxy ?? "auto";
+  const storeInCache = params.storeInCache ?? true;
+  const maxChars =
+    typeof params.maxChars === "number" && Number.isFinite(params.maxChars) && params.maxChars > 0
+      ? Math.floor(params.maxChars)
+      : DEFAULT_SCRAPE_MAX_CHARS;
+  const cacheKey = normalizeCacheKey(
+    JSON.stringify({
+      type: "firecrawl-scrape",
+      url: params.url,
+      extractMode: params.extractMode,
+      baseUrl,
+      onlyMainContent,
+      maxAgeMs,
+      proxy,
+      storeInCache,
+      maxChars,
+    }),
+  );
+  const cached = readCache(SCRAPE_CACHE, cacheKey);
+  if (cached) {
+    return { ...cached.value, cached: true };
+  }
+
+  const payload = await postFirecrawlJson({
+    baseUrl,
+    pathname: "/v2/scrape",
+    apiKey,
+    timeoutSeconds,
+    errorLabel: "Firecrawl",
+    body: {
+      url: params.url,
+      formats: ["markdown"],
+      onlyMainContent,
+      timeout: timeoutSeconds * 1000,
+      maxAge: maxAgeMs,
+      proxy,
+      storeInCache,
+    },
+  });
+  const result = parseFirecrawlScrapePayload({
+    payload,
+    url: params.url,
+    extractMode: params.extractMode,
+    maxChars,
+  });
+  writeCache(
+    SCRAPE_CACHE,
+    cacheKey,
+    result,
+    resolveCacheTtlMs(undefined, DEFAULT_CACHE_TTL_MINUTES),
+  );
+  return result;
+}
+
+export const __testing = {
+  parseFirecrawlScrapePayload,
+  resolveSearchItems,
+};
diff --git a/extensions/firecrawl/src/firecrawl-scrape-tool.ts b/extensions/firecrawl/src/firecrawl-scrape-tool.ts
new file mode 100644
index 00000000000..509b3d5fbd6
--- /dev/null
+++ b/extensions/firecrawl/src/firecrawl-scrape-tool.ts
@@ -0,0 +1,89 @@
+import { Type } from "@sinclair/typebox";
+import { optionalStringEnum } from "../../../src/agents/schema/typebox.js";
+import { jsonResult, readNumberParam, readStringParam } from "../../../src/agents/tools/common.js";
+import type { OpenClawPluginApi } from "../../../src/plugins/types.js";
+import { runFirecrawlScrape } from "./firecrawl-client.js";
+
+const FirecrawlScrapeToolSchema = Type.Object(
+  {
+    url: Type.String({ description: "HTTP or HTTPS URL to scrape via Firecrawl." }),
+    extractMode: optionalStringEnum(["markdown", "text"] as const, {
+      description: 'Extraction mode ("markdown" or "text"). Default: markdown.',
+    }),
+    maxChars: Type.Optional(
+      Type.Number({
+        description: "Maximum characters to return.",
+        minimum: 100,
+      }),
+    ),
+    onlyMainContent: Type.Optional(
+      Type.Boolean({
+        description: "Keep only main content when Firecrawl supports it.",
+      }),
+    ),
+    maxAgeMs: Type.Optional(
+      Type.Number({
+        description: "Maximum Firecrawl cache age in milliseconds.",
+        minimum: 0,
+      }),
+    ),
+    proxy: optionalStringEnum(["auto", "basic", "stealth"] as const, {
+      description: 'Firecrawl proxy mode ("auto", "basic", or "stealth").',
+    }),
+    storeInCache: Type.Optional(
+      Type.Boolean({
+        description: "Whether Firecrawl should store the scrape in its cache.",
+      }),
+    ),
+    timeoutSeconds: Type.Optional(
+      Type.Number({
+        description: "Timeout in seconds for the Firecrawl scrape request.",
+        minimum: 1,
+      }),
+    ),
+  },
+  { additionalProperties: false },
+);
+
+export function createFirecrawlScrapeTool(api: OpenClawPluginApi) {
+  return {
+    name: "firecrawl_scrape",
+    label: "Firecrawl Scrape",
+    description:
+      "Scrape a page using Firecrawl v2/scrape. Useful for JS-heavy or bot-protected pages where plain web_fetch is weak.",
+    parameters: FirecrawlScrapeToolSchema,
+    execute: async (_toolCallId: string, rawParams: Record<string, unknown>) => {
+      const url = readStringParam(rawParams, "url", { required: true });
+      const extractMode =
+        readStringParam(rawParams, "extractMode") === "text" ? "text" : "markdown";
+      const maxChars = readNumberParam(rawParams, "maxChars", { integer: true });
+      const maxAgeMs = readNumberParam(rawParams, "maxAgeMs", { integer: true });
+      const timeoutSeconds = readNumberParam(rawParams, "timeoutSeconds", {
+        integer: true,
+      });
+      const proxyRaw = readStringParam(rawParams, "proxy");
+      const proxy =
+        proxyRaw === "basic" || proxyRaw === "stealth" || proxyRaw === "auto"
+          ? proxyRaw
+          : undefined;
+      const onlyMainContent =
+        typeof rawParams.onlyMainContent === "boolean" ? rawParams.onlyMainContent : undefined;
+      const storeInCache =
+        typeof rawParams.storeInCache === "boolean" ? rawParams.storeInCache : undefined;
+
+      return jsonResult(
+        await runFirecrawlScrape({
+          cfg: api.config,
+          url,
+          extractMode,
+          maxChars,
+          onlyMainContent,
+          maxAgeMs,
+          proxy,
+          storeInCache,
+          timeoutSeconds,
+        }),
+      );
+    },
+  };
+}
diff --git a/extensions/firecrawl/src/firecrawl-search-provider.ts b/extensions/firecrawl/src/firecrawl-search-provider.ts
new file mode 100644
index 00000000000..60489e9618e
--- /dev/null
+++ b/extensions/firecrawl/src/firecrawl-search-provider.ts
@@ -0,0 +1,63 @@
+import { Type } from "@sinclair/typebox";
+import type { WebSearchProviderPlugin } from "../../../src/plugins/types.js";
+import { runFirecrawlSearch } from "./firecrawl-client.js";
+
+const GenericFirecrawlSearchSchema = Type.Object(
+  {
+    query: Type.String({ description: "Search query string." }),
+    count: Type.Optional(
+      Type.Number({
+        description: "Number of results to return (1-10).",
+        minimum: 1,
+        maximum: 10,
+      }),
+    ),
+  },
+  { additionalProperties: false },
+);
+
+function getScopedCredentialValue(searchConfig?: Record<string, unknown>): unknown {
+  const scoped = searchConfig?.firecrawl;
+  if (!scoped || typeof scoped !== "object" || Array.isArray(scoped)) {
+    return undefined;
+  }
+  return (scoped as Record<string, unknown>).apiKey;
+}
+
+function setScopedCredentialValue(
+  searchConfigTarget: Record<string, unknown>,
+  value: unknown,
+): void {
+  const scoped = searchConfigTarget.firecrawl;
+  if (!scoped || typeof scoped !== "object" || Array.isArray(scoped)) {
+    searchConfigTarget.firecrawl = { apiKey: value };
+    return;
+  }
+  (scoped as Record<string, unknown>).apiKey = value;
+}
+
+export function createFirecrawlWebSearchProvider(): WebSearchProviderPlugin {
+  return {
+    id: "firecrawl",
+    label: "Firecrawl Search",
+    hint: "Structured results with optional result scraping",
+    envVars: ["FIRECRAWL_API_KEY"],
+    placeholder: "fc-...",
+    signupUrl: "https://www.firecrawl.dev/",
+    docsUrl: "https://docs.openclaw.ai/tools/firecrawl",
+    autoDetectOrder: 60,
+    getCredentialValue: getScopedCredentialValue,
+    setCredentialValue: setScopedCredentialValue,
+    createTool: (ctx) => ({
+      description:
+        "Search the web using Firecrawl. Returns structured results with snippets from Firecrawl Search. Use firecrawl_search for Firecrawl-specific knobs like sources or categories.",
+      parameters: GenericFirecrawlSearchSchema,
+      execute: async (args) =>
+        await runFirecrawlSearch({
+          cfg: ctx.config,
+          query: typeof args.query === "string" ? args.query : "",
+          count: typeof args.count === "number" ? args.count : undefined,
+        }),
+    }),
+  };
+}
diff --git a/extensions/firecrawl/src/firecrawl-search-tool.ts b/extensions/firecrawl/src/firecrawl-search-tool.ts
new file mode 100644
index 00000000000..f2f133fd7ec
--- /dev/null
+++ b/extensions/firecrawl/src/firecrawl-search-tool.ts
@@ -0,0 +1,76 @@
+import { Type } from "@sinclair/typebox";
+import {
+  jsonResult,
+  readNumberParam,
+  readStringArrayParam,
+  readStringParam,
+} from "../../../src/agents/tools/common.js";
+import type { OpenClawPluginApi } from "../../../src/plugins/types.js";
+import { runFirecrawlSearch } from "./firecrawl-client.js";
+
+const FirecrawlSearchToolSchema = Type.Object(
+  {
+    query: Type.String({ description: "Search query string." }),
+    count: Type.Optional(
+      Type.Number({
+        description: "Number of results to return (1-10).",
+        minimum: 1,
+        maximum: 10,
+      }),
+    ),
+    sources: Type.Optional(
+      Type.Array(Type.String(), {
+        description: 'Optional sources list, for example ["web"], ["news"], or ["images"].',
+      }),
+    ),
+    categories: Type.Optional(
+      Type.Array(Type.String(), {
+        description: 'Optional Firecrawl categories, for example ["github"] or ["research"].',
+      }),
+    ),
+    scrapeResults: Type.Optional(
+      Type.Boolean({
+        description: "Include scraped result content when Firecrawl returns it.",
+      }),
+    ),
+    timeoutSeconds: Type.Optional(
+      Type.Number({
+        description: "Timeout in seconds for the Firecrawl Search request.",
+        minimum: 1,
+      }),
+    ),
+  },
+  { additionalProperties: false },
+);
+
+export function createFirecrawlSearchTool(api: OpenClawPluginApi) {
+  return {
+    name: "firecrawl_search",
+    label: "Firecrawl Search",
+    description:
+      "Search the web using Firecrawl v2/search. Can optionally include scraped content from result pages.",
+    parameters: FirecrawlSearchToolSchema,
+    execute: async (_toolCallId: string, rawParams: Record<string, unknown>) => {
+      const query = readStringParam(rawParams, "query", { required: true });
+      const count = readNumberParam(rawParams, "count", { integer: true });
+      const timeoutSeconds = readNumberParam(rawParams, "timeoutSeconds", {
+        integer: true,
+      });
+      const sources = readStringArrayParam(rawParams, "sources");
+      const categories = readStringArrayParam(rawParams, "categories");
+      const scrapeResults = rawParams.scrapeResults === true;
+
+      return jsonResult(
+        await runFirecrawlSearch({
+          cfg: api.config,
+          query,
+          count,
+          timeoutSeconds,
+          sources,
+          categories,
+          scrapeResults,
+        }),
+      );
+    },
+  };
+}
diff --git a/extensions/github-copilot/index.test.ts b/extensions/github-copilot/index.test.ts
deleted file mode 100644
index e69fee13b88..00000000000
--- a/extensions/github-copilot/index.test.ts
+++ /dev/null
@@ -1,49 +0,0 @@
-import { describe, expect, it } from "vitest";
-import type { ProviderPlugin } from "../../src/plugins/types.js";
-import githubCopilotPlugin from "./index.js";
-
-function registerProvider(): ProviderPlugin {
-  let provider: ProviderPlugin | undefined;
-  githubCopilotPlugin.register({
-    registerProvider(nextProvider: ProviderPlugin) {
-      provider = nextProvider;
-    },
-  } as never);
-  if (!provider) {
-    throw new Error("provider registration missing");
-  }
-  return provider;
-}
-
-describe("github-copilot plugin", () => {
-  it("owns Copilot-specific forward-compat fallbacks", () => {
-    const provider = registerProvider();
-    const model = provider.resolveDynamicModel?.({
-      provider: "github-copilot",
-      modelId: "gpt-5.3-codex",
-      modelRegistry: {
-        find: (_provider: string, id: string) =>
-          id === "gpt-5.2-codex"
-            ? {
-                id,
-                name: id,
-                api: "openai-codex-responses",
-                provider: "github-copilot",
-                baseUrl: "https://api.copilot.example",
-                reasoning: true,
-                input: ["text"],
-                cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-                contextWindow: 128_000,
-                maxTokens: 8_192,
-              }
-            : null,
-      } as never,
-    });
-
-    expect(model).toMatchObject({
-      id: "gpt-5.3-codex",
-      provider: "github-copilot",
-      api: "openai-codex-responses",
-    });
-  });
-});
diff --git a/extensions/github-copilot/index.ts b/extensions/github-copilot/index.ts
index 19114472830..8dadad31903 100644
--- a/extensions/github-copilot/index.ts
+++ b/extensions/github-copilot/index.ts
@@ -1,6 +1,7 @@
 import {
   emptyPluginConfigSchema,
   type OpenClawPluginApi,
+  type ProviderAuthContext,
   type ProviderResolveDynamicModelContext,
   type ProviderRuntimeModel,
 } from "openclaw/plugin-sdk/core";
@@ -8,16 +9,15 @@ import { listProfilesForProvider } from "../../src/agents/auth-profiles/profiles
 import { ensureAuthProfileStore } from "../../src/agents/auth-profiles/store.js";
 import { normalizeModelCompat } from "../../src/agents/model-compat.js";
 import { coerceSecretRef } from "../../src/config/types.secrets.js";
-import { fetchCopilotUsage } from "../../src/infra/provider-usage.fetch.js";
-import {
-  DEFAULT_COPILOT_API_BASE_URL,
-  resolveCopilotApiToken,
-} from "../../src/providers/github-copilot-token.js";
+import { githubCopilotLoginCommand } from "../../src/providers/github-copilot-auth.js";
+import { DEFAULT_COPILOT_API_BASE_URL, resolveCopilotApiToken } from "./token.js";
+import { fetchCopilotUsage } from "./usage.js";
 
 const PROVIDER_ID = "github-copilot";
 const COPILOT_ENV_VARS = ["COPILOT_GITHUB_TOKEN", "GH_TOKEN", "GITHUB_TOKEN"];
 const CODEX_GPT_53_MODEL_ID = "gpt-5.3-codex";
 const CODEX_TEMPLATE_MODEL_IDS = ["gpt-5.2-codex"] as const;
+const COPILOT_XHIGH_MODEL_IDS = ["gpt-5.2", "gpt-5.2-codex"] as const;
 
 function resolveFirstGithubToken(params: { agentDir?: string; env: NodeJS.ProcessEnv }): {
   githubToken: string;
@@ -74,6 +74,46 @@ function resolveCopilotForwardCompatModel(
   return undefined;
 }
 
+async function runGitHubCopilotAuth(ctx: ProviderAuthContext) {
+  await ctx.prompter.note(
+    [
+      "This will open a GitHub device login to authorize Copilot.",
+      "Requires an active GitHub Copilot subscription.",
+    ].join("\n"),
+    "GitHub Copilot",
+  );
+
+  if (!process.stdin.isTTY) {
+    await ctx.prompter.note("GitHub Copilot login requires an interactive TTY.", "GitHub Copilot");
+    return { profiles: [] };
+  }
+
+  try {
+    await githubCopilotLoginCommand({ yes: true, profileId: "github-copilot:github" }, ctx.runtime);
+  } catch (err) {
+    await ctx.prompter.note(`GitHub Copilot login failed: ${String(err)}`, "GitHub Copilot");
+    return { profiles: [] };
+  }
+
+  const authStore = ensureAuthProfileStore(undefined, {
+    allowKeychainPrompt: false,
+  });
+  const credential = authStore.profiles["github-copilot:github"];
+  if (!credential || credential.type !== "token") {
+    return { profiles: [] };
+  }
+
+  return {
+    profiles: [
+      {
+        profileId: "github-copilot:github",
+        credential,
+      },
+    ],
+    defaultModel: "github-copilot/gpt-4o",
+  };
+}
+
 const githubCopilotPlugin = {
   id: "github-copilot",
   name: "GitHub Copilot Provider",
@@ -85,7 +125,23 @@ const githubCopilotPlugin = {
       label: "GitHub Copilot",
       docsPath: "/providers/models",
       envVars: COPILOT_ENV_VARS,
-      auth: [],
+      auth: [
+        {
+          id: "device",
+          label: "GitHub device login",
+          hint: "Browser device-code flow",
+          kind: "device_code",
+          run: async (ctx) => await runGitHubCopilotAuth(ctx),
+        },
+      ],
+      wizard: {
+        setup: {
+          choiceId: "github-copilot",
+          choiceLabel: "GitHub Copilot",
+          choiceHint: "Device login with your GitHub account",
+          methodId: "device",
+        },
+      },
       catalog: {
         order: "late",
         run: async (ctx) => {
@@ -120,6 +176,8 @@ const githubCopilotPlugin = {
       capabilities: {
         dropThinkingBlockModelHints: ["claude"],
       },
+      supportsXHighThinking: ({ modelId }) =>
+        COPILOT_XHIGH_MODEL_IDS.includes(modelId.trim().toLowerCase() as never),
       prepareRuntimeAuth: async (ctx) => {
         const token = await resolveCopilotApiToken({
           githubToken: ctx.apiKey,
diff --git a/extensions/github-copilot/openclaw.plugin.json b/extensions/github-copilot/openclaw.plugin.json
index ec3f8690eee..ec05c52b48c 100644
--- a/extensions/github-copilot/openclaw.plugin.json
+++ b/extensions/github-copilot/openclaw.plugin.json
@@ -1,6 +1,21 @@
 {
   "id": "github-copilot",
   "providers": ["github-copilot"],
+  "providerAuthEnvVars": {
+    "github-copilot": ["COPILOT_GITHUB_TOKEN", "GH_TOKEN", "GITHUB_TOKEN"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "github-copilot",
+      "method": "device",
+      "choiceId": "github-copilot",
+      "choiceLabel": "GitHub Copilot",
+      "choiceHint": "Device login with your GitHub account",
+      "groupId": "copilot",
+      "groupLabel": "Copilot",
+      "groupHint": "GitHub + local proxy"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/src/providers/github-copilot-token.test.ts b/extensions/github-copilot/token.test.ts
similarity index 91%
rename from src/providers/github-copilot-token.test.ts
rename to extensions/github-copilot/token.test.ts
index 4f7664364a0..8aa489e7a8b 100644
--- a/src/providers/github-copilot-token.test.ts
+++ b/extensions/github-copilot/token.test.ts
@@ -1,8 +1,5 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
-import {
-  deriveCopilotApiBaseUrlFromToken,
-  resolveCopilotApiToken,
-} from "./github-copilot-token.js";
+import { deriveCopilotApiBaseUrlFromToken, resolveCopilotApiToken } from "./token.js";
 
 describe("github-copilot token", () => {
   const loadJsonFile = vi.fn();
@@ -58,7 +55,7 @@ describe("github-copilot token", () => {
       }),
     });
 
-    const { resolveCopilotApiToken } = await import("./github-copilot-token.js");
+    const { resolveCopilotApiToken } = await import("./token.js");
 
     const res = await resolveCopilotApiToken({
       githubToken: "gh",
diff --git a/src/providers/github-copilot-token.ts b/extensions/github-copilot/token.ts
similarity index 97%
rename from src/providers/github-copilot-token.ts
rename to extensions/github-copilot/token.ts
index a5d9a6b1e8e..afb1eb03b61 100644
--- a/src/providers/github-copilot-token.ts
+++ b/extensions/github-copilot/token.ts
@@ -1,6 +1,6 @@
 import path from "node:path";
-import { resolveStateDir } from "../config/paths.js";
-import { loadJsonFile, saveJsonFile } from "../infra/json-file.js";
+import { resolveStateDir } from "../../src/config/paths.js";
+import { loadJsonFile, saveJsonFile } from "../../src/infra/json-file.js";
 
 const COPILOT_TOKEN_URL = "https://api.github.com/copilot_internal/v2/token";
 
diff --git a/src/infra/provider-usage.fetch.copilot.test.ts b/extensions/github-copilot/usage.test.ts
similarity index 93%
rename from src/infra/provider-usage.fetch.copilot.test.ts
rename to extensions/github-copilot/usage.test.ts
index 0abfd5f782f..b4044c7f5f9 100644
--- a/src/infra/provider-usage.fetch.copilot.test.ts
+++ b/extensions/github-copilot/usage.test.ts
@@ -1,6 +1,9 @@
 import { describe, expect, it } from "vitest";
-import { createProviderUsageFetch, makeResponse } from "../test-utils/provider-usage-fetch.js";
-import { fetchCopilotUsage } from "./provider-usage.fetch.copilot.js";
+import {
+  createProviderUsageFetch,
+  makeResponse,
+} from "../../src/test-utils/provider-usage-fetch.js";
+import { fetchCopilotUsage } from "./usage.js";
 
 describe("fetchCopilotUsage", () => {
   it("returns HTTP errors for failed requests", async () => {
diff --git a/src/infra/provider-usage.fetch.copilot.ts b/extensions/github-copilot/usage.ts
similarity index 83%
rename from src/infra/provider-usage.fetch.copilot.ts
rename to extensions/github-copilot/usage.ts
index 40d4adcd3aa..9035027890c 100644
--- a/src/infra/provider-usage.fetch.copilot.ts
+++ b/extensions/github-copilot/usage.ts
@@ -1,6 +1,9 @@
-import { buildUsageHttpErrorSnapshot, fetchJson } from "./provider-usage.fetch.shared.js";
-import { clampPercent, PROVIDER_LABELS } from "./provider-usage.shared.js";
-import type { ProviderUsageSnapshot, UsageWindow } from "./provider-usage.types.js";
+import {
+  buildUsageHttpErrorSnapshot,
+  fetchJson,
+} from "../../src/infra/provider-usage.fetch.shared.js";
+import { clampPercent, PROVIDER_LABELS } from "../../src/infra/provider-usage.shared.js";
+import type { ProviderUsageSnapshot, UsageWindow } from "../../src/infra/provider-usage.types.js";
 
 type CopilotUsageResponse = {
   quota_snapshots?: {
diff --git a/extensions/google-gemini-cli-auth/README.md b/extensions/google-gemini-cli-auth/README.md
deleted file mode 100644
index bbca53ba1ce..00000000000
--- a/extensions/google-gemini-cli-auth/README.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# Google Gemini CLI Auth (OpenClaw plugin)
-
-OAuth provider plugin for **Gemini CLI** (Google Code Assist).
-
-## Account safety caution
-
-- This plugin is an unofficial integration and is not endorsed by Google.
-- Some users have reported account restrictions or suspensions after using third-party Gemini CLI and Antigravity OAuth clients.
-- Use caution, review the applicable Google terms, and avoid using a mission-critical account.
-
-## Enable
-
-Bundled plugins are disabled by default. Enable this one:
-
-```bash
-openclaw plugins enable google-gemini-cli-auth
-```
-
-Restart the Gateway after enabling.
-
-## Authenticate
-
-```bash
-openclaw models auth login --provider google-gemini-cli --set-default
-```
-
-## Requirements
-
-Requires the Gemini CLI to be installed (credentials are extracted automatically):
-
-```bash
-brew install gemini-cli
-# or: npm install -g @google/gemini-cli
-```
-
-## Env vars (optional)
-
-Override auto-detected credentials with:
-
-- `OPENCLAW_GEMINI_OAUTH_CLIENT_ID` / `GEMINI_CLI_OAUTH_CLIENT_ID`
-- `OPENCLAW_GEMINI_OAUTH_CLIENT_SECRET` / `GEMINI_CLI_OAUTH_CLIENT_SECRET`
diff --git a/extensions/google-gemini-cli-auth/index.test.ts b/extensions/google-gemini-cli-auth/index.test.ts
deleted file mode 100644
index d0542e3473c..00000000000
--- a/extensions/google-gemini-cli-auth/index.test.ts
+++ /dev/null
@@ -1,104 +0,0 @@
-import { describe, expect, it } from "vitest";
-import type { ProviderPlugin } from "../../src/plugins/types.js";
-import {
-  createProviderUsageFetch,
-  makeResponse,
-} from "../../src/test-utils/provider-usage-fetch.js";
-import geminiCliPlugin from "./index.js";
-
-function registerProvider(): ProviderPlugin {
-  let provider: ProviderPlugin | undefined;
-  geminiCliPlugin.register({
-    registerProvider(nextProvider: ProviderPlugin) {
-      provider = nextProvider;
-    },
-  } as never);
-  if (!provider) {
-    throw new Error("provider registration missing");
-  }
-  return provider;
-}
-
-describe("google-gemini-cli-auth plugin", () => {
-  it("owns gemini 3.1 forward-compat resolution", () => {
-    const provider = registerProvider();
-    const model = provider.resolveDynamicModel?.({
-      provider: "google-gemini-cli",
-      modelId: "gemini-3.1-pro-preview",
-      modelRegistry: {
-        find: (_provider: string, id: string) =>
-          id === "gemini-3-pro-preview"
-            ? {
-                id,
-                name: id,
-                api: "google-gemini-cli",
-                provider: "google-gemini-cli",
-                baseUrl: "https://cloudcode-pa.googleapis.com",
-                reasoning: false,
-                input: ["text"],
-                cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-                contextWindow: 1_048_576,
-                maxTokens: 65_536,
-              }
-            : null,
-      } as never,
-    });
-
-    expect(model).toMatchObject({
-      id: "gemini-3.1-pro-preview",
-      provider: "google-gemini-cli",
-      reasoning: true,
-    });
-  });
-
-  it("owns usage-token parsing", async () => {
-    const provider = registerProvider();
-    await expect(
-      provider.resolveUsageAuth?.({
-        config: {} as never,
-        env: {} as NodeJS.ProcessEnv,
-        provider: "google-gemini-cli",
-        resolveApiKeyFromConfigAndStore: () => undefined,
-        resolveOAuthToken: async () => ({
-          token: '{"token":"google-oauth-token"}',
-          accountId: "google-account",
-        }),
-      }),
-    ).resolves.toEqual({
-      token: "google-oauth-token",
-      accountId: "google-account",
-    });
-  });
-
-  it("owns usage snapshot fetching", async () => {
-    const provider = registerProvider();
-    const mockFetch = createProviderUsageFetch(async (url) => {
-      if (url.includes("cloudcode-pa.googleapis.com/v1internal:retrieveUserQuota")) {
-        return makeResponse(200, {
-          buckets: [
-            { modelId: "gemini-3.1-pro-preview", remainingFraction: 0.4 },
-            { modelId: "gemini-3.1-flash-preview", remainingFraction: 0.8 },
-          ],
-        });
-      }
-      return makeResponse(404, "not found");
-    });
-
-    const snapshot = await provider.fetchUsageSnapshot?.({
-      config: {} as never,
-      env: {} as NodeJS.ProcessEnv,
-      provider: "google-gemini-cli",
-      token: "google-oauth-token",
-      timeoutMs: 5_000,
-      fetchFn: mockFetch as unknown as typeof fetch,
-    });
-
-    expect(snapshot).toMatchObject({
-      provider: "google-gemini-cli",
-      displayName: "Gemini",
-    });
-    expect(snapshot?.windows[0]).toEqual({ label: "Pro", usedPercent: 60 });
-    expect(snapshot?.windows[1]?.label).toBe("Flash");
-    expect(snapshot?.windows[1]?.usedPercent).toBeCloseTo(20);
-  });
-});
diff --git a/extensions/google-gemini-cli-auth/index.ts b/extensions/google-gemini-cli-auth/index.ts
deleted file mode 100644
index 290cc19598f..00000000000
--- a/extensions/google-gemini-cli-auth/index.ts
+++ /dev/null
@@ -1,158 +0,0 @@
-import {
-  buildOauthProviderAuthResult,
-  emptyPluginConfigSchema,
-  type ProviderFetchUsageSnapshotContext,
-  type OpenClawPluginApi,
-  type ProviderAuthContext,
-  type ProviderResolveDynamicModelContext,
-  type ProviderRuntimeModel,
-} from "openclaw/plugin-sdk/google-gemini-cli-auth";
-import { normalizeModelCompat } from "../../src/agents/model-compat.js";
-import { fetchGeminiUsage } from "../../src/infra/provider-usage.fetch.js";
-import { loginGeminiCliOAuth } from "./oauth.js";
-
-const PROVIDER_ID = "google-gemini-cli";
-const PROVIDER_LABEL = "Gemini CLI OAuth";
-const DEFAULT_MODEL = "google-gemini-cli/gemini-3.1-pro-preview";
-const GEMINI_3_1_PRO_PREFIX = "gemini-3.1-pro";
-const GEMINI_3_1_FLASH_PREFIX = "gemini-3.1-flash";
-const GEMINI_3_1_PRO_TEMPLATE_IDS = ["gemini-3-pro-preview"] as const;
-const GEMINI_3_1_FLASH_TEMPLATE_IDS = ["gemini-3-flash-preview"] as const;
-const ENV_VARS = [
-  "OPENCLAW_GEMINI_OAUTH_CLIENT_ID",
-  "OPENCLAW_GEMINI_OAUTH_CLIENT_SECRET",
-  "GEMINI_CLI_OAUTH_CLIENT_ID",
-  "GEMINI_CLI_OAUTH_CLIENT_SECRET",
-];
-
-function cloneFirstTemplateModel(params: {
-  modelId: string;
-  templateIds: readonly string[];
-  ctx: ProviderResolveDynamicModelContext;
-}): ProviderRuntimeModel | undefined {
-  const trimmedModelId = params.modelId.trim();
-  for (const templateId of [...new Set(params.templateIds)].filter(Boolean)) {
-    const template = params.ctx.modelRegistry.find(
-      PROVIDER_ID,
-      templateId,
-    ) as ProviderRuntimeModel | null;
-    if (!template) {
-      continue;
-    }
-    return normalizeModelCompat({
-      ...template,
-      id: trimmedModelId,
-      name: trimmedModelId,
-      reasoning: true,
-    } as ProviderRuntimeModel);
-  }
-  return undefined;
-}
-
-function parseGoogleUsageToken(apiKey: string): string {
-  try {
-    const parsed = JSON.parse(apiKey) as { token?: unknown };
-    if (typeof parsed?.token === "string") {
-      return parsed.token;
-    }
-  } catch {
-    // ignore
-  }
-  return apiKey;
-}
-
-async function fetchGeminiCliUsage(ctx: ProviderFetchUsageSnapshotContext) {
-  return await fetchGeminiUsage(ctx.token, ctx.timeoutMs, ctx.fetchFn, PROVIDER_ID);
-}
-
-function resolveGeminiCliForwardCompatModel(
-  ctx: ProviderResolveDynamicModelContext,
-): ProviderRuntimeModel | undefined {
-  const trimmed = ctx.modelId.trim();
-  const lower = trimmed.toLowerCase();
-
-  let templateIds: readonly string[];
-  if (lower.startsWith(GEMINI_3_1_PRO_PREFIX)) {
-    templateIds = GEMINI_3_1_PRO_TEMPLATE_IDS;
-  } else if (lower.startsWith(GEMINI_3_1_FLASH_PREFIX)) {
-    templateIds = GEMINI_3_1_FLASH_TEMPLATE_IDS;
-  } else {
-    return undefined;
-  }
-
-  return cloneFirstTemplateModel({
-    modelId: trimmed,
-    templateIds,
-    ctx,
-  });
-}
-
-const geminiCliPlugin = {
-  id: "google-gemini-cli-auth",
-  name: "Google Gemini CLI Auth",
-  description: "OAuth flow for Gemini CLI (Google Code Assist)",
-  configSchema: emptyPluginConfigSchema(),
-  register(api: OpenClawPluginApi) {
-    api.registerProvider({
-      id: PROVIDER_ID,
-      label: PROVIDER_LABEL,
-      docsPath: "/providers/models",
-      aliases: ["gemini-cli"],
-      envVars: ENV_VARS,
-      auth: [
-        {
-          id: "oauth",
-          label: "Google OAuth",
-          hint: "PKCE + localhost callback",
-          kind: "oauth",
-          run: async (ctx: ProviderAuthContext) => {
-            const spin = ctx.prompter.progress("Starting Gemini CLI OAuth…");
-            try {
-              const result = await loginGeminiCliOAuth({
-                isRemote: ctx.isRemote,
-                openUrl: ctx.openUrl,
-                log: (msg) => ctx.runtime.log(msg),
-                note: ctx.prompter.note,
-                prompt: async (message) => String(await ctx.prompter.text({ message })),
-                progress: spin,
-              });
-
-              spin.stop("Gemini CLI OAuth complete");
-              return buildOauthProviderAuthResult({
-                providerId: PROVIDER_ID,
-                defaultModel: DEFAULT_MODEL,
-                access: result.access,
-                refresh: result.refresh,
-                expires: result.expires,
-                email: result.email,
-                credentialExtra: { projectId: result.projectId },
-                notes: ["If requests fail, set GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID."],
-              });
-            } catch (err) {
-              spin.stop("Gemini CLI OAuth failed");
-              await ctx.prompter.note(
-                "Trouble with OAuth? Ensure your Google account has Gemini CLI access.",
-                "OAuth help",
-              );
-              throw err;
-            }
-          },
-        },
-      ],
-      resolveDynamicModel: (ctx) => resolveGeminiCliForwardCompatModel(ctx),
-      resolveUsageAuth: async (ctx) => {
-        const auth = await ctx.resolveOAuthToken();
-        if (!auth) {
-          return null;
-        }
-        return {
-          ...auth,
-          token: parseGoogleUsageToken(auth.token),
-        };
-      },
-      fetchUsageSnapshot: async (ctx) => await fetchGeminiCliUsage(ctx),
-    });
-  },
-};
-
-export default geminiCliPlugin;
diff --git a/extensions/google-gemini-cli-auth/oauth.ts b/extensions/google-gemini-cli-auth/oauth.ts
deleted file mode 100644
index 62881ec3a73..00000000000
--- a/extensions/google-gemini-cli-auth/oauth.ts
+++ /dev/null
@@ -1,734 +0,0 @@
-import { createHash, randomBytes } from "node:crypto";
-import { existsSync, readFileSync, readdirSync, realpathSync } from "node:fs";
-import { createServer } from "node:http";
-import { delimiter, dirname, join } from "node:path";
-import { fetchWithSsrFGuard, isWSL2Sync } from "openclaw/plugin-sdk/google-gemini-cli-auth";
-
-const CLIENT_ID_KEYS = ["OPENCLAW_GEMINI_OAUTH_CLIENT_ID", "GEMINI_CLI_OAUTH_CLIENT_ID"];
-const CLIENT_SECRET_KEYS = [
-  "OPENCLAW_GEMINI_OAUTH_CLIENT_SECRET",
-  "GEMINI_CLI_OAUTH_CLIENT_SECRET",
-];
-const REDIRECT_URI = "http://localhost:8085/oauth2callback";
-const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
-const TOKEN_URL = "https://oauth2.googleapis.com/token";
-const USERINFO_URL = "https://www.googleapis.com/oauth2/v1/userinfo?alt=json";
-const CODE_ASSIST_ENDPOINT_PROD = "https://cloudcode-pa.googleapis.com";
-const CODE_ASSIST_ENDPOINT_DAILY = "https://daily-cloudcode-pa.sandbox.googleapis.com";
-const CODE_ASSIST_ENDPOINT_AUTOPUSH = "https://autopush-cloudcode-pa.sandbox.googleapis.com";
-const LOAD_CODE_ASSIST_ENDPOINTS = [
-  CODE_ASSIST_ENDPOINT_PROD,
-  CODE_ASSIST_ENDPOINT_DAILY,
-  CODE_ASSIST_ENDPOINT_AUTOPUSH,
-];
-const DEFAULT_FETCH_TIMEOUT_MS = 10_000;
-const SCOPES = [
-  "https://www.googleapis.com/auth/cloud-platform",
-  "https://www.googleapis.com/auth/userinfo.email",
-  "https://www.googleapis.com/auth/userinfo.profile",
-];
-
-const TIER_FREE = "free-tier";
-const TIER_LEGACY = "legacy-tier";
-const TIER_STANDARD = "standard-tier";
-
-export type GeminiCliOAuthCredentials = {
-  access: string;
-  refresh: string;
-  expires: number;
-  email?: string;
-  projectId: string;
-};
-
-export type GeminiCliOAuthContext = {
-  isRemote: boolean;
-  openUrl: (url: string) => Promise<void>;
-  log: (msg: string) => void;
-  note: (message: string, title?: string) => Promise<void>;
-  prompt: (message: string) => Promise<string>;
-  progress: { update: (msg: string) => void; stop: (msg?: string) => void };
-};
-
-function resolveEnv(keys: string[]): string | undefined {
-  for (const key of keys) {
-    const value = process.env[key]?.trim();
-    if (value) {
-      return value;
-    }
-  }
-  return undefined;
-}
-
-let cachedGeminiCliCredentials: { clientId: string; clientSecret: string } | null = null;
-
-/** @internal */
-export function clearCredentialsCache(): void {
-  cachedGeminiCliCredentials = null;
-}
-
-/** Extracts OAuth credentials from the installed Gemini CLI's bundled oauth2.js. */
-export function extractGeminiCliCredentials(): { clientId: string; clientSecret: string } | null {
-  if (cachedGeminiCliCredentials) {
-    return cachedGeminiCliCredentials;
-  }
-
-  try {
-    const geminiPath = findInPath("gemini");
-    if (!geminiPath) {
-      return null;
-    }
-
-    const resolvedPath = realpathSync(geminiPath);
-    const geminiCliDirs = resolveGeminiCliDirs(geminiPath, resolvedPath);
-
-    let content: string | null = null;
-    for (const geminiCliDir of geminiCliDirs) {
-      const searchPaths = [
-        join(
-          geminiCliDir,
-          "node_modules",
-          "@google",
-          "gemini-cli-core",
-          "dist",
-          "src",
-          "code_assist",
-          "oauth2.js",
-        ),
-        join(
-          geminiCliDir,
-          "node_modules",
-          "@google",
-          "gemini-cli-core",
-          "dist",
-          "code_assist",
-          "oauth2.js",
-        ),
-      ];
-
-      for (const p of searchPaths) {
-        if (existsSync(p)) {
-          content = readFileSync(p, "utf8");
-          break;
-        }
-      }
-      if (content) {
-        break;
-      }
-      const found = findFile(geminiCliDir, "oauth2.js", 10);
-      if (found) {
-        content = readFileSync(found, "utf8");
-        break;
-      }
-    }
-    if (!content) {
-      return null;
-    }
-
-    const idMatch = content.match(/(\d+-[a-z0-9]+\.apps\.googleusercontent\.com)/);
-    const secretMatch = content.match(/(GOCSPX-[A-Za-z0-9_-]+)/);
-    if (idMatch && secretMatch) {
-      cachedGeminiCliCredentials = { clientId: idMatch[1], clientSecret: secretMatch[1] };
-      return cachedGeminiCliCredentials;
-    }
-  } catch {
-    // Gemini CLI not installed or extraction failed
-  }
-  return null;
-}
-
-function resolveGeminiCliDirs(geminiPath: string, resolvedPath: string): string[] {
-  const binDir = dirname(geminiPath);
-  const candidates = [
-    dirname(dirname(resolvedPath)),
-    join(dirname(resolvedPath), "node_modules", "@google", "gemini-cli"),
-    join(binDir, "node_modules", "@google", "gemini-cli"),
-    join(dirname(binDir), "node_modules", "@google", "gemini-cli"),
-    join(dirname(binDir), "lib", "node_modules", "@google", "gemini-cli"),
-  ];
-
-  const deduped: string[] = [];
-  const seen = new Set<string>();
-  for (const candidate of candidates) {
-    const key =
-      process.platform === "win32" ? candidate.replace(/\\/g, "/").toLowerCase() : candidate;
-    if (seen.has(key)) {
-      continue;
-    }
-    seen.add(key);
-    deduped.push(candidate);
-  }
-  return deduped;
-}
-
-function findInPath(name: string): string | null {
-  const exts = process.platform === "win32" ? [".cmd", ".bat", ".exe", ""] : [""];
-  for (const dir of (process.env.PATH ?? "").split(delimiter)) {
-    for (const ext of exts) {
-      const p = join(dir, name + ext);
-      if (existsSync(p)) {
-        return p;
-      }
-    }
-  }
-  return null;
-}
-
-function findFile(dir: string, name: string, depth: number): string | null {
-  if (depth <= 0) {
-    return null;
-  }
-  try {
-    for (const e of readdirSync(dir, { withFileTypes: true })) {
-      const p = join(dir, e.name);
-      if (e.isFile() && e.name === name) {
-        return p;
-      }
-      if (e.isDirectory() && !e.name.startsWith(".")) {
-        const found = findFile(p, name, depth - 1);
-        if (found) {
-          return found;
-        }
-      }
-    }
-  } catch {}
-  return null;
-}
-
-function resolveOAuthClientConfig(): { clientId: string; clientSecret?: string } {
-  // 1. Check env vars first (user override)
-  const envClientId = resolveEnv(CLIENT_ID_KEYS);
-  const envClientSecret = resolveEnv(CLIENT_SECRET_KEYS);
-  if (envClientId) {
-    return { clientId: envClientId, clientSecret: envClientSecret };
-  }
-
-  // 2. Try to extract from installed Gemini CLI
-  const extracted = extractGeminiCliCredentials();
-  if (extracted) {
-    return extracted;
-  }
-
-  // 3. No credentials available
-  throw new Error(
-    "Gemini CLI not found. Install it first: brew install gemini-cli (or npm install -g @google/gemini-cli), or set GEMINI_CLI_OAUTH_CLIENT_ID.",
-  );
-}
-
-function shouldUseManualOAuthFlow(isRemote: boolean): boolean {
-  return isRemote || isWSL2Sync();
-}
-
-function generatePkce(): { verifier: string; challenge: string } {
-  const verifier = randomBytes(32).toString("hex");
-  const challenge = createHash("sha256").update(verifier).digest("base64url");
-  return { verifier, challenge };
-}
-
-function resolvePlatform(): "WINDOWS" | "MACOS" | "PLATFORM_UNSPECIFIED" {
-  if (process.platform === "win32") {
-    return "WINDOWS";
-  }
-  if (process.platform === "darwin") {
-    return "MACOS";
-  }
-  // Google's loadCodeAssist API rejects "LINUX" as an invalid Platform enum value.
-  // Use "PLATFORM_UNSPECIFIED" for Linux and other platforms to match the pi-ai runtime.
-  return "PLATFORM_UNSPECIFIED";
-}
-
-async function fetchWithTimeout(
-  url: string,
-  init: RequestInit,
-  timeoutMs = DEFAULT_FETCH_TIMEOUT_MS,
-): Promise<Response> {
-  const { response, release } = await fetchWithSsrFGuard({
-    url,
-    init,
-    timeoutMs,
-  });
-  try {
-    const body = await response.arrayBuffer();
-    return new Response(body, {
-      status: response.status,
-      statusText: response.statusText,
-      headers: response.headers,
-    });
-  } finally {
-    await release();
-  }
-}
-
-function buildAuthUrl(challenge: string, verifier: string): string {
-  const { clientId } = resolveOAuthClientConfig();
-  const params = new URLSearchParams({
-    client_id: clientId,
-    response_type: "code",
-    redirect_uri: REDIRECT_URI,
-    scope: SCOPES.join(" "),
-    code_challenge: challenge,
-    code_challenge_method: "S256",
-    state: verifier,
-    access_type: "offline",
-    prompt: "consent",
-  });
-  return `${AUTH_URL}?${params.toString()}`;
-}
-
-function parseCallbackInput(
-  input: string,
-  expectedState: string,
-): { code: string; state: string } | { error: string } {
-  const trimmed = input.trim();
-  if (!trimmed) {
-    return { error: "No input provided" };
-  }
-
-  try {
-    const url = new URL(trimmed);
-    const code = url.searchParams.get("code");
-    const state = url.searchParams.get("state") ?? expectedState;
-    if (!code) {
-      return { error: "Missing 'code' parameter in URL" };
-    }
-    if (!state) {
-      return { error: "Missing 'state' parameter. Paste the full URL." };
-    }
-    return { code, state };
-  } catch {
-    if (!expectedState) {
-      return { error: "Paste the full redirect URL, not just the code." };
-    }
-    return { code: trimmed, state: expectedState };
-  }
-}
-
-async function waitForLocalCallback(params: {
-  expectedState: string;
-  timeoutMs: number;
-  onProgress?: (message: string) => void;
-}): Promise<{ code: string; state: string }> {
-  const port = 8085;
-  const hostname = "localhost";
-  const expectedPath = "/oauth2callback";
-
-  return new Promise<{ code: string; state: string }>((resolve, reject) => {
-    let timeout: NodeJS.Timeout | null = null;
-    const server = createServer((req, res) => {
-      try {
-        const requestUrl = new URL(req.url ?? "/", `http://${hostname}:${port}`);
-        if (requestUrl.pathname !== expectedPath) {
-          res.statusCode = 404;
-          res.setHeader("Content-Type", "text/plain");
-          res.end("Not found");
-          return;
-        }
-
-        const error = requestUrl.searchParams.get("error");
-        const code = requestUrl.searchParams.get("code")?.trim();
-        const state = requestUrl.searchParams.get("state")?.trim();
-
-        if (error) {
-          res.statusCode = 400;
-          res.setHeader("Content-Type", "text/plain");
-          res.end(`Authentication failed: ${error}`);
-          finish(new Error(`OAuth error: ${error}`));
-          return;
-        }
-
-        if (!code || !state) {
-          res.statusCode = 400;
-          res.setHeader("Content-Type", "text/plain");
-          res.end("Missing code or state");
-          finish(new Error("Missing OAuth code or state"));
-          return;
-        }
-
-        if (state !== params.expectedState) {
-          res.statusCode = 400;
-          res.setHeader("Content-Type", "text/plain");
-          res.end("Invalid state");
-          finish(new Error("OAuth state mismatch"));
-          return;
-        }
-
-        res.statusCode = 200;
-        res.setHeader("Content-Type", "text/html; charset=utf-8");
-        res.end(
-          "<!doctype html><html><head><meta charset='utf-8'/></head>" +
-            "<body><h2>Gemini CLI OAuth complete</h2>" +
-            "<p>You can close this window and return to OpenClaw.</p></body></html>",
-        );
-
-        finish(undefined, { code, state });
-      } catch (err) {
-        finish(err instanceof Error ? err : new Error("OAuth callback failed"));
-      }
-    });
-
-    const finish = (err?: Error, result?: { code: string; state: string }) => {
-      if (timeout) {
-        clearTimeout(timeout);
-      }
-      try {
-        server.close();
-      } catch {
-        // ignore close errors
-      }
-      if (err) {
-        reject(err);
-      } else if (result) {
-        resolve(result);
-      }
-    };
-
-    server.once("error", (err) => {
-      finish(err instanceof Error ? err : new Error("OAuth callback server error"));
-    });
-
-    server.listen(port, hostname, () => {
-      params.onProgress?.(`Waiting for OAuth callback on ${REDIRECT_URI}…`);
-    });
-
-    timeout = setTimeout(() => {
-      finish(new Error("OAuth callback timeout"));
-    }, params.timeoutMs);
-  });
-}
-
-async function exchangeCodeForTokens(
-  code: string,
-  verifier: string,
-): Promise<GeminiCliOAuthCredentials> {
-  const { clientId, clientSecret } = resolveOAuthClientConfig();
-  const body = new URLSearchParams({
-    client_id: clientId,
-    code,
-    grant_type: "authorization_code",
-    redirect_uri: REDIRECT_URI,
-    code_verifier: verifier,
-  });
-  if (clientSecret) {
-    body.set("client_secret", clientSecret);
-  }
-
-  const response = await fetchWithTimeout(TOKEN_URL, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
-      Accept: "*/*",
-      "User-Agent": "google-api-nodejs-client/9.15.1",
-    },
-    body,
-  });
-
-  if (!response.ok) {
-    const errorText = await response.text();
-    throw new Error(`Token exchange failed: ${errorText}`);
-  }
-
-  const data = (await response.json()) as {
-    access_token: string;
-    refresh_token: string;
-    expires_in: number;
-  };
-
-  if (!data.refresh_token) {
-    throw new Error("No refresh token received. Please try again.");
-  }
-
-  const email = await getUserEmail(data.access_token);
-  const projectId = await discoverProject(data.access_token);
-  const expiresAt = Date.now() + data.expires_in * 1000 - 5 * 60 * 1000;
-
-  return {
-    refresh: data.refresh_token,
-    access: data.access_token,
-    expires: expiresAt,
-    projectId,
-    email,
-  };
-}
-
-async function getUserEmail(accessToken: string): Promise<string | undefined> {
-  try {
-    const response = await fetchWithTimeout(USERINFO_URL, {
-      headers: { Authorization: `Bearer ${accessToken}` },
-    });
-    if (response.ok) {
-      const data = (await response.json()) as { email?: string };
-      return data.email;
-    }
-  } catch {
-    // ignore
-  }
-  return undefined;
-}
-
-async function discoverProject(accessToken: string): Promise<string> {
-  const envProject = process.env.GOOGLE_CLOUD_PROJECT || process.env.GOOGLE_CLOUD_PROJECT_ID;
-  const platform = resolvePlatform();
-  const metadata = {
-    ideType: "ANTIGRAVITY",
-    platform,
-    pluginType: "GEMINI",
-  };
-  const headers = {
-    Authorization: `Bearer ${accessToken}`,
-    "Content-Type": "application/json",
-    "User-Agent": "google-api-nodejs-client/9.15.1",
-    "X-Goog-Api-Client": `gl-node/${process.versions.node}`,
-    "Client-Metadata": JSON.stringify(metadata),
-  };
-
-  const loadBody = {
-    ...(envProject ? { cloudaicompanionProject: envProject } : {}),
-    metadata: {
-      ...metadata,
-      ...(envProject ? { duetProject: envProject } : {}),
-    },
-  };
-
-  let data: {
-    currentTier?: { id?: string };
-    cloudaicompanionProject?: string | { id?: string };
-    allowedTiers?: Array<{ id?: string; isDefault?: boolean }>;
-  } = {};
-  let activeEndpoint = CODE_ASSIST_ENDPOINT_PROD;
-  let loadError: Error | undefined;
-  for (const endpoint of LOAD_CODE_ASSIST_ENDPOINTS) {
-    try {
-      const response = await fetchWithTimeout(`${endpoint}/v1internal:loadCodeAssist`, {
-        method: "POST",
-        headers,
-        body: JSON.stringify(loadBody),
-      });
-
-      if (!response.ok) {
-        const errorPayload = await response.json().catch(() => null);
-        if (isVpcScAffected(errorPayload)) {
-          data = { currentTier: { id: TIER_STANDARD } };
-          activeEndpoint = endpoint;
-          loadError = undefined;
-          break;
-        }
-        loadError = new Error(`loadCodeAssist failed: ${response.status} ${response.statusText}`);
-        continue;
-      }
-
-      data = (await response.json()) as typeof data;
-      activeEndpoint = endpoint;
-      loadError = undefined;
-      break;
-    } catch (err) {
-      loadError = err instanceof Error ? err : new Error("loadCodeAssist failed", { cause: err });
-    }
-  }
-
-  const hasLoadCodeAssistData =
-    Boolean(data.currentTier) ||
-    Boolean(data.cloudaicompanionProject) ||
-    Boolean(data.allowedTiers?.length);
-  if (!hasLoadCodeAssistData && loadError) {
-    if (envProject) {
-      return envProject;
-    }
-    throw loadError;
-  }
-
-  if (data.currentTier) {
-    const project = data.cloudaicompanionProject;
-    if (typeof project === "string" && project) {
-      return project;
-    }
-    if (typeof project === "object" && project?.id) {
-      return project.id;
-    }
-    if (envProject) {
-      return envProject;
-    }
-    throw new Error(
-      "This account requires GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID to be set.",
-    );
-  }
-
-  const tier = getDefaultTier(data.allowedTiers);
-  const tierId = tier?.id || TIER_FREE;
-  if (tierId !== TIER_FREE && !envProject) {
-    throw new Error(
-      "This account requires GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID to be set.",
-    );
-  }
-
-  const onboardBody: Record<string, unknown> = {
-    tierId,
-    metadata: {
-      ...metadata,
-    },
-  };
-  if (tierId !== TIER_FREE && envProject) {
-    onboardBody.cloudaicompanionProject = envProject;
-    (onboardBody.metadata as Record<string, unknown>).duetProject = envProject;
-  }
-
-  const onboardResponse = await fetchWithTimeout(`${activeEndpoint}/v1internal:onboardUser`, {
-    method: "POST",
-    headers,
-    body: JSON.stringify(onboardBody),
-  });
-
-  if (!onboardResponse.ok) {
-    throw new Error(`onboardUser failed: ${onboardResponse.status} ${onboardResponse.statusText}`);
-  }
-
-  let lro = (await onboardResponse.json()) as {
-    done?: boolean;
-    name?: string;
-    response?: { cloudaicompanionProject?: { id?: string } };
-  };
-
-  if (!lro.done && lro.name) {
-    lro = await pollOperation(activeEndpoint, lro.name, headers);
-  }
-
-  const projectId = lro.response?.cloudaicompanionProject?.id;
-  if (projectId) {
-    return projectId;
-  }
-  if (envProject) {
-    return envProject;
-  }
-
-  throw new Error(
-    "Could not discover or provision a Google Cloud project. Set GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID.",
-  );
-}
-
-function isVpcScAffected(payload: unknown): boolean {
-  if (!payload || typeof payload !== "object") {
-    return false;
-  }
-  const error = (payload as { error?: unknown }).error;
-  if (!error || typeof error !== "object") {
-    return false;
-  }
-  const details = (error as { details?: unknown[] }).details;
-  if (!Array.isArray(details)) {
-    return false;
-  }
-  return details.some(
-    (item) =>
-      typeof item === "object" &&
-      item &&
-      (item as { reason?: string }).reason === "SECURITY_POLICY_VIOLATED",
-  );
-}
-
-function getDefaultTier(
-  allowedTiers?: Array<{ id?: string; isDefault?: boolean }>,
-): { id?: string } | undefined {
-  if (!allowedTiers?.length) {
-    return { id: TIER_LEGACY };
-  }
-  return allowedTiers.find((tier) => tier.isDefault) ?? { id: TIER_LEGACY };
-}
-
-async function pollOperation(
-  endpoint: string,
-  operationName: string,
-  headers: Record<string, string>,
-): Promise<{ done?: boolean; response?: { cloudaicompanionProject?: { id?: string } } }> {
-  for (let attempt = 0; attempt < 24; attempt += 1) {
-    await new Promise((resolve) => setTimeout(resolve, 5000));
-    const response = await fetchWithTimeout(`${endpoint}/v1internal/${operationName}`, {
-      headers,
-    });
-    if (!response.ok) {
-      continue;
-    }
-    const data = (await response.json()) as {
-      done?: boolean;
-      response?: { cloudaicompanionProject?: { id?: string } };
-    };
-    if (data.done) {
-      return data;
-    }
-  }
-  throw new Error("Operation polling timeout");
-}
-
-export async function loginGeminiCliOAuth(
-  ctx: GeminiCliOAuthContext,
-): Promise<GeminiCliOAuthCredentials> {
-  const needsManual = shouldUseManualOAuthFlow(ctx.isRemote);
-  await ctx.note(
-    needsManual
-      ? [
-          "You are running in a remote/VPS environment.",
-          "A URL will be shown for you to open in your LOCAL browser.",
-          "After signing in, copy the redirect URL and paste it back here.",
-        ].join("\n")
-      : [
-          "Browser will open for Google authentication.",
-          "Sign in with your Google account for Gemini CLI access.",
-          "The callback will be captured automatically on localhost:8085.",
-        ].join("\n"),
-    "Gemini CLI OAuth",
-  );
-
-  const { verifier, challenge } = generatePkce();
-  const authUrl = buildAuthUrl(challenge, verifier);
-
-  if (needsManual) {
-    ctx.progress.update("OAuth URL ready");
-    ctx.log(`\nOpen this URL in your LOCAL browser:\n\n${authUrl}\n`);
-    ctx.progress.update("Waiting for you to paste the callback URL...");
-    const callbackInput = await ctx.prompt("Paste the redirect URL here: ");
-    const parsed = parseCallbackInput(callbackInput, verifier);
-    if ("error" in parsed) {
-      throw new Error(parsed.error);
-    }
-    if (parsed.state !== verifier) {
-      throw new Error("OAuth state mismatch - please try again");
-    }
-    ctx.progress.update("Exchanging authorization code for tokens...");
-    return exchangeCodeForTokens(parsed.code, verifier);
-  }
-
-  ctx.progress.update("Complete sign-in in browser...");
-  try {
-    await ctx.openUrl(authUrl);
-  } catch {
-    ctx.log(`\nOpen this URL in your browser:\n\n${authUrl}\n`);
-  }
-
-  try {
-    const { code } = await waitForLocalCallback({
-      expectedState: verifier,
-      timeoutMs: 5 * 60 * 1000,
-      onProgress: (msg) => ctx.progress.update(msg),
-    });
-    ctx.progress.update("Exchanging authorization code for tokens...");
-    return await exchangeCodeForTokens(code, verifier);
-  } catch (err) {
-    if (
-      err instanceof Error &&
-      (err.message.includes("EADDRINUSE") ||
-        err.message.includes("port") ||
-        err.message.includes("listen"))
-    ) {
-      ctx.progress.update("Local callback server failed. Switching to manual mode...");
-      ctx.log(`\nOpen this URL in your LOCAL browser:\n\n${authUrl}\n`);
-      const callbackInput = await ctx.prompt("Paste the redirect URL here: ");
-      const parsed = parseCallbackInput(callbackInput, verifier);
-      if ("error" in parsed) {
-        throw new Error(parsed.error, { cause: err });
-      }
-      if (parsed.state !== verifier) {
-        throw new Error("OAuth state mismatch - please try again", { cause: err });
-      }
-      ctx.progress.update("Exchanging authorization code for tokens...");
-      return exchangeCodeForTokens(parsed.code, verifier);
-    }
-    throw err;
-  }
-}
diff --git a/extensions/google/gemini-cli-provider.ts b/extensions/google/gemini-cli-provider.ts
new file mode 100644
index 00000000000..926913f7390
--- /dev/null
+++ b/extensions/google/gemini-cli-provider.ts
@@ -0,0 +1,140 @@
+import { fetchGeminiUsage } from "../../src/infra/provider-usage.fetch.js";
+import { buildOauthProviderAuthResult } from "../../src/plugin-sdk/provider-auth-result.js";
+import type {
+  OpenClawPluginApi,
+  ProviderAuthContext,
+  ProviderFetchUsageSnapshotContext,
+} from "../../src/plugins/types.js";
+import { loginGeminiCliOAuth } from "./oauth.js";
+import { isModernGoogleModel, resolveGoogle31ForwardCompatModel } from "./provider-models.js";
+
+const PROVIDER_ID = "google-gemini-cli";
+const PROVIDER_LABEL = "Gemini CLI OAuth";
+const DEFAULT_MODEL = "google-gemini-cli/gemini-3.1-pro-preview";
+const ENV_VARS = [
+  "OPENCLAW_GEMINI_OAUTH_CLIENT_ID",
+  "OPENCLAW_GEMINI_OAUTH_CLIENT_SECRET",
+  "GEMINI_CLI_OAUTH_CLIENT_ID",
+  "GEMINI_CLI_OAUTH_CLIENT_SECRET",
+];
+
+function parseGoogleUsageToken(apiKey: string): string {
+  try {
+    const parsed = JSON.parse(apiKey) as { token?: unknown };
+    if (typeof parsed?.token === "string") {
+      return parsed.token;
+    }
+  } catch {
+    // ignore
+  }
+  return apiKey;
+}
+
+function formatGoogleOauthApiKey(cred: {
+  type?: string;
+  access?: string;
+  projectId?: string;
+}): string {
+  if (cred.type !== "oauth" || typeof cred.access !== "string" || !cred.access.trim()) {
+    return "";
+  }
+  return JSON.stringify({
+    token: cred.access,
+    projectId: cred.projectId,
+  });
+}
+
+async function fetchGeminiCliUsage(ctx: ProviderFetchUsageSnapshotContext) {
+  return await fetchGeminiUsage(ctx.token, ctx.timeoutMs, ctx.fetchFn, PROVIDER_ID);
+}
+
+export function registerGoogleGeminiCliProvider(api: OpenClawPluginApi) {
+  api.registerProvider({
+    id: PROVIDER_ID,
+    label: PROVIDER_LABEL,
+    docsPath: "/providers/models",
+    aliases: ["gemini-cli"],
+    envVars: ENV_VARS,
+    auth: [
+      {
+        id: "oauth",
+        label: "Google OAuth",
+        hint: "PKCE + localhost callback",
+        kind: "oauth",
+        run: async (ctx: ProviderAuthContext) => {
+          await ctx.prompter.note(
+            [
+              "This is an unofficial integration and is not endorsed by Google.",
+              "Some users have reported account restrictions or suspensions after using third-party Gemini CLI and Antigravity OAuth clients.",
+              "Proceed only if you understand and accept this risk.",
+            ].join("\n"),
+            "Google Gemini CLI caution",
+          );
+
+          const proceed = await ctx.prompter.confirm({
+            message: "Continue with Google Gemini CLI OAuth?",
+            initialValue: false,
+          });
+          if (!proceed) {
+            await ctx.prompter.note("Skipped Google Gemini CLI OAuth setup.", "Setup skipped");
+            return { profiles: [] };
+          }
+
+          const spin = ctx.prompter.progress("Starting Gemini CLI OAuth…");
+          try {
+            const result = await loginGeminiCliOAuth({
+              isRemote: ctx.isRemote,
+              openUrl: ctx.openUrl,
+              log: (msg) => ctx.runtime.log(msg),
+              note: ctx.prompter.note,
+              prompt: async (message) => String(await ctx.prompter.text({ message })),
+              progress: spin,
+            });
+
+            spin.stop("Gemini CLI OAuth complete");
+            return buildOauthProviderAuthResult({
+              providerId: PROVIDER_ID,
+              defaultModel: DEFAULT_MODEL,
+              access: result.access,
+              refresh: result.refresh,
+              expires: result.expires,
+              email: result.email,
+              credentialExtra: { projectId: result.projectId },
+              notes: ["If requests fail, set GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID."],
+            });
+          } catch (err) {
+            spin.stop("Gemini CLI OAuth failed");
+            await ctx.prompter.note(
+              "Trouble with OAuth? Ensure your Google account has Gemini CLI access.",
+              "OAuth help",
+            );
+            throw err;
+          }
+        },
+      },
+    ],
+    wizard: {
+      setup: {
+        choiceId: "google-gemini-cli",
+        choiceLabel: "Gemini CLI OAuth",
+        choiceHint: "Google OAuth with project-aware token payload",
+        methodId: "oauth",
+      },
+    },
+    resolveDynamicModel: (ctx) =>
+      resolveGoogle31ForwardCompatModel({ providerId: PROVIDER_ID, ctx }),
+    isModernModelRef: ({ modelId }) => isModernGoogleModel(modelId),
+    formatApiKey: (cred) => formatGoogleOauthApiKey(cred),
+    resolveUsageAuth: async (ctx) => {
+      const auth = await ctx.resolveOAuthToken();
+      if (!auth) {
+        return null;
+      }
+      return {
+        ...auth,
+        token: parseGoogleUsageToken(auth.token),
+      };
+    },
+    fetchUsageSnapshot: async (ctx) => await fetchGeminiCliUsage(ctx),
+  });
+}
diff --git a/extensions/google/index.ts b/extensions/google/index.ts
new file mode 100644
index 00000000000..59d417e9349
--- /dev/null
+++ b/extensions/google/index.ts
@@ -0,0 +1,72 @@
+import {
+  createPluginBackedWebSearchProvider,
+  getScopedCredentialValue,
+  setScopedCredentialValue,
+} from "../../src/agents/tools/web-search-plugin-factory.js";
+import {
+  GOOGLE_GEMINI_DEFAULT_MODEL,
+  applyGoogleGeminiModelDefault,
+} from "../../src/commands/google-gemini-model-default.js";
+import { emptyPluginConfigSchema } from "../../src/plugins/config-schema.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
+import type { OpenClawPluginApi } from "../../src/plugins/types.js";
+import { registerGoogleGeminiCliProvider } from "./gemini-cli-provider.js";
+import { isModernGoogleModel, resolveGoogle31ForwardCompatModel } from "./provider-models.js";
+
+const googlePlugin = {
+  id: "google",
+  name: "Google Plugin",
+  description: "Bundled Google plugin",
+  configSchema: emptyPluginConfigSchema(),
+  register(api: OpenClawPluginApi) {
+    api.registerProvider({
+      id: "google",
+      label: "Google AI Studio",
+      docsPath: "/providers/models",
+      envVars: ["GEMINI_API_KEY", "GOOGLE_API_KEY"],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: "google",
+          methodId: "api-key",
+          label: "Google Gemini API key",
+          hint: "AI Studio / Gemini API key",
+          optionKey: "geminiApiKey",
+          flagName: "--gemini-api-key",
+          envVar: "GEMINI_API_KEY",
+          promptMessage: "Enter Gemini API key",
+          defaultModel: GOOGLE_GEMINI_DEFAULT_MODEL,
+          expectedProviders: ["google"],
+          applyConfig: (cfg) => applyGoogleGeminiModelDefault(cfg).next,
+          wizard: {
+            choiceId: "gemini-api-key",
+            choiceLabel: "Google Gemini API key",
+            groupId: "google",
+            groupLabel: "Google",
+            groupHint: "Gemini API key + OAuth",
+          },
+        }),
+      ],
+      resolveDynamicModel: (ctx) =>
+        resolveGoogle31ForwardCompatModel({ providerId: "google", ctx }),
+      isModernModelRef: ({ modelId }) => isModernGoogleModel(modelId),
+    });
+    registerGoogleGeminiCliProvider(api);
+    api.registerWebSearchProvider(
+      createPluginBackedWebSearchProvider({
+        id: "gemini",
+        label: "Gemini (Google Search)",
+        hint: "Google Search grounding · AI-synthesized",
+        envVars: ["GEMINI_API_KEY"],
+        placeholder: "AIza...",
+        signupUrl: "https://aistudio.google.com/apikey",
+        docsUrl: "https://docs.openclaw.ai/tools/web",
+        autoDetectOrder: 20,
+        getCredentialValue: (searchConfig) => getScopedCredentialValue(searchConfig, "gemini"),
+        setCredentialValue: (searchConfigTarget, value) =>
+          setScopedCredentialValue(searchConfigTarget, "gemini", value),
+      }),
+    );
+  },
+};
+
+export default googlePlugin;
diff --git a/extensions/google/oauth.credentials.ts b/extensions/google/oauth.credentials.ts
new file mode 100644
index 00000000000..1c1e88db042
--- /dev/null
+++ b/extensions/google/oauth.credentials.ts
@@ -0,0 +1,163 @@
+import { existsSync, readFileSync, readdirSync, realpathSync } from "node:fs";
+import { delimiter, dirname, join } from "node:path";
+import { CLIENT_ID_KEYS, CLIENT_SECRET_KEYS } from "./oauth.shared.js";
+
+function resolveEnv(keys: string[]): string | undefined {
+  for (const key of keys) {
+    const value = process.env[key]?.trim();
+    if (value) {
+      return value;
+    }
+  }
+  return undefined;
+}
+
+let cachedGeminiCliCredentials: { clientId: string; clientSecret: string } | null = null;
+
+export function clearCredentialsCache(): void {
+  cachedGeminiCliCredentials = null;
+}
+
+export function extractGeminiCliCredentials(): { clientId: string; clientSecret: string } | null {
+  if (cachedGeminiCliCredentials) {
+    return cachedGeminiCliCredentials;
+  }
+
+  try {
+    const geminiPath = findInPath("gemini");
+    if (!geminiPath) {
+      return null;
+    }
+
+    const resolvedPath = realpathSync(geminiPath);
+    const geminiCliDirs = resolveGeminiCliDirs(geminiPath, resolvedPath);
+
+    let content: string | null = null;
+    for (const geminiCliDir of geminiCliDirs) {
+      const searchPaths = [
+        join(
+          geminiCliDir,
+          "node_modules",
+          "@google",
+          "gemini-cli-core",
+          "dist",
+          "src",
+          "code_assist",
+          "oauth2.js",
+        ),
+        join(
+          geminiCliDir,
+          "node_modules",
+          "@google",
+          "gemini-cli-core",
+          "dist",
+          "code_assist",
+          "oauth2.js",
+        ),
+      ];
+
+      for (const path of searchPaths) {
+        if (existsSync(path)) {
+          content = readFileSync(path, "utf8");
+          break;
+        }
+      }
+      if (content) {
+        break;
+      }
+      const found = findFile(geminiCliDir, "oauth2.js", 10);
+      if (found) {
+        content = readFileSync(found, "utf8");
+        break;
+      }
+    }
+    if (!content) {
+      return null;
+    }
+
+    const idMatch = content.match(/(\d+-[a-z0-9]+\.apps\.googleusercontent\.com)/);
+    const secretMatch = content.match(/(GOCSPX-[A-Za-z0-9_-]+)/);
+    if (idMatch && secretMatch) {
+      cachedGeminiCliCredentials = { clientId: idMatch[1], clientSecret: secretMatch[1] };
+      return cachedGeminiCliCredentials;
+    }
+  } catch {
+    // Gemini CLI not installed or extraction failed
+  }
+  return null;
+}
+
+function resolveGeminiCliDirs(geminiPath: string, resolvedPath: string): string[] {
+  const binDir = dirname(geminiPath);
+  const candidates = [
+    dirname(dirname(resolvedPath)),
+    join(dirname(resolvedPath), "node_modules", "@google", "gemini-cli"),
+    join(binDir, "node_modules", "@google", "gemini-cli"),
+    join(dirname(binDir), "node_modules", "@google", "gemini-cli"),
+    join(dirname(binDir), "lib", "node_modules", "@google", "gemini-cli"),
+  ];
+
+  const deduped: string[] = [];
+  const seen = new Set<string>();
+  for (const candidate of candidates) {
+    const key =
+      process.platform === "win32" ? candidate.replace(/\\/g, "/").toLowerCase() : candidate;
+    if (seen.has(key)) {
+      continue;
+    }
+    seen.add(key);
+    deduped.push(candidate);
+  }
+  return deduped;
+}
+
+function findInPath(name: string): string | null {
+  const exts = process.platform === "win32" ? [".cmd", ".bat", ".exe", ""] : [""];
+  for (const dir of (process.env.PATH ?? "").split(delimiter)) {
+    for (const ext of exts) {
+      const path = join(dir, name + ext);
+      if (existsSync(path)) {
+        return path;
+      }
+    }
+  }
+  return null;
+}
+
+function findFile(dir: string, name: string, depth: number): string | null {
+  if (depth <= 0) {
+    return null;
+  }
+  try {
+    for (const entry of readdirSync(dir, { withFileTypes: true })) {
+      const path = join(dir, entry.name);
+      if (entry.isFile() && entry.name === name) {
+        return path;
+      }
+      if (entry.isDirectory() && !entry.name.startsWith(".")) {
+        const found = findFile(path, name, depth - 1);
+        if (found) {
+          return found;
+        }
+      }
+    }
+  } catch {}
+  return null;
+}
+
+export function resolveOAuthClientConfig(): { clientId: string; clientSecret?: string } {
+  const envClientId = resolveEnv(CLIENT_ID_KEYS);
+  const envClientSecret = resolveEnv(CLIENT_SECRET_KEYS);
+  if (envClientId) {
+    return { clientId: envClientId, clientSecret: envClientSecret };
+  }
+
+  const extracted = extractGeminiCliCredentials();
+  if (extracted) {
+    return extracted;
+  }
+
+  throw new Error(
+    "Gemini CLI not found. Install it first: brew install gemini-cli (or npm install -g @google/gemini-cli), or set GEMINI_CLI_OAUTH_CLIENT_ID.",
+  );
+}
diff --git a/extensions/google/oauth.flow.ts b/extensions/google/oauth.flow.ts
new file mode 100644
index 00000000000..00cab07dc68
--- /dev/null
+++ b/extensions/google/oauth.flow.ts
@@ -0,0 +1,152 @@
+import { createHash, randomBytes } from "node:crypto";
+import { createServer } from "node:http";
+import { isWSL2Sync } from "../../src/infra/wsl.js";
+import { resolveOAuthClientConfig } from "./oauth.credentials.js";
+import { AUTH_URL, REDIRECT_URI, SCOPES } from "./oauth.shared.js";
+
+export function shouldUseManualOAuthFlow(isRemote: boolean): boolean {
+  return isRemote || isWSL2Sync();
+}
+
+export function generatePkce(): { verifier: string; challenge: string } {
+  const verifier = randomBytes(32).toString("hex");
+  const challenge = createHash("sha256").update(verifier).digest("base64url");
+  return { verifier, challenge };
+}
+
+export function buildAuthUrl(challenge: string, verifier: string): string {
+  const { clientId } = resolveOAuthClientConfig();
+  const params = new URLSearchParams({
+    client_id: clientId,
+    response_type: "code",
+    redirect_uri: REDIRECT_URI,
+    scope: SCOPES.join(" "),
+    code_challenge: challenge,
+    code_challenge_method: "S256",
+    state: verifier,
+    access_type: "offline",
+    prompt: "consent",
+  });
+  return `${AUTH_URL}?${params.toString()}`;
+}
+
+export function parseCallbackInput(
+  input: string,
+  expectedState: string,
+): { code: string; state: string } | { error: string } {
+  const trimmed = input.trim();
+  if (!trimmed) {
+    return { error: "No input provided" };
+  }
+
+  try {
+    const url = new URL(trimmed);
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state") ?? expectedState;
+    if (!code) {
+      return { error: "Missing 'code' parameter in URL" };
+    }
+    if (!state) {
+      return { error: "Missing 'state' parameter. Paste the full URL." };
+    }
+    return { code, state };
+  } catch {
+    if (!expectedState) {
+      return { error: "Paste the full redirect URL, not just the code." };
+    }
+    return { code: trimmed, state: expectedState };
+  }
+}
+
+export async function waitForLocalCallback(params: {
+  expectedState: string;
+  timeoutMs: number;
+  onProgress?: (message: string) => void;
+}): Promise<{ code: string; state: string }> {
+  const port = 8085;
+  const hostname = "localhost";
+  const expectedPath = "/oauth2callback";
+
+  return new Promise<{ code: string; state: string }>((resolve, reject) => {
+    let timeout: NodeJS.Timeout | null = null;
+    const server = createServer((req, res) => {
+      try {
+        const requestUrl = new URL(req.url ?? "/", `http://${hostname}:${port}`);
+        if (requestUrl.pathname !== expectedPath) {
+          res.statusCode = 404;
+          res.setHeader("Content-Type", "text/plain");
+          res.end("Not found");
+          return;
+        }
+
+        const error = requestUrl.searchParams.get("error");
+        const code = requestUrl.searchParams.get("code")?.trim();
+        const state = requestUrl.searchParams.get("state")?.trim();
+
+        if (error) {
+          res.statusCode = 400;
+          res.setHeader("Content-Type", "text/plain");
+          res.end(`Authentication failed: ${error}`);
+          finish(new Error(`OAuth error: ${error}`));
+          return;
+        }
+
+        if (!code || !state) {
+          res.statusCode = 400;
+          res.setHeader("Content-Type", "text/plain");
+          res.end("Missing code or state");
+          finish(new Error("Missing OAuth code or state"));
+          return;
+        }
+
+        if (state !== params.expectedState) {
+          res.statusCode = 400;
+          res.setHeader("Content-Type", "text/plain");
+          res.end("Invalid state");
+          finish(new Error("OAuth state mismatch"));
+          return;
+        }
+
+        res.statusCode = 200;
+        res.setHeader("Content-Type", "text/html; charset=utf-8");
+        res.end(
+          "<!doctype html><html><head><meta charset='utf-8'/></head>" +
+            "<body><h2>Gemini CLI OAuth complete</h2>" +
+            "<p>You can close this window and return to OpenClaw.</p></body></html>",
+        );
+
+        finish(undefined, { code, state });
+      } catch (err) {
+        finish(err instanceof Error ? err : new Error("OAuth callback failed"));
+      }
+    });
+
+    const finish = (err?: Error, result?: { code: string; state: string }) => {
+      if (timeout) {
+        clearTimeout(timeout);
+      }
+      try {
+        server.close();
+      } catch {
+        // ignore close errors
+      }
+      if (err) {
+        reject(err);
+      } else if (result) {
+        resolve(result);
+      }
+    };
+
+    server.once("error", (err) => {
+      finish(err instanceof Error ? err : new Error("OAuth callback server error"));
+    });
+
+    server.listen(port, hostname, () => {
+      params.onProgress?.(`Waiting for OAuth callback on ${REDIRECT_URI}…`);
+    });
+
+    timeout = setTimeout(() => {
+      finish(new Error("OAuth callback timeout"));
+    }, params.timeoutMs);
+  });
+}
diff --git a/extensions/google/oauth.http.ts b/extensions/google/oauth.http.ts
new file mode 100644
index 00000000000..6c07c447143
--- /dev/null
+++ b/extensions/google/oauth.http.ts
@@ -0,0 +1,24 @@
+import { fetchWithSsrFGuard } from "../../src/infra/net/fetch-guard.js";
+import { DEFAULT_FETCH_TIMEOUT_MS } from "./oauth.shared.js";
+
+export async function fetchWithTimeout(
+  url: string,
+  init: RequestInit,
+  timeoutMs = DEFAULT_FETCH_TIMEOUT_MS,
+): Promise<Response> {
+  const { response, release } = await fetchWithSsrFGuard({
+    url,
+    init,
+    timeoutMs,
+  });
+  try {
+    const body = await response.arrayBuffer();
+    return new Response(body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: response.headers,
+    });
+  } finally {
+    await release();
+  }
+}
diff --git a/extensions/google/oauth.project.ts b/extensions/google/oauth.project.ts
new file mode 100644
index 00000000000..fa163b12f19
--- /dev/null
+++ b/extensions/google/oauth.project.ts
@@ -0,0 +1,235 @@
+import { fetchWithTimeout } from "./oauth.http.js";
+import {
+  CODE_ASSIST_ENDPOINT_PROD,
+  LOAD_CODE_ASSIST_ENDPOINTS,
+  TIER_FREE,
+  TIER_LEGACY,
+  TIER_STANDARD,
+  USERINFO_URL,
+} from "./oauth.shared.js";
+
+function resolvePlatform(): "WINDOWS" | "MACOS" | "PLATFORM_UNSPECIFIED" {
+  if (process.platform === "win32") {
+    return "WINDOWS";
+  }
+  if (process.platform === "darwin") {
+    return "MACOS";
+  }
+  return "PLATFORM_UNSPECIFIED";
+}
+
+async function getUserEmail(accessToken: string): Promise<string | undefined> {
+  try {
+    const response = await fetchWithTimeout(USERINFO_URL, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (response.ok) {
+      const data = (await response.json()) as { email?: string };
+      return data.email;
+    }
+  } catch {
+    // ignore
+  }
+  return undefined;
+}
+
+function isVpcScAffected(payload: unknown): boolean {
+  if (!payload || typeof payload !== "object") {
+    return false;
+  }
+  const error = (payload as { error?: unknown }).error;
+  if (!error || typeof error !== "object") {
+    return false;
+  }
+  const details = (error as { details?: unknown[] }).details;
+  if (!Array.isArray(details)) {
+    return false;
+  }
+  return details.some(
+    (item) =>
+      typeof item === "object" &&
+      item &&
+      (item as { reason?: string }).reason === "SECURITY_POLICY_VIOLATED",
+  );
+}
+
+function getDefaultTier(
+  allowedTiers?: Array<{ id?: string; isDefault?: boolean }>,
+): { id?: string } | undefined {
+  if (!allowedTiers?.length) {
+    return { id: TIER_LEGACY };
+  }
+  return allowedTiers.find((tier) => tier.isDefault) ?? { id: TIER_LEGACY };
+}
+
+async function pollOperation(
+  endpoint: string,
+  operationName: string,
+  headers: Record<string, string>,
+): Promise<{ done?: boolean; response?: { cloudaicompanionProject?: { id?: string } } }> {
+  for (let attempt = 0; attempt < 24; attempt += 1) {
+    await new Promise((resolve) => setTimeout(resolve, 5000));
+    const response = await fetchWithTimeout(`${endpoint}/v1internal/${operationName}`, {
+      headers,
+    });
+    if (!response.ok) {
+      continue;
+    }
+    const data = (await response.json()) as {
+      done?: boolean;
+      response?: { cloudaicompanionProject?: { id?: string } };
+    };
+    if (data.done) {
+      return data;
+    }
+  }
+  throw new Error("Operation polling timeout");
+}
+
+export async function resolveGoogleOAuthIdentity(accessToken: string): Promise<{
+  email?: string;
+  projectId: string;
+}> {
+  const email = await getUserEmail(accessToken);
+  const projectId = await discoverProject(accessToken);
+  return { email, projectId };
+}
+
+async function discoverProject(accessToken: string): Promise<string> {
+  const envProject = process.env.GOOGLE_CLOUD_PROJECT || process.env.GOOGLE_CLOUD_PROJECT_ID;
+  const platform = resolvePlatform();
+  const metadata = {
+    ideType: "ANTIGRAVITY",
+    platform,
+    pluginType: "GEMINI",
+  };
+  const headers = {
+    Authorization: `Bearer ${accessToken}`,
+    "Content-Type": "application/json",
+    "User-Agent": "google-api-nodejs-client/9.15.1",
+    "X-Goog-Api-Client": `gl-node/${process.versions.node}`,
+    "Client-Metadata": JSON.stringify(metadata),
+  };
+
+  const loadBody = {
+    ...(envProject ? { cloudaicompanionProject: envProject } : {}),
+    metadata: {
+      ...metadata,
+      ...(envProject ? { duetProject: envProject } : {}),
+    },
+  };
+
+  let data: {
+    currentTier?: { id?: string };
+    cloudaicompanionProject?: string | { id?: string };
+    allowedTiers?: Array<{ id?: string; isDefault?: boolean }>;
+  } = {};
+  let activeEndpoint = CODE_ASSIST_ENDPOINT_PROD;
+  let loadError: Error | undefined;
+  for (const endpoint of LOAD_CODE_ASSIST_ENDPOINTS) {
+    try {
+      const response = await fetchWithTimeout(`${endpoint}/v1internal:loadCodeAssist`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(loadBody),
+      });
+
+      if (!response.ok) {
+        const errorPayload = await response.json().catch(() => null);
+        if (isVpcScAffected(errorPayload)) {
+          data = { currentTier: { id: TIER_STANDARD } };
+          activeEndpoint = endpoint;
+          loadError = undefined;
+          break;
+        }
+        loadError = new Error(`loadCodeAssist failed: ${response.status} ${response.statusText}`);
+        continue;
+      }
+
+      data = (await response.json()) as typeof data;
+      activeEndpoint = endpoint;
+      loadError = undefined;
+      break;
+    } catch (err) {
+      loadError = err instanceof Error ? err : new Error("loadCodeAssist failed", { cause: err });
+    }
+  }
+
+  const hasLoadCodeAssistData =
+    Boolean(data.currentTier) ||
+    Boolean(data.cloudaicompanionProject) ||
+    Boolean(data.allowedTiers?.length);
+  if (!hasLoadCodeAssistData && loadError) {
+    if (envProject) {
+      return envProject;
+    }
+    throw loadError;
+  }
+
+  if (data.currentTier) {
+    const project = data.cloudaicompanionProject;
+    if (typeof project === "string" && project) {
+      return project;
+    }
+    if (typeof project === "object" && project?.id) {
+      return project.id;
+    }
+    if (envProject) {
+      return envProject;
+    }
+    throw new Error(
+      "This account requires GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID to be set.",
+    );
+  }
+
+  const tier = getDefaultTier(data.allowedTiers);
+  const tierId = tier?.id || TIER_FREE;
+  if (tierId !== TIER_FREE && !envProject) {
+    throw new Error(
+      "This account requires GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID to be set.",
+    );
+  }
+
+  const onboardBody: Record<string, unknown> = {
+    tierId,
+    metadata: {
+      ...metadata,
+    },
+  };
+  if (tierId !== TIER_FREE && envProject) {
+    onboardBody.cloudaicompanionProject = envProject;
+    (onboardBody.metadata as Record<string, unknown>).duetProject = envProject;
+  }
+
+  const onboardResponse = await fetchWithTimeout(`${activeEndpoint}/v1internal:onboardUser`, {
+    method: "POST",
+    headers,
+    body: JSON.stringify(onboardBody),
+  });
+
+  if (!onboardResponse.ok) {
+    throw new Error(`onboardUser failed: ${onboardResponse.status} ${onboardResponse.statusText}`);
+  }
+
+  let lro = (await onboardResponse.json()) as {
+    done?: boolean;
+    name?: string;
+    response?: { cloudaicompanionProject?: { id?: string } };
+  };
+
+  if (!lro.done && lro.name) {
+    lro = await pollOperation(activeEndpoint, lro.name, headers);
+  }
+
+  const projectId = lro.response?.cloudaicompanionProject?.id;
+  if (projectId) {
+    return projectId;
+  }
+  if (envProject) {
+    return envProject;
+  }
+
+  throw new Error(
+    "Could not discover or provision a Google Cloud project. Set GOOGLE_CLOUD_PROJECT or GOOGLE_CLOUD_PROJECT_ID.",
+  );
+}
diff --git a/extensions/google/oauth.shared.ts b/extensions/google/oauth.shared.ts
new file mode 100644
index 00000000000..2b8186737a2
--- /dev/null
+++ b/extensions/google/oauth.shared.ts
@@ -0,0 +1,44 @@
+export const CLIENT_ID_KEYS = ["OPENCLAW_GEMINI_OAUTH_CLIENT_ID", "GEMINI_CLI_OAUTH_CLIENT_ID"];
+export const CLIENT_SECRET_KEYS = [
+  "OPENCLAW_GEMINI_OAUTH_CLIENT_SECRET",
+  "GEMINI_CLI_OAUTH_CLIENT_SECRET",
+];
+export const REDIRECT_URI = "http://localhost:8085/oauth2callback";
+export const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+export const TOKEN_URL = "https://oauth2.googleapis.com/token";
+export const USERINFO_URL = "https://www.googleapis.com/oauth2/v1/userinfo?alt=json";
+export const CODE_ASSIST_ENDPOINT_PROD = "https://cloudcode-pa.googleapis.com";
+export const CODE_ASSIST_ENDPOINT_DAILY = "https://daily-cloudcode-pa.sandbox.googleapis.com";
+export const CODE_ASSIST_ENDPOINT_AUTOPUSH = "https://autopush-cloudcode-pa.sandbox.googleapis.com";
+export const LOAD_CODE_ASSIST_ENDPOINTS = [
+  CODE_ASSIST_ENDPOINT_PROD,
+  CODE_ASSIST_ENDPOINT_DAILY,
+  CODE_ASSIST_ENDPOINT_AUTOPUSH,
+];
+export const DEFAULT_FETCH_TIMEOUT_MS = 10_000;
+export const SCOPES = [
+  "https://www.googleapis.com/auth/cloud-platform",
+  "https://www.googleapis.com/auth/userinfo.email",
+  "https://www.googleapis.com/auth/userinfo.profile",
+];
+
+export const TIER_FREE = "free-tier";
+export const TIER_LEGACY = "legacy-tier";
+export const TIER_STANDARD = "standard-tier";
+
+export type GeminiCliOAuthCredentials = {
+  access: string;
+  refresh: string;
+  expires: number;
+  email?: string;
+  projectId: string;
+};
+
+export type GeminiCliOAuthContext = {
+  isRemote: boolean;
+  openUrl: (url: string) => Promise<void>;
+  log: (msg: string) => void;
+  note: (message: string, title?: string) => Promise<void>;
+  prompt: (message: string) => Promise<string>;
+  progress: { update: (msg: string) => void; stop: (msg?: string) => void };
+};
diff --git a/extensions/google-gemini-cli-auth/oauth.test.ts b/extensions/google/oauth.test.ts
similarity index 99%
rename from extensions/google-gemini-cli-auth/oauth.test.ts
rename to extensions/google/oauth.test.ts
index 02100b73b1f..8aec64d528d 100644
--- a/extensions/google-gemini-cli-auth/oauth.test.ts
+++ b/extensions/google/oauth.test.ts
@@ -1,8 +1,11 @@
 import { join, parse } from "node:path";
 import { describe, expect, it, vi, beforeEach, afterEach } from "vitest";
 
-vi.mock("openclaw/plugin-sdk/google-gemini-cli-auth", () => ({
+vi.mock("../../src/infra/wsl.js", () => ({
   isWSL2Sync: () => false,
+}));
+
+vi.mock("../../src/infra/net/fetch-guard.js", () => ({
   fetchWithSsrFGuard: async (params: {
     url: string;
     init?: RequestInit;
diff --git a/extensions/google/oauth.token.ts b/extensions/google/oauth.token.ts
new file mode 100644
index 00000000000..6e2b68c4403
--- /dev/null
+++ b/extensions/google/oauth.token.ts
@@ -0,0 +1,57 @@
+import { resolveOAuthClientConfig } from "./oauth.credentials.js";
+import { fetchWithTimeout } from "./oauth.http.js";
+import { resolveGoogleOAuthIdentity } from "./oauth.project.js";
+import { REDIRECT_URI, TOKEN_URL, type GeminiCliOAuthCredentials } from "./oauth.shared.js";
+
+export async function exchangeCodeForTokens(
+  code: string,
+  verifier: string,
+): Promise<GeminiCliOAuthCredentials> {
+  const { clientId, clientSecret } = resolveOAuthClientConfig();
+  const body = new URLSearchParams({
+    client_id: clientId,
+    code,
+    grant_type: "authorization_code",
+    redirect_uri: REDIRECT_URI,
+    code_verifier: verifier,
+  });
+  if (clientSecret) {
+    body.set("client_secret", clientSecret);
+  }
+
+  const response = await fetchWithTimeout(TOKEN_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
+      Accept: "*/*",
+      "User-Agent": "google-api-nodejs-client/9.15.1",
+    },
+    body,
+  });
+
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Token exchange failed: ${errorText}`);
+  }
+
+  const data = (await response.json()) as {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+  };
+
+  if (!data.refresh_token) {
+    throw new Error("No refresh token received. Please try again.");
+  }
+
+  const identity = await resolveGoogleOAuthIdentity(data.access_token);
+  const expiresAt = Date.now() + data.expires_in * 1000 - 5 * 60 * 1000;
+
+  return {
+    refresh: data.refresh_token,
+    access: data.access_token,
+    expires: expiresAt,
+    projectId: identity.projectId,
+    email: identity.email,
+  };
+}
diff --git a/extensions/google/oauth.ts b/extensions/google/oauth.ts
new file mode 100644
index 00000000000..be12c64a4e1
--- /dev/null
+++ b/extensions/google/oauth.ts
@@ -0,0 +1,90 @@
+import { clearCredentialsCache, extractGeminiCliCredentials } from "./oauth.credentials.js";
+import {
+  buildAuthUrl,
+  generatePkce,
+  parseCallbackInput,
+  shouldUseManualOAuthFlow,
+  waitForLocalCallback,
+} from "./oauth.flow.js";
+import type { GeminiCliOAuthContext, GeminiCliOAuthCredentials } from "./oauth.shared.js";
+import { exchangeCodeForTokens } from "./oauth.token.js";
+
+export { clearCredentialsCache, extractGeminiCliCredentials };
+export type { GeminiCliOAuthContext, GeminiCliOAuthCredentials };
+
+export async function loginGeminiCliOAuth(
+  ctx: GeminiCliOAuthContext,
+): Promise<GeminiCliOAuthCredentials> {
+  const needsManual = shouldUseManualOAuthFlow(ctx.isRemote);
+  await ctx.note(
+    needsManual
+      ? [
+          "You are running in a remote/VPS environment.",
+          "A URL will be shown for you to open in your LOCAL browser.",
+          "After signing in, copy the redirect URL and paste it back here.",
+        ].join("\n")
+      : [
+          "Browser will open for Google authentication.",
+          "Sign in with your Google account for Gemini CLI access.",
+          "The callback will be captured automatically on localhost:8085.",
+        ].join("\n"),
+    "Gemini CLI OAuth",
+  );
+
+  const { verifier, challenge } = generatePkce();
+  const authUrl = buildAuthUrl(challenge, verifier);
+
+  if (needsManual) {
+    ctx.progress.update("OAuth URL ready");
+    ctx.log(`\nOpen this URL in your LOCAL browser:\n\n${authUrl}\n`);
+    ctx.progress.update("Waiting for you to paste the callback URL...");
+    const callbackInput = await ctx.prompt("Paste the redirect URL here: ");
+    const parsed = parseCallbackInput(callbackInput, verifier);
+    if ("error" in parsed) {
+      throw new Error(parsed.error);
+    }
+    if (parsed.state !== verifier) {
+      throw new Error("OAuth state mismatch - please try again");
+    }
+    ctx.progress.update("Exchanging authorization code for tokens...");
+    return exchangeCodeForTokens(parsed.code, verifier);
+  }
+
+  ctx.progress.update("Complete sign-in in browser...");
+  try {
+    await ctx.openUrl(authUrl);
+  } catch {
+    ctx.log(`\nOpen this URL in your browser:\n\n${authUrl}\n`);
+  }
+
+  try {
+    const { code } = await waitForLocalCallback({
+      expectedState: verifier,
+      timeoutMs: 5 * 60 * 1000,
+      onProgress: (msg) => ctx.progress.update(msg),
+    });
+    ctx.progress.update("Exchanging authorization code for tokens...");
+    return await exchangeCodeForTokens(code, verifier);
+  } catch (err) {
+    if (
+      err instanceof Error &&
+      (err.message.includes("EADDRINUSE") ||
+        err.message.includes("port") ||
+        err.message.includes("listen"))
+    ) {
+      ctx.progress.update("Local callback server failed. Switching to manual mode...");
+      ctx.log(`\nOpen this URL in your LOCAL browser:\n\n${authUrl}\n`);
+      const callbackInput = await ctx.prompt("Paste the redirect URL here: ");
+      const parsed = parseCallbackInput(callbackInput, verifier);
+      if ("error" in parsed) {
+        throw new Error(parsed.error, { cause: err });
+      }
+      if (parsed.state !== verifier) {
+        throw new Error("OAuth state mismatch - please try again", { cause: err });
+      }
+      ctx.progress.update("Exchanging authorization code for tokens...");
+      return exchangeCodeForTokens(parsed.code, verifier);
+    }
+    throw err;
+  }
+}
diff --git a/extensions/google/openclaw.plugin.json b/extensions/google/openclaw.plugin.json
new file mode 100644
index 00000000000..b779c292375
--- /dev/null
+++ b/extensions/google/openclaw.plugin.json
@@ -0,0 +1,37 @@
+{
+  "id": "google",
+  "providers": ["google", "google-gemini-cli"],
+  "providerAuthEnvVars": {
+    "google": ["GEMINI_API_KEY", "GOOGLE_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "google",
+      "method": "api-key",
+      "choiceId": "gemini-api-key",
+      "choiceLabel": "Google Gemini API key",
+      "groupId": "google",
+      "groupLabel": "Google",
+      "groupHint": "Gemini API key + OAuth",
+      "optionKey": "geminiApiKey",
+      "cliFlag": "--gemini-api-key",
+      "cliOption": "--gemini-api-key <key>",
+      "cliDescription": "Gemini API key"
+    },
+    {
+      "provider": "google-gemini-cli",
+      "method": "oauth",
+      "choiceId": "google-gemini-cli",
+      "choiceLabel": "Gemini CLI OAuth",
+      "choiceHint": "Google OAuth with project-aware token payload",
+      "groupId": "google",
+      "groupLabel": "Google",
+      "groupHint": "Gemini API key + OAuth"
+    }
+  ],
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {}
+  }
+}
diff --git a/extensions/google/package.json b/extensions/google/package.json
new file mode 100644
index 00000000000..64c04bc67da
--- /dev/null
+++ b/extensions/google/package.json
@@ -0,0 +1,12 @@
+{
+  "name": "@openclaw/google-plugin",
+  "version": "2026.3.14",
+  "private": true,
+  "description": "OpenClaw Google plugin",
+  "type": "module",
+  "openclaw": {
+    "extensions": [
+      "./index.ts"
+    ]
+  }
+}
diff --git a/extensions/google/provider-models.ts b/extensions/google/provider-models.ts
new file mode 100644
index 00000000000..0a086780b1a
--- /dev/null
+++ b/extensions/google/provider-models.ts
@@ -0,0 +1,63 @@
+import { normalizeModelCompat } from "../../src/agents/model-compat.js";
+import type {
+  ProviderResolveDynamicModelContext,
+  ProviderRuntimeModel,
+} from "../../src/plugins/types.js";
+
+const GEMINI_3_1_PRO_PREFIX = "gemini-3.1-pro";
+const GEMINI_3_1_FLASH_PREFIX = "gemini-3.1-flash";
+const GEMINI_3_1_PRO_TEMPLATE_IDS = ["gemini-3-pro-preview"] as const;
+const GEMINI_3_1_FLASH_TEMPLATE_IDS = ["gemini-3-flash-preview"] as const;
+
+function cloneFirstTemplateModel(params: {
+  providerId: string;
+  modelId: string;
+  templateIds: readonly string[];
+  ctx: ProviderResolveDynamicModelContext;
+}): ProviderRuntimeModel | undefined {
+  const trimmedModelId = params.modelId.trim();
+  for (const templateId of [...new Set(params.templateIds)].filter(Boolean)) {
+    const template = params.ctx.modelRegistry.find(
+      params.providerId,
+      templateId,
+    ) as ProviderRuntimeModel | null;
+    if (!template) {
+      continue;
+    }
+    return normalizeModelCompat({
+      ...template,
+      id: trimmedModelId,
+      name: trimmedModelId,
+      reasoning: true,
+    } as ProviderRuntimeModel);
+  }
+  return undefined;
+}
+
+export function resolveGoogle31ForwardCompatModel(params: {
+  providerId: string;
+  ctx: ProviderResolveDynamicModelContext;
+}): ProviderRuntimeModel | undefined {
+  const trimmed = params.ctx.modelId.trim();
+  const lower = trimmed.toLowerCase();
+
+  let templateIds: readonly string[];
+  if (lower.startsWith(GEMINI_3_1_PRO_PREFIX)) {
+    templateIds = GEMINI_3_1_PRO_TEMPLATE_IDS;
+  } else if (lower.startsWith(GEMINI_3_1_FLASH_PREFIX)) {
+    templateIds = GEMINI_3_1_FLASH_TEMPLATE_IDS;
+  } else {
+    return undefined;
+  }
+
+  return cloneFirstTemplateModel({
+    providerId: params.providerId,
+    modelId: trimmed,
+    templateIds,
+    ctx: params.ctx,
+  });
+}
+
+export function isModernGoogleModel(modelId: string): boolean {
+  return modelId.trim().toLowerCase().startsWith("gemini-3");
+}
diff --git a/extensions/googlechat/index.ts b/extensions/googlechat/index.ts
index e218a15c8de..892694f93b4 100644
--- a/extensions/googlechat/index.ts
+++ b/extensions/googlechat/index.ts
@@ -1,6 +1,6 @@
 import type { OpenClawPluginApi } from "openclaw/plugin-sdk/googlechat";
 import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/googlechat";
-import { googlechatDock, googlechatPlugin } from "./src/channel.js";
+import { googlechatPlugin } from "./src/channel.js";
 import { setGoogleChatRuntime } from "./src/runtime.js";
 
 const plugin = {
@@ -10,7 +10,7 @@ const plugin = {
   configSchema: emptyPluginConfigSchema(),
   register(api: OpenClawPluginApi) {
     setGoogleChatRuntime(api.runtime);
-    api.registerChannel({ plugin: googlechatPlugin, dock: googlechatDock });
+    api.registerChannel(googlechatPlugin);
   },
 };
 
diff --git a/extensions/googlechat/package.json b/extensions/googlechat/package.json
index 3514ac52b90..2c4469163db 100644
--- a/extensions/googlechat/package.json
+++ b/extensions/googlechat/package.json
@@ -19,6 +19,7 @@
     "extensions": [
       "./index.ts"
     ],
+    "setupEntry": "./setup-entry.ts",
     "channel": {
       "id": "googlechat",
       "label": "Google Chat",
diff --git a/extensions/googlechat/setup-entry.ts b/extensions/googlechat/setup-entry.ts
new file mode 100644
index 00000000000..be33127799f
--- /dev/null
+++ b/extensions/googlechat/setup-entry.ts
@@ -0,0 +1,5 @@
+import { googlechatPlugin } from "./src/channel.js";
+
+export default {
+  plugin: googlechatPlugin,
+};
diff --git a/extensions/googlechat/src/channel.runtime.ts b/extensions/googlechat/src/channel.runtime.ts
new file mode 100644
index 00000000000..fdf060f9fd4
--- /dev/null
+++ b/extensions/googlechat/src/channel.runtime.ts
@@ -0,0 +1,2 @@
+export { probeGoogleChat, sendGoogleChatMessage, uploadGoogleChatAttachment } from "./api.js";
+export { resolveGoogleChatWebhookPath, startGoogleChatMonitor } from "./monitor.js";
diff --git a/extensions/googlechat/src/channel.ts b/extensions/googlechat/src/channel.ts
index ef8e92d8ce2..bd06b33f8df 100644
--- a/extensions/googlechat/src/channel.ts
+++ b/extensions/googlechat/src/channel.ts
@@ -19,7 +19,6 @@ import {
   resolveChannelMediaMaxBytes,
   resolveGoogleChatGroupRequireMention,
   runPassiveAccountLifecycle,
-  type ChannelDock,
   type ChannelMessageActionAdapter,
   type ChannelPlugin,
   type ChannelStatusIssue,
@@ -34,10 +33,9 @@ import {
   type ResolvedGoogleChatAccount,
 } from "./accounts.js";
 import { googlechatMessageActions } from "./actions.js";
-import { sendGoogleChatMessage, uploadGoogleChatAttachment, probeGoogleChat } from "./api.js";
-import { resolveGoogleChatWebhookPath, startGoogleChatMonitor } from "./monitor.js";
 import { getGoogleChatRuntime } from "./runtime.js";
-import { googlechatSetupAdapter, googlechatSetupWizard } from "./setup-surface.js";
+import { googlechatSetupAdapter } from "./setup-core.js";
+import { googlechatSetupWizard } from "./setup-surface.js";
 import {
   isGoogleChatSpaceTarget,
   isGoogleChatUserTarget,
@@ -47,6 +45,10 @@ import {
 
 const meta = getChatChannelMeta("googlechat");
 
+async function loadGoogleChatChannelRuntime() {
+  return await import("./channel.runtime.js");
+}
+
 const formatAllowFromEntry = (entry: string) =>
   entry
     .trim()
@@ -91,33 +93,6 @@ const resolveGoogleChatDmPolicy = createScopedDmSecurityResolver<ResolvedGoogleC
   normalizeEntry: (raw) => formatAllowFromEntry(raw),
 });
 
-export const googlechatDock: ChannelDock = {
-  id: "googlechat",
-  capabilities: {
-    chatTypes: ["direct", "group", "thread"],
-    reactions: true,
-    media: true,
-    threads: true,
-    blockStreaming: true,
-  },
-  outbound: { textChunkLimit: 4000 },
-  config: googleChatConfigAccessors,
-  groups: {
-    resolveRequireMention: resolveGoogleChatGroupRequireMention,
-  },
-  threading: {
-    resolveReplyToMode: ({ cfg }) => cfg.channels?.["googlechat"]?.replyToMode ?? "off",
-    buildToolContext: ({ context, hasRepliedRef }) => {
-      const threadId = context.MessageThreadId ?? context.ReplyToId;
-      return {
-        currentChannelId: context.To?.trim() || undefined,
-        currentThreadTs: threadId != null ? String(threadId) : undefined,
-        hasRepliedRef,
-      };
-    },
-  },
-};
-
 const googlechatActions: ChannelMessageActionAdapter = {
   listActions: (ctx) => googlechatMessageActions.listActions?.(ctx) ?? [],
   extractToolSend: (ctx) => googlechatMessageActions.extractToolSend?.(ctx) ?? null,
@@ -145,6 +120,7 @@ export const googlechatPlugin: ChannelPlugin<ResolvedGoogleChatAccount> = {
       const user = normalizeGoogleChatTarget(id) ?? id;
       const target = isGoogleChatUserTarget(user) ? user : `users/${user}`;
       const space = await resolveGoogleChatOutboundSpace({ account, target });
+      const { sendGoogleChatMessage } = await loadGoogleChatChannelRuntime();
       await sendGoogleChatMessage({
         account,
         space,
@@ -300,6 +276,7 @@ export const googlechatPlugin: ChannelPlugin<ResolvedGoogleChatAccount> = {
       });
       const space = await resolveGoogleChatOutboundSpace({ account, target: to });
       const thread = (threadId ?? replyToId ?? undefined) as string | undefined;
+      const { sendGoogleChatMessage } = await loadGoogleChatChannelRuntime();
       const result = await sendGoogleChatMessage({
         account,
         space,
@@ -353,6 +330,8 @@ export const googlechatPlugin: ChannelPlugin<ResolvedGoogleChatAccount> = {
             maxBytes: effectiveMaxBytes,
             localRoots: mediaLocalRoots?.length ? mediaLocalRoots : undefined,
           });
+      const { sendGoogleChatMessage, uploadGoogleChatAttachment } =
+        await loadGoogleChatChannelRuntime();
       const upload = await uploadGoogleChatAttachment({
         account,
         space,
@@ -421,7 +400,8 @@ export const googlechatPlugin: ChannelPlugin<ResolvedGoogleChatAccount> = {
         webhookPath: snapshot.webhookPath ?? null,
         webhookUrl: snapshot.webhookUrl ?? null,
       }),
-    probeAccount: async ({ account }) => probeGoogleChat(account),
+    probeAccount: async ({ account }) =>
+      (await loadGoogleChatChannelRuntime()).probeGoogleChat(account),
     buildAccountSnapshot: ({ account, runtime, probe }) => {
       const base = buildComputedAccountStatusSnapshot({
         accountId: account.accountId,
@@ -450,6 +430,8 @@ export const googlechatPlugin: ChannelPlugin<ResolvedGoogleChatAccount> = {
         setStatus: ctx.setStatus,
       });
       ctx.log?.info(`[${account.accountId}] starting Google Chat webhook`);
+      const { resolveGoogleChatWebhookPath, startGoogleChatMonitor } =
+        await loadGoogleChatChannelRuntime();
       statusSink({
         running: true,
         lastStartAt: Date.now(),
diff --git a/extensions/googlechat/src/resolve-target.test.ts b/extensions/googlechat/src/resolve-target.test.ts
index 2f898c48b8c..97ce8ae489a 100644
--- a/extensions/googlechat/src/resolve-target.test.ts
+++ b/extensions/googlechat/src/resolve-target.test.ts
@@ -45,8 +45,12 @@ vi.mock("./monitor.js", () => ({
   startGoogleChatMonitor: vi.fn(),
 }));
 
-vi.mock("./onboarding.js", () => ({
-  googlechatOnboardingAdapter: {},
+vi.mock("./setup-core.js", () => ({
+  googlechatSetupAdapter: {},
+}));
+
+vi.mock("./setup-surface.js", () => ({
+  googlechatSetupWizard: {},
 }));
 
 vi.mock("./runtime.js", () => ({
diff --git a/extensions/googlechat/src/setup-core.ts b/extensions/googlechat/src/setup-core.ts
new file mode 100644
index 00000000000..d4d2de49e06
--- /dev/null
+++ b/extensions/googlechat/src/setup-core.ts
@@ -0,0 +1,67 @@
+import {
+  applyAccountNameToChannelSection,
+  applySetupAccountConfigPatch,
+  migrateBaseNameToDefaultAccount,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+
+const channel = "googlechat" as const;
+
+export const googlechatSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  validateInput: ({ accountId, input }) => {
+    if (input.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
+      return "GOOGLE_CHAT_SERVICE_ACCOUNT env vars can only be used for the default account.";
+    }
+    if (!input.useEnv && !input.token && !input.tokenFile) {
+      return "Google Chat requires --token (service account JSON) or --token-file.";
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name: input.name,
+    });
+    const next =
+      accountId !== DEFAULT_ACCOUNT_ID
+        ? migrateBaseNameToDefaultAccount({
+            cfg: namedConfig,
+            channelKey: channel,
+          })
+        : namedConfig;
+    const patch = input.useEnv
+      ? {}
+      : input.tokenFile
+        ? { serviceAccountFile: input.tokenFile }
+        : input.token
+          ? { serviceAccount: input.token }
+          : {};
+    const audienceType = input.audienceType?.trim();
+    const audience = input.audience?.trim();
+    const webhookPath = input.webhookPath?.trim();
+    const webhookUrl = input.webhookUrl?.trim();
+    return applySetupAccountConfigPatch({
+      cfg: next,
+      channelKey: channel,
+      accountId,
+      patch: {
+        ...patch,
+        ...(audienceType ? { audienceType } : {}),
+        ...(audience ? { audience } : {}),
+        ...(webhookPath ? { webhookPath } : {}),
+        ...(webhookUrl ? { webhookUrl } : {}),
+      },
+    });
+  },
+};
diff --git a/extensions/googlechat/src/setup-surface.test.ts b/extensions/googlechat/src/setup-surface.test.ts
index ab09435f67e..e8855648c99 100644
--- a/extensions/googlechat/src/setup-surface.test.ts
+++ b/extensions/googlechat/src/setup-surface.test.ts
@@ -1,6 +1,6 @@
 import type { OpenClawConfig, WizardPrompter } from "openclaw/plugin-sdk/googlechat";
 import { describe, expect, it, vi } from "vitest";
-import { buildChannelOnboardingAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
 import { createRuntimeEnv } from "../../test-utils/runtime-env.js";
 import { googlechatPlugin } from "./channel.js";
 
@@ -26,7 +26,7 @@ function createPrompter(overrides: Partial<WizardPrompter>): WizardPrompter {
   };
 }
 
-const googlechatConfigureAdapter = buildChannelOnboardingAdapterFromSetupWizard({
+const googlechatConfigureAdapter = buildChannelSetupWizardAdapterFromSetupWizard({
   plugin: googlechatPlugin,
   wizard: googlechatPlugin.setupWizard!,
 });
diff --git a/extensions/googlechat/src/setup-surface.ts b/extensions/googlechat/src/setup-surface.ts
index e812561f674..5561989543f 100644
--- a/extensions/googlechat/src/setup-surface.ts
+++ b/extensions/googlechat/src/setup-surface.ts
@@ -1,26 +1,25 @@
-import type { ChannelOnboardingDmPolicy } from "../../../src/channels/plugins/onboarding-types.js";
+import {
+  applySetupAccountConfigPatch,
+  migrateBaseNameToDefaultAccount,
+} from "../../../src/channels/plugins/setup-helpers.js";
 import {
   addWildcardAllowFrom,
   mergeAllowFromEntries,
   setTopLevelChannelDmPolicyWithAllowFrom,
-  splitOnboardingEntries,
-} from "../../../src/channels/plugins/onboarding/helpers.js";
-import {
-  applyAccountNameToChannelSection,
-  applySetupAccountConfigPatch,
-  migrateBaseNameToDefaultAccount,
-} from "../../../src/channels/plugins/setup-helpers.js";
+  splitSetupEntries,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
 import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
-import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
 import type { DmPolicy } from "../../../src/config/types.js";
-import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
 import { formatDocsLink } from "../../../src/terminal/links.js";
 import {
   listGoogleChatAccountIds,
   resolveDefaultGoogleChatAccountId,
   resolveGoogleChatAccount,
 } from "./accounts.js";
+import { googlechatSetupAdapter } from "./setup-core.js";
 
 const channel = "googlechat" as const;
 const ENV_SERVICE_ACCOUNT = "GOOGLE_CHAT_SERVICE_ACCOUNT";
@@ -49,7 +48,7 @@ function setGoogleChatDmPolicy(cfg: OpenClawConfig, policy: DmPolicy) {
 
 async function promptAllowFrom(params: {
   cfg: OpenClawConfig;
-  prompter: Parameters<NonNullable<ChannelOnboardingDmPolicy["promptAllowFrom"]>>[0]["prompter"];
+  prompter: Parameters<NonNullable<ChannelSetupDmPolicy["promptAllowFrom"]>>[0]["prompter"];
 }): Promise<OpenClawConfig> {
   const current = params.cfg.channels?.googlechat?.dm?.allowFrom ?? [];
   const entry = await params.prompter.text({
@@ -58,7 +57,7 @@ async function promptAllowFrom(params: {
     initialValue: current[0] ? String(current[0]) : undefined,
     validate: (value) => (String(value ?? "").trim() ? undefined : "Required"),
   });
-  const parts = splitOnboardingEntries(String(entry));
+  const parts = splitSetupEntries(String(entry));
   const unique = mergeAllowFromEntries(undefined, parts);
   return {
     ...params.cfg,
@@ -77,7 +76,7 @@ async function promptAllowFrom(params: {
   };
 }
 
-const googlechatDmPolicy: ChannelOnboardingDmPolicy = {
+const googlechatDmPolicy: ChannelSetupDmPolicy = {
   label: "Google Chat",
   channel,
   policyKey: "channels.googlechat.dm.policy",
@@ -87,63 +86,7 @@ const googlechatDmPolicy: ChannelOnboardingDmPolicy = {
   promptAllowFrom,
 };
 
-export const googlechatSetupAdapter: ChannelSetupAdapter = {
-  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-  applyAccountName: ({ cfg, accountId, name }) =>
-    applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name,
-    }),
-  validateInput: ({ accountId, input }) => {
-    if (input.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
-      return "GOOGLE_CHAT_SERVICE_ACCOUNT env vars can only be used for the default account.";
-    }
-    if (!input.useEnv && !input.token && !input.tokenFile) {
-      return "Google Chat requires --token (service account JSON) or --token-file.";
-    }
-    return null;
-  },
-  applyAccountConfig: ({ cfg, accountId, input }) => {
-    const namedConfig = applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name: input.name,
-    });
-    const next =
-      accountId !== DEFAULT_ACCOUNT_ID
-        ? migrateBaseNameToDefaultAccount({
-            cfg: namedConfig,
-            channelKey: channel,
-          })
-        : namedConfig;
-    const patch = input.useEnv
-      ? {}
-      : input.tokenFile
-        ? { serviceAccountFile: input.tokenFile }
-        : input.token
-          ? { serviceAccount: input.token }
-          : {};
-    const audienceType = input.audienceType?.trim();
-    const audience = input.audience?.trim();
-    const webhookPath = input.webhookPath?.trim();
-    const webhookUrl = input.webhookUrl?.trim();
-    return applySetupAccountConfigPatch({
-      cfg: next,
-      channelKey: channel,
-      accountId,
-      patch: {
-        ...patch,
-        ...(audienceType ? { audienceType } : {}),
-        ...(audience ? { audience } : {}),
-        ...(webhookPath ? { webhookPath } : {}),
-        ...(webhookUrl ? { webhookUrl } : {}),
-      },
-    });
-  },
-};
+export { googlechatSetupAdapter } from "./setup-core.js";
 
 export const googlechatSetupWizard: ChannelSetupWizard = {
   channel,
diff --git a/extensions/huggingface/index.ts b/extensions/huggingface/index.ts
index c6407954811..c1cea578349 100644
--- a/extensions/huggingface/index.ts
+++ b/extensions/huggingface/index.ts
@@ -1,5 +1,10 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildHuggingfaceProvider } from "../../src/agents/models-config.providers.discovery.js";
+import {
+  applyHuggingfaceConfig,
+  HUGGINGFACE_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "huggingface";
 
@@ -14,7 +19,29 @@ const huggingfacePlugin = {
       label: "Hugging Face",
       docsPath: "/providers/huggingface",
       envVars: ["HUGGINGFACE_HUB_TOKEN", "HF_TOKEN"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Hugging Face API key",
+          hint: "Inference API (HF token)",
+          optionKey: "huggingfaceApiKey",
+          flagName: "--huggingface-api-key",
+          envVar: "HUGGINGFACE_HUB_TOKEN",
+          promptMessage: "Enter Hugging Face API key",
+          defaultModel: HUGGINGFACE_DEFAULT_MODEL_REF,
+          expectedProviders: ["huggingface"],
+          applyConfig: (cfg) => applyHuggingfaceConfig(cfg),
+          wizard: {
+            choiceId: "huggingface-api-key",
+            choiceLabel: "Hugging Face API key",
+            choiceHint: "Inference API (HF token)",
+            groupId: "huggingface",
+            groupLabel: "Hugging Face",
+            groupHint: "Inference API (HF token)",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/huggingface/openclaw.plugin.json b/extensions/huggingface/openclaw.plugin.json
index 4b68bcedb26..84d8fd0e6bf 100644
--- a/extensions/huggingface/openclaw.plugin.json
+++ b/extensions/huggingface/openclaw.plugin.json
@@ -1,6 +1,25 @@
 {
   "id": "huggingface",
   "providers": ["huggingface"],
+  "providerAuthEnvVars": {
+    "huggingface": ["HUGGINGFACE_HUB_TOKEN", "HF_TOKEN"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "huggingface",
+      "method": "api-key",
+      "choiceId": "huggingface-api-key",
+      "choiceLabel": "Hugging Face API key",
+      "choiceHint": "Inference API (HF token)",
+      "groupId": "huggingface",
+      "groupLabel": "Hugging Face",
+      "groupHint": "Inference API (HF token)",
+      "optionKey": "huggingfaceApiKey",
+      "cliFlag": "--huggingface-api-key",
+      "cliOption": "--huggingface-api-key <key>",
+      "cliDescription": "Hugging Face API key (HF token)"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/imessage/index.ts b/extensions/imessage/index.ts
index cf0c6b3d8bd..e87d421cf2e 100644
--- a/extensions/imessage/index.ts
+++ b/extensions/imessage/index.ts
@@ -1,5 +1,5 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/imessage";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/imessage";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/core";
 import { imessagePlugin } from "./src/channel.js";
 import { setIMessageRuntime } from "./src/runtime.js";
 
diff --git a/extensions/imessage/package.json b/extensions/imessage/package.json
index c0988ee601c..591deea559b 100644
--- a/extensions/imessage/package.json
+++ b/extensions/imessage/package.json
@@ -7,6 +7,7 @@
   "openclaw": {
     "extensions": [
       "./index.ts"
-    ]
+    ],
+    "setupEntry": "./setup-entry.ts"
   }
 }
diff --git a/extensions/imessage/setup-entry.ts b/extensions/imessage/setup-entry.ts
new file mode 100644
index 00000000000..6b4c642d0ae
--- /dev/null
+++ b/extensions/imessage/setup-entry.ts
@@ -0,0 +1,3 @@
+import { imessageSetupPlugin } from "./src/channel.setup.js";
+
+export default { plugin: imessageSetupPlugin };
diff --git a/extensions/imessage/src/channel.runtime.ts b/extensions/imessage/src/channel.runtime.ts
new file mode 100644
index 00000000000..81229e49ff9
--- /dev/null
+++ b/extensions/imessage/src/channel.runtime.ts
@@ -0,0 +1 @@
+export { imessageSetupWizard } from "./setup-surface.js";
diff --git a/extensions/imessage/src/channel.setup.ts b/extensions/imessage/src/channel.setup.ts
new file mode 100644
index 00000000000..a4e58844b3b
--- /dev/null
+++ b/extensions/imessage/src/channel.setup.ts
@@ -0,0 +1,101 @@
+import {
+  buildAccountScopedDmSecurityPolicy,
+  collectAllowlistProviderRestrictSendersWarnings,
+} from "openclaw/plugin-sdk/compat";
+import {
+  buildChannelConfigSchema,
+  DEFAULT_ACCOUNT_ID,
+  deleteAccountFromConfigSection,
+  formatTrimmedAllowFromEntries,
+  getChatChannelMeta,
+  IMessageConfigSchema,
+  resolveIMessageConfigAllowFrom,
+  resolveIMessageConfigDefaultTo,
+  setAccountEnabledInConfigSection,
+  type ChannelPlugin,
+} from "openclaw/plugin-sdk/imessage";
+import {
+  listIMessageAccountIds,
+  resolveDefaultIMessageAccountId,
+  resolveIMessageAccount,
+  type ResolvedIMessageAccount,
+} from "./accounts.js";
+import { createIMessageSetupWizardProxy, imessageSetupAdapter } from "./setup-core.js";
+
+async function loadIMessageChannelRuntime() {
+  return await import("./channel.runtime.js");
+}
+
+const imessageSetupWizard = createIMessageSetupWizardProxy(async () => ({
+  imessageSetupWizard: (await loadIMessageChannelRuntime()).imessageSetupWizard,
+}));
+
+export const imessageSetupPlugin: ChannelPlugin<ResolvedIMessageAccount> = {
+  id: "imessage",
+  meta: {
+    ...getChatChannelMeta("imessage"),
+    aliases: ["imsg"],
+    showConfigured: false,
+  },
+  setupWizard: imessageSetupWizard,
+  capabilities: {
+    chatTypes: ["direct", "group"],
+    media: true,
+  },
+  reload: { configPrefixes: ["channels.imessage"] },
+  configSchema: buildChannelConfigSchema(IMessageConfigSchema),
+  config: {
+    listAccountIds: (cfg) => listIMessageAccountIds(cfg),
+    resolveAccount: (cfg, accountId) => resolveIMessageAccount({ cfg, accountId }),
+    defaultAccountId: (cfg) => resolveDefaultIMessageAccountId(cfg),
+    setAccountEnabled: ({ cfg, accountId, enabled }) =>
+      setAccountEnabledInConfigSection({
+        cfg,
+        sectionKey: "imessage",
+        accountId,
+        enabled,
+        allowTopLevel: true,
+      }),
+    deleteAccount: ({ cfg, accountId }) =>
+      deleteAccountFromConfigSection({
+        cfg,
+        sectionKey: "imessage",
+        accountId,
+        clearBaseFields: ["cliPath", "dbPath", "service", "region", "name"],
+      }),
+    isConfigured: (account) => account.configured,
+    describeAccount: (account) => ({
+      accountId: account.accountId,
+      name: account.name,
+      enabled: account.enabled,
+      configured: account.configured,
+    }),
+    resolveAllowFrom: ({ cfg, accountId }) => resolveIMessageConfigAllowFrom({ cfg, accountId }),
+    formatAllowFrom: ({ allowFrom }) => formatTrimmedAllowFromEntries(allowFrom),
+    resolveDefaultTo: ({ cfg, accountId }) => resolveIMessageConfigDefaultTo({ cfg, accountId }),
+  },
+  security: {
+    resolveDmPolicy: ({ cfg, accountId, account }) =>
+      buildAccountScopedDmSecurityPolicy({
+        cfg,
+        channelKey: "imessage",
+        accountId,
+        fallbackAccountId: account.accountId ?? DEFAULT_ACCOUNT_ID,
+        policy: account.config.dmPolicy,
+        allowFrom: account.config.allowFrom ?? [],
+        policyPathSuffix: "dmPolicy",
+      }),
+    collectWarnings: ({ account, cfg }) =>
+      collectAllowlistProviderRestrictSendersWarnings({
+        cfg,
+        providerConfigPresent: cfg.channels?.imessage !== undefined,
+        configuredGroupPolicy: account.config.groupPolicy,
+        surface: "iMessage groups",
+        openScope: "any member",
+        groupPolicyPath: "channels.imessage.groupPolicy",
+        groupAllowFromPath: "channels.imessage.groupAllowFrom",
+        mentionGated: false,
+      }),
+  },
+  setup: imessageSetupAdapter,
+};
diff --git a/extensions/imessage/src/channel.ts b/extensions/imessage/src/channel.ts
index 5760d1c2fb3..b0d94a1a437 100644
--- a/extensions/imessage/src/channel.ts
+++ b/extensions/imessage/src/channel.ts
@@ -1,7 +1,9 @@
 import {
+  buildAccountScopedAllowlistConfigEditor,
   buildAccountScopedDmSecurityPolicy,
   collectAllowlistProviderRestrictSendersWarnings,
 } from "openclaw/plugin-sdk/compat";
+import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk/core";
 import {
   buildChannelConfigSchema,
   collectStatusIssuesFromLastError,
@@ -10,28 +12,39 @@ import {
   formatTrimmedAllowFromEntries,
   getChatChannelMeta,
   IMessageConfigSchema,
-  listIMessageAccountIds,
   looksLikeIMessageTargetId,
   normalizeIMessageMessagingTarget,
   PAIRING_APPROVED_MESSAGE,
   resolveChannelMediaMaxBytes,
-  resolveDefaultIMessageAccountId,
-  resolveIMessageAccount,
   resolveIMessageConfigAllowFrom,
   resolveIMessageConfigDefaultTo,
   resolveIMessageGroupRequireMention,
   resolveIMessageGroupToolPolicy,
   setAccountEnabledInConfigSection,
   type ChannelPlugin,
-  type ResolvedIMessageAccount,
 } from "openclaw/plugin-sdk/imessage";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import { buildPassiveProbedChannelStatusSummary } from "../../shared/channel-status-summary.js";
+import {
+  listIMessageAccountIds,
+  resolveDefaultIMessageAccountId,
+  resolveIMessageAccount,
+  type ResolvedIMessageAccount,
+} from "./accounts.js";
 import { getIMessageRuntime } from "./runtime.js";
-import { imessageSetupAdapter, imessageSetupWizard } from "./setup-surface.js";
+import { createIMessageSetupWizardProxy, imessageSetupAdapter } from "./setup-core.js";
+import { normalizeIMessageHandle, parseIMessageTarget } from "./targets.js";
 
 const meta = getChatChannelMeta("imessage");
 
+async function loadIMessageChannelRuntime() {
+  return await import("./channel.runtime.js");
+}
+
+const imessageSetupWizard = createIMessageSetupWizardProxy(async () => ({
+  imessageSetupWizard: (await loadIMessageChannelRuntime()).imessageSetupWizard,
+}));
+
 type IMessageSendFn = ReturnType<
   typeof getIMessageRuntime
 >["channel"]["imessage"]["sendMessageIMessage"];
@@ -66,6 +79,83 @@ async function sendIMessageOutbound(params: {
   });
 }
 
+function buildIMessageBaseSessionKey(params: {
+  cfg: Parameters<typeof resolveIMessageAccount>[0]["cfg"];
+  agentId: string;
+  accountId?: string | null;
+  peer: RoutePeer;
+}) {
+  return buildAgentSessionKey({
+    agentId: params.agentId,
+    channel: "imessage",
+    accountId: params.accountId,
+    peer: params.peer,
+    dmScope: params.cfg.session?.dmScope ?? "main",
+    identityLinks: params.cfg.session?.identityLinks,
+  });
+}
+
+function resolveIMessageOutboundSessionRoute(params: {
+  cfg: Parameters<typeof resolveIMessageAccount>[0]["cfg"];
+  agentId: string;
+  accountId?: string | null;
+  target: string;
+}) {
+  const parsed = parseIMessageTarget(params.target);
+  if (parsed.kind === "handle") {
+    const handle = normalizeIMessageHandle(parsed.to);
+    if (!handle) {
+      return null;
+    }
+    const peer: RoutePeer = { kind: "direct", id: handle };
+    const baseSessionKey = buildIMessageBaseSessionKey({
+      cfg: params.cfg,
+      agentId: params.agentId,
+      accountId: params.accountId,
+      peer,
+    });
+    return {
+      sessionKey: baseSessionKey,
+      baseSessionKey,
+      peer,
+      chatType: "direct" as const,
+      from: `imessage:${handle}`,
+      to: `imessage:${handle}`,
+    };
+  }
+
+  const peerId =
+    parsed.kind === "chat_id"
+      ? String(parsed.chatId)
+      : parsed.kind === "chat_guid"
+        ? parsed.chatGuid
+        : parsed.chatIdentifier;
+  if (!peerId) {
+    return null;
+  }
+  const peer: RoutePeer = { kind: "group", id: peerId };
+  const baseSessionKey = buildIMessageBaseSessionKey({
+    cfg: params.cfg,
+    agentId: params.agentId,
+    accountId: params.accountId,
+    peer,
+  });
+  const toPrefix =
+    parsed.kind === "chat_id"
+      ? "chat_id"
+      : parsed.kind === "chat_guid"
+        ? "chat_guid"
+        : "chat_identifier";
+  return {
+    sessionKey: baseSessionKey,
+    baseSessionKey,
+    peer,
+    chatType: "group" as const,
+    from: `imessage:group:${peerId}`,
+    to: `${toPrefix}:${peerId}`,
+  };
+}
+
 export const imessagePlugin: ChannelPlugin<ResolvedIMessageAccount> = {
   id: "imessage",
   meta: {
@@ -116,6 +206,26 @@ export const imessagePlugin: ChannelPlugin<ResolvedIMessageAccount> = {
     formatAllowFrom: ({ allowFrom }) => formatTrimmedAllowFromEntries(allowFrom),
     resolveDefaultTo: ({ cfg, accountId }) => resolveIMessageConfigDefaultTo({ cfg, accountId }),
   },
+  allowlist: {
+    supportsScope: ({ scope }) => scope === "dm" || scope === "group" || scope === "all",
+    readConfig: ({ cfg, accountId }) => {
+      const account = resolveIMessageAccount({ cfg, accountId });
+      return {
+        dmAllowFrom: (account.config.allowFrom ?? []).map(String),
+        groupAllowFrom: (account.config.groupAllowFrom ?? []).map(String),
+        dmPolicy: account.config.dmPolicy,
+        groupPolicy: account.config.groupPolicy,
+      };
+    },
+    applyConfigEdit: buildAccountScopedAllowlistConfigEditor({
+      channelId: "imessage",
+      normalize: ({ values }) => formatTrimmedAllowFromEntries(values),
+      resolvePaths: (scope) => ({
+        readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
+        writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+      }),
+    }),
+  },
   security: {
     resolveDmPolicy: ({ cfg, accountId, account }) => {
       return buildAccountScopedDmSecurityPolicy({
@@ -147,6 +257,7 @@ export const imessagePlugin: ChannelPlugin<ResolvedIMessageAccount> = {
   },
   messaging: {
     normalizeTarget: normalizeIMessageMessagingTarget,
+    resolveOutboundSessionRoute: (params) => resolveIMessageOutboundSessionRoute(params),
     targetResolver: {
       looksLikeId: looksLikeIMessageTargetId,
       hint: "<handle|chat_id:ID>",
diff --git a/extensions/imessage/src/monitor/provider.group-policy.test.ts b/extensions/imessage/src/monitor/provider.group-policy.test.ts
deleted file mode 100644
index d6a7b1f880b..00000000000
--- a/extensions/imessage/src/monitor/provider.group-policy.test.ts
+++ /dev/null
@@ -1,13 +0,0 @@
-import { describe } from "vitest";
-import { installProviderRuntimeGroupPolicyFallbackSuite } from "../../../../src/test-utils/runtime-group-policy-contract.js";
-import { __testing } from "./monitor-provider.js";
-
-describe("resolveIMessageRuntimeGroupPolicy", () => {
-  installProviderRuntimeGroupPolicyFallbackSuite({
-    resolve: __testing.resolveIMessageRuntimeGroupPolicy,
-    configuredLabel: "keeps open fallback when channels.imessage is configured",
-    defaultGroupPolicyUnderTest: "disabled",
-    missingConfigLabel: "fails closed when channels.imessage is missing and no defaults are set",
-    missingDefaultLabel: "ignores explicit global defaults when provider config is missing",
-  });
-});
diff --git a/src/channels/plugins/outbound/imessage.ts b/extensions/imessage/src/outbound-adapter.ts
similarity index 85%
rename from src/channels/plugins/outbound/imessage.ts
rename to extensions/imessage/src/outbound-adapter.ts
index b916c1e37df..ae5e7c2836a 100644
--- a/src/channels/plugins/outbound/imessage.ts
+++ b/extensions/imessage/src/outbound-adapter.ts
@@ -1,12 +1,12 @@
-import { sendMessageIMessage } from "../../../../extensions/imessage/src/send.js";
-import {
-  resolveOutboundSendDep,
-  type OutboundSendDeps,
-} from "../../../infra/outbound/send-deps.js";
 import {
   createScopedChannelMediaMaxBytesResolver,
   createDirectTextMediaOutbound,
-} from "./direct-text-media.js";
+} from "../../../src/channels/plugins/outbound/direct-text-media.js";
+import {
+  resolveOutboundSendDep,
+  type OutboundSendDeps,
+} from "../../../src/infra/outbound/send-deps.js";
+import { sendMessageIMessage } from "./send.js";
 
 function resolveIMessageSender(deps: OutboundSendDeps | undefined) {
   return (
diff --git a/extensions/imessage/src/runtime.ts b/extensions/imessage/src/runtime.ts
index 7bc726cb089..08c9b6ccbbd 100644
--- a/extensions/imessage/src/runtime.ts
+++ b/extensions/imessage/src/runtime.ts
@@ -1,5 +1,5 @@
 import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
-import type { PluginRuntime } from "openclaw/plugin-sdk/imessage";
+import type { PluginRuntime } from "openclaw/plugin-sdk/core";
 
 const { setRuntime: setIMessageRuntime, getRuntime: getIMessageRuntime } =
   createPluginRuntimeStore<PluginRuntime>("iMessage runtime not initialized");
diff --git a/src/channels/plugins/onboarding/imessage.test.ts b/extensions/imessage/src/setup-allow-from.test.ts
similarity index 88%
rename from src/channels/plugins/onboarding/imessage.test.ts
rename to extensions/imessage/src/setup-allow-from.test.ts
index 4fa8f277d21..24082342e68 100644
--- a/src/channels/plugins/onboarding/imessage.test.ts
+++ b/extensions/imessage/src/setup-allow-from.test.ts
@@ -1,5 +1,5 @@
 import { describe, expect, it } from "vitest";
-import { parseIMessageAllowFromEntries } from "../../../../extensions/imessage/src/setup-surface.js";
+import { parseIMessageAllowFromEntries } from "./setup-surface.js";
 
 describe("parseIMessageAllowFromEntries", () => {
   it("parses handles and chat targets", () => {
diff --git a/extensions/imessage/src/setup-core.ts b/extensions/imessage/src/setup-core.ts
new file mode 100644
index 00000000000..38f280852c0
--- /dev/null
+++ b/extensions/imessage/src/setup-core.ts
@@ -0,0 +1,236 @@
+import {
+  applyAccountNameToChannelSection,
+  migrateBaseNameToDefaultAccount,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import {
+  parseSetupEntriesAllowingWildcard,
+  promptParsedAllowFromForScopedChannel,
+  setChannelDmPolicyWithAllowFrom,
+  setSetupChannelEnabled,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
+import { type ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
+import type { WizardPrompter } from "../../../src/wizard/prompts.js";
+import {
+  listIMessageAccountIds,
+  resolveDefaultIMessageAccountId,
+  resolveIMessageAccount,
+} from "./accounts.js";
+import { normalizeIMessageHandle } from "./targets.js";
+
+const channel = "imessage" as const;
+
+export function parseIMessageAllowFromEntries(raw: string): { entries: string[]; error?: string } {
+  return parseSetupEntriesAllowingWildcard(raw, (entry) => {
+    const lower = entry.toLowerCase();
+    if (lower.startsWith("chat_id:")) {
+      const id = entry.slice("chat_id:".length).trim();
+      if (!/^\d+$/.test(id)) {
+        return { error: `Invalid chat_id: ${entry}` };
+      }
+      return { value: entry };
+    }
+    if (lower.startsWith("chat_guid:")) {
+      if (!entry.slice("chat_guid:".length).trim()) {
+        return { error: "Invalid chat_guid entry" };
+      }
+      return { value: entry };
+    }
+    if (lower.startsWith("chat_identifier:")) {
+      if (!entry.slice("chat_identifier:".length).trim()) {
+        return { error: "Invalid chat_identifier entry" };
+      }
+      return { value: entry };
+    }
+    if (!normalizeIMessageHandle(entry)) {
+      return { error: `Invalid handle: ${entry}` };
+    }
+    return { value: entry };
+  });
+}
+
+function buildIMessageSetupPatch(input: {
+  cliPath?: string;
+  dbPath?: string;
+  service?: "imessage" | "sms" | "auto";
+  region?: string;
+}) {
+  return {
+    ...(input.cliPath ? { cliPath: input.cliPath } : {}),
+    ...(input.dbPath ? { dbPath: input.dbPath } : {}),
+    ...(input.service ? { service: input.service } : {}),
+    ...(input.region ? { region: input.region } : {}),
+  };
+}
+
+async function promptIMessageAllowFrom(params: {
+  cfg: OpenClawConfig;
+  prompter: WizardPrompter;
+  accountId?: string;
+}): Promise<OpenClawConfig> {
+  return promptParsedAllowFromForScopedChannel({
+    cfg: params.cfg,
+    channel,
+    accountId: params.accountId,
+    defaultAccountId: resolveDefaultIMessageAccountId(params.cfg),
+    prompter: params.prompter,
+    noteTitle: "iMessage allowlist",
+    noteLines: [
+      "Allowlist iMessage DMs by handle or chat target.",
+      "Examples:",
+      "- +15555550123",
+      "- user@example.com",
+      "- chat_id:123",
+      "- chat_guid:... or chat_identifier:...",
+      "Multiple entries: comma-separated.",
+      `Docs: ${formatDocsLink("/imessage", "imessage")}`,
+    ],
+    message: "iMessage allowFrom (handle or chat_id)",
+    placeholder: "+15555550123, user@example.com, chat_id:123",
+    parseEntries: parseIMessageAllowFromEntries,
+    getExistingAllowFrom: ({ cfg, accountId }) =>
+      resolveIMessageAccount({ cfg, accountId }).config.allowFrom ?? [],
+  });
+}
+
+export const imessageSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name: input.name,
+    });
+    const next =
+      accountId !== DEFAULT_ACCOUNT_ID
+        ? migrateBaseNameToDefaultAccount({
+            cfg: namedConfig,
+            channelKey: channel,
+          })
+        : namedConfig;
+    if (accountId === DEFAULT_ACCOUNT_ID) {
+      return {
+        ...next,
+        channels: {
+          ...next.channels,
+          imessage: {
+            ...next.channels?.imessage,
+            enabled: true,
+            ...buildIMessageSetupPatch(input),
+          },
+        },
+      };
+    }
+    return {
+      ...next,
+      channels: {
+        ...next.channels,
+        imessage: {
+          ...next.channels?.imessage,
+          enabled: true,
+          accounts: {
+            ...next.channels?.imessage?.accounts,
+            [accountId]: {
+              ...next.channels?.imessage?.accounts?.[accountId],
+              enabled: true,
+              ...buildIMessageSetupPatch(input),
+            },
+          },
+        },
+      },
+    };
+  },
+};
+
+export function createIMessageSetupWizardProxy(
+  loadWizard: () => Promise<{ imessageSetupWizard: ChannelSetupWizard }>,
+) {
+  const imessageDmPolicy: ChannelSetupDmPolicy = {
+    label: "iMessage",
+    channel,
+    policyKey: "channels.imessage.dmPolicy",
+    allowFromKey: "channels.imessage.allowFrom",
+    getCurrent: (cfg: OpenClawConfig) => cfg.channels?.imessage?.dmPolicy ?? "pairing",
+    setPolicy: (cfg: OpenClawConfig, policy) =>
+      setChannelDmPolicyWithAllowFrom({
+        cfg,
+        channel,
+        dmPolicy: policy,
+      }),
+    promptAllowFrom: promptIMessageAllowFrom,
+  };
+
+  return {
+    channel,
+    status: {
+      configuredLabel: "configured",
+      unconfiguredLabel: "needs setup",
+      configuredHint: "imsg found",
+      unconfiguredHint: "imsg missing",
+      configuredScore: 1,
+      unconfiguredScore: 0,
+      resolveConfigured: ({ cfg }) =>
+        listIMessageAccountIds(cfg).some((accountId) => {
+          const account = resolveIMessageAccount({ cfg, accountId });
+          return Boolean(
+            account.config.cliPath ||
+            account.config.dbPath ||
+            account.config.allowFrom ||
+            account.config.service ||
+            account.config.region,
+          );
+        }),
+      resolveStatusLines: async (params) =>
+        (await loadWizard()).imessageSetupWizard.status.resolveStatusLines?.(params) ?? [],
+      resolveSelectionHint: async (params) =>
+        await (await loadWizard()).imessageSetupWizard.status.resolveSelectionHint?.(params),
+      resolveQuickstartScore: async (params) =>
+        await (await loadWizard()).imessageSetupWizard.status.resolveQuickstartScore?.(params),
+    },
+    credentials: [],
+    textInputs: [
+      {
+        inputKey: "cliPath",
+        message: "imsg CLI path",
+        initialValue: ({ cfg, accountId }) =>
+          resolveIMessageAccount({ cfg, accountId }).config.cliPath ?? "imsg",
+        currentValue: ({ cfg, accountId }) =>
+          resolveIMessageAccount({ cfg, accountId }).config.cliPath ?? "imsg",
+        shouldPrompt: async (params) => {
+          const input = (await loadWizard()).imessageSetupWizard.textInputs?.find(
+            (entry) => entry.inputKey === "cliPath",
+          );
+          return (await input?.shouldPrompt?.(params)) ?? false;
+        },
+        confirmCurrentValue: false,
+        applyCurrentValue: true,
+        helpTitle: "iMessage",
+        helpLines: ["imsg CLI path required to enable iMessage."],
+      },
+    ],
+    completionNote: {
+      title: "iMessage next steps",
+      lines: [
+        "This is still a work in progress.",
+        "Ensure OpenClaw has Full Disk Access to Messages DB.",
+        "Grant Automation permission for Messages when prompted.",
+        "List chats with: imsg chats --limit 20",
+        `Docs: ${formatDocsLink("/imessage", "imessage")}`,
+      ],
+    },
+    dmPolicy: imessageDmPolicy,
+    disable: (cfg: OpenClawConfig) => setSetupChannelEnabled(cfg, channel, false),
+  } satisfies ChannelSetupWizard;
+}
diff --git a/extensions/imessage/src/setup-surface.ts b/extensions/imessage/src/setup-surface.ts
index 69382ff4014..0d0de246d7b 100644
--- a/extensions/imessage/src/setup-surface.ts
+++ b/extensions/imessage/src/setup-surface.ts
@@ -1,19 +1,14 @@
-import type { ChannelOnboardingDmPolicy } from "../../../src/channels/plugins/onboarding-types.js";
 import {
-  parseOnboardingEntriesAllowingWildcard,
+  parseSetupEntriesAllowingWildcard,
   promptParsedAllowFromForScopedChannel,
   setChannelDmPolicyWithAllowFrom,
-  setOnboardingChannelEnabled,
-} from "../../../src/channels/plugins/onboarding/helpers.js";
-import {
-  applyAccountNameToChannelSection,
-  migrateBaseNameToDefaultAccount,
-} from "../../../src/channels/plugins/setup-helpers.js";
+  setSetupChannelEnabled,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
 import { type ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
-import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
 import { detectBinary } from "../../../src/commands/onboard-helpers.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
-import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
 import { formatDocsLink } from "../../../src/terminal/links.js";
 import type { WizardPrompter } from "../../../src/wizard/prompts.js";
 import {
@@ -21,53 +16,10 @@ import {
   resolveDefaultIMessageAccountId,
   resolveIMessageAccount,
 } from "./accounts.js";
-import { normalizeIMessageHandle } from "./targets.js";
+import { imessageSetupAdapter, parseIMessageAllowFromEntries } from "./setup-core.js";
 
 const channel = "imessage" as const;
 
-export function parseIMessageAllowFromEntries(raw: string): { entries: string[]; error?: string } {
-  return parseOnboardingEntriesAllowingWildcard(raw, (entry) => {
-    const lower = entry.toLowerCase();
-    if (lower.startsWith("chat_id:")) {
-      const id = entry.slice("chat_id:".length).trim();
-      if (!/^\d+$/.test(id)) {
-        return { error: `Invalid chat_id: ${entry}` };
-      }
-      return { value: entry };
-    }
-    if (lower.startsWith("chat_guid:")) {
-      if (!entry.slice("chat_guid:".length).trim()) {
-        return { error: "Invalid chat_guid entry" };
-      }
-      return { value: entry };
-    }
-    if (lower.startsWith("chat_identifier:")) {
-      if (!entry.slice("chat_identifier:".length).trim()) {
-        return { error: "Invalid chat_identifier entry" };
-      }
-      return { value: entry };
-    }
-    if (!normalizeIMessageHandle(entry)) {
-      return { error: `Invalid handle: ${entry}` };
-    }
-    return { value: entry };
-  });
-}
-
-function buildIMessageSetupPatch(input: {
-  cliPath?: string;
-  dbPath?: string;
-  service?: "imessage" | "sms" | "auto";
-  region?: string;
-}) {
-  return {
-    ...(input.cliPath ? { cliPath: input.cliPath } : {}),
-    ...(input.dbPath ? { dbPath: input.dbPath } : {}),
-    ...(input.service ? { service: input.service } : {}),
-    ...(input.region ? { region: input.region } : {}),
-  };
-}
-
 async function promptIMessageAllowFrom(params: {
   cfg: OpenClawConfig;
   prompter: WizardPrompter;
@@ -98,7 +50,7 @@ async function promptIMessageAllowFrom(params: {
   });
 }
 
-const imessageDmPolicy: ChannelOnboardingDmPolicy = {
+const imessageDmPolicy: ChannelSetupDmPolicy = {
   label: "iMessage",
   channel,
   policyKey: "channels.imessage.dmPolicy",
@@ -113,63 +65,6 @@ const imessageDmPolicy: ChannelOnboardingDmPolicy = {
   promptAllowFrom: promptIMessageAllowFrom,
 };
 
-export const imessageSetupAdapter: ChannelSetupAdapter = {
-  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-  applyAccountName: ({ cfg, accountId, name }) =>
-    applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name,
-    }),
-  applyAccountConfig: ({ cfg, accountId, input }) => {
-    const namedConfig = applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name: input.name,
-    });
-    const next =
-      accountId !== DEFAULT_ACCOUNT_ID
-        ? migrateBaseNameToDefaultAccount({
-            cfg: namedConfig,
-            channelKey: channel,
-          })
-        : namedConfig;
-    if (accountId === DEFAULT_ACCOUNT_ID) {
-      return {
-        ...next,
-        channels: {
-          ...next.channels,
-          imessage: {
-            ...next.channels?.imessage,
-            enabled: true,
-            ...buildIMessageSetupPatch(input),
-          },
-        },
-      };
-    }
-    return {
-      ...next,
-      channels: {
-        ...next.channels,
-        imessage: {
-          ...next.channels?.imessage,
-          enabled: true,
-          accounts: {
-            ...next.channels?.imessage?.accounts,
-            [accountId]: {
-              ...next.channels?.imessage?.accounts?.[accountId],
-              enabled: true,
-              ...buildIMessageSetupPatch(input),
-            },
-          },
-        },
-      },
-    };
-  },
-};
-
 export const imessageSetupWizard: ChannelSetupWizard = {
   channel,
   status: {
@@ -234,5 +129,7 @@ export const imessageSetupWizard: ChannelSetupWizard = {
     ],
   },
   dmPolicy: imessageDmPolicy,
-  disable: (cfg) => setOnboardingChannelEnabled(cfg, channel, false),
+  disable: (cfg) => setSetupChannelEnabled(cfg, channel, false),
 };
+
+export { imessageSetupAdapter, parseIMessageAllowFromEntries };
diff --git a/extensions/irc/package.json b/extensions/irc/package.json
index 8d162b9ac20..774fa993dbd 100644
--- a/extensions/irc/package.json
+++ b/extensions/irc/package.json
@@ -9,6 +9,7 @@
   "openclaw": {
     "extensions": [
       "./index.ts"
-    ]
+    ],
+    "setupEntry": "./setup-entry.ts"
   }
 }
diff --git a/extensions/irc/setup-entry.ts b/extensions/irc/setup-entry.ts
new file mode 100644
index 00000000000..fe8bea1814d
--- /dev/null
+++ b/extensions/irc/setup-entry.ts
@@ -0,0 +1,5 @@
+import { ircPlugin } from "./src/channel.js";
+
+export default {
+  plugin: ircPlugin,
+};
diff --git a/extensions/irc/src/channel.ts b/extensions/irc/src/channel.ts
index b1fd0fc89d8..ca53d53a93d 100644
--- a/extensions/irc/src/channel.ts
+++ b/extensions/irc/src/channel.ts
@@ -36,7 +36,8 @@ import { resolveIrcGroupMatch, resolveIrcRequireMention } from "./policy.js";
 import { probeIrc } from "./probe.js";
 import { getIrcRuntime } from "./runtime.js";
 import { sendMessageIrc } from "./send.js";
-import { ircSetupAdapter, ircSetupWizard } from "./setup-surface.js";
+import { ircSetupAdapter } from "./setup-core.js";
+import { ircSetupWizard } from "./setup-surface.js";
 import type { CoreConfig, IrcProbe } from "./types.js";
 
 const meta = getChatChannelMeta("irc");
diff --git a/extensions/irc/src/setup-core.ts b/extensions/irc/src/setup-core.ts
new file mode 100644
index 00000000000..c793098063b
--- /dev/null
+++ b/extensions/irc/src/setup-core.ts
@@ -0,0 +1,147 @@
+import {
+  applyAccountNameToChannelSection,
+  patchScopedAccountConfig,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import {
+  setTopLevelChannelAllowFrom,
+  setTopLevelChannelDmPolicyWithAllowFrom,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import type { ChannelSetupInput } from "../../../src/channels/plugins/types.core.js";
+import type { DmPolicy } from "../../../src/config/types.js";
+import { normalizeAccountId } from "../../../src/routing/session-key.js";
+import type { CoreConfig, IrcAccountConfig, IrcNickServConfig } from "./types.js";
+
+const channel = "irc" as const;
+
+type IrcSetupInput = ChannelSetupInput & {
+  host?: string;
+  port?: number | string;
+  tls?: boolean;
+  nick?: string;
+  username?: string;
+  realname?: string;
+  channels?: string[];
+  password?: string;
+};
+
+export function parsePort(raw: string, fallback: number): number {
+  const trimmed = raw.trim();
+  if (!trimmed) {
+    return fallback;
+  }
+  const parsed = Number.parseInt(trimmed, 10);
+  if (!Number.isFinite(parsed) || parsed < 1 || parsed > 65535) {
+    return fallback;
+  }
+  return parsed;
+}
+
+export function updateIrcAccountConfig(
+  cfg: CoreConfig,
+  accountId: string,
+  patch: Partial<IrcAccountConfig>,
+): CoreConfig {
+  return patchScopedAccountConfig({
+    cfg,
+    channelKey: channel,
+    accountId,
+    patch,
+    ensureChannelEnabled: false,
+    ensureAccountEnabled: false,
+  }) as CoreConfig;
+}
+
+export function setIrcDmPolicy(cfg: CoreConfig, dmPolicy: DmPolicy): CoreConfig {
+  return setTopLevelChannelDmPolicyWithAllowFrom({
+    cfg,
+    channel,
+    dmPolicy,
+  }) as CoreConfig;
+}
+
+export function setIrcAllowFrom(cfg: CoreConfig, allowFrom: string[]): CoreConfig {
+  return setTopLevelChannelAllowFrom({
+    cfg,
+    channel,
+    allowFrom,
+  }) as CoreConfig;
+}
+
+export function setIrcNickServ(
+  cfg: CoreConfig,
+  accountId: string,
+  nickserv?: IrcNickServConfig,
+): CoreConfig {
+  return updateIrcAccountConfig(cfg, accountId, { nickserv });
+}
+
+export function setIrcGroupAccess(
+  cfg: CoreConfig,
+  accountId: string,
+  policy: "open" | "allowlist" | "disabled",
+  entries: string[],
+  normalizeGroupEntry: (raw: string) => string | null,
+): CoreConfig {
+  if (policy !== "allowlist") {
+    return updateIrcAccountConfig(cfg, accountId, { enabled: true, groupPolicy: policy });
+  }
+  const normalizedEntries = [
+    ...new Set(entries.map((entry) => normalizeGroupEntry(entry)).filter(Boolean)),
+  ];
+  const groups = Object.fromEntries(normalizedEntries.map((entry) => [entry, {}]));
+  return updateIrcAccountConfig(cfg, accountId, {
+    enabled: true,
+    groupPolicy: "allowlist",
+    groups,
+  });
+}
+
+export const ircSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  validateInput: ({ input }) => {
+    const setupInput = input as IrcSetupInput;
+    if (!setupInput.host?.trim()) {
+      return "IRC requires host.";
+    }
+    if (!setupInput.nick?.trim()) {
+      return "IRC requires nick.";
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const setupInput = input as IrcSetupInput;
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name: setupInput.name,
+    });
+    const portInput =
+      typeof setupInput.port === "number" ? String(setupInput.port) : String(setupInput.port ?? "");
+    const patch: Partial<IrcAccountConfig> = {
+      enabled: true,
+      host: setupInput.host?.trim(),
+      port: portInput ? parsePort(portInput, setupInput.tls === false ? 6667 : 6697) : undefined,
+      tls: setupInput.tls,
+      nick: setupInput.nick?.trim(),
+      username: setupInput.username?.trim(),
+      realname: setupInput.realname?.trim(),
+      password: setupInput.password?.trim(),
+      channels: setupInput.channels,
+    };
+    return patchScopedAccountConfig({
+      cfg: namedConfig,
+      channelKey: channel,
+      accountId,
+      patch,
+    }) as CoreConfig;
+  },
+};
diff --git a/extensions/irc/src/onboarding.test.ts b/extensions/irc/src/setup-surface.test.ts
similarity index 94%
rename from extensions/irc/src/onboarding.test.ts
rename to extensions/irc/src/setup-surface.test.ts
index 38738d1e484..147432b6131 100644
--- a/extensions/irc/src/onboarding.test.ts
+++ b/extensions/irc/src/setup-surface.test.ts
@@ -1,6 +1,6 @@
 import type { RuntimeEnv, WizardPrompter } from "openclaw/plugin-sdk/irc";
 import { describe, expect, it, vi } from "vitest";
-import { buildChannelOnboardingAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
 import { createRuntimeEnv } from "../../test-utils/runtime-env.js";
 import { ircPlugin } from "./channel.js";
 import type { CoreConfig } from "./types.js";
@@ -27,13 +27,13 @@ function createPrompter(overrides: Partial<WizardPrompter>): WizardPrompter {
   };
 }
 
-const ircConfigureAdapter = buildChannelOnboardingAdapterFromSetupWizard({
+const ircConfigureAdapter = buildChannelSetupWizardAdapterFromSetupWizard({
   plugin: ircPlugin,
   wizard: ircPlugin.setupWizard!,
 });
 
 describe("irc setup wizard", () => {
-  it("configures host and nick via onboarding prompts", async () => {
+  it("configures host and nick via setup prompts", async () => {
     const prompter = createPrompter({
       text: vi.fn(async ({ message }: { message: string }) => {
         if (message === "IRC server host") {
diff --git a/extensions/irc/src/setup-surface.ts b/extensions/irc/src/setup-surface.ts
index aaee61a9532..1607a9bdd54 100644
--- a/extensions/irc/src/setup-surface.ts
+++ b/extensions/irc/src/setup-surface.ts
@@ -1,19 +1,11 @@
-import type { ChannelOnboardingDmPolicy } from "../../../src/channels/plugins/onboarding-types.js";
 import {
-  resolveOnboardingAccountId,
-  setOnboardingChannelEnabled,
-  setTopLevelChannelAllowFrom,
-  setTopLevelChannelDmPolicyWithAllowFrom,
-} from "../../../src/channels/plugins/onboarding/helpers.js";
-import {
-  applyAccountNameToChannelSection,
-  patchScopedAccountConfig,
-} from "../../../src/channels/plugins/setup-helpers.js";
+  resolveSetupAccountId,
+  setSetupChannelEnabled,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
 import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
-import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
-import type { ChannelSetupInput } from "../../../src/channels/plugins/types.core.js";
 import type { DmPolicy } from "../../../src/config/types.js";
-import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
 import { formatDocsLink } from "../../../src/terminal/links.js";
 import type { WizardPrompter } from "../../../src/wizard/prompts.js";
 import { listIrcAccountIds, resolveDefaultIrcAccountId, resolveIrcAccount } from "./accounts.js";
@@ -22,23 +14,21 @@ import {
   normalizeIrcAllowEntry,
   normalizeIrcMessagingTarget,
 } from "./normalize.js";
+import {
+  ircSetupAdapter,
+  parsePort,
+  setIrcAllowFrom,
+  setIrcDmPolicy,
+  setIrcGroupAccess,
+  setIrcNickServ,
+  updateIrcAccountConfig,
+} from "./setup-core.js";
 import type { CoreConfig, IrcAccountConfig, IrcNickServConfig } from "./types.js";
 
 const channel = "irc" as const;
 const USE_ENV_FLAG = "__ircUseEnv";
 const TLS_FLAG = "__ircTls";
 
-type IrcSetupInput = ChannelSetupInput & {
-  host?: string;
-  port?: number | string;
-  tls?: boolean;
-  nick?: string;
-  username?: string;
-  realname?: string;
-  channels?: string[];
-  password?: string;
-};
-
 function parseListInput(raw: string): string[] {
   return raw
     .split(/[\n,;]+/g)
@@ -46,18 +36,6 @@ function parseListInput(raw: string): string[] {
     .filter(Boolean);
 }
 
-function parsePort(raw: string, fallback: number): number {
-  const trimmed = raw.trim();
-  if (!trimmed) {
-    return fallback;
-  }
-  const parsed = Number.parseInt(trimmed, 10);
-  if (!Number.isFinite(parsed) || parsed < 1 || parsed > 65535) {
-    return fallback;
-  }
-  return parsed;
-}
-
 function normalizeGroupEntry(raw: string): string | null {
   const trimmed = raw.trim();
   if (!trimmed) {
@@ -73,65 +51,6 @@ function normalizeGroupEntry(raw: string): string | null {
   return `#${normalized.replace(/^#+/, "")}`;
 }
 
-function updateIrcAccountConfig(
-  cfg: CoreConfig,
-  accountId: string,
-  patch: Partial<IrcAccountConfig>,
-): CoreConfig {
-  return patchScopedAccountConfig({
-    cfg,
-    channelKey: channel,
-    accountId,
-    patch,
-    ensureChannelEnabled: false,
-    ensureAccountEnabled: false,
-  }) as CoreConfig;
-}
-
-function setIrcDmPolicy(cfg: CoreConfig, dmPolicy: DmPolicy): CoreConfig {
-  return setTopLevelChannelDmPolicyWithAllowFrom({
-    cfg,
-    channel,
-    dmPolicy,
-  }) as CoreConfig;
-}
-
-function setIrcAllowFrom(cfg: CoreConfig, allowFrom: string[]): CoreConfig {
-  return setTopLevelChannelAllowFrom({
-    cfg,
-    channel,
-    allowFrom,
-  }) as CoreConfig;
-}
-
-function setIrcNickServ(
-  cfg: CoreConfig,
-  accountId: string,
-  nickserv?: IrcNickServConfig,
-): CoreConfig {
-  return updateIrcAccountConfig(cfg, accountId, { nickserv });
-}
-
-function setIrcGroupAccess(
-  cfg: CoreConfig,
-  accountId: string,
-  policy: "open" | "allowlist" | "disabled",
-  entries: string[],
-): CoreConfig {
-  if (policy !== "allowlist") {
-    return updateIrcAccountConfig(cfg, accountId, { enabled: true, groupPolicy: policy });
-  }
-  const normalizedEntries = [
-    ...new Set(entries.map((entry) => normalizeGroupEntry(entry)).filter(Boolean)),
-  ];
-  const groups = Object.fromEntries(normalizedEntries.map((entry) => [entry, {}]));
-  return updateIrcAccountConfig(cfg, accountId, {
-    enabled: true,
-    groupPolicy: "allowlist",
-    groups,
-  });
-}
-
 async function promptIrcAllowFrom(params: {
   cfg: CoreConfig;
   prompter: WizardPrompter;
@@ -246,7 +165,7 @@ async function promptIrcNickServConfig(params: {
   });
 }
 
-const ircDmPolicy: ChannelOnboardingDmPolicy = {
+const ircDmPolicy: ChannelSetupDmPolicy = {
   label: "IRC",
   channel,
   policyKey: "channels.irc.dmPolicy",
@@ -257,62 +176,13 @@ const ircDmPolicy: ChannelOnboardingDmPolicy = {
     await promptIrcAllowFrom({
       cfg: cfg as CoreConfig,
       prompter,
-      accountId: resolveOnboardingAccountId({
+      accountId: resolveSetupAccountId({
         accountId,
         defaultAccountId: resolveDefaultIrcAccountId(cfg as CoreConfig),
       }),
     }),
 };
 
-export const ircSetupAdapter: ChannelSetupAdapter = {
-  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-  applyAccountName: ({ cfg, accountId, name }) =>
-    applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name,
-    }),
-  validateInput: ({ input }) => {
-    const setupInput = input as IrcSetupInput;
-    if (!setupInput.host?.trim()) {
-      return "IRC requires host.";
-    }
-    if (!setupInput.nick?.trim()) {
-      return "IRC requires nick.";
-    }
-    return null;
-  },
-  applyAccountConfig: ({ cfg, accountId, input }) => {
-    const setupInput = input as IrcSetupInput;
-    const namedConfig = applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name: setupInput.name,
-    });
-    const portInput =
-      typeof setupInput.port === "number" ? String(setupInput.port) : String(setupInput.port ?? "");
-    const patch: Partial<IrcAccountConfig> = {
-      enabled: true,
-      host: setupInput.host?.trim(),
-      port: portInput ? parsePort(portInput, setupInput.tls === false ? 6667 : 6697) : undefined,
-      tls: setupInput.tls,
-      nick: setupInput.nick?.trim(),
-      username: setupInput.username?.trim(),
-      realname: setupInput.realname?.trim(),
-      password: setupInput.password?.trim(),
-      channels: setupInput.channels,
-    };
-    return patchScopedAccountConfig({
-      cfg: namedConfig,
-      channelKey: channel,
-      accountId,
-      patch,
-    }) as CoreConfig;
-  },
-};
-
 export const ircSetupWizard: ChannelSetupWizard = {
   channel,
   status: {
@@ -509,11 +379,17 @@ export const ircSetupWizard: ChannelSetupWizard = {
     updatePrompt: ({ cfg, accountId }) =>
       Boolean(resolveIrcAccount({ cfg: cfg as CoreConfig, accountId }).config.groups),
     setPolicy: ({ cfg, accountId, policy }) =>
-      setIrcGroupAccess(cfg as CoreConfig, accountId, policy, []),
+      setIrcGroupAccess(cfg as CoreConfig, accountId, policy, [], normalizeGroupEntry),
     resolveAllowlist: async ({ entries }) =>
       [...new Set(entries.map((entry) => normalizeGroupEntry(entry)).filter(Boolean))] as string[],
     applyAllowlist: ({ cfg, accountId, resolved }) =>
-      setIrcGroupAccess(cfg as CoreConfig, accountId, "allowlist", resolved as string[]),
+      setIrcGroupAccess(
+        cfg as CoreConfig,
+        accountId,
+        "allowlist",
+        resolved as string[],
+        normalizeGroupEntry,
+      ),
   },
   allowFrom: {
     helpTitle: "IRC allowlist",
@@ -582,5 +458,7 @@ export const ircSetupWizard: ChannelSetupWizard = {
     ],
   },
   dmPolicy: ircDmPolicy,
-  disable: (cfg) => setOnboardingChannelEnabled(cfg, channel, false),
+  disable: (cfg) => setSetupChannelEnabled(cfg, channel, false),
 };
+
+export { ircSetupAdapter };
diff --git a/extensions/kilocode/index.ts b/extensions/kilocode/index.ts
index 10fc30f67d4..5fff1fd061b 100644
--- a/extensions/kilocode/index.ts
+++ b/extensions/kilocode/index.ts
@@ -4,6 +4,11 @@ import {
   createKilocodeWrapper,
   isProxyReasoningUnsupported,
 } from "../../src/agents/pi-embedded-runner/proxy-stream-wrappers.js";
+import {
+  applyKilocodeConfig,
+  KILOCODE_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "kilocode";
 
@@ -18,7 +23,28 @@ const kilocodePlugin = {
       label: "Kilo Gateway",
       docsPath: "/providers/kilocode",
       envVars: ["KILOCODE_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Kilo Gateway API key",
+          hint: "API key (OpenRouter-compatible)",
+          optionKey: "kilocodeApiKey",
+          flagName: "--kilocode-api-key",
+          envVar: "KILOCODE_API_KEY",
+          promptMessage: "Enter Kilo Gateway API key",
+          defaultModel: KILOCODE_DEFAULT_MODEL_REF,
+          expectedProviders: ["kilocode"],
+          applyConfig: (cfg) => applyKilocodeConfig(cfg),
+          wizard: {
+            choiceId: "kilocode-api-key",
+            choiceLabel: "Kilo Gateway API key",
+            groupId: "kilocode",
+            groupLabel: "Kilo Gateway",
+            groupHint: "API key (OpenRouter-compatible)",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/kilocode/openclaw.plugin.json b/extensions/kilocode/openclaw.plugin.json
index ec078c33ab7..3aa51875bb6 100644
--- a/extensions/kilocode/openclaw.plugin.json
+++ b/extensions/kilocode/openclaw.plugin.json
@@ -1,6 +1,25 @@
 {
   "id": "kilocode",
   "providers": ["kilocode"],
+  "providerAuthEnvVars": {
+    "kilocode": ["KILOCODE_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "kilocode",
+      "method": "api-key",
+      "choiceId": "kilocode-api-key",
+      "choiceLabel": "Kilo Gateway API key",
+      "choiceHint": "API key (OpenRouter-compatible)",
+      "groupId": "kilocode",
+      "groupLabel": "Kilo Gateway",
+      "groupHint": "API key (OpenRouter-compatible)",
+      "optionKey": "kilocodeApiKey",
+      "cliFlag": "--kilocode-api-key",
+      "cliOption": "--kilocode-api-key <key>",
+      "cliDescription": "Kilo Gateway API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/kimi-coding/index.ts b/extensions/kimi-coding/index.ts
index d6e6e1d74a7..853eee98bef 100644
--- a/extensions/kimi-coding/index.ts
+++ b/extensions/kimi-coding/index.ts
@@ -1,5 +1,7 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildKimiCodingProvider } from "../../src/agents/models-config.providers.static.js";
+import { applyKimiCodeConfig, KIMI_CODING_MODEL_REF } from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 import { isRecord } from "../../src/utils.js";
 
 const PROVIDER_ID = "kimi-coding";
@@ -16,7 +18,33 @@ const kimiCodingPlugin = {
       aliases: ["kimi-code"],
       docsPath: "/providers/moonshot",
       envVars: ["KIMI_API_KEY", "KIMICODE_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Kimi Code API key (subscription)",
+          hint: "Kimi K2.5 + Kimi Coding",
+          optionKey: "kimiCodeApiKey",
+          flagName: "--kimi-code-api-key",
+          envVar: "KIMI_API_KEY",
+          promptMessage: "Enter Kimi Coding API key",
+          defaultModel: KIMI_CODING_MODEL_REF,
+          expectedProviders: ["kimi-code", "kimi-coding"],
+          applyConfig: (cfg) => applyKimiCodeConfig(cfg),
+          noteMessage: [
+            "Kimi Coding uses a dedicated endpoint and API key.",
+            "Get your API key at: https://www.kimi.com/code/en",
+          ].join("\n"),
+          noteTitle: "Kimi Coding",
+          wizard: {
+            choiceId: "kimi-code-api-key",
+            choiceLabel: "Kimi Code API key (subscription)",
+            groupId: "moonshot",
+            groupLabel: "Moonshot AI (Kimi K2.5)",
+            groupHint: "Kimi K2.5 + Kimi Coding",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/kimi-coding/openclaw.plugin.json b/extensions/kimi-coding/openclaw.plugin.json
index 8874fb6501b..c86d7211031 100644
--- a/extensions/kimi-coding/openclaw.plugin.json
+++ b/extensions/kimi-coding/openclaw.plugin.json
@@ -1,6 +1,24 @@
 {
   "id": "kimi-coding",
   "providers": ["kimi-coding"],
+  "providerAuthEnvVars": {
+    "kimi-coding": ["KIMI_API_KEY", "KIMICODE_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "kimi-coding",
+      "method": "api-key",
+      "choiceId": "kimi-code-api-key",
+      "choiceLabel": "Kimi Code API key (subscription)",
+      "groupId": "moonshot",
+      "groupLabel": "Moonshot AI (Kimi K2.5)",
+      "groupHint": "Kimi K2.5 + Kimi Coding",
+      "optionKey": "kimiCodeApiKey",
+      "cliFlag": "--kimi-code-api-key",
+      "cliOption": "--kimi-code-api-key <key>",
+      "cliDescription": "Kimi Coding API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/line/index.ts b/extensions/line/index.ts
index 961baf1f01b..59b1d97920d 100644
--- a/extensions/line/index.ts
+++ b/extensions/line/index.ts
@@ -12,6 +12,9 @@ const plugin = {
   register(api: OpenClawPluginApi) {
     setLineRuntime(api.runtime);
     api.registerChannel({ plugin: linePlugin });
+    if (api.registrationMode !== "full") {
+      return;
+    }
     registerLineCardCommand(api);
   },
 };
diff --git a/extensions/line/package.json b/extensions/line/package.json
index 85bfac7f0ac..3fa098460d6 100644
--- a/extensions/line/package.json
+++ b/extensions/line/package.json
@@ -8,6 +8,7 @@
     "extensions": [
       "./index.ts"
     ],
+    "setupEntry": "./setup-entry.ts",
     "channel": {
       "id": "line",
       "label": "LINE",
diff --git a/extensions/line/setup-entry.ts b/extensions/line/setup-entry.ts
new file mode 100644
index 00000000000..ca25d243155
--- /dev/null
+++ b/extensions/line/setup-entry.ts
@@ -0,0 +1,5 @@
+import { lineSetupPlugin } from "./src/channel.setup.js";
+
+export default {
+  plugin: lineSetupPlugin,
+};
diff --git a/extensions/line/src/channel.setup.ts b/extensions/line/src/channel.setup.ts
new file mode 100644
index 00000000000..71a1d87c45d
--- /dev/null
+++ b/extensions/line/src/channel.setup.ts
@@ -0,0 +1,69 @@
+import {
+  buildChannelConfigSchema,
+  LineConfigSchema,
+  type ChannelPlugin,
+  type OpenClawConfig,
+  type ResolvedLineAccount,
+} from "openclaw/plugin-sdk/line";
+import {
+  listLineAccountIds,
+  resolveDefaultLineAccountId,
+  resolveLineAccount,
+} from "../../../src/line/accounts.js";
+import { lineSetupAdapter } from "./setup-core.js";
+import { lineSetupWizard } from "./setup-surface.js";
+
+const meta = {
+  id: "line",
+  label: "LINE",
+  selectionLabel: "LINE (Messaging API)",
+  detailLabel: "LINE Bot",
+  docsPath: "/channels/line",
+  docsLabel: "line",
+  blurb: "LINE Messaging API bot for Japan/Taiwan/Thailand markets.",
+  systemImage: "message.fill",
+} as const;
+
+const normalizeLineAllowFrom = (entry: string) => entry.replace(/^line:(?:user:)?/i, "");
+
+export const lineSetupPlugin: ChannelPlugin<ResolvedLineAccount> = {
+  id: "line",
+  meta: {
+    ...meta,
+    quickstartAllowFrom: true,
+  },
+  capabilities: {
+    chatTypes: ["direct", "group"],
+    reactions: false,
+    threads: false,
+    media: true,
+    nativeCommands: false,
+    blockStreaming: true,
+  },
+  reload: { configPrefixes: ["channels.line"] },
+  configSchema: buildChannelConfigSchema(LineConfigSchema),
+  config: {
+    listAccountIds: (cfg: OpenClawConfig) => listLineAccountIds(cfg),
+    resolveAccount: (cfg: OpenClawConfig, accountId?: string | null) =>
+      resolveLineAccount({ cfg, accountId: accountId ?? undefined }),
+    defaultAccountId: (cfg: OpenClawConfig) => resolveDefaultLineAccountId(cfg),
+    isConfigured: (account) =>
+      Boolean(account.channelAccessToken?.trim() && account.channelSecret?.trim()),
+    describeAccount: (account) => ({
+      accountId: account.accountId,
+      name: account.name,
+      enabled: account.enabled,
+      configured: Boolean(account.channelAccessToken?.trim() && account.channelSecret?.trim()),
+      tokenSource: account.tokenSource ?? undefined,
+    }),
+    resolveAllowFrom: ({ cfg, accountId }) =>
+      resolveLineAccount({ cfg, accountId: accountId ?? undefined }).config.allowFrom,
+    formatAllowFrom: ({ allowFrom }) =>
+      allowFrom
+        .map((entry) => String(entry).trim())
+        .filter(Boolean)
+        .map((entry) => normalizeLineAllowFrom(entry)),
+  },
+  setupWizard: lineSetupWizard,
+  setup: lineSetupAdapter,
+};
diff --git a/extensions/line/src/channel.ts b/extensions/line/src/channel.ts
index 982d7670082..b184ebe8482 100644
--- a/extensions/line/src/channel.ts
+++ b/extensions/line/src/channel.ts
@@ -20,6 +20,8 @@ import {
   type ResolvedLineAccount,
 } from "openclaw/plugin-sdk/line";
 import { getLineRuntime } from "./runtime.js";
+import { lineSetupAdapter } from "./setup-core.js";
+import { lineSetupWizard } from "./setup-surface.js";
 
 // LINE channel metadata
 const meta = {
@@ -62,42 +64,6 @@ const resolveLineDmPolicy = createScopedDmSecurityResolver<ResolvedLineAccount>(
   normalizeEntry: (raw) => raw.replace(/^line:(?:user:)?/i, ""),
 });
 
-function patchLineAccountConfig(
-  cfg: OpenClawConfig,
-  lineConfig: LineConfig,
-  accountId: string,
-  patch: Record<string, unknown>,
-): OpenClawConfig {
-  if (accountId === DEFAULT_ACCOUNT_ID) {
-    return {
-      ...cfg,
-      channels: {
-        ...cfg.channels,
-        line: {
-          ...lineConfig,
-          ...patch,
-        },
-      },
-    };
-  }
-  return {
-    ...cfg,
-    channels: {
-      ...cfg.channels,
-      line: {
-        ...lineConfig,
-        accounts: {
-          ...lineConfig.accounts,
-          [accountId]: {
-            ...lineConfig.accounts?.[accountId],
-            ...patch,
-          },
-        },
-      },
-    },
-  };
-}
-
 export const linePlugin: ChannelPlugin<ResolvedLineAccount> = {
   id: "line",
   meta: {
@@ -131,6 +97,7 @@ export const linePlugin: ChannelPlugin<ResolvedLineAccount> = {
   },
   reload: { configPrefixes: ["channels.line"] },
   configSchema: buildChannelConfigSchema(LineConfigSchema),
+  setupWizard: lineSetupWizard,
   config: {
     ...lineConfigBase,
     isConfigured: (account) =>
@@ -200,101 +167,7 @@ export const linePlugin: ChannelPlugin<ResolvedLineAccount> = {
     listPeers: async () => [],
     listGroups: async () => [],
   },
-  setup: {
-    resolveAccountId: ({ accountId }) =>
-      getLineRuntime().channel.line.normalizeAccountId(accountId),
-    applyAccountName: ({ cfg, accountId, name }) => {
-      const lineConfig = (cfg.channels?.line ?? {}) as LineConfig;
-      return patchLineAccountConfig(cfg, lineConfig, accountId, { name });
-    },
-    validateInput: ({ accountId, input }) => {
-      const typedInput = input as {
-        useEnv?: boolean;
-        channelAccessToken?: string;
-        channelSecret?: string;
-        tokenFile?: string;
-        secretFile?: string;
-      };
-      if (typedInput.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
-        return "LINE_CHANNEL_ACCESS_TOKEN can only be used for the default account.";
-      }
-      if (!typedInput.useEnv && !typedInput.channelAccessToken && !typedInput.tokenFile) {
-        return "LINE requires channelAccessToken or --token-file (or --use-env).";
-      }
-      if (!typedInput.useEnv && !typedInput.channelSecret && !typedInput.secretFile) {
-        return "LINE requires channelSecret or --secret-file (or --use-env).";
-      }
-      return null;
-    },
-    applyAccountConfig: ({ cfg, accountId, input }) => {
-      const typedInput = input as {
-        name?: string;
-        useEnv?: boolean;
-        channelAccessToken?: string;
-        channelSecret?: string;
-        tokenFile?: string;
-        secretFile?: string;
-      };
-      const lineConfig = (cfg.channels?.line ?? {}) as LineConfig;
-
-      if (accountId === DEFAULT_ACCOUNT_ID) {
-        return {
-          ...cfg,
-          channels: {
-            ...cfg.channels,
-            line: {
-              ...lineConfig,
-              enabled: true,
-              ...(typedInput.name ? { name: typedInput.name } : {}),
-              ...(typedInput.useEnv
-                ? {}
-                : typedInput.tokenFile
-                  ? { tokenFile: typedInput.tokenFile }
-                  : typedInput.channelAccessToken
-                    ? { channelAccessToken: typedInput.channelAccessToken }
-                    : {}),
-              ...(typedInput.useEnv
-                ? {}
-                : typedInput.secretFile
-                  ? { secretFile: typedInput.secretFile }
-                  : typedInput.channelSecret
-                    ? { channelSecret: typedInput.channelSecret }
-                    : {}),
-            },
-          },
-        };
-      }
-
-      return {
-        ...cfg,
-        channels: {
-          ...cfg.channels,
-          line: {
-            ...lineConfig,
-            enabled: true,
-            accounts: {
-              ...lineConfig.accounts,
-              [accountId]: {
-                ...lineConfig.accounts?.[accountId],
-                enabled: true,
-                ...(typedInput.name ? { name: typedInput.name } : {}),
-                ...(typedInput.tokenFile
-                  ? { tokenFile: typedInput.tokenFile }
-                  : typedInput.channelAccessToken
-                    ? { channelAccessToken: typedInput.channelAccessToken }
-                    : {}),
-                ...(typedInput.secretFile
-                  ? { secretFile: typedInput.secretFile }
-                  : typedInput.channelSecret
-                    ? { channelSecret: typedInput.channelSecret }
-                    : {}),
-              },
-            },
-          },
-        },
-      };
-    },
-  },
+  setup: lineSetupAdapter,
   outbound: {
     deliveryMode: "direct",
     chunker: (text, limit) => getLineRuntime().channel.text.chunkMarkdownText(text, limit),
diff --git a/extensions/line/src/setup-core.ts b/extensions/line/src/setup-core.ts
new file mode 100644
index 00000000000..67c9c674df5
--- /dev/null
+++ b/extensions/line/src/setup-core.ts
@@ -0,0 +1,162 @@
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import {
+  listLineAccountIds,
+  normalizeAccountId,
+  resolveLineAccount,
+} from "../../../src/line/accounts.js";
+import type { LineConfig } from "../../../src/line/types.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
+
+const channel = "line" as const;
+
+export function patchLineAccountConfig(params: {
+  cfg: OpenClawConfig;
+  accountId: string;
+  patch: Record<string, unknown>;
+  clearFields?: string[];
+  enabled?: boolean;
+}): OpenClawConfig {
+  const accountId = normalizeAccountId(params.accountId);
+  const lineConfig = (params.cfg.channels?.line ?? {}) as LineConfig;
+  const clearFields = params.clearFields ?? [];
+
+  if (accountId === DEFAULT_ACCOUNT_ID) {
+    const nextLine = { ...lineConfig } as Record<string, unknown>;
+    for (const field of clearFields) {
+      delete nextLine[field];
+    }
+    return {
+      ...params.cfg,
+      channels: {
+        ...params.cfg.channels,
+        line: {
+          ...nextLine,
+          ...(params.enabled ? { enabled: true } : {}),
+          ...params.patch,
+        },
+      },
+    };
+  }
+
+  const nextAccount = {
+    ...(lineConfig.accounts?.[accountId] ?? {}),
+  } as Record<string, unknown>;
+  for (const field of clearFields) {
+    delete nextAccount[field];
+  }
+
+  return {
+    ...params.cfg,
+    channels: {
+      ...params.cfg.channels,
+      line: {
+        ...lineConfig,
+        ...(params.enabled ? { enabled: true } : {}),
+        accounts: {
+          ...lineConfig.accounts,
+          [accountId]: {
+            ...nextAccount,
+            ...(params.enabled ? { enabled: true } : {}),
+            ...params.patch,
+          },
+        },
+      },
+    },
+  };
+}
+
+export function isLineConfigured(cfg: OpenClawConfig, accountId: string): boolean {
+  const resolved = resolveLineAccount({ cfg, accountId });
+  return Boolean(resolved.channelAccessToken.trim() && resolved.channelSecret.trim());
+}
+
+export function parseLineAllowFromId(raw: string): string | null {
+  const trimmed = raw.trim().replace(/^line:(?:user:)?/i, "");
+  if (!/^U[a-f0-9]{32}$/i.test(trimmed)) {
+    return null;
+  }
+  return trimmed;
+}
+
+export const lineSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    patchLineAccountConfig({
+      cfg,
+      accountId,
+      patch: name?.trim() ? { name: name.trim() } : {},
+    }),
+  validateInput: ({ accountId, input }) => {
+    const typedInput = input as {
+      useEnv?: boolean;
+      channelAccessToken?: string;
+      channelSecret?: string;
+      tokenFile?: string;
+      secretFile?: string;
+    };
+    if (typedInput.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
+      return "LINE_CHANNEL_ACCESS_TOKEN can only be used for the default account.";
+    }
+    if (!typedInput.useEnv && !typedInput.channelAccessToken && !typedInput.tokenFile) {
+      return "LINE requires channelAccessToken or --token-file (or --use-env).";
+    }
+    if (!typedInput.useEnv && !typedInput.channelSecret && !typedInput.secretFile) {
+      return "LINE requires channelSecret or --secret-file (or --use-env).";
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const typedInput = input as {
+      useEnv?: boolean;
+      channelAccessToken?: string;
+      channelSecret?: string;
+      tokenFile?: string;
+      secretFile?: string;
+    };
+    const normalizedAccountId = normalizeAccountId(accountId);
+    if (normalizedAccountId === DEFAULT_ACCOUNT_ID) {
+      return patchLineAccountConfig({
+        cfg,
+        accountId: normalizedAccountId,
+        enabled: true,
+        clearFields: typedInput.useEnv
+          ? ["channelAccessToken", "channelSecret", "tokenFile", "secretFile"]
+          : undefined,
+        patch: typedInput.useEnv
+          ? {}
+          : {
+              ...(typedInput.tokenFile
+                ? { tokenFile: typedInput.tokenFile }
+                : typedInput.channelAccessToken
+                  ? { channelAccessToken: typedInput.channelAccessToken }
+                  : {}),
+              ...(typedInput.secretFile
+                ? { secretFile: typedInput.secretFile }
+                : typedInput.channelSecret
+                  ? { channelSecret: typedInput.channelSecret }
+                  : {}),
+            },
+      });
+    }
+    return patchLineAccountConfig({
+      cfg,
+      accountId: normalizedAccountId,
+      enabled: true,
+      patch: {
+        ...(typedInput.tokenFile
+          ? { tokenFile: typedInput.tokenFile }
+          : typedInput.channelAccessToken
+            ? { channelAccessToken: typedInput.channelAccessToken }
+            : {}),
+        ...(typedInput.secretFile
+          ? { secretFile: typedInput.secretFile }
+          : typedInput.channelSecret
+            ? { channelSecret: typedInput.channelSecret }
+            : {}),
+      },
+    });
+  },
+};
+
+export { listLineAccountIds };
diff --git a/extensions/line/src/setup-surface.test.ts b/extensions/line/src/setup-surface.test.ts
new file mode 100644
index 00000000000..3fd98df4b2e
--- /dev/null
+++ b/extensions/line/src/setup-surface.test.ts
@@ -0,0 +1,77 @@
+import type { OpenClawConfig } from "openclaw/plugin-sdk/line";
+import { describe, expect, it, vi } from "vitest";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import {
+  listLineAccountIds,
+  resolveDefaultLineAccountId,
+  resolveLineAccount,
+} from "../../../src/line/accounts.js";
+import type { WizardPrompter } from "../../../src/wizard/prompts.js";
+import { createRuntimeEnv } from "../../test-utils/runtime-env.js";
+import { lineSetupAdapter, lineSetupWizard } from "./setup-surface.js";
+
+function createPrompter(overrides: Partial<WizardPrompter> = {}): WizardPrompter {
+  return {
+    intro: vi.fn(async () => {}),
+    outro: vi.fn(async () => {}),
+    note: vi.fn(async () => {}),
+    select: vi.fn(async ({ options }: { options: Array<{ value: string }> }) => {
+      const first = options[0];
+      if (!first) {
+        throw new Error("no options");
+      }
+      return first.value;
+    }) as WizardPrompter["select"],
+    multiselect: vi.fn(async () => []),
+    text: vi.fn(async () => "") as WizardPrompter["text"],
+    confirm: vi.fn(async () => false),
+    progress: vi.fn(() => ({ update: vi.fn(), stop: vi.fn() })),
+    ...overrides,
+  };
+}
+
+const lineConfigureAdapter = buildChannelSetupWizardAdapterFromSetupWizard({
+  plugin: {
+    id: "line",
+    meta: { label: "LINE" },
+    config: {
+      listAccountIds: listLineAccountIds,
+      defaultAccountId: resolveDefaultLineAccountId,
+      resolveAllowFrom: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId?: string | null }) =>
+        resolveLineAccount({ cfg, accountId: accountId ?? undefined }).config.allowFrom,
+    },
+    setup: lineSetupAdapter,
+  } as Parameters<typeof buildChannelSetupWizardAdapterFromSetupWizard>[0]["plugin"],
+  wizard: lineSetupWizard,
+});
+
+describe("line setup wizard", () => {
+  it("configures token and secret for the default account", async () => {
+    const prompter = createPrompter({
+      text: vi.fn(async ({ message }: { message: string }) => {
+        if (message === "Enter LINE channel access token") {
+          return "line-token";
+        }
+        if (message === "Enter LINE channel secret") {
+          return "line-secret";
+        }
+        throw new Error(`Unexpected prompt: ${message}`);
+      }) as WizardPrompter["text"],
+    });
+
+    const result = await lineConfigureAdapter.configure({
+      cfg: {} as OpenClawConfig,
+      runtime: createRuntimeEnv(),
+      prompter,
+      options: {},
+      accountOverrides: {},
+      shouldPromptAccountIds: false,
+      forceAllowFrom: false,
+    });
+
+    expect(result.accountId).toBe("default");
+    expect(result.cfg.channels?.line?.enabled).toBe(true);
+    expect(result.cfg.channels?.line?.channelAccessToken).toBe("line-token");
+    expect(result.cfg.channels?.line?.channelSecret).toBe("line-secret");
+  });
+});
diff --git a/extensions/line/src/setup-surface.ts b/extensions/line/src/setup-surface.ts
new file mode 100644
index 00000000000..9ea7dd4ce68
--- /dev/null
+++ b/extensions/line/src/setup-surface.ts
@@ -0,0 +1,202 @@
+import {
+  setSetupChannelEnabled,
+  setTopLevelChannelDmPolicyWithAllowFrom,
+  splitSetupEntries,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
+import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import { resolveLineAccount } from "../../../src/line/accounts.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
+import {
+  isLineConfigured,
+  listLineAccountIds,
+  parseLineAllowFromId,
+  patchLineAccountConfig,
+} from "./setup-core.js";
+
+const channel = "line" as const;
+
+const LINE_SETUP_HELP_LINES = [
+  "1) Open the LINE Developers Console and create or pick a Messaging API channel",
+  "2) Copy the channel access token and channel secret",
+  "3) Enable Use webhook in the Messaging API settings",
+  "4) Point the webhook at https://<gateway-host>/line/webhook",
+  `Docs: ${formatDocsLink("/channels/line", "channels/line")}`,
+];
+
+const LINE_ALLOW_FROM_HELP_LINES = [
+  "Allowlist LINE DMs by user id.",
+  "LINE ids are case-sensitive.",
+  "Examples:",
+  "- U1234567890abcdef1234567890abcdef",
+  "- line:user:U1234567890abcdef1234567890abcdef",
+  "Multiple entries: comma-separated.",
+  `Docs: ${formatDocsLink("/channels/line", "channels/line")}`,
+];
+
+const lineDmPolicy: ChannelSetupDmPolicy = {
+  label: "LINE",
+  channel,
+  policyKey: "channels.line.dmPolicy",
+  allowFromKey: "channels.line.allowFrom",
+  getCurrent: (cfg) => cfg.channels?.line?.dmPolicy ?? "pairing",
+  setPolicy: (cfg, policy) =>
+    setTopLevelChannelDmPolicyWithAllowFrom({
+      cfg,
+      channel,
+      dmPolicy: policy,
+    }),
+};
+
+export { lineSetupAdapter } from "./setup-core.js";
+
+export const lineSetupWizard: ChannelSetupWizard = {
+  channel,
+  status: {
+    configuredLabel: "configured",
+    unconfiguredLabel: "needs token + secret",
+    configuredHint: "configured",
+    unconfiguredHint: "needs token + secret",
+    configuredScore: 1,
+    unconfiguredScore: 0,
+    resolveConfigured: ({ cfg }) =>
+      listLineAccountIds(cfg).some((accountId) => isLineConfigured(cfg, accountId)),
+    resolveStatusLines: ({ cfg, configured }) => [
+      `LINE: ${configured ? "configured" : "needs token + secret"}`,
+      `Accounts: ${listLineAccountIds(cfg).length || 0}`,
+    ],
+  },
+  introNote: {
+    title: "LINE Messaging API",
+    lines: LINE_SETUP_HELP_LINES,
+    shouldShow: ({ cfg, accountId }) => !isLineConfigured(cfg, accountId),
+  },
+  credentials: [
+    {
+      inputKey: "token",
+      providerHint: channel,
+      credentialLabel: "channel access token",
+      preferredEnvVar: "LINE_CHANNEL_ACCESS_TOKEN",
+      helpTitle: "LINE Messaging API",
+      helpLines: LINE_SETUP_HELP_LINES,
+      envPrompt: "LINE_CHANNEL_ACCESS_TOKEN detected. Use env var?",
+      keepPrompt: "LINE channel access token already configured. Keep it?",
+      inputPrompt: "Enter LINE channel access token",
+      allowEnv: ({ accountId }) => accountId === DEFAULT_ACCOUNT_ID,
+      inspect: ({ cfg, accountId }) => {
+        const resolved = resolveLineAccount({ cfg, accountId });
+        return {
+          accountConfigured: Boolean(
+            resolved.channelAccessToken.trim() && resolved.channelSecret.trim(),
+          ),
+          hasConfiguredValue: Boolean(
+            resolved.config.channelAccessToken?.trim() || resolved.config.tokenFile?.trim(),
+          ),
+          resolvedValue: resolved.channelAccessToken.trim() || undefined,
+          envValue:
+            accountId === DEFAULT_ACCOUNT_ID
+              ? process.env.LINE_CHANNEL_ACCESS_TOKEN?.trim() || undefined
+              : undefined,
+        };
+      },
+      applyUseEnv: ({ cfg, accountId }) =>
+        patchLineAccountConfig({
+          cfg,
+          accountId,
+          enabled: true,
+          clearFields: ["channelAccessToken", "tokenFile"],
+          patch: {},
+        }),
+      applySet: ({ cfg, accountId, resolvedValue }) =>
+        patchLineAccountConfig({
+          cfg,
+          accountId,
+          enabled: true,
+          clearFields: ["tokenFile"],
+          patch: { channelAccessToken: resolvedValue },
+        }),
+    },
+    {
+      inputKey: "password",
+      providerHint: "line-secret",
+      credentialLabel: "channel secret",
+      preferredEnvVar: "LINE_CHANNEL_SECRET",
+      helpTitle: "LINE Messaging API",
+      helpLines: LINE_SETUP_HELP_LINES,
+      envPrompt: "LINE_CHANNEL_SECRET detected. Use env var?",
+      keepPrompt: "LINE channel secret already configured. Keep it?",
+      inputPrompt: "Enter LINE channel secret",
+      allowEnv: ({ accountId }) => accountId === DEFAULT_ACCOUNT_ID,
+      inspect: ({ cfg, accountId }) => {
+        const resolved = resolveLineAccount({ cfg, accountId });
+        return {
+          accountConfigured: Boolean(
+            resolved.channelAccessToken.trim() && resolved.channelSecret.trim(),
+          ),
+          hasConfiguredValue: Boolean(
+            resolved.config.channelSecret?.trim() || resolved.config.secretFile?.trim(),
+          ),
+          resolvedValue: resolved.channelSecret.trim() || undefined,
+          envValue:
+            accountId === DEFAULT_ACCOUNT_ID
+              ? process.env.LINE_CHANNEL_SECRET?.trim() || undefined
+              : undefined,
+        };
+      },
+      applyUseEnv: ({ cfg, accountId }) =>
+        patchLineAccountConfig({
+          cfg,
+          accountId,
+          enabled: true,
+          clearFields: ["channelSecret", "secretFile"],
+          patch: {},
+        }),
+      applySet: ({ cfg, accountId, resolvedValue }) =>
+        patchLineAccountConfig({
+          cfg,
+          accountId,
+          enabled: true,
+          clearFields: ["secretFile"],
+          patch: { channelSecret: resolvedValue },
+        }),
+    },
+  ],
+  allowFrom: {
+    helpTitle: "LINE allowlist",
+    helpLines: LINE_ALLOW_FROM_HELP_LINES,
+    message: "LINE allowFrom (user id)",
+    placeholder: "U1234567890abcdef1234567890abcdef",
+    invalidWithoutCredentialNote:
+      "LINE allowFrom requires raw user ids like U1234567890abcdef1234567890abcdef.",
+    parseInputs: splitSetupEntries,
+    parseId: parseLineAllowFromId,
+    resolveEntries: async ({ entries }) =>
+      entries.map((entry) => {
+        const id = parseLineAllowFromId(entry);
+        return {
+          input: entry,
+          resolved: Boolean(id),
+          id,
+        };
+      }),
+    apply: ({ cfg, accountId, allowFrom }) =>
+      patchLineAccountConfig({
+        cfg,
+        accountId,
+        enabled: true,
+        patch: { dmPolicy: "allowlist", allowFrom },
+      }),
+  },
+  dmPolicy: lineDmPolicy,
+  completionNote: {
+    title: "LINE webhook",
+    lines: [
+      "Enable Use webhook in the LINE console after saving credentials.",
+      "Default webhook URL: https://<gateway-host>/line/webhook",
+      "If you set channels.line.webhookPath, update the URL to match.",
+      `Docs: ${formatDocsLink("/channels/line", "channels/line")}`,
+    ],
+  },
+  disable: (cfg) => setSetupChannelEnabled(cfg, channel, false),
+};
diff --git a/extensions/lobster/src/lobster-tool.test.ts b/extensions/lobster/src/lobster-tool.test.ts
index 7c62501aa6f..21d090846b0 100644
--- a/extensions/lobster/src/lobster-tool.test.ts
+++ b/extensions/lobster/src/lobster-tool.test.ts
@@ -32,6 +32,7 @@ function fakeApi(overrides: Partial<OpenClawPluginApi> = {}): OpenClawPluginApi
     id: "lobster",
     name: "lobster",
     source: "test",
+    registrationMode: "full",
     config: {},
     pluginConfig: {},
     // oxlint-disable-next-line typescript/no-explicit-any
@@ -43,6 +44,7 @@ function fakeApi(overrides: Partial<OpenClawPluginApi> = {}): OpenClawPluginApi
     registerCli() {},
     registerService() {},
     registerProvider() {},
+    registerWebSearchProvider() {},
     registerInteractiveHandler() {},
     registerHook() {},
     registerHttpRoute() {},
diff --git a/extensions/matrix/package.json b/extensions/matrix/package.json
index 5b973b88635..bebd410fae9 100644
--- a/extensions/matrix/package.json
+++ b/extensions/matrix/package.json
@@ -15,6 +15,7 @@
     "extensions": [
       "./index.ts"
     ],
+    "setupEntry": "./setup-entry.ts",
     "channel": {
       "id": "matrix",
       "label": "Matrix",
diff --git a/extensions/matrix/setup-entry.ts b/extensions/matrix/setup-entry.ts
new file mode 100644
index 00000000000..4cbabfe6333
--- /dev/null
+++ b/extensions/matrix/setup-entry.ts
@@ -0,0 +1,5 @@
+import { matrixPlugin } from "./src/channel.js";
+
+export default {
+  plugin: matrixPlugin,
+};
diff --git a/extensions/matrix/src/channel.ts b/extensions/matrix/src/channel.ts
index c9f95d3d671..6b0380bc19e 100644
--- a/extensions/matrix/src/channel.ts
+++ b/extensions/matrix/src/channel.ts
@@ -6,12 +6,10 @@ import {
   createScopedDmSecurityResolver,
 } from "openclaw/plugin-sdk/compat";
 import {
-  applyAccountNameToChannelSection,
   buildChannelConfigSchema,
   buildProbeChannelStatusSummary,
   collectStatusIssuesFromLastError,
   DEFAULT_ACCOUNT_ID,
-  normalizeAccountId,
   PAIRING_APPROVED_MESSAGE,
   type ChannelPlugin,
 } from "openclaw/plugin-sdk/matrix";
@@ -30,9 +28,9 @@ import {
   type ResolvedMatrixAccount,
 } from "./matrix/accounts.js";
 import { normalizeMatrixAllowList, normalizeMatrixUserId } from "./matrix/monitor/allowlist.js";
-import { matrixOnboardingAdapter } from "./onboarding.js";
 import { getMatrixRuntime } from "./runtime.js";
-import { normalizeSecretInputString } from "./secret-input.js";
+import { matrixSetupAdapter } from "./setup-core.js";
+import { matrixSetupWizard } from "./setup-surface.js";
 import type { CoreConfig } from "./types.js";
 
 // Mutex for serializing account startup (workaround for concurrent dynamic import race condition)
@@ -66,38 +64,6 @@ function normalizeMatrixMessagingTarget(raw: string): string | undefined {
   return stripped || undefined;
 }
 
-function buildMatrixConfigUpdate(
-  cfg: CoreConfig,
-  input: {
-    homeserver?: string;
-    userId?: string;
-    accessToken?: string;
-    password?: string;
-    deviceName?: string;
-    initialSyncLimit?: number;
-  },
-): CoreConfig {
-  const existing = cfg.channels?.matrix ?? {};
-  return {
-    ...cfg,
-    channels: {
-      ...cfg.channels,
-      matrix: {
-        ...existing,
-        enabled: true,
-        ...(input.homeserver ? { homeserver: input.homeserver } : {}),
-        ...(input.userId ? { userId: input.userId } : {}),
-        ...(input.accessToken ? { accessToken: input.accessToken } : {}),
-        ...(input.password ? { password: input.password } : {}),
-        ...(input.deviceName ? { deviceName: input.deviceName } : {}),
-        ...(typeof input.initialSyncLimit === "number"
-          ? { initialSyncLimit: input.initialSyncLimit }
-          : {}),
-      },
-    },
-  };
-}
-
 const matrixConfigAccessors = createScopedAccountConfigAccessors({
   resolveAccount: ({ cfg, accountId }) =>
     resolveMatrixAccountConfig({ cfg: cfg as CoreConfig, accountId }),
@@ -132,7 +98,7 @@ const resolveMatrixDmPolicy = createScopedDmSecurityResolver<ResolvedMatrixAccou
 export const matrixPlugin: ChannelPlugin<ResolvedMatrixAccount> = {
   id: "matrix",
   meta,
-  onboarding: matrixOnboardingAdapter,
+  setupWizard: matrixSetupWizard,
   pairing: {
     idLabel: "matrixUserId",
     normalizeAllowEntry: (entry) => entry.replace(/^matrix:/i, ""),
@@ -316,76 +282,33 @@ export const matrixPlugin: ChannelPlugin<ResolvedMatrixAccount> = {
       (await loadMatrixChannelRuntime()).resolveMatrixTargets({ cfg, inputs, kind, runtime }),
   },
   actions: matrixMessageActions,
-  setup: {
-    resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-    applyAccountName: ({ cfg, accountId, name }) =>
-      applyAccountNameToChannelSection({
-        cfg: cfg as CoreConfig,
-        channelKey: "matrix",
-        accountId,
-        name,
-      }),
-    validateInput: ({ input }) => {
-      if (input.useEnv) {
-        return null;
-      }
-      if (!input.homeserver?.trim()) {
-        return "Matrix requires --homeserver";
-      }
-      const accessToken = input.accessToken?.trim();
-      const password = normalizeSecretInputString(input.password);
-      const userId = input.userId?.trim();
-      if (!accessToken && !password) {
-        return "Matrix requires --access-token or --password";
-      }
-      if (!accessToken) {
-        if (!userId) {
-          return "Matrix requires --user-id when using --password";
-        }
-        if (!password) {
-          return "Matrix requires --password when using --user-id";
-        }
-      }
-      return null;
-    },
-    applyAccountConfig: ({ cfg, input }) => {
-      const namedConfig = applyAccountNameToChannelSection({
-        cfg: cfg as CoreConfig,
-        channelKey: "matrix",
-        accountId: DEFAULT_ACCOUNT_ID,
-        name: input.name,
-      });
-      if (input.useEnv) {
-        return {
-          ...namedConfig,
-          channels: {
-            ...namedConfig.channels,
-            matrix: {
-              ...namedConfig.channels?.matrix,
-              enabled: true,
-            },
-          },
-        } as CoreConfig;
-      }
-      return buildMatrixConfigUpdate(namedConfig as CoreConfig, {
-        homeserver: input.homeserver?.trim(),
-        userId: input.userId?.trim(),
-        accessToken: input.accessToken?.trim(),
-        password: normalizeSecretInputString(input.password),
-        deviceName: input.deviceName?.trim(),
-        initialSyncLimit: input.initialSyncLimit,
-      });
-    },
-  },
+  setup: matrixSetupAdapter,
   outbound: {
     deliveryMode: "direct",
-    chunker: (text, limit) => getMatrixRuntime().channel.text.chunkMarkdownText(text, limit),
+    chunker: (text, limit) => getMatrixRuntime().channel.text.chunkMarkdownText!(text, limit),
     chunkerMode: "markdown",
     textChunkLimit: 4000,
-    sendText: async (params) => (await loadMatrixChannelRuntime()).matrixOutbound.sendText(params),
-    sendMedia: async (params) =>
-      (await loadMatrixChannelRuntime()).matrixOutbound.sendMedia(params),
-    sendPoll: async (params) => (await loadMatrixChannelRuntime()).matrixOutbound.sendPoll(params),
+    sendText: async (params) => {
+      const outbound = (await loadMatrixChannelRuntime()).matrixOutbound;
+      if (!outbound.sendText) {
+        throw new Error("Matrix outbound text delivery is unavailable");
+      }
+      return await outbound.sendText(params);
+    },
+    sendMedia: async (params) => {
+      const outbound = (await loadMatrixChannelRuntime()).matrixOutbound;
+      if (!outbound.sendMedia) {
+        throw new Error("Matrix outbound media delivery is unavailable");
+      }
+      return await outbound.sendMedia(params);
+    },
+    sendPoll: async (params) => {
+      const outbound = (await loadMatrixChannelRuntime()).matrixOutbound;
+      if (!outbound.sendPoll) {
+        throw new Error("Matrix outbound poll delivery is unavailable");
+      }
+      return await outbound.sendPoll(params);
+    },
   },
   status: {
     defaultRuntime: {
diff --git a/extensions/matrix/src/setup-core.ts b/extensions/matrix/src/setup-core.ts
new file mode 100644
index 00000000000..f0fc395a344
--- /dev/null
+++ b/extensions/matrix/src/setup-core.ts
@@ -0,0 +1,111 @@
+import {
+  applyAccountNameToChannelSection,
+  migrateBaseNameToDefaultAccount,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import { normalizeSecretInputString } from "../../../src/config/types.secrets.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import type { CoreConfig } from "./types.js";
+
+const channel = "matrix" as const;
+
+export function buildMatrixConfigUpdate(
+  cfg: CoreConfig,
+  input: {
+    homeserver?: string;
+    userId?: string;
+    accessToken?: string;
+    password?: string;
+    deviceName?: string;
+    initialSyncLimit?: number;
+  },
+): CoreConfig {
+  const existing = cfg.channels?.matrix ?? {};
+  return {
+    ...cfg,
+    channels: {
+      ...cfg.channels,
+      matrix: {
+        ...existing,
+        enabled: true,
+        ...(input.homeserver ? { homeserver: input.homeserver } : {}),
+        ...(input.userId ? { userId: input.userId } : {}),
+        ...(input.accessToken ? { accessToken: input.accessToken } : {}),
+        ...(input.password ? { password: input.password } : {}),
+        ...(input.deviceName ? { deviceName: input.deviceName } : {}),
+        ...(typeof input.initialSyncLimit === "number"
+          ? { initialSyncLimit: input.initialSyncLimit }
+          : {}),
+      },
+    },
+  };
+}
+
+export const matrixSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg: cfg as CoreConfig,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  validateInput: ({ input }) => {
+    if (input.useEnv) {
+      return null;
+    }
+    if (!input.homeserver?.trim()) {
+      return "Matrix requires --homeserver";
+    }
+    const accessToken = input.accessToken?.trim();
+    const password = normalizeSecretInputString(input.password);
+    const userId = input.userId?.trim();
+    if (!accessToken && !password) {
+      return "Matrix requires --access-token or --password";
+    }
+    if (!accessToken) {
+      if (!userId) {
+        return "Matrix requires --user-id when using --password";
+      }
+      if (!password) {
+        return "Matrix requires --password when using --user-id";
+      }
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg: cfg as CoreConfig,
+      channelKey: channel,
+      accountId,
+      name: input.name,
+    });
+    const next =
+      accountId !== DEFAULT_ACCOUNT_ID
+        ? migrateBaseNameToDefaultAccount({
+            cfg: namedConfig,
+            channelKey: channel,
+          })
+        : namedConfig;
+    if (input.useEnv) {
+      return {
+        ...next,
+        channels: {
+          ...next.channels,
+          matrix: {
+            ...next.channels?.matrix,
+            enabled: true,
+          },
+        },
+      } as CoreConfig;
+    }
+    return buildMatrixConfigUpdate(next as CoreConfig, {
+      homeserver: input.homeserver?.trim(),
+      userId: input.userId?.trim(),
+      accessToken: input.accessToken?.trim(),
+      password: normalizeSecretInputString(input.password),
+      deviceName: input.deviceName?.trim(),
+      initialSyncLimit: input.initialSyncLimit,
+    });
+  },
+};
diff --git a/extensions/matrix/src/onboarding.ts b/extensions/matrix/src/setup-surface.ts
similarity index 70%
rename from extensions/matrix/src/onboarding.ts
rename to extensions/matrix/src/setup-surface.ts
index 642522dbc50..0f79545358e 100644
--- a/extensions/matrix/src/onboarding.ts
+++ b/extensions/matrix/src/setup-surface.ts
@@ -1,23 +1,25 @@
-import type { DmPolicy } from "openclaw/plugin-sdk/matrix";
 import {
   addWildcardAllowFrom,
   buildSingleChannelSecretPromptState,
-  formatResolvedUnresolvedNote,
-  formatDocsLink,
-  hasConfiguredSecretInput,
   mergeAllowFromEntries,
   promptSingleChannelSecretInput,
-  promptChannelAccessConfig,
   setTopLevelChannelGroupPolicy,
-  type SecretInput,
-  type ChannelOnboardingAdapter,
-  type ChannelOnboardingDmPolicy,
-  type WizardPrompter,
-} from "openclaw/plugin-sdk/matrix";
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
+import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import type { DmPolicy } from "../../../src/config/types.js";
+import type { SecretInput } from "../../../src/config/types.secrets.js";
+import { hasConfiguredSecretInput } from "../../../src/config/types.secrets.js";
+import { formatResolvedUnresolvedNote } from "../../../src/plugin-sdk/resolution-notes.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
+import type { WizardPrompter } from "../../../src/wizard/prompts.js";
 import { listMatrixDirectoryGroupsLive } from "./directory-live.js";
 import { resolveMatrixAccount } from "./matrix/accounts.js";
 import { ensureMatrixSdkInstalled, isMatrixSdkAvailable } from "./matrix/deps.js";
 import { resolveMatrixTargets } from "./resolve-targets.js";
+import { buildMatrixConfigUpdate, matrixSetupAdapter } from "./setup-core.js";
 import type { CoreConfig } from "./types.js";
 
 const channel = "matrix" as const;
@@ -168,7 +170,79 @@ function setMatrixGroupRooms(cfg: CoreConfig, roomKeys: string[]) {
   };
 }
 
-const dmPolicy: ChannelOnboardingDmPolicy = {
+async function resolveMatrixGroupRooms(params: {
+  cfg: CoreConfig;
+  entries: string[];
+  prompter: Pick<WizardPrompter, "note">;
+}): Promise<string[]> {
+  if (params.entries.length === 0) {
+    return [];
+  }
+  try {
+    const resolvedIds: string[] = [];
+    const unresolved: string[] = [];
+    for (const entry of params.entries) {
+      const trimmed = entry.trim();
+      if (!trimmed) {
+        continue;
+      }
+      const cleaned = trimmed.replace(/^(room|channel):/i, "").trim();
+      if (cleaned.startsWith("!") && cleaned.includes(":")) {
+        resolvedIds.push(cleaned);
+        continue;
+      }
+      const matches = await listMatrixDirectoryGroupsLive({
+        cfg: params.cfg,
+        query: trimmed,
+        limit: 10,
+      });
+      const exact = matches.find(
+        (match) => (match.name ?? "").toLowerCase() === trimmed.toLowerCase(),
+      );
+      const best = exact ?? matches[0];
+      if (best?.id) {
+        resolvedIds.push(best.id);
+      } else {
+        unresolved.push(entry);
+      }
+    }
+    const roomKeys = [...resolvedIds, ...unresolved.map((entry) => entry.trim()).filter(Boolean)];
+    const resolution = formatResolvedUnresolvedNote({
+      resolved: resolvedIds,
+      unresolved,
+    });
+    if (resolution) {
+      await params.prompter.note(resolution, "Matrix rooms");
+    }
+    return roomKeys;
+  } catch (err) {
+    await params.prompter.note(
+      `Room lookup failed; keeping entries as typed. ${String(err)}`,
+      "Matrix rooms",
+    );
+    return params.entries.map((entry) => entry.trim()).filter(Boolean);
+  }
+}
+
+const matrixGroupAccess: NonNullable<ChannelSetupWizard["groupAccess"]> = {
+  label: "Matrix rooms",
+  placeholder: "!roomId:server, #alias:server, Project Room",
+  currentPolicy: ({ cfg }) => cfg.channels?.matrix?.groupPolicy ?? "allowlist",
+  currentEntries: ({ cfg }) =>
+    Object.keys(cfg.channels?.matrix?.groups ?? cfg.channels?.matrix?.rooms ?? {}),
+  updatePrompt: ({ cfg }) => Boolean(cfg.channels?.matrix?.groups ?? cfg.channels?.matrix?.rooms),
+  setPolicy: ({ cfg, policy }) => setMatrixGroupPolicy(cfg as CoreConfig, policy),
+  resolveAllowlist: async ({ cfg, entries, prompter }) =>
+    await resolveMatrixGroupRooms({
+      cfg: cfg as CoreConfig,
+      entries,
+      prompter,
+    }),
+  applyAllowlist: ({ cfg, resolved }) =>
+    setMatrixGroupRooms(cfg as CoreConfig, resolved as string[]),
+};
+
+const matrixDmPolicy: ChannelSetupDmPolicy = {
   label: "Matrix",
   channel,
   policyKey: "channels.matrix.dm.policy",
@@ -178,26 +252,33 @@ const dmPolicy: ChannelOnboardingDmPolicy = {
   promptAllowFrom: promptMatrixAllowFrom,
 };
 
-export const matrixOnboardingAdapter: ChannelOnboardingAdapter = {
+export { matrixSetupAdapter } from "./setup-core.js";
+
+export const matrixSetupWizard: ChannelSetupWizard = {
   channel,
-  getStatus: async ({ cfg }) => {
-    const account = resolveMatrixAccount({ cfg: cfg as CoreConfig });
-    const configured = account.configured;
-    const sdkReady = isMatrixSdkAvailable();
-    return {
-      channel,
-      configured,
-      statusLines: [
+  resolveAccountIdForConfigure: () => DEFAULT_ACCOUNT_ID,
+  resolveShouldPromptAccountIds: () => false,
+  status: {
+    configuredLabel: "configured",
+    unconfiguredLabel: "needs homeserver + access token or password",
+    configuredHint: "configured",
+    unconfiguredHint: "needs auth",
+    resolveConfigured: ({ cfg }) => resolveMatrixAccount({ cfg: cfg as CoreConfig }).configured,
+    resolveStatusLines: ({ cfg }) => {
+      const configured = resolveMatrixAccount({ cfg: cfg as CoreConfig }).configured;
+      return [
         `Matrix: ${configured ? "configured" : "needs homeserver + access token or password"}`,
-      ],
-      selectionHint: !sdkReady
-        ? "install @vector-im/matrix-bot-sdk"
-        : configured
-          ? "configured"
-          : "needs auth",
-    };
+      ];
+    },
+    resolveSelectionHint: ({ cfg, configured }) => {
+      if (!isMatrixSdkAvailable()) {
+        return "install @vector-im/matrix-bot-sdk";
+      }
+      return configured ? "configured" : "needs auth";
+    },
   },
-  configure: async ({ cfg, runtime, prompter, forceAllowFrom }) => {
+  credentials: [],
+  finalize: async ({ cfg, runtime, prompter, forceAllowFrom }) => {
     let next = cfg as CoreConfig;
     await ensureMatrixSdkInstalled({
       runtime,
@@ -231,16 +312,11 @@ export const matrixOnboardingAdapter: ChannelOnboardingAdapter = {
         initialValue: true,
       });
       if (useEnv) {
-        next = {
-          ...next,
-          channels: {
-            ...next.channels,
-            matrix: {
-              ...next.channels?.matrix,
-              enabled: true,
-            },
-          },
-        };
+        next = matrixSetupAdapter.applyAccountConfig({
+          cfg: next,
+          accountId: DEFAULT_ACCOUNT_ID,
+          input: { useEnv: true },
+        }) as CoreConfig;
         if (forceAllowFrom) {
           next = await promptMatrixAllowFrom({ cfg: next, prompter });
         }
@@ -284,7 +360,6 @@ export const matrixOnboardingAdapter: ChannelOnboardingAdapter = {
     }
 
     if (!accessToken && !passwordConfigured()) {
-      // Ask auth method FIRST before asking for user ID
       const authMode = await prompter.select({
         message: "Matrix auth method",
         options: [
@@ -300,11 +375,8 @@ export const matrixOnboardingAdapter: ChannelOnboardingAdapter = {
             validate: (value) => (value?.trim() ? undefined : "Required"),
           }),
         ).trim();
-        // With access token, we can fetch the userId automatically - don't prompt for it
-        // The client.ts will use whoami() to get it
         userId = "";
       } else {
-        // Password auth requires user ID upfront
         userId = String(
           await prompter.text({
             message: "Matrix user ID",
@@ -333,7 +405,7 @@ export const matrixOnboardingAdapter: ChannelOnboardingAdapter = {
         const passwordResult = await promptSingleChannelSecretInput({
           cfg: next,
           prompter,
-          providerHint: "matrix",
+          providerHint: channel,
           credentialLabel: "password",
           accountConfigured: passwordPromptState.accountConfigured,
           canUseEnv: passwordPromptState.canUseEnv,
@@ -359,7 +431,6 @@ export const matrixOnboardingAdapter: ChannelOnboardingAdapter = {
       }),
     ).trim();
 
-    // Ask about E2EE encryption
     const enableEncryption = await prompter.confirm({
       message: "Enable end-to-end encryption (E2EE)?",
       initialValue: existing.encryption ?? false,
@@ -375,7 +446,7 @@ export const matrixOnboardingAdapter: ChannelOnboardingAdapter = {
           homeserver,
           userId: userId || undefined,
           accessToken: accessToken || undefined,
-          password: password,
+          password,
           deviceName: deviceName || undefined,
           encryption: enableEncryption || undefined,
         },
@@ -386,72 +457,10 @@ export const matrixOnboardingAdapter: ChannelOnboardingAdapter = {
       next = await promptMatrixAllowFrom({ cfg: next, prompter });
     }
 
-    const existingGroups = next.channels?.matrix?.groups ?? next.channels?.matrix?.rooms;
-    const accessConfig = await promptChannelAccessConfig({
-      prompter,
-      label: "Matrix rooms",
-      currentPolicy: next.channels?.matrix?.groupPolicy ?? "allowlist",
-      currentEntries: Object.keys(existingGroups ?? {}),
-      placeholder: "!roomId:server, #alias:server, Project Room",
-      updatePrompt: Boolean(existingGroups),
-    });
-    if (accessConfig) {
-      if (accessConfig.policy !== "allowlist") {
-        next = setMatrixGroupPolicy(next, accessConfig.policy);
-      } else {
-        let roomKeys = accessConfig.entries;
-        if (accessConfig.entries.length > 0) {
-          try {
-            const resolvedIds: string[] = [];
-            const unresolved: string[] = [];
-            for (const entry of accessConfig.entries) {
-              const trimmed = entry.trim();
-              if (!trimmed) {
-                continue;
-              }
-              const cleaned = trimmed.replace(/^(room|channel):/i, "").trim();
-              if (cleaned.startsWith("!") && cleaned.includes(":")) {
-                resolvedIds.push(cleaned);
-                continue;
-              }
-              const matches = await listMatrixDirectoryGroupsLive({
-                cfg: next,
-                query: trimmed,
-                limit: 10,
-              });
-              const exact = matches.find(
-                (match) => (match.name ?? "").toLowerCase() === trimmed.toLowerCase(),
-              );
-              const best = exact ?? matches[0];
-              if (best?.id) {
-                resolvedIds.push(best.id);
-              } else {
-                unresolved.push(entry);
-              }
-            }
-            roomKeys = [...resolvedIds, ...unresolved.map((entry) => entry.trim()).filter(Boolean)];
-            const resolution = formatResolvedUnresolvedNote({
-              resolved: resolvedIds,
-              unresolved,
-            });
-            if (resolution) {
-              await prompter.note(resolution, "Matrix rooms");
-            }
-          } catch (err) {
-            await prompter.note(
-              `Room lookup failed; keeping entries as typed. ${String(err)}`,
-              "Matrix rooms",
-            );
-          }
-        }
-        next = setMatrixGroupPolicy(next, "allowlist");
-        next = setMatrixGroupRooms(next, roomKeys);
-      }
-    }
-
     return { cfg: next };
   },
-  dmPolicy,
+  dmPolicy: matrixDmPolicy,
+  groupAccess: matrixGroupAccess,
   disable: (cfg) => ({
     ...(cfg as CoreConfig),
     channels: {
diff --git a/extensions/mattermost/index.test.ts b/extensions/mattermost/index.test.ts
new file mode 100644
index 00000000000..b2ef565c4d2
--- /dev/null
+++ b/extensions/mattermost/index.test.ts
@@ -0,0 +1,43 @@
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk/mattermost";
+import { describe, expect, it, vi } from "vitest";
+import { createTestPluginApi } from "../test-utils/plugin-api.js";
+import plugin from "./index.js";
+
+function createApi(
+  registrationMode: OpenClawPluginApi["registrationMode"],
+  registerHttpRoute = vi.fn(),
+): OpenClawPluginApi {
+  return createTestPluginApi({
+    id: "mattermost",
+    name: "Mattermost",
+    source: "test",
+    config: {},
+    runtime: {} as OpenClawPluginApi["runtime"],
+    registrationMode,
+    registerHttpRoute,
+  });
+}
+
+describe("mattermost plugin register", () => {
+  it("skips slash callback registration in setup-only mode", () => {
+    const registerHttpRoute = vi.fn();
+
+    plugin.register(createApi("setup-only", registerHttpRoute));
+
+    expect(registerHttpRoute).not.toHaveBeenCalled();
+  });
+
+  it("registers slash callback routes in full mode", () => {
+    const registerHttpRoute = vi.fn();
+
+    plugin.register(createApi("full", registerHttpRoute));
+
+    expect(registerHttpRoute).toHaveBeenCalledTimes(1);
+    expect(registerHttpRoute).toHaveBeenCalledWith(
+      expect.objectContaining({
+        path: "/api/channels/mattermost/command",
+        auth: "plugin",
+      }),
+    );
+  });
+});
diff --git a/extensions/mattermost/index.ts b/extensions/mattermost/index.ts
index 1dbf616c061..de6f4e1d8a0 100644
--- a/extensions/mattermost/index.ts
+++ b/extensions/mattermost/index.ts
@@ -12,6 +12,9 @@ const plugin = {
   register(api: OpenClawPluginApi) {
     setMattermostRuntime(api.runtime);
     api.registerChannel({ plugin: mattermostPlugin });
+    if (api.registrationMode !== "full") {
+      return;
+    }
 
     // Register the HTTP route for slash command callbacks.
     // The actual command registration with MM happens in the monitor
diff --git a/extensions/mattermost/package.json b/extensions/mattermost/package.json
index 17f8add1b1f..3c414f52f29 100644
--- a/extensions/mattermost/package.json
+++ b/extensions/mattermost/package.json
@@ -11,6 +11,7 @@
     "extensions": [
       "./index.ts"
     ],
+    "setupEntry": "./setup-entry.ts",
     "channel": {
       "id": "mattermost",
       "label": "Mattermost",
diff --git a/extensions/mattermost/setup-entry.ts b/extensions/mattermost/setup-entry.ts
new file mode 100644
index 00000000000..64c02fcbe9d
--- /dev/null
+++ b/extensions/mattermost/setup-entry.ts
@@ -0,0 +1,5 @@
+import { mattermostPlugin } from "./src/channel.js";
+
+export default {
+  plugin: mattermostPlugin,
+};
diff --git a/extensions/mattermost/src/channel.ts b/extensions/mattermost/src/channel.ts
index b28766d6db9..4bf52904b3f 100644
--- a/extensions/mattermost/src/channel.ts
+++ b/extensions/mattermost/src/channel.ts
@@ -38,7 +38,8 @@ import { sendMessageMattermost } from "./mattermost/send.js";
 import { resolveMattermostOpaqueTarget } from "./mattermost/target-resolution.js";
 import { looksLikeMattermostTargetId, normalizeMattermostMessagingTarget } from "./normalize.js";
 import { getMattermostRuntime } from "./runtime.js";
-import { mattermostSetupAdapter, mattermostSetupWizard } from "./setup-surface.js";
+import { mattermostSetupAdapter } from "./setup-core.js";
+import { mattermostSetupWizard } from "./setup-surface.js";
 
 const mattermostMessageActions: ChannelMessageActionAdapter = {
   listActions: ({ cfg }) => {
@@ -70,11 +71,11 @@ const mattermostMessageActions: ChannelMessageActionAdapter = {
   supportsAction: ({ action }) => {
     return action === "send" || action === "react";
   },
-  supportsButtons: ({ cfg }) => {
+  getCapabilities: ({ cfg }) => {
     const accounts = listMattermostAccountIds(cfg)
       .map((id) => resolveMattermostAccount({ cfg, accountId: id }))
       .filter((a) => a.enabled && a.botToken?.trim() && a.baseUrl?.trim());
-    return accounts.length > 0;
+    return accounts.length > 0 ? (["buttons"] as const) : [];
   },
   handleAction: async ({ action, params, cfg, accountId }) => {
     if (action === "react") {
diff --git a/extensions/mattermost/src/onboarding-helpers.ts b/extensions/mattermost/src/onboarding-helpers.ts
deleted file mode 100644
index e78abf5ebec..00000000000
--- a/extensions/mattermost/src/onboarding-helpers.ts
+++ /dev/null
@@ -1 +0,0 @@
-export { promptAccountId, resolveAccountIdForConfigure } from "openclaw/plugin-sdk/mattermost";
diff --git a/extensions/mattermost/src/setup-core.ts b/extensions/mattermost/src/setup-core.ts
new file mode 100644
index 00000000000..946b1af728e
--- /dev/null
+++ b/extensions/mattermost/src/setup-core.ts
@@ -0,0 +1,81 @@
+import {
+  applyAccountNameToChannelSection,
+  applySetupAccountConfigPatch,
+  DEFAULT_ACCOUNT_ID,
+  hasConfiguredSecretInput,
+  migrateBaseNameToDefaultAccount,
+  normalizeAccountId,
+  type OpenClawConfig,
+} from "openclaw/plugin-sdk/mattermost";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import { resolveMattermostAccount, type ResolvedMattermostAccount } from "./mattermost/accounts.js";
+import { normalizeMattermostBaseUrl } from "./mattermost/client.js";
+
+const channel = "mattermost" as const;
+
+export function isMattermostConfigured(account: ResolvedMattermostAccount): boolean {
+  const tokenConfigured =
+    Boolean(account.botToken?.trim()) || hasConfiguredSecretInput(account.config.botToken);
+  return tokenConfigured && Boolean(account.baseUrl);
+}
+
+export function resolveMattermostAccountWithSecrets(cfg: OpenClawConfig, accountId: string) {
+  return resolveMattermostAccount({
+    cfg,
+    accountId,
+    allowUnresolvedSecretRef: true,
+  });
+}
+
+export const mattermostSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  validateInput: ({ accountId, input }) => {
+    const token = input.botToken ?? input.token;
+    const baseUrl = normalizeMattermostBaseUrl(input.httpUrl);
+    if (input.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
+      return "Mattermost env vars can only be used for the default account.";
+    }
+    if (!input.useEnv && (!token || !baseUrl)) {
+      return "Mattermost requires --bot-token and --http-url (or --use-env).";
+    }
+    if (input.httpUrl && !baseUrl) {
+      return "Mattermost --http-url must include a valid base URL.";
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const token = input.botToken ?? input.token;
+    const baseUrl = normalizeMattermostBaseUrl(input.httpUrl);
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name: input.name,
+    });
+    const next =
+      accountId !== DEFAULT_ACCOUNT_ID
+        ? migrateBaseNameToDefaultAccount({
+            cfg: namedConfig,
+            channelKey: channel,
+          })
+        : namedConfig;
+    return applySetupAccountConfigPatch({
+      cfg: next,
+      channelKey: channel,
+      accountId,
+      patch: input.useEnv
+        ? {}
+        : {
+            ...(token ? { botToken: token } : {}),
+            ...(baseUrl ? { baseUrl } : {}),
+          },
+    });
+  },
+};
diff --git a/extensions/mattermost/src/onboarding.status.test.ts b/extensions/mattermost/src/setup-status.test.ts
similarity index 93%
rename from extensions/mattermost/src/onboarding.status.test.ts
rename to extensions/mattermost/src/setup-status.test.ts
index 023ea48cfa8..f1b440315e3 100644
--- a/extensions/mattermost/src/onboarding.status.test.ts
+++ b/extensions/mattermost/src/setup-status.test.ts
@@ -2,7 +2,7 @@ import type { OpenClawConfig } from "openclaw/plugin-sdk/mattermost";
 import { describe, expect, it } from "vitest";
 import { mattermostSetupWizard } from "./setup-surface.js";
 
-describe("mattermost onboarding status", () => {
+describe("mattermost setup status", () => {
   it("treats SecretRef botToken as configured when baseUrl is present", async () => {
     const configured = await mattermostSetupWizard.status.resolveConfigured({
       cfg: {
diff --git a/extensions/mattermost/src/setup-surface.ts b/extensions/mattermost/src/setup-surface.ts
index a201a24d82f..13b69542d02 100644
--- a/extensions/mattermost/src/setup-surface.ts
+++ b/extensions/mattermost/src/setup-surface.ts
@@ -1,90 +1,21 @@
 import {
-  applyAccountNameToChannelSection,
   applySetupAccountConfigPatch,
   DEFAULT_ACCOUNT_ID,
   hasConfiguredSecretInput,
-  migrateBaseNameToDefaultAccount,
-  normalizeAccountId,
   type OpenClawConfig,
 } from "openclaw/plugin-sdk/mattermost";
 import { type ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
-import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
 import { formatDocsLink } from "../../../src/terminal/links.js";
-import {
-  listMattermostAccountIds,
-  resolveMattermostAccount,
-  type ResolvedMattermostAccount,
-} from "./mattermost/accounts.js";
+import { listMattermostAccountIds } from "./mattermost/accounts.js";
 import { normalizeMattermostBaseUrl } from "./mattermost/client.js";
+import {
+  isMattermostConfigured,
+  mattermostSetupAdapter,
+  resolveMattermostAccountWithSecrets,
+} from "./setup-core.js";
 
 const channel = "mattermost" as const;
-
-function isMattermostConfigured(account: ResolvedMattermostAccount): boolean {
-  const tokenConfigured =
-    Boolean(account.botToken?.trim()) || hasConfiguredSecretInput(account.config.botToken);
-  return tokenConfigured && Boolean(account.baseUrl);
-}
-
-function resolveMattermostAccountWithSecrets(cfg: OpenClawConfig, accountId: string) {
-  return resolveMattermostAccount({
-    cfg,
-    accountId,
-    allowUnresolvedSecretRef: true,
-  });
-}
-
-export const mattermostSetupAdapter: ChannelSetupAdapter = {
-  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-  applyAccountName: ({ cfg, accountId, name }) =>
-    applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name,
-    }),
-  validateInput: ({ accountId, input }) => {
-    const token = input.botToken ?? input.token;
-    const baseUrl = normalizeMattermostBaseUrl(input.httpUrl);
-    if (input.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
-      return "Mattermost env vars can only be used for the default account.";
-    }
-    if (!input.useEnv && (!token || !baseUrl)) {
-      return "Mattermost requires --bot-token and --http-url (or --use-env).";
-    }
-    if (input.httpUrl && !baseUrl) {
-      return "Mattermost --http-url must include a valid base URL.";
-    }
-    return null;
-  },
-  applyAccountConfig: ({ cfg, accountId, input }) => {
-    const token = input.botToken ?? input.token;
-    const baseUrl = normalizeMattermostBaseUrl(input.httpUrl);
-    const namedConfig = applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name: input.name,
-    });
-    const next =
-      accountId !== DEFAULT_ACCOUNT_ID
-        ? migrateBaseNameToDefaultAccount({
-            cfg: namedConfig,
-            channelKey: channel,
-          })
-        : namedConfig;
-    return applySetupAccountConfigPatch({
-      cfg: next,
-      channelKey: channel,
-      accountId,
-      patch: input.useEnv
-        ? {}
-        : {
-            ...(token ? { botToken: token } : {}),
-            ...(baseUrl ? { baseUrl } : {}),
-          },
-    });
-  },
-};
+export { mattermostSetupAdapter } from "./setup-core.js";
 
 export const mattermostSetupWizard: ChannelSetupWizard = {
   channel,
diff --git a/extensions/minimax-portal-auth/README.md b/extensions/minimax-portal-auth/README.md
deleted file mode 100644
index 3c29ab8ac22..00000000000
--- a/extensions/minimax-portal-auth/README.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# MiniMax OAuth (OpenClaw plugin)
-
-OAuth provider plugin for **MiniMax** (OAuth).
-
-## Enable
-
-Bundled plugins are disabled by default. Enable this one:
-
-```bash
-openclaw plugins enable minimax-portal-auth
-```
-
-Restart the Gateway after enabling.
-
-```bash
-openclaw gateway restart
-```
-
-## Authenticate
-
-```bash
-openclaw models auth login --provider minimax-portal --set-default
-```
-
-You will be prompted to select an endpoint:
-
-- **Global** - International users, optimized for overseas access (`api.minimax.io`)
-- **China** - Optimized for users in China (`api.minimaxi.com`)
-
-## Notes
-
-- MiniMax OAuth uses a user-code login flow.
-- Currently, OAuth login is supported only for the Coding plan
diff --git a/extensions/minimax-portal-auth/index.ts b/extensions/minimax-portal-auth/index.ts
deleted file mode 100644
index eda0b72227c..00000000000
--- a/extensions/minimax-portal-auth/index.ts
+++ /dev/null
@@ -1,163 +0,0 @@
-import {
-  buildOauthProviderAuthResult,
-  emptyPluginConfigSchema,
-  type OpenClawPluginApi,
-  type ProviderAuthContext,
-  type ProviderAuthResult,
-  type ProviderCatalogContext,
-} from "openclaw/plugin-sdk/minimax-portal-auth";
-import { ensureAuthProfileStore, listProfilesForProvider } from "../../src/agents/auth-profiles.js";
-import { MINIMAX_OAUTH_MARKER } from "../../src/agents/model-auth-markers.js";
-import { buildMinimaxPortalProvider } from "../../src/agents/models-config.providers.static.js";
-import { loginMiniMaxPortalOAuth, type MiniMaxRegion } from "./oauth.js";
-
-const PROVIDER_ID = "minimax-portal";
-const PROVIDER_LABEL = "MiniMax";
-const DEFAULT_MODEL = "MiniMax-M2.5";
-const DEFAULT_BASE_URL_CN = "https://api.minimaxi.com/anthropic";
-const DEFAULT_BASE_URL_GLOBAL = "https://api.minimax.io/anthropic";
-
-function getDefaultBaseUrl(region: MiniMaxRegion): string {
-  return region === "cn" ? DEFAULT_BASE_URL_CN : DEFAULT_BASE_URL_GLOBAL;
-}
-
-function modelRef(modelId: string): string {
-  return `${PROVIDER_ID}/${modelId}`;
-}
-
-function buildProviderCatalog(params: { baseUrl: string; apiKey: string }) {
-  return {
-    ...buildMinimaxPortalProvider(),
-    baseUrl: params.baseUrl,
-    apiKey: params.apiKey,
-  };
-}
-
-function resolveCatalog(ctx: ProviderCatalogContext) {
-  const explicitProvider = ctx.config.models?.providers?.[PROVIDER_ID];
-  const envApiKey = ctx.resolveProviderApiKey(PROVIDER_ID).apiKey;
-  const authStore = ensureAuthProfileStore(ctx.agentDir, {
-    allowKeychainPrompt: false,
-  });
-  const hasProfiles = listProfilesForProvider(authStore, PROVIDER_ID).length > 0;
-  const explicitApiKey =
-    typeof explicitProvider?.apiKey === "string" ? explicitProvider.apiKey.trim() : undefined;
-  const apiKey = envApiKey ?? explicitApiKey ?? (hasProfiles ? MINIMAX_OAUTH_MARKER : undefined);
-  if (!apiKey) {
-    return null;
-  }
-
-  const explicitBaseUrl =
-    typeof explicitProvider?.baseUrl === "string" ? explicitProvider.baseUrl.trim() : undefined;
-
-  return {
-    provider: buildProviderCatalog({
-      baseUrl: explicitBaseUrl || DEFAULT_BASE_URL_GLOBAL,
-      apiKey,
-    }),
-  };
-}
-
-function createOAuthHandler(region: MiniMaxRegion) {
-  const defaultBaseUrl = getDefaultBaseUrl(region);
-  const regionLabel = region === "cn" ? "CN" : "Global";
-
-  return async (ctx: ProviderAuthContext): Promise<ProviderAuthResult> => {
-    const progress = ctx.prompter.progress(`Starting MiniMax OAuth (${regionLabel})…`);
-    try {
-      const result = await loginMiniMaxPortalOAuth({
-        openUrl: ctx.openUrl,
-        note: ctx.prompter.note,
-        progress,
-        region,
-      });
-
-      progress.stop("MiniMax OAuth complete");
-
-      if (result.notification_message) {
-        await ctx.prompter.note(result.notification_message, "MiniMax OAuth");
-      }
-
-      const baseUrl = result.resourceUrl || defaultBaseUrl;
-
-      return buildOauthProviderAuthResult({
-        providerId: PROVIDER_ID,
-        defaultModel: modelRef(DEFAULT_MODEL),
-        access: result.access,
-        refresh: result.refresh,
-        expires: result.expires,
-        configPatch: {
-          models: {
-            providers: {
-              [PROVIDER_ID]: {
-                baseUrl,
-                models: [],
-              },
-            },
-          },
-          agents: {
-            defaults: {
-              models: {
-                [modelRef("MiniMax-M2.5")]: { alias: "minimax-m2.5" },
-                [modelRef("MiniMax-M2.5-highspeed")]: {
-                  alias: "minimax-m2.5-highspeed",
-                },
-                [modelRef("MiniMax-M2.5-Lightning")]: {
-                  alias: "minimax-m2.5-lightning",
-                },
-              },
-            },
-          },
-        },
-        notes: [
-          "MiniMax OAuth tokens auto-refresh. Re-run login if refresh fails or access is revoked.",
-          `Base URL defaults to ${defaultBaseUrl}. Override models.providers.${PROVIDER_ID}.baseUrl if needed.`,
-          ...(result.notification_message ? [result.notification_message] : []),
-        ],
-      });
-    } catch (err) {
-      const errorMsg = err instanceof Error ? err.message : String(err);
-      progress.stop(`MiniMax OAuth failed: ${errorMsg}`);
-      await ctx.prompter.note(
-        "If OAuth fails, verify your MiniMax account has portal access and try again.",
-        "MiniMax OAuth",
-      );
-      throw err;
-    }
-  };
-}
-
-const minimaxPortalPlugin = {
-  id: "minimax-portal-auth",
-  name: "MiniMax OAuth",
-  description: "OAuth flow for MiniMax models",
-  configSchema: emptyPluginConfigSchema(),
-  register(api: OpenClawPluginApi) {
-    api.registerProvider({
-      id: PROVIDER_ID,
-      label: PROVIDER_LABEL,
-      docsPath: "/providers/minimax",
-      catalog: {
-        run: async (ctx: ProviderCatalogContext) => resolveCatalog(ctx),
-      },
-      auth: [
-        {
-          id: "oauth",
-          label: "MiniMax OAuth (Global)",
-          hint: "Global endpoint - api.minimax.io",
-          kind: "device_code",
-          run: createOAuthHandler("global"),
-        },
-        {
-          id: "oauth-cn",
-          label: "MiniMax OAuth (CN)",
-          hint: "CN endpoint - api.minimaxi.com",
-          kind: "device_code",
-          run: createOAuthHandler("cn"),
-        },
-      ],
-    });
-  },
-};
-
-export default minimaxPortalPlugin;
diff --git a/extensions/minimax/README.md b/extensions/minimax/README.md
new file mode 100644
index 00000000000..fa343894525
--- /dev/null
+++ b/extensions/minimax/README.md
@@ -0,0 +1,37 @@
+# MiniMax (OpenClaw plugin)
+
+Bundled MiniMax plugin for both:
+
+- API-key provider setup (`minimax`)
+- Coding Plan OAuth setup (`minimax-portal`)
+
+## Enable
+
+```bash
+openclaw plugins enable minimax
+```
+
+Restart the Gateway after enabling.
+
+```bash
+openclaw gateway restart
+```
+
+## Authenticate
+
+OAuth:
+
+```bash
+openclaw models auth login --provider minimax-portal --set-default
+```
+
+API key:
+
+```bash
+openclaw setup --wizard --auth-choice minimax-global-api
+```
+
+## Notes
+
+- MiniMax OAuth uses a user-code login flow.
+- OAuth currently targets the Coding Plan path.
diff --git a/extensions/minimax/index.ts b/extensions/minimax/index.ts
index 6585e27d7cf..604e8627d22 100644
--- a/extensions/minimax/index.ts
+++ b/extensions/minimax/index.ts
@@ -1,35 +1,227 @@
-import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
-import { buildMinimaxProvider } from "../../src/agents/models-config.providers.static.js";
+import {
+  buildOauthProviderAuthResult,
+  emptyPluginConfigSchema,
+  type OpenClawPluginApi,
+  type ProviderAuthContext,
+  type ProviderAuthResult,
+  type ProviderCatalogContext,
+} from "openclaw/plugin-sdk/minimax-portal-auth";
+import { ensureAuthProfileStore, listProfilesForProvider } from "../../src/agents/auth-profiles.js";
+import { MINIMAX_OAUTH_MARKER } from "../../src/agents/model-auth-markers.js";
+import {
+  buildMinimaxPortalProvider,
+  buildMinimaxProvider,
+} from "../../src/agents/models-config.providers.static.js";
+import {
+  applyMinimaxApiConfig,
+  applyMinimaxApiConfigCn,
+} from "../../src/commands/onboard-auth.config-minimax.js";
 import { fetchMinimaxUsage } from "../../src/infra/provider-usage.fetch.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
+import { loginMiniMaxPortalOAuth, type MiniMaxRegion } from "./oauth.js";
 
-const PROVIDER_ID = "minimax";
+const API_PROVIDER_ID = "minimax";
+const PORTAL_PROVIDER_ID = "minimax-portal";
+const PROVIDER_LABEL = "MiniMax";
+const DEFAULT_MODEL = "MiniMax-M2.5";
+const DEFAULT_BASE_URL_CN = "https://api.minimaxi.com/anthropic";
+const DEFAULT_BASE_URL_GLOBAL = "https://api.minimax.io/anthropic";
+
+function getDefaultBaseUrl(region: MiniMaxRegion): string {
+  return region === "cn" ? DEFAULT_BASE_URL_CN : DEFAULT_BASE_URL_GLOBAL;
+}
+
+function apiModelRef(modelId: string): string {
+  return `${API_PROVIDER_ID}/${modelId}`;
+}
+
+function portalModelRef(modelId: string): string {
+  return `${PORTAL_PROVIDER_ID}/${modelId}`;
+}
+
+function isModernMiniMaxModel(modelId: string): boolean {
+  return modelId.trim().toLowerCase().startsWith("minimax-m2.5");
+}
+
+function buildPortalProviderCatalog(params: { baseUrl: string; apiKey: string }) {
+  return {
+    ...buildMinimaxPortalProvider(),
+    baseUrl: params.baseUrl,
+    apiKey: params.apiKey,
+  };
+}
+
+function resolveApiCatalog(ctx: ProviderCatalogContext) {
+  const apiKey = ctx.resolveProviderApiKey(API_PROVIDER_ID).apiKey;
+  if (!apiKey) {
+    return null;
+  }
+  return {
+    provider: {
+      ...buildMinimaxProvider(),
+      apiKey,
+    },
+  };
+}
+
+function resolvePortalCatalog(ctx: ProviderCatalogContext) {
+  const explicitProvider = ctx.config.models?.providers?.[PORTAL_PROVIDER_ID];
+  const envApiKey = ctx.resolveProviderApiKey(PORTAL_PROVIDER_ID).apiKey;
+  const authStore = ensureAuthProfileStore(ctx.agentDir, {
+    allowKeychainPrompt: false,
+  });
+  const hasProfiles = listProfilesForProvider(authStore, PORTAL_PROVIDER_ID).length > 0;
+  const explicitApiKey =
+    typeof explicitProvider?.apiKey === "string" ? explicitProvider.apiKey.trim() : undefined;
+  const apiKey = envApiKey ?? explicitApiKey ?? (hasProfiles ? MINIMAX_OAUTH_MARKER : undefined);
+  if (!apiKey) {
+    return null;
+  }
+
+  const explicitBaseUrl =
+    typeof explicitProvider?.baseUrl === "string" ? explicitProvider.baseUrl.trim() : undefined;
+
+  return {
+    provider: buildPortalProviderCatalog({
+      baseUrl: explicitBaseUrl || DEFAULT_BASE_URL_GLOBAL,
+      apiKey,
+    }),
+  };
+}
+
+function createOAuthHandler(region: MiniMaxRegion) {
+  const defaultBaseUrl = getDefaultBaseUrl(region);
+  const regionLabel = region === "cn" ? "CN" : "Global";
+
+  return async (ctx: ProviderAuthContext): Promise<ProviderAuthResult> => {
+    const progress = ctx.prompter.progress(`Starting MiniMax OAuth (${regionLabel})…`);
+    try {
+      const result = await loginMiniMaxPortalOAuth({
+        openUrl: ctx.openUrl,
+        note: ctx.prompter.note,
+        progress,
+        region,
+      });
+
+      progress.stop("MiniMax OAuth complete");
+
+      if (result.notification_message) {
+        await ctx.prompter.note(result.notification_message, "MiniMax OAuth");
+      }
+
+      const baseUrl = result.resourceUrl || defaultBaseUrl;
+
+      return buildOauthProviderAuthResult({
+        providerId: PORTAL_PROVIDER_ID,
+        defaultModel: portalModelRef(DEFAULT_MODEL),
+        access: result.access,
+        refresh: result.refresh,
+        expires: result.expires,
+        configPatch: {
+          models: {
+            providers: {
+              [PORTAL_PROVIDER_ID]: {
+                baseUrl,
+                models: [],
+              },
+            },
+          },
+          agents: {
+            defaults: {
+              models: {
+                [portalModelRef("MiniMax-M2.5")]: { alias: "minimax-m2.5" },
+                [portalModelRef("MiniMax-M2.5-highspeed")]: {
+                  alias: "minimax-m2.5-highspeed",
+                },
+                [portalModelRef("MiniMax-M2.5-Lightning")]: {
+                  alias: "minimax-m2.5-lightning",
+                },
+              },
+            },
+          },
+        },
+        notes: [
+          "MiniMax OAuth tokens auto-refresh. Re-run login if refresh fails or access is revoked.",
+          `Base URL defaults to ${defaultBaseUrl}. Override models.providers.${PORTAL_PROVIDER_ID}.baseUrl if needed.`,
+          ...(result.notification_message ? [result.notification_message] : []),
+        ],
+      });
+    } catch (err) {
+      const errorMsg = err instanceof Error ? err.message : String(err);
+      progress.stop(`MiniMax OAuth failed: ${errorMsg}`);
+      await ctx.prompter.note(
+        "If OAuth fails, verify your MiniMax account has portal access and try again.",
+        "MiniMax OAuth",
+      );
+      throw err;
+    }
+  };
+}
 
 const minimaxPlugin = {
-  id: PROVIDER_ID,
-  name: "MiniMax Provider",
-  description: "Bundled MiniMax provider plugin",
+  id: API_PROVIDER_ID,
+  name: "MiniMax",
+  description: "Bundled MiniMax API-key and OAuth provider plugin",
   configSchema: emptyPluginConfigSchema(),
   register(api: OpenClawPluginApi) {
     api.registerProvider({
-      id: PROVIDER_ID,
-      label: "MiniMax",
+      id: API_PROVIDER_ID,
+      label: PROVIDER_LABEL,
       docsPath: "/providers/minimax",
       envVars: ["MINIMAX_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: API_PROVIDER_ID,
+          methodId: "api-global",
+          label: "MiniMax API key (Global)",
+          hint: "Global endpoint - api.minimax.io",
+          optionKey: "minimaxApiKey",
+          flagName: "--minimax-api-key",
+          envVar: "MINIMAX_API_KEY",
+          promptMessage:
+            "Enter MiniMax API key (sk-api- or sk-cp-)\nhttps://platform.minimax.io/user-center/basic-information/interface-key",
+          profileId: "minimax:global",
+          allowProfile: false,
+          defaultModel: apiModelRef(DEFAULT_MODEL),
+          expectedProviders: ["minimax"],
+          applyConfig: (cfg) => applyMinimaxApiConfig(cfg),
+          wizard: {
+            choiceId: "minimax-global-api",
+            choiceLabel: "MiniMax API key (Global)",
+            choiceHint: "Global endpoint - api.minimax.io",
+            groupId: "minimax",
+            groupLabel: "MiniMax",
+            groupHint: "M2.5 (recommended)",
+          },
+        }),
+        createProviderApiKeyAuthMethod({
+          providerId: API_PROVIDER_ID,
+          methodId: "api-cn",
+          label: "MiniMax API key (CN)",
+          hint: "CN endpoint - api.minimaxi.com",
+          optionKey: "minimaxApiKey",
+          flagName: "--minimax-api-key",
+          envVar: "MINIMAX_API_KEY",
+          promptMessage:
+            "Enter MiniMax CN API key (sk-api- or sk-cp-)\nhttps://platform.minimaxi.com/user-center/basic-information/interface-key",
+          profileId: "minimax:cn",
+          allowProfile: false,
+          defaultModel: apiModelRef(DEFAULT_MODEL),
+          expectedProviders: ["minimax", "minimax-cn"],
+          applyConfig: (cfg) => applyMinimaxApiConfigCn(cfg),
+          wizard: {
+            choiceId: "minimax-cn-api",
+            choiceLabel: "MiniMax API key (CN)",
+            choiceHint: "CN endpoint - api.minimaxi.com",
+            groupId: "minimax",
+            groupLabel: "MiniMax",
+            groupHint: "M2.5 (recommended)",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
-        run: async (ctx) => {
-          const apiKey = ctx.resolveProviderApiKey(PROVIDER_ID).apiKey;
-          if (!apiKey) {
-            return null;
-          }
-          return {
-            provider: {
-              ...buildMinimaxProvider(),
-              apiKey,
-            },
-          };
-        },
+        run: async (ctx) => resolveApiCatalog(ctx),
       },
       resolveUsageAuth: async (ctx) => {
         const apiKey = ctx.resolveApiKeyFromConfigAndStore({
@@ -37,9 +229,53 @@ const minimaxPlugin = {
         });
         return apiKey ? { token: apiKey } : null;
       },
+      isModernModelRef: ({ modelId }) => isModernMiniMaxModel(modelId),
       fetchUsageSnapshot: async (ctx) =>
         await fetchMinimaxUsage(ctx.token, ctx.timeoutMs, ctx.fetchFn),
     });
+
+    api.registerProvider({
+      id: PORTAL_PROVIDER_ID,
+      label: PROVIDER_LABEL,
+      docsPath: "/providers/minimax",
+      envVars: ["MINIMAX_OAUTH_TOKEN", "MINIMAX_API_KEY"],
+      catalog: {
+        run: async (ctx) => resolvePortalCatalog(ctx),
+      },
+      auth: [
+        {
+          id: "oauth",
+          label: "MiniMax OAuth (Global)",
+          hint: "Global endpoint - api.minimax.io",
+          kind: "device_code",
+          wizard: {
+            choiceId: "minimax-global-oauth",
+            choiceLabel: "MiniMax OAuth (Global)",
+            choiceHint: "Global endpoint - api.minimax.io",
+            groupId: "minimax",
+            groupLabel: "MiniMax",
+            groupHint: "M2.5 (recommended)",
+          },
+          run: createOAuthHandler("global"),
+        },
+        {
+          id: "oauth-cn",
+          label: "MiniMax OAuth (CN)",
+          hint: "CN endpoint - api.minimaxi.com",
+          kind: "device_code",
+          wizard: {
+            choiceId: "minimax-cn-oauth",
+            choiceLabel: "MiniMax OAuth (CN)",
+            choiceHint: "CN endpoint - api.minimaxi.com",
+            groupId: "minimax",
+            groupLabel: "MiniMax",
+            groupHint: "M2.5 (recommended)",
+          },
+          run: createOAuthHandler("cn"),
+        },
+      ],
+      isModernModelRef: ({ modelId }) => isModernMiniMaxModel(modelId),
+    });
   },
 };
 
diff --git a/extensions/minimax-portal-auth/oauth.ts b/extensions/minimax/oauth.ts
similarity index 90%
rename from extensions/minimax-portal-auth/oauth.ts
rename to extensions/minimax/oauth.ts
index 5b18c13d3a4..fb405cd5559 100644
--- a/extensions/minimax-portal-auth/oauth.ts
+++ b/extensions/minimax/oauth.ts
@@ -161,7 +161,7 @@ async function pollOAuthToken(params: {
     return { status: "error", message: "An error occurred. Please try again later" };
   }
 
-  if (tokenPayload.status != "success") {
+  if (tokenPayload.status !== "success") {
     return { status: "pending", message: "current user code is not authorized" };
   }
 
@@ -216,29 +216,17 @@ export async function loginMiniMaxPortalOAuth(params: {
       region,
     });
 
-    // // Debug: print poll result
-    // await params.note(
-    //   `status: ${result.status}` +
-    //     (result.status === "success" ? `\ntoken: ${JSON.stringify(result.token, null, 2)}` : "") +
-    //     (result.status === "error" ? `\nmessage: ${result.message}` : "") +
-    //     (result.status === "pending" && result.message ? `\nmessage: ${result.message}` : ""),
-    //   "MiniMax OAuth Poll Result",
-    // );
-
     if (result.status === "success") {
       return result.token;
     }
 
     if (result.status === "error") {
-      throw new Error(`MiniMax OAuth failed: ${result.message}`);
-    }
-
-    if (result.status === "pending") {
-      pollIntervalMs = Math.min(pollIntervalMs * 1.5, 10000);
+      throw new Error(result.message);
     }
 
     await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
+    pollIntervalMs = Math.max(pollIntervalMs, 2000);
   }
 
-  throw new Error("MiniMax OAuth timed out waiting for authorization.");
+  throw new Error("MiniMax OAuth timed out before authorization completed.");
 }
diff --git a/extensions/minimax/openclaw.plugin.json b/extensions/minimax/openclaw.plugin.json
index 01f3e5efbea..848ce80699a 100644
--- a/extensions/minimax/openclaw.plugin.json
+++ b/extensions/minimax/openclaw.plugin.json
@@ -1,6 +1,60 @@
 {
   "id": "minimax",
-  "providers": ["minimax"],
+  "providers": ["minimax", "minimax-portal"],
+  "providerAuthEnvVars": {
+    "minimax": ["MINIMAX_API_KEY"],
+    "minimax-portal": ["MINIMAX_OAUTH_TOKEN", "MINIMAX_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "minimax-portal",
+      "method": "oauth",
+      "choiceId": "minimax-global-oauth",
+      "choiceLabel": "MiniMax OAuth (Global)",
+      "choiceHint": "Global endpoint - api.minimax.io",
+      "groupId": "minimax",
+      "groupLabel": "MiniMax",
+      "groupHint": "M2.5 (recommended)"
+    },
+    {
+      "provider": "minimax",
+      "method": "api-global",
+      "choiceId": "minimax-global-api",
+      "choiceLabel": "MiniMax API key (Global)",
+      "choiceHint": "Global endpoint - api.minimax.io",
+      "groupId": "minimax",
+      "groupLabel": "MiniMax",
+      "groupHint": "M2.5 (recommended)",
+      "optionKey": "minimaxApiKey",
+      "cliFlag": "--minimax-api-key",
+      "cliOption": "--minimax-api-key <key>",
+      "cliDescription": "MiniMax API key"
+    },
+    {
+      "provider": "minimax-portal",
+      "method": "oauth-cn",
+      "choiceId": "minimax-cn-oauth",
+      "choiceLabel": "MiniMax OAuth (CN)",
+      "choiceHint": "CN endpoint - api.minimaxi.com",
+      "groupId": "minimax",
+      "groupLabel": "MiniMax",
+      "groupHint": "M2.5 (recommended)"
+    },
+    {
+      "provider": "minimax",
+      "method": "api-cn",
+      "choiceId": "minimax-cn-api",
+      "choiceLabel": "MiniMax API key (CN)",
+      "choiceHint": "CN endpoint - api.minimaxi.com",
+      "groupId": "minimax",
+      "groupLabel": "MiniMax",
+      "groupHint": "M2.5 (recommended)",
+      "optionKey": "minimaxApiKey",
+      "cliFlag": "--minimax-api-key",
+      "cliOption": "--minimax-api-key <key>",
+      "cliDescription": "MiniMax API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/minimax/package.json b/extensions/minimax/package.json
index 6650cf1e456..f6c99e0e756 100644
--- a/extensions/minimax/package.json
+++ b/extensions/minimax/package.json
@@ -2,7 +2,7 @@
   "name": "@openclaw/minimax-provider",
   "version": "2026.3.14",
   "private": true,
-  "description": "OpenClaw MiniMax provider plugin",
+  "description": "OpenClaw MiniMax provider and OAuth plugin",
   "type": "module",
   "openclaw": {
     "extensions": [
diff --git a/extensions/mistral/index.ts b/extensions/mistral/index.ts
index 355c957282b..56e24f8560c 100644
--- a/extensions/mistral/index.ts
+++ b/extensions/mistral/index.ts
@@ -1,4 +1,6 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { applyMistralConfig, MISTRAL_DEFAULT_MODEL_REF } from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "mistral";
 
@@ -13,7 +15,28 @@ const mistralPlugin = {
       label: "Mistral",
       docsPath: "/providers/models",
       envVars: ["MISTRAL_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Mistral API key",
+          hint: "API key",
+          optionKey: "mistralApiKey",
+          flagName: "--mistral-api-key",
+          envVar: "MISTRAL_API_KEY",
+          promptMessage: "Enter Mistral API key",
+          defaultModel: MISTRAL_DEFAULT_MODEL_REF,
+          expectedProviders: ["mistral"],
+          applyConfig: (cfg) => applyMistralConfig(cfg),
+          wizard: {
+            choiceId: "mistral-api-key",
+            choiceLabel: "Mistral API key",
+            groupId: "mistral",
+            groupLabel: "Mistral AI",
+            groupHint: "API key",
+          },
+        }),
+      ],
       capabilities: {
         transcriptToolCallIdMode: "strict9",
         transcriptToolCallIdModelHints: [
diff --git a/extensions/mistral/openclaw.plugin.json b/extensions/mistral/openclaw.plugin.json
index dd38282811b..93f115cf719 100644
--- a/extensions/mistral/openclaw.plugin.json
+++ b/extensions/mistral/openclaw.plugin.json
@@ -1,6 +1,24 @@
 {
   "id": "mistral",
   "providers": ["mistral"],
+  "providerAuthEnvVars": {
+    "mistral": ["MISTRAL_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "mistral",
+      "method": "api-key",
+      "choiceId": "mistral-api-key",
+      "choiceLabel": "Mistral API key",
+      "groupId": "mistral",
+      "groupLabel": "Mistral AI",
+      "groupHint": "API key",
+      "optionKey": "mistralApiKey",
+      "cliFlag": "--mistral-api-key",
+      "cliOption": "--mistral-api-key <key>",
+      "cliDescription": "Mistral API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/modelstudio/index.ts b/extensions/modelstudio/index.ts
index 487f14498b1..2e3e7c6b3c8 100644
--- a/extensions/modelstudio/index.ts
+++ b/extensions/modelstudio/index.ts
@@ -1,5 +1,11 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildModelStudioProvider } from "../../src/agents/models-config.providers.static.js";
+import {
+  applyModelStudioConfig,
+  applyModelStudioConfigCn,
+  MODELSTUDIO_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "modelstudio";
 
@@ -14,7 +20,62 @@ const modelStudioPlugin = {
       label: "Model Studio",
       docsPath: "/providers/models",
       envVars: ["MODELSTUDIO_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key-cn",
+          label: "Coding Plan API Key for China (subscription)",
+          hint: "Endpoint: coding.dashscope.aliyuncs.com",
+          optionKey: "modelstudioApiKeyCn",
+          flagName: "--modelstudio-api-key-cn",
+          envVar: "MODELSTUDIO_API_KEY",
+          promptMessage: "Enter Alibaba Cloud Model Studio Coding Plan API key (China)",
+          defaultModel: MODELSTUDIO_DEFAULT_MODEL_REF,
+          expectedProviders: ["modelstudio"],
+          applyConfig: (cfg) => applyModelStudioConfigCn(cfg),
+          noteMessage: [
+            "Get your API key at: https://bailian.console.aliyun.com/",
+            "Endpoint: coding.dashscope.aliyuncs.com",
+            "Models: qwen3.5-plus, glm-4.7, kimi-k2.5, MiniMax-M2.5, etc.",
+          ].join("\n"),
+          noteTitle: "Alibaba Cloud Model Studio Coding Plan (China)",
+          wizard: {
+            choiceId: "modelstudio-api-key-cn",
+            choiceLabel: "Coding Plan API Key for China (subscription)",
+            choiceHint: "Endpoint: coding.dashscope.aliyuncs.com",
+            groupId: "modelstudio",
+            groupLabel: "Alibaba Cloud Model Studio",
+            groupHint: "Coding Plan API key (CN / Global)",
+          },
+        }),
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Coding Plan API Key for Global/Intl (subscription)",
+          hint: "Endpoint: coding-intl.dashscope.aliyuncs.com",
+          optionKey: "modelstudioApiKey",
+          flagName: "--modelstudio-api-key",
+          envVar: "MODELSTUDIO_API_KEY",
+          promptMessage: "Enter Alibaba Cloud Model Studio Coding Plan API key (Global/Intl)",
+          defaultModel: MODELSTUDIO_DEFAULT_MODEL_REF,
+          expectedProviders: ["modelstudio"],
+          applyConfig: (cfg) => applyModelStudioConfig(cfg),
+          noteMessage: [
+            "Get your API key at: https://bailian.console.aliyun.com/",
+            "Endpoint: coding-intl.dashscope.aliyuncs.com",
+            "Models: qwen3.5-plus, glm-4.7, kimi-k2.5, MiniMax-M2.5, etc.",
+          ].join("\n"),
+          noteTitle: "Alibaba Cloud Model Studio Coding Plan (Global/Intl)",
+          wizard: {
+            choiceId: "modelstudio-api-key",
+            choiceLabel: "Coding Plan API Key for Global/Intl (subscription)",
+            choiceHint: "Endpoint: coding-intl.dashscope.aliyuncs.com",
+            groupId: "modelstudio",
+            groupLabel: "Alibaba Cloud Model Studio",
+            groupHint: "Coding Plan API key (CN / Global)",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/modelstudio/openclaw.plugin.json b/extensions/modelstudio/openclaw.plugin.json
index 1a8d9e71c75..e6c20db50c7 100644
--- a/extensions/modelstudio/openclaw.plugin.json
+++ b/extensions/modelstudio/openclaw.plugin.json
@@ -1,6 +1,39 @@
 {
   "id": "modelstudio",
   "providers": ["modelstudio"],
+  "providerAuthEnvVars": {
+    "modelstudio": ["MODELSTUDIO_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "modelstudio",
+      "method": "api-key-cn",
+      "choiceId": "modelstudio-api-key-cn",
+      "choiceLabel": "Coding Plan API Key for China (subscription)",
+      "choiceHint": "Endpoint: coding.dashscope.aliyuncs.com",
+      "groupId": "modelstudio",
+      "groupLabel": "Alibaba Cloud Model Studio",
+      "groupHint": "Coding Plan API key (CN / Global)",
+      "optionKey": "modelstudioApiKeyCn",
+      "cliFlag": "--modelstudio-api-key-cn",
+      "cliOption": "--modelstudio-api-key-cn <key>",
+      "cliDescription": "Alibaba Cloud Model Studio Coding Plan API key (China)"
+    },
+    {
+      "provider": "modelstudio",
+      "method": "api-key",
+      "choiceId": "modelstudio-api-key",
+      "choiceLabel": "Coding Plan API Key for Global/Intl (subscription)",
+      "choiceHint": "Endpoint: coding-intl.dashscope.aliyuncs.com",
+      "groupId": "modelstudio",
+      "groupLabel": "Alibaba Cloud Model Studio",
+      "groupHint": "Coding Plan API key (CN / Global)",
+      "optionKey": "modelstudioApiKey",
+      "cliFlag": "--modelstudio-api-key",
+      "cliOption": "--modelstudio-api-key <key>",
+      "cliDescription": "Alibaba Cloud Model Studio Coding Plan API key (Global/Intl)"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/moonshot/index.ts b/extensions/moonshot/index.ts
index 59176e42c15..3b57a5134ba 100644
--- a/extensions/moonshot/index.ts
+++ b/extensions/moonshot/index.ts
@@ -1,9 +1,21 @@
-import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildMoonshotProvider } from "../../src/agents/models-config.providers.static.js";
 import {
   createMoonshotThinkingWrapper,
   resolveMoonshotThinkingType,
 } from "../../src/agents/pi-embedded-runner/moonshot-stream-wrappers.js";
+import {
+  createPluginBackedWebSearchProvider,
+  getScopedCredentialValue,
+  setScopedCredentialValue,
+} from "../../src/agents/tools/web-search-plugin-factory.js";
+import {
+  applyMoonshotConfig,
+  applyMoonshotConfigCn,
+} from "../../src/commands/onboard-auth.config-core.js";
+import { MOONSHOT_DEFAULT_MODEL_REF } from "../../src/commands/onboard-auth.models.js";
+import { emptyPluginConfigSchema } from "../../src/plugins/config-schema.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
+import type { OpenClawPluginApi } from "../../src/plugins/types.js";
 
 const PROVIDER_ID = "moonshot";
 
@@ -18,7 +30,48 @@ const moonshotPlugin = {
       label: "Moonshot",
       docsPath: "/providers/moonshot",
       envVars: ["MOONSHOT_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Kimi API key (.ai)",
+          hint: "Kimi K2.5 + Kimi Coding",
+          optionKey: "moonshotApiKey",
+          flagName: "--moonshot-api-key",
+          envVar: "MOONSHOT_API_KEY",
+          promptMessage: "Enter Moonshot API key",
+          defaultModel: MOONSHOT_DEFAULT_MODEL_REF,
+          expectedProviders: ["moonshot"],
+          applyConfig: (cfg) => applyMoonshotConfig(cfg),
+          wizard: {
+            choiceId: "moonshot-api-key",
+            choiceLabel: "Kimi API key (.ai)",
+            groupId: "moonshot",
+            groupLabel: "Moonshot AI (Kimi K2.5)",
+            groupHint: "Kimi K2.5 + Kimi Coding",
+          },
+        }),
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key-cn",
+          label: "Kimi API key (.cn)",
+          hint: "Kimi K2.5 + Kimi Coding",
+          optionKey: "moonshotApiKey",
+          flagName: "--moonshot-api-key",
+          envVar: "MOONSHOT_API_KEY",
+          promptMessage: "Enter Moonshot API key (.cn)",
+          defaultModel: MOONSHOT_DEFAULT_MODEL_REF,
+          expectedProviders: ["moonshot"],
+          applyConfig: (cfg) => applyMoonshotConfigCn(cfg),
+          wizard: {
+            choiceId: "moonshot-api-key-cn",
+            choiceLabel: "Kimi API key (.cn)",
+            groupId: "moonshot",
+            groupLabel: "Moonshot AI (Kimi K2.5)",
+            groupHint: "Kimi K2.5 + Kimi Coding",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
@@ -46,6 +99,21 @@ const moonshotPlugin = {
         return createMoonshotThinkingWrapper(ctx.streamFn, thinkingType);
       },
     });
+    api.registerWebSearchProvider(
+      createPluginBackedWebSearchProvider({
+        id: "kimi",
+        label: "Kimi (Moonshot)",
+        hint: "Moonshot web search",
+        envVars: ["KIMI_API_KEY", "MOONSHOT_API_KEY"],
+        placeholder: "sk-...",
+        signupUrl: "https://platform.moonshot.cn/",
+        docsUrl: "https://docs.openclaw.ai/tools/web",
+        autoDetectOrder: 40,
+        getCredentialValue: (searchConfig) => getScopedCredentialValue(searchConfig, "kimi"),
+        setCredentialValue: (searchConfigTarget, value) =>
+          setScopedCredentialValue(searchConfigTarget, "kimi", value),
+      }),
+    );
   },
 };
 
diff --git a/extensions/moonshot/openclaw.plugin.json b/extensions/moonshot/openclaw.plugin.json
index e02cb3d21c5..cad9e255a2b 100644
--- a/extensions/moonshot/openclaw.plugin.json
+++ b/extensions/moonshot/openclaw.plugin.json
@@ -1,6 +1,37 @@
 {
   "id": "moonshot",
   "providers": ["moonshot"],
+  "providerAuthEnvVars": {
+    "moonshot": ["MOONSHOT_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "moonshot",
+      "method": "api-key",
+      "choiceId": "moonshot-api-key",
+      "choiceLabel": "Kimi API key (.ai)",
+      "groupId": "moonshot",
+      "groupLabel": "Moonshot AI (Kimi K2.5)",
+      "groupHint": "Kimi K2.5 + Kimi Coding",
+      "optionKey": "moonshotApiKey",
+      "cliFlag": "--moonshot-api-key",
+      "cliOption": "--moonshot-api-key <key>",
+      "cliDescription": "Moonshot API key"
+    },
+    {
+      "provider": "moonshot",
+      "method": "api-key-cn",
+      "choiceId": "moonshot-api-key-cn",
+      "choiceLabel": "Kimi API key (.cn)",
+      "groupId": "moonshot",
+      "groupLabel": "Moonshot AI (Kimi K2.5)",
+      "groupHint": "Kimi K2.5 + Kimi Coding",
+      "optionKey": "moonshotApiKey",
+      "cliFlag": "--moonshot-api-key",
+      "cliOption": "--moonshot-api-key <key>",
+      "cliDescription": "Moonshot API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/msteams/package.json b/extensions/msteams/package.json
index 4784334d1d5..eb02c9cee13 100644
--- a/extensions/msteams/package.json
+++ b/extensions/msteams/package.json
@@ -11,6 +11,7 @@
     "extensions": [
       "./index.ts"
     ],
+    "setupEntry": "./setup-entry.ts",
     "channel": {
       "id": "msteams",
       "label": "Microsoft Teams",
diff --git a/extensions/msteams/setup-entry.ts b/extensions/msteams/setup-entry.ts
new file mode 100644
index 00000000000..fb850b60e18
--- /dev/null
+++ b/extensions/msteams/setup-entry.ts
@@ -0,0 +1,5 @@
+import { msteamsPlugin } from "./src/channel.js";
+
+export default {
+  plugin: msteamsPlugin,
+};
diff --git a/extensions/msteams/src/channel.ts b/extensions/msteams/src/channel.ts
index a5c8f0bbe58..c4d3f41054c 100644
--- a/extensions/msteams/src/channel.ts
+++ b/extensions/msteams/src/channel.ts
@@ -16,8 +16,8 @@ import {
   MSTeamsConfigSchema,
   PAIRING_APPROVED_MESSAGE,
 } from "openclaw/plugin-sdk/msteams";
-import { msteamsOnboardingAdapter } from "./onboarding.js";
 import { resolveMSTeamsGroupToolPolicy } from "./policy.js";
+import type { ProbeMSTeamsResult } from "./probe.js";
 import {
   normalizeMSTeamsMessagingTarget,
   normalizeMSTeamsUserInput,
@@ -27,6 +27,8 @@ import {
   resolveMSTeamsUserAllowlist,
 } from "./resolve-allowlist.js";
 import { getMSTeamsRuntime } from "./runtime.js";
+import { msteamsSetupAdapter } from "./setup-core.js";
+import { msteamsSetupWizard } from "./setup-surface.js";
 import { resolveMSTeamsCredentials } from "./token.js";
 
 type ResolvedMSTeamsAccount = {
@@ -46,6 +48,16 @@ const meta = {
   order: 60,
 } as const;
 
+const TEAMS_GRAPH_PERMISSION_HINTS: Record<string, string> = {
+  "ChannelMessage.Read.All": "channel history",
+  "Chat.Read.All": "chat history",
+  "Channel.ReadBasic.All": "channel list",
+  "Team.ReadBasic.All": "team list",
+  "TeamsActivity.Read.All": "teams activity",
+  "Sites.Read.All": "files (SharePoint)",
+  "Files.Read.All": "files (OneDrive)",
+};
+
 async function loadMSTeamsChannelRuntime() {
   return await import("./channel.runtime.js");
 }
@@ -56,7 +68,7 @@ export const msteamsPlugin: ChannelPlugin<ResolvedMSTeamsAccount> = {
     ...meta,
     aliases: [...meta.aliases],
   },
-  onboarding: msteamsOnboardingAdapter,
+  setupWizard: msteamsSetupWizard,
   pairing: {
     idLabel: "msteamsUserId",
     normalizeAllowEntry: (entry) => entry.replace(/^(msteams|user):/i, ""),
@@ -145,19 +157,7 @@ export const msteamsPlugin: ChannelPlugin<ResolvedMSTeamsAccount> = {
       });
     },
   },
-  setup: {
-    resolveAccountId: () => DEFAULT_ACCOUNT_ID,
-    applyAccountConfig: ({ cfg }) => ({
-      ...cfg,
-      channels: {
-        ...cfg.channels,
-        msteams: {
-          ...cfg.channels?.msteams,
-          enabled: true,
-        },
-      },
-    }),
-  },
+  setup: msteamsSetupAdapter,
   messaging: {
     normalizeTarget: normalizeMSTeamsMessagingTarget,
     targetResolver: {
@@ -377,11 +377,11 @@ export const msteamsPlugin: ChannelPlugin<ResolvedMSTeamsAccount> = {
       }
       return ["poll"] satisfies ChannelMessageActionName[];
     },
-    supportsCards: ({ cfg }) => {
-      return (
-        cfg.channels?.msteams?.enabled !== false &&
+    getCapabilities: ({ cfg }) => {
+      return cfg.channels?.msteams?.enabled !== false &&
         Boolean(resolveMSTeamsCredentials(cfg.channels?.msteams))
-      );
+        ? (["cards"] as const)
+        : [];
     },
     handleAction: async (ctx) => {
       // Handle send action with card parameter
@@ -446,6 +446,40 @@ export const msteamsPlugin: ChannelPlugin<ResolvedMSTeamsAccount> = {
       }),
     probeAccount: async ({ cfg }) =>
       await (await loadMSTeamsChannelRuntime()).probeMSTeams(cfg.channels?.msteams),
+    formatCapabilitiesProbe: ({ probe }) => {
+      const teamsProbe = probe as ProbeMSTeamsResult | undefined;
+      const lines: Array<{ text: string; tone?: "error" }> = [];
+      const appId = typeof teamsProbe?.appId === "string" ? teamsProbe.appId.trim() : "";
+      if (appId) {
+        lines.push({ text: `App: ${appId}` });
+      }
+      const graph = teamsProbe?.graph;
+      if (graph) {
+        const roles = Array.isArray(graph.roles)
+          ? graph.roles.map((role) => String(role).trim()).filter(Boolean)
+          : [];
+        const scopes = Array.isArray(graph.scopes)
+          ? graph.scopes.map((scope) => String(scope).trim()).filter(Boolean)
+          : [];
+        const formatPermission = (permission: string) => {
+          const hint = TEAMS_GRAPH_PERMISSION_HINTS[permission];
+          return hint ? `${permission} (${hint})` : permission;
+        };
+        if (graph.ok === false) {
+          lines.push({ text: `Graph: ${graph.error ?? "failed"}`, tone: "error" });
+        } else if (roles.length > 0 || scopes.length > 0) {
+          if (roles.length > 0) {
+            lines.push({ text: `Graph roles: ${roles.map(formatPermission).join(", ")}` });
+          }
+          if (scopes.length > 0) {
+            lines.push({ text: `Graph scopes: ${scopes.map(formatPermission).join(", ")}` });
+          }
+        } else if (graph.ok === true) {
+          lines.push({ text: "Graph: ok" });
+        }
+      }
+      return lines;
+    },
     buildAccountSnapshot: ({ account, runtime, probe }) => ({
       accountId: account.accountId,
       enabled: account.enabled,
diff --git a/extensions/msteams/src/graph-upload.test.ts b/extensions/msteams/src/graph-upload.test.ts
index 484075984dd..b79086f54ca 100644
--- a/extensions/msteams/src/graph-upload.test.ts
+++ b/extensions/msteams/src/graph-upload.test.ts
@@ -1,4 +1,5 @@
 import { describe, expect, it, vi } from "vitest";
+import { withFetchPreconnect } from "../../../src/test-utils/fetch-mock.js";
 import { uploadToOneDrive, uploadToSharePoint } from "./graph-upload.js";
 
 describe("graph upload helpers", () => {
@@ -22,7 +23,7 @@ describe("graph upload helpers", () => {
       buffer: Buffer.from("hello"),
       filename: "a.txt",
       tokenProvider,
-      fetchFn: fetchFn as typeof fetch,
+      fetchFn: withFetchPreconnect(fetchFn),
     });
 
     expect(fetchFn).toHaveBeenCalledWith(
@@ -59,7 +60,7 @@ describe("graph upload helpers", () => {
       filename: "b.txt",
       siteId: "site-123",
       tokenProvider,
-      fetchFn: fetchFn as typeof fetch,
+      fetchFn: withFetchPreconnect(fetchFn),
     });
 
     expect(fetchFn).toHaveBeenCalledWith(
@@ -94,7 +95,7 @@ describe("graph upload helpers", () => {
         filename: "bad.txt",
         siteId: "site-123",
         tokenProvider,
-        fetchFn: fetchFn as typeof fetch,
+        fetchFn: withFetchPreconnect(fetchFn),
       }),
     ).rejects.toThrow("SharePoint upload response missing required fields");
   });
diff --git a/extensions/msteams/src/setup-core.ts b/extensions/msteams/src/setup-core.ts
new file mode 100644
index 00000000000..74079aaf389
--- /dev/null
+++ b/extensions/msteams/src/setup-core.ts
@@ -0,0 +1,16 @@
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
+
+export const msteamsSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: () => DEFAULT_ACCOUNT_ID,
+  applyAccountConfig: ({ cfg }) => ({
+    ...cfg,
+    channels: {
+      ...cfg.channels,
+      msteams: {
+        ...cfg.channels?.msteams,
+        enabled: true,
+      },
+    },
+  }),
+};
diff --git a/extensions/msteams/src/onboarding.ts b/extensions/msteams/src/setup-surface.ts
similarity index 57%
rename from extensions/msteams/src/onboarding.ts
rename to extensions/msteams/src/setup-surface.ts
index 11207e8ee49..e3bc6169f6c 100644
--- a/extensions/msteams/src/onboarding.ts
+++ b/extensions/msteams/src/setup-surface.ts
@@ -1,27 +1,24 @@
-import type {
-  ChannelOnboardingAdapter,
-  ChannelOnboardingDmPolicy,
-  OpenClawConfig,
-  DmPolicy,
-  WizardPrompter,
-  MSTeamsTeamConfig,
-} from "openclaw/plugin-sdk/msteams";
 import {
-  DEFAULT_ACCOUNT_ID,
-  formatDocsLink,
   mergeAllowFromEntries,
-  promptChannelAccessConfig,
   setTopLevelChannelAllowFrom,
   setTopLevelChannelDmPolicyWithAllowFrom,
   setTopLevelChannelGroupPolicy,
-  splitOnboardingEntries,
-} from "openclaw/plugin-sdk/msteams";
+  splitSetupEntries,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
+import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import type { DmPolicy, MSTeamsTeamConfig } from "../../../src/config/types.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
+import type { WizardPrompter } from "../../../src/wizard/prompts.js";
 import {
   parseMSTeamsTeamEntry,
   resolveMSTeamsChannelAllowlist,
   resolveMSTeamsUserAllowlist,
 } from "./resolve-allowlist.js";
 import { normalizeSecretInputString } from "./secret-input.js";
+import { msteamsSetupAdapter } from "./setup-core.js";
 import { hasConfiguredMSTeamsCredentials, resolveMSTeamsCredentials } from "./token.js";
 
 const channel = "msteams" as const;
@@ -29,7 +26,7 @@ const channel = "msteams" as const;
 function setMSTeamsDmPolicy(cfg: OpenClawConfig, dmPolicy: DmPolicy) {
   return setTopLevelChannelDmPolicyWithAllowFrom({
     cfg,
-    channel: "msteams",
+    channel,
     dmPolicy,
   });
 }
@@ -37,7 +34,7 @@ function setMSTeamsDmPolicy(cfg: OpenClawConfig, dmPolicy: DmPolicy) {
 function setMSTeamsAllowFrom(cfg: OpenClawConfig, allowFrom: string[]): OpenClawConfig {
   return setTopLevelChannelAllowFrom({
     cfg,
-    channel: "msteams",
+    channel,
     allowFrom,
   });
 }
@@ -96,7 +93,7 @@ async function promptMSTeamsAllowFrom(params: {
       initialValue: existing[0] ? String(existing[0]) : undefined,
       validate: (value) => (String(value ?? "").trim() ? undefined : "Required"),
     });
-    const parts = splitOnboardingEntries(String(entry));
+    const parts = splitSetupEntries(String(entry));
     if (parts.length === 0) {
       await params.prompter.note("Enter at least one user.", "MS Teams allowlist");
       continue;
@@ -138,7 +135,7 @@ async function promptMSTeamsAllowFrom(params: {
 async function noteMSTeamsCredentialHelp(prompter: WizardPrompter): Promise<void> {
   await prompter.note(
     [
-      "1) Azure Bot registration → get App ID + Tenant ID",
+      "1) Azure Bot registration -> get App ID + Tenant ID",
       "2) Add a client secret (App Password)",
       "3) Set webhook URL + messaging endpoint",
       "Tip: you can also set MSTEAMS_APP_ID / MSTEAMS_APP_PASSWORD / MSTEAMS_TENANT_ID.",
@@ -154,7 +151,7 @@ function setMSTeamsGroupPolicy(
 ): OpenClawConfig {
   return setTopLevelChannelGroupPolicy({
     cfg,
-    channel: "msteams",
+    channel,
     groupPolicy,
     enabled: true,
   });
@@ -193,7 +190,97 @@ function setMSTeamsTeamsAllowlist(
   };
 }
 
-const dmPolicy: ChannelOnboardingDmPolicy = {
+function listMSTeamsGroupEntries(cfg: OpenClawConfig): string[] {
+  return Object.entries(cfg.channels?.msteams?.teams ?? {}).flatMap(([teamKey, value]) => {
+    const channels = value?.channels ?? {};
+    const channelKeys = Object.keys(channels);
+    if (channelKeys.length === 0) {
+      return [teamKey];
+    }
+    return channelKeys.map((channelKey) => `${teamKey}/${channelKey}`);
+  });
+}
+
+async function resolveMSTeamsGroupAllowlist(params: {
+  cfg: OpenClawConfig;
+  entries: string[];
+  prompter: Pick<WizardPrompter, "note">;
+}): Promise<Array<{ teamKey: string; channelKey?: string }>> {
+  let resolvedEntries = params.entries
+    .map((entry) => parseMSTeamsTeamEntry(entry))
+    .filter(Boolean) as Array<{ teamKey: string; channelKey?: string }>;
+  if (params.entries.length === 0 || !resolveMSTeamsCredentials(params.cfg.channels?.msteams)) {
+    return resolvedEntries;
+  }
+  try {
+    const lookups = await resolveMSTeamsChannelAllowlist({
+      cfg: params.cfg,
+      entries: params.entries,
+    });
+    const resolvedChannels = lookups.filter(
+      (entry) => entry.resolved && entry.teamId && entry.channelId,
+    );
+    const resolvedTeams = lookups.filter(
+      (entry) => entry.resolved && entry.teamId && !entry.channelId,
+    );
+    const unresolved = lookups.filter((entry) => !entry.resolved).map((entry) => entry.input);
+    resolvedEntries = [
+      ...resolvedChannels.map((entry) => ({
+        teamKey: entry.teamId as string,
+        channelKey: entry.channelId as string,
+      })),
+      ...resolvedTeams.map((entry) => ({
+        teamKey: entry.teamId as string,
+      })),
+      ...unresolved.map((entry) => parseMSTeamsTeamEntry(entry)).filter(Boolean),
+    ] as Array<{ teamKey: string; channelKey?: string }>;
+    const summary: string[] = [];
+    if (resolvedChannels.length > 0) {
+      summary.push(
+        `Resolved channels: ${resolvedChannels
+          .map((entry) => entry.channelId)
+          .filter(Boolean)
+          .join(", ")}`,
+      );
+    }
+    if (resolvedTeams.length > 0) {
+      summary.push(
+        `Resolved teams: ${resolvedTeams
+          .map((entry) => entry.teamId)
+          .filter(Boolean)
+          .join(", ")}`,
+      );
+    }
+    if (unresolved.length > 0) {
+      summary.push(`Unresolved (kept as typed): ${unresolved.join(", ")}`);
+    }
+    if (summary.length > 0) {
+      await params.prompter.note(summary.join("\n"), "MS Teams channels");
+    }
+    return resolvedEntries;
+  } catch (err) {
+    await params.prompter.note(
+      `Channel lookup failed; keeping entries as typed. ${String(err)}`,
+      "MS Teams channels",
+    );
+    return resolvedEntries;
+  }
+}
+
+const msteamsGroupAccess: NonNullable<ChannelSetupWizard["groupAccess"]> = {
+  label: "MS Teams channels",
+  placeholder: "Team Name/Channel Name, teamId/conversationId",
+  currentPolicy: ({ cfg }) => cfg.channels?.msteams?.groupPolicy ?? "allowlist",
+  currentEntries: ({ cfg }) => listMSTeamsGroupEntries(cfg),
+  updatePrompt: ({ cfg }) => Boolean(cfg.channels?.msteams?.teams),
+  setPolicy: ({ cfg, policy }) => setMSTeamsGroupPolicy(cfg, policy),
+  resolveAllowlist: async ({ cfg, entries, prompter }) =>
+    await resolveMSTeamsGroupAllowlist({ cfg, entries, prompter }),
+  applyAllowlist: ({ cfg, resolved }) =>
+    setMSTeamsTeamsAllowlist(cfg, resolved as Array<{ teamKey: string; channelKey?: string }>),
+};
+
+const msteamsDmPolicy: ChannelSetupDmPolicy = {
   label: "MS Teams",
   channel,
   policyKey: "channels.msteams.dmPolicy",
@@ -203,21 +290,34 @@ const dmPolicy: ChannelOnboardingDmPolicy = {
   promptAllowFrom: promptMSTeamsAllowFrom,
 };
 
-export const msteamsOnboardingAdapter: ChannelOnboardingAdapter = {
+export { msteamsSetupAdapter } from "./setup-core.js";
+
+export const msteamsSetupWizard: ChannelSetupWizard = {
   channel,
-  getStatus: async ({ cfg }) => {
-    const configured =
-      Boolean(resolveMSTeamsCredentials(cfg.channels?.msteams)) ||
-      hasConfiguredMSTeamsCredentials(cfg.channels?.msteams);
-    return {
-      channel,
-      configured,
-      statusLines: [`MS Teams: ${configured ? "configured" : "needs app credentials"}`],
-      selectionHint: configured ? "configured" : "needs app creds",
-      quickstartScore: configured ? 2 : 0,
-    };
+  resolveAccountIdForConfigure: () => DEFAULT_ACCOUNT_ID,
+  resolveShouldPromptAccountIds: () => false,
+  status: {
+    configuredLabel: "configured",
+    unconfiguredLabel: "needs app credentials",
+    configuredHint: "configured",
+    unconfiguredHint: "needs app creds",
+    configuredScore: 2,
+    unconfiguredScore: 0,
+    resolveConfigured: ({ cfg }) => {
+      return (
+        Boolean(resolveMSTeamsCredentials(cfg.channels?.msteams)) ||
+        hasConfiguredMSTeamsCredentials(cfg.channels?.msteams)
+      );
+    },
+    resolveStatusLines: ({ cfg }) => {
+      const configured =
+        Boolean(resolveMSTeamsCredentials(cfg.channels?.msteams)) ||
+        hasConfiguredMSTeamsCredentials(cfg.channels?.msteams);
+      return [`MS Teams: ${configured ? "configured" : "needs app credentials"}`];
+    },
   },
-  configure: async ({ cfg, prompter }) => {
+  credentials: [],
+  finalize: async ({ cfg, prompter }) => {
     const resolved = resolveMSTeamsCredentials(cfg.channels?.msteams);
     const hasConfigCreds = hasConfiguredMSTeamsCredentials(cfg.channels?.msteams);
     const canUseEnv = Boolean(
@@ -243,13 +343,11 @@ export const msteamsOnboardingAdapter: ChannelOnboardingAdapter = {
         initialValue: true,
       });
       if (keepEnv) {
-        next = {
-          ...next,
-          channels: {
-            ...next.channels,
-            msteams: { ...next.channels?.msteams, enabled: true },
-          },
-        };
+        next = msteamsSetupAdapter.applyAccountConfig({
+          cfg: next,
+          accountId: DEFAULT_ACCOUNT_ID,
+          input: {},
+        });
       } else {
         ({ appId, appPassword, tenantId } = await promptMSTeamsCredentials(prompter));
       }
@@ -281,96 +379,10 @@ export const msteamsOnboardingAdapter: ChannelOnboardingAdapter = {
       };
     }
 
-    const currentEntries = Object.entries(next.channels?.msteams?.teams ?? {}).flatMap(
-      ([teamKey, value]) => {
-        const channels = value?.channels ?? {};
-        const channelKeys = Object.keys(channels);
-        if (channelKeys.length === 0) {
-          return [teamKey];
-        }
-        return channelKeys.map((channelKey) => `${teamKey}/${channelKey}`);
-      },
-    );
-    const accessConfig = await promptChannelAccessConfig({
-      prompter,
-      label: "MS Teams channels",
-      currentPolicy: next.channels?.msteams?.groupPolicy ?? "allowlist",
-      currentEntries,
-      placeholder: "Team Name/Channel Name, teamId/conversationId",
-      updatePrompt: Boolean(next.channels?.msteams?.teams),
-    });
-    if (accessConfig) {
-      if (accessConfig.policy !== "allowlist") {
-        next = setMSTeamsGroupPolicy(next, accessConfig.policy);
-      } else {
-        let entries = accessConfig.entries
-          .map((entry) => parseMSTeamsTeamEntry(entry))
-          .filter(Boolean) as Array<{ teamKey: string; channelKey?: string }>;
-        if (accessConfig.entries.length > 0 && resolveMSTeamsCredentials(next.channels?.msteams)) {
-          try {
-            const resolved = await resolveMSTeamsChannelAllowlist({
-              cfg: next,
-              entries: accessConfig.entries,
-            });
-            const resolvedChannels = resolved.filter(
-              (entry) => entry.resolved && entry.teamId && entry.channelId,
-            );
-            const resolvedTeams = resolved.filter(
-              (entry) => entry.resolved && entry.teamId && !entry.channelId,
-            );
-            const unresolved = resolved
-              .filter((entry) => !entry.resolved)
-              .map((entry) => entry.input);
-
-            entries = [
-              ...resolvedChannels.map((entry) => ({
-                teamKey: entry.teamId as string,
-                channelKey: entry.channelId as string,
-              })),
-              ...resolvedTeams.map((entry) => ({
-                teamKey: entry.teamId as string,
-              })),
-              ...unresolved.map((entry) => parseMSTeamsTeamEntry(entry)).filter(Boolean),
-            ] as Array<{ teamKey: string; channelKey?: string }>;
-
-            if (resolvedChannels.length > 0 || resolvedTeams.length > 0 || unresolved.length > 0) {
-              const summary: string[] = [];
-              if (resolvedChannels.length > 0) {
-                summary.push(
-                  `Resolved channels: ${resolvedChannels
-                    .map((entry) => entry.channelId)
-                    .filter(Boolean)
-                    .join(", ")}`,
-                );
-              }
-              if (resolvedTeams.length > 0) {
-                summary.push(
-                  `Resolved teams: ${resolvedTeams
-                    .map((entry) => entry.teamId)
-                    .filter(Boolean)
-                    .join(", ")}`,
-                );
-              }
-              if (unresolved.length > 0) {
-                summary.push(`Unresolved (kept as typed): ${unresolved.join(", ")}`);
-              }
-              await prompter.note(summary.join("\n"), "MS Teams channels");
-            }
-          } catch (err) {
-            await prompter.note(
-              `Channel lookup failed; keeping entries as typed. ${String(err)}`,
-              "MS Teams channels",
-            );
-          }
-        }
-        next = setMSTeamsGroupPolicy(next, "allowlist");
-        next = setMSTeamsTeamsAllowlist(next, entries);
-      }
-    }
-
     return { cfg: next, accountId: DEFAULT_ACCOUNT_ID };
   },
-  dmPolicy,
+  dmPolicy: msteamsDmPolicy,
+  groupAccess: msteamsGroupAccess,
   disable: (cfg) => ({
     ...cfg,
     channels: {
diff --git a/extensions/nextcloud-talk/package.json b/extensions/nextcloud-talk/package.json
index c217d0f0ce7..d594a67b96f 100644
--- a/extensions/nextcloud-talk/package.json
+++ b/extensions/nextcloud-talk/package.json
@@ -10,6 +10,7 @@
     "extensions": [
       "./index.ts"
     ],
+    "setupEntry": "./setup-entry.ts",
     "channel": {
       "id": "nextcloud-talk",
       "label": "Nextcloud Talk",
diff --git a/extensions/nextcloud-talk/setup-entry.ts b/extensions/nextcloud-talk/setup-entry.ts
new file mode 100644
index 00000000000..f33df37c7dc
--- /dev/null
+++ b/extensions/nextcloud-talk/setup-entry.ts
@@ -0,0 +1,5 @@
+import { nextcloudTalkPlugin } from "./src/channel.js";
+
+export default {
+  plugin: nextcloudTalkPlugin,
+};
diff --git a/extensions/nextcloud-talk/src/channel.ts b/extensions/nextcloud-talk/src/channel.ts
index b6a2c2ad5ca..77ca7ed36f9 100644
--- a/extensions/nextcloud-talk/src/channel.ts
+++ b/extensions/nextcloud-talk/src/channel.ts
@@ -33,7 +33,8 @@ import {
 import { resolveNextcloudTalkGroupToolPolicy } from "./policy.js";
 import { getNextcloudTalkRuntime } from "./runtime.js";
 import { sendMessageNextcloudTalk } from "./send.js";
-import { nextcloudTalkSetupAdapter, nextcloudTalkSetupWizard } from "./setup-surface.js";
+import { nextcloudTalkSetupAdapter } from "./setup-core.js";
+import { nextcloudTalkSetupWizard } from "./setup-surface.js";
 import type { CoreConfig } from "./types.js";
 
 const meta = {
diff --git a/extensions/nextcloud-talk/src/setup-core.ts b/extensions/nextcloud-talk/src/setup-core.ts
new file mode 100644
index 00000000000..1d45a392fd1
--- /dev/null
+++ b/extensions/nextcloud-talk/src/setup-core.ts
@@ -0,0 +1,235 @@
+import {
+  applyAccountNameToChannelSection,
+  patchScopedAccountConfig,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import {
+  mergeAllowFromEntries,
+  resolveSetupAccountId,
+  setSetupChannelEnabled,
+  setTopLevelChannelDmPolicyWithAllowFrom,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
+import { type ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import type { ChannelSetupInput } from "../../../src/channels/plugins/types.core.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
+import type { WizardPrompter } from "../../../src/wizard/prompts.js";
+import {
+  listNextcloudTalkAccountIds,
+  resolveDefaultNextcloudTalkAccountId,
+  resolveNextcloudTalkAccount,
+} from "./accounts.js";
+import type { CoreConfig, DmPolicy } from "./types.js";
+
+const channel = "nextcloud-talk" as const;
+
+type NextcloudSetupInput = ChannelSetupInput & {
+  baseUrl?: string;
+  secret?: string;
+  secretFile?: string;
+};
+type NextcloudTalkSection = NonNullable<CoreConfig["channels"]>["nextcloud-talk"];
+
+export function normalizeNextcloudTalkBaseUrl(value: string | undefined): string {
+  return value?.trim().replace(/\/+$/, "") ?? "";
+}
+
+export function validateNextcloudTalkBaseUrl(value: string): string | undefined {
+  if (!value) {
+    return "Required";
+  }
+  if (!value.startsWith("http://") && !value.startsWith("https://")) {
+    return "URL must start with http:// or https://";
+  }
+  return undefined;
+}
+
+function setNextcloudTalkDmPolicy(cfg: CoreConfig, dmPolicy: DmPolicy): CoreConfig {
+  return setTopLevelChannelDmPolicyWithAllowFrom({
+    cfg,
+    channel,
+    dmPolicy,
+  }) as CoreConfig;
+}
+
+export function setNextcloudTalkAccountConfig(
+  cfg: CoreConfig,
+  accountId: string,
+  updates: Record<string, unknown>,
+): CoreConfig {
+  return patchScopedAccountConfig({
+    cfg,
+    channelKey: channel,
+    accountId,
+    patch: updates,
+  }) as CoreConfig;
+}
+
+export function clearNextcloudTalkAccountFields(
+  cfg: CoreConfig,
+  accountId: string,
+  fields: string[],
+): CoreConfig {
+  const section = cfg.channels?.["nextcloud-talk"];
+  if (!section) {
+    return cfg;
+  }
+
+  if (accountId === DEFAULT_ACCOUNT_ID) {
+    const nextSection = { ...section } as Record<string, unknown>;
+    for (const field of fields) {
+      delete nextSection[field];
+    }
+    return {
+      ...cfg,
+      channels: {
+        ...(cfg.channels ?? {}),
+        "nextcloud-talk": nextSection as NextcloudTalkSection,
+      },
+    } as CoreConfig;
+  }
+
+  const currentAccount = section.accounts?.[accountId];
+  if (!currentAccount) {
+    return cfg;
+  }
+
+  const nextAccount = { ...currentAccount } as Record<string, unknown>;
+  for (const field of fields) {
+    delete nextAccount[field];
+  }
+  return {
+    ...cfg,
+    channels: {
+      ...(cfg.channels ?? {}),
+      "nextcloud-talk": {
+        ...section,
+        accounts: {
+          ...section.accounts,
+          [accountId]: nextAccount as NonNullable<typeof section.accounts>[string],
+        },
+      },
+    },
+  } as CoreConfig;
+}
+
+async function promptNextcloudTalkAllowFrom(params: {
+  cfg: CoreConfig;
+  prompter: WizardPrompter;
+  accountId: string;
+}): Promise<CoreConfig> {
+  const resolved = resolveNextcloudTalkAccount({ cfg: params.cfg, accountId: params.accountId });
+  const existingAllowFrom = resolved.config.allowFrom ?? [];
+  await params.prompter.note(
+    [
+      "1) Check the Nextcloud admin panel for user IDs",
+      "2) Or look at the webhook payload logs when someone messages",
+      "3) User IDs are typically lowercase usernames in Nextcloud",
+      `Docs: ${formatDocsLink("/channels/nextcloud-talk", "nextcloud-talk")}`,
+    ].join("\n"),
+    "Nextcloud Talk user id",
+  );
+
+  let resolvedIds: string[] = [];
+  while (resolvedIds.length === 0) {
+    const entry = await params.prompter.text({
+      message: "Nextcloud Talk allowFrom (user id)",
+      placeholder: "username",
+      initialValue: existingAllowFrom[0] ? String(existingAllowFrom[0]) : undefined,
+      validate: (value) => (String(value ?? "").trim() ? undefined : "Required"),
+    });
+    resolvedIds = String(entry)
+      .split(/[\n,;]+/g)
+      .map((value) => value.trim().toLowerCase())
+      .filter(Boolean);
+    if (resolvedIds.length === 0) {
+      await params.prompter.note("Please enter at least one valid user ID.", "Nextcloud Talk");
+    }
+  }
+
+  return setNextcloudTalkAccountConfig(params.cfg, params.accountId, {
+    dmPolicy: "allowlist",
+    allowFrom: mergeAllowFromEntries(
+      existingAllowFrom.map((value) => String(value).trim().toLowerCase()),
+      resolvedIds,
+    ),
+  });
+}
+
+async function promptNextcloudTalkAllowFromForAccount(params: {
+  cfg: OpenClawConfig;
+  prompter: WizardPrompter;
+  accountId?: string;
+}): Promise<OpenClawConfig> {
+  const accountId = resolveSetupAccountId({
+    accountId: params.accountId,
+    defaultAccountId: resolveDefaultNextcloudTalkAccountId(params.cfg as CoreConfig),
+  });
+  return await promptNextcloudTalkAllowFrom({
+    cfg: params.cfg as CoreConfig,
+    prompter: params.prompter,
+    accountId,
+  });
+}
+
+const nextcloudTalkDmPolicy: ChannelSetupDmPolicy = {
+  label: "Nextcloud Talk",
+  channel,
+  policyKey: "channels.nextcloud-talk.dmPolicy",
+  allowFromKey: "channels.nextcloud-talk.allowFrom",
+  getCurrent: (cfg) => cfg.channels?.["nextcloud-talk"]?.dmPolicy ?? "pairing",
+  setPolicy: (cfg, policy) => setNextcloudTalkDmPolicy(cfg as CoreConfig, policy as DmPolicy),
+  promptAllowFrom: promptNextcloudTalkAllowFromForAccount,
+};
+
+export const nextcloudTalkSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  validateInput: ({ accountId, input }) => {
+    const setupInput = input as NextcloudSetupInput;
+    if (setupInput.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
+      return "NEXTCLOUD_TALK_BOT_SECRET can only be used for the default account.";
+    }
+    if (!setupInput.useEnv && !setupInput.secret && !setupInput.secretFile) {
+      return "Nextcloud Talk requires bot secret or --secret-file (or --use-env).";
+    }
+    if (!setupInput.baseUrl) {
+      return "Nextcloud Talk requires --base-url.";
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const setupInput = input as NextcloudSetupInput;
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name: setupInput.name,
+    });
+    const next = setupInput.useEnv
+      ? clearNextcloudTalkAccountFields(namedConfig as CoreConfig, accountId, [
+          "botSecret",
+          "botSecretFile",
+        ])
+      : namedConfig;
+    const patch = {
+      baseUrl: normalizeNextcloudTalkBaseUrl(setupInput.baseUrl),
+      ...(setupInput.useEnv
+        ? {}
+        : setupInput.secretFile
+          ? { botSecretFile: setupInput.secretFile }
+          : setupInput.secret
+            ? { botSecret: setupInput.secret }
+            : {}),
+    };
+    return setNextcloudTalkAccountConfig(next as CoreConfig, accountId, patch);
+  },
+};
diff --git a/extensions/nextcloud-talk/src/setup-surface.ts b/extensions/nextcloud-talk/src/setup-surface.ts
index 758ae4d3214..da839359ff2 100644
--- a/extensions/nextcloud-talk/src/setup-surface.ts
+++ b/extensions/nextcloud-talk/src/setup-surface.ts
@@ -1,20 +1,15 @@
-import type { ChannelOnboardingDmPolicy } from "../../../src/channels/plugins/onboarding-types.js";
 import {
   mergeAllowFromEntries,
-  resolveOnboardingAccountId,
-  setOnboardingChannelEnabled,
+  resolveSetupAccountId,
+  setSetupChannelEnabled,
   setTopLevelChannelDmPolicyWithAllowFrom,
-} from "../../../src/channels/plugins/onboarding/helpers.js";
-import {
-  applyAccountNameToChannelSection,
-  patchScopedAccountConfig,
-} from "../../../src/channels/plugins/setup-helpers.js";
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
 import { type ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
-import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
 import type { ChannelSetupInput } from "../../../src/channels/plugins/types.core.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
 import { hasConfiguredSecretInput } from "../../../src/config/types.secrets.js";
-import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
 import { formatDocsLink } from "../../../src/terminal/links.js";
 import type { WizardPrompter } from "../../../src/wizard/prompts.js";
 import {
@@ -22,32 +17,18 @@ import {
   resolveDefaultNextcloudTalkAccountId,
   resolveNextcloudTalkAccount,
 } from "./accounts.js";
+import {
+  clearNextcloudTalkAccountFields,
+  nextcloudTalkSetupAdapter,
+  normalizeNextcloudTalkBaseUrl,
+  setNextcloudTalkAccountConfig,
+  validateNextcloudTalkBaseUrl,
+} from "./setup-core.js";
 import type { CoreConfig, DmPolicy } from "./types.js";
 
 const channel = "nextcloud-talk" as const;
 const CONFIGURE_API_FLAG = "__nextcloudTalkConfigureApiCredentials";
 
-type NextcloudSetupInput = ChannelSetupInput & {
-  baseUrl?: string;
-  secret?: string;
-  secretFile?: string;
-};
-type NextcloudTalkSection = NonNullable<CoreConfig["channels"]>["nextcloud-talk"];
-
-function normalizeNextcloudTalkBaseUrl(value: string | undefined): string {
-  return value?.trim().replace(/\/+$/, "") ?? "";
-}
-
-function validateNextcloudTalkBaseUrl(value: string): string | undefined {
-  if (!value) {
-    return "Required";
-  }
-  if (!value.startsWith("http://") && !value.startsWith("https://")) {
-    return "URL must start with http:// or https://";
-  }
-  return undefined;
-}
-
 function setNextcloudTalkDmPolicy(cfg: CoreConfig, dmPolicy: DmPolicy): CoreConfig {
   return setTopLevelChannelDmPolicyWithAllowFrom({
     cfg,
@@ -56,67 +37,6 @@ function setNextcloudTalkDmPolicy(cfg: CoreConfig, dmPolicy: DmPolicy): CoreConf
   }) as CoreConfig;
 }
 
-function setNextcloudTalkAccountConfig(
-  cfg: CoreConfig,
-  accountId: string,
-  updates: Record<string, unknown>,
-): CoreConfig {
-  return patchScopedAccountConfig({
-    cfg,
-    channelKey: channel,
-    accountId,
-    patch: updates,
-  }) as CoreConfig;
-}
-
-function clearNextcloudTalkAccountFields(
-  cfg: CoreConfig,
-  accountId: string,
-  fields: string[],
-): CoreConfig {
-  const section = cfg.channels?.["nextcloud-talk"];
-  if (!section) {
-    return cfg;
-  }
-
-  if (accountId === DEFAULT_ACCOUNT_ID) {
-    const nextSection = { ...section } as Record<string, unknown>;
-    for (const field of fields) {
-      delete nextSection[field];
-    }
-    return {
-      ...cfg,
-      channels: {
-        ...(cfg.channels ?? {}),
-        "nextcloud-talk": nextSection as NextcloudTalkSection,
-      },
-    } as CoreConfig;
-  }
-
-  const currentAccount = section.accounts?.[accountId];
-  if (!currentAccount) {
-    return cfg;
-  }
-
-  const nextAccount = { ...currentAccount } as Record<string, unknown>;
-  for (const field of fields) {
-    delete nextAccount[field];
-  }
-  return {
-    ...cfg,
-    channels: {
-      ...(cfg.channels ?? {}),
-      "nextcloud-talk": {
-        ...section,
-        accounts: {
-          ...section.accounts,
-          [accountId]: nextAccount as NonNullable<typeof section.accounts>[string],
-        },
-      },
-    },
-  } as CoreConfig;
-}
-
 async function promptNextcloudTalkAllowFrom(params: {
   cfg: CoreConfig;
   prompter: WizardPrompter;
@@ -165,7 +85,7 @@ async function promptNextcloudTalkAllowFromForAccount(params: {
   prompter: WizardPrompter;
   accountId?: string;
 }): Promise<OpenClawConfig> {
-  const accountId = resolveOnboardingAccountId({
+  const accountId = resolveSetupAccountId({
     accountId: params.accountId,
     defaultAccountId: resolveDefaultNextcloudTalkAccountId(params.cfg as CoreConfig),
   });
@@ -176,7 +96,7 @@ async function promptNextcloudTalkAllowFromForAccount(params: {
   });
 }
 
-const nextcloudTalkDmPolicy: ChannelOnboardingDmPolicy = {
+const nextcloudTalkDmPolicy: ChannelSetupDmPolicy = {
   label: "Nextcloud Talk",
   channel,
   policyKey: "channels.nextcloud-talk.dmPolicy",
@@ -186,56 +106,6 @@ const nextcloudTalkDmPolicy: ChannelOnboardingDmPolicy = {
   promptAllowFrom: promptNextcloudTalkAllowFromForAccount,
 };
 
-export const nextcloudTalkSetupAdapter: ChannelSetupAdapter = {
-  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-  applyAccountName: ({ cfg, accountId, name }) =>
-    applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name,
-    }),
-  validateInput: ({ accountId, input }) => {
-    const setupInput = input as NextcloudSetupInput;
-    if (setupInput.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
-      return "NEXTCLOUD_TALK_BOT_SECRET can only be used for the default account.";
-    }
-    if (!setupInput.useEnv && !setupInput.secret && !setupInput.secretFile) {
-      return "Nextcloud Talk requires bot secret or --secret-file (or --use-env).";
-    }
-    if (!setupInput.baseUrl) {
-      return "Nextcloud Talk requires --base-url.";
-    }
-    return null;
-  },
-  applyAccountConfig: ({ cfg, accountId, input }) => {
-    const setupInput = input as NextcloudSetupInput;
-    const namedConfig = applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name: setupInput.name,
-    });
-    const next = setupInput.useEnv
-      ? clearNextcloudTalkAccountFields(namedConfig as CoreConfig, accountId, [
-          "botSecret",
-          "botSecretFile",
-        ])
-      : namedConfig;
-    const patch = {
-      baseUrl: normalizeNextcloudTalkBaseUrl(setupInput.baseUrl),
-      ...(setupInput.useEnv
-        ? {}
-        : setupInput.secretFile
-          ? { botSecretFile: setupInput.secretFile }
-          : setupInput.secret
-            ? { botSecret: setupInput.secret }
-            : {}),
-    };
-    return setNextcloudTalkAccountConfig(next as CoreConfig, accountId, patch);
-  },
-};
-
 export const nextcloudTalkSetupWizard: ChannelSetupWizard = {
   channel,
   stepOrder: "text-first",
@@ -402,5 +272,7 @@ export const nextcloudTalkSetupWizard: ChannelSetupWizard = {
     },
   ],
   dmPolicy: nextcloudTalkDmPolicy,
-  disable: (cfg) => setOnboardingChannelEnabled(cfg, channel, false),
+  disable: (cfg) => setSetupChannelEnabled(cfg, channel, false),
 };
+
+export { nextcloudTalkSetupAdapter };
diff --git a/extensions/nostr/index.ts b/extensions/nostr/index.ts
index aa8901bd2b9..d8fdb203924 100644
--- a/extensions/nostr/index.ts
+++ b/extensions/nostr/index.ts
@@ -14,6 +14,9 @@ const plugin = {
   register(api: OpenClawPluginApi) {
     setNostrRuntime(api.runtime);
     api.registerChannel({ plugin: nostrPlugin });
+    if (api.registrationMode !== "full") {
+      return;
+    }
 
     // Register HTTP handler for profile management
     const httpHandler = createNostrProfileHttpHandler({
diff --git a/extensions/nostr/package.json b/extensions/nostr/package.json
index 19ef7cc03e7..991bd54f3d4 100644
--- a/extensions/nostr/package.json
+++ b/extensions/nostr/package.json
@@ -11,6 +11,7 @@
     "extensions": [
       "./index.ts"
     ],
+    "setupEntry": "./setup-entry.ts",
     "channel": {
       "id": "nostr",
       "label": "Nostr",
diff --git a/extensions/nostr/setup-entry.ts b/extensions/nostr/setup-entry.ts
new file mode 100644
index 00000000000..8884a71cc80
--- /dev/null
+++ b/extensions/nostr/setup-entry.ts
@@ -0,0 +1,5 @@
+import { nostrPlugin } from "./src/channel.js";
+
+export default {
+  plugin: nostrPlugin,
+};
diff --git a/extensions/nostr/src/channel.ts b/extensions/nostr/src/channel.ts
index 937c698bd47..21dfce3a9da 100644
--- a/extensions/nostr/src/channel.ts
+++ b/extensions/nostr/src/channel.ts
@@ -17,6 +17,7 @@ import type { MetricEvent, MetricsSnapshot } from "./metrics.js";
 import { normalizePubkey, startNostrBus, type NostrBusHandle } from "./nostr-bus.js";
 import type { ProfilePublishResult } from "./nostr-profile.js";
 import { getNostrRuntime } from "./runtime.js";
+import { nostrSetupAdapter, nostrSetupWizard } from "./setup-surface.js";
 import {
   listNostrAccountIds,
   resolveDefaultNostrAccountId,
@@ -47,6 +48,8 @@ export const nostrPlugin: ChannelPlugin<ResolvedNostrAccount> = {
   },
   reload: { configPrefixes: ["channels.nostr"] },
   configSchema: buildChannelConfigSchema(NostrConfigSchema),
+  setup: nostrSetupAdapter,
+  setupWizard: nostrSetupWizard,
 
   config: {
     listAccountIds: (cfg) => listNostrAccountIds(cfg),
diff --git a/extensions/nostr/src/default-relays.ts b/extensions/nostr/src/default-relays.ts
new file mode 100644
index 00000000000..f9b6be01cba
--- /dev/null
+++ b/extensions/nostr/src/default-relays.ts
@@ -0,0 +1 @@
+export const DEFAULT_RELAYS = ["wss://relay.damus.io", "wss://nos.lol"];
diff --git a/extensions/nostr/src/nostr-bus.ts b/extensions/nostr/src/nostr-bus.ts
index 0b015dad29f..f7fa1d4d94f 100644
--- a/extensions/nostr/src/nostr-bus.ts
+++ b/extensions/nostr/src/nostr-bus.ts
@@ -8,6 +8,7 @@ import {
 } from "nostr-tools";
 import { decrypt, encrypt } from "nostr-tools/nip04";
 import type { NostrProfile } from "./config-schema.js";
+import { DEFAULT_RELAYS } from "./default-relays.js";
 import {
   createMetrics,
   createNoopMetrics,
@@ -25,8 +26,6 @@ import {
 } from "./nostr-state-store.js";
 import { createSeenTracker, type SeenTracker } from "./seen-tracker.js";
 
-export const DEFAULT_RELAYS = ["wss://relay.damus.io", "wss://nos.lol"];
-
 // ============================================================================
 // Constants
 // ============================================================================
diff --git a/extensions/nostr/src/setup-surface.test.ts b/extensions/nostr/src/setup-surface.test.ts
new file mode 100644
index 00000000000..0a46946f8f9
--- /dev/null
+++ b/extensions/nostr/src/setup-surface.test.ts
@@ -0,0 +1,67 @@
+import type { OpenClawConfig } from "openclaw/plugin-sdk/nostr";
+import { describe, expect, it, vi } from "vitest";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { WizardPrompter } from "../../../src/wizard/prompts.js";
+import { createRuntimeEnv } from "../../test-utils/runtime-env.js";
+import { nostrPlugin } from "./channel.js";
+
+function createPrompter(overrides: Partial<WizardPrompter>): WizardPrompter {
+  return {
+    intro: vi.fn(async () => {}),
+    outro: vi.fn(async () => {}),
+    note: vi.fn(async () => {}),
+    select: vi.fn(async ({ options }: { options: Array<{ value: string }> }) => {
+      const first = options[0];
+      if (!first) {
+        throw new Error("no options");
+      }
+      return first.value;
+    }) as WizardPrompter["select"],
+    multiselect: vi.fn(async () => []),
+    text: vi.fn(async () => "") as WizardPrompter["text"],
+    confirm: vi.fn(async () => false),
+    progress: vi.fn(() => ({ update: vi.fn(), stop: vi.fn() })),
+    ...overrides,
+  };
+}
+
+const nostrConfigureAdapter = buildChannelSetupWizardAdapterFromSetupWizard({
+  plugin: nostrPlugin,
+  wizard: nostrPlugin.setupWizard!,
+});
+
+describe("nostr setup wizard", () => {
+  it("configures a private key and relay URLs", async () => {
+    const prompter = createPrompter({
+      text: vi.fn(async ({ message }: { message: string }) => {
+        if (message === "Nostr private key (nsec... or hex)") {
+          return "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
+        }
+        if (message === "Relay URLs (comma-separated, optional)") {
+          return "wss://relay.damus.io, wss://relay.primal.net";
+        }
+        throw new Error(`Unexpected prompt: ${message}`);
+      }) as WizardPrompter["text"],
+    });
+
+    const result = await nostrConfigureAdapter.configure({
+      cfg: {} as OpenClawConfig,
+      runtime: createRuntimeEnv(),
+      prompter,
+      options: {},
+      accountOverrides: {},
+      shouldPromptAccountIds: false,
+      forceAllowFrom: false,
+    });
+
+    expect(result.accountId).toBe("default");
+    expect(result.cfg.channels?.nostr?.enabled).toBe(true);
+    expect(result.cfg.channels?.nostr?.privateKey).toBe(
+      "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
+    );
+    expect(result.cfg.channels?.nostr?.relays).toEqual([
+      "wss://relay.damus.io",
+      "wss://relay.primal.net",
+    ]);
+  });
+});
diff --git a/extensions/nostr/src/setup-surface.ts b/extensions/nostr/src/setup-surface.ts
new file mode 100644
index 00000000000..e284d7b68a6
--- /dev/null
+++ b/extensions/nostr/src/setup-surface.ts
@@ -0,0 +1,298 @@
+import {
+  mergeAllowFromEntries,
+  parseSetupEntriesWithParser,
+  setTopLevelChannelAllowFrom,
+  setTopLevelChannelDmPolicyWithAllowFrom,
+  splitSetupEntries,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
+import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import type { DmPolicy } from "../../../src/config/types.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
+import type { WizardPrompter } from "../../../src/wizard/prompts.js";
+import { DEFAULT_RELAYS } from "./default-relays.js";
+import { getPublicKeyFromPrivate, normalizePubkey } from "./nostr-bus.js";
+import { resolveNostrAccount } from "./types.js";
+
+const channel = "nostr" as const;
+
+const NOSTR_SETUP_HELP_LINES = [
+  "Use a Nostr private key in nsec or 64-character hex format.",
+  "Relay URLs are optional. Leave blank to keep the default relay set.",
+  "Env vars supported: NOSTR_PRIVATE_KEY (default account only).",
+  `Docs: ${formatDocsLink("/channels/nostr", "channels/nostr")}`,
+];
+
+const NOSTR_ALLOW_FROM_HELP_LINES = [
+  "Allowlist Nostr DMs by npub or hex pubkey.",
+  "Examples:",
+  "- npub1...",
+  "- nostr:npub1...",
+  "- 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
+  "Multiple entries: comma-separated.",
+  `Docs: ${formatDocsLink("/channels/nostr", "channels/nostr")}`,
+];
+
+function patchNostrConfig(params: {
+  cfg: OpenClawConfig;
+  patch: Record<string, unknown>;
+  clearFields?: string[];
+  enabled?: boolean;
+}): OpenClawConfig {
+  const existing = (params.cfg.channels?.nostr ?? {}) as Record<string, unknown>;
+  const nextNostr = { ...existing };
+  for (const field of params.clearFields ?? []) {
+    delete nextNostr[field];
+  }
+  return {
+    ...params.cfg,
+    channels: {
+      ...params.cfg.channels,
+      nostr: {
+        ...nextNostr,
+        ...(params.enabled ? { enabled: true } : {}),
+        ...params.patch,
+      },
+    },
+  };
+}
+
+function setNostrDmPolicy(cfg: OpenClawConfig, dmPolicy: DmPolicy): OpenClawConfig {
+  return setTopLevelChannelDmPolicyWithAllowFrom({
+    cfg,
+    channel,
+    dmPolicy,
+  });
+}
+
+function setNostrAllowFrom(cfg: OpenClawConfig, allowFrom: string[]): OpenClawConfig {
+  return setTopLevelChannelAllowFrom({
+    cfg,
+    channel,
+    allowFrom,
+  });
+}
+
+function parseRelayUrls(raw: string): { relays: string[]; error?: string } {
+  const entries = splitSetupEntries(raw);
+  const relays: string[] = [];
+  for (const entry of entries) {
+    try {
+      const parsed = new URL(entry);
+      if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") {
+        return { relays: [], error: `Relay must use ws:// or wss:// (${entry})` };
+      }
+    } catch {
+      return { relays: [], error: `Invalid relay URL: ${entry}` };
+    }
+    relays.push(entry);
+  }
+  return { relays: [...new Set(relays)] };
+}
+
+function parseNostrAllowFrom(raw: string): { entries: string[]; error?: string } {
+  return parseSetupEntriesWithParser(raw, (entry) => {
+    const cleaned = entry.replace(/^nostr:/i, "").trim();
+    try {
+      return { value: normalizePubkey(cleaned) };
+    } catch {
+      return { error: `Invalid Nostr pubkey: ${entry}` };
+    }
+  });
+}
+
+async function promptNostrAllowFrom(params: {
+  cfg: OpenClawConfig;
+  prompter: WizardPrompter;
+}): Promise<OpenClawConfig> {
+  const existing = params.cfg.channels?.nostr?.allowFrom ?? [];
+  await params.prompter.note(NOSTR_ALLOW_FROM_HELP_LINES.join("\n"), "Nostr allowlist");
+  const entry = await params.prompter.text({
+    message: "Nostr allowFrom",
+    placeholder: "npub1..., 0123abcd...",
+    initialValue: existing[0] ? String(existing[0]) : undefined,
+    validate: (value) => {
+      const raw = String(value ?? "").trim();
+      if (!raw) {
+        return "Required";
+      }
+      return parseNostrAllowFrom(raw).error;
+    },
+  });
+  const parsed = parseNostrAllowFrom(String(entry));
+  return setNostrAllowFrom(params.cfg, mergeAllowFromEntries(existing, parsed.entries));
+}
+
+const nostrDmPolicy: ChannelSetupDmPolicy = {
+  label: "Nostr",
+  channel,
+  policyKey: "channels.nostr.dmPolicy",
+  allowFromKey: "channels.nostr.allowFrom",
+  getCurrent: (cfg) => cfg.channels?.nostr?.dmPolicy ?? "pairing",
+  setPolicy: (cfg, policy) => setNostrDmPolicy(cfg, policy),
+  promptAllowFrom: promptNostrAllowFrom,
+};
+
+export const nostrSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: () => DEFAULT_ACCOUNT_ID,
+  applyAccountName: ({ cfg, name }) =>
+    patchNostrConfig({
+      cfg,
+      patch: name?.trim() ? { name: name.trim() } : {},
+    }),
+  validateInput: ({ input }) => {
+    const typedInput = input as {
+      useEnv?: boolean;
+      privateKey?: string;
+      relayUrls?: string;
+    };
+    if (!typedInput.useEnv) {
+      const privateKey = typedInput.privateKey?.trim();
+      if (!privateKey) {
+        return "Nostr requires --private-key or --use-env.";
+      }
+      try {
+        getPublicKeyFromPrivate(privateKey);
+      } catch {
+        return "Nostr private key must be valid nsec or 64-character hex.";
+      }
+    }
+    if (typedInput.relayUrls?.trim()) {
+      return parseRelayUrls(typedInput.relayUrls).error ?? null;
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, input }) => {
+    const typedInput = input as {
+      useEnv?: boolean;
+      privateKey?: string;
+      relayUrls?: string;
+    };
+    const relayResult = typedInput.relayUrls?.trim()
+      ? parseRelayUrls(typedInput.relayUrls)
+      : { relays: [] };
+    return patchNostrConfig({
+      cfg,
+      enabled: true,
+      clearFields: typedInput.useEnv ? ["privateKey"] : undefined,
+      patch: {
+        ...(typedInput.useEnv ? {} : { privateKey: typedInput.privateKey?.trim() }),
+        ...(relayResult.relays.length > 0 ? { relays: relayResult.relays } : {}),
+      },
+    });
+  },
+};
+
+export const nostrSetupWizard: ChannelSetupWizard = {
+  channel,
+  resolveAccountIdForConfigure: () => DEFAULT_ACCOUNT_ID,
+  resolveShouldPromptAccountIds: () => false,
+  status: {
+    configuredLabel: "configured",
+    unconfiguredLabel: "needs private key",
+    configuredHint: "configured",
+    unconfiguredHint: "needs private key",
+    configuredScore: 1,
+    unconfiguredScore: 0,
+    resolveConfigured: ({ cfg }) => resolveNostrAccount({ cfg }).configured,
+    resolveStatusLines: ({ cfg, configured }) => {
+      const account = resolveNostrAccount({ cfg });
+      return [
+        `Nostr: ${configured ? "configured" : "needs private key"}`,
+        `Relays: ${account.relays.length || DEFAULT_RELAYS.length}`,
+      ];
+    },
+  },
+  introNote: {
+    title: "Nostr setup",
+    lines: NOSTR_SETUP_HELP_LINES,
+  },
+  envShortcut: {
+    prompt: "NOSTR_PRIVATE_KEY detected. Use env var?",
+    preferredEnvVar: "NOSTR_PRIVATE_KEY",
+    isAvailable: ({ cfg, accountId }) =>
+      accountId === DEFAULT_ACCOUNT_ID &&
+      Boolean(process.env.NOSTR_PRIVATE_KEY?.trim()) &&
+      !resolveNostrAccount({ cfg, accountId }).config.privateKey?.trim(),
+    apply: async ({ cfg }) =>
+      patchNostrConfig({
+        cfg,
+        enabled: true,
+        clearFields: ["privateKey"],
+        patch: {},
+      }),
+  },
+  credentials: [
+    {
+      inputKey: "privateKey",
+      providerHint: channel,
+      credentialLabel: "private key",
+      preferredEnvVar: "NOSTR_PRIVATE_KEY",
+      helpTitle: "Nostr private key",
+      helpLines: NOSTR_SETUP_HELP_LINES,
+      envPrompt: "NOSTR_PRIVATE_KEY detected. Use env var?",
+      keepPrompt: "Nostr private key already configured. Keep it?",
+      inputPrompt: "Nostr private key (nsec... or hex)",
+      allowEnv: ({ accountId }) => accountId === DEFAULT_ACCOUNT_ID,
+      inspect: ({ cfg, accountId }) => {
+        const account = resolveNostrAccount({ cfg, accountId });
+        return {
+          accountConfigured: account.configured,
+          hasConfiguredValue: Boolean(account.config.privateKey?.trim()),
+          resolvedValue: account.config.privateKey?.trim(),
+          envValue: process.env.NOSTR_PRIVATE_KEY?.trim(),
+        };
+      },
+      applyUseEnv: async ({ cfg }) =>
+        patchNostrConfig({
+          cfg,
+          enabled: true,
+          clearFields: ["privateKey"],
+          patch: {},
+        }),
+      applySet: async ({ cfg, resolvedValue }) =>
+        patchNostrConfig({
+          cfg,
+          enabled: true,
+          patch: { privateKey: resolvedValue },
+        }),
+    },
+  ],
+  textInputs: [
+    {
+      inputKey: "relayUrls",
+      message: "Relay URLs (comma-separated, optional)",
+      placeholder: DEFAULT_RELAYS.join(", "),
+      required: false,
+      applyEmptyValue: true,
+      helpTitle: "Nostr relays",
+      helpLines: ["Use ws:// or wss:// relay URLs.", "Leave blank to keep the default relay set."],
+      currentValue: ({ cfg, accountId }) => {
+        const account = resolveNostrAccount({ cfg, accountId });
+        const relays =
+          cfg.channels?.nostr?.relays && cfg.channels.nostr.relays.length > 0 ? account.relays : [];
+        return relays.join(", ");
+      },
+      keepPrompt: (value) => `Relay URLs set (${value}). Keep them?`,
+      validate: ({ value }) => parseRelayUrls(value).error,
+      applySet: async ({ cfg, value }) => {
+        const relayResult = parseRelayUrls(value);
+        return patchNostrConfig({
+          cfg,
+          enabled: true,
+          clearFields: relayResult.relays.length > 0 ? undefined : ["relays"],
+          patch: relayResult.relays.length > 0 ? { relays: relayResult.relays } : {},
+        });
+      },
+    },
+  ],
+  dmPolicy: nostrDmPolicy,
+  disable: (cfg) =>
+    patchNostrConfig({
+      cfg,
+      patch: { enabled: false },
+    }),
+};
diff --git a/extensions/nostr/src/types.ts b/extensions/nostr/src/types.ts
index 9baf78a0ca8..e2419c44ac3 100644
--- a/extensions/nostr/src/types.ts
+++ b/extensions/nostr/src/types.ts
@@ -5,8 +5,8 @@ import {
 } from "openclaw/plugin-sdk/account-id";
 import type { OpenClawConfig } from "openclaw/plugin-sdk/nostr";
 import type { NostrProfile } from "./config-schema.js";
+import { DEFAULT_RELAYS } from "./default-relays.js";
 import { getPublicKeyFromPrivate } from "./nostr-bus.js";
-import { DEFAULT_RELAYS } from "./nostr-bus.js";
 
 export interface NostrAccountConfig {
   enabled?: boolean;
diff --git a/extensions/nvidia/openclaw.plugin.json b/extensions/nvidia/openclaw.plugin.json
index 268bfa2dafd..3b46534911b 100644
--- a/extensions/nvidia/openclaw.plugin.json
+++ b/extensions/nvidia/openclaw.plugin.json
@@ -1,6 +1,9 @@
 {
   "id": "nvidia",
   "providers": ["nvidia"],
+  "providerAuthEnvVars": {
+    "nvidia": ["NVIDIA_API_KEY"]
+  },
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/ollama/index.ts b/extensions/ollama/index.ts
index c0b325e5a64..0609c597dc4 100644
--- a/extensions/ollama/index.ts
+++ b/extensions/ollama/index.ts
@@ -96,7 +96,7 @@ const ollamaPlugin = {
         },
       },
       wizard: {
-        onboarding: {
+        setup: {
           choiceId: "ollama",
           choiceLabel: "Ollama",
           choiceHint: "Cloud and local open models",
diff --git a/extensions/ollama/openclaw.plugin.json b/extensions/ollama/openclaw.plugin.json
index 3df1002d1ac..bace5f2816f 100644
--- a/extensions/ollama/openclaw.plugin.json
+++ b/extensions/ollama/openclaw.plugin.json
@@ -1,6 +1,21 @@
 {
   "id": "ollama",
   "providers": ["ollama"],
+  "providerAuthEnvVars": {
+    "ollama": ["OLLAMA_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "ollama",
+      "method": "local",
+      "choiceId": "ollama",
+      "choiceLabel": "Ollama",
+      "choiceHint": "Cloud and local open models",
+      "groupId": "ollama",
+      "groupLabel": "Ollama",
+      "groupHint": "Cloud and local open models"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/openai-codex/index.test.ts b/extensions/openai-codex/index.test.ts
deleted file mode 100644
index 53bbd700f17..00000000000
--- a/extensions/openai-codex/index.test.ts
+++ /dev/null
@@ -1,101 +0,0 @@
-import { describe, expect, it } from "vitest";
-import type { ProviderPlugin } from "../../src/plugins/types.js";
-import {
-  createProviderUsageFetch,
-  makeResponse,
-} from "../../src/test-utils/provider-usage-fetch.js";
-import openAICodexPlugin from "./index.js";
-
-function registerProvider(): ProviderPlugin {
-  let provider: ProviderPlugin | undefined;
-  openAICodexPlugin.register({
-    registerProvider(nextProvider: ProviderPlugin) {
-      provider = nextProvider;
-    },
-  } as never);
-  if (!provider) {
-    throw new Error("provider registration missing");
-  }
-  return provider;
-}
-
-describe("openai-codex plugin", () => {
-  it("owns forward-compat codex models", () => {
-    const provider = registerProvider();
-    const model = provider.resolveDynamicModel?.({
-      provider: "openai-codex",
-      modelId: "gpt-5.4",
-      modelRegistry: {
-        find: (_provider: string, id: string) =>
-          id === "gpt-5.2-codex"
-            ? {
-                id,
-                name: id,
-                api: "openai-codex-responses",
-                provider: "openai-codex",
-                baseUrl: "https://chatgpt.com/backend-api",
-                reasoning: true,
-                input: ["text"],
-                cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-                contextWindow: 200_000,
-                maxTokens: 8_192,
-              }
-            : null,
-      } as never,
-    });
-
-    expect(model).toMatchObject({
-      id: "gpt-5.4",
-      provider: "openai-codex",
-      api: "openai-codex-responses",
-      contextWindow: 1_050_000,
-      maxTokens: 128_000,
-    });
-  });
-
-  it("owns codex transport defaults", () => {
-    const provider = registerProvider();
-    expect(
-      provider.prepareExtraParams?.({
-        provider: "openai-codex",
-        modelId: "gpt-5.4",
-        extraParams: { temperature: 0.2 },
-      }),
-    ).toEqual({
-      temperature: 0.2,
-      transport: "auto",
-    });
-  });
-
-  it("owns usage snapshot fetching", async () => {
-    const provider = registerProvider();
-    const mockFetch = createProviderUsageFetch(async (url) => {
-      if (url.includes("chatgpt.com/backend-api/wham/usage")) {
-        return makeResponse(200, {
-          rate_limit: {
-            primary_window: { used_percent: 12, limit_window_seconds: 10800, reset_at: 1_705_000 },
-          },
-          plan_type: "Plus",
-        });
-      }
-      return makeResponse(404, "not found");
-    });
-
-    await expect(
-      provider.fetchUsageSnapshot?.({
-        config: {} as never,
-        env: {} as NodeJS.ProcessEnv,
-        provider: "openai-codex",
-        token: "codex-token",
-        accountId: "acc-1",
-        timeoutMs: 5_000,
-        fetchFn: mockFetch as unknown as typeof fetch,
-      }),
-    ).resolves.toEqual({
-      provider: "openai-codex",
-      displayName: "Codex",
-      windows: [{ label: "3h", usedPercent: 12, resetAt: 1_705_000_000 }],
-      plan: "Plus",
-    });
-  });
-});
diff --git a/extensions/openai-codex/index.ts b/extensions/openai-codex/index.ts
deleted file mode 100644
index 9d8ee0769af..00000000000
--- a/extensions/openai-codex/index.ts
+++ /dev/null
@@ -1,193 +0,0 @@
-import {
-  emptyPluginConfigSchema,
-  type OpenClawPluginApi,
-  type ProviderResolveDynamicModelContext,
-  type ProviderRuntimeModel,
-} from "openclaw/plugin-sdk/core";
-import { listProfilesForProvider } from "../../src/agents/auth-profiles/profiles.js";
-import { ensureAuthProfileStore } from "../../src/agents/auth-profiles/store.js";
-import { DEFAULT_CONTEXT_TOKENS } from "../../src/agents/defaults.js";
-import { normalizeModelCompat } from "../../src/agents/model-compat.js";
-import { normalizeProviderId } from "../../src/agents/model-selection.js";
-import { buildOpenAICodexProvider } from "../../src/agents/models-config.providers.static.js";
-import { fetchCodexUsage } from "../../src/infra/provider-usage.fetch.js";
-
-const PROVIDER_ID = "openai-codex";
-const OPENAI_CODEX_BASE_URL = "https://chatgpt.com/backend-api";
-const OPENAI_CODEX_GPT_54_MODEL_ID = "gpt-5.4";
-const OPENAI_CODEX_GPT_54_CONTEXT_TOKENS = 1_050_000;
-const OPENAI_CODEX_GPT_54_MAX_TOKENS = 128_000;
-const OPENAI_CODEX_GPT_54_TEMPLATE_MODEL_IDS = ["gpt-5.3-codex", "gpt-5.2-codex"] as const;
-const OPENAI_CODEX_GPT_53_MODEL_ID = "gpt-5.3-codex";
-const OPENAI_CODEX_GPT_53_SPARK_MODEL_ID = "gpt-5.3-codex-spark";
-const OPENAI_CODEX_GPT_53_SPARK_CONTEXT_TOKENS = 128_000;
-const OPENAI_CODEX_GPT_53_SPARK_MAX_TOKENS = 128_000;
-const OPENAI_CODEX_TEMPLATE_MODEL_IDS = ["gpt-5.2-codex"] as const;
-
-function isOpenAIApiBaseUrl(baseUrl?: string): boolean {
-  const trimmed = baseUrl?.trim();
-  if (!trimmed) {
-    return false;
-  }
-  return /^https?:\/\/api\.openai\.com(?:\/v1)?\/?$/i.test(trimmed);
-}
-
-function isOpenAICodexBaseUrl(baseUrl?: string): boolean {
-  const trimmed = baseUrl?.trim();
-  if (!trimmed) {
-    return false;
-  }
-  return /^https?:\/\/chatgpt\.com\/backend-api\/?$/i.test(trimmed);
-}
-
-function normalizeCodexTransport(model: ProviderRuntimeModel): ProviderRuntimeModel {
-  const useCodexTransport =
-    !model.baseUrl || isOpenAIApiBaseUrl(model.baseUrl) || isOpenAICodexBaseUrl(model.baseUrl);
-  const api =
-    useCodexTransport && model.api === "openai-responses" ? "openai-codex-responses" : model.api;
-  const baseUrl =
-    api === "openai-codex-responses" && (!model.baseUrl || isOpenAIApiBaseUrl(model.baseUrl))
-      ? OPENAI_CODEX_BASE_URL
-      : model.baseUrl;
-  if (api === model.api && baseUrl === model.baseUrl) {
-    return model;
-  }
-  return {
-    ...model,
-    api,
-    baseUrl,
-  };
-}
-
-function cloneFirstTemplateModel(params: {
-  modelId: string;
-  templateIds: readonly string[];
-  ctx: ProviderResolveDynamicModelContext;
-  patch?: Partial<ProviderRuntimeModel>;
-}): ProviderRuntimeModel | undefined {
-  const trimmedModelId = params.modelId.trim();
-  for (const templateId of [...new Set(params.templateIds)].filter(Boolean)) {
-    const template = params.ctx.modelRegistry.find(
-      PROVIDER_ID,
-      templateId,
-    ) as ProviderRuntimeModel | null;
-    if (!template) {
-      continue;
-    }
-    return normalizeModelCompat({
-      ...template,
-      id: trimmedModelId,
-      name: trimmedModelId,
-      ...params.patch,
-    } as ProviderRuntimeModel);
-  }
-  return undefined;
-}
-
-function resolveCodexForwardCompatModel(
-  ctx: ProviderResolveDynamicModelContext,
-): ProviderRuntimeModel | undefined {
-  const trimmedModelId = ctx.modelId.trim();
-  const lower = trimmedModelId.toLowerCase();
-
-  let templateIds: readonly string[];
-  let patch: Partial<ProviderRuntimeModel> | undefined;
-  if (lower === OPENAI_CODEX_GPT_54_MODEL_ID) {
-    templateIds = OPENAI_CODEX_GPT_54_TEMPLATE_MODEL_IDS;
-    patch = {
-      contextWindow: OPENAI_CODEX_GPT_54_CONTEXT_TOKENS,
-      maxTokens: OPENAI_CODEX_GPT_54_MAX_TOKENS,
-    };
-  } else if (lower === OPENAI_CODEX_GPT_53_SPARK_MODEL_ID) {
-    templateIds = [OPENAI_CODEX_GPT_53_MODEL_ID, ...OPENAI_CODEX_TEMPLATE_MODEL_IDS];
-    patch = {
-      api: "openai-codex-responses",
-      provider: PROVIDER_ID,
-      baseUrl: OPENAI_CODEX_BASE_URL,
-      reasoning: true,
-      input: ["text"],
-      cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-      contextWindow: OPENAI_CODEX_GPT_53_SPARK_CONTEXT_TOKENS,
-      maxTokens: OPENAI_CODEX_GPT_53_SPARK_MAX_TOKENS,
-    };
-  } else if (lower === OPENAI_CODEX_GPT_53_MODEL_ID) {
-    templateIds = OPENAI_CODEX_TEMPLATE_MODEL_IDS;
-  } else {
-    return undefined;
-  }
-
-  return (
-    cloneFirstTemplateModel({
-      modelId: trimmedModelId,
-      templateIds,
-      ctx,
-      patch,
-    }) ??
-    normalizeModelCompat({
-      id: trimmedModelId,
-      name: trimmedModelId,
-      api: "openai-codex-responses",
-      provider: PROVIDER_ID,
-      baseUrl: OPENAI_CODEX_BASE_URL,
-      reasoning: true,
-      input: ["text", "image"],
-      cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-      contextWindow: patch?.contextWindow ?? DEFAULT_CONTEXT_TOKENS,
-      maxTokens: patch?.maxTokens ?? DEFAULT_CONTEXT_TOKENS,
-    } as ProviderRuntimeModel)
-  );
-}
-
-const openAICodexPlugin = {
-  id: "openai-codex",
-  name: "OpenAI Codex Provider",
-  description: "Bundled OpenAI Codex provider plugin",
-  configSchema: emptyPluginConfigSchema(),
-  register(api: OpenClawPluginApi) {
-    api.registerProvider({
-      id: PROVIDER_ID,
-      label: "OpenAI Codex",
-      docsPath: "/providers/models",
-      auth: [],
-      catalog: {
-        order: "profile",
-        run: async (ctx) => {
-          const authStore = ensureAuthProfileStore(ctx.agentDir, {
-            allowKeychainPrompt: false,
-          });
-          if (listProfilesForProvider(authStore, PROVIDER_ID).length === 0) {
-            return null;
-          }
-          return {
-            provider: buildOpenAICodexProvider(),
-          };
-        },
-      },
-      resolveDynamicModel: (ctx) => resolveCodexForwardCompatModel(ctx),
-      capabilities: {
-        providerFamily: "openai",
-      },
-      prepareExtraParams: (ctx) => {
-        const transport = ctx.extraParams?.transport;
-        if (transport === "auto" || transport === "sse" || transport === "websocket") {
-          return ctx.extraParams;
-        }
-        return {
-          ...ctx.extraParams,
-          transport: "auto",
-        };
-      },
-      normalizeResolvedModel: (ctx) => {
-        if (normalizeProviderId(ctx.provider) !== PROVIDER_ID) {
-          return undefined;
-        }
-        return normalizeCodexTransport(ctx.model);
-      },
-      resolveUsageAuth: async (ctx) => await ctx.resolveOAuthToken(),
-      fetchUsageSnapshot: async (ctx) =>
-        await fetchCodexUsage(ctx.token, ctx.accountId, ctx.timeoutMs, ctx.fetchFn),
-    });
-  },
-};
-
-export default openAICodexPlugin;
diff --git a/extensions/openai/index.test.ts b/extensions/openai/index.test.ts
deleted file mode 100644
index cdf2d1f8a27..00000000000
--- a/extensions/openai/index.test.ts
+++ /dev/null
@@ -1,76 +0,0 @@
-import { describe, expect, it } from "vitest";
-import type { ProviderPlugin } from "../../src/plugins/types.js";
-import openAIPlugin from "./index.js";
-
-function registerProvider(): ProviderPlugin {
-  let provider: ProviderPlugin | undefined;
-  openAIPlugin.register({
-    registerProvider(nextProvider: ProviderPlugin) {
-      provider = nextProvider;
-    },
-  } as never);
-  if (!provider) {
-    throw new Error("provider registration missing");
-  }
-  return provider;
-}
-
-describe("openai plugin", () => {
-  it("owns openai gpt-5.4 forward-compat resolution", () => {
-    const provider = registerProvider();
-    const model = provider.resolveDynamicModel?.({
-      provider: "openai",
-      modelId: "gpt-5.4-pro",
-      modelRegistry: {
-        find: (_provider: string, id: string) =>
-          id === "gpt-5.2-pro"
-            ? {
-                id,
-                name: id,
-                api: "openai-responses",
-                provider: "openai",
-                baseUrl: "https://api.openai.com/v1",
-                reasoning: true,
-                input: ["text", "image"],
-                cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-                contextWindow: 200_000,
-                maxTokens: 8_192,
-              }
-            : null,
-      } as never,
-    });
-
-    expect(model).toMatchObject({
-      id: "gpt-5.4-pro",
-      provider: "openai",
-      api: "openai-responses",
-      baseUrl: "https://api.openai.com/v1",
-      contextWindow: 1_050_000,
-      maxTokens: 128_000,
-    });
-  });
-
-  it("owns direct openai transport normalization", () => {
-    const provider = registerProvider();
-    expect(
-      provider.normalizeResolvedModel?.({
-        provider: "openai",
-        modelId: "gpt-5.4",
-        model: {
-          id: "gpt-5.4",
-          name: "gpt-5.4",
-          api: "openai-completions",
-          provider: "openai",
-          baseUrl: "https://api.openai.com/v1",
-          reasoning: true,
-          input: ["text", "image"],
-          cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-          contextWindow: 1_050_000,
-          maxTokens: 128_000,
-        },
-      }),
-    ).toMatchObject({
-      api: "openai-responses",
-    });
-  });
-});
diff --git a/extensions/openai/index.ts b/extensions/openai/index.ts
index cc2ca6fe4a0..3a01aad8db9 100644
--- a/extensions/openai/index.ts
+++ b/extensions/openai/index.ts
@@ -1,136 +1,15 @@
-import {
-  emptyPluginConfigSchema,
-  type OpenClawPluginApi,
-  type ProviderResolveDynamicModelContext,
-  type ProviderRuntimeModel,
-} from "openclaw/plugin-sdk/core";
-import { DEFAULT_CONTEXT_TOKENS } from "../../src/agents/defaults.js";
-import { normalizeModelCompat } from "../../src/agents/model-compat.js";
-import { normalizeProviderId } from "../../src/agents/model-selection.js";
-
-const PROVIDER_ID = "openai";
-const OPENAI_BASE_URL = "https://api.openai.com/v1";
-const OPENAI_GPT_54_MODEL_ID = "gpt-5.4";
-const OPENAI_GPT_54_PRO_MODEL_ID = "gpt-5.4-pro";
-const OPENAI_GPT_54_CONTEXT_TOKENS = 1_050_000;
-const OPENAI_GPT_54_MAX_TOKENS = 128_000;
-const OPENAI_GPT_54_TEMPLATE_MODEL_IDS = ["gpt-5.2"] as const;
-const OPENAI_GPT_54_PRO_TEMPLATE_MODEL_IDS = ["gpt-5.2-pro", "gpt-5.2"] as const;
-
-function isOpenAIApiBaseUrl(baseUrl?: string): boolean {
-  const trimmed = baseUrl?.trim();
-  if (!trimmed) {
-    return false;
-  }
-  return /^https?:\/\/api\.openai\.com(?:\/v1)?\/?$/i.test(trimmed);
-}
-
-function normalizeOpenAITransport(model: ProviderRuntimeModel): ProviderRuntimeModel {
-  const useResponsesTransport =
-    model.api === "openai-completions" && (!model.baseUrl || isOpenAIApiBaseUrl(model.baseUrl));
-
-  if (!useResponsesTransport) {
-    return model;
-  }
-
-  return {
-    ...model,
-    api: "openai-responses",
-  };
-}
-
-function cloneFirstTemplateModel(params: {
-  modelId: string;
-  templateIds: readonly string[];
-  ctx: ProviderResolveDynamicModelContext;
-  patch?: Partial<ProviderRuntimeModel>;
-}): ProviderRuntimeModel | undefined {
-  const trimmedModelId = params.modelId.trim();
-  for (const templateId of [...new Set(params.templateIds)].filter(Boolean)) {
-    const template = params.ctx.modelRegistry.find(
-      PROVIDER_ID,
-      templateId,
-    ) as ProviderRuntimeModel | null;
-    if (!template) {
-      continue;
-    }
-    return normalizeModelCompat({
-      ...template,
-      id: trimmedModelId,
-      name: trimmedModelId,
-      ...params.patch,
-    } as ProviderRuntimeModel);
-  }
-  return undefined;
-}
-
-function resolveOpenAIGpt54ForwardCompatModel(
-  ctx: ProviderResolveDynamicModelContext,
-): ProviderRuntimeModel | undefined {
-  const trimmedModelId = ctx.modelId.trim();
-  const lower = trimmedModelId.toLowerCase();
-  let templateIds: readonly string[];
-  if (lower === OPENAI_GPT_54_MODEL_ID) {
-    templateIds = OPENAI_GPT_54_TEMPLATE_MODEL_IDS;
-  } else if (lower === OPENAI_GPT_54_PRO_MODEL_ID) {
-    templateIds = OPENAI_GPT_54_PRO_TEMPLATE_MODEL_IDS;
-  } else {
-    return undefined;
-  }
-
-  return (
-    cloneFirstTemplateModel({
-      modelId: trimmedModelId,
-      templateIds,
-      ctx,
-      patch: {
-        api: "openai-responses",
-        provider: PROVIDER_ID,
-        baseUrl: OPENAI_BASE_URL,
-        reasoning: true,
-        input: ["text", "image"],
-        contextWindow: OPENAI_GPT_54_CONTEXT_TOKENS,
-        maxTokens: OPENAI_GPT_54_MAX_TOKENS,
-      },
-    }) ??
-    normalizeModelCompat({
-      id: trimmedModelId,
-      name: trimmedModelId,
-      api: "openai-responses",
-      provider: PROVIDER_ID,
-      baseUrl: OPENAI_BASE_URL,
-      reasoning: true,
-      input: ["text", "image"],
-      cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-      contextWindow: OPENAI_GPT_54_CONTEXT_TOKENS,
-      maxTokens: OPENAI_GPT_54_MAX_TOKENS,
-    } as ProviderRuntimeModel)
-  );
-}
+import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { buildOpenAICodexProviderPlugin } from "./openai-codex-provider.js";
+import { buildOpenAIProvider } from "./openai-provider.js";
 
 const openAIPlugin = {
-  id: PROVIDER_ID,
+  id: "openai",
   name: "OpenAI Provider",
-  description: "Bundled OpenAI provider plugin",
+  description: "Bundled OpenAI provider plugins",
   configSchema: emptyPluginConfigSchema(),
   register(api: OpenClawPluginApi) {
-    api.registerProvider({
-      id: PROVIDER_ID,
-      label: "OpenAI",
-      docsPath: "/providers/models",
-      envVars: ["OPENAI_API_KEY"],
-      auth: [],
-      resolveDynamicModel: (ctx) => resolveOpenAIGpt54ForwardCompatModel(ctx),
-      normalizeResolvedModel: (ctx) => {
-        if (normalizeProviderId(ctx.provider) !== PROVIDER_ID) {
-          return undefined;
-        }
-        return normalizeOpenAITransport(ctx.model);
-      },
-      capabilities: {
-        providerFamily: "openai",
-      },
-    });
+    api.registerProvider(buildOpenAIProvider());
+    api.registerProvider(buildOpenAICodexProviderPlugin());
   },
 };
 
diff --git a/extensions/openai/openai-codex-provider.ts b/extensions/openai/openai-codex-provider.ts
new file mode 100644
index 00000000000..c0ae2c12210
--- /dev/null
+++ b/extensions/openai/openai-codex-provider.ts
@@ -0,0 +1,286 @@
+import { getOAuthApiKey } from "@mariozechner/pi-ai/oauth";
+import type {
+  ProviderAuthContext,
+  ProviderResolveDynamicModelContext,
+  ProviderRuntimeModel,
+} from "openclaw/plugin-sdk/core";
+import { CODEX_CLI_PROFILE_ID } from "../../src/agents/auth-profiles.js";
+import { listProfilesForProvider } from "../../src/agents/auth-profiles/profiles.js";
+import { ensureAuthProfileStore } from "../../src/agents/auth-profiles/store.js";
+import type { OAuthCredential } from "../../src/agents/auth-profiles/types.js";
+import { DEFAULT_CONTEXT_TOKENS } from "../../src/agents/defaults.js";
+import { normalizeModelCompat } from "../../src/agents/model-compat.js";
+import { normalizeProviderId } from "../../src/agents/model-selection.js";
+import { buildOpenAICodexProvider } from "../../src/agents/models-config.providers.static.js";
+import { loginOpenAICodexOAuth } from "../../src/commands/openai-codex-oauth.js";
+import { fetchCodexUsage } from "../../src/infra/provider-usage.fetch.js";
+import { buildOauthProviderAuthResult } from "../../src/plugin-sdk/provider-auth-result.js";
+import type { ProviderPlugin } from "../../src/plugins/types.js";
+import {
+  cloneFirstTemplateModel,
+  findCatalogTemplate,
+  isOpenAIApiBaseUrl,
+  matchesExactOrPrefix,
+} from "./shared.js";
+
+const PROVIDER_ID = "openai-codex";
+const OPENAI_CODEX_BASE_URL = "https://chatgpt.com/backend-api";
+const OPENAI_CODEX_GPT_54_MODEL_ID = "gpt-5.4";
+const OPENAI_CODEX_GPT_54_CONTEXT_TOKENS = 1_050_000;
+const OPENAI_CODEX_GPT_54_MAX_TOKENS = 128_000;
+const OPENAI_CODEX_GPT_54_TEMPLATE_MODEL_IDS = ["gpt-5.3-codex", "gpt-5.2-codex"] as const;
+const OPENAI_CODEX_GPT_53_MODEL_ID = "gpt-5.3-codex";
+const OPENAI_CODEX_GPT_53_SPARK_MODEL_ID = "gpt-5.3-codex-spark";
+const OPENAI_CODEX_GPT_53_SPARK_CONTEXT_TOKENS = 128_000;
+const OPENAI_CODEX_GPT_53_SPARK_MAX_TOKENS = 128_000;
+const OPENAI_CODEX_TEMPLATE_MODEL_IDS = ["gpt-5.2-codex"] as const;
+const OPENAI_CODEX_DEFAULT_MODEL = `${PROVIDER_ID}/${OPENAI_CODEX_GPT_54_MODEL_ID}`;
+const OPENAI_CODEX_XHIGH_MODEL_IDS = [
+  OPENAI_CODEX_GPT_54_MODEL_ID,
+  OPENAI_CODEX_GPT_53_MODEL_ID,
+  OPENAI_CODEX_GPT_53_SPARK_MODEL_ID,
+  "gpt-5.2-codex",
+  "gpt-5.1-codex",
+] as const;
+const OPENAI_CODEX_MODERN_MODEL_IDS = [
+  OPENAI_CODEX_GPT_54_MODEL_ID,
+  "gpt-5.2",
+  "gpt-5.2-codex",
+  OPENAI_CODEX_GPT_53_MODEL_ID,
+  OPENAI_CODEX_GPT_53_SPARK_MODEL_ID,
+  "gpt-5.1-codex",
+  "gpt-5.1-codex-mini",
+  "gpt-5.1-codex-max",
+] as const;
+
+function isOpenAICodexBaseUrl(baseUrl?: string): boolean {
+  const trimmed = baseUrl?.trim();
+  if (!trimmed) {
+    return false;
+  }
+  return /^https?:\/\/chatgpt\.com\/backend-api\/?$/i.test(trimmed);
+}
+
+function normalizeCodexTransport(model: ProviderRuntimeModel): ProviderRuntimeModel {
+  const useCodexTransport =
+    !model.baseUrl || isOpenAIApiBaseUrl(model.baseUrl) || isOpenAICodexBaseUrl(model.baseUrl);
+  const api =
+    useCodexTransport && model.api === "openai-responses" ? "openai-codex-responses" : model.api;
+  const baseUrl =
+    api === "openai-codex-responses" && (!model.baseUrl || isOpenAIApiBaseUrl(model.baseUrl))
+      ? OPENAI_CODEX_BASE_URL
+      : model.baseUrl;
+  if (api === model.api && baseUrl === model.baseUrl) {
+    return model;
+  }
+  return {
+    ...model,
+    api,
+    baseUrl,
+  };
+}
+
+function resolveCodexForwardCompatModel(
+  ctx: ProviderResolveDynamicModelContext,
+): ProviderRuntimeModel | undefined {
+  const trimmedModelId = ctx.modelId.trim();
+  const lower = trimmedModelId.toLowerCase();
+
+  let templateIds: readonly string[];
+  let patch: Partial<ProviderRuntimeModel> | undefined;
+  if (lower === OPENAI_CODEX_GPT_54_MODEL_ID) {
+    templateIds = OPENAI_CODEX_GPT_54_TEMPLATE_MODEL_IDS;
+    patch = {
+      contextWindow: OPENAI_CODEX_GPT_54_CONTEXT_TOKENS,
+      maxTokens: OPENAI_CODEX_GPT_54_MAX_TOKENS,
+    };
+  } else if (lower === OPENAI_CODEX_GPT_53_SPARK_MODEL_ID) {
+    templateIds = [OPENAI_CODEX_GPT_53_MODEL_ID, ...OPENAI_CODEX_TEMPLATE_MODEL_IDS];
+    patch = {
+      api: "openai-codex-responses",
+      provider: PROVIDER_ID,
+      baseUrl: OPENAI_CODEX_BASE_URL,
+      reasoning: true,
+      input: ["text"],
+      cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+      contextWindow: OPENAI_CODEX_GPT_53_SPARK_CONTEXT_TOKENS,
+      maxTokens: OPENAI_CODEX_GPT_53_SPARK_MAX_TOKENS,
+    };
+  } else if (lower === OPENAI_CODEX_GPT_53_MODEL_ID) {
+    templateIds = OPENAI_CODEX_TEMPLATE_MODEL_IDS;
+  } else {
+    return undefined;
+  }
+
+  return (
+    cloneFirstTemplateModel({
+      providerId: PROVIDER_ID,
+      modelId: trimmedModelId,
+      templateIds,
+      ctx,
+      patch,
+    }) ??
+    normalizeModelCompat({
+      id: trimmedModelId,
+      name: trimmedModelId,
+      api: "openai-codex-responses",
+      provider: PROVIDER_ID,
+      baseUrl: OPENAI_CODEX_BASE_URL,
+      reasoning: true,
+      input: ["text", "image"],
+      cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+      contextWindow: patch?.contextWindow ?? DEFAULT_CONTEXT_TOKENS,
+      maxTokens: patch?.maxTokens ?? DEFAULT_CONTEXT_TOKENS,
+    } as ProviderRuntimeModel)
+  );
+}
+
+async function refreshOpenAICodexOAuthCredential(cred: OAuthCredential) {
+  try {
+    const refreshed = await getOAuthApiKey("openai-codex", {
+      "openai-codex": cred,
+    });
+    if (!refreshed) {
+      throw new Error("OpenAI Codex OAuth refresh returned no credentials.");
+    }
+    return {
+      ...cred,
+      ...refreshed.newCredentials,
+      type: "oauth" as const,
+      provider: PROVIDER_ID,
+      email: cred.email,
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (
+      /extract\s+accountid\s+from\s+token/i.test(message) &&
+      typeof cred.access === "string" &&
+      cred.access.trim().length > 0
+    ) {
+      return cred;
+    }
+    throw error;
+  }
+}
+
+async function runOpenAICodexOAuth(ctx: ProviderAuthContext) {
+  let creds;
+  try {
+    creds = await loginOpenAICodexOAuth({
+      prompter: ctx.prompter,
+      runtime: ctx.runtime,
+      isRemote: ctx.isRemote,
+      openUrl: ctx.openUrl,
+      localBrowserMessage: "Complete sign-in in browser…",
+    });
+  } catch {
+    return { profiles: [] };
+  }
+  if (!creds) {
+    return { profiles: [] };
+  }
+
+  return buildOauthProviderAuthResult({
+    providerId: PROVIDER_ID,
+    defaultModel: OPENAI_CODEX_DEFAULT_MODEL,
+    access: creds.access,
+    refresh: creds.refresh,
+    expires: creds.expires,
+    email: typeof creds.email === "string" ? creds.email : undefined,
+  });
+}
+
+export function buildOpenAICodexProviderPlugin(): ProviderPlugin {
+  return {
+    id: PROVIDER_ID,
+    label: "OpenAI Codex",
+    docsPath: "/providers/models",
+    deprecatedProfileIds: [CODEX_CLI_PROFILE_ID],
+    auth: [
+      {
+        id: "oauth",
+        label: "ChatGPT OAuth",
+        hint: "Browser sign-in",
+        kind: "oauth",
+        run: async (ctx) => await runOpenAICodexOAuth(ctx),
+      },
+    ],
+    wizard: {
+      setup: {
+        choiceId: "openai-codex",
+        choiceLabel: "OpenAI Codex (ChatGPT OAuth)",
+        choiceHint: "Browser sign-in",
+        methodId: "oauth",
+      },
+    },
+    catalog: {
+      order: "profile",
+      run: async (ctx) => {
+        const authStore = ensureAuthProfileStore(ctx.agentDir, {
+          allowKeychainPrompt: false,
+        });
+        if (listProfilesForProvider(authStore, PROVIDER_ID).length === 0) {
+          return null;
+        }
+        return {
+          provider: buildOpenAICodexProvider(),
+        };
+      },
+    },
+    resolveDynamicModel: (ctx) => resolveCodexForwardCompatModel(ctx),
+    capabilities: {
+      providerFamily: "openai",
+    },
+    supportsXHighThinking: ({ modelId }) =>
+      matchesExactOrPrefix(modelId, OPENAI_CODEX_XHIGH_MODEL_IDS),
+    isModernModelRef: ({ modelId }) => matchesExactOrPrefix(modelId, OPENAI_CODEX_MODERN_MODEL_IDS),
+    prepareExtraParams: (ctx) => {
+      const transport = ctx.extraParams?.transport;
+      if (transport === "auto" || transport === "sse" || transport === "websocket") {
+        return ctx.extraParams;
+      }
+      return {
+        ...ctx.extraParams,
+        transport: "auto",
+      };
+    },
+    normalizeResolvedModel: (ctx) => {
+      if (normalizeProviderId(ctx.provider) !== PROVIDER_ID) {
+        return undefined;
+      }
+      return normalizeCodexTransport(ctx.model);
+    },
+    resolveUsageAuth: async (ctx) => await ctx.resolveOAuthToken(),
+    fetchUsageSnapshot: async (ctx) =>
+      await fetchCodexUsage(ctx.token, ctx.accountId, ctx.timeoutMs, ctx.fetchFn),
+    refreshOAuth: async (cred) => await refreshOpenAICodexOAuthCredential(cred),
+    augmentModelCatalog: (ctx) => {
+      const gpt54Template = findCatalogTemplate({
+        entries: ctx.entries,
+        providerId: PROVIDER_ID,
+        templateIds: OPENAI_CODEX_GPT_54_TEMPLATE_MODEL_IDS,
+      });
+      const sparkTemplate = findCatalogTemplate({
+        entries: ctx.entries,
+        providerId: PROVIDER_ID,
+        templateIds: [OPENAI_CODEX_GPT_53_MODEL_ID, ...OPENAI_CODEX_TEMPLATE_MODEL_IDS],
+      });
+      return [
+        gpt54Template
+          ? {
+              ...gpt54Template,
+              id: OPENAI_CODEX_GPT_54_MODEL_ID,
+              name: OPENAI_CODEX_GPT_54_MODEL_ID,
+            }
+          : undefined,
+        sparkTemplate
+          ? {
+              ...sparkTemplate,
+              id: OPENAI_CODEX_GPT_53_SPARK_MODEL_ID,
+              name: OPENAI_CODEX_GPT_53_SPARK_MODEL_ID,
+            }
+          : undefined,
+      ].filter((entry): entry is NonNullable<typeof entry> => entry !== undefined);
+    },
+  };
+}
diff --git a/extensions/openai/openai-provider.ts b/extensions/openai/openai-provider.ts
new file mode 100644
index 00000000000..9155fb3cd30
--- /dev/null
+++ b/extensions/openai/openai-provider.ts
@@ -0,0 +1,178 @@
+import {
+  type ProviderResolveDynamicModelContext,
+  type ProviderRuntimeModel,
+} from "openclaw/plugin-sdk/core";
+import { normalizeModelCompat } from "../../src/agents/model-compat.js";
+import { normalizeProviderId } from "../../src/agents/model-selection.js";
+import {
+  applyOpenAIConfig,
+  OPENAI_DEFAULT_MODEL,
+} from "../../src/commands/openai-model-default.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
+import type { ProviderPlugin } from "../../src/plugins/types.js";
+import {
+  cloneFirstTemplateModel,
+  findCatalogTemplate,
+  isOpenAIApiBaseUrl,
+  matchesExactOrPrefix,
+} from "./shared.js";
+
+const PROVIDER_ID = "openai";
+const OPENAI_GPT_54_MODEL_ID = "gpt-5.4";
+const OPENAI_GPT_54_PRO_MODEL_ID = "gpt-5.4-pro";
+const OPENAI_GPT_54_CONTEXT_TOKENS = 1_050_000;
+const OPENAI_GPT_54_MAX_TOKENS = 128_000;
+const OPENAI_GPT_54_TEMPLATE_MODEL_IDS = ["gpt-5.2"] as const;
+const OPENAI_GPT_54_PRO_TEMPLATE_MODEL_IDS = ["gpt-5.2-pro", "gpt-5.2"] as const;
+const OPENAI_XHIGH_MODEL_IDS = ["gpt-5.4", "gpt-5.4-pro", "gpt-5.2"] as const;
+const OPENAI_MODERN_MODEL_IDS = ["gpt-5.4", "gpt-5.4-pro", "gpt-5.2", "gpt-5.0"] as const;
+const OPENAI_DIRECT_SPARK_MODEL_ID = "gpt-5.3-codex-spark";
+const SUPPRESSED_SPARK_PROVIDERS = new Set(["openai", "azure-openai-responses"]);
+
+function normalizeOpenAITransport(model: ProviderRuntimeModel): ProviderRuntimeModel {
+  const useResponsesTransport =
+    model.api === "openai-completions" && (!model.baseUrl || isOpenAIApiBaseUrl(model.baseUrl));
+
+  if (!useResponsesTransport) {
+    return model;
+  }
+
+  return {
+    ...model,
+    api: "openai-responses",
+  };
+}
+
+function resolveOpenAIGpt54ForwardCompatModel(
+  ctx: ProviderResolveDynamicModelContext,
+): ProviderRuntimeModel | undefined {
+  const trimmedModelId = ctx.modelId.trim();
+  const lower = trimmedModelId.toLowerCase();
+  let templateIds: readonly string[];
+  if (lower === OPENAI_GPT_54_MODEL_ID) {
+    templateIds = OPENAI_GPT_54_TEMPLATE_MODEL_IDS;
+  } else if (lower === OPENAI_GPT_54_PRO_MODEL_ID) {
+    templateIds = OPENAI_GPT_54_PRO_TEMPLATE_MODEL_IDS;
+  } else {
+    return undefined;
+  }
+
+  return (
+    cloneFirstTemplateModel({
+      providerId: PROVIDER_ID,
+      modelId: trimmedModelId,
+      templateIds,
+      ctx,
+      patch: {
+        api: "openai-responses",
+        provider: PROVIDER_ID,
+        baseUrl: "https://api.openai.com/v1",
+        reasoning: true,
+        input: ["text", "image"],
+        contextWindow: OPENAI_GPT_54_CONTEXT_TOKENS,
+        maxTokens: OPENAI_GPT_54_MAX_TOKENS,
+      },
+    }) ??
+    normalizeModelCompat({
+      id: trimmedModelId,
+      name: trimmedModelId,
+      api: "openai-responses",
+      provider: PROVIDER_ID,
+      baseUrl: "https://api.openai.com/v1",
+      reasoning: true,
+      input: ["text", "image"],
+      cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+      contextWindow: OPENAI_GPT_54_CONTEXT_TOKENS,
+      maxTokens: OPENAI_GPT_54_MAX_TOKENS,
+    } as ProviderRuntimeModel)
+  );
+}
+
+export function buildOpenAIProvider(): ProviderPlugin {
+  return {
+    id: PROVIDER_ID,
+    label: "OpenAI",
+    docsPath: "/providers/models",
+    envVars: ["OPENAI_API_KEY"],
+    auth: [
+      createProviderApiKeyAuthMethod({
+        providerId: PROVIDER_ID,
+        methodId: "api-key",
+        label: "OpenAI API key",
+        hint: "Direct OpenAI API key",
+        optionKey: "openaiApiKey",
+        flagName: "--openai-api-key",
+        envVar: "OPENAI_API_KEY",
+        promptMessage: "Enter OpenAI API key",
+        defaultModel: OPENAI_DEFAULT_MODEL,
+        expectedProviders: ["openai"],
+        applyConfig: (cfg) => applyOpenAIConfig(cfg),
+        wizard: {
+          choiceId: "openai-api-key",
+          choiceLabel: "OpenAI API key",
+          groupId: "openai",
+          groupLabel: "OpenAI",
+          groupHint: "Codex OAuth + API key",
+        },
+      }),
+    ],
+    resolveDynamicModel: (ctx) => resolveOpenAIGpt54ForwardCompatModel(ctx),
+    normalizeResolvedModel: (ctx) => {
+      if (normalizeProviderId(ctx.provider) !== PROVIDER_ID) {
+        return undefined;
+      }
+      return normalizeOpenAITransport(ctx.model);
+    },
+    capabilities: {
+      providerFamily: "openai",
+    },
+    supportsXHighThinking: ({ modelId }) => matchesExactOrPrefix(modelId, OPENAI_XHIGH_MODEL_IDS),
+    isModernModelRef: ({ modelId }) => matchesExactOrPrefix(modelId, OPENAI_MODERN_MODEL_IDS),
+    buildMissingAuthMessage: (ctx) => {
+      if (ctx.provider !== PROVIDER_ID || ctx.listProfileIds("openai-codex").length === 0) {
+        return undefined;
+      }
+      return 'No API key found for provider "openai". You are authenticated with OpenAI Codex OAuth. Use openai-codex/gpt-5.4 (OAuth) or set OPENAI_API_KEY to use openai/gpt-5.4.';
+    },
+    suppressBuiltInModel: (ctx) => {
+      if (
+        !SUPPRESSED_SPARK_PROVIDERS.has(normalizeProviderId(ctx.provider)) ||
+        ctx.modelId.toLowerCase() !== OPENAI_DIRECT_SPARK_MODEL_ID
+      ) {
+        return undefined;
+      }
+      return {
+        suppress: true,
+        errorMessage: `Unknown model: ${ctx.provider}/${OPENAI_DIRECT_SPARK_MODEL_ID}. ${OPENAI_DIRECT_SPARK_MODEL_ID} is only supported via openai-codex OAuth. Use openai-codex/${OPENAI_DIRECT_SPARK_MODEL_ID}.`,
+      };
+    },
+    augmentModelCatalog: (ctx) => {
+      const openAiGpt54Template = findCatalogTemplate({
+        entries: ctx.entries,
+        providerId: PROVIDER_ID,
+        templateIds: OPENAI_GPT_54_TEMPLATE_MODEL_IDS,
+      });
+      const openAiGpt54ProTemplate = findCatalogTemplate({
+        entries: ctx.entries,
+        providerId: PROVIDER_ID,
+        templateIds: OPENAI_GPT_54_PRO_TEMPLATE_MODEL_IDS,
+      });
+      return [
+        openAiGpt54Template
+          ? {
+              ...openAiGpt54Template,
+              id: OPENAI_GPT_54_MODEL_ID,
+              name: OPENAI_GPT_54_MODEL_ID,
+            }
+          : undefined,
+        openAiGpt54ProTemplate
+          ? {
+              ...openAiGpt54ProTemplate,
+              id: OPENAI_GPT_54_PRO_MODEL_ID,
+              name: OPENAI_GPT_54_PRO_MODEL_ID,
+            }
+          : undefined,
+      ].filter((entry): entry is NonNullable<typeof entry> => entry !== undefined);
+    },
+  };
+}
diff --git a/extensions/openai/openclaw.plugin.json b/extensions/openai/openclaw.plugin.json
index 4bae96f3619..6a492ec3cae 100644
--- a/extensions/openai/openclaw.plugin.json
+++ b/extensions/openai/openclaw.plugin.json
@@ -1,6 +1,34 @@
 {
   "id": "openai",
-  "providers": ["openai"],
+  "providers": ["openai", "openai-codex"],
+  "providerAuthEnvVars": {
+    "openai": ["OPENAI_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "openai-codex",
+      "method": "oauth",
+      "choiceId": "openai-codex",
+      "choiceLabel": "OpenAI Codex (ChatGPT OAuth)",
+      "choiceHint": "Browser sign-in",
+      "groupId": "openai",
+      "groupLabel": "OpenAI",
+      "groupHint": "Codex OAuth + API key"
+    },
+    {
+      "provider": "openai",
+      "method": "api-key",
+      "choiceId": "openai-api-key",
+      "choiceLabel": "OpenAI API key",
+      "groupId": "openai",
+      "groupLabel": "OpenAI",
+      "groupHint": "Codex OAuth + API key",
+      "optionKey": "openaiApiKey",
+      "cliFlag": "--openai-api-key",
+      "cliOption": "--openai-api-key <key>",
+      "cliDescription": "OpenAI API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/openai/package.json b/extensions/openai/package.json
index c5e73ed8120..1e4599dc157 100644
--- a/extensions/openai/package.json
+++ b/extensions/openai/package.json
@@ -2,7 +2,7 @@
   "name": "@openclaw/openai-provider",
   "version": "2026.3.14",
   "private": true,
-  "description": "OpenClaw OpenAI provider plugin",
+  "description": "OpenClaw OpenAI provider plugins",
   "type": "module",
   "openclaw": {
     "extensions": [
diff --git a/extensions/openai/shared.ts b/extensions/openai/shared.ts
new file mode 100644
index 00000000000..4e4c8c2d850
--- /dev/null
+++ b/extensions/openai/shared.ts
@@ -0,0 +1,65 @@
+import { normalizeModelCompat } from "../../src/agents/model-compat.js";
+import type {
+  ProviderResolveDynamicModelContext,
+  ProviderRuntimeModel,
+} from "../../src/plugins/types.js";
+
+export const OPENAI_API_BASE_URL = "https://api.openai.com/v1";
+
+export function matchesExactOrPrefix(id: string, values: readonly string[]): boolean {
+  const normalizedId = id.trim().toLowerCase();
+  return values.some((value) => {
+    const normalizedValue = value.trim().toLowerCase();
+    return normalizedId === normalizedValue || normalizedId.startsWith(normalizedValue);
+  });
+}
+
+export function isOpenAIApiBaseUrl(baseUrl?: string): boolean {
+  const trimmed = baseUrl?.trim();
+  if (!trimmed) {
+    return false;
+  }
+  return /^https?:\/\/api\.openai\.com(?:\/v1)?\/?$/i.test(trimmed);
+}
+
+export function cloneFirstTemplateModel(params: {
+  providerId: string;
+  modelId: string;
+  templateIds: readonly string[];
+  ctx: ProviderResolveDynamicModelContext;
+  patch?: Partial<ProviderRuntimeModel>;
+}): ProviderRuntimeModel | undefined {
+  const trimmedModelId = params.modelId.trim();
+  for (const templateId of [...new Set(params.templateIds)].filter(Boolean)) {
+    const template = params.ctx.modelRegistry.find(
+      params.providerId,
+      templateId,
+    ) as ProviderRuntimeModel | null;
+    if (!template) {
+      continue;
+    }
+    return normalizeModelCompat({
+      ...template,
+      id: trimmedModelId,
+      name: trimmedModelId,
+      ...params.patch,
+    } as ProviderRuntimeModel);
+  }
+  return undefined;
+}
+
+export function findCatalogTemplate(params: {
+  entries: ReadonlyArray<{ provider: string; id: string }>;
+  providerId: string;
+  templateIds: readonly string[];
+}) {
+  return params.templateIds
+    .map((templateId) =>
+      params.entries.find(
+        (entry) =>
+          entry.provider.toLowerCase() === params.providerId.toLowerCase() &&
+          entry.id.toLowerCase() === templateId.toLowerCase(),
+      ),
+    )
+    .find((entry) => entry !== undefined);
+}
diff --git a/extensions/opencode-go/index.ts b/extensions/opencode-go/index.ts
index 3740c0190c4..c0a8cea9b91 100644
--- a/extensions/opencode-go/index.ts
+++ b/extensions/opencode-go/index.ts
@@ -1,4 +1,7 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { applyOpencodeGoConfig } from "../../src/commands/onboard-auth.config-opencode-go.js";
+import { OPENCODE_GO_DEFAULT_MODEL_REF } from "../../src/commands/opencode-go-model-default.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "opencode-go";
 
@@ -13,12 +16,41 @@ const opencodeGoPlugin = {
       label: "OpenCode Go",
       docsPath: "/providers/models",
       envVars: ["OPENCODE_API_KEY", "OPENCODE_ZEN_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "OpenCode Go catalog",
+          hint: "Shared API key for Zen + Go catalogs",
+          optionKey: "opencodeGoApiKey",
+          flagName: "--opencode-go-api-key",
+          envVar: "OPENCODE_API_KEY",
+          promptMessage: "Enter OpenCode API key",
+          profileIds: ["opencode:default", "opencode-go:default"],
+          defaultModel: OPENCODE_GO_DEFAULT_MODEL_REF,
+          expectedProviders: ["opencode", "opencode-go"],
+          applyConfig: (cfg) => applyOpencodeGoConfig(cfg),
+          noteMessage: [
+            "OpenCode uses one API key across the Zen and Go catalogs.",
+            "Go focuses on Kimi, GLM, and MiniMax coding models.",
+            "Get your API key at: https://opencode.ai/auth",
+          ].join("\n"),
+          noteTitle: "OpenCode",
+          wizard: {
+            choiceId: "opencode-go",
+            choiceLabel: "OpenCode Go catalog",
+            groupId: "opencode",
+            groupLabel: "OpenCode",
+            groupHint: "Shared API key for Zen + Go catalogs",
+          },
+        }),
+      ],
       capabilities: {
         openAiCompatTurnValidation: false,
         geminiThoughtSignatureSanitization: true,
         geminiThoughtSignatureModelHints: ["gemini"],
       },
+      isModernModelRef: () => true,
     });
   },
 };
diff --git a/extensions/opencode-go/openclaw.plugin.json b/extensions/opencode-go/openclaw.plugin.json
index 09d48bcf314..9972dc633ff 100644
--- a/extensions/opencode-go/openclaw.plugin.json
+++ b/extensions/opencode-go/openclaw.plugin.json
@@ -1,6 +1,24 @@
 {
   "id": "opencode-go",
   "providers": ["opencode-go"],
+  "providerAuthEnvVars": {
+    "opencode-go": ["OPENCODE_API_KEY", "OPENCODE_ZEN_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "opencode-go",
+      "method": "api-key",
+      "choiceId": "opencode-go",
+      "choiceLabel": "OpenCode Go catalog",
+      "groupId": "opencode",
+      "groupLabel": "OpenCode",
+      "groupHint": "Shared API key for Zen + Go catalogs",
+      "optionKey": "opencodeGoApiKey",
+      "cliFlag": "--opencode-go-api-key",
+      "cliOption": "--opencode-go-api-key <key>",
+      "cliDescription": "OpenCode API key (Go catalog)"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/opencode/index.ts b/extensions/opencode/index.ts
index 81175fc5613..d00ae301bc5 100644
--- a/extensions/opencode/index.ts
+++ b/extensions/opencode/index.ts
@@ -1,6 +1,18 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { applyOpencodeZenConfig } from "../../src/commands/onboard-auth.config-opencode.js";
+import { OPENCODE_ZEN_DEFAULT_MODEL } from "../../src/commands/opencode-zen-model-default.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "opencode";
+const MINIMAX_PREFIX = "minimax-m2.5";
+
+function isModernOpencodeModel(modelId: string): boolean {
+  const lower = modelId.trim().toLowerCase();
+  if (lower.endsWith("-free") || lower === "alpha-glm-4.7") {
+    return false;
+  }
+  return !lower.startsWith(MINIMAX_PREFIX);
+}
 
 const opencodePlugin = {
   id: PROVIDER_ID,
@@ -13,12 +25,42 @@ const opencodePlugin = {
       label: "OpenCode Zen",
       docsPath: "/providers/models",
       envVars: ["OPENCODE_API_KEY", "OPENCODE_ZEN_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "OpenCode Zen catalog",
+          hint: "Shared API key for Zen + Go catalogs",
+          optionKey: "opencodeZenApiKey",
+          flagName: "--opencode-zen-api-key",
+          envVar: "OPENCODE_API_KEY",
+          promptMessage: "Enter OpenCode API key",
+          profileIds: ["opencode:default", "opencode-go:default"],
+          defaultModel: OPENCODE_ZEN_DEFAULT_MODEL,
+          expectedProviders: ["opencode", "opencode-go"],
+          applyConfig: (cfg) => applyOpencodeZenConfig(cfg),
+          noteMessage: [
+            "OpenCode uses one API key across the Zen and Go catalogs.",
+            "Zen provides access to Claude, GPT, Gemini, and more models.",
+            "Get your API key at: https://opencode.ai/auth",
+            "Choose the Zen catalog when you want the curated multi-model proxy.",
+          ].join("\n"),
+          noteTitle: "OpenCode",
+          wizard: {
+            choiceId: "opencode-zen",
+            choiceLabel: "OpenCode Zen catalog",
+            groupId: "opencode",
+            groupLabel: "OpenCode",
+            groupHint: "Shared API key for Zen + Go catalogs",
+          },
+        }),
+      ],
       capabilities: {
         openAiCompatTurnValidation: false,
         geminiThoughtSignatureSanitization: true,
         geminiThoughtSignatureModelHints: ["gemini"],
       },
+      isModernModelRef: ({ modelId }) => isModernOpencodeModel(modelId),
     });
   },
 };
diff --git a/extensions/opencode/openclaw.plugin.json b/extensions/opencode/openclaw.plugin.json
index f61e9b99b67..9352896340b 100644
--- a/extensions/opencode/openclaw.plugin.json
+++ b/extensions/opencode/openclaw.plugin.json
@@ -1,6 +1,24 @@
 {
   "id": "opencode",
   "providers": ["opencode"],
+  "providerAuthEnvVars": {
+    "opencode": ["OPENCODE_API_KEY", "OPENCODE_ZEN_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "opencode",
+      "method": "api-key",
+      "choiceId": "opencode-zen",
+      "choiceLabel": "OpenCode Zen catalog",
+      "groupId": "opencode",
+      "groupLabel": "OpenCode",
+      "groupHint": "Shared API key for Zen + Go catalogs",
+      "optionKey": "opencodeZenApiKey",
+      "cliFlag": "--opencode-zen-api-key",
+      "cliOption": "--opencode-zen-api-key <key>",
+      "cliDescription": "OpenCode API key (Zen catalog)"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/openrouter/index.ts b/extensions/openrouter/index.ts
index faa7b338cf1..ec4afaa873c 100644
--- a/extensions/openrouter/index.ts
+++ b/extensions/openrouter/index.ts
@@ -16,6 +16,11 @@ import {
   createOpenRouterWrapper,
   isProxyReasoningUnsupported,
 } from "../../src/agents/pi-embedded-runner/proxy-stream-wrappers.js";
+import {
+  applyOpenrouterConfig,
+  OPENROUTER_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "openrouter";
 const OPENROUTER_BASE_URL = "https://openrouter.ai/api/v1";
@@ -85,7 +90,28 @@ const openRouterPlugin = {
       label: "OpenRouter",
       docsPath: "/providers/models",
       envVars: ["OPENROUTER_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "OpenRouter API key",
+          hint: "API key",
+          optionKey: "openrouterApiKey",
+          flagName: "--openrouter-api-key",
+          envVar: "OPENROUTER_API_KEY",
+          promptMessage: "Enter OpenRouter API key",
+          defaultModel: OPENROUTER_DEFAULT_MODEL_REF,
+          expectedProviders: ["openrouter"],
+          applyConfig: (cfg) => applyOpenrouterConfig(cfg),
+          wizard: {
+            choiceId: "openrouter-api-key",
+            choiceLabel: "OpenRouter API key",
+            groupId: "openrouter",
+            groupLabel: "OpenRouter",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
@@ -110,6 +136,7 @@ const openRouterPlugin = {
         geminiThoughtSignatureSanitization: true,
         geminiThoughtSignatureModelHints: ["gemini"],
       },
+      isModernModelRef: () => true,
       wrapStreamFn: (ctx) => {
         let streamFn = ctx.streamFn;
         const providerRouting =
diff --git a/extensions/openrouter/openclaw.plugin.json b/extensions/openrouter/openclaw.plugin.json
index 7e7840cb1c9..8151f24e677 100644
--- a/extensions/openrouter/openclaw.plugin.json
+++ b/extensions/openrouter/openclaw.plugin.json
@@ -1,6 +1,24 @@
 {
   "id": "openrouter",
   "providers": ["openrouter"],
+  "providerAuthEnvVars": {
+    "openrouter": ["OPENROUTER_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "openrouter",
+      "method": "api-key",
+      "choiceId": "openrouter-api-key",
+      "choiceLabel": "OpenRouter API key",
+      "groupId": "openrouter",
+      "groupLabel": "OpenRouter",
+      "groupHint": "API key",
+      "optionKey": "openrouterApiKey",
+      "cliFlag": "--openrouter-api-key",
+      "cliOption": "--openrouter-api-key <key>",
+      "cliDescription": "OpenRouter API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/openshell/index.ts b/extensions/openshell/index.ts
new file mode 100644
index 00000000000..910abe31b44
--- /dev/null
+++ b/extensions/openshell/index.ts
@@ -0,0 +1,30 @@
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { registerSandboxBackend } from "openclaw/plugin-sdk/core";
+import {
+  createOpenShellSandboxBackendFactory,
+  createOpenShellSandboxBackendManager,
+} from "./src/backend.js";
+import { createOpenShellPluginConfigSchema, resolveOpenShellPluginConfig } from "./src/config.js";
+
+const plugin = {
+  id: "openshell",
+  name: "OpenShell Sandbox",
+  description: "OpenShell-backed sandbox runtime for agent exec and file tools.",
+  configSchema: createOpenShellPluginConfigSchema(),
+  register(api: OpenClawPluginApi) {
+    if (api.registrationMode !== "full") {
+      return;
+    }
+    const pluginConfig = resolveOpenShellPluginConfig(api.pluginConfig);
+    registerSandboxBackend("openshell", {
+      factory: createOpenShellSandboxBackendFactory({
+        pluginConfig,
+      }),
+      manager: createOpenShellSandboxBackendManager({
+        pluginConfig,
+      }),
+    });
+  },
+};
+
+export default plugin;
diff --git a/extensions/openshell/openclaw.plugin.json b/extensions/openshell/openclaw.plugin.json
new file mode 100644
index 00000000000..cf3f9ad5579
--- /dev/null
+++ b/extensions/openshell/openclaw.plugin.json
@@ -0,0 +1,99 @@
+{
+  "id": "openshell",
+  "name": "OpenShell Sandbox",
+  "description": "Sandbox backend powered by OpenShell with mirrored local workspaces and SSH-based command execution.",
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "command": {
+        "type": "string"
+      },
+      "gateway": {
+        "type": "string"
+      },
+      "gatewayEndpoint": {
+        "type": "string"
+      },
+      "from": {
+        "type": "string"
+      },
+      "policy": {
+        "type": "string"
+      },
+      "providers": {
+        "type": "array",
+        "items": {
+          "type": "string"
+        }
+      },
+      "gpu": {
+        "type": "boolean"
+      },
+      "autoProviders": {
+        "type": "boolean"
+      },
+      "remoteWorkspaceDir": {
+        "type": "string"
+      },
+      "remoteAgentWorkspaceDir": {
+        "type": "string"
+      },
+      "timeoutSeconds": {
+        "type": "number",
+        "minimum": 1
+      }
+    }
+  },
+  "uiHints": {
+    "command": {
+      "label": "OpenShell Command",
+      "help": "Path or command name for the openshell CLI."
+    },
+    "gateway": {
+      "label": "Gateway Name",
+      "help": "Optional OpenShell gateway name passed as --gateway."
+    },
+    "gatewayEndpoint": {
+      "label": "Gateway Endpoint",
+      "help": "Optional OpenShell gateway endpoint passed as --gateway-endpoint."
+    },
+    "from": {
+      "label": "Sandbox Source",
+      "help": "OpenShell sandbox source for first-time create. Defaults to openclaw."
+    },
+    "policy": {
+      "label": "Policy File",
+      "help": "Optional path to a custom OpenShell sandbox policy YAML."
+    },
+    "providers": {
+      "label": "Providers",
+      "help": "Provider names to attach when a sandbox is created."
+    },
+    "gpu": {
+      "label": "GPU",
+      "help": "Request GPU resources when creating the sandbox.",
+      "advanced": true
+    },
+    "autoProviders": {
+      "label": "Auto-create Providers",
+      "help": "When enabled, pass --auto-providers during sandbox create.",
+      "advanced": true
+    },
+    "remoteWorkspaceDir": {
+      "label": "Remote Workspace Dir",
+      "help": "Primary writable workspace inside the OpenShell sandbox.",
+      "advanced": true
+    },
+    "remoteAgentWorkspaceDir": {
+      "label": "Remote Agent Dir",
+      "help": "Mirror path for the real agent workspace when workspaceAccess is read-only.",
+      "advanced": true
+    },
+    "timeoutSeconds": {
+      "label": "Command Timeout Seconds",
+      "help": "Timeout for openshell CLI operations such as create/upload/download.",
+      "advanced": true
+    }
+  }
+}
diff --git a/extensions/openshell/package.json b/extensions/openshell/package.json
new file mode 100644
index 00000000000..464c749ea34
--- /dev/null
+++ b/extensions/openshell/package.json
@@ -0,0 +1,12 @@
+{
+  "name": "@openclaw/openshell-sandbox",
+  "version": "2026.3.14",
+  "private": true,
+  "description": "OpenClaw OpenShell sandbox backend",
+  "type": "module",
+  "openclaw": {
+    "extensions": [
+      "./index.ts"
+    ]
+  }
+}
diff --git a/extensions/openshell/src/backend.test.ts b/extensions/openshell/src/backend.test.ts
new file mode 100644
index 00000000000..2685d7effa8
--- /dev/null
+++ b/extensions/openshell/src/backend.test.ts
@@ -0,0 +1,118 @@
+import { describe, expect, it, vi, beforeEach } from "vitest";
+
+const cliMocks = vi.hoisted(() => ({
+  runOpenShellCli: vi.fn(),
+}));
+
+vi.mock("./cli.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("./cli.js")>();
+  return {
+    ...actual,
+    runOpenShellCli: cliMocks.runOpenShellCli,
+  };
+});
+
+import { createOpenShellSandboxBackendManager } from "./backend.js";
+import { resolveOpenShellPluginConfig } from "./config.js";
+
+describe("openshell backend manager", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("checks runtime status with config override from OpenClaw config", async () => {
+    cliMocks.runOpenShellCli.mockResolvedValue({
+      code: 0,
+      stdout: "{}",
+      stderr: "",
+    });
+
+    const manager = createOpenShellSandboxBackendManager({
+      pluginConfig: resolveOpenShellPluginConfig({
+        command: "openshell",
+        from: "openclaw",
+      }),
+    });
+
+    const result = await manager.describeRuntime({
+      entry: {
+        containerName: "openclaw-session-1234",
+        backendId: "openshell",
+        runtimeLabel: "openclaw-session-1234",
+        sessionKey: "agent:main",
+        createdAtMs: 1,
+        lastUsedAtMs: 1,
+        image: "custom-source",
+        configLabelKind: "Source",
+      },
+      config: {
+        plugins: {
+          entries: {
+            openshell: {
+              enabled: true,
+              config: {
+                command: "openshell",
+                from: "custom-source",
+              },
+            },
+          },
+        },
+      },
+    });
+
+    expect(result).toEqual({
+      running: true,
+      actualConfigLabel: "custom-source",
+      configLabelMatch: true,
+    });
+    expect(cliMocks.runOpenShellCli).toHaveBeenCalledWith({
+      context: expect.objectContaining({
+        sandboxName: "openclaw-session-1234",
+        config: expect.objectContaining({
+          from: "custom-source",
+        }),
+      }),
+      args: ["sandbox", "get", "openclaw-session-1234"],
+    });
+  });
+
+  it("removes runtimes via openshell sandbox delete", async () => {
+    cliMocks.runOpenShellCli.mockResolvedValue({
+      code: 0,
+      stdout: "",
+      stderr: "",
+    });
+
+    const manager = createOpenShellSandboxBackendManager({
+      pluginConfig: resolveOpenShellPluginConfig({
+        command: "/usr/local/bin/openshell",
+        gateway: "lab",
+      }),
+    });
+
+    await manager.removeRuntime({
+      entry: {
+        containerName: "openclaw-session-5678",
+        backendId: "openshell",
+        runtimeLabel: "openclaw-session-5678",
+        sessionKey: "agent:main",
+        createdAtMs: 1,
+        lastUsedAtMs: 1,
+        image: "openclaw",
+        configLabelKind: "Source",
+      },
+      config: {},
+    });
+
+    expect(cliMocks.runOpenShellCli).toHaveBeenCalledWith({
+      context: expect.objectContaining({
+        sandboxName: "openclaw-session-5678",
+        config: expect.objectContaining({
+          command: "/usr/local/bin/openshell",
+          gateway: "lab",
+        }),
+      }),
+      args: ["sandbox", "delete", "openclaw-session-5678"],
+    });
+  });
+});
diff --git a/extensions/openshell/src/backend.ts b/extensions/openshell/src/backend.ts
new file mode 100644
index 00000000000..d87b1c92af8
--- /dev/null
+++ b/extensions/openshell/src/backend.ts
@@ -0,0 +1,489 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import type {
+  CreateSandboxBackendParams,
+  OpenClawConfig,
+  RemoteShellSandboxHandle,
+  SandboxBackendCommandParams,
+  SandboxBackendCommandResult,
+  SandboxBackendFactory,
+  SandboxBackendHandle,
+  SandboxBackendManager,
+  SshSandboxSession,
+} from "openclaw/plugin-sdk/core";
+import {
+  createRemoteShellSandboxFsBridge,
+  disposeSshSandboxSession,
+  resolvePreferredOpenClawTmpDir,
+  runSshSandboxCommand,
+} from "openclaw/plugin-sdk/core";
+import {
+  buildExecRemoteCommand,
+  buildRemoteCommand,
+  createOpenShellSshSession,
+  runOpenShellCli,
+  type OpenShellExecContext,
+} from "./cli.js";
+import { resolveOpenShellPluginConfig, type ResolvedOpenShellPluginConfig } from "./config.js";
+import { createOpenShellFsBridge } from "./fs-bridge.js";
+import { replaceDirectoryContents } from "./mirror.js";
+
+type CreateOpenShellSandboxBackendFactoryParams = {
+  pluginConfig: ResolvedOpenShellPluginConfig;
+};
+
+type PendingExec = {
+  sshSession: SshSandboxSession;
+};
+
+export type OpenShellSandboxBackend = SandboxBackendHandle &
+  RemoteShellSandboxHandle & {
+    mode: "mirror" | "remote";
+    syncLocalPathToRemote(localPath: string, remotePath: string): Promise<void>;
+  };
+
+export function createOpenShellSandboxBackendFactory(
+  params: CreateOpenShellSandboxBackendFactoryParams,
+): SandboxBackendFactory {
+  return async (createParams) =>
+    await createOpenShellSandboxBackend({
+      ...params,
+      createParams,
+    });
+}
+
+export function createOpenShellSandboxBackendManager(params: {
+  pluginConfig: ResolvedOpenShellPluginConfig;
+}): SandboxBackendManager {
+  return {
+    async describeRuntime({ entry, config }) {
+      const execContext: OpenShellExecContext = {
+        config: resolveOpenShellPluginConfigFromConfig(config, params.pluginConfig),
+        sandboxName: entry.containerName,
+      };
+      const result = await runOpenShellCli({
+        context: execContext,
+        args: ["sandbox", "get", entry.containerName],
+      });
+      const configuredSource = execContext.config.from;
+      return {
+        running: result.code === 0,
+        actualConfigLabel: entry.image,
+        configLabelMatch: entry.image === configuredSource,
+      };
+    },
+    async removeRuntime({ entry }) {
+      const execContext: OpenShellExecContext = {
+        config: params.pluginConfig,
+        sandboxName: entry.containerName,
+      };
+      await runOpenShellCli({
+        context: execContext,
+        args: ["sandbox", "delete", entry.containerName],
+      });
+    },
+  };
+}
+
+async function createOpenShellSandboxBackend(params: {
+  pluginConfig: ResolvedOpenShellPluginConfig;
+  createParams: CreateSandboxBackendParams;
+}): Promise<OpenShellSandboxBackend> {
+  if ((params.createParams.cfg.docker.binds?.length ?? 0) > 0) {
+    throw new Error("OpenShell sandbox backend does not support sandbox.docker.binds.");
+  }
+
+  const sandboxName = buildOpenShellSandboxName(params.createParams.scopeKey);
+  const execContext: OpenShellExecContext = {
+    config: params.pluginConfig,
+    sandboxName,
+  };
+  const impl = new OpenShellSandboxBackendImpl({
+    createParams: params.createParams,
+    execContext,
+    remoteWorkspaceDir: params.pluginConfig.remoteWorkspaceDir,
+    remoteAgentWorkspaceDir: params.pluginConfig.remoteAgentWorkspaceDir,
+  });
+
+  return {
+    id: "openshell",
+    runtimeId: sandboxName,
+    runtimeLabel: sandboxName,
+    workdir: params.pluginConfig.remoteWorkspaceDir,
+    env: params.createParams.cfg.docker.env,
+    mode: params.pluginConfig.mode,
+    configLabel: params.pluginConfig.from,
+    configLabelKind: "Source",
+    buildExecSpec: async ({ command, workdir, env, usePty }) => {
+      const pending = await impl.prepareExec({ command, workdir, env, usePty });
+      return {
+        argv: pending.argv,
+        env: process.env,
+        stdinMode: "pipe-open",
+        finalizeToken: pending.token,
+      };
+    },
+    finalizeExec: async ({ token }) => {
+      await impl.finalizeExec(token as PendingExec | undefined);
+    },
+    runShellCommand: async (command) => await impl.runRemoteShellScript(command),
+    createFsBridge: ({ sandbox }) =>
+      params.pluginConfig.mode === "remote"
+        ? createRemoteShellSandboxFsBridge({
+            sandbox,
+            runtime: impl.asHandle(),
+          })
+        : createOpenShellFsBridge({
+            sandbox,
+            backend: impl.asHandle(),
+          }),
+    remoteWorkspaceDir: params.pluginConfig.remoteWorkspaceDir,
+    remoteAgentWorkspaceDir: params.pluginConfig.remoteAgentWorkspaceDir,
+    runRemoteShellScript: async (command) => await impl.runRemoteShellScript(command),
+    syncLocalPathToRemote: async (localPath, remotePath) =>
+      await impl.syncLocalPathToRemote(localPath, remotePath),
+  };
+}
+
+class OpenShellSandboxBackendImpl {
+  private ensurePromise: Promise<void> | null = null;
+  private remoteSeedPending = false;
+
+  constructor(
+    private readonly params: {
+      createParams: CreateSandboxBackendParams;
+      execContext: OpenShellExecContext;
+      remoteWorkspaceDir: string;
+      remoteAgentWorkspaceDir: string;
+    },
+  ) {}
+
+  asHandle(): OpenShellSandboxBackend {
+    const self = this;
+    return {
+      id: "openshell",
+      runtimeId: this.params.execContext.sandboxName,
+      runtimeLabel: this.params.execContext.sandboxName,
+      workdir: this.params.remoteWorkspaceDir,
+      env: this.params.createParams.cfg.docker.env,
+      mode: this.params.execContext.config.mode,
+      configLabel: this.params.execContext.config.from,
+      configLabelKind: "Source",
+      remoteWorkspaceDir: this.params.remoteWorkspaceDir,
+      remoteAgentWorkspaceDir: this.params.remoteAgentWorkspaceDir,
+      buildExecSpec: async ({ command, workdir, env, usePty }) => {
+        const pending = await self.prepareExec({ command, workdir, env, usePty });
+        return {
+          argv: pending.argv,
+          env: process.env,
+          stdinMode: "pipe-open",
+          finalizeToken: pending.token,
+        };
+      },
+      finalizeExec: async ({ token }) => {
+        await self.finalizeExec(token as PendingExec | undefined);
+      },
+      runShellCommand: async (command) => await self.runRemoteShellScript(command),
+      createFsBridge: ({ sandbox }) =>
+        this.params.execContext.config.mode === "remote"
+          ? createRemoteShellSandboxFsBridge({
+              sandbox,
+              runtime: self.asHandle(),
+            })
+          : createOpenShellFsBridge({
+              sandbox,
+              backend: self.asHandle(),
+            }),
+      runRemoteShellScript: async (command) => await self.runRemoteShellScript(command),
+      syncLocalPathToRemote: async (localPath, remotePath) =>
+        await self.syncLocalPathToRemote(localPath, remotePath),
+    };
+  }
+
+  async prepareExec(params: {
+    command: string;
+    workdir?: string;
+    env: Record<string, string>;
+    usePty: boolean;
+  }): Promise<{ argv: string[]; token: PendingExec }> {
+    await this.ensureSandboxExists();
+    if (this.params.execContext.config.mode === "mirror") {
+      await this.syncWorkspaceToRemote();
+    } else {
+      await this.maybeSeedRemoteWorkspace();
+    }
+    const sshSession = await createOpenShellSshSession({
+      context: this.params.execContext,
+    });
+    const remoteCommand = buildExecRemoteCommand({
+      command: params.command,
+      workdir: params.workdir ?? this.params.remoteWorkspaceDir,
+      env: params.env,
+    });
+    return {
+      argv: [
+        "ssh",
+        "-F",
+        sshSession.configPath,
+        ...(params.usePty
+          ? ["-tt", "-o", "RequestTTY=force", "-o", "SetEnv=TERM=xterm-256color"]
+          : ["-T", "-o", "RequestTTY=no"]),
+        sshSession.host,
+        remoteCommand,
+      ],
+      token: { sshSession },
+    };
+  }
+
+  async finalizeExec(token?: PendingExec): Promise<void> {
+    try {
+      if (this.params.execContext.config.mode === "mirror") {
+        await this.syncWorkspaceFromRemote();
+      }
+    } finally {
+      if (token?.sshSession) {
+        await disposeSshSandboxSession(token.sshSession);
+      }
+    }
+  }
+
+  async runRemoteShellScript(
+    params: SandboxBackendCommandParams,
+  ): Promise<SandboxBackendCommandResult> {
+    await this.ensureSandboxExists();
+    await this.maybeSeedRemoteWorkspace();
+    return await this.runRemoteShellScriptInternal(params);
+  }
+
+  private async runRemoteShellScriptInternal(
+    params: SandboxBackendCommandParams,
+  ): Promise<SandboxBackendCommandResult> {
+    const session = await createOpenShellSshSession({
+      context: this.params.execContext,
+    });
+    try {
+      return await runSshSandboxCommand({
+        session,
+        remoteCommand: buildRemoteCommand([
+          "/bin/sh",
+          "-c",
+          params.script,
+          "openclaw-openshell-fs",
+          ...(params.args ?? []),
+        ]),
+        stdin: params.stdin,
+        allowFailure: params.allowFailure,
+        signal: params.signal,
+      });
+    } finally {
+      await disposeSshSandboxSession(session);
+    }
+  }
+
+  async syncLocalPathToRemote(localPath: string, remotePath: string): Promise<void> {
+    await this.ensureSandboxExists();
+    await this.maybeSeedRemoteWorkspace();
+    const stats = await fs.lstat(localPath).catch(() => null);
+    if (!stats) {
+      await this.runRemoteShellScript({
+        script: 'rm -rf -- "$1"',
+        args: [remotePath],
+        allowFailure: true,
+      });
+      return;
+    }
+    if (stats.isDirectory()) {
+      await this.runRemoteShellScript({
+        script: 'mkdir -p -- "$1"',
+        args: [remotePath],
+      });
+      return;
+    }
+    await this.runRemoteShellScript({
+      script: 'mkdir -p -- "$(dirname -- "$1")"',
+      args: [remotePath],
+    });
+    const result = await runOpenShellCli({
+      context: this.params.execContext,
+      args: [
+        "sandbox",
+        "upload",
+        "--no-git-ignore",
+        this.params.execContext.sandboxName,
+        localPath,
+        path.posix.dirname(remotePath),
+      ],
+      cwd: this.params.createParams.workspaceDir,
+    });
+    if (result.code !== 0) {
+      throw new Error(result.stderr.trim() || "openshell sandbox upload failed");
+    }
+  }
+
+  private async ensureSandboxExists(): Promise<void> {
+    if (this.ensurePromise) {
+      return await this.ensurePromise;
+    }
+    this.ensurePromise = this.ensureSandboxExistsInner();
+    try {
+      await this.ensurePromise;
+    } catch (error) {
+      this.ensurePromise = null;
+      throw error;
+    }
+  }
+
+  private async ensureSandboxExistsInner(): Promise<void> {
+    const getResult = await runOpenShellCli({
+      context: this.params.execContext,
+      args: ["sandbox", "get", this.params.execContext.sandboxName],
+      cwd: this.params.createParams.workspaceDir,
+    });
+    if (getResult.code === 0) {
+      return;
+    }
+    const createArgs = [
+      "sandbox",
+      "create",
+      "--name",
+      this.params.execContext.sandboxName,
+      "--from",
+      this.params.execContext.config.from,
+      ...(this.params.execContext.config.policy
+        ? ["--policy", this.params.execContext.config.policy]
+        : []),
+      ...(this.params.execContext.config.gpu ? ["--gpu"] : []),
+      ...(this.params.execContext.config.autoProviders
+        ? ["--auto-providers"]
+        : ["--no-auto-providers"]),
+      ...this.params.execContext.config.providers.flatMap((provider) => ["--provider", provider]),
+      "--",
+      "true",
+    ];
+    const createResult = await runOpenShellCli({
+      context: this.params.execContext,
+      args: createArgs,
+      cwd: this.params.createParams.workspaceDir,
+      timeoutMs: Math.max(this.params.execContext.config.timeoutMs, 300_000),
+    });
+    if (createResult.code !== 0) {
+      throw new Error(createResult.stderr.trim() || "openshell sandbox create failed");
+    }
+    this.remoteSeedPending = true;
+  }
+
+  private async syncWorkspaceToRemote(): Promise<void> {
+    await this.runRemoteShellScriptInternal({
+      script: 'mkdir -p -- "$1" && find "$1" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +',
+      args: [this.params.remoteWorkspaceDir],
+    });
+    await this.uploadPathToRemote(
+      this.params.createParams.workspaceDir,
+      this.params.remoteWorkspaceDir,
+    );
+
+    if (
+      this.params.createParams.cfg.workspaceAccess !== "none" &&
+      path.resolve(this.params.createParams.agentWorkspaceDir) !==
+        path.resolve(this.params.createParams.workspaceDir)
+    ) {
+      await this.runRemoteShellScriptInternal({
+        script: 'mkdir -p -- "$1" && find "$1" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +',
+        args: [this.params.remoteAgentWorkspaceDir],
+      });
+      await this.uploadPathToRemote(
+        this.params.createParams.agentWorkspaceDir,
+        this.params.remoteAgentWorkspaceDir,
+      );
+    }
+  }
+
+  private async syncWorkspaceFromRemote(): Promise<void> {
+    const tmpDir = await fs.mkdtemp(
+      path.join(resolveOpenShellTmpRoot(), "openclaw-openshell-sync-"),
+    );
+    try {
+      const result = await runOpenShellCli({
+        context: this.params.execContext,
+        args: [
+          "sandbox",
+          "download",
+          this.params.execContext.sandboxName,
+          this.params.remoteWorkspaceDir,
+          tmpDir,
+        ],
+        cwd: this.params.createParams.workspaceDir,
+      });
+      if (result.code !== 0) {
+        throw new Error(result.stderr.trim() || "openshell sandbox download failed");
+      }
+      await replaceDirectoryContents({
+        sourceDir: tmpDir,
+        targetDir: this.params.createParams.workspaceDir,
+      });
+    } finally {
+      await fs.rm(tmpDir, { recursive: true, force: true });
+    }
+  }
+
+  private async uploadPathToRemote(localPath: string, remotePath: string): Promise<void> {
+    const result = await runOpenShellCli({
+      context: this.params.execContext,
+      args: [
+        "sandbox",
+        "upload",
+        "--no-git-ignore",
+        this.params.execContext.sandboxName,
+        localPath,
+        remotePath,
+      ],
+      cwd: this.params.createParams.workspaceDir,
+    });
+    if (result.code !== 0) {
+      throw new Error(result.stderr.trim() || "openshell sandbox upload failed");
+    }
+  }
+
+  private async maybeSeedRemoteWorkspace(): Promise<void> {
+    if (!this.remoteSeedPending) {
+      return;
+    }
+    this.remoteSeedPending = false;
+    try {
+      await this.syncWorkspaceToRemote();
+    } catch (error) {
+      this.remoteSeedPending = true;
+      throw error;
+    }
+  }
+}
+
+function resolveOpenShellPluginConfigFromConfig(
+  config: OpenClawConfig,
+  fallback: ResolvedOpenShellPluginConfig,
+): ResolvedOpenShellPluginConfig {
+  const pluginConfig = config.plugins?.entries?.openshell?.config;
+  if (!pluginConfig) {
+    return fallback;
+  }
+  return resolveOpenShellPluginConfig(pluginConfig);
+}
+
+function buildOpenShellSandboxName(scopeKey: string): string {
+  const trimmed = scopeKey.trim() || "session";
+  const safe = trimmed
+    .toLowerCase()
+    .replace(/[^a-z0-9._-]+/g, "-")
+    .replace(/^-+|-+$/g, "")
+    .slice(0, 32);
+  const hash = Array.from(trimmed).reduce(
+    (acc, char) => ((acc * 33) ^ char.charCodeAt(0)) >>> 0,
+    5381,
+  );
+  return `openclaw-${safe || "session"}-${hash.toString(16).slice(0, 8)}`;
+}
+
+function resolveOpenShellTmpRoot(): string {
+  return path.resolve(resolvePreferredOpenClawTmpDir() ?? os.tmpdir());
+}
diff --git a/extensions/openshell/src/cli.test.ts b/extensions/openshell/src/cli.test.ts
new file mode 100644
index 00000000000..d039a571ebc
--- /dev/null
+++ b/extensions/openshell/src/cli.test.ts
@@ -0,0 +1,37 @@
+import { describe, expect, it } from "vitest";
+import { buildExecRemoteCommand, buildOpenShellBaseArgv, shellEscape } from "./cli.js";
+import { resolveOpenShellPluginConfig } from "./config.js";
+
+describe("openshell cli helpers", () => {
+  it("builds base argv with gateway overrides", () => {
+    const config = resolveOpenShellPluginConfig({
+      command: "/usr/local/bin/openshell",
+      gateway: "lab",
+      gatewayEndpoint: "https://lab.example",
+    });
+    expect(buildOpenShellBaseArgv(config)).toEqual([
+      "/usr/local/bin/openshell",
+      "--gateway",
+      "lab",
+      "--gateway-endpoint",
+      "https://lab.example",
+    ]);
+  });
+
+  it("shell escapes single quotes", () => {
+    expect(shellEscape(`a'b`)).toBe(`'a'"'"'b'`);
+  });
+
+  it("wraps exec commands with env and workdir", () => {
+    const command = buildExecRemoteCommand({
+      command: "pwd && printenv TOKEN",
+      workdir: "/sandbox/project",
+      env: {
+        TOKEN: "abc 123",
+      },
+    });
+    expect(command).toContain(`'env'`);
+    expect(command).toContain(`'TOKEN=abc 123'`);
+    expect(command).toContain(`'cd '"'"'/sandbox/project'"'"' && pwd && printenv TOKEN'`);
+  });
+});
diff --git a/extensions/openshell/src/cli.ts b/extensions/openshell/src/cli.ts
new file mode 100644
index 00000000000..411166520e7
--- /dev/null
+++ b/extensions/openshell/src/cli.ts
@@ -0,0 +1,60 @@
+import {
+  buildExecRemoteCommand,
+  createSshSandboxSessionFromConfigText,
+  runPluginCommandWithTimeout,
+  shellEscape,
+  type SshSandboxSession,
+} from "openclaw/plugin-sdk/core";
+import type { ResolvedOpenShellPluginConfig } from "./config.js";
+
+export { buildExecRemoteCommand, shellEscape } from "openclaw/plugin-sdk/core";
+
+export type OpenShellExecContext = {
+  config: ResolvedOpenShellPluginConfig;
+  sandboxName: string;
+  timeoutMs?: number;
+};
+
+export function buildOpenShellBaseArgv(config: ResolvedOpenShellPluginConfig): string[] {
+  const argv = [config.command];
+  if (config.gateway) {
+    argv.push("--gateway", config.gateway);
+  }
+  if (config.gatewayEndpoint) {
+    argv.push("--gateway-endpoint", config.gatewayEndpoint);
+  }
+  return argv;
+}
+
+export function buildRemoteCommand(argv: string[]): string {
+  return argv.map((entry) => shellEscape(entry)).join(" ");
+}
+
+export async function runOpenShellCli(params: {
+  context: OpenShellExecContext;
+  args: string[];
+  cwd?: string;
+  timeoutMs?: number;
+}): Promise<{ code: number; stdout: string; stderr: string }> {
+  return await runPluginCommandWithTimeout({
+    argv: [...buildOpenShellBaseArgv(params.context.config), ...params.args],
+    cwd: params.cwd,
+    timeoutMs: params.timeoutMs ?? params.context.timeoutMs ?? params.context.config.timeoutMs,
+    env: process.env,
+  });
+}
+
+export async function createOpenShellSshSession(params: {
+  context: OpenShellExecContext;
+}): Promise<SshSandboxSession> {
+  const result = await runOpenShellCli({
+    context: params.context,
+    args: ["sandbox", "ssh-config", params.context.sandboxName],
+  });
+  if (result.code !== 0) {
+    throw new Error(result.stderr.trim() || "openshell sandbox ssh-config failed");
+  }
+  return await createSshSandboxSessionFromConfigText({
+    configText: result.stdout,
+  });
+}
diff --git a/extensions/openshell/src/config.test.ts b/extensions/openshell/src/config.test.ts
new file mode 100644
index 00000000000..f46fec1cd46
--- /dev/null
+++ b/extensions/openshell/src/config.test.ts
@@ -0,0 +1,41 @@
+import { describe, expect, it } from "vitest";
+import { resolveOpenShellPluginConfig } from "./config.js";
+
+describe("openshell plugin config", () => {
+  it("applies defaults", () => {
+    expect(resolveOpenShellPluginConfig(undefined)).toEqual({
+      mode: "mirror",
+      command: "openshell",
+      gateway: undefined,
+      gatewayEndpoint: undefined,
+      from: "openclaw",
+      policy: undefined,
+      providers: [],
+      gpu: false,
+      autoProviders: true,
+      remoteWorkspaceDir: "/sandbox",
+      remoteAgentWorkspaceDir: "/agent",
+      timeoutMs: 120_000,
+    });
+  });
+
+  it("accepts remote mode", () => {
+    expect(resolveOpenShellPluginConfig({ mode: "remote" }).mode).toBe("remote");
+  });
+
+  it("rejects relative remote paths", () => {
+    expect(() =>
+      resolveOpenShellPluginConfig({
+        remoteWorkspaceDir: "sandbox",
+      }),
+    ).toThrow("OpenShell remote path must be absolute");
+  });
+
+  it("rejects unknown mode", () => {
+    expect(() =>
+      resolveOpenShellPluginConfig({
+        mode: "bogus",
+      }),
+    ).toThrow("mode must be one of mirror, remote");
+  });
+});
diff --git a/extensions/openshell/src/config.ts b/extensions/openshell/src/config.ts
new file mode 100644
index 00000000000..58b40180cd9
--- /dev/null
+++ b/extensions/openshell/src/config.ts
@@ -0,0 +1,236 @@
+import path from "node:path";
+import type { OpenClawPluginConfigSchema } from "openclaw/plugin-sdk/core";
+
+export type OpenShellPluginConfig = {
+  mode?: string;
+  command?: string;
+  gateway?: string;
+  gatewayEndpoint?: string;
+  from?: string;
+  policy?: string;
+  providers?: string[];
+  gpu?: boolean;
+  autoProviders?: boolean;
+  remoteWorkspaceDir?: string;
+  remoteAgentWorkspaceDir?: string;
+  timeoutSeconds?: number;
+};
+
+export type ResolvedOpenShellPluginConfig = {
+  mode: "mirror" | "remote";
+  command: string;
+  gateway?: string;
+  gatewayEndpoint?: string;
+  from: string;
+  policy?: string;
+  providers: string[];
+  gpu: boolean;
+  autoProviders: boolean;
+  remoteWorkspaceDir: string;
+  remoteAgentWorkspaceDir: string;
+  timeoutMs: number;
+};
+
+const DEFAULT_COMMAND = "openshell";
+const DEFAULT_MODE = "mirror";
+const DEFAULT_SOURCE = "openclaw";
+const DEFAULT_REMOTE_WORKSPACE_DIR = "/sandbox";
+const DEFAULT_REMOTE_AGENT_WORKSPACE_DIR = "/agent";
+const DEFAULT_TIMEOUT_MS = 120_000;
+
+type ParseSuccess = { success: true; data?: OpenShellPluginConfig };
+type ParseFailure = {
+  success: false;
+  error: {
+    issues: Array<{ path: Array<string | number>; message: string }>;
+  };
+};
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+function trimString(value: unknown): string | undefined {
+  if (typeof value !== "string") {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  return trimmed || undefined;
+}
+
+function normalizeProviders(value: unknown): string[] | null {
+  if (value === undefined) {
+    return [];
+  }
+  if (!Array.isArray(value)) {
+    return null;
+  }
+  const seen = new Set<string>();
+  const providers: string[] = [];
+  for (const entry of value) {
+    if (typeof entry !== "string" || !entry.trim()) {
+      return null;
+    }
+    const normalized = entry.trim();
+    if (seen.has(normalized)) {
+      continue;
+    }
+    seen.add(normalized);
+    providers.push(normalized);
+  }
+  return providers;
+}
+
+function normalizeRemotePath(value: string | undefined, fallback: string): string {
+  const candidate = value ?? fallback;
+  const normalized = path.posix.normalize(candidate.trim() || fallback);
+  if (!normalized.startsWith("/")) {
+    throw new Error(`OpenShell remote path must be absolute: ${candidate}`);
+  }
+  return normalized;
+}
+
+export function createOpenShellPluginConfigSchema(): OpenClawPluginConfigSchema {
+  const safeParse = (value: unknown): ParseSuccess | ParseFailure => {
+    if (value === undefined) {
+      return { success: true, data: undefined };
+    }
+    if (!isRecord(value)) {
+      return {
+        success: false,
+        error: { issues: [{ path: [], message: "expected config object" }] },
+      };
+    }
+    const allowedKeys = new Set([
+      "mode",
+      "command",
+      "gateway",
+      "gatewayEndpoint",
+      "from",
+      "policy",
+      "providers",
+      "gpu",
+      "autoProviders",
+      "remoteWorkspaceDir",
+      "remoteAgentWorkspaceDir",
+      "timeoutSeconds",
+    ]);
+    for (const key of Object.keys(value)) {
+      if (!allowedKeys.has(key)) {
+        return {
+          success: false,
+          error: { issues: [{ path: [key], message: `unknown config key: ${key}` }] },
+        };
+      }
+    }
+
+    const providers = normalizeProviders(value.providers);
+    if (providers === null) {
+      return {
+        success: false,
+        error: {
+          issues: [{ path: ["providers"], message: "providers must be an array of strings" }],
+        },
+      };
+    }
+
+    const timeoutSeconds = value.timeoutSeconds;
+    if (
+      timeoutSeconds !== undefined &&
+      (typeof timeoutSeconds !== "number" || !Number.isFinite(timeoutSeconds) || timeoutSeconds < 1)
+    ) {
+      return {
+        success: false,
+        error: {
+          issues: [{ path: ["timeoutSeconds"], message: "timeoutSeconds must be a number >= 1" }],
+        },
+      };
+    }
+
+    for (const key of ["gpu", "autoProviders"] as const) {
+      const candidate = value[key];
+      if (candidate !== undefined && typeof candidate !== "boolean") {
+        return {
+          success: false,
+          error: { issues: [{ path: [key], message: `${key} must be a boolean` }] },
+        };
+      }
+    }
+
+    return {
+      success: true,
+      data: {
+        mode: trimString(value.mode),
+        command: trimString(value.command),
+        gateway: trimString(value.gateway),
+        gatewayEndpoint: trimString(value.gatewayEndpoint),
+        from: trimString(value.from),
+        policy: trimString(value.policy),
+        providers,
+        gpu: value.gpu as boolean | undefined,
+        autoProviders: value.autoProviders as boolean | undefined,
+        remoteWorkspaceDir: trimString(value.remoteWorkspaceDir),
+        remoteAgentWorkspaceDir: trimString(value.remoteAgentWorkspaceDir),
+        timeoutSeconds: timeoutSeconds as number | undefined,
+      },
+    };
+  };
+
+  return {
+    safeParse,
+    jsonSchema: {
+      type: "object",
+      additionalProperties: false,
+      properties: {
+        command: { type: "string" },
+        mode: { type: "string", enum: ["mirror", "remote"] },
+        gateway: { type: "string" },
+        gatewayEndpoint: { type: "string" },
+        from: { type: "string" },
+        policy: { type: "string" },
+        providers: { type: "array", items: { type: "string" } },
+        gpu: { type: "boolean" },
+        autoProviders: { type: "boolean" },
+        remoteWorkspaceDir: { type: "string" },
+        remoteAgentWorkspaceDir: { type: "string" },
+        timeoutSeconds: { type: "number", minimum: 1 },
+      },
+    },
+  };
+}
+
+export function resolveOpenShellPluginConfig(value: unknown): ResolvedOpenShellPluginConfig {
+  const parsed = createOpenShellPluginConfigSchema().safeParse?.(value);
+  if (!parsed || !parsed.success) {
+    const issues = parsed && !parsed.success ? parsed.error?.issues : undefined;
+    const message =
+      issues?.map((issue: { message: string }) => issue.message).join(", ") || "invalid config";
+    throw new Error(`Invalid openshell plugin config: ${message}`);
+  }
+  const raw = parsed.data ?? {};
+  const cfg = (raw ?? {}) as OpenShellPluginConfig;
+  const mode = cfg.mode ?? DEFAULT_MODE;
+  if (mode !== "mirror" && mode !== "remote") {
+    throw new Error(`Invalid openshell plugin config: mode must be one of mirror, remote`);
+  }
+  return {
+    mode,
+    command: cfg.command ?? DEFAULT_COMMAND,
+    gateway: cfg.gateway,
+    gatewayEndpoint: cfg.gatewayEndpoint,
+    from: cfg.from ?? DEFAULT_SOURCE,
+    policy: cfg.policy,
+    providers: cfg.providers ?? [],
+    gpu: cfg.gpu ?? false,
+    autoProviders: cfg.autoProviders ?? true,
+    remoteWorkspaceDir: normalizeRemotePath(cfg.remoteWorkspaceDir, DEFAULT_REMOTE_WORKSPACE_DIR),
+    remoteAgentWorkspaceDir: normalizeRemotePath(
+      cfg.remoteAgentWorkspaceDir,
+      DEFAULT_REMOTE_AGENT_WORKSPACE_DIR,
+    ),
+    timeoutMs:
+      typeof cfg.timeoutSeconds === "number"
+        ? Math.floor(cfg.timeoutSeconds * 1000)
+        : DEFAULT_TIMEOUT_MS,
+  };
+}
diff --git a/extensions/openshell/src/fs-bridge.test.ts b/extensions/openshell/src/fs-bridge.test.ts
new file mode 100644
index 00000000000..67a3edc5bcc
--- /dev/null
+++ b/extensions/openshell/src/fs-bridge.test.ts
@@ -0,0 +1,88 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { createSandboxTestContext } from "../../../src/agents/sandbox/test-fixtures.js";
+import type { OpenShellSandboxBackend } from "./backend.js";
+import { createOpenShellFsBridge } from "./fs-bridge.js";
+
+const tempDirs: string[] = [];
+
+async function makeTempDir() {
+  const dir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-openshell-fs-"));
+  tempDirs.push(dir);
+  return dir;
+}
+
+afterEach(async () => {
+  await Promise.all(tempDirs.splice(0).map((dir) => fs.rm(dir, { recursive: true, force: true })));
+});
+
+function createBackendMock(): OpenShellSandboxBackend {
+  return {
+    id: "openshell",
+    runtimeId: "openshell-test",
+    runtimeLabel: "openshell-test",
+    workdir: "/sandbox",
+    env: {},
+    remoteWorkspaceDir: "/sandbox",
+    remoteAgentWorkspaceDir: "/agent",
+    buildExecSpec: vi.fn(),
+    runShellCommand: vi.fn(),
+    runRemoteShellScript: vi.fn().mockResolvedValue({
+      stdout: Buffer.alloc(0),
+      stderr: Buffer.alloc(0),
+      code: 0,
+    }),
+    syncLocalPathToRemote: vi.fn().mockResolvedValue(undefined),
+  } as unknown as OpenShellSandboxBackend;
+}
+
+describe("openshell fs bridge", () => {
+  it("writes locally and syncs the file to the remote workspace", async () => {
+    const workspaceDir = await makeTempDir();
+    const backend = createBackendMock();
+    const sandbox = createSandboxTestContext({
+      overrides: {
+        backendId: "openshell",
+        workspaceDir,
+        agentWorkspaceDir: workspaceDir,
+        containerWorkdir: "/sandbox",
+      },
+    });
+
+    const bridge = createOpenShellFsBridge({ sandbox, backend });
+    await bridge.writeFile({
+      filePath: "nested/file.txt",
+      data: "hello",
+      mkdir: true,
+    });
+
+    expect(await fs.readFile(path.join(workspaceDir, "nested", "file.txt"), "utf8")).toBe("hello");
+    expect(backend.syncLocalPathToRemote).toHaveBeenCalledWith(
+      path.join(workspaceDir, "nested", "file.txt"),
+      "/sandbox/nested/file.txt",
+    );
+  });
+
+  it("maps agent mount paths when the sandbox workspace is read-only", async () => {
+    const workspaceDir = await makeTempDir();
+    const agentWorkspaceDir = await makeTempDir();
+    await fs.writeFile(path.join(agentWorkspaceDir, "note.txt"), "agent", "utf8");
+    const backend = createBackendMock();
+    const sandbox = createSandboxTestContext({
+      overrides: {
+        backendId: "openshell",
+        workspaceDir,
+        agentWorkspaceDir,
+        workspaceAccess: "ro",
+        containerWorkdir: "/sandbox",
+      },
+    });
+
+    const bridge = createOpenShellFsBridge({ sandbox, backend });
+    const resolved = bridge.resolvePath({ filePath: "/agent/note.txt" });
+    expect(resolved.hostPath).toBe(path.join(agentWorkspaceDir, "note.txt"));
+    expect(await bridge.readFile({ filePath: "/agent/note.txt" })).toEqual(Buffer.from("agent"));
+  });
+});
diff --git a/extensions/openshell/src/fs-bridge.ts b/extensions/openshell/src/fs-bridge.ts
new file mode 100644
index 00000000000..00257e81be4
--- /dev/null
+++ b/extensions/openshell/src/fs-bridge.ts
@@ -0,0 +1,355 @@
+import fsPromises from "node:fs/promises";
+import path from "node:path";
+import type {
+  SandboxContext,
+  SandboxFsBridge,
+  SandboxFsStat,
+  SandboxResolvedPath,
+} from "openclaw/plugin-sdk/core";
+import type { OpenShellSandboxBackend } from "./backend.js";
+import { movePathWithCopyFallback } from "./mirror.js";
+
+type ResolvedMountPath = SandboxResolvedPath & {
+  mountHostRoot: string;
+  writable: boolean;
+  source: "workspace" | "agent";
+};
+
+export function createOpenShellFsBridge(params: {
+  sandbox: SandboxContext;
+  backend: OpenShellSandboxBackend;
+}): SandboxFsBridge {
+  return new OpenShellFsBridge(params.sandbox, params.backend);
+}
+
+class OpenShellFsBridge implements SandboxFsBridge {
+  constructor(
+    private readonly sandbox: SandboxContext,
+    private readonly backend: OpenShellSandboxBackend,
+  ) {}
+
+  resolvePath(params: { filePath: string; cwd?: string }): SandboxResolvedPath {
+    const target = this.resolveTarget(params);
+    return {
+      hostPath: target.hostPath,
+      relativePath: target.relativePath,
+      containerPath: target.containerPath,
+    };
+  }
+
+  async readFile(params: {
+    filePath: string;
+    cwd?: string;
+    signal?: AbortSignal;
+  }): Promise<Buffer> {
+    const target = this.resolveTarget(params);
+    const hostPath = this.requireHostPath(target);
+    await assertLocalPathSafety({
+      target,
+      root: target.mountHostRoot,
+      allowMissingLeaf: false,
+      allowFinalSymlinkForUnlink: false,
+    });
+    return await fsPromises.readFile(hostPath);
+  }
+
+  async writeFile(params: {
+    filePath: string;
+    cwd?: string;
+    data: Buffer | string;
+    encoding?: BufferEncoding;
+    mkdir?: boolean;
+    signal?: AbortSignal;
+  }): Promise<void> {
+    const target = this.resolveTarget(params);
+    const hostPath = this.requireHostPath(target);
+    this.ensureWritable(target, "write files");
+    await assertLocalPathSafety({
+      target,
+      root: target.mountHostRoot,
+      allowMissingLeaf: true,
+      allowFinalSymlinkForUnlink: false,
+    });
+    const buffer = Buffer.isBuffer(params.data)
+      ? params.data
+      : Buffer.from(params.data, params.encoding ?? "utf8");
+    const parentDir = path.dirname(hostPath);
+    if (params.mkdir !== false) {
+      await fsPromises.mkdir(parentDir, { recursive: true });
+    }
+    const tempPath = path.join(
+      parentDir,
+      `.openclaw-openshell-write-${path.basename(hostPath)}-${process.pid}-${Date.now()}`,
+    );
+    await fsPromises.writeFile(tempPath, buffer);
+    await fsPromises.rename(tempPath, hostPath);
+    await this.backend.syncLocalPathToRemote(hostPath, target.containerPath);
+  }
+
+  async mkdirp(params: { filePath: string; cwd?: string; signal?: AbortSignal }): Promise<void> {
+    const target = this.resolveTarget(params);
+    const hostPath = this.requireHostPath(target);
+    this.ensureWritable(target, "create directories");
+    await assertLocalPathSafety({
+      target,
+      root: target.mountHostRoot,
+      allowMissingLeaf: true,
+      allowFinalSymlinkForUnlink: false,
+    });
+    await fsPromises.mkdir(hostPath, { recursive: true });
+    await this.backend.runRemoteShellScript({
+      script: 'mkdir -p -- "$1"',
+      args: [target.containerPath],
+      signal: params.signal,
+    });
+  }
+
+  async remove(params: {
+    filePath: string;
+    cwd?: string;
+    recursive?: boolean;
+    force?: boolean;
+    signal?: AbortSignal;
+  }): Promise<void> {
+    const target = this.resolveTarget(params);
+    const hostPath = this.requireHostPath(target);
+    this.ensureWritable(target, "remove files");
+    await assertLocalPathSafety({
+      target,
+      root: target.mountHostRoot,
+      allowMissingLeaf: params.force !== false,
+      allowFinalSymlinkForUnlink: true,
+    });
+    await fsPromises.rm(hostPath, {
+      recursive: params.recursive ?? false,
+      force: params.force !== false,
+    });
+    await this.backend.runRemoteShellScript({
+      script: params.recursive
+        ? 'rm -rf -- "$1"'
+        : 'if [ -d "$1" ] && [ ! -L "$1" ]; then rmdir -- "$1"; elif [ -e "$1" ] || [ -L "$1" ]; then rm -f -- "$1"; fi',
+      args: [target.containerPath],
+      signal: params.signal,
+      allowFailure: params.force !== false,
+    });
+  }
+
+  async rename(params: {
+    from: string;
+    to: string;
+    cwd?: string;
+    signal?: AbortSignal;
+  }): Promise<void> {
+    const from = this.resolveTarget({ filePath: params.from, cwd: params.cwd });
+    const to = this.resolveTarget({ filePath: params.to, cwd: params.cwd });
+    const fromHostPath = this.requireHostPath(from);
+    const toHostPath = this.requireHostPath(to);
+    this.ensureWritable(from, "rename files");
+    this.ensureWritable(to, "rename files");
+    await assertLocalPathSafety({
+      target: from,
+      root: from.mountHostRoot,
+      allowMissingLeaf: false,
+      allowFinalSymlinkForUnlink: true,
+    });
+    await assertLocalPathSafety({
+      target: to,
+      root: to.mountHostRoot,
+      allowMissingLeaf: true,
+      allowFinalSymlinkForUnlink: false,
+    });
+    await fsPromises.mkdir(path.dirname(toHostPath), { recursive: true });
+    await movePathWithCopyFallback({ from: fromHostPath, to: toHostPath });
+    await this.backend.runRemoteShellScript({
+      script: 'mkdir -p -- "$(dirname -- "$2")" && mv -- "$1" "$2"',
+      args: [from.containerPath, to.containerPath],
+      signal: params.signal,
+    });
+  }
+
+  async stat(params: {
+    filePath: string;
+    cwd?: string;
+    signal?: AbortSignal;
+  }): Promise<SandboxFsStat | null> {
+    const target = this.resolveTarget(params);
+    const hostPath = this.requireHostPath(target);
+    const stats = await fsPromises.lstat(hostPath).catch(() => null);
+    if (!stats) {
+      return null;
+    }
+    await assertLocalPathSafety({
+      target,
+      root: target.mountHostRoot,
+      allowMissingLeaf: false,
+      allowFinalSymlinkForUnlink: false,
+    });
+    return {
+      type: stats.isDirectory() ? "directory" : stats.isFile() ? "file" : "other",
+      size: stats.size,
+      mtimeMs: stats.mtimeMs,
+    };
+  }
+
+  private ensureWritable(target: ResolvedMountPath, action: string) {
+    if (this.sandbox.workspaceAccess !== "rw" || !target.writable) {
+      throw new Error(`Sandbox path is read-only; cannot ${action}: ${target.containerPath}`);
+    }
+  }
+
+  private requireHostPath(target: ResolvedMountPath): string {
+    if (!target.hostPath) {
+      throw new Error(
+        `OpenShell mirror bridge requires a local host path: ${target.containerPath}`,
+      );
+    }
+    return target.hostPath;
+  }
+
+  private resolveTarget(params: { filePath: string; cwd?: string }): ResolvedMountPath {
+    const workspaceRoot = path.resolve(this.sandbox.workspaceDir);
+    const agentRoot = path.resolve(this.sandbox.agentWorkspaceDir);
+    const hasAgentMount = this.sandbox.workspaceAccess !== "none" && workspaceRoot !== agentRoot;
+    const agentContainerRoot = (this.backend.remoteAgentWorkspaceDir || "/agent").replace(
+      /\\/g,
+      "/",
+    );
+    const workspaceContainerRoot = this.sandbox.containerWorkdir.replace(/\\/g, "/");
+    const input = params.filePath.trim();
+
+    if (input.startsWith(`${workspaceContainerRoot}/`) || input === workspaceContainerRoot) {
+      const relative = path.posix.relative(workspaceContainerRoot, input) || "";
+      const hostPath = relative
+        ? path.resolve(workspaceRoot, ...relative.split("/"))
+        : workspaceRoot;
+      return {
+        hostPath,
+        relativePath: relative,
+        containerPath: relative
+          ? path.posix.join(workspaceContainerRoot, relative)
+          : workspaceContainerRoot,
+        mountHostRoot: workspaceRoot,
+        writable: this.sandbox.workspaceAccess === "rw",
+        source: "workspace",
+      };
+    }
+
+    if (
+      hasAgentMount &&
+      (input.startsWith(`${agentContainerRoot}/`) || input === agentContainerRoot)
+    ) {
+      const relative = path.posix.relative(agentContainerRoot, input) || "";
+      const hostPath = relative ? path.resolve(agentRoot, ...relative.split("/")) : agentRoot;
+      return {
+        hostPath,
+        relativePath: relative ? agentContainerRoot + "/" + relative : agentContainerRoot,
+        containerPath: relative
+          ? path.posix.join(agentContainerRoot, relative)
+          : agentContainerRoot,
+        mountHostRoot: agentRoot,
+        writable: this.sandbox.workspaceAccess === "rw",
+        source: "agent",
+      };
+    }
+
+    const cwd = params.cwd ? path.resolve(params.cwd) : workspaceRoot;
+    const hostPath = path.isAbsolute(input) ? path.resolve(input) : path.resolve(cwd, input);
+
+    if (isPathInside(workspaceRoot, hostPath)) {
+      const relative = path.relative(workspaceRoot, hostPath).split(path.sep).join(path.posix.sep);
+      return {
+        hostPath,
+        relativePath: relative,
+        containerPath: relative
+          ? path.posix.join(workspaceContainerRoot, relative)
+          : workspaceContainerRoot,
+        mountHostRoot: workspaceRoot,
+        writable: this.sandbox.workspaceAccess === "rw",
+        source: "workspace",
+      };
+    }
+
+    if (hasAgentMount && isPathInside(agentRoot, hostPath)) {
+      const relative = path.relative(agentRoot, hostPath).split(path.sep).join(path.posix.sep);
+      return {
+        hostPath,
+        relativePath: relative ? `${agentContainerRoot}/${relative}` : agentContainerRoot,
+        containerPath: relative
+          ? path.posix.join(agentContainerRoot, relative)
+          : agentContainerRoot,
+        mountHostRoot: agentRoot,
+        writable: this.sandbox.workspaceAccess === "rw",
+        source: "agent",
+      };
+    }
+
+    throw new Error(`Path escapes sandbox root (${workspaceRoot}): ${params.filePath}`);
+  }
+}
+
+function isPathInside(root: string, target: string): boolean {
+  const relative = path.relative(root, target);
+  return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
+}
+
+async function assertLocalPathSafety(params: {
+  target: ResolvedMountPath;
+  root: string;
+  allowMissingLeaf: boolean;
+  allowFinalSymlinkForUnlink: boolean;
+}): Promise<void> {
+  if (!params.target.hostPath) {
+    throw new Error(`Missing local host path for ${params.target.containerPath}`);
+  }
+  const canonicalRoot = await fsPromises
+    .realpath(params.root)
+    .catch(() => path.resolve(params.root));
+  const candidate = await resolveCanonicalCandidate(params.target.hostPath);
+  if (!isPathInside(canonicalRoot, candidate)) {
+    throw new Error(
+      `Sandbox path escapes allowed mounts; cannot access: ${params.target.containerPath}`,
+    );
+  }
+
+  const relative = path.relative(params.root, params.target.hostPath);
+  const segments = relative
+    .split(path.sep)
+    .filter(Boolean)
+    .slice(0, Math.max(0, relative.split(path.sep).filter(Boolean).length));
+  let cursor = params.root;
+  for (let index = 0; index < segments.length; index += 1) {
+    cursor = path.join(cursor, segments[index]!);
+    const stats = await fsPromises.lstat(cursor).catch(() => null);
+    if (!stats) {
+      if (index === segments.length - 1 && params.allowMissingLeaf) {
+        return;
+      }
+      continue;
+    }
+    const isFinal = index === segments.length - 1;
+    if (stats.isSymbolicLink() && (!isFinal || !params.allowFinalSymlinkForUnlink)) {
+      throw new Error(`Sandbox boundary checks failed: ${params.target.containerPath}`);
+    }
+  }
+}
+
+async function resolveCanonicalCandidate(targetPath: string): Promise<string> {
+  const missing: string[] = [];
+  let cursor = path.resolve(targetPath);
+  while (true) {
+    const exists = await fsPromises
+      .lstat(cursor)
+      .then(() => true)
+      .catch(() => false);
+    if (exists) {
+      const canonical = await fsPromises.realpath(cursor).catch(() => cursor);
+      return path.resolve(canonical, ...missing);
+    }
+    const parent = path.dirname(cursor);
+    if (parent === cursor) {
+      return path.resolve(cursor, ...missing);
+    }
+    missing.unshift(path.basename(cursor));
+    cursor = parent;
+  }
+}
diff --git a/extensions/openshell/src/mirror.ts b/extensions/openshell/src/mirror.ts
new file mode 100644
index 00000000000..ee5024850d6
--- /dev/null
+++ b/extensions/openshell/src/mirror.ts
@@ -0,0 +1,47 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+
+export async function replaceDirectoryContents(params: {
+  sourceDir: string;
+  targetDir: string;
+}): Promise<void> {
+  await fs.mkdir(params.targetDir, { recursive: true });
+  const existing = await fs.readdir(params.targetDir);
+  await Promise.all(
+    existing.map((entry) =>
+      fs.rm(path.join(params.targetDir, entry), {
+        recursive: true,
+        force: true,
+      }),
+    ),
+  );
+  const sourceEntries = await fs.readdir(params.sourceDir);
+  for (const entry of sourceEntries) {
+    await fs.cp(path.join(params.sourceDir, entry), path.join(params.targetDir, entry), {
+      recursive: true,
+      force: true,
+      dereference: false,
+    });
+  }
+}
+
+export async function movePathWithCopyFallback(params: {
+  from: string;
+  to: string;
+}): Promise<void> {
+  try {
+    await fs.rename(params.from, params.to);
+    return;
+  } catch (error) {
+    const code = (error as NodeJS.ErrnoException | null)?.code;
+    if (code !== "EXDEV") {
+      throw error;
+    }
+  }
+  await fs.cp(params.from, params.to, {
+    recursive: true,
+    force: true,
+    dereference: false,
+  });
+  await fs.rm(params.from, { recursive: true, force: true });
+}
diff --git a/extensions/openshell/src/remote-fs-bridge.test.ts b/extensions/openshell/src/remote-fs-bridge.test.ts
new file mode 100644
index 00000000000..5a245e1d8fb
--- /dev/null
+++ b/extensions/openshell/src/remote-fs-bridge.test.ts
@@ -0,0 +1,191 @@
+import { spawn } from "node:child_process";
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { createSandboxTestContext } from "../../../src/agents/sandbox/test-fixtures.js";
+import type { OpenShellSandboxBackend } from "./backend.js";
+import { createOpenShellRemoteFsBridge } from "./remote-fs-bridge.js";
+
+const tempDirs: string[] = [];
+
+async function makeTempDir(prefix: string) {
+  const dir = await fs.mkdtemp(path.join(os.tmpdir(), prefix));
+  tempDirs.push(dir);
+  return dir;
+}
+
+afterEach(async () => {
+  await Promise.all(tempDirs.splice(0).map((dir) => fs.rm(dir, { recursive: true, force: true })));
+});
+
+function translateRemotePath(value: string, roots: { workspace: string; agent: string }) {
+  if (value === "/sandbox" || value.startsWith("/sandbox/")) {
+    return path.join(roots.workspace, value.slice("/sandbox".length));
+  }
+  if (value === "/agent" || value.startsWith("/agent/")) {
+    return path.join(roots.agent, value.slice("/agent".length));
+  }
+  return value;
+}
+
+async function runLocalShell(params: {
+  script: string;
+  args?: string[];
+  stdin?: Buffer | string;
+  allowFailure?: boolean;
+  roots: { workspace: string; agent: string };
+}) {
+  const translatedArgs = (params.args ?? []).map((arg) => translateRemotePath(arg, params.roots));
+  const script = normalizeScriptForLocalShell(params.script);
+  const result = await new Promise<{ stdout: Buffer; stderr: Buffer; code: number }>(
+    (resolve, reject) => {
+      const child = spawn("/bin/sh", ["-c", script, "openshell-test", ...translatedArgs], {
+        stdio: ["pipe", "pipe", "pipe"],
+      });
+      const stdoutChunks: Buffer[] = [];
+      const stderrChunks: Buffer[] = [];
+      child.stdout.on("data", (chunk) => stdoutChunks.push(Buffer.from(chunk)));
+      child.stderr.on("data", (chunk) => stderrChunks.push(Buffer.from(chunk)));
+      child.on("error", reject);
+      child.on("close", (code) => {
+        const result = {
+          stdout: Buffer.concat(stdoutChunks),
+          stderr: Buffer.concat(stderrChunks),
+          code: code ?? 0,
+        };
+        if (result.code !== 0 && !params.allowFailure) {
+          reject(
+            new Error(
+              result.stderr.toString("utf8").trim() || `script exited with code ${result.code}`,
+            ),
+          );
+          return;
+        }
+        resolve(result);
+      });
+      if (params.stdin !== undefined) {
+        child.stdin.end(params.stdin);
+        return;
+      }
+      child.stdin.end();
+    },
+  );
+  return {
+    ...result,
+    stdout: Buffer.from(rewriteLocalPaths(result.stdout.toString("utf8"), params.roots), "utf8"),
+  };
+}
+
+function createBackendMock(roots: { workspace: string; agent: string }): OpenShellSandboxBackend {
+  return {
+    id: "openshell",
+    runtimeId: "openshell-test",
+    runtimeLabel: "openshell-test",
+    workdir: "/sandbox",
+    env: {},
+    mode: "remote",
+    remoteWorkspaceDir: "/sandbox",
+    remoteAgentWorkspaceDir: "/agent",
+    buildExecSpec: vi.fn(),
+    runShellCommand: vi.fn(),
+    runRemoteShellScript: vi.fn(
+      async (params) =>
+        await runLocalShell({
+          ...params,
+          roots,
+        }),
+    ),
+    syncLocalPathToRemote: vi.fn().mockResolvedValue(undefined),
+  } as unknown as OpenShellSandboxBackend;
+}
+
+function rewriteLocalPaths(value: string, roots: { workspace: string; agent: string }) {
+  return value.replaceAll(roots.workspace, "/sandbox").replaceAll(roots.agent, "/agent");
+}
+
+function normalizeScriptForLocalShell(script: string) {
+  return script
+    .replace(
+      'stats=$(stat -c "%F|%h" -- "$1")',
+      `stats=$(python3 - "$1" <<'PY'
+import os, stat, sys
+st = os.stat(sys.argv[1])
+kind = 'directory' if stat.S_ISDIR(st.st_mode) else 'regular file' if stat.S_ISREG(st.st_mode) else 'other'
+print(f"{kind}|{st.st_nlink}")
+PY
+)`,
+    )
+    .replace(
+      'stat -c "%F|%s|%Y" -- "$1"',
+      `python3 - "$1" <<'PY'
+import os, stat, sys
+st = os.stat(sys.argv[1])
+kind = 'directory' if stat.S_ISDIR(st.st_mode) else 'regular file' if stat.S_ISREG(st.st_mode) else 'other'
+print(f"{kind}|{st.st_size}|{int(st.st_mtime)}")
+PY`,
+    );
+}
+
+describe("openshell remote fs bridge", () => {
+  it("writes, reads, renames, and removes files without local host paths", async () => {
+    const workspaceDir = await makeTempDir("openclaw-openshell-remote-local-");
+    const remoteWorkspaceDir = await makeTempDir("openclaw-openshell-remote-workspace-");
+    const remoteAgentDir = await makeTempDir("openclaw-openshell-remote-agent-");
+    const remoteWorkspaceRealDir = await fs.realpath(remoteWorkspaceDir);
+    const remoteAgentRealDir = await fs.realpath(remoteAgentDir);
+    const backend = createBackendMock({
+      workspace: remoteWorkspaceRealDir,
+      agent: remoteAgentRealDir,
+    });
+    const sandbox = createSandboxTestContext({
+      overrides: {
+        backendId: "openshell",
+        workspaceDir,
+        agentWorkspaceDir: workspaceDir,
+        containerWorkdir: "/sandbox",
+      },
+    });
+
+    const bridge = createOpenShellRemoteFsBridge({ sandbox, backend });
+    await bridge.writeFile({
+      filePath: "nested/file.txt",
+      data: "hello",
+      mkdir: true,
+    });
+
+    expect(await fs.readFile(path.join(remoteWorkspaceRealDir, "nested", "file.txt"), "utf8")).toBe(
+      "hello",
+    );
+    expect(await fs.readdir(workspaceDir)).toEqual([]);
+
+    const resolved = bridge.resolvePath({ filePath: "nested/file.txt" });
+    expect(resolved.hostPath).toBeUndefined();
+    expect(resolved.containerPath).toBe("/sandbox/nested/file.txt");
+    expect(await bridge.readFile({ filePath: "nested/file.txt" })).toEqual(Buffer.from("hello"));
+    expect(await bridge.stat({ filePath: "nested/file.txt" })).toEqual(
+      expect.objectContaining({
+        type: "file",
+        size: 5,
+      }),
+    );
+
+    await bridge.rename({
+      from: "nested/file.txt",
+      to: "nested/renamed.txt",
+    });
+    await expect(
+      fs.readFile(path.join(remoteWorkspaceRealDir, "nested", "file.txt"), "utf8"),
+    ).rejects.toBeDefined();
+    expect(
+      await fs.readFile(path.join(remoteWorkspaceRealDir, "nested", "renamed.txt"), "utf8"),
+    ).toBe("hello");
+
+    await bridge.remove({
+      filePath: "nested/renamed.txt",
+    });
+    await expect(
+      fs.readFile(path.join(remoteWorkspaceRealDir, "nested", "renamed.txt"), "utf8"),
+    ).rejects.toBeDefined();
+  });
+});
diff --git a/extensions/openshell/src/remote-fs-bridge.ts b/extensions/openshell/src/remote-fs-bridge.ts
new file mode 100644
index 00000000000..9cc1ddf704d
--- /dev/null
+++ b/extensions/openshell/src/remote-fs-bridge.ts
@@ -0,0 +1,16 @@
+import {
+  createRemoteShellSandboxFsBridge,
+  type RemoteShellSandboxHandle,
+  type SandboxContext,
+  type SandboxFsBridge,
+} from "openclaw/plugin-sdk/core";
+
+export function createOpenShellRemoteFsBridge(params: {
+  sandbox: SandboxContext;
+  backend: RemoteShellSandboxHandle;
+}): SandboxFsBridge {
+  return createRemoteShellSandboxFsBridge({
+    sandbox: params.sandbox,
+    runtime: params.backend,
+  });
+}
diff --git a/extensions/perplexity/index.ts b/extensions/perplexity/index.ts
new file mode 100644
index 00000000000..513c70d131d
--- /dev/null
+++ b/extensions/perplexity/index.ts
@@ -0,0 +1,33 @@
+import {
+  createPluginBackedWebSearchProvider,
+  getScopedCredentialValue,
+  setScopedCredentialValue,
+} from "../../src/agents/tools/web-search-plugin-factory.js";
+import { emptyPluginConfigSchema } from "../../src/plugins/config-schema.js";
+import type { OpenClawPluginApi } from "../../src/plugins/types.js";
+
+const perplexityPlugin = {
+  id: "perplexity",
+  name: "Perplexity Plugin",
+  description: "Bundled Perplexity plugin",
+  configSchema: emptyPluginConfigSchema(),
+  register(api: OpenClawPluginApi) {
+    api.registerWebSearchProvider(
+      createPluginBackedWebSearchProvider({
+        id: "perplexity",
+        label: "Perplexity Search",
+        hint: "Structured results · domain/country/language/time filters",
+        envVars: ["PERPLEXITY_API_KEY", "OPENROUTER_API_KEY"],
+        placeholder: "pplx-...",
+        signupUrl: "https://www.perplexity.ai/settings/api",
+        docsUrl: "https://docs.openclaw.ai/perplexity",
+        autoDetectOrder: 50,
+        getCredentialValue: (searchConfig) => getScopedCredentialValue(searchConfig, "perplexity"),
+        setCredentialValue: (searchConfigTarget, value) =>
+          setScopedCredentialValue(searchConfigTarget, "perplexity", value),
+      }),
+    );
+  },
+};
+
+export default perplexityPlugin;
diff --git a/extensions/perplexity/openclaw.plugin.json b/extensions/perplexity/openclaw.plugin.json
new file mode 100644
index 00000000000..6b976506b65
--- /dev/null
+++ b/extensions/perplexity/openclaw.plugin.json
@@ -0,0 +1,8 @@
+{
+  "id": "perplexity",
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {}
+  }
+}
diff --git a/extensions/perplexity/package.json b/extensions/perplexity/package.json
new file mode 100644
index 00000000000..2a6321ba56c
--- /dev/null
+++ b/extensions/perplexity/package.json
@@ -0,0 +1,12 @@
+{
+  "name": "@openclaw/perplexity-plugin",
+  "version": "2026.3.14",
+  "private": true,
+  "description": "OpenClaw Perplexity plugin",
+  "type": "module",
+  "openclaw": {
+    "extensions": [
+      "./index.ts"
+    ]
+  }
+}
diff --git a/extensions/qianfan/index.ts b/extensions/qianfan/index.ts
index 1da228d3772..88b5fee122d 100644
--- a/extensions/qianfan/index.ts
+++ b/extensions/qianfan/index.ts
@@ -1,5 +1,7 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildQianfanProvider } from "../../src/agents/models-config.providers.static.js";
+import { applyQianfanConfig, QIANFAN_DEFAULT_MODEL_REF } from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "qianfan";
 
@@ -14,7 +16,28 @@ const qianfanPlugin = {
       label: "Qianfan",
       docsPath: "/providers/qianfan",
       envVars: ["QIANFAN_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Qianfan API key",
+          hint: "API key",
+          optionKey: "qianfanApiKey",
+          flagName: "--qianfan-api-key",
+          envVar: "QIANFAN_API_KEY",
+          promptMessage: "Enter Qianfan API key",
+          defaultModel: QIANFAN_DEFAULT_MODEL_REF,
+          expectedProviders: ["qianfan"],
+          applyConfig: (cfg) => applyQianfanConfig(cfg),
+          wizard: {
+            choiceId: "qianfan-api-key",
+            choiceLabel: "Qianfan API key",
+            groupId: "qianfan",
+            groupLabel: "Qianfan",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/qianfan/openclaw.plugin.json b/extensions/qianfan/openclaw.plugin.json
index 9bd75d78c4b..d2ac243e261 100644
--- a/extensions/qianfan/openclaw.plugin.json
+++ b/extensions/qianfan/openclaw.plugin.json
@@ -1,6 +1,24 @@
 {
   "id": "qianfan",
   "providers": ["qianfan"],
+  "providerAuthEnvVars": {
+    "qianfan": ["QIANFAN_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "qianfan",
+      "method": "api-key",
+      "choiceId": "qianfan-api-key",
+      "choiceLabel": "Qianfan API key",
+      "groupId": "qianfan",
+      "groupLabel": "Qianfan",
+      "groupHint": "API key",
+      "optionKey": "qianfanApiKey",
+      "cliFlag": "--qianfan-api-key",
+      "cliOption": "--qianfan-api-key <key>",
+      "cliDescription": "QIANFAN API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/qwen-portal-auth/index.ts b/extensions/qwen-portal-auth/index.ts
index 919fa927e57..774b1329acf 100644
--- a/extensions/qwen-portal-auth/index.ts
+++ b/extensions/qwen-portal-auth/index.ts
@@ -7,6 +7,7 @@ import {
 } from "openclaw/plugin-sdk/qwen-portal-auth";
 import { ensureAuthProfileStore, listProfilesForProvider } from "../../src/agents/auth-profiles.js";
 import { QWEN_OAUTH_MARKER } from "../../src/agents/model-auth-markers.js";
+import { refreshQwenPortalCredentials } from "../../src/providers/qwen-portal-oauth.js";
 import { loginQwenPortalOAuth } from "./oauth.js";
 
 const PROVIDER_ID = "qwen-portal";
@@ -94,6 +95,7 @@ const qwenPortalPlugin = {
       label: PROVIDER_LABEL,
       docsPath: "/providers/qwen",
       aliases: ["qwen"],
+      envVars: ["QWEN_OAUTH_TOKEN", "QWEN_PORTAL_API_KEY"],
       catalog: {
         run: async (ctx: ProviderCatalogContext) => resolveCatalog(ctx),
       },
@@ -156,6 +158,21 @@ const qwenPortalPlugin = {
           },
         },
       ],
+      wizard: {
+        setup: {
+          choiceId: "qwen-portal",
+          choiceLabel: "Qwen OAuth",
+          choiceHint: "Device code login",
+          methodId: "device",
+        },
+      },
+      refreshOAuth: async (cred) => ({
+        ...cred,
+        ...(await refreshQwenPortalCredentials(cred)),
+        type: "oauth",
+        provider: PROVIDER_ID,
+        email: cred.email,
+      }),
     });
   },
 };
diff --git a/extensions/qwen-portal-auth/openclaw.plugin.json b/extensions/qwen-portal-auth/openclaw.plugin.json
index be200d11f04..5a6a8d555b7 100644
--- a/extensions/qwen-portal-auth/openclaw.plugin.json
+++ b/extensions/qwen-portal-auth/openclaw.plugin.json
@@ -1,6 +1,21 @@
 {
   "id": "qwen-portal-auth",
   "providers": ["qwen-portal"],
+  "providerAuthEnvVars": {
+    "qwen-portal": ["QWEN_OAUTH_TOKEN", "QWEN_PORTAL_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "qwen-portal",
+      "method": "device",
+      "choiceId": "qwen-portal",
+      "choiceLabel": "Qwen OAuth",
+      "choiceHint": "Device code login",
+      "groupId": "qwen",
+      "groupLabel": "Qwen",
+      "groupHint": "OAuth"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/sglang/index.ts b/extensions/sglang/index.ts
index 64143026592..5672034ad9c 100644
--- a/extensions/sglang/index.ts
+++ b/extensions/sglang/index.ts
@@ -59,7 +59,7 @@ const sglangPlugin = {
           }),
       },
       wizard: {
-        onboarding: {
+        setup: {
           choiceId: "sglang",
           choiceLabel: "SGLang",
           choiceHint: "Fast self-hosted OpenAI-compatible server",
diff --git a/extensions/sglang/openclaw.plugin.json b/extensions/sglang/openclaw.plugin.json
index 161ea4c635a..d9f7f92eb52 100644
--- a/extensions/sglang/openclaw.plugin.json
+++ b/extensions/sglang/openclaw.plugin.json
@@ -1,6 +1,21 @@
 {
   "id": "sglang",
   "providers": ["sglang"],
+  "providerAuthEnvVars": {
+    "sglang": ["SGLANG_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "sglang",
+      "method": "custom",
+      "choiceId": "sglang",
+      "choiceLabel": "SGLang",
+      "choiceHint": "Fast self-hosted OpenAI-compatible server",
+      "groupId": "sglang",
+      "groupLabel": "SGLang",
+      "groupHint": "Fast self-hosted server"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/shared/passive-monitor.ts b/extensions/shared/passive-monitor.ts
index e5ffb3f03ff..0be48afd014 100644
--- a/extensions/shared/passive-monitor.ts
+++ b/extensions/shared/passive-monitor.ts
@@ -1,4 +1,4 @@
-import { runPassiveAccountLifecycle } from "openclaw/plugin-sdk";
+import { runPassiveAccountLifecycle } from "openclaw/plugin-sdk/core";
 
 type StoppableMonitor = {
   stop: () => void;
diff --git a/extensions/shared/runtime.ts b/extensions/shared/runtime.ts
index a1950ba6be0..2a75360aa20 100644
--- a/extensions/shared/runtime.ts
+++ b/extensions/shared/runtime.ts
@@ -1,4 +1,4 @@
-import { createLoggerBackedRuntime } from "openclaw/plugin-sdk";
+import { createLoggerBackedRuntime } from "openclaw/plugin-sdk/core";
 
 export function resolveLoggerBackedRuntime<TRuntime>(
   runtime: TRuntime | undefined,
diff --git a/extensions/signal/index.ts b/extensions/signal/index.ts
index 0a7b988d7f0..0a686851120 100644
--- a/extensions/signal/index.ts
+++ b/extensions/signal/index.ts
@@ -1,5 +1,5 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/signal";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/signal";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/core";
 import { signalPlugin } from "./src/channel.js";
 import { setSignalRuntime } from "./src/runtime.js";
 
diff --git a/extensions/signal/package.json b/extensions/signal/package.json
index 67d6eae6506..f63128914c9 100644
--- a/extensions/signal/package.json
+++ b/extensions/signal/package.json
@@ -7,6 +7,7 @@
   "openclaw": {
     "extensions": [
       "./index.ts"
-    ]
+    ],
+    "setupEntry": "./setup-entry.ts"
   }
 }
diff --git a/extensions/signal/setup-entry.ts b/extensions/signal/setup-entry.ts
new file mode 100644
index 00000000000..18c27ec5a16
--- /dev/null
+++ b/extensions/signal/setup-entry.ts
@@ -0,0 +1,3 @@
+import { signalSetupPlugin } from "./src/channel.setup.js";
+
+export default { plugin: signalSetupPlugin };
diff --git a/extensions/signal/src/channel.runtime.ts b/extensions/signal/src/channel.runtime.ts
new file mode 100644
index 00000000000..0403246478f
--- /dev/null
+++ b/extensions/signal/src/channel.runtime.ts
@@ -0,0 +1 @@
+export { signalSetupWizard } from "./setup-surface.js";
diff --git a/extensions/signal/src/channel.setup.ts b/extensions/signal/src/channel.setup.ts
new file mode 100644
index 00000000000..88a7035c199
--- /dev/null
+++ b/extensions/signal/src/channel.setup.ts
@@ -0,0 +1,114 @@
+import {
+  createScopedAccountConfigAccessors,
+  buildAccountScopedDmSecurityPolicy,
+  collectAllowlistProviderRestrictSendersWarnings,
+} from "openclaw/plugin-sdk/compat";
+import {
+  buildChannelConfigSchema,
+  DEFAULT_ACCOUNT_ID,
+  deleteAccountFromConfigSection,
+  getChatChannelMeta,
+  normalizeE164,
+  setAccountEnabledInConfigSection,
+  SignalConfigSchema,
+  type ChannelPlugin,
+} from "openclaw/plugin-sdk/signal";
+import {
+  listSignalAccountIds,
+  resolveDefaultSignalAccountId,
+  resolveSignalAccount,
+  type ResolvedSignalAccount,
+} from "./accounts.js";
+import { createSignalSetupWizardProxy, signalSetupAdapter } from "./setup-core.js";
+
+async function loadSignalChannelRuntime() {
+  return await import("./channel.runtime.js");
+}
+
+const signalSetupWizard = createSignalSetupWizardProxy(async () => ({
+  signalSetupWizard: (await loadSignalChannelRuntime()).signalSetupWizard,
+}));
+
+const signalConfigAccessors = createScopedAccountConfigAccessors({
+  resolveAccount: ({ cfg, accountId }) => resolveSignalAccount({ cfg, accountId }),
+  resolveAllowFrom: (account: ResolvedSignalAccount) => account.config.allowFrom,
+  formatAllowFrom: (allowFrom) =>
+    allowFrom
+      .map((entry) => String(entry).trim())
+      .filter(Boolean)
+      .map((entry) => (entry === "*" ? "*" : normalizeE164(entry.replace(/^signal:/i, ""))))
+      .filter(Boolean),
+  resolveDefaultTo: (account: ResolvedSignalAccount) => account.config.defaultTo,
+});
+
+export const signalSetupPlugin: ChannelPlugin<ResolvedSignalAccount> = {
+  id: "signal",
+  meta: {
+    ...getChatChannelMeta("signal"),
+  },
+  setupWizard: signalSetupWizard,
+  capabilities: {
+    chatTypes: ["direct", "group"],
+    media: true,
+    reactions: true,
+  },
+  streaming: {
+    blockStreamingCoalesceDefaults: { minChars: 1500, idleMs: 1000 },
+  },
+  reload: { configPrefixes: ["channels.signal"] },
+  configSchema: buildChannelConfigSchema(SignalConfigSchema),
+  config: {
+    listAccountIds: (cfg) => listSignalAccountIds(cfg),
+    resolveAccount: (cfg, accountId) => resolveSignalAccount({ cfg, accountId }),
+    defaultAccountId: (cfg) => resolveDefaultSignalAccountId(cfg),
+    setAccountEnabled: ({ cfg, accountId, enabled }) =>
+      setAccountEnabledInConfigSection({
+        cfg,
+        sectionKey: "signal",
+        accountId,
+        enabled,
+        allowTopLevel: true,
+      }),
+    deleteAccount: ({ cfg, accountId }) =>
+      deleteAccountFromConfigSection({
+        cfg,
+        sectionKey: "signal",
+        accountId,
+        clearBaseFields: ["account", "httpUrl", "httpHost", "httpPort", "cliPath", "name"],
+      }),
+    isConfigured: (account) => account.configured,
+    describeAccount: (account) => ({
+      accountId: account.accountId,
+      name: account.name,
+      enabled: account.enabled,
+      configured: account.configured,
+      baseUrl: account.baseUrl,
+    }),
+    ...signalConfigAccessors,
+  },
+  security: {
+    resolveDmPolicy: ({ cfg, accountId, account }) =>
+      buildAccountScopedDmSecurityPolicy({
+        cfg,
+        channelKey: "signal",
+        accountId,
+        fallbackAccountId: account.accountId ?? DEFAULT_ACCOUNT_ID,
+        policy: account.config.dmPolicy,
+        allowFrom: account.config.allowFrom ?? [],
+        policyPathSuffix: "dmPolicy",
+        normalizeEntry: (raw) => normalizeE164(raw.replace(/^signal:/i, "").trim()),
+      }),
+    collectWarnings: ({ account, cfg }) =>
+      collectAllowlistProviderRestrictSendersWarnings({
+        cfg,
+        providerConfigPresent: cfg.channels?.signal !== undefined,
+        configuredGroupPolicy: account.config.groupPolicy,
+        surface: "Signal groups",
+        openScope: "any member",
+        groupPolicyPath: "channels.signal.groupPolicy",
+        groupAllowFromPath: "channels.signal.groupAllowFrom",
+        mentionGated: false,
+      }),
+  },
+  setup: signalSetupAdapter,
+};
diff --git a/extensions/signal/src/channel.ts b/extensions/signal/src/channel.ts
index ccf635e60cf..e1675a019d1 100644
--- a/extensions/signal/src/channel.ts
+++ b/extensions/signal/src/channel.ts
@@ -1,8 +1,10 @@
 import {
+  buildAccountScopedAllowlistConfigEditor,
   buildAccountScopedDmSecurityPolicy,
   createScopedAccountConfigAccessors,
   collectAllowlistProviderRestrictSendersWarnings,
 } from "openclaw/plugin-sdk/compat";
+import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk/core";
 import {
   buildBaseAccountStatusSnapshot,
   buildBaseChannelStatusSummary,
@@ -12,23 +14,43 @@ import {
   DEFAULT_ACCOUNT_ID,
   deleteAccountFromConfigSection,
   getChatChannelMeta,
-  listSignalAccountIds,
   looksLikeSignalTargetId,
   normalizeE164,
   normalizeSignalMessagingTarget,
   PAIRING_APPROVED_MESSAGE,
   resolveChannelMediaMaxBytes,
-  resolveDefaultSignalAccountId,
-  resolveSignalAccount,
   setAccountEnabledInConfigSection,
   SignalConfigSchema,
   type ChannelMessageActionAdapter,
   type ChannelPlugin,
-  type ResolvedSignalAccount,
 } from "openclaw/plugin-sdk/signal";
+import { resolveTextChunkLimit } from "../../../src/auto-reply/chunk.js";
+import { resolveMarkdownTableMode } from "../../../src/config/markdown-tables.js";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
+import {
+  listSignalAccountIds,
+  resolveDefaultSignalAccountId,
+  resolveSignalAccount,
+  type ResolvedSignalAccount,
+} from "./accounts.js";
+import { markdownToSignalTextChunks } from "./format.js";
+import {
+  looksLikeUuid,
+  resolveSignalPeerId,
+  resolveSignalRecipient,
+  resolveSignalSender,
+} from "./identity.js";
+import type { SignalProbe } from "./probe.js";
 import { getSignalRuntime } from "./runtime.js";
-import { signalSetupAdapter, signalSetupWizard } from "./setup-surface.js";
+import { createSignalSetupWizardProxy, signalSetupAdapter } from "./setup-core.js";
+
+async function loadSignalChannelRuntime() {
+  return await import("./channel.runtime.js");
+}
+
+const signalSetupWizard = createSignalSetupWizardProxy(async () => ({
+  signalSetupWizard: (await loadSignalChannelRuntime()).signalSetupWizard,
+}));
 
 const signalMessageActions: ChannelMessageActionAdapter = {
   listActions: (ctx) => getSignalRuntime().channel.signal.messageActions?.listActions?.(ctx) ?? [],
@@ -57,12 +79,8 @@ const signalConfigAccessors = createScopedAccountConfigAccessors({
 
 type SignalSendFn = ReturnType<typeof getSignalRuntime>["channel"]["signal"]["sendMessageSignal"];
 
-async function sendSignalOutbound(params: {
+function resolveSignalSendContext(params: {
   cfg: Parameters<typeof resolveSignalAccount>[0]["cfg"];
-  to: string;
-  text: string;
-  mediaUrl?: string;
-  mediaLocalRoots?: readonly string[];
   accountId?: string;
   deps?: { [channelId: string]: unknown };
 }) {
@@ -75,6 +93,19 @@ async function sendSignalOutbound(params: {
       cfg.channels?.signal?.accounts?.[accountId]?.mediaMaxMb ?? cfg.channels?.signal?.mediaMaxMb,
     accountId: params.accountId,
   });
+  return { send, maxBytes };
+}
+
+async function sendSignalOutbound(params: {
+  cfg: Parameters<typeof resolveSignalAccount>[0]["cfg"];
+  to: string;
+  text: string;
+  mediaUrl?: string;
+  mediaLocalRoots?: readonly string[];
+  accountId?: string;
+  deps?: { [channelId: string]: unknown };
+}) {
+  const { send, maxBytes } = resolveSignalSendContext(params);
   return await send(params.to, params.text, {
     cfg: params.cfg,
     ...(params.mediaUrl ? { mediaUrl: params.mediaUrl } : {}),
@@ -84,6 +115,202 @@ async function sendSignalOutbound(params: {
   });
 }
 
+function inferSignalTargetChatType(rawTo: string) {
+  let to = rawTo.trim();
+  if (!to) {
+    return undefined;
+  }
+  if (/^signal:/i.test(to)) {
+    to = to.replace(/^signal:/i, "").trim();
+  }
+  if (!to) {
+    return undefined;
+  }
+  const lower = to.toLowerCase();
+  if (lower.startsWith("group:")) {
+    return "group" as const;
+  }
+  if (lower.startsWith("username:") || lower.startsWith("u:")) {
+    return "direct" as const;
+  }
+  return "direct" as const;
+}
+
+function parseSignalExplicitTarget(raw: string) {
+  const normalized = normalizeSignalMessagingTarget(raw);
+  if (!normalized) {
+    return null;
+  }
+  return {
+    to: normalized,
+    chatType: inferSignalTargetChatType(normalized),
+  };
+}
+
+function buildSignalBaseSessionKey(params: {
+  cfg: Parameters<typeof resolveSignalAccount>[0]["cfg"];
+  agentId: string;
+  accountId?: string | null;
+  peer: RoutePeer;
+}) {
+  return buildAgentSessionKey({
+    agentId: params.agentId,
+    channel: "signal",
+    accountId: params.accountId,
+    peer: params.peer,
+    dmScope: params.cfg.session?.dmScope ?? "main",
+    identityLinks: params.cfg.session?.identityLinks,
+  });
+}
+
+function resolveSignalOutboundSessionRoute(params: {
+  cfg: Parameters<typeof resolveSignalAccount>[0]["cfg"];
+  agentId: string;
+  accountId?: string | null;
+  target: string;
+}) {
+  const stripped = params.target.replace(/^signal:/i, "").trim();
+  const lowered = stripped.toLowerCase();
+  if (lowered.startsWith("group:")) {
+    const groupId = stripped.slice("group:".length).trim();
+    if (!groupId) {
+      return null;
+    }
+    const peer: RoutePeer = { kind: "group", id: groupId };
+    const baseSessionKey = buildSignalBaseSessionKey({
+      cfg: params.cfg,
+      agentId: params.agentId,
+      accountId: params.accountId,
+      peer,
+    });
+    return {
+      sessionKey: baseSessionKey,
+      baseSessionKey,
+      peer,
+      chatType: "group" as const,
+      from: `group:${groupId}`,
+      to: `group:${groupId}`,
+    };
+  }
+
+  let recipient = stripped.trim();
+  if (lowered.startsWith("username:")) {
+    recipient = stripped.slice("username:".length).trim();
+  } else if (lowered.startsWith("u:")) {
+    recipient = stripped.slice("u:".length).trim();
+  }
+  if (!recipient) {
+    return null;
+  }
+
+  const uuidCandidate = recipient.toLowerCase().startsWith("uuid:")
+    ? recipient.slice("uuid:".length)
+    : recipient;
+  const sender = resolveSignalSender({
+    sourceUuid: looksLikeUuid(uuidCandidate) ? uuidCandidate : null,
+    sourceNumber: looksLikeUuid(uuidCandidate) ? null : recipient,
+  });
+  const peerId = sender ? resolveSignalPeerId(sender) : recipient;
+  const displayRecipient = sender ? resolveSignalRecipient(sender) : recipient;
+  const peer: RoutePeer = { kind: "direct", id: peerId };
+  const baseSessionKey = buildSignalBaseSessionKey({
+    cfg: params.cfg,
+    agentId: params.agentId,
+    accountId: params.accountId,
+    peer,
+  });
+  return {
+    sessionKey: baseSessionKey,
+    baseSessionKey,
+    peer,
+    chatType: "direct" as const,
+    from: `signal:${displayRecipient}`,
+    to: `signal:${displayRecipient}`,
+  };
+}
+
+async function sendFormattedSignalText(ctx: {
+  cfg: Parameters<typeof resolveSignalAccount>[0]["cfg"];
+  to: string;
+  text: string;
+  accountId?: string | null;
+  deps?: { [channelId: string]: unknown };
+  abortSignal?: AbortSignal;
+}) {
+  const { send, maxBytes } = resolveSignalSendContext({
+    cfg: ctx.cfg,
+    accountId: ctx.accountId ?? undefined,
+    deps: ctx.deps,
+  });
+  const limit = resolveTextChunkLimit(ctx.cfg, "signal", ctx.accountId ?? undefined, {
+    fallbackLimit: 4000,
+  });
+  const tableMode = resolveMarkdownTableMode({
+    cfg: ctx.cfg,
+    channel: "signal",
+    accountId: ctx.accountId ?? undefined,
+  });
+  let chunks =
+    limit === undefined
+      ? markdownToSignalTextChunks(ctx.text, Number.POSITIVE_INFINITY, { tableMode })
+      : markdownToSignalTextChunks(ctx.text, limit, { tableMode });
+  if (chunks.length === 0 && ctx.text) {
+    chunks = [{ text: ctx.text, styles: [] }];
+  }
+  const results = [];
+  for (const chunk of chunks) {
+    ctx.abortSignal?.throwIfAborted();
+    const result = await send(ctx.to, chunk.text, {
+      cfg: ctx.cfg,
+      maxBytes,
+      accountId: ctx.accountId ?? undefined,
+      textMode: "plain",
+      textStyles: chunk.styles,
+    });
+    results.push({ channel: "signal" as const, ...result });
+  }
+  return results;
+}
+
+async function sendFormattedSignalMedia(ctx: {
+  cfg: Parameters<typeof resolveSignalAccount>[0]["cfg"];
+  to: string;
+  text: string;
+  mediaUrl: string;
+  mediaLocalRoots?: readonly string[];
+  accountId?: string | null;
+  deps?: { [channelId: string]: unknown };
+  abortSignal?: AbortSignal;
+}) {
+  ctx.abortSignal?.throwIfAborted();
+  const { send, maxBytes } = resolveSignalSendContext({
+    cfg: ctx.cfg,
+    accountId: ctx.accountId ?? undefined,
+    deps: ctx.deps,
+  });
+  const tableMode = resolveMarkdownTableMode({
+    cfg: ctx.cfg,
+    channel: "signal",
+    accountId: ctx.accountId ?? undefined,
+  });
+  const formatted = markdownToSignalTextChunks(ctx.text, Number.POSITIVE_INFINITY, {
+    tableMode,
+  })[0] ?? {
+    text: ctx.text,
+    styles: [],
+  };
+  const result = await send(ctx.to, formatted.text, {
+    cfg: ctx.cfg,
+    mediaUrl: ctx.mediaUrl,
+    mediaLocalRoots: ctx.mediaLocalRoots,
+    maxBytes,
+    accountId: ctx.accountId ?? undefined,
+    textMode: "plain",
+    textStyles: formatted.styles,
+  });
+  return { channel: "signal" as const, ...result };
+}
+
 export const signalPlugin: ChannelPlugin<ResolvedSignalAccount> = {
   id: "signal",
   meta: {
@@ -137,6 +364,27 @@ export const signalPlugin: ChannelPlugin<ResolvedSignalAccount> = {
     }),
     ...signalConfigAccessors,
   },
+  allowlist: {
+    supportsScope: ({ scope }) => scope === "dm" || scope === "group" || scope === "all",
+    readConfig: ({ cfg, accountId }) => {
+      const account = resolveSignalAccount({ cfg, accountId });
+      return {
+        dmAllowFrom: (account.config.allowFrom ?? []).map(String),
+        groupAllowFrom: (account.config.groupAllowFrom ?? []).map(String),
+        dmPolicy: account.config.dmPolicy,
+        groupPolicy: account.config.groupPolicy,
+      };
+    },
+    applyConfigEdit: buildAccountScopedAllowlistConfigEditor({
+      channelId: "signal",
+      normalize: ({ cfg, accountId, values }) =>
+        signalConfigAccessors.formatAllowFrom!({ cfg, accountId, allowFrom: values }),
+      resolvePaths: (scope) => ({
+        readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
+        writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+      }),
+    }),
+  },
   security: {
     resolveDmPolicy: ({ cfg, accountId, account }) => {
       return buildAccountScopedDmSecurityPolicy({
@@ -165,6 +413,9 @@ export const signalPlugin: ChannelPlugin<ResolvedSignalAccount> = {
   },
   messaging: {
     normalizeTarget: normalizeSignalMessagingTarget,
+    parseExplicitTarget: ({ raw }) => parseSignalExplicitTarget(raw),
+    inferTargetChatType: ({ to }) => inferSignalTargetChatType(to),
+    resolveOutboundSessionRoute: (params) => resolveSignalOutboundSessionRoute(params),
     targetResolver: {
       looksLikeId: looksLikeSignalTargetId,
       hint: "<E.164|uuid:ID|group:ID|signal:group:ID|signal:+E.164>",
@@ -176,6 +427,35 @@ export const signalPlugin: ChannelPlugin<ResolvedSignalAccount> = {
     chunker: (text, limit) => getSignalRuntime().channel.text.chunkText(text, limit),
     chunkerMode: "text",
     textChunkLimit: 4000,
+    sendFormattedText: async ({ cfg, to, text, accountId, deps, abortSignal }) =>
+      await sendFormattedSignalText({
+        cfg,
+        to,
+        text,
+        accountId,
+        deps,
+        abortSignal,
+      }),
+    sendFormattedMedia: async ({
+      cfg,
+      to,
+      text,
+      mediaUrl,
+      mediaLocalRoots,
+      accountId,
+      deps,
+      abortSignal,
+    }) =>
+      await sendFormattedSignalMedia({
+        cfg,
+        to,
+        text,
+        mediaUrl,
+        mediaLocalRoots,
+        accountId,
+        deps,
+        abortSignal,
+      }),
     sendText: async ({ cfg, to, text, accountId, deps }) => {
       const result = await sendSignalOutbound({
         cfg,
@@ -212,6 +492,10 @@ export const signalPlugin: ChannelPlugin<ResolvedSignalAccount> = {
       const baseUrl = account.baseUrl;
       return await getSignalRuntime().channel.signal.probeSignal(baseUrl, timeoutMs);
     },
+    formatCapabilitiesProbe: ({ probe }) =>
+      (probe as SignalProbe | undefined)?.version
+        ? [{ text: `Signal daemon: ${(probe as SignalProbe).version}` }]
+        : [],
     buildAccountSnapshot: ({ account, runtime, probe }) => ({
       ...buildBaseAccountStatusSnapshot({ account, runtime, probe }),
       baseUrl: account.baseUrl,
diff --git a/extensions/signal/src/monitor/event-handler.inbound-contract.test.ts b/extensions/signal/src/monitor/event-handler.inbound-contract.test.ts
index 62593156756..9a6cfc0e90e 100644
--- a/extensions/signal/src/monitor/event-handler.inbound-contract.test.ts
+++ b/extensions/signal/src/monitor/event-handler.inbound-contract.test.ts
@@ -1,6 +1,6 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import type { MsgContext } from "../../../../src/auto-reply/templating.js";
-import { expectInboundContextContract } from "../../../../test/helpers/inbound-contract.js";
+import { expectChannelInboundContextContract as expectInboundContextContract } from "../../../../src/channels/plugins/contracts/suites.js";
 import { createSignalEventHandler } from "./event-handler.js";
 import {
   createBaseSignalEventHandlerDeps,
diff --git a/extensions/signal/src/outbound-adapter.ts b/extensions/signal/src/outbound-adapter.ts
new file mode 100644
index 00000000000..b0d77c12bd0
--- /dev/null
+++ b/extensions/signal/src/outbound-adapter.ts
@@ -0,0 +1,125 @@
+import { resolveTextChunkLimit } from "../../../src/auto-reply/chunk.js";
+import { createScopedChannelMediaMaxBytesResolver } from "../../../src/channels/plugins/outbound/direct-text-media.js";
+import type { ChannelOutboundAdapter } from "../../../src/channels/plugins/types.js";
+import { resolveMarkdownTableMode } from "../../../src/config/markdown-tables.js";
+import {
+  resolveOutboundSendDep,
+  type OutboundSendDeps,
+} from "../../../src/infra/outbound/send-deps.js";
+import { markdownToSignalTextChunks } from "./format.js";
+import { sendMessageSignal } from "./send.js";
+
+function resolveSignalSender(deps: OutboundSendDeps | undefined) {
+  return resolveOutboundSendDep<typeof sendMessageSignal>(deps, "signal") ?? sendMessageSignal;
+}
+
+const resolveSignalMaxBytes = createScopedChannelMediaMaxBytesResolver("signal");
+type SignalSendOpts = NonNullable<Parameters<typeof sendMessageSignal>[2]>;
+
+function inferSignalTableMode(params: { cfg: SignalSendOpts["cfg"]; accountId?: string | null }) {
+  return resolveMarkdownTableMode({
+    cfg: params.cfg,
+    channel: "signal",
+    accountId: params.accountId ?? undefined,
+  });
+}
+
+export const signalOutbound: ChannelOutboundAdapter = {
+  deliveryMode: "direct",
+  chunker: (text, _limit) => text.split(/\n{2,}/).flatMap((chunk) => (chunk ? [chunk] : [])),
+  chunkerMode: "text",
+  textChunkLimit: 4000,
+  sendFormattedText: async ({ cfg, to, text, accountId, deps, abortSignal }) => {
+    const send = resolveSignalSender(deps);
+    const maxBytes = resolveSignalMaxBytes({
+      cfg,
+      accountId: accountId ?? undefined,
+    });
+    const limit = resolveTextChunkLimit(cfg, "signal", accountId ?? undefined, {
+      fallbackLimit: 4000,
+    });
+    const tableMode = inferSignalTableMode({ cfg, accountId });
+    let chunks =
+      limit === undefined
+        ? markdownToSignalTextChunks(text, Number.POSITIVE_INFINITY, { tableMode })
+        : markdownToSignalTextChunks(text, limit, { tableMode });
+    if (chunks.length === 0 && text) {
+      chunks = [{ text, styles: [] }];
+    }
+    const results = [];
+    for (const chunk of chunks) {
+      abortSignal?.throwIfAborted();
+      const result = await send(to, chunk.text, {
+        cfg,
+        maxBytes,
+        accountId: accountId ?? undefined,
+        textMode: "plain",
+        textStyles: chunk.styles,
+      });
+      results.push({ channel: "signal" as const, ...result });
+    }
+    return results;
+  },
+  sendFormattedMedia: async ({
+    cfg,
+    to,
+    text,
+    mediaUrl,
+    mediaLocalRoots,
+    accountId,
+    deps,
+    abortSignal,
+  }) => {
+    abortSignal?.throwIfAborted();
+    const send = resolveSignalSender(deps);
+    const maxBytes = resolveSignalMaxBytes({
+      cfg,
+      accountId: accountId ?? undefined,
+    });
+    const tableMode = inferSignalTableMode({ cfg, accountId });
+    const formatted = markdownToSignalTextChunks(text, Number.POSITIVE_INFINITY, {
+      tableMode,
+    })[0] ?? {
+      text,
+      styles: [],
+    };
+    const result = await send(to, formatted.text, {
+      cfg,
+      mediaUrl,
+      maxBytes,
+      accountId: accountId ?? undefined,
+      textMode: "plain",
+      textStyles: formatted.styles,
+      mediaLocalRoots,
+    });
+    return { channel: "signal", ...result };
+  },
+  sendText: async ({ cfg, to, text, accountId, deps }) => {
+    const send = resolveSignalSender(deps);
+    const maxBytes = resolveSignalMaxBytes({
+      cfg,
+      accountId: accountId ?? undefined,
+    });
+    const result = await send(to, text, {
+      cfg,
+      maxBytes,
+      accountId: accountId ?? undefined,
+    });
+    return { channel: "signal", ...result };
+  },
+  sendMedia: async ({ cfg, to, text, mediaUrl, mediaLocalRoots, accountId, deps }) => {
+    const send = resolveSignalSender(deps);
+    const maxBytes = resolveSignalMaxBytes({
+      cfg,
+      accountId: accountId ?? undefined,
+    });
+    const result = await send(to, text, {
+      cfg,
+      mediaUrl,
+      maxBytes,
+      accountId: accountId ?? undefined,
+      mediaLocalRoots,
+    });
+    return { channel: "signal", ...result };
+  },
+};
diff --git a/extensions/signal/src/runtime.ts b/extensions/signal/src/runtime.ts
index 480c174ab26..b7cc4160f1c 100644
--- a/extensions/signal/src/runtime.ts
+++ b/extensions/signal/src/runtime.ts
@@ -1,5 +1,5 @@
 import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
-import type { PluginRuntime } from "openclaw/plugin-sdk/signal";
+import type { PluginRuntime } from "openclaw/plugin-sdk/core";
 
 const { setRuntime: setSignalRuntime, getRuntime: getSignalRuntime } =
   createPluginRuntimeStore<PluginRuntime>("Signal runtime not initialized");
diff --git a/src/channels/plugins/onboarding/signal.test.ts b/extensions/signal/src/setup-allow-from.test.ts
similarity index 90%
rename from src/channels/plugins/onboarding/signal.test.ts
rename to extensions/signal/src/setup-allow-from.test.ts
index 61656952489..959082a2582 100644
--- a/src/channels/plugins/onboarding/signal.test.ts
+++ b/extensions/signal/src/setup-allow-from.test.ts
@@ -1,8 +1,5 @@
 import { describe, expect, it } from "vitest";
-import {
-  normalizeSignalAccountInput,
-  parseSignalAllowFromEntries,
-} from "../../../../extensions/signal/src/setup-surface.js";
+import { normalizeSignalAccountInput, parseSignalAllowFromEntries } from "./setup-surface.js";
 
 describe("normalizeSignalAccountInput", () => {
   it("normalizes valid E.164 numbers", () => {
diff --git a/extensions/signal/src/setup-core.ts b/extensions/signal/src/setup-core.ts
new file mode 100644
index 00000000000..40cc99add6e
--- /dev/null
+++ b/extensions/signal/src/setup-core.ts
@@ -0,0 +1,275 @@
+import {
+  applyAccountNameToChannelSection,
+  migrateBaseNameToDefaultAccount,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import {
+  parseSetupEntriesAllowingWildcard,
+  promptParsedAllowFromForScopedChannel,
+  setChannelDmPolicyWithAllowFrom,
+  setSetupChannelEnabled,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
+import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import { formatCliCommand } from "../../../src/cli/command-format.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
+import { normalizeE164 } from "../../../src/utils.js";
+import type { WizardPrompter } from "../../../src/wizard/prompts.js";
+import {
+  listSignalAccountIds,
+  resolveDefaultSignalAccountId,
+  resolveSignalAccount,
+} from "./accounts.js";
+
+const channel = "signal" as const;
+const MIN_E164_DIGITS = 5;
+const MAX_E164_DIGITS = 15;
+const DIGITS_ONLY = /^\d+$/;
+const INVALID_SIGNAL_ACCOUNT_ERROR =
+  "Invalid E.164 phone number (must start with + and country code, e.g. +15555550123)";
+
+export function normalizeSignalAccountInput(value: string | null | undefined): string | null {
+  const trimmed = value?.trim();
+  if (!trimmed) {
+    return null;
+  }
+  const normalized = normalizeE164(trimmed);
+  const digits = normalized.slice(1);
+  if (!DIGITS_ONLY.test(digits)) {
+    return null;
+  }
+  if (digits.length < MIN_E164_DIGITS || digits.length > MAX_E164_DIGITS) {
+    return null;
+  }
+  return `+${digits}`;
+}
+
+function isUuidLike(value: string): boolean {
+  return /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value);
+}
+
+export function parseSignalAllowFromEntries(raw: string): { entries: string[]; error?: string } {
+  return parseSetupEntriesAllowingWildcard(raw, (entry) => {
+    if (entry.toLowerCase().startsWith("uuid:")) {
+      const id = entry.slice("uuid:".length).trim();
+      if (!id) {
+        return { error: "Invalid uuid entry" };
+      }
+      return { value: `uuid:${id}` };
+    }
+    if (isUuidLike(entry)) {
+      return { value: `uuid:${entry}` };
+    }
+    const normalized = normalizeSignalAccountInput(entry);
+    if (!normalized) {
+      return { error: `Invalid entry: ${entry}` };
+    }
+    return { value: normalized };
+  });
+}
+
+function buildSignalSetupPatch(input: {
+  signalNumber?: string;
+  cliPath?: string;
+  httpUrl?: string;
+  httpHost?: string;
+  httpPort?: string;
+}) {
+  return {
+    ...(input.signalNumber ? { account: input.signalNumber } : {}),
+    ...(input.cliPath ? { cliPath: input.cliPath } : {}),
+    ...(input.httpUrl ? { httpUrl: input.httpUrl } : {}),
+    ...(input.httpHost ? { httpHost: input.httpHost } : {}),
+    ...(input.httpPort ? { httpPort: Number(input.httpPort) } : {}),
+  };
+}
+
+async function promptSignalAllowFrom(params: {
+  cfg: OpenClawConfig;
+  prompter: WizardPrompter;
+  accountId?: string;
+}): Promise<OpenClawConfig> {
+  return promptParsedAllowFromForScopedChannel({
+    cfg: params.cfg,
+    channel,
+    accountId: params.accountId,
+    defaultAccountId: resolveDefaultSignalAccountId(params.cfg),
+    prompter: params.prompter,
+    noteTitle: "Signal allowlist",
+    noteLines: [
+      "Allowlist Signal DMs by sender id.",
+      "Examples:",
+      "- +15555550123",
+      "- uuid:123e4567-e89b-12d3-a456-426614174000",
+      "Multiple entries: comma-separated.",
+      `Docs: ${formatDocsLink("/signal", "signal")}`,
+    ],
+    message: "Signal allowFrom (E.164 or uuid)",
+    placeholder: "+15555550123, uuid:123e4567-e89b-12d3-a456-426614174000",
+    parseEntries: parseSignalAllowFromEntries,
+    getExistingAllowFrom: ({ cfg, accountId }) =>
+      resolveSignalAccount({ cfg, accountId }).config.allowFrom ?? [],
+  });
+}
+
+export const signalSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  validateInput: ({ input }) => {
+    if (
+      !input.signalNumber &&
+      !input.httpUrl &&
+      !input.httpHost &&
+      !input.httpPort &&
+      !input.cliPath
+    ) {
+      return "Signal requires --signal-number or --http-url/--http-host/--http-port/--cli-path.";
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name: input.name,
+    });
+    const next =
+      accountId !== DEFAULT_ACCOUNT_ID
+        ? migrateBaseNameToDefaultAccount({
+            cfg: namedConfig,
+            channelKey: channel,
+          })
+        : namedConfig;
+    if (accountId === DEFAULT_ACCOUNT_ID) {
+      return {
+        ...next,
+        channels: {
+          ...next.channels,
+          signal: {
+            ...next.channels?.signal,
+            enabled: true,
+            ...buildSignalSetupPatch(input),
+          },
+        },
+      };
+    }
+    return {
+      ...next,
+      channels: {
+        ...next.channels,
+        signal: {
+          ...next.channels?.signal,
+          enabled: true,
+          accounts: {
+            ...next.channels?.signal?.accounts,
+            [accountId]: {
+              ...next.channels?.signal?.accounts?.[accountId],
+              enabled: true,
+              ...buildSignalSetupPatch(input),
+            },
+          },
+        },
+      },
+    };
+  },
+};
+
+export function createSignalSetupWizardProxy(
+  loadWizard: () => Promise<{ signalSetupWizard: ChannelSetupWizard }>,
+) {
+  const signalDmPolicy: ChannelSetupDmPolicy = {
+    label: "Signal",
+    channel,
+    policyKey: "channels.signal.dmPolicy",
+    allowFromKey: "channels.signal.allowFrom",
+    getCurrent: (cfg: OpenClawConfig) => cfg.channels?.signal?.dmPolicy ?? "pairing",
+    setPolicy: (cfg: OpenClawConfig, policy) =>
+      setChannelDmPolicyWithAllowFrom({
+        cfg,
+        channel,
+        dmPolicy: policy,
+      }),
+    promptAllowFrom: promptSignalAllowFrom,
+  };
+
+  return {
+    channel,
+    status: {
+      configuredLabel: "configured",
+      unconfiguredLabel: "needs setup",
+      configuredHint: "signal-cli found",
+      unconfiguredHint: "signal-cli missing",
+      configuredScore: 1,
+      unconfiguredScore: 0,
+      resolveConfigured: ({ cfg }) =>
+        listSignalAccountIds(cfg).some(
+          (accountId) => resolveSignalAccount({ cfg, accountId }).configured,
+        ),
+      resolveStatusLines: async (params) =>
+        (await loadWizard()).signalSetupWizard.status.resolveStatusLines?.(params) ?? [],
+      resolveSelectionHint: async (params) =>
+        await (await loadWizard()).signalSetupWizard.status.resolveSelectionHint?.(params),
+      resolveQuickstartScore: async (params) =>
+        await (await loadWizard()).signalSetupWizard.status.resolveQuickstartScore?.(params),
+    },
+    prepare: async (params) => await (await loadWizard()).signalSetupWizard.prepare?.(params),
+    credentials: [],
+    textInputs: [
+      {
+        inputKey: "cliPath",
+        message: "signal-cli path",
+        currentValue: ({ cfg, accountId, credentialValues }) =>
+          (typeof credentialValues.cliPath === "string" ? credentialValues.cliPath : undefined) ??
+          resolveSignalAccount({ cfg, accountId }).config.cliPath ??
+          "signal-cli",
+        initialValue: ({ cfg, accountId, credentialValues }) =>
+          (typeof credentialValues.cliPath === "string" ? credentialValues.cliPath : undefined) ??
+          resolveSignalAccount({ cfg, accountId }).config.cliPath ??
+          "signal-cli",
+        shouldPrompt: async (params) => {
+          const input = (await loadWizard()).signalSetupWizard.textInputs?.find(
+            (entry) => entry.inputKey === "cliPath",
+          );
+          return (await input?.shouldPrompt?.(params)) ?? false;
+        },
+        confirmCurrentValue: false,
+        applyCurrentValue: true,
+        helpTitle: "Signal",
+        helpLines: [
+          "signal-cli not found. Install it, then rerun this step or set channels.signal.cliPath.",
+        ],
+      },
+      {
+        inputKey: "signalNumber",
+        message: "Signal bot number (E.164)",
+        currentValue: ({ cfg, accountId }) =>
+          normalizeSignalAccountInput(resolveSignalAccount({ cfg, accountId }).config.account) ??
+          undefined,
+        keepPrompt: (value) => `Signal account set (${value}). Keep it?`,
+        validate: ({ value }) =>
+          normalizeSignalAccountInput(value) ? undefined : INVALID_SIGNAL_ACCOUNT_ERROR,
+        normalizeValue: ({ value }) => normalizeSignalAccountInput(value) ?? value,
+      },
+    ],
+    completionNote: {
+      title: "Signal next steps",
+      lines: [
+        'Link device with: signal-cli link -n "OpenClaw"',
+        "Scan QR in Signal -> Linked Devices",
+        `Then run: ${formatCliCommand("openclaw gateway call channels.status --params '{\"probe\":true}'")}`,
+        `Docs: ${formatDocsLink("/signal", "signal")}`,
+      ],
+    },
+    dmPolicy: signalDmPolicy,
+    disable: (cfg: OpenClawConfig) => setSetupChannelEnabled(cfg, channel, false),
+  } satisfies ChannelSetupWizard;
+}
diff --git a/extensions/signal/src/setup-surface.ts b/extensions/signal/src/setup-surface.ts
index 6a7b7604450..d3bd8e0b6de 100644
--- a/extensions/signal/src/setup-surface.ts
+++ b/extensions/signal/src/setup-surface.ts
@@ -1,93 +1,33 @@
-import type { ChannelOnboardingDmPolicy } from "../../../src/channels/plugins/onboarding-types.js";
 import {
-  parseOnboardingEntriesAllowingWildcard,
+  parseSetupEntriesAllowingWildcard,
   promptParsedAllowFromForScopedChannel,
   setChannelDmPolicyWithAllowFrom,
-  setOnboardingChannelEnabled,
-} from "../../../src/channels/plugins/onboarding/helpers.js";
-import {
-  applyAccountNameToChannelSection,
-  migrateBaseNameToDefaultAccount,
-} from "../../../src/channels/plugins/setup-helpers.js";
+  setSetupChannelEnabled,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
 import { type ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
-import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
 import { formatCliCommand } from "../../../src/cli/command-format.js";
 import { detectBinary } from "../../../src/commands/onboard-helpers.js";
 import { installSignalCli } from "../../../src/commands/signal-install.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
-import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
 import { formatDocsLink } from "../../../src/terminal/links.js";
-import { normalizeE164 } from "../../../src/utils.js";
 import type { WizardPrompter } from "../../../src/wizard/prompts.js";
 import {
   listSignalAccountIds,
   resolveDefaultSignalAccountId,
   resolveSignalAccount,
 } from "./accounts.js";
+import {
+  normalizeSignalAccountInput,
+  parseSignalAllowFromEntries,
+  signalSetupAdapter,
+} from "./setup-core.js";
 
 const channel = "signal" as const;
-const MIN_E164_DIGITS = 5;
-const MAX_E164_DIGITS = 15;
-const DIGITS_ONLY = /^\d+$/;
 const INVALID_SIGNAL_ACCOUNT_ERROR =
   "Invalid E.164 phone number (must start with + and country code, e.g. +15555550123)";
 
-export function normalizeSignalAccountInput(value: string | null | undefined): string | null {
-  const trimmed = value?.trim();
-  if (!trimmed) {
-    return null;
-  }
-  const normalized = normalizeE164(trimmed);
-  const digits = normalized.slice(1);
-  if (!DIGITS_ONLY.test(digits)) {
-    return null;
-  }
-  if (digits.length < MIN_E164_DIGITS || digits.length > MAX_E164_DIGITS) {
-    return null;
-  }
-  return `+${digits}`;
-}
-
-function isUuidLike(value: string): boolean {
-  return /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value);
-}
-
-export function parseSignalAllowFromEntries(raw: string): { entries: string[]; error?: string } {
-  return parseOnboardingEntriesAllowingWildcard(raw, (entry) => {
-    if (entry.toLowerCase().startsWith("uuid:")) {
-      const id = entry.slice("uuid:".length).trim();
-      if (!id) {
-        return { error: "Invalid uuid entry" };
-      }
-      return { value: `uuid:${id}` };
-    }
-    if (isUuidLike(entry)) {
-      return { value: `uuid:${entry}` };
-    }
-    const normalized = normalizeSignalAccountInput(entry);
-    if (!normalized) {
-      return { error: `Invalid entry: ${entry}` };
-    }
-    return { value: normalized };
-  });
-}
-
-function buildSignalSetupPatch(input: {
-  signalNumber?: string;
-  cliPath?: string;
-  httpUrl?: string;
-  httpHost?: string;
-  httpPort?: string;
-}) {
-  return {
-    ...(input.signalNumber ? { account: input.signalNumber } : {}),
-    ...(input.cliPath ? { cliPath: input.cliPath } : {}),
-    ...(input.httpUrl ? { httpUrl: input.httpUrl } : {}),
-    ...(input.httpHost ? { httpHost: input.httpHost } : {}),
-    ...(input.httpPort ? { httpPort: Number(input.httpPort) } : {}),
-  };
-}
-
 async function promptSignalAllowFrom(params: {
   cfg: OpenClawConfig;
   prompter: WizardPrompter;
@@ -116,7 +56,7 @@ async function promptSignalAllowFrom(params: {
   });
 }
 
-const signalDmPolicy: ChannelOnboardingDmPolicy = {
+const signalDmPolicy: ChannelSetupDmPolicy = {
   label: "Signal",
   channel,
   policyKey: "channels.signal.dmPolicy",
@@ -131,75 +71,6 @@ const signalDmPolicy: ChannelOnboardingDmPolicy = {
   promptAllowFrom: promptSignalAllowFrom,
 };
 
-export const signalSetupAdapter: ChannelSetupAdapter = {
-  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-  applyAccountName: ({ cfg, accountId, name }) =>
-    applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name,
-    }),
-  validateInput: ({ input }) => {
-    if (
-      !input.signalNumber &&
-      !input.httpUrl &&
-      !input.httpHost &&
-      !input.httpPort &&
-      !input.cliPath
-    ) {
-      return "Signal requires --signal-number or --http-url/--http-host/--http-port/--cli-path.";
-    }
-    return null;
-  },
-  applyAccountConfig: ({ cfg, accountId, input }) => {
-    const namedConfig = applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name: input.name,
-    });
-    const next =
-      accountId !== DEFAULT_ACCOUNT_ID
-        ? migrateBaseNameToDefaultAccount({
-            cfg: namedConfig,
-            channelKey: channel,
-          })
-        : namedConfig;
-    if (accountId === DEFAULT_ACCOUNT_ID) {
-      return {
-        ...next,
-        channels: {
-          ...next.channels,
-          signal: {
-            ...next.channels?.signal,
-            enabled: true,
-            ...buildSignalSetupPatch(input),
-          },
-        },
-      };
-    }
-    return {
-      ...next,
-      channels: {
-        ...next.channels,
-        signal: {
-          ...next.channels?.signal,
-          enabled: true,
-          accounts: {
-            ...next.channels?.signal?.accounts,
-            [accountId]: {
-              ...next.channels?.signal?.accounts?.[accountId],
-              enabled: true,
-              ...buildSignalSetupPatch(input),
-            },
-          },
-        },
-      },
-    };
-  },
-};
-
 export const signalSetupWizard: ChannelSetupWizard = {
   channel,
   status: {
@@ -308,5 +179,7 @@ export const signalSetupWizard: ChannelSetupWizard = {
     ],
   },
   dmPolicy: signalDmPolicy,
-  disable: (cfg) => setOnboardingChannelEnabled(cfg, channel, false),
+  disable: (cfg) => setSetupChannelEnabled(cfg, channel, false),
 };
+
+export { normalizeSignalAccountInput, parseSignalAllowFromEntries, signalSetupAdapter };
diff --git a/extensions/slack/index.ts b/extensions/slack/index.ts
index 57d855141be..f1147cb9c91 100644
--- a/extensions/slack/index.ts
+++ b/extensions/slack/index.ts
@@ -1,5 +1,5 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/slack";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/slack";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/core";
 import { slackPlugin } from "./src/channel.js";
 import { setSlackRuntime } from "./src/runtime.js";
 
diff --git a/extensions/slack/package.json b/extensions/slack/package.json
index 183cdce7ad4..51439a37170 100644
--- a/extensions/slack/package.json
+++ b/extensions/slack/package.json
@@ -7,6 +7,7 @@
   "openclaw": {
     "extensions": [
       "./index.ts"
-    ]
+    ],
+    "setupEntry": "./setup-entry.ts"
   }
 }
diff --git a/extensions/slack/setup-entry.ts b/extensions/slack/setup-entry.ts
new file mode 100644
index 00000000000..1bd6eabde59
--- /dev/null
+++ b/extensions/slack/setup-entry.ts
@@ -0,0 +1,3 @@
+import { slackSetupPlugin } from "./src/channel.setup.js";
+
+export default { plugin: slackSetupPlugin };
diff --git a/extensions/slack/src/blocks-render.ts b/extensions/slack/src/blocks-render.ts
new file mode 100644
index 00000000000..f22b179223d
--- /dev/null
+++ b/extensions/slack/src/blocks-render.ts
@@ -0,0 +1,85 @@
+import type { Block, KnownBlock } from "@slack/web-api";
+import { reduceInteractiveReply } from "../../../src/channels/plugins/outbound/interactive.js";
+import type { InteractiveReply } from "../../../src/interactive/payload.js";
+import { truncateSlackText } from "./truncate.js";
+
+export const SLACK_REPLY_BUTTON_ACTION_ID = "openclaw:reply_button";
+export const SLACK_REPLY_SELECT_ACTION_ID = "openclaw:reply_select";
+const SLACK_SECTION_TEXT_MAX = 3000;
+const SLACK_PLAIN_TEXT_MAX = 75;
+
+export type SlackBlock = Block | KnownBlock;
+
+export function buildSlackInteractiveBlocks(interactive?: InteractiveReply): SlackBlock[] {
+  const initialState = {
+    blocks: [] as SlackBlock[],
+    buttonIndex: 0,
+    selectIndex: 0,
+  };
+  return reduceInteractiveReply(interactive, initialState, (state, block) => {
+    if (block.type === "text") {
+      const trimmed = block.text.trim();
+      if (!trimmed) {
+        return state;
+      }
+      state.blocks.push({
+        type: "section",
+        text: {
+          type: "mrkdwn",
+          text: truncateSlackText(trimmed, SLACK_SECTION_TEXT_MAX),
+        },
+      });
+      return state;
+    }
+    if (block.type === "buttons") {
+      if (block.buttons.length === 0) {
+        return state;
+      }
+      state.blocks.push({
+        type: "actions",
+        block_id: `openclaw_reply_buttons_${++state.buttonIndex}`,
+        elements: block.buttons.map((button, choiceIndex) => ({
+          type: "button",
+          action_id: SLACK_REPLY_BUTTON_ACTION_ID,
+          text: {
+            type: "plain_text",
+            text: truncateSlackText(button.label, SLACK_PLAIN_TEXT_MAX),
+            emoji: true,
+          },
+          value: button.value,
+        })),
+      });
+      return state;
+    }
+    if (block.options.length === 0) {
+      return state;
+    }
+    state.blocks.push({
+      type: "actions",
+      block_id: `openclaw_reply_select_${++state.selectIndex}`,
+      elements: [
+        {
+          type: "static_select",
+          action_id: SLACK_REPLY_SELECT_ACTION_ID,
+          placeholder: {
+            type: "plain_text",
+            text: truncateSlackText(
+              block.placeholder?.trim() || "Choose an option",
+              SLACK_PLAIN_TEXT_MAX,
+            ),
+            emoji: true,
+          },
+          options: block.options.map((option, choiceIndex) => ({
+            text: {
+              type: "plain_text",
+              text: truncateSlackText(option.label, SLACK_PLAIN_TEXT_MAX),
+              emoji: true,
+            },
+            value: option.value,
+          })),
+        },
+      ],
+    });
+    return state;
+  }).blocks;
+}
diff --git a/extensions/slack/src/channel.runtime.ts b/extensions/slack/src/channel.runtime.ts
new file mode 100644
index 00000000000..eefcc2c6215
--- /dev/null
+++ b/extensions/slack/src/channel.runtime.ts
@@ -0,0 +1 @@
+export { slackSetupWizard } from "./setup-surface.js";
diff --git a/extensions/slack/src/channel.setup.ts b/extensions/slack/src/channel.setup.ts
new file mode 100644
index 00000000000..b5723ea5130
--- /dev/null
+++ b/extensions/slack/src/channel.setup.ts
@@ -0,0 +1,102 @@
+import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
+import {
+  createScopedAccountConfigAccessors,
+  formatAllowFromLowercase,
+} from "openclaw/plugin-sdk/compat";
+import {
+  buildChannelConfigSchema,
+  getChatChannelMeta,
+  SlackConfigSchema,
+  type ChannelPlugin,
+} from "openclaw/plugin-sdk/slack";
+import { inspectSlackAccount } from "./account-inspect.js";
+import {
+  listSlackAccountIds,
+  resolveDefaultSlackAccountId,
+  resolveSlackAccount,
+  type ResolvedSlackAccount,
+} from "./accounts.js";
+import { isSlackInteractiveRepliesEnabled } from "./interactive-replies.js";
+import { createSlackSetupWizardProxy, slackSetupAdapter } from "./setup-core.js";
+
+async function loadSlackChannelRuntime() {
+  return await import("./channel.runtime.js");
+}
+
+function isSlackAccountConfigured(account: ResolvedSlackAccount): boolean {
+  const mode = account.config.mode ?? "socket";
+  const hasBotToken = Boolean(account.botToken?.trim());
+  if (!hasBotToken) {
+    return false;
+  }
+  if (mode === "http") {
+    return Boolean(account.config.signingSecret?.trim());
+  }
+  return Boolean(account.appToken?.trim());
+}
+
+const slackConfigAccessors = createScopedAccountConfigAccessors({
+  resolveAccount: ({ cfg, accountId }) => resolveSlackAccount({ cfg, accountId }),
+  resolveAllowFrom: (account: ResolvedSlackAccount) => account.dm?.allowFrom,
+  formatAllowFrom: (allowFrom) => formatAllowFromLowercase({ allowFrom }),
+  resolveDefaultTo: (account: ResolvedSlackAccount) => account.config.defaultTo,
+});
+
+const slackConfigBase = createScopedChannelConfigBase({
+  sectionKey: "slack",
+  listAccountIds: listSlackAccountIds,
+  resolveAccount: (cfg, accountId) => resolveSlackAccount({ cfg, accountId }),
+  inspectAccount: (cfg, accountId) => inspectSlackAccount({ cfg, accountId }),
+  defaultAccountId: resolveDefaultSlackAccountId,
+  clearBaseFields: ["botToken", "appToken", "name"],
+});
+
+const slackSetupWizard = createSlackSetupWizardProxy(async () => ({
+  slackSetupWizard: (await loadSlackChannelRuntime()).slackSetupWizard,
+}));
+
+export const slackSetupPlugin: ChannelPlugin<ResolvedSlackAccount> = {
+  id: "slack",
+  meta: {
+    ...getChatChannelMeta("slack"),
+    preferSessionLookupForAnnounceTarget: true,
+  },
+  setupWizard: slackSetupWizard,
+  capabilities: {
+    chatTypes: ["direct", "channel", "thread"],
+    reactions: true,
+    threads: true,
+    media: true,
+    nativeCommands: true,
+  },
+  agentPrompt: {
+    messageToolHints: ({ cfg, accountId }) =>
+      isSlackInteractiveRepliesEnabled({ cfg, accountId })
+        ? [
+            "- Slack interactive replies: use `[[slack_buttons: Label:value, Other:other]]` to add action buttons that route clicks back as Slack interaction system events.",
+            "- Slack selects: use `[[slack_select: Placeholder | Label:value, Other:other]]` to add a static select menu that routes the chosen value back as a Slack interaction system event.",
+          ]
+        : [
+            "- Slack interactive replies are disabled. If needed, ask to set `channels.slack.capabilities.interactiveReplies=true` (or the same under `channels.slack.accounts.<account>.capabilities`).",
+          ],
+  },
+  streaming: {
+    blockStreamingCoalesceDefaults: { minChars: 1500, idleMs: 1000 },
+  },
+  reload: { configPrefixes: ["channels.slack"] },
+  configSchema: buildChannelConfigSchema(SlackConfigSchema),
+  config: {
+    ...slackConfigBase,
+    isConfigured: (account) => isSlackAccountConfigured(account),
+    describeAccount: (account) => ({
+      accountId: account.accountId,
+      name: account.name,
+      enabled: account.enabled,
+      configured: isSlackAccountConfigured(account),
+      botTokenSource: account.botTokenSource,
+      appTokenSource: account.appTokenSource,
+    }),
+    ...slackConfigAccessors,
+  },
+  setup: slackSetupAdapter,
+};
diff --git a/extensions/slack/src/channel.ts b/extensions/slack/src/channel.ts
index 5903e5755b2..a07608d836a 100644
--- a/extensions/slack/src/channel.ts
+++ b/extensions/slack/src/channel.ts
@@ -1,21 +1,22 @@
 import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
 import {
+  buildAccountScopedAllowlistConfigEditor,
   buildAccountScopedDmSecurityPolicy,
   collectOpenProviderGroupPolicyWarnings,
   collectOpenGroupPolicyConfiguredRouteWarnings,
   createScopedAccountConfigAccessors,
   formatAllowFromLowercase,
 } from "openclaw/plugin-sdk/compat";
+import {
+  buildAgentSessionKey,
+  resolveThreadSessionKeys,
+  type RoutePeer,
+} from "openclaw/plugin-sdk/core";
 import {
   buildComputedAccountStatusSnapshot,
   buildChannelConfigSchema,
   DEFAULT_ACCOUNT_ID,
-  extractSlackToolSend,
   getChatChannelMeta,
-  handleSlackMessageAction,
-  inspectSlackAccount,
-  listSlackMessageActions,
-  listSlackAccountIds,
   listSlackDirectoryGroupsFromConfig,
   listSlackDirectoryPeersFromConfig,
   looksLikeSlackTargetId,
@@ -23,23 +24,43 @@ import {
   PAIRING_APPROVED_MESSAGE,
   projectCredentialSnapshotFields,
   resolveConfiguredFromRequiredCredentialStatuses,
-  resolveDefaultSlackAccountId,
-  resolveSlackAccount,
-  resolveSlackReplyToMode,
-  isSlackInteractiveRepliesEnabled,
   resolveSlackGroupRequireMention,
   resolveSlackGroupToolPolicy,
-  buildSlackThreadingToolContext,
   SlackConfigSchema,
   type ChannelPlugin,
-  type ResolvedSlackAccount,
+  type OpenClawConfig,
 } from "openclaw/plugin-sdk/slack";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import { buildPassiveProbedChannelStatusSummary } from "../../shared/channel-status-summary.js";
+import { inspectSlackAccount } from "./account-inspect.js";
+import {
+  listEnabledSlackAccounts,
+  listSlackAccountIds,
+  resolveDefaultSlackAccountId,
+  resolveSlackAccount,
+  resolveSlackReplyToMode,
+  type ResolvedSlackAccount,
+} from "./accounts.js";
+import { parseSlackBlocksInput } from "./blocks-input.js";
+import { createSlackWebClient } from "./client.js";
+import { isSlackInteractiveRepliesEnabled } from "./interactive-replies.js";
+import { handleSlackMessageAction } from "./message-action-dispatch.js";
+import { extractSlackToolSend, listSlackMessageActions } from "./message-actions.js";
+import { normalizeAllowListLower } from "./monitor/allow-list.js";
+import type { SlackProbe } from "./probe.js";
+import { resolveSlackUserAllowlist } from "./resolve-users.js";
 import { getSlackRuntime } from "./runtime.js";
-import { slackSetupAdapter, slackSetupWizard } from "./setup-surface.js";
+import { fetchSlackScopes } from "./scopes.js";
+import { createSlackSetupWizardProxy, slackSetupAdapter } from "./setup-core.js";
+import { parseSlackTarget } from "./targets.js";
+import { buildSlackThreadingToolContext } from "./threading-tool-context.js";
 
 const meta = getChatChannelMeta("slack");
+const SLACK_CHANNEL_TYPE_CACHE = new Map<string, "channel" | "group" | "dm" | "unknown">();
+
+async function loadSlackChannelRuntime() {
+  return await import("./channel.runtime.js");
+}
 
 // Select the appropriate Slack token for read/write operations.
 function getTokenForOperation(
@@ -90,6 +111,240 @@ function resolveSlackSendContext(params: {
   return { send, threadTsValue, tokenOverride };
 }
 
+function resolveSlackAutoThreadId(params: {
+  cfg: Parameters<typeof resolveSlackAccount>[0]["cfg"];
+  accountId?: string | null;
+  to: string;
+  toolContext?: {
+    currentChannelId?: string;
+    currentThreadTs?: string;
+    replyToMode?: "off" | "first" | "all";
+    hasRepliedRef?: { value: boolean };
+  };
+}): string | undefined {
+  const context = params.toolContext;
+  if (!context?.currentThreadTs || !context.currentChannelId) {
+    return undefined;
+  }
+  if (context.replyToMode !== "all" && context.replyToMode !== "first") {
+    return undefined;
+  }
+  const parsedTarget = parseSlackTarget(params.to, { defaultKind: "channel" });
+  if (!parsedTarget || parsedTarget.kind !== "channel") {
+    return undefined;
+  }
+  if (parsedTarget.id.toLowerCase() !== context.currentChannelId.toLowerCase()) {
+    return undefined;
+  }
+  if (context.replyToMode === "first" && context.hasRepliedRef?.value) {
+    return undefined;
+  }
+  return context.currentThreadTs;
+}
+
+function parseSlackExplicitTarget(raw: string) {
+  const target = parseSlackTarget(raw, { defaultKind: "channel" });
+  if (!target) {
+    return null;
+  }
+  return {
+    to: target.id,
+    chatType: target.kind === "user" ? ("direct" as const) : ("channel" as const),
+  };
+}
+
+function normalizeOutboundThreadId(value?: string | number | null): string | undefined {
+  if (value == null) {
+    return undefined;
+  }
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      return undefined;
+    }
+    return String(Math.trunc(value));
+  }
+  const trimmed = value.trim();
+  return trimmed ? trimmed : undefined;
+}
+
+function buildSlackBaseSessionKey(params: {
+  cfg: OpenClawConfig;
+  agentId: string;
+  accountId?: string | null;
+  peer: RoutePeer;
+}) {
+  return buildAgentSessionKey({
+    agentId: params.agentId,
+    channel: "slack",
+    accountId: params.accountId,
+    peer: params.peer,
+    dmScope: params.cfg.session?.dmScope ?? "main",
+    identityLinks: params.cfg.session?.identityLinks,
+  });
+}
+
+async function resolveSlackChannelType(params: {
+  cfg: OpenClawConfig;
+  accountId?: string | null;
+  channelId: string;
+}): Promise<"channel" | "group" | "dm" | "unknown"> {
+  const channelId = params.channelId.trim();
+  if (!channelId) {
+    return "unknown";
+  }
+  const cacheKey = `${params.accountId ?? "default"}:${channelId}`;
+  const cached = SLACK_CHANNEL_TYPE_CACHE.get(cacheKey);
+  if (cached) {
+    return cached;
+  }
+
+  const account = resolveSlackAccount({ cfg: params.cfg, accountId: params.accountId });
+  const groupChannels = normalizeAllowListLower(account.dm?.groupChannels);
+  const channelIdLower = channelId.toLowerCase();
+  if (
+    groupChannels.includes(channelIdLower) ||
+    groupChannels.includes(`slack:${channelIdLower}`) ||
+    groupChannels.includes(`channel:${channelIdLower}`) ||
+    groupChannels.includes(`group:${channelIdLower}`) ||
+    groupChannels.includes(`mpim:${channelIdLower}`)
+  ) {
+    SLACK_CHANNEL_TYPE_CACHE.set(cacheKey, "group");
+    return "group";
+  }
+
+  const channelKeys = Object.keys(account.channels ?? {});
+  if (
+    channelKeys.some((key) => {
+      const normalized = key.trim().toLowerCase();
+      return (
+        normalized === channelIdLower ||
+        normalized === `channel:${channelIdLower}` ||
+        normalized.replace(/^#/, "") === channelIdLower
+      );
+    })
+  ) {
+    SLACK_CHANNEL_TYPE_CACHE.set(cacheKey, "channel");
+    return "channel";
+  }
+
+  const token = account.botToken?.trim() || account.config.userToken?.trim() || "";
+  if (!token) {
+    SLACK_CHANNEL_TYPE_CACHE.set(cacheKey, "unknown");
+    return "unknown";
+  }
+
+  try {
+    const client = createSlackWebClient(token);
+    const info = await client.conversations.info({ channel: channelId });
+    const channel = info.channel as { is_im?: boolean; is_mpim?: boolean } | undefined;
+    const type = channel?.is_im ? "dm" : channel?.is_mpim ? "group" : "channel";
+    SLACK_CHANNEL_TYPE_CACHE.set(cacheKey, type);
+    return type;
+  } catch {
+    SLACK_CHANNEL_TYPE_CACHE.set(cacheKey, "unknown");
+    return "unknown";
+  }
+}
+
+async function resolveSlackOutboundSessionRoute(params: {
+  cfg: OpenClawConfig;
+  agentId: string;
+  accountId?: string | null;
+  target: string;
+  replyToId?: string | null;
+  threadId?: string | number | null;
+}) {
+  const parsed = parseSlackTarget(params.target, { defaultKind: "channel" });
+  if (!parsed) {
+    return null;
+  }
+  const isDm = parsed.kind === "user";
+  let peerKind: "direct" | "channel" | "group" = isDm ? "direct" : "channel";
+  if (!isDm && /^G/i.test(parsed.id)) {
+    const channelType = await resolveSlackChannelType({
+      cfg: params.cfg,
+      accountId: params.accountId,
+      channelId: parsed.id,
+    });
+    if (channelType === "group") {
+      peerKind = "group";
+    }
+    if (channelType === "dm") {
+      peerKind = "direct";
+    }
+  }
+  const peer: RoutePeer = {
+    kind: peerKind,
+    id: parsed.id,
+  };
+  const baseSessionKey = buildSlackBaseSessionKey({
+    cfg: params.cfg,
+    agentId: params.agentId,
+    accountId: params.accountId,
+    peer,
+  });
+  const threadId = normalizeOutboundThreadId(params.threadId ?? params.replyToId);
+  const threadKeys = resolveThreadSessionKeys({
+    baseSessionKey,
+    threadId,
+  });
+  return {
+    sessionKey: threadKeys.sessionKey,
+    baseSessionKey,
+    peer,
+    chatType: peerKind === "direct" ? ("direct" as const) : ("channel" as const),
+    from:
+      peerKind === "direct"
+        ? `slack:${parsed.id}`
+        : peerKind === "group"
+          ? `slack:group:${parsed.id}`
+          : `slack:channel:${parsed.id}`,
+    to: peerKind === "direct" ? `user:${parsed.id}` : `channel:${parsed.id}`,
+    threadId,
+  };
+}
+
+function formatSlackScopeDiagnostic(params: {
+  tokenType: "bot" | "user";
+  result: Awaited<ReturnType<typeof fetchSlackScopes>>;
+}) {
+  const source = params.result.source ? ` (${params.result.source})` : "";
+  const label = params.tokenType === "user" ? "User scopes" : "Bot scopes";
+  if (params.result.ok && params.result.scopes?.length) {
+    return { text: `${label}${source}: ${params.result.scopes.join(", ")}` } as const;
+  }
+  return {
+    text: `${label}: ${params.result.error ?? "scope lookup failed"}`,
+    tone: "error",
+  } as const;
+}
+
+function readSlackAllowlistConfig(account: ResolvedSlackAccount) {
+  return {
+    dmAllowFrom: (account.config.allowFrom ?? account.config.dm?.allowFrom ?? []).map(String),
+    groupPolicy: account.groupPolicy,
+    groupOverrides: Object.entries(account.channels ?? {})
+      .map(([key, value]) => {
+        const entries = (value?.users ?? []).map(String).filter(Boolean);
+        return entries.length > 0 ? { label: key, entries } : null;
+      })
+      .filter(Boolean) as Array<{ label: string; entries: string[] }>,
+  };
+}
+
+async function resolveSlackAllowlistNames(params: {
+  cfg: Parameters<typeof resolveSlackAccount>[0]["cfg"];
+  accountId?: string | null;
+  entries: string[];
+}) {
+  const account = resolveSlackAccount({ cfg: params.cfg, accountId: params.accountId });
+  const token = account.config.userToken?.trim() || account.botToken?.trim();
+  if (!token) {
+    return [];
+  }
+  return await resolveSlackUserAllowlist({ token, entries: params.entries });
+}
+
 const slackConfigAccessors = createScopedAccountConfigAccessors({
   resolveAccount: ({ cfg, accountId }) => resolveSlackAccount({ cfg, accountId }),
   resolveAllowFrom: (account: ResolvedSlackAccount) => account.dm?.allowFrom,
@@ -106,6 +361,10 @@ const slackConfigBase = createScopedChannelConfigBase({
   clearBaseFields: ["botToken", "appToken", "name"],
 });
 
+const slackSetupWizard = createSlackSetupWizardProxy(async () => ({
+  slackSetupWizard: (await loadSlackChannelRuntime()).slackSetupWizard,
+}));
+
 export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
   id: "slack",
   meta: {
@@ -177,6 +436,26 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
     }),
     ...slackConfigAccessors,
   },
+  allowlist: {
+    supportsScope: ({ scope }) => scope === "dm",
+    readConfig: ({ cfg, accountId }) =>
+      readSlackAllowlistConfig(resolveSlackAccount({ cfg, accountId })),
+    resolveNames: async ({ cfg, accountId, entries }) =>
+      await resolveSlackAllowlistNames({ cfg, accountId, entries }),
+    applyConfigEdit: buildAccountScopedAllowlistConfigEditor({
+      channelId: "slack",
+      normalize: ({ cfg, accountId, values }) =>
+        slackConfigAccessors.formatAllowFrom!({ cfg, accountId, allowFrom: values }),
+      resolvePaths: (scope) =>
+        scope === "dm"
+          ? {
+              readPaths: [["allowFrom"], ["dm", "allowFrom"]],
+              writePath: ["allowFrom"],
+              cleanupPaths: [["dm", "allowFrom"]],
+            }
+          : null,
+    }),
+  },
   security: {
     resolveDmPolicy: ({ cfg, accountId, account }) => {
       return buildAccountScopedDmSecurityPolicy({
@@ -227,9 +506,38 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
       resolveSlackReplyToMode(resolveSlackAccount({ cfg, accountId }), chatType),
     allowExplicitReplyTagsWhenOff: false,
     buildToolContext: (params) => buildSlackThreadingToolContext(params),
+    resolveAutoThreadId: ({ cfg, accountId, to, toolContext, replyToId }) =>
+      replyToId
+        ? undefined
+        : resolveSlackAutoThreadId({
+            cfg,
+            accountId,
+            to,
+            toolContext,
+          }),
+    resolveReplyTransport: ({ threadId, replyToId }) => ({
+      replyToId: replyToId ?? (threadId != null && threadId !== "" ? String(threadId) : undefined),
+      threadId: null,
+    }),
   },
   messaging: {
     normalizeTarget: normalizeSlackMessagingTarget,
+    parseExplicitTarget: ({ raw }) => parseSlackExplicitTarget(raw),
+    inferTargetChatType: ({ to }) => parseSlackExplicitTarget(to)?.chatType,
+    resolveOutboundSessionRoute: async (params) => await resolveSlackOutboundSessionRoute(params),
+    enableInteractiveReplies: ({ cfg, accountId }) =>
+      isSlackInteractiveRepliesEnabled({ cfg, accountId }),
+    hasStructuredReplyPayload: ({ payload }) => {
+      const slackData = payload.channelData?.slack;
+      if (!slackData || typeof slackData !== "object" || Array.isArray(slackData)) {
+        return false;
+      }
+      try {
+        return Boolean(parseSlackBlocksInput((slackData as { blocks?: unknown }).blocks)?.length);
+      } catch {
+        return false;
+      }
+    },
     targetResolver: {
       looksLikeId: looksLikeSlackTargetId,
       hint: "<channelId|user:ID|channel:ID>",
@@ -284,6 +592,16 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
   },
   actions: {
     listActions: ({ cfg }) => listSlackMessageActions(cfg),
+    getCapabilities: ({ cfg }) => {
+      const capabilities = new Set<"interactive" | "blocks">();
+      if (listSlackMessageActions(cfg).includes("send")) {
+        capabilities.add("blocks");
+      }
+      if (isSlackInteractiveRepliesEnabled({ cfg })) {
+        capabilities.add("interactive");
+      }
+      return Array.from(capabilities);
+    },
     extractToolSend: ({ args }) => extractSlackToolSend(args),
     handleAction: async (ctx) =>
       await handleSlackMessageAction({
@@ -364,6 +682,35 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
       }
       return await getSlackRuntime().channel.slack.probeSlack(token, timeoutMs);
     },
+    formatCapabilitiesProbe: ({ probe }) => {
+      const slackProbe = probe as SlackProbe | undefined;
+      const lines = [];
+      if (slackProbe?.bot?.name) {
+        lines.push({ text: `Bot: @${slackProbe.bot.name}` });
+      }
+      if (slackProbe?.team?.name || slackProbe?.team?.id) {
+        const id = slackProbe.team?.id ? ` (${slackProbe.team.id})` : "";
+        lines.push({ text: `Team: ${slackProbe.team?.name ?? "unknown"}${id}` });
+      }
+      return lines;
+    },
+    buildCapabilitiesDiagnostics: async ({ account, timeoutMs }) => {
+      const lines = [];
+      const details: Record<string, unknown> = {};
+      const botToken = account.botToken?.trim();
+      const userToken = account.config.userToken?.trim();
+      const botScopes = botToken
+        ? await fetchSlackScopes(botToken, timeoutMs)
+        : { ok: false, error: "Slack bot token missing." };
+      lines.push(formatSlackScopeDiagnostic({ tokenType: "bot", result: botScopes }));
+      details.botScopes = botScopes;
+      if (userToken) {
+        const userScopes = await fetchSlackScopes(userToken, timeoutMs);
+        lines.push(formatSlackScopeDiagnostic({ tokenType: "user", result: userScopes }));
+        details.userScopes = userScopes;
+      }
+      return { lines, details };
+    },
     buildAccountSnapshot: ({ account, runtime, probe }) => {
       const mode = account.config.mode ?? "socket";
       const configured =
diff --git a/extensions/slack/src/message-action-dispatch.ts b/extensions/slack/src/message-action-dispatch.ts
new file mode 100644
index 00000000000..fc902f49558
--- /dev/null
+++ b/extensions/slack/src/message-action-dispatch.ts
@@ -0,0 +1,334 @@
+import type { AgentToolResult } from "@mariozechner/pi-agent-core";
+import type { ChannelMessageActionContext } from "openclaw/plugin-sdk/core";
+import { parseSlackBlocksInput } from "./blocks-input.js";
+import { buildSlackInteractiveBlocks } from "./blocks-render.js";
+
+type SlackActionInvoke = (
+  action: Record<string, unknown>,
+  cfg: ChannelMessageActionContext["cfg"],
+  toolContext?: ChannelMessageActionContext["toolContext"],
+) => Promise<AgentToolResult<unknown>>;
+
+type InteractiveButtonStyle = "primary" | "secondary" | "success" | "danger";
+
+type InteractiveReplyButton = {
+  label: string;
+  value: string;
+  style?: InteractiveButtonStyle;
+};
+
+type InteractiveReplyOption = {
+  label: string;
+  value: string;
+};
+
+type InteractiveReplyBlock =
+  | { type: "text"; text: string }
+  | { type: "buttons"; buttons: InteractiveReplyButton[] }
+  | { type: "select"; placeholder?: string; options: InteractiveReplyOption[] };
+
+type InteractiveReply = {
+  blocks: InteractiveReplyBlock[];
+};
+
+function readTrimmedString(value: unknown): string | undefined {
+  if (typeof value !== "string") {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  return trimmed || undefined;
+}
+
+function normalizeButtonStyle(value: unknown): InteractiveButtonStyle | undefined {
+  const style = readTrimmedString(value)?.toLowerCase();
+  return style === "primary" || style === "secondary" || style === "success" || style === "danger"
+    ? style
+    : undefined;
+}
+
+function normalizeInteractiveButton(raw: unknown): InteractiveReplyButton | undefined {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return undefined;
+  }
+  const record = raw as Record<string, unknown>;
+  const label = readTrimmedString(record.label) ?? readTrimmedString(record.text);
+  const value =
+    readTrimmedString(record.value) ??
+    readTrimmedString(record.callbackData) ??
+    readTrimmedString(record.callback_data);
+  if (!label || !value) {
+    return undefined;
+  }
+  return { label, value, style: normalizeButtonStyle(record.style) };
+}
+
+function normalizeInteractiveOption(raw: unknown): InteractiveReplyOption | undefined {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return undefined;
+  }
+  const record = raw as Record<string, unknown>;
+  const label = readTrimmedString(record.label) ?? readTrimmedString(record.text);
+  const value = readTrimmedString(record.value);
+  return label && value ? { label, value } : undefined;
+}
+
+function normalizeInteractiveReply(raw: unknown): InteractiveReply | undefined {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return undefined;
+  }
+  const record = raw as Record<string, unknown>;
+  const blocks = Array.isArray(record.blocks)
+    ? record.blocks
+        .map((entry) => {
+          if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+            return undefined;
+          }
+          const block = entry as Record<string, unknown>;
+          const type = readTrimmedString(block.type)?.toLowerCase();
+          if (type === "text") {
+            const text = readTrimmedString(block.text);
+            return text ? ({ type: "text", text } as const) : undefined;
+          }
+          if (type === "buttons") {
+            const buttons = Array.isArray(block.buttons)
+              ? block.buttons
+                  .map((button) => normalizeInteractiveButton(button))
+                  .filter((button): button is InteractiveReplyButton => Boolean(button))
+              : [];
+            return buttons.length > 0 ? ({ type: "buttons", buttons } as const) : undefined;
+          }
+          if (type === "select") {
+            const options = Array.isArray(block.options)
+              ? block.options
+                  .map((option) => normalizeInteractiveOption(option))
+                  .filter((option): option is InteractiveReplyOption => Boolean(option))
+              : [];
+            return options.length > 0
+              ? ({
+                  type: "select",
+                  placeholder: readTrimmedString(block.placeholder),
+                  options,
+                } as const)
+              : undefined;
+          }
+          return undefined;
+        })
+        .filter((entry): entry is InteractiveReplyBlock => Boolean(entry))
+    : [];
+  return blocks.length > 0 ? { blocks } : undefined;
+}
+
+function readStringParam(
+  params: Record<string, unknown>,
+  key: string,
+  options: { required?: boolean; trim?: boolean; label?: string; allowEmpty?: boolean } = {},
+): string | undefined {
+  const { required = false, trim = true, label = key, allowEmpty = false } = options;
+  const raw = params[key];
+  if (typeof raw !== "string") {
+    if (required) {
+      throw new Error(`${label} required`);
+    }
+    return undefined;
+  }
+  const value = trim ? raw.trim() : raw;
+  if (!value && !allowEmpty) {
+    if (required) {
+      throw new Error(`${label} required`);
+    }
+    return undefined;
+  }
+  return value;
+}
+
+function readNumberParam(
+  params: Record<string, unknown>,
+  key: string,
+  options: { required?: boolean; label?: string; integer?: boolean; strict?: boolean } = {},
+): number | undefined {
+  const { required = false, label = key, integer = false, strict = false } = options;
+  const raw = params[key];
+  let value: number | undefined;
+  if (typeof raw === "number" && Number.isFinite(raw)) {
+    value = raw;
+  } else if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    if (trimmed) {
+      const parsed = strict ? Number(trimmed) : Number.parseFloat(trimmed);
+      if (Number.isFinite(parsed)) {
+        value = parsed;
+      }
+    }
+  }
+  if (value === undefined) {
+    if (required) {
+      throw new Error(`${label} required`);
+    }
+    return undefined;
+  }
+  return integer ? Math.trunc(value) : value;
+}
+
+function readSlackBlocksParam(actionParams: Record<string, unknown>) {
+  return parseSlackBlocksInput(actionParams.blocks) as Record<string, unknown>[] | undefined;
+}
+
+export async function handleSlackMessageAction(params: {
+  providerId: string;
+  ctx: ChannelMessageActionContext;
+  invoke: SlackActionInvoke;
+  normalizeChannelId?: (channelId: string) => string;
+  includeReadThreadId?: boolean;
+}): Promise<AgentToolResult<unknown>> {
+  const { providerId, ctx, invoke, normalizeChannelId, includeReadThreadId = false } = params;
+  const { action, cfg, params: actionParams } = ctx;
+  const accountId = ctx.accountId ?? undefined;
+  const resolveChannelId = () => {
+    const channelId =
+      readStringParam(actionParams, "channelId") ??
+      readStringParam(actionParams, "to", { required: true });
+    if (!channelId) {
+      throw new Error("channelId required");
+    }
+    return normalizeChannelId ? normalizeChannelId(channelId) : channelId;
+  };
+
+  if (action === "send") {
+    const to = readStringParam(actionParams, "to", { required: true });
+    const content = readStringParam(actionParams, "message", { allowEmpty: true });
+    const mediaUrl = readStringParam(actionParams, "media", { trim: false });
+    const interactive = normalizeInteractiveReply(actionParams.interactive);
+    const interactiveBlocks = interactive ? buildSlackInteractiveBlocks(interactive) : undefined;
+    const blocks = readSlackBlocksParam(actionParams) ?? interactiveBlocks;
+    if (!content && !mediaUrl && !blocks) {
+      throw new Error("Slack send requires message, blocks, or media.");
+    }
+    if (mediaUrl && blocks) {
+      throw new Error("Slack send does not support blocks with media.");
+    }
+    const threadId = readStringParam(actionParams, "threadId");
+    const replyTo = readStringParam(actionParams, "replyTo");
+    return await invoke(
+      {
+        action: "sendMessage",
+        to,
+        content: content ?? "",
+        mediaUrl: mediaUrl ?? undefined,
+        accountId,
+        threadTs: threadId ?? replyTo ?? undefined,
+        ...(blocks ? { blocks } : {}),
+      },
+      cfg,
+      ctx.toolContext,
+    );
+  }
+
+  if (action === "react") {
+    const messageId = readStringParam(actionParams, "messageId", { required: true });
+    const emoji = readStringParam(actionParams, "emoji", { allowEmpty: true });
+    const remove = typeof actionParams.remove === "boolean" ? actionParams.remove : undefined;
+    return await invoke(
+      { action: "react", channelId: resolveChannelId(), messageId, emoji, remove, accountId },
+      cfg,
+    );
+  }
+
+  if (action === "reactions") {
+    const messageId = readStringParam(actionParams, "messageId", { required: true });
+    const limit = readNumberParam(actionParams, "limit", { integer: true });
+    return await invoke(
+      { action: "reactions", channelId: resolveChannelId(), messageId, limit, accountId },
+      cfg,
+    );
+  }
+
+  if (action === "read") {
+    const limit = readNumberParam(actionParams, "limit", { integer: true });
+    const readAction: Record<string, unknown> = {
+      action: "readMessages",
+      channelId: resolveChannelId(),
+      limit,
+      before: readStringParam(actionParams, "before"),
+      after: readStringParam(actionParams, "after"),
+      accountId,
+    };
+    if (includeReadThreadId) {
+      readAction.threadId = readStringParam(actionParams, "threadId");
+    }
+    return await invoke(readAction, cfg);
+  }
+
+  if (action === "edit") {
+    const messageId = readStringParam(actionParams, "messageId", { required: true });
+    const content = readStringParam(actionParams, "message", { allowEmpty: true });
+    const blocks = readSlackBlocksParam(actionParams);
+    if (!content && !blocks) {
+      throw new Error("Slack edit requires message or blocks.");
+    }
+    return await invoke(
+      {
+        action: "editMessage",
+        channelId: resolveChannelId(),
+        messageId,
+        content: content ?? "",
+        blocks,
+        accountId,
+      },
+      cfg,
+    );
+  }
+
+  if (action === "delete") {
+    const messageId = readStringParam(actionParams, "messageId", { required: true });
+    return await invoke(
+      { action: "deleteMessage", channelId: resolveChannelId(), messageId, accountId },
+      cfg,
+    );
+  }
+
+  if (action === "pin" || action === "unpin" || action === "list-pins") {
+    const messageId =
+      action === "list-pins"
+        ? undefined
+        : readStringParam(actionParams, "messageId", { required: true });
+    return await invoke(
+      {
+        action: action === "pin" ? "pinMessage" : action === "unpin" ? "unpinMessage" : "listPins",
+        channelId: resolveChannelId(),
+        messageId,
+        accountId,
+      },
+      cfg,
+    );
+  }
+
+  if (action === "member-info") {
+    const userId = readStringParam(actionParams, "userId", { required: true });
+    return await invoke({ action: "memberInfo", userId, accountId }, cfg);
+  }
+
+  if (action === "emoji-list") {
+    const limit = readNumberParam(actionParams, "limit", { integer: true });
+    return await invoke({ action: "emojiList", limit, accountId }, cfg);
+  }
+
+  if (action === "download-file") {
+    const fileId = readStringParam(actionParams, "fileId", { required: true });
+    const channelId =
+      readStringParam(actionParams, "channelId") ?? readStringParam(actionParams, "to");
+    const threadId =
+      readStringParam(actionParams, "threadId") ?? readStringParam(actionParams, "replyTo");
+    return await invoke(
+      {
+        action: "downloadFile",
+        fileId,
+        channelId: channelId ?? undefined,
+        threadId: threadId ?? undefined,
+        accountId,
+      },
+      cfg,
+    );
+  }
+
+  throw new Error(`Action ${action} is not supported for provider ${providerId}.`);
+}
diff --git a/extensions/slack/src/monitor/events/interactions.block-actions.ts b/extensions/slack/src/monitor/events/interactions.block-actions.ts
new file mode 100644
index 00000000000..1f54df45a5d
--- /dev/null
+++ b/extensions/slack/src/monitor/events/interactions.block-actions.ts
@@ -0,0 +1,773 @@
+import type { SlackActionMiddlewareArgs } from "@slack/bolt";
+import type { Block, KnownBlock } from "@slack/web-api";
+import { enqueueSystemEvent } from "../../../../../src/infra/system-events.js";
+import {
+  buildPluginBindingResolvedText,
+  parsePluginBindingApprovalCustomId,
+  resolvePluginConversationBindingApproval,
+} from "../../../../../src/plugins/conversation-binding.js";
+import { dispatchPluginInteractiveHandler } from "../../../../../src/plugins/interactive.js";
+import { SLACK_REPLY_BUTTON_ACTION_ID, SLACK_REPLY_SELECT_ACTION_ID } from "../../blocks-render.js";
+import { authorizeSlackSystemEventSender } from "../auth.js";
+import type { SlackMonitorContext } from "../context.js";
+import { escapeSlackMrkdwn } from "../mrkdwn.js";
+
+type InteractionMessageBlock = {
+  type?: string;
+  block_id?: string;
+  elements?: Array<{ action_id?: string }>;
+};
+
+type SelectOption = {
+  value?: string;
+  text?: { text?: string };
+};
+
+type InteractionSelectionFields = {
+  blockId?: string;
+  callbackId?: string;
+  value?: string;
+  inputKind?: "number" | "text" | "url" | "email" | "rich_text";
+  inputValue?: string;
+  inputNumber?: number;
+  inputEmail?: string;
+  inputUrl?: string;
+  richTextValue?: unknown;
+  richTextPreview?: string;
+  selectedValues?: string[];
+  selectedUsers?: string[];
+  selectedChannels?: string[];
+  selectedConversations?: string[];
+  selectedLabels?: string[];
+  selectedDate?: string;
+  selectedTime?: string;
+  selectedDateTime?: number;
+  actionType?: string;
+  viewId?: string;
+  privateMetadata?: string;
+  viewHash?: string;
+  inputs?: unknown[];
+  isCleared?: boolean;
+  routedChannelType?: string;
+  routedChannelId?: string;
+};
+
+export type InteractionSummary = InteractionSelectionFields & {
+  interactionType?: "block_action" | "view_submission" | "view_closed";
+  actionId: string;
+  userId?: string;
+  teamId?: string;
+  triggerId?: string;
+  responseUrl?: string;
+  workflowTriggerUrl?: string;
+  workflowId?: string;
+  channelId?: string;
+  messageTs?: string;
+  threadTs?: string;
+};
+
+type SlackActionSummary = Omit<InteractionSummary, "actionId" | "blockId">;
+
+type SlackBlockActionBody = {
+  user?: { id?: string };
+  team?: { id?: string };
+  trigger_id?: string;
+  response_url?: string;
+  channel?: { id?: string };
+  container?: { channel_id?: string; message_ts?: string; thread_ts?: string };
+  message?: { ts?: string; text?: string; blocks?: unknown[] };
+};
+
+type SlackBlockActionRespond = NonNullable<SlackActionMiddlewareArgs["respond"]>;
+
+type ParsedSlackBlockAction = {
+  typedBody: SlackBlockActionBody;
+  typedAction: Record<string, unknown>;
+  typedActionWithText: {
+    action_id?: string;
+    block_id?: string;
+    type?: string;
+    text?: { text?: string };
+  };
+  actionId: string;
+  blockId?: string;
+  userId: string;
+  channelId?: string;
+  messageTs?: string;
+  threadTs?: string;
+  actionSummary: SlackActionSummary;
+};
+
+function readOptionValues(options: unknown): string[] | undefined {
+  if (!Array.isArray(options)) {
+    return undefined;
+  }
+  const values = options
+    .map((option) => (option && typeof option === "object" ? (option as SelectOption).value : null))
+    .filter((value): value is string => typeof value === "string" && value.trim().length > 0);
+  return values.length > 0 ? values : undefined;
+}
+
+function readOptionLabels(options: unknown): string[] | undefined {
+  if (!Array.isArray(options)) {
+    return undefined;
+  }
+  const labels = options
+    .map((option) =>
+      option && typeof option === "object" ? ((option as SelectOption).text?.text ?? null) : null,
+    )
+    .filter((label): label is string => typeof label === "string" && label.trim().length > 0);
+  return labels.length > 0 ? labels : undefined;
+}
+
+function uniqueNonEmptyStrings(values: string[]): string[] {
+  const unique: string[] = [];
+  const seen = new Set<string>();
+  for (const entry of values) {
+    if (typeof entry !== "string") {
+      continue;
+    }
+    const trimmed = entry.trim();
+    if (!trimmed || seen.has(trimmed)) {
+      continue;
+    }
+    seen.add(trimmed);
+    unique.push(trimmed);
+  }
+  return unique;
+}
+
+function collectRichTextFragments(value: unknown, out: string[]): void {
+  if (!value || typeof value !== "object") {
+    return;
+  }
+  const typed = value as { text?: unknown; elements?: unknown };
+  if (typeof typed.text === "string" && typed.text.trim().length > 0) {
+    out.push(typed.text.trim());
+  }
+  if (Array.isArray(typed.elements)) {
+    for (const child of typed.elements) {
+      collectRichTextFragments(child, out);
+    }
+  }
+}
+
+function summarizeRichTextPreview(value: unknown): string | undefined {
+  const fragments: string[] = [];
+  collectRichTextFragments(value, fragments);
+  if (fragments.length === 0) {
+    return undefined;
+  }
+  const joined = fragments.join(" ").replace(/\s+/g, " ").trim();
+  if (!joined) {
+    return undefined;
+  }
+  const max = 120;
+  return joined.length <= max ? joined : `${joined.slice(0, max - 1)}…`;
+}
+
+function readInteractionAction(raw: unknown) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return undefined;
+  }
+  return raw as Record<string, unknown>;
+}
+
+export function summarizeAction(action: Record<string, unknown>): SlackActionSummary {
+  const typed = action as {
+    type?: string;
+    selected_option?: SelectOption;
+    selected_options?: SelectOption[];
+    selected_user?: string;
+    selected_users?: string[];
+    selected_channel?: string;
+    selected_channels?: string[];
+    selected_conversation?: string;
+    selected_conversations?: string[];
+    selected_date?: string;
+    selected_time?: string;
+    selected_date_time?: number;
+    value?: string;
+    rich_text_value?: unknown;
+    workflow?: {
+      trigger_url?: string;
+      workflow_id?: string;
+    };
+  };
+  const actionType = typed.type;
+  const selectedUsers = uniqueNonEmptyStrings([
+    ...(typed.selected_user ? [typed.selected_user] : []),
+    ...(Array.isArray(typed.selected_users) ? typed.selected_users : []),
+  ]);
+  const selectedChannels = uniqueNonEmptyStrings([
+    ...(typed.selected_channel ? [typed.selected_channel] : []),
+    ...(Array.isArray(typed.selected_channels) ? typed.selected_channels : []),
+  ]);
+  const selectedConversations = uniqueNonEmptyStrings([
+    ...(typed.selected_conversation ? [typed.selected_conversation] : []),
+    ...(Array.isArray(typed.selected_conversations) ? typed.selected_conversations : []),
+  ]);
+  const selectedValues = uniqueNonEmptyStrings([
+    ...(typed.selected_option?.value ? [typed.selected_option.value] : []),
+    ...(readOptionValues(typed.selected_options) ?? []),
+    ...selectedUsers,
+    ...selectedChannels,
+    ...selectedConversations,
+  ]);
+  const selectedLabels = uniqueNonEmptyStrings([
+    ...(typed.selected_option?.text?.text ? [typed.selected_option.text.text] : []),
+    ...(readOptionLabels(typed.selected_options) ?? []),
+  ]);
+  const inputValue = typeof typed.value === "string" ? typed.value : undefined;
+  const inputNumber =
+    actionType === "number_input" && inputValue != null ? Number.parseFloat(inputValue) : undefined;
+  const parsedNumber = Number.isFinite(inputNumber) ? inputNumber : undefined;
+  const inputEmail =
+    actionType === "email_text_input" && inputValue?.includes("@") ? inputValue : undefined;
+  let inputUrl: string | undefined;
+  if (actionType === "url_text_input" && inputValue) {
+    try {
+      inputUrl = new URL(inputValue).toString();
+    } catch {
+      inputUrl = undefined;
+    }
+  }
+  const richTextValue = actionType === "rich_text_input" ? typed.rich_text_value : undefined;
+  const richTextPreview = summarizeRichTextPreview(richTextValue);
+  const inputKind =
+    actionType === "number_input"
+      ? "number"
+      : actionType === "email_text_input"
+        ? "email"
+        : actionType === "url_text_input"
+          ? "url"
+          : actionType === "rich_text_input"
+            ? "rich_text"
+            : inputValue != null
+              ? "text"
+              : undefined;
+
+  return {
+    actionType,
+    inputKind,
+    value: typed.value,
+    selectedValues: selectedValues.length > 0 ? selectedValues : undefined,
+    selectedUsers: selectedUsers.length > 0 ? selectedUsers : undefined,
+    selectedChannels: selectedChannels.length > 0 ? selectedChannels : undefined,
+    selectedConversations: selectedConversations.length > 0 ? selectedConversations : undefined,
+    selectedLabels: selectedLabels.length > 0 ? selectedLabels : undefined,
+    selectedDate: typed.selected_date,
+    selectedTime: typed.selected_time,
+    selectedDateTime:
+      typeof typed.selected_date_time === "number" ? typed.selected_date_time : undefined,
+    inputValue,
+    inputNumber: parsedNumber,
+    inputEmail,
+    inputUrl,
+    richTextValue,
+    richTextPreview,
+    workflowTriggerUrl: typed.workflow?.trigger_url,
+    workflowId: typed.workflow?.workflow_id,
+  };
+}
+
+function isBulkActionsBlock(block: InteractionMessageBlock): boolean {
+  return (
+    block.type === "actions" &&
+    Array.isArray(block.elements) &&
+    block.elements.length > 0 &&
+    block.elements.every((el) => typeof el.action_id === "string" && el.action_id.includes("_all_"))
+  );
+}
+
+function formatInteractionSelectionLabel(params: {
+  actionId: string;
+  summary: SlackActionSummary;
+  buttonText?: string;
+}): string {
+  if (params.summary.actionType === "button" && params.buttonText?.trim()) {
+    return params.buttonText.trim();
+  }
+  if (params.summary.selectedLabels?.length) {
+    if (params.summary.selectedLabels.length <= 3) {
+      return params.summary.selectedLabels.join(", ");
+    }
+    return `${params.summary.selectedLabels.slice(0, 3).join(", ")} +${
+      params.summary.selectedLabels.length - 3
+    }`;
+  }
+  if (params.summary.selectedValues?.length) {
+    if (params.summary.selectedValues.length <= 3) {
+      return params.summary.selectedValues.join(", ");
+    }
+    return `${params.summary.selectedValues.slice(0, 3).join(", ")} +${
+      params.summary.selectedValues.length - 3
+    }`;
+  }
+  if (params.summary.selectedDate) {
+    return params.summary.selectedDate;
+  }
+  if (params.summary.selectedTime) {
+    return params.summary.selectedTime;
+  }
+  if (typeof params.summary.selectedDateTime === "number") {
+    return new Date(params.summary.selectedDateTime * 1000).toISOString();
+  }
+  if (params.summary.richTextPreview) {
+    return params.summary.richTextPreview;
+  }
+  if (params.summary.value?.trim()) {
+    return params.summary.value.trim();
+  }
+  return params.actionId;
+}
+
+function formatInteractionConfirmationText(params: {
+  selectedLabel: string;
+  userId?: string;
+}): string {
+  const actor = params.userId?.trim() ? ` by <@${params.userId.trim()}>` : "";
+  return `:white_check_mark: *${escapeSlackMrkdwn(params.selectedLabel)}* selected${actor}`;
+}
+
+function buildSlackPluginInteractionData(params: {
+  actionId: string;
+  summary: SlackActionSummary;
+}): string | null {
+  const actionId = params.actionId.trim();
+  if (!actionId) {
+    return null;
+  }
+  const payload =
+    params.summary.value?.trim() ||
+    params.summary.selectedValues?.map((value) => value.trim()).find(Boolean) ||
+    "";
+  if (actionId === SLACK_REPLY_BUTTON_ACTION_ID || actionId === SLACK_REPLY_SELECT_ACTION_ID) {
+    return payload || null;
+  }
+  return payload ? `${actionId}:${payload}` : actionId;
+}
+
+function buildSlackPluginInteractionId(params: {
+  userId?: string;
+  channelId?: string;
+  messageTs?: string;
+  triggerId?: string;
+  actionId: string;
+  summary: SlackActionSummary;
+}): string {
+  const primaryValue =
+    params.summary.value?.trim() ||
+    params.summary.selectedValues?.map((value) => value.trim()).find(Boolean) ||
+    "";
+  return [
+    params.userId?.trim() || "",
+    params.channelId?.trim() || "",
+    params.messageTs?.trim() || "",
+    params.triggerId?.trim() || "",
+    params.actionId.trim(),
+    primaryValue,
+  ].join(":");
+}
+
+function parseSlackBlockAction(params: {
+  body: unknown;
+  action: unknown;
+  log?: (message: string) => void;
+}): ParsedSlackBlockAction | null {
+  const typedBody = params.body as SlackBlockActionBody;
+  const typedAction = readInteractionAction(params.action);
+  if (!typedAction) {
+    params.log?.(
+      `slack:interaction malformed action payload channel=${typedBody.channel?.id ?? typedBody.container?.channel_id ?? "unknown"} user=${
+        typedBody.user?.id ?? "unknown"
+      }`,
+    );
+    return null;
+  }
+  const typedActionWithText = typedAction as {
+    action_id?: string;
+    block_id?: string;
+    type?: string;
+    text?: { text?: string };
+  };
+  return {
+    typedBody,
+    typedAction,
+    typedActionWithText,
+    actionId:
+      typeof typedActionWithText.action_id === "string" ? typedActionWithText.action_id : "unknown",
+    blockId: typedActionWithText.block_id,
+    userId: typedBody.user?.id ?? "unknown",
+    channelId: typedBody.channel?.id ?? typedBody.container?.channel_id,
+    messageTs: typedBody.message?.ts ?? typedBody.container?.message_ts,
+    threadTs: typedBody.container?.thread_ts,
+    actionSummary: summarizeAction(typedAction),
+  };
+}
+
+async function respondEphemeral(
+  respond: SlackBlockActionRespond | undefined,
+  text: string,
+): Promise<void> {
+  if (!respond) {
+    return;
+  }
+  try {
+    await respond({
+      text,
+      response_type: "ephemeral",
+    });
+  } catch {
+    // Best-effort feedback only.
+  }
+}
+
+async function updateSlackInteractionMessage(params: {
+  ctx: SlackMonitorContext;
+  channelId?: string;
+  messageTs?: string;
+  text: string;
+  blocks?: (Block | KnownBlock)[];
+}): Promise<void> {
+  if (!params.channelId || !params.messageTs) {
+    return;
+  }
+  await params.ctx.app.client.chat.update({
+    channel: params.channelId,
+    ts: params.messageTs,
+    text: params.text,
+    ...(params.blocks ? { blocks: params.blocks } : {}),
+  });
+}
+
+async function authorizeSlackBlockAction(params: {
+  ctx: SlackMonitorContext;
+  parsed: ParsedSlackBlockAction;
+  respond?: SlackBlockActionRespond;
+}): Promise<
+  | {
+      allowed: true;
+      channelType?: "im" | "mpim" | "channel" | "group";
+    }
+  | { allowed: false }
+> {
+  const auth = await authorizeSlackSystemEventSender({
+    ctx: params.ctx,
+    senderId: params.parsed.userId,
+    channelId: params.parsed.channelId,
+  });
+  if (auth.allowed) {
+    return auth;
+  }
+  params.ctx.runtime.log?.(
+    `slack:interaction drop action=${params.parsed.actionId} user=${params.parsed.userId} channel=${params.parsed.channelId ?? "unknown"} reason=${auth.reason ?? "unauthorized"}`,
+  );
+  await respondEphemeral(params.respond, "You are not authorized to use this control.");
+  return { allowed: false };
+}
+
+async function handleSlackPluginBindingApproval(params: {
+  ctx: SlackMonitorContext;
+  parsed: ParsedSlackBlockAction;
+  pluginInteractionData: string;
+  respond?: SlackBlockActionRespond;
+}): Promise<boolean> {
+  const pluginBindingApproval = parsePluginBindingApprovalCustomId(params.pluginInteractionData);
+  if (!pluginBindingApproval) {
+    return false;
+  }
+  const resolved = await resolvePluginConversationBindingApproval({
+    approvalId: pluginBindingApproval.approvalId,
+    decision: pluginBindingApproval.decision,
+    senderId: params.parsed.userId,
+  });
+  try {
+    await updateSlackInteractionMessage({
+      ctx: params.ctx,
+      channelId: params.parsed.channelId,
+      messageTs: params.parsed.messageTs,
+      text: params.parsed.typedBody.message?.text ?? "",
+      blocks: [],
+    });
+  } catch {
+    // Best-effort cleanup only; continue with follow-up feedback.
+  }
+  await respondEphemeral(params.respond, buildPluginBindingResolvedText(resolved));
+  return true;
+}
+
+async function dispatchSlackPluginInteraction(params: {
+  ctx: SlackMonitorContext;
+  parsed: ParsedSlackBlockAction;
+  pluginInteractionData: string;
+  auth: { isAuthorizedSender: boolean };
+  respond?: SlackBlockActionRespond;
+}): Promise<boolean> {
+  const pluginInteractionId = buildSlackPluginInteractionId({
+    userId: params.parsed.userId,
+    channelId: params.parsed.channelId,
+    messageTs: params.parsed.messageTs,
+    triggerId: params.parsed.typedBody.trigger_id,
+    actionId: params.parsed.actionId,
+    summary: params.parsed.actionSummary,
+  });
+  if (
+    await handleSlackPluginBindingApproval({
+      ctx: params.ctx,
+      parsed: params.parsed,
+      pluginInteractionData: params.pluginInteractionData,
+      respond: params.respond,
+    })
+  ) {
+    return true;
+  }
+  const pluginResult = await dispatchPluginInteractiveHandler({
+    channel: "slack",
+    data: params.pluginInteractionData,
+    interactionId: pluginInteractionId,
+    ctx: {
+      accountId: params.ctx.accountId,
+      interactionId: pluginInteractionId,
+      conversationId: params.parsed.channelId ?? "",
+      parentConversationId: undefined,
+      threadId: params.parsed.threadTs,
+      senderId: params.parsed.userId,
+      senderUsername: undefined,
+      auth: params.auth,
+      interaction: {
+        kind: params.parsed.actionSummary.actionType === "button" ? "button" : "select",
+        actionId: params.parsed.actionId,
+        blockId: params.parsed.blockId,
+        messageTs: params.parsed.messageTs,
+        threadTs: params.parsed.threadTs,
+        value: params.parsed.actionSummary.value,
+        selectedValues: params.parsed.actionSummary.selectedValues,
+        selectedLabels: params.parsed.actionSummary.selectedLabels,
+        triggerId: params.parsed.typedBody.trigger_id,
+        responseUrl: params.parsed.typedBody.response_url,
+      },
+    },
+    respond: {
+      acknowledge: async () => {},
+      reply: async ({ text, responseType }) => {
+        if (!text) {
+          return;
+        }
+        await params.respond?.({
+          text,
+          response_type: responseType ?? "ephemeral",
+        });
+      },
+      followUp: async ({ text, responseType }) => {
+        if (!text) {
+          return;
+        }
+        await params.respond?.({
+          text,
+          response_type: responseType ?? "ephemeral",
+        });
+      },
+      editMessage: async ({ text, blocks }) => {
+        await updateSlackInteractionMessage({
+          ctx: params.ctx,
+          channelId: params.parsed.channelId,
+          messageTs: params.parsed.messageTs,
+          text: text ?? params.parsed.typedBody.message?.text ?? "",
+          blocks: Array.isArray(blocks) ? (blocks as (Block | KnownBlock)[]) : undefined,
+        });
+      },
+    },
+  });
+  return pluginResult.matched && pluginResult.handled;
+}
+
+function enqueueSlackBlockActionEvent(params: {
+  ctx: SlackMonitorContext;
+  parsed: ParsedSlackBlockAction;
+  auth: { channelType?: "im" | "mpim" | "channel" | "group" };
+  formatSystemEvent: (payload: Record<string, unknown>) => string;
+}): void {
+  const eventPayload: InteractionSummary = {
+    interactionType: "block_action",
+    actionId: params.parsed.actionId,
+    blockId: params.parsed.blockId,
+    ...params.parsed.actionSummary,
+    userId: params.parsed.userId,
+    teamId: params.parsed.typedBody.team?.id,
+    triggerId: params.parsed.typedBody.trigger_id,
+    responseUrl: params.parsed.typedBody.response_url,
+    channelId: params.parsed.channelId,
+    messageTs: params.parsed.messageTs,
+    threadTs: params.parsed.threadTs,
+  };
+  params.ctx.runtime.log?.(
+    `slack:interaction action=${params.parsed.actionId} type=${params.parsed.actionSummary.actionType ?? "unknown"} user=${params.parsed.userId} channel=${params.parsed.channelId}`,
+  );
+  const sessionKey = params.ctx.resolveSlackSystemEventSessionKey({
+    channelId: params.parsed.channelId,
+    channelType: params.auth.channelType,
+    senderId: params.parsed.userId,
+  });
+  const contextParts = [
+    "slack:interaction",
+    params.parsed.channelId,
+    params.parsed.messageTs,
+    params.parsed.actionId,
+  ].filter(Boolean);
+  enqueueSystemEvent(params.formatSystemEvent(eventPayload), {
+    sessionKey,
+    contextKey: contextParts.join(":"),
+  });
+}
+
+function buildSlackConfirmationBlocks(params: {
+  parsed: ParsedSlackBlockAction;
+  originalBlocks: unknown[];
+}): (Block | KnownBlock)[] {
+  const selectedLabel = formatInteractionSelectionLabel({
+    actionId: params.parsed.actionId,
+    summary: params.parsed.actionSummary,
+    buttonText: params.parsed.typedActionWithText.text?.text,
+  });
+  let updatedBlocks = params.originalBlocks.map((block) => {
+    const typedBlock = block as InteractionMessageBlock;
+    if (typedBlock.type === "actions" && typedBlock.block_id === params.parsed.blockId) {
+      return {
+        type: "context",
+        elements: [
+          {
+            type: "mrkdwn",
+            text: formatInteractionConfirmationText({
+              selectedLabel,
+              userId: params.parsed.userId,
+            }),
+          },
+        ],
+      };
+    }
+    return block;
+  });
+  const hasRemainingIndividualActionRows = updatedBlocks.some((block) => {
+    const typedBlock = block as InteractionMessageBlock;
+    return typedBlock.type === "actions" && !isBulkActionsBlock(typedBlock);
+  });
+  if (!hasRemainingIndividualActionRows) {
+    updatedBlocks = updatedBlocks.filter((block, index) => {
+      const typedBlock = block as InteractionMessageBlock;
+      if (isBulkActionsBlock(typedBlock)) {
+        return false;
+      }
+      if (typedBlock.type !== "divider") {
+        return true;
+      }
+      const next = updatedBlocks[index + 1] as InteractionMessageBlock | undefined;
+      return !next || !isBulkActionsBlock(next);
+    });
+  }
+  return updatedBlocks as (Block | KnownBlock)[];
+}
+
+async function updateSlackLegacyBlockAction(params: {
+  ctx: SlackMonitorContext;
+  parsed: ParsedSlackBlockAction;
+  respond?: SlackBlockActionRespond;
+}): Promise<void> {
+  const originalBlocks = params.parsed.typedBody.message?.blocks;
+  if (
+    !Array.isArray(originalBlocks) ||
+    !params.parsed.channelId ||
+    !params.parsed.messageTs ||
+    !params.parsed.blockId
+  ) {
+    return;
+  }
+  try {
+    await updateSlackInteractionMessage({
+      ctx: params.ctx,
+      channelId: params.parsed.channelId,
+      messageTs: params.parsed.messageTs,
+      text: params.parsed.typedBody.message?.text ?? "",
+      blocks: buildSlackConfirmationBlocks({
+        parsed: params.parsed,
+        originalBlocks,
+      }),
+    });
+  } catch {
+    await respondEphemeral(params.respond, `Button "${params.parsed.actionId}" clicked!`);
+  }
+}
+
+async function handleSlackBlockAction(params: {
+  ctx: SlackMonitorContext;
+  args: SlackActionMiddlewareArgs;
+  formatSystemEvent: (payload: Record<string, unknown>) => string;
+}): Promise<void> {
+  const { ack, body, action, respond } = params.args;
+  await ack();
+  if (params.ctx.shouldDropMismatchedSlackEvent?.(body)) {
+    params.ctx.runtime.log?.("slack:interaction drop block action payload (mismatched app/team)");
+    return;
+  }
+  const parsed = parseSlackBlockAction({
+    body,
+    action,
+    log: params.ctx.runtime.log,
+  });
+  if (!parsed) {
+    return;
+  }
+  const auth = await authorizeSlackBlockAction({
+    ctx: params.ctx,
+    parsed,
+    respond,
+  });
+  if (!auth.allowed) {
+    return;
+  }
+  const pluginInteractionData = buildSlackPluginInteractionData({
+    actionId: parsed.actionId,
+    summary: parsed.actionSummary,
+  });
+  if (pluginInteractionData) {
+    const handled = await dispatchSlackPluginInteraction({
+      ctx: params.ctx,
+      parsed,
+      pluginInteractionData,
+      auth: {
+        isAuthorizedSender: true,
+      },
+      respond,
+    });
+    if (handled) {
+      return;
+    }
+  }
+  enqueueSlackBlockActionEvent({
+    ctx: params.ctx,
+    parsed,
+    auth,
+    formatSystemEvent: params.formatSystemEvent,
+  });
+  await updateSlackLegacyBlockAction({
+    ctx: params.ctx,
+    parsed,
+    respond,
+  });
+}
+
+export function registerSlackBlockActionHandler(params: {
+  ctx: SlackMonitorContext;
+  formatSystemEvent: (payload: Record<string, unknown>) => string;
+}): void {
+  if (typeof params.ctx.app.action !== "function") {
+    return;
+  }
+  params.ctx.app.action(/.+/, async (args: SlackActionMiddlewareArgs) => {
+    await handleSlackBlockAction({
+      ctx: params.ctx,
+      args,
+      formatSystemEvent: params.formatSystemEvent,
+    });
+  });
+}
diff --git a/extensions/slack/src/monitor/events/interactions.test.ts b/extensions/slack/src/monitor/events/interactions.test.ts
index 6de5ce3f229..5b71ebd11fd 100644
--- a/extensions/slack/src/monitor/events/interactions.test.ts
+++ b/extensions/slack/src/monitor/events/interactions.test.ts
@@ -1,12 +1,40 @@
-import { describe, expect, it, vi } from "vitest";
+import { beforeEach, describe, expect, it, vi } from "vitest";
 import { registerSlackInteractionEvents } from "./interactions.js";
 
 const enqueueSystemEventMock = vi.fn();
+const dispatchPluginInteractiveHandlerMock = vi.fn(async () => ({
+  matched: false,
+  handled: false,
+  duplicate: false,
+}));
+const resolvePluginConversationBindingApprovalMock = vi.fn();
+const buildPluginBindingResolvedTextMock = vi.fn(() => "Binding updated.");
 
 vi.mock("../../../../../src/infra/system-events.js", () => ({
-  enqueueSystemEvent: (...args: unknown[]) => enqueueSystemEventMock(...args),
+  enqueueSystemEvent: (...args: unknown[]) =>
+    (enqueueSystemEventMock as (...innerArgs: unknown[]) => unknown)(...args),
 }));
 
+vi.mock("../../../../../src/plugins/interactive.js", () => ({
+  dispatchPluginInteractiveHandler: (...args: unknown[]) =>
+    (dispatchPluginInteractiveHandlerMock as (...innerArgs: unknown[]) => unknown)(...args),
+}));
+
+vi.mock("../../../../../src/plugins/conversation-binding.js", async () => {
+  const actual = await vi.importActual<
+    typeof import("../../../../../src/plugins/conversation-binding.js")
+  >("../../../../../src/plugins/conversation-binding.js");
+  return {
+    ...actual,
+    resolvePluginConversationBindingApproval: (...args: unknown[]) =>
+      (resolvePluginConversationBindingApprovalMock as (...innerArgs: unknown[]) => unknown)(
+        ...args,
+      ),
+    buildPluginBindingResolvedText: (...args: unknown[]) =>
+      (buildPluginBindingResolvedTextMock as (...innerArgs: unknown[]) => unknown)(...args),
+  };
+});
+
 type RegisteredHandler = (args: {
   ack: () => Promise<void>;
   body: {
@@ -78,10 +106,12 @@ function createContext(overrides?: {
   }>;
 }) {
   let handler: RegisteredHandler | null = null;
+  let actionMatcher: RegExp | null = null;
   let viewHandler: RegisteredViewHandler | null = null;
   let viewClosedHandler: RegisteredViewClosedHandler | null = null;
   const app = {
-    action: vi.fn((_matcher: RegExp, next: RegisteredHandler) => {
+    action: vi.fn((matcher: RegExp, next: RegisteredHandler) => {
+      actionMatcher = matcher;
       handler = next;
     }),
     view: vi.fn((_matcher: RegExp, next: RegisteredViewHandler) => {
@@ -122,6 +152,7 @@ function createContext(overrides?: {
     );
   const ctx = {
     app,
+    accountId: "default",
     runtime: { log: runtimeLog },
     dmEnabled: overrides?.dmEnabled ?? true,
     dmPolicy: overrides?.dmPolicy ?? ("open" as const),
@@ -144,6 +175,7 @@ function createContext(overrides?: {
     isChannelAllowed,
     resolveUserName,
     resolveChannelName,
+    getActionMatcher: () => actionMatcher,
     getHandler: () => handler,
     getViewHandler: () => viewHandler,
     getViewClosedHandler: () => viewClosedHandler,
@@ -151,8 +183,21 @@ function createContext(overrides?: {
 }
 
 describe("registerSlackInteractionEvents", () => {
-  it("enqueues structured events and updates button rows", async () => {
+  beforeEach(() => {
     enqueueSystemEventMock.mockClear();
+    dispatchPluginInteractiveHandlerMock.mockClear();
+    resolvePluginConversationBindingApprovalMock.mockClear();
+    resolvePluginConversationBindingApprovalMock.mockResolvedValue({ status: "expired" });
+    buildPluginBindingResolvedTextMock.mockClear();
+    buildPluginBindingResolvedTextMock.mockReturnValue("Binding updated.");
+    dispatchPluginInteractiveHandlerMock.mockResolvedValue({
+      matched: false,
+      handled: false,
+      duplicate: false,
+    });
+  });
+
+  it("enqueues structured events and updates button rows", async () => {
     const { ctx, app, getHandler, resolveSessionKey } = createContext();
     registerSlackInteractionEvents({ ctx: ctx as never });
 
@@ -228,6 +273,236 @@ describe("registerSlackInteractionEvents", () => {
     expect(app.client.chat.update).toHaveBeenCalledTimes(1);
   });
 
+  it("registers a matcher that accepts plugin action ids beyond the OpenClaw prefix", () => {
+    const { ctx, getActionMatcher } = createContext();
+    registerSlackInteractionEvents({ ctx: ctx as never });
+
+    const matcher = getActionMatcher();
+    expect(matcher).toBeTruthy();
+    expect(matcher?.test("openclaw:verify")).toBe(true);
+    expect(matcher?.test("codex")).toBe(true);
+  });
+
+  it("routes matching Slack actions through the shared plugin interactive dispatcher", async () => {
+    dispatchPluginInteractiveHandlerMock.mockResolvedValueOnce({
+      matched: true,
+      handled: true,
+      duplicate: false,
+    });
+    const { ctx, app, getHandler } = createContext();
+    registerSlackInteractionEvents({ ctx: ctx as never });
+
+    const handler = getHandler();
+    expect(handler).toBeTruthy();
+
+    const ack = vi.fn().mockResolvedValue(undefined);
+    const respond = vi.fn().mockResolvedValue(undefined);
+    await handler!({
+      ack,
+      respond,
+      body: {
+        user: { id: "U123" },
+        team: { id: "T9" },
+        trigger_id: "123.trigger",
+        response_url: "https://hooks.slack.test/response",
+        channel: { id: "C1" },
+        container: { channel_id: "C1", message_ts: "100.200", thread_ts: "100.100" },
+        message: {
+          ts: "100.200",
+          text: "fallback",
+          blocks: [
+            {
+              type: "actions",
+              block_id: "codex_actions",
+              elements: [{ type: "button", action_id: "codex" }],
+            },
+          ],
+        },
+      },
+      action: {
+        type: "button",
+        action_id: "codex",
+        block_id: "codex_actions",
+        value: "approve:thread-1",
+        text: { type: "plain_text", text: "Approve" },
+      },
+    });
+
+    expect(ack).toHaveBeenCalled();
+    expect(dispatchPluginInteractiveHandlerMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        channel: "slack",
+        data: "codex:approve:thread-1",
+        interactionId: "U123:C1:100.200:123.trigger:codex:approve:thread-1",
+        ctx: expect.objectContaining({
+          accountId: ctx.accountId,
+          conversationId: "C1",
+          interactionId: "U123:C1:100.200:123.trigger:codex:approve:thread-1",
+          threadId: "100.100",
+          interaction: expect.objectContaining({
+            actionId: "codex",
+            value: "approve:thread-1",
+          }),
+        }),
+      }),
+    );
+    expect(enqueueSystemEventMock).not.toHaveBeenCalled();
+    expect(app.client.chat.update).not.toHaveBeenCalled();
+  });
+
+  it("uses unique interaction ids for repeated Slack actions on the same message", async () => {
+    dispatchPluginInteractiveHandlerMock.mockResolvedValue({
+      matched: true,
+      handled: false,
+      duplicate: false,
+    });
+    const { ctx, getHandler } = createContext();
+    registerSlackInteractionEvents({ ctx: ctx as never });
+
+    const handler = getHandler();
+    expect(handler).toBeTruthy();
+
+    const ack = vi.fn().mockResolvedValue(undefined);
+    await handler!({
+      ack,
+      body: {
+        user: { id: "U123" },
+        channel: { id: "C1" },
+        container: { channel_id: "C1", message_ts: "100.200", thread_ts: "100.100" },
+        trigger_id: "trigger-1",
+        message: {
+          ts: "100.200",
+          text: "fallback",
+          blocks: [
+            {
+              type: "actions",
+              block_id: "codex_actions",
+              elements: [{ type: "button", action_id: "codex" }],
+            },
+          ],
+        },
+      },
+      action: {
+        type: "button",
+        action_id: "codex",
+        block_id: "codex_actions",
+        value: "approve:thread-1",
+        text: { type: "plain_text", text: "Approve" },
+      },
+    });
+    await handler!({
+      ack,
+      body: {
+        user: { id: "U123" },
+        channel: { id: "C1" },
+        container: { channel_id: "C1", message_ts: "100.200", thread_ts: "100.100" },
+        trigger_id: "trigger-2",
+        message: {
+          ts: "100.200",
+          text: "fallback",
+          blocks: [
+            {
+              type: "actions",
+              block_id: "codex_actions",
+              elements: [{ type: "button", action_id: "codex" }],
+            },
+          ],
+        },
+      },
+      action: {
+        type: "button",
+        action_id: "codex",
+        block_id: "codex_actions",
+        value: "approve:thread-1",
+        text: { type: "plain_text", text: "Approve" },
+      },
+    });
+
+    expect(dispatchPluginInteractiveHandlerMock).toHaveBeenCalledTimes(2);
+    const calls = dispatchPluginInteractiveHandlerMock.mock.calls as unknown[][];
+    const firstCall = calls[0]?.[0] as
+      | {
+          interactionId?: string;
+        }
+      | undefined;
+    const secondCall = calls[1]?.[0] as
+      | {
+          interactionId?: string;
+        }
+      | undefined;
+    expect(firstCall?.interactionId).toContain(":trigger-1:");
+    expect(secondCall?.interactionId).toContain(":trigger-2:");
+    expect(firstCall?.interactionId).not.toBe(secondCall?.interactionId);
+  });
+
+  it("resolves plugin binding approvals from shared interactive Slack actions", async () => {
+    resolvePluginConversationBindingApprovalMock.mockResolvedValueOnce({
+      status: "approved",
+      decision: "allow-once",
+      request: {
+        pluginId: "codex",
+        pluginName: "Codex",
+        summary: "for this thread",
+      },
+    });
+    const { ctx, app, getHandler } = createContext();
+    registerSlackInteractionEvents({ ctx: ctx as never });
+
+    const handler = getHandler();
+    expect(handler).toBeTruthy();
+
+    const ack = vi.fn().mockResolvedValue(undefined);
+    const respond = vi.fn().mockResolvedValue(undefined);
+    await handler!({
+      ack,
+      respond,
+      body: {
+        user: { id: "U123" },
+        channel: { id: "C1" },
+        container: { channel_id: "C1", message_ts: "100.200", thread_ts: "100.100" },
+        message: {
+          ts: "100.200",
+          text: "Approve this bind?",
+          blocks: [
+            {
+              type: "actions",
+              block_id: "bind_actions",
+              elements: [{ type: "button", action_id: "openclaw:reply_button" }],
+            },
+          ],
+        },
+      },
+      action: {
+        type: "button",
+        action_id: "openclaw:reply_button",
+        block_id: "bind_actions",
+        value: "pluginbind:approval-123:o",
+        text: { type: "plain_text", text: "Allow once" },
+      },
+    });
+
+    expect(ack).toHaveBeenCalled();
+    expect(resolvePluginConversationBindingApprovalMock).toHaveBeenCalledWith({
+      approvalId: "approval-123",
+      decision: "allow-once",
+      senderId: "U123",
+    });
+    expect(dispatchPluginInteractiveHandlerMock).not.toHaveBeenCalled();
+    expect(app.client.chat.update).toHaveBeenCalledWith(
+      expect.objectContaining({
+        channel: "C1",
+        ts: "100.200",
+        text: "Approve this bind?",
+        blocks: [],
+      }),
+    );
+    expect(respond).toHaveBeenCalledWith({
+      text: "Binding updated.",
+      response_type: "ephemeral",
+    });
+    expect(enqueueSystemEventMock).not.toHaveBeenCalled();
+  });
+
   it("drops block actions when mismatch guard triggers", async () => {
     enqueueSystemEventMock.mockClear();
     const { ctx, app, getHandler } = createContext({
diff --git a/extensions/slack/src/monitor/events/interactions.ts b/extensions/slack/src/monitor/events/interactions.ts
index 1d542fd9665..384498ac5fe 100644
--- a/extensions/slack/src/monitor/events/interactions.ts
+++ b/extensions/slack/src/monitor/events/interactions.ts
@@ -1,10 +1,10 @@
-import type { SlackActionMiddlewareArgs } from "@slack/bolt";
-import type { Block, KnownBlock } from "@slack/web-api";
-import { enqueueSystemEvent } from "../../../../../src/infra/system-events.js";
 import { truncateSlackText } from "../../truncate.js";
-import { authorizeSlackSystemEventSender } from "../auth.js";
 import type { SlackMonitorContext } from "../context.js";
-import { escapeSlackMrkdwn } from "../mrkdwn.js";
+import {
+  registerSlackBlockActionHandler,
+  summarizeAction,
+  type InteractionSummary,
+} from "./interactions.block-actions.js";
 import {
   registerModalLifecycleHandler,
   type ModalInputSummary,
@@ -27,33 +27,6 @@ const SLACK_INTERACTION_REDACTED_KEYS = new Set([
   "viewHash",
 ]);
 
-type InteractionMessageBlock = {
-  type?: string;
-  block_id?: string;
-  elements?: Array<{ action_id?: string }>;
-};
-
-type SelectOption = {
-  value?: string;
-  text?: { text?: string };
-};
-
-type InteractionSelectionFields = Partial<ModalInputSummary>;
-
-type InteractionSummary = InteractionSelectionFields & {
-  interactionType?: "block_action" | "view_submission" | "view_closed";
-  actionId: string;
-  userId?: string;
-  teamId?: string;
-  triggerId?: string;
-  responseUrl?: string;
-  workflowTriggerUrl?: string;
-  workflowId?: string;
-  channelId?: string;
-  messageTs?: string;
-  threadTs?: string;
-};
-
 function sanitizeSlackInteractionPayloadValue(value: unknown, key?: string): unknown {
   if (value === undefined) {
     return undefined;
@@ -182,241 +155,6 @@ function formatSlackInteractionSystemEvent(payload: Record<string, unknown>): st
   });
 }
 
-function readOptionValues(options: unknown): string[] | undefined {
-  if (!Array.isArray(options)) {
-    return undefined;
-  }
-  const values = options
-    .map((option) => (option && typeof option === "object" ? (option as SelectOption).value : null))
-    .filter((value): value is string => typeof value === "string" && value.trim().length > 0);
-  return values.length > 0 ? values : undefined;
-}
-
-function readOptionLabels(options: unknown): string[] | undefined {
-  if (!Array.isArray(options)) {
-    return undefined;
-  }
-  const labels = options
-    .map((option) =>
-      option && typeof option === "object" ? ((option as SelectOption).text?.text ?? null) : null,
-    )
-    .filter((label): label is string => typeof label === "string" && label.trim().length > 0);
-  return labels.length > 0 ? labels : undefined;
-}
-
-function uniqueNonEmptyStrings(values: string[]): string[] {
-  const unique: string[] = [];
-  const seen = new Set<string>();
-  for (const entry of values) {
-    if (typeof entry !== "string") {
-      continue;
-    }
-    const trimmed = entry.trim();
-    if (!trimmed || seen.has(trimmed)) {
-      continue;
-    }
-    seen.add(trimmed);
-    unique.push(trimmed);
-  }
-  return unique;
-}
-
-function collectRichTextFragments(value: unknown, out: string[]): void {
-  if (!value || typeof value !== "object") {
-    return;
-  }
-  const typed = value as { text?: unknown; elements?: unknown };
-  if (typeof typed.text === "string" && typed.text.trim().length > 0) {
-    out.push(typed.text.trim());
-  }
-  if (Array.isArray(typed.elements)) {
-    for (const child of typed.elements) {
-      collectRichTextFragments(child, out);
-    }
-  }
-}
-
-function summarizeRichTextPreview(value: unknown): string | undefined {
-  const fragments: string[] = [];
-  collectRichTextFragments(value, fragments);
-  if (fragments.length === 0) {
-    return undefined;
-  }
-  const joined = fragments.join(" ").replace(/\s+/g, " ").trim();
-  if (!joined) {
-    return undefined;
-  }
-  const max = 120;
-  return joined.length <= max ? joined : `${joined.slice(0, max - 1)}…`;
-}
-
-function readInteractionAction(raw: unknown) {
-  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
-    return undefined;
-  }
-  return raw as Record<string, unknown>;
-}
-
-function summarizeAction(
-  action: Record<string, unknown>,
-): Omit<InteractionSummary, "actionId" | "blockId"> {
-  const typed = action as {
-    type?: string;
-    selected_option?: SelectOption;
-    selected_options?: SelectOption[];
-    selected_user?: string;
-    selected_users?: string[];
-    selected_channel?: string;
-    selected_channels?: string[];
-    selected_conversation?: string;
-    selected_conversations?: string[];
-    selected_date?: string;
-    selected_time?: string;
-    selected_date_time?: number;
-    value?: string;
-    rich_text_value?: unknown;
-    workflow?: {
-      trigger_url?: string;
-      workflow_id?: string;
-    };
-  };
-  const actionType = typed.type;
-  const selectedUsers = uniqueNonEmptyStrings([
-    ...(typed.selected_user ? [typed.selected_user] : []),
-    ...(Array.isArray(typed.selected_users) ? typed.selected_users : []),
-  ]);
-  const selectedChannels = uniqueNonEmptyStrings([
-    ...(typed.selected_channel ? [typed.selected_channel] : []),
-    ...(Array.isArray(typed.selected_channels) ? typed.selected_channels : []),
-  ]);
-  const selectedConversations = uniqueNonEmptyStrings([
-    ...(typed.selected_conversation ? [typed.selected_conversation] : []),
-    ...(Array.isArray(typed.selected_conversations) ? typed.selected_conversations : []),
-  ]);
-  const selectedValues = uniqueNonEmptyStrings([
-    ...(typed.selected_option?.value ? [typed.selected_option.value] : []),
-    ...(readOptionValues(typed.selected_options) ?? []),
-    ...selectedUsers,
-    ...selectedChannels,
-    ...selectedConversations,
-  ]);
-  const selectedLabels = uniqueNonEmptyStrings([
-    ...(typed.selected_option?.text?.text ? [typed.selected_option.text.text] : []),
-    ...(readOptionLabels(typed.selected_options) ?? []),
-  ]);
-  const inputValue = typeof typed.value === "string" ? typed.value : undefined;
-  const inputNumber =
-    actionType === "number_input" && inputValue != null ? Number.parseFloat(inputValue) : undefined;
-  const parsedNumber = Number.isFinite(inputNumber) ? inputNumber : undefined;
-  const inputEmail =
-    actionType === "email_text_input" && inputValue?.includes("@") ? inputValue : undefined;
-  let inputUrl: string | undefined;
-  if (actionType === "url_text_input" && inputValue) {
-    try {
-      // Normalize to a canonical URL string so downstream handlers do not need to reparse.
-      inputUrl = new URL(inputValue).toString();
-    } catch {
-      inputUrl = undefined;
-    }
-  }
-  const richTextValue = actionType === "rich_text_input" ? typed.rich_text_value : undefined;
-  const richTextPreview = summarizeRichTextPreview(richTextValue);
-  const inputKind =
-    actionType === "number_input"
-      ? "number"
-      : actionType === "email_text_input"
-        ? "email"
-        : actionType === "url_text_input"
-          ? "url"
-          : actionType === "rich_text_input"
-            ? "rich_text"
-            : inputValue != null
-              ? "text"
-              : undefined;
-
-  return {
-    actionType,
-    inputKind,
-    value: typed.value,
-    selectedValues: selectedValues.length > 0 ? selectedValues : undefined,
-    selectedUsers: selectedUsers.length > 0 ? selectedUsers : undefined,
-    selectedChannels: selectedChannels.length > 0 ? selectedChannels : undefined,
-    selectedConversations: selectedConversations.length > 0 ? selectedConversations : undefined,
-    selectedLabels: selectedLabels.length > 0 ? selectedLabels : undefined,
-    selectedDate: typed.selected_date,
-    selectedTime: typed.selected_time,
-    selectedDateTime:
-      typeof typed.selected_date_time === "number" ? typed.selected_date_time : undefined,
-    inputValue,
-    inputNumber: parsedNumber,
-    inputEmail,
-    inputUrl,
-    richTextValue,
-    richTextPreview,
-    workflowTriggerUrl: typed.workflow?.trigger_url,
-    workflowId: typed.workflow?.workflow_id,
-  };
-}
-
-function isBulkActionsBlock(block: InteractionMessageBlock): boolean {
-  return (
-    block.type === "actions" &&
-    Array.isArray(block.elements) &&
-    block.elements.length > 0 &&
-    block.elements.every((el) => typeof el.action_id === "string" && el.action_id.includes("_all_"))
-  );
-}
-
-function formatInteractionSelectionLabel(params: {
-  actionId: string;
-  summary: Omit<InteractionSummary, "actionId" | "blockId">;
-  buttonText?: string;
-}): string {
-  if (params.summary.actionType === "button" && params.buttonText?.trim()) {
-    return params.buttonText.trim();
-  }
-  if (params.summary.selectedLabels?.length) {
-    if (params.summary.selectedLabels.length <= 3) {
-      return params.summary.selectedLabels.join(", ");
-    }
-    return `${params.summary.selectedLabels.slice(0, 3).join(", ")} +${
-      params.summary.selectedLabels.length - 3
-    }`;
-  }
-  if (params.summary.selectedValues?.length) {
-    if (params.summary.selectedValues.length <= 3) {
-      return params.summary.selectedValues.join(", ");
-    }
-    return `${params.summary.selectedValues.slice(0, 3).join(", ")} +${
-      params.summary.selectedValues.length - 3
-    }`;
-  }
-  if (params.summary.selectedDate) {
-    return params.summary.selectedDate;
-  }
-  if (params.summary.selectedTime) {
-    return params.summary.selectedTime;
-  }
-  if (typeof params.summary.selectedDateTime === "number") {
-    return new Date(params.summary.selectedDateTime * 1000).toISOString();
-  }
-  if (params.summary.richTextPreview) {
-    return params.summary.richTextPreview;
-  }
-  if (params.summary.value?.trim()) {
-    return params.summary.value.trim();
-  }
-  return params.actionId;
-}
-
-function formatInteractionConfirmationText(params: {
-  selectedLabel: string;
-  userId?: string;
-}): string {
-  const actor = params.userId?.trim() ? ` by <@${params.userId.trim()}>` : "";
-  return `:white_check_mark: *${escapeSlackMrkdwn(params.selectedLabel)}* selected${actor}`;
-}
-
 function summarizeViewState(values: unknown): ModalInputSummary[] {
   if (!values || typeof values !== "object") {
     return [];
@@ -443,189 +181,10 @@ function summarizeViewState(values: unknown): ModalInputSummary[] {
 
 export function registerSlackInteractionEvents(params: { ctx: SlackMonitorContext }) {
   const { ctx } = params;
-  if (typeof ctx.app.action !== "function") {
-    return;
-  }
-
-  // Handle Block Kit button clicks from OpenClaw-generated messages
-  // Only matches action_ids that start with our prefix to avoid interfering
-  // with other Slack integrations or future features
-  ctx.app.action(
-    new RegExp(`^${OPENCLAW_ACTION_PREFIX}`),
-    async (args: SlackActionMiddlewareArgs) => {
-      const { ack, body, action, respond } = args;
-      const typedBody = body as unknown as {
-        user?: { id?: string };
-        team?: { id?: string };
-        trigger_id?: string;
-        response_url?: string;
-        channel?: { id?: string };
-        container?: { channel_id?: string; message_ts?: string; thread_ts?: string };
-        message?: { ts?: string; text?: string; blocks?: unknown[] };
-      };
-
-      // Acknowledge the action immediately to prevent the warning icon
-      await ack();
-      if (ctx.shouldDropMismatchedSlackEvent?.(body)) {
-        ctx.runtime.log?.("slack:interaction drop block action payload (mismatched app/team)");
-        return;
-      }
-
-      // Extract action details using proper Bolt types
-      const typedAction = readInteractionAction(action);
-      if (!typedAction) {
-        ctx.runtime.log?.(
-          `slack:interaction malformed action payload channel=${typedBody.channel?.id ?? typedBody.container?.channel_id ?? "unknown"} user=${
-            typedBody.user?.id ?? "unknown"
-          }`,
-        );
-        return;
-      }
-      const typedActionWithText = typedAction as {
-        action_id?: string;
-        block_id?: string;
-        type?: string;
-        text?: { text?: string };
-      };
-      const actionId =
-        typeof typedActionWithText.action_id === "string"
-          ? typedActionWithText.action_id
-          : "unknown";
-      const blockId = typedActionWithText.block_id;
-      const userId = typedBody.user?.id ?? "unknown";
-      const channelId = typedBody.channel?.id ?? typedBody.container?.channel_id;
-      const messageTs = typedBody.message?.ts ?? typedBody.container?.message_ts;
-      const threadTs = typedBody.container?.thread_ts;
-      const auth = await authorizeSlackSystemEventSender({
-        ctx,
-        senderId: userId,
-        channelId,
-      });
-      if (!auth.allowed) {
-        ctx.runtime.log?.(
-          `slack:interaction drop action=${actionId} user=${userId} channel=${channelId ?? "unknown"} reason=${auth.reason ?? "unauthorized"}`,
-        );
-        if (respond) {
-          try {
-            await respond({
-              text: "You are not authorized to use this control.",
-              response_type: "ephemeral",
-            });
-          } catch {
-            // Best-effort feedback only.
-          }
-        }
-        return;
-      }
-      const actionSummary = summarizeAction(typedAction);
-      const eventPayload: InteractionSummary = {
-        interactionType: "block_action",
-        actionId,
-        blockId,
-        ...actionSummary,
-        userId,
-        teamId: typedBody.team?.id,
-        triggerId: typedBody.trigger_id,
-        responseUrl: typedBody.response_url,
-        channelId,
-        messageTs,
-        threadTs,
-      };
-
-      // Log the interaction for debugging
-      ctx.runtime.log?.(
-        `slack:interaction action=${actionId} type=${actionSummary.actionType ?? "unknown"} user=${userId} channel=${channelId}`,
-      );
-
-      // Send a system event to notify the agent about the button click
-      // Pass undefined (not "unknown") to allow proper main session fallback
-      const sessionKey = ctx.resolveSlackSystemEventSessionKey({
-        channelId: channelId,
-        channelType: auth.channelType,
-        senderId: userId,
-      });
-
-      // Build context key - only include defined values to avoid "unknown" noise
-      const contextParts = ["slack:interaction", channelId, messageTs, actionId].filter(Boolean);
-      const contextKey = contextParts.join(":");
-
-      enqueueSystemEvent(formatSlackInteractionSystemEvent(eventPayload), {
-        sessionKey,
-        contextKey,
-      });
-
-      const originalBlocks = typedBody.message?.blocks;
-      if (!Array.isArray(originalBlocks) || !channelId || !messageTs) {
-        return;
-      }
-
-      if (!blockId) {
-        return;
-      }
-
-      const selectedLabel = formatInteractionSelectionLabel({
-        actionId,
-        summary: actionSummary,
-        buttonText: typedActionWithText.text?.text,
-      });
-      let updatedBlocks = originalBlocks.map((block) => {
-        const typedBlock = block as InteractionMessageBlock;
-        if (typedBlock.type === "actions" && typedBlock.block_id === blockId) {
-          return {
-            type: "context",
-            elements: [
-              {
-                type: "mrkdwn",
-                text: formatInteractionConfirmationText({ selectedLabel, userId }),
-              },
-            ],
-          };
-        }
-        return block;
-      });
-
-      const hasRemainingIndividualActionRows = updatedBlocks.some((block) => {
-        const typedBlock = block as InteractionMessageBlock;
-        return typedBlock.type === "actions" && !isBulkActionsBlock(typedBlock);
-      });
-
-      if (!hasRemainingIndividualActionRows) {
-        updatedBlocks = updatedBlocks.filter((block, index) => {
-          const typedBlock = block as InteractionMessageBlock;
-          if (isBulkActionsBlock(typedBlock)) {
-            return false;
-          }
-          if (typedBlock.type !== "divider") {
-            return true;
-          }
-          const next = updatedBlocks[index + 1] as InteractionMessageBlock | undefined;
-          return !next || !isBulkActionsBlock(next);
-        });
-      }
-
-      try {
-        await ctx.app.client.chat.update({
-          channel: channelId,
-          ts: messageTs,
-          text: typedBody.message?.text ?? "",
-          blocks: updatedBlocks as (Block | KnownBlock)[],
-        });
-      } catch {
-        // If update fails, fallback to ephemeral confirmation for immediate UX feedback.
-        if (!respond) {
-          return;
-        }
-        try {
-          await respond({
-            text: `Button "${actionId}" clicked!`,
-            response_type: "ephemeral",
-          });
-        } catch {
-          // Action was acknowledged and system event enqueued even when response updates fail.
-        }
-      }
-    },
-  );
+  registerSlackBlockActionHandler({
+    ctx,
+    formatSystemEvent: formatSlackInteractionSystemEvent,
+  });
 
   if (typeof ctx.app.view !== "function") {
     return;
diff --git a/extensions/slack/src/monitor/message-handler/prepare.test.ts b/extensions/slack/src/monitor/message-handler/prepare.test.ts
index a6858e529af..a57614afaeb 100644
--- a/extensions/slack/src/monitor/message-handler/prepare.test.ts
+++ b/extensions/slack/src/monitor/message-handler/prepare.test.ts
@@ -3,10 +3,10 @@ import os from "node:os";
 import path from "node:path";
 import type { App } from "@slack/bolt";
 import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
+import { expectChannelInboundContextContract as expectInboundContextContract } from "../../../../../src/channels/plugins/contracts/suites.js";
 import type { OpenClawConfig } from "../../../../../src/config/config.js";
 import { resolveAgentRoute } from "../../../../../src/routing/resolve-route.js";
 import { resolveThreadSessionKeys } from "../../../../../src/routing/session-key.js";
-import { expectInboundContextContract } from "../../../../../test/helpers/inbound-contract.js";
 import type { ResolvedSlackAccount } from "../../accounts.js";
 import type { SlackMessageEvent } from "../../types.js";
 import type { SlackMonitorContext } from "../context.js";
diff --git a/extensions/slack/src/monitor/provider.group-policy.test.ts b/extensions/slack/src/monitor/provider.group-policy.test.ts
deleted file mode 100644
index 392003ad5f5..00000000000
--- a/extensions/slack/src/monitor/provider.group-policy.test.ts
+++ /dev/null
@@ -1,13 +0,0 @@
-import { describe } from "vitest";
-import { installProviderRuntimeGroupPolicyFallbackSuite } from "../../../../src/test-utils/runtime-group-policy-contract.js";
-import { __testing } from "./provider.js";
-
-describe("resolveSlackRuntimeGroupPolicy", () => {
-  installProviderRuntimeGroupPolicyFallbackSuite({
-    resolve: __testing.resolveSlackRuntimeGroupPolicy,
-    configuredLabel: "keeps open default when channels.slack is configured",
-    defaultGroupPolicyUnderTest: "open",
-    missingConfigLabel: "fails closed when channels.slack is missing and no defaults are set",
-    missingDefaultLabel: "ignores explicit global defaults when provider config is missing",
-  });
-});
diff --git a/src/channels/plugins/outbound/slack.ts b/extensions/slack/src/outbound-adapter.ts
similarity index 56%
rename from src/channels/plugins/outbound/slack.ts
rename to extensions/slack/src/outbound-adapter.ts
index 923317c7d58..1c851c8f69e 100644
--- a/src/channels/plugins/outbound/slack.ts
+++ b/extensions/slack/src/outbound-adapter.ts
@@ -1,10 +1,31 @@
-import { parseSlackBlocksInput } from "../../../../extensions/slack/src/blocks-input.js";
-import { sendMessageSlack, type SlackSendIdentity } from "../../../../extensions/slack/src/send.js";
-import type { OutboundIdentity } from "../../../infra/outbound/identity.js";
-import { resolveOutboundSendDep } from "../../../infra/outbound/send-deps.js";
-import { getGlobalHookRunner } from "../../../plugins/hook-runner-global.js";
-import type { ChannelOutboundAdapter } from "../types.js";
-import { sendTextMediaPayload } from "./direct-text-media.js";
+import {
+  resolvePayloadMediaUrls,
+  sendPayloadMediaSequence,
+  sendTextMediaPayload,
+} from "../../../src/channels/plugins/outbound/direct-text-media.js";
+import type { ChannelOutboundAdapter } from "../../../src/channels/plugins/types.js";
+import type { OutboundIdentity } from "../../../src/infra/outbound/identity.js";
+import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
+import {
+  resolveInteractiveTextFallback,
+  type InteractiveReply,
+} from "../../../src/interactive/payload.js";
+import { getGlobalHookRunner } from "../../../src/plugins/hook-runner-global.js";
+import { parseSlackBlocksInput } from "./blocks-input.js";
+import { buildSlackInteractiveBlocks, type SlackBlock } from "./blocks-render.js";
+import { sendMessageSlack, type SlackSendIdentity } from "./send.js";
+
+const SLACK_MAX_BLOCKS = 50;
+
+function resolveRenderedInteractiveBlocks(
+  interactive?: InteractiveReply,
+): SlackBlock[] | undefined {
+  if (!interactive) {
+    return undefined;
+  }
+  const blocks = buildSlackInteractiveBlocks(interactive);
+  return blocks.length > 0 ? blocks : undefined;
+}
 
 function resolveSlackSendIdentity(identity?: OutboundIdentity): SlackSendIdentity | undefined {
   if (!identity) {
@@ -64,7 +85,6 @@ async function sendSlackOutboundMessage(params: {
 }) {
   const send =
     resolveOutboundSendDep<typeof sendMessageSlack>(params.deps, "slack") ?? sendMessageSlack;
-  // Use threadId fallback so routed tool notifications stay in the Slack thread.
   const threadTs =
     params.replyToId ?? (params.threadId != null ? String(params.threadId) : undefined);
   const hookResult = await applySlackMessageSendingHooks({
@@ -97,12 +117,28 @@ async function sendSlackOutboundMessage(params: {
   return { channel: "slack" as const, ...result };
 }
 
-function resolveSlackBlocks(channelData: Record<string, unknown> | undefined) {
-  const slackData = channelData?.slack;
+function resolveSlackBlocks(payload: {
+  channelData?: Record<string, unknown>;
+  interactive?: InteractiveReply;
+}) {
+  const slackData = payload.channelData?.slack;
+  const renderedInteractive = resolveRenderedInteractiveBlocks(payload.interactive);
   if (!slackData || typeof slackData !== "object" || Array.isArray(slackData)) {
+    return renderedInteractive;
+  }
+  const existingBlocks = parseSlackBlocksInput((slackData as { blocks?: unknown }).blocks) as
+    | SlackBlock[]
+    | undefined;
+  const mergedBlocks = [...(existingBlocks ?? []), ...(renderedInteractive ?? [])];
+  if (mergedBlocks.length === 0) {
     return undefined;
   }
-  return parseSlackBlocksInput((slackData as { blocks?: unknown }).blocks);
+  if (mergedBlocks.length > SLACK_MAX_BLOCKS) {
+    throw new Error(
+      `Slack blocks cannot exceed ${SLACK_MAX_BLOCKS} items after interactive render`,
+    );
+  }
+  return mergedBlocks;
 }
 
 export const slackOutbound: ChannelOutboundAdapter = {
@@ -110,15 +146,61 @@ export const slackOutbound: ChannelOutboundAdapter = {
   chunker: null,
   textChunkLimit: 4000,
   sendPayload: async (ctx) => {
-    const blocks = resolveSlackBlocks(ctx.payload.channelData);
+    const payload = {
+      ...ctx.payload,
+      text:
+        resolveInteractiveTextFallback({
+          text: ctx.payload.text,
+          interactive: ctx.payload.interactive,
+        }) ?? "",
+    };
+    const blocks = resolveSlackBlocks(payload);
     if (!blocks) {
-      return await sendTextMediaPayload({ channel: "slack", ctx, adapter: slackOutbound });
+      return await sendTextMediaPayload({
+        channel: "slack",
+        ctx: {
+          ...ctx,
+          payload,
+        },
+        adapter: slackOutbound,
+      });
     }
+    const mediaUrls = resolvePayloadMediaUrls(payload);
+    if (mediaUrls.length === 0) {
+      return await sendSlackOutboundMessage({
+        cfg: ctx.cfg,
+        to: ctx.to,
+        text: payload.text ?? "",
+        mediaLocalRoots: ctx.mediaLocalRoots,
+        blocks,
+        accountId: ctx.accountId,
+        deps: ctx.deps,
+        replyToId: ctx.replyToId,
+        threadId: ctx.threadId,
+        identity: ctx.identity,
+      });
+    }
+    await sendPayloadMediaSequence({
+      text: "",
+      mediaUrls,
+      send: async ({ text, mediaUrl }) =>
+        await sendSlackOutboundMessage({
+          cfg: ctx.cfg,
+          to: ctx.to,
+          text,
+          mediaUrl,
+          mediaLocalRoots: ctx.mediaLocalRoots,
+          accountId: ctx.accountId,
+          deps: ctx.deps,
+          replyToId: ctx.replyToId,
+          threadId: ctx.threadId,
+          identity: ctx.identity,
+        }),
+    });
     return await sendSlackOutboundMessage({
       cfg: ctx.cfg,
       to: ctx.to,
-      text: ctx.payload.text ?? "",
-      mediaUrl: ctx.payload.mediaUrl,
+      text: payload.text ?? "",
       mediaLocalRoots: ctx.mediaLocalRoots,
       blocks,
       accountId: ctx.accountId,
diff --git a/extensions/slack/src/runtime.ts b/extensions/slack/src/runtime.ts
index 7961547004c..313f472eec4 100644
--- a/extensions/slack/src/runtime.ts
+++ b/extensions/slack/src/runtime.ts
@@ -1,5 +1,5 @@
 import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
-import type { PluginRuntime } from "openclaw/plugin-sdk/slack";
+import type { PluginRuntime } from "openclaw/plugin-sdk/core";
 
 const { setRuntime: setSlackRuntime, getRuntime: getSlackRuntime } =
   createPluginRuntimeStore<PluginRuntime>("Slack runtime not initialized");
diff --git a/extensions/slack/src/setup-core.ts b/extensions/slack/src/setup-core.ts
new file mode 100644
index 00000000000..6b32f206d2e
--- /dev/null
+++ b/extensions/slack/src/setup-core.ts
@@ -0,0 +1,495 @@
+import {
+  applyAccountNameToChannelSection,
+  migrateBaseNameToDefaultAccount,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import {
+  noteChannelLookupFailure,
+  noteChannelLookupSummary,
+  parseMentionOrPrefixedId,
+  patchChannelConfigForAccount,
+  setAccountGroupPolicyForChannel,
+  setLegacyChannelDmPolicyWithAllowFrom,
+  setSetupChannelEnabled,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
+import type {
+  ChannelSetupWizard,
+  ChannelSetupWizardAllowFromEntry,
+} from "../../../src/channels/plugins/setup-wizard.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import { hasConfiguredSecretInput } from "../../../src/config/types.secrets.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
+import { inspectSlackAccount } from "./account-inspect.js";
+import { listSlackAccountIds, resolveSlackAccount, type ResolvedSlackAccount } from "./accounts.js";
+
+const channel = "slack" as const;
+
+function buildSlackManifest(botName: string) {
+  const safeName = botName.trim() || "OpenClaw";
+  const manifest = {
+    display_information: {
+      name: safeName,
+      description: `${safeName} connector for OpenClaw`,
+    },
+    features: {
+      bot_user: {
+        display_name: safeName,
+        always_online: false,
+      },
+      app_home: {
+        messages_tab_enabled: true,
+        messages_tab_read_only_enabled: false,
+      },
+      slash_commands: [
+        {
+          command: "/openclaw",
+          description: "Send a message to OpenClaw",
+          should_escape: false,
+        },
+      ],
+    },
+    oauth_config: {
+      scopes: {
+        bot: [
+          "chat:write",
+          "channels:history",
+          "channels:read",
+          "groups:history",
+          "im:history",
+          "mpim:history",
+          "users:read",
+          "app_mentions:read",
+          "reactions:read",
+          "reactions:write",
+          "pins:read",
+          "pins:write",
+          "emoji:read",
+          "commands",
+          "files:read",
+          "files:write",
+        ],
+      },
+    },
+    settings: {
+      socket_mode_enabled: true,
+      event_subscriptions: {
+        bot_events: [
+          "app_mention",
+          "message.channels",
+          "message.groups",
+          "message.im",
+          "message.mpim",
+          "reaction_added",
+          "reaction_removed",
+          "member_joined_channel",
+          "member_left_channel",
+          "channel_rename",
+          "pin_added",
+          "pin_removed",
+        ],
+      },
+    },
+  };
+  return JSON.stringify(manifest, null, 2);
+}
+
+function buildSlackSetupLines(botName = "OpenClaw"): string[] {
+  return [
+    "1) Slack API -> Create App -> From scratch or From manifest (with the JSON below)",
+    "2) Add Socket Mode + enable it to get the app-level token (xapp-...)",
+    "3) Install App to workspace to get the xoxb- bot token",
+    "4) Enable Event Subscriptions (socket) for message events",
+    "5) App Home -> enable the Messages tab for DMs",
+    "Tip: set SLACK_BOT_TOKEN + SLACK_APP_TOKEN in your env.",
+    `Docs: ${formatDocsLink("/slack", "slack")}`,
+    "",
+    "Manifest (JSON):",
+    buildSlackManifest(botName),
+  ];
+}
+
+function enableSlackAccount(cfg: OpenClawConfig, accountId: string): OpenClawConfig {
+  return patchChannelConfigForAccount({
+    cfg,
+    channel,
+    accountId,
+    patch: { enabled: true },
+  });
+}
+
+function setSlackChannelAllowlist(
+  cfg: OpenClawConfig,
+  accountId: string,
+  channelKeys: string[],
+): OpenClawConfig {
+  const channels = Object.fromEntries(channelKeys.map((key) => [key, { allow: true }]));
+  return patchChannelConfigForAccount({
+    cfg,
+    channel,
+    accountId,
+    patch: { channels },
+  });
+}
+
+function isSlackAccountConfigured(account: ResolvedSlackAccount): boolean {
+  const hasConfiguredBotToken =
+    Boolean(account.botToken?.trim()) || hasConfiguredSecretInput(account.config.botToken);
+  const hasConfiguredAppToken =
+    Boolean(account.appToken?.trim()) || hasConfiguredSecretInput(account.config.appToken);
+  return hasConfiguredBotToken && hasConfiguredAppToken;
+}
+
+export const slackSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  validateInput: ({ accountId, input }) => {
+    if (input.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
+      return "Slack env tokens can only be used for the default account.";
+    }
+    if (!input.useEnv && (!input.botToken || !input.appToken)) {
+      return "Slack requires --bot-token and --app-token (or --use-env).";
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name: input.name,
+    });
+    const next =
+      accountId !== DEFAULT_ACCOUNT_ID
+        ? migrateBaseNameToDefaultAccount({
+            cfg: namedConfig,
+            channelKey: channel,
+          })
+        : namedConfig;
+    if (accountId === DEFAULT_ACCOUNT_ID) {
+      return {
+        ...next,
+        channels: {
+          ...next.channels,
+          slack: {
+            ...next.channels?.slack,
+            enabled: true,
+            ...(input.useEnv
+              ? {}
+              : {
+                  ...(input.botToken ? { botToken: input.botToken } : {}),
+                  ...(input.appToken ? { appToken: input.appToken } : {}),
+                }),
+          },
+        },
+      };
+    }
+    return {
+      ...next,
+      channels: {
+        ...next.channels,
+        slack: {
+          ...next.channels?.slack,
+          enabled: true,
+          accounts: {
+            ...next.channels?.slack?.accounts,
+            [accountId]: {
+              ...next.channels?.slack?.accounts?.[accountId],
+              enabled: true,
+              ...(input.botToken ? { botToken: input.botToken } : {}),
+              ...(input.appToken ? { appToken: input.appToken } : {}),
+            },
+          },
+        },
+      },
+    };
+  },
+};
+
+export function createSlackSetupWizardProxy(
+  loadWizard: () => Promise<{ slackSetupWizard: ChannelSetupWizard }>,
+) {
+  const slackDmPolicy: ChannelSetupDmPolicy = {
+    label: "Slack",
+    channel,
+    policyKey: "channels.slack.dmPolicy",
+    allowFromKey: "channels.slack.allowFrom",
+    getCurrent: (cfg: OpenClawConfig) =>
+      cfg.channels?.slack?.dmPolicy ?? cfg.channels?.slack?.dm?.policy ?? "pairing",
+    setPolicy: (cfg: OpenClawConfig, policy) =>
+      setLegacyChannelDmPolicyWithAllowFrom({
+        cfg,
+        channel,
+        dmPolicy: policy,
+      }),
+    promptAllowFrom: async ({ cfg, prompter, accountId }) => {
+      const wizard = (await loadWizard()).slackSetupWizard;
+      if (!wizard.dmPolicy?.promptAllowFrom) {
+        return cfg;
+      }
+      return await wizard.dmPolicy.promptAllowFrom({ cfg, prompter, accountId });
+    },
+  };
+
+  return {
+    channel,
+    status: {
+      configuredLabel: "configured",
+      unconfiguredLabel: "needs tokens",
+      configuredHint: "configured",
+      unconfiguredHint: "needs tokens",
+      configuredScore: 2,
+      unconfiguredScore: 1,
+      resolveConfigured: ({ cfg }) =>
+        listSlackAccountIds(cfg).some((accountId) => {
+          const account = inspectSlackAccount({ cfg, accountId });
+          return account.configured;
+        }),
+    },
+    introNote: {
+      title: "Slack socket mode tokens",
+      lines: buildSlackSetupLines(),
+      shouldShow: ({ cfg, accountId }) =>
+        !isSlackAccountConfigured(resolveSlackAccount({ cfg, accountId })),
+    },
+    envShortcut: {
+      prompt: "SLACK_BOT_TOKEN + SLACK_APP_TOKEN detected. Use env vars?",
+      preferredEnvVar: "SLACK_BOT_TOKEN",
+      isAvailable: ({ cfg, accountId }) =>
+        accountId === DEFAULT_ACCOUNT_ID &&
+        Boolean(process.env.SLACK_BOT_TOKEN?.trim()) &&
+        Boolean(process.env.SLACK_APP_TOKEN?.trim()) &&
+        !isSlackAccountConfigured(resolveSlackAccount({ cfg, accountId })),
+      apply: ({ cfg, accountId }) => enableSlackAccount(cfg, accountId),
+    },
+    credentials: [
+      {
+        inputKey: "botToken",
+        providerHint: "slack-bot",
+        credentialLabel: "Slack bot token",
+        preferredEnvVar: "SLACK_BOT_TOKEN",
+        envPrompt: "SLACK_BOT_TOKEN detected. Use env var?",
+        keepPrompt: "Slack bot token already configured. Keep it?",
+        inputPrompt: "Enter Slack bot token (xoxb-...)",
+        allowEnv: ({ accountId }: { accountId: string }) => accountId === DEFAULT_ACCOUNT_ID,
+        inspect: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId: string }) => {
+          const resolved = resolveSlackAccount({ cfg, accountId });
+          return {
+            accountConfigured:
+              Boolean(resolved.botToken) || hasConfiguredSecretInput(resolved.config.botToken),
+            hasConfiguredValue: hasConfiguredSecretInput(resolved.config.botToken),
+            resolvedValue: resolved.botToken?.trim() || undefined,
+            envValue:
+              accountId === DEFAULT_ACCOUNT_ID ? process.env.SLACK_BOT_TOKEN?.trim() : undefined,
+          };
+        },
+        applyUseEnv: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId: string }) =>
+          enableSlackAccount(cfg, accountId),
+        applySet: ({
+          cfg,
+          accountId,
+          value,
+        }: {
+          cfg: OpenClawConfig;
+          accountId: string;
+          value: unknown;
+        }) =>
+          patchChannelConfigForAccount({
+            cfg,
+            channel,
+            accountId,
+            patch: {
+              enabled: true,
+              botToken: value,
+            },
+          }),
+      },
+      {
+        inputKey: "appToken",
+        providerHint: "slack-app",
+        credentialLabel: "Slack app token",
+        preferredEnvVar: "SLACK_APP_TOKEN",
+        envPrompt: "SLACK_APP_TOKEN detected. Use env var?",
+        keepPrompt: "Slack app token already configured. Keep it?",
+        inputPrompt: "Enter Slack app token (xapp-...)",
+        allowEnv: ({ accountId }: { accountId: string }) => accountId === DEFAULT_ACCOUNT_ID,
+        inspect: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId: string }) => {
+          const resolved = resolveSlackAccount({ cfg, accountId });
+          return {
+            accountConfigured:
+              Boolean(resolved.appToken) || hasConfiguredSecretInput(resolved.config.appToken),
+            hasConfiguredValue: hasConfiguredSecretInput(resolved.config.appToken),
+            resolvedValue: resolved.appToken?.trim() || undefined,
+            envValue:
+              accountId === DEFAULT_ACCOUNT_ID ? process.env.SLACK_APP_TOKEN?.trim() : undefined,
+          };
+        },
+        applyUseEnv: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId: string }) =>
+          enableSlackAccount(cfg, accountId),
+        applySet: ({
+          cfg,
+          accountId,
+          value,
+        }: {
+          cfg: OpenClawConfig;
+          accountId: string;
+          value: unknown;
+        }) =>
+          patchChannelConfigForAccount({
+            cfg,
+            channel,
+            accountId,
+            patch: {
+              enabled: true,
+              appToken: value,
+            },
+          }),
+      },
+    ],
+    dmPolicy: slackDmPolicy,
+    allowFrom: {
+      helpTitle: "Slack allowlist",
+      helpLines: [
+        "Allowlist Slack DMs by username (we resolve to user ids).",
+        "Examples:",
+        "- U12345678",
+        "- @alice",
+        "Multiple entries: comma-separated.",
+        `Docs: ${formatDocsLink("/slack", "slack")}`,
+      ],
+      credentialInputKey: "botToken",
+      message: "Slack allowFrom (usernames or ids)",
+      placeholder: "@alice, U12345678",
+      invalidWithoutCredentialNote: "Slack token missing; use user ids (or mention form) only.",
+      parseId: (value: string) =>
+        parseMentionOrPrefixedId({
+          value,
+          mentionPattern: /^<@([A-Z0-9]+)>$/i,
+          prefixPattern: /^(slack:|user:)/i,
+          idPattern: /^[A-Z][A-Z0-9]+$/i,
+          normalizeId: (id) => id.toUpperCase(),
+        }),
+      resolveEntries: async ({
+        cfg,
+        accountId,
+        credentialValues,
+        entries,
+      }: {
+        cfg: OpenClawConfig;
+        accountId: string;
+        credentialValues: { botToken?: string };
+        entries: string[];
+      }) => {
+        const wizard = (await loadWizard()).slackSetupWizard;
+        if (!wizard.allowFrom) {
+          return entries.map((input) => ({ input, resolved: false, id: null }));
+        }
+        return await wizard.allowFrom.resolveEntries({
+          cfg,
+          accountId,
+          credentialValues,
+          entries,
+        });
+      },
+      apply: ({
+        cfg,
+        accountId,
+        allowFrom,
+      }: {
+        cfg: OpenClawConfig;
+        accountId: string;
+        allowFrom: string[];
+      }) =>
+        patchChannelConfigForAccount({
+          cfg,
+          channel,
+          accountId,
+          patch: { dmPolicy: "allowlist", allowFrom },
+        }),
+    },
+    groupAccess: {
+      label: "Slack channels",
+      placeholder: "#general, #private, C123",
+      currentPolicy: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId: string }) =>
+        resolveSlackAccount({ cfg, accountId }).config.groupPolicy ?? "allowlist",
+      currentEntries: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId: string }) =>
+        Object.entries(resolveSlackAccount({ cfg, accountId }).config.channels ?? {})
+          .filter(([, value]) => value?.allow !== false && value?.enabled !== false)
+          .map(([key]) => key),
+      updatePrompt: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId: string }) =>
+        Boolean(resolveSlackAccount({ cfg, accountId }).config.channels),
+      setPolicy: ({
+        cfg,
+        accountId,
+        policy,
+      }: {
+        cfg: OpenClawConfig;
+        accountId: string;
+        policy: "open" | "allowlist" | "disabled";
+      }) =>
+        setAccountGroupPolicyForChannel({
+          cfg,
+          channel,
+          accountId,
+          groupPolicy: policy,
+        }),
+      resolveAllowlist: async ({
+        cfg,
+        accountId,
+        credentialValues,
+        entries,
+        prompter,
+      }: {
+        cfg: OpenClawConfig;
+        accountId: string;
+        credentialValues: { botToken?: string };
+        entries: string[];
+        prompter: { note: (message: string, title?: string) => Promise<void> };
+      }) => {
+        try {
+          const wizard = (await loadWizard()).slackSetupWizard;
+          if (!wizard.groupAccess?.resolveAllowlist) {
+            return entries;
+          }
+          return await wizard.groupAccess.resolveAllowlist({
+            cfg,
+            accountId,
+            credentialValues,
+            entries,
+            prompter,
+          });
+        } catch (error) {
+          await noteChannelLookupFailure({
+            prompter,
+            label: "Slack channels",
+            error,
+          });
+          await noteChannelLookupSummary({
+            prompter,
+            label: "Slack channels",
+            resolvedSections: [],
+            unresolved: entries,
+          });
+          return entries;
+        }
+      },
+      applyAllowlist: ({
+        cfg,
+        accountId,
+        resolved,
+      }: {
+        cfg: OpenClawConfig;
+        accountId: string;
+        resolved: unknown;
+      }) => setSlackChannelAllowlist(cfg, accountId, resolved as string[]),
+    },
+    disable: (cfg: OpenClawConfig) => setSetupChannelEnabled(cfg, channel, false),
+  } satisfies ChannelSetupWizard;
+}
diff --git a/extensions/slack/src/setup-surface.ts b/extensions/slack/src/setup-surface.ts
index ad743ffa080..5769c4c6d77 100644
--- a/extensions/slack/src/setup-surface.ts
+++ b/extensions/slack/src/setup-surface.ts
@@ -1,24 +1,19 @@
-import type { ChannelOnboardingDmPolicy } from "../../../src/channels/plugins/onboarding-types.js";
 import {
   noteChannelLookupFailure,
   noteChannelLookupSummary,
   parseMentionOrPrefixedId,
   patchChannelConfigForAccount,
   promptLegacyChannelAllowFrom,
-  resolveOnboardingAccountId,
+  resolveSetupAccountId,
   setAccountGroupPolicyForChannel,
   setLegacyChannelDmPolicyWithAllowFrom,
-  setOnboardingChannelEnabled,
-} from "../../../src/channels/plugins/onboarding/helpers.js";
-import {
-  applyAccountNameToChannelSection,
-  migrateBaseNameToDefaultAccount,
-} from "../../../src/channels/plugins/setup-helpers.js";
+  setSetupChannelEnabled,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
 import type {
   ChannelSetupWizard,
   ChannelSetupWizardAllowFromEntry,
 } from "../../../src/channels/plugins/setup-wizard.js";
-import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
 import { hasConfiguredSecretInput } from "../../../src/config/types.secrets.js";
 import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
@@ -33,6 +28,7 @@ import {
 } from "./accounts.js";
 import { resolveSlackChannelAllowlist } from "./resolve-channels.js";
 import { resolveSlackUserAllowlist } from "./resolve-users.js";
+import { slackSetupAdapter } from "./setup-core.js";
 
 const channel = "slack" as const;
 
@@ -170,7 +166,7 @@ async function promptSlackAllowFrom(params: {
   prompter: WizardPrompter;
   accountId?: string;
 }): Promise<OpenClawConfig> {
-  const accountId = resolveOnboardingAccountId({
+  const accountId = resolveSetupAccountId({
     accountId: params.accountId,
     defaultAccountId: resolveDefaultSlackAccountId(params.cfg),
   });
@@ -214,7 +210,7 @@ async function promptSlackAllowFrom(params: {
   });
 }
 
-const slackDmPolicy: ChannelOnboardingDmPolicy = {
+const slackDmPolicy: ChannelSetupDmPolicy = {
   label: "Slack",
   channel,
   policyKey: "channels.slack.dmPolicy",
@@ -238,78 +234,6 @@ function isSlackAccountConfigured(account: ResolvedSlackAccount): boolean {
   return hasConfiguredBotToken && hasConfiguredAppToken;
 }
 
-export const slackSetupAdapter: ChannelSetupAdapter = {
-  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-  applyAccountName: ({ cfg, accountId, name }) =>
-    applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name,
-    }),
-  validateInput: ({ accountId, input }) => {
-    if (input.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
-      return "Slack env tokens can only be used for the default account.";
-    }
-    if (!input.useEnv && (!input.botToken || !input.appToken)) {
-      return "Slack requires --bot-token and --app-token (or --use-env).";
-    }
-    return null;
-  },
-  applyAccountConfig: ({ cfg, accountId, input }) => {
-    const namedConfig = applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name: input.name,
-    });
-    const next =
-      accountId !== DEFAULT_ACCOUNT_ID
-        ? migrateBaseNameToDefaultAccount({
-            cfg: namedConfig,
-            channelKey: channel,
-          })
-        : namedConfig;
-    if (accountId === DEFAULT_ACCOUNT_ID) {
-      return {
-        ...next,
-        channels: {
-          ...next.channels,
-          slack: {
-            ...next.channels?.slack,
-            enabled: true,
-            ...(input.useEnv
-              ? {}
-              : {
-                  ...(input.botToken ? { botToken: input.botToken } : {}),
-                  ...(input.appToken ? { appToken: input.appToken } : {}),
-                }),
-          },
-        },
-      };
-    }
-    return {
-      ...next,
-      channels: {
-        ...next.channels,
-        slack: {
-          ...next.channels?.slack,
-          enabled: true,
-          accounts: {
-            ...next.channels?.slack?.accounts,
-            [accountId]: {
-              ...next.channels?.slack?.accounts?.[accountId],
-              enabled: true,
-              ...(input.botToken ? { botToken: input.botToken } : {}),
-              ...(input.appToken ? { appToken: input.appToken } : {}),
-            },
-          },
-        },
-      },
-    };
-  },
-};
-
 export const slackSetupWizard: ChannelSetupWizard = {
   channel,
   status: {
@@ -500,5 +424,5 @@ export const slackSetupWizard: ChannelSetupWizard = {
     applyAllowlist: ({ cfg, accountId, resolved }) =>
       setSlackChannelAllowlist(cfg, accountId, resolved as string[]),
   },
-  disable: (cfg) => setOnboardingChannelEnabled(cfg, channel, false),
+  disable: (cfg) => setSetupChannelEnabled(cfg, channel, false),
 };
diff --git a/extensions/slack/src/shared-interactive.test.ts b/extensions/slack/src/shared-interactive.test.ts
new file mode 100644
index 00000000000..fab37abe33f
--- /dev/null
+++ b/extensions/slack/src/shared-interactive.test.ts
@@ -0,0 +1,85 @@
+import { describe, expect, it } from "vitest";
+import { buildSlackInteractiveBlocks } from "./blocks-render.js";
+
+describe("buildSlackInteractiveBlocks", () => {
+  it("renders shared interactive blocks in authored order", () => {
+    expect(
+      buildSlackInteractiveBlocks({
+        blocks: [
+          {
+            type: "select",
+            placeholder: "Pick one",
+            options: [{ label: "Alpha", value: "alpha" }],
+          },
+          { type: "text", text: "then" },
+          { type: "buttons", buttons: [{ label: "Retry", value: "retry" }] },
+        ],
+      }),
+    ).toEqual([
+      expect.objectContaining({
+        type: "actions",
+        block_id: "openclaw_reply_select_1",
+      }),
+      expect.objectContaining({
+        type: "section",
+        text: expect.objectContaining({ text: "then" }),
+      }),
+      expect.objectContaining({
+        type: "actions",
+        block_id: "openclaw_reply_buttons_1",
+      }),
+    ]);
+  });
+
+  it("truncates Slack render strings to Block Kit limits", () => {
+    const long = "x".repeat(120);
+    const blocks = buildSlackInteractiveBlocks({
+      blocks: [
+        { type: "text", text: "y".repeat(3100) },
+        { type: "select", placeholder: long, options: [{ label: long, value: long }] },
+        { type: "buttons", buttons: [{ label: long, value: long }] },
+      ],
+    });
+    const section = blocks[0] as { text?: { text?: string } };
+    const selectBlock = blocks[1] as {
+      elements?: Array<{ placeholder?: { text?: string } }>;
+    };
+    const buttonBlock = blocks[2] as {
+      elements?: Array<{ value?: string }>;
+    };
+
+    expect((section.text?.text ?? "").length).toBeLessThanOrEqual(3000);
+    expect((selectBlock.elements?.[0]?.placeholder?.text ?? "").length).toBeLessThanOrEqual(75);
+    expect(buttonBlock.elements?.[0]?.value).toBe(long);
+  });
+
+  it("preserves original callback payloads for round-tripping", () => {
+    const blocks = buildSlackInteractiveBlocks({
+      blocks: [
+        {
+          type: "buttons",
+          buttons: [{ label: "Allow", value: "pluginbind:approval-123:o" }],
+        },
+        {
+          type: "select",
+          options: [{ label: "Approve", value: "codex:approve:thread-1" }],
+        },
+      ],
+    });
+
+    const buttonBlock = blocks[0] as {
+      elements?: Array<{ action_id?: string; value?: string }>;
+    };
+    const selectBlock = blocks[1] as {
+      elements?: Array<{
+        action_id?: string;
+        options?: Array<{ value?: string }>;
+      }>;
+    };
+
+    expect(buttonBlock.elements?.[0]?.action_id).toBe("openclaw:reply_button");
+    expect(buttonBlock.elements?.[0]?.value).toBe("pluginbind:approval-123:o");
+    expect(selectBlock.elements?.[0]?.action_id).toBe("openclaw:reply_select");
+    expect(selectBlock.elements?.[0]?.options?.[0]?.value).toBe("codex:approve:thread-1");
+  });
+});
diff --git a/extensions/synology-chat/index.ts b/extensions/synology-chat/index.ts
index 69dbfb9edbf..9078b9f86c7 100644
--- a/extensions/synology-chat/index.ts
+++ b/extensions/synology-chat/index.ts
@@ -1,6 +1,6 @@
 import type { OpenClawPluginApi } from "openclaw/plugin-sdk/synology-chat";
 import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/synology-chat";
-import { createSynologyChatPlugin } from "./src/channel.js";
+import { synologyChatPlugin } from "./src/channel.js";
 import { setSynologyRuntime } from "./src/runtime.js";
 
 const plugin = {
@@ -10,7 +10,7 @@ const plugin = {
   configSchema: emptyPluginConfigSchema(),
   register(api: OpenClawPluginApi) {
     setSynologyRuntime(api.runtime);
-    api.registerChannel({ plugin: createSynologyChatPlugin() });
+    api.registerChannel({ plugin: synologyChatPlugin });
   },
 };
 
diff --git a/extensions/synology-chat/package.json b/extensions/synology-chat/package.json
index c6148c856a3..d8ff22d6361 100644
--- a/extensions/synology-chat/package.json
+++ b/extensions/synology-chat/package.json
@@ -10,6 +10,7 @@
     "extensions": [
       "./index.ts"
     ],
+    "setupEntry": "./setup-entry.ts",
     "channel": {
       "id": "synology-chat",
       "label": "Synology Chat",
diff --git a/extensions/synology-chat/setup-entry.ts b/extensions/synology-chat/setup-entry.ts
new file mode 100644
index 00000000000..45cc966e082
--- /dev/null
+++ b/extensions/synology-chat/setup-entry.ts
@@ -0,0 +1,5 @@
+import { synologyChatPlugin } from "./src/channel.js";
+
+export default {
+  plugin: synologyChatPlugin,
+};
diff --git a/extensions/synology-chat/src/channel.test.ts b/extensions/synology-chat/src/channel.test.ts
index bdce5f37d79..b45f8c355e4 100644
--- a/extensions/synology-chat/src/channel.test.ts
+++ b/extensions/synology-chat/src/channel.test.ts
@@ -22,6 +22,8 @@ describe("createSynologyChatPlugin", () => {
     expect(plugin.meta).toBeDefined();
     expect(plugin.capabilities).toBeDefined();
     expect(plugin.config).toBeDefined();
+    expect(plugin.setup).toBeDefined();
+    expect(plugin.setupWizard).toBeDefined();
     expect(plugin.security).toBeDefined();
     expect(plugin.outbound).toBeDefined();
     expect(plugin.gateway).toBeDefined();
diff --git a/extensions/synology-chat/src/channel.ts b/extensions/synology-chat/src/channel.ts
index d84516dbda5..0bc771a7d26 100644
--- a/extensions/synology-chat/src/channel.ts
+++ b/extensions/synology-chat/src/channel.ts
@@ -14,6 +14,7 @@ import { z } from "zod";
 import { listAccountIds, resolveAccount } from "./accounts.js";
 import { sendMessage, sendFileUrl } from "./client.js";
 import { getSynologyRuntime } from "./runtime.js";
+import { synologyChatSetupAdapter, synologyChatSetupWizard } from "./setup-surface.js";
 import type { ResolvedSynologyChatAccount } from "./types.js";
 import { createWebhookHandler } from "./webhook-handler.js";
 
@@ -68,6 +69,8 @@ export function createSynologyChatPlugin() {
     reload: { configPrefixes: [`channels.${CHANNEL_ID}`] },
 
     configSchema: SynologyChatConfigSchema,
+    setup: synologyChatSetupAdapter,
+    setupWizard: synologyChatSetupWizard,
 
     config: {
       listAccountIds: (cfg: any) => listAccountIds(cfg),
@@ -377,3 +380,5 @@ export function createSynologyChatPlugin() {
     },
   };
 }
+
+export const synologyChatPlugin = createSynologyChatPlugin();
diff --git a/extensions/synology-chat/src/setup-surface.test.ts b/extensions/synology-chat/src/setup-surface.test.ts
new file mode 100644
index 00000000000..6c1289a8a84
--- /dev/null
+++ b/extensions/synology-chat/src/setup-surface.test.ts
@@ -0,0 +1,101 @@
+import { describe, expect, it, vi } from "vitest";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import type { WizardPrompter } from "../../../src/wizard/prompts.js";
+import { createRuntimeEnv } from "../../test-utils/runtime-env.js";
+import { synologyChatPlugin } from "./channel.js";
+import { synologyChatSetupWizard } from "./setup-surface.js";
+
+function createPrompter(overrides: Partial<WizardPrompter> = {}): WizardPrompter {
+  return {
+    intro: vi.fn(async () => {}),
+    outro: vi.fn(async () => {}),
+    note: vi.fn(async () => {}),
+    select: vi.fn(async ({ options }: { options: Array<{ value: string }> }) => {
+      const first = options[0];
+      if (!first) {
+        throw new Error("no options");
+      }
+      return first.value;
+    }) as WizardPrompter["select"],
+    multiselect: vi.fn(async () => []),
+    text: vi.fn(async () => "") as WizardPrompter["text"],
+    confirm: vi.fn(async () => false),
+    progress: vi.fn(() => ({ update: vi.fn(), stop: vi.fn() })),
+    ...overrides,
+  };
+}
+
+const synologyChatConfigureAdapter = buildChannelSetupWizardAdapterFromSetupWizard({
+  plugin: synologyChatPlugin,
+  wizard: synologyChatSetupWizard,
+});
+
+describe("synology-chat setup wizard", () => {
+  it("configures token and incoming webhook for the default account", async () => {
+    const prompter = createPrompter({
+      text: vi.fn(async ({ message }: { message: string }) => {
+        if (message === "Enter Synology Chat outgoing webhook token") {
+          return "synology-token";
+        }
+        if (message === "Incoming webhook URL") {
+          return "https://nas.example.com/webapi/entry.cgi?token=incoming";
+        }
+        if (message === "Outgoing webhook path (optional)") {
+          return "";
+        }
+        throw new Error(`Unexpected prompt: ${message}`);
+      }) as WizardPrompter["text"],
+    });
+
+    const result = await synologyChatConfigureAdapter.configure({
+      cfg: {} as OpenClawConfig,
+      runtime: createRuntimeEnv(),
+      prompter,
+      options: {},
+      accountOverrides: {},
+      shouldPromptAccountIds: false,
+      forceAllowFrom: false,
+    });
+
+    expect(result.accountId).toBe("default");
+    expect(result.cfg.channels?.["synology-chat"]?.enabled).toBe(true);
+    expect(result.cfg.channels?.["synology-chat"]?.token).toBe("synology-token");
+    expect(result.cfg.channels?.["synology-chat"]?.incomingUrl).toBe(
+      "https://nas.example.com/webapi/entry.cgi?token=incoming",
+    );
+  });
+
+  it("records allowed user ids when setup forces allowFrom", async () => {
+    const prompter = createPrompter({
+      text: vi.fn(async ({ message }: { message: string }) => {
+        if (message === "Enter Synology Chat outgoing webhook token") {
+          return "synology-token";
+        }
+        if (message === "Incoming webhook URL") {
+          return "https://nas.example.com/webapi/entry.cgi?token=incoming";
+        }
+        if (message === "Outgoing webhook path (optional)") {
+          return "";
+        }
+        if (message === "Allowed Synology Chat user ids") {
+          return "123456, synology-chat:789012";
+        }
+        throw new Error(`Unexpected prompt: ${message}`);
+      }) as WizardPrompter["text"],
+    });
+
+    const result = await synologyChatConfigureAdapter.configure({
+      cfg: {} as OpenClawConfig,
+      runtime: createRuntimeEnv(),
+      prompter,
+      options: {},
+      accountOverrides: {},
+      shouldPromptAccountIds: false,
+      forceAllowFrom: true,
+    });
+
+    expect(result.cfg.channels?.["synology-chat"]?.dmPolicy).toBe("allowlist");
+    expect(result.cfg.channels?.["synology-chat"]?.allowedUserIds).toEqual(["123456", "789012"]);
+  });
+});
diff --git a/extensions/synology-chat/src/setup-surface.ts b/extensions/synology-chat/src/setup-surface.ts
new file mode 100644
index 00000000000..d998022365b
--- /dev/null
+++ b/extensions/synology-chat/src/setup-surface.ts
@@ -0,0 +1,324 @@
+import {
+  mergeAllowFromEntries,
+  setSetupChannelEnabled,
+  splitSetupEntries,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
+import { listAccountIds, resolveAccount } from "./accounts.js";
+import type { SynologyChatAccountRaw, SynologyChatChannelConfig } from "./types.js";
+
+const channel = "synology-chat" as const;
+const DEFAULT_WEBHOOK_PATH = "/webhook/synology";
+
+const SYNOLOGY_SETUP_HELP_LINES = [
+  "1) Create an incoming webhook in Synology Chat and copy its URL",
+  "2) Create an outgoing webhook and copy its secret token",
+  `3) Point the outgoing webhook to https://<gateway-host>${DEFAULT_WEBHOOK_PATH}`,
+  "4) Keep allowed user IDs handy for DM allowlisting",
+  `Docs: ${formatDocsLink("/channels/synology-chat", "channels/synology-chat")}`,
+];
+
+const SYNOLOGY_ALLOW_FROM_HELP_LINES = [
+  "Allowlist Synology Chat DMs by numeric user id.",
+  "Examples:",
+  "- 123456",
+  "- synology-chat:123456",
+  "Multiple entries: comma-separated.",
+  `Docs: ${formatDocsLink("/channels/synology-chat", "channels/synology-chat")}`,
+];
+
+function getChannelConfig(cfg: OpenClawConfig): SynologyChatChannelConfig {
+  return (cfg.channels?.[channel] as SynologyChatChannelConfig | undefined) ?? {};
+}
+
+function getRawAccountConfig(cfg: OpenClawConfig, accountId: string): SynologyChatAccountRaw {
+  const channelConfig = getChannelConfig(cfg);
+  if (accountId === DEFAULT_ACCOUNT_ID) {
+    return channelConfig;
+  }
+  return channelConfig.accounts?.[accountId] ?? {};
+}
+
+function patchSynologyChatAccountConfig(params: {
+  cfg: OpenClawConfig;
+  accountId: string;
+  patch: Record<string, unknown>;
+  clearFields?: string[];
+  enabled?: boolean;
+}): OpenClawConfig {
+  const channelConfig = getChannelConfig(params.cfg);
+  if (params.accountId === DEFAULT_ACCOUNT_ID) {
+    const nextChannelConfig = { ...channelConfig } as Record<string, unknown>;
+    for (const field of params.clearFields ?? []) {
+      delete nextChannelConfig[field];
+    }
+    return {
+      ...params.cfg,
+      channels: {
+        ...params.cfg.channels,
+        [channel]: {
+          ...nextChannelConfig,
+          ...(params.enabled ? { enabled: true } : {}),
+          ...params.patch,
+        },
+      },
+    };
+  }
+
+  const nextAccounts = { ...(channelConfig.accounts ?? {}) } as Record<
+    string,
+    Record<string, unknown>
+  >;
+  const nextAccountConfig = { ...(nextAccounts[params.accountId] ?? {}) };
+  for (const field of params.clearFields ?? []) {
+    delete nextAccountConfig[field];
+  }
+  nextAccounts[params.accountId] = {
+    ...nextAccountConfig,
+    ...(params.enabled ? { enabled: true } : {}),
+    ...params.patch,
+  };
+
+  return {
+    ...params.cfg,
+    channels: {
+      ...params.cfg.channels,
+      [channel]: {
+        ...channelConfig,
+        ...(params.enabled ? { enabled: true } : {}),
+        accounts: nextAccounts,
+      },
+    },
+  };
+}
+
+function isSynologyChatConfigured(cfg: OpenClawConfig, accountId: string): boolean {
+  const account = resolveAccount(cfg, accountId);
+  return Boolean(account.token.trim() && account.incomingUrl.trim());
+}
+
+function validateWebhookUrl(value: string): string | undefined {
+  try {
+    const parsed = new URL(value);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      return "Incoming webhook must use http:// or https://.";
+    }
+  } catch {
+    return "Incoming webhook must be a valid URL.";
+  }
+  return undefined;
+}
+
+function validateWebhookPath(value: string): string | undefined {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return undefined;
+  }
+  return trimmed.startsWith("/") ? undefined : "Webhook path must start with /.";
+}
+
+function parseSynologyUserId(value: string): string | null {
+  const cleaned = value.replace(/^synology-chat:/i, "").trim();
+  return /^\d+$/.test(cleaned) ? cleaned : null;
+}
+
+function resolveExistingAllowedUserIds(cfg: OpenClawConfig, accountId: string): string[] {
+  const raw = getRawAccountConfig(cfg, accountId).allowedUserIds;
+  if (Array.isArray(raw)) {
+    return raw.map((value) => String(value).trim()).filter(Boolean);
+  }
+  return String(raw ?? "")
+    .split(",")
+    .map((value) => value.trim())
+    .filter(Boolean);
+}
+
+export const synologyChatSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId) ?? DEFAULT_ACCOUNT_ID,
+  validateInput: ({ accountId, input }) => {
+    if (input.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
+      return "Synology Chat env credentials only support the default account.";
+    }
+    if (!input.useEnv && !input.token?.trim()) {
+      return "Synology Chat requires --token or --use-env.";
+    }
+    if (!input.url?.trim()) {
+      return "Synology Chat requires --url for the incoming webhook.";
+    }
+    const urlError = validateWebhookUrl(input.url.trim());
+    if (urlError) {
+      return urlError;
+    }
+    if (input.webhookPath?.trim()) {
+      return validateWebhookPath(input.webhookPath.trim()) ?? null;
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) =>
+    patchSynologyChatAccountConfig({
+      cfg,
+      accountId,
+      enabled: true,
+      clearFields: input.useEnv ? ["token"] : undefined,
+      patch: {
+        ...(input.useEnv ? {} : { token: input.token?.trim() }),
+        incomingUrl: input.url?.trim(),
+        ...(input.webhookPath?.trim() ? { webhookPath: input.webhookPath.trim() } : {}),
+      },
+    }),
+};
+
+export const synologyChatSetupWizard: ChannelSetupWizard = {
+  channel,
+  status: {
+    configuredLabel: "configured",
+    unconfiguredLabel: "needs token + incoming webhook",
+    configuredHint: "configured",
+    unconfiguredHint: "needs token + incoming webhook",
+    configuredScore: 1,
+    unconfiguredScore: 0,
+    resolveConfigured: ({ cfg }) =>
+      listAccountIds(cfg).some((accountId) => isSynologyChatConfigured(cfg, accountId)),
+    resolveStatusLines: ({ cfg, configured }) => [
+      `Synology Chat: ${configured ? "configured" : "needs token + incoming webhook"}`,
+      `Accounts: ${listAccountIds(cfg).length || 0}`,
+    ],
+  },
+  introNote: {
+    title: "Synology Chat webhook setup",
+    lines: SYNOLOGY_SETUP_HELP_LINES,
+  },
+  credentials: [
+    {
+      inputKey: "token",
+      providerHint: channel,
+      credentialLabel: "outgoing webhook token",
+      preferredEnvVar: "SYNOLOGY_CHAT_TOKEN",
+      helpTitle: "Synology Chat webhook token",
+      helpLines: SYNOLOGY_SETUP_HELP_LINES,
+      envPrompt: "SYNOLOGY_CHAT_TOKEN detected. Use env var?",
+      keepPrompt: "Synology Chat webhook token already configured. Keep it?",
+      inputPrompt: "Enter Synology Chat outgoing webhook token",
+      allowEnv: ({ accountId }) => accountId === DEFAULT_ACCOUNT_ID,
+      inspect: ({ cfg, accountId }) => {
+        const account = resolveAccount(cfg, accountId);
+        const raw = getRawAccountConfig(cfg, accountId);
+        return {
+          accountConfigured: isSynologyChatConfigured(cfg, accountId),
+          hasConfiguredValue: Boolean(raw.token?.trim()),
+          resolvedValue: account.token.trim() || undefined,
+          envValue:
+            accountId === DEFAULT_ACCOUNT_ID
+              ? process.env.SYNOLOGY_CHAT_TOKEN?.trim() || undefined
+              : undefined,
+        };
+      },
+      applyUseEnv: async ({ cfg, accountId }) =>
+        patchSynologyChatAccountConfig({
+          cfg,
+          accountId,
+          enabled: true,
+          clearFields: ["token"],
+          patch: {},
+        }),
+      applySet: async ({ cfg, accountId, resolvedValue }) =>
+        patchSynologyChatAccountConfig({
+          cfg,
+          accountId,
+          enabled: true,
+          patch: { token: resolvedValue },
+        }),
+    },
+  ],
+  textInputs: [
+    {
+      inputKey: "url",
+      message: "Incoming webhook URL",
+      placeholder:
+        "https://nas.example.com/webapi/entry.cgi?api=SYNO.Chat.External&method=incoming...",
+      helpTitle: "Synology Chat incoming webhook",
+      helpLines: [
+        "Use the incoming webhook URL from Synology Chat integrations.",
+        "This is the URL OpenClaw uses to send replies back to Chat.",
+      ],
+      currentValue: ({ cfg, accountId }) => getRawAccountConfig(cfg, accountId).incomingUrl?.trim(),
+      keepPrompt: (value) => `Incoming webhook URL set (${value}). Keep it?`,
+      validate: ({ value }) => validateWebhookUrl(value),
+      applySet: async ({ cfg, accountId, value }) =>
+        patchSynologyChatAccountConfig({
+          cfg,
+          accountId,
+          enabled: true,
+          patch: { incomingUrl: value.trim() },
+        }),
+    },
+    {
+      inputKey: "webhookPath",
+      message: "Outgoing webhook path (optional)",
+      placeholder: DEFAULT_WEBHOOK_PATH,
+      required: false,
+      applyEmptyValue: true,
+      helpTitle: "Synology Chat outgoing webhook path",
+      helpLines: [
+        `Default path: ${DEFAULT_WEBHOOK_PATH}`,
+        "Change this only if you need multiple Synology Chat webhook routes.",
+      ],
+      currentValue: ({ cfg, accountId }) => getRawAccountConfig(cfg, accountId).webhookPath?.trim(),
+      keepPrompt: (value) => `Outgoing webhook path set (${value}). Keep it?`,
+      validate: ({ value }) => validateWebhookPath(value),
+      applySet: async ({ cfg, accountId, value }) =>
+        patchSynologyChatAccountConfig({
+          cfg,
+          accountId,
+          enabled: true,
+          clearFields: value.trim() ? undefined : ["webhookPath"],
+          patch: value.trim() ? { webhookPath: value.trim() } : {},
+        }),
+    },
+  ],
+  allowFrom: {
+    helpTitle: "Synology Chat allowlist",
+    helpLines: SYNOLOGY_ALLOW_FROM_HELP_LINES,
+    message: "Allowed Synology Chat user ids",
+    placeholder: "123456, 987654",
+    invalidWithoutCredentialNote: "Synology Chat user ids must be numeric.",
+    parseInputs: splitSetupEntries,
+    parseId: parseSynologyUserId,
+    resolveEntries: async ({ entries }) =>
+      entries.map((entry) => {
+        const id = parseSynologyUserId(entry);
+        return {
+          input: entry,
+          resolved: Boolean(id),
+          id,
+        };
+      }),
+    apply: async ({ cfg, accountId, allowFrom }) =>
+      patchSynologyChatAccountConfig({
+        cfg,
+        accountId,
+        enabled: true,
+        patch: {
+          dmPolicy: "allowlist",
+          allowedUserIds: mergeAllowFromEntries(
+            resolveExistingAllowedUserIds(cfg, accountId),
+            allowFrom,
+          ),
+        },
+      }),
+  },
+  completionNote: {
+    title: "Synology Chat access control",
+    lines: [
+      `Default outgoing webhook path: ${DEFAULT_WEBHOOK_PATH}`,
+      'Set allowed user IDs, or manually switch `channels.synology-chat.dmPolicy` to `"open"` for public DMs.',
+      'With `dmPolicy="allowlist"`, an empty allowedUserIds list blocks the route from starting.',
+      `Docs: ${formatDocsLink("/channels/synology-chat", "channels/synology-chat")}`,
+    ],
+  },
+  disable: (cfg) => setSetupChannelEnabled(cfg, channel, false),
+};
diff --git a/extensions/synthetic/index.ts b/extensions/synthetic/index.ts
index c22dcc11f8b..080245606da 100644
--- a/extensions/synthetic/index.ts
+++ b/extensions/synthetic/index.ts
@@ -1,5 +1,10 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildSyntheticProvider } from "../../src/agents/models-config.providers.static.js";
+import {
+  applySyntheticConfig,
+  SYNTHETIC_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "synthetic";
 
@@ -14,7 +19,28 @@ const syntheticPlugin = {
       label: "Synthetic",
       docsPath: "/providers/synthetic",
       envVars: ["SYNTHETIC_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Synthetic API key",
+          hint: "Anthropic-compatible (multi-model)",
+          optionKey: "syntheticApiKey",
+          flagName: "--synthetic-api-key",
+          envVar: "SYNTHETIC_API_KEY",
+          promptMessage: "Enter Synthetic API key",
+          defaultModel: SYNTHETIC_DEFAULT_MODEL_REF,
+          expectedProviders: ["synthetic"],
+          applyConfig: (cfg) => applySyntheticConfig(cfg),
+          wizard: {
+            choiceId: "synthetic-api-key",
+            choiceLabel: "Synthetic API key",
+            groupId: "synthetic",
+            groupLabel: "Synthetic",
+            groupHint: "Anthropic-compatible (multi-model)",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/synthetic/openclaw.plugin.json b/extensions/synthetic/openclaw.plugin.json
index fab1326ca34..a0c519a72b2 100644
--- a/extensions/synthetic/openclaw.plugin.json
+++ b/extensions/synthetic/openclaw.plugin.json
@@ -1,6 +1,24 @@
 {
   "id": "synthetic",
   "providers": ["synthetic"],
+  "providerAuthEnvVars": {
+    "synthetic": ["SYNTHETIC_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "synthetic",
+      "method": "api-key",
+      "choiceId": "synthetic-api-key",
+      "choiceLabel": "Synthetic API key",
+      "groupId": "synthetic",
+      "groupLabel": "Synthetic",
+      "groupHint": "Anthropic-compatible (multi-model)",
+      "optionKey": "syntheticApiKey",
+      "cliFlag": "--synthetic-api-key",
+      "cliOption": "--synthetic-api-key <key>",
+      "cliDescription": "Synthetic API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/telegram/index.ts b/extensions/telegram/index.ts
index 37367c5280c..d47ae46b6ce 100644
--- a/extensions/telegram/index.ts
+++ b/extensions/telegram/index.ts
@@ -1,5 +1,5 @@
-import type { ChannelPlugin, OpenClawPluginApi } from "openclaw/plugin-sdk/telegram";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/telegram";
+import type { ChannelPlugin, OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/core";
 import { telegramPlugin } from "./src/channel.js";
 import { setTelegramRuntime } from "./src/runtime.js";
 
diff --git a/extensions/telegram/package.json b/extensions/telegram/package.json
index 92054ca01a3..deed30477a9 100644
--- a/extensions/telegram/package.json
+++ b/extensions/telegram/package.json
@@ -7,6 +7,7 @@
   "openclaw": {
     "extensions": [
       "./index.ts"
-    ]
+    ],
+    "setupEntry": "./setup-entry.ts"
   }
 }
diff --git a/extensions/telegram/setup-entry.ts b/extensions/telegram/setup-entry.ts
new file mode 100644
index 00000000000..030f4bb3295
--- /dev/null
+++ b/extensions/telegram/setup-entry.ts
@@ -0,0 +1,3 @@
+import { telegramSetupPlugin } from "./src/channel.setup.js";
+
+export default { plugin: telegramSetupPlugin };
diff --git a/extensions/telegram/src/bot-access.ts b/extensions/telegram/src/bot-access.ts
index 57b242afc3d..bee8392e686 100644
--- a/extensions/telegram/src/bot-access.ts
+++ b/extensions/telegram/src/bot-access.ts
@@ -33,7 +33,7 @@ function warnInvalidAllowFromEntries(entries: string[]) {
         JSON.stringify(entry),
         "- allowFrom/groupAllowFrom authorization expects numeric Telegram sender user IDs only.",
         'To allow a Telegram group or supergroup, add its negative chat ID under "channels.telegram.groups" instead.',
-        'If you had "@username" entries, re-run onboarding (it resolves @username to IDs) or replace them manually.',
+        'If you had "@username" entries, re-run setup (it resolves @username to IDs) or replace them manually.',
       ].join(" "),
     );
   }
diff --git a/extensions/telegram/src/bot.test.ts b/extensions/telegram/src/bot.test.ts
index 9468f64c789..17f6870a964 100644
--- a/extensions/telegram/src/bot.test.ts
+++ b/extensions/telegram/src/bot.test.ts
@@ -1,12 +1,12 @@
 import { rm } from "node:fs/promises";
 import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { expectChannelInboundContextContract as expectInboundContextContract } from "../../../src/channels/plugins/contracts/suites.js";
 import {
   clearPluginInteractiveHandlers,
   registerPluginInteractiveHandler,
 } from "../../../src/plugins/interactive.js";
 import type { PluginInteractiveTelegramHandlerContext } from "../../../src/plugins/types.js";
 import { escapeRegExp, formatEnvelopeTimestamp } from "../../../test/helpers/envelope-timestamp.js";
-import { expectInboundContextContract } from "../../../test/helpers/inbound-contract.js";
 import {
   answerCallbackQuerySpy,
   commandSpy,
diff --git a/extensions/telegram/src/button-types.test.ts b/extensions/telegram/src/button-types.test.ts
new file mode 100644
index 00000000000..849caac62ac
--- /dev/null
+++ b/extensions/telegram/src/button-types.test.ts
@@ -0,0 +1,69 @@
+import { describe, expect, it } from "vitest";
+import { buildTelegramInteractiveButtons, resolveTelegramInlineButtons } from "./button-types.js";
+
+describe("buildTelegramInteractiveButtons", () => {
+  it("maps shared buttons and selects into Telegram inline rows", () => {
+    expect(
+      buildTelegramInteractiveButtons({
+        blocks: [
+          {
+            type: "buttons",
+            buttons: [
+              { label: "Approve", value: "approve", style: "success" },
+              { label: "Reject", value: "reject", style: "danger" },
+              { label: "Later", value: "later" },
+              { label: "Archive", value: "archive" },
+            ],
+          },
+          {
+            type: "select",
+            options: [{ label: "Alpha", value: "alpha" }],
+          },
+        ],
+      }),
+    ).toEqual([
+      [
+        { text: "Approve", callback_data: "approve", style: "success" },
+        { text: "Reject", callback_data: "reject", style: "danger" },
+        { text: "Later", callback_data: "later", style: undefined },
+      ],
+      [{ text: "Archive", callback_data: "archive", style: undefined }],
+      [{ text: "Alpha", callback_data: "alpha", style: undefined }],
+    ]);
+  });
+});
+
+describe("resolveTelegramInlineButtons", () => {
+  it("prefers explicit buttons over shared interactive blocks", () => {
+    const explicit = [[{ text: "Keep", callback_data: "keep" }]] as const;
+
+    expect(
+      resolveTelegramInlineButtons({
+        buttons: explicit,
+        interactive: {
+          blocks: [
+            {
+              type: "buttons",
+              buttons: [{ label: "Override", value: "override" }],
+            },
+          ],
+        },
+      }),
+    ).toBe(explicit);
+  });
+
+  it("derives buttons from raw interactive payloads", () => {
+    expect(
+      resolveTelegramInlineButtons({
+        interactive: {
+          blocks: [
+            {
+              type: "buttons",
+              buttons: [{ label: "Retry", value: "retry", style: "primary" }],
+            },
+          ],
+        },
+      }),
+    ).toEqual([[{ text: "Retry", callback_data: "retry", style: "primary" }]]);
+  });
+});
diff --git a/extensions/telegram/src/button-types.ts b/extensions/telegram/src/button-types.ts
index 922b72acd9f..a6eae71995b 100644
--- a/extensions/telegram/src/button-types.ts
+++ b/extensions/telegram/src/button-types.ts
@@ -1,3 +1,10 @@
+import { reduceInteractiveReply } from "../../../src/channels/plugins/outbound/interactive.js";
+import {
+  normalizeInteractiveReply,
+  type InteractiveReply,
+  type InteractiveReplyButton,
+} from "../../../src/interactive/payload.js";
+
 export type TelegramButtonStyle = "danger" | "success" | "primary";
 
 export type TelegramInlineButton = {
@@ -7,3 +14,62 @@ export type TelegramInlineButton = {
 };
 
 export type TelegramInlineButtons = ReadonlyArray<ReadonlyArray<TelegramInlineButton>>;
+
+const TELEGRAM_INTERACTIVE_ROW_SIZE = 3;
+
+function toTelegramButtonStyle(
+  style?: InteractiveReplyButton["style"],
+): TelegramInlineButton["style"] {
+  return style === "danger" || style === "success" || style === "primary" ? style : undefined;
+}
+
+function chunkInteractiveButtons(
+  buttons: readonly InteractiveReplyButton[],
+  rows: TelegramInlineButton[][],
+) {
+  for (let i = 0; i < buttons.length; i += TELEGRAM_INTERACTIVE_ROW_SIZE) {
+    const row = buttons.slice(i, i + TELEGRAM_INTERACTIVE_ROW_SIZE).map((button) => ({
+      text: button.label,
+      callback_data: button.value,
+      style: toTelegramButtonStyle(button.style),
+    }));
+    if (row.length > 0) {
+      rows.push(row);
+    }
+  }
+}
+
+export function buildTelegramInteractiveButtons(
+  interactive?: InteractiveReply,
+): TelegramInlineButtons | undefined {
+  const rows = reduceInteractiveReply(
+    interactive,
+    [] as TelegramInlineButton[][],
+    (state, block) => {
+      if (block.type === "buttons") {
+        chunkInteractiveButtons(block.buttons, state);
+        return state;
+      }
+      if (block.type === "select") {
+        chunkInteractiveButtons(
+          block.options.map((option) => ({
+            label: option.label,
+            value: option.value,
+          })),
+          state,
+        );
+      }
+      return state;
+    },
+  );
+  return rows.length > 0 ? rows : undefined;
+}
+
+export function resolveTelegramInlineButtons(params: {
+  buttons?: TelegramInlineButtons;
+  interactive?: unknown;
+}): TelegramInlineButtons | undefined {
+  return (
+    params.buttons ?? buildTelegramInteractiveButtons(normalizeInteractiveReply(params.interactive))
+  );
+}
diff --git a/extensions/telegram/src/channel-actions.test.ts b/extensions/telegram/src/channel-actions.test.ts
new file mode 100644
index 00000000000..0e5170431b1
--- /dev/null
+++ b/extensions/telegram/src/channel-actions.test.ts
@@ -0,0 +1,53 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const handleTelegramActionMock = vi.hoisted(() => vi.fn());
+
+vi.mock("../../../src/agents/tools/telegram-actions.js", () => ({
+  handleTelegramAction: (...args: unknown[]) => handleTelegramActionMock(...args),
+}));
+
+import { telegramMessageActions } from "./channel-actions.js";
+
+describe("telegramMessageActions", () => {
+  beforeEach(() => {
+    handleTelegramActionMock.mockReset().mockResolvedValue({
+      ok: true,
+      content: [],
+      details: {},
+    });
+  });
+
+  it("allows interactive-only sends", async () => {
+    await telegramMessageActions.handleAction!({
+      action: "send",
+      params: {
+        to: "123456",
+        interactive: {
+          blocks: [
+            {
+              type: "buttons",
+              buttons: [{ label: "Approve", value: "approve", style: "success" }],
+            },
+          ],
+        },
+      },
+      cfg: {} as never,
+      accountId: "default",
+      mediaLocalRoots: [],
+    } as never);
+
+    expect(handleTelegramActionMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        action: "sendMessage",
+        to: "123456",
+        content: "",
+        buttons: [[{ text: "Approve", callback_data: "approve", style: "success" }]],
+        accountId: "default",
+      }),
+      expect.anything(),
+      expect.objectContaining({
+        mediaLocalRoots: [],
+      }),
+    );
+  });
+});
diff --git a/extensions/telegram/src/channel-actions.ts b/extensions/telegram/src/channel-actions.ts
index 29095e7bc7c..84548374f05 100644
--- a/extensions/telegram/src/channel-actions.ts
+++ b/extensions/telegram/src/channel-actions.ts
@@ -23,6 +23,7 @@ import {
   listEnabledTelegramAccounts,
   resolveTelegramPollActionGateState,
 } from "./accounts.js";
+import { resolveTelegramInlineButtons } from "./button-types.js";
 import { isTelegramInlineButtonsEnabled } from "./inline-buttons.js";
 
 const providerId = "telegram";
@@ -30,12 +31,19 @@ const providerId = "telegram";
 function readTelegramSendParams(params: Record<string, unknown>) {
   const to = readStringParam(params, "to", { required: true });
   const mediaUrl = readStringParam(params, "media", { trim: false });
-  const message = readStringParam(params, "message", { required: !mediaUrl, allowEmpty: true });
+  const buttons = resolveTelegramInlineButtons({
+    buttons: params.buttons as ReturnType<typeof resolveTelegramInlineButtons>,
+    interactive: params.interactive,
+  });
+  const hasButtons = Array.isArray(buttons) && buttons.length > 0;
+  const message = readStringParam(params, "message", {
+    required: !mediaUrl && !hasButtons,
+    allowEmpty: true,
+  });
   const caption = readStringParam(params, "caption", { allowEmpty: true });
   const content = message || caption || "";
   const replyTo = readStringParam(params, "replyTo");
   const threadId = readStringParam(params, "threadId");
-  const buttons = params.buttons;
   const asVoice = readBooleanParam(params, "asVoice");
   const silent = readBooleanParam(params, "silent");
   const forceDocument = readBooleanParam(params, "forceDocument");
@@ -115,16 +123,20 @@ export const telegramMessageActions: ChannelMessageActionAdapter = {
     if (isEnabled("createForumTopic")) {
       actions.add("topic-create");
     }
+    if (isEnabled("editForumTopic")) {
+      actions.add("topic-edit");
+    }
     return Array.from(actions);
   },
-  supportsButtons: ({ cfg }) => {
+  getCapabilities: ({ cfg }) => {
     const accounts = listTokenSourcedAccounts(listEnabledTelegramAccounts(cfg));
     if (accounts.length === 0) {
-      return false;
+      return [];
     }
-    return accounts.some((account) =>
+    const buttonsEnabled = accounts.some((account) =>
       isTelegramInlineButtonsEnabled({ cfg, accountId: account.accountId }),
     );
+    return buttonsEnabled ? (["interactive", "buttons"] as const) : [];
   },
   extractToolSend: ({ args }) => {
     return extractToolSend(args, "sendMessage");
@@ -290,6 +302,30 @@ export const telegramMessageActions: ChannelMessageActionAdapter = {
       );
     }
 
+    if (action === "topic-edit") {
+      const chatId = readTelegramChatIdParam(params);
+      const messageThreadId =
+        readNumberParam(params, "messageThreadId", { integer: true }) ??
+        readNumberParam(params, "threadId", { integer: true });
+      if (typeof messageThreadId !== "number") {
+        throw new Error("messageThreadId or threadId is required.");
+      }
+      const name = readStringParam(params, "name");
+      const iconCustomEmojiId = readStringParam(params, "iconCustomEmojiId");
+      return await handleTelegramAction(
+        {
+          action: "editForumTopic",
+          chatId,
+          messageThreadId,
+          name: name ?? undefined,
+          iconCustomEmojiId: iconCustomEmojiId ?? undefined,
+          accountId: accountId ?? undefined,
+        },
+        cfg,
+        { mediaLocalRoots },
+      );
+    }
+
     throw new Error(`Action ${action} is not supported for provider ${providerId}.`);
   },
 };
diff --git a/extensions/telegram/src/channel.setup.ts b/extensions/telegram/src/channel.setup.ts
new file mode 100644
index 00000000000..f28a96afff7
--- /dev/null
+++ b/extensions/telegram/src/channel.setup.ts
@@ -0,0 +1,127 @@
+import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
+import {
+  createScopedAccountConfigAccessors,
+  formatAllowFromLowercase,
+} from "openclaw/plugin-sdk/compat";
+import {
+  buildChannelConfigSchema,
+  getChatChannelMeta,
+  normalizeAccountId,
+  TelegramConfigSchema,
+  type ChannelPlugin,
+  type OpenClawConfig,
+} from "openclaw/plugin-sdk/telegram";
+import { inspectTelegramAccount } from "./account-inspect.js";
+import {
+  listTelegramAccountIds,
+  resolveDefaultTelegramAccountId,
+  resolveTelegramAccount,
+  type ResolvedTelegramAccount,
+} from "./accounts.js";
+import type { TelegramProbe } from "./probe.js";
+import { telegramSetupAdapter } from "./setup-core.js";
+import { telegramSetupWizard } from "./setup-surface.js";
+
+function findTelegramTokenOwnerAccountId(params: {
+  cfg: OpenClawConfig;
+  accountId: string;
+}): string | null {
+  const normalizedAccountId = normalizeAccountId(params.accountId);
+  const tokenOwners = new Map<string, string>();
+  for (const id of listTelegramAccountIds(params.cfg)) {
+    const account = inspectTelegramAccount({ cfg: params.cfg, accountId: id });
+    const token = (account.token ?? "").trim();
+    if (!token) {
+      continue;
+    }
+    const ownerAccountId = tokenOwners.get(token);
+    if (!ownerAccountId) {
+      tokenOwners.set(token, account.accountId);
+      continue;
+    }
+    if (account.accountId === normalizedAccountId) {
+      return ownerAccountId;
+    }
+  }
+  return null;
+}
+
+function formatDuplicateTelegramTokenReason(params: {
+  accountId: string;
+  ownerAccountId: string;
+}): string {
+  return (
+    `Duplicate Telegram bot token: account "${params.accountId}" shares a token with ` +
+    `account "${params.ownerAccountId}". Keep one owner account per bot token.`
+  );
+}
+
+const telegramConfigAccessors = createScopedAccountConfigAccessors({
+  resolveAccount: ({ cfg, accountId }) => resolveTelegramAccount({ cfg, accountId }),
+  resolveAllowFrom: (account: ResolvedTelegramAccount) => account.config.allowFrom,
+  formatAllowFrom: (allowFrom) =>
+    formatAllowFromLowercase({ allowFrom, stripPrefixRe: /^(telegram|tg):/i }),
+  resolveDefaultTo: (account: ResolvedTelegramAccount) => account.config.defaultTo,
+});
+
+const telegramConfigBase = createScopedChannelConfigBase<ResolvedTelegramAccount>({
+  sectionKey: "telegram",
+  listAccountIds: listTelegramAccountIds,
+  resolveAccount: (cfg, accountId) => resolveTelegramAccount({ cfg, accountId }),
+  inspectAccount: (cfg, accountId) => inspectTelegramAccount({ cfg, accountId }),
+  defaultAccountId: resolveDefaultTelegramAccountId,
+  clearBaseFields: ["botToken", "tokenFile", "name"],
+});
+
+export const telegramSetupPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProbe> = {
+  id: "telegram",
+  meta: {
+    ...getChatChannelMeta("telegram"),
+    quickstartAllowFrom: true,
+  },
+  setupWizard: telegramSetupWizard,
+  capabilities: {
+    chatTypes: ["direct", "group", "channel", "thread"],
+    reactions: true,
+    threads: true,
+    media: true,
+    polls: true,
+    nativeCommands: true,
+    blockStreaming: true,
+  },
+  reload: { configPrefixes: ["channels.telegram"] },
+  configSchema: buildChannelConfigSchema(TelegramConfigSchema),
+  config: {
+    ...telegramConfigBase,
+    isConfigured: (account, cfg) => {
+      if (!account.token?.trim()) {
+        return false;
+      }
+      return !findTelegramTokenOwnerAccountId({ cfg, accountId: account.accountId });
+    },
+    unconfiguredReason: (account, cfg) => {
+      if (!account.token?.trim()) {
+        return "not configured";
+      }
+      const ownerAccountId = findTelegramTokenOwnerAccountId({ cfg, accountId: account.accountId });
+      if (!ownerAccountId) {
+        return "not configured";
+      }
+      return formatDuplicateTelegramTokenReason({
+        accountId: account.accountId,
+        ownerAccountId,
+      });
+    },
+    describeAccount: (account, cfg) => ({
+      accountId: account.accountId,
+      name: account.name,
+      enabled: account.enabled,
+      configured:
+        Boolean(account.token?.trim()) &&
+        !findTelegramTokenOwnerAccountId({ cfg, accountId: account.accountId }),
+      tokenSource: account.tokenSource,
+    }),
+    ...telegramConfigAccessors,
+  },
+  setup: telegramSetupAdapter,
+};
diff --git a/extensions/telegram/src/channel.test.ts b/extensions/telegram/src/channel.test.ts
index 965a66d0f2c..476260f2969 100644
--- a/extensions/telegram/src/channel.test.ts
+++ b/extensions/telegram/src/channel.test.ts
@@ -3,10 +3,10 @@ import type {
   ChannelGatewayContext,
   OpenClawConfig,
   PluginRuntime,
-  ResolvedTelegramAccount,
 } from "openclaw/plugin-sdk/telegram";
 import { describe, expect, it, vi } from "vitest";
 import { createRuntimeEnv } from "../../test-utils/runtime-env.js";
+import type { ResolvedTelegramAccount } from "./accounts.js";
 import { telegramPlugin } from "./channel.js";
 import { setTelegramRuntime } from "./runtime.js";
 
diff --git a/extensions/telegram/src/channel.ts b/extensions/telegram/src/channel.ts
index 51dc7811764..cfb5e8a5f8d 100644
--- a/extensions/telegram/src/channel.ts
+++ b/extensions/telegram/src/channel.ts
@@ -1,48 +1,67 @@
 import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
 import {
+  buildAccountScopedAllowlistConfigEditor,
   collectAllowlistProviderGroupPolicyWarnings,
   collectOpenGroupPolicyRouteAllowlistWarnings,
   createScopedAccountConfigAccessors,
   createScopedDmSecurityResolver,
   formatAllowFromLowercase,
 } from "openclaw/plugin-sdk/compat";
+import {
+  buildAgentSessionKey,
+  resolveThreadSessionKeys,
+  type RoutePeer,
+} from "openclaw/plugin-sdk/core";
 import {
   buildChannelConfigSchema,
   buildTokenChannelStatusSummary,
   clearAccountEntryFields,
-  collectTelegramStatusIssues,
   DEFAULT_ACCOUNT_ID,
   getChatChannelMeta,
-  inspectTelegramAccount,
-  listTelegramAccountIds,
   listTelegramDirectoryGroupsFromConfig,
   listTelegramDirectoryPeersFromConfig,
-  looksLikeTelegramTargetId,
   normalizeAccountId,
-  normalizeTelegramMessagingTarget,
   PAIRING_APPROVED_MESSAGE,
-  parseTelegramReplyToMessageId,
-  parseTelegramThreadId,
   projectCredentialSnapshotFields,
   resolveConfiguredFromCredentialStatuses,
-  resolveDefaultTelegramAccountId,
-  resolveTelegramAccount,
   resolveTelegramGroupRequireMention,
   resolveTelegramGroupToolPolicy,
-  sendTelegramPayloadMessages,
   TelegramConfigSchema,
   type ChannelMessageActionAdapter,
   type ChannelPlugin,
   type OpenClawConfig,
-  type ResolvedTelegramAccount,
-  type TelegramProbe,
 } from "openclaw/plugin-sdk/telegram";
+import { parseTelegramTopicConversation } from "../../../src/acp/conversation-id.js";
+import { resolveExecApprovalCommandDisplay } from "../../../src/infra/exec-approval-command-display.js";
+import { buildExecApprovalPendingReplyPayload } from "../../../src/infra/exec-approval-reply.js";
 import {
   type OutboundSendDeps,
   resolveOutboundSendDep,
 } from "../../../src/infra/outbound/send-deps.js";
+import { normalizeMessageChannel } from "../../../src/utils/message-channel.js";
+import { inspectTelegramAccount } from "./account-inspect.js";
+import {
+  listTelegramAccountIds,
+  resolveDefaultTelegramAccountId,
+  resolveTelegramAccount,
+  type ResolvedTelegramAccount,
+} from "./accounts.js";
+import { buildTelegramExecApprovalButtons } from "./approval-buttons.js";
+import { buildTelegramGroupPeerId } from "./bot/helpers.js";
+import {
+  isTelegramExecApprovalClientEnabled,
+  resolveTelegramExecApprovalTarget,
+} from "./exec-approvals.js";
+import { looksLikeTelegramTargetId, normalizeTelegramMessagingTarget } from "./normalize.js";
+import { sendTelegramPayloadMessages } from "./outbound-adapter.js";
+import { parseTelegramReplyToMessageId, parseTelegramThreadId } from "./outbound-params.js";
+import type { TelegramProbe } from "./probe.js";
 import { getTelegramRuntime } from "./runtime.js";
-import { telegramSetupAdapter, telegramSetupWizard } from "./setup-surface.js";
+import { sendTypingTelegram } from "./send.js";
+import { telegramSetupAdapter } from "./setup-core.js";
+import { telegramSetupWizard } from "./setup-surface.js";
+import { collectTelegramStatusIssues } from "./status-issues.js";
+import { parseTelegramTarget } from "./targets.js";
 
 type TelegramSendFn = ReturnType<
   typeof getTelegramRuntime
@@ -139,9 +158,164 @@ async function sendTelegramOutbound(params: {
   );
 }
 
+function resolveTelegramAutoThreadId(params: {
+  to: string;
+  toolContext?: { currentThreadTs?: string; currentChannelId?: string };
+}): string | undefined {
+  const context = params.toolContext;
+  if (!context?.currentThreadTs || !context.currentChannelId) {
+    return undefined;
+  }
+  const parsedTo = parseTelegramTarget(params.to);
+  const parsedChannel = parseTelegramTarget(context.currentChannelId);
+  if (parsedTo.chatId.toLowerCase() !== parsedChannel.chatId.toLowerCase()) {
+    return undefined;
+  }
+  return context.currentThreadTs;
+}
+
+function normalizeTelegramAcpConversationId(conversationId: string) {
+  const parsed = parseTelegramTopicConversation({ conversationId });
+  if (!parsed || !parsed.chatId.startsWith("-")) {
+    return null;
+  }
+  return {
+    conversationId: parsed.canonicalConversationId,
+    parentConversationId: parsed.chatId,
+  };
+}
+
+function matchTelegramAcpConversation(params: {
+  bindingConversationId: string;
+  conversationId: string;
+  parentConversationId?: string;
+}) {
+  const binding = normalizeTelegramAcpConversationId(params.bindingConversationId);
+  if (!binding) {
+    return null;
+  }
+  const incoming = parseTelegramTopicConversation({
+    conversationId: params.conversationId,
+    parentConversationId: params.parentConversationId,
+  });
+  if (!incoming || !incoming.chatId.startsWith("-")) {
+    return null;
+  }
+  if (binding.conversationId !== incoming.canonicalConversationId) {
+    return null;
+  }
+  return {
+    conversationId: incoming.canonicalConversationId,
+    parentConversationId: incoming.chatId,
+    matchPriority: 2,
+  };
+}
+
+function parseTelegramExplicitTarget(raw: string) {
+  const target = parseTelegramTarget(raw);
+  return {
+    to: target.chatId,
+    threadId: target.messageThreadId,
+    chatType: target.chatType === "unknown" ? undefined : target.chatType,
+  };
+}
+
+function normalizeOutboundThreadId(value?: string | number | null): string | undefined {
+  if (value == null) {
+    return undefined;
+  }
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      return undefined;
+    }
+    return String(Math.trunc(value));
+  }
+  const trimmed = value.trim();
+  return trimmed ? trimmed : undefined;
+}
+
+function buildTelegramBaseSessionKey(params: {
+  cfg: OpenClawConfig;
+  agentId: string;
+  accountId?: string | null;
+  peer: RoutePeer;
+}) {
+  return buildAgentSessionKey({
+    agentId: params.agentId,
+    channel: "telegram",
+    accountId: params.accountId,
+    peer: params.peer,
+    dmScope: params.cfg.session?.dmScope ?? "main",
+    identityLinks: params.cfg.session?.identityLinks,
+  });
+}
+
+function resolveTelegramOutboundSessionRoute(params: {
+  cfg: OpenClawConfig;
+  agentId: string;
+  accountId?: string | null;
+  target: string;
+  resolvedTarget?: { kind: string };
+  threadId?: string | number | null;
+}) {
+  const parsed = parseTelegramTarget(params.target);
+  const chatId = parsed.chatId.trim();
+  if (!chatId) {
+    return null;
+  }
+  const fallbackThreadId = normalizeOutboundThreadId(params.threadId);
+  const resolvedThreadId = parsed.messageThreadId ?? parseTelegramThreadId(fallbackThreadId);
+  const isGroup =
+    parsed.chatType === "group" ||
+    (parsed.chatType === "unknown" &&
+      params.resolvedTarget?.kind &&
+      params.resolvedTarget.kind !== "user");
+  const peerId =
+    isGroup && resolvedThreadId ? buildTelegramGroupPeerId(chatId, resolvedThreadId) : chatId;
+  const peer: RoutePeer = {
+    kind: isGroup ? "group" : "direct",
+    id: peerId,
+  };
+  const baseSessionKey = buildTelegramBaseSessionKey({
+    cfg: params.cfg,
+    agentId: params.agentId,
+    accountId: params.accountId,
+    peer,
+  });
+  const threadKeys =
+    resolvedThreadId && !isGroup
+      ? resolveThreadSessionKeys({ baseSessionKey, threadId: String(resolvedThreadId) })
+      : null;
+  return {
+    sessionKey: threadKeys?.sessionKey ?? baseSessionKey,
+    baseSessionKey,
+    peer,
+    chatType: isGroup ? ("group" as const) : ("direct" as const),
+    from: isGroup
+      ? `telegram:group:${peerId}`
+      : resolvedThreadId
+        ? `telegram:${chatId}:topic:${resolvedThreadId}`
+        : `telegram:${chatId}`,
+    to: `telegram:${chatId}`,
+    threadId: resolvedThreadId,
+  };
+}
+
+function hasTelegramExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
+  return listTelegramAccountIds(cfg).some((accountId) => {
+    if (!isTelegramExecApprovalClientEnabled({ cfg, accountId })) {
+      return false;
+    }
+    const target = resolveTelegramExecApprovalTarget({ cfg, accountId });
+    return target === "dm" || target === "both";
+  });
+}
+
 const telegramMessageActions: ChannelMessageActionAdapter = {
   listActions: (ctx) =>
     getTelegramRuntime().channel.telegram.messageActions?.listActions?.(ctx) ?? [],
+  getCapabilities: (ctx) =>
+    getTelegramRuntime().channel.telegram.messageActions?.getCapabilities?.(ctx) ?? [],
   extractToolSend: (ctx) =>
     getTelegramRuntime().channel.telegram.messageActions?.extractToolSend?.(ctx) ?? null,
   handleAction: async (ctx) => {
@@ -178,6 +352,29 @@ const resolveTelegramDmPolicy = createScopedDmSecurityResolver<ResolvedTelegramA
   normalizeEntry: (raw) => raw.replace(/^(telegram|tg):/i, ""),
 });
 
+function readTelegramAllowlistConfig(account: ResolvedTelegramAccount) {
+  const groupOverrides: Array<{ label: string; entries: string[] }> = [];
+  for (const [groupId, groupCfg] of Object.entries(account.config.groups ?? {})) {
+    const entries = (groupCfg?.allowFrom ?? []).map(String).filter(Boolean);
+    if (entries.length > 0) {
+      groupOverrides.push({ label: groupId, entries });
+    }
+    for (const [topicId, topicCfg] of Object.entries(groupCfg?.topics ?? {})) {
+      const topicEntries = (topicCfg?.allowFrom ?? []).map(String).filter(Boolean);
+      if (topicEntries.length > 0) {
+        groupOverrides.push({ label: `${groupId} topic ${topicId}`, entries: topicEntries });
+      }
+    }
+  }
+  return {
+    dmAllowFrom: (account.config.allowFrom ?? []).map(String),
+    groupAllowFrom: (account.config.groupAllowFrom ?? []).map(String),
+    dmPolicy: account.config.dmPolicy,
+    groupPolicy: account.config.groupPolicy,
+    groupOverrides,
+  };
+}
+
 export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProbe> = {
   id: "telegram",
   meta: {
@@ -245,6 +442,26 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProb
     }),
     ...telegramConfigAccessors,
   },
+  allowlist: {
+    supportsScope: ({ scope }) => scope === "dm" || scope === "group" || scope === "all",
+    readConfig: ({ cfg, accountId }) =>
+      readTelegramAllowlistConfig(resolveTelegramAccount({ cfg, accountId })),
+    applyConfigEdit: buildAccountScopedAllowlistConfigEditor({
+      channelId: "telegram",
+      normalize: ({ cfg, accountId, values }) =>
+        telegramConfigAccessors.formatAllowFrom!({ cfg, accountId, allowFrom: values }),
+      resolvePaths: (scope) => ({
+        readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
+        writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+      }),
+    }),
+  },
+  acpBindings: {
+    normalizeConfiguredBindingTarget: ({ conversationId }) =>
+      normalizeTelegramAcpConversationId(conversationId),
+    matchConfiguredBinding: ({ bindingConversationId, conversationId, parentConversationId }) =>
+      matchTelegramAcpConversation({ bindingConversationId, conversationId, parentConversationId }),
+  },
   security: {
     resolveDmPolicy: resolveTelegramDmPolicy,
     collectWarnings: ({ account, cfg }) => {
@@ -281,14 +498,99 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProb
   },
   threading: {
     resolveReplyToMode: ({ cfg }) => cfg.channels?.telegram?.replyToMode ?? "off",
+    resolveAutoThreadId: ({ to, toolContext, replyToId }) =>
+      replyToId ? undefined : resolveTelegramAutoThreadId({ to, toolContext }),
   },
   messaging: {
     normalizeTarget: normalizeTelegramMessagingTarget,
+    parseExplicitTarget: ({ raw }) => parseTelegramExplicitTarget(raw),
+    inferTargetChatType: ({ to }) => parseTelegramExplicitTarget(to).chatType,
+    resolveOutboundSessionRoute: (params) => resolveTelegramOutboundSessionRoute(params),
     targetResolver: {
       looksLikeId: looksLikeTelegramTargetId,
       hint: "<chatId>",
     },
   },
+  lifecycle: {
+    onAccountConfigChanged: async ({ prevCfg, nextCfg, accountId }) => {
+      const previousToken = resolveTelegramAccount({ cfg: prevCfg, accountId }).token.trim();
+      const nextToken = resolveTelegramAccount({ cfg: nextCfg, accountId }).token.trim();
+      if (previousToken !== nextToken) {
+        const { deleteTelegramUpdateOffset } = await import("./update-offset-store.js");
+        await deleteTelegramUpdateOffset({ accountId });
+      }
+    },
+    onAccountRemoved: async ({ accountId }) => {
+      const { deleteTelegramUpdateOffset } = await import("./update-offset-store.js");
+      await deleteTelegramUpdateOffset({ accountId });
+    },
+  },
+  execApprovals: {
+    getInitiatingSurfaceState: ({ cfg, accountId }) =>
+      isTelegramExecApprovalClientEnabled({ cfg, accountId })
+        ? { kind: "enabled" }
+        : { kind: "disabled" },
+    hasConfiguredDmRoute: ({ cfg }) => hasTelegramExecApprovalDmRoute(cfg),
+    shouldSuppressForwardingFallback: ({ cfg, target, request }) => {
+      const channel = normalizeMessageChannel(target.channel) ?? target.channel;
+      if (channel !== "telegram") {
+        return false;
+      }
+      const requestChannel = normalizeMessageChannel(request.request.turnSourceChannel ?? "");
+      if (requestChannel !== "telegram") {
+        return false;
+      }
+      const accountId = target.accountId?.trim() || request.request.turnSourceAccountId?.trim();
+      return isTelegramExecApprovalClientEnabled({ cfg, accountId });
+    },
+    buildPendingPayload: ({ request, nowMs }) => {
+      const payload = buildExecApprovalPendingReplyPayload({
+        approvalId: request.id,
+        approvalSlug: request.id.slice(0, 8),
+        approvalCommandId: request.id,
+        command: resolveExecApprovalCommandDisplay(request.request).commandText,
+        cwd: request.request.cwd ?? undefined,
+        host: request.request.host === "node" ? "node" : "gateway",
+        nodeId: request.request.nodeId ?? undefined,
+        expiresAtMs: request.expiresAtMs,
+        nowMs,
+      });
+      const buttons = buildTelegramExecApprovalButtons(request.id);
+      if (!buttons) {
+        return payload;
+      }
+      return {
+        ...payload,
+        channelData: {
+          ...payload.channelData,
+          telegram: {
+            buttons,
+          },
+        },
+      };
+    },
+    beforeDeliverPending: async ({ cfg, target, payload }) => {
+      const hasExecApprovalData =
+        payload.channelData &&
+        typeof payload.channelData === "object" &&
+        !Array.isArray(payload.channelData) &&
+        payload.channelData.execApproval;
+      if (!hasExecApprovalData) {
+        return;
+      }
+      const threadId =
+        typeof target.threadId === "number"
+          ? target.threadId
+          : typeof target.threadId === "string"
+            ? Number.parseInt(target.threadId, 10)
+            : undefined;
+      await sendTypingTelegram(target.to, {
+        cfg,
+        accountId: target.accountId ?? undefined,
+        ...(Number.isFinite(threadId) ? { messageThreadId: threadId } : {}),
+      }).catch(() => {});
+    },
+  },
   directory: {
     self: async () => null,
     listPeers: async (params) => listTelegramDirectoryPeersFromConfig(params),
@@ -302,6 +604,9 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProb
     chunkerMode: "markdown",
     textChunkLimit: 4000,
     pollMaxOptions: 10,
+    shouldSkipPlainTextSanitization: ({ payload }) => Boolean(payload.channelData),
+    resolveEffectiveTextChunkLimit: ({ fallbackLimit }) =>
+      typeof fallbackLimit === "number" ? Math.min(fallbackLimit, 4096) : 4096,
     sendPayload: async ({
       cfg,
       to,
@@ -397,6 +702,30 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProb
         proxyUrl: account.config.proxy,
         network: account.config.network,
       }),
+    formatCapabilitiesProbe: ({ probe }) => {
+      const lines = [];
+      if (probe?.bot?.username) {
+        const botId = probe.bot.id ? ` (${probe.bot.id})` : "";
+        lines.push({ text: `Bot: @${probe.bot.username}${botId}` });
+      }
+      const flags: string[] = [];
+      if (typeof probe?.bot?.canJoinGroups === "boolean") {
+        flags.push(`joinGroups=${probe.bot.canJoinGroups}`);
+      }
+      if (typeof probe?.bot?.canReadAllGroupMessages === "boolean") {
+        flags.push(`readAllGroupMessages=${probe.bot.canReadAllGroupMessages}`);
+      }
+      if (typeof probe?.bot?.supportsInlineQueries === "boolean") {
+        flags.push(`inlineQueries=${probe.bot.supportsInlineQueries}`);
+      }
+      if (flags.length > 0) {
+        lines.push({ text: `Flags: ${flags.join(" ")}` });
+      }
+      if (probe?.webhook?.url !== undefined) {
+        lines.push({ text: `Webhook: ${probe.webhook.url || "none"}` });
+      }
+      return lines;
+    },
     auditAccount: async ({ account, timeoutMs, probe, cfg }) => {
       const groups =
         cfg.channels?.telegram?.accounts?.[account.accountId]?.groups ??
diff --git a/extensions/telegram/src/draft-chunking.ts b/extensions/telegram/src/draft-chunking.ts
index f907faf02f8..951fbb41951 100644
--- a/extensions/telegram/src/draft-chunking.ts
+++ b/extensions/telegram/src/draft-chunking.ts
@@ -1,8 +1,8 @@
 import { resolveTextChunkLimit } from "../../../src/auto-reply/chunk.js";
-import { getChannelDock } from "../../../src/channels/dock.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
 import { resolveAccountEntry } from "../../../src/routing/account-lookup.js";
 import { normalizeAccountId } from "../../../src/routing/session-key.js";
+import { TELEGRAM_TEXT_CHUNK_LIMIT } from "./outbound-adapter.js";
 
 const DEFAULT_TELEGRAM_DRAFT_STREAM_MIN = 200;
 const DEFAULT_TELEGRAM_DRAFT_STREAM_MAX = 800;
@@ -15,9 +15,8 @@ export function resolveTelegramDraftStreamingChunking(
   maxChars: number;
   breakPreference: "paragraph" | "newline" | "sentence";
 } {
-  const providerChunkLimit = getChannelDock("telegram")?.outbound?.textChunkLimit;
   const textLimit = resolveTextChunkLimit(cfg, "telegram", accountId, {
-    fallbackLimit: providerChunkLimit,
+    fallbackLimit: TELEGRAM_TEXT_CHUNK_LIMIT,
   });
   const normalizedAccountId = normalizeAccountId(accountId);
   const accountCfg = resolveAccountEntry(cfg?.channels?.telegram?.accounts, normalizedAccountId);
diff --git a/extensions/telegram/src/group-access.group-policy.test.ts b/extensions/telegram/src/group-access.group-policy.test.ts
deleted file mode 100644
index 8b93c52d160..00000000000
--- a/extensions/telegram/src/group-access.group-policy.test.ts
+++ /dev/null
@@ -1,13 +0,0 @@
-import { describe } from "vitest";
-import { installProviderRuntimeGroupPolicyFallbackSuite } from "../../../src/test-utils/runtime-group-policy-contract.js";
-import { resolveTelegramRuntimeGroupPolicy } from "./group-access.js";
-
-describe("resolveTelegramRuntimeGroupPolicy", () => {
-  installProviderRuntimeGroupPolicyFallbackSuite({
-    resolve: resolveTelegramRuntimeGroupPolicy,
-    configuredLabel: "keeps open fallback when channels.telegram is configured",
-    defaultGroupPolicyUnderTest: "disabled",
-    missingConfigLabel: "fails closed when channels.telegram is missing and no defaults are set",
-    missingDefaultLabel: "ignores explicit defaults when provider config is missing",
-  });
-});
diff --git a/extensions/telegram/src/outbound-adapter.ts b/extensions/telegram/src/outbound-adapter.ts
index 729580f97b0..25bd2329ed7 100644
--- a/extensions/telegram/src/outbound-adapter.ts
+++ b/extensions/telegram/src/outbound-adapter.ts
@@ -8,11 +8,15 @@ import {
   resolveOutboundSendDep,
   type OutboundSendDeps,
 } from "../../../src/infra/outbound/send-deps.js";
+import { resolveInteractiveTextFallback } from "../../../src/interactive/payload.js";
 import type { TelegramInlineButtons } from "./button-types.js";
+import { resolveTelegramInlineButtons } from "./button-types.js";
 import { markdownToTelegramHtmlChunks } from "./format.js";
 import { parseTelegramReplyToMessageId, parseTelegramThreadId } from "./outbound-params.js";
 import { sendMessageTelegram } from "./send.js";
 
+export const TELEGRAM_TEXT_CHUNK_LIMIT = 4000;
+
 type TelegramSendFn = typeof sendMessageTelegram;
 type TelegramSendOpts = Parameters<TelegramSendFn>[2];
 
@@ -59,8 +63,16 @@ export async function sendTelegramPayloadMessages(params: {
     | undefined;
   const quoteText =
     typeof telegramData?.quoteText === "string" ? telegramData.quoteText : undefined;
-  const text = params.payload.text ?? "";
+  const text =
+    resolveInteractiveTextFallback({
+      text: params.payload.text,
+      interactive: params.payload.interactive,
+    }) ?? "";
   const mediaUrls = resolvePayloadMediaUrls(params.payload);
+  const buttons = resolveTelegramInlineButtons({
+    buttons: telegramData?.buttons,
+    interactive: params.payload.interactive,
+  });
   const payloadOpts = {
     ...params.baseOpts,
     quoteText,
@@ -69,7 +81,7 @@ export async function sendTelegramPayloadMessages(params: {
   if (mediaUrls.length === 0) {
     return await params.send(params.to, text, {
       ...payloadOpts,
-      buttons: telegramData?.buttons,
+      buttons,
     });
   }
 
@@ -81,7 +93,7 @@ export async function sendTelegramPayloadMessages(params: {
       await params.send(params.to, text, {
         ...payloadOpts,
         mediaUrl,
-        ...(isFirst ? { buttons: telegramData?.buttons } : {}),
+        ...(isFirst ? { buttons } : {}),
       }),
   });
   return finalResult ?? { messageId: "unknown", chatId: params.to };
@@ -91,7 +103,10 @@ export const telegramOutbound: ChannelOutboundAdapter = {
   deliveryMode: "direct",
   chunker: markdownToTelegramHtmlChunks,
   chunkerMode: "markdown",
-  textChunkLimit: 4000,
+  textChunkLimit: TELEGRAM_TEXT_CHUNK_LIMIT,
+  shouldSkipPlainTextSanitization: ({ payload }) => Boolean(payload.channelData),
+  resolveEffectiveTextChunkLimit: ({ fallbackLimit }) =>
+    typeof fallbackLimit === "number" ? Math.min(fallbackLimit, 4096) : 4096,
   sendText: async ({ cfg, to, text, accountId, deps, replyToId, threadId }) => {
     const { send, baseOpts } = resolveTelegramSendContext({
       cfg,
diff --git a/extensions/telegram/src/runtime.ts b/extensions/telegram/src/runtime.ts
index 8923cdd3e8d..d4e15f463d9 100644
--- a/extensions/telegram/src/runtime.ts
+++ b/extensions/telegram/src/runtime.ts
@@ -1,5 +1,5 @@
 import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
-import type { PluginRuntime } from "openclaw/plugin-sdk/telegram";
+import type { PluginRuntime } from "openclaw/plugin-sdk/core";
 
 const { setRuntime: setTelegramRuntime, getRuntime: getTelegramRuntime } =
   createPluginRuntimeStore<PluginRuntime>("Telegram runtime not initialized");
diff --git a/extensions/telegram/src/send.test.ts b/extensions/telegram/src/send.test.ts
index 8a234ce92cb..78804cac8a8 100644
--- a/extensions/telegram/src/send.test.ts
+++ b/extensions/telegram/src/send.test.ts
@@ -15,6 +15,7 @@ const { botApi, botCtorSpy, loadConfig, loadWebMedia, maybePersistResolvedTelegr
 const {
   buildInlineKeyboard,
   createForumTopicTelegram,
+  editForumTopicTelegram,
   editMessageTelegram,
   pinMessageTelegram,
   reactMessageTelegram,
@@ -257,6 +258,62 @@ describe("sendMessageTelegram", () => {
     });
   });
 
+  it("edits a Telegram forum topic name and icon via the shared helper", async () => {
+    loadConfig.mockReturnValue({
+      channels: {
+        telegram: {
+          botToken: "tok",
+        },
+      },
+    });
+    botApi.editForumTopic.mockResolvedValue(true);
+
+    await editForumTopicTelegram("-1001234567890", 271, {
+      accountId: "default",
+      name: "Codex Thread",
+      iconCustomEmojiId: "emoji-123",
+    });
+
+    expect(botApi.editForumTopic).toHaveBeenCalledWith("-1001234567890", 271, {
+      name: "Codex Thread",
+      icon_custom_emoji_id: "emoji-123",
+    });
+  });
+
+  it("strips topic suffixes before editing a Telegram forum topic", async () => {
+    loadConfig.mockReturnValue({
+      channels: {
+        telegram: {
+          botToken: "tok",
+        },
+      },
+    });
+    botApi.editForumTopic.mockResolvedValue(true);
+
+    await editForumTopicTelegram("telegram:group:-1001234567890:topic:271", 271, {
+      accountId: "default",
+      name: "Codex Thread",
+    });
+
+    expect(botApi.editForumTopic).toHaveBeenCalledWith("-1001234567890", 271, {
+      name: "Codex Thread",
+    });
+  });
+
+  it("rejects empty topic edits", async () => {
+    await expect(
+      editForumTopicTelegram("-1001234567890", 271, {
+        accountId: "default",
+      }),
+    ).rejects.toThrow("Telegram forum topic update requires a name or iconCustomEmojiId");
+    await expect(
+      editForumTopicTelegram("-1001234567890", 271, {
+        accountId: "default",
+        iconCustomEmojiId: "   ",
+      }),
+    ).rejects.toThrow("Telegram forum topic icon custom emoji ID is required");
+  });
+
   it("applies timeoutSeconds config precedence", async () => {
     const cases = [
       {
diff --git a/extensions/telegram/src/send.ts b/extensions/telegram/src/send.ts
index 89d6f7d337d..b215be835e8 100644
--- a/extensions/telegram/src/send.ts
+++ b/extensions/telegram/src/send.ts
@@ -1128,25 +1128,46 @@ export async function unpinMessageTelegram(
   };
 }
 
-export async function renameForumTopicTelegram(
+type TelegramEditForumTopicOpts = TelegramDeleteOpts & {
+  name?: string;
+  iconCustomEmojiId?: string;
+};
+
+export async function editForumTopicTelegram(
   chatIdInput: string | number,
   messageThreadIdInput: string | number,
-  name: string,
-  opts: TelegramDeleteOpts = {},
-): Promise<{ ok: true; chatId: string; messageThreadId: number; name: string }> {
-  const trimmedName = name.trim();
-  if (!trimmedName) {
+  opts: TelegramEditForumTopicOpts = {},
+): Promise<{
+  ok: true;
+  chatId: string;
+  messageThreadId: number;
+  name?: string;
+  iconCustomEmojiId?: string;
+}> {
+  const nameProvided = opts.name !== undefined;
+  const trimmedName = opts.name?.trim();
+  if (nameProvided && !trimmedName) {
     throw new Error("Telegram forum topic name is required");
   }
-  if (trimmedName.length > 128) {
+  if (trimmedName && trimmedName.length > 128) {
     throw new Error("Telegram forum topic name must be 128 characters or fewer");
   }
+  const iconProvided = opts.iconCustomEmojiId !== undefined;
+  const trimmedIconCustomEmojiId = opts.iconCustomEmojiId?.trim();
+  if (iconProvided && !trimmedIconCustomEmojiId) {
+    throw new Error("Telegram forum topic icon custom emoji ID is required");
+  }
+  if (!trimmedName && !trimmedIconCustomEmojiId) {
+    throw new Error("Telegram forum topic update requires a name or iconCustomEmojiId");
+  }
+
   const { cfg, account, api } = resolveTelegramApiContext(opts);
   const rawTarget = String(chatIdInput);
+  const target = parseTelegramTarget(rawTarget);
   const chatId = await resolveAndPersistChatId({
     cfg,
     api,
-    lookupTarget: rawTarget,
+    lookupTarget: target.chatId,
     persistTarget: rawTarget,
     verbose: opts.verbose,
   });
@@ -1157,16 +1178,39 @@ export async function renameForumTopicTelegram(
     retry: opts.retry,
     verbose: opts.verbose,
   });
+  const payload = {
+    ...(trimmedName ? { name: trimmedName } : {}),
+    ...(trimmedIconCustomEmojiId ? { icon_custom_emoji_id: trimmedIconCustomEmojiId } : {}),
+  };
   await requestWithDiag(
-    () => api.editForumTopic(chatId, messageThreadId, { name: trimmedName }),
+    () => api.editForumTopic(chatId, messageThreadId, payload),
     "editForumTopic",
   );
-  logVerbose(`[telegram] Renamed forum topic ${messageThreadId} in chat ${chatId}`);
+  logVerbose(`[telegram] Edited forum topic ${messageThreadId} in chat ${chatId}`);
   return {
     ok: true,
     chatId,
     messageThreadId,
-    name: trimmedName,
+    ...(trimmedName ? { name: trimmedName } : {}),
+    ...(trimmedIconCustomEmojiId ? { iconCustomEmojiId: trimmedIconCustomEmojiId } : {}),
+  };
+}
+
+export async function renameForumTopicTelegram(
+  chatIdInput: string | number,
+  messageThreadIdInput: string | number,
+  name: string,
+  opts: TelegramDeleteOpts = {},
+): Promise<{ ok: true; chatId: string; messageThreadId: number; name: string }> {
+  const result = await editForumTopicTelegram(chatIdInput, messageThreadIdInput, {
+    ...opts,
+    name,
+  });
+  return {
+    ok: true,
+    chatId: result.chatId,
+    messageThreadId: result.messageThreadId,
+    name: result.name ?? name.trim(),
   };
 }
 
diff --git a/extensions/telegram/src/setup-core.ts b/extensions/telegram/src/setup-core.ts
new file mode 100644
index 00000000000..dedf2ca8527
--- /dev/null
+++ b/extensions/telegram/src/setup-core.ts
@@ -0,0 +1,191 @@
+import {
+  applyAccountNameToChannelSection,
+  migrateBaseNameToDefaultAccount,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import {
+  patchChannelConfigForAccount,
+  splitSetupEntries,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import { formatCliCommand } from "../../../src/cli/command-format.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
+import { resolveDefaultTelegramAccountId, resolveTelegramAccount } from "./accounts.js";
+import { fetchTelegramChatId } from "./api-fetch.js";
+
+const channel = "telegram" as const;
+
+export const TELEGRAM_TOKEN_HELP_LINES = [
+  "1) Open Telegram and chat with @BotFather",
+  "2) Run /newbot (or /mybots)",
+  "3) Copy the token (looks like 123456:ABC...)",
+  "Tip: you can also set TELEGRAM_BOT_TOKEN in your env.",
+  `Docs: ${formatDocsLink("/telegram")}`,
+  "Website: https://openclaw.ai",
+];
+
+export const TELEGRAM_USER_ID_HELP_LINES = [
+  `1) DM your bot, then read from.id in \`${formatCliCommand("openclaw logs --follow")}\` (safest)`,
+  "2) Or call https://api.telegram.org/bot<bot_token>/getUpdates and read message.from.id",
+  "3) Third-party: DM @userinfobot or @getidsbot",
+  `Docs: ${formatDocsLink("/telegram")}`,
+  "Website: https://openclaw.ai",
+];
+
+export function normalizeTelegramAllowFromInput(raw: string): string {
+  return raw
+    .trim()
+    .replace(/^(telegram|tg):/i, "")
+    .trim();
+}
+
+export function parseTelegramAllowFromId(raw: string): string | null {
+  const stripped = normalizeTelegramAllowFromInput(raw);
+  return /^\d+$/.test(stripped) ? stripped : null;
+}
+
+export async function resolveTelegramAllowFromEntries(params: {
+  entries: string[];
+  credentialValue?: string;
+}) {
+  return await Promise.all(
+    params.entries.map(async (entry) => {
+      const numericId = parseTelegramAllowFromId(entry);
+      if (numericId) {
+        return { input: entry, resolved: true, id: numericId };
+      }
+      const stripped = normalizeTelegramAllowFromInput(entry);
+      if (!stripped || !params.credentialValue?.trim()) {
+        return { input: entry, resolved: false, id: null };
+      }
+      const username = stripped.startsWith("@") ? stripped : `@${stripped}`;
+      const id = await fetchTelegramChatId({
+        token: params.credentialValue,
+        chatId: username,
+      });
+      return { input: entry, resolved: Boolean(id), id };
+    }),
+  );
+}
+
+export async function promptTelegramAllowFromForAccount(params: {
+  cfg: OpenClawConfig;
+  prompter: Parameters<
+    NonNullable<
+      import("../../../src/channels/plugins/setup-wizard-types.js").ChannelSetupDmPolicy["promptAllowFrom"]
+    >
+  >[0]["prompter"];
+  accountId?: string;
+}) {
+  const accountId = params.accountId ?? resolveDefaultTelegramAccountId(params.cfg);
+  const resolved = resolveTelegramAccount({ cfg: params.cfg, accountId });
+  await params.prompter.note(TELEGRAM_USER_ID_HELP_LINES.join("\n"), "Telegram user id");
+  if (!resolved.token?.trim()) {
+    await params.prompter.note(
+      "Telegram token missing; username lookup is unavailable.",
+      "Telegram",
+    );
+  }
+  const { promptResolvedAllowFrom } =
+    await import("../../../src/channels/plugins/setup-wizard-helpers.runtime.js");
+  const unique = await promptResolvedAllowFrom({
+    prompter: params.prompter,
+    existing: resolved.config.allowFrom ?? [],
+    token: resolved.token,
+    message: "Telegram allowFrom (numeric sender id; @username resolves to id)",
+    placeholder: "@username",
+    label: "Telegram allowlist",
+    parseInputs: splitSetupEntries,
+    parseId: parseTelegramAllowFromId,
+    invalidWithoutTokenNote:
+      "Telegram token missing; use numeric sender ids (usernames require a bot token).",
+    resolveEntries: async ({ entries, token }) =>
+      resolveTelegramAllowFromEntries({
+        credentialValue: token,
+        entries,
+      }),
+  });
+  return patchChannelConfigForAccount({
+    cfg: params.cfg,
+    channel,
+    accountId,
+    patch: { dmPolicy: "allowlist", allowFrom: unique },
+  });
+}
+
+export const telegramSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  validateInput: ({ accountId, input }) => {
+    if (input.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
+      return "TELEGRAM_BOT_TOKEN can only be used for the default account.";
+    }
+    if (!input.useEnv && !input.token && !input.tokenFile) {
+      return "Telegram requires token or --token-file (or --use-env).";
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name: input.name,
+    });
+    const next =
+      accountId !== DEFAULT_ACCOUNT_ID
+        ? migrateBaseNameToDefaultAccount({
+            cfg: namedConfig,
+            channelKey: channel,
+          })
+        : namedConfig;
+    if (accountId === DEFAULT_ACCOUNT_ID) {
+      return {
+        ...next,
+        channels: {
+          ...next.channels,
+          telegram: {
+            ...next.channels?.telegram,
+            enabled: true,
+            ...(input.useEnv
+              ? {}
+              : input.tokenFile
+                ? { tokenFile: input.tokenFile }
+                : input.token
+                  ? { botToken: input.token }
+                  : {}),
+          },
+        },
+      };
+    }
+    return {
+      ...next,
+      channels: {
+        ...next.channels,
+        telegram: {
+          ...next.channels?.telegram,
+          enabled: true,
+          accounts: {
+            ...next.channels?.telegram?.accounts,
+            [accountId]: {
+              ...next.channels?.telegram?.accounts?.[accountId],
+              enabled: true,
+              ...(input.tokenFile
+                ? { tokenFile: input.tokenFile }
+                : input.token
+                  ? { botToken: input.token }
+                  : {}),
+            },
+          },
+        },
+      },
+    };
+  },
+};
diff --git a/extensions/telegram/src/setup-surface.ts b/extensions/telegram/src/setup-surface.ts
index bb46fc963ac..d0f122af174 100644
--- a/extensions/telegram/src/setup-surface.ts
+++ b/extensions/telegram/src/setup-surface.ts
@@ -1,129 +1,28 @@
-import { type ChannelOnboardingDmPolicy } from "../../../src/channels/plugins/onboarding-types.js";
 import {
   patchChannelConfigForAccount,
-  promptResolvedAllowFrom,
-  resolveOnboardingAccountId,
   setChannelDmPolicyWithAllowFrom,
-  setOnboardingChannelEnabled,
-  splitOnboardingEntries,
-} from "../../../src/channels/plugins/onboarding/helpers.js";
-import {
-  applyAccountNameToChannelSection,
-  migrateBaseNameToDefaultAccount,
-} from "../../../src/channels/plugins/setup-helpers.js";
+  setSetupChannelEnabled,
+  splitSetupEntries,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import { type ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
 import { type ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
-import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
-import { formatCliCommand } from "../../../src/cli/command-format.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
 import { hasConfiguredSecretInput } from "../../../src/config/types.secrets.js";
-import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
-import { formatDocsLink } from "../../../src/terminal/links.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
 import { inspectTelegramAccount } from "./account-inspect.js";
+import { listTelegramAccountIds, resolveTelegramAccount } from "./accounts.js";
 import {
-  listTelegramAccountIds,
-  resolveDefaultTelegramAccountId,
-  resolveTelegramAccount,
-} from "./accounts.js";
-import { fetchTelegramChatId } from "./api-fetch.js";
+  parseTelegramAllowFromId,
+  promptTelegramAllowFromForAccount,
+  resolveTelegramAllowFromEntries,
+  TELEGRAM_TOKEN_HELP_LINES,
+  TELEGRAM_USER_ID_HELP_LINES,
+  telegramSetupAdapter,
+} from "./setup-core.js";
 
 const channel = "telegram" as const;
 
-const TELEGRAM_TOKEN_HELP_LINES = [
-  "1) Open Telegram and chat with @BotFather",
-  "2) Run /newbot (or /mybots)",
-  "3) Copy the token (looks like 123456:ABC...)",
-  "Tip: you can also set TELEGRAM_BOT_TOKEN in your env.",
-  `Docs: ${formatDocsLink("/telegram")}`,
-  "Website: https://openclaw.ai",
-];
-
-const TELEGRAM_USER_ID_HELP_LINES = [
-  `1) DM your bot, then read from.id in \`${formatCliCommand("openclaw logs --follow")}\` (safest)`,
-  "2) Or call https://api.telegram.org/bot<bot_token>/getUpdates and read message.from.id",
-  "3) Third-party: DM @userinfobot or @getidsbot",
-  `Docs: ${formatDocsLink("/telegram")}`,
-  "Website: https://openclaw.ai",
-];
-
-export function normalizeTelegramAllowFromInput(raw: string): string {
-  return raw
-    .trim()
-    .replace(/^(telegram|tg):/i, "")
-    .trim();
-}
-
-export function parseTelegramAllowFromId(raw: string): string | null {
-  const stripped = normalizeTelegramAllowFromInput(raw);
-  return /^\d+$/.test(stripped) ? stripped : null;
-}
-
-async function resolveTelegramAllowFromEntries(params: {
-  entries: string[];
-  credentialValue?: string;
-}) {
-  return await Promise.all(
-    params.entries.map(async (entry) => {
-      const numericId = parseTelegramAllowFromId(entry);
-      if (numericId) {
-        return { input: entry, resolved: true, id: numericId };
-      }
-      const stripped = normalizeTelegramAllowFromInput(entry);
-      if (!stripped || !params.credentialValue?.trim()) {
-        return { input: entry, resolved: false, id: null };
-      }
-      const username = stripped.startsWith("@") ? stripped : `@${stripped}`;
-      const id = await fetchTelegramChatId({
-        token: params.credentialValue,
-        chatId: username,
-      });
-      return { input: entry, resolved: Boolean(id), id };
-    }),
-  );
-}
-
-async function promptTelegramAllowFromForAccount(params: {
-  cfg: OpenClawConfig;
-  prompter: Parameters<NonNullable<ChannelOnboardingDmPolicy["promptAllowFrom"]>>[0]["prompter"];
-  accountId?: string;
-}): Promise<OpenClawConfig> {
-  const accountId = resolveOnboardingAccountId({
-    accountId: params.accountId,
-    defaultAccountId: resolveDefaultTelegramAccountId(params.cfg),
-  });
-  const resolved = resolveTelegramAccount({ cfg: params.cfg, accountId });
-  await params.prompter.note(TELEGRAM_USER_ID_HELP_LINES.join("\n"), "Telegram user id");
-  if (!resolved.token?.trim()) {
-    await params.prompter.note(
-      "Telegram token missing; username lookup is unavailable.",
-      "Telegram",
-    );
-  }
-  const unique = await promptResolvedAllowFrom({
-    prompter: params.prompter,
-    existing: resolved.config.allowFrom ?? [],
-    token: resolved.token,
-    message: "Telegram allowFrom (numeric sender id; @username resolves to id)",
-    placeholder: "@username",
-    label: "Telegram allowlist",
-    parseInputs: splitOnboardingEntries,
-    parseId: parseTelegramAllowFromId,
-    invalidWithoutTokenNote:
-      "Telegram token missing; use numeric sender ids (usernames require a bot token).",
-    resolveEntries: async ({ entries, token }) =>
-      resolveTelegramAllowFromEntries({
-        credentialValue: token,
-        entries,
-      }),
-  });
-  return patchChannelConfigForAccount({
-    cfg: params.cfg,
-    channel,
-    accountId,
-    patch: { dmPolicy: "allowlist", allowFrom: unique },
-  });
-}
-
-const dmPolicy: ChannelOnboardingDmPolicy = {
+const dmPolicy: ChannelSetupDmPolicy = {
   label: "Telegram",
   channel,
   policyKey: "channels.telegram.dmPolicy",
@@ -138,82 +37,6 @@ const dmPolicy: ChannelOnboardingDmPolicy = {
   promptAllowFrom: promptTelegramAllowFromForAccount,
 };
 
-export const telegramSetupAdapter: ChannelSetupAdapter = {
-  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-  applyAccountName: ({ cfg, accountId, name }) =>
-    applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name,
-    }),
-  validateInput: ({ accountId, input }) => {
-    if (input.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
-      return "TELEGRAM_BOT_TOKEN can only be used for the default account.";
-    }
-    if (!input.useEnv && !input.token && !input.tokenFile) {
-      return "Telegram requires token or --token-file (or --use-env).";
-    }
-    return null;
-  },
-  applyAccountConfig: ({ cfg, accountId, input }) => {
-    const namedConfig = applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name: input.name,
-    });
-    const next =
-      accountId !== DEFAULT_ACCOUNT_ID
-        ? migrateBaseNameToDefaultAccount({
-            cfg: namedConfig,
-            channelKey: channel,
-          })
-        : namedConfig;
-    if (accountId === DEFAULT_ACCOUNT_ID) {
-      return {
-        ...next,
-        channels: {
-          ...next.channels,
-          telegram: {
-            ...next.channels?.telegram,
-            enabled: true,
-            ...(input.useEnv
-              ? {}
-              : input.tokenFile
-                ? { tokenFile: input.tokenFile }
-                : input.token
-                  ? { botToken: input.token }
-                  : {}),
-          },
-        },
-      };
-    }
-    return {
-      ...next,
-      channels: {
-        ...next.channels,
-        telegram: {
-          ...next.channels?.telegram,
-          enabled: true,
-          accounts: {
-            ...next.channels?.telegram?.accounts,
-            [accountId]: {
-              ...next.channels?.telegram?.accounts?.[accountId],
-              enabled: true,
-              ...(input.tokenFile
-                ? { tokenFile: input.tokenFile }
-                : input.token
-                  ? { botToken: input.token }
-                  : {}),
-            },
-          },
-        },
-      },
-    };
-  },
-};
-
 export const telegramSetupWizard: ChannelSetupWizard = {
   channel,
   status: {
@@ -266,7 +89,7 @@ export const telegramSetupWizard: ChannelSetupWizard = {
     placeholder: "@username",
     invalidWithoutCredentialNote:
       "Telegram token missing; use numeric sender ids (usernames require a bot token).",
-    parseInputs: splitOnboardingEntries,
+    parseInputs: splitSetupEntries,
     parseId: parseTelegramAllowFromId,
     resolveEntries: async ({ credentialValues, entries }) =>
       resolveTelegramAllowFromEntries({
@@ -282,5 +105,7 @@ export const telegramSetupWizard: ChannelSetupWizard = {
       }),
   },
   dmPolicy,
-  disable: (cfg) => setOnboardingChannelEnabled(cfg, channel, false),
+  disable: (cfg) => setSetupChannelEnabled(cfg, channel, false),
 };
+
+export { parseTelegramAllowFromId, telegramSetupAdapter };
diff --git a/extensions/test-utils/plugin-api.ts b/extensions/test-utils/plugin-api.ts
index a757344bd31..5c621700602 100644
--- a/extensions/test-utils/plugin-api.ts
+++ b/extensions/test-utils/plugin-api.ts
@@ -5,6 +5,7 @@ type TestPluginApiInput = Partial<OpenClawPluginApi> &
 
 export function createTestPluginApi(api: TestPluginApiInput): OpenClawPluginApi {
   return {
+    registrationMode: "full",
     logger: { info() {}, warn() {}, error() {}, debug() {} },
     registerTool() {},
     registerHook() {},
@@ -14,6 +15,7 @@ export function createTestPluginApi(api: TestPluginApiInput): OpenClawPluginApi
     registerCli() {},
     registerService() {},
     registerProvider() {},
+    registerWebSearchProvider() {},
     registerInteractiveHandler() {},
     registerCommand() {},
     registerContextEngine() {},
diff --git a/extensions/tlon/index.ts b/extensions/tlon/index.ts
index 36be4651b1d..2927a9a4b53 100644
--- a/extensions/tlon/index.ts
+++ b/extensions/tlon/index.ts
@@ -138,6 +138,9 @@ const plugin = {
   register(api: OpenClawPluginApi) {
     setTlonRuntime(api.runtime);
     api.registerChannel({ plugin: tlonPlugin });
+    if (api.registrationMode !== "full") {
+      return;
+    }
 
     api.logger.debug?.("[tlon] Registering tlon tool");
     api.registerTool({
diff --git a/extensions/tlon/package.json b/extensions/tlon/package.json
index 40ec9aeedde..071280374a3 100644
--- a/extensions/tlon/package.json
+++ b/extensions/tlon/package.json
@@ -13,6 +13,7 @@
     "extensions": [
       "./index.ts"
     ],
+    "setupEntry": "./setup-entry.ts",
     "channel": {
       "id": "tlon",
       "label": "Tlon",
diff --git a/extensions/tlon/setup-entry.ts b/extensions/tlon/setup-entry.ts
new file mode 100644
index 00000000000..667e917c8da
--- /dev/null
+++ b/extensions/tlon/setup-entry.ts
@@ -0,0 +1,5 @@
+import { tlonPlugin } from "./src/channel.js";
+
+export default {
+  plugin: tlonPlugin,
+};
diff --git a/extensions/tlon/src/channel.ts b/extensions/tlon/src/channel.ts
index 7a460a6adb8..9282fcf92f9 100644
--- a/extensions/tlon/src/channel.ts
+++ b/extensions/tlon/src/channel.ts
@@ -7,7 +7,8 @@ import type {
 } from "openclaw/plugin-sdk/tlon";
 import { tlonChannelConfigSchema } from "./config-schema.js";
 import { monitorTlonProvider } from "./monitor/index.js";
-import { tlonSetupAdapter, tlonSetupWizard } from "./setup-surface.js";
+import { tlonSetupAdapter } from "./setup-core.js";
+import { tlonSetupWizard } from "./setup-surface.js";
 import { formatTargetHint, normalizeShip, parseTlonTarget } from "./targets.js";
 import { resolveTlonAccount, listTlonAccountIds } from "./types.js";
 import { authenticate } from "./urbit/auth.js";
diff --git a/extensions/tlon/src/setup-core.ts b/extensions/tlon/src/setup-core.ts
new file mode 100644
index 00000000000..a237a813edf
--- /dev/null
+++ b/extensions/tlon/src/setup-core.ts
@@ -0,0 +1,101 @@
+import {
+  applyAccountNameToChannelSection,
+  patchScopedAccountConfig,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import type { ChannelSetupInput } from "../../../src/channels/plugins/types.core.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { buildTlonAccountFields } from "./account-fields.js";
+import { resolveTlonAccount } from "./types.js";
+
+const channel = "tlon" as const;
+
+export type TlonSetupInput = ChannelSetupInput & {
+  ship?: string;
+  url?: string;
+  code?: string;
+  allowPrivateNetwork?: boolean;
+  groupChannels?: string[];
+  dmAllowlist?: string[];
+  autoDiscoverChannels?: boolean;
+  ownerShip?: string;
+};
+
+export function applyTlonSetupConfig(params: {
+  cfg: OpenClawConfig;
+  accountId: string;
+  input: TlonSetupInput;
+}): OpenClawConfig {
+  const { cfg, accountId, input } = params;
+  const useDefault = accountId === DEFAULT_ACCOUNT_ID;
+  const namedConfig = applyAccountNameToChannelSection({
+    cfg,
+    channelKey: channel,
+    accountId,
+    name: input.name,
+  });
+  const base = namedConfig.channels?.tlon ?? {};
+  const payload = buildTlonAccountFields(input);
+
+  if (useDefault) {
+    return {
+      ...namedConfig,
+      channels: {
+        ...namedConfig.channels,
+        tlon: {
+          ...base,
+          enabled: true,
+          ...payload,
+        },
+      },
+    };
+  }
+
+  return patchScopedAccountConfig({
+    cfg: namedConfig,
+    channelKey: channel,
+    accountId,
+    patch: { enabled: base.enabled ?? true },
+    accountPatch: {
+      enabled: true,
+      ...payload,
+    },
+    ensureChannelEnabled: false,
+    ensureAccountEnabled: false,
+  });
+}
+
+export const tlonSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  validateInput: ({ cfg, accountId, input }) => {
+    const setupInput = input as TlonSetupInput;
+    const resolved = resolveTlonAccount(cfg, accountId ?? undefined);
+    const ship = setupInput.ship?.trim() || resolved.ship;
+    const url = setupInput.url?.trim() || resolved.url;
+    const code = setupInput.code?.trim() || resolved.code;
+    if (!ship) {
+      return "Tlon requires --ship.";
+    }
+    if (!url) {
+      return "Tlon requires --url.";
+    }
+    if (!code) {
+      return "Tlon requires --code.";
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) =>
+    applyTlonSetupConfig({
+      cfg,
+      accountId,
+      input: input as TlonSetupInput,
+    }),
+};
diff --git a/extensions/tlon/src/setup-surface.test.ts b/extensions/tlon/src/setup-surface.test.ts
index bb638fc3018..d54db2c75a1 100644
--- a/extensions/tlon/src/setup-surface.test.ts
+++ b/extensions/tlon/src/setup-surface.test.ts
@@ -1,6 +1,6 @@
 import type { OpenClawConfig, RuntimeEnv, WizardPrompter } from "openclaw/plugin-sdk/tlon";
 import { describe, expect, it, vi } from "vitest";
-import { buildChannelOnboardingAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
 import { createRuntimeEnv } from "../../test-utils/runtime-env.js";
 import { tlonPlugin } from "./channel.js";
 
@@ -26,7 +26,7 @@ function createPrompter(overrides: Partial<WizardPrompter>): WizardPrompter {
   };
 }
 
-const tlonConfigureAdapter = buildChannelOnboardingAdapterFromSetupWizard({
+const tlonConfigureAdapter = buildChannelSetupWizardAdapterFromSetupWizard({
   plugin: tlonPlugin,
   wizard: tlonPlugin.setupWizard!,
 });
diff --git a/extensions/tlon/src/setup-surface.ts b/extensions/tlon/src/setup-surface.ts
index 4cf0d006ebd..ec6258277bd 100644
--- a/extensions/tlon/src/setup-surface.ts
+++ b/extensions/tlon/src/setup-surface.ts
@@ -1,31 +1,13 @@
-import {
-  applyAccountNameToChannelSection,
-  patchScopedAccountConfig,
-} from "../../../src/channels/plugins/setup-helpers.js";
 import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
-import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
-import type { ChannelSetupInput } from "../../../src/channels/plugins/types.core.js";
-import type { OpenClawConfig } from "../../../src/config/config.js";
-import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
 import { formatDocsLink } from "../../../src/terminal/links.js";
-import { buildTlonAccountFields } from "./account-fields.js";
+import { applyTlonSetupConfig, type TlonSetupInput, tlonSetupAdapter } from "./setup-core.js";
 import { normalizeShip } from "./targets.js";
 import { listTlonAccountIds, resolveTlonAccount, type TlonResolvedAccount } from "./types.js";
 import { isBlockedUrbitHostname, validateUrbitBaseUrl } from "./urbit/base-url.js";
 
 const channel = "tlon" as const;
 
-type TlonSetupInput = ChannelSetupInput & {
-  ship?: string;
-  url?: string;
-  code?: string;
-  allowPrivateNetwork?: boolean;
-  groupChannels?: string[];
-  dmAllowlist?: string[];
-  autoDiscoverChannels?: boolean;
-  ownerShip?: string;
-};
-
 function isConfigured(account: TlonResolvedAccount): boolean {
   return Boolean(account.ship && account.url && account.code);
 }
@@ -37,83 +19,7 @@ function parseList(value: string): string[] {
     .filter(Boolean);
 }
 
-function applyTlonSetupConfig(params: {
-  cfg: OpenClawConfig;
-  accountId: string;
-  input: TlonSetupInput;
-}): OpenClawConfig {
-  const { cfg, accountId, input } = params;
-  const useDefault = accountId === DEFAULT_ACCOUNT_ID;
-  const namedConfig = applyAccountNameToChannelSection({
-    cfg,
-    channelKey: channel,
-    accountId,
-    name: input.name,
-  });
-  const base = namedConfig.channels?.tlon ?? {};
-  const payload = buildTlonAccountFields(input);
-
-  if (useDefault) {
-    return {
-      ...namedConfig,
-      channels: {
-        ...namedConfig.channels,
-        tlon: {
-          ...base,
-          enabled: true,
-          ...payload,
-        },
-      },
-    };
-  }
-
-  return patchScopedAccountConfig({
-    cfg: namedConfig,
-    channelKey: channel,
-    accountId,
-    patch: { enabled: base.enabled ?? true },
-    accountPatch: {
-      enabled: true,
-      ...payload,
-    },
-    ensureChannelEnabled: false,
-    ensureAccountEnabled: false,
-  });
-}
-
-export const tlonSetupAdapter: ChannelSetupAdapter = {
-  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-  applyAccountName: ({ cfg, accountId, name }) =>
-    applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name,
-    }),
-  validateInput: ({ cfg, accountId, input }) => {
-    const setupInput = input as TlonSetupInput;
-    const resolved = resolveTlonAccount(cfg, accountId ?? undefined);
-    const ship = setupInput.ship?.trim() || resolved.ship;
-    const url = setupInput.url?.trim() || resolved.url;
-    const code = setupInput.code?.trim() || resolved.code;
-    if (!ship) {
-      return "Tlon requires --ship.";
-    }
-    if (!url) {
-      return "Tlon requires --url.";
-    }
-    if (!code) {
-      return "Tlon requires --code.";
-    }
-    return null;
-  },
-  applyAccountConfig: ({ cfg, accountId, input }) =>
-    applyTlonSetupConfig({
-      cfg,
-      accountId,
-      input: input as TlonSetupInput,
-    }),
-};
+export { tlonSetupAdapter } from "./setup-core.js";
 
 export const tlonSetupWizard: ChannelSetupWizard = {
   channel,
diff --git a/extensions/together/index.ts b/extensions/together/index.ts
index 5b1f6ced62f..7408fbea140 100644
--- a/extensions/together/index.ts
+++ b/extensions/together/index.ts
@@ -1,5 +1,10 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildTogetherProvider } from "../../src/agents/models-config.providers.static.js";
+import {
+  applyTogetherConfig,
+  TOGETHER_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "together";
 
@@ -14,7 +19,28 @@ const togetherPlugin = {
       label: "Together",
       docsPath: "/providers/together",
       envVars: ["TOGETHER_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Together AI API key",
+          hint: "API key",
+          optionKey: "togetherApiKey",
+          flagName: "--together-api-key",
+          envVar: "TOGETHER_API_KEY",
+          promptMessage: "Enter Together AI API key",
+          defaultModel: TOGETHER_DEFAULT_MODEL_REF,
+          expectedProviders: ["together"],
+          applyConfig: (cfg) => applyTogetherConfig(cfg),
+          wizard: {
+            choiceId: "together-api-key",
+            choiceLabel: "Together AI API key",
+            groupId: "together",
+            groupLabel: "Together AI",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/together/openclaw.plugin.json b/extensions/together/openclaw.plugin.json
index 2a868251f34..f185492aa54 100644
--- a/extensions/together/openclaw.plugin.json
+++ b/extensions/together/openclaw.plugin.json
@@ -1,6 +1,24 @@
 {
   "id": "together",
   "providers": ["together"],
+  "providerAuthEnvVars": {
+    "together": ["TOGETHER_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "together",
+      "method": "api-key",
+      "choiceId": "together-api-key",
+      "choiceLabel": "Together AI API key",
+      "groupId": "together",
+      "groupLabel": "Together AI",
+      "groupHint": "API key",
+      "optionKey": "togetherApiKey",
+      "cliFlag": "--together-api-key",
+      "cliOption": "--together-api-key <key>",
+      "cliDescription": "Together AI API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/twitch/src/plugin.ts b/extensions/twitch/src/plugin.ts
index 11cf90b8893..3958a05fd8b 100644
--- a/extensions/twitch/src/plugin.ts
+++ b/extensions/twitch/src/plugin.ts
@@ -12,10 +12,10 @@ import { twitchMessageActions } from "./actions.js";
 import { removeClientManager } from "./client-manager-registry.js";
 import { TwitchConfigSchema } from "./config-schema.js";
 import { DEFAULT_ACCOUNT_ID, getAccountConfig, listAccountIds } from "./config.js";
-import { twitchOnboardingAdapter } from "./onboarding.js";
 import { twitchOutbound } from "./outbound.js";
 import { probeTwitch } from "./probe.js";
 import { resolveTwitchTargets } from "./resolver.js";
+import { twitchSetupAdapter, twitchSetupWizard } from "./setup-surface.js";
 import { collectTwitchStatusIssues } from "./status.js";
 import { resolveTwitchToken } from "./token.js";
 import type {
@@ -51,8 +51,9 @@ export const twitchPlugin: ChannelPlugin<TwitchAccountConfig> = {
     aliases: ["twitch-chat"],
   } satisfies ChannelMeta,
 
-  /** Onboarding adapter */
-  onboarding: twitchOnboardingAdapter,
+  /** Setup wizard surface */
+  setup: twitchSetupAdapter,
+  setupWizard: twitchSetupWizard,
 
   /** Pairing configuration */
   pairing: {
diff --git a/extensions/twitch/src/onboarding.test.ts b/extensions/twitch/src/setup-surface.test.ts
similarity index 87%
rename from extensions/twitch/src/onboarding.test.ts
rename to extensions/twitch/src/setup-surface.test.ts
index b8946eefc49..611e0fca66d 100644
--- a/extensions/twitch/src/onboarding.test.ts
+++ b/extensions/twitch/src/setup-surface.test.ts
@@ -1,5 +1,5 @@
 /**
- * Tests for onboarding.ts helpers
+ * Tests for setup-surface.ts helpers.
  *
  * Tests cover:
  * - promptToken helper
@@ -15,11 +15,6 @@ import type { WizardPrompter } from "openclaw/plugin-sdk/twitch";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import type { TwitchAccountConfig } from "./types.js";
 
-vi.mock("openclaw/plugin-sdk/twitch", () => ({
-  formatDocsLink: (url: string, fallback: string) => fallback || url,
-  promptChannelAccessConfig: vi.fn(async () => null),
-}));
-
 // Mock the helpers we're testing
 const mockPromptText = vi.fn();
 const mockPromptConfirm = vi.fn();
@@ -35,7 +30,7 @@ const mockAccount: TwitchAccountConfig = {
   channel: "#testchannel",
 };
 
-describe("onboarding helpers", () => {
+describe("setup surface helpers", () => {
   beforeEach(() => {
     vi.clearAllMocks();
   });
@@ -46,7 +41,7 @@ describe("onboarding helpers", () => {
 
   describe("promptToken", () => {
     it("should return existing token when user confirms to keep it", async () => {
-      const { promptToken } = await import("./onboarding.js");
+      const { promptToken } = await import("./setup-surface.js");
 
       mockPromptConfirm.mockResolvedValue(true);
 
@@ -61,7 +56,7 @@ describe("onboarding helpers", () => {
     });
 
     it("should prompt for new token when user doesn't keep existing", async () => {
-      const { promptToken } = await import("./onboarding.js");
+      const { promptToken } = await import("./setup-surface.js");
 
       mockPromptConfirm.mockResolvedValue(false);
       mockPromptText.mockResolvedValue("oauth:newtoken123");
@@ -77,7 +72,7 @@ describe("onboarding helpers", () => {
     });
 
     it("should use env token as initial value when provided", async () => {
-      const { promptToken } = await import("./onboarding.js");
+      const { promptToken } = await import("./setup-surface.js");
 
       mockPromptConfirm.mockResolvedValue(false);
       mockPromptText.mockResolvedValue("oauth:fromenv");
@@ -92,7 +87,7 @@ describe("onboarding helpers", () => {
     });
 
     it("should validate token format", async () => {
-      const { promptToken } = await import("./onboarding.js");
+      const { promptToken } = await import("./setup-surface.js");
 
       // Set up mocks - user doesn't want to keep existing token
       mockPromptConfirm.mockResolvedValueOnce(false);
@@ -124,7 +119,7 @@ describe("onboarding helpers", () => {
     });
 
     it("should return early when no existing token and no env token", async () => {
-      const { promptToken } = await import("./onboarding.js");
+      const { promptToken } = await import("./setup-surface.js");
 
       mockPromptText.mockResolvedValue("oauth:newtoken");
 
@@ -137,7 +132,7 @@ describe("onboarding helpers", () => {
 
   describe("promptUsername", () => {
     it("should prompt for username with validation", async () => {
-      const { promptUsername } = await import("./onboarding.js");
+      const { promptUsername } = await import("./setup-surface.js");
 
       mockPromptText.mockResolvedValue("mybot");
 
@@ -152,7 +147,7 @@ describe("onboarding helpers", () => {
     });
 
     it("should use existing username as initial value", async () => {
-      const { promptUsername } = await import("./onboarding.js");
+      const { promptUsername } = await import("./setup-surface.js");
 
       mockPromptText.mockResolvedValue("testbot");
 
@@ -168,7 +163,7 @@ describe("onboarding helpers", () => {
 
   describe("promptClientId", () => {
     it("should prompt for client ID with validation", async () => {
-      const { promptClientId } = await import("./onboarding.js");
+      const { promptClientId } = await import("./setup-surface.js");
 
       mockPromptText.mockResolvedValue("abc123xyz");
 
@@ -185,7 +180,7 @@ describe("onboarding helpers", () => {
 
   describe("promptChannelName", () => {
     it("should return channel name when provided", async () => {
-      const { promptChannelName } = await import("./onboarding.js");
+      const { promptChannelName } = await import("./setup-surface.js");
 
       mockPromptText.mockResolvedValue("#mychannel");
 
@@ -195,7 +190,7 @@ describe("onboarding helpers", () => {
     });
 
     it("should require a non-empty channel name", async () => {
-      const { promptChannelName } = await import("./onboarding.js");
+      const { promptChannelName } = await import("./setup-surface.js");
 
       mockPromptText.mockResolvedValue("");
 
@@ -210,7 +205,7 @@ describe("onboarding helpers", () => {
 
   describe("promptRefreshTokenSetup", () => {
     it("should return empty object when user declines", async () => {
-      const { promptRefreshTokenSetup } = await import("./onboarding.js");
+      const { promptRefreshTokenSetup } = await import("./setup-surface.js");
 
       mockPromptConfirm.mockResolvedValue(false);
 
@@ -224,7 +219,7 @@ describe("onboarding helpers", () => {
     });
 
     it("should prompt for credentials when user accepts", async () => {
-      const { promptRefreshTokenSetup } = await import("./onboarding.js");
+      const { promptRefreshTokenSetup } = await import("./setup-surface.js");
 
       mockPromptConfirm
         .mockResolvedValueOnce(true) // First call: useRefresh
@@ -242,7 +237,7 @@ describe("onboarding helpers", () => {
     });
 
     it("should use existing values as initial prompts", async () => {
-      const { promptRefreshTokenSetup } = await import("./onboarding.js");
+      const { promptRefreshTokenSetup } = await import("./setup-surface.js");
 
       const accountWithRefresh = {
         ...mockAccount,
@@ -267,7 +262,7 @@ describe("onboarding helpers", () => {
 
   describe("configureWithEnvToken", () => {
     it("should return null when user declines env token", async () => {
-      const { configureWithEnvToken } = await import("./onboarding.js");
+      const { configureWithEnvToken } = await import("./setup-surface.js");
 
       // Reset and set up mock - user declines env token
       mockPromptConfirm.mockReset().mockResolvedValue(false as never);
@@ -287,7 +282,7 @@ describe("onboarding helpers", () => {
     });
 
     it("should prompt for username and clientId when using env token", async () => {
-      const { configureWithEnvToken } = await import("./onboarding.js");
+      const { configureWithEnvToken } = await import("./setup-surface.js");
 
       // Reset and set up mocks - user accepts env token
       mockPromptConfirm.mockReset().mockResolvedValue(true as never);
diff --git a/extensions/twitch/src/onboarding.ts b/extensions/twitch/src/setup-surface.ts
similarity index 67%
rename from extensions/twitch/src/onboarding.ts
rename to extensions/twitch/src/setup-surface.ts
index 060857bf383..3113bfd9e3b 100644
--- a/extensions/twitch/src/onboarding.ts
+++ b/extensions/twitch/src/setup-surface.ts
@@ -1,25 +1,20 @@
 /**
- * Twitch onboarding adapter for CLI setup wizard.
+ * Twitch setup wizard surface for CLI setup.
  */
 
-import type { OpenClawConfig } from "openclaw/plugin-sdk/twitch";
-import {
-  formatDocsLink,
-  promptChannelAccessConfig,
-  type ChannelOnboardingAdapter,
-  type ChannelOnboardingDmPolicy,
-  type WizardPrompter,
-} from "openclaw/plugin-sdk/twitch";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
+import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
+import type { WizardPrompter } from "../../../src/wizard/prompts.js";
 import { DEFAULT_ACCOUNT_ID, getAccountConfig } from "./config.js";
 import type { TwitchAccountConfig, TwitchRole } from "./types.js";
 import { isAccountConfigured } from "./utils/twitch.js";
 
 const channel = "twitch" as const;
 
-/**
- * Set Twitch account configuration
- */
-function setTwitchAccount(
+export function setTwitchAccount(
   cfg: OpenClawConfig,
   account: Partial<TwitchAccountConfig>,
 ): OpenClawConfig {
@@ -59,9 +54,6 @@ function setTwitchAccount(
   };
 }
 
-/**
- * Note about Twitch setup
- */
 async function noteTwitchSetupHelp(prompter: WizardPrompter): Promise<void> {
   await prompter.note(
     [
@@ -77,17 +69,13 @@ async function noteTwitchSetupHelp(prompter: WizardPrompter): Promise<void> {
   );
 }
 
-/**
- * Prompt for Twitch OAuth token with early returns.
- */
-async function promptToken(
+export async function promptToken(
   prompter: WizardPrompter,
   account: TwitchAccountConfig | null,
   envToken: string | undefined,
 ): Promise<string> {
   const existingToken = account?.accessToken ?? "";
 
-  // If we have an existing token and no env var, ask if we should keep it
   if (existingToken && !envToken) {
     const keepToken = await prompter.confirm({
       message: "Access token already configured. Keep it?",
@@ -98,7 +86,6 @@ async function promptToken(
     }
   }
 
-  // Prompt for new token
   return String(
     await prompter.text({
       message: "Twitch OAuth token (oauth:...)",
@@ -117,10 +104,7 @@ async function promptToken(
   ).trim();
 }
 
-/**
- * Prompt for Twitch username.
- */
-async function promptUsername(
+export async function promptUsername(
   prompter: WizardPrompter,
   account: TwitchAccountConfig | null,
 ): Promise<string> {
@@ -133,10 +117,7 @@ async function promptUsername(
   ).trim();
 }
 
-/**
- * Prompt for Twitch Client ID.
- */
-async function promptClientId(
+export async function promptClientId(
   prompter: WizardPrompter,
   account: TwitchAccountConfig | null,
 ): Promise<string> {
@@ -149,27 +130,20 @@ async function promptClientId(
   ).trim();
 }
 
-/**
- * Prompt for optional channel name.
- */
-async function promptChannelName(
+export async function promptChannelName(
   prompter: WizardPrompter,
   account: TwitchAccountConfig | null,
 ): Promise<string> {
-  const channelName = String(
+  return String(
     await prompter.text({
       message: "Channel to join",
       initialValue: account?.channel ?? "",
       validate: (value) => (value?.trim() ? undefined : "Required"),
     }),
   ).trim();
-  return channelName;
 }
 
-/**
- * Prompt for token refresh credentials (client secret and refresh token).
- */
-async function promptRefreshTokenSetup(
+export async function promptRefreshTokenSetup(
   prompter: WizardPrompter,
   account: TwitchAccountConfig | null,
 ): Promise<{ clientSecret?: string; refreshToken?: string }> {
@@ -203,16 +177,13 @@ async function promptRefreshTokenSetup(
   return { clientSecret, refreshToken };
 }
 
-/**
- * Configure with env token path (returns early if user chooses env token).
- */
-async function configureWithEnvToken(
+export async function configureWithEnvToken(
   cfg: OpenClawConfig,
   prompter: WizardPrompter,
   account: TwitchAccountConfig | null,
   envToken: string,
   forceAllowFrom: boolean,
-  dmPolicy: ChannelOnboardingDmPolicy,
+  dmPolicy: ChannelSetupDmPolicy,
 ): Promise<{ cfg: OpenClawConfig } | null> {
   const useEnv = await prompter.confirm({
     message: "Twitch env var OPENCLAW_TWITCH_ACCESS_TOKEN detected. Use env token?",
@@ -228,7 +199,7 @@ async function configureWithEnvToken(
   const cfgWithAccount = setTwitchAccount(cfg, {
     username,
     clientId,
-    accessToken: "", // Will use env var
+    accessToken: "",
     enabled: true,
   });
 
@@ -239,9 +210,6 @@ async function configureWithEnvToken(
   return { cfg: cfgWithAccount };
 }
 
-/**
- * Set Twitch access control (role-based)
- */
 function setTwitchAccessControl(
   cfg: OpenClawConfig,
   allowedRoles: TwitchRole[],
@@ -259,14 +227,33 @@ function setTwitchAccessControl(
   });
 }
 
-const dmPolicy: ChannelOnboardingDmPolicy = {
+function resolveTwitchGroupPolicy(cfg: OpenClawConfig): "open" | "allowlist" | "disabled" {
+  const account = getAccountConfig(cfg, DEFAULT_ACCOUNT_ID);
+  if (account?.allowedRoles?.includes("all")) {
+    return "open";
+  }
+  if (account?.allowedRoles?.includes("moderator")) {
+    return "allowlist";
+  }
+  return "disabled";
+}
+
+function setTwitchGroupPolicy(
+  cfg: OpenClawConfig,
+  policy: "open" | "allowlist" | "disabled",
+): OpenClawConfig {
+  const allowedRoles: TwitchRole[] =
+    policy === "open" ? ["all"] : policy === "allowlist" ? ["moderator", "vip"] : [];
+  return setTwitchAccessControl(cfg, allowedRoles, true);
+}
+
+const twitchDmPolicy: ChannelSetupDmPolicy = {
   label: "Twitch",
   channel,
-  policyKey: "channels.twitch.allowedRoles", // Twitch uses roles instead of DM policy
+  policyKey: "channels.twitch.allowedRoles",
   allowFromKey: "channels.twitch.accounts.default.allowFrom",
   getCurrent: (cfg) => {
-    const account = getAccountConfig(cfg, DEFAULT_ACCOUNT_ID);
-    // Map allowedRoles to policy equivalent
+    const account = getAccountConfig(cfg as OpenClawConfig, DEFAULT_ACCOUNT_ID);
     if (account?.allowedRoles?.includes("all")) {
       return "open";
     }
@@ -278,10 +265,10 @@ const dmPolicy: ChannelOnboardingDmPolicy = {
   setPolicy: (cfg, policy) => {
     const allowedRoles: TwitchRole[] =
       policy === "open" ? ["all"] : policy === "allowlist" ? [] : ["moderator"];
-    return setTwitchAccessControl(cfg, allowedRoles, true);
+    return setTwitchAccessControl(cfg as OpenClawConfig, allowedRoles, true);
   },
   promptAllowFrom: async ({ cfg, prompter }) => {
-    const account = getAccountConfig(cfg, DEFAULT_ACCOUNT_ID);
+    const account = getAccountConfig(cfg as OpenClawConfig, DEFAULT_ACCOUNT_ID);
     const existingAllowFrom = account?.allowFrom ?? [];
 
     const entry = await prompter.text({
@@ -295,28 +282,61 @@ const dmPolicy: ChannelOnboardingDmPolicy = {
       .map((s) => s.trim())
       .filter(Boolean);
 
-    return setTwitchAccount(cfg, {
+    return setTwitchAccount(cfg as OpenClawConfig, {
       ...(account ?? undefined),
       allowFrom,
     });
   },
 };
 
-export const twitchOnboardingAdapter: ChannelOnboardingAdapter = {
-  channel,
-  getStatus: async ({ cfg }) => {
-    const account = getAccountConfig(cfg, DEFAULT_ACCOUNT_ID);
-    const configured = account ? isAccountConfigured(account) : false;
-
-    return {
-      channel,
-      configured,
-      statusLines: [`Twitch: ${configured ? "configured" : "needs username, token, and clientId"}`],
-      selectionHint: configured ? "configured" : "needs setup",
-    };
+const twitchGroupAccess: NonNullable<ChannelSetupWizard["groupAccess"]> = {
+  label: "Twitch chat",
+  placeholder: "",
+  skipAllowlistEntries: true,
+  currentPolicy: ({ cfg }) => resolveTwitchGroupPolicy(cfg as OpenClawConfig),
+  currentEntries: ({ cfg }) => {
+    const account = getAccountConfig(cfg as OpenClawConfig, DEFAULT_ACCOUNT_ID);
+    return account?.allowFrom ?? [];
   },
-  configure: async ({ cfg, prompter, forceAllowFrom }) => {
-    const account = getAccountConfig(cfg, DEFAULT_ACCOUNT_ID);
+  updatePrompt: ({ cfg }) => {
+    const account = getAccountConfig(cfg as OpenClawConfig, DEFAULT_ACCOUNT_ID);
+    return Boolean(account?.allowedRoles?.length || account?.allowFrom?.length);
+  },
+  setPolicy: ({ cfg, policy }) => setTwitchGroupPolicy(cfg as OpenClawConfig, policy),
+  resolveAllowlist: async () => [],
+  applyAllowlist: ({ cfg }) => cfg as OpenClawConfig,
+};
+
+export const twitchSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: () => DEFAULT_ACCOUNT_ID,
+  applyAccountConfig: ({ cfg }) =>
+    setTwitchAccount(cfg, {
+      enabled: true,
+    }),
+};
+
+export const twitchSetupWizard: ChannelSetupWizard = {
+  channel,
+  resolveAccountIdForConfigure: () => DEFAULT_ACCOUNT_ID,
+  resolveShouldPromptAccountIds: () => false,
+  status: {
+    configuredLabel: "configured",
+    unconfiguredLabel: "needs username, token, and clientId",
+    configuredHint: "configured",
+    unconfiguredHint: "needs setup",
+    resolveConfigured: ({ cfg }) => {
+      const account = getAccountConfig(cfg as OpenClawConfig, DEFAULT_ACCOUNT_ID);
+      return account ? isAccountConfigured(account) : false;
+    },
+    resolveStatusLines: ({ cfg }) => {
+      const account = getAccountConfig(cfg as OpenClawConfig, DEFAULT_ACCOUNT_ID);
+      const configured = account ? isAccountConfigured(account) : false;
+      return [`Twitch: ${configured ? "configured" : "needs username, token, and clientId"}`];
+    },
+  },
+  credentials: [],
+  finalize: async ({ cfg, prompter, forceAllowFrom }) => {
+    const account = getAccountConfig(cfg as OpenClawConfig, DEFAULT_ACCOUNT_ID);
 
     if (!account || !isAccountConfigured(account)) {
       await noteTwitchSetupHelp(prompter);
@@ -324,29 +344,27 @@ export const twitchOnboardingAdapter: ChannelOnboardingAdapter = {
 
     const envToken = process.env.OPENCLAW_TWITCH_ACCESS_TOKEN?.trim();
 
-    // Check if env var is set and config is empty
     if (envToken && !account?.accessToken) {
       const envResult = await configureWithEnvToken(
-        cfg,
+        cfg as OpenClawConfig,
         prompter,
         account,
         envToken,
         forceAllowFrom,
-        dmPolicy,
+        twitchDmPolicy,
       );
       if (envResult) {
         return envResult;
       }
     }
 
-    // Prompt for credentials
     const username = await promptUsername(prompter, account);
     const token = await promptToken(prompter, account, envToken);
     const clientId = await promptClientId(prompter, account);
     const channelName = await promptChannelName(prompter, account);
     const { clientSecret, refreshToken } = await promptRefreshTokenSetup(prompter, account);
 
-    const cfgWithAccount = setTwitchAccount(cfg, {
+    const cfgWithAccount = setTwitchAccount(cfg as OpenClawConfig, {
       username,
       accessToken: token,
       clientId,
@@ -357,41 +375,14 @@ export const twitchOnboardingAdapter: ChannelOnboardingAdapter = {
     });
 
     const cfgWithAllowFrom =
-      forceAllowFrom && dmPolicy.promptAllowFrom
-        ? await dmPolicy.promptAllowFrom({ cfg: cfgWithAccount, prompter })
+      forceAllowFrom && twitchDmPolicy.promptAllowFrom
+        ? await twitchDmPolicy.promptAllowFrom({ cfg: cfgWithAccount, prompter })
         : cfgWithAccount;
 
-    // Prompt for access control if allowFrom not set
-    if (!account?.allowFrom || account.allowFrom.length === 0) {
-      const accessConfig = await promptChannelAccessConfig({
-        prompter,
-        label: "Twitch chat",
-        currentPolicy: account?.allowedRoles?.includes("all")
-          ? "open"
-          : account?.allowedRoles?.includes("moderator")
-            ? "allowlist"
-            : "disabled",
-        currentEntries: [],
-        placeholder: "",
-        updatePrompt: false,
-      });
-
-      if (accessConfig) {
-        const allowedRoles: TwitchRole[] =
-          accessConfig.policy === "open"
-            ? ["all"]
-            : accessConfig.policy === "allowlist"
-              ? ["moderator", "vip"]
-              : [];
-
-        const cfgWithAccessControl = setTwitchAccessControl(cfgWithAllowFrom, allowedRoles, true);
-        return { cfg: cfgWithAccessControl };
-      }
-    }
-
     return { cfg: cfgWithAllowFrom };
   },
-  dmPolicy,
+  dmPolicy: twitchDmPolicy,
+  groupAccess: twitchGroupAccess,
   disable: (cfg) => {
     const twitch = (cfg.channels as Record<string, unknown>)?.twitch as
       | Record<string, unknown>
@@ -405,13 +396,3 @@ export const twitchOnboardingAdapter: ChannelOnboardingAdapter = {
     };
   },
 };
-
-// Export helper functions for testing
-export {
-  promptToken,
-  promptUsername,
-  promptClientId,
-  promptChannelName,
-  promptRefreshTokenSetup,
-  configureWithEnvToken,
-};
diff --git a/extensions/venice/index.ts b/extensions/venice/index.ts
index 75cd6adbaf1..12714fc2666 100644
--- a/extensions/venice/index.ts
+++ b/extensions/venice/index.ts
@@ -1,5 +1,7 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildVeniceProvider } from "../../src/agents/models-config.providers.discovery.js";
+import { applyVeniceConfig, VENICE_DEFAULT_MODEL_REF } from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "venice";
 
@@ -14,7 +16,34 @@ const venicePlugin = {
       label: "Venice",
       docsPath: "/providers/venice",
       envVars: ["VENICE_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Venice AI API key",
+          hint: "Privacy-focused (uncensored models)",
+          optionKey: "veniceApiKey",
+          flagName: "--venice-api-key",
+          envVar: "VENICE_API_KEY",
+          promptMessage: "Enter Venice AI API key",
+          defaultModel: VENICE_DEFAULT_MODEL_REF,
+          expectedProviders: ["venice"],
+          applyConfig: (cfg) => applyVeniceConfig(cfg),
+          noteMessage: [
+            "Venice AI provides privacy-focused inference with uncensored models.",
+            "Get your API key at: https://venice.ai/settings/api",
+            "Supports 'private' (fully private) and 'anonymized' (proxy) modes.",
+          ].join("\n"),
+          noteTitle: "Venice AI",
+          wizard: {
+            choiceId: "venice-api-key",
+            choiceLabel: "Venice AI API key",
+            groupId: "venice",
+            groupLabel: "Venice AI",
+            groupHint: "Privacy-focused (uncensored models)",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/venice/openclaw.plugin.json b/extensions/venice/openclaw.plugin.json
index 6262595509e..6667907b5e4 100644
--- a/extensions/venice/openclaw.plugin.json
+++ b/extensions/venice/openclaw.plugin.json
@@ -1,6 +1,24 @@
 {
   "id": "venice",
   "providers": ["venice"],
+  "providerAuthEnvVars": {
+    "venice": ["VENICE_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "venice",
+      "method": "api-key",
+      "choiceId": "venice-api-key",
+      "choiceLabel": "Venice AI API key",
+      "groupId": "venice",
+      "groupLabel": "Venice AI",
+      "groupHint": "Privacy-focused (uncensored models)",
+      "optionKey": "veniceApiKey",
+      "cliFlag": "--venice-api-key",
+      "cliOption": "--venice-api-key <key>",
+      "cliDescription": "Venice API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/vercel-ai-gateway/index.ts b/extensions/vercel-ai-gateway/index.ts
index c3098130f3e..a656cf400a7 100644
--- a/extensions/vercel-ai-gateway/index.ts
+++ b/extensions/vercel-ai-gateway/index.ts
@@ -1,5 +1,10 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildVercelAiGatewayProvider } from "../../src/agents/models-config.providers.discovery.js";
+import {
+  applyVercelAiGatewayConfig,
+  VERCEL_AI_GATEWAY_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "vercel-ai-gateway";
 
@@ -14,7 +19,28 @@ const vercelAiGatewayPlugin = {
       label: "Vercel AI Gateway",
       docsPath: "/providers/vercel-ai-gateway",
       envVars: ["AI_GATEWAY_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Vercel AI Gateway API key",
+          hint: "API key",
+          optionKey: "aiGatewayApiKey",
+          flagName: "--ai-gateway-api-key",
+          envVar: "AI_GATEWAY_API_KEY",
+          promptMessage: "Enter Vercel AI Gateway API key",
+          defaultModel: VERCEL_AI_GATEWAY_DEFAULT_MODEL_REF,
+          expectedProviders: ["vercel-ai-gateway"],
+          applyConfig: (cfg) => applyVercelAiGatewayConfig(cfg),
+          wizard: {
+            choiceId: "ai-gateway-api-key",
+            choiceLabel: "Vercel AI Gateway API key",
+            groupId: "ai-gateway",
+            groupLabel: "Vercel AI Gateway",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/vercel-ai-gateway/openclaw.plugin.json b/extensions/vercel-ai-gateway/openclaw.plugin.json
index 14f4a214605..e86c3943c9a 100644
--- a/extensions/vercel-ai-gateway/openclaw.plugin.json
+++ b/extensions/vercel-ai-gateway/openclaw.plugin.json
@@ -1,6 +1,24 @@
 {
   "id": "vercel-ai-gateway",
   "providers": ["vercel-ai-gateway"],
+  "providerAuthEnvVars": {
+    "vercel-ai-gateway": ["AI_GATEWAY_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "vercel-ai-gateway",
+      "method": "api-key",
+      "choiceId": "ai-gateway-api-key",
+      "choiceLabel": "Vercel AI Gateway API key",
+      "groupId": "ai-gateway",
+      "groupLabel": "Vercel AI Gateway",
+      "groupHint": "API key",
+      "optionKey": "aiGatewayApiKey",
+      "cliFlag": "--ai-gateway-api-key",
+      "cliOption": "--ai-gateway-api-key <key>",
+      "cliDescription": "Vercel AI Gateway API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/vllm/index.ts b/extensions/vllm/index.ts
index cb865de4dfd..571692c6585 100644
--- a/extensions/vllm/index.ts
+++ b/extensions/vllm/index.ts
@@ -59,7 +59,7 @@ const vllmPlugin = {
           }),
       },
       wizard: {
-        onboarding: {
+        setup: {
           choiceId: "vllm",
           choiceLabel: "vLLM",
           choiceHint: "Local/self-hosted OpenAI-compatible server",
diff --git a/extensions/vllm/openclaw.plugin.json b/extensions/vllm/openclaw.plugin.json
index 5a9f9a778ee..bc3ad68c407 100644
--- a/extensions/vllm/openclaw.plugin.json
+++ b/extensions/vllm/openclaw.plugin.json
@@ -1,6 +1,21 @@
 {
   "id": "vllm",
   "providers": ["vllm"],
+  "providerAuthEnvVars": {
+    "vllm": ["VLLM_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "vllm",
+      "method": "custom",
+      "choiceId": "vllm",
+      "choiceLabel": "vLLM",
+      "choiceHint": "Local/self-hosted OpenAI-compatible server",
+      "groupId": "vllm",
+      "groupLabel": "vLLM",
+      "groupHint": "Local/self-hosted OpenAI-compatible"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/volcengine/index.ts b/extensions/volcengine/index.ts
index 7d907b5f53e..2e6063365df 100644
--- a/extensions/volcengine/index.ts
+++ b/extensions/volcengine/index.ts
@@ -3,8 +3,11 @@ import {
   buildDoubaoCodingProvider,
   buildDoubaoProvider,
 } from "../../src/agents/models-config.providers.static.js";
+import { ensureModelAllowlistEntry } from "../../src/commands/model-allowlist.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "volcengine";
+const VOLCENGINE_DEFAULT_MODEL_REF = "volcengine-plan/ark-code-latest";
 
 const volcenginePlugin = {
   id: PROVIDER_ID,
@@ -17,7 +20,32 @@ const volcenginePlugin = {
       label: "Volcengine",
       docsPath: "/concepts/model-providers#volcano-engine-doubao",
       envVars: ["VOLCANO_ENGINE_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Volcano Engine API key",
+          hint: "API key",
+          optionKey: "volcengineApiKey",
+          flagName: "--volcengine-api-key",
+          envVar: "VOLCANO_ENGINE_API_KEY",
+          promptMessage: "Enter Volcano Engine API key",
+          defaultModel: VOLCENGINE_DEFAULT_MODEL_REF,
+          expectedProviders: ["volcengine"],
+          applyConfig: (cfg) =>
+            ensureModelAllowlistEntry({
+              cfg,
+              modelRef: VOLCENGINE_DEFAULT_MODEL_REF,
+            }),
+          wizard: {
+            choiceId: "volcengine-api-key",
+            choiceLabel: "Volcano Engine API key",
+            groupId: "volcengine",
+            groupLabel: "Volcano Engine",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "paired",
         run: async (ctx) => {
diff --git a/extensions/volcengine/openclaw.plugin.json b/extensions/volcengine/openclaw.plugin.json
index 0773577aef9..4fd6d192281 100644
--- a/extensions/volcengine/openclaw.plugin.json
+++ b/extensions/volcengine/openclaw.plugin.json
@@ -1,6 +1,24 @@
 {
   "id": "volcengine",
   "providers": ["volcengine", "volcengine-plan"],
+  "providerAuthEnvVars": {
+    "volcengine": ["VOLCANO_ENGINE_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "volcengine",
+      "method": "api-key",
+      "choiceId": "volcengine-api-key",
+      "choiceLabel": "Volcano Engine API key",
+      "groupId": "volcengine",
+      "groupLabel": "Volcano Engine",
+      "groupHint": "API key",
+      "optionKey": "volcengineApiKey",
+      "cliFlag": "--volcengine-api-key",
+      "cliOption": "--volcengine-api-key <key>",
+      "cliDescription": "Volcano Engine API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/whatsapp/index.ts b/extensions/whatsapp/index.ts
index 9279a2c038d..c0f097ddf7d 100644
--- a/extensions/whatsapp/index.ts
+++ b/extensions/whatsapp/index.ts
@@ -1,5 +1,5 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/whatsapp";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/whatsapp";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/core";
 import { whatsappPlugin } from "./src/channel.js";
 import { setWhatsAppRuntime } from "./src/runtime.js";
 
diff --git a/extensions/whatsapp/package.json b/extensions/whatsapp/package.json
index ec73a1b0613..356b2e3894b 100644
--- a/extensions/whatsapp/package.json
+++ b/extensions/whatsapp/package.json
@@ -7,6 +7,7 @@
   "openclaw": {
     "extensions": [
       "./index.ts"
-    ]
+    ],
+    "setupEntry": "./setup-entry.ts"
   }
 }
diff --git a/extensions/whatsapp/setup-entry.ts b/extensions/whatsapp/setup-entry.ts
new file mode 100644
index 00000000000..5b18e10073b
--- /dev/null
+++ b/extensions/whatsapp/setup-entry.ts
@@ -0,0 +1,3 @@
+import { whatsappSetupPlugin } from "./src/channel.setup.js";
+
+export default { plugin: whatsappSetupPlugin };
diff --git a/extensions/whatsapp/src/auto-reply/monitor/process-message.inbound-contract.test.ts b/extensions/whatsapp/src/auto-reply/monitor/process-message.inbound-contract.test.ts
index 238c675e12d..566c8a76e1e 100644
--- a/extensions/whatsapp/src/auto-reply/monitor/process-message.inbound-contract.test.ts
+++ b/extensions/whatsapp/src/auto-reply/monitor/process-message.inbound-contract.test.ts
@@ -2,7 +2,7 @@ import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { expectInboundContextContract } from "../../../../../test/helpers/inbound-contract.js";
+import { expectChannelInboundContextContract as expectInboundContextContract } from "../../../../../src/channels/plugins/contracts/suites.js";
 
 let capturedCtx: unknown;
 let capturedDispatchParams: unknown;
diff --git a/extensions/whatsapp/src/channel.runtime.ts b/extensions/whatsapp/src/channel.runtime.ts
new file mode 100644
index 00000000000..ff67d34ee10
--- /dev/null
+++ b/extensions/whatsapp/src/channel.runtime.ts
@@ -0,0 +1 @@
+export { whatsappSetupWizard } from "./setup-surface.js";
diff --git a/extensions/whatsapp/src/channel.setup.ts b/extensions/whatsapp/src/channel.setup.ts
new file mode 100644
index 00000000000..b352bd2ed73
--- /dev/null
+++ b/extensions/whatsapp/src/channel.setup.ts
@@ -0,0 +1,198 @@
+import {
+  buildAccountScopedDmSecurityPolicy,
+  buildChannelConfigSchema,
+  collectAllowlistProviderGroupPolicyWarnings,
+  collectOpenGroupPolicyRouteAllowlistWarnings,
+  DEFAULT_ACCOUNT_ID,
+  formatWhatsAppConfigAllowFromEntries,
+  getChatChannelMeta,
+  normalizeE164,
+  resolveWhatsAppConfigAllowFrom,
+  resolveWhatsAppConfigDefaultTo,
+  resolveWhatsAppGroupIntroHint,
+  resolveWhatsAppGroupRequireMention,
+  resolveWhatsAppGroupToolPolicy,
+  WhatsAppConfigSchema,
+  type ChannelPlugin,
+} from "openclaw/plugin-sdk/whatsapp";
+import {
+  listWhatsAppAccountIds,
+  resolveDefaultWhatsAppAccountId,
+  resolveWhatsAppAccount,
+  type ResolvedWhatsAppAccount,
+} from "./accounts.js";
+import { webAuthExists } from "./auth-store.js";
+import { whatsappSetupAdapter } from "./setup-core.js";
+
+async function loadWhatsAppChannelRuntime() {
+  return await import("./channel.runtime.js");
+}
+
+const whatsappSetupWizardProxy = {
+  channel: "whatsapp",
+  status: {
+    configuredLabel: "linked",
+    unconfiguredLabel: "not linked",
+    configuredHint: "linked",
+    unconfiguredHint: "not linked",
+    configuredScore: 5,
+    unconfiguredScore: 4,
+    resolveConfigured: async ({ cfg }) =>
+      await (
+        await loadWhatsAppChannelRuntime()
+      ).whatsappSetupWizard.status.resolveConfigured({
+        cfg,
+      }),
+    resolveStatusLines: async ({ cfg, configured }) =>
+      (await (
+        await loadWhatsAppChannelRuntime()
+      ).whatsappSetupWizard.status.resolveStatusLines?.({
+        cfg,
+        configured,
+      })) ?? [],
+  },
+  resolveShouldPromptAccountIds: (params) =>
+    (params.shouldPromptAccountIds || params.options?.promptWhatsAppAccountId) ?? false,
+  credentials: [],
+  finalize: async (params) =>
+    await (
+      await loadWhatsAppChannelRuntime()
+    ).whatsappSetupWizard.finalize!(params),
+  disable: (cfg) => ({
+    ...cfg,
+    channels: {
+      ...cfg.channels,
+      whatsapp: {
+        ...cfg.channels?.whatsapp,
+        enabled: false,
+      },
+    },
+  }),
+  onAccountRecorded: (accountId, options) => {
+    options?.onWhatsAppAccountId?.(accountId);
+  },
+} satisfies NonNullable<ChannelPlugin<ResolvedWhatsAppAccount>["setupWizard"]>;
+
+export const whatsappSetupPlugin: ChannelPlugin<ResolvedWhatsAppAccount> = {
+  id: "whatsapp",
+  meta: {
+    ...getChatChannelMeta("whatsapp"),
+    showConfigured: false,
+    quickstartAllowFrom: true,
+    forceAccountBinding: true,
+    preferSessionLookupForAnnounceTarget: true,
+  },
+  setupWizard: whatsappSetupWizardProxy,
+  capabilities: {
+    chatTypes: ["direct", "group"],
+    polls: true,
+    reactions: true,
+    media: true,
+  },
+  reload: { configPrefixes: ["web"], noopPrefixes: ["channels.whatsapp"] },
+  gatewayMethods: ["web.login.start", "web.login.wait"],
+  configSchema: buildChannelConfigSchema(WhatsAppConfigSchema),
+  config: {
+    listAccountIds: (cfg) => listWhatsAppAccountIds(cfg),
+    resolveAccount: (cfg, accountId) => resolveWhatsAppAccount({ cfg, accountId }),
+    defaultAccountId: (cfg) => resolveDefaultWhatsAppAccountId(cfg),
+    setAccountEnabled: ({ cfg, accountId, enabled }) => {
+      const accountKey = accountId || DEFAULT_ACCOUNT_ID;
+      const accounts = { ...cfg.channels?.whatsapp?.accounts };
+      const existing = accounts[accountKey] ?? {};
+      return {
+        ...cfg,
+        channels: {
+          ...cfg.channels,
+          whatsapp: {
+            ...cfg.channels?.whatsapp,
+            accounts: {
+              ...accounts,
+              [accountKey]: {
+                ...existing,
+                enabled,
+              },
+            },
+          },
+        },
+      };
+    },
+    deleteAccount: ({ cfg, accountId }) => {
+      const accountKey = accountId || DEFAULT_ACCOUNT_ID;
+      const accounts = { ...cfg.channels?.whatsapp?.accounts };
+      delete accounts[accountKey];
+      return {
+        ...cfg,
+        channels: {
+          ...cfg.channels,
+          whatsapp: {
+            ...cfg.channels?.whatsapp,
+            accounts: Object.keys(accounts).length ? accounts : undefined,
+          },
+        },
+      };
+    },
+    isEnabled: (account, cfg) => account.enabled && cfg.web?.enabled !== false,
+    disabledReason: () => "disabled",
+    isConfigured: async (account) => await webAuthExists(account.authDir),
+    unconfiguredReason: () => "not linked",
+    describeAccount: (account) => ({
+      accountId: account.accountId,
+      name: account.name,
+      enabled: account.enabled,
+      configured: Boolean(account.authDir),
+      linked: Boolean(account.authDir),
+      dmPolicy: account.dmPolicy,
+      allowFrom: account.allowFrom,
+    }),
+    resolveAllowFrom: ({ cfg, accountId }) => resolveWhatsAppConfigAllowFrom({ cfg, accountId }),
+    formatAllowFrom: ({ allowFrom }) => formatWhatsAppConfigAllowFromEntries(allowFrom),
+    resolveDefaultTo: ({ cfg, accountId }) => resolveWhatsAppConfigDefaultTo({ cfg, accountId }),
+  },
+  security: {
+    resolveDmPolicy: ({ cfg, accountId, account }) =>
+      buildAccountScopedDmSecurityPolicy({
+        cfg,
+        channelKey: "whatsapp",
+        accountId,
+        fallbackAccountId: account.accountId ?? DEFAULT_ACCOUNT_ID,
+        policy: account.dmPolicy,
+        allowFrom: account.allowFrom ?? [],
+        policyPathSuffix: "dmPolicy",
+        normalizeEntry: (raw) => normalizeE164(raw),
+      }),
+    collectWarnings: ({ account, cfg }) => {
+      const groupAllowlistConfigured =
+        Boolean(account.groups) && Object.keys(account.groups ?? {}).length > 0;
+      return collectAllowlistProviderGroupPolicyWarnings({
+        cfg,
+        providerConfigPresent: cfg.channels?.whatsapp !== undefined,
+        configuredGroupPolicy: account.groupPolicy,
+        collect: (groupPolicy) =>
+          collectOpenGroupPolicyRouteAllowlistWarnings({
+            groupPolicy,
+            routeAllowlistConfigured: groupAllowlistConfigured,
+            restrictSenders: {
+              surface: "WhatsApp groups",
+              openScope: "any member in allowed groups",
+              groupPolicyPath: "channels.whatsapp.groupPolicy",
+              groupAllowFromPath: "channels.whatsapp.groupAllowFrom",
+            },
+            noRouteAllowlist: {
+              surface: "WhatsApp groups",
+              routeAllowlistPath: "channels.whatsapp.groups",
+              routeScope: "group",
+              groupPolicyPath: "channels.whatsapp.groupPolicy",
+              groupAllowFromPath: "channels.whatsapp.groupAllowFrom",
+            },
+          }),
+      });
+    },
+  },
+  setup: whatsappSetupAdapter,
+  groups: {
+    resolveRequireMention: resolveWhatsAppGroupRequireMention,
+    resolveToolPolicy: resolveWhatsAppGroupToolPolicy,
+    resolveGroupIntroHint: resolveWhatsAppGroupIntroHint,
+  },
+};
diff --git a/extensions/whatsapp/src/channel.ts b/extensions/whatsapp/src/channel.ts
index e240824c743..d7f437d3204 100644
--- a/extensions/whatsapp/src/channel.ts
+++ b/extensions/whatsapp/src/channel.ts
@@ -1,3 +1,4 @@
+import { buildAccountScopedAllowlistConfigEditor } from "openclaw/plugin-sdk/compat";
 import {
   buildChannelConfigSchema,
   buildAccountScopedDmSecurityPolicy,
@@ -24,6 +25,7 @@ import {
   type ChannelMessageActionName,
   type ChannelPlugin,
 } from "openclaw/plugin-sdk/whatsapp";
+import { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "../../../src/whatsapp/normalize.js";
 // WhatsApp-specific imports from local extension code (moved from src/web/ and src/channels/plugins/)
 import {
   listWhatsAppAccountIds,
@@ -33,11 +35,75 @@ import {
 } from "./accounts.js";
 import { looksLikeWhatsAppTargetId, normalizeWhatsAppMessagingTarget } from "./normalize.js";
 import { getWhatsAppRuntime } from "./runtime.js";
-import { whatsappSetupAdapter, whatsappSetupWizard } from "./setup-surface.js";
+import { whatsappSetupAdapter } from "./setup-core.js";
 import { collectWhatsAppStatusIssues } from "./status-issues.js";
 
 const meta = getChatChannelMeta("whatsapp");
 
+async function loadWhatsAppChannelRuntime() {
+  return await import("./channel.runtime.js");
+}
+
+function normalizeWhatsAppPayloadText(text: string | undefined): string {
+  return (text ?? "").replace(/^(?:[ \t]*\r?\n)+/, "");
+}
+
+function parseWhatsAppExplicitTarget(raw: string) {
+  const normalized = normalizeWhatsAppTarget(raw);
+  if (!normalized) {
+    return null;
+  }
+  return {
+    to: normalized,
+    chatType: isWhatsAppGroupJid(normalized) ? ("group" as const) : ("direct" as const),
+  };
+}
+
+const whatsappSetupWizardProxy = {
+  channel: "whatsapp",
+  status: {
+    configuredLabel: "linked",
+    unconfiguredLabel: "not linked",
+    configuredHint: "linked",
+    unconfiguredHint: "not linked",
+    configuredScore: 5,
+    unconfiguredScore: 4,
+    resolveConfigured: async ({ cfg }) =>
+      await (
+        await loadWhatsAppChannelRuntime()
+      ).whatsappSetupWizard.status.resolveConfigured({
+        cfg,
+      }),
+    resolveStatusLines: async ({ cfg, configured }) =>
+      (await (
+        await loadWhatsAppChannelRuntime()
+      ).whatsappSetupWizard.status.resolveStatusLines?.({
+        cfg,
+        configured,
+      })) ?? [],
+  },
+  resolveShouldPromptAccountIds: (params) =>
+    (params.shouldPromptAccountIds || params.options?.promptWhatsAppAccountId) ?? false,
+  credentials: [],
+  finalize: async (params) =>
+    await (
+      await loadWhatsAppChannelRuntime()
+    ).whatsappSetupWizard.finalize!(params),
+  disable: (cfg) => ({
+    ...cfg,
+    channels: {
+      ...cfg.channels,
+      whatsapp: {
+        ...cfg.channels?.whatsapp,
+        enabled: false,
+      },
+    },
+  }),
+  onAccountRecorded: (accountId, options) => {
+    options?.onWhatsAppAccountId?.(accountId);
+  },
+} satisfies NonNullable<ChannelPlugin<ResolvedWhatsAppAccount>["setupWizard"]>;
+
 export const whatsappPlugin: ChannelPlugin<ResolvedWhatsAppAccount> = {
   id: "whatsapp",
   meta: {
@@ -47,7 +113,7 @@ export const whatsappPlugin: ChannelPlugin<ResolvedWhatsAppAccount> = {
     forceAccountBinding: true,
     preferSessionLookupForAnnounceTarget: true,
   },
-  setupWizard: whatsappSetupWizard,
+  setupWizard: whatsappSetupWizardProxy,
   agentTools: () => [getWhatsAppRuntime().channel.whatsapp.createLoginTool()],
   pairing: {
     idLabel: "whatsappSenderId",
@@ -119,6 +185,26 @@ export const whatsappPlugin: ChannelPlugin<ResolvedWhatsAppAccount> = {
     formatAllowFrom: ({ allowFrom }) => formatWhatsAppConfigAllowFromEntries(allowFrom),
     resolveDefaultTo: ({ cfg, accountId }) => resolveWhatsAppConfigDefaultTo({ cfg, accountId }),
   },
+  allowlist: {
+    supportsScope: ({ scope }) => scope === "dm" || scope === "group" || scope === "all",
+    readConfig: ({ cfg, accountId }) => {
+      const account = resolveWhatsAppAccount({ cfg, accountId });
+      return {
+        dmAllowFrom: (account.allowFrom ?? []).map(String),
+        groupAllowFrom: (account.groupAllowFrom ?? []).map(String),
+        dmPolicy: account.dmPolicy,
+        groupPolicy: account.groupPolicy,
+      };
+    },
+    applyConfigEdit: buildAccountScopedAllowlistConfigEditor({
+      channelId: "whatsapp",
+      normalize: ({ values }) => formatWhatsAppConfigAllowFromEntries(values),
+      resolvePaths: (scope) => ({
+        readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
+        writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+      }),
+    }),
+  },
   security: {
     resolveDmPolicy: ({ cfg, accountId, account }) => {
       return buildAccountScopedDmSecurityPolicy({
@@ -175,6 +261,8 @@ export const whatsappPlugin: ChannelPlugin<ResolvedWhatsAppAccount> = {
   },
   messaging: {
     normalizeTarget: normalizeWhatsAppMessagingTarget,
+    parseExplicitTarget: ({ raw }) => parseWhatsAppExplicitTarget(raw),
+    inferTargetChatType: ({ to }) => parseWhatsAppExplicitTarget(to)?.chatType,
     targetResolver: {
       looksLikeId: looksLikeWhatsAppTargetId,
       hint: "<E.164|group JID>",
@@ -239,16 +327,22 @@ export const whatsappPlugin: ChannelPlugin<ResolvedWhatsAppAccount> = {
       );
     },
   },
-  outbound: createWhatsAppOutboundBase({
-    chunker: (text, limit) => getWhatsAppRuntime().channel.text.chunkText(text, limit),
-    sendMessageWhatsApp: async (...args) =>
-      await getWhatsAppRuntime().channel.whatsapp.sendMessageWhatsApp(...args),
-    sendPollWhatsApp: async (...args) =>
-      await getWhatsAppRuntime().channel.whatsapp.sendPollWhatsApp(...args),
-    shouldLogVerbose: () => getWhatsAppRuntime().logging.shouldLogVerbose(),
-    resolveTarget: ({ to, allowFrom, mode }) =>
-      resolveWhatsAppOutboundTarget({ to, allowFrom, mode }),
-  }),
+  outbound: {
+    ...createWhatsAppOutboundBase({
+      chunker: (text, limit) => getWhatsAppRuntime().channel.text.chunkText(text, limit),
+      sendMessageWhatsApp: async (...args) =>
+        await getWhatsAppRuntime().channel.whatsapp.sendMessageWhatsApp(...args),
+      sendPollWhatsApp: async (...args) =>
+        await getWhatsAppRuntime().channel.whatsapp.sendPollWhatsApp(...args),
+      shouldLogVerbose: () => getWhatsAppRuntime().logging.shouldLogVerbose(),
+      resolveTarget: ({ to, allowFrom, mode }) =>
+        resolveWhatsAppOutboundTarget({ to, allowFrom, mode }),
+    }),
+    normalizePayload: ({ payload }) => ({
+      ...payload,
+      text: normalizeWhatsAppPayloadText(payload.text),
+    }),
+  },
   auth: {
     login: async ({ cfg, accountId, runtime, verbose }) => {
       const resolvedAccountId = accountId?.trim() || resolveDefaultWhatsAppAccountId(cfg);
diff --git a/extensions/whatsapp/src/inbound/access-control.group-policy.test.ts b/extensions/whatsapp/src/inbound/access-control.group-policy.test.ts
deleted file mode 100644
index 0a508f9739b..00000000000
--- a/extensions/whatsapp/src/inbound/access-control.group-policy.test.ts
+++ /dev/null
@@ -1,13 +0,0 @@
-import { describe } from "vitest";
-import { installProviderRuntimeGroupPolicyFallbackSuite } from "../../../../src/test-utils/runtime-group-policy-contract.js";
-import { __testing } from "./access-control.js";
-
-describe("resolveWhatsAppRuntimeGroupPolicy", () => {
-  installProviderRuntimeGroupPolicyFallbackSuite({
-    resolve: __testing.resolveWhatsAppRuntimeGroupPolicy,
-    configuredLabel: "keeps open fallback when channels.whatsapp is configured",
-    defaultGroupPolicyUnderTest: "disabled",
-    missingConfigLabel: "fails closed when channels.whatsapp is missing and no defaults are set",
-    missingDefaultLabel: "ignores explicit default policy when provider config is missing",
-  });
-});
diff --git a/extensions/whatsapp/src/outbound-adapter.sendpayload.test.ts b/extensions/whatsapp/src/outbound-adapter.sendpayload.test.ts
index 81f30ea1c71..52b44de49e7 100644
--- a/extensions/whatsapp/src/outbound-adapter.sendpayload.test.ts
+++ b/extensions/whatsapp/src/outbound-adapter.sendpayload.test.ts
@@ -1,40 +1,7 @@
 import { describe, expect, it, vi } from "vitest";
-import type { ReplyPayload } from "../../../src/auto-reply/types.js";
-import {
-  installSendPayloadContractSuite,
-  primeSendMock,
-} from "../../../src/test-utils/send-payload-contract.js";
 import { whatsappOutbound } from "./outbound-adapter.js";
 
-function createHarness(params: {
-  payload: ReplyPayload;
-  sendResults?: Array<{ messageId: string }>;
-}) {
-  const sendWhatsApp = vi.fn();
-  primeSendMock(sendWhatsApp, { messageId: "wa-1" }, params.sendResults);
-  const ctx = {
-    cfg: {},
-    to: "5511999999999@c.us",
-    text: "",
-    payload: params.payload,
-    deps: {
-      sendWhatsApp,
-    },
-  };
-  return {
-    run: async () => await whatsappOutbound.sendPayload!(ctx),
-    sendMock: sendWhatsApp,
-    to: ctx.to,
-  };
-}
-
 describe("whatsappOutbound sendPayload", () => {
-  installSendPayloadContractSuite({
-    channel: "whatsapp",
-    chunking: { mode: "split", longTextLength: 5000, maxChunkLength: 4000 },
-    createHarness,
-  });
-
   it("trims leading whitespace for direct text sends", async () => {
     const sendWhatsApp = vi.fn(async () => ({ messageId: "wa-1", toJid: "jid" }));
 
diff --git a/extensions/whatsapp/src/runtime.ts b/extensions/whatsapp/src/runtime.ts
index bf415eb17db..07dd4e3d688 100644
--- a/extensions/whatsapp/src/runtime.ts
+++ b/extensions/whatsapp/src/runtime.ts
@@ -1,4 +1,5 @@
-import { createPluginRuntimeStore, type PluginRuntime } from "openclaw/plugin-sdk/whatsapp";
+import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
+import type { PluginRuntime } from "openclaw/plugin-sdk/core";
 
 const { setRuntime: setWhatsAppRuntime, getRuntime: getWhatsAppRuntime } =
   createPluginRuntimeStore<PluginRuntime>("WhatsApp runtime not initialized");
diff --git a/extensions/whatsapp/src/setup-core.ts b/extensions/whatsapp/src/setup-core.ts
new file mode 100644
index 00000000000..2b243743076
--- /dev/null
+++ b/extensions/whatsapp/src/setup-core.ts
@@ -0,0 +1,52 @@
+import {
+  applyAccountNameToChannelSection,
+  migrateBaseNameToDefaultAccount,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import { normalizeAccountId } from "../../../src/routing/session-key.js";
+
+const channel = "whatsapp" as const;
+
+export const whatsappSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+      alwaysUseAccounts: true,
+    }),
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name: input.name,
+      alwaysUseAccounts: true,
+    });
+    const next = migrateBaseNameToDefaultAccount({
+      cfg: namedConfig,
+      channelKey: channel,
+      alwaysUseAccounts: true,
+    });
+    const entry = {
+      ...next.channels?.whatsapp?.accounts?.[accountId],
+      ...(input.authDir ? { authDir: input.authDir } : {}),
+      enabled: true,
+    };
+    return {
+      ...next,
+      channels: {
+        ...next.channels,
+        whatsapp: {
+          ...next.channels?.whatsapp,
+          accounts: {
+            ...next.channels?.whatsapp?.accounts,
+            [accountId]: entry,
+          },
+        },
+      },
+    };
+  },
+};
diff --git a/extensions/whatsapp/src/onboarding.test.ts b/extensions/whatsapp/src/setup-surface.test.ts
similarity index 97%
rename from extensions/whatsapp/src/onboarding.test.ts
rename to extensions/whatsapp/src/setup-surface.test.ts
index bf816e3f03d..51295d30a1b 100644
--- a/extensions/whatsapp/src/onboarding.test.ts
+++ b/extensions/whatsapp/src/setup-surface.test.ts
@@ -1,5 +1,5 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
-import { buildChannelOnboardingAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
 import { DEFAULT_ACCOUNT_ID } from "../../../src/routing/session-key.js";
 import type { RuntimeEnv } from "../../../src/runtime.js";
 import type { WizardPrompter } from "../../../src/wizard/prompts.js";
@@ -83,7 +83,7 @@ function createRuntime(): RuntimeEnv {
   } as unknown as RuntimeEnv;
 }
 
-const whatsappConfigureAdapter = buildChannelOnboardingAdapterFromSetupWizard({
+const whatsappConfigureAdapter = buildChannelSetupWizardAdapterFromSetupWizard({
   plugin: whatsappPlugin,
   wizard: whatsappPlugin.setupWizard!,
 });
diff --git a/extensions/whatsapp/src/setup-surface.ts b/extensions/whatsapp/src/setup-surface.ts
index 180f84a3fbf..4210b5772af 100644
--- a/extensions/whatsapp/src/setup-surface.ts
+++ b/extensions/whatsapp/src/setup-surface.ts
@@ -2,15 +2,10 @@ import path from "node:path";
 import { loginWeb } from "../../../src/channel-web.js";
 import {
   normalizeAllowFromEntries,
-  splitOnboardingEntries,
-} from "../../../src/channels/plugins/onboarding/helpers.js";
-import { setOnboardingChannelEnabled } from "../../../src/channels/plugins/onboarding/helpers.js";
-import {
-  applyAccountNameToChannelSection,
-  migrateBaseNameToDefaultAccount,
-} from "../../../src/channels/plugins/setup-helpers.js";
+  splitSetupEntries,
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import { setSetupChannelEnabled } from "../../../src/channels/plugins/setup-wizard-helpers.js";
 import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
-import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
 import { formatCliCommand } from "../../../src/cli/command-format.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
 import { mergeWhatsAppConfig } from "../../../src/config/merge-config.js";
@@ -19,6 +14,7 @@ import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/ses
 import { formatDocsLink } from "../../../src/terminal/links.js";
 import { normalizeE164, pathExists } from "../../../src/utils.js";
 import { listWhatsAppAccountIds, resolveWhatsAppAuthDir } from "./accounts.js";
+import { whatsappSetupAdapter } from "./setup-core.js";
 
 const channel = "whatsapp" as const;
 
@@ -100,7 +96,7 @@ async function applyWhatsAppOwnerAllowlist(params: {
 }
 
 function parseWhatsAppAllowFromEntries(raw: string): { entries: string[]; invalidEntry?: string } {
-  const parts = splitOnboardingEntries(raw);
+  const parts = splitSetupEntries(raw);
   if (parts.length === 0) {
     return { entries: [] };
   }
@@ -247,50 +243,6 @@ async function promptWhatsAppDmAccess(params: {
   return setWhatsAppAllowFrom(next, parsed.entries);
 }
 
-export const whatsappSetupAdapter: ChannelSetupAdapter = {
-  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-  applyAccountName: ({ cfg, accountId, name }) =>
-    applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name,
-      alwaysUseAccounts: true,
-    }),
-  applyAccountConfig: ({ cfg, accountId, input }) => {
-    const namedConfig = applyAccountNameToChannelSection({
-      cfg,
-      channelKey: channel,
-      accountId,
-      name: input.name,
-      alwaysUseAccounts: true,
-    });
-    const next = migrateBaseNameToDefaultAccount({
-      cfg: namedConfig,
-      channelKey: channel,
-      alwaysUseAccounts: true,
-    });
-    const entry = {
-      ...next.channels?.whatsapp?.accounts?.[accountId],
-      ...(input.authDir ? { authDir: input.authDir } : {}),
-      enabled: true,
-    };
-    return {
-      ...next,
-      channels: {
-        ...next.channels,
-        whatsapp: {
-          ...next.channels?.whatsapp,
-          accounts: {
-            ...next.channels?.whatsapp?.accounts,
-            [accountId]: entry,
-          },
-        },
-      },
-    };
-  },
-};
-
 export const whatsappSetupWizard: ChannelSetupWizard = {
   channel,
   status: {
@@ -378,7 +330,7 @@ export const whatsappSetupWizard: ChannelSetupWizard = {
     });
     return { cfg: next };
   },
-  disable: (cfg) => setOnboardingChannelEnabled(cfg, channel, false),
+  disable: (cfg) => setSetupChannelEnabled(cfg, channel, false),
   onAccountRecorded: (accountId, options) => {
     options?.onWhatsAppAccountId?.(accountId);
   },
diff --git a/extensions/xai/index.ts b/extensions/xai/index.ts
new file mode 100644
index 00000000000..98731023653
--- /dev/null
+++ b/extensions/xai/index.ts
@@ -0,0 +1,74 @@
+import { normalizeProviderId } from "../../src/agents/model-selection.js";
+import {
+  createPluginBackedWebSearchProvider,
+  getScopedCredentialValue,
+  setScopedCredentialValue,
+} from "../../src/agents/tools/web-search-plugin-factory.js";
+import { applyXaiConfig, XAI_DEFAULT_MODEL_REF } from "../../src/commands/onboard-auth.js";
+import { emptyPluginConfigSchema } from "../../src/plugins/config-schema.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
+import type { OpenClawPluginApi } from "../../src/plugins/types.js";
+
+const PROVIDER_ID = "xai";
+const XAI_MODERN_MODEL_PREFIXES = ["grok-4"] as const;
+
+function matchesModernXaiModel(modelId: string): boolean {
+  const normalized = modelId.trim().toLowerCase();
+  return XAI_MODERN_MODEL_PREFIXES.some((prefix) => normalized.startsWith(prefix));
+}
+
+const xaiPlugin = {
+  id: "xai",
+  name: "xAI Plugin",
+  description: "Bundled xAI plugin",
+  configSchema: emptyPluginConfigSchema(),
+  register(api: OpenClawPluginApi) {
+    api.registerProvider({
+      id: PROVIDER_ID,
+      label: "xAI",
+      docsPath: "/providers/models",
+      envVars: ["XAI_API_KEY"],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "xAI API key",
+          hint: "API key",
+          optionKey: "xaiApiKey",
+          flagName: "--xai-api-key",
+          envVar: "XAI_API_KEY",
+          promptMessage: "Enter xAI API key",
+          defaultModel: XAI_DEFAULT_MODEL_REF,
+          expectedProviders: ["xai"],
+          applyConfig: (cfg) => applyXaiConfig(cfg),
+          wizard: {
+            choiceId: "xai-api-key",
+            choiceLabel: "xAI API key",
+            groupId: "xai",
+            groupLabel: "xAI (Grok)",
+            groupHint: "API key",
+          },
+        }),
+      ],
+      isModernModelRef: ({ provider, modelId }) =>
+        normalizeProviderId(provider) === "xai" ? matchesModernXaiModel(modelId) : undefined,
+    });
+    api.registerWebSearchProvider(
+      createPluginBackedWebSearchProvider({
+        id: "grok",
+        label: "Grok (xAI)",
+        hint: "xAI web-grounded responses",
+        envVars: ["XAI_API_KEY"],
+        placeholder: "xai-...",
+        signupUrl: "https://console.x.ai/",
+        docsUrl: "https://docs.openclaw.ai/tools/web",
+        autoDetectOrder: 30,
+        getCredentialValue: (searchConfig) => getScopedCredentialValue(searchConfig, "grok"),
+        setCredentialValue: (searchConfigTarget, value) =>
+          setScopedCredentialValue(searchConfigTarget, "grok", value),
+      }),
+    );
+  },
+};
+
+export default xaiPlugin;
diff --git a/extensions/xai/openclaw.plugin.json b/extensions/xai/openclaw.plugin.json
new file mode 100644
index 00000000000..8cb2d8f5cfc
--- /dev/null
+++ b/extensions/xai/openclaw.plugin.json
@@ -0,0 +1,27 @@
+{
+  "id": "xai",
+  "providers": ["xai"],
+  "providerAuthEnvVars": {
+    "xai": ["XAI_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "xai",
+      "method": "api-key",
+      "choiceId": "xai-api-key",
+      "choiceLabel": "xAI API key",
+      "groupId": "xai",
+      "groupLabel": "xAI (Grok)",
+      "groupHint": "API key",
+      "optionKey": "xaiApiKey",
+      "cliFlag": "--xai-api-key",
+      "cliOption": "--xai-api-key <key>",
+      "cliDescription": "xAI API key"
+    }
+  ],
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {}
+  }
+}
diff --git a/extensions/xai/package.json b/extensions/xai/package.json
new file mode 100644
index 00000000000..be904ee3c89
--- /dev/null
+++ b/extensions/xai/package.json
@@ -0,0 +1,12 @@
+{
+  "name": "@openclaw/xai-plugin",
+  "version": "2026.3.14",
+  "private": true,
+  "description": "OpenClaw xAI plugin",
+  "type": "module",
+  "openclaw": {
+    "extensions": [
+      "./index.ts"
+    ]
+  }
+}
diff --git a/extensions/xiaomi/index.ts b/extensions/xiaomi/index.ts
index 37d7d799691..4987b18c8fd 100644
--- a/extensions/xiaomi/index.ts
+++ b/extensions/xiaomi/index.ts
@@ -1,6 +1,8 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildXiaomiProvider } from "../../src/agents/models-config.providers.static.js";
+import { applyXiaomiConfig, XIAOMI_DEFAULT_MODEL_REF } from "../../src/commands/onboard-auth.js";
 import { PROVIDER_LABELS } from "../../src/infra/provider-usage.shared.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "xiaomi";
 
@@ -15,7 +17,28 @@ const xiaomiPlugin = {
       label: "Xiaomi",
       docsPath: "/providers/xiaomi",
       envVars: ["XIAOMI_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Xiaomi API key",
+          hint: "API key",
+          optionKey: "xiaomiApiKey",
+          flagName: "--xiaomi-api-key",
+          envVar: "XIAOMI_API_KEY",
+          promptMessage: "Enter Xiaomi API key",
+          defaultModel: XIAOMI_DEFAULT_MODEL_REF,
+          expectedProviders: ["xiaomi"],
+          applyConfig: (cfg) => applyXiaomiConfig(cfg),
+          wizard: {
+            choiceId: "xiaomi-api-key",
+            choiceLabel: "Xiaomi API key",
+            groupId: "xiaomi",
+            groupLabel: "Xiaomi",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/xiaomi/openclaw.plugin.json b/extensions/xiaomi/openclaw.plugin.json
index 78c758c6571..61bec4e1473 100644
--- a/extensions/xiaomi/openclaw.plugin.json
+++ b/extensions/xiaomi/openclaw.plugin.json
@@ -1,6 +1,24 @@
 {
   "id": "xiaomi",
   "providers": ["xiaomi"],
+  "providerAuthEnvVars": {
+    "xiaomi": ["XIAOMI_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "xiaomi",
+      "method": "api-key",
+      "choiceId": "xiaomi-api-key",
+      "choiceLabel": "Xiaomi API key",
+      "groupId": "xiaomi",
+      "groupLabel": "Xiaomi",
+      "groupHint": "API key",
+      "optionKey": "xiaomiApiKey",
+      "cliFlag": "--xiaomi-api-key",
+      "cliOption": "--xiaomi-api-key <key>",
+      "cliDescription": "Xiaomi API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/zai/detect.ts b/extensions/zai/detect.ts
new file mode 100644
index 00000000000..07f06a9f052
--- /dev/null
+++ b/extensions/zai/detect.ts
@@ -0,0 +1,21 @@
+import {
+  detectZaiEndpoint as detectZaiEndpointCore,
+  type ZaiDetectedEndpoint,
+  type ZaiEndpointId,
+} from "../../src/commands/zai-endpoint-detect.js";
+
+type DetectZaiEndpointFn = typeof detectZaiEndpointCore;
+
+let detectZaiEndpointImpl: DetectZaiEndpointFn = detectZaiEndpointCore;
+
+export function setDetectZaiEndpointForTesting(fn?: DetectZaiEndpointFn): void {
+  detectZaiEndpointImpl = fn ?? detectZaiEndpointCore;
+}
+
+export async function detectZaiEndpoint(
+  ...args: Parameters<DetectZaiEndpointFn>
+): ReturnType<DetectZaiEndpointFn> {
+  return await detectZaiEndpointImpl(...args);
+}
+
+export type { ZaiDetectedEndpoint, ZaiEndpointId };
diff --git a/extensions/zai/index.test.ts b/extensions/zai/index.test.ts
deleted file mode 100644
index 119309d31a3..00000000000
--- a/extensions/zai/index.test.ts
+++ /dev/null
@@ -1,112 +0,0 @@
-import { describe, expect, it } from "vitest";
-import type { ProviderPlugin } from "../../src/plugins/types.js";
-import {
-  createProviderUsageFetch,
-  makeResponse,
-} from "../../src/test-utils/provider-usage-fetch.js";
-import zaiPlugin from "./index.js";
-
-function registerProvider(): ProviderPlugin {
-  let provider: ProviderPlugin | undefined;
-  zaiPlugin.register({
-    registerProvider(nextProvider: ProviderPlugin) {
-      provider = nextProvider;
-    },
-  } as never);
-  if (!provider) {
-    throw new Error("provider registration missing");
-  }
-  return provider;
-}
-
-describe("zai plugin", () => {
-  it("owns glm-5 forward-compat resolution", () => {
-    const provider = registerProvider();
-    const model = provider.resolveDynamicModel?.({
-      provider: "zai",
-      modelId: "glm-5",
-      modelRegistry: {
-        find: (_provider: string, id: string) =>
-          id === "glm-4.7"
-            ? {
-                id,
-                name: id,
-                api: "openai-completions",
-                provider: "zai",
-                baseUrl: "https://api.z.ai/api/paas/v4",
-                reasoning: false,
-                input: ["text"],
-                cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-                contextWindow: 202_752,
-                maxTokens: 16_384,
-              }
-            : null,
-      } as never,
-    });
-
-    expect(model).toMatchObject({
-      id: "glm-5",
-      provider: "zai",
-      api: "openai-completions",
-      reasoning: true,
-    });
-  });
-
-  it("owns usage auth resolution", async () => {
-    const provider = registerProvider();
-    await expect(
-      provider.resolveUsageAuth?.({
-        config: {} as never,
-        env: {
-          ZAI_API_KEY: "env-zai-token",
-        } as NodeJS.ProcessEnv,
-        provider: "zai",
-        resolveApiKeyFromConfigAndStore: () => "env-zai-token",
-        resolveOAuthToken: async () => null,
-      }),
-    ).resolves.toEqual({
-      token: "env-zai-token",
-    });
-  });
-
-  it("owns usage snapshot fetching", async () => {
-    const provider = registerProvider();
-    const mockFetch = createProviderUsageFetch(async (url) => {
-      if (url.includes("api.z.ai/api/monitor/usage/quota/limit")) {
-        return makeResponse(200, {
-          success: true,
-          code: 200,
-          data: {
-            planName: "Pro",
-            limits: [
-              {
-                type: "TOKENS_LIMIT",
-                percentage: 25,
-                unit: 3,
-                number: 6,
-                nextResetTime: "2026-01-07T06:00:00Z",
-              },
-            ],
-          },
-        });
-      }
-      return makeResponse(404, "not found");
-    });
-
-    await expect(
-      provider.fetchUsageSnapshot?.({
-        config: {} as never,
-        env: {} as NodeJS.ProcessEnv,
-        provider: "zai",
-        token: "env-zai-token",
-        timeoutMs: 5_000,
-        fetchFn: mockFetch as unknown as typeof fetch,
-      }),
-    ).resolves.toEqual({
-      provider: "zai",
-      displayName: "z.ai",
-      windows: [{ label: "Tokens (6h)", usedPercent: 25, resetAt: 1_767_765_600_000 }],
-      plan: "Pro",
-    });
-  });
-});
diff --git a/extensions/zai/index.ts b/extensions/zai/index.ts
index d9b81b87dda..16f1c311ea3 100644
--- a/extensions/zai/index.ts
+++ b/extensions/zai/index.ts
@@ -4,18 +4,38 @@ import path from "node:path";
 import {
   emptyPluginConfigSchema,
   type OpenClawPluginApi,
+  type ProviderAuthContext,
+  type ProviderAuthMethod,
+  type ProviderAuthMethodNonInteractiveContext,
   type ProviderResolveDynamicModelContext,
   type ProviderRuntimeModel,
 } from "openclaw/plugin-sdk/core";
+import { upsertAuthProfile } from "../../src/agents/auth-profiles.js";
 import { DEFAULT_CONTEXT_TOKENS } from "../../src/agents/defaults.js";
 import { normalizeModelCompat } from "../../src/agents/model-compat.js";
 import { createZaiToolStreamWrapper } from "../../src/agents/pi-embedded-runner/zai-stream-wrappers.js";
+import {
+  normalizeApiKeyInput,
+  validateApiKeyInput,
+} from "../../src/commands/auth-choice.api-key.js";
+import { ensureApiKeyFromOptionEnvOrPrompt } from "../../src/commands/auth-choice.apply-helpers.js";
+import { buildApiKeyCredential } from "../../src/commands/onboard-auth.credentials.js";
+import {
+  applyAuthProfileConfig,
+  applyZaiConfig,
+  applyZaiProviderConfig,
+  ZAI_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import type { SecretInput } from "../../src/config/types.secrets.js";
 import { resolveRequiredHomeDir } from "../../src/infra/home-dir.js";
 import { fetchZaiUsage } from "../../src/infra/provider-usage.fetch.js";
+import { normalizeOptionalSecretInput } from "../../src/utils/normalize-secret-input.js";
+import { detectZaiEndpoint, type ZaiEndpointId } from "./detect.js";
 
 const PROVIDER_ID = "zai";
 const GLM5_MODEL_ID = "glm-5";
 const GLM5_TEMPLATE_MODEL_ID = "glm-4.7";
+const PROFILE_ID = "zai:default";
 
 function resolveGlm5ForwardCompatModel(
   ctx: ProviderResolveDynamicModelContext,
@@ -73,6 +93,168 @@ function resolveLegacyZaiUsageToken(env: NodeJS.ProcessEnv): string | undefined
   }
 }
 
+function resolveZaiDefaultModel(modelIdOverride?: string): string {
+  return modelIdOverride ? `zai/${modelIdOverride}` : ZAI_DEFAULT_MODEL_REF;
+}
+
+async function promptForZaiEndpoint(ctx: ProviderAuthContext): Promise<ZaiEndpointId> {
+  return await ctx.prompter.select<ZaiEndpointId>({
+    message: "Select Z.AI endpoint",
+    initialValue: "global",
+    options: [
+      { value: "global", label: "Global", hint: "Z.AI Global (api.z.ai)" },
+      { value: "cn", label: "CN", hint: "Z.AI CN (open.bigmodel.cn)" },
+      {
+        value: "coding-global",
+        label: "Coding-Plan-Global",
+        hint: "GLM Coding Plan Global (api.z.ai)",
+      },
+      {
+        value: "coding-cn",
+        label: "Coding-Plan-CN",
+        hint: "GLM Coding Plan CN (open.bigmodel.cn)",
+      },
+    ],
+  });
+}
+
+async function runZaiApiKeyAuth(
+  ctx: ProviderAuthContext,
+  endpoint?: ZaiEndpointId,
+): Promise<{
+  profiles: Array<{ profileId: string; credential: ReturnType<typeof buildApiKeyCredential> }>;
+  configPatch: ReturnType<typeof applyZaiProviderConfig>;
+  defaultModel: string;
+  notes?: string[];
+}> {
+  let capturedSecretInput: SecretInput | undefined;
+  let capturedCredential = false;
+  let capturedMode: "plaintext" | "ref" | undefined;
+  const apiKey = await ensureApiKeyFromOptionEnvOrPrompt({
+    token:
+      normalizeOptionalSecretInput(ctx.opts?.zaiApiKey) ??
+      normalizeOptionalSecretInput(ctx.opts?.token),
+    tokenProvider: normalizeOptionalSecretInput(ctx.opts?.zaiApiKey)
+      ? PROVIDER_ID
+      : normalizeOptionalSecretInput(ctx.opts?.tokenProvider),
+    secretInputMode:
+      ctx.allowSecretRefPrompt === false
+        ? (ctx.secretInputMode ?? "plaintext")
+        : ctx.secretInputMode,
+    config: ctx.config,
+    expectedProviders: [PROVIDER_ID, "z-ai"],
+    provider: PROVIDER_ID,
+    envLabel: "ZAI_API_KEY",
+    promptMessage: "Enter Z.AI API key",
+    normalize: normalizeApiKeyInput,
+    validate: validateApiKeyInput,
+    prompter: ctx.prompter,
+    setCredential: async (key, mode) => {
+      capturedSecretInput = key;
+      capturedCredential = true;
+      capturedMode = mode;
+    },
+  });
+  if (!capturedCredential) {
+    throw new Error("Missing Z.AI API key.");
+  }
+  const credentialInput = capturedSecretInput ?? "";
+
+  const detected = await detectZaiEndpoint({ apiKey, ...(endpoint ? { endpoint } : {}) });
+  const modelIdOverride = detected?.modelId;
+  const nextEndpoint = detected?.endpoint ?? endpoint ?? (await promptForZaiEndpoint(ctx));
+  return {
+    profiles: [
+      {
+        profileId: PROFILE_ID,
+        credential: buildApiKeyCredential(
+          PROVIDER_ID,
+          credentialInput,
+          undefined,
+          capturedMode ? { secretInputMode: capturedMode } : undefined,
+        ),
+      },
+    ],
+    configPatch: applyZaiProviderConfig(ctx.config, {
+      ...(nextEndpoint ? { endpoint: nextEndpoint } : {}),
+      ...(modelIdOverride ? { modelId: modelIdOverride } : {}),
+    }),
+    defaultModel: resolveZaiDefaultModel(modelIdOverride),
+    ...(detected?.note ? { notes: [detected.note] } : {}),
+  };
+}
+
+async function runZaiApiKeyAuthNonInteractive(
+  ctx: ProviderAuthMethodNonInteractiveContext,
+  endpoint?: ZaiEndpointId,
+) {
+  const resolved = await ctx.resolveApiKey({
+    provider: PROVIDER_ID,
+    flagValue: normalizeOptionalSecretInput(ctx.opts.zaiApiKey),
+    flagName: "--zai-api-key",
+    envVar: "ZAI_API_KEY",
+  });
+  if (!resolved) {
+    return null;
+  }
+  const detected = await detectZaiEndpoint({
+    apiKey: resolved.key,
+    ...(endpoint ? { endpoint } : {}),
+  });
+  const modelIdOverride = detected?.modelId;
+  const nextEndpoint = detected?.endpoint ?? endpoint;
+
+  if (resolved.source !== "profile") {
+    const credential = ctx.toApiKeyCredential({
+      provider: PROVIDER_ID,
+      resolved,
+    });
+    if (!credential) {
+      return null;
+    }
+    upsertAuthProfile({
+      profileId: PROFILE_ID,
+      credential,
+      agentDir: ctx.agentDir,
+    });
+  }
+
+  const next = applyAuthProfileConfig(ctx.config, {
+    profileId: PROFILE_ID,
+    provider: PROVIDER_ID,
+    mode: "api_key",
+  });
+  return applyZaiConfig(next, {
+    ...(nextEndpoint ? { endpoint: nextEndpoint } : {}),
+    ...(modelIdOverride ? { modelId: modelIdOverride } : {}),
+  });
+}
+
+function buildZaiApiKeyMethod(params: {
+  id: string;
+  choiceId: string;
+  choiceLabel: string;
+  choiceHint?: string;
+  endpoint?: ZaiEndpointId;
+}): ProviderAuthMethod {
+  return {
+    id: params.id,
+    label: params.choiceLabel,
+    hint: params.choiceHint,
+    kind: "api_key",
+    wizard: {
+      choiceId: params.choiceId,
+      choiceLabel: params.choiceLabel,
+      ...(params.choiceHint ? { choiceHint: params.choiceHint } : {}),
+      groupId: "zai",
+      groupLabel: "Z.AI",
+      groupHint: "GLM Coding Plan / Global / CN",
+    },
+    run: async (ctx) => await runZaiApiKeyAuth(ctx, params.endpoint),
+    runNonInteractive: async (ctx) => await runZaiApiKeyAuthNonInteractive(ctx, params.endpoint),
+  };
+}
+
 const zaiPlugin = {
   id: PROVIDER_ID,
   name: "Z.AI Provider",
@@ -85,7 +267,41 @@ const zaiPlugin = {
       aliases: ["z-ai", "z.ai"],
       docsPath: "/providers/models",
       envVars: ["ZAI_API_KEY", "Z_AI_API_KEY"],
-      auth: [],
+      auth: [
+        buildZaiApiKeyMethod({
+          id: "api-key",
+          choiceId: "zai-api-key",
+          choiceLabel: "Z.AI API key",
+        }),
+        buildZaiApiKeyMethod({
+          id: "coding-global",
+          choiceId: "zai-coding-global",
+          choiceLabel: "Coding-Plan-Global",
+          choiceHint: "GLM Coding Plan Global (api.z.ai)",
+          endpoint: "coding-global",
+        }),
+        buildZaiApiKeyMethod({
+          id: "coding-cn",
+          choiceId: "zai-coding-cn",
+          choiceLabel: "Coding-Plan-CN",
+          choiceHint: "GLM Coding Plan CN (open.bigmodel.cn)",
+          endpoint: "coding-cn",
+        }),
+        buildZaiApiKeyMethod({
+          id: "global",
+          choiceId: "zai-global",
+          choiceLabel: "Global",
+          choiceHint: "Z.AI Global (api.z.ai)",
+          endpoint: "global",
+        }),
+        buildZaiApiKeyMethod({
+          id: "cn",
+          choiceId: "zai-cn",
+          choiceLabel: "CN",
+          choiceHint: "Z.AI CN (open.bigmodel.cn)",
+          endpoint: "cn",
+        }),
+      ],
       resolveDynamicModel: (ctx) => resolveGlm5ForwardCompatModel(ctx),
       prepareExtraParams: (ctx) => {
         if (ctx.extraParams?.tool_stream !== undefined) {
@@ -98,6 +314,16 @@ const zaiPlugin = {
       },
       wrapStreamFn: (ctx) =>
         createZaiToolStreamWrapper(ctx.streamFn, ctx.extraParams?.tool_stream !== false),
+      isBinaryThinking: () => true,
+      isModernModelRef: ({ modelId }) => {
+        const lower = modelId.trim().toLowerCase();
+        return (
+          lower.startsWith("glm-5") ||
+          lower.startsWith("glm-4.7") ||
+          lower.startsWith("glm-4.7-flash") ||
+          lower.startsWith("glm-4.7-flashx")
+        );
+      },
       resolveUsageAuth: async (ctx) => {
         const apiKey = ctx.resolveApiKeyFromConfigAndStore({
           providerIds: [PROVIDER_ID, "z-ai"],
diff --git a/extensions/zai/openclaw.plugin.json b/extensions/zai/openclaw.plugin.json
index 5e23160ddb6..2a7e1c8b40a 100644
--- a/extensions/zai/openclaw.plugin.json
+++ b/extensions/zai/openclaw.plugin.json
@@ -1,6 +1,80 @@
 {
   "id": "zai",
   "providers": ["zai"],
+  "providerAuthEnvVars": {
+    "zai": ["ZAI_API_KEY", "Z_AI_API_KEY"]
+  },
+  "providerAuthChoices": [
+    {
+      "provider": "zai",
+      "method": "api-key",
+      "choiceId": "zai-api-key",
+      "choiceLabel": "Z.AI API key",
+      "groupId": "zai",
+      "groupLabel": "Z.AI",
+      "groupHint": "GLM Coding Plan / Global / CN",
+      "optionKey": "zaiApiKey",
+      "cliFlag": "--zai-api-key",
+      "cliOption": "--zai-api-key <key>",
+      "cliDescription": "Z.AI API key"
+    },
+    {
+      "provider": "zai",
+      "method": "coding-global",
+      "choiceId": "zai-coding-global",
+      "choiceLabel": "Coding-Plan-Global",
+      "choiceHint": "GLM Coding Plan Global (api.z.ai)",
+      "groupId": "zai",
+      "groupLabel": "Z.AI",
+      "groupHint": "GLM Coding Plan / Global / CN",
+      "optionKey": "zaiApiKey",
+      "cliFlag": "--zai-api-key",
+      "cliOption": "--zai-api-key <key>",
+      "cliDescription": "Z.AI API key"
+    },
+    {
+      "provider": "zai",
+      "method": "coding-cn",
+      "choiceId": "zai-coding-cn",
+      "choiceLabel": "Coding-Plan-CN",
+      "choiceHint": "GLM Coding Plan CN (open.bigmodel.cn)",
+      "groupId": "zai",
+      "groupLabel": "Z.AI",
+      "groupHint": "GLM Coding Plan / Global / CN",
+      "optionKey": "zaiApiKey",
+      "cliFlag": "--zai-api-key",
+      "cliOption": "--zai-api-key <key>",
+      "cliDescription": "Z.AI API key"
+    },
+    {
+      "provider": "zai",
+      "method": "global",
+      "choiceId": "zai-global",
+      "choiceLabel": "Global",
+      "choiceHint": "Z.AI Global (api.z.ai)",
+      "groupId": "zai",
+      "groupLabel": "Z.AI",
+      "groupHint": "GLM Coding Plan / Global / CN",
+      "optionKey": "zaiApiKey",
+      "cliFlag": "--zai-api-key",
+      "cliOption": "--zai-api-key <key>",
+      "cliDescription": "Z.AI API key"
+    },
+    {
+      "provider": "zai",
+      "method": "cn",
+      "choiceId": "zai-cn",
+      "choiceLabel": "CN",
+      "choiceHint": "Z.AI CN (open.bigmodel.cn)",
+      "groupId": "zai",
+      "groupLabel": "Z.AI",
+      "groupHint": "GLM Coding Plan / Global / CN",
+      "optionKey": "zaiApiKey",
+      "cliFlag": "--zai-api-key",
+      "cliOption": "--zai-api-key <key>",
+      "cliDescription": "Z.AI API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/zalo/index.ts b/extensions/zalo/index.ts
index 3028b8b492f..ef62ee6e560 100644
--- a/extensions/zalo/index.ts
+++ b/extensions/zalo/index.ts
@@ -1,6 +1,6 @@
 import type { OpenClawPluginApi } from "openclaw/plugin-sdk/zalo";
 import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/zalo";
-import { zaloDock, zaloPlugin } from "./src/channel.js";
+import { zaloPlugin } from "./src/channel.js";
 import { setZaloRuntime } from "./src/runtime.js";
 
 const plugin = {
@@ -10,7 +10,7 @@ const plugin = {
   configSchema: emptyPluginConfigSchema(),
   register(api: OpenClawPluginApi) {
     setZaloRuntime(api.runtime);
-    api.registerChannel({ plugin: zaloPlugin, dock: zaloDock });
+    api.registerChannel(zaloPlugin);
   },
 };
 
diff --git a/extensions/zalo/package.json b/extensions/zalo/package.json
index a72aabbb29e..b6ab61f7cee 100644
--- a/extensions/zalo/package.json
+++ b/extensions/zalo/package.json
@@ -11,6 +11,7 @@
     "extensions": [
       "./index.ts"
     ],
+    "setupEntry": "./setup-entry.ts",
     "channel": {
       "id": "zalo",
       "label": "Zalo",
diff --git a/extensions/zalo/setup-entry.ts b/extensions/zalo/setup-entry.ts
new file mode 100644
index 00000000000..dd8ca1b70f8
--- /dev/null
+++ b/extensions/zalo/setup-entry.ts
@@ -0,0 +1,5 @@
+import { zaloPlugin } from "./src/channel.js";
+
+export default {
+  plugin: zaloPlugin,
+};
diff --git a/extensions/zalo/src/actions.ts b/extensions/zalo/src/actions.ts
index 4604cc77310..4f6108fa892 100644
--- a/extensions/zalo/src/actions.ts
+++ b/extensions/zalo/src/actions.ts
@@ -24,7 +24,7 @@ export const zaloMessageActions: ChannelMessageActionAdapter = {
     const actions = new Set<ChannelMessageActionName>(["send"]);
     return Array.from(actions);
   },
-  supportsButtons: () => false,
+  getCapabilities: () => [],
   extractToolSend: ({ args }) => extractToolSend(args, "sendMessage"),
   handleAction: async ({ action, params, cfg, accountId }) => {
     if (action === "send") {
diff --git a/extensions/zalo/src/channel.sendpayload.test.ts b/extensions/zalo/src/channel.sendpayload.test.ts
deleted file mode 100644
index 27acb737f9f..00000000000
--- a/extensions/zalo/src/channel.sendpayload.test.ts
+++ /dev/null
@@ -1,44 +0,0 @@
-import type { ReplyPayload } from "openclaw/plugin-sdk/zalo";
-import { beforeEach, describe, expect, it, vi } from "vitest";
-import {
-  installSendPayloadContractSuite,
-  primeSendMock,
-} from "../../../src/test-utils/send-payload-contract.js";
-import { zaloPlugin } from "./channel.js";
-
-vi.mock("./send.js", () => ({
-  sendMessageZalo: vi.fn().mockResolvedValue({ ok: true, messageId: "zl-1" }),
-}));
-
-function baseCtx(payload: ReplyPayload) {
-  return {
-    cfg: {},
-    to: "123456789",
-    text: "",
-    payload,
-  };
-}
-
-describe("zaloPlugin outbound sendPayload", () => {
-  let mockedSend: ReturnType<typeof vi.mocked<(typeof import("./send.js"))["sendMessageZalo"]>>;
-
-  beforeEach(async () => {
-    const mod = await import("./send.js");
-    mockedSend = vi.mocked(mod.sendMessageZalo);
-    mockedSend.mockClear();
-    mockedSend.mockResolvedValue({ ok: true, messageId: "zl-1" });
-  });
-
-  installSendPayloadContractSuite({
-    channel: "zalo",
-    chunking: { mode: "split", longTextLength: 3000, maxChunkLength: 2000 },
-    createHarness: ({ payload, sendResults }) => {
-      primeSendMock(mockedSend, { ok: true, messageId: "zl-1" }, sendResults);
-      return {
-        run: async () => await zaloPlugin.outbound!.sendPayload!(baseCtx(payload)),
-        sendMock: mockedSend,
-        to: "123456789",
-      };
-    },
-  });
-});
diff --git a/extensions/zalo/src/channel.ts b/extensions/zalo/src/channel.ts
index b374ecfbd63..32ceeeff110 100644
--- a/extensions/zalo/src/channel.ts
+++ b/extensions/zalo/src/channel.ts
@@ -8,13 +8,10 @@ import {
 } from "openclaw/plugin-sdk/compat";
 import type {
   ChannelAccountSnapshot,
-  ChannelDock,
   ChannelPlugin,
   OpenClawConfig,
 } from "openclaw/plugin-sdk/zalo";
 import {
-  applyAccountNameToChannelSection,
-  applySetupAccountConfigPatch,
   buildBaseAccountStatusSnapshot,
   buildChannelConfigSchema,
   buildTokenChannelStatusSummary,
@@ -23,9 +20,7 @@ import {
   deleteAccountFromConfigSection,
   chunkTextForOutbound,
   formatAllowFromLowercase,
-  migrateBaseNameToDefaultAccount,
   listDirectoryUserEntriesFromAllowFrom,
-  normalizeAccountId,
   isNumericTargetId,
   PAIRING_APPROVED_MESSAGE,
   resolveOutboundMediaUrls,
@@ -40,11 +35,12 @@ import {
 } from "./accounts.js";
 import { zaloMessageActions } from "./actions.js";
 import { ZaloConfigSchema } from "./config-schema.js";
-import { zaloOnboardingAdapter } from "./onboarding.js";
 import { probeZalo } from "./probe.js";
 import { resolveZaloProxyFetch } from "./proxy.js";
 import { normalizeSecretInputString } from "./secret-input.js";
 import { sendMessageZalo } from "./send.js";
+import { zaloSetupAdapter } from "./setup-core.js";
+import { zaloSetupWizard } from "./setup-surface.js";
 import { collectZaloStatusIssues } from "./status-issues.js";
 
 const meta = {
@@ -67,32 +63,11 @@ function normalizeZaloMessagingTarget(raw: string): string | undefined {
   return trimmed.replace(/^(zalo|zl):/i, "");
 }
 
-export const zaloDock: ChannelDock = {
-  id: "zalo",
-  capabilities: {
-    chatTypes: ["direct", "group"],
-    media: true,
-    blockStreaming: true,
-  },
-  outbound: { textChunkLimit: 2000 },
-  config: {
-    resolveAllowFrom: ({ cfg, accountId }) =>
-      mapAllowFromEntries(resolveZaloAccount({ cfg: cfg, accountId }).config.allowFrom),
-    formatAllowFrom: ({ allowFrom }) =>
-      formatAllowFromLowercase({ allowFrom, stripPrefixRe: /^(zalo|zl):/i }),
-  },
-  groups: {
-    resolveRequireMention: () => true,
-  },
-  threading: {
-    resolveReplyToMode: () => "off",
-  },
-};
-
 export const zaloPlugin: ChannelPlugin<ResolvedZaloAccount> = {
   id: "zalo",
   meta,
-  onboarding: zaloOnboardingAdapter,
+  setup: zaloSetupAdapter,
+  setupWizard: zaloSetupWizard,
   capabilities: {
     chatTypes: ["direct", "group"],
     media: true,
@@ -212,53 +187,6 @@ export const zaloPlugin: ChannelPlugin<ResolvedZaloAccount> = {
     },
     listGroups: async () => [],
   },
-  setup: {
-    resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-    applyAccountName: ({ cfg, accountId, name }) =>
-      applyAccountNameToChannelSection({
-        cfg: cfg,
-        channelKey: "zalo",
-        accountId,
-        name,
-      }),
-    validateInput: ({ accountId, input }) => {
-      if (input.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
-        return "ZALO_BOT_TOKEN can only be used for the default account.";
-      }
-      if (!input.useEnv && !input.token && !input.tokenFile) {
-        return "Zalo requires token or --token-file (or --use-env).";
-      }
-      return null;
-    },
-    applyAccountConfig: ({ cfg, accountId, input }) => {
-      const namedConfig = applyAccountNameToChannelSection({
-        cfg: cfg,
-        channelKey: "zalo",
-        accountId,
-        name: input.name,
-      });
-      const next =
-        accountId !== DEFAULT_ACCOUNT_ID
-          ? migrateBaseNameToDefaultAccount({
-              cfg: namedConfig,
-              channelKey: "zalo",
-            })
-          : namedConfig;
-      const patch = input.useEnv
-        ? {}
-        : input.tokenFile
-          ? { tokenFile: input.tokenFile }
-          : input.token
-            ? { botToken: input.token }
-            : {};
-      return applySetupAccountConfigPatch({
-        cfg: next,
-        channelKey: "zalo",
-        accountId,
-        patch,
-      });
-    },
-  },
   pairing: {
     idLabel: "zaloUserId",
     normalizeAllowEntry: (entry) => entry.replace(/^(zalo|zl):/i, ""),
diff --git a/extensions/zalo/src/monitor.group-policy.test.ts b/extensions/zalo/src/monitor.group-policy.test.ts
index 2ce0b1be2a2..7a44caab83d 100644
--- a/extensions/zalo/src/monitor.group-policy.test.ts
+++ b/extensions/zalo/src/monitor.group-policy.test.ts
@@ -2,18 +2,6 @@ import { describe, expect, it } from "vitest";
 import { __testing } from "./monitor.js";
 
 describe("zalo group policy access", () => {
-  it("defaults missing provider config to allowlist", () => {
-    const resolved = __testing.resolveZaloRuntimeGroupPolicy({
-      providerConfigPresent: false,
-      groupPolicy: undefined,
-      defaultGroupPolicy: "open",
-    });
-    expect(resolved).toEqual({
-      groupPolicy: "allowlist",
-      providerMissingFallbackApplied: true,
-    });
-  });
-
   it("blocks all group messages when policy is disabled", () => {
     const decision = __testing.evaluateZaloGroupAccess({
       providerConfigPresent: true,
diff --git a/extensions/zalo/src/setup-core.ts b/extensions/zalo/src/setup-core.ts
new file mode 100644
index 00000000000..6e194a41652
--- /dev/null
+++ b/extensions/zalo/src/setup-core.ts
@@ -0,0 +1,57 @@
+import {
+  applyAccountNameToChannelSection,
+  applySetupAccountConfigPatch,
+  migrateBaseNameToDefaultAccount,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+
+const channel = "zalo" as const;
+
+export const zaloSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  validateInput: ({ accountId, input }) => {
+    if (input.useEnv && accountId !== DEFAULT_ACCOUNT_ID) {
+      return "ZALO_BOT_TOKEN can only be used for the default account.";
+    }
+    if (!input.useEnv && !input.token && !input.tokenFile) {
+      return "Zalo requires token or --token-file (or --use-env).";
+    }
+    return null;
+  },
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name: input.name,
+    });
+    const next =
+      accountId !== DEFAULT_ACCOUNT_ID
+        ? migrateBaseNameToDefaultAccount({
+            cfg: namedConfig,
+            channelKey: channel,
+          })
+        : namedConfig;
+    const patch = input.useEnv
+      ? {}
+      : input.tokenFile
+        ? { tokenFile: input.tokenFile }
+        : input.token
+          ? { botToken: input.token }
+          : {};
+    return applySetupAccountConfigPatch({
+      cfg: next,
+      channelKey: channel,
+      accountId,
+      patch,
+    });
+  },
+};
diff --git a/extensions/zalo/src/onboarding.status.test.ts b/extensions/zalo/src/setup-status.test.ts
similarity index 56%
rename from extensions/zalo/src/onboarding.status.test.ts
rename to extensions/zalo/src/setup-status.test.ts
index fed5ea95f89..d8ba9d53d03 100644
--- a/extensions/zalo/src/onboarding.status.test.ts
+++ b/extensions/zalo/src/setup-status.test.ts
@@ -1,10 +1,16 @@
 import type { OpenClawConfig } from "openclaw/plugin-sdk/zalo";
 import { describe, expect, it } from "vitest";
-import { zaloOnboardingAdapter } from "./onboarding.js";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import { zaloPlugin } from "./channel.js";
 
-describe("zalo onboarding status", () => {
+const zaloConfigureAdapter = buildChannelSetupWizardAdapterFromSetupWizard({
+  plugin: zaloPlugin,
+  wizard: zaloPlugin.setupWizard!,
+});
+
+describe("zalo setup wizard status", () => {
   it("treats SecretRef botToken as configured", async () => {
-    const status = await zaloOnboardingAdapter.getStatus({
+    const status = await zaloConfigureAdapter.getStatus({
       cfg: {
         channels: {
           zalo: {
diff --git a/extensions/zalo/src/setup-surface.test.ts b/extensions/zalo/src/setup-surface.test.ts
new file mode 100644
index 00000000000..f00060b50c6
--- /dev/null
+++ b/extensions/zalo/src/setup-surface.test.ts
@@ -0,0 +1,60 @@
+import type { OpenClawConfig, RuntimeEnv, WizardPrompter } from "openclaw/plugin-sdk/zalo";
+import { describe, expect, it, vi } from "vitest";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import { createRuntimeEnv } from "../../test-utils/runtime-env.js";
+import { zaloPlugin } from "./channel.js";
+
+function createPrompter(overrides: Partial<WizardPrompter>): WizardPrompter {
+  return {
+    intro: vi.fn(async () => {}),
+    outro: vi.fn(async () => {}),
+    note: vi.fn(async () => {}),
+    select: vi.fn(async () => "plaintext") as WizardPrompter["select"],
+    multiselect: vi.fn(async () => []),
+    text: vi.fn(async () => "") as WizardPrompter["text"],
+    confirm: vi.fn(async () => false),
+    progress: vi.fn(() => ({ update: vi.fn(), stop: vi.fn() })),
+    ...overrides,
+  };
+}
+
+const zaloConfigureAdapter = buildChannelSetupWizardAdapterFromSetupWizard({
+  plugin: zaloPlugin,
+  wizard: zaloPlugin.setupWizard!,
+});
+
+describe("zalo setup wizard", () => {
+  it("configures a polling token flow", async () => {
+    const prompter = createPrompter({
+      text: vi.fn(async ({ message }: { message: string }) => {
+        if (message === "Enter Zalo bot token") {
+          return "12345689:abc-xyz";
+        }
+        throw new Error(`Unexpected prompt: ${message}`);
+      }) as WizardPrompter["text"],
+      confirm: vi.fn(async ({ message }: { message: string }) => {
+        if (message === "Use webhook mode for Zalo?") {
+          return false;
+        }
+        return false;
+      }),
+    });
+
+    const runtime: RuntimeEnv = createRuntimeEnv();
+
+    const result = await zaloConfigureAdapter.configure({
+      cfg: {} as OpenClawConfig,
+      runtime,
+      prompter,
+      options: { secretInputMode: "plaintext" },
+      accountOverrides: {},
+      shouldPromptAccountIds: false,
+      forceAllowFrom: false,
+    });
+
+    expect(result.accountId).toBe("default");
+    expect(result.cfg.channels?.zalo?.enabled).toBe(true);
+    expect(result.cfg.channels?.zalo?.botToken).toBe("12345689:abc-xyz");
+    expect(result.cfg.channels?.zalo?.webhookUrl).toBeUndefined();
+  });
+});
diff --git a/extensions/zalo/src/onboarding.ts b/extensions/zalo/src/setup-surface.ts
similarity index 73%
rename from extensions/zalo/src/onboarding.ts
rename to extensions/zalo/src/setup-surface.ts
index 4c6f7cbe4de..6ae6a78be0f 100644
--- a/extensions/zalo/src/onboarding.ts
+++ b/extensions/zalo/src/setup-surface.ts
@@ -1,22 +1,19 @@
-import type {
-  ChannelOnboardingAdapter,
-  ChannelOnboardingDmPolicy,
-  OpenClawConfig,
-  SecretInput,
-  WizardPrompter,
-} from "openclaw/plugin-sdk/zalo";
 import {
   buildSingleChannelSecretPromptState,
-  DEFAULT_ACCOUNT_ID,
-  hasConfiguredSecretInput,
   mergeAllowFromEntries,
-  normalizeAccountId,
   promptSingleChannelSecretInput,
   runSingleChannelSecretStep,
-  resolveAccountIdForConfigure,
   setTopLevelChannelDmPolicyWithAllowFrom,
-} from "openclaw/plugin-sdk/zalo";
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
+import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import type { SecretInput } from "../../../src/config/types.secrets.js";
+import { hasConfiguredSecretInput } from "../../../src/config/types.secrets.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
 import { listZaloAccountIds, resolveDefaultZaloAccountId, resolveZaloAccount } from "./accounts.js";
+import { zaloSetupAdapter } from "./setup-core.js";
 
 const channel = "zalo" as const;
 
@@ -28,7 +25,7 @@ function setZaloDmPolicy(
 ) {
   return setTopLevelChannelDmPolicyWithAllowFrom({
     cfg,
-    channel: "zalo",
+    channel,
     dmPolicy,
   }) as OpenClawConfig;
 }
@@ -108,14 +105,16 @@ function setZaloUpdateMode(
   } as OpenClawConfig;
 }
 
-async function noteZaloTokenHelp(prompter: WizardPrompter): Promise<void> {
+async function noteZaloTokenHelp(
+  prompter: Parameters<NonNullable<ChannelSetupWizard["finalize"]>>[0]["prompter"],
+): Promise<void> {
   await prompter.note(
     [
       "1) Open Zalo Bot Platform: https://bot.zaloplatforms.com",
       "2) Create a bot and get the token",
       "3) Token looks like 12345689:abc-xyz",
       "Tip: you can also set ZALO_BOT_TOKEN in your env.",
-      "Docs: https://docs.openclaw.ai/channels/zalo",
+      `Docs: ${formatDocsLink("/channels/zalo", "zalo")}`,
     ].join("\n"),
     "Zalo bot token",
   );
@@ -123,7 +122,7 @@ async function noteZaloTokenHelp(prompter: WizardPrompter): Promise<void> {
 
 async function promptZaloAllowFrom(params: {
   cfg: OpenClawConfig;
-  prompter: WizardPrompter;
+  prompter: Parameters<NonNullable<ChannelSetupDmPolicy["promptAllowFrom"]>>[0]["prompter"];
   accountId: string;
 }): Promise<OpenClawConfig> {
   const { cfg, prompter, accountId } = params;
@@ -183,76 +182,65 @@ async function promptZaloAllowFrom(params: {
   } as OpenClawConfig;
 }
 
-const dmPolicy: ChannelOnboardingDmPolicy = {
+const zaloDmPolicy: ChannelSetupDmPolicy = {
   label: "Zalo",
   channel,
   policyKey: "channels.zalo.dmPolicy",
   allowFromKey: "channels.zalo.allowFrom",
   getCurrent: (cfg) => (cfg.channels?.zalo?.dmPolicy ?? "pairing") as "pairing",
-  setPolicy: (cfg, policy) => setZaloDmPolicy(cfg, policy),
+  setPolicy: (cfg, policy) => setZaloDmPolicy(cfg as OpenClawConfig, policy),
   promptAllowFrom: async ({ cfg, prompter, accountId }) => {
     const id =
       accountId && normalizeAccountId(accountId)
         ? (normalizeAccountId(accountId) ?? DEFAULT_ACCOUNT_ID)
-        : resolveDefaultZaloAccountId(cfg);
-    return promptZaloAllowFrom({
-      cfg: cfg,
+        : resolveDefaultZaloAccountId(cfg as OpenClawConfig);
+    return await promptZaloAllowFrom({
+      cfg: cfg as OpenClawConfig,
       prompter,
       accountId: id,
     });
   },
 };
 
-export const zaloOnboardingAdapter: ChannelOnboardingAdapter = {
-  channel,
-  dmPolicy,
-  getStatus: async ({ cfg }) => {
-    const configured = listZaloAccountIds(cfg).some((accountId) => {
-      const account = resolveZaloAccount({
-        cfg: cfg,
-        accountId,
-        allowUnresolvedSecretRef: true,
-      });
-      return (
-        Boolean(account.token) ||
-        hasConfiguredSecretInput(account.config.botToken) ||
-        Boolean(account.config.tokenFile?.trim())
-      );
-    });
-    return {
-      channel,
-      configured,
-      statusLines: [`Zalo: ${configured ? "configured" : "needs token"}`],
-      selectionHint: configured ? "recommended · configured" : "recommended · newcomer-friendly",
-      quickstartScore: configured ? 1 : 10,
-    };
-  },
-  configure: async ({
-    cfg,
-    prompter,
-    accountOverrides,
-    shouldPromptAccountIds,
-    forceAllowFrom,
-  }) => {
-    const defaultZaloAccountId = resolveDefaultZaloAccountId(cfg);
-    const zaloAccountId = await resolveAccountIdForConfigure({
-      cfg,
-      prompter,
-      label: "Zalo",
-      accountOverride: accountOverrides.zalo,
-      shouldPromptAccountIds,
-      listAccountIds: listZaloAccountIds,
-      defaultAccountId: defaultZaloAccountId,
-    });
+export { zaloSetupAdapter } from "./setup-core.js";
 
+export const zaloSetupWizard: ChannelSetupWizard = {
+  channel,
+  status: {
+    configuredLabel: "configured",
+    unconfiguredLabel: "needs token",
+    configuredHint: "recommended · configured",
+    unconfiguredHint: "recommended · newcomer-friendly",
+    configuredScore: 1,
+    unconfiguredScore: 10,
+    resolveConfigured: ({ cfg }) =>
+      listZaloAccountIds(cfg).some((accountId) => {
+        const account = resolveZaloAccount({
+          cfg,
+          accountId,
+          allowUnresolvedSecretRef: true,
+        });
+        return (
+          Boolean(account.token) ||
+          hasConfiguredSecretInput(account.config.botToken) ||
+          Boolean(account.config.tokenFile?.trim())
+        );
+      }),
+    resolveStatusLines: ({ cfg, configured }) => {
+      void cfg;
+      return [`Zalo: ${configured ? "configured" : "needs token"}`];
+    },
+  },
+  credentials: [],
+  finalize: async ({ cfg, accountId, forceAllowFrom, options, prompter }) => {
     let next = cfg;
     const resolvedAccount = resolveZaloAccount({
       cfg: next,
-      accountId: zaloAccountId,
+      accountId,
       allowUnresolvedSecretRef: true,
     });
     const accountConfigured = Boolean(resolvedAccount.token);
-    const allowEnv = zaloAccountId === DEFAULT_ACCOUNT_ID;
+    const allowEnv = accountId === DEFAULT_ACCOUNT_ID;
     const hasConfigToken = Boolean(
       hasConfiguredSecretInput(resolvedAccount.config.botToken) || resolvedAccount.config.tokenFile,
     );
@@ -261,6 +249,7 @@ export const zaloOnboardingAdapter: ChannelOnboardingAdapter = {
       prompter,
       providerHint: "zalo",
       credentialLabel: "bot token",
+      secretInputMode: options?.secretInputMode,
       accountConfigured,
       hasConfigToken,
       allowEnv,
@@ -270,43 +259,43 @@ export const zaloOnboardingAdapter: ChannelOnboardingAdapter = {
       inputPrompt: "Enter Zalo bot token",
       preferredEnvVar: "ZALO_BOT_TOKEN",
       onMissingConfigured: async () => await noteZaloTokenHelp(prompter),
-      applyUseEnv: async (cfg) =>
-        zaloAccountId === DEFAULT_ACCOUNT_ID
+      applyUseEnv: async (currentCfg) =>
+        accountId === DEFAULT_ACCOUNT_ID
           ? ({
-              ...cfg,
+              ...currentCfg,
               channels: {
-                ...cfg.channels,
+                ...currentCfg.channels,
                 zalo: {
-                  ...cfg.channels?.zalo,
+                  ...currentCfg.channels?.zalo,
                   enabled: true,
                 },
               },
             } as OpenClawConfig)
-          : cfg,
-      applySet: async (cfg, value) =>
-        zaloAccountId === DEFAULT_ACCOUNT_ID
+          : currentCfg,
+      applySet: async (currentCfg, value) =>
+        accountId === DEFAULT_ACCOUNT_ID
           ? ({
-              ...cfg,
+              ...currentCfg,
               channels: {
-                ...cfg.channels,
+                ...currentCfg.channels,
                 zalo: {
-                  ...cfg.channels?.zalo,
+                  ...currentCfg.channels?.zalo,
                   enabled: true,
                   botToken: value,
                 },
               },
             } as OpenClawConfig)
           : ({
-              ...cfg,
+              ...currentCfg,
               channels: {
-                ...cfg.channels,
+                ...currentCfg.channels,
                 zalo: {
-                  ...cfg.channels?.zalo,
+                  ...currentCfg.channels?.zalo,
                   enabled: true,
                   accounts: {
-                    ...cfg.channels?.zalo?.accounts,
-                    [zaloAccountId]: {
-                      ...cfg.channels?.zalo?.accounts?.[zaloAccountId],
+                    ...currentCfg.channels?.zalo?.accounts,
+                    [accountId]: {
+                      ...currentCfg.channels?.zalo?.accounts?.[accountId],
                       enabled: true,
                       botToken: value,
                     },
@@ -337,11 +326,13 @@ export const zaloOnboardingAdapter: ChannelOnboardingAdapter = {
           return "/zalo-webhook";
         }
       })();
+
       let webhookSecretResult = await promptSingleChannelSecretInput({
         cfg: next,
         prompter,
         providerHint: "zalo-webhook",
         credentialLabel: "webhook secret",
+        secretInputMode: options?.secretInputMode,
         ...buildSingleChannelSecretPromptState({
           accountConfigured: hasConfiguredSecretInput(resolvedAccount.config.webhookSecret),
           hasConfigToken: hasConfiguredSecretInput(resolvedAccount.config.webhookSecret),
@@ -363,6 +354,7 @@ export const zaloOnboardingAdapter: ChannelOnboardingAdapter = {
           prompter,
           providerHint: "zalo-webhook",
           credentialLabel: "webhook secret",
+          secretInputMode: options?.secretInputMode,
           ...buildSingleChannelSecretPromptState({
             accountConfigured: false,
             hasConfigToken: false,
@@ -386,24 +378,25 @@ export const zaloOnboardingAdapter: ChannelOnboardingAdapter = {
       ).trim();
       next = setZaloUpdateMode(
         next,
-        zaloAccountId,
+        accountId,
         "webhook",
         webhookUrl,
         webhookSecret,
         webhookPath || undefined,
       );
     } else {
-      next = setZaloUpdateMode(next, zaloAccountId, "polling");
+      next = setZaloUpdateMode(next, accountId, "polling");
     }
 
     if (forceAllowFrom) {
       next = await promptZaloAllowFrom({
         cfg: next,
         prompter,
-        accountId: zaloAccountId,
+        accountId,
       });
     }
 
-    return { cfg: next, accountId: zaloAccountId };
+    return { cfg: next };
   },
+  dmPolicy: zaloDmPolicy,
 };
diff --git a/extensions/zalouser/README.md b/extensions/zalouser/README.md
index c271de8bd4d..ea55c343edb 100644
--- a/extensions/zalouser/README.md
+++ b/extensions/zalouser/README.md
@@ -6,7 +6,7 @@ OpenClaw extension for Zalo Personal Account messaging via native `zca-js` integ
 
 ## Features
 
-- Channel plugin integration with onboarding + QR login
+- Channel plugin integration with setup wizard + QR login
 - In-process listener/sender via `zca-js` (no external CLI)
 - Multi-account support
 - Agent tool integration (`zalouser`)
diff --git a/extensions/zalouser/index.ts b/extensions/zalouser/index.ts
index b169292e954..8d470b043e3 100644
--- a/extensions/zalouser/index.ts
+++ b/extensions/zalouser/index.ts
@@ -1,6 +1,6 @@
 import type { AnyAgentTool, OpenClawPluginApi } from "openclaw/plugin-sdk/zalouser";
 import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/zalouser";
-import { zalouserDock, zalouserPlugin } from "./src/channel.js";
+import { zalouserPlugin } from "./src/channel.js";
 import { setZalouserRuntime } from "./src/runtime.js";
 import { ZalouserToolSchema, executeZalouserTool } from "./src/tool.js";
 
@@ -11,7 +11,10 @@ const plugin = {
   configSchema: emptyPluginConfigSchema(),
   register(api: OpenClawPluginApi) {
     setZalouserRuntime(api.runtime);
-    api.registerChannel({ plugin: zalouserPlugin, dock: zalouserDock });
+    api.registerChannel(zalouserPlugin);
+    if (api.registrationMode !== "full") {
+      return;
+    }
 
     api.registerTool({
       name: "zalouser",
diff --git a/extensions/zalouser/package.json b/extensions/zalouser/package.json
index e7c12c9b4b2..5e3a1070237 100644
--- a/extensions/zalouser/package.json
+++ b/extensions/zalouser/package.json
@@ -12,6 +12,7 @@
     "extensions": [
       "./index.ts"
     ],
+    "setupEntry": "./setup-entry.ts",
     "channel": {
       "id": "zalouser",
       "label": "Zalo Personal",
diff --git a/extensions/zalouser/setup-entry.ts b/extensions/zalouser/setup-entry.ts
new file mode 100644
index 00000000000..f983cad8f80
--- /dev/null
+++ b/extensions/zalouser/setup-entry.ts
@@ -0,0 +1,5 @@
+import { zalouserPlugin } from "./src/channel.js";
+
+export default {
+  plugin: zalouserPlugin,
+};
diff --git a/extensions/zalouser/src/channel.sendpayload.test.ts b/extensions/zalouser/src/channel.sendpayload.test.ts
index 27a8adf2c0d..2c9d5240ba9 100644
--- a/extensions/zalouser/src/channel.sendpayload.test.ts
+++ b/extensions/zalouser/src/channel.sendpayload.test.ts
@@ -1,10 +1,7 @@
 import type { ReplyPayload } from "openclaw/plugin-sdk/zalouser";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import "./accounts.test-mocks.js";
-import {
-  installSendPayloadContractSuite,
-  primeSendMock,
-} from "../../../src/test-utils/send-payload-contract.js";
+import { primeChannelOutboundSendMock } from "../../../src/channels/plugins/contracts/suites.js";
 import { zalouserPlugin } from "./channel.js";
 import { setZalouserRuntime } from "./runtime.js";
 
@@ -36,8 +33,7 @@ describe("zalouserPlugin outbound sendPayload", () => {
     } as never);
     const mod = await import("./send.js");
     mockedSend = vi.mocked(mod.sendMessageZalouser);
-    mockedSend.mockClear();
-    mockedSend.mockResolvedValue({ ok: true, messageId: "zlu-1" });
+    primeChannelOutboundSendMock(mockedSend, { ok: true, messageId: "zlu-1" });
   });
 
   it("group target delegates with isGroup=true and stripped threadId", async () => {
@@ -110,19 +106,6 @@ describe("zalouserPlugin outbound sendPayload", () => {
     );
     expect(result).toMatchObject({ channel: "zalouser", messageId: "zlu-code" });
   });
-
-  installSendPayloadContractSuite({
-    channel: "zalouser",
-    chunking: { mode: "passthrough", longTextLength: 3000 },
-    createHarness: ({ payload, sendResults }) => {
-      primeSendMock(mockedSend, { ok: true, messageId: "zlu-1" }, sendResults);
-      return {
-        run: async () => await zalouserPlugin.outbound!.sendPayload!(baseCtx(payload)),
-        sendMock: mockedSend,
-        to: "987654321",
-      };
-    },
-  });
 });
 
 describe("zalouserPlugin messaging target normalization", () => {
diff --git a/extensions/zalouser/src/channel.ts b/extensions/zalouser/src/channel.ts
index 81fce5e3ab9..7e79b186c3d 100644
--- a/extensions/zalouser/src/channel.ts
+++ b/extensions/zalouser/src/channel.ts
@@ -6,7 +6,6 @@ import {
 import type {
   ChannelAccountSnapshot,
   ChannelDirectoryEntry,
-  ChannelDock,
   ChannelGroupContext,
   ChannelMessageActionAdapter,
   ChannelPlugin,
@@ -14,8 +13,6 @@ import type {
   GroupToolPolicyConfig,
 } from "openclaw/plugin-sdk/zalouser";
 import {
-  applyAccountNameToChannelSection,
-  applySetupAccountConfigPatch,
   buildChannelSendResult,
   buildBaseAccountStatusSnapshot,
   buildChannelConfigSchema,
@@ -24,7 +21,6 @@ import {
   formatAllowFromLowercase,
   isDangerousNameMatchingEnabled,
   isNumericTargetId,
-  migrateBaseNameToDefaultAccount,
   normalizeAccountId,
   sendPayloadWithChunkedTextAndMedia,
   setAccountEnabledInConfigSection,
@@ -41,11 +37,12 @@ import {
 import { ZalouserConfigSchema } from "./config-schema.js";
 import { buildZalouserGroupCandidates, findZalouserGroupEntry } from "./group-policy.js";
 import { resolveZalouserReactionMessageIds } from "./message-sid.js";
-import { zalouserOnboardingAdapter } from "./onboarding.js";
 import { probeZalouser } from "./probe.js";
 import { writeQrDataUrlToTempFile } from "./qr-temp-file.js";
 import { getZalouserRuntime } from "./runtime.js";
 import { sendMessageZalouser, sendReactionZalouser } from "./send.js";
+import { zalouserSetupAdapter } from "./setup-core.js";
+import { zalouserSetupWizard } from "./setup-surface.js";
 import { collectZalouserStatusIssues } from "./status-issues.js";
 import {
   listZaloFriendsMatching,
@@ -69,6 +66,8 @@ const meta = {
   quickstartAllowFrom: true,
 };
 
+const ZALOUSER_TEXT_CHUNK_LIMIT = 2000;
+
 function stripZalouserTargetPrefix(raw: string): string {
   return raw
     .trim()
@@ -174,7 +173,7 @@ function resolveZalouserOutboundChunkMode(cfg: OpenClawConfig, accountId?: strin
 
 function resolveZalouserOutboundTextChunkLimit(cfg: OpenClawConfig, accountId?: string) {
   return getZalouserRuntime().channel.text.resolveTextChunkLimit(cfg, "zalouser", accountId, {
-    fallbackLimit: zalouserDock.outbound?.textChunkLimit ?? 2000,
+    fallbackLimit: ZALOUSER_TEXT_CHUNK_LIMIT,
   });
 }
 
@@ -306,33 +305,11 @@ const zalouserMessageActions: ChannelMessageActionAdapter = {
   },
 };
 
-export const zalouserDock: ChannelDock = {
-  id: "zalouser",
-  capabilities: {
-    chatTypes: ["direct", "group"],
-    media: true,
-    blockStreaming: true,
-  },
-  outbound: { textChunkLimit: 2000 },
-  config: {
-    resolveAllowFrom: ({ cfg, accountId }) =>
-      mapAllowFromEntries(resolveZalouserAccountSync({ cfg: cfg, accountId }).config.allowFrom),
-    formatAllowFrom: ({ allowFrom }) =>
-      formatAllowFromLowercase({ allowFrom, stripPrefixRe: /^(zalouser|zlu):/i }),
-  },
-  groups: {
-    resolveRequireMention: resolveZalouserRequireMention,
-    resolveToolPolicy: resolveZalouserGroupToolPolicy,
-  },
-  threading: {
-    resolveReplyToMode: () => "off",
-  },
-};
-
 export const zalouserPlugin: ChannelPlugin<ResolvedZalouserAccount> = {
   id: "zalouser",
   meta,
-  onboarding: zalouserOnboardingAdapter,
+  setup: zalouserSetupAdapter,
+  setupWizard: zalouserSetupWizard,
   capabilities: {
     chatTypes: ["direct", "group"],
     media: true,
@@ -407,38 +384,6 @@ export const zalouserPlugin: ChannelPlugin<ResolvedZalouserAccount> = {
     resolveReplyToMode: () => "off",
   },
   actions: zalouserMessageActions,
-  setup: {
-    resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
-    applyAccountName: ({ cfg, accountId, name }) =>
-      applyAccountNameToChannelSection({
-        cfg: cfg,
-        channelKey: "zalouser",
-        accountId,
-        name,
-      }),
-    validateInput: () => null,
-    applyAccountConfig: ({ cfg, accountId, input }) => {
-      const namedConfig = applyAccountNameToChannelSection({
-        cfg: cfg,
-        channelKey: "zalouser",
-        accountId,
-        name: input.name,
-      });
-      const next =
-        accountId !== DEFAULT_ACCOUNT_ID
-          ? migrateBaseNameToDefaultAccount({
-              cfg: namedConfig,
-              channelKey: "zalouser",
-            })
-          : namedConfig;
-      return applySetupAccountConfigPatch({
-        cfg: next,
-        channelKey: "zalouser",
-        accountId,
-        patch: {},
-      });
-    },
-  },
   messaging: {
     normalizeTarget: (raw) => normalizePrefixedTarget(raw),
     targetResolver: {
diff --git a/extensions/zalouser/src/setup-core.ts b/extensions/zalouser/src/setup-core.ts
new file mode 100644
index 00000000000..45f412ed9f6
--- /dev/null
+++ b/extensions/zalouser/src/setup-core.ts
@@ -0,0 +1,42 @@
+import {
+  applyAccountNameToChannelSection,
+  applySetupAccountConfigPatch,
+  migrateBaseNameToDefaultAccount,
+} from "../../../src/channels/plugins/setup-helpers.js";
+import type { ChannelSetupAdapter } from "../../../src/channels/plugins/types.adapters.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+
+const channel = "zalouser" as const;
+
+export const zalouserSetupAdapter: ChannelSetupAdapter = {
+  resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),
+  applyAccountName: ({ cfg, accountId, name }) =>
+    applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name,
+    }),
+  validateInput: () => null,
+  applyAccountConfig: ({ cfg, accountId, input }) => {
+    const namedConfig = applyAccountNameToChannelSection({
+      cfg,
+      channelKey: channel,
+      accountId,
+      name: input.name,
+    });
+    const next =
+      accountId !== DEFAULT_ACCOUNT_ID
+        ? migrateBaseNameToDefaultAccount({
+            cfg: namedConfig,
+            channelKey: channel,
+          })
+        : namedConfig;
+    return applySetupAccountConfigPatch({
+      cfg: next,
+      channelKey: channel,
+      accountId,
+      patch: {},
+    });
+  },
+};
diff --git a/extensions/zalouser/src/setup-surface.test.ts b/extensions/zalouser/src/setup-surface.test.ts
new file mode 100644
index 00000000000..fc95b90ab8d
--- /dev/null
+++ b/extensions/zalouser/src/setup-surface.test.ts
@@ -0,0 +1,86 @@
+import type { OpenClawConfig, WizardPrompter } from "openclaw/plugin-sdk/zalouser";
+import { describe, expect, it, vi } from "vitest";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import { createRuntimeEnv } from "../../test-utils/runtime-env.js";
+
+vi.mock("./zalo-js.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("./zalo-js.js")>();
+  return {
+    ...actual,
+    checkZaloAuthenticated: vi.fn(async () => false),
+    logoutZaloProfile: vi.fn(async () => {}),
+    startZaloQrLogin: vi.fn(async () => ({
+      message: "qr pending",
+      qrDataUrl: undefined,
+    })),
+    waitForZaloQrLogin: vi.fn(async () => ({
+      connected: false,
+      message: "login pending",
+    })),
+    resolveZaloAllowFromEntries: vi.fn(async ({ entries }: { entries: string[] }) =>
+      entries.map((entry) => ({ input: entry, resolved: true, id: entry, note: undefined })),
+    ),
+    resolveZaloGroupsByEntries: vi.fn(async ({ entries }: { entries: string[] }) =>
+      entries.map((entry) => ({ input: entry, resolved: true, id: entry, note: undefined })),
+    ),
+  };
+});
+
+import { zalouserPlugin } from "./channel.js";
+
+const selectFirstOption = async <T>(params: { options: Array<{ value: T }> }): Promise<T> => {
+  const first = params.options[0];
+  if (!first) {
+    throw new Error("no options");
+  }
+  return first.value;
+};
+
+function createPrompter(overrides: Partial<WizardPrompter>): WizardPrompter {
+  return {
+    intro: vi.fn(async () => {}),
+    outro: vi.fn(async () => {}),
+    note: vi.fn(async () => {}),
+    select: selectFirstOption as WizardPrompter["select"],
+    multiselect: vi.fn(async () => []),
+    text: vi.fn(async () => "") as WizardPrompter["text"],
+    confirm: vi.fn(async () => false),
+    progress: vi.fn(() => ({ update: vi.fn(), stop: vi.fn() })),
+    ...overrides,
+  };
+}
+
+const zalouserConfigureAdapter = buildChannelSetupWizardAdapterFromSetupWizard({
+  plugin: zalouserPlugin,
+  wizard: zalouserPlugin.setupWizard!,
+});
+
+describe("zalouser setup wizard", () => {
+  it("enables the account without forcing QR login", async () => {
+    const runtime = createRuntimeEnv();
+    const prompter = createPrompter({
+      confirm: vi.fn(async ({ message }: { message: string }) => {
+        if (message === "Login via QR code now?") {
+          return false;
+        }
+        if (message === "Configure Zalo groups access?") {
+          return false;
+        }
+        return false;
+      }),
+    });
+
+    const result = await zalouserConfigureAdapter.configure({
+      cfg: {} as OpenClawConfig,
+      runtime,
+      prompter,
+      options: {},
+      accountOverrides: {},
+      shouldPromptAccountIds: false,
+      forceAllowFrom: false,
+    });
+
+    expect(result.accountId).toBe("default");
+    expect(result.cfg.channels?.zalouser?.enabled).toBe(true);
+  });
+});
diff --git a/extensions/zalouser/src/onboarding.ts b/extensions/zalouser/src/setup-surface.ts
similarity index 61%
rename from extensions/zalouser/src/onboarding.ts
rename to extensions/zalouser/src/setup-surface.ts
index d5b828b6711..74f940e5077 100644
--- a/extensions/zalouser/src/onboarding.ts
+++ b/extensions/zalouser/src/setup-surface.ts
@@ -1,19 +1,14 @@
-import type {
-  ChannelOnboardingAdapter,
-  ChannelOnboardingDmPolicy,
-  OpenClawConfig,
-  WizardPrompter,
-} from "openclaw/plugin-sdk/zalouser";
+import { patchScopedAccountConfig } from "../../../src/channels/plugins/setup-helpers.js";
 import {
-  DEFAULT_ACCOUNT_ID,
-  formatResolvedUnresolvedNote,
   mergeAllowFromEntries,
-  normalizeAccountId,
-  patchScopedAccountConfig,
-  promptChannelAccessConfig,
-  resolveAccountIdForConfigure,
   setTopLevelChannelDmPolicyWithAllowFrom,
-} from "openclaw/plugin-sdk/zalouser";
+} from "../../../src/channels/plugins/setup-wizard-helpers.js";
+import type { ChannelSetupDmPolicy } from "../../../src/channels/plugins/setup-wizard-types.js";
+import type { ChannelSetupWizard } from "../../../src/channels/plugins/setup-wizard.js";
+import type { OpenClawConfig } from "../../../src/config/config.js";
+import { formatResolvedUnresolvedNote } from "../../../src/plugin-sdk/resolution-notes.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../src/routing/session-key.js";
+import { formatDocsLink } from "../../../src/terminal/links.js";
 import {
   listZalouserAccountIds,
   resolveDefaultZalouserAccountId,
@@ -21,6 +16,7 @@ import {
   checkZcaAuthenticated,
 } from "./accounts.js";
 import { writeQrDataUrlToTempFile } from "./qr-temp-file.js";
+import { zalouserSetupAdapter } from "./setup-core.js";
 import {
   logoutZaloProfile,
   resolveZaloAllowFromEntries,
@@ -52,19 +48,42 @@ function setZalouserDmPolicy(
 ): OpenClawConfig {
   return setTopLevelChannelDmPolicyWithAllowFrom({
     cfg,
-    channel: "zalouser",
+    channel,
     dmPolicy,
   }) as OpenClawConfig;
 }
 
-async function noteZalouserHelp(prompter: WizardPrompter): Promise<void> {
+function setZalouserGroupPolicy(
+  cfg: OpenClawConfig,
+  accountId: string,
+  groupPolicy: "open" | "allowlist" | "disabled",
+): OpenClawConfig {
+  return setZalouserAccountScopedConfig(cfg, accountId, {
+    groupPolicy,
+  });
+}
+
+function setZalouserGroupAllowlist(
+  cfg: OpenClawConfig,
+  accountId: string,
+  groupKeys: string[],
+): OpenClawConfig {
+  const groups = Object.fromEntries(groupKeys.map((key) => [key, { allow: true }]));
+  return setZalouserAccountScopedConfig(cfg, accountId, {
+    groups,
+  });
+}
+
+async function noteZalouserHelp(
+  prompter: Parameters<NonNullable<ChannelSetupWizard["prepare"]>>[0]["prompter"],
+): Promise<void> {
   await prompter.note(
     [
       "Zalo Personal Account login via QR code.",
       "",
       "This plugin uses zca-js directly (no external CLI dependency).",
       "",
-      "Docs: https://docs.openclaw.ai/channels/zalouser",
+      `Docs: ${formatDocsLink("/channels/zalouser", "zalouser")}`,
     ].join("\n"),
     "Zalo Personal Setup",
   );
@@ -72,7 +91,7 @@ async function noteZalouserHelp(prompter: WizardPrompter): Promise<void> {
 
 async function promptZalouserAllowFrom(params: {
   cfg: OpenClawConfig;
-  prompter: WizardPrompter;
+  prompter: Parameters<NonNullable<ChannelSetupDmPolicy["promptAllowFrom"]>>[0]["prompter"];
   accountId: string;
 }): Promise<OpenClawConfig> {
   const { cfg, prompter, accountId } = params;
@@ -125,94 +144,59 @@ async function promptZalouserAllowFrom(params: {
   }
 }
 
-function setZalouserGroupPolicy(
-  cfg: OpenClawConfig,
-  accountId: string,
-  groupPolicy: "open" | "allowlist" | "disabled",
-): OpenClawConfig {
-  return setZalouserAccountScopedConfig(cfg, accountId, {
-    groupPolicy,
-  });
-}
-
-function setZalouserGroupAllowlist(
-  cfg: OpenClawConfig,
-  accountId: string,
-  groupKeys: string[],
-): OpenClawConfig {
-  const groups = Object.fromEntries(groupKeys.map((key) => [key, { allow: true }]));
-  return setZalouserAccountScopedConfig(cfg, accountId, {
-    groups,
-  });
-}
-
-const dmPolicy: ChannelOnboardingDmPolicy = {
+const zalouserDmPolicy: ChannelSetupDmPolicy = {
   label: "Zalo Personal",
   channel,
   policyKey: "channels.zalouser.dmPolicy",
   allowFromKey: "channels.zalouser.allowFrom",
   getCurrent: (cfg) => (cfg.channels?.zalouser?.dmPolicy ?? "pairing") as "pairing",
-  setPolicy: (cfg, policy) => setZalouserDmPolicy(cfg, policy),
+  setPolicy: (cfg, policy) => setZalouserDmPolicy(cfg as OpenClawConfig, policy),
   promptAllowFrom: async ({ cfg, prompter, accountId }) => {
     const id =
       accountId && normalizeAccountId(accountId)
         ? (normalizeAccountId(accountId) ?? DEFAULT_ACCOUNT_ID)
-        : resolveDefaultZalouserAccountId(cfg);
-    return promptZalouserAllowFrom({
-      cfg,
+        : resolveDefaultZalouserAccountId(cfg as OpenClawConfig);
+    return await promptZalouserAllowFrom({
+      cfg: cfg as OpenClawConfig,
       prompter,
       accountId: id,
     });
   },
 };
 
-export const zalouserOnboardingAdapter: ChannelOnboardingAdapter = {
-  channel,
-  dmPolicy,
-  getStatus: async ({ cfg }) => {
-    const ids = listZalouserAccountIds(cfg);
-    let configured = false;
-    for (const accountId of ids) {
-      const account = resolveZalouserAccountSync({ cfg, accountId });
-      const isAuth = await checkZcaAuthenticated(account.profile);
-      if (isAuth) {
-        configured = true;
-        break;
-      }
-    }
-    return {
-      channel,
-      configured,
-      statusLines: [`Zalo Personal: ${configured ? "logged in" : "needs QR login"}`],
-      selectionHint: configured ? "recommended · logged in" : "recommended · QR login",
-      quickstartScore: configured ? 1 : 15,
-    };
-  },
-  configure: async ({
-    cfg,
-    prompter,
-    accountOverrides,
-    shouldPromptAccountIds,
-    forceAllowFrom,
-  }) => {
-    const defaultAccountId = resolveDefaultZalouserAccountId(cfg);
-    const accountId = await resolveAccountIdForConfigure({
-      cfg,
-      prompter,
-      label: "Zalo Personal",
-      accountOverride: accountOverrides.zalouser,
-      shouldPromptAccountIds,
-      listAccountIds: listZalouserAccountIds,
-      defaultAccountId,
-    });
+export { zalouserSetupAdapter } from "./setup-core.js";
 
+export const zalouserSetupWizard: ChannelSetupWizard = {
+  channel,
+  status: {
+    configuredLabel: "logged in",
+    unconfiguredLabel: "needs QR login",
+    configuredHint: "recommended · logged in",
+    unconfiguredHint: "recommended · QR login",
+    configuredScore: 1,
+    unconfiguredScore: 15,
+    resolveConfigured: async ({ cfg }) => {
+      const ids = listZalouserAccountIds(cfg);
+      for (const accountId of ids) {
+        const account = resolveZalouserAccountSync({ cfg, accountId });
+        if (await checkZcaAuthenticated(account.profile)) {
+          return true;
+        }
+      }
+      return false;
+    },
+    resolveStatusLines: async ({ cfg, configured }) => {
+      void cfg;
+      return [`Zalo Personal: ${configured ? "logged in" : "needs QR login"}`];
+    },
+  },
+  prepare: async ({ cfg, accountId, prompter }) => {
     let next = cfg;
     const account = resolveZalouserAccountSync({ cfg: next, accountId });
     const alreadyAuthenticated = await checkZcaAuthenticated(account.profile);
 
     if (!alreadyAuthenticated) {
       await noteZalouserHelp(prompter);
-
       const wantsLogin = await prompter.confirm({
         message: "Login via QR code now?",
         initialValue: true,
@@ -280,6 +264,56 @@ export const zalouserOnboardingAdapter: ChannelOnboardingAdapter = {
       { profile: account.profile, enabled: true },
     );
 
+    return { cfg: next };
+  },
+  credentials: [],
+  groupAccess: {
+    label: "Zalo groups",
+    placeholder: "Family, Work, 123456789",
+    currentPolicy: ({ cfg, accountId }) =>
+      resolveZalouserAccountSync({ cfg, accountId }).config.groupPolicy ?? "allowlist",
+    currentEntries: ({ cfg, accountId }) =>
+      Object.keys(resolveZalouserAccountSync({ cfg, accountId }).config.groups ?? {}),
+    updatePrompt: ({ cfg, accountId }) =>
+      Boolean(resolveZalouserAccountSync({ cfg, accountId }).config.groups),
+    setPolicy: ({ cfg, accountId, policy }) =>
+      setZalouserGroupPolicy(cfg as OpenClawConfig, accountId, policy),
+    resolveAllowlist: async ({ cfg, accountId, entries, prompter }) => {
+      if (entries.length === 0) {
+        return [];
+      }
+      const updatedAccount = resolveZalouserAccountSync({ cfg: cfg as OpenClawConfig, accountId });
+      try {
+        const resolved = await resolveZaloGroupsByEntries({
+          profile: updatedAccount.profile,
+          entries,
+        });
+        const resolvedIds = resolved
+          .filter((entry) => entry.resolved && entry.id)
+          .map((entry) => entry.id as string);
+        const unresolved = resolved.filter((entry) => !entry.resolved).map((entry) => entry.input);
+        const keys = [...resolvedIds, ...unresolved.map((entry) => entry.trim()).filter(Boolean)];
+        const resolution = formatResolvedUnresolvedNote({
+          resolved: resolvedIds,
+          unresolved,
+        });
+        if (resolution) {
+          await prompter.note(resolution, "Zalo groups");
+        }
+        return keys;
+      } catch (err) {
+        await prompter.note(
+          `Group lookup failed; keeping entries as typed. ${String(err)}`,
+          "Zalo groups",
+        );
+        return entries.map((entry) => entry.trim()).filter(Boolean);
+      }
+    },
+    applyAllowlist: ({ cfg, accountId, resolved }) =>
+      setZalouserGroupAllowlist(cfg as OpenClawConfig, accountId, resolved as string[]),
+  },
+  finalize: async ({ cfg, accountId, forceAllowFrom, prompter }) => {
+    let next = cfg;
     if (forceAllowFrom) {
       next = await promptZalouserAllowFrom({
         cfg: next,
@@ -287,54 +321,7 @@ export const zalouserOnboardingAdapter: ChannelOnboardingAdapter = {
         accountId,
       });
     }
-
-    const updatedAccount = resolveZalouserAccountSync({ cfg: next, accountId });
-    const accessConfig = await promptChannelAccessConfig({
-      prompter,
-      label: "Zalo groups",
-      currentPolicy: updatedAccount.config.groupPolicy ?? "allowlist",
-      currentEntries: Object.keys(updatedAccount.config.groups ?? {}),
-      placeholder: "Family, Work, 123456789",
-      updatePrompt: Boolean(updatedAccount.config.groups),
-    });
-
-    if (accessConfig) {
-      if (accessConfig.policy !== "allowlist") {
-        next = setZalouserGroupPolicy(next, accountId, accessConfig.policy);
-      } else {
-        let keys = accessConfig.entries;
-        if (accessConfig.entries.length > 0) {
-          try {
-            const resolved = await resolveZaloGroupsByEntries({
-              profile: updatedAccount.profile,
-              entries: accessConfig.entries,
-            });
-            const resolvedIds = resolved
-              .filter((entry) => entry.resolved && entry.id)
-              .map((entry) => entry.id as string);
-            const unresolved = resolved
-              .filter((entry) => !entry.resolved)
-              .map((entry) => entry.input);
-            keys = [...resolvedIds, ...unresolved.map((entry) => entry.trim()).filter(Boolean)];
-            const resolution = formatResolvedUnresolvedNote({
-              resolved: resolvedIds,
-              unresolved,
-            });
-            if (resolution) {
-              await prompter.note(resolution, "Zalo groups");
-            }
-          } catch (err) {
-            await prompter.note(
-              `Group lookup failed; keeping entries as typed. ${String(err)}`,
-              "Zalo groups",
-            );
-          }
-        }
-        next = setZalouserGroupPolicy(next, accountId, "allowlist");
-        next = setZalouserGroupAllowlist(next, accountId, keys);
-      }
-    }
-
-    return { cfg: next, accountId };
+    return { cfg: next };
   },
+  dmPolicy: zalouserDmPolicy,
 };
diff --git a/extensions/zalouser/src/zca-client.ts b/extensions/zalouser/src/zca-client.ts
index 00a1c8c1be0..f7bc1a358b3 100644
--- a/extensions/zalouser/src/zca-client.ts
+++ b/extensions/zalouser/src/zca-client.ts
@@ -1,16 +1,18 @@
-import {
-  LoginQRCallbackEventType as LoginQRCallbackEventTypeRuntime,
-  Reactions as ReactionsRuntime,
-  ThreadType as ThreadTypeRuntime,
-  Zalo as ZaloRuntime,
-} from "zca-js";
+import * as zcaJsRuntime from "zca-js";
 
-export const ThreadType = ThreadTypeRuntime as {
+const zcaJs = zcaJsRuntime as unknown as {
+  ThreadType: unknown;
+  LoginQRCallbackEventType: unknown;
+  Reactions: unknown;
+  Zalo: unknown;
+};
+
+export const ThreadType = zcaJs.ThreadType as {
   User: 0;
   Group: 1;
 };
 
-export const LoginQRCallbackEventType = LoginQRCallbackEventTypeRuntime as {
+export const LoginQRCallbackEventType = zcaJs.LoginQRCallbackEventType as {
   QRCodeGenerated: 0;
   QRCodeExpired: 1;
   QRCodeScanned: 2;
@@ -18,7 +20,7 @@ export const LoginQRCallbackEventType = LoginQRCallbackEventTypeRuntime as {
   GotLoginInfo: 4;
 };
 
-export const Reactions = ReactionsRuntime as Record<string, string> & {
+export const Reactions = zcaJs.Reactions as Record<string, string> & {
   HEART: string;
   LIKE: string;
   HAHA: string;
@@ -290,4 +292,4 @@ type ZaloCtor = new (options?: { logging?: boolean; selfListen?: boolean }) => {
   ): Promise<API>;
 };
 
-export const Zalo = ZaloRuntime as unknown as ZaloCtor;
+export const Zalo = zcaJs.Zalo as unknown as ZaloCtor;
diff --git a/git-hooks/pre-commit b/git-hooks/pre-commit
index 948f2087ada..469ccd28b88 100755
--- a/git-hooks/pre-commit
+++ b/git-hooks/pre-commit
@@ -43,7 +43,7 @@ if [ "${#lint_files[@]}" -gt 0 ]; then
 fi
 
 if [ "${#format_files[@]}" -gt 0 ]; then
-  "$RUN_NODE_TOOL" oxfmt --write -- "${format_files[@]}"
+  "$RUN_NODE_TOOL" oxfmt --write --no-error-on-unmatched-pattern "${format_files[@]}"
 fi
 
 git add -- "${files[@]}"
diff --git a/package.json b/package.json
index 2fc0ec447d0..ebaa3607ad1 100644
--- a/package.json
+++ b/package.json
@@ -29,6 +29,8 @@
     "assets/",
     "dist/",
     "docs/",
+    "!docs/.generated/**",
+    "!docs/.i18n/zh-CN.tm.jsonl",
     "extensions/",
     "skills/"
   ],
@@ -48,6 +50,10 @@
       "types": "./dist/plugin-sdk/compat.d.ts",
       "default": "./dist/plugin-sdk/compat.js"
     },
+    "./plugin-sdk/routing": {
+      "types": "./dist/plugin-sdk/routing.d.ts",
+      "default": "./dist/plugin-sdk/routing.js"
+    },
     "./plugin-sdk/telegram": {
       "types": "./dist/plugin-sdk/telegram.d.ts",
       "default": "./dist/plugin-sdk/telegram.js"
@@ -108,10 +114,6 @@
       "types": "./dist/plugin-sdk/feishu.d.ts",
       "default": "./dist/plugin-sdk/feishu.js"
     },
-    "./plugin-sdk/google-gemini-cli-auth": {
-      "types": "./dist/plugin-sdk/google-gemini-cli-auth.d.ts",
-      "default": "./dist/plugin-sdk/google-gemini-cli-auth.js"
-    },
     "./plugin-sdk/googlechat": {
       "types": "./dist/plugin-sdk/googlechat.d.ts",
       "default": "./dist/plugin-sdk/googlechat.js"
@@ -230,7 +232,7 @@
     "build:plugin-sdk:dts": "tsc -p tsconfig.plugin-sdk.dts.json || true",
     "build:strict-smoke": "pnpm canvas:a2ui:bundle && node scripts/tsdown-build.mjs && node scripts/runtime-postbuild.mjs && pnpm build:plugin-sdk:dts",
     "canvas:a2ui:bundle": "bash scripts/bundle-a2ui.sh",
-    "check": "pnpm check:host-env-policy:swift && pnpm format:check && pnpm tsgo && pnpm lint && pnpm lint:tmp:no-random-messaging && pnpm lint:tmp:channel-agnostic-boundaries && pnpm lint:tmp:no-raw-channel-fetch && pnpm lint:agent:ingress-owner && pnpm lint:plugins:no-register-http-handler && pnpm lint:plugins:no-monolithic-plugin-sdk-entry-imports && pnpm lint:webhook:no-low-level-body-read && pnpm lint:auth:no-pairing-store-group && pnpm lint:auth:pairing-account-scope",
+    "check": "pnpm check:host-env-policy:swift && pnpm format:check && pnpm tsgo && pnpm plugin-sdk:check-exports && pnpm lint && pnpm lint:tmp:no-random-messaging && pnpm lint:tmp:channel-agnostic-boundaries && pnpm lint:tmp:no-raw-channel-fetch && pnpm lint:agent:ingress-owner && pnpm lint:plugins:no-register-http-handler && pnpm lint:plugins:no-monolithic-plugin-sdk-entry-imports && pnpm lint:webhook:no-low-level-body-read && pnpm lint:auth:no-pairing-store-group && pnpm lint:auth:pairing-account-scope",
     "check:docs": "pnpm format:docs:check && pnpm lint:docs && pnpm docs:check-i18n-glossary && pnpm docs:check-links",
     "check:host-env-policy:swift": "node scripts/generate-host-env-security-policy-swift.mjs --check",
     "check:loc": "node --import tsx scripts/check-ts-max-loc.ts --max 500",
@@ -296,6 +298,8 @@
     "moltbot:rpc": "node scripts/run-node.mjs agent --mode rpc --json",
     "openclaw": "node scripts/run-node.mjs",
     "openclaw:rpc": "node scripts/run-node.mjs agent --mode rpc --json",
+    "plugin-sdk:check-exports": "node scripts/sync-plugin-sdk-exports.mjs --check",
+    "plugin-sdk:sync-exports": "node scripts/sync-plugin-sdk-exports.mjs",
     "plugins:sync": "node --import tsx scripts/sync-plugin-versions.ts",
     "prepack": "pnpm build && pnpm ui:build",
     "prepare": "command -v git >/dev/null 2>&1 && git rev-parse --is-inside-work-tree >/dev/null 2>&1 && git config core.hooksPath git-hooks || exit 0",
@@ -309,6 +313,7 @@
     "test:all": "pnpm lint && pnpm build && pnpm test && pnpm test:e2e && pnpm test:live && pnpm test:docker:all",
     "test:auth:compat": "vitest run --config vitest.gateway.config.ts src/gateway/server.auth.compat-baseline.test.ts src/gateway/client.test.ts src/gateway/reconnect-gating.test.ts src/gateway/protocol/connect-error-details.test.ts",
     "test:channels": "vitest run --config vitest.channels.config.ts",
+    "test:contracts": "pnpm test -- src/channels/plugins/contracts src/plugins/contracts",
     "test:coverage": "vitest run --config vitest.unit.config.ts --coverage",
     "test:docker:all": "pnpm test:docker:live-models && pnpm test:docker:live-gateway && pnpm test:docker:onboard && pnpm test:docker:gateway-network && pnpm test:docker:qr && pnpm test:docker:doctor-switch && pnpm test:docker:plugins && pnpm test:docker:cleanup",
     "test:docker:cleanup": "bash scripts/test-cleanup-docker.sh",
@@ -320,6 +325,8 @@
     "test:docker:plugins": "bash scripts/e2e/plugins-docker.sh",
     "test:docker:qr": "bash scripts/e2e/qr-import-docker.sh",
     "test:e2e": "vitest run --config vitest.e2e.config.ts",
+    "test:e2e:openshell": "OPENCLAW_E2E_OPENSHELL=1 vitest run --config vitest.e2e.config.ts test/openshell-sandbox.e2e.test.ts",
+    "test:extension": "node scripts/test-extension.mjs",
     "test:extensions": "vitest run --config vitest.extensions.config.ts",
     "test:fast": "vitest run --config vitest.unit.config.ts",
     "test:force": "node --import tsx scripts/test-force.ts",
@@ -355,6 +362,7 @@
     "@grammyjs/runner": "^2.0.3",
     "@grammyjs/transformer-throttler": "^1.2.1",
     "@homebridge/ciao": "^1.3.5",
+    "@lancedb/lancedb": "^0.26.2",
     "@larksuiteoapi/node-sdk": "^1.59.0",
     "@line/bot-sdk": "^10.6.0",
     "@lydell/node-pty": "1.2.0-beta.3",
@@ -378,6 +386,7 @@
     "dotenv": "^17.3.1",
     "express": "^5.2.1",
     "file-type": "^21.3.2",
+    "gaxios": "^7.1.3",
     "grammy": "^1.41.1",
     "hono": "4.12.7",
     "https-proxy-agent": "^8.0.0",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a334570e909..90ebda912b0 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -50,6 +50,9 @@ importers:
       '@homebridge/ciao':
         specifier: ^1.3.5
         version: 1.3.5
+      '@lancedb/lancedb':
+        specifier: ^0.26.2
+        version: 0.26.2(apache-arrow@18.1.0)
       '@larksuiteoapi/node-sdk':
         specifier: ^1.59.0
         version: 1.59.0
@@ -122,6 +125,9 @@ importers:
       file-type:
         specifier: 21.3.2
         version: 21.3.2
+      gaxios:
+        specifier: ^7.1.3
+        version: 7.1.3
       grammy:
         specifier: ^1.41.1
         version: 1.41.1
@@ -268,12 +274,22 @@ importers:
         specifier: 0.3.0
         version: 0.3.0(zod@4.3.6)
 
+  extensions/amazon-bedrock: {}
+
+  extensions/anthropic: {}
+
   extensions/bluebubbles:
     dependencies:
       zod:
         specifier: ^4.3.6
         version: 4.3.6
 
+  extensions/brave: {}
+
+  extensions/byteplus: {}
+
+  extensions/cloudflare-ai-gateway: {}
+
   extensions/copilot-proxy: {}
 
   extensions/diagnostics-otel:
@@ -341,7 +357,11 @@ importers:
         specifier: ^4.3.6
         version: 4.3.6
 
-  extensions/google-gemini-cli-auth: {}
+  extensions/firecrawl: {}
+
+  extensions/github-copilot: {}
+
+  extensions/google: {}
 
   extensions/googlechat:
     dependencies:
@@ -352,6 +372,8 @@ importers:
         specifier: '>=2026.3.11'
         version: 2026.3.13(@discordjs/opus@0.10.0)(@napi-rs/canvas@0.1.95)(@types/express@5.0.6)(audio-decode@2.2.3)(node-llama-cpp@3.16.2(typescript@5.9.3))
 
+  extensions/huggingface: {}
+
   extensions/imessage: {}
 
   extensions/irc:
@@ -360,6 +382,10 @@ importers:
         specifier: ^4.3.6
         version: 4.3.6
 
+  extensions/kilocode: {}
+
+  extensions/kimi-coding: {}
+
   extensions/line: {}
 
   extensions/llm-task:
@@ -425,7 +451,13 @@ importers:
         specifier: ^6.29.0
         version: 6.29.0(ws@8.19.0)(zod@4.3.6)
 
-  extensions/minimax-portal-auth: {}
+  extensions/minimax: {}
+
+  extensions/mistral: {}
+
+  extensions/modelstudio: {}
+
+  extensions/moonshot: {}
 
   extensions/msteams:
     dependencies:
@@ -451,10 +483,26 @@ importers:
         specifier: ^4.3.6
         version: 4.3.6
 
+  extensions/nvidia: {}
+
   extensions/ollama: {}
 
   extensions/open-prose: {}
 
+  extensions/openai: {}
+
+  extensions/opencode: {}
+
+  extensions/opencode-go: {}
+
+  extensions/openrouter: {}
+
+  extensions/openshell: {}
+
+  extensions/perplexity: {}
+
+  extensions/qianfan: {}
+
   extensions/sglang: {}
 
   extensions/signal: {}
@@ -467,6 +515,8 @@ importers:
         specifier: ^4.3.6
         version: 4.3.6
 
+  extensions/synthetic: {}
+
   extensions/telegram: {}
 
   extensions/tlon:
@@ -484,6 +534,8 @@ importers:
         specifier: ^4.3.6
         version: 4.3.6
 
+  extensions/together: {}
+
   extensions/twitch:
     dependencies:
       '@twurple/api':
@@ -499,6 +551,10 @@ importers:
         specifier: ^4.3.6
         version: 4.3.6
 
+  extensions/venice: {}
+
+  extensions/vercel-ai-gateway: {}
+
   extensions/vllm: {}
 
   extensions/voice-call:
@@ -516,8 +572,16 @@ importers:
         specifier: ^4.3.6
         version: 4.3.6
 
+  extensions/volcengine: {}
+
   extensions/whatsapp: {}
 
+  extensions/xai: {}
+
+  extensions/xiaomi: {}
+
+  extensions/zai: {}
+
   extensions/zalo:
     dependencies:
       undici:
diff --git a/scripts/check-cli-startup-memory.mjs b/scripts/check-cli-startup-memory.mjs
index dbf666e1bfb..ce452d1a7ab 100644
--- a/scripts/check-cli-startup-memory.mjs
+++ b/scripts/check-cli-startup-memory.mjs
@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { spawnSync } from "node:child_process";
-import { mkdtempSync, rmSync } from "node:fs";
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import os from "node:os";
 import path from "node:path";
 
@@ -15,10 +15,25 @@ if (!isLinux && !isMac) {
 
 const repoRoot = process.cwd();
 const tmpHome = mkdtempSync(path.join(os.tmpdir(), "openclaw-startup-memory-"));
+const tmpDir = process.env.TMPDIR || process.env.TEMP || process.env.TMP || os.tmpdir();
+const rssHookPath = path.join(tmpHome, "measure-rss.mjs");
+const MAX_RSS_MARKER = "__OPENCLAW_MAX_RSS_KB__=";
+
+writeFileSync(
+  rssHookPath,
+  [
+    "process.on('exit', () => {",
+    "  const usage = typeof process.resourceUsage === 'function' ? process.resourceUsage() : null;",
+    `  if (usage && typeof usage.maxRSS === 'number') console.error('${MAX_RSS_MARKER}' + String(usage.maxRSS));`,
+    "});",
+    "",
+  ].join("\n"),
+  "utf8",
+);
 
 const DEFAULT_LIMITS_MB = {
   help: 500,
-  statusJson: 900,
+  statusJson: 925,
   gatewayStatus: 900,
 };
 
@@ -26,13 +41,13 @@ const cases = [
   {
     id: "help",
     label: "--help",
-    args: ["node", "openclaw.mjs", "--help"],
+    args: ["openclaw.mjs", "--help"],
     limitMb: Number(process.env.OPENCLAW_STARTUP_MEMORY_HELP_MB ?? DEFAULT_LIMITS_MB.help),
   },
   {
     id: "statusJson",
     label: "status --json",
-    args: ["node", "openclaw.mjs", "status", "--json"],
+    args: ["openclaw.mjs", "status", "--json"],
     limitMb: Number(
       process.env.OPENCLAW_STARTUP_MEMORY_STATUS_JSON_MB ?? DEFAULT_LIMITS_MB.statusJson,
     ),
@@ -40,7 +55,7 @@ const cases = [
   {
     id: "gatewayStatus",
     label: "gateway status",
-    args: ["node", "openclaw.mjs", "gateway", "status"],
+    args: ["openclaw.mjs", "gateway", "status"],
     limitMb: Number(
       process.env.OPENCLAW_STARTUP_MEMORY_GATEWAY_STATUS_MB ?? DEFAULT_LIMITS_MB.gatewayStatus,
     ),
@@ -48,30 +63,52 @@ const cases = [
 ];
 
 function parseMaxRssMb(stderr) {
-  if (isLinux) {
-    const match = stderr.match(/^\s*Maximum resident set size \(kbytes\):\s*(\d+)\s*$/im);
-    if (!match) {
-      return null;
-    }
-    return Number(match[1]) / 1024;
-  }
-  const match = stderr.match(/^\s*(\d+)\s+maximum resident set size\s*$/im);
-  if (!match) {
+  const matches = [...stderr.matchAll(new RegExp(`^${MAX_RSS_MARKER}(\\d+)\\s*$`, "gm"))];
+  const lastMatch = matches.at(-1);
+  if (!lastMatch) {
     return null;
   }
-  return Number(match[1]) / (1024 * 1024);
+  return Number(lastMatch[1]) / 1024;
 }
 
-function runCase(testCase) {
+function buildBenchEnv() {
   const env = {
-    ...process.env,
     HOME: tmpHome,
+    USERPROFILE: tmpHome,
     XDG_CONFIG_HOME: path.join(tmpHome, ".config"),
     XDG_DATA_HOME: path.join(tmpHome, ".local", "share"),
     XDG_CACHE_HOME: path.join(tmpHome, ".cache"),
+    PATH: process.env.PATH ?? "",
+    TMPDIR: tmpDir,
+    TEMP: tmpDir,
+    TMP: tmpDir,
+    LANG: process.env.LANG ?? "C.UTF-8",
+    TERM: process.env.TERM ?? "dumb",
   };
-  const timeArgs = isLinux ? ["-v", ...testCase.args] : ["-l", ...testCase.args];
-  const result = spawnSync("/usr/bin/time", timeArgs, {
+
+  if (process.env.LC_ALL) {
+    env.LC_ALL = process.env.LC_ALL;
+  }
+  if (process.env.CI) {
+    env.CI = process.env.CI;
+  }
+  if (process.env.NODE_DISABLE_COMPILE_CACHE) {
+    env.NODE_DISABLE_COMPILE_CACHE = process.env.NODE_DISABLE_COMPILE_CACHE;
+  } else {
+    // Keep the regression check focused on app/runtime startup, not Node's
+    // one-shot compile cache overhead, which varies across runner builds.
+    env.NODE_DISABLE_COMPILE_CACHE = "1";
+  }
+  // Keep the benchmark on a single process so RSS reflects the actual command
+  // path rather than the warning-suppression respawn wrapper.
+  env.OPENCLAW_NO_RESPAWN = "1";
+
+  return env;
+}
+
+function runCase(testCase) {
+  const env = buildBenchEnv();
+  const result = spawnSync(process.execPath, ["--import", rssHookPath, ...testCase.args], {
     cwd: repoRoot,
     env,
     encoding: "utf8",
diff --git a/scripts/check-no-monolithic-plugin-sdk-entry-imports.ts b/scripts/check-no-monolithic-plugin-sdk-entry-imports.ts
index 9b77ae9cf61..dacf30b5623 100644
--- a/scripts/check-no-monolithic-plugin-sdk-entry-imports.ts
+++ b/scripts/check-no-monolithic-plugin-sdk-entry-imports.ts
@@ -5,11 +5,16 @@ import { discoverOpenClawPlugins } from "../src/plugins/discovery.js";
 // Match exact monolithic-root specifier in any code path:
 // imports/exports, require/dynamic import, and test mocks (vi.mock/jest.mock).
 const ROOT_IMPORT_PATTERN = /["']openclaw\/plugin-sdk["']/;
+const LEGACY_ROUTING_IMPORT_PATTERN = /["']openclaw\/plugin-sdk\/routing["']/;
 
 function hasMonolithicRootImport(content: string): boolean {
   return ROOT_IMPORT_PATTERN.test(content);
 }
 
+function hasLegacyRoutingImport(content: string): boolean {
+  return LEGACY_ROUTING_IMPORT_PATTERN.test(content);
+}
+
 function isSourceFile(filePath: string): boolean {
   if (filePath.endsWith(".d.ts")) {
     return false;
@@ -59,6 +64,10 @@ function collectPluginSourceFiles(rootDir: string): string[] {
   return files;
 }
 
+function collectSharedExtensionSourceFiles(): string[] {
+  return collectPluginSourceFiles(path.join(process.cwd(), "extensions", "shared"));
+}
+
 function main() {
   const discovery = discoverOpenClawPlugins({});
   const bundledCandidates = discovery.candidates.filter((c) => c.origin === "bundled");
@@ -69,8 +78,12 @@ function main() {
       filesToCheck.add(srcFile);
     }
   }
+  for (const sharedFile of collectSharedExtensionSourceFiles()) {
+    filesToCheck.add(sharedFile);
+  }
 
-  const offenders: string[] = [];
+  const monolithicOffenders: string[] = [];
+  const legacyRoutingOffenders: string[] = [];
   for (const entryFile of filesToCheck) {
     let content = "";
     try {
@@ -79,19 +92,35 @@ function main() {
       continue;
     }
     if (hasMonolithicRootImport(content)) {
-      offenders.push(entryFile);
+      monolithicOffenders.push(entryFile);
+    }
+    if (hasLegacyRoutingImport(content)) {
+      legacyRoutingOffenders.push(entryFile);
     }
   }
 
-  if (offenders.length > 0) {
-    console.error("Bundled plugin source files must not import monolithic openclaw/plugin-sdk.");
-    for (const file of offenders.toSorted()) {
-      const relative = path.relative(process.cwd(), file) || file;
-      console.error(`- ${relative}`);
+  if (monolithicOffenders.length > 0 || legacyRoutingOffenders.length > 0) {
+    if (monolithicOffenders.length > 0) {
+      console.error("Bundled plugin source files must not import monolithic openclaw/plugin-sdk.");
+      for (const file of monolithicOffenders.toSorted()) {
+        const relative = path.relative(process.cwd(), file) || file;
+        console.error(`- ${relative}`);
+      }
+    }
+    if (legacyRoutingOffenders.length > 0) {
+      console.error(
+        "Bundled plugin source files must not import legacy openclaw/plugin-sdk/routing.",
+      );
+      for (const file of legacyRoutingOffenders.toSorted()) {
+        const relative = path.relative(process.cwd(), file) || file;
+        console.error(`- ${relative}`);
+      }
+    }
+    if (monolithicOffenders.length > 0 || legacyRoutingOffenders.length > 0) {
+      console.error(
+        "Use openclaw/plugin-sdk/<channel> for channel plugins, /core for shared routing and startup surfaces, or /compat for broader internals.",
+      );
     }
-    console.error(
-      "Use openclaw/plugin-sdk/<channel> for channel plugins, /core for startup surfaces, or /compat for broader internals.",
-    );
     process.exit(1);
   }
 
diff --git a/scripts/check-no-raw-channel-fetch.mjs b/scripts/check-no-raw-channel-fetch.mjs
index 788585b8c54..57adb600c81 100644
--- a/scripts/check-no-raw-channel-fetch.mjs
+++ b/scripts/check-no-raw-channel-fetch.mjs
@@ -14,11 +14,6 @@ const allowedRawFetchCallsites = new Set([
   "extensions/feishu/src/streaming-card.ts:101",
   "extensions/feishu/src/streaming-card.ts:143",
   "extensions/feishu/src/streaming-card.ts:199",
-  "extensions/google-gemini-cli-auth/oauth.ts:372",
-  "extensions/google-gemini-cli-auth/oauth.ts:408",
-  "extensions/google-gemini-cli-auth/oauth.ts:447",
-  "extensions/google-gemini-cli-auth/oauth.ts:507",
-  "extensions/google-gemini-cli-auth/oauth.ts:575",
   "extensions/googlechat/src/api.ts:22",
   "extensions/googlechat/src/api.ts:43",
   "extensions/googlechat/src/api.ts:63",
@@ -29,8 +24,8 @@ const allowedRawFetchCallsites = new Set([
   "extensions/mattermost/src/mattermost/client.ts:211",
   "extensions/mattermost/src/mattermost/monitor.ts:230",
   "extensions/mattermost/src/mattermost/probe.ts:27",
-  "extensions/minimax-portal-auth/oauth.ts:71",
-  "extensions/minimax-portal-auth/oauth.ts:112",
+  "extensions/minimax/oauth.ts:62",
+  "extensions/minimax/oauth.ts:93",
   "extensions/msteams/src/graph.ts:39",
   "extensions/nextcloud-talk/src/room-info.ts:92",
   "extensions/nextcloud-talk/src/send.ts:107",
diff --git a/scripts/check-plugin-sdk-exports.mjs b/scripts/check-plugin-sdk-exports.mjs
index 03ff9dfde8f..60c89056ca0 100755
--- a/scripts/check-plugin-sdk-exports.mjs
+++ b/scripts/check-plugin-sdk-exports.mjs
@@ -11,6 +11,7 @@
 import { readFileSync, existsSync } from "node:fs";
 import { resolve, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
+import { pluginSdkSubpaths } from "./lib/plugin-sdk-entries.mjs";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const distFile = resolve(__dirname, "..", "dist", "plugin-sdk", "index.js");
@@ -41,52 +42,6 @@ const exportedNames = exportMatch[1]
 
 const exportSet = new Set(exportedNames);
 
-const requiredSubpathEntries = [
-  "core",
-  "compat",
-  "telegram",
-  "discord",
-  "slack",
-  "signal",
-  "imessage",
-  "whatsapp",
-  "line",
-  "msteams",
-  "acpx",
-  "bluebubbles",
-  "copilot-proxy",
-  "device-pair",
-  "diagnostics-otel",
-  "diffs",
-  "feishu",
-  "google-gemini-cli-auth",
-  "googlechat",
-  "irc",
-  "llm-task",
-  "lobster",
-  "matrix",
-  "mattermost",
-  "memory-core",
-  "memory-lancedb",
-  "minimax-portal-auth",
-  "nextcloud-talk",
-  "nostr",
-  "open-prose",
-  "phone-control",
-  "qwen-portal-auth",
-  "synology-chat",
-  "talk-voice",
-  "test-utils",
-  "thread-ownership",
-  "tlon",
-  "twitch",
-  "voice-call",
-  "zalo",
-  "zalouser",
-  "account-id",
-  "keyed-async-queue",
-];
-
 const requiredRuntimeShimEntries = ["root-alias.cjs"];
 
 // Critical functions that channel extension plugins import from openclaw/plugin-sdk.
@@ -124,7 +79,7 @@ for (const name of requiredExports) {
   }
 }
 
-for (const entry of requiredSubpathEntries) {
+for (const entry of pluginSdkSubpaths) {
   const jsPath = resolve(__dirname, "..", "dist", "plugin-sdk", `${entry}.js`);
   const dtsPath = resolve(__dirname, "..", "dist", "plugin-sdk", `${entry}.d.ts`);
   if (!existsSync(jsPath)) {
diff --git a/scripts/copy-bundled-plugin-metadata.mjs b/scripts/copy-bundled-plugin-metadata.mjs
index 426f319c02c..12211f9b29b 100644
--- a/scripts/copy-bundled-plugin-metadata.mjs
+++ b/scripts/copy-bundled-plugin-metadata.mjs
@@ -8,6 +8,8 @@ import {
 } from "./runtime-postbuild-shared.mjs";
 
 const GENERATED_BUNDLED_SKILLS_DIR = "bundled-skills";
+const TRANSIENT_COPY_ERROR_CODES = new Set(["EEXIST", "ENOENT", "ENOTEMPTY", "EBUSY"]);
+const COPY_RETRY_DELAYS_MS = [10, 25, 50];
 
 export function rewritePackageExtensions(entries) {
   if (!Array.isArray(entries)) {
@@ -23,6 +25,15 @@ export function rewritePackageExtensions(entries) {
     });
 }
 
+function rewritePackageEntry(entry) {
+  if (typeof entry !== "string" || entry.trim().length === 0) {
+    return undefined;
+  }
+  const normalized = entry.replace(/^\.\//, "");
+  const rewritten = normalized.replace(/\.[^.]+$/u, ".js");
+  return `./${rewritten}`;
+}
+
 function ensurePathInsideRoot(rootDir, rawPath) {
   const resolved = path.resolve(rootDir, rawPath);
   const relative = path.relative(rootDir, resolved);
@@ -73,6 +84,39 @@ function resolveBundledSkillTarget(rawPath) {
   };
 }
 
+function isTransientCopyError(error) {
+  return (
+    !!error &&
+    typeof error === "object" &&
+    typeof error.code === "string" &&
+    TRANSIENT_COPY_ERROR_CODES.has(error.code)
+  );
+}
+
+function sleepSync(ms) {
+  if (!Number.isFinite(ms) || ms <= 0) {
+    return;
+  }
+  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
+}
+
+function copySkillPathWithRetry(params) {
+  const maxAttempts = COPY_RETRY_DELAYS_MS.length + 1;
+  for (let attempt = 0; attempt < maxAttempts; attempt += 1) {
+    try {
+      removePathIfExists(params.targetPath);
+      fs.mkdirSync(path.dirname(params.targetPath), { recursive: true });
+      fs.cpSync(params.sourcePath, params.targetPath, params.copyOptions);
+      return;
+    } catch (error) {
+      if (!isTransientCopyError(error) || attempt === maxAttempts - 1) {
+        throw error;
+      }
+      sleepSync(COPY_RETRY_DELAYS_MS[attempt] ?? 0);
+    }
+  }
+}
+
 function copyDeclaredPluginSkillPaths(params) {
   const skills = Array.isArray(params.manifest.skills) ? params.manifest.skills : [];
   const copiedSkills = [];
@@ -95,21 +139,23 @@ function copyDeclaredPluginSkillPaths(params) {
       continue;
     }
     const targetPath = ensurePathInsideRoot(params.distPluginDir, target.outputPath);
-    removePathIfExists(targetPath);
-    fs.mkdirSync(path.dirname(targetPath), { recursive: true });
     const shouldExcludeNestedNodeModules = /^node_modules(?:\/|$)/u.test(
       normalizeManifestRelativePath(raw),
     );
-    fs.cpSync(sourcePath, targetPath, {
-      dereference: true,
-      force: true,
-      recursive: true,
-      filter: (candidatePath) => {
-        if (!shouldExcludeNestedNodeModules || candidatePath === sourcePath) {
-          return true;
-        }
-        const relativeCandidate = path.relative(sourcePath, candidatePath).replaceAll("\\", "/");
-        return !relativeCandidate.split("/").includes("node_modules");
+    copySkillPathWithRetry({
+      sourcePath,
+      targetPath,
+      copyOptions: {
+        dereference: true,
+        force: true,
+        recursive: true,
+        filter: (candidatePath) => {
+          if (!shouldExcludeNestedNodeModules || candidatePath === sourcePath) {
+            return true;
+          }
+          const relativeCandidate = path.relative(sourcePath, candidatePath).replaceAll("\\", "/");
+          return !relativeCandidate.split("/").includes("node_modules");
+        },
       },
     });
     copiedSkills.push(target.manifestPath);
@@ -126,13 +172,6 @@ export function copyBundledPluginMetadata(params = {}) {
   }
 
   const sourcePluginDirs = new Set();
-  const removeGeneratedPluginArtifacts = (distPluginDir) => {
-    removeFileIfExists(path.join(distPluginDir, "openclaw.plugin.json"));
-    removeFileIfExists(path.join(distPluginDir, "package.json"));
-    removePathIfExists(path.join(distPluginDir, GENERATED_BUNDLED_SKILLS_DIR));
-    removePathIfExists(path.join(distPluginDir, "node_modules"));
-  };
-
   for (const dirent of fs.readdirSync(extensionsRoot, { withFileTypes: true })) {
     if (!dirent.isDirectory()) {
       continue;
@@ -145,7 +184,7 @@ export function copyBundledPluginMetadata(params = {}) {
     const distManifestPath = path.join(distPluginDir, "openclaw.plugin.json");
     const distPackageJsonPath = path.join(distPluginDir, "package.json");
     if (!fs.existsSync(manifestPath)) {
-      removeGeneratedPluginArtifacts(distPluginDir);
+      removePathIfExists(distPluginDir);
       continue;
     }
 
@@ -176,6 +215,9 @@ export function copyBundledPluginMetadata(params = {}) {
       packageJson.openclaw = {
         ...packageJson.openclaw,
         extensions: rewritePackageExtensions(packageJson.openclaw.extensions),
+        ...(typeof packageJson.openclaw.setupEntry === "string"
+          ? { setupEntry: rewritePackageEntry(packageJson.openclaw.setupEntry) }
+          : {}),
       };
     }
 
@@ -191,7 +233,7 @@ export function copyBundledPluginMetadata(params = {}) {
       continue;
     }
     const distPluginDir = path.join(distExtensionsRoot, dirent.name);
-    removeGeneratedPluginArtifacts(distPluginDir);
+    removePathIfExists(distPluginDir);
   }
 }
 
diff --git a/scripts/docs-i18n/pi_command.go b/scripts/docs-i18n/pi_command.go
new file mode 100644
index 00000000000..c11c9134453
--- /dev/null
+++ b/scripts/docs-i18n/pi_command.go
@@ -0,0 +1,120 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+)
+
+const (
+	envDocsPiExecutable     = "OPENCLAW_DOCS_I18N_PI_EXECUTABLE"
+	envDocsPiArgs           = "OPENCLAW_DOCS_I18N_PI_ARGS"
+	envDocsPiPackageVersion = "OPENCLAW_DOCS_I18N_PI_PACKAGE_VERSION"
+	defaultPiPackageVersion = "0.58.3"
+)
+
+type docsPiCommand struct {
+	Executable string
+	Args       []string
+}
+
+var (
+	materializedPiRuntimeMu      sync.Mutex
+	materializedPiRuntimeCommand docsPiCommand
+	materializedPiRuntimeErr     error
+)
+
+func resolveDocsPiCommand(ctx context.Context) (docsPiCommand, error) {
+	if executable := strings.TrimSpace(os.Getenv(envDocsPiExecutable)); executable != "" {
+		return docsPiCommand{
+			Executable: executable,
+			Args:       strings.Fields(os.Getenv(envDocsPiArgs)),
+		}, nil
+	}
+
+	piPath, err := exec.LookPath("pi")
+	if err == nil && !shouldMaterializePiRuntime(piPath) {
+		return docsPiCommand{Executable: piPath}, nil
+	}
+
+	return ensureMaterializedPiRuntime(ctx)
+}
+
+func shouldMaterializePiRuntime(piPath string) bool {
+	realPath, err := filepath.EvalSymlinks(piPath)
+	if err != nil {
+		realPath = piPath
+	}
+	return strings.Contains(filepath.ToSlash(realPath), "/Projects/pi-mono/")
+}
+
+func ensureMaterializedPiRuntime(ctx context.Context) (docsPiCommand, error) {
+	materializedPiRuntimeMu.Lock()
+	defer materializedPiRuntimeMu.Unlock()
+
+	if materializedPiRuntimeErr == nil && materializedPiRuntimeCommand.Executable != "" {
+		return materializedPiRuntimeCommand, nil
+	}
+
+	runtimeDir, err := getMaterializedPiRuntimeDir()
+	if err != nil {
+		materializedPiRuntimeErr = err
+		return docsPiCommand{}, err
+	}
+	cliPath := filepath.Join(runtimeDir, "node_modules", "@mariozechner", "pi-coding-agent", "dist", "cli.js")
+	if _, err := os.Stat(cliPath); errors.Is(err, os.ErrNotExist) {
+		installCtx, cancel := context.WithTimeout(ctx, 2*time.Minute)
+		defer cancel()
+
+		if err := os.MkdirAll(runtimeDir, 0o755); err != nil {
+			materializedPiRuntimeErr = err
+			return docsPiCommand{}, err
+		}
+
+		packageVersion := getMaterializedPiPackageVersion()
+		install := exec.CommandContext(
+			installCtx,
+			"npm",
+			"install",
+			"--silent",
+			"--no-audit",
+			"--no-fund",
+			fmt.Sprintf("@mariozechner/pi-coding-agent@%s", packageVersion),
+		)
+		install.Dir = runtimeDir
+		install.Env = os.Environ()
+		output, err := install.CombinedOutput()
+		if err != nil {
+			materializedPiRuntimeErr = fmt.Errorf("materialize pi runtime: %w (%s)", err, strings.TrimSpace(string(output)))
+			return docsPiCommand{}, materializedPiRuntimeErr
+		}
+	}
+
+	materializedPiRuntimeCommand = docsPiCommand{
+		Executable: "node",
+		Args:       []string{cliPath},
+	}
+	materializedPiRuntimeErr = nil
+	return materializedPiRuntimeCommand, nil
+}
+
+func getMaterializedPiRuntimeDir() (string, error) {
+	cacheDir, err := os.UserCacheDir()
+	if err != nil {
+		cacheDir = os.TempDir()
+	}
+	return filepath.Join(cacheDir, "openclaw", "docs-i18n", "pi-runtime", getMaterializedPiPackageVersion()), nil
+}
+
+func getMaterializedPiPackageVersion() string {
+	if version := strings.TrimSpace(os.Getenv(envDocsPiPackageVersion)); version != "" {
+		return version
+	}
+	return defaultPiPackageVersion
+}
diff --git a/scripts/docs-i18n/pi_rpc_client.go b/scripts/docs-i18n/pi_rpc_client.go
new file mode 100644
index 00000000000..7535b04799b
--- /dev/null
+++ b/scripts/docs-i18n/pi_rpc_client.go
@@ -0,0 +1,302 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"syscall"
+	"time"
+)
+
+type docsPiClientOptions struct {
+	SystemPrompt string
+	Thinking     string
+}
+
+type docsPiClient struct {
+	process    *exec.Cmd
+	stdin      io.WriteCloser
+	stderr     bytes.Buffer
+	events     chan piEvent
+	promptLock sync.Mutex
+	closeOnce  sync.Once
+	closed     chan struct{}
+	requestID  uint64
+}
+
+type piEvent struct {
+	Type string
+	Raw  json.RawMessage
+}
+
+type agentEndPayload struct {
+	Type     string         `json:"type,omitempty"`
+	Messages []agentMessage `json:"messages"`
+}
+
+type rpcResponse struct {
+	ID      string `json:"id,omitempty"`
+	Type    string `json:"type"`
+	Command string `json:"command,omitempty"`
+	Success bool   `json:"success"`
+	Error   string `json:"error,omitempty"`
+}
+
+type agentMessage struct {
+	Role         string          `json:"role"`
+	Content      json.RawMessage `json:"content"`
+	StopReason   string          `json:"stopReason,omitempty"`
+	ErrorMessage string          `json:"errorMessage,omitempty"`
+}
+
+type contentBlock struct {
+	Type string `json:"type"`
+	Text string `json:"text,omitempty"`
+}
+
+func startDocsPiClient(ctx context.Context, options docsPiClientOptions) (*docsPiClient, error) {
+	command, err := resolveDocsPiCommand(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	args := append([]string{}, command.Args...)
+	args = append(args,
+		"--mode", "rpc",
+		"--provider", docsPiProvider(),
+		"--model", docsPiModel(),
+		"--thinking", options.Thinking,
+		"--no-session",
+	)
+	if strings.TrimSpace(options.SystemPrompt) != "" {
+		args = append(args, "--system-prompt", options.SystemPrompt)
+	}
+
+	process := exec.Command(command.Executable, args...)
+	agentDir, err := getDocsPiAgentDir()
+	if err != nil {
+		return nil, err
+	}
+	process.Env = append(os.Environ(), fmt.Sprintf("PI_CODING_AGENT_DIR=%s", agentDir))
+	stdin, err := process.StdinPipe()
+	if err != nil {
+		return nil, err
+	}
+	stdout, err := process.StdoutPipe()
+	if err != nil {
+		return nil, err
+	}
+	stderr, err := process.StderrPipe()
+	if err != nil {
+		return nil, err
+	}
+
+	client := &docsPiClient{
+		process: process,
+		stdin:   stdin,
+		events:  make(chan piEvent, 256),
+		closed:  make(chan struct{}),
+	}
+
+	if err := process.Start(); err != nil {
+		return nil, err
+	}
+
+	go client.captureStderr(stderr)
+	go client.readStdout(stdout)
+
+	return client, nil
+}
+
+func (client *docsPiClient) Prompt(ctx context.Context, message string) (string, error) {
+	client.promptLock.Lock()
+	defer client.promptLock.Unlock()
+
+	command := map[string]string{
+		"type":    "prompt",
+		"id":      fmt.Sprintf("req-%d", atomic.AddUint64(&client.requestID, 1)),
+		"message": message,
+	}
+	payload, err := json.Marshal(command)
+	if err != nil {
+		return "", err
+	}
+
+	if _, err := client.stdin.Write(append(payload, '\n')); err != nil {
+		return "", err
+	}
+
+	for {
+		select {
+		case <-ctx.Done():
+			return "", ctx.Err()
+		case <-client.closed:
+			return "", errors.New("pi process closed")
+		case event, ok := <-client.events:
+			if !ok {
+				return "", errors.New("pi event stream closed")
+			}
+			if event.Type == "response" {
+				response, err := decodeRpcResponse(event.Raw)
+				if err != nil {
+					return "", err
+				}
+				if !response.Success {
+					if strings.TrimSpace(response.Error) == "" {
+						return "", errors.New("pi prompt failed")
+					}
+					return "", errors.New(strings.TrimSpace(response.Error))
+				}
+				continue
+			}
+			if event.Type == "agent_end" {
+				return extractTranslationResult(event.Raw)
+			}
+		}
+	}
+}
+
+func (client *docsPiClient) Stderr() string {
+	return client.stderr.String()
+}
+
+func (client *docsPiClient) Close() error {
+	client.closeOnce.Do(func() {
+		close(client.closed)
+		if client.stdin != nil {
+			_ = client.stdin.Close()
+		}
+		if client.process != nil && client.process.Process != nil {
+			_ = client.process.Process.Signal(syscall.SIGTERM)
+		}
+
+		done := make(chan struct{})
+		go func() {
+			if client.process != nil {
+				_ = client.process.Wait()
+			}
+			close(done)
+		}()
+
+		select {
+		case <-done:
+		case <-time.After(2 * time.Second):
+			if client.process != nil && client.process.Process != nil {
+				_ = client.process.Process.Kill()
+			}
+		}
+	})
+	return nil
+}
+
+func (client *docsPiClient) captureStderr(stderr io.Reader) {
+	_, _ = io.Copy(&client.stderr, stderr)
+}
+
+func (client *docsPiClient) readStdout(stdout io.Reader) {
+	defer close(client.events)
+
+	reader := bufio.NewReader(stdout)
+	for {
+		line, err := reader.ReadBytes('\n')
+		line = bytes.TrimSpace(line)
+		if len(line) > 0 {
+			var envelope struct {
+				Type string `json:"type"`
+			}
+			if json.Unmarshal(line, &envelope) == nil && envelope.Type != "" {
+				select {
+				case client.events <- piEvent{Type: envelope.Type, Raw: append([]byte{}, line...)}:
+				case <-client.closed:
+					return
+				}
+			}
+		}
+		if err != nil {
+			return
+		}
+	}
+}
+
+func extractTranslationResult(raw json.RawMessage) (string, error) {
+	var payload agentEndPayload
+	if err := json.Unmarshal(raw, &payload); err != nil {
+		return "", err
+	}
+	for index := len(payload.Messages) - 1; index >= 0; index-- {
+		message := payload.Messages[index]
+		if message.Role != "assistant" {
+			continue
+		}
+		if message.ErrorMessage != "" || strings.EqualFold(message.StopReason, "error") {
+			msg := strings.TrimSpace(message.ErrorMessage)
+			if msg == "" {
+				msg = "unknown error"
+			}
+			return "", fmt.Errorf("pi error: %s", msg)
+		}
+		text, err := extractContentText(message.Content)
+		if err != nil {
+			return "", err
+		}
+		return text, nil
+	}
+	return "", errors.New("assistant message not found")
+}
+
+func extractContentText(content json.RawMessage) (string, error) {
+	trimmed := strings.TrimSpace(string(content))
+	if trimmed == "" {
+		return "", nil
+	}
+	if strings.HasPrefix(trimmed, "\"") {
+		var text string
+		if err := json.Unmarshal(content, &text); err != nil {
+			return "", err
+		}
+		return text, nil
+	}
+
+	var blocks []contentBlock
+	if err := json.Unmarshal(content, &blocks); err != nil {
+		return "", err
+	}
+
+	var parts []string
+	for _, block := range blocks {
+		if block.Type == "text" && block.Text != "" {
+			parts = append(parts, block.Text)
+		}
+	}
+	return strings.Join(parts, ""), nil
+}
+
+func decodeRpcResponse(raw json.RawMessage) (rpcResponse, error) {
+	var response rpcResponse
+	if err := json.Unmarshal(raw, &response); err != nil {
+		return rpcResponse{}, err
+	}
+	return response, nil
+}
+
+func getDocsPiAgentDir() (string, error) {
+	cacheDir, err := os.UserCacheDir()
+	if err != nil {
+		cacheDir = os.TempDir()
+	}
+	dir := filepath.Join(cacheDir, "openclaw", "docs-i18n", "agent")
+	if err := os.MkdirAll(dir, 0o700); err != nil {
+		return "", err
+	}
+	return dir, nil
+}
diff --git a/scripts/docs-i18n/process.go b/scripts/docs-i18n/process.go
index c792d3c11bc..cbcd1d4abc2 100644
--- a/scripts/docs-i18n/process.go
+++ b/scripts/docs-i18n/process.go
@@ -64,8 +64,8 @@ func processFile(ctx context.Context, translator *PiTranslator, tm *TranslationM
 			TextHash:   seg.TextHash,
 			Text:       seg.Text,
 			Translated: translated,
-			Provider:   providerName,
-			Model:      modelVersion,
+			Provider:   docsPiProvider(),
+			Model:      docsPiModel(),
 			SrcLang:    srcLang,
 			TgtLang:    tgtLang,
 			UpdatedAt:  time.Now().UTC().Format(time.RFC3339),
@@ -121,8 +121,8 @@ func encodeFrontMatter(frontData map[string]any, relPath string, source []byte)
 	frontData["x-i18n"] = map[string]any{
 		"source_path":  relPath,
 		"source_hash":  hashBytes(source),
-		"provider":     providerName,
-		"model":        modelVersion,
+		"provider":     docsPiProvider(),
+		"model":        docsPiModel(),
 		"workflow":     workflowVersion,
 		"generated_at": time.Now().UTC().Format(time.RFC3339),
 	}
@@ -191,8 +191,8 @@ func translateSnippet(ctx context.Context, translator *PiTranslator, tm *Transla
 		TextHash:   textHash,
 		Text:       textValue,
 		Translated: translated,
-		Provider:   providerName,
-		Model:      modelVersion,
+		Provider:   docsPiProvider(),
+		Model:      docsPiModel(),
 		SrcLang:    srcLang,
 		TgtLang:    tgtLang,
 		UpdatedAt:  time.Now().UTC().Format(time.RFC3339),
diff --git a/scripts/docs-i18n/translator.go b/scripts/docs-i18n/translator.go
index aac2afc5f80..59a41959af1 100644
--- a/scripts/docs-i18n/translator.go
+++ b/scripts/docs-i18n/translator.go
@@ -2,38 +2,31 @@ package main
 
 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
+	"os"
 	"strings"
 	"time"
-
-	pi "github.com/joshp123/pi-golang"
 )
 
 const (
-	translateMaxAttempts = 3
-	translateBaseDelay   = 15 * time.Second
+	translateMaxAttempts     = 3
+	translateBaseDelay       = 15 * time.Second
+	defaultPromptTimeout     = 2 * time.Minute
+	envDocsI18nPromptTimeout = "OPENCLAW_DOCS_I18N_PROMPT_TIMEOUT"
 )
 
 var errEmptyTranslation = errors.New("empty translation")
 
 type PiTranslator struct {
-	client *pi.OneShotClient
+	client *docsPiClient
 }
 
 func NewPiTranslator(srcLang, tgtLang string, glossary []GlossaryEntry, thinking string) (*PiTranslator, error) {
-	options := pi.DefaultOneShotOptions()
-	options.AppName = "openclaw-docs-i18n"
-	options.WorkDir = "/tmp"
-	options.Mode = pi.ModeDragons
-	options.Dragons = pi.DragonsOptions{
-		Provider: "anthropic",
-		Model:    modelVersion,
-		Thinking: normalizeThinking(thinking),
-	}
-	options.SystemPrompt = translationPrompt(srcLang, tgtLang, glossary)
-	client, err := pi.StartOneShot(options)
+	client, err := startDocsPiClient(context.Background(), docsPiClientOptions{
+		SystemPrompt: translationPrompt(srcLang, tgtLang, glossary),
+		Thinking:     normalizeThinking(thinking),
+	})
 	if err != nil {
 		return nil, err
 	}
@@ -121,10 +114,16 @@ func isRetryableTranslateError(err error) bool {
 	if err == nil {
 		return false
 	}
+	if errors.Is(err, context.DeadlineExceeded) || errors.Is(err, context.Canceled) {
+		return false
+	}
 	if errors.Is(err, errEmptyTranslation) {
 		return true
 	}
 	message := strings.ToLower(err.Error())
+	if strings.Contains(message, "authentication failed") {
+		return false
+	}
 	return strings.Contains(message, "placeholder missing") || strings.Contains(message, "rate limit") || strings.Contains(message, "429")
 }
 
@@ -145,96 +144,31 @@ func (t *PiTranslator) Close() {
 	}
 }
 
-type agentEndPayload struct {
-	Messages []agentMessage `json:"messages"`
+type promptRunner interface {
+	Prompt(context.Context, string) (string, error)
+	Stderr() string
 }
 
-type agentMessage struct {
-	Role         string          `json:"role"`
-	Content      json.RawMessage `json:"content"`
-	StopReason   string          `json:"stopReason,omitempty"`
-	ErrorMessage string          `json:"errorMessage,omitempty"`
-}
-
-type contentBlock struct {
-	Type string `json:"type"`
-	Text string `json:"text,omitempty"`
-}
-
-func runPrompt(ctx context.Context, client *pi.OneShotClient, message string) (string, error) {
-	events, cancel := client.Subscribe(256)
+func runPrompt(ctx context.Context, client promptRunner, message string) (string, error) {
+	promptCtx, cancel := context.WithTimeout(ctx, docsI18nPromptTimeout())
 	defer cancel()
 
-	if err := client.Prompt(ctx, message); err != nil {
-		return "", err
-	}
-
-	for {
-		select {
-		case <-ctx.Done():
-			return "", ctx.Err()
-		case event, ok := <-events:
-			if !ok {
-				return "", errors.New("event stream closed")
-			}
-			if event.Type == "agent_end" {
-				return extractTranslationResult(event.Raw)
-			}
-		}
+	result, err := client.Prompt(promptCtx, message)
+	if err != nil {
+		return "", decoratePromptError(err, client.Stderr())
 	}
+	return result, nil
 }
 
-func extractTranslationResult(raw json.RawMessage) (string, error) {
-	var payload agentEndPayload
-	if err := json.Unmarshal(raw, &payload); err != nil {
-		return "", err
+func decoratePromptError(err error, stderr string) error {
+	if err == nil {
+		return nil
 	}
-	for index := len(payload.Messages) - 1; index >= 0; index-- {
-		message := payload.Messages[index]
-		if message.Role != "assistant" {
-			continue
-		}
-		if message.ErrorMessage != "" || strings.EqualFold(message.StopReason, "error") {
-			msg := strings.TrimSpace(message.ErrorMessage)
-			if msg == "" {
-				msg = "unknown error"
-			}
-			return "", fmt.Errorf("pi error: %s", msg)
-		}
-		text, err := extractContentText(message.Content)
-		if err != nil {
-			return "", err
-		}
-		return text, nil
-	}
-	return "", errors.New("assistant message not found")
-}
-
-func extractContentText(content json.RawMessage) (string, error) {
-	trimmed := strings.TrimSpace(string(content))
+	trimmed := strings.TrimSpace(stderr)
 	if trimmed == "" {
-		return "", nil
+		return err
 	}
-	if strings.HasPrefix(trimmed, "\"") {
-		var text string
-		if err := json.Unmarshal(content, &text); err != nil {
-			return "", err
-		}
-		return text, nil
-	}
-
-	var blocks []contentBlock
-	if err := json.Unmarshal(content, &blocks); err != nil {
-		return "", err
-	}
-
-	var parts []string
-	for _, block := range blocks {
-		if block.Type == "text" && block.Text != "" {
-			parts = append(parts, block.Text)
-		}
-	}
-	return strings.Join(parts, ""), nil
+	return fmt.Errorf("%w (pi stderr: %s)", err, trimmed)
 }
 
 func normalizeThinking(value string) string {
@@ -245,3 +179,15 @@ func normalizeThinking(value string) string {
 		return "high"
 	}
 }
+
+func docsI18nPromptTimeout() time.Duration {
+	value := strings.TrimSpace(os.Getenv(envDocsI18nPromptTimeout))
+	if value == "" {
+		return defaultPromptTimeout
+	}
+	parsed, err := time.ParseDuration(value)
+	if err != nil || parsed <= 0 {
+		return defaultPromptTimeout
+	}
+	return parsed
+}
diff --git a/scripts/docs-i18n/translator_test.go b/scripts/docs-i18n/translator_test.go
new file mode 100644
index 00000000000..759f3aa276a
--- /dev/null
+++ b/scripts/docs-i18n/translator_test.go
@@ -0,0 +1,160 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+)
+
+type fakePromptRunner struct {
+	prompt func(context.Context, string) (string, error)
+	stderr string
+}
+
+func (runner fakePromptRunner) Prompt(ctx context.Context, message string) (string, error) {
+	return runner.prompt(ctx, message)
+}
+
+func (runner fakePromptRunner) Stderr() string {
+	return runner.stderr
+}
+
+func TestRunPromptAddsTimeout(t *testing.T) {
+	t.Parallel()
+
+	var deadline time.Time
+	client := fakePromptRunner{
+		prompt: func(ctx context.Context, message string) (string, error) {
+			var ok bool
+			deadline, ok = ctx.Deadline()
+			if !ok {
+				t.Fatal("expected prompt deadline")
+			}
+			if message != "Translate me" {
+				t.Fatalf("unexpected message %q", message)
+			}
+			return "translated", nil
+		},
+	}
+
+	got, err := runPrompt(context.Background(), client, "Translate me")
+	if err != nil {
+		t.Fatalf("runPrompt returned error: %v", err)
+	}
+	if got != "translated" {
+		t.Fatalf("unexpected translation %q", got)
+	}
+
+	remaining := time.Until(deadline)
+	if remaining <= time.Minute || remaining > docsI18nPromptTimeout() {
+		t.Fatalf("unexpected timeout window %s", remaining)
+	}
+}
+
+func TestDocsI18nPromptTimeoutUsesEnvOverride(t *testing.T) {
+	t.Setenv(envDocsI18nPromptTimeout, "5m")
+
+	if got := docsI18nPromptTimeout(); got != 5*time.Minute {
+		t.Fatalf("expected 5m timeout, got %s", got)
+	}
+}
+
+func TestIsRetryableTranslateErrorRejectsDeadlineExceeded(t *testing.T) {
+	t.Parallel()
+
+	if isRetryableTranslateError(context.DeadlineExceeded) {
+		t.Fatal("deadline exceeded should not retry")
+	}
+}
+
+func TestIsRetryableTranslateErrorRejectsAuthenticationFailures(t *testing.T) {
+	t.Parallel()
+
+	if isRetryableTranslateError(errors.New(`Authentication failed for "openai"`)) {
+		t.Fatal("auth failures should not retry")
+	}
+}
+
+func TestRunPromptIncludesStderr(t *testing.T) {
+	t.Parallel()
+
+	rootErr := errors.New("context deadline exceeded")
+	client := fakePromptRunner{
+		prompt: func(context.Context, string) (string, error) {
+			return "", rootErr
+		},
+		stderr: "boom",
+	}
+
+	_, err := runPrompt(context.Background(), client, "Translate me")
+	if err == nil {
+		t.Fatal("expected error")
+	}
+	if !errors.Is(err, rootErr) {
+		t.Fatalf("expected wrapped root error, got %v", err)
+	}
+	if !strings.Contains(err.Error(), "pi stderr: boom") {
+		t.Fatalf("expected stderr in error, got %v", err)
+	}
+}
+
+func TestDecoratePromptErrorLeavesCleanErrorsAlone(t *testing.T) {
+	t.Parallel()
+
+	rootErr := errors.New("plain failure")
+	got := decoratePromptError(rootErr, "  ")
+	if !errors.Is(got, rootErr) {
+		t.Fatalf("expected original error, got %v", got)
+	}
+	if got.Error() != rootErr.Error() {
+		t.Fatalf("expected unchanged message, got %v", got)
+	}
+}
+
+func TestResolveDocsPiCommandUsesOverrideEnv(t *testing.T) {
+	t.Setenv(envDocsPiExecutable, "/tmp/custom-pi")
+	t.Setenv(envDocsPiArgs, "--mode rpc --foo bar")
+
+	command, err := resolveDocsPiCommand(context.Background())
+	if err != nil {
+		t.Fatalf("resolveDocsPiCommand returned error: %v", err)
+	}
+
+	if command.Executable != "/tmp/custom-pi" {
+		t.Fatalf("unexpected executable %q", command.Executable)
+	}
+	if strings.Join(command.Args, " ") != "--mode rpc --foo bar" {
+		t.Fatalf("unexpected args %v", command.Args)
+	}
+}
+
+func TestShouldMaterializePiRuntimeForPiMonoWrapper(t *testing.T) {
+	t.Parallel()
+
+	root := t.TempDir()
+	sourceDir := filepath.Join(root, "Projects", "pi-mono", "packages", "coding-agent", "dist")
+	binDir := filepath.Join(root, "bin")
+	if err := os.MkdirAll(sourceDir, 0o755); err != nil {
+		t.Fatalf("mkdir source dir: %v", err)
+	}
+	if err := os.MkdirAll(binDir, 0o755); err != nil {
+		t.Fatalf("mkdir bin dir: %v", err)
+	}
+
+	target := filepath.Join(sourceDir, "cli.js")
+	if err := os.WriteFile(target, []byte("console.log('pi');\n"), 0o644); err != nil {
+		t.Fatalf("write target: %v", err)
+	}
+	link := filepath.Join(binDir, "pi")
+	if err := os.Symlink(target, link); err != nil {
+		t.Fatalf("symlink: %v", err)
+	}
+
+	if !shouldMaterializePiRuntime(link) {
+		t.Fatal("expected pi-mono wrapper to materialize runtime")
+	}
+}
diff --git a/scripts/docs-i18n/util.go b/scripts/docs-i18n/util.go
index 3be70ee3076..e7a8e6daaf3 100644
--- a/scripts/docs-i18n/util.go
+++ b/scripts/docs-i18n/util.go
@@ -10,13 +10,24 @@ import (
 )
 
 const (
-	workflowVersion = 15
-	providerName    = "pi"
-	modelVersion    = "claude-opus-4-6"
+	workflowVersion          = 15
+	docsI18nEngineName       = "pi"
+	envDocsI18nProvider      = "OPENCLAW_DOCS_I18N_PROVIDER"
+	envDocsI18nModel         = "OPENCLAW_DOCS_I18N_MODEL"
+	defaultOpenAIModel       = "gpt-5.4"
+	defaultAnthropicModel    = "claude-opus-4-6"
+	defaultFallbackProvider  = "openai"
+	defaultFallbackModelName = defaultOpenAIModel
 )
 
 func cacheNamespace() string {
-	return fmt.Sprintf("wf=%d|provider=%s|model=%s", workflowVersion, providerName, modelVersion)
+	return fmt.Sprintf(
+		"wf=%d|engine=%s|provider=%s|model=%s",
+		workflowVersion,
+		docsI18nEngineName,
+		docsPiProvider(),
+		docsPiModel(),
+	)
 }
 
 func cacheKey(namespace, srcLang, tgtLang, segmentID, textHash string) string {
@@ -40,6 +51,33 @@ func normalizeText(text string) string {
 	return strings.Join(strings.Fields(strings.TrimSpace(text)), " ")
 }
 
+func docsPiProvider() string {
+	if value := strings.TrimSpace(os.Getenv(envDocsI18nProvider)); value != "" {
+		return value
+	}
+	if strings.TrimSpace(os.Getenv("OPENAI_API_KEY")) != "" {
+		return "openai"
+	}
+	if strings.TrimSpace(os.Getenv("ANTHROPIC_API_KEY")) != "" {
+		return "anthropic"
+	}
+	return defaultFallbackProvider
+}
+
+func docsPiModel() string {
+	if value := strings.TrimSpace(os.Getenv(envDocsI18nModel)); value != "" {
+		return value
+	}
+	switch docsPiProvider() {
+	case "anthropic":
+		return defaultAnthropicModel
+	case "openai":
+		return defaultOpenAIModel
+	default:
+		return defaultFallbackModelName
+	}
+}
+
 func segmentID(relPath, textHash string) string {
 	shortHash := textHash
 	if len(shortHash) > 16 {
diff --git a/scripts/docs-i18n/util_test.go b/scripts/docs-i18n/util_test.go
new file mode 100644
index 00000000000..77b5ca82a73
--- /dev/null
+++ b/scripts/docs-i18n/util_test.go
@@ -0,0 +1,41 @@
+package main
+
+import "testing"
+
+func TestDocsPiProviderPrefersExplicitOverride(t *testing.T) {
+	t.Setenv(envDocsI18nProvider, "anthropic")
+	t.Setenv("OPENAI_API_KEY", "openai-key")
+	t.Setenv("ANTHROPIC_API_KEY", "anthropic-key")
+
+	if got := docsPiProvider(); got != "anthropic" {
+		t.Fatalf("expected anthropic override, got %q", got)
+	}
+}
+
+func TestDocsPiProviderPrefersOpenAIEnvWhenAvailable(t *testing.T) {
+	t.Setenv(envDocsI18nProvider, "")
+	t.Setenv("OPENAI_API_KEY", "openai-key")
+	t.Setenv("ANTHROPIC_API_KEY", "anthropic-key")
+
+	if got := docsPiProvider(); got != "openai" {
+		t.Fatalf("expected openai provider, got %q", got)
+	}
+}
+
+func TestDocsPiModelUsesProviderDefault(t *testing.T) {
+	t.Setenv(envDocsI18nProvider, "anthropic")
+	t.Setenv(envDocsI18nModel, "")
+
+	if got := docsPiModel(); got != defaultAnthropicModel {
+		t.Fatalf("expected anthropic default model, got %q", got)
+	}
+}
+
+func TestDocsPiModelPrefersExplicitOverride(t *testing.T) {
+	t.Setenv(envDocsI18nProvider, "openai")
+	t.Setenv(envDocsI18nModel, "gpt-5.2")
+
+	if got := docsPiModel(); got != "gpt-5.2" {
+		t.Fatalf("expected explicit model override, got %q", got)
+	}
+}
diff --git a/scripts/docs-link-audit.mjs b/scripts/docs-link-audit.mjs
index 2b9bb91de16..2419fc2d8f5 100644
--- a/scripts/docs-link-audit.mjs
+++ b/scripts/docs-link-audit.mjs
@@ -63,7 +63,17 @@ for (const item of docsConfig.redirects || []) {
 const allFiles = walk(DOCS_DIR);
 const relAllFiles = new Set(allFiles.map((abs) => normalizeSlashes(path.relative(DOCS_DIR, abs))));
 
-const markdownFiles = allFiles.filter((abs) => /\.(md|mdx)$/i.test(abs));
+function isGeneratedTranslatedDoc(relPath) {
+  return relPath.startsWith("zh-CN/");
+}
+
+const markdownFiles = allFiles.filter((abs) => {
+  if (!/\.(md|mdx)$/i.test(abs)) {
+    return false;
+  }
+  const rel = normalizeSlashes(path.relative(DOCS_DIR, abs));
+  return !isGeneratedTranslatedDoc(rel);
+});
 const routes = new Set();
 
 for (const abs of markdownFiles) {
@@ -257,6 +267,9 @@ for (const abs of markdownFiles) {
 }
 
 for (const page of collectNavPageEntries(docsConfig.navigation || [])) {
+  if (isGeneratedTranslatedDoc(String(page))) {
+    continue;
+  }
   checked++;
   const route = normalizeRoute(page);
   const resolvedRoute = resolveRoute(route);
diff --git a/scripts/e2e/Dockerfile b/scripts/e2e/Dockerfile
index fb390c1190b..4669e762c4a 100644
--- a/scripts/e2e/Dockerfile
+++ b/scripts/e2e/Dockerfile
@@ -1,38 +1,44 @@
 # syntax=docker/dockerfile:1.7
 
-FROM node:24-bookworm@sha256:9f3b13503acdf9bc1e0213ccb25ebe86ac881cad17636733a1da1be1d44509df
+FROM node:24-bookworm@sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends ca-certificates git \
+ && rm -rf /var/lib/apt/lists/*
 
 RUN corepack enable
 
-WORKDIR /app
+RUN useradd --create-home --shell /bin/bash appuser \
+ && mkdir -p /app \
+ && chown appuser:appuser /app
 
+ENV HOME="/home/appuser"
 ENV NODE_OPTIONS="--disable-warning=ExperimentalWarning"
 
-COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
-COPY ui/package.json ./ui/package.json
-COPY extensions/memory-core/package.json ./extensions/memory-core/package.json
-COPY patches ./patches
+USER appuser
+WORKDIR /app
 
-RUN --mount=type=cache,id=openclaw-pnpm-store,target=/root/.local/share/pnpm/store,sharing=locked \
+COPY --chown=appuser:appuser package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY --chown=appuser:appuser ui/package.json ./ui/package.json
+COPY --chown=appuser:appuser extensions/memory-core/package.json ./extensions/memory-core/package.json
+COPY --chown=appuser:appuser patches ./patches
+
+RUN --mount=type=cache,id=openclaw-pnpm-store,target=/home/appuser/.local/share/pnpm/store,sharing=locked \
     pnpm install --frozen-lockfile
 
-COPY tsconfig.json tsconfig.plugin-sdk.dts.json tsdown.config.ts vitest.config.ts vitest.e2e.config.ts openclaw.mjs ./
-COPY src ./src
-COPY test ./test
-COPY scripts ./scripts
-COPY docs ./docs
-COPY skills ./skills
-COPY ui ./ui
-COPY extensions/memory-core ./extensions/memory-core
-COPY vendor/a2ui/renderers/lit ./vendor/a2ui/renderers/lit
-COPY apps/shared/OpenClawKit/Sources/OpenClawKit/Resources ./apps/shared/OpenClawKit/Sources/OpenClawKit/Resources
-COPY apps/shared/OpenClawKit/Tools/CanvasA2UI ./apps/shared/OpenClawKit/Tools/CanvasA2UI
+COPY --chown=appuser:appuser tsconfig.json tsconfig.plugin-sdk.dts.json tsdown.config.ts vitest.config.ts vitest.e2e.config.ts openclaw.mjs ./
+COPY --chown=appuser:appuser src ./src
+COPY --chown=appuser:appuser test ./test
+COPY --chown=appuser:appuser scripts ./scripts
+COPY --chown=appuser:appuser docs ./docs
+COPY --chown=appuser:appuser skills ./skills
+COPY --chown=appuser:appuser ui ./ui
+COPY --chown=appuser:appuser extensions ./extensions
+COPY --chown=appuser:appuser vendor/a2ui/renderers/lit ./vendor/a2ui/renderers/lit
+COPY --chown=appuser:appuser apps/shared/OpenClawKit/Sources/OpenClawKit/Resources ./apps/shared/OpenClawKit/Sources/OpenClawKit/Resources
+COPY --chown=appuser:appuser apps/shared/OpenClawKit/Tools/CanvasA2UI ./apps/shared/OpenClawKit/Tools/CanvasA2UI
 
 RUN pnpm build
 RUN pnpm ui:build
 
-RUN useradd --create-home --shell /bin/bash appuser \
-  && chown -R appuser:appuser /app
-USER appuser
-
 CMD ["bash"]
diff --git a/scripts/e2e/Dockerfile.qr-import b/scripts/e2e/Dockerfile.qr-import
index a8c611a9516..4b572a705b3 100644
--- a/scripts/e2e/Dockerfile.qr-import
+++ b/scripts/e2e/Dockerfile.qr-import
@@ -1,23 +1,26 @@
 # syntax=docker/dockerfile:1.7
 
-FROM node:24-bookworm@sha256:9f3b13503acdf9bc1e0213ccb25ebe86ac881cad17636733a1da1be1d44509df
+FROM node:24-bookworm@sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b
 
 RUN corepack enable
 
+RUN useradd --create-home --shell /bin/bash appuser \
+ && mkdir -p /app \
+ && chown appuser:appuser /app
+
+ENV HOME="/home/appuser"
+
+USER appuser
 WORKDIR /app
 
-COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
-COPY ui/package.json ./ui/package.json
-COPY patches ./patches
+COPY --chown=appuser:appuser package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY --chown=appuser:appuser ui/package.json ./ui/package.json
+COPY --chown=appuser:appuser patches ./patches
 
 # This image only exercises the root qrcode-terminal dependency path.
 # Keep the pre-install copy set limited to the manifests needed for root
 # workspace resolution so unrelated extension edits do not bust the layer.
-RUN --mount=type=cache,id=openclaw-pnpm-store,target=/root/.local/share/pnpm/store,sharing=locked \
+RUN --mount=type=cache,id=openclaw-pnpm-store,target=/home/appuser/.local/share/pnpm/store,sharing=locked \
     pnpm install --frozen-lockfile
 
-COPY . .
-
-RUN useradd --create-home --shell /bin/bash appuser \
-  && chown -R appuser:appuser /app
-USER appuser
+COPY --chown=appuser:appuser . .
diff --git a/scripts/e2e/parallels-macos-smoke.sh b/scripts/e2e/parallels-macos-smoke.sh
index 0b790346358..fcdb940161f 100644
--- a/scripts/e2e/parallels-macos-smoke.sh
+++ b/scripts/e2e/parallels-macos-smoke.sh
@@ -17,6 +17,10 @@ TARGET_PACKAGE_SPEC=""
 KEEP_SERVER=0
 CHECK_LATEST_REF=1
 JSON_OUTPUT=0
+DISCORD_TOKEN_ENV=""
+DISCORD_TOKEN_VALUE=""
+DISCORD_GUILD_ID=""
+DISCORD_CHANNEL_ID=""
 GUEST_OPENCLAW_BIN="/opt/homebrew/bin/openclaw"
 GUEST_OPENCLAW_ENTRY="/opt/homebrew/lib/node_modules/openclaw/openclaw.mjs"
 GUEST_NODE_BIN="/opt/homebrew/bin/node"
@@ -35,6 +39,7 @@ TIMEOUT_GATEWAY_S=60
 TIMEOUT_AGENT_S=120
 TIMEOUT_PERMISSION_S=60
 TIMEOUT_SNAPSHOT_S=180
+TIMEOUT_DISCORD_S=180
 
 FRESH_MAIN_VERSION="skip"
 LATEST_INSTALLED_VERSION="skip"
@@ -43,6 +48,8 @@ FRESH_GATEWAY_STATUS="skip"
 UPGRADE_GATEWAY_STATUS="skip"
 FRESH_AGENT_STATUS="skip"
 UPGRADE_AGENT_STATUS="skip"
+FRESH_DISCORD_STATUS="skip"
+UPGRADE_DISCORD_STATUS="skip"
 
 say() {
   printf '==> %s\n' "$*"
@@ -66,6 +73,9 @@ die() {
 }
 
 cleanup() {
+  if command -v cleanup_discord_smoke_messages >/dev/null 2>&1; then
+    cleanup_discord_smoke_messages
+  fi
   if [[ -n "${SERVER_PID:-}" ]]; then
     kill "$SERVER_PID" >/dev/null 2>&1 || true
   fi
@@ -106,6 +116,9 @@ Options:
                              Example: openclaw@2026.3.13-beta.1
   --skip-latest-ref-check    Skip the known latest-release ref-mode precheck in upgrade lane.
   --keep-server              Leave temp host HTTP server running.
+  --discord-token-env <var>  Host env var name for Discord bot token.
+  --discord-guild-id <id>    Discord guild ID for smoke roundtrip.
+  --discord-channel-id <id>  Discord channel ID for smoke roundtrip.
   --json                     Print machine-readable JSON summary.
   -h, --help                 Show help.
 EOF
@@ -154,6 +167,18 @@ while [[ $# -gt 0 ]]; do
       TARGET_PACKAGE_SPEC="$2"
       shift 2
       ;;
+    --discord-token-env)
+      DISCORD_TOKEN_ENV="$2"
+      shift 2
+      ;;
+    --discord-guild-id)
+      DISCORD_GUILD_ID="$2"
+      shift 2
+      ;;
+    --discord-channel-id)
+      DISCORD_CHANNEL_ID="$2"
+      shift 2
+      ;;
     --skip-latest-ref-check)
       CHECK_LATEST_REF=0
       shift
@@ -186,6 +211,86 @@ esac
 OPENAI_API_KEY_VALUE="${!OPENAI_API_KEY_ENV:-}"
 [[ -n "$OPENAI_API_KEY_VALUE" ]] || die "$OPENAI_API_KEY_ENV is required"
 
+if [[ -n "$DISCORD_TOKEN_ENV" || -n "$DISCORD_GUILD_ID" || -n "$DISCORD_CHANNEL_ID" ]]; then
+  [[ -n "$DISCORD_TOKEN_ENV" ]] || die "--discord-token-env is required when Discord smoke args are set"
+  [[ -n "$DISCORD_GUILD_ID" ]] || die "--discord-guild-id is required when Discord smoke args are set"
+  [[ -n "$DISCORD_CHANNEL_ID" ]] || die "--discord-channel-id is required when Discord smoke args are set"
+  DISCORD_TOKEN_VALUE="${!DISCORD_TOKEN_ENV:-}"
+  [[ -n "$DISCORD_TOKEN_VALUE" ]] || die "$DISCORD_TOKEN_ENV is required for Discord smoke"
+fi
+
+discord_smoke_enabled() {
+  [[ -n "$DISCORD_TOKEN_VALUE" && -n "$DISCORD_GUILD_ID" && -n "$DISCORD_CHANNEL_ID" ]]
+}
+
+discord_api_request() {
+  local method="$1"
+  local path="$2"
+  local payload="${3:-}"
+  local url="https://discord.com/api/v10$path"
+  if [[ -n "$payload" ]]; then
+    curl -fsS -X "$method" \
+      -H "Authorization: Bot $DISCORD_TOKEN_VALUE" \
+      -H "Content-Type: application/json" \
+      --data "$payload" \
+      "$url"
+    return
+  fi
+  curl -fsS -X "$method" \
+    -H "Authorization: Bot $DISCORD_TOKEN_VALUE" \
+    "$url"
+}
+
+json_contains_string() {
+  local needle="$1"
+  python3 - "$needle" <<'PY'
+import json
+import sys
+
+needle = sys.argv[1]
+try:
+    payload = json.load(sys.stdin)
+except Exception:
+    raise SystemExit(1)
+
+def contains(value):
+    if isinstance(value, str):
+        return needle in value
+    if isinstance(value, list):
+        return any(contains(item) for item in value)
+    if isinstance(value, dict):
+        return any(contains(item) for item in value.values())
+    return False
+
+raise SystemExit(0 if contains(payload) else 1)
+PY
+}
+
+discord_delete_message_id_file() {
+  local path="$1"
+  [[ -f "$path" ]] || return 0
+  [[ -s "$path" ]] || return 0
+  discord_smoke_enabled || return 0
+
+  local message_id
+  message_id="$(tr -d '\r\n' <"$path")"
+  [[ -n "$message_id" ]] || return 0
+
+  set +e
+  discord_api_request DELETE "/channels/$DISCORD_CHANNEL_ID/messages/$message_id" >/dev/null
+  set -e
+}
+
+cleanup_discord_smoke_messages() {
+  discord_smoke_enabled || return 0
+  [[ -d "$RUN_DIR" ]] || return 0
+
+  discord_delete_message_id_file "$RUN_DIR/fresh.discord-sent-message-id"
+  discord_delete_message_id_file "$RUN_DIR/fresh.discord-host-message-id"
+  discord_delete_message_id_file "$RUN_DIR/upgrade.discord-sent-message-id"
+  discord_delete_message_id_file "$RUN_DIR/upgrade.discord-host-message-id"
+}
+
 resolve_snapshot_id() {
   local json hint
   json="$(prlctl snapshot-list "$VM_NAME" --json)"
@@ -286,7 +391,7 @@ wait_for_current_user() {
 
 guest_current_user_exec() {
   prlctl exec "$VM_NAME" --current-user /usr/bin/env \
-    PATH=/opt/homebrew/bin:/opt/homebrew/sbin:/usr/bin:/bin:/usr/sbin:/sbin \
+    PATH=/opt/homebrew/bin:/opt/homebrew/opt/node/bin:/opt/homebrew/sbin:/usr/bin:/bin:/usr/sbin:/sbin \
     "$@"
 }
 
@@ -553,6 +658,180 @@ verify_turn() {
   guest_current_user_exec "$GUEST_NODE_BIN" "$GUEST_OPENCLAW_ENTRY" agent --agent main --message ping --json
 }
 
+configure_discord_smoke() {
+  local guilds_json script
+  guilds_json="$(
+    DISCORD_GUILD_ID="$DISCORD_GUILD_ID" DISCORD_CHANNEL_ID="$DISCORD_CHANNEL_ID" python3 - <<'PY'
+import json
+import os
+
+print(
+    json.dumps(
+        {
+            os.environ["DISCORD_GUILD_ID"]: {
+                "channels": {
+                    os.environ["DISCORD_CHANNEL_ID"]: {
+                        "allow": True,
+                        "requireMention": False,
+                    }
+                }
+            }
+        }
+    )
+)
+PY
+  )"
+  script="$(cat <<EOF
+cat >/tmp/openclaw-discord-token <<'__OPENCLAW_TOKEN__'
+$DISCORD_TOKEN_VALUE
+__OPENCLAW_TOKEN__
+cat >/tmp/openclaw-discord-guilds.json <<'__OPENCLAW_GUILDS__'
+$guilds_json
+__OPENCLAW_GUILDS__
+token="\$(tr -d '\n' </tmp/openclaw-discord-token)"
+guilds_json="\$(cat /tmp/openclaw-discord-guilds.json)"
+$GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY config set channels.discord.token "\$token"
+$GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY config set channels.discord.enabled true
+$GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY config set channels.discord.groupPolicy allowlist
+$GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY config set channels.discord.guilds "\$guilds_json" --strict-json
+$GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY gateway restart
+for _ in 1 2 3 4 5 6 7 8; do
+  if $GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY gateway status --deep --require-rpc >/dev/null 2>&1; then
+    break
+  fi
+  sleep 2
+done
+$GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY channels status --probe --json
+rm -f /tmp/openclaw-discord-token /tmp/openclaw-discord-guilds.json
+EOF
+)"
+  prlctl exec "$VM_NAME" --current-user /usr/bin/env \
+    PATH=/opt/homebrew/bin:/opt/homebrew/opt/node/bin:/opt/homebrew/sbin:/usr/bin:/bin:/usr/sbin:/sbin \
+    /bin/sh -lc "$script"
+}
+
+discord_message_id_from_send_log() {
+  local path="$1"
+  python3 - "$path" <<'PY'
+import json
+import pathlib
+import sys
+
+payload = json.loads(pathlib.Path(sys.argv[1]).read_text())
+message_id = payload.get("payload", {}).get("messageId")
+if not message_id:
+    message_id = payload.get("payload", {}).get("result", {}).get("messageId")
+if not message_id:
+    raise SystemExit("messageId missing from send output")
+print(message_id)
+PY
+}
+
+wait_for_discord_host_visibility() {
+  local nonce="$1"
+  local response
+  local deadline=$((SECONDS + TIMEOUT_DISCORD_S))
+  while (( SECONDS < deadline )); do
+    set +e
+    response="$(discord_api_request GET "/channels/$DISCORD_CHANNEL_ID/messages?limit=20")"
+    local rc=$?
+    set -e
+    if [[ $rc -eq 0 ]] && [[ -n "$response" ]] && printf '%s' "$response" | json_contains_string "$nonce"; then
+      return 0
+    fi
+    sleep 2
+  done
+  return 1
+}
+
+post_host_discord_message() {
+  local nonce="$1"
+  local id_file="$2"
+  local payload response
+  payload="$(
+    NONCE="$nonce" python3 - <<'PY'
+import json
+import os
+
+print(
+    json.dumps(
+        {
+            "content": f"parallels-macos-smoke-inbound-{os.environ['NONCE']}",
+            "flags": 4096,
+        }
+    )
+)
+PY
+  )"
+  response="$(discord_api_request POST "/channels/$DISCORD_CHANNEL_ID/messages" "$payload")"
+  printf '%s' "$response" | python3 - "$id_file" <<'PY'
+import json
+import pathlib
+import sys
+
+payload = json.load(sys.stdin)
+message_id = payload.get("id")
+if not isinstance(message_id, str) or not message_id:
+    raise SystemExit("host Discord post missing message id")
+pathlib.Path(sys.argv[1]).write_text(f"{message_id}\n", encoding="utf-8")
+PY
+}
+
+wait_for_guest_discord_readback() {
+  local nonce="$1"
+  local response rc
+  local last_response_path="$RUN_DIR/discord-last-readback.json"
+  local deadline=$((SECONDS + TIMEOUT_DISCORD_S))
+  while (( SECONDS < deadline )); do
+    set +e
+    response="$(
+      guest_current_user_exec \
+      "$GUEST_OPENCLAW_BIN" \
+      message read \
+      --channel discord \
+      --target "channel:$DISCORD_CHANNEL_ID" \
+      --limit 20 \
+      --json
+    )"
+    rc=$?
+    set -e
+    if [[ -n "$response" ]]; then
+      printf '%s' "$response" >"$last_response_path"
+    fi
+    if [[ $rc -eq 0 ]] && [[ -n "$response" ]] && printf '%s' "$response" | json_contains_string "$nonce"; then
+      return 0
+    fi
+    sleep 3
+  done
+  return 1
+}
+
+run_discord_roundtrip_smoke() {
+  local phase="$1"
+  local nonce outbound_nonce inbound_nonce outbound_message outbound_log sent_id_file host_id_file
+  nonce="$(date +%s)-$RANDOM"
+  outbound_nonce="$phase-out-$nonce"
+  inbound_nonce="$phase-in-$nonce"
+  outbound_message="parallels-macos-smoke-outbound-$outbound_nonce"
+  outbound_log="$RUN_DIR/$phase.discord-send.json"
+  sent_id_file="$RUN_DIR/$phase.discord-sent-message-id"
+  host_id_file="$RUN_DIR/$phase.discord-host-message-id"
+
+  guest_current_user_exec \
+    "$GUEST_OPENCLAW_BIN" \
+    message send \
+    --channel discord \
+    --target "channel:$DISCORD_CHANNEL_ID" \
+    --message "$outbound_message" \
+    --silent \
+    --json >"$outbound_log"
+
+  discord_message_id_from_send_log "$outbound_log" >"$sent_id_file"
+  wait_for_discord_host_visibility "$outbound_nonce"
+  post_host_discord_message "$inbound_nonce" "$host_id_file"
+  wait_for_guest_discord_readback "$inbound_nonce"
+}
+
 phase_log_path() {
   printf '%s/%s.log\n' "$RUN_DIR" "$1"
 }
@@ -646,6 +925,7 @@ summary = {
         "version": os.environ["SUMMARY_FRESH_MAIN_VERSION"],
         "gateway": os.environ["SUMMARY_FRESH_GATEWAY_STATUS"],
         "agent": os.environ["SUMMARY_FRESH_AGENT_STATUS"],
+        "discord": os.environ["SUMMARY_FRESH_DISCORD_STATUS"],
     },
     "upgrade": {
         "precheck": os.environ["SUMMARY_UPGRADE_PRECHECK_STATUS"],
@@ -654,6 +934,7 @@ summary = {
         "mainVersion": os.environ["SUMMARY_UPGRADE_MAIN_VERSION"],
         "gateway": os.environ["SUMMARY_UPGRADE_GATEWAY_STATUS"],
         "agent": os.environ["SUMMARY_UPGRADE_AGENT_STATUS"],
+        "discord": os.environ["SUMMARY_UPGRADE_DISCORD_STATUS"],
     },
 }
 with open(sys.argv[1], "w", encoding="utf-8") as handle:
@@ -691,6 +972,12 @@ run_fresh_main_lane() {
   FRESH_GATEWAY_STATUS="pass"
   phase_run "fresh.first-agent-turn" "$TIMEOUT_AGENT_S" verify_turn
   FRESH_AGENT_STATUS="pass"
+  if discord_smoke_enabled; then
+    FRESH_DISCORD_STATUS="fail"
+    phase_run "fresh.discord-config" "$TIMEOUT_GATEWAY_S" configure_discord_smoke
+    phase_run "fresh.discord-roundtrip" "$TIMEOUT_DISCORD_S" run_discord_roundtrip_smoke "fresh"
+    FRESH_DISCORD_STATUS="pass"
+  fi
 }
 
 run_upgrade_lane() {
@@ -718,6 +1005,12 @@ run_upgrade_lane() {
   UPGRADE_GATEWAY_STATUS="pass"
   phase_run "upgrade.first-agent-turn" "$TIMEOUT_AGENT_S" verify_turn
   UPGRADE_AGENT_STATUS="pass"
+  if discord_smoke_enabled; then
+    UPGRADE_DISCORD_STATUS="fail"
+    phase_run "upgrade.discord-config" "$TIMEOUT_GATEWAY_S" configure_discord_smoke
+    phase_run "upgrade.discord-roundtrip" "$TIMEOUT_DISCORD_S" run_discord_roundtrip_smoke "upgrade"
+    UPGRADE_DISCORD_STATUS="pass"
+  fi
 }
 
 FRESH_MAIN_STATUS="skip"
@@ -733,6 +1026,11 @@ say "VM: $VM_NAME"
 say "Snapshot hint: $SNAPSHOT_HINT"
 say "Latest npm version: $LATEST_VERSION"
 say "Current head: $(git rev-parse --short HEAD)"
+if discord_smoke_enabled; then
+  say "Discord smoke: guild=$DISCORD_GUILD_ID channel=$DISCORD_CHANNEL_ID"
+else
+  say "Discord smoke: disabled"
+fi
 say "Run logs: $RUN_DIR"
 
 pack_main_tgz
@@ -781,12 +1079,14 @@ SUMMARY_JSON_PATH="$(
   SUMMARY_FRESH_MAIN_VERSION="$FRESH_MAIN_VERSION" \
   SUMMARY_FRESH_GATEWAY_STATUS="$FRESH_GATEWAY_STATUS" \
   SUMMARY_FRESH_AGENT_STATUS="$FRESH_AGENT_STATUS" \
+  SUMMARY_FRESH_DISCORD_STATUS="$FRESH_DISCORD_STATUS" \
   SUMMARY_UPGRADE_PRECHECK_STATUS="$UPGRADE_PRECHECK_STATUS" \
   SUMMARY_UPGRADE_STATUS="$UPGRADE_STATUS" \
   SUMMARY_LATEST_INSTALLED_VERSION="$LATEST_INSTALLED_VERSION" \
   SUMMARY_UPGRADE_MAIN_VERSION="$UPGRADE_MAIN_VERSION" \
   SUMMARY_UPGRADE_GATEWAY_STATUS="$UPGRADE_GATEWAY_STATUS" \
   SUMMARY_UPGRADE_AGENT_STATUS="$UPGRADE_AGENT_STATUS" \
+  SUMMARY_UPGRADE_DISCORD_STATUS="$UPGRADE_DISCORD_STATUS" \
   write_summary_json
 )"
 
@@ -800,9 +1100,9 @@ else
   if [[ -n "$INSTALL_VERSION" ]]; then
     printf '  baseline-install-version: %s\n' "$INSTALL_VERSION"
   fi
-  printf '  fresh-main: %s (%s)\n' "$FRESH_MAIN_STATUS" "$FRESH_MAIN_VERSION"
+  printf '  fresh-main: %s (%s) discord=%s\n' "$FRESH_MAIN_STATUS" "$FRESH_MAIN_VERSION" "$FRESH_DISCORD_STATUS"
   printf '  latest->main precheck: %s (%s)\n' "$UPGRADE_PRECHECK_STATUS" "$LATEST_INSTALLED_VERSION"
-  printf '  latest->main: %s (%s)\n' "$UPGRADE_STATUS" "$UPGRADE_MAIN_VERSION"
+  printf '  latest->main: %s (%s) discord=%s\n' "$UPGRADE_STATUS" "$UPGRADE_MAIN_VERSION" "$UPGRADE_DISCORD_STATUS"
   printf '  logs: %s\n' "$RUN_DIR"
   printf '  summary: %s\n' "$SUMMARY_JSON_PATH"
 fi
diff --git a/scripts/e2e/parallels-windows-smoke.sh b/scripts/e2e/parallels-windows-smoke.sh
index cd144511f49..e7016d22062 100644
--- a/scripts/e2e/parallels-windows-smoke.sh
+++ b/scripts/e2e/parallels-windows-smoke.sh
@@ -371,9 +371,10 @@ phase_run() {
   local timeout_s="$2"
   shift 2
 
-  local log_path pid rc timed_out
+  local log_path pid start rc timed_out
   log_path="$(phase_log_path "$phase_id")"
   say "$phase_id"
+  start=$SECONDS
   timed_out=0
 
   (
@@ -381,26 +382,22 @@ phase_run() {
   ) >"$log_path" 2>&1 &
   pid=$!
 
-  (
-    sleep "$timeout_s"
-    kill "$pid" >/dev/null 2>&1 || true
-    sleep 2
-    kill -9 "$pid" >/dev/null 2>&1 || true
-  ) &
-  local killer_pid=$!
+  while kill -0 "$pid" >/dev/null 2>&1; do
+    if (( SECONDS - start >= timeout_s )); then
+      timed_out=1
+      kill "$pid" >/dev/null 2>&1 || true
+      sleep 2
+      kill -9 "$pid" >/dev/null 2>&1 || true
+      break
+    fi
+    sleep 1
+  done
 
   set +e
   wait "$pid"
   rc=$?
   set -e
 
-  if kill -0 "$killer_pid" >/dev/null 2>&1; then
-    kill "$killer_pid" >/dev/null 2>&1 || true
-    wait "$killer_pid" >/dev/null 2>&1 || true
-  else
-    timed_out=1
-  fi
-
   if (( timed_out )); then
     warn "$phase_id timed out after ${timeout_s}s"
     printf 'timeout after %ss\n' "$timeout_s" >>"$log_path"
@@ -770,7 +767,7 @@ show_gateway_status_compat() {
 }
 
 verify_turn() {
-  guest_run_openclaw "" "" agent --agent main --message ping --json
+  guest_run_openclaw "" "" agent --agent main --message "Reply with exact ASCII text OK only." --json
 }
 
 capture_latest_ref_failure() {
diff --git a/scripts/e2e/plugins-docker.sh b/scripts/e2e/plugins-docker.sh
index 854a92606ed..587840ec93a 100755
--- a/scripts/e2e/plugins-docker.sh
+++ b/scripts/e2e/plugins-docker.sh
@@ -8,24 +8,69 @@ echo "Building Docker image..."
 docker build -t "$IMAGE_NAME" -f "$ROOT_DIR/scripts/e2e/Dockerfile" "$ROOT_DIR"
 
 echo "Running plugins Docker E2E..."
-	docker run --rm -t "$IMAGE_NAME" bash -lc '
-	  set -euo pipefail
-	  if [ -f dist/index.mjs ]; then
-	    OPENCLAW_ENTRY="dist/index.mjs"
-	  elif [ -f dist/index.js ]; then
-	    OPENCLAW_ENTRY="dist/index.js"
-	  else
-	    echo "Missing dist/index.(m)js (build output):"
-	    ls -la dist || true
-	    exit 1
-	  fi
-	  export OPENCLAW_ENTRY
+docker run --rm -i "$IMAGE_NAME" bash -s <<'EOF'
+set -euo pipefail
 
-	  home_dir=$(mktemp -d "/tmp/openclaw-plugins-e2e.XXXXXX")
-	  export HOME="$home_dir"
-  mkdir -p "$HOME/.openclaw/extensions/demo-plugin"
+if [ -f dist/index.mjs ]; then
+  OPENCLAW_ENTRY="dist/index.mjs"
+elif [ -f dist/index.js ]; then
+  OPENCLAW_ENTRY="dist/index.js"
+else
+  echo "Missing dist/index.(m)js (build output):"
+  ls -la dist || true
+  exit 1
+fi
+export OPENCLAW_ENTRY
 
-  cat > "$HOME/.openclaw/extensions/demo-plugin/index.js" <<'"'"'JS'"'"'
+home_dir=$(mktemp -d "/tmp/openclaw-plugins-e2e.XXXXXX")
+export HOME="$home_dir"
+
+write_fixture_plugin() {
+  local dir="$1"
+  local id="$2"
+  local version="$3"
+  local method="$4"
+  local name="$5"
+
+  mkdir -p "$dir"
+  cat > "$dir/package.json" <<JSON
+{
+  "name": "@openclaw/$id",
+  "version": "$version",
+  "openclaw": { "extensions": ["./index.js"] }
+}
+JSON
+  cat > "$dir/index.js" <<JS
+module.exports = {
+  id: "$id",
+  name: "$name",
+  register(api) {
+    api.registerGatewayMethod("$method", async () => ({ ok: true }));
+  },
+};
+JS
+  cat > "$dir/openclaw.plugin.json" <<'JSON'
+{
+  "id": "placeholder",
+  "configSchema": {
+    "type": "object",
+    "properties": {}
+  }
+}
+JSON
+  node - <<'NODE' "$dir/openclaw.plugin.json" "$id"
+const fs = require("node:fs");
+const file = process.argv[2];
+const id = process.argv[3];
+const parsed = JSON.parse(fs.readFileSync(file, "utf8"));
+parsed.id = id;
+fs.writeFileSync(file, `${JSON.stringify(parsed, null, 2)}\n`);
+NODE
+}
+
+mkdir -p "$HOME/.openclaw/extensions/demo-plugin"
+
+cat > "$HOME/.openclaw/extensions/demo-plugin/index.js" <<'JS'
 module.exports = {
   id: "demo-plugin",
   name: "Demo Plugin",
@@ -38,7 +83,7 @@ module.exports = {
   },
 };
 JS
-  cat > "$HOME/.openclaw/extensions/demo-plugin/openclaw.plugin.json" <<'"'"'JSON'"'"'
+cat > "$HOME/.openclaw/extensions/demo-plugin/openclaw.plugin.json" <<'JSON'
 {
   "id": "demo-plugin",
   "configSchema": {
@@ -48,9 +93,9 @@ JS
 }
 JSON
 
-	  node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins.json
+node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins.json
 
-  node - <<'"'"'NODE'"'"'
+node - <<'NODE'
 const fs = require("node:fs");
 
 const data = JSON.parse(fs.readFileSync("/tmp/plugins.json", "utf8"));
@@ -79,17 +124,17 @@ if (diagErrors.length > 0) {
 console.log("ok");
 NODE
 
-  echo "Testing tgz install flow..."
-  pack_dir="$(mktemp -d "/tmp/openclaw-plugin-pack.XXXXXX")"
-  mkdir -p "$pack_dir/package"
-  cat > "$pack_dir/package/package.json" <<'"'"'JSON'"'"'
+echo "Testing tgz install flow..."
+pack_dir="$(mktemp -d "/tmp/openclaw-plugin-pack.XXXXXX")"
+mkdir -p "$pack_dir/package"
+cat > "$pack_dir/package/package.json" <<'JSON'
 {
   "name": "@openclaw/demo-plugin-tgz",
   "version": "0.0.1",
   "openclaw": { "extensions": ["./index.js"] }
 }
 JSON
-  cat > "$pack_dir/package/index.js" <<'"'"'JS'"'"'
+cat > "$pack_dir/package/index.js" <<'JS'
 module.exports = {
   id: "demo-plugin-tgz",
   name: "Demo Plugin TGZ",
@@ -98,7 +143,7 @@ module.exports = {
   },
 };
 JS
-  cat > "$pack_dir/package/openclaw.plugin.json" <<'"'"'JSON'"'"'
+cat > "$pack_dir/package/openclaw.plugin.json" <<'JSON'
 {
   "id": "demo-plugin-tgz",
   "configSchema": {
@@ -107,12 +152,12 @@ JS
   }
 }
 JSON
-  tar -czf /tmp/demo-plugin-tgz.tgz -C "$pack_dir" package
+tar -czf /tmp/demo-plugin-tgz.tgz -C "$pack_dir" package
 
-	  node "$OPENCLAW_ENTRY" plugins install /tmp/demo-plugin-tgz.tgz
-	  node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins2.json
+node "$OPENCLAW_ENTRY" plugins install /tmp/demo-plugin-tgz.tgz
+node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins2.json
 
-  node - <<'"'"'NODE'"'"'
+node - <<'NODE'
 const fs = require("node:fs");
 
 const data = JSON.parse(fs.readFileSync("/tmp/plugins2.json", "utf8"));
@@ -127,16 +172,16 @@ if (!Array.isArray(plugin.gatewayMethods) || !plugin.gatewayMethods.includes("de
 console.log("ok");
 NODE
 
-  echo "Testing install from local folder (plugins.load.paths)..."
-  dir_plugin="$(mktemp -d "/tmp/openclaw-plugin-dir.XXXXXX")"
-  cat > "$dir_plugin/package.json" <<'"'"'JSON'"'"'
+echo "Testing install from local folder (plugins.load.paths)..."
+dir_plugin="$(mktemp -d "/tmp/openclaw-plugin-dir.XXXXXX")"
+cat > "$dir_plugin/package.json" <<'JSON'
 {
   "name": "@openclaw/demo-plugin-dir",
   "version": "0.0.1",
   "openclaw": { "extensions": ["./index.js"] }
 }
 JSON
-  cat > "$dir_plugin/index.js" <<'"'"'JS'"'"'
+cat > "$dir_plugin/index.js" <<'JS'
 module.exports = {
   id: "demo-plugin-dir",
   name: "Demo Plugin DIR",
@@ -145,7 +190,7 @@ module.exports = {
   },
 };
 JS
-  cat > "$dir_plugin/openclaw.plugin.json" <<'"'"'JSON'"'"'
+cat > "$dir_plugin/openclaw.plugin.json" <<'JSON'
 {
   "id": "demo-plugin-dir",
   "configSchema": {
@@ -155,10 +200,10 @@ JS
 }
 JSON
 
-	  node "$OPENCLAW_ENTRY" plugins install "$dir_plugin"
-	  node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins3.json
+node "$OPENCLAW_ENTRY" plugins install "$dir_plugin"
+node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins3.json
 
-  node - <<'"'"'NODE'"'"'
+node - <<'NODE'
 const fs = require("node:fs");
 
 const data = JSON.parse(fs.readFileSync("/tmp/plugins3.json", "utf8"));
@@ -173,17 +218,17 @@ if (!Array.isArray(plugin.gatewayMethods) || !plugin.gatewayMethods.includes("de
 console.log("ok");
 NODE
 
-  echo "Testing install from npm spec (file:)..."
-  file_pack_dir="$(mktemp -d "/tmp/openclaw-plugin-filepack.XXXXXX")"
-  mkdir -p "$file_pack_dir/package"
-  cat > "$file_pack_dir/package/package.json" <<'"'"'JSON'"'"'
+echo "Testing install from npm spec (file:)..."
+file_pack_dir="$(mktemp -d "/tmp/openclaw-plugin-filepack.XXXXXX")"
+mkdir -p "$file_pack_dir/package"
+cat > "$file_pack_dir/package/package.json" <<'JSON'
 {
   "name": "@openclaw/demo-plugin-file",
   "version": "0.0.1",
   "openclaw": { "extensions": ["./index.js"] }
 }
 JSON
-  cat > "$file_pack_dir/package/index.js" <<'"'"'JS'"'"'
+cat > "$file_pack_dir/package/index.js" <<'JS'
 module.exports = {
   id: "demo-plugin-file",
   name: "Demo Plugin FILE",
@@ -192,7 +237,7 @@ module.exports = {
   },
 };
 JS
-  cat > "$file_pack_dir/package/openclaw.plugin.json" <<'"'"'JSON'"'"'
+cat > "$file_pack_dir/package/openclaw.plugin.json" <<'JSON'
 {
   "id": "demo-plugin-file",
   "configSchema": {
@@ -202,10 +247,10 @@ JS
 }
 JSON
 
-	  node "$OPENCLAW_ENTRY" plugins install "file:$file_pack_dir/package"
-	  node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins4.json
+node "$OPENCLAW_ENTRY" plugins install "file:$file_pack_dir/package"
+node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins4.json
 
-  node - <<'"'"'NODE'"'"'
+node - <<'NODE'
 const fs = require("node:fs");
 
 const data = JSON.parse(fs.readFileSync("/tmp/plugins4.json", "utf8"));
@@ -220,8 +265,155 @@ if (!Array.isArray(plugin.gatewayMethods) || !plugin.gatewayMethods.includes("de
 console.log("ok");
 NODE
 
-  echo "Running bundle MCP CLI-agent e2e..."
-  pnpm exec vitest run --config vitest.e2e.config.ts src/agents/cli-runner.bundle-mcp.e2e.test.ts
-'
+echo "Testing marketplace install and update flows..."
+marketplace_root="$HOME/.claude/plugins/marketplaces/fixture-marketplace"
+mkdir -p "$HOME/.claude/plugins" "$marketplace_root/.claude-plugin"
+write_fixture_plugin \
+  "$marketplace_root/plugins/marketplace-shortcut" \
+  "marketplace-shortcut" \
+  "0.0.1" \
+  "demo.marketplace.shortcut.v1" \
+  "Marketplace Shortcut"
+write_fixture_plugin \
+  "$marketplace_root/plugins/marketplace-direct" \
+  "marketplace-direct" \
+  "0.0.1" \
+  "demo.marketplace.direct.v1" \
+  "Marketplace Direct"
+cat > "$marketplace_root/.claude-plugin/marketplace.json" <<'JSON'
+{
+  "name": "Fixture Marketplace",
+  "version": "1.0.0",
+  "plugins": [
+    {
+      "name": "marketplace-shortcut",
+      "version": "0.0.1",
+      "description": "Shortcut install fixture",
+      "source": "./plugins/marketplace-shortcut"
+    },
+    {
+      "name": "marketplace-direct",
+      "version": "0.0.1",
+      "description": "Explicit marketplace fixture",
+      "source": {
+        "type": "path",
+        "path": "./plugins/marketplace-direct"
+      }
+    }
+  ]
+}
+JSON
+cat > "$HOME/.claude/plugins/known_marketplaces.json" <<JSON
+{
+  "claude-fixtures": {
+    "installLocation": "$marketplace_root",
+    "source": {
+      "type": "github",
+      "repo": "openclaw/fixture-marketplace"
+    }
+  }
+}
+JSON
+
+node "$OPENCLAW_ENTRY" plugins marketplace list claude-fixtures --json > /tmp/marketplace-list.json
+
+node - <<'NODE'
+const fs = require("node:fs");
+
+const data = JSON.parse(fs.readFileSync("/tmp/marketplace-list.json", "utf8"));
+const names = (data.plugins || []).map((entry) => entry.name).sort();
+if (data.name !== "Fixture Marketplace") {
+  throw new Error(`unexpected marketplace name: ${data.name}`);
+}
+if (!names.includes("marketplace-shortcut") || !names.includes("marketplace-direct")) {
+  throw new Error(`unexpected marketplace plugins: ${names.join(", ")}`);
+}
+console.log("ok");
+NODE
+
+node "$OPENCLAW_ENTRY" plugins install marketplace-shortcut@claude-fixtures
+node "$OPENCLAW_ENTRY" plugins install marketplace-direct --marketplace claude-fixtures
+node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins-marketplace.json
+
+node - <<'NODE'
+const fs = require("node:fs");
+
+const data = JSON.parse(fs.readFileSync("/tmp/plugins-marketplace.json", "utf8"));
+const getPlugin = (id) => {
+  const plugin = (data.plugins || []).find((entry) => entry.id === id);
+  if (!plugin) throw new Error(`plugin not found: ${id}`);
+  if (plugin.status !== "loaded") {
+    throw new Error(`unexpected status for ${id}: ${plugin.status}`);
+  }
+  return plugin;
+};
+
+const shortcut = getPlugin("marketplace-shortcut");
+const direct = getPlugin("marketplace-direct");
+if (shortcut.version !== "0.0.1") {
+  throw new Error(`unexpected shortcut version: ${shortcut.version}`);
+}
+if (direct.version !== "0.0.1") {
+  throw new Error(`unexpected direct version: ${direct.version}`);
+}
+if (!shortcut.gatewayMethods.includes("demo.marketplace.shortcut.v1")) {
+  throw new Error("expected marketplace shortcut gateway method");
+}
+if (!direct.gatewayMethods.includes("demo.marketplace.direct.v1")) {
+  throw new Error("expected marketplace direct gateway method");
+}
+console.log("ok");
+NODE
+
+node - <<'NODE'
+const fs = require("node:fs");
+const path = require("node:path");
+
+const configPath = path.join(process.env.HOME, ".openclaw", "openclaw.json");
+const config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+for (const id of ["marketplace-shortcut", "marketplace-direct"]) {
+  const record = config.plugins?.installs?.[id];
+  if (!record) throw new Error(`missing install record for ${id}`);
+  if (record.source !== "marketplace") {
+    throw new Error(`unexpected source for ${id}: ${record.source}`);
+  }
+  if (record.marketplaceSource !== "claude-fixtures") {
+    throw new Error(`unexpected marketplace source for ${id}: ${record.marketplaceSource}`);
+  }
+  if (record.marketplacePlugin !== id) {
+    throw new Error(`unexpected marketplace plugin for ${id}: ${record.marketplacePlugin}`);
+  }
+}
+console.log("ok");
+NODE
+
+write_fixture_plugin \
+  "$marketplace_root/plugins/marketplace-shortcut" \
+  "marketplace-shortcut" \
+  "0.0.2" \
+  "demo.marketplace.shortcut.v2" \
+  "Marketplace Shortcut"
+node "$OPENCLAW_ENTRY" plugins update marketplace-shortcut --dry-run
+node "$OPENCLAW_ENTRY" plugins update marketplace-shortcut
+node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins-marketplace-updated.json
+
+node - <<'NODE'
+const fs = require("node:fs");
+
+const data = JSON.parse(fs.readFileSync("/tmp/plugins-marketplace-updated.json", "utf8"));
+const plugin = (data.plugins || []).find((entry) => entry.id === "marketplace-shortcut");
+if (!plugin) throw new Error("updated marketplace plugin not found");
+if (plugin.version !== "0.0.2") {
+  throw new Error(`unexpected updated version: ${plugin.version}`);
+}
+if (!plugin.gatewayMethods.includes("demo.marketplace.shortcut.v2")) {
+  throw new Error(`expected updated gateway method, got ${plugin.gatewayMethods.join(", ")}`);
+}
+console.log("ok");
+NODE
+
+echo "Running bundle MCP CLI-agent e2e..."
+pnpm exec vitest run --config vitest.e2e.config.ts src/agents/cli-runner.bundle-mcp.e2e.test.ts
+EOF
 
 echo "OK"
diff --git a/scripts/lib/plugin-sdk-entries.d.mts b/scripts/lib/plugin-sdk-entries.d.mts
new file mode 100644
index 00000000000..e5d493b3d46
--- /dev/null
+++ b/scripts/lib/plugin-sdk-entries.d.mts
@@ -0,0 +1,13 @@
+export const pluginSdkEntrypoints: string[];
+export const pluginSdkSubpaths: string[];
+
+export function buildPluginSdkEntrySources(): Record<string, string>;
+export function buildPluginSdkSpecifiers(): string[];
+export function buildPluginSdkPackageExports(): Record<
+  string,
+  {
+    types: string;
+    default: string;
+  }
+>;
+export function listPluginSdkDistArtifacts(): string[];
diff --git a/scripts/lib/plugin-sdk-entries.mjs b/scripts/lib/plugin-sdk-entries.mjs
new file mode 100644
index 00000000000..c2ce28484ae
--- /dev/null
+++ b/scripts/lib/plugin-sdk-entries.mjs
@@ -0,0 +1,36 @@
+import pluginSdkEntryList from "./plugin-sdk-entrypoints.json" with { type: "json" };
+
+export const pluginSdkEntrypoints = [...pluginSdkEntryList];
+
+export const pluginSdkSubpaths = pluginSdkEntrypoints.filter((entry) => entry !== "index");
+
+export function buildPluginSdkEntrySources() {
+  return Object.fromEntries(
+    pluginSdkEntrypoints.map((entry) => [entry, `src/plugin-sdk/${entry}.ts`]),
+  );
+}
+
+export function buildPluginSdkSpecifiers() {
+  return pluginSdkEntrypoints.map((entry) =>
+    entry === "index" ? "openclaw/plugin-sdk" : `openclaw/plugin-sdk/${entry}`,
+  );
+}
+
+export function buildPluginSdkPackageExports() {
+  return Object.fromEntries(
+    pluginSdkEntrypoints.map((entry) => [
+      entry === "index" ? "./plugin-sdk" : `./plugin-sdk/${entry}`,
+      {
+        types: `./dist/plugin-sdk/${entry}.d.ts`,
+        default: `./dist/plugin-sdk/${entry}.js`,
+      },
+    ]),
+  );
+}
+
+export function listPluginSdkDistArtifacts() {
+  return pluginSdkEntrypoints.flatMap((entry) => [
+    `dist/plugin-sdk/${entry}.js`,
+    `dist/plugin-sdk/${entry}.d.ts`,
+  ]);
+}
diff --git a/scripts/lib/plugin-sdk-entrypoints.json b/scripts/lib/plugin-sdk-entrypoints.json
new file mode 100644
index 00000000000..91b16c36450
--- /dev/null
+++ b/scripts/lib/plugin-sdk-entrypoints.json
@@ -0,0 +1,46 @@
+[
+  "index",
+  "core",
+  "compat",
+  "routing",
+  "telegram",
+  "discord",
+  "slack",
+  "signal",
+  "imessage",
+  "whatsapp",
+  "line",
+  "msteams",
+  "acpx",
+  "bluebubbles",
+  "copilot-proxy",
+  "device-pair",
+  "diagnostics-otel",
+  "diffs",
+  "feishu",
+  "googlechat",
+  "irc",
+  "llm-task",
+  "lobster",
+  "matrix",
+  "mattermost",
+  "memory-core",
+  "memory-lancedb",
+  "minimax-portal-auth",
+  "nextcloud-talk",
+  "nostr",
+  "open-prose",
+  "phone-control",
+  "qwen-portal-auth",
+  "synology-chat",
+  "talk-voice",
+  "test-utils",
+  "thread-ownership",
+  "tlon",
+  "twitch",
+  "voice-call",
+  "zalo",
+  "zalouser",
+  "account-id",
+  "keyed-async-queue"
+]
diff --git a/scripts/release-check.ts b/scripts/release-check.ts
index 34d37634d6f..7eedc970103 100755
--- a/scripts/release-check.ts
+++ b/scripts/release-check.ts
@@ -10,6 +10,7 @@ import {
   type BundledExtension,
   type ExtensionPackageJson as PackageJson,
 } from "./lib/bundled-extension-manifest.ts";
+import { listPluginSdkDistArtifacts } from "./lib/plugin-sdk-entries.mjs";
 import { sparkleBuildFloorsFromShortVersion, type SparkleBuildFloors } from "./sparkle-build.ts";
 
 export { collectBundledExtensionManifestErrors } from "./lib/bundled-extension-manifest.ts";
@@ -20,95 +21,8 @@ type PackResult = { files?: PackFile[]; filename?: string; unpackedSize?: number
 const requiredPathGroups = [
   ["dist/index.js", "dist/index.mjs"],
   ["dist/entry.js", "dist/entry.mjs"],
-  "dist/plugin-sdk/index.js",
-  "dist/plugin-sdk/index.d.ts",
-  "dist/plugin-sdk/core.js",
-  "dist/plugin-sdk/core.d.ts",
+  ...listPluginSdkDistArtifacts(),
   "dist/plugin-sdk/root-alias.cjs",
-  "dist/plugin-sdk/compat.js",
-  "dist/plugin-sdk/compat.d.ts",
-  "dist/plugin-sdk/telegram.js",
-  "dist/plugin-sdk/telegram.d.ts",
-  "dist/plugin-sdk/discord.js",
-  "dist/plugin-sdk/discord.d.ts",
-  "dist/plugin-sdk/slack.js",
-  "dist/plugin-sdk/slack.d.ts",
-  "dist/plugin-sdk/signal.js",
-  "dist/plugin-sdk/signal.d.ts",
-  "dist/plugin-sdk/imessage.js",
-  "dist/plugin-sdk/imessage.d.ts",
-  "dist/plugin-sdk/whatsapp.js",
-  "dist/plugin-sdk/whatsapp.d.ts",
-  "dist/plugin-sdk/line.js",
-  "dist/plugin-sdk/line.d.ts",
-  "dist/plugin-sdk/msteams.js",
-  "dist/plugin-sdk/msteams.d.ts",
-  "dist/plugin-sdk/acpx.js",
-  "dist/plugin-sdk/acpx.d.ts",
-  "dist/plugin-sdk/bluebubbles.js",
-  "dist/plugin-sdk/bluebubbles.d.ts",
-  "dist/plugin-sdk/copilot-proxy.js",
-  "dist/plugin-sdk/copilot-proxy.d.ts",
-  "dist/plugin-sdk/device-pair.js",
-  "dist/plugin-sdk/device-pair.d.ts",
-  "dist/plugin-sdk/diagnostics-otel.js",
-  "dist/plugin-sdk/diagnostics-otel.d.ts",
-  "dist/plugin-sdk/diffs.js",
-  "dist/plugin-sdk/diffs.d.ts",
-  "dist/plugin-sdk/feishu.js",
-  "dist/plugin-sdk/feishu.d.ts",
-  "dist/plugin-sdk/google-gemini-cli-auth.js",
-  "dist/plugin-sdk/google-gemini-cli-auth.d.ts",
-  "dist/plugin-sdk/googlechat.js",
-  "dist/plugin-sdk/googlechat.d.ts",
-  "dist/plugin-sdk/irc.js",
-  "dist/plugin-sdk/irc.d.ts",
-  "dist/plugin-sdk/llm-task.js",
-  "dist/plugin-sdk/llm-task.d.ts",
-  "dist/plugin-sdk/lobster.js",
-  "dist/plugin-sdk/lobster.d.ts",
-  "dist/plugin-sdk/matrix.js",
-  "dist/plugin-sdk/matrix.d.ts",
-  "dist/plugin-sdk/mattermost.js",
-  "dist/plugin-sdk/mattermost.d.ts",
-  "dist/plugin-sdk/memory-core.js",
-  "dist/plugin-sdk/memory-core.d.ts",
-  "dist/plugin-sdk/memory-lancedb.js",
-  "dist/plugin-sdk/memory-lancedb.d.ts",
-  "dist/plugin-sdk/minimax-portal-auth.js",
-  "dist/plugin-sdk/minimax-portal-auth.d.ts",
-  "dist/plugin-sdk/nextcloud-talk.js",
-  "dist/plugin-sdk/nextcloud-talk.d.ts",
-  "dist/plugin-sdk/nostr.js",
-  "dist/plugin-sdk/nostr.d.ts",
-  "dist/plugin-sdk/open-prose.js",
-  "dist/plugin-sdk/open-prose.d.ts",
-  "dist/plugin-sdk/phone-control.js",
-  "dist/plugin-sdk/phone-control.d.ts",
-  "dist/plugin-sdk/qwen-portal-auth.js",
-  "dist/plugin-sdk/qwen-portal-auth.d.ts",
-  "dist/plugin-sdk/synology-chat.js",
-  "dist/plugin-sdk/synology-chat.d.ts",
-  "dist/plugin-sdk/talk-voice.js",
-  "dist/plugin-sdk/talk-voice.d.ts",
-  "dist/plugin-sdk/test-utils.js",
-  "dist/plugin-sdk/test-utils.d.ts",
-  "dist/plugin-sdk/thread-ownership.js",
-  "dist/plugin-sdk/thread-ownership.d.ts",
-  "dist/plugin-sdk/tlon.js",
-  "dist/plugin-sdk/tlon.d.ts",
-  "dist/plugin-sdk/twitch.js",
-  "dist/plugin-sdk/twitch.d.ts",
-  "dist/plugin-sdk/voice-call.js",
-  "dist/plugin-sdk/voice-call.d.ts",
-  "dist/plugin-sdk/zalo.js",
-  "dist/plugin-sdk/zalo.d.ts",
-  "dist/plugin-sdk/zalouser.js",
-  "dist/plugin-sdk/zalouser.d.ts",
-  "dist/plugin-sdk/account-id.js",
-  "dist/plugin-sdk/account-id.d.ts",
-  "dist/plugin-sdk/keyed-async-queue.js",
-  "dist/plugin-sdk/keyed-async-queue.d.ts",
   "dist/build-info.json",
 ];
 const forbiddenPrefixes = ["dist/OpenClaw.app/"];
diff --git a/scripts/sync-plugin-sdk-exports.mjs b/scripts/sync-plugin-sdk-exports.mjs
new file mode 100644
index 00000000000..b7e0aa29ae5
--- /dev/null
+++ b/scripts/sync-plugin-sdk-exports.mjs
@@ -0,0 +1,46 @@
+#!/usr/bin/env node
+
+import fs from "node:fs";
+import path from "node:path";
+import { buildPluginSdkPackageExports } from "./lib/plugin-sdk-entries.mjs";
+
+const checkOnly = process.argv.includes("--check");
+const packageJsonPath = path.join(process.cwd(), "package.json");
+const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, "utf8"));
+const currentExports = packageJson.exports ?? {};
+const syncedPluginSdkExports = buildPluginSdkPackageExports();
+
+const nextExports = {};
+let insertedPluginSdkExports = false;
+for (const [key, value] of Object.entries(currentExports)) {
+  if (key.startsWith("./plugin-sdk")) {
+    if (!insertedPluginSdkExports) {
+      Object.assign(nextExports, syncedPluginSdkExports);
+      insertedPluginSdkExports = true;
+    }
+    continue;
+  }
+  nextExports[key] = value;
+  if (key === "." && !insertedPluginSdkExports) {
+    Object.assign(nextExports, syncedPluginSdkExports);
+    insertedPluginSdkExports = true;
+  }
+}
+
+if (!insertedPluginSdkExports) {
+  Object.assign(nextExports, syncedPluginSdkExports);
+}
+
+const nextExportsJson = JSON.stringify(nextExports);
+const currentExportsJson = JSON.stringify(currentExports);
+if (checkOnly) {
+  if (currentExportsJson !== nextExportsJson) {
+    console.error("plugin-sdk exports out of sync. Run `pnpm plugin-sdk:sync-exports`.");
+    process.exit(1);
+  }
+  console.log("plugin-sdk exports synced.");
+  process.exit(0);
+}
+
+packageJson.exports = nextExports;
+fs.writeFileSync(packageJsonPath, `${JSON.stringify(packageJson, null, 2)}\n`, "utf8");
diff --git a/scripts/test-extension.mjs b/scripts/test-extension.mjs
new file mode 100644
index 00000000000..84fd91b0436
--- /dev/null
+++ b/scripts/test-extension.mjs
@@ -0,0 +1,283 @@
+#!/usr/bin/env node
+
+import { execFileSync, spawn } from "node:child_process";
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath, pathToFileURL } from "node:url";
+import { channelTestRoots } from "../vitest.channel-paths.mjs";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const repoRoot = path.resolve(__dirname, "..");
+const pnpm = "pnpm";
+
+function normalizeRelative(inputPath) {
+  return inputPath.split(path.sep).join("/");
+}
+
+function isTestFile(filePath) {
+  return filePath.endsWith(".test.ts") || filePath.endsWith(".test.tsx");
+}
+
+function collectTestFiles(rootPath) {
+  const results = [];
+  const stack = [rootPath];
+
+  while (stack.length > 0) {
+    const current = stack.pop();
+    if (!current || !fs.existsSync(current)) {
+      continue;
+    }
+    for (const entry of fs.readdirSync(current, { withFileTypes: true })) {
+      const fullPath = path.join(current, entry.name);
+      if (entry.isDirectory()) {
+        if (entry.name === "node_modules" || entry.name === "dist") {
+          continue;
+        }
+        stack.push(fullPath);
+        continue;
+      }
+      if (entry.isFile() && isTestFile(fullPath)) {
+        results.push(fullPath);
+      }
+    }
+  }
+
+  return results.toSorted((left, right) => left.localeCompare(right));
+}
+
+function listChangedPaths(base, head = "HEAD") {
+  if (!base) {
+    throw new Error("A git base revision is required to list changed extensions.");
+  }
+
+  return execFileSync("git", ["diff", "--name-only", base, head], {
+    cwd: repoRoot,
+    stdio: ["ignore", "pipe", "pipe"],
+    encoding: "utf8",
+  })
+    .split("\n")
+    .map((line) => line.trim())
+    .filter((line) => line.length > 0);
+}
+
+function hasExtensionPackage(extensionId) {
+  return fs.existsSync(path.join(repoRoot, "extensions", extensionId, "package.json"));
+}
+
+export function detectChangedExtensionIds(changedPaths) {
+  const extensionIds = new Set();
+
+  for (const rawPath of changedPaths) {
+    const relativePath = normalizeRelative(String(rawPath).trim());
+    if (!relativePath) {
+      continue;
+    }
+
+    const extensionMatch = relativePath.match(/^extensions\/([^/]+)(?:\/|$)/);
+    if (extensionMatch) {
+      extensionIds.add(extensionMatch[1]);
+      continue;
+    }
+
+    const pairedCoreMatch = relativePath.match(/^src\/([^/]+)(?:\/|$)/);
+    if (pairedCoreMatch && hasExtensionPackage(pairedCoreMatch[1])) {
+      extensionIds.add(pairedCoreMatch[1]);
+    }
+  }
+
+  return [...extensionIds].toSorted((left, right) => left.localeCompare(right));
+}
+
+export function listChangedExtensionIds(params = {}) {
+  const base = params.base;
+  const head = params.head ?? "HEAD";
+  return detectChangedExtensionIds(listChangedPaths(base, head));
+}
+
+function resolveExtensionDirectory(targetArg, cwd = process.cwd()) {
+  if (targetArg) {
+    const asGiven = path.resolve(cwd, targetArg);
+    if (fs.existsSync(path.join(asGiven, "package.json"))) {
+      return asGiven;
+    }
+
+    const byName = path.join(repoRoot, "extensions", targetArg);
+    if (fs.existsSync(path.join(byName, "package.json"))) {
+      return byName;
+    }
+
+    throw new Error(
+      `Unknown extension target "${targetArg}". Use an extension name like "slack" or a path under extensions/.`,
+    );
+  }
+
+  let current = cwd;
+  while (true) {
+    if (
+      normalizeRelative(path.relative(repoRoot, current)).startsWith("extensions/") &&
+      fs.existsSync(path.join(current, "package.json"))
+    ) {
+      return current;
+    }
+    const parent = path.dirname(current);
+    if (parent === current) {
+      break;
+    }
+    current = parent;
+  }
+
+  throw new Error(
+    "No extension target provided, and current working directory is not inside extensions/.",
+  );
+}
+
+export function resolveExtensionTestPlan(params = {}) {
+  const cwd = params.cwd ?? process.cwd();
+  const targetArg = params.targetArg;
+  const extensionDir = resolveExtensionDirectory(targetArg, cwd);
+  const extensionId = path.basename(extensionDir);
+  const relativeExtensionDir = normalizeRelative(path.relative(repoRoot, extensionDir));
+
+  const roots = [relativeExtensionDir];
+  const pairedCoreRoot = path.join(repoRoot, "src", extensionId);
+  if (fs.existsSync(pairedCoreRoot)) {
+    const pairedRelativeRoot = normalizeRelative(path.relative(repoRoot, pairedCoreRoot));
+    if (collectTestFiles(pairedCoreRoot).length > 0) {
+      roots.push(pairedRelativeRoot);
+    }
+  }
+
+  const usesChannelConfig = roots.some((root) => channelTestRoots.includes(root));
+  const config = usesChannelConfig ? "vitest.channels.config.ts" : "vitest.extensions.config.ts";
+  const testFiles = roots.flatMap((root) => collectTestFiles(path.join(repoRoot, root)));
+
+  return {
+    config,
+    extensionDir: relativeExtensionDir,
+    extensionId,
+    roots,
+    testFiles: testFiles.map((filePath) => normalizeRelative(path.relative(repoRoot, filePath))),
+  };
+}
+
+function printUsage() {
+  console.error("Usage: pnpm test:extension <extension-name|path> [vitest args...]");
+  console.error("       node scripts/test-extension.mjs [extension-name|path] [vitest args...]");
+  console.error(
+    "       node scripts/test-extension.mjs --list-changed --base <git-ref> [--head <git-ref>]",
+  );
+}
+
+async function run() {
+  const rawArgs = process.argv.slice(2);
+  const dryRun = rawArgs.includes("--dry-run");
+  const json = rawArgs.includes("--json");
+  const listChanged = rawArgs.includes("--list-changed");
+  const args = rawArgs.filter(
+    (arg) => arg !== "--" && arg !== "--dry-run" && arg !== "--json" && arg !== "--list-changed",
+  );
+
+  let base = "";
+  let head = "HEAD";
+  const passthroughArgs = [];
+
+  if (listChanged) {
+    for (let index = 0; index < args.length; index += 1) {
+      const arg = args[index];
+      if (arg === "--base") {
+        base = args[index + 1] ?? "";
+        index += 1;
+        continue;
+      }
+      if (arg === "--head") {
+        head = args[index + 1] ?? "HEAD";
+        index += 1;
+        continue;
+      }
+      passthroughArgs.push(arg);
+    }
+  } else {
+    passthroughArgs.push(...args);
+  }
+
+  if (listChanged) {
+    let extensionIds;
+    try {
+      extensionIds = listChangedExtensionIds({ base, head });
+    } catch (error) {
+      printUsage();
+      console.error(error instanceof Error ? error.message : String(error));
+      process.exit(1);
+    }
+
+    if (json) {
+      process.stdout.write(`${JSON.stringify({ base, head, extensionIds }, null, 2)}\n`);
+    } else {
+      for (const extensionId of extensionIds) {
+        console.log(extensionId);
+      }
+    }
+    return;
+  }
+
+  let targetArg;
+  if (passthroughArgs[0] && !passthroughArgs[0].startsWith("-")) {
+    targetArg = passthroughArgs.shift();
+  }
+
+  let plan;
+  try {
+    plan = resolveExtensionTestPlan({ cwd: process.cwd(), targetArg });
+  } catch (error) {
+    printUsage();
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+  }
+
+  if (plan.testFiles.length === 0) {
+    console.error(`No tests found for ${plan.extensionDir}.`);
+    process.exit(1);
+  }
+
+  if (dryRun) {
+    if (json) {
+      process.stdout.write(`${JSON.stringify(plan, null, 2)}\n`);
+    } else {
+      console.log(`[test-extension] ${plan.extensionId}`);
+      console.log(`config: ${plan.config}`);
+      console.log(`roots: ${plan.roots.join(", ")}`);
+      console.log(`tests: ${plan.testFiles.length}`);
+    }
+    return;
+  }
+
+  console.log(
+    `[test-extension] Running ${plan.testFiles.length} test files for ${plan.extensionId} with ${plan.config}`,
+  );
+
+  const child = spawn(
+    pnpm,
+    ["exec", "vitest", "run", "--config", plan.config, ...plan.testFiles, ...passthroughArgs],
+    {
+      cwd: repoRoot,
+      stdio: "inherit",
+      shell: process.platform === "win32",
+      env: process.env,
+    },
+  );
+
+  child.on("exit", (code, signal) => {
+    if (signal) {
+      process.kill(process.pid, signal);
+      return;
+    }
+    process.exit(code ?? 1);
+  });
+}
+
+const entryHref = process.argv[1] ? pathToFileURL(path.resolve(process.argv[1])).href : "";
+
+if (import.meta.url === entryHref) {
+  await run();
+}
diff --git a/scripts/test-live-gateway-models-docker.sh b/scripts/test-live-gateway-models-docker.sh
index 3998110efa6..f40e064910b 100755
--- a/scripts/test-live-gateway-models-docker.sh
+++ b/scripts/test-live-gateway-models-docker.sh
@@ -13,6 +13,14 @@ if [[ -f "$PROFILE_FILE" ]]; then
   PROFILE_MOUNT=(-v "$PROFILE_FILE":/home/node/.profile:ro)
 fi
 
+EXTERNAL_AUTH_MOUNTS=()
+for auth_dir in .claude .codex .minimax .qwen; do
+  host_path="$HOME/$auth_dir"
+  if [[ -d "$host_path" ]]; then
+    EXTERNAL_AUTH_MOUNTS+=(-v "$host_path":/home/node/"$auth_dir":ro)
+  fi
+done
+
 read -r -d '' LIVE_TEST_CMD <<'EOF' || true
 set -euo pipefail
 [ -f "$HOME/.profile" ] && source "$HOME/.profile" || true
@@ -51,6 +59,7 @@ docker run --rm -t \
   -v "$ROOT_DIR":/src:ro \
   -v "$CONFIG_DIR":/home/node/.openclaw \
   -v "$WORKSPACE_DIR":/home/node/.openclaw/workspace \
+  "${EXTERNAL_AUTH_MOUNTS[@]}" \
   "${PROFILE_MOUNT[@]}" \
   "$LIVE_IMAGE_NAME" \
   -lc "$LIVE_TEST_CMD"
diff --git a/scripts/test-live-models-docker.sh b/scripts/test-live-models-docker.sh
index cca4202710d..52257cd3230 100755
--- a/scripts/test-live-models-docker.sh
+++ b/scripts/test-live-models-docker.sh
@@ -13,6 +13,14 @@ if [[ -f "$PROFILE_FILE" ]]; then
   PROFILE_MOUNT=(-v "$PROFILE_FILE":/home/node/.profile:ro)
 fi
 
+EXTERNAL_AUTH_MOUNTS=()
+for auth_dir in .claude .codex .minimax .qwen; do
+  host_path="$HOME/$auth_dir"
+  if [[ -d "$host_path" ]]; then
+    EXTERNAL_AUTH_MOUNTS+=(-v "$host_path":/home/node/"$auth_dir":ro)
+  fi
+done
+
 read -r -d '' LIVE_TEST_CMD <<'EOF' || true
 set -euo pipefail
 [ -f "$HOME/.profile" ] && source "$HOME/.profile" || true
@@ -52,6 +60,7 @@ docker run --rm -t \
   -v "$ROOT_DIR":/src:ro \
   -v "$CONFIG_DIR":/home/node/.openclaw \
   -v "$WORKSPACE_DIR":/home/node/.openclaw/workspace \
+  "${EXTERNAL_AUTH_MOUNTS[@]}" \
   "${PROFILE_MOUNT[@]}" \
   "$LIVE_IMAGE_NAME" \
   -lc "$LIVE_TEST_CMD"
diff --git a/scripts/test-parallel.mjs b/scripts/test-parallel.mjs
index c818344f886..76a0be3b466 100644
--- a/scripts/test-parallel.mjs
+++ b/scripts/test-parallel.mjs
@@ -60,7 +60,6 @@ const unitIsolatedFilesRaw = [
   // Skills discovery/snapshot suites are filesystem-heavy and high-variance in vmForks lanes.
   "src/agents/skills.test.ts",
   "src/agents/skills.buildworkspaceskillsnapshot.test.ts",
-  "src/browser/extension-relay.test.ts",
   "extensions/acpx/src/runtime.test.ts",
   // Shell-heavy script harness can contend under vmForks startup bursts.
   "test/scripts/ios-team-id.test.ts",
diff --git a/scripts/write-plugin-sdk-entry-dts.ts b/scripts/write-plugin-sdk-entry-dts.ts
index beb5db5481b..832368bbcd3 100644
--- a/scripts/write-plugin-sdk-entry-dts.ts
+++ b/scripts/write-plugin-sdk-entry-dts.ts
@@ -1,58 +1,13 @@
 import fs from "node:fs";
 import path from "node:path";
+import { pluginSdkEntrypoints } from "./lib/plugin-sdk-entries.mjs";
 
 // `tsc` emits declarations under `dist/plugin-sdk/src/plugin-sdk/*` because the source lives
 // at `src/plugin-sdk/*` and `rootDir` is `.` (repo root, to support cross-src/extensions refs).
 //
 // Our package export map points subpath `types` at `dist/plugin-sdk/<entry>.d.ts`, so we
 // generate stable entry d.ts files that re-export the real declarations.
-const entrypoints = [
-  "index",
-  "core",
-  "compat",
-  "telegram",
-  "discord",
-  "slack",
-  "signal",
-  "imessage",
-  "whatsapp",
-  "line",
-  "msteams",
-  "acpx",
-  "bluebubbles",
-  "copilot-proxy",
-  "device-pair",
-  "diagnostics-otel",
-  "diffs",
-  "feishu",
-  "google-gemini-cli-auth",
-  "googlechat",
-  "irc",
-  "llm-task",
-  "lobster",
-  "matrix",
-  "mattermost",
-  "memory-core",
-  "memory-lancedb",
-  "minimax-portal-auth",
-  "nextcloud-talk",
-  "nostr",
-  "open-prose",
-  "phone-control",
-  "qwen-portal-auth",
-  "synology-chat",
-  "talk-voice",
-  "test-utils",
-  "thread-ownership",
-  "tlon",
-  "twitch",
-  "voice-call",
-  "zalo",
-  "zalouser",
-  "account-id",
-  "keyed-async-queue",
-] as const;
-for (const entry of entrypoints) {
+for (const entry of pluginSdkEntrypoints) {
   const out = path.join(process.cwd(), `dist/plugin-sdk/${entry}.d.ts`);
   fs.mkdirSync(path.dirname(out), { recursive: true });
   // NodeNext: reference the runtime specifier with `.js`, TS will map it to `.d.ts`.
diff --git a/src/acp/persistent-bindings.resolve.ts b/src/acp/persistent-bindings.resolve.ts
index 66464535eae..d0039078378 100644
--- a/src/acp/persistent-bindings.resolve.ts
+++ b/src/acp/persistent-bindings.resolve.ts
@@ -1,4 +1,4 @@
-import { parseFeishuConversationId } from "../../extensions/feishu/src/conversation-id.js";
+import { getChannelPlugin } from "../channels/plugins/index.js";
 import { listAcpBindings } from "../config/bindings.js";
 import type { OpenClawConfig } from "../config/config.js";
 import type { AgentAcpBinding } from "../config/types.js";
@@ -8,7 +8,6 @@ import {
   normalizeAccountId,
   parseAgentSessionKey,
 } from "../routing/session-key.js";
-import { parseTelegramTopicConversation } from "./conversation-id.js";
 import {
   buildConfiguredAcpSessionKey,
   normalizeBindingConfig,
@@ -22,21 +21,11 @@ import {
 
 function normalizeBindingChannel(value: string | undefined): ConfiguredAcpBindingChannel | null {
   const normalized = (value ?? "").trim().toLowerCase();
-  if (normalized === "discord" || normalized === "telegram" || normalized === "feishu") {
-    return normalized;
+  if (!normalized) {
+    return null;
   }
-  return null;
-}
-
-function isSupportedFeishuDirectConversationId(conversationId: string): boolean {
-  const trimmed = conversationId.trim();
-  if (!trimmed || trimmed.includes(":")) {
-    return false;
-  }
-  if (trimmed.startsWith("oc_") || trimmed.startsWith("on_")) {
-    return false;
-  }
-  return true;
+  const plugin = getChannelPlugin(normalized);
+  return plugin?.acpBindings ? plugin.id : null;
 }
 
 function resolveAccountMatchPriority(match: string | undefined, actual: string): 0 | 1 | 2 {
@@ -71,10 +60,9 @@ function parseConfiguredBindingSessionKey(params: {
   if (!channel) {
     return null;
   }
-  const accountId = normalizeAccountId(tokens[3]);
   return {
     channel,
-    accountId,
+    accountId: normalizeAccountId(tokens[3]),
   };
 }
 
@@ -231,6 +219,12 @@ export function resolveConfiguredAcpBindingSpecBySessionKey(params: {
   if (!parsedSessionKey) {
     return null;
   }
+  const plugin = getChannelPlugin(parsedSessionKey.channel);
+  const acpBindings = plugin?.acpBindings;
+  if (!acpBindings?.normalizeConfiguredBindingTarget) {
+    return null;
+  }
+
   let wildcardMatch: ConfiguredAcpBindingSpec | null = null;
   for (const binding of listAcpBindings(params.cfg)) {
     const channel = normalizeBindingChannel(binding.match.channel);
@@ -248,81 +242,29 @@ export function resolveConfiguredAcpBindingSpecBySessionKey(params: {
     if (!targetConversationId) {
       continue;
     }
-    if (channel === "discord") {
-      const spec = toConfiguredBindingSpec({
-        cfg: params.cfg,
-        channel: "discord",
-        accountId: parsedSessionKey.accountId,
-        conversationId: targetConversationId,
-        binding,
-      });
-      if (buildConfiguredAcpSessionKey(spec) === sessionKey) {
-        if (accountMatchPriority === 2) {
-          return spec;
-        }
-        if (!wildcardMatch) {
-          wildcardMatch = spec;
-        }
-      }
-      continue;
-    }
-    if (channel === "feishu") {
-      const targetParsed = parseFeishuConversationId({
-        conversationId: targetConversationId,
-      });
-      if (
-        !targetParsed ||
-        (targetParsed.scope !== "group_topic" &&
-          targetParsed.scope !== "group_topic_sender" &&
-          !isSupportedFeishuDirectConversationId(targetParsed.canonicalConversationId))
-      ) {
-        continue;
-      }
-      const spec = toConfiguredBindingSpec({
-        cfg: params.cfg,
-        channel: "feishu",
-        accountId: parsedSessionKey.accountId,
-        conversationId: targetParsed.canonicalConversationId,
-        // Session-key recovery deliberately collapses sender-scoped topic bindings onto the
-        // canonical topic conversation id so `group_topic` and `group_topic_sender` reuse
-        // the same configured ACP session identity.
-        parentConversationId:
-          targetParsed.scope === "group_topic" || targetParsed.scope === "group_topic_sender"
-            ? targetParsed.chatId
-            : undefined,
-        binding,
-      });
-      if (buildConfiguredAcpSessionKey(spec) === sessionKey) {
-        if (accountMatchPriority === 2) {
-          return spec;
-        }
-        if (!wildcardMatch) {
-          wildcardMatch = spec;
-        }
-      }
-      continue;
-    }
-    const parsedTopic = parseTelegramTopicConversation({
+    const target = acpBindings.normalizeConfiguredBindingTarget({
+      binding,
       conversationId: targetConversationId,
     });
-    if (!parsedTopic || !parsedTopic.chatId.startsWith("-")) {
+    if (!target) {
       continue;
     }
     const spec = toConfiguredBindingSpec({
       cfg: params.cfg,
-      channel: "telegram",
+      channel,
       accountId: parsedSessionKey.accountId,
-      conversationId: parsedTopic.canonicalConversationId,
-      parentConversationId: parsedTopic.chatId,
+      conversationId: target.conversationId,
+      parentConversationId: target.parentConversationId,
       binding,
     });
-    if (buildConfiguredAcpSessionKey(spec) === sessionKey) {
-      if (accountMatchPriority === 2) {
-        return spec;
-      }
-      if (!wildcardMatch) {
-        wildcardMatch = spec;
-      }
+    if (buildConfiguredAcpSessionKey(spec) !== sessionKey) {
+      continue;
+    }
+    if (accountMatchPriority === 2) {
+      return spec;
+    }
+    if (!wildcardMatch) {
+      wildcardMatch = spec;
     }
   }
   return wildcardMatch;
@@ -335,136 +277,36 @@ export function resolveConfiguredAcpBindingRecord(params: {
   conversationId: string;
   parentConversationId?: string;
 }): ResolvedConfiguredAcpBinding | null {
-  const channel = params.channel.trim().toLowerCase();
+  const channel = normalizeBindingChannel(params.channel);
   const accountId = normalizeAccountId(params.accountId);
   const conversationId = params.conversationId.trim();
   const parentConversationId = params.parentConversationId?.trim() || undefined;
-  if (!conversationId) {
+  if (!channel || !conversationId) {
     return null;
   }
+  const plugin = getChannelPlugin(channel);
+  const acpBindings = plugin?.acpBindings;
+  if (!acpBindings?.matchConfiguredBinding) {
+    return null;
+  }
+  const matchConfiguredBinding = acpBindings.matchConfiguredBinding;
 
-  if (channel === "discord") {
-    const bindings = listAcpBindings(params.cfg);
-    const resolveDiscordBindingForConversation = (targetConversationId: string) =>
-      resolveConfiguredBindingRecord({
-        cfg: params.cfg,
-        bindings,
-        channel: "discord",
-        accountId,
-        selectConversation: (binding) => {
-          const bindingConversationId = resolveBindingConversationId(binding);
-          if (!bindingConversationId || bindingConversationId !== targetConversationId) {
-            return null;
-          }
-          return { conversationId: targetConversationId };
-        },
-      });
-
-    const directMatch = resolveDiscordBindingForConversation(conversationId);
-    if (directMatch) {
-      return directMatch;
-    }
-    if (parentConversationId && parentConversationId !== conversationId) {
-      const inheritedMatch = resolveDiscordBindingForConversation(parentConversationId);
-      if (inheritedMatch) {
-        return inheritedMatch;
+  return resolveConfiguredBindingRecord({
+    cfg: params.cfg,
+    bindings: listAcpBindings(params.cfg),
+    channel,
+    accountId,
+    selectConversation: (binding) => {
+      const bindingConversationId = resolveBindingConversationId(binding);
+      if (!bindingConversationId) {
+        return null;
       }
-    }
-    return null;
-  }
-
-  if (channel === "telegram") {
-    const parsed = parseTelegramTopicConversation({
-      conversationId,
-      parentConversationId,
-    });
-    if (!parsed || !parsed.chatId.startsWith("-")) {
-      return null;
-    }
-    return resolveConfiguredBindingRecord({
-      cfg: params.cfg,
-      bindings: listAcpBindings(params.cfg),
-      channel: "telegram",
-      accountId,
-      selectConversation: (binding) => {
-        const targetConversationId = resolveBindingConversationId(binding);
-        if (!targetConversationId) {
-          return null;
-        }
-        const targetParsed = parseTelegramTopicConversation({
-          conversationId: targetConversationId,
-        });
-        if (!targetParsed || !targetParsed.chatId.startsWith("-")) {
-          return null;
-        }
-        if (targetParsed.canonicalConversationId !== parsed.canonicalConversationId) {
-          return null;
-        }
-        return {
-          conversationId: parsed.canonicalConversationId,
-          parentConversationId: parsed.chatId,
-        };
-      },
-    });
-  }
-
-  if (channel === "feishu") {
-    const parsed = parseFeishuConversationId({
-      conversationId,
-      parentConversationId,
-    });
-    if (
-      !parsed ||
-      (parsed.scope !== "group_topic" &&
-        parsed.scope !== "group_topic_sender" &&
-        !isSupportedFeishuDirectConversationId(parsed.canonicalConversationId))
-    ) {
-      return null;
-    }
-    return resolveConfiguredBindingRecord({
-      cfg: params.cfg,
-      bindings: listAcpBindings(params.cfg),
-      channel: "feishu",
-      accountId,
-      selectConversation: (binding) => {
-        const targetConversationId = resolveBindingConversationId(binding);
-        if (!targetConversationId) {
-          return null;
-        }
-        const targetParsed = parseFeishuConversationId({
-          conversationId: targetConversationId,
-        });
-        if (
-          !targetParsed ||
-          (targetParsed.scope !== "group_topic" &&
-            targetParsed.scope !== "group_topic_sender" &&
-            !isSupportedFeishuDirectConversationId(targetParsed.canonicalConversationId))
-        ) {
-          return null;
-        }
-        const matchesCanonicalConversation =
-          targetParsed.canonicalConversationId === parsed.canonicalConversationId;
-        const matchesParentTopicForSenderScopedConversation =
-          parsed.scope === "group_topic_sender" &&
-          targetParsed.scope === "group_topic" &&
-          parsed.chatId === targetParsed.chatId &&
-          parsed.topicId === targetParsed.topicId;
-        if (!matchesCanonicalConversation && !matchesParentTopicForSenderScopedConversation) {
-          return null;
-        }
-        return {
-          conversationId: matchesParentTopicForSenderScopedConversation
-            ? targetParsed.canonicalConversationId
-            : parsed.canonicalConversationId,
-          parentConversationId:
-            parsed.scope === "group_topic" || parsed.scope === "group_topic_sender"
-              ? parsed.chatId
-              : undefined,
-          matchPriority: matchesCanonicalConversation ? 2 : 1,
-        };
-      },
-    });
-  }
-
-  return null;
+      return matchConfiguredBinding({
+        binding,
+        bindingConversationId,
+        conversationId,
+        parentConversationId,
+      });
+    },
+  });
 }
diff --git a/src/acp/persistent-bindings.test.ts b/src/acp/persistent-bindings.test.ts
index 06bfba46d57..147c4a455c9 100644
--- a/src/acp/persistent-bindings.test.ts
+++ b/src/acp/persistent-bindings.test.ts
@@ -1,5 +1,10 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
+import { discordPlugin } from "../../extensions/discord/src/channel.js";
+import { feishuPlugin } from "../../extensions/feishu/src/channel.js";
+import { telegramPlugin } from "../../extensions/telegram/src/channel.js";
 import type { OpenClawConfig } from "../config/config.js";
+import { setActivePluginRegistry } from "../plugins/runtime.js";
+import { createTestRegistry } from "../test-utils/channel-plugins.js";
 const managerMocks = vi.hoisted(() => ({
   resolveSession: vi.fn(),
   closeSession: vi.fn(),
@@ -162,6 +167,13 @@ function mockReadySession(params: { spec: BindingSpec; cwd: string }) {
 }
 
 beforeEach(() => {
+  setActivePluginRegistry(
+    createTestRegistry([
+      { pluginId: "discord", plugin: discordPlugin, source: "test" },
+      { pluginId: "telegram", plugin: telegramPlugin, source: "test" },
+      { pluginId: "feishu", plugin: feishuPlugin, source: "test" },
+    ]),
+  );
   managerMocks.resolveSession.mockReset();
   managerMocks.closeSession.mockReset().mockResolvedValue({
     runtimeClosed: true,
diff --git a/src/acp/persistent-bindings.types.ts b/src/acp/persistent-bindings.types.ts
index 3864392c96c..3583fc4cd9f 100644
--- a/src/acp/persistent-bindings.types.ts
+++ b/src/acp/persistent-bindings.types.ts
@@ -1,9 +1,10 @@
 import { createHash } from "node:crypto";
+import type { ChannelId } from "../channels/plugins/types.js";
 import type { SessionBindingRecord } from "../infra/outbound/session-binding-service.js";
 import { sanitizeAgentId } from "../routing/session-key.js";
 import type { AcpRuntimeSessionMode } from "./runtime/types.js";
 
-export type ConfiguredAcpBindingChannel = "discord" | "telegram" | "feishu";
+export type ConfiguredAcpBindingChannel = ChannelId;
 
 export type ConfiguredAcpBindingSpec = {
   channel: ConfiguredAcpBindingChannel;
diff --git a/src/agents/apply-patch.test.ts b/src/agents/apply-patch.test.ts
index 1f305379b5d..5182dfdf0af 100644
--- a/src/agents/apply-patch.test.ts
+++ b/src/agents/apply-patch.test.ts
@@ -361,4 +361,46 @@ describe("applyPatch", () => {
       }
     });
   });
+
+  it("uses container paths when the sandbox bridge has no local host path", async () => {
+    const files = new Map<string, string>([["/sandbox/source.txt", "before\n"]]);
+    const bridge = {
+      resolvePath: ({ filePath }: { filePath: string }) => ({
+        relativePath: filePath,
+        containerPath: `/sandbox/${filePath}`,
+      }),
+      readFile: vi.fn(async ({ filePath }: { filePath: string }) =>
+        Buffer.from(files.get(filePath) ?? "", "utf8"),
+      ),
+      writeFile: vi.fn(async ({ filePath, data }: { filePath: string; data: Buffer | string }) => {
+        files.set(filePath, Buffer.isBuffer(data) ? data.toString("utf8") : data);
+      }),
+      remove: vi.fn(async ({ filePath }: { filePath: string }) => {
+        files.delete(filePath);
+      }),
+      mkdirp: vi.fn(async () => {}),
+    };
+
+    const patch = `*** Begin Patch
+*** Update File: source.txt
+@@
+-before
++after
+*** End Patch`;
+
+    const result = await applyPatch(patch, {
+      cwd: "/local/workspace",
+      sandbox: {
+        root: "/local/workspace",
+        bridge: bridge as never,
+      },
+    });
+
+    expect(files.get("/sandbox/source.txt")).toBe("after\n");
+    expect(result.summary.modified).toEqual(["source.txt"]);
+    expect(bridge.readFile).toHaveBeenCalledWith({
+      filePath: "/sandbox/source.txt",
+      cwd: "/local/workspace",
+    });
+  });
 });
diff --git a/src/agents/apply-patch.ts b/src/agents/apply-patch.ts
index d7a5dc1e0ff..0fc612923c1 100644
--- a/src/agents/apply-patch.ts
+++ b/src/agents/apply-patch.ts
@@ -313,7 +313,7 @@ async function resolvePatchPath(
       filePath,
       cwd: options.cwd,
     });
-    if (options.workspaceOnly !== false) {
+    if (options.workspaceOnly !== false && resolved.hostPath) {
       await assertSandboxPath({
         filePath: resolved.hostPath,
         cwd: options.cwd,
@@ -323,8 +323,8 @@ async function resolvePatchPath(
       });
     }
     return {
-      resolved: resolved.hostPath,
-      display: resolved.relativePath || resolved.hostPath,
+      resolved: resolved.hostPath ?? resolved.containerPath,
+      display: resolved.relativePath || resolved.containerPath,
     };
   }
 
diff --git a/src/agents/auth-profiles/doctor.ts b/src/agents/auth-profiles/doctor.ts
index ee743a06000..e2ce1a7efca 100644
--- a/src/agents/auth-profiles/doctor.ts
+++ b/src/agents/auth-profiles/doctor.ts
@@ -1,47 +1,35 @@
-import { formatCliCommand } from "../../cli/command-format.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { normalizeProviderId } from "../model-selection.js";
-import { listProfilesForProvider } from "./profiles.js";
-import { suggestOAuthProfileIdForLegacyDefault } from "./repair.js";
 import type { AuthProfileStore } from "./types.js";
 
-export function formatAuthDoctorHint(params: {
+let providerRuntimePromise:
+  | Promise<typeof import("../../plugins/provider-runtime.runtime.js")>
+  | undefined;
+
+function loadProviderRuntime() {
+  providerRuntimePromise ??= import("../../plugins/provider-runtime.runtime.js");
+  return providerRuntimePromise;
+}
+
+export async function formatAuthDoctorHint(params: {
   cfg?: OpenClawConfig;
   store: AuthProfileStore;
   provider: string;
   profileId?: string;
-}): string {
-  const providerKey = normalizeProviderId(params.provider);
-  if (providerKey !== "anthropic") {
-    return "";
-  }
-
-  const legacyProfileId = params.profileId ?? "anthropic:default";
-  const suggested = suggestOAuthProfileIdForLegacyDefault({
-    cfg: params.cfg,
-    store: params.store,
-    provider: providerKey,
-    legacyProfileId,
+}): Promise<string> {
+  const normalizedProvider = normalizeProviderId(params.provider);
+  const { buildProviderAuthDoctorHintWithPlugin } = await loadProviderRuntime();
+  const pluginHint = await buildProviderAuthDoctorHintWithPlugin({
+    provider: normalizedProvider,
+    context: {
+      config: params.cfg,
+      store: params.store,
+      provider: normalizedProvider,
+      profileId: params.profileId,
+    },
   });
-  if (!suggested || suggested === legacyProfileId) {
-    return "";
+  if (typeof pluginHint === "string" && pluginHint.trim()) {
+    return pluginHint;
   }
-
-  const storeOauthProfiles = listProfilesForProvider(params.store, providerKey)
-    .filter((id) => params.store.profiles[id]?.type === "oauth")
-    .join(", ");
-
-  const cfgMode = params.cfg?.auth?.profiles?.[legacyProfileId]?.mode;
-  const cfgProvider = params.cfg?.auth?.profiles?.[legacyProfileId]?.provider;
-
-  return [
-    "Doctor hint (for GitHub issue):",
-    `- provider: ${providerKey}`,
-    `- config: ${legacyProfileId}${
-      cfgProvider || cfgMode ? ` (provider=${cfgProvider ?? "?"}, mode=${cfgMode ?? "?"})` : ""
-    }`,
-    `- auth store oauth profiles: ${storeOauthProfiles || "(none)"}`,
-    `- suggested profile: ${suggested}`,
-    `Fix: run "${formatCliCommand("openclaw doctor --yes")}"`,
-  ].join("\n");
+  return "";
 }
diff --git a/src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts b/src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts
index 23381d89a05..eff06553752 100644
--- a/src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts
+++ b/src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts
@@ -17,6 +17,18 @@ const { getOAuthApiKeyMock } = vi.hoisted(() => ({
   }),
 }));
 
+const {
+  refreshProviderOAuthCredentialWithPluginMock,
+  formatProviderAuthProfileApiKeyWithPluginMock,
+  buildProviderAuthDoctorHintWithPluginMock,
+} = vi.hoisted(() => ({
+  refreshProviderOAuthCredentialWithPluginMock: vi.fn(
+    async (_params?: { context?: unknown }) => undefined,
+  ),
+  formatProviderAuthProfileApiKeyWithPluginMock: vi.fn(() => undefined),
+  buildProviderAuthDoctorHintWithPluginMock: vi.fn(async () => undefined),
+}));
+
 vi.mock("@mariozechner/pi-ai/oauth", () => ({
   getOAuthApiKey: getOAuthApiKeyMock,
   getOAuthProviders: () => [
@@ -25,6 +37,12 @@ vi.mock("@mariozechner/pi-ai/oauth", () => ({
   ],
 }));
 
+vi.mock("../../plugins/provider-runtime.runtime.js", () => ({
+  refreshProviderOAuthCredentialWithPlugin: refreshProviderOAuthCredentialWithPluginMock,
+  formatProviderAuthProfileApiKeyWithPlugin: formatProviderAuthProfileApiKeyWithPluginMock,
+  buildProviderAuthDoctorHintWithPlugin: buildProviderAuthDoctorHintWithPluginMock,
+}));
+
 function createExpiredOauthStore(params: {
   profileId: string;
   provider: string;
@@ -55,6 +73,12 @@ describe("resolveApiKeyForProfile openai-codex refresh fallback", () => {
 
   beforeEach(async () => {
     getOAuthApiKeyMock.mockClear();
+    refreshProviderOAuthCredentialWithPluginMock.mockReset();
+    refreshProviderOAuthCredentialWithPluginMock.mockResolvedValue(undefined);
+    formatProviderAuthProfileApiKeyWithPluginMock.mockReset();
+    formatProviderAuthProfileApiKeyWithPluginMock.mockReturnValue(undefined);
+    buildProviderAuthDoctorHintWithPluginMock.mockReset();
+    buildProviderAuthDoctorHintWithPluginMock.mockResolvedValue(undefined);
     clearRuntimeAuthProfileStoreSnapshots();
     tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-codex-refresh-fallback-"));
     agentDir = path.join(tempRoot, "agents", "main", "agent");
@@ -72,6 +96,9 @@ describe("resolveApiKeyForProfile openai-codex refresh fallback", () => {
 
   it("falls back to cached access token when openai-codex refresh fails on accountId extraction", async () => {
     const profileId = "openai-codex:default";
+    refreshProviderOAuthCredentialWithPluginMock.mockImplementationOnce(
+      async (params?: { context?: unknown }) => params?.context as never,
+    );
     saveAuthProfileStore(
       createExpiredOauthStore({
         profileId,
@@ -91,7 +118,7 @@ describe("resolveApiKeyForProfile openai-codex refresh fallback", () => {
       provider: "openai-codex",
       email: undefined,
     });
-    expect(getOAuthApiKeyMock).toHaveBeenCalledTimes(1);
+    expect(refreshProviderOAuthCredentialWithPluginMock).toHaveBeenCalledTimes(1);
   });
 
   it("keeps throwing for non-codex providers on the same refresh error", async () => {
@@ -122,7 +149,7 @@ describe("resolveApiKeyForProfile openai-codex refresh fallback", () => {
       }),
       agentDir,
     );
-    getOAuthApiKeyMock.mockImplementationOnce(async () => {
+    refreshProviderOAuthCredentialWithPluginMock.mockImplementationOnce(async () => {
       throw new Error("invalid_grant");
     });
 
diff --git a/src/agents/auth-profiles/oauth.ts b/src/agents/auth-profiles/oauth.ts
index edc1ddfb24e..f09b972fd36 100644
--- a/src/agents/auth-profiles/oauth.ts
+++ b/src/agents/auth-profiles/oauth.ts
@@ -7,20 +7,27 @@ import {
 import { loadConfig, type OpenClawConfig } from "../../config/config.js";
 import { coerceSecretRef } from "../../config/types.secrets.js";
 import { withFileLock } from "../../infra/file-lock.js";
-import { refreshQwenPortalCredentials } from "../../providers/qwen-portal-oauth.js";
 import { resolveSecretRefString, type SecretRefResolveCache } from "../../secrets/resolve.js";
 import { refreshChutesTokens } from "../chutes-oauth.js";
-import { normalizeProviderId } from "../model-selection.js";
 import { AUTH_STORE_LOCK_OPTIONS, log } from "./constants.js";
 import { resolveTokenExpiryState } from "./credential-state.js";
 import { formatAuthDoctorHint } from "./doctor.js";
 import { ensureAuthStoreFile, resolveAuthStorePath } from "./paths.js";
 import { suggestOAuthProfileIdForLegacyDefault } from "./repair.js";
 import { ensureAuthProfileStore, saveAuthProfileStore } from "./store.js";
-import type { AuthProfileStore } from "./types.js";
+import type { AuthProfileStore, OAuthCredential } from "./types.js";
 
 const OAUTH_PROVIDER_IDS = new Set<string>(getOAuthProviders().map((provider) => provider.id));
 
+let providerRuntimePromise:
+  | Promise<typeof import("../../plugins/provider-runtime.runtime.js")>
+  | undefined;
+
+function loadProviderRuntime() {
+  providerRuntimePromise ??= import("../../plugins/provider-runtime.runtime.js");
+  return providerRuntimePromise;
+}
+
 const isOAuthProvider = (provider: string): provider is OAuthProvider =>
   OAUTH_PROVIDER_IDS.has(provider);
 
@@ -58,14 +65,13 @@ function isProfileConfigCompatible(params: {
   return true;
 }
 
-function buildOAuthApiKey(provider: string, credentials: OAuthCredentials): string {
-  const needsProjectId = provider === "google-gemini-cli";
-  return needsProjectId
-    ? JSON.stringify({
-        token: credentials.access,
-        projectId: credentials.projectId,
-      })
-    : credentials.access;
+async function buildOAuthApiKey(provider: string, credentials: OAuthCredential): Promise<string> {
+  const { formatProviderAuthProfileApiKeyWithPlugin } = await loadProviderRuntime();
+  const formatted = formatProviderAuthProfileApiKeyWithPlugin({
+    provider,
+    context: credentials,
+  });
+  return typeof formatted === "string" && formatted.length > 0 ? formatted : credentials.access;
 }
 
 function buildApiKeyProfileResult(params: { apiKey: string; provider: string; email?: string }) {
@@ -76,13 +82,13 @@ function buildApiKeyProfileResult(params: { apiKey: string; provider: string; em
   };
 }
 
-function buildOAuthProfileResult(params: {
+async function buildOAuthProfileResult(params: {
   provider: string;
-  credentials: OAuthCredentials;
+  credentials: OAuthCredential;
   email?: string;
 }) {
   return buildApiKeyProfileResult({
-    apiKey: buildOAuthApiKey(params.provider, params.credentials),
+    apiKey: await buildOAuthApiKey(params.provider, params.credentials),
     provider: params.provider,
     email: params.email,
   });
@@ -92,23 +98,6 @@ function extractErrorMessage(error: unknown): string {
   return error instanceof Error ? error.message : String(error);
 }
 
-function shouldUseOpenaiCodexRefreshFallback(params: {
-  provider: string;
-  credentials: OAuthCredentials;
-  error: unknown;
-}): boolean {
-  if (normalizeProviderId(params.provider) !== "openai-codex") {
-    return false;
-  }
-  const message = extractErrorMessage(params.error);
-  if (!/extract\s+accountid\s+from\s+token/i.test(message)) {
-    return false;
-  }
-  return (
-    typeof params.credentials.access === "string" && params.credentials.access.trim().length > 0
-  );
-}
-
 type ResolveApiKeyForProfileParams = {
   cfg?: OpenClawConfig;
   store: AuthProfileStore;
@@ -171,15 +160,24 @@ async function refreshOAuthTokenWithLock(params: {
 
     if (Date.now() < cred.expires) {
       return {
-        apiKey: buildOAuthApiKey(cred.provider, cred),
+        apiKey: await buildOAuthApiKey(cred.provider, cred),
         newCredentials: cred,
       };
     }
 
-    const oauthCreds: Record<string, OAuthCredentials> = {
-      [cred.provider]: cred,
-    };
+    const { refreshProviderOAuthCredentialWithPlugin } = await loadProviderRuntime();
+    const pluginRefreshed = await refreshProviderOAuthCredentialWithPlugin({
+      provider: cred.provider,
+      context: cred,
+    });
+    if (pluginRefreshed) {
+      return {
+        apiKey: await buildOAuthApiKey(cred.provider, pluginRefreshed),
+        newCredentials: pluginRefreshed,
+      };
+    }
 
+    const oauthCreds: Record<string, OAuthCredentials> = { [cred.provider]: cred };
     const result =
       String(cred.provider) === "chutes"
         ? await (async () => {
@@ -188,18 +186,13 @@ async function refreshOAuthTokenWithLock(params: {
             });
             return { apiKey: newCredentials.access, newCredentials };
           })()
-        : String(cred.provider) === "qwen-portal"
-          ? await (async () => {
-              const newCredentials = await refreshQwenPortalCredentials(cred);
-              return { apiKey: newCredentials.access, newCredentials };
-            })()
-          : await (async () => {
-              const oauthProvider = resolveOAuthProvider(cred.provider);
-              if (!oauthProvider) {
-                return null;
-              }
-              return await getOAuthApiKey(oauthProvider, oauthCreds);
-            })();
+        : await (async () => {
+            const oauthProvider = resolveOAuthProvider(cred.provider);
+            if (!oauthProvider) {
+              return null;
+            }
+            return await getOAuthApiKey(oauthProvider, oauthCreds);
+          })();
     if (!result) {
       return null;
     }
@@ -234,7 +227,7 @@ async function tryResolveOAuthProfile(
   }
 
   if (Date.now() < cred.expires) {
-    return buildOAuthProfileResult({
+    return await buildOAuthProfileResult({
       provider: cred.provider,
       credentials: cred,
       email: cred.email,
@@ -379,7 +372,7 @@ export async function resolveApiKeyForProfile(
     }) ?? cred;
 
   if (Date.now() < oauthCred.expires) {
-    return buildOAuthProfileResult({
+    return await buildOAuthProfileResult({
       provider: oauthCred.provider,
       credentials: oauthCred,
       email: oauthCred.email,
@@ -403,7 +396,7 @@ export async function resolveApiKeyForProfile(
     const refreshedStore = ensureAuthProfileStore(params.agentDir);
     const refreshed = refreshedStore.profiles[profileId];
     if (refreshed?.type === "oauth" && Date.now() < refreshed.expires) {
-      return buildOAuthProfileResult({
+      return await buildOAuthProfileResult({
         provider: refreshed.provider,
         credentials: refreshed,
         email: refreshed.email ?? cred.email,
@@ -445,7 +438,7 @@ export async function resolveApiKeyForProfile(
             agentDir: params.agentDir,
             expires: new Date(mainCred.expires).toISOString(),
           });
-          return buildOAuthProfileResult({
+          return await buildOAuthProfileResult({
             provider: mainCred.provider,
             credentials: mainCred,
             email: mainCred.email,
@@ -456,26 +449,8 @@ export async function resolveApiKeyForProfile(
       }
     }
 
-    if (
-      shouldUseOpenaiCodexRefreshFallback({
-        provider: cred.provider,
-        credentials: cred,
-        error,
-      })
-    ) {
-      log.warn("openai-codex oauth refresh failed; using cached access token fallback", {
-        profileId,
-        provider: cred.provider,
-      });
-      return buildApiKeyProfileResult({
-        apiKey: cred.access,
-        provider: cred.provider,
-        email: cred.email,
-      });
-    }
-
     const message = extractErrorMessage(error);
-    const hint = formatAuthDoctorHint({
+    const hint = await formatAuthDoctorHint({
       cfg,
       store: refreshedStore,
       provider: cred.provider,
diff --git a/src/agents/auth-profiles/order.ts b/src/agents/auth-profiles/order.ts
index d653b7198cb..fba2e9ed35c 100644
--- a/src/agents/auth-profiles/order.ts
+++ b/src/agents/auth-profiles/order.ts
@@ -104,7 +104,7 @@ export function resolveAuthProfileOrder(params: {
     }).eligible;
   let filtered = baseOrder.filter(isValidProfile);
 
-  // Repair config/store profile-id drift from older onboarding flows:
+  // Repair config/store profile-id drift from older setup flows:
   // if configured profile ids no longer exist in auth-profiles.json, scan the
   // provider's stored credentials and use any valid entries.
   const allBaseProfilesMissing = baseOrder.every((profileId) => !store.profiles[profileId]);
diff --git a/src/agents/bash-tools.exec-runtime.ts b/src/agents/bash-tools.exec-runtime.ts
index 5c3301414b9..72367deb33d 100644
--- a/src/agents/bash-tools.exec-runtime.ts
+++ b/src/agents/bash-tools.exec-runtime.ts
@@ -384,6 +384,7 @@ export async function runExecProcess(opts: {
     typeof opts.timeoutSec === "number" && opts.timeoutSec > 0
       ? Math.floor(opts.timeoutSec * 1000)
       : undefined;
+  let sandboxFinalizeToken: unknown;
 
   const spawnSpec:
     | {
@@ -398,11 +399,18 @@ export async function runExecProcess(opts: {
         childFallbackArgv: string[];
         env: NodeJS.ProcessEnv;
         stdinMode: "pipe-open";
-      } = (() => {
+      } = await (async () => {
     if (opts.sandbox) {
+      const backendExecSpec = await opts.sandbox.buildExecSpec?.({
+        command: execCommand,
+        workdir: opts.containerWorkdir ?? opts.sandbox.containerWorkdir,
+        env: shellRuntimeEnv,
+        usePty: opts.usePty,
+      });
+      sandboxFinalizeToken = backendExecSpec?.finalizeToken;
       return {
         mode: "child" as const,
-        argv: [
+        argv: backendExecSpec?.argv ?? [
           "docker",
           ...buildDockerExecArgs({
             containerName: opts.sandbox.containerName,
@@ -412,8 +420,10 @@ export async function runExecProcess(opts: {
             tty: opts.usePty,
           }),
         ],
-        env: process.env,
-        stdinMode: opts.usePty ? ("pipe-open" as const) : ("pipe-closed" as const),
+        env: backendExecSpec?.env ?? process.env,
+        stdinMode:
+          backendExecSpec?.stdinMode ??
+          (opts.usePty ? ("pipe-open" as const) : ("pipe-closed" as const)),
       };
     }
     const { shell, args: shellArgs } = getShellConfig();
@@ -519,7 +529,7 @@ export async function runExecProcess(opts: {
 
   const promise = managedRun
     .wait()
-    .then((exit): ExecProcessOutcome => {
+    .then(async (exit): Promise<ExecProcessOutcome> => {
       const durationMs = Date.now() - startedAt;
       const isNormalExit = exit.reason === "exit";
       const exitCode = exit.exitCode ?? 0;
@@ -536,6 +546,14 @@ export async function runExecProcess(opts: {
         session.stdin.destroyed = true;
       }
       const aggregated = session.aggregated.trim();
+      if (opts.sandbox?.finalizeExec) {
+        await opts.sandbox.finalizeExec({
+          status,
+          exitCode: exit.exitCode ?? null,
+          timedOut: exit.timedOut,
+          token: sandboxFinalizeToken,
+        });
+      }
       if (status === "completed") {
         const exitMsg = exitCode !== 0 ? `\n\n(Command exited with code ${exitCode})` : "";
         return {
diff --git a/src/agents/bash-tools.shared.ts b/src/agents/bash-tools.shared.ts
index 3cfb92655e2..25f1fb5bd8d 100644
--- a/src/agents/bash-tools.shared.ts
+++ b/src/agents/bash-tools.shared.ts
@@ -4,6 +4,7 @@ import { homedir } from "node:os";
 import path from "node:path";
 import { sliceUtf16Safe } from "../utils.js";
 import { assertSandboxPath } from "./sandbox-paths.js";
+import type { SandboxBackendExecSpec } from "./sandbox/backend.js";
 
 const CHUNK_LIMIT = 8 * 1024;
 
@@ -12,6 +13,18 @@ export type BashSandboxConfig = {
   workspaceDir: string;
   containerWorkdir: string;
   env?: Record<string, string>;
+  buildExecSpec?: (params: {
+    command: string;
+    workdir?: string;
+    env: Record<string, string>;
+    usePty: boolean;
+  }) => Promise<SandboxBackendExecSpec>;
+  finalizeExec?: (params: {
+    status: "completed" | "failed";
+    exitCode: number | null;
+    timedOut: boolean;
+    token?: unknown;
+  }) => Promise<void>;
 };
 
 export function buildSandboxEnv(params: {
diff --git a/src/agents/channel-tools.ts b/src/agents/channel-tools.ts
index e49a090f509..242cce868c1 100644
--- a/src/agents/channel-tools.ts
+++ b/src/agents/channel-tools.ts
@@ -1,4 +1,3 @@
-import { getChannelDock } from "../channels/dock.js";
 import { getChannelPlugin, listChannelPlugins } from "../channels/plugins/index.js";
 import type {
   ChannelAgentTool,
@@ -73,8 +72,7 @@ export function resolveChannelMessageToolHints(params: {
   if (!channelId) {
     return [];
   }
-  const dock = getChannelDock(channelId);
-  const resolve = dock?.agentPrompt?.messageToolHints;
+  const resolve = getChannelPlugin(channelId)?.agentPrompt?.messageToolHints;
   if (!resolve) {
     return [];
   }
diff --git a/src/agents/context.lookup.test.ts b/src/agents/context.lookup.test.ts
index e5025b36c76..0f33ada0d1b 100644
--- a/src/agents/context.lookup.test.ts
+++ b/src/agents/context.lookup.test.ts
@@ -104,6 +104,34 @@ describe("lookupContextTokens", () => {
     }
   });
 
+  it("skips eager warmup for status commands that only read model metadata opportunistically", async () => {
+    const loadConfigMock = vi.fn(() => ({ models: {} }));
+    mockContextModuleDeps(loadConfigMock);
+
+    const argvSnapshot = process.argv;
+    process.argv = ["node", "openclaw", "status", "--json"];
+    try {
+      await import("./context.js");
+      expect(loadConfigMock).not.toHaveBeenCalled();
+    } finally {
+      process.argv = argvSnapshot;
+    }
+  });
+
+  it("skips eager warmup for gateway commands that do not need model metadata at startup", async () => {
+    const loadConfigMock = vi.fn(() => ({ models: {} }));
+    mockContextModuleDeps(loadConfigMock);
+
+    const argvSnapshot = process.argv;
+    process.argv = ["node", "openclaw", "gateway", "status", "--json"];
+    try {
+      await import("./context.js");
+      expect(loadConfigMock).not.toHaveBeenCalled();
+    } finally {
+      process.argv = argvSnapshot;
+    }
+  });
+
   it("retries config loading after backoff when an initial load fails", async () => {
     vi.useFakeTimers();
     const loadConfigMock = vi
diff --git a/src/agents/context.ts b/src/agents/context.ts
index 5550f67e3b7..cfeee26cd60 100644
--- a/src/agents/context.ts
+++ b/src/agents/context.ts
@@ -114,11 +114,13 @@ const SKIP_EAGER_WARMUP_PRIMARY_COMMANDS = new Set([
   "config",
   "directory",
   "doctor",
+  "gateway",
   "health",
   "hooks",
   "logs",
   "plugins",
   "secrets",
+  "status",
   "update",
   "webhooks",
 ]);
diff --git a/src/agents/live-model-filter.ts b/src/agents/live-model-filter.ts
index 059e12d9711..591f41c324c 100644
--- a/src/agents/live-model-filter.ts
+++ b/src/agents/live-model-filter.ts
@@ -1,39 +1,10 @@
+import { resolveProviderModernModelRef } from "../plugins/provider-runtime.js";
+
 export type ModelRef = {
   provider?: string | null;
   id?: string | null;
 };
 
-const ANTHROPIC_PREFIXES = [
-  "claude-opus-4-6",
-  "claude-sonnet-4-6",
-  "claude-opus-4-5",
-  "claude-sonnet-4-5",
-  "claude-haiku-4-5",
-];
-const OPENAI_MODELS = ["gpt-5.4", "gpt-5.2", "gpt-5.0"];
-const CODEX_MODELS = [
-  "gpt-5.4",
-  "gpt-5.2",
-  "gpt-5.2-codex",
-  "gpt-5.3-codex",
-  "gpt-5.3-codex-spark",
-  "gpt-5.1-codex",
-  "gpt-5.1-codex-mini",
-  "gpt-5.1-codex-max",
-];
-const GOOGLE_PREFIXES = ["gemini-3"];
-const ZAI_PREFIXES = ["glm-5", "glm-4.7", "glm-4.7-flash", "glm-4.7-flashx"];
-const MINIMAX_PREFIXES = ["minimax-m2.5", "minimax-m2.5"];
-const XAI_PREFIXES = ["grok-4"];
-
-function matchesPrefix(id: string, prefixes: string[]): boolean {
-  return prefixes.some((prefix) => id.startsWith(prefix));
-}
-
-function matchesExactOrPrefix(id: string, values: string[]): boolean {
-  return values.some((value) => id === value || id.startsWith(value));
-}
-
 export function isModernModelRef(ref: ModelRef): boolean {
   const provider = ref.provider?.trim().toLowerCase() ?? "";
   const id = ref.id?.trim().toLowerCase() ?? "";
@@ -41,51 +12,15 @@ export function isModernModelRef(ref: ModelRef): boolean {
     return false;
   }
 
-  if (provider === "anthropic") {
-    return matchesPrefix(id, ANTHROPIC_PREFIXES);
+  const pluginDecision = resolveProviderModernModelRef({
+    provider,
+    context: {
+      provider,
+      modelId: id,
+    },
+  });
+  if (typeof pluginDecision === "boolean") {
+    return pluginDecision;
   }
-
-  if (provider === "openai") {
-    return matchesExactOrPrefix(id, OPENAI_MODELS);
-  }
-
-  if (provider === "openai-codex") {
-    return matchesExactOrPrefix(id, CODEX_MODELS);
-  }
-
-  if (provider === "google" || provider === "google-gemini-cli") {
-    return matchesPrefix(id, GOOGLE_PREFIXES);
-  }
-
-  if (provider === "zai") {
-    return matchesPrefix(id, ZAI_PREFIXES);
-  }
-
-  if (provider === "minimax") {
-    return matchesPrefix(id, MINIMAX_PREFIXES);
-  }
-
-  if (provider === "xai") {
-    return matchesPrefix(id, XAI_PREFIXES);
-  }
-
-  if (provider === "opencode" && id.endsWith("-free")) {
-    return false;
-  }
-  if (provider === "opencode" && id === "alpha-glm-4.7") {
-    return false;
-  }
-  // Opencode MiniMax variants have been intermittently unstable in live runs;
-  // prefer the rest of the modern catalog for deterministic smoke coverage.
-  if (provider === "opencode" && matchesPrefix(id, MINIMAX_PREFIXES)) {
-    return false;
-  }
-
-  if (provider === "openrouter" || provider === "opencode" || provider === "opencode-go") {
-    // OpenRouter/opencode are pass-through proxies; accept any model ID
-    // rather than restricting to a static prefix list.
-    return true;
-  }
-
   return false;
 }
diff --git a/src/agents/model-auth-env-vars.ts b/src/agents/model-auth-env-vars.ts
index c9cb9159138..e318cd2e9c8 100644
--- a/src/agents/model-auth-env-vars.ts
+++ b/src/agents/model-auth-env-vars.ts
@@ -1,45 +1,10 @@
-export const PROVIDER_ENV_API_KEY_CANDIDATES: Record<string, string[]> = {
-  "github-copilot": ["COPILOT_GITHUB_TOKEN", "GH_TOKEN", "GITHUB_TOKEN"],
-  anthropic: ["ANTHROPIC_OAUTH_TOKEN", "ANTHROPIC_API_KEY"],
-  chutes: ["CHUTES_OAUTH_TOKEN", "CHUTES_API_KEY"],
-  zai: ["ZAI_API_KEY", "Z_AI_API_KEY"],
-  opencode: ["OPENCODE_API_KEY", "OPENCODE_ZEN_API_KEY"],
-  "opencode-go": ["OPENCODE_API_KEY", "OPENCODE_ZEN_API_KEY"],
-  "qwen-portal": ["QWEN_OAUTH_TOKEN", "QWEN_PORTAL_API_KEY"],
-  volcengine: ["VOLCANO_ENGINE_API_KEY"],
-  "volcengine-plan": ["VOLCANO_ENGINE_API_KEY"],
-  byteplus: ["BYTEPLUS_API_KEY"],
-  "byteplus-plan": ["BYTEPLUS_API_KEY"],
-  "minimax-portal": ["MINIMAX_OAUTH_TOKEN", "MINIMAX_API_KEY"],
-  "kimi-coding": ["KIMI_API_KEY", "KIMICODE_API_KEY"],
-  huggingface: ["HUGGINGFACE_HUB_TOKEN", "HF_TOKEN"],
-  openai: ["OPENAI_API_KEY"],
-  google: ["GEMINI_API_KEY"],
-  voyage: ["VOYAGE_API_KEY"],
-  groq: ["GROQ_API_KEY"],
-  deepgram: ["DEEPGRAM_API_KEY"],
-  cerebras: ["CEREBRAS_API_KEY"],
-  xai: ["XAI_API_KEY"],
-  openrouter: ["OPENROUTER_API_KEY"],
-  litellm: ["LITELLM_API_KEY"],
-  "vercel-ai-gateway": ["AI_GATEWAY_API_KEY"],
-  "cloudflare-ai-gateway": ["CLOUDFLARE_AI_GATEWAY_API_KEY"],
-  moonshot: ["MOONSHOT_API_KEY"],
-  minimax: ["MINIMAX_API_KEY"],
-  nvidia: ["NVIDIA_API_KEY"],
-  xiaomi: ["XIAOMI_API_KEY"],
-  synthetic: ["SYNTHETIC_API_KEY"],
-  venice: ["VENICE_API_KEY"],
-  mistral: ["MISTRAL_API_KEY"],
-  together: ["TOGETHER_API_KEY"],
-  qianfan: ["QIANFAN_API_KEY"],
-  modelstudio: ["MODELSTUDIO_API_KEY"],
-  ollama: ["OLLAMA_API_KEY"],
-  sglang: ["SGLANG_API_KEY"],
-  vllm: ["VLLM_API_KEY"],
-  kilocode: ["KILOCODE_API_KEY"],
-};
+import {
+  PROVIDER_AUTH_ENV_VAR_CANDIDATES,
+  listKnownProviderAuthEnvVarNames,
+} from "../secrets/provider-env-vars.js";
+
+export const PROVIDER_ENV_API_KEY_CANDIDATES = PROVIDER_AUTH_ENV_VAR_CANDIDATES;
 
 export function listKnownProviderEnvApiKeyNames(): string[] {
-  return [...new Set(Object.values(PROVIDER_ENV_API_KEY_CANDIDATES).flat())];
+  return listKnownProviderAuthEnvVarNames();
 }
diff --git a/src/agents/model-auth.profiles.test.ts b/src/agents/model-auth.profiles.test.ts
index a1fc511aaf8..f9395373024 100644
--- a/src/agents/model-auth.profiles.test.ts
+++ b/src/agents/model-auth.profiles.test.ts
@@ -5,7 +5,12 @@ import type { Api, Model } from "@mariozechner/pi-ai";
 import { describe, expect, it } from "vitest";
 import { withEnvAsync } from "../test-utils/env.js";
 import { ensureAuthProfileStore } from "./auth-profiles.js";
-import { getApiKeyForModel, resolveApiKeyForProvider, resolveEnvApiKey } from "./model-auth.js";
+import {
+  getApiKeyForModel,
+  hasAvailableAuthForProvider,
+  resolveApiKeyForProvider,
+  resolveEnvApiKey,
+} from "./model-auth.js";
 
 const envVar = (...parts: string[]) => parts.join("_");
 
@@ -206,6 +211,40 @@ describe("getApiKeyForModel", () => {
     );
   });
 
+  it("hasAvailableAuthForProvider('google') accepts GOOGLE_API_KEY fallback", async () => {
+    await withEnvAsync(
+      {
+        GEMINI_API_KEY: undefined,
+        GOOGLE_API_KEY: "google-test-key", // pragma: allowlist secret
+      },
+      async () => {
+        await expect(
+          hasAvailableAuthForProvider({
+            provider: "google",
+            store: { version: 1, profiles: {} },
+          }),
+        ).resolves.toBe(true);
+      },
+    );
+  });
+
+  it("hasAvailableAuthForProvider returns false when no provider auth is available", async () => {
+    await withEnvAsync(
+      {
+        ZAI_API_KEY: undefined,
+        Z_AI_API_KEY: undefined,
+      },
+      async () => {
+        await expect(
+          hasAvailableAuthForProvider({
+            provider: "zai",
+            store: { version: 1, profiles: {} },
+          }),
+        ).resolves.toBe(false);
+      },
+    );
+  });
+
   it("resolves Synthetic API key from env", async () => {
     await withEnvAsync({ [envVar("SYNTHETIC", "API", "KEY")]: "synthetic-test-key" }, async () => {
       // pragma: allowlist secret
@@ -426,4 +465,45 @@ describe("getApiKeyForModel", () => {
       },
     );
   });
+
+  it("resolveEnvApiKey('qwen-portal') accepts QWEN_OAUTH_TOKEN", async () => {
+    await withEnvAsync(
+      {
+        QWEN_OAUTH_TOKEN: "qwen-oauth-token",
+        QWEN_PORTAL_API_KEY: undefined,
+      },
+      async () => {
+        const resolved = resolveEnvApiKey("qwen");
+        expect(resolved?.apiKey).toBe("qwen-oauth-token");
+        expect(resolved?.source).toContain("QWEN_OAUTH_TOKEN");
+      },
+    );
+  });
+
+  it("resolveEnvApiKey('minimax-portal') accepts MINIMAX_OAUTH_TOKEN", async () => {
+    await withEnvAsync(
+      {
+        MINIMAX_OAUTH_TOKEN: "minimax-oauth-token",
+        MINIMAX_API_KEY: undefined,
+      },
+      async () => {
+        const resolved = resolveEnvApiKey("minimax-portal");
+        expect(resolved?.apiKey).toBe("minimax-oauth-token");
+        expect(resolved?.source).toContain("MINIMAX_OAUTH_TOKEN");
+      },
+    );
+  });
+
+  it("resolveEnvApiKey('volcengine-plan') uses volcengine auth candidates", async () => {
+    await withEnvAsync(
+      {
+        VOLCANO_ENGINE_API_KEY: "volcengine-plan-key",
+      },
+      async () => {
+        const resolved = resolveEnvApiKey("volcengine-plan");
+        expect(resolved?.apiKey).toBe("volcengine-plan-key");
+        expect(resolved?.source).toContain("VOLCANO_ENGINE_API_KEY");
+      },
+    );
+  });
 });
diff --git a/src/agents/model-auth.test.ts b/src/agents/model-auth.test.ts
index de8f0f1b752..31fdee5496c 100644
--- a/src/agents/model-auth.test.ts
+++ b/src/agents/model-auth.test.ts
@@ -1,5 +1,6 @@
 import { streamSimpleOpenAICompletions, type Model } from "@mariozechner/pi-ai";
 import { afterEach, describe, expect, it, vi } from "vitest";
+import { withFetchPreconnect } from "../test-utils/fetch-mock.js";
 import type { AuthProfileStore } from "./auth-profiles.js";
 import { CUSTOM_LOCAL_AUTH_MARKER, NON_ENV_SECRETREF_MARKER } from "./model-auth-markers.js";
 import {
@@ -503,16 +504,18 @@ describe("applyLocalNoAuthHeaderOverride", () => {
     const requestSeen = new Promise<void>((resolve) => {
       resolveRequest = resolve;
     });
-    globalThis.fetch = vi.fn(async (_input, init) => {
-      const headers = new Headers(init?.headers);
-      capturedAuthorization = headers.get("Authorization");
-      capturedXTest = headers.get("X-Test");
-      resolveRequest?.();
-      return new Response(JSON.stringify({ error: { message: "unauthorized" } }), {
-        status: 401,
-        headers: { "content-type": "application/json" },
-      });
-    }) as typeof fetch;
+    globalThis.fetch = withFetchPreconnect(
+      vi.fn(async (_input, init) => {
+        const headers = new Headers(init?.headers);
+        capturedAuthorization = headers.get("Authorization");
+        capturedXTest = headers.get("X-Test");
+        resolveRequest?.();
+        return new Response(JSON.stringify({ error: { message: "unauthorized" } }), {
+          status: 401,
+          headers: { "content-type": "application/json" },
+        });
+      }),
+    );
 
     const model = applyLocalNoAuthHeaderOverride(
       {
diff --git a/src/agents/model-auth.ts b/src/agents/model-auth.ts
index fb3abd1571e..e494cc71b8c 100644
--- a/src/agents/model-auth.ts
+++ b/src/agents/model-auth.ts
@@ -25,7 +25,7 @@ import {
   isNonSecretApiKeyMarker,
   OLLAMA_LOCAL_AUTH_MARKER,
 } from "./model-auth-markers.js";
-import { normalizeProviderId } from "./model-selection.js";
+import { normalizeProviderId, normalizeProviderIdForAuth } from "./model-selection.js";
 
 export { ensureAuthProfileStore, resolveAuthProfileOrder } from "./auth-profiles.js";
 
@@ -35,6 +35,14 @@ const AWS_BEARER_ENV = "AWS_BEARER_TOKEN_BEDROCK";
 const AWS_ACCESS_KEY_ENV = "AWS_ACCESS_KEY_ID";
 const AWS_SECRET_KEY_ENV = "AWS_SECRET_ACCESS_KEY";
 const AWS_PROFILE_ENV = "AWS_PROFILE";
+let providerRuntimePromise:
+  | Promise<typeof import("../plugins/provider-runtime.runtime.js")>
+  | undefined;
+
+function loadProviderRuntime() {
+  providerRuntimePromise ??= import("../plugins/provider-runtime.runtime.js");
+  return providerRuntimePromise;
+}
 
 function resolveProviderConfig(
   cfg: OpenClawConfig | undefined,
@@ -194,7 +202,7 @@ function resolveSyntheticLocalProviderAuth(params: {
 
   // Custom providers pointing at a local server (e.g. llama.cpp, vLLM, LocalAI)
   // typically don't require auth. Synthesize a local key so the auth resolver
-  // doesn't reject them when the user left the API key blank during onboarding.
+  // doesn't reject them when the user left the API key blank during setup.
   if (providerConfig.baseUrl && isLocalBaseUrl(providerConfig.baseUrl)) {
     return {
       apiKey: CUSTOM_LOCAL_AUTH_MARKER,
@@ -358,13 +366,20 @@ export async function resolveApiKeyForProvider(params: {
     return resolveAwsSdkAuthInfo();
   }
 
-  if (provider === "openai") {
-    const hasCodex = listProfilesForProvider(store, "openai-codex").length > 0;
-    if (hasCodex) {
-      throw new Error(
-        'No API key found for provider "openai". You are authenticated with OpenAI Codex OAuth. Use openai-codex/gpt-5.4 (OAuth) or set OPENAI_API_KEY to use openai/gpt-5.4.',
-      );
-    }
+  const { buildProviderMissingAuthMessageWithPlugin } = await loadProviderRuntime();
+  const pluginMissingAuthMessage = buildProviderMissingAuthMessageWithPlugin({
+    provider,
+    config: cfg,
+    context: {
+      config: cfg,
+      agentDir: params.agentDir,
+      env: process.env,
+      provider,
+      listProfileIds: (providerId) => listProfilesForProvider(store, providerId),
+    },
+  });
+  if (pluginMissingAuthMessage) {
+    throw new Error(pluginMissingAuthMessage);
   }
 
   const authStorePath = resolveAuthStorePathForDisplay(params.agentDir);
@@ -385,7 +400,7 @@ export function resolveEnvApiKey(
   provider: string,
   env: NodeJS.ProcessEnv = process.env,
 ): EnvApiKeyResult | null {
-  const normalized = normalizeProviderId(provider);
+  const normalized = normalizeProviderIdForAuth(provider);
   const applied = new Set(getShellEnvAppliedKeys());
   const pick = (envVar: string): EnvApiKeyResult | null => {
     const value = normalizeOptionalSecretInput(env[envVar]);
@@ -472,6 +487,56 @@ export function resolveModelAuthMode(
   return "unknown";
 }
 
+export async function hasAvailableAuthForProvider(params: {
+  provider: string;
+  cfg?: OpenClawConfig;
+  preferredProfile?: string;
+  store?: AuthProfileStore;
+  agentDir?: string;
+}): Promise<boolean> {
+  const { provider, cfg, preferredProfile } = params;
+  const store = params.store ?? ensureAuthProfileStore(params.agentDir);
+
+  const authOverride = resolveProviderAuthOverride(cfg, provider);
+  if (authOverride === "aws-sdk") {
+    return true;
+  }
+
+  const order = resolveAuthProfileOrder({
+    cfg,
+    store,
+    provider,
+    preferredProfile,
+  });
+  for (const candidate of order) {
+    try {
+      const resolved = await resolveApiKeyForProfile({
+        cfg,
+        store,
+        profileId: candidate,
+        agentDir: params.agentDir,
+      });
+      if (resolved) {
+        return true;
+      }
+    } catch (err) {
+      log.debug?.(`auth profile "${candidate}" failed for provider "${provider}": ${String(err)}`);
+    }
+  }
+
+  if (resolveEnvApiKey(provider)) {
+    return true;
+  }
+  if (resolveUsableCustomProviderApiKey({ cfg, provider })) {
+    return true;
+  }
+  if (resolveSyntheticLocalProviderAuth({ cfg, provider })) {
+    return true;
+  }
+
+  return authOverride === undefined && normalizeProviderId(provider) === "amazon-bedrock";
+}
+
 export async function getApiKeyForModel(params: {
   model: Model<Api>;
   cfg?: OpenClawConfig;
diff --git a/src/agents/model-catalog.ts b/src/agents/model-catalog.ts
index 6f66e85c49c..983150f8d36 100644
--- a/src/agents/model-catalog.ts
+++ b/src/agents/model-catalog.ts
@@ -1,7 +1,6 @@
 import { type OpenClawConfig, loadConfig } from "../config/config.js";
 import { createSubsystemLogger } from "../logging/subsystem.js";
 import { resolveOpenClawAgentDir } from "./agent-paths.js";
-import { shouldSuppressBuiltInModel } from "./model-suppression.js";
 import { ensureOpenClawModelsJson } from "./models-config.js";
 
 const log = createSubsystemLogger("model-catalog");
@@ -32,69 +31,21 @@ let modelCatalogPromise: Promise<ModelCatalogEntry[]> | null = null;
 let hasLoggedModelCatalogError = false;
 const defaultImportPiSdk = () => import("./pi-model-discovery-runtime.js");
 let importPiSdk = defaultImportPiSdk;
+let providerRuntimePromise:
+  | Promise<typeof import("../plugins/provider-runtime.runtime.js")>
+  | undefined;
+let modelSuppressionPromise: Promise<typeof import("./model-suppression.runtime.js")> | undefined;
 
-const CODEX_PROVIDER = "openai-codex";
-const OPENAI_PROVIDER = "openai";
-const OPENAI_GPT54_MODEL_ID = "gpt-5.4";
-const OPENAI_GPT54_PRO_MODEL_ID = "gpt-5.4-pro";
-const OPENAI_CODEX_GPT53_MODEL_ID = "gpt-5.3-codex";
-const OPENAI_CODEX_GPT53_SPARK_MODEL_ID = "gpt-5.3-codex-spark";
-const OPENAI_CODEX_GPT54_MODEL_ID = "gpt-5.4";
 const NON_PI_NATIVE_MODEL_PROVIDERS = new Set(["kilocode"]);
 
-type SyntheticCatalogFallback = {
-  provider: string;
-  id: string;
-  templateIds: readonly string[];
-};
+function loadProviderRuntime() {
+  providerRuntimePromise ??= import("../plugins/provider-runtime.runtime.js");
+  return providerRuntimePromise;
+}
 
-const SYNTHETIC_CATALOG_FALLBACKS: readonly SyntheticCatalogFallback[] = [
-  {
-    provider: OPENAI_PROVIDER,
-    id: OPENAI_GPT54_MODEL_ID,
-    templateIds: ["gpt-5.2"],
-  },
-  {
-    provider: OPENAI_PROVIDER,
-    id: OPENAI_GPT54_PRO_MODEL_ID,
-    templateIds: ["gpt-5.2-pro", "gpt-5.2"],
-  },
-  {
-    provider: CODEX_PROVIDER,
-    id: OPENAI_CODEX_GPT54_MODEL_ID,
-    templateIds: ["gpt-5.3-codex", "gpt-5.2-codex"],
-  },
-  {
-    provider: CODEX_PROVIDER,
-    id: OPENAI_CODEX_GPT53_SPARK_MODEL_ID,
-    templateIds: [OPENAI_CODEX_GPT53_MODEL_ID],
-  },
-] as const;
-
-function applySyntheticCatalogFallbacks(models: ModelCatalogEntry[]): void {
-  const findCatalogEntry = (provider: string, id: string) =>
-    models.find(
-      (entry) =>
-        entry.provider.toLowerCase() === provider.toLowerCase() &&
-        entry.id.toLowerCase() === id.toLowerCase(),
-    );
-
-  for (const fallback of SYNTHETIC_CATALOG_FALLBACKS) {
-    if (findCatalogEntry(fallback.provider, fallback.id)) {
-      continue;
-    }
-    const template = fallback.templateIds
-      .map((templateId) => findCatalogEntry(fallback.provider, templateId))
-      .find((entry) => entry !== undefined);
-    if (!template) {
-      continue;
-    }
-    models.push({
-      ...template,
-      id: fallback.id,
-      name: fallback.id,
-    });
-  }
+function loadModelSuppression() {
+  modelSuppressionPromise ??= import("./model-suppression.runtime.js");
+  return modelSuppressionPromise;
 }
 
 function normalizeConfiguredModelInput(input: unknown): ModelInputType[] | undefined {
@@ -221,6 +172,8 @@ export async function loadModelCatalog(params?: {
       // will keep failing until restart).
       const piSdk = await importPiSdk();
       const agentDir = resolveOpenClawAgentDir();
+      const [{ shouldSuppressBuiltInModel }, { augmentModelCatalogWithProviderPlugins }] =
+        await Promise.all([loadModelSuppression(), loadProviderRuntime()]);
       const { join } = await import("node:path");
       const authStorage = piSdk.discoverAuthStorage(agentDir);
       const registry = new (piSdk.ModelRegistry as unknown as {
@@ -256,7 +209,31 @@ export async function loadModelCatalog(params?: {
         models.push({ id, name, provider, contextWindow, reasoning, input });
       }
       mergeConfiguredOptInProviderModels({ config: cfg, models });
-      applySyntheticCatalogFallbacks(models);
+      const supplemental = await augmentModelCatalogWithProviderPlugins({
+        config: cfg,
+        env: process.env,
+        context: {
+          config: cfg,
+          agentDir,
+          env: process.env,
+          entries: [...models],
+        },
+      });
+      if (supplemental.length > 0) {
+        const seen = new Set(
+          models.map(
+            (entry) => `${entry.provider.toLowerCase().trim()}::${entry.id.toLowerCase().trim()}`,
+          ),
+        );
+        for (const entry of supplemental) {
+          const key = `${entry.provider.toLowerCase().trim()}::${entry.id.toLowerCase().trim()}`;
+          if (seen.has(key)) {
+            continue;
+          }
+          models.push(entry);
+          seen.add(key);
+        }
+      }
 
       if (models.length === 0) {
         // If we found nothing, don't cache this result so we can try again.
diff --git a/src/agents/model-compat.test.ts b/src/agents/model-compat.test.ts
index 9bb1bf76eff..4c35f87dd62 100644
--- a/src/agents/model-compat.test.ts
+++ b/src/agents/model-compat.test.ts
@@ -1,9 +1,16 @@
 import type { Api, Model } from "@mariozechner/pi-ai";
-import type { ModelRegistry } from "@mariozechner/pi-coding-agent";
-import { describe, expect, it } from "vitest";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const providerRuntimeMocks = vi.hoisted(() => ({
+  resolveProviderModernModelRef: vi.fn(),
+}));
+
+vi.mock("../plugins/provider-runtime.js", () => ({
+  resolveProviderModernModelRef: providerRuntimeMocks.resolveProviderModernModelRef,
+}));
+
 import { isModernModelRef } from "./live-model-filter.js";
 import { normalizeModelCompat } from "./model-compat.js";
-import { resolveForwardCompatModel } from "./model-forward-compat.js";
 
 const baseModel = (): Model<Api> =>
   ({
@@ -32,43 +39,6 @@ function supportsStrictMode(model: Model<Api>): boolean | undefined {
   return (model.compat as { supportsStrictMode?: boolean } | undefined)?.supportsStrictMode;
 }
 
-function createTemplateModel(provider: string, id: string): Model<Api> {
-  return {
-    id,
-    name: id,
-    provider,
-    api: "anthropic-messages",
-    input: ["text"],
-    reasoning: true,
-    cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-    contextWindow: 200_000,
-    maxTokens: 8_192,
-  } as Model<Api>;
-}
-
-function createOpenAITemplateModel(id: string): Model<Api> {
-  return {
-    id,
-    name: id,
-    provider: "openai",
-    api: "openai-responses",
-    baseUrl: "https://api.openai.com/v1",
-    input: ["text", "image"],
-    reasoning: true,
-    cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-    contextWindow: 400_000,
-    maxTokens: 32_768,
-  } as Model<Api>;
-}
-
-function createRegistry(models: Record<string, Model<Api>>): ModelRegistry {
-  return {
-    find(provider: string, modelId: string) {
-      return models[`${provider}/${modelId}`] ?? null;
-    },
-  } as ModelRegistry;
-}
-
 function expectSupportsDeveloperRoleForcedOff(overrides?: Partial<Model<Api>>): void {
   const model = { ...baseModel(), ...overrides };
   delete (model as { compat?: unknown }).compat;
@@ -90,14 +60,10 @@ function expectSupportsStrictModeForcedOff(overrides?: Partial<Model<Api>>): voi
   expect(supportsStrictMode(normalized)).toBe(false);
 }
 
-function expectResolvedForwardCompat(
-  model: Model<Api> | undefined,
-  expected: { provider: string; id: string },
-): void {
-  expect(model?.id).toBe(expected.id);
-  expect(model?.name).toBe(expected.id);
-  expect(model?.provider).toBe(expected.provider);
-}
+beforeEach(() => {
+  providerRuntimeMocks.resolveProviderModernModelRef.mockReset();
+  providerRuntimeMocks.resolveProviderModernModelRef.mockReturnValue(undefined);
+});
 
 describe("normalizeModelCompat — Anthropic baseUrl", () => {
   const anthropicBase = (): Model<Api> =>
@@ -373,93 +339,40 @@ describe("normalizeModelCompat", () => {
 });
 
 describe("isModernModelRef", () => {
-  it("includes OpenAI gpt-5.4 variants in modern selection", () => {
+  it("uses provider runtime hooks before fallback heuristics", () => {
+    providerRuntimeMocks.resolveProviderModernModelRef.mockReturnValue(false);
+
+    expect(isModernModelRef({ provider: "openrouter", id: "claude-opus-4-6" })).toBe(false);
+  });
+
+  it("includes plugin-advertised modern models", () => {
+    providerRuntimeMocks.resolveProviderModernModelRef.mockImplementation(({ provider, context }) =>
+      provider === "openai" && ["gpt-5.4", "gpt-5.4-pro"].includes(context.modelId)
+        ? true
+        : provider === "openai-codex" && context.modelId === "gpt-5.4"
+          ? true
+          : provider === "opencode" && ["claude-opus-4-6", "gemini-3-pro"].includes(context.modelId)
+            ? true
+            : provider === "opencode-go"
+              ? true
+              : undefined,
+    );
+
     expect(isModernModelRef({ provider: "openai", id: "gpt-5.4" })).toBe(true);
     expect(isModernModelRef({ provider: "openai", id: "gpt-5.4-pro" })).toBe(true);
     expect(isModernModelRef({ provider: "openai-codex", id: "gpt-5.4" })).toBe(true);
-  });
-
-  it("excludes opencode minimax variants from modern selection", () => {
-    expect(isModernModelRef({ provider: "opencode", id: "minimax-m2.5" })).toBe(false);
-    expect(isModernModelRef({ provider: "opencode", id: "minimax-m2.5" })).toBe(false);
-  });
-
-  it("keeps non-minimax opencode modern models", () => {
     expect(isModernModelRef({ provider: "opencode", id: "claude-opus-4-6" })).toBe(true);
     expect(isModernModelRef({ provider: "opencode", id: "gemini-3-pro" })).toBe(true);
-  });
-
-  it("accepts all opencode-go models without zen exclusions", () => {
     expect(isModernModelRef({ provider: "opencode-go", id: "kimi-k2.5" })).toBe(true);
     expect(isModernModelRef({ provider: "opencode-go", id: "glm-5" })).toBe(true);
     expect(isModernModelRef({ provider: "opencode-go", id: "minimax-m2.5" })).toBe(true);
   });
-});
 
-describe("resolveForwardCompatModel", () => {
-  it("resolves openai gpt-5.4 via gpt-5.2 template", () => {
-    const registry = createRegistry({
-      "openai/gpt-5.2": createOpenAITemplateModel("gpt-5.2"),
-    });
-    const model = resolveForwardCompatModel("openai", "gpt-5.4", registry);
-    expectResolvedForwardCompat(model, { provider: "openai", id: "gpt-5.4" });
-    expect(model?.api).toBe("openai-responses");
-    expect(model?.baseUrl).toBe("https://api.openai.com/v1");
-    expect(model?.contextWindow).toBe(1_050_000);
-    expect(model?.maxTokens).toBe(128_000);
-  });
+  it("excludes provider-declined modern models", () => {
+    providerRuntimeMocks.resolveProviderModernModelRef.mockImplementation(({ provider, context }) =>
+      provider === "opencode" && context.modelId === "minimax-m2.5" ? false : undefined,
+    );
 
-  it("resolves openai gpt-5.4 without templates using normalized fallback defaults", () => {
-    const registry = createRegistry({});
-
-    const model = resolveForwardCompatModel("openai", "gpt-5.4", registry);
-
-    expectResolvedForwardCompat(model, { provider: "openai", id: "gpt-5.4" });
-    expect(model?.api).toBe("openai-responses");
-    expect(model?.baseUrl).toBe("https://api.openai.com/v1");
-    expect(model?.input).toEqual(["text", "image"]);
-    expect(model?.reasoning).toBe(true);
-    expect(model?.contextWindow).toBe(1_050_000);
-    expect(model?.maxTokens).toBe(128_000);
-    expect(model?.cost).toEqual({ input: 0, output: 0, cacheRead: 0, cacheWrite: 0 });
-  });
-
-  it("resolves openai gpt-5.4-pro via template fallback", () => {
-    const registry = createRegistry({
-      "openai/gpt-5.2": createOpenAITemplateModel("gpt-5.2"),
-    });
-    const model = resolveForwardCompatModel("openai", "gpt-5.4-pro", registry);
-    expectResolvedForwardCompat(model, { provider: "openai", id: "gpt-5.4-pro" });
-    expect(model?.api).toBe("openai-responses");
-    expect(model?.baseUrl).toBe("https://api.openai.com/v1");
-    expect(model?.contextWindow).toBe(1_050_000);
-    expect(model?.maxTokens).toBe(128_000);
-  });
-
-  it("resolves anthropic opus 4.6 via 4.5 template", () => {
-    const registry = createRegistry({
-      "anthropic/claude-opus-4-5": createTemplateModel("anthropic", "claude-opus-4-5"),
-    });
-    const model = resolveForwardCompatModel("anthropic", "claude-opus-4-6", registry);
-    expectResolvedForwardCompat(model, { provider: "anthropic", id: "claude-opus-4-6" });
-  });
-
-  it("resolves anthropic sonnet 4.6 dot variant with suffix", () => {
-    const registry = createRegistry({
-      "anthropic/claude-sonnet-4.5-20260219": createTemplateModel(
-        "anthropic",
-        "claude-sonnet-4.5-20260219",
-      ),
-    });
-    const model = resolveForwardCompatModel("anthropic", "claude-sonnet-4.6-20260219", registry);
-    expectResolvedForwardCompat(model, { provider: "anthropic", id: "claude-sonnet-4.6-20260219" });
-  });
-
-  it("does not resolve anthropic 4.6 fallback for other providers", () => {
-    const registry = createRegistry({
-      "anthropic/claude-opus-4-5": createTemplateModel("anthropic", "claude-opus-4-5"),
-    });
-    const model = resolveForwardCompatModel("openai", "claude-opus-4-6", registry);
-    expect(model).toBeUndefined();
+    expect(isModernModelRef({ provider: "opencode", id: "minimax-m2.5" })).toBe(false);
   });
 });
diff --git a/src/agents/model-forward-compat.ts b/src/agents/model-forward-compat.ts
deleted file mode 100644
index 709afc2ee4d..00000000000
--- a/src/agents/model-forward-compat.ts
+++ /dev/null
@@ -1,273 +0,0 @@
-import type { Api, Model } from "@mariozechner/pi-ai";
-import type { ModelRegistry } from "@mariozechner/pi-coding-agent";
-import { DEFAULT_CONTEXT_TOKENS } from "./defaults.js";
-import { normalizeModelCompat } from "./model-compat.js";
-import { normalizeProviderId } from "./model-selection.js";
-
-const OPENAI_GPT_54_MODEL_ID = "gpt-5.4";
-const OPENAI_GPT_54_PRO_MODEL_ID = "gpt-5.4-pro";
-const OPENAI_GPT_54_CONTEXT_TOKENS = 1_050_000;
-const OPENAI_GPT_54_MAX_TOKENS = 128_000;
-const OPENAI_GPT_54_TEMPLATE_MODEL_IDS = ["gpt-5.2"] as const;
-const OPENAI_GPT_54_PRO_TEMPLATE_MODEL_IDS = ["gpt-5.2-pro", "gpt-5.2"] as const;
-
-const ANTHROPIC_OPUS_46_MODEL_ID = "claude-opus-4-6";
-const ANTHROPIC_OPUS_46_DOT_MODEL_ID = "claude-opus-4.6";
-const ANTHROPIC_OPUS_TEMPLATE_MODEL_IDS = ["claude-opus-4-5", "claude-opus-4.5"] as const;
-const ANTHROPIC_SONNET_46_MODEL_ID = "claude-sonnet-4-6";
-const ANTHROPIC_SONNET_46_DOT_MODEL_ID = "claude-sonnet-4.6";
-const ANTHROPIC_SONNET_TEMPLATE_MODEL_IDS = ["claude-sonnet-4-5", "claude-sonnet-4.5"] as const;
-
-const ZAI_GLM5_MODEL_ID = "glm-5";
-const ZAI_GLM5_TEMPLATE_MODEL_IDS = ["glm-4.7"] as const;
-
-// gemini-3.1-pro-preview / gemini-3.1-flash-preview are not yet in pi-ai's built-in
-// google-gemini-cli catalog. Clone the gemini-3-pro/flash-preview template so users
-// don't get "Unknown model" errors when Google releases a new minor version.
-const GEMINI_3_1_PRO_PREFIX = "gemini-3.1-pro";
-const GEMINI_3_1_FLASH_PREFIX = "gemini-3.1-flash";
-const GEMINI_3_1_PRO_TEMPLATE_IDS = ["gemini-3-pro-preview"] as const;
-const GEMINI_3_1_FLASH_TEMPLATE_IDS = ["gemini-3-flash-preview"] as const;
-
-function resolveOpenAIGpt54ForwardCompatModel(
-  provider: string,
-  modelId: string,
-  modelRegistry: ModelRegistry,
-): Model<Api> | undefined {
-  const normalizedProvider = normalizeProviderId(provider);
-  if (normalizedProvider !== "openai") {
-    return undefined;
-  }
-
-  const trimmedModelId = modelId.trim();
-  const lower = trimmedModelId.toLowerCase();
-  let templateIds: readonly string[];
-  if (lower === OPENAI_GPT_54_MODEL_ID) {
-    templateIds = OPENAI_GPT_54_TEMPLATE_MODEL_IDS;
-  } else if (lower === OPENAI_GPT_54_PRO_MODEL_ID) {
-    templateIds = OPENAI_GPT_54_PRO_TEMPLATE_MODEL_IDS;
-  } else {
-    return undefined;
-  }
-
-  return (
-    cloneFirstTemplateModel({
-      normalizedProvider,
-      trimmedModelId,
-      templateIds: [...templateIds],
-      modelRegistry,
-      patch: {
-        api: "openai-responses",
-        provider: normalizedProvider,
-        baseUrl: "https://api.openai.com/v1",
-        reasoning: true,
-        input: ["text", "image"],
-        contextWindow: OPENAI_GPT_54_CONTEXT_TOKENS,
-        maxTokens: OPENAI_GPT_54_MAX_TOKENS,
-      },
-    }) ??
-    normalizeModelCompat({
-      id: trimmedModelId,
-      name: trimmedModelId,
-      api: "openai-responses",
-      provider: normalizedProvider,
-      baseUrl: "https://api.openai.com/v1",
-      reasoning: true,
-      input: ["text", "image"],
-      cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-      contextWindow: OPENAI_GPT_54_CONTEXT_TOKENS,
-      maxTokens: OPENAI_GPT_54_MAX_TOKENS,
-    } as Model<Api>)
-  );
-}
-
-function cloneFirstTemplateModel(params: {
-  normalizedProvider: string;
-  trimmedModelId: string;
-  templateIds: string[];
-  modelRegistry: ModelRegistry;
-  patch?: Partial<Model<Api>>;
-}): Model<Api> | undefined {
-  const { normalizedProvider, trimmedModelId, templateIds, modelRegistry } = params;
-  for (const templateId of [...new Set(templateIds)].filter(Boolean)) {
-    const template = modelRegistry.find(normalizedProvider, templateId) as Model<Api> | null;
-    if (!template) {
-      continue;
-    }
-    return normalizeModelCompat({
-      ...template,
-      id: trimmedModelId,
-      name: trimmedModelId,
-      ...params.patch,
-    } as Model<Api>);
-  }
-  return undefined;
-}
-
-function resolveAnthropic46ForwardCompatModel(params: {
-  provider: string;
-  modelId: string;
-  modelRegistry: ModelRegistry;
-  dashModelId: string;
-  dotModelId: string;
-  dashTemplateId: string;
-  dotTemplateId: string;
-  fallbackTemplateIds: readonly string[];
-}): Model<Api> | undefined {
-  const { provider, modelId, modelRegistry, dashModelId, dotModelId } = params;
-  const normalizedProvider = normalizeProviderId(provider);
-  if (normalizedProvider !== "anthropic") {
-    return undefined;
-  }
-
-  const trimmedModelId = modelId.trim();
-  const lower = trimmedModelId.toLowerCase();
-  const is46Model =
-    lower === dashModelId ||
-    lower === dotModelId ||
-    lower.startsWith(`${dashModelId}-`) ||
-    lower.startsWith(`${dotModelId}-`);
-  if (!is46Model) {
-    return undefined;
-  }
-
-  const templateIds: string[] = [];
-  if (lower.startsWith(dashModelId)) {
-    templateIds.push(lower.replace(dashModelId, params.dashTemplateId));
-  }
-  if (lower.startsWith(dotModelId)) {
-    templateIds.push(lower.replace(dotModelId, params.dotTemplateId));
-  }
-  templateIds.push(...params.fallbackTemplateIds);
-
-  return cloneFirstTemplateModel({
-    normalizedProvider,
-    trimmedModelId,
-    templateIds,
-    modelRegistry,
-  });
-}
-
-function resolveAnthropicOpus46ForwardCompatModel(
-  provider: string,
-  modelId: string,
-  modelRegistry: ModelRegistry,
-): Model<Api> | undefined {
-  return resolveAnthropic46ForwardCompatModel({
-    provider,
-    modelId,
-    modelRegistry,
-    dashModelId: ANTHROPIC_OPUS_46_MODEL_ID,
-    dotModelId: ANTHROPIC_OPUS_46_DOT_MODEL_ID,
-    dashTemplateId: "claude-opus-4-5",
-    dotTemplateId: "claude-opus-4.5",
-    fallbackTemplateIds: ANTHROPIC_OPUS_TEMPLATE_MODEL_IDS,
-  });
-}
-
-function resolveAnthropicSonnet46ForwardCompatModel(
-  provider: string,
-  modelId: string,
-  modelRegistry: ModelRegistry,
-): Model<Api> | undefined {
-  return resolveAnthropic46ForwardCompatModel({
-    provider,
-    modelId,
-    modelRegistry,
-    dashModelId: ANTHROPIC_SONNET_46_MODEL_ID,
-    dotModelId: ANTHROPIC_SONNET_46_DOT_MODEL_ID,
-    dashTemplateId: "claude-sonnet-4-5",
-    dotTemplateId: "claude-sonnet-4.5",
-    fallbackTemplateIds: ANTHROPIC_SONNET_TEMPLATE_MODEL_IDS,
-  });
-}
-
-// gemini-3.1-pro-preview / gemini-3.1-flash-preview are not present in some pi-ai
-// Google catalogs yet. Clone the nearest gemini-3 template so users don't get
-// "Unknown model" errors when Google ships new minor-version models before pi-ai
-// updates its built-in registry.
-function resolveGoogle31ForwardCompatModel(
-  provider: string,
-  modelId: string,
-  modelRegistry: ModelRegistry,
-): Model<Api> | undefined {
-  const normalizedProvider = normalizeProviderId(provider);
-  if (normalizedProvider !== "google" && normalizedProvider !== "google-gemini-cli") {
-    return undefined;
-  }
-  const trimmed = modelId.trim();
-  const lower = trimmed.toLowerCase();
-
-  let templateIds: readonly string[];
-  if (lower.startsWith(GEMINI_3_1_PRO_PREFIX)) {
-    templateIds = GEMINI_3_1_PRO_TEMPLATE_IDS;
-  } else if (lower.startsWith(GEMINI_3_1_FLASH_PREFIX)) {
-    templateIds = GEMINI_3_1_FLASH_TEMPLATE_IDS;
-  } else {
-    return undefined;
-  }
-
-  return cloneFirstTemplateModel({
-    normalizedProvider,
-    trimmedModelId: trimmed,
-    templateIds: [...templateIds],
-    modelRegistry,
-    patch: { reasoning: true },
-  });
-}
-
-// Z.ai's GLM-5 may not be present in pi-ai's built-in model catalog yet.
-// When a user configures zai/glm-5 without a models.json entry, clone glm-4.7 as a forward-compat fallback.
-function resolveZaiGlm5ForwardCompatModel(
-  provider: string,
-  modelId: string,
-  modelRegistry: ModelRegistry,
-): Model<Api> | undefined {
-  if (normalizeProviderId(provider) !== "zai") {
-    return undefined;
-  }
-  const trimmed = modelId.trim();
-  const lower = trimmed.toLowerCase();
-  if (lower !== ZAI_GLM5_MODEL_ID && !lower.startsWith(`${ZAI_GLM5_MODEL_ID}-`)) {
-    return undefined;
-  }
-
-  for (const templateId of ZAI_GLM5_TEMPLATE_MODEL_IDS) {
-    const template = modelRegistry.find("zai", templateId) as Model<Api> | null;
-    if (!template) {
-      continue;
-    }
-    return normalizeModelCompat({
-      ...template,
-      id: trimmed,
-      name: trimmed,
-      reasoning: true,
-    } as Model<Api>);
-  }
-
-  return normalizeModelCompat({
-    id: trimmed,
-    name: trimmed,
-    api: "openai-completions",
-    provider: "zai",
-    reasoning: true,
-    input: ["text"],
-    cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-    contextWindow: DEFAULT_CONTEXT_TOKENS,
-    maxTokens: DEFAULT_CONTEXT_TOKENS,
-  } as Model<Api>);
-}
-
-export function resolveForwardCompatModel(
-  provider: string,
-  modelId: string,
-  modelRegistry: ModelRegistry,
-): Model<Api> | undefined {
-  return (
-    resolveOpenAIGpt54ForwardCompatModel(provider, modelId, modelRegistry) ??
-    resolveAnthropicOpus46ForwardCompatModel(provider, modelId, modelRegistry) ??
-    resolveAnthropicSonnet46ForwardCompatModel(provider, modelId, modelRegistry) ??
-    resolveZaiGlm5ForwardCompatModel(provider, modelId, modelRegistry) ??
-    resolveGoogle31ForwardCompatModel(provider, modelId, modelRegistry)
-  );
-}
diff --git a/src/agents/model-suppression.runtime.ts b/src/agents/model-suppression.runtime.ts
new file mode 100644
index 00000000000..472a662b810
--- /dev/null
+++ b/src/agents/model-suppression.runtime.ts
@@ -0,0 +1 @@
+export { shouldSuppressBuiltInModel } from "./model-suppression.js";
diff --git a/src/agents/model-suppression.ts b/src/agents/model-suppression.ts
index 378096ea732..ac1dcccdb74 100644
--- a/src/agents/model-suppression.ts
+++ b/src/agents/model-suppression.ts
@@ -1,27 +1,32 @@
+import { resolveProviderBuiltInModelSuppression } from "../plugins/provider-runtime.js";
 import { normalizeProviderId } from "./model-selection.js";
 
-const OPENAI_DIRECT_SPARK_MODEL_ID = "gpt-5.3-codex-spark";
-const SUPPRESSED_SPARK_PROVIDERS = new Set(["openai", "azure-openai-responses"]);
+function resolveBuiltInModelSuppression(params: { provider?: string | null; id?: string | null }) {
+  const provider = normalizeProviderId(params.provider?.trim().toLowerCase() ?? "");
+  const modelId = params.id?.trim().toLowerCase() ?? "";
+  if (!provider || !modelId) {
+    return undefined;
+  }
+  return resolveProviderBuiltInModelSuppression({
+    env: process.env,
+    context: {
+      env: process.env,
+      provider,
+      modelId,
+    },
+  });
+}
 
 export function shouldSuppressBuiltInModel(params: {
   provider?: string | null;
   id?: string | null;
 }) {
-  const provider = normalizeProviderId(params.provider?.trim().toLowerCase() ?? "");
-  const id = params.id?.trim().toLowerCase() ?? "";
-
-  // pi-ai still ships non-Codex Spark rows, but OpenClaw treats Spark as
-  // Codex-only until upstream availability is proven on direct API paths.
-  return SUPPRESSED_SPARK_PROVIDERS.has(provider) && id === OPENAI_DIRECT_SPARK_MODEL_ID;
+  return resolveBuiltInModelSuppression(params)?.suppress ?? false;
 }
 
 export function buildSuppressedBuiltInModelError(params: {
   provider?: string | null;
   id?: string | null;
 }): string | undefined {
-  if (!shouldSuppressBuiltInModel(params)) {
-    return undefined;
-  }
-  const provider = normalizeProviderId(params.provider?.trim().toLowerCase() ?? "") || "openai";
-  return `Unknown model: ${provider}/${OPENAI_DIRECT_SPARK_MODEL_ID}. ${OPENAI_DIRECT_SPARK_MODEL_ID} is only supported via openai-codex OAuth. Use openai-codex/${OPENAI_DIRECT_SPARK_MODEL_ID}.`;
+  return resolveBuiltInModelSuppression(params)?.errorMessage;
 }
diff --git a/src/agents/models-config.falls-back-default-baseurl-token-exchange-fails.test.ts b/src/agents/models-config.falls-back-default-baseurl-token-exchange-fails.test.ts
index ed4b0a7100c..efcba001638 100644
--- a/src/agents/models-config.falls-back-default-baseurl-token-exchange-fails.test.ts
+++ b/src/agents/models-config.falls-back-default-baseurl-token-exchange-fails.test.ts
@@ -1,7 +1,7 @@
 import fs from "node:fs/promises";
 import path from "node:path";
 import { describe, expect, it, vi } from "vitest";
-import { DEFAULT_COPILOT_API_BASE_URL } from "../providers/github-copilot-token.js";
+import { DEFAULT_COPILOT_API_BASE_URL } from "../../extensions/github-copilot/token.js";
 import { withEnvAsync } from "../test-utils/env.js";
 import {
   installModelsConfigTestHooks,
diff --git a/src/agents/pi-embedded-runner.buildembeddedsandboxinfo.test.ts b/src/agents/pi-embedded-runner.buildembeddedsandboxinfo.test.ts
index 8b225ff89cb..52289130690 100644
--- a/src/agents/pi-embedded-runner.buildembeddedsandboxinfo.test.ts
+++ b/src/agents/pi-embedded-runner.buildembeddedsandboxinfo.test.ts
@@ -5,10 +5,13 @@ import type { SandboxContext } from "./sandbox.js";
 function createSandboxContext(overrides?: Partial<SandboxContext>): SandboxContext {
   const base = {
     enabled: true,
+    backendId: "docker",
     sessionKey: "session:test",
     workspaceDir: "/tmp/openclaw-sandbox",
     agentWorkspaceDir: "/tmp/openclaw-workspace",
     workspaceAccess: "none",
+    runtimeId: "openclaw-sbx-test",
+    runtimeLabel: "openclaw-sbx-test",
     containerName: "openclaw-sbx-test",
     containerWorkdir: "/workspace",
     docker: {
diff --git a/src/agents/pi-embedded-runner.run-embedded-pi-agent.auth-profile-rotation.e2e.test.ts b/src/agents/pi-embedded-runner.run-embedded-pi-agent.auth-profile-rotation.e2e.test.ts
index f9f9934f453..cbea9e5f21b 100644
--- a/src/agents/pi-embedded-runner.run-embedded-pi-agent.auth-profile-rotation.e2e.test.ts
+++ b/src/agents/pi-embedded-runner.run-embedded-pi-agent.auth-profile-rotation.e2e.test.ts
@@ -33,7 +33,7 @@ vi.mock("../infra/backoff.js", () => ({
   sleepWithAbort: (ms: number, abortSignal?: AbortSignal) => sleepWithAbortMock(ms, abortSignal),
 }));
 
-vi.mock("../providers/github-copilot-token.js", () => ({
+vi.mock("../../extensions/github-copilot/token.js", () => ({
   DEFAULT_COPILOT_API_BASE_URL: "https://api.individual.githubcopilot.com",
   resolveCopilotApiToken: (...args: unknown[]) => resolveCopilotApiTokenMock(...args),
 }));
diff --git a/src/agents/pi-embedded-runner/cache-ttl.test.ts b/src/agents/pi-embedded-runner/cache-ttl.test.ts
index d968b6b79eb..f5ff8be2827 100644
--- a/src/agents/pi-embedded-runner/cache-ttl.test.ts
+++ b/src/agents/pi-embedded-runner/cache-ttl.test.ts
@@ -3,12 +3,20 @@ import { describe, expect, it, vi } from "vitest";
 vi.mock("../../plugins/provider-runtime.js", () => ({
   resolveProviderCacheTtlEligibility: (params: {
     context: { provider: string; modelId: string };
-  }) =>
-    params.context.provider === "openrouter"
-      ? ["anthropic/", "moonshot/", "moonshotai/", "zai/"].some((prefix) =>
-          params.context.modelId.startsWith(prefix),
-        )
-      : undefined,
+  }) => {
+    if (params.context.provider === "anthropic") {
+      return true;
+    }
+    if (params.context.provider === "moonshot" || params.context.provider === "zai") {
+      return true;
+    }
+    if (params.context.provider === "openrouter") {
+      return ["anthropic/", "moonshot/", "moonshotai/", "zai/"].some((prefix) =>
+        params.context.modelId.startsWith(prefix),
+      );
+    }
+    return undefined;
+  },
 }));
 
 import { isCacheTtlEligibleProvider } from "./cache-ttl.js";
diff --git a/src/agents/pi-embedded-runner/cache-ttl.ts b/src/agents/pi-embedded-runner/cache-ttl.ts
index e5e577d331a..dfea1c714b9 100644
--- a/src/agents/pi-embedded-runner/cache-ttl.ts
+++ b/src/agents/pi-embedded-runner/cache-ttl.ts
@@ -10,8 +10,6 @@ export type CacheTtlEntryData = {
   modelId?: string;
 };
 
-const CACHE_TTL_NATIVE_PROVIDERS = new Set(["moonshot", "zai"]);
-
 export function isCacheTtlEligibleProvider(provider: string, modelId: string): boolean {
   const normalizedProvider = provider.toLowerCase();
   const normalizedModelId = modelId.toLowerCase();
@@ -25,17 +23,6 @@ export function isCacheTtlEligibleProvider(provider: string, modelId: string): b
   if (pluginEligibility !== undefined) {
     return pluginEligibility;
   }
-  if (normalizedProvider === "kilocode" && normalizedModelId.startsWith("anthropic/")) {
-    return true;
-  }
-  // Legacy fallback for tests / plugin-disabled contexts. The Anthropic plugin
-  // owns this policy in normal runtime.
-  if (normalizedProvider === "anthropic") {
-    return true;
-  }
-  if (CACHE_TTL_NATIVE_PROVIDERS.has(normalizedProvider)) {
-    return true;
-  }
   return false;
 }
 
diff --git a/src/agents/pi-embedded-runner/compact.ts b/src/agents/pi-embedded-runner/compact.ts
index 908c323c676..67c5b8184b2 100644
--- a/src/agents/pi-embedded-runner/compact.ts
+++ b/src/agents/pi-embedded-runner/compact.ts
@@ -7,9 +7,6 @@ import {
   estimateTokens,
   SessionManager,
 } from "@mariozechner/pi-coding-agent";
-import { resolveSignalReactionLevel } from "../../../extensions/signal/src/reaction-level.js";
-import { resolveTelegramInlineButtonsScope } from "../../../extensions/telegram/src/inline-buttons.js";
-import { resolveTelegramReactionLevel } from "../../../extensions/telegram/src/reaction-level.js";
 import { resolveHeartbeatPrompt } from "../../auto-reply/heartbeat.js";
 import type { ReasoningLevel, ThinkLevel } from "../../auto-reply/thinking.js";
 import { resolveChannelCapabilities } from "../../config/channel-capabilities.js";
@@ -22,6 +19,11 @@ import { createInternalHookEvent, triggerInternalHook } from "../../hooks/intern
 import { getMachineDisplayName } from "../../infra/machine-name.js";
 import { generateSecureToken } from "../../infra/secure-random.js";
 import { getMemorySearchManager } from "../../memory/index.js";
+import { resolveSignalReactionLevel } from "../../plugin-sdk-internal/signal.js";
+import {
+  resolveTelegramInlineButtonsScope,
+  resolveTelegramReactionLevel,
+} from "../../plugin-sdk-internal/telegram.js";
 import { getGlobalHookRunner } from "../../plugins/hook-runner-global.js";
 import { prepareProviderRuntimeAuth } from "../../plugins/provider-runtime.js";
 import { type enqueueCommand, enqueueCommandInLane } from "../../process/command-queue.js";
diff --git a/src/agents/pi-embedded-runner/model.ts b/src/agents/pi-embedded-runner/model.ts
index 7263155c1ad..5bf97a683d0 100644
--- a/src/agents/pi-embedded-runner/model.ts
+++ b/src/agents/pi-embedded-runner/model.ts
@@ -13,7 +13,6 @@ import { DEFAULT_CONTEXT_TOKENS } from "../defaults.js";
 import { buildModelAliasLines } from "../model-alias-lines.js";
 import { isSecretRefHeaderValueMarker } from "../model-auth-markers.js";
 import { normalizeModelCompat } from "../model-compat.js";
-import { resolveForwardCompatModel } from "../model-forward-compat.js";
 import { findNormalizedProviderValue, normalizeProviderId } from "../model-selection.js";
 import {
   buildSuppressedBuiltInModelError,
@@ -34,8 +33,6 @@ type InlineProviderConfig = {
   headers?: unknown;
 };
 
-const PLUGIN_FIRST_DYNAMIC_PROVIDERS = new Set(["anthropic", "google-gemini-cli", "openai", "zai"]);
-
 function sanitizeModelHeaders(
   headers: unknown,
   opts?: { stripSecretRefMarkers?: boolean },
@@ -232,53 +229,6 @@ function resolveExplicitModelWithRegistry(params: {
     };
   }
 
-  if (PLUGIN_FIRST_DYNAMIC_PROVIDERS.has(normalizeProviderId(provider))) {
-    // Give migrated provider plugins first shot at ids that still keep a core
-    // forward-compat fallback for disabled-plugin/test compatibility.
-    const pluginDynamicModel = runProviderDynamicModel({
-      provider,
-      config: cfg,
-      context: {
-        config: cfg,
-        agentDir,
-        provider,
-        modelId,
-        modelRegistry,
-        providerConfig,
-      },
-    });
-    if (pluginDynamicModel) {
-      return {
-        kind: "resolved",
-        model: normalizeResolvedModel({
-          provider,
-          cfg,
-          agentDir,
-          model: pluginDynamicModel,
-        }),
-      };
-    }
-  }
-
-  // Forward-compat fallbacks must be checked BEFORE the generic providerCfg fallback.
-  // Otherwise, configured providers can default to a generic API and break specific transports.
-  const forwardCompat = resolveForwardCompatModel(provider, modelId, modelRegistry);
-  if (forwardCompat) {
-    return {
-      kind: "resolved",
-      model: normalizeResolvedModel({
-        provider,
-        cfg,
-        agentDir,
-        model: applyConfiguredProviderOverrides({
-          discoveredModel: forwardCompat,
-          providerConfig,
-          modelId,
-        }),
-      }),
-    };
-  }
-
   return undefined;
 }
 
diff --git a/src/agents/pi-embedded-runner/run/attempt.ts b/src/agents/pi-embedded-runner/run/attempt.ts
index b02e8a59fb8..bb2cad960bd 100644
--- a/src/agents/pi-embedded-runner/run/attempt.ts
+++ b/src/agents/pi-embedded-runner/run/attempt.ts
@@ -7,9 +7,6 @@ import {
   DefaultResourceLoader,
   SessionManager,
 } from "@mariozechner/pi-coding-agent";
-import { resolveSignalReactionLevel } from "../../../../extensions/signal/src/reaction-level.js";
-import { resolveTelegramInlineButtonsScope } from "../../../../extensions/telegram/src/inline-buttons.js";
-import { resolveTelegramReactionLevel } from "../../../../extensions/telegram/src/reaction-level.js";
 import { resolveHeartbeatPrompt } from "../../../auto-reply/heartbeat.js";
 import { resolveChannelCapabilities } from "../../../config/channel-capabilities.js";
 import type { OpenClawConfig } from "../../../config/config.js";
@@ -19,6 +16,11 @@ import {
   ensureGlobalUndiciStreamTimeouts,
 } from "../../../infra/net/undici-global-dispatcher.js";
 import { MAX_IMAGE_BYTES } from "../../../media/constants.js";
+import { resolveSignalReactionLevel } from "../../../plugin-sdk-internal/signal.js";
+import {
+  resolveTelegramInlineButtonsScope,
+  resolveTelegramReactionLevel,
+} from "../../../plugin-sdk-internal/telegram.js";
 import { getGlobalHookRunner } from "../../../plugins/hook-runner-global.js";
 import type {
   PluginHookAgentContext,
diff --git a/src/agents/pi-embedded-runner/run/images.ts b/src/agents/pi-embedded-runner/run/images.ts
index a1899bb99af..193fad8b94e 100644
--- a/src/agents/pi-embedded-runner/run/images.ts
+++ b/src/agents/pi-embedded-runner/run/images.ts
@@ -1,7 +1,7 @@
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import type { ImageContent } from "@mariozechner/pi-ai";
-import { loadWebMedia } from "../../../../extensions/whatsapp/src/media.js";
+import { loadWebMedia } from "../../../plugin-sdk/web-media.js";
 import { resolveUserPath } from "../../../utils.js";
 import type { ImageSanitizationLimits } from "../../image-sanitization.js";
 import {
diff --git a/src/agents/pi-tools-agent-config.test.ts b/src/agents/pi-tools-agent-config.test.ts
index e24186e0b30..353b0333759 100644
--- a/src/agents/pi-tools-agent-config.test.ts
+++ b/src/agents/pi-tools-agent-config.test.ts
@@ -574,10 +574,13 @@ describe("Agent-specific tool filtering", () => {
       agentDir: "/tmp/agent-restricted",
       sandbox: {
         enabled: true,
+        backendId: "docker",
         sessionKey: "agent:restricted:main",
         workspaceDir: "/tmp/sandbox",
         agentWorkspaceDir: "/tmp/test-restricted",
         workspaceAccess: "none",
+        runtimeId: "test-container",
+        runtimeLabel: "test-container",
         containerName: "test-container",
         containerWorkdir: "/workspace",
         docker: {
diff --git a/src/agents/pi-tools.policy.ts b/src/agents/pi-tools.policy.ts
index 0353c454865..4e7cea7c94e 100644
--- a/src/agents/pi-tools.policy.ts
+++ b/src/agents/pi-tools.policy.ts
@@ -1,4 +1,4 @@
-import { getChannelDock } from "../channels/dock.js";
+import { getChannelPlugin } from "../channels/plugins/index.js";
 import { DEFAULT_SUBAGENT_MAX_SPAWN_DEPTH } from "../config/agent-limits.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { resolveChannelGroupToolsPolicy } from "../config/group-policy.js";
@@ -7,7 +7,6 @@ import { normalizeAgentId } from "../routing/session-key.js";
 import { resolveThreadParentSessionKey } from "../sessions/session-key-utils.js";
 import { normalizeMessageChannel } from "../utils/message-channel.js";
 import { resolveAgentConfig, resolveAgentIdFromSessionKey } from "./agent-scope.js";
-import { compileGlobPatterns, matchesAnyGlobPattern } from "./glob-pattern.js";
 import type { AnyAgentTool } from "./pi-tools.types.js";
 import { pickSandboxToolPolicy } from "./sandbox-tool-policy.js";
 import type { SandboxToolPolicy } from "./sandbox.js";
@@ -15,34 +14,8 @@ import {
   resolveStoredSubagentCapabilities,
   type SubagentSessionRole,
 } from "./subagent-capabilities.js";
-import { expandToolGroups, normalizeToolName } from "./tool-policy.js";
-
-function makeToolPolicyMatcher(policy: SandboxToolPolicy) {
-  const deny = compileGlobPatterns({
-    raw: expandToolGroups(policy.deny ?? []),
-    normalize: normalizeToolName,
-  });
-  const allow = compileGlobPatterns({
-    raw: expandToolGroups(policy.allow ?? []),
-    normalize: normalizeToolName,
-  });
-  return (name: string) => {
-    const normalized = normalizeToolName(name);
-    if (matchesAnyGlobPattern(normalized, deny)) {
-      return false;
-    }
-    if (allow.length === 0) {
-      return true;
-    }
-    if (matchesAnyGlobPattern(normalized, allow)) {
-      return true;
-    }
-    if (normalized === "apply_patch" && matchesAnyGlobPattern("exec", allow)) {
-      return true;
-    }
-    return false;
-  };
-}
+import { isToolAllowedByPolicies, isToolAllowedByPolicyName } from "./tool-policy-match.js";
+import { normalizeToolName } from "./tool-policy.js";
 
 /**
  * Tools always denied for sub-agents regardless of depth.
@@ -140,19 +113,11 @@ export function resolveSubagentToolPolicyForSession(
   return { allow: mergedAllow, deny };
 }
 
-export function isToolAllowedByPolicyName(name: string, policy?: SandboxToolPolicy): boolean {
-  if (!policy) {
-    return true;
-  }
-  return makeToolPolicyMatcher(policy)(name);
-}
-
 export function filterToolsByPolicy(tools: AnyAgentTool[], policy?: SandboxToolPolicy) {
   if (!policy) {
     return tools;
   }
-  const matcher = makeToolPolicyMatcher(policy);
-  return tools.filter((tool) => matcher(tool.name));
+  return tools.filter((tool) => isToolAllowedByPolicyName(tool.name, policy));
 }
 
 type ToolPolicyConfig = {
@@ -350,14 +315,14 @@ export function resolveGroupToolPolicy(params: {
   if (!channel) {
     return undefined;
   }
-  let dock;
+  let plugin;
   try {
-    dock = getChannelDock(channel);
+    plugin = getChannelPlugin(channel);
   } catch {
-    dock = undefined;
+    plugin = undefined;
   }
   const toolsConfig =
-    dock?.groups?.resolveToolPolicy?.({
+    plugin?.groups?.resolveToolPolicy?.({
       cfg: params.config,
       groupId,
       groupChannel: params.groupChannel,
@@ -381,9 +346,4 @@ export function resolveGroupToolPolicy(params: {
   return pickSandboxToolPolicy(toolsConfig);
 }
 
-export function isToolAllowedByPolicies(
-  name: string,
-  policies: Array<SandboxToolPolicy | undefined>,
-) {
-  return policies.every((policy) => isToolAllowedByPolicyName(name, policy));
-}
+export { isToolAllowedByPolicies, isToolAllowedByPolicyName } from "./tool-policy-match.js";
diff --git a/src/agents/pi-tools.ts b/src/agents/pi-tools.ts
index 6536e9dfbb5..9c7aafbd56e 100644
--- a/src/agents/pi-tools.ts
+++ b/src/agents/pi-tools.ts
@@ -438,7 +438,9 @@ export function createOpenClawCodingTools(options?: {
           containerName: sandbox.containerName,
           workspaceDir: sandbox.workspaceDir,
           containerWorkdir: sandbox.containerWorkdir,
-          env: sandbox.docker.env,
+          env: sandbox.backend?.env ?? sandbox.docker.env,
+          buildExecSpec: sandbox.backend?.buildExecSpec.bind(sandbox.backend),
+          finalizeExec: sandbox.backend?.finalizeExec?.bind(sandbox.backend),
         }
       : undefined,
   });
diff --git a/src/agents/sandbox-media-paths.test.ts b/src/agents/sandbox-media-paths.test.ts
index 4179c2a68ef..0007e943fdd 100644
--- a/src/agents/sandbox-media-paths.test.ts
+++ b/src/agents/sandbox-media-paths.test.ts
@@ -1,5 +1,8 @@
 import { describe, expect, it, vi } from "vitest";
-import { createSandboxBridgeReadFile } from "./sandbox-media-paths.js";
+import {
+  createSandboxBridgeReadFile,
+  resolveSandboxedBridgeMediaPath,
+} from "./sandbox-media-paths.js";
 import type { SandboxFsBridge } from "./sandbox/fs-bridge.js";
 
 describe("createSandboxBridgeReadFile", () => {
@@ -19,4 +22,24 @@ describe("createSandboxBridgeReadFile", () => {
       cwd: "/tmp/sandbox-root",
     });
   });
+
+  it("falls back to container paths when the bridge has no host path", async () => {
+    const stat = vi.fn(async () => ({ type: "file", size: 1, mtimeMs: 1 }));
+    const resolved = await resolveSandboxedBridgeMediaPath({
+      sandbox: {
+        root: "/tmp/sandbox-root",
+        bridge: {
+          resolvePath: ({ filePath }: { filePath: string }) => ({
+            relativePath: filePath,
+            containerPath: `/sandbox/${filePath}`,
+          }),
+          stat,
+        } as unknown as SandboxFsBridge,
+      },
+      mediaPath: "image.png",
+    });
+
+    expect(resolved).toEqual({ resolved: "/sandbox/image.png" });
+    expect(stat).not.toHaveBeenCalled();
+  });
 });
diff --git a/src/agents/sandbox-media-paths.ts b/src/agents/sandbox-media-paths.ts
index 3c6b2614c94..1c46f392482 100644
--- a/src/agents/sandbox-media-paths.ts
+++ b/src/agents/sandbox-media-paths.ts
@@ -44,8 +44,10 @@ export async function resolveSandboxedBridgeMediaPath(params: {
     });
   try {
     const resolved = resolveDirect();
-    await enforceWorkspaceBoundary(resolved.hostPath);
-    return { resolved: resolved.hostPath };
+    if (resolved.hostPath) {
+      await enforceWorkspaceBoundary(resolved.hostPath);
+    }
+    return { resolved: resolved.hostPath ?? resolved.containerPath };
   } catch (err) {
     const fallbackDir = params.inboundFallbackDir?.trim();
     if (!fallbackDir) {
@@ -67,7 +69,12 @@ export async function resolveSandboxedBridgeMediaPath(params: {
       filePath: fallbackPath,
       cwd: params.sandbox.root,
     });
-    await enforceWorkspaceBoundary(resolvedFallback.hostPath);
-    return { resolved: resolvedFallback.hostPath, rewrittenFrom: filePath };
+    if (resolvedFallback.hostPath) {
+      await enforceWorkspaceBoundary(resolvedFallback.hostPath);
+    }
+    return {
+      resolved: resolvedFallback.hostPath ?? resolvedFallback.containerPath,
+      rewrittenFrom: filePath,
+    };
   }
 }
diff --git a/src/agents/sandbox-merge.test.ts b/src/agents/sandbox-merge.test.ts
index 0635703b8bb..742701017d2 100644
--- a/src/agents/sandbox-merge.test.ts
+++ b/src/agents/sandbox-merge.test.ts
@@ -1,9 +1,11 @@
 import { describe, expect, it } from "vitest";
 import {
   resolveSandboxBrowserConfig,
+  resolveSandboxConfigForAgent,
   resolveSandboxDockerConfig,
   resolveSandboxPruneConfig,
   resolveSandboxScope,
+  resolveSandboxSshConfig,
 } from "./sandbox/config.js";
 
 describe("sandbox config merges", () => {
@@ -128,4 +130,43 @@ describe("sandbox config merges", () => {
     });
     expect(pruneShared).toEqual({ idleHours: 24, maxAgeDays: 7 });
   });
+
+  it("merges sandbox ssh settings and ignores agent overrides under shared scope", () => {
+    const ssh = resolveSandboxSshConfig({
+      scope: "agent",
+      globalSsh: {
+        target: "global@example.com:22",
+        command: "ssh",
+        identityFile: "~/.ssh/global",
+        strictHostKeyChecking: true,
+      },
+      agentSsh: {
+        target: "agent@example.com:2222",
+        certificateFile: "~/.ssh/agent-cert.pub",
+        strictHostKeyChecking: false,
+      },
+    });
+    expect(ssh).toMatchObject({
+      target: "agent@example.com:2222",
+      command: "ssh",
+      identityFile: "~/.ssh/global",
+      certificateFile: "~/.ssh/agent-cert.pub",
+      strictHostKeyChecking: false,
+    });
+
+    const sshShared = resolveSandboxSshConfig({
+      scope: "shared",
+      globalSsh: {
+        target: "global@example.com:22",
+      },
+      agentSsh: {
+        target: "agent@example.com:2222",
+      },
+    });
+    expect(sshShared.target).toBe("global@example.com:22");
+  });
+
+  it("defaults sandbox backend to docker", () => {
+    expect(resolveSandboxConfigForAgent().backend).toBe("docker");
+  });
 });
diff --git a/src/agents/sandbox.resolveSandboxContext.test.ts b/src/agents/sandbox.resolveSandboxContext.test.ts
index 2ecec621a70..0fa62a364e2 100644
--- a/src/agents/sandbox.resolveSandboxContext.test.ts
+++ b/src/agents/sandbox.resolveSandboxContext.test.ts
@@ -1,5 +1,6 @@
 import { describe, expect, it } from "vitest";
 import type { OpenClawConfig } from "../config/config.js";
+import { registerSandboxBackend } from "./sandbox/backend.js";
 import { ensureSandboxWorkspaceForSession, resolveSandboxContext } from "./sandbox/context.js";
 
 describe("resolveSandboxContext", () => {
@@ -84,4 +85,45 @@ describe("resolveSandboxContext", () => {
       }),
     ).toBeNull();
   }, 15_000);
+
+  it("resolves a registered non-docker backend", async () => {
+    const restore = registerSandboxBackend("test-backend", async () => ({
+      id: "test-backend",
+      runtimeId: "test-runtime",
+      runtimeLabel: "Test Runtime",
+      workdir: "/workspace",
+      buildExecSpec: async () => ({
+        argv: ["test-backend", "exec"],
+        env: process.env,
+        stdinMode: "pipe-closed",
+      }),
+      runShellCommand: async () => ({
+        stdout: Buffer.alloc(0),
+        stderr: Buffer.alloc(0),
+        code: 0,
+      }),
+    }));
+    try {
+      const cfg: OpenClawConfig = {
+        agents: {
+          defaults: {
+            sandbox: { mode: "all", backend: "test-backend", scope: "session" },
+          },
+        },
+      };
+
+      const result = await resolveSandboxContext({
+        config: cfg,
+        sessionKey: "agent:worker:task",
+        workspaceDir: "/tmp/openclaw-test",
+      });
+
+      expect(result?.backendId).toBe("test-backend");
+      expect(result?.runtimeId).toBe("test-runtime");
+      expect(result?.containerName).toBe("test-runtime");
+      expect(result?.backend?.id).toBe("test-backend");
+    } finally {
+      restore();
+    }
+  }, 15_000);
 });
diff --git a/src/agents/sandbox.ts b/src/agents/sandbox.ts
index 8ac65795d0f..d26dc75204d 100644
--- a/src/agents/sandbox.ts
+++ b/src/agents/sandbox.ts
@@ -11,6 +11,12 @@ export {
   DEFAULT_SANDBOX_IMAGE,
 } from "./sandbox/constants.js";
 export { ensureSandboxWorkspaceForSession, resolveSandboxContext } from "./sandbox/context.js";
+export {
+  getSandboxBackendFactory,
+  getSandboxBackendManager,
+  registerSandboxBackend,
+  requireSandboxBackendFactory,
+} from "./sandbox/backend.js";
 
 export { buildSandboxCreateArgs } from "./sandbox/docker.js";
 export {
@@ -27,6 +33,38 @@ export {
 } from "./sandbox/runtime-status.js";
 
 export { resolveSandboxToolPolicyForAgent } from "./sandbox/tool-policy.js";
+export type { SandboxFsBridge, SandboxFsStat, SandboxResolvedPath } from "./sandbox/fs-bridge.js";
+export {
+  buildExecRemoteCommand,
+  buildRemoteCommand,
+  buildSshSandboxArgv,
+  createSshSandboxSessionFromConfigText,
+  createSshSandboxSessionFromSettings,
+  disposeSshSandboxSession,
+  runSshSandboxCommand,
+  shellEscape,
+  uploadDirectoryToSshTarget,
+} from "./sandbox/ssh.js";
+export { createRemoteShellSandboxFsBridge } from "./sandbox/remote-fs-bridge.js";
+
+export type {
+  CreateSandboxBackendParams,
+  SandboxBackendCommandParams,
+  SandboxBackendCommandResult,
+  SandboxBackendExecSpec,
+  SandboxBackendFactory,
+  SandboxBackendHandle,
+  SandboxBackendId,
+  SandboxBackendManager,
+  SandboxBackendRegistration,
+  SandboxBackendRuntimeInfo,
+} from "./sandbox/backend.js";
+export type { RemoteShellSandboxHandle } from "./sandbox/remote-fs-bridge.js";
+export type {
+  RunSshSandboxCommandParams,
+  SshSandboxSession,
+  SshSandboxSettings,
+} from "./sandbox/ssh.js";
 
 export type {
   SandboxBrowserConfig,
@@ -36,6 +74,7 @@ export type {
   SandboxDockerConfig,
   SandboxPruneConfig,
   SandboxScope,
+  SandboxSshConfig,
   SandboxToolPolicy,
   SandboxToolPolicyResolved,
   SandboxToolPolicySource,
diff --git a/src/agents/sandbox/backend.test.ts b/src/agents/sandbox/backend.test.ts
new file mode 100644
index 00000000000..6878e768945
--- /dev/null
+++ b/src/agents/sandbox/backend.test.ts
@@ -0,0 +1,39 @@
+import { describe, expect, it } from "vitest";
+import {
+  getSandboxBackendFactory,
+  getSandboxBackendManager,
+  registerSandboxBackend,
+} from "./backend.js";
+
+describe("sandbox backend registry", () => {
+  it("registers and restores backend factories", () => {
+    const factory = async () => {
+      throw new Error("not used");
+    };
+    const restore = registerSandboxBackend("test-backend", factory);
+    expect(getSandboxBackendFactory("test-backend")).toBe(factory);
+    restore();
+    expect(getSandboxBackendFactory("test-backend")).toBeNull();
+  });
+
+  it("registers backend managers alongside factories", () => {
+    const factory = async () => {
+      throw new Error("not used");
+    };
+    const manager = {
+      describeRuntime: async () => ({
+        running: true,
+        configLabelMatch: true,
+      }),
+      removeRuntime: async () => {},
+    };
+    const restore = registerSandboxBackend("test-managed", {
+      factory,
+      manager,
+    });
+    expect(getSandboxBackendFactory("test-managed")).toBe(factory);
+    expect(getSandboxBackendManager("test-managed")).toBe(manager);
+    restore();
+    expect(getSandboxBackendManager("test-managed")).toBeNull();
+  });
+});
diff --git a/src/agents/sandbox/backend.ts b/src/agents/sandbox/backend.ts
new file mode 100644
index 00000000000..013cb565176
--- /dev/null
+++ b/src/agents/sandbox/backend.ts
@@ -0,0 +1,158 @@
+import type { OpenClawConfig } from "../../config/config.js";
+import type { SandboxFsBridge } from "./fs-bridge.js";
+import type { SandboxRegistryEntry } from "./registry.js";
+import type { SandboxConfig, SandboxContext } from "./types.js";
+
+export type SandboxBackendId = string;
+
+export type SandboxBackendExecSpec = {
+  argv: string[];
+  env: NodeJS.ProcessEnv;
+  stdinMode: "pipe-open" | "pipe-closed";
+  finalizeToken?: unknown;
+};
+
+export type SandboxBackendCommandParams = {
+  script: string;
+  args?: string[];
+  stdin?: Buffer | string;
+  allowFailure?: boolean;
+  signal?: AbortSignal;
+};
+
+export type SandboxBackendCommandResult = {
+  stdout: Buffer;
+  stderr: Buffer;
+  code: number;
+};
+
+export type SandboxBackendHandle = {
+  id: SandboxBackendId;
+  runtimeId: string;
+  runtimeLabel: string;
+  workdir: string;
+  env?: Record<string, string>;
+  configLabel?: string;
+  configLabelKind?: string;
+  capabilities?: {
+    browser?: boolean;
+  };
+  buildExecSpec(params: {
+    command: string;
+    workdir?: string;
+    env: Record<string, string>;
+    usePty: boolean;
+  }): Promise<SandboxBackendExecSpec>;
+  finalizeExec?: (params: {
+    status: "completed" | "failed";
+    exitCode: number | null;
+    timedOut: boolean;
+    token?: unknown;
+  }) => Promise<void>;
+  runShellCommand(params: SandboxBackendCommandParams): Promise<SandboxBackendCommandResult>;
+  createFsBridge?: (params: { sandbox: SandboxContext }) => SandboxFsBridge;
+};
+
+export type SandboxBackendRuntimeInfo = {
+  running: boolean;
+  actualConfigLabel?: string;
+  configLabelMatch: boolean;
+};
+
+export type SandboxBackendManager = {
+  describeRuntime(params: {
+    entry: SandboxRegistryEntry;
+    config: OpenClawConfig;
+    agentId?: string;
+  }): Promise<SandboxBackendRuntimeInfo>;
+  removeRuntime(params: {
+    entry: SandboxRegistryEntry;
+    config: OpenClawConfig;
+    agentId?: string;
+  }): Promise<void>;
+};
+
+export type CreateSandboxBackendParams = {
+  sessionKey: string;
+  scopeKey: string;
+  workspaceDir: string;
+  agentWorkspaceDir: string;
+  cfg: SandboxConfig;
+};
+
+export type SandboxBackendFactory = (
+  params: CreateSandboxBackendParams,
+) => Promise<SandboxBackendHandle>;
+
+export type SandboxBackendRegistration =
+  | SandboxBackendFactory
+  | {
+      factory: SandboxBackendFactory;
+      manager?: SandboxBackendManager;
+    };
+
+type RegisteredSandboxBackend = {
+  factory: SandboxBackendFactory;
+  manager?: SandboxBackendManager;
+};
+
+const SANDBOX_BACKEND_FACTORIES = new Map<SandboxBackendId, RegisteredSandboxBackend>();
+
+function normalizeSandboxBackendId(id: string): SandboxBackendId {
+  const normalized = id.trim().toLowerCase();
+  if (!normalized) {
+    throw new Error("Sandbox backend id must not be empty.");
+  }
+  return normalized;
+}
+
+export function registerSandboxBackend(
+  id: string,
+  registration: SandboxBackendRegistration,
+): () => void {
+  const normalizedId = normalizeSandboxBackendId(id);
+  const resolved = typeof registration === "function" ? { factory: registration } : registration;
+  const previous = SANDBOX_BACKEND_FACTORIES.get(normalizedId);
+  SANDBOX_BACKEND_FACTORIES.set(normalizedId, resolved);
+  return () => {
+    if (previous) {
+      SANDBOX_BACKEND_FACTORIES.set(normalizedId, previous);
+      return;
+    }
+    SANDBOX_BACKEND_FACTORIES.delete(normalizedId);
+  };
+}
+
+export function getSandboxBackendFactory(id: string): SandboxBackendFactory | null {
+  return SANDBOX_BACKEND_FACTORIES.get(normalizeSandboxBackendId(id))?.factory ?? null;
+}
+
+export function getSandboxBackendManager(id: string): SandboxBackendManager | null {
+  return SANDBOX_BACKEND_FACTORIES.get(normalizeSandboxBackendId(id))?.manager ?? null;
+}
+
+export function requireSandboxBackendFactory(id: string): SandboxBackendFactory {
+  const factory = getSandboxBackendFactory(id);
+  if (factory) {
+    return factory;
+  }
+  throw new Error(
+    [
+      `Sandbox backend "${id}" is not registered.`,
+      "Load the plugin that provides it, or set agents.defaults.sandbox.backend=docker.",
+    ].join("\n"),
+  );
+}
+
+import { createDockerSandboxBackend, dockerSandboxBackendManager } from "./docker-backend.js";
+import { createSshSandboxBackend, sshSandboxBackendManager } from "./ssh-backend.js";
+
+registerSandboxBackend("docker", {
+  factory: createDockerSandboxBackend,
+  manager: dockerSandboxBackendManager,
+});
+
+registerSandboxBackend("ssh", {
+  factory: createSshSandboxBackend,
+  manager: sshSandboxBackendManager,
+});
diff --git a/src/agents/sandbox/browser.create.test.ts b/src/agents/sandbox/browser.create.test.ts
index 077db23c53b..88b5feccccc 100644
--- a/src/agents/sandbox/browser.create.test.ts
+++ b/src/agents/sandbox/browser.create.test.ts
@@ -48,6 +48,7 @@ vi.mock("../../browser/bridge-server.js", () => ({
 function buildConfig(enableNoVnc: boolean): SandboxConfig {
   return {
     mode: "all",
+    backend: "docker",
     scope: "session",
     workspaceAccess: "none",
     workspaceRoot: "/tmp/openclaw-sandboxes",
@@ -61,6 +62,12 @@ function buildConfig(enableNoVnc: boolean): SandboxConfig {
       capDrop: ["ALL"],
       env: { LANG: "C.UTF-8" },
     },
+    ssh: {
+      command: "ssh",
+      workspaceRoot: "/tmp/openclaw-sandboxes",
+      strictHostKeyChecking: true,
+      updateHostKeys: true,
+    },
     browser: {
       enabled: true,
       image: "openclaw-sandbox-browser:bookworm-slim",
diff --git a/src/agents/sandbox/config.ts b/src/agents/sandbox/config.ts
index b7595ae8c4b..c5bd29e9d11 100644
--- a/src/agents/sandbox/config.ts
+++ b/src/agents/sandbox/config.ts
@@ -1,4 +1,6 @@
 import type { OpenClawConfig } from "../../config/config.js";
+import type { SandboxSshSettings } from "../../config/types.sandbox.js";
+import { normalizeSecretInputString } from "../../config/types.secrets.js";
 import { resolveAgentConfig } from "../agent-scope.js";
 import {
   DEFAULT_SANDBOX_BROWSER_AUTOSTART_TIMEOUT_MS,
@@ -22,6 +24,7 @@ import type {
   SandboxDockerConfig,
   SandboxPruneConfig,
   SandboxScope,
+  SandboxSshConfig,
 } from "./types.js";
 
 export const DANGEROUS_SANDBOX_DOCKER_BOOLEAN_KEYS = [
@@ -30,6 +33,9 @@ export const DANGEROUS_SANDBOX_DOCKER_BOOLEAN_KEYS = [
   "dangerouslyAllowContainerNamespaceJoin",
 ] as const;
 
+const DEFAULT_SANDBOX_SSH_COMMAND = "ssh";
+const DEFAULT_SANDBOX_SSH_WORKSPACE_ROOT = "/tmp/openclaw-sandboxes";
+
 type DangerousSandboxDockerBooleanKey = (typeof DANGEROUS_SANDBOX_DOCKER_BOOLEAN_KEYS)[number];
 type DangerousSandboxDockerBooleans = Pick<SandboxDockerConfig, DangerousSandboxDockerBooleanKey>;
 
@@ -167,6 +173,54 @@ export function resolveSandboxPruneConfig(params: {
   };
 }
 
+function normalizeOptionalString(value: string | undefined): string | undefined {
+  const trimmed = value?.trim();
+  return trimmed ? trimmed : undefined;
+}
+
+function normalizeRemoteRoot(value: string | undefined, fallback: string): string {
+  const normalized = normalizeOptionalString(value) ?? fallback;
+  const posix = normalized.replaceAll("\\", "/");
+  if (!posix.startsWith("/")) {
+    throw new Error(`Sandbox SSH workspaceRoot must be an absolute POSIX path: ${normalized}`);
+  }
+  return posix.replace(/\/+$/g, "") || "/";
+}
+
+export function resolveSandboxSshConfig(params: {
+  scope: SandboxScope;
+  globalSsh?: Partial<SandboxSshSettings>;
+  agentSsh?: Partial<SandboxSshSettings>;
+}): SandboxSshConfig {
+  const agentSsh = params.scope === "shared" ? undefined : params.agentSsh;
+  const globalSsh = params.globalSsh;
+  return {
+    target: normalizeOptionalString(agentSsh?.target ?? globalSsh?.target),
+    command:
+      normalizeOptionalString(agentSsh?.command ?? globalSsh?.command) ??
+      DEFAULT_SANDBOX_SSH_COMMAND,
+    workspaceRoot: normalizeRemoteRoot(
+      agentSsh?.workspaceRoot ?? globalSsh?.workspaceRoot,
+      DEFAULT_SANDBOX_SSH_WORKSPACE_ROOT,
+    ),
+    strictHostKeyChecking:
+      agentSsh?.strictHostKeyChecking ?? globalSsh?.strictHostKeyChecking ?? true,
+    updateHostKeys: agentSsh?.updateHostKeys ?? globalSsh?.updateHostKeys ?? true,
+    identityFile: normalizeOptionalString(agentSsh?.identityFile ?? globalSsh?.identityFile),
+    certificateFile: normalizeOptionalString(
+      agentSsh?.certificateFile ?? globalSsh?.certificateFile,
+    ),
+    knownHostsFile: normalizeOptionalString(agentSsh?.knownHostsFile ?? globalSsh?.knownHostsFile),
+    identityData: normalizeSecretInputString(agentSsh?.identityData ?? globalSsh?.identityData),
+    certificateData: normalizeSecretInputString(
+      agentSsh?.certificateData ?? globalSsh?.certificateData,
+    ),
+    knownHostsData: normalizeSecretInputString(
+      agentSsh?.knownHostsData ?? globalSsh?.knownHostsData,
+    ),
+  };
+}
+
 export function resolveSandboxConfigForAgent(
   cfg?: OpenClawConfig,
   agentId?: string,
@@ -189,6 +243,7 @@ export function resolveSandboxConfigForAgent(
 
   return {
     mode: agentSandbox?.mode ?? agent?.mode ?? "off",
+    backend: agentSandbox?.backend?.trim() || agent?.backend?.trim() || "docker",
     scope,
     workspaceAccess: agentSandbox?.workspaceAccess ?? agent?.workspaceAccess ?? "none",
     workspaceRoot:
@@ -198,6 +253,11 @@ export function resolveSandboxConfigForAgent(
       globalDocker: agent?.docker,
       agentDocker: agentSandbox?.docker,
     }),
+    ssh: resolveSandboxSshConfig({
+      scope,
+      globalSsh: agent?.ssh,
+      agentSsh: agentSandbox?.ssh,
+    }),
     browser: resolveSandboxBrowserConfig({
       scope,
       globalBrowser: agent?.browser,
diff --git a/src/agents/sandbox/context.ts b/src/agents/sandbox/context.ts
index 8468dd2c556..031b7c45998 100644
--- a/src/agents/sandbox/context.ts
+++ b/src/agents/sandbox/context.ts
@@ -7,11 +7,12 @@ import { defaultRuntime } from "../../runtime.js";
 import { resolveUserPath } from "../../utils.js";
 import { syncSkillsToWorkspace } from "../skills.js";
 import { DEFAULT_AGENT_WORKSPACE_DIR } from "../workspace.js";
+import { requireSandboxBackendFactory } from "./backend.js";
 import { ensureSandboxBrowser } from "./browser.js";
 import { resolveSandboxConfigForAgent } from "./config.js";
-import { ensureSandboxContainer } from "./docker.js";
 import { createSandboxFsBridge } from "./fs-bridge.js";
 import { maybePruneSandboxes } from "./prune.js";
+import { updateRegistry } from "./registry.js";
 import { resolveSandboxRuntimeStatus } from "./runtime-status.js";
 import { resolveSandboxScopeKey, resolveSandboxWorkspaceDir } from "./shared.js";
 import type { SandboxContext, SandboxDockerConfig, SandboxWorkspaceInfo } from "./types.js";
@@ -131,12 +132,24 @@ export async function resolveSandboxContext(params: {
   });
   const resolvedCfg = docker === cfg.docker ? cfg : { ...cfg, docker };
 
-  const containerName = await ensureSandboxContainer({
+  const backendFactory = requireSandboxBackendFactory(resolvedCfg.backend);
+  const backend = await backendFactory({
     sessionKey: rawSessionKey,
+    scopeKey,
     workspaceDir,
     agentWorkspaceDir,
     cfg: resolvedCfg,
   });
+  await updateRegistry({
+    containerName: backend.runtimeId,
+    backendId: backend.id,
+    runtimeLabel: backend.runtimeLabel,
+    sessionKey: scopeKey,
+    createdAtMs: Date.now(),
+    lastUsedAtMs: Date.now(),
+    image: backend.configLabel ?? resolvedCfg.docker.image,
+    configLabelKind: backend.configLabelKind ?? "Image",
+  });
 
   const evaluateEnabled =
     params.config?.browser?.evaluateEnabled ?? DEFAULT_BROWSER_EVALUATE_ENABLED;
@@ -157,30 +170,44 @@ export async function resolveSandboxContext(params: {
         return browserAuth;
       })()
     : undefined;
-  const browser = await ensureSandboxBrowser({
-    scopeKey,
-    workspaceDir,
-    agentWorkspaceDir,
-    cfg: resolvedCfg,
-    evaluateEnabled,
-    bridgeAuth,
-  });
+  if (resolvedCfg.browser.enabled && backend.capabilities?.browser !== true) {
+    throw new Error(
+      `Sandbox backend "${resolvedCfg.backend}" does not support browser sandboxes yet.`,
+    );
+  }
+  const browser =
+    resolvedCfg.browser.enabled && backend.capabilities?.browser === true
+      ? await ensureSandboxBrowser({
+          scopeKey,
+          workspaceDir,
+          agentWorkspaceDir,
+          cfg: resolvedCfg,
+          evaluateEnabled,
+          bridgeAuth,
+        })
+      : null;
 
   const sandboxContext: SandboxContext = {
     enabled: true,
+    backendId: backend.id,
     sessionKey: rawSessionKey,
     workspaceDir,
     agentWorkspaceDir,
     workspaceAccess: resolvedCfg.workspaceAccess,
-    containerName,
-    containerWorkdir: resolvedCfg.docker.workdir,
+    runtimeId: backend.runtimeId,
+    runtimeLabel: backend.runtimeLabel,
+    containerName: backend.runtimeId,
+    containerWorkdir: backend.workdir,
     docker: resolvedCfg.docker,
     tools: resolvedCfg.tools,
     browserAllowHostControl: resolvedCfg.browser.allowHostControl,
     browser: browser ?? undefined,
+    backend,
   };
 
-  sandboxContext.fsBridge = createSandboxFsBridge({ sandbox: sandboxContext });
+  sandboxContext.fsBridge =
+    backend.createFsBridge?.({ sandbox: sandboxContext }) ??
+    createSandboxFsBridge({ sandbox: sandboxContext });
 
   return sandboxContext;
 }
diff --git a/src/agents/sandbox/docker-backend.ts b/src/agents/sandbox/docker-backend.ts
new file mode 100644
index 00000000000..9686dc4b612
--- /dev/null
+++ b/src/agents/sandbox/docker-backend.ts
@@ -0,0 +1,130 @@
+import { buildDockerExecArgs } from "../bash-tools.shared.js";
+import type {
+  CreateSandboxBackendParams,
+  SandboxBackendManager,
+  SandboxBackendCommandParams,
+  SandboxBackendHandle,
+} from "./backend.js";
+import { resolveSandboxConfigForAgent } from "./config.js";
+import {
+  dockerContainerState,
+  ensureSandboxContainer,
+  execDocker,
+  execDockerRaw,
+} from "./docker.js";
+
+export async function createDockerSandboxBackend(
+  params: CreateSandboxBackendParams,
+): Promise<SandboxBackendHandle> {
+  const containerName = await ensureSandboxContainer({
+    sessionKey: params.sessionKey,
+    workspaceDir: params.workspaceDir,
+    agentWorkspaceDir: params.agentWorkspaceDir,
+    cfg: params.cfg,
+  });
+  return createDockerSandboxBackendHandle({
+    containerName,
+    workdir: params.cfg.docker.workdir,
+    env: params.cfg.docker.env,
+    image: params.cfg.docker.image,
+  });
+}
+
+export function createDockerSandboxBackendHandle(params: {
+  containerName: string;
+  workdir: string;
+  env?: Record<string, string>;
+  image: string;
+}): SandboxBackendHandle {
+  return {
+    id: "docker",
+    runtimeId: params.containerName,
+    runtimeLabel: params.containerName,
+    workdir: params.workdir,
+    env: params.env,
+    configLabel: params.image,
+    configLabelKind: "Image",
+    capabilities: {
+      browser: true,
+    },
+    async buildExecSpec({ command, workdir, env, usePty }) {
+      return {
+        argv: [
+          "docker",
+          ...buildDockerExecArgs({
+            containerName: params.containerName,
+            command,
+            workdir: workdir ?? params.workdir,
+            env,
+            tty: usePty,
+          }),
+        ],
+        env: process.env,
+        stdinMode: usePty ? "pipe-open" : "pipe-closed",
+      };
+    },
+    runShellCommand(command) {
+      return runDockerSandboxShellCommand({
+        containerName: params.containerName,
+        ...command,
+      });
+    },
+  };
+}
+
+export function runDockerSandboxShellCommand(
+  params: {
+    containerName: string;
+  } & SandboxBackendCommandParams,
+) {
+  const dockerArgs = [
+    "exec",
+    "-i",
+    params.containerName,
+    "sh",
+    "-c",
+    params.script,
+    "moltbot-sandbox-fs",
+  ];
+  if (params.args?.length) {
+    dockerArgs.push(...params.args);
+  }
+  return execDockerRaw(dockerArgs, {
+    input: params.stdin,
+    allowFailure: params.allowFailure,
+    signal: params.signal,
+  });
+}
+
+export const dockerSandboxBackendManager: SandboxBackendManager = {
+  async describeRuntime({ entry, config, agentId }) {
+    const state = await dockerContainerState(entry.containerName);
+    let actualConfigLabel = entry.image;
+    if (state.exists) {
+      try {
+        const result = await execDocker(
+          ["inspect", "-f", "{{.Config.Image}}", entry.containerName],
+          { allowFailure: true },
+        );
+        if (result.code === 0) {
+          actualConfigLabel = result.stdout.trim() || actualConfigLabel;
+        }
+      } catch {
+        // ignore inspect failures
+      }
+    }
+    const configuredImage = resolveSandboxConfigForAgent(config, agentId).docker.image;
+    return {
+      running: state.running,
+      actualConfigLabel,
+      configLabelMatch: actualConfigLabel === configuredImage,
+    };
+  },
+  async removeRuntime({ entry }) {
+    try {
+      await execDocker(["rm", "-f", entry.containerName], { allowFailure: true });
+    } catch {
+      // ignore removal failures
+    }
+  },
+};
diff --git a/src/agents/sandbox/docker.config-hash-recreate.test.ts b/src/agents/sandbox/docker.config-hash-recreate.test.ts
index b2cd24c6630..46d37f9fd61 100644
--- a/src/agents/sandbox/docker.config-hash-recreate.test.ts
+++ b/src/agents/sandbox/docker.config-hash-recreate.test.ts
@@ -91,6 +91,7 @@ function createSandboxConfig(
 ): SandboxConfig {
   return {
     mode: "all",
+    backend: "docker",
     scope: "shared",
     workspaceAccess,
     workspaceRoot: "~/.openclaw/sandboxes",
@@ -108,6 +109,12 @@ function createSandboxConfig(
       binds: binds ?? ["/tmp/workspace:/workspace:rw"],
       dangerouslyAllowReservedContainerTargets: true,
     },
+    ssh: {
+      command: "ssh",
+      workspaceRoot: "/tmp/openclaw-sandboxes",
+      strictHostKeyChecking: true,
+      updateHostKeys: true,
+    },
     browser: {
       enabled: false,
       image: "openclaw-browser:test",
diff --git a/src/agents/sandbox/docker.ts b/src/agents/sandbox/docker.ts
index aefceb08495..80a2921cb6b 100644
--- a/src/agents/sandbox/docker.ts
+++ b/src/agents/sandbox/docker.ts
@@ -557,10 +557,13 @@ export async function ensureSandboxContainer(params: {
   }
   await updateRegistry({
     containerName,
+    backendId: "docker",
+    runtimeLabel: containerName,
     sessionKey: scopeKey,
     createdAtMs: now,
     lastUsedAtMs: now,
     image: params.cfg.docker.image,
+    configLabelKind: "Image",
     configHash: hashMismatch && running ? (currentHash ?? undefined) : expectedHash,
   });
   return containerName;
diff --git a/src/agents/sandbox/fs-bridge.ts b/src/agents/sandbox/fs-bridge.ts
index 7a9a22d4459..7941b2b6828 100644
--- a/src/agents/sandbox/fs-bridge.ts
+++ b/src/agents/sandbox/fs-bridge.ts
@@ -1,5 +1,6 @@
 import fs from "node:fs";
-import { execDockerRaw, type ExecDockerRawResult } from "./docker.js";
+import type { SandboxBackendCommandResult } from "./backend.js";
+import { runDockerSandboxShellCommand } from "./docker-backend.js";
 import {
   buildPinnedMkdirpPlan,
   buildPinnedRemovePlan,
@@ -23,7 +24,7 @@ type RunCommandOptions = {
 };
 
 export type SandboxResolvedPath = {
-  hostPath: string;
+  hostPath?: string;
   relativePath: string;
   containerPath: string;
 };
@@ -248,21 +249,22 @@ class SandboxFsBridgeImpl implements SandboxFsBridge {
   private async runCommand(
     script: string,
     options: RunCommandOptions = {},
-  ): Promise<ExecDockerRawResult> {
-    const dockerArgs = [
-      "exec",
-      "-i",
-      this.sandbox.containerName,
-      "sh",
-      "-c",
-      script,
-      "moltbot-sandbox-fs",
-    ];
-    if (options.args?.length) {
-      dockerArgs.push(...options.args);
+  ): Promise<SandboxBackendCommandResult> {
+    const backend = this.sandbox.backend;
+    if (backend) {
+      return await backend.runShellCommand({
+        script,
+        args: options.args,
+        stdin: options.stdin,
+        allowFailure: options.allowFailure,
+        signal: options.signal,
+      });
     }
-    return execDockerRaw(dockerArgs, {
-      input: options.stdin,
+    return await runDockerSandboxShellCommand({
+      containerName: this.sandbox.containerName,
+      script,
+      args: options.args,
+      stdin: options.stdin,
       allowFailure: options.allowFailure,
       signal: options.signal,
     });
@@ -279,7 +281,7 @@ class SandboxFsBridgeImpl implements SandboxFsBridge {
 
   private async runCheckedCommand(
     plan: SandboxFsCommandPlan & { stdin?: Buffer | string; signal?: AbortSignal },
-  ): Promise<ExecDockerRawResult> {
+  ): Promise<SandboxBackendCommandResult> {
     await this.pathGuard.assertPathChecks(plan.checks);
     if (plan.recheckBeforeCommand) {
       await this.pathGuard.assertPathChecks(plan.checks);
@@ -295,7 +297,7 @@ class SandboxFsBridgeImpl implements SandboxFsBridge {
   private async runPlannedCommand(
     plan: SandboxFsCommandPlan,
     signal?: AbortSignal,
-  ): Promise<ExecDockerRawResult> {
+  ): Promise<SandboxBackendCommandResult> {
     return await this.runCheckedCommand({ ...plan, signal });
   }
 
diff --git a/src/agents/sandbox/manage.ts b/src/agents/sandbox/manage.ts
index f6988146e90..c6e6f3fd7bf 100644
--- a/src/agents/sandbox/manage.ts
+++ b/src/agents/sandbox/manage.ts
@@ -1,8 +1,8 @@
 import { stopBrowserBridgeServer } from "../../browser/bridge-server.js";
 import { loadConfig } from "../../config/config.js";
+import { getSandboxBackendManager } from "./backend.js";
 import { BROWSER_BRIDGES } from "./browser-bridges.js";
-import { resolveSandboxConfigForAgent } from "./config.js";
-import { dockerContainerState, execDocker } from "./docker.js";
+import { dockerSandboxBackendManager } from "./docker-backend.js";
 import {
   readBrowserRegistry,
   readRegistry,
@@ -23,80 +23,99 @@ export type SandboxBrowserInfo = SandboxBrowserRegistryEntry & {
   imageMatch: boolean;
 };
 
-async function listSandboxRegistryItems<
-  TEntry extends { containerName: string; image: string; sessionKey: string },
->(params: {
-  read: () => Promise<{ entries: TEntry[] }>;
-  resolveConfiguredImage: (agentId?: string) => string;
-}): Promise<Array<TEntry & { running: boolean; imageMatch: boolean }>> {
-  const registry = await params.read();
-  const results: Array<TEntry & { running: boolean; imageMatch: boolean }> = [];
+export async function listSandboxContainers(): Promise<SandboxContainerInfo[]> {
+  const config = loadConfig();
+  const registry = await readRegistry();
+  const results: SandboxContainerInfo[] = [];
 
   for (const entry of registry.entries) {
-    const state = await dockerContainerState(entry.containerName);
-    // Get actual image from container.
-    let actualImage = entry.image;
-    if (state.exists) {
-      try {
-        const result = await execDocker(
-          ["inspect", "-f", "{{.Config.Image}}", entry.containerName],
-          { allowFailure: true },
-        );
-        if (result.code === 0) {
-          actualImage = result.stdout.trim();
-        }
-      } catch {
-        // ignore
-      }
+    const backendId = entry.backendId ?? "docker";
+    const manager = getSandboxBackendManager(backendId);
+    if (!manager) {
+      results.push({
+        ...entry,
+        running: false,
+        imageMatch: true,
+      });
+      continue;
     }
     const agentId = resolveSandboxAgentId(entry.sessionKey);
-    const configuredImage = params.resolveConfiguredImage(agentId);
+    const runtime = await manager.describeRuntime({
+      entry,
+      config,
+      agentId,
+    });
     results.push({
       ...entry,
-      image: actualImage,
-      running: state.running,
-      imageMatch: actualImage === configuredImage,
+      image: runtime.actualConfigLabel ?? entry.image,
+      running: runtime.running,
+      imageMatch: runtime.configLabelMatch,
     });
   }
 
   return results;
 }
 
-export async function listSandboxContainers(): Promise<SandboxContainerInfo[]> {
-  const config = loadConfig();
-  return listSandboxRegistryItems<SandboxRegistryEntry>({
-    read: readRegistry,
-    resolveConfiguredImage: (agentId) => resolveSandboxConfigForAgent(config, agentId).docker.image,
-  });
-}
-
 export async function listSandboxBrowsers(): Promise<SandboxBrowserInfo[]> {
   const config = loadConfig();
-  return listSandboxRegistryItems<SandboxBrowserRegistryEntry>({
-    read: readBrowserRegistry,
-    resolveConfiguredImage: (agentId) =>
-      resolveSandboxConfigForAgent(config, agentId).browser.image,
-  });
+  const registry = await readBrowserRegistry();
+  const results: SandboxBrowserInfo[] = [];
+
+  for (const entry of registry.entries) {
+    const agentId = resolveSandboxAgentId(entry.sessionKey);
+    const runtime = await dockerSandboxBackendManager.describeRuntime({
+      entry: {
+        ...entry,
+        backendId: "docker",
+        runtimeLabel: entry.containerName,
+        configLabelKind: "Image",
+      },
+      config,
+      agentId,
+    });
+    results.push({
+      ...entry,
+      image: runtime.actualConfigLabel ?? entry.image,
+      running: runtime.running,
+      imageMatch: runtime.configLabelMatch,
+    });
+  }
+
+  return results;
 }
 
 export async function removeSandboxContainer(containerName: string): Promise<void> {
-  try {
-    await execDocker(["rm", "-f", containerName], { allowFailure: true });
-  } catch {
-    // ignore removal failures
+  const config = loadConfig();
+  const registry = await readRegistry();
+  const entry = registry.entries.find((item) => item.containerName === containerName);
+  if (entry) {
+    const manager = getSandboxBackendManager(entry.backendId ?? "docker");
+    await manager?.removeRuntime({
+      entry,
+      config,
+      agentId: resolveSandboxAgentId(entry.sessionKey),
+    });
   }
   await removeRegistryEntry(containerName);
 }
 
 export async function removeSandboxBrowserContainer(containerName: string): Promise<void> {
-  try {
-    await execDocker(["rm", "-f", containerName], { allowFailure: true });
-  } catch {
-    // ignore removal failures
+  const config = loadConfig();
+  const registry = await readBrowserRegistry();
+  const entry = registry.entries.find((item) => item.containerName === containerName);
+  if (entry) {
+    await dockerSandboxBackendManager.removeRuntime({
+      entry: {
+        ...entry,
+        backendId: "docker",
+        runtimeLabel: entry.containerName,
+        configLabelKind: "Image",
+      },
+      config,
+    });
   }
   await removeBrowserRegistryEntry(containerName);
 
-  // Stop browser bridge if active
   for (const [sessionKey, bridge] of BROWSER_BRIDGES.entries()) {
     if (bridge.containerName === containerName) {
       await stopBrowserBridgeServer(bridge.bridge.server).catch(() => undefined);
diff --git a/src/agents/sandbox/prune.ts b/src/agents/sandbox/prune.ts
index 45e7fda6308..8005c23330e 100644
--- a/src/agents/sandbox/prune.ts
+++ b/src/agents/sandbox/prune.ts
@@ -1,7 +1,9 @@
 import { stopBrowserBridgeServer } from "../../browser/bridge-server.js";
+import { loadConfig } from "../../config/config.js";
 import { defaultRuntime } from "../../runtime.js";
+import { getSandboxBackendManager } from "./backend.js";
 import { BROWSER_BRIDGES } from "./browser-bridges.js";
-import { dockerContainerState, execDocker } from "./docker.js";
+import { dockerSandboxBackendManager } from "./docker-backend.js";
 import {
   readBrowserRegistry,
   readRegistry,
@@ -16,7 +18,7 @@ let lastPruneAtMs = 0;
 
 type PruneableRegistryEntry = Pick<
   SandboxRegistryEntry,
-  "containerName" | "createdAtMs" | "lastUsedAtMs"
+  "containerName" | "backendId" | "createdAtMs" | "lastUsedAtMs"
 >;
 
 function shouldPruneSandboxEntry(cfg: SandboxConfig, now: number, entry: PruneableRegistryEntry) {
@@ -33,10 +35,11 @@ function shouldPruneSandboxEntry(cfg: SandboxConfig, now: number, entry: Pruneab
   );
 }
 
-async function pruneSandboxRegistryEntries<TEntry extends PruneableRegistryEntry>(params: {
+async function pruneSandboxRegistryEntries<TEntry extends SandboxRegistryEntry>(params: {
   cfg: SandboxConfig;
   read: () => Promise<{ entries: TEntry[] }>;
   remove: (containerName: string) => Promise<void>;
+  removeRuntime: (entry: TEntry) => Promise<void>;
   onRemoved?: (entry: TEntry) => Promise<void>;
 }) {
   const now = Date.now();
@@ -49,9 +52,7 @@ async function pruneSandboxRegistryEntries<TEntry extends PruneableRegistryEntry
       continue;
     }
     try {
-      await execDocker(["rm", "-f", entry.containerName], {
-        allowFailure: true,
-      });
+      await params.removeRuntime(entry);
     } catch {
       // ignore prune failures
     } finally {
@@ -62,18 +63,44 @@ async function pruneSandboxRegistryEntries<TEntry extends PruneableRegistryEntry
 }
 
 async function pruneSandboxContainers(cfg: SandboxConfig) {
+  const config = loadConfig();
   await pruneSandboxRegistryEntries<SandboxRegistryEntry>({
     cfg,
     read: readRegistry,
     remove: removeRegistryEntry,
+    removeRuntime: async (entry) => {
+      const manager = getSandboxBackendManager(entry.backendId ?? "docker");
+      await manager?.removeRuntime({
+        entry,
+        config,
+      });
+    },
   });
 }
 
 async function pruneSandboxBrowsers(cfg: SandboxConfig) {
-  await pruneSandboxRegistryEntries<SandboxBrowserRegistryEntry>({
+  const config = loadConfig();
+  await pruneSandboxRegistryEntries<
+    SandboxBrowserRegistryEntry & {
+      backendId?: string;
+      runtimeLabel?: string;
+      configLabelKind?: string;
+    }
+  >({
     cfg,
     read: readBrowserRegistry,
     remove: removeBrowserRegistryEntry,
+    removeRuntime: async (entry) => {
+      await dockerSandboxBackendManager.removeRuntime({
+        entry: {
+          ...entry,
+          backendId: "docker",
+          runtimeLabel: entry.containerName,
+          configLabelKind: "Image",
+        },
+        config,
+      });
+    },
     onRemoved: async (entry) => {
       const bridge = BROWSER_BRIDGES.get(entry.sessionKey);
       if (bridge?.containerName === entry.containerName) {
@@ -103,10 +130,3 @@ export async function maybePruneSandboxes(cfg: SandboxConfig) {
     defaultRuntime.error?.(`Sandbox prune failed: ${message ?? "unknown error"}`);
   }
 }
-
-export async function ensureDockerContainerIsRunning(containerName: string) {
-  const state = await dockerContainerState(containerName);
-  if (state.exists && !state.running) {
-    await execDocker(["start", containerName]);
-  }
-}
diff --git a/src/agents/sandbox/registry.test.ts b/src/agents/sandbox/registry.test.ts
index 2de75190bf8..059e6f77c88 100644
--- a/src/agents/sandbox/registry.test.ts
+++ b/src/agents/sandbox/registry.test.ts
@@ -172,6 +172,28 @@ async function seedBrowserRegistry(entries: SandboxBrowserRegistryEntry[]) {
 }
 
 describe("registry race safety", () => {
+  it("normalizes legacy registry entries on read", async () => {
+    await seedContainerRegistry([
+      {
+        containerName: "legacy-container",
+        sessionKey: "agent:main",
+        createdAtMs: 1,
+        lastUsedAtMs: 1,
+        image: "openclaw-sandbox:test",
+      },
+    ]);
+
+    const registry = await readRegistry();
+    expect(registry.entries).toEqual([
+      expect.objectContaining({
+        containerName: "legacy-container",
+        backendId: "docker",
+        runtimeLabel: "legacy-container",
+        configLabelKind: "Image",
+      }),
+    ]);
+  });
+
   it("keeps both container updates under concurrent writes", async () => {
     await Promise.all([
       updateRegistry(containerEntry({ containerName: "container-a" })),
diff --git a/src/agents/sandbox/registry.ts b/src/agents/sandbox/registry.ts
index 54bb361934b..f8efebbf32b 100644
--- a/src/agents/sandbox/registry.ts
+++ b/src/agents/sandbox/registry.ts
@@ -5,10 +5,13 @@ import { SANDBOX_BROWSER_REGISTRY_PATH, SANDBOX_REGISTRY_PATH } from "./constant
 
 export type SandboxRegistryEntry = {
   containerName: string;
+  backendId?: string;
+  runtimeLabel?: string;
   sessionKey: string;
   createdAtMs: number;
   lastUsedAtMs: number;
   image: string;
+  configLabelKind?: string;
   configHash?: string;
 };
 
@@ -42,8 +45,11 @@ type RegistryFile<T extends RegistryEntry> = {
 };
 
 type UpsertEntry = RegistryEntry & {
+  backendId?: string;
+  runtimeLabel?: string;
   createdAtMs: number;
   image: string;
+  configLabelKind?: string;
   configHash?: string;
 };
 
@@ -55,6 +61,15 @@ function isRegistryEntry(value: unknown): value is RegistryEntry {
   return isRecord(value) && typeof value.containerName === "string";
 }
 
+function normalizeSandboxRegistryEntry(entry: SandboxRegistryEntry): SandboxRegistryEntry {
+  return {
+    ...entry,
+    backendId: entry.backendId?.trim() || "docker",
+    runtimeLabel: entry.runtimeLabel?.trim() || entry.containerName,
+    configLabelKind: entry.configLabelKind?.trim() || "Image",
+  };
+}
+
 function isRegistryFile<T extends RegistryEntry>(value: unknown): value is RegistryFile<T> {
   if (!isRecord(value)) {
     return false;
@@ -110,7 +125,13 @@ async function writeRegistryFile<T extends RegistryEntry>(
 }
 
 export async function readRegistry(): Promise<SandboxRegistry> {
-  return await readRegistryFromFile<SandboxRegistryEntry>(SANDBOX_REGISTRY_PATH, "fallback");
+  const registry = await readRegistryFromFile<SandboxRegistryEntry>(
+    SANDBOX_REGISTRY_PATH,
+    "fallback",
+  );
+  return {
+    entries: registry.entries.map((entry) => normalizeSandboxRegistryEntry(entry)),
+  };
 }
 
 function upsertEntry<T extends UpsertEntry>(entries: T[], entry: T): T[] {
@@ -118,8 +139,11 @@ function upsertEntry<T extends UpsertEntry>(entries: T[], entry: T): T[] {
   const next = entries.filter((item) => item.containerName !== entry.containerName);
   next.push({
     ...entry,
+    backendId: entry.backendId ?? existing?.backendId,
+    runtimeLabel: entry.runtimeLabel ?? existing?.runtimeLabel,
     createdAtMs: existing?.createdAtMs ?? entry.createdAtMs,
     image: existing?.image ?? entry.image,
+    configLabelKind: entry.configLabelKind ?? existing?.configLabelKind,
     configHash: entry.configHash ?? existing?.configHash,
   });
   return next;
diff --git a/src/agents/sandbox/remote-fs-bridge.ts b/src/agents/sandbox/remote-fs-bridge.ts
new file mode 100644
index 00000000000..ef70e928eac
--- /dev/null
+++ b/src/agents/sandbox/remote-fs-bridge.ts
@@ -0,0 +1,518 @@
+import path from "node:path";
+import type { SandboxBackendCommandParams, SandboxBackendCommandResult } from "./backend.js";
+import { SANDBOX_PINNED_MUTATION_PYTHON } from "./fs-bridge-mutation-helper.js";
+import type { SandboxFsBridge, SandboxFsStat, SandboxResolvedPath } from "./fs-bridge.js";
+import type { SandboxContext } from "./types.js";
+
+type ResolvedRemotePath = SandboxResolvedPath & {
+  writable: boolean;
+  mountRootPath: string;
+  source: "workspace" | "agent";
+};
+
+type MountInfo = {
+  containerRoot: string;
+  writable: boolean;
+  source: "workspace" | "agent";
+};
+
+export type RemoteShellSandboxHandle = {
+  remoteWorkspaceDir: string;
+  remoteAgentWorkspaceDir: string;
+  runRemoteShellScript(params: SandboxBackendCommandParams): Promise<SandboxBackendCommandResult>;
+};
+
+export function createRemoteShellSandboxFsBridge(params: {
+  sandbox: SandboxContext;
+  runtime: RemoteShellSandboxHandle;
+}): SandboxFsBridge {
+  return new RemoteShellSandboxFsBridge(params.sandbox, params.runtime);
+}
+
+class RemoteShellSandboxFsBridge implements SandboxFsBridge {
+  constructor(
+    private readonly sandbox: SandboxContext,
+    private readonly runtime: RemoteShellSandboxHandle,
+  ) {}
+
+  resolvePath(params: { filePath: string; cwd?: string }): SandboxResolvedPath {
+    const target = this.resolveTarget(params);
+    return {
+      relativePath: target.relativePath,
+      containerPath: target.containerPath,
+    };
+  }
+
+  async readFile(params: {
+    filePath: string;
+    cwd?: string;
+    signal?: AbortSignal;
+  }): Promise<Buffer> {
+    const target = this.resolveTarget(params);
+    const canonical = await this.resolveCanonicalPath({
+      containerPath: target.containerPath,
+      action: "read files",
+      signal: params.signal,
+    });
+    await this.assertNoHardlinkedFile({
+      containerPath: canonical,
+      action: "read files",
+      signal: params.signal,
+    });
+    const result = await this.runRemoteScript({
+      script: 'set -eu\ncat -- "$1"',
+      args: [canonical],
+      signal: params.signal,
+    });
+    return result.stdout;
+  }
+
+  async writeFile(params: {
+    filePath: string;
+    cwd?: string;
+    data: Buffer | string;
+    encoding?: BufferEncoding;
+    mkdir?: boolean;
+    signal?: AbortSignal;
+  }): Promise<void> {
+    const target = this.resolveTarget(params);
+    this.ensureWritable(target, "write files");
+    const pinned = await this.resolvePinnedParent({
+      containerPath: target.containerPath,
+      action: "write files",
+      requireWritable: true,
+    });
+    await this.assertNoHardlinkedFile({
+      containerPath: target.containerPath,
+      action: "write files",
+      signal: params.signal,
+    });
+    const buffer = Buffer.isBuffer(params.data)
+      ? params.data
+      : Buffer.from(params.data, params.encoding ?? "utf8");
+    await this.runMutation({
+      args: [
+        "write",
+        pinned.mountRootPath,
+        pinned.relativeParentPath,
+        pinned.basename,
+        params.mkdir !== false ? "1" : "0",
+      ],
+      stdin: buffer,
+      signal: params.signal,
+    });
+  }
+
+  async mkdirp(params: { filePath: string; cwd?: string; signal?: AbortSignal }): Promise<void> {
+    const target = this.resolveTarget(params);
+    this.ensureWritable(target, "create directories");
+    const relativePath = path.posix.relative(target.mountRootPath, target.containerPath);
+    if (relativePath.startsWith("..") || path.posix.isAbsolute(relativePath)) {
+      throw new Error(
+        `Sandbox path escapes allowed mounts; cannot create directories: ${target.containerPath}`,
+      );
+    }
+    await this.runMutation({
+      args: ["mkdirp", target.mountRootPath, relativePath === "." ? "" : relativePath],
+      signal: params.signal,
+    });
+  }
+
+  async remove(params: {
+    filePath: string;
+    cwd?: string;
+    recursive?: boolean;
+    force?: boolean;
+    signal?: AbortSignal;
+  }): Promise<void> {
+    const target = this.resolveTarget(params);
+    this.ensureWritable(target, "remove files");
+    const exists = await this.remotePathExists(target.containerPath, params.signal);
+    if (!exists) {
+      if (params.force === false) {
+        throw new Error(`Sandbox path not found; cannot remove files: ${target.containerPath}`);
+      }
+      return;
+    }
+    const pinned = await this.resolvePinnedParent({
+      containerPath: target.containerPath,
+      action: "remove files",
+      requireWritable: true,
+      allowFinalSymlinkForUnlink: true,
+    });
+    await this.runMutation({
+      args: [
+        "remove",
+        pinned.mountRootPath,
+        pinned.relativeParentPath,
+        pinned.basename,
+        params.recursive ? "1" : "0",
+        params.force === false ? "0" : "1",
+      ],
+      signal: params.signal,
+      allowFailure: params.force !== false,
+    });
+  }
+
+  async rename(params: {
+    from: string;
+    to: string;
+    cwd?: string;
+    signal?: AbortSignal;
+  }): Promise<void> {
+    const from = this.resolveTarget({ filePath: params.from, cwd: params.cwd });
+    const to = this.resolveTarget({ filePath: params.to, cwd: params.cwd });
+    this.ensureWritable(from, "rename files");
+    this.ensureWritable(to, "rename files");
+    const fromPinned = await this.resolvePinnedParent({
+      containerPath: from.containerPath,
+      action: "rename files",
+      requireWritable: true,
+      allowFinalSymlinkForUnlink: true,
+    });
+    const toPinned = await this.resolvePinnedParent({
+      containerPath: to.containerPath,
+      action: "rename files",
+      requireWritable: true,
+    });
+    await this.runMutation({
+      args: [
+        "rename",
+        fromPinned.mountRootPath,
+        fromPinned.relativeParentPath,
+        fromPinned.basename,
+        toPinned.mountRootPath,
+        toPinned.relativeParentPath,
+        toPinned.basename,
+        "1",
+      ],
+      signal: params.signal,
+    });
+  }
+
+  async stat(params: {
+    filePath: string;
+    cwd?: string;
+    signal?: AbortSignal;
+  }): Promise<SandboxFsStat | null> {
+    const target = this.resolveTarget(params);
+    const exists = await this.remotePathExists(target.containerPath, params.signal);
+    if (!exists) {
+      return null;
+    }
+    const canonical = await this.resolveCanonicalPath({
+      containerPath: target.containerPath,
+      action: "stat files",
+      signal: params.signal,
+    });
+    await this.assertNoHardlinkedFile({
+      containerPath: canonical,
+      action: "stat files",
+      signal: params.signal,
+    });
+    const result = await this.runRemoteScript({
+      script: 'set -eu\nstat -c "%F|%s|%Y" -- "$1"',
+      args: [canonical],
+      signal: params.signal,
+    });
+    const output = result.stdout.toString("utf8").trim();
+    const [kindRaw = "", sizeRaw = "0", mtimeRaw = "0"] = output.split("|");
+    return {
+      type: kindRaw === "directory" ? "directory" : kindRaw === "regular file" ? "file" : "other",
+      size: Number(sizeRaw),
+      mtimeMs: Number(mtimeRaw) * 1000,
+    };
+  }
+
+  private getMounts(): MountInfo[] {
+    const mounts: MountInfo[] = [
+      {
+        containerRoot: normalizeContainerPath(this.runtime.remoteWorkspaceDir),
+        writable: this.sandbox.workspaceAccess === "rw",
+        source: "workspace",
+      },
+    ];
+    if (
+      this.sandbox.workspaceAccess !== "none" &&
+      path.resolve(this.sandbox.agentWorkspaceDir) !== path.resolve(this.sandbox.workspaceDir)
+    ) {
+      mounts.push({
+        containerRoot: normalizeContainerPath(this.runtime.remoteAgentWorkspaceDir),
+        writable: this.sandbox.workspaceAccess === "rw",
+        source: "agent",
+      });
+    }
+    return mounts;
+  }
+
+  private resolveTarget(params: { filePath: string; cwd?: string }): ResolvedRemotePath {
+    const workspaceRoot = path.resolve(this.sandbox.workspaceDir);
+    const agentRoot = path.resolve(this.sandbox.agentWorkspaceDir);
+    const workspaceContainerRoot = normalizeContainerPath(this.runtime.remoteWorkspaceDir);
+    const agentContainerRoot = normalizeContainerPath(this.runtime.remoteAgentWorkspaceDir);
+    const mounts = this.getMounts();
+    const input = params.filePath.trim();
+    const inputPosix = input.replace(/\\/g, "/");
+    const maybeContainerMount = path.posix.isAbsolute(inputPosix)
+      ? this.resolveMountByContainerPath(mounts, normalizeContainerPath(inputPosix))
+      : null;
+    if (maybeContainerMount) {
+      return this.toResolvedPath({
+        mount: maybeContainerMount,
+        containerPath: normalizeContainerPath(inputPosix),
+      });
+    }
+
+    const hostCwd = params.cwd ? path.resolve(params.cwd) : workspaceRoot;
+    const hostCandidate = path.isAbsolute(input)
+      ? path.resolve(input)
+      : path.resolve(hostCwd, input);
+    if (isPathInside(workspaceRoot, hostCandidate)) {
+      const relative = toPosixRelative(workspaceRoot, hostCandidate);
+      return this.toResolvedPath({
+        mount: mounts[0],
+        containerPath: relative
+          ? path.posix.join(workspaceContainerRoot, relative)
+          : workspaceContainerRoot,
+      });
+    }
+    if (mounts[1] && isPathInside(agentRoot, hostCandidate)) {
+      const relative = toPosixRelative(agentRoot, hostCandidate);
+      return this.toResolvedPath({
+        mount: mounts[1],
+        containerPath: relative
+          ? path.posix.join(agentContainerRoot, relative)
+          : agentContainerRoot,
+      });
+    }
+
+    if (params.cwd) {
+      const cwdPosix = params.cwd.replace(/\\/g, "/");
+      if (path.posix.isAbsolute(cwdPosix)) {
+        const cwdContainer = normalizeContainerPath(cwdPosix);
+        const cwdMount = this.resolveMountByContainerPath(mounts, cwdContainer);
+        if (cwdMount) {
+          return this.toResolvedPath({
+            mount: cwdMount,
+            containerPath: normalizeContainerPath(path.posix.resolve(cwdContainer, inputPosix)),
+          });
+        }
+      }
+    }
+
+    throw new Error(`Sandbox path escapes allowed mounts; cannot access: ${params.filePath}`);
+  }
+
+  private toResolvedPath(params: { mount: MountInfo; containerPath: string }): ResolvedRemotePath {
+    const relative = path.posix.relative(params.mount.containerRoot, params.containerPath);
+    if (relative.startsWith("..") || path.posix.isAbsolute(relative)) {
+      throw new Error(
+        `Sandbox path escapes allowed mounts; cannot access: ${params.containerPath}`,
+      );
+    }
+    return {
+      relativePath:
+        params.mount.source === "workspace"
+          ? relative === "."
+            ? ""
+            : relative
+          : relative === "."
+            ? params.mount.containerRoot
+            : `${params.mount.containerRoot}/${relative}`,
+      containerPath: params.containerPath,
+      writable: params.mount.writable,
+      mountRootPath: params.mount.containerRoot,
+      source: params.mount.source,
+    };
+  }
+
+  private resolveMountByContainerPath(
+    mounts: MountInfo[],
+    containerPath: string,
+  ): MountInfo | null {
+    const ordered = [...mounts].toSorted((a, b) => b.containerRoot.length - a.containerRoot.length);
+    for (const mount of ordered) {
+      if (isPathInsideContainerRoot(mount.containerRoot, containerPath)) {
+        return mount;
+      }
+    }
+    return null;
+  }
+
+  private ensureWritable(target: ResolvedRemotePath, action: string) {
+    if (this.sandbox.workspaceAccess !== "rw" || !target.writable) {
+      throw new Error(`Sandbox path is read-only; cannot ${action}: ${target.containerPath}`);
+    }
+  }
+
+  private async remotePathExists(containerPath: string, signal?: AbortSignal): Promise<boolean> {
+    const result = await this.runRemoteScript({
+      script: 'if [ -e "$1" ] || [ -L "$1" ]; then printf "1\\n"; else printf "0\\n"; fi',
+      args: [containerPath],
+      signal,
+    });
+    return result.stdout.toString("utf8").trim() === "1";
+  }
+
+  private async resolveCanonicalPath(params: {
+    containerPath: string;
+    action: string;
+    allowFinalSymlinkForUnlink?: boolean;
+    signal?: AbortSignal;
+  }): Promise<string> {
+    const script = [
+      "set -eu",
+      'target="$1"',
+      'allow_final="$2"',
+      'suffix=""',
+      'probe="$target"',
+      'if [ "$allow_final" = "1" ] && [ -L "$target" ]; then probe=$(dirname -- "$target"); fi',
+      'cursor="$probe"',
+      'while [ ! -e "$cursor" ] && [ ! -L "$cursor" ]; do',
+      '  parent=$(dirname -- "$cursor")',
+      '  if [ "$parent" = "$cursor" ]; then break; fi',
+      '  base=$(basename -- "$cursor")',
+      '  suffix="/$base$suffix"',
+      '  cursor="$parent"',
+      "done",
+      'canonical=$(readlink -f -- "$cursor")',
+      'printf "%s%s\\n" "$canonical" "$suffix"',
+    ].join("\n");
+    const result = await this.runRemoteScript({
+      script,
+      args: [params.containerPath, params.allowFinalSymlinkForUnlink ? "1" : "0"],
+      signal: params.signal,
+    });
+    const canonical = normalizeContainerPath(result.stdout.toString("utf8").trim());
+    if (!this.resolveMountByContainerPath(this.getMounts(), canonical)) {
+      throw new Error(
+        `Sandbox path escapes allowed mounts; cannot ${params.action}: ${params.containerPath}`,
+      );
+    }
+    return canonical;
+  }
+
+  private async assertNoHardlinkedFile(params: {
+    containerPath: string;
+    action: string;
+    signal?: AbortSignal;
+  }): Promise<void> {
+    const result = await this.runRemoteScript({
+      script: [
+        'if [ ! -e "$1" ] && [ ! -L "$1" ]; then exit 0; fi',
+        'stats=$(stat -c "%F|%h" -- "$1")',
+        'printf "%s\\n" "$stats"',
+      ].join("\n"),
+      args: [params.containerPath],
+      signal: params.signal,
+      allowFailure: true,
+    });
+    const output = result.stdout.toString("utf8").trim();
+    if (!output) {
+      return;
+    }
+    const [kind = "", linksRaw = "1"] = output.split("|");
+    if (kind === "regular file" && Number(linksRaw) > 1) {
+      throw new Error(
+        `Hardlinked path is not allowed under sandbox mount root: ${params.containerPath}`,
+      );
+    }
+  }
+
+  private async resolvePinnedParent(params: {
+    containerPath: string;
+    action: string;
+    requireWritable?: boolean;
+    allowFinalSymlinkForUnlink?: boolean;
+  }): Promise<{ mountRootPath: string; relativeParentPath: string; basename: string }> {
+    const basename = path.posix.basename(params.containerPath);
+    if (!basename || basename === "." || basename === "/") {
+      throw new Error(`Invalid sandbox entry target: ${params.containerPath}`);
+    }
+    const canonicalParent = await this.resolveCanonicalPath({
+      containerPath: normalizeContainerPath(path.posix.dirname(params.containerPath)),
+      action: params.action,
+      allowFinalSymlinkForUnlink: params.allowFinalSymlinkForUnlink,
+    });
+    const mount = this.resolveMountByContainerPath(this.getMounts(), canonicalParent);
+    if (!mount) {
+      throw new Error(
+        `Sandbox path escapes allowed mounts; cannot ${params.action}: ${params.containerPath}`,
+      );
+    }
+    if (params.requireWritable && !mount.writable) {
+      throw new Error(
+        `Sandbox path is read-only; cannot ${params.action}: ${params.containerPath}`,
+      );
+    }
+    const relativeParentPath = path.posix.relative(mount.containerRoot, canonicalParent);
+    if (relativeParentPath.startsWith("..") || path.posix.isAbsolute(relativeParentPath)) {
+      throw new Error(
+        `Sandbox path escapes allowed mounts; cannot ${params.action}: ${params.containerPath}`,
+      );
+    }
+    return {
+      mountRootPath: mount.containerRoot,
+      relativeParentPath: relativeParentPath === "." ? "" : relativeParentPath,
+      basename,
+    };
+  }
+
+  private async runMutation(params: {
+    args: string[];
+    stdin?: Buffer | string;
+    signal?: AbortSignal;
+    allowFailure?: boolean;
+  }) {
+    await this.runRemoteScript({
+      script: [
+        "set -eu",
+        "python3 /dev/fd/3 \"$@\" 3<<'PY'",
+        SANDBOX_PINNED_MUTATION_PYTHON,
+        "PY",
+      ].join("\n"),
+      args: params.args,
+      stdin: params.stdin,
+      signal: params.signal,
+      allowFailure: params.allowFailure,
+    });
+  }
+
+  private async runRemoteScript(params: {
+    script: string;
+    args?: string[];
+    stdin?: Buffer | string;
+    signal?: AbortSignal;
+    allowFailure?: boolean;
+  }) {
+    return await this.runtime.runRemoteShellScript({
+      script: params.script,
+      args: params.args,
+      stdin: params.stdin,
+      signal: params.signal,
+      allowFailure: params.allowFailure,
+    });
+  }
+}
+
+function normalizeContainerPath(value: string): string {
+  const normalized = path.posix.normalize(value.trim() || "/");
+  return normalized.startsWith("/") ? normalized : `/${normalized}`;
+}
+
+function isPathInsideContainerRoot(root: string, candidate: string): boolean {
+  const normalizedRoot = normalizeContainerPath(root);
+  const normalizedCandidate = normalizeContainerPath(candidate);
+  return (
+    normalizedCandidate === normalizedRoot || normalizedCandidate.startsWith(`${normalizedRoot}/`)
+  );
+}
+
+function isPathInside(root: string, candidate: string): boolean {
+  const relative = path.relative(root, candidate);
+  return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
+}
+
+function toPosixRelative(root: string, candidate: string): string {
+  return path.relative(root, candidate).split(path.sep).filter(Boolean).join(path.posix.sep);
+}
diff --git a/src/agents/sandbox/ssh-backend.test.ts b/src/agents/sandbox/ssh-backend.test.ts
new file mode 100644
index 00000000000..c8ec3b5f750
--- /dev/null
+++ b/src/agents/sandbox/ssh-backend.test.ts
@@ -0,0 +1,338 @@
+import os from "node:os";
+import path from "node:path";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import type { OpenClawConfig } from "../../config/config.js";
+
+const sshMocks = vi.hoisted(() => ({
+  createSshSandboxSessionFromSettings: vi.fn(),
+  disposeSshSandboxSession: vi.fn(),
+  runSshSandboxCommand: vi.fn(),
+  uploadDirectoryToSshTarget: vi.fn(),
+  buildSshSandboxArgv: vi.fn(),
+}));
+
+vi.mock("./ssh.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("./ssh.js")>();
+  return {
+    ...actual,
+    createSshSandboxSessionFromSettings: sshMocks.createSshSandboxSessionFromSettings,
+    disposeSshSandboxSession: sshMocks.disposeSshSandboxSession,
+    runSshSandboxCommand: sshMocks.runSshSandboxCommand,
+    uploadDirectoryToSshTarget: sshMocks.uploadDirectoryToSshTarget,
+    buildSshSandboxArgv: sshMocks.buildSshSandboxArgv,
+  };
+});
+
+import { createSshSandboxBackend, sshSandboxBackendManager } from "./ssh-backend.js";
+
+function createConfig(): OpenClawConfig {
+  return {
+    agents: {
+      defaults: {
+        sandbox: {
+          mode: "all",
+          backend: "ssh",
+          scope: "session",
+          workspaceAccess: "rw",
+          ssh: {
+            target: "peter@example.com:2222",
+            command: "ssh",
+            workspaceRoot: "/remote/openclaw",
+            strictHostKeyChecking: true,
+            updateHostKeys: true,
+          },
+        },
+      },
+    },
+  };
+}
+
+function createSession() {
+  return {
+    command: "ssh",
+    configPath: path.join(os.tmpdir(), "openclaw-test-ssh-config"),
+    host: "openclaw-sandbox",
+  };
+}
+
+describe("ssh sandbox backend", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    sshMocks.createSshSandboxSessionFromSettings.mockResolvedValue(createSession());
+    sshMocks.disposeSshSandboxSession.mockResolvedValue(undefined);
+    sshMocks.runSshSandboxCommand.mockResolvedValue({
+      stdout: Buffer.from("1\n"),
+      stderr: Buffer.alloc(0),
+      code: 0,
+    });
+    sshMocks.uploadDirectoryToSshTarget.mockResolvedValue(undefined);
+    sshMocks.buildSshSandboxArgv.mockImplementation(({ session, remoteCommand, tty }) => [
+      session.command,
+      "-F",
+      session.configPath,
+      tty ? "-tt" : "-T",
+      session.host,
+      remoteCommand,
+    ]);
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("describes runtimes via the configured ssh target", async () => {
+    const result = await sshSandboxBackendManager.describeRuntime({
+      entry: {
+        containerName: "openclaw-ssh-worker-abcd1234",
+        backendId: "ssh",
+        runtimeLabel: "openclaw-ssh-worker-abcd1234",
+        sessionKey: "agent:worker",
+        createdAtMs: 1,
+        lastUsedAtMs: 1,
+        image: "peter@example.com:2222",
+        configLabelKind: "Target",
+      },
+      config: createConfig(),
+    });
+
+    expect(result).toEqual({
+      running: true,
+      actualConfigLabel: "peter@example.com:2222",
+      configLabelMatch: true,
+    });
+    expect(sshMocks.createSshSandboxSessionFromSettings).toHaveBeenCalledWith(
+      expect.objectContaining({
+        target: "peter@example.com:2222",
+        workspaceRoot: "/remote/openclaw",
+      }),
+    );
+    expect(sshMocks.runSshSandboxCommand).toHaveBeenCalledWith(
+      expect.objectContaining({
+        remoteCommand: expect.stringContaining("/remote/openclaw/openclaw-ssh-agent-worker"),
+      }),
+    );
+  });
+
+  it("removes runtimes by deleting the remote scope root", async () => {
+    await sshSandboxBackendManager.removeRuntime({
+      entry: {
+        containerName: "openclaw-ssh-worker-abcd1234",
+        backendId: "ssh",
+        runtimeLabel: "openclaw-ssh-worker-abcd1234",
+        sessionKey: "agent:worker",
+        createdAtMs: 1,
+        lastUsedAtMs: 1,
+        image: "peter@example.com:2222",
+        configLabelKind: "Target",
+      },
+      config: createConfig(),
+    });
+
+    expect(sshMocks.runSshSandboxCommand).toHaveBeenCalledWith(
+      expect.objectContaining({
+        allowFailure: true,
+        remoteCommand: expect.stringContaining('rm -rf -- "$1"'),
+      }),
+    );
+  });
+
+  it("creates a remote-canonical backend that seeds once and reuses ssh exec", async () => {
+    sshMocks.runSshSandboxCommand
+      .mockResolvedValueOnce({
+        stdout: Buffer.from("0\n"),
+        stderr: Buffer.alloc(0),
+        code: 0,
+      })
+      .mockResolvedValueOnce({
+        stdout: Buffer.alloc(0),
+        stderr: Buffer.alloc(0),
+        code: 0,
+      })
+      .mockResolvedValueOnce({
+        stdout: Buffer.alloc(0),
+        stderr: Buffer.alloc(0),
+        code: 0,
+      });
+
+    const backend = await createSshSandboxBackend({
+      sessionKey: "agent:worker:task",
+      scopeKey: "agent:worker",
+      workspaceDir: "/tmp/workspace",
+      agentWorkspaceDir: "/tmp/agent",
+      cfg: {
+        mode: "all",
+        backend: "ssh",
+        scope: "session",
+        workspaceAccess: "rw",
+        workspaceRoot: "~/.openclaw/sandboxes",
+        docker: {
+          image: "openclaw-sandbox:bookworm-slim",
+          containerPrefix: "openclaw-sbx-",
+          workdir: "/workspace",
+          readOnlyRoot: true,
+          tmpfs: ["/tmp"],
+          network: "none",
+          capDrop: ["ALL"],
+          env: { LANG: "C.UTF-8" },
+        },
+        ssh: {
+          target: "peter@example.com:2222",
+          command: "ssh",
+          workspaceRoot: "/remote/openclaw",
+          strictHostKeyChecking: true,
+          updateHostKeys: true,
+        },
+        browser: {
+          enabled: false,
+          image: "openclaw-browser",
+          containerPrefix: "openclaw-browser-",
+          network: "bridge",
+          cdpPort: 9222,
+          vncPort: 5900,
+          noVncPort: 6080,
+          headless: true,
+          enableNoVnc: false,
+          allowHostControl: false,
+          autoStart: false,
+          autoStartTimeoutMs: 1000,
+        },
+        tools: { allow: [], deny: [] },
+        prune: { idleHours: 24, maxAgeDays: 7 },
+      },
+    });
+
+    const execSpec = await backend.buildExecSpec({
+      command: "pwd",
+      env: { TEST_TOKEN: "1" },
+      usePty: false,
+    });
+
+    expect(execSpec.argv).toEqual(
+      expect.arrayContaining(["ssh", "-F", createSession().configPath, "-T", createSession().host]),
+    );
+    expect(execSpec.argv.at(-1)).toContain("/remote/openclaw/openclaw-ssh-agent-worker");
+    expect(sshMocks.uploadDirectoryToSshTarget).toHaveBeenCalledTimes(2);
+    expect(sshMocks.uploadDirectoryToSshTarget).toHaveBeenNthCalledWith(
+      1,
+      expect.objectContaining({
+        localDir: "/tmp/workspace",
+        remoteDir: expect.stringContaining("/workspace"),
+      }),
+    );
+    expect(sshMocks.uploadDirectoryToSshTarget).toHaveBeenNthCalledWith(
+      2,
+      expect.objectContaining({
+        localDir: "/tmp/agent",
+        remoteDir: expect.stringContaining("/agent"),
+      }),
+    );
+
+    await backend.finalizeExec?.({
+      status: "completed",
+      exitCode: 0,
+      timedOut: false,
+      token: execSpec.finalizeToken,
+    });
+    expect(sshMocks.disposeSshSandboxSession).toHaveBeenCalled();
+  });
+
+  it("rejects docker binds and missing ssh target", async () => {
+    await expect(
+      createSshSandboxBackend({
+        sessionKey: "s",
+        scopeKey: "s",
+        workspaceDir: "/tmp/workspace",
+        agentWorkspaceDir: "/tmp/workspace",
+        cfg: {
+          mode: "all",
+          backend: "ssh",
+          scope: "session",
+          workspaceAccess: "rw",
+          workspaceRoot: "~/.openclaw/sandboxes",
+          docker: {
+            image: "img",
+            containerPrefix: "prefix-",
+            workdir: "/workspace",
+            readOnlyRoot: true,
+            tmpfs: ["/tmp"],
+            network: "none",
+            capDrop: ["ALL"],
+            env: {},
+            binds: ["/tmp:/tmp:rw"],
+          },
+          ssh: {
+            target: "peter@example.com:22",
+            command: "ssh",
+            workspaceRoot: "/remote/openclaw",
+            strictHostKeyChecking: true,
+            updateHostKeys: true,
+          },
+          browser: {
+            enabled: false,
+            image: "img",
+            containerPrefix: "prefix-",
+            network: "bridge",
+            cdpPort: 1,
+            vncPort: 2,
+            noVncPort: 3,
+            headless: true,
+            enableNoVnc: false,
+            allowHostControl: false,
+            autoStart: false,
+            autoStartTimeoutMs: 1,
+          },
+          tools: { allow: [], deny: [] },
+          prune: { idleHours: 24, maxAgeDays: 7 },
+        },
+      }),
+    ).rejects.toThrow("does not support sandbox.docker.binds");
+
+    await expect(
+      createSshSandboxBackend({
+        sessionKey: "s",
+        scopeKey: "s",
+        workspaceDir: "/tmp/workspace",
+        agentWorkspaceDir: "/tmp/workspace",
+        cfg: {
+          mode: "all",
+          backend: "ssh",
+          scope: "session",
+          workspaceAccess: "rw",
+          workspaceRoot: "~/.openclaw/sandboxes",
+          docker: {
+            image: "img",
+            containerPrefix: "prefix-",
+            workdir: "/workspace",
+            readOnlyRoot: true,
+            tmpfs: ["/tmp"],
+            network: "none",
+            capDrop: ["ALL"],
+            env: {},
+          },
+          ssh: {
+            command: "ssh",
+            workspaceRoot: "/remote/openclaw",
+            strictHostKeyChecking: true,
+            updateHostKeys: true,
+          },
+          browser: {
+            enabled: false,
+            image: "img",
+            containerPrefix: "prefix-",
+            network: "bridge",
+            cdpPort: 1,
+            vncPort: 2,
+            noVncPort: 3,
+            headless: true,
+            enableNoVnc: false,
+            allowHostControl: false,
+            autoStart: false,
+            autoStartTimeoutMs: 1,
+          },
+          tools: { allow: [], deny: [] },
+          prune: { idleHours: 24, maxAgeDays: 7 },
+        },
+      }),
+    ).rejects.toThrow("requires agents.defaults.sandbox.ssh.target");
+  });
+});
diff --git a/src/agents/sandbox/ssh-backend.ts b/src/agents/sandbox/ssh-backend.ts
new file mode 100644
index 00000000000..f241103fc19
--- /dev/null
+++ b/src/agents/sandbox/ssh-backend.ts
@@ -0,0 +1,303 @@
+import path from "node:path";
+import type {
+  CreateSandboxBackendParams,
+  SandboxBackendCommandParams,
+  SandboxBackendCommandResult,
+  SandboxBackendHandle,
+  SandboxBackendManager,
+} from "./backend.js";
+import { resolveSandboxConfigForAgent } from "./config.js";
+import {
+  createRemoteShellSandboxFsBridge,
+  type RemoteShellSandboxHandle,
+} from "./remote-fs-bridge.js";
+import {
+  buildExecRemoteCommand,
+  buildRemoteCommand,
+  buildSshSandboxArgv,
+  createSshSandboxSessionFromSettings,
+  disposeSshSandboxSession,
+  runSshSandboxCommand,
+  uploadDirectoryToSshTarget,
+  type SshSandboxSession,
+} from "./ssh.js";
+
+type PendingExec = {
+  sshSession: SshSandboxSession;
+};
+
+type ResolvedSshRuntimePaths = {
+  runtimeId: string;
+  runtimeRootDir: string;
+  remoteWorkspaceDir: string;
+  remoteAgentWorkspaceDir: string;
+};
+
+export const sshSandboxBackendManager: SandboxBackendManager = {
+  async describeRuntime({ entry, config, agentId }) {
+    const cfg = resolveSandboxConfigForAgent(config, agentId);
+    if (cfg.backend !== "ssh" || !cfg.ssh.target) {
+      return {
+        running: false,
+        actualConfigLabel: cfg.ssh.target,
+        configLabelMatch: false,
+      };
+    }
+    const runtimePaths = resolveSshRuntimePaths(cfg.ssh.workspaceRoot, entry.sessionKey);
+    const session = await createSshSandboxSessionFromSettings({
+      ...cfg.ssh,
+      target: cfg.ssh.target,
+    });
+    try {
+      const result = await runSshSandboxCommand({
+        session,
+        remoteCommand: buildRemoteCommand([
+          "/bin/sh",
+          "-c",
+          'if [ -d "$1" ]; then printf "1\\n"; else printf "0\\n"; fi',
+          "openclaw-sandbox-check",
+          runtimePaths.runtimeRootDir,
+        ]),
+      });
+      return {
+        running: result.stdout.toString("utf8").trim() === "1",
+        actualConfigLabel: cfg.ssh.target,
+        configLabelMatch: entry.image === cfg.ssh.target,
+      };
+    } finally {
+      await disposeSshSandboxSession(session);
+    }
+  },
+  async removeRuntime({ entry, config, agentId }) {
+    const cfg = resolveSandboxConfigForAgent(config, agentId);
+    if (cfg.backend !== "ssh" || !cfg.ssh.target) {
+      return;
+    }
+    const runtimePaths = resolveSshRuntimePaths(cfg.ssh.workspaceRoot, entry.sessionKey);
+    const session = await createSshSandboxSessionFromSettings({
+      ...cfg.ssh,
+      target: cfg.ssh.target,
+    });
+    try {
+      await runSshSandboxCommand({
+        session,
+        remoteCommand: buildRemoteCommand([
+          "/bin/sh",
+          "-c",
+          'rm -rf -- "$1"',
+          "openclaw-sandbox-remove",
+          runtimePaths.runtimeRootDir,
+        ]),
+        allowFailure: true,
+      });
+    } finally {
+      await disposeSshSandboxSession(session);
+    }
+  },
+};
+
+export async function createSshSandboxBackend(
+  params: CreateSandboxBackendParams,
+): Promise<SandboxBackendHandle> {
+  if ((params.cfg.docker.binds?.length ?? 0) > 0) {
+    throw new Error("SSH sandbox backend does not support sandbox.docker.binds.");
+  }
+  const target = params.cfg.ssh.target;
+  if (!target) {
+    throw new Error('Sandbox backend "ssh" requires agents.defaults.sandbox.ssh.target.');
+  }
+
+  const runtimePaths = resolveSshRuntimePaths(params.cfg.ssh.workspaceRoot, params.scopeKey);
+  const impl = new SshSandboxBackendImpl({
+    createParams: params,
+    target,
+    runtimePaths,
+  });
+  return impl.asHandle();
+}
+
+class SshSandboxBackendImpl {
+  private ensurePromise: Promise<void> | null = null;
+
+  constructor(
+    private readonly params: {
+      createParams: CreateSandboxBackendParams;
+      target: string;
+      runtimePaths: ResolvedSshRuntimePaths;
+    },
+  ) {}
+
+  asHandle(): SandboxBackendHandle & RemoteShellSandboxHandle {
+    return {
+      id: "ssh",
+      runtimeId: this.params.runtimePaths.runtimeId,
+      runtimeLabel: this.params.runtimePaths.runtimeId,
+      workdir: this.params.runtimePaths.remoteWorkspaceDir,
+      env: this.params.createParams.cfg.docker.env,
+      configLabel: this.params.target,
+      configLabelKind: "Target",
+      remoteWorkspaceDir: this.params.runtimePaths.remoteWorkspaceDir,
+      remoteAgentWorkspaceDir: this.params.runtimePaths.remoteAgentWorkspaceDir,
+      buildExecSpec: async ({ command, workdir, env, usePty }) => {
+        await this.ensureRuntime();
+        const sshSession = await this.createSession();
+        const remoteCommand = buildExecRemoteCommand({
+          command,
+          workdir: workdir ?? this.params.runtimePaths.remoteWorkspaceDir,
+          env,
+        });
+        return {
+          argv: buildSshSandboxArgv({
+            session: sshSession,
+            remoteCommand,
+            tty: usePty,
+          }),
+          env: process.env,
+          stdinMode: "pipe-open",
+          finalizeToken: { sshSession } satisfies PendingExec,
+        };
+      },
+      finalizeExec: async ({ token }) => {
+        const sshSession = (token as PendingExec | undefined)?.sshSession;
+        if (sshSession) {
+          await disposeSshSandboxSession(sshSession);
+        }
+      },
+      runShellCommand: async (command) => await this.runRemoteShellScript(command),
+      createFsBridge: ({ sandbox }) =>
+        createRemoteShellSandboxFsBridge({
+          sandbox,
+          runtime: this.asHandle(),
+        }),
+      runRemoteShellScript: async (command) => await this.runRemoteShellScript(command),
+    };
+  }
+
+  private async createSession(): Promise<SshSandboxSession> {
+    return await createSshSandboxSessionFromSettings({
+      ...this.params.createParams.cfg.ssh,
+      target: this.params.target,
+    });
+  }
+
+  private async ensureRuntime(): Promise<void> {
+    if (this.ensurePromise) {
+      return await this.ensurePromise;
+    }
+    this.ensurePromise = this.ensureRuntimeInner();
+    try {
+      await this.ensurePromise;
+    } catch (error) {
+      this.ensurePromise = null;
+      throw error;
+    }
+  }
+
+  private async ensureRuntimeInner(): Promise<void> {
+    const session = await this.createSession();
+    try {
+      const exists = await runSshSandboxCommand({
+        session,
+        remoteCommand: buildRemoteCommand([
+          "/bin/sh",
+          "-c",
+          'if [ -d "$1" ]; then printf "1\\n"; else printf "0\\n"; fi',
+          "openclaw-sandbox-check",
+          this.params.runtimePaths.runtimeRootDir,
+        ]),
+      });
+      if (exists.stdout.toString("utf8").trim() === "1") {
+        return;
+      }
+      await this.replaceRemoteDirectoryFromLocal(
+        session,
+        this.params.createParams.workspaceDir,
+        this.params.runtimePaths.remoteWorkspaceDir,
+      );
+      if (
+        this.params.createParams.cfg.workspaceAccess !== "none" &&
+        path.resolve(this.params.createParams.agentWorkspaceDir) !==
+          path.resolve(this.params.createParams.workspaceDir)
+      ) {
+        await this.replaceRemoteDirectoryFromLocal(
+          session,
+          this.params.createParams.agentWorkspaceDir,
+          this.params.runtimePaths.remoteAgentWorkspaceDir,
+        );
+      }
+    } finally {
+      await disposeSshSandboxSession(session);
+    }
+  }
+
+  private async replaceRemoteDirectoryFromLocal(
+    session: SshSandboxSession,
+    localDir: string,
+    remoteDir: string,
+  ): Promise<void> {
+    await runSshSandboxCommand({
+      session,
+      remoteCommand: buildRemoteCommand([
+        "/bin/sh",
+        "-c",
+        'mkdir -p -- "$1" && find "$1" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +',
+        "openclaw-sandbox-clear",
+        remoteDir,
+      ]),
+    });
+    await uploadDirectoryToSshTarget({
+      session,
+      localDir,
+      remoteDir,
+    });
+  }
+
+  async runRemoteShellScript(
+    params: SandboxBackendCommandParams,
+  ): Promise<SandboxBackendCommandResult> {
+    await this.ensureRuntime();
+    const session = await this.createSession();
+    try {
+      return await runSshSandboxCommand({
+        session,
+        remoteCommand: buildRemoteCommand([
+          "/bin/sh",
+          "-c",
+          params.script,
+          "openclaw-sandbox-fs",
+          ...(params.args ?? []),
+        ]),
+        stdin: params.stdin,
+        allowFailure: params.allowFailure,
+        signal: params.signal,
+      });
+    } finally {
+      await disposeSshSandboxSession(session);
+    }
+  }
+}
+
+function resolveSshRuntimePaths(workspaceRoot: string, scopeKey: string): ResolvedSshRuntimePaths {
+  const runtimeId = buildSshSandboxRuntimeId(scopeKey);
+  const runtimeRootDir = path.posix.join(workspaceRoot, runtimeId);
+  return {
+    runtimeId,
+    runtimeRootDir,
+    remoteWorkspaceDir: path.posix.join(runtimeRootDir, "workspace"),
+    remoteAgentWorkspaceDir: path.posix.join(runtimeRootDir, "agent"),
+  };
+}
+
+function buildSshSandboxRuntimeId(scopeKey: string): string {
+  const trimmed = scopeKey.trim() || "session";
+  const safe = trimmed
+    .toLowerCase()
+    .replace(/[^a-z0-9._-]+/g, "-")
+    .replace(/^-+|-+$/g, "")
+    .slice(0, 32);
+  const hash = Array.from(trimmed).reduce(
+    (acc, char) => ((acc * 33) ^ char.charCodeAt(0)) >>> 0,
+    5381,
+  );
+  return `openclaw-ssh-${safe || "session"}-${hash.toString(16).slice(0, 8)}`;
+}
diff --git a/src/agents/sandbox/ssh.test.ts b/src/agents/sandbox/ssh.test.ts
new file mode 100644
index 00000000000..c2c07a3bf11
--- /dev/null
+++ b/src/agents/sandbox/ssh.test.ts
@@ -0,0 +1,61 @@
+import fs from "node:fs/promises";
+import { afterEach, describe, expect, it } from "vitest";
+import {
+  buildExecRemoteCommand,
+  createSshSandboxSessionFromSettings,
+  disposeSshSandboxSession,
+  type SshSandboxSession,
+} from "./ssh.js";
+
+const sessions: SshSandboxSession[] = [];
+
+afterEach(async () => {
+  await Promise.all(
+    sessions.splice(0).map(async (session) => {
+      await disposeSshSandboxSession(session);
+    }),
+  );
+});
+
+describe("sandbox ssh helpers", () => {
+  it("materializes inline ssh auth data into a temp config", async () => {
+    const session = await createSshSandboxSessionFromSettings({
+      command: "ssh",
+      target: "peter@example.com:2222",
+      strictHostKeyChecking: true,
+      updateHostKeys: false,
+      identityData: "PRIVATE KEY",
+      certificateData: "SSH CERT",
+      knownHostsData: "example.com ssh-ed25519 AAAATEST",
+    });
+    sessions.push(session);
+
+    const config = await fs.readFile(session.configPath, "utf8");
+    expect(config).toContain("Host openclaw-sandbox");
+    expect(config).toContain("HostName example.com");
+    expect(config).toContain("User peter");
+    expect(config).toContain("Port 2222");
+    expect(config).toContain("StrictHostKeyChecking yes");
+    expect(config).toContain("UpdateHostKeys no");
+
+    const configDir = session.configPath.slice(0, session.configPath.lastIndexOf("/"));
+    expect(await fs.readFile(`${configDir}/identity`, "utf8")).toBe("PRIVATE KEY");
+    expect(await fs.readFile(`${configDir}/certificate.pub`, "utf8")).toBe("SSH CERT");
+    expect(await fs.readFile(`${configDir}/known_hosts`, "utf8")).toBe(
+      "example.com ssh-ed25519 AAAATEST",
+    );
+  });
+
+  it("wraps remote exec commands with env and workdir", () => {
+    const command = buildExecRemoteCommand({
+      command: "pwd && printenv TOKEN",
+      workdir: "/sandbox/project",
+      env: {
+        TOKEN: "abc 123",
+      },
+    });
+    expect(command).toContain(`'env'`);
+    expect(command).toContain(`'TOKEN=abc 123'`);
+    expect(command).toContain(`'cd '"'"'/sandbox/project'"'"' && pwd && printenv TOKEN'`);
+  });
+});
diff --git a/src/agents/sandbox/ssh.ts b/src/agents/sandbox/ssh.ts
new file mode 100644
index 00000000000..1590b515e8f
--- /dev/null
+++ b/src/agents/sandbox/ssh.ts
@@ -0,0 +1,334 @@
+import { spawn } from "node:child_process";
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { parseSshTarget } from "../../infra/ssh-tunnel.js";
+import { resolvePreferredOpenClawTmpDir } from "../../infra/tmp-openclaw-dir.js";
+import { resolveUserPath } from "../../utils.js";
+import type { SandboxBackendCommandResult } from "./backend.js";
+
+export type SshSandboxSettings = {
+  command: string;
+  target: string;
+  strictHostKeyChecking: boolean;
+  updateHostKeys: boolean;
+  identityFile?: string;
+  certificateFile?: string;
+  knownHostsFile?: string;
+  identityData?: string;
+  certificateData?: string;
+  knownHostsData?: string;
+};
+
+export type SshSandboxSession = {
+  command: string;
+  configPath: string;
+  host: string;
+};
+
+export type RunSshSandboxCommandParams = {
+  session: SshSandboxSession;
+  remoteCommand: string;
+  stdin?: Buffer | string;
+  allowFailure?: boolean;
+  signal?: AbortSignal;
+  tty?: boolean;
+};
+
+export function shellEscape(value: string): string {
+  return `'${value.replaceAll("'", `'"'"'`)}'`;
+}
+
+export function buildRemoteCommand(argv: string[]): string {
+  return argv.map((entry) => shellEscape(entry)).join(" ");
+}
+
+export function buildExecRemoteCommand(params: {
+  command: string;
+  workdir?: string;
+  env: Record<string, string>;
+}): string {
+  const body = params.workdir
+    ? `cd ${shellEscape(params.workdir)} && ${params.command}`
+    : params.command;
+  const argv =
+    Object.keys(params.env).length > 0
+      ? [
+          "env",
+          ...Object.entries(params.env).map(([key, value]) => `${key}=${value}`),
+          "/bin/sh",
+          "-c",
+          body,
+        ]
+      : ["/bin/sh", "-c", body];
+  return buildRemoteCommand(argv);
+}
+
+export function buildSshSandboxArgv(params: {
+  session: SshSandboxSession;
+  remoteCommand: string;
+  tty?: boolean;
+}): string[] {
+  return [
+    params.session.command,
+    "-F",
+    params.session.configPath,
+    ...(params.tty
+      ? ["-tt", "-o", "RequestTTY=force", "-o", "SetEnv=TERM=xterm-256color"]
+      : ["-T", "-o", "RequestTTY=no"]),
+    params.session.host,
+    params.remoteCommand,
+  ];
+}
+
+export async function createSshSandboxSessionFromConfigText(params: {
+  configText: string;
+  host?: string;
+  command?: string;
+}): Promise<SshSandboxSession> {
+  const host = params.host?.trim() || parseSshConfigHost(params.configText);
+  if (!host) {
+    throw new Error("Failed to parse SSH config output.");
+  }
+  const configDir = await fs.mkdtemp(path.join(resolveSshTmpRoot(), "openclaw-sandbox-ssh-"));
+  const configPath = path.join(configDir, "config");
+  await fs.writeFile(configPath, params.configText, { encoding: "utf8", mode: 0o600 });
+  await fs.chmod(configPath, 0o600);
+  return {
+    command: params.command?.trim() || "ssh",
+    configPath,
+    host,
+  };
+}
+
+export async function createSshSandboxSessionFromSettings(
+  settings: SshSandboxSettings,
+): Promise<SshSandboxSession> {
+  const parsed = parseSshTarget(settings.target);
+  if (!parsed) {
+    throw new Error(`Invalid sandbox SSH target: ${settings.target}`);
+  }
+
+  const configDir = await fs.mkdtemp(path.join(resolveSshTmpRoot(), "openclaw-sandbox-ssh-"));
+  try {
+    const materializedIdentity = settings.identityData
+      ? await writeSecretMaterial(configDir, "identity", settings.identityData)
+      : undefined;
+    const materializedCertificate = settings.certificateData
+      ? await writeSecretMaterial(configDir, "certificate.pub", settings.certificateData)
+      : undefined;
+    const materializedKnownHosts = settings.knownHostsData
+      ? await writeSecretMaterial(configDir, "known_hosts", settings.knownHostsData)
+      : undefined;
+    const identityFile = materializedIdentity ?? resolveOptionalLocalPath(settings.identityFile);
+    const certificateFile =
+      materializedCertificate ?? resolveOptionalLocalPath(settings.certificateFile);
+    const knownHostsFile =
+      materializedKnownHosts ?? resolveOptionalLocalPath(settings.knownHostsFile);
+    const hostAlias = "openclaw-sandbox";
+    const configPath = path.join(configDir, "config");
+    const lines = [
+      `Host ${hostAlias}`,
+      `  HostName ${parsed.host}`,
+      `  Port ${parsed.port}`,
+      "  BatchMode yes",
+      "  ConnectTimeout 5",
+      "  ServerAliveInterval 15",
+      "  ServerAliveCountMax 3",
+      `  StrictHostKeyChecking ${settings.strictHostKeyChecking ? "yes" : "no"}`,
+      `  UpdateHostKeys ${settings.updateHostKeys ? "yes" : "no"}`,
+    ];
+    if (parsed.user) {
+      lines.push(`  User ${parsed.user}`);
+    }
+    if (knownHostsFile) {
+      lines.push(`  UserKnownHostsFile ${knownHostsFile}`);
+    } else if (!settings.strictHostKeyChecking) {
+      lines.push("  UserKnownHostsFile /dev/null");
+    }
+    if (identityFile) {
+      lines.push(`  IdentityFile ${identityFile}`);
+    }
+    if (certificateFile) {
+      lines.push(`  CertificateFile ${certificateFile}`);
+    }
+    if (identityFile || certificateFile) {
+      lines.push("  IdentitiesOnly yes");
+    }
+    await fs.writeFile(configPath, `${lines.join("\n")}\n`, {
+      encoding: "utf8",
+      mode: 0o600,
+    });
+    await fs.chmod(configPath, 0o600);
+    return {
+      command: settings.command.trim() || "ssh",
+      configPath,
+      host: hostAlias,
+    };
+  } catch (error) {
+    await fs.rm(configDir, { recursive: true, force: true });
+    throw error;
+  }
+}
+
+export async function disposeSshSandboxSession(session: SshSandboxSession): Promise<void> {
+  await fs.rm(path.dirname(session.configPath), { recursive: true, force: true });
+}
+
+export async function runSshSandboxCommand(
+  params: RunSshSandboxCommandParams,
+): Promise<SandboxBackendCommandResult> {
+  const argv = buildSshSandboxArgv({
+    session: params.session,
+    remoteCommand: params.remoteCommand,
+    tty: params.tty,
+  });
+  return await new Promise<SandboxBackendCommandResult>((resolve, reject) => {
+    const child = spawn(argv[0], argv.slice(1), {
+      stdio: ["pipe", "pipe", "pipe"],
+      env: process.env,
+      signal: params.signal,
+    });
+    const stdoutChunks: Buffer[] = [];
+    const stderrChunks: Buffer[] = [];
+
+    child.stdout.on("data", (chunk) => stdoutChunks.push(Buffer.from(chunk)));
+    child.stderr.on("data", (chunk) => stderrChunks.push(Buffer.from(chunk)));
+    child.on("error", reject);
+    child.on("close", (code) => {
+      const stdout = Buffer.concat(stdoutChunks);
+      const stderr = Buffer.concat(stderrChunks);
+      const exitCode = code ?? 0;
+      if (exitCode !== 0 && !params.allowFailure) {
+        reject(
+          Object.assign(
+            new Error(stderr.toString("utf8").trim() || `ssh exited with code ${exitCode}`),
+            {
+              code: exitCode,
+              stdout,
+              stderr,
+            },
+          ),
+        );
+        return;
+      }
+      resolve({ stdout, stderr, code: exitCode });
+    });
+
+    if (params.stdin !== undefined) {
+      child.stdin.end(params.stdin);
+      return;
+    }
+    child.stdin.end();
+  });
+}
+
+export async function uploadDirectoryToSshTarget(params: {
+  session: SshSandboxSession;
+  localDir: string;
+  remoteDir: string;
+  signal?: AbortSignal;
+}): Promise<void> {
+  const remoteCommand = buildRemoteCommand([
+    "/bin/sh",
+    "-c",
+    'mkdir -p -- "$1" && tar -xf - -C "$1"',
+    "openclaw-sandbox-upload",
+    params.remoteDir,
+  ]);
+  const sshArgv = buildSshSandboxArgv({
+    session: params.session,
+    remoteCommand,
+  });
+  await new Promise<void>((resolve, reject) => {
+    const tar = spawn("tar", ["-C", params.localDir, "-cf", "-", "."], {
+      stdio: ["ignore", "pipe", "pipe"],
+      signal: params.signal,
+    });
+    const ssh = spawn(sshArgv[0], sshArgv.slice(1), {
+      stdio: ["pipe", "pipe", "pipe"],
+      env: process.env,
+      signal: params.signal,
+    });
+    const tarStderr: Buffer[] = [];
+    const sshStdout: Buffer[] = [];
+    const sshStderr: Buffer[] = [];
+    let tarClosed = false;
+    let sshClosed = false;
+    let tarCode = 0;
+    let sshCode = 0;
+
+    tar.stderr.on("data", (chunk) => tarStderr.push(Buffer.from(chunk)));
+    ssh.stdout.on("data", (chunk) => sshStdout.push(Buffer.from(chunk)));
+    ssh.stderr.on("data", (chunk) => sshStderr.push(Buffer.from(chunk)));
+
+    const fail = (error: unknown) => {
+      tar.kill("SIGKILL");
+      ssh.kill("SIGKILL");
+      reject(error);
+    };
+
+    tar.on("error", fail);
+    ssh.on("error", fail);
+    tar.stdout.pipe(ssh.stdin);
+
+    tar.on("close", (code) => {
+      tarClosed = true;
+      tarCode = code ?? 0;
+      maybeResolve();
+    });
+    ssh.on("close", (code) => {
+      sshClosed = true;
+      sshCode = code ?? 0;
+      maybeResolve();
+    });
+
+    function maybeResolve() {
+      if (!tarClosed || !sshClosed) {
+        return;
+      }
+      if (tarCode !== 0) {
+        reject(
+          new Error(
+            Buffer.concat(tarStderr).toString("utf8").trim() || `tar exited with code ${tarCode}`,
+          ),
+        );
+        return;
+      }
+      if (sshCode !== 0) {
+        reject(
+          new Error(
+            Buffer.concat(sshStderr).toString("utf8").trim() || `ssh exited with code ${sshCode}`,
+          ),
+        );
+        return;
+      }
+      resolve();
+    }
+  });
+}
+
+function parseSshConfigHost(configText: string): string | null {
+  const hostMatch = configText.match(/^\s*Host\s+(\S+)/m);
+  return hostMatch?.[1]?.trim() || null;
+}
+
+function resolveSshTmpRoot(): string {
+  return path.resolve(resolvePreferredOpenClawTmpDir() ?? os.tmpdir());
+}
+
+function resolveOptionalLocalPath(value: string | undefined): string | undefined {
+  const trimmed = value?.trim();
+  return trimmed ? resolveUserPath(trimmed) : undefined;
+}
+
+async function writeSecretMaterial(
+  dir: string,
+  filename: string,
+  contents: string,
+): Promise<string> {
+  const pathname = path.join(dir, filename);
+  await fs.writeFile(pathname, contents, { encoding: "utf8", mode: 0o600 });
+  await fs.chmod(pathname, 0o600);
+  return pathname;
+}
diff --git a/src/agents/sandbox/test-fixtures.ts b/src/agents/sandbox/test-fixtures.ts
index db3835dcba5..b20b5b452f7 100644
--- a/src/agents/sandbox/test-fixtures.ts
+++ b/src/agents/sandbox/test-fixtures.ts
@@ -28,10 +28,13 @@ export function createSandboxTestContext(params?: {
 
   return {
     enabled: true,
+    backendId: "docker",
     sessionKey: "sandbox:test",
     workspaceDir: "/tmp/workspace",
     agentWorkspaceDir: "/tmp/workspace",
     workspaceAccess: "rw",
+    runtimeId: "openclaw-sbx-test",
+    runtimeLabel: "openclaw-sbx-test",
     containerName: "openclaw-sbx-test",
     containerWorkdir: "/workspace",
     tools: { allow: ["*"], deny: [] },
diff --git a/src/agents/sandbox/types.ts b/src/agents/sandbox/types.ts
index 4ccfd691cfb..482ce6a922e 100644
--- a/src/agents/sandbox/types.ts
+++ b/src/agents/sandbox/types.ts
@@ -1,3 +1,4 @@
+import type { SandboxBackendHandle, SandboxBackendId } from "./backend.js";
 import type { SandboxFsBridge } from "./fs-bridge.js";
 import type { SandboxDockerConfig } from "./types.docker.js";
 
@@ -50,14 +51,30 @@ export type SandboxPruneConfig = {
   maxAgeDays: number;
 };
 
+export type SandboxSshConfig = {
+  target?: string;
+  command: string;
+  workspaceRoot: string;
+  strictHostKeyChecking: boolean;
+  updateHostKeys: boolean;
+  identityFile?: string;
+  certificateFile?: string;
+  knownHostsFile?: string;
+  identityData?: string;
+  certificateData?: string;
+  knownHostsData?: string;
+};
+
 export type SandboxScope = "session" | "agent" | "shared";
 
 export type SandboxConfig = {
   mode: "off" | "non-main" | "all";
+  backend: SandboxBackendId;
   scope: SandboxScope;
   workspaceAccess: SandboxWorkspaceAccess;
   workspaceRoot: string;
   docker: SandboxDockerConfig;
+  ssh: SandboxSshConfig;
   browser: SandboxBrowserConfig;
   tools: SandboxToolPolicy;
   prune: SandboxPruneConfig;
@@ -71,10 +88,13 @@ export type SandboxBrowserContext = {
 
 export type SandboxContext = {
   enabled: boolean;
+  backendId: SandboxBackendId;
   sessionKey: string;
   workspaceDir: string;
   agentWorkspaceDir: string;
   workspaceAccess: SandboxWorkspaceAccess;
+  runtimeId: string;
+  runtimeLabel: string;
   containerName: string;
   containerWorkdir: string;
   docker: SandboxDockerConfig;
@@ -82,6 +102,7 @@ export type SandboxContext = {
   browserAllowHostControl: boolean;
   browser?: SandboxBrowserContext;
   fsBridge?: SandboxFsBridge;
+  backend?: SandboxBackendHandle;
 };
 
 export type SandboxWorkspaceInfo = {
diff --git a/src/agents/subagent-orphan-recovery.test.ts b/src/agents/subagent-orphan-recovery.test.ts
new file mode 100644
index 00000000000..66b8097154c
--- /dev/null
+++ b/src/agents/subagent-orphan-recovery.test.ts
@@ -0,0 +1,437 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import type { SubagentRunRecord } from "./subagent-registry.types.js";
+
+// Mock dependencies before importing the module under test
+vi.mock("../config/config.js", () => ({
+  loadConfig: vi.fn(() => ({
+    session: { store: undefined },
+  })),
+}));
+
+vi.mock("../config/sessions.js", () => ({
+  loadSessionStore: vi.fn(() => ({})),
+  resolveAgentIdFromSessionKey: vi.fn(() => "main"),
+  resolveStorePath: vi.fn(() => "/tmp/test-sessions.json"),
+  updateSessionStore: vi.fn(async () => {}),
+}));
+
+vi.mock("../gateway/call.js", () => ({
+  callGateway: vi.fn(async () => ({ runId: "test-run-id" })),
+}));
+
+vi.mock("../gateway/session-utils.fs.js", () => ({
+  readSessionMessages: vi.fn(() => []),
+}));
+
+vi.mock("./subagent-registry.js", () => ({
+  replaceSubagentRunAfterSteer: vi.fn(() => true),
+}));
+
+function createTestRunRecord(overrides: Partial<SubagentRunRecord> = {}): SubagentRunRecord {
+  return {
+    runId: "run-1",
+    childSessionKey: "agent:main:subagent:test-session-1",
+    requesterSessionKey: "agent:main:signal:direct:+1234567890",
+    requesterDisplayKey: "main",
+    task: "Test task: implement feature X",
+    cleanup: "delete",
+    createdAt: Date.now() - 60_000,
+    startedAt: Date.now() - 55_000,
+    ...overrides,
+  };
+}
+
+describe("subagent-orphan-recovery", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("recovers orphaned sessions with abortedLastRun=true", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+    const subagentRegistry = await import("./subagent-registry.js");
+
+    const sessionEntry = {
+      sessionId: "session-abc",
+      updatedAt: Date.now(),
+      abortedLastRun: true,
+    };
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": sessionEntry,
+    });
+
+    const run = createTestRunRecord();
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", run);
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    expect(result.recovered).toBe(1);
+    expect(result.failed).toBe(0);
+    expect(result.skipped).toBe(0);
+
+    // Should have called callGateway to resume the session
+    expect(gateway.callGateway).toHaveBeenCalledOnce();
+    const callArgs = vi.mocked(gateway.callGateway).mock.calls[0];
+    const opts = callArgs[0];
+    expect(opts.method).toBe("agent");
+    const params = opts.params as Record<string, unknown>;
+    expect(params.sessionKey).toBe("agent:main:subagent:test-session-1");
+    expect(params.message).toContain("gateway reload");
+    expect(params.message).toContain("Test task: implement feature X");
+    expect(subagentRegistry.replaceSubagentRunAfterSteer).toHaveBeenCalledWith(
+      expect.objectContaining({
+        previousRunId: "run-1",
+        nextRunId: "test-run-id",
+        fallback: run,
+      }),
+    );
+  });
+
+  it("skips sessions that are not aborted", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: false,
+      },
+    });
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    expect(result.recovered).toBe(0);
+    expect(result.skipped).toBe(1);
+    expect(gateway.callGateway).not.toHaveBeenCalled();
+  });
+
+  it("skips runs that have already ended", async () => {
+    const gateway = await import("../gateway/call.js");
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set(
+      "run-1",
+      createTestRunRecord({
+        endedAt: Date.now() - 1000,
+      }),
+    );
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    expect(result.recovered).toBe(0);
+    expect(gateway.callGateway).not.toHaveBeenCalled();
+  });
+
+  it("handles multiple orphaned sessions", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:session-a": {
+        sessionId: "id-a",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+      "agent:main:subagent:session-b": {
+        sessionId: "id-b",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+      "agent:main:subagent:session-c": {
+        sessionId: "id-c",
+        updatedAt: Date.now(),
+        abortedLastRun: false,
+      },
+    });
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set(
+      "run-a",
+      createTestRunRecord({
+        runId: "run-a",
+        childSessionKey: "agent:main:subagent:session-a",
+        task: "Task A",
+      }),
+    );
+    activeRuns.set(
+      "run-b",
+      createTestRunRecord({
+        runId: "run-b",
+        childSessionKey: "agent:main:subagent:session-b",
+        task: "Task B",
+      }),
+    );
+    activeRuns.set(
+      "run-c",
+      createTestRunRecord({
+        runId: "run-c",
+        childSessionKey: "agent:main:subagent:session-c",
+        task: "Task C",
+      }),
+    );
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    expect(result.recovered).toBe(2);
+    expect(result.skipped).toBe(1);
+    expect(gateway.callGateway).toHaveBeenCalledTimes(2);
+  });
+
+  it("handles callGateway failure gracefully and preserves abortedLastRun flag", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+    });
+
+    vi.mocked(gateway.callGateway).mockRejectedValue(new Error("gateway unavailable"));
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    expect(result.recovered).toBe(0);
+    expect(result.failed).toBe(1);
+
+    // abortedLastRun flag should NOT be cleared on failure,
+    // so the next restart can retry the recovery
+    expect(sessions.updateSessionStore).not.toHaveBeenCalled();
+  });
+
+  it("returns empty results when no active runs exist", async () => {
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => new Map(),
+    });
+
+    expect(result.recovered).toBe(0);
+    expect(result.failed).toBe(0);
+    expect(result.skipped).toBe(0);
+  });
+
+  it("skips sessions with missing session entry in store", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    // Store has no matching entry
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({});
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    expect(result.recovered).toBe(0);
+    expect(result.skipped).toBe(1);
+    expect(gateway.callGateway).not.toHaveBeenCalled();
+  });
+
+  it("clears abortedLastRun flag after successful resume", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    // Ensure callGateway succeeds for this test
+    vi.mocked(gateway.callGateway).mockResolvedValue({ runId: "resumed-run" } as never);
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+    });
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    // updateSessionStore should have been called AFTER successful resume to clear the flag
+    expect(sessions.updateSessionStore).toHaveBeenCalledOnce();
+    const calls = vi.mocked(sessions.updateSessionStore).mock.calls;
+    const [storePath, updater] = calls[0];
+    expect(storePath).toBe("/tmp/test-sessions.json");
+
+    // Simulate the updater to verify it clears abortedLastRun
+    const mockStore: Record<string, { abortedLastRun?: boolean; updatedAt?: number }> = {
+      "agent:main:subagent:test-session-1": {
+        abortedLastRun: true,
+        updatedAt: 0,
+      },
+    };
+    (updater as (store: Record<string, unknown>) => void)(mockStore);
+    expect(mockStore["agent:main:subagent:test-session-1"]?.abortedLastRun).toBe(false);
+  });
+
+  it("truncates long task descriptions in resume message", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+    });
+
+    const longTask = "x".repeat(5000);
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord({ task: longTask }));
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    const callArgs = vi.mocked(gateway.callGateway).mock.calls[0];
+    const opts = callArgs[0];
+    const params = opts.params as Record<string, unknown>;
+    const message = params.message as string;
+    // Message should contain truncated task (2000 chars + "...")
+    expect(message.length).toBeLessThan(5000);
+    expect(message).toContain("...");
+  });
+
+  it("includes last human message in resume when available", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+    const sessionUtils = await import("../gateway/session-utils.fs.js");
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+        sessionFile: "session-abc.jsonl",
+      },
+    });
+
+    vi.mocked(sessionUtils.readSessionMessages).mockReturnValue([
+      { role: "user", content: [{ type: "text", text: "Please build feature Y" }] },
+      { role: "assistant", content: [{ type: "text", text: "Working on it..." }] },
+      { role: "user", content: [{ type: "text", text: "Also add tests for it" }] },
+      { role: "assistant", content: [{ type: "text", text: "Sure, adding tests now." }] },
+    ]);
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+    await recoverOrphanedSubagentSessions({ getActiveRuns: () => activeRuns });
+
+    const callArgs = vi.mocked(gateway.callGateway).mock.calls[0];
+    const params = callArgs[0].params as Record<string, unknown>;
+    const message = params.message as string;
+    expect(message).toContain("Also add tests for it");
+    expect(message).toContain("last message from the user");
+  });
+
+  it("adds config change hint when assistant messages reference config modifications", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+    const sessionUtils = await import("../gateway/session-utils.fs.js");
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+    });
+
+    vi.mocked(sessionUtils.readSessionMessages).mockReturnValue([
+      { role: "user", content: "Update the config" },
+      { role: "assistant", content: "I've modified openclaw.json to add the new setting." },
+    ]);
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+    await recoverOrphanedSubagentSessions({ getActiveRuns: () => activeRuns });
+
+    const callArgs = vi.mocked(gateway.callGateway).mock.calls[0];
+    const params = callArgs[0].params as Record<string, unknown>;
+    const message = params.message as string;
+    expect(message).toContain("config changes from your previous run were already applied");
+  });
+
+  it("prevents duplicate resume when updateSessionStore fails", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    vi.mocked(gateway.callGateway).mockResolvedValue({ runId: "new-run" } as never);
+    vi.mocked(sessions.updateSessionStore).mockRejectedValue(new Error("write failed"));
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+    });
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+    activeRuns.set(
+      "run-2",
+      createTestRunRecord({
+        runId: "run-2",
+      }),
+    );
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+    const result = await recoverOrphanedSubagentSessions({ getActiveRuns: () => activeRuns });
+
+    expect(result.recovered).toBe(1);
+    expect(result.skipped).toBe(1);
+    expect(gateway.callGateway).toHaveBeenCalledOnce();
+  });
+});
diff --git a/src/agents/subagent-orphan-recovery.ts b/src/agents/subagent-orphan-recovery.ts
new file mode 100644
index 00000000000..60408c09ae9
--- /dev/null
+++ b/src/agents/subagent-orphan-recovery.ts
@@ -0,0 +1,314 @@
+/**
+ * Post-restart orphan recovery for subagent sessions.
+ *
+ * After a SIGUSR1 gateway reload aborts in-flight subagent LLM calls,
+ * this module scans for orphaned sessions (those with `abortedLastRun: true`
+ * that are still tracked as active in the subagent registry) and sends a
+ * synthetic resume message to restart their work.
+ *
+ * @see https://github.com/openclaw/openclaw/issues/47711
+ */
+
+import crypto from "node:crypto";
+import { loadConfig } from "../config/config.js";
+import {
+  loadSessionStore,
+  resolveAgentIdFromSessionKey,
+  resolveStorePath,
+  updateSessionStore,
+  type SessionEntry,
+} from "../config/sessions.js";
+import { callGateway } from "../gateway/call.js";
+import { readSessionMessages } from "../gateway/session-utils.fs.js";
+import { createSubsystemLogger } from "../logging/subsystem.js";
+import { replaceSubagentRunAfterSteer } from "./subagent-registry.js";
+import type { SubagentRunRecord } from "./subagent-registry.types.js";
+
+const log = createSubsystemLogger("subagent-orphan-recovery");
+
+/** Delay before attempting recovery to let the gateway finish bootstrapping. */
+const DEFAULT_RECOVERY_DELAY_MS = 5_000;
+
+/**
+ * Build the resume message for an orphaned subagent.
+ */
+function buildResumeMessage(task: string, lastHumanMessage?: string): string {
+  const maxTaskLen = 2000;
+  const truncatedTask = task.length > maxTaskLen ? `${task.slice(0, maxTaskLen)}...` : task;
+
+  let message =
+    `[System] Your previous turn was interrupted by a gateway reload. ` +
+    `Your original task was:\n\n${truncatedTask}\n\n`;
+
+  if (lastHumanMessage) {
+    message += `The last message from the user before the interruption was:\n\n${lastHumanMessage}\n\n`;
+  }
+
+  message += `Please continue where you left off.`;
+  return message;
+}
+
+function extractMessageText(msg: unknown): string | undefined {
+  if (!msg || typeof msg !== "object") {
+    return undefined;
+  }
+  const m = msg as Record<string, unknown>;
+  if (typeof m.content === "string") {
+    return m.content;
+  }
+  if (Array.isArray(m.content)) {
+    const text = m.content
+      .filter(
+        (c: unknown) =>
+          typeof c === "object" &&
+          c !== null &&
+          (c as Record<string, unknown>).type === "text" &&
+          typeof (c as Record<string, unknown>).text === "string",
+      )
+      .map((c: unknown) => (c as Record<string, string>).text)
+      .filter(Boolean)
+      .join("\n");
+    return text || undefined;
+  }
+  return undefined;
+}
+
+/**
+ * Send a resume message to an orphaned subagent session via the gateway agent method.
+ */
+async function resumeOrphanedSession(params: {
+  sessionKey: string;
+  task: string;
+  lastHumanMessage?: string;
+  configChangeHint?: string;
+  originalRunId: string;
+  originalRun: SubagentRunRecord;
+}): Promise<boolean> {
+  let resumeMessage = buildResumeMessage(params.task, params.lastHumanMessage);
+  if (params.configChangeHint) {
+    resumeMessage += params.configChangeHint;
+  }
+
+  try {
+    const result = await callGateway<{ runId: string }>({
+      method: "agent",
+      params: {
+        message: resumeMessage,
+        sessionKey: params.sessionKey,
+        idempotencyKey: crypto.randomUUID(),
+        deliver: false,
+        lane: "subagent",
+      },
+      timeoutMs: 10_000,
+    });
+    const remapped = replaceSubagentRunAfterSteer({
+      previousRunId: params.originalRunId,
+      nextRunId: result.runId,
+      fallback: params.originalRun,
+    });
+    if (!remapped) {
+      log.warn(
+        `resumed orphaned session ${params.sessionKey} but remap failed (old run already removed); treating as failure`,
+      );
+      return false;
+    }
+    log.info(`resumed orphaned session: ${params.sessionKey}`);
+    return true;
+  } catch (err) {
+    log.warn(`failed to resume orphaned session ${params.sessionKey}: ${String(err)}`);
+    return false;
+  }
+}
+
+/**
+ * Scan for and resume orphaned subagent sessions after a gateway restart.
+ *
+ * An orphaned session is one where:
+ * 1. It has an active (not ended) entry in the subagent run registry
+ * 2. Its session store entry has `abortedLastRun: true`
+ *
+ * For each orphaned session found, we:
+ * 1. Clear the `abortedLastRun` flag
+ * 2. Send a synthetic resume message to trigger a new LLM turn
+ */
+export async function recoverOrphanedSubagentSessions(params: {
+  getActiveRuns: () => Map<string, SubagentRunRecord>;
+  /** Persisted across retries so already-resumed sessions are not resumed again. */
+  resumedSessionKeys?: Set<string>;
+}): Promise<{ recovered: number; failed: number; skipped: number }> {
+  const result = { recovered: 0, failed: 0, skipped: 0 };
+  const resumedSessionKeys = params.resumedSessionKeys ?? new Set<string>();
+  const configChangePattern = /openclaw\.json|openclaw gateway restart|config\.patch/i;
+
+  try {
+    const activeRuns = params.getActiveRuns();
+    if (activeRuns.size === 0) {
+      return result;
+    }
+
+    const cfg = loadConfig();
+    const storeCache = new Map<string, Record<string, SessionEntry>>();
+
+    for (const [runId, runRecord] of activeRuns.entries()) {
+      // Only consider runs that haven't ended yet
+      if (typeof runRecord.endedAt === "number" && runRecord.endedAt > 0) {
+        continue;
+      }
+
+      const childSessionKey = runRecord.childSessionKey?.trim();
+      if (!childSessionKey) {
+        continue;
+      }
+      if (resumedSessionKeys.has(childSessionKey)) {
+        result.skipped++;
+        continue;
+      }
+
+      try {
+        const agentId = resolveAgentIdFromSessionKey(childSessionKey);
+        const storePath = resolveStorePath(cfg.session?.store, { agentId });
+
+        let store = storeCache.get(storePath);
+        if (!store) {
+          store = loadSessionStore(storePath);
+          storeCache.set(storePath, store);
+        }
+
+        const entry = store[childSessionKey];
+        if (!entry) {
+          result.skipped++;
+          continue;
+        }
+
+        // Check if this session was aborted by the restart
+        if (!entry.abortedLastRun) {
+          result.skipped++;
+          continue;
+        }
+
+        log.info(`found orphaned subagent session: ${childSessionKey} (run=${runId})`);
+
+        const messages = readSessionMessages(entry.sessionId, storePath, entry.sessionFile);
+        const lastHumanMessage = [...messages]
+          .toReversed()
+          .find((msg) => (msg as { role?: unknown } | null)?.role === "user");
+        const configChangeDetected = messages.some((msg) => {
+          if ((msg as { role?: unknown } | null)?.role !== "assistant") {
+            return false;
+          }
+          const text = extractMessageText(msg);
+          return typeof text === "string" && configChangePattern.test(text);
+        });
+
+        // Resume the session with the original task context.
+        // We intentionally do NOT clear abortedLastRun before attempting
+        // the resume — if callGateway fails (e.g. gateway still booting),
+        // the flag stays true so the next restart can retry.
+        const resumed = await resumeOrphanedSession({
+          sessionKey: childSessionKey,
+          task: runRecord.task,
+          lastHumanMessage: extractMessageText(lastHumanMessage),
+          configChangeHint: configChangeDetected
+            ? "\n\n[config changes from your previous run were already applied — do not re-modify openclaw.json or restart the gateway]"
+            : undefined,
+          originalRunId: runId,
+          originalRun: runRecord,
+        });
+
+        if (resumed) {
+          resumedSessionKeys.add(childSessionKey);
+          // Only clear the aborted flag after confirmed successful resume.
+          try {
+            await updateSessionStore(storePath, (currentStore) => {
+              const current = currentStore[childSessionKey];
+              if (current) {
+                current.abortedLastRun = false;
+                current.updatedAt = Date.now();
+                currentStore[childSessionKey] = current;
+              }
+            });
+          } catch (err) {
+            log.warn(
+              `resume succeeded but failed to update session store for ${childSessionKey}: ${String(err)}`,
+            );
+          }
+          result.recovered++;
+        } else {
+          // Flag stays as abortedLastRun=true so next restart can retry
+          log.warn(
+            `resume failed for ${childSessionKey}; abortedLastRun flag preserved for retry on next restart`,
+          );
+          result.failed++;
+        }
+      } catch (err) {
+        log.warn(`error processing orphaned session ${childSessionKey}: ${String(err)}`);
+        result.failed++;
+      }
+    }
+  } catch (err) {
+    log.warn(`orphan recovery scan failed: ${String(err)}`);
+    // Ensure retry logic fires for scan-level exceptions.
+    if (result.failed === 0) {
+      result.failed = 1;
+    }
+  }
+
+  if (result.recovered > 0 || result.failed > 0) {
+    log.info(
+      `orphan recovery complete: recovered=${result.recovered} failed=${result.failed} skipped=${result.skipped}`,
+    );
+  }
+
+  return result;
+}
+
+/** Maximum number of retry attempts for orphan recovery. */
+const MAX_RECOVERY_RETRIES = 3;
+/** Backoff multiplier between retries (exponential). */
+const RETRY_BACKOFF_MULTIPLIER = 2;
+
+/**
+ * Schedule orphan recovery after a delay, with retry logic.
+ * The delay gives the gateway time to fully bootstrap after restart.
+ * If recovery fails (e.g. gateway not yet ready), retries with exponential backoff.
+ */
+export function scheduleOrphanRecovery(params: {
+  getActiveRuns: () => Map<string, SubagentRunRecord>;
+  delayMs?: number;
+  maxRetries?: number;
+}): void {
+  const initialDelay = params.delayMs ?? DEFAULT_RECOVERY_DELAY_MS;
+  const maxRetries = params.maxRetries ?? MAX_RECOVERY_RETRIES;
+
+  const resumedSessionKeys = new Set<string>();
+
+  const attemptRecovery = (attempt: number, delay: number) => {
+    setTimeout(() => {
+      void recoverOrphanedSubagentSessions({ ...params, resumedSessionKeys })
+        .then((result) => {
+          if (result.failed > 0 && attempt < maxRetries) {
+            const nextDelay = delay * RETRY_BACKOFF_MULTIPLIER;
+            log.info(
+              `orphan recovery had ${result.failed} failure(s); retrying in ${nextDelay}ms (attempt ${attempt + 1}/${maxRetries})`,
+            );
+            attemptRecovery(attempt + 1, nextDelay);
+          }
+        })
+        .catch((err) => {
+          if (attempt < maxRetries) {
+            const nextDelay = delay * RETRY_BACKOFF_MULTIPLIER;
+            log.warn(
+              `scheduled orphan recovery failed: ${String(err)}; retrying in ${nextDelay}ms (attempt ${attempt + 1}/${maxRetries})`,
+            );
+            attemptRecovery(attempt + 1, nextDelay);
+          } else {
+            log.warn(
+              `scheduled orphan recovery failed after ${maxRetries} retries: ${String(err)}`,
+            );
+          }
+        });
+    }, delay).unref?.();
+  };
+
+  attemptRecovery(0, initialDelay);
+}
diff --git a/src/agents/subagent-registry.ts b/src/agents/subagent-registry.ts
index d9c593c3e84..c1cab60dd82 100644
--- a/src/agents/subagent-registry.ts
+++ b/src/agents/subagent-registry.ts
@@ -684,6 +684,19 @@ function restoreSubagentRunsOnce() {
     for (const runId of subagentRuns.keys()) {
       resumeSubagentRun(runId);
     }
+
+    // Schedule orphan recovery for subagent sessions that were aborted
+    // by a SIGUSR1 reload. This runs after a short delay to let the
+    // gateway fully bootstrap first. Dynamic import to avoid increasing
+    // startup memory footprint. (#47711)
+    void import("./subagent-orphan-recovery.js").then(
+      ({ scheduleOrphanRecovery }) => {
+        scheduleOrphanRecovery({ getActiveRuns: () => subagentRuns });
+      },
+      () => {
+        // Ignore import failures — orphan recovery is best-effort.
+      },
+    );
   } catch {
     // ignore restore failures
   }
diff --git a/src/agents/test-helpers/host-sandbox-fs-bridge.ts b/src/agents/test-helpers/host-sandbox-fs-bridge.ts
index 93bb34969a8..fc466f0ea67 100644
--- a/src/agents/test-helpers/host-sandbox-fs-bridge.ts
+++ b/src/agents/test-helpers/host-sandbox-fs-bridge.ts
@@ -10,10 +10,16 @@ export function createSandboxFsBridgeFromResolver(
     resolvePath: ({ filePath, cwd }) => resolvePath(filePath, cwd),
     readFile: async ({ filePath, cwd }) => {
       const target = resolvePath(filePath, cwd);
+      if (!target.hostPath) {
+        throw new Error(`Expected hostPath for ${target.containerPath}`);
+      }
       return fs.readFile(target.hostPath);
     },
     writeFile: async ({ filePath, cwd, data, mkdir = true }) => {
       const target = resolvePath(filePath, cwd);
+      if (!target.hostPath) {
+        throw new Error(`Expected hostPath for ${target.containerPath}`);
+      }
       if (mkdir) {
         await fs.mkdir(path.dirname(target.hostPath), { recursive: true });
       }
@@ -22,10 +28,16 @@ export function createSandboxFsBridgeFromResolver(
     },
     mkdirp: async ({ filePath, cwd }) => {
       const target = resolvePath(filePath, cwd);
+      if (!target.hostPath) {
+        throw new Error(`Expected hostPath for ${target.containerPath}`);
+      }
       await fs.mkdir(target.hostPath, { recursive: true });
     },
     remove: async ({ filePath, cwd, recursive, force }) => {
       const target = resolvePath(filePath, cwd);
+      if (!target.hostPath) {
+        throw new Error(`Expected hostPath for ${target.containerPath}`);
+      }
       await fs.rm(target.hostPath, {
         recursive: recursive ?? false,
         force: force ?? false,
@@ -34,12 +46,20 @@ export function createSandboxFsBridgeFromResolver(
     rename: async ({ from, to, cwd }) => {
       const source = resolvePath(from, cwd);
       const target = resolvePath(to, cwd);
+      if (!source.hostPath || !target.hostPath) {
+        throw new Error(
+          `Expected hostPath for rename: ${source.containerPath} -> ${target.containerPath}`,
+        );
+      }
       await fs.mkdir(path.dirname(target.hostPath), { recursive: true });
       await fs.rename(source.hostPath, target.hostPath);
     },
     stat: async ({ filePath, cwd }) => {
       try {
         const target = resolvePath(filePath, cwd);
+        if (!target.hostPath) {
+          throw new Error(`Expected hostPath for ${target.containerPath}`);
+        }
         const stats = await fs.stat(target.hostPath);
         return {
           type: stats.isDirectory() ? "directory" : stats.isFile() ? "file" : "other",
diff --git a/src/agents/test-helpers/pi-tools-sandbox-context.ts b/src/agents/test-helpers/pi-tools-sandbox-context.ts
index 286c5eed685..abf712c2c0b 100644
--- a/src/agents/test-helpers/pi-tools-sandbox-context.ts
+++ b/src/agents/test-helpers/pi-tools-sandbox-context.ts
@@ -18,10 +18,13 @@ export function createPiToolsSandboxContext(params: PiToolsSandboxContextParams)
   const workspaceDir = params.workspaceDir;
   return {
     enabled: true,
+    backendId: "docker",
     sessionKey: params.sessionKey ?? "sandbox:test",
     workspaceDir,
     agentWorkspaceDir: params.agentWorkspaceDir ?? workspaceDir,
     workspaceAccess: params.workspaceAccess ?? "rw",
+    runtimeId: params.containerName ?? "openclaw-sbx-test",
+    runtimeLabel: params.containerName ?? "openclaw-sbx-test",
     containerName: params.containerName ?? "openclaw-sbx-test",
     containerWorkdir: params.containerWorkdir ?? "/workspace",
     fsBridge: params.fsBridge,
diff --git a/src/agents/tool-policy-match.ts b/src/agents/tool-policy-match.ts
new file mode 100644
index 00000000000..112bd94be10
--- /dev/null
+++ b/src/agents/tool-policy-match.ts
@@ -0,0 +1,44 @@
+import { compileGlobPatterns, matchesAnyGlobPattern } from "./glob-pattern.js";
+import type { SandboxToolPolicy } from "./sandbox/types.js";
+import { expandToolGroups, normalizeToolName } from "./tool-policy.js";
+
+function makeToolPolicyMatcher(policy: SandboxToolPolicy) {
+  const deny = compileGlobPatterns({
+    raw: expandToolGroups(policy.deny ?? []),
+    normalize: normalizeToolName,
+  });
+  const allow = compileGlobPatterns({
+    raw: expandToolGroups(policy.allow ?? []),
+    normalize: normalizeToolName,
+  });
+  return (name: string) => {
+    const normalized = normalizeToolName(name);
+    if (matchesAnyGlobPattern(normalized, deny)) {
+      return false;
+    }
+    if (allow.length === 0) {
+      return true;
+    }
+    if (matchesAnyGlobPattern(normalized, allow)) {
+      return true;
+    }
+    if (normalized === "apply_patch" && matchesAnyGlobPattern("exec", allow)) {
+      return true;
+    }
+    return false;
+  };
+}
+
+export function isToolAllowedByPolicyName(name: string, policy?: SandboxToolPolicy): boolean {
+  if (!policy) {
+    return true;
+  }
+  return makeToolPolicyMatcher(policy)(name);
+}
+
+export function isToolAllowedByPolicies(
+  name: string,
+  policies: Array<SandboxToolPolicy | undefined>,
+) {
+  return policies.every((policy) => isToolAllowedByPolicyName(name, policy));
+}
diff --git a/src/agents/tools/browser-tool.actions.ts b/src/agents/tools/browser-tool.actions.ts
index 0d0f5e26abb..dc78557eab2 100644
--- a/src/agents/tools/browser-tool.actions.ts
+++ b/src/agents/tools/browser-tool.actions.ts
@@ -1,7 +1,9 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
 import { browserAct, browserConsoleMessages } from "../../browser/client-actions.js";
 import { browserSnapshot, browserTabs } from "../../browser/client.js";
+import { resolveBrowserConfig, resolveProfile } from "../../browser/config.js";
 import { DEFAULT_AI_SNAPSHOT_MAX_CHARS } from "../../browser/constants.js";
+import { getBrowserProfileCapabilities } from "../../browser/profile-capabilities.js";
 import { loadConfig } from "../../config/config.js";
 import { wrapExternalContent } from "../../security/external-content.js";
 import { imageResultFromFile, jsonResult } from "./common.js";
@@ -74,7 +76,17 @@ function formatConsoleToolResult(result: {
 }
 
 function isChromeStaleTargetError(profile: string | undefined, err: unknown): boolean {
-  if (profile !== "chrome-relay" && profile !== "chrome" && profile !== "user") {
+  if (!profile) {
+    return false;
+  }
+  if (profile === "user") {
+    const msg = String(err);
+    return msg.includes("404:") && msg.includes("tab not found");
+  }
+  const cfg = loadConfig();
+  const resolved = resolveBrowserConfig(cfg.browser, cfg);
+  const browserProfile = resolveProfile(resolved, profile);
+  if (!browserProfile || !getBrowserProfileCapabilities(browserProfile).usesChromeMcp) {
     return false;
   }
   const msg = String(err);
@@ -334,12 +346,8 @@ export async function executeActAction(params: {
         }
       }
       if (!tabs.length) {
-        // Extension relay profiles need the toolbar icon click; Chrome MCP just needs Chrome running.
-        const isRelayProfile = profile === "chrome-relay" || profile === "chrome";
         throw new Error(
-          isRelayProfile
-            ? "No Chrome tabs are attached via the OpenClaw Browser Relay extension. Click the toolbar icon on the tab you want to control (badge ON), then retry."
-            : `No Chrome tabs found for profile="${profile}". Make sure Chrome (v146+) is running and has open tabs, then retry.`,
+          `No Chrome tabs found for profile="${profile}". Make sure Chrome (v144+) is running and has open tabs, then retry.`,
           { cause: err },
         );
       }
diff --git a/src/agents/tools/browser-tool.test.ts b/src/agents/tools/browser-tool.test.ts
index b938d177624..622fa7ed8b3 100644
--- a/src/agents/tools/browser-tool.test.ts
+++ b/src/agents/tools/browser-tool.test.ts
@@ -64,12 +64,7 @@ const browserConfigMocks = vi.hoisted(() => ({
     if (!profile) {
       return null;
     }
-    const driver =
-      profile.driver === "extension"
-        ? "extension"
-        : profile.driver === "existing-session"
-          ? "existing-session"
-          : "openclaw";
+    const driver = profile.driver === "existing-session" ? "existing-session" : "openclaw";
     if (driver === "existing-session") {
       return {
         name,
@@ -287,29 +282,6 @@ describe("browser tool snapshot maxChars", () => {
     expect(opts?.mode).toBeUndefined();
   });
 
-  it("defaults to host when using an explicit extension relay profile (even in sandboxed sessions)", async () => {
-    setResolvedBrowserProfiles({
-      relay: {
-        driver: "extension",
-        cdpUrl: "http://127.0.0.1:18792",
-        color: "#0066CC",
-      },
-    });
-    const tool = createBrowserTool({ sandboxBridgeUrl: "http://127.0.0.1:9999" });
-    await tool.execute?.("call-1", {
-      action: "snapshot",
-      profile: "relay",
-      snapshotFormat: "ai",
-    });
-
-    expect(browserClientMocks.browserSnapshot).toHaveBeenCalledWith(
-      undefined,
-      expect.objectContaining({
-        profile: "relay",
-      }),
-    );
-  });
-
   it("defaults to host when using profile=user (even in sandboxed sessions)", async () => {
     setResolvedBrowserProfiles({
       user: { driver: "existing-session", attachOnly: true, color: "#00AA00" },
diff --git a/src/agents/tools/browser-tool.ts b/src/agents/tools/browser-tool.ts
index 54ddab2cb1f..c0111ab9977 100644
--- a/src/agents/tools/browser-tool.ts
+++ b/src/agents/tools/browser-tool.ts
@@ -290,7 +290,7 @@ function shouldPreferHostForProfile(profileName: string | undefined) {
     return false;
   }
   const capabilities = getBrowserProfileCapabilities(profile);
-  return capabilities.requiresRelay || capabilities.usesChromeMcp;
+  return capabilities.usesChromeMcp;
 }
 
 export function createBrowserTool(opts?: {
@@ -307,7 +307,7 @@ export function createBrowserTool(opts?: {
     description: [
       "Control the browser via OpenClaw's browser control server (status/start/stop/profiles/tabs/open/snapshot/screenshot/actions).",
       "Browser choice: omit profile by default for the isolated OpenClaw-managed browser (`openclaw`).",
-      'For the logged-in user browser on the local host, use profile="user". Chrome (v146+) must be running. Use only when existing logins/cookies matter and the user is present.',
+      'For the logged-in user browser on the local host, use profile="user". Chrome (v144+) must be running. Use only when existing logins/cookies matter and the user is present.',
       'When a node-hosted browser proxy is available, the tool may auto-route to it. Pin a node with node=<id|name> or target="node".',
       "When using refs from snapshot (e.g. e12), keep the same tab: prefer passing targetId from the snapshot response into subsequent actions (act/click/type/etc).",
       'For stable, self-resolving refs across calls, use snapshot with refs="aria" (Playwright aria-ref ids). Default refs="role" are role+name-based.',
@@ -326,7 +326,7 @@ export function createBrowserTool(opts?: {
       if (requestedNode && target && target !== "node") {
         throw new Error('node is only supported with target="node".');
       }
-      // User-browser profiles (existing-session, extension relay) are host-only.
+      // User-browser profiles (existing-session) are host-only.
       const isUserBrowserProfile = shouldPreferHostForProfile(profile);
       if (isUserBrowserProfile) {
         if (requestedNode || target === "node") {
diff --git a/src/agents/tools/discord-actions-guild.ts b/src/agents/tools/discord-actions-guild.ts
index 6e08c87a276..54386ad4267 100644
--- a/src/agents/tools/discord-actions-guild.ts
+++ b/src/agents/tools/discord-actions-guild.ts
@@ -1,5 +1,5 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
-import { getPresence } from "../../../extensions/discord/src/monitor/presence-cache.js";
+import type { DiscordActionConfig } from "../../config/config.js";
 import {
   addRoleDiscord,
   createChannelDiscord,
@@ -19,8 +19,8 @@ import {
   setChannelPermissionDiscord,
   uploadEmojiDiscord,
   uploadStickerDiscord,
-} from "../../../extensions/discord/src/send.js";
-import type { DiscordActionConfig } from "../../config/config.js";
+} from "../../plugin-sdk-internal/discord.js";
+import { getPresence } from "../../plugin-sdk-internal/discord.js";
 import {
   type ActionGate,
   jsonResult,
diff --git a/src/agents/tools/discord-actions-messaging.ts b/src/agents/tools/discord-actions-messaging.ts
index c38f2d7066f..8a7f93aacbb 100644
--- a/src/agents/tools/discord-actions-messaging.ts
+++ b/src/agents/tools/discord-actions-messaging.ts
@@ -1,5 +1,6 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
-import { readDiscordComponentSpec } from "../../../extensions/discord/src/components.js";
+import type { DiscordActionConfig } from "../../config/config.js";
+import type { OpenClawConfig } from "../../config/config.js";
 import {
   createThreadDiscord,
   deleteMessageDiscord,
@@ -21,14 +22,15 @@ import {
   sendStickerDiscord,
   sendVoiceMessageDiscord,
   unpinMessageDiscord,
-} from "../../../extensions/discord/src/send.js";
+} from "../../plugin-sdk-internal/discord.js";
 import type {
   DiscordSendComponents,
   DiscordSendEmbeds,
-} from "../../../extensions/discord/src/send.shared.js";
-import { resolveDiscordChannelId } from "../../../extensions/discord/src/targets.js";
-import type { DiscordActionConfig } from "../../config/config.js";
-import type { OpenClawConfig } from "../../config/config.js";
+} from "../../plugin-sdk-internal/discord.js";
+import {
+  readDiscordComponentSpec,
+  resolveDiscordChannelId,
+} from "../../plugin-sdk-internal/discord.js";
 import { readBooleanParam } from "../../plugin-sdk/boolean-param.js";
 import { resolvePollMaxSelections } from "../../polls.js";
 import { withNormalizedTimestamp } from "../date-time.js";
diff --git a/src/agents/tools/discord-actions-moderation.ts b/src/agents/tools/discord-actions-moderation.ts
index 68db19d1d7f..63c3cc601bc 100644
--- a/src/agents/tools/discord-actions-moderation.ts
+++ b/src/agents/tools/discord-actions-moderation.ts
@@ -1,11 +1,11 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
+import type { DiscordActionConfig } from "../../config/config.js";
 import {
   banMemberDiscord,
   hasAnyGuildPermissionDiscord,
   kickMemberDiscord,
   timeoutMemberDiscord,
-} from "../../../extensions/discord/src/send.js";
-import type { DiscordActionConfig } from "../../config/config.js";
+} from "../../plugin-sdk-internal/discord.js";
 import { type ActionGate, jsonResult, readStringParam } from "./common.js";
 import {
   isDiscordModerationAction,
diff --git a/src/agents/tools/discord-actions-presence.ts b/src/agents/tools/discord-actions-presence.ts
index 46f476bafec..fdfa53e2323 100644
--- a/src/agents/tools/discord-actions-presence.ts
+++ b/src/agents/tools/discord-actions-presence.ts
@@ -1,7 +1,7 @@
 import type { Activity, UpdatePresenceData } from "@buape/carbon/gateway";
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
-import { getGateway } from "../../../extensions/discord/src/monitor/gateway-registry.js";
 import type { DiscordActionConfig } from "../../config/config.js";
+import { getGateway } from "../../plugin-sdk-internal/discord.js";
 import { type ActionGate, jsonResult, readStringParam } from "./common.js";
 
 const ACTIVITY_TYPE_MAP: Record<string, number> = {
diff --git a/src/agents/tools/discord-actions.ts b/src/agents/tools/discord-actions.ts
index 9b1c57bb240..0e380b8d383 100644
--- a/src/agents/tools/discord-actions.ts
+++ b/src/agents/tools/discord-actions.ts
@@ -1,6 +1,6 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
-import { createDiscordActionGate } from "../../../extensions/discord/src/accounts.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { createDiscordActionGate } from "../../plugin-sdk-internal/discord.js";
 import { readStringParam } from "./common.js";
 import { handleDiscordGuildAction } from "./discord-actions-guild.js";
 import { handleDiscordMessagingAction } from "./discord-actions-messaging.js";
diff --git a/src/agents/tools/image-tool.ts b/src/agents/tools/image-tool.ts
index 4a50263cada..402ee0b3eda 100644
--- a/src/agents/tools/image-tool.ts
+++ b/src/agents/tools/image-tool.ts
@@ -1,7 +1,7 @@
 import { type Context, complete } from "@mariozechner/pi-ai";
 import { Type } from "@sinclair/typebox";
-import { loadWebMedia } from "../../../extensions/whatsapp/src/media.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { loadWebMedia } from "../../plugin-sdk/web-media.js";
 import { resolveUserPath } from "../../utils.js";
 import { isMinimaxVlmModel, isMinimaxVlmProvider, minimaxUnderstandImage } from "../minimax-vlm.js";
 import {
diff --git a/src/agents/tools/media-tool-shared.ts b/src/agents/tools/media-tool-shared.ts
index 8ad943a4b91..56f4a92ca97 100644
--- a/src/agents/tools/media-tool-shared.ts
+++ b/src/agents/tools/media-tool-shared.ts
@@ -1,6 +1,6 @@
 import { type Api, type Model } from "@mariozechner/pi-ai";
-import { getDefaultLocalRoots } from "../../../extensions/whatsapp/src/media.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { getDefaultLocalRoots } from "../../plugin-sdk/web-media.js";
 import type { ImageModelConfig } from "./image-tool.helpers.js";
 import { getApiKeyForModel, normalizeWorkspaceDir, requireApiKey } from "./tool-runtime.helpers.js";
 
diff --git a/src/agents/tools/message-tool.test.ts b/src/agents/tools/message-tool.test.ts
index 930f8d95a25..a148494c8de 100644
--- a/src/agents/tools/message-tool.test.ts
+++ b/src/agents/tools/message-tool.test.ts
@@ -1,4 +1,5 @@
 import { afterEach, describe, expect, it, vi } from "vitest";
+import type { ChannelMessageCapability } from "../../channels/plugins/message-capabilities.js";
 import type { ChannelMessageActionName, ChannelPlugin } from "../../channels/plugins/types.js";
 import type { MessageActionRunResult } from "../../infra/outbound/message-action-runner.js";
 import { setActivePluginRegistry } from "../../plugins/runtime.js";
@@ -47,9 +48,10 @@ function createChannelPlugin(params: {
   blurb: string;
   actions?: ChannelMessageActionName[];
   listActions?: NonNullable<NonNullable<ChannelPlugin["actions"]>["listActions"]>;
-  supportsButtons?: boolean;
+  capabilities?: readonly ChannelMessageCapability[];
   messaging?: ChannelPlugin["messaging"];
 }): ChannelPlugin {
+  const actionCapabilities = params.capabilities;
   return {
     id: params.id as ChannelPlugin["id"],
     meta: {
@@ -71,7 +73,9 @@ function createChannelPlugin(params: {
         (() => {
           return (params.actions ?? []) as never;
         }),
-      ...(params.supportsButtons ? { supportsButtons: () => true } : {}),
+      ...(actionCapabilities
+        ? { getCapabilities: (_params: { cfg: unknown }) => actionCapabilities }
+        : {}),
     },
   };
 }
@@ -145,7 +149,7 @@ describe("message tool schema scoping", () => {
     docsPath: "/channels/telegram",
     blurb: "Telegram test plugin.",
     actions: ["send", "react", "poll"],
-    supportsButtons: true,
+    capabilities: ["interactive", "buttons"],
   });
 
   const discordPlugin = createChannelPlugin({
@@ -154,6 +158,16 @@ describe("message tool schema scoping", () => {
     docsPath: "/channels/discord",
     blurb: "Discord test plugin.",
     actions: ["send", "poll", "poll-vote"],
+    capabilities: ["interactive", "components"],
+  });
+
+  const slackPlugin = createChannelPlugin({
+    id: "slack",
+    label: "Slack",
+    docsPath: "/channels/slack",
+    blurb: "Slack test plugin.",
+    actions: ["send", "react"],
+    capabilities: ["interactive", "blocks"],
   });
 
   afterEach(() => {
@@ -164,6 +178,7 @@ describe("message tool schema scoping", () => {
     {
       provider: "telegram",
       expectComponents: false,
+      expectBlocks: false,
       expectButtons: true,
       expectButtonStyle: true,
       expectTelegramPollExtras: true,
@@ -172,16 +187,27 @@ describe("message tool schema scoping", () => {
     {
       provider: "discord",
       expectComponents: true,
+      expectBlocks: false,
       expectButtons: false,
       expectButtonStyle: false,
       expectTelegramPollExtras: true,
       expectedActions: ["send", "poll", "poll-vote", "react"],
     },
+    {
+      provider: "slack",
+      expectComponents: false,
+      expectBlocks: true,
+      expectButtons: false,
+      expectButtonStyle: false,
+      expectTelegramPollExtras: true,
+      expectedActions: ["send", "react", "poll", "poll-vote"],
+    },
   ])(
     "scopes schema fields for $provider",
     ({
       provider,
       expectComponents,
+      expectBlocks,
       expectButtons,
       expectButtonStyle,
       expectTelegramPollExtras,
@@ -191,6 +217,7 @@ describe("message tool schema scoping", () => {
         createTestRegistry([
           { pluginId: "telegram", source: "test", plugin: telegramPlugin },
           { pluginId: "discord", source: "test", plugin: discordPlugin },
+          { pluginId: "slack", source: "test", plugin: slackPlugin },
         ]),
       );
 
@@ -206,6 +233,11 @@ describe("message tool schema scoping", () => {
       } else {
         expect(properties.components).toBeUndefined();
       }
+      if (expectBlocks) {
+        expect(properties.blocks).toBeDefined();
+      } else {
+        expect(properties.blocks).toBeUndefined();
+      }
       if (expectButtons) {
         expect(properties.buttons).toBeDefined();
       } else {
@@ -263,7 +295,7 @@ describe("message tool schema scoping", () => {
           .channels?.telegram;
         return telegramCfg?.actions?.poll === false ? ["send", "react"] : ["send", "react", "poll"];
       },
-      supportsButtons: true,
+      capabilities: ["interactive", "buttons"],
     });
 
     setActivePluginRegistry(
diff --git a/src/agents/tools/message-tool.ts b/src/agents/tools/message-tool.ts
index 63963ab5f38..0e6c846e75d 100644
--- a/src/agents/tools/message-tool.ts
+++ b/src/agents/tools/message-tool.ts
@@ -2,16 +2,17 @@ import { Type } from "@sinclair/typebox";
 import { BLUEBUBBLES_GROUP_ACTIONS } from "../../channels/plugins/bluebubbles-actions.js";
 import { listChannelPlugins } from "../../channels/plugins/index.js";
 import {
+  channelSupportsMessageCapability,
+  channelSupportsMessageCapabilityForChannel,
   listChannelMessageActions,
-  supportsChannelMessageButtons,
-  supportsChannelMessageButtonsForChannel,
-  supportsChannelMessageCards,
-  supportsChannelMessageCardsForChannel,
 } from "../../channels/plugins/message-actions.js";
+import type { ChannelMessageCapability } from "../../channels/plugins/message-capabilities.js";
 import {
   CHANNEL_MESSAGE_ACTION_NAMES,
   type ChannelMessageActionName,
 } from "../../channels/plugins/types.js";
+import { resolveCommandSecretRefsViaGateway } from "../../cli/command-secret-gateway.js";
+import { getChannelsCommandSecretTargetIds } from "../../cli/command-secret-targets.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { loadConfig } from "../../config/config.js";
 import { GATEWAY_CLIENT_IDS, GATEWAY_CLIENT_MODES } from "../../gateway/protocol/client-info.js";
@@ -161,10 +162,41 @@ const discordComponentMessageSchema = Type.Object(
   },
 );
 
+const interactiveOptionSchema = Type.Object({
+  label: Type.String(),
+  value: Type.String(),
+});
+
+const interactiveButtonSchema = Type.Object({
+  label: Type.String(),
+  value: Type.String(),
+  style: Type.Optional(stringEnum(["primary", "secondary", "success", "danger"])),
+});
+
+const interactiveBlockSchema = Type.Object({
+  type: stringEnum(["text", "buttons", "select"]),
+  text: Type.Optional(Type.String()),
+  buttons: Type.Optional(Type.Array(interactiveButtonSchema)),
+  placeholder: Type.Optional(Type.String()),
+  options: Type.Optional(Type.Array(interactiveOptionSchema)),
+});
+
+const interactiveMessageSchema = Type.Object(
+  {
+    blocks: Type.Array(interactiveBlockSchema),
+  },
+  {
+    description:
+      "Shared interactive message payload for buttons and selects. Channels render this into their native components when supported.",
+  },
+);
+
 function buildSendSchema(options: {
+  includeInteractive: boolean;
   includeButtons: boolean;
   includeCards: boolean;
   includeComponents: boolean;
+  includeBlocks: boolean;
 }) {
   const props: Record<string, unknown> = {
     message: Type.Optional(Type.String()),
@@ -206,6 +238,7 @@ function buildSendSchema(options: {
         description: "Send image/GIF as document to avoid Telegram compression (Telegram only).",
       }),
     ),
+    interactive: Type.Optional(interactiveMessageSchema),
     buttons: Type.Optional(
       Type.Array(
         Type.Array(
@@ -230,16 +263,33 @@ function buildSendSchema(options: {
       ),
     ),
     components: Type.Optional(discordComponentMessageSchema),
+    blocks: Type.Optional(
+      Type.Array(
+        Type.Object(
+          {},
+          {
+            additionalProperties: true,
+            description: "Slack Block Kit payload blocks (Slack only).",
+          },
+        ),
+      ),
+    ),
   };
   if (!options.includeButtons) {
     delete props.buttons;
   }
+  if (!options.includeInteractive) {
+    delete props.interactive;
+  }
   if (!options.includeCards) {
     delete props.card;
   }
   if (!options.includeComponents) {
     delete props.components;
   }
+  if (!options.includeBlocks) {
+    delete props.blocks;
+  }
   return props;
 }
 
@@ -269,6 +319,8 @@ function buildReactionSchema() {
 function buildFetchSchema() {
   return {
     limit: Type.Optional(Type.Number()),
+    pageSize: Type.Optional(Type.Number()),
+    pageToken: Type.Optional(Type.String()),
     before: Type.Optional(Type.String()),
     after: Type.Optional(Type.String()),
     around: Type.Optional(Type.String()),
@@ -336,16 +388,27 @@ function buildChannelTargetSchema() {
     channelId: Type.Optional(
       Type.String({ description: "Channel id filter (search/thread list/event create)." }),
     ),
+    chatId: Type.Optional(
+      Type.String({ description: "Chat id for chat-scoped metadata actions." }),
+    ),
     channelIds: Type.Optional(
       Type.Array(Type.String({ description: "Channel id filter (repeatable)." })),
     ),
+    memberId: Type.Optional(Type.String()),
+    memberIdType: Type.Optional(Type.String()),
     guildId: Type.Optional(Type.String()),
     userId: Type.Optional(Type.String()),
+    openId: Type.Optional(Type.String()),
+    unionId: Type.Optional(Type.String()),
     authorId: Type.Optional(Type.String()),
     authorIds: Type.Optional(Type.Array(Type.String())),
     roleId: Type.Optional(Type.String()),
     roleIds: Type.Optional(Type.Array(Type.String())),
     participant: Type.Optional(Type.String()),
+    includeMembers: Type.Optional(Type.Boolean()),
+    members: Type.Optional(Type.Boolean()),
+    scope: Type.Optional(Type.String()),
+    kind: Type.Optional(Type.String()),
   };
 }
 
@@ -445,9 +508,11 @@ function buildChannelManagementSchema() {
 }
 
 function buildMessageToolSchemaProps(options: {
+  includeInteractive: boolean;
   includeButtons: boolean;
   includeCards: boolean;
   includeComponents: boolean;
+  includeBlocks: boolean;
   includeTelegramPollExtras: boolean;
 }) {
   return {
@@ -470,9 +535,11 @@ function buildMessageToolSchemaProps(options: {
 function buildMessageToolSchemaFromActions(
   actions: readonly string[],
   options: {
+    includeInteractive: boolean;
     includeButtons: boolean;
     includeCards: boolean;
     includeComponents: boolean;
+    includeBlocks: boolean;
     includeTelegramPollExtras: boolean;
   },
 ) {
@@ -484,9 +551,11 @@ function buildMessageToolSchemaFromActions(
 }
 
 const MessageToolSchema = buildMessageToolSchemaFromActions(AllMessageActions, {
+  includeInteractive: true,
   includeButtons: true,
   includeCards: true,
   includeComponents: true,
+  includeBlocks: true,
   includeTelegramPollExtras: true,
 });
 
@@ -537,16 +606,59 @@ function resolveMessageToolSchemaActions(params: {
   return actions.length > 0 ? actions : ["send"];
 }
 
+function resolveIncludeCapability(
+  params: {
+    cfg: OpenClawConfig;
+    currentChannelProvider?: string;
+  },
+  capability: ChannelMessageCapability,
+): boolean {
+  const currentChannel = normalizeMessageChannel(params.currentChannelProvider);
+  if (currentChannel) {
+    return channelSupportsMessageCapabilityForChannel(
+      {
+        cfg: params.cfg,
+        channel: currentChannel,
+      },
+      capability,
+    );
+  }
+  return channelSupportsMessageCapability(params.cfg, capability);
+}
+
 function resolveIncludeComponents(params: {
   cfg: OpenClawConfig;
   currentChannelProvider?: string;
 }): boolean {
-  const currentChannel = normalizeMessageChannel(params.currentChannelProvider);
-  if (currentChannel) {
-    return currentChannel === "discord";
-  }
-  // Components are currently Discord-specific.
-  return listChannelSupportedActions({ cfg: params.cfg, channel: "discord" }).length > 0;
+  return resolveIncludeCapability(params, "components");
+}
+
+function resolveIncludeInteractive(params: {
+  cfg: OpenClawConfig;
+  currentChannelProvider?: string;
+}): boolean {
+  return resolveIncludeCapability(params, "interactive");
+}
+
+function resolveIncludeButtons(params: {
+  cfg: OpenClawConfig;
+  currentChannelProvider?: string;
+}): boolean {
+  return resolveIncludeCapability(params, "buttons");
+}
+
+function resolveIncludeCards(params: {
+  cfg: OpenClawConfig;
+  currentChannelProvider?: string;
+}): boolean {
+  return resolveIncludeCapability(params, "cards");
+}
+
+function resolveIncludeBlocks(params: {
+  cfg: OpenClawConfig;
+  currentChannelProvider?: string;
+}): boolean {
+  return resolveIncludeCapability(params, "blocks");
 }
 
 function resolveIncludeTelegramPollExtras(params: {
@@ -564,20 +676,19 @@ function buildMessageToolSchema(params: {
   currentChannelProvider?: string;
   currentChannelId?: string;
 }) {
-  const currentChannel = normalizeMessageChannel(params.currentChannelProvider);
   const actions = resolveMessageToolSchemaActions(params);
-  const includeButtons = currentChannel
-    ? supportsChannelMessageButtonsForChannel({ cfg: params.cfg, channel: currentChannel })
-    : supportsChannelMessageButtons(params.cfg);
-  const includeCards = currentChannel
-    ? supportsChannelMessageCardsForChannel({ cfg: params.cfg, channel: currentChannel })
-    : supportsChannelMessageCards(params.cfg);
+  const includeInteractive = resolveIncludeInteractive(params);
+  const includeButtons = resolveIncludeButtons(params);
+  const includeCards = resolveIncludeCards(params);
   const includeComponents = resolveIncludeComponents(params);
+  const includeBlocks = resolveIncludeBlocks(params);
   const includeTelegramPollExtras = resolveIncludeTelegramPollExtras(params);
   return buildMessageToolSchemaFromActions(actions.length > 0 ? actions : ["send"], {
+    includeInteractive,
     includeButtons,
     includeCards,
     includeComponents,
+    includeBlocks,
     includeTelegramPollExtras,
   });
 }
@@ -709,7 +820,16 @@ export function createMessageTool(options?: MessageToolOptions): AnyAgentTool {
         }
       }
 
-      const cfg = options?.config ?? loadConfig();
+      const cfg = options?.config
+        ? options.config
+        : (
+            await resolveCommandSecretRefsViaGateway({
+              config: loadConfig(),
+              commandName: "tools.message",
+              targetIds: getChannelsCommandSecretTargetIds(),
+              mode: "enforce_resolved",
+            })
+          ).resolvedConfig;
       const action = readStringParam(params, "action", {
         required: true,
       }) as ChannelMessageActionName;
diff --git a/src/agents/tools/pdf-tool.ts b/src/agents/tools/pdf-tool.ts
index 8f229dd7b10..c20bec5936a 100644
--- a/src/agents/tools/pdf-tool.ts
+++ b/src/agents/tools/pdf-tool.ts
@@ -1,8 +1,8 @@
 import { type Context, complete } from "@mariozechner/pi-ai";
 import { Type } from "@sinclair/typebox";
-import { loadWebMediaRaw } from "../../../extensions/whatsapp/src/media.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { extractPdfContent, type PdfExtractedContent } from "../../media/pdf-extract.js";
+import { loadWebMediaRaw } from "../../plugin-sdk/web-media.js";
 import { resolveUserPath } from "../../utils.js";
 import {
   coerceImageModelConfig,
diff --git a/src/agents/tools/slack-actions.ts b/src/agents/tools/slack-actions.ts
index 5ed58d5960f..c7fc16ed8b1 100644
--- a/src/agents/tools/slack-actions.ts
+++ b/src/agents/tools/slack-actions.ts
@@ -1,5 +1,5 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
-import { resolveSlackAccount } from "../../../extensions/slack/src/accounts.js";
+import type { OpenClawConfig } from "../../config/config.js";
 import {
   deleteSlackMessage,
   downloadSlackFile,
@@ -15,11 +15,14 @@ import {
   removeSlackReaction,
   sendSlackMessage,
   unpinSlackMessage,
-} from "../../../extensions/slack/src/actions.js";
-import { parseSlackBlocksInput } from "../../../extensions/slack/src/blocks-input.js";
-import { recordSlackThreadParticipation } from "../../../extensions/slack/src/sent-thread-cache.js";
-import { parseSlackTarget, resolveSlackChannelId } from "../../../extensions/slack/src/targets.js";
-import type { OpenClawConfig } from "../../config/config.js";
+} from "../../plugin-sdk-internal/slack.js";
+import {
+  parseSlackBlocksInput,
+  parseSlackTarget,
+  recordSlackThreadParticipation,
+  resolveSlackAccount,
+  resolveSlackChannelId,
+} from "../../plugin-sdk-internal/slack.js";
 import { withNormalizedTimestamp } from "../date-time.js";
 import {
   createActionGate,
diff --git a/src/agents/tools/telegram-actions.test.ts b/src/agents/tools/telegram-actions.test.ts
index 5963a64b667..997de707765 100644
--- a/src/agents/tools/telegram-actions.test.ts
+++ b/src/agents/tools/telegram-actions.test.ts
@@ -23,6 +23,12 @@ const editMessageTelegram = vi.fn(async () => ({
   messageId: "456",
   chatId: "123",
 }));
+const editForumTopicTelegram = vi.fn(async () => ({
+  ok: true,
+  chatId: "123",
+  messageThreadId: 42,
+  name: "Renamed",
+}));
 const createForumTopicTelegram = vi.fn(async () => ({
   topicId: 99,
   name: "Topic",
@@ -42,6 +48,8 @@ vi.mock("../../../extensions/telegram/src/send.js", () => ({
     deleteMessageTelegram(...args),
   editMessageTelegram: (...args: Parameters<typeof editMessageTelegram>) =>
     editMessageTelegram(...args),
+  editForumTopicTelegram: (...args: Parameters<typeof editForumTopicTelegram>) =>
+    editForumTopicTelegram(...args),
   createForumTopicTelegram: (...args: Parameters<typeof createForumTopicTelegram>) =>
     createForumTopicTelegram(...args),
 }));
@@ -105,6 +113,7 @@ describe("handleTelegramAction", () => {
     sendStickerTelegram.mockClear();
     deleteMessageTelegram.mockClear();
     editMessageTelegram.mockClear();
+    editForumTopicTelegram.mockClear();
     createForumTopicTelegram.mockClear();
     process.env.TELEGRAM_BOT_TOKEN = "tok";
   });
@@ -457,6 +466,14 @@ describe("handleTelegramAction", () => {
         readCallOpts: (calls: unknown[][], argIndex: number) => Record<string, unknown>,
       ) => readCallOpts(createForumTopicTelegram.mock.calls as unknown[][], 2),
     },
+    {
+      name: "editForumTopic",
+      params: { action: "editForumTopic", chatId: "123", messageThreadId: 42, name: "New" },
+      cfg: telegramConfig({ actions: { editForumTopic: true } }),
+      assertCall: (
+        readCallOpts: (calls: unknown[][], argIndex: number) => Record<string, unknown>,
+      ) => readCallOpts(editForumTopicTelegram.mock.calls as unknown[][], 2),
+    },
   ])("forwards resolved cfg for $name action", async ({ params, cfg, assertCall }) => {
     const readCallOpts = (calls: unknown[][], argIndex: number): Record<string, unknown> => {
       const args = calls[0];
diff --git a/src/agents/tools/telegram-actions.ts b/src/agents/tools/telegram-actions.ts
index 6c8d4f84204..9f2d48831c3 100644
--- a/src/agents/tools/telegram-actions.ts
+++ b/src/agents/tools/telegram-actions.ts
@@ -1,29 +1,33 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
+import type { OpenClawConfig } from "../../config/config.js";
 import {
   createTelegramActionGate,
   resolveTelegramPollActionGateState,
-} from "../../../extensions/telegram/src/accounts.js";
+} from "../../plugin-sdk-internal/telegram.js";
 import type {
   TelegramButtonStyle,
   TelegramInlineButtons,
-} from "../../../extensions/telegram/src/button-types.js";
+} from "../../plugin-sdk-internal/telegram.js";
 import {
   resolveTelegramInlineButtonsScope,
   resolveTelegramTargetChatType,
-} from "../../../extensions/telegram/src/inline-buttons.js";
-import { resolveTelegramReactionLevel } from "../../../extensions/telegram/src/reaction-level.js";
+} from "../../plugin-sdk-internal/telegram.js";
 import {
   createForumTopicTelegram,
   deleteMessageTelegram,
+  editForumTopicTelegram,
   editMessageTelegram,
   reactMessageTelegram,
   sendMessageTelegram,
   sendPollTelegram,
   sendStickerTelegram,
-} from "../../../extensions/telegram/src/send.js";
-import { getCacheStats, searchStickers } from "../../../extensions/telegram/src/sticker-cache.js";
-import { resolveTelegramToken } from "../../../extensions/telegram/src/token.js";
-import type { OpenClawConfig } from "../../config/config.js";
+} from "../../plugin-sdk-internal/telegram.js";
+import {
+  getCacheStats,
+  resolveTelegramReactionLevel,
+  resolveTelegramToken,
+  searchStickers,
+} from "../../plugin-sdk-internal/telegram.js";
 import { readBooleanParam } from "../../plugin-sdk/boolean-param.js";
 import { resolvePollMaxSelections } from "../../polls.js";
 import {
@@ -478,5 +482,36 @@ export async function handleTelegramAction(
     });
   }
 
+  if (action === "editForumTopic") {
+    if (!isActionEnabled("editForumTopic")) {
+      throw new Error("Telegram editForumTopic is disabled.");
+    }
+    const chatId = readStringOrNumberParam(params, "chatId", {
+      required: true,
+    });
+    const messageThreadId =
+      readNumberParam(params, "messageThreadId", { integer: true }) ??
+      readNumberParam(params, "threadId", { integer: true });
+    if (typeof messageThreadId !== "number") {
+      throw new Error("messageThreadId or threadId is required.");
+    }
+    const name = readStringParam(params, "name");
+    const iconCustomEmojiId = readStringParam(params, "iconCustomEmojiId");
+    const token = resolveTelegramToken(cfg, { accountId }).token;
+    if (!token) {
+      throw new Error(
+        "Telegram bot token missing. Set TELEGRAM_BOT_TOKEN or channels.telegram.botToken.",
+      );
+    }
+    const result = await editForumTopicTelegram(chatId ?? "", messageThreadId, {
+      cfg,
+      token,
+      accountId: accountId ?? undefined,
+      name: name ?? undefined,
+      iconCustomEmojiId: iconCustomEmojiId ?? undefined,
+    });
+    return jsonResult(result);
+  }
+
   throw new Error(`Unsupported Telegram action: ${action}`);
 }
diff --git a/src/agents/tools/web-fetch-utils.ts b/src/agents/tools/web-fetch-utils.ts
index 4dc57abf80d..86d03650eb6 100644
--- a/src/agents/tools/web-fetch-utils.ts
+++ b/src/agents/tools/web-fetch-utils.ts
@@ -206,27 +206,33 @@ function exceedsEstimatedHtmlNestingDepth(html: string, maxDepth: number): boole
   return false;
 }
 
+export async function extractBasicHtmlContent(params: {
+  html: string;
+  extractMode: ExtractMode;
+}): Promise<{ text: string; title?: string } | null> {
+  const cleanHtml = await sanitizeHtml(params.html);
+  const rendered = htmlToMarkdown(cleanHtml);
+  if (params.extractMode === "text") {
+    const text =
+      stripInvisibleUnicode(markdownToText(rendered.text)) ||
+      stripInvisibleUnicode(normalizeWhitespace(stripTags(cleanHtml)));
+    return text ? { text, title: rendered.title } : null;
+  }
+  const text = stripInvisibleUnicode(rendered.text);
+  return text ? { text, title: rendered.title } : null;
+}
+
 export async function extractReadableContent(params: {
   html: string;
   url: string;
   extractMode: ExtractMode;
 }): Promise<{ text: string; title?: string } | null> {
   const cleanHtml = await sanitizeHtml(params.html);
-  const fallback = (): { text: string; title?: string } => {
-    const rendered = htmlToMarkdown(cleanHtml);
-    if (params.extractMode === "text") {
-      const text =
-        stripInvisibleUnicode(markdownToText(rendered.text)) ||
-        stripInvisibleUnicode(normalizeWhitespace(stripTags(cleanHtml)));
-      return { text, title: rendered.title };
-    }
-    return { text: stripInvisibleUnicode(rendered.text), title: rendered.title };
-  };
   if (
     cleanHtml.length > READABILITY_MAX_HTML_CHARS ||
     exceedsEstimatedHtmlNestingDepth(cleanHtml, READABILITY_MAX_ESTIMATED_NESTING_DEPTH)
   ) {
-    return fallback();
+    return null;
   }
   try {
     const { Readability, parseHTML } = await loadReadabilityDeps();
@@ -239,16 +245,17 @@ export async function extractReadableContent(params: {
     const reader = new Readability(document, { charThreshold: 0 });
     const parsed = reader.parse();
     if (!parsed?.content) {
-      return fallback();
+      return null;
     }
     const title = parsed.title || undefined;
     if (params.extractMode === "text") {
       const text = stripInvisibleUnicode(normalizeWhitespace(parsed.textContent ?? ""));
-      return text ? { text, title } : fallback();
+      return text ? { text, title } : null;
     }
     const rendered = htmlToMarkdown(parsed.content);
-    return { text: stripInvisibleUnicode(rendered.text), title: title ?? rendered.title };
+    const text = stripInvisibleUnicode(rendered.text);
+    return text ? { text, title: title ?? rendered.title } : null;
   } catch {
-    return fallback();
+    return null;
   }
 }
diff --git a/src/agents/tools/web-fetch.ts b/src/agents/tools/web-fetch.ts
index f4cc88e2d83..92f94bf3a28 100644
--- a/src/agents/tools/web-fetch.ts
+++ b/src/agents/tools/web-fetch.ts
@@ -10,13 +10,14 @@ import { stringEnum } from "../schema/typebox.js";
 import type { AnyAgentTool } from "./common.js";
 import { jsonResult, readNumberParam, readStringParam } from "./common.js";
 import {
+  extractBasicHtmlContent,
   extractReadableContent,
   htmlToMarkdown,
   markdownToText,
   truncateText,
   type ExtractMode,
 } from "./web-fetch-utils.js";
-import { fetchWithWebToolsNetworkGuard } from "./web-guarded-fetch.js";
+import { fetchWithWebToolsNetworkGuard, withTrustedWebToolsEndpoint } from "./web-guarded-fetch.js";
 import {
   CacheEntry,
   DEFAULT_CACHE_TTL_MINUTES,
@@ -26,7 +27,6 @@ import {
   readResponseText,
   resolveCacheTtlMs,
   resolveTimeoutSeconds,
-  withTimeout,
   writeCache,
 } from "./web-shared.js";
 
@@ -161,11 +161,12 @@ function resolveFirecrawlEnabled(params: {
 }
 
 function resolveFirecrawlBaseUrl(firecrawl?: FirecrawlFetchConfig): string {
-  const raw =
+  const fromConfig =
     firecrawl && "baseUrl" in firecrawl && typeof firecrawl.baseUrl === "string"
       ? firecrawl.baseUrl.trim()
       : "";
-  return raw || DEFAULT_FIRECRAWL_BASE_URL;
+  const fromEnv = normalizeSecretInput(process.env.FIRECRAWL_BASE_URL);
+  return fromConfig || fromEnv || DEFAULT_FIRECRAWL_BASE_URL;
 }
 
 function resolveFirecrawlOnlyMainContent(firecrawl?: FirecrawlFetchConfig): boolean {
@@ -381,54 +382,59 @@ export async function fetchFirecrawlContent(params: {
     proxy: params.proxy,
     storeInCache: params.storeInCache,
   };
-
-  const res = await fetch(endpoint, {
-    method: "POST",
-    headers: {
-      Authorization: `Bearer ${params.apiKey}`,
-      "Content-Type": "application/json",
+  return await withTrustedWebToolsEndpoint(
+    {
+      url: endpoint,
+      timeoutSeconds: params.timeoutSeconds,
+      init: {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${params.apiKey}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify(body),
+      },
     },
-    body: JSON.stringify(body),
-    signal: withTimeout(undefined, params.timeoutSeconds * 1000),
-  });
-
-  const payload = (await res.json()) as {
-    success?: boolean;
-    data?: {
-      markdown?: string;
-      content?: string;
-      metadata?: {
-        title?: string;
-        sourceURL?: string;
-        statusCode?: number;
+    async ({ response }) => {
+      const payload = (await response.json()) as {
+        success?: boolean;
+        data?: {
+          markdown?: string;
+          content?: string;
+          metadata?: {
+            title?: string;
+            sourceURL?: string;
+            statusCode?: number;
+          };
+        };
+        warning?: string;
+        error?: string;
       };
-    };
-    warning?: string;
-    error?: string;
-  };
 
-  if (!res.ok || payload?.success === false) {
-    const detail = payload?.error ?? "";
-    throw new Error(
-      `Firecrawl fetch failed (${res.status}): ${wrapWebContent(detail || res.statusText, "web_fetch")}`.trim(),
-    );
-  }
+      if (!response.ok || payload?.success === false) {
+        const detail = payload?.error ?? "";
+        throw new Error(
+          `Firecrawl fetch failed (${response.status}): ${wrapWebContent(detail || response.statusText, "web_fetch")}`.trim(),
+        );
+      }
 
-  const data = payload?.data ?? {};
-  const rawText =
-    typeof data.markdown === "string"
-      ? data.markdown
-      : typeof data.content === "string"
-        ? data.content
-        : "";
-  const text = params.extractMode === "text" ? markdownToText(rawText) : rawText;
-  return {
-    text,
-    title: data.metadata?.title,
-    finalUrl: data.metadata?.sourceURL,
-    status: data.metadata?.statusCode,
-    warning: payload?.warning,
-  };
+      const data = payload?.data ?? {};
+      const rawText =
+        typeof data.markdown === "string"
+          ? data.markdown
+          : typeof data.content === "string"
+            ? data.content
+            : "";
+      const text = params.extractMode === "text" ? markdownToText(rawText) : rawText;
+      return {
+        text,
+        title: data.metadata?.title,
+        finalUrl: data.metadata?.sourceURL,
+        status: data.metadata?.statusCode,
+        warning: payload?.warning,
+      };
+    },
+  );
 }
 
 type FirecrawlRuntimeParams = {
@@ -629,9 +635,19 @@ async function runWebFetch(params: WebFetchRuntimeParams): Promise<Record<string
             title = firecrawl.title;
             extractor = "firecrawl";
           } else {
-            throw new Error(
-              "Web fetch extraction failed: Readability and Firecrawl returned no content.",
-            );
+            const basic = await extractBasicHtmlContent({
+              html: body,
+              extractMode: params.extractMode,
+            });
+            if (basic?.text) {
+              text = basic.text;
+              title = basic.title;
+              extractor = "raw-html";
+            } else {
+              throw new Error(
+                "Web fetch extraction failed: Readability, Firecrawl, and basic HTML cleanup returned no content.",
+              );
+            }
           }
         }
       } else {
@@ -784,3 +800,7 @@ export function createWebFetchTool(options?: {
     },
   };
 }
+
+export const __testing = {
+  resolveFirecrawlBaseUrl,
+};
diff --git a/src/agents/tools/web-search-core.ts b/src/agents/tools/web-search-core.ts
new file mode 100644
index 00000000000..bebc659c306
--- /dev/null
+++ b/src/agents/tools/web-search-core.ts
@@ -0,0 +1,2242 @@
+import { Type } from "@sinclair/typebox";
+import { formatCliCommand } from "../../cli/command-format.js";
+import type { OpenClawConfig } from "../../config/config.js";
+import { normalizeResolvedSecretInputString } from "../../config/types.secrets.js";
+import { logVerbose } from "../../globals.js";
+import type { RuntimeWebSearchMetadata } from "../../secrets/runtime-web-tools.types.js";
+import { wrapWebContent } from "../../security/external-content.js";
+import { normalizeSecretInput } from "../../utils/normalize-secret-input.js";
+import type { AnyAgentTool } from "./common.js";
+import { jsonResult, readNumberParam, readStringArrayParam, readStringParam } from "./common.js";
+import { withTrustedWebToolsEndpoint } from "./web-guarded-fetch.js";
+import { resolveCitationRedirectUrl } from "./web-search-citation-redirect.js";
+import {
+  CacheEntry,
+  DEFAULT_CACHE_TTL_MINUTES,
+  DEFAULT_TIMEOUT_SECONDS,
+  normalizeCacheKey,
+  readCache,
+  readResponseText,
+  resolveCacheTtlMs,
+  resolveTimeoutSeconds,
+  writeCache,
+} from "./web-shared.js";
+
+const SEARCH_PROVIDERS = ["brave", "gemini", "grok", "kimi", "perplexity"] as const;
+type SearchProvider = (typeof SEARCH_PROVIDERS)[number];
+const DEFAULT_SEARCH_COUNT = 5;
+const MAX_SEARCH_COUNT = 10;
+
+const BRAVE_SEARCH_ENDPOINT = "https://api.search.brave.com/res/v1/web/search";
+const BRAVE_LLM_CONTEXT_ENDPOINT = "https://api.search.brave.com/res/v1/llm/context";
+const DEFAULT_PERPLEXITY_BASE_URL = "https://openrouter.ai/api/v1";
+const PERPLEXITY_DIRECT_BASE_URL = "https://api.perplexity.ai";
+const PERPLEXITY_SEARCH_ENDPOINT = "https://api.perplexity.ai/search";
+const DEFAULT_PERPLEXITY_MODEL = "perplexity/sonar-pro";
+const PERPLEXITY_KEY_PREFIXES = ["pplx-"];
+const OPENROUTER_KEY_PREFIXES = ["sk-or-"];
+
+const XAI_API_ENDPOINT = "https://api.x.ai/v1/responses";
+const DEFAULT_GROK_MODEL = "grok-4-1-fast";
+const DEFAULT_KIMI_BASE_URL = "https://api.moonshot.ai/v1";
+const DEFAULT_KIMI_MODEL = "moonshot-v1-128k";
+const KIMI_WEB_SEARCH_TOOL = {
+  type: "builtin_function",
+  function: { name: "$web_search" },
+} as const;
+
+const SEARCH_CACHE_KEY = Symbol.for("openclaw.web-search.cache");
+
+function getSharedSearchCache(): Map<string, CacheEntry<Record<string, unknown>>> {
+  const root = globalThis as Record<PropertyKey, unknown>;
+  const existing = root[SEARCH_CACHE_KEY];
+  if (existing instanceof Map) {
+    return existing as Map<string, CacheEntry<Record<string, unknown>>>;
+  }
+  const next = new Map<string, CacheEntry<Record<string, unknown>>>();
+  root[SEARCH_CACHE_KEY] = next;
+  return next;
+}
+
+const SEARCH_CACHE = getSharedSearchCache();
+const BRAVE_FRESHNESS_SHORTCUTS = new Set(["pd", "pw", "pm", "py"]);
+const BRAVE_FRESHNESS_RANGE = /^(\d{4}-\d{2}-\d{2})to(\d{4}-\d{2}-\d{2})$/;
+const BRAVE_SEARCH_LANG_CODES = new Set([
+  "ar",
+  "eu",
+  "bn",
+  "bg",
+  "ca",
+  "zh-hans",
+  "zh-hant",
+  "hr",
+  "cs",
+  "da",
+  "nl",
+  "en",
+  "en-gb",
+  "et",
+  "fi",
+  "fr",
+  "gl",
+  "de",
+  "el",
+  "gu",
+  "he",
+  "hi",
+  "hu",
+  "is",
+  "it",
+  "jp",
+  "kn",
+  "ko",
+  "lv",
+  "lt",
+  "ms",
+  "ml",
+  "mr",
+  "nb",
+  "pl",
+  "pt-br",
+  "pt-pt",
+  "pa",
+  "ro",
+  "ru",
+  "sr",
+  "sk",
+  "sl",
+  "es",
+  "sv",
+  "ta",
+  "te",
+  "th",
+  "tr",
+  "uk",
+  "vi",
+]);
+const BRAVE_SEARCH_LANG_ALIASES: Record<string, string> = {
+  ja: "jp",
+  zh: "zh-hans",
+  "zh-cn": "zh-hans",
+  "zh-hk": "zh-hant",
+  "zh-sg": "zh-hans",
+  "zh-tw": "zh-hant",
+};
+const BRAVE_UI_LANG_LOCALE = /^([a-z]{2})-([a-z]{2})$/i;
+const PERPLEXITY_RECENCY_VALUES = new Set(["day", "week", "month", "year"]);
+
+const FRESHNESS_TO_RECENCY: Record<string, string> = {
+  pd: "day",
+  pw: "week",
+  pm: "month",
+  py: "year",
+};
+const RECENCY_TO_FRESHNESS: Record<string, string> = {
+  day: "pd",
+  week: "pw",
+  month: "pm",
+  year: "py",
+};
+
+const ISO_DATE_PATTERN = /^(\d{4})-(\d{2})-(\d{2})$/;
+const PERPLEXITY_DATE_PATTERN = /^(\d{1,2})\/(\d{1,2})\/(\d{4})$/;
+
+function isoToPerplexityDate(iso: string): string | undefined {
+  const match = iso.match(ISO_DATE_PATTERN);
+  if (!match) {
+    return undefined;
+  }
+  const [, year, month, day] = match;
+  return `${parseInt(month, 10)}/${parseInt(day, 10)}/${year}`;
+}
+
+function normalizeToIsoDate(value: string): string | undefined {
+  const trimmed = value.trim();
+  if (ISO_DATE_PATTERN.test(trimmed)) {
+    return isValidIsoDate(trimmed) ? trimmed : undefined;
+  }
+  const match = trimmed.match(PERPLEXITY_DATE_PATTERN);
+  if (match) {
+    const [, month, day, year] = match;
+    const iso = `${year}-${month.padStart(2, "0")}-${day.padStart(2, "0")}`;
+    return isValidIsoDate(iso) ? iso : undefined;
+  }
+  return undefined;
+}
+
+function createWebSearchSchema(params: {
+  provider: (typeof SEARCH_PROVIDERS)[number];
+  perplexityTransport?: PerplexityTransport;
+}) {
+  const querySchema = {
+    query: Type.String({ description: "Search query string." }),
+    count: Type.Optional(
+      Type.Number({
+        description: "Number of results to return (1-10).",
+        minimum: 1,
+        maximum: MAX_SEARCH_COUNT,
+      }),
+    ),
+  } as const;
+
+  const filterSchema = {
+    country: Type.Optional(
+      Type.String({
+        description:
+          "2-letter country code for region-specific results (e.g., 'DE', 'US', 'ALL'). Default: 'US'.",
+      }),
+    ),
+    language: Type.Optional(
+      Type.String({
+        description: "ISO 639-1 language code for results (e.g., 'en', 'de', 'fr').",
+      }),
+    ),
+    freshness: Type.Optional(
+      Type.String({
+        description: "Filter by time: 'day' (24h), 'week', 'month', or 'year'.",
+      }),
+    ),
+    date_after: Type.Optional(
+      Type.String({
+        description: "Only results published after this date (YYYY-MM-DD).",
+      }),
+    ),
+    date_before: Type.Optional(
+      Type.String({
+        description: "Only results published before this date (YYYY-MM-DD).",
+      }),
+    ),
+  } as const;
+
+  const perplexityStructuredFilterSchema = {
+    country: Type.Optional(
+      Type.String({
+        description:
+          "Native Perplexity Search API only. 2-letter country code for region-specific results (e.g., 'DE', 'US', 'ALL'). Default: 'US'.",
+      }),
+    ),
+    language: Type.Optional(
+      Type.String({
+        description:
+          "Native Perplexity Search API only. ISO 639-1 language code for results (e.g., 'en', 'de', 'fr').",
+      }),
+    ),
+    date_after: Type.Optional(
+      Type.String({
+        description:
+          "Native Perplexity Search API only. Only results published after this date (YYYY-MM-DD).",
+      }),
+    ),
+    date_before: Type.Optional(
+      Type.String({
+        description:
+          "Native Perplexity Search API only. Only results published before this date (YYYY-MM-DD).",
+      }),
+    ),
+  } as const;
+
+  if (params.provider === "brave") {
+    return Type.Object({
+      ...querySchema,
+      ...filterSchema,
+      search_lang: Type.Optional(
+        Type.String({
+          description:
+            "Brave language code for search results (e.g., 'en', 'de', 'en-gb', 'zh-hans', 'zh-hant', 'pt-br').",
+        }),
+      ),
+      ui_lang: Type.Optional(
+        Type.String({
+          description:
+            "Locale code for UI elements in language-region format (e.g., 'en-US', 'de-DE', 'fr-FR', 'tr-TR'). Must include region subtag.",
+        }),
+      ),
+    });
+  }
+
+  if (params.provider === "perplexity") {
+    if (params.perplexityTransport === "chat_completions") {
+      return Type.Object({
+        ...querySchema,
+        freshness: filterSchema.freshness,
+      });
+    }
+    return Type.Object({
+      ...querySchema,
+      freshness: filterSchema.freshness,
+      ...perplexityStructuredFilterSchema,
+      domain_filter: Type.Optional(
+        Type.Array(Type.String(), {
+          description:
+            "Native Perplexity Search API only. Domain filter (max 20). Allowlist: ['nature.com'] or denylist: ['-reddit.com']. Cannot mix.",
+        }),
+      ),
+      max_tokens: Type.Optional(
+        Type.Number({
+          description:
+            "Native Perplexity Search API only. Total content budget across all results (default: 25000, max: 1000000).",
+          minimum: 1,
+          maximum: 1000000,
+        }),
+      ),
+      max_tokens_per_page: Type.Optional(
+        Type.Number({
+          description:
+            "Native Perplexity Search API only. Max tokens extracted per page (default: 2048).",
+          minimum: 1,
+        }),
+      ),
+    });
+  }
+
+  // grok, gemini, kimi, etc.
+  return Type.Object({
+    ...querySchema,
+    ...filterSchema,
+  });
+}
+
+type WebSearchConfig = NonNullable<OpenClawConfig["tools"]>["web"] extends infer Web
+  ? Web extends { search?: infer Search }
+    ? Search
+    : undefined
+  : undefined;
+
+type BraveSearchResult = {
+  title?: string;
+  url?: string;
+  description?: string;
+  age?: string;
+};
+
+type BraveSearchResponse = {
+  web?: {
+    results?: BraveSearchResult[];
+  };
+};
+
+type BraveLlmContextResult = { url: string; title: string; snippets: string[] };
+type BraveLlmContextResponse = {
+  grounding: { generic?: BraveLlmContextResult[] };
+  sources?: { url?: string; hostname?: string; date?: string }[];
+};
+
+type BraveConfig = {
+  mode?: string;
+};
+
+type PerplexityConfig = {
+  apiKey?: string;
+  baseUrl?: string;
+  model?: string;
+};
+
+type PerplexityApiKeySource = "config" | "perplexity_env" | "openrouter_env" | "none";
+type PerplexityTransport = "search_api" | "chat_completions";
+type PerplexityBaseUrlHint = "direct" | "openrouter";
+
+type GrokConfig = {
+  apiKey?: string;
+  model?: string;
+  inlineCitations?: boolean;
+};
+
+type KimiConfig = {
+  apiKey?: string;
+  baseUrl?: string;
+  model?: string;
+};
+
+type GrokSearchResponse = {
+  output?: Array<{
+    type?: string;
+    role?: string;
+    text?: string; // present when type === "output_text" (top-level output_text block)
+    content?: Array<{
+      type?: string;
+      text?: string;
+      annotations?: Array<{
+        type?: string;
+        url?: string;
+        start_index?: number;
+        end_index?: number;
+      }>;
+    }>;
+    annotations?: Array<{
+      type?: string;
+      url?: string;
+      start_index?: number;
+      end_index?: number;
+    }>;
+  }>;
+  output_text?: string; // deprecated field - kept for backwards compatibility
+  citations?: string[];
+  inline_citations?: Array<{
+    start_index: number;
+    end_index: number;
+    url: string;
+  }>;
+};
+
+type KimiToolCall = {
+  id?: string;
+  type?: string;
+  function?: {
+    name?: string;
+    arguments?: string;
+  };
+};
+
+type KimiMessage = {
+  role?: string;
+  content?: string;
+  reasoning_content?: string;
+  tool_calls?: KimiToolCall[];
+};
+
+type KimiSearchResponse = {
+  choices?: Array<{
+    finish_reason?: string;
+    message?: KimiMessage;
+  }>;
+  search_results?: Array<{
+    title?: string;
+    url?: string;
+    content?: string;
+  }>;
+};
+
+type PerplexitySearchResponse = {
+  choices?: Array<{
+    message?: {
+      content?: string;
+      annotations?: Array<{
+        type?: string;
+        url?: string;
+        url_citation?: {
+          url?: string;
+          title?: string;
+          start_index?: number;
+          end_index?: number;
+        };
+      }>;
+    };
+  }>;
+  citations?: string[];
+};
+
+type PerplexitySearchApiResult = {
+  title?: string;
+  url?: string;
+  snippet?: string;
+  date?: string;
+  last_updated?: string;
+};
+
+type PerplexitySearchApiResponse = {
+  results?: PerplexitySearchApiResult[];
+  id?: string;
+};
+
+function extractPerplexityCitations(data: PerplexitySearchResponse): string[] {
+  const normalizeUrl = (value: unknown): string | undefined => {
+    if (typeof value !== "string") {
+      return undefined;
+    }
+    const trimmed = value.trim();
+    return trimmed ? trimmed : undefined;
+  };
+
+  const topLevel = (data.citations ?? [])
+    .map(normalizeUrl)
+    .filter((url): url is string => Boolean(url));
+  if (topLevel.length > 0) {
+    return [...new Set(topLevel)];
+  }
+
+  const citations: string[] = [];
+  for (const choice of data.choices ?? []) {
+    for (const annotation of choice.message?.annotations ?? []) {
+      if (annotation.type !== "url_citation") {
+        continue;
+      }
+      const url = normalizeUrl(annotation.url_citation?.url ?? annotation.url);
+      if (url) {
+        citations.push(url);
+      }
+    }
+  }
+
+  return [...new Set(citations)];
+}
+
+function extractGrokContent(data: GrokSearchResponse): {
+  text: string | undefined;
+  annotationCitations: string[];
+} {
+  // xAI Responses API format: find the message output with text content
+  for (const output of data.output ?? []) {
+    if (output.type === "message") {
+      for (const block of output.content ?? []) {
+        if (block.type === "output_text" && typeof block.text === "string" && block.text) {
+          const urls = (block.annotations ?? [])
+            .filter((a) => a.type === "url_citation" && typeof a.url === "string")
+            .map((a) => a.url as string);
+          return { text: block.text, annotationCitations: [...new Set(urls)] };
+        }
+      }
+    }
+    // Some xAI responses place output_text blocks directly in the output array
+    // without a message wrapper.
+    if (
+      output.type === "output_text" &&
+      "text" in output &&
+      typeof output.text === "string" &&
+      output.text
+    ) {
+      const rawAnnotations =
+        "annotations" in output && Array.isArray(output.annotations) ? output.annotations : [];
+      const urls = rawAnnotations
+        .filter(
+          (a: Record<string, unknown>) => a.type === "url_citation" && typeof a.url === "string",
+        )
+        .map((a: Record<string, unknown>) => a.url as string);
+      return { text: output.text, annotationCitations: [...new Set(urls)] };
+    }
+  }
+  // Fallback: deprecated output_text field
+  const text = typeof data.output_text === "string" ? data.output_text : undefined;
+  return { text, annotationCitations: [] };
+}
+
+type GeminiConfig = {
+  apiKey?: string;
+  model?: string;
+};
+
+type GeminiGroundingResponse = {
+  candidates?: Array<{
+    content?: {
+      parts?: Array<{
+        text?: string;
+      }>;
+    };
+    groundingMetadata?: {
+      groundingChunks?: Array<{
+        web?: {
+          uri?: string;
+          title?: string;
+        };
+      }>;
+      searchEntryPoint?: {
+        renderedContent?: string;
+      };
+      webSearchQueries?: string[];
+    };
+  }>;
+  error?: {
+    code?: number;
+    message?: string;
+    status?: string;
+  };
+};
+
+const DEFAULT_GEMINI_MODEL = "gemini-2.5-flash";
+const GEMINI_API_BASE = "https://generativelanguage.googleapis.com/v1beta";
+
+function resolveSearchConfig(cfg?: OpenClawConfig): WebSearchConfig {
+  const search = cfg?.tools?.web?.search;
+  if (!search || typeof search !== "object") {
+    return undefined;
+  }
+  return search as WebSearchConfig;
+}
+
+function resolveSearchEnabled(params: { search?: WebSearchConfig; sandboxed?: boolean }): boolean {
+  if (typeof params.search?.enabled === "boolean") {
+    return params.search.enabled;
+  }
+  if (params.sandboxed) {
+    return true;
+  }
+  return true;
+}
+
+function resolveSearchApiKey(search?: WebSearchConfig): string | undefined {
+  const fromConfigRaw =
+    search && "apiKey" in search
+      ? normalizeResolvedSecretInputString({
+          value: search.apiKey,
+          path: "tools.web.search.apiKey",
+        })
+      : undefined;
+  const fromConfig = normalizeSecretInput(fromConfigRaw);
+  const fromEnv = normalizeSecretInput(process.env.BRAVE_API_KEY);
+  return fromConfig || fromEnv || undefined;
+}
+
+function missingSearchKeyPayload(provider: (typeof SEARCH_PROVIDERS)[number]) {
+  if (provider === "brave") {
+    return {
+      error: "missing_brave_api_key",
+      message: `web_search (brave) needs a Brave Search API key. Run \`${formatCliCommand("openclaw configure --section web")}\` to store it, or set BRAVE_API_KEY in the Gateway environment.`,
+      docs: "https://docs.openclaw.ai/tools/web",
+    };
+  }
+  if (provider === "gemini") {
+    return {
+      error: "missing_gemini_api_key",
+      message:
+        "web_search (gemini) needs an API key. Set GEMINI_API_KEY in the Gateway environment, or configure tools.web.search.gemini.apiKey.",
+      docs: "https://docs.openclaw.ai/tools/web",
+    };
+  }
+  if (provider === "grok") {
+    return {
+      error: "missing_xai_api_key",
+      message:
+        "web_search (grok) needs an xAI API key. Set XAI_API_KEY in the Gateway environment, or configure tools.web.search.grok.apiKey.",
+      docs: "https://docs.openclaw.ai/tools/web",
+    };
+  }
+  if (provider === "kimi") {
+    return {
+      error: "missing_kimi_api_key",
+      message:
+        "web_search (kimi) needs a Moonshot API key. Set KIMI_API_KEY or MOONSHOT_API_KEY in the Gateway environment, or configure tools.web.search.kimi.apiKey.",
+      docs: "https://docs.openclaw.ai/tools/web",
+    };
+  }
+  return {
+    error: "missing_perplexity_api_key",
+    message:
+      "web_search (perplexity) needs an API key. Set PERPLEXITY_API_KEY or OPENROUTER_API_KEY in the Gateway environment, or configure tools.web.search.perplexity.apiKey.",
+    docs: "https://docs.openclaw.ai/tools/web",
+  };
+}
+
+function isSearchProvider(value: string): value is SearchProvider {
+  return SEARCH_PROVIDERS.includes(value as SearchProvider);
+}
+
+function resolveSearchProvider(search?: WebSearchConfig): (typeof SEARCH_PROVIDERS)[number] {
+  const raw =
+    search && "provider" in search && typeof search.provider === "string"
+      ? search.provider.trim().toLowerCase()
+      : "";
+  if (raw === "brave") {
+    return "brave";
+  }
+  if (raw === "gemini") {
+    return "gemini";
+  }
+  if (raw === "grok") {
+    return "grok";
+  }
+  if (raw === "kimi") {
+    return "kimi";
+  }
+  if (raw === "perplexity") {
+    return "perplexity";
+  }
+
+  // Auto-detect provider from available API keys (alphabetical order)
+  if (raw === "") {
+    // Brave
+    if (resolveSearchApiKey(search)) {
+      logVerbose(
+        'web_search: no provider configured, auto-detected "brave" from available API keys',
+      );
+      return "brave";
+    }
+    // Gemini
+    const geminiConfig = resolveGeminiConfig(search);
+    if (resolveGeminiApiKey(geminiConfig)) {
+      logVerbose(
+        'web_search: no provider configured, auto-detected "gemini" from available API keys',
+      );
+      return "gemini";
+    }
+    // Grok
+    const grokConfig = resolveGrokConfig(search);
+    if (resolveGrokApiKey(grokConfig)) {
+      logVerbose(
+        'web_search: no provider configured, auto-detected "grok" from available API keys',
+      );
+      return "grok";
+    }
+    // Kimi
+    const kimiConfig = resolveKimiConfig(search);
+    if (resolveKimiApiKey(kimiConfig)) {
+      logVerbose(
+        'web_search: no provider configured, auto-detected "kimi" from available API keys',
+      );
+      return "kimi";
+    }
+    // Perplexity
+    const perplexityConfig = resolvePerplexityConfig(search);
+    const { apiKey: perplexityKey } = resolvePerplexityApiKey(perplexityConfig);
+    if (perplexityKey) {
+      logVerbose(
+        'web_search: no provider configured, auto-detected "perplexity" from available API keys',
+      );
+      return "perplexity";
+    }
+  }
+
+  return "brave";
+}
+
+function resolveBraveConfig(search?: WebSearchConfig): BraveConfig {
+  if (!search || typeof search !== "object") {
+    return {};
+  }
+  const brave = "brave" in search ? search.brave : undefined;
+  if (!brave || typeof brave !== "object") {
+    return {};
+  }
+  return brave as BraveConfig;
+}
+
+function resolveBraveMode(brave: BraveConfig): "web" | "llm-context" {
+  return brave.mode === "llm-context" ? "llm-context" : "web";
+}
+
+function resolvePerplexityConfig(search?: WebSearchConfig): PerplexityConfig {
+  if (!search || typeof search !== "object") {
+    return {};
+  }
+  const perplexity = "perplexity" in search ? search.perplexity : undefined;
+  if (!perplexity || typeof perplexity !== "object") {
+    return {};
+  }
+  return perplexity as PerplexityConfig;
+}
+
+function resolvePerplexityApiKey(perplexity?: PerplexityConfig): {
+  apiKey?: string;
+  source: PerplexityApiKeySource;
+} {
+  const fromConfig = normalizeApiKey(perplexity?.apiKey);
+  if (fromConfig) {
+    return { apiKey: fromConfig, source: "config" };
+  }
+
+  const fromEnvPerplexity = normalizeApiKey(process.env.PERPLEXITY_API_KEY);
+  if (fromEnvPerplexity) {
+    return { apiKey: fromEnvPerplexity, source: "perplexity_env" };
+  }
+
+  const fromEnvOpenRouter = normalizeApiKey(process.env.OPENROUTER_API_KEY);
+  if (fromEnvOpenRouter) {
+    return { apiKey: fromEnvOpenRouter, source: "openrouter_env" };
+  }
+
+  return { apiKey: undefined, source: "none" };
+}
+
+function normalizeApiKey(key: unknown): string {
+  return normalizeSecretInput(key);
+}
+
+function inferPerplexityBaseUrlFromApiKey(apiKey?: string): PerplexityBaseUrlHint | undefined {
+  if (!apiKey) {
+    return undefined;
+  }
+  const normalized = apiKey.toLowerCase();
+  if (PERPLEXITY_KEY_PREFIXES.some((prefix) => normalized.startsWith(prefix))) {
+    return "direct";
+  }
+  if (OPENROUTER_KEY_PREFIXES.some((prefix) => normalized.startsWith(prefix))) {
+    return "openrouter";
+  }
+  return undefined;
+}
+
+function resolvePerplexityBaseUrl(
+  perplexity?: PerplexityConfig,
+  authSource: PerplexityApiKeySource = "none", // pragma: allowlist secret
+  configuredKey?: string,
+): string {
+  const fromConfig =
+    perplexity && "baseUrl" in perplexity && typeof perplexity.baseUrl === "string"
+      ? perplexity.baseUrl.trim()
+      : "";
+  if (fromConfig) {
+    return fromConfig;
+  }
+  if (authSource === "perplexity_env") {
+    return PERPLEXITY_DIRECT_BASE_URL;
+  }
+  if (authSource === "openrouter_env") {
+    return DEFAULT_PERPLEXITY_BASE_URL;
+  }
+  if (authSource === "config") {
+    const inferred = inferPerplexityBaseUrlFromApiKey(configuredKey);
+    if (inferred === "openrouter") {
+      return DEFAULT_PERPLEXITY_BASE_URL;
+    }
+    return PERPLEXITY_DIRECT_BASE_URL;
+  }
+  return DEFAULT_PERPLEXITY_BASE_URL;
+}
+
+function resolvePerplexityModel(perplexity?: PerplexityConfig): string {
+  const fromConfig =
+    perplexity && "model" in perplexity && typeof perplexity.model === "string"
+      ? perplexity.model.trim()
+      : "";
+  return fromConfig || DEFAULT_PERPLEXITY_MODEL;
+}
+
+function isDirectPerplexityBaseUrl(baseUrl: string): boolean {
+  const trimmed = baseUrl.trim();
+  if (!trimmed) {
+    return false;
+  }
+  try {
+    return new URL(trimmed).hostname.toLowerCase() === "api.perplexity.ai";
+  } catch {
+    return false;
+  }
+}
+
+function resolvePerplexityRequestModel(baseUrl: string, model: string): string {
+  if (!isDirectPerplexityBaseUrl(baseUrl)) {
+    return model;
+  }
+  return model.startsWith("perplexity/") ? model.slice("perplexity/".length) : model;
+}
+
+function resolvePerplexityTransport(perplexity?: PerplexityConfig): {
+  apiKey?: string;
+  source: PerplexityApiKeySource;
+  baseUrl: string;
+  model: string;
+  transport: PerplexityTransport;
+} {
+  const auth = resolvePerplexityApiKey(perplexity);
+  const baseUrl = resolvePerplexityBaseUrl(perplexity, auth.source, auth.apiKey);
+  const model = resolvePerplexityModel(perplexity);
+  const hasLegacyOverride = Boolean(
+    (perplexity?.baseUrl && perplexity.baseUrl.trim()) ||
+    (perplexity?.model && perplexity.model.trim()),
+  );
+  return {
+    ...auth,
+    baseUrl,
+    model,
+    transport:
+      hasLegacyOverride || !isDirectPerplexityBaseUrl(baseUrl) ? "chat_completions" : "search_api",
+  };
+}
+
+function resolvePerplexitySchemaTransportHint(
+  perplexity?: PerplexityConfig,
+): PerplexityTransport | undefined {
+  const hasLegacyOverride = Boolean(
+    (perplexity?.baseUrl && perplexity.baseUrl.trim()) ||
+    (perplexity?.model && perplexity.model.trim()),
+  );
+  return hasLegacyOverride ? "chat_completions" : undefined;
+}
+
+function resolveGrokConfig(search?: WebSearchConfig): GrokConfig {
+  if (!search || typeof search !== "object") {
+    return {};
+  }
+  const grok = "grok" in search ? search.grok : undefined;
+  if (!grok || typeof grok !== "object") {
+    return {};
+  }
+  return grok as GrokConfig;
+}
+
+function resolveGrokApiKey(grok?: GrokConfig): string | undefined {
+  const fromConfig = normalizeApiKey(grok?.apiKey);
+  if (fromConfig) {
+    return fromConfig;
+  }
+  const fromEnv = normalizeApiKey(process.env.XAI_API_KEY);
+  return fromEnv || undefined;
+}
+
+function resolveGrokModel(grok?: GrokConfig): string {
+  const fromConfig =
+    grok && "model" in grok && typeof grok.model === "string" ? grok.model.trim() : "";
+  return fromConfig || DEFAULT_GROK_MODEL;
+}
+
+function resolveGrokInlineCitations(grok?: GrokConfig): boolean {
+  return grok?.inlineCitations === true;
+}
+
+function resolveKimiConfig(search?: WebSearchConfig): KimiConfig {
+  if (!search || typeof search !== "object") {
+    return {};
+  }
+  const kimi = "kimi" in search ? search.kimi : undefined;
+  if (!kimi || typeof kimi !== "object") {
+    return {};
+  }
+  return kimi as KimiConfig;
+}
+
+function resolveKimiApiKey(kimi?: KimiConfig): string | undefined {
+  const fromConfig = normalizeApiKey(kimi?.apiKey);
+  if (fromConfig) {
+    return fromConfig;
+  }
+  const fromEnvKimi = normalizeApiKey(process.env.KIMI_API_KEY);
+  if (fromEnvKimi) {
+    return fromEnvKimi;
+  }
+  const fromEnvMoonshot = normalizeApiKey(process.env.MOONSHOT_API_KEY);
+  return fromEnvMoonshot || undefined;
+}
+
+function resolveKimiModel(kimi?: KimiConfig): string {
+  const fromConfig =
+    kimi && "model" in kimi && typeof kimi.model === "string" ? kimi.model.trim() : "";
+  return fromConfig || DEFAULT_KIMI_MODEL;
+}
+
+function resolveKimiBaseUrl(kimi?: KimiConfig): string {
+  const fromConfig =
+    kimi && "baseUrl" in kimi && typeof kimi.baseUrl === "string" ? kimi.baseUrl.trim() : "";
+  return fromConfig || DEFAULT_KIMI_BASE_URL;
+}
+
+function resolveGeminiConfig(search?: WebSearchConfig): GeminiConfig {
+  if (!search || typeof search !== "object") {
+    return {};
+  }
+  const gemini = "gemini" in search ? search.gemini : undefined;
+  if (!gemini || typeof gemini !== "object") {
+    return {};
+  }
+  return gemini as GeminiConfig;
+}
+
+function resolveGeminiApiKey(gemini?: GeminiConfig): string | undefined {
+  const fromConfig = normalizeApiKey(gemini?.apiKey);
+  if (fromConfig) {
+    return fromConfig;
+  }
+  const fromEnv = normalizeApiKey(process.env.GEMINI_API_KEY);
+  return fromEnv || undefined;
+}
+
+function resolveGeminiModel(gemini?: GeminiConfig): string {
+  const fromConfig =
+    gemini && "model" in gemini && typeof gemini.model === "string" ? gemini.model.trim() : "";
+  return fromConfig || DEFAULT_GEMINI_MODEL;
+}
+
+async function withTrustedWebSearchEndpoint<T>(
+  params: {
+    url: string;
+    timeoutSeconds: number;
+    init: RequestInit;
+  },
+  run: (response: Response) => Promise<T>,
+): Promise<T> {
+  return withTrustedWebToolsEndpoint(
+    {
+      url: params.url,
+      init: params.init,
+      timeoutSeconds: params.timeoutSeconds,
+    },
+    async ({ response }) => run(response),
+  );
+}
+
+async function runGeminiSearch(params: {
+  query: string;
+  apiKey: string;
+  model: string;
+  timeoutSeconds: number;
+}): Promise<{ content: string; citations: Array<{ url: string; title?: string }> }> {
+  const endpoint = `${GEMINI_API_BASE}/models/${params.model}:generateContent`;
+
+  return withTrustedWebSearchEndpoint(
+    {
+      url: endpoint,
+      timeoutSeconds: params.timeoutSeconds,
+      init: {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "x-goog-api-key": params.apiKey,
+        },
+        body: JSON.stringify({
+          contents: [
+            {
+              parts: [{ text: params.query }],
+            },
+          ],
+          tools: [{ google_search: {} }],
+        }),
+      },
+    },
+    async (res) => {
+      if (!res.ok) {
+        const detailResult = await readResponseText(res, { maxBytes: 64_000 });
+        // Strip API key from any error detail to prevent accidental key leakage in logs
+        const safeDetail = (detailResult.text || res.statusText).replace(
+          /key=[^&\s]+/gi,
+          "key=***",
+        );
+        throw new Error(`Gemini API error (${res.status}): ${safeDetail}`);
+      }
+
+      let data: GeminiGroundingResponse;
+      try {
+        data = (await res.json()) as GeminiGroundingResponse;
+      } catch (err) {
+        const safeError = String(err).replace(/key=[^&\s]+/gi, "key=***");
+        throw new Error(`Gemini API returned invalid JSON: ${safeError}`, { cause: err });
+      }
+
+      if (data.error) {
+        const rawMsg = data.error.message || data.error.status || "unknown";
+        const safeMsg = rawMsg.replace(/key=[^&\s]+/gi, "key=***");
+        throw new Error(`Gemini API error (${data.error.code}): ${safeMsg}`);
+      }
+
+      const candidate = data.candidates?.[0];
+      const content =
+        candidate?.content?.parts
+          ?.map((p) => p.text)
+          .filter(Boolean)
+          .join("\n") ?? "No response";
+
+      const groundingChunks = candidate?.groundingMetadata?.groundingChunks ?? [];
+      const rawCitations = groundingChunks
+        .filter((chunk) => chunk.web?.uri)
+        .map((chunk) => ({
+          url: chunk.web!.uri!,
+          title: chunk.web?.title || undefined,
+        }));
+
+      // Resolve Google grounding redirect URLs to direct URLs with concurrency cap.
+      // Gemini typically returns 3-8 citations; cap at 10 concurrent to be safe.
+      const MAX_CONCURRENT_REDIRECTS = 10;
+      const citations: Array<{ url: string; title?: string }> = [];
+      for (let i = 0; i < rawCitations.length; i += MAX_CONCURRENT_REDIRECTS) {
+        const batch = rawCitations.slice(i, i + MAX_CONCURRENT_REDIRECTS);
+        const resolved = await Promise.all(
+          batch.map(async (citation) => {
+            const resolvedUrl = await resolveCitationRedirectUrl(citation.url);
+            return { ...citation, url: resolvedUrl };
+          }),
+        );
+        citations.push(...resolved);
+      }
+
+      return { content, citations };
+    },
+  );
+}
+
+function resolveSearchCount(value: unknown, fallback: number): number {
+  const parsed = typeof value === "number" && Number.isFinite(value) ? value : fallback;
+  const clamped = Math.max(1, Math.min(MAX_SEARCH_COUNT, Math.floor(parsed)));
+  return clamped;
+}
+
+function normalizeBraveSearchLang(value: string | undefined): string | undefined {
+  if (!value) {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return undefined;
+  }
+  const canonical = BRAVE_SEARCH_LANG_ALIASES[trimmed.toLowerCase()] ?? trimmed.toLowerCase();
+  if (!BRAVE_SEARCH_LANG_CODES.has(canonical)) {
+    return undefined;
+  }
+  return canonical;
+}
+
+function normalizeBraveUiLang(value: string | undefined): string | undefined {
+  if (!value) {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return undefined;
+  }
+  const match = trimmed.match(BRAVE_UI_LANG_LOCALE);
+  if (!match) {
+    return undefined;
+  }
+  const [, language, region] = match;
+  return `${language.toLowerCase()}-${region.toUpperCase()}`;
+}
+
+function normalizeBraveLanguageParams(params: { search_lang?: string; ui_lang?: string }): {
+  search_lang?: string;
+  ui_lang?: string;
+  invalidField?: "search_lang" | "ui_lang";
+} {
+  const rawSearchLang = params.search_lang?.trim() || undefined;
+  const rawUiLang = params.ui_lang?.trim() || undefined;
+  let searchLangCandidate = rawSearchLang;
+  let uiLangCandidate = rawUiLang;
+
+  // Recover common LLM mix-up: locale in search_lang + short code in ui_lang.
+  if (normalizeBraveUiLang(rawSearchLang) && normalizeBraveSearchLang(rawUiLang)) {
+    searchLangCandidate = rawUiLang;
+    uiLangCandidate = rawSearchLang;
+  }
+
+  const search_lang = normalizeBraveSearchLang(searchLangCandidate);
+  if (searchLangCandidate && !search_lang) {
+    return { invalidField: "search_lang" };
+  }
+
+  const ui_lang = normalizeBraveUiLang(uiLangCandidate);
+  if (uiLangCandidate && !ui_lang) {
+    return { invalidField: "ui_lang" };
+  }
+
+  return { search_lang, ui_lang };
+}
+
+/**
+ * Normalizes freshness shortcut to the provider's expected format.
+ * Accepts both Brave format (pd/pw/pm/py) and Perplexity format (day/week/month/year).
+ * For Brave, also accepts date ranges (YYYY-MM-DDtoYYYY-MM-DD).
+ */
+function normalizeFreshness(
+  value: string | undefined,
+  provider: (typeof SEARCH_PROVIDERS)[number],
+): string | undefined {
+  if (!value) {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return undefined;
+  }
+
+  const lower = trimmed.toLowerCase();
+
+  if (BRAVE_FRESHNESS_SHORTCUTS.has(lower)) {
+    return provider === "brave" ? lower : FRESHNESS_TO_RECENCY[lower];
+  }
+
+  if (PERPLEXITY_RECENCY_VALUES.has(lower)) {
+    return provider === "perplexity" ? lower : RECENCY_TO_FRESHNESS[lower];
+  }
+
+  // Brave date range support
+  if (provider === "brave") {
+    const match = trimmed.match(BRAVE_FRESHNESS_RANGE);
+    if (match) {
+      const [, start, end] = match;
+      if (isValidIsoDate(start) && isValidIsoDate(end) && start <= end) {
+        return `${start}to${end}`;
+      }
+    }
+  }
+
+  return undefined;
+}
+
+function isValidIsoDate(value: string): boolean {
+  if (!/^\d{4}-\d{2}-\d{2}$/.test(value)) {
+    return false;
+  }
+  const [year, month, day] = value.split("-").map((part) => Number.parseInt(part, 10));
+  if (!Number.isFinite(year) || !Number.isFinite(month) || !Number.isFinite(day)) {
+    return false;
+  }
+
+  const date = new Date(Date.UTC(year, month - 1, day));
+  return (
+    date.getUTCFullYear() === year && date.getUTCMonth() === month - 1 && date.getUTCDate() === day
+  );
+}
+
+function resolveSiteName(url: string | undefined): string | undefined {
+  if (!url) {
+    return undefined;
+  }
+  try {
+    return new URL(url).hostname;
+  } catch {
+    return undefined;
+  }
+}
+
+async function throwWebSearchApiError(res: Response, providerLabel: string): Promise<never> {
+  const detailResult = await readResponseText(res, { maxBytes: 64_000 });
+  const detail = detailResult.text;
+  throw new Error(`${providerLabel} API error (${res.status}): ${detail || res.statusText}`);
+}
+
+async function runPerplexitySearchApi(params: {
+  query: string;
+  apiKey: string;
+  count: number;
+  timeoutSeconds: number;
+  country?: string;
+  searchDomainFilter?: string[];
+  searchRecencyFilter?: string;
+  searchLanguageFilter?: string[];
+  searchAfterDate?: string;
+  searchBeforeDate?: string;
+  maxTokens?: number;
+  maxTokensPerPage?: number;
+}): Promise<
+  Array<{ title: string; url: string; description: string; published?: string; siteName?: string }>
+> {
+  const body: Record<string, unknown> = {
+    query: params.query,
+    max_results: params.count,
+  };
+
+  if (params.country) {
+    body.country = params.country;
+  }
+  if (params.searchDomainFilter && params.searchDomainFilter.length > 0) {
+    body.search_domain_filter = params.searchDomainFilter;
+  }
+  if (params.searchRecencyFilter) {
+    body.search_recency_filter = params.searchRecencyFilter;
+  }
+  if (params.searchLanguageFilter && params.searchLanguageFilter.length > 0) {
+    body.search_language_filter = params.searchLanguageFilter;
+  }
+  if (params.searchAfterDate) {
+    body.search_after_date = params.searchAfterDate;
+  }
+  if (params.searchBeforeDate) {
+    body.search_before_date = params.searchBeforeDate;
+  }
+  if (params.maxTokens !== undefined) {
+    body.max_tokens = params.maxTokens;
+  }
+  if (params.maxTokensPerPage !== undefined) {
+    body.max_tokens_per_page = params.maxTokensPerPage;
+  }
+
+  return withTrustedWebSearchEndpoint(
+    {
+      url: PERPLEXITY_SEARCH_ENDPOINT,
+      timeoutSeconds: params.timeoutSeconds,
+      init: {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json",
+          Authorization: `Bearer ${params.apiKey}`,
+          "HTTP-Referer": "https://openclaw.ai",
+          "X-Title": "OpenClaw Web Search",
+        },
+        body: JSON.stringify(body),
+      },
+    },
+    async (res) => {
+      if (!res.ok) {
+        return await throwWebSearchApiError(res, "Perplexity Search");
+      }
+
+      const data = (await res.json()) as PerplexitySearchApiResponse;
+      const results = Array.isArray(data.results) ? data.results : [];
+
+      return results.map((entry) => {
+        const title = entry.title ?? "";
+        const url = entry.url ?? "";
+        const snippet = entry.snippet ?? "";
+        return {
+          title: title ? wrapWebContent(title, "web_search") : "",
+          url,
+          description: snippet ? wrapWebContent(snippet, "web_search") : "",
+          published: entry.date ?? undefined,
+          siteName: resolveSiteName(url) || undefined,
+        };
+      });
+    },
+  );
+}
+
+async function runPerplexitySearch(params: {
+  query: string;
+  apiKey: string;
+  baseUrl: string;
+  model: string;
+  timeoutSeconds: number;
+  freshness?: string;
+}): Promise<{ content: string; citations: string[] }> {
+  const baseUrl = params.baseUrl.trim().replace(/\/$/, "");
+  const endpoint = `${baseUrl}/chat/completions`;
+  const model = resolvePerplexityRequestModel(baseUrl, params.model);
+
+  const body: Record<string, unknown> = {
+    model,
+    messages: [
+      {
+        role: "user",
+        content: params.query,
+      },
+    ],
+  };
+
+  if (params.freshness) {
+    body.search_recency_filter = params.freshness;
+  }
+
+  return withTrustedWebSearchEndpoint(
+    {
+      url: endpoint,
+      timeoutSeconds: params.timeoutSeconds,
+      init: {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${params.apiKey}`,
+          "HTTP-Referer": "https://openclaw.ai",
+          "X-Title": "OpenClaw Web Search",
+        },
+        body: JSON.stringify(body),
+      },
+    },
+    async (res) => {
+      if (!res.ok) {
+        return await throwWebSearchApiError(res, "Perplexity");
+      }
+
+      const data = (await res.json()) as PerplexitySearchResponse;
+      const content = data.choices?.[0]?.message?.content ?? "No response";
+      // Prefer top-level citations; fall back to OpenRouter-style message annotations.
+      const citations = extractPerplexityCitations(data);
+
+      return { content, citations };
+    },
+  );
+}
+
+async function runGrokSearch(params: {
+  query: string;
+  apiKey: string;
+  model: string;
+  timeoutSeconds: number;
+  inlineCitations: boolean;
+}): Promise<{
+  content: string;
+  citations: string[];
+  inlineCitations?: GrokSearchResponse["inline_citations"];
+}> {
+  const body: Record<string, unknown> = {
+    model: params.model,
+    input: [
+      {
+        role: "user",
+        content: params.query,
+      },
+    ],
+    tools: [{ type: "web_search" }],
+  };
+
+  // Note: xAI's /v1/responses endpoint does not support the `include`
+  // parameter (returns 400 "Argument not supported: include"). Inline
+  // citations are returned automatically when available — we just parse
+  // them from the response without requesting them explicitly (#12910).
+
+  return withTrustedWebSearchEndpoint(
+    {
+      url: XAI_API_ENDPOINT,
+      timeoutSeconds: params.timeoutSeconds,
+      init: {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${params.apiKey}`,
+        },
+        body: JSON.stringify(body),
+      },
+    },
+    async (res) => {
+      if (!res.ok) {
+        return await throwWebSearchApiError(res, "xAI");
+      }
+
+      const data = (await res.json()) as GrokSearchResponse;
+      const { text: extractedText, annotationCitations } = extractGrokContent(data);
+      const content = extractedText ?? "No response";
+      // Prefer top-level citations; fall back to annotation-derived ones
+      const citations = (data.citations ?? []).length > 0 ? data.citations! : annotationCitations;
+      const inlineCitations = data.inline_citations;
+
+      return { content, citations, inlineCitations };
+    },
+  );
+}
+
+function extractKimiMessageText(message: KimiMessage | undefined): string | undefined {
+  const content = message?.content?.trim();
+  if (content) {
+    return content;
+  }
+  const reasoning = message?.reasoning_content?.trim();
+  return reasoning || undefined;
+}
+
+function extractKimiCitations(data: KimiSearchResponse): string[] {
+  const citations = (data.search_results ?? [])
+    .map((entry) => entry.url?.trim())
+    .filter((url): url is string => Boolean(url));
+
+  for (const toolCall of data.choices?.[0]?.message?.tool_calls ?? []) {
+    const rawArguments = toolCall.function?.arguments;
+    if (!rawArguments) {
+      continue;
+    }
+    try {
+      const parsed = JSON.parse(rawArguments) as {
+        search_results?: Array<{ url?: string }>;
+        url?: string;
+      };
+      if (typeof parsed.url === "string" && parsed.url.trim()) {
+        citations.push(parsed.url.trim());
+      }
+      for (const result of parsed.search_results ?? []) {
+        if (typeof result.url === "string" && result.url.trim()) {
+          citations.push(result.url.trim());
+        }
+      }
+    } catch {
+      // ignore malformed tool arguments
+    }
+  }
+
+  return [...new Set(citations)];
+}
+
+function buildKimiToolResultContent(data: KimiSearchResponse): string {
+  return JSON.stringify({
+    search_results: (data.search_results ?? []).map((entry) => ({
+      title: entry.title ?? "",
+      url: entry.url ?? "",
+      content: entry.content ?? "",
+    })),
+  });
+}
+
+async function runKimiSearch(params: {
+  query: string;
+  apiKey: string;
+  baseUrl: string;
+  model: string;
+  timeoutSeconds: number;
+}): Promise<{ content: string; citations: string[] }> {
+  const baseUrl = params.baseUrl.trim().replace(/\/$/, "");
+  const endpoint = `${baseUrl}/chat/completions`;
+  const messages: Array<Record<string, unknown>> = [
+    {
+      role: "user",
+      content: params.query,
+    },
+  ];
+  const collectedCitations = new Set<string>();
+  const MAX_ROUNDS = 3;
+
+  for (let round = 0; round < MAX_ROUNDS; round += 1) {
+    const nextResult = await withTrustedWebSearchEndpoint(
+      {
+        url: endpoint,
+        timeoutSeconds: params.timeoutSeconds,
+        init: {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${params.apiKey}`,
+          },
+          body: JSON.stringify({
+            model: params.model,
+            messages,
+            tools: [KIMI_WEB_SEARCH_TOOL],
+          }),
+        },
+      },
+      async (
+        res,
+      ): Promise<{ done: true; content: string; citations: string[] } | { done: false }> => {
+        if (!res.ok) {
+          return await throwWebSearchApiError(res, "Kimi");
+        }
+
+        const data = (await res.json()) as KimiSearchResponse;
+        for (const citation of extractKimiCitations(data)) {
+          collectedCitations.add(citation);
+        }
+        const choice = data.choices?.[0];
+        const message = choice?.message;
+        const text = extractKimiMessageText(message);
+        const toolCalls = message?.tool_calls ?? [];
+
+        if (choice?.finish_reason !== "tool_calls" || toolCalls.length === 0) {
+          return { done: true, content: text ?? "No response", citations: [...collectedCitations] };
+        }
+
+        messages.push({
+          role: "assistant",
+          content: message?.content ?? "",
+          ...(message?.reasoning_content
+            ? {
+                reasoning_content: message.reasoning_content,
+              }
+            : {}),
+          tool_calls: toolCalls,
+        });
+
+        const toolContent = buildKimiToolResultContent(data);
+        let pushedToolResult = false;
+        for (const toolCall of toolCalls) {
+          const toolCallId = toolCall.id?.trim();
+          if (!toolCallId) {
+            continue;
+          }
+          pushedToolResult = true;
+          messages.push({
+            role: "tool",
+            tool_call_id: toolCallId,
+            content: toolContent,
+          });
+        }
+
+        if (!pushedToolResult) {
+          return { done: true, content: text ?? "No response", citations: [...collectedCitations] };
+        }
+
+        return { done: false };
+      },
+    );
+
+    if (nextResult.done) {
+      return { content: nextResult.content, citations: nextResult.citations };
+    }
+  }
+
+  return {
+    content: "Search completed but no final answer was produced.",
+    citations: [...collectedCitations],
+  };
+}
+
+function mapBraveLlmContextResults(
+  data: BraveLlmContextResponse,
+): { url: string; title: string; snippets: string[]; siteName?: string }[] {
+  const genericResults = Array.isArray(data.grounding?.generic) ? data.grounding.generic : [];
+  return genericResults.map((entry) => ({
+    url: entry.url ?? "",
+    title: entry.title ?? "",
+    snippets: (entry.snippets ?? []).filter((s) => typeof s === "string" && s.length > 0),
+    siteName: resolveSiteName(entry.url) || undefined,
+  }));
+}
+
+async function runBraveLlmContextSearch(params: {
+  query: string;
+  apiKey: string;
+  timeoutSeconds: number;
+  country?: string;
+  search_lang?: string;
+  freshness?: string;
+}): Promise<{
+  results: Array<{
+    url: string;
+    title: string;
+    snippets: string[];
+    siteName?: string;
+  }>;
+  sources?: BraveLlmContextResponse["sources"];
+}> {
+  const url = new URL(BRAVE_LLM_CONTEXT_ENDPOINT);
+  url.searchParams.set("q", params.query);
+  if (params.country) {
+    url.searchParams.set("country", params.country);
+  }
+  if (params.search_lang) {
+    url.searchParams.set("search_lang", params.search_lang);
+  }
+  if (params.freshness) {
+    url.searchParams.set("freshness", params.freshness);
+  }
+
+  return withTrustedWebSearchEndpoint(
+    {
+      url: url.toString(),
+      timeoutSeconds: params.timeoutSeconds,
+      init: {
+        method: "GET",
+        headers: {
+          Accept: "application/json",
+          "X-Subscription-Token": params.apiKey,
+        },
+      },
+    },
+    async (res) => {
+      if (!res.ok) {
+        const detailResult = await readResponseText(res, { maxBytes: 64_000 });
+        const detail = detailResult.text;
+        throw new Error(`Brave LLM Context API error (${res.status}): ${detail || res.statusText}`);
+      }
+
+      const data = (await res.json()) as BraveLlmContextResponse;
+      const mapped = mapBraveLlmContextResults(data);
+
+      return { results: mapped, sources: data.sources };
+    },
+  );
+}
+
+async function runWebSearch(params: {
+  query: string;
+  count: number;
+  apiKey: string;
+  timeoutSeconds: number;
+  cacheTtlMs: number;
+  provider: (typeof SEARCH_PROVIDERS)[number];
+  country?: string;
+  language?: string;
+  search_lang?: string;
+  ui_lang?: string;
+  freshness?: string;
+  dateAfter?: string;
+  dateBefore?: string;
+  searchDomainFilter?: string[];
+  maxTokens?: number;
+  maxTokensPerPage?: number;
+  perplexityBaseUrl?: string;
+  perplexityModel?: string;
+  perplexityTransport?: PerplexityTransport;
+  grokModel?: string;
+  grokInlineCitations?: boolean;
+  geminiModel?: string;
+  kimiBaseUrl?: string;
+  kimiModel?: string;
+  braveMode?: "web" | "llm-context";
+}): Promise<Record<string, unknown>> {
+  const effectiveBraveMode = params.braveMode ?? "web";
+  const providerSpecificKey =
+    params.provider === "perplexity"
+      ? `${params.perplexityTransport ?? "search_api"}:${params.perplexityBaseUrl ?? PERPLEXITY_DIRECT_BASE_URL}:${params.perplexityModel ?? DEFAULT_PERPLEXITY_MODEL}`
+      : params.provider === "grok"
+        ? `${params.grokModel ?? DEFAULT_GROK_MODEL}:${String(params.grokInlineCitations ?? false)}`
+        : params.provider === "gemini"
+          ? (params.geminiModel ?? DEFAULT_GEMINI_MODEL)
+          : params.provider === "kimi"
+            ? `${params.kimiBaseUrl ?? DEFAULT_KIMI_BASE_URL}:${params.kimiModel ?? DEFAULT_KIMI_MODEL}`
+            : "";
+  const cacheKey = normalizeCacheKey(
+    params.provider === "brave" && effectiveBraveMode === "llm-context"
+      ? `${params.provider}:llm-context:${params.query}:${params.country || "default"}:${params.search_lang || params.language || "default"}:${params.freshness || "default"}`
+      : `${params.provider}:${effectiveBraveMode}:${params.query}:${params.count}:${params.country || "default"}:${params.search_lang || params.language || "default"}:${params.ui_lang || "default"}:${params.freshness || "default"}:${params.dateAfter || "default"}:${params.dateBefore || "default"}:${params.searchDomainFilter?.join(",") || "default"}:${params.maxTokens || "default"}:${params.maxTokensPerPage || "default"}:${providerSpecificKey}`,
+  );
+  const cached = readCache(SEARCH_CACHE, cacheKey);
+  if (cached) {
+    return { ...cached.value, cached: true };
+  }
+
+  const start = Date.now();
+
+  if (params.provider === "perplexity") {
+    if (params.perplexityTransport === "chat_completions") {
+      const { content, citations } = await runPerplexitySearch({
+        query: params.query,
+        apiKey: params.apiKey,
+        baseUrl: params.perplexityBaseUrl ?? DEFAULT_PERPLEXITY_BASE_URL,
+        model: params.perplexityModel ?? DEFAULT_PERPLEXITY_MODEL,
+        timeoutSeconds: params.timeoutSeconds,
+        freshness: params.freshness,
+      });
+
+      const payload = {
+        query: params.query,
+        provider: params.provider,
+        model: params.perplexityModel ?? DEFAULT_PERPLEXITY_MODEL,
+        tookMs: Date.now() - start,
+        externalContent: {
+          untrusted: true,
+          source: "web_search",
+          provider: params.provider,
+          wrapped: true,
+        },
+        content: wrapWebContent(content, "web_search"),
+        citations,
+      };
+      writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
+      return payload;
+    }
+
+    const results = await runPerplexitySearchApi({
+      query: params.query,
+      apiKey: params.apiKey,
+      count: params.count,
+      timeoutSeconds: params.timeoutSeconds,
+      country: params.country,
+      searchDomainFilter: params.searchDomainFilter,
+      searchRecencyFilter: params.freshness,
+      searchLanguageFilter: params.language ? [params.language] : undefined,
+      searchAfterDate: params.dateAfter ? isoToPerplexityDate(params.dateAfter) : undefined,
+      searchBeforeDate: params.dateBefore ? isoToPerplexityDate(params.dateBefore) : undefined,
+      maxTokens: params.maxTokens,
+      maxTokensPerPage: params.maxTokensPerPage,
+    });
+
+    const payload = {
+      query: params.query,
+      provider: params.provider,
+      count: results.length,
+      tookMs: Date.now() - start,
+      externalContent: {
+        untrusted: true,
+        source: "web_search",
+        provider: params.provider,
+        wrapped: true,
+      },
+      results,
+    };
+    writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
+    return payload;
+  }
+
+  if (params.provider === "grok") {
+    const { content, citations, inlineCitations } = await runGrokSearch({
+      query: params.query,
+      apiKey: params.apiKey,
+      model: params.grokModel ?? DEFAULT_GROK_MODEL,
+      timeoutSeconds: params.timeoutSeconds,
+      inlineCitations: params.grokInlineCitations ?? false,
+    });
+
+    const payload = {
+      query: params.query,
+      provider: params.provider,
+      model: params.grokModel ?? DEFAULT_GROK_MODEL,
+      tookMs: Date.now() - start,
+      externalContent: {
+        untrusted: true,
+        source: "web_search",
+        provider: params.provider,
+        wrapped: true,
+      },
+      content: wrapWebContent(content),
+      citations,
+      inlineCitations,
+    };
+    writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
+    return payload;
+  }
+
+  if (params.provider === "kimi") {
+    const { content, citations } = await runKimiSearch({
+      query: params.query,
+      apiKey: params.apiKey,
+      baseUrl: params.kimiBaseUrl ?? DEFAULT_KIMI_BASE_URL,
+      model: params.kimiModel ?? DEFAULT_KIMI_MODEL,
+      timeoutSeconds: params.timeoutSeconds,
+    });
+
+    const payload = {
+      query: params.query,
+      provider: params.provider,
+      model: params.kimiModel ?? DEFAULT_KIMI_MODEL,
+      tookMs: Date.now() - start,
+      externalContent: {
+        untrusted: true,
+        source: "web_search",
+        provider: params.provider,
+        wrapped: true,
+      },
+      content: wrapWebContent(content),
+      citations,
+    };
+    writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
+    return payload;
+  }
+
+  if (params.provider === "gemini") {
+    const geminiResult = await runGeminiSearch({
+      query: params.query,
+      apiKey: params.apiKey,
+      model: params.geminiModel ?? DEFAULT_GEMINI_MODEL,
+      timeoutSeconds: params.timeoutSeconds,
+    });
+
+    const payload = {
+      query: params.query,
+      provider: params.provider,
+      model: params.geminiModel ?? DEFAULT_GEMINI_MODEL,
+      tookMs: Date.now() - start, // Includes redirect URL resolution time
+      externalContent: {
+        untrusted: true,
+        source: "web_search",
+        provider: params.provider,
+        wrapped: true,
+      },
+      content: wrapWebContent(geminiResult.content),
+      citations: geminiResult.citations,
+    };
+    writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
+    return payload;
+  }
+
+  if (params.provider !== "brave") {
+    throw new Error("Unsupported web search provider.");
+  }
+
+  if (effectiveBraveMode === "llm-context") {
+    const { results: llmResults, sources } = await runBraveLlmContextSearch({
+      query: params.query,
+      apiKey: params.apiKey,
+      timeoutSeconds: params.timeoutSeconds,
+      country: params.country,
+      search_lang: params.search_lang,
+      freshness: params.freshness,
+    });
+
+    const mapped = llmResults.map((entry) => ({
+      title: entry.title ? wrapWebContent(entry.title, "web_search") : "",
+      url: entry.url,
+      snippets: entry.snippets.map((s) => wrapWebContent(s, "web_search")),
+      siteName: entry.siteName,
+    }));
+
+    const payload = {
+      query: params.query,
+      provider: params.provider,
+      mode: "llm-context" as const,
+      count: mapped.length,
+      tookMs: Date.now() - start,
+      externalContent: {
+        untrusted: true,
+        source: "web_search",
+        provider: params.provider,
+        wrapped: true,
+      },
+      results: mapped,
+      sources,
+    };
+    writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
+    return payload;
+  }
+
+  const url = new URL(BRAVE_SEARCH_ENDPOINT);
+  url.searchParams.set("q", params.query);
+  url.searchParams.set("count", String(params.count));
+  if (params.country) {
+    url.searchParams.set("country", params.country);
+  }
+  if (params.search_lang || params.language) {
+    url.searchParams.set("search_lang", (params.search_lang || params.language)!);
+  }
+  if (params.ui_lang) {
+    url.searchParams.set("ui_lang", params.ui_lang);
+  }
+  if (params.freshness) {
+    url.searchParams.set("freshness", params.freshness);
+  } else if (params.dateAfter && params.dateBefore) {
+    url.searchParams.set("freshness", `${params.dateAfter}to${params.dateBefore}`);
+  } else if (params.dateAfter) {
+    url.searchParams.set(
+      "freshness",
+      `${params.dateAfter}to${new Date().toISOString().slice(0, 10)}`,
+    );
+  } else if (params.dateBefore) {
+    url.searchParams.set("freshness", `1970-01-01to${params.dateBefore}`);
+  }
+
+  const mapped = await withTrustedWebSearchEndpoint(
+    {
+      url: url.toString(),
+      timeoutSeconds: params.timeoutSeconds,
+      init: {
+        method: "GET",
+        headers: {
+          Accept: "application/json",
+          "X-Subscription-Token": params.apiKey,
+        },
+      },
+    },
+    async (res) => {
+      if (!res.ok) {
+        const detailResult = await readResponseText(res, { maxBytes: 64_000 });
+        const detail = detailResult.text;
+        throw new Error(`Brave Search API error (${res.status}): ${detail || res.statusText}`);
+      }
+
+      const data = (await res.json()) as BraveSearchResponse;
+      const results = Array.isArray(data.web?.results) ? (data.web?.results ?? []) : [];
+      return results.map((entry) => {
+        const description = entry.description ?? "";
+        const title = entry.title ?? "";
+        const url = entry.url ?? "";
+        const rawSiteName = resolveSiteName(url);
+        return {
+          title: title ? wrapWebContent(title, "web_search") : "",
+          url, // Keep raw for tool chaining
+          description: description ? wrapWebContent(description, "web_search") : "",
+          published: entry.age || undefined,
+          siteName: rawSiteName || undefined,
+        };
+      });
+    },
+  );
+
+  const payload = {
+    query: params.query,
+    provider: params.provider,
+    count: mapped.length,
+    tookMs: Date.now() - start,
+    externalContent: {
+      untrusted: true,
+      source: "web_search",
+      provider: params.provider,
+      wrapped: true,
+    },
+    results: mapped,
+  };
+  writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
+  return payload;
+}
+
+export function createWebSearchTool(options?: {
+  config?: OpenClawConfig;
+  sandboxed?: boolean;
+  runtimeWebSearch?: RuntimeWebSearchMetadata;
+}): AnyAgentTool | null {
+  const search = resolveSearchConfig(options?.config);
+  if (!resolveSearchEnabled({ search, sandboxed: options?.sandboxed })) {
+    return null;
+  }
+
+  const runtimeProviderCandidate =
+    options?.runtimeWebSearch?.selectedProvider ?? options?.runtimeWebSearch?.providerConfigured;
+  const provider =
+    runtimeProviderCandidate && isSearchProvider(runtimeProviderCandidate)
+      ? runtimeProviderCandidate
+      : resolveSearchProvider(search);
+  const perplexityConfig = resolvePerplexityConfig(search);
+  const perplexitySchemaTransportHint =
+    options?.runtimeWebSearch?.perplexityTransport ??
+    resolvePerplexitySchemaTransportHint(perplexityConfig);
+  const grokConfig = resolveGrokConfig(search);
+  const geminiConfig = resolveGeminiConfig(search);
+  const kimiConfig = resolveKimiConfig(search);
+  const braveConfig = resolveBraveConfig(search);
+  const braveMode = resolveBraveMode(braveConfig);
+
+  const description =
+    provider === "perplexity"
+      ? perplexitySchemaTransportHint === "chat_completions"
+        ? "Search the web using Perplexity Sonar via Perplexity/OpenRouter chat completions. Returns AI-synthesized answers with citations from web-grounded search."
+        : "Search the web using Perplexity. Runtime routing decides between native Search API and Sonar chat-completions compatibility. Structured filters are available on the native Search API path."
+      : provider === "grok"
+        ? "Search the web using xAI Grok. Returns AI-synthesized answers with citations from real-time web search."
+        : provider === "kimi"
+          ? "Search the web using Kimi by Moonshot. Returns AI-synthesized answers with citations from native $web_search."
+          : provider === "gemini"
+            ? "Search the web using Gemini with Google Search grounding. Returns AI-synthesized answers with citations from Google Search."
+            : braveMode === "llm-context"
+              ? "Search the web using Brave Search LLM Context API. Returns pre-extracted page content (text chunks, tables, code blocks) optimized for LLM grounding."
+              : "Search the web using Brave Search API. Supports region-specific and localized search via country and language parameters. Returns titles, URLs, and snippets for fast research.";
+
+  return {
+    label: "Web Search",
+    name: "web_search",
+    description,
+    parameters: createWebSearchSchema({
+      provider,
+      perplexityTransport: provider === "perplexity" ? perplexitySchemaTransportHint : undefined,
+    }),
+    execute: async (_toolCallId, args) => {
+      // Resolve Perplexity auth/transport lazily at execution time so unrelated providers
+      // do not touch Perplexity-only credential surfaces during tool construction.
+      const perplexityRuntime =
+        provider === "perplexity" ? resolvePerplexityTransport(perplexityConfig) : undefined;
+      const apiKey =
+        provider === "perplexity"
+          ? perplexityRuntime?.apiKey
+          : provider === "grok"
+            ? resolveGrokApiKey(grokConfig)
+            : provider === "kimi"
+              ? resolveKimiApiKey(kimiConfig)
+              : provider === "gemini"
+                ? resolveGeminiApiKey(geminiConfig)
+                : resolveSearchApiKey(search);
+
+      if (!apiKey) {
+        return jsonResult(missingSearchKeyPayload(provider));
+      }
+
+      const supportsStructuredPerplexityFilters =
+        provider === "perplexity" && perplexityRuntime?.transport === "search_api";
+      const params = args as Record<string, unknown>;
+      const query = readStringParam(params, "query", { required: true });
+      const count =
+        readNumberParam(params, "count", { integer: true }) ?? search?.maxResults ?? undefined;
+      const country = readStringParam(params, "country");
+      if (
+        country &&
+        provider !== "brave" &&
+        !(provider === "perplexity" && supportsStructuredPerplexityFilters)
+      ) {
+        return jsonResult({
+          error: "unsupported_country",
+          message:
+            provider === "perplexity"
+              ? "country filtering is only supported by the native Perplexity Search API path. Remove Perplexity baseUrl/model overrides or use a direct PERPLEXITY_API_KEY to enable it."
+              : `country filtering is not supported by the ${provider} provider. Only Brave and Perplexity support country filtering.`,
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      const language = readStringParam(params, "language");
+      if (
+        language &&
+        provider !== "brave" &&
+        !(provider === "perplexity" && supportsStructuredPerplexityFilters)
+      ) {
+        return jsonResult({
+          error: "unsupported_language",
+          message:
+            provider === "perplexity"
+              ? "language filtering is only supported by the native Perplexity Search API path. Remove Perplexity baseUrl/model overrides or use a direct PERPLEXITY_API_KEY to enable it."
+              : `language filtering is not supported by the ${provider} provider. Only Brave and Perplexity support language filtering.`,
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      if (language && provider === "perplexity" && !/^[a-z]{2}$/i.test(language)) {
+        return jsonResult({
+          error: "invalid_language",
+          message: "language must be a 2-letter ISO 639-1 code like 'en', 'de', or 'fr'.",
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      const search_lang = readStringParam(params, "search_lang");
+      const ui_lang = readStringParam(params, "ui_lang");
+      // For Brave, accept both `language` (unified) and `search_lang`
+      const normalizedBraveLanguageParams =
+        provider === "brave"
+          ? normalizeBraveLanguageParams({ search_lang: search_lang || language, ui_lang })
+          : { search_lang: language, ui_lang };
+      if (normalizedBraveLanguageParams.invalidField === "search_lang") {
+        return jsonResult({
+          error: "invalid_search_lang",
+          message:
+            "search_lang must be a Brave-supported language code like 'en', 'en-gb', 'zh-hans', or 'zh-hant'.",
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      if (normalizedBraveLanguageParams.invalidField === "ui_lang") {
+        return jsonResult({
+          error: "invalid_ui_lang",
+          message: "ui_lang must be a language-region locale like 'en-US'.",
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      const resolvedSearchLang = normalizedBraveLanguageParams.search_lang;
+      const resolvedUiLang = normalizedBraveLanguageParams.ui_lang;
+      if (resolvedUiLang && provider === "brave" && braveMode === "llm-context") {
+        return jsonResult({
+          error: "unsupported_ui_lang",
+          message:
+            "ui_lang is not supported by Brave llm-context mode. Remove ui_lang or use Brave web mode for locale-based UI hints.",
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      const rawFreshness = readStringParam(params, "freshness");
+      if (rawFreshness && provider !== "brave" && provider !== "perplexity") {
+        return jsonResult({
+          error: "unsupported_freshness",
+          message: `freshness filtering is not supported by the ${provider} provider. Only Brave and Perplexity support freshness.`,
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      if (rawFreshness && provider === "brave" && braveMode === "llm-context") {
+        return jsonResult({
+          error: "unsupported_freshness",
+          message:
+            "freshness filtering is not supported by Brave llm-context mode. Remove freshness or use Brave web mode.",
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      const freshness = rawFreshness ? normalizeFreshness(rawFreshness, provider) : undefined;
+      if (rawFreshness && !freshness) {
+        return jsonResult({
+          error: "invalid_freshness",
+          message: "freshness must be day, week, month, or year.",
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      const rawDateAfter = readStringParam(params, "date_after");
+      const rawDateBefore = readStringParam(params, "date_before");
+      if (rawFreshness && (rawDateAfter || rawDateBefore)) {
+        return jsonResult({
+          error: "conflicting_time_filters",
+          message:
+            "freshness and date_after/date_before cannot be used together. Use either freshness (day/week/month/year) or a date range (date_after/date_before), not both.",
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      if (
+        (rawDateAfter || rawDateBefore) &&
+        provider !== "brave" &&
+        !(provider === "perplexity" && supportsStructuredPerplexityFilters)
+      ) {
+        return jsonResult({
+          error: "unsupported_date_filter",
+          message:
+            provider === "perplexity"
+              ? "date_after/date_before are only supported by the native Perplexity Search API path. Remove Perplexity baseUrl/model overrides or use a direct PERPLEXITY_API_KEY to enable them."
+              : `date_after/date_before filtering is not supported by the ${provider} provider. Only Brave and Perplexity support date filtering.`,
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      if ((rawDateAfter || rawDateBefore) && provider === "brave" && braveMode === "llm-context") {
+        return jsonResult({
+          error: "unsupported_date_filter",
+          message:
+            "date_after/date_before filtering is not supported by Brave llm-context mode. Use Brave web mode for date filters.",
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      const dateAfter = rawDateAfter ? normalizeToIsoDate(rawDateAfter) : undefined;
+      if (rawDateAfter && !dateAfter) {
+        return jsonResult({
+          error: "invalid_date",
+          message: "date_after must be YYYY-MM-DD format.",
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      const dateBefore = rawDateBefore ? normalizeToIsoDate(rawDateBefore) : undefined;
+      if (rawDateBefore && !dateBefore) {
+        return jsonResult({
+          error: "invalid_date",
+          message: "date_before must be YYYY-MM-DD format.",
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      if (dateAfter && dateBefore && dateAfter > dateBefore) {
+        return jsonResult({
+          error: "invalid_date_range",
+          message: "date_after must be before date_before.",
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+      const domainFilter = readStringArrayParam(params, "domain_filter");
+      if (
+        domainFilter &&
+        domainFilter.length > 0 &&
+        !(provider === "perplexity" && supportsStructuredPerplexityFilters)
+      ) {
+        return jsonResult({
+          error: "unsupported_domain_filter",
+          message:
+            provider === "perplexity"
+              ? "domain_filter is only supported by the native Perplexity Search API path. Remove Perplexity baseUrl/model overrides or use a direct PERPLEXITY_API_KEY to enable it."
+              : `domain_filter is not supported by the ${provider} provider. Only Perplexity supports domain filtering.`,
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+
+      if (domainFilter && domainFilter.length > 0) {
+        const hasDenylist = domainFilter.some((d) => d.startsWith("-"));
+        const hasAllowlist = domainFilter.some((d) => !d.startsWith("-"));
+        if (hasDenylist && hasAllowlist) {
+          return jsonResult({
+            error: "invalid_domain_filter",
+            message:
+              "domain_filter cannot mix allowlist and denylist entries. Use either all positive entries (allowlist) or all entries prefixed with '-' (denylist).",
+            docs: "https://docs.openclaw.ai/tools/web",
+          });
+        }
+        if (domainFilter.length > 20) {
+          return jsonResult({
+            error: "invalid_domain_filter",
+            message: "domain_filter supports a maximum of 20 domains.",
+            docs: "https://docs.openclaw.ai/tools/web",
+          });
+        }
+      }
+
+      const maxTokens = readNumberParam(params, "max_tokens", { integer: true });
+      const maxTokensPerPage = readNumberParam(params, "max_tokens_per_page", { integer: true });
+      if (
+        provider === "perplexity" &&
+        perplexityRuntime?.transport === "chat_completions" &&
+        (maxTokens !== undefined || maxTokensPerPage !== undefined)
+      ) {
+        return jsonResult({
+          error: "unsupported_content_budget",
+          message:
+            "max_tokens and max_tokens_per_page are only supported by the native Perplexity Search API path. Remove Perplexity baseUrl/model overrides or use a direct PERPLEXITY_API_KEY to enable them.",
+          docs: "https://docs.openclaw.ai/tools/web",
+        });
+      }
+
+      const result = await runWebSearch({
+        query,
+        count: resolveSearchCount(count, DEFAULT_SEARCH_COUNT),
+        apiKey,
+        timeoutSeconds: resolveTimeoutSeconds(search?.timeoutSeconds, DEFAULT_TIMEOUT_SECONDS),
+        cacheTtlMs: resolveCacheTtlMs(search?.cacheTtlMinutes, DEFAULT_CACHE_TTL_MINUTES),
+        provider,
+        country,
+        language,
+        search_lang: resolvedSearchLang,
+        ui_lang: resolvedUiLang,
+        freshness,
+        dateAfter,
+        dateBefore,
+        searchDomainFilter: domainFilter,
+        maxTokens: maxTokens ?? undefined,
+        maxTokensPerPage: maxTokensPerPage ?? undefined,
+        perplexityBaseUrl: perplexityRuntime?.baseUrl,
+        perplexityModel: perplexityRuntime?.model,
+        perplexityTransport: perplexityRuntime?.transport,
+        grokModel: resolveGrokModel(grokConfig),
+        grokInlineCitations: resolveGrokInlineCitations(grokConfig),
+        geminiModel: resolveGeminiModel(geminiConfig),
+        kimiBaseUrl: resolveKimiBaseUrl(kimiConfig),
+        kimiModel: resolveKimiModel(kimiConfig),
+        braveMode,
+      });
+      return jsonResult(result);
+    },
+  };
+}
+
+export const __testing = {
+  resolveSearchProvider,
+  inferPerplexityBaseUrlFromApiKey,
+  resolvePerplexityBaseUrl,
+  resolvePerplexityModel,
+  resolvePerplexityTransport,
+  isDirectPerplexityBaseUrl,
+  resolvePerplexityRequestModel,
+  resolvePerplexityApiKey,
+  normalizeBraveLanguageParams,
+  normalizeFreshness,
+  normalizeToIsoDate,
+  isoToPerplexityDate,
+  SEARCH_CACHE,
+  FRESHNESS_TO_RECENCY,
+  RECENCY_TO_FRESHNESS,
+  resolveGrokApiKey,
+  resolveGrokModel,
+  resolveGrokInlineCitations,
+  extractGrokContent,
+  resolveKimiApiKey,
+  resolveKimiModel,
+  resolveKimiBaseUrl,
+  extractKimiCitations,
+  resolveRedirectUrl: resolveCitationRedirectUrl,
+  resolveBraveMode,
+  mapBraveLlmContextResults,
+} as const;
diff --git a/src/agents/tools/web-search-plugin-factory.ts b/src/agents/tools/web-search-plugin-factory.ts
new file mode 100644
index 00000000000..ab80702a6ed
--- /dev/null
+++ b/src/agents/tools/web-search-plugin-factory.ts
@@ -0,0 +1,94 @@
+import type { OpenClawConfig } from "../../config/config.js";
+import type { WebSearchProviderPlugin } from "../../plugins/types.js";
+import { createWebSearchTool as createLegacyWebSearchTool } from "./web-search-core.js";
+
+type ConfiguredWebSearchProvider = NonNullable<
+  NonNullable<NonNullable<OpenClawConfig["tools"]>["web"]>["search"]
+>["provider"];
+
+function cloneWithDescriptors<T extends object>(value: T | undefined): T {
+  const next = Object.create(Object.getPrototypeOf(value ?? {})) as T;
+  if (value) {
+    Object.defineProperties(next, Object.getOwnPropertyDescriptors(value));
+  }
+  return next;
+}
+
+function withForcedProvider(
+  config: OpenClawConfig | undefined,
+  provider: ConfiguredWebSearchProvider,
+): OpenClawConfig {
+  const next = cloneWithDescriptors(config ?? {});
+  const tools = cloneWithDescriptors(next.tools ?? {});
+  const web = cloneWithDescriptors(tools.web ?? {});
+  const search = cloneWithDescriptors(web.search ?? {});
+
+  search.provider = provider;
+  web.search = search;
+  tools.web = web;
+  next.tools = tools;
+
+  return next;
+}
+
+export function createPluginBackedWebSearchProvider(
+  provider: Omit<WebSearchProviderPlugin, "createTool"> & {
+    id: ConfiguredWebSearchProvider;
+  },
+): WebSearchProviderPlugin {
+  return {
+    ...provider,
+    createTool: (ctx) => {
+      const tool = createLegacyWebSearchTool({
+        config: withForcedProvider(ctx.config, provider.id),
+        runtimeWebSearch: ctx.runtimeMetadata,
+      });
+      if (!tool) {
+        return null;
+      }
+      return {
+        description: tool.description,
+        parameters: tool.parameters as Record<string, unknown>,
+        execute: async (args) => {
+          const result = await tool.execute(`web-search:${provider.id}`, args);
+          return (result.details ?? {}) as Record<string, unknown>;
+        },
+      };
+    },
+  };
+}
+
+export function getTopLevelCredentialValue(searchConfig?: Record<string, unknown>): unknown {
+  return searchConfig?.apiKey;
+}
+
+export function setTopLevelCredentialValue(
+  searchConfigTarget: Record<string, unknown>,
+  value: unknown,
+): void {
+  searchConfigTarget.apiKey = value;
+}
+
+export function getScopedCredentialValue(
+  searchConfig: Record<string, unknown> | undefined,
+  key: string,
+): unknown {
+  const scoped = searchConfig?.[key];
+  if (!scoped || typeof scoped !== "object" || Array.isArray(scoped)) {
+    return undefined;
+  }
+  return (scoped as Record<string, unknown>).apiKey;
+}
+
+export function setScopedCredentialValue(
+  searchConfigTarget: Record<string, unknown>,
+  key: string,
+  value: unknown,
+): void {
+  const scoped = searchConfigTarget[key];
+  if (!scoped || typeof scoped !== "object" || Array.isArray(scoped)) {
+    searchConfigTarget[key] = { apiKey: value };
+    return;
+  }
+  (scoped as Record<string, unknown>).apiKey = value;
+}
diff --git a/src/agents/tools/web-search.redirect.test.ts b/src/agents/tools/web-search.redirect.test.ts
index cac014d7e9a..d00c6a31995 100644
--- a/src/agents/tools/web-search.redirect.test.ts
+++ b/src/agents/tools/web-search.redirect.test.ts
@@ -1,48 +1,48 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 
-const { fetchWithSsrFGuardMock } = vi.hoisted(() => ({
-  fetchWithSsrFGuardMock: vi.fn(),
+const { withStrictWebToolsEndpointMock } = vi.hoisted(() => ({
+  withStrictWebToolsEndpointMock: vi.fn(),
 }));
 
-vi.mock("../../infra/net/fetch-guard.js", () => ({
-  fetchWithSsrFGuard: fetchWithSsrFGuardMock,
+vi.mock("./web-guarded-fetch.js", () => ({
+  withStrictWebToolsEndpoint: withStrictWebToolsEndpointMock,
 }));
 
-import { __testing } from "./web-search.js";
-
 describe("web_search redirect resolution hardening", () => {
-  const { resolveRedirectUrl } = __testing;
+  async function resolveRedirectUrl() {
+    const module = await import("./web-search-citation-redirect.js");
+    return module.resolveCitationRedirectUrl;
+  }
 
   beforeEach(() => {
-    fetchWithSsrFGuardMock.mockReset();
+    vi.resetModules();
+    withStrictWebToolsEndpointMock.mockReset();
   });
 
   it("resolves redirects via SSRF-guarded HEAD requests", async () => {
-    const release = vi.fn(async () => {});
-    fetchWithSsrFGuardMock.mockResolvedValue({
-      response: new Response(null, { status: 200 }),
-      finalUrl: "https://example.com/final",
-      release,
+    const resolve = await resolveRedirectUrl();
+    withStrictWebToolsEndpointMock.mockImplementation(async (_params, run) => {
+      return await run({
+        response: new Response(null, { status: 200 }),
+        finalUrl: "https://example.com/final",
+      });
     });
 
-    const resolved = await resolveRedirectUrl("https://example.com/start");
+    const resolved = await resolve("https://example.com/start");
     expect(resolved).toBe("https://example.com/final");
-    expect(fetchWithSsrFGuardMock).toHaveBeenCalledWith(
+    expect(withStrictWebToolsEndpointMock).toHaveBeenCalledWith(
       expect.objectContaining({
         url: "https://example.com/start",
         timeoutMs: 5000,
         init: { method: "HEAD" },
       }),
+      expect.any(Function),
     );
-    expect(fetchWithSsrFGuardMock.mock.calls[0]?.[0]?.proxy).toBeUndefined();
-    expect(fetchWithSsrFGuardMock.mock.calls[0]?.[0]?.policy).toBeUndefined();
-    expect(release).toHaveBeenCalledTimes(1);
   });
 
   it("falls back to the original URL when guarded resolution fails", async () => {
-    fetchWithSsrFGuardMock.mockRejectedValue(new Error("blocked"));
-    await expect(resolveRedirectUrl("https://example.com/start")).resolves.toBe(
-      "https://example.com/start",
-    );
+    const resolve = await resolveRedirectUrl();
+    withStrictWebToolsEndpointMock.mockRejectedValue(new Error("blocked"));
+    await expect(resolve("https://example.com/start")).resolves.toBe("https://example.com/start");
   });
 });
diff --git a/src/agents/tools/web-search.ts b/src/agents/tools/web-search.ts
index 6e9518f1ede..869da014d45 100644
--- a/src/agents/tools/web-search.ts
+++ b/src/agents/tools/web-search.ts
@@ -1,286 +1,12 @@
-import { Type } from "@sinclair/typebox";
-import { formatCliCommand } from "../../cli/command-format.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { normalizeResolvedSecretInputString } from "../../config/types.secrets.js";
 import { logVerbose } from "../../globals.js";
-import type { RuntimeWebSearchMetadata } from "../../secrets/runtime-web-tools.js";
-import { wrapWebContent } from "../../security/external-content.js";
+import { resolvePluginWebSearchProviders } from "../../plugins/web-search-providers.js";
+import type { RuntimeWebSearchMetadata } from "../../secrets/runtime-web-tools.types.js";
 import { normalizeSecretInput } from "../../utils/normalize-secret-input.js";
 import type { AnyAgentTool } from "./common.js";
-import { jsonResult, readNumberParam, readStringArrayParam, readStringParam } from "./common.js";
-import { withTrustedWebToolsEndpoint } from "./web-guarded-fetch.js";
-import { resolveCitationRedirectUrl } from "./web-search-citation-redirect.js";
-import {
-  CacheEntry,
-  DEFAULT_CACHE_TTL_MINUTES,
-  DEFAULT_TIMEOUT_SECONDS,
-  normalizeCacheKey,
-  readCache,
-  readResponseText,
-  resolveCacheTtlMs,
-  resolveTimeoutSeconds,
-  writeCache,
-} from "./web-shared.js";
-
-const SEARCH_PROVIDERS = ["brave", "gemini", "grok", "kimi", "perplexity"] as const;
-const DEFAULT_SEARCH_COUNT = 5;
-const MAX_SEARCH_COUNT = 10;
-
-const BRAVE_SEARCH_ENDPOINT = "https://api.search.brave.com/res/v1/web/search";
-const BRAVE_LLM_CONTEXT_ENDPOINT = "https://api.search.brave.com/res/v1/llm/context";
-const DEFAULT_PERPLEXITY_BASE_URL = "https://openrouter.ai/api/v1";
-const PERPLEXITY_DIRECT_BASE_URL = "https://api.perplexity.ai";
-const PERPLEXITY_SEARCH_ENDPOINT = "https://api.perplexity.ai/search";
-const DEFAULT_PERPLEXITY_MODEL = "perplexity/sonar-pro";
-const PERPLEXITY_KEY_PREFIXES = ["pplx-"];
-const OPENROUTER_KEY_PREFIXES = ["sk-or-"];
-
-const XAI_API_ENDPOINT = "https://api.x.ai/v1/responses";
-const DEFAULT_GROK_MODEL = "grok-4-1-fast";
-const DEFAULT_KIMI_BASE_URL = "https://api.moonshot.ai/v1";
-const DEFAULT_KIMI_MODEL = "moonshot-v1-128k";
-const KIMI_WEB_SEARCH_TOOL = {
-  type: "builtin_function",
-  function: { name: "$web_search" },
-} as const;
-
-const SEARCH_CACHE = new Map<string, CacheEntry<Record<string, unknown>>>();
-const BRAVE_FRESHNESS_SHORTCUTS = new Set(["pd", "pw", "pm", "py"]);
-const BRAVE_FRESHNESS_RANGE = /^(\d{4}-\d{2}-\d{2})to(\d{4}-\d{2}-\d{2})$/;
-const BRAVE_SEARCH_LANG_CODES = new Set([
-  "ar",
-  "eu",
-  "bn",
-  "bg",
-  "ca",
-  "zh-hans",
-  "zh-hant",
-  "hr",
-  "cs",
-  "da",
-  "nl",
-  "en",
-  "en-gb",
-  "et",
-  "fi",
-  "fr",
-  "gl",
-  "de",
-  "el",
-  "gu",
-  "he",
-  "hi",
-  "hu",
-  "is",
-  "it",
-  "jp",
-  "kn",
-  "ko",
-  "lv",
-  "lt",
-  "ms",
-  "ml",
-  "mr",
-  "nb",
-  "pl",
-  "pt-br",
-  "pt-pt",
-  "pa",
-  "ro",
-  "ru",
-  "sr",
-  "sk",
-  "sl",
-  "es",
-  "sv",
-  "ta",
-  "te",
-  "th",
-  "tr",
-  "uk",
-  "vi",
-]);
-const BRAVE_SEARCH_LANG_ALIASES: Record<string, string> = {
-  ja: "jp",
-  zh: "zh-hans",
-  "zh-cn": "zh-hans",
-  "zh-hk": "zh-hant",
-  "zh-sg": "zh-hans",
-  "zh-tw": "zh-hant",
-};
-const BRAVE_UI_LANG_LOCALE = /^([a-z]{2})-([a-z]{2})$/i;
-const PERPLEXITY_RECENCY_VALUES = new Set(["day", "week", "month", "year"]);
-
-const FRESHNESS_TO_RECENCY: Record<string, string> = {
-  pd: "day",
-  pw: "week",
-  pm: "month",
-  py: "year",
-};
-const RECENCY_TO_FRESHNESS: Record<string, string> = {
-  day: "pd",
-  week: "pw",
-  month: "pm",
-  year: "py",
-};
-
-const ISO_DATE_PATTERN = /^(\d{4})-(\d{2})-(\d{2})$/;
-const PERPLEXITY_DATE_PATTERN = /^(\d{1,2})\/(\d{1,2})\/(\d{4})$/;
-
-function isoToPerplexityDate(iso: string): string | undefined {
-  const match = iso.match(ISO_DATE_PATTERN);
-  if (!match) {
-    return undefined;
-  }
-  const [, year, month, day] = match;
-  return `${parseInt(month, 10)}/${parseInt(day, 10)}/${year}`;
-}
-
-function normalizeToIsoDate(value: string): string | undefined {
-  const trimmed = value.trim();
-  if (ISO_DATE_PATTERN.test(trimmed)) {
-    return isValidIsoDate(trimmed) ? trimmed : undefined;
-  }
-  const match = trimmed.match(PERPLEXITY_DATE_PATTERN);
-  if (match) {
-    const [, month, day, year] = match;
-    const iso = `${year}-${month.padStart(2, "0")}-${day.padStart(2, "0")}`;
-    return isValidIsoDate(iso) ? iso : undefined;
-  }
-  return undefined;
-}
-
-function createWebSearchSchema(params: {
-  provider: (typeof SEARCH_PROVIDERS)[number];
-  perplexityTransport?: PerplexityTransport;
-}) {
-  const querySchema = {
-    query: Type.String({ description: "Search query string." }),
-    count: Type.Optional(
-      Type.Number({
-        description: "Number of results to return (1-10).",
-        minimum: 1,
-        maximum: MAX_SEARCH_COUNT,
-      }),
-    ),
-  } as const;
-
-  const filterSchema = {
-    country: Type.Optional(
-      Type.String({
-        description:
-          "2-letter country code for region-specific results (e.g., 'DE', 'US', 'ALL'). Default: 'US'.",
-      }),
-    ),
-    language: Type.Optional(
-      Type.String({
-        description: "ISO 639-1 language code for results (e.g., 'en', 'de', 'fr').",
-      }),
-    ),
-    freshness: Type.Optional(
-      Type.String({
-        description: "Filter by time: 'day' (24h), 'week', 'month', or 'year'.",
-      }),
-    ),
-    date_after: Type.Optional(
-      Type.String({
-        description: "Only results published after this date (YYYY-MM-DD).",
-      }),
-    ),
-    date_before: Type.Optional(
-      Type.String({
-        description: "Only results published before this date (YYYY-MM-DD).",
-      }),
-    ),
-  } as const;
-
-  const perplexityStructuredFilterSchema = {
-    country: Type.Optional(
-      Type.String({
-        description:
-          "Native Perplexity Search API only. 2-letter country code for region-specific results (e.g., 'DE', 'US', 'ALL'). Default: 'US'.",
-      }),
-    ),
-    language: Type.Optional(
-      Type.String({
-        description:
-          "Native Perplexity Search API only. ISO 639-1 language code for results (e.g., 'en', 'de', 'fr').",
-      }),
-    ),
-    date_after: Type.Optional(
-      Type.String({
-        description:
-          "Native Perplexity Search API only. Only results published after this date (YYYY-MM-DD).",
-      }),
-    ),
-    date_before: Type.Optional(
-      Type.String({
-        description:
-          "Native Perplexity Search API only. Only results published before this date (YYYY-MM-DD).",
-      }),
-    ),
-  } as const;
-
-  if (params.provider === "brave") {
-    return Type.Object({
-      ...querySchema,
-      ...filterSchema,
-      search_lang: Type.Optional(
-        Type.String({
-          description:
-            "Brave language code for search results (e.g., 'en', 'de', 'en-gb', 'zh-hans', 'zh-hant', 'pt-br').",
-        }),
-      ),
-      ui_lang: Type.Optional(
-        Type.String({
-          description:
-            "Locale code for UI elements in language-region format (e.g., 'en-US', 'de-DE', 'fr-FR', 'tr-TR'). Must include region subtag.",
-        }),
-      ),
-    });
-  }
-
-  if (params.provider === "perplexity") {
-    if (params.perplexityTransport === "chat_completions") {
-      return Type.Object({
-        ...querySchema,
-        freshness: filterSchema.freshness,
-      });
-    }
-    return Type.Object({
-      ...querySchema,
-      freshness: filterSchema.freshness,
-      ...perplexityStructuredFilterSchema,
-      domain_filter: Type.Optional(
-        Type.Array(Type.String(), {
-          description:
-            "Native Perplexity Search API only. Domain filter (max 20). Allowlist: ['nature.com'] or denylist: ['-reddit.com']. Cannot mix.",
-        }),
-      ),
-      max_tokens: Type.Optional(
-        Type.Number({
-          description:
-            "Native Perplexity Search API only. Total content budget across all results (default: 25000, max: 1000000).",
-          minimum: 1,
-          maximum: 1000000,
-        }),
-      ),
-      max_tokens_per_page: Type.Optional(
-        Type.Number({
-          description:
-            "Native Perplexity Search API only. Max tokens extracted per page (default: 2048).",
-          minimum: 1,
-        }),
-      ),
-    });
-  }
-
-  // grok, gemini, kimi, etc.
-  return Type.Object({
-    ...querySchema,
-    ...filterSchema,
-  });
-}
+import { jsonResult } from "./common.js";
+import { __testing as coreTesting } from "./web-search-core.js";
 
 type WebSearchConfig = NonNullable<OpenClawConfig["tools"]>["web"] extends infer Web
   ? Web extends { search?: infer Search }
@@ -288,248 +14,6 @@ type WebSearchConfig = NonNullable<OpenClawConfig["tools"]>["web"] extends infer
     : undefined
   : undefined;
 
-type BraveSearchResult = {
-  title?: string;
-  url?: string;
-  description?: string;
-  age?: string;
-};
-
-type BraveSearchResponse = {
-  web?: {
-    results?: BraveSearchResult[];
-  };
-};
-
-type BraveLlmContextResult = { url: string; title: string; snippets: string[] };
-type BraveLlmContextResponse = {
-  grounding: { generic?: BraveLlmContextResult[] };
-  sources?: { url?: string; hostname?: string; date?: string }[];
-};
-
-type BraveConfig = {
-  mode?: string;
-};
-
-type PerplexityConfig = {
-  apiKey?: string;
-  baseUrl?: string;
-  model?: string;
-};
-
-type PerplexityApiKeySource = "config" | "perplexity_env" | "openrouter_env" | "none";
-type PerplexityTransport = "search_api" | "chat_completions";
-type PerplexityBaseUrlHint = "direct" | "openrouter";
-
-type GrokConfig = {
-  apiKey?: string;
-  model?: string;
-  inlineCitations?: boolean;
-};
-
-type KimiConfig = {
-  apiKey?: string;
-  baseUrl?: string;
-  model?: string;
-};
-
-type GrokSearchResponse = {
-  output?: Array<{
-    type?: string;
-    role?: string;
-    text?: string; // present when type === "output_text" (top-level output_text block)
-    content?: Array<{
-      type?: string;
-      text?: string;
-      annotations?: Array<{
-        type?: string;
-        url?: string;
-        start_index?: number;
-        end_index?: number;
-      }>;
-    }>;
-    annotations?: Array<{
-      type?: string;
-      url?: string;
-      start_index?: number;
-      end_index?: number;
-    }>;
-  }>;
-  output_text?: string; // deprecated field - kept for backwards compatibility
-  citations?: string[];
-  inline_citations?: Array<{
-    start_index: number;
-    end_index: number;
-    url: string;
-  }>;
-};
-
-type KimiToolCall = {
-  id?: string;
-  type?: string;
-  function?: {
-    name?: string;
-    arguments?: string;
-  };
-};
-
-type KimiMessage = {
-  role?: string;
-  content?: string;
-  reasoning_content?: string;
-  tool_calls?: KimiToolCall[];
-};
-
-type KimiSearchResponse = {
-  choices?: Array<{
-    finish_reason?: string;
-    message?: KimiMessage;
-  }>;
-  search_results?: Array<{
-    title?: string;
-    url?: string;
-    content?: string;
-  }>;
-};
-
-type PerplexitySearchResponse = {
-  choices?: Array<{
-    message?: {
-      content?: string;
-      annotations?: Array<{
-        type?: string;
-        url?: string;
-        url_citation?: {
-          url?: string;
-          title?: string;
-          start_index?: number;
-          end_index?: number;
-        };
-      }>;
-    };
-  }>;
-  citations?: string[];
-};
-
-type PerplexitySearchApiResult = {
-  title?: string;
-  url?: string;
-  snippet?: string;
-  date?: string;
-  last_updated?: string;
-};
-
-type PerplexitySearchApiResponse = {
-  results?: PerplexitySearchApiResult[];
-  id?: string;
-};
-
-function extractPerplexityCitations(data: PerplexitySearchResponse): string[] {
-  const normalizeUrl = (value: unknown): string | undefined => {
-    if (typeof value !== "string") {
-      return undefined;
-    }
-    const trimmed = value.trim();
-    return trimmed ? trimmed : undefined;
-  };
-
-  const topLevel = (data.citations ?? [])
-    .map(normalizeUrl)
-    .filter((url): url is string => Boolean(url));
-  if (topLevel.length > 0) {
-    return [...new Set(topLevel)];
-  }
-
-  const citations: string[] = [];
-  for (const choice of data.choices ?? []) {
-    for (const annotation of choice.message?.annotations ?? []) {
-      if (annotation.type !== "url_citation") {
-        continue;
-      }
-      const url = normalizeUrl(annotation.url_citation?.url ?? annotation.url);
-      if (url) {
-        citations.push(url);
-      }
-    }
-  }
-
-  return [...new Set(citations)];
-}
-
-function extractGrokContent(data: GrokSearchResponse): {
-  text: string | undefined;
-  annotationCitations: string[];
-} {
-  // xAI Responses API format: find the message output with text content
-  for (const output of data.output ?? []) {
-    if (output.type === "message") {
-      for (const block of output.content ?? []) {
-        if (block.type === "output_text" && typeof block.text === "string" && block.text) {
-          const urls = (block.annotations ?? [])
-            .filter((a) => a.type === "url_citation" && typeof a.url === "string")
-            .map((a) => a.url as string);
-          return { text: block.text, annotationCitations: [...new Set(urls)] };
-        }
-      }
-    }
-    // Some xAI responses place output_text blocks directly in the output array
-    // without a message wrapper.
-    if (
-      output.type === "output_text" &&
-      "text" in output &&
-      typeof output.text === "string" &&
-      output.text
-    ) {
-      const rawAnnotations =
-        "annotations" in output && Array.isArray(output.annotations) ? output.annotations : [];
-      const urls = rawAnnotations
-        .filter(
-          (a: Record<string, unknown>) => a.type === "url_citation" && typeof a.url === "string",
-        )
-        .map((a: Record<string, unknown>) => a.url as string);
-      return { text: output.text, annotationCitations: [...new Set(urls)] };
-    }
-  }
-  // Fallback: deprecated output_text field
-  const text = typeof data.output_text === "string" ? data.output_text : undefined;
-  return { text, annotationCitations: [] };
-}
-
-type GeminiConfig = {
-  apiKey?: string;
-  model?: string;
-};
-
-type GeminiGroundingResponse = {
-  candidates?: Array<{
-    content?: {
-      parts?: Array<{
-        text?: string;
-      }>;
-    };
-    groundingMetadata?: {
-      groundingChunks?: Array<{
-        web?: {
-          uri?: string;
-          title?: string;
-        };
-      }>;
-      searchEntryPoint?: {
-        renderedContent?: string;
-      };
-      webSearchQueries?: string[];
-    };
-  }>;
-  error?: {
-    code?: number;
-    message?: string;
-    status?: string;
-  };
-};
-
-const DEFAULT_GEMINI_MODEL = "gemini-2.5-flash";
-const GEMINI_API_BASE = "https://generativelanguage.googleapis.com/v1beta";
-
 function resolveSearchConfig(cfg?: OpenClawConfig): WebSearchConfig {
   const search = cfg?.tools?.web?.search;
   if (!search || typeof search !== "object") {
@@ -548,1344 +32,66 @@ function resolveSearchEnabled(params: { search?: WebSearchConfig; sandboxed?: bo
   return true;
 }
 
-function resolveSearchApiKey(search?: WebSearchConfig): string | undefined {
-  const fromConfigRaw =
-    search && "apiKey" in search
-      ? normalizeResolvedSecretInputString({
-          value: search.apiKey,
-          path: "tools.web.search.apiKey",
-        })
-      : undefined;
-  const fromConfig = normalizeSecretInput(fromConfigRaw);
-  const fromEnv = normalizeSecretInput(process.env.BRAVE_API_KEY);
-  return fromConfig || fromEnv || undefined;
+function readProviderEnvValue(envVars: string[]): string | undefined {
+  for (const envVar of envVars) {
+    const value = normalizeSecretInput(process.env[envVar]);
+    if (value) {
+      return value;
+    }
+  }
+  return undefined;
 }
 
-function missingSearchKeyPayload(provider: (typeof SEARCH_PROVIDERS)[number]) {
-  if (provider === "brave") {
-    return {
-      error: "missing_brave_api_key",
-      message: `web_search (brave) needs a Brave Search API key. Run \`${formatCliCommand("openclaw configure --section web")}\` to store it, or set BRAVE_API_KEY in the Gateway environment.`,
-      docs: "https://docs.openclaw.ai/tools/web",
-    };
+function hasProviderCredential(providerId: string, search: WebSearchConfig | undefined): boolean {
+  const providers = resolvePluginWebSearchProviders({
+    bundledAllowlistCompat: true,
+  });
+  const provider = providers.find((entry) => entry.id === providerId);
+  if (!provider) {
+    return false;
   }
-  if (provider === "gemini") {
-    return {
-      error: "missing_gemini_api_key",
-      message:
-        "web_search (gemini) needs an API key. Set GEMINI_API_KEY in the Gateway environment, or configure tools.web.search.gemini.apiKey.",
-      docs: "https://docs.openclaw.ai/tools/web",
-    };
-  }
-  if (provider === "grok") {
-    return {
-      error: "missing_xai_api_key",
-      message:
-        "web_search (grok) needs an xAI API key. Set XAI_API_KEY in the Gateway environment, or configure tools.web.search.grok.apiKey.",
-      docs: "https://docs.openclaw.ai/tools/web",
-    };
-  }
-  if (provider === "kimi") {
-    return {
-      error: "missing_kimi_api_key",
-      message:
-        "web_search (kimi) needs a Moonshot API key. Set KIMI_API_KEY or MOONSHOT_API_KEY in the Gateway environment, or configure tools.web.search.kimi.apiKey.",
-      docs: "https://docs.openclaw.ai/tools/web",
-    };
-  }
-  return {
-    error: "missing_perplexity_api_key",
-    message:
-      "web_search (perplexity) needs an API key. Set PERPLEXITY_API_KEY or OPENROUTER_API_KEY in the Gateway environment, or configure tools.web.search.perplexity.apiKey.",
-    docs: "https://docs.openclaw.ai/tools/web",
-  };
+  const rawValue = provider.getCredentialValue(search as Record<string, unknown> | undefined);
+  const fromConfig = normalizeSecretInput(
+    normalizeResolvedSecretInputString({
+      value: rawValue,
+      path:
+        providerId === "brave"
+          ? "tools.web.search.apiKey"
+          : `tools.web.search.${providerId}.apiKey`,
+    }),
+  );
+  return Boolean(fromConfig || readProviderEnvValue(provider.envVars));
 }
 
-function resolveSearchProvider(search?: WebSearchConfig): (typeof SEARCH_PROVIDERS)[number] {
+function resolveSearchProvider(search?: WebSearchConfig): string {
+  const providers = resolvePluginWebSearchProviders({
+    bundledAllowlistCompat: true,
+  });
   const raw =
     search && "provider" in search && typeof search.provider === "string"
       ? search.provider.trim().toLowerCase()
       : "";
-  if (raw === "brave") {
-    return "brave";
-  }
-  if (raw === "gemini") {
-    return "gemini";
-  }
-  if (raw === "grok") {
-    return "grok";
-  }
-  if (raw === "kimi") {
-    return "kimi";
-  }
-  if (raw === "perplexity") {
-    return "perplexity";
+
+  if (raw) {
+    const explicit = providers.find((provider) => provider.id === raw);
+    if (explicit) {
+      return explicit.id;
+    }
   }
 
-  // Auto-detect provider from available API keys (alphabetical order)
-  if (raw === "") {
-    // Brave
-    if (resolveSearchApiKey(search)) {
+  if (!raw) {
+    for (const provider of providers) {
+      if (!hasProviderCredential(provider.id, search)) {
+        continue;
+      }
       logVerbose(
-        'web_search: no provider configured, auto-detected "brave" from available API keys',
+        `web_search: no provider configured, auto-detected "${provider.id}" from available API keys`,
       );
-      return "brave";
-    }
-    // Gemini
-    const geminiConfig = resolveGeminiConfig(search);
-    if (resolveGeminiApiKey(geminiConfig)) {
-      logVerbose(
-        'web_search: no provider configured, auto-detected "gemini" from available API keys',
-      );
-      return "gemini";
-    }
-    // Grok
-    const grokConfig = resolveGrokConfig(search);
-    if (resolveGrokApiKey(grokConfig)) {
-      logVerbose(
-        'web_search: no provider configured, auto-detected "grok" from available API keys',
-      );
-      return "grok";
-    }
-    // Kimi
-    const kimiConfig = resolveKimiConfig(search);
-    if (resolveKimiApiKey(kimiConfig)) {
-      logVerbose(
-        'web_search: no provider configured, auto-detected "kimi" from available API keys',
-      );
-      return "kimi";
-    }
-    // Perplexity
-    const perplexityConfig = resolvePerplexityConfig(search);
-    const { apiKey: perplexityKey } = resolvePerplexityApiKey(perplexityConfig);
-    if (perplexityKey) {
-      logVerbose(
-        'web_search: no provider configured, auto-detected "perplexity" from available API keys',
-      );
-      return "perplexity";
+      return provider.id;
     }
   }
 
-  return "brave";
-}
-
-function resolveBraveConfig(search?: WebSearchConfig): BraveConfig {
-  if (!search || typeof search !== "object") {
-    return {};
-  }
-  const brave = "brave" in search ? search.brave : undefined;
-  if (!brave || typeof brave !== "object") {
-    return {};
-  }
-  return brave as BraveConfig;
-}
-
-function resolveBraveMode(brave: BraveConfig): "web" | "llm-context" {
-  return brave.mode === "llm-context" ? "llm-context" : "web";
-}
-
-function resolvePerplexityConfig(search?: WebSearchConfig): PerplexityConfig {
-  if (!search || typeof search !== "object") {
-    return {};
-  }
-  const perplexity = "perplexity" in search ? search.perplexity : undefined;
-  if (!perplexity || typeof perplexity !== "object") {
-    return {};
-  }
-  return perplexity as PerplexityConfig;
-}
-
-function resolvePerplexityApiKey(perplexity?: PerplexityConfig): {
-  apiKey?: string;
-  source: PerplexityApiKeySource;
-} {
-  const fromConfig = normalizeApiKey(perplexity?.apiKey);
-  if (fromConfig) {
-    return { apiKey: fromConfig, source: "config" };
-  }
-
-  const fromEnvPerplexity = normalizeApiKey(process.env.PERPLEXITY_API_KEY);
-  if (fromEnvPerplexity) {
-    return { apiKey: fromEnvPerplexity, source: "perplexity_env" };
-  }
-
-  const fromEnvOpenRouter = normalizeApiKey(process.env.OPENROUTER_API_KEY);
-  if (fromEnvOpenRouter) {
-    return { apiKey: fromEnvOpenRouter, source: "openrouter_env" };
-  }
-
-  return { apiKey: undefined, source: "none" };
-}
-
-function normalizeApiKey(key: unknown): string {
-  return normalizeSecretInput(key);
-}
-
-function inferPerplexityBaseUrlFromApiKey(apiKey?: string): PerplexityBaseUrlHint | undefined {
-  if (!apiKey) {
-    return undefined;
-  }
-  const normalized = apiKey.toLowerCase();
-  if (PERPLEXITY_KEY_PREFIXES.some((prefix) => normalized.startsWith(prefix))) {
-    return "direct";
-  }
-  if (OPENROUTER_KEY_PREFIXES.some((prefix) => normalized.startsWith(prefix))) {
-    return "openrouter";
-  }
-  return undefined;
-}
-
-function resolvePerplexityBaseUrl(
-  perplexity?: PerplexityConfig,
-  authSource: PerplexityApiKeySource = "none", // pragma: allowlist secret
-  configuredKey?: string,
-): string {
-  const fromConfig =
-    perplexity && "baseUrl" in perplexity && typeof perplexity.baseUrl === "string"
-      ? perplexity.baseUrl.trim()
-      : "";
-  if (fromConfig) {
-    return fromConfig;
-  }
-  if (authSource === "perplexity_env") {
-    return PERPLEXITY_DIRECT_BASE_URL;
-  }
-  if (authSource === "openrouter_env") {
-    return DEFAULT_PERPLEXITY_BASE_URL;
-  }
-  if (authSource === "config") {
-    const inferred = inferPerplexityBaseUrlFromApiKey(configuredKey);
-    if (inferred === "openrouter") {
-      return DEFAULT_PERPLEXITY_BASE_URL;
-    }
-    return PERPLEXITY_DIRECT_BASE_URL;
-  }
-  return DEFAULT_PERPLEXITY_BASE_URL;
-}
-
-function resolvePerplexityModel(perplexity?: PerplexityConfig): string {
-  const fromConfig =
-    perplexity && "model" in perplexity && typeof perplexity.model === "string"
-      ? perplexity.model.trim()
-      : "";
-  return fromConfig || DEFAULT_PERPLEXITY_MODEL;
-}
-
-function isDirectPerplexityBaseUrl(baseUrl: string): boolean {
-  const trimmed = baseUrl.trim();
-  if (!trimmed) {
-    return false;
-  }
-  try {
-    return new URL(trimmed).hostname.toLowerCase() === "api.perplexity.ai";
-  } catch {
-    return false;
-  }
-}
-
-function resolvePerplexityRequestModel(baseUrl: string, model: string): string {
-  if (!isDirectPerplexityBaseUrl(baseUrl)) {
-    return model;
-  }
-  return model.startsWith("perplexity/") ? model.slice("perplexity/".length) : model;
-}
-
-function resolvePerplexityTransport(perplexity?: PerplexityConfig): {
-  apiKey?: string;
-  source: PerplexityApiKeySource;
-  baseUrl: string;
-  model: string;
-  transport: PerplexityTransport;
-} {
-  const auth = resolvePerplexityApiKey(perplexity);
-  const baseUrl = resolvePerplexityBaseUrl(perplexity, auth.source, auth.apiKey);
-  const model = resolvePerplexityModel(perplexity);
-  const hasLegacyOverride = Boolean(
-    (perplexity?.baseUrl && perplexity.baseUrl.trim()) ||
-    (perplexity?.model && perplexity.model.trim()),
-  );
-  return {
-    ...auth,
-    baseUrl,
-    model,
-    transport:
-      hasLegacyOverride || !isDirectPerplexityBaseUrl(baseUrl) ? "chat_completions" : "search_api",
-  };
-}
-
-function resolvePerplexitySchemaTransportHint(
-  perplexity?: PerplexityConfig,
-): PerplexityTransport | undefined {
-  const hasLegacyOverride = Boolean(
-    (perplexity?.baseUrl && perplexity.baseUrl.trim()) ||
-    (perplexity?.model && perplexity.model.trim()),
-  );
-  return hasLegacyOverride ? "chat_completions" : undefined;
-}
-
-function resolveGrokConfig(search?: WebSearchConfig): GrokConfig {
-  if (!search || typeof search !== "object") {
-    return {};
-  }
-  const grok = "grok" in search ? search.grok : undefined;
-  if (!grok || typeof grok !== "object") {
-    return {};
-  }
-  return grok as GrokConfig;
-}
-
-function resolveGrokApiKey(grok?: GrokConfig): string | undefined {
-  const fromConfig = normalizeApiKey(grok?.apiKey);
-  if (fromConfig) {
-    return fromConfig;
-  }
-  const fromEnv = normalizeApiKey(process.env.XAI_API_KEY);
-  return fromEnv || undefined;
-}
-
-function resolveGrokModel(grok?: GrokConfig): string {
-  const fromConfig =
-    grok && "model" in grok && typeof grok.model === "string" ? grok.model.trim() : "";
-  return fromConfig || DEFAULT_GROK_MODEL;
-}
-
-function resolveGrokInlineCitations(grok?: GrokConfig): boolean {
-  return grok?.inlineCitations === true;
-}
-
-function resolveKimiConfig(search?: WebSearchConfig): KimiConfig {
-  if (!search || typeof search !== "object") {
-    return {};
-  }
-  const kimi = "kimi" in search ? search.kimi : undefined;
-  if (!kimi || typeof kimi !== "object") {
-    return {};
-  }
-  return kimi as KimiConfig;
-}
-
-function resolveKimiApiKey(kimi?: KimiConfig): string | undefined {
-  const fromConfig = normalizeApiKey(kimi?.apiKey);
-  if (fromConfig) {
-    return fromConfig;
-  }
-  const fromEnvKimi = normalizeApiKey(process.env.KIMI_API_KEY);
-  if (fromEnvKimi) {
-    return fromEnvKimi;
-  }
-  const fromEnvMoonshot = normalizeApiKey(process.env.MOONSHOT_API_KEY);
-  return fromEnvMoonshot || undefined;
-}
-
-function resolveKimiModel(kimi?: KimiConfig): string {
-  const fromConfig =
-    kimi && "model" in kimi && typeof kimi.model === "string" ? kimi.model.trim() : "";
-  return fromConfig || DEFAULT_KIMI_MODEL;
-}
-
-function resolveKimiBaseUrl(kimi?: KimiConfig): string {
-  const fromConfig =
-    kimi && "baseUrl" in kimi && typeof kimi.baseUrl === "string" ? kimi.baseUrl.trim() : "";
-  return fromConfig || DEFAULT_KIMI_BASE_URL;
-}
-
-function resolveGeminiConfig(search?: WebSearchConfig): GeminiConfig {
-  if (!search || typeof search !== "object") {
-    return {};
-  }
-  const gemini = "gemini" in search ? search.gemini : undefined;
-  if (!gemini || typeof gemini !== "object") {
-    return {};
-  }
-  return gemini as GeminiConfig;
-}
-
-function resolveGeminiApiKey(gemini?: GeminiConfig): string | undefined {
-  const fromConfig = normalizeApiKey(gemini?.apiKey);
-  if (fromConfig) {
-    return fromConfig;
-  }
-  const fromEnv = normalizeApiKey(process.env.GEMINI_API_KEY);
-  return fromEnv || undefined;
-}
-
-function resolveGeminiModel(gemini?: GeminiConfig): string {
-  const fromConfig =
-    gemini && "model" in gemini && typeof gemini.model === "string" ? gemini.model.trim() : "";
-  return fromConfig || DEFAULT_GEMINI_MODEL;
-}
-
-async function withTrustedWebSearchEndpoint<T>(
-  params: {
-    url: string;
-    timeoutSeconds: number;
-    init: RequestInit;
-  },
-  run: (response: Response) => Promise<T>,
-): Promise<T> {
-  return withTrustedWebToolsEndpoint(
-    {
-      url: params.url,
-      init: params.init,
-      timeoutSeconds: params.timeoutSeconds,
-    },
-    async ({ response }) => run(response),
-  );
-}
-
-async function runGeminiSearch(params: {
-  query: string;
-  apiKey: string;
-  model: string;
-  timeoutSeconds: number;
-}): Promise<{ content: string; citations: Array<{ url: string; title?: string }> }> {
-  const endpoint = `${GEMINI_API_BASE}/models/${params.model}:generateContent`;
-
-  return withTrustedWebSearchEndpoint(
-    {
-      url: endpoint,
-      timeoutSeconds: params.timeoutSeconds,
-      init: {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          "x-goog-api-key": params.apiKey,
-        },
-        body: JSON.stringify({
-          contents: [
-            {
-              parts: [{ text: params.query }],
-            },
-          ],
-          tools: [{ google_search: {} }],
-        }),
-      },
-    },
-    async (res) => {
-      if (!res.ok) {
-        const detailResult = await readResponseText(res, { maxBytes: 64_000 });
-        // Strip API key from any error detail to prevent accidental key leakage in logs
-        const safeDetail = (detailResult.text || res.statusText).replace(
-          /key=[^&\s]+/gi,
-          "key=***",
-        );
-        throw new Error(`Gemini API error (${res.status}): ${safeDetail}`);
-      }
-
-      let data: GeminiGroundingResponse;
-      try {
-        data = (await res.json()) as GeminiGroundingResponse;
-      } catch (err) {
-        const safeError = String(err).replace(/key=[^&\s]+/gi, "key=***");
-        throw new Error(`Gemini API returned invalid JSON: ${safeError}`, { cause: err });
-      }
-
-      if (data.error) {
-        const rawMsg = data.error.message || data.error.status || "unknown";
-        const safeMsg = rawMsg.replace(/key=[^&\s]+/gi, "key=***");
-        throw new Error(`Gemini API error (${data.error.code}): ${safeMsg}`);
-      }
-
-      const candidate = data.candidates?.[0];
-      const content =
-        candidate?.content?.parts
-          ?.map((p) => p.text)
-          .filter(Boolean)
-          .join("\n") ?? "No response";
-
-      const groundingChunks = candidate?.groundingMetadata?.groundingChunks ?? [];
-      const rawCitations = groundingChunks
-        .filter((chunk) => chunk.web?.uri)
-        .map((chunk) => ({
-          url: chunk.web!.uri!,
-          title: chunk.web?.title || undefined,
-        }));
-
-      // Resolve Google grounding redirect URLs to direct URLs with concurrency cap.
-      // Gemini typically returns 3-8 citations; cap at 10 concurrent to be safe.
-      const MAX_CONCURRENT_REDIRECTS = 10;
-      const citations: Array<{ url: string; title?: string }> = [];
-      for (let i = 0; i < rawCitations.length; i += MAX_CONCURRENT_REDIRECTS) {
-        const batch = rawCitations.slice(i, i + MAX_CONCURRENT_REDIRECTS);
-        const resolved = await Promise.all(
-          batch.map(async (citation) => {
-            const resolvedUrl = await resolveCitationRedirectUrl(citation.url);
-            return { ...citation, url: resolvedUrl };
-          }),
-        );
-        citations.push(...resolved);
-      }
-
-      return { content, citations };
-    },
-  );
-}
-
-function resolveSearchCount(value: unknown, fallback: number): number {
-  const parsed = typeof value === "number" && Number.isFinite(value) ? value : fallback;
-  const clamped = Math.max(1, Math.min(MAX_SEARCH_COUNT, Math.floor(parsed)));
-  return clamped;
-}
-
-function normalizeBraveSearchLang(value: string | undefined): string | undefined {
-  if (!value) {
-    return undefined;
-  }
-  const trimmed = value.trim();
-  if (!trimmed) {
-    return undefined;
-  }
-  const canonical = BRAVE_SEARCH_LANG_ALIASES[trimmed.toLowerCase()] ?? trimmed.toLowerCase();
-  if (!BRAVE_SEARCH_LANG_CODES.has(canonical)) {
-    return undefined;
-  }
-  return canonical;
-}
-
-function normalizeBraveUiLang(value: string | undefined): string | undefined {
-  if (!value) {
-    return undefined;
-  }
-  const trimmed = value.trim();
-  if (!trimmed) {
-    return undefined;
-  }
-  const match = trimmed.match(BRAVE_UI_LANG_LOCALE);
-  if (!match) {
-    return undefined;
-  }
-  const [, language, region] = match;
-  return `${language.toLowerCase()}-${region.toUpperCase()}`;
-}
-
-function normalizeBraveLanguageParams(params: { search_lang?: string; ui_lang?: string }): {
-  search_lang?: string;
-  ui_lang?: string;
-  invalidField?: "search_lang" | "ui_lang";
-} {
-  const rawSearchLang = params.search_lang?.trim() || undefined;
-  const rawUiLang = params.ui_lang?.trim() || undefined;
-  let searchLangCandidate = rawSearchLang;
-  let uiLangCandidate = rawUiLang;
-
-  // Recover common LLM mix-up: locale in search_lang + short code in ui_lang.
-  if (normalizeBraveUiLang(rawSearchLang) && normalizeBraveSearchLang(rawUiLang)) {
-    searchLangCandidate = rawUiLang;
-    uiLangCandidate = rawSearchLang;
-  }
-
-  const search_lang = normalizeBraveSearchLang(searchLangCandidate);
-  if (searchLangCandidate && !search_lang) {
-    return { invalidField: "search_lang" };
-  }
-
-  const ui_lang = normalizeBraveUiLang(uiLangCandidate);
-  if (uiLangCandidate && !ui_lang) {
-    return { invalidField: "ui_lang" };
-  }
-
-  return { search_lang, ui_lang };
-}
-
-/**
- * Normalizes freshness shortcut to the provider's expected format.
- * Accepts both Brave format (pd/pw/pm/py) and Perplexity format (day/week/month/year).
- * For Brave, also accepts date ranges (YYYY-MM-DDtoYYYY-MM-DD).
- */
-function normalizeFreshness(
-  value: string | undefined,
-  provider: (typeof SEARCH_PROVIDERS)[number],
-): string | undefined {
-  if (!value) {
-    return undefined;
-  }
-  const trimmed = value.trim();
-  if (!trimmed) {
-    return undefined;
-  }
-
-  const lower = trimmed.toLowerCase();
-
-  if (BRAVE_FRESHNESS_SHORTCUTS.has(lower)) {
-    return provider === "brave" ? lower : FRESHNESS_TO_RECENCY[lower];
-  }
-
-  if (PERPLEXITY_RECENCY_VALUES.has(lower)) {
-    return provider === "perplexity" ? lower : RECENCY_TO_FRESHNESS[lower];
-  }
-
-  // Brave date range support
-  if (provider === "brave") {
-    const match = trimmed.match(BRAVE_FRESHNESS_RANGE);
-    if (match) {
-      const [, start, end] = match;
-      if (isValidIsoDate(start) && isValidIsoDate(end) && start <= end) {
-        return `${start}to${end}`;
-      }
-    }
-  }
-
-  return undefined;
-}
-
-function isValidIsoDate(value: string): boolean {
-  if (!/^\d{4}-\d{2}-\d{2}$/.test(value)) {
-    return false;
-  }
-  const [year, month, day] = value.split("-").map((part) => Number.parseInt(part, 10));
-  if (!Number.isFinite(year) || !Number.isFinite(month) || !Number.isFinite(day)) {
-    return false;
-  }
-
-  const date = new Date(Date.UTC(year, month - 1, day));
-  return (
-    date.getUTCFullYear() === year && date.getUTCMonth() === month - 1 && date.getUTCDate() === day
-  );
-}
-
-function resolveSiteName(url: string | undefined): string | undefined {
-  if (!url) {
-    return undefined;
-  }
-  try {
-    return new URL(url).hostname;
-  } catch {
-    return undefined;
-  }
-}
-
-async function throwWebSearchApiError(res: Response, providerLabel: string): Promise<never> {
-  const detailResult = await readResponseText(res, { maxBytes: 64_000 });
-  const detail = detailResult.text;
-  throw new Error(`${providerLabel} API error (${res.status}): ${detail || res.statusText}`);
-}
-
-async function runPerplexitySearchApi(params: {
-  query: string;
-  apiKey: string;
-  count: number;
-  timeoutSeconds: number;
-  country?: string;
-  searchDomainFilter?: string[];
-  searchRecencyFilter?: string;
-  searchLanguageFilter?: string[];
-  searchAfterDate?: string;
-  searchBeforeDate?: string;
-  maxTokens?: number;
-  maxTokensPerPage?: number;
-}): Promise<
-  Array<{ title: string; url: string; description: string; published?: string; siteName?: string }>
-> {
-  const body: Record<string, unknown> = {
-    query: params.query,
-    max_results: params.count,
-  };
-
-  if (params.country) {
-    body.country = params.country;
-  }
-  if (params.searchDomainFilter && params.searchDomainFilter.length > 0) {
-    body.search_domain_filter = params.searchDomainFilter;
-  }
-  if (params.searchRecencyFilter) {
-    body.search_recency_filter = params.searchRecencyFilter;
-  }
-  if (params.searchLanguageFilter && params.searchLanguageFilter.length > 0) {
-    body.search_language_filter = params.searchLanguageFilter;
-  }
-  if (params.searchAfterDate) {
-    body.search_after_date = params.searchAfterDate;
-  }
-  if (params.searchBeforeDate) {
-    body.search_before_date = params.searchBeforeDate;
-  }
-  if (params.maxTokens !== undefined) {
-    body.max_tokens = params.maxTokens;
-  }
-  if (params.maxTokensPerPage !== undefined) {
-    body.max_tokens_per_page = params.maxTokensPerPage;
-  }
-
-  return withTrustedWebSearchEndpoint(
-    {
-      url: PERPLEXITY_SEARCH_ENDPOINT,
-      timeoutSeconds: params.timeoutSeconds,
-      init: {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Accept: "application/json",
-          Authorization: `Bearer ${params.apiKey}`,
-          "HTTP-Referer": "https://openclaw.ai",
-          "X-Title": "OpenClaw Web Search",
-        },
-        body: JSON.stringify(body),
-      },
-    },
-    async (res) => {
-      if (!res.ok) {
-        return await throwWebSearchApiError(res, "Perplexity Search");
-      }
-
-      const data = (await res.json()) as PerplexitySearchApiResponse;
-      const results = Array.isArray(data.results) ? data.results : [];
-
-      return results.map((entry) => {
-        const title = entry.title ?? "";
-        const url = entry.url ?? "";
-        const snippet = entry.snippet ?? "";
-        return {
-          title: title ? wrapWebContent(title, "web_search") : "",
-          url,
-          description: snippet ? wrapWebContent(snippet, "web_search") : "",
-          published: entry.date ?? undefined,
-          siteName: resolveSiteName(url) || undefined,
-        };
-      });
-    },
-  );
-}
-
-async function runPerplexitySearch(params: {
-  query: string;
-  apiKey: string;
-  baseUrl: string;
-  model: string;
-  timeoutSeconds: number;
-  freshness?: string;
-}): Promise<{ content: string; citations: string[] }> {
-  const baseUrl = params.baseUrl.trim().replace(/\/$/, "");
-  const endpoint = `${baseUrl}/chat/completions`;
-  const model = resolvePerplexityRequestModel(baseUrl, params.model);
-
-  const body: Record<string, unknown> = {
-    model,
-    messages: [
-      {
-        role: "user",
-        content: params.query,
-      },
-    ],
-  };
-
-  if (params.freshness) {
-    body.search_recency_filter = params.freshness;
-  }
-
-  return withTrustedWebSearchEndpoint(
-    {
-      url: endpoint,
-      timeoutSeconds: params.timeoutSeconds,
-      init: {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${params.apiKey}`,
-          "HTTP-Referer": "https://openclaw.ai",
-          "X-Title": "OpenClaw Web Search",
-        },
-        body: JSON.stringify(body),
-      },
-    },
-    async (res) => {
-      if (!res.ok) {
-        return await throwWebSearchApiError(res, "Perplexity");
-      }
-
-      const data = (await res.json()) as PerplexitySearchResponse;
-      const content = data.choices?.[0]?.message?.content ?? "No response";
-      // Prefer top-level citations; fall back to OpenRouter-style message annotations.
-      const citations = extractPerplexityCitations(data);
-
-      return { content, citations };
-    },
-  );
-}
-
-async function runGrokSearch(params: {
-  query: string;
-  apiKey: string;
-  model: string;
-  timeoutSeconds: number;
-  inlineCitations: boolean;
-}): Promise<{
-  content: string;
-  citations: string[];
-  inlineCitations?: GrokSearchResponse["inline_citations"];
-}> {
-  const body: Record<string, unknown> = {
-    model: params.model,
-    input: [
-      {
-        role: "user",
-        content: params.query,
-      },
-    ],
-    tools: [{ type: "web_search" }],
-  };
-
-  // Note: xAI's /v1/responses endpoint does not support the `include`
-  // parameter (returns 400 "Argument not supported: include"). Inline
-  // citations are returned automatically when available — we just parse
-  // them from the response without requesting them explicitly (#12910).
-
-  return withTrustedWebSearchEndpoint(
-    {
-      url: XAI_API_ENDPOINT,
-      timeoutSeconds: params.timeoutSeconds,
-      init: {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${params.apiKey}`,
-        },
-        body: JSON.stringify(body),
-      },
-    },
-    async (res) => {
-      if (!res.ok) {
-        return await throwWebSearchApiError(res, "xAI");
-      }
-
-      const data = (await res.json()) as GrokSearchResponse;
-      const { text: extractedText, annotationCitations } = extractGrokContent(data);
-      const content = extractedText ?? "No response";
-      // Prefer top-level citations; fall back to annotation-derived ones
-      const citations = (data.citations ?? []).length > 0 ? data.citations! : annotationCitations;
-      const inlineCitations = data.inline_citations;
-
-      return { content, citations, inlineCitations };
-    },
-  );
-}
-
-function extractKimiMessageText(message: KimiMessage | undefined): string | undefined {
-  const content = message?.content?.trim();
-  if (content) {
-    return content;
-  }
-  const reasoning = message?.reasoning_content?.trim();
-  return reasoning || undefined;
-}
-
-function extractKimiCitations(data: KimiSearchResponse): string[] {
-  const citations = (data.search_results ?? [])
-    .map((entry) => entry.url?.trim())
-    .filter((url): url is string => Boolean(url));
-
-  for (const toolCall of data.choices?.[0]?.message?.tool_calls ?? []) {
-    const rawArguments = toolCall.function?.arguments;
-    if (!rawArguments) {
-      continue;
-    }
-    try {
-      const parsed = JSON.parse(rawArguments) as {
-        search_results?: Array<{ url?: string }>;
-        url?: string;
-      };
-      if (typeof parsed.url === "string" && parsed.url.trim()) {
-        citations.push(parsed.url.trim());
-      }
-      for (const result of parsed.search_results ?? []) {
-        if (typeof result.url === "string" && result.url.trim()) {
-          citations.push(result.url.trim());
-        }
-      }
-    } catch {
-      // ignore malformed tool arguments
-    }
-  }
-
-  return [...new Set(citations)];
-}
-
-function buildKimiToolResultContent(data: KimiSearchResponse): string {
-  return JSON.stringify({
-    search_results: (data.search_results ?? []).map((entry) => ({
-      title: entry.title ?? "",
-      url: entry.url ?? "",
-      content: entry.content ?? "",
-    })),
-  });
-}
-
-async function runKimiSearch(params: {
-  query: string;
-  apiKey: string;
-  baseUrl: string;
-  model: string;
-  timeoutSeconds: number;
-}): Promise<{ content: string; citations: string[] }> {
-  const baseUrl = params.baseUrl.trim().replace(/\/$/, "");
-  const endpoint = `${baseUrl}/chat/completions`;
-  const messages: Array<Record<string, unknown>> = [
-    {
-      role: "user",
-      content: params.query,
-    },
-  ];
-  const collectedCitations = new Set<string>();
-  const MAX_ROUNDS = 3;
-
-  for (let round = 0; round < MAX_ROUNDS; round += 1) {
-    const nextResult = await withTrustedWebSearchEndpoint(
-      {
-        url: endpoint,
-        timeoutSeconds: params.timeoutSeconds,
-        init: {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            Authorization: `Bearer ${params.apiKey}`,
-          },
-          body: JSON.stringify({
-            model: params.model,
-            messages,
-            tools: [KIMI_WEB_SEARCH_TOOL],
-          }),
-        },
-      },
-      async (
-        res,
-      ): Promise<{ done: true; content: string; citations: string[] } | { done: false }> => {
-        if (!res.ok) {
-          return await throwWebSearchApiError(res, "Kimi");
-        }
-
-        const data = (await res.json()) as KimiSearchResponse;
-        for (const citation of extractKimiCitations(data)) {
-          collectedCitations.add(citation);
-        }
-        const choice = data.choices?.[0];
-        const message = choice?.message;
-        const text = extractKimiMessageText(message);
-        const toolCalls = message?.tool_calls ?? [];
-
-        if (choice?.finish_reason !== "tool_calls" || toolCalls.length === 0) {
-          return { done: true, content: text ?? "No response", citations: [...collectedCitations] };
-        }
-
-        messages.push({
-          role: "assistant",
-          content: message?.content ?? "",
-          ...(message?.reasoning_content
-            ? {
-                reasoning_content: message.reasoning_content,
-              }
-            : {}),
-          tool_calls: toolCalls,
-        });
-
-        const toolContent = buildKimiToolResultContent(data);
-        let pushedToolResult = false;
-        for (const toolCall of toolCalls) {
-          const toolCallId = toolCall.id?.trim();
-          if (!toolCallId) {
-            continue;
-          }
-          pushedToolResult = true;
-          messages.push({
-            role: "tool",
-            tool_call_id: toolCallId,
-            content: toolContent,
-          });
-        }
-
-        if (!pushedToolResult) {
-          return { done: true, content: text ?? "No response", citations: [...collectedCitations] };
-        }
-
-        return { done: false };
-      },
-    );
-
-    if (nextResult.done) {
-      return { content: nextResult.content, citations: nextResult.citations };
-    }
-  }
-
-  return {
-    content: "Search completed but no final answer was produced.",
-    citations: [...collectedCitations],
-  };
-}
-
-function mapBraveLlmContextResults(
-  data: BraveLlmContextResponse,
-): { url: string; title: string; snippets: string[]; siteName?: string }[] {
-  const genericResults = Array.isArray(data.grounding?.generic) ? data.grounding.generic : [];
-  return genericResults.map((entry) => ({
-    url: entry.url ?? "",
-    title: entry.title ?? "",
-    snippets: (entry.snippets ?? []).filter((s) => typeof s === "string" && s.length > 0),
-    siteName: resolveSiteName(entry.url) || undefined,
-  }));
-}
-
-async function runBraveLlmContextSearch(params: {
-  query: string;
-  apiKey: string;
-  timeoutSeconds: number;
-  country?: string;
-  search_lang?: string;
-  freshness?: string;
-}): Promise<{
-  results: Array<{
-    url: string;
-    title: string;
-    snippets: string[];
-    siteName?: string;
-  }>;
-  sources?: BraveLlmContextResponse["sources"];
-}> {
-  const url = new URL(BRAVE_LLM_CONTEXT_ENDPOINT);
-  url.searchParams.set("q", params.query);
-  if (params.country) {
-    url.searchParams.set("country", params.country);
-  }
-  if (params.search_lang) {
-    url.searchParams.set("search_lang", params.search_lang);
-  }
-  if (params.freshness) {
-    url.searchParams.set("freshness", params.freshness);
-  }
-
-  return withTrustedWebSearchEndpoint(
-    {
-      url: url.toString(),
-      timeoutSeconds: params.timeoutSeconds,
-      init: {
-        method: "GET",
-        headers: {
-          Accept: "application/json",
-          "X-Subscription-Token": params.apiKey,
-        },
-      },
-    },
-    async (res) => {
-      if (!res.ok) {
-        const detailResult = await readResponseText(res, { maxBytes: 64_000 });
-        const detail = detailResult.text;
-        throw new Error(`Brave LLM Context API error (${res.status}): ${detail || res.statusText}`);
-      }
-
-      const data = (await res.json()) as BraveLlmContextResponse;
-      const mapped = mapBraveLlmContextResults(data);
-
-      return { results: mapped, sources: data.sources };
-    },
-  );
-}
-
-async function runWebSearch(params: {
-  query: string;
-  count: number;
-  apiKey: string;
-  timeoutSeconds: number;
-  cacheTtlMs: number;
-  provider: (typeof SEARCH_PROVIDERS)[number];
-  country?: string;
-  language?: string;
-  search_lang?: string;
-  ui_lang?: string;
-  freshness?: string;
-  dateAfter?: string;
-  dateBefore?: string;
-  searchDomainFilter?: string[];
-  maxTokens?: number;
-  maxTokensPerPage?: number;
-  perplexityBaseUrl?: string;
-  perplexityModel?: string;
-  perplexityTransport?: PerplexityTransport;
-  grokModel?: string;
-  grokInlineCitations?: boolean;
-  geminiModel?: string;
-  kimiBaseUrl?: string;
-  kimiModel?: string;
-  braveMode?: "web" | "llm-context";
-}): Promise<Record<string, unknown>> {
-  const effectiveBraveMode = params.braveMode ?? "web";
-  const providerSpecificKey =
-    params.provider === "perplexity"
-      ? `${params.perplexityTransport ?? "search_api"}:${params.perplexityBaseUrl ?? PERPLEXITY_DIRECT_BASE_URL}:${params.perplexityModel ?? DEFAULT_PERPLEXITY_MODEL}`
-      : params.provider === "grok"
-        ? `${params.grokModel ?? DEFAULT_GROK_MODEL}:${String(params.grokInlineCitations ?? false)}`
-        : params.provider === "gemini"
-          ? (params.geminiModel ?? DEFAULT_GEMINI_MODEL)
-          : params.provider === "kimi"
-            ? `${params.kimiBaseUrl ?? DEFAULT_KIMI_BASE_URL}:${params.kimiModel ?? DEFAULT_KIMI_MODEL}`
-            : "";
-  const cacheKey = normalizeCacheKey(
-    params.provider === "brave" && effectiveBraveMode === "llm-context"
-      ? `${params.provider}:llm-context:${params.query}:${params.country || "default"}:${params.search_lang || params.language || "default"}:${params.freshness || "default"}`
-      : `${params.provider}:${effectiveBraveMode}:${params.query}:${params.count}:${params.country || "default"}:${params.search_lang || params.language || "default"}:${params.ui_lang || "default"}:${params.freshness || "default"}:${params.dateAfter || "default"}:${params.dateBefore || "default"}:${params.searchDomainFilter?.join(",") || "default"}:${params.maxTokens || "default"}:${params.maxTokensPerPage || "default"}:${providerSpecificKey}`,
-  );
-  const cached = readCache(SEARCH_CACHE, cacheKey);
-  if (cached) {
-    return { ...cached.value, cached: true };
-  }
-
-  const start = Date.now();
-
-  if (params.provider === "perplexity") {
-    if (params.perplexityTransport === "chat_completions") {
-      const { content, citations } = await runPerplexitySearch({
-        query: params.query,
-        apiKey: params.apiKey,
-        baseUrl: params.perplexityBaseUrl ?? DEFAULT_PERPLEXITY_BASE_URL,
-        model: params.perplexityModel ?? DEFAULT_PERPLEXITY_MODEL,
-        timeoutSeconds: params.timeoutSeconds,
-        freshness: params.freshness,
-      });
-
-      const payload = {
-        query: params.query,
-        provider: params.provider,
-        model: params.perplexityModel ?? DEFAULT_PERPLEXITY_MODEL,
-        tookMs: Date.now() - start,
-        externalContent: {
-          untrusted: true,
-          source: "web_search",
-          provider: params.provider,
-          wrapped: true,
-        },
-        content: wrapWebContent(content, "web_search"),
-        citations,
-      };
-      writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
-      return payload;
-    }
-
-    const results = await runPerplexitySearchApi({
-      query: params.query,
-      apiKey: params.apiKey,
-      count: params.count,
-      timeoutSeconds: params.timeoutSeconds,
-      country: params.country,
-      searchDomainFilter: params.searchDomainFilter,
-      searchRecencyFilter: params.freshness,
-      searchLanguageFilter: params.language ? [params.language] : undefined,
-      searchAfterDate: params.dateAfter ? isoToPerplexityDate(params.dateAfter) : undefined,
-      searchBeforeDate: params.dateBefore ? isoToPerplexityDate(params.dateBefore) : undefined,
-      maxTokens: params.maxTokens,
-      maxTokensPerPage: params.maxTokensPerPage,
-    });
-
-    const payload = {
-      query: params.query,
-      provider: params.provider,
-      count: results.length,
-      tookMs: Date.now() - start,
-      externalContent: {
-        untrusted: true,
-        source: "web_search",
-        provider: params.provider,
-        wrapped: true,
-      },
-      results,
-    };
-    writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
-    return payload;
-  }
-
-  if (params.provider === "grok") {
-    const { content, citations, inlineCitations } = await runGrokSearch({
-      query: params.query,
-      apiKey: params.apiKey,
-      model: params.grokModel ?? DEFAULT_GROK_MODEL,
-      timeoutSeconds: params.timeoutSeconds,
-      inlineCitations: params.grokInlineCitations ?? false,
-    });
-
-    const payload = {
-      query: params.query,
-      provider: params.provider,
-      model: params.grokModel ?? DEFAULT_GROK_MODEL,
-      tookMs: Date.now() - start,
-      externalContent: {
-        untrusted: true,
-        source: "web_search",
-        provider: params.provider,
-        wrapped: true,
-      },
-      content: wrapWebContent(content),
-      citations,
-      inlineCitations,
-    };
-    writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
-    return payload;
-  }
-
-  if (params.provider === "kimi") {
-    const { content, citations } = await runKimiSearch({
-      query: params.query,
-      apiKey: params.apiKey,
-      baseUrl: params.kimiBaseUrl ?? DEFAULT_KIMI_BASE_URL,
-      model: params.kimiModel ?? DEFAULT_KIMI_MODEL,
-      timeoutSeconds: params.timeoutSeconds,
-    });
-
-    const payload = {
-      query: params.query,
-      provider: params.provider,
-      model: params.kimiModel ?? DEFAULT_KIMI_MODEL,
-      tookMs: Date.now() - start,
-      externalContent: {
-        untrusted: true,
-        source: "web_search",
-        provider: params.provider,
-        wrapped: true,
-      },
-      content: wrapWebContent(content),
-      citations,
-    };
-    writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
-    return payload;
-  }
-
-  if (params.provider === "gemini") {
-    const geminiResult = await runGeminiSearch({
-      query: params.query,
-      apiKey: params.apiKey,
-      model: params.geminiModel ?? DEFAULT_GEMINI_MODEL,
-      timeoutSeconds: params.timeoutSeconds,
-    });
-
-    const payload = {
-      query: params.query,
-      provider: params.provider,
-      model: params.geminiModel ?? DEFAULT_GEMINI_MODEL,
-      tookMs: Date.now() - start, // Includes redirect URL resolution time
-      externalContent: {
-        untrusted: true,
-        source: "web_search",
-        provider: params.provider,
-        wrapped: true,
-      },
-      content: wrapWebContent(geminiResult.content),
-      citations: geminiResult.citations,
-    };
-    writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
-    return payload;
-  }
-
-  if (params.provider !== "brave") {
-    throw new Error("Unsupported web search provider.");
-  }
-
-  if (effectiveBraveMode === "llm-context") {
-    const { results: llmResults, sources } = await runBraveLlmContextSearch({
-      query: params.query,
-      apiKey: params.apiKey,
-      timeoutSeconds: params.timeoutSeconds,
-      country: params.country,
-      search_lang: params.search_lang,
-      freshness: params.freshness,
-    });
-
-    const mapped = llmResults.map((entry) => ({
-      title: entry.title ? wrapWebContent(entry.title, "web_search") : "",
-      url: entry.url,
-      snippets: entry.snippets.map((s) => wrapWebContent(s, "web_search")),
-      siteName: entry.siteName,
-    }));
-
-    const payload = {
-      query: params.query,
-      provider: params.provider,
-      mode: "llm-context" as const,
-      count: mapped.length,
-      tookMs: Date.now() - start,
-      externalContent: {
-        untrusted: true,
-        source: "web_search",
-        provider: params.provider,
-        wrapped: true,
-      },
-      results: mapped,
-      sources,
-    };
-    writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
-    return payload;
-  }
-
-  const url = new URL(BRAVE_SEARCH_ENDPOINT);
-  url.searchParams.set("q", params.query);
-  url.searchParams.set("count", String(params.count));
-  if (params.country) {
-    url.searchParams.set("country", params.country);
-  }
-  if (params.search_lang || params.language) {
-    url.searchParams.set("search_lang", (params.search_lang || params.language)!);
-  }
-  if (params.ui_lang) {
-    url.searchParams.set("ui_lang", params.ui_lang);
-  }
-  if (params.freshness) {
-    url.searchParams.set("freshness", params.freshness);
-  } else if (params.dateAfter && params.dateBefore) {
-    url.searchParams.set("freshness", `${params.dateAfter}to${params.dateBefore}`);
-  } else if (params.dateAfter) {
-    url.searchParams.set(
-      "freshness",
-      `${params.dateAfter}to${new Date().toISOString().slice(0, 10)}`,
-    );
-  } else if (params.dateBefore) {
-    url.searchParams.set("freshness", `1970-01-01to${params.dateBefore}`);
-  }
-
-  const mapped = await withTrustedWebSearchEndpoint(
-    {
-      url: url.toString(),
-      timeoutSeconds: params.timeoutSeconds,
-      init: {
-        method: "GET",
-        headers: {
-          Accept: "application/json",
-          "X-Subscription-Token": params.apiKey,
-        },
-      },
-    },
-    async (res) => {
-      if (!res.ok) {
-        const detailResult = await readResponseText(res, { maxBytes: 64_000 });
-        const detail = detailResult.text;
-        throw new Error(`Brave Search API error (${res.status}): ${detail || res.statusText}`);
-      }
-
-      const data = (await res.json()) as BraveSearchResponse;
-      const results = Array.isArray(data.web?.results) ? (data.web?.results ?? []) : [];
-      return results.map((entry) => {
-        const description = entry.description ?? "";
-        const title = entry.title ?? "";
-        const url = entry.url ?? "";
-        const rawSiteName = resolveSiteName(url);
-        return {
-          title: title ? wrapWebContent(title, "web_search") : "",
-          url, // Keep raw for tool chaining
-          description: description ? wrapWebContent(description, "web_search") : "",
-          published: entry.age || undefined,
-          siteName: rawSiteName || undefined,
-        };
-      });
-    },
-  );
-
-  const payload = {
-    query: params.query,
-    provider: params.provider,
-    count: mapped.length,
-    tookMs: Date.now() - start,
-    externalContent: {
-      untrusted: true,
-      source: "web_search",
-      provider: params.provider,
-      wrapped: true,
-    },
-    results: mapped,
-  };
-  writeCache(SEARCH_CACHE, cacheKey, payload, params.cacheTtlMs);
-  return payload;
+  return providers[0]?.id ?? "brave";
 }
 
 export function createWebSearchTool(options?: {
@@ -1898,325 +104,45 @@ export function createWebSearchTool(options?: {
     return null;
   }
 
-  const provider =
+  const providers = resolvePluginWebSearchProviders({
+    config: options?.config,
+    bundledAllowlistCompat: true,
+  });
+  if (providers.length === 0) {
+    return null;
+  }
+
+  const providerId =
     options?.runtimeWebSearch?.selectedProvider ??
     options?.runtimeWebSearch?.providerConfigured ??
     resolveSearchProvider(search);
-  const perplexityConfig = resolvePerplexityConfig(search);
-  const perplexitySchemaTransportHint =
-    options?.runtimeWebSearch?.perplexityTransport ??
-    resolvePerplexitySchemaTransportHint(perplexityConfig);
-  const grokConfig = resolveGrokConfig(search);
-  const geminiConfig = resolveGeminiConfig(search);
-  const kimiConfig = resolveKimiConfig(search);
-  const braveConfig = resolveBraveConfig(search);
-  const braveMode = resolveBraveMode(braveConfig);
+  const provider =
+    providers.find((entry) => entry.id === providerId) ??
+    providers.find((entry) => entry.id === resolveSearchProvider(search)) ??
+    providers[0];
+  if (!provider) {
+    return null;
+  }
 
-  const description =
-    provider === "perplexity"
-      ? perplexitySchemaTransportHint === "chat_completions"
-        ? "Search the web using Perplexity Sonar via Perplexity/OpenRouter chat completions. Returns AI-synthesized answers with citations from web-grounded search."
-        : "Search the web using Perplexity. Runtime routing decides between native Search API and Sonar chat-completions compatibility. Structured filters are available on the native Search API path."
-      : provider === "grok"
-        ? "Search the web using xAI Grok. Returns AI-synthesized answers with citations from real-time web search."
-        : provider === "kimi"
-          ? "Search the web using Kimi by Moonshot. Returns AI-synthesized answers with citations from native $web_search."
-          : provider === "gemini"
-            ? "Search the web using Gemini with Google Search grounding. Returns AI-synthesized answers with citations from Google Search."
-            : braveMode === "llm-context"
-              ? "Search the web using Brave Search LLM Context API. Returns pre-extracted page content (text chunks, tables, code blocks) optimized for LLM grounding."
-              : "Search the web using Brave Search API. Supports region-specific and localized search via country and language parameters. Returns titles, URLs, and snippets for fast research.";
+  const definition = provider.createTool({
+    config: options?.config,
+    searchConfig: search as Record<string, unknown> | undefined,
+    runtimeMetadata: options?.runtimeWebSearch,
+  });
+  if (!definition) {
+    return null;
+  }
 
   return {
     label: "Web Search",
     name: "web_search",
-    description,
-    parameters: createWebSearchSchema({
-      provider,
-      perplexityTransport: provider === "perplexity" ? perplexitySchemaTransportHint : undefined,
-    }),
-    execute: async (_toolCallId, args) => {
-      // Resolve Perplexity auth/transport lazily at execution time so unrelated providers
-      // do not touch Perplexity-only credential surfaces during tool construction.
-      const perplexityRuntime =
-        provider === "perplexity" ? resolvePerplexityTransport(perplexityConfig) : undefined;
-      const apiKey =
-        provider === "perplexity"
-          ? perplexityRuntime?.apiKey
-          : provider === "grok"
-            ? resolveGrokApiKey(grokConfig)
-            : provider === "kimi"
-              ? resolveKimiApiKey(kimiConfig)
-              : provider === "gemini"
-                ? resolveGeminiApiKey(geminiConfig)
-                : resolveSearchApiKey(search);
-
-      if (!apiKey) {
-        return jsonResult(missingSearchKeyPayload(provider));
-      }
-
-      const supportsStructuredPerplexityFilters =
-        provider === "perplexity" && perplexityRuntime?.transport === "search_api";
-      const params = args as Record<string, unknown>;
-      const query = readStringParam(params, "query", { required: true });
-      const count =
-        readNumberParam(params, "count", { integer: true }) ?? search?.maxResults ?? undefined;
-      const country = readStringParam(params, "country");
-      if (
-        country &&
-        provider !== "brave" &&
-        !(provider === "perplexity" && supportsStructuredPerplexityFilters)
-      ) {
-        return jsonResult({
-          error: "unsupported_country",
-          message:
-            provider === "perplexity"
-              ? "country filtering is only supported by the native Perplexity Search API path. Remove Perplexity baseUrl/model overrides or use a direct PERPLEXITY_API_KEY to enable it."
-              : `country filtering is not supported by the ${provider} provider. Only Brave and Perplexity support country filtering.`,
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      const language = readStringParam(params, "language");
-      if (
-        language &&
-        provider !== "brave" &&
-        !(provider === "perplexity" && supportsStructuredPerplexityFilters)
-      ) {
-        return jsonResult({
-          error: "unsupported_language",
-          message:
-            provider === "perplexity"
-              ? "language filtering is only supported by the native Perplexity Search API path. Remove Perplexity baseUrl/model overrides or use a direct PERPLEXITY_API_KEY to enable it."
-              : `language filtering is not supported by the ${provider} provider. Only Brave and Perplexity support language filtering.`,
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      if (language && provider === "perplexity" && !/^[a-z]{2}$/i.test(language)) {
-        return jsonResult({
-          error: "invalid_language",
-          message: "language must be a 2-letter ISO 639-1 code like 'en', 'de', or 'fr'.",
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      const search_lang = readStringParam(params, "search_lang");
-      const ui_lang = readStringParam(params, "ui_lang");
-      // For Brave, accept both `language` (unified) and `search_lang`
-      const normalizedBraveLanguageParams =
-        provider === "brave"
-          ? normalizeBraveLanguageParams({ search_lang: search_lang || language, ui_lang })
-          : { search_lang: language, ui_lang };
-      if (normalizedBraveLanguageParams.invalidField === "search_lang") {
-        return jsonResult({
-          error: "invalid_search_lang",
-          message:
-            "search_lang must be a Brave-supported language code like 'en', 'en-gb', 'zh-hans', or 'zh-hant'.",
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      if (normalizedBraveLanguageParams.invalidField === "ui_lang") {
-        return jsonResult({
-          error: "invalid_ui_lang",
-          message: "ui_lang must be a language-region locale like 'en-US'.",
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      const resolvedSearchLang = normalizedBraveLanguageParams.search_lang;
-      const resolvedUiLang = normalizedBraveLanguageParams.ui_lang;
-      if (resolvedUiLang && provider === "brave" && braveMode === "llm-context") {
-        return jsonResult({
-          error: "unsupported_ui_lang",
-          message:
-            "ui_lang is not supported by Brave llm-context mode. Remove ui_lang or use Brave web mode for locale-based UI hints.",
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      const rawFreshness = readStringParam(params, "freshness");
-      if (rawFreshness && provider !== "brave" && provider !== "perplexity") {
-        return jsonResult({
-          error: "unsupported_freshness",
-          message: `freshness filtering is not supported by the ${provider} provider. Only Brave and Perplexity support freshness.`,
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      if (rawFreshness && provider === "brave" && braveMode === "llm-context") {
-        return jsonResult({
-          error: "unsupported_freshness",
-          message:
-            "freshness filtering is not supported by Brave llm-context mode. Remove freshness or use Brave web mode.",
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      const freshness = rawFreshness ? normalizeFreshness(rawFreshness, provider) : undefined;
-      if (rawFreshness && !freshness) {
-        return jsonResult({
-          error: "invalid_freshness",
-          message: "freshness must be day, week, month, or year.",
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      const rawDateAfter = readStringParam(params, "date_after");
-      const rawDateBefore = readStringParam(params, "date_before");
-      if (rawFreshness && (rawDateAfter || rawDateBefore)) {
-        return jsonResult({
-          error: "conflicting_time_filters",
-          message:
-            "freshness and date_after/date_before cannot be used together. Use either freshness (day/week/month/year) or a date range (date_after/date_before), not both.",
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      if (
-        (rawDateAfter || rawDateBefore) &&
-        provider !== "brave" &&
-        !(provider === "perplexity" && supportsStructuredPerplexityFilters)
-      ) {
-        return jsonResult({
-          error: "unsupported_date_filter",
-          message:
-            provider === "perplexity"
-              ? "date_after/date_before are only supported by the native Perplexity Search API path. Remove Perplexity baseUrl/model overrides or use a direct PERPLEXITY_API_KEY to enable them."
-              : `date_after/date_before filtering is not supported by the ${provider} provider. Only Brave and Perplexity support date filtering.`,
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      if ((rawDateAfter || rawDateBefore) && provider === "brave" && braveMode === "llm-context") {
-        return jsonResult({
-          error: "unsupported_date_filter",
-          message:
-            "date_after/date_before filtering is not supported by Brave llm-context mode. Use Brave web mode for date filters.",
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      const dateAfter = rawDateAfter ? normalizeToIsoDate(rawDateAfter) : undefined;
-      if (rawDateAfter && !dateAfter) {
-        return jsonResult({
-          error: "invalid_date",
-          message: "date_after must be YYYY-MM-DD format.",
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      const dateBefore = rawDateBefore ? normalizeToIsoDate(rawDateBefore) : undefined;
-      if (rawDateBefore && !dateBefore) {
-        return jsonResult({
-          error: "invalid_date",
-          message: "date_before must be YYYY-MM-DD format.",
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      if (dateAfter && dateBefore && dateAfter > dateBefore) {
-        return jsonResult({
-          error: "invalid_date_range",
-          message: "date_after must be before date_before.",
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-      const domainFilter = readStringArrayParam(params, "domain_filter");
-      if (
-        domainFilter &&
-        domainFilter.length > 0 &&
-        !(provider === "perplexity" && supportsStructuredPerplexityFilters)
-      ) {
-        return jsonResult({
-          error: "unsupported_domain_filter",
-          message:
-            provider === "perplexity"
-              ? "domain_filter is only supported by the native Perplexity Search API path. Remove Perplexity baseUrl/model overrides or use a direct PERPLEXITY_API_KEY to enable it."
-              : `domain_filter is not supported by the ${provider} provider. Only Perplexity supports domain filtering.`,
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-
-      if (domainFilter && domainFilter.length > 0) {
-        const hasDenylist = domainFilter.some((d) => d.startsWith("-"));
-        const hasAllowlist = domainFilter.some((d) => !d.startsWith("-"));
-        if (hasDenylist && hasAllowlist) {
-          return jsonResult({
-            error: "invalid_domain_filter",
-            message:
-              "domain_filter cannot mix allowlist and denylist entries. Use either all positive entries (allowlist) or all entries prefixed with '-' (denylist).",
-            docs: "https://docs.openclaw.ai/tools/web",
-          });
-        }
-        if (domainFilter.length > 20) {
-          return jsonResult({
-            error: "invalid_domain_filter",
-            message: "domain_filter supports a maximum of 20 domains.",
-            docs: "https://docs.openclaw.ai/tools/web",
-          });
-        }
-      }
-
-      const maxTokens = readNumberParam(params, "max_tokens", { integer: true });
-      const maxTokensPerPage = readNumberParam(params, "max_tokens_per_page", { integer: true });
-      if (
-        provider === "perplexity" &&
-        perplexityRuntime?.transport === "chat_completions" &&
-        (maxTokens !== undefined || maxTokensPerPage !== undefined)
-      ) {
-        return jsonResult({
-          error: "unsupported_content_budget",
-          message:
-            "max_tokens and max_tokens_per_page are only supported by the native Perplexity Search API path. Remove Perplexity baseUrl/model overrides or use a direct PERPLEXITY_API_KEY to enable them.",
-          docs: "https://docs.openclaw.ai/tools/web",
-        });
-      }
-
-      const result = await runWebSearch({
-        query,
-        count: resolveSearchCount(count, DEFAULT_SEARCH_COUNT),
-        apiKey,
-        timeoutSeconds: resolveTimeoutSeconds(search?.timeoutSeconds, DEFAULT_TIMEOUT_SECONDS),
-        cacheTtlMs: resolveCacheTtlMs(search?.cacheTtlMinutes, DEFAULT_CACHE_TTL_MINUTES),
-        provider,
-        country,
-        language,
-        search_lang: resolvedSearchLang,
-        ui_lang: resolvedUiLang,
-        freshness,
-        dateAfter,
-        dateBefore,
-        searchDomainFilter: domainFilter,
-        maxTokens: maxTokens ?? undefined,
-        maxTokensPerPage: maxTokensPerPage ?? undefined,
-        perplexityBaseUrl: perplexityRuntime?.baseUrl,
-        perplexityModel: perplexityRuntime?.model,
-        perplexityTransport: perplexityRuntime?.transport,
-        grokModel: resolveGrokModel(grokConfig),
-        grokInlineCitations: resolveGrokInlineCitations(grokConfig),
-        geminiModel: resolveGeminiModel(geminiConfig),
-        kimiBaseUrl: resolveKimiBaseUrl(kimiConfig),
-        kimiModel: resolveKimiModel(kimiConfig),
-        braveMode,
-      });
-      return jsonResult(result);
-    },
+    description: definition.description,
+    parameters: definition.parameters,
+    execute: async (_toolCallId, args) => jsonResult(await definition.execute(args)),
   };
 }
 
 export const __testing = {
+  ...coreTesting,
   resolveSearchProvider,
-  inferPerplexityBaseUrlFromApiKey,
-  resolvePerplexityBaseUrl,
-  resolvePerplexityModel,
-  resolvePerplexityTransport,
-  isDirectPerplexityBaseUrl,
-  resolvePerplexityRequestModel,
-  resolvePerplexityApiKey,
-  normalizeBraveLanguageParams,
-  normalizeFreshness,
-  normalizeToIsoDate,
-  isoToPerplexityDate,
-  SEARCH_CACHE,
-  FRESHNESS_TO_RECENCY,
-  RECENCY_TO_FRESHNESS,
-  resolveGrokApiKey,
-  resolveGrokModel,
-  resolveGrokInlineCitations,
-  extractGrokContent,
-  resolveKimiApiKey,
-  resolveKimiModel,
-  resolveKimiBaseUrl,
-  extractKimiCitations,
-  resolveRedirectUrl: resolveCitationRedirectUrl,
-  resolveBraveMode,
-  mapBraveLlmContextResults,
-} as const;
+};
diff --git a/src/agents/tools/web-tools.fetch.test.ts b/src/agents/tools/web-tools.fetch.test.ts
index e9bfabbee7a..f476cd65274 100644
--- a/src/agents/tools/web-tools.fetch.test.ts
+++ b/src/agents/tools/web-tools.fetch.test.ts
@@ -3,6 +3,7 @@ import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import * as ssrf from "../../infra/net/ssrf.js";
 import { resolveRequestUrl } from "../../plugin-sdk/request-url.js";
 import { withFetchPreconnect } from "../../test-utils/fetch-mock.js";
+import { __testing as webFetchTesting } from "./web-fetch.js";
 import { makeFetchHeaders } from "./web-fetch.test-harness.js";
 import { createWebFetchTool } from "./web-tools.js";
 
@@ -324,6 +325,40 @@ describe("web_fetch extraction fallbacks", () => {
     expect(authHeader).toBe("Bearer firecrawl-test-key");
   });
 
+  it("uses FIRECRAWL_BASE_URL env var when firecrawl.baseUrl is unset", async () => {
+    vi.stubEnv("FIRECRAWL_BASE_URL", "https://fc.example.com");
+
+    expect(webFetchTesting.resolveFirecrawlBaseUrl({})).toBe("https://fc.example.com");
+  });
+
+  it("uses guarded endpoint fetch for firecrawl requests", async () => {
+    vi.stubEnv("HTTP_PROXY", "http://127.0.0.1:7890");
+
+    const fetchSpy = installMockFetch((input: RequestInfo | URL) => {
+      const url = resolveRequestUrl(input);
+      if (url.includes("api.firecrawl.dev/v2/scrape")) {
+        return Promise.resolve(
+          firecrawlResponse("firecrawl guarded transport"),
+        ) as Promise<Response>;
+      }
+      return Promise.resolve(
+        htmlResponse("<!doctype html><html><head></head><body></body></html>", url),
+      ) as Promise<Response>;
+    });
+
+    const tool = createFirecrawlTool();
+    const result = await executeFetch(tool, { url: "https://example.com/guarded-firecrawl" });
+
+    expect(result?.details).toMatchObject({ extractor: "firecrawl" });
+    const firecrawlCall = fetchSpy.mock.calls.find((call) =>
+      resolveRequestUrl(call[0]).includes("/v2/scrape"),
+    );
+    expect(firecrawlCall).toBeTruthy();
+    const requestInit = firecrawlCall?.[1] as (RequestInit & { dispatcher?: unknown }) | undefined;
+    expect(requestInit?.dispatcher).toBeDefined();
+    expect(requestInit?.dispatcher).toBeInstanceOf(EnvHttpProxyAgent);
+  });
+
   it("throws when readability is disabled and firecrawl is unavailable", async () => {
     installMockFetch(
       (input: RequestInfo | URL) =>
@@ -356,7 +391,29 @@ describe("web_fetch extraction fallbacks", () => {
     const tool = createFirecrawlTool();
     await expect(
       executeFetch(tool, { url: "https://example.com/readability-empty" }),
-    ).rejects.toThrow("Readability and Firecrawl returned no content");
+    ).rejects.toThrow("Readability, Firecrawl, and basic HTML cleanup returned no content");
+  });
+
+  it("falls back to basic HTML cleanup after readability and before giving up", async () => {
+    installMockFetch(
+      (input: RequestInfo | URL) =>
+        Promise.resolve(
+          htmlResponse(
+            "<!doctype html><html><head><title>Shell App</title></head><body><div id='app'></div></body></html>",
+            resolveRequestUrl(input),
+          ),
+        ) as Promise<Response>,
+    );
+
+    const tool = createFetchTool({
+      firecrawl: { enabled: false },
+    });
+    const result = await executeFetch(tool, { url: "https://example.com/shell" });
+    const details = result?.details as { extractor?: string; text?: string; title?: string };
+
+    expect(details.extractor).toBe("raw-html");
+    expect(details.text).toContain("Shell App");
+    expect(details.title).toContain("Shell App");
   });
 
   it("uses firecrawl when direct fetch fails", async () => {
diff --git a/src/agents/tools/whatsapp-actions.ts b/src/agents/tools/whatsapp-actions.ts
index 92332d1b3c5..30f36331d18 100644
--- a/src/agents/tools/whatsapp-actions.ts
+++ b/src/agents/tools/whatsapp-actions.ts
@@ -1,6 +1,6 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
-import { sendReactionWhatsApp } from "../../../extensions/whatsapp/src/send.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { sendReactionWhatsApp } from "../../plugin-sdk-internal/whatsapp.js";
 import { createActionGate, jsonResult, readReactionParams, readStringParam } from "./common.js";
 import { resolveAuthorizedWhatsAppOutboundTarget } from "./whatsapp-target-auth.js";
 
diff --git a/src/agents/tools/whatsapp-target-auth.ts b/src/agents/tools/whatsapp-target-auth.ts
index 569a930d1a5..76e7e15d084 100644
--- a/src/agents/tools/whatsapp-target-auth.ts
+++ b/src/agents/tools/whatsapp-target-auth.ts
@@ -1,5 +1,5 @@
-import { resolveWhatsAppAccount } from "../../../extensions/whatsapp/src/accounts.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { resolveWhatsAppAccount } from "../../plugin-sdk-internal/whatsapp.js";
 import { resolveWhatsAppOutboundTarget } from "../../whatsapp/resolve-outbound-target.js";
 import { ToolAuthorizationError } from "./common.js";
 
diff --git a/src/agents/workspace.test.ts b/src/agents/workspace.test.ts
index 14302629a1c..4493ef716a1 100644
--- a/src/agents/workspace.test.ts
+++ b/src/agents/workspace.test.ts
@@ -31,22 +31,22 @@ describe("resolveDefaultAgentWorkspaceDir", () => {
 
 const WORKSPACE_STATE_PATH_SEGMENTS = [".openclaw", "workspace-state.json"] as const;
 
-async function readOnboardingState(dir: string): Promise<{
+async function readWorkspaceState(dir: string): Promise<{
   version: number;
   bootstrapSeededAt?: string;
-  onboardingCompletedAt?: string;
+  setupCompletedAt?: string;
 }> {
   const raw = await fs.readFile(path.join(dir, ...WORKSPACE_STATE_PATH_SEGMENTS), "utf-8");
   return JSON.parse(raw) as {
     version: number;
     bootstrapSeededAt?: string;
-    onboardingCompletedAt?: string;
+    setupCompletedAt?: string;
   };
 }
 
 async function expectBootstrapSeeded(dir: string) {
   await expect(fs.access(path.join(dir, DEFAULT_BOOTSTRAP_FILENAME))).resolves.toBeUndefined();
-  const state = await readOnboardingState(dir);
+  const state = await readWorkspaceState(dir);
   expect(state.bootstrapSeededAt).toMatch(/\d{4}-\d{2}-\d{2}T/);
 }
 
@@ -55,8 +55,8 @@ async function expectCompletedWithoutBootstrap(dir: string) {
   await expect(fs.access(path.join(dir, DEFAULT_BOOTSTRAP_FILENAME))).rejects.toMatchObject({
     code: "ENOENT",
   });
-  const state = await readOnboardingState(dir);
-  expect(state.onboardingCompletedAt).toMatch(/\d{4}-\d{2}-\d{2}T/);
+  const state = await readWorkspaceState(dir);
+  expect(state.setupCompletedAt).toMatch(/\d{4}-\d{2}-\d{2}T/);
 }
 
 function expectSubagentAllowedBootstrapNames(files: WorkspaceBootstrapFile[]) {
@@ -78,7 +78,7 @@ describe("ensureAgentWorkspace", () => {
     await ensureAgentWorkspace({ dir: tempDir, ensureBootstrapFiles: true });
 
     await expectBootstrapSeeded(tempDir);
-    expect((await readOnboardingState(tempDir)).onboardingCompletedAt).toBeUndefined();
+    expect((await readWorkspaceState(tempDir)).setupCompletedAt).toBeUndefined();
   });
 
   it("recovers partial initialization by creating BOOTSTRAP.md when marker is missing", async () => {
@@ -104,8 +104,8 @@ describe("ensureAgentWorkspace", () => {
       code: "ENOENT",
     });
     await expect(fs.access(path.join(tempDir, DEFAULT_TOOLS_FILENAME))).resolves.toBeUndefined();
-    const state = await readOnboardingState(tempDir);
-    expect(state.onboardingCompletedAt).toMatch(/\d{4}-\d{2}-\d{2}T/);
+    const state = await readWorkspaceState(tempDir);
+    expect(state.setupCompletedAt).toMatch(/\d{4}-\d{2}-\d{2}T/);
   });
 
   it("does not re-seed BOOTSTRAP.md for legacy completed workspaces without state marker", async () => {
@@ -118,9 +118,9 @@ describe("ensureAgentWorkspace", () => {
     await expect(fs.access(path.join(tempDir, DEFAULT_BOOTSTRAP_FILENAME))).rejects.toMatchObject({
       code: "ENOENT",
     });
-    const state = await readOnboardingState(tempDir);
+    const state = await readWorkspaceState(tempDir);
     expect(state.bootstrapSeededAt).toBeUndefined();
-    expect(state.onboardingCompletedAt).toMatch(/\d{4}-\d{2}-\d{2}T/);
+    expect(state.setupCompletedAt).toMatch(/\d{4}-\d{2}-\d{2}T/);
   });
 
   it("treats memory-backed workspaces as existing even when template files are missing", async () => {
@@ -135,8 +135,8 @@ describe("ensureAgentWorkspace", () => {
     await expect(fs.access(path.join(tempDir, DEFAULT_BOOTSTRAP_FILENAME))).rejects.toMatchObject({
       code: "ENOENT",
     });
-    const state = await readOnboardingState(tempDir);
-    expect(state.onboardingCompletedAt).toMatch(/\d{4}-\d{2}-\d{2}T/);
+    const state = await readWorkspaceState(tempDir);
+    expect(state.setupCompletedAt).toMatch(/\d{4}-\d{2}-\d{2}T/);
     const memoryContent = await fs.readFile(path.join(tempDir, "MEMORY.md"), "utf-8");
     expect(memoryContent).toBe("# Long-term memory\nImportant stuff");
   });
@@ -150,6 +150,28 @@ describe("ensureAgentWorkspace", () => {
 
     await expectCompletedWithoutBootstrap(tempDir);
   });
+
+  it("migrates legacy onboardingCompletedAt markers to setupCompletedAt", async () => {
+    const tempDir = await makeTempWorkspace("openclaw-workspace-");
+    await fs.mkdir(path.join(tempDir, ".openclaw"), { recursive: true });
+    await fs.writeFile(
+      path.join(tempDir, ...WORKSPACE_STATE_PATH_SEGMENTS),
+      JSON.stringify({
+        version: 1,
+        onboardingCompletedAt: "2026-03-15T02:30:00.000Z",
+      }),
+    );
+
+    await ensureAgentWorkspace({ dir: tempDir, ensureBootstrapFiles: true });
+
+    const state = await readWorkspaceState(tempDir);
+    expect(state.setupCompletedAt).toBe("2026-03-15T02:30:00.000Z");
+    const persisted = await fs.readFile(
+      path.join(tempDir, ...WORKSPACE_STATE_PATH_SEGMENTS),
+      "utf-8",
+    );
+    expect(persisted).toContain('"setupCompletedAt": "2026-03-15T02:30:00.000Z"');
+  });
 });
 
 describe("loadWorkspaceBootstrapFiles", () => {
diff --git a/src/agents/workspace.ts b/src/agents/workspace.ts
index c4f1044a8d9..09159b4b072 100644
--- a/src/agents/workspace.ts
+++ b/src/agents/workspace.ts
@@ -159,10 +159,10 @@ export type ExtraBootstrapLoadDiagnostic = {
   detail: string;
 };
 
-type WorkspaceOnboardingState = {
+type WorkspaceSetupState = {
   version: typeof WORKSPACE_STATE_VERSION;
   bootstrapSeededAt?: string;
-  onboardingCompletedAt?: string;
+  setupCompletedAt?: string;
 };
 
 /** Set of recognized bootstrap filenames for runtime validation */
@@ -207,35 +207,43 @@ function resolveWorkspaceStatePath(dir: string): string {
   return path.join(dir, WORKSPACE_STATE_DIRNAME, WORKSPACE_STATE_FILENAME);
 }
 
-function parseWorkspaceOnboardingState(raw: string): WorkspaceOnboardingState | null {
+function parseWorkspaceSetupState(raw: string): WorkspaceSetupState | null {
   try {
     const parsed = JSON.parse(raw) as {
       bootstrapSeededAt?: unknown;
+      setupCompletedAt?: unknown;
       onboardingCompletedAt?: unknown;
     };
     if (!parsed || typeof parsed !== "object") {
       return null;
     }
+    const legacyCompletedAt =
+      typeof parsed.onboardingCompletedAt === "string" ? parsed.onboardingCompletedAt : undefined;
     return {
       version: WORKSPACE_STATE_VERSION,
       bootstrapSeededAt:
         typeof parsed.bootstrapSeededAt === "string" ? parsed.bootstrapSeededAt : undefined,
-      onboardingCompletedAt:
-        typeof parsed.onboardingCompletedAt === "string" ? parsed.onboardingCompletedAt : undefined,
+      setupCompletedAt:
+        typeof parsed.setupCompletedAt === "string" ? parsed.setupCompletedAt : legacyCompletedAt,
     };
   } catch {
     return null;
   }
 }
 
-async function readWorkspaceOnboardingState(statePath: string): Promise<WorkspaceOnboardingState> {
+async function readWorkspaceSetupState(statePath: string): Promise<WorkspaceSetupState> {
   try {
     const raw = await fs.readFile(statePath, "utf-8");
-    return (
-      parseWorkspaceOnboardingState(raw) ?? {
-        version: WORKSPACE_STATE_VERSION,
-      }
-    );
+    const parsed = parseWorkspaceSetupState(raw);
+    if (
+      parsed &&
+      raw.includes('"onboardingCompletedAt"') &&
+      !raw.includes('"setupCompletedAt"') &&
+      parsed.setupCompletedAt
+    ) {
+      await writeWorkspaceSetupState(statePath, parsed);
+    }
+    return parsed ?? { version: WORKSPACE_STATE_VERSION };
   } catch (err) {
     const anyErr = err as { code?: string };
     if (anyErr.code !== "ENOENT") {
@@ -247,21 +255,19 @@ async function readWorkspaceOnboardingState(statePath: string): Promise<Workspac
   }
 }
 
-async function readWorkspaceOnboardingStateForDir(dir: string): Promise<WorkspaceOnboardingState> {
+async function readWorkspaceSetupStateForDir(dir: string): Promise<WorkspaceSetupState> {
   const statePath = resolveWorkspaceStatePath(resolveUserPath(dir));
-  return await readWorkspaceOnboardingState(statePath);
+  return await readWorkspaceSetupState(statePath);
 }
 
-export async function isWorkspaceOnboardingCompleted(dir: string): Promise<boolean> {
-  const state = await readWorkspaceOnboardingStateForDir(dir);
-  return (
-    typeof state.onboardingCompletedAt === "string" && state.onboardingCompletedAt.trim().length > 0
-  );
+export async function isWorkspaceSetupCompleted(dir: string): Promise<boolean> {
+  const state = await readWorkspaceSetupStateForDir(dir);
+  return typeof state.setupCompletedAt === "string" && state.setupCompletedAt.trim().length > 0;
 }
 
-async function writeWorkspaceOnboardingState(
+async function writeWorkspaceSetupState(
   statePath: string,
-  state: WorkspaceOnboardingState,
+  state: WorkspaceSetupState,
 ): Promise<void> {
   await fs.mkdir(path.dirname(statePath), { recursive: true });
   const payload = `${JSON.stringify(state, null, 2)}\n`;
@@ -382,9 +388,9 @@ export async function ensureAgentWorkspace(params?: {
   await writeFileIfMissing(userPath, userTemplate);
   await writeFileIfMissing(heartbeatPath, heartbeatTemplate);
 
-  let state = await readWorkspaceOnboardingState(statePath);
+  let state = await readWorkspaceSetupState(statePath);
   let stateDirty = false;
-  const markState = (next: Partial<WorkspaceOnboardingState>) => {
+  const markState = (next: Partial<WorkspaceSetupState>) => {
     state = { ...state, ...next };
     stateDirty = true;
   };
@@ -395,14 +401,14 @@ export async function ensureAgentWorkspace(params?: {
     markState({ bootstrapSeededAt: nowIso() });
   }
 
-  if (!state.onboardingCompletedAt && state.bootstrapSeededAt && !bootstrapExists) {
-    markState({ onboardingCompletedAt: nowIso() });
+  if (!state.setupCompletedAt && state.bootstrapSeededAt && !bootstrapExists) {
+    markState({ setupCompletedAt: nowIso() });
   }
 
-  if (!state.bootstrapSeededAt && !state.onboardingCompletedAt && !bootstrapExists) {
+  if (!state.bootstrapSeededAt && !state.setupCompletedAt && !bootstrapExists) {
     // Legacy migration path: if USER/IDENTITY diverged from templates, or if user-content
-    // indicators exist, treat onboarding as complete and avoid recreating BOOTSTRAP for
-    // already-onboarded workspaces.
+    // indicators exist, treat setup as complete and avoid recreating BOOTSTRAP for
+    // already-configured workspaces.
     const [identityContent, userContent] = await Promise.all([
       fs.readFile(identityPath, "utf-8"),
       fs.readFile(userPath, "utf-8"),
@@ -423,10 +429,10 @@ export async function ensureAgentWorkspace(params?: {
       }
       return false;
     })();
-    const legacyOnboardingCompleted =
+    const legacySetupCompleted =
       identityContent !== identityTemplate || userContent !== userTemplate || hasUserContent;
-    if (legacyOnboardingCompleted) {
-      markState({ onboardingCompletedAt: nowIso() });
+    if (legacySetupCompleted) {
+      markState({ setupCompletedAt: nowIso() });
     } else {
       const bootstrapTemplate = await loadTemplate(DEFAULT_BOOTSTRAP_FILENAME);
       const wroteBootstrap = await writeFileIfMissing(bootstrapPath, bootstrapTemplate);
@@ -442,7 +448,7 @@ export async function ensureAgentWorkspace(params?: {
   }
 
   if (stateDirty) {
-    await writeWorkspaceOnboardingState(statePath, state);
+    await writeWorkspaceSetupState(statePath, state);
   }
   await ensureGitRepo(dir, isBrandNewWorkspace);
 
diff --git a/src/auto-reply/command-auth.ts b/src/auto-reply/command-auth.ts
index ead6e6e0312..956c132d773 100644
--- a/src/auto-reply/command-auth.ts
+++ b/src/auto-reply/command-auth.ts
@@ -1,6 +1,5 @@
-import type { ChannelDock } from "../channels/dock.js";
-import { getChannelDock, listChannelDocks } from "../channels/dock.js";
-import type { ChannelId } from "../channels/plugins/types.js";
+import { getChannelPlugin, listChannelPlugins } from "../channels/plugins/index.js";
+import type { ChannelId, ChannelPlugin } from "../channels/plugins/types.js";
 import { normalizeAnyChannelId } from "../channels/registry.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { normalizeStringEntries } from "../shared/string-normalization.js";
@@ -52,19 +51,19 @@ function resolveProviderFromContext(ctx: MsgContext, cfg: OpenClawConfig): Chann
       return normalized;
     }
   }
-  const configured = listChannelDocks()
-    .map((dock) => {
-      if (!dock.config?.resolveAllowFrom) {
+  const configured = listChannelPlugins()
+    .map((plugin) => {
+      if (!plugin.config?.resolveAllowFrom) {
         return null;
       }
-      const allowFrom = dock.config.resolveAllowFrom({
+      const allowFrom = plugin.config.resolveAllowFrom({
         cfg,
         accountId: ctx.AccountId,
       });
       if (!Array.isArray(allowFrom) || allowFrom.length === 0) {
         return null;
       }
-      return dock.id;
+      return plugin.id;
     })
     .filter((value): value is ChannelId => Boolean(value));
   if (configured.length === 1) {
@@ -74,29 +73,29 @@ function resolveProviderFromContext(ctx: MsgContext, cfg: OpenClawConfig): Chann
 }
 
 function formatAllowFromList(params: {
-  dock?: ChannelDock;
+  plugin?: ChannelPlugin;
   cfg: OpenClawConfig;
   accountId?: string | null;
   allowFrom: Array<string | number>;
 }): string[] {
-  const { dock, cfg, accountId, allowFrom } = params;
+  const { plugin, cfg, accountId, allowFrom } = params;
   if (!allowFrom || allowFrom.length === 0) {
     return [];
   }
-  if (dock?.config?.formatAllowFrom) {
-    return dock.config.formatAllowFrom({ cfg, accountId, allowFrom });
+  if (plugin?.config?.formatAllowFrom) {
+    return plugin.config.formatAllowFrom({ cfg, accountId, allowFrom });
   }
   return normalizeStringEntries(allowFrom);
 }
 
 function normalizeAllowFromEntry(params: {
-  dock?: ChannelDock;
+  plugin?: ChannelPlugin;
   cfg: OpenClawConfig;
   accountId?: string | null;
   value: string;
 }): string[] {
   const normalized = formatAllowFromList({
-    dock: params.dock,
+    plugin: params.plugin,
     cfg: params.cfg,
     accountId: params.accountId,
     allowFrom: [params.value],
@@ -105,7 +104,7 @@ function normalizeAllowFromEntry(params: {
 }
 
 function resolveOwnerAllowFromList(params: {
-  dock?: ChannelDock;
+  plugin?: ChannelPlugin;
   cfg: OpenClawConfig;
   accountId?: string | null;
   providerId?: ChannelId;
@@ -139,7 +138,7 @@ function resolveOwnerAllowFromList(params: {
     filtered.push(trimmed);
   }
   return formatAllowFromList({
-    dock: params.dock,
+    plugin: params.plugin,
     cfg: params.cfg,
     accountId: params.accountId,
     allowFrom: filtered,
@@ -152,12 +151,12 @@ function resolveOwnerAllowFromList(params: {
  * Returns null if commands.allowFrom is not configured at all (fall back to channel allowFrom).
  */
 function resolveCommandsAllowFromList(params: {
-  dock?: ChannelDock;
+  plugin?: ChannelPlugin;
   cfg: OpenClawConfig;
   accountId?: string | null;
   providerId?: ChannelId;
 }): string[] | null {
-  const { dock, cfg, accountId, providerId } = params;
+  const { plugin, cfg, accountId, providerId } = params;
   const commandsAllowFrom = cfg.commands?.allowFrom;
   if (!commandsAllowFrom || typeof commandsAllowFrom !== "object") {
     return null; // Not configured, fall back to channel allowFrom
@@ -174,7 +173,7 @@ function resolveCommandsAllowFromList(params: {
   }
 
   return formatAllowFromList({
-    dock,
+    plugin,
     cfg,
     accountId,
     allowFrom: rawList,
@@ -211,7 +210,7 @@ function shouldUseFromAsSenderFallback(params: {
 }
 
 function resolveSenderCandidates(params: {
-  dock?: ChannelDock;
+  plugin?: ChannelPlugin;
   providerId?: ChannelId;
   cfg: OpenClawConfig;
   accountId?: string | null;
@@ -220,7 +219,7 @@ function resolveSenderCandidates(params: {
   from?: string | null;
   chatType?: string | null;
 }): string[] {
-  const { dock, cfg, accountId } = params;
+  const { plugin, cfg, accountId } = params;
   const candidates: string[] = [];
   const pushCandidate = (value?: string | null) => {
     const trimmed = (value ?? "").trim();
@@ -245,7 +244,7 @@ function resolveSenderCandidates(params: {
 
   const normalized: string[] = [];
   for (const sender of candidates) {
-    const entries = normalizeAllowFromEntry({ dock, cfg, accountId, value: sender });
+    const entries = normalizeAllowFromEntry({ plugin, cfg, accountId, value: sender });
     for (const entry of entries) {
       if (!normalized.includes(entry)) {
         normalized.push(entry);
@@ -262,36 +261,36 @@ export function resolveCommandAuthorization(params: {
 }): CommandAuthorization {
   const { ctx, cfg, commandAuthorized } = params;
   const providerId = resolveProviderFromContext(ctx, cfg);
-  const dock = providerId ? getChannelDock(providerId) : undefined;
+  const plugin = providerId ? getChannelPlugin(providerId) : undefined;
   const from = (ctx.From ?? "").trim();
   const to = (ctx.To ?? "").trim();
 
   // Check if commands.allowFrom is configured (separate command authorization)
   const commandsAllowFromList = resolveCommandsAllowFromList({
-    dock,
+    plugin,
     cfg,
     accountId: ctx.AccountId,
     providerId,
   });
 
-  const allowFromRaw = dock?.config?.resolveAllowFrom
-    ? dock.config.resolveAllowFrom({ cfg, accountId: ctx.AccountId })
+  const allowFromRaw = plugin?.config?.resolveAllowFrom
+    ? plugin.config.resolveAllowFrom({ cfg, accountId: ctx.AccountId })
     : [];
   const allowFromList = formatAllowFromList({
-    dock,
+    plugin,
     cfg,
     accountId: ctx.AccountId,
     allowFrom: Array.isArray(allowFromRaw) ? allowFromRaw : [],
   });
   const configOwnerAllowFromList = resolveOwnerAllowFromList({
-    dock,
+    plugin,
     cfg,
     accountId: ctx.AccountId,
     providerId,
     allowFrom: cfg.commands?.ownerAllowFrom,
   });
   const contextOwnerAllowFromList = resolveOwnerAllowFromList({
-    dock,
+    plugin,
     cfg,
     accountId: ctx.AccountId,
     providerId,
@@ -303,7 +302,7 @@ export function resolveCommandAuthorization(params: {
   const ownerCandidatesForCommands = allowAll ? [] : allowFromList.filter((entry) => entry !== "*");
   if (!allowAll && ownerCandidatesForCommands.length === 0 && to) {
     const normalizedTo = normalizeAllowFromEntry({
-      dock,
+      plugin,
       cfg,
       accountId: ctx.AccountId,
       value: to,
@@ -328,7 +327,7 @@ export function resolveCommandAuthorization(params: {
   );
 
   const senderCandidates = resolveSenderCandidates({
-    dock,
+    plugin,
     providerId,
     cfg,
     accountId: ctx.AccountId,
@@ -345,7 +344,7 @@ export function resolveCommandAuthorization(params: {
     : undefined;
   const senderId = matchedSender ?? senderCandidates[0];
 
-  const enforceOwner = Boolean(dock?.commands?.enforceOwnerForCommands);
+  const enforceOwner = Boolean(plugin?.commands?.enforceOwnerForCommands);
   const senderIsOwnerByIdentity = Boolean(matchedSender);
   const senderIsOwnerByScope =
     isInternalMessageChannel(ctx.Provider) &&
diff --git a/src/auto-reply/commands-registry.data.ts b/src/auto-reply/commands-registry.data.ts
index 80f8d4bd73f..58064473543 100644
--- a/src/auto-reply/commands-registry.data.ts
+++ b/src/auto-reply/commands-registry.data.ts
@@ -1,4 +1,4 @@
-import { listChannelDocks } from "../channels/dock.js";
+import { listChannelPlugins } from "../channels/plugins/index.js";
 import { getActivePluginRegistry } from "../plugins/runtime.js";
 import { COMMAND_ARG_FORMATTERS } from "./commands-args.js";
 import type {
@@ -46,14 +46,14 @@ function defineChatCommand(command: DefineChatCommandInput): ChatCommandDefiniti
   };
 }
 
-type ChannelDock = ReturnType<typeof listChannelDocks>[number];
+type ChannelPlugin = ReturnType<typeof listChannelPlugins>[number];
 
-function defineDockCommand(dock: ChannelDock): ChatCommandDefinition {
+function defineDockCommand(plugin: ChannelPlugin): ChatCommandDefinition {
   return defineChatCommand({
-    key: `dock:${dock.id}`,
-    nativeName: `dock_${dock.id}`,
-    description: `Switch to ${dock.id} for replies.`,
-    textAliases: [`/dock-${dock.id}`, `/dock_${dock.id}`],
+    key: `dock:${plugin.id}`,
+    nativeName: `dock_${plugin.id}`,
+    description: `Switch to ${plugin.id} for replies.`,
+    textAliases: [`/dock-${plugin.id}`, `/dock_${plugin.id}`],
     category: "docks",
   });
 }
@@ -758,9 +758,9 @@ function buildChatCommands(): ChatCommandDefinition[] {
         },
       ],
     }),
-    ...listChannelDocks()
-      .filter((dock) => dock.capabilities.nativeCommands)
-      .map((dock) => defineDockCommand(dock)),
+    ...listChannelPlugins()
+      .filter((plugin) => plugin.capabilities.nativeCommands)
+      .map((plugin) => defineDockCommand(plugin)),
   ];
 
   registerAlias(commands, "whoami", "/id");
@@ -792,9 +792,9 @@ export function getNativeCommandSurfaces(): Set<string> {
     return cachedNativeCommandSurfaces;
   }
   cachedNativeCommandSurfaces = new Set(
-    listChannelDocks()
-      .filter((dock) => dock.capabilities.nativeCommands)
-      .map((dock) => dock.id),
+    listChannelPlugins()
+      .filter((plugin) => plugin.capabilities.nativeCommands)
+      .map((plugin) => plugin.id),
   );
   cachedNativeRegistry = registry;
   return cachedNativeCommandSurfaces;
diff --git a/src/auto-reply/reply/agent-runner-utils.ts b/src/auto-reply/reply/agent-runner-utils.ts
index c6e71a9bab0..abf6322a287 100644
--- a/src/auto-reply/reply/agent-runner-utils.ts
+++ b/src/auto-reply/reply/agent-runner-utils.ts
@@ -1,6 +1,6 @@
 import { resolveRunModelFallbacksOverride } from "../../agents/agent-scope.js";
 import type { NormalizedUsage } from "../../agents/usage.js";
-import { getChannelDock } from "../../channels/dock.js";
+import { getChannelPlugin } from "../../channels/plugins/index.js";
 import type { ChannelId, ChannelThreadingToolContext } from "../../channels/plugins/types.js";
 import { normalizeAnyChannelId, normalizeChannelId } from "../../channels/registry.js";
 import type { OpenClawConfig } from "../../config/config.js";
@@ -44,8 +44,8 @@ export function buildThreadingToolContext(params: {
   }
   const provider = normalizeChannelId(rawProvider) ?? normalizeAnyChannelId(rawProvider);
   // Fallback for unrecognized/plugin channels (e.g., BlueBubbles before plugin registry init)
-  const dock = provider ? getChannelDock(provider) : undefined;
-  if (!dock?.threading?.buildToolContext) {
+  const threading = provider ? getChannelPlugin(provider)?.threading : undefined;
+  if (!threading?.buildToolContext) {
     return {
       currentChannelId: originTo?.trim() || undefined,
       currentChannelProvider: provider ?? (rawProvider as ChannelId),
@@ -54,7 +54,7 @@ export function buildThreadingToolContext(params: {
     };
   }
   const context =
-    dock.threading.buildToolContext({
+    threading.buildToolContext({
       cfg: config,
       accountId: sessionCtx.AccountId,
       context: {
@@ -72,7 +72,7 @@ export function buildThreadingToolContext(params: {
     }) ?? {};
   return {
     ...context,
-    currentChannelProvider: provider!, // guaranteed non-null since dock exists
+    currentChannelProvider: provider!, // guaranteed non-null since threading exists
     currentMessageId: context.currentMessageId ?? currentMessageId,
   };
 }
diff --git a/src/auto-reply/reply/block-streaming.ts b/src/auto-reply/reply/block-streaming.ts
index b24ee8cac1a..9149f7c8562 100644
--- a/src/auto-reply/reply/block-streaming.ts
+++ b/src/auto-reply/reply/block-streaming.ts
@@ -1,5 +1,4 @@
-import { getChannelDock } from "../../channels/dock.js";
-import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { BlockStreamingCoalesceConfig } from "../../config/types.js";
 import { resolveAccountEntry } from "../../routing/account-lookup.js";
@@ -34,7 +33,7 @@ function resolveProviderChunkContext(
   const providerKey = normalizeChunkProvider(provider);
   const providerId = providerKey ? normalizeChannelId(providerKey) : null;
   const providerChunkLimit = providerId
-    ? getChannelDock(providerId)?.outbound?.textChunkLimit
+    ? getChannelPlugin(providerId)?.outbound?.textChunkLimit
     : undefined;
   const textLimit = resolveTextChunkLimit(cfg, providerKey, accountId, {
     fallbackLimit: providerChunkLimit,
@@ -209,7 +208,7 @@ export function resolveBlockStreamingCoalescing(
   // when chunkMode="newline", matching the delivery-time splitting behavior.
   const chunkMode = opts?.chunkMode ?? resolveChunkMode(cfg, providerKey, accountId);
   const providerDefaults = providerId
-    ? getChannelDock(providerId)?.streaming?.blockStreamingCoalesceDefaults
+    ? getChannelPlugin(providerId)?.streaming?.blockStreamingCoalesceDefaults
     : undefined;
   const providerCfg = resolveProviderBlockStreamingCoalesce({
     cfg,
diff --git a/src/auto-reply/reply/commands-acp.test.ts b/src/auto-reply/reply/commands-acp.test.ts
index e41fbd80ec2..5d732e4b4e6 100644
--- a/src/auto-reply/reply/commands-acp.test.ts
+++ b/src/auto-reply/reply/commands-acp.test.ts
@@ -1,5 +1,6 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import { AcpRuntimeError } from "../../acp/runtime/errors.js";
+import { setDefaultChannelPluginRegistryForTests } from "../../commands/channel-test-helpers.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionBindingRecord } from "../../infra/outbound/session-binding-service.js";
 import { INTERNAL_MESSAGE_CHANNEL } from "../../utils/message-channel.js";
@@ -395,6 +396,7 @@ async function runInternalAcpCommand(params: {
 
 describe("/acp command", () => {
   beforeEach(() => {
+    setDefaultChannelPluginRegistryForTests();
     acpManagerTesting.resetAcpSessionManagerForTests();
     hoisted.listAcpSessionEntriesMock.mockReset().mockResolvedValue([]);
     hoisted.callGatewayMock.mockReset().mockResolvedValue({ ok: true });
diff --git a/src/auto-reply/reply/commands-acp/context.ts b/src/auto-reply/reply/commands-acp/context.ts
index fd5eb50ee09..59db08384af 100644
--- a/src/auto-reply/reply/commands-acp/context.ts
+++ b/src/auto-reply/reply/commands-acp/context.ts
@@ -1,4 +1,3 @@
-import { buildFeishuConversationId } from "../../../../extensions/feishu/src/conversation-id.js";
 import {
   buildTelegramTopicConversationId,
   normalizeConversationText,
@@ -7,6 +6,7 @@ import {
 import { DISCORD_THREAD_BINDING_CHANNEL } from "../../../channels/thread-bindings-policy.js";
 import { resolveConversationIdFromTargets } from "../../../infra/outbound/conversation-id.js";
 import { getSessionBindingService } from "../../../infra/outbound/session-binding-service.js";
+import { buildFeishuConversationId } from "../../../plugin-sdk/feishu.js";
 import { parseAgentSessionKey } from "../../../routing/session-key.js";
 import type { HandleCommandsParams } from "../commands-types.js";
 import { parseDiscordParentChannelFromSessionKey } from "../discord-parent-channel.js";
diff --git a/src/auto-reply/reply/commands-allowlist.ts b/src/auto-reply/reply/commands-allowlist.ts
index 83d263b828c..7360fa20252 100644
--- a/src/auto-reply/reply/commands-allowlist.ts
+++ b/src/auto-reply/reply/commands-allowlist.ts
@@ -1,14 +1,4 @@
-import { resolveDiscordAccount } from "../../../extensions/discord/src/accounts.js";
-import { resolveDiscordUserAllowlist } from "../../../extensions/discord/src/resolve-users.js";
-import { resolveIMessageAccount } from "../../../extensions/imessage/src/accounts.js";
-import { resolveSignalAccount } from "../../../extensions/signal/src/accounts.js";
-import { resolveSlackAccount } from "../../../extensions/slack/src/accounts.js";
-import { resolveSlackUserAllowlist } from "../../../extensions/slack/src/resolve-users.js";
-import { resolveTelegramAccount } from "../../../extensions/telegram/src/accounts.js";
-import { resolveWhatsAppAccount } from "../../../extensions/whatsapp/src/accounts.js";
-import { getChannelDock } from "../../channels/dock.js";
-import { resolveExplicitConfigWriteTarget } from "../../channels/plugins/config-writes.js";
-import { listPairingChannels } from "../../channels/plugins/pairing.js";
+import { getChannelPlugin } from "../../channels/plugins/index.js";
 import type { ChannelId } from "../../channels/plugins/types.js";
 import { normalizeChannelId } from "../../channels/registry.js";
 import type { OpenClawConfig } from "../../config/config.js";
@@ -17,7 +7,6 @@ import {
   validateConfigObjectWithPlugins,
   writeConfigFile,
 } from "../../config/config.js";
-import { isBlockedObjectKey } from "../../infra/prototype-keys.js";
 import {
   addChannelAllowFromStoreEntry,
   readChannelAllowFromStore,
@@ -159,9 +148,9 @@ function normalizeAllowFrom(params: {
   accountId?: string | null;
   values: Array<string | number>;
 }): string[] {
-  const dock = getChannelDock(params.channelId);
-  if (dock?.config?.formatAllowFrom) {
-    return dock.config.formatAllowFrom({
+  const plugin = getChannelPlugin(params.channelId);
+  if (plugin?.config.formatAllowFrom) {
+    return plugin.config.formatAllowFrom({
       cfg: params.cfg,
       accountId: params.accountId,
       allowFrom: params.values,
@@ -182,22 +171,6 @@ function formatEntryList(entries: string[], resolved?: Map<string, string>): str
     .join(", ");
 }
 
-function extractConfigAllowlist(account: {
-  config?: {
-    allowFrom?: Array<string | number>;
-    groupAllowFrom?: Array<string | number>;
-    dmPolicy?: string;
-    groupPolicy?: string;
-  };
-}) {
-  return {
-    dmAllowFrom: (account.config?.allowFrom ?? []).map(String),
-    groupAllowFrom: (account.config?.groupAllowFrom ?? []).map(String),
-    dmPolicy: account.config?.dmPolicy,
-    groupPolicy: account.config?.groupPolicy,
-  };
-}
-
 async function updatePairingStoreAllowlist(params: {
   action: "add" | "remove";
   channelId: ChannelId;
@@ -223,135 +196,6 @@ async function updatePairingStoreAllowlist(params: {
   }
 }
 
-function resolveAccountTarget(
-  parsed: Record<string, unknown>,
-  channelId: ChannelId,
-  accountId?: string | null,
-) {
-  const channels = (parsed.channels ??= {}) as Record<string, unknown>;
-  const channel = (channels[channelId] ??= {}) as Record<string, unknown>;
-  const normalizedAccountId = normalizeAccountId(accountId);
-  if (isBlockedObjectKey(normalizedAccountId)) {
-    return {
-      target: channel,
-      pathPrefix: `channels.${channelId}`,
-      accountId: DEFAULT_ACCOUNT_ID,
-      writeTarget: resolveExplicitConfigWriteTarget({ channelId }),
-    };
-  }
-  const hasAccounts = Boolean(channel.accounts && typeof channel.accounts === "object");
-  const useAccount = normalizedAccountId !== DEFAULT_ACCOUNT_ID || hasAccounts;
-  if (!useAccount) {
-    return {
-      target: channel,
-      pathPrefix: `channels.${channelId}`,
-      accountId: normalizedAccountId,
-      writeTarget: resolveExplicitConfigWriteTarget({ channelId }),
-    };
-  }
-  const accounts = (channel.accounts ??= {}) as Record<string, unknown>;
-  const existingAccount = Object.hasOwn(accounts, normalizedAccountId)
-    ? accounts[normalizedAccountId]
-    : undefined;
-  if (!existingAccount || typeof existingAccount !== "object") {
-    accounts[normalizedAccountId] = {};
-  }
-  const account = accounts[normalizedAccountId] as Record<string, unknown>;
-  return {
-    target: account,
-    pathPrefix: `channels.${channelId}.accounts.${normalizedAccountId}`,
-    accountId: normalizedAccountId,
-    writeTarget: resolveExplicitConfigWriteTarget({
-      channelId,
-      accountId: normalizedAccountId,
-    }),
-  };
-}
-
-function getNestedValue(root: Record<string, unknown>, path: string[]): unknown {
-  let current: unknown = root;
-  for (const key of path) {
-    if (!current || typeof current !== "object") {
-      return undefined;
-    }
-    current = (current as Record<string, unknown>)[key];
-  }
-  return current;
-}
-
-function ensureNestedObject(
-  root: Record<string, unknown>,
-  path: string[],
-): Record<string, unknown> {
-  let current = root;
-  for (const key of path) {
-    const existing = current[key];
-    if (!existing || typeof existing !== "object") {
-      current[key] = {};
-    }
-    current = current[key] as Record<string, unknown>;
-  }
-  return current;
-}
-
-function setNestedValue(root: Record<string, unknown>, path: string[], value: unknown) {
-  if (path.length === 0) {
-    return;
-  }
-  if (path.length === 1) {
-    root[path[0]] = value;
-    return;
-  }
-  const parent = ensureNestedObject(root, path.slice(0, -1));
-  parent[path[path.length - 1]] = value;
-}
-
-function deleteNestedValue(root: Record<string, unknown>, path: string[]) {
-  if (path.length === 0) {
-    return;
-  }
-  if (path.length === 1) {
-    delete root[path[0]];
-    return;
-  }
-  const parent = getNestedValue(root, path.slice(0, -1));
-  if (!parent || typeof parent !== "object") {
-    return;
-  }
-  delete (parent as Record<string, unknown>)[path[path.length - 1]];
-}
-
-function resolveChannelAllowFromPaths(
-  channelId: ChannelId,
-  scope: AllowlistScope,
-): string[] | null {
-  const supportsGroupAllowlist =
-    channelId === "telegram" ||
-    channelId === "whatsapp" ||
-    channelId === "signal" ||
-    channelId === "imessage";
-  if (scope === "all") {
-    return null;
-  }
-  if (scope === "dm") {
-    if (channelId === "slack" || channelId === "discord") {
-      // Canonical DM allowlist location for Slack/Discord. Legacy: dm.allowFrom.
-      return ["allowFrom"];
-    }
-    if (supportsGroupAllowlist) {
-      return ["allowFrom"];
-    }
-    return null;
-  }
-  if (scope === "group") {
-    if (supportsGroupAllowlist) {
-      return ["groupAllowFrom"];
-    }
-    return null;
-  }
-  return null;
-}
-
 function mapResolvedAllowlistNames(entries: ResolvedAllowlistName[]): Map<string, string> {
   const map = new Map<string, string>();
   for (const entry of entries) {
@@ -362,32 +206,35 @@ function mapResolvedAllowlistNames(entries: ResolvedAllowlistName[]): Map<string
   return map;
 }
 
-async function resolveSlackNames(params: {
+async function resolveAllowlistNames(params: {
   cfg: OpenClawConfig;
+  channelId: ChannelId;
   accountId?: string | null;
+  scope: "dm" | "group";
   entries: string[];
 }) {
-  const account = resolveSlackAccount({ cfg: params.cfg, accountId: params.accountId });
-  const token = account.userToken || account.botToken?.trim();
-  if (!token) {
-    return new Map<string, string>();
-  }
-  const resolved = await resolveSlackUserAllowlist({ token, entries: params.entries });
-  return mapResolvedAllowlistNames(resolved);
+  const plugin = getChannelPlugin(params.channelId);
+  const resolved = await plugin?.allowlist?.resolveNames?.({
+    cfg: params.cfg,
+    accountId: params.accountId,
+    scope: params.scope,
+    entries: params.entries,
+  });
+  return mapResolvedAllowlistNames(resolved ?? []);
 }
 
-async function resolveDiscordNames(params: {
+async function readAllowlistConfig(params: {
   cfg: OpenClawConfig;
+  channelId: ChannelId;
   accountId?: string | null;
-  entries: string[];
 }) {
-  const account = resolveDiscordAccount({ cfg: params.cfg, accountId: params.accountId });
-  const token = account.token?.trim();
-  if (!token) {
-    return new Map<string, string>();
-  }
-  const resolved = await resolveDiscordUserAllowlist({ token, entries: params.entries });
-  return mapResolvedAllowlistNames(resolved);
+  const plugin = getChannelPlugin(params.channelId);
+  return (
+    (await plugin?.allowlist?.readConfig?.({
+      cfg: params.cfg,
+      accountId: params.accountId,
+    })) ?? {}
+  );
 }
 
 export const handleAllowlistCommand: CommandHandler = async (params, allowTextCommands) => {
@@ -425,83 +272,31 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
     };
   }
   const accountId = normalizeAccountId(parsed.account ?? params.ctx.AccountId);
-  const scope = parsed.scope;
+  const plugin = getChannelPlugin(channelId);
 
   if (parsed.action === "list") {
-    const pairingChannels = listPairingChannels();
-    const supportsStore = pairingChannels.includes(channelId);
+    const supportsStore = Boolean(plugin?.pairing);
+    if (!plugin?.allowlist?.readConfig && !supportsStore) {
+      return {
+        shouldContinue: false,
+        reply: { text: `⚠️ ${channelId} does not expose allowlist configuration.` },
+      };
+    }
     const storeAllowFrom = supportsStore
       ? await readChannelAllowFromStore(channelId, process.env, accountId).catch(() => [])
       : [];
+    const configState = await readAllowlistConfig({
+      cfg: params.cfg,
+      channelId,
+      accountId,
+    });
 
-    let dmAllowFrom: string[] = [];
-    let groupAllowFrom: string[] = [];
-    let groupOverrides: Array<{ label: string; entries: string[] }> = [];
-    let dmPolicy: string | undefined;
-    let groupPolicy: string | undefined;
-
-    if (channelId === "telegram") {
-      const account = resolveTelegramAccount({ cfg: params.cfg, accountId });
-      ({ dmAllowFrom, groupAllowFrom, dmPolicy, groupPolicy } = extractConfigAllowlist(account));
-      const groups = account.config.groups ?? {};
-      for (const [groupId, groupCfg] of Object.entries(groups)) {
-        const entries = (groupCfg?.allowFrom ?? []).map(String).filter(Boolean);
-        if (entries.length > 0) {
-          groupOverrides.push({ label: groupId, entries });
-        }
-        const topics = groupCfg?.topics ?? {};
-        for (const [topicId, topicCfg] of Object.entries(topics)) {
-          const topicEntries = (topicCfg?.allowFrom ?? []).map(String).filter(Boolean);
-          if (topicEntries.length > 0) {
-            groupOverrides.push({ label: `${groupId} topic ${topicId}`, entries: topicEntries });
-          }
-        }
-      }
-    } else if (channelId === "whatsapp") {
-      const account = resolveWhatsAppAccount({ cfg: params.cfg, accountId });
-      dmAllowFrom = (account.allowFrom ?? []).map(String);
-      groupAllowFrom = (account.groupAllowFrom ?? []).map(String);
-      dmPolicy = account.dmPolicy;
-      groupPolicy = account.groupPolicy;
-    } else if (channelId === "signal") {
-      const account = resolveSignalAccount({ cfg: params.cfg, accountId });
-      ({ dmAllowFrom, groupAllowFrom, dmPolicy, groupPolicy } = extractConfigAllowlist(account));
-    } else if (channelId === "imessage") {
-      const account = resolveIMessageAccount({ cfg: params.cfg, accountId });
-      ({ dmAllowFrom, groupAllowFrom, dmPolicy, groupPolicy } = extractConfigAllowlist(account));
-    } else if (channelId === "slack") {
-      const account = resolveSlackAccount({ cfg: params.cfg, accountId });
-      dmAllowFrom = (account.config.allowFrom ?? account.config.dm?.allowFrom ?? []).map(String);
-      groupPolicy = account.groupPolicy;
-      const channels = account.channels ?? {};
-      groupOverrides = Object.entries(channels)
-        .map(([key, value]) => {
-          const entries = (value?.users ?? []).map(String).filter(Boolean);
-          return entries.length > 0 ? { label: key, entries } : null;
-        })
-        .filter(Boolean) as Array<{ label: string; entries: string[] }>;
-    } else if (channelId === "discord") {
-      const account = resolveDiscordAccount({ cfg: params.cfg, accountId });
-      dmAllowFrom = (account.config.allowFrom ?? account.config.dm?.allowFrom ?? []).map(String);
-      groupPolicy = account.config.groupPolicy;
-      const guilds = account.config.guilds ?? {};
-      for (const [guildKey, guildCfg] of Object.entries(guilds)) {
-        const entries = (guildCfg?.users ?? []).map(String).filter(Boolean);
-        if (entries.length > 0) {
-          groupOverrides.push({ label: `guild ${guildKey}`, entries });
-        }
-        const channels = guildCfg?.channels ?? {};
-        for (const [channelKey, channelCfg] of Object.entries(channels)) {
-          const channelEntries = (channelCfg?.users ?? []).map(String).filter(Boolean);
-          if (channelEntries.length > 0) {
-            groupOverrides.push({
-              label: `guild ${guildKey} / channel ${channelKey}`,
-              entries: channelEntries,
-            });
-          }
-        }
-      }
-    }
+    const dmAllowFrom = (configState.dmAllowFrom ?? []).map(String);
+    const groupAllowFrom = (configState.groupAllowFrom ?? []).map(String);
+    const groupOverrides = (configState.groupOverrides ?? []).map((entry) => ({
+      label: entry.label,
+      entries: entry.entries.map(String).filter(Boolean),
+    }));
 
     const dmDisplay = normalizeAllowFrom({
       cfg: params.cfg,
@@ -522,38 +317,39 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
       accountId,
       values: groupOverrideEntries,
     });
+
     const resolvedDm =
-      parsed.resolve && dmDisplay.length > 0 && channelId === "slack"
-        ? await resolveSlackNames({ cfg: params.cfg, accountId, entries: dmDisplay })
-        : parsed.resolve && dmDisplay.length > 0 && channelId === "discord"
-          ? await resolveDiscordNames({ cfg: params.cfg, accountId, entries: dmDisplay })
-          : undefined;
-    const resolvedGroup =
-      parsed.resolve && groupOverrideDisplay.length > 0 && channelId === "slack"
-        ? await resolveSlackNames({
+      parsed.resolve && dmDisplay.length > 0
+        ? await resolveAllowlistNames({
             cfg: params.cfg,
+            channelId,
             accountId,
+            scope: "dm",
+            entries: dmDisplay,
+          })
+        : undefined;
+    const resolvedGroup =
+      parsed.resolve && groupOverrideDisplay.length > 0
+        ? await resolveAllowlistNames({
+            cfg: params.cfg,
+            channelId,
+            accountId,
+            scope: "group",
             entries: groupOverrideDisplay,
           })
-        : parsed.resolve && groupOverrideDisplay.length > 0 && channelId === "discord"
-          ? await resolveDiscordNames({
-              cfg: params.cfg,
-              accountId,
-              entries: groupOverrideDisplay,
-            })
-          : undefined;
+        : undefined;
 
     const lines: string[] = ["🧾 Allowlist"];
     lines.push(`Channel: ${channelId}${accountId ? ` (account ${accountId})` : ""}`);
-    if (dmPolicy) {
-      lines.push(`DM policy: ${dmPolicy}`);
+    if (configState.dmPolicy) {
+      lines.push(`DM policy: ${configState.dmPolicy}`);
     }
-    if (groupPolicy) {
-      lines.push(`Group policy: ${groupPolicy}`);
+    if (configState.groupPolicy) {
+      lines.push(`Group policy: ${configState.groupPolicy}`);
     }
 
-    const showDm = scope === "dm" || scope === "all";
-    const showGroup = scope === "group" || scope === "all";
+    const showDm = parsed.scope === "dm" || parsed.scope === "all";
+    const showGroup = parsed.scope === "group" || parsed.scope === "all";
     if (showDm) {
       lines.push(`DM allowFrom (config): ${formatEntryList(dmDisplay, resolvedDm)}`);
     }
@@ -568,7 +364,7 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
     }
     if (showGroup) {
       if (groupAllowFrom.length > 0) {
-        lines.push(`Group allowFrom (config): ${formatEntryList(groupDisplay)}`);
+        lines.push(`Group allowFrom (config): ${formatEntryList(groupDisplay, resolvedGroup)}`);
       }
       if (groupOverrides.length > 0) {
         lines.push("Group overrides:");
@@ -597,15 +393,20 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
   }
 
   const shouldUpdateConfig = parsed.target !== "store";
-  const shouldTouchStore = parsed.target !== "config" && listPairingChannels().includes(channelId);
+  const shouldTouchStore = parsed.target !== "config" && Boolean(plugin?.pairing);
 
   if (shouldUpdateConfig) {
-    const allowlistPath = resolveChannelAllowFromPaths(channelId, scope);
-    if (!allowlistPath) {
+    if (parsed.scope === "all") {
+      return {
+        shouldContinue: false,
+        reply: { text: "⚠️ /allowlist add|remove requires scope dm or group." },
+      };
+    }
+    if (!plugin?.allowlist?.applyConfigEdit) {
       return {
         shouldContinue: false,
         reply: {
-          text: `⚠️ ${channelId} does not support ${scope} allowlist edits via /allowlist.`,
+          text: `⚠️ ${channelId} does not support ${parsed.scope} allowlist edits via /allowlist.`,
         },
       };
     }
@@ -618,19 +419,35 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
       };
     }
     const parsedConfig = structuredClone(snapshot.parsed as Record<string, unknown>);
-    const {
-      target,
-      pathPrefix,
-      accountId: normalizedAccountId,
-      writeTarget,
-    } = resolveAccountTarget(parsedConfig, channelId, accountId);
+    const editResult = await plugin.allowlist.applyConfigEdit({
+      cfg: params.cfg,
+      parsedConfig,
+      accountId,
+      scope: parsed.scope,
+      action: parsed.action,
+      entry: parsed.entry,
+    });
+    if (!editResult) {
+      return {
+        shouldContinue: false,
+        reply: {
+          text: `⚠️ ${channelId} does not support ${parsed.scope} allowlist edits via /allowlist.`,
+        },
+      };
+    }
+    if (editResult.kind === "invalid-entry") {
+      return {
+        shouldContinue: false,
+        reply: { text: "⚠️ Invalid allowlist entry." },
+      };
+    }
     const deniedText = resolveConfigWriteDeniedText({
       cfg: params.cfg,
       channel: params.command.channel,
       channelId,
       accountId: params.ctx.AccountId,
       gatewayClientScopes: params.ctx.GatewayClientScopes,
-      target: writeTarget,
+      target: editResult.writeTarget,
     });
     if (deniedText) {
       return {
@@ -640,88 +457,7 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
         },
       };
     }
-
-    const existing: string[] = [];
-    const existingPaths =
-      scope === "dm" && (channelId === "slack" || channelId === "discord")
-        ? // Read both while legacy alias may still exist; write canonical below.
-          [allowlistPath, ["dm", "allowFrom"]]
-        : [allowlistPath];
-    for (const path of existingPaths) {
-      const existingRaw = getNestedValue(target, path);
-      if (!Array.isArray(existingRaw)) {
-        continue;
-      }
-      for (const entry of existingRaw) {
-        const value = String(entry).trim();
-        if (!value || existing.includes(value)) {
-          continue;
-        }
-        existing.push(value);
-      }
-    }
-
-    const normalizedEntry = normalizeAllowFrom({
-      cfg: params.cfg,
-      channelId,
-      accountId: normalizedAccountId,
-      values: [parsed.entry],
-    });
-    if (normalizedEntry.length === 0) {
-      return {
-        shouldContinue: false,
-        reply: { text: "⚠️ Invalid allowlist entry." },
-      };
-    }
-
-    const existingNormalized = normalizeAllowFrom({
-      cfg: params.cfg,
-      channelId,
-      accountId: normalizedAccountId,
-      values: existing,
-    });
-
-    const shouldMatch = (value: string) => normalizedEntry.includes(value);
-
-    let configChanged = false;
-    let next = existing;
-    const configHasEntry = existingNormalized.some((value) => shouldMatch(value));
-    if (parsed.action === "add") {
-      if (!configHasEntry) {
-        next = [...existing, parsed.entry.trim()];
-        configChanged = true;
-      }
-    }
-
-    if (parsed.action === "remove") {
-      const keep: string[] = [];
-      for (const entry of existing) {
-        const normalized = normalizeAllowFrom({
-          cfg: params.cfg,
-          channelId,
-          accountId: normalizedAccountId,
-          values: [entry],
-        });
-        if (normalized.some((value) => shouldMatch(value))) {
-          configChanged = true;
-          continue;
-        }
-        keep.push(entry);
-      }
-      next = keep;
-    }
-
-    if (configChanged) {
-      if (next.length === 0) {
-        deleteNestedValue(target, allowlistPath);
-      } else {
-        setNestedValue(target, allowlistPath, next);
-      }
-      if (scope === "dm" && (channelId === "slack" || channelId === "discord")) {
-        // Remove legacy DM allowlist alias to prevent drift.
-        deleteNestedValue(target, ["dm", "allowFrom"]);
-      }
-    }
+    const configChanged = editResult.changed;
 
     if (configChanged) {
       const validated = validateConfigObjectWithPlugins(parsedConfig);
@@ -750,10 +486,10 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
     }
 
     const actionLabel = parsed.action === "add" ? "added" : "removed";
-    const scopeLabel = scope === "dm" ? "DM" : "group";
+    const scopeLabel = parsed.scope === "dm" ? "DM" : "group";
     const locations: string[] = [];
     if (configChanged) {
-      locations.push(`${pathPrefix}.${allowlistPath.join(".")}`);
+      locations.push(editResult.pathLabel);
     }
     if (shouldTouchStore) {
       locations.push("pairing store");
@@ -782,7 +518,7 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
   });
 
   const actionLabel = parsed.action === "add" ? "added" : "removed";
-  const scopeLabel = scope === "dm" ? "DM" : "group";
+  const scopeLabel = parsed.scope === "dm" ? "DM" : "group";
   return {
     shouldContinue: false,
     reply: { text: `✅ ${scopeLabel} allowlist ${actionLabel} in pairing store.` },
diff --git a/src/auto-reply/reply/commands-approve.ts b/src/auto-reply/reply/commands-approve.ts
index ad1fde9eb0b..5f259c1b45a 100644
--- a/src/auto-reply/reply/commands-approve.ts
+++ b/src/auto-reply/reply/commands-approve.ts
@@ -1,9 +1,9 @@
+import { callGateway } from "../../gateway/call.js";
+import { logVerbose } from "../../globals.js";
 import {
   isTelegramExecApprovalApprover,
   isTelegramExecApprovalClientEnabled,
-} from "../../../extensions/telegram/src/exec-approvals.js";
-import { callGateway } from "../../gateway/call.js";
-import { logVerbose } from "../../globals.js";
+} from "../../plugin-sdk-internal/telegram.js";
 import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES } from "../../utils/message-channel.js";
 import { requireGatewayClientScopeForInternalChannel } from "./command-gates.js";
 import type { CommandHandler } from "./commands-types.js";
diff --git a/src/auto-reply/reply/commands-models.ts b/src/auto-reply/reply/commands-models.ts
index afe56688256..99e02cfa81e 100644
--- a/src/auto-reply/reply/commands-models.ts
+++ b/src/auto-reply/reply/commands-models.ts
@@ -1,10 +1,3 @@
-import {
-  buildModelsKeyboard,
-  buildProviderKeyboard,
-  calculateTotalPages,
-  getModelsPageSize,
-  type ProviderInfo,
-} from "../../../extensions/telegram/src/model-buttons.js";
 import { resolveAgentDir, resolveSessionAgentId } from "../../agents/agent-scope.js";
 import { resolveModelAuthLabel } from "../../agents/model-auth-label.js";
 import { loadModelCatalog } from "../../agents/model-catalog.js";
@@ -17,6 +10,13 @@ import {
 } from "../../agents/model-selection.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionEntry } from "../../config/sessions.js";
+import {
+  buildModelsKeyboard,
+  buildProviderKeyboard,
+  calculateTotalPages,
+  getModelsPageSize,
+  type ProviderInfo,
+} from "../../plugin-sdk-internal/telegram.js";
 import type { ReplyPayload } from "../types.js";
 import { rejectUnauthorizedCommand } from "./command-gates.js";
 import type { CommandHandler } from "./commands-types.js";
diff --git a/src/auto-reply/reply/commands-session-lifecycle.test.ts b/src/auto-reply/reply/commands-session-lifecycle.test.ts
index 92812abaae6..bb56ef82bd9 100644
--- a/src/auto-reply/reply/commands-session-lifecycle.test.ts
+++ b/src/auto-reply/reply/commands-session-lifecycle.test.ts
@@ -1,6 +1,9 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
+import { telegramPlugin } from "../../../extensions/telegram/src/channel.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionBindingRecord } from "../../infra/outbound/session-binding-service.js";
+import { setActivePluginRegistry } from "../../plugins/runtime.js";
+import { createTestRegistry } from "../../test-utils/channel-plugins.js";
 
 const hoisted = vi.hoisted(() => {
   const getThreadBindingManagerMock = vi.fn();
@@ -19,28 +22,34 @@ const hoisted = vi.hoisted(() => {
   };
 });
 
-vi.mock("../../../extensions/discord/src/monitor/thread-bindings.js", async (importOriginal) => {
-  const actual =
-    await importOriginal<
-      typeof import("../../../extensions/discord/src/monitor/thread-bindings.js")
-    >();
+vi.mock("../../plugins/runtime/index.js", async () => {
+  const discordThreadBindings = await vi.importActual<
+    typeof import("../../../extensions/discord/src/monitor/thread-bindings.js")
+  >("../../../extensions/discord/src/monitor/thread-bindings.js");
   return {
-    ...actual,
-    getThreadBindingManager: hoisted.getThreadBindingManagerMock,
-    setThreadBindingIdleTimeoutBySessionKey: hoisted.setThreadBindingIdleTimeoutBySessionKeyMock,
-    setThreadBindingMaxAgeBySessionKey: hoisted.setThreadBindingMaxAgeBySessionKeyMock,
-  };
-});
-
-vi.mock("../../../extensions/telegram/src/thread-bindings.js", async (importOriginal) => {
-  const actual =
-    await importOriginal<typeof import("../../../extensions/telegram/src/thread-bindings.js")>();
-  return {
-    ...actual,
-    setTelegramThreadBindingIdleTimeoutBySessionKey:
-      hoisted.setTelegramThreadBindingIdleTimeoutBySessionKeyMock,
-    setTelegramThreadBindingMaxAgeBySessionKey:
-      hoisted.setTelegramThreadBindingMaxAgeBySessionKeyMock,
+    createPluginRuntime: () => ({
+      channel: {
+        discord: {
+          threadBindings: {
+            getManager: hoisted.getThreadBindingManagerMock,
+            resolveIdleTimeoutMs: discordThreadBindings.resolveThreadBindingIdleTimeoutMs,
+            resolveInactivityExpiresAt:
+              discordThreadBindings.resolveThreadBindingInactivityExpiresAt,
+            resolveMaxAgeMs: discordThreadBindings.resolveThreadBindingMaxAgeMs,
+            resolveMaxAgeExpiresAt: discordThreadBindings.resolveThreadBindingMaxAgeExpiresAt,
+            setIdleTimeoutBySessionKey: hoisted.setThreadBindingIdleTimeoutBySessionKeyMock,
+            setMaxAgeBySessionKey: hoisted.setThreadBindingMaxAgeBySessionKeyMock,
+            unbindBySessionKey: vi.fn(),
+          },
+        },
+        telegram: {
+          threadBindings: {
+            setIdleTimeoutBySessionKey: hoisted.setTelegramThreadBindingIdleTimeoutBySessionKeyMock,
+            setMaxAgeBySessionKey: hoisted.setTelegramThreadBindingMaxAgeBySessionKeyMock,
+          },
+        },
+      },
+    }),
   };
 });
 
@@ -168,6 +177,9 @@ function createFakeThreadBindingManager(binding: FakeBinding | null) {
 
 describe("/session idle and /session max-age", () => {
   beforeEach(() => {
+    setActivePluginRegistry(
+      createTestRegistry([{ pluginId: "telegram", source: "test", plugin: telegramPlugin }]),
+    );
     hoisted.getThreadBindingManagerMock.mockReset();
     hoisted.setThreadBindingIdleTimeoutBySessionKeyMock.mockReset();
     hoisted.setThreadBindingMaxAgeBySessionKeyMock.mockReset();
diff --git a/src/auto-reply/reply/commands-session.ts b/src/auto-reply/reply/commands-session.ts
index b04d5112345..0359c77331b 100644
--- a/src/auto-reply/reply/commands-session.ts
+++ b/src/auto-reply/reply/commands-session.ts
@@ -1,18 +1,5 @@
-import {
-  formatThreadBindingDurationLabel,
-  getThreadBindingManager,
-  resolveThreadBindingIdleTimeoutMs,
-  resolveThreadBindingInactivityExpiresAt,
-  resolveThreadBindingMaxAgeExpiresAt,
-  resolveThreadBindingMaxAgeMs,
-  setThreadBindingIdleTimeoutBySessionKey,
-  setThreadBindingMaxAgeBySessionKey,
-} from "../../../extensions/discord/src/monitor/thread-bindings.js";
-import {
-  setTelegramThreadBindingIdleTimeoutBySessionKey,
-  setTelegramThreadBindingMaxAgeBySessionKey,
-} from "../../../extensions/telegram/src/thread-bindings.js";
 import { resolveFastModeState } from "../../agents/fast-mode.js";
+import { formatThreadBindingDurationLabel } from "../../channels/thread-bindings-messages.js";
 import { parseDurationMs } from "../../cli/parse-duration.js";
 import { isRestartEnabled } from "../../config/commands.js";
 import { logVerbose } from "../../globals.js";
@@ -20,6 +7,7 @@ import { getSessionBindingService } from "../../infra/outbound/session-binding-s
 import type { SessionBindingRecord } from "../../infra/outbound/session-binding-service.js";
 import { scheduleGatewaySigusr1Restart, triggerOpenClawRestart } from "../../infra/restart.js";
 import { loadCostUsageSummary, loadSessionCostSummary } from "../../infra/session-cost-usage.js";
+import { createPluginRuntime } from "../../plugins/runtime/index.js";
 import { formatTokenCount, formatUsd } from "../../utils/usage-format.js";
 import { parseActivationCommand } from "../group-activation.js";
 import { parseSendPolicyCommand } from "../send-policy.js";
@@ -34,6 +22,12 @@ const SESSION_COMMAND_PREFIX = "/session";
 const SESSION_DURATION_OFF_VALUES = new Set(["off", "disable", "disabled", "none", "0"]);
 const SESSION_ACTION_IDLE = "idle";
 const SESSION_ACTION_MAX_AGE = "max-age";
+let cachedChannelRuntime: ReturnType<typeof createPluginRuntime>["channel"] | undefined;
+
+function getChannelRuntime() {
+  cachedChannelRuntime ??= createPluginRuntime().channel;
+  return cachedChannelRuntime;
+}
 
 function resolveSessionCommandUsage() {
   return "Usage: /session idle <duration|off> | /session max-age <duration|off> (example: /session idle 24h)";
@@ -384,8 +378,11 @@ export const handleSessionCommand: CommandHandler = async (params, allowTextComm
   const threadId =
     params.ctx.MessageThreadId != null ? String(params.ctx.MessageThreadId).trim() : "";
   const telegramConversationId = onTelegram ? resolveTelegramConversationId(params) : undefined;
+  const channelRuntime = getChannelRuntime();
 
-  const discordManager = onDiscord ? getThreadBindingManager(accountId) : null;
+  const discordManager = onDiscord
+    ? channelRuntime.discord.threadBindings.getManager(accountId)
+    : null;
   if (onDiscord && !discordManager) {
     return {
       shouldContinue: false,
@@ -433,13 +430,13 @@ export const handleSessionCommand: CommandHandler = async (params, allowTextComm
   }
 
   const idleTimeoutMs = onDiscord
-    ? resolveThreadBindingIdleTimeoutMs({
+    ? channelRuntime.discord.threadBindings.resolveIdleTimeoutMs({
         record: discordBinding!,
         defaultIdleTimeoutMs: discordManager!.getIdleTimeoutMs(),
       })
     : resolveTelegramBindingDurationMs(telegramBinding!, "idleTimeoutMs", 24 * 60 * 60 * 1000);
   const idleExpiresAt = onDiscord
-    ? resolveThreadBindingInactivityExpiresAt({
+    ? channelRuntime.discord.threadBindings.resolveInactivityExpiresAt({
         record: discordBinding!,
         defaultIdleTimeoutMs: discordManager!.getIdleTimeoutMs(),
       })
@@ -447,13 +444,13 @@ export const handleSessionCommand: CommandHandler = async (params, allowTextComm
       ? resolveTelegramBindingLastActivityAt(telegramBinding!) + idleTimeoutMs
       : undefined;
   const maxAgeMs = onDiscord
-    ? resolveThreadBindingMaxAgeMs({
+    ? channelRuntime.discord.threadBindings.resolveMaxAgeMs({
         record: discordBinding!,
         defaultMaxAgeMs: discordManager!.getMaxAgeMs(),
       })
     : resolveTelegramBindingDurationMs(telegramBinding!, "maxAgeMs", 0);
   const maxAgeExpiresAt = onDiscord
-    ? resolveThreadBindingMaxAgeExpiresAt({
+    ? channelRuntime.discord.threadBindings.resolveMaxAgeExpiresAt({
         record: discordBinding!,
         defaultMaxAgeMs: discordManager!.getMaxAgeMs(),
       })
@@ -528,24 +525,24 @@ export const handleSessionCommand: CommandHandler = async (params, allowTextComm
   const updatedBindings = (() => {
     if (onDiscord) {
       return action === SESSION_ACTION_IDLE
-        ? setThreadBindingIdleTimeoutBySessionKey({
+        ? channelRuntime.discord.threadBindings.setIdleTimeoutBySessionKey({
             targetSessionKey: discordBinding!.targetSessionKey,
             accountId,
             idleTimeoutMs: durationMs,
           })
-        : setThreadBindingMaxAgeBySessionKey({
+        : channelRuntime.discord.threadBindings.setMaxAgeBySessionKey({
             targetSessionKey: discordBinding!.targetSessionKey,
             accountId,
             maxAgeMs: durationMs,
           });
     }
     return action === SESSION_ACTION_IDLE
-      ? setTelegramThreadBindingIdleTimeoutBySessionKey({
+      ? channelRuntime.telegram.threadBindings.setIdleTimeoutBySessionKey({
           targetSessionKey: telegramBinding!.targetSessionKey,
           accountId,
           idleTimeoutMs: durationMs,
         })
-      : setTelegramThreadBindingMaxAgeBySessionKey({
+      : channelRuntime.telegram.threadBindings.setMaxAgeBySessionKey({
           targetSessionKey: telegramBinding!.targetSessionKey,
           accountId,
           maxAgeMs: durationMs,
diff --git a/src/auto-reply/reply/commands-subagents/shared.ts b/src/auto-reply/reply/commands-subagents/shared.ts
index 1c7db7e13cd..9781683267e 100644
--- a/src/auto-reply/reply/commands-subagents/shared.ts
+++ b/src/auto-reply/reply/commands-subagents/shared.ts
@@ -1,4 +1,3 @@
-import { parseDiscordTarget } from "../../../../extensions/discord/src/targets.js";
 import { resolveStoredSubagentCapabilities } from "../../../agents/subagent-capabilities.js";
 import type { ResolvedSubagentController } from "../../../agents/subagent-control.js";
 import {
@@ -12,6 +11,7 @@ import {
   sanitizeTextContent,
   stripToolMessages,
 } from "../../../agents/tools/sessions-helpers.js";
+import { parseExplicitTargetForChannel } from "../../../channels/plugins/target-parsing.js";
 import type {
   SessionEntry,
   loadSessionStore as loadSessionStoreFn,
@@ -335,13 +335,9 @@ export function resolveDiscordChannelIdForFocus(
     typeof params.ctx.To === "string" ? params.ctx.To.trim() : "",
   ].filter(Boolean);
   for (const candidate of toCandidates) {
-    try {
-      const target = parseDiscordTarget(candidate, { defaultKind: "channel" });
-      if (target?.kind === "channel" && target.id) {
-        return target.id;
-      }
-    } catch {
-      // Ignore parse failures and try the next candidate.
+    const target = parseExplicitTargetForChannel("discord", candidate);
+    if (target?.chatType === "channel" && target.to) {
+      return target.to;
     }
   }
   return undefined;
diff --git a/src/auto-reply/reply/commands.test.ts b/src/auto-reply/reply/commands.test.ts
index 2d8e6458933..0f2853aab98 100644
--- a/src/auto-reply/reply/commands.test.ts
+++ b/src/auto-reply/reply/commands.test.ts
@@ -8,6 +8,7 @@ import {
   listSubagentRunsForRequester,
   resetSubagentRegistryForTests,
 } from "../../agents/subagent-registry.js";
+import { setDefaultChannelPluginRegistryForTests } from "../../commands/channel-test-helpers.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { updateSessionStore, type SessionEntry } from "../../config/sessions.js";
 import * as internalHooks from "../../hooks/internal-hooks.js";
@@ -133,6 +134,32 @@ afterAll(async () => {
   await fs.rm(testWorkspaceDir, { recursive: true, force: true });
 });
 
+beforeEach(() => {
+  setDefaultChannelPluginRegistryForTests();
+  readConfigFileSnapshotMock.mockImplementation(async () => {
+    const configPath = process.env.OPENCLAW_CONFIG_PATH;
+    if (!configPath) {
+      return { valid: false, parsed: null };
+    }
+    const parsed = JSON.parse(await fs.readFile(configPath, "utf-8")) as Record<string, unknown>;
+    return { valid: true, parsed };
+  });
+  validateConfigObjectWithPluginsMock.mockImplementation((config: unknown) => ({
+    ok: true,
+    config,
+  }));
+  writeConfigFileMock.mockImplementation(async (config: unknown) => {
+    const configPath = process.env.OPENCLAW_CONFIG_PATH;
+    if (!configPath) {
+      return;
+    }
+    await fs.writeFile(configPath, JSON.stringify(config, null, 2), "utf-8");
+  });
+  readChannelAllowFromStoreMock.mockResolvedValue([]);
+  addChannelAllowFromStoreEntryMock.mockResolvedValue({ changed: true, allowFrom: [] });
+  removeChannelAllowFromStoreEntryMock.mockResolvedValue({ changed: true, allowFrom: [] });
+});
+
 async function withTempConfigPath<T>(
   initialConfig: Record<string, unknown>,
   run: (configPath: string) => Promise<T>,
@@ -998,6 +1025,7 @@ function buildPolicyParams(
 describe("handleCommands /allowlist", () => {
   beforeEach(() => {
     vi.clearAllMocks();
+    setDefaultChannelPluginRegistryForTests();
   });
 
   it("lists config + store allowFrom entries", async () => {
diff --git a/src/auto-reply/reply/directive-handling.model.ts b/src/auto-reply/reply/directive-handling.model.ts
index bb66d8b8d7f..d27bdb25d61 100644
--- a/src/auto-reply/reply/directive-handling.model.ts
+++ b/src/auto-reply/reply/directive-handling.model.ts
@@ -1,4 +1,3 @@
-import { buildBrowseProvidersButton } from "../../../extensions/telegram/src/model-buttons.js";
 import { resolveAuthStorePathForDisplay } from "../../agents/auth-profiles.js";
 import {
   type ModelAliasIndex,
@@ -9,6 +8,7 @@ import {
 } from "../../agents/model-selection.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionEntry } from "../../config/sessions.js";
+import { buildBrowseProvidersButton } from "../../plugin-sdk-internal/telegram.js";
 import { shortenHomePath } from "../../utils.js";
 import { resolveSelectedAndActiveModel } from "../model-runtime.js";
 import type { ReplyPayload } from "../types.js";
diff --git a/src/auto-reply/reply/dispatch-from-config.test.ts b/src/auto-reply/reply/dispatch-from-config.test.ts
index 38e3615dd9f..6d1604227bd 100644
--- a/src/auto-reply/reply/dispatch-from-config.test.ts
+++ b/src/auto-reply/reply/dispatch-from-config.test.ts
@@ -1,8 +1,11 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
+import { discordPlugin } from "../../../extensions/discord/src/channel.js";
 import { AcpRuntimeError } from "../../acp/runtime/errors.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionBindingRecord } from "../../infra/outbound/session-binding-service.js";
 import type { PluginTargetedInboundClaimOutcome } from "../../plugins/hooks.js";
+import { setActivePluginRegistry } from "../../plugins/runtime.js";
+import { createTestRegistry } from "../../test-utils/channel-plugins.js";
 import { createInternalHookEventPayload } from "../../test-utils/internal-hook-event-payload.js";
 import type { MsgContext } from "../templating.js";
 import type { GetReplyOptions, ReplyPayload } from "../types.js";
@@ -252,6 +255,9 @@ async function dispatchTwiceWithFreshDispatchers(params: Omit<DispatchReplyArgs,
 
 describe("dispatchReplyFromConfig", () => {
   beforeEach(() => {
+    setActivePluginRegistry(
+      createTestRegistry([{ pluginId: "discord", source: "test", plugin: discordPlugin }]),
+    );
     acpManagerTesting.resetAcpSessionManagerForTests();
     resetInboundDedupe();
     mocks.routeReply.mockReset();
@@ -1295,6 +1301,11 @@ describe("dispatchReplyFromConfig", () => {
       commands: {
         text: false,
       },
+      session: {
+        sendPolicy: {
+          default: "allow",
+        },
+      },
     } as OpenClawConfig;
     const dispatcher = createDispatcher();
     const ctx = buildTestCtx({
diff --git a/src/auto-reply/reply/dispatch-from-config.ts b/src/auto-reply/reply/dispatch-from-config.ts
index 1e90dd58887..18a7eb7802d 100644
--- a/src/auto-reply/reply/dispatch-from-config.ts
+++ b/src/auto-reply/reply/dispatch-from-config.ts
@@ -1,5 +1,5 @@
-import { shouldSuppressLocalDiscordExecApprovalPrompt } from "../../../extensions/discord/src/exec-approvals.js";
 import { resolveSessionAgentId } from "../../agents/agent-scope.js";
+import { shouldSuppressLocalExecApprovalPrompt } from "../../channels/plugins/exec-approval-local.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import {
   loadSessionStore,
@@ -506,8 +506,8 @@ export async function dispatchReplyFromConfig(params: {
 
     const resolveToolDeliveryPayload = (payload: ReplyPayload): ReplyPayload | null => {
       if (
-        normalizeMessageChannel(ctx.Surface ?? ctx.Provider) === "discord" &&
-        shouldSuppressLocalDiscordExecApprovalPrompt({
+        shouldSuppressLocalExecApprovalPrompt({
+          channel: normalizeMessageChannel(ctx.Surface ?? ctx.Provider),
           cfg,
           accountId: ctx.AccountId,
           payload,
diff --git a/src/auto-reply/reply/get-reply-inline-actions.ts b/src/auto-reply/reply/get-reply-inline-actions.ts
index b4f921672f8..73983cfdc49 100644
--- a/src/auto-reply/reply/get-reply-inline-actions.ts
+++ b/src/auto-reply/reply/get-reply-inline-actions.ts
@@ -3,7 +3,7 @@ import { createOpenClawTools } from "../../agents/openclaw-tools.js";
 import type { BlockReplyChunking } from "../../agents/pi-embedded-block-chunker.js";
 import type { SkillCommandSpec } from "../../agents/skills.js";
 import { applyOwnerOnlyToolPolicy } from "../../agents/tool-policy.js";
-import { getChannelDock } from "../../channels/dock.js";
+import { getChannelPlugin } from "../../channels/plugins/index.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionEntry } from "../../config/sessions.js";
 import { logVerbose } from "../../globals.js";
@@ -402,7 +402,7 @@ export async function handleInlineActions(params: {
 
   const isEmptyConfig = Object.keys(cfg).length === 0;
   const skipWhenConfigEmpty = command.channelId
-    ? Boolean(getChannelDock(command.channelId)?.commands?.skipWhenConfigEmpty)
+    ? Boolean(getChannelPlugin(command.channelId)?.commands?.skipWhenConfigEmpty)
     : false;
   if (
     skipWhenConfigEmpty &&
diff --git a/src/auto-reply/reply/groups.ts b/src/auto-reply/reply/groups.ts
index dcf398d5a4b..acdbbe67faf 100644
--- a/src/auto-reply/reply/groups.ts
+++ b/src/auto-reply/reply/groups.ts
@@ -1,4 +1,3 @@
-import { getChannelDock } from "../../channels/dock.js";
 import {
   getChannelPlugin,
   normalizeChannelId as normalizePluginChannelId,
@@ -39,7 +38,7 @@ function resolveDockChannelId(raw?: string | null): ChannelId | null {
     return null;
   }
   try {
-    if (getChannelDock(normalized as ChannelId)) {
+    if (getChannelPlugin(normalized as ChannelId)) {
       return normalized as ChannelId;
     }
   } catch {
@@ -68,7 +67,7 @@ export function resolveGroupRequireMention(params: {
   const groupSpace = ctx.GroupSpace?.trim();
   let requireMention: boolean | undefined;
   try {
-    requireMention = getChannelDock(channel)?.groups?.resolveRequireMention?.({
+    requireMention = getChannelPlugin(channel)?.groups?.resolveRequireMention?.({
       cfg,
       groupId,
       groupChannel,
@@ -158,7 +157,7 @@ export function buildGroupIntro(params: {
     params.sessionCtx.GroupChannel?.trim() ?? params.sessionCtx.GroupSubject?.trim();
   const groupSpace = params.sessionCtx.GroupSpace?.trim();
   const providerIdsLine = providerId
-    ? getChannelDock(providerId)?.groups?.resolveGroupIntroHint?.({
+    ? getChannelPlugin(providerId)?.groups?.resolveGroupIntroHint?.({
         cfg: params.cfg,
         groupId,
         groupChannel,
diff --git a/src/auto-reply/reply/mentions.ts b/src/auto-reply/reply/mentions.ts
index 714e599e38a..5b60cf6688f 100644
--- a/src/auto-reply/reply/mentions.ts
+++ b/src/auto-reply/reply/mentions.ts
@@ -1,6 +1,5 @@
 import { resolveAgentConfig } from "../../agents/agent-scope.js";
-import { getChannelDock } from "../../channels/dock.js";
-import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { createSubsystemLogger } from "../../logging/subsystem.js";
 import { compileConfigRegexes, type ConfigRegexRejectReason } from "../../security/config-regex.js";
@@ -199,7 +198,7 @@ export function stripMentions(
 ): string {
   let result = text;
   const providerId = ctx.Provider ? normalizeChannelId(ctx.Provider) : null;
-  const providerMentions = providerId ? getChannelDock(providerId)?.mentions : undefined;
+  const providerMentions = providerId ? getChannelPlugin(providerId)?.mentions : undefined;
   const configRegexes = compileMentionPatternsCached({
     patterns: normalizeMentionPatterns(resolveMentionPatterns(cfg, agentId)),
     flags: "gi",
diff --git a/src/auto-reply/reply/normalize-reply.ts b/src/auto-reply/reply/normalize-reply.ts
index 793cbcc326f..52faa463bdb 100644
--- a/src/auto-reply/reply/normalize-reply.ts
+++ b/src/auto-reply/reply/normalize-reply.ts
@@ -1,4 +1,5 @@
 import { sanitizeUserFacingText } from "../../agents/pi-embedded-helpers.js";
+import { hasReplyChannelData, hasReplyContent } from "../../interactive/payload.js";
 import { stripHeartbeatToken } from "../heartbeat.js";
 import {
   HEARTBEAT_TOKEN,
@@ -31,12 +32,17 @@ export function normalizeReplyPayload(
   payload: ReplyPayload,
   opts: NormalizeReplyOptions = {},
 ): ReplyPayload | null {
-  const hasMedia = Boolean(payload.mediaUrl || (payload.mediaUrls?.length ?? 0) > 0);
-  const hasChannelData = Boolean(
-    payload.channelData && Object.keys(payload.channelData).length > 0,
-  );
+  const hasChannelData = hasReplyChannelData(payload.channelData);
   const trimmed = payload.text?.trim() ?? "";
-  if (!trimmed && !hasMedia && !hasChannelData) {
+  if (
+    !hasReplyContent({
+      text: trimmed,
+      mediaUrl: payload.mediaUrl,
+      mediaUrls: payload.mediaUrls,
+      interactive: payload.interactive,
+      hasChannelData,
+    })
+  ) {
     opts.onSkip?.("empty");
     return null;
   }
@@ -44,7 +50,14 @@ export function normalizeReplyPayload(
   const silentToken = opts.silentToken ?? SILENT_REPLY_TOKEN;
   let text = payload.text ?? undefined;
   if (text && isSilentReplyText(text, silentToken)) {
-    if (!hasMedia && !hasChannelData) {
+    if (
+      !hasReplyContent({
+        mediaUrl: payload.mediaUrl,
+        mediaUrls: payload.mediaUrls,
+        interactive: payload.interactive,
+        hasChannelData,
+      })
+    ) {
       opts.onSkip?.("silent");
       return null;
     }
@@ -55,7 +68,15 @@ export function normalizeReplyPayload(
   // silent just like the exact-match path above.  (#30916, #30955)
   if (text && text.includes(silentToken) && !isSilentReplyText(text, silentToken)) {
     text = stripSilentToken(text, silentToken);
-    if (!text && !hasMedia && !hasChannelData) {
+    if (
+      !hasReplyContent({
+        text,
+        mediaUrl: payload.mediaUrl,
+        mediaUrls: payload.mediaUrls,
+        interactive: payload.interactive,
+        hasChannelData,
+      })
+    ) {
       opts.onSkip?.("silent");
       return null;
     }
@@ -71,7 +92,16 @@ export function normalizeReplyPayload(
     if (stripped.didStrip) {
       opts.onHeartbeatStrip?.();
     }
-    if (stripped.shouldSkip && !hasMedia && !hasChannelData) {
+    if (
+      stripped.shouldSkip &&
+      !hasReplyContent({
+        text: stripped.text,
+        mediaUrl: payload.mediaUrl,
+        mediaUrls: payload.mediaUrls,
+        interactive: payload.interactive,
+        hasChannelData,
+      })
+    ) {
       opts.onSkip?.("heartbeat");
       return null;
     }
@@ -81,7 +111,15 @@ export function normalizeReplyPayload(
   if (text) {
     text = sanitizeUserFacingText(text, { errorContext: Boolean(payload.isError) });
   }
-  if (!text?.trim() && !hasMedia && !hasChannelData) {
+  if (
+    !hasReplyContent({
+      text,
+      mediaUrl: payload.mediaUrl,
+      mediaUrls: payload.mediaUrls,
+      interactive: payload.interactive,
+      hasChannelData,
+    })
+  ) {
     opts.onSkip?.("empty");
     return null;
   }
diff --git a/src/auto-reply/reply/reply-elevated.ts b/src/auto-reply/reply/reply-elevated.ts
index 17da0058dd6..9a6e5093bda 100644
--- a/src/auto-reply/reply/reply-elevated.ts
+++ b/src/auto-reply/reply/reply-elevated.ts
@@ -1,6 +1,5 @@
 import { resolveAgentConfig } from "../../agents/agent-scope.js";
-import { getChannelDock } from "../../channels/dock.js";
-import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import type { AgentElevatedAllowFromConfig, OpenClawConfig } from "../../config/config.js";
 import { normalizeStringEntries } from "../../shared/string-normalization.js";
 import type { MsgContext } from "../templating.js";
@@ -34,8 +33,9 @@ function resolveAllowFromFormatter(params: {
   accountId?: string;
 }): AllowFromFormatter {
   const normalizedProvider = normalizeChannelId(params.provider);
-  const dock = normalizedProvider ? getChannelDock(normalizedProvider) : undefined;
-  const formatAllowFrom = dock?.config?.formatAllowFrom;
+  const formatAllowFrom = normalizedProvider
+    ? getChannelPlugin(normalizedProvider)?.config?.formatAllowFrom
+    : undefined;
   if (!formatAllowFrom) {
     return (values) => normalizeStringEntries(values);
   }
@@ -192,11 +192,12 @@ export function resolveElevatedPermissions(params: {
   }
 
   const normalizedProvider = normalizeChannelId(params.provider);
-  const dock = normalizedProvider ? getChannelDock(normalizedProvider) : undefined;
-  const fallbackAllowFrom = dock?.elevated?.allowFromFallback?.({
-    cfg: params.cfg,
-    accountId: params.ctx.AccountId,
-  });
+  const fallbackAllowFrom = normalizedProvider
+    ? getChannelPlugin(normalizedProvider)?.elevated?.allowFromFallback?.({
+        cfg: params.cfg,
+        accountId: params.ctx.AccountId,
+      })
+    : undefined;
   const formatAllowFrom = resolveAllowFromFormatter({
     cfg: params.cfg,
     provider: params.provider,
diff --git a/src/auto-reply/reply/reply-flow.test.ts b/src/auto-reply/reply/reply-flow.test.ts
index d7efa640b1c..21a22faf8b2 100644
--- a/src/auto-reply/reply/reply-flow.test.ts
+++ b/src/auto-reply/reply/reply-flow.test.ts
@@ -1,6 +1,6 @@
 import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 import { importFreshModule } from "../../../test/helpers/import-fresh.js";
-import { expectInboundContextContract } from "../../../test/helpers/inbound-contract.js";
+import { expectChannelInboundContextContract as expectInboundContextContract } from "../../channels/plugins/contracts/suites.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { defaultRuntime } from "../../runtime.js";
 import type { MsgContext } from "../templating.js";
@@ -197,8 +197,8 @@ describe("inbound context contract (providers + extensions)", () => {
 
 const getLineData = (result: ReturnType<typeof parseLineDirectives>) =>
   (result.channelData?.line as Record<string, unknown> | undefined) ?? {};
-const getSlackData = (result: ReturnType<typeof parseSlackDirectives>) =>
-  (result.channelData?.slack as Record<string, unknown> | undefined) ?? {};
+const getSlackInteractive = (result: ReturnType<typeof parseSlackDirectives>) =>
+  result.interactive?.blocks ?? [];
 
 describe("hasLineDirectives", () => {
   it("matches expected detection across directive patterns", () => {
@@ -601,93 +601,52 @@ describe("parseLineDirectives", () => {
 });
 
 describe("parseSlackDirectives", () => {
-  it("builds section and button blocks from slack_buttons directives", () => {
+  it("builds shared text and button blocks from slack_buttons directives", () => {
     const result = parseSlackDirectives({
       text: "Choose an action [[slack_buttons: Approve:approve, Reject:reject]]",
     });
 
     expect(result.text).toBe("Choose an action");
-    expect(getSlackData(result).blocks).toEqual([
+    expect(getSlackInteractive(result)).toEqual([
       {
-        type: "section",
-        text: {
-          type: "mrkdwn",
-          text: "Choose an action",
-        },
+        type: "text",
+        text: "Choose an action",
       },
       {
-        type: "actions",
-        block_id: "openclaw_reply_buttons_1",
-        elements: [
+        type: "buttons",
+        buttons: [
           {
-            type: "button",
-            action_id: "openclaw:reply_button",
-            text: {
-              type: "plain_text",
-              text: "Approve",
-              emoji: true,
-            },
-            value: "reply_1_approve",
+            label: "Approve",
+            value: "approve",
           },
           {
-            type: "button",
-            action_id: "openclaw:reply_button",
-            text: {
-              type: "plain_text",
-              text: "Reject",
-              emoji: true,
-            },
-            value: "reply_2_reject",
+            label: "Reject",
+            value: "reject",
           },
         ],
       },
     ]);
   });
 
-  it("builds static select blocks from slack_select directives", () => {
+  it("builds shared select blocks from slack_select directives", () => {
     const result = parseSlackDirectives({
       text: "[[slack_select: Choose a project | Alpha:alpha, Beta:beta]]",
     });
 
     expect(result.text).toBeUndefined();
-    expect(getSlackData(result).blocks).toEqual([
+    expect(getSlackInteractive(result)).toEqual([
       {
-        type: "actions",
-        block_id: "openclaw_reply_select_1",
-        elements: [
-          {
-            type: "static_select",
-            action_id: "openclaw:reply_select",
-            placeholder: {
-              type: "plain_text",
-              text: "Choose a project",
-              emoji: true,
-            },
-            options: [
-              {
-                text: {
-                  type: "plain_text",
-                  text: "Alpha",
-                  emoji: true,
-                },
-                value: "reply_1_alpha",
-              },
-              {
-                text: {
-                  type: "plain_text",
-                  text: "Beta",
-                  emoji: true,
-                },
-                value: "reply_2_beta",
-              },
-            ],
-          },
+        type: "select",
+        placeholder: "Choose a project",
+        options: [
+          { label: "Alpha", value: "alpha" },
+          { label: "Beta", value: "beta" },
         ],
       },
     ]);
   });
 
-  it("appends Slack interactive blocks to existing slack blocks", () => {
+  it("leaves existing slack blocks in channelData and appends shared interactive blocks", () => {
     const result = parseSlackDirectives({
       text: "Act now [[slack_buttons: Retry:retry]]",
       channelData: {
@@ -698,30 +657,19 @@ describe("parseSlackDirectives", () => {
     });
 
     expect(result.text).toBe("Act now");
-    expect(getSlackData(result).blocks).toEqual([
-      { type: "divider" },
+    expect(result.channelData).toEqual({
+      slack: {
+        blocks: [{ type: "divider" }],
+      },
+    });
+    expect(getSlackInteractive(result)).toEqual([
       {
-        type: "section",
-        text: {
-          type: "mrkdwn",
-          text: "Act now",
-        },
+        type: "text",
+        text: "Act now",
       },
       {
-        type: "actions",
-        block_id: "openclaw_reply_buttons_1",
-        elements: [
-          {
-            type: "button",
-            action_id: "openclaw:reply_button",
-            text: {
-              type: "plain_text",
-              text: "Retry",
-              emoji: true,
-            },
-            value: "reply_1_retry",
-          },
-        ],
+        type: "buttons",
+        buttons: [{ label: "Retry", value: "retry" }],
       },
     ]);
   });
@@ -731,146 +679,70 @@ describe("parseSlackDirectives", () => {
       text: "[[slack_select: Pick one | Alpha:alpha]] then [[slack_buttons: Retry:retry]]",
     });
 
-    expect(getSlackData(result).blocks).toEqual([
+    expect(getSlackInteractive(result)).toEqual([
       {
-        type: "actions",
-        block_id: "openclaw_reply_select_1",
-        elements: [
-          {
-            type: "static_select",
-            action_id: "openclaw:reply_select",
-            placeholder: {
-              type: "plain_text",
-              text: "Pick one",
-              emoji: true,
-            },
-            options: [
-              {
-                text: {
-                  type: "plain_text",
-                  text: "Alpha",
-                  emoji: true,
-                },
-                value: "reply_1_alpha",
-              },
-            ],
-          },
-        ],
+        type: "select",
+        placeholder: "Pick one",
+        options: [{ label: "Alpha", value: "alpha" }],
       },
       {
-        type: "section",
-        text: {
-          type: "mrkdwn",
-          text: "then",
-        },
+        type: "text",
+        text: "then",
       },
       {
-        type: "actions",
-        block_id: "openclaw_reply_buttons_1",
-        elements: [
-          {
-            type: "button",
-            action_id: "openclaw:reply_button",
-            text: {
-              type: "plain_text",
-              text: "Retry",
-              emoji: true,
-            },
-            value: "reply_1_retry",
-          },
-        ],
+        type: "buttons",
+        buttons: [{ label: "Retry", value: "retry" }],
       },
     ]);
   });
 
-  it("truncates Slack interactive reply strings to safe Block Kit limits", () => {
+  it("preserves long Slack directive values in the shared interactive model", () => {
     const long = "x".repeat(120);
     const result = parseSlackDirectives({
       text: `${"y".repeat(3100)} [[slack_select: ${long} | ${long}:${long}]] [[slack_buttons: ${long}:${long}]]`,
     });
 
-    const blocks = getSlackData(result).blocks as Array<Record<string, unknown>>;
-    expect(blocks).toHaveLength(3);
-    expect(((blocks[0]?.text as { text?: string })?.text ?? "").length).toBeLessThanOrEqual(3000);
-    expect(
-      (
-        (
-          (blocks[1]?.elements as Array<Record<string, unknown>>)?.[0]?.placeholder as {
-            text?: string;
-          }
-        )?.text ?? ""
-      ).length,
-    ).toBeLessThanOrEqual(75);
-    expect(
-      (
-        (
-          (
-            (blocks[1]?.elements as Array<Record<string, unknown>>)?.[0]?.options as Array<
-              Record<string, unknown>
-            >
-          )?.[0]?.text as { text?: string }
-        )?.text ?? ""
-      ).length,
-    ).toBeLessThanOrEqual(75);
-    expect(
-      (
-        ((
-          (blocks[1]?.elements as Array<Record<string, unknown>>)?.[0]?.options as Array<
-            Record<string, unknown>
-          >
-        )?.[0]?.value as string | undefined) ?? ""
-      ).length,
-    ).toBeLessThanOrEqual(75);
-    expect(
-      (
-        (
-          (blocks[2]?.elements as Array<Record<string, unknown>>)?.[0]?.text as {
-            text?: string;
-          }
-        )?.text ?? ""
-      ).length,
-    ).toBeLessThanOrEqual(75);
-    expect(
-      (
-        ((blocks[2]?.elements as Array<Record<string, unknown>>)?.[0]?.value as
-          | string
-          | undefined) ?? ""
-      ).length,
-    ).toBeLessThanOrEqual(75);
+    expect(getSlackInteractive(result)).toEqual([
+      {
+        type: "text",
+        text: "y".repeat(3100),
+      },
+      {
+        type: "select",
+        placeholder: long,
+        options: [{ label: long, value: long }],
+      },
+      {
+        type: "buttons",
+        buttons: [{ label: long, value: long }],
+      },
+    ]);
   });
 
-  it("falls back to the original payload when generated blocks would exceed Slack limits", () => {
+  it("keeps existing interactive blocks when compiling additional Slack directives", () => {
     const result = parseSlackDirectives({
       text: "Choose [[slack_buttons: Retry:retry]]",
-      channelData: {
-        slack: {
-          blocks: Array.from({ length: 49 }, () => ({ type: "divider" })),
-        },
+      interactive: {
+        blocks: [{ type: "text", text: "Existing" }],
       },
     });
 
+    expect(getSlackInteractive(result)).toEqual([
+      { type: "text", text: "Existing" },
+      { type: "text", text: "Choose" },
+      { type: "buttons", buttons: [{ label: "Retry", value: "retry" }] },
+    ]);
+  });
+
+  it("ignores malformed directive choices when none remain", () => {
+    const result = parseSlackDirectives({
+      text: "Choose [[slack_buttons: : , : ]]",
+    });
+
     expect(result).toEqual({
-      text: "Choose [[slack_buttons: Retry:retry]]",
-      channelData: {
-        slack: {
-          blocks: Array.from({ length: 49 }, () => ({ type: "divider" })),
-        },
-      },
+      text: "Choose [[slack_buttons: : , : ]]",
     });
   });
-
-  it("ignores malformed existing Slack blocks during directive compilation", () => {
-    expect(() =>
-      parseSlackDirectives({
-        text: "Choose [[slack_buttons: Retry:retry]]",
-        channelData: {
-          slack: {
-            blocks: "{not json}",
-          },
-        },
-      }),
-    ).not.toThrow();
-  });
 });
 
 function createDeferred<T>() {
@@ -1796,22 +1668,17 @@ describe("createReplyDispatcher", () => {
     expect(deliver).toHaveBeenCalledTimes(1);
     expect(deliver.mock.calls[0]?.[0]).toMatchObject({
       text: "Choose",
-      channelData: {
-        slack: {
-          blocks: [
-            {
-              type: "section",
-              text: {
-                type: "mrkdwn",
-                text: "Choose",
-              },
-            },
-            {
-              type: "actions",
-              block_id: "openclaw_reply_buttons_1",
-            },
-          ],
-        },
+      interactive: {
+        blocks: [
+          {
+            type: "text",
+            text: "Choose",
+          },
+          {
+            type: "buttons",
+            buttons: [{ label: "Retry", value: "retry" }],
+          },
+        ],
       },
     });
   });
diff --git a/src/auto-reply/reply/reply-payloads.ts b/src/auto-reply/reply/reply-payloads.ts
index 63083941365..7d7ae82975c 100644
--- a/src/auto-reply/reply/reply-payloads.ts
+++ b/src/auto-reply/reply/reply-payloads.ts
@@ -1,9 +1,10 @@
-import { parseTelegramTarget } from "../../../extensions/telegram/src/targets.js";
 import { isMessagingToolDuplicate } from "../../agents/pi-embedded-helpers.js";
 import type { MessagingToolSend } from "../../agents/pi-embedded-runner.js";
 import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { parseExplicitTargetForChannel } from "../../channels/plugins/target-parsing.js";
 import type { ReplyToMode } from "../../config/types.js";
 import { normalizeTargetForProvider } from "../../infra/outbound/target-normalization.js";
+import { hasReplyChannelData, hasReplyContent } from "../../interactive/payload.js";
 import { normalizeOptionalAccountId } from "../../routing/account-id.js";
 import type { OriginatingChannelType } from "../templating.js";
 import type { ReplyPayload } from "../types.js";
@@ -74,13 +75,14 @@ export function applyReplyTagsToPayload(
 }
 
 export function isRenderablePayload(payload: ReplyPayload): boolean {
-  return Boolean(
-    payload.text ||
-    payload.mediaUrl ||
-    (payload.mediaUrls && payload.mediaUrls.length > 0) ||
-    payload.audioAsVoice ||
-    payload.channelData,
-  );
+  return hasReplyContent({
+    text: payload.text,
+    mediaUrl: payload.mediaUrl,
+    mediaUrls: payload.mediaUrls,
+    interactive: payload.interactive,
+    hasChannelData: hasReplyChannelData(payload.channelData),
+    extraContent: payload.audioAsVoice,
+  });
 }
 
 export function shouldSuppressReasoningPayload(payload: ReplyPayload): boolean {
@@ -208,15 +210,16 @@ function targetsMatchForSuppression(params: {
     return params.targetKey === params.originTarget;
   }
 
-  const origin = parseTelegramTarget(params.originTarget);
-  const target = parseTelegramTarget(params.targetKey);
+  const origin = parseExplicitTargetForChannel("telegram", params.originTarget);
+  const target = parseExplicitTargetForChannel("telegram", params.targetKey);
+  if (!origin || !target) {
+    return params.targetKey === params.originTarget;
+  }
   const explicitTargetThreadId = normalizeThreadIdForComparison(params.targetThreadId);
   const targetThreadId =
-    explicitTargetThreadId ??
-    (target.messageThreadId != null ? String(target.messageThreadId) : undefined);
-  const originThreadId =
-    origin.messageThreadId != null ? String(origin.messageThreadId) : undefined;
-  if (origin.chatId.trim().toLowerCase() !== target.chatId.trim().toLowerCase()) {
+    explicitTargetThreadId ?? (target.threadId != null ? String(target.threadId) : undefined);
+  const originThreadId = origin.threadId != null ? String(origin.threadId) : undefined;
+  if (origin.to.trim().toLowerCase() !== target.to.trim().toLowerCase()) {
     return false;
   }
   if (originThreadId && targetThreadId != null) {
diff --git a/src/auto-reply/reply/reply-threading.ts b/src/auto-reply/reply/reply-threading.ts
index 5db377bbd00..66871f226b7 100644
--- a/src/auto-reply/reply/reply-threading.ts
+++ b/src/auto-reply/reply/reply-threading.ts
@@ -1,5 +1,4 @@
-import { getChannelDock } from "../../channels/dock.js";
-import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { ReplyToMode } from "../../config/types.js";
 import type { OriginatingChannelType } from "../templating.js";
@@ -15,7 +14,7 @@ export function resolveReplyToMode(
   if (!provider) {
     return "all";
   }
-  const resolved = getChannelDock(provider)?.threading?.resolveReplyToMode?.({
+  const resolved = getChannelPlugin(provider)?.threading?.resolveReplyToMode?.({
     cfg,
     accountId,
     chatType,
@@ -59,9 +58,9 @@ export function createReplyToModeFilterForChannel(
   const isWebchat = normalized === "webchat";
   // Default: allow explicit reply tags/directives even when replyToMode is "off".
   // Unknown channels fail closed; internal webchat stays allowed.
-  const dock = provider ? getChannelDock(provider) : undefined;
+  const threading = provider ? getChannelPlugin(provider)?.threading : undefined;
   const allowExplicitReplyTagsWhenOff = provider
-    ? (dock?.threading?.allowExplicitReplyTagsWhenOff ?? dock?.threading?.allowTagsWhenOff ?? true)
+    ? (threading?.allowExplicitReplyTagsWhenOff ?? threading?.allowTagsWhenOff ?? true)
     : isWebchat;
   return createReplyToModeFilter(mode, {
     allowExplicitReplyTagsWhenOff,
diff --git a/src/auto-reply/reply/reply-utils.test.ts b/src/auto-reply/reply/reply-utils.test.ts
index 88f092bf1e5..fc499e93676 100644
--- a/src/auto-reply/reply/reply-utils.test.ts
+++ b/src/auto-reply/reply/reply-utils.test.ts
@@ -158,10 +158,10 @@ describe("normalizeReplyPayload", () => {
 
     expect(result).not.toBeNull();
     expect(result!.text).toBe("hello [[slack_buttons: Retry:retry, Ignore:ignore]]");
-    expect(result!.channelData).toBeUndefined();
+    expect(result!.interactive).toBeUndefined();
   });
 
-  it("applies responsePrefix before compiling Slack directives into blocks", () => {
+  it("applies responsePrefix before compiling Slack directives into shared interactive blocks", () => {
     const result = normalizeReplyPayload(
       {
         text: "hello [[slack_buttons: Retry:retry, Ignore:ignore]]",
@@ -171,44 +171,26 @@ describe("normalizeReplyPayload", () => {
 
     expect(result).not.toBeNull();
     expect(result!.text).toBe("[bot] hello");
-    expect(result!.channelData).toEqual({
-      slack: {
-        blocks: [
-          {
-            type: "section",
-            text: {
-              type: "mrkdwn",
-              text: "[bot] hello",
+    expect(result!.interactive).toEqual({
+      blocks: [
+        {
+          type: "text",
+          text: "[bot] hello",
+        },
+        {
+          type: "buttons",
+          buttons: [
+            {
+              label: "Retry",
+              value: "retry",
             },
-          },
-          {
-            type: "actions",
-            block_id: "openclaw_reply_buttons_1",
-            elements: [
-              {
-                type: "button",
-                action_id: "openclaw:reply_button",
-                text: {
-                  type: "plain_text",
-                  text: "Retry",
-                  emoji: true,
-                },
-                value: "reply_1_retry",
-              },
-              {
-                type: "button",
-                action_id: "openclaw:reply_button",
-                text: {
-                  type: "plain_text",
-                  text: "Ignore",
-                  emoji: true,
-                },
-                value: "reply_2_ignore",
-              },
-            ],
-          },
-        ],
-      },
+            {
+              label: "Ignore",
+              value: "ignore",
+            },
+          ],
+        },
+      ],
     });
   });
 });
diff --git a/src/auto-reply/reply/route-reply.test.ts b/src/auto-reply/reply/route-reply.test.ts
index ed507607c83..b7b6cd31e9f 100644
--- a/src/auto-reply/reply/route-reply.test.ts
+++ b/src/auto-reply/reply/route-reply.test.ts
@@ -1,11 +1,14 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { mattermostPlugin } from "../../../extensions/mattermost/src/channel.js";
-import { discordOutbound } from "../../channels/plugins/outbound/discord.js";
-import { imessageOutbound } from "../../channels/plugins/outbound/imessage.js";
-import { signalOutbound } from "../../channels/plugins/outbound/signal.js";
-import { slackOutbound } from "../../channels/plugins/outbound/slack.js";
-import { telegramOutbound } from "../../channels/plugins/outbound/telegram.js";
-import { whatsappOutbound } from "../../channels/plugins/outbound/whatsapp.js";
+import { slackPlugin } from "../../../extensions/slack/src/channel.js";
+import {
+  discordOutbound,
+  imessageOutbound,
+  signalOutbound,
+  slackOutbound,
+  telegramOutbound,
+  whatsappOutbound,
+} from "../../../test/channel-outbounds.js";
 import type { ChannelOutboundAdapter, ChannelPlugin } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { PluginRegistry } from "../../plugins/registry.js";
@@ -88,6 +91,7 @@ const createRegistry = (channels: PluginRegistry["channels"]): PluginRegistry =>
     enabled: true,
   })),
   providers: [],
+  webSearchProviders: [],
   gatewayHandlers: {},
   httpRoutes: [],
   cliRegistrars: [],
@@ -539,7 +543,11 @@ const defaultRegistry = createTestRegistry([
   },
   {
     pluginId: "slack",
-    plugin: createOutboundTestPlugin({ id: "slack", outbound: slackOutbound, label: "Slack" }),
+    plugin: {
+      ...createOutboundTestPlugin({ id: "slack", outbound: slackOutbound, label: "Slack" }),
+      messaging: slackPlugin.messaging,
+      threading: slackPlugin.threading,
+    },
     source: "test",
   },
   {
diff --git a/src/auto-reply/reply/route-reply.ts b/src/auto-reply/reply/route-reply.ts
index 8ef3ef563c5..3836ceb5ab6 100644
--- a/src/auto-reply/reply/route-reply.ts
+++ b/src/auto-reply/reply/route-reply.ts
@@ -7,13 +7,12 @@
  * across multiple providers.
  */
 
-import { parseSlackBlocksInput } from "../../../extensions/slack/src/blocks-input.js";
-import { isSlackInteractiveRepliesEnabled } from "../../../extensions/slack/src/interactive-replies.js";
 import { resolveSessionAgentId } from "../../agents/agent-scope.js";
 import { resolveEffectiveMessagesConfig } from "../../agents/identity.js";
-import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { buildOutboundSessionContext } from "../../infra/outbound/session-context.js";
+import { hasReplyContent } from "../../interactive/payload.js";
 import { INTERNAL_MESSAGE_CHANNEL, normalizeMessageChannel } from "../../utils/message-channel.js";
 import type { OriginatingChannelType } from "../templating.js";
 import type { ReplyPayload } from "../types.js";
@@ -80,6 +79,8 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
     return { ok: true };
   }
   const normalizedChannel = normalizeMessageChannel(channel);
+  const channelId = normalizeChannelId(channel) ?? null;
+  const plugin = channelId ? getChannelPlugin(channelId) : undefined;
   const resolvedAgentId = params.sessionKey
     ? resolveSessionAgentId({
         sessionKey: params.sessionKey,
@@ -99,8 +100,10 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
       : cfg.messages?.responsePrefix;
   const normalized = normalizeReplyPayload(payload, {
     responsePrefix,
-    enableSlackInteractiveReplies:
-      channel === "slack" ? isSlackInteractiveRepliesEnabled({ cfg, accountId }) : false,
+    enableSlackInteractiveReplies: plugin?.messaging?.enableInteractiveReplies?.({
+      cfg,
+      accountId,
+    }),
   });
   if (!normalized) {
     return { ok: true };
@@ -117,25 +120,19 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
       ? [externalPayload.mediaUrl]
       : [];
   const replyToId = externalPayload.replyToId;
-  let hasSlackBlocks = false;
-  if (
-    channel === "slack" &&
-    externalPayload.channelData?.slack &&
-    typeof externalPayload.channelData.slack === "object" &&
-    !Array.isArray(externalPayload.channelData.slack)
-  ) {
-    try {
-      hasSlackBlocks = Boolean(
-        parseSlackBlocksInput((externalPayload.channelData.slack as { blocks?: unknown }).blocks)
-          ?.length,
-      );
-    } catch {
-      hasSlackBlocks = false;
-    }
-  }
+  const hasChannelData = plugin?.messaging?.hasStructuredReplyPayload?.({
+    payload: externalPayload,
+  });
 
   // Skip empty replies.
-  if (!text.trim() && mediaUrls.length === 0 && !hasSlackBlocks) {
+  if (
+    !hasReplyContent({
+      text,
+      mediaUrls,
+      interactive: externalPayload.interactive,
+      hasChannelData,
+    })
+  ) {
     return { ok: true };
   }
 
@@ -146,7 +143,6 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
     };
   }
 
-  const channelId = normalizeChannelId(channel) ?? null;
   if (!channelId) {
     return { ok: false, error: `Unknown channel: ${String(channel)}` };
   }
@@ -154,12 +150,21 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
     return { ok: false, error: "Reply routing aborted" };
   }
 
+  const replyTransport =
+    plugin?.threading?.resolveReplyTransport?.({
+      cfg,
+      accountId,
+      threadId,
+      replyToId,
+    }) ?? null;
   const resolvedReplyToId =
+    replyTransport?.replyToId ??
     replyToId ??
     ((channelId === "slack" || channelId === "mattermost") && threadId != null && threadId !== ""
       ? String(threadId)
       : undefined);
-  const resolvedThreadId = channelId === "slack" ? null : (threadId ?? null);
+  const resolvedThreadId =
+    replyTransport?.threadId ?? (channelId === "slack" ? null : (threadId ?? null));
 
   try {
     // Provider docking: this is an execution boundary (we're about to send).
diff --git a/src/auto-reply/reply/session-delivery.test.ts b/src/auto-reply/reply/session-delivery.test.ts
index 2bfb4812f64..bd5f0d7c27b 100644
--- a/src/auto-reply/reply/session-delivery.test.ts
+++ b/src/auto-reply/reply/session-delivery.test.ts
@@ -9,24 +9,29 @@ describe("session delivery direct-session routing overrides", () => {
     "agent:main:telegram:dm:123456",
     "agent:main:telegram:direct:123456:thread:99",
     "agent:main:telegram:account-a:direct:123456:topic:ops",
-  ])("lets webchat override persisted routes for strict direct key %s", (sessionKey) => {
-    expect(
-      resolveLastChannelRaw({
-        originatingChannelRaw: "webchat",
-        persistedLastChannel: "telegram",
-        sessionKey,
-      }),
-    ).toBe("webchat");
-    expect(
-      resolveLastToRaw({
-        originatingChannelRaw: "webchat",
-        originatingToRaw: "session:dashboard",
-        persistedLastChannel: "telegram",
-        persistedLastTo: "123456",
-        sessionKey,
-      }),
-    ).toBe("session:dashboard");
-  });
+  ])(
+    "preserves persisted external route when webchat accesses channel-peer session %s (fixes #47745)",
+    (sessionKey) => {
+      // Webchat/dashboard viewing an external-channel session must not overwrite
+      // the delivery route — subagents must still deliver to the original channel.
+      expect(
+        resolveLastChannelRaw({
+          originatingChannelRaw: "webchat",
+          persistedLastChannel: "telegram",
+          sessionKey,
+        }),
+      ).toBe("telegram");
+      expect(
+        resolveLastToRaw({
+          originatingChannelRaw: "webchat",
+          originatingToRaw: "session:dashboard",
+          persistedLastChannel: "telegram",
+          persistedLastTo: "123456",
+          sessionKey,
+        }),
+      ).toBe("123456");
+    },
+  );
 
   it.each([
     "agent:main:main:direct",
diff --git a/src/auto-reply/reply/session-delivery.ts b/src/auto-reply/reply/session-delivery.ts
index ef2f0cde227..9a112a6829e 100644
--- a/src/auto-reply/reply/session-delivery.ts
+++ b/src/auto-reply/reply/session-delivery.ts
@@ -90,16 +90,23 @@ export function resolveLastChannelRaw(params: {
   sessionKey?: string;
 }): string | undefined {
   const originatingChannel = normalizeMessageChannel(params.originatingChannelRaw);
-  // WebChat should own reply routing for direct-session UI turns, even when the
-  // session previously replied through an external channel like iMessage.
+  // WebChat should own reply routing for direct-session UI turns, but only when
+  // the session has no established external delivery route. If the session was
+  // created via an external channel (e.g. Telegram, iMessage), webchat/dashboard
+  // access must not overwrite the persisted route — doing so causes subagent
+  // completion events to be delivered to the dashboard instead of the original
+  // channel. See: https://github.com/openclaw/openclaw/issues/47745
+  const persistedChannel = normalizeMessageChannel(params.persistedLastChannel);
+  const sessionKeyChannelHint = resolveSessionKeyChannelHint(params.sessionKey);
+  const hasEstablishedExternalRoute =
+    isExternalRoutingChannel(persistedChannel) || isExternalRoutingChannel(sessionKeyChannelHint);
   if (
     originatingChannel === INTERNAL_MESSAGE_CHANNEL &&
+    !hasEstablishedExternalRoute &&
     (isMainSessionKey(params.sessionKey) || isDirectSessionKey(params.sessionKey))
   ) {
     return params.originatingChannelRaw;
   }
-  const persistedChannel = normalizeMessageChannel(params.persistedLastChannel);
-  const sessionKeyChannelHint = resolveSessionKeyChannelHint(params.sessionKey);
   let resolved = params.originatingChannelRaw || params.persistedLastChannel;
   // Internal/non-deliverable sources should not overwrite previously known
   // external delivery routes (or explicit channel hints from the session key).
@@ -122,15 +129,17 @@ export function resolveLastToRaw(params: {
   sessionKey?: string;
 }): string | undefined {
   const originatingChannel = normalizeMessageChannel(params.originatingChannelRaw);
+  const persistedChannel = normalizeMessageChannel(params.persistedLastChannel);
+  const sessionKeyChannelHint = resolveSessionKeyChannelHint(params.sessionKey);
+  const hasEstablishedExternalRouteForTo =
+    isExternalRoutingChannel(persistedChannel) || isExternalRoutingChannel(sessionKeyChannelHint);
   if (
     originatingChannel === INTERNAL_MESSAGE_CHANNEL &&
+    !hasEstablishedExternalRouteForTo &&
     (isMainSessionKey(params.sessionKey) || isDirectSessionKey(params.sessionKey))
   ) {
     return params.originatingToRaw || params.toRaw;
   }
-  const persistedChannel = normalizeMessageChannel(params.persistedLastChannel);
-  const sessionKeyChannelHint = resolveSessionKeyChannelHint(params.sessionKey);
-
   // When the turn originates from an internal/non-deliverable source, do not
   // replace an established external destination with internal routing ids
   // (e.g., session/webchat ids).
diff --git a/src/auto-reply/reply/session.test.ts b/src/auto-reply/reply/session.test.ts
index db0870b704a..5c382a74aa9 100644
--- a/src/auto-reply/reply/session.test.ts
+++ b/src/auto-reply/reply/session.test.ts
@@ -1942,8 +1942,11 @@ describe("initSessionState internal channel routing preservation", () => {
     expect(result.sessionEntry.deliveryContext?.to).toBe("group:12345");
   });
 
-  it("lets direct webchat turns override persisted external routes for per-channel-peer sessions", async () => {
-    const storePath = await createStorePath("webchat-direct-route-override-");
+  it("preserves persisted external route when webchat views a channel-peer session (fixes #47745)", async () => {
+    // Regression: dashboard/webchat access must not overwrite an established
+    // external delivery route (e.g. Telegram/iMessage) on a channel-scoped session.
+    // Subagent completions should still be delivered to the original channel.
+    const storePath = await createStorePath("webchat-direct-route-preserve-");
     const sessionKey = "agent:main:imessage:direct:+1555";
     await writeSessionStoreFast(storePath, {
       [sessionKey]: {
@@ -1973,6 +1976,40 @@ describe("initSessionState internal channel routing preservation", () => {
       commandAuthorized: true,
     });
 
+    // External route must be preserved — webchat is admin/monitoring only
+    expect(result.sessionEntry.lastChannel).toBe("imessage");
+    expect(result.sessionEntry.lastTo).toBe("+1555");
+    expect(result.sessionEntry.deliveryContext?.channel).toBe("imessage");
+    expect(result.sessionEntry.deliveryContext?.to).toBe("+1555");
+  });
+
+  it("lets direct webchat turns own routing for sessions with no prior external route", async () => {
+    // Webchat should still own routing for sessions that were created via webchat
+    // (no external channel ever established).
+    const storePath = await createStorePath("webchat-direct-route-noext-");
+    const sessionKey = "agent:main:main";
+    await writeSessionStoreFast(storePath, {
+      [sessionKey]: {
+        sessionId: "sess-webchat-noext",
+        updatedAt: Date.now(),
+      },
+    });
+    const cfg = {
+      session: { store: storePath, dmScope: "per-channel-peer" },
+    } as OpenClawConfig;
+
+    const result = await initSessionState({
+      ctx: {
+        Body: "reply from control ui",
+        SessionKey: sessionKey,
+        OriginatingChannel: "webchat",
+        OriginatingTo: "session:dashboard",
+        Surface: "webchat",
+      },
+      cfg,
+      commandAuthorized: true,
+    });
+
     expect(result.sessionEntry.lastChannel).toBe("webchat");
     expect(result.sessionEntry.lastTo).toBe("session:dashboard");
     expect(result.sessionEntry.deliveryContext?.channel).toBe("webchat");
@@ -2068,8 +2105,10 @@ describe("initSessionState internal channel routing preservation", () => {
     expect(result.sessionEntry.lastChannel).toBe("webchat");
   });
 
-  it("does not reuse stale external lastTo for webchat/main turns without destination", async () => {
-    const storePath = await createStorePath("webchat-main-no-stale-lastto-");
+  it("preserves external route for main session when webchat accesses without destination (fixes #47745)", async () => {
+    // Regression: webchat monitoring a main session that has an established WhatsApp
+    // route must not clear that route. Subagents should still deliver to WhatsApp.
+    const storePath = await createStorePath("webchat-main-preserve-external-");
     const sessionKey = "agent:main:main";
     await writeSessionStoreFast(storePath, {
       [sessionKey]: {
@@ -2095,12 +2134,14 @@ describe("initSessionState internal channel routing preservation", () => {
       commandAuthorized: true,
     });
 
-    expect(result.sessionEntry.lastChannel).toBe("webchat");
-    expect(result.sessionEntry.lastTo).toBeUndefined();
+    expect(result.sessionEntry.lastChannel).toBe("whatsapp");
+    expect(result.sessionEntry.lastTo).toBe("+15555550123");
   });
 
-  it("prefers webchat route over persisted external route for main session turns", async () => {
-    const storePath = await createStorePath("prefer-webchat-main-route-");
+  it("preserves external route for main session when webchat sends with destination (fixes #47745)", async () => {
+    // Regression: webchat sending to a main session with an established WhatsApp route
+    // must not steal that route for webchat delivery.
+    const storePath = await createStorePath("preserve-main-external-webchat-send-");
     const sessionKey = "agent:main:main";
     await writeSessionStoreFast(storePath, {
       [sessionKey]: {
@@ -2127,9 +2168,9 @@ describe("initSessionState internal channel routing preservation", () => {
       commandAuthorized: true,
     });
 
-    expect(result.sessionEntry.lastChannel).toBe("webchat");
-    expect(result.sessionEntry.lastTo).toBe("session:webchat-main");
-    expect(result.sessionEntry.deliveryContext?.channel).toBe("webchat");
-    expect(result.sessionEntry.deliveryContext?.to).toBe("session:webchat-main");
+    expect(result.sessionEntry.lastChannel).toBe("whatsapp");
+    expect(result.sessionEntry.lastTo).toBe("+15555550123");
+    expect(result.sessionEntry.deliveryContext?.channel).toBe("whatsapp");
+    expect(result.sessionEntry.deliveryContext?.to).toBe("+15555550123");
   });
 });
diff --git a/src/auto-reply/reply/slack-directives.ts b/src/auto-reply/reply/slack-directives.ts
index 552be69335c..58aa4e644b8 100644
--- a/src/auto-reply/reply/slack-directives.ts
+++ b/src/auto-reply/reply/slack-directives.ts
@@ -1,22 +1,9 @@
-import { parseSlackBlocksInput } from "../../../extensions/slack/src/blocks-input.js";
-import { truncateSlackText } from "../../../extensions/slack/src/truncate.js";
 import type { ReplyPayload } from "../types.js";
 
-const SLACK_REPLY_BUTTON_ACTION_ID = "openclaw:reply_button";
-const SLACK_REPLY_SELECT_ACTION_ID = "openclaw:reply_select";
-const SLACK_MAX_BLOCKS = 50;
 const SLACK_BUTTON_MAX_ITEMS = 5;
 const SLACK_SELECT_MAX_ITEMS = 100;
-const SLACK_SECTION_TEXT_MAX = 3000;
-const SLACK_PLAIN_TEXT_MAX = 75;
-const SLACK_OPTION_VALUE_MAX = 75;
 const SLACK_DIRECTIVE_RE = /\[\[(slack_buttons|slack_select):\s*([^\]]+)\]\]/gi;
 
-type SlackBlock = Record<string, unknown>;
-type SlackChannelData = {
-  blocks?: unknown;
-};
-
 type SlackChoice = {
   label: string;
   value: string;
@@ -50,51 +37,35 @@ function parseChoices(raw: string, maxItems: number): SlackChoice[] {
     .slice(0, maxItems);
 }
 
-function buildSlackReplyChoiceToken(value: string, index: number): string {
-  const slug = value
-    .trim()
-    .toLowerCase()
-    .replace(/[^a-z0-9]+/g, "_")
-    .replace(/^_+|_+$/g, "");
-  return truncateSlackText(`reply_${index}_${slug || "choice"}`, SLACK_OPTION_VALUE_MAX);
-}
-
-function buildSectionBlock(text: string): SlackBlock | null {
+function buildTextBlock(
+  text: string,
+): NonNullable<ReplyPayload["interactive"]>["blocks"][number] | null {
   const trimmed = text.trim();
   if (!trimmed) {
     return null;
   }
-  return {
-    type: "section",
-    text: {
-      type: "mrkdwn",
-      text: truncateSlackText(trimmed, SLACK_SECTION_TEXT_MAX),
-    },
-  };
+  return { type: "text", text: trimmed };
 }
 
-function buildButtonsBlock(raw: string, index: number): SlackBlock | null {
+function buildButtonsBlock(
+  raw: string,
+): NonNullable<ReplyPayload["interactive"]>["blocks"][number] | null {
   const choices = parseChoices(raw, SLACK_BUTTON_MAX_ITEMS);
   if (choices.length === 0) {
     return null;
   }
   return {
-    type: "actions",
-    block_id: `openclaw_reply_buttons_${index}`,
-    elements: choices.map((choice, choiceIndex) => ({
-      type: "button",
-      action_id: SLACK_REPLY_BUTTON_ACTION_ID,
-      text: {
-        type: "plain_text",
-        text: truncateSlackText(choice.label, SLACK_PLAIN_TEXT_MAX),
-        emoji: true,
-      },
-      value: buildSlackReplyChoiceToken(choice.value, choiceIndex + 1),
+    type: "buttons",
+    buttons: choices.map((choice) => ({
+      label: choice.label,
+      value: choice.value,
     })),
   };
 }
 
-function buildSelectBlock(raw: string, index: number): SlackBlock | null {
+function buildSelectBlock(
+  raw: string,
+): NonNullable<ReplyPayload["interactive"]>["blocks"][number] | null {
   const parts = raw
     .split("|")
     .map((entry) => entry.trim())
@@ -109,40 +80,12 @@ function buildSelectBlock(raw: string, index: number): SlackBlock | null {
     return null;
   }
   return {
-    type: "actions",
-    block_id: `openclaw_reply_select_${index}`,
-    elements: [
-      {
-        type: "static_select",
-        action_id: SLACK_REPLY_SELECT_ACTION_ID,
-        placeholder: {
-          type: "plain_text",
-          text: truncateSlackText(placeholder, SLACK_PLAIN_TEXT_MAX),
-          emoji: true,
-        },
-        options: choices.map((choice, choiceIndex) => ({
-          text: {
-            type: "plain_text",
-            text: truncateSlackText(choice.label, SLACK_PLAIN_TEXT_MAX),
-            emoji: true,
-          },
-          value: buildSlackReplyChoiceToken(choice.value, choiceIndex + 1),
-        })),
-      },
-    ],
+    type: "select",
+    placeholder,
+    options: choices,
   };
 }
 
-function readExistingSlackBlocks(payload: ReplyPayload): SlackBlock[] {
-  const slackData = payload.channelData?.slack as SlackChannelData | undefined;
-  try {
-    const blocks = parseSlackBlocksInput(slackData?.blocks) as SlackBlock[] | undefined;
-    return blocks ?? [];
-  } catch {
-    return [];
-  }
-}
-
 export function hasSlackDirectives(text: string): boolean {
   SLACK_DIRECTIVE_RE.lastIndex = 0;
   return SLACK_DIRECTIVE_RE.test(text);
@@ -154,10 +97,8 @@ export function parseSlackDirectives(payload: ReplyPayload): ReplyPayload {
     return payload;
   }
 
-  const generatedBlocks: SlackBlock[] = [];
+  const generatedBlocks: NonNullable<ReplyPayload["interactive"]>["blocks"] = [];
   const visibleTextParts: string[] = [];
-  let buttonIndex = 0;
-  let selectIndex = 0;
   let cursor = 0;
   let matchedDirective = false;
   let generatedInteractiveBlock = false;
@@ -171,14 +112,14 @@ export function parseSlackDirectives(payload: ReplyPayload): ReplyPayload {
     const index = match.index ?? 0;
     const precedingText = text.slice(cursor, index);
     visibleTextParts.push(precedingText);
-    const section = buildSectionBlock(precedingText);
+    const section = buildTextBlock(precedingText);
     if (section) {
       generatedBlocks.push(section);
     }
     const block =
       directiveType.toLowerCase() === "slack_buttons"
-        ? buildButtonsBlock(body, ++buttonIndex)
-        : buildSelectBlock(body, ++selectIndex);
+        ? buildButtonsBlock(body)
+        : buildSelectBlock(body);
     if (block) {
       generatedInteractiveBlock = true;
       generatedBlocks.push(block);
@@ -188,7 +129,7 @@ export function parseSlackDirectives(payload: ReplyPayload): ReplyPayload {
 
   const trailingText = text.slice(cursor);
   visibleTextParts.push(trailingText);
-  const trailingSection = buildSectionBlock(trailingText);
+  const trailingSection = buildTextBlock(trailingText);
   if (trailingSection) {
     generatedBlocks.push(trailingSection);
   }
@@ -198,21 +139,11 @@ export function parseSlackDirectives(payload: ReplyPayload): ReplyPayload {
     return payload;
   }
 
-  const existingBlocks = readExistingSlackBlocks(payload);
-  if (existingBlocks.length + generatedBlocks.length > SLACK_MAX_BLOCKS) {
-    return payload;
-  }
-  const nextBlocks = [...existingBlocks, ...generatedBlocks];
-
   return {
     ...payload,
     text: cleanedText.trim() || undefined,
-    channelData: {
-      ...payload.channelData,
-      slack: {
-        ...(payload.channelData?.slack as Record<string, unknown> | undefined),
-        blocks: nextBlocks,
-      },
+    interactive: {
+      blocks: [...(payload.interactive?.blocks ?? []), ...generatedBlocks],
     },
   };
 }
diff --git a/src/auto-reply/reply/telegram-context.test.ts b/src/auto-reply/reply/telegram-context.test.ts
index 7b58b780180..b38397a1c01 100644
--- a/src/auto-reply/reply/telegram-context.test.ts
+++ b/src/auto-reply/reply/telegram-context.test.ts
@@ -1,6 +1,15 @@
-import { describe, expect, it } from "vitest";
+import { beforeEach, describe, expect, it } from "vitest";
+import { telegramPlugin } from "../../../extensions/telegram/src/channel.js";
+import { setActivePluginRegistry } from "../../plugins/runtime.js";
+import { createTestRegistry } from "../../test-utils/channel-plugins.js";
 import { resolveTelegramConversationId } from "./telegram-context.js";
 
+beforeEach(() => {
+  setActivePluginRegistry(
+    createTestRegistry([{ pluginId: "telegram", source: "test", plugin: telegramPlugin }]),
+  );
+});
+
 describe("resolveTelegramConversationId", () => {
   it("builds canonical topic ids from chat target and message thread id", () => {
     const conversationId = resolveTelegramConversationId({
diff --git a/src/auto-reply/reply/telegram-context.ts b/src/auto-reply/reply/telegram-context.ts
index f209af031fb..8ab905a44d1 100644
--- a/src/auto-reply/reply/telegram-context.ts
+++ b/src/auto-reply/reply/telegram-context.ts
@@ -1,4 +1,4 @@
-import { parseTelegramTarget } from "../../../extensions/telegram/src/targets.js";
+import { parseExplicitTargetForChannel } from "../../channels/plugins/target-parsing.js";
 
 type TelegramConversationParams = {
   ctx: {
@@ -25,7 +25,7 @@ export function resolveTelegramConversationId(
     .map((value) => value.trim())
     .filter(Boolean);
   const chatId = toCandidates
-    .map((candidate) => parseTelegramTarget(candidate).chatId.trim())
+    .map((candidate) => parseExplicitTargetForChannel("telegram", candidate)?.to.trim() ?? "")
     .find((candidate) => candidate.length > 0);
   if (!chatId) {
     return undefined;
diff --git a/src/auto-reply/templating.ts b/src/auto-reply/templating.ts
index c97584aeae3..b426b18eab5 100644
--- a/src/auto-reply/templating.ts
+++ b/src/auto-reply/templating.ts
@@ -1,9 +1,9 @@
-import type { StickerMetadata } from "../../extensions/telegram/src/bot/types.js";
 import type { ChannelId } from "../channels/plugins/types.js";
 import type {
   MediaUnderstandingDecision,
   MediaUnderstandingOutput,
 } from "../media-understanding/types.js";
+import type { StickerMetadata } from "../plugin-sdk-internal/telegram.js";
 import type { InputProvenance } from "../sessions/input-provenance.js";
 import type { InternalMessageChannel } from "../utils/message-channel.js";
 import type { CommandArgs } from "./commands-registry.types.js";
diff --git a/src/auto-reply/thinking.shared.ts b/src/auto-reply/thinking.shared.ts
new file mode 100644
index 00000000000..bbde5b90ce5
--- /dev/null
+++ b/src/auto-reply/thinking.shared.ts
@@ -0,0 +1,226 @@
+export type ThinkLevel = "off" | "minimal" | "low" | "medium" | "high" | "xhigh" | "adaptive";
+export type VerboseLevel = "off" | "on" | "full";
+export type NoticeLevel = "off" | "on" | "full";
+export type ElevatedLevel = "off" | "on" | "ask" | "full";
+export type ElevatedMode = "off" | "ask" | "full";
+export type ReasoningLevel = "off" | "on" | "stream";
+export type UsageDisplayLevel = "off" | "tokens" | "full";
+export type ThinkingCatalogEntry = {
+  provider: string;
+  id: string;
+  reasoning?: boolean;
+};
+
+const BASE_THINKING_LEVELS: ThinkLevel[] = ["off", "minimal", "low", "medium", "high", "adaptive"];
+
+export function normalizeProviderId(provider?: string | null): string {
+  if (!provider) {
+    return "";
+  }
+  const normalized = provider.trim().toLowerCase();
+  if (normalized === "z.ai" || normalized === "z-ai") {
+    return "zai";
+  }
+  if (normalized === "bedrock" || normalized === "aws-bedrock") {
+    return "amazon-bedrock";
+  }
+  return normalized;
+}
+
+export function isBinaryThinkingProvider(provider?: string | null): boolean {
+  return normalizeProviderId(provider) === "zai";
+}
+
+// Normalize user-provided thinking level strings to the canonical enum.
+export function normalizeThinkLevel(raw?: string | null): ThinkLevel | undefined {
+  if (!raw) {
+    return undefined;
+  }
+  const key = raw.trim().toLowerCase();
+  const collapsed = key.replace(/[\s_-]+/g, "");
+  if (collapsed === "adaptive" || collapsed === "auto") {
+    return "adaptive";
+  }
+  if (collapsed === "xhigh" || collapsed === "extrahigh") {
+    return "xhigh";
+  }
+  if (["off"].includes(key)) {
+    return "off";
+  }
+  if (["on", "enable", "enabled"].includes(key)) {
+    return "low";
+  }
+  if (["min", "minimal"].includes(key)) {
+    return "minimal";
+  }
+  if (["low", "thinkhard", "think-hard", "think_hard"].includes(key)) {
+    return "low";
+  }
+  if (["mid", "med", "medium", "thinkharder", "think-harder", "harder"].includes(key)) {
+    return "medium";
+  }
+  if (
+    ["high", "ultra", "ultrathink", "think-hard", "thinkhardest", "highest", "max"].includes(key)
+  ) {
+    return "high";
+  }
+  if (["think"].includes(key)) {
+    return "minimal";
+  }
+  return undefined;
+}
+
+export function listThinkingLevels(
+  _provider?: string | null,
+  _model?: string | null,
+): ThinkLevel[] {
+  return [...BASE_THINKING_LEVELS];
+}
+
+export function listThinkingLevelLabels(provider?: string | null, model?: string | null): string[] {
+  if (isBinaryThinkingProvider(provider)) {
+    return ["off", "on"];
+  }
+  return listThinkingLevels(provider, model);
+}
+
+export function formatThinkingLevels(
+  provider?: string | null,
+  model?: string | null,
+  separator = ", ",
+): string {
+  return listThinkingLevelLabels(provider, model).join(separator);
+}
+
+export function formatXHighModelHint(): string {
+  return "provider models that advertise xhigh reasoning";
+}
+
+export function resolveThinkingDefaultForModel(params: {
+  provider: string;
+  model: string;
+  catalog?: ThinkingCatalogEntry[];
+}): ThinkLevel {
+  const candidate = params.catalog?.find(
+    (entry) => entry.provider === params.provider && entry.id === params.model,
+  );
+  if (candidate?.reasoning) {
+    return "low";
+  }
+  return "off";
+}
+
+type OnOffFullLevel = "off" | "on" | "full";
+
+function normalizeOnOffFullLevel(raw?: string | null): OnOffFullLevel | undefined {
+  if (!raw) {
+    return undefined;
+  }
+  const key = raw.toLowerCase();
+  if (["off", "false", "no", "0"].includes(key)) {
+    return "off";
+  }
+  if (["full", "all", "everything"].includes(key)) {
+    return "full";
+  }
+  if (["on", "minimal", "true", "yes", "1"].includes(key)) {
+    return "on";
+  }
+  return undefined;
+}
+
+export function normalizeVerboseLevel(raw?: string | null): VerboseLevel | undefined {
+  return normalizeOnOffFullLevel(raw);
+}
+
+export function normalizeNoticeLevel(raw?: string | null): NoticeLevel | undefined {
+  return normalizeOnOffFullLevel(raw);
+}
+
+export function normalizeUsageDisplay(raw?: string | null): UsageDisplayLevel | undefined {
+  if (!raw) {
+    return undefined;
+  }
+  const key = raw.toLowerCase();
+  if (["off", "false", "no", "0", "disable", "disabled"].includes(key)) {
+    return "off";
+  }
+  if (["on", "true", "yes", "1", "enable", "enabled"].includes(key)) {
+    return "tokens";
+  }
+  if (["tokens", "token", "tok", "minimal", "min"].includes(key)) {
+    return "tokens";
+  }
+  if (["full", "session"].includes(key)) {
+    return "full";
+  }
+  return undefined;
+}
+
+export function resolveResponseUsageMode(raw?: string | null): UsageDisplayLevel {
+  return normalizeUsageDisplay(raw) ?? "off";
+}
+
+export function normalizeFastMode(raw?: string | boolean | null): boolean | undefined {
+  if (typeof raw === "boolean") {
+    return raw;
+  }
+  if (!raw) {
+    return undefined;
+  }
+  const key = raw.toLowerCase();
+  if (["off", "false", "no", "0", "disable", "disabled", "normal"].includes(key)) {
+    return false;
+  }
+  if (["on", "true", "yes", "1", "enable", "enabled", "fast"].includes(key)) {
+    return true;
+  }
+  return undefined;
+}
+
+export function normalizeElevatedLevel(raw?: string | null): ElevatedLevel | undefined {
+  if (!raw) {
+    return undefined;
+  }
+  const key = raw.toLowerCase();
+  if (["off", "false", "no", "0"].includes(key)) {
+    return "off";
+  }
+  if (["full", "auto", "auto-approve", "autoapprove"].includes(key)) {
+    return "full";
+  }
+  if (["ask", "prompt", "approval", "approve"].includes(key)) {
+    return "ask";
+  }
+  if (["on", "true", "yes", "1"].includes(key)) {
+    return "on";
+  }
+  return undefined;
+}
+
+export function resolveElevatedMode(level?: ElevatedLevel | null): ElevatedMode {
+  if (!level || level === "off") {
+    return "off";
+  }
+  if (level === "full") {
+    return "full";
+  }
+  return "ask";
+}
+
+export function normalizeReasoningLevel(raw?: string | null): ReasoningLevel | undefined {
+  if (!raw) {
+    return undefined;
+  }
+  const key = raw.toLowerCase();
+  if (["off", "false", "no", "0", "hide", "hidden", "disable", "disabled"].includes(key)) {
+    return "off";
+  }
+  if (["on", "true", "yes", "1", "show", "visible", "enable", "enabled"].includes(key)) {
+    return "on";
+  }
+  if (["stream", "streaming", "draft", "live"].includes(key)) {
+    return "stream";
+  }
+  return undefined;
+}
diff --git a/src/auto-reply/thinking.test.ts b/src/auto-reply/thinking.test.ts
index d4814a263e9..a6867d1d9b8 100644
--- a/src/auto-reply/thinking.test.ts
+++ b/src/auto-reply/thinking.test.ts
@@ -1,4 +1,16 @@
-import { describe, expect, it } from "vitest";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const providerRuntimeMocks = vi.hoisted(() => ({
+  resolveProviderBinaryThinking: vi.fn(),
+  resolveProviderDefaultThinkingLevel: vi.fn(),
+  resolveProviderXHighThinking: vi.fn(),
+}));
+
+vi.mock("../plugins/provider-runtime.js", () => ({
+  resolveProviderBinaryThinking: providerRuntimeMocks.resolveProviderBinaryThinking,
+  resolveProviderDefaultThinkingLevel: providerRuntimeMocks.resolveProviderDefaultThinkingLevel,
+  resolveProviderXHighThinking: providerRuntimeMocks.resolveProviderXHighThinking,
+}));
 import {
   listThinkingLevelLabels,
   listThinkingLevels,
@@ -7,6 +19,15 @@ import {
   resolveThinkingDefaultForModel,
 } from "./thinking.js";
 
+beforeEach(() => {
+  providerRuntimeMocks.resolveProviderBinaryThinking.mockReset();
+  providerRuntimeMocks.resolveProviderBinaryThinking.mockReturnValue(undefined);
+  providerRuntimeMocks.resolveProviderDefaultThinkingLevel.mockReset();
+  providerRuntimeMocks.resolveProviderDefaultThinkingLevel.mockReturnValue(undefined);
+  providerRuntimeMocks.resolveProviderXHighThinking.mockReset();
+  providerRuntimeMocks.resolveProviderXHighThinking.mockReturnValue(undefined);
+});
+
 describe("normalizeThinkLevel", () => {
   it("accepts mid as medium", () => {
     expect(normalizeThinkLevel("mid")).toBe("medium");
@@ -43,23 +64,31 @@ describe("normalizeThinkLevel", () => {
 });
 
 describe("listThinkingLevels", () => {
-  it("includes xhigh for codex models", () => {
-    expect(listThinkingLevels(undefined, "gpt-5.2-codex")).toContain("xhigh");
-    expect(listThinkingLevels(undefined, "gpt-5.3-codex")).toContain("xhigh");
-    expect(listThinkingLevels(undefined, "gpt-5.3-codex-spark")).toContain("xhigh");
+  it("uses provider runtime hooks for xhigh support", () => {
+    providerRuntimeMocks.resolveProviderXHighThinking.mockReturnValue(true);
+
+    expect(listThinkingLevels("demo", "demo-model")).toContain("xhigh");
   });
 
-  it("includes xhigh for openai gpt-5.2 and gpt-5.4 variants", () => {
+  it("includes xhigh for provider-advertised models", () => {
+    providerRuntimeMocks.resolveProviderXHighThinking.mockImplementation(({ provider, context }) =>
+      (provider === "openai" && ["gpt-5.2", "gpt-5.4", "gpt-5.4-pro"].includes(context.modelId)) ||
+      (provider === "openai-codex" &&
+        ["gpt-5.2-codex", "gpt-5.3-codex", "gpt-5.3-codex-spark", "gpt-5.4"].includes(
+          context.modelId,
+        )) ||
+      (provider === "github-copilot" && ["gpt-5.2", "gpt-5.2-codex"].includes(context.modelId))
+        ? true
+        : undefined,
+    );
+
+    expect(listThinkingLevels("openai-codex", "gpt-5.2-codex")).toContain("xhigh");
+    expect(listThinkingLevels("openai-codex", "gpt-5.3-codex")).toContain("xhigh");
+    expect(listThinkingLevels("openai-codex", "gpt-5.3-codex-spark")).toContain("xhigh");
     expect(listThinkingLevels("openai", "gpt-5.2")).toContain("xhigh");
     expect(listThinkingLevels("openai", "gpt-5.4")).toContain("xhigh");
     expect(listThinkingLevels("openai", "gpt-5.4-pro")).toContain("xhigh");
-  });
-
-  it("includes xhigh for openai-codex gpt-5.4", () => {
     expect(listThinkingLevels("openai-codex", "gpt-5.4")).toContain("xhigh");
-  });
-
-  it("includes xhigh for github-copilot gpt-5.2 refs", () => {
     expect(listThinkingLevels("github-copilot", "gpt-5.2")).toContain("xhigh");
     expect(listThinkingLevels("github-copilot", "gpt-5.2-codex")).toContain("xhigh");
   });
@@ -75,7 +104,21 @@ describe("listThinkingLevels", () => {
 });
 
 describe("listThinkingLevelLabels", () => {
-  it("returns on/off for ZAI", () => {
+  it("uses provider runtime hooks for binary thinking providers", () => {
+    providerRuntimeMocks.resolveProviderBinaryThinking.mockReturnValue(true);
+
+    expect(listThinkingLevelLabels("demo", "demo-model")).toEqual(["off", "on"]);
+  });
+
+  it("returns on/off for provider-advertised binary thinking", () => {
+    providerRuntimeMocks.resolveProviderBinaryThinking.mockImplementation(({ provider }) =>
+      provider === "zai" ? true : undefined,
+    );
+
+    expect(listThinkingLevelLabels("zai", "glm-4.7")).toEqual(["off", "on"]);
+  });
+
+  it("keeps built-in binary thinking fallback without provider runtime", () => {
     expect(listThinkingLevelLabels("zai", "glm-4.7")).toEqual(["off", "on"]);
   });
 
@@ -86,13 +129,42 @@ describe("listThinkingLevelLabels", () => {
 });
 
 describe("resolveThinkingDefaultForModel", () => {
-  it("defaults Claude 4.6 models to adaptive", () => {
+  it("uses provider runtime hooks for default thinking levels", () => {
+    providerRuntimeMocks.resolveProviderDefaultThinkingLevel.mockReturnValue("adaptive");
+
+    expect(resolveThinkingDefaultForModel({ provider: "demo", model: "demo-model" })).toBe(
+      "adaptive",
+    );
+  });
+
+  it("uses provider-advertised adaptive defaults", () => {
+    providerRuntimeMocks.resolveProviderDefaultThinkingLevel.mockImplementation(
+      ({ provider, context }) =>
+        provider === "anthropic" && context.modelId === "claude-opus-4-6" ? "adaptive" : undefined,
+    );
+
     expect(
       resolveThinkingDefaultForModel({ provider: "anthropic", model: "claude-opus-4-6" }),
     ).toBe("adaptive");
   });
 
-  it("treats Bedrock Anthropic aliases as adaptive", () => {
+  it("uses provider-advertised adaptive defaults for Bedrock aliases", () => {
+    providerRuntimeMocks.resolveProviderDefaultThinkingLevel.mockImplementation(
+      ({ provider, context }) =>
+        provider === "amazon-bedrock" && context.modelId === "claude-sonnet-4-6"
+          ? "adaptive"
+          : undefined,
+    );
+
+    expect(
+      resolveThinkingDefaultForModel({ provider: "aws-bedrock", model: "claude-sonnet-4-6" }),
+    ).toBe("adaptive");
+  });
+
+  it("keeps built-in adaptive defaults without provider runtime", () => {
+    expect(
+      resolveThinkingDefaultForModel({ provider: "anthropic", model: "claude-opus-4-6" }),
+    ).toBe("adaptive");
     expect(
       resolveThinkingDefaultForModel({ provider: "aws-bedrock", model: "claude-sonnet-4-6" }),
     ).toBe("adaptive");
diff --git a/src/auto-reply/thinking.ts b/src/auto-reply/thinking.ts
index 639db68eafb..1f2f1738b1f 100644
--- a/src/auto-reply/thinking.ts
+++ b/src/auto-reply/thinking.ts
@@ -1,93 +1,57 @@
-export type ThinkLevel = "off" | "minimal" | "low" | "medium" | "high" | "xhigh" | "adaptive";
-export type VerboseLevel = "off" | "on" | "full";
-export type NoticeLevel = "off" | "on" | "full";
-export type ElevatedLevel = "off" | "on" | "ask" | "full";
-export type ElevatedMode = "off" | "ask" | "full";
-export type ReasoningLevel = "off" | "on" | "stream";
-export type UsageDisplayLevel = "off" | "tokens" | "full";
-export type ThinkingCatalogEntry = {
-  provider: string;
-  id: string;
-  reasoning?: boolean;
-};
+import {
+  formatThinkingLevels as formatThinkingLevelsFallback,
+  isBinaryThinkingProvider as isBinaryThinkingProviderFallback,
+  listThinkingLevelLabels as listThinkingLevelLabelsFallback,
+  listThinkingLevels as listThinkingLevelsFallback,
+  normalizeProviderId,
+  resolveThinkingDefaultForModel as resolveThinkingDefaultForModelFallback,
+} from "./thinking.shared.js";
+import type { ThinkLevel, ThinkingCatalogEntry } from "./thinking.shared.js";
+export {
+  formatXHighModelHint,
+  normalizeElevatedLevel,
+  normalizeFastMode,
+  normalizeNoticeLevel,
+  normalizeReasoningLevel,
+  normalizeThinkLevel,
+  normalizeUsageDisplay,
+  normalizeVerboseLevel,
+  resolveResponseUsageMode,
+  resolveElevatedMode,
+} from "./thinking.shared.js";
+export type {
+  ElevatedLevel,
+  ElevatedMode,
+  NoticeLevel,
+  ReasoningLevel,
+  ThinkLevel,
+  ThinkingCatalogEntry,
+  UsageDisplayLevel,
+  VerboseLevel,
+} from "./thinking.shared.js";
+import {
+  resolveProviderBinaryThinking,
+  resolveProviderDefaultThinkingLevel,
+  resolveProviderXHighThinking,
+} from "../plugins/provider-runtime.js";
 
-const CLAUDE_46_MODEL_RE = /claude-(?:opus|sonnet)-4(?:\.|-)6(?:$|[-.])/i;
+export function isBinaryThinkingProvider(provider?: string | null, model?: string | null): boolean {
+  const normalizedProvider = normalizeProviderId(provider);
+  if (!normalizedProvider) {
+    return false;
+  }
 
-function normalizeProviderId(provider?: string | null): string {
-  if (!provider) {
-    return "";
+  const pluginDecision = resolveProviderBinaryThinking({
+    provider: normalizedProvider,
+    context: {
+      provider: normalizedProvider,
+      modelId: model?.trim() ?? "",
+    },
+  });
+  if (typeof pluginDecision === "boolean") {
+    return pluginDecision;
   }
-  const normalized = provider.trim().toLowerCase();
-  if (normalized === "z.ai" || normalized === "z-ai") {
-    return "zai";
-  }
-  if (normalized === "bedrock" || normalized === "aws-bedrock") {
-    return "amazon-bedrock";
-  }
-  return normalized;
-}
-
-export function isBinaryThinkingProvider(provider?: string | null): boolean {
-  return normalizeProviderId(provider) === "zai";
-}
-
-export const XHIGH_MODEL_REFS = [
-  "openai/gpt-5.4",
-  "openai/gpt-5.4-pro",
-  "openai/gpt-5.2",
-  "openai-codex/gpt-5.4",
-  "openai-codex/gpt-5.3-codex",
-  "openai-codex/gpt-5.3-codex-spark",
-  "openai-codex/gpt-5.2-codex",
-  "openai-codex/gpt-5.1-codex",
-  "github-copilot/gpt-5.2-codex",
-  "github-copilot/gpt-5.2",
-] as const;
-
-const XHIGH_MODEL_SET = new Set(XHIGH_MODEL_REFS.map((entry) => entry.toLowerCase()));
-const XHIGH_MODEL_IDS = new Set(
-  XHIGH_MODEL_REFS.map((entry) => entry.split("/")[1]?.toLowerCase()).filter(
-    (entry): entry is string => Boolean(entry),
-  ),
-);
-
-// Normalize user-provided thinking level strings to the canonical enum.
-export function normalizeThinkLevel(raw?: string | null): ThinkLevel | undefined {
-  if (!raw) {
-    return undefined;
-  }
-  const key = raw.trim().toLowerCase();
-  const collapsed = key.replace(/[\s_-]+/g, "");
-  if (collapsed === "adaptive" || collapsed === "auto") {
-    return "adaptive";
-  }
-  if (collapsed === "xhigh" || collapsed === "extrahigh") {
-    return "xhigh";
-  }
-  if (["off"].includes(key)) {
-    return "off";
-  }
-  if (["on", "enable", "enabled"].includes(key)) {
-    return "low";
-  }
-  if (["min", "minimal"].includes(key)) {
-    return "minimal";
-  }
-  if (["low", "thinkhard", "think-hard", "think_hard"].includes(key)) {
-    return "low";
-  }
-  if (["mid", "med", "medium", "thinkharder", "think-harder", "harder"].includes(key)) {
-    return "medium";
-  }
-  if (
-    ["high", "ultra", "ultrathink", "think-hard", "thinkhardest", "highest", "max"].includes(key)
-  ) {
-    return "high";
-  }
-  if (["think"].includes(key)) {
-    return "minimal";
-  }
-  return undefined;
+  return isBinaryThinkingProviderFallback(provider);
 }
 
 export function supportsXHighThinking(provider?: string | null, model?: string | null): boolean {
@@ -95,27 +59,35 @@ export function supportsXHighThinking(provider?: string | null, model?: string |
   if (!modelKey) {
     return false;
   }
-  const providerKey = provider?.trim().toLowerCase();
+  const providerKey = normalizeProviderId(provider);
   if (providerKey) {
-    return XHIGH_MODEL_SET.has(`${providerKey}/${modelKey}`);
+    const pluginDecision = resolveProviderXHighThinking({
+      provider: providerKey,
+      context: {
+        provider: providerKey,
+        modelId: modelKey,
+      },
+    });
+    if (typeof pluginDecision === "boolean") {
+      return pluginDecision;
+    }
   }
-  return XHIGH_MODEL_IDS.has(modelKey);
+  return false;
 }
 
 export function listThinkingLevels(provider?: string | null, model?: string | null): ThinkLevel[] {
-  const levels: ThinkLevel[] = ["off", "minimal", "low", "medium", "high"];
+  const levels = listThinkingLevelsFallback(provider, model);
   if (supportsXHighThinking(provider, model)) {
-    levels.push("xhigh");
+    levels.splice(levels.length - 1, 0, "xhigh");
   }
-  levels.push("adaptive");
   return levels;
 }
 
 export function listThinkingLevelLabels(provider?: string | null, model?: string | null): string[] {
-  if (isBinaryThinkingProvider(provider)) {
+  if (isBinaryThinkingProvider(provider, model)) {
     return ["off", "on"];
   }
-  return listThinkingLevels(provider, model);
+  return listThinkingLevelLabelsFallback(provider, model);
 }
 
 export function formatThinkingLevels(
@@ -123,21 +95,9 @@ export function formatThinkingLevels(
   model?: string | null,
   separator = ", ",
 ): string {
-  return listThinkingLevelLabels(provider, model).join(separator);
-}
-
-export function formatXHighModelHint(): string {
-  const refs = [...XHIGH_MODEL_REFS] as string[];
-  if (refs.length === 0) {
-    return "unknown model";
-  }
-  if (refs.length === 1) {
-    return refs[0];
-  }
-  if (refs.length === 2) {
-    return `${refs[0]} or ${refs[1]}`;
-  }
-  return `${refs.slice(0, -1).join(", ")} or ${refs[refs.length - 1]}`;
+  return supportsXHighThinking(provider, model)
+    ? listThinkingLevelLabels(provider, model).join(separator)
+    : formatThinkingLevelsFallback(provider, model, separator);
 }
 
 export function resolveThinkingDefaultForModel(params: {
@@ -146,141 +106,19 @@ export function resolveThinkingDefaultForModel(params: {
   catalog?: ThinkingCatalogEntry[];
 }): ThinkLevel {
   const normalizedProvider = normalizeProviderId(params.provider);
-  const modelLower = params.model.trim().toLowerCase();
-  const isAnthropicFamilyModel =
-    normalizedProvider === "anthropic" ||
-    normalizedProvider === "amazon-bedrock" ||
-    modelLower.includes("anthropic/") ||
-    modelLower.includes(".anthropic.");
-  if (isAnthropicFamilyModel && CLAUDE_46_MODEL_RE.test(modelLower)) {
-    return "adaptive";
-  }
   const candidate = params.catalog?.find(
     (entry) => entry.provider === params.provider && entry.id === params.model,
   );
-  if (candidate?.reasoning) {
-    return "low";
+  const pluginDecision = resolveProviderDefaultThinkingLevel({
+    provider: normalizedProvider,
+    context: {
+      provider: normalizedProvider,
+      modelId: params.model,
+      reasoning: candidate?.reasoning,
+    },
+  });
+  if (pluginDecision) {
+    return pluginDecision;
   }
-  return "off";
-}
-
-type OnOffFullLevel = "off" | "on" | "full";
-
-function normalizeOnOffFullLevel(raw?: string | null): OnOffFullLevel | undefined {
-  if (!raw) {
-    return undefined;
-  }
-  const key = raw.toLowerCase();
-  if (["off", "false", "no", "0"].includes(key)) {
-    return "off";
-  }
-  if (["full", "all", "everything"].includes(key)) {
-    return "full";
-  }
-  if (["on", "minimal", "true", "yes", "1"].includes(key)) {
-    return "on";
-  }
-  return undefined;
-}
-
-// Normalize verbose flags used to toggle agent verbosity.
-export function normalizeVerboseLevel(raw?: string | null): VerboseLevel | undefined {
-  return normalizeOnOffFullLevel(raw);
-}
-
-// Normalize system notice flags used to toggle system notifications.
-export function normalizeNoticeLevel(raw?: string | null): NoticeLevel | undefined {
-  return normalizeOnOffFullLevel(raw);
-}
-
-// Normalize response-usage display modes used to toggle per-response usage footers.
-export function normalizeUsageDisplay(raw?: string | null): UsageDisplayLevel | undefined {
-  if (!raw) {
-    return undefined;
-  }
-  const key = raw.toLowerCase();
-  if (["off", "false", "no", "0", "disable", "disabled"].includes(key)) {
-    return "off";
-  }
-  if (["on", "true", "yes", "1", "enable", "enabled"].includes(key)) {
-    return "tokens";
-  }
-  if (["tokens", "token", "tok", "minimal", "min"].includes(key)) {
-    return "tokens";
-  }
-  if (["full", "session"].includes(key)) {
-    return "full";
-  }
-  return undefined;
-}
-
-export function resolveResponseUsageMode(raw?: string | null): UsageDisplayLevel {
-  return normalizeUsageDisplay(raw) ?? "off";
-}
-
-// Normalize fast-mode flags used to toggle low-latency model behavior.
-export function normalizeFastMode(raw?: string | boolean | null): boolean | undefined {
-  if (typeof raw === "boolean") {
-    return raw;
-  }
-  if (!raw) {
-    return undefined;
-  }
-  const key = raw.toLowerCase();
-  if (["off", "false", "no", "0", "disable", "disabled", "normal"].includes(key)) {
-    return false;
-  }
-  if (["on", "true", "yes", "1", "enable", "enabled", "fast"].includes(key)) {
-    return true;
-  }
-  return undefined;
-}
-
-// Normalize elevated flags used to toggle elevated bash permissions.
-export function normalizeElevatedLevel(raw?: string | null): ElevatedLevel | undefined {
-  if (!raw) {
-    return undefined;
-  }
-  const key = raw.toLowerCase();
-  if (["off", "false", "no", "0"].includes(key)) {
-    return "off";
-  }
-  if (["full", "auto", "auto-approve", "autoapprove"].includes(key)) {
-    return "full";
-  }
-  if (["ask", "prompt", "approval", "approve"].includes(key)) {
-    return "ask";
-  }
-  if (["on", "true", "yes", "1"].includes(key)) {
-    return "on";
-  }
-  return undefined;
-}
-
-export function resolveElevatedMode(level?: ElevatedLevel | null): ElevatedMode {
-  if (!level || level === "off") {
-    return "off";
-  }
-  if (level === "full") {
-    return "full";
-  }
-  return "ask";
-}
-
-// Normalize reasoning visibility flags used to toggle reasoning exposure.
-export function normalizeReasoningLevel(raw?: string | null): ReasoningLevel | undefined {
-  if (!raw) {
-    return undefined;
-  }
-  const key = raw.toLowerCase();
-  if (["off", "false", "no", "0", "hide", "hidden", "disable", "disabled"].includes(key)) {
-    return "off";
-  }
-  if (["on", "true", "yes", "1", "show", "visible", "enable", "enabled"].includes(key)) {
-    return "on";
-  }
-  if (["stream", "streaming", "draft", "live"].includes(key)) {
-    return "stream";
-  }
-  return undefined;
+  return resolveThinkingDefaultForModelFallback(params);
 }
diff --git a/src/auto-reply/types.ts b/src/auto-reply/types.ts
index 76f3e746a10..c424f43ab92 100644
--- a/src/auto-reply/types.ts
+++ b/src/auto-reply/types.ts
@@ -1,4 +1,5 @@
 import type { ImageContent } from "@mariozechner/pi-ai";
+import type { InteractiveReply } from "../interactive/payload.js";
 import type { TypingController } from "./reply/typing.js";
 
 export type BlockReplyContext = {
@@ -76,6 +77,7 @@ export type ReplyPayload = {
   text?: string;
   mediaUrl?: string;
   mediaUrls?: string[];
+  interactive?: InteractiveReply;
   btw?: {
     question: string;
   };
diff --git a/src/browser/browser-utils.test.ts b/src/browser/browser-utils.test.ts
index accd36ba7ac..5bd45952321 100644
--- a/src/browser/browser-utils.test.ts
+++ b/src/browser/browser-utils.test.ts
@@ -7,15 +7,10 @@ import {
 import { __test } from "./client-fetch.js";
 import { resolveBrowserConfig, resolveProfile } from "./config.js";
 import { shouldRejectBrowserMutation } from "./csrf.js";
-import {
-  ensureChromeExtensionRelayServer,
-  stopChromeExtensionRelayServer,
-} from "./extension-relay.js";
 import { toBoolean } from "./routes/utils.js";
 import type { BrowserServerState } from "./server-context.js";
 import { listKnownProfileNames } from "./server-context.js";
 import { resolveTargetIdFromTabs } from "./target-id.js";
-import { getFreePort } from "./test-port.js";
 
 describe("toBoolean", () => {
   it("parses yes/no and 1/0", () => {
@@ -195,29 +190,8 @@ describe("cdp.helpers", () => {
     expect(headers.Authorization).toBe("Bearer token");
   });
 
-  it("does not add relay header for unknown loopback ports", () => {
-    const headers = getHeadersWithAuth("http://127.0.0.1:19444/json/version");
-    expect(headers["x-openclaw-relay-token"]).toBeUndefined();
-  });
-
-  it("adds relay header for known relay ports", async () => {
-    const port = await getFreePort();
-    const cdpUrl = `http://127.0.0.1:${port}`;
-    const prev = process.env.OPENCLAW_GATEWAY_TOKEN;
-    process.env.OPENCLAW_GATEWAY_TOKEN = "test-gateway-token";
-    try {
-      await ensureChromeExtensionRelayServer({ cdpUrl });
-      const headers = getHeadersWithAuth(`${cdpUrl}/json/version`);
-      expect(headers["x-openclaw-relay-token"]).toBeTruthy();
-      expect(headers["x-openclaw-relay-token"]).not.toBe("test-gateway-token");
-    } finally {
-      await stopChromeExtensionRelayServer({ cdpUrl }).catch(() => {});
-      if (prev === undefined) {
-        delete process.env.OPENCLAW_GATEWAY_TOKEN;
-      } else {
-        process.env.OPENCLAW_GATEWAY_TOKEN = prev;
-      }
-    }
+  it("does not add custom headers when none are required", () => {
+    expect(getHeadersWithAuth("http://127.0.0.1:19444/json/version")).toEqual({});
   });
 });
 
diff --git a/src/browser/cdp.helpers.ts b/src/browser/cdp.helpers.ts
index 399f0582d88..3bc02362b55 100644
--- a/src/browser/cdp.helpers.ts
+++ b/src/browser/cdp.helpers.ts
@@ -6,7 +6,6 @@ import { redactSensitiveText } from "../logging/redact.js";
 import { getDirectAgentForCdp, withNoProxyForCdpUrl } from "./cdp-proxy-bypass.js";
 import { CDP_HTTP_REQUEST_TIMEOUT_MS, CDP_WS_HANDSHAKE_TIMEOUT_MS } from "./cdp-timeouts.js";
 import { resolveBrowserRateLimitMessage } from "./client-fetch.js";
-import { getChromeExtensionRelayAuthHeaders } from "./extension-relay.js";
 
 export { isLoopbackHost };
 
@@ -76,8 +75,7 @@ export type CdpSendFn = (
 ) => Promise<unknown>;
 
 export function getHeadersWithAuth(url: string, headers: Record<string, string> = {}) {
-  const relayHeaders = getChromeExtensionRelayAuthHeaders(url);
-  const mergedHeaders = { ...relayHeaders, ...headers };
+  const mergedHeaders = { ...headers };
   try {
     const parsed = new URL(url);
     const hasAuthHeader = Object.keys(mergedHeaders).some(
diff --git a/src/browser/chrome-extension-background-utils.test.ts b/src/browser/chrome-extension-background-utils.test.ts
deleted file mode 100644
index b22b602116c..00000000000
--- a/src/browser/chrome-extension-background-utils.test.ts
+++ /dev/null
@@ -1,133 +0,0 @@
-import { createRequire } from "node:module";
-import { describe, expect, it } from "vitest";
-
-type BackgroundUtilsModule = {
-  buildRelayWsUrl: (port: number, gatewayToken: string) => Promise<string>;
-  deriveRelayToken: (gatewayToken: string, port: number) => Promise<string>;
-  isLastRemainingTab: (
-    allTabs: Array<{ id?: number | undefined } | null | undefined>,
-    tabIdToClose: number,
-  ) => boolean;
-  isMissingTabError: (err: unknown) => boolean;
-  isRetryableReconnectError: (err: unknown) => boolean;
-  reconnectDelayMs: (
-    attempt: number,
-    opts?: { baseMs?: number; maxMs?: number; jitterMs?: number; random?: () => number },
-  ) => number;
-};
-
-const require = createRequire(import.meta.url);
-const BACKGROUND_UTILS_MODULE = "../../assets/chrome-extension/background-utils.js";
-
-async function loadBackgroundUtils(): Promise<BackgroundUtilsModule> {
-  try {
-    return require(BACKGROUND_UTILS_MODULE) as BackgroundUtilsModule;
-  } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    if (!message.includes("Unexpected token 'export'")) {
-      throw error;
-    }
-    return (await import(BACKGROUND_UTILS_MODULE)) as BackgroundUtilsModule;
-  }
-}
-
-const {
-  buildRelayWsUrl,
-  deriveRelayToken,
-  isLastRemainingTab,
-  isMissingTabError,
-  isRetryableReconnectError,
-  reconnectDelayMs,
-} = await loadBackgroundUtils();
-
-describe("chrome extension background utils", () => {
-  it("derives relay token as HMAC-SHA256 of gateway token and port", async () => {
-    const relayToken = await deriveRelayToken("test-gateway-token", 18792);
-    expect(relayToken).toMatch(/^[0-9a-f]{64}$/);
-    const relayToken2 = await deriveRelayToken("test-gateway-token", 18792);
-    expect(relayToken).toBe(relayToken2);
-    const differentPort = await deriveRelayToken("test-gateway-token", 9999);
-    expect(relayToken).not.toBe(differentPort);
-  });
-
-  it("builds websocket url with derived relay token", async () => {
-    const url = await buildRelayWsUrl(18792, "test-token");
-    expect(url).toMatch(/^ws:\/\/127\.0\.0\.1:18792\/extension\?token=[0-9a-f]{64}$/);
-  });
-
-  it("throws when gateway token is missing", async () => {
-    await expect(buildRelayWsUrl(18792, "")).rejects.toThrow(/Missing gatewayToken/);
-    await expect(buildRelayWsUrl(18792, "   ")).rejects.toThrow(/Missing gatewayToken/);
-  });
-
-  it("uses exponential backoff from attempt index", () => {
-    expect(reconnectDelayMs(0, { baseMs: 1000, maxMs: 30000, jitterMs: 0, random: () => 0 })).toBe(
-      1000,
-    );
-    expect(reconnectDelayMs(1, { baseMs: 1000, maxMs: 30000, jitterMs: 0, random: () => 0 })).toBe(
-      2000,
-    );
-    expect(reconnectDelayMs(4, { baseMs: 1000, maxMs: 30000, jitterMs: 0, random: () => 0 })).toBe(
-      16000,
-    );
-  });
-
-  it("caps reconnect delay at max", () => {
-    const delay = reconnectDelayMs(20, {
-      baseMs: 1000,
-      maxMs: 30000,
-      jitterMs: 0,
-      random: () => 0,
-    });
-    expect(delay).toBe(30000);
-  });
-
-  it("adds jitter using injected random source", () => {
-    const delay = reconnectDelayMs(3, {
-      baseMs: 1000,
-      maxMs: 30000,
-      jitterMs: 1000,
-      random: () => 0.25,
-    });
-    expect(delay).toBe(8250);
-  });
-
-  it("sanitizes invalid attempts and options", () => {
-    expect(reconnectDelayMs(-2, { baseMs: 1000, maxMs: 30000, jitterMs: 0, random: () => 0 })).toBe(
-      1000,
-    );
-    expect(
-      reconnectDelayMs(Number.NaN, {
-        baseMs: Number.NaN,
-        maxMs: Number.NaN,
-        jitterMs: Number.NaN,
-        random: () => 0,
-      }),
-    ).toBe(1000);
-  });
-
-  it("marks missing token errors as non-retryable", () => {
-    expect(
-      isRetryableReconnectError(
-        new Error("Missing gatewayToken in extension settings (chrome.storage.local.gatewayToken)"),
-      ),
-    ).toBe(false);
-  });
-
-  it("keeps transient network errors retryable", () => {
-    expect(isRetryableReconnectError(new Error("WebSocket connect timeout"))).toBe(true);
-    expect(isRetryableReconnectError(new Error("Relay server not reachable"))).toBe(true);
-  });
-
-  it("recognizes missing-tab debugger errors", () => {
-    expect(isMissingTabError(new Error("No tab with given id"))).toBe(true);
-    expect(isMissingTabError(new Error("tab not found"))).toBe(true);
-    expect(isMissingTabError(new Error("Cannot access a chrome:// URL"))).toBe(false);
-  });
-
-  it("blocks closing the final remaining tab only", () => {
-    expect(isLastRemainingTab([{ id: 7 }], 7)).toBe(true);
-    expect(isLastRemainingTab([{ id: 7 }, { id: 8 }], 7)).toBe(false);
-    expect(isLastRemainingTab([{ id: 7 }, { id: 8 }], 8)).toBe(false);
-  });
-});
diff --git a/src/browser/chrome-extension-manifest.test.ts b/src/browser/chrome-extension-manifest.test.ts
deleted file mode 100644
index 4d4a0321724..00000000000
--- a/src/browser/chrome-extension-manifest.test.ts
+++ /dev/null
@@ -1,29 +0,0 @@
-import { readFileSync } from "node:fs";
-import { resolve } from "node:path";
-import { describe, expect, it } from "vitest";
-
-type ExtensionManifest = {
-  background?: { service_worker?: string; type?: string };
-  permissions?: string[];
-};
-
-function readManifest(): ExtensionManifest {
-  const path = resolve(process.cwd(), "assets/chrome-extension/manifest.json");
-  return JSON.parse(readFileSync(path, "utf8")) as ExtensionManifest;
-}
-
-describe("chrome extension manifest", () => {
-  it("keeps background worker configured as module", () => {
-    const manifest = readManifest();
-    expect(manifest.background?.service_worker).toBe("background.js");
-    expect(manifest.background?.type).toBe("module");
-  });
-
-  it("includes resilience permissions", () => {
-    const permissions = readManifest().permissions ?? [];
-    expect(permissions).toContain("alarms");
-    expect(permissions).toContain("webNavigation");
-    expect(permissions).toContain("storage");
-    expect(permissions).toContain("debugger");
-  });
-});
diff --git a/src/browser/chrome-extension-options-validation.test.ts b/src/browser/chrome-extension-options-validation.test.ts
deleted file mode 100644
index 23aa6d1ce06..00000000000
--- a/src/browser/chrome-extension-options-validation.test.ts
+++ /dev/null
@@ -1,113 +0,0 @@
-import { createRequire } from "node:module";
-import { describe, expect, it } from "vitest";
-
-type RelayCheckResponse = {
-  status?: number;
-  ok?: boolean;
-  error?: string;
-  contentType?: string;
-  json?: unknown;
-};
-
-type RelayCheckStatus =
-  | { action: "throw"; error: string }
-  | { action: "status"; kind: "ok" | "error"; message: string };
-
-type RelayCheckExceptionStatus = { kind: "error"; message: string };
-
-type OptionsValidationModule = {
-  classifyRelayCheckResponse: (
-    res: RelayCheckResponse | null | undefined,
-    port: number,
-  ) => RelayCheckStatus;
-  classifyRelayCheckException: (err: unknown, port: number) => RelayCheckExceptionStatus;
-};
-
-const require = createRequire(import.meta.url);
-const OPTIONS_VALIDATION_MODULE = "../../assets/chrome-extension/options-validation.js";
-
-async function loadOptionsValidation(): Promise<OptionsValidationModule> {
-  try {
-    return require(OPTIONS_VALIDATION_MODULE) as OptionsValidationModule;
-  } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    if (!message.includes("Unexpected token 'export'")) {
-      throw error;
-    }
-    return (await import(OPTIONS_VALIDATION_MODULE)) as OptionsValidationModule;
-  }
-}
-
-const { classifyRelayCheckException, classifyRelayCheckResponse } = await loadOptionsValidation();
-
-describe("chrome extension options validation", () => {
-  it("maps 401 response to token rejected error", () => {
-    const result = classifyRelayCheckResponse({ status: 401, ok: false }, 18792);
-    expect(result).toEqual({
-      action: "status",
-      kind: "error",
-      message: "Gateway token rejected. Check token and save again.",
-    });
-  });
-
-  it("maps non-json 200 response to wrong-port error", () => {
-    const result = classifyRelayCheckResponse(
-      { status: 200, ok: true, contentType: "text/html; charset=utf-8", json: null },
-      18792,
-    );
-    expect(result).toEqual({
-      action: "status",
-      kind: "error",
-      message:
-        "Wrong port: this is likely the gateway, not the relay. Use gateway port + 3 (for gateway 18789, relay is 18792).",
-    });
-  });
-
-  it("maps json response without CDP keys to wrong-port error", () => {
-    const result = classifyRelayCheckResponse(
-      { status: 200, ok: true, contentType: "application/json", json: { ok: true } },
-      18792,
-    );
-    expect(result).toEqual({
-      action: "status",
-      kind: "error",
-      message:
-        "Wrong port: expected relay /json/version response. Use gateway port + 3 (for gateway 18789, relay is 18792).",
-    });
-  });
-
-  it("maps valid relay json response to success", () => {
-    const result = classifyRelayCheckResponse(
-      {
-        status: 200,
-        ok: true,
-        contentType: "application/json",
-        json: { Browser: "Chrome/136", "Protocol-Version": "1.3" },
-      },
-      19004,
-    );
-    expect(result).toEqual({
-      action: "status",
-      kind: "ok",
-      message: "Relay reachable and authenticated at http://127.0.0.1:19004/",
-    });
-  });
-
-  it("maps syntax/json exceptions to wrong-endpoint error", () => {
-    const result = classifyRelayCheckException(new Error("SyntaxError: Unexpected token <"), 18792);
-    expect(result).toEqual({
-      kind: "error",
-      message:
-        "Wrong port: this is not a relay endpoint. Use gateway port + 3 (for gateway 18789, relay is 18792).",
-    });
-  });
-
-  it("maps generic exceptions to relay unreachable error", () => {
-    const result = classifyRelayCheckException(new Error("TypeError: Failed to fetch"), 18792);
-    expect(result).toEqual({
-      kind: "error",
-      message:
-        "Relay not reachable/authenticated at http://127.0.0.1:18792/. Start OpenClaw browser relay and verify token.",
-    });
-  });
-});
diff --git a/src/browser/chrome-mcp.ts b/src/browser/chrome-mcp.ts
index c649fe53633..a673feb2c27 100644
--- a/src/browser/chrome-mcp.ts
+++ b/src/browser/chrome-mcp.ts
@@ -193,7 +193,7 @@ async function createRealSession(profileName: string): Promise<ChromeMcpSession>
       await client.close().catch(() => {});
       throw new BrowserProfileUnavailableError(
         `Chrome MCP existing-session attach failed for profile "${profileName}". ` +
-          `Make sure Chrome (v146+) is running. ` +
+          `Make sure Chrome (v144+) is running. ` +
           `Details: ${String(err)}`,
       );
     }
diff --git a/src/browser/chrome.executables.ts b/src/browser/chrome.executables.ts
index 729127c9df9..6ef7bc0b155 100644
--- a/src/browser/chrome.executables.ts
+++ b/src/browser/chrome.executables.ts
@@ -9,6 +9,8 @@ export type BrowserExecutable = {
   path: string;
 };
 
+const CHROME_VERSION_RE = /(\d+)(?:\.\d+){0,3}/;
+
 const CHROMIUM_BUNDLE_IDS = new Set([
   "com.google.Chrome",
   "com.google.Chrome.beta",
@@ -453,6 +455,22 @@ function findFirstExecutable(candidates: Array<BrowserExecutable>): BrowserExecu
   return null;
 }
 
+function findFirstChromeExecutable(candidates: string[]): BrowserExecutable | null {
+  for (const candidate of candidates) {
+    if (exists(candidate)) {
+      return {
+        kind:
+          candidate.toLowerCase().includes("sxs") || candidate.toLowerCase().includes("canary")
+            ? "canary"
+            : "chrome",
+        path: candidate,
+      };
+    }
+  }
+
+  return null;
+}
+
 export function findChromeExecutableMac(): BrowserExecutable | null {
   const candidates: Array<BrowserExecutable> = [
     {
@@ -506,6 +524,18 @@ export function findChromeExecutableMac(): BrowserExecutable | null {
   return findFirstExecutable(candidates);
 }
 
+export function findGoogleChromeExecutableMac(): BrowserExecutable | null {
+  return findFirstChromeExecutable([
+    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
+    path.join(os.homedir(), "Applications/Google Chrome.app/Contents/MacOS/Google Chrome"),
+    "/Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary",
+    path.join(
+      os.homedir(),
+      "Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary",
+    ),
+  ]);
+}
+
 export function findChromeExecutableLinux(): BrowserExecutable | null {
   const candidates: Array<BrowserExecutable> = [
     { kind: "chrome", path: "/usr/bin/google-chrome" },
@@ -525,6 +555,16 @@ export function findChromeExecutableLinux(): BrowserExecutable | null {
   return findFirstExecutable(candidates);
 }
 
+export function findGoogleChromeExecutableLinux(): BrowserExecutable | null {
+  return findFirstChromeExecutable([
+    "/usr/bin/google-chrome",
+    "/usr/bin/google-chrome-stable",
+    "/usr/bin/google-chrome-beta",
+    "/usr/bin/google-chrome-unstable",
+    "/snap/bin/google-chrome",
+  ]);
+}
+
 export function findChromeExecutableWindows(): BrowserExecutable | null {
   const localAppData = process.env.LOCALAPPDATA ?? "";
   const programFiles = process.env.ProgramFiles ?? "C:\\Program Files";
@@ -596,6 +636,56 @@ export function findChromeExecutableWindows(): BrowserExecutable | null {
   return findFirstExecutable(candidates);
 }
 
+export function findGoogleChromeExecutableWindows(): BrowserExecutable | null {
+  const localAppData = process.env.LOCALAPPDATA ?? "";
+  const programFiles = process.env.ProgramFiles ?? "C:\\Program Files";
+  const programFilesX86 = process.env["ProgramFiles(x86)"] ?? "C:\\Program Files (x86)";
+  const joinWin = path.win32.join;
+  const candidates: string[] = [];
+
+  if (localAppData) {
+    candidates.push(joinWin(localAppData, "Google", "Chrome", "Application", "chrome.exe"));
+    candidates.push(joinWin(localAppData, "Google", "Chrome SxS", "Application", "chrome.exe"));
+  }
+
+  candidates.push(joinWin(programFiles, "Google", "Chrome", "Application", "chrome.exe"));
+  candidates.push(joinWin(programFilesX86, "Google", "Chrome", "Application", "chrome.exe"));
+
+  return findFirstChromeExecutable(candidates);
+}
+
+export function resolveGoogleChromeExecutableForPlatform(
+  platform: NodeJS.Platform,
+): BrowserExecutable | null {
+  if (platform === "darwin") {
+    return findGoogleChromeExecutableMac();
+  }
+  if (platform === "linux") {
+    return findGoogleChromeExecutableLinux();
+  }
+  if (platform === "win32") {
+    return findGoogleChromeExecutableWindows();
+  }
+  return null;
+}
+
+export function readBrowserVersion(executablePath: string): string | null {
+  const output = execText(executablePath, ["--version"], 2000);
+  if (!output) {
+    return null;
+  }
+  return output.replace(/\s+/g, " ").trim();
+}
+
+export function parseBrowserMajorVersion(rawVersion: string | null | undefined): number | null {
+  const match = String(rawVersion ?? "").match(CHROME_VERSION_RE);
+  if (!match?.[1]) {
+    return null;
+  }
+  const major = Number.parseInt(match[1], 10);
+  return Number.isFinite(major) ? major : null;
+}
+
 export function resolveBrowserExecutableForPlatform(
   resolved: ResolvedBrowserConfig,
   platform: NodeJS.Platform,
diff --git a/src/browser/client.ts b/src/browser/client.ts
index 8e30762bfb1..7791b4405be 100644
--- a/src/browser/client.ts
+++ b/src/browser/client.ts
@@ -5,7 +5,7 @@ export type BrowserTransport = "cdp" | "chrome-mcp";
 export type BrowserStatus = {
   enabled: boolean;
   profile?: string;
-  driver?: "openclaw" | "extension" | "existing-session";
+  driver?: "openclaw" | "existing-session";
   transport?: BrowserTransport;
   running: boolean;
   cdpReady?: boolean;
@@ -31,7 +31,7 @@ export type ProfileStatus = {
   cdpPort: number | null;
   cdpUrl: string | null;
   color: string;
-  driver: "openclaw" | "extension" | "existing-session";
+  driver: "openclaw" | "existing-session";
   running: boolean;
   tabCount: number;
   isDefault: boolean;
@@ -172,7 +172,7 @@ export async function browserCreateProfile(
     name: string;
     color?: string;
     cdpUrl?: string;
-    driver?: "openclaw" | "extension" | "existing-session";
+    driver?: "openclaw" | "existing-session";
   },
 ): Promise<BrowserCreateProfileResult> {
   return await fetchBrowserJson<BrowserCreateProfileResult>(
diff --git a/src/browser/config.test.ts b/src/browser/config.test.ts
index 947cf10c0fa..7f80c4389a1 100644
--- a/src/browser/config.test.ts
+++ b/src/browser/config.test.ts
@@ -188,13 +188,6 @@ describe("browser config", () => {
     expect(profile?.cdpIsLoopback).toBe(true);
   });
 
-  it("trims relayBindHost when configured", () => {
-    const resolved = resolveBrowserConfig({
-      relayBindHost: " 0.0.0.0 ",
-    });
-    expect(resolved.relayBindHost).toBe("0.0.0.0");
-  });
-
   it("rejects unsupported protocols", () => {
     expect(() => resolveBrowserConfig({ cdpUrl: "ftp://127.0.0.1:18791" })).toThrow(
       "must be http(s) or ws(s)",
@@ -289,7 +282,6 @@ describe("browser config", () => {
     const resolved = resolveBrowserConfig({
       profiles: {
         "chrome-live": { driver: "existing-session", attachOnly: true, color: "#00AA00" },
-        relay: { driver: "extension", cdpUrl: "http://127.0.0.1:18792", color: "#0066CC" },
         work: { cdpPort: 18801, color: "#0066CC" },
       },
     });
@@ -300,9 +292,6 @@ describe("browser config", () => {
     const managed = resolveProfile(resolved, "openclaw")!;
     expect(getBrowserProfileCapabilities(managed).usesChromeMcp).toBe(false);
 
-    const extension = resolveProfile(resolved, "relay")!;
-    expect(getBrowserProfileCapabilities(extension).usesChromeMcp).toBe(false);
-
     const work = resolveProfile(resolved, "work")!;
     expect(getBrowserProfileCapabilities(work).usesChromeMcp).toBe(false);
   });
diff --git a/src/browser/config.ts b/src/browser/config.ts
index e535b926a96..64fffce865c 100644
--- a/src/browser/config.ts
+++ b/src/browser/config.ts
@@ -36,7 +36,6 @@ export type ResolvedBrowserConfig = {
   profiles: Record<string, BrowserProfileConfig>;
   ssrfPolicy?: SsrFPolicy;
   extraArgs: string[];
-  relayBindHost?: string;
 };
 
 export type ResolvedBrowserProfile = {
@@ -46,7 +45,7 @@ export type ResolvedBrowserProfile = {
   cdpHost: string;
   cdpIsLoopback: boolean;
   color: string;
-  driver: "openclaw" | "extension" | "existing-session";
+  driver: "openclaw" | "existing-session";
   attachOnly: boolean;
 };
 
@@ -279,8 +278,6 @@ export function resolveBrowserConfig(
     ? cfg.extraArgs.filter((a): a is string => typeof a === "string" && a.trim().length > 0)
     : [];
   const ssrfPolicy = resolveBrowserSsrFPolicy(cfg);
-  const relayBindHost = cfg?.relayBindHost?.trim() || undefined;
-
   return {
     enabled,
     evaluateEnabled,
@@ -301,7 +298,6 @@ export function resolveBrowserConfig(
     profiles,
     ssrfPolicy,
     extraArgs,
-    relayBindHost,
   };
 }
 
@@ -322,12 +318,7 @@ export function resolveProfile(
   let cdpHost = resolved.cdpHost;
   let cdpPort = profile.cdpPort ?? 0;
   let cdpUrl = "";
-  const driver =
-    profile.driver === "extension"
-      ? "extension"
-      : profile.driver === "existing-session"
-        ? "existing-session"
-        : "openclaw";
+  const driver = profile.driver === "existing-session" ? "existing-session" : "openclaw";
 
   if (driver === "existing-session") {
     // existing-session uses Chrome MCP auto-connect; no CDP port/URL needed
diff --git a/src/browser/extension-relay-auth.secretref.test.ts b/src/browser/extension-relay-auth.secretref.test.ts
deleted file mode 100644
index 7976064f35e..00000000000
--- a/src/browser/extension-relay-auth.secretref.test.ts
+++ /dev/null
@@ -1,117 +0,0 @@
-import fs from "node:fs/promises";
-import os from "node:os";
-import path from "node:path";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-
-const loadConfigMock = vi.hoisted(() => vi.fn());
-
-vi.mock("../config/config.js", () => ({
-  loadConfig: loadConfigMock,
-}));
-
-const { resolveRelayAcceptedTokensForPort } = await import("./extension-relay-auth.js");
-
-describe("extension-relay-auth SecretRef handling", () => {
-  const ENV_KEYS = ["OPENCLAW_GATEWAY_TOKEN", "CLAWDBOT_GATEWAY_TOKEN", "CUSTOM_GATEWAY_TOKEN"];
-  const envSnapshot = new Map<string, string | undefined>();
-
-  beforeEach(() => {
-    for (const key of ENV_KEYS) {
-      envSnapshot.set(key, process.env[key]);
-      delete process.env[key];
-    }
-    loadConfigMock.mockReset();
-  });
-
-  afterEach(() => {
-    for (const key of ENV_KEYS) {
-      const previous = envSnapshot.get(key);
-      if (previous === undefined) {
-        delete process.env[key];
-      } else {
-        process.env[key] = previous;
-      }
-    }
-  });
-
-  it("resolves env-template gateway.auth.token from its referenced env var", async () => {
-    loadConfigMock.mockReturnValue({
-      gateway: { auth: { token: "${CUSTOM_GATEWAY_TOKEN}" } },
-      secrets: { providers: { default: { source: "env" } } },
-    });
-    process.env.CUSTOM_GATEWAY_TOKEN = "resolved-gateway-token";
-
-    const tokens = await resolveRelayAcceptedTokensForPort(18790);
-
-    expect(tokens).toContain("resolved-gateway-token");
-    expect(tokens[0]).not.toBe("resolved-gateway-token");
-  });
-
-  it("fails closed when env-template gateway.auth.token is unresolved", async () => {
-    loadConfigMock.mockReturnValue({
-      gateway: { auth: { token: "${CUSTOM_GATEWAY_TOKEN}" } },
-      secrets: { providers: { default: { source: "env" } } },
-    });
-
-    await expect(resolveRelayAcceptedTokensForPort(18790)).rejects.toThrow(
-      "gateway.auth.token SecretRef is unavailable",
-    );
-  });
-
-  it("resolves file-backed gateway.auth.token SecretRef", async () => {
-    const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-relay-file-secret-"));
-    const secretFile = path.join(tempDir, "relay-secrets.json");
-    await fs.writeFile(secretFile, JSON.stringify({ relayToken: "resolved-file-relay-token" }));
-    await fs.chmod(secretFile, 0o600);
-
-    loadConfigMock.mockReturnValue({
-      secrets: {
-        providers: {
-          fileProvider: { source: "file", path: secretFile, mode: "json" },
-        },
-      },
-      gateway: {
-        auth: {
-          token: { source: "file", provider: "fileProvider", id: "/relayToken" },
-        },
-      },
-    });
-
-    try {
-      const tokens = await resolveRelayAcceptedTokensForPort(18790);
-      expect(tokens.length).toBeGreaterThan(0);
-      expect(tokens).toContain("resolved-file-relay-token");
-    } finally {
-      await fs.rm(tempDir, { recursive: true, force: true });
-    }
-  });
-
-  it("resolves exec-backed gateway.auth.token SecretRef", async () => {
-    const execProgram = [
-      "process.stdout.write(",
-      "JSON.stringify({ protocolVersion: 1, values: { RELAY_TOKEN: 'resolved-exec-relay-token' } })",
-      ");",
-    ].join("");
-    loadConfigMock.mockReturnValue({
-      secrets: {
-        providers: {
-          execProvider: {
-            source: "exec",
-            command: process.execPath,
-            args: ["-e", execProgram],
-            allowInsecurePath: true,
-          },
-        },
-      },
-      gateway: {
-        auth: {
-          token: { source: "exec", provider: "execProvider", id: "RELAY_TOKEN" },
-        },
-      },
-    });
-
-    const tokens = await resolveRelayAcceptedTokensForPort(18790);
-    expect(tokens.length).toBeGreaterThan(0);
-    expect(tokens).toContain("resolved-exec-relay-token");
-  });
-});
diff --git a/src/browser/extension-relay-auth.test.ts b/src/browser/extension-relay-auth.test.ts
deleted file mode 100644
index c052e31a209..00000000000
--- a/src/browser/extension-relay-auth.test.ts
+++ /dev/null
@@ -1,131 +0,0 @@
-import { createServer, type IncomingMessage, type ServerResponse } from "node:http";
-import type { AddressInfo } from "node:net";
-import { afterEach, beforeEach, describe, expect, it } from "vitest";
-import {
-  probeAuthenticatedOpenClawRelay,
-  resolveRelayAcceptedTokensForPort,
-  resolveRelayAuthTokenForPort,
-} from "./extension-relay-auth.js";
-import { getFreePort } from "./test-port.js";
-
-async function withRelayServer(
-  handler: (req: IncomingMessage, res: ServerResponse) => void,
-  run: (params: { port: number }) => Promise<void>,
-) {
-  const port = await getFreePort();
-  const server = createServer(handler);
-  await new Promise<void>((resolve, reject) => {
-    server.listen(port, "127.0.0.1", () => resolve());
-    server.once("error", reject);
-  });
-  try {
-    const actualPort = (server.address() as AddressInfo).port;
-    await run({ port: actualPort });
-  } finally {
-    await new Promise<void>((resolve) => server.close(() => resolve()));
-  }
-}
-
-function handleNonVersionRequest(req: IncomingMessage, res: ServerResponse): boolean {
-  if (req.url?.startsWith("/json/version")) {
-    return false;
-  }
-  res.writeHead(404);
-  res.end("not found");
-  return true;
-}
-
-async function probeRelay(baseUrl: string, relayAuthToken: string): Promise<boolean> {
-  return await probeAuthenticatedOpenClawRelay({
-    baseUrl,
-    relayAuthHeader: "x-openclaw-relay-token",
-    relayAuthToken,
-  });
-}
-
-describe("extension-relay-auth", () => {
-  const TEST_GATEWAY_TOKEN = "test-gateway-token";
-  let prevGatewayToken: string | undefined;
-
-  beforeEach(() => {
-    prevGatewayToken = process.env.OPENCLAW_GATEWAY_TOKEN;
-    process.env.OPENCLAW_GATEWAY_TOKEN = TEST_GATEWAY_TOKEN;
-  });
-
-  afterEach(() => {
-    if (prevGatewayToken === undefined) {
-      delete process.env.OPENCLAW_GATEWAY_TOKEN;
-    } else {
-      process.env.OPENCLAW_GATEWAY_TOKEN = prevGatewayToken;
-    }
-  });
-
-  it("derives deterministic relay tokens per port", async () => {
-    const tokenA1 = await resolveRelayAuthTokenForPort(18790);
-    const tokenA2 = await resolveRelayAuthTokenForPort(18790);
-    const tokenB = await resolveRelayAuthTokenForPort(18791);
-    expect(tokenA1).toBe(tokenA2);
-    expect(tokenA1).not.toBe(tokenB);
-    expect(tokenA1).not.toBe(TEST_GATEWAY_TOKEN);
-  });
-
-  it("accepts both relay-scoped and raw gateway tokens for compatibility", async () => {
-    const tokens = await resolveRelayAcceptedTokensForPort(18790);
-    expect(tokens).toContain(TEST_GATEWAY_TOKEN);
-    expect(tokens[0]).not.toBe(TEST_GATEWAY_TOKEN);
-    expect(tokens[0]).toBe(await resolveRelayAuthTokenForPort(18790));
-  });
-
-  it("accepts authenticated openclaw relay probe responses", async () => {
-    let seenToken: string | undefined;
-    await withRelayServer(
-      (req, res) => {
-        if (handleNonVersionRequest(req, res)) {
-          return;
-        }
-        const header = req.headers["x-openclaw-relay-token"];
-        seenToken = Array.isArray(header) ? header[0] : header;
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ Browser: "OpenClaw/extension-relay" }));
-      },
-      async ({ port }) => {
-        const token = await resolveRelayAuthTokenForPort(port);
-        const ok = await probeRelay(`http://127.0.0.1:${port}`, token);
-        expect(ok).toBe(true);
-        expect(seenToken).toBe(token);
-      },
-    );
-  });
-
-  it("rejects unauthenticated probe responses", async () => {
-    await withRelayServer(
-      (req, res) => {
-        if (handleNonVersionRequest(req, res)) {
-          return;
-        }
-        res.writeHead(401);
-        res.end("Unauthorized");
-      },
-      async ({ port }) => {
-        const ok = await probeRelay(`http://127.0.0.1:${port}`, "irrelevant");
-        expect(ok).toBe(false);
-      },
-    );
-  });
-
-  it("rejects probe responses with wrong browser identity", async () => {
-    await withRelayServer(
-      (req, res) => {
-        if (handleNonVersionRequest(req, res)) {
-          return;
-        }
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ Browser: "FakeRelay" }));
-      },
-      async ({ port }) => {
-        const ok = await probeRelay(`http://127.0.0.1:${port}`, "irrelevant");
-        expect(ok).toBe(false);
-      },
-    );
-  });
-});
diff --git a/src/browser/extension-relay-auth.ts b/src/browser/extension-relay-auth.ts
deleted file mode 100644
index 7143a6c716e..00000000000
--- a/src/browser/extension-relay-auth.ts
+++ /dev/null
@@ -1,113 +0,0 @@
-import { createHmac } from "node:crypto";
-import { loadConfig } from "../config/config.js";
-import { normalizeSecretInputString, resolveSecretInputRef } from "../config/types.secrets.js";
-import { secretRefKey } from "../secrets/ref-contract.js";
-import { resolveSecretRefValues } from "../secrets/resolve.js";
-
-const RELAY_TOKEN_CONTEXT = "openclaw-extension-relay-v1";
-const DEFAULT_RELAY_PROBE_TIMEOUT_MS = 500;
-const OPENCLAW_RELAY_BROWSER = "OpenClaw/extension-relay";
-
-class SecretRefUnavailableError extends Error {
-  readonly isSecretRefUnavailable = true;
-}
-
-function trimToUndefined(value: unknown): string | undefined {
-  if (typeof value !== "string") {
-    return undefined;
-  }
-  const trimmed = value.trim();
-  return trimmed.length > 0 ? trimmed : undefined;
-}
-
-async function resolveGatewayAuthToken(): Promise<string | null> {
-  const envToken =
-    process.env.OPENCLAW_GATEWAY_TOKEN?.trim() || process.env.CLAWDBOT_GATEWAY_TOKEN?.trim();
-  if (envToken) {
-    return envToken;
-  }
-  try {
-    const cfg = loadConfig();
-    const tokenRef = resolveSecretInputRef({
-      value: cfg.gateway?.auth?.token,
-      defaults: cfg.secrets?.defaults,
-    }).ref;
-    if (tokenRef) {
-      const refLabel = `${tokenRef.source}:${tokenRef.provider}:${tokenRef.id}`;
-      try {
-        const resolved = await resolveSecretRefValues([tokenRef], {
-          config: cfg,
-          env: process.env,
-        });
-        const resolvedToken = trimToUndefined(resolved.get(secretRefKey(tokenRef)));
-        if (resolvedToken) {
-          return resolvedToken;
-        }
-      } catch {
-        // handled below
-      }
-      throw new SecretRefUnavailableError(
-        `extension relay requires a resolved gateway token, but gateway.auth.token SecretRef is unavailable (${refLabel}). Set OPENCLAW_GATEWAY_TOKEN or resolve your secret provider.`,
-      );
-    }
-    const configToken = normalizeSecretInputString(cfg.gateway?.auth?.token);
-    if (configToken) {
-      return configToken;
-    }
-  } catch (err) {
-    if (err instanceof SecretRefUnavailableError) {
-      throw err;
-    }
-    // ignore config read failures; caller can fallback to per-process random token
-  }
-  return null;
-}
-
-function deriveRelayAuthToken(gatewayToken: string, port: number): string {
-  return createHmac("sha256", gatewayToken).update(`${RELAY_TOKEN_CONTEXT}:${port}`).digest("hex");
-}
-
-export async function resolveRelayAcceptedTokensForPort(port: number): Promise<string[]> {
-  const gatewayToken = await resolveGatewayAuthToken();
-  if (!gatewayToken) {
-    throw new Error(
-      "extension relay requires gateway auth token (set gateway.auth.token or OPENCLAW_GATEWAY_TOKEN)",
-    );
-  }
-  const relayToken = deriveRelayAuthToken(gatewayToken, port);
-  if (relayToken === gatewayToken) {
-    return [relayToken];
-  }
-  return [relayToken, gatewayToken];
-}
-
-export async function resolveRelayAuthTokenForPort(port: number): Promise<string> {
-  return (await resolveRelayAcceptedTokensForPort(port))[0];
-}
-
-export async function probeAuthenticatedOpenClawRelay(params: {
-  baseUrl: string;
-  relayAuthHeader: string;
-  relayAuthToken: string;
-  timeoutMs?: number;
-}): Promise<boolean> {
-  const ctrl = new AbortController();
-  const timer = setTimeout(() => ctrl.abort(), params.timeoutMs ?? DEFAULT_RELAY_PROBE_TIMEOUT_MS);
-  try {
-    const versionUrl = new URL("/json/version", `${params.baseUrl}/`).toString();
-    const res = await fetch(versionUrl, {
-      signal: ctrl.signal,
-      headers: { [params.relayAuthHeader]: params.relayAuthToken },
-    });
-    if (!res.ok) {
-      return false;
-    }
-    const body = (await res.json()) as { Browser?: unknown };
-    const browserName = typeof body?.Browser === "string" ? body.Browser.trim() : "";
-    return browserName === OPENCLAW_RELAY_BROWSER;
-  } catch {
-    return false;
-  } finally {
-    clearTimeout(timer);
-  }
-}
diff --git a/src/browser/extension-relay.bind-host.test.ts b/src/browser/extension-relay.bind-host.test.ts
deleted file mode 100644
index a029a2f1a95..00000000000
--- a/src/browser/extension-relay.bind-host.test.ts
+++ /dev/null
@@ -1,49 +0,0 @@
-import { afterEach, beforeEach, describe, expect, it } from "vitest";
-import { captureEnv } from "../test-utils/env.js";
-import {
-  ensureChromeExtensionRelayServer,
-  stopChromeExtensionRelayServer,
-} from "./extension-relay.js";
-import { getFreePort } from "./test-port.js";
-
-describe("chrome extension relay bindHost coordination", () => {
-  let cdpUrl = "";
-  let envSnapshot: ReturnType<typeof captureEnv>;
-
-  beforeEach(() => {
-    envSnapshot = captureEnv(["OPENCLAW_GATEWAY_TOKEN"]);
-    process.env.OPENCLAW_GATEWAY_TOKEN = "test-gateway-token";
-  });
-
-  afterEach(async () => {
-    if (cdpUrl) {
-      await stopChromeExtensionRelayServer({ cdpUrl }).catch(() => {});
-      cdpUrl = "";
-    }
-    envSnapshot.restore();
-  });
-
-  it("rebinds the relay when concurrent callers request different bind hosts", async () => {
-    const port = await getFreePort();
-    cdpUrl = `http://127.0.0.1:${port}`;
-
-    const [first, second] = await Promise.all([
-      ensureChromeExtensionRelayServer({ cdpUrl }),
-      ensureChromeExtensionRelayServer({ cdpUrl, bindHost: "0.0.0.0" }),
-    ]);
-
-    const settled = await ensureChromeExtensionRelayServer({
-      cdpUrl,
-      bindHost: "0.0.0.0",
-    });
-
-    expect(first.port).toBe(port);
-    expect(second.port).toBe(port);
-    expect(second).not.toBe(first);
-    expect(second.bindHost).toBe("0.0.0.0");
-    expect(settled).toBe(second);
-
-    const res = await fetch(`http://127.0.0.1:${port}/`);
-    expect(res.status).toBe(200);
-  });
-});
diff --git a/src/browser/extension-relay.test.ts b/src/browser/extension-relay.test.ts
deleted file mode 100644
index f6e14ee8803..00000000000
--- a/src/browser/extension-relay.test.ts
+++ /dev/null
@@ -1,1224 +0,0 @@
-import { createServer } from "node:http";
-import { afterAll, afterEach, beforeEach, describe, expect, it } from "vitest";
-import WebSocket from "ws";
-import { captureEnv } from "../test-utils/env.js";
-import {
-  ensureChromeExtensionRelayServer,
-  getChromeExtensionRelayAuthHeaders,
-  stopChromeExtensionRelayServer,
-} from "./extension-relay.js";
-import { getFreePort } from "./test-port.js";
-
-const RELAY_MESSAGE_TIMEOUT_MS = 1_200;
-const RELAY_LIST_MATCH_TIMEOUT_MS = 1_000;
-const RELAY_TEST_TIMEOUT_MS = 10_000;
-
-function waitForOpen(ws: WebSocket) {
-  return new Promise<void>((resolve, reject) => {
-    ws.once("open", () => resolve());
-    ws.once("error", reject);
-  });
-}
-
-function waitForError(ws: WebSocket) {
-  return new Promise<Error>((resolve, reject) => {
-    ws.once("error", (err) => resolve(err instanceof Error ? err : new Error(String(err))));
-    ws.once("open", () => reject(new Error("expected websocket error")));
-  });
-}
-
-function waitForClose(ws: WebSocket, timeoutMs = RELAY_MESSAGE_TIMEOUT_MS) {
-  return new Promise<void>((resolve, reject) => {
-    const timer = setTimeout(() => {
-      reject(new Error("timeout"));
-    }, timeoutMs);
-    ws.once("close", () => {
-      clearTimeout(timer);
-      resolve();
-    });
-    ws.once("error", (err) => {
-      clearTimeout(timer);
-      reject(err instanceof Error ? err : new Error(String(err)));
-    });
-  });
-}
-
-function relayAuthHeaders(url: string) {
-  return getChromeExtensionRelayAuthHeaders(url);
-}
-
-function createMessageQueue(ws: WebSocket) {
-  const queue: string[] = [];
-  let waiter: ((value: string) => void) | null = null;
-  let waiterReject: ((err: Error) => void) | null = null;
-  let waiterTimer: NodeJS.Timeout | null = null;
-
-  const flushWaiter = (value: string) => {
-    if (!waiter) {
-      return false;
-    }
-    const resolve = waiter;
-    waiter = null;
-    const reject = waiterReject;
-    waiterReject = null;
-    if (waiterTimer) {
-      clearTimeout(waiterTimer);
-    }
-    waiterTimer = null;
-    if (reject) {
-      // no-op (kept for symmetry)
-    }
-    resolve(value);
-    return true;
-  };
-
-  ws.on("message", (data) => {
-    const text =
-      typeof data === "string"
-        ? data
-        : Buffer.isBuffer(data)
-          ? data.toString("utf8")
-          : Array.isArray(data)
-            ? Buffer.concat(data).toString("utf8")
-            : Buffer.from(data).toString("utf8");
-    if (flushWaiter(text)) {
-      return;
-    }
-    queue.push(text);
-  });
-
-  ws.on("error", (err) => {
-    if (!waiterReject) {
-      return;
-    }
-    const reject = waiterReject;
-    waiterReject = null;
-    waiter = null;
-    if (waiterTimer) {
-      clearTimeout(waiterTimer);
-    }
-    waiterTimer = null;
-    reject(err instanceof Error ? err : new Error(String(err)));
-  });
-
-  const next = (timeoutMs = RELAY_MESSAGE_TIMEOUT_MS) =>
-    new Promise<string>((resolve, reject) => {
-      const existing = queue.shift();
-      if (existing !== undefined) {
-        return resolve(existing);
-      }
-      waiter = resolve;
-      waiterReject = reject;
-      waiterTimer = setTimeout(() => {
-        waiter = null;
-        waiterReject = null;
-        waiterTimer = null;
-        reject(new Error("timeout"));
-      }, timeoutMs);
-    });
-
-  return { next };
-}
-
-async function waitForListMatch<T>(
-  fetchList: () => Promise<T>,
-  predicate: (value: T) => boolean,
-  timeoutMs = RELAY_LIST_MATCH_TIMEOUT_MS,
-  intervalMs = 20,
-): Promise<T> {
-  const deadline = Date.now() + timeoutMs;
-  let latest: T | null = null;
-  while (Date.now() <= deadline) {
-    latest = await fetchList();
-    if (predicate(latest)) {
-      return latest;
-    }
-    await new Promise((resolve) => setTimeout(resolve, intervalMs));
-  }
-  throw new Error("timeout waiting for list match");
-}
-
-describe("chrome extension relay server", () => {
-  const TEST_GATEWAY_TOKEN = "test-gateway-token";
-  let cdpUrl = "";
-  let sharedCdpUrl = "";
-  let envSnapshot: ReturnType<typeof captureEnv>;
-
-  beforeEach(() => {
-    envSnapshot = captureEnv([
-      "OPENCLAW_GATEWAY_TOKEN",
-      "OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS",
-      "OPENCLAW_EXTENSION_RELAY_COMMAND_RECONNECT_WAIT_MS",
-    ]);
-    process.env.OPENCLAW_GATEWAY_TOKEN = TEST_GATEWAY_TOKEN;
-    delete process.env.OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS;
-    delete process.env.OPENCLAW_EXTENSION_RELAY_COMMAND_RECONNECT_WAIT_MS;
-  });
-
-  afterEach(async () => {
-    if (cdpUrl) {
-      await stopChromeExtensionRelayServer({ cdpUrl }).catch(() => {});
-      cdpUrl = "";
-    }
-    envSnapshot.restore();
-  });
-
-  afterAll(async () => {
-    if (!sharedCdpUrl) {
-      return;
-    }
-    await stopChromeExtensionRelayServer({ cdpUrl: sharedCdpUrl }).catch(() => {});
-    sharedCdpUrl = "";
-  });
-
-  async function ensureSharedRelayServer() {
-    if (sharedCdpUrl) {
-      return sharedCdpUrl;
-    }
-    const port = await getFreePort();
-    sharedCdpUrl = `http://127.0.0.1:${port}`;
-    await ensureChromeExtensionRelayServer({ cdpUrl: sharedCdpUrl });
-    return sharedCdpUrl;
-  }
-
-  async function startRelayWithExtension() {
-    const port = await getFreePort();
-    cdpUrl = `http://127.0.0.1:${port}`;
-    await ensureChromeExtensionRelayServer({ cdpUrl });
-    const ext = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    await waitForOpen(ext);
-    return { port, ext };
-  }
-
-  it("advertises CDP WS only when extension is connected", async () => {
-    const port = await getFreePort();
-    cdpUrl = `http://127.0.0.1:${port}`;
-    await ensureChromeExtensionRelayServer({ cdpUrl });
-
-    const v1 = (await fetch(`${cdpUrl}/json/version`, {
-      headers: relayAuthHeaders(cdpUrl),
-    }).then((r) => r.json())) as {
-      webSocketDebuggerUrl?: string;
-    };
-    expect(v1.webSocketDebuggerUrl).toBeUndefined();
-
-    const ext = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    await waitForOpen(ext);
-
-    const v2 = (await fetch(`${cdpUrl}/json/version`, {
-      headers: relayAuthHeaders(cdpUrl),
-    }).then((r) => r.json())) as {
-      webSocketDebuggerUrl?: string;
-    };
-    expect(String(v2.webSocketDebuggerUrl ?? "")).toContain(`/cdp`);
-
-    ext.close();
-  });
-
-  it("uses relay-scoped token only for known relay ports", async () => {
-    const port = await getFreePort();
-    const unknown = getChromeExtensionRelayAuthHeaders(`http://127.0.0.1:${port}`);
-    expect(unknown).toEqual({});
-
-    const sharedUrl = await ensureSharedRelayServer();
-
-    const headers = getChromeExtensionRelayAuthHeaders(sharedUrl);
-    expect(Object.keys(headers)).toContain("x-openclaw-relay-token");
-    expect(headers["x-openclaw-relay-token"]).not.toBe(TEST_GATEWAY_TOKEN);
-  });
-
-  it("rejects CDP access without relay auth token", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-    const sharedPort = new URL(sharedUrl).port;
-
-    const res = await fetch(`${sharedUrl}/json/version`);
-    expect(res.status).toBe(401);
-
-    const cdp = new WebSocket(`ws://127.0.0.1:${sharedPort}/cdp`);
-    const err = await waitForError(cdp);
-    expect(err.message).toContain("401");
-  });
-
-  it("returns 400 for malformed percent-encoding in target action routes", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-
-    const res = await fetch(`${sharedUrl}/json/activate/%E0%A4%A`, {
-      headers: relayAuthHeaders(sharedUrl),
-    });
-    expect(res.status).toBe(400);
-    expect(await res.text()).toContain("invalid targetId encoding");
-  });
-
-  it("deduplicates concurrent relay starts for the same requested port", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-    const port = Number(new URL(sharedUrl).port);
-    const [first, second] = await Promise.all([
-      ensureChromeExtensionRelayServer({ cdpUrl: sharedUrl }),
-      ensureChromeExtensionRelayServer({ cdpUrl: sharedUrl }),
-    ]);
-    expect(first).toBe(second);
-    expect(first.port).toBe(port);
-  });
-
-  it("allows CORS preflight from chrome-extension origins", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-
-    const origin = "chrome-extension://abcdefghijklmnop";
-    const res = await fetch(`${sharedUrl}/json/version`, {
-      method: "OPTIONS",
-      headers: {
-        Origin: origin,
-        "Access-Control-Request-Method": "GET",
-        "Access-Control-Request-Headers": "x-openclaw-relay-token",
-      },
-    });
-
-    expect(res.status).toBe(204);
-    expect(res.headers.get("access-control-allow-origin")).toBe(origin);
-    expect(res.headers.get("access-control-allow-headers") ?? "").toContain(
-      "x-openclaw-relay-token",
-    );
-  });
-
-  it("rejects CORS preflight from non-extension origins", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-
-    const res = await fetch(`${sharedUrl}/json/version`, {
-      method: "OPTIONS",
-      headers: {
-        Origin: "https://example.com",
-        "Access-Control-Request-Method": "GET",
-      },
-    });
-
-    expect(res.status).toBe(403);
-  });
-
-  it("returns CORS headers on JSON responses for extension origins", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-
-    const origin = "chrome-extension://abcdefghijklmnop";
-    const res = await fetch(`${sharedUrl}/json/version`, {
-      headers: {
-        Origin: origin,
-        ...relayAuthHeaders(sharedUrl),
-      },
-    });
-
-    expect(res.status).toBe(200);
-    expect(res.headers.get("access-control-allow-origin")).toBe(origin);
-  });
-
-  it("rejects extension websocket access without relay auth token", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-    const sharedPort = new URL(sharedUrl).port;
-
-    const ext = new WebSocket(`ws://127.0.0.1:${sharedPort}/extension`);
-    const err = await waitForError(ext);
-    expect(err.message).toContain("401");
-  });
-
-  it("rejects a second live extension connection with 409", async () => {
-    const port = await getFreePort();
-    cdpUrl = `http://127.0.0.1:${port}`;
-    await ensureChromeExtensionRelayServer({ cdpUrl });
-
-    const ext1 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    await waitForOpen(ext1);
-
-    const ext2 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    const err = await waitForError(ext2);
-    expect(err.message).toContain("409");
-
-    ext1.close();
-  });
-
-  it("allows immediate reconnect when prior extension socket is closing", async () => {
-    const port = await getFreePort();
-    cdpUrl = `http://127.0.0.1:${port}`;
-    await ensureChromeExtensionRelayServer({ cdpUrl });
-
-    const ext1 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    await waitForOpen(ext1);
-    const ext1Closed = new Promise<void>((resolve) => ext1.once("close", () => resolve()));
-
-    ext1.close();
-    const ext2 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    await waitForOpen(ext2);
-    await ext1Closed;
-
-    const status = (await fetch(`${cdpUrl}/extension/status`).then((r) => r.json())) as {
-      connected?: boolean;
-    };
-    expect(status.connected).toBe(true);
-
-    ext2.close();
-  });
-
-  it("keeps CDP clients alive across a brief extension reconnect", async () => {
-    const { port, ext: ext1 } = await startRelayWithExtension();
-    const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-    });
-    await waitForOpen(cdp);
-
-    let cdpClosed = false;
-    cdp.once("close", () => {
-      cdpClosed = true;
-    });
-
-    const ext1Closed = waitForClose(ext1, 2_000);
-    ext1.close();
-    await ext1Closed;
-    const ext2 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    await waitForOpen(ext2);
-    expect(cdpClosed).toBe(false);
-
-    cdp.close();
-    ext2.close();
-  });
-
-  it("keeps /json/version websocket endpoint during short extension disconnects", async () => {
-    const { port, ext } = await startRelayWithExtension();
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "cb-tab-disconnect",
-            targetInfo: {
-              targetId: "t-disconnect",
-              type: "page",
-              title: "Disconnect test",
-              url: "https://example.com",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (list) => list.some((entry) => entry.id === "t-disconnect"),
-    );
-
-    const extClosed = waitForClose(ext, 2_000);
-    ext.close();
-    await extClosed;
-
-    const version = (await fetch(`${cdpUrl}/json/version`, {
-      headers: relayAuthHeaders(cdpUrl),
-    }).then((r) => r.json())) as {
-      webSocketDebuggerUrl?: string;
-    };
-    expect(String(version.webSocketDebuggerUrl ?? "")).toContain("/cdp");
-
-    const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-    });
-    await waitForOpen(cdp);
-    cdp.close();
-  });
-
-  it("accepts re-announce attach events with minimal targetInfo", async () => {
-    const { ext } = await startRelayWithExtension();
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "cb-tab-minimal",
-            targetInfo: {
-              targetId: "t-minimal",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (entries) => entries.some((entry) => entry.id === "t-minimal"),
-    );
-  });
-
-  it("waits briefly for extension reconnect before failing CDP commands", async () => {
-    const { port, ext: ext1 } = await startRelayWithExtension();
-    const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-    });
-    await waitForOpen(cdp);
-    const cdpQueue = createMessageQueue(cdp);
-
-    const ext1Closed = waitForClose(ext1, 2_000);
-    ext1.close();
-    await ext1Closed;
-
-    cdp.send(JSON.stringify({ id: 41, method: "Runtime.enable" }));
-    await new Promise((r) => setTimeout(r, 30));
-
-    const ext2 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    const ext2Queue = createMessageQueue(ext2);
-    await waitForOpen(ext2);
-
-    while (true) {
-      const msg = JSON.parse(await ext2Queue.next(4_000)) as {
-        id?: number;
-        method?: string;
-      };
-      if (msg.method === "ping") {
-        ext2.send(JSON.stringify({ method: "pong" }));
-        continue;
-      }
-      if (msg.method === "forwardCDPCommand" && typeof msg.id === "number") {
-        ext2.send(JSON.stringify({ id: msg.id, result: { ok: true } }));
-        break;
-      }
-    }
-
-    const response = JSON.parse(await cdpQueue.next(6_000)) as {
-      id?: number;
-      result?: { ok?: boolean };
-      error?: { message?: string };
-    };
-    expect(response.id).toBe(41);
-    expect(response.error).toBeUndefined();
-    expect(response.result?.ok).toBe(true);
-
-    cdp.close();
-    ext2.close();
-  });
-
-  it("closes CDP clients after reconnect grace when extension stays disconnected", async () => {
-    process.env.OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS = "150";
-
-    const { port, ext } = await startRelayWithExtension();
-    const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-    });
-    await waitForOpen(cdp);
-
-    ext.close();
-    await waitForClose(cdp, 2_000);
-  });
-
-  it("stops advertising websocket endpoint after reconnect grace expires", async () => {
-    process.env.OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS = "120";
-
-    const { ext } = await startRelayWithExtension();
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "cb-tab-grace-expire",
-            targetInfo: {
-              targetId: "t-grace-expire",
-              type: "page",
-              title: "Grace expire",
-              url: "https://example.com",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (list) => list.some((entry) => entry.id === "t-grace-expire"),
-    );
-
-    ext.close();
-    await expect
-      .poll(
-        async () => {
-          const version = (await fetch(`${cdpUrl}/json/version`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as { webSocketDebuggerUrl?: string };
-          return version.webSocketDebuggerUrl === undefined;
-        },
-        { timeout: 800, interval: 20 },
-      )
-      .toBe(true);
-  });
-
-  it("accepts extension websocket access with relay token query param", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-    const sharedPort = new URL(sharedUrl).port;
-
-    const token = relayAuthHeaders(`ws://127.0.0.1:${sharedPort}/extension`)[
-      "x-openclaw-relay-token"
-    ];
-    expect(token).toBeTruthy();
-    const ext = new WebSocket(
-      `ws://127.0.0.1:${sharedPort}/extension?token=${encodeURIComponent(String(token))}`,
-    );
-    await waitForOpen(ext);
-    ext.close();
-  });
-
-  it("accepts /json endpoints with relay token query param", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-
-    const token = relayAuthHeaders(sharedUrl)["x-openclaw-relay-token"];
-    expect(token).toBeTruthy();
-    const versionRes = await fetch(
-      `${sharedUrl}/json/version?token=${encodeURIComponent(String(token))}`,
-    );
-    expect(versionRes.status).toBe(200);
-  });
-
-  it("accepts raw gateway token for relay auth compatibility", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-    const sharedPort = new URL(sharedUrl).port;
-
-    const versionRes = await fetch(`${sharedUrl}/json/version`, {
-      headers: { "x-openclaw-relay-token": TEST_GATEWAY_TOKEN },
-    });
-    expect(versionRes.status).toBe(200);
-
-    const ext = new WebSocket(
-      `ws://127.0.0.1:${sharedPort}/extension?token=${encodeURIComponent(TEST_GATEWAY_TOKEN)}`,
-    );
-    await waitForOpen(ext);
-    ext.close();
-  });
-
-  it(
-    "tracks attached page targets and exposes them via CDP + /json/list",
-    async () => {
-      const { port, ext } = await startRelayWithExtension();
-
-      // Simulate a tab attach coming from the extension.
-      ext.send(
-        JSON.stringify({
-          method: "forwardCDPEvent",
-          params: {
-            method: "Target.attachedToTarget",
-            params: {
-              sessionId: "cb-tab-1",
-              targetInfo: {
-                targetId: "t1",
-                type: "page",
-                title: "Example",
-                url: "https://example.com",
-              },
-              waitingForDebugger: false,
-            },
-          },
-        }),
-      );
-
-      const list = (await fetch(`${cdpUrl}/json/list`, {
-        headers: relayAuthHeaders(cdpUrl),
-      }).then((r) => r.json())) as Array<{
-        id?: string;
-        url?: string;
-        title?: string;
-      }>;
-      expect(list.some((t) => t.id === "t1" && t.url === "https://example.com")).toBe(true);
-
-      // Simulate navigation updating tab metadata.
-      ext.send(
-        JSON.stringify({
-          method: "forwardCDPEvent",
-          params: {
-            method: "Target.targetInfoChanged",
-            params: {
-              targetInfo: {
-                targetId: "t1",
-                type: "page",
-                title: "DER STANDARD",
-                url: "https://www.derstandard.at/",
-              },
-            },
-          },
-        }),
-      );
-
-      await waitForListMatch(
-        async () =>
-          (await fetch(`${cdpUrl}/json/list`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as Array<{
-            id?: string;
-            url?: string;
-            title?: string;
-          }>,
-        (list) =>
-          list.some(
-            (t) =>
-              t.id === "t1" &&
-              t.url === "https://www.derstandard.at/" &&
-              t.title === "DER STANDARD",
-          ),
-      );
-
-      const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-        headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-      });
-      await waitForOpen(cdp);
-      const q = createMessageQueue(cdp);
-
-      cdp.send(JSON.stringify({ id: 1, method: "Target.getTargets" }));
-      const res1 = JSON.parse(await q.next()) as { id: number; result?: unknown };
-      expect(res1.id).toBe(1);
-      const targetInfos = (
-        res1.result as { targetInfos?: Array<{ targetId?: string }> } | undefined
-      )?.targetInfos;
-      expect((targetInfos ?? []).some((target) => target.targetId === "t1")).toBe(true);
-
-      cdp.send(
-        JSON.stringify({
-          id: 2,
-          method: "Target.attachToTarget",
-          params: { targetId: "t1" },
-        }),
-      );
-      const received: Array<{
-        id?: number;
-        method?: string;
-        result?: unknown;
-        params?: unknown;
-      }> = [];
-      received.push(JSON.parse(await q.next()) as never);
-      received.push(JSON.parse(await q.next()) as never);
-
-      const res2 = received.find((m) => m.id === 2);
-      expect(res2?.id).toBe(2);
-      expect((res2?.result as { sessionId?: string } | undefined)?.sessionId).toBe("cb-tab-1");
-
-      const evt = received.find((m) => m.method === "Target.attachedToTarget");
-      expect(evt?.method).toBe("Target.attachedToTarget");
-      expect(
-        (evt?.params as { targetInfo?: { targetId?: string } } | undefined)?.targetInfo?.targetId,
-      ).toBe("t1");
-
-      cdp.close();
-      ext.close();
-    },
-    RELAY_TEST_TIMEOUT_MS,
-  );
-
-  it("removes cached targets from /json/list when targetDestroyed arrives", async () => {
-    const { ext } = await startRelayWithExtension();
-
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "cb-tab-1",
-            targetInfo: {
-              targetId: "t1",
-              type: "page",
-              title: "Example",
-              url: "https://example.com",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (list) => list.some((target) => target.id === "t1"),
-    );
-
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.targetDestroyed",
-          params: { targetId: "t1" },
-        },
-      }),
-    );
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (list) => list.every((target) => target.id !== "t1"),
-    );
-    ext.close();
-  });
-
-  it("prunes stale cached targets after target-not-found command errors", async () => {
-    const { port, ext } = await startRelayWithExtension();
-    const extQueue = createMessageQueue(ext);
-
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "cb-tab-1",
-            targetInfo: {
-              targetId: "t1",
-              type: "page",
-              title: "Example",
-              url: "https://example.com",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (list) => list.some((target) => target.id === "t1"),
-    );
-
-    const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-    });
-    await waitForOpen(cdp);
-    const cdpQueue = createMessageQueue(cdp);
-
-    cdp.send(
-      JSON.stringify({
-        id: 77,
-        method: "Runtime.evaluate",
-        sessionId: "cb-tab-1",
-        params: { expression: "1+1" },
-      }),
-    );
-
-    let forwardedId: number | null = null;
-    for (let attempt = 0; attempt < 6; attempt++) {
-      const msg = JSON.parse(await extQueue.next()) as { method?: string; id?: number };
-      if (msg.method === "forwardCDPCommand" && typeof msg.id === "number") {
-        forwardedId = msg.id;
-        break;
-      }
-    }
-    expect(forwardedId).not.toBeNull();
-
-    ext.send(
-      JSON.stringify({
-        id: forwardedId,
-        error: "No target with given id",
-      }),
-    );
-
-    let response: { id?: number; error?: { message?: string } } | null = null;
-    for (let attempt = 0; attempt < 6; attempt++) {
-      const msg = JSON.parse(await cdpQueue.next()) as {
-        id?: number;
-        error?: { message?: string };
-      };
-      if (msg.id === 77) {
-        response = msg;
-        break;
-      }
-    }
-    expect(response?.id).toBe(77);
-    expect(response?.error?.message ?? "").toContain("No target with given id");
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (list) => list.every((target) => target.id !== "t1"),
-    );
-
-    cdp.close();
-    ext.close();
-  });
-
-  it("rebroadcasts attach when a session id is reused for a new target", async () => {
-    const { port, ext } = await startRelayWithExtension();
-
-    const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-    });
-    await waitForOpen(cdp);
-    const q = createMessageQueue(cdp);
-
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "shared-session",
-            targetInfo: {
-              targetId: "t1",
-              type: "page",
-              title: "First",
-              url: "https://example.com",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    const first = JSON.parse(await q.next()) as { method?: string; params?: unknown };
-    expect(first.method).toBe("Target.attachedToTarget");
-    expect(
-      (first.params as { targetInfo?: { targetId?: string } } | undefined)?.targetInfo?.targetId,
-    ).toBe("t1");
-
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "shared-session",
-            targetInfo: {
-              targetId: "t2",
-              type: "page",
-              title: "Second",
-              url: "https://example.org",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    const received: Array<{ method?: string; params?: unknown }> = [];
-    received.push(JSON.parse(await q.next()) as never);
-    received.push(JSON.parse(await q.next()) as never);
-
-    const detached = received.find((m) => m.method === "Target.detachedFromTarget");
-    const attached = received.find((m) => m.method === "Target.attachedToTarget");
-    expect((detached?.params as { targetId?: string } | undefined)?.targetId).toBe("t1");
-    expect(
-      (attached?.params as { targetInfo?: { targetId?: string } } | undefined)?.targetInfo
-        ?.targetId,
-    ).toBe("t2");
-
-    cdp.close();
-    ext.close();
-  });
-
-  it("reuses an already-bound relay port when another process owns it", async () => {
-    const port = await getFreePort();
-    let probeToken: string | undefined;
-    const fakeRelay = createServer((req, res) => {
-      if (req.url?.startsWith("/json/version")) {
-        const header = req.headers["x-openclaw-relay-token"];
-        probeToken = Array.isArray(header) ? header[0] : header;
-        if (!probeToken) {
-          res.writeHead(401);
-          res.end("Unauthorized");
-          return;
-        }
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ Browser: "OpenClaw/extension-relay" }));
-        return;
-      }
-      if (req.url?.startsWith("/extension/status")) {
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ connected: false }));
-        return;
-      }
-      res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
-      res.end("OK");
-    });
-    await new Promise<void>((resolve, reject) => {
-      fakeRelay.listen(port, "127.0.0.1", () => resolve());
-      fakeRelay.once("error", reject);
-    });
-
-    try {
-      cdpUrl = `http://127.0.0.1:${port}`;
-      const relay = await ensureChromeExtensionRelayServer({ cdpUrl });
-      expect(relay.port).toBe(port);
-      const status = (await fetch(`${cdpUrl}/extension/status`).then((r) => r.json())) as {
-        connected?: boolean;
-      };
-      expect(status.connected).toBe(false);
-      expect(probeToken).toBeTruthy();
-      expect(probeToken).not.toBe("test-gateway-token");
-    } finally {
-      await new Promise<void>((resolve) => fakeRelay.close(() => resolve()));
-    }
-  });
-
-  it(
-    "restores tabs after extension reconnects and re-announces",
-    async () => {
-      process.env.OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS = "200";
-
-      const { port, ext: ext1 } = await startRelayWithExtension();
-
-      ext1.send(
-        JSON.stringify({
-          method: "forwardCDPEvent",
-          params: {
-            method: "Target.attachedToTarget",
-            params: {
-              sessionId: "cb-tab-10",
-              targetInfo: {
-                targetId: "t10",
-                type: "page",
-                title: "My Page",
-                url: "https://example.com",
-              },
-              waitingForDebugger: false,
-            },
-          },
-        }),
-      );
-
-      await waitForListMatch(
-        async () =>
-          (await fetch(`${cdpUrl}/json/list`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as Array<{ id?: string }>,
-        (list) => list.some((t) => t.id === "t10"),
-      );
-
-      // Disconnect extension and wait for grace period cleanup.
-      const ext1Closed = waitForClose(ext1, 2_000);
-      ext1.close();
-      await ext1Closed;
-      await waitForListMatch(
-        async () =>
-          (await fetch(`${cdpUrl}/json/list`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as Array<{ id?: string }>,
-        (list) => list.length === 0,
-      );
-
-      // Reconnect and re-announce the same tab (simulates reannounceAttachedTabs).
-      const ext2 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-        headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-      });
-      await waitForOpen(ext2);
-
-      ext2.send(
-        JSON.stringify({
-          method: "forwardCDPEvent",
-          params: {
-            method: "Target.attachedToTarget",
-            params: {
-              sessionId: "cb-tab-10",
-              targetInfo: {
-                targetId: "t10",
-                type: "page",
-                title: "My Page",
-                url: "https://example.com",
-              },
-              waitingForDebugger: false,
-            },
-          },
-        }),
-      );
-
-      const list2 = await waitForListMatch(
-        async () =>
-          (await fetch(`${cdpUrl}/json/list`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as Array<{ id?: string; title?: string }>,
-        (list) => list.some((t) => t.id === "t10"),
-      );
-      expect(list2.some((t) => t.id === "t10" && t.title === "My Page")).toBe(true);
-
-      ext2.close();
-    },
-    RELAY_TEST_TIMEOUT_MS,
-  );
-
-  it(
-    "preserves tab across a fast extension reconnect within grace period",
-    async () => {
-      process.env.OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS = "2000";
-
-      const { port, ext: ext1 } = await startRelayWithExtension();
-
-      ext1.send(
-        JSON.stringify({
-          method: "forwardCDPEvent",
-          params: {
-            method: "Target.attachedToTarget",
-            params: {
-              sessionId: "cb-tab-20",
-              targetInfo: {
-                targetId: "t20",
-                type: "page",
-                title: "Persistent",
-                url: "https://example.org",
-              },
-              waitingForDebugger: false,
-            },
-          },
-        }),
-      );
-
-      await waitForListMatch(
-        async () =>
-          (await fetch(`${cdpUrl}/json/list`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as Array<{ id?: string }>,
-        (list) => list.some((t) => t.id === "t20"),
-      );
-
-      // Disconnect briefly (within grace period).
-      const ext1Closed = waitForClose(ext1, 2_000);
-      ext1.close();
-      await ext1Closed;
-
-      // Tab should still be listed during grace period.
-      const listDuringGrace = (await fetch(`${cdpUrl}/json/list`, {
-        headers: relayAuthHeaders(cdpUrl),
-      }).then((r) => r.json())) as Array<{ id?: string }>;
-      expect(listDuringGrace.some((t) => t.id === "t20")).toBe(true);
-
-      // Reconnect within grace and re-announce with updated info.
-      const ext2 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-        headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-      });
-      await waitForOpen(ext2);
-
-      ext2.send(
-        JSON.stringify({
-          method: "forwardCDPEvent",
-          params: {
-            method: "Target.attachedToTarget",
-            params: {
-              sessionId: "cb-tab-20",
-              targetInfo: {
-                targetId: "t20",
-                type: "page",
-                title: "Persistent Updated",
-                url: "https://example.org/new",
-              },
-              waitingForDebugger: false,
-            },
-          },
-        }),
-      );
-
-      const list2 = await waitForListMatch(
-        async () =>
-          (await fetch(`${cdpUrl}/json/list`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as Array<{ id?: string; title?: string; url?: string }>,
-        (list) => list.some((t) => t.id === "t20" && t.title === "Persistent Updated"),
-      );
-      expect(list2.some((t) => t.id === "t20" && t.url === "https://example.org/new")).toBe(true);
-
-      ext2.close();
-    },
-    RELAY_TEST_TIMEOUT_MS,
-  );
-
-  it("does not swallow EADDRINUSE when occupied port is not an openclaw relay", async () => {
-    const port = await getFreePort();
-    const blocker = createServer((_, res) => {
-      res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
-      res.end("not-relay");
-    });
-    await new Promise<void>((resolve, reject) => {
-      blocker.listen(port, "127.0.0.1", () => resolve());
-      blocker.once("error", reject);
-    });
-    const blockedUrl = `http://127.0.0.1:${port}`;
-    await expect(ensureChromeExtensionRelayServer({ cdpUrl: blockedUrl })).rejects.toThrow(
-      /EADDRINUSE/i,
-    );
-    await new Promise<void>((resolve) => blocker.close(() => resolve()));
-  });
-
-  it(
-    "respects bindHost override to bind on a non-loopback address",
-    async () => {
-      const port = await getFreePort();
-      cdpUrl = `http://127.0.0.1:${port}`;
-      const relay = await ensureChromeExtensionRelayServer({
-        cdpUrl,
-        bindHost: "0.0.0.0",
-      });
-      expect(relay.port).toBe(port);
-      // Verify the server actually bound to 0.0.0.0, not the cdpUrl host.
-      expect(relay.bindHost).toBe("0.0.0.0");
-
-      const res = await fetch(`http://127.0.0.1:${port}/`);
-      expect(res.status).toBe(200);
-    },
-    RELAY_TEST_TIMEOUT_MS,
-  );
-
-  it(
-    "defaults bindHost to cdpUrl host when not specified",
-    async () => {
-      const port = await getFreePort();
-      cdpUrl = `http://127.0.0.1:${port}`;
-      const relay = await ensureChromeExtensionRelayServer({ cdpUrl });
-      expect(relay.host).toBe("127.0.0.1");
-      expect(relay.bindHost).toBe("127.0.0.1");
-
-      const res = await fetch(`http://127.0.0.1:${port}/`);
-      expect(res.status).toBe(200);
-    },
-    RELAY_TEST_TIMEOUT_MS,
-  );
-
-  it(
-    "restarts the relay when bindHost changes for the same port",
-    async () => {
-      const port = await getFreePort();
-      cdpUrl = `http://127.0.0.1:${port}`;
-
-      const initial = await ensureChromeExtensionRelayServer({ cdpUrl });
-      expect(initial.bindHost).toBe("127.0.0.1");
-
-      const rebound = await ensureChromeExtensionRelayServer({
-        cdpUrl,
-        bindHost: "0.0.0.0",
-      });
-      expect(rebound.bindHost).toBe("0.0.0.0");
-      expect(rebound.port).toBe(port);
-    },
-    RELAY_TEST_TIMEOUT_MS,
-  );
-});
diff --git a/src/browser/extension-relay.ts b/src/browser/extension-relay.ts
deleted file mode 100644
index 5a87670605e..00000000000
--- a/src/browser/extension-relay.ts
+++ /dev/null
@@ -1,1068 +0,0 @@
-import type { IncomingMessage } from "node:http";
-import { createServer } from "node:http";
-import type { AddressInfo } from "node:net";
-import type { Duplex } from "node:stream";
-import WebSocket, { WebSocketServer } from "ws";
-import { isLoopbackAddress, isLoopbackHost } from "../gateway/net.js";
-import { rawDataToString } from "../infra/ws.js";
-import {
-  probeAuthenticatedOpenClawRelay,
-  resolveRelayAcceptedTokensForPort,
-  resolveRelayAuthTokenForPort,
-} from "./extension-relay-auth.js";
-
-type CdpCommand = {
-  id: number;
-  method: string;
-  params?: unknown;
-  sessionId?: string;
-};
-
-type CdpResponse = {
-  id: number;
-  result?: unknown;
-  error?: { message: string };
-  sessionId?: string;
-};
-
-type CdpEvent = {
-  method: string;
-  params?: unknown;
-  sessionId?: string;
-};
-
-type ExtensionForwardCommandMessage = {
-  id: number;
-  method: "forwardCDPCommand";
-  params: { method: string; params?: unknown; sessionId?: string };
-};
-
-type ExtensionResponseMessage = {
-  id: number;
-  result?: unknown;
-  error?: string;
-};
-
-type ExtensionForwardEventMessage = {
-  method: "forwardCDPEvent";
-  params: { method: string; params?: unknown; sessionId?: string };
-};
-
-type ExtensionPingMessage = { method: "ping" };
-type ExtensionPongMessage = { method: "pong" };
-
-type ExtensionMessage =
-  | ExtensionResponseMessage
-  | ExtensionForwardEventMessage
-  | ExtensionPongMessage;
-
-type TargetInfo = {
-  targetId: string;
-  type?: string;
-  title?: string;
-  url?: string;
-  attached?: boolean;
-};
-
-type AttachedToTargetEvent = {
-  sessionId: string;
-  targetInfo: TargetInfo;
-  waitingForDebugger?: boolean;
-};
-
-type DetachedFromTargetEvent = {
-  sessionId: string;
-  targetId?: string;
-};
-
-type ConnectedTarget = {
-  sessionId: string;
-  targetId: string;
-  targetInfo: TargetInfo;
-};
-
-const RELAY_AUTH_HEADER = "x-openclaw-relay-token";
-const DEFAULT_EXTENSION_RECONNECT_GRACE_MS = 20_000;
-const DEFAULT_EXTENSION_COMMAND_RECONNECT_WAIT_MS = 3_000;
-
-function headerValue(value: string | string[] | undefined): string | undefined {
-  if (!value) {
-    return undefined;
-  }
-  if (Array.isArray(value)) {
-    return value[0];
-  }
-  return value;
-}
-
-function getHeader(req: IncomingMessage, name: string): string | undefined {
-  return headerValue(req.headers[name.toLowerCase()]);
-}
-
-function getRelayAuthTokenFromRequest(req: IncomingMessage, url?: URL): string | undefined {
-  const headerToken = getHeader(req, RELAY_AUTH_HEADER)?.trim();
-  if (headerToken) {
-    return headerToken;
-  }
-  const queryToken = url?.searchParams.get("token")?.trim();
-  if (queryToken) {
-    return queryToken;
-  }
-  return undefined;
-}
-
-export type ChromeExtensionRelayServer = {
-  host: string;
-  bindHost: string;
-  port: number;
-  baseUrl: string;
-  cdpWsUrl: string;
-  extensionConnected: () => boolean;
-  stop: () => Promise<void>;
-};
-
-type RelayRuntime = {
-  server: ChromeExtensionRelayServer;
-  relayAuthToken: string;
-};
-
-function parseUrlPort(parsed: URL): number | null {
-  const port =
-    parsed.port?.trim() !== "" ? Number(parsed.port) : parsed.protocol === "https:" ? 443 : 80;
-  if (!Number.isFinite(port) || port <= 0 || port > 65535) {
-    return null;
-  }
-  return port;
-}
-
-function parseBaseUrl(raw: string): {
-  host: string;
-  port: number;
-  baseUrl: string;
-} {
-  const parsed = new URL(raw.trim().replace(/\/$/, ""));
-  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-    throw new Error(`extension relay cdpUrl must be http(s), got ${parsed.protocol}`);
-  }
-  const host = parsed.hostname;
-  const port = parseUrlPort(parsed);
-  if (!port) {
-    throw new Error(`extension relay cdpUrl has invalid port: ${parsed.port || "(empty)"}`);
-  }
-  return { host, port, baseUrl: parsed.toString().replace(/\/$/, "") };
-}
-
-function text(res: Duplex, status: number, bodyText: string) {
-  const body = Buffer.from(bodyText);
-  res.write(
-    `HTTP/1.1 ${status} ${status === 200 ? "OK" : "ERR"}\r\n` +
-      "Content-Type: text/plain; charset=utf-8\r\n" +
-      `Content-Length: ${body.length}\r\n` +
-      "Connection: close\r\n" +
-      "\r\n",
-  );
-  res.write(body);
-  res.end();
-}
-
-function rejectUpgrade(socket: Duplex, status: number, bodyText: string) {
-  text(socket, status, bodyText);
-  try {
-    socket.destroy();
-  } catch {
-    // ignore
-  }
-}
-
-function envMsOrDefault(name: string, fallback: number): number {
-  const raw = process.env[name];
-  if (!raw || raw.trim() === "") {
-    return fallback;
-  }
-  const parsed = Number.parseInt(raw, 10);
-  if (!Number.isFinite(parsed) || parsed <= 0) {
-    return fallback;
-  }
-  return parsed;
-}
-
-const relayRuntimeByPort = new Map<number, RelayRuntime>();
-const relayInitByPort = new Map<number, Promise<ChromeExtensionRelayServer>>();
-
-function isAddrInUseError(err: unknown): boolean {
-  return (
-    typeof err === "object" &&
-    err !== null &&
-    "code" in err &&
-    (err as { code?: unknown }).code === "EADDRINUSE"
-  );
-}
-
-function relayAuthTokenForUrl(url: string): string | null {
-  try {
-    const parsed = new URL(url);
-    if (!isLoopbackHost(parsed.hostname)) {
-      return null;
-    }
-    const port = parseUrlPort(parsed);
-    if (!port) {
-      return null;
-    }
-    return relayRuntimeByPort.get(port)?.relayAuthToken ?? null;
-  } catch {
-    return null;
-  }
-}
-
-export function getChromeExtensionRelayAuthHeaders(url: string): Record<string, string> {
-  const token = relayAuthTokenForUrl(url);
-  if (!token) {
-    return {};
-  }
-  return { [RELAY_AUTH_HEADER]: token };
-}
-
-export async function ensureChromeExtensionRelayServer(opts: {
-  cdpUrl: string;
-  bindHost?: string;
-}): Promise<ChromeExtensionRelayServer> {
-  const info = parseBaseUrl(opts.cdpUrl);
-  if (!isLoopbackHost(info.host)) {
-    throw new Error(`extension relay requires loopback cdpUrl host (got ${info.host})`);
-  }
-  const bindHost = opts.bindHost ?? info.host;
-
-  const existing = relayRuntimeByPort.get(info.port);
-  if (existing) {
-    if (existing.server.bindHost !== bindHost) {
-      await existing.server.stop();
-    } else {
-      return existing.server;
-    }
-  }
-
-  const inFlight = relayInitByPort.get(info.port);
-  if (inFlight) {
-    const server = await inFlight;
-    if (server.bindHost === bindHost) {
-      return server;
-    }
-    await server.stop();
-  }
-
-  const extensionReconnectGraceMs = envMsOrDefault(
-    "OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS",
-    DEFAULT_EXTENSION_RECONNECT_GRACE_MS,
-  );
-  const extensionCommandReconnectWaitMs = envMsOrDefault(
-    "OPENCLAW_EXTENSION_RELAY_COMMAND_RECONNECT_WAIT_MS",
-    DEFAULT_EXTENSION_COMMAND_RECONNECT_WAIT_MS,
-  );
-
-  const initPromise = (async (): Promise<ChromeExtensionRelayServer> => {
-    const relayAuthToken = await resolveRelayAuthTokenForPort(info.port);
-    const relayAuthTokens = new Set(await resolveRelayAcceptedTokensForPort(info.port));
-
-    let extensionWs: WebSocket | null = null;
-    const cdpClients = new Set<WebSocket>();
-    const connectedTargets = new Map<string, ConnectedTarget>();
-    const extensionConnected = () => extensionWs?.readyState === WebSocket.OPEN;
-    const hasConnectedTargets = () => connectedTargets.size > 0;
-    let extensionDisconnectCleanupTimer: NodeJS.Timeout | null = null;
-    const extensionReconnectWaiters = new Set<(connected: boolean) => void>();
-
-    const flushExtensionReconnectWaiters = (connected: boolean) => {
-      if (extensionReconnectWaiters.size === 0) {
-        return;
-      }
-      const waiters = Array.from(extensionReconnectWaiters);
-      extensionReconnectWaiters.clear();
-      for (const waiter of waiters) {
-        waiter(connected);
-      }
-    };
-
-    const clearExtensionDisconnectCleanupTimer = () => {
-      if (!extensionDisconnectCleanupTimer) {
-        return;
-      }
-      clearTimeout(extensionDisconnectCleanupTimer);
-      extensionDisconnectCleanupTimer = null;
-    };
-
-    const closeCdpClientsAfterExtensionDisconnect = () => {
-      connectedTargets.clear();
-      for (const client of cdpClients) {
-        try {
-          client.close(1011, "extension disconnected");
-        } catch {
-          // ignore
-        }
-      }
-      cdpClients.clear();
-      flushExtensionReconnectWaiters(false);
-    };
-
-    const scheduleExtensionDisconnectCleanup = () => {
-      clearExtensionDisconnectCleanupTimer();
-      extensionDisconnectCleanupTimer = setTimeout(() => {
-        extensionDisconnectCleanupTimer = null;
-        if (extensionConnected()) {
-          return;
-        }
-        closeCdpClientsAfterExtensionDisconnect();
-      }, extensionReconnectGraceMs);
-    };
-
-    const waitForExtensionReconnect = async (timeoutMs: number): Promise<boolean> => {
-      if (extensionConnected()) {
-        return true;
-      }
-      return await new Promise<boolean>((resolve) => {
-        let settled = false;
-        const waiter = (connected: boolean) => {
-          if (settled) {
-            return;
-          }
-          settled = true;
-          clearTimeout(timer);
-          extensionReconnectWaiters.delete(waiter);
-          resolve(connected);
-        };
-        const timer = setTimeout(() => {
-          waiter(false);
-        }, timeoutMs);
-        extensionReconnectWaiters.add(waiter);
-      });
-    };
-
-    const pendingExtension = new Map<
-      number,
-      {
-        resolve: (v: unknown) => void;
-        reject: (e: Error) => void;
-        timer: NodeJS.Timeout;
-      }
-    >();
-    let nextExtensionId = 1;
-
-    const sendToExtension = async (payload: ExtensionForwardCommandMessage): Promise<unknown> => {
-      const ws = extensionWs;
-      if (!ws || ws.readyState !== WebSocket.OPEN) {
-        throw new Error("Chrome extension not connected");
-      }
-      ws.send(JSON.stringify(payload));
-      return await new Promise<unknown>((resolve, reject) => {
-        const timer = setTimeout(() => {
-          pendingExtension.delete(payload.id);
-          reject(new Error(`extension request timeout: ${payload.params.method}`));
-        }, 30_000);
-        pendingExtension.set(payload.id, { resolve, reject, timer });
-      });
-    };
-
-    const broadcastToCdpClients = (evt: CdpEvent) => {
-      const msg = JSON.stringify(evt);
-      for (const ws of cdpClients) {
-        if (ws.readyState !== WebSocket.OPEN) {
-          continue;
-        }
-        ws.send(msg);
-      }
-    };
-
-    const sendResponseToCdp = (ws: WebSocket, res: CdpResponse) => {
-      if (ws.readyState !== WebSocket.OPEN) {
-        return;
-      }
-      ws.send(JSON.stringify(res));
-    };
-
-    const dropConnectedTargetSession = (sessionId: string): ConnectedTarget | undefined => {
-      const existing = connectedTargets.get(sessionId);
-      if (!existing) {
-        return undefined;
-      }
-      connectedTargets.delete(sessionId);
-      return existing;
-    };
-
-    const dropConnectedTargetsByTargetId = (targetId: string): ConnectedTarget[] => {
-      const removed: ConnectedTarget[] = [];
-      for (const [sessionId, target] of connectedTargets) {
-        if (target.targetId !== targetId) {
-          continue;
-        }
-        connectedTargets.delete(sessionId);
-        removed.push(target);
-      }
-      return removed;
-    };
-
-    const broadcastDetachedTarget = (target: ConnectedTarget, targetId?: string) => {
-      broadcastToCdpClients({
-        method: "Target.detachedFromTarget",
-        params: {
-          sessionId: target.sessionId,
-          targetId: targetId ?? target.targetId,
-        },
-        sessionId: target.sessionId,
-      });
-    };
-
-    const isMissingTargetError = (err: unknown) => {
-      const message = (err instanceof Error ? err.message : String(err)).toLowerCase();
-      return (
-        message.includes("target not found") ||
-        message.includes("no target with given id") ||
-        message.includes("session not found") ||
-        message.includes("cannot find session")
-      );
-    };
-
-    const pruneStaleTargetsFromCommandFailure = (cmd: CdpCommand, err: unknown) => {
-      if (!isMissingTargetError(err)) {
-        return;
-      }
-      if (cmd.sessionId) {
-        const removed = dropConnectedTargetSession(cmd.sessionId);
-        if (removed) {
-          broadcastDetachedTarget(removed);
-          return;
-        }
-      }
-      const params = (cmd.params ?? {}) as { targetId?: unknown };
-      const targetId = typeof params.targetId === "string" ? params.targetId : undefined;
-      if (!targetId) {
-        return;
-      }
-      const removedTargets = dropConnectedTargetsByTargetId(targetId);
-      for (const removed of removedTargets) {
-        broadcastDetachedTarget(removed, targetId);
-      }
-    };
-
-    const ensureTargetEventsForClient = (ws: WebSocket, mode: "autoAttach" | "discover") => {
-      for (const target of connectedTargets.values()) {
-        if (mode === "autoAttach") {
-          ws.send(
-            JSON.stringify({
-              method: "Target.attachedToTarget",
-              params: {
-                sessionId: target.sessionId,
-                targetInfo: { ...target.targetInfo, attached: true },
-                waitingForDebugger: false,
-              },
-            } satisfies CdpEvent),
-          );
-        } else {
-          ws.send(
-            JSON.stringify({
-              method: "Target.targetCreated",
-              params: { targetInfo: { ...target.targetInfo, attached: true } },
-            } satisfies CdpEvent),
-          );
-        }
-      }
-    };
-
-    const routeCdpCommand = async (cmd: CdpCommand): Promise<unknown> => {
-      switch (cmd.method) {
-        case "Browser.getVersion":
-          return {
-            protocolVersion: "1.3",
-            product: "Chrome/OpenClaw-Extension-Relay",
-            revision: "0",
-            userAgent: "OpenClaw-Extension-Relay",
-            jsVersion: "V8",
-          };
-        case "Browser.setDownloadBehavior":
-          return {};
-        case "Target.setAutoAttach":
-        case "Target.setDiscoverTargets":
-          return {};
-        case "Target.getTargets":
-          return {
-            targetInfos: Array.from(connectedTargets.values()).map((t) => ({
-              ...t.targetInfo,
-              attached: true,
-            })),
-          };
-        case "Target.getTargetInfo": {
-          const params = (cmd.params ?? {}) as { targetId?: string };
-          const targetId = typeof params.targetId === "string" ? params.targetId : undefined;
-          if (targetId) {
-            for (const t of connectedTargets.values()) {
-              if (t.targetId === targetId) {
-                return { targetInfo: t.targetInfo };
-              }
-            }
-          }
-          if (cmd.sessionId && connectedTargets.has(cmd.sessionId)) {
-            const t = connectedTargets.get(cmd.sessionId);
-            if (t) {
-              return { targetInfo: t.targetInfo };
-            }
-          }
-          const first = Array.from(connectedTargets.values())[0];
-          return { targetInfo: first?.targetInfo };
-        }
-        case "Target.attachToTarget": {
-          const params = (cmd.params ?? {}) as { targetId?: string };
-          const targetId = typeof params.targetId === "string" ? params.targetId : undefined;
-          if (!targetId) {
-            throw new Error("targetId required");
-          }
-          for (const t of connectedTargets.values()) {
-            if (t.targetId === targetId) {
-              return { sessionId: t.sessionId };
-            }
-          }
-          throw new Error("target not found");
-        }
-        default: {
-          const id = nextExtensionId++;
-          return await sendToExtension({
-            id,
-            method: "forwardCDPCommand",
-            params: {
-              method: cmd.method,
-              sessionId: cmd.sessionId,
-              params: cmd.params,
-            },
-          });
-        }
-      }
-    };
-
-    const server = createServer((req, res) => {
-      const url = new URL(req.url ?? "/", info.baseUrl);
-      const path = url.pathname;
-      const origin = getHeader(req, "origin");
-      const isChromeExtensionOrigin =
-        typeof origin === "string" && origin.startsWith("chrome-extension://");
-
-      if (isChromeExtensionOrigin && origin) {
-        // Let extension pages call relay HTTP endpoints cross-origin.
-        res.setHeader("Access-Control-Allow-Origin", origin);
-        res.setHeader("Vary", "Origin");
-      }
-
-      // Handle CORS preflight requests from the browser extension.
-      if (req.method === "OPTIONS") {
-        if (origin && !isChromeExtensionOrigin) {
-          res.writeHead(403);
-          res.end("Forbidden");
-          return;
-        }
-        const requestedHeaders = (getHeader(req, "access-control-request-headers") ?? "")
-          .split(",")
-          .map((header) => header.trim().toLowerCase())
-          .filter((header) => header.length > 0);
-        const allowedHeaders = new Set(["content-type", RELAY_AUTH_HEADER, ...requestedHeaders]);
-        res.writeHead(204, {
-          "Access-Control-Allow-Origin": origin ?? "*",
-          "Access-Control-Allow-Methods": "GET, PUT, POST, OPTIONS",
-          "Access-Control-Allow-Headers": Array.from(allowedHeaders).join(", "),
-          "Access-Control-Max-Age": "86400",
-          Vary: "Origin, Access-Control-Request-Headers",
-        });
-        res.end();
-        return;
-      }
-
-      if (path.startsWith("/json")) {
-        const token = getRelayAuthTokenFromRequest(req, url);
-        if (!token || !relayAuthTokens.has(token)) {
-          res.writeHead(401);
-          res.end("Unauthorized");
-          return;
-        }
-      }
-
-      if (req.method === "HEAD" && path === "/") {
-        res.writeHead(200);
-        res.end();
-        return;
-      }
-
-      if (path === "/") {
-        res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
-        res.end("OK");
-        return;
-      }
-
-      if (path === "/extension/status") {
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ connected: extensionConnected() }));
-        return;
-      }
-
-      const hostHeader = req.headers.host?.trim() || `${info.host}:${info.port}`;
-      const wsHost = `ws://${hostHeader}`;
-      const cdpWsUrl = `${wsHost}/cdp`;
-
-      if (
-        (path === "/json/version" || path === "/json/version/") &&
-        (req.method === "GET" || req.method === "PUT")
-      ) {
-        const payload: Record<string, unknown> = {
-          Browser: "OpenClaw/extension-relay",
-          "Protocol-Version": "1.3",
-        };
-        // Keep reporting CDP WS while attached targets are cached, so callers can
-        // reconnect through brief MV3 worker disconnects.
-        if (extensionConnected() || hasConnectedTargets()) {
-          payload.webSocketDebuggerUrl = cdpWsUrl;
-        }
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify(payload));
-        return;
-      }
-
-      const listPaths = new Set(["/json", "/json/", "/json/list", "/json/list/"]);
-      if (listPaths.has(path) && (req.method === "GET" || req.method === "PUT")) {
-        const list = Array.from(connectedTargets.values()).map((t) => ({
-          id: t.targetId,
-          type: t.targetInfo.type ?? "page",
-          title: t.targetInfo.title ?? "",
-          description: t.targetInfo.title ?? "",
-          url: t.targetInfo.url ?? "",
-          webSocketDebuggerUrl: cdpWsUrl,
-          devtoolsFrontendUrl: `/devtools/inspector.html?ws=${cdpWsUrl.replace("ws://", "")}`,
-        }));
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify(list));
-        return;
-      }
-
-      const handleTargetActionRoute = (
-        match: RegExpMatchArray | null,
-        cdpMethod: "Target.activateTarget" | "Target.closeTarget",
-      ): boolean => {
-        if (!match || (req.method !== "GET" && req.method !== "PUT")) {
-          return false;
-        }
-        let targetId = "";
-        try {
-          targetId = decodeURIComponent(match[1] ?? "").trim();
-        } catch {
-          res.writeHead(400);
-          res.end("invalid targetId encoding");
-          return true;
-        }
-        if (!targetId) {
-          res.writeHead(400);
-          res.end("targetId required");
-          return true;
-        }
-        void (async () => {
-          try {
-            await sendToExtension({
-              id: nextExtensionId++,
-              method: "forwardCDPCommand",
-              params: { method: cdpMethod, params: { targetId } },
-            });
-          } catch {
-            // ignore
-          }
-        })();
-        res.writeHead(200);
-        res.end("OK");
-        return true;
-      };
-
-      if (
-        handleTargetActionRoute(path.match(/^\/json\/activate\/(.+)$/), "Target.activateTarget")
-      ) {
-        return;
-      }
-      if (handleTargetActionRoute(path.match(/^\/json\/close\/(.+)$/), "Target.closeTarget")) {
-        return;
-      }
-
-      res.writeHead(404);
-      res.end("not found");
-    });
-
-    const wssExtension = new WebSocketServer({ noServer: true });
-    const wssCdp = new WebSocketServer({ noServer: true });
-
-    server.on("upgrade", (req, socket, head) => {
-      const url = new URL(req.url ?? "/", info.baseUrl);
-      const pathname = url.pathname;
-      const remote = req.socket.remoteAddress;
-
-      // When bindHost is explicitly non-loopback (e.g. 0.0.0.0 for WSL2),
-      // allow non-loopback connections; otherwise enforce loopback-only.
-      if (!isLoopbackAddress(remote) && isLoopbackHost(bindHost)) {
-        rejectUpgrade(socket, 403, "Forbidden");
-        return;
-      }
-
-      const origin = headerValue(req.headers.origin);
-      if (origin && !origin.startsWith("chrome-extension://")) {
-        rejectUpgrade(socket, 403, "Forbidden: invalid origin");
-        return;
-      }
-
-      if (pathname === "/extension") {
-        const token = getRelayAuthTokenFromRequest(req, url);
-        if (!token || !relayAuthTokens.has(token)) {
-          rejectUpgrade(socket, 401, "Unauthorized");
-          return;
-        }
-        // MV3 worker reconnect races can leave a stale non-OPEN socket reference.
-        if (extensionWs && extensionWs.readyState !== WebSocket.OPEN) {
-          try {
-            extensionWs.terminate();
-          } catch {
-            // ignore
-          }
-          extensionWs = null;
-        }
-        if (extensionConnected()) {
-          rejectUpgrade(socket, 409, "Extension already connected");
-          return;
-        }
-        wssExtension.handleUpgrade(req, socket, head, (ws) => {
-          wssExtension.emit("connection", ws, req);
-        });
-        return;
-      }
-
-      if (pathname === "/cdp") {
-        const token = getRelayAuthTokenFromRequest(req, url);
-        if (!token || !relayAuthTokens.has(token)) {
-          rejectUpgrade(socket, 401, "Unauthorized");
-          return;
-        }
-        // Allow CDP clients to connect even during brief extension worker drops.
-        // Individual commands already wait briefly for extension reconnect.
-        wssCdp.handleUpgrade(req, socket, head, (ws) => {
-          wssCdp.emit("connection", ws, req);
-        });
-        return;
-      }
-
-      rejectUpgrade(socket, 404, "Not Found");
-    });
-
-    wssExtension.on("connection", (ws) => {
-      extensionWs = ws;
-      clearExtensionDisconnectCleanupTimer();
-      flushExtensionReconnectWaiters(true);
-
-      const ping = setInterval(() => {
-        if (ws.readyState !== WebSocket.OPEN) {
-          return;
-        }
-        ws.send(JSON.stringify({ method: "ping" } satisfies ExtensionPingMessage));
-      }, 5000);
-
-      ws.on("message", (data) => {
-        if (extensionWs !== ws) {
-          return;
-        }
-        let parsed: ExtensionMessage | null = null;
-        try {
-          parsed = JSON.parse(rawDataToString(data)) as ExtensionMessage;
-        } catch {
-          return;
-        }
-
-        if (
-          parsed &&
-          typeof parsed === "object" &&
-          "id" in parsed &&
-          typeof parsed.id === "number"
-        ) {
-          const pending = pendingExtension.get(parsed.id);
-          if (!pending) {
-            return;
-          }
-          pendingExtension.delete(parsed.id);
-          clearTimeout(pending.timer);
-          if ("error" in parsed && typeof parsed.error === "string" && parsed.error.trim()) {
-            pending.reject(new Error(parsed.error));
-          } else {
-            pending.resolve(parsed.result);
-          }
-          return;
-        }
-
-        if (parsed && typeof parsed === "object" && "method" in parsed) {
-          if ((parsed as ExtensionPongMessage).method === "pong") {
-            return;
-          }
-          if ((parsed as ExtensionForwardEventMessage).method !== "forwardCDPEvent") {
-            return;
-          }
-          const evt = parsed as ExtensionForwardEventMessage;
-          const method = evt.params?.method;
-          const params = evt.params?.params;
-          const sessionId = evt.params?.sessionId;
-          if (!method || typeof method !== "string") {
-            return;
-          }
-
-          if (method === "Target.attachedToTarget") {
-            const attached = (params ?? {}) as AttachedToTargetEvent;
-            const targetType = attached?.targetInfo?.type ?? "page";
-            if (targetType !== "page") {
-              return;
-            }
-            if (attached?.sessionId && attached?.targetInfo?.targetId) {
-              const prev = connectedTargets.get(attached.sessionId);
-              const nextTargetId = attached.targetInfo.targetId;
-              const prevTargetId = prev?.targetId;
-              const changedTarget = Boolean(prev && prevTargetId && prevTargetId !== nextTargetId);
-              connectedTargets.set(attached.sessionId, {
-                sessionId: attached.sessionId,
-                targetId: nextTargetId,
-                targetInfo: attached.targetInfo,
-              });
-              if (changedTarget && prevTargetId) {
-                broadcastToCdpClients({
-                  method: "Target.detachedFromTarget",
-                  params: { sessionId: attached.sessionId, targetId: prevTargetId },
-                  sessionId: attached.sessionId,
-                });
-              }
-              if (!prev || changedTarget) {
-                broadcastToCdpClients({ method, params, sessionId });
-              }
-              return;
-            }
-          }
-
-          if (method === "Target.detachedFromTarget") {
-            const detached = (params ?? {}) as DetachedFromTargetEvent;
-            if (detached?.sessionId) {
-              dropConnectedTargetSession(detached.sessionId);
-            } else if (detached?.targetId) {
-              dropConnectedTargetsByTargetId(detached.targetId);
-            }
-            broadcastToCdpClients({ method, params, sessionId });
-            return;
-          }
-
-          if (method === "Target.targetDestroyed" || method === "Target.targetCrashed") {
-            const targetEvent = (params ?? {}) as { targetId?: string };
-            if (targetEvent.targetId) {
-              dropConnectedTargetsByTargetId(targetEvent.targetId);
-            }
-            broadcastToCdpClients({ method, params, sessionId });
-            return;
-          }
-
-          // Keep cached tab metadata fresh for /json/list.
-          // After navigation, Chrome updates URL/title via Target.targetInfoChanged.
-          if (method === "Target.targetInfoChanged") {
-            const changed = (params ?? {}) as { targetInfo?: { targetId?: string; type?: string } };
-            const targetInfo = changed?.targetInfo;
-            const targetId = targetInfo?.targetId;
-            if (targetId && (targetInfo?.type ?? "page") === "page") {
-              for (const [sid, target] of connectedTargets) {
-                if (target.targetId !== targetId) {
-                  continue;
-                }
-                connectedTargets.set(sid, {
-                  ...target,
-                  targetInfo: { ...target.targetInfo, ...(targetInfo as object) },
-                });
-              }
-            }
-          }
-
-          broadcastToCdpClients({ method, params, sessionId });
-        }
-      });
-
-      ws.on("close", () => {
-        clearInterval(ping);
-        if (extensionWs !== ws) {
-          return;
-        }
-        extensionWs = null;
-        for (const [, pending] of pendingExtension) {
-          clearTimeout(pending.timer);
-          pending.reject(new Error("extension disconnected"));
-        }
-        pendingExtension.clear();
-        scheduleExtensionDisconnectCleanup();
-      });
-    });
-
-    wssCdp.on("connection", (ws) => {
-      cdpClients.add(ws);
-
-      ws.on("message", async (data) => {
-        let cmd: CdpCommand | null = null;
-        try {
-          cmd = JSON.parse(rawDataToString(data)) as CdpCommand;
-        } catch {
-          return;
-        }
-        if (!cmd || typeof cmd !== "object") {
-          return;
-        }
-        if (typeof cmd.id !== "number" || typeof cmd.method !== "string") {
-          return;
-        }
-
-        if (!extensionConnected()) {
-          const reconnected = await waitForExtensionReconnect(extensionCommandReconnectWaitMs);
-          if (!reconnected || !extensionConnected()) {
-            sendResponseToCdp(ws, {
-              id: cmd.id,
-              sessionId: cmd.sessionId,
-              error: { message: "Extension not connected" },
-            });
-            return;
-          }
-        }
-
-        try {
-          const result = await routeCdpCommand(cmd);
-
-          if (cmd.method === "Target.setAutoAttach" && !cmd.sessionId) {
-            ensureTargetEventsForClient(ws, "autoAttach");
-          }
-          if (cmd.method === "Target.setDiscoverTargets") {
-            const discover = (cmd.params ?? {}) as { discover?: boolean };
-            if (discover.discover === true) {
-              ensureTargetEventsForClient(ws, "discover");
-            }
-          }
-          if (cmd.method === "Target.attachToTarget") {
-            const params = (cmd.params ?? {}) as { targetId?: string };
-            const targetId = typeof params.targetId === "string" ? params.targetId : undefined;
-            if (targetId) {
-              const target = Array.from(connectedTargets.values()).find(
-                (t) => t.targetId === targetId,
-              );
-              if (target) {
-                ws.send(
-                  JSON.stringify({
-                    method: "Target.attachedToTarget",
-                    params: {
-                      sessionId: target.sessionId,
-                      targetInfo: { ...target.targetInfo, attached: true },
-                      waitingForDebugger: false,
-                    },
-                  } satisfies CdpEvent),
-                );
-              }
-            }
-          }
-
-          sendResponseToCdp(ws, { id: cmd.id, sessionId: cmd.sessionId, result });
-        } catch (err) {
-          pruneStaleTargetsFromCommandFailure(cmd, err);
-          sendResponseToCdp(ws, {
-            id: cmd.id,
-            sessionId: cmd.sessionId,
-            error: { message: err instanceof Error ? err.message : String(err) },
-          });
-        }
-      });
-
-      ws.on("close", () => {
-        cdpClients.delete(ws);
-      });
-    });
-
-    try {
-      await new Promise<void>((resolve, reject) => {
-        server.listen(info.port, bindHost, () => resolve());
-        server.once("error", reject);
-      });
-    } catch (err) {
-      if (
-        isAddrInUseError(err) &&
-        (await probeAuthenticatedOpenClawRelay({
-          baseUrl: info.baseUrl,
-          relayAuthHeader: RELAY_AUTH_HEADER,
-          relayAuthToken,
-        }))
-      ) {
-        const existingRelay: ChromeExtensionRelayServer = {
-          host: info.host,
-          bindHost,
-          port: info.port,
-          baseUrl: info.baseUrl,
-          cdpWsUrl: `ws://${info.host}:${info.port}/cdp`,
-          extensionConnected: () => false,
-          stop: async () => {
-            relayRuntimeByPort.delete(info.port);
-          },
-        };
-        relayRuntimeByPort.set(info.port, { server: existingRelay, relayAuthToken });
-        return existingRelay;
-      }
-      throw err;
-    }
-
-    const addr = server.address() as AddressInfo | null;
-    const port = addr?.port ?? info.port;
-    const actualBindHost = addr?.address || bindHost;
-    const host = info.host;
-    const baseUrl = `${new URL(info.baseUrl).protocol}//${host}:${port}`;
-
-    const relay: ChromeExtensionRelayServer = {
-      host,
-      bindHost: actualBindHost,
-      port,
-      baseUrl,
-      cdpWsUrl: `ws://${host}:${port}/cdp`,
-      extensionConnected,
-      stop: async () => {
-        relayRuntimeByPort.delete(port);
-        clearExtensionDisconnectCleanupTimer();
-        flushExtensionReconnectWaiters(false);
-        for (const [, pending] of pendingExtension) {
-          clearTimeout(pending.timer);
-          pending.reject(new Error("server stopping"));
-        }
-        pendingExtension.clear();
-        try {
-          extensionWs?.close(1001, "server stopping");
-        } catch {
-          // ignore
-        }
-        for (const ws of cdpClients) {
-          try {
-            ws.close(1001, "server stopping");
-          } catch {
-            // ignore
-          }
-        }
-        await new Promise<void>((resolve) => {
-          server.close(() => resolve());
-        });
-        wssExtension.close();
-        wssCdp.close();
-      },
-    };
-
-    relayRuntimeByPort.set(port, { server: relay, relayAuthToken });
-    return relay;
-  })();
-  relayInitByPort.set(info.port, initPromise);
-  try {
-    return await initPromise;
-  } finally {
-    relayInitByPort.delete(info.port);
-  }
-}
-
-export async function stopChromeExtensionRelayServer(opts: { cdpUrl: string }): Promise<boolean> {
-  const info = parseBaseUrl(opts.cdpUrl);
-  const existing = relayRuntimeByPort.get(info.port);
-  if (!existing) {
-    return false;
-  }
-  await existing.server.stop();
-  return true;
-}
diff --git a/src/browser/profile-capabilities.ts b/src/browser/profile-capabilities.ts
index b736a77d943..994894239d1 100644
--- a/src/browser/profile-capabilities.ts
+++ b/src/browser/profile-capabilities.ts
@@ -1,18 +1,12 @@
 import type { ResolvedBrowserProfile } from "./config.js";
 
-export type BrowserProfileMode =
-  | "local-managed"
-  | "local-extension-relay"
-  | "local-existing-session"
-  | "remote-cdp";
+export type BrowserProfileMode = "local-managed" | "local-existing-session" | "remote-cdp";
 
 export type BrowserProfileCapabilities = {
   mode: BrowserProfileMode;
   isRemote: boolean;
   /** Profile uses the Chrome DevTools MCP server (existing-session driver). */
   usesChromeMcp: boolean;
-  requiresRelay: boolean;
-  requiresAttachedTab: boolean;
   usesPersistentPlaywright: boolean;
   supportsPerTabWs: boolean;
   supportsJsonTabEndpoints: boolean;
@@ -23,28 +17,11 @@ export type BrowserProfileCapabilities = {
 export function getBrowserProfileCapabilities(
   profile: ResolvedBrowserProfile,
 ): BrowserProfileCapabilities {
-  if (profile.driver === "extension") {
-    return {
-      mode: "local-extension-relay",
-      isRemote: false,
-      usesChromeMcp: false,
-      requiresRelay: true,
-      requiresAttachedTab: true,
-      usesPersistentPlaywright: false,
-      supportsPerTabWs: false,
-      supportsJsonTabEndpoints: true,
-      supportsReset: true,
-      supportsManagedTabLimit: false,
-    };
-  }
-
   if (profile.driver === "existing-session") {
     return {
       mode: "local-existing-session",
       isRemote: false,
       usesChromeMcp: true,
-      requiresRelay: false,
-      requiresAttachedTab: false,
       usesPersistentPlaywright: false,
       supportsPerTabWs: false,
       supportsJsonTabEndpoints: false,
@@ -58,8 +35,6 @@ export function getBrowserProfileCapabilities(
       mode: "remote-cdp",
       isRemote: true,
       usesChromeMcp: false,
-      requiresRelay: false,
-      requiresAttachedTab: false,
       usesPersistentPlaywright: true,
       supportsPerTabWs: false,
       supportsJsonTabEndpoints: false,
@@ -72,8 +47,6 @@ export function getBrowserProfileCapabilities(
     mode: "local-managed",
     isRemote: false,
     usesChromeMcp: false,
-    requiresRelay: false,
-    requiresAttachedTab: false,
     usesPersistentPlaywright: false,
     supportsPerTabWs: true,
     supportsJsonTabEndpoints: true,
@@ -96,9 +69,6 @@ export function resolveDefaultSnapshotFormat(params: {
   }
 
   const capabilities = getBrowserProfileCapabilities(params.profile);
-  if (capabilities.mode === "local-extension-relay") {
-    return "aria";
-  }
   if (capabilities.mode === "local-existing-session") {
     return "ai";
   }
@@ -112,16 +82,12 @@ export function shouldUsePlaywrightForScreenshot(params: {
   ref?: string;
   element?: string;
 }): boolean {
-  const capabilities = getBrowserProfileCapabilities(params.profile);
-  return (
-    capabilities.requiresRelay || !params.wsUrl || Boolean(params.ref) || Boolean(params.element)
-  );
+  return !params.wsUrl || Boolean(params.ref) || Boolean(params.element);
 }
 
 export function shouldUsePlaywrightForAriaSnapshot(params: {
   profile: ResolvedBrowserProfile;
   wsUrl?: string;
 }): boolean {
-  const capabilities = getBrowserProfileCapabilities(params.profile);
-  return capabilities.requiresRelay || !params.wsUrl;
+  return !params.wsUrl;
 }
diff --git a/src/browser/profiles-service.test.ts b/src/browser/profiles-service.test.ts
index 13bbdf27c49..b726ad3fbdb 100644
--- a/src/browser/profiles-service.test.ts
+++ b/src/browser/profiles-service.test.ts
@@ -136,37 +136,6 @@ describe("BrowserProfilesService", () => {
     );
   });
 
-  it("rejects driver=extension with non-loopback cdpUrl", async () => {
-    const resolved = resolveBrowserConfig({});
-    const { ctx } = createCtx(resolved);
-    vi.mocked(loadConfig).mockReturnValue({ browser: { profiles: {} } });
-
-    const service = createBrowserProfilesService(ctx);
-
-    await expect(
-      service.createProfile({
-        name: "chrome-remote",
-        driver: "extension",
-        cdpUrl: "http://10.0.0.42:9222",
-      }),
-    ).rejects.toThrow(/loopback cdpUrl host/i);
-  });
-
-  it("rejects driver=extension without an explicit cdpUrl", async () => {
-    const resolved = resolveBrowserConfig({});
-    const { ctx } = createCtx(resolved);
-    vi.mocked(loadConfig).mockReturnValue({ browser: { profiles: {} } });
-
-    const service = createBrowserProfilesService(ctx);
-
-    await expect(
-      service.createProfile({
-        name: "chrome-extension",
-        driver: "extension",
-      }),
-    ).rejects.toThrow(/requires an explicit loopback cdpUrl/i);
-  });
-
   it("creates existing-session profiles as attach-only local entries", async () => {
     const resolved = resolveBrowserConfig({});
     const { ctx, state } = createCtx(resolved);
diff --git a/src/browser/profiles-service.ts b/src/browser/profiles-service.ts
index 86321006e98..af747015e45 100644
--- a/src/browser/profiles-service.ts
+++ b/src/browser/profiles-service.ts
@@ -3,7 +3,6 @@ import path from "node:path";
 import type { BrowserProfileConfig, OpenClawConfig } from "../config/config.js";
 import { loadConfig, writeConfigFile } from "../config/config.js";
 import { deriveDefaultBrowserCdpPortRange } from "../config/port-defaults.js";
-import { isLoopbackHost } from "../gateway/net.js";
 import { resolveOpenClawUserDataDir } from "./chrome.js";
 import { parseHttpUrl, resolveProfile } from "./config.js";
 import {
@@ -27,7 +26,7 @@ export type CreateProfileParams = {
   name: string;
   color?: string;
   cdpUrl?: string;
-  driver?: "openclaw" | "extension" | "existing-session";
+  driver?: "openclaw" | "existing-session";
 };
 
 export type CreateProfileResult = {
@@ -80,12 +79,7 @@ export function createBrowserProfilesService(ctx: BrowserRouteContext) {
   const createProfile = async (params: CreateProfileParams): Promise<CreateProfileResult> => {
     const name = params.name.trim();
     const rawCdpUrl = params.cdpUrl?.trim() || undefined;
-    const driver =
-      params.driver === "extension"
-        ? "extension"
-        : params.driver === "existing-session"
-          ? "existing-session"
-          : undefined;
+    const driver = params.driver === "existing-session" ? "existing-session" : undefined;
 
     if (!isValidProfileName(name)) {
       throw new BrowserValidationError(
@@ -117,18 +111,6 @@ export function createBrowserProfilesService(ctx: BrowserRouteContext) {
       } catch (err) {
         throw new BrowserValidationError(String(err));
       }
-      if (driver === "extension") {
-        if (!isLoopbackHost(parsed.parsed.hostname)) {
-          throw new BrowserValidationError(
-            `driver=extension requires a loopback cdpUrl host, got: ${parsed.parsed.hostname}`,
-          );
-        }
-        if (parsed.parsed.protocol !== "http:" && parsed.parsed.protocol !== "https:") {
-          throw new BrowserValidationError(
-            `driver=extension requires an http(s) cdpUrl, got: ${parsed.parsed.protocol.replace(":", "")}`,
-          );
-        }
-      }
       if (driver === "existing-session") {
         throw new BrowserValidationError(
           "driver=existing-session does not accept cdpUrl; it attaches via the Chrome MCP auto-connect flow",
@@ -140,9 +122,6 @@ export function createBrowserProfilesService(ctx: BrowserRouteContext) {
         color: profileColor,
       };
     } else {
-      if (driver === "extension") {
-        throw new BrowserValidationError("driver=extension requires an explicit loopback cdpUrl");
-      }
       if (driver === "existing-session") {
         // existing-session uses Chrome MCP auto-connect; no CDP port needed
         profileConfig = {
diff --git a/src/browser/pw-session.get-page-for-targetid.extension-fallback.test.ts b/src/browser/pw-session.get-page-for-targetid.extension-fallback.test.ts
index 8f64b2bf575..2b3bdb32bd8 100644
--- a/src/browser/pw-session.get-page-for-targetid.extension-fallback.test.ts
+++ b/src/browser/pw-session.get-page-for-targetid.extension-fallback.test.ts
@@ -52,7 +52,7 @@ function createExtensionFallbackBrowserHarness(options?: {
 }
 
 describe("pw-session getPageForTargetId", () => {
-  it("falls back to the only page when CDP session attachment is blocked (extension relays)", async () => {
+  it("falls back to the only page when Playwright cannot resolve target ids", async () => {
     const { browserClose, pages } = createExtensionFallbackBrowserHarness();
     const [page] = pages;
 
@@ -94,26 +94,20 @@ describe("pw-session getPageForTargetId", () => {
     }
   });
 
-  it("resolves extension-relay pages from /json/list without probing page CDP sessions first", async () => {
+  it("resolves pages from /json/list when page CDP probing fails", async () => {
     const { newCDPSession, pages } = createExtensionFallbackBrowserHarness({
       urls: ["https://alpha.example", "https://beta.example"],
       newCDPSessionError: "Target.attachToBrowserTarget: Not allowed",
     });
     const [, pageB] = pages;
 
-    const fetchSpy = vi.spyOn(globalThis, "fetch");
-    fetchSpy
-      .mockResolvedValueOnce({
-        ok: true,
-        json: async () => ({ Browser: "OpenClaw/extension-relay" }),
-      } as Response)
-      .mockResolvedValueOnce({
-        ok: true,
-        json: async () => [
-          { id: "TARGET_A", url: "https://alpha.example" },
-          { id: "TARGET_B", url: "https://beta.example" },
-        ],
-      } as Response);
+    const fetchSpy = vi.spyOn(globalThis, "fetch").mockResolvedValue({
+      ok: true,
+      json: async () => [
+        { id: "TARGET_A", url: "https://alpha.example" },
+        { id: "TARGET_B", url: "https://beta.example" },
+      ],
+    } as Response);
 
     try {
       const resolved = await getPageForTargetId({
@@ -121,7 +115,7 @@ describe("pw-session getPageForTargetId", () => {
         targetId: "TARGET_B",
       });
       expect(resolved).toBe(pageB);
-      expect(newCDPSession).not.toHaveBeenCalled();
+      expect(newCDPSession).toHaveBeenCalled();
     } finally {
       fetchSpy.mockRestore();
     }
diff --git a/src/browser/pw-session.page-cdp.test.ts b/src/browser/pw-session.page-cdp.test.ts
index 1347cca20a1..c00f8af5a02 100644
--- a/src/browser/pw-session.page-cdp.test.ts
+++ b/src/browser/pw-session.page-cdp.test.ts
@@ -1,61 +1,12 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
-
-const cdpHelperMocks = vi.hoisted(() => ({
-  fetchJson: vi.fn(),
-  withCdpSocket: vi.fn(),
-}));
-
-const chromeMocks = vi.hoisted(() => ({
-  getChromeWebSocketUrl: vi.fn(async () => "ws://127.0.0.1:18792/cdp"),
-}));
-
-vi.mock("./cdp.helpers.js", async () => {
-  const actual = await vi.importActual<typeof import("./cdp.helpers.js")>("./cdp.helpers.js");
-  return {
-    ...actual,
-    fetchJson: cdpHelperMocks.fetchJson,
-    withCdpSocket: cdpHelperMocks.withCdpSocket,
-  };
-});
-
-vi.mock("./chrome.js", () => chromeMocks);
-
-import { isExtensionRelayCdpEndpoint, withPageScopedCdpClient } from "./pw-session.page-cdp.js";
+import { withPageScopedCdpClient } from "./pw-session.page-cdp.js";
 
 describe("pw-session page-scoped CDP client", () => {
   beforeEach(() => {
     vi.clearAllMocks();
   });
 
-  it("uses raw relay /cdp commands for extension endpoints when targetId is known", async () => {
-    cdpHelperMocks.fetchJson.mockResolvedValue({ Browser: "OpenClaw/extension-relay" });
-    const send = vi.fn(async () => ({ ok: true }));
-    cdpHelperMocks.withCdpSocket.mockImplementation(async (_wsUrl, fn) => await fn(send));
-    const newCDPSession = vi.fn();
-    const page = {
-      context: () => ({
-        newCDPSession,
-      }),
-    };
-
-    await withPageScopedCdpClient({
-      cdpUrl: "http://127.0.0.1:18792",
-      page: page as never,
-      targetId: "tab-1",
-      fn: async (pageSend) => {
-        await pageSend("Page.bringToFront", { foo: "bar" });
-      },
-    });
-
-    expect(send).toHaveBeenCalledWith("Page.bringToFront", {
-      foo: "bar",
-      targetId: "tab-1",
-    });
-    expect(newCDPSession).not.toHaveBeenCalled();
-  });
-
-  it("falls back to Playwright page sessions for non-relay endpoints", async () => {
-    cdpHelperMocks.fetchJson.mockResolvedValue({ Browser: "Chrome/145.0" });
+  it("uses Playwright page sessions", async () => {
     const sessionSend = vi.fn(async () => ({ ok: true }));
     const sessionDetach = vi.fn(async () => {});
     const newCDPSession = vi.fn(async () => ({
@@ -80,15 +31,5 @@ describe("pw-session page-scoped CDP client", () => {
     expect(newCDPSession).toHaveBeenCalledWith(page);
     expect(sessionSend).toHaveBeenCalledWith("Emulation.setLocaleOverride", { locale: "en-US" });
     expect(sessionDetach).toHaveBeenCalledTimes(1);
-    expect(cdpHelperMocks.withCdpSocket).not.toHaveBeenCalled();
-  });
-
-  it("caches extension-relay endpoint detection by cdpUrl", async () => {
-    cdpHelperMocks.fetchJson.mockResolvedValue({ Browser: "OpenClaw/extension-relay" });
-
-    await expect(isExtensionRelayCdpEndpoint("http://127.0.0.1:19992")).resolves.toBe(true);
-    await expect(isExtensionRelayCdpEndpoint("http://127.0.0.1:19992/")).resolves.toBe(true);
-
-    expect(cdpHelperMocks.fetchJson).toHaveBeenCalledTimes(1);
   });
 });
diff --git a/src/browser/pw-session.page-cdp.ts b/src/browser/pw-session.page-cdp.ts
index 8c2109293cd..ccfc2ee7f34 100644
--- a/src/browser/pw-session.page-cdp.ts
+++ b/src/browser/pw-session.page-cdp.ts
@@ -1,44 +1,7 @@
 import type { CDPSession, Page } from "playwright-core";
-import {
-  appendCdpPath,
-  fetchJson,
-  normalizeCdpHttpBaseForJsonEndpoints,
-  withCdpSocket,
-} from "./cdp.helpers.js";
-import { getChromeWebSocketUrl } from "./chrome.js";
-
-const OPENCLAW_EXTENSION_RELAY_BROWSER = "OpenClaw/extension-relay";
 
 type PageCdpSend = (method: string, params?: Record<string, unknown>) => Promise<unknown>;
 
-const extensionRelayByCdpUrl = new Map<string, boolean>();
-
-function normalizeCdpUrl(raw: string) {
-  return raw.replace(/\/$/, "");
-}
-
-export async function isExtensionRelayCdpEndpoint(cdpUrl: string): Promise<boolean> {
-  const normalized = normalizeCdpUrl(cdpUrl);
-  const cached = extensionRelayByCdpUrl.get(normalized);
-  if (cached !== undefined) {
-    return cached;
-  }
-
-  try {
-    const cdpHttpBase = normalizeCdpHttpBaseForJsonEndpoints(normalized);
-    const version = await fetchJson<{ Browser?: string }>(
-      appendCdpPath(cdpHttpBase, "/json/version"),
-      2000,
-    );
-    const isRelay = String(version?.Browser ?? "").trim() === OPENCLAW_EXTENSION_RELAY_BROWSER;
-    extensionRelayByCdpUrl.set(normalized, isRelay);
-    return isRelay;
-  } catch {
-    extensionRelayByCdpUrl.set(normalized, false);
-    return false;
-  }
-}
-
 async function withPlaywrightPageCdpSession<T>(
   page: Page,
   fn: (session: CDPSession) => Promise<T>,
@@ -57,17 +20,6 @@ export async function withPageScopedCdpClient<T>(opts: {
   targetId?: string;
   fn: (send: PageCdpSend) => Promise<T>;
 }): Promise<T> {
-  const targetId = opts.targetId?.trim();
-  if (targetId && (await isExtensionRelayCdpEndpoint(opts.cdpUrl))) {
-    const wsUrl = await getChromeWebSocketUrl(opts.cdpUrl, 2000);
-    if (!wsUrl) {
-      throw new Error("CDP websocket unavailable");
-    }
-    return await withCdpSocket(wsUrl, async (send) => {
-      return await opts.fn((method, params) => send(method, { ...params, targetId }));
-    });
-  }
-
   return await withPlaywrightPageCdpSession(opts.page, async (session) => {
     return await opts.fn((method, params) =>
       (
diff --git a/src/browser/pw-session.ts b/src/browser/pw-session.ts
index 2e63d190dea..97677557543 100644
--- a/src/browser/pw-session.ts
+++ b/src/browser/pw-session.ts
@@ -26,7 +26,7 @@ import {
   assertBrowserNavigationResultAllowed,
   withBrowserNavigationPolicy,
 } from "./navigation-guard.js";
-import { isExtensionRelayCdpEndpoint, withPageScopedCdpClient } from "./pw-session.page-cdp.js";
+import { withPageScopedCdpClient } from "./pw-session.page-cdp.js";
 
 export type BrowserConsoleMessage = {
   type: string;
@@ -454,21 +454,6 @@ async function findPageByTargetId(
   cdpUrl?: string,
 ): Promise<Page | null> {
   const pages = await getAllPages(browser);
-  const isExtensionRelay = cdpUrl
-    ? await isExtensionRelayCdpEndpoint(cdpUrl).catch(() => false)
-    : false;
-  if (cdpUrl && isExtensionRelay) {
-    try {
-      const matched = await findPageByTargetIdViaTargetList(pages, targetId, cdpUrl);
-      if (matched) {
-        return matched;
-      }
-    } catch {
-      // Ignore fetch errors and fall through to best-effort single-page fallback.
-    }
-    return pages.length === 1 ? (pages[0] ?? null) : null;
-  }
-
   let resolvedViaCdp = false;
   for (const page of pages) {
     let tid: string | null = null;
@@ -522,9 +507,7 @@ export async function getPageForTargetId(opts: {
   }
   const found = await findPageByTargetId(browser, opts.targetId, opts.cdpUrl);
   if (!found) {
-    // Extension relays can block CDP attachment APIs (e.g. Target.attachToBrowserTarget),
-    // which prevents us from resolving a page's targetId via newCDPSession(). If Playwright
-    // only exposes a single Page, use it as a best-effort fallback.
+    // If Playwright only exposes a single Page, use it as a best-effort fallback.
     if (pages.length === 1) {
       return first;
     }
diff --git a/src/browser/routes/agent.snapshot.plan.test.ts b/src/browser/routes/agent.snapshot.plan.test.ts
index 384e24a1c71..1fa8c54b81e 100644
--- a/src/browser/routes/agent.snapshot.plan.test.ts
+++ b/src/browser/routes/agent.snapshot.plan.test.ts
@@ -3,15 +3,15 @@ import { resolveBrowserConfig, resolveProfile } from "../config.js";
 import { resolveSnapshotPlan } from "./agent.snapshot.plan.js";
 
 describe("resolveSnapshotPlan", () => {
-  it("defaults extension relay snapshots to aria when format is omitted", () => {
+  it("defaults existing-session snapshots to ai when format is omitted", () => {
     const resolved = resolveBrowserConfig({
       profiles: {
-        relay: { driver: "extension", cdpUrl: "http://127.0.0.1:18792", color: "#0066CC" },
+        user: { driver: "existing-session", attachOnly: true, color: "#00AA00" },
       },
     });
-    const profile = resolveProfile(resolved, "relay");
+    const profile = resolveProfile(resolved, "user");
     expect(profile).toBeTruthy();
-    expect(profile?.driver).toBe("extension");
+    expect(profile?.driver).toBe("existing-session");
 
     const plan = resolveSnapshotPlan({
       profile: profile as NonNullable<typeof profile>,
@@ -19,7 +19,7 @@ describe("resolveSnapshotPlan", () => {
       hasPlaywright: true,
     });
 
-    expect(plan.format).toBe("aria");
+    expect(plan.format).toBe("ai");
   });
 
   it("keeps ai snapshots for managed browsers when Playwright is available", () => {
diff --git a/src/browser/routes/basic.ts b/src/browser/routes/basic.ts
index f6123ac4cf0..c4f5db47a59 100644
--- a/src/browser/routes/basic.ts
+++ b/src/browser/routes/basic.ts
@@ -176,15 +176,18 @@ export function registerBrowserBasicRoutes(app: BrowserRouteRegistrar, ctx: Brow
     const name = toStringOrEmpty((req.body as { name?: unknown })?.name);
     const color = toStringOrEmpty((req.body as { color?: unknown })?.color);
     const cdpUrl = toStringOrEmpty((req.body as { cdpUrl?: unknown })?.cdpUrl);
-    const driver = toStringOrEmpty((req.body as { driver?: unknown })?.driver) as
-      | "openclaw"
-      | "extension"
-      | "existing-session"
-      | "";
+    const driver = toStringOrEmpty((req.body as { driver?: unknown })?.driver);
 
     if (!name) {
       return jsonError(res, 400, "name is required");
     }
+    if (driver && driver !== "openclaw" && driver !== "clawd" && driver !== "existing-session") {
+      return jsonError(
+        res,
+        400,
+        `unsupported profile driver "${driver}"; use "openclaw", "clawd", or "existing-session"`,
+      );
+    }
 
     await withProfilesServiceMutation({
       res,
@@ -195,10 +198,10 @@ export function registerBrowserBasicRoutes(app: BrowserRouteRegistrar, ctx: Brow
           color: color || undefined,
           cdpUrl: cdpUrl || undefined,
           driver:
-            driver === "extension"
-              ? "extension"
-              : driver === "existing-session"
-                ? "existing-session"
+            driver === "existing-session"
+              ? "existing-session"
+              : driver === "openclaw" || driver === "clawd"
+                ? "openclaw"
                 : undefined,
         }),
     });
diff --git a/src/browser/server-context.availability.ts b/src/browser/server-context.availability.ts
index a0281d53d9f..d7d33fd0fde 100644
--- a/src/browser/server-context.availability.ts
+++ b/src/browser/server-context.availability.ts
@@ -15,11 +15,7 @@ import {
   stopOpenClawChrome,
 } from "./chrome.js";
 import type { ResolvedBrowserProfile } from "./config.js";
-import { BrowserConfigurationError, BrowserProfileUnavailableError } from "./errors.js";
-import {
-  ensureChromeExtensionRelayServer,
-  stopChromeExtensionRelayServer,
-} from "./extension-relay.js";
+import { BrowserProfileUnavailableError } from "./errors.js";
 import { getBrowserProfileCapabilities } from "./profile-capabilities.js";
 import {
   CDP_READY_AFTER_LAUNCH_MAX_TIMEOUT_MS,
@@ -124,9 +120,6 @@ export function createProfileAvailability({
       await stopOpenClawChrome(profileState.running).catch(() => {});
       setProfileRunning(null);
     }
-    if (previousProfile.driver === "extension") {
-      await stopChromeExtensionRelayServer({ cdpUrl: previousProfile.cdpUrl }).catch(() => false);
-    }
     if (getBrowserProfileCapabilities(previousProfile).usesChromeMcp) {
       await closeChromeMcpSession(previousProfile.name).catch(() => false);
     }
@@ -166,33 +159,9 @@ export function createProfileAvailability({
     const current = state();
     const remoteCdp = capabilities.isRemote;
     const attachOnly = profile.attachOnly;
-    const isExtension = capabilities.requiresRelay;
     const profileState = getProfileState();
     const httpReachable = await isHttpReachable();
 
-    if (isExtension && remoteCdp) {
-      throw new BrowserConfigurationError(
-        `Profile "${profile.name}" uses driver=extension but cdpUrl is not loopback (${profile.cdpUrl}).`,
-      );
-    }
-
-    if (isExtension) {
-      if (!httpReachable) {
-        await ensureChromeExtensionRelayServer({
-          cdpUrl: profile.cdpUrl,
-          bindHost: current.resolved.relayBindHost,
-        });
-        if (!(await isHttpReachable(PROFILE_ATTACH_RETRY_TIMEOUT_MS))) {
-          throw new BrowserProfileUnavailableError(
-            `Chrome extension relay for profile "${profile.name}" is not reachable at ${profile.cdpUrl}.`,
-          );
-        }
-      }
-      // Browser startup should only ensure relay availability.
-      // Tab attachment is checked when a tab is actually required.
-      return;
-    }
-
     if (!httpReachable) {
       if ((attachOnly || remoteCdp) && opts.onEnsureAttachTarget) {
         await opts.onEnsureAttachTarget(profile);
@@ -267,12 +236,6 @@ export function createProfileAvailability({
       const stopped = await closeChromeMcpSession(profile.name);
       return { stopped };
     }
-    if (capabilities.requiresRelay) {
-      const stopped = await stopChromeExtensionRelayServer({
-        cdpUrl: profile.cdpUrl,
-      });
-      return { stopped };
-    }
     const profileState = getProfileState();
     if (!profileState.running) {
       return { stopped: false };
diff --git a/src/browser/server-context.ensure-tab-available.prefers-last-target.test.ts b/src/browser/server-context.ensure-tab-available.prefers-last-target.test.ts
deleted file mode 100644
index d3760bd460d..00000000000
--- a/src/browser/server-context.ensure-tab-available.prefers-last-target.test.ts
+++ /dev/null
@@ -1,178 +0,0 @@
-import { describe, expect, it, vi } from "vitest";
-import { withFetchPreconnect } from "../test-utils/fetch-mock.js";
-import type { BrowserServerState } from "./server-context.js";
-import "./server-context.chrome-test-harness.js";
-import { createBrowserRouteContext } from "./server-context.js";
-
-function makeBrowserState(): BrowserServerState {
-  return {
-    // oxlint-disable-next-line typescript/no-explicit-any
-    server: null as any,
-    port: 0,
-    resolved: {
-      enabled: true,
-      controlPort: 18791,
-      cdpPortRangeStart: 18800,
-      cdpPortRangeEnd: 18899,
-      cdpProtocol: "http",
-      cdpHost: "127.0.0.1",
-      cdpIsLoopback: true,
-      evaluateEnabled: false,
-      remoteCdpTimeoutMs: 1500,
-      remoteCdpHandshakeTimeoutMs: 3000,
-      extraArgs: [],
-      color: "#FF4500",
-      headless: true,
-      noSandbox: false,
-      attachOnly: false,
-      defaultProfile: "chrome-relay",
-      profiles: {
-        "chrome-relay": {
-          driver: "extension",
-          cdpUrl: "http://127.0.0.1:18792",
-          cdpPort: 18792,
-          color: "#00AA00",
-        },
-        openclaw: { cdpPort: 18800, color: "#FF4500" },
-      },
-    },
-    profiles: new Map(),
-  };
-}
-
-function stubChromeJsonList(responses: unknown[]) {
-  const fetchMock = vi.fn();
-  const queue = [...responses];
-
-  fetchMock.mockImplementation(async (url: unknown) => {
-    const u = String(url);
-    if (!u.includes("/json/list")) {
-      throw new Error(`unexpected fetch: ${u}`);
-    }
-    const next = queue.shift();
-    if (!next) {
-      throw new Error("no more responses");
-    }
-    return {
-      ok: true,
-      json: async () => next,
-    } as unknown as Response;
-  });
-
-  global.fetch = withFetchPreconnect(fetchMock);
-  return fetchMock;
-}
-
-describe("browser server-context ensureTabAvailable", () => {
-  it("sticks to the last selected target when targetId is omitted", async () => {
-    // 1st call (snapshot): stable ordering A then B (twice)
-    // 2nd call (act): reversed ordering B then A (twice)
-    const responses = [
-      [
-        { id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" },
-        { id: "B", type: "page", url: "https://b.example", webSocketDebuggerUrl: "ws://x/b" },
-      ],
-      [
-        { id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" },
-        { id: "B", type: "page", url: "https://b.example", webSocketDebuggerUrl: "ws://x/b" },
-      ],
-      [
-        { id: "B", type: "page", url: "https://b.example", webSocketDebuggerUrl: "ws://x/b" },
-        { id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" },
-      ],
-      [
-        { id: "B", type: "page", url: "https://b.example", webSocketDebuggerUrl: "ws://x/b" },
-        { id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" },
-      ],
-    ];
-    stubChromeJsonList(responses);
-    const state = makeBrowserState();
-
-    const ctx = createBrowserRouteContext({
-      getState: () => state,
-    });
-
-    const chromeRelay = ctx.forProfile("chrome-relay");
-    const first = await chromeRelay.ensureTabAvailable();
-    expect(first.targetId).toBe("A");
-    const second = await chromeRelay.ensureTabAvailable();
-    expect(second.targetId).toBe("A");
-  });
-
-  it("rejects invalid targetId even when only one extension tab remains", async () => {
-    const responses = [
-      [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-      [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-    ];
-    stubChromeJsonList(responses);
-    const state = makeBrowserState();
-
-    const ctx = createBrowserRouteContext({ getState: () => state });
-    const chromeRelay = ctx.forProfile("chrome-relay");
-    await expect(chromeRelay.ensureTabAvailable("NOT_A_TAB")).rejects.toThrow(/tab not found/i);
-  });
-
-  it("returns a descriptive message when no extension tabs are attached", async () => {
-    const responses = [[]];
-    stubChromeJsonList(responses);
-    const state = makeBrowserState();
-
-    const ctx = createBrowserRouteContext({ getState: () => state });
-    const chromeRelay = ctx.forProfile("chrome-relay");
-    await expect(chromeRelay.ensureTabAvailable()).rejects.toThrow(/no attached Chrome tabs/i);
-  });
-
-  it("waits briefly for extension tabs to reappear when a previous target exists", async () => {
-    vi.useFakeTimers();
-    try {
-      const responses = [
-        // First call: select tab A and store lastTargetId.
-        [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-        [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-        // Second call: transient drop, then the extension re-announces attached tab A.
-        [],
-        [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-        [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-      ];
-      stubChromeJsonList(responses);
-      const state = makeBrowserState();
-
-      const ctx = createBrowserRouteContext({ getState: () => state });
-      const chromeRelay = ctx.forProfile("chrome-relay");
-      const first = await chromeRelay.ensureTabAvailable();
-      expect(first.targetId).toBe("A");
-
-      const secondPromise = chromeRelay.ensureTabAvailable();
-      await vi.advanceTimersByTimeAsync(250);
-      const second = await secondPromise;
-      expect(second.targetId).toBe("A");
-    } finally {
-      vi.useRealTimers();
-    }
-  });
-
-  it("still fails after the extension-tab grace window expires", async () => {
-    vi.useFakeTimers();
-    try {
-      const responses = [
-        [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-        [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-        ...Array.from({ length: 20 }, () => []),
-      ];
-      stubChromeJsonList(responses);
-      const state = makeBrowserState();
-
-      const ctx = createBrowserRouteContext({ getState: () => state });
-      const chromeRelay = ctx.forProfile("chrome-relay");
-      await chromeRelay.ensureTabAvailable();
-
-      const pending = expect(chromeRelay.ensureTabAvailable()).rejects.toThrow(
-        /no attached Chrome tabs/i,
-      );
-      await vi.advanceTimersByTimeAsync(3_500);
-      await pending;
-    } finally {
-      vi.useRealTimers();
-    }
-  });
-});
diff --git a/src/browser/server-context.reset.test.ts b/src/browser/server-context.reset.test.ts
index 7e74ffd3881..9fcbc1c2a7b 100644
--- a/src/browser/server-context.reset.test.ts
+++ b/src/browser/server-context.reset.test.ts
@@ -4,10 +4,6 @@ import path from "node:path";
 import { afterEach, describe, expect, it, vi } from "vitest";
 import { createProfileResetOps } from "./server-context.reset.js";
 
-const relayMocks = vi.hoisted(() => ({
-  stopChromeExtensionRelayServer: vi.fn(async () => true),
-}));
-
 const trashMocks = vi.hoisted(() => ({
   movePathToTrash: vi.fn(async (from: string) => `${from}.trashed`),
 }));
@@ -16,7 +12,6 @@ const pwAiMocks = vi.hoisted(() => ({
   closePlaywrightBrowserConnection: vi.fn(async () => {}),
 }));
 
-vi.mock("./extension-relay.js", () => relayMocks);
 vi.mock("./trash.js", () => trashMocks);
 vi.mock("./pw-ai.js", () => pwAiMocks);
 
@@ -54,23 +49,6 @@ function createStatelessResetOps(profile: Parameters<typeof createProfileResetOp
 }
 
 describe("createProfileResetOps", () => {
-  it("stops extension relay for extension profiles", async () => {
-    const ops = createStatelessResetOps({
-      ...localOpenClawProfile(),
-      name: "chrome",
-      driver: "extension",
-    });
-
-    await expect(ops.resetProfile()).resolves.toEqual({
-      moved: false,
-      from: "http://127.0.0.1:18800",
-    });
-    expect(relayMocks.stopChromeExtensionRelayServer).toHaveBeenCalledWith({
-      cdpUrl: "http://127.0.0.1:18800",
-    });
-    expect(trashMocks.movePathToTrash).not.toHaveBeenCalled();
-  });
-
   it("rejects remote non-extension profiles", async () => {
     const ops = createStatelessResetOps({
       ...localOpenClawProfile(),
diff --git a/src/browser/server-context.reset.ts b/src/browser/server-context.reset.ts
index 09bc31cbf38..ea478f56f31 100644
--- a/src/browser/server-context.reset.ts
+++ b/src/browser/server-context.reset.ts
@@ -1,7 +1,6 @@
 import fs from "node:fs";
 import type { ResolvedBrowserProfile } from "./config.js";
 import { BrowserResetUnsupportedError } from "./errors.js";
-import { stopChromeExtensionRelayServer } from "./extension-relay.js";
 import { getBrowserProfileCapabilities } from "./profile-capabilities.js";
 import type { ProfileRuntimeState } from "./server-context.types.js";
 import { movePathToTrash } from "./trash.js";
@@ -36,10 +35,6 @@ export function createProfileResetOps({
 }: ResetDeps): ResetOps {
   const capabilities = getBrowserProfileCapabilities(profile);
   const resetProfile = async () => {
-    if (capabilities.requiresRelay) {
-      await stopChromeExtensionRelayServer({ cdpUrl: profile.cdpUrl }).catch(() => {});
-      return { moved: false, from: profile.cdpUrl };
-    }
     if (!capabilities.supportsReset) {
       throw new BrowserResetUnsupportedError(
         `reset-profile is only supported for local profiles (profile "${profile.name}" is remote).`,
diff --git a/src/browser/server-context.selection.ts b/src/browser/server-context.selection.ts
index f0ce3e25e06..1a744e06b09 100644
--- a/src/browser/server-context.selection.ts
+++ b/src/browser/server-context.selection.ts
@@ -36,28 +36,9 @@ export function createProfileSelectionOps({
   const ensureTabAvailable = async (targetId?: string): Promise<BrowserTab> => {
     await ensureBrowserAvailable();
     const profileState = getProfileState();
-    let tabs1 = await listTabs();
+    const tabs1 = await listTabs();
     if (tabs1.length === 0) {
-      if (capabilities.requiresAttachedTab) {
-        // Chrome extension relay can briefly drop its WebSocket connection (MV3 service worker
-        // lifecycle, relay restart). If we previously had a target selected, wait briefly for
-        // the extension to reconnect and re-announce its attached tabs before failing.
-        if (profileState.lastTargetId?.trim()) {
-          const deadlineAt = Date.now() + 3_000;
-          while (tabs1.length === 0 && Date.now() < deadlineAt) {
-            await new Promise((resolve) => setTimeout(resolve, 200));
-            tabs1 = await listTabs();
-          }
-        }
-        if (tabs1.length === 0) {
-          throw new BrowserTabNotFoundError(
-            `tab not found (no attached Chrome tabs for profile "${profile.name}"). ` +
-              "Click the OpenClaw Browser Relay toolbar icon on the tab you want to control (badge ON).",
-          );
-        }
-      } else {
-        await openTab("about:blank");
-      }
+      await openTab("about:blank");
     }
 
     const tabs = await listTabs();
diff --git a/src/browser/server-lifecycle.test.ts b/src/browser/server-lifecycle.test.ts
index 5ef331f1784..c64e054f96a 100644
--- a/src/browser/server-lifecycle.test.ts
+++ b/src/browser/server-lifecycle.test.ts
@@ -1,13 +1,7 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 
-const { resolveProfileMock, ensureChromeExtensionRelayServerMock } = vi.hoisted(() => ({
-  resolveProfileMock: vi.fn(),
-  ensureChromeExtensionRelayServerMock: vi.fn(),
-}));
-
-const { stopOpenClawChromeMock, stopChromeExtensionRelayServerMock } = vi.hoisted(() => ({
+const { stopOpenClawChromeMock } = vi.hoisted(() => ({
   stopOpenClawChromeMock: vi.fn(async () => {}),
-  stopChromeExtensionRelayServerMock: vi.fn(async () => true),
 }));
 
 const { createBrowserRouteContextMock, listKnownProfileNamesMock } = vi.hoisted(() => ({
@@ -19,15 +13,6 @@ vi.mock("./chrome.js", () => ({
   stopOpenClawChrome: stopOpenClawChromeMock,
 }));
 
-vi.mock("./config.js", () => ({
-  resolveProfile: resolveProfileMock,
-}));
-
-vi.mock("./extension-relay.js", () => ({
-  ensureChromeExtensionRelayServer: ensureChromeExtensionRelayServerMock,
-  stopChromeExtensionRelayServer: stopChromeExtensionRelayServerMock,
-}));
-
 vi.mock("./server-context.js", () => ({
   createBrowserRouteContext: createBrowserRouteContextMock,
   listKnownProfileNames: listKnownProfileNamesMock,
@@ -36,49 +21,13 @@ vi.mock("./server-context.js", () => ({
 import { ensureExtensionRelayForProfiles, stopKnownBrowserProfiles } from "./server-lifecycle.js";
 
 describe("ensureExtensionRelayForProfiles", () => {
-  beforeEach(() => {
-    resolveProfileMock.mockClear();
-    ensureChromeExtensionRelayServerMock.mockClear();
-  });
-
-  it("starts relay only for extension profiles", async () => {
-    resolveProfileMock.mockImplementation((_resolved: unknown, name: string) => {
-      if (name === "chrome-relay") {
-        return { driver: "extension", cdpUrl: "http://127.0.0.1:18888" };
-      }
-      return { driver: "openclaw", cdpUrl: "http://127.0.0.1:18889" };
-    });
-    ensureChromeExtensionRelayServerMock.mockResolvedValue(undefined);
-
-    await ensureExtensionRelayForProfiles({
-      resolved: {
-        profiles: {
-          "chrome-relay": {},
-          openclaw: {},
-        },
-      } as never,
-      onWarn: vi.fn(),
-    });
-
-    expect(ensureChromeExtensionRelayServerMock).toHaveBeenCalledTimes(1);
-    expect(ensureChromeExtensionRelayServerMock).toHaveBeenCalledWith({
-      cdpUrl: "http://127.0.0.1:18888",
-    });
-  });
-
-  it("reports relay startup errors", async () => {
-    resolveProfileMock.mockReturnValue({ driver: "extension", cdpUrl: "http://127.0.0.1:18888" });
-    ensureChromeExtensionRelayServerMock.mockRejectedValue(new Error("boom"));
-    const onWarn = vi.fn();
-
-    await ensureExtensionRelayForProfiles({
-      resolved: { profiles: { "chrome-relay": {} } } as never,
-      onWarn,
-    });
-
-    expect(onWarn).toHaveBeenCalledWith(
-      'Chrome extension relay init failed for profile "chrome-relay": Error: boom',
-    );
+  it("is a no-op after removing the Chrome extension relay path", async () => {
+    await expect(
+      ensureExtensionRelayForProfiles({
+        resolved: { profiles: {} } as never,
+        onWarn: vi.fn(),
+      }),
+    ).resolves.toBeUndefined();
   });
 });
 
@@ -87,14 +36,13 @@ describe("stopKnownBrowserProfiles", () => {
     createBrowserRouteContextMock.mockClear();
     listKnownProfileNamesMock.mockClear();
     stopOpenClawChromeMock.mockClear();
-    stopChromeExtensionRelayServerMock.mockClear();
   });
 
   it("stops all known profiles and ignores per-profile failures", async () => {
-    listKnownProfileNamesMock.mockReturnValue(["openclaw", "chrome-relay"]);
+    listKnownProfileNamesMock.mockReturnValue(["openclaw", "user"]);
     const stopMap: Record<string, ReturnType<typeof vi.fn>> = {
       openclaw: vi.fn(async () => {}),
-      "chrome-relay": vi.fn(async () => {
+      user: vi.fn(async () => {
         throw new Error("profile stop failed");
       }),
     };
@@ -112,12 +60,12 @@ describe("stopKnownBrowserProfiles", () => {
     });
 
     expect(stopMap.openclaw).toHaveBeenCalledTimes(1);
-    expect(stopMap["chrome-relay"]).toHaveBeenCalledTimes(1);
+    expect(stopMap.user).toHaveBeenCalledTimes(1);
     expect(onWarn).not.toHaveBeenCalled();
   });
 
   it("stops tracked runtime browsers even when the profile no longer resolves", async () => {
-    listKnownProfileNamesMock.mockReturnValue(["deleted-local", "deleted-extension"]);
+    listKnownProfileNamesMock.mockReturnValue(["deleted-local"]);
     createBrowserRouteContextMock.mockReturnValue({
       forProfile: vi.fn(() => {
         throw new Error("profile not found");
@@ -134,18 +82,7 @@ describe("stopKnownBrowserProfiles", () => {
       },
     };
     const launchedBrowser = localRuntime.running;
-    const extensionRuntime = {
-      profile: {
-        name: "deleted-extension",
-        driver: "extension",
-        cdpUrl: "http://127.0.0.1:19999",
-      },
-      running: null,
-    };
-    const profiles = new Map<string, unknown>([
-      ["deleted-local", localRuntime],
-      ["deleted-extension", extensionRuntime],
-    ]);
+    const profiles = new Map<string, unknown>([["deleted-local", localRuntime]]);
     const state = {
       resolved: { profiles: {} },
       profiles,
@@ -158,9 +95,6 @@ describe("stopKnownBrowserProfiles", () => {
 
     expect(stopOpenClawChromeMock).toHaveBeenCalledWith(launchedBrowser);
     expect(localRuntime.running).toBeNull();
-    expect(stopChromeExtensionRelayServerMock).toHaveBeenCalledWith({
-      cdpUrl: "http://127.0.0.1:19999",
-    });
   });
 
   it("warns when profile enumeration fails", async () => {
diff --git a/src/browser/server-lifecycle.ts b/src/browser/server-lifecycle.ts
index 7053d924b6d..1dd322f2bc9 100644
--- a/src/browser/server-lifecycle.ts
+++ b/src/browser/server-lifecycle.ts
@@ -1,32 +1,18 @@
 import { stopOpenClawChrome } from "./chrome.js";
 import type { ResolvedBrowserConfig } from "./config.js";
-import { resolveProfile } from "./config.js";
-import {
-  ensureChromeExtensionRelayServer,
-  stopChromeExtensionRelayServer,
-} from "./extension-relay.js";
 import {
   type BrowserServerState,
   createBrowserRouteContext,
   listKnownProfileNames,
 } from "./server-context.js";
 
-export async function ensureExtensionRelayForProfiles(params: {
+export async function ensureExtensionRelayForProfiles(_params: {
   resolved: ResolvedBrowserConfig;
   onWarn: (message: string) => void;
 }) {
-  for (const name of Object.keys(params.resolved.profiles)) {
-    const profile = resolveProfile(params.resolved, name);
-    if (!profile || profile.driver !== "extension") {
-      continue;
-    }
-    await ensureChromeExtensionRelayServer({
-      cdpUrl: profile.cdpUrl,
-      bindHost: params.resolved.relayBindHost,
-    }).catch((err) => {
-      params.onWarn(`Chrome extension relay init failed for profile "${name}": ${String(err)}`);
-    });
-  }
+  // Intentional no-op: the Chrome extension relay path has been removed.
+  // runtime-lifecycle still calls this helper, so keep the stub until the next
+  // breaking cleanup rather than changing the call graph in a patch release.
 }
 
 export async function stopKnownBrowserProfiles(params: {
@@ -50,12 +36,6 @@ export async function stopKnownBrowserProfiles(params: {
           runtime.running = null;
           continue;
         }
-        if (runtime?.profile.driver === "extension") {
-          await stopChromeExtensionRelayServer({ cdpUrl: runtime.profile.cdpUrl }).catch(
-            () => false,
-          );
-          continue;
-        }
         await ctx.forProfile(name).stopRunningBrowser();
       } catch {
         // ignore
diff --git a/src/browser/server.control-server.test-harness.ts b/src/browser/server.control-server.test-harness.ts
index 118c83dbb73..57b8d191655 100644
--- a/src/browser/server.control-server.test-harness.ts
+++ b/src/browser/server.control-server.test-harness.ts
@@ -18,7 +18,7 @@ type HarnessState = {
       cdpPort?: number;
       cdpUrl?: string;
       color: string;
-      driver?: "openclaw" | "extension" | "existing-session";
+      driver?: "openclaw" | "existing-session";
       attachOnly?: boolean;
     }
   >;
diff --git a/src/browser/server.post-tabs-open-profile-unknown-returns-404.test.ts b/src/browser/server.post-tabs-open-profile-unknown-returns-404.test.ts
index 8d84ef3c7a8..5ad1d5f7bd2 100644
--- a/src/browser/server.post-tabs-open-profile-unknown-returns-404.test.ts
+++ b/src/browser/server.post-tabs-open-profile-unknown-returns-404.test.ts
@@ -116,18 +116,29 @@ describe("profile CRUD endpoints", () => {
     const createBadRemoteBody = (await createBadRemote.json()) as { error: string };
     expect(createBadRemoteBody.error).toContain("cdpUrl");
 
-    const createBadExtension = await realFetch(`${base}/profiles/create`, {
+    const createClawd = await realFetch(`${base}/profiles/create`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({
-        name: "badextension",
-        driver: "extension",
-        cdpUrl: "http://10.0.0.42:9222",
-      }),
+      body: JSON.stringify({ name: "legacyclawd", driver: "clawd" }),
     });
-    expect(createBadExtension.status).toBe(400);
-    const createBadExtensionBody = (await createBadExtension.json()) as { error: string };
-    expect(createBadExtensionBody.error).toContain("loopback cdpUrl host");
+    expect(createClawd.status).toBe(200);
+    const createClawdBody = (await createClawd.json()) as {
+      profile?: string;
+      transport?: string;
+      cdpPort?: number | null;
+    };
+    expect(createClawdBody.profile).toBe("legacyclawd");
+    expect(createClawdBody.transport).toBe("cdp");
+    expect(createClawdBody.cdpPort).toBeTypeOf("number");
+
+    const createLegacyDriver = await realFetch(`${base}/profiles/create`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ name: "legacy", driver: "extension" }),
+    });
+    expect(createLegacyDriver.status).toBe(400);
+    const createLegacyDriverBody = (await createLegacyDriver.json()) as { error: string };
+    expect(createLegacyDriverBody.error).toContain('unsupported profile driver "extension"');
 
     const deleteMissing = await realFetch(`${base}/profiles/nonexistent`, {
       method: "DELETE",
diff --git a/src/channel-web.ts b/src/channel-web.ts
index 99e36ef67bc..f7e451b142a 100644
--- a/src/channel-web.ts
+++ b/src/channel-web.ts
@@ -7,19 +7,15 @@ export {
   monitorWebChannel,
   resolveHeartbeatRecipients,
   runWebHeartbeatOnce,
-  type WebChannelStatus,
-  type WebMonitorTuning,
-} from "../extensions/whatsapp/src/auto-reply.js";
+} from "./plugin-sdk-internal/whatsapp.js";
 export {
   extractMediaPlaceholder,
   extractText,
   monitorWebInbox,
-  type WebInboundMessage,
-  type WebListenerCloseReason,
-} from "../extensions/whatsapp/src/inbound.js";
-export { loginWeb } from "../extensions/whatsapp/src/login.js";
-export { loadWebMedia, optimizeImageToJpeg } from "../extensions/whatsapp/src/media.js";
-export { sendMessageWhatsApp } from "../extensions/whatsapp/src/send.js";
+} from "./plugin-sdk-internal/whatsapp.js";
+export { loginWeb } from "./plugin-sdk-internal/whatsapp.js";
+export { loadWebMedia, optimizeImageToJpeg } from "./plugin-sdk-internal/whatsapp.js";
+export { sendMessageWhatsApp } from "./plugin-sdk-internal/whatsapp.js";
 export {
   createWaSocket,
   formatError,
@@ -30,4 +26,4 @@ export {
   WA_WEB_AUTH_DIR,
   waitForWaConnection,
   webAuthExists,
-} from "../extensions/whatsapp/src/session.js";
+} from "./plugin-sdk-internal/whatsapp.js";
diff --git a/src/channels/config-presence.ts b/src/channels/config-presence.ts
new file mode 100644
index 00000000000..d9add345eeb
--- /dev/null
+++ b/src/channels/config-presence.ts
@@ -0,0 +1,130 @@
+import fs from "node:fs";
+import path from "node:path";
+import type { OpenClawConfig } from "../config/config.js";
+import { resolveOAuthDir } from "../config/paths.js";
+import { DEFAULT_ACCOUNT_ID } from "../routing/session-key.js";
+
+const IGNORED_CHANNEL_CONFIG_KEYS = new Set(["defaults", "modelByChannel"]);
+
+const CHANNEL_ENV_PREFIXES = [
+  ["BLUEBUBBLES_", "bluebubbles"],
+  ["DISCORD_", "discord"],
+  ["GOOGLECHAT_", "googlechat"],
+  ["IRC_", "irc"],
+  ["LINE_", "line"],
+  ["MATRIX_", "matrix"],
+  ["MSTEAMS_", "msteams"],
+  ["SIGNAL_", "signal"],
+  ["SLACK_", "slack"],
+  ["TELEGRAM_", "telegram"],
+  ["WHATSAPP_", "whatsapp"],
+  ["ZALOUSER_", "zalouser"],
+  ["ZALO_", "zalo"],
+] as const;
+
+function hasNonEmptyString(value: unknown): boolean {
+  return typeof value === "string" && value.trim().length > 0;
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+
+function recordHasKeys(value: unknown): boolean {
+  return isRecord(value) && Object.keys(value).length > 0;
+}
+
+function hasWhatsAppAuthState(env: NodeJS.ProcessEnv): boolean {
+  try {
+    const oauthDir = resolveOAuthDir(env);
+    const legacyCreds = path.join(oauthDir, "creds.json");
+    if (fs.existsSync(legacyCreds)) {
+      return true;
+    }
+
+    const accountsRoot = path.join(oauthDir, "whatsapp");
+    const defaultCreds = path.join(accountsRoot, DEFAULT_ACCOUNT_ID, "creds.json");
+    if (fs.existsSync(defaultCreds)) {
+      return true;
+    }
+
+    const entries = fs.readdirSync(accountsRoot, { withFileTypes: true });
+    return entries.some((entry) => {
+      if (!entry.isDirectory()) {
+        return false;
+      }
+      return fs.existsSync(path.join(accountsRoot, entry.name, "creds.json"));
+    });
+  } catch {
+    return false;
+  }
+}
+
+export function listPotentialConfiguredChannelIds(
+  cfg: OpenClawConfig,
+  env: NodeJS.ProcessEnv = process.env,
+): string[] {
+  const configuredChannelIds = new Set<string>();
+  const channels = isRecord(cfg.channels) ? cfg.channels : null;
+  if (channels) {
+    for (const [key, value] of Object.entries(channels)) {
+      if (IGNORED_CHANNEL_CONFIG_KEYS.has(key)) {
+        continue;
+      }
+      if (recordHasKeys(value)) {
+        configuredChannelIds.add(key);
+      }
+    }
+  }
+
+  for (const [key, value] of Object.entries(env)) {
+    if (!hasNonEmptyString(value)) {
+      continue;
+    }
+    for (const [prefix, channelId] of CHANNEL_ENV_PREFIXES) {
+      if (key.startsWith(prefix)) {
+        configuredChannelIds.add(channelId);
+      }
+    }
+    if (key === "TELEGRAM_BOT_TOKEN") {
+      configuredChannelIds.add("telegram");
+    }
+  }
+  if (hasWhatsAppAuthState(env)) {
+    configuredChannelIds.add("whatsapp");
+  }
+  return [...configuredChannelIds];
+}
+
+function hasEnvConfiguredChannel(env: NodeJS.ProcessEnv): boolean {
+  for (const [key, value] of Object.entries(env)) {
+    if (!hasNonEmptyString(value)) {
+      continue;
+    }
+    if (
+      CHANNEL_ENV_PREFIXES.some(([prefix]) => key.startsWith(prefix)) ||
+      key === "TELEGRAM_BOT_TOKEN"
+    ) {
+      return true;
+    }
+  }
+  return hasWhatsAppAuthState(env);
+}
+
+export function hasPotentialConfiguredChannels(
+  cfg: OpenClawConfig,
+  env: NodeJS.ProcessEnv = process.env,
+): boolean {
+  const channels = isRecord(cfg.channels) ? cfg.channels : null;
+  if (channels) {
+    for (const [key, value] of Object.entries(channels)) {
+      if (IGNORED_CHANNEL_CONFIG_KEYS.has(key)) {
+        continue;
+      }
+      if (recordHasKeys(value)) {
+        return true;
+      }
+    }
+  }
+  return hasEnvConfiguredChannel(env);
+}
diff --git a/src/channels/dock.test.ts b/src/channels/dock.test.ts
deleted file mode 100644
index 99e3947be9b..00000000000
--- a/src/channels/dock.test.ts
+++ /dev/null
@@ -1,194 +0,0 @@
-import { describe, expect, it } from "vitest";
-import type { OpenClawConfig } from "../config/config.js";
-import { withEnv } from "../test-utils/env.js";
-import { getChannelDock } from "./dock.js";
-
-function emptyConfig(): OpenClawConfig {
-  return {} as OpenClawConfig;
-}
-
-describe("channels dock", () => {
-  it("telegram and googlechat threading contexts map thread ids consistently", () => {
-    const hasRepliedRef = { value: false };
-    const telegramDock = getChannelDock("telegram");
-    const googleChatDock = getChannelDock("googlechat");
-
-    const telegramContext = telegramDock?.threading?.buildToolContext?.({
-      cfg: emptyConfig(),
-      context: {
-        To: " room-1 ",
-        MessageThreadId: 42,
-        ReplyToId: "fallback",
-        CurrentMessageId: "9001",
-      },
-      hasRepliedRef,
-    });
-    const googleChatContext = googleChatDock?.threading?.buildToolContext?.({
-      cfg: emptyConfig(),
-      context: { To: " space-1 ", ReplyToId: "thread-abc" },
-      hasRepliedRef,
-    });
-
-    expect(telegramContext).toEqual({
-      currentChannelId: "room-1",
-      currentThreadTs: "42",
-      currentMessageId: "9001",
-      hasRepliedRef,
-    });
-    expect(googleChatContext).toEqual({
-      currentChannelId: "space-1",
-      currentThreadTs: "thread-abc",
-      hasRepliedRef,
-    });
-  });
-
-  it("telegram threading does not treat ReplyToId as thread id in DMs", () => {
-    const hasRepliedRef = { value: false };
-    const telegramDock = getChannelDock("telegram");
-    const context = telegramDock?.threading?.buildToolContext?.({
-      cfg: emptyConfig(),
-      context: { To: " dm-1 ", ReplyToId: "12345", CurrentMessageId: "12345" },
-      hasRepliedRef,
-    });
-
-    expect(context).toEqual({
-      currentChannelId: "dm-1",
-      currentThreadTs: undefined,
-      currentMessageId: "12345",
-      hasRepliedRef,
-    });
-  });
-
-  it("irc resolveDefaultTo matches account id case-insensitively", () => {
-    const ircDock = getChannelDock("irc");
-    const cfg = {
-      channels: {
-        irc: {
-          defaultTo: "#root",
-          accounts: {
-            Work: { defaultTo: "#work" },
-          },
-        },
-      },
-    } as unknown as OpenClawConfig;
-
-    const accountDefault = ircDock?.config?.resolveDefaultTo?.({ cfg, accountId: "work" });
-    const rootDefault = ircDock?.config?.resolveDefaultTo?.({ cfg, accountId: "missing" });
-
-    expect(accountDefault).toBe("#work");
-    expect(rootDefault).toBe("#root");
-  });
-
-  it("signal allowFrom formatter normalizes values and preserves wildcard", () => {
-    const signalDock = getChannelDock("signal");
-
-    const formatted = signalDock?.config?.formatAllowFrom?.({
-      cfg: emptyConfig(),
-      allowFrom: [" signal:+14155550100 ", " * "],
-    });
-
-    expect(formatted).toEqual(["+14155550100", "*"]);
-  });
-
-  it("telegram allowFrom formatter trims, strips prefix, and lowercases", () => {
-    const telegramDock = getChannelDock("telegram");
-
-    const formatted = telegramDock?.config?.formatAllowFrom?.({
-      cfg: emptyConfig(),
-      allowFrom: [" TG:User ", "telegram:Foo", " Plain "],
-    });
-
-    expect(formatted).toEqual(["user", "foo", "plain"]);
-  });
-
-  it("telegram dock config readers preserve omitted-account fallback semantics", () => {
-    withEnv({ TELEGRAM_BOT_TOKEN: "tok-env" }, () => {
-      const telegramDock = getChannelDock("telegram");
-      const cfg = {
-        channels: {
-          telegram: {
-            allowFrom: ["top-owner"],
-            defaultTo: "@top-target",
-            accounts: {
-              work: {
-                botToken: "tok-work",
-                allowFrom: ["work-owner"],
-                defaultTo: "@work-target",
-              },
-            },
-          },
-        },
-      } as unknown as OpenClawConfig;
-
-      expect(telegramDock?.config?.resolveAllowFrom?.({ cfg })).toEqual(["top-owner"]);
-      expect(telegramDock?.config?.resolveDefaultTo?.({ cfg })).toBe("@top-target");
-    });
-  });
-
-  it("slack dock config readers stay read-only when tokens are unresolved SecretRefs", () => {
-    const slackDock = getChannelDock("slack");
-    const cfg = {
-      channels: {
-        slack: {
-          botToken: {
-            source: "env",
-            provider: "default",
-            id: "SLACK_BOT_TOKEN",
-          },
-          appToken: {
-            source: "env",
-            provider: "default",
-            id: "SLACK_APP_TOKEN",
-          },
-          defaultTo: "channel:C111",
-          dm: { allowFrom: ["U123"] },
-          channels: {
-            C111: { requireMention: false },
-          },
-          replyToMode: "all",
-        },
-      },
-    } as unknown as OpenClawConfig;
-
-    expect(slackDock?.config?.resolveAllowFrom?.({ cfg, accountId: "default" })).toEqual(["U123"]);
-    expect(slackDock?.config?.resolveDefaultTo?.({ cfg, accountId: "default" })).toBe(
-      "channel:C111",
-    );
-    expect(
-      slackDock?.threading?.resolveReplyToMode?.({
-        cfg,
-        accountId: "default",
-        chatType: "channel",
-      }),
-    ).toBe("all");
-    expect(
-      slackDock?.groups?.resolveRequireMention?.({
-        cfg,
-        accountId: "default",
-        groupId: "C111",
-      }),
-    ).toBe(false);
-  });
-
-  it("dock config readers coerce numeric allowFrom/defaultTo entries through shared helpers", () => {
-    const telegramDock = getChannelDock("telegram");
-    const signalDock = getChannelDock("signal");
-    const cfg = {
-      channels: {
-        telegram: {
-          allowFrom: [12345],
-          defaultTo: 67890,
-        },
-        signal: {
-          allowFrom: [14155550100],
-          defaultTo: 42,
-        },
-      },
-    } as unknown as OpenClawConfig;
-
-    expect(telegramDock?.config?.resolveAllowFrom?.({ cfg })).toEqual(["12345"]);
-    expect(telegramDock?.config?.resolveDefaultTo?.({ cfg })).toBe("67890");
-    expect(signalDock?.config?.resolveAllowFrom?.({ cfg })).toEqual(["14155550100"]);
-    expect(signalDock?.config?.resolveDefaultTo?.({ cfg })).toBe("42");
-  });
-});
diff --git a/src/channels/dock.ts b/src/channels/dock.ts
deleted file mode 100644
index 2e63583ca1b..00000000000
--- a/src/channels/dock.ts
+++ /dev/null
@@ -1,636 +0,0 @@
-import { inspectDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
-import { resolveSignalAccount } from "../../extensions/signal/src/accounts.js";
-import { inspectSlackAccount } from "../../extensions/slack/src/account-inspect.js";
-import { resolveSlackReplyToMode } from "../../extensions/slack/src/accounts.js";
-import { buildSlackThreadingToolContext } from "../../extensions/slack/src/threading-tool-context.js";
-import { inspectTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
-import {
-  resolveChannelGroupRequireMention,
-  resolveChannelGroupToolsPolicy,
-} from "../config/group-policy.js";
-import {
-  formatAllowFromLowercase,
-  formatNormalizedAllowFromEntries,
-} from "../plugin-sdk/allow-from.js";
-import {
-  mapAllowFromEntries,
-  resolveOptionalConfigString,
-  formatTrimmedAllowFromEntries,
-  formatWhatsAppConfigAllowFromEntries,
-  resolveIMessageConfigAllowFrom,
-  resolveIMessageConfigDefaultTo,
-  resolveWhatsAppConfigAllowFrom,
-  resolveWhatsAppConfigDefaultTo,
-} from "../plugin-sdk/channel-config-helpers.js";
-import { requireActivePluginRegistry } from "../plugins/runtime.js";
-import { normalizeAccountId } from "../routing/session-key.js";
-import { normalizeE164 } from "../utils.js";
-import {
-  resolveDiscordGroupRequireMention,
-  resolveDiscordGroupToolPolicy,
-  resolveGoogleChatGroupRequireMention,
-  resolveGoogleChatGroupToolPolicy,
-  resolveIMessageGroupRequireMention,
-  resolveIMessageGroupToolPolicy,
-  resolveLineGroupRequireMention,
-  resolveLineGroupToolPolicy,
-  resolveSlackGroupRequireMention,
-  resolveSlackGroupToolPolicy,
-  resolveTelegramGroupRequireMention,
-  resolveTelegramGroupToolPolicy,
-  resolveWhatsAppGroupRequireMention,
-  resolveWhatsAppGroupToolPolicy,
-} from "./plugins/group-mentions.js";
-import { normalizeSignalMessagingTarget } from "./plugins/normalize/signal.js";
-import type {
-  ChannelCapabilities,
-  ChannelCommandAdapter,
-  ChannelConfigAdapter,
-  ChannelElevatedAdapter,
-  ChannelGroupAdapter,
-  ChannelId,
-  ChannelAgentPromptAdapter,
-  ChannelMentionAdapter,
-  ChannelPlugin,
-  ChannelThreadingContext,
-  ChannelThreadingAdapter,
-  ChannelThreadingToolContext,
-} from "./plugins/types.js";
-import {
-  resolveWhatsAppGroupIntroHint,
-  resolveWhatsAppMentionStripRegexes,
-} from "./plugins/whatsapp-shared.js";
-import { CHAT_CHANNEL_ORDER, type ChatChannelId, getChatChannelMeta } from "./registry.js";
-
-export type ChannelDock = {
-  id: ChannelId;
-  capabilities: ChannelCapabilities;
-  commands?: ChannelCommandAdapter;
-  outbound?: {
-    textChunkLimit?: number;
-  };
-  streaming?: ChannelDockStreaming;
-  elevated?: ChannelElevatedAdapter;
-  config?: Pick<
-    ChannelConfigAdapter<unknown>,
-    "resolveAllowFrom" | "formatAllowFrom" | "resolveDefaultTo"
-  >;
-  groups?: ChannelGroupAdapter;
-  mentions?: ChannelMentionAdapter;
-  threading?: ChannelThreadingAdapter;
-  agentPrompt?: ChannelAgentPromptAdapter;
-};
-
-type ChannelDockStreaming = {
-  blockStreamingCoalesceDefaults?: {
-    minChars?: number;
-    idleMs?: number;
-  };
-};
-
-const DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000 = { textChunkLimit: 4000 };
-
-const DEFAULT_BLOCK_STREAMING_COALESCE = {
-  blockStreamingCoalesceDefaults: { minChars: 1500, idleMs: 1000 },
-};
-
-function formatAllowFromWithReplacements(
-  allowFrom: Array<string | number>,
-  replacements: RegExp[],
-): string[] {
-  return formatNormalizedAllowFromEntries({
-    allowFrom,
-    normalizeEntry: (entry) => {
-      let normalized = entry;
-      for (const replacement of replacements) {
-        normalized = normalized.replace(replacement, "");
-      }
-      return normalized.toLowerCase();
-    },
-  });
-}
-
-const formatDiscordAllowFrom = (allowFrom: Array<string | number>) =>
-  allowFrom
-    .map((entry) =>
-      String(entry)
-        .trim()
-        .replace(/^<@!?/, "")
-        .replace(/>$/, "")
-        .replace(/^discord:/i, "")
-        .replace(/^user:/i, "")
-        .replace(/^pk:/i, "")
-        .trim()
-        .toLowerCase(),
-    )
-    .filter(Boolean);
-
-function resolveDirectOrGroupChannelId(context: ChannelThreadingContext): string | undefined {
-  const isDirect = context.ChatType?.toLowerCase() === "direct";
-  return (isDirect ? (context.From ?? context.To) : context.To)?.trim() || undefined;
-}
-
-function buildSignalThreadToolContext(params: {
-  context: ChannelThreadingContext;
-  hasRepliedRef: ChannelThreadingToolContext["hasRepliedRef"];
-}): ChannelThreadingToolContext {
-  const currentChannelIdRaw = resolveDirectOrGroupChannelId(params.context);
-  const currentChannelId = currentChannelIdRaw
-    ? (normalizeSignalMessagingTarget(currentChannelIdRaw) ?? currentChannelIdRaw.trim())
-    : undefined;
-  return {
-    currentChannelId,
-    currentThreadTs: params.context.ReplyToId,
-    hasRepliedRef: params.hasRepliedRef,
-  };
-}
-
-function buildIMessageThreadToolContext(params: {
-  context: ChannelThreadingContext;
-  hasRepliedRef: ChannelThreadingToolContext["hasRepliedRef"];
-}): ChannelThreadingToolContext {
-  return {
-    currentChannelId: resolveDirectOrGroupChannelId(params.context),
-    currentThreadTs: params.context.ReplyToId,
-    hasRepliedRef: params.hasRepliedRef,
-  };
-}
-
-function buildThreadToolContextFromMessageThreadOrReply(params: {
-  context: ChannelThreadingContext;
-  hasRepliedRef: ChannelThreadingToolContext["hasRepliedRef"];
-}): ChannelThreadingToolContext {
-  const threadId = params.context.MessageThreadId ?? params.context.ReplyToId;
-  return {
-    currentChannelId: params.context.To?.trim() || undefined,
-    currentThreadTs: threadId != null ? String(threadId) : undefined,
-    hasRepliedRef: params.hasRepliedRef,
-  };
-}
-
-function resolveCaseInsensitiveAccount<T>(
-  accounts: Record<string, T> | undefined,
-  accountId?: string | null,
-): T | undefined {
-  if (!accounts) {
-    return undefined;
-  }
-  const normalized = normalizeAccountId(accountId);
-  return (
-    accounts[normalized] ??
-    accounts[
-      Object.keys(accounts).find((key) => key.toLowerCase() === normalized.toLowerCase()) ?? ""
-    ]
-  );
-}
-
-function resolveDefaultToCaseInsensitiveAccount(params: {
-  channel?:
-    | {
-        accounts?: Record<string, { defaultTo?: string }>;
-        defaultTo?: string;
-      }
-    | undefined;
-  accountId?: string | null;
-}): string | undefined {
-  const account = resolveCaseInsensitiveAccount(params.channel?.accounts, params.accountId);
-  return (account?.defaultTo ?? params.channel?.defaultTo)?.trim() || undefined;
-}
-
-function resolveChannelDefaultTo(
-  channel:
-    | {
-        accounts?: Record<string, { defaultTo?: string }>;
-        defaultTo?: string;
-      }
-    | undefined,
-  accountId?: string | null,
-): string | undefined {
-  return resolveDefaultToCaseInsensitiveAccount({ channel, accountId });
-}
-
-type CaseInsensitiveDefaultToChannel = {
-  accounts?: Record<string, { defaultTo?: string }>;
-  defaultTo?: string;
-};
-
-type CaseInsensitiveDefaultToChannels = Partial<
-  Record<"irc" | "googlechat", CaseInsensitiveDefaultToChannel>
->;
-
-function resolveNamedChannelDefaultTo(params: {
-  channels?: CaseInsensitiveDefaultToChannels;
-  channelId: keyof CaseInsensitiveDefaultToChannels;
-  accountId?: string | null;
-}): string | undefined {
-  return resolveChannelDefaultTo(params.channels?.[params.channelId], params.accountId);
-}
-// Channel docks: lightweight channel metadata/behavior for shared code paths.
-//
-// Rules:
-// - keep this module *light* (no monitors, probes, puppeteer/web login, etc)
-// - OK: config readers, allowFrom formatting, mention stripping patterns, threading defaults
-// - shared code should import from here (and from `src/channels/registry.ts`), not from the plugins registry
-//
-// Adding a channel:
-// - add a new entry to `DOCKS`
-// - keep it cheap; push heavy logic into `src/channels/plugins/<id>.ts` or channel modules
-const DOCKS: Record<ChatChannelId, ChannelDock> = {
-  telegram: {
-    id: "telegram",
-    capabilities: {
-      chatTypes: ["direct", "group", "channel", "thread"],
-      nativeCommands: true,
-      blockStreaming: true,
-    },
-    outbound: DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000,
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) =>
-        mapAllowFromEntries(inspectTelegramAccount({ cfg, accountId }).config.allowFrom),
-      formatAllowFrom: ({ allowFrom }) =>
-        formatAllowFromLowercase({
-          allowFrom,
-          stripPrefixRe: /^(telegram|tg):/i,
-        }),
-      resolveDefaultTo: ({ cfg, accountId }) =>
-        resolveOptionalConfigString(inspectTelegramAccount({ cfg, accountId }).config.defaultTo),
-    },
-    groups: {
-      resolveRequireMention: resolveTelegramGroupRequireMention,
-      resolveToolPolicy: resolveTelegramGroupToolPolicy,
-    },
-    threading: {
-      resolveReplyToMode: ({ cfg }) => cfg.channels?.telegram?.replyToMode ?? "off",
-      buildToolContext: ({ context, hasRepliedRef }) => {
-        // Telegram auto-threading should only use actual thread/topic IDs.
-        // ReplyToId is a message ID and causes invalid message_thread_id in DMs.
-        const threadId = context.MessageThreadId;
-        const rawCurrentMessageId = context.CurrentMessageId;
-        const currentMessageId =
-          typeof rawCurrentMessageId === "number"
-            ? rawCurrentMessageId
-            : rawCurrentMessageId?.trim() || undefined;
-        return {
-          currentChannelId: context.To?.trim() || undefined,
-          currentThreadTs: threadId != null ? String(threadId) : undefined,
-          currentMessageId,
-          hasRepliedRef,
-        };
-      },
-    },
-  },
-  whatsapp: {
-    id: "whatsapp",
-    capabilities: {
-      chatTypes: ["direct", "group"],
-      polls: true,
-      reactions: true,
-      media: true,
-    },
-    commands: {
-      enforceOwnerForCommands: true,
-      skipWhenConfigEmpty: true,
-    },
-    outbound: DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000,
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) => resolveWhatsAppConfigAllowFrom({ cfg, accountId }),
-      formatAllowFrom: ({ allowFrom }) => formatWhatsAppConfigAllowFromEntries(allowFrom),
-      resolveDefaultTo: ({ cfg, accountId }) => resolveWhatsAppConfigDefaultTo({ cfg, accountId }),
-    },
-    groups: {
-      resolveRequireMention: resolveWhatsAppGroupRequireMention,
-      resolveToolPolicy: resolveWhatsAppGroupToolPolicy,
-      resolveGroupIntroHint: resolveWhatsAppGroupIntroHint,
-    },
-    mentions: {
-      stripRegexes: ({ ctx }) => resolveWhatsAppMentionStripRegexes(ctx),
-    },
-    threading: {
-      buildToolContext: ({ context, hasRepliedRef }) => {
-        const channelId = context.From?.trim() || context.To?.trim() || undefined;
-        return {
-          currentChannelId: channelId,
-          currentThreadTs: context.ReplyToId,
-          hasRepliedRef,
-        };
-      },
-    },
-  },
-  discord: {
-    id: "discord",
-    capabilities: {
-      chatTypes: ["direct", "channel", "thread"],
-      polls: true,
-      reactions: true,
-      media: true,
-      nativeCommands: true,
-      threads: true,
-    },
-    outbound: { textChunkLimit: 2000 },
-    streaming: DEFAULT_BLOCK_STREAMING_COALESCE,
-    elevated: {
-      allowFromFallback: ({ cfg }) =>
-        cfg.channels?.discord?.allowFrom ?? cfg.channels?.discord?.dm?.allowFrom,
-    },
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) => {
-        const account = inspectDiscordAccount({ cfg, accountId });
-        return mapAllowFromEntries(account.config.allowFrom ?? account.config.dm?.allowFrom);
-      },
-      formatAllowFrom: ({ allowFrom }) => formatDiscordAllowFrom(allowFrom),
-      resolveDefaultTo: ({ cfg, accountId }) =>
-        resolveOptionalConfigString(inspectDiscordAccount({ cfg, accountId }).config.defaultTo),
-    },
-    groups: {
-      resolveRequireMention: resolveDiscordGroupRequireMention,
-      resolveToolPolicy: resolveDiscordGroupToolPolicy,
-    },
-    mentions: {
-      stripRegexes: () => [/<@!?\d+>/g],
-    },
-    threading: {
-      resolveReplyToMode: ({ cfg }) => cfg.channels?.discord?.replyToMode ?? "off",
-      buildToolContext: ({ context, hasRepliedRef }) => ({
-        currentChannelId: context.To?.trim() || undefined,
-        currentThreadTs: context.ReplyToId,
-        hasRepliedRef,
-      }),
-    },
-  },
-  irc: {
-    id: "irc",
-    capabilities: {
-      chatTypes: ["direct", "group"],
-      media: true,
-      blockStreaming: true,
-    },
-    outbound: { textChunkLimit: 350 },
-    streaming: {
-      blockStreamingCoalesceDefaults: { minChars: 300, idleMs: 1000 },
-    },
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) => {
-        const channel = cfg.channels?.irc;
-        const account = resolveCaseInsensitiveAccount(channel?.accounts, accountId);
-        return mapAllowFromEntries(account?.allowFrom ?? channel?.allowFrom);
-      },
-      formatAllowFrom: ({ allowFrom }) =>
-        formatAllowFromWithReplacements(allowFrom, [/^irc:/i, /^user:/i]),
-      resolveDefaultTo: ({ cfg, accountId }) =>
-        resolveNamedChannelDefaultTo({
-          channels: cfg.channels as CaseInsensitiveDefaultToChannels | undefined,
-          channelId: "irc",
-          accountId,
-        }),
-    },
-    groups: {
-      resolveRequireMention: ({ cfg, accountId, groupId }) => {
-        if (!groupId) {
-          return true;
-        }
-        return resolveChannelGroupRequireMention({
-          cfg,
-          channel: "irc",
-          groupId,
-          accountId,
-          groupIdCaseInsensitive: true,
-        });
-      },
-      resolveToolPolicy: ({ cfg, accountId, groupId, senderId, senderName, senderUsername }) => {
-        if (!groupId) {
-          return undefined;
-        }
-        // IRC supports per-channel tool policies. Prefer the shared resolver so
-        // toolsBySender is honored consistently across surfaces.
-        return resolveChannelGroupToolsPolicy({
-          cfg,
-          channel: "irc",
-          groupId,
-          accountId,
-          groupIdCaseInsensitive: true,
-          senderId,
-          senderName,
-          senderUsername,
-        });
-      },
-    },
-  },
-  googlechat: {
-    id: "googlechat",
-    capabilities: {
-      chatTypes: ["direct", "group", "thread"],
-      reactions: true,
-      media: true,
-      threads: true,
-      blockStreaming: true,
-    },
-    outbound: DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000,
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) => {
-        const channel = cfg.channels?.googlechat as
-          | {
-              accounts?: Record<string, { dm?: { allowFrom?: Array<string | number> } }>;
-              dm?: { allowFrom?: Array<string | number> };
-            }
-          | undefined;
-        const account = resolveCaseInsensitiveAccount(channel?.accounts, accountId);
-        return mapAllowFromEntries(account?.dm?.allowFrom ?? channel?.dm?.allowFrom);
-      },
-      formatAllowFrom: ({ allowFrom }) =>
-        formatAllowFromWithReplacements(allowFrom, [
-          /^(googlechat|google-chat|gchat):/i,
-          /^user:/i,
-          /^users\//i,
-        ]),
-      resolveDefaultTo: ({ cfg, accountId }) =>
-        resolveNamedChannelDefaultTo({
-          channels: cfg.channels as CaseInsensitiveDefaultToChannels | undefined,
-          channelId: "googlechat",
-          accountId,
-        }),
-    },
-    groups: {
-      resolveRequireMention: resolveGoogleChatGroupRequireMention,
-      resolveToolPolicy: resolveGoogleChatGroupToolPolicy,
-    },
-    threading: {
-      resolveReplyToMode: ({ cfg }) => cfg.channels?.googlechat?.replyToMode ?? "off",
-      buildToolContext: ({ context, hasRepliedRef }) =>
-        buildThreadToolContextFromMessageThreadOrReply({ context, hasRepliedRef }),
-    },
-  },
-  slack: {
-    id: "slack",
-    capabilities: {
-      chatTypes: ["direct", "channel", "thread"],
-      reactions: true,
-      media: true,
-      nativeCommands: true,
-      threads: true,
-    },
-    outbound: DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000,
-    streaming: DEFAULT_BLOCK_STREAMING_COALESCE,
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) => {
-        const account = inspectSlackAccount({ cfg, accountId });
-        return mapAllowFromEntries(account.config.allowFrom ?? account.dm?.allowFrom);
-      },
-      formatAllowFrom: ({ allowFrom }) => formatAllowFromLowercase({ allowFrom }),
-      resolveDefaultTo: ({ cfg, accountId }) =>
-        resolveOptionalConfigString(inspectSlackAccount({ cfg, accountId }).config.defaultTo),
-    },
-    groups: {
-      resolveRequireMention: resolveSlackGroupRequireMention,
-      resolveToolPolicy: resolveSlackGroupToolPolicy,
-    },
-    mentions: {
-      stripRegexes: () => [/<@[^>]+>/g],
-    },
-    threading: {
-      resolveReplyToMode: ({ cfg, accountId, chatType }) =>
-        resolveSlackReplyToMode(inspectSlackAccount({ cfg, accountId }), chatType),
-      allowExplicitReplyTagsWhenOff: false,
-      buildToolContext: (params) => buildSlackThreadingToolContext(params),
-    },
-  },
-  signal: {
-    id: "signal",
-    capabilities: {
-      chatTypes: ["direct", "group"],
-      reactions: true,
-      media: true,
-    },
-    outbound: DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000,
-    streaming: DEFAULT_BLOCK_STREAMING_COALESCE,
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) =>
-        mapAllowFromEntries(resolveSignalAccount({ cfg, accountId }).config.allowFrom),
-      formatAllowFrom: ({ allowFrom }) =>
-        formatNormalizedAllowFromEntries({
-          allowFrom,
-          normalizeEntry: (entry) =>
-            entry === "*" ? "*" : normalizeE164(entry.replace(/^signal:/i, "")),
-        }),
-      resolveDefaultTo: ({ cfg, accountId }) =>
-        resolveOptionalConfigString(resolveSignalAccount({ cfg, accountId }).config.defaultTo),
-    },
-    threading: {
-      buildToolContext: ({ context, hasRepliedRef }) =>
-        buildSignalThreadToolContext({ context, hasRepliedRef }),
-    },
-  },
-  imessage: {
-    id: "imessage",
-    capabilities: {
-      chatTypes: ["direct", "group"],
-      reactions: true,
-      media: true,
-    },
-    outbound: DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000,
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) => resolveIMessageConfigAllowFrom({ cfg, accountId }),
-      formatAllowFrom: ({ allowFrom }) => formatTrimmedAllowFromEntries(allowFrom),
-      resolveDefaultTo: ({ cfg, accountId }) => resolveIMessageConfigDefaultTo({ cfg, accountId }),
-    },
-    groups: {
-      resolveRequireMention: resolveIMessageGroupRequireMention,
-      resolveToolPolicy: resolveIMessageGroupToolPolicy,
-    },
-    threading: {
-      buildToolContext: ({ context, hasRepliedRef }) =>
-        buildIMessageThreadToolContext({ context, hasRepliedRef }),
-    },
-  },
-  line: {
-    id: "line",
-    capabilities: {
-      chatTypes: ["direct", "group"],
-      media: true,
-    },
-    outbound: { textChunkLimit: 5000 },
-    groups: {
-      resolveRequireMention: resolveLineGroupRequireMention,
-      resolveToolPolicy: resolveLineGroupToolPolicy,
-    },
-  },
-};
-
-function buildDockFromPlugin(plugin: ChannelPlugin): ChannelDock {
-  return {
-    id: plugin.id,
-    capabilities: plugin.capabilities,
-    commands: plugin.commands,
-    outbound: plugin.outbound?.textChunkLimit
-      ? { textChunkLimit: plugin.outbound.textChunkLimit }
-      : undefined,
-    streaming: plugin.streaming
-      ? { blockStreamingCoalesceDefaults: plugin.streaming.blockStreamingCoalesceDefaults }
-      : undefined,
-    elevated: plugin.elevated,
-    config: plugin.config
-      ? {
-          resolveAllowFrom: plugin.config.resolveAllowFrom,
-          formatAllowFrom: plugin.config.formatAllowFrom,
-          resolveDefaultTo: plugin.config.resolveDefaultTo,
-        }
-      : undefined,
-    groups: plugin.groups,
-    mentions: plugin.mentions,
-    threading: plugin.threading,
-    agentPrompt: plugin.agentPrompt,
-  };
-}
-
-function listPluginDockEntries(): Array<{ id: ChannelId; dock: ChannelDock; order?: number }> {
-  const registry = requireActivePluginRegistry();
-  const entries: Array<{ id: ChannelId; dock: ChannelDock; order?: number }> = [];
-  const seen = new Set<string>();
-  for (const entry of registry.channels) {
-    const plugin = entry.plugin;
-    const id = String(plugin.id).trim();
-    if (!id || seen.has(id)) {
-      continue;
-    }
-    seen.add(id);
-    if (CHAT_CHANNEL_ORDER.includes(plugin.id as ChatChannelId)) {
-      continue;
-    }
-    const dock = entry.dock ?? buildDockFromPlugin(plugin);
-    entries.push({ id: plugin.id, dock, order: plugin.meta.order });
-  }
-  return entries;
-}
-
-export function listChannelDocks(): ChannelDock[] {
-  const baseEntries = CHAT_CHANNEL_ORDER.map((id) => ({
-    id,
-    dock: DOCKS[id],
-    order: getChatChannelMeta(id).order,
-  }));
-  const pluginEntries = listPluginDockEntries();
-  const combined = [...baseEntries, ...pluginEntries];
-  combined.sort((a, b) => {
-    const indexA = CHAT_CHANNEL_ORDER.indexOf(a.id as ChatChannelId);
-    const indexB = CHAT_CHANNEL_ORDER.indexOf(b.id as ChatChannelId);
-    const orderA = a.order ?? (indexA === -1 ? 999 : indexA);
-    const orderB = b.order ?? (indexB === -1 ? 999 : indexB);
-    if (orderA !== orderB) {
-      return orderA - orderB;
-    }
-    return String(a.id).localeCompare(String(b.id));
-  });
-  return combined.map((entry) => entry.dock);
-}
-
-export function getChannelDock(id: ChannelId): ChannelDock | undefined {
-  const core = DOCKS[id as ChatChannelId];
-  if (core) {
-    return core;
-  }
-  const registry = requireActivePluginRegistry();
-  const pluginEntry = registry.channels.find((entry) => entry.plugin.id === id);
-  if (!pluginEntry) {
-    return undefined;
-  }
-  return pluginEntry.dock ?? buildDockFromPlugin(pluginEntry.plugin);
-}
diff --git a/src/channels/plugins/actions/actions.test.ts b/src/channels/plugins/actions/actions.test.ts
index 055d660524f..cd33be0a3e2 100644
--- a/src/channels/plugins/actions/actions.test.ts
+++ b/src/channels/plugins/actions/actions.test.ts
@@ -540,6 +540,21 @@ describe("telegramMessageActions", () => {
     expect(actions).toContain("poll");
   });
 
+  it("lists topic-edit when telegram topic edits are enabled", () => {
+    const cfg = {
+      channels: {
+        telegram: {
+          botToken: "tok",
+          actions: { editForumTopic: true },
+        },
+      },
+    } as OpenClawConfig;
+
+    const actions = telegramMessageActions.listActions?.({ cfg }) ?? [];
+
+    expect(actions).toContain("topic-edit");
+  });
+
   it("omits poll when sendMessage is disabled", () => {
     const cfg = {
       channels: {
@@ -793,6 +808,24 @@ describe("telegramMessageActions", () => {
           accountId: undefined,
         },
       },
+      {
+        name: "topic-edit maps to editForumTopic",
+        action: "topic-edit" as const,
+        params: {
+          to: "telegram:group:-1001234567890:topic:271",
+          threadId: 271,
+          name: "Build Updates",
+          iconCustomEmojiId: "emoji-123",
+        },
+        expectedPayload: {
+          action: "editForumTopic",
+          chatId: "telegram:group:-1001234567890:topic:271",
+          messageThreadId: 271,
+          name: "Build Updates",
+          iconCustomEmojiId: "emoji-123",
+          accountId: undefined,
+        },
+      },
     ] as const;
 
     for (const testCase of cases) {
@@ -1259,6 +1292,25 @@ describe("slack actions adapter", () => {
     }
   });
 
+  it("does not attach empty blocks to plain media sends", async () => {
+    handleSlackAction.mockClear();
+
+    await runSlackAction("send", {
+      to: "channel:C1",
+      message: "",
+      media: "https://example.com/image.png",
+    });
+
+    const [params] = handleSlackAction.mock.calls[0] ?? [];
+    expect(params).toMatchObject({
+      action: "sendMessage",
+      to: "channel:C1",
+      content: "",
+      mediaUrl: "https://example.com/image.png",
+    });
+    expect(params).not.toHaveProperty("blocks");
+  });
+
   it("rejects edit when both message and blocks are missing", async () => {
     const { cfg, actions } = slackHarness();
 
diff --git a/src/channels/plugins/actions/discord.ts b/src/channels/plugins/actions/discord.ts
index 6b8689effb3..ec11ca6c970 100644
--- a/src/channels/plugins/actions/discord.ts
+++ b/src/channels/plugins/actions/discord.ts
@@ -1,2 +1,2 @@
-// Shim: re-exports from extension
-export * from "../../../../extensions/discord/src/channel-actions.js";
+// Public entrypoint for the Discord channel action adapter.
+export * from "../../../plugin-sdk-internal/discord.js";
diff --git a/src/channels/plugins/actions/signal.ts b/src/channels/plugins/actions/signal.ts
index b75a20ae2ec..7db723f305e 100644
--- a/src/channels/plugins/actions/signal.ts
+++ b/src/channels/plugins/actions/signal.ts
@@ -1,13 +1,11 @@
+import { createActionGate, jsonResult, readStringParam } from "../../../agents/tools/common.js";
 import {
   listEnabledSignalAccounts,
-  resolveSignalAccount,
-} from "../../../../extensions/signal/src/accounts.js";
-import { resolveSignalReactionLevel } from "../../../../extensions/signal/src/reaction-level.js";
-import {
-  sendReactionSignal,
   removeReactionSignal,
-} from "../../../../extensions/signal/src/send-reactions.js";
-import { createActionGate, jsonResult, readStringParam } from "../../../agents/tools/common.js";
+  resolveSignalAccount,
+  resolveSignalReactionLevel,
+  sendReactionSignal,
+} from "../../../plugin-sdk-internal/signal.js";
 import type { ChannelMessageActionAdapter, ChannelMessageActionName } from "../types.js";
 import { resolveReactionMessageId } from "./reaction-message-id.js";
 
diff --git a/src/channels/plugins/actions/telegram.ts b/src/channels/plugins/actions/telegram.ts
index 57a690d2208..e34c4598ade 100644
--- a/src/channels/plugins/actions/telegram.ts
+++ b/src/channels/plugins/actions/telegram.ts
@@ -1 +1,2 @@
-export * from "../../../../extensions/telegram/src/channel-actions.js";
+// Public entrypoint for the Telegram channel action adapter.
+export * from "../../../plugin-sdk-internal/telegram.js";
diff --git a/src/channels/plugins/agent-tools/whatsapp-login.ts b/src/channels/plugins/agent-tools/whatsapp-login.ts
index 741b40a6fc9..661b49e083b 100644
--- a/src/channels/plugins/agent-tools/whatsapp-login.ts
+++ b/src/channels/plugins/agent-tools/whatsapp-login.ts
@@ -1,2 +1,2 @@
-// Shim: re-exports from extensions/whatsapp/src/agent-tools-login.ts
-export * from "../../../../extensions/whatsapp/src/agent-tools-login.js";
+// Shim: keep legacy import path while the runtime loads the plugin SDK surface.
+export * from "../../../plugin-sdk-internal/whatsapp.js";
diff --git a/src/channels/plugins/bundled.ts b/src/channels/plugins/bundled.ts
new file mode 100644
index 00000000000..c7cae53de20
--- /dev/null
+++ b/src/channels/plugins/bundled.ts
@@ -0,0 +1,88 @@
+import { bluebubblesPlugin } from "../../../extensions/bluebubbles/src/channel.js";
+import { discordPlugin } from "../../../extensions/discord/src/channel.js";
+import { discordSetupPlugin } from "../../../extensions/discord/src/channel.setup.js";
+import { setDiscordRuntime } from "../../../extensions/discord/src/runtime.js";
+import { feishuPlugin } from "../../../extensions/feishu/src/channel.js";
+import { googlechatPlugin } from "../../../extensions/googlechat/src/channel.js";
+import { imessagePlugin } from "../../../extensions/imessage/src/channel.js";
+import { imessageSetupPlugin } from "../../../extensions/imessage/src/channel.setup.js";
+import { ircPlugin } from "../../../extensions/irc/src/channel.js";
+import { linePlugin } from "../../../extensions/line/src/channel.js";
+import { lineSetupPlugin } from "../../../extensions/line/src/channel.setup.js";
+import { setLineRuntime } from "../../../extensions/line/src/runtime.js";
+import { matrixPlugin } from "../../../extensions/matrix/src/channel.js";
+import { mattermostPlugin } from "../../../extensions/mattermost/src/channel.js";
+import { msteamsPlugin } from "../../../extensions/msteams/src/channel.js";
+import { nextcloudTalkPlugin } from "../../../extensions/nextcloud-talk/src/channel.js";
+import { nostrPlugin } from "../../../extensions/nostr/src/channel.js";
+import { signalPlugin } from "../../../extensions/signal/src/channel.js";
+import { signalSetupPlugin } from "../../../extensions/signal/src/channel.setup.js";
+import { slackPlugin } from "../../../extensions/slack/src/channel.js";
+import { slackSetupPlugin } from "../../../extensions/slack/src/channel.setup.js";
+import { synologyChatPlugin } from "../../../extensions/synology-chat/src/channel.js";
+import { telegramPlugin } from "../../../extensions/telegram/src/channel.js";
+import { telegramSetupPlugin } from "../../../extensions/telegram/src/channel.setup.js";
+import { setTelegramRuntime } from "../../../extensions/telegram/src/runtime.js";
+import { tlonPlugin } from "../../../extensions/tlon/src/channel.js";
+import { whatsappPlugin } from "../../../extensions/whatsapp/src/channel.js";
+import { whatsappSetupPlugin } from "../../../extensions/whatsapp/src/channel.setup.js";
+import { zaloPlugin } from "../../../extensions/zalo/src/channel.js";
+import { zalouserPlugin } from "../../../extensions/zalouser/src/channel.js";
+import type { ChannelId, ChannelPlugin } from "./types.js";
+
+export const bundledChannelPlugins = [
+  bluebubblesPlugin,
+  discordPlugin,
+  feishuPlugin,
+  googlechatPlugin,
+  imessagePlugin,
+  ircPlugin,
+  linePlugin,
+  matrixPlugin,
+  mattermostPlugin,
+  msteamsPlugin,
+  nextcloudTalkPlugin,
+  nostrPlugin,
+  signalPlugin,
+  slackPlugin,
+  synologyChatPlugin,
+  telegramPlugin,
+  tlonPlugin,
+  whatsappPlugin,
+  zaloPlugin,
+  zalouserPlugin,
+] as ChannelPlugin[];
+
+export const bundledChannelSetupPlugins = [
+  telegramSetupPlugin,
+  whatsappSetupPlugin,
+  discordSetupPlugin,
+  ircPlugin,
+  googlechatPlugin,
+  slackSetupPlugin,
+  signalSetupPlugin,
+  imessageSetupPlugin,
+  lineSetupPlugin,
+] as ChannelPlugin[];
+
+const bundledChannelPluginsById = new Map(
+  bundledChannelPlugins.map((plugin) => [plugin.id, plugin] as const),
+);
+
+export function getBundledChannelPlugin(id: ChannelId): ChannelPlugin | undefined {
+  return bundledChannelPluginsById.get(id);
+}
+
+export function requireBundledChannelPlugin(id: ChannelId): ChannelPlugin {
+  const plugin = getBundledChannelPlugin(id);
+  if (!plugin) {
+    throw new Error(`missing bundled channel plugin: ${id}`);
+  }
+  return plugin;
+}
+
+export const bundledChannelRuntimeSetters = {
+  setDiscordRuntime,
+  setLineRuntime,
+  setTelegramRuntime,
+};
diff --git a/src/channels/plugins/contracts/actions.contract.test.ts b/src/channels/plugins/contracts/actions.contract.test.ts
new file mode 100644
index 00000000000..11daa8cd205
--- /dev/null
+++ b/src/channels/plugins/contracts/actions.contract.test.ts
@@ -0,0 +1,13 @@
+import { describe } from "vitest";
+import { actionContractRegistry } from "./registry.js";
+import { installChannelActionsContractSuite } from "./suites.js";
+
+for (const entry of actionContractRegistry) {
+  describe(`${entry.id} actions contract`, () => {
+    installChannelActionsContractSuite({
+      plugin: entry.plugin,
+      cases: entry.cases as never,
+      unsupportedAction: entry.unsupportedAction as never,
+    });
+  });
+}
diff --git a/src/channels/plugins/contracts/group-policy.contract.test.ts b/src/channels/plugins/contracts/group-policy.contract.test.ts
new file mode 100644
index 00000000000..51a9c178170
--- /dev/null
+++ b/src/channels/plugins/contracts/group-policy.contract.test.ts
@@ -0,0 +1,94 @@
+import { describe, expect, it } from "vitest";
+import { __testing as discordTesting } from "../../../../extensions/discord/src/monitor/provider.js";
+import { __testing as imessageTesting } from "../../../../extensions/imessage/src/monitor/monitor-provider.js";
+import { __testing as slackTesting } from "../../../../extensions/slack/src/monitor/provider.js";
+import { resolveTelegramRuntimeGroupPolicy } from "../../../../extensions/telegram/src/group-access.js";
+import { __testing as whatsappTesting } from "../../../../extensions/whatsapp/src/inbound/access-control.js";
+import { __testing as zaloTesting } from "../../../../extensions/zalo/src/monitor.js";
+import { installChannelRuntimeGroupPolicyFallbackSuite } from "./suites.js";
+
+describe("channel runtime group policy contract", () => {
+  describe("slack", () => {
+    installChannelRuntimeGroupPolicyFallbackSuite({
+      resolve: slackTesting.resolveSlackRuntimeGroupPolicy,
+      configuredLabel: "keeps open default when channels.slack is configured",
+      defaultGroupPolicyUnderTest: "open",
+      missingConfigLabel: "fails closed when channels.slack is missing and no defaults are set",
+      missingDefaultLabel: "ignores explicit global defaults when provider config is missing",
+    });
+  });
+
+  describe("telegram", () => {
+    installChannelRuntimeGroupPolicyFallbackSuite({
+      resolve: resolveTelegramRuntimeGroupPolicy,
+      configuredLabel: "keeps open fallback when channels.telegram is configured",
+      defaultGroupPolicyUnderTest: "disabled",
+      missingConfigLabel: "fails closed when channels.telegram is missing and no defaults are set",
+      missingDefaultLabel: "ignores explicit defaults when provider config is missing",
+    });
+  });
+
+  describe("whatsapp", () => {
+    installChannelRuntimeGroupPolicyFallbackSuite({
+      resolve: whatsappTesting.resolveWhatsAppRuntimeGroupPolicy,
+      configuredLabel: "keeps open fallback when channels.whatsapp is configured",
+      defaultGroupPolicyUnderTest: "disabled",
+      missingConfigLabel: "fails closed when channels.whatsapp is missing and no defaults are set",
+      missingDefaultLabel: "ignores explicit global defaults when provider config is missing",
+    });
+  });
+
+  describe("imessage", () => {
+    installChannelRuntimeGroupPolicyFallbackSuite({
+      resolve: imessageTesting.resolveIMessageRuntimeGroupPolicy,
+      configuredLabel: "keeps open fallback when channels.imessage is configured",
+      defaultGroupPolicyUnderTest: "disabled",
+      missingConfigLabel: "fails closed when channels.imessage is missing and no defaults are set",
+      missingDefaultLabel: "ignores explicit global defaults when provider config is missing",
+    });
+  });
+
+  describe("discord", () => {
+    installChannelRuntimeGroupPolicyFallbackSuite({
+      resolve: discordTesting.resolveDiscordRuntimeGroupPolicy,
+      configuredLabel: "keeps open default when channels.discord is configured",
+      defaultGroupPolicyUnderTest: "open",
+      missingConfigLabel: "fails closed when channels.discord is missing and no defaults are set",
+      missingDefaultLabel: "ignores explicit global defaults when provider config is missing",
+    });
+
+    it("respects explicit provider policy", () => {
+      const resolved = discordTesting.resolveDiscordRuntimeGroupPolicy({
+        providerConfigPresent: false,
+        groupPolicy: "disabled",
+      });
+      expect(resolved.groupPolicy).toBe("disabled");
+      expect(resolved.providerMissingFallbackApplied).toBe(false);
+    });
+  });
+
+  describe("zalo", () => {
+    installChannelRuntimeGroupPolicyFallbackSuite({
+      resolve: zaloTesting.resolveZaloRuntimeGroupPolicy,
+      configuredLabel: "keeps open fallback when channels.zalo is configured",
+      defaultGroupPolicyUnderTest: "open",
+      missingConfigLabel: "fails closed when channels.zalo is missing and no defaults are set",
+      missingDefaultLabel: "ignores explicit global defaults when provider config is missing",
+    });
+
+    it("keeps provider-owned group access evaluation", () => {
+      const decision = zaloTesting.evaluateZaloGroupAccess({
+        providerConfigPresent: true,
+        configuredGroupPolicy: "allowlist",
+        defaultGroupPolicy: "open",
+        groupAllowFrom: ["zl:12345"],
+        senderId: "12345",
+      });
+      expect(decision).toMatchObject({
+        allowed: true,
+        groupPolicy: "allowlist",
+        reason: "allowed",
+      });
+    });
+  });
+});
diff --git a/src/channels/plugins/contracts/inbound.discord.contract.test.ts b/src/channels/plugins/contracts/inbound.discord.contract.test.ts
new file mode 100644
index 00000000000..6b168f7d244
--- /dev/null
+++ b/src/channels/plugins/contracts/inbound.discord.contract.test.ts
@@ -0,0 +1,24 @@
+import { describe, expect, it } from "vitest";
+import { inboundCtxCapture } from "../../../../test/helpers/inbound-contract-dispatch-mock.js";
+import { expectChannelInboundContextContract } from "./suites.js";
+
+const { processDiscordMessage } =
+  await import("../../../../extensions/discord/src/monitor/message-handler.process.js");
+const { createBaseDiscordMessageContext, createDiscordDirectMessageContextOverrides } =
+  await import("../../../../extensions/discord/src/monitor/message-handler.test-harness.js");
+
+describe("discord inbound contract", () => {
+  it("keeps inbound context finalized", async () => {
+    inboundCtxCapture.ctx = undefined;
+    const messageCtx = await createBaseDiscordMessageContext({
+      cfg: { messages: {} },
+      ackReactionScope: "direct",
+      ...createDiscordDirectMessageContextOverrides(),
+    });
+
+    await processDiscordMessage(messageCtx);
+
+    expect(inboundCtxCapture.ctx).toBeTruthy();
+    expectChannelInboundContextContract(inboundCtxCapture.ctx!);
+  });
+});
diff --git a/src/channels/plugins/contracts/inbound.signal.contract.test.ts b/src/channels/plugins/contracts/inbound.signal.contract.test.ts
new file mode 100644
index 00000000000..abec31c0174
--- /dev/null
+++ b/src/channels/plugins/contracts/inbound.signal.contract.test.ts
@@ -0,0 +1,73 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createSignalEventHandler } from "../../../../extensions/signal/src/monitor/event-handler.js";
+import {
+  createBaseSignalEventHandlerDeps,
+  createSignalReceiveEvent,
+} from "../../../../extensions/signal/src/monitor/event-handler.test-harness.js";
+import type { MsgContext } from "../../../auto-reply/templating.js";
+import { expectChannelInboundContextContract } from "./suites.js";
+
+const capture = vi.hoisted(() => ({ ctx: undefined as MsgContext | undefined }));
+const dispatchInboundMessageMock = vi.hoisted(() =>
+  vi.fn(
+    async (params: {
+      ctx: MsgContext;
+      replyOptions?: { onReplyStart?: () => void | Promise<void> };
+    }) => {
+      capture.ctx = params.ctx;
+      await Promise.resolve(params.replyOptions?.onReplyStart?.());
+      return { queuedFinal: false, counts: { tool: 0, block: 0, final: 0 } };
+    },
+  ),
+);
+
+vi.mock("../../../auto-reply/dispatch.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("../../../auto-reply/dispatch.js")>();
+  return {
+    ...actual,
+    dispatchInboundMessage: dispatchInboundMessageMock,
+    dispatchInboundMessageWithDispatcher: dispatchInboundMessageMock,
+    dispatchInboundMessageWithBufferedDispatcher: dispatchInboundMessageMock,
+  };
+});
+
+vi.mock("../../../../extensions/signal/src/send.js", () => ({
+  sendMessageSignal: vi.fn(),
+  sendTypingSignal: vi.fn(async () => true),
+  sendReadReceiptSignal: vi.fn(async () => true),
+}));
+
+vi.mock("../../../pairing/pairing-store.js", () => ({
+  readChannelAllowFromStore: vi.fn().mockResolvedValue([]),
+  upsertChannelPairingRequest: vi.fn(),
+}));
+
+describe("signal inbound contract", () => {
+  beforeEach(() => {
+    capture.ctx = undefined;
+    dispatchInboundMessageMock.mockClear();
+  });
+
+  it("keeps inbound context finalized", async () => {
+    const handler = createSignalEventHandler(
+      createBaseSignalEventHandlerDeps({
+        // oxlint-disable-next-line typescript/no-explicit-any
+        cfg: { messages: { inbound: { debounceMs: 0 } } } as any,
+        historyLimit: 0,
+      }),
+    );
+
+    await handler(
+      createSignalReceiveEvent({
+        dataMessage: {
+          message: "hi",
+          attachments: [],
+          groupInfo: { groupId: "g1", groupName: "Test Group" },
+        },
+      }),
+    );
+
+    expect(capture.ctx).toBeTruthy();
+    expectChannelInboundContextContract(capture.ctx!);
+  });
+});
diff --git a/src/channels/plugins/contracts/inbound.slack.contract.test.ts b/src/channels/plugins/contracts/inbound.slack.contract.test.ts
new file mode 100644
index 00000000000..e013bed3b4f
--- /dev/null
+++ b/src/channels/plugins/contracts/inbound.slack.contract.test.ts
@@ -0,0 +1,54 @@
+import { describe, expect, it } from "vitest";
+import type { ResolvedSlackAccount } from "../../../../extensions/slack/src/accounts.js";
+import { prepareSlackMessage } from "../../../../extensions/slack/src/monitor/message-handler/prepare.js";
+import { createInboundSlackTestContext } from "../../../../extensions/slack/src/monitor/message-handler/prepare.test-helpers.js";
+import type { SlackMessageEvent } from "../../../../extensions/slack/src/types.js";
+import type { OpenClawConfig } from "../../../config/config.js";
+import { expectChannelInboundContextContract } from "./suites.js";
+
+function createSlackAccount(config: ResolvedSlackAccount["config"] = {}): ResolvedSlackAccount {
+  return {
+    accountId: "default",
+    enabled: true,
+    botTokenSource: "config",
+    appTokenSource: "config",
+    userTokenSource: "none",
+    config,
+    replyToMode: config.replyToMode,
+    replyToModeByChatType: config.replyToModeByChatType,
+    dm: config.dm,
+  };
+}
+
+function createSlackMessage(overrides: Partial<SlackMessageEvent>): SlackMessageEvent {
+  return {
+    channel: "D123",
+    channel_type: "im",
+    user: "U1",
+    text: "hi",
+    ts: "1.000",
+    ...overrides,
+  } as SlackMessageEvent;
+}
+
+describe("slack inbound contract", () => {
+  it("keeps inbound context finalized", async () => {
+    const ctx = createInboundSlackTestContext({
+      cfg: {
+        channels: { slack: { enabled: true } },
+      } as OpenClawConfig,
+    });
+    // oxlint-disable-next-line typescript/no-explicit-any
+    ctx.resolveUserName = async () => ({ name: "Alice" }) as any;
+
+    const prepared = await prepareSlackMessage({
+      ctx,
+      account: createSlackAccount(),
+      message: createSlackMessage({}),
+      opts: { source: "message" },
+    });
+
+    expect(prepared).toBeTruthy();
+    expectChannelInboundContextContract(prepared!.ctxPayload);
+  });
+});
diff --git a/src/channels/plugins/contracts/inbound.telegram.contract.test.ts b/src/channels/plugins/contracts/inbound.telegram.contract.test.ts
new file mode 100644
index 00000000000..a872964bd53
--- /dev/null
+++ b/src/channels/plugins/contracts/inbound.telegram.contract.test.ts
@@ -0,0 +1,60 @@
+import { beforeEach, describe, expect, it } from "vitest";
+import {
+  getLoadConfigMock,
+  getOnHandler,
+  onSpy,
+  replySpy,
+} from "../../../../extensions/telegram/src/bot.create-telegram-bot.test-harness.js";
+import type { MsgContext } from "../../../auto-reply/templating.js";
+import type { OpenClawConfig } from "../../../config/config.js";
+import { expectChannelInboundContextContract } from "./suites.js";
+
+const { createTelegramBot } = await import("../../../../extensions/telegram/src/bot.js");
+
+describe("telegram inbound contract", () => {
+  const loadConfig = getLoadConfigMock();
+
+  beforeEach(() => {
+    onSpy.mockClear();
+    replySpy.mockClear();
+    loadConfig.mockReturnValue({
+      agents: {
+        defaults: {
+          envelopeTimezone: "utc",
+        },
+      },
+      channels: {
+        telegram: {
+          groupPolicy: "open",
+          groups: { "*": { requireMention: false } },
+        },
+      },
+    } satisfies OpenClawConfig);
+  });
+
+  it("keeps inbound context finalized", async () => {
+    createTelegramBot({ token: "tok" });
+    const handler = getOnHandler("message") as (ctx: Record<string, unknown>) => Promise<void>;
+
+    await handler({
+      message: {
+        chat: { id: 42, type: "group", title: "Ops" },
+        text: "hello",
+        date: 1736380800,
+        message_id: 2,
+        from: {
+          id: 99,
+          first_name: "Ada",
+          last_name: "Lovelace",
+          username: "ada",
+        },
+      },
+      me: { username: "openclaw_bot" },
+      getFile: async () => ({ download: async () => new Uint8Array() }),
+    });
+
+    const payload = replySpy.mock.calls[0]?.[0] as MsgContext | undefined;
+    expect(payload).toBeTruthy();
+    expectChannelInboundContextContract(payload!);
+  });
+});
diff --git a/src/channels/plugins/contracts/inbound.whatsapp.contract.test.ts b/src/channels/plugins/contracts/inbound.whatsapp.contract.test.ts
new file mode 100644
index 00000000000..108131226aa
--- /dev/null
+++ b/src/channels/plugins/contracts/inbound.whatsapp.contract.test.ts
@@ -0,0 +1,111 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { processMessage } from "../../../../extensions/whatsapp/src/auto-reply/monitor/process-message.js";
+import type { MsgContext } from "../../../auto-reply/templating.js";
+import { expectChannelInboundContextContract } from "./suites.js";
+
+const capture = vi.hoisted(() => ({
+  ctx: undefined as MsgContext | undefined,
+}));
+
+vi.mock("../../../auto-reply/reply/provider-dispatcher.js", () => ({
+  dispatchReplyWithBufferedBlockDispatcher: vi.fn(async (params: { ctx: MsgContext }) => {
+    capture.ctx = params.ctx;
+    return { queuedFinal: false };
+  }),
+}));
+
+vi.mock("../../../../extensions/whatsapp/src/auto-reply/monitor/last-route.js", () => ({
+  trackBackgroundTask: (tasks: Set<Promise<unknown>>, task: Promise<unknown>) => {
+    tasks.add(task);
+    void task.finally(() => {
+      tasks.delete(task);
+    });
+  },
+  updateLastRouteInBackground: vi.fn(),
+}));
+
+vi.mock("../../../../extensions/whatsapp/src/auto-reply/deliver-reply.js", () => ({
+  deliverWebReply: vi.fn(async () => {}),
+}));
+
+function makeProcessArgs(sessionStorePath: string) {
+  return {
+    // oxlint-disable-next-line typescript/no-explicit-any
+    cfg: { messages: {}, session: { store: sessionStorePath } } as any,
+    // oxlint-disable-next-line typescript/no-explicit-any
+    msg: {
+      id: "msg1",
+      from: "123@g.us",
+      to: "+15550001111",
+      chatType: "group",
+      body: "hi",
+      senderName: "Alice",
+      senderJid: "alice@s.whatsapp.net",
+      senderE164: "+15550002222",
+      groupSubject: "Test Group",
+      groupParticipants: [],
+    } as unknown as Record<string, unknown>,
+    route: {
+      agentId: "main",
+      accountId: "default",
+      sessionKey: "agent:main:whatsapp:group:123",
+      // oxlint-disable-next-line typescript/no-explicit-any
+    } as any,
+    groupHistoryKey: "123@g.us",
+    groupHistories: new Map(),
+    groupMemberNames: new Map(),
+    connectionId: "conn",
+    verbose: false,
+    maxMediaBytes: 1,
+    // oxlint-disable-next-line typescript/no-explicit-any
+    replyResolver: (async () => undefined) as any,
+    // oxlint-disable-next-line typescript/no-explicit-any
+    replyLogger: { info: () => {}, warn: () => {}, error: () => {}, debug: () => {} } as any,
+    backgroundTasks: new Set<Promise<unknown>>(),
+    rememberSentText: () => {},
+    echoHas: () => false,
+    echoForget: () => {},
+    buildCombinedEchoKey: () => "echo",
+    groupHistory: [],
+    // oxlint-disable-next-line typescript/no-explicit-any
+  } as any;
+}
+
+async function removeDirEventually(dir: string) {
+  for (let attempt = 0; attempt < 3; attempt += 1) {
+    try {
+      await fs.rm(dir, { recursive: true, force: true });
+      return;
+    } catch (error) {
+      if ((error as NodeJS.ErrnoException).code !== "ENOTEMPTY" || attempt === 2) {
+        throw error;
+      }
+      await new Promise((resolve) => setTimeout(resolve, 25));
+    }
+  }
+}
+
+describe("whatsapp inbound contract", () => {
+  let sessionDir = "";
+
+  afterEach(async () => {
+    capture.ctx = undefined;
+    if (sessionDir) {
+      await removeDirEventually(sessionDir);
+      sessionDir = "";
+    }
+  });
+
+  it("keeps inbound context finalized", async () => {
+    sessionDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-whatsapp-contract-"));
+    const sessionStorePath = path.join(sessionDir, "sessions.json");
+
+    await processMessage(makeProcessArgs(sessionStorePath));
+
+    expect(capture.ctx).toBeTruthy();
+    expectChannelInboundContextContract(capture.ctx!);
+  });
+});
diff --git a/src/channels/plugins/contracts/outbound-payload.contract.test.ts b/src/channels/plugins/contracts/outbound-payload.contract.test.ts
new file mode 100644
index 00000000000..5faa47893cb
--- /dev/null
+++ b/src/channels/plugins/contracts/outbound-payload.contract.test.ts
@@ -0,0 +1,209 @@
+import { describe, vi } from "vitest";
+import { discordOutbound } from "../../../../extensions/discord/src/outbound-adapter.js";
+import { whatsappOutbound } from "../../../../extensions/whatsapp/src/outbound-adapter.js";
+import { zaloPlugin } from "../../../../extensions/zalo/src/channel.js";
+import { sendMessageZalo } from "../../../../extensions/zalo/src/send.js";
+import "./../../../../extensions/zalouser/src/accounts.test-mocks.js";
+import { zalouserPlugin } from "../../../../extensions/zalouser/src/channel.js";
+import { setZalouserRuntime } from "../../../../extensions/zalouser/src/runtime.js";
+import { sendMessageZalouser } from "../../../../extensions/zalouser/src/send.js";
+import { slackOutbound } from "../../../../test/channel-outbounds.js";
+import type { ReplyPayload } from "../../../auto-reply/types.js";
+import { createDirectTextMediaOutbound } from "../outbound/direct-text-media.js";
+import {
+  installChannelOutboundPayloadContractSuite,
+  primeChannelOutboundSendMock,
+} from "./suites.js";
+
+vi.mock("../../../../extensions/zalo/src/send.js", () => ({
+  sendMessageZalo: vi.fn().mockResolvedValue({ ok: true, messageId: "zl-1" }),
+}));
+
+vi.mock("../../../../extensions/zalouser/src/send.js", () => ({
+  sendMessageZalouser: vi.fn().mockResolvedValue({ ok: true, messageId: "zlu-1" }),
+  sendReactionZalouser: vi.fn().mockResolvedValue({ ok: true }),
+}));
+
+type PayloadHarnessParams = {
+  payload: ReplyPayload;
+  sendResults?: Array<{ messageId: string }>;
+};
+
+const mockedSendZalo = vi.mocked(sendMessageZalo);
+const mockedSendZalouser = vi.mocked(sendMessageZalouser);
+
+function createSlackHarness(params: PayloadHarnessParams) {
+  const sendSlack = vi.fn();
+  primeChannelOutboundSendMock(
+    sendSlack,
+    { messageId: "sl-1", channelId: "C12345", ts: "1234.5678" },
+    params.sendResults,
+  );
+  const ctx = {
+    cfg: {},
+    to: "C12345",
+    text: "",
+    payload: params.payload,
+    deps: {
+      sendSlack,
+    },
+  };
+  return {
+    run: async () => await slackOutbound.sendPayload!(ctx),
+    sendMock: sendSlack,
+    to: ctx.to,
+  };
+}
+
+function createDiscordHarness(params: PayloadHarnessParams) {
+  const sendDiscord = vi.fn();
+  primeChannelOutboundSendMock(
+    sendDiscord,
+    { messageId: "dc-1", channelId: "123456" },
+    params.sendResults,
+  );
+  const ctx = {
+    cfg: {},
+    to: "channel:123456",
+    text: "",
+    payload: params.payload,
+    deps: {
+      sendDiscord,
+    },
+  };
+  return {
+    run: async () => await discordOutbound.sendPayload!(ctx),
+    sendMock: sendDiscord,
+    to: ctx.to,
+  };
+}
+
+function createWhatsAppHarness(params: PayloadHarnessParams) {
+  const sendWhatsApp = vi.fn();
+  primeChannelOutboundSendMock(sendWhatsApp, { messageId: "wa-1" }, params.sendResults);
+  const ctx = {
+    cfg: {},
+    to: "5511999999999@c.us",
+    text: "",
+    payload: params.payload,
+    deps: {
+      sendWhatsApp,
+    },
+  };
+  return {
+    run: async () => await whatsappOutbound.sendPayload!(ctx),
+    sendMock: sendWhatsApp,
+    to: ctx.to,
+  };
+}
+
+function createDirectTextMediaHarness(params: PayloadHarnessParams) {
+  const sendFn = vi.fn();
+  primeChannelOutboundSendMock(sendFn, { messageId: "m1" }, params.sendResults);
+  const outbound = createDirectTextMediaOutbound({
+    channel: "imessage",
+    resolveSender: () => sendFn,
+    resolveMaxBytes: () => undefined,
+    buildTextOptions: (opts) => opts as never,
+    buildMediaOptions: (opts) => opts as never,
+  });
+  const ctx = {
+    cfg: {},
+    to: "user1",
+    text: "",
+    payload: params.payload,
+  };
+  return {
+    run: async () => await outbound.sendPayload!(ctx),
+    sendMock: sendFn,
+    to: ctx.to,
+  };
+}
+
+describe("channel outbound payload contract", () => {
+  describe("slack", () => {
+    installChannelOutboundPayloadContractSuite({
+      channel: "slack",
+      chunking: { mode: "passthrough", longTextLength: 5000 },
+      createHarness: createSlackHarness,
+    });
+  });
+
+  describe("discord", () => {
+    installChannelOutboundPayloadContractSuite({
+      channel: "discord",
+      chunking: { mode: "passthrough", longTextLength: 3000 },
+      createHarness: createDiscordHarness,
+    });
+  });
+
+  describe("whatsapp", () => {
+    installChannelOutboundPayloadContractSuite({
+      channel: "whatsapp",
+      chunking: { mode: "split", longTextLength: 5000, maxChunkLength: 4000 },
+      createHarness: createWhatsAppHarness,
+    });
+  });
+
+  describe("zalo", () => {
+    installChannelOutboundPayloadContractSuite({
+      channel: "zalo",
+      chunking: { mode: "split", longTextLength: 3000, maxChunkLength: 2000 },
+      createHarness: ({ payload, sendResults }) => {
+        primeChannelOutboundSendMock(mockedSendZalo, { ok: true, messageId: "zl-1" }, sendResults);
+        return {
+          run: async () =>
+            await zaloPlugin.outbound!.sendPayload!({
+              cfg: {},
+              to: "123456789",
+              text: "",
+              payload,
+            }),
+          sendMock: mockedSendZalo,
+          to: "123456789",
+        };
+      },
+    });
+  });
+
+  describe("zalouser", () => {
+    installChannelOutboundPayloadContractSuite({
+      channel: "zalouser",
+      chunking: { mode: "passthrough", longTextLength: 3000 },
+      createHarness: ({ payload, sendResults }) => {
+        setZalouserRuntime({
+          channel: {
+            text: {
+              resolveChunkMode: vi.fn(() => "length"),
+              resolveTextChunkLimit: vi.fn(() => 1200),
+            },
+          },
+        } as never);
+        primeChannelOutboundSendMock(
+          mockedSendZalouser,
+          { ok: true, messageId: "zlu-1" },
+          sendResults,
+        );
+        return {
+          run: async () =>
+            await zalouserPlugin.outbound!.sendPayload!({
+              cfg: {},
+              to: "user:987654321",
+              text: "",
+              payload,
+            }),
+          sendMock: mockedSendZalouser,
+          to: "987654321",
+        };
+      },
+    });
+  });
+
+  describe("direct-text-media", () => {
+    installChannelOutboundPayloadContractSuite({
+      channel: "imessage",
+      chunking: { mode: "split", longTextLength: 5000, maxChunkLength: 4000 },
+      createHarness: createDirectTextMediaHarness,
+    });
+  });
+});
diff --git a/src/channels/plugins/contracts/plugin.contract.test.ts b/src/channels/plugins/contracts/plugin.contract.test.ts
new file mode 100644
index 00000000000..534d7284456
--- /dev/null
+++ b/src/channels/plugins/contracts/plugin.contract.test.ts
@@ -0,0 +1,11 @@
+import { describe } from "vitest";
+import { pluginContractRegistry } from "./registry.js";
+import { installChannelPluginContractSuite } from "./suites.js";
+
+for (const entry of pluginContractRegistry) {
+  describe(`${entry.id} plugin contract`, () => {
+    installChannelPluginContractSuite({
+      plugin: entry.plugin,
+    });
+  });
+}
diff --git a/src/channels/plugins/contracts/registry.contract.test.ts b/src/channels/plugins/contracts/registry.contract.test.ts
new file mode 100644
index 00000000000..69ff11d8e68
--- /dev/null
+++ b/src/channels/plugins/contracts/registry.contract.test.ts
@@ -0,0 +1,73 @@
+import { describe, expect, it } from "vitest";
+import {
+  actionContractRegistry,
+  pluginContractRegistry,
+  setupContractRegistry,
+  statusContractRegistry,
+  surfaceContractRegistry,
+  type ChannelPluginSurface,
+} from "./registry.js";
+
+const orderedSurfaceKeys = [
+  "actions",
+  "setup",
+  "status",
+  "outbound",
+  "messaging",
+  "threading",
+  "directory",
+  "gateway",
+] as const satisfies readonly ChannelPluginSurface[];
+
+describe("channel contract registry", () => {
+  it("does not duplicate channel plugin ids", () => {
+    const ids = pluginContractRegistry.map((entry) => entry.id);
+    expect(ids).toEqual([...new Set(ids)]);
+  });
+
+  it("keeps the surface registry aligned with the plugin registry", () => {
+    expect(surfaceContractRegistry.map((entry) => entry.id).toSorted()).toEqual(
+      pluginContractRegistry.map((entry) => entry.id).toSorted(),
+    );
+  });
+
+  it("declares the actual owned channel plugin surfaces explicitly", () => {
+    for (const entry of surfaceContractRegistry) {
+      const actual = orderedSurfaceKeys.filter((surface) => Boolean(entry.plugin[surface]));
+      expect([...entry.surfaces].toSorted()).toEqual(actual.toSorted());
+    }
+  });
+
+  it("only installs deep action coverage for plugins that declare actions", () => {
+    const actionSurfaceIds = new Set(
+      surfaceContractRegistry
+        .filter((entry) => entry.surfaces.includes("actions"))
+        .map((entry) => entry.id),
+    );
+    for (const entry of actionContractRegistry) {
+      expect(actionSurfaceIds.has(entry.id)).toBe(true);
+    }
+  });
+
+  it("only installs deep setup coverage for plugins that declare setup", () => {
+    const setupSurfaceIds = new Set(
+      surfaceContractRegistry
+        .filter((entry) => entry.surfaces.includes("setup"))
+        .map((entry) => entry.id),
+    );
+    for (const entry of setupContractRegistry) {
+      expect(setupSurfaceIds.has(entry.id)).toBe(true);
+    }
+  });
+
+  it("only installs deep status coverage for plugins that declare status", () => {
+    const statusSurfaceIds = new Set(
+      surfaceContractRegistry
+        .filter((entry) => entry.surfaces.includes("status"))
+        .map((entry) => entry.id),
+    );
+    for (const entry of statusContractRegistry) {
+      expect(statusSurfaceIds.has(entry.id)).toBe(true);
+    }
+  });
+});
diff --git a/src/channels/plugins/contracts/registry.ts b/src/channels/plugins/contracts/registry.ts
new file mode 100644
index 00000000000..2d4569383f8
--- /dev/null
+++ b/src/channels/plugins/contracts/registry.ts
@@ -0,0 +1,674 @@
+import { expect, vi } from "vitest";
+import type { OpenClawConfig } from "../../../config/config.js";
+import {
+  resolveDefaultLineAccountId,
+  resolveLineAccount,
+  listLineAccountIds,
+} from "../../../line/accounts.js";
+import { bundledChannelRuntimeSetters, requireBundledChannelPlugin } from "../bundled.js";
+import type { ChannelPlugin } from "../types.js";
+
+type PluginContractEntry = {
+  id: string;
+  plugin: Pick<ChannelPlugin, "id" | "meta" | "capabilities" | "config">;
+};
+
+type ActionsContractEntry = {
+  id: string;
+  plugin: Pick<ChannelPlugin, "id" | "actions">;
+  unsupportedAction?: string;
+  cases: Array<{
+    name: string;
+    cfg: OpenClawConfig;
+    expectedActions: string[];
+    expectedCapabilities?: string[];
+    beforeTest?: () => void;
+  }>;
+};
+
+type SetupContractEntry = {
+  id: string;
+  plugin: Pick<ChannelPlugin, "id" | "config" | "setup">;
+  cases: Array<{
+    name: string;
+    cfg: OpenClawConfig;
+    accountId?: string;
+    input: Record<string, unknown>;
+    expectedAccountId?: string;
+    expectedValidation?: string | null;
+    beforeTest?: () => void;
+    assertPatchedConfig?: (cfg: OpenClawConfig) => void;
+    assertResolvedAccount?: (account: unknown, cfg: OpenClawConfig) => void;
+  }>;
+};
+
+type StatusContractEntry = {
+  id: string;
+  plugin: Pick<ChannelPlugin, "id" | "config" | "status">;
+  cases: Array<{
+    name: string;
+    cfg: OpenClawConfig;
+    accountId?: string;
+    runtime?: Record<string, unknown>;
+    probe?: unknown;
+    beforeTest?: () => void;
+    assertSnapshot?: (snapshot: Record<string, unknown>) => void;
+    assertSummary?: (summary: Record<string, unknown>) => void;
+  }>;
+};
+
+export type ChannelPluginSurface =
+  | "actions"
+  | "setup"
+  | "status"
+  | "outbound"
+  | "messaging"
+  | "threading"
+  | "directory"
+  | "gateway";
+
+type SurfaceContractEntry = {
+  id: string;
+  plugin: Pick<
+    ChannelPlugin,
+    | "id"
+    | "actions"
+    | "setup"
+    | "status"
+    | "outbound"
+    | "messaging"
+    | "threading"
+    | "directory"
+    | "gateway"
+  >;
+  surfaces: readonly ChannelPluginSurface[];
+};
+
+const telegramListActionsMock = vi.fn();
+const telegramGetCapabilitiesMock = vi.fn();
+const discordListActionsMock = vi.fn();
+const discordGetCapabilitiesMock = vi.fn();
+
+bundledChannelRuntimeSetters.setTelegramRuntime({
+  channel: {
+    telegram: {
+      messageActions: {
+        listActions: telegramListActionsMock,
+        getCapabilities: telegramGetCapabilitiesMock,
+      },
+    },
+  },
+} as never);
+
+bundledChannelRuntimeSetters.setDiscordRuntime({
+  channel: {
+    discord: {
+      messageActions: {
+        listActions: discordListActionsMock,
+        getCapabilities: discordGetCapabilitiesMock,
+      },
+    },
+  },
+} as never);
+
+bundledChannelRuntimeSetters.setLineRuntime({
+  channel: {
+    line: {
+      listLineAccountIds,
+      resolveDefaultLineAccountId,
+      resolveLineAccount: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId?: string }) =>
+        resolveLineAccount({ cfg, accountId }),
+    },
+  },
+} as never);
+
+export const pluginContractRegistry: PluginContractEntry[] = [
+  { id: "bluebubbles", plugin: requireBundledChannelPlugin("bluebubbles") },
+  { id: "discord", plugin: requireBundledChannelPlugin("discord") },
+  { id: "feishu", plugin: requireBundledChannelPlugin("feishu") },
+  { id: "googlechat", plugin: requireBundledChannelPlugin("googlechat") },
+  { id: "imessage", plugin: requireBundledChannelPlugin("imessage") },
+  { id: "irc", plugin: requireBundledChannelPlugin("irc") },
+  { id: "line", plugin: requireBundledChannelPlugin("line") },
+  { id: "matrix", plugin: requireBundledChannelPlugin("matrix") },
+  { id: "mattermost", plugin: requireBundledChannelPlugin("mattermost") },
+  { id: "msteams", plugin: requireBundledChannelPlugin("msteams") },
+  { id: "nextcloud-talk", plugin: requireBundledChannelPlugin("nextcloud-talk") },
+  { id: "nostr", plugin: requireBundledChannelPlugin("nostr") },
+  { id: "signal", plugin: requireBundledChannelPlugin("signal") },
+  { id: "slack", plugin: requireBundledChannelPlugin("slack") },
+  { id: "synology-chat", plugin: requireBundledChannelPlugin("synology-chat") },
+  { id: "telegram", plugin: requireBundledChannelPlugin("telegram") },
+  { id: "tlon", plugin: requireBundledChannelPlugin("tlon") },
+  { id: "whatsapp", plugin: requireBundledChannelPlugin("whatsapp") },
+  { id: "zalo", plugin: requireBundledChannelPlugin("zalo") },
+  { id: "zalouser", plugin: requireBundledChannelPlugin("zalouser") },
+];
+
+export const actionContractRegistry: ActionsContractEntry[] = [
+  {
+    id: "slack",
+    plugin: requireBundledChannelPlugin("slack"),
+    unsupportedAction: "poll",
+    cases: [
+      {
+        name: "configured account exposes default Slack actions",
+        cfg: {
+          channels: {
+            slack: {
+              botToken: "xoxb-test",
+              appToken: "xapp-test",
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: [
+          "send",
+          "react",
+          "reactions",
+          "read",
+          "edit",
+          "delete",
+          "download-file",
+          "pin",
+          "unpin",
+          "list-pins",
+          "member-info",
+          "emoji-list",
+        ],
+        expectedCapabilities: ["blocks"],
+      },
+      {
+        name: "interactive replies add the shared interactive capability",
+        cfg: {
+          channels: {
+            slack: {
+              botToken: "xoxb-test",
+              appToken: "xapp-test",
+              capabilities: {
+                interactiveReplies: true,
+              },
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: [
+          "send",
+          "react",
+          "reactions",
+          "read",
+          "edit",
+          "delete",
+          "download-file",
+          "pin",
+          "unpin",
+          "list-pins",
+          "member-info",
+          "emoji-list",
+        ],
+        expectedCapabilities: ["blocks", "interactive"],
+      },
+      {
+        name: "missing tokens disables the actions surface",
+        cfg: {
+          channels: {
+            slack: {
+              enabled: true,
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: [],
+        expectedCapabilities: [],
+      },
+    ],
+  },
+  {
+    id: "mattermost",
+    plugin: requireBundledChannelPlugin("mattermost"),
+    unsupportedAction: "poll",
+    cases: [
+      {
+        name: "configured account exposes send and react",
+        cfg: {
+          channels: {
+            mattermost: {
+              enabled: true,
+              botToken: "test-token",
+              baseUrl: "https://chat.example.com",
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: ["send", "react"],
+        expectedCapabilities: ["buttons"],
+      },
+      {
+        name: "reactions can be disabled while send stays available",
+        cfg: {
+          channels: {
+            mattermost: {
+              enabled: true,
+              botToken: "test-token",
+              baseUrl: "https://chat.example.com",
+              actions: { reactions: false },
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: ["send"],
+        expectedCapabilities: ["buttons"],
+      },
+      {
+        name: "missing bot credentials disables the actions surface",
+        cfg: {
+          channels: {
+            mattermost: {
+              enabled: true,
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: [],
+        expectedCapabilities: [],
+      },
+    ],
+  },
+  {
+    id: "telegram",
+    plugin: requireBundledChannelPlugin("telegram"),
+    cases: [
+      {
+        name: "forwards runtime-backed Telegram actions and capabilities",
+        cfg: {} as OpenClawConfig,
+        expectedActions: ["send", "poll", "react"],
+        expectedCapabilities: ["interactive", "buttons"],
+        beforeTest: () => {
+          telegramListActionsMock.mockReset();
+          telegramGetCapabilitiesMock.mockReset();
+          telegramListActionsMock.mockReturnValue(["send", "poll", "react"]);
+          telegramGetCapabilitiesMock.mockReturnValue(["interactive", "buttons"]);
+        },
+      },
+    ],
+  },
+  {
+    id: "discord",
+    plugin: requireBundledChannelPlugin("discord"),
+    cases: [
+      {
+        name: "forwards runtime-backed Discord actions and capabilities",
+        cfg: {} as OpenClawConfig,
+        expectedActions: ["send", "react", "poll"],
+        expectedCapabilities: ["interactive", "components"],
+        beforeTest: () => {
+          discordListActionsMock.mockReset();
+          discordGetCapabilitiesMock.mockReset();
+          discordListActionsMock.mockReturnValue(["send", "react", "poll"]);
+          discordGetCapabilitiesMock.mockReturnValue(["interactive", "components"]);
+        },
+      },
+    ],
+  },
+];
+
+export const setupContractRegistry: SetupContractEntry[] = [
+  {
+    id: "slack",
+    plugin: requireBundledChannelPlugin("slack"),
+    cases: [
+      {
+        name: "default account stores tokens and enables the channel",
+        cfg: {} as OpenClawConfig,
+        input: {
+          botToken: "xoxb-test",
+          appToken: "xapp-test",
+        },
+        expectedAccountId: "default",
+        assertPatchedConfig: (cfg) => {
+          expect(cfg.channels?.slack?.enabled).toBe(true);
+          expect(cfg.channels?.slack?.botToken).toBe("xoxb-test");
+          expect(cfg.channels?.slack?.appToken).toBe("xapp-test");
+        },
+      },
+      {
+        name: "non-default env setup is rejected",
+        cfg: {} as OpenClawConfig,
+        accountId: "ops",
+        input: {
+          useEnv: true,
+        },
+        expectedAccountId: "ops",
+        expectedValidation: "Slack env tokens can only be used for the default account.",
+      },
+    ],
+  },
+  {
+    id: "mattermost",
+    plugin: requireBundledChannelPlugin("mattermost"),
+    cases: [
+      {
+        name: "default account stores token and normalized base URL",
+        cfg: {} as OpenClawConfig,
+        input: {
+          botToken: "test-token",
+          httpUrl: "https://chat.example.com/",
+        },
+        expectedAccountId: "default",
+        assertPatchedConfig: (cfg) => {
+          expect(cfg.channels?.mattermost?.enabled).toBe(true);
+          expect(cfg.channels?.mattermost?.botToken).toBe("test-token");
+          expect(cfg.channels?.mattermost?.baseUrl).toBe("https://chat.example.com");
+        },
+      },
+      {
+        name: "missing credentials are rejected",
+        cfg: {} as OpenClawConfig,
+        input: {
+          httpUrl: "",
+        },
+        expectedAccountId: "default",
+        expectedValidation: "Mattermost requires --bot-token and --http-url (or --use-env).",
+      },
+    ],
+  },
+  {
+    id: "line",
+    plugin: requireBundledChannelPlugin("line"),
+    cases: [
+      {
+        name: "default account stores token and secret",
+        cfg: {} as OpenClawConfig,
+        input: {
+          channelAccessToken: "line-token",
+          channelSecret: "line-secret",
+        },
+        expectedAccountId: "default",
+        assertPatchedConfig: (cfg) => {
+          expect(cfg.channels?.line?.enabled).toBe(true);
+          expect(cfg.channels?.line?.channelAccessToken).toBe("line-token");
+          expect(cfg.channels?.line?.channelSecret).toBe("line-secret");
+        },
+      },
+      {
+        name: "non-default env setup is rejected",
+        cfg: {} as OpenClawConfig,
+        accountId: "ops",
+        input: {
+          useEnv: true,
+        },
+        expectedAccountId: "ops",
+        expectedValidation: "LINE_CHANNEL_ACCESS_TOKEN can only be used for the default account.",
+      },
+    ],
+  },
+];
+
+export const statusContractRegistry: StatusContractEntry[] = [
+  {
+    id: "slack",
+    plugin: requireBundledChannelPlugin("slack"),
+    cases: [
+      {
+        name: "configured account produces a configured status snapshot",
+        cfg: {
+          channels: {
+            slack: {
+              botToken: "xoxb-test",
+              appToken: "xapp-test",
+            },
+          },
+        } as OpenClawConfig,
+        runtime: {
+          accountId: "default",
+          connected: true,
+          running: true,
+        },
+        probe: { ok: true },
+        assertSnapshot: (snapshot) => {
+          expect(snapshot.accountId).toBe("default");
+          expect(snapshot.enabled).toBe(true);
+          expect(snapshot.configured).toBe(true);
+        },
+      },
+    ],
+  },
+  {
+    id: "mattermost",
+    plugin: requireBundledChannelPlugin("mattermost"),
+    cases: [
+      {
+        name: "configured account preserves connectivity details in the snapshot",
+        cfg: {
+          channels: {
+            mattermost: {
+              enabled: true,
+              botToken: "test-token",
+              baseUrl: "https://chat.example.com",
+            },
+          },
+        } as OpenClawConfig,
+        runtime: {
+          accountId: "default",
+          connected: true,
+          lastConnectedAt: 1234,
+        },
+        probe: { ok: true },
+        assertSnapshot: (snapshot) => {
+          expect(snapshot.accountId).toBe("default");
+          expect(snapshot.enabled).toBe(true);
+          expect(snapshot.configured).toBe(true);
+          expect(snapshot.connected).toBe(true);
+          expect(snapshot.baseUrl).toBe("https://chat.example.com");
+        },
+      },
+    ],
+  },
+  {
+    id: "line",
+    plugin: requireBundledChannelPlugin("line"),
+    cases: [
+      {
+        name: "configured account produces a webhook status snapshot",
+        cfg: {
+          channels: {
+            line: {
+              enabled: true,
+              channelAccessToken: "line-token",
+              channelSecret: "line-secret",
+            },
+          },
+        } as OpenClawConfig,
+        runtime: {
+          accountId: "default",
+          running: true,
+        },
+        probe: { ok: true },
+        assertSnapshot: (snapshot) => {
+          expect(snapshot.accountId).toBe("default");
+          expect(snapshot.enabled).toBe(true);
+          expect(snapshot.configured).toBe(true);
+          expect(snapshot.mode).toBe("webhook");
+        },
+      },
+    ],
+  },
+];
+
+export const surfaceContractRegistry: SurfaceContractEntry[] = [
+  {
+    id: "bluebubbles",
+    plugin: requireBundledChannelPlugin("bluebubbles"),
+    surfaces: ["actions", "setup", "status", "outbound", "messaging", "threading", "gateway"],
+  },
+  {
+    id: "discord",
+    plugin: requireBundledChannelPlugin("discord"),
+    surfaces: [
+      "actions",
+      "setup",
+      "status",
+      "outbound",
+      "messaging",
+      "threading",
+      "directory",
+      "gateway",
+    ],
+  },
+  {
+    id: "feishu",
+    plugin: requireBundledChannelPlugin("feishu"),
+    surfaces: ["actions", "setup", "status", "outbound", "messaging", "directory", "gateway"],
+  },
+  {
+    id: "googlechat",
+    plugin: requireBundledChannelPlugin("googlechat"),
+    surfaces: [
+      "actions",
+      "setup",
+      "status",
+      "outbound",
+      "messaging",
+      "threading",
+      "directory",
+      "gateway",
+    ],
+  },
+  {
+    id: "imessage",
+    plugin: requireBundledChannelPlugin("imessage"),
+    surfaces: ["setup", "status", "outbound", "messaging", "gateway"],
+  },
+  {
+    id: "irc",
+    plugin: requireBundledChannelPlugin("irc"),
+    surfaces: ["setup", "status", "outbound", "messaging", "directory", "gateway"],
+  },
+  {
+    id: "line",
+    plugin: requireBundledChannelPlugin("line"),
+    surfaces: ["setup", "status", "outbound", "messaging", "directory", "gateway"],
+  },
+  {
+    id: "matrix",
+    plugin: requireBundledChannelPlugin("matrix"),
+    surfaces: [
+      "actions",
+      "setup",
+      "status",
+      "outbound",
+      "messaging",
+      "threading",
+      "directory",
+      "gateway",
+    ],
+  },
+  {
+    id: "mattermost",
+    plugin: requireBundledChannelPlugin("mattermost"),
+    surfaces: [
+      "actions",
+      "setup",
+      "status",
+      "outbound",
+      "messaging",
+      "threading",
+      "directory",
+      "gateway",
+    ],
+  },
+  {
+    id: "msteams",
+    plugin: requireBundledChannelPlugin("msteams"),
+    surfaces: [
+      "actions",
+      "setup",
+      "status",
+      "outbound",
+      "messaging",
+      "threading",
+      "directory",
+      "gateway",
+    ],
+  },
+  {
+    id: "nextcloud-talk",
+    plugin: requireBundledChannelPlugin("nextcloud-talk"),
+    surfaces: ["setup", "status", "outbound", "messaging", "gateway"],
+  },
+  {
+    id: "nostr",
+    plugin: requireBundledChannelPlugin("nostr"),
+    surfaces: ["setup", "status", "outbound", "messaging", "gateway"],
+  },
+  {
+    id: "signal",
+    plugin: requireBundledChannelPlugin("signal"),
+    surfaces: ["actions", "setup", "status", "outbound", "messaging", "gateway"],
+  },
+  {
+    id: "slack",
+    plugin: requireBundledChannelPlugin("slack"),
+    surfaces: [
+      "actions",
+      "setup",
+      "status",
+      "outbound",
+      "messaging",
+      "threading",
+      "directory",
+      "gateway",
+    ],
+  },
+  {
+    id: "synology-chat",
+    plugin: requireBundledChannelPlugin("synology-chat"),
+    surfaces: ["setup", "outbound", "messaging", "directory", "gateway"],
+  },
+  {
+    id: "telegram",
+    plugin: requireBundledChannelPlugin("telegram"),
+    surfaces: [
+      "actions",
+      "setup",
+      "status",
+      "outbound",
+      "messaging",
+      "threading",
+      "directory",
+      "gateway",
+    ],
+  },
+  {
+    id: "tlon",
+    plugin: requireBundledChannelPlugin("tlon"),
+    surfaces: ["setup", "status", "outbound", "messaging", "gateway"],
+  },
+  {
+    id: "whatsapp",
+    plugin: requireBundledChannelPlugin("whatsapp"),
+    surfaces: ["actions", "setup", "status", "outbound", "messaging", "directory", "gateway"],
+  },
+  {
+    id: "zalo",
+    plugin: requireBundledChannelPlugin("zalo"),
+    surfaces: [
+      "actions",
+      "setup",
+      "status",
+      "outbound",
+      "messaging",
+      "threading",
+      "directory",
+      "gateway",
+    ],
+  },
+  {
+    id: "zalouser",
+    plugin: requireBundledChannelPlugin("zalouser"),
+    surfaces: [
+      "actions",
+      "setup",
+      "status",
+      "outbound",
+      "messaging",
+      "threading",
+      "directory",
+      "gateway",
+    ],
+  },
+];
diff --git a/src/channels/plugins/contracts/setup.contract.test.ts b/src/channels/plugins/contracts/setup.contract.test.ts
new file mode 100644
index 00000000000..acc221d61d6
--- /dev/null
+++ b/src/channels/plugins/contracts/setup.contract.test.ts
@@ -0,0 +1,12 @@
+import { describe } from "vitest";
+import { setupContractRegistry } from "./registry.js";
+import { installChannelSetupContractSuite } from "./suites.js";
+
+for (const entry of setupContractRegistry) {
+  describe(`${entry.id} setup contract`, () => {
+    installChannelSetupContractSuite({
+      plugin: entry.plugin,
+      cases: entry.cases as never,
+    });
+  });
+}
diff --git a/src/channels/plugins/contracts/status.contract.test.ts b/src/channels/plugins/contracts/status.contract.test.ts
new file mode 100644
index 00000000000..9cc364f17d2
--- /dev/null
+++ b/src/channels/plugins/contracts/status.contract.test.ts
@@ -0,0 +1,12 @@
+import { describe } from "vitest";
+import { statusContractRegistry } from "./registry.js";
+import { installChannelStatusContractSuite } from "./suites.js";
+
+for (const entry of statusContractRegistry) {
+  describe(`${entry.id} status contract`, () => {
+    installChannelStatusContractSuite({
+      plugin: entry.plugin,
+      cases: entry.cases as never,
+    });
+  });
+}
diff --git a/src/channels/plugins/contracts/suites.ts b/src/channels/plugins/contracts/suites.ts
new file mode 100644
index 00000000000..f2c8a8e3b16
--- /dev/null
+++ b/src/channels/plugins/contracts/suites.ts
@@ -0,0 +1,548 @@
+import { expect, it, type Mock } from "vitest";
+import type { MsgContext } from "../../../auto-reply/templating.js";
+import type { OpenClawConfig } from "../../../config/config.js";
+import type {
+  ResolveProviderRuntimeGroupPolicyParams,
+  RuntimeGroupPolicyResolution,
+} from "../../../config/runtime-group-policy.js";
+import { normalizeChatType } from "../../chat-type.js";
+import { resolveConversationLabel } from "../../conversation-label.js";
+import { validateSenderIdentity } from "../../sender-identity.js";
+import type {
+  ChannelAccountSnapshot,
+  ChannelAccountState,
+  ChannelSetupInput,
+} from "../types.core.js";
+import type {
+  ChannelMessageActionName,
+  ChannelMessageCapability,
+  ChannelPlugin,
+} from "../types.js";
+
+function sortStrings(values: readonly string[]) {
+  return [...values].toSorted((left, right) => left.localeCompare(right));
+}
+
+export function installChannelPluginContractSuite(params: {
+  plugin: Pick<ChannelPlugin, "id" | "meta" | "capabilities" | "config">;
+}) {
+  it("satisfies the base channel plugin contract", () => {
+    const { plugin } = params;
+
+    expect(typeof plugin.id).toBe("string");
+    expect(plugin.id.trim()).not.toBe("");
+
+    expect(plugin.meta.id).toBe(plugin.id);
+    expect(plugin.meta.label.trim()).not.toBe("");
+    expect(plugin.meta.selectionLabel.trim()).not.toBe("");
+    expect(plugin.meta.docsPath).toMatch(/^\/channels\//);
+    expect(plugin.meta.blurb.trim()).not.toBe("");
+
+    expect(plugin.capabilities.chatTypes.length).toBeGreaterThan(0);
+
+    expect(typeof plugin.config.listAccountIds).toBe("function");
+    expect(typeof plugin.config.resolveAccount).toBe("function");
+  });
+}
+
+type ChannelActionsContractCase = {
+  name: string;
+  cfg: OpenClawConfig;
+  expectedActions: readonly ChannelMessageActionName[];
+  expectedCapabilities?: readonly ChannelMessageCapability[];
+  beforeTest?: () => void;
+};
+
+export function installChannelActionsContractSuite(params: {
+  plugin: Pick<ChannelPlugin, "id" | "actions">;
+  cases: readonly ChannelActionsContractCase[];
+  unsupportedAction?: ChannelMessageActionName;
+}) {
+  it("exposes the base message actions contract", () => {
+    expect(params.plugin.actions).toBeDefined();
+    expect(typeof params.plugin.actions?.listActions).toBe("function");
+  });
+
+  for (const testCase of params.cases) {
+    it(`actions contract: ${testCase.name}`, () => {
+      testCase.beforeTest?.();
+
+      const actions = params.plugin.actions?.listActions?.({ cfg: testCase.cfg }) ?? [];
+      const capabilities = params.plugin.actions?.getCapabilities?.({ cfg: testCase.cfg }) ?? [];
+
+      expect(actions).toEqual([...new Set(actions)]);
+      expect(capabilities).toEqual([...new Set(capabilities)]);
+      expect(sortStrings(actions)).toEqual(sortStrings(testCase.expectedActions));
+      expect(sortStrings(capabilities)).toEqual(sortStrings(testCase.expectedCapabilities ?? []));
+
+      if (params.plugin.actions?.supportsAction) {
+        for (const action of testCase.expectedActions) {
+          expect(params.plugin.actions.supportsAction({ action })).toBe(true);
+        }
+        if (
+          params.unsupportedAction &&
+          !testCase.expectedActions.includes(params.unsupportedAction)
+        ) {
+          expect(params.plugin.actions.supportsAction({ action: params.unsupportedAction })).toBe(
+            false,
+          );
+        }
+      }
+    });
+  }
+}
+
+export function installChannelSurfaceContractSuite(params: {
+  plugin: Pick<
+    ChannelPlugin,
+    | "id"
+    | "actions"
+    | "setup"
+    | "status"
+    | "outbound"
+    | "messaging"
+    | "threading"
+    | "directory"
+    | "gateway"
+  >;
+  surface:
+    | "actions"
+    | "setup"
+    | "status"
+    | "outbound"
+    | "messaging"
+    | "threading"
+    | "directory"
+    | "gateway";
+}) {
+  const { plugin, surface } = params;
+
+  it(`exposes the ${surface} surface contract`, () => {
+    if (surface === "actions") {
+      expect(plugin.actions).toBeDefined();
+      expect(typeof plugin.actions?.listActions).toBe("function");
+      return;
+    }
+
+    if (surface === "setup") {
+      expect(plugin.setup).toBeDefined();
+      expect(typeof plugin.setup?.applyAccountConfig).toBe("function");
+      return;
+    }
+
+    if (surface === "status") {
+      expect(plugin.status).toBeDefined();
+      expect(typeof plugin.status?.buildAccountSnapshot).toBe("function");
+      return;
+    }
+
+    if (surface === "outbound") {
+      const outbound = plugin.outbound;
+      expect(outbound).toBeDefined();
+      expect(["direct", "gateway", "hybrid"]).toContain(outbound?.deliveryMode);
+      expect(
+        [
+          outbound?.sendPayload,
+          outbound?.sendFormattedText,
+          outbound?.sendFormattedMedia,
+          outbound?.sendText,
+          outbound?.sendMedia,
+          outbound?.sendPoll,
+        ].some((value) => typeof value === "function"),
+      ).toBe(true);
+      return;
+    }
+
+    if (surface === "messaging") {
+      const messaging = plugin.messaging;
+      expect(messaging).toBeDefined();
+      expect(
+        [
+          messaging?.normalizeTarget,
+          messaging?.parseExplicitTarget,
+          messaging?.inferTargetChatType,
+          messaging?.buildCrossContextComponents,
+          messaging?.enableInteractiveReplies,
+          messaging?.hasStructuredReplyPayload,
+          messaging?.formatTargetDisplay,
+          messaging?.resolveOutboundSessionRoute,
+        ].some((value) => typeof value === "function"),
+      ).toBe(true);
+      if (messaging?.targetResolver) {
+        if (messaging.targetResolver.looksLikeId) {
+          expect(typeof messaging.targetResolver.looksLikeId).toBe("function");
+        }
+        if (messaging.targetResolver.hint !== undefined) {
+          expect(typeof messaging.targetResolver.hint).toBe("string");
+          expect(messaging.targetResolver.hint.trim()).not.toBe("");
+        }
+        if (messaging.targetResolver.resolveTarget) {
+          expect(typeof messaging.targetResolver.resolveTarget).toBe("function");
+        }
+      }
+      return;
+    }
+
+    if (surface === "threading") {
+      const threading = plugin.threading;
+      expect(threading).toBeDefined();
+      expect(
+        [
+          threading?.resolveReplyToMode,
+          threading?.buildToolContext,
+          threading?.resolveAutoThreadId,
+          threading?.resolveReplyTransport,
+          threading?.resolveFocusedBinding,
+        ].some((value) => typeof value === "function"),
+      ).toBe(true);
+      return;
+    }
+
+    if (surface === "directory") {
+      const directory = plugin.directory;
+      expect(directory).toBeDefined();
+      expect(
+        [
+          directory?.self,
+          directory?.listPeers,
+          directory?.listPeersLive,
+          directory?.listGroups,
+          directory?.listGroupsLive,
+          directory?.listGroupMembers,
+        ].some((value) => typeof value === "function"),
+      ).toBe(true);
+      return;
+    }
+
+    const gateway = plugin.gateway;
+    expect(gateway).toBeDefined();
+    expect(
+      [
+        gateway?.startAccount,
+        gateway?.stopAccount,
+        gateway?.loginWithQrStart,
+        gateway?.loginWithQrWait,
+        gateway?.logoutAccount,
+      ].some((value) => typeof value === "function"),
+    ).toBe(true);
+  });
+}
+
+type ChannelSetupContractCase<ResolvedAccount> = {
+  name: string;
+  cfg: OpenClawConfig;
+  accountId?: string;
+  input: ChannelSetupInput;
+  expectedAccountId?: string;
+  expectedValidation?: string | null;
+  beforeTest?: () => void;
+  assertPatchedConfig?: (cfg: OpenClawConfig) => void;
+  assertResolvedAccount?: (account: ResolvedAccount, cfg: OpenClawConfig) => void;
+};
+
+export function installChannelSetupContractSuite<ResolvedAccount>(params: {
+  plugin: Pick<ChannelPlugin<ResolvedAccount>, "id" | "config" | "setup">;
+  cases: readonly ChannelSetupContractCase<ResolvedAccount>[];
+}) {
+  it("exposes the base setup contract", () => {
+    expect(params.plugin.setup).toBeDefined();
+    expect(typeof params.plugin.setup?.applyAccountConfig).toBe("function");
+  });
+
+  for (const testCase of params.cases) {
+    it(`setup contract: ${testCase.name}`, () => {
+      testCase.beforeTest?.();
+
+      const resolvedAccountId =
+        params.plugin.setup?.resolveAccountId?.({
+          cfg: testCase.cfg,
+          accountId: testCase.accountId,
+          input: testCase.input,
+        }) ??
+        testCase.accountId ??
+        "default";
+
+      expect(resolvedAccountId).toBe(testCase.expectedAccountId ?? resolvedAccountId);
+
+      const validation =
+        params.plugin.setup?.validateInput?.({
+          cfg: testCase.cfg,
+          accountId: resolvedAccountId,
+          input: testCase.input,
+        }) ?? null;
+      expect(validation).toBe(testCase.expectedValidation ?? null);
+
+      const nextCfg = params.plugin.setup?.applyAccountConfig({
+        cfg: testCase.cfg,
+        accountId: resolvedAccountId,
+        input: testCase.input,
+      });
+      expect(nextCfg).toBeDefined();
+
+      const account = params.plugin.config.resolveAccount(nextCfg!, resolvedAccountId);
+      testCase.assertPatchedConfig?.(nextCfg!);
+      testCase.assertResolvedAccount?.(account, nextCfg!);
+    });
+  }
+}
+
+type ChannelStatusContractCase<Probe> = {
+  name: string;
+  cfg: OpenClawConfig;
+  accountId?: string;
+  runtime?: ChannelAccountSnapshot;
+  probe?: Probe;
+  beforeTest?: () => void;
+  expectedState?: ChannelAccountState;
+  resolveStateInput?: {
+    configured: boolean;
+    enabled: boolean;
+  };
+  assertSnapshot?: (snapshot: ChannelAccountSnapshot) => void;
+  assertSummary?: (summary: Record<string, unknown>) => void;
+};
+
+export function installChannelStatusContractSuite<ResolvedAccount, Probe = unknown>(params: {
+  plugin: Pick<ChannelPlugin<ResolvedAccount, Probe>, "id" | "config" | "status">;
+  cases: readonly ChannelStatusContractCase<Probe>[];
+}) {
+  it("exposes the base status contract", () => {
+    expect(params.plugin.status).toBeDefined();
+    expect(typeof params.plugin.status?.buildAccountSnapshot).toBe("function");
+  });
+
+  if (params.plugin.status?.defaultRuntime) {
+    it("status contract: default runtime is shaped like an account snapshot", () => {
+      expect(typeof params.plugin.status?.defaultRuntime?.accountId).toBe("string");
+    });
+  }
+
+  for (const testCase of params.cases) {
+    it(`status contract: ${testCase.name}`, async () => {
+      testCase.beforeTest?.();
+
+      const account = params.plugin.config.resolveAccount(testCase.cfg, testCase.accountId);
+      const snapshot = await params.plugin.status!.buildAccountSnapshot!({
+        account,
+        cfg: testCase.cfg,
+        runtime: testCase.runtime,
+        probe: testCase.probe,
+      });
+
+      expect(typeof snapshot.accountId).toBe("string");
+      expect(snapshot.accountId.trim()).not.toBe("");
+      testCase.assertSnapshot?.(snapshot);
+
+      if (params.plugin.status?.buildChannelSummary) {
+        const defaultAccountId =
+          params.plugin.config.defaultAccountId?.(testCase.cfg) ?? testCase.accountId ?? "default";
+        const summary = await params.plugin.status.buildChannelSummary({
+          account,
+          cfg: testCase.cfg,
+          defaultAccountId,
+          snapshot,
+        });
+        expect(summary).toEqual(expect.any(Object));
+        testCase.assertSummary?.(summary);
+      }
+
+      if (testCase.expectedState && params.plugin.status?.resolveAccountState) {
+        const state = params.plugin.status.resolveAccountState({
+          account,
+          cfg: testCase.cfg,
+          configured: testCase.resolveStateInput?.configured ?? true,
+          enabled: testCase.resolveStateInput?.enabled ?? true,
+        });
+        expect(state).toBe(testCase.expectedState);
+      }
+    });
+  }
+}
+
+type PayloadLike = {
+  mediaUrl?: string;
+  mediaUrls?: string[];
+  text?: string;
+};
+
+type SendResultLike = {
+  messageId: string;
+  [key: string]: unknown;
+};
+
+type ChunkingMode =
+  | {
+      longTextLength: number;
+      maxChunkLength: number;
+      mode: "split";
+    }
+  | {
+      longTextLength: number;
+      mode: "passthrough";
+    };
+
+export function installChannelOutboundPayloadContractSuite(params: {
+  channel: string;
+  chunking: ChunkingMode;
+  createHarness: (params: { payload: PayloadLike; sendResults?: SendResultLike[] }) => {
+    run: () => Promise<Record<string, unknown>>;
+    sendMock: Mock;
+    to: string;
+  };
+}) {
+  it("text-only delegates to sendText", async () => {
+    const { run, sendMock, to } = params.createHarness({
+      payload: { text: "hello" },
+    });
+    const result = await run();
+
+    expect(sendMock).toHaveBeenCalledTimes(1);
+    expect(sendMock).toHaveBeenCalledWith(to, "hello", expect.any(Object));
+    expect(result).toMatchObject({ channel: params.channel });
+  });
+
+  it("single media delegates to sendMedia", async () => {
+    const { run, sendMock, to } = params.createHarness({
+      payload: { text: "cap", mediaUrl: "https://example.com/a.jpg" },
+    });
+    const result = await run();
+
+    expect(sendMock).toHaveBeenCalledTimes(1);
+    expect(sendMock).toHaveBeenCalledWith(
+      to,
+      "cap",
+      expect.objectContaining({ mediaUrl: "https://example.com/a.jpg" }),
+    );
+    expect(result).toMatchObject({ channel: params.channel });
+  });
+
+  it("multi-media iterates URLs with caption on first", async () => {
+    const { run, sendMock, to } = params.createHarness({
+      payload: {
+        text: "caption",
+        mediaUrls: ["https://example.com/1.jpg", "https://example.com/2.jpg"],
+      },
+      sendResults: [{ messageId: "m-1" }, { messageId: "m-2" }],
+    });
+    const result = await run();
+
+    expect(sendMock).toHaveBeenCalledTimes(2);
+    expect(sendMock).toHaveBeenNthCalledWith(
+      1,
+      to,
+      "caption",
+      expect.objectContaining({ mediaUrl: "https://example.com/1.jpg" }),
+    );
+    expect(sendMock).toHaveBeenNthCalledWith(
+      2,
+      to,
+      "",
+      expect.objectContaining({ mediaUrl: "https://example.com/2.jpg" }),
+    );
+    expect(result).toMatchObject({ channel: params.channel, messageId: "m-2" });
+  });
+
+  it("empty payload returns no-op", async () => {
+    const { run, sendMock } = params.createHarness({ payload: {} });
+    const result = await run();
+
+    expect(sendMock).not.toHaveBeenCalled();
+    expect(result).toEqual({ channel: params.channel, messageId: "" });
+  });
+
+  if (params.chunking.mode === "passthrough") {
+    it("text exceeding chunk limit is sent as-is when chunker is null", async () => {
+      const text = "a".repeat(params.chunking.longTextLength);
+      const { run, sendMock, to } = params.createHarness({ payload: { text } });
+      const result = await run();
+
+      expect(sendMock).toHaveBeenCalledTimes(1);
+      expect(sendMock).toHaveBeenCalledWith(to, text, expect.any(Object));
+      expect(result).toMatchObject({ channel: params.channel });
+    });
+    return;
+  }
+
+  const chunking = params.chunking;
+
+  it("chunking splits long text", async () => {
+    const text = "a".repeat(chunking.longTextLength);
+    const { run, sendMock } = params.createHarness({
+      payload: { text },
+      sendResults: [{ messageId: "c-1" }, { messageId: "c-2" }],
+    });
+    const result = await run();
+
+    expect(sendMock.mock.calls.length).toBeGreaterThanOrEqual(2);
+    for (const call of sendMock.mock.calls) {
+      expect((call[1] as string).length).toBeLessThanOrEqual(chunking.maxChunkLength);
+    }
+    expect(result).toMatchObject({ channel: params.channel });
+  });
+}
+
+export function primeChannelOutboundSendMock(
+  sendMock: Mock,
+  fallbackResult: Record<string, unknown>,
+  sendResults: SendResultLike[] = [],
+) {
+  sendMock.mockReset();
+  if (sendResults.length === 0) {
+    sendMock.mockResolvedValue(fallbackResult);
+    return;
+  }
+  for (const result of sendResults) {
+    sendMock.mockResolvedValueOnce(result);
+  }
+}
+
+type RuntimeGroupPolicyResolver = (
+  params: ResolveProviderRuntimeGroupPolicyParams,
+) => RuntimeGroupPolicyResolution;
+
+export function installChannelRuntimeGroupPolicyFallbackSuite(params: {
+  configuredLabel: string;
+  defaultGroupPolicyUnderTest: "allowlist" | "disabled" | "open";
+  missingConfigLabel: string;
+  missingDefaultLabel: string;
+  resolve: RuntimeGroupPolicyResolver;
+}) {
+  it(params.missingConfigLabel, () => {
+    const resolved = params.resolve({
+      providerConfigPresent: false,
+    });
+    expect(resolved.groupPolicy).toBe("allowlist");
+    expect(resolved.providerMissingFallbackApplied).toBe(true);
+  });
+
+  it(params.configuredLabel, () => {
+    const resolved = params.resolve({
+      providerConfigPresent: true,
+    });
+    expect(resolved.groupPolicy).toBe("open");
+    expect(resolved.providerMissingFallbackApplied).toBe(false);
+  });
+
+  it(params.missingDefaultLabel, () => {
+    const resolved = params.resolve({
+      providerConfigPresent: false,
+      defaultGroupPolicy: params.defaultGroupPolicyUnderTest,
+    });
+    expect(resolved.groupPolicy).toBe("allowlist");
+    expect(resolved.providerMissingFallbackApplied).toBe(true);
+  });
+}
+
+export function expectChannelInboundContextContract(ctx: MsgContext) {
+  expect(validateSenderIdentity(ctx)).toEqual([]);
+
+  expect(ctx.Body).toBeTypeOf("string");
+  expect(ctx.BodyForAgent).toBeTypeOf("string");
+  expect(ctx.BodyForCommands).toBeTypeOf("string");
+
+  const chatType = normalizeChatType(ctx.ChatType);
+  if (chatType && chatType !== "direct") {
+    const label = ctx.ConversationLabel?.trim() || resolveConversationLabel(ctx);
+    expect(label).toBeTruthy();
+  }
+}
diff --git a/src/channels/plugins/contracts/surface.contract.test.ts b/src/channels/plugins/contracts/surface.contract.test.ts
new file mode 100644
index 00000000000..6e657bd19fc
--- /dev/null
+++ b/src/channels/plugins/contracts/surface.contract.test.ts
@@ -0,0 +1,14 @@
+import { describe } from "vitest";
+import { surfaceContractRegistry } from "./registry.js";
+import { installChannelSurfaceContractSuite } from "./suites.js";
+
+for (const entry of surfaceContractRegistry) {
+  for (const surface of entry.surfaces) {
+    describe(`${entry.id} ${surface} surface contract`, () => {
+      installChannelSurfaceContractSuite({
+        plugin: entry.plugin,
+        surface,
+      });
+    });
+  }
+}
diff --git a/src/channels/plugins/directory-config.ts b/src/channels/plugins/directory-config.ts
index 45fb8bcf46a..e54889076e8 100644
--- a/src/channels/plugins/directory-config.ts
+++ b/src/channels/plugins/directory-config.ts
@@ -1,12 +1,13 @@
-import { inspectDiscordAccount } from "../../../extensions/discord/src/account-inspect.js";
-import { inspectSlackAccount } from "../../../extensions/slack/src/account-inspect.js";
-import { inspectTelegramAccount } from "../../../extensions/telegram/src/account-inspect.js";
-import { resolveWhatsAppAccount } from "../../../extensions/whatsapp/src/accounts.js";
 import type { OpenClawConfig } from "../../config/types.js";
 import { mapAllowFromEntries } from "../../plugin-sdk/channel-config-helpers.js";
 import { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "../../whatsapp/normalize.js";
+import type { InspectedDiscordAccount } from "../read-only-account-inspect.discord.runtime.js";
+import { inspectReadOnlyChannelAccount } from "../read-only-account-inspect.js";
+import type { InspectedSlackAccount } from "../read-only-account-inspect.slack.runtime.js";
+import type { InspectedTelegramAccount } from "../read-only-account-inspect.telegram.runtime.js";
 import { applyDirectoryQueryAndLimit, toDirectoryEntries } from "./directory-config-helpers.js";
 import { normalizeSlackMessagingTarget } from "./normalize/slack.js";
+import { getChannelPlugin } from "./registry.js";
 import type { ChannelDirectoryEntry } from "./types.js";
 
 export type DirectoryConfigParams = {
@@ -58,7 +59,14 @@ function normalizeTrimmedSet(
 export async function listSlackDirectoryPeersFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = inspectSlackAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = (await inspectReadOnlyChannelAccount({
+    channelId: "slack",
+    cfg: params.cfg,
+    accountId: params.accountId,
+  })) as InspectedSlackAccount | null;
+  if (!account || !("config" in account)) {
+    return [];
+  }
   const ids = new Set<string>();
 
   addAllowFromAndDmsIds(ids, account.config.allowFrom ?? account.dm?.allowFrom, account.config.dms);
@@ -81,7 +89,14 @@ export async function listSlackDirectoryPeersFromConfig(
 export async function listSlackDirectoryGroupsFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = inspectSlackAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = (await inspectReadOnlyChannelAccount({
+    channelId: "slack",
+    cfg: params.cfg,
+    accountId: params.accountId,
+  })) as InspectedSlackAccount | null;
+  if (!account || !("config" in account)) {
+    return [];
+  }
   const ids = Object.keys(account.config.channels ?? {})
     .map((raw) => raw.trim())
     .filter(Boolean)
@@ -93,7 +108,14 @@ export async function listSlackDirectoryGroupsFromConfig(
 export async function listDiscordDirectoryPeersFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = inspectDiscordAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = (await inspectReadOnlyChannelAccount({
+    channelId: "discord",
+    cfg: params.cfg,
+    accountId: params.accountId,
+  })) as InspectedDiscordAccount | null;
+  if (!account || !("config" in account)) {
+    return [];
+  }
   const ids = new Set<string>();
 
   addAllowFromAndDmsIds(
@@ -122,7 +144,14 @@ export async function listDiscordDirectoryPeersFromConfig(
 export async function listDiscordDirectoryGroupsFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = inspectDiscordAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = (await inspectReadOnlyChannelAccount({
+    channelId: "discord",
+    cfg: params.cfg,
+    accountId: params.accountId,
+  })) as InspectedDiscordAccount | null;
+  if (!account || !("config" in account)) {
+    return [];
+  }
   const ids = new Set<string>();
   for (const guild of Object.values(account.config.guilds ?? {})) {
     addTrimmedEntries(ids, Object.keys(guild.channels ?? {}));
@@ -142,7 +171,14 @@ export async function listDiscordDirectoryGroupsFromConfig(
 export async function listTelegramDirectoryPeersFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = inspectTelegramAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = (await inspectReadOnlyChannelAccount({
+    channelId: "telegram",
+    cfg: params.cfg,
+    accountId: params.accountId,
+  })) as InspectedTelegramAccount | null;
+  if (!account || !("config" in account)) {
+    return [];
+  }
   const raw = [
     ...mapAllowFromEntries(account.config.allowFrom),
     ...Object.keys(account.config.dms ?? {}),
@@ -173,7 +209,14 @@ export async function listTelegramDirectoryPeersFromConfig(
 export async function listTelegramDirectoryGroupsFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = inspectTelegramAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = (await inspectReadOnlyChannelAccount({
+    channelId: "telegram",
+    cfg: params.cfg,
+    accountId: params.accountId,
+  })) as InspectedTelegramAccount | null;
+  if (!account || !("config" in account)) {
+    return [];
+  }
   const ids = Object.keys(account.config.groups ?? {})
     .map((id) => id.trim())
     .filter((id) => Boolean(id) && id !== "*");
@@ -183,9 +226,15 @@ export async function listTelegramDirectoryGroupsFromConfig(
 export async function listWhatsAppDirectoryPeersFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = resolveWhatsAppAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = getChannelPlugin("whatsapp")?.config.resolveAccount(
+    params.cfg,
+    params.accountId,
+  ) as { allowFrom?: unknown[] } | null | undefined;
+  if (!account || typeof account !== "object") {
+    return [];
+  }
   const ids = (account.allowFrom ?? [])
-    .map((entry) => String(entry).trim())
+    .map((entry: unknown) => String(entry).trim())
     .filter((entry) => Boolean(entry) && entry !== "*")
     .map((entry) => normalizeWhatsAppTarget(entry) ?? "")
     .filter(Boolean)
@@ -196,7 +245,13 @@ export async function listWhatsAppDirectoryPeersFromConfig(
 export async function listWhatsAppDirectoryGroupsFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = resolveWhatsAppAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = getChannelPlugin("whatsapp")?.config.resolveAccount(
+    params.cfg,
+    params.accountId,
+  ) as { groups?: Record<string, unknown> } | null | undefined;
+  if (!account || typeof account !== "object") {
+    return [];
+  }
   const ids = Object.keys(account.groups ?? {})
     .map((id) => id.trim())
     .filter((id) => Boolean(id) && id !== "*");
diff --git a/src/channels/plugins/exec-approval-local.ts b/src/channels/plugins/exec-approval-local.ts
new file mode 100644
index 00000000000..0f4f409e0ae
--- /dev/null
+++ b/src/channels/plugins/exec-approval-local.ts
@@ -0,0 +1,22 @@
+import type { ReplyPayload } from "../../auto-reply/types.js";
+import type { OpenClawConfig } from "../../config/config.js";
+import { getChannelPlugin, normalizeChannelId } from "./registry.js";
+
+export function shouldSuppressLocalExecApprovalPrompt(params: {
+  channel?: string | null;
+  cfg: OpenClawConfig;
+  accountId?: string | null;
+  payload: ReplyPayload;
+}): boolean {
+  const channel = params.channel ? normalizeChannelId(params.channel) : null;
+  if (!channel) {
+    return false;
+  }
+  return (
+    getChannelPlugin(channel)?.execApprovals?.shouldSuppressLocalPrompt?.({
+      cfg: params.cfg,
+      accountId: params.accountId,
+      payload: params.payload,
+    }) ?? false
+  );
+}
diff --git a/src/channels/plugins/group-mentions.ts b/src/channels/plugins/group-mentions.ts
index 4dac8bbc7f2..94079daed04 100644
--- a/src/channels/plugins/group-mentions.ts
+++ b/src/channels/plugins/group-mentions.ts
@@ -1,4 +1,3 @@
-import { inspectSlackAccount } from "../../../extensions/slack/src/account-inspect.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import {
   resolveChannelGroupRequireMention,
@@ -11,6 +10,7 @@ import type {
   GroupToolPolicyConfig,
 } from "../../config/types.tools.js";
 import { resolveExactLineGroupConfigKey } from "../../line/group-keys.js";
+import { inspectSlackAccount } from "../../plugin-sdk-internal/slack.js";
 import { normalizeAtHashSlug, normalizeHyphenSlug } from "../../shared/string-normalization.js";
 import type { ChannelGroupContext } from "./types.js";
 
diff --git a/src/channels/plugins/index.ts b/src/channels/plugins/index.ts
index 43b0aa99452..d7c91248109 100644
--- a/src/channels/plugins/index.ts
+++ b/src/channels/plugins/index.ts
@@ -1,93 +1,4 @@
-import {
-  getActivePluginRegistryVersion,
-  requireActivePluginRegistry,
-} from "../../plugins/runtime.js";
-import { CHAT_CHANNEL_ORDER, type ChatChannelId, normalizeAnyChannelId } from "../registry.js";
-import type { ChannelId, ChannelPlugin } from "./types.js";
-
-// Channel plugins registry (runtime).
-//
-// This module is intentionally "heavy" (plugins may import channel monitors, web login, etc).
-// Shared code paths (reply flow, command auth, sandbox explain) should depend on `src/channels/dock.ts`
-// instead, and only call `getChannelPlugin()` at execution boundaries.
-//
-function dedupeChannels(channels: ChannelPlugin[]): ChannelPlugin[] {
-  const seen = new Set<string>();
-  const resolved: ChannelPlugin[] = [];
-  for (const plugin of channels) {
-    const id = String(plugin.id).trim();
-    if (!id || seen.has(id)) {
-      continue;
-    }
-    seen.add(id);
-    resolved.push(plugin);
-  }
-  return resolved;
-}
-
-type CachedChannelPlugins = {
-  registryVersion: number;
-  sorted: ChannelPlugin[];
-  byId: Map<string, ChannelPlugin>;
-};
-
-const EMPTY_CHANNEL_PLUGIN_CACHE: CachedChannelPlugins = {
-  registryVersion: -1,
-  sorted: [],
-  byId: new Map(),
-};
-
-let cachedChannelPlugins = EMPTY_CHANNEL_PLUGIN_CACHE;
-
-function resolveCachedChannelPlugins(): CachedChannelPlugins {
-  const registry = requireActivePluginRegistry();
-  const registryVersion = getActivePluginRegistryVersion();
-  const cached = cachedChannelPlugins;
-  if (cached.registryVersion === registryVersion) {
-    return cached;
-  }
-
-  const sorted = dedupeChannels(registry.channels.map((entry) => entry.plugin)).toSorted((a, b) => {
-    const indexA = CHAT_CHANNEL_ORDER.indexOf(a.id as ChatChannelId);
-    const indexB = CHAT_CHANNEL_ORDER.indexOf(b.id as ChatChannelId);
-    const orderA = a.meta.order ?? (indexA === -1 ? 999 : indexA);
-    const orderB = b.meta.order ?? (indexB === -1 ? 999 : indexB);
-    if (orderA !== orderB) {
-      return orderA - orderB;
-    }
-    return a.id.localeCompare(b.id);
-  });
-  const byId = new Map<string, ChannelPlugin>();
-  for (const plugin of sorted) {
-    byId.set(plugin.id, plugin);
-  }
-
-  const next: CachedChannelPlugins = {
-    registryVersion,
-    sorted,
-    byId,
-  };
-  cachedChannelPlugins = next;
-  return next;
-}
-
-export function listChannelPlugins(): ChannelPlugin[] {
-  return resolveCachedChannelPlugins().sorted.slice();
-}
-
-export function getChannelPlugin(id: ChannelId): ChannelPlugin | undefined {
-  const resolvedId = String(id).trim();
-  if (!resolvedId) {
-    return undefined;
-  }
-  return resolveCachedChannelPlugins().byId.get(resolvedId);
-}
-
-export function normalizeChannelId(raw?: string | null): ChannelId | null {
-  // Channel docking: keep input normalization centralized in src/channels/registry.ts.
-  // Plugin registry must be initialized before calling.
-  return normalizeAnyChannelId(raw);
-}
+export { getChannelPlugin, listChannelPlugins, normalizeChannelId } from "./registry.js";
 export {
   listDiscordDirectoryGroupsFromConfig,
   listDiscordDirectoryPeersFromConfig,
diff --git a/src/channels/plugins/message-action-names.ts b/src/channels/plugins/message-action-names.ts
index 809d239be2c..aadff95c77d 100644
--- a/src/channels/plugins/message-action-names.ts
+++ b/src/channels/plugins/message-action-names.ts
@@ -44,6 +44,7 @@ export const CHANNEL_MESSAGE_ACTION_NAMES = [
   "category-edit",
   "category-delete",
   "topic-create",
+  "topic-edit",
   "voice-status",
   "event-list",
   "event-create",
diff --git a/src/channels/plugins/message-actions.security.test.ts b/src/channels/plugins/message-actions.security.test.ts
index 1dbd19de3e0..b8b62afdecd 100644
--- a/src/channels/plugins/message-actions.security.test.ts
+++ b/src/channels/plugins/message-actions.security.test.ts
@@ -25,6 +25,8 @@ const discordPlugin: ChannelPlugin = {
   actions: {
     listActions: () => ["kick"],
     supportsAction: ({ action }) => action === "kick",
+    requiresTrustedRequesterSender: ({ action, toolContext }) =>
+      Boolean(action === "kick" && toolContext),
     handleAction,
   },
 };
diff --git a/src/channels/plugins/message-actions.test.ts b/src/channels/plugins/message-actions.test.ts
index 6a292463b05..92af406e2f1 100644
--- a/src/channels/plugins/message-actions.test.ts
+++ b/src/channels/plugins/message-actions.test.ts
@@ -6,19 +6,19 @@ import {
   createTestRegistry,
 } from "../../test-utils/channel-plugins.js";
 import {
-  supportsChannelMessageButtons,
-  supportsChannelMessageButtonsForChannel,
-  supportsChannelMessageCards,
-  supportsChannelMessageCardsForChannel,
+  channelSupportsMessageCapability,
+  channelSupportsMessageCapabilityForChannel,
+  listChannelMessageCapabilities,
+  listChannelMessageCapabilitiesForChannel,
 } from "./message-actions.js";
+import type { ChannelMessageCapability } from "./message-capabilities.js";
 import type { ChannelPlugin } from "./types.js";
 
 const emptyRegistry = createTestRegistry([]);
 
 function createMessageActionsPlugin(params: {
   id: "discord" | "telegram";
-  supportsButtons: boolean;
-  supportsCards: boolean;
+  capabilities: readonly ChannelMessageCapability[];
 }): ChannelPlugin {
   return {
     ...createChannelTestPluginBase({
@@ -31,22 +31,19 @@ function createMessageActionsPlugin(params: {
     }),
     actions: {
       listActions: () => ["send"],
-      supportsButtons: () => params.supportsButtons,
-      supportsCards: () => params.supportsCards,
+      getCapabilities: () => params.capabilities,
     },
   };
 }
 
 const buttonsPlugin = createMessageActionsPlugin({
   id: "discord",
-  supportsButtons: true,
-  supportsCards: false,
+  capabilities: ["interactive", "buttons"],
 });
 
 const cardsPlugin = createMessageActionsPlugin({
   id: "telegram",
-  supportsButtons: false,
-  supportsCards: true,
+  capabilities: ["cards"],
 });
 
 function activateMessageActionTestRegistry() {
@@ -63,25 +60,66 @@ describe("message action capability checks", () => {
     setActivePluginRegistry(emptyRegistry);
   });
 
-  it("aggregates buttons/card support across plugins", () => {
+  it("aggregates capabilities across plugins", () => {
     activateMessageActionTestRegistry();
 
-    expect(supportsChannelMessageButtons({} as OpenClawConfig)).toBe(true);
-    expect(supportsChannelMessageCards({} as OpenClawConfig)).toBe(true);
+    expect(listChannelMessageCapabilities({} as OpenClawConfig).toSorted()).toEqual([
+      "buttons",
+      "cards",
+      "interactive",
+    ]);
+    expect(channelSupportsMessageCapability({} as OpenClawConfig, "interactive")).toBe(true);
+    expect(channelSupportsMessageCapability({} as OpenClawConfig, "buttons")).toBe(true);
+    expect(channelSupportsMessageCapability({} as OpenClawConfig, "cards")).toBe(true);
   });
 
   it("checks per-channel capabilities", () => {
     activateMessageActionTestRegistry();
 
     expect(
-      supportsChannelMessageButtonsForChannel({ cfg: {} as OpenClawConfig, channel: "discord" }),
+      listChannelMessageCapabilitiesForChannel({
+        cfg: {} as OpenClawConfig,
+        channel: "discord",
+      }),
+    ).toEqual(["interactive", "buttons"]);
+    expect(
+      listChannelMessageCapabilitiesForChannel({
+        cfg: {} as OpenClawConfig,
+        channel: "telegram",
+      }),
+    ).toEqual(["cards"]);
+    expect(
+      channelSupportsMessageCapabilityForChannel(
+        { cfg: {} as OpenClawConfig, channel: "discord" },
+        "interactive",
+      ),
     ).toBe(true);
     expect(
-      supportsChannelMessageButtonsForChannel({ cfg: {} as OpenClawConfig, channel: "telegram" }),
+      channelSupportsMessageCapabilityForChannel(
+        { cfg: {} as OpenClawConfig, channel: "telegram" },
+        "interactive",
+      ),
     ).toBe(false);
     expect(
-      supportsChannelMessageCardsForChannel({ cfg: {} as OpenClawConfig, channel: "telegram" }),
+      channelSupportsMessageCapabilityForChannel(
+        { cfg: {} as OpenClawConfig, channel: "discord" },
+        "buttons",
+      ),
     ).toBe(true);
-    expect(supportsChannelMessageCardsForChannel({ cfg: {} as OpenClawConfig })).toBe(false);
+    expect(
+      channelSupportsMessageCapabilityForChannel(
+        { cfg: {} as OpenClawConfig, channel: "telegram" },
+        "buttons",
+      ),
+    ).toBe(false);
+    expect(
+      channelSupportsMessageCapabilityForChannel(
+        { cfg: {} as OpenClawConfig, channel: "telegram" },
+        "cards",
+      ),
+    ).toBe(true);
+    expect(channelSupportsMessageCapabilityForChannel({ cfg: {} as OpenClawConfig }, "cards")).toBe(
+      false,
+    );
   });
 });
diff --git a/src/channels/plugins/message-actions.ts b/src/channels/plugins/message-actions.ts
index a7b8e6aa5e8..506f2204493 100644
--- a/src/channels/plugins/message-actions.ts
+++ b/src/channels/plugins/message-actions.ts
@@ -1,19 +1,19 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
 import type { OpenClawConfig } from "../../config/config.js";
 import { getChannelPlugin, listChannelPlugins } from "./index.js";
+import type { ChannelMessageCapability } from "./message-capabilities.js";
 import type { ChannelMessageActionContext, ChannelMessageActionName } from "./types.js";
 
-const trustedRequesterRequiredByChannel: Readonly<
-  Partial<Record<string, ReadonlySet<ChannelMessageActionName>>>
-> = {
-  discord: new Set<ChannelMessageActionName>(["timeout", "kick", "ban"]),
-};
-
 type ChannelActions = NonNullable<NonNullable<ReturnType<typeof getChannelPlugin>>["actions"]>;
 
 function requiresTrustedRequesterSender(ctx: ChannelMessageActionContext): boolean {
-  const actions = trustedRequesterRequiredByChannel[ctx.channel];
-  return Boolean(actions?.has(ctx.action) && ctx.toolContext);
+  const plugin = getChannelPlugin(ctx.channel);
+  return Boolean(
+    plugin?.actions?.requiresTrustedRequesterSender?.({
+      action: ctx.action,
+      toolContext: ctx.toolContext,
+    }),
+  );
 }
 
 export function listChannelMessageActions(cfg: OpenClawConfig): ChannelMessageActionName[] {
@@ -30,58 +30,52 @@ export function listChannelMessageActions(cfg: OpenClawConfig): ChannelMessageAc
   return Array.from(actions);
 }
 
-export function supportsChannelMessageButtons(cfg: OpenClawConfig): boolean {
-  return supportsMessageFeature(cfg, (actions) => actions?.supportsButtons?.({ cfg }) === true);
-}
-
-export function supportsChannelMessageButtonsForChannel(params: {
-  cfg: OpenClawConfig;
-  channel?: string;
-}): boolean {
-  return supportsMessageFeatureForChannel(
-    params,
-    (actions) => actions.supportsButtons?.(params) === true,
-  );
-}
-
-export function supportsChannelMessageCards(cfg: OpenClawConfig): boolean {
-  return supportsMessageFeature(cfg, (actions) => actions?.supportsCards?.({ cfg }) === true);
-}
-
-export function supportsChannelMessageCardsForChannel(params: {
-  cfg: OpenClawConfig;
-  channel?: string;
-}): boolean {
-  return supportsMessageFeatureForChannel(
-    params,
-    (actions) => actions.supportsCards?.(params) === true,
-  );
-}
-
-function supportsMessageFeature(
+function listCapabilities(
+  actions: ChannelActions,
   cfg: OpenClawConfig,
-  check: (actions: ChannelActions) => boolean,
-): boolean {
+): readonly ChannelMessageCapability[] {
+  return actions.getCapabilities?.({ cfg }) ?? [];
+}
+
+export function listChannelMessageCapabilities(cfg: OpenClawConfig): ChannelMessageCapability[] {
+  const capabilities = new Set<ChannelMessageCapability>();
   for (const plugin of listChannelPlugins()) {
-    if (plugin.actions && check(plugin.actions)) {
-      return true;
+    if (!plugin.actions) {
+      continue;
+    }
+    for (const capability of listCapabilities(plugin.actions, cfg)) {
+      capabilities.add(capability);
     }
   }
-  return false;
+  return Array.from(capabilities);
 }
 
-function supportsMessageFeatureForChannel(
+export function listChannelMessageCapabilitiesForChannel(params: {
+  cfg: OpenClawConfig;
+  channel?: string;
+}): ChannelMessageCapability[] {
+  if (!params.channel) {
+    return [];
+  }
+  const plugin = getChannelPlugin(params.channel as Parameters<typeof getChannelPlugin>[0]);
+  return plugin?.actions ? Array.from(listCapabilities(plugin.actions, params.cfg)) : [];
+}
+
+export function channelSupportsMessageCapability(
+  cfg: OpenClawConfig,
+  capability: ChannelMessageCapability,
+): boolean {
+  return listChannelMessageCapabilities(cfg).includes(capability);
+}
+
+export function channelSupportsMessageCapabilityForChannel(
   params: {
     cfg: OpenClawConfig;
     channel?: string;
   },
-  check: (actions: ChannelActions) => boolean,
+  capability: ChannelMessageCapability,
 ): boolean {
-  if (!params.channel) {
-    return false;
-  }
-  const plugin = getChannelPlugin(params.channel as Parameters<typeof getChannelPlugin>[0]);
-  return plugin?.actions ? check(plugin.actions) : false;
+  return listChannelMessageCapabilitiesForChannel(params).includes(capability);
 }
 
 export async function dispatchChannelMessageAction(
diff --git a/src/channels/plugins/message-capabilities.ts b/src/channels/plugins/message-capabilities.ts
new file mode 100644
index 00000000000..b7c2abd2a24
--- /dev/null
+++ b/src/channels/plugins/message-capabilities.ts
@@ -0,0 +1,9 @@
+export const CHANNEL_MESSAGE_CAPABILITIES = [
+  "interactive",
+  "buttons",
+  "cards",
+  "components",
+  "blocks",
+] as const;
+
+export type ChannelMessageCapability = (typeof CHANNEL_MESSAGE_CAPABILITIES)[number];
diff --git a/src/channels/plugins/message-capability-matrix.test.ts b/src/channels/plugins/message-capability-matrix.test.ts
new file mode 100644
index 00000000000..b8d289aa56b
--- /dev/null
+++ b/src/channels/plugins/message-capability-matrix.test.ts
@@ -0,0 +1,175 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import type { OpenClawConfig } from "../../config/config.js";
+
+const telegramGetCapabilitiesMock = vi.fn();
+const discordGetCapabilitiesMock = vi.fn();
+
+vi.mock("../../../extensions/telegram/src/runtime.js", () => ({
+  getTelegramRuntime: () => ({
+    channel: {
+      telegram: {
+        messageActions: {
+          getCapabilities: telegramGetCapabilitiesMock,
+        },
+      },
+    },
+  }),
+}));
+
+vi.mock("../../../extensions/discord/src/runtime.js", () => ({
+  getDiscordRuntime: () => ({
+    channel: {
+      discord: {
+        messageActions: {
+          getCapabilities: discordGetCapabilitiesMock,
+        },
+      },
+    },
+  }),
+}));
+
+const { slackPlugin } = await import("../../../extensions/slack/src/channel.js");
+const { telegramPlugin } = await import("../../../extensions/telegram/src/channel.js");
+const { discordPlugin } = await import("../../../extensions/discord/src/channel.js");
+const { mattermostPlugin } = await import("../../../extensions/mattermost/src/channel.js");
+const { feishuPlugin } = await import("../../../extensions/feishu/src/channel.js");
+const { msteamsPlugin } = await import("../../../extensions/msteams/src/channel.js");
+const { zaloPlugin } = await import("../../../extensions/zalo/src/channel.js");
+
+describe("channel action capability matrix", () => {
+  afterEach(() => {
+    telegramGetCapabilitiesMock.mockReset();
+    discordGetCapabilitiesMock.mockReset();
+  });
+
+  it("exposes Slack blocks by default and interactive when enabled", () => {
+    const baseCfg = {
+      channels: {
+        slack: {
+          botToken: "xoxb-test",
+          appToken: "xapp-test",
+        },
+      },
+    } as OpenClawConfig;
+    const interactiveCfg = {
+      channels: {
+        slack: {
+          botToken: "xoxb-test",
+          appToken: "xapp-test",
+          capabilities: { interactiveReplies: true },
+        },
+      },
+    } as OpenClawConfig;
+
+    expect(slackPlugin.actions?.getCapabilities?.({ cfg: baseCfg })).toEqual(["blocks"]);
+    expect(slackPlugin.actions?.getCapabilities?.({ cfg: interactiveCfg })).toEqual([
+      "blocks",
+      "interactive",
+    ]);
+  });
+
+  it("forwards Telegram action capabilities through the channel wrapper", () => {
+    telegramGetCapabilitiesMock.mockReturnValue(["interactive", "buttons"]);
+
+    const result = telegramPlugin.actions?.getCapabilities?.({ cfg: {} as OpenClawConfig });
+
+    expect(result).toEqual(["interactive", "buttons"]);
+    expect(telegramGetCapabilitiesMock).toHaveBeenCalledWith({ cfg: {} });
+  });
+
+  it("forwards Discord action capabilities through the channel wrapper", () => {
+    discordGetCapabilitiesMock.mockReturnValue(["interactive", "components"]);
+
+    const result = discordPlugin.actions?.getCapabilities?.({ cfg: {} as OpenClawConfig });
+
+    expect(result).toEqual(["interactive", "components"]);
+    expect(discordGetCapabilitiesMock).toHaveBeenCalledWith({ cfg: {} });
+  });
+
+  it("exposes Mattermost buttons only when an account is configured", () => {
+    const configuredCfg = {
+      channels: {
+        mattermost: {
+          enabled: true,
+          botToken: "mm-token",
+          baseUrl: "https://chat.example.com",
+        },
+      },
+    } as OpenClawConfig;
+    const unconfiguredCfg = {
+      channels: {
+        mattermost: {
+          enabled: true,
+        },
+      },
+    } as OpenClawConfig;
+
+    expect(mattermostPlugin.actions?.getCapabilities?.({ cfg: configuredCfg })).toEqual([
+      "buttons",
+    ]);
+    expect(mattermostPlugin.actions?.getCapabilities?.({ cfg: unconfiguredCfg })).toEqual([]);
+  });
+
+  it("exposes Feishu cards only when credentials are configured", () => {
+    const configuredCfg = {
+      channels: {
+        feishu: {
+          enabled: true,
+          appId: "cli_a",
+          appSecret: "secret",
+        },
+      },
+    } as OpenClawConfig;
+    const disabledCfg = {
+      channels: {
+        feishu: {
+          enabled: false,
+          appId: "cli_a",
+          appSecret: "secret",
+        },
+      },
+    } as OpenClawConfig;
+
+    expect(feishuPlugin.actions?.getCapabilities?.({ cfg: configuredCfg })).toEqual(["cards"]);
+    expect(feishuPlugin.actions?.getCapabilities?.({ cfg: disabledCfg })).toEqual([]);
+  });
+
+  it("exposes MSTeams cards only when credentials are configured", () => {
+    const configuredCfg = {
+      channels: {
+        msteams: {
+          enabled: true,
+          tenantId: "tenant",
+          appId: "app",
+          appPassword: "secret",
+        },
+      },
+    } as OpenClawConfig;
+    const disabledCfg = {
+      channels: {
+        msteams: {
+          enabled: false,
+          tenantId: "tenant",
+          appId: "app",
+          appPassword: "secret",
+        },
+      },
+    } as OpenClawConfig;
+
+    expect(msteamsPlugin.actions?.getCapabilities?.({ cfg: configuredCfg })).toEqual(["cards"]);
+    expect(msteamsPlugin.actions?.getCapabilities?.({ cfg: disabledCfg })).toEqual([]);
+  });
+
+  it("keeps Zalo actions on the empty capability set", () => {
+    const cfg = {
+      channels: {
+        zalo: {
+          enabled: true,
+          botToken: "zl-token",
+        },
+      },
+    } as OpenClawConfig;
+
+    expect(zaloPlugin.actions?.getCapabilities?.({ cfg })).toEqual([]);
+  });
+});
diff --git a/src/channels/plugins/normalize/discord.ts b/src/channels/plugins/normalize/discord.ts
deleted file mode 100644
index e4fcc4e9c00..00000000000
--- a/src/channels/plugins/normalize/discord.ts
+++ /dev/null
@@ -1,2 +0,0 @@
-// Shim: re-exports from extension
-export * from "../../../../extensions/discord/src/normalize.js";
diff --git a/src/channels/plugins/normalize/imessage.ts b/src/channels/plugins/normalize/imessage.ts
index 3b9ecbe1837..a6043632121 100644
--- a/src/channels/plugins/normalize/imessage.ts
+++ b/src/channels/plugins/normalize/imessage.ts
@@ -1,4 +1,4 @@
-import { normalizeIMessageHandle } from "../../../../extensions/imessage/src/targets.js";
+import { normalizeIMessageHandle } from "../../../plugin-sdk/imessage-targets.js";
 import { looksLikeHandleOrPhoneTarget, trimMessagingTarget } from "./shared.js";
 
 // Service prefixes that indicate explicit delivery method; must be preserved during normalization
diff --git a/src/channels/plugins/normalize/slack.ts b/src/channels/plugins/normalize/slack.ts
index 52d4c905342..50e31a0feee 100644
--- a/src/channels/plugins/normalize/slack.ts
+++ b/src/channels/plugins/normalize/slack.ts
@@ -1,4 +1,4 @@
-import { parseSlackTarget } from "../../../../extensions/slack/src/targets.js";
+import { parseSlackTarget } from "../../../plugin-sdk/slack-targets.js";
 
 export function normalizeSlackMessagingTarget(raw: string): string | undefined {
   const target = parseSlackTarget(raw, { defaultKind: "channel" });
diff --git a/src/channels/plugins/normalize/telegram.ts b/src/channels/plugins/normalize/telegram.ts
deleted file mode 100644
index ab3971ff32b..00000000000
--- a/src/channels/plugins/normalize/telegram.ts
+++ /dev/null
@@ -1 +0,0 @@
-export * from "../../../../extensions/telegram/src/normalize.js";
diff --git a/src/channels/plugins/normalize/whatsapp.ts b/src/channels/plugins/normalize/whatsapp.ts
index 1e464489818..edff8bfe5e1 100644
--- a/src/channels/plugins/normalize/whatsapp.ts
+++ b/src/channels/plugins/normalize/whatsapp.ts
@@ -1,2 +1,25 @@
-// Shim: re-exports from extensions/whatsapp/src/normalize.ts
-export * from "../../../../extensions/whatsapp/src/normalize.js";
+import { normalizeWhatsAppTarget } from "../../../whatsapp/normalize.js";
+import { looksLikeHandleOrPhoneTarget, trimMessagingTarget } from "./shared.js";
+
+export function normalizeWhatsAppMessagingTarget(raw: string): string | undefined {
+  const trimmed = trimMessagingTarget(raw);
+  if (!trimmed) {
+    return undefined;
+  }
+  return normalizeWhatsAppTarget(trimmed) ?? undefined;
+}
+
+export function normalizeWhatsAppAllowFromEntries(allowFrom: Array<string | number>): string[] {
+  return allowFrom
+    .map((entry) => String(entry).trim())
+    .filter((entry): entry is string => Boolean(entry))
+    .map((entry) => (entry === "*" ? entry : normalizeWhatsAppTarget(entry)))
+    .filter((entry): entry is string => Boolean(entry));
+}
+
+export function looksLikeWhatsAppTargetId(raw: string): boolean {
+  return looksLikeHandleOrPhoneTarget({
+    raw,
+    prefixPattern: /^whatsapp:/i,
+  });
+}
diff --git a/src/channels/plugins/outbound/direct-text-media.sendpayload.test.ts b/src/channels/plugins/outbound/direct-text-media.sendpayload.test.ts
deleted file mode 100644
index 42971f1e89c..00000000000
--- a/src/channels/plugins/outbound/direct-text-media.sendpayload.test.ts
+++ /dev/null
@@ -1,47 +0,0 @@
-import { describe, vi } from "vitest";
-import type { ReplyPayload } from "../../../auto-reply/types.js";
-import {
-  installSendPayloadContractSuite,
-  primeSendMock,
-} from "../../../test-utils/send-payload-contract.js";
-import { createDirectTextMediaOutbound } from "./direct-text-media.js";
-
-function createDirectHarness(params: {
-  payload: ReplyPayload;
-  sendResults?: Array<{ messageId: string }>;
-}) {
-  const sendFn = vi.fn();
-  primeSendMock(sendFn, { messageId: "m1" }, params.sendResults);
-  const outbound = createDirectTextMediaOutbound({
-    channel: "imessage",
-    resolveSender: () => sendFn,
-    resolveMaxBytes: () => undefined,
-    buildTextOptions: (opts) => opts as never,
-    buildMediaOptions: (opts) => opts as never,
-  });
-  return { outbound, sendFn };
-}
-
-function baseCtx(payload: ReplyPayload) {
-  return {
-    cfg: {},
-    to: "user1",
-    text: "",
-    payload,
-  };
-}
-
-describe("createDirectTextMediaOutbound sendPayload", () => {
-  installSendPayloadContractSuite({
-    channel: "imessage",
-    chunking: { mode: "split", longTextLength: 5000, maxChunkLength: 4000 },
-    createHarness: ({ payload, sendResults }) => {
-      const { outbound, sendFn } = createDirectHarness({ payload, sendResults });
-      return {
-        run: async () => await outbound.sendPayload!(baseCtx(payload)),
-        sendMock: sendFn,
-        to: "user1",
-      };
-    },
-  });
-});
diff --git a/src/channels/plugins/outbound/discord.ts b/src/channels/plugins/outbound/discord.ts
deleted file mode 100644
index 5b2126b8fcc..00000000000
--- a/src/channels/plugins/outbound/discord.ts
+++ /dev/null
@@ -1,2 +0,0 @@
-// Shim: re-exports from extension
-export * from "../../../../extensions/discord/src/outbound-adapter.js";
diff --git a/src/channels/plugins/outbound/imessage.test.ts b/src/channels/plugins/outbound/imessage.test.ts
index b42b5a954c8..04c68a94f82 100644
--- a/src/channels/plugins/outbound/imessage.test.ts
+++ b/src/channels/plugins/outbound/imessage.test.ts
@@ -1,6 +1,6 @@
 import { describe, expect, it, vi } from "vitest";
+import { imessageOutbound } from "../../../../test/channel-outbounds.js";
 import type { OpenClawConfig } from "../../../config/config.js";
-import { imessageOutbound } from "./imessage.js";
 
 describe("imessageOutbound", () => {
   const cfg: OpenClawConfig = {
diff --git a/src/channels/plugins/outbound/interactive.test.ts b/src/channels/plugins/outbound/interactive.test.ts
new file mode 100644
index 00000000000..8cc2e44c1ec
--- /dev/null
+++ b/src/channels/plugins/outbound/interactive.test.ts
@@ -0,0 +1,27 @@
+import { describe, expect, it } from "vitest";
+import { reduceInteractiveReply } from "./interactive.js";
+
+describe("reduceInteractiveReply", () => {
+  it("walks authored blocks in order", () => {
+    const order = reduceInteractiveReply(
+      {
+        blocks: [
+          { type: "text", text: "first" },
+          { type: "buttons", buttons: [{ label: "Retry", value: "retry" }] },
+          { type: "select", options: [{ label: "Alpha", value: "alpha" }] },
+        ],
+      },
+      [] as string[],
+      (state, block) => {
+        state.push(block.type);
+        return state;
+      },
+    );
+
+    expect(order).toEqual(["text", "buttons", "select"]);
+  });
+
+  it("returns the initial state when interactive payload is missing", () => {
+    expect(reduceInteractiveReply(undefined, 3, (value) => value + 1)).toBe(3);
+  });
+});
diff --git a/src/channels/plugins/outbound/interactive.ts b/src/channels/plugins/outbound/interactive.ts
new file mode 100644
index 00000000000..6a5cdacb0ce
--- /dev/null
+++ b/src/channels/plugins/outbound/interactive.ts
@@ -0,0 +1,13 @@
+import type { InteractiveReply, InteractiveReplyBlock } from "../../../interactive/payload.js";
+
+export function reduceInteractiveReply<TState>(
+  interactive: InteractiveReply | undefined,
+  initialState: TState,
+  reduce: (state: TState, block: InteractiveReplyBlock, index: number) => TState,
+): TState {
+  let state = initialState;
+  for (const [index, block] of (interactive?.blocks ?? []).entries()) {
+    state = reduce(state, block, index);
+  }
+  return state;
+}
diff --git a/src/channels/plugins/outbound/load.ts b/src/channels/plugins/outbound/load.ts
index 131924e707c..e082fdc4a80 100644
--- a/src/channels/plugins/outbound/load.ts
+++ b/src/channels/plugins/outbound/load.ts
@@ -4,7 +4,7 @@ import type { ChannelId, ChannelOutboundAdapter } from "../types.js";
 // Channel docking: outbound sends should stay cheap to import.
 //
 // The full channel plugins (src/channels/plugins/*.ts) pull in status,
-// onboarding, gateway monitors, etc. Outbound delivery only needs chunking +
+// setup, gateway monitors, etc. Outbound delivery only needs chunking +
 // send primitives, so we keep a dedicated, lightweight loader here.
 const loadOutboundAdapterFromRegistry = createChannelRegistryLoader<ChannelOutboundAdapter>(
   (entry) => entry.plugin.outbound,
diff --git a/src/channels/plugins/outbound/signal.test.ts b/src/channels/plugins/outbound/signal.test.ts
index 9848c558965..5d28e4aefaf 100644
--- a/src/channels/plugins/outbound/signal.test.ts
+++ b/src/channels/plugins/outbound/signal.test.ts
@@ -1,6 +1,6 @@
 import { describe, expect, it, vi } from "vitest";
+import { signalOutbound } from "../../../../test/channel-outbounds.js";
 import type { OpenClawConfig } from "../../../config/config.js";
-import { signalOutbound } from "./signal.js";
 
 describe("signalOutbound", () => {
   const cfg: OpenClawConfig = {
diff --git a/src/channels/plugins/outbound/signal.ts b/src/channels/plugins/outbound/signal.ts
deleted file mode 100644
index 028192a3f54..00000000000
--- a/src/channels/plugins/outbound/signal.ts
+++ /dev/null
@@ -1,31 +0,0 @@
-import { sendMessageSignal } from "../../../../extensions/signal/src/send.js";
-import {
-  resolveOutboundSendDep,
-  type OutboundSendDeps,
-} from "../../../infra/outbound/send-deps.js";
-import {
-  createScopedChannelMediaMaxBytesResolver,
-  createDirectTextMediaOutbound,
-} from "./direct-text-media.js";
-
-function resolveSignalSender(deps: OutboundSendDeps | undefined) {
-  return resolveOutboundSendDep<typeof sendMessageSignal>(deps, "signal") ?? sendMessageSignal;
-}
-
-export const signalOutbound = createDirectTextMediaOutbound({
-  channel: "signal",
-  resolveSender: resolveSignalSender,
-  resolveMaxBytes: createScopedChannelMediaMaxBytesResolver("signal"),
-  buildTextOptions: ({ cfg, maxBytes, accountId }) => ({
-    cfg,
-    maxBytes,
-    accountId: accountId ?? undefined,
-  }),
-  buildMediaOptions: ({ cfg, mediaUrl, maxBytes, accountId, mediaLocalRoots }) => ({
-    cfg,
-    mediaUrl,
-    maxBytes,
-    accountId: accountId ?? undefined,
-    mediaLocalRoots,
-  }),
-});
diff --git a/src/channels/plugins/outbound/slack.sendpayload.test.ts b/src/channels/plugins/outbound/slack.sendpayload.test.ts
index 8c6b0806254..a78916c1336 100644
--- a/src/channels/plugins/outbound/slack.sendpayload.test.ts
+++ b/src/channels/plugins/outbound/slack.sendpayload.test.ts
@@ -1,17 +1,14 @@
 import { describe, expect, it, vi } from "vitest";
+import { slackOutbound } from "../../../../test/channel-outbounds.js";
 import type { ReplyPayload } from "../../../auto-reply/types.js";
-import {
-  installSendPayloadContractSuite,
-  primeSendMock,
-} from "../../../test-utils/send-payload-contract.js";
-import { slackOutbound } from "./slack.js";
+import { primeChannelOutboundSendMock } from "../contracts/suites.js";
 
 function createHarness(params: {
   payload: ReplyPayload;
   sendResults?: Array<{ messageId: string }>;
 }) {
   const sendSlack = vi.fn();
-  primeSendMock(
+  primeChannelOutboundSendMock(
     sendSlack,
     { messageId: "sl-1", channelId: "C12345", ts: "1234.5678" },
     params.sendResults,
@@ -33,12 +30,6 @@ function createHarness(params: {
 }
 
 describe("slackOutbound sendPayload", () => {
-  installSendPayloadContractSuite({
-    channel: "slack",
-    chunking: { mode: "passthrough", longTextLength: 5000 },
-    createHarness,
-  });
-
   it("forwards Slack blocks from channelData", async () => {
     const { run, sendMock, to } = createHarness({
       payload: {
@@ -100,4 +91,71 @@ describe("slackOutbound sendPayload", () => {
     await expect(run()).rejects.toThrow(/blocks must be an array/i);
     expect(sendMock).not.toHaveBeenCalled();
   });
+
+  it("sends media before a separate interactive blocks message", async () => {
+    const { run, sendMock, to } = createHarness({
+      payload: {
+        text: "Approval required",
+        mediaUrl: "https://example.com/image.png",
+        interactive: {
+          blocks: [
+            {
+              type: "buttons",
+              buttons: [{ label: "Allow", value: "pluginbind:approval-123:o" }],
+            },
+          ],
+        },
+      },
+      sendResults: [{ messageId: "sl-media" }, { messageId: "sl-controls" }],
+    });
+
+    const result = await run();
+
+    expect(sendMock).toHaveBeenCalledTimes(2);
+    expect(sendMock).toHaveBeenNthCalledWith(
+      1,
+      to,
+      "",
+      expect.objectContaining({
+        mediaUrl: "https://example.com/image.png",
+      }),
+    );
+    expect(sendMock.mock.calls[0]?.[2]).not.toHaveProperty("blocks");
+    expect(sendMock).toHaveBeenNthCalledWith(
+      2,
+      to,
+      "Approval required",
+      expect.objectContaining({
+        blocks: [
+          expect.objectContaining({
+            type: "actions",
+          }),
+        ],
+      }),
+    );
+    expect(result).toMatchObject({ channel: "slack", messageId: "sl-controls" });
+  });
+
+  it("fails when merged Slack blocks exceed the platform limit", async () => {
+    const { run, sendMock } = createHarness({
+      payload: {
+        channelData: {
+          slack: {
+            blocks: Array.from({ length: 50 }, () => ({ type: "divider" })),
+          },
+        },
+        interactive: {
+          blocks: [
+            {
+              type: "buttons",
+              buttons: [{ label: "Allow", value: "pluginbind:approval-123:o" }],
+            },
+          ],
+        },
+      },
+    });
+
+    await expect(run()).rejects.toThrow(/Slack blocks cannot exceed 50 items/i);
+    expect(sendMock).not.toHaveBeenCalled();
+  });
 });
diff --git a/src/channels/plugins/outbound/slack.test.ts b/src/channels/plugins/outbound/slack.test.ts
index 9b5c1843ce2..90c6f5e55ad 100644
--- a/src/channels/plugins/outbound/slack.test.ts
+++ b/src/channels/plugins/outbound/slack.test.ts
@@ -10,8 +10,8 @@ vi.mock("../../../plugins/hook-runner-global.js", () => ({
 }));
 
 import { sendMessageSlack } from "../../../../extensions/slack/src/send.js";
+import { slackOutbound } from "../../../../test/channel-outbounds.js";
 import { getGlobalHookRunner } from "../../../plugins/hook-runner-global.js";
-import { slackOutbound } from "./slack.js";
 
 type SlackSendTextCtx = {
   to: string;
diff --git a/src/channels/plugins/outbound/telegram.ts b/src/channels/plugins/outbound/telegram.ts
deleted file mode 100644
index 685ddb6ef31..00000000000
--- a/src/channels/plugins/outbound/telegram.ts
+++ /dev/null
@@ -1 +0,0 @@
-export * from "../../../../extensions/telegram/src/outbound-adapter.js";
diff --git a/src/channels/plugins/outbound/whatsapp.ts b/src/channels/plugins/outbound/whatsapp.ts
deleted file mode 100644
index 112ff4ccf91..00000000000
--- a/src/channels/plugins/outbound/whatsapp.ts
+++ /dev/null
@@ -1,2 +0,0 @@
-// Shim: re-exports from extensions/whatsapp/src/outbound-adapter.ts
-export * from "../../../../extensions/whatsapp/src/outbound-adapter.js";
diff --git a/src/channels/plugins/plugins-channel.test.ts b/src/channels/plugins/plugins-channel.test.ts
index 01a9d29169a..bfd2c4ff556 100644
--- a/src/channels/plugins/plugins-channel.test.ts
+++ b/src/channels/plugins/plugins-channel.test.ts
@@ -1,10 +1,9 @@
 import { describe, expect, it, vi } from "vitest";
 import { normalizeSignalAccountInput } from "../../../extensions/signal/src/setup-surface.js";
+import { telegramOutbound, whatsappOutbound } from "../../../test/channel-outbounds.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { normalizeIMessageMessagingTarget } from "./normalize/imessage.js";
 import { looksLikeSignalTargetId, normalizeSignalMessagingTarget } from "./normalize/signal.js";
-import { telegramOutbound } from "./outbound/telegram.js";
-import { whatsappOutbound } from "./outbound/whatsapp.js";
 
 function expectWhatsAppTargetResolutionError(result: unknown) {
   expect(result).toEqual({
diff --git a/src/channels/plugins/registry.ts b/src/channels/plugins/registry.ts
new file mode 100644
index 00000000000..3f170cbfb92
--- /dev/null
+++ b/src/channels/plugins/registry.ts
@@ -0,0 +1,82 @@
+import {
+  getActivePluginRegistryVersion,
+  requireActivePluginRegistry,
+} from "../../plugins/runtime.js";
+import { CHAT_CHANNEL_ORDER, type ChatChannelId, normalizeAnyChannelId } from "../registry.js";
+import type { ChannelId, ChannelPlugin } from "./types.js";
+
+function dedupeChannels(channels: ChannelPlugin[]): ChannelPlugin[] {
+  const seen = new Set<string>();
+  const resolved: ChannelPlugin[] = [];
+  for (const plugin of channels) {
+    const id = String(plugin.id).trim();
+    if (!id || seen.has(id)) {
+      continue;
+    }
+    seen.add(id);
+    resolved.push(plugin);
+  }
+  return resolved;
+}
+
+type CachedChannelPlugins = {
+  registryVersion: number;
+  sorted: ChannelPlugin[];
+  byId: Map<string, ChannelPlugin>;
+};
+
+const EMPTY_CHANNEL_PLUGIN_CACHE: CachedChannelPlugins = {
+  registryVersion: -1,
+  sorted: [],
+  byId: new Map(),
+};
+
+let cachedChannelPlugins = EMPTY_CHANNEL_PLUGIN_CACHE;
+
+function resolveCachedChannelPlugins(): CachedChannelPlugins {
+  const registry = requireActivePluginRegistry();
+  const registryVersion = getActivePluginRegistryVersion();
+  const cached = cachedChannelPlugins;
+  if (cached.registryVersion === registryVersion) {
+    return cached;
+  }
+
+  const sorted = dedupeChannels(registry.channels.map((entry) => entry.plugin)).toSorted((a, b) => {
+    const indexA = CHAT_CHANNEL_ORDER.indexOf(a.id as ChatChannelId);
+    const indexB = CHAT_CHANNEL_ORDER.indexOf(b.id as ChatChannelId);
+    const orderA = a.meta.order ?? (indexA === -1 ? 999 : indexA);
+    const orderB = b.meta.order ?? (indexB === -1 ? 999 : indexB);
+    if (orderA !== orderB) {
+      return orderA - orderB;
+    }
+    return a.id.localeCompare(b.id);
+  });
+  const byId = new Map<string, ChannelPlugin>();
+  for (const plugin of sorted) {
+    byId.set(plugin.id, plugin);
+  }
+
+  const next: CachedChannelPlugins = {
+    registryVersion,
+    sorted,
+    byId,
+  };
+  cachedChannelPlugins = next;
+  return next;
+}
+
+export function listChannelPlugins(): ChannelPlugin[] {
+  return resolveCachedChannelPlugins().sorted.slice();
+}
+
+export function getChannelPlugin(id: ChannelId): ChannelPlugin | undefined {
+  const resolvedId = String(id).trim();
+  if (!resolvedId) {
+    return undefined;
+  }
+  return resolveCachedChannelPlugins().byId.get(resolvedId);
+}
+
+export function normalizeChannelId(raw?: string | null): ChannelId | null {
+  return normalizeAnyChannelId(raw);
+}
diff --git a/src/channels/plugins/onboarding/channel-access-configure.test.ts b/src/channels/plugins/setup-group-access-configure.test.ts
similarity index 77%
rename from src/channels/plugins/onboarding/channel-access-configure.test.ts
rename to src/channels/plugins/setup-group-access-configure.test.ts
index aba8f05ea95..bb3b0307501 100644
--- a/src/channels/plugins/onboarding/channel-access-configure.test.ts
+++ b/src/channels/plugins/setup-group-access-configure.test.ts
@@ -1,7 +1,7 @@
 import { describe, expect, it, vi } from "vitest";
-import type { OpenClawConfig } from "../../../config/config.js";
-import { configureChannelAccessWithAllowlist } from "./channel-access-configure.js";
-import type { ChannelAccessPolicy } from "./channel-access.js";
+import type { OpenClawConfig } from "../../config/config.js";
+import { configureChannelAccessWithAllowlist } from "./setup-group-access-configure.js";
+import type { ChannelAccessPolicy } from "./setup-group-access.js";
 
 function createPrompter(params: { confirm: boolean; policy?: ChannelAccessPolicy; text?: string }) {
   return {
@@ -89,6 +89,41 @@ describe("configureChannelAccessWithAllowlist", () => {
     expect(applyAllowlist).not.toHaveBeenCalled();
   });
 
+  it("supports allowlist policies without prompting for entries", async () => {
+    const cfg: OpenClawConfig = {};
+    const prompter = createPrompter({
+      confirm: true,
+      policy: "allowlist",
+    });
+    const setPolicy = vi.fn(
+      (next: OpenClawConfig, policy: ChannelAccessPolicy): OpenClawConfig => ({
+        ...next,
+        channels: { twitch: { groupPolicy: policy } },
+      }),
+    );
+    const resolveAllowlist = vi.fn(async () => ["ignored"]);
+    const applyAllowlist = vi.fn((params: { cfg: OpenClawConfig }) => params.cfg);
+
+    const next = await configureChannelAccessWithAllowlist({
+      cfg,
+      // oxlint-disable-next-line typescript/no-explicit-any
+      prompter: prompter as any,
+      label: "Twitch chat",
+      currentPolicy: "disabled",
+      currentEntries: [],
+      placeholder: "",
+      updatePrompt: false,
+      skipAllowlistEntries: true,
+      setPolicy,
+      resolveAllowlist,
+      applyAllowlist,
+    });
+
+    expect(next.channels).toEqual({ twitch: { groupPolicy: "allowlist" } });
+    expect(resolveAllowlist).not.toHaveBeenCalled();
+    expect(applyAllowlist).not.toHaveBeenCalled();
+  });
+
   it("resolves allowlist entries and applies them after forcing allowlist policy", async () => {
     const cfg: OpenClawConfig = {};
     const prompter = createPrompter({
diff --git a/src/channels/plugins/onboarding/channel-access-configure.ts b/src/channels/plugins/setup-group-access-configure.ts
similarity index 65%
rename from src/channels/plugins/onboarding/channel-access-configure.ts
rename to src/channels/plugins/setup-group-access-configure.ts
index 200efce5811..26b07f9cf99 100644
--- a/src/channels/plugins/onboarding/channel-access-configure.ts
+++ b/src/channels/plugins/setup-group-access-configure.ts
@@ -1,6 +1,6 @@
-import type { OpenClawConfig } from "../../../config/config.js";
-import type { WizardPrompter } from "../../../wizard/prompts.js";
-import { promptChannelAccessConfig, type ChannelAccessPolicy } from "./channel-access.js";
+import type { OpenClawConfig } from "../../config/config.js";
+import type { WizardPrompter } from "../../wizard/prompts.js";
+import { promptChannelAccessConfig, type ChannelAccessPolicy } from "./setup-group-access.js";
 
 export async function configureChannelAccessWithAllowlist<TResolved>(params: {
   cfg: OpenClawConfig;
@@ -10,9 +10,10 @@ export async function configureChannelAccessWithAllowlist<TResolved>(params: {
   currentEntries: string[];
   placeholder: string;
   updatePrompt: boolean;
+  skipAllowlistEntries?: boolean;
   setPolicy: (cfg: OpenClawConfig, policy: ChannelAccessPolicy) => OpenClawConfig;
-  resolveAllowlist: (params: { cfg: OpenClawConfig; entries: string[] }) => Promise<TResolved>;
-  applyAllowlist: (params: { cfg: OpenClawConfig; resolved: TResolved }) => OpenClawConfig;
+  resolveAllowlist?: (params: { cfg: OpenClawConfig; entries: string[] }) => Promise<TResolved>;
+  applyAllowlist?: (params: { cfg: OpenClawConfig; resolved: TResolved }) => OpenClawConfig;
 }): Promise<OpenClawConfig> {
   let next = params.cfg;
   const accessConfig = await promptChannelAccessConfig({
@@ -22,6 +23,7 @@ export async function configureChannelAccessWithAllowlist<TResolved>(params: {
     currentEntries: params.currentEntries,
     placeholder: params.placeholder,
     updatePrompt: params.updatePrompt,
+    skipAllowlistEntries: params.skipAllowlistEntries,
   });
   if (!accessConfig) {
     return next;
@@ -29,6 +31,9 @@ export async function configureChannelAccessWithAllowlist<TResolved>(params: {
   if (accessConfig.policy !== "allowlist") {
     return params.setPolicy(next, accessConfig.policy);
   }
+  if (params.skipAllowlistEntries || !params.resolveAllowlist || !params.applyAllowlist) {
+    return params.setPolicy(next, "allowlist");
+  }
   const resolved = await params.resolveAllowlist({
     cfg: next,
     entries: accessConfig.entries,
diff --git a/src/channels/plugins/onboarding/channel-access.test.ts b/src/channels/plugins/setup-group-access.test.ts
similarity index 84%
rename from src/channels/plugins/onboarding/channel-access.test.ts
rename to src/channels/plugins/setup-group-access.test.ts
index 0e5b2ba6651..a19ed348015 100644
--- a/src/channels/plugins/onboarding/channel-access.test.ts
+++ b/src/channels/plugins/setup-group-access.test.ts
@@ -5,7 +5,7 @@ import {
   promptChannelAccessConfig,
   promptChannelAllowlist,
   promptChannelAccessPolicy,
-} from "./channel-access.js";
+} from "./setup-group-access.js";
 
 function createPrompter(params?: {
   confirm?: (options: { message: string; initialValue: boolean }) => Promise<boolean>;
@@ -83,6 +83,27 @@ describe("promptChannelAccessPolicy", () => {
   });
 });
 
+describe("promptChannelAccessConfig", () => {
+  it("skips the allowlist text prompt when entries are policy-only", async () => {
+    const prompter = createPrompter({
+      confirm: async () => true,
+      select: async () => "allowlist",
+      text: async () => {
+        throw new Error("text prompt should not run");
+      },
+    });
+
+    const result = await promptChannelAccessConfig({
+      // oxlint-disable-next-line typescript/no-explicit-any
+      prompter: prompter as any,
+      label: "Twitch chat",
+      skipAllowlistEntries: true,
+    });
+
+    expect(result).toEqual({ policy: "allowlist", entries: [] });
+  });
+});
+
 describe("promptChannelAccessConfig", () => {
   it("returns null when user skips configuration", async () => {
     const prompter = createPrompter({
diff --git a/src/channels/plugins/onboarding/channel-access.ts b/src/channels/plugins/setup-group-access.ts
similarity index 91%
rename from src/channels/plugins/onboarding/channel-access.ts
rename to src/channels/plugins/setup-group-access.ts
index ef86b37f336..6e68a0a4842 100644
--- a/src/channels/plugins/onboarding/channel-access.ts
+++ b/src/channels/plugins/setup-group-access.ts
@@ -1,10 +1,10 @@
-import type { WizardPrompter } from "../../../wizard/prompts.js";
-import { splitOnboardingEntries } from "./helpers.js";
+import type { WizardPrompter } from "../../wizard/prompts.js";
+import { splitSetupEntries } from "./setup-wizard-helpers.js";
 
 export type ChannelAccessPolicy = "allowlist" | "open" | "disabled";
 
 export function parseAllowlistEntries(raw: string): string[] {
-  return splitOnboardingEntries(String(raw ?? ""));
+  return splitSetupEntries(String(raw ?? ""));
 }
 
 export function formatAllowlistEntries(entries: string[]): string {
@@ -64,6 +64,7 @@ export async function promptChannelAccessConfig(params: {
   placeholder?: string;
   allowOpen?: boolean;
   allowDisabled?: boolean;
+  skipAllowlistEntries?: boolean;
   defaultPrompt?: boolean;
   updatePrompt?: boolean;
 }): Promise<{ policy: ChannelAccessPolicy; entries: string[] } | null> {
@@ -88,6 +89,9 @@ export async function promptChannelAccessConfig(params: {
   if (policy !== "allowlist") {
     return { policy, entries: [] };
   }
+  if (params.skipAllowlistEntries) {
+    return { policy, entries: [] };
+  }
   const entries = await promptChannelAllowlist({
     prompter: params.prompter,
     label: params.label,
diff --git a/src/channels/plugins/setup-registry.ts b/src/channels/plugins/setup-registry.ts
index 493b14351cc..bbb82022da9 100644
--- a/src/channels/plugins/setup-registry.ts
+++ b/src/channels/plugins/setup-registry.ts
@@ -3,6 +3,7 @@ import {
   requireActivePluginRegistry,
 } from "../../plugins/runtime.js";
 import { CHAT_CHANNEL_ORDER, type ChatChannelId } from "../registry.js";
+import { bundledChannelSetupPlugins } from "./bundled.js";
 import type { ChannelId, ChannelPlugin } from "./types.js";
 
 type CachedChannelSetupPlugins = {
@@ -33,17 +34,8 @@ function dedupeSetupPlugins(plugins: ChannelPlugin[]): ChannelPlugin[] {
   return resolved;
 }
 
-function resolveCachedChannelSetupPlugins(): CachedChannelSetupPlugins {
-  const registry = requireActivePluginRegistry();
-  const registryVersion = getActivePluginRegistryVersion();
-  const cached = cachedChannelSetupPlugins;
-  if (cached.registryVersion === registryVersion) {
-    return cached;
-  }
-
-  const sorted = dedupeSetupPlugins(
-    (registry.channelSetups ?? []).map((entry) => entry.plugin),
-  ).toSorted((a, b) => {
+function sortChannelSetupPlugins(plugins: ChannelPlugin[]): ChannelPlugin[] {
+  return dedupeSetupPlugins(plugins).toSorted((a, b) => {
     const indexA = CHAT_CHANNEL_ORDER.indexOf(a.id as ChatChannelId);
     const indexB = CHAT_CHANNEL_ORDER.indexOf(b.id as ChatChannelId);
     const orderA = a.meta.order ?? (indexA === -1 ? 999 : indexA);
@@ -53,6 +45,20 @@ function resolveCachedChannelSetupPlugins(): CachedChannelSetupPlugins {
     }
     return a.id.localeCompare(b.id);
   });
+}
+
+function resolveCachedChannelSetupPlugins(): CachedChannelSetupPlugins {
+  const registry = requireActivePluginRegistry();
+  const registryVersion = getActivePluginRegistryVersion();
+  const cached = cachedChannelSetupPlugins;
+  if (cached.registryVersion === registryVersion) {
+    return cached;
+  }
+
+  const registryPlugins = (registry.channelSetups ?? []).map((entry) => entry.plugin);
+  const sorted = sortChannelSetupPlugins(
+    registryPlugins.length > 0 ? registryPlugins : bundledChannelSetupPlugins,
+  );
   const byId = new Map<string, ChannelPlugin>();
   for (const plugin of sorted) {
     byId.set(plugin.id, plugin);
diff --git a/src/channels/plugins/setup-wizard-helpers.runtime.ts b/src/channels/plugins/setup-wizard-helpers.runtime.ts
new file mode 100644
index 00000000000..8c1808f5d40
--- /dev/null
+++ b/src/channels/plugins/setup-wizard-helpers.runtime.ts
@@ -0,0 +1 @@
+export { promptResolvedAllowFrom } from "./setup-wizard-helpers.js";
diff --git a/src/channels/plugins/onboarding/helpers.test.ts b/src/channels/plugins/setup-wizard-helpers.test.ts
similarity index 94%
rename from src/channels/plugins/onboarding/helpers.test.ts
rename to src/channels/plugins/setup-wizard-helpers.test.ts
index f4d4c0c2f5a..3c20f51242f 100644
--- a/src/channels/plugins/onboarding/helpers.test.ts
+++ b/src/channels/plugins/setup-wizard-helpers.test.ts
@@ -1,12 +1,6 @@
-import { beforeEach, describe, expect, it, vi } from "vitest";
-import type { OpenClawConfig } from "../../../config/config.js";
-import { DEFAULT_ACCOUNT_ID } from "../../../routing/session-key.js";
-
-const promptAccountIdSdkMock = vi.hoisted(() => vi.fn(async () => "default"));
-vi.mock("../../../plugin-sdk/onboarding.js", () => ({
-  promptAccountId: promptAccountIdSdkMock,
-}));
-
+import { describe, expect, it, vi } from "vitest";
+import type { OpenClawConfig } from "../../config/config.js";
+import { DEFAULT_ACCOUNT_ID } from "../../routing/session-key.js";
 import {
   applySingleTokenPromptResult,
   buildSingleChannelSecretPromptState,
@@ -14,17 +8,17 @@ import {
   noteChannelLookupFailure,
   noteChannelLookupSummary,
   parseMentionOrPrefixedId,
-  parseOnboardingEntriesAllowingWildcard,
+  parseSetupEntriesAllowingWildcard,
   patchChannelConfigForAccount,
   patchLegacyDmChannelConfig,
   promptLegacyChannelAllowFrom,
-  parseOnboardingEntriesWithParser,
+  parseSetupEntriesWithParser,
   promptParsedAllowFromForScopedChannel,
   promptSingleChannelSecretInput,
   promptSingleChannelToken,
   promptResolvedAllowFrom,
   resolveAccountIdForConfigure,
-  resolveOnboardingAccountId,
+  resolveSetupAccountId,
   setAccountAllowFromForChannel,
   setAccountGroupPolicyForChannel,
   setChannelDmPolicyWithAllowFrom,
@@ -33,9 +27,9 @@ import {
   setTopLevelChannelGroupPolicy,
   setLegacyChannelAllowFrom,
   setLegacyChannelDmPolicyWithAllowFrom,
-  setOnboardingChannelEnabled,
-  splitOnboardingEntries,
-} from "./helpers.js";
+  setSetupChannelEnabled,
+  splitSetupEntries,
+} from "./setup-wizard-helpers.js";
 
 function createPrompter(inputs: string[]) {
   return {
@@ -166,11 +160,6 @@ async function runPromptLegacyAllowFrom(params: {
 }
 
 describe("promptResolvedAllowFrom", () => {
-  beforeEach(() => {
-    promptAccountIdSdkMock.mockReset();
-    promptAccountIdSdkMock.mockResolvedValue("default");
-  });
-
   it("re-prompts without token until all ids are parseable", async () => {
     const prompter = createPrompter(["@alice", "123"]);
     const resolveEntries = vi.fn();
@@ -464,7 +453,7 @@ describe("promptParsedAllowFromForScopedChannel", () => {
       message: "msg",
       placeholder: "placeholder",
       parseEntries: (raw) =>
-        parseOnboardingEntriesWithParser(raw, (entry) => ({ value: entry.toLowerCase() })),
+        parseSetupEntriesWithParser(raw, (entry) => ({ value: entry.toLowerCase() })),
       getExistingAllowFrom: ({ cfg }) => cfg.channels?.imessage?.allowFrom ?? [],
     });
 
@@ -748,7 +737,7 @@ describe("patchChannelConfigForAccount", () => {
   });
 });
 
-describe("setOnboardingChannelEnabled", () => {
+describe("setSetupChannelEnabled", () => {
   it("updates enabled and keeps existing channel fields", () => {
     const cfg: OpenClawConfig = {
       channels: {
@@ -759,13 +748,13 @@ describe("setOnboardingChannelEnabled", () => {
       },
     };
 
-    const next = setOnboardingChannelEnabled(cfg, "discord", false);
+    const next = setSetupChannelEnabled(cfg, "discord", false);
     expect(next.channels?.discord?.enabled).toBe(false);
     expect(next.channels?.discord?.token).toBe("abc");
   });
 
   it("creates missing channel config with enabled state", () => {
-    const next = setOnboardingChannelEnabled({}, "signal", true);
+    const next = setSetupChannelEnabled({}, "signal", true);
     expect(next.channels?.signal?.enabled).toBe(true);
   });
 });
@@ -1016,16 +1005,16 @@ describe("setTopLevelChannelGroupPolicy", () => {
   });
 });
 
-describe("splitOnboardingEntries", () => {
+describe("splitSetupEntries", () => {
   it("splits comma/newline/semicolon input and trims blanks", () => {
-    expect(splitOnboardingEntries(" alice, bob \ncarol;  ;\n")).toEqual(["alice", "bob", "carol"]);
+    expect(splitSetupEntries(" alice, bob \ncarol;  ;\n")).toEqual(["alice", "bob", "carol"]);
   });
 });
 
-describe("parseOnboardingEntriesWithParser", () => {
+describe("parseSetupEntriesWithParser", () => {
   it("maps entries and de-duplicates parsed values", () => {
     expect(
-      parseOnboardingEntriesWithParser(" alice, ALICE ; * ", (entry) => {
+      parseSetupEntriesWithParser(" alice, ALICE ; * ", (entry) => {
         if (entry === "*") {
           return { value: "*" };
         }
@@ -1038,7 +1027,7 @@ describe("parseOnboardingEntriesWithParser", () => {
 
   it("returns parser errors and clears parsed entries", () => {
     expect(
-      parseOnboardingEntriesWithParser("ok, bad", (entry) =>
+      parseSetupEntriesWithParser("ok, bad", (entry) =>
         entry === "bad" ? { error: "invalid entry: bad" } : { value: entry },
       ),
     ).toEqual({
@@ -1048,10 +1037,10 @@ describe("parseOnboardingEntriesWithParser", () => {
   });
 });
 
-describe("parseOnboardingEntriesAllowingWildcard", () => {
+describe("parseSetupEntriesAllowingWildcard", () => {
   it("preserves wildcard and delegates non-wildcard entries", () => {
     expect(
-      parseOnboardingEntriesAllowingWildcard(" *, Foo ", (entry) => ({
+      parseSetupEntriesAllowingWildcard(" *, Foo ", (entry) => ({
         value: entry.toLowerCase(),
       })),
     ).toEqual({
@@ -1061,7 +1050,7 @@ describe("parseOnboardingEntriesAllowingWildcard", () => {
 
   it("returns parser errors for non-wildcard entries", () => {
     expect(
-      parseOnboardingEntriesAllowingWildcard("ok,bad", (entry) =>
+      parseSetupEntriesAllowingWildcard("ok,bad", (entry) =>
         entry === "bad" ? { error: "bad entry" } : { value: entry },
       ),
     ).toEqual({
@@ -1129,10 +1118,10 @@ describe("normalizeAllowFromEntries", () => {
   });
 });
 
-describe("resolveOnboardingAccountId", () => {
+describe("resolveSetupAccountId", () => {
   it("normalizes provided account ids", () => {
     expect(
-      resolveOnboardingAccountId({
+      resolveSetupAccountId({
         accountId: " Work Account ",
         defaultAccountId: DEFAULT_ACCOUNT_ID,
       }),
@@ -1141,7 +1130,7 @@ describe("resolveOnboardingAccountId", () => {
 
   it("falls back to default account id when input is blank", () => {
     expect(
-      resolveOnboardingAccountId({
+      resolveSetupAccountId({
         accountId: "   ",
         defaultAccountId: "custom-default",
       }),
@@ -1150,11 +1139,6 @@ describe("resolveOnboardingAccountId", () => {
 });
 
 describe("resolveAccountIdForConfigure", () => {
-  beforeEach(() => {
-    promptAccountIdSdkMock.mockReset();
-    promptAccountIdSdkMock.mockResolvedValue("default");
-  });
-
   it("uses normalized override without prompting", async () => {
     const accountId = await resolveAccountIdForConfigure({
       cfg: {},
@@ -1183,12 +1167,16 @@ describe("resolveAccountIdForConfigure", () => {
   });
 
   it("prompts for account id when prompting is enabled and no override is provided", async () => {
-    promptAccountIdSdkMock.mockResolvedValueOnce("prompted-id");
+    const prompter = {
+      select: vi.fn(async () => "prompted-id"),
+      text: vi.fn(async () => ""),
+      note: vi.fn(async () => undefined),
+    };
 
     const accountId = await resolveAccountIdForConfigure({
       cfg: {},
       // oxlint-disable-next-line typescript/no-explicit-any
-      prompter: {} as any,
+      prompter: prompter as any,
       label: "Signal",
       shouldPromptAccountIds: true,
       listAccountIds: () => ["default", "prompted-id"],
@@ -1196,12 +1184,12 @@ describe("resolveAccountIdForConfigure", () => {
     });
 
     expect(accountId).toBe("prompted-id");
-    expect(promptAccountIdSdkMock).toHaveBeenCalledWith(
+    expect(prompter.select).toHaveBeenCalledWith(
       expect.objectContaining({
-        label: "Signal",
-        currentId: "fallback",
-        defaultAccountId: "fallback",
+        message: "Signal account",
+        initialValue: "fallback",
       }),
     );
+    expect(prompter.text).not.toHaveBeenCalled();
   });
 });
diff --git a/src/channels/plugins/onboarding/helpers.ts b/src/channels/plugins/setup-wizard-helpers.ts
similarity index 91%
rename from src/channels/plugins/onboarding/helpers.ts
rename to src/channels/plugins/setup-wizard-helpers.ts
index d26999bd3ff..de513f64d27 100644
--- a/src/channels/plugins/onboarding/helpers.ts
+++ b/src/channels/plugins/setup-wizard-helpers.ts
@@ -1,21 +1,49 @@
 import {
-  promptSecretRefForOnboarding,
+  promptSecretRefForSetup,
   resolveSecretInputModeForEnvSelection,
-} from "../../../commands/auth-choice.apply-helpers.js";
-import type { OpenClawConfig } from "../../../config/config.js";
-import type { DmPolicy, GroupPolicy } from "../../../config/types.js";
-import type { SecretInput } from "../../../config/types.secrets.js";
-import { promptAccountId as promptAccountIdSdk } from "../../../plugin-sdk/onboarding.js";
-import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../../routing/session-key.js";
-import type { WizardPrompter } from "../../../wizard/prompts.js";
-import type { PromptAccountId, PromptAccountIdParams } from "../onboarding-types.js";
+} from "../../commands/auth-choice.apply-helpers.js";
+import type { OpenClawConfig } from "../../config/config.js";
+import type { DmPolicy, GroupPolicy } from "../../config/types.js";
+import type { SecretInput } from "../../config/types.secrets.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../routing/session-key.js";
+import type { WizardPrompter } from "../../wizard/prompts.js";
 import {
   moveSingleAccountChannelSectionToDefaultAccount,
   patchScopedAccountConfig,
-} from "../setup-helpers.js";
+} from "./setup-helpers.js";
+import type { PromptAccountId, PromptAccountIdParams } from "./setup-wizard-types.js";
 
 export const promptAccountId: PromptAccountId = async (params: PromptAccountIdParams) => {
-  return await promptAccountIdSdk(params);
+  const existingIds = params.listAccountIds(params.cfg);
+  const initial = params.currentId?.trim() || params.defaultAccountId || DEFAULT_ACCOUNT_ID;
+  const choice = await params.prompter.select({
+    message: `${params.label} account`,
+    options: [
+      ...existingIds.map((id) => ({
+        value: id,
+        label: id === DEFAULT_ACCOUNT_ID ? "default (primary)" : id,
+      })),
+      { value: "__new__", label: "Add a new account" },
+    ],
+    initialValue: initial,
+  });
+
+  if (choice !== "__new__") {
+    return normalizeAccountId(choice);
+  }
+
+  const entered = await params.prompter.text({
+    message: `New ${params.label} account id`,
+    validate: (value) => (value?.trim() ? undefined : "Required"),
+  });
+  const normalized = normalizeAccountId(String(entered));
+  if (String(entered).trim() !== normalized) {
+    await params.prompter.note(
+      `Normalized account id to "${normalized}".`,
+      `${params.label} account`,
+    );
+  }
+  return normalized;
 };
 
 export function addWildcardAllowFrom(allowFrom?: Array<string | number> | null): string[] {
@@ -34,20 +62,20 @@ export function mergeAllowFromEntries(
   return [...new Set(merged)];
 }
 
-export function splitOnboardingEntries(raw: string): string[] {
+export function splitSetupEntries(raw: string): string[] {
   return raw
     .split(/[\n,;]+/g)
     .map((entry) => entry.trim())
     .filter(Boolean);
 }
 
-type ParsedOnboardingEntry = { value: string } | { error: string };
+type ParsedSetupEntry = { value: string } | { error: string };
 
-export function parseOnboardingEntriesWithParser(
+export function parseSetupEntriesWithParser(
   raw: string,
-  parseEntry: (entry: string) => ParsedOnboardingEntry,
+  parseEntry: (entry: string) => ParsedSetupEntry,
 ): { entries: string[]; error?: string } {
-  const parts = splitOnboardingEntries(String(raw ?? ""));
+  const parts = splitSetupEntries(String(raw ?? ""));
   const entries: string[] = [];
   for (const part of parts) {
     const parsed = parseEntry(part);
@@ -59,11 +87,11 @@ export function parseOnboardingEntriesWithParser(
   return { entries: normalizeAllowFromEntries(entries) };
 }
 
-export function parseOnboardingEntriesAllowingWildcard(
+export function parseSetupEntriesAllowingWildcard(
   raw: string,
-  parseEntry: (entry: string) => ParsedOnboardingEntry,
+  parseEntry: (entry: string) => ParsedSetupEntry,
 ): { entries: string[]; error?: string } {
-  return parseOnboardingEntriesWithParser(raw, (entry) => {
+  return parseSetupEntriesWithParser(raw, (entry) => {
     if (entry === "*") {
       return { value: "*" };
     }
@@ -117,7 +145,7 @@ export function normalizeAllowFromEntries(
   return [...new Set(normalized)];
 }
 
-export function resolveOnboardingAccountId(params: {
+export function resolveSetupAccountId(params: {
   accountId?: string;
   defaultAccountId: string;
 }): string {
@@ -338,7 +366,7 @@ export function patchLegacyDmChannelConfig(params: {
   };
 }
 
-export function setOnboardingChannelEnabled(
+export function setSetupChannelEnabled(
   cfg: OpenClawConfig,
   channel: string,
   enabled: boolean,
@@ -617,7 +645,7 @@ export async function promptSingleChannelSecretInput(params: {
     }
   }
 
-  const resolved = await promptSecretRefForOnboarding({
+  const resolved = await promptSecretRefForSetup({
     provider: params.providerHint,
     config: params.cfg,
     prompter: params.prompter as WizardPrompter,
@@ -656,7 +684,7 @@ export async function promptParsedAllowFromForScopedChannel(params: {
     accountId: string;
   }) => Array<string | number>;
 }): Promise<OpenClawConfig> {
-  const accountId = resolveOnboardingAccountId({
+  const accountId = resolveSetupAccountId({
     accountId: params.accountId,
     defaultAccountId: params.defaultAccountId,
   });
@@ -799,7 +827,7 @@ export async function promptLegacyChannelAllowFrom(params: {
     message: params.message,
     placeholder: params.placeholder,
     label: params.noteTitle,
-    parseInputs: splitOnboardingEntries,
+    parseInputs: splitSetupEntries,
     parseId: params.parseId,
     invalidWithoutTokenNote: params.invalidWithoutTokenNote,
     resolveEntries: params.resolveEntries,
diff --git a/src/channels/plugins/onboarding-types.ts b/src/channels/plugins/setup-wizard-types.ts
similarity index 71%
rename from src/channels/plugins/onboarding-types.ts
rename to src/channels/plugins/setup-wizard-types.ts
index f560b27b172..7dec2ea87a4 100644
--- a/src/channels/plugins/onboarding-types.ts
+++ b/src/channels/plugins/setup-wizard-types.ts
@@ -4,13 +4,18 @@ import type { RuntimeEnv } from "../../runtime.js";
 import type { WizardPrompter } from "../../wizard/prompts.js";
 import type { ChannelId, ChannelPlugin } from "./types.js";
 
+export type ChannelSetupPlugin = Pick<
+  ChannelPlugin,
+  "id" | "meta" | "capabilities" | "config" | "setup" | "setupWizard"
+>;
+
 export type SetupChannelsOptions = {
   allowDisable?: boolean;
   allowSignalInstall?: boolean;
   onSelection?: (selection: ChannelId[]) => void;
   accountIds?: Partial<Record<ChannelId, string>>;
   onAccountId?: (channel: ChannelId, accountId: string) => void;
-  onResolvedPlugin?: (channel: ChannelId, plugin: ChannelPlugin) => void;
+  onResolvedPlugin?: (channel: ChannelId, plugin: ChannelSetupPlugin) => void;
   promptAccountIds?: boolean;
   whatsappAccountId?: string;
   promptWhatsAppAccountId?: boolean;
@@ -35,7 +40,7 @@ export type PromptAccountIdParams = {
 
 export type PromptAccountId = (params: PromptAccountIdParams) => Promise<string>;
 
-export type ChannelOnboardingStatus = {
+export type ChannelSetupStatus = {
   channel: ChannelId;
   configured: boolean;
   statusLines: string[];
@@ -43,13 +48,13 @@ export type ChannelOnboardingStatus = {
   quickstartScore?: number;
 };
 
-export type ChannelOnboardingStatusContext = {
+export type ChannelSetupStatusContext = {
   cfg: OpenClawConfig;
   options?: SetupChannelsOptions;
   accountOverrides: Partial<Record<ChannelId, string>>;
 };
 
-export type ChannelOnboardingConfigureContext = {
+export type ChannelSetupConfigureContext = {
   cfg: OpenClawConfig;
   runtime: RuntimeEnv;
   prompter: WizardPrompter;
@@ -59,19 +64,19 @@ export type ChannelOnboardingConfigureContext = {
   forceAllowFrom: boolean;
 };
 
-export type ChannelOnboardingResult = {
+export type ChannelSetupResult = {
   cfg: OpenClawConfig;
   accountId?: string;
 };
 
-export type ChannelOnboardingConfiguredResult = ChannelOnboardingResult | "skip";
+export type ChannelSetupConfiguredResult = ChannelSetupResult | "skip";
 
-export type ChannelOnboardingInteractiveContext = ChannelOnboardingConfigureContext & {
+export type ChannelSetupInteractiveContext = ChannelSetupConfigureContext & {
   configured: boolean;
   label: string;
 };
 
-export type ChannelOnboardingDmPolicy = {
+export type ChannelSetupDmPolicy = {
   label: string;
   channel: ChannelId;
   policyKey: string;
@@ -85,17 +90,17 @@ export type ChannelOnboardingDmPolicy = {
   }) => Promise<OpenClawConfig>;
 };
 
-export type ChannelOnboardingAdapter = {
+export type ChannelSetupWizardAdapter = {
   channel: ChannelId;
-  getStatus: (ctx: ChannelOnboardingStatusContext) => Promise<ChannelOnboardingStatus>;
-  configure: (ctx: ChannelOnboardingConfigureContext) => Promise<ChannelOnboardingResult>;
+  getStatus: (ctx: ChannelSetupStatusContext) => Promise<ChannelSetupStatus>;
+  configure: (ctx: ChannelSetupConfigureContext) => Promise<ChannelSetupResult>;
   configureInteractive?: (
-    ctx: ChannelOnboardingInteractiveContext,
-  ) => Promise<ChannelOnboardingConfiguredResult>;
+    ctx: ChannelSetupInteractiveContext,
+  ) => Promise<ChannelSetupConfiguredResult>;
   configureWhenConfigured?: (
-    ctx: ChannelOnboardingInteractiveContext,
-  ) => Promise<ChannelOnboardingConfiguredResult>;
-  dmPolicy?: ChannelOnboardingDmPolicy;
+    ctx: ChannelSetupInteractiveContext,
+  ) => Promise<ChannelSetupConfiguredResult>;
+  dmPolicy?: ChannelSetupDmPolicy;
   onAccountRecorded?: (accountId: string, options?: SetupChannelsOptions) => void;
   disable?: (cfg: OpenClawConfig) => OpenClawConfig;
 };
diff --git a/src/channels/plugins/setup-wizard.ts b/src/channels/plugins/setup-wizard.ts
index f71d1802aa3..2301cc8fe49 100644
--- a/src/channels/plugins/setup-wizard.ts
+++ b/src/channels/plugins/setup-wizard.ts
@@ -1,21 +1,21 @@
 import type { OpenClawConfig } from "../../config/config.js";
 import { DEFAULT_ACCOUNT_ID } from "../../routing/session-key.js";
 import type { WizardPrompter } from "../../wizard/prompts.js";
-import type {
-  ChannelOnboardingAdapter,
-  ChannelOnboardingConfigureContext,
-  ChannelOnboardingDmPolicy,
-  ChannelOnboardingStatus,
-  ChannelOnboardingStatusContext,
-} from "./onboarding-types.js";
-import { configureChannelAccessWithAllowlist } from "./onboarding/channel-access-configure.js";
-import type { ChannelAccessPolicy } from "./onboarding/channel-access.js";
+import { configureChannelAccessWithAllowlist } from "./setup-group-access-configure.js";
+import type { ChannelAccessPolicy } from "./setup-group-access.js";
 import {
   promptResolvedAllowFrom,
   resolveAccountIdForConfigure,
   runSingleChannelSecretStep,
-  splitOnboardingEntries,
-} from "./onboarding/helpers.js";
+  splitSetupEntries,
+} from "./setup-wizard-helpers.js";
+import type {
+  ChannelSetupWizardAdapter,
+  ChannelSetupConfigureContext,
+  ChannelSetupDmPolicy,
+  ChannelSetupStatus,
+  ChannelSetupStatusContext,
+} from "./setup-wizard-types.js";
 import type { ChannelSetupInput } from "./types.core.js";
 import type { ChannelPlugin } from "./types.js";
 
@@ -184,6 +184,7 @@ export type ChannelSetupWizardGroupAccess = {
   placeholder: string;
   helpTitle?: string;
   helpLines?: string[];
+  skipAllowlistEntries?: boolean;
   currentPolicy: (params: { cfg: OpenClawConfig; accountId: string }) => ChannelAccessPolicy;
   currentEntries: (params: { cfg: OpenClawConfig; accountId: string }) => string[];
   updatePrompt: (params: { cfg: OpenClawConfig; accountId: string }) => boolean;
@@ -192,14 +193,14 @@ export type ChannelSetupWizardGroupAccess = {
     accountId: string;
     policy: ChannelAccessPolicy;
   }) => OpenClawConfig;
-  resolveAllowlist: (params: {
+  resolveAllowlist?: (params: {
     cfg: OpenClawConfig;
     accountId: string;
     credentialValues: ChannelSetupWizardCredentialValues;
     entries: string[];
     prompter: Pick<WizardPrompter, "note">;
   }) => Promise<unknown>;
-  applyAllowlist: (params: {
+  applyAllowlist?: (params: {
     cfg: OpenClawConfig;
     accountId: string;
     resolved: unknown;
@@ -210,9 +211,9 @@ export type ChannelSetupWizardPrepare = (params: {
   cfg: OpenClawConfig;
   accountId: string;
   credentialValues: ChannelSetupWizardCredentialValues;
-  runtime: ChannelOnboardingConfigureContext["runtime"];
+  runtime: ChannelSetupConfigureContext["runtime"];
   prompter: WizardPrompter;
-  options?: ChannelOnboardingConfigureContext["options"];
+  options?: ChannelSetupConfigureContext["options"];
 }) =>
   | {
       cfg?: OpenClawConfig;
@@ -228,9 +229,9 @@ export type ChannelSetupWizardFinalize = (params: {
   cfg: OpenClawConfig;
   accountId: string;
   credentialValues: ChannelSetupWizardCredentialValues;
-  runtime: ChannelOnboardingConfigureContext["runtime"];
+  runtime: ChannelSetupConfigureContext["runtime"];
   prompter: WizardPrompter;
-  options?: ChannelOnboardingConfigureContext["options"];
+  options?: ChannelSetupConfigureContext["options"];
   forceAllowFrom: boolean;
 }) =>
   | {
@@ -248,9 +249,18 @@ export type ChannelSetupWizard = {
   status: ChannelSetupWizardStatus;
   introNote?: ChannelSetupWizardNote;
   envShortcut?: ChannelSetupWizardEnvShortcut;
+  resolveAccountIdForConfigure?: (params: {
+    cfg: OpenClawConfig;
+    prompter: WizardPrompter;
+    options?: ChannelSetupConfigureContext["options"];
+    accountOverride?: string;
+    shouldPromptAccountIds: boolean;
+    listAccountIds: ChannelSetupWizardPlugin["config"]["listAccountIds"];
+    defaultAccountId: string;
+  }) => string | Promise<string>;
   resolveShouldPromptAccountIds?: (params: {
     cfg: OpenClawConfig;
-    options?: ChannelOnboardingConfigureContext["options"];
+    options?: ChannelSetupConfigureContext["options"];
     shouldPromptAccountIds: boolean;
   }) => boolean;
   prepare?: ChannelSetupWizardPrepare;
@@ -259,11 +269,11 @@ export type ChannelSetupWizard = {
   textInputs?: ChannelSetupWizardTextInput[];
   finalize?: ChannelSetupWizardFinalize;
   completionNote?: ChannelSetupWizardNote;
-  dmPolicy?: ChannelOnboardingDmPolicy;
+  dmPolicy?: ChannelSetupDmPolicy;
   allowFrom?: ChannelSetupWizardAllowFrom;
   groupAccess?: ChannelSetupWizardGroupAccess;
   disable?: (cfg: OpenClawConfig) => OpenClawConfig;
-  onAccountRecorded?: ChannelOnboardingAdapter["onAccountRecorded"];
+  onAccountRecorded?: ChannelSetupWizardAdapter["onAccountRecorded"];
 };
 
 type ChannelSetupWizardPlugin = Pick<ChannelPlugin, "id" | "meta" | "config" | "setup">;
@@ -271,8 +281,8 @@ type ChannelSetupWizardPlugin = Pick<ChannelPlugin, "id" | "meta" | "config" | "
 async function buildStatus(
   plugin: ChannelSetupWizardPlugin,
   wizard: ChannelSetupWizard,
-  ctx: ChannelOnboardingStatusContext,
-): Promise<ChannelOnboardingStatus> {
+  ctx: ChannelSetupStatusContext,
+): Promise<ChannelSetupStatus> {
   const configured = await wizard.status.resolveConfigured({ cfg: ctx.cfg });
   const statusLines = (await wizard.status.resolveStatusLines?.({
     cfg: ctx.cfg,
@@ -389,10 +399,10 @@ async function applyWizardTextInputValue(params: {
       }).cfg;
 }
 
-export function buildChannelOnboardingAdapterFromSetupWizard(params: {
+export function buildChannelSetupWizardAdapterFromSetupWizard(params: {
   plugin: ChannelSetupWizardPlugin;
   wizard: ChannelSetupWizard;
-}): ChannelOnboardingAdapter {
+}): ChannelSetupWizardAdapter {
   const { plugin, wizard } = params;
   return {
     channel: plugin.id,
@@ -416,15 +426,25 @@ export function buildChannelOnboardingAdapterFromSetupWizard(params: {
           options,
           shouldPromptAccountIds,
         }) ?? shouldPromptAccountIds;
-      const accountId = await resolveAccountIdForConfigure({
-        cfg,
-        prompter,
-        label: plugin.meta.label,
-        accountOverride: accountOverrides[plugin.id],
-        shouldPromptAccountIds: resolvedShouldPromptAccountIds,
-        listAccountIds: plugin.config.listAccountIds,
-        defaultAccountId,
-      });
+      const accountId = await (wizard.resolveAccountIdForConfigure
+        ? wizard.resolveAccountIdForConfigure({
+            cfg,
+            prompter,
+            options,
+            accountOverride: accountOverrides[plugin.id],
+            shouldPromptAccountIds: resolvedShouldPromptAccountIds,
+            listAccountIds: plugin.config.listAccountIds,
+            defaultAccountId,
+          })
+        : resolveAccountIdForConfigure({
+            cfg,
+            prompter,
+            label: plugin.meta.label,
+            accountOverride: accountOverrides[plugin.id],
+            shouldPromptAccountIds: resolvedShouldPromptAccountIds,
+            listAccountIds: plugin.config.listAccountIds,
+            defaultAccountId,
+          }));
 
       let next = cfg;
       let credentialValues = collectCredentialValues({
@@ -738,26 +758,31 @@ export function buildChannelOnboardingAdapterFromSetupWizard(params: {
           currentEntries: access.currentEntries({ cfg: next, accountId }),
           placeholder: access.placeholder,
           updatePrompt: access.updatePrompt({ cfg: next, accountId }),
+          skipAllowlistEntries: access.skipAllowlistEntries,
           setPolicy: (currentCfg, policy) =>
             access.setPolicy({
               cfg: currentCfg,
               accountId,
               policy,
             }),
-          resolveAllowlist: async ({ cfg: currentCfg, entries }) =>
-            await access.resolveAllowlist({
-              cfg: currentCfg,
-              accountId,
-              credentialValues,
-              entries,
-              prompter,
-            }),
-          applyAllowlist: ({ cfg: currentCfg, resolved }) =>
-            access.applyAllowlist({
-              cfg: currentCfg,
-              accountId,
-              resolved,
-            }),
+          resolveAllowlist: access.resolveAllowlist
+            ? async ({ cfg: currentCfg, entries }) =>
+                await access.resolveAllowlist!({
+                  cfg: currentCfg,
+                  accountId,
+                  credentialValues,
+                  entries,
+                  prompter,
+                })
+            : undefined,
+          applyAllowlist: access.applyAllowlist
+            ? ({ cfg: currentCfg, resolved }) =>
+                access.applyAllowlist!({
+                  cfg: currentCfg,
+                  accountId,
+                  resolved,
+                })
+            : undefined,
         });
       }
 
@@ -784,7 +809,7 @@ export function buildChannelOnboardingAdapterFromSetupWizard(params: {
           message: allowFrom.message,
           placeholder: allowFrom.placeholder,
           label: allowFrom.helpTitle ?? `${plugin.meta.label} allowlist`,
-          parseInputs: allowFrom.parseInputs ?? splitOnboardingEntries,
+          parseInputs: allowFrom.parseInputs ?? splitSetupEntries,
           parseId: allowFrom.parseId,
           invalidWithoutTokenNote: allowFrom.invalidWithoutCredentialNote,
           resolveEntries: async ({ entries }) =>
diff --git a/src/channels/plugins/slack.actions.ts b/src/channels/plugins/slack.actions.ts
index 1e9f907d498..7e74af7058d 100644
--- a/src/channels/plugins/slack.actions.ts
+++ b/src/channels/plugins/slack.actions.ts
@@ -1,15 +1,26 @@
+import { handleSlackAction, type SlackActionContext } from "../../agents/tools/slack-actions.js";
 import {
   extractSlackToolSend,
+  isSlackInteractiveRepliesEnabled,
   listSlackMessageActions,
-} from "../../../extensions/slack/src/message-actions.js";
-import { resolveSlackChannelId } from "../../../extensions/slack/src/targets.js";
-import { handleSlackAction, type SlackActionContext } from "../../agents/tools/slack-actions.js";
+  resolveSlackChannelId,
+} from "../../plugin-sdk-internal/slack.js";
 import { handleSlackMessageAction } from "../../plugin-sdk/slack-message-actions.js";
 import type { ChannelMessageActionAdapter } from "./types.js";
 
 export function createSlackActions(providerId: string): ChannelMessageActionAdapter {
   return {
     listActions: ({ cfg }) => listSlackMessageActions(cfg),
+    getCapabilities: ({ cfg }) => {
+      const capabilities = new Set<"interactive" | "blocks">();
+      if (listSlackMessageActions(cfg).includes("send")) {
+        capabilities.add("blocks");
+      }
+      if (isSlackInteractiveRepliesEnabled({ cfg })) {
+        capabilities.add("interactive");
+      }
+      return Array.from(capabilities);
+    },
     extractToolSend: ({ args }) => extractSlackToolSend(args),
     handleAction: async (ctx) => {
       return await handleSlackMessageAction({
diff --git a/src/channels/plugins/status-issues/discord.ts b/src/channels/plugins/status-issues/discord.ts
deleted file mode 100644
index f42578df1e9..00000000000
--- a/src/channels/plugins/status-issues/discord.ts
+++ /dev/null
@@ -1,2 +0,0 @@
-// Shim: re-exports from extension
-export * from "../../../../extensions/discord/src/status-issues.js";
diff --git a/src/channels/plugins/status-issues/telegram.ts b/src/channels/plugins/status-issues/telegram.ts
deleted file mode 100644
index 26425a07ae4..00000000000
--- a/src/channels/plugins/status-issues/telegram.ts
+++ /dev/null
@@ -1 +0,0 @@
-export * from "../../../../extensions/telegram/src/status-issues.js";
diff --git a/src/channels/plugins/status-issues/whatsapp.ts b/src/channels/plugins/status-issues/whatsapp.ts
deleted file mode 100644
index 45be4231ed2..00000000000
--- a/src/channels/plugins/status-issues/whatsapp.ts
+++ /dev/null
@@ -1,2 +0,0 @@
-// Shim: re-exports from extensions/whatsapp/src/status-issues.ts
-export * from "../../../../extensions/whatsapp/src/status-issues.js";
diff --git a/src/channels/plugins/status.ts b/src/channels/plugins/status.ts
index 689c50c6710..983ba23be33 100644
--- a/src/channels/plugins/status.ts
+++ b/src/channels/plugins/status.ts
@@ -41,17 +41,17 @@ async function buildSnapshotFromAccount<ResolvedAccount>(params: {
   };
 }
 
-function inspectChannelAccount<ResolvedAccount>(params: {
+async function inspectChannelAccount<ResolvedAccount>(params: {
   plugin: ChannelPlugin<ResolvedAccount>;
   cfg: OpenClawConfig;
   accountId: string;
-}): ResolvedAccount | null {
+}): Promise<ResolvedAccount | null> {
   return (params.plugin.config.inspectAccount?.(params.cfg, params.accountId) ??
-    inspectReadOnlyChannelAccount({
+    (await inspectReadOnlyChannelAccount({
       channelId: params.plugin.id,
       cfg: params.cfg,
       accountId: params.accountId,
-    })) as ResolvedAccount | null;
+    }))) as ResolvedAccount | null;
 }
 
 export async function buildReadOnlySourceChannelAccountSnapshot<ResolvedAccount>(params: {
@@ -62,7 +62,7 @@ export async function buildReadOnlySourceChannelAccountSnapshot<ResolvedAccount>
   probe?: unknown;
   audit?: unknown;
 }): Promise<ChannelAccountSnapshot | null> {
-  const inspectedAccount = inspectChannelAccount(params);
+  const inspectedAccount = await inspectChannelAccount(params);
   if (!inspectedAccount) {
     return null;
   }
@@ -80,7 +80,7 @@ export async function buildChannelAccountSnapshot<ResolvedAccount>(params: {
   probe?: unknown;
   audit?: unknown;
 }): Promise<ChannelAccountSnapshot> {
-  const inspectedAccount = inspectChannelAccount(params);
+  const inspectedAccount = await inspectChannelAccount(params);
   const account =
     inspectedAccount ?? params.plugin.config.resolveAccount(params.cfg, params.accountId);
   return await buildSnapshotFromAccount({
diff --git a/src/channels/plugins/target-parsing.ts b/src/channels/plugins/target-parsing.ts
new file mode 100644
index 00000000000..5d7fd6e28da
--- /dev/null
+++ b/src/channels/plugins/target-parsing.ts
@@ -0,0 +1,26 @@
+import type { ChatType } from "../chat-type.js";
+import { getChannelPlugin, normalizeChannelId } from "./registry.js";
+
+export type ParsedChannelExplicitTarget = {
+  to: string;
+  threadId?: string | number;
+  chatType?: ChatType;
+};
+
+function parseWithPlugin(
+  rawChannel: string,
+  rawTarget: string,
+): ParsedChannelExplicitTarget | null {
+  const channel = normalizeChannelId(rawChannel);
+  if (!channel) {
+    return null;
+  }
+  return getChannelPlugin(channel)?.messaging?.parseExplicitTarget?.({ raw: rawTarget }) ?? null;
+}
+
+export function parseExplicitTargetForChannel(
+  channel: string,
+  rawTarget: string,
+): ParsedChannelExplicitTarget | null {
+  return parseWithPlugin(channel, rawTarget);
+}
diff --git a/src/channels/plugins/types.adapters.ts b/src/channels/plugins/types.adapters.ts
index 257985e133c..eff6878e85e 100644
--- a/src/channels/plugins/types.adapters.ts
+++ b/src/channels/plugins/types.adapters.ts
@@ -1,10 +1,13 @@
 import type { ReplyPayload } from "../../auto-reply/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import type { AgentAcpBinding } from "../../config/types.js";
 import type { GroupToolPolicyConfig } from "../../config/types.tools.js";
+import type { ExecApprovalRequest, ExecApprovalResolved } from "../../infra/exec-approvals.js";
 import type { OutboundDeliveryResult, OutboundSendDeps } from "../../infra/outbound/deliver.js";
 import type { OutboundIdentity } from "../../infra/outbound/identity.js";
 import type { PluginRuntime } from "../../plugins/runtime/types.js";
 import type { RuntimeEnv } from "../../runtime.js";
+import type { ConfigWriteTarget } from "./config-writes.js";
 import type {
   ChannelAccountSnapshot,
   ChannelAccountState,
@@ -21,6 +24,35 @@ import type {
   ChannelStatusIssue,
 } from "./types.core.js";
 
+export type ChannelExecApprovalInitiatingSurfaceState =
+  | { kind: "enabled" }
+  | { kind: "disabled" }
+  | { kind: "unsupported" };
+
+export type ChannelExecApprovalForwardTarget = {
+  channel: string;
+  to: string;
+  accountId?: string | null;
+  threadId?: string | number | null;
+  source?: "session" | "target";
+};
+
+export type ChannelCapabilitiesDisplayTone = "default" | "muted" | "success" | "warn" | "error";
+
+export type ChannelCapabilitiesDisplayLine = {
+  text: string;
+  tone?: ChannelCapabilitiesDisplayTone;
+};
+
+export type ChannelCapabilitiesDiagnostics = {
+  lines?: ChannelCapabilitiesDisplayLine[];
+  details?: Record<string, unknown>;
+};
+
+type BivariantCallback<T extends (...args: never[]) => unknown> = {
+  bivarianceHack: T;
+}["bivarianceHack"];
+
 export type ChannelSetupAdapter = {
   resolveAccountId?: (params: {
     cfg: OpenClawConfig;
@@ -107,12 +139,23 @@ export type ChannelOutboundPayloadContext = ChannelOutboundContext & {
   payload: ReplyPayload;
 };
 
+export type ChannelOutboundFormattedContext = ChannelOutboundContext & {
+  abortSignal?: AbortSignal;
+};
+
 export type ChannelOutboundAdapter = {
   deliveryMode: "direct" | "gateway" | "hybrid";
   chunker?: ((text: string, limit: number) => string[]) | null;
   chunkerMode?: "text" | "markdown";
   textChunkLimit?: number;
   pollMaxOptions?: number;
+  normalizePayload?: (params: { payload: ReplyPayload }) => ReplyPayload | null;
+  shouldSkipPlainTextSanitization?: (params: { payload: ReplyPayload }) => boolean;
+  resolveEffectiveTextChunkLimit?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    fallbackLimit?: number;
+  }) => number | undefined;
   resolveTarget?: (params: {
     cfg?: OpenClawConfig;
     to?: string;
@@ -121,6 +164,10 @@ export type ChannelOutboundAdapter = {
     mode?: ChannelOutboundTargetMode;
   }) => { ok: true; to: string } | { ok: false; error: Error };
   sendPayload?: (ctx: ChannelOutboundPayloadContext) => Promise<OutboundDeliveryResult>;
+  sendFormattedText?: (ctx: ChannelOutboundFormattedContext) => Promise<OutboundDeliveryResult[]>;
+  sendFormattedMedia?: (
+    ctx: ChannelOutboundFormattedContext & { mediaUrl: string },
+  ) => Promise<OutboundDeliveryResult>;
   sendText?: (ctx: ChannelOutboundContext) => Promise<OutboundDeliveryResult>;
   sendMedia?: (ctx: ChannelOutboundContext) => Promise<OutboundDeliveryResult>;
   sendPoll?: (ctx: ChannelPollContext) => Promise<ChannelPollResult>;
@@ -139,12 +186,25 @@ export type ChannelStatusAdapter<ResolvedAccount, Probe = unknown, Audit = unkno
     timeoutMs: number;
     cfg: OpenClawConfig;
   }) => Promise<Probe>;
+  formatCapabilitiesProbe?: BivariantCallback<
+    (params: { probe: Probe }) => ChannelCapabilitiesDisplayLine[]
+  >;
   auditAccount?: (params: {
     account: ResolvedAccount;
     timeoutMs: number;
     cfg: OpenClawConfig;
     probe?: Probe;
   }) => Promise<Audit>;
+  buildCapabilitiesDiagnostics?: BivariantCallback<
+    (params: {
+      account: ResolvedAccount;
+      timeoutMs: number;
+      cfg: OpenClawConfig;
+      probe?: Probe;
+      audit?: Audit;
+      target?: string;
+    }) => Promise<ChannelCapabilitiesDiagnostics | undefined>
+  >;
   buildAccountSnapshot?: (params: {
     account: ResolvedAccount;
     cfg: OpenClawConfig;
@@ -377,6 +437,130 @@ export type ChannelCommandAdapter = {
   skipWhenConfigEmpty?: boolean;
 };
 
+export type ChannelLifecycleAdapter = {
+  onAccountConfigChanged?: (params: {
+    prevCfg: OpenClawConfig;
+    nextCfg: OpenClawConfig;
+    accountId: string;
+    runtime: RuntimeEnv;
+  }) => Promise<void> | void;
+  onAccountRemoved?: (params: {
+    prevCfg: OpenClawConfig;
+    accountId: string;
+    runtime: RuntimeEnv;
+  }) => Promise<void> | void;
+};
+
+export type ChannelExecApprovalAdapter = {
+  getInitiatingSurfaceState?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+  }) => ChannelExecApprovalInitiatingSurfaceState;
+  shouldSuppressLocalPrompt?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    payload: ReplyPayload;
+  }) => boolean;
+  hasConfiguredDmRoute?: (params: { cfg: OpenClawConfig }) => boolean;
+  shouldSuppressForwardingFallback?: (params: {
+    cfg: OpenClawConfig;
+    target: ChannelExecApprovalForwardTarget;
+    request: ExecApprovalRequest;
+  }) => boolean;
+  buildPendingPayload?: (params: {
+    cfg: OpenClawConfig;
+    request: ExecApprovalRequest;
+    target: ChannelExecApprovalForwardTarget;
+    nowMs: number;
+  }) => ReplyPayload | null;
+  buildResolvedPayload?: (params: {
+    cfg: OpenClawConfig;
+    resolved: ExecApprovalResolved;
+    target: ChannelExecApprovalForwardTarget;
+  }) => ReplyPayload | null;
+  beforeDeliverPending?: (params: {
+    cfg: OpenClawConfig;
+    target: ChannelExecApprovalForwardTarget;
+    payload: ReplyPayload;
+  }) => Promise<void> | void;
+};
+
+export type ChannelAllowlistAdapter = {
+  applyConfigEdit?: (params: {
+    cfg: OpenClawConfig;
+    parsedConfig: Record<string, unknown>;
+    accountId?: string | null;
+    scope: "dm" | "group";
+    action: "add" | "remove";
+    entry: string;
+  }) =>
+    | {
+        kind: "ok";
+        changed: boolean;
+        pathLabel: string;
+        writeTarget: ConfigWriteTarget;
+      }
+    | {
+        kind: "invalid-entry";
+      }
+    | Promise<
+        | {
+            kind: "ok";
+            changed: boolean;
+            pathLabel: string;
+            writeTarget: ConfigWriteTarget;
+          }
+        | {
+            kind: "invalid-entry";
+          }
+      >
+    | null;
+  readConfig?: (params: { cfg: OpenClawConfig; accountId?: string | null }) =>
+    | {
+        dmAllowFrom?: Array<string | number>;
+        groupAllowFrom?: Array<string | number>;
+        dmPolicy?: string;
+        groupPolicy?: string;
+        groupOverrides?: Array<{ label: string; entries: Array<string | number> }>;
+      }
+    | Promise<{
+        dmAllowFrom?: Array<string | number>;
+        groupAllowFrom?: Array<string | number>;
+        dmPolicy?: string;
+        groupPolicy?: string;
+        groupOverrides?: Array<{ label: string; entries: Array<string | number> }>;
+      }>;
+  resolveNames?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    scope: "dm" | "group";
+    entries: string[];
+  }) =>
+    | Array<{ input: string; resolved: boolean; name?: string | null }>
+    | Promise<Array<{ input: string; resolved: boolean; name?: string | null }>>;
+  supportsScope?: (params: { scope: "dm" | "group" | "all" }) => boolean;
+};
+
+export type ChannelAcpBindingAdapter = {
+  normalizeConfiguredBindingTarget?: (params: {
+    binding: AgentAcpBinding;
+    conversationId: string;
+  }) => {
+    conversationId: string;
+    parentConversationId?: string;
+  } | null;
+  matchConfiguredBinding?: (params: {
+    binding: AgentAcpBinding;
+    bindingConversationId: string;
+    conversationId: string;
+    parentConversationId?: string;
+  }) => {
+    conversationId: string;
+    parentConversationId?: string;
+    matchPriority?: number;
+  } | null;
+};
+
 export type ChannelSecurityAdapter<ResolvedAccount = unknown> = {
   resolveDmPolicy?: (
     ctx: ChannelSecurityContext<ResolvedAccount>,
diff --git a/src/channels/plugins/types.core.ts b/src/channels/plugins/types.core.ts
index fef8b010ca5..a43dbb42876 100644
--- a/src/channels/plugins/types.core.ts
+++ b/src/channels/plugins/types.core.ts
@@ -1,12 +1,15 @@
+import type { TopLevelComponents } from "@buape/carbon";
 import type { AgentTool, AgentToolResult } from "@mariozechner/pi-agent-core";
 import type { TSchema } from "@sinclair/typebox";
 import type { MsgContext } from "../../auto-reply/templating.js";
+import type { ReplyPayload } from "../../auto-reply/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { PollInput } from "../../polls.js";
 import type { GatewayClientMode, GatewayClientName } from "../../utils/message-channel.js";
 import type { ChatType } from "../chat-type.js";
 import type { ChatChannelId } from "../registry.js";
 import type { ChannelMessageActionName as ChannelMessageActionNameFromList } from "./message-action-names.js";
+import type { ChannelMessageCapability } from "./message-capabilities.js";
 
 export type ChannelId = ChatChannelId | (string & {});
 
@@ -21,6 +24,7 @@ export type ChannelAgentToolFactory = (params: { cfg?: OpenClawConfig }) => Chan
 export type ChannelSetupInput = {
   name?: string;
   token?: string;
+  privateKey?: string;
   tokenFile?: string;
   botToken?: string;
   appToken?: string;
@@ -46,6 +50,7 @@ export type ChannelSetupInput = {
   initialSyncLimit?: number;
   ship?: string;
   url?: string;
+  relayUrls?: string;
   code?: string;
   groupChannels?: string[];
   dmAllowlist?: string[];
@@ -234,6 +239,38 @@ export type ChannelStreamingAdapter = {
   };
 };
 
+export type ChannelCrossContextComponentsFactory = (params: {
+  originLabel: string;
+  message: string;
+  cfg: OpenClawConfig;
+  accountId?: string | null;
+}) => TopLevelComponents[];
+
+export type ChannelReplyTransport = {
+  replyToId?: string | null;
+  threadId?: string | number | null;
+};
+
+export type ChannelFocusedBindingContext = {
+  conversationId: string;
+  parentConversationId?: string;
+  placement: "current" | "child";
+  labelNoun: string;
+};
+
+export type ChannelOutboundSessionRoute = {
+  sessionKey: string;
+  baseSessionKey: string;
+  peer: {
+    kind: ChatType;
+    id: string;
+  };
+  chatType: "direct" | "group" | "channel";
+  from: string;
+  to: string;
+  threadId?: string | number;
+};
+
 export type ChannelThreadingAdapter = {
   resolveReplyToMode?: (params: {
     cfg: OpenClawConfig;
@@ -257,6 +294,24 @@ export type ChannelThreadingAdapter = {
     context: ChannelThreadingContext;
     hasRepliedRef?: { value: boolean };
   }) => ChannelThreadingToolContext | undefined;
+  resolveAutoThreadId?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    to: string;
+    toolContext?: ChannelThreadingToolContext;
+    replyToId?: string | null;
+  }) => string | undefined;
+  resolveReplyTransport?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    threadId?: string | number | null;
+    replyToId?: string | null;
+  }) => ChannelReplyTransport | null;
+  resolveFocusedBinding?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    context: ChannelThreadingContext;
+  }) => ChannelFocusedBindingContext | null;
 };
 
 export type ChannelThreadingContext = {
@@ -290,6 +345,18 @@ export type ChannelThreadingToolContext = {
 
 export type ChannelMessagingAdapter = {
   normalizeTarget?: (raw: string) => string | undefined;
+  parseExplicitTarget?: (params: { raw: string }) => {
+    to: string;
+    threadId?: string | number;
+    chatType?: ChatType;
+  } | null;
+  inferTargetChatType?: (params: { to: string }) => ChatType | undefined;
+  buildCrossContextComponents?: ChannelCrossContextComponentsFactory;
+  enableInteractiveReplies?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+  }) => boolean;
+  hasStructuredReplyPayload?: (params: { payload: ReplyPayload }) => boolean;
   targetResolver?: {
     looksLikeId?: (raw: string, normalized?: string) => boolean;
     hint?: string;
@@ -311,6 +378,20 @@ export type ChannelMessagingAdapter = {
     display?: string;
     kind?: ChannelDirectoryEntryKind;
   }) => string;
+  resolveOutboundSessionRoute?: (params: {
+    cfg: OpenClawConfig;
+    agentId: string;
+    accountId?: string | null;
+    target: string;
+    resolvedTarget?: {
+      to: string;
+      kind: ChannelDirectoryEntryKind | "channel";
+      display?: string;
+      source: "normalized" | "directory";
+    };
+    replyToId?: string | null;
+    threadId?: string | number | null;
+  }) => ChannelOutboundSessionRoute | Promise<ChannelOutboundSessionRoute | null> | null;
 };
 
 export type ChannelAgentPromptAdapter = {
@@ -370,8 +451,11 @@ export type ChannelMessageActionAdapter = {
    */
   listActions?: (params: { cfg: OpenClawConfig }) => ChannelMessageActionName[];
   supportsAction?: (params: { action: ChannelMessageActionName }) => boolean;
-  supportsButtons?: (params: { cfg: OpenClawConfig }) => boolean;
-  supportsCards?: (params: { cfg: OpenClawConfig }) => boolean;
+  getCapabilities?: (params: { cfg: OpenClawConfig }) => readonly ChannelMessageCapability[];
+  requiresTrustedRequesterSender?: (params: {
+    action: ChannelMessageActionName;
+    toolContext?: ChannelThreadingToolContext;
+  }) => boolean;
   extractToolSend?: (params: { args: Record<string, unknown> }) => ChannelToolSend | null;
   handleAction?: (ctx: ChannelMessageActionContext) => Promise<AgentToolResult<unknown>>;
 };
diff --git a/src/channels/plugins/types.plugin.ts b/src/channels/plugins/types.plugin.ts
index 3c821ab601b..6798545d22f 100644
--- a/src/channels/plugins/types.plugin.ts
+++ b/src/channels/plugins/types.plugin.ts
@@ -1,20 +1,23 @@
-import type { ChannelOnboardingAdapter } from "./onboarding-types.js";
 import type { ChannelSetupWizard } from "./setup-wizard.js";
 import type {
   ChannelAuthAdapter,
   ChannelCommandAdapter,
   ChannelConfigAdapter,
   ChannelDirectoryAdapter,
+  ChannelExecApprovalAdapter,
   ChannelResolverAdapter,
   ChannelElevatedAdapter,
   ChannelGatewayAdapter,
   ChannelGroupAdapter,
   ChannelHeartbeatAdapter,
+  ChannelLifecycleAdapter,
   ChannelOutboundAdapter,
   ChannelPairingAdapter,
   ChannelSecurityAdapter,
   ChannelSetupAdapter,
   ChannelStatusAdapter,
+  ChannelAllowlistAdapter,
+  ChannelAcpBindingAdapter,
 } from "./types.adapters.js";
 import type {
   ChannelAgentTool,
@@ -57,8 +60,6 @@ export type ChannelPlugin<ResolvedAccount = any, Probe = unknown, Audit = unknow
     };
   };
   reload?: { configPrefixes: string[]; noopPrefixes?: string[] };
-  // CLI onboarding wizard hooks for this channel.
-  onboarding?: ChannelOnboardingAdapter;
   setupWizard?: ChannelSetupWizard;
   config: ChannelConfigAdapter<ResolvedAccount>;
   configSchema?: ChannelConfigSchema;
@@ -74,6 +75,10 @@ export type ChannelPlugin<ResolvedAccount = any, Probe = unknown, Audit = unknow
   auth?: ChannelAuthAdapter;
   elevated?: ChannelElevatedAdapter;
   commands?: ChannelCommandAdapter;
+  lifecycle?: ChannelLifecycleAdapter;
+  execApprovals?: ChannelExecApprovalAdapter;
+  allowlist?: ChannelAllowlistAdapter;
+  acpBindings?: ChannelAcpBindingAdapter;
   streaming?: ChannelStreamingAdapter;
   threading?: ChannelThreadingAdapter;
   messaging?: ChannelMessagingAdapter;
diff --git a/src/channels/plugins/types.ts b/src/channels/plugins/types.ts
index d3028e9970d..bb2d19d0bbd 100644
--- a/src/channels/plugins/types.ts
+++ b/src/channels/plugins/types.ts
@@ -1,14 +1,22 @@
 import type { ChannelMessageActionName as ChannelMessageActionNameFromList } from "./message-action-names.js";
 
 export { CHANNEL_MESSAGE_ACTION_NAMES } from "./message-action-names.js";
+export { CHANNEL_MESSAGE_CAPABILITIES } from "./message-capabilities.js";
 
 export type ChannelMessageActionName = ChannelMessageActionNameFromList;
+export type { ChannelMessageCapability } from "./message-capabilities.js";
 
 export type {
   ChannelAuthAdapter,
   ChannelCommandAdapter,
+  ChannelCapabilitiesDiagnostics,
+  ChannelCapabilitiesDisplayLine,
+  ChannelCapabilitiesDisplayTone,
   ChannelConfigAdapter,
   ChannelDirectoryAdapter,
+  ChannelExecApprovalAdapter,
+  ChannelExecApprovalForwardTarget,
+  ChannelExecApprovalInitiatingSurfaceState,
   ChannelResolveKind,
   ChannelResolveResult,
   ChannelResolverAdapter,
@@ -17,12 +25,15 @@ export type {
   ChannelGatewayContext,
   ChannelGroupAdapter,
   ChannelHeartbeatAdapter,
+  ChannelLifecycleAdapter,
   ChannelLoginWithQrStartResult,
   ChannelLoginWithQrWaitResult,
   ChannelLogoutContext,
   ChannelLogoutResult,
   ChannelOutboundAdapter,
   ChannelOutboundContext,
+  ChannelAllowlistAdapter,
+  ChannelAcpBindingAdapter,
   ChannelPairingAdapter,
   ChannelSecurityAdapter,
   ChannelSetupAdapter,
diff --git a/src/channels/read-only-account-inspect.discord.runtime.ts b/src/channels/read-only-account-inspect.discord.runtime.ts
new file mode 100644
index 00000000000..00d0943b1ec
--- /dev/null
+++ b/src/channels/read-only-account-inspect.discord.runtime.ts
@@ -0,0 +1,2 @@
+export { inspectDiscordAccount } from "../plugin-sdk-internal/discord.js";
+export type { InspectedDiscordAccount } from "../plugin-sdk-internal/discord.js";
diff --git a/src/channels/read-only-account-inspect.slack.runtime.ts b/src/channels/read-only-account-inspect.slack.runtime.ts
new file mode 100644
index 00000000000..c3e2bd5d83c
--- /dev/null
+++ b/src/channels/read-only-account-inspect.slack.runtime.ts
@@ -0,0 +1,2 @@
+export { inspectSlackAccount } from "../plugin-sdk-internal/slack.js";
+export type { InspectedSlackAccount } from "../plugin-sdk-internal/slack.js";
diff --git a/src/channels/read-only-account-inspect.telegram.runtime.ts b/src/channels/read-only-account-inspect.telegram.runtime.ts
new file mode 100644
index 00000000000..1e633a0ff8e
--- /dev/null
+++ b/src/channels/read-only-account-inspect.telegram.runtime.ts
@@ -0,0 +1,2 @@
+export { inspectTelegramAccount } from "../plugin-sdk-internal/telegram.js";
+export type { InspectedTelegramAccount } from "../plugin-sdk-internal/telegram.js";
diff --git a/src/channels/read-only-account-inspect.ts b/src/channels/read-only-account-inspect.ts
index c8d99a3a42e..d26c1c77f55 100644
--- a/src/channels/read-only-account-inspect.ts
+++ b/src/channels/read-only-account-inspect.ts
@@ -1,41 +1,55 @@
-import {
-  inspectDiscordAccount,
-  type InspectedDiscordAccount,
-} from "../../extensions/discord/src/account-inspect.js";
-import {
-  inspectSlackAccount,
-  type InspectedSlackAccount,
-} from "../../extensions/slack/src/account-inspect.js";
-import {
-  inspectTelegramAccount,
-  type InspectedTelegramAccount,
-} from "../../extensions/telegram/src/account-inspect.js";
 import type { OpenClawConfig } from "../config/config.js";
 import type { ChannelId } from "./plugins/types.js";
 
-export type ReadOnlyInspectedAccount =
-  | InspectedDiscordAccount
-  | InspectedSlackAccount
-  | InspectedTelegramAccount;
+type DiscordInspectModule = typeof import("./read-only-account-inspect.discord.runtime.js");
+type SlackInspectModule = typeof import("./read-only-account-inspect.slack.runtime.js");
+type TelegramInspectModule = typeof import("./read-only-account-inspect.telegram.runtime.js");
 
-export function inspectReadOnlyChannelAccount(params: {
+let discordInspectModulePromise: Promise<DiscordInspectModule> | undefined;
+let slackInspectModulePromise: Promise<SlackInspectModule> | undefined;
+let telegramInspectModulePromise: Promise<TelegramInspectModule> | undefined;
+
+function loadDiscordInspectModule() {
+  discordInspectModulePromise ??= import("./read-only-account-inspect.discord.runtime.js");
+  return discordInspectModulePromise;
+}
+
+function loadSlackInspectModule() {
+  slackInspectModulePromise ??= import("./read-only-account-inspect.slack.runtime.js");
+  return slackInspectModulePromise;
+}
+
+function loadTelegramInspectModule() {
+  telegramInspectModulePromise ??= import("./read-only-account-inspect.telegram.runtime.js");
+  return telegramInspectModulePromise;
+}
+
+export type ReadOnlyInspectedAccount =
+  | Awaited<ReturnType<DiscordInspectModule["inspectDiscordAccount"]>>
+  | Awaited<ReturnType<SlackInspectModule["inspectSlackAccount"]>>
+  | Awaited<ReturnType<TelegramInspectModule["inspectTelegramAccount"]>>;
+
+export async function inspectReadOnlyChannelAccount(params: {
   channelId: ChannelId;
   cfg: OpenClawConfig;
   accountId?: string | null;
-}): ReadOnlyInspectedAccount | null {
+}): Promise<ReadOnlyInspectedAccount | null> {
   if (params.channelId === "discord") {
+    const { inspectDiscordAccount } = await loadDiscordInspectModule();
     return inspectDiscordAccount({
       cfg: params.cfg,
       accountId: params.accountId,
     });
   }
   if (params.channelId === "slack") {
+    const { inspectSlackAccount } = await loadSlackInspectModule();
     return inspectSlackAccount({
       cfg: params.cfg,
       accountId: params.accountId,
     });
   }
   if (params.channelId === "telegram") {
+    const { inspectTelegramAccount } = await loadTelegramInspectModule();
     return inspectTelegramAccount({
       cfg: params.cfg,
       accountId: params.accountId,
diff --git a/src/channels/reply-prefix.ts b/src/channels/reply-prefix.ts
index 247109fb59d..cfda423eeb9 100644
--- a/src/channels/reply-prefix.ts
+++ b/src/channels/reply-prefix.ts
@@ -1,10 +1,10 @@
-import { isSlackInteractiveRepliesEnabled } from "../../extensions/slack/src/interactive-replies.js";
 import { resolveEffectiveMessagesConfig, resolveIdentityName } from "../agents/identity.js";
 import {
   extractShortModelName,
   type ResponsePrefixContext,
 } from "../auto-reply/reply/response-prefix-template.js";
 import type { GetReplyOptions } from "../auto-reply/types.js";
+import { getChannelPlugin } from "../channels/plugins/index.js";
 import type { OpenClawConfig } from "../config/config.js";
 
 type ModelSelectionContext = Parameters<NonNullable<GetReplyOptions["onModelSelected"]>>[0];
@@ -50,10 +50,12 @@ export function createReplyPrefixContext(params: {
       channel: params.channel,
       accountId: params.accountId,
     }).responsePrefix,
-    enableSlackInteractiveReplies:
-      params.channel === "slack"
-        ? isSlackInteractiveRepliesEnabled({ cfg, accountId: params.accountId })
-        : undefined,
+    enableSlackInteractiveReplies: params.channel
+      ? (getChannelPlugin(params.channel)?.messaging?.enableInteractiveReplies?.({
+          cfg,
+          accountId: params.accountId,
+        }) ?? undefined)
+      : undefined,
     responsePrefixContextProvider: () => prefixContext,
     onModelSelected,
   };
diff --git a/src/cli/banner-config-lite.ts b/src/cli/banner-config-lite.ts
new file mode 100644
index 00000000000..f402b7c61b9
--- /dev/null
+++ b/src/cli/banner-config-lite.ts
@@ -0,0 +1,24 @@
+import fs from "node:fs";
+import JSON5 from "json5";
+import { resolveConfigPath } from "../config/paths.js";
+import type { TaglineMode } from "./tagline.js";
+
+function parseTaglineMode(value: unknown): TaglineMode | undefined {
+  if (value === "random" || value === "default" || value === "off") {
+    return value;
+  }
+  return undefined;
+}
+
+export function readCliBannerTaglineMode(
+  env: NodeJS.ProcessEnv = process.env,
+): TaglineMode | undefined {
+  try {
+    const configPath = resolveConfigPath(env);
+    const raw = fs.readFileSync(configPath, "utf8");
+    const parsed: { cli?: { banner?: { taglineMode?: unknown } } } = JSON5.parse(raw);
+    return parseTaglineMode(parsed.cli?.banner?.taglineMode);
+  } catch {
+    return undefined;
+  }
+}
diff --git a/src/cli/banner.test.ts b/src/cli/banner.test.ts
index 93e47a750d2..722a574f49f 100644
--- a/src/cli/banner.test.ts
+++ b/src/cli/banner.test.ts
@@ -1,9 +1,9 @@
 import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 
-const loadConfigMock = vi.fn();
+const readCliBannerTaglineModeMock = vi.fn();
 
-vi.mock("../config/config.js", () => ({
-  loadConfig: loadConfigMock,
+vi.mock("./banner-config-lite.js", () => ({
+  readCliBannerTaglineMode: readCliBannerTaglineModeMock,
 }));
 
 let formatCliBannerLine: typeof import("./banner.js").formatCliBannerLine;
@@ -13,15 +13,13 @@ beforeAll(async () => {
 });
 
 beforeEach(() => {
-  loadConfigMock.mockReset();
-  loadConfigMock.mockReturnValue({});
+  readCliBannerTaglineModeMock.mockReset();
+  readCliBannerTaglineModeMock.mockReturnValue(undefined);
 });
 
 describe("formatCliBannerLine", () => {
   it("hides tagline text when cli.banner.taglineMode is off", () => {
-    loadConfigMock.mockReturnValue({
-      cli: { banner: { taglineMode: "off" } },
-    });
+    readCliBannerTaglineModeMock.mockReturnValue("off");
 
     const line = formatCliBannerLine("2026.3.7", {
       commit: "abc1234",
@@ -32,9 +30,7 @@ describe("formatCliBannerLine", () => {
   });
 
   it("uses default tagline when cli.banner.taglineMode is default", () => {
-    loadConfigMock.mockReturnValue({
-      cli: { banner: { taglineMode: "default" } },
-    });
+    readCliBannerTaglineModeMock.mockReturnValue("default");
 
     const line = formatCliBannerLine("2026.3.7", {
       commit: "abc1234",
@@ -45,9 +41,7 @@ describe("formatCliBannerLine", () => {
   });
 
   it("prefers explicit tagline mode over config", () => {
-    loadConfigMock.mockReturnValue({
-      cli: { banner: { taglineMode: "off" } },
-    });
+    readCliBannerTaglineModeMock.mockReturnValue("off");
 
     const line = formatCliBannerLine("2026.3.7", {
       commit: "abc1234",
diff --git a/src/cli/banner.ts b/src/cli/banner.ts
index 07bc16abfa0..17487d58904 100644
--- a/src/cli/banner.ts
+++ b/src/cli/banner.ts
@@ -1,8 +1,8 @@
-import { loadConfig } from "../config/config.js";
 import { resolveCommitHash } from "../infra/git-commit.js";
 import { visibleWidth } from "../terminal/ansi.js";
 import { isRich, theme } from "../terminal/theme.js";
 import { hasRootVersionAlias } from "./argv.js";
+import { readCliBannerTaglineMode } from "./banner-config-lite.js";
 import { pickTagline, type TaglineMode, type TaglineOptions } from "./tagline.js";
 
 type BannerOptions = TaglineOptions & {
@@ -48,12 +48,7 @@ function resolveTaglineMode(options: BannerOptions): TaglineMode | undefined {
   if (explicit) {
     return explicit;
   }
-  try {
-    return parseTaglineMode(loadConfig().cli?.banner?.taglineMode);
-  } catch {
-    // Fall back to default random behavior when config is missing/invalid.
-    return undefined;
-  }
+  return readCliBannerTaglineMode(options.env);
 }
 
 export function formatCliBannerLine(version: string, options: BannerOptions = {}): string {
diff --git a/src/cli/browser-cli-extension.test.ts b/src/cli/browser-cli-extension.test.ts
deleted file mode 100644
index 1c8c74d8c6e..00000000000
--- a/src/cli/browser-cli-extension.test.ts
+++ /dev/null
@@ -1,190 +0,0 @@
-import path from "node:path";
-import { Command } from "commander";
-import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
-import { withEnvAsync } from "../test-utils/env.js";
-
-const copyToClipboard = vi.fn();
-const runtime = {
-  log: vi.fn(),
-  error: vi.fn(),
-  exit: vi.fn(),
-};
-
-type FakeFsEntry = { kind: "file"; content: string } | { kind: "dir" };
-
-const state = vi.hoisted(() => ({
-  entries: new Map<string, FakeFsEntry>(),
-  counter: 0,
-}));
-
-const abs = (p: string) => path.resolve(p);
-
-function setFile(p: string, content = "") {
-  const resolved = abs(p);
-  state.entries.set(resolved, { kind: "file", content });
-  setDir(path.dirname(resolved));
-}
-
-function setDir(p: string) {
-  const resolved = abs(p);
-  if (!state.entries.has(resolved)) {
-    state.entries.set(resolved, { kind: "dir" });
-  }
-}
-
-function copyTree(src: string, dest: string) {
-  const srcAbs = abs(src);
-  const destAbs = abs(dest);
-  const srcPrefix = `${srcAbs}${path.sep}`;
-  for (const [key, entry] of state.entries.entries()) {
-    if (key === srcAbs || key.startsWith(srcPrefix)) {
-      const rel = key === srcAbs ? "" : key.slice(srcPrefix.length);
-      const next = rel ? path.join(destAbs, rel) : destAbs;
-      state.entries.set(next, entry);
-    }
-  }
-}
-
-vi.mock("node:fs", async (importOriginal) => {
-  const actual = await importOriginal<typeof import("node:fs")>();
-  const pathMod = await import("node:path");
-  const absInMock = (p: string) => pathMod.resolve(p);
-
-  const wrapped = {
-    ...actual,
-    existsSync: (p: string) => state.entries.has(absInMock(p)),
-    mkdirSync: (p: string, _opts?: unknown) => {
-      setDir(p);
-    },
-    writeFileSync: (p: string, content: string) => {
-      setFile(p, content);
-    },
-    renameSync: (from: string, to: string) => {
-      const fromAbs = absInMock(from);
-      const toAbs = absInMock(to);
-      const entry = state.entries.get(fromAbs);
-      if (!entry) {
-        throw new Error(`ENOENT: no such file or directory, rename '${from}' -> '${to}'`);
-      }
-      state.entries.delete(fromAbs);
-      state.entries.set(toAbs, entry);
-    },
-    rmSync: (p: string) => {
-      const root = absInMock(p);
-      const prefix = `${root}${pathMod.sep}`;
-      const keys = Array.from(state.entries.keys());
-      for (const key of keys) {
-        if (key === root || key.startsWith(prefix)) {
-          state.entries.delete(key);
-        }
-      }
-    },
-    mkdtempSync: (prefix: string) => {
-      const dir = `${prefix}${state.counter++}`;
-      setDir(dir);
-      return dir;
-    },
-    promises: {
-      ...actual.promises,
-      cp: async (src: string, dest: string, _opts?: unknown) => {
-        copyTree(src, dest);
-      },
-    },
-  };
-
-  return { ...wrapped, default: wrapped };
-});
-
-vi.mock("../infra/clipboard.js", () => ({
-  copyToClipboard,
-}));
-
-vi.mock("../runtime.js", () => ({
-  defaultRuntime: runtime,
-}));
-
-let resolveBundledExtensionRootDir: typeof import("./browser-cli-extension.js").resolveBundledExtensionRootDir;
-let installChromeExtension: typeof import("./browser-cli-extension.js").installChromeExtension;
-let registerBrowserExtensionCommands: typeof import("./browser-cli-extension.js").registerBrowserExtensionCommands;
-
-beforeAll(async () => {
-  ({ resolveBundledExtensionRootDir, installChromeExtension, registerBrowserExtensionCommands } =
-    await import("./browser-cli-extension.js"));
-});
-
-beforeEach(() => {
-  state.entries.clear();
-  state.counter = 0;
-  copyToClipboard.mockClear();
-  copyToClipboard.mockResolvedValue(false);
-  runtime.log.mockClear();
-  runtime.error.mockClear();
-  runtime.exit.mockClear();
-});
-
-function writeManifest(dir: string) {
-  setDir(dir);
-  setFile(path.join(dir, "manifest.json"), JSON.stringify({ manifest_version: 3 }));
-}
-
-describe("bundled extension resolver (fs-mocked)", () => {
-  it("walks up to find the assets directory", () => {
-    const root = abs("/tmp/openclaw-ext-root");
-    const here = path.join(root, "dist", "cli");
-    const assets = path.join(root, "assets", "chrome-extension");
-
-    writeManifest(assets);
-    setDir(here);
-
-    expect(resolveBundledExtensionRootDir(here)).toBe(assets);
-  });
-
-  it("prefers the nearest assets directory", () => {
-    const root = abs("/tmp/openclaw-ext-root-nearest");
-    const here = path.join(root, "dist", "cli");
-    const distAssets = path.join(root, "dist", "assets", "chrome-extension");
-    const rootAssets = path.join(root, "assets", "chrome-extension");
-
-    writeManifest(distAssets);
-    writeManifest(rootAssets);
-    setDir(here);
-
-    expect(resolveBundledExtensionRootDir(here)).toBe(distAssets);
-  });
-});
-
-describe("browser extension install (fs-mocked)", () => {
-  it("installs into the state dir (never node_modules)", async () => {
-    const tmp = abs("/tmp/openclaw-ext-install");
-    const sourceDir = path.join(tmp, "source-ext");
-    writeManifest(sourceDir);
-    setFile(path.join(sourceDir, "test.txt"), "ok");
-
-    const result = await installChromeExtension({ stateDir: tmp, sourceDir });
-
-    expect(result.path).toBe(path.join(tmp, "browser", "chrome-extension"));
-    expect(state.entries.has(abs(path.join(result.path, "manifest.json")))).toBe(true);
-    expect(state.entries.has(abs(path.join(result.path, "test.txt")))).toBe(true);
-    expect(result.path.includes("node_modules")).toBe(false);
-  });
-
-  it("copies extension path to clipboard", async () => {
-    const tmp = abs("/tmp/openclaw-ext-path");
-    await withEnvAsync({ OPENCLAW_STATE_DIR: tmp }, async () => {
-      copyToClipboard.mockResolvedValue(true);
-
-      const dir = path.join(tmp, "browser", "chrome-extension");
-      writeManifest(dir);
-
-      const program = new Command();
-      const browser = program.command("browser").option("--json", "JSON output", false);
-      registerBrowserExtensionCommands(
-        browser,
-        (cmd) => cmd.parent?.opts?.() as { json?: boolean },
-      );
-
-      await program.parseAsync(["browser", "extension", "path"], { from: "user" });
-      expect(copyToClipboard).toHaveBeenCalledWith(dir);
-    });
-  });
-});
diff --git a/src/cli/browser-cli-extension.ts b/src/cli/browser-cli-extension.ts
deleted file mode 100644
index a04059dfda6..00000000000
--- a/src/cli/browser-cli-extension.ts
+++ /dev/null
@@ -1,140 +0,0 @@
-import fs from "node:fs";
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-import type { Command } from "commander";
-import { movePathToTrash } from "../browser/trash.js";
-import { resolveStateDir } from "../config/paths.js";
-import { danger, info } from "../globals.js";
-import { copyToClipboard } from "../infra/clipboard.js";
-import { defaultRuntime } from "../runtime.js";
-import { formatDocsLink } from "../terminal/links.js";
-import { theme } from "../terminal/theme.js";
-import { shortenHomePath } from "../utils.js";
-import { formatCliCommand } from "./command-format.js";
-
-export function resolveBundledExtensionRootDir(
-  here = path.dirname(fileURLToPath(import.meta.url)),
-) {
-  let current = here;
-  while (true) {
-    const candidate = path.join(current, "assets", "chrome-extension");
-    if (hasManifest(candidate)) {
-      return candidate;
-    }
-    const parent = path.dirname(current);
-    if (parent === current) {
-      break;
-    }
-    current = parent;
-  }
-
-  return path.resolve(here, "../../assets/chrome-extension");
-}
-
-function installedExtensionRootDir() {
-  return path.join(resolveStateDir(), "browser", "chrome-extension");
-}
-
-function hasManifest(dir: string) {
-  return fs.existsSync(path.join(dir, "manifest.json"));
-}
-
-export async function installChromeExtension(opts?: {
-  stateDir?: string;
-  sourceDir?: string;
-}): Promise<{ path: string }> {
-  const src = opts?.sourceDir ?? resolveBundledExtensionRootDir();
-  if (!hasManifest(src)) {
-    throw new Error("Bundled Chrome extension is missing. Reinstall OpenClaw and try again.");
-  }
-
-  const stateDir = opts?.stateDir ?? resolveStateDir();
-  const dest = path.join(stateDir, "browser", "chrome-extension");
-  fs.mkdirSync(path.dirname(dest), { recursive: true });
-
-  if (fs.existsSync(dest)) {
-    await movePathToTrash(dest).catch(() => {
-      const backup = `${dest}.old-${Date.now()}`;
-      fs.renameSync(dest, backup);
-    });
-  }
-
-  await fs.promises.cp(src, dest, { recursive: true });
-  if (!hasManifest(dest)) {
-    throw new Error("Chrome extension install failed (manifest.json missing). Try again.");
-  }
-
-  return { path: dest };
-}
-
-export function registerBrowserExtensionCommands(
-  browser: Command,
-  parentOpts: (cmd: Command) => { json?: boolean },
-) {
-  const ext = browser.command("extension").description("Chrome extension helpers");
-
-  ext
-    .command("install")
-    .description("Install the Chrome extension to a stable local path")
-    .action(async (_opts, cmd) => {
-      const parent = parentOpts(cmd);
-      let installed: { path: string };
-      try {
-        installed = await installChromeExtension();
-      } catch (err) {
-        defaultRuntime.error(danger(String(err)));
-        defaultRuntime.exit(1);
-        return;
-      }
-
-      if (parent?.json) {
-        defaultRuntime.log(JSON.stringify({ ok: true, path: installed.path }, null, 2));
-        return;
-      }
-      const displayPath = shortenHomePath(installed.path);
-      defaultRuntime.log(displayPath);
-      const copied = await copyToClipboard(installed.path).catch(() => false);
-      defaultRuntime.error(
-        info(
-          [
-            copied ? "Copied to clipboard." : "Copy to clipboard unavailable.",
-            "Next:",
-            `- Chrome → chrome://extensions → enable “Developer mode”`,
-            `- “Load unpacked” → select: ${displayPath}`,
-            `- Pin “OpenClaw Browser Relay”, then click it on the tab (badge shows ON)`,
-            "",
-            `${theme.muted("Docs:")} ${formatDocsLink("/tools/chrome-extension", "docs.openclaw.ai/tools/chrome-extension")}`,
-          ].join("\n"),
-        ),
-      );
-    });
-
-  ext
-    .command("path")
-    .description("Print the path to the installed Chrome extension (load unpacked)")
-    .action(async (_opts, cmd) => {
-      const parent = parentOpts(cmd);
-      const dir = installedExtensionRootDir();
-      if (!hasManifest(dir)) {
-        defaultRuntime.error(
-          danger(
-            [
-              `Chrome extension is not installed. Run: "${formatCliCommand("openclaw browser extension install")}"`,
-              `Docs: ${formatDocsLink("/tools/chrome-extension", "docs.openclaw.ai/tools/chrome-extension")}`,
-            ].join("\n"),
-          ),
-        );
-        defaultRuntime.exit(1);
-      }
-      if (parent?.json) {
-        defaultRuntime.log(JSON.stringify({ path: dir }, null, 2));
-        return;
-      }
-      const displayPath = shortenHomePath(dir);
-      defaultRuntime.log(displayPath);
-      const copied = await copyToClipboard(dir).catch(() => false);
-      if (copied) {
-        defaultRuntime.error(info("Copied to clipboard."));
-      }
-    });
-}
diff --git a/src/cli/browser-cli-manage.ts b/src/cli/browser-cli-manage.ts
index ddf207b28f0..e13b7af003a 100644
--- a/src/cli/browser-cli-manage.ts
+++ b/src/cli/browser-cli-manage.ts
@@ -105,14 +105,14 @@ function logBrowserTabs(tabs: BrowserTab[], json?: boolean) {
 
 function usesChromeMcpTransport(params: {
   transport?: BrowserTransport;
-  driver?: "openclaw" | "extension" | "existing-session";
+  driver?: "openclaw" | "existing-session";
 }): boolean {
   return params.transport === "chrome-mcp" || params.driver === "existing-session";
 }
 
 function formatBrowserConnectionSummary(params: {
   transport?: BrowserTransport;
-  driver?: "openclaw" | "extension" | "existing-session";
+  driver?: "openclaw" | "existing-session";
   isRemote?: boolean;
   cdpPort?: number | null;
   cdpUrl?: string | null;
@@ -455,10 +455,7 @@ export function registerBrowserManageCommands(
     .requiredOption("--name <name>", "Profile name (lowercase, numbers, hyphens)")
     .option("--color <hex>", "Profile color (hex format, e.g. #0066CC)")
     .option("--cdp-url <url>", "CDP URL for remote Chrome (http/https)")
-    .option(
-      "--driver <driver>",
-      "Profile driver (openclaw|extension|existing-session). Default: openclaw",
-    )
+    .option("--driver <driver>", "Profile driver (openclaw|existing-session). Default: openclaw")
     .action(
       async (opts: { name: string; color?: string; cdpUrl?: string; driver?: string }, cmd) => {
         const parent = parentOpts(cmd);
@@ -472,12 +469,7 @@ export function registerBrowserManageCommands(
                 name: opts.name,
                 color: opts.color,
                 cdpUrl: opts.cdpUrl,
-                driver:
-                  opts.driver === "extension"
-                    ? "extension"
-                    : opts.driver === "existing-session"
-                      ? "existing-session"
-                      : undefined,
+                driver: opts.driver === "existing-session" ? "existing-session" : undefined,
               },
             },
             { timeoutMs: 10_000 },
@@ -489,11 +481,7 @@ export function registerBrowserManageCommands(
           defaultRuntime.log(
             info(
               `🦞 Created profile "${result.profile}"\n${loc}\n  color: ${result.color}${
-                opts.driver === "extension"
-                  ? "\n  driver: extension"
-                  : opts.driver === "existing-session"
-                    ? "\n  driver: existing-session"
-                    : ""
+                opts.driver === "existing-session" ? "\n  driver: existing-session" : ""
               }`,
             ),
           );
diff --git a/src/cli/browser-cli.ts b/src/cli/browser-cli.ts
index 085d06cad80..fd4c9a4a8b3 100644
--- a/src/cli/browser-cli.ts
+++ b/src/cli/browser-cli.ts
@@ -7,7 +7,6 @@ import { registerBrowserActionInputCommands } from "./browser-cli-actions-input.
 import { registerBrowserActionObserveCommands } from "./browser-cli-actions-observe.js";
 import { registerBrowserDebugCommands } from "./browser-cli-debug.js";
 import { browserActionExamples, browserCoreExamples } from "./browser-cli-examples.js";
-import { registerBrowserExtensionCommands } from "./browser-cli-extension.js";
 import { registerBrowserInspectCommands } from "./browser-cli-inspect.js";
 import { registerBrowserManageCommands } from "./browser-cli-manage.js";
 import type { BrowserParentOpts } from "./browser-cli-shared.js";
@@ -46,7 +45,6 @@ export function registerBrowserCli(program: Command) {
   const parentOpts = (cmd: Command) => cmd.parent?.opts?.() as BrowserParentOpts;
 
   registerBrowserManageCommands(browser, parentOpts);
-  registerBrowserExtensionCommands(browser, parentOpts);
   registerBrowserInspectCommands(browser, parentOpts);
   registerBrowserActionInputCommands(browser, parentOpts);
   registerBrowserActionObserveCommands(browser, parentOpts);
diff --git a/src/cli/channels-cli.ts b/src/cli/channels-cli.ts
index 3015ed1d42a..d2e7bf148f3 100644
--- a/src/cli/channels-cli.ts
+++ b/src/cli/channels-cli.ts
@@ -14,6 +14,7 @@ const optionNamesAdd = [
   "account",
   "name",
   "token",
+  "privateKey",
   "tokenFile",
   "botToken",
   "appToken",
@@ -39,6 +40,7 @@ const optionNamesAdd = [
   "initialSyncLimit",
   "ship",
   "url",
+  "relayUrls",
   "code",
   "groupChannels",
   "dmAllowlist",
@@ -164,6 +166,7 @@ export function registerChannelsCli(program: Command) {
     .option("--account <id>", "Account id (default when omitted)")
     .option("--name <name>", "Display name for this account")
     .option("--token <token>", "Bot token (Telegram/Discord)")
+    .option("--private-key <key>", "Nostr private key (nsec... or hex)")
     .option("--token-file <path>", "Bot token file (Telegram)")
     .option("--bot-token <token>", "Slack bot token (xoxb-...)")
     .option("--app-token <token>", "Slack app token (xapp-...)")
@@ -188,6 +191,7 @@ export function registerChannelsCli(program: Command) {
     .option("--initial-sync-limit <n>", "Matrix initial sync limit")
     .option("--ship <ship>", "Tlon ship name (~sampel-palnet)")
     .option("--url <url>", "Tlon ship URL")
+    .option("--relay-urls <list>", "Nostr relay URLs (comma-separated)")
     .option("--code <code>", "Tlon login code")
     .option("--group-channels <list>", "Tlon group channels (comma-separated)")
     .option("--dm-allowlist <list>", "Tlon DM allowlist (comma-separated ships)")
diff --git a/src/cli/command-secret-gateway.test.ts b/src/cli/command-secret-gateway.test.ts
index 74c47f637e9..c9de91d4257 100644
--- a/src/cli/command-secret-gateway.test.ts
+++ b/src/cli/command-secret-gateway.test.ts
@@ -43,7 +43,7 @@ describe("resolveCommandSecretRefsViaGateway", () => {
   async function resolveTalkApiKey(params: {
     envKey: string;
     commandName?: string;
-    mode?: "strict" | "summary";
+    mode?: "enforce_resolved" | "read_only_status";
   }) {
     return resolveCommandSecretRefsViaGateway({
       config: makeTalkApiKeySecretRefConfig(params.envKey),
@@ -447,7 +447,7 @@ describe("resolveCommandSecretRefsViaGateway", () => {
     expect(result.diagnostics).toEqual(["memory search ref inactive"]);
   });
 
-  it("degrades unresolved refs in summary mode instead of throwing", async () => {
+  it("degrades unresolved refs in read-only status mode instead of throwing", async () => {
     const envKey = "TALK_API_KEY_SUMMARY_MISSING";
     callGateway.mockResolvedValueOnce({
       assignments: [],
@@ -457,7 +457,7 @@ describe("resolveCommandSecretRefsViaGateway", () => {
       const result = await resolveTalkApiKey({
         envKey,
         commandName: "status",
-        mode: "summary",
+        mode: "read_only_status",
       });
       expect(result.resolvedConfig.talk?.apiKey).toBeUndefined();
       expect(result.hadUnresolvedTargets).toBe(true);
@@ -470,6 +470,25 @@ describe("resolveCommandSecretRefsViaGateway", () => {
     });
   });
 
+  it("accepts legacy summary mode as a read-only alias", async () => {
+    const envKey = "TALK_API_KEY_LEGACY_SUMMARY_MISSING";
+    callGateway.mockResolvedValueOnce({
+      assignments: [],
+      diagnostics: [],
+    });
+    await withEnvValue(envKey, undefined, async () => {
+      const result = await resolveCommandSecretRefsViaGateway({
+        config: makeTalkApiKeySecretRefConfig(envKey),
+        commandName: "status",
+        targetIds: new Set(["talk.apiKey"]),
+        mode: "summary",
+      });
+      expect(result.resolvedConfig.talk?.apiKey).toBeUndefined();
+      expect(result.hadUnresolvedTargets).toBe(true);
+      expect(result.targetStatesByPath["talk.apiKey"]).toBe("unresolved");
+    });
+  });
+
   it("uses targeted local fallback after an incomplete gateway snapshot", async () => {
     const envKey = "TALK_API_KEY_PARTIAL_GATEWAY";
     callGateway.mockResolvedValueOnce({
@@ -480,7 +499,7 @@ describe("resolveCommandSecretRefsViaGateway", () => {
       const result = await resolveTalkApiKey({
         envKey,
         commandName: "status",
-        mode: "summary",
+        mode: "read_only_status",
       });
       expect(result.resolvedConfig.talk?.apiKey).toBe("recovered-locally");
       expect(result.hadUnresolvedTargets).toBe(false);
@@ -571,7 +590,7 @@ describe("resolveCommandSecretRefsViaGateway", () => {
         } as OpenClawConfig,
         commandName: "status",
         targetIds: new Set(["talk.apiKey"]),
-        mode: "summary",
+        mode: "read_only_status",
       });
 
       expect(result.resolvedConfig.talk?.apiKey).toBe("target-only");
@@ -591,7 +610,7 @@ describe("resolveCommandSecretRefsViaGateway", () => {
     }
   });
 
-  it("degrades unresolved refs in operational read-only mode", async () => {
+  it("degrades unresolved refs in read-only operational mode", async () => {
     const envKey = "TALK_API_KEY_OPERATIONAL_MISSING";
     const priorValue = process.env[envKey];
     delete process.env[envKey];
@@ -606,7 +625,7 @@ describe("resolveCommandSecretRefsViaGateway", () => {
         } as OpenClawConfig,
         commandName: "channels resolve",
         targetIds: new Set(["talk.apiKey"]),
-        mode: "operational_readonly",
+        mode: "read_only_operational",
       });
 
       expect(result.resolvedConfig.talk?.apiKey).toBeUndefined();
diff --git a/src/cli/command-secret-gateway.ts b/src/cli/command-secret-gateway.ts
index 03e578b642c..8b2b73c9f0f 100644
--- a/src/cli/command-secret-gateway.ts
+++ b/src/cli/command-secret-gateway.ts
@@ -26,7 +26,16 @@ type ResolveCommandSecretsResult = {
   hadUnresolvedTargets: boolean;
 };
 
-export type CommandSecretResolutionMode = "strict" | "summary" | "operational_readonly"; // pragma: allowlist secret
+export type CommandSecretResolutionMode =
+  | "enforce_resolved"
+  | "read_only_status"
+  | "read_only_operational";
+
+type LegacyCommandSecretResolutionMode = "strict" | "summary" | "operational_readonly"; // pragma: allowlist secret
+
+type CommandSecretResolutionModeInput =
+  | CommandSecretResolutionMode
+  | LegacyCommandSecretResolutionMode;
 
 export type CommandSecretTargetState =
   | "resolved_gateway"
@@ -54,6 +63,22 @@ const WEB_RUNTIME_SECRET_PATH_PREFIXES = [
   "tools.web.fetch.firecrawl.",
 ] as const;
 
+function normalizeCommandSecretResolutionMode(
+  mode?: CommandSecretResolutionModeInput,
+): CommandSecretResolutionMode {
+  if (!mode || mode === "enforce_resolved" || mode === "strict") {
+    return "enforce_resolved";
+  }
+  if (mode === "read_only_status" || mode === "summary") {
+    return "read_only_status";
+  }
+  return "read_only_operational";
+}
+
+function enforcesResolvedSecrets(mode: CommandSecretResolutionMode): boolean {
+  return mode === "enforce_resolved";
+}
+
 function dedupeDiagnostics(entries: readonly string[]): string[] {
   const seen = new Set<string>();
   const ordered: string[] = [];
@@ -242,7 +267,7 @@ async function resolveCommandSecretRefsLocally(params: {
         context,
       });
     } catch (error) {
-      if (params.mode === "strict") {
+      if (enforcesResolvedSecrets(params.mode)) {
         throw error;
       }
       localResolutionDiagnostics.push(
@@ -289,7 +314,7 @@ async function resolveCommandSecretRefsLocally(params: {
     analyzed,
     resolvedState: "resolved_local",
   });
-  if (params.mode !== "strict" && analyzed.unresolved.length > 0) {
+  if (!enforcesResolvedSecrets(params.mode) && analyzed.unresolved.length > 0) {
     scrubUnresolvedAssignments(resolvedConfig, analyzed.unresolved);
   } else if (analyzed.unresolved.length > 0) {
     throw new Error(
@@ -336,7 +361,7 @@ function buildUnresolvedDiagnostics(
   unresolved: UnresolvedCommandSecretAssignment[],
   mode: CommandSecretResolutionMode,
 ): string[] {
-  if (mode === "strict") {
+  if (enforcesResolvedSecrets(mode)) {
     return [];
   }
   return unresolved.map(
@@ -411,7 +436,7 @@ async function resolveTargetSecretLocally(params: {
     });
     setPathExistingStrict(params.resolvedConfig, params.target.pathSegments, resolved);
   } catch (error) {
-    if (params.mode !== "strict") {
+    if (!enforcesResolvedSecrets(params.mode)) {
       params.localResolutionDiagnostics.push(
         `${params.commandName}: failed to resolve ${params.target.path} locally (${describeUnknownError(error)}).`,
       );
@@ -423,9 +448,9 @@ export async function resolveCommandSecretRefsViaGateway(params: {
   config: OpenClawConfig;
   commandName: string;
   targetIds: Set<string>;
-  mode?: CommandSecretResolutionMode;
+  mode?: CommandSecretResolutionModeInput;
 }): Promise<ResolveCommandSecretsResult> {
-  const mode = params.mode ?? "strict";
+  const mode = normalizeCommandSecretResolutionMode(params.mode);
   const configuredTargetRefPaths = collectConfiguredTargetRefPaths({
     config: params.config,
     targetIds: params.targetIds,
@@ -567,7 +592,7 @@ export async function resolveCommandSecretRefsViaGateway(params: {
         (entry) => !recoveredPaths.has(entry.path),
       );
       if (stillUnresolved.length > 0) {
-        if (mode === "strict") {
+        if (enforcesResolvedSecrets(mode)) {
           throw new Error(
             `${params.commandName}: ${stillUnresolved[0]?.path ?? "target"} is unresolved in the active runtime snapshot.`,
           );
@@ -590,7 +615,7 @@ export async function resolveCommandSecretRefsViaGateway(params: {
         ]);
       }
     } catch (error) {
-      if (mode === "strict") {
+      if (enforcesResolvedSecrets(mode)) {
         throw error;
       }
       scrubUnresolvedAssignments(resolvedConfig, analyzed.unresolved);
diff --git a/src/cli/command-secret-targets.test.ts b/src/cli/command-secret-targets.test.ts
index a71ac5e00c4..22a23b36055 100644
--- a/src/cli/command-secret-targets.test.ts
+++ b/src/cli/command-secret-targets.test.ts
@@ -2,6 +2,7 @@ import { describe, expect, it } from "vitest";
 import {
   getAgentRuntimeCommandSecretTargetIds,
   getMemoryCommandSecretTargetIds,
+  getSecurityAuditCommandSecretTargetIds,
 } from "./command-secret-targets.js";
 
 describe("command secret target ids", () => {
@@ -21,4 +22,13 @@ describe("command secret target ids", () => {
       ]),
     );
   });
+
+  it("includes gateway auth and channel targets for security audit", () => {
+    const ids = getSecurityAuditCommandSecretTargetIds();
+    expect(ids.has("channels.discord.token")).toBe(true);
+    expect(ids.has("gateway.auth.token")).toBe(true);
+    expect(ids.has("gateway.auth.password")).toBe(true);
+    expect(ids.has("gateway.remote.token")).toBe(true);
+    expect(ids.has("gateway.remote.password")).toBe(true);
+  });
 });
diff --git a/src/cli/command-secret-targets.ts b/src/cli/command-secret-targets.ts
index e1c2c49e0ae..d6dde83cd19 100644
--- a/src/cli/command-secret-targets.ts
+++ b/src/cli/command-secret-targets.ts
@@ -30,6 +30,7 @@ const COMMAND_SECRET_TARGETS = {
     "agents.defaults.memorySearch.remote.",
     "agents.list[].memorySearch.remote.",
   ]),
+  securityAudit: idsByPrefix(["channels.", "gateway.auth.", "gateway.remote."]),
 } as const;
 
 function toTargetIdSet(values: readonly string[]): Set<string> {
@@ -59,3 +60,7 @@ export function getAgentRuntimeCommandSecretTargetIds(): Set<string> {
 export function getStatusCommandSecretTargetIds(): Set<string> {
   return toTargetIdSet(COMMAND_SECRET_TARGETS.status);
 }
+
+export function getSecurityAuditCommandSecretTargetIds(): Set<string> {
+  return toTargetIdSet(COMMAND_SECRET_TARGETS.securityAudit);
+}
diff --git a/src/cli/daemon-cli/lifecycle.ts b/src/cli/daemon-cli/lifecycle.ts
index 53efaff9495..d3e01f66412 100644
--- a/src/cli/daemon-cli/lifecycle.ts
+++ b/src/cli/daemon-cli/lifecycle.ts
@@ -50,8 +50,11 @@ function resolveGatewayPortFallback(): Promise<number> {
 }
 
 async function assertUnmanagedGatewayRestartEnabled(port: number): Promise<void> {
+  const cfg = await readBestEffortConfig().catch(() => undefined);
+  const tlsEnabled = !!cfg?.gateway?.tls?.enabled;
+  const scheme = tlsEnabled ? "wss" : "ws";
   const probe = await probeGateway({
-    url: `ws://127.0.0.1:${port}`,
+    url: `${scheme}://127.0.0.1:${port}`,
     auth: {
       token: process.env.OPENCLAW_GATEWAY_TOKEN?.trim() || undefined,
       password: process.env.OPENCLAW_GATEWAY_PASSWORD?.trim() || undefined,
diff --git a/src/cli/daemon-cli/status.gather.test.ts b/src/cli/daemon-cli/status.gather.test.ts
index 27b53753eda..fd94acca3a9 100644
--- a/src/cli/daemon-cli/status.gather.test.ts
+++ b/src/cli/daemon-cli/status.gather.test.ts
@@ -2,7 +2,13 @@ import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { captureEnv } from "../../test-utils/env.js";
 import type { GatewayRestartSnapshot } from "./restart-health.js";
 
-const callGatewayStatusProbe = vi.fn(async (_opts?: unknown) => ({ ok: true as const }));
+const callGatewayStatusProbe = vi.fn<
+  (opts?: unknown) => Promise<{ ok: boolean; url?: string; error?: string | null }>
+>(async (_opts?: unknown) => ({
+  ok: true,
+  url: "ws://127.0.0.1:19001",
+  error: null,
+}));
 const loadGatewayTlsRuntime = vi.fn(async (_cfg?: unknown) => ({
   enabled: true,
   required: true,
@@ -333,6 +339,71 @@ describe("gatherDaemonStatus", () => {
     );
   });
 
+  it("degrades safely when daemon probe auth SecretRef is unresolved", async () => {
+    daemonLoadedConfig = {
+      gateway: {
+        bind: "lan",
+        tls: { enabled: true },
+        auth: {
+          mode: "token",
+          token: { source: "env", provider: "default", id: "MISSING_DAEMON_GATEWAY_TOKEN" },
+        },
+      },
+      secrets: {
+        providers: {
+          default: { source: "env" },
+        },
+      },
+    };
+
+    const status = await gatherDaemonStatus({
+      rpc: {},
+      probe: true,
+      deep: false,
+    });
+
+    expect(callGatewayStatusProbe).toHaveBeenCalledWith(
+      expect.objectContaining({
+        token: undefined,
+        password: undefined,
+      }),
+    );
+    expect(status.rpc?.authWarning).toBeUndefined();
+  });
+
+  it("surfaces authWarning when daemon probe auth SecretRef is unresolved and probe fails", async () => {
+    daemonLoadedConfig = {
+      gateway: {
+        bind: "lan",
+        tls: { enabled: true },
+        auth: {
+          mode: "token",
+          token: { source: "env", provider: "default", id: "MISSING_DAEMON_GATEWAY_TOKEN" },
+        },
+      },
+      secrets: {
+        providers: {
+          default: { source: "env" },
+        },
+      },
+    };
+    callGatewayStatusProbe.mockResolvedValueOnce({
+      ok: false,
+      error: "gateway closed",
+      url: "wss://127.0.0.1:19001",
+    });
+
+    const status = await gatherDaemonStatus({
+      rpc: {},
+      probe: true,
+      deep: false,
+    });
+
+    expect(status.rpc?.ok).toBe(false);
+    expect(status.rpc?.authWarning).toContain("gateway.auth.token SecretRef is unavailable");
+    expect(status.rpc?.authWarning).toContain("probing without configured auth credentials");
+  });
+
   it("keeps remote probe auth strict when remote token is missing", async () => {
     daemonLoadedConfig = {
       gateway: {
diff --git a/src/cli/daemon-cli/status.gather.ts b/src/cli/daemon-cli/status.gather.ts
index 707a908b1f6..4647b789ff9 100644
--- a/src/cli/daemon-cli/status.gather.ts
+++ b/src/cli/daemon-cli/status.gather.ts
@@ -16,7 +16,7 @@ import type { ServiceConfigAudit } from "../../daemon/service-audit.js";
 import { auditGatewayServiceConfig } from "../../daemon/service-audit.js";
 import type { GatewayServiceRuntime } from "../../daemon/service-runtime.js";
 import { resolveGatewayService } from "../../daemon/service.js";
-import { trimToUndefined } from "../../gateway/credentials.js";
+import { isGatewaySecretRefUnavailableError, trimToUndefined } from "../../gateway/credentials.js";
 import { resolveGatewayBindHost } from "../../gateway/net.js";
 import { resolveGatewayProbeAuthWithSecretInputs } from "../../gateway/probe-auth.js";
 import { parseStrictPositiveInteger } from "../../infra/parse-finite-number.js";
@@ -112,6 +112,7 @@ export type DaemonStatus = {
     ok: boolean;
     error?: string;
     url?: string;
+    authWarning?: string;
   };
   health?: {
     healthy: boolean;
@@ -130,6 +131,10 @@ function shouldReportPortUsage(status: PortUsageStatus | undefined, rpcOk?: bool
   return true;
 }
 
+function parseGatewaySecretRefPathFromError(error: unknown): string | null {
+  return isGatewaySecretRefUnavailableError(error) ? error.path : null;
+}
+
 async function loadDaemonConfigContext(
   serviceEnv?: Record<string, string>,
 ): Promise<DaemonConfigContext> {
@@ -310,8 +315,11 @@ export async function gatherDaemonStatus(
   const tlsRuntime = shouldUseLocalTlsRuntime
     ? await loadGatewayTlsRuntime(daemonCfg.gateway?.tls)
     : undefined;
-  const daemonProbeAuth = opts.probe
-    ? await resolveGatewayProbeAuthWithSecretInputs({
+  let daemonProbeAuth: { token?: string; password?: string } | undefined;
+  let rpcAuthWarning: string | undefined;
+  if (opts.probe) {
+    try {
+      daemonProbeAuth = await resolveGatewayProbeAuthWithSecretInputs({
         cfg: daemonCfg,
         mode: daemonCfg.gateway?.mode === "remote" ? "remote" : "local",
         env: mergedDaemonEnv as NodeJS.ProcessEnv,
@@ -319,8 +327,16 @@ export async function gatherDaemonStatus(
           token: opts.rpc.token,
           password: opts.rpc.password,
         },
-      })
-    : undefined;
+      });
+    } catch (error) {
+      const refPath = parseGatewaySecretRefPathFromError(error);
+      if (!refPath) {
+        throw error;
+      }
+      daemonProbeAuth = undefined;
+      rpcAuthWarning = `${refPath} SecretRef is unavailable in this command path; probing without configured auth credentials.`;
+    }
+  }
 
   const rpc = opts.probe
     ? await probeGatewayStatus({
@@ -336,6 +352,9 @@ export async function gatherDaemonStatus(
         configPath: daemonConfigSummary.path,
       })
     : undefined;
+  if (rpc?.ok) {
+    rpcAuthWarning = undefined;
+  }
   const health =
     opts.probe && loaded
       ? await inspectGatewayRestart({
@@ -369,7 +388,15 @@ export async function gatherDaemonStatus(
     port: portStatus,
     ...(portCliStatus ? { portCli: portCliStatus } : {}),
     lastError,
-    ...(rpc ? { rpc: { ...rpc, url: gateway.probeUrl } } : {}),
+    ...(rpc
+      ? {
+          rpc: {
+            ...rpc,
+            url: gateway.probeUrl,
+            ...(rpcAuthWarning ? { authWarning: rpcAuthWarning } : {}),
+          },
+        }
+      : {}),
     ...(health
       ? {
           health: {
diff --git a/src/cli/daemon-cli/status.print.ts b/src/cli/daemon-cli/status.print.ts
index 91348d10d4a..088a3654797 100644
--- a/src/cli/daemon-cli/status.print.ts
+++ b/src/cli/daemon-cli/status.print.ts
@@ -181,6 +181,9 @@ export function printDaemonStatus(status: DaemonStatus, opts: { json: boolean })
       defaultRuntime.log(`${label("RPC probe:")} ${okText("ok")}`);
     } else {
       defaultRuntime.error(`${label("RPC probe:")} ${errorText("failed")}`);
+      if (rpc.authWarning) {
+        defaultRuntime.error(`${label("RPC auth:")} ${warnText(rpc.authWarning)}`);
+      }
       if (rpc.url) {
         defaultRuntime.error(`${label("RPC target:")} ${rpc.url}`);
       }
diff --git a/src/cli/deps.test.ts b/src/cli/deps.test.ts
index f345e1a24bb..d13f2998987 100644
--- a/src/cli/deps.test.ts
+++ b/src/cli/deps.test.ts
@@ -19,32 +19,32 @@ const sendFns = vi.hoisted(() => ({
   imessage: vi.fn(async () => ({ messageId: "i1", chatId: "imessage:1" })),
 }));
 
-vi.mock("../channels/web/index.js", () => {
+vi.mock("../plugin-sdk-internal/whatsapp.js", () => {
   moduleLoads.whatsapp();
   return { sendMessageWhatsApp: sendFns.whatsapp };
 });
 
-vi.mock("../../extensions/telegram/src/send.js", () => {
+vi.mock("../plugin-sdk-internal/telegram.js", () => {
   moduleLoads.telegram();
   return { sendMessageTelegram: sendFns.telegram };
 });
 
-vi.mock("../../extensions/discord/src/send.js", () => {
+vi.mock("../plugin-sdk-internal/discord.js", () => {
   moduleLoads.discord();
   return { sendMessageDiscord: sendFns.discord };
 });
 
-vi.mock("../../extensions/slack/src/send.js", () => {
+vi.mock("../plugin-sdk-internal/slack.js", () => {
   moduleLoads.slack();
   return { sendMessageSlack: sendFns.slack };
 });
 
-vi.mock("../../extensions/signal/src/send.js", () => {
+vi.mock("../plugin-sdk-internal/signal.js", () => {
   moduleLoads.signal();
   return { sendMessageSignal: sendFns.signal };
 });
 
-vi.mock("../../extensions/imessage/src/send.js", () => {
+vi.mock("../plugin-sdk-internal/imessage.js", () => {
   moduleLoads.imessage();
   return { sendMessageIMessage: sendFns.imessage };
 });
diff --git a/src/cli/deps.ts b/src/cli/deps.ts
index c9ab341dd18..84bb107f97e 100644
--- a/src/cli/deps.ts
+++ b/src/cli/deps.ts
@@ -35,32 +35,32 @@ export function createDefaultDeps(): CliDeps {
   return {
     whatsapp: createLazySender(
       "whatsapp",
-      () => import("../channels/web/index.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk-internal/whatsapp.js") as Promise<Record<string, unknown>>,
       "sendMessageWhatsApp",
     ),
     telegram: createLazySender(
       "telegram",
-      () => import("../../extensions/telegram/src/send.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk-internal/telegram.js") as Promise<Record<string, unknown>>,
       "sendMessageTelegram",
     ),
     discord: createLazySender(
       "discord",
-      () => import("../../extensions/discord/src/send.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk-internal/discord.js") as Promise<Record<string, unknown>>,
       "sendMessageDiscord",
     ),
     slack: createLazySender(
       "slack",
-      () => import("../../extensions/slack/src/send.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk-internal/slack.js") as Promise<Record<string, unknown>>,
       "sendMessageSlack",
     ),
     signal: createLazySender(
       "signal",
-      () => import("../../extensions/signal/src/send.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk-internal/signal.js") as Promise<Record<string, unknown>>,
       "sendMessageSignal",
     ),
     imessage: createLazySender(
       "imessage",
-      () => import("../../extensions/imessage/src/send.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk-internal/imessage.js") as Promise<Record<string, unknown>>,
       "sendMessageIMessage",
     ),
   };
@@ -70,4 +70,4 @@ export function createOutboundSendDeps(deps: CliDeps): OutboundSendDeps {
   return createOutboundSendDepsFromCliSource(deps);
 }
 
-export { logWebSelfId } from "../../extensions/whatsapp/src/auth-store.js";
+export { logWebSelfId } from "../plugin-sdk-internal/whatsapp.js";
diff --git a/src/cli/gateway-cli/run-loop.test.ts b/src/cli/gateway-cli/run-loop.test.ts
index bff37742254..ce8fbccbe93 100644
--- a/src/cli/gateway-cli/run-loop.test.ts
+++ b/src/cli/gateway-cli/run-loop.test.ts
@@ -8,6 +8,15 @@ const acquireGatewayLock = vi.fn(async (_opts?: { port?: number }) => ({
 const consumeGatewaySigusr1RestartAuthorization = vi.fn(() => true);
 const isGatewaySigusr1RestartExternallyAllowed = vi.fn(() => false);
 const markGatewaySigusr1RestartHandled = vi.fn();
+const scheduleGatewaySigusr1Restart = vi.fn((_opts?: { delayMs?: number; reason?: string }) => ({
+  ok: true,
+  pid: process.pid,
+  signal: "SIGUSR1" as const,
+  delayMs: 0,
+  mode: "emit" as const,
+  coalesced: false,
+  cooldownMsApplied: 0,
+}));
 const getActiveTaskCount = vi.fn(() => 0);
 const markGatewayDraining = vi.fn();
 const waitForActiveTasks = vi.fn(async (_timeoutMs: number) => ({ drained: true }));
@@ -35,6 +44,8 @@ vi.mock("../../infra/restart.js", () => ({
   consumeGatewaySigusr1RestartAuthorization: () => consumeGatewaySigusr1RestartAuthorization(),
   isGatewaySigusr1RestartExternallyAllowed: () => isGatewaySigusr1RestartExternallyAllowed(),
   markGatewaySigusr1RestartHandled: () => markGatewaySigusr1RestartHandled(),
+  scheduleGatewaySigusr1Restart: (opts?: { delayMs?: number; reason?: string }) =>
+    scheduleGatewaySigusr1Restart(opts),
 }));
 
 vi.mock("../../infra/process-respawn.js", () => ({
@@ -292,6 +303,28 @@ describe("runGatewayLoop", () => {
     });
   });
 
+  it("routes external SIGUSR1 through the restart scheduler before draining", async () => {
+    vi.clearAllMocks();
+    consumeGatewaySigusr1RestartAuthorization.mockReturnValueOnce(false);
+    isGatewaySigusr1RestartExternallyAllowed.mockReturnValueOnce(true);
+
+    await withIsolatedSignals(async ({ captureSignal }) => {
+      const { close, start } = await createSignaledLoopHarness();
+      const sigusr1 = captureSignal("SIGUSR1");
+
+      sigusr1();
+      await new Promise<void>((resolve) => setImmediate(resolve));
+
+      expect(scheduleGatewaySigusr1Restart).toHaveBeenCalledWith({
+        delayMs: 0,
+        reason: "SIGUSR1",
+      });
+      expect(close).not.toHaveBeenCalled();
+      expect(start).toHaveBeenCalledTimes(1);
+      expect(markGatewaySigusr1RestartHandled).not.toHaveBeenCalled();
+    });
+  });
+
   it("releases the lock before exiting on spawned restart", async () => {
     vi.clearAllMocks();
 
diff --git a/src/cli/gateway-cli/run-loop.ts b/src/cli/gateway-cli/run-loop.ts
index 13ef073a80d..23ec7dd584d 100644
--- a/src/cli/gateway-cli/run-loop.ts
+++ b/src/cli/gateway-cli/run-loop.ts
@@ -10,6 +10,7 @@ import {
   consumeGatewaySigusr1RestartAuthorization,
   isGatewaySigusr1RestartExternallyAllowed,
   markGatewaySigusr1RestartHandled,
+  scheduleGatewaySigusr1Restart,
 } from "../../infra/restart.js";
 import { createSubsystemLogger } from "../../logging/subsystem.js";
 import {
@@ -186,10 +187,20 @@ export async function runGatewayLoop(params: {
   const onSigusr1 = () => {
     gatewayLog.info("signal SIGUSR1 received");
     const authorized = consumeGatewaySigusr1RestartAuthorization();
-    if (!authorized && !isGatewaySigusr1RestartExternallyAllowed()) {
-      gatewayLog.warn(
-        "SIGUSR1 restart ignored (not authorized; commands.restart=false or use gateway tool).",
-      );
+    if (!authorized) {
+      if (!isGatewaySigusr1RestartExternallyAllowed()) {
+        gatewayLog.warn(
+          "SIGUSR1 restart ignored (not authorized; commands.restart=false or use gateway tool).",
+        );
+        return;
+      }
+      if (shuttingDown) {
+        gatewayLog.info("received SIGUSR1 during shutdown; ignoring");
+        return;
+      }
+      // External SIGUSR1 requests should still reuse the in-process restart
+      // scheduler so idle drain and restart coalescing stay consistent.
+      scheduleGatewaySigusr1Restart({ delayMs: 0, reason: "SIGUSR1" });
       return;
     }
     markGatewaySigusr1RestartHandled();
diff --git a/src/cli/models-cli.test.ts b/src/cli/models-cli.test.ts
index 7386988a1f0..208b74fd09d 100644
--- a/src/cli/models-cli.test.ts
+++ b/src/cli/models-cli.test.ts
@@ -2,18 +2,17 @@ import { Command } from "commander";
 import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 import { runRegisteredCli } from "../test-utils/command-runner.js";
 
-const githubCopilotLoginCommand = vi.fn();
 const modelsStatusCommand = vi.fn().mockResolvedValue(undefined);
 const noopAsync = vi.fn(async () => undefined);
+const modelsAuthLoginCommand = vi.fn().mockResolvedValue(undefined);
 
 vi.mock("../commands/models.js", () => ({
-  githubCopilotLoginCommand,
   modelsStatusCommand,
   modelsAliasesAddCommand: noopAsync,
   modelsAliasesListCommand: noopAsync,
   modelsAliasesRemoveCommand: noopAsync,
   modelsAuthAddCommand: noopAsync,
-  modelsAuthLoginCommand: noopAsync,
+  modelsAuthLoginCommand,
   modelsAuthOrderClearCommand: noopAsync,
   modelsAuthOrderGetCommand: noopAsync,
   modelsAuthOrderSetCommand: noopAsync,
@@ -42,7 +41,7 @@ describe("models cli", () => {
   });
 
   beforeEach(() => {
-    githubCopilotLoginCommand.mockClear();
+    modelsAuthLoginCommand.mockClear();
     modelsStatusCommand.mockClear();
   });
 
@@ -74,9 +73,13 @@ describe("models cli", () => {
       from: "user",
     });
 
-    expect(githubCopilotLoginCommand).toHaveBeenCalledTimes(1);
-    expect(githubCopilotLoginCommand).toHaveBeenCalledWith(
-      expect.objectContaining({ yes: true }),
+    expect(modelsAuthLoginCommand).toHaveBeenCalledTimes(1);
+    expect(modelsAuthLoginCommand).toHaveBeenCalledWith(
+      expect.objectContaining({
+        provider: "github-copilot",
+        method: "device",
+        yes: true,
+      }),
       expect.any(Object),
     );
   });
diff --git a/src/cli/models-cli.ts b/src/cli/models-cli.ts
index d3be2d6c131..f3391c2796e 100644
--- a/src/cli/models-cli.ts
+++ b/src/cli/models-cli.ts
@@ -1,6 +1,5 @@
 import type { Command } from "commander";
 import {
-  githubCopilotLoginCommand,
   modelsAliasesAddCommand,
   modelsAliasesListCommand,
   modelsAliasesRemoveCommand,
@@ -364,13 +363,13 @@ export function registerModelsCli(program: Command) {
   auth
     .command("login-github-copilot")
     .description("Login to GitHub Copilot via GitHub device flow (TTY required)")
-    .option("--profile-id <id>", "Auth profile id (default: github-copilot:github)")
     .option("--yes", "Overwrite existing profile without prompting", false)
     .action(async (opts) => {
       await runModelsCommand(async () => {
-        await githubCopilotLoginCommand(
+        await modelsAuthLoginCommand(
           {
-            profileId: opts.profileId as string | undefined,
+            provider: "github-copilot",
+            method: "device",
             yes: Boolean(opts.yes),
           },
           defaultRuntime,
diff --git a/src/cli/plugin-registry.test.ts b/src/cli/plugin-registry.test.ts
new file mode 100644
index 00000000000..f9751d5fed8
--- /dev/null
+++ b/src/cli/plugin-registry.test.ts
@@ -0,0 +1,95 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const mocks = vi.hoisted(() => ({
+  resolveAgentWorkspaceDir: vi.fn(() => "/tmp/workspace"),
+  resolveDefaultAgentId: vi.fn(() => "main"),
+  loadConfig: vi.fn(),
+  loadOpenClawPlugins: vi.fn(),
+  loadPluginManifestRegistry: vi.fn(),
+  getActivePluginRegistry: vi.fn(),
+}));
+
+vi.mock("../agents/agent-scope.js", () => ({
+  resolveAgentWorkspaceDir: mocks.resolveAgentWorkspaceDir,
+  resolveDefaultAgentId: mocks.resolveDefaultAgentId,
+}));
+
+vi.mock("../config/config.js", () => ({
+  loadConfig: mocks.loadConfig,
+}));
+
+vi.mock("../plugins/loader.js", () => ({
+  loadOpenClawPlugins: mocks.loadOpenClawPlugins,
+}));
+
+vi.mock("../plugins/manifest-registry.js", () => ({
+  loadPluginManifestRegistry: mocks.loadPluginManifestRegistry,
+}));
+
+vi.mock("../plugins/runtime.js", () => ({
+  getActivePluginRegistry: mocks.getActivePluginRegistry,
+}));
+
+describe("ensurePluginRegistryLoaded", () => {
+  beforeEach(() => {
+    vi.resetModules();
+    vi.clearAllMocks();
+    mocks.loadConfig.mockReturnValue({
+      plugins: { enabled: true },
+      channels: { telegram: { enabled: false } },
+    });
+    mocks.loadPluginManifestRegistry.mockReturnValue({
+      plugins: [
+        { id: "telegram", channels: ["telegram"] },
+        { id: "slack", channels: ["slack"] },
+        { id: "openai", channels: [] },
+      ],
+    });
+    mocks.getActivePluginRegistry.mockReturnValue({
+      plugins: [],
+      channels: [],
+      tools: [],
+    });
+  });
+
+  it("loads only configured channel plugins for configured-channels scope", async () => {
+    const { ensurePluginRegistryLoaded } = await import("./plugin-registry.js");
+
+    ensurePluginRegistryLoaded({ scope: "configured-channels" });
+
+    expect(mocks.loadOpenClawPlugins).toHaveBeenCalledWith(
+      expect.objectContaining({
+        onlyPluginIds: ["telegram"],
+      }),
+    );
+  });
+
+  it("reloads when escalating from configured-channels to channels", async () => {
+    mocks.getActivePluginRegistry
+      .mockReturnValueOnce({
+        plugins: [],
+        channels: [],
+        tools: [],
+      })
+      .mockReturnValue({
+        plugins: [{ id: "telegram" }],
+        channels: [{ plugin: { id: "telegram" } }],
+        tools: [],
+      });
+
+    const { ensurePluginRegistryLoaded } = await import("./plugin-registry.js");
+
+    ensurePluginRegistryLoaded({ scope: "configured-channels" });
+    ensurePluginRegistryLoaded({ scope: "channels" });
+
+    expect(mocks.loadOpenClawPlugins).toHaveBeenCalledTimes(2);
+    expect(mocks.loadOpenClawPlugins).toHaveBeenNthCalledWith(
+      1,
+      expect.objectContaining({ onlyPluginIds: ["telegram"] }),
+    );
+    expect(mocks.loadOpenClawPlugins).toHaveBeenNthCalledWith(
+      2,
+      expect.objectContaining({ onlyPluginIds: ["telegram", "slack"] }),
+    );
+  });
+});
diff --git a/src/cli/plugin-registry.ts b/src/cli/plugin-registry.ts
index aad181eff7f..f51a57d7fda 100644
--- a/src/cli/plugin-registry.ts
+++ b/src/cli/plugin-registry.ts
@@ -1,4 +1,5 @@
 import { resolveAgentWorkspaceDir, resolveDefaultAgentId } from "../agents/agent-scope.js";
+import { listPotentialConfiguredChannelIds } from "../channels/config-presence.js";
 import { loadConfig } from "../config/config.js";
 import { createSubsystemLogger } from "../logging.js";
 import { loadOpenClawPlugins } from "../plugins/loader.js";
@@ -7,9 +8,22 @@ import { getActivePluginRegistry } from "../plugins/runtime.js";
 import type { PluginLogger } from "../plugins/types.js";
 
 const log = createSubsystemLogger("plugins");
-let pluginRegistryLoaded: "none" | "channels" | "all" = "none";
+let pluginRegistryLoaded: "none" | "configured-channels" | "channels" | "all" = "none";
 
-export type PluginRegistryScope = "channels" | "all";
+export type PluginRegistryScope = "configured-channels" | "channels" | "all";
+
+function scopeRank(scope: typeof pluginRegistryLoaded): number {
+  switch (scope) {
+    case "none":
+      return 0;
+    case "configured-channels":
+      return 1;
+    case "channels":
+      return 2;
+    case "all":
+      return 3;
+  }
+}
 
 function resolveChannelPluginIds(params: {
   config: ReturnType<typeof loadConfig>;
@@ -25,15 +39,30 @@ function resolveChannelPluginIds(params: {
     .map((plugin) => plugin.id);
 }
 
+function resolveConfiguredChannelPluginIds(params: {
+  config: ReturnType<typeof loadConfig>;
+  workspaceDir?: string;
+  env: NodeJS.ProcessEnv;
+}): string[] {
+  const configuredChannelIds = new Set(
+    listPotentialConfiguredChannelIds(params.config, params.env).map((id) => id.trim()),
+  );
+  if (configuredChannelIds.size === 0) {
+    return [];
+  }
+  return resolveChannelPluginIds(params).filter((pluginId) => configuredChannelIds.has(pluginId));
+}
+
 export function ensurePluginRegistryLoaded(options?: { scope?: PluginRegistryScope }): void {
   const scope = options?.scope ?? "all";
-  if (pluginRegistryLoaded === "all" || pluginRegistryLoaded === scope) {
+  if (scopeRank(pluginRegistryLoaded) >= scopeRank(scope)) {
     return;
   }
   const active = getActivePluginRegistry();
   // Tests (and callers) can pre-seed a registry (e.g. `test/setup.ts`); avoid
   // doing an expensive load when we already have plugins/channels/tools.
   if (
+    pluginRegistryLoaded === "none" &&
     active &&
     (active.plugins.length > 0 || active.channels.length > 0 || active.tools.length > 0)
   ) {
@@ -52,15 +81,23 @@ export function ensurePluginRegistryLoaded(options?: { scope?: PluginRegistrySco
     config,
     workspaceDir,
     logger,
-    ...(scope === "channels"
+    ...(scope === "configured-channels"
       ? {
-          onlyPluginIds: resolveChannelPluginIds({
+          onlyPluginIds: resolveConfiguredChannelPluginIds({
             config,
             workspaceDir,
             env: process.env,
           }),
         }
-      : {}),
+      : scope === "channels"
+        ? {
+            onlyPluginIds: resolveChannelPluginIds({
+              config,
+              workspaceDir,
+              env: process.env,
+            }),
+          }
+        : {}),
   });
   pluginRegistryLoaded = scope;
 }
diff --git a/src/cli/plugins-cli.ts b/src/cli/plugins-cli.ts
index d090fe7d83d..b4b197bf96c 100644
--- a/src/cli/plugins-cli.ts
+++ b/src/cli/plugins-cli.ts
@@ -11,6 +11,11 @@ import { enablePluginInConfig } from "../plugins/enable.js";
 import { installPluginFromNpmSpec, installPluginFromPath } from "../plugins/install.js";
 import { recordPluginInstall } from "../plugins/installs.js";
 import { clearPluginManifestRegistryCache } from "../plugins/manifest-registry.js";
+import {
+  installPluginFromMarketplace,
+  listMarketplacePlugins,
+  resolveMarketplaceInstallShortcut,
+} from "../plugins/marketplace.js";
 import type { PluginRecord } from "../plugins/registry.js";
 import { applyExclusiveSlotSelection } from "../plugins/slots.js";
 import { resolvePluginSourceRoots, formatPluginSourceForTable } from "../plugins/source-display.js";
@@ -46,6 +51,10 @@ export type PluginUpdateOptions = {
   dryRun?: boolean;
 };
 
+export type PluginMarketplaceListOptions = {
+  json?: boolean;
+};
+
 export type PluginUninstallOptions = {
   keepFiles?: boolean;
   keepConfig?: boolean;
@@ -203,9 +212,65 @@ async function installBundledPluginSource(params: {
 
 async function runPluginInstallCommand(params: {
   raw: string;
-  opts: { link?: boolean; pin?: boolean };
+  opts: { link?: boolean; pin?: boolean; marketplace?: string };
 }) {
-  const { raw, opts } = params;
+  const shorthand = !params.opts.marketplace
+    ? await resolveMarketplaceInstallShortcut(params.raw)
+    : null;
+  if (shorthand?.ok === false) {
+    defaultRuntime.error(shorthand.error);
+    process.exit(1);
+  }
+
+  const raw = shorthand?.ok ? shorthand.plugin : params.raw;
+  const opts = {
+    ...params.opts,
+    marketplace:
+      params.opts.marketplace ?? (shorthand?.ok ? shorthand.marketplaceSource : undefined),
+  };
+
+  if (opts.marketplace) {
+    if (opts.link) {
+      defaultRuntime.error("`--link` is not supported with `--marketplace`.");
+      process.exit(1);
+    }
+    if (opts.pin) {
+      defaultRuntime.error("`--pin` is not supported with `--marketplace`.");
+      process.exit(1);
+    }
+
+    const cfg = loadConfig();
+    const result = await installPluginFromMarketplace({
+      marketplace: opts.marketplace,
+      plugin: raw,
+      logger: createPluginInstallLogger(),
+    });
+    if (!result.ok) {
+      defaultRuntime.error(result.error);
+      process.exit(1);
+    }
+
+    clearPluginManifestRegistryCache();
+
+    let next = enablePluginInConfig(cfg, result.pluginId).config;
+    next = recordPluginInstall(next, {
+      pluginId: result.pluginId,
+      source: "marketplace",
+      installPath: result.targetDir,
+      version: result.version,
+      marketplaceName: result.marketplaceName,
+      marketplaceSource: result.marketplaceSource,
+      marketplacePlugin: result.marketplacePlugin,
+    });
+    const slotResult = applySlotSelectionForPlugin(next, result.pluginId);
+    next = slotResult.config;
+    await writeConfigFile(next);
+    logSlotWarnings(slotResult.warnings);
+    defaultRuntime.log(`Installed plugin: ${result.pluginId}`);
+    defaultRuntime.log(`Restart the gateway to load plugins.`);
+    return;
+  }
+
   const fileSpec = resolveFileNpmSpecToLocalPath(raw);
   if (fileSpec && !fileSpec.ok) {
     defaultRuntime.error(fileSpec.error);
@@ -734,17 +799,24 @@ export function registerPluginsCli(program: Command) {
 
   plugins
     .command("install")
-    .description("Install a plugin (path, archive, or npm spec)")
-    .argument("<path-or-spec>", "Path (.ts/.js/.zip/.tgz/.tar.gz) or an npm package spec")
+    .description("Install a plugin (path, archive, npm spec, or marketplace entry)")
+    .argument(
+      "<path-or-spec-or-plugin>",
+      "Path (.ts/.js/.zip/.tgz/.tar.gz), npm package spec, or marketplace plugin name",
+    )
     .option("-l, --link", "Link a local path instead of copying", false)
     .option("--pin", "Record npm installs as exact resolved <name>@<version>", false)
-    .action(async (raw: string, opts: { link?: boolean; pin?: boolean }) => {
+    .option(
+      "--marketplace <source>",
+      "Install a Claude marketplace plugin from a local repo/path or git/GitHub source",
+    )
+    .action(async (raw: string, opts: { link?: boolean; pin?: boolean; marketplace?: string }) => {
       await runPluginInstallCommand({ raw, opts });
     });
 
   plugins
     .command("update")
-    .description("Update installed plugins (npm installs only)")
+    .description("Update installed plugins (npm and marketplace installs)")
     .argument("[id]", "Plugin id (omit with --all)")
     .option("--all", "Update all tracked plugins", false)
     .option("--dry-run", "Show what would change without writing", false)
@@ -755,7 +827,7 @@ export function registerPluginsCli(program: Command) {
 
       if (targets.length === 0) {
         if (opts.all) {
-          defaultRuntime.log("No npm-installed plugins to update.");
+          defaultRuntime.log("No tracked plugins to update.");
           return;
         }
         defaultRuntime.error("Provide a plugin id or use --all.");
@@ -839,4 +911,54 @@ export function registerPluginsCli(program: Command) {
       lines.push(`${theme.muted("Docs:")} ${docs}`);
       defaultRuntime.log(lines.join("\n"));
     });
+
+  const marketplace = plugins
+    .command("marketplace")
+    .description("Inspect Claude-compatible plugin marketplaces");
+
+  marketplace
+    .command("list")
+    .description("List plugins published by a marketplace source")
+    .argument("<source>", "Local marketplace path/repo or git/GitHub source")
+    .option("--json", "Print JSON")
+    .action(async (source: string, opts: PluginMarketplaceListOptions) => {
+      const result = await listMarketplacePlugins({
+        marketplace: source,
+        logger: createPluginInstallLogger(),
+      });
+      if (!result.ok) {
+        defaultRuntime.error(result.error);
+        process.exit(1);
+      }
+
+      if (opts.json) {
+        defaultRuntime.log(
+          JSON.stringify(
+            {
+              source: result.sourceLabel,
+              name: result.manifest.name,
+              version: result.manifest.version,
+              plugins: result.manifest.plugins,
+            },
+            null,
+            2,
+          ),
+        );
+        return;
+      }
+
+      if (result.manifest.plugins.length === 0) {
+        defaultRuntime.log(`No plugins found in marketplace ${result.sourceLabel}.`);
+        return;
+      }
+
+      defaultRuntime.log(
+        `${theme.heading("Marketplace")} ${theme.muted(result.manifest.name ?? result.sourceLabel)}`,
+      );
+      for (const plugin of result.manifest.plugins) {
+        const suffix = plugin.version ? theme.muted(` v${plugin.version}`) : "";
+        const desc = plugin.description ? ` - ${theme.muted(plugin.description)}` : "";
+        defaultRuntime.log(`${theme.command(plugin.name)}${suffix}${desc}`);
+      }
+    });
 }
diff --git a/src/cli/program.smoke.test.ts b/src/cli/program.smoke.test.ts
index 259dd3b0360..9b8fc6dc454 100644
--- a/src/cli/program.smoke.test.ts
+++ b/src/cli/program.smoke.test.ts
@@ -4,10 +4,10 @@ import {
   ensureConfigReady,
   installBaseProgramMocks,
   installSmokeProgramMocks,
-  onboardCommand,
   runTui,
   runtime,
   setupCommand,
+  setupWizardCommand,
 } from "./program.test-mocks.js";
 
 installBaseProgramMocks();
@@ -68,6 +68,6 @@ describe("cli program (smoke)", () => {
     await runProgram(["setup", "--remote-url", "ws://example"]);
 
     expect(setupCommand).not.toHaveBeenCalled();
-    expect(onboardCommand).toHaveBeenCalledTimes(1);
+    expect(setupWizardCommand).toHaveBeenCalledTimes(1);
   });
 });
diff --git a/src/cli/program.test-mocks.ts b/src/cli/program.test-mocks.ts
index ab0d6b497bf..15595755dc3 100644
--- a/src/cli/program.test-mocks.ts
+++ b/src/cli/program.test-mocks.ts
@@ -1,78 +1,112 @@
-import { Mock, vi } from "vitest";
+import { vi, type Mock } from "vitest";
 
-export const messageCommand: Mock<(...args: unknown[]) => unknown> = vi.fn();
-export const statusCommand: Mock<(...args: unknown[]) => unknown> = vi.fn();
-export const configureCommand: Mock<(...args: unknown[]) => unknown> = vi.fn();
-export const configureCommandWithSections: Mock<(...args: unknown[]) => unknown> = vi.fn();
-export const setupCommand: Mock<(...args: unknown[]) => unknown> = vi.fn();
-export const onboardCommand: Mock<(...args: unknown[]) => unknown> = vi.fn();
-export const callGateway: Mock<(...args: unknown[]) => unknown> = vi.fn();
-export const runChannelLogin: Mock<(...args: unknown[]) => unknown> = vi.fn();
-export const runChannelLogout: Mock<(...args: unknown[]) => unknown> = vi.fn();
-export const runTui: Mock<(...args: unknown[]) => unknown> = vi.fn();
+type AnyMock = Mock<(...args: unknown[]) => unknown>;
 
-export const loadAndMaybeMigrateDoctorConfig: Mock<(...args: unknown[]) => unknown> = vi.fn();
-export const ensureConfigReady: Mock<(...args: unknown[]) => unknown> = vi.fn();
-export const ensurePluginRegistryLoaded: Mock<(...args: unknown[]) => unknown> = vi.fn();
+const programMocks = vi.hoisted(() => {
+  const setupWizardCommand = vi.fn();
+  return {
+    messageCommand: vi.fn(),
+    statusCommand: vi.fn(),
+    configureCommand: vi.fn(),
+    configureCommandWithSections: vi.fn(),
+    setupCommand: vi.fn(),
+    setupWizardCommand,
+    onboardCommand: setupWizardCommand,
+    callGateway: vi.fn(),
+    runChannelLogin: vi.fn(),
+    runChannelLogout: vi.fn(),
+    runTui: vi.fn(),
+    loadAndMaybeMigrateDoctorConfig: vi.fn(),
+    ensureConfigReady: vi.fn(),
+    ensurePluginRegistryLoaded: vi.fn(),
+    runtime: {
+      log: vi.fn(),
+      error: vi.fn(),
+      exit: vi.fn(() => {
+        throw new Error("exit");
+      }),
+    },
+  };
+});
 
-export const runtime: {
+export const messageCommand = programMocks.messageCommand as AnyMock;
+export const statusCommand = programMocks.statusCommand as AnyMock;
+export const configureCommand = programMocks.configureCommand as AnyMock;
+export const configureCommandWithSections = programMocks.configureCommandWithSections as AnyMock;
+export const setupCommand = programMocks.setupCommand as AnyMock;
+export const onboardCommand = programMocks.onboardCommand as AnyMock;
+export const setupWizardCommand = programMocks.setupWizardCommand as AnyMock;
+export const callGateway = programMocks.callGateway as AnyMock;
+export const runChannelLogin = programMocks.runChannelLogin as AnyMock;
+export const runChannelLogout = programMocks.runChannelLogout as AnyMock;
+export const runTui = programMocks.runTui as AnyMock;
+export const loadAndMaybeMigrateDoctorConfig =
+  programMocks.loadAndMaybeMigrateDoctorConfig as AnyMock;
+export const ensureConfigReady = programMocks.ensureConfigReady as AnyMock;
+export const ensurePluginRegistryLoaded = programMocks.ensurePluginRegistryLoaded as AnyMock;
+
+export const runtime = programMocks.runtime as {
   log: Mock<(...args: unknown[]) => void>;
   error: Mock<(...args: unknown[]) => void>;
   exit: Mock<(...args: unknown[]) => never>;
-} = {
-  log: vi.fn(),
-  error: vi.fn(),
-  exit: vi.fn(() => {
-    throw new Error("exit");
-  }),
 };
 
-export function installBaseProgramMocks() {
-  vi.mock("../commands/message.js", () => ({ messageCommand }));
-  vi.mock("../commands/status.js", () => ({ statusCommand }));
-  vi.mock("../commands/configure.js", () => ({
-    CONFIGURE_WIZARD_SECTIONS: [
-      "workspace",
-      "model",
-      "web",
-      "gateway",
-      "daemon",
-      "channels",
-      "skills",
-      "health",
-    ],
-    configureCommand,
-    configureCommandWithSections,
-    configureCommandFromSectionsArg: (sections: unknown, runtime: unknown) => {
-      const resolved = Array.isArray(sections) ? sections : [];
-      if (resolved.length > 0) {
-        return configureCommandWithSections(resolved, runtime);
-      }
-      return configureCommand({}, runtime);
-    },
-  }));
-  vi.mock("../commands/setup.js", () => ({ setupCommand }));
-  vi.mock("../commands/onboard.js", () => ({ onboardCommand }));
-  vi.mock("../runtime.js", () => ({ defaultRuntime: runtime }));
-  vi.mock("./channel-auth.js", () => ({ runChannelLogin, runChannelLogout }));
-  vi.mock("../tui/tui.js", () => ({ runTui }));
-  vi.mock("../gateway/call.js", () => ({
-    callGateway,
-    randomIdempotencyKey: () => "idem-test",
-    buildGatewayConnectionDetails: () => ({
-      url: "ws://127.0.0.1:1234",
-      urlSource: "test",
-      message: "Gateway target: ws://127.0.0.1:1234",
-    }),
-  }));
-  vi.mock("./deps.js", () => ({ createDefaultDeps: () => ({}) }));
-}
+// Keep these mocks at top level so Vitest does not warn about hoisted nested mocks.
+vi.mock("../commands/message.js", () => ({ messageCommand: programMocks.messageCommand }));
+vi.mock("../commands/status.js", () => ({ statusCommand: programMocks.statusCommand }));
+vi.mock("../commands/configure.js", () => ({
+  CONFIGURE_WIZARD_SECTIONS: [
+    "workspace",
+    "model",
+    "web",
+    "gateway",
+    "daemon",
+    "channels",
+    "skills",
+    "health",
+  ],
+  configureCommand: programMocks.configureCommand,
+  configureCommandWithSections: programMocks.configureCommandWithSections,
+  configureCommandFromSectionsArg: (sections: unknown, runtime: unknown) => {
+    const resolved = Array.isArray(sections) ? sections : [];
+    if (resolved.length > 0) {
+      return programMocks.configureCommandWithSections(resolved, runtime);
+    }
+    return programMocks.configureCommand({}, runtime);
+  },
+}));
+vi.mock("../commands/setup.js", () => ({ setupCommand: programMocks.setupCommand }));
+vi.mock("../commands/onboard.js", () => ({
+  onboardCommand: programMocks.onboardCommand,
+  setupWizardCommand: programMocks.setupWizardCommand,
+}));
+vi.mock("../runtime.js", () => ({ defaultRuntime: programMocks.runtime }));
+vi.mock("./channel-auth.js", () => ({
+  runChannelLogin: programMocks.runChannelLogin,
+  runChannelLogout: programMocks.runChannelLogout,
+}));
+vi.mock("../tui/tui.js", () => ({ runTui: programMocks.runTui }));
+vi.mock("../gateway/call.js", () => ({
+  callGateway: programMocks.callGateway,
+  randomIdempotencyKey: () => "idem-test",
+  buildGatewayConnectionDetails: () => ({
+    url: "ws://127.0.0.1:1234",
+    urlSource: "test",
+    message: "Gateway target: ws://127.0.0.1:1234",
+  }),
+}));
+vi.mock("./deps.js", () => ({ createDefaultDeps: () => ({}) }));
+vi.mock("./plugin-registry.js", () => ({
+  ensurePluginRegistryLoaded: programMocks.ensurePluginRegistryLoaded,
+}));
+vi.mock("../commands/doctor-config-flow.js", () => ({
+  loadAndMaybeMigrateDoctorConfig: programMocks.loadAndMaybeMigrateDoctorConfig,
+}));
+vi.mock("./program/config-guard.js", () => ({
+  ensureConfigReady: programMocks.ensureConfigReady,
+}));
+vi.mock("./preaction.js", () => ({ registerPreActionHooks: () => {} }));
 
-export function installSmokeProgramMocks() {
-  vi.mock("./plugin-registry.js", () => ({ ensurePluginRegistryLoaded }));
-  vi.mock("../commands/doctor-config-flow.js", () => ({
-    loadAndMaybeMigrateDoctorConfig,
-  }));
-  vi.mock("./program/config-guard.js", () => ({ ensureConfigReady }));
-  vi.mock("./preaction.js", () => ({ registerPreActionHooks: () => {} }));
-}
+export function installBaseProgramMocks() {}
+
+export function installSmokeProgramMocks() {}
diff --git a/src/cli/program/command-registry.ts b/src/cli/program/command-registry.ts
index ad468878aeb..89d59bfb7ee 100644
--- a/src/cli/program/command-registry.ts
+++ b/src/cli/program/command-registry.ts
@@ -3,8 +3,15 @@ import { getPrimaryCommand, hasHelpOrVersion } from "../argv.js";
 import { reparseProgramFromActionArgs } from "./action-reparse.js";
 import { removeCommandByName } from "./command-tree.js";
 import type { ProgramContext } from "./context.js";
+import {
+  type CoreCliCommandDescriptor,
+  getCoreCliCommandDescriptors,
+  getCoreCliCommandsWithSubcommands,
+} from "./core-command-descriptors.js";
 import { registerSubCliCommands } from "./register.subclis.js";
 
+export { getCoreCliCommandDescriptors, getCoreCliCommandsWithSubcommands };
+
 type CommandRegisterParams = {
   program: Command;
   ctx: ProgramContext;
@@ -16,12 +23,6 @@ export type CommandRegistration = {
   register: (params: CommandRegisterParams) => void;
 };
 
-type CoreCliCommandDescriptor = {
-  name: string;
-  description: string;
-  hasSubcommands: boolean;
-};
-
 type CoreCliEntry = {
   commands: CoreCliCommandDescriptor[];
   register: (params: CommandRegisterParams) => Promise<void> | void;
@@ -55,7 +56,7 @@ const coreEntries: CoreCliEntry[] = [
     commands: [
       {
         name: "onboard",
-        description: "Interactive onboarding wizard for gateway, workspace, and skills",
+        description: "Interactive setup wizard for gateway, workspace, and skills",
         hasSubcommands: false,
       },
     ],
@@ -217,34 +218,8 @@ const coreEntries: CoreCliEntry[] = [
   },
 ];
 
-function collectCoreCliCommandNames(predicate?: (command: CoreCliCommandDescriptor) => boolean) {
-  const seen = new Set<string>();
-  const names: string[] = [];
-  for (const entry of coreEntries) {
-    for (const command of entry.commands) {
-      if (predicate && !predicate(command)) {
-        continue;
-      }
-      if (seen.has(command.name)) {
-        continue;
-      }
-      seen.add(command.name);
-      names.push(command.name);
-    }
-  }
-  return names;
-}
-
-export function getCoreCliCommandDescriptors(): ReadonlyArray<CoreCliCommandDescriptor> {
-  return coreEntries.flatMap((entry) => entry.commands);
-}
-
 export function getCoreCliCommandNames(): string[] {
-  return collectCoreCliCommandNames();
-}
-
-export function getCoreCliCommandsWithSubcommands(): string[] {
-  return collectCoreCliCommandNames((command) => command.hasSubcommands);
+  return getCoreCliCommandDescriptors().map((command) => command.name);
 }
 
 function removeEntryCommands(program: Command, entry: CoreCliEntry) {
diff --git a/src/cli/program/core-command-descriptors.ts b/src/cli/program/core-command-descriptors.ts
new file mode 100644
index 00000000000..8756c7bf7d4
--- /dev/null
+++ b/src/cli/program/core-command-descriptors.ts
@@ -0,0 +1,104 @@
+export type CoreCliCommandDescriptor = {
+  name: string;
+  description: string;
+  hasSubcommands: boolean;
+};
+
+export const CORE_CLI_COMMAND_DESCRIPTORS = [
+  {
+    name: "setup",
+    description: "Initialize local config and agent workspace",
+    hasSubcommands: false,
+  },
+  {
+    name: "onboard",
+    description: "Interactive setup wizard for gateway, workspace, and skills",
+    hasSubcommands: false,
+  },
+  {
+    name: "configure",
+    description: "Interactive setup wizard for credentials, channels, gateway, and agent defaults",
+    hasSubcommands: false,
+  },
+  {
+    name: "config",
+    description:
+      "Non-interactive config helpers (get/set/unset/file/validate). Default: starts setup wizard.",
+    hasSubcommands: true,
+  },
+  {
+    name: "backup",
+    description: "Create and verify local backup archives for OpenClaw state",
+    hasSubcommands: true,
+  },
+  {
+    name: "doctor",
+    description: "Health checks + quick fixes for the gateway and channels",
+    hasSubcommands: false,
+  },
+  {
+    name: "dashboard",
+    description: "Open the Control UI with your current token",
+    hasSubcommands: false,
+  },
+  {
+    name: "reset",
+    description: "Reset local config/state (keeps the CLI installed)",
+    hasSubcommands: false,
+  },
+  {
+    name: "uninstall",
+    description: "Uninstall the gateway service + local data (CLI remains)",
+    hasSubcommands: false,
+  },
+  {
+    name: "message",
+    description: "Send, read, and manage messages",
+    hasSubcommands: true,
+  },
+  {
+    name: "memory",
+    description: "Search and reindex memory files",
+    hasSubcommands: true,
+  },
+  {
+    name: "agent",
+    description: "Run one agent turn via the Gateway",
+    hasSubcommands: false,
+  },
+  {
+    name: "agents",
+    description: "Manage isolated agents (workspaces, auth, routing)",
+    hasSubcommands: true,
+  },
+  {
+    name: "status",
+    description: "Show channel health and recent session recipients",
+    hasSubcommands: false,
+  },
+  {
+    name: "health",
+    description: "Fetch health from the running gateway",
+    hasSubcommands: false,
+  },
+  {
+    name: "sessions",
+    description: "List stored conversation sessions",
+    hasSubcommands: true,
+  },
+  {
+    name: "browser",
+    description: "Manage OpenClaw's dedicated browser (Chrome/Chromium)",
+    hasSubcommands: true,
+  },
+] as const satisfies ReadonlyArray<CoreCliCommandDescriptor>;
+
+export function getCoreCliCommandDescriptors(): ReadonlyArray<CoreCliCommandDescriptor> {
+  return CORE_CLI_COMMAND_DESCRIPTORS;
+}
+
+export function getCoreCliCommandsWithSubcommands(): string[] {
+  return CORE_CLI_COMMAND_DESCRIPTORS.filter((command) => command.hasSubcommands).map(
+    (command) => command.name,
+  );
+}
diff --git a/src/cli/program/help.ts b/src/cli/program/help.ts
index c22ea7c8322..fc924cec9d3 100644
--- a/src/cli/program/help.ts
+++ b/src/cli/program/help.ts
@@ -7,9 +7,9 @@ import { hasFlag, hasRootVersionAlias } from "../argv.js";
 import { formatCliBannerLine, hasEmittedCliBanner } from "../banner.js";
 import { replaceCliName, resolveCliName } from "../cli-name.js";
 import { CLI_LOG_LEVEL_VALUES, parseCliLogLevelOption } from "../log-level-option.js";
-import { getCoreCliCommandsWithSubcommands } from "./command-registry.js";
 import type { ProgramContext } from "./context.js";
-import { getSubCliCommandsWithSubcommands } from "./register.subclis.js";
+import { getCoreCliCommandsWithSubcommands } from "./core-command-descriptors.js";
+import { getSubCliCommandsWithSubcommands } from "./subcli-descriptors.js";
 
 const CLI_NAME = resolveCliName();
 const CLI_NAME_PATTERN = escapeRegExp(CLI_NAME);
diff --git a/src/cli/program/message/register.send.ts b/src/cli/program/message/register.send.ts
index f33bd2a24a8..7b499207fd5 100644
--- a/src/cli/program/message/register.send.ts
+++ b/src/cli/program/message/register.send.ts
@@ -15,6 +15,10 @@ export function registerMessageSendCommand(message: Command, helpers: MessageCli
           "--media <path-or-url>",
           "Attach media (image/audio/video/document). Accepts local paths or URLs.",
         )
+        .option(
+          "--interactive <json>",
+          "Shared interactive payload as JSON (buttons/selects rendered natively by supported channels)",
+        )
         .option(
           "--buttons <json>",
           "Telegram inline keyboard buttons as JSON (array of button rows)",
diff --git a/src/cli/program/preaction.test.ts b/src/cli/program/preaction.test.ts
index 2a1367870c6..6fe29f0b295 100644
--- a/src/cli/program/preaction.test.ts
+++ b/src/cli/program/preaction.test.ts
@@ -91,6 +91,8 @@ describe("registerPreActionHooks", () => {
     program.command("agents").action(() => {});
     program.command("configure").action(() => {});
     program.command("onboard").action(() => {});
+    const channels = program.command("channels");
+    channels.command("add").action(() => {});
     program
       .command("update")
       .command("status")
@@ -167,6 +169,31 @@ describe("registerPreActionHooks", () => {
     expect(ensurePluginRegistryLoadedMock).toHaveBeenCalledWith({ scope: "all" });
   });
 
+  it("keeps setup alias and channels add manifest-first", async () => {
+    await runPreAction({
+      parseArgv: ["onboard"],
+      processArgv: ["node", "openclaw", "onboard"],
+    });
+
+    expect(ensureConfigReadyMock).toHaveBeenCalledWith({
+      runtime: runtimeMock,
+      commandPath: ["onboard"],
+    });
+    expect(ensurePluginRegistryLoadedMock).not.toHaveBeenCalled();
+
+    vi.clearAllMocks();
+    await runPreAction({
+      parseArgv: ["channels", "add"],
+      processArgv: ["node", "openclaw", "channels", "add"],
+    });
+
+    expect(ensureConfigReadyMock).toHaveBeenCalledWith({
+      runtime: runtimeMock,
+      commandPath: ["channels", "add"],
+    });
+    expect(ensurePluginRegistryLoadedMock).not.toHaveBeenCalled();
+  });
+
   it("skips help/version preaction and respects banner opt-out", async () => {
     await runPreAction({
       parseArgv: ["status"],
@@ -190,6 +217,19 @@ describe("registerPreActionHooks", () => {
   });
 
   it("applies --json stdout suppression only for explicit JSON output commands", async () => {
+    await runPreAction({
+      parseArgv: ["status"],
+      processArgv: ["node", "openclaw", "status", "--json"],
+    });
+
+    expect(ensureConfigReadyMock).toHaveBeenCalledWith({
+      runtime: runtimeMock,
+      commandPath: ["status"],
+      suppressDoctorStdout: true,
+    });
+    expect(ensurePluginRegistryLoadedMock).not.toHaveBeenCalled();
+
+    vi.clearAllMocks();
     await runPreAction({
       parseArgv: ["update", "status", "--json"],
       processArgv: ["node", "openclaw", "update", "status", "--json"],
@@ -200,6 +240,7 @@ describe("registerPreActionHooks", () => {
       commandPath: ["update", "status"],
       suppressDoctorStdout: true,
     });
+    expect(ensurePluginRegistryLoadedMock).not.toHaveBeenCalled();
 
     vi.clearAllMocks();
     await runPreAction({
diff --git a/src/cli/program/preaction.ts b/src/cli/program/preaction.ts
index ccd84e3201e..650c8f52686 100644
--- a/src/cli/program/preaction.ts
+++ b/src/cli/program/preaction.ts
@@ -32,7 +32,6 @@ const PLUGIN_REQUIRED_COMMANDS = new Set([
   "directory",
   "agents",
   "configure",
-  "onboard",
   "status",
   "health",
 ]);
@@ -71,6 +70,20 @@ function resolvePluginRegistryScope(commandPath: string[]): "channels" | "all" {
   return commandPath[0] === "status" || commandPath[0] === "health" ? "channels" : "all";
 }
 
+function shouldLoadPluginsForCommand(commandPath: string[], argv: string[]): boolean {
+  const [primary, secondary] = commandPath;
+  if (!primary || !PLUGIN_REQUIRED_COMMANDS.has(primary)) {
+    return false;
+  }
+  if ((primary === "status" || primary === "health") && hasFlag(argv, "--json")) {
+    return false;
+  }
+  // Setup wizard and channels add should stay manifest-first and load selected plugins on demand.
+  if (primary === "onboard" || (primary === "channels" && secondary === "add")) {
+    return false;
+  }
+  return true;
+}
 function getRootCommand(command: Command): Command {
   let current = command;
   while (current.parent) {
@@ -138,7 +151,7 @@ export function registerPreActionHooks(program: Command, programVersion: string)
       ...(suppressDoctorStdout ? { suppressDoctorStdout: true } : {}),
     });
     // Load plugins for commands that need channel access
-    if (PLUGIN_REQUIRED_COMMANDS.has(commandPath[0])) {
+    if (shouldLoadPluginsForCommand(commandPath, argv)) {
       const { ensurePluginRegistryLoaded } = await loadPluginRegistryModule();
       ensurePluginRegistryLoaded({ scope: resolvePluginRegistryScope(commandPath) });
     }
diff --git a/src/cli/program/register.onboard.test.ts b/src/cli/program/register.onboard.test.ts
index 086296c8895..5b005512bfd 100644
--- a/src/cli/program/register.onboard.test.ts
+++ b/src/cli/program/register.onboard.test.ts
@@ -1,7 +1,7 @@
 import { Command } from "commander";
 import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 
-const onboardCommandMock = vi.fn();
+const setupWizardCommandMock = vi.fn();
 
 const runtime = {
   log: vi.fn(),
@@ -13,17 +13,32 @@ vi.mock("../../commands/auth-choice-options.static.js", () => ({
   formatStaticAuthChoiceChoicesForCli: () => "token|oauth",
 }));
 
-vi.mock("../../commands/onboard-provider-auth-flags.js", () => ({
-  ONBOARD_PROVIDER_AUTH_FLAGS: [
+vi.mock("../../commands/auth-choice-options.js", () => ({
+  formatAuthChoiceChoicesForCli: () => "token|oauth|openai-api-key",
+}));
+
+vi.mock("../../commands/onboard-core-auth-flags.js", () => ({
+  CORE_ONBOARD_AUTH_FLAGS: [
     {
       cliOption: "--mistral-api-key <key>",
       description: "Mistral API key",
+      optionKey: "mistralApiKey",
     },
-  ] as Array<{ cliOption: string; description: string }>,
+  ] as Array<{ cliOption: string; description: string; optionKey: string }>,
+}));
+
+vi.mock("../../plugins/provider-auth-choices.js", () => ({
+  resolveManifestProviderOnboardAuthFlags: () => [
+    {
+      cliOption: "--openai-api-key <key>",
+      description: "OpenAI API key",
+      optionKey: "openaiApiKey",
+    },
+  ],
 }));
 
 vi.mock("../../commands/onboard.js", () => ({
-  onboardCommand: onboardCommandMock,
+  setupWizardCommand: setupWizardCommandMock,
 }));
 
 vi.mock("../../runtime.js", () => ({
@@ -45,13 +60,13 @@ describe("registerOnboardCommand", () => {
 
   beforeEach(() => {
     vi.clearAllMocks();
-    onboardCommandMock.mockResolvedValue(undefined);
+    setupWizardCommandMock.mockResolvedValue(undefined);
   });
 
   it("defaults installDaemon to undefined when no daemon flags are provided", async () => {
     await runCli(["onboard"]);
 
-    expect(onboardCommandMock).toHaveBeenCalledWith(
+    expect(setupWizardCommandMock).toHaveBeenCalledWith(
       expect.objectContaining({
         installDaemon: undefined,
       }),
@@ -61,7 +76,7 @@ describe("registerOnboardCommand", () => {
 
   it("sets installDaemon from explicit install flags and prioritizes --skip-daemon", async () => {
     await runCli(["onboard", "--install-daemon"]);
-    expect(onboardCommandMock).toHaveBeenNthCalledWith(
+    expect(setupWizardCommandMock).toHaveBeenNthCalledWith(
       1,
       expect.objectContaining({
         installDaemon: true,
@@ -70,7 +85,7 @@ describe("registerOnboardCommand", () => {
     );
 
     await runCli(["onboard", "--no-install-daemon"]);
-    expect(onboardCommandMock).toHaveBeenNthCalledWith(
+    expect(setupWizardCommandMock).toHaveBeenNthCalledWith(
       2,
       expect.objectContaining({
         installDaemon: false,
@@ -79,7 +94,7 @@ describe("registerOnboardCommand", () => {
     );
 
     await runCli(["onboard", "--install-daemon", "--skip-daemon"]);
-    expect(onboardCommandMock).toHaveBeenNthCalledWith(
+    expect(setupWizardCommandMock).toHaveBeenNthCalledWith(
       3,
       expect.objectContaining({
         installDaemon: false,
@@ -90,7 +105,7 @@ describe("registerOnboardCommand", () => {
 
   it("parses numeric gateway port and drops invalid values", async () => {
     await runCli(["onboard", "--gateway-port", "18789"]);
-    expect(onboardCommandMock).toHaveBeenNthCalledWith(
+    expect(setupWizardCommandMock).toHaveBeenNthCalledWith(
       1,
       expect.objectContaining({
         gatewayPort: 18789,
@@ -99,7 +114,7 @@ describe("registerOnboardCommand", () => {
     );
 
     await runCli(["onboard", "--gateway-port", "nope"]);
-    expect(onboardCommandMock).toHaveBeenNthCalledWith(
+    expect(setupWizardCommandMock).toHaveBeenNthCalledWith(
       2,
       expect.objectContaining({
         gatewayPort: undefined,
@@ -108,9 +123,9 @@ describe("registerOnboardCommand", () => {
     );
   });
 
-  it("forwards --reset-scope to onboard command options", async () => {
+  it("forwards --reset-scope to setup wizard options", async () => {
     await runCli(["onboard", "--reset", "--reset-scope", "full"]);
-    expect(onboardCommandMock).toHaveBeenCalledWith(
+    expect(setupWizardCommandMock).toHaveBeenCalledWith(
       expect.objectContaining({
         reset: true,
         resetScope: "full",
@@ -121,7 +136,7 @@ describe("registerOnboardCommand", () => {
 
   it("parses --mistral-api-key and forwards mistralApiKey", async () => {
     await runCli(["onboard", "--mistral-api-key", "sk-mistral-test"]);
-    expect(onboardCommandMock).toHaveBeenCalledWith(
+    expect(setupWizardCommandMock).toHaveBeenCalledWith(
       expect.objectContaining({
         mistralApiKey: "sk-mistral-test", // pragma: allowlist secret
       }),
@@ -131,7 +146,7 @@ describe("registerOnboardCommand", () => {
 
   it("forwards --gateway-token-ref-env", async () => {
     await runCli(["onboard", "--gateway-token-ref-env", "OPENCLAW_GATEWAY_TOKEN"]);
-    expect(onboardCommandMock).toHaveBeenCalledWith(
+    expect(setupWizardCommandMock).toHaveBeenCalledWith(
       expect.objectContaining({
         gatewayTokenRefEnv: "OPENCLAW_GATEWAY_TOKEN",
       }),
@@ -139,12 +154,12 @@ describe("registerOnboardCommand", () => {
     );
   });
 
-  it("reports errors via runtime on onboard command failures", async () => {
-    onboardCommandMock.mockRejectedValueOnce(new Error("onboard failed"));
+  it("reports errors via runtime on setup wizard command failures", async () => {
+    setupWizardCommandMock.mockRejectedValueOnce(new Error("setup failed"));
 
     await runCli(["onboard"]);
 
-    expect(runtime.error).toHaveBeenCalledWith("Error: onboard failed");
+    expect(runtime.error).toHaveBeenCalledWith("Error: setup failed");
     expect(runtime.exit).toHaveBeenCalledWith(1);
   });
 });
diff --git a/src/cli/program/register.onboard.ts b/src/cli/program/register.onboard.ts
index 8c742f0ab66..0cd2828553b 100644
--- a/src/cli/program/register.onboard.ts
+++ b/src/cli/program/register.onboard.ts
@@ -1,7 +1,7 @@
 import type { Command } from "commander";
-import { formatStaticAuthChoiceChoicesForCli } from "../../commands/auth-choice-options.static.js";
+import { formatAuthChoiceChoicesForCli } from "../../commands/auth-choice-options.js";
 import type { GatewayDaemonRuntime } from "../../commands/daemon-runtime.js";
-import { ONBOARD_PROVIDER_AUTH_FLAGS } from "../../commands/onboard-provider-auth-flags.js";
+import { CORE_ONBOARD_AUTH_FLAGS } from "../../commands/onboard-core-auth-flags.js";
 import type {
   AuthChoice,
   GatewayAuthChoice,
@@ -11,7 +11,8 @@ import type {
   SecretInputMode,
   TailscaleMode,
 } from "../../commands/onboard-types.js";
-import { onboardCommand } from "../../commands/onboard.js";
+import { setupWizardCommand } from "../../commands/onboard.js";
+import { resolveManifestProviderOnboardAuthFlags } from "../../plugins/provider-auth-choices.js";
 import { defaultRuntime } from "../../runtime.js";
 import { formatDocsLink } from "../../terminal/links.js";
 import { theme } from "../../terminal/theme.js";
@@ -41,11 +42,24 @@ function resolveInstallDaemonFlag(
   return undefined;
 }
 
-const AUTH_CHOICE_HELP = formatStaticAuthChoiceChoicesForCli({
+const AUTH_CHOICE_HELP = formatAuthChoiceChoicesForCli({
   includeLegacyAliases: true,
   includeSkip: true,
 });
 
+const ONBOARD_AUTH_FLAGS = [
+  ...CORE_ONBOARD_AUTH_FLAGS,
+  ...resolveManifestProviderOnboardAuthFlags(),
+] as const;
+
+function pickOnboardProviderAuthOptionValues(
+  opts: Record<string, unknown>,
+): Partial<Record<string, string | undefined>> {
+  return Object.fromEntries(
+    ONBOARD_AUTH_FLAGS.map((flag) => [flag.optionKey, opts[flag.optionKey] as string | undefined]),
+  );
+}
+
 export function registerOnboardCommand(program: Command) {
   const command = program
     .command("onboard")
@@ -87,7 +101,7 @@ export function registerOnboardCommand(program: Command) {
     .option("--cloudflare-ai-gateway-account-id <id>", "Cloudflare Account ID")
     .option("--cloudflare-ai-gateway-gateway-id <id>", "Cloudflare AI Gateway ID");
 
-  for (const providerFlag of ONBOARD_PROVIDER_AUTH_FLAGS) {
+  for (const providerFlag of ONBOARD_AUTH_FLAGS) {
     command.option(providerFlag.cliOption, providerFlag.description);
   }
 
@@ -132,7 +146,10 @@ export function registerOnboardCommand(program: Command) {
       });
       const gatewayPort =
         typeof opts.gatewayPort === "string" ? Number.parseInt(opts.gatewayPort, 10) : undefined;
-      await onboardCommand(
+      const providerAuthOptionValues = pickOnboardProviderAuthOptionValues(
+        opts as Record<string, unknown>,
+      );
+      await setupWizardCommand(
         {
           workspace: opts.workspace as string | undefined,
           nonInteractive: Boolean(opts.nonInteractive),
@@ -145,34 +162,9 @@ export function registerOnboardCommand(program: Command) {
           tokenProfileId: opts.tokenProfileId as string | undefined,
           tokenExpiresIn: opts.tokenExpiresIn as string | undefined,
           secretInputMode: opts.secretInputMode as SecretInputMode | undefined,
-          anthropicApiKey: opts.anthropicApiKey as string | undefined,
-          openaiApiKey: opts.openaiApiKey as string | undefined,
-          mistralApiKey: opts.mistralApiKey as string | undefined,
-          openrouterApiKey: opts.openrouterApiKey as string | undefined,
-          kilocodeApiKey: opts.kilocodeApiKey as string | undefined,
-          aiGatewayApiKey: opts.aiGatewayApiKey as string | undefined,
+          ...providerAuthOptionValues,
           cloudflareAiGatewayAccountId: opts.cloudflareAiGatewayAccountId as string | undefined,
           cloudflareAiGatewayGatewayId: opts.cloudflareAiGatewayGatewayId as string | undefined,
-          cloudflareAiGatewayApiKey: opts.cloudflareAiGatewayApiKey as string | undefined,
-          moonshotApiKey: opts.moonshotApiKey as string | undefined,
-          kimiCodeApiKey: opts.kimiCodeApiKey as string | undefined,
-          geminiApiKey: opts.geminiApiKey as string | undefined,
-          zaiApiKey: opts.zaiApiKey as string | undefined,
-          xiaomiApiKey: opts.xiaomiApiKey as string | undefined,
-          qianfanApiKey: opts.qianfanApiKey as string | undefined,
-          modelstudioApiKeyCn: opts.modelstudioApiKeyCn as string | undefined,
-          modelstudioApiKey: opts.modelstudioApiKey as string | undefined,
-          minimaxApiKey: opts.minimaxApiKey as string | undefined,
-          syntheticApiKey: opts.syntheticApiKey as string | undefined,
-          veniceApiKey: opts.veniceApiKey as string | undefined,
-          togetherApiKey: opts.togetherApiKey as string | undefined,
-          huggingfaceApiKey: opts.huggingfaceApiKey as string | undefined,
-          opencodeZenApiKey: opts.opencodeZenApiKey as string | undefined,
-          opencodeGoApiKey: opts.opencodeGoApiKey as string | undefined,
-          xaiApiKey: opts.xaiApiKey as string | undefined,
-          litellmApiKey: opts.litellmApiKey as string | undefined,
-          volcengineApiKey: opts.volcengineApiKey as string | undefined,
-          byteplusApiKey: opts.byteplusApiKey as string | undefined,
           customBaseUrl: opts.customBaseUrl as string | undefined,
           customApiKey: opts.customApiKey as string | undefined,
           customModelId: opts.customModelId as string | undefined,
diff --git a/src/cli/program/register.setup.test.ts b/src/cli/program/register.setup.test.ts
index 2ac5ec1ece7..4811a82cf47 100644
--- a/src/cli/program/register.setup.test.ts
+++ b/src/cli/program/register.setup.test.ts
@@ -2,7 +2,7 @@ import { Command } from "commander";
 import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 
 const setupCommandMock = vi.fn();
-const onboardCommandMock = vi.fn();
+const setupWizardCommandMock = vi.fn();
 const runtime = {
   log: vi.fn(),
   error: vi.fn(),
@@ -14,7 +14,7 @@ vi.mock("../../commands/setup.js", () => ({
 }));
 
 vi.mock("../../commands/onboard.js", () => ({
-  onboardCommand: onboardCommandMock,
+  setupWizardCommand: setupWizardCommandMock,
 }));
 
 vi.mock("../../runtime.js", () => ({
@@ -37,7 +37,7 @@ describe("registerSetupCommand", () => {
   beforeEach(() => {
     vi.clearAllMocks();
     setupCommandMock.mockResolvedValue(undefined);
-    onboardCommandMock.mockResolvedValue(undefined);
+    setupWizardCommandMock.mockResolvedValue(undefined);
   });
 
   it("runs setup command by default", async () => {
@@ -49,13 +49,13 @@ describe("registerSetupCommand", () => {
       }),
       runtime,
     );
-    expect(onboardCommandMock).not.toHaveBeenCalled();
+    expect(setupWizardCommandMock).not.toHaveBeenCalled();
   });
 
-  it("runs onboard command when --wizard is set", async () => {
+  it("runs setup wizard command when --wizard is set", async () => {
     await runCli(["setup", "--wizard", "--mode", "remote", "--remote-url", "wss://example"]);
 
-    expect(onboardCommandMock).toHaveBeenCalledWith(
+    expect(setupWizardCommandMock).toHaveBeenCalledWith(
       expect.objectContaining({
         mode: "remote",
         remoteUrl: "wss://example",
@@ -65,10 +65,10 @@ describe("registerSetupCommand", () => {
     expect(setupCommandMock).not.toHaveBeenCalled();
   });
 
-  it("runs onboard command when wizard-only flags are passed explicitly", async () => {
+  it("runs setup wizard command when wizard-only flags are passed explicitly", async () => {
     await runCli(["setup", "--mode", "remote", "--non-interactive"]);
 
-    expect(onboardCommandMock).toHaveBeenCalledWith(
+    expect(setupWizardCommandMock).toHaveBeenCalledWith(
       expect.objectContaining({
         mode: "remote",
         nonInteractive: true,
diff --git a/src/cli/program/register.setup.ts b/src/cli/program/register.setup.ts
index ec580a2344e..33893d945bb 100644
--- a/src/cli/program/register.setup.ts
+++ b/src/cli/program/register.setup.ts
@@ -1,5 +1,5 @@
 import type { Command } from "commander";
-import { onboardCommand } from "../../commands/onboard.js";
+import { setupWizardCommand } from "../../commands/onboard.js";
 import { setupCommand } from "../../commands/setup.js";
 import { defaultRuntime } from "../../runtime.js";
 import { formatDocsLink } from "../../terminal/links.js";
@@ -35,7 +35,7 @@ export function registerSetupCommand(program: Command) {
           "remoteToken",
         ]);
         if (opts.wizard || hasWizardFlags) {
-          await onboardCommand(
+          await setupWizardCommand(
             {
               workspace: opts.workspace as string | undefined,
               nonInteractive: Boolean(opts.nonInteractive),
diff --git a/src/cli/program/register.subclis.ts b/src/cli/program/register.subclis.ts
index ad120cc0417..5ace8c10441 100644
--- a/src/cli/program/register.subclis.ts
+++ b/src/cli/program/register.subclis.ts
@@ -4,13 +4,17 @@ import { isTruthyEnvValue } from "../../infra/env.js";
 import { getPrimaryCommand, hasHelpOrVersion } from "../argv.js";
 import { reparseProgramFromActionArgs } from "./action-reparse.js";
 import { removeCommand, removeCommandByName } from "./command-tree.js";
+import {
+  getSubCliCommandsWithSubcommands,
+  getSubCliEntries as getSubCliEntryDescriptors,
+  type SubCliDescriptor,
+} from "./subcli-descriptors.js";
+
+export { getSubCliCommandsWithSubcommands };
 
 type SubCliRegistrar = (program: Command) => Promise<void> | void;
 
-type SubCliEntry = {
-  name: string;
-  description: string;
-  hasSubcommands: boolean;
+type SubCliEntry = SubCliDescriptor & {
   register: SubCliRegistrar;
 };
 
@@ -309,12 +313,8 @@ const entries: SubCliEntry[] = [
   },
 ];
 
-export function getSubCliEntries(): SubCliEntry[] {
-  return entries;
-}
-
-export function getSubCliCommandsWithSubcommands(): string[] {
-  return entries.filter((entry) => entry.hasSubcommands).map((entry) => entry.name);
+export function getSubCliEntries(): ReadonlyArray<SubCliDescriptor> {
+  return getSubCliEntryDescriptors();
 }
 
 export async function registerSubCliByName(program: Command, name: string): Promise<boolean> {
diff --git a/src/cli/program/root-help.ts b/src/cli/program/root-help.ts
index b80302e9818..500dbe3b039 100644
--- a/src/cli/program/root-help.ts
+++ b/src/cli/program/root-help.ts
@@ -1,8 +1,8 @@
 import { Command } from "commander";
 import { VERSION } from "../../version.js";
-import { getCoreCliCommandDescriptors } from "./command-registry.js";
+import { getCoreCliCommandDescriptors } from "./core-command-descriptors.js";
 import { configureProgramHelp } from "./help.js";
-import { getSubCliEntries } from "./register.subclis.js";
+import { getSubCliEntries } from "./subcli-descriptors.js";
 
 function buildRootHelpProgram(): Command {
   const program = new Command();
diff --git a/src/cli/program/routes.test.ts b/src/cli/program/routes.test.ts
index e7958a684a5..87849fb4d0b 100644
--- a/src/cli/program/routes.test.ts
+++ b/src/cli/program/routes.test.ts
@@ -5,6 +5,8 @@ const runConfigGetMock = vi.hoisted(() => vi.fn(async () => {}));
 const runConfigUnsetMock = vi.hoisted(() => vi.fn(async () => {}));
 const modelsListCommandMock = vi.hoisted(() => vi.fn(async () => {}));
 const modelsStatusCommandMock = vi.hoisted(() => vi.fn(async () => {}));
+const runDaemonStatusMock = vi.hoisted(() => vi.fn(async () => {}));
+const statusJsonCommandMock = vi.hoisted(() => vi.fn(async () => {}));
 
 vi.mock("../config-cli.js", () => ({
   runConfigGet: runConfigGetMock,
@@ -16,6 +18,14 @@ vi.mock("../../commands/models.js", () => ({
   modelsStatusCommand: modelsStatusCommandMock,
 }));
 
+vi.mock("../daemon-cli/status.js", () => ({
+  runDaemonStatus: runDaemonStatusMock,
+}));
+
+vi.mock("../../commands/status-json.js", () => ({
+  statusJsonCommand: statusJsonCommandMock,
+}));
+
 describe("program routes", () => {
   beforeEach(() => {
     vi.clearAllMocks();
@@ -32,9 +42,12 @@ describe("program routes", () => {
     await expect(route?.run(argv)).resolves.toBe(false);
   }
 
-  it("matches status route and always preloads plugins", () => {
+  it("matches status route and preloads plugins only for text output", () => {
     const route = expectRoute(["status"]);
-    expect(route?.loadPlugins).toBe(true);
+    expect(typeof route?.loadPlugins).toBe("function");
+    const shouldLoad = route?.loadPlugins as (argv: string[]) => boolean;
+    expect(shouldLoad(["node", "openclaw", "status"])).toBe(true);
+    expect(shouldLoad(["node", "openclaw", "status", "--json"])).toBe(false);
   });
 
   it("matches health route and preloads plugins only for text output", () => {
@@ -45,10 +58,123 @@ describe("program routes", () => {
     expect(shouldLoad(["node", "openclaw", "health", "--json"])).toBe(false);
   });
 
+  it("matches gateway status route without plugin preload", () => {
+    const route = expectRoute(["gateway", "status"]);
+    expect(route?.loadPlugins).toBeUndefined();
+  });
+
+  it("returns false for gateway status route when option values are missing", async () => {
+    await expectRunFalse(["gateway", "status"], ["node", "openclaw", "gateway", "status", "--url"]);
+    await expectRunFalse(
+      ["gateway", "status"],
+      ["node", "openclaw", "gateway", "status", "--token"],
+    );
+    await expectRunFalse(
+      ["gateway", "status"],
+      ["node", "openclaw", "gateway", "status", "--password"],
+    );
+    await expectRunFalse(
+      ["gateway", "status"],
+      ["node", "openclaw", "gateway", "status", "--timeout"],
+    );
+  });
+
+  it("returns false for gateway status route when probe-only flags are present", async () => {
+    await expectRunFalse(
+      ["gateway", "status"],
+      ["node", "openclaw", "gateway", "status", "--ssh", "user@host"],
+    );
+    await expectRunFalse(
+      ["gateway", "status"],
+      ["node", "openclaw", "gateway", "status", "--ssh-identity", "~/.ssh/id_test"],
+    );
+    await expectRunFalse(
+      ["gateway", "status"],
+      ["node", "openclaw", "gateway", "status", "--ssh-auto"],
+    );
+  });
+
+  it("passes parsed gateway status flags through to daemon status", async () => {
+    const route = expectRoute(["gateway", "status"]);
+    await expect(
+      route?.run([
+        "node",
+        "openclaw",
+        "--profile",
+        "work",
+        "gateway",
+        "status",
+        "--url",
+        "ws://127.0.0.1:18789",
+        "--token",
+        "abc",
+        "--password",
+        "def",
+        "--timeout",
+        "5000",
+        "--deep",
+        "--require-rpc",
+        "--json",
+      ]),
+    ).resolves.toBe(true);
+    expect(runDaemonStatusMock).toHaveBeenCalledWith({
+      rpc: {
+        url: "ws://127.0.0.1:18789",
+        token: "abc",
+        password: "def",
+        timeout: "5000",
+      },
+      probe: true,
+      requireRpc: true,
+      deep: true,
+      json: true,
+    });
+  });
+
+  it("passes --no-probe through to daemon status", async () => {
+    const route = expectRoute(["gateway", "status"]);
+    await expect(route?.run(["node", "openclaw", "gateway", "status", "--no-probe"])).resolves.toBe(
+      true,
+    );
+
+    expect(runDaemonStatusMock).toHaveBeenCalledWith({
+      rpc: {
+        url: undefined,
+        token: undefined,
+        password: undefined,
+        timeout: undefined,
+      },
+      probe: false,
+      requireRpc: false,
+      deep: false,
+      json: false,
+    });
+  });
+
   it("returns false when status timeout flag value is missing", async () => {
     await expectRunFalse(["status"], ["node", "openclaw", "status", "--timeout"]);
   });
 
+  it("routes status --json through the lean JSON command", async () => {
+    const route = expectRoute(["status"]);
+    await expect(
+      route?.run([
+        "node",
+        "openclaw",
+        "status",
+        "--json",
+        "--deep",
+        "--usage",
+        "--timeout",
+        "5000",
+      ]),
+    ).resolves.toBe(true);
+    expect(statusJsonCommandMock).toHaveBeenCalledWith(
+      { deep: true, all: false, usage: true, timeoutMs: 5000 },
+      expect.any(Object),
+    );
+  });
+
   it("returns false for sessions route when --store value is missing", async () => {
     await expectRunFalse(["sessions"], ["node", "openclaw", "sessions", "--store"]);
   });
diff --git a/src/cli/program/routes.ts b/src/cli/program/routes.ts
index cea5fcb8138..cbb6d6dbfdc 100644
--- a/src/cli/program/routes.ts
+++ b/src/cli/program/routes.ts
@@ -34,9 +34,9 @@ const routeHealth: RouteSpec = {
 
 const routeStatus: RouteSpec = {
   match: (path) => path[0] === "status",
-  // Status runs security audit with channel checks in both text and JSON output,
-  // so plugin registry must be ready for consistent findings.
-  loadPlugins: true,
+  // `status --json` can defer channel plugin loading until config/env inspection
+  // proves it is needed, which keeps the fast-path startup lightweight.
+  loadPlugins: (argv) => !hasFlag(argv, "--json"),
   run: async (argv) => {
     const json = hasFlag(argv, "--json");
     const deep = hasFlag(argv, "--deep");
@@ -47,12 +47,74 @@ const routeStatus: RouteSpec = {
     if (timeoutMs === null) {
       return false;
     }
+    if (json) {
+      const { statusJsonCommand } = await import("../../commands/status-json.js");
+      await statusJsonCommand({ deep, all, usage, timeoutMs }, defaultRuntime);
+      return true;
+    }
     const { statusCommand } = await import("../../commands/status.js");
     await statusCommand({ json, deep, all, usage, timeoutMs, verbose }, defaultRuntime);
     return true;
   },
 };
 
+const routeGatewayStatus: RouteSpec = {
+  match: (path) => path[0] === "gateway" && path[1] === "status",
+  run: async (argv) => {
+    const url = getFlagValue(argv, "--url");
+    if (url === null) {
+      return false;
+    }
+    const token = getFlagValue(argv, "--token");
+    if (token === null) {
+      return false;
+    }
+    const password = getFlagValue(argv, "--password");
+    if (password === null) {
+      return false;
+    }
+    const timeout = getFlagValue(argv, "--timeout");
+    if (timeout === null) {
+      return false;
+    }
+    const ssh = getFlagValue(argv, "--ssh");
+    if (ssh === null) {
+      return false;
+    }
+    if (ssh !== undefined) {
+      return false;
+    }
+    const sshIdentity = getFlagValue(argv, "--ssh-identity");
+    if (sshIdentity === null) {
+      return false;
+    }
+    if (sshIdentity !== undefined) {
+      return false;
+    }
+    if (hasFlag(argv, "--ssh-auto")) {
+      return false;
+    }
+    const deep = hasFlag(argv, "--deep");
+    const json = hasFlag(argv, "--json");
+    const requireRpc = hasFlag(argv, "--require-rpc");
+    const probe = !hasFlag(argv, "--no-probe");
+    const { runDaemonStatus } = await import("../daemon-cli/status.js");
+    await runDaemonStatus({
+      rpc: {
+        url: url ?? undefined,
+        token: token ?? undefined,
+        password: password ?? undefined,
+        timeout: timeout ?? undefined,
+      },
+      probe,
+      requireRpc,
+      deep,
+      json,
+    });
+    return true;
+  },
+};
+
 const routeSessions: RouteSpec = {
   // Fast-path only bare `sessions`; subcommands (e.g. `sessions cleanup`)
   // must fall through to Commander so nested handlers run.
@@ -251,6 +313,7 @@ const routeModelsStatus: RouteSpec = {
 const routes: RouteSpec[] = [
   routeHealth,
   routeStatus,
+  routeGatewayStatus,
   routeSessions,
   routeAgentsList,
   routeMemoryStatus,
diff --git a/src/cli/program/subcli-descriptors.ts b/src/cli/program/subcli-descriptors.ts
new file mode 100644
index 00000000000..4011e706b2b
--- /dev/null
+++ b/src/cli/program/subcli-descriptors.ts
@@ -0,0 +1,144 @@
+export type SubCliDescriptor = {
+  name: string;
+  description: string;
+  hasSubcommands: boolean;
+};
+
+export const SUB_CLI_DESCRIPTORS = [
+  { name: "acp", description: "Agent Control Protocol tools", hasSubcommands: true },
+  {
+    name: "gateway",
+    description: "Run, inspect, and query the WebSocket Gateway",
+    hasSubcommands: true,
+  },
+  { name: "daemon", description: "Gateway service (legacy alias)", hasSubcommands: true },
+  { name: "logs", description: "Tail gateway file logs via RPC", hasSubcommands: false },
+  {
+    name: "system",
+    description: "System events, heartbeat, and presence",
+    hasSubcommands: true,
+  },
+  {
+    name: "models",
+    description: "Discover, scan, and configure models",
+    hasSubcommands: true,
+  },
+  {
+    name: "approvals",
+    description: "Manage exec approvals (gateway or node host)",
+    hasSubcommands: true,
+  },
+  {
+    name: "nodes",
+    description: "Manage gateway-owned node pairing and node commands",
+    hasSubcommands: true,
+  },
+  {
+    name: "devices",
+    description: "Device pairing + token management",
+    hasSubcommands: true,
+  },
+  {
+    name: "node",
+    description: "Run and manage the headless node host service",
+    hasSubcommands: true,
+  },
+  {
+    name: "sandbox",
+    description: "Manage sandbox containers for agent isolation",
+    hasSubcommands: true,
+  },
+  {
+    name: "tui",
+    description: "Open a terminal UI connected to the Gateway",
+    hasSubcommands: false,
+  },
+  {
+    name: "cron",
+    description: "Manage cron jobs via the Gateway scheduler",
+    hasSubcommands: true,
+  },
+  {
+    name: "dns",
+    description: "DNS helpers for wide-area discovery (Tailscale + CoreDNS)",
+    hasSubcommands: true,
+  },
+  {
+    name: "docs",
+    description: "Search the live OpenClaw docs",
+    hasSubcommands: false,
+  },
+  {
+    name: "hooks",
+    description: "Manage internal agent hooks",
+    hasSubcommands: true,
+  },
+  {
+    name: "webhooks",
+    description: "Webhook helpers and integrations",
+    hasSubcommands: true,
+  },
+  {
+    name: "qr",
+    description: "Generate iOS pairing QR/setup code",
+    hasSubcommands: false,
+  },
+  {
+    name: "clawbot",
+    description: "Legacy clawbot command aliases",
+    hasSubcommands: true,
+  },
+  {
+    name: "pairing",
+    description: "Secure DM pairing (approve inbound requests)",
+    hasSubcommands: true,
+  },
+  {
+    name: "plugins",
+    description: "Manage OpenClaw plugins and extensions",
+    hasSubcommands: true,
+  },
+  {
+    name: "channels",
+    description: "Manage connected chat channels (Telegram, Discord, etc.)",
+    hasSubcommands: true,
+  },
+  {
+    name: "directory",
+    description: "Lookup contact and group IDs (self, peers, groups) for supported chat channels",
+    hasSubcommands: true,
+  },
+  {
+    name: "security",
+    description: "Security tools and local config audits",
+    hasSubcommands: true,
+  },
+  {
+    name: "secrets",
+    description: "Secrets runtime reload controls",
+    hasSubcommands: true,
+  },
+  {
+    name: "skills",
+    description: "List and inspect available skills",
+    hasSubcommands: true,
+  },
+  {
+    name: "update",
+    description: "Update OpenClaw and inspect update channel status",
+    hasSubcommands: true,
+  },
+  {
+    name: "completion",
+    description: "Generate shell completion script",
+    hasSubcommands: false,
+  },
+] as const satisfies ReadonlyArray<SubCliDescriptor>;
+
+export function getSubCliEntries(): ReadonlyArray<SubCliDescriptor> {
+  return SUB_CLI_DESCRIPTORS;
+}
+
+export function getSubCliCommandsWithSubcommands(): string[] {
+  return SUB_CLI_DESCRIPTORS.filter((entry) => entry.hasSubcommands).map((entry) => entry.name);
+}
diff --git a/src/cli/route.test.ts b/src/cli/route.test.ts
index 93516906ad0..9e7c6c7c110 100644
--- a/src/cli/route.test.ts
+++ b/src/cli/route.test.ts
@@ -37,7 +37,7 @@ describe("tryRouteCli", () => {
     vi.resetModules();
     ({ tryRouteCli } = await import("./route.js"));
     findRoutedCommandMock.mockReturnValue({
-      loadPlugins: true,
+      loadPlugins: (argv: string[]) => !argv.includes("--json"),
       run: runRouteMock,
     });
   });
@@ -59,7 +59,7 @@ describe("tryRouteCli", () => {
         suppressDoctorStdout: true,
       }),
     );
-    expect(ensurePluginRegistryLoadedMock).toHaveBeenCalledWith({ scope: "channels" });
+    expect(ensurePluginRegistryLoadedMock).not.toHaveBeenCalled();
   });
 
   it("does not pass suppressDoctorStdout for routed non-json commands", async () => {
diff --git a/src/cli/security-cli.test.ts b/src/cli/security-cli.test.ts
new file mode 100644
index 00000000000..95c3e62d4ae
--- /dev/null
+++ b/src/cli/security-cli.test.ts
@@ -0,0 +1,245 @@
+import { Command } from "commander";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createCliRuntimeCapture } from "./test-runtime-capture.js";
+
+const loadConfig = vi.fn();
+const runSecurityAudit = vi.fn();
+const fixSecurityFootguns = vi.fn();
+const resolveCommandSecretRefsViaGateway = vi.fn();
+const getSecurityAuditCommandSecretTargetIds = vi.fn(
+  () => new Set(["gateway.auth.token", "gateway.auth.password"]),
+);
+
+const { defaultRuntime, runtimeLogs, resetRuntimeCapture } = createCliRuntimeCapture();
+
+vi.mock("../config/config.js", () => ({
+  loadConfig: () => loadConfig(),
+}));
+
+vi.mock("../runtime.js", () => ({
+  defaultRuntime,
+}));
+
+vi.mock("../security/audit.js", () => ({
+  runSecurityAudit: (opts: unknown) => runSecurityAudit(opts),
+}));
+
+vi.mock("../security/fix.js", () => ({
+  fixSecurityFootguns: () => fixSecurityFootguns(),
+}));
+
+vi.mock("./command-secret-gateway.js", () => ({
+  resolveCommandSecretRefsViaGateway: (opts: unknown) => resolveCommandSecretRefsViaGateway(opts),
+}));
+
+vi.mock("./command-secret-targets.js", () => ({
+  getSecurityAuditCommandSecretTargetIds: () => getSecurityAuditCommandSecretTargetIds(),
+}));
+
+const { registerSecurityCli } = await import("./security-cli.js");
+
+function createProgram() {
+  const program = new Command();
+  program.exitOverride();
+  registerSecurityCli(program);
+  return program;
+}
+
+describe("security CLI", () => {
+  beforeEach(() => {
+    resetRuntimeCapture();
+    loadConfig.mockReset();
+    runSecurityAudit.mockReset();
+    fixSecurityFootguns.mockReset();
+    resolveCommandSecretRefsViaGateway.mockReset();
+    getSecurityAuditCommandSecretTargetIds.mockClear();
+    fixSecurityFootguns.mockResolvedValue({
+      changes: [],
+      actions: [],
+      errors: [],
+    });
+  });
+
+  it("runs audit with read-only SecretRef resolution and prints JSON diagnostics", async () => {
+    const sourceConfig = {
+      gateway: {
+        auth: {
+          mode: "token",
+          token: { source: "env", provider: "default", id: "OPENCLAW_GATEWAY_TOKEN" },
+        },
+      },
+      secrets: {
+        providers: {
+          default: { source: "env" },
+        },
+      },
+    };
+    const resolvedConfig = {
+      ...sourceConfig,
+      gateway: {
+        ...sourceConfig.gateway,
+        auth: {
+          ...sourceConfig.gateway.auth,
+          token: "resolved-token",
+        },
+      },
+    };
+    loadConfig.mockReturnValue(sourceConfig);
+    resolveCommandSecretRefsViaGateway.mockResolvedValue({
+      resolvedConfig,
+      diagnostics: [
+        "security audit: gateway secrets.resolve unavailable (gateway closed); resolved command secrets locally.",
+      ],
+      targetStatesByPath: {},
+      hadUnresolvedTargets: false,
+    });
+    runSecurityAudit.mockResolvedValue({
+      ts: 0,
+      summary: { critical: 0, warn: 1, info: 0 },
+      findings: [
+        {
+          checkId: "gateway.probe_failed",
+          severity: "warn",
+          title: "Gateway probe failed (deep)",
+          detail: "connect failed: connect ECONNREFUSED 127.0.0.1:18789",
+        },
+      ],
+    });
+
+    await createProgram().parseAsync(["security", "audit", "--json"], { from: "user" });
+
+    expect(resolveCommandSecretRefsViaGateway).toHaveBeenCalledWith(
+      expect.objectContaining({
+        config: sourceConfig,
+        commandName: "security audit",
+        mode: "read_only_status",
+        targetIds: expect.any(Set),
+      }),
+    );
+    expect(runSecurityAudit).toHaveBeenCalledWith(
+      expect.objectContaining({
+        config: resolvedConfig,
+        sourceConfig,
+        deep: false,
+        includeFilesystem: true,
+        includeChannelSecurity: true,
+      }),
+    );
+    const payload = JSON.parse(String(runtimeLogs.at(-1)));
+    expect(payload.secretDiagnostics).toEqual([
+      "security audit: gateway secrets.resolve unavailable (gateway closed); resolved command secrets locally.",
+    ]);
+  });
+
+  it("forwards --token to deep probe auth without altering command-level resolver mode", async () => {
+    const sourceConfig = { gateway: { mode: "local" } };
+    loadConfig.mockReturnValue(sourceConfig);
+    resolveCommandSecretRefsViaGateway.mockResolvedValue({
+      resolvedConfig: sourceConfig,
+      diagnostics: [],
+      targetStatesByPath: {},
+      hadUnresolvedTargets: false,
+    });
+    runSecurityAudit.mockResolvedValue({
+      ts: 0,
+      summary: { critical: 0, warn: 0, info: 0 },
+      findings: [],
+    });
+
+    await createProgram().parseAsync(
+      ["security", "audit", "--deep", "--token", "explicit-token", "--json"],
+      {
+        from: "user",
+      },
+    );
+
+    expect(resolveCommandSecretRefsViaGateway).toHaveBeenCalledWith(
+      expect.objectContaining({
+        mode: "read_only_status",
+      }),
+    );
+    expect(runSecurityAudit).toHaveBeenCalledWith(
+      expect.objectContaining({
+        deep: true,
+        deepProbeAuth: { token: "explicit-token" },
+      }),
+    );
+  });
+
+  it("forwards --password to deep probe auth without altering command-level resolver mode", async () => {
+    const sourceConfig = { gateway: { mode: "local" } };
+    loadConfig.mockReturnValue(sourceConfig);
+    resolveCommandSecretRefsViaGateway.mockResolvedValue({
+      resolvedConfig: sourceConfig,
+      diagnostics: [],
+      targetStatesByPath: {},
+      hadUnresolvedTargets: false,
+    });
+    runSecurityAudit.mockResolvedValue({
+      ts: 0,
+      summary: { critical: 0, warn: 0, info: 0 },
+      findings: [],
+    });
+
+    await createProgram().parseAsync(
+      ["security", "audit", "--deep", "--password", "explicit-password", "--json"],
+      {
+        from: "user",
+      },
+    );
+
+    expect(resolveCommandSecretRefsViaGateway).toHaveBeenCalledWith(
+      expect.objectContaining({
+        mode: "read_only_status",
+      }),
+    );
+    expect(runSecurityAudit).toHaveBeenCalledWith(
+      expect.objectContaining({
+        deep: true,
+        deepProbeAuth: { password: "explicit-password" },
+      }),
+    );
+  });
+
+  it("forwards both --token and --password to deep probe auth", async () => {
+    const sourceConfig = { gateway: { mode: "local" } };
+    loadConfig.mockReturnValue(sourceConfig);
+    resolveCommandSecretRefsViaGateway.mockResolvedValue({
+      resolvedConfig: sourceConfig,
+      diagnostics: [],
+      targetStatesByPath: {},
+      hadUnresolvedTargets: false,
+    });
+    runSecurityAudit.mockResolvedValue({
+      ts: 0,
+      summary: { critical: 0, warn: 0, info: 0 },
+      findings: [],
+    });
+
+    await createProgram().parseAsync(
+      [
+        "security",
+        "audit",
+        "--deep",
+        "--token",
+        "explicit-token",
+        "--password",
+        "explicit-password",
+        "--json",
+      ],
+      {
+        from: "user",
+      },
+    );
+
+    expect(runSecurityAudit).toHaveBeenCalledWith(
+      expect.objectContaining({
+        deep: true,
+        deepProbeAuth: {
+          token: "explicit-token",
+          password: "explicit-password",
+        },
+      }),
+    );
+  });
+});
diff --git a/src/cli/security-cli.ts b/src/cli/security-cli.ts
index f55f657f4c1..586e5e0f114 100644
--- a/src/cli/security-cli.ts
+++ b/src/cli/security-cli.ts
@@ -7,12 +7,16 @@ import { formatDocsLink } from "../terminal/links.js";
 import { isRich, theme } from "../terminal/theme.js";
 import { shortenHomeInString, shortenHomePath } from "../utils.js";
 import { formatCliCommand } from "./command-format.js";
+import { resolveCommandSecretRefsViaGateway } from "./command-secret-gateway.js";
+import { getSecurityAuditCommandSecretTargetIds } from "./command-secret-targets.js";
 import { formatHelpExamples } from "./help-format.js";
 
 type SecurityAuditOptions = {
   json?: boolean;
   deep?: boolean;
   fix?: boolean;
+  token?: string;
+  password?: string;
 };
 
 function formatSummary(summary: { critical: number; warn: number; info: number }): string {
@@ -37,6 +41,11 @@ export function registerSecurityCli(program: Command) {
         `\n${theme.heading("Examples:")}\n${formatHelpExamples([
           ["openclaw security audit", "Run a local security audit."],
           ["openclaw security audit --deep", "Include best-effort live Gateway probe checks."],
+          ["openclaw security audit --deep --token <token>", "Use explicit token for deep probe."],
+          [
+            "openclaw security audit --deep --password <password>",
+            "Use explicit password for deep probe.",
+          ],
           ["openclaw security audit --fix", "Apply safe remediations and file-permission fixes."],
           ["openclaw security audit --json", "Output machine-readable JSON."],
         ])}\n\n${theme.muted("Docs:")} ${formatDocsLink("/cli/security", "docs.openclaw.ai/cli/security")}\n`,
@@ -46,22 +55,45 @@ export function registerSecurityCli(program: Command) {
     .command("audit")
     .description("Audit config + local state for common security foot-guns")
     .option("--deep", "Attempt live Gateway probe (best-effort)", false)
+    .option("--token <token>", "Use explicit gateway token for deep probe auth")
+    .option("--password <password>", "Use explicit gateway password for deep probe auth")
     .option("--fix", "Apply safe fixes (tighten defaults + chmod state/config)", false)
     .option("--json", "Print JSON", false)
     .action(async (opts: SecurityAuditOptions) => {
       const fixResult = opts.fix ? await fixSecurityFootguns().catch((_err) => null) : null;
 
-      const cfg = loadConfig();
+      const sourceConfig = loadConfig();
+      const { resolvedConfig: cfg, diagnostics: secretDiagnostics } =
+        await resolveCommandSecretRefsViaGateway({
+          config: sourceConfig,
+          commandName: "security audit",
+          targetIds: getSecurityAuditCommandSecretTargetIds(),
+          mode: "read_only_status",
+        });
       const report = await runSecurityAudit({
         config: cfg,
+        sourceConfig,
         deep: Boolean(opts.deep),
         includeFilesystem: true,
         includeChannelSecurity: true,
+        deepProbeAuth:
+          opts.token?.trim() || opts.password?.trim()
+            ? {
+                ...(opts.token?.trim() ? { token: opts.token } : {}),
+                ...(opts.password?.trim() ? { password: opts.password } : {}),
+              }
+            : undefined,
       });
 
       if (opts.json) {
         defaultRuntime.log(
-          JSON.stringify(fixResult ? { fix: fixResult, report } : report, null, 2),
+          JSON.stringify(
+            fixResult
+              ? { fix: fixResult, report, secretDiagnostics }
+              : { ...report, secretDiagnostics },
+            null,
+            2,
+          ),
         );
         return;
       }
@@ -74,6 +106,9 @@ export function registerSecurityCli(program: Command) {
       lines.push(heading("OpenClaw security audit"));
       lines.push(muted(`Summary: ${formatSummary(report.summary)}`));
       lines.push(muted(`Run deeper: ${formatCliCommand("openclaw security audit --deep")}`));
+      for (const diagnostic of secretDiagnostics) {
+        lines.push(muted(`[secrets] ${diagnostic}`));
+      }
 
       if (opts.fix) {
         lines.push(muted(`Fix: ${formatCliCommand("openclaw security audit --fix")}`));
diff --git a/src/commands/agent/run-context.ts b/src/commands/agent/run-context.ts
index b9d3c3a69d0..b6c121a6c0a 100644
--- a/src/commands/agent/run-context.ts
+++ b/src/commands/agent/run-context.ts
@@ -42,8 +42,8 @@ export function resolveAgentRunContext(opts: AgentCommandOpts): AgentRunContext
     merged.currentThreadTs = String(opts.threadId);
   }
 
-  // Populate currentChannelId from the outbound target so that
-  // resolveTelegramAutoThreadId can match the originating chat.
+  // Populate currentChannelId from the outbound target so channel threading
+  // adapters can detect same-conversation auto-threading.
   if (!merged.currentChannelId && opts.to) {
     const trimmedTo = opts.to.trim();
     if (trimmedTo) {
diff --git a/src/commands/auth-choice-options.static.ts b/src/commands/auth-choice-options.static.ts
index f42c208333f..2dd92e35cdf 100644
--- a/src/commands/auth-choice-options.static.ts
+++ b/src/commands/auth-choice-options.static.ts
@@ -1,5 +1,4 @@
 import { AUTH_CHOICE_LEGACY_ALIASES_FOR_CLI } from "./auth-choice-legacy.js";
-import { ONBOARD_PROVIDER_AUTH_FLAGS } from "./onboard-provider-auth-flags.js";
 import type { AuthChoice, AuthChoiceGroupId } from "./onboard-types.js";
 
 export type { AuthChoiceGroupId };
@@ -8,7 +7,11 @@ export type AuthChoiceOption = {
   value: AuthChoice;
   label: string;
   hint?: string;
+  groupId?: AuthChoiceGroupId;
+  groupLabel?: string;
+  groupHint?: string;
 };
+
 export type AuthChoiceGroup = {
   value: AuthChoiceGroupId;
   label: string;
@@ -16,310 +19,39 @@ export type AuthChoiceGroup = {
   options: AuthChoiceOption[];
 };
 
-export const AUTH_CHOICE_GROUP_DEFS: {
-  value: AuthChoiceGroupId;
-  label: string;
-  hint?: string;
-  choices: AuthChoice[];
-}[] = [
-  {
-    value: "openai",
-    label: "OpenAI",
-    hint: "Codex OAuth + API key",
-    choices: ["openai-codex", "openai-api-key"],
-  },
-  {
-    value: "anthropic",
-    label: "Anthropic",
-    hint: "setup-token + API key",
-    choices: ["token", "apiKey"],
-  },
+export const CORE_AUTH_CHOICE_OPTIONS: ReadonlyArray<AuthChoiceOption> = [
   {
     value: "chutes",
-    label: "Chutes",
-    hint: "OAuth",
-    choices: ["chutes"],
+    label: "Chutes (OAuth)",
+    groupId: "chutes",
+    groupLabel: "Chutes",
+    groupHint: "OAuth",
   },
   {
-    value: "minimax",
-    label: "MiniMax",
-    hint: "M2.5 (recommended)",
-    choices: ["minimax-global-oauth", "minimax-global-api", "minimax-cn-oauth", "minimax-cn-api"],
+    value: "litellm-api-key",
+    label: "LiteLLM API key",
+    hint: "Unified gateway for 100+ LLM providers",
+    groupId: "litellm",
+    groupLabel: "LiteLLM",
+    groupHint: "Unified LLM gateway (100+ providers)",
   },
   {
-    value: "moonshot",
-    label: "Moonshot AI (Kimi K2.5)",
-    hint: "Kimi K2.5 + Kimi Coding",
-    choices: ["moonshot-api-key", "moonshot-api-key-cn", "kimi-code-api-key"],
-  },
-  {
-    value: "google",
-    label: "Google",
-    hint: "Gemini API key + OAuth",
-    choices: ["gemini-api-key", "google-gemini-cli"],
-  },
-  {
-    value: "xai",
-    label: "xAI (Grok)",
-    hint: "API key",
-    choices: ["xai-api-key"],
-  },
-  {
-    value: "mistral",
-    label: "Mistral AI",
-    hint: "API key",
-    choices: ["mistral-api-key"],
-  },
-  {
-    value: "volcengine",
-    label: "Volcano Engine",
-    hint: "API key",
-    choices: ["volcengine-api-key"],
-  },
-  {
-    value: "byteplus",
-    label: "BytePlus",
-    hint: "API key",
-    choices: ["byteplus-api-key"],
-  },
-  {
-    value: "openrouter",
-    label: "OpenRouter",
-    hint: "API key",
-    choices: ["openrouter-api-key"],
-  },
-  {
-    value: "kilocode",
-    label: "Kilo Gateway",
-    hint: "API key (OpenRouter-compatible)",
-    choices: ["kilocode-api-key"],
-  },
-  {
-    value: "qwen",
-    label: "Qwen",
-    hint: "OAuth",
-    choices: ["qwen-portal"],
-  },
-  {
-    value: "zai",
-    label: "Z.AI",
-    hint: "GLM Coding Plan / Global / CN",
-    choices: ["zai-coding-global", "zai-coding-cn", "zai-global", "zai-cn"],
-  },
-  {
-    value: "qianfan",
-    label: "Qianfan",
-    hint: "API key",
-    choices: ["qianfan-api-key"],
-  },
-  {
-    value: "modelstudio",
-    label: "Alibaba Cloud Model Studio",
-    hint: "Coding Plan API key (CN / Global)",
-    choices: ["modelstudio-api-key-cn", "modelstudio-api-key"],
-  },
-  {
-    value: "copilot",
-    label: "Copilot",
-    hint: "GitHub + local proxy",
-    choices: ["github-copilot", "copilot-proxy"],
-  },
-  {
-    value: "ai-gateway",
-    label: "Vercel AI Gateway",
-    hint: "API key",
-    choices: ["ai-gateway-api-key"],
-  },
-  {
-    value: "opencode",
-    label: "OpenCode",
-    hint: "Shared API key for Zen + Go catalogs",
-    choices: ["opencode-zen", "opencode-go"],
-  },
-  {
-    value: "xiaomi",
-    label: "Xiaomi",
-    hint: "API key",
-    choices: ["xiaomi-api-key"],
-  },
-  {
-    value: "synthetic",
-    label: "Synthetic",
-    hint: "Anthropic-compatible (multi-model)",
-    choices: ["synthetic-api-key"],
-  },
-  {
-    value: "together",
-    label: "Together AI",
-    hint: "API key",
-    choices: ["together-api-key"],
-  },
-  {
-    value: "huggingface",
-    label: "Hugging Face",
-    hint: "Inference API (HF token)",
-    choices: ["huggingface-api-key"],
-  },
-  {
-    value: "venice",
-    label: "Venice AI",
-    hint: "Privacy-focused (uncensored models)",
-    choices: ["venice-api-key"],
-  },
-  {
-    value: "litellm",
-    label: "LiteLLM",
-    hint: "Unified LLM gateway (100+ providers)",
-    choices: ["litellm-api-key"],
-  },
-  {
-    value: "cloudflare-ai-gateway",
-    label: "Cloudflare AI Gateway",
-    hint: "Account ID + Gateway ID + API key",
-    choices: ["cloudflare-ai-gateway-api-key"],
-  },
-  {
-    value: "custom",
+    value: "custom-api-key",
     label: "Custom Provider",
     hint: "Any OpenAI or Anthropic compatible endpoint",
-    choices: ["custom-api-key"],
+    groupId: "custom",
+    groupLabel: "Custom Provider",
+    groupHint: "Any OpenAI or Anthropic compatible endpoint",
   },
 ];
 
-const PROVIDER_AUTH_CHOICE_OPTION_HINTS: Partial<Record<AuthChoice, string>> = {
-  "litellm-api-key": "Unified gateway for 100+ LLM providers",
-  "cloudflare-ai-gateway-api-key": "Account ID + Gateway ID + API key",
-  "venice-api-key": "Privacy-focused inference (uncensored models)",
-  "together-api-key": "Access to Llama, DeepSeek, Qwen, and more open models",
-  "huggingface-api-key": "Inference Providers — OpenAI-compatible chat",
-  "opencode-zen": "Shared OpenCode key; curated Zen catalog",
-  "opencode-go": "Shared OpenCode key; Kimi/GLM/MiniMax Go catalog",
-};
-
-const PROVIDER_AUTH_CHOICE_OPTION_LABELS: Partial<Record<AuthChoice, string>> = {
-  "moonshot-api-key": "Kimi API key (.ai)",
-  "moonshot-api-key-cn": "Kimi API key (.cn)",
-  "kimi-code-api-key": "Kimi Code API key (subscription)",
-  "cloudflare-ai-gateway-api-key": "Cloudflare AI Gateway",
-  "opencode-zen": "OpenCode Zen catalog",
-  "opencode-go": "OpenCode Go catalog",
-};
-
-function buildProviderAuthChoiceOptions(): AuthChoiceOption[] {
-  return ONBOARD_PROVIDER_AUTH_FLAGS.map((flag) => ({
-    value: flag.authChoice,
-    label: PROVIDER_AUTH_CHOICE_OPTION_LABELS[flag.authChoice] ?? flag.description,
-    ...(PROVIDER_AUTH_CHOICE_OPTION_HINTS[flag.authChoice]
-      ? { hint: PROVIDER_AUTH_CHOICE_OPTION_HINTS[flag.authChoice] }
-      : {}),
-  }));
-}
-
-export const BASE_AUTH_CHOICE_OPTIONS: ReadonlyArray<AuthChoiceOption> = [
-  {
-    value: "token",
-    label: "Anthropic token (paste setup-token)",
-    hint: "run `claude setup-token` elsewhere, then paste the token here",
-  },
-  {
-    value: "openai-codex",
-    label: "OpenAI Codex (ChatGPT OAuth)",
-  },
-  { value: "chutes", label: "Chutes (OAuth)" },
-  ...buildProviderAuthChoiceOptions(),
-  {
-    value: "moonshot-api-key-cn",
-    label: "Kimi API key (.cn)",
-  },
-  {
-    value: "github-copilot",
-    label: "GitHub Copilot (GitHub device login)",
-    hint: "Uses GitHub device flow",
-  },
-  { value: "gemini-api-key", label: "Google Gemini API key" },
-  {
-    value: "google-gemini-cli",
-    label: "Google Gemini CLI OAuth",
-    hint: "Unofficial flow; review account-risk warning before use",
-  },
-  { value: "zai-api-key", label: "Z.AI API key" },
-  {
-    value: "zai-coding-global",
-    label: "Coding-Plan-Global",
-    hint: "GLM Coding Plan Global (api.z.ai)",
-  },
-  {
-    value: "zai-coding-cn",
-    label: "Coding-Plan-CN",
-    hint: "GLM Coding Plan CN (open.bigmodel.cn)",
-  },
-  {
-    value: "zai-global",
-    label: "Global",
-    hint: "Z.AI Global (api.z.ai)",
-  },
-  {
-    value: "zai-cn",
-    label: "CN",
-    hint: "Z.AI CN (open.bigmodel.cn)",
-  },
-  {
-    value: "xiaomi-api-key",
-    label: "Xiaomi API key",
-  },
-  {
-    value: "minimax-global-oauth",
-    label: "MiniMax Global — OAuth (minimax.io)",
-    hint: "Only supports OAuth for the coding plan",
-  },
-  {
-    value: "minimax-global-api",
-    label: "MiniMax Global — API Key (minimax.io)",
-    hint: "sk-api- or sk-cp- keys supported",
-  },
-  {
-    value: "minimax-cn-oauth",
-    label: "MiniMax CN — OAuth (minimaxi.com)",
-    hint: "Only supports OAuth for the coding plan",
-  },
-  {
-    value: "minimax-cn-api",
-    label: "MiniMax CN — API Key (minimaxi.com)",
-    hint: "sk-api- or sk-cp- keys supported",
-  },
-  { value: "qwen-portal", label: "Qwen OAuth" },
-  {
-    value: "copilot-proxy",
-    label: "Copilot Proxy (local)",
-    hint: "Local proxy for VS Code Copilot models",
-  },
-  { value: "apiKey", label: "Anthropic API key" },
-  {
-    value: "opencode-zen",
-    label: "OpenCode Zen catalog",
-    hint: "Claude, GPT, Gemini via opencode.ai/zen",
-  },
-  { value: "qianfan-api-key", label: "Qianfan API key" },
-  {
-    value: "modelstudio-api-key-cn",
-    label: "Coding Plan API Key for China (subscription)",
-    hint: "Endpoint: coding.dashscope.aliyuncs.com",
-  },
-  {
-    value: "modelstudio-api-key",
-    label: "Coding Plan API Key for Global/Intl (subscription)",
-    hint: "Endpoint: coding-intl.dashscope.aliyuncs.com",
-  },
-  { value: "custom-api-key", label: "Custom Provider" },
-];
-
 export function formatStaticAuthChoiceChoicesForCli(params?: {
   includeSkip?: boolean;
   includeLegacyAliases?: boolean;
 }): string {
   const includeSkip = params?.includeSkip ?? true;
   const includeLegacyAliases = params?.includeLegacyAliases ?? false;
-  const values = BASE_AUTH_CHOICE_OPTIONS.map((opt) => opt.value);
+  const values = CORE_AUTH_CHOICE_OPTIONS.map((opt) => opt.value);
 
   if (includeSkip) {
     values.push("skip");
diff --git a/src/commands/auth-choice-options.test.ts b/src/commands/auth-choice-options.test.ts
index c45297a001e..933d998bc6e 100644
--- a/src/commands/auth-choice-options.test.ts
+++ b/src/commands/auth-choice-options.test.ts
@@ -1,5 +1,6 @@
-import { describe, expect, it, vi } from "vitest";
+import { beforeEach, describe, expect, it, vi } from "vitest";
 import type { AuthProfileStore } from "../agents/auth-profiles.js";
+import type { ProviderAuthChoiceMetadata } from "../plugins/provider-auth-choices.js";
 import type { ProviderWizardOption } from "../plugins/provider-wizard.js";
 import {
   buildAuthChoiceGroups,
@@ -8,9 +9,15 @@ import {
 } from "./auth-choice-options.js";
 import { formatStaticAuthChoiceChoicesForCli } from "./auth-choice-options.static.js";
 
+const resolveManifestProviderAuthChoices = vi.hoisted(() =>
+  vi.fn<() => ProviderAuthChoiceMetadata[]>(() => []),
+);
 const resolveProviderWizardOptions = vi.hoisted(() =>
   vi.fn<() => ProviderWizardOption[]>(() => []),
 );
+vi.mock("../plugins/provider-auth-choices.js", () => ({
+  resolveManifestProviderAuthChoices,
+}));
 vi.mock("../plugins/provider-wizard.js", () => ({
   resolveProviderWizardOptions,
 }));
@@ -25,7 +32,140 @@ function getOptions(includeSkip = false) {
 }
 
 describe("buildAuthChoiceOptions", () => {
+  beforeEach(() => {
+    resolveManifestProviderAuthChoices.mockReturnValue([]);
+    resolveProviderWizardOptions.mockReturnValue([]);
+  });
+
   it("includes core and provider-specific auth choices", () => {
+    resolveManifestProviderAuthChoices.mockReturnValue([
+      {
+        pluginId: "github-copilot",
+        providerId: "github-copilot",
+        methodId: "device",
+        choiceId: "github-copilot",
+        choiceLabel: "GitHub Copilot",
+        groupId: "copilot",
+        groupLabel: "Copilot",
+      },
+      {
+        pluginId: "anthropic",
+        providerId: "anthropic",
+        methodId: "setup-token",
+        choiceId: "token",
+        choiceLabel: "Anthropic token (paste setup-token)",
+        groupId: "anthropic",
+        groupLabel: "Anthropic",
+      },
+      {
+        pluginId: "openai",
+        providerId: "openai",
+        methodId: "api-key",
+        choiceId: "openai-api-key",
+        choiceLabel: "OpenAI API key",
+        groupId: "openai",
+        groupLabel: "OpenAI",
+      },
+      {
+        pluginId: "moonshot",
+        providerId: "moonshot",
+        methodId: "api-key",
+        choiceId: "moonshot-api-key",
+        choiceLabel: "Kimi API key (.ai)",
+        groupId: "moonshot",
+        groupLabel: "Moonshot AI (Kimi K2.5)",
+      },
+      {
+        pluginId: "minimax",
+        providerId: "minimax",
+        methodId: "api-global",
+        choiceId: "minimax-global-api",
+        choiceLabel: "MiniMax API key (Global)",
+        groupId: "minimax",
+        groupLabel: "MiniMax",
+      },
+      {
+        pluginId: "zai",
+        providerId: "zai",
+        methodId: "api-key",
+        choiceId: "zai-api-key",
+        choiceLabel: "Z.AI API key",
+        groupId: "zai",
+        groupLabel: "Z.AI",
+      },
+      {
+        pluginId: "xiaomi",
+        providerId: "xiaomi",
+        methodId: "api-key",
+        choiceId: "xiaomi-api-key",
+        choiceLabel: "Xiaomi API key",
+        groupId: "xiaomi",
+        groupLabel: "Xiaomi",
+      },
+      {
+        pluginId: "together",
+        providerId: "together",
+        methodId: "api-key",
+        choiceId: "together-api-key",
+        choiceLabel: "Together AI API key",
+        groupId: "together",
+        groupLabel: "Together AI",
+      },
+      {
+        pluginId: "qwen-portal-auth",
+        providerId: "qwen-portal",
+        methodId: "device",
+        choiceId: "qwen-portal",
+        choiceLabel: "Qwen OAuth",
+        groupId: "qwen",
+        groupLabel: "Qwen",
+      },
+      {
+        pluginId: "xai",
+        providerId: "xai",
+        methodId: "api-key",
+        choiceId: "xai-api-key",
+        choiceLabel: "xAI API key",
+        groupId: "xai",
+        groupLabel: "xAI (Grok)",
+      },
+      {
+        pluginId: "mistral",
+        providerId: "mistral",
+        methodId: "api-key",
+        choiceId: "mistral-api-key",
+        choiceLabel: "Mistral API key",
+        groupId: "mistral",
+        groupLabel: "Mistral AI",
+      },
+      {
+        pluginId: "volcengine",
+        providerId: "volcengine",
+        methodId: "api-key",
+        choiceId: "volcengine-api-key",
+        choiceLabel: "Volcano Engine API key",
+        groupId: "volcengine",
+        groupLabel: "Volcano Engine",
+      },
+      {
+        pluginId: "byteplus",
+        providerId: "byteplus",
+        methodId: "api-key",
+        choiceId: "byteplus-api-key",
+        choiceLabel: "BytePlus API key",
+        groupId: "byteplus",
+        groupLabel: "BytePlus",
+      },
+      {
+        pluginId: "opencode-go",
+        providerId: "opencode-go",
+        methodId: "api-key",
+        choiceId: "opencode-go",
+        choiceLabel: "OpenCode Go catalog",
+        groupId: "opencode",
+        groupLabel: "OpenCode",
+      },
+    ]);
     resolveProviderWizardOptions.mockReturnValue([
       {
         value: "ollama",
@@ -57,15 +197,8 @@ describe("buildAuthChoiceOptions", () => {
       "zai-api-key",
       "xiaomi-api-key",
       "minimax-global-api",
-      "minimax-cn-api",
-      "minimax-global-oauth",
       "moonshot-api-key",
-      "moonshot-api-key-cn",
-      "kimi-code-api-key",
       "together-api-key",
-      "ai-gateway-api-key",
-      "cloudflare-ai-gateway-api-key",
-      "synthetic-api-key",
       "chutes",
       "qwen-portal",
       "xai-api-key",
@@ -82,15 +215,37 @@ describe("buildAuthChoiceOptions", () => {
   });
 
   it("builds cli help choices from the same catalog", () => {
+    resolveManifestProviderAuthChoices.mockReturnValue([
+      {
+        pluginId: "openai",
+        providerId: "openai",
+        methodId: "api-key",
+        choiceId: "openai-api-key",
+        choiceLabel: "OpenAI API key",
+      },
+    ]);
+    resolveProviderWizardOptions.mockReturnValue([
+      {
+        value: "ollama",
+        label: "Ollama",
+        hint: "Cloud and local open models",
+        groupId: "ollama",
+        groupLabel: "Ollama",
+      },
+    ]);
     const options = getOptions(true);
     const cliChoices = formatAuthChoiceChoicesForCli({
       includeLegacyAliases: false,
       includeSkip: true,
     }).split("|");
 
-    for (const option of options) {
-      expect(cliChoices).toContain(option.value);
-    }
+    expect(cliChoices).toContain("openai-api-key");
+    expect(cliChoices).toContain("chutes");
+    expect(cliChoices).toContain("litellm-api-key");
+    expect(cliChoices).toContain("custom-api-key");
+    expect(cliChoices).toContain("skip");
+    expect(options.some((option) => option.value === "ollama")).toBe(true);
+    expect(cliChoices).not.toContain("ollama");
   });
 
   it("can include legacy aliases in cli help choices", () => {
@@ -106,6 +261,15 @@ describe("buildAuthChoiceOptions", () => {
   });
 
   it("keeps static cli help choices off the plugin-backed catalog", () => {
+    resolveManifestProviderAuthChoices.mockReturnValue([
+      {
+        pluginId: "openai",
+        providerId: "openai",
+        methodId: "api-key",
+        choiceId: "openai-api-key",
+        choiceLabel: "OpenAI API key",
+      },
+    ]);
     resolveProviderWizardOptions.mockReturnValue([
       {
         value: "ollama",
@@ -122,10 +286,12 @@ describe("buildAuthChoiceOptions", () => {
     }).split("|");
 
     expect(cliChoices).not.toContain("ollama");
+    expect(cliChoices).not.toContain("openai-api-key");
     expect(cliChoices).toContain("skip");
   });
 
   it("shows Chutes in grouped provider selection", () => {
+    resolveManifestProviderAuthChoices.mockReturnValue([]);
     const { groups } = buildAuthChoiceGroups({
       store: EMPTY_STORE,
       includeSkip: false,
@@ -137,6 +303,26 @@ describe("buildAuthChoiceOptions", () => {
   });
 
   it("groups OpenCode Zen and Go under one OpenCode entry", () => {
+    resolveManifestProviderAuthChoices.mockReturnValue([
+      {
+        pluginId: "opencode",
+        providerId: "opencode",
+        methodId: "api-key",
+        choiceId: "opencode-zen",
+        choiceLabel: "OpenCode Zen catalog",
+        groupId: "opencode",
+        groupLabel: "OpenCode",
+      },
+      {
+        pluginId: "opencode-go",
+        providerId: "opencode-go",
+        methodId: "api-key",
+        choiceId: "opencode-go",
+        choiceLabel: "OpenCode Go catalog",
+        groupId: "opencode",
+        groupLabel: "OpenCode",
+      },
+    ]);
     const { groups } = buildAuthChoiceGroups({
       store: EMPTY_STORE,
       includeSkip: false,
@@ -149,6 +335,7 @@ describe("buildAuthChoiceOptions", () => {
   });
 
   it("shows Ollama in grouped provider selection", () => {
+    resolveManifestProviderAuthChoices.mockReturnValue([]);
     resolveProviderWizardOptions.mockReturnValue([
       {
         value: "ollama",
diff --git a/src/commands/auth-choice-options.ts b/src/commands/auth-choice-options.ts
index 3e97a103aad..03bfa86749a 100644
--- a/src/commands/auth-choice-options.ts
+++ b/src/commands/auth-choice-options.ts
@@ -1,21 +1,51 @@
 import type { AuthProfileStore } from "../agents/auth-profiles.js";
 import type { OpenClawConfig } from "../config/config.js";
+import { resolveManifestProviderAuthChoices } from "../plugins/provider-auth-choices.js";
 import { resolveProviderWizardOptions } from "../plugins/provider-wizard.js";
 import {
-  AUTH_CHOICE_GROUP_DEFS,
-  BASE_AUTH_CHOICE_OPTIONS,
+  CORE_AUTH_CHOICE_OPTIONS,
   type AuthChoiceGroup,
   type AuthChoiceOption,
   formatStaticAuthChoiceChoicesForCli,
 } from "./auth-choice-options.static.js";
 import type { AuthChoice, AuthChoiceGroupId } from "./onboard-types.js";
 
-function resolveDynamicProviderCliChoices(params?: {
+function compareOptionLabels(a: AuthChoiceOption, b: AuthChoiceOption): number {
+  return a.label.localeCompare(b.label);
+}
+
+function compareGroupLabels(a: AuthChoiceGroup, b: AuthChoiceGroup): number {
+  return a.label.localeCompare(b.label);
+}
+
+function resolveManifestProviderChoiceOptions(params?: {
   config?: OpenClawConfig;
   workspaceDir?: string;
   env?: NodeJS.ProcessEnv;
-}): string[] {
-  return [...new Set(resolveProviderWizardOptions(params ?? {}).map((option) => option.value))];
+}): AuthChoiceOption[] {
+  return resolveManifestProviderAuthChoices(params ?? {}).map((choice) => ({
+    value: choice.choiceId as AuthChoice,
+    label: choice.choiceLabel,
+    ...(choice.choiceHint ? { hint: choice.choiceHint } : {}),
+    ...(choice.groupId ? { groupId: choice.groupId as AuthChoiceGroupId } : {}),
+    ...(choice.groupLabel ? { groupLabel: choice.groupLabel } : {}),
+    ...(choice.groupHint ? { groupHint: choice.groupHint } : {}),
+  }));
+}
+
+function resolveRuntimeFallbackProviderChoiceOptions(params?: {
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}): AuthChoiceOption[] {
+  return resolveProviderWizardOptions(params ?? {}).map((option) => ({
+    value: option.value as AuthChoice,
+    label: option.label,
+    ...(option.hint ? { hint: option.hint } : {}),
+    groupId: option.groupId as AuthChoiceGroupId,
+    groupLabel: option.groupLabel,
+    ...(option.groupHint ? { groupHint: option.groupHint } : {}),
+  }));
 }
 
 export function formatAuthChoiceChoicesForCli(params?: {
@@ -27,10 +57,10 @@ export function formatAuthChoiceChoicesForCli(params?: {
 }): string {
   const values = [
     ...formatStaticAuthChoiceChoicesForCli(params).split("|"),
-    ...resolveDynamicProviderCliChoices(params),
+    ...resolveManifestProviderChoiceOptions(params).map((option) => option.value),
   ];
 
-  return values.join("|");
+  return [...new Set(values)].join("|");
 }
 
 export function buildAuthChoiceOptions(params: {
@@ -41,24 +71,30 @@ export function buildAuthChoiceOptions(params: {
   env?: NodeJS.ProcessEnv;
 }): AuthChoiceOption[] {
   void params.store;
-  const options: AuthChoiceOption[] = [...BASE_AUTH_CHOICE_OPTIONS];
-  const seen = new Set(options.map((option) => option.value));
-
-  for (const option of resolveProviderWizardOptions({
+  const optionByValue = new Map<AuthChoice, AuthChoiceOption>();
+  for (const option of CORE_AUTH_CHOICE_OPTIONS) {
+    optionByValue.set(option.value, option);
+  }
+  for (const option of resolveManifestProviderChoiceOptions({
     config: params.config,
     workspaceDir: params.workspaceDir,
     env: params.env,
   })) {
-    if (seen.has(option.value as AuthChoice)) {
-      continue;
-    }
-    options.push({
-      value: option.value as AuthChoice,
-      label: option.label,
-      hint: option.hint,
-    });
-    seen.add(option.value as AuthChoice);
+    optionByValue.set(option.value, option);
   }
+  for (const option of resolveRuntimeFallbackProviderChoiceOptions({
+    config: params.config,
+    workspaceDir: params.workspaceDir,
+    env: params.env,
+  })) {
+    if (!optionByValue.has(option.value)) {
+      optionByValue.set(option.value, option);
+    }
+  }
+
+  const options: AuthChoiceOption[] = Array.from(optionByValue.values()).toSorted(
+    compareOptionLabels,
+  );
 
   if (params.includeSkip) {
     options.push({ value: "skip", label: "Skip for now" });
@@ -81,46 +117,30 @@ export function buildAuthChoiceGroups(params: {
     ...params,
     includeSkip: false,
   });
-  const optionByValue = new Map<AuthChoice, AuthChoiceOption>(
-    options.map((opt) => [opt.value, opt]),
-  );
+  const groupsById = new Map<AuthChoiceGroupId, AuthChoiceGroup>();
 
-  const groups: AuthChoiceGroup[] = AUTH_CHOICE_GROUP_DEFS.map((group) => ({
-    ...group,
-    options: group.choices
-      .map((choice) => optionByValue.get(choice))
-      .filter((opt): opt is AuthChoiceOption => Boolean(opt)),
-  }));
-  const staticGroupIds = new Set(groups.map((group) => group.value));
-
-  for (const option of resolveProviderWizardOptions({
-    config: params.config,
-    workspaceDir: params.workspaceDir,
-    env: params.env,
-  })) {
-    const existing = groups.find((group) => group.value === option.groupId);
-    const nextOption = optionByValue.get(option.value as AuthChoice) ?? {
-      value: option.value as AuthChoice,
-      label: option.label,
-      hint: option.hint,
-    };
+  for (const option of options) {
+    if (!option.groupId || !option.groupLabel) {
+      continue;
+    }
+    const existing = groupsById.get(option.groupId);
     if (existing) {
-      if (!existing.options.some((candidate) => candidate.value === nextOption.value)) {
-        existing.options.push(nextOption);
-      }
+      existing.options.push(option);
       continue;
     }
-    if (staticGroupIds.has(option.groupId as AuthChoiceGroupId)) {
-      continue;
-    }
-    groups.push({
-      value: option.groupId as AuthChoiceGroupId,
+    groupsById.set(option.groupId, {
+      value: option.groupId,
       label: option.groupLabel,
-      hint: option.groupHint,
-      options: [nextOption],
+      ...(option.groupHint ? { hint: option.groupHint } : {}),
+      options: [option],
     });
-    staticGroupIds.add(option.groupId as AuthChoiceGroupId);
   }
+  const groups = Array.from(groupsById.values())
+    .map((group) => ({
+      ...group,
+      options: [...group.options].toSorted(compareOptionLabels),
+    }))
+    .toSorted(compareGroupLabels);
 
   const skipOption = params.includeSkip
     ? ({ value: "skip", label: "Skip for now" } satisfies AuthChoiceOption)
diff --git a/src/commands/auth-choice.apply-helpers.test.ts b/src/commands/auth-choice.apply-helpers.test.ts
index 7a1c30fd18f..e80f5e79b07 100644
--- a/src/commands/auth-choice.apply-helpers.test.ts
+++ b/src/commands/auth-choice.apply-helpers.test.ts
@@ -282,7 +282,7 @@ describe("ensureApiKeyFromEnvOrPrompt", () => {
         setCredential,
       }),
     ).rejects.toThrow(
-      'Environment variable "MINIMAX_API_KEY" is required for --secret-input-mode ref in non-interactive onboarding.',
+      'Environment variable "MINIMAX_API_KEY" is required for --secret-input-mode ref in non-interactive setup.',
     );
     expect(setCredential).not.toHaveBeenCalled();
   });
diff --git a/src/commands/auth-choice.apply-helpers.ts b/src/commands/auth-choice.apply-helpers.ts
index 32c6ac82786..7029dd081c3 100644
--- a/src/commands/auth-choice.apply-helpers.ts
+++ b/src/commands/auth-choice.apply-helpers.ts
@@ -32,7 +32,7 @@ export type SecretInputModePromptCopy = {
   refHint?: string;
 };
 
-export type SecretRefOnboardingPromptCopy = {
+export type SecretRefSetupPromptCopy = {
   sourceMessage?: string;
   envVarMessage?: string;
   envVarPlaceholder?: string;
@@ -72,13 +72,13 @@ function resolveRefFallbackInput(params: {
   const fallbackEnvVar = params.preferredEnvVar ?? resolveDefaultProviderEnvVar(params.provider);
   if (!fallbackEnvVar) {
     throw new Error(
-      `No default environment variable mapping found for provider "${params.provider}". Set a provider-specific env var, or re-run onboarding in an interactive terminal to configure a ref.`,
+      `No default environment variable mapping found for provider "${params.provider}". Set a provider-specific env var, or re-run setup in an interactive terminal to configure a ref.`,
     );
   }
   const value = process.env[fallbackEnvVar]?.trim();
   if (!value) {
     throw new Error(
-      `Environment variable "${fallbackEnvVar}" is required for --secret-input-mode ref in non-interactive onboarding.`,
+      `Environment variable "${fallbackEnvVar}" is required for --secret-input-mode ref in non-interactive setup.`,
     );
   }
   return {
@@ -93,12 +93,12 @@ function resolveRefFallbackInput(params: {
   };
 }
 
-export async function promptSecretRefForOnboarding(params: {
+export async function promptSecretRefForSetup(params: {
   provider: string;
   config: OpenClawConfig;
   prompter: WizardPrompter;
   preferredEnvVar?: string;
-  copy?: SecretRefOnboardingPromptCopy;
+  copy?: SecretRefSetupPromptCopy;
 }): Promise<{ ref: SecretRef; resolvedValue: string }> {
   const defaultEnvVar =
     params.preferredEnvVar ?? resolveDefaultProviderEnvVar(params.provider) ?? "";
@@ -506,7 +506,7 @@ export async function ensureApiKeyFromEnvOrPrompt(params: {
       await params.setCredential(fallback.ref, selectedMode);
       return fallback.resolvedValue;
     }
-    const resolved = await promptSecretRefForOnboarding({
+    const resolved = await promptSecretRefForSetup({
       provider: params.provider,
       config: params.config,
       prompter: params.prompter,
diff --git a/src/commands/auth-choice.apply.anthropic.test.ts b/src/commands/auth-choice.apply.anthropic.test.ts
deleted file mode 100644
index 30eb5d3fcfe..00000000000
--- a/src/commands/auth-choice.apply.anthropic.test.ts
+++ /dev/null
@@ -1,61 +0,0 @@
-import { afterEach, describe, expect, it } from "vitest";
-import { applyAuthChoiceAnthropic } from "./auth-choice.apply.anthropic.js";
-import { ANTHROPIC_SETUP_TOKEN_PREFIX } from "./auth-token.js";
-import {
-  createAuthTestLifecycle,
-  createExitThrowingRuntime,
-  createWizardPrompter,
-  readAuthProfilesForAgent,
-  setupAuthTestEnv,
-} from "./test-wizard-helpers.js";
-
-describe("applyAuthChoiceAnthropic", () => {
-  const lifecycle = createAuthTestLifecycle([
-    "OPENCLAW_STATE_DIR",
-    "OPENCLAW_AGENT_DIR",
-    "PI_CODING_AGENT_DIR",
-    "ANTHROPIC_SETUP_TOKEN",
-  ]);
-
-  async function setupTempState() {
-    const env = await setupAuthTestEnv("openclaw-anthropic-");
-    lifecycle.setStateDir(env.stateDir);
-    return env.agentDir;
-  }
-
-  afterEach(async () => {
-    await lifecycle.cleanup();
-  });
-
-  it("persists setup-token ref without plaintext token in auth-profiles store", async () => {
-    const agentDir = await setupTempState();
-    process.env.ANTHROPIC_SETUP_TOKEN = `${ANTHROPIC_SETUP_TOKEN_PREFIX}${"x".repeat(100)}`;
-
-    const prompter = createWizardPrompter({}, { defaultSelect: "ref" });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await applyAuthChoiceAnthropic({
-      authChoice: "setup-token",
-      config: {},
-      prompter,
-      runtime,
-      setDefaultModel: true,
-    });
-
-    expect(result).not.toBeNull();
-    expect(result?.config.auth?.profiles?.["anthropic:default"]).toMatchObject({
-      provider: "anthropic",
-      mode: "token",
-    });
-
-    const parsed = await readAuthProfilesForAgent<{
-      profiles?: Record<string, { token?: string; tokenRef?: unknown }>;
-    }>(agentDir);
-    expect(parsed.profiles?.["anthropic:default"]?.token).toBeUndefined();
-    expect(parsed.profiles?.["anthropic:default"]?.tokenRef).toMatchObject({
-      source: "env",
-      provider: "default",
-      id: "ANTHROPIC_SETUP_TOKEN",
-    });
-  });
-});
diff --git a/src/commands/auth-choice.apply.anthropic.ts b/src/commands/auth-choice.apply.anthropic.ts
deleted file mode 100644
index e9914c7fa78..00000000000
--- a/src/commands/auth-choice.apply.anthropic.ts
+++ /dev/null
@@ -1,134 +0,0 @@
-import { upsertAuthProfile } from "../agents/auth-profiles.js";
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  normalizeSecretInputModeInput,
-  ensureApiKeyFromOptionEnvOrPrompt,
-  promptSecretRefForOnboarding,
-  resolveSecretInputModeForEnvSelection,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { buildTokenProfileId, validateAnthropicSetupToken } from "./auth-token.js";
-import { applyAgentDefaultModelPrimary } from "./onboard-auth.config-shared.js";
-import { applyAuthProfileConfig, setAnthropicApiKey } from "./onboard-auth.js";
-
-const DEFAULT_ANTHROPIC_MODEL = "anthropic/claude-sonnet-4-6";
-
-export async function applyAuthChoiceAnthropic(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-  if (
-    params.authChoice === "setup-token" ||
-    params.authChoice === "oauth" ||
-    params.authChoice === "token"
-  ) {
-    let nextConfig = params.config;
-    await params.prompter.note(
-      ["Run `claude setup-token` in your terminal.", "Then paste the generated token below."].join(
-        "\n",
-      ),
-      "Anthropic setup-token",
-    );
-
-    const selectedMode = await resolveSecretInputModeForEnvSelection({
-      prompter: params.prompter,
-      explicitMode: requestedSecretInputMode,
-      copy: {
-        modeMessage: "How do you want to provide this setup token?",
-        plaintextLabel: "Paste setup token now",
-        plaintextHint: "Stores the token directly in the auth profile",
-      },
-    });
-    let token = "";
-    let tokenRef: { source: "env" | "file" | "exec"; provider: string; id: string } | undefined;
-    if (selectedMode === "ref") {
-      const resolved = await promptSecretRefForOnboarding({
-        provider: "anthropic-setup-token",
-        config: params.config,
-        prompter: params.prompter,
-        preferredEnvVar: "ANTHROPIC_SETUP_TOKEN",
-        copy: {
-          sourceMessage: "Where is this Anthropic setup token stored?",
-          envVarPlaceholder: "ANTHROPIC_SETUP_TOKEN",
-        },
-      });
-      token = resolved.resolvedValue.trim();
-      tokenRef = resolved.ref;
-    } else {
-      const tokenRaw = await params.prompter.text({
-        message: "Paste Anthropic setup-token",
-        validate: (value) => validateAnthropicSetupToken(String(value ?? "")),
-      });
-      token = String(tokenRaw ?? "").trim();
-    }
-    const tokenValidationError = validateAnthropicSetupToken(token);
-    if (tokenValidationError) {
-      throw new Error(tokenValidationError);
-    }
-
-    const profileNameRaw = await params.prompter.text({
-      message: "Token name (blank = default)",
-      placeholder: "default",
-    });
-    const provider = "anthropic";
-    const namedProfileId = buildTokenProfileId({
-      provider,
-      name: String(profileNameRaw ?? ""),
-    });
-
-    upsertAuthProfile({
-      profileId: namedProfileId,
-      agentDir: params.agentDir,
-      credential: {
-        type: "token",
-        provider,
-        token,
-        ...(tokenRef ? { tokenRef } : {}),
-      },
-    });
-
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: namedProfileId,
-      provider,
-      mode: "token",
-    });
-    if (params.setDefaultModel) {
-      nextConfig = applyAgentDefaultModelPrimary(nextConfig, DEFAULT_ANTHROPIC_MODEL);
-    }
-    return { config: nextConfig };
-  }
-
-  if (params.authChoice === "apiKey") {
-    if (params.opts?.tokenProvider && params.opts.tokenProvider !== "anthropic") {
-      return null;
-    }
-
-    let nextConfig = params.config;
-    await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.token,
-      tokenProvider: params.opts?.tokenProvider ?? "anthropic",
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      expectedProviders: ["anthropic"],
-      provider: "anthropic",
-      envLabel: "ANTHROPIC_API_KEY",
-      promptMessage: "Enter Anthropic API key",
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      setCredential: async (apiKey, mode) =>
-        setAnthropicApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-    });
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: "anthropic:default",
-      provider: "anthropic",
-      mode: "api_key",
-    });
-    if (params.setDefaultModel) {
-      nextConfig = applyAgentDefaultModelPrimary(nextConfig, DEFAULT_ANTHROPIC_MODEL);
-    }
-    return { config: nextConfig };
-  }
-
-  return null;
-}
diff --git a/src/commands/auth-choice.apply.api-key-providers.ts b/src/commands/auth-choice.apply.api-key-providers.ts
index ac3690bf3cd..3ff35a46365 100644
--- a/src/commands/auth-choice.apply.api-key-providers.ts
+++ b/src/commands/auth-choice.apply.api-key-providers.ts
@@ -1,73 +1,15 @@
 import { ensureAuthProfileStore, resolveAuthProfileOrder } from "../agents/auth-profiles.js";
-import type { SecretInput } from "../config/types.secrets.js";
 import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
 import { ensureApiKeyFromOptionEnvOrPrompt } from "./auth-choice.apply-helpers.js";
 import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import type { ApiKeyStorageOptions } from "./onboard-auth.credentials.js";
 import {
   applyAuthProfileConfig,
-  applyKilocodeConfig,
-  applyKilocodeProviderConfig,
-  applyKimiCodeConfig,
-  applyKimiCodeProviderConfig,
   applyLitellmConfig,
   applyLitellmProviderConfig,
-  applyMistralConfig,
-  applyMistralProviderConfig,
-  applyModelStudioConfig,
-  applyModelStudioConfigCn,
-  applyModelStudioProviderConfig,
-  applyModelStudioProviderConfigCn,
-  applyMoonshotConfig,
-  applyMoonshotConfigCn,
-  applyMoonshotProviderConfig,
-  applyMoonshotProviderConfigCn,
-  applyOpencodeGoConfig,
-  applyOpencodeGoProviderConfig,
-  applyOpencodeZenConfig,
-  applyOpencodeZenProviderConfig,
-  applyQianfanConfig,
-  applyQianfanProviderConfig,
-  applySyntheticConfig,
-  applySyntheticProviderConfig,
-  applyTogetherConfig,
-  applyTogetherProviderConfig,
-  applyVeniceConfig,
-  applyVeniceProviderConfig,
-  applyVercelAiGatewayConfig,
-  applyVercelAiGatewayProviderConfig,
-  applyXiaomiConfig,
-  applyXiaomiProviderConfig,
-  KILOCODE_DEFAULT_MODEL_REF,
-  KIMI_CODING_MODEL_REF,
   LITELLM_DEFAULT_MODEL_REF,
-  MISTRAL_DEFAULT_MODEL_REF,
-  MODELSTUDIO_DEFAULT_MODEL_REF,
-  MOONSHOT_DEFAULT_MODEL_REF,
-  QIANFAN_DEFAULT_MODEL_REF,
-  setKilocodeApiKey,
-  setKimiCodingApiKey,
   setLitellmApiKey,
-  setMistralApiKey,
-  setModelStudioApiKey,
-  setMoonshotApiKey,
-  setOpencodeGoApiKey,
-  setOpencodeZenApiKey,
-  setQianfanApiKey,
-  setSyntheticApiKey,
-  setTogetherApiKey,
-  setVeniceApiKey,
-  setVercelAiGatewayApiKey,
-  setXiaomiApiKey,
-  SYNTHETIC_DEFAULT_MODEL_REF,
-  TOGETHER_DEFAULT_MODEL_REF,
-  VENICE_DEFAULT_MODEL_REF,
-  VERCEL_AI_GATEWAY_DEFAULT_MODEL_REF,
-  XIAOMI_DEFAULT_MODEL_REF,
 } from "./onboard-auth.js";
-import type { AuthChoice, SecretInputMode } from "./onboard-types.js";
-import { OPENCODE_GO_DEFAULT_MODEL_REF } from "./opencode-go-model-default.js";
-import { OPENCODE_ZEN_DEFAULT_MODEL } from "./opencode-zen-model-default.js";
+import type { SecretInputMode } from "./onboard-types.js";
 
 type ApiKeyProviderConfigApplier = (
   config: ApplyAuthChoiceParams["config"],
@@ -82,7 +24,7 @@ type ApplyProviderDefaultModel = (args: {
 
 type ApplyApiKeyProviderParams = {
   params: ApplyAuthChoiceParams;
-  authChoice: AuthChoice;
+  authChoice: string;
   config: ApplyAuthChoiceParams["config"];
   setConfig: (config: ApplyAuthChoiceParams["config"]) => void;
   getConfig: () => ApplyAuthChoiceParams["config"];
@@ -92,339 +34,6 @@ type ApplyApiKeyProviderParams = {
   getAgentModelOverride: () => string | undefined;
 };
 
-type SimpleApiKeyProviderFlow = {
-  provider: Parameters<typeof ensureApiKeyFromOptionEnvOrPrompt>[0]["provider"];
-  profileId: string;
-  expectedProviders: string[];
-  envLabel: string;
-  promptMessage: string;
-  setCredential: (
-    apiKey: SecretInput,
-    agentDir?: string,
-    options?: ApiKeyStorageOptions,
-  ) => void | Promise<void>;
-  defaultModel: string;
-  applyDefaultConfig: ApiKeyProviderConfigApplier;
-  applyProviderConfig: ApiKeyProviderConfigApplier;
-  tokenProvider?: string;
-  normalize?: (value: string) => string;
-  validate?: (value: string) => string | undefined;
-  noteDefault?: string;
-  noteMessage?: string;
-  noteTitle?: string;
-};
-
-const SIMPLE_API_KEY_PROVIDER_FLOWS: Partial<Record<AuthChoice, SimpleApiKeyProviderFlow>> = {
-  "ai-gateway-api-key": {
-    provider: "vercel-ai-gateway",
-    profileId: "vercel-ai-gateway:default",
-    expectedProviders: ["vercel-ai-gateway"],
-    envLabel: "AI_GATEWAY_API_KEY",
-    promptMessage: "Enter Vercel AI Gateway API key",
-    setCredential: setVercelAiGatewayApiKey,
-    defaultModel: VERCEL_AI_GATEWAY_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyVercelAiGatewayConfig,
-    applyProviderConfig: applyVercelAiGatewayProviderConfig,
-    noteDefault: VERCEL_AI_GATEWAY_DEFAULT_MODEL_REF,
-  },
-  "moonshot-api-key": {
-    provider: "moonshot",
-    profileId: "moonshot:default",
-    expectedProviders: ["moonshot"],
-    envLabel: "MOONSHOT_API_KEY",
-    promptMessage: "Enter Moonshot API key",
-    setCredential: setMoonshotApiKey,
-    defaultModel: MOONSHOT_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyMoonshotConfig,
-    applyProviderConfig: applyMoonshotProviderConfig,
-  },
-  "moonshot-api-key-cn": {
-    provider: "moonshot",
-    profileId: "moonshot:default",
-    expectedProviders: ["moonshot"],
-    envLabel: "MOONSHOT_API_KEY",
-    promptMessage: "Enter Moonshot API key (.cn)",
-    setCredential: setMoonshotApiKey,
-    defaultModel: MOONSHOT_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyMoonshotConfigCn,
-    applyProviderConfig: applyMoonshotProviderConfigCn,
-  },
-  "kimi-code-api-key": {
-    provider: "kimi-coding",
-    profileId: "kimi-coding:default",
-    expectedProviders: ["kimi-code", "kimi-coding"],
-    envLabel: "KIMI_API_KEY",
-    promptMessage: "Enter Kimi Coding API key",
-    setCredential: setKimiCodingApiKey,
-    defaultModel: KIMI_CODING_MODEL_REF,
-    applyDefaultConfig: applyKimiCodeConfig,
-    applyProviderConfig: applyKimiCodeProviderConfig,
-    noteDefault: KIMI_CODING_MODEL_REF,
-    noteMessage: [
-      "Kimi Coding uses a dedicated endpoint and API key.",
-      "Get your API key at: https://www.kimi.com/code/en",
-    ].join("\n"),
-    noteTitle: "Kimi Coding",
-  },
-  "xiaomi-api-key": {
-    provider: "xiaomi",
-    profileId: "xiaomi:default",
-    expectedProviders: ["xiaomi"],
-    envLabel: "XIAOMI_API_KEY",
-    promptMessage: "Enter Xiaomi API key",
-    setCredential: setXiaomiApiKey,
-    defaultModel: XIAOMI_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyXiaomiConfig,
-    applyProviderConfig: applyXiaomiProviderConfig,
-    noteDefault: XIAOMI_DEFAULT_MODEL_REF,
-  },
-  "mistral-api-key": {
-    provider: "mistral",
-    profileId: "mistral:default",
-    expectedProviders: ["mistral"],
-    envLabel: "MISTRAL_API_KEY",
-    promptMessage: "Enter Mistral API key",
-    setCredential: setMistralApiKey,
-    defaultModel: MISTRAL_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyMistralConfig,
-    applyProviderConfig: applyMistralProviderConfig,
-    noteDefault: MISTRAL_DEFAULT_MODEL_REF,
-  },
-  "venice-api-key": {
-    provider: "venice",
-    profileId: "venice:default",
-    expectedProviders: ["venice"],
-    envLabel: "VENICE_API_KEY",
-    promptMessage: "Enter Venice AI API key",
-    setCredential: setVeniceApiKey,
-    defaultModel: VENICE_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyVeniceConfig,
-    applyProviderConfig: applyVeniceProviderConfig,
-    noteDefault: VENICE_DEFAULT_MODEL_REF,
-    noteMessage: [
-      "Venice AI provides privacy-focused inference with uncensored models.",
-      "Get your API key at: https://venice.ai/settings/api",
-      "Supports 'private' (fully private) and 'anonymized' (proxy) modes.",
-    ].join("\n"),
-    noteTitle: "Venice AI",
-  },
-  "opencode-zen": {
-    provider: "opencode",
-    profileId: "opencode:default",
-    expectedProviders: ["opencode", "opencode-go"],
-    envLabel: "OPENCODE_API_KEY",
-    promptMessage: "Enter OpenCode API key",
-    setCredential: setOpencodeZenApiKey,
-    defaultModel: OPENCODE_ZEN_DEFAULT_MODEL,
-    applyDefaultConfig: applyOpencodeZenConfig,
-    applyProviderConfig: applyOpencodeZenProviderConfig,
-    noteDefault: OPENCODE_ZEN_DEFAULT_MODEL,
-    noteMessage: [
-      "OpenCode uses one API key across the Zen and Go catalogs.",
-      "Zen provides access to Claude, GPT, Gemini, and more models.",
-      "Get your API key at: https://opencode.ai/auth",
-      "Choose the Zen catalog when you want the curated multi-model proxy.",
-    ].join("\n"),
-    noteTitle: "OpenCode",
-  },
-  "opencode-go": {
-    provider: "opencode-go",
-    profileId: "opencode-go:default",
-    expectedProviders: ["opencode", "opencode-go"],
-    envLabel: "OPENCODE_API_KEY",
-    promptMessage: "Enter OpenCode API key",
-    setCredential: setOpencodeGoApiKey,
-    defaultModel: OPENCODE_GO_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyOpencodeGoConfig,
-    applyProviderConfig: applyOpencodeGoProviderConfig,
-    noteDefault: OPENCODE_GO_DEFAULT_MODEL_REF,
-    noteMessage: [
-      "OpenCode uses one API key across the Zen and Go catalogs.",
-      "Go provides access to Kimi, GLM, and MiniMax models through the Go catalog.",
-      "Get your API key at: https://opencode.ai/auth",
-      "Choose the Go catalog when you want the OpenCode-hosted Kimi/GLM/MiniMax lineup.",
-    ].join("\n"),
-    noteTitle: "OpenCode",
-  },
-  "together-api-key": {
-    provider: "together",
-    profileId: "together:default",
-    expectedProviders: ["together"],
-    envLabel: "TOGETHER_API_KEY",
-    promptMessage: "Enter Together AI API key",
-    setCredential: setTogetherApiKey,
-    defaultModel: TOGETHER_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyTogetherConfig,
-    applyProviderConfig: applyTogetherProviderConfig,
-    noteDefault: TOGETHER_DEFAULT_MODEL_REF,
-    noteMessage: [
-      "Together AI provides access to leading open-source models including Llama, DeepSeek, Qwen, and more.",
-      "Get your API key at: https://api.together.xyz/settings/api-keys",
-    ].join("\n"),
-    noteTitle: "Together AI",
-  },
-  "qianfan-api-key": {
-    provider: "qianfan",
-    profileId: "qianfan:default",
-    expectedProviders: ["qianfan"],
-    envLabel: "QIANFAN_API_KEY",
-    promptMessage: "Enter QIANFAN API key",
-    setCredential: setQianfanApiKey,
-    defaultModel: QIANFAN_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyQianfanConfig,
-    applyProviderConfig: applyQianfanProviderConfig,
-    noteDefault: QIANFAN_DEFAULT_MODEL_REF,
-    noteMessage: [
-      "Get your API key at: https://console.bce.baidu.com/qianfan/ais/console/apiKey",
-      "API key format: bce-v3/ALTAK-...",
-    ].join("\n"),
-    noteTitle: "QIANFAN",
-  },
-  "kilocode-api-key": {
-    provider: "kilocode",
-    profileId: "kilocode:default",
-    expectedProviders: ["kilocode"],
-    envLabel: "KILOCODE_API_KEY",
-    promptMessage: "Enter Kilo Gateway API key",
-    setCredential: setKilocodeApiKey,
-    defaultModel: KILOCODE_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyKilocodeConfig,
-    applyProviderConfig: applyKilocodeProviderConfig,
-    noteDefault: KILOCODE_DEFAULT_MODEL_REF,
-  },
-  "modelstudio-api-key-cn": {
-    provider: "modelstudio",
-    profileId: "modelstudio:default",
-    expectedProviders: ["modelstudio"],
-    envLabel: "MODELSTUDIO_API_KEY",
-    promptMessage: "Enter Alibaba Cloud Model Studio Coding Plan API key (China)",
-    setCredential: setModelStudioApiKey,
-    defaultModel: MODELSTUDIO_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyModelStudioConfigCn,
-    applyProviderConfig: applyModelStudioProviderConfigCn,
-    noteDefault: MODELSTUDIO_DEFAULT_MODEL_REF,
-    noteMessage: [
-      "Get your API key at: https://bailian.console.aliyun.com/",
-      "Endpoint: coding.dashscope.aliyuncs.com",
-      "Models: qwen3.5-plus, glm-4.7, kimi-k2.5, MiniMax-M2.5, etc.",
-    ].join("\n"),
-    noteTitle: "Alibaba Cloud Model Studio Coding Plan (China)",
-    normalize: (value) => String(value ?? "").trim(),
-    validate: (value) => (String(value ?? "").trim() ? undefined : "Required"),
-  },
-  "modelstudio-api-key": {
-    provider: "modelstudio",
-    profileId: "modelstudio:default",
-    expectedProviders: ["modelstudio"],
-    envLabel: "MODELSTUDIO_API_KEY",
-    promptMessage: "Enter Alibaba Cloud Model Studio Coding Plan API key (Global/Intl)",
-    setCredential: setModelStudioApiKey,
-    defaultModel: MODELSTUDIO_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyModelStudioConfig,
-    applyProviderConfig: applyModelStudioProviderConfig,
-    noteDefault: MODELSTUDIO_DEFAULT_MODEL_REF,
-    noteMessage: [
-      "Get your API key at: https://bailian.console.aliyun.com/",
-      "Endpoint: coding-intl.dashscope.aliyuncs.com",
-      "Models: qwen3.5-plus, glm-4.7, kimi-k2.5, MiniMax-M2.5, etc.",
-    ].join("\n"),
-    noteTitle: "Alibaba Cloud Model Studio Coding Plan (Global/Intl)",
-    normalize: (value) => String(value ?? "").trim(),
-    validate: (value) => (String(value ?? "").trim() ? undefined : "Required"),
-  },
-  "synthetic-api-key": {
-    provider: "synthetic",
-    profileId: "synthetic:default",
-    expectedProviders: ["synthetic"],
-    envLabel: "SYNTHETIC_API_KEY",
-    promptMessage: "Enter Synthetic API key",
-    setCredential: setSyntheticApiKey,
-    defaultModel: SYNTHETIC_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applySyntheticConfig,
-    applyProviderConfig: applySyntheticProviderConfig,
-    normalize: (value) => String(value ?? "").trim(),
-    validate: (value) => (String(value ?? "").trim() ? undefined : "Required"),
-  },
-};
-
-async function applyApiKeyProviderWithDefaultModel({
-  params,
-  config,
-  setConfig,
-  getConfig,
-  normalizedTokenProvider,
-  requestedSecretInputMode,
-  applyProviderDefaultModel,
-  getAgentModelOverride,
-  provider,
-  profileId,
-  expectedProviders,
-  envLabel,
-  promptMessage,
-  setCredential,
-  defaultModel,
-  applyDefaultConfig,
-  applyProviderConfig,
-  noteMessage,
-  noteTitle,
-  tokenProvider = normalizedTokenProvider,
-  normalize = normalizeApiKeyInput,
-  validate = validateApiKeyInput,
-  noteDefault = defaultModel,
-}: ApplyApiKeyProviderParams & {
-  provider: Parameters<typeof ensureApiKeyFromOptionEnvOrPrompt>[0]["provider"];
-  profileId: string;
-  expectedProviders: string[];
-  envLabel: string;
-  promptMessage: string;
-  setCredential: (apiKey: SecretInput, mode?: SecretInputMode) => void | Promise<void>;
-  defaultModel: string;
-  applyDefaultConfig: ApiKeyProviderConfigApplier;
-  applyProviderConfig: ApiKeyProviderConfigApplier;
-  noteMessage?: string;
-  noteTitle?: string;
-  tokenProvider?: string;
-  normalize?: (value: string) => string;
-  validate?: (value: string) => string | undefined;
-  noteDefault?: string;
-}): Promise<ApplyAuthChoiceResult> {
-  let nextConfig = config;
-
-  await ensureApiKeyFromOptionEnvOrPrompt({
-    token: params.opts?.token,
-    provider,
-    tokenProvider,
-    secretInputMode: requestedSecretInputMode,
-    config: nextConfig,
-    expectedProviders,
-    envLabel,
-    promptMessage,
-    setCredential: async (apiKey, mode) => {
-      await setCredential(apiKey, mode);
-    },
-    noteMessage,
-    noteTitle,
-    normalize,
-    validate,
-    prompter: params.prompter,
-  });
-
-  nextConfig = applyAuthProfileConfig(nextConfig, {
-    profileId,
-    provider,
-    mode: "api_key",
-  });
-  setConfig(nextConfig);
-  await applyProviderDefaultModel({
-    defaultModel,
-    applyDefaultConfig,
-    applyProviderConfig,
-    noteDefault,
-  });
-
-  return { config: getConfig(), agentModelOverride: getAgentModelOverride() };
-}
-
 export async function applyLiteLlmApiKeyProvider({
   params,
   authChoice,
@@ -489,50 +98,3 @@ export async function applyLiteLlmApiKeyProvider({
   });
   return { config: getConfig(), agentModelOverride: getAgentModelOverride() };
 }
-
-export async function applySimpleAuthChoiceApiProvider({
-  params,
-  authChoice,
-  config,
-  setConfig,
-  getConfig,
-  normalizedTokenProvider,
-  requestedSecretInputMode,
-  applyProviderDefaultModel,
-  getAgentModelOverride,
-}: ApplyApiKeyProviderParams): Promise<ApplyAuthChoiceResult | null> {
-  const simpleApiKeyProviderFlow = SIMPLE_API_KEY_PROVIDER_FLOWS[authChoice];
-  if (!simpleApiKeyProviderFlow) {
-    return null;
-  }
-
-  return await applyApiKeyProviderWithDefaultModel({
-    params,
-    authChoice,
-    config,
-    setConfig,
-    getConfig,
-    normalizedTokenProvider,
-    requestedSecretInputMode,
-    applyProviderDefaultModel,
-    getAgentModelOverride,
-    provider: simpleApiKeyProviderFlow.provider,
-    profileId: simpleApiKeyProviderFlow.profileId,
-    expectedProviders: simpleApiKeyProviderFlow.expectedProviders,
-    envLabel: simpleApiKeyProviderFlow.envLabel,
-    promptMessage: simpleApiKeyProviderFlow.promptMessage,
-    setCredential: async (apiKey, mode) =>
-      simpleApiKeyProviderFlow.setCredential(apiKey, params.agentDir, {
-        secretInputMode: mode ?? requestedSecretInputMode,
-      }),
-    defaultModel: simpleApiKeyProviderFlow.defaultModel,
-    applyDefaultConfig: simpleApiKeyProviderFlow.applyDefaultConfig,
-    applyProviderConfig: simpleApiKeyProviderFlow.applyProviderConfig,
-    noteDefault: simpleApiKeyProviderFlow.noteDefault,
-    noteMessage: simpleApiKeyProviderFlow.noteMessage,
-    noteTitle: simpleApiKeyProviderFlow.noteTitle,
-    tokenProvider: simpleApiKeyProviderFlow.tokenProvider,
-    normalize: simpleApiKeyProviderFlow.normalize,
-    validate: simpleApiKeyProviderFlow.validate,
-  });
-}
diff --git a/src/commands/auth-choice.apply.api-providers.ts b/src/commands/auth-choice.apply.api-providers.ts
index f58a7312f74..6376dd51c7d 100644
--- a/src/commands/auth-choice.apply.api-providers.ts
+++ b/src/commands/auth-choice.apply.api-providers.ts
@@ -1,74 +1,48 @@
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
+import { resolveManifestProviderApiKeyChoice } from "../plugins/provider-auth-choices.js";
 import {
-  normalizeSecretInputModeInput,
-  createAuthChoiceAgentModelNoter,
   createAuthChoiceDefaultModelApplierForMutableState,
-  ensureApiKeyFromOptionEnvOrPrompt,
+  normalizeSecretInputModeInput,
   normalizeTokenProviderInput,
 } from "./auth-choice.apply-helpers.js";
-import {
-  applyLiteLlmApiKeyProvider,
-  applySimpleAuthChoiceApiProvider,
-} from "./auth-choice.apply.api-key-providers.js";
-import { applyAuthChoiceHuggingface } from "./auth-choice.apply.huggingface.js";
+import { applyLiteLlmApiKeyProvider } from "./auth-choice.apply.api-key-providers.js";
 import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthChoiceOpenRouter } from "./auth-choice.apply.openrouter.js";
-import {
-  applyGoogleGeminiModelDefault,
-  GOOGLE_GEMINI_DEFAULT_MODEL,
-} from "./google-gemini-model-default.js";
-import {
-  applyAuthProfileConfig,
-  applyCloudflareAiGatewayConfig,
-  applyCloudflareAiGatewayProviderConfig,
-  applyZaiConfig,
-  applyZaiProviderConfig,
-  CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF,
-  setCloudflareAiGatewayConfig,
-  setGeminiApiKey,
-  setZaiApiKey,
-  ZAI_DEFAULT_MODEL_REF,
-} from "./onboard-auth.js";
 import type { AuthChoice } from "./onboard-types.js";
-import { detectZaiEndpoint } from "./zai-endpoint-detect.js";
 
-const API_KEY_TOKEN_PROVIDER_AUTH_CHOICE: Record<string, AuthChoice> = {
-  openrouter: "openrouter-api-key",
+const CORE_API_KEY_TOKEN_PROVIDER_AUTH_CHOICES: Partial<Record<string, AuthChoice>> = {
   litellm: "litellm-api-key",
-  "vercel-ai-gateway": "ai-gateway-api-key",
-  "cloudflare-ai-gateway": "cloudflare-ai-gateway-api-key",
-  moonshot: "moonshot-api-key",
-  "kimi-code": "kimi-code-api-key",
-  "kimi-coding": "kimi-code-api-key",
-  google: "gemini-api-key",
-  zai: "zai-api-key",
-  xiaomi: "xiaomi-api-key",
-  synthetic: "synthetic-api-key",
-  venice: "venice-api-key",
-  together: "together-api-key",
-  huggingface: "huggingface-api-key",
-  mistral: "mistral-api-key",
-  opencode: "opencode-zen",
-  "opencode-go": "opencode-go",
-  kilocode: "kilocode-api-key",
-  qianfan: "qianfan-api-key",
 };
 
-const ZAI_AUTH_CHOICE_ENDPOINT: Partial<
-  Record<AuthChoice, "global" | "cn" | "coding-global" | "coding-cn">
-> = {
-  "zai-coding-global": "coding-global",
-  "zai-coding-cn": "coding-cn",
-  "zai-global": "global",
-  "zai-cn": "cn",
-};
+export function normalizeApiKeyTokenProviderAuthChoice(params: {
+  authChoice: AuthChoice;
+  tokenProvider?: string;
+  config?: ApplyAuthChoiceParams["config"];
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}): AuthChoice {
+  if (params.authChoice !== "apiKey" || !params.tokenProvider) {
+    return params.authChoice;
+  }
+  const normalizedTokenProvider = normalizeTokenProviderInput(params.tokenProvider);
+  if (!normalizedTokenProvider) {
+    return params.authChoice;
+  }
+  return (
+    (resolveManifestProviderApiKeyChoice({
+      providerId: normalizedTokenProvider,
+      config: params.config,
+      workspaceDir: params.workspaceDir,
+      env: params.env,
+    })?.choiceId as AuthChoice | undefined) ??
+    CORE_API_KEY_TOKEN_PROVIDER_AUTH_CHOICES[normalizedTokenProvider] ??
+    params.authChoice
+  );
+}
 
 export async function applyAuthChoiceApiProviders(
   params: ApplyAuthChoiceParams,
 ): Promise<ApplyAuthChoiceResult | null> {
   let nextConfig = params.config;
   let agentModelOverride: string | undefined;
-  const noteAgentModel = createAuthChoiceAgentModelNoter(params);
   const applyProviderDefaultModel = createAuthChoiceDefaultModelApplierForMutableState(
     params,
     () => nextConfig,
@@ -77,18 +51,14 @@ export async function applyAuthChoiceApiProviders(
     (model) => (agentModelOverride = model),
   );
 
-  let authChoice = params.authChoice;
+  const authChoice = normalizeApiKeyTokenProviderAuthChoice({
+    authChoice: params.authChoice,
+    tokenProvider: params.opts?.tokenProvider,
+    config: params.config,
+    env: process.env,
+  });
   const normalizedTokenProvider = normalizeTokenProviderInput(params.opts?.tokenProvider);
   const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-  if (authChoice === "apiKey" && params.opts?.tokenProvider) {
-    if (normalizedTokenProvider !== "anthropic" && normalizedTokenProvider !== "openai") {
-      authChoice = API_KEY_TOKEN_PROVIDER_AUTH_CHOICE[normalizedTokenProvider ?? ""] ?? authChoice;
-    }
-  }
-
-  if (authChoice === "openrouter-api-key") {
-    return applyAuthChoiceOpenRouter(params);
-  }
 
   const litellmResult = await applyLiteLlmApiKeyProvider({
     params,
@@ -105,218 +75,5 @@ export async function applyAuthChoiceApiProviders(
     return litellmResult;
   }
 
-  const simpleProviderResult = await applySimpleAuthChoiceApiProvider({
-    params,
-    authChoice,
-    config: nextConfig,
-    setConfig: (config) => (nextConfig = config),
-    getConfig: () => nextConfig,
-    normalizedTokenProvider,
-    requestedSecretInputMode,
-    applyProviderDefaultModel,
-    getAgentModelOverride: () => agentModelOverride,
-  });
-  if (simpleProviderResult) {
-    return simpleProviderResult;
-  }
-
-  if (authChoice === "cloudflare-ai-gateway-api-key") {
-    let accountId = params.opts?.cloudflareAiGatewayAccountId?.trim() ?? "";
-    let gatewayId = params.opts?.cloudflareAiGatewayGatewayId?.trim() ?? "";
-
-    const ensureAccountGateway = async () => {
-      if (!accountId) {
-        const value = await params.prompter.text({
-          message: "Enter Cloudflare Account ID",
-          validate: (val) => (String(val ?? "").trim() ? undefined : "Account ID is required"),
-        });
-        accountId = String(value ?? "").trim();
-      }
-      if (!gatewayId) {
-        const value = await params.prompter.text({
-          message: "Enter Cloudflare AI Gateway ID",
-          validate: (val) => (String(val ?? "").trim() ? undefined : "Gateway ID is required"),
-        });
-        gatewayId = String(value ?? "").trim();
-      }
-    };
-
-    await ensureAccountGateway();
-
-    await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.cloudflareAiGatewayApiKey,
-      tokenProvider: "cloudflare-ai-gateway",
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      expectedProviders: ["cloudflare-ai-gateway"],
-      provider: "cloudflare-ai-gateway",
-      envLabel: "CLOUDFLARE_AI_GATEWAY_API_KEY",
-      promptMessage: "Enter Cloudflare AI Gateway API key",
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      setCredential: async (apiKey, mode) =>
-        setCloudflareAiGatewayConfig(accountId, gatewayId, apiKey, params.agentDir, {
-          secretInputMode: mode,
-        }),
-    });
-
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: "cloudflare-ai-gateway:default",
-      provider: "cloudflare-ai-gateway",
-      mode: "api_key",
-    });
-    await applyProviderDefaultModel({
-      defaultModel: CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF,
-      applyDefaultConfig: (cfg) =>
-        applyCloudflareAiGatewayConfig(cfg, {
-          accountId: accountId || params.opts?.cloudflareAiGatewayAccountId,
-          gatewayId: gatewayId || params.opts?.cloudflareAiGatewayGatewayId,
-        }),
-      applyProviderConfig: (cfg) =>
-        applyCloudflareAiGatewayProviderConfig(cfg, {
-          accountId: accountId || params.opts?.cloudflareAiGatewayAccountId,
-          gatewayId: gatewayId || params.opts?.cloudflareAiGatewayGatewayId,
-        }),
-      noteDefault: CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF,
-    });
-    return { config: nextConfig, agentModelOverride };
-  }
-
-  if (authChoice === "gemini-api-key") {
-    await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.token,
-      provider: "google",
-      tokenProvider: normalizedTokenProvider,
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      expectedProviders: ["google"],
-      envLabel: "GEMINI_API_KEY",
-      promptMessage: "Enter Gemini API key",
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      setCredential: async (apiKey, mode) =>
-        setGeminiApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-    });
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: "google:default",
-      provider: "google",
-      mode: "api_key",
-    });
-    if (params.setDefaultModel) {
-      const applied = applyGoogleGeminiModelDefault(nextConfig);
-      nextConfig = applied.next;
-      if (applied.changed) {
-        await params.prompter.note(
-          `Default model set to ${GOOGLE_GEMINI_DEFAULT_MODEL}`,
-          "Model configured",
-        );
-      }
-    } else {
-      agentModelOverride = GOOGLE_GEMINI_DEFAULT_MODEL;
-      await noteAgentModel(GOOGLE_GEMINI_DEFAULT_MODEL);
-    }
-    return { config: nextConfig, agentModelOverride };
-  }
-
-  if (
-    authChoice === "zai-api-key" ||
-    authChoice === "zai-coding-global" ||
-    authChoice === "zai-coding-cn" ||
-    authChoice === "zai-global" ||
-    authChoice === "zai-cn"
-  ) {
-    let endpoint = ZAI_AUTH_CHOICE_ENDPOINT[authChoice];
-
-    const apiKey = await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.token,
-      provider: "zai",
-      tokenProvider: normalizedTokenProvider,
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      expectedProviders: ["zai"],
-      envLabel: "ZAI_API_KEY",
-      promptMessage: "Enter Z.AI API key",
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      setCredential: async (apiKey, mode) =>
-        setZaiApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-    });
-
-    let modelIdOverride: string | undefined;
-    if (endpoint) {
-      const detected = await detectZaiEndpoint({ apiKey, endpoint });
-      if (detected) {
-        modelIdOverride = detected.modelId;
-        await params.prompter.note(detected.note, "Z.AI endpoint");
-      }
-    } else {
-      // zai-api-key: auto-detect endpoint + choose a working default model.
-      const detected = await detectZaiEndpoint({ apiKey });
-      if (detected) {
-        endpoint = detected.endpoint;
-        modelIdOverride = detected.modelId;
-        await params.prompter.note(detected.note, "Z.AI endpoint");
-      } else {
-        endpoint = await params.prompter.select({
-          message: "Select Z.AI endpoint",
-          options: [
-            {
-              value: "coding-global",
-              label: "Coding-Plan-Global",
-              hint: "GLM Coding Plan Global (api.z.ai)",
-            },
-            {
-              value: "coding-cn",
-              label: "Coding-Plan-CN",
-              hint: "GLM Coding Plan CN (open.bigmodel.cn)",
-            },
-            {
-              value: "global",
-              label: "Global",
-              hint: "Z.AI Global (api.z.ai)",
-            },
-            {
-              value: "cn",
-              label: "CN",
-              hint: "Z.AI CN (open.bigmodel.cn)",
-            },
-          ],
-          initialValue: "global",
-        });
-      }
-    }
-
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: "zai:default",
-      provider: "zai",
-      mode: "api_key",
-    });
-
-    const defaultModel = modelIdOverride ? `zai/${modelIdOverride}` : ZAI_DEFAULT_MODEL_REF;
-    await applyProviderDefaultModel({
-      defaultModel,
-      applyDefaultConfig: (config) =>
-        applyZaiConfig(config, {
-          endpoint,
-          ...(modelIdOverride ? { modelId: modelIdOverride } : {}),
-        }),
-      applyProviderConfig: (config) =>
-        applyZaiProviderConfig(config, {
-          endpoint,
-          ...(modelIdOverride ? { modelId: modelIdOverride } : {}),
-        }),
-      noteDefault: defaultModel,
-    });
-
-    return { config: nextConfig, agentModelOverride };
-  }
-
-  if (authChoice === "huggingface-api-key") {
-    return applyAuthChoiceHuggingface({ ...params, authChoice });
-  }
-
   return null;
 }
diff --git a/src/commands/auth-choice.apply.byteplus.ts b/src/commands/auth-choice.apply.byteplus.ts
deleted file mode 100644
index 80cfa377bde..00000000000
--- a/src/commands/auth-choice.apply.byteplus.ts
+++ /dev/null
@@ -1,46 +0,0 @@
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyPrimaryModel } from "./model-picker.js";
-import { applyAuthProfileConfig, setByteplusApiKey } from "./onboard-auth.js";
-
-/** Default model for BytePlus auth onboarding. */
-export const BYTEPLUS_DEFAULT_MODEL = "byteplus-plan/ark-code-latest";
-
-export async function applyAuthChoiceBytePlus(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  if (params.authChoice !== "byteplus-api-key") {
-    return null;
-  }
-
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-  await ensureApiKeyFromOptionEnvOrPrompt({
-    token: params.opts?.byteplusApiKey,
-    tokenProvider: "byteplus",
-    secretInputMode: requestedSecretInputMode,
-    config: params.config,
-    expectedProviders: ["byteplus"],
-    provider: "byteplus",
-    envLabel: "BYTEPLUS_API_KEY",
-    promptMessage: "Enter BytePlus API key",
-    normalize: normalizeApiKeyInput,
-    validate: validateApiKeyInput,
-    prompter: params.prompter,
-    setCredential: async (apiKey, mode) =>
-      setByteplusApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-  });
-  const configWithAuth = applyAuthProfileConfig(params.config, {
-    profileId: "byteplus:default",
-    provider: "byteplus",
-    mode: "api_key",
-  });
-  const configWithModel = applyPrimaryModel(configWithAuth, BYTEPLUS_DEFAULT_MODEL);
-  return {
-    config: configWithModel,
-    agentModelOverride: BYTEPLUS_DEFAULT_MODEL,
-  };
-}
diff --git a/src/commands/auth-choice.apply.copilot-proxy.ts b/src/commands/auth-choice.apply.copilot-proxy.ts
deleted file mode 100644
index 3906846972e..00000000000
--- a/src/commands/auth-choice.apply.copilot-proxy.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provider.js";
-
-export async function applyAuthChoiceCopilotProxy(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  return await applyAuthChoicePluginProvider(params, {
-    authChoice: "copilot-proxy",
-    pluginId: "copilot-proxy",
-    providerId: "copilot-proxy",
-    methodId: "local",
-    label: "Copilot Proxy",
-  });
-}
diff --git a/src/commands/auth-choice.apply.github-copilot.ts b/src/commands/auth-choice.apply.github-copilot.ts
deleted file mode 100644
index 1ef474682af..00000000000
--- a/src/commands/auth-choice.apply.github-copilot.ts
+++ /dev/null
@@ -1,63 +0,0 @@
-import { toAgentModelListLike } from "../config/model-input.js";
-import { githubCopilotLoginCommand } from "../providers/github-copilot-auth.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthProfileConfig } from "./onboard-auth.js";
-
-export async function applyAuthChoiceGitHubCopilot(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  if (params.authChoice !== "github-copilot") {
-    return null;
-  }
-
-  let nextConfig = params.config;
-
-  await params.prompter.note(
-    [
-      "This will open a GitHub device login to authorize Copilot.",
-      "Requires an active GitHub Copilot subscription.",
-    ].join("\n"),
-    "GitHub Copilot",
-  );
-
-  if (!process.stdin.isTTY) {
-    await params.prompter.note(
-      "GitHub Copilot login requires an interactive TTY.",
-      "GitHub Copilot",
-    );
-    return { config: nextConfig };
-  }
-
-  try {
-    await githubCopilotLoginCommand({ yes: true }, params.runtime);
-  } catch (err) {
-    await params.prompter.note(`GitHub Copilot login failed: ${String(err)}`, "GitHub Copilot");
-    return { config: nextConfig };
-  }
-
-  nextConfig = applyAuthProfileConfig(nextConfig, {
-    profileId: "github-copilot:github",
-    provider: "github-copilot",
-    mode: "token",
-  });
-
-  if (params.setDefaultModel) {
-    const model = "github-copilot/gpt-4o";
-    nextConfig = {
-      ...nextConfig,
-      agents: {
-        ...nextConfig.agents,
-        defaults: {
-          ...nextConfig.agents?.defaults,
-          model: {
-            ...toAgentModelListLike(nextConfig.agents?.defaults?.model),
-            primary: model,
-          },
-        },
-      },
-    };
-    await params.prompter.note(`Default model set to ${model}`, "Model configured");
-  }
-
-  return { config: nextConfig };
-}
diff --git a/src/commands/auth-choice.apply.google-gemini-cli.test.ts b/src/commands/auth-choice.apply.google-gemini-cli.test.ts
deleted file mode 100644
index f07f970a18d..00000000000
--- a/src/commands/auth-choice.apply.google-gemini-cli.test.ts
+++ /dev/null
@@ -1,86 +0,0 @@
-import { beforeEach, describe, expect, it, vi } from "vitest";
-import { applyAuthChoiceGoogleGeminiCli } from "./auth-choice.apply.google-gemini-cli.js";
-import type { ApplyAuthChoiceParams } from "./auth-choice.apply.js";
-import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provider.js";
-import { createExitThrowingRuntime, createWizardPrompter } from "./test-wizard-helpers.js";
-
-vi.mock("./auth-choice.apply.plugin-provider.js", () => ({
-  applyAuthChoicePluginProvider: vi.fn(),
-}));
-
-function createParams(
-  authChoice: ApplyAuthChoiceParams["authChoice"],
-  overrides: Partial<ApplyAuthChoiceParams> = {},
-): ApplyAuthChoiceParams {
-  return {
-    authChoice,
-    config: {},
-    prompter: createWizardPrompter({}, { defaultSelect: "" }),
-    runtime: createExitThrowingRuntime(),
-    setDefaultModel: true,
-    ...overrides,
-  };
-}
-
-describe("applyAuthChoiceGoogleGeminiCli", () => {
-  const mockedApplyAuthChoicePluginProvider = vi.mocked(applyAuthChoicePluginProvider);
-
-  beforeEach(() => {
-    mockedApplyAuthChoicePluginProvider.mockReset();
-  });
-
-  it("returns null for unrelated authChoice", async () => {
-    const result = await applyAuthChoiceGoogleGeminiCli(createParams("openrouter-api-key"));
-
-    expect(result).toBeNull();
-    expect(mockedApplyAuthChoicePluginProvider).not.toHaveBeenCalled();
-  });
-
-  it("shows caution and skips setup when user declines", async () => {
-    const confirm = vi.fn(async () => false);
-    const note = vi.fn(async () => {});
-    const params = createParams("google-gemini-cli", {
-      prompter: createWizardPrompter({ confirm, note }, { defaultSelect: "" }),
-    });
-
-    const result = await applyAuthChoiceGoogleGeminiCli(params);
-
-    expect(result).toEqual({ config: params.config });
-    expect(note).toHaveBeenNthCalledWith(
-      1,
-      expect.stringContaining("This is an unofficial integration and is not endorsed by Google."),
-      "Google Gemini CLI caution",
-    );
-    expect(confirm).toHaveBeenCalledWith({
-      message: "Continue with Google Gemini CLI OAuth?",
-      initialValue: false,
-    });
-    expect(note).toHaveBeenNthCalledWith(
-      2,
-      "Skipped Google Gemini CLI OAuth setup.",
-      "Setup skipped",
-    );
-    expect(mockedApplyAuthChoicePluginProvider).not.toHaveBeenCalled();
-  });
-
-  it("continues to plugin provider flow when user confirms", async () => {
-    const confirm = vi.fn(async () => true);
-    const note = vi.fn(async () => {});
-    const params = createParams("google-gemini-cli", {
-      prompter: createWizardPrompter({ confirm, note }, { defaultSelect: "" }),
-    });
-    const expected = { config: {} };
-    mockedApplyAuthChoicePluginProvider.mockResolvedValue(expected);
-
-    const result = await applyAuthChoiceGoogleGeminiCli(params);
-
-    expect(result).toBe(expected);
-    expect(mockedApplyAuthChoicePluginProvider).toHaveBeenCalledWith(params, {
-      authChoice: "google-gemini-cli",
-      pluginId: "google-gemini-cli-auth",
-      providerId: "google-gemini-cli",
-      methodId: "oauth",
-      label: "Google Gemini CLI",
-    });
-  });
-});
diff --git a/src/commands/auth-choice.apply.google-gemini-cli.ts b/src/commands/auth-choice.apply.google-gemini-cli.ts
deleted file mode 100644
index 5fcbc832338..00000000000
--- a/src/commands/auth-choice.apply.google-gemini-cli.ts
+++ /dev/null
@@ -1,37 +0,0 @@
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provider.js";
-
-export async function applyAuthChoiceGoogleGeminiCli(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  if (params.authChoice !== "google-gemini-cli") {
-    return null;
-  }
-
-  await params.prompter.note(
-    [
-      "This is an unofficial integration and is not endorsed by Google.",
-      "Some users have reported account restrictions or suspensions after using third-party Gemini CLI and Antigravity OAuth clients.",
-      "Proceed only if you understand and accept this risk.",
-    ].join("\n"),
-    "Google Gemini CLI caution",
-  );
-
-  const proceed = await params.prompter.confirm({
-    message: "Continue with Google Gemini CLI OAuth?",
-    initialValue: false,
-  });
-
-  if (!proceed) {
-    await params.prompter.note("Skipped Google Gemini CLI OAuth setup.", "Setup skipped");
-    return { config: params.config };
-  }
-
-  return await applyAuthChoicePluginProvider(params, {
-    authChoice: "google-gemini-cli",
-    pluginId: "google-gemini-cli-auth",
-    providerId: "google-gemini-cli",
-    methodId: "oauth",
-    label: "Google Gemini CLI",
-  });
-}
diff --git a/src/commands/auth-choice.apply.huggingface.test.ts b/src/commands/auth-choice.apply.huggingface.test.ts
deleted file mode 100644
index 5b55252067f..00000000000
--- a/src/commands/auth-choice.apply.huggingface.test.ts
+++ /dev/null
@@ -1,194 +0,0 @@
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { resolveAgentModelPrimaryValue } from "../config/model-input.js";
-import type { WizardPrompter } from "../wizard/prompts.js";
-import { applyAuthChoiceHuggingface } from "./auth-choice.apply.huggingface.js";
-import {
-  createAuthTestLifecycle,
-  createExitThrowingRuntime,
-  createWizardPrompter,
-  readAuthProfilesForAgent,
-  setupAuthTestEnv,
-} from "./test-wizard-helpers.js";
-
-function createHuggingfacePrompter(params: {
-  text: WizardPrompter["text"];
-  select: WizardPrompter["select"];
-  confirm?: WizardPrompter["confirm"];
-  note?: WizardPrompter["note"];
-}): WizardPrompter {
-  const overrides: Partial<WizardPrompter> = {
-    text: params.text,
-    select: params.select,
-  };
-  if (params.confirm) {
-    overrides.confirm = params.confirm;
-  }
-  if (params.note) {
-    overrides.note = params.note;
-  }
-  return createWizardPrompter(overrides, { defaultSelect: "" });
-}
-
-type ApplyHuggingfaceParams = Parameters<typeof applyAuthChoiceHuggingface>[0];
-
-async function runHuggingfaceApply(
-  params: Omit<ApplyHuggingfaceParams, "authChoice" | "setDefaultModel"> &
-    Partial<Pick<ApplyHuggingfaceParams, "setDefaultModel">>,
-) {
-  return await applyAuthChoiceHuggingface({
-    authChoice: "huggingface-api-key",
-    setDefaultModel: params.setDefaultModel ?? true,
-    ...params,
-  });
-}
-
-describe("applyAuthChoiceHuggingface", () => {
-  const lifecycle = createAuthTestLifecycle([
-    "OPENCLAW_STATE_DIR",
-    "OPENCLAW_AGENT_DIR",
-    "PI_CODING_AGENT_DIR",
-    "HF_TOKEN",
-    "HUGGINGFACE_HUB_TOKEN",
-  ]);
-
-  async function setupTempState() {
-    const env = await setupAuthTestEnv("openclaw-hf-");
-    lifecycle.setStateDir(env.stateDir);
-    return env.agentDir;
-  }
-
-  async function readAuthProfiles(agentDir: string) {
-    return await readAuthProfilesForAgent<{
-      profiles?: Record<string, { key?: string }>;
-    }>(agentDir);
-  }
-
-  afterEach(async () => {
-    await lifecycle.cleanup();
-  });
-
-  it("returns null when authChoice is not huggingface-api-key", async () => {
-    const result = await applyAuthChoiceHuggingface({
-      authChoice: "openrouter-api-key",
-      config: {},
-      prompter: {} as WizardPrompter,
-      runtime: createExitThrowingRuntime(),
-      setDefaultModel: false,
-    });
-    expect(result).toBeNull();
-  });
-
-  it("prompts for key and model, then writes config and auth profile", async () => {
-    const agentDir = await setupTempState();
-
-    const text = vi.fn().mockResolvedValue("hf-test-token");
-    const select: WizardPrompter["select"] = vi.fn(
-      async (params) => params.options?.[0]?.value as never,
-    );
-    const prompter = createHuggingfacePrompter({ text, select });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await runHuggingfaceApply({
-      config: {},
-      prompter,
-      runtime,
-    });
-
-    expect(result).not.toBeNull();
-    expect(result?.config.auth?.profiles?.["huggingface:default"]).toMatchObject({
-      provider: "huggingface",
-      mode: "api_key",
-    });
-    expect(resolveAgentModelPrimaryValue(result?.config.agents?.defaults?.model)).toMatch(
-      /^huggingface\/.+/,
-    );
-    expect(text).toHaveBeenCalledWith(
-      expect.objectContaining({ message: expect.stringContaining("Hugging Face") }),
-    );
-    expect(select).toHaveBeenCalledWith(
-      expect.objectContaining({ message: "Default Hugging Face model" }),
-    );
-
-    const parsed = await readAuthProfiles(agentDir);
-    expect(parsed.profiles?.["huggingface:default"]?.key).toBe("hf-test-token");
-  });
-
-  it.each([
-    {
-      caseName: "does not prompt to reuse env token when opts.token already provided",
-      tokenProvider: "huggingface",
-      token: "hf-opts-token",
-      envToken: "hf-env-token",
-    },
-    {
-      caseName: "accepts mixed-case tokenProvider from opts without prompting",
-      tokenProvider: "  HuGgInGfAcE  ",
-      token: "hf-opts-mixed",
-      envToken: undefined,
-    },
-  ])("$caseName", async ({ tokenProvider, token, envToken }) => {
-    const agentDir = await setupTempState();
-    if (envToken) {
-      process.env.HF_TOKEN = envToken;
-    } else {
-      delete process.env.HF_TOKEN;
-    }
-    delete process.env.HUGGINGFACE_HUB_TOKEN;
-
-    const text = vi.fn().mockResolvedValue("hf-text-token");
-    const select: WizardPrompter["select"] = vi.fn(
-      async (params) => params.options?.[0]?.value as never,
-    );
-    const confirm = vi.fn(async () => true);
-    const prompter = createHuggingfacePrompter({ text, select, confirm });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await runHuggingfaceApply({
-      config: {},
-      prompter,
-      runtime,
-      opts: {
-        tokenProvider,
-        token,
-      },
-    });
-
-    expect(result).not.toBeNull();
-    expect(confirm).not.toHaveBeenCalled();
-    expect(text).not.toHaveBeenCalled();
-
-    const parsed = await readAuthProfiles(agentDir);
-    expect(parsed.profiles?.["huggingface:default"]?.key).toBe(token);
-  });
-
-  it("notes when selected Hugging Face model uses a locked router policy", async () => {
-    await setupTempState();
-    delete process.env.HF_TOKEN;
-    delete process.env.HUGGINGFACE_HUB_TOKEN;
-
-    const text = vi.fn().mockResolvedValue("hf-test-token");
-    const select: WizardPrompter["select"] = vi.fn(async (params) => {
-      const options = (params.options ?? []) as Array<{ value: string }>;
-      const cheapest = options.find((option) => option.value.endsWith(":cheapest"));
-      return (cheapest?.value ?? options[0]?.value ?? "") as never;
-    });
-    const note: WizardPrompter["note"] = vi.fn(async () => {});
-    const prompter = createHuggingfacePrompter({ text, select, note });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await runHuggingfaceApply({
-      config: {},
-      prompter,
-      runtime,
-    });
-
-    expect(result).not.toBeNull();
-    expect(String(resolveAgentModelPrimaryValue(result?.config.agents?.defaults?.model))).toContain(
-      ":cheapest",
-    );
-    expect(note).toHaveBeenCalledWith(
-      "Provider locked — router will choose backend by cost or speed.",
-      "Hugging Face",
-    );
-  });
-});
diff --git a/src/commands/auth-choice.apply.huggingface.ts b/src/commands/auth-choice.apply.huggingface.ts
deleted file mode 100644
index 91bfd533cb0..00000000000
--- a/src/commands/auth-choice.apply.huggingface.ts
+++ /dev/null
@@ -1,137 +0,0 @@
-import {
-  discoverHuggingfaceModels,
-  isHuggingfacePolicyLocked,
-} from "../agents/huggingface-models.js";
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  createAuthChoiceAgentModelNoter,
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyDefaultModelChoice } from "./auth-choice.default-model.js";
-import { ensureModelAllowlistEntry } from "./model-allowlist.js";
-import {
-  applyAuthProfileConfig,
-  applyHuggingfaceProviderConfig,
-  setHuggingfaceApiKey,
-  HUGGINGFACE_DEFAULT_MODEL_REF,
-} from "./onboard-auth.js";
-
-export async function applyAuthChoiceHuggingface(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  if (params.authChoice !== "huggingface-api-key") {
-    return null;
-  }
-
-  let nextConfig = params.config;
-  let agentModelOverride: string | undefined;
-  const noteAgentModel = createAuthChoiceAgentModelNoter(params);
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-
-  const hfKey = await ensureApiKeyFromOptionEnvOrPrompt({
-    token: params.opts?.token,
-    tokenProvider: params.opts?.tokenProvider,
-    secretInputMode: requestedSecretInputMode,
-    config: nextConfig,
-    expectedProviders: ["huggingface"],
-    provider: "huggingface",
-    envLabel: "Hugging Face token",
-    promptMessage: "Enter Hugging Face API key (HF token)",
-    normalize: normalizeApiKeyInput,
-    validate: validateApiKeyInput,
-    prompter: params.prompter,
-    setCredential: async (apiKey, mode) =>
-      setHuggingfaceApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-    noteMessage: [
-      "Hugging Face Inference Providers offer OpenAI-compatible chat completions.",
-      "Create a token at: https://huggingface.co/settings/tokens (fine-grained, 'Make calls to Inference Providers').",
-    ].join("\n"),
-    noteTitle: "Hugging Face",
-  });
-  nextConfig = applyAuthProfileConfig(nextConfig, {
-    profileId: "huggingface:default",
-    provider: "huggingface",
-    mode: "api_key",
-  });
-
-  const models = await discoverHuggingfaceModels(hfKey);
-  const modelRefPrefix = "huggingface/";
-  const options: { value: string; label: string }[] = [];
-  for (const m of models) {
-    const baseRef = `${modelRefPrefix}${m.id}`;
-    const label = m.name ?? m.id;
-    options.push({ value: baseRef, label });
-    options.push({ value: `${baseRef}:cheapest`, label: `${label} (cheapest)` });
-    options.push({ value: `${baseRef}:fastest`, label: `${label} (fastest)` });
-  }
-  const defaultRef = HUGGINGFACE_DEFAULT_MODEL_REF;
-  options.sort((a, b) => {
-    if (a.value === defaultRef) {
-      return -1;
-    }
-    if (b.value === defaultRef) {
-      return 1;
-    }
-    return a.label.localeCompare(b.label, undefined, { sensitivity: "base" });
-  });
-  const selectedModelRef =
-    options.length === 0
-      ? defaultRef
-      : options.length === 1
-        ? options[0].value
-        : await params.prompter.select({
-            message: "Default Hugging Face model",
-            options,
-            initialValue: options.some((o) => o.value === defaultRef)
-              ? defaultRef
-              : options[0].value,
-          });
-
-  if (isHuggingfacePolicyLocked(selectedModelRef)) {
-    await params.prompter.note(
-      "Provider locked — router will choose backend by cost or speed.",
-      "Hugging Face",
-    );
-  }
-
-  const applied = await applyDefaultModelChoice({
-    config: nextConfig,
-    setDefaultModel: params.setDefaultModel,
-    defaultModel: selectedModelRef,
-    applyDefaultConfig: (config) => {
-      const withProvider = applyHuggingfaceProviderConfig(config);
-      const existingModel = withProvider.agents?.defaults?.model;
-      const withPrimary = {
-        ...withProvider,
-        agents: {
-          ...withProvider.agents,
-          defaults: {
-            ...withProvider.agents?.defaults,
-            model: {
-              ...(existingModel && typeof existingModel === "object" && "fallbacks" in existingModel
-                ? {
-                    fallbacks: (existingModel as { fallbacks?: string[] }).fallbacks,
-                  }
-                : {}),
-              primary: selectedModelRef,
-            },
-          },
-        },
-      };
-      return ensureModelAllowlistEntry({
-        cfg: withPrimary,
-        modelRef: selectedModelRef,
-      });
-    },
-    applyProviderConfig: applyHuggingfaceProviderConfig,
-    noteDefault: selectedModelRef,
-    noteAgentModel,
-    prompter: params.prompter,
-  });
-  nextConfig = applied.config;
-  agentModelOverride = applied.agentModelOverride ?? agentModelOverride;
-
-  return { config: nextConfig, agentModelOverride };
-}
diff --git a/src/commands/auth-choice.apply.minimax.test.ts b/src/commands/auth-choice.apply.minimax.test.ts
deleted file mode 100644
index 9b5442b108c..00000000000
--- a/src/commands/auth-choice.apply.minimax.test.ts
+++ /dev/null
@@ -1,208 +0,0 @@
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { resolveAgentModelPrimaryValue } from "../config/model-input.js";
-import { applyAuthChoiceMiniMax } from "./auth-choice.apply.minimax.js";
-import {
-  createAuthTestLifecycle,
-  createExitThrowingRuntime,
-  createWizardPrompter,
-  readAuthProfilesForAgent,
-  setupAuthTestEnv,
-} from "./test-wizard-helpers.js";
-
-describe("applyAuthChoiceMiniMax", () => {
-  const lifecycle = createAuthTestLifecycle([
-    "OPENCLAW_STATE_DIR",
-    "OPENCLAW_AGENT_DIR",
-    "PI_CODING_AGENT_DIR",
-    "MINIMAX_API_KEY",
-    "MINIMAX_OAUTH_TOKEN",
-  ]);
-
-  async function setupTempState() {
-    const env = await setupAuthTestEnv("openclaw-minimax-");
-    lifecycle.setStateDir(env.stateDir);
-    return env.agentDir;
-  }
-
-  async function readAuthProfiles(agentDir: string) {
-    return await readAuthProfilesForAgent<{
-      profiles?: Record<string, { key?: string; keyRef?: { source: string; id: string } }>;
-    }>(agentDir);
-  }
-
-  function resetMiniMaxEnv(): void {
-    delete process.env.MINIMAX_API_KEY;
-    delete process.env.MINIMAX_OAUTH_TOKEN;
-  }
-
-  async function runMiniMaxChoice(params: {
-    authChoice: Parameters<typeof applyAuthChoiceMiniMax>[0]["authChoice"];
-    opts?: Parameters<typeof applyAuthChoiceMiniMax>[0]["opts"];
-    env?: { apiKey?: string };
-    prompterText?: () => Promise<string>;
-  }) {
-    const agentDir = await setupTempState();
-    resetMiniMaxEnv();
-    if (params.env?.apiKey !== undefined) {
-      process.env.MINIMAX_API_KEY = params.env.apiKey;
-    }
-
-    const text = vi.fn(async () => "should-not-be-used");
-    const confirm = vi.fn(async () => true);
-    const result = await applyAuthChoiceMiniMax({
-      authChoice: params.authChoice,
-      config: {},
-      // Pass select: undefined so ref-mode uses the non-interactive fallback (same as old test behavior).
-      prompter: createWizardPrompter({
-        text: params.prompterText ?? text,
-        confirm,
-        select: undefined,
-      }),
-      runtime: createExitThrowingRuntime(),
-      setDefaultModel: true,
-      ...(params.opts ? { opts: params.opts } : {}),
-    });
-
-    return { agentDir, result, text, confirm };
-  }
-
-  afterEach(async () => {
-    await lifecycle.cleanup();
-  });
-
-  it("returns null for unrelated authChoice", async () => {
-    const result = await applyAuthChoiceMiniMax({
-      authChoice: "openrouter-api-key",
-      config: {},
-      prompter: createWizardPrompter({}),
-      runtime: createExitThrowingRuntime(),
-      setDefaultModel: true,
-    });
-
-    expect(result).toBeNull();
-  });
-
-  it.each([
-    {
-      caseName: "uses opts token for minimax-global-api without prompt",
-      authChoice: "minimax-global-api" as const,
-      tokenProvider: "minimax",
-      token: "mm-opts-token",
-      profileId: "minimax:global",
-      expectedModel: "minimax/MiniMax-M2.5",
-    },
-    {
-      caseName: "uses opts token for minimax-cn-api with trimmed/case-insensitive tokenProvider",
-      authChoice: "minimax-cn-api" as const,
-      tokenProvider: "  MINIMAX  ",
-      token: "mm-cn-opts-token",
-      profileId: "minimax:cn",
-      expectedModel: "minimax/MiniMax-M2.5",
-    },
-  ])("$caseName", async ({ authChoice, tokenProvider, token, profileId, expectedModel }) => {
-    const { agentDir, result, text, confirm } = await runMiniMaxChoice({
-      authChoice,
-      opts: { tokenProvider, token },
-    });
-
-    expect(result).not.toBeNull();
-    expect(result?.config.auth?.profiles?.[profileId]).toMatchObject({
-      provider: "minimax",
-      mode: "api_key",
-    });
-    expect(resolveAgentModelPrimaryValue(result?.config.agents?.defaults?.model)).toBe(
-      expectedModel,
-    );
-    expect(text).not.toHaveBeenCalled();
-    expect(confirm).not.toHaveBeenCalled();
-
-    const parsed = await readAuthProfiles(agentDir);
-    expect(parsed.profiles?.[profileId]?.key).toBe(token);
-  });
-
-  it.each([
-    {
-      name: "uses env token for minimax-cn-api as plaintext by default",
-      opts: undefined,
-      expectKey: "mm-env-token",
-      expectKeyRef: undefined,
-      expectConfirmCalls: 1,
-    },
-    {
-      name: "uses env token for minimax-cn-api as keyRef in ref mode",
-      opts: { secretInputMode: "ref" as const }, // pragma: allowlist secret
-      expectKey: undefined,
-      expectKeyRef: {
-        source: "env",
-        provider: "default",
-        id: "MINIMAX_API_KEY",
-      },
-      expectConfirmCalls: 0,
-    },
-  ])("$name", async ({ opts, expectKey, expectKeyRef, expectConfirmCalls }) => {
-    const { agentDir, result, text, confirm } = await runMiniMaxChoice({
-      authChoice: "minimax-cn-api",
-      opts,
-      env: { apiKey: "mm-env-token" }, // pragma: allowlist secret
-    });
-
-    expect(result).not.toBeNull();
-    if (!opts) {
-      expect(result?.config.auth?.profiles?.["minimax:cn"]).toMatchObject({
-        provider: "minimax",
-        mode: "api_key",
-      });
-      expect(resolveAgentModelPrimaryValue(result?.config.agents?.defaults?.model)).toBe(
-        "minimax/MiniMax-M2.5",
-      );
-    }
-    expect(text).not.toHaveBeenCalled();
-    expect(confirm).toHaveBeenCalledTimes(expectConfirmCalls);
-
-    const parsed = await readAuthProfiles(agentDir);
-    expect(parsed.profiles?.["minimax:cn"]?.key).toBe(expectKey);
-    if (expectKeyRef) {
-      expect(parsed.profiles?.["minimax:cn"]?.keyRef).toEqual(expectKeyRef);
-    } else {
-      expect(parsed.profiles?.["minimax:cn"]?.keyRef).toBeUndefined();
-    }
-  });
-
-  it("minimax-global-api uses minimax:global profile and minimax/MiniMax-M2.5 model", async () => {
-    const { agentDir, result, text, confirm } = await runMiniMaxChoice({
-      authChoice: "minimax-global-api",
-      opts: {
-        tokenProvider: "minimax",
-        token: "mm-global-token",
-      },
-    });
-
-    expect(result).not.toBeNull();
-    expect(result?.config.auth?.profiles?.["minimax:global"]).toMatchObject({
-      provider: "minimax",
-      mode: "api_key",
-    });
-    expect(resolveAgentModelPrimaryValue(result?.config.agents?.defaults?.model)).toBe(
-      "minimax/MiniMax-M2.5",
-    );
-    expect(result?.config.models?.providers?.minimax?.baseUrl).toContain("minimax.io");
-    expect(text).not.toHaveBeenCalled();
-    expect(confirm).not.toHaveBeenCalled();
-
-    const parsed = await readAuthProfiles(agentDir);
-    expect(parsed.profiles?.["minimax:global"]?.key).toBe("mm-global-token");
-  });
-
-  it("minimax-cn-api sets CN baseUrl", async () => {
-    const { result } = await runMiniMaxChoice({
-      authChoice: "minimax-cn-api",
-      opts: {
-        tokenProvider: "minimax",
-        token: "mm-cn-token",
-      },
-    });
-
-    expect(result).not.toBeNull();
-    expect(result?.config.models?.providers?.minimax?.baseUrl).toContain("minimaxi.com");
-  });
-});
diff --git a/src/commands/auth-choice.apply.minimax.ts b/src/commands/auth-choice.apply.minimax.ts
deleted file mode 100644
index 1a381b908b8..00000000000
--- a/src/commands/auth-choice.apply.minimax.ts
+++ /dev/null
@@ -1,106 +0,0 @@
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  createAuthChoiceDefaultModelApplierForMutableState,
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provider.js";
-import {
-  applyAuthProfileConfig,
-  applyMinimaxApiConfig,
-  applyMinimaxApiConfigCn,
-  applyMinimaxApiProviderConfig,
-  applyMinimaxApiProviderConfigCn,
-  setMinimaxApiKey,
-} from "./onboard-auth.js";
-
-export async function applyAuthChoiceMiniMax(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  // OAuth paths — delegate to plugin, no API key needed
-  if (params.authChoice === "minimax-global-oauth") {
-    return await applyAuthChoicePluginProvider(params, {
-      authChoice: "minimax-global-oauth",
-      pluginId: "minimax-portal-auth",
-      providerId: "minimax-portal",
-      methodId: "oauth",
-      label: "MiniMax",
-    });
-  }
-
-  if (params.authChoice === "minimax-cn-oauth") {
-    return await applyAuthChoicePluginProvider(params, {
-      authChoice: "minimax-cn-oauth",
-      pluginId: "minimax-portal-auth",
-      providerId: "minimax-portal",
-      methodId: "oauth-cn",
-      label: "MiniMax CN",
-    });
-  }
-
-  // API key paths
-  if (params.authChoice === "minimax-global-api" || params.authChoice === "minimax-cn-api") {
-    const isCn = params.authChoice === "minimax-cn-api";
-    const profileId = isCn ? "minimax:cn" : "minimax:global";
-    const keyLink = isCn
-      ? "https://platform.minimaxi.com/user-center/basic-information/interface-key"
-      : "https://platform.minimax.io/user-center/basic-information/interface-key";
-    const promptMessage = `Enter MiniMax ${isCn ? "CN " : ""}API key (sk-api- or sk-cp-)\n${keyLink}`;
-
-    let nextConfig = params.config;
-    let agentModelOverride: string | undefined;
-    const applyProviderDefaultModel = createAuthChoiceDefaultModelApplierForMutableState(
-      params,
-      () => nextConfig,
-      (config) => (nextConfig = config),
-      () => agentModelOverride,
-      (model) => (agentModelOverride = model),
-    );
-    const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-
-    // Warn when both Global and CN share the same `minimax` provider entry — configuring one
-    // overwrites the other's baseUrl. Only show when the other profile is already present.
-    const otherProfileId = isCn ? "minimax:global" : "minimax:cn";
-    const hasOtherProfile = Boolean(nextConfig.auth?.profiles?.[otherProfileId]);
-    const noteMessage = hasOtherProfile
-      ? `Note: Global and CN both use the "minimax" provider entry. Saving this key will overwrite the existing ${isCn ? "Global" : "CN"} endpoint (${otherProfileId}).`
-      : undefined;
-
-    await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.token,
-      tokenProvider: params.opts?.tokenProvider,
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      // Accept "minimax-cn" as a legacy tokenProvider alias for the CN path.
-      expectedProviders: isCn ? ["minimax", "minimax-cn"] : ["minimax"],
-      provider: "minimax",
-      envLabel: "MINIMAX_API_KEY",
-      promptMessage,
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      noteMessage,
-      setCredential: async (apiKey, mode) =>
-        setMinimaxApiKey(apiKey, params.agentDir, profileId, { secretInputMode: mode }),
-    });
-
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId,
-      provider: "minimax",
-      mode: "api_key",
-    });
-
-    await applyProviderDefaultModel({
-      defaultModel: "minimax/MiniMax-M2.5",
-      applyDefaultConfig: (config) =>
-        isCn ? applyMinimaxApiConfigCn(config) : applyMinimaxApiConfig(config),
-      applyProviderConfig: (config) =>
-        isCn ? applyMinimaxApiProviderConfigCn(config) : applyMinimaxApiProviderConfig(config),
-    });
-
-    return { config: nextConfig, agentModelOverride };
-  }
-
-  return null;
-}
diff --git a/src/commands/auth-choice.apply.openai.test.ts b/src/commands/auth-choice.apply.openai.test.ts
deleted file mode 100644
index 1d14f136f32..00000000000
--- a/src/commands/auth-choice.apply.openai.test.ts
+++ /dev/null
@@ -1,116 +0,0 @@
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { applyAuthChoiceOpenAI } from "./auth-choice.apply.openai.js";
-import {
-  createAuthTestLifecycle,
-  createExitThrowingRuntime,
-  createWizardPrompter,
-  readAuthProfilesForAgent,
-  setupAuthTestEnv,
-} from "./test-wizard-helpers.js";
-
-describe("applyAuthChoiceOpenAI", () => {
-  const lifecycle = createAuthTestLifecycle([
-    "OPENCLAW_STATE_DIR",
-    "OPENCLAW_AGENT_DIR",
-    "PI_CODING_AGENT_DIR",
-    "OPENAI_API_KEY",
-  ]);
-
-  async function setupTempState() {
-    const env = await setupAuthTestEnv("openclaw-openai-");
-    lifecycle.setStateDir(env.stateDir);
-    return env.agentDir;
-  }
-
-  afterEach(async () => {
-    await lifecycle.cleanup();
-  });
-
-  it("writes env-backed OpenAI key as plaintext by default", async () => {
-    const agentDir = await setupTempState();
-    process.env.OPENAI_API_KEY = "sk-openai-env"; // pragma: allowlist secret
-
-    const confirm = vi.fn(async () => true);
-    const text = vi.fn(async () => "unused");
-    const prompter = createWizardPrompter({ confirm, text }, { defaultSelect: "plaintext" });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await applyAuthChoiceOpenAI({
-      authChoice: "openai-api-key",
-      config: {},
-      prompter,
-      runtime,
-      setDefaultModel: true,
-    });
-
-    expect(result).not.toBeNull();
-    expect(result?.config.auth?.profiles?.["openai:default"]).toMatchObject({
-      provider: "openai",
-      mode: "api_key",
-    });
-    const defaultModel = result?.config.agents?.defaults?.model;
-    const primaryModel = typeof defaultModel === "string" ? defaultModel : defaultModel?.primary;
-    expect(primaryModel).toBe("openai/gpt-5.1-codex");
-    expect(text).not.toHaveBeenCalled();
-
-    const parsed = await readAuthProfilesForAgent<{
-      profiles?: Record<string, { key?: string; keyRef?: unknown }>;
-    }>(agentDir);
-    expect(parsed.profiles?.["openai:default"]?.key).toBe("sk-openai-env");
-    expect(parsed.profiles?.["openai:default"]?.keyRef).toBeUndefined();
-  });
-
-  it("writes env-backed OpenAI key as keyRef when secret-input-mode=ref", async () => {
-    const agentDir = await setupTempState();
-    process.env.OPENAI_API_KEY = "sk-openai-env"; // pragma: allowlist secret
-
-    const confirm = vi.fn(async () => true);
-    const text = vi.fn(async () => "unused");
-    const prompter = createWizardPrompter({ confirm, text }, { defaultSelect: "ref" });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await applyAuthChoiceOpenAI({
-      authChoice: "openai-api-key",
-      config: {},
-      prompter,
-      runtime,
-      setDefaultModel: true,
-    });
-
-    expect(result).not.toBeNull();
-    const parsed = await readAuthProfilesForAgent<{
-      profiles?: Record<string, { key?: string; keyRef?: unknown }>;
-    }>(agentDir);
-    expect(parsed.profiles?.["openai:default"]).toMatchObject({
-      keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
-    });
-    expect(parsed.profiles?.["openai:default"]?.key).toBeUndefined();
-  });
-
-  it("writes explicit token input into openai auth profile", async () => {
-    const agentDir = await setupTempState();
-
-    const prompter = createWizardPrompter({}, { defaultSelect: "" });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await applyAuthChoiceOpenAI({
-      authChoice: "apiKey",
-      config: {},
-      prompter,
-      runtime,
-      setDefaultModel: true,
-      opts: {
-        tokenProvider: "openai",
-        token: "sk-openai-token",
-      },
-    });
-
-    expect(result).not.toBeNull();
-
-    const parsed = await readAuthProfilesForAgent<{
-      profiles?: Record<string, { key?: string; keyRef?: unknown }>;
-    }>(agentDir);
-    expect(parsed.profiles?.["openai:default"]?.key).toBe("sk-openai-token");
-    expect(parsed.profiles?.["openai:default"]?.keyRef).toBeUndefined();
-  });
-});
diff --git a/src/commands/auth-choice.apply.openai.ts b/src/commands/auth-choice.apply.openai.ts
deleted file mode 100644
index 57059307920..00000000000
--- a/src/commands/auth-choice.apply.openai.ts
+++ /dev/null
@@ -1,123 +0,0 @@
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  createAuthChoiceAgentModelNoter,
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyDefaultModelChoice } from "./auth-choice.default-model.js";
-import { isRemoteEnvironment } from "./oauth-env.js";
-import { applyAuthProfileConfig, setOpenaiApiKey, writeOAuthCredentials } from "./onboard-auth.js";
-import { openUrl } from "./onboard-helpers.js";
-import {
-  applyOpenAICodexModelDefault,
-  OPENAI_CODEX_DEFAULT_MODEL,
-} from "./openai-codex-model-default.js";
-import { loginOpenAICodexOAuth } from "./openai-codex-oauth.js";
-import {
-  applyOpenAIConfig,
-  applyOpenAIProviderConfig,
-  OPENAI_DEFAULT_MODEL,
-} from "./openai-model-default.js";
-
-export async function applyAuthChoiceOpenAI(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-  const noteAgentModel = createAuthChoiceAgentModelNoter(params);
-  let authChoice = params.authChoice;
-  if (authChoice === "apiKey" && params.opts?.tokenProvider === "openai") {
-    authChoice = "openai-api-key";
-  }
-
-  if (authChoice === "openai-api-key") {
-    let nextConfig = params.config;
-    let agentModelOverride: string | undefined;
-
-    const applyOpenAiDefaultModelChoice = async (): Promise<ApplyAuthChoiceResult> => {
-      const applied = await applyDefaultModelChoice({
-        config: nextConfig,
-        setDefaultModel: params.setDefaultModel,
-        defaultModel: OPENAI_DEFAULT_MODEL,
-        applyDefaultConfig: applyOpenAIConfig,
-        applyProviderConfig: applyOpenAIProviderConfig,
-        noteDefault: OPENAI_DEFAULT_MODEL,
-        noteAgentModel,
-        prompter: params.prompter,
-      });
-      nextConfig = applied.config;
-      agentModelOverride = applied.agentModelOverride ?? agentModelOverride;
-      return { config: nextConfig, agentModelOverride };
-    };
-
-    await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.token,
-      tokenProvider: params.opts?.tokenProvider,
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      expectedProviders: ["openai"],
-      provider: "openai",
-      envLabel: "OPENAI_API_KEY",
-      promptMessage: "Enter OpenAI API key",
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      setCredential: async (apiKey, mode) =>
-        setOpenaiApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-    });
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: "openai:default",
-      provider: "openai",
-      mode: "api_key",
-    });
-    return await applyOpenAiDefaultModelChoice();
-  }
-
-  if (params.authChoice === "openai-codex") {
-    let nextConfig = params.config;
-    let agentModelOverride: string | undefined;
-
-    let creds;
-    try {
-      creds = await loginOpenAICodexOAuth({
-        prompter: params.prompter,
-        runtime: params.runtime,
-        isRemote: isRemoteEnvironment(),
-        openUrl: async (url) => {
-          await openUrl(url);
-        },
-        localBrowserMessage: "Complete sign-in in browser…",
-      });
-    } catch {
-      // The helper already surfaces the error to the user.
-      // Keep onboarding flow alive and return unchanged config.
-      return { config: nextConfig, agentModelOverride };
-    }
-    if (creds) {
-      const profileId = await writeOAuthCredentials("openai-codex", creds, params.agentDir, {
-        syncSiblingAgents: true,
-      });
-      nextConfig = applyAuthProfileConfig(nextConfig, {
-        profileId,
-        provider: "openai-codex",
-        mode: "oauth",
-      });
-      if (params.setDefaultModel) {
-        const applied = applyOpenAICodexModelDefault(nextConfig);
-        nextConfig = applied.next;
-        if (applied.changed) {
-          await params.prompter.note(
-            `Default model set to ${OPENAI_CODEX_DEFAULT_MODEL}`,
-            "Model configured",
-          );
-        }
-      } else {
-        agentModelOverride = OPENAI_CODEX_DEFAULT_MODEL;
-        await noteAgentModel(OPENAI_CODEX_DEFAULT_MODEL);
-      }
-    }
-    return { config: nextConfig, agentModelOverride };
-  }
-
-  return null;
-}
diff --git a/src/commands/auth-choice.apply.openrouter.ts b/src/commands/auth-choice.apply.openrouter.ts
deleted file mode 100644
index 4cf01762615..00000000000
--- a/src/commands/auth-choice.apply.openrouter.ts
+++ /dev/null
@@ -1,93 +0,0 @@
-import { ensureAuthProfileStore, resolveAuthProfileOrder } from "../agents/auth-profiles.js";
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  createAuthChoiceAgentModelNoter,
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyDefaultModelChoice } from "./auth-choice.default-model.js";
-import {
-  applyAuthProfileConfig,
-  applyOpenrouterConfig,
-  applyOpenrouterProviderConfig,
-  setOpenrouterApiKey,
-  OPENROUTER_DEFAULT_MODEL_REF,
-} from "./onboard-auth.js";
-
-export async function applyAuthChoiceOpenRouter(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult> {
-  let nextConfig = params.config;
-  let agentModelOverride: string | undefined;
-  const noteAgentModel = createAuthChoiceAgentModelNoter(params);
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-
-  const store = ensureAuthProfileStore(params.agentDir, { allowKeychainPrompt: false });
-  const profileOrder = resolveAuthProfileOrder({
-    cfg: nextConfig,
-    store,
-    provider: "openrouter",
-  });
-  const existingProfileId = profileOrder.find((profileId) => Boolean(store.profiles[profileId]));
-  const existingCred = existingProfileId ? store.profiles[existingProfileId] : undefined;
-  let profileId = "openrouter:default";
-  let mode: "api_key" | "oauth" | "token" = "api_key";
-  let hasCredential = false;
-
-  if (existingProfileId && existingCred?.type) {
-    profileId = existingProfileId;
-    mode =
-      existingCred.type === "oauth" ? "oauth" : existingCred.type === "token" ? "token" : "api_key";
-    hasCredential = true;
-  }
-
-  if (!hasCredential && params.opts?.token && params.opts?.tokenProvider === "openrouter") {
-    await setOpenrouterApiKey(normalizeApiKeyInput(params.opts.token), params.agentDir, {
-      secretInputMode: requestedSecretInputMode,
-    });
-    hasCredential = true;
-  }
-
-  if (!hasCredential) {
-    await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.token,
-      tokenProvider: params.opts?.tokenProvider,
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      expectedProviders: ["openrouter"],
-      provider: "openrouter",
-      envLabel: "OPENROUTER_API_KEY",
-      promptMessage: "Enter OpenRouter API key",
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      setCredential: async (apiKey, mode) =>
-        setOpenrouterApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-    });
-    hasCredential = true;
-  }
-
-  if (hasCredential) {
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId,
-      provider: "openrouter",
-      mode,
-    });
-  }
-
-  const applied = await applyDefaultModelChoice({
-    config: nextConfig,
-    setDefaultModel: params.setDefaultModel,
-    defaultModel: OPENROUTER_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyOpenrouterConfig,
-    applyProviderConfig: applyOpenrouterProviderConfig,
-    noteDefault: OPENROUTER_DEFAULT_MODEL_REF,
-    noteAgentModel,
-    prompter: params.prompter,
-  });
-  nextConfig = applied.config;
-  agentModelOverride = applied.agentModelOverride ?? agentModelOverride;
-
-  return { config: nextConfig, agentModelOverride };
-}
diff --git a/src/commands/auth-choice.apply.plugin-provider.ts b/src/commands/auth-choice.apply.plugin-provider.ts
index 2268a34d3ff..746eb219fff 100644
--- a/src/commands/auth-choice.apply.plugin-provider.ts
+++ b/src/commands/auth-choice.apply.plugin-provider.ts
@@ -13,6 +13,7 @@ import { isRemoteEnvironment } from "./oauth-env.js";
 import { createVpsAwareOAuthHandlers } from "./oauth-flow.js";
 import { applyAuthProfileConfig } from "./onboard-auth.js";
 import { openUrl } from "./onboard-helpers.js";
+import type { OnboardOptions } from "./onboard-types.js";
 import {
   applyDefaultModel,
   mergeConfigPatch,
@@ -28,6 +29,38 @@ export type PluginProviderAuthChoiceOptions = {
   label: string;
 };
 
+function restoreConfiguredPrimaryModel(
+  nextConfig: ApplyAuthChoiceParams["config"],
+  originalConfig: ApplyAuthChoiceParams["config"],
+): ApplyAuthChoiceParams["config"] {
+  const originalModel = originalConfig.agents?.defaults?.model;
+  const nextAgents = nextConfig.agents;
+  const nextDefaults = nextAgents?.defaults;
+  if (!nextDefaults) {
+    return nextConfig;
+  }
+  if (originalModel !== undefined) {
+    return {
+      ...nextConfig,
+      agents: {
+        ...nextAgents,
+        defaults: {
+          ...nextDefaults,
+          model: originalModel,
+        },
+      },
+    };
+  }
+  const { model: _model, ...restDefaults } = nextDefaults;
+  return {
+    ...nextConfig,
+    agents: {
+      ...nextAgents,
+      defaults: restDefaults,
+    },
+  };
+}
+
 async function loadPluginProviderRuntime() {
   return import("./auth-choice.apply.plugin-provider.runtime.js");
 }
@@ -41,6 +74,9 @@ export async function runProviderPluginAuthMethod(params: {
   agentId?: string;
   workspaceDir?: string;
   emitNotes?: boolean;
+  secretInputMode?: OnboardOptions["secretInputMode"];
+  allowSecretRefPrompt?: boolean;
+  opts?: Partial<OnboardOptions>;
 }): Promise<{ config: ApplyAuthChoiceParams["config"]; defaultModel?: string }> {
   const agentId = params.agentId ?? resolveDefaultAgentId(params.config);
   const defaultAgentId = resolveDefaultAgentId(params.config);
@@ -61,6 +97,9 @@ export async function runProviderPluginAuthMethod(params: {
     workspaceDir,
     prompter: params.prompter,
     runtime: params.runtime,
+    opts: params.opts,
+    secretInputMode: params.secretInputMode,
+    allowSecretRefPrompt: params.allowSecretRefPrompt,
     isRemote,
     openUrl: async (url) => {
       await openUrl(url);
@@ -110,7 +149,12 @@ export async function applyAuthChoiceLoadedPluginProvider(
     resolveAgentWorkspaceDir(params.config, agentId) ?? resolveDefaultAgentWorkspaceDir();
   const { resolvePluginProviders, resolveProviderPluginChoice, runProviderModelSelectedHook } =
     await loadPluginProviderRuntime();
-  const providers = resolvePluginProviders({ config: params.config, workspaceDir });
+  const providers = resolvePluginProviders({
+    config: params.config,
+    workspaceDir,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
+  });
   const resolved = resolveProviderPluginChoice({
     providers,
     choice: params.authChoice,
@@ -127,12 +171,16 @@ export async function applyAuthChoiceLoadedPluginProvider(
     agentDir: params.agentDir,
     agentId: params.agentId,
     workspaceDir,
+    secretInputMode: params.opts?.secretInputMode,
+    allowSecretRefPrompt: false,
+    opts: params.opts,
   });
 
+  let nextConfig = applied.config;
   let agentModelOverride: string | undefined;
   if (applied.defaultModel) {
     if (params.setDefaultModel) {
-      const nextConfig = applyDefaultModel(applied.config, applied.defaultModel);
+      nextConfig = applyDefaultModel(nextConfig, applied.defaultModel);
       await runProviderModelSelectedHook({
         config: nextConfig,
         model: applied.defaultModel,
@@ -146,10 +194,11 @@ export async function applyAuthChoiceLoadedPluginProvider(
       );
       return { config: nextConfig };
     }
+    nextConfig = restoreConfiguredPrimaryModel(nextConfig, params.config);
     agentModelOverride = applied.defaultModel;
   }
 
-  return { config: applied.config, agentModelOverride };
+  return { config: nextConfig, agentModelOverride };
 }
 
 export async function applyAuthChoicePluginProvider(
@@ -180,7 +229,12 @@ export async function applyAuthChoicePluginProvider(
 
   const { resolvePluginProviders, runProviderModelSelectedHook } =
     await loadPluginProviderRuntime();
-  const providers = resolvePluginProviders({ config: nextConfig, workspaceDir });
+  const providers = resolvePluginProviders({
+    config: nextConfig,
+    workspaceDir,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
+  });
   const provider = resolveProviderMatch(providers, options.providerId);
   if (!provider) {
     await params.prompter.note(
@@ -204,6 +258,9 @@ export async function applyAuthChoicePluginProvider(
     agentDir,
     agentId,
     workspaceDir,
+    secretInputMode: params.opts?.secretInputMode,
+    allowSecretRefPrompt: false,
+    opts: params.opts,
   });
   nextConfig = applied.config;
 
@@ -222,7 +279,10 @@ export async function applyAuthChoicePluginProvider(
         `Default model set to ${applied.defaultModel}`,
         "Model configured",
       );
-    } else if (params.agentId) {
+    } else {
+      nextConfig = restoreConfiguredPrimaryModel(nextConfig, params.config);
+    }
+    if (!params.setDefaultModel && params.agentId) {
       agentModelOverride = applied.defaultModel;
       await params.prompter.note(
         `Default model set to ${applied.defaultModel} for agent "${params.agentId}".`,
diff --git a/src/commands/auth-choice.apply.qwen-portal.ts b/src/commands/auth-choice.apply.qwen-portal.ts
deleted file mode 100644
index b8c975c591f..00000000000
--- a/src/commands/auth-choice.apply.qwen-portal.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provider.js";
-
-export async function applyAuthChoiceQwenPortal(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  return await applyAuthChoicePluginProvider(params, {
-    authChoice: "qwen-portal",
-    pluginId: "qwen-portal-auth",
-    providerId: "qwen-portal",
-    methodId: "device",
-    label: "Qwen",
-  });
-}
diff --git a/src/commands/auth-choice.apply.ts b/src/commands/auth-choice.apply.ts
index b01fd65c875..cf96b8f8905 100644
--- a/src/commands/auth-choice.apply.ts
+++ b/src/commands/auth-choice.apply.ts
@@ -1,19 +1,11 @@
 import type { OpenClawConfig } from "../config/config.js";
 import type { RuntimeEnv } from "../runtime.js";
 import type { WizardPrompter } from "../wizard/prompts.js";
-import { applyAuthChoiceAnthropic } from "./auth-choice.apply.anthropic.js";
+import { normalizeLegacyOnboardAuthChoice } from "./auth-choice-legacy.js";
 import { applyAuthChoiceApiProviders } from "./auth-choice.apply.api-providers.js";
-import { applyAuthChoiceBytePlus } from "./auth-choice.apply.byteplus.js";
-import { applyAuthChoiceCopilotProxy } from "./auth-choice.apply.copilot-proxy.js";
-import { applyAuthChoiceGitHubCopilot } from "./auth-choice.apply.github-copilot.js";
-import { applyAuthChoiceGoogleGeminiCli } from "./auth-choice.apply.google-gemini-cli.js";
-import { applyAuthChoiceMiniMax } from "./auth-choice.apply.minimax.js";
+import { normalizeApiKeyTokenProviderAuthChoice } from "./auth-choice.apply.api-providers.js";
 import { applyAuthChoiceOAuth } from "./auth-choice.apply.oauth.js";
-import { applyAuthChoiceOpenAI } from "./auth-choice.apply.openai.js";
 import { applyAuthChoiceLoadedPluginProvider } from "./auth-choice.apply.plugin-provider.js";
-import { applyAuthChoiceQwenPortal } from "./auth-choice.apply.qwen-portal.js";
-import { applyAuthChoiceVolcengine } from "./auth-choice.apply.volcengine.js";
-import { applyAuthChoiceXAI } from "./auth-choice.apply.xai.js";
 import type { AuthChoice, OnboardOptions } from "./onboard-types.js";
 
 export type ApplyAuthChoiceParams = {
@@ -35,28 +27,30 @@ export type ApplyAuthChoiceResult = {
 export async function applyAuthChoice(
   params: ApplyAuthChoiceParams,
 ): Promise<ApplyAuthChoiceResult> {
+  const normalizedAuthChoice =
+    normalizeLegacyOnboardAuthChoice(params.authChoice) ?? params.authChoice;
+  const normalizedProviderAuthChoice = normalizeApiKeyTokenProviderAuthChoice({
+    authChoice: normalizedAuthChoice,
+    tokenProvider: params.opts?.tokenProvider,
+    config: params.config,
+    env: process.env,
+  });
+  const normalizedParams =
+    normalizedProviderAuthChoice === params.authChoice
+      ? params
+      : { ...params, authChoice: normalizedProviderAuthChoice };
   const handlers: Array<(p: ApplyAuthChoiceParams) => Promise<ApplyAuthChoiceResult | null>> = [
     applyAuthChoiceLoadedPluginProvider,
-    applyAuthChoiceAnthropic,
-    applyAuthChoiceOpenAI,
     applyAuthChoiceOAuth,
     applyAuthChoiceApiProviders,
-    applyAuthChoiceMiniMax,
-    applyAuthChoiceGitHubCopilot,
-    applyAuthChoiceGoogleGeminiCli,
-    applyAuthChoiceCopilotProxy,
-    applyAuthChoiceQwenPortal,
-    applyAuthChoiceXAI,
-    applyAuthChoiceVolcengine,
-    applyAuthChoiceBytePlus,
   ];
 
   for (const handler of handlers) {
-    const result = await handler(params);
+    const result = await handler(normalizedParams);
     if (result) {
       return result;
     }
   }
 
-  return { config: params.config };
+  return { config: normalizedParams.config };
 }
diff --git a/src/commands/auth-choice.apply.volcengine-byteplus.test.ts b/src/commands/auth-choice.apply.volcengine-byteplus.test.ts
deleted file mode 100644
index 0f86d06f3cd..00000000000
--- a/src/commands/auth-choice.apply.volcengine-byteplus.test.ts
+++ /dev/null
@@ -1,141 +0,0 @@
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { applyAuthChoiceBytePlus } from "./auth-choice.apply.byteplus.js";
-import { applyAuthChoiceVolcengine } from "./auth-choice.apply.volcengine.js";
-import {
-  createAuthTestLifecycle,
-  createExitThrowingRuntime,
-  createWizardPrompter,
-  readAuthProfilesForAgent,
-  setupAuthTestEnv,
-} from "./test-wizard-helpers.js";
-
-describe("volcengine/byteplus auth choice", () => {
-  const lifecycle = createAuthTestLifecycle([
-    "OPENCLAW_STATE_DIR",
-    "OPENCLAW_AGENT_DIR",
-    "PI_CODING_AGENT_DIR",
-    "VOLCANO_ENGINE_API_KEY",
-    "BYTEPLUS_API_KEY",
-  ]);
-
-  async function setupTempState() {
-    const env = await setupAuthTestEnv("openclaw-volc-byte-");
-    lifecycle.setStateDir(env.stateDir);
-    return env.agentDir;
-  }
-
-  function createTestContext(defaultSelect: string, confirmResult = true, textValue = "unused") {
-    return {
-      prompter: createWizardPrompter(
-        {
-          confirm: vi.fn(async () => confirmResult),
-          text: vi.fn(async () => textValue),
-        },
-        { defaultSelect },
-      ),
-      runtime: createExitThrowingRuntime(),
-    };
-  }
-
-  type ProviderAuthCase = {
-    provider: "volcengine" | "byteplus";
-    authChoice: "volcengine-api-key" | "byteplus-api-key";
-    envVar: "VOLCANO_ENGINE_API_KEY" | "BYTEPLUS_API_KEY";
-    envValue: string;
-    profileId: "volcengine:default" | "byteplus:default";
-    applyAuthChoice: typeof applyAuthChoiceVolcengine | typeof applyAuthChoiceBytePlus;
-  };
-
-  async function runProviderAuthChoice(
-    testCase: ProviderAuthCase,
-    options?: {
-      defaultSelect?: string;
-      confirmResult?: boolean;
-      textValue?: string;
-      secretInputMode?: "ref"; // pragma: allowlist secret
-    },
-  ) {
-    const agentDir = await setupTempState();
-    process.env[testCase.envVar] = testCase.envValue;
-
-    const { prompter, runtime } = createTestContext(
-      options?.defaultSelect ?? "plaintext",
-      options?.confirmResult ?? true,
-      options?.textValue ?? "unused",
-    );
-
-    const result = await testCase.applyAuthChoice({
-      authChoice: testCase.authChoice,
-      config: {},
-      prompter,
-      runtime,
-      setDefaultModel: true,
-      ...(options?.secretInputMode ? { opts: { secretInputMode: options.secretInputMode } } : {}),
-    });
-
-    const parsed = await readAuthProfilesForAgent<{
-      profiles?: Record<string, { key?: string; keyRef?: unknown }>;
-    }>(agentDir);
-
-    return { result, parsed };
-  }
-
-  const providerAuthCases: ProviderAuthCase[] = [
-    {
-      provider: "volcengine",
-      authChoice: "volcengine-api-key",
-      envVar: "VOLCANO_ENGINE_API_KEY",
-      envValue: "volc-env-key",
-      profileId: "volcengine:default",
-      applyAuthChoice: applyAuthChoiceVolcengine,
-    },
-    {
-      provider: "byteplus",
-      authChoice: "byteplus-api-key",
-      envVar: "BYTEPLUS_API_KEY",
-      envValue: "byte-env-key",
-      profileId: "byteplus:default",
-      applyAuthChoice: applyAuthChoiceBytePlus,
-    },
-  ];
-
-  afterEach(async () => {
-    await lifecycle.cleanup();
-  });
-
-  it.each(providerAuthCases)(
-    "stores $provider env key as plaintext by default",
-    async (testCase) => {
-      const { result, parsed } = await runProviderAuthChoice(testCase);
-      expect(result).not.toBeNull();
-      expect(result?.config.auth?.profiles?.[testCase.profileId]).toMatchObject({
-        provider: testCase.provider,
-        mode: "api_key",
-      });
-      expect(parsed.profiles?.[testCase.profileId]?.key).toBe(testCase.envValue);
-      expect(parsed.profiles?.[testCase.profileId]?.keyRef).toBeUndefined();
-    },
-  );
-
-  it.each(providerAuthCases)("stores $provider env key as keyRef in ref mode", async (testCase) => {
-    const { result, parsed } = await runProviderAuthChoice(testCase, {
-      defaultSelect: "ref",
-    });
-    expect(result).not.toBeNull();
-    expect(parsed.profiles?.[testCase.profileId]).toMatchObject({
-      keyRef: { source: "env", provider: "default", id: testCase.envVar },
-    });
-    expect(parsed.profiles?.[testCase.profileId]?.key).toBeUndefined();
-  });
-
-  it("stores explicit volcengine key when env is not used", async () => {
-    const { result, parsed } = await runProviderAuthChoice(providerAuthCases[0], {
-      defaultSelect: "",
-      confirmResult: false,
-      textValue: "volc-manual-key",
-    });
-    expect(result).not.toBeNull();
-    expect(parsed.profiles?.["volcengine:default"]?.key).toBe("volc-manual-key");
-    expect(parsed.profiles?.["volcengine:default"]?.keyRef).toBeUndefined();
-  });
-});
diff --git a/src/commands/auth-choice.apply.volcengine.ts b/src/commands/auth-choice.apply.volcengine.ts
deleted file mode 100644
index c98f442ae4e..00000000000
--- a/src/commands/auth-choice.apply.volcengine.ts
+++ /dev/null
@@ -1,46 +0,0 @@
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyPrimaryModel } from "./model-picker.js";
-import { applyAuthProfileConfig, setVolcengineApiKey } from "./onboard-auth.js";
-
-/** Default model for Volcano Engine auth onboarding. */
-export const VOLCENGINE_DEFAULT_MODEL = "volcengine-plan/ark-code-latest";
-
-export async function applyAuthChoiceVolcengine(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  if (params.authChoice !== "volcengine-api-key") {
-    return null;
-  }
-
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-  await ensureApiKeyFromOptionEnvOrPrompt({
-    token: params.opts?.volcengineApiKey,
-    tokenProvider: "volcengine",
-    secretInputMode: requestedSecretInputMode,
-    config: params.config,
-    expectedProviders: ["volcengine"],
-    provider: "volcengine",
-    envLabel: "VOLCANO_ENGINE_API_KEY",
-    promptMessage: "Enter Volcano Engine API key",
-    normalize: normalizeApiKeyInput,
-    validate: validateApiKeyInput,
-    prompter: params.prompter,
-    setCredential: async (apiKey, mode) =>
-      setVolcengineApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-  });
-  const configWithAuth = applyAuthProfileConfig(params.config, {
-    profileId: "volcengine:default",
-    provider: "volcengine",
-    mode: "api_key",
-  });
-  const configWithModel = applyPrimaryModel(configWithAuth, VOLCENGINE_DEFAULT_MODEL);
-  return {
-    config: configWithModel,
-    agentModelOverride: VOLCENGINE_DEFAULT_MODEL,
-  };
-}
diff --git a/src/commands/auth-choice.apply.xai.ts b/src/commands/auth-choice.apply.xai.ts
deleted file mode 100644
index 68e9ac651c3..00000000000
--- a/src/commands/auth-choice.apply.xai.ts
+++ /dev/null
@@ -1,65 +0,0 @@
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  createAuthChoiceAgentModelNoter,
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyDefaultModelChoice } from "./auth-choice.default-model.js";
-import {
-  applyAuthProfileConfig,
-  applyXaiConfig,
-  applyXaiProviderConfig,
-  setXaiApiKey,
-  XAI_DEFAULT_MODEL_REF,
-} from "./onboard-auth.js";
-
-export async function applyAuthChoiceXAI(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  if (params.authChoice !== "xai-api-key") {
-    return null;
-  }
-
-  let nextConfig = params.config;
-  let agentModelOverride: string | undefined;
-  const noteAgentModel = createAuthChoiceAgentModelNoter(params);
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-  await ensureApiKeyFromOptionEnvOrPrompt({
-    token: params.opts?.xaiApiKey,
-    tokenProvider: "xai",
-    secretInputMode: requestedSecretInputMode,
-    config: nextConfig,
-    expectedProviders: ["xai"],
-    provider: "xai",
-    envLabel: "XAI_API_KEY",
-    promptMessage: "Enter xAI API key",
-    normalize: normalizeApiKeyInput,
-    validate: validateApiKeyInput,
-    prompter: params.prompter,
-    setCredential: async (apiKey, mode) =>
-      setXaiApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-  });
-
-  nextConfig = applyAuthProfileConfig(nextConfig, {
-    profileId: "xai:default",
-    provider: "xai",
-    mode: "api_key",
-  });
-  {
-    const applied = await applyDefaultModelChoice({
-      config: nextConfig,
-      setDefaultModel: params.setDefaultModel,
-      defaultModel: XAI_DEFAULT_MODEL_REF,
-      applyDefaultConfig: applyXaiConfig,
-      applyProviderConfig: applyXaiProviderConfig,
-      noteDefault: XAI_DEFAULT_MODEL_REF,
-      noteAgentModel,
-      prompter: params.prompter,
-    });
-    nextConfig = applied.config;
-    agentModelOverride = applied.agentModelOverride ?? agentModelOverride;
-  }
-
-  return { config: nextConfig, agentModelOverride };
-}
diff --git a/src/commands/auth-choice.model-check.ts b/src/commands/auth-choice.model-check.ts
index 975fc3521d3..99d5fae5b9f 100644
--- a/src/commands/auth-choice.model-check.ts
+++ b/src/commands/auth-choice.model-check.ts
@@ -4,7 +4,7 @@ import { loadModelCatalog } from "../agents/model-catalog.js";
 import { resolveDefaultModelForAgent } from "../agents/model-selection.js";
 import type { OpenClawConfig } from "../config/config.js";
 import type { WizardPrompter } from "../wizard/prompts.js";
-import { OPENAI_CODEX_DEFAULT_MODEL } from "./openai-codex-model-default.js";
+import { buildProviderAuthRecoveryHint } from "./provider-auth-guidance.js";
 
 export async function warnIfModelConfigLooksOff(
   config: OpenClawConfig,
@@ -37,19 +37,16 @@ export async function warnIfModelConfigLooksOff(
   const hasCustomKey = hasUsableCustomProviderApiKey(config, ref.provider);
   if (!hasProfile && !envKey && !hasCustomKey) {
     warnings.push(
-      `No auth configured for provider "${ref.provider}". The agent may fail until credentials are added.`,
+      `No auth configured for provider "${ref.provider}". The agent may fail until credentials are added. ${buildProviderAuthRecoveryHint(
+        {
+          provider: ref.provider,
+          config,
+          includeEnvVar: true,
+        },
+      )}`,
     );
   }
 
-  if (ref.provider === "openai") {
-    const hasCodex = listProfilesForProvider(store, "openai-codex").length > 0;
-    if (hasCodex) {
-      warnings.push(
-        `Detected OpenAI Codex OAuth. Consider setting agents.defaults.model to ${OPENAI_CODEX_DEFAULT_MODEL}.`,
-      );
-    }
-  }
-
   if (warnings.length > 0) {
     await prompter.note(warnings.join("\n"), "Model check");
   }
diff --git a/src/commands/auth-choice.preferred-provider.test.ts b/src/commands/auth-choice.preferred-provider.test.ts
new file mode 100644
index 00000000000..6c9aae5f28e
--- /dev/null
+++ b/src/commands/auth-choice.preferred-provider.test.ts
@@ -0,0 +1,71 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const resolveManifestProviderAuthChoice = vi.hoisted(() => vi.fn());
+const resolveProviderPluginChoice = vi.hoisted(() => vi.fn());
+const resolvePluginProviders = vi.hoisted(() => vi.fn(() => []));
+
+vi.mock("../plugins/provider-auth-choices.js", () => ({
+  resolveManifestProviderAuthChoice,
+}));
+
+vi.mock("../plugins/provider-wizard.js", () => ({
+  resolveProviderPluginChoice,
+}));
+
+vi.mock("../plugins/providers.js", () => ({
+  resolvePluginProviders,
+}));
+
+import { resolvePreferredProviderForAuthChoice } from "./auth-choice.preferred-provider.js";
+
+describe("resolvePreferredProviderForAuthChoice", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    resolveManifestProviderAuthChoice.mockReturnValue(undefined);
+    resolvePluginProviders.mockReturnValue([]);
+    resolveProviderPluginChoice.mockReturnValue(null);
+  });
+
+  it("prefers manifest metadata when available", async () => {
+    resolveManifestProviderAuthChoice.mockReturnValue({
+      pluginId: "openai",
+      providerId: "openai",
+      methodId: "api-key",
+      choiceId: "openai-api-key",
+      choiceLabel: "OpenAI API key",
+    });
+
+    await expect(resolvePreferredProviderForAuthChoice({ choice: "openai-api-key" })).resolves.toBe(
+      "openai",
+    );
+    expect(resolvePluginProviders).not.toHaveBeenCalled();
+  });
+
+  it("normalizes legacy auth choices before plugin lookup", async () => {
+    resolveProviderPluginChoice.mockReturnValue({
+      provider: { id: "anthropic", label: "Anthropic", auth: [] },
+      method: { id: "setup-token", label: "setup-token", kind: "token" },
+    });
+
+    await expect(resolvePreferredProviderForAuthChoice({ choice: "claude-cli" })).resolves.toBe(
+      "anthropic",
+    );
+    expect(resolveProviderPluginChoice).toHaveBeenCalledWith(
+      expect.objectContaining({
+        choice: "setup-token",
+      }),
+    );
+    expect(resolvePluginProviders).toHaveBeenCalledWith(
+      expect.objectContaining({
+        bundledProviderAllowlistCompat: true,
+        bundledProviderVitestCompat: true,
+      }),
+    );
+  });
+
+  it("falls back to static core choices when no provider plugin claims the choice", async () => {
+    await expect(resolvePreferredProviderForAuthChoice({ choice: "chutes" })).resolves.toBe(
+      "chutes",
+    );
+  });
+});
diff --git a/src/commands/auth-choice.preferred-provider.ts b/src/commands/auth-choice.preferred-provider.ts
index 49251a88f87..7cab79d2215 100644
--- a/src/commands/auth-choice.preferred-provider.ts
+++ b/src/commands/auth-choice.preferred-provider.ts
@@ -1,54 +1,12 @@
 import type { OpenClawConfig } from "../config/config.js";
+import { resolveManifestProviderAuthChoice } from "../plugins/provider-auth-choices.js";
+import { normalizeLegacyOnboardAuthChoice } from "./auth-choice-legacy.js";
 import type { AuthChoice } from "./onboard-types.js";
 
 const PREFERRED_PROVIDER_BY_AUTH_CHOICE: Partial<Record<AuthChoice, string>> = {
-  oauth: "anthropic",
-  "setup-token": "anthropic",
-  "claude-cli": "anthropic",
-  token: "anthropic",
-  apiKey: "anthropic",
-  "openai-codex": "openai-codex",
-  "codex-cli": "openai-codex",
   chutes: "chutes",
-  "openai-api-key": "openai",
-  "openrouter-api-key": "openrouter",
-  "kilocode-api-key": "kilocode",
-  "ai-gateway-api-key": "vercel-ai-gateway",
-  "cloudflare-ai-gateway-api-key": "cloudflare-ai-gateway",
-  "moonshot-api-key": "moonshot",
-  "moonshot-api-key-cn": "moonshot",
-  "kimi-code-api-key": "kimi-coding",
-  "gemini-api-key": "google",
-  "google-gemini-cli": "google-gemini-cli",
-  "mistral-api-key": "mistral",
-  ollama: "ollama",
-  sglang: "sglang",
-  "zai-api-key": "zai",
-  "zai-coding-global": "zai",
-  "zai-coding-cn": "zai",
-  "zai-global": "zai",
-  "zai-cn": "zai",
-  "xiaomi-api-key": "xiaomi",
-  "synthetic-api-key": "synthetic",
-  "venice-api-key": "venice",
-  "together-api-key": "together",
-  "huggingface-api-key": "huggingface",
-  "github-copilot": "github-copilot",
-  "copilot-proxy": "copilot-proxy",
-  "minimax-global-oauth": "minimax-portal",
-  "minimax-global-api": "minimax",
-  "minimax-cn-oauth": "minimax-portal",
-  "minimax-cn-api": "minimax",
-  "opencode-zen": "opencode",
-  "opencode-go": "opencode-go",
-  "xai-api-key": "xai",
   "litellm-api-key": "litellm",
-  "qwen-portal": "qwen-portal",
-  "volcengine-api-key": "volcengine",
-  "byteplus-api-key": "byteplus",
-  "qianfan-api-key": "qianfan",
   "custom-api-key": "custom",
-  vllm: "vllm",
 };
 
 export async function resolvePreferredProviderForAuthChoice(params: {
@@ -57,11 +15,11 @@ export async function resolvePreferredProviderForAuthChoice(params: {
   workspaceDir?: string;
   env?: NodeJS.ProcessEnv;
 }): Promise<string | undefined> {
-  const preferred = PREFERRED_PROVIDER_BY_AUTH_CHOICE[params.choice];
-  if (preferred) {
-    return preferred;
+  const choice = normalizeLegacyOnboardAuthChoice(params.choice) ?? params.choice;
+  const manifestResolved = resolveManifestProviderAuthChoice(choice, params);
+  if (manifestResolved) {
+    return manifestResolved.providerId;
   }
-
   const [{ resolveProviderPluginChoice }, { resolvePluginProviders }] = await Promise.all([
     import("../plugins/provider-wizard.js"),
     import("../plugins/providers.js"),
@@ -70,9 +28,20 @@ export async function resolvePreferredProviderForAuthChoice(params: {
     config: params.config,
     workspaceDir: params.workspaceDir,
     env: params.env,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
   });
-  return resolveProviderPluginChoice({
+  const pluginResolved = resolveProviderPluginChoice({
     providers,
-    choice: params.choice,
-  })?.provider.id;
+    choice,
+  });
+  if (pluginResolved) {
+    return pluginResolved.provider.id;
+  }
+
+  const preferred = PREFERRED_PROVIDER_BY_AUTH_CHOICE[choice];
+  if (preferred) {
+    return preferred;
+  }
+  return undefined;
 }
diff --git a/src/commands/auth-choice.test.ts b/src/commands/auth-choice.test.ts
index e74c0e1c31f..f6ca9d29332 100644
--- a/src/commands/auth-choice.test.ts
+++ b/src/commands/auth-choice.test.ts
@@ -1,7 +1,33 @@
 import fs from "node:fs/promises";
 import type { OAuthCredentials } from "@mariozechner/pi-ai";
 import { afterEach, describe, expect, it, vi } from "vitest";
+import anthropicPlugin from "../../extensions/anthropic/index.js";
+import cloudflareAiGatewayPlugin from "../../extensions/cloudflare-ai-gateway/index.js";
+import googlePlugin from "../../extensions/google/index.js";
+import huggingfacePlugin from "../../extensions/huggingface/index.js";
+import kimiCodingPlugin from "../../extensions/kimi-coding/index.js";
+import minimaxPlugin from "../../extensions/minimax/index.js";
+import mistralPlugin from "../../extensions/mistral/index.js";
+import moonshotPlugin from "../../extensions/moonshot/index.js";
+import ollamaPlugin from "../../extensions/ollama/index.js";
+import openAIPlugin from "../../extensions/openai/index.js";
+import opencodeGoPlugin from "../../extensions/opencode-go/index.js";
+import opencodePlugin from "../../extensions/opencode/index.js";
+import openrouterPlugin from "../../extensions/openrouter/index.js";
+import qianfanPlugin from "../../extensions/qianfan/index.js";
+import qwenPortalAuthPlugin from "../../extensions/qwen-portal-auth/index.js";
+import syntheticPlugin from "../../extensions/synthetic/index.js";
+import togetherPlugin from "../../extensions/together/index.js";
+import venicePlugin from "../../extensions/venice/index.js";
+import vercelAiGatewayPlugin from "../../extensions/vercel-ai-gateway/index.js";
+import xaiPlugin from "../../extensions/xai/index.js";
+import xiaomiPlugin from "../../extensions/xiaomi/index.js";
+import { setDetectZaiEndpointForTesting } from "../../extensions/zai/detect.js";
+import zaiPlugin from "../../extensions/zai/index.js";
+import { resolveAgentDir } from "../agents/agent-scope.js";
 import { resolveAgentModelPrimaryValue } from "../config/model-input.js";
+import type { ProviderPlugin } from "../plugins/types.js";
+import { createCapturedPluginRegistration } from "../test-utils/plugin-registration.js";
 import type { WizardPrompter } from "../wizard/prompts.js";
 import { applyAuthChoice, resolvePreferredProviderForAuthChoice } from "./auth-choice.js";
 import { GOOGLE_GEMINI_DEFAULT_MODEL } from "./google-gemini-model-default.js";
@@ -34,7 +60,7 @@ vi.mock("./openai-codex-oauth.js", () => ({
   loginOpenAICodexOAuth,
 }));
 
-const resolvePluginProviders = vi.hoisted(() => vi.fn(() => []));
+const resolvePluginProviders = vi.hoisted(() => vi.fn<() => ProviderPlugin[]>(() => []));
 vi.mock("../plugins/providers.js", () => ({
   resolvePluginProviders,
 }));
@@ -55,6 +81,37 @@ type StoredAuthProfile = {
   metadata?: Record<string, string>;
 };
 
+function createDefaultProviderPlugins() {
+  const captured = createCapturedPluginRegistration();
+  for (const plugin of [
+    anthropicPlugin,
+    cloudflareAiGatewayPlugin,
+    googlePlugin,
+    huggingfacePlugin,
+    kimiCodingPlugin,
+    minimaxPlugin,
+    mistralPlugin,
+    moonshotPlugin,
+    ollamaPlugin,
+    openAIPlugin,
+    opencodeGoPlugin,
+    opencodePlugin,
+    openrouterPlugin,
+    qianfanPlugin,
+    qwenPortalAuthPlugin,
+    syntheticPlugin,
+    togetherPlugin,
+    venicePlugin,
+    vercelAiGatewayPlugin,
+    xaiPlugin,
+    xiaomiPlugin,
+    zaiPlugin,
+  ]) {
+    plugin.register(captured.api);
+  }
+  return captured.providers;
+}
+
 describe("applyAuthChoice", () => {
   const lifecycle = createAuthTestLifecycle([
     "OPENCLAW_STATE_DIR",
@@ -127,18 +184,44 @@ describe("applyAuthChoice", () => {
   afterEach(async () => {
     vi.unstubAllGlobals();
     resolvePluginProviders.mockReset();
+    resolvePluginProviders.mockReturnValue(createDefaultProviderPlugins());
     detectZaiEndpoint.mockReset();
     detectZaiEndpoint.mockResolvedValue(null);
+    setDetectZaiEndpointForTesting(detectZaiEndpoint);
     loginOpenAICodexOAuth.mockReset();
     loginOpenAICodexOAuth.mockResolvedValue(null);
     await lifecycle.cleanup();
     activeStateDir = null;
   });
 
+  setDetectZaiEndpointForTesting(detectZaiEndpoint);
+  resolvePluginProviders.mockReturnValue(createDefaultProviderPlugins());
+
   it("does not throw when openai-codex oauth fails", async () => {
     await setupTempState();
 
     loginOpenAICodexOAuth.mockRejectedValueOnce(new Error("oauth failed"));
+    resolvePluginProviders.mockReturnValue([
+      {
+        id: "openai-codex",
+        label: "OpenAI Codex",
+        auth: [
+          {
+            id: "oauth",
+            label: "ChatGPT OAuth",
+            kind: "oauth",
+            run: vi.fn(async () => {
+              try {
+                await loginOpenAICodexOAuth();
+              } catch {
+                return { profiles: [] };
+              }
+              return { profiles: [] };
+            }),
+          },
+        ],
+      },
+    ] as never);
 
     const prompter = createPrompter({});
     const runtime = createExitThrowingRuntime();
@@ -163,6 +246,41 @@ describe("applyAuthChoice", () => {
       access: "access-token",
       expires: Date.now() + 60_000,
     });
+    resolvePluginProviders.mockReturnValue([
+      {
+        id: "openai-codex",
+        label: "OpenAI Codex",
+        auth: [
+          {
+            id: "oauth",
+            label: "ChatGPT OAuth",
+            kind: "oauth",
+            run: vi.fn(async () => {
+              const creds = await loginOpenAICodexOAuth();
+              if (!creds) {
+                return { profiles: [] };
+              }
+              return {
+                profiles: [
+                  {
+                    profileId: "openai-codex:user@example.com",
+                    credential: {
+                      type: "oauth",
+                      provider: "openai-codex",
+                      refresh: "refresh-token",
+                      access: "access-token",
+                      expires: creds.expires,
+                      email: "user@example.com",
+                    },
+                  },
+                ],
+                defaultModel: "openai-codex/gpt-5.4",
+              };
+            }),
+          },
+        ],
+      },
+    ] as never);
 
     const prompter = createPrompter({});
     const runtime = createExitThrowingRuntime();
@@ -896,10 +1014,22 @@ describe("applyAuthChoice", () => {
           provider: scenario.profileProvider,
           mode: "api_key",
         });
-        expect((await readAuthProfile(scenario.profileId))?.key).toBe(scenario.token);
+        const profileStore =
+          scenario.agentId && scenario.agentId !== "default"
+            ? await readAuthProfilesForAgent<{ profiles?: Record<string, StoredAuthProfile> }>(
+                resolveAgentDir(result.config, scenario.agentId),
+              )
+            : await readAuthProfiles();
+        expect(profileStore.profiles?.[scenario.profileId]?.key).toBe(scenario.token);
       }
       if (scenario.extraProfileId) {
-        expect((await readAuthProfile(scenario.extraProfileId))?.key).toBe(scenario.token);
+        const profileStore =
+          scenario.agentId && scenario.agentId !== "default"
+            ? await readAuthProfilesForAgent<{ profiles?: Record<string, StoredAuthProfile> }>(
+                resolveAgentDir(result.config, scenario.agentId),
+              )
+            : await readAuthProfiles();
+        expect(profileStore.profiles?.[scenario.extraProfileId]?.key).toBe(scenario.token);
       }
       if (scenario.expectProviderConfigUndefined) {
         expect(
@@ -912,6 +1042,33 @@ describe("applyAuthChoice", () => {
   it("sets default model when selecting github-copilot", async () => {
     await setupTempState();
 
+    resolvePluginProviders.mockReturnValue([
+      {
+        id: "github-copilot",
+        label: "GitHub Copilot",
+        auth: [
+          {
+            id: "device",
+            label: "GitHub device login",
+            kind: "device_code",
+            run: vi.fn(async () => ({
+              profiles: [
+                {
+                  profileId: "github-copilot:github",
+                  credential: {
+                    type: "token",
+                    provider: "github-copilot",
+                    token: "github-device-token",
+                  },
+                },
+              ],
+              defaultModel: "github-copilot/gpt-4o",
+            })),
+          },
+        ],
+      },
+    ] as never);
+
     const prompter = createPrompter({});
     const runtime = createExitThrowingRuntime();
 
@@ -1284,6 +1441,7 @@ describe("applyAuthChoice", () => {
               id: scenario.authId,
               label: scenario.authLabel,
               kind: "device_code",
+              wizard: { choiceId: scenario.authChoice },
               run: vi.fn(async () => ({
                 profiles: [
                   {
diff --git a/src/commands/channel-account-context.test.ts b/src/commands/channel-account-context.test.ts
index 9fdaadb5231..4cdbde4d7e2 100644
--- a/src/commands/channel-account-context.test.ts
+++ b/src/commands/channel-account-context.test.ts
@@ -21,6 +21,8 @@ describe("resolveDefaultChannelAccountContext", () => {
     expect(result.account).toBe(account);
     expect(result.enabled).toBe(true);
     expect(result.configured).toBe(true);
+    expect(result.diagnostics).toEqual([]);
+    expect(result.degraded).toBe(false);
   });
 
   it("uses plugin enable/configure hooks", async () => {
@@ -43,5 +45,70 @@ describe("resolveDefaultChannelAccountContext", () => {
     expect(isConfigured).toHaveBeenCalledWith(account, {});
     expect(result.enabled).toBe(false);
     expect(result.configured).toBe(false);
+    expect(result.diagnostics).toEqual([]);
+    expect(result.degraded).toBe(false);
+  });
+
+  it("keeps strict mode fail-closed when resolveAccount throws", async () => {
+    const plugin = {
+      id: "demo",
+      config: {
+        listAccountIds: () => ["acc-err"],
+        resolveAccount: () => {
+          throw new Error("missing secret");
+        },
+      },
+    } as unknown as ChannelPlugin;
+
+    await expect(resolveDefaultChannelAccountContext(plugin, {} as OpenClawConfig)).rejects.toThrow(
+      /missing secret/i,
+    );
+  });
+
+  it("degrades safely in read_only mode when resolveAccount throws", async () => {
+    const plugin = {
+      id: "demo",
+      config: {
+        listAccountIds: () => ["acc-err"],
+        resolveAccount: () => {
+          throw new Error("missing secret");
+        },
+      },
+    } as unknown as ChannelPlugin;
+
+    const result = await resolveDefaultChannelAccountContext(plugin, {} as OpenClawConfig, {
+      mode: "read_only",
+      commandName: "status",
+    });
+
+    expect(result.enabled).toBe(false);
+    expect(result.configured).toBe(false);
+    expect(result.degraded).toBe(true);
+    expect(result.diagnostics.some((entry) => entry.includes("failed to resolve account"))).toBe(
+      true,
+    );
+  });
+
+  it("prefers inspectAccount in read_only mode", async () => {
+    const inspectAccount = vi.fn(() => ({ configured: true, enabled: true }));
+    const resolveAccount = vi.fn(() => ({ configured: false, enabled: false }));
+    const plugin = {
+      id: "demo",
+      config: {
+        listAccountIds: () => ["acc-1"],
+        inspectAccount,
+        resolveAccount,
+      },
+    } as unknown as ChannelPlugin;
+
+    const result = await resolveDefaultChannelAccountContext(plugin, {} as OpenClawConfig, {
+      mode: "read_only",
+    });
+
+    expect(inspectAccount).toHaveBeenCalled();
+    expect(resolveAccount).not.toHaveBeenCalled();
+    expect(result.enabled).toBe(true);
+    expect(result.configured).toBe(true);
+    expect(result.degraded).toBe(true);
   });
 });
diff --git a/src/commands/channel-account-context.ts b/src/commands/channel-account-context.ts
index 36ce8c53e72..a9f12974b06 100644
--- a/src/commands/channel-account-context.ts
+++ b/src/commands/channel-account-context.ts
@@ -1,6 +1,8 @@
 import { resolveChannelDefaultAccountId } from "../channels/plugins/helpers.js";
 import type { ChannelPlugin } from "../channels/plugins/types.js";
+import { inspectReadOnlyChannelAccount } from "../channels/read-only-account-inspect.js";
 import type { OpenClawConfig } from "../config/config.js";
+import { formatErrorMessage } from "../infra/errors.js";
 
 export type ChannelDefaultAccountContext = {
   accountIds: string[];
@@ -8,22 +10,154 @@ export type ChannelDefaultAccountContext = {
   account: unknown;
   enabled: boolean;
   configured: boolean;
+  diagnostics: string[];
+  /**
+   * Indicates read-only resolution was used instead of strict full-account resolution.
+   * This is expected for read_only mode and does not necessarily mean an error occurred.
+   */
+  degraded: boolean;
 };
 
+export type ChannelAccountContextMode = "strict" | "read_only";
+
+function asRecord(value: unknown): Record<string, unknown> | null {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return null;
+  }
+  return value as Record<string, unknown>;
+}
+
+function getBooleanField(value: unknown, key: string): boolean | undefined {
+  const record = asRecord(value);
+  if (!record) {
+    return undefined;
+  }
+  return typeof record[key] === "boolean" ? record[key] : undefined;
+}
+
+function formatContextDiagnostic(params: {
+  commandName?: string;
+  pluginId: string;
+  accountId: string;
+  message: string;
+}): string {
+  const prefix = params.commandName ? `${params.commandName}: ` : "";
+  return `${prefix}channels.${params.pluginId}.accounts.${params.accountId}: ${params.message}`;
+}
+
 export async function resolveDefaultChannelAccountContext(
   plugin: ChannelPlugin,
   cfg: OpenClawConfig,
+  options?: { mode?: ChannelAccountContextMode; commandName?: string },
 ): Promise<ChannelDefaultAccountContext> {
+  const mode = options?.mode ?? "strict";
   const accountIds = plugin.config.listAccountIds(cfg);
   const defaultAccountId = resolveChannelDefaultAccountId({
     plugin,
     cfg,
     accountIds,
   });
-  const account = plugin.config.resolveAccount(cfg, defaultAccountId);
-  const enabled = plugin.config.isEnabled ? plugin.config.isEnabled(account, cfg) : true;
-  const configured = plugin.config.isConfigured
-    ? await plugin.config.isConfigured(account, cfg)
-    : true;
-  return { accountIds, defaultAccountId, account, enabled, configured };
+  if (mode === "strict") {
+    const account = plugin.config.resolveAccount(cfg, defaultAccountId);
+    const enabled = plugin.config.isEnabled ? plugin.config.isEnabled(account, cfg) : true;
+    const configured = plugin.config.isConfigured
+      ? await plugin.config.isConfigured(account, cfg)
+      : true;
+    return {
+      accountIds,
+      defaultAccountId,
+      account,
+      enabled,
+      configured,
+      diagnostics: [],
+      degraded: false,
+    };
+  }
+
+  const diagnostics: string[] = [];
+  let degraded = false;
+
+  const inspected =
+    plugin.config.inspectAccount?.(cfg, defaultAccountId) ??
+    (await inspectReadOnlyChannelAccount({
+      channelId: plugin.id,
+      cfg,
+      accountId: defaultAccountId,
+    }));
+
+  let account = inspected;
+  if (!account) {
+    try {
+      account = plugin.config.resolveAccount(cfg, defaultAccountId);
+    } catch (error) {
+      degraded = true;
+      diagnostics.push(
+        formatContextDiagnostic({
+          commandName: options?.commandName,
+          pluginId: plugin.id,
+          accountId: defaultAccountId,
+          message: `failed to resolve account (${formatErrorMessage(error)}); skipping read-only checks.`,
+        }),
+      );
+      return {
+        accountIds,
+        defaultAccountId,
+        account: {},
+        enabled: false,
+        configured: false,
+        diagnostics,
+        degraded,
+      };
+    }
+  } else {
+    degraded = true;
+  }
+
+  const inspectEnabled = getBooleanField(account, "enabled");
+  let enabled = inspectEnabled ?? true;
+  if (inspectEnabled === undefined && plugin.config.isEnabled) {
+    try {
+      enabled = plugin.config.isEnabled(account, cfg);
+    } catch (error) {
+      degraded = true;
+      enabled = false;
+      diagnostics.push(
+        formatContextDiagnostic({
+          commandName: options?.commandName,
+          pluginId: plugin.id,
+          accountId: defaultAccountId,
+          message: `failed to evaluate enabled state (${formatErrorMessage(error)}); treating as disabled.`,
+        }),
+      );
+    }
+  }
+
+  const inspectConfigured = getBooleanField(account, "configured");
+  let configured = inspectConfigured ?? true;
+  if (inspectConfigured === undefined && plugin.config.isConfigured) {
+    try {
+      configured = await plugin.config.isConfigured(account, cfg);
+    } catch (error) {
+      degraded = true;
+      configured = false;
+      diagnostics.push(
+        formatContextDiagnostic({
+          commandName: options?.commandName,
+          pluginId: plugin.id,
+          accountId: defaultAccountId,
+          message: `failed to evaluate configured state (${formatErrorMessage(error)}); treating as unconfigured.`,
+        }),
+      );
+    }
+  }
+
+  return {
+    accountIds,
+    defaultAccountId,
+    account,
+    enabled,
+    configured,
+    diagnostics,
+    degraded,
+  };
 }
diff --git a/src/commands/channel-setup/discovery.ts b/src/commands/channel-setup/discovery.ts
new file mode 100644
index 00000000000..8ae5f16f800
--- /dev/null
+++ b/src/commands/channel-setup/discovery.ts
@@ -0,0 +1,108 @@
+import { resolveAgentWorkspaceDir, resolveDefaultAgentId } from "../../agents/agent-scope.js";
+import {
+  listChannelPluginCatalogEntries,
+  type ChannelPluginCatalogEntry,
+} from "../../channels/plugins/catalog.js";
+import type { ChannelMeta, ChannelPlugin } from "../../channels/plugins/types.js";
+import { listChatChannels } from "../../channels/registry.js";
+import type { OpenClawConfig } from "../../config/config.js";
+import { loadPluginManifestRegistry } from "../../plugins/manifest-registry.js";
+import type { ChannelChoice } from "../onboard-types.js";
+
+type ChannelCatalogEntry = {
+  id: ChannelChoice;
+  meta: ChannelMeta;
+};
+
+export type ResolvedChannelSetupEntries = {
+  entries: ChannelCatalogEntry[];
+  installedCatalogEntries: ChannelPluginCatalogEntry[];
+  installableCatalogEntries: ChannelPluginCatalogEntry[];
+  installedCatalogById: Map<ChannelChoice, ChannelPluginCatalogEntry>;
+  installableCatalogById: Map<ChannelChoice, ChannelPluginCatalogEntry>;
+};
+
+function resolveWorkspaceDir(cfg: OpenClawConfig, workspaceDir?: string): string | undefined {
+  return workspaceDir ?? resolveAgentWorkspaceDir(cfg, resolveDefaultAgentId(cfg));
+}
+
+export function listManifestInstalledChannelIds(params: {
+  cfg: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}): Set<ChannelChoice> {
+  const workspaceDir = resolveWorkspaceDir(params.cfg, params.workspaceDir);
+  return new Set(
+    loadPluginManifestRegistry({
+      config: params.cfg,
+      workspaceDir,
+      env: params.env ?? process.env,
+    }).plugins.flatMap((plugin) => plugin.channels as ChannelChoice[]),
+  );
+}
+
+export function isCatalogChannelInstalled(params: {
+  cfg: OpenClawConfig;
+  entry: ChannelPluginCatalogEntry;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}): boolean {
+  return listManifestInstalledChannelIds(params).has(params.entry.id as ChannelChoice);
+}
+
+export function resolveChannelSetupEntries(params: {
+  cfg: OpenClawConfig;
+  installedPlugins: ChannelPlugin[];
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}): ResolvedChannelSetupEntries {
+  const workspaceDir = resolveWorkspaceDir(params.cfg, params.workspaceDir);
+  const manifestInstalledIds = listManifestInstalledChannelIds({
+    cfg: params.cfg,
+    workspaceDir,
+    env: params.env,
+  });
+  const installedPluginIds = new Set(params.installedPlugins.map((plugin) => plugin.id));
+  const catalogEntries = listChannelPluginCatalogEntries({ workspaceDir });
+  const installedCatalogEntries = catalogEntries.filter(
+    (entry) =>
+      !installedPluginIds.has(entry.id) && manifestInstalledIds.has(entry.id as ChannelChoice),
+  );
+  const installableCatalogEntries = catalogEntries.filter(
+    (entry) =>
+      !installedPluginIds.has(entry.id) && !manifestInstalledIds.has(entry.id as ChannelChoice),
+  );
+
+  const metaById = new Map<string, ChannelMeta>();
+  for (const meta of listChatChannels()) {
+    metaById.set(meta.id, meta);
+  }
+  for (const plugin of params.installedPlugins) {
+    metaById.set(plugin.id, plugin.meta);
+  }
+  for (const entry of installedCatalogEntries) {
+    if (!metaById.has(entry.id)) {
+      metaById.set(entry.id, entry.meta);
+    }
+  }
+  for (const entry of installableCatalogEntries) {
+    if (!metaById.has(entry.id)) {
+      metaById.set(entry.id, entry.meta);
+    }
+  }
+
+  return {
+    entries: Array.from(metaById, ([id, meta]) => ({
+      id: id as ChannelChoice,
+      meta,
+    })),
+    installedCatalogEntries,
+    installableCatalogEntries,
+    installedCatalogById: new Map(
+      installedCatalogEntries.map((entry) => [entry.id as ChannelChoice, entry]),
+    ),
+    installableCatalogById: new Map(
+      installableCatalogEntries.map((entry) => [entry.id as ChannelChoice, entry]),
+    ),
+  };
+}
diff --git a/src/commands/onboarding/plugin-install.test.ts b/src/commands/channel-setup/plugin-install.test.ts
similarity index 89%
rename from src/commands/onboarding/plugin-install.test.ts
rename to src/commands/channel-setup/plugin-install.test.ts
index d2c55d330c7..056b2709891 100644
--- a/src/commands/onboarding/plugin-install.test.ts
+++ b/src/commands/channel-setup/plugin-install.test.ts
@@ -61,12 +61,12 @@ import { loadOpenClawPlugins } from "../../plugins/loader.js";
 import { createEmptyPluginRegistry } from "../../plugins/registry.js";
 import { setActivePluginRegistry } from "../../plugins/runtime.js";
 import type { WizardPrompter } from "../../wizard/prompts.js";
-import { makePrompter, makeRuntime } from "./__tests__/test-utils.js";
+import { makePrompter, makeRuntime } from "../setup/__tests__/test-utils.js";
 import {
-  ensureOnboardingPluginInstalled,
-  loadOnboardingPluginRegistrySnapshotForChannel,
-  reloadOnboardingPluginRegistry,
-  reloadOnboardingPluginRegistryForChannel,
+  ensureChannelSetupPluginInstalled,
+  loadChannelSetupPluginRegistrySnapshotForChannel,
+  reloadChannelSetupPluginRegistry,
+  reloadChannelSetupPluginRegistryForChannel,
 } from "./plugin-install.js";
 
 const baseEntry: ChannelPluginCatalogEntry = {
@@ -106,7 +106,7 @@ async function runInitialValueForChannel(channel: "dev" | "beta") {
   const cfg: OpenClawConfig = { update: { channel } };
   mockRepoLocalPathExists();
 
-  await ensureOnboardingPluginInstalled({
+  await ensureChannelSetupPluginInstalled({
     cfg,
     entry: baseEntry,
     prompter,
@@ -118,14 +118,14 @@ async function runInitialValueForChannel(channel: "dev" | "beta") {
 }
 
 function expectPluginLoadedFromLocalPath(
-  result: Awaited<ReturnType<typeof ensureOnboardingPluginInstalled>>,
+  result: Awaited<ReturnType<typeof ensureChannelSetupPluginInstalled>>,
 ) {
   const expectedPath = path.resolve(process.cwd(), "extensions/zalo");
   expect(result.installed).toBe(true);
   expect(result.cfg.plugins?.load?.paths).toContain(expectedPath);
 }
 
-describe("ensureOnboardingPluginInstalled", () => {
+describe("ensureChannelSetupPluginInstalled", () => {
   it("installs from npm and enables the plugin", async () => {
     const runtime = makeRuntime();
     const prompter = makePrompter({
@@ -140,7 +140,7 @@ describe("ensureOnboardingPluginInstalled", () => {
       extensions: [],
     });
 
-    const result = await ensureOnboardingPluginInstalled({
+    const result = await ensureChannelSetupPluginInstalled({
       cfg,
       entry: baseEntry,
       prompter,
@@ -166,7 +166,7 @@ describe("ensureOnboardingPluginInstalled", () => {
     const cfg: OpenClawConfig = {};
     mockRepoLocalPathExists();
 
-    const result = await ensureOnboardingPluginInstalled({
+    const result = await ensureChannelSetupPluginInstalled({
       cfg,
       entry: baseEntry,
       prompter,
@@ -185,7 +185,7 @@ describe("ensureOnboardingPluginInstalled", () => {
     const cfg: OpenClawConfig = {};
     mockRepoLocalPathExists();
 
-    const result = await ensureOnboardingPluginInstalled({
+    const result = await ensureChannelSetupPluginInstalled({
       cfg,
       entry: {
         ...baseEntry,
@@ -228,7 +228,7 @@ describe("ensureOnboardingPluginInstalled", () => {
       ]),
     );
 
-    await ensureOnboardingPluginInstalled({
+    await ensureChannelSetupPluginInstalled({
       cfg,
       entry: baseEntry,
       prompter,
@@ -264,7 +264,7 @@ describe("ensureOnboardingPluginInstalled", () => {
       error: "nope",
     });
 
-    const result = await ensureOnboardingPluginInstalled({
+    const result = await ensureChannelSetupPluginInstalled({
       cfg,
       entry: baseEntry,
       prompter,
@@ -276,11 +276,11 @@ describe("ensureOnboardingPluginInstalled", () => {
     expect(runtime.error).not.toHaveBeenCalled();
   });
 
-  it("clears discovery cache before reloading the onboarding plugin registry", () => {
+  it("clears discovery cache before reloading the setup plugin registry", () => {
     const runtime = makeRuntime();
     const cfg: OpenClawConfig = {};
 
-    reloadOnboardingPluginRegistry({
+    reloadChannelSetupPluginRegistry({
       cfg,
       runtime,
       workspaceDir: "/tmp/openclaw-workspace",
@@ -292,6 +292,7 @@ describe("ensureOnboardingPluginInstalled", () => {
         config: cfg,
         workspaceDir: "/tmp/openclaw-workspace",
         cache: false,
+        includeSetupOnlyChannelPlugins: true,
       }),
     );
     expect(clearPluginDiscoveryCache.mock.invocationCallOrder[0]).toBeLessThan(
@@ -299,11 +300,11 @@ describe("ensureOnboardingPluginInstalled", () => {
     );
   });
 
-  it("scopes channel reloads when onboarding starts from an empty registry", () => {
+  it("scopes channel reloads when setup starts from an empty registry", () => {
     const runtime = makeRuntime();
     const cfg: OpenClawConfig = {};
 
-    reloadOnboardingPluginRegistryForChannel({
+    reloadChannelSetupPluginRegistryForChannel({
       cfg,
       runtime,
       channel: "telegram",
@@ -316,6 +317,7 @@ describe("ensureOnboardingPluginInstalled", () => {
         workspaceDir: "/tmp/openclaw-workspace",
         cache: false,
         onlyPluginIds: ["telegram"],
+        includeSetupOnlyChannelPlugins: true,
       }),
     );
   });
@@ -335,6 +337,7 @@ describe("ensureOnboardingPluginInstalled", () => {
       hookNames: [],
       channelIds: [],
       providerIds: [],
+      webSearchProviderIds: [],
       gatewayMethods: [],
       cliCommands: [],
       services: [],
@@ -345,7 +348,7 @@ describe("ensureOnboardingPluginInstalled", () => {
     });
     setActivePluginRegistry(registry);
 
-    reloadOnboardingPluginRegistryForChannel({
+    reloadChannelSetupPluginRegistryForChannel({
       cfg,
       runtime,
       channel: "telegram",
@@ -363,7 +366,7 @@ describe("ensureOnboardingPluginInstalled", () => {
     const runtime = makeRuntime();
     const cfg: OpenClawConfig = {};
 
-    loadOnboardingPluginRegistrySnapshotForChannel({
+    loadChannelSetupPluginRegistrySnapshotForChannel({
       cfg,
       runtime,
       channel: "telegram",
@@ -376,6 +379,7 @@ describe("ensureOnboardingPluginInstalled", () => {
         workspaceDir: "/tmp/openclaw-workspace",
         cache: false,
         onlyPluginIds: ["telegram"],
+        includeSetupOnlyChannelPlugins: true,
         activate: false,
       }),
     );
@@ -385,7 +389,7 @@ describe("ensureOnboardingPluginInstalled", () => {
     const runtime = makeRuntime();
     const cfg: OpenClawConfig = {};
 
-    loadOnboardingPluginRegistrySnapshotForChannel({
+    loadChannelSetupPluginRegistrySnapshotForChannel({
       cfg,
       runtime,
       channel: "msteams",
@@ -399,6 +403,7 @@ describe("ensureOnboardingPluginInstalled", () => {
         workspaceDir: "/tmp/openclaw-workspace",
         cache: false,
         onlyPluginIds: ["@openclaw/msteams-plugin"],
+        includeSetupOnlyChannelPlugins: true,
         activate: false,
       }),
     );
diff --git a/src/commands/onboarding/plugin-install.ts b/src/commands/channel-setup/plugin-install.ts
similarity index 94%
rename from src/commands/onboarding/plugin-install.ts
rename to src/commands/channel-setup/plugin-install.ts
index 31f5ec1d64d..ff4e03c5128 100644
--- a/src/commands/onboarding/plugin-install.ts
+++ b/src/commands/channel-setup/plugin-install.ts
@@ -139,7 +139,7 @@ function resolveInstallDefaultChoice(params: {
   return localPath ? "local" : "npm";
 }
 
-export async function ensureOnboardingPluginInstalled(params: {
+export async function ensureChannelSetupPluginInstalled(params: {
   cfg: OpenClawConfig;
   entry: ChannelPluginCatalogEntry;
   prompter: WizardPrompter;
@@ -225,15 +225,15 @@ export async function ensureOnboardingPluginInstalled(params: {
   return { cfg: next, installed: false };
 }
 
-export function reloadOnboardingPluginRegistry(params: {
+export function reloadChannelSetupPluginRegistry(params: {
   cfg: OpenClawConfig;
   runtime: RuntimeEnv;
   workspaceDir?: string;
 }): void {
-  loadOnboardingPluginRegistry(params);
+  loadChannelSetupPluginRegistry(params);
 }
 
-function loadOnboardingPluginRegistry(params: {
+function loadChannelSetupPluginRegistry(params: {
   cfg: OpenClawConfig;
   runtime: RuntimeEnv;
   workspaceDir?: string;
@@ -250,11 +250,12 @@ function loadOnboardingPluginRegistry(params: {
     cache: false,
     logger: createPluginLoaderLogger(log),
     onlyPluginIds: params.onlyPluginIds,
+    includeSetupOnlyChannelPlugins: true,
     activate: params.activate,
   });
 }
 
-export function reloadOnboardingPluginRegistryForChannel(params: {
+export function reloadChannelSetupPluginRegistryForChannel(params: {
   cfg: OpenClawConfig;
   runtime: RuntimeEnv;
   channel: string;
@@ -263,24 +264,24 @@ export function reloadOnboardingPluginRegistryForChannel(params: {
 }): void {
   const activeRegistry = getActivePluginRegistry();
   // On low-memory hosts, the empty-registry fallback should only recover the selected
-  // plugin instead of importing every bundled extension during onboarding.
+  // plugin instead of importing every bundled extension during setup.
   const onlyPluginIds = activeRegistry?.plugins.length
     ? undefined
     : [params.pluginId ?? params.channel];
-  loadOnboardingPluginRegistry({
+  loadChannelSetupPluginRegistry({
     ...params,
     onlyPluginIds,
   });
 }
 
-export function loadOnboardingPluginRegistrySnapshotForChannel(params: {
+export function loadChannelSetupPluginRegistrySnapshotForChannel(params: {
   cfg: OpenClawConfig;
   runtime: RuntimeEnv;
   channel: string;
   pluginId?: string;
   workspaceDir?: string;
 }): PluginRegistry {
-  return loadOnboardingPluginRegistry({
+  return loadChannelSetupPluginRegistry({
     ...params,
     onlyPluginIds: [params.pluginId ?? params.channel],
     activate: false,
diff --git a/src/commands/channel-setup/registry.ts b/src/commands/channel-setup/registry.ts
new file mode 100644
index 00000000000..a2f72f63343
--- /dev/null
+++ b/src/commands/channel-setup/registry.ts
@@ -0,0 +1,47 @@
+import { listChannelSetupPlugins } from "../../channels/plugins/setup-registry.js";
+import { buildChannelSetupWizardAdapterFromSetupWizard } from "../../channels/plugins/setup-wizard.js";
+import type { ChannelPlugin } from "../../channels/plugins/types.js";
+import type { ChannelChoice } from "../onboard-types.js";
+import type { ChannelSetupWizardAdapter } from "./types.js";
+
+const setupWizardAdapters = new WeakMap<object, ChannelSetupWizardAdapter>();
+
+export function resolveChannelSetupWizardAdapterForPlugin(
+  plugin?: ChannelPlugin,
+): ChannelSetupWizardAdapter | undefined {
+  if (plugin?.setupWizard) {
+    const cached = setupWizardAdapters.get(plugin);
+    if (cached) {
+      return cached;
+    }
+    const adapter = buildChannelSetupWizardAdapterFromSetupWizard({
+      plugin,
+      wizard: plugin.setupWizard,
+    });
+    setupWizardAdapters.set(plugin, adapter);
+    return adapter;
+  }
+  return undefined;
+}
+
+const getChannelSetupWizardAdapterMap = () => {
+  const adapters = new Map<ChannelChoice, ChannelSetupWizardAdapter>();
+  for (const plugin of listChannelSetupPlugins()) {
+    const adapter = resolveChannelSetupWizardAdapterForPlugin(plugin);
+    if (!adapter) {
+      continue;
+    }
+    adapters.set(plugin.id, adapter);
+  }
+  return adapters;
+};
+
+export function getChannelSetupWizardAdapter(
+  channel: ChannelChoice,
+): ChannelSetupWizardAdapter | undefined {
+  return getChannelSetupWizardAdapterMap().get(channel);
+}
+
+export function listChannelSetupWizardAdapters(): ChannelSetupWizardAdapter[] {
+  return Array.from(getChannelSetupWizardAdapterMap().values());
+}
diff --git a/src/commands/channel-setup/types.ts b/src/commands/channel-setup/types.ts
new file mode 100644
index 00000000000..d1fb33c2c5b
--- /dev/null
+++ b/src/commands/channel-setup/types.ts
@@ -0,0 +1 @@
+export * from "../../channels/plugins/setup-wizard-types.js";
diff --git a/src/commands/channel-test-helpers.ts b/src/commands/channel-test-helpers.ts
index 2814f6bb5bd..38f3621146f 100644
--- a/src/commands/channel-test-helpers.ts
+++ b/src/commands/channel-test-helpers.ts
@@ -1,51 +1,47 @@
-import { discordPlugin } from "../../extensions/discord/src/channel.js";
-import { imessagePlugin } from "../../extensions/imessage/src/channel.js";
-import { signalPlugin } from "../../extensions/signal/src/channel.js";
-import { slackPlugin } from "../../extensions/slack/src/channel.js";
-import { telegramPlugin } from "../../extensions/telegram/src/channel.js";
-import { whatsappPlugin } from "../../extensions/whatsapp/src/channel.js";
+import { requireBundledChannelPlugin } from "../channels/plugins/bundled.js";
 import { setActivePluginRegistry } from "../plugins/runtime.js";
 import { createTestRegistry } from "../test-utils/channel-plugins.js";
+import { getChannelSetupWizardAdapter } from "./channel-setup/registry.js";
+import type { ChannelSetupWizardAdapter } from "./channel-setup/types.js";
 import type { ChannelChoice } from "./onboard-types.js";
-import { getChannelOnboardingAdapter } from "./onboarding/registry.js";
-import type { ChannelOnboardingAdapter } from "./onboarding/types.js";
 
-type ChannelOnboardingAdapterPatch = Partial<
+type ChannelSetupWizardAdapterPatch = Partial<
   Pick<
-    ChannelOnboardingAdapter,
+    ChannelSetupWizardAdapter,
     "configure" | "configureInteractive" | "configureWhenConfigured" | "getStatus"
   >
 >;
 
-type PatchedOnboardingAdapterFields = {
-  configure?: ChannelOnboardingAdapter["configure"];
-  configureInteractive?: ChannelOnboardingAdapter["configureInteractive"];
-  configureWhenConfigured?: ChannelOnboardingAdapter["configureWhenConfigured"];
-  getStatus?: ChannelOnboardingAdapter["getStatus"];
+type PatchedSetupAdapterFields = {
+  configure?: ChannelSetupWizardAdapter["configure"];
+  configureInteractive?: ChannelSetupWizardAdapter["configureInteractive"];
+  configureWhenConfigured?: ChannelSetupWizardAdapter["configureWhenConfigured"];
+  getStatus?: ChannelSetupWizardAdapter["getStatus"];
 };
 
 export function setDefaultChannelPluginRegistryForTests(): void {
   const channels = [
-    { pluginId: "discord", plugin: discordPlugin, source: "test" },
-    { pluginId: "slack", plugin: slackPlugin, source: "test" },
-    { pluginId: "telegram", plugin: telegramPlugin, source: "test" },
-    { pluginId: "whatsapp", plugin: whatsappPlugin, source: "test" },
-    { pluginId: "signal", plugin: signalPlugin, source: "test" },
-    { pluginId: "imessage", plugin: imessagePlugin, source: "test" },
+    { pluginId: "discord", plugin: requireBundledChannelPlugin("discord"), source: "test" },
+    { pluginId: "feishu", plugin: requireBundledChannelPlugin("feishu"), source: "test" },
+    { pluginId: "slack", plugin: requireBundledChannelPlugin("slack"), source: "test" },
+    { pluginId: "telegram", plugin: requireBundledChannelPlugin("telegram"), source: "test" },
+    { pluginId: "whatsapp", plugin: requireBundledChannelPlugin("whatsapp"), source: "test" },
+    { pluginId: "signal", plugin: requireBundledChannelPlugin("signal"), source: "test" },
+    { pluginId: "imessage", plugin: requireBundledChannelPlugin("imessage"), source: "test" },
   ] as unknown as Parameters<typeof createTestRegistry>[0];
   setActivePluginRegistry(createTestRegistry(channels));
 }
 
-export function patchChannelOnboardingAdapter(
+export function patchChannelSetupWizardAdapter(
   channel: ChannelChoice,
-  patch: ChannelOnboardingAdapterPatch,
+  patch: ChannelSetupWizardAdapterPatch,
 ): () => void {
-  const adapter = getChannelOnboardingAdapter(channel);
+  const adapter = getChannelSetupWizardAdapter(channel);
   if (!adapter) {
-    throw new Error(`missing onboarding adapter for ${channel}`);
+    throw new Error(`missing setup adapter for ${channel}`);
   }
 
-  const previous: PatchedOnboardingAdapterFields = {};
+  const previous: PatchedSetupAdapterFields = {};
 
   if (Object.prototype.hasOwnProperty.call(patch, "getStatus")) {
     previous.getStatus = adapter.getStatus;
diff --git a/src/commands/channels.add.test.ts b/src/commands/channels.add.test.ts
index 9f584494fba..ad5d323f427 100644
--- a/src/commands/channels.add.test.ts
+++ b/src/commands/channels.add.test.ts
@@ -2,18 +2,22 @@ import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 import type { ChannelPluginCatalogEntry } from "../channels/plugins/catalog.js";
 import { setActivePluginRegistry } from "../plugins/runtime.js";
 import { createChannelTestPluginBase, createTestRegistry } from "../test-utils/channel-plugins.js";
+import {
+  ensureChannelSetupPluginInstalled,
+  loadChannelSetupPluginRegistrySnapshotForChannel,
+} from "./channel-setup/plugin-install.js";
 import { setDefaultChannelPluginRegistryForTests } from "./channel-test-helpers.js";
 import { configMocks, offsetMocks } from "./channels.mock-harness.js";
-import {
-  ensureOnboardingPluginInstalled,
-  loadOnboardingPluginRegistrySnapshotForChannel,
-} from "./onboarding/plugin-install.js";
 import { baseConfigSnapshot, createTestRuntime } from "./test-runtime-config-helpers.js";
 
 const catalogMocks = vi.hoisted(() => ({
   listChannelPluginCatalogEntries: vi.fn((): ChannelPluginCatalogEntry[] => []),
 }));
 
+const manifestRegistryMocks = vi.hoisted(() => ({
+  loadPluginManifestRegistry: vi.fn(() => ({ plugins: [], diagnostics: [] })),
+}));
+
 vi.mock("../channels/plugins/catalog.js", async (importOriginal) => {
   const actual = await importOriginal<typeof import("../channels/plugins/catalog.js")>();
   return {
@@ -22,12 +26,20 @@ vi.mock("../channels/plugins/catalog.js", async (importOriginal) => {
   };
 });
 
-vi.mock("./onboarding/plugin-install.js", async (importOriginal) => {
-  const actual = await importOriginal<typeof import("./onboarding/plugin-install.js")>();
+vi.mock("../plugins/manifest-registry.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("../plugins/manifest-registry.js")>();
   return {
     ...actual,
-    ensureOnboardingPluginInstalled: vi.fn(async ({ cfg }) => ({ cfg, installed: true })),
-    loadOnboardingPluginRegistrySnapshotForChannel: vi.fn(() => createTestRegistry()),
+    loadPluginManifestRegistry: manifestRegistryMocks.loadPluginManifestRegistry,
+  };
+});
+
+vi.mock("./channel-setup/plugin-install.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("./channel-setup/plugin-install.js")>();
+  return {
+    ...actual,
+    ensureChannelSetupPluginInstalled: vi.fn(async ({ cfg }) => ({ cfg, installed: true })),
+    loadChannelSetupPluginRegistrySnapshotForChannel: vi.fn(() => createTestRegistry()),
   };
 });
 
@@ -48,13 +60,20 @@ describe("channelsAddCommand", () => {
     runtime.exit.mockClear();
     catalogMocks.listChannelPluginCatalogEntries.mockClear();
     catalogMocks.listChannelPluginCatalogEntries.mockReturnValue([]);
-    vi.mocked(ensureOnboardingPluginInstalled).mockClear();
-    vi.mocked(ensureOnboardingPluginInstalled).mockImplementation(async ({ cfg }) => ({
+    manifestRegistryMocks.loadPluginManifestRegistry.mockClear();
+    manifestRegistryMocks.loadPluginManifestRegistry.mockReturnValue({
+      plugins: [],
+      diagnostics: [],
+    });
+    vi.mocked(ensureChannelSetupPluginInstalled).mockClear();
+    vi.mocked(ensureChannelSetupPluginInstalled).mockImplementation(async ({ cfg }) => ({
       cfg,
       installed: true,
     }));
-    vi.mocked(loadOnboardingPluginRegistrySnapshotForChannel).mockClear();
-    vi.mocked(loadOnboardingPluginRegistrySnapshotForChannel).mockReturnValue(createTestRegistry());
+    vi.mocked(loadChannelSetupPluginRegistrySnapshotForChannel).mockClear();
+    vi.mocked(loadChannelSetupPluginRegistrySnapshotForChannel).mockReturnValue(
+      createTestRegistry(),
+    );
     setDefaultChannelPluginRegistryForTests();
   });
 
@@ -134,7 +153,7 @@ describe("channelsAddCommand", () => {
         })),
       },
     };
-    vi.mocked(loadOnboardingPluginRegistrySnapshotForChannel).mockReturnValue(
+    vi.mocked(loadChannelSetupPluginRegistrySnapshotForChannel).mockReturnValue(
       createTestRegistry([{ pluginId: "msteams", plugin: scopedMSTeamsPlugin, source: "test" }]),
     );
 
@@ -148,10 +167,10 @@ describe("channelsAddCommand", () => {
       { hasFlags: true },
     );
 
-    expect(ensureOnboardingPluginInstalled).toHaveBeenCalledWith(
+    expect(ensureChannelSetupPluginInstalled).toHaveBeenCalledWith(
       expect.objectContaining({ entry: catalogEntry }),
     );
-    expect(loadOnboardingPluginRegistrySnapshotForChannel).toHaveBeenCalledWith(
+    expect(loadChannelSetupPluginRegistrySnapshotForChannel).toHaveBeenCalledWith(
       expect.objectContaining({
         channel: "msteams",
         pluginId: "@openclaw/msteams-plugin",
@@ -171,6 +190,85 @@ describe("channelsAddCommand", () => {
     expect(runtime.exit).not.toHaveBeenCalled();
   });
 
+  it("uses the installed external channel snapshot without reinstalling", async () => {
+    configMocks.readConfigFileSnapshot.mockResolvedValue({ ...baseConfigSnapshot });
+    setActivePluginRegistry(createTestRegistry());
+    const catalogEntry: ChannelPluginCatalogEntry = {
+      id: "msteams",
+      pluginId: "@openclaw/msteams-plugin",
+      meta: {
+        id: "msteams",
+        label: "Microsoft Teams",
+        selectionLabel: "Microsoft Teams",
+        docsPath: "/channels/msteams",
+        blurb: "teams channel",
+      },
+      install: {
+        npmSpec: "@openclaw/msteams",
+      },
+    };
+    catalogMocks.listChannelPluginCatalogEntries.mockReturnValue([catalogEntry]);
+    manifestRegistryMocks.loadPluginManifestRegistry.mockReturnValue({
+      plugins: [
+        {
+          id: "@openclaw/msteams-plugin",
+          channels: ["msteams"],
+        } as never,
+      ],
+      diagnostics: [],
+    });
+    const scopedMSTeamsPlugin = {
+      ...createChannelTestPluginBase({
+        id: "msteams",
+        label: "Microsoft Teams",
+        docsPath: "/channels/msteams",
+      }),
+      setup: {
+        applyAccountConfig: vi.fn(({ cfg, input }) => ({
+          ...cfg,
+          channels: {
+            ...cfg.channels,
+            msteams: {
+              enabled: true,
+              tenantId: input.token,
+            },
+          },
+        })),
+      },
+    };
+    vi.mocked(loadChannelSetupPluginRegistrySnapshotForChannel).mockReturnValue(
+      createTestRegistry([{ pluginId: "msteams", plugin: scopedMSTeamsPlugin, source: "test" }]),
+    );
+
+    await channelsAddCommand(
+      {
+        channel: "msteams",
+        account: "default",
+        token: "tenant-installed",
+      },
+      runtime,
+      { hasFlags: true },
+    );
+
+    expect(ensureChannelSetupPluginInstalled).not.toHaveBeenCalled();
+    expect(loadChannelSetupPluginRegistrySnapshotForChannel).toHaveBeenCalledWith(
+      expect.objectContaining({
+        channel: "msteams",
+        pluginId: "@openclaw/msteams-plugin",
+      }),
+    );
+    expect(configMocks.writeConfigFile).toHaveBeenCalledWith(
+      expect.objectContaining({
+        channels: {
+          msteams: {
+            enabled: true,
+            tenantId: "tenant-installed",
+          },
+        },
+      }),
+    );
+  });
+
   it("uses the installed plugin id when channel and plugin ids differ", async () => {
     configMocks.readConfigFileSnapshot.mockResolvedValue({ ...baseConfigSnapshot });
     setActivePluginRegistry(createTestRegistry());
@@ -189,12 +287,12 @@ describe("channelsAddCommand", () => {
       },
     };
     catalogMocks.listChannelPluginCatalogEntries.mockReturnValue([catalogEntry]);
-    vi.mocked(ensureOnboardingPluginInstalled).mockImplementation(async ({ cfg }) => ({
+    vi.mocked(ensureChannelSetupPluginInstalled).mockImplementation(async ({ cfg }) => ({
       cfg,
       installed: true,
       pluginId: "@vendor/teams-runtime",
     }));
-    vi.mocked(loadOnboardingPluginRegistrySnapshotForChannel).mockReturnValue(
+    vi.mocked(loadChannelSetupPluginRegistrySnapshotForChannel).mockReturnValue(
       createTestRegistry([
         {
           pluginId: "@vendor/teams-runtime",
@@ -232,7 +330,7 @@ describe("channelsAddCommand", () => {
       { hasFlags: true },
     );
 
-    expect(loadOnboardingPluginRegistrySnapshotForChannel).toHaveBeenCalledWith(
+    expect(loadChannelSetupPluginRegistrySnapshotForChannel).toHaveBeenCalledWith(
       expect.objectContaining({
         channel: "msteams",
         pluginId: "@vendor/teams-runtime",
diff --git a/src/commands/channels.status.command-flow.test.ts b/src/commands/channels.status.command-flow.test.ts
new file mode 100644
index 00000000000..e613c64323a
--- /dev/null
+++ b/src/commands/channels.status.command-flow.test.ts
@@ -0,0 +1,172 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const callGateway = vi.fn();
+const resolveCommandSecretRefsViaGateway = vi.fn();
+const requireValidConfigSnapshot = vi.fn();
+const listChannelPlugins = vi.fn();
+const withProgress = vi.fn(async (_opts: unknown, run: () => Promise<unknown>) => await run());
+
+vi.mock("../gateway/call.js", () => ({
+  callGateway: (opts: unknown) => callGateway(opts),
+}));
+
+vi.mock("../cli/command-secret-gateway.js", () => ({
+  resolveCommandSecretRefsViaGateway: (opts: unknown) => resolveCommandSecretRefsViaGateway(opts),
+}));
+
+vi.mock("./shared.js", () => ({
+  requireValidConfigSnapshot: (runtime: unknown) => requireValidConfigSnapshot(runtime),
+  formatChannelAccountLabel: ({
+    channel,
+    accountId,
+  }: {
+    channel: string;
+    accountId: string;
+    name?: string;
+  }) => `${channel} ${accountId}`,
+}));
+
+vi.mock("../channels/plugins/index.js", () => ({
+  listChannelPlugins: () => listChannelPlugins(),
+  getChannelPlugin: (channel: string) =>
+    (listChannelPlugins() as Array<{ id: string }>).find((plugin) => plugin.id === channel),
+}));
+
+vi.mock("../cli/progress.js", () => ({
+  withProgress: (opts: unknown, run: () => Promise<unknown>) => withProgress(opts, run),
+}));
+
+const { channelsStatusCommand } = await import("./channels/status.js");
+
+function createTokenOnlyPlugin() {
+  return {
+    id: "discord",
+    meta: {
+      id: "discord",
+      label: "Discord",
+      selectionLabel: "Discord",
+      docsPath: "/channels/discord",
+      blurb: "test",
+    },
+    capabilities: { chatTypes: ["direct"] },
+    config: {
+      listAccountIds: () => ["default"],
+      defaultAccountId: () => "default",
+      inspectAccount: (cfg: { secretResolved?: boolean }) =>
+        cfg.secretResolved
+          ? {
+              name: "Primary",
+              enabled: true,
+              configured: true,
+              token: "resolved-discord-token",
+              tokenSource: "config",
+              tokenStatus: "available",
+            }
+          : {
+              name: "Primary",
+              enabled: true,
+              configured: true,
+              token: "",
+              tokenSource: "config",
+              tokenStatus: "configured_unavailable",
+            },
+      resolveAccount: (cfg: { secretResolved?: boolean }) =>
+        cfg.secretResolved
+          ? {
+              name: "Primary",
+              enabled: true,
+              configured: true,
+              token: "resolved-discord-token",
+              tokenSource: "config",
+              tokenStatus: "available",
+            }
+          : {
+              name: "Primary",
+              enabled: true,
+              configured: true,
+              token: "",
+              tokenSource: "config",
+              tokenStatus: "configured_unavailable",
+            },
+      isConfigured: () => true,
+      isEnabled: () => true,
+    },
+    actions: {
+      listActions: () => ["send"],
+    },
+  };
+}
+
+function createRuntimeCapture() {
+  const logs: string[] = [];
+  const errors: string[] = [];
+  const runtime = {
+    log: (message: unknown) => logs.push(String(message)),
+    error: (message: unknown) => errors.push(String(message)),
+    exit: (_code?: number) => undefined,
+  };
+  return { runtime, logs, errors };
+}
+
+describe("channelsStatusCommand SecretRef fallback flow", () => {
+  beforeEach(() => {
+    callGateway.mockReset();
+    resolveCommandSecretRefsViaGateway.mockReset();
+    requireValidConfigSnapshot.mockReset();
+    listChannelPlugins.mockReset();
+    withProgress.mockClear();
+    listChannelPlugins.mockReturnValue([createTokenOnlyPlugin()]);
+  });
+
+  it("keeps read-only fallback output when SecretRefs are unresolved", async () => {
+    callGateway.mockRejectedValue(new Error("gateway closed"));
+    requireValidConfigSnapshot.mockResolvedValue({ secretResolved: false, channels: {} });
+    resolveCommandSecretRefsViaGateway.mockResolvedValue({
+      resolvedConfig: { secretResolved: false, channels: {} },
+      diagnostics: [
+        "channels status: channels.discord.token is unavailable in this command path; continuing with degraded read-only config.",
+      ],
+      targetStatesByPath: {},
+      hadUnresolvedTargets: true,
+    });
+    const { runtime, logs, errors } = createRuntimeCapture();
+
+    await channelsStatusCommand({ probe: false }, runtime as never);
+
+    expect(errors.some((line) => line.includes("Gateway not reachable"))).toBe(true);
+    expect(resolveCommandSecretRefsViaGateway).toHaveBeenCalledWith(
+      expect.objectContaining({
+        commandName: "channels status",
+        mode: "read_only_status",
+      }),
+    );
+    expect(
+      logs.some((line) =>
+        line.includes("[secrets] channels status: channels.discord.token is unavailable"),
+      ),
+    ).toBe(true);
+    const joined = logs.join("\n");
+    expect(joined).toContain("configured, secret unavailable in this command path");
+    expect(joined).toContain("token:config (unavailable)");
+  });
+
+  it("prefers resolved snapshots when command-local SecretRef resolution succeeds", async () => {
+    callGateway.mockRejectedValue(new Error("gateway closed"));
+    requireValidConfigSnapshot.mockResolvedValue({ secretResolved: false, channels: {} });
+    resolveCommandSecretRefsViaGateway.mockResolvedValue({
+      resolvedConfig: { secretResolved: true, channels: {} },
+      diagnostics: [],
+      targetStatesByPath: {},
+      hadUnresolvedTargets: false,
+    });
+    const { runtime, logs } = createRuntimeCapture();
+
+    await channelsStatusCommand({ probe: false }, runtime as never);
+
+    const joined = logs.join("\n");
+    expect(joined).toContain("configured");
+    expect(joined).toContain("token:config");
+    expect(joined).not.toContain("secret unavailable in this command path");
+    expect(joined).not.toContain("token:config (unavailable)");
+  });
+});
diff --git a/src/commands/channels/add.ts b/src/commands/channels/add.ts
index e412c60215a..4f8b3e8133c 100644
--- a/src/commands/channels/add.ts
+++ b/src/commands/channels/add.ts
@@ -3,12 +3,14 @@ import { listChannelPluginCatalogEntries } from "../../channels/plugins/catalog.
 import { parseOptionalDelimitedEntries } from "../../channels/plugins/helpers.js";
 import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import { moveSingleAccountChannelSectionToDefaultAccount } from "../../channels/plugins/setup-helpers.js";
+import type { ChannelSetupPlugin } from "../../channels/plugins/setup-wizard-types.js";
 import type { ChannelId, ChannelPlugin, ChannelSetupInput } from "../../channels/plugins/types.js";
 import { writeConfigFile, type OpenClawConfig } from "../../config/config.js";
 import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../routing/session-key.js";
 import { defaultRuntime, type RuntimeEnv } from "../../runtime.js";
 import { createClackPrompter } from "../../wizard/clack-prompter.js";
 import { applyAgentBindings, describeBinding } from "../agents.bindings.js";
+import { isCatalogChannelInstalled } from "../channel-setup/discovery.js";
 import type { ChannelChoice } from "../onboard-types.js";
 import { applyAccountName, applyChannelAccountConfig } from "./add-mutators.js";
 import { channelLabel, requireValidConfig, shouldUseWizard } from "./shared.js";
@@ -55,7 +57,7 @@ export async function channelsAddCommand(
     const prompter = createClackPrompter();
     let selection: ChannelChoice[] = [];
     const accountIds: Partial<Record<ChannelChoice, string>> = {};
-    const resolvedPlugins = new Map<ChannelChoice, ChannelPlugin>();
+    const resolvedPlugins = new Map<ChannelChoice, ChannelSetupPlugin>();
     await prompter.intro("Channel setup");
     let nextConfig = await setupChannels(cfg, runtime, prompter, {
       allowDisable: false,
@@ -186,37 +188,49 @@ export async function channelsAddCommand(
     if (existing) {
       return existing;
     }
-    const { loadOnboardingPluginRegistrySnapshotForChannel } =
-      await import("../onboarding/plugin-install.js");
-    const snapshot = loadOnboardingPluginRegistrySnapshotForChannel({
+    const { loadChannelSetupPluginRegistrySnapshotForChannel } =
+      await import("../channel-setup/plugin-install.js");
+    const snapshot = loadChannelSetupPluginRegistrySnapshotForChannel({
       cfg: nextConfig,
       runtime,
       channel: channelId,
       ...(pluginId ? { pluginId } : {}),
       workspaceDir: resolveWorkspaceDir(),
     });
-    return snapshot.channels.find((entry) => entry.plugin.id === channelId)?.plugin;
+    return (
+      snapshot.channels.find((entry) => entry.plugin.id === channelId)?.plugin ??
+      snapshot.channelSetups.find((entry) => entry.plugin.id === channelId)?.plugin
+    );
   };
 
   if (!channel && catalogEntry) {
-    const { ensureOnboardingPluginInstalled } = await import("../onboarding/plugin-install.js");
-    const prompter = createClackPrompter();
     const workspaceDir = resolveWorkspaceDir();
-    const result = await ensureOnboardingPluginInstalled({
-      cfg: nextConfig,
-      entry: catalogEntry,
-      prompter,
-      runtime,
-      workspaceDir,
-    });
-    nextConfig = result.cfg;
-    if (!result.installed) {
-      return;
+    if (
+      !isCatalogChannelInstalled({
+        cfg: nextConfig,
+        entry: catalogEntry,
+        workspaceDir,
+      })
+    ) {
+      const { ensureChannelSetupPluginInstalled } =
+        await import("../channel-setup/plugin-install.js");
+      const prompter = createClackPrompter();
+      const result = await ensureChannelSetupPluginInstalled({
+        cfg: nextConfig,
+        entry: catalogEntry,
+        prompter,
+        runtime,
+        workspaceDir,
+      });
+      nextConfig = result.cfg;
+      if (!result.installed) {
+        return;
+      }
+      catalogEntry = {
+        ...catalogEntry,
+        ...(result.pluginId ? { pluginId: result.pluginId } : {}),
+      };
     }
-    catalogEntry = {
-      ...catalogEntry,
-      ...(result.pluginId ? { pluginId: result.pluginId } : {}),
-    };
     channel = normalizeChannelId(catalogEntry.id) ?? (catalogEntry.id as ChannelId);
   }
 
@@ -248,6 +262,7 @@ export async function channelsAddCommand(
   const input: ChannelSetupInput = {
     name: opts.name,
     token: opts.token,
+    privateKey: opts.privateKey,
     tokenFile: opts.tokenFile,
     botToken: opts.botToken,
     appToken: opts.appToken,
@@ -273,6 +288,7 @@ export async function channelsAddCommand(
     useEnv,
     ship: opts.ship,
     url: opts.url,
+    relayUrls: opts.relayUrls,
     code: opts.code,
     groupChannels,
     dmAllowlist,
@@ -296,20 +312,7 @@ export async function channelsAddCommand(
     return;
   }
 
-  let previousTelegramToken = "";
-  let resolveTelegramAccount:
-    | ((
-        params: Parameters<
-          typeof import("../../../extensions/telegram/src/accounts.js").resolveTelegramAccount
-        >[0],
-      ) => ReturnType<
-        typeof import("../../../extensions/telegram/src/accounts.js").resolveTelegramAccount
-      >)
-    | undefined;
-  if (channel === "telegram") {
-    ({ resolveTelegramAccount } = await import("../../../extensions/telegram/src/accounts.js"));
-    previousTelegramToken = resolveTelegramAccount({ cfg: nextConfig, accountId }).token.trim();
-  }
+  const prevConfig = nextConfig;
 
   if (accountId !== DEFAULT_ACCOUNT_ID) {
     nextConfig = moveSingleAccountChannelSectionToDefaultAccount({
@@ -325,16 +328,12 @@ export async function channelsAddCommand(
     input,
     plugin,
   });
-
-  if (channel === "telegram" && resolveTelegramAccount) {
-    const { deleteTelegramUpdateOffset } =
-      await import("../../../extensions/telegram/src/update-offset-store.js");
-    const nextTelegramToken = resolveTelegramAccount({ cfg: nextConfig, accountId }).token.trim();
-    if (previousTelegramToken !== nextTelegramToken) {
-      // Clear stale polling offsets after Telegram token rotation.
-      await deleteTelegramUpdateOffset({ accountId });
-    }
-  }
+  await plugin.lifecycle?.onAccountConfigChanged?.({
+    prevCfg: prevConfig,
+    nextCfg: nextConfig,
+    accountId,
+    runtime,
+  });
 
   await writeConfigFile(nextConfig);
   runtime.log(`Added ${channelLabel(channel)} account "${accountId}".`);
diff --git a/src/commands/channels/capabilities.test.ts b/src/commands/channels/capabilities.test.ts
index 5e838cc4ec8..3a70bdb85f9 100644
--- a/src/commands/channels/capabilities.test.ts
+++ b/src/commands/channels/capabilities.test.ts
@@ -1,7 +1,6 @@
 process.env.NO_COLOR = "1";
 
 import { beforeEach, describe, expect, it, vi } from "vitest";
-import { fetchSlackScopes } from "../../../extensions/slack/src/scopes.js";
 import { getChannelPlugin, listChannelPlugins } from "../../channels/plugins/index.js";
 import type { ChannelPlugin } from "../../channels/plugins/types.js";
 import { channelsCapabilitiesCommand } from "./capabilities.js";
@@ -21,10 +20,6 @@ vi.mock("../../channels/plugins/index.js", () => ({
   getChannelPlugin: vi.fn(),
 }));
 
-vi.mock("../../../extensions/slack/src/scopes.js", () => ({
-  fetchSlackScopes: vi.fn(),
-}));
-
 const runtime = {
   log: (...args: unknown[]) => {
     logs.push(args.map(String).join(" "));
@@ -95,14 +90,22 @@ describe("channelsCapabilitiesCommand", () => {
       },
       probe: { ok: true, bot: { name: "openclaw" }, team: { name: "team" } },
     });
+    plugin.status = {
+      ...plugin.status,
+      formatCapabilitiesProbe: () => [{ text: "Bot: @openclaw" }, { text: "Team: team" }],
+      buildCapabilitiesDiagnostics: async () => ({
+        lines: [
+          { text: "Bot scopes (auth.scopes): chat:write" },
+          { text: "User scopes (auth.scopes): users:read" },
+        ],
+        details: {
+          botScopes: { ok: true, scopes: ["chat:write"], source: "auth.scopes" },
+          userScopes: { ok: true, scopes: ["users:read"], source: "auth.scopes" },
+        },
+      }),
+    };
     vi.mocked(listChannelPlugins).mockReturnValue([plugin]);
     vi.mocked(getChannelPlugin).mockReturnValue(plugin);
-    vi.mocked(fetchSlackScopes).mockImplementation(async (token: string) => {
-      if (token === "xoxp-user") {
-        return { ok: true, scopes: ["users:read"], source: "auth.scopes" };
-      }
-      return { ok: true, scopes: ["chat:write"], source: "auth.scopes" };
-    });
 
     await channelsCapabilitiesCommand({ channel: "slack" }, runtime);
 
@@ -111,8 +114,6 @@ describe("channelsCapabilitiesCommand", () => {
     expect(output).toContain("User scopes");
     expect(output).toContain("chat:write");
     expect(output).toContain("users:read");
-    expect(fetchSlackScopes).toHaveBeenCalledWith("xoxb-bot", expect.any(Number));
-    expect(fetchSlackScopes).toHaveBeenCalledWith("xoxp-user", expect.any(Number));
   });
 
   it("prints Teams Graph permission hints when present", async () => {
@@ -127,6 +128,15 @@ describe("channelsCapabilitiesCommand", () => {
         },
       },
     });
+    plugin.status = {
+      ...plugin.status,
+      formatCapabilitiesProbe: () => [
+        { text: "App: app-id" },
+        {
+          text: "Graph roles: ChannelMessage.Read.All (channel history), Files.Read.All (files (OneDrive))",
+        },
+      ],
+    };
     vi.mocked(listChannelPlugins).mockReturnValue([plugin]);
     vi.mocked(getChannelPlugin).mockReturnValue(plugin);
 
diff --git a/src/commands/channels/capabilities.ts b/src/commands/channels/capabilities.ts
index 30f64da43d9..acd28137b30 100644
--- a/src/commands/channels/capabilities.ts
+++ b/src/commands/channels/capabilities.ts
@@ -1,9 +1,11 @@
-import { fetchChannelPermissionsDiscord } from "../../../extensions/discord/src/send.js";
-import { parseDiscordTarget } from "../../../extensions/discord/src/targets.js";
-import { fetchSlackScopes, type SlackScopesResult } from "../../../extensions/slack/src/scopes.js";
 import { resolveChannelDefaultAccountId } from "../../channels/plugins/helpers.js";
 import { getChannelPlugin, listChannelPlugins } from "../../channels/plugins/index.js";
-import type { ChannelCapabilities, ChannelPlugin } from "../../channels/plugins/types.js";
+import type {
+  ChannelCapabilities,
+  ChannelCapabilitiesDiagnostics,
+  ChannelCapabilitiesDisplayLine,
+  ChannelPlugin,
+} from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { danger } from "../../globals.js";
 import { defaultRuntime, type RuntimeEnv } from "../../runtime.js";
@@ -18,24 +20,6 @@ export type ChannelsCapabilitiesOptions = {
   json?: boolean;
 };
 
-type DiscordTargetSummary = {
-  raw?: string;
-  normalized?: string;
-  kind?: "channel" | "user";
-  channelId?: string;
-};
-
-type DiscordPermissionsReport = {
-  channelId?: string;
-  guildId?: string;
-  isDm?: boolean;
-  channelType?: number;
-  permissions?: string[];
-  missingRequired?: string[];
-  raw?: string;
-  error?: string;
-};
-
 type ChannelCapabilitiesReport = {
   channel: string;
   accountId: string;
@@ -45,24 +29,7 @@ type ChannelCapabilitiesReport = {
   support?: ChannelCapabilities;
   actions?: string[];
   probe?: unknown;
-  slackScopes?: Array<{
-    tokenType: "bot" | "user";
-    result: SlackScopesResult;
-  }>;
-  target?: DiscordTargetSummary;
-  channelPermissions?: DiscordPermissionsReport;
-};
-
-const REQUIRED_DISCORD_PERMISSIONS = ["ViewChannel", "SendMessages"] as const;
-
-const TEAMS_GRAPH_PERMISSION_HINTS: Record<string, string> = {
-  "ChannelMessage.Read.All": "channel history",
-  "Chat.Read.All": "chat history",
-  "Channel.ReadBasic.All": "channel list",
-  "Team.ReadBasic.All": "team list",
-  "TeamsActivity.Read.All": "teams activity",
-  "Sites.Read.All": "files (SharePoint)",
-  "Files.Read.All": "files (OneDrive)",
+  diagnostics?: ChannelCapabilitiesDiagnostics;
 };
 
 function normalizeTimeout(raw: unknown, fallback = 10_000) {
@@ -117,221 +84,35 @@ function formatSupport(capabilities?: ChannelCapabilities) {
   return bits.length ? bits.join(" ") : "none";
 }
 
-function summarizeDiscordTarget(raw?: string): DiscordTargetSummary | undefined {
-  if (!raw) {
-    return undefined;
-  }
-  const target = parseDiscordTarget(raw, { defaultKind: "channel" });
-  if (!target) {
-    return { raw };
-  }
-  if (target.kind === "channel") {
-    return {
-      raw,
-      normalized: target.normalized,
-      kind: "channel",
-      channelId: target.id,
-    };
-  }
-  if (target.kind === "user") {
-    return {
-      raw,
-      normalized: target.normalized,
-      kind: "user",
-    };
-  }
-  return { raw, normalized: target.normalized };
-}
-
-function formatDiscordIntents(intents?: {
-  messageContent?: string;
-  guildMembers?: string;
-  presence?: string;
-}) {
-  if (!intents) {
-    return "unknown";
-  }
-  return [
-    `messageContent=${intents.messageContent ?? "unknown"}`,
-    `guildMembers=${intents.guildMembers ?? "unknown"}`,
-    `presence=${intents.presence ?? "unknown"}`,
-  ].join(" ");
-}
-
-function formatProbeLines(channelId: string, probe: unknown): string[] {
-  const lines: string[] = [];
+function formatGenericProbeLines(probe: unknown): ChannelCapabilitiesDisplayLine[] {
   if (!probe || typeof probe !== "object") {
-    return lines;
+    return [];
   }
   const probeObj = probe as Record<string, unknown>;
-
-  if (channelId === "discord") {
-    const bot = probeObj.bot as { id?: string | null; username?: string | null } | undefined;
-    if (bot?.username) {
-      const botId = bot.id ? ` (${bot.id})` : "";
-      lines.push(`Bot: ${theme.accent(`@${bot.username}`)}${botId}`);
-    }
-    const app = probeObj.application as { intents?: Record<string, unknown> } | undefined;
-    if (app?.intents) {
-      lines.push(`Intents: ${formatDiscordIntents(app.intents)}`);
-    }
-  }
-
-  if (channelId === "telegram") {
-    const bot = probeObj.bot as { username?: string | null; id?: number | null } | undefined;
-    if (bot?.username) {
-      const botId = bot.id ? ` (${bot.id})` : "";
-      lines.push(`Bot: ${theme.accent(`@${bot.username}`)}${botId}`);
-    }
-    const flags: string[] = [];
-    const canJoinGroups = (bot as { canJoinGroups?: boolean | null })?.canJoinGroups;
-    const canReadAll = (bot as { canReadAllGroupMessages?: boolean | null })
-      ?.canReadAllGroupMessages;
-    const inlineQueries = (bot as { supportsInlineQueries?: boolean | null })
-      ?.supportsInlineQueries;
-    if (typeof canJoinGroups === "boolean") {
-      flags.push(`joinGroups=${canJoinGroups}`);
-    }
-    if (typeof canReadAll === "boolean") {
-      flags.push(`readAllGroupMessages=${canReadAll}`);
-    }
-    if (typeof inlineQueries === "boolean") {
-      flags.push(`inlineQueries=${inlineQueries}`);
-    }
-    if (flags.length > 0) {
-      lines.push(`Flags: ${flags.join(" ")}`);
-    }
-    const webhook = probeObj.webhook as { url?: string | null } | undefined;
-    if (webhook?.url !== undefined) {
-      lines.push(`Webhook: ${webhook.url || "none"}`);
-    }
-  }
-
-  if (channelId === "slack") {
-    const bot = probeObj.bot as { name?: string } | undefined;
-    const team = probeObj.team as { name?: string; id?: string } | undefined;
-    if (bot?.name) {
-      lines.push(`Bot: ${theme.accent(`@${bot.name}`)}`);
-    }
-    if (team?.name || team?.id) {
-      const id = team?.id ? ` (${team.id})` : "";
-      lines.push(`Team: ${team?.name ?? "unknown"}${id}`);
-    }
-  }
-
-  if (channelId === "signal") {
-    const version = probeObj.version as string | null | undefined;
-    if (version) {
-      lines.push(`Signal daemon: ${version}`);
-    }
-  }
-
-  if (channelId === "msteams") {
-    const appId = typeof probeObj.appId === "string" ? probeObj.appId.trim() : "";
-    if (appId) {
-      lines.push(`App: ${theme.accent(appId)}`);
-    }
-    const graph = probeObj.graph as
-      | { ok?: boolean; roles?: unknown; scopes?: unknown; error?: string }
-      | undefined;
-    if (graph) {
-      const roles = Array.isArray(graph.roles)
-        ? graph.roles.map((role) => String(role).trim()).filter(Boolean)
-        : [];
-      const scopes =
-        typeof graph.scopes === "string"
-          ? graph.scopes
-              .split(/\s+/)
-              .map((scope) => scope.trim())
-              .filter(Boolean)
-          : Array.isArray(graph.scopes)
-            ? graph.scopes.map((scope) => String(scope).trim()).filter(Boolean)
-            : [];
-      if (graph.ok === false) {
-        lines.push(`Graph: ${theme.error(graph.error ?? "failed")}`);
-      } else if (roles.length > 0 || scopes.length > 0) {
-        const formatPermission = (permission: string) => {
-          const hint = TEAMS_GRAPH_PERMISSION_HINTS[permission];
-          return hint ? `${permission} (${hint})` : permission;
-        };
-        if (roles.length > 0) {
-          lines.push(`Graph roles: ${roles.map(formatPermission).join(", ")}`);
-        }
-        if (scopes.length > 0) {
-          lines.push(`Graph scopes: ${scopes.map(formatPermission).join(", ")}`);
-        }
-      } else if (graph.ok === true) {
-        lines.push("Graph: ok");
-      }
-    }
-  }
-
   const ok = typeof probeObj.ok === "boolean" ? probeObj.ok : undefined;
-  if (ok === true && lines.length === 0) {
-    lines.push("Probe: ok");
+  if (ok === true) {
+    return [{ text: "Probe: ok" }];
   }
   if (ok === false) {
     const error =
       typeof probeObj.error === "string" && probeObj.error ? ` (${probeObj.error})` : "";
-    lines.push(`Probe: ${theme.error(`failed${error}`)}`);
+    return [{ text: `Probe: failed${error}`, tone: "error" }];
   }
-  return lines;
+  return [];
 }
 
-async function buildDiscordPermissions(params: {
-  account: { token?: string; accountId?: string };
-  target?: string;
-}): Promise<{ target?: DiscordTargetSummary; report?: DiscordPermissionsReport }> {
-  const target = summarizeDiscordTarget(params.target?.trim());
-  if (!target) {
-    return {};
-  }
-  if (target.kind !== "channel" || !target.channelId) {
-    return {
-      target,
-      report: {
-        error: "Target looks like a DM user; pass channel:<id> to audit channel permissions.",
-      },
-    };
-  }
-  const token = params.account.token?.trim();
-  if (!token) {
-    return {
-      target,
-      report: {
-        channelId: target.channelId,
-        error: "Discord bot token missing for permission audit.",
-      },
-    };
-  }
-  try {
-    const perms = await fetchChannelPermissionsDiscord(target.channelId, {
-      token,
-      accountId: params.account.accountId ?? undefined,
-    });
-    const missing = REQUIRED_DISCORD_PERMISSIONS.filter(
-      (permission) => !perms.permissions.includes(permission),
-    );
-    return {
-      target,
-      report: {
-        channelId: perms.channelId,
-        guildId: perms.guildId,
-        isDm: perms.isDm,
-        channelType: perms.channelType,
-        permissions: perms.permissions,
-        missingRequired: missing.length ? missing : [],
-        raw: perms.raw,
-      },
-    };
-  } catch (err) {
-    return {
-      target,
-      report: {
-        channelId: target.channelId,
-        error: err instanceof Error ? err.message : String(err),
-      },
-    };
+function renderDisplayLine(line: ChannelCapabilitiesDisplayLine) {
+  switch (line.tone) {
+    case "muted":
+      return theme.muted(line.text);
+    case "success":
+      return theme.success(line.text);
+    case "warn":
+      return theme.warn(line.text);
+    case "error":
+      return theme.error(line.text);
+    default:
+      return line.text;
   }
 }
 
@@ -378,41 +159,16 @@ async function resolveChannelReports(params: {
       }
     }
 
-    let slackScopes: ChannelCapabilitiesReport["slackScopes"];
-    if (plugin.id === "slack" && configured && enabled) {
-      const botToken = (resolvedAccount as { botToken?: string }).botToken?.trim();
-      const userToken = (resolvedAccount as { userToken?: string }).userToken?.trim();
-      const scopeReports: NonNullable<ChannelCapabilitiesReport["slackScopes"]> = [];
-      if (botToken) {
-        scopeReports.push({
-          tokenType: "bot",
-          result: await fetchSlackScopes(botToken, timeoutMs),
-        });
-      } else {
-        scopeReports.push({
-          tokenType: "bot",
-          result: { ok: false, error: "Slack bot token missing." },
-        });
-      }
-      if (userToken) {
-        scopeReports.push({
-          tokenType: "user",
-          result: await fetchSlackScopes(userToken, timeoutMs),
-        });
-      }
-      slackScopes = scopeReports;
-    }
-
-    let discordTarget: DiscordTargetSummary | undefined;
-    let discordPermissions: DiscordPermissionsReport | undefined;
-    if (plugin.id === "discord" && params.target) {
-      const perms = await buildDiscordPermissions({
-        account: resolvedAccount as { token?: string; accountId?: string },
-        target: params.target,
-      });
-      discordTarget = perms.target;
-      discordPermissions = perms.report;
-    }
+    const diagnostics =
+      configured && enabled
+        ? await plugin.status?.buildCapabilitiesDiagnostics?.({
+            account: resolvedAccount,
+            timeoutMs,
+            cfg,
+            probe,
+            target: params.target,
+          })
+        : undefined;
 
     reports.push({
       channel: plugin.id,
@@ -425,10 +181,8 @@ async function resolveChannelReports(params: {
       enabled,
       support: plugin.capabilities,
       probe,
-      target: discordTarget,
-      channelPermissions: discordPermissions,
       actions,
-      slackScopes,
+      diagnostics,
     });
   }
   return reports;
@@ -451,8 +205,8 @@ export async function channelsCapabilitiesCommand(
     runtime.exit(1);
     return;
   }
-  if (rawTarget && rawChannel !== "discord") {
-    runtime.error(danger("--target requires --channel discord."));
+  if (rawTarget && (!rawChannel || rawChannel === "all")) {
+    runtime.error(danger("--target requires a specific --channel."));
     runtime.exit(1);
     return;
   }
@@ -484,7 +238,7 @@ export async function channelsCapabilitiesCommand(
         cfg,
         timeoutMs,
         accountOverride,
-        target: rawTarget && plugin.id === "discord" ? rawTarget : undefined,
+        target: rawTarget || undefined,
       })),
     );
   }
@@ -513,39 +267,17 @@ export async function channelsCapabilitiesCommand(
       const enabledLabel = report.enabled === false ? "disabled" : "enabled";
       lines.push(`Status: ${configuredLabel}, ${enabledLabel}`);
     }
-    const probeLines = formatProbeLines(report.channel, report.probe);
+    const probeLines =
+      getChannelPlugin(report.channel)?.status?.formatCapabilitiesProbe?.({
+        probe: report.probe,
+      }) ?? formatGenericProbeLines(report.probe);
     if (probeLines.length > 0) {
-      lines.push(...probeLines);
+      lines.push(...probeLines.map(renderDisplayLine));
     } else if (report.configured && report.enabled) {
       lines.push(theme.muted("Probe: unavailable"));
     }
-    if (report.channel === "slack" && report.slackScopes) {
-      for (const entry of report.slackScopes) {
-        const source = entry.result.source ? ` (${entry.result.source})` : "";
-        const label = entry.tokenType === "user" ? "User scopes" : "Bot scopes";
-        if (entry.result.ok && entry.result.scopes?.length) {
-          lines.push(`${label}${source}: ${entry.result.scopes.join(", ")}`);
-        } else if (entry.result.error) {
-          lines.push(`${label}: ${theme.error(entry.result.error)}`);
-        }
-      }
-    }
-    if (report.channel === "discord" && report.channelPermissions) {
-      const perms = report.channelPermissions;
-      if (perms.error) {
-        lines.push(`Permissions: ${theme.error(perms.error)}`);
-      } else {
-        const list = perms.permissions?.length ? perms.permissions.join(", ") : "none";
-        const label = perms.channelId ? ` (${perms.channelId})` : "";
-        lines.push(`Permissions${label}: ${list}`);
-        if (perms.missingRequired && perms.missingRequired.length > 0) {
-          lines.push(`${theme.warn("Missing required:")} ${perms.missingRequired.join(", ")}`);
-        } else {
-          lines.push(theme.success("Missing required: none"));
-        }
-      }
-    } else if (report.channel === "discord" && rawTarget && !report.channelPermissions) {
-      lines.push(theme.muted("Permissions: skipped (no target)."));
+    if (report.diagnostics?.lines?.length) {
+      lines.push(...report.diagnostics.lines.map(renderDisplayLine));
     }
     lines.push("");
   }
diff --git a/src/commands/channels/remove.ts b/src/commands/channels/remove.ts
index 58354170135..1cd5fded7d3 100644
--- a/src/commands/channels/remove.ts
+++ b/src/commands/channels/remove.ts
@@ -1,4 +1,3 @@
-import { deleteTelegramUpdateOffset } from "../../../extensions/telegram/src/update-offset-store.js";
 import { resolveChannelDefaultAccountId } from "../../channels/plugins/helpers.js";
 import {
   getChannelPlugin,
@@ -103,6 +102,7 @@ export async function channelsRemoveCommand(
   const accountKey = resolvedAccountId || DEFAULT_ACCOUNT_ID;
 
   let next = { ...cfg };
+  const prevCfg = cfg;
   if (deleteConfig) {
     if (!plugin.config.deleteAccount) {
       runtime.error(`Channel ${channel} does not support delete.`);
@@ -113,11 +113,11 @@ export async function channelsRemoveCommand(
       cfg: next,
       accountId: resolvedAccountId,
     });
-
-    // Clean up Telegram polling offset to prevent stale offset on bot token change (#18233)
-    if (channel === "telegram") {
-      await deleteTelegramUpdateOffset({ accountId: resolvedAccountId });
-    }
+    await plugin.lifecycle?.onAccountRemoved?.({
+      prevCfg,
+      accountId: resolvedAccountId,
+      runtime,
+    });
   } else {
     if (!plugin.config.setAccountEnabled) {
       runtime.error(`Channel ${channel} does not support disable.`);
@@ -129,6 +129,12 @@ export async function channelsRemoveCommand(
       accountId: resolvedAccountId,
       enabled: false,
     });
+    await plugin.lifecycle?.onAccountConfigChanged?.({
+      prevCfg,
+      nextCfg: next,
+      accountId: resolvedAccountId,
+      runtime,
+    });
   }
 
   await writeConfigFile(next);
diff --git a/src/commands/channels/resolve.ts b/src/commands/channels/resolve.ts
index e9e0345871f..7a29b4993f5 100644
--- a/src/commands/channels/resolve.ts
+++ b/src/commands/channels/resolve.ts
@@ -75,7 +75,7 @@ export async function channelsResolveCommand(opts: ChannelsResolveOptions, runti
     config: loadedRaw,
     commandName: "channels resolve",
     targetIds: getChannelsCommandSecretTargetIds(),
-    mode: "operational_readonly",
+    mode: "read_only_operational",
   });
   for (const entry of diagnostics) {
     runtime.log(`[secrets] ${entry}`);
diff --git a/src/commands/channels/status.ts b/src/commands/channels/status.ts
index 3a56810e44c..2cbdaf17726 100644
--- a/src/commands/channels/status.ts
+++ b/src/commands/channels/status.ts
@@ -315,7 +315,7 @@ export async function channelsStatusCommand(
       config: cfg,
       commandName: "channels status",
       targetIds: getChannelsCommandSecretTargetIds(),
-      mode: "summary",
+      mode: "read_only_status",
     });
     for (const entry of diagnostics) {
       runtime.log(`[secrets] ${entry}`);
diff --git a/src/commands/configure.gateway-auth.prompt-auth-config.test.ts b/src/commands/configure.gateway-auth.prompt-auth-config.test.ts
index 0657a77b3e1..b6ba81a432e 100644
--- a/src/commands/configure.gateway-auth.prompt-auth-config.test.ts
+++ b/src/commands/configure.gateway-auth.prompt-auth-config.test.ts
@@ -8,6 +8,8 @@ const mocks = vi.hoisted(() => ({
   promptModelAllowlist: vi.fn(),
   promptDefaultModel: vi.fn(),
   promptCustomApiConfig: vi.fn(),
+  resolvePluginProviders: vi.fn(() => []),
+  resolveProviderPluginChoice: vi.fn<() => unknown>(() => null),
 }));
 
 vi.mock("../agents/auth-profiles.js", () => ({
@@ -39,6 +41,14 @@ vi.mock("./onboard-custom.js", () => ({
   promptCustomApiConfig: mocks.promptCustomApiConfig,
 }));
 
+vi.mock("../plugins/providers.js", () => ({
+  resolvePluginProviders: mocks.resolvePluginProviders,
+}));
+
+vi.mock("../plugins/provider-wizard.js", () => ({
+  resolveProviderPluginChoice: mocks.resolveProviderPluginChoice,
+}));
+
 import { promptAuthConfig } from "./configure.gateway-auth.js";
 
 function makeRuntime(): RuntimeEnv {
@@ -94,6 +104,8 @@ async function runPromptAuthConfigWithAllowlist(includeMinimaxProvider = false)
   mocks.promptModelAllowlist.mockResolvedValue({
     models: ["kilocode/kilo/auto"],
   });
+  mocks.resolvePluginProviders.mockReturnValue([]);
+  mocks.resolveProviderPluginChoice.mockReturnValue(null);
 
   return promptAuthConfig({}, makeRuntime(), noopPrompter);
 }
@@ -118,4 +130,31 @@ describe("promptAuthConfig", () => {
       "MiniMax-M2.5",
     ]);
   });
+
+  it("uses plugin-owned allowlist metadata for provider auth choices", async () => {
+    mocks.promptAuthChoiceGrouped.mockResolvedValue("token");
+    mocks.applyAuthChoice.mockResolvedValue({ config: {} });
+    mocks.promptModelAllowlist.mockResolvedValue({ models: undefined });
+    mocks.resolveProviderPluginChoice.mockReturnValue({
+      provider: { id: "anthropic", label: "Anthropic", auth: [] },
+      method: { id: "setup-token", label: "setup-token", kind: "token" },
+      wizard: {
+        modelAllowlist: {
+          allowedKeys: ["anthropic/claude-sonnet-4-6"],
+          initialSelections: ["anthropic/claude-sonnet-4-6"],
+          message: "Anthropic OAuth models",
+        },
+      },
+    });
+
+    await promptAuthConfig({}, makeRuntime(), noopPrompter);
+
+    expect(mocks.promptModelAllowlist).toHaveBeenCalledWith(
+      expect.objectContaining({
+        allowedKeys: ["anthropic/claude-sonnet-4-6"],
+        initialSelections: ["anthropic/claude-sonnet-4-6"],
+        message: "Anthropic OAuth models",
+      }),
+    );
+  });
 });
diff --git a/src/commands/configure.gateway-auth.ts b/src/commands/configure.gateway-auth.ts
index ca56ee25275..8963557e80a 100644
--- a/src/commands/configure.gateway-auth.ts
+++ b/src/commands/configure.gateway-auth.ts
@@ -2,6 +2,8 @@ import { ensureAuthProfileStore } from "../agents/auth-profiles.js";
 import { resolveDefaultAgentWorkspaceDir } from "../agents/workspace.js";
 import type { OpenClawConfig, GatewayAuthConfig } from "../config/config.js";
 import { isSecretRef, type SecretInput } from "../config/types.secrets.js";
+import { resolveProviderPluginChoice } from "../plugins/provider-wizard.js";
+import { resolvePluginProviders } from "../plugins/providers.js";
 import type { RuntimeEnv } from "../runtime.js";
 import type { WizardPrompter } from "../wizard/prompts.js";
 import { promptAuthChoiceGrouped } from "./auth-choice-prompt.js";
@@ -30,13 +32,30 @@ function sanitizeTokenValue(value: unknown): string | undefined {
   return trimmed;
 }
 
-const ANTHROPIC_OAUTH_MODEL_KEYS = [
-  "anthropic/claude-sonnet-4-6",
-  "anthropic/claude-opus-4-6",
-  "anthropic/claude-opus-4-5",
-  "anthropic/claude-sonnet-4-5",
-  "anthropic/claude-haiku-4-5",
-];
+function resolveProviderChoiceModelAllowlist(params: {
+  authChoice: string;
+  config: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}):
+  | {
+      allowedKeys?: string[];
+      initialSelections?: string[];
+      message?: string;
+    }
+  | undefined {
+  const providers = resolvePluginProviders({
+    config: params.config,
+    workspaceDir: params.workspaceDir,
+    env: params.env,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
+  });
+  return resolveProviderPluginChoice({
+    providers,
+    choice: params.authChoice,
+  })?.wizard?.modelAllowlist;
+}
 
 export function buildGatewayAuthConfig(params: {
   existing?: GatewayAuthConfig;
@@ -125,16 +144,19 @@ export async function promptAuthConfig(
     }
   }
 
-  const anthropicOAuth =
-    authChoice === "setup-token" || authChoice === "token" || authChoice === "oauth";
-
   if (authChoice !== "custom-api-key") {
+    const modelAllowlist = resolveProviderChoiceModelAllowlist({
+      authChoice,
+      config: next,
+      workspaceDir: resolveDefaultAgentWorkspaceDir(),
+      env: process.env,
+    });
     const allowlistSelection = await promptModelAllowlist({
       config: next,
       prompter,
-      allowedKeys: anthropicOAuth ? ANTHROPIC_OAUTH_MODEL_KEYS : undefined,
-      initialSelections: anthropicOAuth ? ["anthropic/claude-sonnet-4-6"] : undefined,
-      message: anthropicOAuth ? "Anthropic OAuth models" : undefined,
+      allowedKeys: modelAllowlist?.allowedKeys,
+      initialSelections: modelAllowlist?.initialSelections,
+      message: modelAllowlist?.message,
     });
     if (allowlistSelection.models) {
       next = applyModelAllowlist(next, allowlistSelection.models);
diff --git a/src/commands/configure.wizard.ts b/src/commands/configure.wizard.ts
index 80af67043ab..78cd0716376 100644
--- a/src/commands/configure.wizard.ts
+++ b/src/commands/configure.wizard.ts
@@ -10,8 +10,8 @@ import { defaultRuntime } from "../runtime.js";
 import { note } from "../terminal/note.js";
 import { resolveUserPath } from "../utils.js";
 import { createClackPrompter } from "../wizard/clack-prompter.js";
-import { resolveOnboardingSecretInputString } from "../wizard/onboarding.secret-input.js";
 import { WizardCancelledError } from "../wizard/prompts.js";
+import { resolveSetupSecretInputString } from "../wizard/setup.secret-input.js";
 import { removeChannelConfigWizard } from "./configure.channels.js";
 import { maybeInstallDaemon } from "./configure.daemon.js";
 import { promptAuthConfig } from "./configure.gateway-auth.js";
@@ -54,7 +54,7 @@ async function resolveGatewaySecretInputForWizard(params: {
   path: string;
 }): Promise<string | undefined> {
   try {
-    return await resolveOnboardingSecretInputString({
+    return await resolveSetupSecretInputString({
       config: params.cfg,
       value: params.value,
       path: params.path,
@@ -174,6 +174,10 @@ async function promptWebToolsConfig(
     hasKeyInEnv,
   } = await import("./onboard-search.js");
   type SP = (typeof SEARCH_PROVIDER_OPTIONS)[number]["value"];
+  const defaultProvider = SEARCH_PROVIDER_OPTIONS[0]?.value;
+  if (!defaultProvider) {
+    throw new Error("No web search providers are registered.");
+  }
 
   const hasKeyForProvider = (provider: string): boolean => {
     const entry = SEARCH_PROVIDER_OPTIONS.find((e) => e.value === provider);
@@ -183,14 +187,13 @@ async function promptWebToolsConfig(
     return hasExistingKey(nextConfig, provider as SP) || hasKeyInEnv(entry);
   };
 
-  const existingProvider: string = (() => {
+  const existingProvider: SP = (() => {
     const stored = existingSearch?.provider;
     if (stored && SEARCH_PROVIDER_OPTIONS.some((e) => e.value === stored)) {
-      return stored;
+      return stored as SP;
     }
     return (
-      SEARCH_PROVIDER_OPTIONS.find((e) => hasKeyForProvider(e.value))?.value ??
-      SEARCH_PROVIDER_OPTIONS[0].value
+      SEARCH_PROVIDER_OPTIONS.find((e) => hasKeyForProvider(e.value))?.value ?? defaultProvider
     );
   })();
 
diff --git a/src/commands/doctor-auth.ts b/src/commands/doctor-auth.ts
index 56ba510f41d..1f46ef28ba1 100644
--- a/src/commands/doctor-auth.ts
+++ b/src/commands/doctor-auth.ts
@@ -15,8 +15,13 @@ import {
 import { updateAuthProfileStoreWithLock } from "../agents/auth-profiles/store.js";
 import { formatCliCommand } from "../cli/command-format.js";
 import type { OpenClawConfig } from "../config/config.js";
+import { resolvePluginProviders } from "../plugins/providers.js";
 import { note } from "../terminal/note.js";
 import type { DoctorPrompter } from "./doctor-prompter.js";
+import {
+  buildProviderAuthRecoveryHint,
+  resolveProviderAuthLoginCommand,
+} from "./provider-auth-guidance.js";
 
 export async function maybeRepairAnthropicOAuthProfileId(
   cfg: OpenClawConfig,
@@ -115,30 +120,36 @@ export async function maybeRemoveDeprecatedCliAuthProfiles(
   prompter: DoctorPrompter,
 ): Promise<OpenClawConfig> {
   const store = ensureAuthProfileStore(undefined, { allowKeychainPrompt: false });
-  const deprecated = new Set<string>();
-  if (store.profiles[CLAUDE_CLI_PROFILE_ID] || cfg.auth?.profiles?.[CLAUDE_CLI_PROFILE_ID]) {
-    deprecated.add(CLAUDE_CLI_PROFILE_ID);
-  }
-  if (store.profiles[CODEX_CLI_PROFILE_ID] || cfg.auth?.profiles?.[CODEX_CLI_PROFILE_ID]) {
-    deprecated.add(CODEX_CLI_PROFILE_ID);
-  }
+  const providers = resolvePluginProviders({
+    config: cfg,
+    env: process.env,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
+  });
+  const deprecatedEntries = providers.flatMap((provider) =>
+    (provider.deprecatedProfileIds ?? [])
+      .filter((profileId) => store.profiles[profileId] || cfg.auth?.profiles?.[profileId])
+      .map((profileId) => ({
+        profileId,
+        providerId: provider.id,
+        providerLabel: provider.label,
+      })),
+  );
+  const deprecated = new Set(deprecatedEntries.map((entry) => entry.profileId));
 
   if (deprecated.size === 0) {
     return cfg;
   }
 
   const lines = ["Deprecated external CLI auth profiles detected (no longer supported):"];
-  if (deprecated.has(CLAUDE_CLI_PROFILE_ID)) {
-    lines.push(
-      `- ${CLAUDE_CLI_PROFILE_ID} (Anthropic): use setup-token → ${formatCliCommand("openclaw models auth setup-token")}`,
-    );
-  }
-  if (deprecated.has(CODEX_CLI_PROFILE_ID)) {
-    lines.push(
-      `- ${CODEX_CLI_PROFILE_ID} (OpenAI Codex): use OAuth → ${formatCliCommand(
-        "openclaw models auth login --provider openai-codex",
-      )}`,
-    );
+  for (const entry of deprecatedEntries) {
+    const authCommand =
+      resolveProviderAuthLoginCommand({
+        provider: entry.providerId,
+        config: cfg,
+        env: process.env,
+      }) ?? formatCliCommand("openclaw configure");
+    lines.push(`- ${entry.profileId} (${entry.providerLabel}): use ${authCommand}`);
   }
   note(lines.join("\n"), "Auth profiles");
 
@@ -228,16 +239,18 @@ function formatAuthIssueHint(issue: AuthIssue): string | null {
     return "Invalid token expires metadata. Set a future Unix ms timestamp or remove expires.";
   }
   if (issue.provider === "anthropic" && issue.profileId === CLAUDE_CLI_PROFILE_ID) {
-    return `Deprecated profile. Use ${formatCliCommand("openclaw models auth setup-token")} or ${formatCliCommand(
-      "openclaw configure",
-    )}.`;
+    return `Deprecated profile. ${buildProviderAuthRecoveryHint({
+      provider: "anthropic",
+    })}`;
   }
   if (issue.provider === "openai-codex" && issue.profileId === CODEX_CLI_PROFILE_ID) {
-    return `Deprecated profile. Use ${formatCliCommand(
-      "openclaw models auth login --provider openai-codex",
-    )} or ${formatCliCommand("openclaw configure")}.`;
+    return `Deprecated profile. ${buildProviderAuthRecoveryHint({
+      provider: "openai-codex",
+    })}`;
   }
-  return `Re-auth via \`${formatCliCommand("openclaw configure")}\` or \`${formatCliCommand("openclaw onboard")}\`.`;
+  return buildProviderAuthRecoveryHint({
+    provider: issue.provider,
+  }).replace(/^Run /, "Re-auth via ");
 }
 
 function formatAuthIssueLine(issue: AuthIssue): string {
diff --git a/src/commands/doctor-browser.test.ts b/src/commands/doctor-browser.test.ts
new file mode 100644
index 00000000000..da59fe5ed9a
--- /dev/null
+++ b/src/commands/doctor-browser.test.ts
@@ -0,0 +1,96 @@
+import { describe, expect, it, vi } from "vitest";
+import { noteChromeMcpBrowserReadiness } from "./doctor-browser.js";
+
+describe("doctor browser readiness", () => {
+  it("does nothing when Chrome MCP is not configured", async () => {
+    const noteFn = vi.fn();
+    await noteChromeMcpBrowserReadiness(
+      {
+        browser: {
+          profiles: {
+            openclaw: { color: "#FF4500" },
+          },
+        },
+      },
+      {
+        noteFn,
+      },
+    );
+    expect(noteFn).not.toHaveBeenCalled();
+  });
+
+  it("warns when Chrome MCP is configured but Chrome is missing", async () => {
+    const noteFn = vi.fn();
+    await noteChromeMcpBrowserReadiness(
+      {
+        browser: {
+          defaultProfile: "user",
+        },
+      },
+      {
+        noteFn,
+        platform: "darwin",
+        resolveChromeExecutable: () => null,
+      },
+    );
+
+    expect(noteFn).toHaveBeenCalledTimes(1);
+    expect(String(noteFn.mock.calls[0]?.[0])).toContain("Google Chrome was not found");
+    expect(String(noteFn.mock.calls[0]?.[0])).toContain("chrome://inspect/#remote-debugging");
+  });
+
+  it("warns when detected Chrome is too old for Chrome MCP", async () => {
+    const noteFn = vi.fn();
+    await noteChromeMcpBrowserReadiness(
+      {
+        browser: {
+          profiles: {
+            chromeLive: {
+              driver: "existing-session",
+              color: "#00AA00",
+            },
+          },
+        },
+      },
+      {
+        noteFn,
+        platform: "linux",
+        resolveChromeExecutable: () => ({ path: "/usr/bin/google-chrome" }),
+        readVersion: () => "Google Chrome 143.0.7499.4",
+      },
+    );
+
+    expect(noteFn).toHaveBeenCalledTimes(1);
+    expect(String(noteFn.mock.calls[0]?.[0])).toContain("too old");
+    expect(String(noteFn.mock.calls[0]?.[0])).toContain("Chrome 144+");
+  });
+
+  it("reports the detected Chrome version for existing-session profiles", async () => {
+    const noteFn = vi.fn();
+    await noteChromeMcpBrowserReadiness(
+      {
+        browser: {
+          profiles: {
+            chromeLive: {
+              driver: "existing-session",
+              color: "#00AA00",
+            },
+          },
+        },
+      },
+      {
+        noteFn,
+        platform: "win32",
+        resolveChromeExecutable: () => ({
+          path: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
+        }),
+        readVersion: () => "Google Chrome 144.0.7534.0",
+      },
+    );
+
+    expect(noteFn).toHaveBeenCalledTimes(1);
+    expect(String(noteFn.mock.calls[0]?.[0])).toContain(
+      "Detected Chrome Google Chrome 144.0.7534.0",
+    );
+  });
+});
diff --git a/src/commands/doctor-browser.ts b/src/commands/doctor-browser.ts
new file mode 100644
index 00000000000..482e370b052
--- /dev/null
+++ b/src/commands/doctor-browser.ts
@@ -0,0 +1,108 @@
+import {
+  parseBrowserMajorVersion,
+  readBrowserVersion,
+  resolveGoogleChromeExecutableForPlatform,
+} from "../browser/chrome.executables.js";
+import type { OpenClawConfig } from "../config/config.js";
+import { note } from "../terminal/note.js";
+
+const CHROME_MCP_MIN_MAJOR = 144;
+
+function asRecord(value: unknown): Record<string, unknown> | null {
+  return value && typeof value === "object" && !Array.isArray(value)
+    ? (value as Record<string, unknown>)
+    : null;
+}
+
+function collectChromeMcpProfileNames(cfg: OpenClawConfig): string[] {
+  const browser = asRecord(cfg.browser);
+  if (!browser) {
+    return [];
+  }
+
+  const names = new Set<string>();
+  const defaultProfile =
+    typeof browser.defaultProfile === "string" ? browser.defaultProfile.trim() : "";
+  if (defaultProfile === "user") {
+    names.add("user");
+  }
+
+  const profiles = asRecord(browser.profiles);
+  if (!profiles) {
+    return [...names];
+  }
+
+  for (const [profileName, rawProfile] of Object.entries(profiles)) {
+    const profile = asRecord(rawProfile);
+    const driver = typeof profile?.driver === "string" ? profile.driver.trim() : "";
+    if (driver === "existing-session") {
+      names.add(profileName);
+    }
+  }
+
+  return [...names].toSorted((a, b) => a.localeCompare(b));
+}
+
+export async function noteChromeMcpBrowserReadiness(
+  cfg: OpenClawConfig,
+  deps?: {
+    platform?: NodeJS.Platform;
+    noteFn?: typeof note;
+    resolveChromeExecutable?: (platform: NodeJS.Platform) => { path: string } | null;
+    readVersion?: (executablePath: string) => string | null;
+  },
+) {
+  const profiles = collectChromeMcpProfileNames(cfg);
+  if (profiles.length === 0) {
+    return;
+  }
+
+  const noteFn = deps?.noteFn ?? note;
+  const platform = deps?.platform ?? process.platform;
+  const resolveChromeExecutable =
+    deps?.resolveChromeExecutable ?? resolveGoogleChromeExecutableForPlatform;
+  const readVersion = deps?.readVersion ?? readBrowserVersion;
+  const chrome = resolveChromeExecutable(platform);
+  const profileLabel = profiles.join(", ");
+
+  if (!chrome) {
+    noteFn(
+      [
+        `- Chrome MCP existing-session is configured for profile(s): ${profileLabel}.`,
+        "- Google Chrome was not found on this host. OpenClaw does not bundle Chrome.",
+        `- Install Google Chrome ${CHROME_MCP_MIN_MAJOR}+ on the same host as the Gateway or node.`,
+        "- In Chrome, enable remote debugging at chrome://inspect/#remote-debugging.",
+        "- Keep Chrome running and accept the attach consent prompt the first time OpenClaw connects.",
+        "- Docker, headless, and sandbox browser flows stay on raw CDP; this check only applies to host-local Chrome MCP attach.",
+      ].join("\n"),
+      "Browser",
+    );
+    return;
+  }
+
+  const versionRaw = readVersion(chrome.path);
+  const major = parseBrowserMajorVersion(versionRaw);
+  const lines = [
+    `- Chrome MCP existing-session is configured for profile(s): ${profileLabel}.`,
+    `- Chrome path: ${chrome.path}`,
+  ];
+
+  if (!versionRaw || major === null) {
+    lines.push(
+      `- Could not determine the installed Chrome version. Chrome MCP requires Google Chrome ${CHROME_MCP_MIN_MAJOR}+ on this host.`,
+    );
+  } else if (major < CHROME_MCP_MIN_MAJOR) {
+    lines.push(
+      `- Detected Chrome ${versionRaw}, which is too old for Chrome MCP existing-session attach. Upgrade to Chrome ${CHROME_MCP_MIN_MAJOR}+.`,
+    );
+  } else {
+    lines.push(`- Detected Chrome ${versionRaw}.`);
+  }
+
+  lines.push("- In Chrome, enable remote debugging at chrome://inspect/#remote-debugging.");
+  lines.push(
+    "- Keep Chrome running and accept the attach consent prompt the first time OpenClaw connects.",
+  );
+
+  noteFn(lines.join("\n"), "Browser");
+}
diff --git a/src/commands/doctor-completion.ts b/src/commands/doctor-completion.ts
index 1e38c7701c7..edb2d98fb38 100644
--- a/src/commands/doctor-completion.ts
+++ b/src/commands/doctor-completion.ts
@@ -163,7 +163,7 @@ export async function doctorShellCompletion(
 }
 
 /**
- * Ensure completion cache exists. Used during onboarding/update to fix
+ * Ensure completion cache exists. Used during setup/update to fix
  * cases where profile has completion but no cache.
  * This is a silent fix - no prompts.
  */
diff --git a/src/commands/doctor-config-analysis.ts b/src/commands/doctor-config-analysis.ts
index 994bac5f863..acc333b5cba 100644
--- a/src/commands/doctor-config-analysis.ts
+++ b/src/commands/doctor-config-analysis.ts
@@ -126,7 +126,7 @@ export function noteOpencodeProviderOverrides(cfg: OpenClawConfig): void {
   });
 
   lines.push(
-    "- Remove these entries to restore per-model API routing + costs (then re-run onboarding if needed).",
+    "- Remove these entries to restore per-model API routing + costs (then re-run setup if needed).",
   );
   note(lines.join("\n"), "OpenCode");
 }
diff --git a/src/commands/doctor-config-flow.test.ts b/src/commands/doctor-config-flow.test.ts
index 265c90197e2..a1b204b5990 100644
--- a/src/commands/doctor-config-flow.test.ts
+++ b/src/commands/doctor-config-flow.test.ts
@@ -179,6 +179,60 @@ describe("doctor config flow", () => {
     });
   });
 
+  it("migrates legacy browser extension profiles to existing-session on repair", async () => {
+    const result = await runDoctorConfigWithInput({
+      repair: true,
+      config: {
+        browser: {
+          relayBindHost: "0.0.0.0",
+          profiles: {
+            chromeLive: {
+              driver: "extension",
+              color: "#00AA00",
+            },
+          },
+        },
+      },
+      run: loadAndMaybeMigrateDoctorConfig,
+    });
+
+    const browser = (result.cfg as { browser?: Record<string, unknown> }).browser ?? {};
+    expect(browser.relayBindHost).toBeUndefined();
+    expect(
+      ((browser.profiles as Record<string, { driver?: string }>)?.chromeLive ?? {}).driver,
+    ).toBe("existing-session");
+  });
+
+  it("notes legacy browser extension migration changes", async () => {
+    const noteSpy = vi.spyOn(noteModule, "note").mockImplementation(() => {});
+    try {
+      await runDoctorConfigWithInput({
+        config: {
+          browser: {
+            relayBindHost: "127.0.0.1",
+            profiles: {
+              chromeLive: {
+                driver: "extension",
+                color: "#00AA00",
+              },
+            },
+          },
+        },
+        run: loadAndMaybeMigrateDoctorConfig,
+      });
+
+      const messages = noteSpy.mock.calls
+        .filter((call) => call[1] === "Doctor changes")
+        .map((call) => String(call[0]));
+      expect(
+        messages.some((line) => line.includes('browser.profiles.chromeLive.driver "extension"')),
+      ).toBe(true);
+      expect(messages.some((line) => line.includes("browser.relayBindHost"))).toBe(true);
+    } finally {
+      noteSpy.mockRestore();
+    }
+  });
+
   it("preserves discord streaming intent while stripping unsupported keys on repair", async () => {
     const result = await runDoctorConfigWithInput({
       repair: true,
diff --git a/src/commands/doctor-config-flow.ts b/src/commands/doctor-config-flow.ts
index f616bfaba55..0c52c9b582a 100644
--- a/src/commands/doctor-config-flow.ts
+++ b/src/commands/doctor-config-flow.ts
@@ -1,15 +1,5 @@
 import fs from "node:fs/promises";
 import path from "node:path";
-import { inspectTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
-import {
-  listTelegramAccountIds,
-  resolveTelegramAccount,
-} from "../../extensions/telegram/src/accounts.js";
-import {
-  isNumericTelegramUserId,
-  normalizeTelegramAllowFromEntry,
-} from "../../extensions/telegram/src/allow-from.js";
-import { fetchTelegramChatId } from "../../extensions/telegram/src/api-fetch.js";
 import { normalizeChatChannelId } from "../channels/registry.js";
 import { formatCliCommand } from "../cli/command-format.js";
 import { resolveCommandSecretRefsViaGateway } from "../cli/command-secret-gateway.js";
@@ -32,6 +22,14 @@ import {
   normalizeTrustedSafeBinDirs,
 } from "../infra/exec-safe-bin-trust.js";
 import { readChannelAllowFromStore } from "../pairing/pairing-store.js";
+import {
+  fetchTelegramChatId,
+  inspectTelegramAccount,
+  isNumericTelegramUserId,
+  listTelegramAccountIds,
+  normalizeTelegramAllowFromEntry,
+  resolveTelegramAccount,
+} from "../plugin-sdk-internal/telegram.js";
 import {
   formatChannelAccountsDefaultPath,
   formatSetExplicitDefaultInstruction,
@@ -330,7 +328,7 @@ async function maybeRepairTelegramAllowFromUsernames(cfg: OpenClawConfig): Promi
     config: cfg,
     commandName: "doctor --fix",
     targetIds: getChannelsCommandSecretTargetIds(),
-    mode: "summary",
+    mode: "read_only_status",
   });
   const hasConfiguredUnavailableToken = listTelegramAccountIds(cfg).some((accountId) => {
     const inspected = inspectTelegramAccount({ cfg, accountId });
@@ -352,7 +350,7 @@ async function maybeRepairTelegramAllowFromUsernames(cfg: OpenClawConfig): Promi
       changes: [
         hasConfiguredUnavailableToken
           ? `- Telegram allowFrom contains @username entries, but configured Telegram bot credentials are unavailable in this command path; cannot auto-resolve (start the gateway or make the secret source available, then rerun doctor --fix).`
-          : `- Telegram allowFrom contains @username entries, but no Telegram bot token is configured; cannot auto-resolve (run onboarding or replace with numeric sender IDs).`,
+          : `- Telegram allowFrom contains @username entries, but no Telegram bot token is configured; cannot auto-resolve (run setup or replace with numeric sender IDs).`,
       ],
     };
   }
diff --git a/src/commands/doctor-legacy-config.ts b/src/commands/doctor-legacy-config.ts
index 50c9f38eb40..2d6bfa83a11 100644
--- a/src/commands/doctor-legacy-config.ts
+++ b/src/commands/doctor-legacy-config.ts
@@ -291,6 +291,67 @@ export function normalizeCompatibilityConfigValues(cfg: OpenClawConfig): {
     }
   };
 
+  const normalizeLegacyBrowserProfiles = () => {
+    const rawBrowser = next.browser;
+    if (!isRecord(rawBrowser)) {
+      return;
+    }
+
+    const browser = structuredClone(rawBrowser);
+    let browserChanged = false;
+
+    if ("relayBindHost" in browser) {
+      delete browser.relayBindHost;
+      browserChanged = true;
+      changes.push(
+        "Removed browser.relayBindHost (legacy Chrome extension relay setting; host-local Chrome now uses Chrome MCP existing-session attach).",
+      );
+    }
+
+    const rawProfiles = browser.profiles;
+    if (!isRecord(rawProfiles)) {
+      if (!browserChanged) {
+        return;
+      }
+      next = { ...next, browser };
+      return;
+    }
+
+    const profiles = { ...rawProfiles };
+    let profilesChanged = false;
+    for (const [profileName, rawProfile] of Object.entries(rawProfiles)) {
+      if (!isRecord(rawProfile)) {
+        continue;
+      }
+      const rawDriver = typeof rawProfile.driver === "string" ? rawProfile.driver.trim() : "";
+      if (rawDriver !== "extension") {
+        continue;
+      }
+      profiles[profileName] = {
+        ...rawProfile,
+        driver: "existing-session",
+      };
+      profilesChanged = true;
+      changes.push(
+        `Moved browser.profiles.${profileName}.driver "extension" → "existing-session" (Chrome MCP attach).`,
+      );
+    }
+
+    if (profilesChanged) {
+      browser.profiles = profiles;
+      browserChanged = true;
+    }
+
+    if (!browserChanged) {
+      return;
+    }
+
+    next = {
+      ...next,
+      browser,
+    };
+  };
+
   const seedMissingDefaultAccountsFromSingleAccountBase = () => {
     const channels = next.channels as Record<string, unknown> | undefined;
     if (!channels) {
@@ -365,6 +426,7 @@ export function normalizeCompatibilityConfigValues(cfg: OpenClawConfig): {
   normalizeProvider("slack");
   normalizeProvider("discord");
   seedMissingDefaultAccountsFromSingleAccountBase();
+  normalizeLegacyBrowserProfiles();
 
   const normalizeBrowserSsrFPolicyAlias = () => {
     const rawBrowser = next.browser;
diff --git a/src/commands/doctor-sandbox.ts b/src/commands/doctor-sandbox.ts
index 90790e90737..2138c422fe2 100644
--- a/src/commands/doctor-sandbox.ts
+++ b/src/commands/doctor-sandbox.ts
@@ -94,6 +94,11 @@ function resolveSandboxDockerImage(cfg: OpenClawConfig): string {
   return image ? image : DEFAULT_SANDBOX_IMAGE;
 }
 
+function resolveSandboxBackend(cfg: OpenClawConfig): string {
+  const backend = cfg.agents?.defaults?.sandbox?.backend?.trim();
+  return backend || "docker";
+}
+
 function resolveSandboxBrowserImage(cfg: OpenClawConfig): string {
   const image = cfg.agents?.defaults?.sandbox?.browser?.image?.trim();
   return image ? image : DEFAULT_SANDBOX_BROWSER_IMAGE;
@@ -185,6 +190,16 @@ export async function maybeRepairSandboxImages(
   if (!sandbox || mode === "off") {
     return cfg;
   }
+  const backend = resolveSandboxBackend(cfg);
+  if (backend !== "docker") {
+    if (sandbox.browser?.enabled) {
+      note(
+        `Sandbox backend "${backend}" selected. Docker browser health checks are skipped; browser sandbox currently requires the docker backend.`,
+        "Sandbox",
+      );
+    }
+    return cfg;
+  }
 
   const dockerAvailable = await isDockerAvailable();
   if (!dockerAvailable) {
diff --git a/src/commands/doctor-security.test.ts b/src/commands/doctor-security.test.ts
index c91ed2087a4..ca2bfb2989c 100644
--- a/src/commands/doctor-security.test.ts
+++ b/src/commands/doctor-security.test.ts
@@ -173,6 +173,32 @@ describe("noteSecurityWarnings gateway exposure", () => {
     expect(message).toContain("direct/DM targets by default");
   });
 
+  it("degrades safely when channel account resolution fails in read-only security checks", async () => {
+    pluginRegistry.list = [
+      {
+        id: "whatsapp",
+        meta: { label: "WhatsApp" },
+        config: {
+          listAccountIds: () => ["default"],
+          resolveAccount: () => {
+            throw new Error("missing secret");
+          },
+          isEnabled: () => true,
+          isConfigured: () => true,
+        },
+        security: {
+          resolveDmPolicy: () => null,
+        },
+      },
+    ];
+
+    await noteSecurityWarnings({} as OpenClawConfig);
+    const message = lastMessage();
+    expect(message).toContain("[secrets]");
+    expect(message).toContain("failed to resolve account");
+    expect(message).toContain("Run: openclaw security audit --deep");
+  });
+
   it("skips heartbeat directPolicy warning when delivery is internal-only or explicit", async () => {
     const cfg = {
       agents: {
diff --git a/src/commands/doctor-security.ts b/src/commands/doctor-security.ts
index 5ba17c1c751..c489682f607 100644
--- a/src/commands/doctor-security.ts
+++ b/src/commands/doctor-security.ts
@@ -189,8 +189,14 @@ export async function noteSecurityWarnings(cfg: OpenClawConfig) {
     if (!plugin.security) {
       continue;
     }
-    const { defaultAccountId, account, enabled, configured } =
-      await resolveDefaultChannelAccountContext(plugin, cfg);
+    const { defaultAccountId, account, enabled, configured, diagnostics } =
+      await resolveDefaultChannelAccountContext(plugin, cfg, {
+        mode: "read_only",
+        commandName: "doctor",
+      });
+    for (const diagnostic of diagnostics) {
+      warnings.push(`- [secrets] ${diagnostic}`);
+    }
     if (!enabled) {
       continue;
     }
diff --git a/src/commands/doctor.fast-path-mocks.ts b/src/commands/doctor.fast-path-mocks.ts
index f05e3d929a7..f9d25da73d8 100644
--- a/src/commands/doctor.fast-path-mocks.ts
+++ b/src/commands/doctor.fast-path-mocks.ts
@@ -8,6 +8,10 @@ vi.mock("./doctor-bootstrap-size.js", () => ({
   noteBootstrapFileSize: vi.fn().mockResolvedValue(undefined),
 }));
 
+vi.mock("./doctor-browser.js", () => ({
+  noteChromeMcpBrowserReadiness: vi.fn().mockResolvedValue(undefined),
+}));
+
 vi.mock("./doctor-gateway-daemon-flow.js", () => ({
   maybeRepairGatewayDaemon: vi.fn().mockResolvedValue(undefined),
 }));
diff --git a/src/commands/doctor.ts b/src/commands/doctor.ts
index bdde2781ff9..3e4cbebe5d0 100644
--- a/src/commands/doctor.ts
+++ b/src/commands/doctor.ts
@@ -29,6 +29,7 @@ import {
   noteAuthProfileHealth,
 } from "./doctor-auth.js";
 import { noteBootstrapFileSize } from "./doctor-bootstrap-size.js";
+import { noteChromeMcpBrowserReadiness } from "./doctor-browser.js";
 import { doctorShellCompletion } from "./doctor-completion.js";
 import { loadAndMaybeMigrateDoctorConfig } from "./doctor-config-flow.js";
 import { maybeRepairLegacyCronStore } from "./doctor-cron.js";
@@ -236,6 +237,7 @@ export async function doctorCommand(
   await noteMacLaunchctlGatewayEnvOverrides(cfg);
 
   await noteSecurityWarnings(cfg);
+  await noteChromeMcpBrowserReadiness(cfg);
   await noteOpenAIOAuthTlsPrerequisites({
     cfg,
     deep: options.deep === true,
diff --git a/src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts b/src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts
index 68d865996d2..11a382db241 100644
--- a/src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts
+++ b/src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts
@@ -122,4 +122,52 @@ describe("doctor command", () => {
       "openclaw config set gateway.auth.mode password",
     );
   });
+
+  it("keeps doctor read-only when gateway token is SecretRef-managed but unresolved", async () => {
+    mockDoctorConfigSnapshot({
+      config: {
+        gateway: {
+          mode: "local",
+          auth: {
+            mode: "token",
+            token: {
+              source: "env",
+              provider: "default",
+              id: "OPENCLAW_GATEWAY_TOKEN",
+            },
+          },
+        },
+        secrets: {
+          providers: {
+            default: { source: "env" },
+          },
+        },
+      },
+    });
+
+    const previousToken = process.env.OPENCLAW_GATEWAY_TOKEN;
+    delete process.env.OPENCLAW_GATEWAY_TOKEN;
+    note.mockClear();
+    try {
+      await doctorCommand(createDoctorRuntime(), {
+        nonInteractive: true,
+        workspaceSuggestions: false,
+      });
+    } finally {
+      if (previousToken === undefined) {
+        delete process.env.OPENCLAW_GATEWAY_TOKEN;
+      } else {
+        process.env.OPENCLAW_GATEWAY_TOKEN = previousToken;
+      }
+    }
+
+    const gatewayAuthNote = note.mock.calls.find((call) => call[1] === "Gateway auth");
+    expect(gatewayAuthNote).toBeTruthy();
+    expect(String(gatewayAuthNote?.[0])).toContain(
+      "Gateway token is managed via SecretRef and is currently unavailable.",
+    );
+    expect(String(gatewayAuthNote?.[0])).toContain(
+      "Doctor will not overwrite gateway.auth.token with a plaintext value.",
+    );
+  });
 });
diff --git a/src/commands/gateway-status.test.ts b/src/commands/gateway-status.test.ts
index 452bcb3691b..46212816410 100644
--- a/src/commands/gateway-status.test.ts
+++ b/src/commands/gateway-status.test.ts
@@ -268,7 +268,7 @@ describe("gateway-status command", () => {
     expect(scopeLimitedWarning?.targetIds).toContain("localLoopback");
   });
 
-  it("surfaces unresolved SecretRef auth diagnostics in warnings", async () => {
+  it("suppresses unresolved SecretRef auth warnings when probe is reachable", async () => {
     const { runtime, runtimeLogs, runtimeErrors } = createRuntimeCapture();
     await withEnvAsync({ MISSING_GATEWAY_TOKEN: undefined }, async () => {
       mockLocalTokenEnvRefConfig();
@@ -276,6 +276,38 @@ describe("gateway-status command", () => {
       await runGatewayStatus(runtime, { timeout: "1000", json: true });
     });
 
+    expect(runtimeErrors).toHaveLength(0);
+    const parsed = JSON.parse(runtimeLogs.join("\n")) as {
+      warnings?: Array<{ code?: string; message?: string; targetIds?: string[] }>;
+    };
+    const unresolvedWarning = parsed.warnings?.find(
+      (warning) =>
+        warning.code === "auth_secretref_unresolved" &&
+        warning.message?.includes("gateway.auth.token SecretRef is unresolved"),
+    );
+    expect(unresolvedWarning).toBeUndefined();
+  });
+
+  it("surfaces unresolved SecretRef auth diagnostics when probe fails", async () => {
+    const { runtime, runtimeLogs, runtimeErrors } = createRuntimeCapture();
+    await withEnvAsync({ MISSING_GATEWAY_TOKEN: undefined }, async () => {
+      mockLocalTokenEnvRefConfig();
+      probeGateway.mockResolvedValueOnce({
+        ok: false,
+        url: "ws://127.0.0.1:18789",
+        connectLatencyMs: null,
+        error: "connection refused",
+        close: null,
+        health: null,
+        status: null,
+        presence: null,
+        configSnapshot: null,
+      });
+      await expect(runGatewayStatus(runtime, { timeout: "1000", json: true })).rejects.toThrow(
+        "__exit__:1",
+      );
+    });
+
     expect(runtimeErrors).toHaveLength(0);
     const parsed = JSON.parse(runtimeLogs.join("\n")) as {
       warnings?: Array<{ code?: string; message?: string; targetIds?: string[] }>;
diff --git a/src/commands/gateway-status.ts b/src/commands/gateway-status.ts
index be0b9abf69a..ecdeeaa9570 100644
--- a/src/commands/gateway-status.ts
+++ b/src/commands/gateway-status.ts
@@ -2,8 +2,6 @@ import { withProgress } from "../cli/progress.js";
 import { readBestEffortConfig, resolveGatewayPort } from "../config/config.js";
 import { probeGateway } from "../gateway/probe.js";
 import { discoverGatewayBeacons } from "../infra/bonjour-discovery.js";
-import { resolveSshConfig } from "../infra/ssh-config.js";
-import { parseSshTarget, startSshPortForward } from "../infra/ssh-tunnel.js";
 import { resolveWideAreaDiscoveryDomain } from "../infra/widearea-dns.js";
 import type { RuntimeEnv } from "../runtime.js";
 import { colorize, isRich, theme } from "../terminal/theme.js";
@@ -23,6 +21,19 @@ import {
   sanitizeSshTarget,
 } from "./gateway-status/helpers.js";
 
+let sshConfigModulePromise: Promise<typeof import("../infra/ssh-config.js")> | undefined;
+let sshTunnelModulePromise: Promise<typeof import("../infra/ssh-tunnel.js")> | undefined;
+
+function loadSshConfigModule() {
+  sshConfigModulePromise ??= import("../infra/ssh-config.js");
+  return sshConfigModulePromise;
+}
+
+function loadSshTunnelModule() {
+  sshTunnelModulePromise ??= import("../infra/ssh-tunnel.js");
+  return sshTunnelModulePromise;
+}
+
 export async function gatewayStatusCommand(
   opts: {
     url?: string;
@@ -87,6 +98,7 @@ export async function gatewayStatusCommand(
           return null;
         }
         try {
+          const { startSshPortForward } = await loadSshTunnelModule();
           const tunnel = await startSshPortForward({
             target: sshTarget,
             identity: sshIdentity ?? undefined,
@@ -119,11 +131,13 @@ export async function gatewayStatusCommand(
             const base = user ? `${user}@${host.trim()}` : host.trim();
             return sshPort !== 22 ? `${base}:${sshPort}` : base;
           })
-          .filter((candidate): candidate is string =>
-            Boolean(candidate && parseSshTarget(candidate)),
-          );
-        if (candidates.length > 0) {
-          sshTarget = candidates[0] ?? null;
+          .filter((candidate): candidate is string => Boolean(candidate));
+        const { parseSshTarget } = await loadSshTunnelModule();
+        const validCandidates = candidates.filter((candidate) =>
+          Boolean(parseSshTarget(candidate)),
+        );
+        if (validCandidates.length > 0) {
+          sshTarget = validCandidates[0] ?? null;
         }
       }
 
@@ -229,7 +243,7 @@ export async function gatewayStatusCommand(
     });
   }
   for (const result of probed) {
-    if (result.authDiagnostics.length === 0) {
+    if (result.authDiagnostics.length === 0 || isProbeReachable(result.probe)) {
       continue;
     }
     for (const diagnostic of result.authDiagnostics) {
@@ -420,6 +434,10 @@ async function resolveSshTarget(
   identity: string | null,
   overallTimeoutMs: number,
 ): Promise<{ target: string; identity?: string } | null> {
+  const [{ resolveSshConfig }, { parseSshTarget }] = await Promise.all([
+    loadSshConfigModule(),
+    loadSshTunnelModule(),
+  ]);
   const parsed = parseSshTarget(rawTarget);
   if (!parsed) {
     return null;
diff --git a/src/commands/health.ts b/src/commands/health.ts
index 56705c96270..301cb55282e 100644
--- a/src/commands/health.ts
+++ b/src/commands/health.ts
@@ -1,7 +1,8 @@
 import { resolveDefaultAgentId } from "../agents/agent-scope.js";
 import { resolveChannelDefaultAccountId } from "../channels/plugins/helpers.js";
 import { getChannelPlugin, listChannelPlugins } from "../channels/plugins/index.js";
-import type { ChannelAccountSnapshot } from "../channels/plugins/types.js";
+import type { ChannelAccountSnapshot, ChannelPlugin } from "../channels/plugins/types.js";
+import { inspectReadOnlyChannelAccount } from "../channels/read-only-account-inspect.js";
 import { withProgress } from "../cli/progress.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { loadConfig, readBestEffortConfig } from "../config/config.js";
@@ -13,7 +14,7 @@ import { formatErrorMessage } from "../infra/errors.js";
 import {
   type HeartbeatSummary,
   resolveHeartbeatSummaryForAgent,
-} from "../infra/heartbeat-runner.js";
+} from "../infra/heartbeat-summary.js";
 import { buildChannelAccountBindings, resolvePreferredAccountId } from "../routing/bindings.js";
 import { normalizeAgentId } from "../routing/session-key.js";
 import type { RuntimeEnv } from "../runtime.js";
@@ -161,17 +162,87 @@ const buildSessionSummary = (storePath: string) => {
   } satisfies HealthSummary["sessions"];
 };
 
-const isAccountEnabled = (account: unknown): boolean => {
-  if (!account || typeof account !== "object") {
-    return true;
-  }
-  const enabled = (account as { enabled?: boolean }).enabled;
-  return enabled !== false;
-};
-
 const asRecord = (value: unknown): Record<string, unknown> | null =>
   value && typeof value === "object" ? (value as Record<string, unknown>) : null;
 
+async function inspectHealthAccount(plugin: ChannelPlugin, cfg: OpenClawConfig, accountId: string) {
+  return (
+    plugin.config.inspectAccount?.(cfg, accountId) ??
+    (await inspectReadOnlyChannelAccount({
+      channelId: plugin.id,
+      cfg,
+      accountId,
+    }))
+  );
+}
+
+function readBooleanField(value: unknown, key: string): boolean | undefined {
+  const record = asRecord(value);
+  if (!record) {
+    return undefined;
+  }
+  return typeof record[key] === "boolean" ? record[key] : undefined;
+}
+
+async function resolveHealthAccountContext(params: {
+  plugin: ChannelPlugin;
+  cfg: OpenClawConfig;
+  accountId: string;
+}): Promise<{
+  account: unknown;
+  enabled: boolean;
+  configured: boolean;
+  diagnostics: string[];
+}> {
+  const diagnostics: string[] = [];
+  let account: unknown;
+  try {
+    account = params.plugin.config.resolveAccount(params.cfg, params.accountId);
+  } catch (error) {
+    diagnostics.push(
+      `${params.plugin.id}:${params.accountId}: failed to resolve account (${formatErrorMessage(error)}).`,
+    );
+    account = await inspectHealthAccount(params.plugin, params.cfg, params.accountId);
+  }
+
+  if (!account) {
+    return {
+      account: {},
+      enabled: false,
+      configured: false,
+      diagnostics,
+    };
+  }
+
+  const enabledFallback = readBooleanField(account, "enabled") ?? true;
+  let enabled = enabledFallback;
+  if (params.plugin.config.isEnabled) {
+    try {
+      enabled = params.plugin.config.isEnabled(account, params.cfg);
+    } catch (error) {
+      enabled = enabledFallback;
+      diagnostics.push(
+        `${params.plugin.id}:${params.accountId}: failed to evaluate enabled state (${formatErrorMessage(error)}).`,
+      );
+    }
+  }
+
+  const configuredFallback = readBooleanField(account, "configured") ?? true;
+  let configured = configuredFallback;
+  if (params.plugin.config.isConfigured) {
+    try {
+      configured = await params.plugin.config.isConfigured(account, params.cfg);
+    } catch (error) {
+      configured = configuredFallback;
+      diagnostics.push(
+        `${params.plugin.id}:${params.accountId}: failed to evaluate configured state (${formatErrorMessage(error)}).`,
+      );
+    }
+  }
+
+  return { account, enabled, configured, diagnostics };
+}
+
 const formatProbeLine = (probe: unknown, opts: { botUsernames?: string[] } = {}): string | null => {
   const record = asRecord(probe);
   if (!record) {
@@ -416,13 +487,14 @@ export async function getHealthSnapshot(params?: {
     const accountSummaries: Record<string, ChannelAccountHealthSummary> = {};
 
     for (const accountId of accountIdsToProbe) {
-      const account = plugin.config.resolveAccount(cfg, accountId);
-      const enabled = plugin.config.isEnabled
-        ? plugin.config.isEnabled(account, cfg)
-        : isAccountEnabled(account);
-      const configured = plugin.config.isConfigured
-        ? await plugin.config.isConfigured(account, cfg)
-        : true;
+      const { account, enabled, configured, diagnostics } = await resolveHealthAccountContext({
+        plugin,
+        cfg,
+        accountId,
+      });
+      if (diagnostics.length > 0) {
+        debugHealth("account.diagnostics", { channel: plugin.id, accountId, diagnostics });
+      }
 
       let probe: unknown;
       let lastProbeAt: number | null = null;
@@ -588,16 +660,20 @@ export async function healthCommand(
           `  ${plugin.id}: accounts=${accountIds.join(", ") || "(none)"} default=${defaultAccountId}`,
         );
         for (const accountId of accountIds) {
-          const account = plugin.config.resolveAccount(cfg, accountId);
+          const { account, configured, diagnostics } = await resolveHealthAccountContext({
+            plugin,
+            cfg,
+            accountId,
+          });
           const record = asRecord(account);
           const tokenSource =
             record && typeof record.tokenSource === "string" ? record.tokenSource : undefined;
-          const configured = plugin.config.isConfigured
-            ? await plugin.config.isConfigured(account, cfg)
-            : true;
           runtime.log(
             `    - ${accountId}: configured=${configured}${tokenSource ? ` tokenSource=${tokenSource}` : ""}`,
           );
+          for (const diagnostic of diagnostics) {
+            runtime.log(`      ! ${diagnostic}`);
+          }
         }
       }
       runtime.log(info("[debug] bindings map"));
@@ -691,13 +767,31 @@ export async function healthCommand(
         defaultAccountId,
         boundAccounts,
       });
-      const account = plugin.config.resolveAccount(cfg, accountId);
-      plugin.status.logSelfId({
-        account,
+      const accountContext = await resolveHealthAccountContext({
+        plugin,
         cfg,
-        runtime,
-        includeChannelPrefix: true,
+        accountId,
       });
+      if (!accountContext.enabled || !accountContext.configured) {
+        continue;
+      }
+      if (accountContext.diagnostics.length > 0) {
+        continue;
+      }
+      try {
+        plugin.status.logSelfId({
+          account: accountContext.account,
+          cfg,
+          runtime,
+          includeChannelPrefix: true,
+        });
+      } catch (error) {
+        debugHealth("logSelfId.failed", {
+          channel: plugin.id,
+          accountId,
+          error: formatErrorMessage(error),
+        });
+      }
     }
 
     if (resolvedAgents.length > 0) {
diff --git a/src/commands/model-picker.test.ts b/src/commands/model-picker.test.ts
index ce8c4bfb9f6..a4eb89e066c 100644
--- a/src/commands/model-picker.test.ts
+++ b/src/commands/model-picker.test.ts
@@ -6,7 +6,7 @@ import {
   promptDefaultModel,
   promptModelAllowlist,
 } from "./model-picker.js";
-import { makePrompter } from "./onboarding/__tests__/test-utils.js";
+import { makePrompter } from "./setup/__tests__/test-utils.js";
 
 const loadModelCatalog = vi.hoisted(() => vi.fn());
 vi.mock("../agents/model-catalog.js", () => ({
@@ -76,7 +76,7 @@ beforeEach(() => {
 });
 
 describe("promptDefaultModel", () => {
-  it("supports configuring vLLM during onboarding", async () => {
+  it("supports configuring vLLM during setup", async () => {
     loadModelCatalog.mockResolvedValue([
       {
         provider: "anthropic",
diff --git a/src/commands/model-picker.ts b/src/commands/model-picker.ts
index 64d9e533e1f..483997511cb 100644
--- a/src/commands/model-picker.ts
+++ b/src/commands/model-picker.ts
@@ -14,7 +14,6 @@ import { resolveAgentModelPrimaryValue } from "../config/model-input.js";
 import type { ProviderPlugin } from "../plugins/types.js";
 import type { WizardPrompter, WizardSelectOption } from "../wizard/prompts.js";
 import { formatTokenK } from "./models/shared.js";
-import { OPENAI_CODEX_DEFAULT_MODEL } from "./openai-codex-model-default.js";
 
 const KEEP_VALUE = "__keep__";
 const MANUAL_VALUE = "__manual__";
@@ -154,14 +153,6 @@ function addModelSelectOption(params: {
   params.seen.add(key);
 }
 
-function isAnthropicLegacyModel(entry: { provider: string; id: string }): boolean {
-  return (
-    entry.provider === "anthropic" &&
-    typeof entry.id === "string" &&
-    entry.id.toLowerCase().startsWith("claude-3")
-  );
-}
-
 async function promptManualModel(params: {
   prompter: WizardPrompter;
   allowBlank: boolean;
@@ -270,9 +261,6 @@ export async function promptDefaultModel(
       }
       return entry.provider === preferredProvider;
     });
-    if (preferredProvider === "anthropic") {
-      models = models.filter((entry) => !isAnthropicLegacyModel(entry));
-    }
   }
 
   const agentDir = params.agentDir;
@@ -459,7 +447,7 @@ export async function promptModelAllowlist(params: {
         params.message ??
         "Allowlist models (comma-separated provider/model; blank to keep current)",
       initialValue: existingKeys.join(", "),
-      placeholder: `${OPENAI_CODEX_DEFAULT_MODEL}, anthropic/claude-opus-4-6`,
+      placeholder: "provider/model, other-provider/model",
     });
     const parsed = String(raw ?? "")
       .split(",")
diff --git a/src/commands/models/auth.test.ts b/src/commands/models/auth.test.ts
index bf8195b5284..6bb052ba3d6 100644
--- a/src/commands/models/auth.test.ts
+++ b/src/commands/models/auth.test.ts
@@ -1,5 +1,6 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import type { OpenClawConfig } from "../../config/config.js";
+import type { ProviderPlugin } from "../../plugins/types.js";
 import type { RuntimeEnv } from "../../runtime.js";
 
 const mocks = vi.hoisted(() => ({
@@ -15,8 +16,6 @@ const mocks = vi.hoisted(() => ({
   upsertAuthProfile: vi.fn(),
   resolvePluginProviders: vi.fn(),
   createClackPrompter: vi.fn(),
-  loginOpenAICodexOAuth: vi.fn(),
-  writeOAuthCredentials: vi.fn(),
   loadValidConfigOrThrow: vi.fn(),
   updateConfig: vi.fn(),
   logConfigUpdated: vi.fn(),
@@ -59,18 +58,6 @@ vi.mock("../../wizard/clack-prompter.js", () => ({
   createClackPrompter: mocks.createClackPrompter,
 }));
 
-vi.mock("../openai-codex-oauth.js", () => ({
-  loginOpenAICodexOAuth: mocks.loginOpenAICodexOAuth,
-}));
-
-vi.mock("../onboard-auth.js", async (importActual) => {
-  const actual = await importActual<typeof import("../onboard-auth.js")>();
-  return {
-    ...actual,
-    writeOAuthCredentials: mocks.writeOAuthCredentials,
-  };
-});
-
 vi.mock("./shared.js", async (importActual) => {
   const actual = await importActual<typeof import("./shared.js")>();
   return {
@@ -88,7 +75,8 @@ vi.mock("../onboard-helpers.js", () => ({
   openUrl: mocks.openUrl,
 }));
 
-const { modelsAuthLoginCommand, modelsAuthPasteTokenCommand } = await import("./auth.js");
+const { modelsAuthLoginCommand, modelsAuthPasteTokenCommand, modelsAuthSetupTokenCommand } =
+  await import("./auth.js");
 
 function createRuntime(): RuntimeEnv {
   return {
@@ -116,10 +104,30 @@ function withInteractiveStdin() {
   };
 }
 
+function createProvider(params: {
+  id: string;
+  label?: string;
+  run: NonNullable<ProviderPlugin["auth"]>[number]["run"];
+}): ProviderPlugin {
+  return {
+    id: params.id,
+    label: params.label ?? params.id,
+    auth: [
+      {
+        id: "oauth",
+        label: "OAuth",
+        kind: "oauth",
+        run: params.run,
+      },
+    ],
+  };
+}
+
 describe("modelsAuthLoginCommand", () => {
   let restoreStdin: (() => void) | null = null;
   let currentConfig: OpenClawConfig;
   let lastUpdatedConfig: OpenClawConfig | null;
+  let runProviderAuth: ReturnType<typeof vi.fn>;
 
   beforeEach(() => {
     vi.clearAllMocks();
@@ -151,16 +159,29 @@ describe("modelsAuthLoginCommand", () => {
       note: vi.fn(async () => {}),
       select: vi.fn(),
     });
-    mocks.loginOpenAICodexOAuth.mockResolvedValue({
-      type: "oauth",
-      provider: "openai-codex",
-      access: "access-token",
-      refresh: "refresh-token",
-      expires: Date.now() + 60_000,
-      email: "user@example.com",
+    runProviderAuth = vi.fn().mockResolvedValue({
+      profiles: [
+        {
+          profileId: "openai-codex:user@example.com",
+          credential: {
+            type: "oauth",
+            provider: "openai-codex",
+            access: "access-token",
+            refresh: "refresh-token",
+            expires: Date.now() + 60_000,
+            email: "user@example.com",
+          },
+        },
+      ],
+      defaultModel: "openai-codex/gpt-5.4",
     });
-    mocks.writeOAuthCredentials.mockResolvedValue("openai-codex:user@example.com");
-    mocks.resolvePluginProviders.mockReturnValue([]);
+    mocks.resolvePluginProviders.mockReturnValue([
+      createProvider({
+        id: "openai-codex",
+        label: "OpenAI Codex",
+        run: runProviderAuth as ProviderPlugin["auth"][number]["run"],
+      }),
+    ]);
     mocks.loadAuthProfileStoreForRuntime.mockReturnValue({ profiles: {}, usageStats: {} });
     mocks.listProfilesForProvider.mockReturnValue([]);
     mocks.clearAuthProfileCooldown.mockResolvedValue(undefined);
@@ -171,19 +192,20 @@ describe("modelsAuthLoginCommand", () => {
     restoreStdin = null;
   });
 
-  it("supports built-in openai-codex login without provider plugins", async () => {
+  it("runs plugin-owned openai-codex login", async () => {
     const runtime = createRuntime();
 
     await modelsAuthLoginCommand({ provider: "openai-codex" }, runtime);
 
-    expect(mocks.loginOpenAICodexOAuth).toHaveBeenCalledOnce();
-    expect(mocks.writeOAuthCredentials).toHaveBeenCalledWith(
-      "openai-codex",
-      expect.any(Object),
-      "/tmp/openclaw/agents/main",
-      { syncSiblingAgents: true },
-    );
-    expect(mocks.resolvePluginProviders).not.toHaveBeenCalled();
+    expect(runProviderAuth).toHaveBeenCalledOnce();
+    expect(mocks.upsertAuthProfile).toHaveBeenCalledWith({
+      profileId: "openai-codex:user@example.com",
+      credential: expect.objectContaining({
+        type: "oauth",
+        provider: "openai-codex",
+      }),
+      agentDir: "/tmp/openclaw/agents/main",
+    });
     expect(lastUpdatedConfig?.auth?.profiles?.["openai-codex:user@example.com"]).toMatchObject({
       provider: "openai-codex",
       mode: "oauth",
@@ -236,7 +258,7 @@ describe("modelsAuthLoginCommand", () => {
     });
     // Verify clearing happens before login attempt
     const clearOrder = mocks.clearAuthProfileCooldown.mock.invocationCallOrder[0];
-    const loginOrder = mocks.loginOpenAICodexOAuth.mock.invocationCallOrder[0];
+    const loginOrder = runProviderAuth.mock.invocationCallOrder[0];
     expect(clearOrder).toBeLessThan(loginOrder);
   });
 
@@ -248,7 +270,7 @@ describe("modelsAuthLoginCommand", () => {
 
     await modelsAuthLoginCommand({ provider: "openai-codex" }, runtime);
 
-    expect(mocks.loginOpenAICodexOAuth).toHaveBeenCalledOnce();
+    expect(runProviderAuth).toHaveBeenCalledOnce();
   });
 
   it("loads lockout state from the agent-scoped store", async () => {
@@ -261,11 +283,11 @@ describe("modelsAuthLoginCommand", () => {
     expect(mocks.loadAuthProfileStoreForRuntime).toHaveBeenCalledWith("/tmp/openclaw/agents/main");
   });
 
-  it("keeps existing plugin error behavior for non built-in providers", async () => {
+  it("reports loaded plugin providers when requested provider is unavailable", async () => {
     const runtime = createRuntime();
 
     await expect(modelsAuthLoginCommand({ provider: "anthropic" }, runtime)).rejects.toThrow(
-      "No provider plugins found.",
+      'Unknown provider "anthropic". Loaded providers: openai-codex. Verify plugins via `openclaw plugins list --json`.',
     );
   });
 
@@ -292,4 +314,47 @@ describe("modelsAuthLoginCommand", () => {
       exitSpy.mockRestore();
     }
   });
+
+  it("runs token auth for any token-capable provider plugin", async () => {
+    const runtime = createRuntime();
+    const runTokenAuth = vi.fn().mockResolvedValue({
+      profiles: [
+        {
+          profileId: "moonshot:token",
+          credential: {
+            type: "token",
+            provider: "moonshot",
+            token: "moonshot-token",
+          },
+        },
+      ],
+    });
+    mocks.resolvePluginProviders.mockReturnValue([
+      {
+        id: "moonshot",
+        label: "Moonshot",
+        auth: [
+          {
+            id: "setup-token",
+            label: "setup-token",
+            kind: "token",
+            run: runTokenAuth,
+          },
+        ],
+      },
+    ]);
+
+    await modelsAuthSetupTokenCommand({ provider: "moonshot", yes: true }, runtime);
+
+    expect(runTokenAuth).toHaveBeenCalledOnce();
+    expect(mocks.upsertAuthProfile).toHaveBeenCalledWith({
+      profileId: "moonshot:token",
+      credential: {
+        type: "token",
+        provider: "moonshot",
+        token: "moonshot-token",
+      },
+      agentDir: "/tmp/openclaw/agents/main",
+    });
+  });
 });
diff --git a/src/commands/models/auth.ts b/src/commands/models/auth.ts
index c9b54b2f753..6001ede2ea4 100644
--- a/src/commands/models/auth.ts
+++ b/src/commands/models/auth.ts
@@ -21,22 +21,21 @@ import { normalizeProviderId } from "../../agents/model-selection.js";
 import { resolveDefaultAgentWorkspaceDir } from "../../agents/workspace.js";
 import { formatCliCommand } from "../../cli/command-format.js";
 import { parseDurationMs } from "../../cli/parse-duration.js";
+import type { OpenClawConfig } from "../../config/config.js";
 import { logConfigUpdated } from "../../config/logging.js";
 import { resolvePluginProviders } from "../../plugins/providers.js";
-import type { ProviderAuthResult, ProviderPlugin } from "../../plugins/types.js";
+import type {
+  ProviderAuthMethod,
+  ProviderAuthResult,
+  ProviderPlugin,
+} from "../../plugins/types.js";
 import type { RuntimeEnv } from "../../runtime.js";
 import { stylePromptHint, stylePromptMessage } from "../../terminal/prompt-style.js";
 import { createClackPrompter } from "../../wizard/clack-prompter.js";
-import { validateAnthropicSetupToken } from "../auth-token.js";
 import { isRemoteEnvironment } from "../oauth-env.js";
 import { createVpsAwareOAuthHandlers } from "../oauth-flow.js";
-import { applyAuthProfileConfig, writeOAuthCredentials } from "../onboard-auth.js";
+import { applyAuthProfileConfig } from "../onboard-auth.js";
 import { openUrl } from "../onboard-helpers.js";
-import {
-  applyOpenAICodexModelDefault,
-  OPENAI_CODEX_DEFAULT_MODEL,
-} from "../openai-codex-model-default.js";
-import { loginOpenAICodexOAuth } from "../openai-codex-oauth.js";
 import {
   applyDefaultModel,
   mergeConfigPatch,
@@ -78,40 +77,256 @@ const select = async <T>(params: Parameters<typeof clackSelect<T>>[0]) =>
     }),
   );
 
-type TokenProvider = "anthropic";
-
-function resolveTokenProvider(raw?: string): TokenProvider | "custom" | null {
-  const trimmed = raw?.trim();
-  if (!trimmed) {
-    return null;
-  }
-  const normalized = normalizeProviderId(trimmed);
-  if (normalized === "anthropic") {
-    return "anthropic";
-  }
-  return "custom";
-}
-
 function resolveDefaultTokenProfileId(provider: string): string {
   return `${normalizeProviderId(provider)}:manual`;
 }
 
+type ResolvedModelsAuthContext = {
+  config: OpenClawConfig;
+  agentDir: string;
+  workspaceDir: string;
+  providers: ProviderPlugin[];
+};
+
+function listProvidersWithAuthMethods(providers: ProviderPlugin[]): ProviderPlugin[] {
+  return providers.filter((provider) => provider.auth.length > 0);
+}
+
+function listTokenAuthMethods(provider: ProviderPlugin): ProviderAuthMethod[] {
+  return provider.auth.filter((method) => method.kind === "token");
+}
+
+function listProvidersWithTokenMethods(providers: ProviderPlugin[]): ProviderPlugin[] {
+  return providers.filter((provider) => listTokenAuthMethods(provider).length > 0);
+}
+
+async function resolveModelsAuthContext(): Promise<ResolvedModelsAuthContext> {
+  const config = await loadValidConfigOrThrow();
+  const defaultAgentId = resolveDefaultAgentId(config);
+  const agentDir = resolveAgentDir(config, defaultAgentId);
+  const workspaceDir =
+    resolveAgentWorkspaceDir(config, defaultAgentId) ?? resolveDefaultAgentWorkspaceDir();
+  const providers = resolvePluginProviders({
+    config,
+    workspaceDir,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
+  });
+  return { config, agentDir, workspaceDir, providers };
+}
+
+function resolveRequestedProviderOrThrow(
+  providers: ProviderPlugin[],
+  rawProvider?: string,
+): ProviderPlugin | null {
+  const requested = rawProvider?.trim();
+  if (!requested) {
+    return null;
+  }
+  const matched = resolveProviderMatch(providers, requested);
+  if (matched) {
+    return matched;
+  }
+  const available = providers
+    .map((provider) => provider.id)
+    .filter(Boolean)
+    .toSorted((a, b) => a.localeCompare(b));
+  const availableText = available.length > 0 ? available.join(", ") : "(none)";
+  throw new Error(
+    `Unknown provider "${requested}". Loaded providers: ${availableText}. Verify plugins via \`${formatCliCommand("openclaw plugins list --json")}\`.`,
+  );
+}
+
+function resolveTokenMethodOrThrow(
+  provider: ProviderPlugin,
+  rawMethod?: string,
+): ProviderAuthMethod | null {
+  const tokenMethods = listTokenAuthMethods(provider);
+  if (rawMethod?.trim()) {
+    const matched = pickAuthMethod(provider, rawMethod);
+    if (matched && matched.kind === "token") {
+      return matched;
+    }
+    const available = tokenMethods.map((method) => method.id).join(", ") || "(none)";
+    throw new Error(
+      `Unknown token auth method "${rawMethod}" for provider "${provider.id}". Available token methods: ${available}.`,
+    );
+  }
+  return null;
+}
+
+async function pickProviderAuthMethod(params: {
+  provider: ProviderPlugin;
+  requestedMethod?: string;
+  prompter: ReturnType<typeof createClackPrompter>;
+}) {
+  const requestedMethod = pickAuthMethod(params.provider, params.requestedMethod);
+  if (requestedMethod) {
+    return requestedMethod;
+  }
+  if (params.provider.auth.length === 1) {
+    return params.provider.auth[0] ?? null;
+  }
+  return await params.prompter
+    .select({
+      message: `Auth method for ${params.provider.label}`,
+      options: params.provider.auth.map((method) => ({
+        value: method.id,
+        label: method.label,
+        hint: method.hint,
+      })),
+    })
+    .then((id) => params.provider.auth.find((method) => method.id === String(id)) ?? null);
+}
+
+async function pickProviderTokenMethod(params: {
+  provider: ProviderPlugin;
+  requestedMethod?: string;
+  prompter: ReturnType<typeof createClackPrompter>;
+}) {
+  const explicitTokenMethod = resolveTokenMethodOrThrow(params.provider, params.requestedMethod);
+  if (explicitTokenMethod) {
+    return explicitTokenMethod;
+  }
+  const tokenMethods = listTokenAuthMethods(params.provider);
+  if (tokenMethods.length === 0) {
+    return null;
+  }
+  const setupTokenMethod = tokenMethods.find((method) => method.id === "setup-token");
+  if (setupTokenMethod) {
+    return setupTokenMethod;
+  }
+  if (tokenMethods.length === 1) {
+    return tokenMethods[0] ?? null;
+  }
+  return await params.prompter
+    .select({
+      message: `Token method for ${params.provider.label}`,
+      options: tokenMethods.map((method) => ({
+        value: method.id,
+        label: method.label,
+        hint: method.hint,
+      })),
+    })
+    .then((id) => tokenMethods.find((method) => method.id === String(id)) ?? null);
+}
+
+async function persistProviderAuthResult(params: {
+  result: ProviderAuthResult;
+  agentDir: string;
+  runtime: RuntimeEnv;
+  prompter: ReturnType<typeof createClackPrompter>;
+  setDefault?: boolean;
+}) {
+  for (const profile of params.result.profiles) {
+    upsertAuthProfile({
+      profileId: profile.profileId,
+      credential: profile.credential,
+      agentDir: params.agentDir,
+    });
+  }
+
+  await updateConfig((cfg) => {
+    let next = cfg;
+    if (params.result.configPatch) {
+      next = mergeConfigPatch(next, params.result.configPatch);
+    }
+    for (const profile of params.result.profiles) {
+      next = applyAuthProfileConfig(next, {
+        profileId: profile.profileId,
+        provider: profile.credential.provider,
+        mode: credentialMode(profile.credential),
+      });
+    }
+    if (params.setDefault && params.result.defaultModel) {
+      next = applyDefaultModel(next, params.result.defaultModel);
+    }
+    return next;
+  });
+
+  logConfigUpdated(params.runtime);
+  for (const profile of params.result.profiles) {
+    params.runtime.log(
+      `Auth profile: ${profile.profileId} (${profile.credential.provider}/${credentialMode(profile.credential)})`,
+    );
+  }
+  if (params.result.defaultModel) {
+    params.runtime.log(
+      params.setDefault
+        ? `Default model set to ${params.result.defaultModel}`
+        : `Default model available: ${params.result.defaultModel} (use --set-default to apply)`,
+    );
+  }
+  if (params.result.notes && params.result.notes.length > 0) {
+    await params.prompter.note(params.result.notes.join("\n"), "Provider notes");
+  }
+}
+
+async function runProviderAuthMethod(params: {
+  config: OpenClawConfig;
+  agentDir: string;
+  workspaceDir: string;
+  provider: ProviderPlugin;
+  method: ProviderAuthMethod;
+  runtime: RuntimeEnv;
+  prompter: ReturnType<typeof createClackPrompter>;
+  setDefault?: boolean;
+}) {
+  await clearStaleProfileLockouts(params.provider.id, params.agentDir);
+
+  const result = await params.method.run({
+    config: params.config,
+    agentDir: params.agentDir,
+    workspaceDir: params.workspaceDir,
+    prompter: params.prompter,
+    runtime: params.runtime,
+    allowSecretRefPrompt: false,
+    isRemote: isRemoteEnvironment(),
+    openUrl: async (url) => {
+      await openUrl(url);
+    },
+    oauth: {
+      createVpsAwareHandlers: (runtimeParams) => createVpsAwareOAuthHandlers(runtimeParams),
+    },
+  });
+
+  await persistProviderAuthResult({
+    result,
+    agentDir: params.agentDir,
+    runtime: params.runtime,
+    prompter: params.prompter,
+    setDefault: params.setDefault,
+  });
+}
+
 export async function modelsAuthSetupTokenCommand(
   opts: { provider?: string; yes?: boolean },
   runtime: RuntimeEnv,
 ) {
-  const provider = resolveTokenProvider(opts.provider ?? "anthropic");
-  if (provider !== "anthropic") {
-    throw new Error("Only --provider anthropic is supported for setup-token.");
-  }
-
   if (!process.stdin.isTTY) {
     throw new Error("setup-token requires an interactive TTY.");
   }
 
+  const { config, agentDir, workspaceDir, providers } = await resolveModelsAuthContext();
+  const tokenProviders = listProvidersWithTokenMethods(providers);
+  if (tokenProviders.length === 0) {
+    throw new Error(
+      `No provider token-auth plugins found. Install one via \`${formatCliCommand("openclaw plugins install")}\`.`,
+    );
+  }
+
+  const provider =
+    resolveRequestedProviderOrThrow(tokenProviders, opts.provider ?? "anthropic") ??
+    tokenProviders.find((candidate) => normalizeProviderId(candidate.id) === "anthropic") ??
+    tokenProviders[0] ??
+    null;
+  if (!provider) {
+    throw new Error("No token-capable provider is available.");
+  }
+
   if (!opts.yes) {
     const proceed = await confirm({
-      message: "Have you run `claude setup-token` and copied the token?",
+      message: `Continue with ${provider.label} token auth?`,
       initialValue: true,
     });
     if (!proceed) {
@@ -119,32 +334,21 @@ export async function modelsAuthSetupTokenCommand(
     }
   }
 
-  const tokenInput = await text({
-    message: "Paste Anthropic setup-token",
-    validate: (value) => validateAnthropicSetupToken(String(value ?? "")),
+  const prompter = createClackPrompter();
+  const method = await pickProviderTokenMethod({ provider, prompter });
+  if (!method) {
+    throw new Error(`Provider "${provider.id}" does not expose a token auth method.`);
+  }
+
+  await runProviderAuthMethod({
+    config,
+    agentDir,
+    workspaceDir,
+    provider,
+    method,
+    runtime,
+    prompter,
   });
-  const token = String(tokenInput ?? "").trim();
-  const profileId = resolveDefaultTokenProfileId(provider);
-
-  upsertAuthProfile({
-    profileId,
-    credential: {
-      type: "token",
-      provider,
-      token,
-    },
-  });
-
-  await updateConfig((cfg) =>
-    applyAuthProfileConfig(cfg, {
-      profileId,
-      provider,
-      mode: "token",
-    }),
-  );
-
-  logConfigUpdated(runtime);
-  runtime.log(`Auth profile: ${profileId} (${provider}/token)`);
 }
 
 export async function modelsAuthPasteTokenCommand(
@@ -190,10 +394,17 @@ export async function modelsAuthPasteTokenCommand(
 }
 
 export async function modelsAuthAddCommand(_opts: Record<string, never>, runtime: RuntimeEnv) {
+  const { config, agentDir, workspaceDir, providers } = await resolveModelsAuthContext();
+  const tokenProviders = listProvidersWithTokenMethods(providers);
+
   const provider = await select({
     message: "Token provider",
     options: [
-      { value: "anthropic", label: "anthropic" },
+      ...tokenProviders.map((providerPlugin) => ({
+        value: providerPlugin.id,
+        label: providerPlugin.id,
+        hint: providerPlugin.docsPath ? `Docs: ${providerPlugin.docsPath}` : undefined,
+      })),
       { value: "custom", label: "custom (type provider id)" },
     ],
   });
@@ -210,25 +421,41 @@ export async function modelsAuthAddCommand(_opts: Record<string, never>, runtime
         )
       : provider;
 
-  const method = (await select({
-    message: "Token method",
-    options: [
-      ...(providerId === "anthropic"
-        ? [
-            {
-              value: "setup-token",
-              label: "setup-token (claude)",
-              hint: "Paste a setup-token from `claude setup-token`",
-            },
-          ]
-        : []),
-      { value: "paste", label: "paste token" },
-    ],
-  })) as "setup-token" | "paste";
-
-  if (method === "setup-token") {
-    await modelsAuthSetupTokenCommand({ provider: providerId }, runtime);
-    return;
+  const providerPlugin =
+    provider === "custom" ? null : resolveRequestedProviderOrThrow(tokenProviders, providerId);
+  if (providerPlugin) {
+    const tokenMethods = listTokenAuthMethods(providerPlugin);
+    const methodId =
+      tokenMethods.length > 0
+        ? await select({
+            message: "Token method",
+            options: [
+              ...tokenMethods.map((method) => ({
+                value: method.id,
+                label: method.label,
+                hint: method.hint,
+              })),
+              { value: "paste", label: "paste token" },
+            ],
+          })
+        : "paste";
+    if (methodId !== "paste") {
+      const prompter = createClackPrompter();
+      const method = tokenMethods.find((candidate) => candidate.id === methodId);
+      if (!method) {
+        throw new Error(`Unknown token auth method "${String(methodId)}".`);
+      }
+      await runProviderAuthMethod({
+        config,
+        agentDir,
+        workspaceDir,
+        provider: providerPlugin,
+        method,
+        runtime,
+        prompter,
+      });
+      return;
+    }
   }
 
   const profileIdDefault = resolveDefaultTokenProfileId(providerId);
@@ -268,6 +495,7 @@ type LoginOptions = {
   provider?: string;
   method?: string;
   setDefault?: boolean;
+  yes?: boolean;
 };
 
 /**
@@ -292,22 +520,7 @@ export function resolveRequestedLoginProviderOrThrow(
   providers: ProviderPlugin[],
   rawProvider?: string,
 ): ProviderPlugin | null {
-  const requested = rawProvider?.trim();
-  if (!requested) {
-    return null;
-  }
-  const matched = resolveProviderMatch(providers, requested);
-  if (matched) {
-    return matched;
-  }
-  const available = providers
-    .map((provider) => provider.id)
-    .filter(Boolean)
-    .toSorted((a, b) => a.localeCompare(b));
-  const availableText = available.length > 0 ? available.join(", ") : "(none)";
-  throw new Error(
-    `Unknown provider "${requested}". Loaded providers: ${availableText}. Verify plugins via \`${formatCliCommand("openclaw plugins list --json")}\`.`,
-  );
+  return resolveRequestedProviderOrThrow(providers, rawProvider);
 }
 
 function credentialMode(credential: AuthProfileCredential): "api_key" | "oauth" | "token" {
@@ -320,177 +533,55 @@ function credentialMode(credential: AuthProfileCredential): "api_key" | "oauth"
   return "oauth";
 }
 
-async function runBuiltInOpenAICodexLogin(params: {
-  opts: LoginOptions;
-  runtime: RuntimeEnv;
-  prompter: ReturnType<typeof createClackPrompter>;
-  agentDir: string;
-}) {
-  const creds = await loginOpenAICodexOAuth({
-    prompter: params.prompter,
-    runtime: params.runtime,
-    isRemote: isRemoteEnvironment(),
-    openUrl: async (url) => {
-      await openUrl(url);
-    },
-    localBrowserMessage: "Complete sign-in in browser…",
-  });
-  if (!creds) {
-    throw new Error("OpenAI Codex OAuth did not return credentials.");
-  }
-
-  const profileId = await writeOAuthCredentials("openai-codex", creds, params.agentDir, {
-    syncSiblingAgents: true,
-  });
-  await updateConfig((cfg) => {
-    let next = applyAuthProfileConfig(cfg, {
-      profileId,
-      provider: "openai-codex",
-      mode: "oauth",
-    });
-    if (params.opts.setDefault) {
-      next = applyOpenAICodexModelDefault(next).next;
-    }
-    return next;
-  });
-
-  logConfigUpdated(params.runtime);
-  params.runtime.log(`Auth profile: ${profileId} (openai-codex/oauth)`);
-  if (params.opts.setDefault) {
-    params.runtime.log(`Default model set to ${OPENAI_CODEX_DEFAULT_MODEL}`);
-  } else {
-    params.runtime.log(
-      `Default model available: ${OPENAI_CODEX_DEFAULT_MODEL} (use --set-default to apply)`,
-    );
-  }
-}
-
 export async function modelsAuthLoginCommand(opts: LoginOptions, runtime: RuntimeEnv) {
   if (!process.stdin.isTTY) {
     throw new Error("models auth login requires an interactive TTY.");
   }
 
-  const config = await loadValidConfigOrThrow();
-  const defaultAgentId = resolveDefaultAgentId(config);
-  const agentDir = resolveAgentDir(config, defaultAgentId);
-  const workspaceDir =
-    resolveAgentWorkspaceDir(config, defaultAgentId) ?? resolveDefaultAgentWorkspaceDir();
-  const requestedProviderId = normalizeProviderId(String(opts.provider ?? ""));
+  const { config, agentDir, workspaceDir, providers } = await resolveModelsAuthContext();
   const prompter = createClackPrompter();
-
-  if (requestedProviderId === "openai-codex") {
-    await clearStaleProfileLockouts("openai-codex", agentDir);
-    await runBuiltInOpenAICodexLogin({
-      opts,
-      runtime,
-      prompter,
-      agentDir,
-    });
-    return;
-  }
-
-  const providers = resolvePluginProviders({ config, workspaceDir });
-  if (providers.length === 0) {
+  const authProviders = listProvidersWithAuthMethods(providers);
+  if (authProviders.length === 0) {
     throw new Error(
       `No provider plugins found. Install one via \`${formatCliCommand("openclaw plugins install")}\`.`,
     );
   }
 
-  const requestedProvider = resolveRequestedLoginProviderOrThrow(providers, opts.provider);
+  const requestedProvider = resolveRequestedLoginProviderOrThrow(authProviders, opts.provider);
   const selectedProvider =
     requestedProvider ??
     (await prompter
       .select({
         message: "Select a provider",
-        options: providers.map((provider) => ({
+        options: authProviders.map((provider) => ({
           value: provider.id,
           label: provider.label,
           hint: provider.docsPath ? `Docs: ${provider.docsPath}` : undefined,
         })),
       })
-      .then((id) => resolveProviderMatch(providers, String(id))));
+      .then((id) => resolveProviderMatch(authProviders, String(id))));
 
   if (!selectedProvider) {
     throw new Error("Unknown provider. Use --provider <id> to pick a provider plugin.");
   }
-
-  await clearStaleProfileLockouts(selectedProvider.id, agentDir);
-
-  const chosenMethod =
-    pickAuthMethod(selectedProvider, opts.method) ??
-    (selectedProvider.auth.length === 1
-      ? selectedProvider.auth[0]
-      : await prompter
-          .select({
-            message: `Auth method for ${selectedProvider.label}`,
-            options: selectedProvider.auth.map((method) => ({
-              value: method.id,
-              label: method.label,
-              hint: method.hint,
-            })),
-          })
-          .then((id) => selectedProvider.auth.find((method) => method.id === String(id))));
+  const chosenMethod = await pickProviderAuthMethod({
+    provider: selectedProvider,
+    requestedMethod: opts.method,
+    prompter,
+  });
 
   if (!chosenMethod) {
     throw new Error("Unknown auth method. Use --method <id> to select one.");
   }
 
-  const isRemote = isRemoteEnvironment();
-  const result: ProviderAuthResult = await chosenMethod.run({
+  await runProviderAuthMethod({
     config,
     agentDir,
     workspaceDir,
-    prompter,
+    provider: selectedProvider,
+    method: chosenMethod,
     runtime,
-    isRemote,
-    openUrl: async (url) => {
-      await openUrl(url);
-    },
-    oauth: {
-      createVpsAwareHandlers: (params) => createVpsAwareOAuthHandlers(params),
-    },
+    prompter,
+    setDefault: opts.setDefault,
   });
-
-  for (const profile of result.profiles) {
-    upsertAuthProfile({
-      profileId: profile.profileId,
-      credential: profile.credential,
-      agentDir,
-    });
-  }
-
-  await updateConfig((cfg) => {
-    let next = cfg;
-    if (result.configPatch) {
-      next = mergeConfigPatch(next, result.configPatch);
-    }
-    for (const profile of result.profiles) {
-      next = applyAuthProfileConfig(next, {
-        profileId: profile.profileId,
-        provider: profile.credential.provider,
-        mode: credentialMode(profile.credential),
-      });
-    }
-    if (opts.setDefault && result.defaultModel) {
-      next = applyDefaultModel(next, result.defaultModel);
-    }
-    return next;
-  });
-
-  logConfigUpdated(runtime);
-  for (const profile of result.profiles) {
-    runtime.log(
-      `Auth profile: ${profile.profileId} (${profile.credential.provider}/${credentialMode(profile.credential)})`,
-    );
-  }
-  if (result.defaultModel) {
-    runtime.log(
-      opts.setDefault
-        ? `Default model set to ${result.defaultModel}`
-        : `Default model available: ${result.defaultModel} (use --set-default to apply)`,
-    );
-  }
-  if (result.notes && result.notes.length > 0) {
-    await prompter.note(result.notes.join("\n"), "Provider notes");
-  }
 }
diff --git a/src/commands/models/list.status-command.ts b/src/commands/models/list.status-command.ts
index 156860bb960..e17fcd2cc4b 100644
--- a/src/commands/models/list.status-command.ts
+++ b/src/commands/models/list.status-command.ts
@@ -23,7 +23,6 @@ import {
   resolveDefaultModelForAgent,
   resolveModelRefFromString,
 } from "../../agents/model-selection.js";
-import { formatCliCommand } from "../../cli/command-format.js";
 import { withProgressTotals } from "../../cli/progress.js";
 import { createConfigIO } from "../../config/config.js";
 import {
@@ -41,6 +40,7 @@ import type { RuntimeEnv } from "../../runtime.js";
 import { getTerminalTableWidth, renderTable } from "../../terminal/table.js";
 import { colorize, theme } from "../../terminal/theme.js";
 import { shortenHomePath } from "../../utils.js";
+import { buildProviderAuthRecoveryHint } from "../provider-auth-guidance.js";
 import { resolveProviderAuthOverview } from "./list.auth-overview.js";
 import { isRich } from "./list.format.js";
 import {
@@ -536,10 +536,11 @@ export async function modelsStatusCommand(
     runtime.log("");
     runtime.log(colorize(rich, theme.heading, "Missing auth"));
     for (const provider of missingProvidersInUse) {
-      const hint =
-        provider === "anthropic"
-          ? `Run \`claude setup-token\`, then \`${formatCliCommand("openclaw models auth setup-token")}\` or \`${formatCliCommand("openclaw configure")}\`.`
-          : `Run \`${formatCliCommand("openclaw configure")}\` or set an API key env var.`;
+      const hint = buildProviderAuthRecoveryHint({
+        provider,
+        config: cfg,
+        includeEnvVar: true,
+      });
       runtime.log(`- ${theme.heading(provider)} ${hint}`);
     }
   }
diff --git a/src/commands/ollama-setup.ts b/src/commands/ollama-setup.ts
index 3308dfcf067..060724061bd 100644
--- a/src/commands/ollama-setup.ts
+++ b/src/commands/ollama-setup.ts
@@ -313,7 +313,7 @@ export async function promptAndConfigureOllama(params: {
         `Ollama could not be reached at ${baseUrl}.`,
         "Download it at https://ollama.com/download",
         "",
-        "Start Ollama and re-run onboarding.",
+        "Start Ollama and re-run setup.",
       ].join("\n"),
       "Ollama",
     );
@@ -486,7 +486,7 @@ export async function configureOllamaNonInteractive(params: {
       runtime.error(
         [
           `No Ollama models are available at ${baseUrl}.`,
-          "Pull a model first, then re-run onboarding.",
+          "Pull a model first, then re-run setup.",
         ].join("\n"),
       );
       runtime.exit(1);
diff --git a/src/commands/onboard-auth.config-core.ts b/src/commands/onboard-auth.config-core.ts
index 6fc132f57cb..0afd59c3910 100644
--- a/src/commands/onboard-auth.config-core.ts
+++ b/src/commands/onboard-auth.config-core.ts
@@ -338,7 +338,7 @@ export function applyVeniceProviderConfig(cfg: OpenClawConfig): OpenClawConfig {
 
 /**
  * Apply Venice provider configuration AND set Venice as the default model.
- * Use this when Venice is the primary provider choice during onboarding.
+ * Use this when Venice is the primary provider choice during setup.
  */
 export function applyVeniceConfig(cfg: OpenClawConfig): OpenClawConfig {
   const next = applyVeniceProviderConfig(cfg);
@@ -368,7 +368,7 @@ export function applyTogetherProviderConfig(cfg: OpenClawConfig): OpenClawConfig
 
 /**
  * Apply Together provider configuration AND set Together as the default model.
- * Use this when Together is the primary provider choice during onboarding.
+ * Use this when Together is the primary provider choice during setup.
  */
 export function applyTogetherConfig(cfg: OpenClawConfig): OpenClawConfig {
   const next = applyTogetherProviderConfig(cfg);
@@ -477,7 +477,7 @@ export function applyKilocodeProviderConfig(cfg: OpenClawConfig): OpenClawConfig
 
 /**
  * Apply Kilo Gateway provider configuration AND set Kilo Gateway as the default model.
- * Use this when Kilo Gateway is the primary provider choice during onboarding.
+ * Use this when Kilo Gateway is the primary provider choice during setup.
  */
 export function applyKilocodeConfig(cfg: OpenClawConfig): OpenClawConfig {
   const next = applyKilocodeProviderConfig(cfg);
diff --git a/src/commands/onboard-auth.credentials.ts b/src/commands/onboard-auth.credentials.ts
index 92e1170b010..2973667830b 100644
--- a/src/commands/onboard-auth.credentials.ts
+++ b/src/commands/onboard-auth.credentials.ts
@@ -74,7 +74,7 @@ function resolveApiKeySecretInput(
   return normalized;
 }
 
-function buildApiKeyCredential(
+export function buildApiKeyCredential(
   provider: string,
   input: SecretInput,
   metadata?: Record<string, string>,
@@ -197,7 +197,7 @@ export async function writeOAuthCredentials(
           agentDir: targetAgentDir,
         });
       } catch {
-        // Best-effort: sibling sync failure must not block primary onboarding.
+        // Best-effort: sibling sync failure must not block primary setup.
       }
     }
   }
diff --git a/src/commands/onboard-auth.test.ts b/src/commands/onboard-auth.test.ts
index 8742c2fe7fa..8c4b8e38bda 100644
--- a/src/commands/onboard-auth.test.ts
+++ b/src/commands/onboard-auth.test.ts
@@ -467,7 +467,7 @@ describe("applyZaiConfig", () => {
   it("adds zai provider with correct settings", () => {
     const cfg = applyZaiConfig({});
     expect(cfg.models?.providers?.zai).toMatchObject({
-      // Default: general (non-coding) endpoint. Coding Plan endpoint is detected during onboarding.
+      // Default: general (non-coding) endpoint. Coding Plan endpoint is detected during setup.
       baseUrl: ZAI_GLOBAL_BASE_URL,
       api: "openai-completions",
     });
diff --git a/src/commands/onboard-channels.e2e.test.ts b/src/commands/onboard-channels.e2e.test.ts
index 6c505c6d4e2..7d64a4d120f 100644
--- a/src/commands/onboard-channels.e2e.test.ts
+++ b/src/commands/onboard-channels.e2e.test.ts
@@ -5,20 +5,25 @@ import { createEmptyPluginRegistry } from "../plugins/registry.js";
 import { setActivePluginRegistry } from "../plugins/runtime.js";
 import type { WizardPrompter } from "../wizard/prompts.js";
 import {
-  patchChannelOnboardingAdapter,
+  ensureChannelSetupPluginInstalled,
+  loadChannelSetupPluginRegistrySnapshotForChannel,
+  reloadChannelSetupPluginRegistry,
+} from "./channel-setup/plugin-install.js";
+import {
+  patchChannelSetupWizardAdapter,
   setDefaultChannelPluginRegistryForTests,
 } from "./channel-test-helpers.js";
 import { setupChannels } from "./onboard-channels.js";
-import {
-  loadOnboardingPluginRegistrySnapshotForChannel,
-  reloadOnboardingPluginRegistry,
-} from "./onboarding/plugin-install.js";
 import { createExitThrowingRuntime, createWizardPrompter } from "./test-wizard-helpers.js";
 
 const catalogMocks = vi.hoisted(() => ({
   listChannelPluginCatalogEntries: vi.fn(),
 }));
 
+const manifestRegistryMocks = vi.hoisted(() => ({
+  loadPluginManifestRegistry: vi.fn(() => ({ plugins: [], diagnostics: [] })),
+}));
+
 function createPrompter(overrides: Partial<WizardPrompter>): WizardPrompter {
   return createWizardPrompter(
     {
@@ -91,8 +96,8 @@ function createTelegramCfg(botToken: string, enabled?: boolean): OpenClawConfig
   } as OpenClawConfig;
 }
 
-function patchTelegramAdapter(overrides: Parameters<typeof patchChannelOnboardingAdapter>[1]) {
-  return patchChannelOnboardingAdapter("telegram", {
+function patchTelegramAdapter(overrides: Parameters<typeof patchChannelSetupWizardAdapter>[1]) {
+  return patchChannelSetupWizardAdapter("telegram", {
     ...overrides,
     getStatus:
       overrides.getStatus ??
@@ -197,17 +202,29 @@ vi.mock("../channels/plugins/catalog.js", async (importOriginal) => {
   };
 });
 
+vi.mock("../plugins/manifest-registry.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("../plugins/manifest-registry.js")>();
+  return {
+    ...actual,
+    loadPluginManifestRegistry: manifestRegistryMocks.loadPluginManifestRegistry,
+  };
+});
+
 vi.mock("./onboard-helpers.js", () => ({
   detectBinary: vi.fn(async () => false),
 }));
 
-vi.mock("./onboarding/plugin-install.js", async (importOriginal) => {
+vi.mock("./channel-setup/plugin-install.js", async (importOriginal) => {
   const actual = await importOriginal();
   return {
     ...(actual as Record<string, unknown>),
-    // Allow tests to simulate an empty plugin registry during onboarding.
-    loadOnboardingPluginRegistrySnapshotForChannel: vi.fn(() => createEmptyPluginRegistry()),
-    reloadOnboardingPluginRegistry: vi.fn(() => {}),
+    ensureChannelSetupPluginInstalled: vi.fn(async ({ cfg }: { cfg: OpenClawConfig }) => ({
+      cfg,
+      installed: true,
+    })),
+    // Allow tests to simulate an empty plugin registry during setup.
+    loadChannelSetupPluginRegistrySnapshotForChannel: vi.fn(() => createEmptyPluginRegistry()),
+    reloadChannelSetupPluginRegistry: vi.fn(() => {}),
   };
 });
 
@@ -215,8 +232,18 @@ describe("setupChannels", () => {
   beforeEach(() => {
     setDefaultChannelPluginRegistryForTests();
     catalogMocks.listChannelPluginCatalogEntries.mockReset();
-    vi.mocked(loadOnboardingPluginRegistrySnapshotForChannel).mockClear();
-    vi.mocked(reloadOnboardingPluginRegistry).mockClear();
+    manifestRegistryMocks.loadPluginManifestRegistry.mockReset();
+    manifestRegistryMocks.loadPluginManifestRegistry.mockReturnValue({
+      plugins: [],
+      diagnostics: [],
+    });
+    vi.mocked(ensureChannelSetupPluginInstalled).mockClear();
+    vi.mocked(ensureChannelSetupPluginInstalled).mockImplementation(async ({ cfg }) => ({
+      cfg,
+      installed: true,
+    }));
+    vi.mocked(loadChannelSetupPluginRegistrySnapshotForChannel).mockClear();
+    vi.mocked(reloadChannelSetupPluginRegistry).mockClear();
   });
   it("QuickStart uses single-select (no multiselect) and doesn't prompt for Telegram token when WhatsApp is chosen", async () => {
     const select = vi.fn(async () => "whatsapp");
@@ -250,7 +277,7 @@ describe("setupChannels", () => {
     expect(multiselect).not.toHaveBeenCalled();
   });
 
-  it("continues Telegram onboarding even when plugin registry is empty (avoids 'plugin not available' block)", async () => {
+  it("continues Telegram setup when the plugin registry is empty", async () => {
     // Simulate missing registry entries (the scenario reported in #25545).
     setActivePluginRegistry(createEmptyPluginRegistry());
     // Avoid accidental env-token configuration changing the prompt path.
@@ -284,12 +311,8 @@ describe("setupChannels", () => {
       );
     });
     expect(sawHardStop).toBe(false);
-    expect(loadOnboardingPluginRegistrySnapshotForChannel).toHaveBeenCalledWith(
-      expect.objectContaining({
-        channel: "telegram",
-      }),
-    );
-    expect(reloadOnboardingPluginRegistry).not.toHaveBeenCalled();
+    expect(loadChannelSetupPluginRegistrySnapshotForChannel).not.toHaveBeenCalled();
+    expect(reloadChannelSetupPluginRegistry).not.toHaveBeenCalled();
   });
 
   it("shows explicit dmScope config command in channel primer", async () => {
@@ -333,7 +356,7 @@ describe("setupChannels", () => {
         },
       } satisfies ChannelPluginCatalogEntry,
     ]);
-    vi.mocked(loadOnboardingPluginRegistrySnapshotForChannel).mockImplementation(
+    vi.mocked(loadChannelSetupPluginRegistrySnapshotForChannel).mockImplementation(
       ({ channel }: { channel: string }) => {
         const registry = createEmptyPluginRegistry();
         if (channel === "msteams") {
@@ -395,7 +418,101 @@ describe("setupChannels", () => {
       prompter,
     );
 
-    expect(loadOnboardingPluginRegistrySnapshotForChannel).toHaveBeenCalledWith(
+    expect(loadChannelSetupPluginRegistrySnapshotForChannel).toHaveBeenCalledWith(
+      expect.objectContaining({
+        channel: "msteams",
+        pluginId: "@openclaw/msteams-plugin",
+      }),
+    );
+    expect(multiselect).not.toHaveBeenCalled();
+  });
+
+  it("treats installed external plugin channels as installed without reinstall prompts", async () => {
+    setActivePluginRegistry(createEmptyPluginRegistry());
+    catalogMocks.listChannelPluginCatalogEntries.mockReturnValue([
+      {
+        id: "msteams",
+        pluginId: "@openclaw/msteams-plugin",
+        meta: {
+          id: "msteams",
+          label: "Microsoft Teams",
+          selectionLabel: "Microsoft Teams",
+          docsPath: "/channels/msteams",
+          blurb: "teams channel",
+        },
+        install: {
+          npmSpec: "@openclaw/msteams",
+        },
+      } satisfies ChannelPluginCatalogEntry,
+    ]);
+    manifestRegistryMocks.loadPluginManifestRegistry.mockReturnValue({
+      plugins: [
+        {
+          id: "@openclaw/msteams-plugin",
+          channels: ["msteams"],
+        } as never,
+      ],
+      diagnostics: [],
+    });
+    vi.mocked(loadChannelSetupPluginRegistrySnapshotForChannel).mockImplementation(
+      ({ channel }: { channel: string }) => {
+        const registry = createEmptyPluginRegistry();
+        if (channel === "msteams") {
+          registry.channelSetups.push({
+            pluginId: "@openclaw/msteams-plugin",
+            source: "test",
+            plugin: {
+              id: "msteams",
+              meta: {
+                id: "msteams",
+                label: "Microsoft Teams",
+                selectionLabel: "Microsoft Teams",
+                docsPath: "/channels/msteams",
+                blurb: "teams channel",
+              },
+              capabilities: { chatTypes: ["direct"] },
+              config: {
+                listAccountIds: () => [],
+                resolveAccount: () => ({ accountId: "default" }),
+              },
+              setupWizard: {
+                channel: "msteams",
+                status: {
+                  configuredLabel: "configured",
+                  unconfiguredLabel: "installed",
+                  resolveConfigured: () => false,
+                  resolveStatusLines: async () => [],
+                  resolveSelectionHint: async () => "installed",
+                },
+                credentials: [],
+              },
+              outbound: { deliveryMode: "direct" },
+            },
+          } as never);
+        }
+        return registry;
+      },
+    );
+
+    let channelSelectionCount = 0;
+    const select = vi.fn(async ({ message }: { message: string }) => {
+      if (message === "Select a channel") {
+        channelSelectionCount += 1;
+        return channelSelectionCount === 1 ? "msteams" : "__done__";
+      }
+      return "__done__";
+    });
+    const { multiselect, text } = createUnexpectedPromptGuards();
+    const prompter = createPrompter({
+      select: select as unknown as WizardPrompter["select"],
+      multiselect,
+      text,
+    });
+
+    await runSetupChannels({} as OpenClawConfig, prompter);
+
+    expect(ensureChannelSetupPluginInstalled).not.toHaveBeenCalled();
+    expect(loadChannelSetupPluginRegistrySnapshotForChannel).toHaveBeenCalledWith(
       expect.objectContaining({
         channel: "msteams",
         pluginId: "@openclaw/msteams-plugin",
@@ -439,7 +556,7 @@ describe("setupChannels", () => {
         },
       }),
     );
-    vi.mocked(loadOnboardingPluginRegistrySnapshotForChannel).mockImplementation(
+    vi.mocked(loadChannelSetupPluginRegistrySnapshotForChannel).mockImplementation(
       ({ channel }: { channel: string }) => {
         const registry = createEmptyPluginRegistry();
         if (channel === "msteams") {
@@ -472,15 +589,17 @@ describe("setupChannels", () => {
                   )?.accounts?.[accountId] ?? { accountId },
                 setAccountEnabled,
               },
-              onboarding: {
-                getStatus: vi.fn(async ({ cfg }: { cfg: OpenClawConfig }) => ({
-                  channel: "msteams",
-                  configured: Boolean(
-                    (cfg.channels?.msteams as { tenantId?: string } | undefined)?.tenantId,
-                  ),
-                  statusLines: [],
-                  selectionHint: "configured",
-                })),
+              setupWizard: {
+                channel: "msteams",
+                status: {
+                  configuredLabel: "configured",
+                  unconfiguredLabel: "needs setup",
+                  resolveConfigured: ({ cfg }: { cfg: OpenClawConfig }) =>
+                    Boolean((cfg.channels?.msteams as { tenantId?: string } | undefined)?.tenantId),
+                  resolveStatusLines: async () => [],
+                  resolveSelectionHint: async () => "configured",
+                },
+                credentials: [],
               },
               outbound: { deliveryMode: "direct" },
             },
@@ -534,7 +653,7 @@ describe("setupChannels", () => {
       { allowDisable: true },
     );
 
-    expect(loadOnboardingPluginRegistrySnapshotForChannel).toHaveBeenCalledWith(
+    expect(loadChannelSetupPluginRegistrySnapshotForChannel).toHaveBeenCalledWith(
       expect.objectContaining({ channel: "msteams" }),
     );
     expect(setAccountEnabled).toHaveBeenCalledWith(
diff --git a/src/commands/onboard-channels.ts b/src/commands/onboard-channels.ts
index 4a313ebf913..569e4cd4a44 100644
--- a/src/commands/onboard-channels.ts
+++ b/src/commands/onboard-channels.ts
@@ -5,7 +5,7 @@ import {
   getChannelSetupPlugin,
   listChannelSetupPlugins,
 } from "../channels/plugins/setup-registry.js";
-import type { ChannelMeta, ChannelPlugin } from "../channels/plugins/types.js";
+import type { ChannelSetupPlugin } from "../channels/plugins/setup-wizard-types.js";
 import {
   formatChannelPrimerLine,
   formatChannelSelectionLine,
@@ -20,30 +20,29 @@ import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.j
 import type { RuntimeEnv } from "../runtime.js";
 import { formatDocsLink } from "../terminal/links.js";
 import type { WizardPrompter, WizardSelectOption } from "../wizard/prompts.js";
-import type { ChannelChoice } from "./onboard-types.js";
+import { resolveChannelSetupEntries } from "./channel-setup/discovery.js";
 import {
-  ensureOnboardingPluginInstalled,
-  loadOnboardingPluginRegistrySnapshotForChannel,
-} from "./onboarding/plugin-install.js";
-import {
-  getChannelOnboardingAdapter,
-  listChannelOnboardingAdapters,
-} from "./onboarding/registry.js";
+  ensureChannelSetupPluginInstalled,
+  loadChannelSetupPluginRegistrySnapshotForChannel,
+} from "./channel-setup/plugin-install.js";
+import { resolveChannelSetupWizardAdapterForPlugin } from "./channel-setup/registry.js";
 import type {
-  ChannelOnboardingAdapter,
-  ChannelOnboardingConfiguredResult,
-  ChannelOnboardingDmPolicy,
-  ChannelOnboardingResult,
-  ChannelOnboardingStatus,
+  ChannelSetupWizardAdapter,
+  ChannelSetupConfiguredResult,
+  ChannelSetupDmPolicy,
+  ChannelSetupResult,
+  ChannelSetupStatus,
   SetupChannelsOptions,
-} from "./onboarding/types.js";
+} from "./channel-setup/types.js";
+import type { ChannelChoice } from "./onboard-types.js";
 
 type ConfiguredChannelAction = "update" | "disable" | "delete" | "skip";
 
 type ChannelStatusSummary = {
   installedPlugins: ReturnType<typeof listChannelSetupPlugins>;
   catalogEntries: ReturnType<typeof listChannelPluginCatalogEntries>;
-  statusByChannel: Map<ChannelChoice, ChannelOnboardingStatus>;
+  installedCatalogEntries: ReturnType<typeof listChannelPluginCatalogEntries>;
+  statusByChannel: Map<ChannelChoice, ChannelSetupStatus>;
   statusLines: string[];
 };
 
@@ -92,7 +91,7 @@ async function promptRemovalAccountId(params: {
   prompter: WizardPrompter;
   label: string;
   channel: ChannelChoice;
-  plugin?: ChannelPlugin;
+  plugin?: ChannelSetupPlugin;
 }): Promise<string> {
   const { cfg, prompter, label, channel } = params;
   const plugin = params.plugin ?? getChannelSetupPlugin(channel);
@@ -119,22 +118,34 @@ async function collectChannelStatus(params: {
   cfg: OpenClawConfig;
   options?: SetupChannelsOptions;
   accountOverrides: Partial<Record<ChannelChoice, string>>;
-  installedPlugins?: ReturnType<typeof listChannelSetupPlugins>;
+  installedPlugins?: ChannelSetupPlugin[];
+  resolveAdapter?: (channel: ChannelChoice) => ChannelSetupWizardAdapter | undefined;
 }): Promise<ChannelStatusSummary> {
   const installedPlugins = params.installedPlugins ?? listChannelSetupPlugins();
-  const installedIds = new Set(installedPlugins.map((plugin) => plugin.id));
   const workspaceDir = resolveAgentWorkspaceDir(params.cfg, resolveDefaultAgentId(params.cfg));
-  const catalogEntries = listChannelPluginCatalogEntries({ workspaceDir }).filter(
-    (entry) => !installedIds.has(entry.id),
-  );
+  const { installedCatalogEntries, installableCatalogEntries } = resolveChannelSetupEntries({
+    cfg: params.cfg,
+    installedPlugins,
+    workspaceDir,
+  });
+  const resolveAdapter =
+    params.resolveAdapter ??
+    ((channel: ChannelChoice) =>
+      resolveChannelSetupWizardAdapterForPlugin(
+        installedPlugins.find((plugin) => plugin.id === channel),
+      ));
   const statusEntries = await Promise.all(
-    listChannelOnboardingAdapters().map((adapter) =>
-      adapter.getStatus({
+    installedPlugins.flatMap((plugin) => {
+      const adapter = resolveAdapter(plugin.id);
+      if (!adapter) {
+        return [];
+      }
+      return adapter.getStatus({
         cfg: params.cfg,
         options: params.options,
         accountOverrides: params.accountOverrides,
-      }),
-    ),
+      });
+    }),
   );
   const statusByChannel = new Map(statusEntries.map((entry) => [entry.channel, entry]));
   const fallbackStatuses = listChatChannels()
@@ -150,19 +161,46 @@ async function collectChannelStatus(params: {
         quickstartScore: 0,
       };
     });
-  const catalogStatuses = catalogEntries.map((entry) => ({
+  const discoveredPluginStatuses = installedCatalogEntries
+    .filter((entry) => !statusByChannel.has(entry.id as ChannelChoice))
+    .map((entry) => {
+      const configured = isChannelConfigured(params.cfg, entry.id);
+      const pluginEnabled =
+        params.cfg.plugins?.entries?.[entry.pluginId ?? entry.id]?.enabled !== false;
+      const statusLabel = configured
+        ? pluginEnabled
+          ? "configured"
+          : "configured (plugin disabled)"
+        : pluginEnabled
+          ? "installed"
+          : "installed (plugin disabled)";
+      return {
+        channel: entry.id as ChannelChoice,
+        configured,
+        statusLines: [`${entry.meta.label}: ${statusLabel}`],
+        selectionHint: statusLabel,
+        quickstartScore: 0,
+      };
+    });
+  const catalogStatuses = installableCatalogEntries.map((entry) => ({
     channel: entry.id,
     configured: false,
     statusLines: [`${entry.meta.label}: install plugin to enable`],
     selectionHint: "plugin · install",
     quickstartScore: 0,
   }));
-  const combinedStatuses = [...statusEntries, ...fallbackStatuses, ...catalogStatuses];
+  const combinedStatuses = [
+    ...statusEntries,
+    ...fallbackStatuses,
+    ...discoveredPluginStatuses,
+    ...catalogStatuses,
+  ];
   const mergedStatusByChannel = new Map(combinedStatuses.map((entry) => [entry.channel, entry]));
   const statusLines = combinedStatuses.flatMap((entry) => entry.statusLines);
   return {
     installedPlugins,
-    catalogEntries,
+    catalogEntries: installableCatalogEntries,
+    installedCatalogEntries,
     statusByChannel: mergedStatusByChannel,
     statusLines,
   };
@@ -233,13 +271,13 @@ async function maybeConfigureDmPolicies(params: {
   selection: ChannelChoice[];
   prompter: WizardPrompter;
   accountIdsByChannel?: Map<ChannelChoice, string>;
-  resolveAdapter?: (channel: ChannelChoice) => ChannelOnboardingAdapter | undefined;
+  resolveAdapter?: (channel: ChannelChoice) => ChannelSetupWizardAdapter | undefined;
 }): Promise<OpenClawConfig> {
   const { selection, prompter, accountIdsByChannel } = params;
-  const resolve = params.resolveAdapter ?? getChannelOnboardingAdapter;
+  const resolve = params.resolveAdapter ?? (() => undefined);
   const dmPolicies = selection
     .map((channel) => resolve(channel)?.dmPolicy)
-    .filter(Boolean) as ChannelOnboardingDmPolicy[];
+    .filter(Boolean) as ChannelSetupDmPolicy[];
   if (dmPolicies.length === 0) {
     return params.cfg;
   }
@@ -253,7 +291,7 @@ async function maybeConfigureDmPolicies(params: {
   }
 
   let cfg = params.cfg;
-  const selectPolicy = async (policy: ChannelOnboardingDmPolicy) => {
+  const selectPolicy = async (policy: ChannelSetupDmPolicy) => {
     await prompter.note(
       [
         "Default: pairing (unknown DMs get a pairing code).",
@@ -296,7 +334,7 @@ async function maybeConfigureDmPolicies(params: {
   return cfg;
 }
 
-// Channel-specific prompts moved into onboarding adapters.
+// Channel-specific prompts moved into setup flow adapters.
 
 export async function setupChannels(
   cfg: OpenClawConfig,
@@ -309,17 +347,17 @@ export async function setupChannels(
   const accountOverrides: Partial<Record<ChannelChoice, string>> = {
     ...options?.accountIds,
   };
-  const scopedPluginsById = new Map<ChannelChoice, ChannelPlugin>();
+  const scopedPluginsById = new Map<ChannelChoice, ChannelSetupPlugin>();
   const resolveWorkspaceDir = () => resolveAgentWorkspaceDir(next, resolveDefaultAgentId(next));
-  const rememberScopedPlugin = (plugin: ChannelPlugin) => {
+  const rememberScopedPlugin = (plugin: ChannelSetupPlugin) => {
     const channel = plugin.id;
     scopedPluginsById.set(channel, plugin);
     options?.onResolvedPlugin?.(channel, plugin);
   };
-  const getVisibleChannelPlugin = (channel: ChannelChoice): ChannelPlugin | undefined =>
+  const getVisibleChannelPlugin = (channel: ChannelChoice): ChannelSetupPlugin | undefined =>
     scopedPluginsById.get(channel) ?? getChannelSetupPlugin(channel);
-  const listVisibleInstalledPlugins = (): ChannelPlugin[] => {
-    const merged = new Map<string, ChannelPlugin>();
+  const listVisibleInstalledPlugins = (): ChannelSetupPlugin[] => {
+    const merged = new Map<string, ChannelSetupPlugin>();
     for (const plugin of listChannelSetupPlugins()) {
       merged.set(plugin.id, plugin);
     }
@@ -328,36 +366,39 @@ export async function setupChannels(
     }
     return Array.from(merged.values());
   };
-  const loadScopedChannelPlugin = (
+  const loadScopedChannelPlugin = async (
     channel: ChannelChoice,
     pluginId?: string,
-  ): ChannelPlugin | undefined => {
+  ): Promise<ChannelSetupPlugin | undefined> => {
     const existing = getVisibleChannelPlugin(channel);
     if (existing) {
       return existing;
     }
-    const snapshot = loadOnboardingPluginRegistrySnapshotForChannel({
+    const snapshot = loadChannelSetupPluginRegistrySnapshotForChannel({
       cfg: next,
       runtime,
       channel,
       ...(pluginId ? { pluginId } : {}),
       workspaceDir: resolveWorkspaceDir(),
     });
-    const plugin = snapshot.channels.find((entry) => entry.plugin.id === channel)?.plugin;
+    const plugin =
+      snapshot.channels.find((entry) => entry.plugin.id === channel)?.plugin ??
+      snapshot.channelSetups.find((entry) => entry.plugin.id === channel)?.plugin;
     if (plugin) {
       rememberScopedPlugin(plugin);
+      return plugin;
     }
-    return plugin;
+    return undefined;
   };
-  const getVisibleOnboardingAdapter = (channel: ChannelChoice) => {
-    const adapter = getChannelOnboardingAdapter(channel);
-    if (adapter) {
-      return adapter;
+  const getVisibleSetupFlowAdapter = (channel: ChannelChoice) => {
+    const scopedPlugin = scopedPluginsById.get(channel);
+    if (scopedPlugin) {
+      return resolveChannelSetupWizardAdapterForPlugin(scopedPlugin);
     }
-    return scopedPluginsById.get(channel)?.onboarding;
+    return resolveChannelSetupWizardAdapterForPlugin(getChannelSetupPlugin(channel));
   };
   const preloadConfiguredExternalPlugins = () => {
-    // Keep onboarding memory bounded by snapshot-loading only configured external plugins.
+    // Keep setup memory bounded by snapshot-loading only configured external plugins.
     const workspaceDir = resolveWorkspaceDir();
     for (const entry of listChannelPluginCatalogEntries({ workspaceDir })) {
       const channel = entry.id as ChannelChoice;
@@ -369,7 +410,7 @@ export async function setupChannels(
       if (!explicitlyEnabled && !isChannelConfigured(next, channel)) {
         continue;
       }
-      loadScopedChannelPlugin(channel, entry.pluginId);
+      void loadScopedChannelPlugin(channel, entry.pluginId);
     }
   };
   if (options?.whatsappAccountId?.trim()) {
@@ -377,13 +418,19 @@ export async function setupChannels(
   }
   preloadConfiguredExternalPlugins();
 
-  const { installedPlugins, catalogEntries, statusByChannel, statusLines } =
-    await collectChannelStatus({
-      cfg: next,
-      options,
-      accountOverrides,
-      installedPlugins: listVisibleInstalledPlugins(),
-    });
+  const {
+    installedPlugins,
+    catalogEntries,
+    installedCatalogEntries,
+    statusByChannel,
+    statusLines,
+  } = await collectChannelStatus({
+    cfg: next,
+    options,
+    accountOverrides,
+    installedPlugins: listVisibleInstalledPlugins(),
+    resolveAdapter: getVisibleSetupFlowAdapter,
+  });
   if (!options?.skipStatusNote && statusLines.length > 0) {
     await prompter.note(statusLines.join("\n"), "Channel status");
   }
@@ -413,6 +460,13 @@ export async function setupChannels(
         label: plugin.meta.label,
         blurb: plugin.meta.blurb,
       })),
+    ...installedCatalogEntries
+      .filter((entry) => !coreIds.has(entry.id as ChannelChoice))
+      .map((entry) => ({
+        id: entry.id as ChannelChoice,
+        label: entry.meta.label,
+        blurb: entry.meta.blurb,
+      })),
     ...catalogEntries
       .filter((entry) => !coreIds.has(entry.id as ChannelChoice))
       .map((entry) => ({
@@ -430,7 +484,7 @@ export async function setupChannels(
   const accountIdsByChannel = new Map<ChannelChoice, string>();
   const recordAccount = (channel: ChannelChoice, accountId: string) => {
     options?.onAccountId?.(channel, accountId);
-    const adapter = getVisibleOnboardingAdapter(channel);
+    const adapter = getVisibleSetupFlowAdapter(channel);
     adapter?.onAccountRecorded?.(accountId, options);
     accountIdsByChannel.set(channel, accountId);
   };
@@ -490,38 +544,20 @@ export async function setupChannels(
     });
 
   const getChannelEntries = () => {
-    const core = listChatChannels();
-    const installed = listVisibleInstalledPlugins();
-    const installedIds = new Set(installed.map((plugin) => plugin.id));
-    const workspaceDir = resolveWorkspaceDir();
-    const catalog = listChannelPluginCatalogEntries({ workspaceDir }).filter(
-      (entry) => !installedIds.has(entry.id),
-    );
-    const metaById = new Map<string, ChannelMeta>();
-    for (const meta of core) {
-      metaById.set(meta.id, meta);
-    }
-    for (const plugin of installed) {
-      metaById.set(plugin.id, plugin.meta);
-    }
-    for (const entry of catalog) {
-      if (!metaById.has(entry.id)) {
-        metaById.set(entry.id, entry.meta);
-      }
-    }
-    const entries = Array.from(metaById, ([id, meta]) => ({
-      id: id as ChannelChoice,
-      meta,
-    }));
+    const resolved = resolveChannelSetupEntries({
+      cfg: next,
+      installedPlugins: listVisibleInstalledPlugins(),
+      workspaceDir: resolveWorkspaceDir(),
+    });
     return {
-      entries,
-      catalog,
-      catalogById: new Map(catalog.map((entry) => [entry.id as ChannelChoice, entry])),
+      entries: resolved.entries,
+      catalogById: resolved.installableCatalogById,
+      installedCatalogById: resolved.installedCatalogById,
     };
   };
 
   const refreshStatus = async (channel: ChannelChoice) => {
-    const adapter = getVisibleOnboardingAdapter(channel);
+    const adapter = getVisibleSetupFlowAdapter(channel);
     if (!adapter) {
       return;
     }
@@ -543,12 +579,12 @@ export async function setupChannels(
       );
       return false;
     }
-    const adapter = getVisibleOnboardingAdapter(channel);
-    const plugin = loadScopedChannelPlugin(channel);
+    const plugin = await loadScopedChannelPlugin(channel);
+    const adapter = getVisibleSetupFlowAdapter(channel);
     if (!plugin) {
       if (adapter) {
         await prompter.note(
-          `${channel} plugin not available (continuing with onboarding). If the channel still doesn't work after setup, run \`${formatCliCommand(
+          `${channel} plugin not available (continuing with setup). If the channel still doesn't work after setup, run \`${formatCliCommand(
             "openclaw plugins list",
           )}\` and \`${formatCliCommand("openclaw plugins enable " + channel)}\`, then restart the gateway.`,
           "Channel setup",
@@ -563,7 +599,7 @@ export async function setupChannels(
     return true;
   };
 
-  const applyOnboardingResult = async (channel: ChannelChoice, result: ChannelOnboardingResult) => {
+  const applySetupResult = async (channel: ChannelChoice, result: ChannelSetupResult) => {
     next = result.cfg;
     if (result.accountId) {
       recordAccount(channel, result.accountId);
@@ -572,21 +608,21 @@ export async function setupChannels(
     await refreshStatus(channel);
   };
 
-  const applyCustomOnboardingResult = async (
+  const applyCustomSetupResult = async (
     channel: ChannelChoice,
-    result: ChannelOnboardingConfiguredResult,
+    result: ChannelSetupConfiguredResult,
   ) => {
     if (result === "skip") {
       return false;
     }
-    await applyOnboardingResult(channel, result);
+    await applySetupResult(channel, result);
     return true;
   };
 
   const configureChannel = async (channel: ChannelChoice) => {
-    const adapter = getVisibleOnboardingAdapter(channel);
+    const adapter = getVisibleSetupFlowAdapter(channel);
     if (!adapter) {
-      await prompter.note(`${channel} does not support onboarding yet.`, "Channel setup");
+      await prompter.note(`${channel} does not support guided setup yet.`, "Channel setup");
       return;
     }
     const result = await adapter.configure({
@@ -598,12 +634,12 @@ export async function setupChannels(
       shouldPromptAccountIds,
       forceAllowFrom: forceAllowFromChannels.has(channel),
     });
-    await applyOnboardingResult(channel, result);
+    await applySetupResult(channel, result);
   };
 
   const handleConfiguredChannel = async (channel: ChannelChoice, label: string) => {
     const plugin = getVisibleChannelPlugin(channel);
-    const adapter = getVisibleOnboardingAdapter(channel);
+    const adapter = getVisibleSetupFlowAdapter(channel);
     if (adapter?.configureWhenConfigured) {
       const custom = await adapter.configureWhenConfigured({
         cfg: next,
@@ -616,7 +652,7 @@ export async function setupChannels(
         configured: true,
         label,
       });
-      if (!(await applyCustomOnboardingResult(channel, custom))) {
+      if (!(await applyCustomSetupResult(channel, custom))) {
         return;
       }
       return;
@@ -694,11 +730,12 @@ export async function setupChannels(
   };
 
   const handleChannelChoice = async (channel: ChannelChoice) => {
-    const { catalogById } = getChannelEntries();
+    const { catalogById, installedCatalogById } = getChannelEntries();
     const catalogEntry = catalogById.get(channel);
+    const installedCatalogEntry = installedCatalogById.get(channel);
     if (catalogEntry) {
       const workspaceDir = resolveWorkspaceDir();
-      const result = await ensureOnboardingPluginInstalled({
+      const result = await ensureChannelSetupPluginInstalled({
         cfg: next,
         entry: catalogEntry,
         prompter,
@@ -709,7 +746,14 @@ export async function setupChannels(
       if (!result.installed) {
         return;
       }
-      loadScopedChannelPlugin(channel, result.pluginId ?? catalogEntry.pluginId);
+      await loadScopedChannelPlugin(channel, result.pluginId ?? catalogEntry.pluginId);
+      await refreshStatus(channel);
+    } else if (installedCatalogEntry) {
+      const plugin = await loadScopedChannelPlugin(channel, installedCatalogEntry.pluginId);
+      if (!plugin) {
+        await prompter.note(`${channel} plugin not available.`, "Channel setup");
+        return;
+      }
       await refreshStatus(channel);
     } else {
       const enabled = await enableBundledPluginForSetup(channel);
@@ -719,7 +763,7 @@ export async function setupChannels(
     }
 
     const plugin = getVisibleChannelPlugin(channel);
-    const adapter = getVisibleOnboardingAdapter(channel);
+    const adapter = getVisibleSetupFlowAdapter(channel);
     const label = plugin?.meta.label ?? catalogEntry?.meta.label ?? channel;
     const status = statusByChannel.get(channel);
     const configured = status?.configured ?? false;
@@ -735,7 +779,7 @@ export async function setupChannels(
         configured,
         label,
       });
-      if (!(await applyCustomOnboardingResult(channel, custom))) {
+      if (!(await applyCustomSetupResult(channel, custom))) {
         return;
       }
       return;
@@ -808,7 +852,7 @@ export async function setupChannels(
       selection,
       prompter,
       accountIdsByChannel,
-      resolveAdapter: getVisibleOnboardingAdapter,
+      resolveAdapter: getVisibleSetupFlowAdapter,
     });
   }
 
diff --git a/src/commands/onboard-config.test.ts b/src/commands/onboard-config.test.ts
index c5997345fe7..af602920674 100644
--- a/src/commands/onboard-config.test.ts
+++ b/src/commands/onboard-config.test.ts
@@ -1,19 +1,19 @@
 import { describe, expect, it } from "vitest";
 import type { OpenClawConfig } from "../config/config.js";
 import {
-  applyOnboardingLocalWorkspaceConfig,
+  applyLocalSetupWorkspaceConfig,
   ONBOARDING_DEFAULT_DM_SCOPE,
   ONBOARDING_DEFAULT_TOOLS_PROFILE,
 } from "./onboard-config.js";
 
-describe("applyOnboardingLocalWorkspaceConfig", () => {
-  it("defaults local onboarding tool profile to coding", () => {
+describe("applyLocalSetupWorkspaceConfig", () => {
+  it("defaults local setup tool profile to coding", () => {
     expect(ONBOARDING_DEFAULT_TOOLS_PROFILE).toBe("coding");
   });
 
   it("sets secure dmScope default when unset", () => {
     const baseConfig: OpenClawConfig = {};
-    const result = applyOnboardingLocalWorkspaceConfig(baseConfig, "/tmp/workspace");
+    const result = applyLocalSetupWorkspaceConfig(baseConfig, "/tmp/workspace");
 
     expect(result.session?.dmScope).toBe(ONBOARDING_DEFAULT_DM_SCOPE);
     expect(result.gateway?.mode).toBe("local");
@@ -27,7 +27,7 @@ describe("applyOnboardingLocalWorkspaceConfig", () => {
         dmScope: "main",
       },
     };
-    const result = applyOnboardingLocalWorkspaceConfig(baseConfig, "/tmp/workspace");
+    const result = applyLocalSetupWorkspaceConfig(baseConfig, "/tmp/workspace");
 
     expect(result.session?.dmScope).toBe("main");
   });
@@ -38,7 +38,7 @@ describe("applyOnboardingLocalWorkspaceConfig", () => {
         dmScope: "per-account-channel-peer",
       },
     };
-    const result = applyOnboardingLocalWorkspaceConfig(baseConfig, "/tmp/workspace");
+    const result = applyLocalSetupWorkspaceConfig(baseConfig, "/tmp/workspace");
 
     expect(result.session?.dmScope).toBe("per-account-channel-peer");
   });
@@ -49,7 +49,7 @@ describe("applyOnboardingLocalWorkspaceConfig", () => {
         profile: "full",
       },
     };
-    const result = applyOnboardingLocalWorkspaceConfig(baseConfig, "/tmp/workspace");
+    const result = applyLocalSetupWorkspaceConfig(baseConfig, "/tmp/workspace");
 
     expect(result.tools?.profile).toBe("full");
   });
diff --git a/src/commands/onboard-config.ts b/src/commands/onboard-config.ts
index 62b1006283e..73e0cd5ceca 100644
--- a/src/commands/onboard-config.ts
+++ b/src/commands/onboard-config.ts
@@ -5,7 +5,7 @@ import type { ToolProfileId } from "../config/types.tools.js";
 export const ONBOARDING_DEFAULT_DM_SCOPE: DmScope = "per-channel-peer";
 export const ONBOARDING_DEFAULT_TOOLS_PROFILE: ToolProfileId = "coding";
 
-export function applyOnboardingLocalWorkspaceConfig(
+export function applyLocalSetupWorkspaceConfig(
   baseConfig: OpenClawConfig,
   workspaceDir: string,
 ): OpenClawConfig {
diff --git a/src/commands/onboard-core-auth-flags.ts b/src/commands/onboard-core-auth-flags.ts
new file mode 100644
index 00000000000..38663dbbccb
--- /dev/null
+++ b/src/commands/onboard-core-auth-flags.ts
@@ -0,0 +1,21 @@
+import type { AuthChoice, OnboardOptions } from "./onboard-types.js";
+
+type OnboardCoreAuthOptionKey = keyof Pick<OnboardOptions, "litellmApiKey">;
+
+export type OnboardCoreAuthFlag = {
+  optionKey: OnboardCoreAuthOptionKey;
+  authChoice: AuthChoice;
+  cliFlag: `--${string}`;
+  cliOption: `--${string} <key>`;
+  description: string;
+};
+
+export const CORE_ONBOARD_AUTH_FLAGS: ReadonlyArray<OnboardCoreAuthFlag> = [
+  {
+    optionKey: "litellmApiKey",
+    authChoice: "litellm-api-key",
+    cliFlag: "--litellm-api-key",
+    cliOption: "--litellm-api-key <key>",
+    description: "LiteLLM API key",
+  },
+];
diff --git a/src/commands/onboard-custom.test.ts b/src/commands/onboard-custom.test.ts
index bc1a1927bdc..6d78766853a 100644
--- a/src/commands/onboard-custom.test.ts
+++ b/src/commands/onboard-custom.test.ts
@@ -134,7 +134,7 @@ describe("promptCustomApiConfig", () => {
     expect(result.config.agents?.defaults?.models?.["custom/llama3"]?.alias).toBe("local");
   });
 
-  it("defaults custom onboarding to the native Ollama base URL", async () => {
+  it("defaults custom setup to the native Ollama base URL", async () => {
     const prompter = createTestPrompter({
       text: ["http://localhost:11434", "", "llama3", "custom", ""],
       select: ["plaintext", "openai"],
diff --git a/src/commands/onboard-hooks.ts b/src/commands/onboard-hooks.ts
index b2086161511..7286673ce29 100644
--- a/src/commands/onboard-hooks.ts
+++ b/src/commands/onboard-hooks.ts
@@ -24,7 +24,7 @@ export async function setupInternalHooks(
   const workspaceDir = resolveAgentWorkspaceDir(cfg, resolveDefaultAgentId(cfg));
   const report = buildWorkspaceHookStatus(workspaceDir, { config: cfg });
 
-  // Show every eligible hook so users can opt in during onboarding.
+  // Show every eligible hook so users can opt in during setup.
   const eligibleHooks = report.hooks.filter((h) => h.eligible);
 
   if (eligibleHooks.length === 0) {
diff --git a/src/commands/onboard-interactive.test.ts b/src/commands/onboard-interactive.test.ts
index 4dd8d9b4ddc..ba3a9227fe6 100644
--- a/src/commands/onboard-interactive.test.ts
+++ b/src/commands/onboard-interactive.test.ts
@@ -1,11 +1,11 @@
 import { afterEach, describe, expect, it, vi } from "vitest";
 import type { RuntimeEnv } from "../runtime.js";
 import { WizardCancelledError } from "../wizard/prompts.js";
-import { runInteractiveOnboarding } from "./onboard-interactive.js";
+import { runInteractiveSetup } from "./onboard-interactive.js";
 
 const mocks = vi.hoisted(() => ({
   createClackPrompter: vi.fn(() => ({ id: "prompter" })),
-  runOnboardingWizard: vi.fn(async () => {}),
+  runSetupWizard: vi.fn(async () => {}),
   restoreTerminalState: vi.fn(),
 }));
 
@@ -13,8 +13,8 @@ vi.mock("../wizard/clack-prompter.js", () => ({
   createClackPrompter: mocks.createClackPrompter,
 }));
 
-vi.mock("../wizard/onboarding.js", () => ({
-  runOnboardingWizard: mocks.runOnboardingWizard,
+vi.mock("../wizard/setup.js", () => ({
+  runSetupWizard: mocks.runSetupWizard,
 }));
 
 vi.mock("../terminal/restore.js", () => ({
@@ -29,7 +29,7 @@ function makeRuntime(): RuntimeEnv {
   };
 }
 
-describe("runInteractiveOnboarding", () => {
+describe("runInteractiveSetup", () => {
   afterEach(() => {
     vi.clearAllMocks();
   });
@@ -37,10 +37,10 @@ describe("runInteractiveOnboarding", () => {
   it("restores terminal state without resuming stdin on success", async () => {
     const runtime = makeRuntime();
 
-    await runInteractiveOnboarding({} as never, runtime);
+    await runInteractiveSetup({} as never, runtime);
 
-    expect(mocks.runOnboardingWizard).toHaveBeenCalledOnce();
-    expect(mocks.restoreTerminalState).toHaveBeenCalledWith("onboarding finish", {
+    expect(mocks.runSetupWizard).toHaveBeenCalledOnce();
+    expect(mocks.restoreTerminalState).toHaveBeenCalledWith("setup finish", {
       resumeStdinIfPaused: false,
     });
   });
@@ -54,12 +54,12 @@ describe("runInteractiveOnboarding", () => {
         throw exitError;
       }) as unknown as RuntimeEnv["exit"],
     };
-    mocks.runOnboardingWizard.mockRejectedValueOnce(new WizardCancelledError("cancelled"));
+    mocks.runSetupWizard.mockRejectedValueOnce(new WizardCancelledError("cancelled"));
 
-    await expect(runInteractiveOnboarding({} as never, runtime)).rejects.toBe(exitError);
+    await expect(runInteractiveSetup({} as never, runtime)).rejects.toBe(exitError);
 
     expect(runtime.exit).toHaveBeenCalledWith(1);
-    expect(mocks.restoreTerminalState).toHaveBeenCalledWith("onboarding finish", {
+    expect(mocks.restoreTerminalState).toHaveBeenCalledWith("setup finish", {
       resumeStdinIfPaused: false,
     });
     const restoreOrder =
@@ -73,12 +73,12 @@ describe("runInteractiveOnboarding", () => {
   it("rethrows non-cancel errors after restoring terminal state", async () => {
     const runtime = makeRuntime();
     const err = new Error("boom");
-    mocks.runOnboardingWizard.mockRejectedValueOnce(err);
+    mocks.runSetupWizard.mockRejectedValueOnce(err);
 
-    await expect(runInteractiveOnboarding({} as never, runtime)).rejects.toThrow("boom");
+    await expect(runInteractiveSetup({} as never, runtime)).rejects.toThrow("boom");
 
     expect(runtime.exit).not.toHaveBeenCalled();
-    expect(mocks.restoreTerminalState).toHaveBeenCalledWith("onboarding finish", {
+    expect(mocks.restoreTerminalState).toHaveBeenCalledWith("setup finish", {
       resumeStdinIfPaused: false,
     });
   });
diff --git a/src/commands/onboard-interactive.ts b/src/commands/onboard-interactive.ts
index 670c0fa02de..f271764e5de 100644
--- a/src/commands/onboard-interactive.ts
+++ b/src/commands/onboard-interactive.ts
@@ -2,18 +2,18 @@ import type { RuntimeEnv } from "../runtime.js";
 import { defaultRuntime } from "../runtime.js";
 import { restoreTerminalState } from "../terminal/restore.js";
 import { createClackPrompter } from "../wizard/clack-prompter.js";
-import { runOnboardingWizard } from "../wizard/onboarding.js";
 import { WizardCancelledError } from "../wizard/prompts.js";
+import { runSetupWizard } from "../wizard/setup.js";
 import type { OnboardOptions } from "./onboard-types.js";
 
-export async function runInteractiveOnboarding(
+export async function runInteractiveSetup(
   opts: OnboardOptions,
   runtime: RuntimeEnv = defaultRuntime,
 ) {
   const prompter = createClackPrompter();
   let exitCode: number | null = null;
   try {
-    await runOnboardingWizard(opts, runtime, prompter);
+    await runSetupWizard(opts, runtime, prompter);
   } catch (err) {
     if (err instanceof WizardCancelledError) {
       // Best practice: cancellation is not a successful completion.
@@ -23,7 +23,7 @@ export async function runInteractiveOnboarding(
     throw err;
   } finally {
     // Keep stdin paused so non-daemon runs can exit cleanly (e.g. Docker setup).
-    restoreTerminalState("onboarding finish", { resumeStdinIfPaused: false });
+    restoreTerminalState("setup finish", { resumeStdinIfPaused: false });
     if (exitCode !== null) {
       runtime.exit(exitCode);
     }
diff --git a/src/commands/onboard-non-interactive.gateway.test.ts b/src/commands/onboard-non-interactive.gateway.test.ts
index 83a81f340b3..3ea1bf159ca 100644
--- a/src/commands/onboard-non-interactive.gateway.test.ts
+++ b/src/commands/onboard-non-interactive.gateway.test.ts
@@ -90,7 +90,7 @@ vi.mock("../daemon/diagnostics.js", () => ({
   readLastGatewayErrorLine: readLastGatewayErrorLineMock,
 }));
 
-const { runNonInteractiveOnboarding } = await import("./onboard-non-interactive.js");
+const { runNonInteractiveSetup } = await import("./onboard-non-interactive.js");
 const { resolveConfigPath: resolveStateConfigPath } = await import("../config/paths.js");
 const { resolveConfigPath } = await import("../config/config.js");
 const { callGateway } = await import("../gateway/call.js");
@@ -170,7 +170,7 @@ describe("onboard (non-interactive): gateway and remote auth", () => {
       const token = "tok_test_123";
       const workspace = path.join(stateDir, "openclaw");
 
-      await runNonInteractiveOnboarding(
+      await runNonInteractiveSetup(
         {
           nonInteractive: true,
           mode: "local",
@@ -208,7 +208,7 @@ describe("onboard (non-interactive): gateway and remote auth", () => {
       process.env.OPENCLAW_GATEWAY_TOKEN = envToken;
 
       try {
-        await runNonInteractiveOnboarding(
+        await runNonInteractiveSetup(
           {
             nonInteractive: true,
             mode: "local",
@@ -248,7 +248,7 @@ describe("onboard (non-interactive): gateway and remote auth", () => {
       process.env.OPENCLAW_GATEWAY_TOKEN = envToken;
 
       try {
-        await runNonInteractiveOnboarding(
+        await runNonInteractiveSetup(
           {
             nonInteractive: true,
             mode: "local",
@@ -292,7 +292,7 @@ describe("onboard (non-interactive): gateway and remote auth", () => {
       delete process.env.MISSING_GATEWAY_TOKEN_ENV;
       try {
         await expect(
-          runNonInteractiveOnboarding(
+          runNonInteractiveSetup(
             {
               nonInteractive: true,
               mode: "local",
@@ -322,7 +322,7 @@ describe("onboard (non-interactive): gateway and remote auth", () => {
     await withStateDir("state-remote-", async () => {
       const port = getPseudoPort(30_000);
       const token = "tok_remote_123";
-      await runNonInteractiveOnboarding(
+      await runNonInteractiveSetup(
         {
           nonInteractive: true,
           mode: "remote",
@@ -359,7 +359,7 @@ describe("onboard (non-interactive): gateway and remote auth", () => {
       }));
 
       await expect(
-        runNonInteractiveOnboarding(
+        runNonInteractiveSetup(
           {
             nonInteractive: true,
             mode: "local",
@@ -386,7 +386,7 @@ describe("onboard (non-interactive): gateway and remote auth", () => {
         return { ok: true };
       });
 
-      await runNonInteractiveOnboarding(
+      await runNonInteractiveSetup(
         {
           nonInteractive: true,
           mode: "local",
@@ -438,7 +438,7 @@ describe("onboard (non-interactive): gateway and remote auth", () => {
 
       try {
         await expect(
-          runNonInteractiveOnboarding(
+          runNonInteractiveSetup(
             {
               nonInteractive: true,
               mode: "local",
@@ -509,7 +509,7 @@ describe("onboard (non-interactive): gateway and remote auth", () => {
       };
 
       await expect(
-        runNonInteractiveOnboarding(
+        runNonInteractiveSetup(
           {
             nonInteractive: true,
             mode: "local",
@@ -568,7 +568,7 @@ describe("onboard (non-interactive): gateway and remote auth", () => {
       const port = getPseudoPort(40_000);
       const workspace = path.join(stateDir, "openclaw");
 
-      await runNonInteractiveOnboarding(
+      await runNonInteractiveSetup(
         {
           nonInteractive: true,
           mode: "local",
diff --git a/src/commands/onboard-non-interactive.provider-auth.test.ts b/src/commands/onboard-non-interactive.provider-auth.test.ts
index 5ee3077d1c5..abf8362d694 100644
--- a/src/commands/onboard-non-interactive.provider-auth.test.ts
+++ b/src/commands/onboard-non-interactive.provider-auth.test.ts
@@ -1,10 +1,16 @@
 import fs from "node:fs/promises";
 import path from "node:path";
 import { setTimeout as delay } from "node:timers/promises";
-import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { beforeAll, describe, expect, it, vi } from "vitest";
 import { makeTempWorkspace } from "../test-helpers/workspace.js";
 import { withEnvAsync } from "../test-utils/env.js";
-import { MINIMAX_API_BASE_URL, MINIMAX_CN_API_BASE_URL } from "./onboard-auth.js";
+import {
+  MINIMAX_API_BASE_URL,
+  MINIMAX_CN_API_BASE_URL,
+  ZAI_CODING_CN_BASE_URL,
+  ZAI_CODING_GLOBAL_BASE_URL,
+  ZAI_GLOBAL_BASE_URL,
+} from "./onboard-auth.js";
 import {
   createThrowingRuntime,
   readJsonFile,
@@ -18,8 +24,6 @@ type OnboardEnv = {
 };
 
 const ensureWorkspaceAndSessionsMock = vi.hoisted(() => vi.fn(async (..._args: unknown[]) => {}));
-type DetectZaiEndpoint = typeof import("./zai-endpoint-detect.js").detectZaiEndpoint;
-const detectZaiEndpoint = vi.hoisted(() => vi.fn<DetectZaiEndpoint>(async () => null));
 
 vi.mock("./onboard-helpers.js", async (importOriginal) => {
   const actual = await importOriginal<typeof import("./onboard-helpers.js")>();
@@ -29,11 +33,7 @@ vi.mock("./onboard-helpers.js", async (importOriginal) => {
   };
 });
 
-vi.mock("./zai-endpoint-detect.js", () => ({
-  detectZaiEndpoint,
-}));
-
-const { runNonInteractiveOnboarding } = await import("./onboard-non-interactive.js");
+const { runNonInteractiveSetup } = await import("./onboard-non-interactive.js");
 
 const NON_INTERACTIVE_DEFAULT_OPTIONS = {
   nonInteractive: true,
@@ -61,6 +61,45 @@ type ProviderAuthConfigSnapshot = {
   };
 };
 
+function createZaiFetchMock(responses: Record<string, number>): typeof fetch {
+  return vi.fn(async (input, init) => {
+    const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : "";
+    const parsedBody =
+      typeof init?.body === "string" ? (JSON.parse(init.body) as { model?: string }) : {};
+    const key = `${url}::${parsedBody.model ?? ""}`;
+    const status = responses[key] ?? 404;
+    return new Response(
+      JSON.stringify(
+        status === 200 ? { ok: true } : { error: { code: "unsupported", message: "unsupported" } },
+      ),
+      {
+        status,
+        headers: { "content-type": "application/json" },
+      },
+    );
+  }) as typeof fetch;
+}
+
+async function withZaiProbeFetch<T>(
+  responses: Record<string, number>,
+  run: (fetchMock: typeof fetch) => Promise<T>,
+): Promise<T> {
+  const originalVitest = process.env.VITEST;
+  delete process.env.VITEST;
+  const fetchMock = createZaiFetchMock(responses);
+  vi.stubGlobal("fetch", fetchMock);
+  try {
+    return await run(fetchMock);
+  } finally {
+    vi.unstubAllGlobals();
+    if (originalVitest === undefined) {
+      delete process.env.VITEST;
+    } else {
+      process.env.VITEST = originalVitest;
+    }
+  }
+}
+
 async function removeDirWithRetry(dir: string): Promise<void> {
   for (let attempt = 0; attempt < 5; attempt += 1) {
     try {
@@ -109,11 +148,11 @@ async function withOnboardEnv(
   }
 }
 
-async function runNonInteractiveOnboardingWithDefaults(
+async function runNonInteractiveSetupWithDefaults(
   runtime: NonInteractiveRuntime,
   options: Record<string, unknown>,
 ): Promise<void> {
-  await runNonInteractiveOnboarding(
+  await runNonInteractiveSetup(
     {
       ...NON_INTERACTIVE_DEFAULT_OPTIONS,
       ...options,
@@ -126,7 +165,7 @@ async function runOnboardingAndReadConfig(
   env: OnboardEnv,
   options: Record<string, unknown>,
 ): Promise<ProviderAuthConfigSnapshot> {
-  await runNonInteractiveOnboardingWithDefaults(env.runtime, {
+  await runNonInteractiveSetupWithDefaults(env.runtime, {
     skipSkills: true,
     ...options,
   });
@@ -141,7 +180,7 @@ async function runCustomLocalNonInteractive(
   runtime: NonInteractiveRuntime,
   overrides: Record<string, unknown> = {},
 ): Promise<void> {
-  await runNonInteractiveOnboardingWithDefaults(runtime, {
+  await runNonInteractiveSetupWithDefaults(runtime, {
     authChoice: "custom-api-key",
     customBaseUrl: CUSTOM_LOCAL_BASE_URL,
     customModelId: CUSTOM_LOCAL_MODEL_ID,
@@ -186,11 +225,6 @@ describe("onboard (non-interactive): provider auth", () => {
     ({ ensureAuthProfileStore, upsertAuthProfile } = await import("../agents/auth-profiles.js"));
   });
 
-  beforeEach(() => {
-    detectZaiEndpoint.mockReset();
-    detectZaiEndpoint.mockResolvedValue(null);
-  });
-
   it("stores MiniMax API key and uses global baseUrl by default", async () => {
     await withOnboardEnv("openclaw-onboard-minimax-", async (env) => {
       const cfg = await runOnboardingAndReadConfig(env, {
@@ -230,62 +264,68 @@ describe("onboard (non-interactive): provider auth", () => {
   });
 
   it("stores Z.AI API key and uses global baseUrl by default", async () => {
-    await withOnboardEnv("openclaw-onboard-zai-", async (env) => {
-      detectZaiEndpoint.mockResolvedValueOnce({
-        endpoint: "global",
-        baseUrl: "https://api.z.ai/api/paas/v4",
-        modelId: "glm-5",
-        note: "Verified GLM-5 on global endpoint.",
-      });
-      const cfg = await runOnboardingAndReadConfig(env, {
-        authChoice: "zai-api-key",
-        zaiApiKey: "zai-test-key", // pragma: allowlist secret
-      });
+    await withZaiProbeFetch(
+      {
+        [`${ZAI_GLOBAL_BASE_URL}/chat/completions::glm-5`]: 200,
+      },
+      async (fetchMock) =>
+        await withOnboardEnv("openclaw-onboard-zai-", async (env) => {
+          const cfg = await runOnboardingAndReadConfig(env, {
+            authChoice: "zai-api-key",
+            zaiApiKey: "zai-test-key", // pragma: allowlist secret
+          });
 
-      expect(cfg.auth?.profiles?.["zai:default"]?.provider).toBe("zai");
-      expect(cfg.auth?.profiles?.["zai:default"]?.mode).toBe("api_key");
-      expect(cfg.models?.providers?.zai?.baseUrl).toBe("https://api.z.ai/api/paas/v4");
-      expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-5");
-      await expectApiKeyProfile({ profileId: "zai:default", provider: "zai", key: "zai-test-key" });
-    });
+          expect(cfg.auth?.profiles?.["zai:default"]?.provider).toBe("zai");
+          expect(cfg.auth?.profiles?.["zai:default"]?.mode).toBe("api_key");
+          expect(cfg.models?.providers?.zai?.baseUrl).toBe(ZAI_GLOBAL_BASE_URL);
+          expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-5");
+          expect(fetchMock).toHaveBeenCalled();
+          await expectApiKeyProfile({
+            profileId: "zai:default",
+            provider: "zai",
+            key: "zai-test-key",
+          });
+        }),
+    );
   });
 
   it("supports Z.AI CN coding endpoint auth choice", async () => {
-    await withOnboardEnv("openclaw-onboard-zai-cn-", async (env) => {
-      detectZaiEndpoint.mockResolvedValueOnce({
-        endpoint: "coding-cn",
-        baseUrl: "https://open.bigmodel.cn/api/coding/paas/v4",
-        modelId: "glm-4.7",
-        note: "Coding Plan CN endpoint verified, but this key/plan does not expose GLM-5 there. Defaulting to GLM-4.7.",
-      });
-      const cfg = await runOnboardingAndReadConfig(env, {
-        authChoice: "zai-coding-cn",
-        zaiApiKey: "zai-test-key", // pragma: allowlist secret
-      });
+    await withZaiProbeFetch(
+      {
+        [`${ZAI_CODING_CN_BASE_URL}/chat/completions::glm-5`]: 404,
+        [`${ZAI_CODING_CN_BASE_URL}/chat/completions::glm-4.7`]: 200,
+      },
+      async (fetchMock) =>
+        await withOnboardEnv("openclaw-onboard-zai-cn-", async (env) => {
+          const cfg = await runOnboardingAndReadConfig(env, {
+            authChoice: "zai-coding-cn",
+            zaiApiKey: "zai-test-key", // pragma: allowlist secret
+          });
 
-      expect(cfg.models?.providers?.zai?.baseUrl).toBe(
-        "https://open.bigmodel.cn/api/coding/paas/v4",
-      );
-      expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-4.7");
-    });
+          expect(cfg.models?.providers?.zai?.baseUrl).toBe(ZAI_CODING_CN_BASE_URL);
+          expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-4.7");
+          expect(fetchMock).toHaveBeenCalled();
+        }),
+    );
   });
 
   it("supports Z.AI Coding Plan global endpoint with GLM-5 when available", async () => {
-    await withOnboardEnv("openclaw-onboard-zai-coding-global-", async (env) => {
-      detectZaiEndpoint.mockResolvedValueOnce({
-        endpoint: "coding-global",
-        baseUrl: "https://api.z.ai/api/coding/paas/v4",
-        modelId: "glm-5",
-        note: "Verified GLM-5 on coding-global endpoint.",
-      });
-      const cfg = await runOnboardingAndReadConfig(env, {
-        authChoice: "zai-coding-global",
-        zaiApiKey: "zai-test-key", // pragma: allowlist secret
-      });
+    await withZaiProbeFetch(
+      {
+        [`${ZAI_CODING_GLOBAL_BASE_URL}/chat/completions::glm-5`]: 200,
+      },
+      async (fetchMock) =>
+        await withOnboardEnv("openclaw-onboard-zai-coding-global-", async (env) => {
+          const cfg = await runOnboardingAndReadConfig(env, {
+            authChoice: "zai-coding-global",
+            zaiApiKey: "zai-test-key", // pragma: allowlist secret
+          });
 
-      expect(cfg.models?.providers?.zai?.baseUrl).toBe("https://api.z.ai/api/coding/paas/v4");
-      expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-5");
-    });
+          expect(cfg.models?.providers?.zai?.baseUrl).toBe(ZAI_CODING_GLOBAL_BASE_URL);
+          expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-5");
+          expect(fetchMock).toHaveBeenCalled();
+        }),
+    );
   });
 
   it("stores xAI API key and sets default model", async () => {
@@ -366,7 +406,7 @@ describe("onboard (non-interactive): provider auth", () => {
       const cleanToken = `sk-ant-oat01-${"a".repeat(80)}`;
       const token = `${cleanToken.slice(0, 30)}\r${cleanToken.slice(30)}`;
 
-      await runNonInteractiveOnboardingWithDefaults(runtime, {
+      await runNonInteractiveSetupWithDefaults(runtime, {
         authChoice: "token",
         tokenProvider: "anthropic",
         token,
@@ -466,7 +506,7 @@ describe("onboard (non-interactive): provider auth", () => {
         await withEnvAsync(envOverrides, async () => {
           let thrown: Error | undefined;
           try {
-            await runNonInteractiveOnboardingWithDefaults(runtime, options);
+            await runNonInteractiveSetupWithDefaults(runtime, options);
           } catch (error) {
             thrown = error as Error;
           }
@@ -492,7 +532,7 @@ describe("onboard (non-interactive): provider auth", () => {
           OPENCODE_ZEN_API_KEY: "opencode-zen-env-key", // pragma: allowlist secret
         },
         async () => {
-          await runNonInteractiveOnboardingWithDefaults(runtime, {
+          await runNonInteractiveSetupWithDefaults(runtime, {
             authChoice: "opencode-zen",
             secretInputMode: "ref", // pragma: allowlist secret
             skipSkills: true,
@@ -609,7 +649,7 @@ describe("onboard (non-interactive): provider auth", () => {
     },
   ])("$name", async ({ prefix, options }) => {
     await withOnboardEnv(prefix, async ({ configPath, runtime }) => {
-      await runNonInteractiveOnboardingWithDefaults(runtime, {
+      await runNonInteractiveSetupWithDefaults(runtime, {
         cloudflareAiGatewayAccountId: "cf-account-id",
         cloudflareAiGatewayGatewayId: "cf-gateway-id",
         cloudflareAiGatewayApiKey: "cf-gateway-test-key", // pragma: allowlist secret
@@ -689,7 +729,7 @@ describe("onboard (non-interactive): provider auth", () => {
 
   it("configures a custom provider from non-interactive flags", async () => {
     await withOnboardEnv("openclaw-onboard-custom-provider-", async ({ configPath, runtime }) => {
-      await runNonInteractiveOnboardingWithDefaults(runtime, {
+      await runNonInteractiveSetupWithDefaults(runtime, {
         authChoice: "custom-api-key",
         customBaseUrl: "https://llm.example.com/v1",
         customApiKey: "custom-test-key", // pragma: allowlist secret
@@ -713,7 +753,7 @@ describe("onboard (non-interactive): provider auth", () => {
     await withOnboardEnv(
       "openclaw-onboard-custom-provider-infer-",
       async ({ configPath, runtime }) => {
-        await runNonInteractiveOnboardingWithDefaults(runtime, {
+        await runNonInteractiveSetupWithDefaults(runtime, {
           customBaseUrl: "https://models.custom.local/v1",
           customModelId: "local-large",
           customApiKey: "custom-test-key", // pragma: allowlist secret
@@ -810,7 +850,7 @@ describe("onboard (non-interactive): provider auth", () => {
       "openclaw-onboard-custom-provider-invalid-compat-",
       async ({ runtime }) => {
         await expect(
-          runNonInteractiveOnboardingWithDefaults(runtime, {
+          runNonInteractiveSetupWithDefaults(runtime, {
             authChoice: "custom-api-key",
             customBaseUrl: "https://models.custom.local/v1",
             customModelId: "local-large",
@@ -825,7 +865,7 @@ describe("onboard (non-interactive): provider auth", () => {
   it("fails custom provider auth when explicit provider id is invalid", async () => {
     await withOnboardEnv("openclaw-onboard-custom-provider-invalid-id-", async ({ runtime }) => {
       await expect(
-        runNonInteractiveOnboardingWithDefaults(runtime, {
+        runNonInteractiveSetupWithDefaults(runtime, {
           authChoice: "custom-api-key",
           customBaseUrl: "https://models.custom.local/v1",
           customModelId: "local-large",
@@ -843,7 +883,7 @@ describe("onboard (non-interactive): provider auth", () => {
       "openclaw-onboard-custom-provider-missing-required-",
       async ({ runtime }) => {
         await expect(
-          runNonInteractiveOnboardingWithDefaults(runtime, {
+          runNonInteractiveSetupWithDefaults(runtime, {
             customApiKey: "custom-test-key", // pragma: allowlist secret
             skipSkills: true,
           }),
diff --git a/src/commands/onboard-non-interactive.test-helpers.ts b/src/commands/onboard-non-interactive.test-helpers.ts
index 6fb5aa24e33..acb2a6d48d5 100644
--- a/src/commands/onboard-non-interactive.test-helpers.ts
+++ b/src/commands/onboard-non-interactive.test-helpers.ts
@@ -28,19 +28,19 @@ export function createThrowingRuntime(): NonInteractiveRuntime {
   };
 }
 
-export async function runNonInteractiveOnboarding(
+export async function runNonInteractiveSetup(
   options: Record<string, unknown>,
   runtime: NonInteractiveRuntime,
 ): Promise<void> {
-  const { runNonInteractiveOnboarding: run } = await import("./onboard-non-interactive.js");
+  const { runNonInteractiveSetup: run } = await import("./onboard-non-interactive.js");
   await run(options, runtime);
 }
 
-export async function runNonInteractiveOnboardingWithDefaults(
+export async function runNonInteractiveSetupWithDefaults(
   runtime: NonInteractiveRuntime,
   options: Record<string, unknown>,
 ): Promise<void> {
-  await runNonInteractiveOnboarding(
+  await runNonInteractiveSetup(
     {
       ...NON_INTERACTIVE_DEFAULT_OPTIONS,
       ...options,
diff --git a/src/commands/onboard-non-interactive.ts b/src/commands/onboard-non-interactive.ts
index ee2b3498180..7d9fbe7c1af 100644
--- a/src/commands/onboard-non-interactive.ts
+++ b/src/commands/onboard-non-interactive.ts
@@ -3,18 +3,18 @@ import type { OpenClawConfig } from "../config/config.js";
 import { readConfigFileSnapshot } from "../config/config.js";
 import type { RuntimeEnv } from "../runtime.js";
 import { defaultRuntime } from "../runtime.js";
-import { runNonInteractiveOnboardingLocal } from "./onboard-non-interactive/local.js";
-import { runNonInteractiveOnboardingRemote } from "./onboard-non-interactive/remote.js";
+import { runNonInteractiveLocalSetup } from "./onboard-non-interactive/local.js";
+import { runNonInteractiveRemoteSetup } from "./onboard-non-interactive/remote.js";
 import type { OnboardOptions } from "./onboard-types.js";
 
-export async function runNonInteractiveOnboarding(
+export async function runNonInteractiveSetup(
   opts: OnboardOptions,
   runtime: RuntimeEnv = defaultRuntime,
 ) {
   const snapshot = await readConfigFileSnapshot();
   if (snapshot.exists && !snapshot.valid) {
     runtime.error(
-      `Config invalid. Run \`${formatCliCommand("openclaw doctor")}\` to repair it, then re-run onboarding.`,
+      `Config invalid. Run \`${formatCliCommand("openclaw doctor")}\` to repair it, then re-run setup.`,
     );
     runtime.exit(1);
     return;
@@ -29,9 +29,9 @@ export async function runNonInteractiveOnboarding(
   }
 
   if (mode === "remote") {
-    await runNonInteractiveOnboardingRemote({ opts, runtime, baseConfig });
+    await runNonInteractiveRemoteSetup({ opts, runtime, baseConfig });
     return;
   }
 
-  await runNonInteractiveOnboardingLocal({ opts, runtime, baseConfig });
+  await runNonInteractiveLocalSetup({ opts, runtime, baseConfig });
 }
diff --git a/src/commands/onboard-non-interactive/local.ts b/src/commands/onboard-non-interactive/local.ts
index 5e26bf50d24..f14aae65eec 100644
--- a/src/commands/onboard-non-interactive/local.ts
+++ b/src/commands/onboard-non-interactive/local.ts
@@ -4,7 +4,7 @@ import { resolveGatewayPort, writeConfigFile } from "../../config/config.js";
 import { logConfigUpdated } from "../../config/logging.js";
 import type { RuntimeEnv } from "../../runtime.js";
 import { DEFAULT_GATEWAY_DAEMON_RUNTIME } from "../daemon-runtime.js";
-import { applyOnboardingLocalWorkspaceConfig } from "../onboard-config.js";
+import { applyLocalSetupWorkspaceConfig } from "../onboard-config.js";
 import {
   applyWizardMetadata,
   DEFAULT_WORKSPACE,
@@ -67,7 +67,7 @@ async function collectGatewayHealthFailureDiagnostics(): Promise<
     : undefined;
 }
 
-export async function runNonInteractiveOnboardingLocal(params: {
+export async function runNonInteractiveLocalSetup(params: {
   opts: OnboardOptions;
   runtime: RuntimeEnv;
   baseConfig: OpenClawConfig;
@@ -81,13 +81,13 @@ export async function runNonInteractiveOnboardingLocal(params: {
     defaultWorkspaceDir: DEFAULT_WORKSPACE,
   });
 
-  let nextConfig: OpenClawConfig = applyOnboardingLocalWorkspaceConfig(baseConfig, workspaceDir);
+  let nextConfig: OpenClawConfig = applyLocalSetupWorkspaceConfig(baseConfig, workspaceDir);
 
   const inferredAuthChoice = inferAuthChoiceFromFlags(opts);
   if (!opts.authChoice && inferredAuthChoice.matches.length > 1) {
     runtime.error(
       [
-        "Multiple API key flags were provided for non-interactive onboarding.",
+        "Multiple API key flags were provided for non-interactive setup.",
         "Use a single provider flag or pass --auth-choice explicitly.",
         `Flags: ${inferredAuthChoice.matches.map((match) => match.label).join(", ")}`,
       ].join("\n"),
@@ -225,7 +225,7 @@ export async function runNonInteractiveOnboardingLocal(params: {
         diagnostics,
         hints: !opts.installDaemon
           ? [
-              "Non-interactive local onboarding only waits for an already-running gateway unless you pass --install-daemon.",
+              "Non-interactive local setup only waits for an already-running gateway unless you pass --install-daemon.",
               `Fix: start \`${formatCliCommand("openclaw gateway run")}\`, re-run with \`--install-daemon\`, or use \`--skip-health\`.`,
               process.platform === "win32"
                 ? "Native Windows managed gateway install tries Scheduled Tasks first and falls back to a per-user Startup-folder login item when task creation is denied."
diff --git a/src/commands/onboard-non-interactive/local/auth-choice-inference.ts b/src/commands/onboard-non-interactive/local/auth-choice-inference.ts
index 212bb9dd890..4f29bcfa2b0 100644
--- a/src/commands/onboard-non-interactive/local/auth-choice-inference.ts
+++ b/src/commands/onboard-non-interactive/local/auth-choice-inference.ts
@@ -1,45 +1,13 @@
-import { ONBOARD_PROVIDER_AUTH_FLAGS } from "../../onboard-provider-auth-flags.js";
+import { resolveManifestProviderOnboardAuthFlags } from "../../../plugins/provider-auth-choices.js";
+import { CORE_ONBOARD_AUTH_FLAGS } from "../../onboard-core-auth-flags.js";
 import type { AuthChoice, OnboardOptions } from "../../onboard-types.js";
 
 type AuthChoiceFlag = {
-  optionKey: keyof AuthChoiceFlagOptions;
+  optionKey: string;
   authChoice: AuthChoice;
   label: string;
 };
 
-type AuthChoiceFlagOptions = Pick<
-  OnboardOptions,
-  | "anthropicApiKey"
-  | "geminiApiKey"
-  | "openaiApiKey"
-  | "mistralApiKey"
-  | "openrouterApiKey"
-  | "kilocodeApiKey"
-  | "aiGatewayApiKey"
-  | "cloudflareAiGatewayApiKey"
-  | "moonshotApiKey"
-  | "kimiCodeApiKey"
-  | "syntheticApiKey"
-  | "veniceApiKey"
-  | "togetherApiKey"
-  | "huggingfaceApiKey"
-  | "zaiApiKey"
-  | "xiaomiApiKey"
-  | "minimaxApiKey"
-  | "opencodeZenApiKey"
-  | "opencodeGoApiKey"
-  | "xaiApiKey"
-  | "litellmApiKey"
-  | "qianfanApiKey"
-  | "modelstudioApiKeyCn"
-  | "modelstudioApiKey"
-  | "volcengineApiKey"
-  | "byteplusApiKey"
-  | "customBaseUrl"
-  | "customModelId"
-  | "customApiKey"
->;
-
 export type AuthChoiceInference = {
   choice?: AuthChoice;
   matches: AuthChoiceFlag[];
@@ -51,13 +19,21 @@ function hasStringValue(value: unknown): boolean {
 
 // Infer auth choice from explicit provider API key flags.
 export function inferAuthChoiceFromFlags(opts: OnboardOptions): AuthChoiceInference {
-  const matches: AuthChoiceFlag[] = ONBOARD_PROVIDER_AUTH_FLAGS.filter(({ optionKey }) =>
-    hasStringValue(opts[optionKey]),
-  ).map((flag) => ({
-    optionKey: flag.optionKey,
-    authChoice: flag.authChoice,
-    label: flag.cliFlag,
-  }));
+  const flags = [
+    ...CORE_ONBOARD_AUTH_FLAGS,
+    ...resolveManifestProviderOnboardAuthFlags(),
+  ] as ReadonlyArray<{
+    optionKey: string;
+    authChoice: string;
+    cliFlag: string;
+  }>;
+  const matches: AuthChoiceFlag[] = flags
+    .filter(({ optionKey }) => hasStringValue(opts[optionKey as keyof OnboardOptions]))
+    .map((flag) => ({
+      optionKey: flag.optionKey,
+      authChoice: flag.authChoice as AuthChoice,
+      label: flag.cliFlag,
+    }));
 
   if (
     hasStringValue(opts.customBaseUrl) ||
diff --git a/src/commands/onboard-non-interactive/local/auth-choice.api-key-providers.ts b/src/commands/onboard-non-interactive/local/auth-choice.api-key-providers.ts
index a04dda68fd1..4c0454401ad 100644
--- a/src/commands/onboard-non-interactive/local/auth-choice.api-key-providers.ts
+++ b/src/commands/onboard-non-interactive/local/auth-choice.api-key-providers.ts
@@ -1,499 +1,22 @@
 import type { OpenClawConfig } from "../../../config/config.js";
 import type { SecretInput } from "../../../config/types.secrets.js";
 import type { RuntimeEnv } from "../../../runtime.js";
-import { applyGoogleGeminiModelDefault } from "../../google-gemini-model-default.js";
-import { applyPrimaryModel } from "../../model-picker.js";
 import {
   applyAuthProfileConfig,
-  applyHuggingfaceConfig,
-  applyKilocodeConfig,
-  applyKimiCodeConfig,
   applyLitellmConfig,
-  applyMistralConfig,
-  applyModelStudioConfig,
-  applyModelStudioConfigCn,
-  applyMoonshotConfig,
-  applyMoonshotConfigCn,
-  applyOpencodeGoConfig,
-  applyOpencodeZenConfig,
-  applyOpenrouterConfig,
-  applyQianfanConfig,
-  applySyntheticConfig,
-  applyTogetherConfig,
-  applyVeniceConfig,
-  applyVercelAiGatewayConfig,
-  applyXaiConfig,
-  applyXiaomiConfig,
-  setAnthropicApiKey,
-  setGeminiApiKey,
-  setHuggingfaceApiKey,
-  setKilocodeApiKey,
-  setKimiCodingApiKey,
   setLitellmApiKey,
-  setMistralApiKey,
-  setModelStudioApiKey,
-  setMoonshotApiKey,
-  setOpenaiApiKey,
-  setOpencodeGoApiKey,
-  setOpencodeZenApiKey,
-  setOpenrouterApiKey,
-  setQianfanApiKey,
-  setSyntheticApiKey,
-  setTogetherApiKey,
-  setVeniceApiKey,
-  setVercelAiGatewayApiKey,
-  setVolcengineApiKey,
-  setXaiApiKey,
-  setXiaomiApiKey,
-  setByteplusApiKey,
 } from "../../onboard-auth.js";
 import type { AuthChoice, OnboardOptions } from "../../onboard-types.js";
-import { applyOpenAIConfig } from "../../openai-model-default.js";
 
 type ApiKeyStorageOptions = {
   secretInputMode: "plaintext" | "ref";
 };
 
-type SimpleApiKeyAuthChoice = {
-  authChoices: AuthChoice[];
-  provider: string;
-  flagValue?: string;
-  flagName: `--${string}`;
-  envVar: string;
-  profileId: string;
-  setCredential: (value: SecretInput, options?: ApiKeyStorageOptions) => Promise<void> | void;
-  applyConfig: (cfg: OpenClawConfig) => OpenClawConfig;
-};
-
 type ResolvedNonInteractiveApiKey = {
   key: string;
   source: "profile" | "env" | "flag";
 };
 
-function buildSimpleApiKeyAuthChoices(params: { opts: OnboardOptions }): SimpleApiKeyAuthChoice[] {
-  const withStorage =
-    (
-      setter: (
-        value: SecretInput,
-        agentDir?: string,
-        options?: ApiKeyStorageOptions,
-      ) => Promise<void> | void,
-    ) =>
-    (value: SecretInput, options?: ApiKeyStorageOptions) =>
-      setter(value, undefined, options);
-
-  return [
-    {
-      authChoices: ["apiKey"],
-      provider: "anthropic",
-      flagValue: params.opts.anthropicApiKey,
-      flagName: "--anthropic-api-key",
-      envVar: "ANTHROPIC_API_KEY",
-      profileId: "anthropic:default",
-      setCredential: withStorage(setAnthropicApiKey),
-      applyConfig: (cfg) =>
-        applyAuthProfileConfig(cfg, {
-          profileId: "anthropic:default",
-          provider: "anthropic",
-          mode: "api_key",
-        }),
-    },
-    {
-      authChoices: ["gemini-api-key"],
-      provider: "google",
-      flagValue: params.opts.geminiApiKey,
-      flagName: "--gemini-api-key",
-      envVar: "GEMINI_API_KEY",
-      profileId: "google:default",
-      setCredential: withStorage(setGeminiApiKey),
-      applyConfig: (cfg) =>
-        applyGoogleGeminiModelDefault(
-          applyAuthProfileConfig(cfg, {
-            profileId: "google:default",
-            provider: "google",
-            mode: "api_key",
-          }),
-        ).next,
-    },
-    {
-      authChoices: ["xiaomi-api-key"],
-      provider: "xiaomi",
-      flagValue: params.opts.xiaomiApiKey,
-      flagName: "--xiaomi-api-key",
-      envVar: "XIAOMI_API_KEY",
-      profileId: "xiaomi:default",
-      setCredential: withStorage(setXiaomiApiKey),
-      applyConfig: (cfg) =>
-        applyXiaomiConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "xiaomi:default",
-            provider: "xiaomi",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["xai-api-key"],
-      provider: "xai",
-      flagValue: params.opts.xaiApiKey,
-      flagName: "--xai-api-key",
-      envVar: "XAI_API_KEY",
-      profileId: "xai:default",
-      setCredential: withStorage(setXaiApiKey),
-      applyConfig: (cfg) =>
-        applyXaiConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "xai:default",
-            provider: "xai",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["mistral-api-key"],
-      provider: "mistral",
-      flagValue: params.opts.mistralApiKey,
-      flagName: "--mistral-api-key",
-      envVar: "MISTRAL_API_KEY",
-      profileId: "mistral:default",
-      setCredential: withStorage(setMistralApiKey),
-      applyConfig: (cfg) =>
-        applyMistralConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "mistral:default",
-            provider: "mistral",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["volcengine-api-key"],
-      provider: "volcengine",
-      flagValue: params.opts.volcengineApiKey,
-      flagName: "--volcengine-api-key",
-      envVar: "VOLCANO_ENGINE_API_KEY",
-      profileId: "volcengine:default",
-      setCredential: withStorage(setVolcengineApiKey),
-      applyConfig: (cfg) =>
-        applyPrimaryModel(
-          applyAuthProfileConfig(cfg, {
-            profileId: "volcengine:default",
-            provider: "volcengine",
-            mode: "api_key",
-          }),
-          "volcengine-plan/ark-code-latest",
-        ),
-    },
-    {
-      authChoices: ["byteplus-api-key"],
-      provider: "byteplus",
-      flagValue: params.opts.byteplusApiKey,
-      flagName: "--byteplus-api-key",
-      envVar: "BYTEPLUS_API_KEY",
-      profileId: "byteplus:default",
-      setCredential: withStorage(setByteplusApiKey),
-      applyConfig: (cfg) =>
-        applyPrimaryModel(
-          applyAuthProfileConfig(cfg, {
-            profileId: "byteplus:default",
-            provider: "byteplus",
-            mode: "api_key",
-          }),
-          "byteplus-plan/ark-code-latest",
-        ),
-    },
-    {
-      authChoices: ["qianfan-api-key"],
-      provider: "qianfan",
-      flagValue: params.opts.qianfanApiKey,
-      flagName: "--qianfan-api-key",
-      envVar: "QIANFAN_API_KEY",
-      profileId: "qianfan:default",
-      setCredential: withStorage(setQianfanApiKey),
-      applyConfig: (cfg) =>
-        applyQianfanConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "qianfan:default",
-            provider: "qianfan",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["modelstudio-api-key-cn"],
-      provider: "modelstudio",
-      flagValue: params.opts.modelstudioApiKeyCn,
-      flagName: "--modelstudio-api-key-cn",
-      envVar: "MODELSTUDIO_API_KEY",
-      profileId: "modelstudio:default",
-      setCredential: withStorage(setModelStudioApiKey),
-      applyConfig: (cfg) =>
-        applyModelStudioConfigCn(
-          applyAuthProfileConfig(cfg, {
-            profileId: "modelstudio:default",
-            provider: "modelstudio",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["modelstudio-api-key"],
-      provider: "modelstudio",
-      flagValue: params.opts.modelstudioApiKey,
-      flagName: "--modelstudio-api-key",
-      envVar: "MODELSTUDIO_API_KEY",
-      profileId: "modelstudio:default",
-      setCredential: withStorage(setModelStudioApiKey),
-      applyConfig: (cfg) =>
-        applyModelStudioConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "modelstudio:default",
-            provider: "modelstudio",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["openai-api-key"],
-      provider: "openai",
-      flagValue: params.opts.openaiApiKey,
-      flagName: "--openai-api-key",
-      envVar: "OPENAI_API_KEY",
-      profileId: "openai:default",
-      setCredential: withStorage(setOpenaiApiKey),
-      applyConfig: (cfg) =>
-        applyOpenAIConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "openai:default",
-            provider: "openai",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["openrouter-api-key"],
-      provider: "openrouter",
-      flagValue: params.opts.openrouterApiKey,
-      flagName: "--openrouter-api-key",
-      envVar: "OPENROUTER_API_KEY",
-      profileId: "openrouter:default",
-      setCredential: withStorage(setOpenrouterApiKey),
-      applyConfig: (cfg) =>
-        applyOpenrouterConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "openrouter:default",
-            provider: "openrouter",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["kilocode-api-key"],
-      provider: "kilocode",
-      flagValue: params.opts.kilocodeApiKey,
-      flagName: "--kilocode-api-key",
-      envVar: "KILOCODE_API_KEY",
-      profileId: "kilocode:default",
-      setCredential: withStorage(setKilocodeApiKey),
-      applyConfig: (cfg) =>
-        applyKilocodeConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "kilocode:default",
-            provider: "kilocode",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["litellm-api-key"],
-      provider: "litellm",
-      flagValue: params.opts.litellmApiKey,
-      flagName: "--litellm-api-key",
-      envVar: "LITELLM_API_KEY",
-      profileId: "litellm:default",
-      setCredential: withStorage(setLitellmApiKey),
-      applyConfig: (cfg) =>
-        applyLitellmConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "litellm:default",
-            provider: "litellm",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["ai-gateway-api-key"],
-      provider: "vercel-ai-gateway",
-      flagValue: params.opts.aiGatewayApiKey,
-      flagName: "--ai-gateway-api-key",
-      envVar: "AI_GATEWAY_API_KEY",
-      profileId: "vercel-ai-gateway:default",
-      setCredential: withStorage(setVercelAiGatewayApiKey),
-      applyConfig: (cfg) =>
-        applyVercelAiGatewayConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "vercel-ai-gateway:default",
-            provider: "vercel-ai-gateway",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["moonshot-api-key"],
-      provider: "moonshot",
-      flagValue: params.opts.moonshotApiKey,
-      flagName: "--moonshot-api-key",
-      envVar: "MOONSHOT_API_KEY",
-      profileId: "moonshot:default",
-      setCredential: withStorage(setMoonshotApiKey),
-      applyConfig: (cfg) =>
-        applyMoonshotConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "moonshot:default",
-            provider: "moonshot",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["moonshot-api-key-cn"],
-      provider: "moonshot",
-      flagValue: params.opts.moonshotApiKey,
-      flagName: "--moonshot-api-key",
-      envVar: "MOONSHOT_API_KEY",
-      profileId: "moonshot:default",
-      setCredential: withStorage(setMoonshotApiKey),
-      applyConfig: (cfg) =>
-        applyMoonshotConfigCn(
-          applyAuthProfileConfig(cfg, {
-            profileId: "moonshot:default",
-            provider: "moonshot",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["kimi-code-api-key"],
-      provider: "kimi-coding",
-      flagValue: params.opts.kimiCodeApiKey,
-      flagName: "--kimi-code-api-key",
-      envVar: "KIMI_API_KEY",
-      profileId: "kimi-coding:default",
-      setCredential: withStorage(setKimiCodingApiKey),
-      applyConfig: (cfg) =>
-        applyKimiCodeConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "kimi-coding:default",
-            provider: "kimi-coding",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["synthetic-api-key"],
-      provider: "synthetic",
-      flagValue: params.opts.syntheticApiKey,
-      flagName: "--synthetic-api-key",
-      envVar: "SYNTHETIC_API_KEY",
-      profileId: "synthetic:default",
-      setCredential: withStorage(setSyntheticApiKey),
-      applyConfig: (cfg) =>
-        applySyntheticConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "synthetic:default",
-            provider: "synthetic",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["venice-api-key"],
-      provider: "venice",
-      flagValue: params.opts.veniceApiKey,
-      flagName: "--venice-api-key",
-      envVar: "VENICE_API_KEY",
-      profileId: "venice:default",
-      setCredential: withStorage(setVeniceApiKey),
-      applyConfig: (cfg) =>
-        applyVeniceConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "venice:default",
-            provider: "venice",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["opencode-zen"],
-      provider: "opencode",
-      flagValue: params.opts.opencodeZenApiKey,
-      flagName: "--opencode-zen-api-key",
-      envVar: "OPENCODE_API_KEY (or OPENCODE_ZEN_API_KEY)",
-      profileId: "opencode:default",
-      setCredential: withStorage(setOpencodeZenApiKey),
-      applyConfig: (cfg) =>
-        applyOpencodeZenConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "opencode:default",
-            provider: "opencode",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["opencode-go"],
-      provider: "opencode-go",
-      flagValue: params.opts.opencodeGoApiKey,
-      flagName: "--opencode-go-api-key",
-      envVar: "OPENCODE_API_KEY",
-      profileId: "opencode-go:default",
-      setCredential: withStorage(setOpencodeGoApiKey),
-      applyConfig: (cfg) =>
-        applyOpencodeGoConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "opencode-go:default",
-            provider: "opencode-go",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["together-api-key"],
-      provider: "together",
-      flagValue: params.opts.togetherApiKey,
-      flagName: "--together-api-key",
-      envVar: "TOGETHER_API_KEY",
-      profileId: "together:default",
-      setCredential: withStorage(setTogetherApiKey),
-      applyConfig: (cfg) =>
-        applyTogetherConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "together:default",
-            provider: "together",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["huggingface-api-key"],
-      provider: "huggingface",
-      flagValue: params.opts.huggingfaceApiKey,
-      flagName: "--huggingface-api-key",
-      envVar: "HF_TOKEN",
-      profileId: "huggingface:default",
-      setCredential: withStorage(setHuggingfaceApiKey),
-      applyConfig: (cfg) =>
-        applyHuggingfaceConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "huggingface:default",
-            provider: "huggingface",
-            mode: "api_key",
-          }),
-        ),
-    },
-  ];
-}
-
 export async function applySimpleNonInteractiveApiKeyChoice(params: {
   authChoice: AuthChoice;
   nextConfig: OpenClawConfig;
@@ -514,19 +37,16 @@ export async function applySimpleNonInteractiveApiKeyChoice(params: {
     setter: (value: SecretInput) => Promise<void> | void,
   ) => Promise<boolean>;
 }): Promise<OpenClawConfig | null | undefined> {
-  const definition = buildSimpleApiKeyAuthChoices({
-    opts: params.opts,
-  }).find((entry) => entry.authChoices.includes(params.authChoice));
-  if (!definition) {
+  if (params.authChoice !== "litellm-api-key") {
     return undefined;
   }
 
   const resolved = await params.resolveApiKey({
-    provider: definition.provider,
+    provider: "litellm",
     cfg: params.baseConfig,
-    flagValue: definition.flagValue,
-    flagName: definition.flagName,
-    envVar: definition.envVar,
+    flagValue: params.opts.litellmApiKey,
+    flagName: "--litellm-api-key",
+    envVar: "LITELLM_API_KEY",
     runtime: params.runtime,
   });
   if (!resolved) {
@@ -534,10 +54,16 @@ export async function applySimpleNonInteractiveApiKeyChoice(params: {
   }
   if (
     !(await params.maybeSetResolvedApiKey(resolved, (value) =>
-      definition.setCredential(value, params.apiKeyStorageOptions),
+      setLitellmApiKey(value, undefined, params.apiKeyStorageOptions),
     ))
   ) {
     return null;
   }
-  return definition.applyConfig(params.nextConfig);
+  return applyLitellmConfig(
+    applyAuthProfileConfig(params.nextConfig, {
+      profileId: "litellm:default",
+      provider: "litellm",
+      mode: "api_key",
+    }),
+  );
 }
diff --git a/src/commands/onboard-non-interactive/local/auth-choice.plugin-providers.ts b/src/commands/onboard-non-interactive/local/auth-choice.plugin-providers.ts
index e5c8dedb12f..8d9b820fc52 100644
--- a/src/commands/onboard-non-interactive/local/auth-choice.plugin-providers.ts
+++ b/src/commands/onboard-non-interactive/local/auth-choice.plugin-providers.ts
@@ -1,4 +1,8 @@
-import { resolveDefaultAgentId, resolveAgentWorkspaceDir } from "../../../agents/agent-scope.js";
+import {
+  resolveAgentDir,
+  resolveDefaultAgentId,
+  resolveAgentWorkspaceDir,
+} from "../../../agents/agent-scope.js";
 import type { ApiKeyCredential } from "../../../agents/auth-profiles/types.js";
 import { resolveDefaultAgentWorkspaceDir } from "../../../agents/workspace.js";
 import type { OpenClawConfig } from "../../../config/config.js";
@@ -58,6 +62,7 @@ export async function applyNonInteractivePluginProviderChoice(params: {
   ) => ApiKeyCredential | null;
 }): Promise<OpenClawConfig | null | undefined> {
   const agentId = resolveDefaultAgentId(params.nextConfig);
+  const agentDir = resolveAgentDir(params.nextConfig, agentId);
   const workspaceDir =
     resolveAgentWorkspaceDir(params.nextConfig, agentId) ?? resolveDefaultAgentWorkspaceDir();
   const prefixedProviderId = params.authChoice.startsWith(PROVIDER_PLUGIN_CHOICE_PREFIX)
@@ -79,6 +84,8 @@ export async function applyNonInteractivePluginProviderChoice(params: {
     providers: resolvePluginProviders({
       config: resolutionConfig,
       workspaceDir,
+      bundledProviderAllowlistCompat: true,
+      bundledProviderVitestCompat: true,
     }),
     choice: params.authChoice,
   });
@@ -116,6 +123,7 @@ export async function applyNonInteractivePluginProviderChoice(params: {
     baseConfig: params.baseConfig,
     opts: params.opts,
     runtime: params.runtime,
+    agentDir,
     workspaceDir,
     resolveApiKey: params.resolveApiKey,
     toApiKeyCredential: params.toApiKeyCredential,
diff --git a/src/commands/onboard-non-interactive/local/auth-choice.test.ts b/src/commands/onboard-non-interactive/local/auth-choice.test.ts
index 9fe7a34cda9..b3255e7b4bb 100644
--- a/src/commands/onboard-non-interactive/local/auth-choice.test.ts
+++ b/src/commands/onboard-non-interactive/local/auth-choice.test.ts
@@ -32,11 +32,11 @@ function createRuntime() {
 }
 
 describe("applyNonInteractiveAuthChoice", () => {
-  it("resolves builtin API key auth before plugin provider resolution", async () => {
+  it("resolves plugin provider auth before builtin API key fallbacks", async () => {
     const runtime = createRuntime();
     const nextConfig = { agents: { defaults: {} } } as OpenClawConfig;
     const resolvedConfig = { auth: { profiles: { "openai:default": { mode: "api_key" } } } };
-    applySimpleNonInteractiveApiKeyChoice.mockResolvedValueOnce(resolvedConfig as never);
+    applyNonInteractivePluginProviderChoice.mockResolvedValueOnce(resolvedConfig as never);
 
     const result = await applyNonInteractiveAuthChoice({
       nextConfig,
@@ -47,7 +47,7 @@ describe("applyNonInteractiveAuthChoice", () => {
     });
 
     expect(result).toBe(resolvedConfig);
-    expect(applySimpleNonInteractiveApiKeyChoice).toHaveBeenCalledOnce();
-    expect(applyNonInteractivePluginProviderChoice).not.toHaveBeenCalled();
+    expect(applyNonInteractivePluginProviderChoice).toHaveBeenCalledOnce();
+    expect(applySimpleNonInteractiveApiKeyChoice).not.toHaveBeenCalled();
   });
 });
diff --git a/src/commands/onboard-non-interactive/local/auth-choice.ts b/src/commands/onboard-non-interactive/local/auth-choice.ts
index 6d360487ee9..c52be44afda 100644
--- a/src/commands/onboard-non-interactive/local/auth-choice.ts
+++ b/src/commands/onboard-non-interactive/local/auth-choice.ts
@@ -1,23 +1,14 @@
-import { upsertAuthProfile } from "../../../agents/auth-profiles.js";
 import type { ApiKeyCredential } from "../../../agents/auth-profiles/types.js";
-import { normalizeProviderId } from "../../../agents/model-selection.js";
-import { parseDurationMs } from "../../../cli/parse-duration.js";
 import type { OpenClawConfig } from "../../../config/config.js";
 import type { SecretInput } from "../../../config/types.secrets.js";
 import type { RuntimeEnv } from "../../../runtime.js";
 import { resolveDefaultSecretProviderAlias } from "../../../secrets/ref-contract.js";
-import { normalizeSecretInput } from "../../../utils/normalize-secret-input.js";
 import { normalizeSecretInputModeInput } from "../../auth-choice.apply-helpers.js";
-import { buildTokenProfileId, validateAnthropicSetupToken } from "../../auth-token.js";
+import { normalizeApiKeyTokenProviderAuthChoice } from "../../auth-choice.apply.api-providers.js";
 import {
   applyAuthProfileConfig,
   applyCloudflareAiGatewayConfig,
-  applyMinimaxApiConfig,
-  applyMinimaxApiConfigCn,
-  applyZaiConfig,
   setCloudflareAiGatewayConfig,
-  setMinimaxApiKey,
-  setZaiApiKey,
 } from "../../onboard-auth.js";
 import {
   applyCustomApiConfig,
@@ -26,7 +17,6 @@ import {
   resolveCustomProviderId,
 } from "../../onboard-custom.js";
 import type { AuthChoice, OnboardOptions } from "../../onboard-types.js";
-import { detectZaiEndpoint } from "../../zai-endpoint-detect.js";
 import { resolveNonInteractiveApiKey } from "../api-keys.js";
 import { applySimpleNonInteractiveApiKeyChoice } from "./auth-choice.api-key-providers.js";
 import { applyNonInteractivePluginProviderChoice } from "./auth-choice.plugin-providers.js";
@@ -42,7 +32,13 @@ export async function applyNonInteractiveAuthChoice(params: {
   runtime: RuntimeEnv;
   baseConfig: OpenClawConfig;
 }): Promise<OpenClawConfig | null> {
-  const { authChoice, opts, runtime, baseConfig } = params;
+  const { opts, runtime, baseConfig } = params;
+  const authChoice = normalizeApiKeyTokenProviderAuthChoice({
+    authChoice: params.authChoice,
+    tokenProvider: opts.tokenProvider,
+    config: params.nextConfig,
+    env: process.env,
+  });
   let nextConfig = params.nextConfig;
   const requestedSecretInputMode = normalizeSecretInputModeInput(opts.secretInputMode);
   if (opts.secretInputMode && !requestedSecretInputMode) {
@@ -161,59 +157,22 @@ export async function applyNonInteractiveAuthChoice(params: {
     return null;
   }
 
-  if (authChoice === "token") {
-    const providerRaw = opts.tokenProvider?.trim();
-    if (!providerRaw) {
-      runtime.error("Missing --token-provider for --auth-choice token.");
-      runtime.exit(1);
-      return null;
-    }
-    const provider = normalizeProviderId(providerRaw);
-    if (provider !== "anthropic") {
-      runtime.error("Only --token-provider anthropic is supported for --auth-choice token.");
-      runtime.exit(1);
-      return null;
-    }
-    const tokenRaw = normalizeSecretInput(opts.token);
-    if (!tokenRaw) {
-      runtime.error("Missing --token for --auth-choice token.");
-      runtime.exit(1);
-      return null;
-    }
-    const tokenError = validateAnthropicSetupToken(tokenRaw);
-    if (tokenError) {
-      runtime.error(tokenError);
-      runtime.exit(1);
-      return null;
-    }
-
-    let expires: number | undefined;
-    const expiresInRaw = opts.tokenExpiresIn?.trim();
-    if (expiresInRaw) {
-      try {
-        expires = Date.now() + parseDurationMs(expiresInRaw, { defaultUnit: "d" });
-      } catch (err) {
-        runtime.error(`Invalid --token-expires-in: ${String(err)}`);
-        runtime.exit(1);
-        return null;
-      }
-    }
-
-    const profileId = opts.tokenProfileId?.trim() || buildTokenProfileId({ provider, name: "" });
-    upsertAuthProfile({
-      profileId,
-      credential: {
-        type: "token",
-        provider,
-        token: tokenRaw.trim(),
-        ...(expires ? { expires } : {}),
-      },
-    });
-    return applyAuthProfileConfig(nextConfig, {
-      profileId,
-      provider,
-      mode: "token",
-    });
+  const pluginProviderChoice = await applyNonInteractivePluginProviderChoice({
+    nextConfig,
+    authChoice,
+    opts,
+    runtime,
+    baseConfig,
+    resolveApiKey: (input) =>
+      resolveApiKey({
+        ...input,
+        cfg: baseConfig,
+        runtime,
+      }),
+    toApiKeyCredential,
+  });
+  if (pluginProviderChoice !== undefined) {
+    return pluginProviderChoice;
   }
 
   const simpleApiKeyChoice = await applySimpleNonInteractiveApiKeyChoice({
@@ -230,72 +189,6 @@ export async function applyNonInteractiveAuthChoice(params: {
     return simpleApiKeyChoice;
   }
 
-  if (
-    authChoice === "zai-api-key" ||
-    authChoice === "zai-coding-global" ||
-    authChoice === "zai-coding-cn" ||
-    authChoice === "zai-global" ||
-    authChoice === "zai-cn"
-  ) {
-    const resolved = await resolveApiKey({
-      provider: "zai",
-      cfg: baseConfig,
-      flagValue: opts.zaiApiKey,
-      flagName: "--zai-api-key",
-      envVar: "ZAI_API_KEY",
-      runtime,
-    });
-    if (!resolved) {
-      return null;
-    }
-    if (
-      !(await maybeSetResolvedApiKey(resolved, (value) =>
-        setZaiApiKey(value, undefined, apiKeyStorageOptions),
-      ))
-    ) {
-      return null;
-    }
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: "zai:default",
-      provider: "zai",
-      mode: "api_key",
-    });
-
-    // Determine endpoint from authChoice or detect from the API key.
-    let endpoint: "global" | "cn" | "coding-global" | "coding-cn" | undefined;
-    let modelIdOverride: string | undefined;
-
-    if (authChoice === "zai-coding-global") {
-      endpoint = "coding-global";
-    } else if (authChoice === "zai-coding-cn") {
-      endpoint = "coding-cn";
-    } else if (authChoice === "zai-global") {
-      endpoint = "global";
-    } else if (authChoice === "zai-cn") {
-      endpoint = "cn";
-    }
-
-    if (endpoint) {
-      const detected = await detectZaiEndpoint({ apiKey: resolved.key, endpoint });
-      if (detected) {
-        modelIdOverride = detected.modelId;
-      }
-    } else {
-      const detected = await detectZaiEndpoint({ apiKey: resolved.key });
-      if (detected) {
-        endpoint = detected.endpoint;
-        modelIdOverride = detected.modelId;
-      } else {
-        endpoint = "global";
-      }
-    }
-
-    return applyZaiConfig(nextConfig, {
-      endpoint,
-      ...(modelIdOverride ? { modelId: modelIdOverride } : {}),
-    });
-  }
-
   if (authChoice === "cloudflare-ai-gateway-api-key") {
     const accountId = opts.cloudflareAiGatewayAccountId?.trim() ?? "";
     const gatewayId = opts.cloudflareAiGatewayGatewayId?.trim() ?? "";
@@ -362,38 +255,6 @@ export async function applyNonInteractiveAuthChoice(params: {
     return null;
   }
 
-  if (authChoice === "minimax-global-api" || authChoice === "minimax-cn-api") {
-    const isCn = authChoice === "minimax-cn-api";
-    const profileId = isCn ? "minimax:cn" : "minimax:global";
-    const resolved = await resolveApiKey({
-      provider: "minimax",
-      cfg: baseConfig,
-      flagValue: opts.minimaxApiKey,
-      flagName: "--minimax-api-key",
-      envVar: "MINIMAX_API_KEY",
-      runtime,
-      // Disable profile fallback: both regions share provider "minimax", so an existing
-      // Global profile key must not be silently reused when configuring CN (and vice versa).
-      allowProfile: false,
-    });
-    if (!resolved) {
-      return null;
-    }
-    if (
-      !(await maybeSetResolvedApiKey(resolved, (value) =>
-        setMinimaxApiKey(value, undefined, profileId, apiKeyStorageOptions),
-      ))
-    ) {
-      return null;
-    }
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId,
-      provider: "minimax",
-      mode: "api_key",
-    });
-    return isCn ? applyMinimaxApiConfigCn(nextConfig) : applyMinimaxApiConfig(nextConfig);
-  }
-
   if (authChoice === "custom-api-key") {
     try {
       const customAuth = parseNonInteractiveCustomApiFlags({
@@ -466,28 +327,9 @@ export async function applyNonInteractiveAuthChoice(params: {
     }
   }
 
-  const pluginProviderChoice = await applyNonInteractivePluginProviderChoice({
-    nextConfig,
-    authChoice,
-    opts,
-    runtime,
-    baseConfig,
-    resolveApiKey: (input) =>
-      resolveApiKey({
-        ...input,
-        cfg: baseConfig,
-        runtime,
-      }),
-    toApiKeyCredential,
-  });
-  if (pluginProviderChoice !== undefined) {
-    return pluginProviderChoice;
-  }
-
   if (
     authChoice === "oauth" ||
     authChoice === "chutes" ||
-    authChoice === "openai-codex" ||
     authChoice === "qwen-portal" ||
     authChoice === "minimax-global-oauth" ||
     authChoice === "minimax-cn-oauth"
diff --git a/src/commands/onboard-non-interactive/local/daemon-install.ts b/src/commands/onboard-non-interactive/local/daemon-install.ts
index 6236b410f75..1d4ed76d966 100644
--- a/src/commands/onboard-non-interactive/local/daemon-install.ts
+++ b/src/commands/onboard-non-interactive/local/daemon-install.ts
@@ -56,7 +56,7 @@ export async function installGatewayDaemonNonInteractive(params: {
       [
         "Gateway install blocked:",
         tokenResolution.unavailableReason,
-        "Fix gateway auth config/token input and rerun onboarding.",
+        "Fix gateway auth config/token input and rerun setup.",
       ].join(" "),
     );
     runtime.exit(1);
diff --git a/src/commands/onboard-non-interactive/remote.ts b/src/commands/onboard-non-interactive/remote.ts
index fa38cb9c43f..f58488b89e5 100644
--- a/src/commands/onboard-non-interactive/remote.ts
+++ b/src/commands/onboard-non-interactive/remote.ts
@@ -6,7 +6,7 @@ import type { RuntimeEnv } from "../../runtime.js";
 import { applyWizardMetadata } from "../onboard-helpers.js";
 import type { OnboardOptions } from "../onboard-types.js";
 
-export async function runNonInteractiveOnboardingRemote(params: {
+export async function runNonInteractiveRemoteSetup(params: {
   opts: OnboardOptions;
   runtime: RuntimeEnv;
   baseConfig: OpenClawConfig;
diff --git a/src/commands/onboard-provider-auth-flags.ts b/src/commands/onboard-provider-auth-flags.ts
deleted file mode 100644
index 53df8cdc4c8..00000000000
--- a/src/commands/onboard-provider-auth-flags.ts
+++ /dev/null
@@ -1,225 +0,0 @@
-import type { AuthChoice, OnboardOptions } from "./onboard-types.js";
-
-type OnboardProviderAuthOptionKey = keyof Pick<
-  OnboardOptions,
-  | "anthropicApiKey"
-  | "openaiApiKey"
-  | "mistralApiKey"
-  | "openrouterApiKey"
-  | "kilocodeApiKey"
-  | "aiGatewayApiKey"
-  | "cloudflareAiGatewayApiKey"
-  | "moonshotApiKey"
-  | "kimiCodeApiKey"
-  | "geminiApiKey"
-  | "zaiApiKey"
-  | "xiaomiApiKey"
-  | "minimaxApiKey"
-  | "syntheticApiKey"
-  | "veniceApiKey"
-  | "togetherApiKey"
-  | "huggingfaceApiKey"
-  | "opencodeZenApiKey"
-  | "opencodeGoApiKey"
-  | "xaiApiKey"
-  | "litellmApiKey"
-  | "qianfanApiKey"
-  | "modelstudioApiKeyCn"
-  | "modelstudioApiKey"
-  | "volcengineApiKey"
-  | "byteplusApiKey"
->;
-
-export type OnboardProviderAuthFlag = {
-  optionKey: OnboardProviderAuthOptionKey;
-  authChoice: AuthChoice;
-  cliFlag: `--${string}`;
-  cliOption: `--${string} <key>`;
-  description: string;
-};
-
-// Shared source for provider API-key flags used by CLI registration + non-interactive inference.
-export const ONBOARD_PROVIDER_AUTH_FLAGS: ReadonlyArray<OnboardProviderAuthFlag> = [
-  {
-    optionKey: "anthropicApiKey",
-    authChoice: "apiKey",
-    cliFlag: "--anthropic-api-key",
-    cliOption: "--anthropic-api-key <key>",
-    description: "Anthropic API key",
-  },
-  {
-    optionKey: "openaiApiKey",
-    authChoice: "openai-api-key",
-    cliFlag: "--openai-api-key",
-    cliOption: "--openai-api-key <key>",
-    description: "OpenAI API key",
-  },
-  {
-    optionKey: "mistralApiKey",
-    authChoice: "mistral-api-key",
-    cliFlag: "--mistral-api-key",
-    cliOption: "--mistral-api-key <key>",
-    description: "Mistral API key",
-  },
-  {
-    optionKey: "openrouterApiKey",
-    authChoice: "openrouter-api-key",
-    cliFlag: "--openrouter-api-key",
-    cliOption: "--openrouter-api-key <key>",
-    description: "OpenRouter API key",
-  },
-  {
-    optionKey: "kilocodeApiKey",
-    authChoice: "kilocode-api-key",
-    cliFlag: "--kilocode-api-key",
-    cliOption: "--kilocode-api-key <key>",
-    description: "Kilo Gateway API key",
-  },
-  {
-    optionKey: "aiGatewayApiKey",
-    authChoice: "ai-gateway-api-key",
-    cliFlag: "--ai-gateway-api-key",
-    cliOption: "--ai-gateway-api-key <key>",
-    description: "Vercel AI Gateway API key",
-  },
-  {
-    optionKey: "cloudflareAiGatewayApiKey",
-    authChoice: "cloudflare-ai-gateway-api-key",
-    cliFlag: "--cloudflare-ai-gateway-api-key",
-    cliOption: "--cloudflare-ai-gateway-api-key <key>",
-    description: "Cloudflare AI Gateway API key",
-  },
-  {
-    optionKey: "moonshotApiKey",
-    authChoice: "moonshot-api-key",
-    cliFlag: "--moonshot-api-key",
-    cliOption: "--moonshot-api-key <key>",
-    description: "Moonshot API key",
-  },
-  {
-    optionKey: "kimiCodeApiKey",
-    authChoice: "kimi-code-api-key",
-    cliFlag: "--kimi-code-api-key",
-    cliOption: "--kimi-code-api-key <key>",
-    description: "Kimi Coding API key",
-  },
-  {
-    optionKey: "geminiApiKey",
-    authChoice: "gemini-api-key",
-    cliFlag: "--gemini-api-key",
-    cliOption: "--gemini-api-key <key>",
-    description: "Gemini API key",
-  },
-  {
-    optionKey: "zaiApiKey",
-    authChoice: "zai-api-key",
-    cliFlag: "--zai-api-key",
-    cliOption: "--zai-api-key <key>",
-    description: "Z.AI API key",
-  },
-  {
-    optionKey: "xiaomiApiKey",
-    authChoice: "xiaomi-api-key",
-    cliFlag: "--xiaomi-api-key",
-    cliOption: "--xiaomi-api-key <key>",
-    description: "Xiaomi API key",
-  },
-  {
-    optionKey: "minimaxApiKey",
-    authChoice: "minimax-global-api",
-    cliFlag: "--minimax-api-key",
-    cliOption: "--minimax-api-key <key>",
-    description: "MiniMax API key",
-  },
-  {
-    optionKey: "syntheticApiKey",
-    authChoice: "synthetic-api-key",
-    cliFlag: "--synthetic-api-key",
-    cliOption: "--synthetic-api-key <key>",
-    description: "Synthetic API key",
-  },
-  {
-    optionKey: "veniceApiKey",
-    authChoice: "venice-api-key",
-    cliFlag: "--venice-api-key",
-    cliOption: "--venice-api-key <key>",
-    description: "Venice API key",
-  },
-  {
-    optionKey: "togetherApiKey",
-    authChoice: "together-api-key",
-    cliFlag: "--together-api-key",
-    cliOption: "--together-api-key <key>",
-    description: "Together AI API key",
-  },
-  {
-    optionKey: "huggingfaceApiKey",
-    authChoice: "huggingface-api-key",
-    cliFlag: "--huggingface-api-key",
-    cliOption: "--huggingface-api-key <key>",
-    description: "Hugging Face API key (HF token)",
-  },
-  {
-    optionKey: "opencodeZenApiKey",
-    authChoice: "opencode-zen",
-    cliFlag: "--opencode-zen-api-key",
-    cliOption: "--opencode-zen-api-key <key>",
-    description: "OpenCode API key (Zen catalog)",
-  },
-  {
-    optionKey: "opencodeGoApiKey",
-    authChoice: "opencode-go",
-    cliFlag: "--opencode-go-api-key",
-    cliOption: "--opencode-go-api-key <key>",
-    description: "OpenCode API key (Go catalog)",
-  },
-  {
-    optionKey: "xaiApiKey",
-    authChoice: "xai-api-key",
-    cliFlag: "--xai-api-key",
-    cliOption: "--xai-api-key <key>",
-    description: "xAI API key",
-  },
-  {
-    optionKey: "litellmApiKey",
-    authChoice: "litellm-api-key",
-    cliFlag: "--litellm-api-key",
-    cliOption: "--litellm-api-key <key>",
-    description: "LiteLLM API key",
-  },
-  {
-    optionKey: "qianfanApiKey",
-    authChoice: "qianfan-api-key",
-    cliFlag: "--qianfan-api-key",
-    cliOption: "--qianfan-api-key <key>",
-    description: "QIANFAN API key",
-  },
-  {
-    optionKey: "modelstudioApiKeyCn",
-    authChoice: "modelstudio-api-key-cn",
-    cliFlag: "--modelstudio-api-key-cn",
-    cliOption: "--modelstudio-api-key-cn <key>",
-    description: "Alibaba Cloud Model Studio Coding Plan API key (China)",
-  },
-  {
-    optionKey: "modelstudioApiKey",
-    authChoice: "modelstudio-api-key",
-    cliFlag: "--modelstudio-api-key",
-    cliOption: "--modelstudio-api-key <key>",
-    description: "Alibaba Cloud Model Studio Coding Plan API key (Global/Intl)",
-  },
-  {
-    optionKey: "volcengineApiKey",
-    authChoice: "volcengine-api-key",
-    cliFlag: "--volcengine-api-key",
-    cliOption: "--volcengine-api-key <key>",
-    description: "Volcano Engine API key",
-  },
-  {
-    optionKey: "byteplusApiKey",
-    authChoice: "byteplus-api-key",
-    cliFlag: "--byteplus-api-key",
-    cliOption: "--byteplus-api-key <key>",
-    description: "BytePlus API key",
-  },
-];
diff --git a/src/commands/onboard-remote.ts b/src/commands/onboard-remote.ts
index 665d3ad3d26..2f213df4853 100644
--- a/src/commands/onboard-remote.ts
+++ b/src/commands/onboard-remote.ts
@@ -6,7 +6,7 @@ import { discoverGatewayBeacons } from "../infra/bonjour-discovery.js";
 import { resolveWideAreaDiscoveryDomain } from "../infra/widearea-dns.js";
 import type { WizardPrompter } from "../wizard/prompts.js";
 import {
-  promptSecretRefForOnboarding,
+  promptSecretRefForSetup,
   resolveSecretInputModeForEnvSelection,
 } from "./auth-choice.apply-helpers.js";
 import { detectBinary } from "./onboard-helpers.js";
@@ -175,7 +175,7 @@ export async function promptRemoteGatewayConfig(
       },
     });
     if (selectedMode === "ref") {
-      const resolved = await promptSecretRefForOnboarding({
+      const resolved = await promptSecretRefForSetup({
         provider: "gateway-remote-token",
         config: cfg,
         prompter,
@@ -207,7 +207,7 @@ export async function promptRemoteGatewayConfig(
       },
     });
     if (selectedMode === "ref") {
-      const resolved = await promptSecretRefForOnboarding({
+      const resolved = await promptSecretRefForSetup({
         provider: "gateway-remote-password",
         config: cfg,
         prompter,
diff --git a/src/commands/onboard-search.test.ts b/src/commands/onboard-search.test.ts
index 10e2df9f81b..00bfd6382a6 100644
--- a/src/commands/onboard-search.test.ts
+++ b/src/commands/onboard-search.test.ts
@@ -116,6 +116,19 @@ describe("setupSearch", () => {
     expect(result.tools?.web?.search?.gemini?.apiKey).toBe("AIza-test");
   });
 
+  it("sets provider and key for firecrawl and enables the plugin", async () => {
+    const cfg: OpenClawConfig = {};
+    const { prompter } = createPrompter({
+      selectValue: "firecrawl",
+      textValue: "fc-test-key",
+    });
+    const result = await setupSearch(cfg, runtime, prompter);
+    expect(result.tools?.web?.search?.provider).toBe("firecrawl");
+    expect(result.tools?.web?.search?.enabled).toBe(true);
+    expect(result.tools?.web?.search?.firecrawl?.apiKey).toBe("fc-test-key");
+    expect(result.plugins?.entries?.firecrawl?.enabled).toBe(true);
+  });
+
   it("sets provider and key for grok", async () => {
     const cfg: OpenClawConfig = {};
     const { prompter } = createPrompter({
@@ -244,18 +257,66 @@ describe("setupSearch", () => {
   });
 
   it("stores env-backed SecretRef when secretInputMode=ref for perplexity", async () => {
+    const originalPerplexity = process.env.PERPLEXITY_API_KEY;
+    const originalOpenRouter = process.env.OPENROUTER_API_KEY;
+    delete process.env.PERPLEXITY_API_KEY;
+    delete process.env.OPENROUTER_API_KEY;
     const cfg: OpenClawConfig = {};
-    const { prompter } = createPrompter({ selectValue: "perplexity" });
-    const result = await setupSearch(cfg, runtime, prompter, {
-      secretInputMode: "ref", // pragma: allowlist secret
-    });
-    expect(result.tools?.web?.search?.provider).toBe("perplexity");
-    expect(result.tools?.web?.search?.perplexity?.apiKey).toEqual({
-      source: "env",
-      provider: "default",
-      id: "PERPLEXITY_API_KEY", // pragma: allowlist secret
-    });
-    expect(prompter.text).not.toHaveBeenCalled();
+    try {
+      const { prompter } = createPrompter({ selectValue: "perplexity" });
+      const result = await setupSearch(cfg, runtime, prompter, {
+        secretInputMode: "ref", // pragma: allowlist secret
+      });
+      expect(result.tools?.web?.search?.provider).toBe("perplexity");
+      expect(result.tools?.web?.search?.perplexity?.apiKey).toEqual({
+        source: "env",
+        provider: "default",
+        id: "PERPLEXITY_API_KEY", // pragma: allowlist secret
+      });
+      expect(prompter.text).not.toHaveBeenCalled();
+    } finally {
+      if (originalPerplexity === undefined) {
+        delete process.env.PERPLEXITY_API_KEY;
+      } else {
+        process.env.PERPLEXITY_API_KEY = originalPerplexity;
+      }
+      if (originalOpenRouter === undefined) {
+        delete process.env.OPENROUTER_API_KEY;
+      } else {
+        process.env.OPENROUTER_API_KEY = originalOpenRouter;
+      }
+    }
+  });
+
+  it("prefers detected OPENROUTER_API_KEY SecretRef for perplexity ref mode", async () => {
+    const originalPerplexity = process.env.PERPLEXITY_API_KEY;
+    const originalOpenRouter = process.env.OPENROUTER_API_KEY;
+    delete process.env.PERPLEXITY_API_KEY;
+    process.env.OPENROUTER_API_KEY = "sk-or-test";
+    const cfg: OpenClawConfig = {};
+    try {
+      const { prompter } = createPrompter({ selectValue: "perplexity" });
+      const result = await setupSearch(cfg, runtime, prompter, {
+        secretInputMode: "ref", // pragma: allowlist secret
+      });
+      expect(result.tools?.web?.search?.perplexity?.apiKey).toEqual({
+        source: "env",
+        provider: "default",
+        id: "OPENROUTER_API_KEY", // pragma: allowlist secret
+      });
+      expect(prompter.text).not.toHaveBeenCalled();
+    } finally {
+      if (originalPerplexity === undefined) {
+        delete process.env.PERPLEXITY_API_KEY;
+      } else {
+        process.env.PERPLEXITY_API_KEY = originalPerplexity;
+      }
+      if (originalOpenRouter === undefined) {
+        delete process.env.OPENROUTER_API_KEY;
+      } else {
+        process.env.OPENROUTER_API_KEY = originalOpenRouter;
+      }
+    }
   });
 
   it("stores env-backed SecretRef when secretInputMode=ref for brave", async () => {
@@ -283,9 +344,9 @@ describe("setupSearch", () => {
     expect(result.tools?.web?.search?.apiKey).toBe("BSA-plain");
   });
 
-  it("exports all 5 providers in SEARCH_PROVIDER_OPTIONS", () => {
-    expect(SEARCH_PROVIDER_OPTIONS).toHaveLength(5);
+  it("exports all 6 providers in SEARCH_PROVIDER_OPTIONS", () => {
+    expect(SEARCH_PROVIDER_OPTIONS).toHaveLength(6);
     const values = SEARCH_PROVIDER_OPTIONS.map((e) => e.value);
-    expect(values).toEqual(["brave", "gemini", "grok", "kimi", "perplexity"]);
+    expect(values).toEqual(["brave", "gemini", "grok", "kimi", "perplexity", "firecrawl"]);
   });
 });
diff --git a/src/commands/onboard-search.ts b/src/commands/onboard-search.ts
index df2f4643b60..72fafe461d2 100644
--- a/src/commands/onboard-search.ts
+++ b/src/commands/onboard-search.ts
@@ -6,11 +6,27 @@ import {
   hasConfiguredSecretInput,
   normalizeSecretInputString,
 } from "../config/types.secrets.js";
+import { enablePluginInConfig } from "../plugins/enable.js";
+import { resolvePluginWebSearchProviders } from "../plugins/web-search-providers.js";
 import type { RuntimeEnv } from "../runtime.js";
 import type { WizardPrompter } from "../wizard/prompts.js";
 import type { SecretInputMode } from "./onboard-types.js";
 
-export type SearchProvider = "brave" | "gemini" | "grok" | "kimi" | "perplexity";
+export type SearchProvider = NonNullable<
+  NonNullable<NonNullable<NonNullable<OpenClawConfig["tools"]>["web"]>["search"]>["provider"]
+>;
+
+const SEARCH_PROVIDER_IDS = ["brave", "firecrawl", "gemini", "grok", "kimi", "perplexity"] as const;
+
+function isSearchProvider(value: string): value is SearchProvider {
+  return (SEARCH_PROVIDER_IDS as readonly string[]).includes(value);
+}
+
+function hasSearchProviderId<T extends { id: string }>(
+  provider: T,
+): provider is T & { id: SearchProvider } {
+  return isSearchProvider(provider.id);
+}
 
 type SearchProviderEntry = {
   value: SearchProvider;
@@ -21,48 +37,19 @@ type SearchProviderEntry = {
   signupUrl: string;
 };
 
-export const SEARCH_PROVIDER_OPTIONS: readonly SearchProviderEntry[] = [
-  {
-    value: "brave",
-    label: "Brave Search",
-    hint: "Structured results · country/language/time filters",
-    envKeys: ["BRAVE_API_KEY"],
-    placeholder: "BSA...",
-    signupUrl: "https://brave.com/search/api/",
-  },
-  {
-    value: "gemini",
-    label: "Gemini (Google Search)",
-    hint: "Google Search grounding · AI-synthesized",
-    envKeys: ["GEMINI_API_KEY"],
-    placeholder: "AIza...",
-    signupUrl: "https://aistudio.google.com/apikey",
-  },
-  {
-    value: "grok",
-    label: "Grok (xAI)",
-    hint: "xAI web-grounded responses",
-    envKeys: ["XAI_API_KEY"],
-    placeholder: "xai-...",
-    signupUrl: "https://console.x.ai/",
-  },
-  {
-    value: "kimi",
-    label: "Kimi (Moonshot)",
-    hint: "Moonshot web search",
-    envKeys: ["KIMI_API_KEY", "MOONSHOT_API_KEY"],
-    placeholder: "sk-...",
-    signupUrl: "https://platform.moonshot.cn/",
-  },
-  {
-    value: "perplexity",
-    label: "Perplexity Search",
-    hint: "Structured results · domain/country/language/time filters",
-    envKeys: ["PERPLEXITY_API_KEY"],
-    placeholder: "pplx-...",
-    signupUrl: "https://www.perplexity.ai/settings/api",
-  },
-] as const;
+export const SEARCH_PROVIDER_OPTIONS: readonly SearchProviderEntry[] =
+  resolvePluginWebSearchProviders({
+    bundledAllowlistCompat: true,
+  })
+    .filter(hasSearchProviderId)
+    .map((provider) => ({
+      value: provider.id,
+      label: provider.label,
+      hint: provider.hint,
+      envKeys: provider.envVars,
+      placeholder: provider.placeholder,
+      signupUrl: provider.signupUrl,
+    }));
 
 export function hasKeyInEnv(entry: SearchProviderEntry): boolean {
   return entry.envKeys.some((k) => Boolean(process.env[k]?.trim()));
@@ -70,18 +57,11 @@ export function hasKeyInEnv(entry: SearchProviderEntry): boolean {
 
 function rawKeyValue(config: OpenClawConfig, provider: SearchProvider): unknown {
   const search = config.tools?.web?.search;
-  switch (provider) {
-    case "brave":
-      return search?.apiKey;
-    case "gemini":
-      return search?.gemini?.apiKey;
-    case "grok":
-      return search?.grok?.apiKey;
-    case "kimi":
-      return search?.kimi?.apiKey;
-    case "perplexity":
-      return search?.perplexity?.apiKey;
-  }
+  const entry = resolvePluginWebSearchProviders({
+    config,
+    bundledAllowlistCompat: true,
+  }).find((candidate) => candidate.id === provider);
+  return entry?.getCredentialValue(search as Record<string, unknown> | undefined);
 }
 
 /** Returns the plaintext key string, or undefined for SecretRefs/missing. */
@@ -128,34 +108,28 @@ export function applySearchKey(
   key: SecretInput,
 ): OpenClawConfig {
   const search = { ...config.tools?.web?.search, provider, enabled: true };
-  switch (provider) {
-    case "brave":
-      search.apiKey = key;
-      break;
-    case "gemini":
-      search.gemini = { ...search.gemini, apiKey: key };
-      break;
-    case "grok":
-      search.grok = { ...search.grok, apiKey: key };
-      break;
-    case "kimi":
-      search.kimi = { ...search.kimi, apiKey: key };
-      break;
-    case "perplexity":
-      search.perplexity = { ...search.perplexity, apiKey: key };
-      break;
+  const entry = resolvePluginWebSearchProviders({
+    config,
+    bundledAllowlistCompat: true,
+  }).find((candidate) => candidate.id === provider);
+  if (entry) {
+    entry.setCredentialValue(search as Record<string, unknown>, key);
   }
-  return {
+  const next = {
     ...config,
     tools: {
       ...config.tools,
       web: { ...config.tools?.web, search },
     },
   };
+  if (provider !== "firecrawl") {
+    return next;
+  }
+  return enablePluginInConfig(next, "firecrawl").config;
 }
 
 function applyProviderOnly(config: OpenClawConfig, provider: SearchProvider): OpenClawConfig {
-  return {
+  const next = {
     ...config,
     tools: {
       ...config.tools,
@@ -169,6 +143,10 @@ function applyProviderOnly(config: OpenClawConfig, provider: SearchProvider): Op
       },
     },
   };
+  if (provider !== "firecrawl") {
+    return next;
+  }
+  return enablePluginInConfig(next, "firecrawl").config;
 }
 
 function preserveDisabledState(original: OpenClawConfig, result: OpenClawConfig): OpenClawConfig {
@@ -236,7 +214,7 @@ export async function setupSearch(
         hint: "Configure later with openclaw configure --section web",
       },
     ],
-    initialValue: defaultProvider as PickerValue,
+    initialValue: defaultProvider,
   });
 
   if (choice === "__skip__") {
diff --git a/src/commands/onboard-types.ts b/src/commands/onboard-types.ts
index f7a89a8b971..9d738298e52 100644
--- a/src/commands/onboard-types.ts
+++ b/src/commands/onboard-types.ts
@@ -98,7 +98,7 @@ export type OnboardOptions = {
   flow?: "quickstart" | "advanced" | "manual";
   workspace?: string;
   nonInteractive?: boolean;
-  /** Required for non-interactive onboarding; skips the interactive risk prompt when true. */
+  /** Required for non-interactive setup; skips the interactive risk prompt when true. */
   acceptRisk?: boolean;
   reset?: boolean;
   resetScope?: ResetScope;
@@ -111,7 +111,7 @@ export type OnboardOptions = {
   tokenProfileId?: string;
   /** Used when `authChoice=token` in non-interactive mode. */
   tokenExpiresIn?: string;
-  /** API key persistence mode for onboarding flows (default: plaintext). */
+  /** API key persistence mode for setup flows (default: plaintext). */
   secretInputMode?: SecretInputMode;
   anthropicApiKey?: string;
   openaiApiKey?: string;
diff --git a/src/commands/onboard.test.ts b/src/commands/onboard.test.ts
index 5d1dc20634d..daa0899dd87 100644
--- a/src/commands/onboard.test.ts
+++ b/src/commands/onboard.test.ts
@@ -3,18 +3,18 @@ import { afterEach, describe, expect, it, vi } from "vitest";
 import type { RuntimeEnv } from "../runtime.js";
 
 const mocks = vi.hoisted(() => ({
-  runInteractiveOnboarding: vi.fn(async () => {}),
-  runNonInteractiveOnboarding: vi.fn(async () => {}),
+  runInteractiveSetup: vi.fn(async () => {}),
+  runNonInteractiveSetup: vi.fn(async () => {}),
   readConfigFileSnapshot: vi.fn(async () => ({ exists: false, valid: false, config: {} })),
   handleReset: vi.fn(async () => {}),
 }));
 
 vi.mock("./onboard-interactive.js", () => ({
-  runInteractiveOnboarding: mocks.runInteractiveOnboarding,
+  runInteractiveSetup: mocks.runInteractiveSetup,
 }));
 
 vi.mock("./onboard-non-interactive.js", () => ({
-  runNonInteractiveOnboarding: mocks.runNonInteractiveOnboarding,
+  runNonInteractiveSetup: mocks.runNonInteractiveSetup,
 }));
 
 vi.mock("../config/config.js", () => ({
@@ -26,7 +26,7 @@ vi.mock("./onboard-helpers.js", () => ({
   handleReset: mocks.handleReset,
 }));
 
-const { onboardCommand } = await import("./onboard.js");
+const { onboardCommand, setupWizardCommand } = await import("./onboard.js");
 
 function makeRuntime(): RuntimeEnv {
   return {
@@ -36,16 +36,16 @@ function makeRuntime(): RuntimeEnv {
   };
 }
 
-describe("onboardCommand", () => {
+describe("setupWizardCommand", () => {
   afterEach(() => {
     vi.clearAllMocks();
     mocks.readConfigFileSnapshot.mockResolvedValue({ exists: false, valid: false, config: {} });
   });
 
-  it("fails fast for invalid secret-input-mode before onboarding starts", async () => {
+  it("fails fast for invalid secret-input-mode before setup starts", async () => {
     const runtime = makeRuntime();
 
-    await onboardCommand(
+    await setupWizardCommand(
       {
         secretInputMode: "invalid" as never, // pragma: allowlist secret
       },
@@ -56,16 +56,16 @@ describe("onboardCommand", () => {
       'Invalid --secret-input-mode. Use "plaintext" or "ref".',
     );
     expect(runtime.exit).toHaveBeenCalledWith(1);
-    expect(mocks.runInteractiveOnboarding).not.toHaveBeenCalled();
-    expect(mocks.runNonInteractiveOnboarding).not.toHaveBeenCalled();
+    expect(mocks.runInteractiveSetup).not.toHaveBeenCalled();
+    expect(mocks.runNonInteractiveSetup).not.toHaveBeenCalled();
   });
 
-  it("logs ASCII-safe Windows guidance before onboarding", async () => {
+  it("logs ASCII-safe Windows guidance before setup", async () => {
     const runtime = makeRuntime();
     const platformSpy = vi.spyOn(process, "platform", "get").mockReturnValue("win32");
 
     try {
-      await onboardCommand({}, runtime);
+      await setupWizardCommand({}, runtime);
 
       expect(runtime.log).toHaveBeenCalledWith(
         [
@@ -83,7 +83,7 @@ describe("onboardCommand", () => {
   it("defaults --reset to config+creds+sessions scope", async () => {
     const runtime = makeRuntime();
 
-    await onboardCommand(
+    await setupWizardCommand(
       {
         reset: true,
       },
@@ -111,7 +111,7 @@ describe("onboardCommand", () => {
       },
     });
 
-    await onboardCommand(
+    await setupWizardCommand(
       {
         reset: true,
       },
@@ -128,7 +128,7 @@ describe("onboardCommand", () => {
   it("accepts explicit --reset-scope full", async () => {
     const runtime = makeRuntime();
 
-    await onboardCommand(
+    await setupWizardCommand(
       {
         reset: true,
         resetScope: "full",
@@ -142,7 +142,7 @@ describe("onboardCommand", () => {
   it("fails fast for invalid --reset-scope", async () => {
     const runtime = makeRuntime();
 
-    await onboardCommand(
+    await setupWizardCommand(
       {
         reset: true,
         resetScope: "invalid" as never,
@@ -155,7 +155,11 @@ describe("onboardCommand", () => {
     );
     expect(runtime.exit).toHaveBeenCalledWith(1);
     expect(mocks.handleReset).not.toHaveBeenCalled();
-    expect(mocks.runInteractiveOnboarding).not.toHaveBeenCalled();
-    expect(mocks.runNonInteractiveOnboarding).not.toHaveBeenCalled();
+    expect(mocks.runInteractiveSetup).not.toHaveBeenCalled();
+    expect(mocks.runNonInteractiveSetup).not.toHaveBeenCalled();
+  });
+
+  it("keeps onboardCommand as an alias for setupWizardCommand", () => {
+    expect(onboardCommand).toBe(setupWizardCommand);
   });
 });
diff --git a/src/commands/onboard.ts b/src/commands/onboard.ts
index 6762998f815..c9af3fbf937 100644
--- a/src/commands/onboard.ts
+++ b/src/commands/onboard.ts
@@ -6,13 +6,16 @@ import { defaultRuntime } from "../runtime.js";
 import { resolveUserPath } from "../utils.js";
 import { isDeprecatedAuthChoice, normalizeLegacyOnboardAuthChoice } from "./auth-choice-legacy.js";
 import { DEFAULT_WORKSPACE, handleReset } from "./onboard-helpers.js";
-import { runInteractiveOnboarding } from "./onboard-interactive.js";
-import { runNonInteractiveOnboarding } from "./onboard-non-interactive.js";
+import { runInteractiveSetup } from "./onboard-interactive.js";
+import { runNonInteractiveSetup } from "./onboard-non-interactive.js";
 import type { OnboardOptions, ResetScope } from "./onboard-types.js";
 
 const VALID_RESET_SCOPES = new Set<ResetScope>(["config", "config+creds+sessions", "full"]);
 
-export async function onboardCommand(opts: OnboardOptions, runtime: RuntimeEnv = defaultRuntime) {
+export async function setupWizardCommand(
+  opts: OnboardOptions,
+  runtime: RuntimeEnv = defaultRuntime,
+) {
   assertSupportedRuntime(runtime);
   const originalAuthChoice = opts.authChoice;
   const normalizedAuthChoice = normalizeLegacyOnboardAuthChoice(originalAuthChoice);
@@ -56,7 +59,7 @@ export async function onboardCommand(opts: OnboardOptions, runtime: RuntimeEnv =
   if (normalizedOpts.nonInteractive && normalizedOpts.acceptRisk !== true) {
     runtime.error(
       [
-        "Non-interactive onboarding requires explicit risk acknowledgement.",
+        "Non-interactive setup requires explicit risk acknowledgement.",
         "Read: https://docs.openclaw.ai/security",
         `Re-run with: ${formatCliCommand("openclaw onboard --non-interactive --accept-risk ...")}`,
       ].join("\n"),
@@ -86,11 +89,14 @@ export async function onboardCommand(opts: OnboardOptions, runtime: RuntimeEnv =
   }
 
   if (normalizedOpts.nonInteractive) {
-    await runNonInteractiveOnboarding(normalizedOpts, runtime);
+    await runNonInteractiveSetup(normalizedOpts, runtime);
     return;
   }
 
-  await runInteractiveOnboarding(normalizedOpts, runtime);
+  await runInteractiveSetup(normalizedOpts, runtime);
 }
 
+export const onboardCommand = setupWizardCommand;
+
 export type { OnboardOptions } from "./onboard-types.js";
+export type { OnboardOptions as SetupWizardOptions } from "./onboard-types.js";
diff --git a/src/commands/onboarding/registry.ts b/src/commands/onboarding/registry.ts
deleted file mode 100644
index 14074daf193..00000000000
--- a/src/commands/onboarding/registry.ts
+++ /dev/null
@@ -1,95 +0,0 @@
-import { discordPlugin } from "../../../extensions/discord/src/channel.js";
-import { imessagePlugin } from "../../../extensions/imessage/src/channel.js";
-import { signalPlugin } from "../../../extensions/signal/src/channel.js";
-import { slackPlugin } from "../../../extensions/slack/src/channel.js";
-import { telegramPlugin } from "../../../extensions/telegram/src/channel.js";
-import { whatsappPlugin } from "../../../extensions/whatsapp/src/channel.js";
-import { listChannelSetupPlugins } from "../../channels/plugins/setup-registry.js";
-import { buildChannelOnboardingAdapterFromSetupWizard } from "../../channels/plugins/setup-wizard.js";
-import type { ChannelChoice } from "../onboard-types.js";
-import type { ChannelOnboardingAdapter } from "./types.js";
-
-const telegramOnboardingAdapter = buildChannelOnboardingAdapterFromSetupWizard({
-  plugin: telegramPlugin,
-  wizard: telegramPlugin.setupWizard!,
-});
-const discordOnboardingAdapter = buildChannelOnboardingAdapterFromSetupWizard({
-  plugin: discordPlugin,
-  wizard: discordPlugin.setupWizard!,
-});
-const slackOnboardingAdapter = buildChannelOnboardingAdapterFromSetupWizard({
-  plugin: slackPlugin,
-  wizard: slackPlugin.setupWizard!,
-});
-const signalOnboardingAdapter = buildChannelOnboardingAdapterFromSetupWizard({
-  plugin: signalPlugin,
-  wizard: signalPlugin.setupWizard!,
-});
-const imessageOnboardingAdapter = buildChannelOnboardingAdapterFromSetupWizard({
-  plugin: imessagePlugin,
-  wizard: imessagePlugin.setupWizard!,
-});
-const whatsappOnboardingAdapter = buildChannelOnboardingAdapterFromSetupWizard({
-  plugin: whatsappPlugin,
-  wizard: whatsappPlugin.setupWizard!,
-});
-
-const BUILTIN_ONBOARDING_ADAPTERS: ChannelOnboardingAdapter[] = [
-  telegramOnboardingAdapter,
-  whatsappOnboardingAdapter,
-  discordOnboardingAdapter,
-  slackOnboardingAdapter,
-  signalOnboardingAdapter,
-  imessageOnboardingAdapter,
-];
-
-const setupWizardAdapters = new WeakMap<object, ChannelOnboardingAdapter>();
-
-function resolveChannelOnboardingAdapter(
-  plugin: ReturnType<typeof listChannelSetupPlugins>[number],
-): ChannelOnboardingAdapter | undefined {
-  if (plugin.setupWizard) {
-    const cached = setupWizardAdapters.get(plugin);
-    if (cached) {
-      return cached;
-    }
-    const adapter = buildChannelOnboardingAdapterFromSetupWizard({
-      plugin,
-      wizard: plugin.setupWizard,
-    });
-    setupWizardAdapters.set(plugin, adapter);
-    return adapter;
-  }
-  if (plugin.onboarding) {
-    return plugin.onboarding;
-  }
-  return undefined;
-}
-
-const CHANNEL_ONBOARDING_ADAPTERS = () => {
-  const adapters = new Map<ChannelChoice, ChannelOnboardingAdapter>(
-    BUILTIN_ONBOARDING_ADAPTERS.map((adapter) => [adapter.channel, adapter] as const),
-  );
-  for (const plugin of listChannelSetupPlugins()) {
-    const adapter = resolveChannelOnboardingAdapter(plugin);
-    if (!adapter) {
-      continue;
-    }
-    adapters.set(plugin.id, adapter);
-  }
-  return adapters;
-};
-
-export function getChannelOnboardingAdapter(
-  channel: ChannelChoice,
-): ChannelOnboardingAdapter | undefined {
-  return CHANNEL_ONBOARDING_ADAPTERS().get(channel);
-}
-
-export function listChannelOnboardingAdapters(): ChannelOnboardingAdapter[] {
-  return Array.from(CHANNEL_ONBOARDING_ADAPTERS().values());
-}
-
-// Legacy aliases (pre-rename).
-export const getProviderOnboardingAdapter = getChannelOnboardingAdapter;
-export const listProviderOnboardingAdapters = listChannelOnboardingAdapters;
diff --git a/src/commands/onboarding/types.ts b/src/commands/onboarding/types.ts
deleted file mode 100644
index fb0430abda0..00000000000
--- a/src/commands/onboarding/types.ts
+++ /dev/null
@@ -1 +0,0 @@
-export * from "../../channels/plugins/onboarding-types.js";
diff --git a/src/commands/openai-codex-model-default.ts b/src/commands/openai-codex-model-default.ts
deleted file mode 100644
index 58d57ef0c39..00000000000
--- a/src/commands/openai-codex-model-default.ts
+++ /dev/null
@@ -1,58 +0,0 @@
-import type { OpenClawConfig } from "../config/config.js";
-import type { AgentModelListConfig } from "../config/types.js";
-
-export const OPENAI_CODEX_DEFAULT_MODEL = "openai-codex/gpt-5.4";
-
-function shouldSetOpenAICodexModel(model?: string): boolean {
-  const trimmed = model?.trim();
-  if (!trimmed) {
-    return true;
-  }
-  const normalized = trimmed.toLowerCase();
-  if (normalized.startsWith("openai-codex/")) {
-    return false;
-  }
-  if (normalized.startsWith("openai/")) {
-    return true;
-  }
-  return normalized === "gpt" || normalized === "gpt-mini";
-}
-
-function resolvePrimaryModel(model?: AgentModelListConfig | string): string | undefined {
-  if (typeof model === "string") {
-    return model;
-  }
-  if (model && typeof model === "object" && typeof model.primary === "string") {
-    return model.primary;
-  }
-  return undefined;
-}
-
-export function applyOpenAICodexModelDefault(cfg: OpenClawConfig): {
-  next: OpenClawConfig;
-  changed: boolean;
-} {
-  const current = resolvePrimaryModel(cfg.agents?.defaults?.model);
-  if (!shouldSetOpenAICodexModel(current)) {
-    return { next: cfg, changed: false };
-  }
-  return {
-    next: {
-      ...cfg,
-      agents: {
-        ...cfg.agents,
-        defaults: {
-          ...cfg.agents?.defaults,
-          model:
-            cfg.agents?.defaults?.model && typeof cfg.agents.defaults.model === "object"
-              ? {
-                  ...cfg.agents.defaults.model,
-                  primary: OPENAI_CODEX_DEFAULT_MODEL,
-                }
-              : { primary: OPENAI_CODEX_DEFAULT_MODEL },
-        },
-      },
-    },
-    changed: true,
-  };
-}
diff --git a/src/commands/openai-model-default.test.ts b/src/commands/openai-model-default.test.ts
index 5c099ddd9de..504dc0b8556 100644
--- a/src/commands/openai-model-default.test.ts
+++ b/src/commands/openai-model-default.test.ts
@@ -6,10 +6,6 @@ import {
   applyGoogleGeminiModelDefault,
   GOOGLE_GEMINI_DEFAULT_MODEL,
 } from "./google-gemini-model-default.js";
-import {
-  applyOpenAICodexModelDefault,
-  OPENAI_CODEX_DEFAULT_MODEL,
-} from "./openai-codex-model-default.js";
 import {
   applyOpenAIConfig,
   applyOpenAIProviderConfig,
@@ -197,38 +193,6 @@ describe("applyOpenAIConfig", () => {
   });
 });
 
-describe("applyOpenAICodexModelDefault", () => {
-  it("sets openai-codex default when model is unset", () => {
-    const cfg: OpenClawConfig = { agents: { defaults: {} } };
-    const applied = applyOpenAICodexModelDefault(cfg);
-    expectPrimaryModelChanged(applied, OPENAI_CODEX_DEFAULT_MODEL);
-  });
-
-  it("sets openai-codex default when model is openai/*", () => {
-    const cfg: OpenClawConfig = {
-      agents: { defaults: { model: { primary: OPENAI_DEFAULT_MODEL } } },
-    };
-    const applied = applyOpenAICodexModelDefault(cfg);
-    expectPrimaryModelChanged(applied, OPENAI_CODEX_DEFAULT_MODEL);
-  });
-
-  it("does not override openai-codex/*", () => {
-    const cfg: OpenClawConfig = {
-      agents: { defaults: { model: { primary: OPENAI_CODEX_DEFAULT_MODEL } } },
-    };
-    const applied = applyOpenAICodexModelDefault(cfg);
-    expectConfigUnchanged(applied, cfg);
-  });
-
-  it("does not override non-openai models", () => {
-    const cfg: OpenClawConfig = {
-      agents: { defaults: { model: { primary: "anthropic/claude-opus-4-5" } } },
-    };
-    const applied = applyOpenAICodexModelDefault(cfg);
-    expectConfigUnchanged(applied, cfg);
-  });
-});
-
 describe("applyOpencodeZenModelDefault", () => {
   it("no-ops when already legacy opencode-zen default", () => {
     const cfg = {
diff --git a/src/commands/provider-auth-guidance.ts b/src/commands/provider-auth-guidance.ts
new file mode 100644
index 00000000000..f5e6757bc03
--- /dev/null
+++ b/src/commands/provider-auth-guidance.ts
@@ -0,0 +1,68 @@
+import { normalizeProviderId } from "../agents/model-selection.js";
+import { formatCliCommand } from "../cli/command-format.js";
+import type { OpenClawConfig } from "../config/config.js";
+import { resolvePluginProviders } from "../plugins/providers.js";
+
+function matchesProviderId(
+  candidate: { id: string; aliases?: string[] | readonly string[] },
+  providerId: string,
+): boolean {
+  const normalized = normalizeProviderId(providerId);
+  if (!normalized) {
+    return false;
+  }
+  if (normalizeProviderId(candidate.id) === normalized) {
+    return true;
+  }
+  return (candidate.aliases ?? []).some((alias) => normalizeProviderId(alias) === normalized);
+}
+
+export function resolveProviderAuthLoginCommand(params: {
+  provider: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}): string | undefined {
+  const provider = resolvePluginProviders({
+    config: params.config,
+    workspaceDir: params.workspaceDir,
+    env: params.env,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
+  }).find((candidate) => matchesProviderId(candidate, params.provider));
+  if (!provider || provider.auth.length === 0) {
+    return undefined;
+  }
+  return formatCliCommand(`openclaw models auth login --provider ${provider.id}`);
+}
+
+export function buildProviderAuthRecoveryHint(params: {
+  provider: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  includeConfigure?: boolean;
+  includeEnvVar?: boolean;
+}): string {
+  const loginCommand = resolveProviderAuthLoginCommand(params);
+  const parts: string[] = [];
+  if (loginCommand) {
+    parts.push(`Run \`${loginCommand}\``);
+  }
+  if (params.includeConfigure !== false) {
+    parts.push(`\`${formatCliCommand("openclaw configure")}\``);
+  }
+  if (params.includeEnvVar) {
+    parts.push("set an API key env var");
+  }
+  if (parts.length === 0) {
+    return `Run \`${formatCliCommand("openclaw configure")}\`.`;
+  }
+  if (parts.length === 1) {
+    return `${parts[0]}.`;
+  }
+  if (parts.length === 2) {
+    return `${parts[0]} or ${parts[1]}.`;
+  }
+  return `${parts[0]}, ${parts[1]}, or ${parts[2]}.`;
+}
diff --git a/src/commands/sandbox-display.ts b/src/commands/sandbox-display.ts
index 181af6bcc1f..8eaf245c5bf 100644
--- a/src/commands/sandbox-display.ts
+++ b/src/commands/sandbox-display.ts
@@ -30,12 +30,15 @@ export function displayContainers(containers: SandboxContainerInfo[], runtime: R
   displayItems(
     containers,
     {
-      emptyMessage: "No sandbox containers found.",
-      title: "📦 Sandbox Containers:",
+      emptyMessage: "No sandbox runtimes found.",
+      title: "📦 Sandbox Runtimes:",
       renderItem: (container, rt) => {
-        rt.log(`  ${container.containerName}`);
+        rt.log(`  ${container.runtimeLabel ?? container.containerName}`);
         rt.log(`    Status:  ${formatStatus(container.running)}`);
-        rt.log(`    Image:   ${container.image} ${formatImageMatch(container.imageMatch)}`);
+        rt.log(
+          `    ${container.configLabelKind ?? "Image"}:   ${container.image} ${formatImageMatch(container.imageMatch)}`,
+        );
+        rt.log(`    Backend: ${container.backendId ?? "docker"}`);
         rt.log(
           `    Age:     ${formatDurationCompact(Date.now() - container.createdAtMs, { spaced: true }) ?? "0s"}`,
         );
@@ -92,9 +95,9 @@ export function displaySummary(
   runtime.log(`Total: ${totalCount} (${runningCount} running)`);
 
   if (mismatchCount > 0) {
-    runtime.log(`\n⚠️  ${mismatchCount} container(s) with image mismatch detected.`);
+    runtime.log(`\n⚠️  ${mismatchCount} runtime(s) with config mismatch detected.`);
     runtime.log(
-      `   Run '${formatCliCommand("openclaw sandbox recreate --all")}' to update all containers.`,
+      `   Run '${formatCliCommand("openclaw sandbox recreate --all")}' to update all runtimes.`,
     );
   }
 }
@@ -104,12 +107,14 @@ export function displayRecreatePreview(
   browsers: SandboxBrowserInfo[],
   runtime: RuntimeEnv,
 ): void {
-  runtime.log("\nContainers to be recreated:\n");
+  runtime.log("\nSandbox runtimes to be recreated:\n");
 
   if (containers.length > 0) {
-    runtime.log("📦 Sandbox Containers:");
+    runtime.log("📦 Sandbox Runtimes:");
     for (const container of containers) {
-      runtime.log(`  - ${container.containerName} (${formatSimpleStatus(container.running)})`);
+      runtime.log(
+        `  - ${container.runtimeLabel ?? container.containerName} [${container.backendId ?? "docker"}] (${formatSimpleStatus(container.running)})`,
+      );
     }
   }
 
@@ -121,7 +126,7 @@ export function displayRecreatePreview(
   }
 
   const total = containers.length + browsers.length;
-  runtime.log(`\nTotal: ${total} container(s)`);
+  runtime.log(`\nTotal: ${total} runtime(s)`);
 }
 
 export function displayRecreateResult(
@@ -131,6 +136,6 @@ export function displayRecreateResult(
   runtime.log(`\nDone: ${result.successCount} removed, ${result.failCount} failed`);
 
   if (result.successCount > 0) {
-    runtime.log("\nContainers will be automatically recreated when the agent is next used.");
+    runtime.log("\nRuntimes will be automatically recreated when the agent is next used.");
   }
 }
diff --git a/src/commands/sandbox.test.ts b/src/commands/sandbox.test.ts
index 384dc2eef41..7425e712c6f 100644
--- a/src/commands/sandbox.test.ts
+++ b/src/commands/sandbox.test.ts
@@ -29,10 +29,14 @@ import { sandboxListCommand, sandboxRecreateCommand } from "./sandbox.js";
 const NOW = Date.now();
 
 function createContainer(overrides: Partial<SandboxContainerInfo> = {}): SandboxContainerInfo {
+  const containerName = overrides.containerName ?? "openclaw-sandbox-test";
   return {
-    containerName: "openclaw-sandbox-test",
+    containerName,
+    backendId: "docker",
+    runtimeLabel: containerName,
     sessionKey: "test-session",
     image: "openclaw/sandbox:latest",
+    configLabelKind: "Image",
     imageMatch: true,
     running: true,
     createdAtMs: NOW - 3600000,
@@ -104,7 +108,7 @@ describe("sandboxListCommand", () => {
 
       await sandboxListCommand({ browser: false, json: false }, runtime as never);
 
-      expectLogContains(runtime, "📦 Sandbox Containers");
+      expectLogContains(runtime, "📦 Sandbox Runtimes");
       expectLogContains(runtime, container1.containerName);
       expectLogContains(runtime, container2.containerName);
       expectLogContains(runtime, "Total");
@@ -128,14 +132,14 @@ describe("sandboxListCommand", () => {
       await sandboxListCommand({ browser: false, json: false }, runtime as never);
 
       expectLogContains(runtime, "⚠️");
-      expectLogContains(runtime, "image mismatch");
+      expectLogContains(runtime, "config mismatch");
       expectLogContains(runtime, "sandbox recreate --all");
     });
 
     it("should display message when no containers found", async () => {
       await sandboxListCommand({ browser: false, json: false }, runtime as never);
 
-      expect(runtime.log).toHaveBeenCalledWith("No sandbox containers found.");
+      expect(runtime.log).toHaveBeenCalledWith("No sandbox runtimes found.");
     });
   });
 
@@ -161,7 +165,7 @@ describe("sandboxListCommand", () => {
 
       await sandboxListCommand({ browser: false, json: false }, runtime as never);
 
-      expect(runtime.log).toHaveBeenCalledWith("No sandbox containers found.");
+      expect(runtime.log).toHaveBeenCalledWith("No sandbox runtimes found.");
     });
   });
 });
@@ -295,7 +299,7 @@ describe("sandboxRecreateCommand", () => {
     it("should show message when no containers match", async () => {
       await sandboxRecreateCommand({ all: true, browser: false, force: true }, runtime as never);
 
-      expect(runtime.log).toHaveBeenCalledWith("No containers found matching the criteria.");
+      expect(runtime.log).toHaveBeenCalledWith("No sandbox runtimes found matching the criteria.");
       expect(mocks.removeSandboxContainer).not.toHaveBeenCalled();
     });
 
diff --git a/src/commands/sandbox.ts b/src/commands/sandbox.ts
index e9071ce7810..d6b494fc5aa 100644
--- a/src/commands/sandbox.ts
+++ b/src/commands/sandbox.ts
@@ -74,7 +74,7 @@ export async function sandboxRecreateCommand(
   const filtered = await fetchAndFilterContainers(opts);
 
   if (filtered.containers.length + filtered.browsers.length === 0) {
-    runtime.log("No containers found matching the criteria.");
+    runtime.log("No sandbox runtimes found matching the criteria.");
     return;
   }
 
@@ -154,7 +154,7 @@ async function removeContainers(
   filtered: FilteredContainers,
   runtime: RuntimeEnv,
 ): Promise<{ successCount: number; failCount: number }> {
-  runtime.log("\nRemoving containers...\n");
+  runtime.log("\nRemoving sandbox runtimes...\n");
 
   let successCount = 0;
   let failCount = 0;
diff --git a/src/commands/onboarding/__tests__/test-utils.ts b/src/commands/setup/__tests__/test-utils.ts
similarity index 100%
rename from src/commands/onboarding/__tests__/test-utils.ts
rename to src/commands/setup/__tests__/test-utils.ts
diff --git a/src/commands/status-all.ts b/src/commands/status-all.ts
index fa4e3dcb435..b643c30ff33 100644
--- a/src/commands/status-all.ts
+++ b/src/commands/status-all.ts
@@ -48,7 +48,7 @@ export async function statusAllCommand(
       config: loadedRaw,
       commandName: "status --all",
       targetIds: getStatusCommandSecretTargetIds(),
-      mode: "summary",
+      mode: "read_only_status",
     });
     const osSummary = resolveOsSummary();
     const snap = await readConfigFileSnapshot().catch(() => null);
diff --git a/src/commands/status-all/agents.ts b/src/commands/status-all/agents.ts
index caf1ae03ed2..e8d7c485fe5 100644
--- a/src/commands/status-all/agents.ts
+++ b/src/commands/status-all/agents.ts
@@ -3,7 +3,7 @@ import path from "node:path";
 import { resolveAgentWorkspaceDir } from "../../agents/agent-scope.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { loadSessionStore, resolveStorePath } from "../../config/sessions.js";
-import { listAgentsForGateway } from "../../gateway/session-utils.js";
+import { listGatewayAgentsBasic } from "../../gateway/agent-list.js";
 
 async function fileExists(p: string): Promise<boolean> {
   try {
@@ -15,7 +15,7 @@ async function fileExists(p: string): Promise<boolean> {
 }
 
 export async function getAgentLocalStatuses(cfg: OpenClawConfig) {
-  const agentList = listAgentsForGateway(cfg);
+  const agentList = listGatewayAgentsBasic(cfg);
   const now = Date.now();
 
   const agents = await Promise.all(
diff --git a/src/commands/status-all/channels.ts b/src/commands/status-all/channels.ts
index cf3a67a99b5..27e0eff43c6 100644
--- a/src/commands/status-all/channels.ts
+++ b/src/commands/status-all/channels.ts
@@ -91,14 +91,18 @@ function formatTokenHint(token: string, opts: { showSecrets: boolean }): string
   return `${head}…${tail} · len ${t.length}`;
 }
 
-function inspectChannelAccount(plugin: ChannelPlugin, cfg: OpenClawConfig, accountId: string) {
+async function inspectChannelAccount(
+  plugin: ChannelPlugin,
+  cfg: OpenClawConfig,
+  accountId: string,
+) {
   return (
     plugin.config.inspectAccount?.(cfg, accountId) ??
-    inspectReadOnlyChannelAccount({
+    (await inspectReadOnlyChannelAccount({
       channelId: plugin.id,
       cfg,
       accountId,
-    })
+    }))
   );
 }
 
@@ -106,8 +110,8 @@ async function resolveChannelAccountRow(
   params: ResolvedChannelAccountRowParams,
 ): Promise<ChannelAccountRow> {
   const { plugin, cfg, sourceConfig, accountId } = params;
-  const sourceInspectedAccount = inspectChannelAccount(plugin, sourceConfig, accountId);
-  const resolvedInspectedAccount = inspectChannelAccount(plugin, cfg, accountId);
+  const sourceInspectedAccount = await inspectChannelAccount(plugin, sourceConfig, accountId);
+  const resolvedInspectedAccount = await inspectChannelAccount(plugin, cfg, accountId);
   const resolvedInspection = resolvedInspectedAccount as {
     enabled?: boolean;
     configured?: boolean;
diff --git a/src/commands/status-json.ts b/src/commands/status-json.ts
new file mode 100644
index 00000000000..2579717679c
--- /dev/null
+++ b/src/commands/status-json.ts
@@ -0,0 +1,107 @@
+import { callGateway } from "../gateway/call.js";
+import type { HeartbeatEventPayload } from "../infra/heartbeat-events.js";
+import { normalizeUpdateChannel, resolveUpdateChannelDisplay } from "../infra/update-channels.js";
+import type { RuntimeEnv } from "../runtime.js";
+import { getDaemonStatusSummary, getNodeDaemonStatusSummary } from "./status.daemon.js";
+import { scanStatus } from "./status.scan.js";
+
+let providerUsagePromise: Promise<typeof import("../infra/provider-usage.js")> | undefined;
+let securityAuditModulePromise: Promise<typeof import("../security/audit.runtime.js")> | undefined;
+
+function loadProviderUsage() {
+  providerUsagePromise ??= import("../infra/provider-usage.js");
+  return providerUsagePromise;
+}
+
+function loadSecurityAuditModule() {
+  securityAuditModulePromise ??= import("../security/audit.runtime.js");
+  return securityAuditModulePromise;
+}
+
+export async function statusJsonCommand(
+  opts: {
+    deep?: boolean;
+    usage?: boolean;
+    timeoutMs?: number;
+    all?: boolean;
+  },
+  runtime: RuntimeEnv,
+) {
+  const scan = await scanStatus({ json: true, timeoutMs: opts.timeoutMs, all: opts.all }, runtime);
+  const securityAudit = await loadSecurityAuditModule().then(({ runSecurityAudit }) =>
+    runSecurityAudit({
+      config: scan.cfg,
+      sourceConfig: scan.sourceConfig,
+      deep: false,
+      includeFilesystem: true,
+      includeChannelSecurity: true,
+    }),
+  );
+
+  const usage = opts.usage
+    ? await loadProviderUsage().then(({ loadProviderUsageSummary }) =>
+        loadProviderUsageSummary({ timeoutMs: opts.timeoutMs }),
+      )
+    : undefined;
+  const health = opts.deep
+    ? await callGateway({
+        method: "health",
+        params: { probe: true },
+        timeoutMs: opts.timeoutMs,
+        config: scan.cfg,
+      }).catch(() => undefined)
+    : undefined;
+  const lastHeartbeat =
+    opts.deep && scan.gatewayReachable
+      ? await callGateway<HeartbeatEventPayload | null>({
+          method: "last-heartbeat",
+          params: {},
+          timeoutMs: opts.timeoutMs,
+          config: scan.cfg,
+        }).catch(() => null)
+      : null;
+
+  const [daemon, nodeDaemon] = await Promise.all([
+    getDaemonStatusSummary(),
+    getNodeDaemonStatusSummary(),
+  ]);
+  const channelInfo = resolveUpdateChannelDisplay({
+    configChannel: normalizeUpdateChannel(scan.cfg.update?.channel),
+    installKind: scan.update.installKind,
+    gitTag: scan.update.git?.tag ?? null,
+    gitBranch: scan.update.git?.branch ?? null,
+  });
+
+  runtime.log(
+    JSON.stringify(
+      {
+        ...scan.summary,
+        os: scan.osSummary,
+        update: scan.update,
+        updateChannel: channelInfo.channel,
+        updateChannelSource: channelInfo.source,
+        memory: scan.memory,
+        memoryPlugin: scan.memoryPlugin,
+        gateway: {
+          mode: scan.gatewayMode,
+          url: scan.gatewayConnection.url,
+          urlSource: scan.gatewayConnection.urlSource,
+          misconfigured: scan.remoteUrlMissing,
+          reachable: scan.gatewayReachable,
+          connectLatencyMs: scan.gatewayProbe?.connectLatencyMs ?? null,
+          self: scan.gatewaySelf,
+          error: scan.gatewayProbe?.error ?? null,
+          authWarning: scan.gatewayProbeAuthWarning ?? null,
+        },
+        gatewayService: daemon,
+        nodeService: nodeDaemon,
+        agents: scan.agentStatus,
+        securityAudit,
+        secretDiagnostics: scan.secretDiagnostics,
+        ...(health || usage || lastHeartbeat ? { health, usage, lastHeartbeat } : {}),
+      },
+      null,
+      2,
+    ),
+  );
+}
diff --git a/src/commands/status.agent-local.ts b/src/commands/status.agent-local.ts
index 5c57036eb97..ce17f9ab94f 100644
--- a/src/commands/status.agent-local.ts
+++ b/src/commands/status.agent-local.ts
@@ -4,7 +4,7 @@ import { resolveAgentWorkspaceDir } from "../agents/agent-scope.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { loadConfig } from "../config/config.js";
 import { loadSessionStore, resolveStorePath } from "../config/sessions.js";
-import { listAgentsForGateway } from "../gateway/session-utils.js";
+import { listGatewayAgentsBasic } from "../gateway/agent-list.js";
 
 export type AgentLocalStatus = {
   id: string;
@@ -36,7 +36,7 @@ async function fileExists(p: string): Promise<boolean> {
 export async function getAgentLocalStatuses(
   cfg: OpenClawConfig = loadConfig(),
 ): Promise<AgentLocalStatusesResult> {
-  const agentList = listAgentsForGateway(cfg);
+  const agentList = listGatewayAgentsBasic(cfg);
   const now = Date.now();
 
   const statuses: AgentLocalStatus[] = [];
diff --git a/src/commands/status.command.ts b/src/commands/status.command.ts
index 7e68424c5a9..9f17b1a9fee 100644
--- a/src/commands/status.command.ts
+++ b/src/commands/status.command.ts
@@ -5,7 +5,6 @@ import { buildGatewayConnectionDetails, callGateway } from "../gateway/call.js";
 import { info } from "../globals.js";
 import { formatTimeAgo } from "../infra/format-time/format-relative.ts";
 import type { HeartbeatEventPayload } from "../infra/heartbeat-events.js";
-import { formatUsageReportLines, loadProviderUsageSummary } from "../infra/provider-usage.js";
 import { normalizeUpdateChannel, resolveUpdateChannelDisplay } from "../infra/update-channels.js";
 import { formatGitInstallLabel } from "../infra/update-check.js";
 import {
@@ -15,7 +14,6 @@ import {
   type Tone,
 } from "../memory/status-format.js";
 import type { RuntimeEnv } from "../runtime.js";
-import { runSecurityAudit } from "../security/audit.js";
 import { getTerminalTableWidth, renderTable } from "../terminal/table.js";
 import { theme } from "../terminal/theme.js";
 import { formatHealthChannelLines, type HealthSummary } from "./health.js";
@@ -37,6 +35,19 @@ import {
   resolveUpdateAvailability,
 } from "./status.update.js";
 
+let providerUsagePromise: Promise<typeof import("../infra/provider-usage.js")> | undefined;
+let securityAuditModulePromise: Promise<typeof import("../security/audit.runtime.js")> | undefined;
+
+function loadProviderUsage() {
+  providerUsagePromise ??= import("../infra/provider-usage.js");
+  return providerUsagePromise;
+}
+
+function loadSecurityAuditModule() {
+  securityAuditModulePromise ??= import("../security/audit.runtime.js");
+  return securityAuditModulePromise;
+}
+
 function resolvePairingRecoveryContext(params: {
   error?: string | null;
   closeReason?: string | null;
@@ -84,28 +95,25 @@ export async function statusCommand(
     { json: opts.json, timeoutMs: opts.timeoutMs, all: opts.all },
     runtime,
   );
-  const securityAudit = opts.json
-    ? await runSecurityAudit({
+  const runSecurityAudit = async () =>
+    await loadSecurityAuditModule().then(({ runSecurityAudit }) =>
+      runSecurityAudit({
         config: scan.cfg,
         sourceConfig: scan.sourceConfig,
         deep: false,
         includeFilesystem: true,
         includeChannelSecurity: true,
-      })
+      }),
+    );
+  const securityAudit = opts.json
+    ? await runSecurityAudit()
     : await withProgress(
         {
           label: "Running security audit…",
           indeterminate: true,
           enabled: true,
         },
-        async () =>
-          await runSecurityAudit({
-            config: scan.cfg,
-            sourceConfig: scan.sourceConfig,
-            deep: false,
-            includeFilesystem: true,
-            includeChannelSecurity: true,
-          }),
+        async () => await runSecurityAudit(),
       );
   const {
     cfg,
@@ -138,7 +146,10 @@ export async function statusCommand(
           indeterminate: true,
           enabled: opts.json !== true,
         },
-        async () => await loadProviderUsageSummary({ timeoutMs: opts.timeoutMs }),
+        async () => {
+          const { loadProviderUsageSummary } = await loadProviderUsage();
+          return await loadProviderUsageSummary({ timeoutMs: opts.timeoutMs });
+        },
       )
     : undefined;
   const health: HealthSummary | undefined = opts.deep
@@ -658,6 +669,7 @@ export async function statusCommand(
   }
 
   if (usage) {
+    const { formatUsageReportLines } = await loadProviderUsage();
     runtime.log("");
     runtime.log(theme.heading("Usage"));
     for (const line of formatUsageReportLines(usage)) {
diff --git a/src/commands/status.link-channel.test.ts b/src/commands/status.link-channel.test.ts
new file mode 100644
index 00000000000..14315ef1a35
--- /dev/null
+++ b/src/commands/status.link-channel.test.ts
@@ -0,0 +1,55 @@
+import { describe, expect, it, vi } from "vitest";
+import type { OpenClawConfig } from "../config/config.js";
+
+const pluginRegistry = vi.hoisted(() => ({ list: [] as unknown[] }));
+
+vi.mock("../channels/plugins/index.js", () => ({
+  listChannelPlugins: () => pluginRegistry.list,
+}));
+
+import { resolveLinkChannelContext } from "./status.link-channel.js";
+
+describe("resolveLinkChannelContext", () => {
+  it("returns linked context from read-only inspected account state", async () => {
+    const account = { configured: true, enabled: true };
+    pluginRegistry.list = [
+      {
+        id: "discord",
+        meta: { label: "Discord" },
+        config: {
+          listAccountIds: () => ["default"],
+          inspectAccount: () => account,
+          resolveAccount: () => {
+            throw new Error("should not be called in read-only mode");
+          },
+        },
+        status: {
+          buildChannelSummary: () => ({ linked: true, authAgeMs: 1234 }),
+        },
+      },
+    ];
+
+    const result = await resolveLinkChannelContext({} as OpenClawConfig);
+    expect(result?.linked).toBe(true);
+    expect(result?.authAgeMs).toBe(1234);
+    expect(result?.account).toBe(account);
+  });
+
+  it("degrades safely when account resolution throws", async () => {
+    pluginRegistry.list = [
+      {
+        id: "discord",
+        meta: { label: "Discord" },
+        config: {
+          listAccountIds: () => ["default"],
+          resolveAccount: () => {
+            throw new Error("missing secret");
+          },
+        },
+      },
+    ];
+
+    const result = await resolveLinkChannelContext({} as OpenClawConfig);
+    expect(result).toBeNull();
+  });
+});
diff --git a/src/commands/status.link-channel.ts b/src/commands/status.link-channel.ts
index 2ee0eee4f2e..4f192f31623 100644
--- a/src/commands/status.link-channel.ts
+++ b/src/commands/status.link-channel.ts
@@ -16,7 +16,10 @@ export async function resolveLinkChannelContext(
 ): Promise<LinkChannelContext | null> {
   for (const plugin of listChannelPlugins()) {
     const { defaultAccountId, account, enabled, configured } =
-      await resolveDefaultChannelAccountContext(plugin, cfg);
+      await resolveDefaultChannelAccountContext(plugin, cfg, {
+        mode: "read_only",
+        commandName: "status",
+      });
     const snapshot = plugin.config.describeAccount
       ? plugin.config.describeAccount(account, cfg)
       : ({
diff --git a/src/commands/status.scan.deps.runtime.ts b/src/commands/status.scan.deps.runtime.ts
new file mode 100644
index 00000000000..b9838d2176f
--- /dev/null
+++ b/src/commands/status.scan.deps.runtime.ts
@@ -0,0 +1,2 @@
+export { getTailnetHostname } from "../infra/tailscale.js";
+export { getMemorySearchManager } from "../memory/index.js";
diff --git a/src/commands/status.scan.runtime.ts b/src/commands/status.scan.runtime.ts
new file mode 100644
index 00000000000..372b31f4803
--- /dev/null
+++ b/src/commands/status.scan.runtime.ts
@@ -0,0 +1,2 @@
+export { collectChannelStatusIssues } from "../infra/channels-status-issues.js";
+export { buildChannelsTable } from "./status-all/channels.js";
diff --git a/src/commands/status.scan.test.ts b/src/commands/status.scan.test.ts
index 6592b84c864..edb77ae4fcf 100644
--- a/src/commands/status.scan.test.ts
+++ b/src/commands/status.scan.test.ts
@@ -4,12 +4,15 @@ const mocks = vi.hoisted(() => ({
   readBestEffortConfig: vi.fn(),
   resolveCommandSecretRefsViaGateway: vi.fn(),
   buildChannelsTable: vi.fn(),
+  callGateway: vi.fn(),
   getUpdateCheckResult: vi.fn(),
   getAgentLocalStatuses: vi.fn(),
   getStatusSummary: vi.fn(),
+  getMemorySearchManager: vi.fn(),
   buildGatewayConnectionDetails: vi.fn(),
   probeGateway: vi.fn(),
   resolveGatewayProbeAuthResolution: vi.fn(),
+  ensurePluginRegistryLoaded: vi.fn(),
 }));
 
 vi.mock("../cli/progress.js", () => ({
@@ -28,6 +31,11 @@ vi.mock("./status-all/channels.js", () => ({
   buildChannelsTable: mocks.buildChannelsTable,
 }));
 
+vi.mock("./status.scan.runtime.js", () => ({
+  buildChannelsTable: mocks.buildChannelsTable,
+  collectChannelStatusIssues: vi.fn(() => []),
+}));
+
 vi.mock("./status.update.js", () => ({
   getUpdateCheckResult: mocks.getUpdateCheckResult,
 }));
@@ -44,13 +52,14 @@ vi.mock("../infra/os-summary.js", () => ({
   resolveOsSummary: vi.fn(() => ({ label: "test-os" })),
 }));
 
-vi.mock("../infra/tailscale.js", () => ({
+vi.mock("./status.scan.deps.runtime.js", () => ({
   getTailnetHostname: vi.fn(),
+  getMemorySearchManager: mocks.getMemorySearchManager,
 }));
 
 vi.mock("../gateway/call.js", () => ({
   buildGatewayConnectionDetails: mocks.buildGatewayConnectionDetails,
-  callGateway: vi.fn(),
+  callGateway: mocks.callGateway,
 }));
 
 vi.mock("../gateway/probe.js", () => ({
@@ -62,14 +71,14 @@ vi.mock("./status.gateway-probe.js", () => ({
   resolveGatewayProbeAuthResolution: mocks.resolveGatewayProbeAuthResolution,
 }));
 
-vi.mock("../memory/index.js", () => ({
-  getMemorySearchManager: vi.fn(),
-}));
-
 vi.mock("../process/exec.js", () => ({
   runExec: vi.fn(),
 }));
 
+vi.mock("../cli/plugin-registry.js", () => ({
+  ensurePluginRegistryLoaded: mocks.ensurePluginRegistryLoaded,
+}));
+
 import { scanStatus } from "./status.scan.js";
 
 describe("scanStatus", () => {
@@ -135,4 +144,317 @@ describe("scanStatus", () => {
       }),
     );
   });
+
+  it("skips channel plugin preload for status --json with no channel config", async () => {
+    mocks.readBestEffortConfig.mockResolvedValue({
+      session: {},
+      plugins: { enabled: false },
+      gateway: {},
+    });
+    mocks.resolveCommandSecretRefsViaGateway.mockResolvedValue({
+      resolvedConfig: {
+        session: {},
+        plugins: { enabled: false },
+        gateway: {},
+      },
+      diagnostics: [],
+    });
+    mocks.getUpdateCheckResult.mockResolvedValue({
+      installKind: "git",
+      git: null,
+      registry: null,
+    });
+    mocks.getAgentLocalStatuses.mockResolvedValue({
+      defaultId: "main",
+      agents: [],
+    });
+    mocks.getStatusSummary.mockResolvedValue({
+      linkChannel: undefined,
+      sessions: { count: 0, paths: [], defaults: {}, recent: [] },
+    });
+    mocks.buildGatewayConnectionDetails.mockReturnValue({
+      url: "ws://127.0.0.1:18789",
+      urlSource: "default",
+    });
+    mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+      auth: {},
+      warning: undefined,
+    });
+    mocks.probeGateway.mockResolvedValue({
+      ok: false,
+      url: "ws://127.0.0.1:18789",
+      connectLatencyMs: null,
+      error: "timeout",
+      close: null,
+      health: null,
+      status: null,
+      presence: null,
+      configSnapshot: null,
+    });
+
+    await scanStatus({ json: true }, {} as never);
+
+    expect(mocks.ensurePluginRegistryLoaded).not.toHaveBeenCalled();
+  });
+
+  it("skips memory backend inspection for default memory-core with no existing store", async () => {
+    mocks.readBestEffortConfig.mockResolvedValue({
+      session: {},
+      gateway: {},
+    });
+    mocks.resolveCommandSecretRefsViaGateway.mockResolvedValue({
+      resolvedConfig: {
+        session: {},
+        gateway: {},
+      },
+      diagnostics: [],
+    });
+    mocks.getUpdateCheckResult.mockResolvedValue({
+      installKind: "git",
+      git: null,
+      registry: null,
+    });
+    mocks.getAgentLocalStatuses.mockResolvedValue({
+      defaultId: "main",
+      agents: [],
+    });
+    mocks.getStatusSummary.mockResolvedValue({
+      linkChannel: undefined,
+      sessions: { count: 0, paths: [], defaults: {}, recent: [] },
+    });
+    mocks.buildGatewayConnectionDetails.mockReturnValue({
+      url: "ws://127.0.0.1:18789",
+      urlSource: "default",
+    });
+    mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+      auth: {},
+      warning: undefined,
+    });
+    mocks.probeGateway.mockResolvedValue({
+      ok: false,
+      url: "ws://127.0.0.1:18789",
+      connectLatencyMs: null,
+      error: "timeout",
+      close: null,
+      health: null,
+      status: null,
+      presence: null,
+      configSnapshot: null,
+    });
+
+    await scanStatus({ json: true }, {} as never);
+
+    expect(mocks.getMemorySearchManager).not.toHaveBeenCalled();
+  });
+
+  it("inspects memory backend when memory search is explicitly configured", async () => {
+    mocks.readBestEffortConfig.mockResolvedValue({
+      session: {},
+      gateway: {},
+      agents: {
+        defaults: {
+          memorySearch: {
+            provider: "local",
+            local: { modelPath: "/tmp/model.gguf" },
+            fallback: "none",
+          },
+        },
+      },
+    });
+    mocks.resolveCommandSecretRefsViaGateway.mockResolvedValue({
+      resolvedConfig: {
+        session: {},
+        gateway: {},
+        agents: {
+          defaults: {
+            memorySearch: {
+              provider: "local",
+              local: { modelPath: "/tmp/model.gguf" },
+              fallback: "none",
+            },
+          },
+        },
+      },
+      diagnostics: [],
+    });
+    mocks.getUpdateCheckResult.mockResolvedValue({
+      installKind: "git",
+      git: null,
+      registry: null,
+    });
+    mocks.getAgentLocalStatuses.mockResolvedValue({
+      defaultId: "main",
+      agents: [],
+    });
+    mocks.getStatusSummary.mockResolvedValue({
+      linkChannel: undefined,
+      sessions: { count: 0, paths: [], defaults: {}, recent: [] },
+    });
+    mocks.buildGatewayConnectionDetails.mockReturnValue({
+      url: "ws://127.0.0.1:18789",
+      urlSource: "default",
+    });
+    mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+      auth: {},
+      warning: undefined,
+    });
+    mocks.probeGateway.mockResolvedValue({
+      ok: false,
+      url: "ws://127.0.0.1:18789",
+      connectLatencyMs: null,
+      error: "timeout",
+      close: null,
+      health: null,
+      status: null,
+      presence: null,
+      configSnapshot: null,
+    });
+    mocks.getMemorySearchManager.mockResolvedValue({
+      manager: {
+        probeVectorAvailability: vi.fn(async () => true),
+        status: vi.fn(() => ({ files: 0, chunks: 0, dirty: false })),
+        close: vi.fn(async () => {}),
+      },
+    });
+
+    await scanStatus({ json: true }, {} as never);
+
+    expect(mocks.getMemorySearchManager).toHaveBeenCalledWith({
+      cfg: expect.objectContaining({
+        agents: expect.objectContaining({
+          defaults: expect.objectContaining({
+            memorySearch: expect.any(Object),
+          }),
+        }),
+      }),
+      agentId: "main",
+      purpose: "status",
+    });
+  });
+
+  it("preloads configured channel plugins for status --json when channel config exists", async () => {
+    mocks.readBestEffortConfig.mockResolvedValue({
+      session: {},
+      plugins: { enabled: false },
+      gateway: {},
+      channels: { telegram: { enabled: false } },
+    });
+    mocks.resolveCommandSecretRefsViaGateway.mockResolvedValue({
+      resolvedConfig: {
+        session: {},
+        plugins: { enabled: false },
+        gateway: {},
+        channels: { telegram: { enabled: false } },
+      },
+      diagnostics: [],
+    });
+    mocks.getUpdateCheckResult.mockResolvedValue({
+      installKind: "git",
+      git: null,
+      registry: null,
+    });
+    mocks.getAgentLocalStatuses.mockResolvedValue({
+      defaultId: "main",
+      agents: [],
+    });
+    mocks.getStatusSummary.mockResolvedValue({
+      linkChannel: { linked: false },
+      sessions: { count: 0, paths: [], defaults: {}, recent: [] },
+    });
+    mocks.buildGatewayConnectionDetails.mockReturnValue({
+      url: "ws://127.0.0.1:18789",
+      urlSource: "default",
+    });
+    mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+      auth: {},
+      warning: undefined,
+    });
+    mocks.probeGateway.mockResolvedValue({
+      ok: false,
+      url: "ws://127.0.0.1:18789",
+      connectLatencyMs: null,
+      error: "timeout",
+      close: null,
+      health: null,
+      status: null,
+      presence: null,
+      configSnapshot: null,
+    });
+
+    await scanStatus({ json: true }, {} as never);
+
+    expect(mocks.ensurePluginRegistryLoaded).toHaveBeenCalledWith({
+      scope: "configured-channels",
+    });
+    expect(mocks.probeGateway).toHaveBeenCalledWith(
+      expect.objectContaining({ detailLevel: "presence" }),
+    );
+    expect(mocks.callGateway).not.toHaveBeenCalledWith(
+      expect.objectContaining({ method: "channels.status" }),
+    );
+  });
+
+  it("preloads configured channel plugins for status --json when channel auth is env-only", async () => {
+    const prevMatrixToken = process.env.MATRIX_ACCESS_TOKEN;
+    process.env.MATRIX_ACCESS_TOKEN = "token";
+    mocks.readBestEffortConfig.mockResolvedValue({
+      session: {},
+      plugins: { enabled: false },
+      gateway: {},
+    });
+    mocks.resolveCommandSecretRefsViaGateway.mockResolvedValue({
+      resolvedConfig: {
+        session: {},
+        plugins: { enabled: false },
+        gateway: {},
+      },
+      diagnostics: [],
+    });
+    mocks.getUpdateCheckResult.mockResolvedValue({
+      installKind: "git",
+      git: null,
+      registry: null,
+    });
+    mocks.getAgentLocalStatuses.mockResolvedValue({
+      defaultId: "main",
+      agents: [],
+    });
+    mocks.getStatusSummary.mockResolvedValue({
+      linkChannel: { linked: false },
+      sessions: { count: 0, paths: [], defaults: {}, recent: [] },
+    });
+    mocks.buildGatewayConnectionDetails.mockReturnValue({
+      url: "ws://127.0.0.1:18789",
+      urlSource: "default",
+    });
+    mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+      auth: {},
+      warning: undefined,
+    });
+    mocks.probeGateway.mockResolvedValue({
+      ok: false,
+      url: "ws://127.0.0.1:18789",
+      connectLatencyMs: null,
+      error: "timeout",
+      close: null,
+      health: null,
+      status: null,
+      presence: null,
+      configSnapshot: null,
+    });
+
+    try {
+      await scanStatus({ json: true }, {} as never);
+    } finally {
+      if (prevMatrixToken === undefined) {
+        delete process.env.MATRIX_ACCESS_TOKEN;
+      } else {
+        process.env.MATRIX_ACCESS_TOKEN = prevMatrixToken;
+      }
+    }
+
+    expect(mocks.ensurePluginRegistryLoaded).toHaveBeenCalledWith({
+      scope: "configured-channels",
+    });
+  });
 });
diff --git a/src/commands/status.scan.ts b/src/commands/status.scan.ts
index 38e15e6417b..6c2bd67f3dd 100644
--- a/src/commands/status.scan.ts
+++ b/src/commands/status.scan.ts
@@ -1,3 +1,6 @@
+import { existsSync } from "node:fs";
+import { resolveMemorySearchConfig } from "../agents/memory-search.js";
+import { hasPotentialConfiguredChannels } from "../channels/config-presence.js";
 import { resolveCommandSecretRefsViaGateway } from "../cli/command-secret-gateway.js";
 import { getStatusCommandSecretTargetIds } from "../cli/command-secret-targets.js";
 import { withProgress } from "../cli/progress.js";
@@ -6,19 +9,19 @@ import { readBestEffortConfig } from "../config/config.js";
 import { buildGatewayConnectionDetails, callGateway } from "../gateway/call.js";
 import { normalizeControlUiBasePath } from "../gateway/control-ui-shared.js";
 import { probeGateway } from "../gateway/probe.js";
-import { collectChannelStatusIssues } from "../infra/channels-status-issues.js";
 import { resolveOsSummary } from "../infra/os-summary.js";
-import { getTailnetHostname } from "../infra/tailscale.js";
-import { getMemorySearchManager } from "../memory/index.js";
 import type { MemoryProviderStatus } from "../memory/types.js";
 import { runExec } from "../process/exec.js";
 import type { RuntimeEnv } from "../runtime.js";
-import { buildChannelsTable } from "./status-all/channels.js";
 import { getAgentLocalStatuses } from "./status.agent-local.js";
 import {
   pickGatewaySelfPresence,
   resolveGatewayProbeAuthResolution,
 } from "./status.gateway-probe.js";
+import type {
+  buildChannelsTable as buildChannelsTableFn,
+  collectChannelStatusIssues as collectChannelStatusIssuesFn,
+} from "./status.scan.runtime.js";
 import { getStatusSummary } from "./status.summary.js";
 import { getUpdateCheckResult } from "./status.update.js";
 
@@ -32,6 +35,19 @@ type MemoryPluginStatus = {
   reason?: string;
 };
 
+function hasExplicitMemorySearchConfig(cfg: OpenClawConfig, agentId: string): boolean {
+  if (
+    cfg.agents?.defaults &&
+    Object.prototype.hasOwnProperty.call(cfg.agents.defaults, "memorySearch")
+  ) {
+    return true;
+  }
+  const agents = Array.isArray(cfg.agents?.list) ? cfg.agents.list : [];
+  return agents.some(
+    (agent) => agent?.id === agentId && Object.prototype.hasOwnProperty.call(agent, "memorySearch"),
+  );
+}
+
 type DeferredResult<T> = { ok: true; value: T } | { ok: false; error: unknown };
 
 type GatewayProbeSnapshot = {
@@ -46,6 +62,27 @@ type GatewayProbeSnapshot = {
   gatewayProbe: Awaited<ReturnType<typeof probeGateway>> | null;
 };
 
+let pluginRegistryModulePromise: Promise<typeof import("../cli/plugin-registry.js")> | undefined;
+let statusScanRuntimeModulePromise: Promise<typeof import("./status.scan.runtime.js")> | undefined;
+let statusScanDepsRuntimeModulePromise:
+  | Promise<typeof import("./status.scan.deps.runtime.js")>
+  | undefined;
+
+function loadPluginRegistryModule() {
+  pluginRegistryModulePromise ??= import("../cli/plugin-registry.js");
+  return pluginRegistryModulePromise;
+}
+
+function loadStatusScanRuntimeModule() {
+  statusScanRuntimeModulePromise ??= import("./status.scan.runtime.js");
+  return statusScanRuntimeModulePromise;
+}
+
+function loadStatusScanDepsRuntimeModule() {
+  statusScanDepsRuntimeModulePromise ??= import("./status.scan.deps.runtime.js");
+  return statusScanDepsRuntimeModulePromise;
+}
+
 function deferResult<T>(promise: Promise<T>): Promise<DeferredResult<T>> {
   return promise.then(
     (value) => ({ ok: true, value }),
@@ -90,6 +127,7 @@ async function resolveGatewayProbeSnapshot(params: {
         url: gatewayConnection.url,
         auth: gatewayProbeAuthResolution.auth,
         timeoutMs: Math.min(params.opts.all ? 5000 : 2500, params.opts.timeoutMs ?? 10_000),
+        detailLevel: "presence",
       }).catch(() => null);
   if (gatewayProbeAuthWarning && gatewayProbe?.ok === false) {
     gatewayProbe.error = gatewayProbe.error
@@ -146,9 +184,9 @@ export type StatusScanResult = {
   gatewayProbe: Awaited<ReturnType<typeof probeGateway>> | null;
   gatewayReachable: boolean;
   gatewaySelf: ReturnType<typeof pickGatewaySelfPresence>;
-  channelIssues: ReturnType<typeof collectChannelStatusIssues>;
+  channelIssues: ReturnType<typeof collectChannelStatusIssuesFn>;
   agentStatus: Awaited<ReturnType<typeof getAgentLocalStatuses>>;
-  channels: Awaited<ReturnType<typeof buildChannelsTable>>;
+  channels: Awaited<ReturnType<typeof buildChannelsTableFn>>;
   summary: Awaited<ReturnType<typeof getStatusSummary>>;
   memory: MemoryStatusSnapshot | null;
   memoryPlugin: MemoryPluginStatus;
@@ -167,6 +205,16 @@ async function resolveMemoryStatusSnapshot(params: {
     return null;
   }
   const agentId = agentStatus.defaultId ?? "main";
+  const resolvedMemory = resolveMemorySearchConfig(cfg, agentId);
+  if (!resolvedMemory) {
+    return null;
+  }
+  const shouldInspectStore =
+    hasExplicitMemorySearchConfig(cfg, agentId) || existsSync(resolvedMemory.store.path);
+  if (!shouldInspectStore) {
+    return null;
+  }
+  const { getMemorySearchManager } = await loadStatusScanDepsRuntimeModule();
   const { manager } = await getMemorySearchManager({ cfg, agentId, purpose: "status" });
   if (!manager) {
     return null;
@@ -189,8 +237,12 @@ async function scanStatusJsonFast(opts: {
       config: loadedRaw,
       commandName: "status --json",
       targetIds: getStatusCommandSecretTargetIds(),
-      mode: "summary",
+      mode: "read_only_status",
     });
+  if (hasPotentialConfiguredChannels(cfg)) {
+    const { ensurePluginRegistryLoaded } = await loadPluginRegistryModule();
+    ensurePluginRegistryLoaded({ scope: "configured-channels" });
+  }
   const osSummary = resolveOsSummary();
   const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
   const updateTimeoutMs = opts.all ? 6500 : 2500;
@@ -205,9 +257,13 @@ async function scanStatusJsonFast(opts: {
   const tailscaleDnsPromise =
     tailscaleMode === "off"
       ? Promise.resolve<string | null>(null)
-      : getTailnetHostname((cmd, args) =>
-          runExec(cmd, args, { timeoutMs: 1200, maxBuffer: 200_000 }),
-        ).catch(() => null);
+      : loadStatusScanDepsRuntimeModule()
+          .then(({ getTailnetHostname }) =>
+            getTailnetHostname((cmd, args) =>
+              runExec(cmd, args, { timeoutMs: 1200, maxBuffer: 200_000 }),
+            ),
+          )
+          .catch(() => null);
 
   const gatewayProbePromise = resolveGatewayProbeSnapshot({ cfg, opts });
 
@@ -235,11 +291,9 @@ async function scanStatusJsonFast(opts: {
   const gatewaySelf = gatewayProbe?.presence
     ? pickGatewaySelfPresence(gatewayProbe.presence)
     : null;
-  const channelsStatusPromise = resolveChannelsStatus({ cfg, gatewayReachable, opts });
   const memoryPlugin = resolveMemoryPluginStatus(cfg);
   const memoryPromise = resolveMemoryStatusSnapshot({ cfg, agentStatus, memoryPlugin });
-  const [channelsStatus, memory] = await Promise.all([channelsStatusPromise, memoryPromise]);
-  const channelIssues = channelsStatus ? collectChannelStatusIssues(channelsStatus) : [];
+  const memory = await memoryPromise;
 
   return {
     cfg,
@@ -258,7 +312,7 @@ async function scanStatusJsonFast(opts: {
     gatewayProbe,
     gatewayReachable,
     gatewaySelf,
-    channelIssues,
+    channelIssues: [],
     agentStatus,
     channels: { rows: [], details: [] },
     summary,
@@ -292,16 +346,20 @@ export async function scanStatus(
           config: loadedRaw,
           commandName: "status",
           targetIds: getStatusCommandSecretTargetIds(),
-          mode: "summary",
+          mode: "read_only_status",
         });
       const osSummary = resolveOsSummary();
       const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
       const tailscaleDnsPromise =
         tailscaleMode === "off"
           ? Promise.resolve<string | null>(null)
-          : getTailnetHostname((cmd, args) =>
-              runExec(cmd, args, { timeoutMs: 1200, maxBuffer: 200_000 }),
-            ).catch(() => null);
+          : loadStatusScanDepsRuntimeModule()
+              .then(({ getTailnetHostname }) =>
+                getTailnetHostname((cmd, args) =>
+                  runExec(cmd, args, { timeoutMs: 1200, maxBuffer: 200_000 }),
+                ),
+              )
+              .catch(() => null);
       const updateTimeoutMs = opts.all ? 6500 : 2500;
       const updatePromise = deferResult(
         getUpdateCheckResult({
@@ -349,6 +407,8 @@ export async function scanStatus(
 
       progress.setLabel("Querying channel status…");
       const channelsStatus = await resolveChannelsStatus({ cfg, gatewayReachable, opts });
+      const { collectChannelStatusIssues, buildChannelsTable } =
+        await loadStatusScanRuntimeModule();
       const channelIssues = channelsStatus ? collectChannelStatusIssues(channelsStatus) : [];
       progress.tick();
 
diff --git a/src/commands/status.summary.runtime.ts b/src/commands/status.summary.runtime.ts
new file mode 100644
index 00000000000..df1ae881d4f
--- /dev/null
+++ b/src/commands/status.summary.runtime.ts
@@ -0,0 +1,2 @@
+export { resolveContextTokensForModel } from "../agents/context.js";
+export { classifySessionKey, resolveSessionModelRef } from "../gateway/session-utils.js";
diff --git a/src/commands/status.summary.test.ts b/src/commands/status.summary.test.ts
index addda823a23..12ce55844c3 100644
--- a/src/commands/status.summary.test.ts
+++ b/src/commands/status.summary.test.ts
@@ -1,5 +1,9 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 
+vi.mock("../channels/config-presence.js", () => ({
+  hasPotentialConfiguredChannels: vi.fn(() => true),
+}));
+
 vi.mock("../agents/context.js", () => ({
   resolveContextTokensForModel: vi.fn(() => 200_000),
 }));
@@ -28,12 +32,15 @@ vi.mock("../config/sessions.js", () => ({
   resolveStorePath: vi.fn(() => "/tmp/sessions.json"),
 }));
 
-vi.mock("../gateway/session-utils.js", () => ({
-  classifySessionKey: vi.fn(() => "direct"),
-  listAgentsForGateway: vi.fn(() => ({
+vi.mock("../gateway/agent-list.js", () => ({
+  listGatewayAgentsBasic: vi.fn(() => ({
     defaultId: "main",
     agents: [{ id: "main" }],
   })),
+}));
+
+vi.mock("../gateway/session-utils.js", () => ({
+  classifySessionKey: vi.fn(() => "direct"),
   resolveSessionModelRef: vi.fn(() => ({
     provider: "openai",
     model: "gpt-5.2",
@@ -44,7 +51,7 @@ vi.mock("../infra/channel-summary.js", () => ({
   buildChannelSummary: vi.fn(async () => ["ok"]),
 }));
 
-vi.mock("../infra/heartbeat-runner.js", () => ({
+vi.mock("../infra/heartbeat-summary.js", () => ({
   resolveHeartbeatSummaryForAgent: vi.fn(() => ({
     enabled: true,
     every: "5m",
@@ -57,6 +64,8 @@ vi.mock("../infra/system-events.js", () => ({
 }));
 
 vi.mock("../routing/session-key.js", () => ({
+  normalizeAgentId: vi.fn((value: string) => value),
+  normalizeMainKey: vi.fn((value?: string) => value ?? "main"),
   parseAgentSessionKey: vi.fn(() => null),
 }));
 
@@ -82,4 +91,19 @@ describe("getStatusSummary", () => {
     expect(summary.heartbeat.defaultAgentId).toBe("main");
     expect(summary.channelSummary).toEqual(["ok"]);
   });
+
+  it("skips channel summary imports when no channels are configured", async () => {
+    const { hasPotentialConfiguredChannels } = await import("../channels/config-presence.js");
+    vi.mocked(hasPotentialConfiguredChannels).mockReturnValue(false);
+    const { buildChannelSummary } = await import("../infra/channel-summary.js");
+    const { resolveLinkChannelContext } = await import("./status.link-channel.js");
+    const { getStatusSummary } = await import("./status.summary.js");
+
+    const summary = await getStatusSummary();
+
+    expect(summary.channelSummary).toEqual([]);
+    expect(summary.linkChannel).toBeUndefined();
+    expect(buildChannelSummary).not.toHaveBeenCalled();
+    expect(resolveLinkChannelContext).not.toHaveBeenCalled();
+  });
 });
diff --git a/src/commands/status.summary.ts b/src/commands/status.summary.ts
index b84bada07ff..bc2c7b4c205 100644
--- a/src/commands/status.summary.ts
+++ b/src/commands/status.summary.ts
@@ -1,6 +1,6 @@
-import { resolveContextTokensForModel } from "../agents/context.js";
 import { DEFAULT_CONTEXT_TOKENS, DEFAULT_MODEL, DEFAULT_PROVIDER } from "../agents/defaults.js";
 import { resolveConfiguredModelRef } from "../agents/model-selection.js";
+import { hasPotentialConfiguredChannels } from "../channels/config-presence.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { loadConfig } from "../config/config.js";
 import {
@@ -10,19 +10,34 @@ import {
   resolveStorePath,
   type SessionEntry,
 } from "../config/sessions.js";
-import {
-  classifySessionKey,
-  listAgentsForGateway,
-  resolveSessionModelRef,
-} from "../gateway/session-utils.js";
-import { buildChannelSummary } from "../infra/channel-summary.js";
-import { resolveHeartbeatSummaryForAgent } from "../infra/heartbeat-runner.js";
+import { listGatewayAgentsBasic } from "../gateway/agent-list.js";
+import { resolveHeartbeatSummaryForAgent } from "../infra/heartbeat-summary.js";
 import { peekSystemEvents } from "../infra/system-events.js";
 import { parseAgentSessionKey } from "../routing/session-key.js";
 import { resolveRuntimeServiceVersion } from "../version.js";
-import { resolveLinkChannelContext } from "./status.link-channel.js";
 import type { HeartbeatStatus, SessionStatus, StatusSummary } from "./status.types.js";
 
+let channelSummaryModulePromise: Promise<typeof import("../infra/channel-summary.js")> | undefined;
+let linkChannelModulePromise: Promise<typeof import("./status.link-channel.js")> | undefined;
+let statusSummaryRuntimeModulePromise:
+  | Promise<typeof import("./status.summary.runtime.js")>
+  | undefined;
+
+function loadChannelSummaryModule() {
+  channelSummaryModulePromise ??= import("../infra/channel-summary.js");
+  return channelSummaryModulePromise;
+}
+
+function loadLinkChannelModule() {
+  linkChannelModulePromise ??= import("./status.link-channel.js");
+  return linkChannelModulePromise;
+}
+
+function loadStatusSummaryRuntimeModule() {
+  statusSummaryRuntimeModulePromise ??= import("./status.summary.runtime.js");
+  return statusSummaryRuntimeModulePromise;
+}
+
 const buildFlags = (entry?: SessionEntry): string[] => {
   if (!entry) {
     return [];
@@ -88,9 +103,16 @@ export async function getStatusSummary(
   } = {},
 ): Promise<StatusSummary> {
   const { includeSensitive = true } = options;
+  const { classifySessionKey, resolveContextTokensForModel, resolveSessionModelRef } =
+    await loadStatusSummaryRuntimeModule();
   const cfg = options.config ?? loadConfig();
-  const linkContext = await resolveLinkChannelContext(cfg);
-  const agentList = listAgentsForGateway(cfg);
+  const needsChannelPlugins = hasPotentialConfiguredChannels(cfg);
+  const linkContext = needsChannelPlugins
+    ? await loadLinkChannelModule().then(({ resolveLinkChannelContext }) =>
+        resolveLinkChannelContext(cfg),
+      )
+    : null;
+  const agentList = listGatewayAgentsBasic(cfg);
   const heartbeatAgents: HeartbeatStatus[] = agentList.agents.map((agent) => {
     const summary = resolveHeartbeatSummaryForAgent(cfg, agent.id);
     return {
@@ -100,11 +122,15 @@ export async function getStatusSummary(
       everyMs: summary.everyMs,
     } satisfies HeartbeatStatus;
   });
-  const channelSummary = await buildChannelSummary(cfg, {
-    colorize: true,
-    includeAllowFrom: true,
-    sourceConfig: options.sourceConfig,
-  });
+  const channelSummary = needsChannelPlugins
+    ? await loadChannelSummaryModule().then(({ buildChannelSummary }) =>
+        buildChannelSummary(cfg, {
+          colorize: true,
+          includeAllowFrom: true,
+          sourceConfig: options.sourceConfig,
+        }),
+      )
+    : [];
   const mainSessionKey = resolveMainSessionKey(cfg);
   const queuedSystemEvents = peekSystemEvents(mainSessionKey);
 
diff --git a/src/commands/status.test.ts b/src/commands/status.test.ts
index c40693302ac..3e68d55ced2 100644
--- a/src/commands/status.test.ts
+++ b/src/commands/status.test.ts
@@ -168,7 +168,7 @@ const mocks = vi.hoisted(() => ({
     configSnapshot: null,
   }),
   callGateway: vi.fn().mockResolvedValue({}),
-  listAgentsForGateway: vi.fn().mockReturnValue({
+  listGatewayAgentsBasic: vi.fn().mockReturnValue({
     defaultId: "main",
     mainKey: "agent:main:main",
     scope: "per-sender",
@@ -299,11 +299,18 @@ vi.mock("../gateway/call.js", async (importOriginal) => {
   const actual = await importOriginal<typeof import("../gateway/call.js")>();
   return { ...actual, callGateway: mocks.callGateway };
 });
+vi.mock("../gateway/agent-list.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("../gateway/agent-list.js")>();
+  return {
+    ...actual,
+    listGatewayAgentsBasic: mocks.listGatewayAgentsBasic,
+  };
+});
+
 vi.mock("../gateway/session-utils.js", async (importOriginal) => {
   const actual = await importOriginal<typeof import("../gateway/session-utils.js")>();
   return {
     ...actual,
-    listAgentsForGateway: mocks.listAgentsForGateway,
   };
 });
 vi.mock("../infra/openclaw-root.js", () => ({
@@ -398,7 +405,7 @@ describe("statusCommand", () => {
   it("prints JSON when requested", async () => {
     await statusCommand({ json: true }, runtime as never);
     const payload = JSON.parse(String(runtimeLogMock.mock.calls[0]?.[0]));
-    expect(payload.linkChannel.linked).toBe(true);
+    expect(payload.linkChannel).toBeUndefined();
     expect(payload.memory.agentId).toBe("main");
     expect(payload.memoryPlugin.enabled).toBe(true);
     expect(payload.memoryPlugin.slot).toBe("memory-core");
@@ -512,6 +519,11 @@ describe("statusCommand", () => {
     await statusCommand({ json: true }, runtime as never);
     const payload = JSON.parse(String(runtimeLogMock.mock.calls.at(-1)?.[0]));
     expect(payload.gateway.error ?? payload.gateway.authWarning ?? null).not.toBeNull();
+    if (Array.isArray(payload.secretDiagnostics) && payload.secretDiagnostics.length > 0) {
+      expect(
+        payload.secretDiagnostics.some((entry: string) => entry.includes("gateway.auth.token")),
+      ).toBe(true);
+    }
     expect(runtime.error).not.toHaveBeenCalled();
   });
 
@@ -603,11 +615,11 @@ describe("statusCommand", () => {
   });
 
   it("includes sessions across agents in JSON output", async () => {
-    const originalAgents = mocks.listAgentsForGateway.getMockImplementation();
+    const originalAgents = mocks.listGatewayAgentsBasic.getMockImplementation();
     const originalResolveStorePath = mocks.resolveStorePath.getMockImplementation();
     const originalLoadSessionStore = mocks.loadSessionStore.getMockImplementation();
 
-    mocks.listAgentsForGateway.mockReturnValue({
+    mocks.listGatewayAgentsBasic.mockReturnValue({
       defaultId: "main",
       mainKey: "agent:main:main",
       scope: "per-sender",
@@ -646,7 +658,7 @@ describe("statusCommand", () => {
     ).toBe(true);
 
     if (originalAgents) {
-      mocks.listAgentsForGateway.mockImplementation(originalAgents);
+      mocks.listGatewayAgentsBasic.mockImplementation(originalAgents);
     }
     if (originalResolveStorePath) {
       mocks.resolveStorePath.mockImplementation(originalResolveStorePath);
diff --git a/src/config/commands.ts b/src/config/commands.ts
index 4d174d7c396..29992b3a1cd 100644
--- a/src/config/commands.ts
+++ b/src/config/commands.ts
@@ -1,5 +1,5 @@
-import { normalizeChannelId } from "../channels/plugins/index.js";
 import type { ChannelId } from "../channels/plugins/types.js";
+import { normalizeChannelId } from "../channels/registry.js";
 import { isPlainObject } from "../infra/plain-object.js";
 import type { CommandsConfig, NativeCommandsSetting } from "./types.js";
 
diff --git a/src/config/config.plugin-validation.test.ts b/src/config/config.plugin-validation.test.ts
index efb84acdacf..42d473aed4e 100644
--- a/src/config/config.plugin-validation.test.ts
+++ b/src/config/config.plugin-validation.test.ts
@@ -281,6 +281,47 @@ describe("config plugin validation", () => {
     }
   });
 
+  it("warns for removed google gemini auth plugin ids instead of failing validation", async () => {
+    const removedId = "google-gemini-cli-auth";
+    const res = validateInSuite({
+      agents: { list: [{ id: "pi" }] },
+      plugins: {
+        enabled: false,
+        entries: { [removedId]: { enabled: true } },
+        allow: [removedId],
+        deny: [removedId],
+        slots: { memory: removedId },
+      },
+    });
+    expect(res.ok).toBe(true);
+    if (res.ok) {
+      expect(res.warnings).toEqual(
+        expect.arrayContaining([
+          {
+            path: `plugins.entries.${removedId}`,
+            message:
+              "plugin removed: google-gemini-cli-auth (stale config entry ignored; remove it from plugins config)",
+          },
+          {
+            path: "plugins.allow",
+            message:
+              "plugin removed: google-gemini-cli-auth (stale config entry ignored; remove it from plugins config)",
+          },
+          {
+            path: "plugins.deny",
+            message:
+              "plugin removed: google-gemini-cli-auth (stale config entry ignored; remove it from plugins config)",
+          },
+          {
+            path: "plugins.slots.memory",
+            message:
+              "plugin removed: google-gemini-cli-auth (stale config entry ignored; remove it from plugins config)",
+          },
+        ]),
+      );
+    }
+  });
+
   it("surfaces plugin config diagnostics", async () => {
     const res = validateInSuite({
       agents: { list: [{ id: "pi" }] },
diff --git a/src/config/config.web-search-provider.test.ts b/src/config/config.web-search-provider.test.ts
index 7ddb4ca3ab4..912e70ac5a4 100644
--- a/src/config/config.web-search-provider.test.ts
+++ b/src/config/config.web-search-provider.test.ts
@@ -6,6 +6,45 @@ vi.mock("../runtime.js", () => ({
   defaultRuntime: { log: vi.fn(), error: vi.fn() },
 }));
 
+vi.mock("../plugins/web-search-providers.js", () => {
+  const getScoped = (key: string) => (search?: Record<string, unknown>) =>
+    (search?.[key] as { apiKey?: unknown } | undefined)?.apiKey;
+  return {
+    resolvePluginWebSearchProviders: () => [
+      {
+        id: "brave",
+        envVars: ["BRAVE_API_KEY"],
+        getCredentialValue: (search?: Record<string, unknown>) => search?.apiKey,
+      },
+      {
+        id: "firecrawl",
+        envVars: ["FIRECRAWL_API_KEY"],
+        getCredentialValue: getScoped("firecrawl"),
+      },
+      {
+        id: "gemini",
+        envVars: ["GEMINI_API_KEY"],
+        getCredentialValue: getScoped("gemini"),
+      },
+      {
+        id: "grok",
+        envVars: ["XAI_API_KEY"],
+        getCredentialValue: getScoped("grok"),
+      },
+      {
+        id: "kimi",
+        envVars: ["KIMI_API_KEY", "MOONSHOT_API_KEY"],
+        getCredentialValue: getScoped("kimi"),
+      },
+      {
+        id: "perplexity",
+        envVars: ["PERPLEXITY_API_KEY", "OPENROUTER_API_KEY"],
+        getCredentialValue: getScoped("perplexity"),
+      },
+    ],
+  };
+});
+
 const { __testing } = await import("../agents/tools/web-search.js");
 const { resolveSearchProvider } = __testing;
 
@@ -41,6 +80,21 @@ describe("web search provider config", () => {
     expect(res.ok).toBe(true);
   });
 
+  it("accepts firecrawl provider and config", () => {
+    const res = validateConfigObject(
+      buildWebSearchProviderConfig({
+        enabled: true,
+        provider: "firecrawl",
+        providerConfig: {
+          apiKey: "fc-test-key", // pragma: allowlist secret
+          baseUrl: "https://api.firecrawl.dev",
+        },
+      }),
+    );
+
+    expect(res.ok).toBe(true);
+  });
+
   it("accepts gemini provider with no extra config", () => {
     const res = validateConfigObject(
       buildWebSearchProviderConfig({
@@ -83,6 +137,7 @@ describe("web search provider auto-detection", () => {
 
   beforeEach(() => {
     delete process.env.BRAVE_API_KEY;
+    delete process.env.FIRECRAWL_API_KEY;
     delete process.env.GEMINI_API_KEY;
     delete process.env.KIMI_API_KEY;
     delete process.env.MOONSHOT_API_KEY;
@@ -112,6 +167,11 @@ describe("web search provider auto-detection", () => {
     expect(resolveSearchProvider({})).toBe("gemini");
   });
 
+  it("auto-detects firecrawl when only FIRECRAWL_API_KEY is set", () => {
+    process.env.FIRECRAWL_API_KEY = "fc-test-key"; // pragma: allowlist secret
+    expect(resolveSearchProvider({})).toBe("firecrawl");
+  });
+
   it("auto-detects kimi when only KIMI_API_KEY is set", () => {
     process.env.KIMI_API_KEY = "test-kimi-key"; // pragma: allowlist secret
     expect(resolveSearchProvider({})).toBe("kimi");
diff --git a/src/config/legacy.migrations.part-3.ts b/src/config/legacy.migrations.part-3.ts
index 5035930dadb..be382e5bd8a 100644
--- a/src/config/legacy.migrations.part-3.ts
+++ b/src/config/legacy.migrations.part-3.ts
@@ -100,7 +100,7 @@ function mergeLegacyIntoDefaults(params: {
 export const LEGACY_CONFIG_MIGRATIONS_PART_3: LegacyConfigMigration[] = [
   {
     // v2026.2.26 added a startup guard requiring gateway.controlUi.allowedOrigins (or the
-    // host-header fallback flag) for any non-loopback bind. The onboarding wizard was updated
+    // host-header fallback flag) for any non-loopback bind. The setup wizard was updated
     // to seed this for new installs, but existing bind=lan/bind=custom installs that upgrade
     // crash-loop immediately on next startup with no recovery path (issue #29385).
     //
diff --git a/src/config/plugin-auto-enable.test.ts b/src/config/plugin-auto-enable.test.ts
index c289417ce53..8439a2768ec 100644
--- a/src/config/plugin-auto-enable.test.ts
+++ b/src/config/plugin-auto-enable.test.ts
@@ -307,7 +307,26 @@ describe("applyPluginAutoEnable", () => {
       env: {},
     });
 
-    expect(result.config.plugins?.entries?.["google-gemini-cli-auth"]?.enabled).toBe(true);
+    expect(result.config.plugins?.entries?.google?.enabled).toBe(true);
+  });
+
+  it("auto-enables minimax when minimax-portal profiles exist", () => {
+    const result = applyPluginAutoEnable({
+      config: {
+        auth: {
+          profiles: {
+            "minimax-portal:default": {
+              provider: "minimax-portal",
+              mode: "oauth",
+            },
+          },
+        },
+      },
+      env: {},
+    });
+
+    expect(result.config.plugins?.entries?.minimax?.enabled).toBe(true);
+    expect(result.config.plugins?.entries?.["minimax-portal-auth"]).toBeUndefined();
   });
 
   it("auto-enables acpx plugin when ACP is configured", () => {
diff --git a/src/config/plugin-auto-enable.ts b/src/config/plugin-auto-enable.ts
index 4e0cae1209f..7ca736ee448 100644
--- a/src/config/plugin-auto-enable.ts
+++ b/src/config/plugin-auto-enable.ts
@@ -1,4 +1,3 @@
-import { hasAnyWhatsAppAuth } from "../../extensions/whatsapp/src/accounts.js";
 import { normalizeProviderId } from "../agents/model-selection.js";
 import {
   getChannelPluginCatalogEntry,
@@ -9,6 +8,7 @@ import {
   listChatChannels,
   normalizeChatChannelId,
 } from "../channels/registry.js";
+import { hasAnyWhatsAppAuth } from "../plugin-sdk-internal/whatsapp.js";
 import {
   loadPluginManifestRegistry,
   type PluginManifestRegistry,
@@ -28,10 +28,10 @@ export type PluginAutoEnableResult = {
 };
 
 const PROVIDER_PLUGIN_IDS: Array<{ pluginId: string; providerId: string }> = [
-  { pluginId: "google-gemini-cli-auth", providerId: "google-gemini-cli" },
+  { pluginId: "google", providerId: "google-gemini-cli" },
   { pluginId: "qwen-portal-auth", providerId: "qwen-portal" },
   { pluginId: "copilot-proxy", providerId: "copilot-proxy" },
-  { pluginId: "minimax-portal-auth", providerId: "minimax-portal" },
+  { pluginId: "minimax", providerId: "minimax-portal" },
 ];
 
 function hasNonEmptyString(value: unknown): boolean {
diff --git a/src/config/schema.help.quality.test.ts b/src/config/schema.help.quality.test.ts
index 7de4e592b23..2680013a717 100644
--- a/src/config/schema.help.quality.test.ts
+++ b/src/config/schema.help.quality.test.ts
@@ -422,7 +422,7 @@ const ENUM_EXPECTATIONS: Record<string, string[]> = {
   "gateway.bind": ['"auto"', '"lan"', '"loopback"', '"custom"', '"tailnet"'],
   "gateway.auth.mode": ['"none"', '"token"', '"password"', '"trusted-proxy"'],
   "gateway.tailscale.mode": ['"off"', '"serve"', '"funnel"'],
-  "browser.profiles.*.driver": ['"openclaw"', '"clawd"', '"extension"'],
+  "browser.profiles.*.driver": ['"openclaw"', '"clawd"', '"existing-session"'],
   "discovery.mdns.mode": ['"off"', '"minimal"', '"full"'],
   "wizard.lastRunMode": ['"local"', '"remote"'],
   "diagnostics.otel.protocol": ['"http/protobuf"', '"grpc"'],
diff --git a/src/config/schema.help.ts b/src/config/schema.help.ts
index 0d03f9574b1..627dccb5049 100644
--- a/src/config/schema.help.ts
+++ b/src/config/schema.help.ts
@@ -1,7 +1,7 @@
 import {
   DISCORD_DEFAULT_INBOUND_WORKER_TIMEOUT_MS,
   DISCORD_DEFAULT_LISTENER_TIMEOUT_MS,
-} from "../../extensions/discord/src/monitor/timeouts.js";
+} from "../plugin-sdk-internal/discord.js";
 import { MEDIA_AUDIO_FIELD_HELP } from "./media-audio-field-metadata.js";
 import { IRC_FIELD_HELP } from "./schema.irc.js";
 import { describeTalkSilenceTimeoutDefaults } from "./talk-defaults.js";
@@ -20,17 +20,17 @@ export const FIELD_HELP: Record<string, string> = {
   "env.vars":
     "Explicit key/value environment variable overrides merged into runtime process environment for OpenClaw. Use this for deterministic env configuration instead of relying only on shell profile side effects.",
   wizard:
-    "Setup wizard state tracking fields that record the most recent guided onboarding run details. Keep these fields for observability and troubleshooting of setup flows across upgrades.",
+    "Setup wizard state tracking fields that record the most recent guided setup run details. Keep these fields for observability and troubleshooting of setup flows across upgrades.",
   "wizard.lastRunAt":
-    "ISO timestamp for when the setup wizard most recently completed on this host. Use this to confirm onboarding recency during support and operational audits.",
+    "ISO timestamp for when the setup wizard most recently completed on this host. Use this to confirm setup recency during support and operational audits.",
   "wizard.lastRunVersion":
-    "OpenClaw version recorded at the time of the most recent wizard run on this config. Use this when diagnosing behavior differences across version-to-version onboarding changes.",
+    "OpenClaw version recorded at the time of the most recent wizard run on this config. Use this when diagnosing behavior differences across version-to-version setup changes.",
   "wizard.lastRunCommit":
-    "Source commit identifier recorded for the last wizard execution in development builds. Use this to correlate onboarding behavior with exact source state during debugging.",
+    "Source commit identifier recorded for the last wizard execution in development builds. Use this to correlate setup behavior with exact source state during debugging.",
   "wizard.lastRunCommand":
-    "Command invocation recorded for the latest wizard run to preserve execution context. Use this to reproduce onboarding steps when verifying setup regressions.",
+    "Command invocation recorded for the latest wizard run to preserve execution context. Use this to reproduce setup steps when verifying setup regressions.",
   "wizard.lastRunMode":
-    'Wizard execution mode recorded as "local" or "remote" for the most recent onboarding flow. Use this to understand whether setup targeted direct local runtime or remote gateway topology.',
+    'Wizard execution mode recorded as "local" or "remote" for the most recent setup flow. Use this to understand whether setup targeted direct local runtime or remote gateway topology.',
   diagnostics:
     "Diagnostics controls for targeted tracing, telemetry export, and cache inspection during debugging. Keep baseline diagnostics minimal in production and enable deeper signals only when investigating issues.",
   "diagnostics.otel":
@@ -254,8 +254,6 @@ export const FIELD_HELP: Record<string, string> = {
     "Starting local CDP port used for auto-allocated browser profile ports. Increase this when host-level port defaults conflict with other local services.",
   "browser.defaultProfile":
     "Default browser profile name selected when callers do not explicitly choose a profile. Use a stable low-privilege profile as the default to reduce accidental cross-context state use.",
-  "browser.relayBindHost":
-    "Bind IP address for the Chrome extension relay listener. Leave unset for loopback-only access, or set an explicit non-loopback IP such as 0.0.0.0 only when the relay must be reachable across network namespaces (for example WSL2) and the surrounding network is already trusted.",
   "browser.profiles":
     "Named browser profile connection map used for explicit routing to CDP ports or URLs with optional metadata. Keep profile names consistent and avoid overlapping endpoint definitions.",
   "browser.profiles.*.cdpPort":
@@ -263,7 +261,7 @@ export const FIELD_HELP: Record<string, string> = {
   "browser.profiles.*.cdpUrl":
     "Per-profile CDP websocket URL used for explicit remote browser routing by profile name. Use this when profile connections terminate on remote hosts or tunnels.",
   "browser.profiles.*.driver":
-    'Per-profile browser driver mode: "openclaw" (or legacy "clawd") or "extension" depending on connection/runtime strategy. Use the driver that matches your browser control stack to avoid protocol mismatches.',
+    'Per-profile browser driver mode. Use "openclaw" (or legacy "clawd") for CDP-based profiles, or use "existing-session" for host-local Chrome MCP attachment.',
   "browser.profiles.*.attachOnly":
     "Per-profile attach-only override that skips local browser launch and only attaches to an existing CDP endpoint. Useful when one profile is externally managed but others are locally launched.",
   "browser.profiles.*.color":
@@ -427,6 +425,8 @@ export const FIELD_HELP: Record<string, string> = {
   "gateway.reload.mode":
     'Controls how config edits are applied: "off" ignores live edits, "restart" always restarts, "hot" applies in-process, and "hybrid" tries hot then restarts if required. Keep "hybrid" for safest routine updates.',
   "gateway.reload.debounceMs": "Debounce window (ms) before applying config changes.",
+  "gateway.reload.deferralTimeoutMs":
+    "Maximum time (ms) to wait for in-flight operations to complete before forcing a SIGUSR1 restart. Default: 300000 (5 minutes). Lower values risk aborting active subagent LLM calls.",
   "gateway.nodes.browser.mode":
     'Node browser routing ("auto" = pick single connected browser node, "manual" = require node param, "off" = disable).',
   "gateway.nodes.browser.node": "Pin browser routing to a specific node id or name (optional).",
@@ -665,13 +665,17 @@ export const FIELD_HELP: Record<string, string> = {
   "tools.message.broadcast.enabled": "Enable broadcast action (default: true).",
   "tools.web.search.enabled": "Enable the web_search tool (requires a provider API key).",
   "tools.web.search.provider":
-    'Search provider ("brave", "gemini", "grok", "kimi", or "perplexity"). Auto-detected from available API keys if omitted.',
+    'Search provider ("brave", "firecrawl", "gemini", "grok", "kimi", or "perplexity"). Auto-detected from available API keys if omitted.',
   "tools.web.search.apiKey": "Brave Search API key (fallback: BRAVE_API_KEY env var).",
   "tools.web.search.maxResults": "Number of results to return (1-10).",
   "tools.web.search.timeoutSeconds": "Timeout in seconds for web_search requests.",
   "tools.web.search.cacheTtlMinutes": "Cache TTL in minutes for web_search results.",
   "tools.web.search.brave.mode":
     'Brave Search mode: "web" (URL results) or "llm-context" (pre-extracted page content for LLM grounding).',
+  "tools.web.search.firecrawl.apiKey":
+    "Firecrawl API key for web search (fallback: FIRECRAWL_API_KEY env var).",
+  "tools.web.search.firecrawl.baseUrl":
+    'Firecrawl Search base URL override (default: "https://api.firecrawl.dev").',
   "tools.web.search.gemini.apiKey":
     "Gemini API key for Google Search grounding (fallback: GEMINI_API_KEY env var).",
   "tools.web.search.gemini.model": 'Gemini model override (default: "gemini-2.5-flash").',
@@ -999,6 +1003,12 @@ export const FIELD_HELP: Record<string, string> = {
   "plugins.installs.*.resolvedAt":
     "ISO timestamp when npm package metadata was last resolved for this install record.",
   "plugins.installs.*.installedAt": "ISO timestamp of last install/update.",
+  "plugins.installs.*.marketplaceName":
+    "Marketplace display name recorded for marketplace-backed plugin installs (if available).",
+  "plugins.installs.*.marketplaceSource":
+    "Original marketplace source used to resolve the install (for example a repo path or Git URL).",
+  "plugins.installs.*.marketplacePlugin":
+    "Plugin entry name inside the source marketplace, used for later updates.",
   "agents.list.*.identity.avatar":
     "Agent avatar (workspace-relative path, http(s) URL, or data URI).",
   "agents.defaults.model.primary": "Primary model (provider/model).",
diff --git a/src/config/schema.labels.ts b/src/config/schema.labels.ts
index dc5195fb766..9541ad3b10a 100644
--- a/src/config/schema.labels.ts
+++ b/src/config/schema.labels.ts
@@ -120,7 +120,6 @@ export const FIELD_LABELS: Record<string, string> = {
   "browser.attachOnly": "Browser Attach-only Mode",
   "browser.cdpPortRangeStart": "Browser CDP Port Range Start",
   "browser.defaultProfile": "Browser Default Profile",
-  "browser.relayBindHost": "Browser Relay Bind Address",
   "browser.profiles": "Browser Profiles",
   "browser.profiles.*.cdpPort": "Browser Profile CDP Port",
   "browser.profiles.*.cdpUrl": "Browser Profile CDP URL",
@@ -221,6 +220,8 @@ export const FIELD_LABELS: Record<string, string> = {
   "tools.web.search.timeoutSeconds": "Web Search Timeout (sec)",
   "tools.web.search.cacheTtlMinutes": "Web Search Cache TTL (min)",
   "tools.web.search.brave.mode": "Brave Search Mode",
+  "tools.web.search.firecrawl.apiKey": "Firecrawl Search API Key", // pragma: allowlist secret
+  "tools.web.search.firecrawl.baseUrl": "Firecrawl Search Base URL",
   "tools.web.search.gemini.apiKey": "Gemini Search API Key", // pragma: allowlist secret
   "tools.web.search.gemini.model": "Gemini Search Model",
   "tools.web.search.grok.apiKey": "Grok Search API Key", // pragma: allowlist secret
@@ -277,6 +278,7 @@ export const FIELD_LABELS: Record<string, string> = {
     "OpenAI Chat Completions Image Timeout (ms)",
   "gateway.reload.mode": "Config Reload Mode",
   "gateway.reload.debounceMs": "Config Reload Debounce (ms)",
+  "gateway.reload.deferralTimeoutMs": "Restart Deferral Timeout (ms)",
   "gateway.nodes.browser.mode": "Gateway Node Browser Mode",
   "gateway.nodes.browser.node": "Gateway Node Browser Pin",
   "gateway.nodes.allowCommands": "Gateway Node Allowlist (Extra Commands)",
@@ -869,4 +871,7 @@ export const FIELD_LABELS: Record<string, string> = {
   "plugins.installs.*.shasum": "Plugin Resolved Shasum",
   "plugins.installs.*.resolvedAt": "Plugin Resolution Time",
   "plugins.installs.*.installedAt": "Plugin Install Time",
+  "plugins.installs.*.marketplaceName": "Plugin Marketplace Name",
+  "plugins.installs.*.marketplaceSource": "Plugin Marketplace Source",
+  "plugins.installs.*.marketplacePlugin": "Plugin Marketplace Plugin",
 };
diff --git a/src/config/sessions/explicit-session-key-normalization.ts b/src/config/sessions/explicit-session-key-normalization.ts
index 984b70487a3..16b43a7c43c 100644
--- a/src/config/sessions/explicit-session-key-normalization.ts
+++ b/src/config/sessions/explicit-session-key-normalization.ts
@@ -1,5 +1,5 @@
-import { normalizeExplicitDiscordSessionKey } from "../../../extensions/discord/src/session-key-normalization.js";
 import type { MsgContext } from "../../auto-reply/templating.js";
+import { normalizeExplicitDiscordSessionKey } from "../../plugin-sdk-internal/discord.js";
 
 type ExplicitSessionKeyNormalizer = (sessionKey: string, ctx: MsgContext) => string;
 type ExplicitSessionKeyNormalizerEntry = {
diff --git a/src/config/sessions/metadata.ts b/src/config/sessions/metadata.ts
index c438fd60f2b..b93cfcb5372 100644
--- a/src/config/sessions/metadata.ts
+++ b/src/config/sessions/metadata.ts
@@ -1,8 +1,7 @@
 import type { MsgContext } from "../../auto-reply/templating.js";
 import { normalizeChatType } from "../../channels/chat-type.js";
 import { resolveConversationLabel } from "../../channels/conversation-label.js";
-import { getChannelDock } from "../../channels/dock.js";
-import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import { normalizeMessageChannel } from "../../utils/message-channel.js";
 import { buildGroupDisplayName, resolveGroupSessionKey } from "./group.js";
 import type { GroupKeyResolution, SessionEntry, SessionOrigin } from "./types.js";
@@ -111,7 +110,7 @@ export function deriveGroupSessionPatch(params: {
   const normalizedChannel = normalizeChannelId(channel);
   const isChannelProvider = Boolean(
     normalizedChannel &&
-    getChannelDock(normalizedChannel)?.capabilities.chatTypes.includes("channel"),
+    getChannelPlugin(normalizedChannel)?.capabilities.chatTypes.includes("channel"),
   );
   const nextGroupChannel =
     explicitChannel ??
diff --git a/src/config/test-helpers.ts b/src/config/test-helpers.ts
index 69e7745a85b..5809a37da2d 100644
--- a/src/config/test-helpers.ts
+++ b/src/config/test-helpers.ts
@@ -1,6 +1,7 @@
 import fs from "node:fs/promises";
 import path from "node:path";
 import { withTempHome as withTempHomeBase } from "../../test/helpers/temp-home.js";
+import type { OpenClawConfig } from "./config.js";
 
 export async function withTempHome<T>(fn: (home: string) => Promise<T>): Promise<T> {
   return withTempHomeBase(fn, { prefix: "openclaw-config-" });
@@ -53,7 +54,9 @@ export async function withEnvOverride<T>(
 }
 
 export function buildWebSearchProviderConfig(params: {
-  provider: string;
+  provider: NonNullable<
+    NonNullable<NonNullable<NonNullable<OpenClawConfig["tools"]>["web"]>["search"]>["provider"]
+  >;
   enabled?: boolean;
   providerConfig?: Record<string, unknown>;
 }): Record<string, unknown> {
diff --git a/src/config/types.agents-shared.ts b/src/config/types.agents-shared.ts
index 152c8973c11..3351d9903c9 100644
--- a/src/config/types.agents-shared.ts
+++ b/src/config/types.agents-shared.ts
@@ -2,6 +2,7 @@ import type {
   SandboxBrowserSettings,
   SandboxDockerSettings,
   SandboxPruneSettings,
+  SandboxSshSettings,
 } from "./types.sandbox.js";
 
 export type AgentModelConfig =
@@ -15,6 +16,8 @@ export type AgentModelConfig =
 
 export type AgentSandboxConfig = {
   mode?: "off" | "non-main" | "all";
+  /** Sandbox runtime backend id. Default: "docker". */
+  backend?: string;
   /** Agent workspace access inside the sandbox. */
   workspaceAccess?: "none" | "ro" | "rw";
   /**
@@ -30,6 +33,8 @@ export type AgentSandboxConfig = {
   workspaceRoot?: string;
   /** Docker-specific sandbox settings. */
   docker?: SandboxDockerSettings;
+  /** SSH-specific sandbox settings. */
+  ssh?: SandboxSshSettings;
   /** Optional sandboxed browser settings. */
   browser?: SandboxBrowserSettings;
   /** Auto-prune sandbox settings. */
diff --git a/src/config/types.browser.ts b/src/config/types.browser.ts
index 5f8e28a0ebe..b50795fd9d0 100644
--- a/src/config/types.browser.ts
+++ b/src/config/types.browser.ts
@@ -4,7 +4,7 @@ export type BrowserProfileConfig = {
   /** CDP URL for this profile (use for remote Chrome). */
   cdpUrl?: string;
   /** Profile driver (default: openclaw). */
-  driver?: "openclaw" | "clawd" | "extension" | "existing-session";
+  driver?: "openclaw" | "clawd" | "existing-session";
   /** If true, never launch a browser for this profile; only attach. Falls back to browser.attachOnly. */
   attachOnly?: boolean;
   /** Profile color (hex). Auto-assigned at creation. */
@@ -66,10 +66,4 @@ export type BrowserConfig = {
    * Example: ["--window-size=1920,1080", "--disable-infobars"]
    */
   extraArgs?: string[];
-  /**
-   * Bind address for the Chrome extension relay server.
-   * Default: "127.0.0.1". Set to "0.0.0.0" for WSL2 or other environments where
-   * the relay must be reachable from a different network namespace.
-   */
-  relayBindHost?: string;
 };
diff --git a/src/config/types.discord.ts b/src/config/types.discord.ts
index a27fd3f8b45..aea4e7f8cfd 100644
--- a/src/config/types.discord.ts
+++ b/src/config/types.discord.ts
@@ -1,4 +1,4 @@
-import type { DiscordPluralKitConfig } from "../../extensions/discord/src/pluralkit.js";
+import type { DiscordPluralKitConfig } from "../plugin-sdk-internal/discord.js";
 import type {
   BlockStreamingChunkConfig,
   BlockStreamingCoalesceConfig,
diff --git a/src/config/types.gateway.ts b/src/config/types.gateway.ts
index 88a5350ab1d..385ece27aad 100644
--- a/src/config/types.gateway.ts
+++ b/src/config/types.gateway.ts
@@ -211,6 +211,13 @@ export type GatewayReloadConfig = {
   mode?: GatewayReloadMode;
   /** Debounce window for config reloads (ms). Default: 300. */
   debounceMs?: number;
+  /**
+   * Maximum time (ms) to wait for in-flight operations to complete before
+   * forcing a SIGUSR1 restart. Default: 300000 (5 minutes).
+   * Lower values risk aborting active subagent LLM calls.
+   * @see https://github.com/openclaw/openclaw/issues/47711
+   */
+  deferralTimeoutMs?: number;
 };
 
 export type GatewayHttpChatCompletionsConfig = {
diff --git a/src/config/types.plugins.ts b/src/config/types.plugins.ts
index 323946dd541..62d750b0470 100644
--- a/src/config/types.plugins.ts
+++ b/src/config/types.plugins.ts
@@ -19,7 +19,12 @@ export type PluginsLoadConfig = {
   paths?: string[];
 };
 
-export type PluginInstallRecord = InstallRecordBase;
+export type PluginInstallRecord = Omit<InstallRecordBase, "source"> & {
+  source: InstallRecordBase["source"] | "marketplace";
+  marketplaceName?: string;
+  marketplaceSource?: string;
+  marketplacePlugin?: string;
+};
 
 export type PluginsConfig = {
   /** Enable or disable plugin loading. */
diff --git a/src/config/types.sandbox.ts b/src/config/types.sandbox.ts
index 047f10cde53..04128e2ffaa 100644
--- a/src/config/types.sandbox.ts
+++ b/src/config/types.sandbox.ts
@@ -1,3 +1,5 @@
+import type { SecretInput } from "./types.secrets.js";
+
 export type SandboxDockerSettings = {
   /** Docker image to use for sandbox containers. */
   image?: string;
@@ -94,3 +96,28 @@ export type SandboxPruneSettings = {
   /** Prune if older than N days (0 disables). */
   maxAgeDays?: number;
 };
+
+export type SandboxSshSettings = {
+  /** SSH target in user@host[:port] form. */
+  target?: string;
+  /** SSH client command. Default: "ssh". */
+  command?: string;
+  /** Absolute remote root used for per-scope workspaces. */
+  workspaceRoot?: string;
+  /** Enforce host-key verification. Default: true. */
+  strictHostKeyChecking?: boolean;
+  /** Allow OpenSSH host-key updates. Default: true. */
+  updateHostKeys?: boolean;
+  /** Existing private key path on the host. */
+  identityFile?: string;
+  /** Existing SSH certificate path on the host. */
+  certificateFile?: string;
+  /** Existing known_hosts file path on the host. */
+  knownHostsFile?: string;
+  /** Inline or SecretRef-backed private key contents. */
+  identityData?: SecretInput;
+  /** Inline or SecretRef-backed SSH certificate contents. */
+  certificateData?: SecretInput;
+  /** Inline or SecretRef-backed known_hosts contents. */
+  knownHostsData?: SecretInput;
+};
diff --git a/src/config/types.telegram.ts b/src/config/types.telegram.ts
index 252f66740b2..fe1c5be3962 100644
--- a/src/config/types.telegram.ts
+++ b/src/config/types.telegram.ts
@@ -26,6 +26,8 @@ export type TelegramActionConfig = {
   sticker?: boolean;
   /** Enable forum topic creation. */
   createForumTopic?: boolean;
+  /** Enable forum topic editing (rename / change icon). */
+  editForumTopic?: boolean;
 };
 
 export type TelegramNetworkConfig = {
diff --git a/src/config/types.tools.ts b/src/config/types.tools.ts
index 43d39285b57..d1195ace393 100644
--- a/src/config/types.tools.ts
+++ b/src/config/types.tools.ts
@@ -457,8 +457,8 @@ export type ToolsConfig = {
     search?: {
       /** Enable web search tool (default: true when API key is present). */
       enabled?: boolean;
-      /** Search provider ("brave", "gemini", "grok", "kimi", or "perplexity"). */
-      provider?: "brave" | "gemini" | "grok" | "kimi" | "perplexity";
+      /** Search provider ("brave", "firecrawl", "gemini", "grok", "kimi", or "perplexity"). */
+      provider?: "brave" | "firecrawl" | "gemini" | "grok" | "kimi" | "perplexity";
       /** Brave Search API key (optional; defaults to BRAVE_API_KEY env var). */
       apiKey?: SecretInput;
       /** Default search results count (1-10). */
@@ -479,6 +479,13 @@ export type ToolsConfig = {
         /** Model to use for grounded search (defaults to "gemini-2.5-flash"). */
         model?: string;
       };
+      /** Firecrawl-specific configuration (used when provider="firecrawl"). */
+      firecrawl?: {
+        /** Firecrawl API key (defaults to FIRECRAWL_API_KEY env var). */
+        apiKey?: SecretInput;
+        /** Base URL for API requests (defaults to "https://api.firecrawl.dev"). */
+        baseUrl?: string;
+      };
       /** Grok-specific configuration (used when provider="grok"). */
       grok?: {
         /** API key for xAI (defaults to XAI_API_KEY env var). */
diff --git a/src/config/validation.ts b/src/config/validation.ts
index e97bd8cbedf..2a2c08b96ee 100644
--- a/src/config/validation.ts
+++ b/src/config/validation.ts
@@ -24,7 +24,7 @@ import { findLegacyConfigIssues } from "./legacy.js";
 import type { OpenClawConfig, ConfigValidationIssue } from "./types.js";
 import { OpenClawSchema } from "./zod-schema.js";
 
-const LEGACY_REMOVED_PLUGIN_IDS = new Set(["google-antigravity-auth"]);
+const LEGACY_REMOVED_PLUGIN_IDS = new Set(["google-antigravity-auth", "google-gemini-cli-auth"]);
 
 type UnknownIssueRecord = Record<string, unknown>;
 type AllowedValuesCollection = {
diff --git a/src/config/zod-schema.agent-runtime.ts b/src/config/zod-schema.agent-runtime.ts
index d7b1dd393e7..10cef396275 100644
--- a/src/config/zod-schema.agent-runtime.ts
+++ b/src/config/zod-schema.agent-runtime.ts
@@ -266,6 +266,7 @@ export const ToolsWebSearchSchema = z
     provider: z
       .union([
         z.literal("brave"),
+        z.literal("firecrawl"),
         z.literal("perplexity"),
         z.literal("grok"),
         z.literal("gemini"),
@@ -301,6 +302,13 @@ export const ToolsWebSearchSchema = z
       })
       .strict()
       .optional(),
+    firecrawl: z
+      .object({
+        apiKey: SecretInputSchema.optional().register(sensitive),
+        baseUrl: z.string().optional(),
+      })
+      .strict()
+      .optional(),
     kimi: z
       .object({
         apiKey: SecretInputSchema.optional().register(sensitive),
@@ -493,15 +501,34 @@ const ToolLoopDetectionSchema = z
   })
   .optional();
 
+export const SandboxSshSchema = z
+  .object({
+    target: z.string().min(1).optional(),
+    command: z.string().min(1).optional(),
+    workspaceRoot: z.string().min(1).optional(),
+    strictHostKeyChecking: z.boolean().optional(),
+    updateHostKeys: z.boolean().optional(),
+    identityFile: z.string().min(1).optional(),
+    certificateFile: z.string().min(1).optional(),
+    knownHostsFile: z.string().min(1).optional(),
+    identityData: SecretInputSchema.optional().register(sensitive),
+    certificateData: SecretInputSchema.optional().register(sensitive),
+    knownHostsData: SecretInputSchema.optional().register(sensitive),
+  })
+  .strict()
+  .optional();
+
 export const AgentSandboxSchema = z
   .object({
     mode: z.union([z.literal("off"), z.literal("non-main"), z.literal("all")]).optional(),
+    backend: z.string().min(1).optional(),
     workspaceAccess: z.union([z.literal("none"), z.literal("ro"), z.literal("rw")]).optional(),
     sessionToolsVisibility: z.union([z.literal("spawned"), z.literal("all")]).optional(),
     scope: z.union([z.literal("session"), z.literal("agent"), z.literal("shared")]).optional(),
     perSession: z.boolean().optional(),
     workspaceRoot: z.string().optional(),
     docker: SandboxDockerSchema,
+    ssh: SandboxSshSchema,
     browser: SandboxBrowserSchema,
     prune: SandboxPruneSchema,
   })
diff --git a/src/config/zod-schema.installs.ts b/src/config/zod-schema.installs.ts
index 7853948a10c..7270e5c5d28 100644
--- a/src/config/zod-schema.installs.ts
+++ b/src/config/zod-schema.installs.ts
@@ -6,6 +6,8 @@ export const InstallSourceSchema = z.union([
   z.literal("path"),
 ]);
 
+export const PluginInstallSourceSchema = z.union([InstallSourceSchema, z.literal("marketplace")]);
+
 export const InstallRecordShape = {
   source: InstallSourceSchema,
   spec: z.string().optional(),
@@ -20,3 +22,11 @@ export const InstallRecordShape = {
   resolvedAt: z.string().optional(),
   installedAt: z.string().optional(),
 } as const;
+
+export const PluginInstallRecordShape = {
+  ...InstallRecordShape,
+  source: PluginInstallSourceSchema,
+  marketplaceName: z.string().optional(),
+  marketplaceSource: z.string().optional(),
+  marketplacePlugin: z.string().optional(),
+} as const;
diff --git a/src/config/zod-schema.providers-core.ts b/src/config/zod-schema.providers-core.ts
index 5f7dd7b8e48..da81ef61a4f 100644
--- a/src/config/zod-schema.providers-core.ts
+++ b/src/config/zod-schema.providers-core.ts
@@ -258,6 +258,7 @@ export const TelegramAccountSchemaBase = z
         editMessage: z.boolean().optional(),
         sticker: z.boolean().optional(),
         createForumTopic: z.boolean().optional(),
+        editForumTopic: z.boolean().optional(),
       })
       .strict()
       .optional(),
diff --git a/src/config/zod-schema.ts b/src/config/zod-schema.ts
index 20b8b232157..d1bce17b575 100644
--- a/src/config/zod-schema.ts
+++ b/src/config/zod-schema.ts
@@ -11,7 +11,7 @@ import {
   SecretsConfigSchema,
 } from "./zod-schema.core.js";
 import { HookMappingSchema, HooksGmailSchema, InternalHooksSchema } from "./zod-schema.hooks.js";
-import { InstallRecordShape } from "./zod-schema.installs.js";
+import { PluginInstallRecordShape } from "./zod-schema.installs.js";
 import { ChannelsSchema } from "./zod-schema.providers.js";
 import { sensitive } from "./zod-schema.sensitive.js";
 import {
@@ -360,12 +360,7 @@ export const OpenClawSchema = z
                 cdpPort: z.number().int().min(1).max(65535).optional(),
                 cdpUrl: z.string().optional(),
                 driver: z
-                  .union([
-                    z.literal("openclaw"),
-                    z.literal("clawd"),
-                    z.literal("extension"),
-                    z.literal("existing-session"),
-                  ])
+                  .union([z.literal("openclaw"), z.literal("clawd"), z.literal("existing-session")])
                   .optional(),
                 attachOnly: z.boolean().optional(),
                 color: HexColorSchema,
@@ -380,7 +375,6 @@ export const OpenClawSchema = z
           )
           .optional(),
         extraArgs: z.array(z.string()).optional(),
-        relayBindHost: z.union([z.string().ipv4(), z.string().ipv6()]).optional(),
       })
       .strict()
       .optional(),
@@ -728,6 +722,7 @@ export const OpenClawSchema = z
               ])
               .optional(),
             debounceMs: z.number().int().min(0).optional(),
+            deferralTimeoutMs: z.number().int().min(0).optional(),
           })
           .strict()
           .optional(),
@@ -910,7 +905,7 @@ export const OpenClawSchema = z
             z.string(),
             z
               .object({
-                ...InstallRecordShape,
+                ...PluginInstallRecordShape,
               })
               .strict(),
           )
diff --git a/src/cron/isolated-agent.delivery-target-thread-session.test.ts b/src/cron/isolated-agent.delivery-target-thread-session.test.ts
index a034d7ab924..51f9c645a03 100644
--- a/src/cron/isolated-agent.delivery-target-thread-session.test.ts
+++ b/src/cron/isolated-agent.delivery-target-thread-session.test.ts
@@ -1,4 +1,5 @@
 import { describe, expect, it, vi } from "vitest";
+import { parseTelegramTarget } from "../../extensions/telegram/src/targets.js";
 import type { OpenClawConfig } from "../config/config.js";
 
 // Mock session store so we can control what entries exist.
@@ -19,6 +20,16 @@ vi.mock("../channels/plugins/index.js", () => ({
   getChannelPlugin: vi.fn(() => ({
     meta: { label: "Telegram" },
     config: {},
+    messaging: {
+      parseExplicitTarget: ({ raw }: { raw: string }) => {
+        const target = parseTelegramTarget(raw);
+        return {
+          to: target.chatId,
+          threadId: target.messageThreadId,
+          chatType: target.chatType === "unknown" ? undefined : target.chatType,
+        };
+      },
+    },
     outbound: {
       resolveTarget: ({ to }: { to?: string }) =>
         to ? { ok: true, to } : { ok: false, error: new Error("missing") },
diff --git a/src/cron/isolated-agent.direct-delivery-core-channels.test.ts b/src/cron/isolated-agent.direct-delivery-core-channels.test.ts
index 1950e361068..c477ded7f7d 100644
--- a/src/cron/isolated-agent.direct-delivery-core-channels.test.ts
+++ b/src/cron/isolated-agent.direct-delivery-core-channels.test.ts
@@ -1,12 +1,14 @@
 import "./isolated-agent.mocks.js";
 import { beforeEach, describe, expect, it } from "vitest";
+import {
+  discordOutbound,
+  imessageOutbound,
+  signalOutbound,
+  slackOutbound,
+  telegramOutbound,
+  whatsappOutbound,
+} from "../../test/channel-outbounds.js";
 import { runSubagentAnnounceFlow } from "../agents/subagent-announce.js";
-import { discordOutbound } from "../channels/plugins/outbound/discord.js";
-import { imessageOutbound } from "../channels/plugins/outbound/imessage.js";
-import { signalOutbound } from "../channels/plugins/outbound/signal.js";
-import { slackOutbound } from "../channels/plugins/outbound/slack.js";
-import { telegramOutbound } from "../channels/plugins/outbound/telegram.js";
-import { whatsappOutbound } from "../channels/plugins/outbound/whatsapp.js";
 import type { CliDeps } from "../cli/deps.js";
 import { setActivePluginRegistry } from "../plugins/runtime.js";
 import { createOutboundTestPlugin, createTestRegistry } from "../test-utils/channel-plugins.js";
diff --git a/src/cron/isolated-agent.test-setup.ts b/src/cron/isolated-agent.test-setup.ts
index e6357531ad3..c70ea583f68 100644
--- a/src/cron/isolated-agent.test-setup.ts
+++ b/src/cron/isolated-agent.test-setup.ts
@@ -1,9 +1,9 @@
 import { vi } from "vitest";
+import { parseTelegramTarget } from "../../extensions/telegram/src/targets.js";
+import { signalOutbound, telegramOutbound } from "../../test/channel-outbounds.js";
 import { loadModelCatalog } from "../agents/model-catalog.js";
 import { runEmbeddedPiAgent } from "../agents/pi-embedded.js";
 import { runSubagentAnnounceFlow } from "../agents/subagent-announce.js";
-import { signalOutbound } from "../channels/plugins/outbound/signal.js";
-import { telegramOutbound } from "../channels/plugins/outbound/telegram.js";
 import { callGateway } from "../gateway/call.js";
 import { setActivePluginRegistry } from "../plugins/runtime.js";
 import { createOutboundTestPlugin, createTestRegistry } from "../test-utils/channel-plugins.js";
@@ -20,7 +20,20 @@ export function setupIsolatedAgentTurnMocks(params?: { fast?: boolean }): void {
     createTestRegistry([
       {
         pluginId: "telegram",
-        plugin: createOutboundTestPlugin({ id: "telegram", outbound: telegramOutbound }),
+        plugin: createOutboundTestPlugin({
+          id: "telegram",
+          outbound: telegramOutbound,
+          messaging: {
+            parseExplicitTarget: ({ raw }) => {
+              const target = parseTelegramTarget(raw);
+              return {
+                to: target.chatId,
+                threadId: target.messageThreadId,
+                chatType: target.chatType === "unknown" ? undefined : target.chatType,
+              };
+            },
+          },
+        }),
         source: "test",
       },
       {
diff --git a/src/cron/isolated-agent/delivery-target.ts b/src/cron/isolated-agent/delivery-target.ts
index 4a70352e233..585e273e613 100644
--- a/src/cron/isolated-agent/delivery-target.ts
+++ b/src/cron/isolated-agent/delivery-target.ts
@@ -1,4 +1,3 @@
-import { resolveWhatsAppAccount } from "../../../extensions/whatsapp/src/accounts.js";
 import type { ChannelId } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import {
@@ -14,6 +13,7 @@ import {
   resolveSessionDeliveryTarget,
 } from "../../infra/outbound/targets.js";
 import { readChannelAllowFromStoreSync } from "../../pairing/pairing-store.js";
+import { resolveWhatsAppAccount } from "../../plugin-sdk-internal/whatsapp.js";
 import { buildChannelAccountBindings } from "../../routing/bindings.js";
 import { normalizeAccountId, normalizeAgentId } from "../../routing/session-key.js";
 import { normalizeWhatsAppTarget } from "../../whatsapp/normalize.js";
diff --git a/src/cron/isolated-agent/helpers.ts b/src/cron/isolated-agent/helpers.ts
index 3792a3a7abd..448ef1c59ae 100644
--- a/src/cron/isolated-agent/helpers.ts
+++ b/src/cron/isolated-agent/helpers.ts
@@ -1,14 +1,12 @@
 import { DEFAULT_HEARTBEAT_ACK_MAX_CHARS } from "../../auto-reply/heartbeat.js";
+import type { ReplyPayload } from "../../auto-reply/types.js";
 import { truncateUtf16Safe } from "../../utils.js";
 import { shouldSkipHeartbeatOnlyDelivery } from "../heartbeat-policy.js";
 
-type DeliveryPayload = {
-  text?: string;
-  mediaUrl?: string;
-  mediaUrls?: string[];
-  channelData?: Record<string, unknown>;
-  isError?: boolean;
-};
+type DeliveryPayload = Pick<
+  ReplyPayload,
+  "text" | "mediaUrl" | "mediaUrls" | "interactive" | "channelData" | "isError"
+>;
 
 export function pickSummaryFromOutput(text: string | undefined) {
   const clean = (text ?? "").trim();
@@ -65,8 +63,9 @@ export function pickLastDeliverablePayload(payloads: DeliveryPayload[]) {
   const isDeliverable = (p: DeliveryPayload) => {
     const text = (p?.text ?? "").trim();
     const hasMedia = Boolean(p?.mediaUrl) || (p?.mediaUrls?.length ?? 0) > 0;
+    const hasInteractive = (p?.interactive?.blocks?.length ?? 0) > 0;
     const hasChannelData = Object.keys(p?.channelData ?? {}).length > 0;
-    return text || hasMedia || hasChannelData;
+    return text || hasMedia || hasInteractive || hasChannelData;
   };
   for (let i = payloads.length - 1; i >= 0; i--) {
     if (payloads[i]?.isError) {
diff --git a/src/daemon/launchd.ts b/src/daemon/launchd.ts
index 6c190ccd213..13d6fd46d33 100644
--- a/src/daemon/launchd.ts
+++ b/src/daemon/launchd.ts
@@ -513,7 +513,7 @@ export async function installLaunchAgent({
   });
   // `bootstrap` already loads RunAtLoad agents. Avoid `kickstart -k` here:
   // on slow macOS guests it SIGTERMs the freshly booted gateway and pushes the
-  // real listener startup past onboarding's health deadline.
+  // real listener startup past setup's health deadline.
 
   // Ensure we don't end up writing to a clack spinner line (wizards show progress without a newline).
   writeFormattedLines(
diff --git a/src/daemon/program-args.test.ts b/src/daemon/program-args.test.ts
index 68dc4edb71c..920f4533297 100644
--- a/src/daemon/program-args.test.ts
+++ b/src/daemon/program-args.test.ts
@@ -1,6 +1,10 @@
 import path from "node:path";
 import { afterEach, describe, expect, it, vi } from "vitest";
 
+const childProcessMocks = vi.hoisted(() => ({
+  execFileSync: vi.fn(),
+}));
+
 const fsMocks = vi.hoisted(() => ({
   access: vi.fn(),
   realpath: vi.fn(),
@@ -12,6 +16,10 @@ vi.mock("node:fs/promises", () => ({
   realpath: fsMocks.realpath,
 }));
 
+vi.mock("node:child_process", () => ({
+  execFileSync: childProcessMocks.execFileSync,
+}));
+
 import { resolveGatewayProgramArguments } from "./program-args.js";
 
 const originalArgv = [...process.argv];
@@ -87,4 +95,28 @@ describe("resolveGatewayProgramArguments", () => {
       "18789",
     ]);
   });
+
+  it("uses src/entry.ts for bun dev mode", async () => {
+    const repoIndexPath = path.resolve("/repo/src/index.ts");
+    const repoEntryPath = path.resolve("/repo/src/entry.ts");
+    process.argv = ["/usr/local/bin/node", repoIndexPath];
+    fsMocks.realpath.mockResolvedValue(repoIndexPath);
+    fsMocks.access.mockResolvedValue(undefined);
+    childProcessMocks.execFileSync.mockReturnValue("/usr/local/bin/bun\n");
+
+    const result = await resolveGatewayProgramArguments({
+      dev: true,
+      port: 18789,
+      runtime: "bun",
+    });
+
+    expect(result.programArguments).toEqual([
+      "/usr/local/bin/bun",
+      repoEntryPath,
+      "gateway",
+      "--port",
+      "18789",
+    ]);
+    expect(result.workingDirectory).toBe(path.resolve("/repo"));
+  });
 });
diff --git a/src/daemon/program-args.ts b/src/daemon/program-args.ts
index 76bad8fc1ce..9e60f26f761 100644
--- a/src/daemon/program-args.ts
+++ b/src/daemon/program-args.ts
@@ -123,7 +123,7 @@ function resolveRepoRootForDev(): string {
   const parts = normalized.split(path.sep);
   const srcIndex = parts.lastIndexOf("src");
   if (srcIndex === -1) {
-    throw new Error("Dev mode requires running from repo (src/index.ts)");
+    throw new Error("Dev mode requires running from repo (src/entry.ts)");
   }
   return parts.slice(0, srcIndex).join(path.sep);
 }
@@ -180,7 +180,7 @@ async function resolveCliProgramArguments(params: {
   if (runtime === "bun") {
     if (params.dev) {
       const repoRoot = resolveRepoRootForDev();
-      const devCliPath = path.join(repoRoot, "src", "index.ts");
+      const devCliPath = path.join(repoRoot, "src", "entry.ts");
       await fs.access(devCliPath);
       const bunPath = isBunRuntime(execPath) ? execPath : await resolveBunPath();
       return {
@@ -213,7 +213,7 @@ async function resolveCliProgramArguments(params: {
 
   // Dev mode: use bun to run TypeScript directly
   const repoRoot = resolveRepoRootForDev();
-  const devCliPath = path.join(repoRoot, "src", "index.ts");
+  const devCliPath = path.join(repoRoot, "src", "entry.ts");
   await fs.access(devCliPath);
 
   // If already running under bun, use current execPath
diff --git a/src/daemon/schtasks.test.ts b/src/daemon/schtasks.test.ts
index 633df0fee7e..469ca584a7d 100644
--- a/src/daemon/schtasks.test.ts
+++ b/src/daemon/schtasks.test.ts
@@ -23,6 +23,20 @@ describe("schtasks runtime parsing", () => {
       lastRunResult: "0x0",
     });
   });
+
+  it("parses 'Last Result' key variant (without 'Run') (#47726)", () => {
+    const output = [
+      "TaskName: \\OpenClaw Gateway",
+      "Status: Running",
+      "Last Run Time: 2026/3/16 8:34:15",
+      "Last Result: 267009",
+    ].join("\r\n");
+    expect(parseSchtasksQuery(output)).toEqual({
+      status: "Running",
+      lastRunTime: "2026/3/16 8:34:15",
+      lastRunResult: "267009",
+    });
+  });
 });
 
 describe("scheduled task runtime derivation", () => {
diff --git a/src/daemon/schtasks.ts b/src/daemon/schtasks.ts
index 2216e93bfd9..816ade13390 100644
--- a/src/daemon/schtasks.ts
+++ b/src/daemon/schtasks.ts
@@ -178,7 +178,9 @@ export function parseSchtasksQuery(output: string): ScheduledTaskInfo {
   if (lastRunTime) {
     info.lastRunTime = lastRunTime;
   }
-  const lastRunResult = entries["last run result"];
+  // Some Windows locales/versions emit "Last Result" instead of "Last Run Result".
+  // Accept both so gateway status is not falsely reported as "unknown" (#47726).
+  const lastRunResult = entries["last run result"] ?? entries["last result"];
   if (lastRunResult) {
     info.lastRunResult = lastRunResult;
   }
diff --git a/src/docker-setup.e2e.test.ts b/src/docker-setup.e2e.test.ts
index 160c74b8a21..3b46aac5c0c 100644
--- a/src/docker-setup.e2e.test.ts
+++ b/src/docker-setup.e2e.test.ts
@@ -253,7 +253,7 @@ describe("docker-setup.sh", () => {
     const sessionsDirStat = await stat(join(configDir, "agents", "main", "sessions"));
     expect(sessionsDirStat.isDirectory()).toBe(true);
 
-    // Verify that a root-user chown step runs before onboarding.
+    // Verify that a root-user chown step runs before setup.
     const log = await readFile(activeSandbox.logPath, "utf8");
     const chownIdx = log.indexOf("--user root");
     const onboardIdx = log.indexOf("onboard");
diff --git a/src/entry.ts b/src/entry.ts
index 9b693c756e3..3496e48f0e9 100644
--- a/src/entry.ts
+++ b/src/entry.ts
@@ -41,6 +41,9 @@ if (
 ) {
   // Imported as a dependency — skip all entry-point side effects.
 } else {
+  const { installGaxiosFetchCompat } = await import("./infra/gaxios-fetch-compat.js");
+
+  installGaxiosFetchCompat();
   process.title = "openclaw";
   ensureOpenClawExecMarkerOnProcess();
   installProcessWarningFilter();
diff --git a/src/gateway/agent-list.ts b/src/gateway/agent-list.ts
new file mode 100644
index 00000000000..d14cdf0c534
--- /dev/null
+++ b/src/gateway/agent-list.ts
@@ -0,0 +1,88 @@
+import fs from "node:fs";
+import path from "node:path";
+import { resolveDefaultAgentId } from "../agents/agent-scope.js";
+import type { OpenClawConfig } from "../config/config.js";
+import { resolveStateDir } from "../config/paths.js";
+import type { SessionScope } from "../config/sessions.js";
+import { normalizeAgentId, normalizeMainKey } from "../routing/session-key.js";
+
+export type GatewayAgentListRow = {
+  id: string;
+  name?: string;
+};
+
+function listExistingAgentIdsFromDisk(): string[] {
+  const root = resolveStateDir();
+  const agentsDir = path.join(root, "agents");
+  try {
+    const entries = fs.readdirSync(agentsDir, { withFileTypes: true });
+    return entries
+      .filter((entry) => entry.isDirectory())
+      .map((entry) => normalizeAgentId(entry.name))
+      .filter(Boolean);
+  } catch {
+    return [];
+  }
+}
+
+function listConfiguredAgentIds(cfg: OpenClawConfig): string[] {
+  const ids = new Set<string>();
+  const defaultId = normalizeAgentId(resolveDefaultAgentId(cfg));
+  ids.add(defaultId);
+
+  for (const entry of cfg.agents?.list ?? []) {
+    if (entry?.id) {
+      ids.add(normalizeAgentId(entry.id));
+    }
+  }
+
+  for (const id of listExistingAgentIdsFromDisk()) {
+    ids.add(id);
+  }
+
+  const sorted = Array.from(ids).filter(Boolean);
+  sorted.sort((a, b) => a.localeCompare(b));
+  return sorted.includes(defaultId)
+    ? [defaultId, ...sorted.filter((id) => id !== defaultId)]
+    : sorted;
+}
+
+export function listGatewayAgentsBasic(cfg: OpenClawConfig): {
+  defaultId: string;
+  mainKey: string;
+  scope: SessionScope;
+  agents: GatewayAgentListRow[];
+} {
+  const defaultId = normalizeAgentId(resolveDefaultAgentId(cfg));
+  const mainKey = normalizeMainKey(cfg.session?.mainKey);
+  const scope = cfg.session?.scope ?? "per-sender";
+  const configuredById = new Map<string, { name?: string }>();
+  for (const entry of cfg.agents?.list ?? []) {
+    if (!entry?.id) {
+      continue;
+    }
+    configuredById.set(normalizeAgentId(entry.id), {
+      name: typeof entry.name === "string" && entry.name.trim() ? entry.name.trim() : undefined,
+    });
+  }
+  const explicitIds = new Set(
+    (cfg.agents?.list ?? [])
+      .map((entry) => (entry?.id ? normalizeAgentId(entry.id) : ""))
+      .filter(Boolean),
+  );
+  const allowedIds = explicitIds.size > 0 ? new Set([...explicitIds, defaultId]) : null;
+  let agentIds = listConfiguredAgentIds(cfg).filter((id) =>
+    allowedIds ? allowedIds.has(id) : true,
+  );
+  if (mainKey && !agentIds.includes(mainKey) && (!allowedIds || allowedIds.has(mainKey))) {
+    agentIds = [...agentIds, mainKey];
+  }
+  const agents = agentIds.map((id) => {
+    const meta = configuredById.get(id);
+    return {
+      id,
+      name: meta?.name,
+    };
+  });
+  return { defaultId, mainKey, scope, agents };
+}
diff --git a/src/gateway/call.test.ts b/src/gateway/call.test.ts
index 7fd9b7c84cb..5ffd3ce3c51 100644
--- a/src/gateway/call.test.ts
+++ b/src/gateway/call.test.ts
@@ -209,7 +209,7 @@ describe("callGateway url resolution", () => {
     expect(lastClientOptions?.token).toBe("explicit-token");
   });
 
-  it("does not attach device identity for local loopback shared-token auth", async () => {
+  it("keeps device identity enabled for local loopback shared-token auth", async () => {
     setLocalLoopbackGatewayConfig();
 
     await callGateway({
@@ -219,7 +219,7 @@ describe("callGateway url resolution", () => {
 
     expect(lastClientOptions?.url).toBe("ws://127.0.0.1:18789");
     expect(lastClientOptions?.token).toBe("explicit-token");
-    expect(lastClientOptions?.deviceIdentity).toBeUndefined();
+    expect(lastClientOptions?.deviceIdentity).toBeDefined();
   });
 
   it("uses OPENCLAW_GATEWAY_URL env override in remote mode when remote URL is missing", async () => {
diff --git a/src/gateway/call.ts b/src/gateway/call.ts
index f163a45ef06..98793dd4071 100644
--- a/src/gateway/call.ts
+++ b/src/gateway/call.ts
@@ -86,15 +86,12 @@ function shouldAttachDeviceIdentityForGatewayCall(params: {
   token?: string;
   password?: string;
 }): boolean {
-  if (!(params.token || params.password)) {
-    return true;
-  }
-  try {
-    const parsed = new URL(params.url);
-    return !["127.0.0.1", "::1", "localhost"].includes(parsed.hostname);
-  } catch {
-    return true;
-  }
+  void params;
+  // Shared-auth local calls used to skip device identity as an optimization, but
+  // device-less operator connects now have their self-declared scopes stripped.
+  // Keep identity enabled so local authenticated calls stay device-bound and
+  // retain their least-privilege scopes.
+  return true;
 }
 
 export type ExplicitGatewayAuth = {
@@ -330,11 +327,8 @@ async function resolveGatewaySecretInputString(params: {
     value: params.value,
     env: params.env,
     normalize: trimToUndefined,
-    onResolveRefError: (error) => {
-      const detail = error instanceof Error ? error.message : String(error);
-      throw new Error(`${params.path} secret reference could not be resolved: ${detail}`, {
-        cause: error,
-      });
+    onResolveRefError: () => {
+      throw new GatewaySecretRefUnavailableError(params.path);
     },
   });
   if (!value) {
diff --git a/src/gateway/hooks-policy.ts b/src/gateway/hooks-policy.ts
new file mode 100644
index 00000000000..27ce19b40cf
--- /dev/null
+++ b/src/gateway/hooks-policy.ts
@@ -0,0 +1,24 @@
+import { normalizeAgentId } from "../routing/session-key.js";
+
+export function resolveAllowedAgentIds(raw: string[] | undefined): Set<string> | undefined {
+  if (!Array.isArray(raw)) {
+    return undefined;
+  }
+  const allowed = new Set<string>();
+  let hasWildcard = false;
+  for (const entry of raw) {
+    const trimmed = entry.trim();
+    if (!trimmed) {
+      continue;
+    }
+    if (trimmed === "*") {
+      hasWildcard = true;
+      break;
+    }
+    allowed.add(normalizeAgentId(trimmed));
+  }
+  if (hasWildcard) {
+    return undefined;
+  }
+  return allowed;
+}
diff --git a/src/gateway/hooks.ts b/src/gateway/hooks.ts
index f371e3565a9..c11595f8f18 100644
--- a/src/gateway/hooks.ts
+++ b/src/gateway/hooks.ts
@@ -8,6 +8,7 @@ import { readJsonBodyWithLimit, requestBodyErrorToText } from "../infra/http-bod
 import { normalizeAgentId, parseAgentSessionKey } from "../routing/session-key.js";
 import { normalizeMessageChannel } from "../utils/message-channel.js";
 import { type HookMappingResolved, resolveHookMappings } from "./hooks-mapping.js";
+import { resolveAllowedAgentIds } from "./hooks-policy.js";
 
 const DEFAULT_HOOKS_PATH = "/hooks";
 const DEFAULT_HOOKS_MAX_BODY_BYTES = 256 * 1024;
@@ -100,29 +101,6 @@ function resolveKnownAgentIds(cfg: OpenClawConfig, defaultAgentId: string): Set<
   return known;
 }
 
-export function resolveAllowedAgentIds(raw: string[] | undefined): Set<string> | undefined {
-  if (!Array.isArray(raw)) {
-    return undefined;
-  }
-  const allowed = new Set<string>();
-  let hasWildcard = false;
-  for (const entry of raw) {
-    const trimmed = entry.trim();
-    if (!trimmed) {
-      continue;
-    }
-    if (trimmed === "*") {
-      hasWildcard = true;
-      break;
-    }
-    allowed.add(normalizeAgentId(trimmed));
-  }
-  if (hasWildcard) {
-    return undefined;
-  }
-  return allowed;
-}
-
 function resolveSessionKey(raw: string | undefined): string | undefined {
   const value = raw?.trim();
   return value ? value : undefined;
diff --git a/src/gateway/probe-auth.ts b/src/gateway/probe-auth.ts
index 64980be601e..2c624acaa00 100644
--- a/src/gateway/probe-auth.ts
+++ b/src/gateway/probe-auth.ts
@@ -54,10 +54,22 @@ export function resolveGatewayProbeAuthSafe(params: {
   cfg: OpenClawConfig;
   mode: "local" | "remote";
   env?: NodeJS.ProcessEnv;
+  explicitAuth?: ExplicitGatewayAuth;
 }): {
   auth: { token?: string; password?: string };
   warning?: string;
 } {
+  const explicitToken = params.explicitAuth?.token?.trim();
+  const explicitPassword = params.explicitAuth?.password?.trim();
+  if (explicitToken || explicitPassword) {
+    return {
+      auth: {
+        ...(explicitToken ? { token: explicitToken } : {}),
+        ...(explicitPassword ? { password: explicitPassword } : {}),
+      },
+    };
+  }
+
   try {
     return { auth: resolveGatewayProbeAuth(params) };
   } catch (error) {
diff --git a/src/gateway/probe.auth.integration.test.ts b/src/gateway/probe.auth.integration.test.ts
new file mode 100644
index 00000000000..eed4d1be8ac
--- /dev/null
+++ b/src/gateway/probe.auth.integration.test.ts
@@ -0,0 +1,50 @@
+import { describe, expect, it } from "vitest";
+import { installGatewayTestHooks, testState, withGatewayServer } from "./test-helpers.js";
+
+installGatewayTestHooks();
+
+const { callGateway } = await import("./call.js");
+const { probeGateway } = await import("./probe.js");
+
+describe("probeGateway auth integration", () => {
+  it("keeps direct local authenticated status RPCs device-bound", async () => {
+    const token =
+      typeof (testState.gatewayAuth as { token?: unknown } | undefined)?.token === "string"
+        ? ((testState.gatewayAuth as { token?: string }).token ?? "")
+        : "";
+    expect(token).toBeTruthy();
+
+    await withGatewayServer(async ({ port }) => {
+      const status = await callGateway({
+        url: `ws://127.0.0.1:${port}`,
+        token,
+        method: "status",
+        timeoutMs: 5_000,
+      });
+
+      expect(status).toBeTruthy();
+    });
+  });
+
+  it("keeps detail RPCs available for local authenticated probes", async () => {
+    const token =
+      typeof (testState.gatewayAuth as { token?: unknown } | undefined)?.token === "string"
+        ? ((testState.gatewayAuth as { token?: string }).token ?? "")
+        : "";
+    expect(token).toBeTruthy();
+
+    await withGatewayServer(async ({ port }) => {
+      const result = await probeGateway({
+        url: `ws://127.0.0.1:${port}`,
+        auth: { token },
+        timeoutMs: 5_000,
+      });
+
+      expect(result.ok).toBe(true);
+      expect(result.error).toBeNull();
+      expect(result.health).not.toBeNull();
+      expect(result.status).not.toBeNull();
+      expect(result.configSnapshot).not.toBeNull();
+    });
+  });
+});
diff --git a/src/gateway/probe.test.ts b/src/gateway/probe.test.ts
index 6cd7d64fc51..4a2374e17cb 100644
--- a/src/gateway/probe.test.ts
+++ b/src/gateway/probe.test.ts
@@ -51,7 +51,7 @@ describe("probeGateway", () => {
     });
 
     expect(gatewayClientState.options?.scopes).toEqual(["operator.read"]);
-    expect(gatewayClientState.options?.deviceIdentity).toBeNull();
+    expect(gatewayClientState.options?.deviceIdentity).toBeUndefined();
     expect(gatewayClientState.requests).toEqual([
       "health",
       "status",
@@ -71,6 +71,15 @@ describe("probeGateway", () => {
     expect(gatewayClientState.options?.deviceIdentity).toBeUndefined();
   });
 
+  it("keeps device identity disabled for unauthenticated loopback probes", async () => {
+    await probeGateway({
+      url: "ws://127.0.0.1:18789",
+      timeoutMs: 1_000,
+    });
+
+    expect(gatewayClientState.options?.deviceIdentity).toBeNull();
+  });
+
   it("skips detail RPCs for lightweight reachability probes", async () => {
     const result = await probeGateway({
       url: "ws://127.0.0.1:18789",
@@ -81,4 +90,18 @@ describe("probeGateway", () => {
     expect(result.ok).toBe(true);
     expect(gatewayClientState.requests).toEqual([]);
   });
+
+  it("fetches only presence for presence-only probes", async () => {
+    const result = await probeGateway({
+      url: "ws://127.0.0.1:18789",
+      timeoutMs: 1_000,
+      detailLevel: "presence",
+    });
+
+    expect(result.ok).toBe(true);
+    expect(gatewayClientState.requests).toEqual(["system-presence"]);
+    expect(result.health).toBeNull();
+    expect(result.status).toBeNull();
+    expect(result.configSnapshot).toBeNull();
+  });
 });
diff --git a/src/gateway/probe.ts b/src/gateway/probe.ts
index 40740987fb0..bbd36639b78 100644
--- a/src/gateway/probe.ts
+++ b/src/gateway/probe.ts
@@ -34,6 +34,7 @@ export async function probeGateway(opts: {
   auth?: GatewayProbeAuth;
   timeoutMs: number;
   includeDetails?: boolean;
+  detailLevel?: "none" | "presence" | "full";
 }): Promise<GatewayProbeResult> {
   const startedAt = Date.now();
   const instanceId = randomUUID();
@@ -43,12 +44,17 @@ export async function probeGateway(opts: {
 
   const disableDeviceIdentity = (() => {
     try {
-      return isLoopbackHost(new URL(opts.url).hostname);
+      const hostname = new URL(opts.url).hostname;
+      // Local authenticated probes should stay device-bound so read/detail RPCs
+      // are not scope-limited by the shared-auth scope stripping hardening.
+      return isLoopbackHost(hostname) && !(opts.auth?.token || opts.auth?.password);
     } catch {
       return false;
     }
   })();
 
+  const detailLevel = opts.includeDetails === false ? "none" : (opts.detailLevel ?? "full");
+
   return await new Promise<GatewayProbeResult>((resolve) => {
     let settled = false;
     const settle = (result: Omit<GatewayProbeResult, "url">) => {
@@ -79,7 +85,7 @@ export async function probeGateway(opts: {
       },
       onHelloOk: async () => {
         connectLatencyMs = Date.now() - startedAt;
-        if (opts.includeDetails === false) {
+        if (detailLevel === "none") {
           settle({
             ok: true,
             connectLatencyMs,
@@ -93,6 +99,20 @@ export async function probeGateway(opts: {
           return;
         }
         try {
+          if (detailLevel === "presence") {
+            const presence = await client.request("system-presence");
+            settle({
+              ok: true,
+              connectLatencyMs,
+              error: null,
+              close,
+              health: null,
+              status: null,
+              presence: Array.isArray(presence) ? (presence as SystemPresence[]) : null,
+              configSnapshot: null,
+            });
+            return;
+          }
           const [health, status, presence, configSnapshot] = await Promise.all([
             client.request("health"),
             client.request("status"),
diff --git a/src/gateway/server-channels.test.ts b/src/gateway/server-channels.test.ts
index d3820c294b9..2e886962d33 100644
--- a/src/gateway/server-channels.test.ts
+++ b/src/gateway/server-channels.test.ts
@@ -91,6 +91,7 @@ function installTestRegistry(plugin: ChannelPlugin<TestAccount>) {
 
 function createManager(options?: {
   channelRuntime?: PluginRuntime["channel"];
+  resolveChannelRuntime?: () => PluginRuntime["channel"];
   loadConfig?: () => Record<string, unknown>;
 }) {
   const log = createSubsystemLogger("gateway/server-channels-test");
@@ -102,6 +103,9 @@ function createManager(options?: {
     channelLogs,
     channelRuntimeEnvs,
     ...(options?.channelRuntime ? { channelRuntime: options.channelRuntime } : {}),
+    ...(options?.resolveChannelRuntime
+      ? { resolveChannelRuntime: options.resolveChannelRuntime }
+      : {}),
   });
 }
 
@@ -136,7 +140,7 @@ describe("server-channels auto restart", () => {
     const snapshot = manager.getRuntimeSnapshot();
     const account = snapshot.channelAccounts.discord?.[DEFAULT_ACCOUNT_ID];
     expect(account?.running).toBe(false);
-    expect(account?.reconnectAttempts).toBe(10);
+    expect(account?.reconnectAttempts).toBe(11);
 
     await vi.advanceTimersByTimeAsync(200);
     expect(startAccount).toHaveBeenCalledTimes(11);
@@ -185,6 +189,29 @@ describe("server-channels auto restart", () => {
     expect(startAccount).toHaveBeenCalledTimes(1);
   });
 
+  it("does not resolve channelRuntime until a channel starts", async () => {
+    const channelRuntime = {
+      marker: "lazy-channel-runtime",
+    } as unknown as PluginRuntime["channel"];
+    const resolveChannelRuntime = vi.fn(() => channelRuntime);
+    const startAccount = vi.fn(async (ctx) => {
+      expect(ctx.channelRuntime).toBe(channelRuntime);
+    });
+
+    installTestRegistry(createTestPlugin({ startAccount }));
+    const manager = createManager({ resolveChannelRuntime });
+
+    expect(resolveChannelRuntime).not.toHaveBeenCalled();
+
+    void manager.getRuntimeSnapshot();
+    expect(resolveChannelRuntime).not.toHaveBeenCalled();
+
+    await manager.startChannels();
+
+    expect(resolveChannelRuntime).toHaveBeenCalledTimes(1);
+    expect(startAccount).toHaveBeenCalledTimes(1);
+  });
+
   it("reuses plugin account resolution for health monitor overrides", () => {
     installTestRegistry(
       createTestPlugin({
diff --git a/src/gateway/server-channels.ts b/src/gateway/server-channels.ts
index 075fac382a3..a016826f69b 100644
--- a/src/gateway/server-channels.ts
+++ b/src/gateway/server-channels.ts
@@ -105,6 +105,14 @@ type ChannelManagerOptions = {
    * @see {@link ChannelGatewayContext.channelRuntime}
    */
   channelRuntime?: PluginRuntime["channel"];
+  /**
+   * Lazily resolves optional channel runtime helpers for external channel plugins.
+   *
+   * Use this when the caller wants to avoid instantiating the full plugin channel
+   * runtime during gateway startup. The manager only needs the runtime surface once
+   * a channel account actually starts.
+   */
+  resolveChannelRuntime?: () => PluginRuntime["channel"];
 };
 
 type StartChannelOptions = {
@@ -125,7 +133,8 @@ export type ChannelManager = {
 
 // Channel docking: lifecycle hooks (`plugin.gateway`) flow through this manager.
 export function createChannelManager(opts: ChannelManagerOptions): ChannelManager {
-  const { loadConfig, channelLogs, channelRuntimeEnvs, channelRuntime } = opts;
+  const { loadConfig, channelLogs, channelRuntimeEnvs, channelRuntime, resolveChannelRuntime } =
+    opts;
 
   const channelStores = new Map<ChannelId, ChannelRuntimeStore>();
   // Tracks restart attempts per channel:account. Reset on successful start.
@@ -219,6 +228,10 @@ export function createChannelManager(opts: ChannelManagerOptions): ChannelManage
     return next;
   };
 
+  const getChannelRuntime = (): PluginRuntime["channel"] | undefined => {
+    return channelRuntime ?? resolveChannelRuntime?.();
+  };
+
   const startChannelInternal = async (
     channelId: ChannelId,
     accountId?: string,
@@ -297,6 +310,7 @@ export function createChannelManager(opts: ChannelManagerOptions): ChannelManage
         });
 
         const log = channelLogs[channelId];
+        const resolvedChannelRuntime = getChannelRuntime();
         const task = startAccount({
           cfg,
           accountId: id,
@@ -306,7 +320,7 @@ export function createChannelManager(opts: ChannelManagerOptions): ChannelManage
           log,
           getStatus: () => getRuntime(channelId, id),
           setStatus: (next) => setRuntime(channelId, id, next),
-          ...(channelRuntime ? { channelRuntime } : {}),
+          ...(resolvedChannelRuntime ? { channelRuntime: resolvedChannelRuntime } : {}),
         });
         const trackedPromise = Promise.resolve(task)
           .catch((err) => {
diff --git a/src/gateway/server-close.ts b/src/gateway/server-close.ts
index 1d941c0e206..7d07cb1abd5 100644
--- a/src/gateway/server-close.ts
+++ b/src/gateway/server-close.ts
@@ -11,6 +11,7 @@ export function createGatewayCloseHandler(params: {
   tailscaleCleanup: (() => Promise<void>) | null;
   canvasHost: CanvasHostHandler | null;
   canvasHostServer: CanvasHostServer | null;
+  releasePluginRouteRegistry?: (() => void) | null;
   stopChannel: (name: ChannelId, accountId?: string) => Promise<void>;
   pluginServices: PluginServicesHandle | null;
   cron: { stop: () => void };
@@ -33,106 +34,114 @@ export function createGatewayCloseHandler(params: {
   httpServers?: HttpServer[];
 }) {
   return async (opts?: { reason?: string; restartExpectedMs?: number | null }) => {
-    const reasonRaw = typeof opts?.reason === "string" ? opts.reason.trim() : "";
-    const reason = reasonRaw || "gateway stopping";
-    const restartExpectedMs =
-      typeof opts?.restartExpectedMs === "number" && Number.isFinite(opts.restartExpectedMs)
-        ? Math.max(0, Math.floor(opts.restartExpectedMs))
-        : null;
-    if (params.bonjourStop) {
-      try {
-        await params.bonjourStop();
-      } catch {
-        /* ignore */
-      }
-    }
-    if (params.tailscaleCleanup) {
-      await params.tailscaleCleanup();
-    }
-    if (params.canvasHost) {
-      try {
-        await params.canvasHost.close();
-      } catch {
-        /* ignore */
-      }
-    }
-    if (params.canvasHostServer) {
-      try {
-        await params.canvasHostServer.close();
-      } catch {
-        /* ignore */
-      }
-    }
-    for (const plugin of listChannelPlugins()) {
-      await params.stopChannel(plugin.id);
-    }
-    if (params.pluginServices) {
-      await params.pluginServices.stop().catch(() => {});
-    }
-    await stopGmailWatcher();
-    params.cron.stop();
-    params.heartbeatRunner.stop();
     try {
-      params.updateCheckStop?.();
-    } catch {
-      /* ignore */
-    }
-    for (const timer of params.nodePresenceTimers.values()) {
-      clearInterval(timer);
-    }
-    params.nodePresenceTimers.clear();
-    params.broadcast("shutdown", {
-      reason,
-      restartExpectedMs,
-    });
-    clearInterval(params.tickInterval);
-    clearInterval(params.healthInterval);
-    clearInterval(params.dedupeCleanup);
-    if (params.mediaCleanup) {
-      clearInterval(params.mediaCleanup);
-    }
-    if (params.agentUnsub) {
+      const reasonRaw = typeof opts?.reason === "string" ? opts.reason.trim() : "";
+      const reason = reasonRaw || "gateway stopping";
+      const restartExpectedMs =
+        typeof opts?.restartExpectedMs === "number" && Number.isFinite(opts.restartExpectedMs)
+          ? Math.max(0, Math.floor(opts.restartExpectedMs))
+          : null;
+      if (params.bonjourStop) {
+        try {
+          await params.bonjourStop();
+        } catch {
+          /* ignore */
+        }
+      }
+      if (params.tailscaleCleanup) {
+        await params.tailscaleCleanup();
+      }
+      if (params.canvasHost) {
+        try {
+          await params.canvasHost.close();
+        } catch {
+          /* ignore */
+        }
+      }
+      if (params.canvasHostServer) {
+        try {
+          await params.canvasHostServer.close();
+        } catch {
+          /* ignore */
+        }
+      }
+      for (const plugin of listChannelPlugins()) {
+        await params.stopChannel(plugin.id);
+      }
+      if (params.pluginServices) {
+        await params.pluginServices.stop().catch(() => {});
+      }
+      await stopGmailWatcher();
+      params.cron.stop();
+      params.heartbeatRunner.stop();
       try {
-        params.agentUnsub();
+        params.updateCheckStop?.();
       } catch {
         /* ignore */
       }
-    }
-    if (params.heartbeatUnsub) {
+      for (const timer of params.nodePresenceTimers.values()) {
+        clearInterval(timer);
+      }
+      params.nodePresenceTimers.clear();
+      params.broadcast("shutdown", {
+        reason,
+        restartExpectedMs,
+      });
+      clearInterval(params.tickInterval);
+      clearInterval(params.healthInterval);
+      clearInterval(params.dedupeCleanup);
+      if (params.mediaCleanup) {
+        clearInterval(params.mediaCleanup);
+      }
+      if (params.agentUnsub) {
+        try {
+          params.agentUnsub();
+        } catch {
+          /* ignore */
+        }
+      }
+      if (params.heartbeatUnsub) {
+        try {
+          params.heartbeatUnsub();
+        } catch {
+          /* ignore */
+        }
+      }
+      params.chatRunState.clear();
+      for (const c of params.clients) {
+        try {
+          c.socket.close(1012, "service restart");
+        } catch {
+          /* ignore */
+        }
+      }
+      params.clients.clear();
+      await params.configReloader.stop().catch(() => {});
+      if (params.browserControl) {
+        await params.browserControl.stop().catch(() => {});
+      }
+      await new Promise<void>((resolve) => params.wss.close(() => resolve()));
+      const servers =
+        params.httpServers && params.httpServers.length > 0
+          ? params.httpServers
+          : [params.httpServer];
+      for (const server of servers) {
+        const httpServer = server as HttpServer & {
+          closeIdleConnections?: () => void;
+        };
+        if (typeof httpServer.closeIdleConnections === "function") {
+          httpServer.closeIdleConnections();
+        }
+        await new Promise<void>((resolve, reject) =>
+          httpServer.close((err) => (err ? reject(err) : resolve())),
+        );
+      }
+    } finally {
       try {
-        params.heartbeatUnsub();
+        params.releasePluginRouteRegistry?.();
       } catch {
         /* ignore */
       }
     }
-    params.chatRunState.clear();
-    for (const c of params.clients) {
-      try {
-        c.socket.close(1012, "service restart");
-      } catch {
-        /* ignore */
-      }
-    }
-    params.clients.clear();
-    await params.configReloader.stop().catch(() => {});
-    if (params.browserControl) {
-      await params.browserControl.stop().catch(() => {});
-    }
-    await new Promise<void>((resolve) => params.wss.close(() => resolve()));
-    const servers =
-      params.httpServers && params.httpServers.length > 0
-        ? params.httpServers
-        : [params.httpServer];
-    for (const server of servers) {
-      const httpServer = server as HttpServer & {
-        closeIdleConnections?: () => void;
-      };
-      if (typeof httpServer.closeIdleConnections === "function") {
-        httpServer.closeIdleConnections();
-      }
-      await new Promise<void>((resolve, reject) =>
-        httpServer.close((err) => (err ? reject(err) : resolve())),
-      );
-    }
   };
 }
diff --git a/src/gateway/server-http.ts b/src/gateway/server-http.ts
index 75af96dd545..fe35da1f356 100644
--- a/src/gateway/server-http.ts
+++ b/src/gateway/server-http.ts
@@ -8,12 +8,12 @@ import {
 import { createServer as createHttpsServer } from "node:https";
 import type { TlsOptions } from "node:tls";
 import type { WebSocketServer } from "ws";
-import { handleSlackHttpRequest } from "../../extensions/slack/src/http/index.js";
 import { resolveAgentAvatar } from "../agents/identity-avatar.js";
 import { CANVAS_WS_PATH, handleA2uiHttpRequest } from "../canvas-host/a2ui.js";
 import type { CanvasHostHandler } from "../canvas-host/server.js";
 import { loadConfig } from "../config/config.js";
 import type { createSubsystemLogger } from "../logging/subsystem.js";
+import { handleSlackHttpRequest } from "../plugin-sdk-internal/slack.js";
 import { safeEqualSecret } from "../security/secret-equal.js";
 import {
   AUTH_RATE_LIMIT_SCOPE_HOOK_AUTH,
diff --git a/src/gateway/server-methods/agents-mutate.test.ts b/src/gateway/server-methods/agents-mutate.test.ts
index 1cd88825b8a..02f4da99f6f 100644
--- a/src/gateway/server-methods/agents-mutate.test.ts
+++ b/src/gateway/server-methods/agents-mutate.test.ts
@@ -172,7 +172,7 @@ function makeSymlinkStat(params?: { dev?: number; ino?: number }): import("node:
 }
 
 function mockWorkspaceStateRead(params: {
-  onboardingCompletedAt?: string;
+  setupCompletedAt?: string;
   errorCode?: string;
   rawContent?: string;
 }) {
@@ -186,7 +186,7 @@ function mockWorkspaceStateRead(params: {
         return params.rawContent;
       }
       return JSON.stringify({
-        onboardingCompletedAt: params.onboardingCompletedAt ?? "2026-02-15T14:00:00.000Z",
+        setupCompletedAt: params.setupCompletedAt ?? "2026-02-15T14:00:00.000Z",
       });
     }
     throw createEnoentError();
@@ -507,13 +507,13 @@ describe("agents.files.list", () => {
     mocks.loadConfigReturn = {};
   });
 
-  it("includes BOOTSTRAP.md when onboarding has not completed", async () => {
+  it("includes BOOTSTRAP.md when setup has not completed", async () => {
     const names = await listAgentFileNames();
     expect(names).toContain("BOOTSTRAP.md");
   });
 
-  it("hides BOOTSTRAP.md when workspace onboarding is complete", async () => {
-    mockWorkspaceStateRead({ onboardingCompletedAt: "2026-02-15T14:00:00.000Z" });
+  it("hides BOOTSTRAP.md when workspace setup is complete", async () => {
+    mockWorkspaceStateRead({ setupCompletedAt: "2026-02-15T14:00:00.000Z" });
 
     const names = await listAgentFileNames();
     expect(names).not.toContain("BOOTSTRAP.md");
@@ -576,7 +576,7 @@ describe("agents.files.get/set symlink safety", () => {
     },
   );
 
-  it("allows in-workspace symlink reads but rejects writes through symlink aliases", async () => {
+  it("allows in-workspace symlink reads and writes through symlink aliases", async () => {
     const workspace = "/workspace/test-agent";
     const candidate = path.resolve(workspace, "AGENTS.md");
     const target = path.resolve(workspace, "policies", "AGENTS.md");
@@ -636,11 +636,14 @@ describe("agents.files.get/set symlink safety", () => {
     });
     await setCall.promise;
     expect(setCall.respond).toHaveBeenCalledWith(
-      false,
-      undefined,
+      true,
       expect.objectContaining({
-        message: expect.stringContaining('unsafe workspace file "AGENTS.md"'),
+        file: expect.objectContaining({
+          missing: false,
+          content: "updated\n",
+        }),
       }),
+      undefined,
     );
   });
 
diff --git a/src/gateway/server-methods/agents.ts b/src/gateway/server-methods/agents.ts
index b9de9b797aa..73d640b2756 100644
--- a/src/gateway/server-methods/agents.ts
+++ b/src/gateway/server-methods/agents.ts
@@ -16,7 +16,7 @@ import {
   DEFAULT_TOOLS_FILENAME,
   DEFAULT_USER_FILENAME,
   ensureAgentWorkspace,
-  isWorkspaceOnboardingCompleted,
+  isWorkspaceSetupCompleted,
 } from "../../agents/workspace.js";
 import { movePathToTrash } from "../../browser/trash.js";
 import {
@@ -653,7 +653,7 @@ export const agentsHandlers: GatewayRequestHandlers = {
     const workspaceDir = resolveAgentWorkspaceDir(cfg, agentId);
     let hideBootstrap = false;
     try {
-      hideBootstrap = await isWorkspaceOnboardingCompleted(workspaceDir);
+      hideBootstrap = await isWorkspaceSetupCompleted(workspaceDir);
     } catch {
       // Fall back to showing BOOTSTRAP if workspace state cannot be read.
     }
diff --git a/src/gateway/server-plugins.test.ts b/src/gateway/server-plugins.test.ts
index 560392499c1..2db21cccde1 100644
--- a/src/gateway/server-plugins.test.ts
+++ b/src/gateway/server-plugins.test.ts
@@ -29,6 +29,7 @@ const createRegistry = (diagnostics: PluginDiagnostic[]): PluginRegistry => ({
   channelSetups: [],
   commands: [],
   providers: [],
+  webSearchProviders: [],
   gatewayHandlers: {},
   httpRoutes: [],
   cliRegistrars: [],
diff --git a/src/gateway/server-reload-handlers.ts b/src/gateway/server-reload-handlers.ts
index 008f0977d37..b92d71889bc 100644
--- a/src/gateway/server-reload-handlers.ts
+++ b/src/gateway/server-reload-handlers.ts
@@ -219,6 +219,7 @@ export function createGatewayReloadHandlers(params: {
 
       deferGatewayRestartUntilIdle({
         getPendingCount: () => getActiveCounts().totalActive,
+        maxWaitMs: nextConfig.gateway?.reload?.deferralTimeoutMs,
         hooks: {
           onReady: () => {
             restartPending = false;
diff --git a/src/gateway/server-runtime-state.ts b/src/gateway/server-runtime-state.ts
index a569b896e54..50bc491f421 100644
--- a/src/gateway/server-runtime-state.ts
+++ b/src/gateway/server-runtime-state.ts
@@ -5,6 +5,11 @@ import { type CanvasHostHandler, createCanvasHostHandler } from "../canvas-host/
 import type { CliDeps } from "../cli/deps.js";
 import type { createSubsystemLogger } from "../logging/subsystem.js";
 import type { PluginRegistry } from "../plugins/registry.js";
+import {
+  pinActivePluginHttpRouteRegistry,
+  releasePinnedPluginHttpRouteRegistry,
+  resolveActivePluginHttpRouteRegistry,
+} from "../plugins/runtime.js";
 import type { RuntimeEnv } from "../runtime.js";
 import type { AuthRateLimiter } from "./auth-rate-limit.js";
 import type { ResolvedGatewayAuth } from "./auth.js";
@@ -70,6 +75,7 @@ export async function createGatewayRuntimeState(params: {
   getReadiness?: ReadinessChecker;
 }): Promise<{
   canvasHost: CanvasHostHandler | null;
+  releasePluginRouteRegistry: () => void;
   httpServer: HttpServer;
   httpServers: HttpServer[];
   httpBindHosts: string[];
@@ -91,147 +97,157 @@ export async function createGatewayRuntimeState(params: {
   chatAbortControllers: Map<string, ChatAbortControllerEntry>;
   toolEventRecipients: ReturnType<typeof createToolEventRecipientRegistry>;
 }> {
-  let canvasHost: CanvasHostHandler | null = null;
-  if (params.canvasHostEnabled) {
-    try {
-      const handler = await createCanvasHostHandler({
-        runtime: params.canvasRuntime,
-        rootDir: params.cfg.canvasHost?.root,
-        basePath: CANVAS_HOST_PATH,
-        allowInTests: params.allowCanvasHostInTests,
-        liveReload: params.cfg.canvasHost?.liveReload,
-      });
-      if (handler.rootDir) {
-        canvasHost = handler;
-        params.logCanvas.info(
-          `canvas host mounted at http://${params.bindHost}:${params.port}${CANVAS_HOST_PATH}/ (root ${handler.rootDir})`,
-        );
+  pinActivePluginHttpRouteRegistry(params.pluginRegistry);
+  try {
+    let canvasHost: CanvasHostHandler | null = null;
+    if (params.canvasHostEnabled) {
+      try {
+        const handler = await createCanvasHostHandler({
+          runtime: params.canvasRuntime,
+          rootDir: params.cfg.canvasHost?.root,
+          basePath: CANVAS_HOST_PATH,
+          allowInTests: params.allowCanvasHostInTests,
+          liveReload: params.cfg.canvasHost?.liveReload,
+        });
+        if (handler.rootDir) {
+          canvasHost = handler;
+          params.logCanvas.info(
+            `canvas host mounted at http://${params.bindHost}:${params.port}${CANVAS_HOST_PATH}/ (root ${handler.rootDir})`,
+          );
+        }
+      } catch (err) {
+        params.logCanvas.warn(`canvas host failed to start: ${String(err)}`);
       }
-    } catch (err) {
-      params.logCanvas.warn(`canvas host failed to start: ${String(err)}`);
     }
-  }
 
-  const clients = new Set<GatewayWsClient>();
-  const { broadcast, broadcastToConnIds } = createGatewayBroadcaster({ clients });
+    const clients = new Set<GatewayWsClient>();
+    const { broadcast, broadcastToConnIds } = createGatewayBroadcaster({ clients });
 
-  const handleHooksRequest = createGatewayHooksRequestHandler({
-    deps: params.deps,
-    getHooksConfig: params.hooksConfig,
-    getClientIpConfig: params.getHookClientIpConfig,
-    bindHost: params.bindHost,
-    port: params.port,
-    logHooks: params.logHooks,
-  });
-
-  const handlePluginRequest = createGatewayPluginRequestHandler({
-    registry: params.pluginRegistry,
-    log: params.logPlugins,
-  });
-  const shouldEnforcePluginGatewayAuth = (pathContext: PluginRoutePathContext): boolean => {
-    return shouldEnforceGatewayAuthForPluginPath(params.pluginRegistry, pathContext);
-  };
-
-  const bindHosts = await resolveGatewayListenHosts(params.bindHost);
-  if (!isLoopbackHost(params.bindHost)) {
-    params.log.warn(
-      "⚠️  Gateway is binding to a non-loopback address. " +
-        "Ensure authentication is configured before exposing to public networks.",
-    );
-  }
-  if (params.cfg.gateway?.controlUi?.dangerouslyAllowHostHeaderOriginFallback === true) {
-    params.log.warn(
-      "⚠️  gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback=true is enabled. " +
-        "Host-header origin fallback weakens origin checks and should only be used as break-glass.",
-    );
-  }
-  const httpServers: HttpServer[] = [];
-  const httpBindHosts: string[] = [];
-  for (const host of bindHosts) {
-    const httpServer = createGatewayHttpServer({
-      canvasHost,
-      clients,
-      controlUiEnabled: params.controlUiEnabled,
-      controlUiBasePath: params.controlUiBasePath,
-      controlUiRoot: params.controlUiRoot,
-      openAiChatCompletionsEnabled: params.openAiChatCompletionsEnabled,
-      openAiChatCompletionsConfig: params.openAiChatCompletionsConfig,
-      openResponsesEnabled: params.openResponsesEnabled,
-      openResponsesConfig: params.openResponsesConfig,
-      strictTransportSecurityHeader: params.strictTransportSecurityHeader,
-      handleHooksRequest,
-      handlePluginRequest,
-      shouldEnforcePluginGatewayAuth,
-      resolvedAuth: params.resolvedAuth,
-      rateLimiter: params.rateLimiter,
-      getReadiness: params.getReadiness,
-      tlsOptions: params.gatewayTls?.enabled ? params.gatewayTls.tlsOptions : undefined,
+    const handleHooksRequest = createGatewayHooksRequestHandler({
+      deps: params.deps,
+      getHooksConfig: params.hooksConfig,
+      getClientIpConfig: params.getHookClientIpConfig,
+      bindHost: params.bindHost,
+      port: params.port,
+      logHooks: params.logHooks,
     });
-    try {
-      await listenGatewayHttpServer({
-        httpServer,
-        bindHost: host,
-        port: params.port,
-      });
-      httpServers.push(httpServer);
-      httpBindHosts.push(host);
-    } catch (err) {
-      if (host === bindHosts[0]) {
-        throw err;
-      }
+
+    const handlePluginRequest = createGatewayPluginRequestHandler({
+      registry: params.pluginRegistry,
+      log: params.logPlugins,
+    });
+    const shouldEnforcePluginGatewayAuth = (pathContext: PluginRoutePathContext): boolean => {
+      return shouldEnforceGatewayAuthForPluginPath(
+        resolveActivePluginHttpRouteRegistry(params.pluginRegistry),
+        pathContext,
+      );
+    };
+
+    const bindHosts = await resolveGatewayListenHosts(params.bindHost);
+    if (!isLoopbackHost(params.bindHost)) {
       params.log.warn(
-        `gateway: failed to bind loopback alias ${host}:${params.port} (${String(err)})`,
+        "⚠️  Gateway is binding to a non-loopback address. " +
+          "Ensure authentication is configured before exposing to public networks.",
       );
     }
-  }
-  const httpServer = httpServers[0];
-  if (!httpServer) {
-    throw new Error("Gateway HTTP server failed to start");
-  }
+    if (params.cfg.gateway?.controlUi?.dangerouslyAllowHostHeaderOriginFallback === true) {
+      params.log.warn(
+        "⚠️  gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback=true is enabled. " +
+          "Host-header origin fallback weakens origin checks and should only be used as break-glass.",
+      );
+    }
+    const httpServers: HttpServer[] = [];
+    const httpBindHosts: string[] = [];
+    for (const host of bindHosts) {
+      const httpServer = createGatewayHttpServer({
+        canvasHost,
+        clients,
+        controlUiEnabled: params.controlUiEnabled,
+        controlUiBasePath: params.controlUiBasePath,
+        controlUiRoot: params.controlUiRoot,
+        openAiChatCompletionsEnabled: params.openAiChatCompletionsEnabled,
+        openAiChatCompletionsConfig: params.openAiChatCompletionsConfig,
+        openResponsesEnabled: params.openResponsesEnabled,
+        openResponsesConfig: params.openResponsesConfig,
+        strictTransportSecurityHeader: params.strictTransportSecurityHeader,
+        handleHooksRequest,
+        handlePluginRequest,
+        shouldEnforcePluginGatewayAuth,
+        resolvedAuth: params.resolvedAuth,
+        rateLimiter: params.rateLimiter,
+        getReadiness: params.getReadiness,
+        tlsOptions: params.gatewayTls?.enabled ? params.gatewayTls.tlsOptions : undefined,
+      });
+      try {
+        await listenGatewayHttpServer({
+          httpServer,
+          bindHost: host,
+          port: params.port,
+        });
+        httpServers.push(httpServer);
+        httpBindHosts.push(host);
+      } catch (err) {
+        if (host === bindHosts[0]) {
+          throw err;
+        }
+        params.log.warn(
+          `gateway: failed to bind loopback alias ${host}:${params.port} (${String(err)})`,
+        );
+      }
+    }
+    const httpServer = httpServers[0];
+    if (!httpServer) {
+      throw new Error("Gateway HTTP server failed to start");
+    }
 
-  const wss = new WebSocketServer({
-    noServer: true,
-    maxPayload: MAX_PREAUTH_PAYLOAD_BYTES,
-  });
-  for (const server of httpServers) {
-    attachGatewayUpgradeHandler({
-      httpServer: server,
-      wss,
-      canvasHost,
-      clients,
-      resolvedAuth: params.resolvedAuth,
-      rateLimiter: params.rateLimiter,
+    const wss = new WebSocketServer({
+      noServer: true,
+      maxPayload: MAX_PREAUTH_PAYLOAD_BYTES,
     });
+    for (const server of httpServers) {
+      attachGatewayUpgradeHandler({
+        httpServer: server,
+        wss,
+        canvasHost,
+        clients,
+        resolvedAuth: params.resolvedAuth,
+        rateLimiter: params.rateLimiter,
+      });
+    }
+
+    const agentRunSeq = new Map<string, number>();
+    const dedupe = new Map<string, DedupeEntry>();
+    const chatRunState = createChatRunState();
+    const chatRunRegistry = chatRunState.registry;
+    const chatRunBuffers = chatRunState.buffers;
+    const chatDeltaSentAt = chatRunState.deltaSentAt;
+    const addChatRun = chatRunRegistry.add;
+    const removeChatRun = chatRunRegistry.remove;
+    const chatAbortControllers = new Map<string, ChatAbortControllerEntry>();
+    const toolEventRecipients = createToolEventRecipientRegistry();
+
+    return {
+      canvasHost,
+      releasePluginRouteRegistry: () => releasePinnedPluginHttpRouteRegistry(params.pluginRegistry),
+      httpServer,
+      httpServers,
+      httpBindHosts,
+      wss,
+      clients,
+      broadcast,
+      broadcastToConnIds,
+      agentRunSeq,
+      dedupe,
+      chatRunState,
+      chatRunBuffers,
+      chatDeltaSentAt,
+      addChatRun,
+      removeChatRun,
+      chatAbortControllers,
+      toolEventRecipients,
+    };
+  } catch (err) {
+    releasePinnedPluginHttpRouteRegistry(params.pluginRegistry);
+    throw err;
   }
-
-  const agentRunSeq = new Map<string, number>();
-  const dedupe = new Map<string, DedupeEntry>();
-  const chatRunState = createChatRunState();
-  const chatRunRegistry = chatRunState.registry;
-  const chatRunBuffers = chatRunState.buffers;
-  const chatDeltaSentAt = chatRunState.deltaSentAt;
-  const addChatRun = chatRunRegistry.add;
-  const removeChatRun = chatRunRegistry.remove;
-  const chatAbortControllers = new Map<string, ChatAbortControllerEntry>();
-  const toolEventRecipients = createToolEventRecipientRegistry();
-
-  return {
-    canvasHost,
-    httpServer,
-    httpServers,
-    httpBindHosts,
-    wss,
-    clients,
-    broadcast,
-    broadcastToConnIds,
-    agentRunSeq,
-    dedupe,
-    chatRunState,
-    chatRunBuffers,
-    chatDeltaSentAt,
-    addChatRun,
-    removeChatRun,
-    chatAbortControllers,
-    toolEventRecipients,
-  };
 }
diff --git a/src/gateway/server.agent.gateway-server-agent.mocks.ts b/src/gateway/server.agent.gateway-server-agent.mocks.ts
index 0e1f779ef4f..acf507dbde2 100644
--- a/src/gateway/server.agent.gateway-server-agent.mocks.ts
+++ b/src/gateway/server.agent.gateway-server-agent.mocks.ts
@@ -11,6 +11,7 @@ export const registryState: { registry: PluginRegistry } = {
     channels: [],
     channelSetups: [],
     providers: [],
+    webSearchProviders: [],
     gatewayHandlers: {},
     httpHandlers: [],
     httpRoutes: [],
diff --git a/src/gateway/server.impl.ts b/src/gateway/server.impl.ts
index 5453ff8fcee..4c22e94bddf 100644
--- a/src/gateway/server.impl.ts
+++ b/src/gateway/server.impl.ts
@@ -63,7 +63,7 @@ import {
   prepareSecretsRuntimeSnapshot,
   resolveCommandSecretsFromActiveRuntimeSnapshot,
 } from "../secrets/runtime.js";
-import { runOnboardingWizard } from "../wizard/onboarding.js";
+import { runSetupWizard } from "../wizard/setup.js";
 import { createAuthRateLimiter, type AuthRateLimiter } from "./auth-rate-limit.js";
 import { startChannelHealthMonitor } from "./channel-health-monitor.js";
 import { startGatewayConfigReloader } from "./config-reload.js";
@@ -138,6 +138,13 @@ const logDiscovery = log.child("discovery");
 const logTailscale = log.child("tailscale");
 const logChannels = log.child("channels");
 const logBrowser = log.child("browser");
+
+let cachedChannelRuntime: ReturnType<typeof createPluginRuntime>["channel"] | null = null;
+
+function getChannelRuntime() {
+  cachedChannelRuntime ??= createPluginRuntime().channel;
+  return cachedChannelRuntime;
+}
 const logHealth = log.child("health");
 const logCron = log.child("cron");
 const logReload = log.child("reload");
@@ -255,7 +262,7 @@ export type GatewayServerOptions = {
    */
   allowCanvasHostInTests?: boolean;
   /**
-   * Test-only: override the onboarding wizard runner.
+   * Test-only: override the setup wizard runner.
    */
   wizardRunner?: (
     opts: import("../commands/onboard-types.js").OnboardOptions,
@@ -561,7 +568,7 @@ export async function startGatewayServer(
       : { kind: "missing" };
   }
 
-  const wizardRunner = opts.wizardRunner ?? runOnboardingWizard;
+  const wizardRunner = opts.wizardRunner ?? runSetupWizard;
   const { wizardSessions, findRunningWizard, purgeWizardSession } = createWizardSessionTracker();
 
   const deps = createDefaultDeps();
@@ -575,7 +582,7 @@ export async function startGatewayServer(
     loadConfig,
     channelLogs,
     channelRuntimeEnvs,
-    channelRuntime: createPluginRuntime().channel,
+    resolveChannelRuntime: getChannelRuntime,
   });
   const getReadiness = createReadinessChecker({
     channelManager,
@@ -583,6 +590,7 @@ export async function startGatewayServer(
   });
   const {
     canvasHost,
+    releasePluginRouteRegistry,
     httpServer,
     httpServers,
     httpBindHosts,
@@ -1041,6 +1049,7 @@ export async function startGatewayServer(
     tailscaleCleanup,
     canvasHost,
     canvasHostServer,
+    releasePluginRouteRegistry,
     stopChannel,
     pluginServices,
     cron,
diff --git a/src/gateway/server.sessions.gateway-server-sessions-a.test.ts b/src/gateway/server.sessions.gateway-server-sessions-a.test.ts
index fdce44e33f4..903a52592a3 100644
--- a/src/gateway/server.sessions.gateway-server-sessions-a.test.ts
+++ b/src/gateway/server.sessions.gateway-server-sessions-a.test.ts
@@ -102,15 +102,21 @@ vi.mock("../plugins/hook-runner-global.js", async (importOriginal) => {
   };
 });
 
-vi.mock("../../extensions/discord/src/monitor/thread-bindings.js", async (importOriginal) => {
-  const actual =
-    await importOriginal<
-      typeof import("../../extensions/discord/src/monitor/thread-bindings.js")
-    >();
+vi.mock("../plugins/runtime/runtime-discord.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("../plugins/runtime/runtime-discord.js")>();
   return {
     ...actual,
-    unbindThreadBindingsBySessionKey: (params: unknown) =>
-      threadBindingMocks.unbindThreadBindingsBySessionKey(params),
+    createRuntimeDiscord: () => {
+      const runtime = actual.createRuntimeDiscord();
+      return {
+        ...runtime,
+        threadBindings: {
+          ...runtime.threadBindings,
+          unbindBySessionKey: (params: unknown) =>
+            threadBindingMocks.unbindThreadBindingsBySessionKey(params),
+        },
+      };
+    },
   };
 });
 
diff --git a/src/gateway/server/plugins-http.test.ts b/src/gateway/server/plugins-http.test.ts
index 1a4866d7d23..a373793e108 100644
--- a/src/gateway/server/plugins-http.test.ts
+++ b/src/gateway/server/plugins-http.test.ts
@@ -1,5 +1,12 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
-import { describe, expect, it, vi } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { registerPluginHttpRoute } from "../../plugins/http-registry.js";
+import { createEmptyPluginRegistry } from "../../plugins/registry.js";
+import {
+  pinActivePluginHttpRouteRegistry,
+  releasePinnedPluginHttpRouteRegistry,
+  setActivePluginRegistry,
+} from "../../plugins/runtime.js";
 import type { PluginRuntime } from "../../plugins/runtime/types.js";
 import type { GatewayRequestContext, GatewayRequestOptions } from "../server-methods/types.js";
 import { makeMockHttpResponse } from "../test-http-response.js";
@@ -129,6 +136,11 @@ async function invokeSecureGatewayRoute(params: { gatewayAuthSatisfied: boolean
 }
 
 describe("createGatewayPluginRequestHandler", () => {
+  afterEach(() => {
+    releasePinnedPluginHttpRouteRegistry();
+    setActivePluginRegistry(createEmptyPluginRegistry());
+  });
+
   it("caps unauthenticated plugin routes to non-admin subagent scopes", async () => {
     loadOpenClawPlugins.mockReset();
     handleGatewayRequest.mockReset();
@@ -283,6 +295,100 @@ describe("createGatewayPluginRequestHandler", () => {
     expect(routeHandler).toHaveBeenCalledTimes(1);
   });
 
+  it("falls back to the provided registry when the pinned route registry is empty", async () => {
+    const explicitRouteHandler = vi.fn(async (_req, res: ServerResponse) => {
+      res.statusCode = 200;
+      return true;
+    });
+    const startupRegistry = createTestRegistry();
+    const explicitRegistry = createTestRegistry({
+      httpRoutes: [createRoute({ path: "/demo", auth: "plugin", handler: explicitRouteHandler })],
+    });
+
+    setActivePluginRegistry(startupRegistry);
+    pinActivePluginHttpRouteRegistry(startupRegistry);
+
+    const handler = createGatewayPluginRequestHandler({
+      registry: explicitRegistry,
+      log: createPluginLog(),
+    });
+
+    const { res } = makeMockHttpResponse();
+    const handled = await handler({ url: "/demo" } as IncomingMessage, res);
+    expect(handled).toBe(true);
+    expect(explicitRouteHandler).toHaveBeenCalledTimes(1);
+  });
+
+  it("handles routes registered into the pinned startup registry after the active registry changes", async () => {
+    const startupRegistry = createTestRegistry();
+    const laterActiveRegistry = createTestRegistry();
+    const routeHandler = vi.fn(async (_req, res: ServerResponse) => {
+      res.statusCode = 202;
+      return true;
+    });
+
+    setActivePluginRegistry(startupRegistry);
+    pinActivePluginHttpRouteRegistry(startupRegistry);
+    setActivePluginRegistry(laterActiveRegistry);
+
+    const unregister = registerPluginHttpRoute({
+      path: "/bluebubbles-webhook",
+      auth: "plugin",
+      handler: routeHandler,
+    });
+
+    try {
+      const handler = createGatewayPluginRequestHandler({
+        registry: startupRegistry,
+        log: createPluginLog(),
+      });
+
+      const { res } = makeMockHttpResponse();
+      const handled = await handler({ url: "/bluebubbles-webhook" } as IncomingMessage, res);
+      expect(handled).toBe(true);
+      expect(routeHandler).toHaveBeenCalledTimes(1);
+      expect(laterActiveRegistry.httpRoutes).toHaveLength(0);
+    } finally {
+      unregister();
+    }
+  });
+
+  it("prefers the pinned route registry over a stale explicit registry", async () => {
+    const startupRegistry = createTestRegistry();
+    const staleExplicitRegistry = createTestRegistry({
+      httpRoutes: [createRoute({ path: "/plugins/diffs", auth: "plugin" })],
+    });
+    const routeHandler = vi.fn(async (_req, res: ServerResponse) => {
+      res.statusCode = 204;
+      return true;
+    });
+
+    setActivePluginRegistry(createTestRegistry());
+    pinActivePluginHttpRouteRegistry(startupRegistry);
+
+    const unregister = registerPluginHttpRoute({
+      path: "/bluebubbles-webhook",
+      auth: "plugin",
+      handler: routeHandler,
+    });
+
+    try {
+      const handler = createGatewayPluginRequestHandler({
+        registry: staleExplicitRegistry,
+        log: createPluginLog(),
+      });
+
+      const { res } = makeMockHttpResponse();
+      const handled = await handler({ url: "/bluebubbles-webhook" } as IncomingMessage, res);
+      expect(handled).toBe(true);
+      expect(routeHandler).toHaveBeenCalledTimes(1);
+      expect(staleExplicitRegistry.httpRoutes).toHaveLength(1);
+      expect(startupRegistry.httpRoutes).toHaveLength(1);
+    } finally {
+      unregister();
+    }
+  });
+
   it("logs and responds with 500 when a route throws", async () => {
     const log = createPluginLog();
     const handler = createGatewayPluginRequestHandler({
diff --git a/src/gateway/server/plugins-http.ts b/src/gateway/server/plugins-http.ts
index 6147e1bee99..b2b3f3a17ec 100644
--- a/src/gateway/server/plugins-http.ts
+++ b/src/gateway/server/plugins-http.ts
@@ -1,6 +1,7 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import type { createSubsystemLogger } from "../../logging/subsystem.js";
 import type { PluginRegistry } from "../../plugins/registry.js";
+import { resolveActivePluginHttpRouteRegistry } from "../../plugins/runtime.js";
 import { withPluginRuntimeGatewayRequestScope } from "../../plugins/runtime/gateway-request-scope.js";
 import { ADMIN_SCOPE, APPROVALS_SCOPE, PAIRING_SCOPE, WRITE_SCOPE } from "../method-scopes.js";
 import { GATEWAY_CLIENT_IDS, GATEWAY_CLIENT_MODES } from "../protocol/client-info.js";
@@ -63,8 +64,9 @@ export function createGatewayPluginRequestHandler(params: {
   registry: PluginRegistry;
   log: SubsystemLogger;
 }): PluginHttpRequestHandler {
-  const { registry, log } = params;
+  const { log } = params;
   return async (req, res, providedPathContext, dispatchContext) => {
+    const registry = resolveActivePluginHttpRouteRegistry(params.registry);
     const routes = registry.httpRoutes ?? [];
     if (routes.length === 0) {
       return false;
diff --git a/src/gateway/session-reset-service.ts b/src/gateway/session-reset-service.ts
index b07bf0095dd..48066b6e2a7 100644
--- a/src/gateway/session-reset-service.ts
+++ b/src/gateway/session-reset-service.ts
@@ -1,5 +1,4 @@
 import { randomUUID } from "node:crypto";
-import { unbindThreadBindingsBySessionKey } from "../../extensions/discord/src/monitor/thread-bindings.js";
 import { getAcpSessionManager } from "../acp/control-plane/manager.js";
 import { resolveDefaultAgentId } from "../agents/agent-scope.js";
 import { clearBootstrapSnapshot } from "../agents/bootstrap-cache.js";
@@ -16,6 +15,7 @@ import {
 import { logVerbose } from "../globals.js";
 import { createInternalHookEvent, triggerInternalHook } from "../hooks/internal-hooks.js";
 import { getGlobalHookRunner } from "../plugins/hook-runner-global.js";
+import { createPluginRuntime } from "../plugins/runtime/index.js";
 import {
   isSubagentSessionKey,
   normalizeAgentId,
@@ -31,6 +31,12 @@ import {
 } from "./session-utils.js";
 
 const ACP_RUNTIME_CLEANUP_TIMEOUT_MS = 15_000;
+let cachedChannelRuntime: ReturnType<typeof createPluginRuntime>["channel"] | undefined;
+
+function getChannelRuntime() {
+  cachedChannelRuntime ??= createPluginRuntime().channel;
+  return cachedChannelRuntime;
+}
 
 function stripRuntimeModelState(entry?: SessionEntry): SessionEntry | undefined {
   if (!entry) {
@@ -70,7 +76,8 @@ export async function emitSessionUnboundLifecycleEvent(params: {
   emitHooks?: boolean;
 }) {
   const targetKind = isSubagentSessionKey(params.targetSessionKey) ? "subagent" : "acp";
-  unbindThreadBindingsBySessionKey({
+  const channelRuntime = getChannelRuntime();
+  channelRuntime.discord.threadBindings.unbindBySessionKey({
     targetSessionKey: params.targetSessionKey,
     targetKind,
     reason: params.reason,
diff --git a/src/gateway/test-helpers.mocks.ts b/src/gateway/test-helpers.mocks.ts
index 17868ae0bca..59ad8a9cedc 100644
--- a/src/gateway/test-helpers.mocks.ts
+++ b/src/gateway/test-helpers.mocks.ts
@@ -146,6 +146,7 @@ const createStubPluginRegistry = (): PluginRegistry => ({
   ],
   channelSetups: [],
   providers: [],
+  webSearchProviders: [],
   gatewayHandlers: {},
   httpRoutes: [],
   cliRegistrars: [],
diff --git a/src/hooks/bundled/session-memory/HOOK.md b/src/hooks/bundled/session-memory/HOOK.md
index 6969fb2b8be..c963e17b76c 100644
--- a/src/hooks/bundled/session-memory/HOOK.md
+++ b/src/hooks/bundled/session-memory/HOOK.md
@@ -51,7 +51,7 @@ The LLM generates descriptive slugs based on your conversation:
 
 ## Requirements
 
-- **Config**: `workspace.dir` must be set (automatically configured during onboarding)
+- **Config**: `workspace.dir` must be set (automatically configured during setup)
 
 The hook uses your configured LLM provider to generate slugs, so it works with any provider (Anthropic, OpenAI, etc.).
 
diff --git a/src/index.test.ts b/src/index.test.ts
new file mode 100644
index 00000000000..e1cd55a39e2
--- /dev/null
+++ b/src/index.test.ts
@@ -0,0 +1,60 @@
+import fs from "node:fs";
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+const runtimeMocks = vi.hoisted(() => ({
+  runCli: vi.fn(async () => {}),
+}));
+
+vi.mock("./cli/run-main.js", () => ({
+  runCli: runtimeMocks.runCli,
+}));
+
+describe("legacy root entry", () => {
+  afterEach(() => {
+    vi.clearAllMocks();
+    vi.resetModules();
+  });
+
+  it("routes the package root export to the pure library entry", () => {
+    const packageJson = JSON.parse(
+      fs.readFileSync(new URL("../package.json", import.meta.url), "utf8"),
+    ) as {
+      exports?: Record<string, unknown>;
+      main?: string;
+    };
+
+    expect(packageJson.main).toBe("dist/index.js");
+    expect(packageJson.exports?.["."]).toBe("./dist/index.js");
+  });
+
+  it("does not run CLI bootstrap when imported as a library dependency", async () => {
+    const mod = await import("./index.js");
+
+    expect(typeof mod.runLegacyCliEntry).toBe("function");
+    expect(runtimeMocks.runCli).not.toHaveBeenCalled();
+  });
+
+  it("keeps library imports free of global window shims", async () => {
+    const originalWindowDescriptor = Object.getOwnPropertyDescriptor(globalThis, "window");
+    Reflect.deleteProperty(globalThis as object, "window");
+
+    try {
+      await import("./index.js");
+      expect("window" in globalThis).toBe(false);
+    } finally {
+      if (originalWindowDescriptor) {
+        Object.defineProperty(globalThis, "window", originalWindowDescriptor);
+      }
+    }
+  });
+
+  it("delegates legacy direct-entry execution to run-main", async () => {
+    const mod = await import("./index.js");
+    const argv = ["node", "dist/index.js", "status"];
+
+    await mod.runLegacyCliEntry(argv);
+
+    expect(runtimeMocks.runCli).toHaveBeenCalledOnce();
+    expect(runtimeMocks.runCli).toHaveBeenCalledWith(argv);
+  });
+});
diff --git a/src/index.ts b/src/index.ts
index 61d96ccee33..92cf6269cc4 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,76 +1,45 @@
 #!/usr/bin/env node
 import process from "node:process";
 import { fileURLToPath } from "node:url";
-import { getReplyFromConfig } from "./auto-reply/reply.js";
-import { applyTemplate } from "./auto-reply/templating.js";
-import { monitorWebChannel } from "./channel-web.js";
-import { createDefaultDeps } from "./cli/deps.js";
-import { promptYesNo } from "./cli/prompt.js";
-import { waitForever } from "./cli/wait.js";
-import { loadConfig } from "./config/config.js";
-import {
-  deriveSessionKey,
-  loadSessionStore,
-  resolveSessionKey,
-  resolveStorePath,
-  saveSessionStore,
-} from "./config/sessions.js";
-import { ensureBinary } from "./infra/binaries.js";
-import { loadDotEnv } from "./infra/dotenv.js";
-import { normalizeEnv } from "./infra/env.js";
 import { formatUncaughtError } from "./infra/errors.js";
 import { isMainModule } from "./infra/is-main.js";
-import { ensureOpenClawCliOnPath } from "./infra/path-env.js";
-import {
-  describePortOwner,
-  ensurePortAvailable,
-  handlePortError,
-  PortInUseError,
-} from "./infra/ports.js";
-import { assertSupportedRuntime } from "./infra/runtime-guard.js";
 import { installUnhandledRejectionHandler } from "./infra/unhandled-rejections.js";
-import { enableConsoleCapture } from "./logging.js";
-import { runCommandWithTimeout, runExec } from "./process/exec.js";
-import { assertWebChannel, normalizeE164, toWhatsappJid } from "./utils.js";
 
-loadDotEnv({ quiet: true });
-normalizeEnv();
-ensureOpenClawCliOnPath();
+const library = await import("./library.js");
 
-// Capture all console output into structured logs while keeping stdout/stderr behavior.
-enableConsoleCapture();
+export const assertWebChannel = library.assertWebChannel;
+export const applyTemplate = library.applyTemplate;
+export const createDefaultDeps = library.createDefaultDeps;
+export const deriveSessionKey = library.deriveSessionKey;
+export const describePortOwner = library.describePortOwner;
+export const ensureBinary = library.ensureBinary;
+export const ensurePortAvailable = library.ensurePortAvailable;
+export const getReplyFromConfig = library.getReplyFromConfig;
+export const handlePortError = library.handlePortError;
+export const loadConfig = library.loadConfig;
+export const loadSessionStore = library.loadSessionStore;
+export const monitorWebChannel = library.monitorWebChannel;
+export const normalizeE164 = library.normalizeE164;
+export const PortInUseError = library.PortInUseError;
+export const promptYesNo = library.promptYesNo;
+export const resolveSessionKey = library.resolveSessionKey;
+export const resolveStorePath = library.resolveStorePath;
+export const runCommandWithTimeout = library.runCommandWithTimeout;
+export const runExec = library.runExec;
+export const saveSessionStore = library.saveSessionStore;
+export const toWhatsappJid = library.toWhatsappJid;
+export const waitForever = library.waitForever;
 
-// Enforce the minimum supported runtime before doing any work.
-assertSupportedRuntime();
+// Legacy direct file entrypoint only. Package root exports now live in library.ts.
+export async function runLegacyCliEntry(argv: string[] = process.argv): Promise<void> {
+  const [{ installGaxiosFetchCompat }, { runCli }] = await Promise.all([
+    import("./infra/gaxios-fetch-compat.js"),
+    import("./cli/run-main.js"),
+  ]);
 
-import { buildProgram } from "./cli/program.js";
-
-const program = buildProgram();
-
-export {
-  assertWebChannel,
-  applyTemplate,
-  createDefaultDeps,
-  deriveSessionKey,
-  describePortOwner,
-  ensureBinary,
-  ensurePortAvailable,
-  getReplyFromConfig,
-  handlePortError,
-  loadConfig,
-  loadSessionStore,
-  monitorWebChannel,
-  normalizeE164,
-  PortInUseError,
-  promptYesNo,
-  resolveSessionKey,
-  resolveStorePath,
-  runCommandWithTimeout,
-  runExec,
-  saveSessionStore,
-  toWhatsappJid,
-  waitForever,
-};
+  installGaxiosFetchCompat();
+  await runCli(argv);
+}
 
 const isMain = isMainModule({
   currentFile: fileURLToPath(import.meta.url),
@@ -86,7 +55,7 @@ if (isMain) {
     process.exit(1);
   });
 
-  void program.parseAsync(process.argv).catch((err) => {
+  void runLegacyCliEntry(process.argv).catch((err) => {
     console.error("[openclaw] CLI failed:", formatUncaughtError(err));
     process.exit(1);
   });
diff --git a/src/infra/bonjour.test.ts b/src/infra/bonjour.test.ts
index d8f976fdc41..b101171782b 100644
--- a/src/infra/bonjour.test.ts
+++ b/src/infra/bonjour.test.ts
@@ -27,21 +27,32 @@ function mockCiaoService(params?: {
   advertise?: ReturnType<typeof vi.fn>;
   destroy?: ReturnType<typeof vi.fn>;
   serviceState?: string;
+  stateRef?: { value: string };
   on?: ReturnType<typeof vi.fn>;
 }) {
   const advertise = params?.advertise ?? vi.fn().mockResolvedValue(undefined);
   const destroy = params?.destroy ?? vi.fn().mockResolvedValue(undefined);
   const on = params?.on ?? vi.fn();
   createService.mockImplementation((options: Record<string, unknown>) => {
-    return {
+    const service = {
       advertise,
       destroy,
-      serviceState: params?.serviceState ?? "announced",
       on,
       getFQDN: () => `${asString(options.type, "service")}.${asString(options.domain, "local")}.`,
       getHostname: () => asString(options.hostname, "unknown"),
       getPort: () => Number(options.port ?? -1),
     };
+    Object.defineProperty(service, "serviceState", {
+      configurable: true,
+      enumerable: true,
+      get: () => params?.stateRef?.value ?? params?.serviceState ?? "announced",
+      set: (value: string) => {
+        if (params?.stateRef) {
+          params.stateRef.value = value;
+        }
+      },
+    });
+    return service;
   });
   return { advertise, destroy, on };
 }
@@ -253,14 +264,16 @@ describe("gateway bonjour advertiser", () => {
     await Promise.resolve();
     expect(logWarn).toHaveBeenCalledWith(expect.stringContaining("advertise failed"));
 
-    // watchdog should attempt re-advertise at the 60s interval tick
-    await vi.advanceTimersByTimeAsync(60_000);
-    expect(advertise).toHaveBeenCalledTimes(2);
+    // watchdog first retries, then recreates the advertiser after the service
+    // stays unhealthy across multiple 5s ticks.
+    await vi.advanceTimersByTimeAsync(15_000);
+    expect(advertise).toHaveBeenCalledTimes(3);
+    expect(createService).toHaveBeenCalledTimes(2);
 
     await started.stop();
 
     await vi.advanceTimersByTimeAsync(60_000);
-    expect(advertise).toHaveBeenCalledTimes(2);
+    expect(advertise).toHaveBeenCalledTimes(3);
   });
 
   it("handles advertise throwing synchronously", async () => {
@@ -283,6 +296,88 @@ describe("gateway bonjour advertiser", () => {
     await started.stop();
   });
 
+  it("recreates the advertiser when ciao gets stuck announcing", async () => {
+    enableAdvertiserUnitMode();
+    vi.useFakeTimers();
+
+    const stateRef = { value: "announcing" };
+    const events: string[] = [];
+    let advertiseCount = 0;
+    const destroy = vi.fn().mockImplementation(async () => {
+      events.push("destroy");
+    });
+    const advertise = vi.fn().mockImplementation(() => {
+      advertiseCount += 1;
+      events.push(`advertise:${advertiseCount}`);
+      if (advertiseCount === 1) {
+        stateRef.value = "announcing";
+        return new Promise<void>(() => {});
+      }
+      stateRef.value = "announced";
+      return Promise.resolve();
+    });
+    mockCiaoService({ advertise, destroy, stateRef });
+
+    const started = await startGatewayBonjourAdvertiser({
+      gatewayPort: 18789,
+      sshPort: 2222,
+    });
+
+    expect(createService).toHaveBeenCalledTimes(1);
+    expect(advertise).toHaveBeenCalledTimes(1);
+
+    await vi.advanceTimersByTimeAsync(15_000);
+
+    expect(logWarn).toHaveBeenCalledWith(expect.stringContaining("restarting advertiser"));
+    expect(createService).toHaveBeenCalledTimes(2);
+    expect(advertise).toHaveBeenCalledTimes(2);
+    expect(destroy).toHaveBeenCalledTimes(1);
+    expect(shutdown).toHaveBeenCalledTimes(1);
+    expect(events).toEqual(["advertise:1", "destroy", "advertise:2"]);
+
+    await started.stop();
+    expect(destroy).toHaveBeenCalledTimes(2);
+    expect(shutdown).toHaveBeenCalledTimes(2);
+  });
+
+  it("treats probing-to-announcing churn as one unhealthy window", async () => {
+    enableAdvertiserUnitMode();
+    vi.useFakeTimers();
+
+    const stateRef = { value: "probing" };
+    let advertiseCount = 0;
+    const destroy = vi.fn().mockResolvedValue(undefined);
+    const advertise = vi.fn().mockImplementation(() => {
+      advertiseCount += 1;
+      if (advertiseCount === 2) {
+        stateRef.value = "announcing";
+      }
+      if (advertiseCount >= 3) {
+        stateRef.value = "announced";
+      }
+      return Promise.resolve();
+    });
+    mockCiaoService({ advertise, destroy, stateRef });
+
+    const started = await startGatewayBonjourAdvertiser({
+      gatewayPort: 18789,
+      sshPort: 2222,
+    });
+
+    expect(createService).toHaveBeenCalledTimes(1);
+    expect(advertise).toHaveBeenCalledTimes(1);
+
+    await vi.advanceTimersByTimeAsync(15_000);
+
+    expect(logWarn).toHaveBeenCalledWith(expect.stringContaining("service stuck in announcing"));
+    expect(createService).toHaveBeenCalledTimes(2);
+    expect(advertise).toHaveBeenCalledTimes(3);
+    expect(destroy).toHaveBeenCalledTimes(1);
+    expect(shutdown).toHaveBeenCalledTimes(1);
+
+    await started.stop();
+  });
+
   it("normalizes hostnames with domains for service names", async () => {
     // Allow advertiser to run in unit tests.
     delete process.env.VITEST;
diff --git a/src/infra/bonjour.ts b/src/infra/bonjour.ts
index 7d405741a0e..457853a9b45 100644
--- a/src/infra/bonjour.ts
+++ b/src/infra/bonjour.ts
@@ -48,16 +48,25 @@ function prettifyInstanceName(name: string) {
   return normalized.replace(/\s+\(OpenClaw\)\s*$/i, "").trim() || normalized;
 }
 
-type BonjourService = {
-  advertise: () => Promise<void>;
-  destroy: () => Promise<void>;
-  getFQDN: () => string;
-  getHostname: () => string;
-  getPort: () => number;
-  on: (event: string, listener: (...args: unknown[]) => void) => unknown;
-  serviceState: string;
+type BonjourService = import("@homebridge/ciao").CiaoService;
+type BonjourResponder = import("@homebridge/ciao").Responder;
+type BonjourServiceState = BonjourService["serviceState"];
+
+type BonjourCycle = {
+  responder: BonjourResponder;
+  services: Array<{ label: string; svc: BonjourService }>;
+  cleanupUnhandledRejection?: () => void;
 };
 
+type ServiceStateTracker = {
+  state: BonjourServiceState | "unknown";
+  sinceMs: number;
+};
+
+const WATCHDOG_INTERVAL_MS = 5_000;
+const REPAIR_DEBOUNCE_MS = 30_000;
+const STUCK_ANNOUNCING_MS = 8_000;
+
 function serviceSummary(label: string, svc: BonjourService): string {
   let fqdn = "unknown";
   let hostname = "unknown";
@@ -81,6 +90,10 @@ function serviceSummary(label: string, svc: BonjourService): string {
   return `${label} fqdn=${fqdn} host=${hostname} port=${port} state=${state}`;
 }
 
+function isAnnouncedState(state: BonjourServiceState | "unknown") {
+  return String(state) === "announced";
+}
+
 export async function startGatewayBonjourAdvertiser(
   opts: GatewayBonjourAdvertiseOpts,
 ): Promise<GatewayBonjourAdvertiser> {
@@ -89,7 +102,6 @@ export async function startGatewayBonjourAdvertiser(
   }
 
   const { getResponder, Protocol } = await import("@homebridge/ciao");
-  const responder = getResponder();
 
   // mDNS service instance names are single DNS labels; dots in hostnames (like
   // `Mac.localdomain`) can confuse some resolvers/browsers and break discovery.
@@ -133,8 +145,6 @@ export async function startGatewayBonjourAdvertiser(
     txtBase.cliPath = opts.cliPath.trim();
   }
 
-  const services: Array<{ label: string; svc: BonjourService }> = [];
-
   // Build TXT record for the gateway service.
   // In minimal mode, omit sshPort to avoid advertising SSH availability.
   const gatewayTxt: Record<string, string> = {
@@ -145,25 +155,105 @@ export async function startGatewayBonjourAdvertiser(
     gatewayTxt.sshPort = String(opts.sshPort ?? 22);
   }
 
-  const gateway = responder.createService({
-    name: safeServiceName(instanceName),
-    type: "openclaw-gw",
-    protocol: Protocol.TCP,
-    port: opts.gatewayPort,
-    domain: "local",
-    hostname,
-    txt: gatewayTxt,
-  });
-  services.push({
-    label: "gateway",
-    svc: gateway as unknown as BonjourService,
-  });
+  function createCycle(): BonjourCycle {
+    const responder = getResponder();
+    const services: Array<{ label: string; svc: BonjourService }> = [];
 
-  let ciaoCancellationRejectionHandler: (() => void) | undefined;
-  if (services.length > 0) {
-    ciaoCancellationRejectionHandler = registerUnhandledRejectionHandler(
-      ignoreCiaoCancellationRejection,
-    );
+    const gateway = responder.createService({
+      name: safeServiceName(instanceName),
+      type: "openclaw-gw",
+      protocol: Protocol.TCP,
+      port: opts.gatewayPort,
+      domain: "local",
+      hostname,
+      txt: gatewayTxt,
+    });
+    services.push({
+      label: "gateway",
+      svc: gateway as unknown as BonjourService,
+    });
+
+    const cleanupUnhandledRejection =
+      services.length > 0
+        ? registerUnhandledRejectionHandler(ignoreCiaoCancellationRejection)
+        : undefined;
+
+    return { responder, services, cleanupUnhandledRejection };
+  }
+
+  async function stopCycle(cycle: BonjourCycle | null) {
+    if (!cycle) {
+      return;
+    }
+    const responder = cycle.responder as unknown as {
+      advertiseService?: (...args: unknown[]) => unknown;
+      announce?: (...args: unknown[]) => unknown;
+      probe?: (...args: unknown[]) => unknown;
+      republishService?: (...args: unknown[]) => unknown;
+    };
+    const noopAsync = async () => {};
+    // ciao schedules its own 2s retry timers after failed probe/announce attempts.
+    // Those callbacks target the original responder instance, so disarm it before
+    // destroy/shutdown to prevent a dead cycle from re-entering advertise/probe.
+    responder.advertiseService = noopAsync;
+    responder.announce = noopAsync;
+    responder.probe = noopAsync;
+    responder.republishService = noopAsync;
+    for (const { svc } of cycle.services) {
+      try {
+        await svc.destroy();
+      } catch {
+        /* ignore */
+      }
+    }
+    try {
+      await cycle.responder.shutdown();
+    } catch {
+      /* ignore */
+    } finally {
+      cycle.cleanupUnhandledRejection?.();
+    }
+  }
+
+  function attachConflictListeners(services: Array<{ label: string; svc: BonjourService }>) {
+    for (const { label, svc } of services) {
+      try {
+        svc.on("name-change", (name: unknown) => {
+          const next = typeof name === "string" ? name : String(name);
+          logWarn(`bonjour: ${label} name conflict resolved; newName=${JSON.stringify(next)}`);
+        });
+        svc.on("hostname-change", (nextHostname: unknown) => {
+          const next = typeof nextHostname === "string" ? nextHostname : String(nextHostname);
+          logWarn(
+            `bonjour: ${label} hostname conflict resolved; newHostname=${JSON.stringify(next)}`,
+          );
+        });
+      } catch (err) {
+        logDebug(`bonjour: failed to attach listeners for ${label}: ${String(err)}`);
+      }
+    }
+  }
+
+  function startAdvertising(services: Array<{ label: string; svc: BonjourService }>) {
+    for (const { label, svc } of services) {
+      try {
+        void svc
+          .advertise()
+          .then(() => {
+            // Keep this out of stdout/stderr (menubar + tests) but capture in the rolling log.
+            getLogger().info(`bonjour: advertised ${serviceSummary(label, svc)}`);
+          })
+          .catch((err) => {
+            logWarn(
+              `bonjour: advertise failed (${serviceSummary(label, svc)}): ${formatBonjourError(err)}`,
+            );
+          });
+      } catch (err) {
+        logWarn(
+          `bonjour: advertise threw (${serviceSummary(label, svc)}): ${formatBonjourError(err)}`,
+        );
+      }
+    }
   }
 
   logDebug(
@@ -172,55 +262,77 @@ export async function startGatewayBonjourAdvertiser(
     )}, gatewayPort=${opts.gatewayPort}${opts.minimal ? ", minimal=true" : `, sshPort=${opts.sshPort ?? 22}`})`,
   );
 
-  for (const { label, svc } of services) {
-    try {
-      svc.on("name-change", (name: unknown) => {
-        const next = typeof name === "string" ? name : String(name);
-        logWarn(`bonjour: ${label} name conflict resolved; newName=${JSON.stringify(next)}`);
-      });
-      svc.on("hostname-change", (nextHostname: unknown) => {
-        const next = typeof nextHostname === "string" ? nextHostname : String(nextHostname);
-        logWarn(
-          `bonjour: ${label} hostname conflict resolved; newHostname=${JSON.stringify(next)}`,
-        );
-      });
-    } catch (err) {
-      logDebug(`bonjour: failed to attach listeners for ${label}: ${String(err)}`);
-    }
-  }
+  let stopped = false;
+  let recreatePromise: Promise<void> | null = null;
+  let cycle = createCycle();
+  const stateTracker = new Map<string, ServiceStateTracker>();
+  attachConflictListeners(cycle.services);
+  startAdvertising(cycle.services);
 
-  // Do not block gateway startup on mDNS probing/announce. Advertising can take
-  // multiple seconds depending on network state; the gateway should come up even
-  // if Bonjour is slow or fails.
-  for (const { label, svc } of services) {
-    try {
-      void svc
-        .advertise()
-        .then(() => {
-          // Keep this out of stdout/stderr (menubar + tests) but capture in the rolling log.
-          getLogger().info(`bonjour: advertised ${serviceSummary(label, svc)}`);
-        })
-        .catch((err) => {
-          logWarn(
-            `bonjour: advertise failed (${serviceSummary(label, svc)}): ${formatBonjourError(err)}`,
-          );
-        });
-    } catch (err) {
-      logWarn(
-        `bonjour: advertise threw (${serviceSummary(label, svc)}): ${formatBonjourError(err)}`,
-      );
+  const updateStateTrackers = (services: Array<{ label: string; svc: BonjourService }>) => {
+    const now = Date.now();
+    for (const { label, svc } of services) {
+      const nextState: BonjourServiceState | "unknown" =
+        typeof svc.serviceState === "string" ? svc.serviceState : "unknown";
+      const current = stateTracker.get(label);
+      const nextEnteredAt =
+        current && !isAnnouncedState(current.state) && !isAnnouncedState(nextState)
+          ? current.sinceMs
+          : now;
+      if (!current || current.state !== nextState || current.sinceMs !== nextEnteredAt) {
+        stateTracker.set(label, { state: nextState, sinceMs: nextEnteredAt });
+      }
     }
-  }
+  };
+
+  const recreateAdvertiser = async (reason: string) => {
+    if (stopped) {
+      return;
+    }
+    if (recreatePromise) {
+      return recreatePromise;
+    }
+    recreatePromise = (async () => {
+      logWarn(`bonjour: restarting advertiser (${reason})`);
+      const previous = cycle;
+      await stopCycle(previous);
+      cycle = createCycle();
+      stateTracker.clear();
+      attachConflictListeners(cycle.services);
+      startAdvertising(cycle.services);
+    })().finally(() => {
+      recreatePromise = null;
+    });
+    return recreatePromise;
+  };
 
   // Watchdog: if we ever end up in an unannounced state (e.g. after sleep/wake or
   // interface churn), try to re-advertise instead of requiring a full gateway restart.
   const lastRepairAttempt = new Map<string, number>();
   const watchdog = setInterval(() => {
-    for (const { label, svc } of services) {
+    if (stopped || recreatePromise) {
+      return;
+    }
+    updateStateTrackers(cycle.services);
+    for (const { label, svc } of cycle.services) {
       const stateUnknown = (svc as { serviceState?: unknown }).serviceState;
       if (typeof stateUnknown !== "string") {
         continue;
       }
+      const tracked = stateTracker.get(label);
+      if (
+        stateUnknown !== "announced" &&
+        tracked &&
+        Date.now() - tracked.sinceMs >= STUCK_ANNOUNCING_MS
+      ) {
+        void recreateAdvertiser(
+          `service stuck in ${stateUnknown} for ${Date.now() - tracked.sinceMs}ms (${serviceSummary(
+            label,
+            svc,
+          )})`,
+        );
+        return;
+      }
       if (stateUnknown === "announced" || stateUnknown === "announcing") {
         continue;
       }
@@ -233,7 +345,7 @@ export async function startGatewayBonjourAdvertiser(
       }
       const now = Date.now();
       const last = lastRepairAttempt.get(key) ?? 0;
-      if (now - last < 30_000) {
+      if (now - last < REPAIR_DEBOUNCE_MS) {
         continue;
       }
       lastRepairAttempt.set(key, now);
@@ -256,26 +368,15 @@ export async function startGatewayBonjourAdvertiser(
         );
       }
     }
-  }, 60_000);
+  }, WATCHDOG_INTERVAL_MS);
   watchdog.unref?.();
 
   return {
     stop: async () => {
+      stopped = true;
       clearInterval(watchdog);
-      for (const { svc } of services) {
-        try {
-          await svc.destroy();
-        } catch {
-          /* ignore */
-        }
-      }
-      try {
-        await responder.shutdown();
-      } catch {
-        /* ignore */
-      } finally {
-        ciaoCancellationRejectionHandler?.();
-      }
+      await recreatePromise;
+      await stopCycle(cycle);
     },
   };
 }
diff --git a/src/infra/channel-summary.ts b/src/infra/channel-summary.ts
index 08fd35d9327..d537b5eb317 100644
--- a/src/infra/channel-summary.ts
+++ b/src/infra/channel-summary.ts
@@ -105,14 +105,18 @@ const buildAccountDetails = (params: {
   return details;
 };
 
-function inspectChannelAccount(plugin: ChannelPlugin, cfg: OpenClawConfig, accountId: string) {
+async function inspectChannelAccount(
+  plugin: ChannelPlugin,
+  cfg: OpenClawConfig,
+  accountId: string,
+) {
   return (
     plugin.config.inspectAccount?.(cfg, accountId) ??
-    inspectReadOnlyChannelAccount({
+    (await inspectReadOnlyChannelAccount({
       channelId: plugin.id,
       cfg,
       accountId,
-    })
+    }))
   );
 }
 
@@ -135,8 +139,8 @@ export async function buildChannelSummary(
     const entries: ChannelAccountEntry[] = [];
 
     for (const accountId of resolvedAccountIds) {
-      const sourceInspectedAccount = inspectChannelAccount(plugin, sourceConfig, accountId);
-      const resolvedInspectedAccount = inspectChannelAccount(plugin, effective, accountId);
+      const sourceInspectedAccount = await inspectChannelAccount(plugin, sourceConfig, accountId);
+      const resolvedInspectedAccount = await inspectChannelAccount(plugin, effective, accountId);
       const resolvedInspection = resolvedInspectedAccount as {
         enabled?: boolean;
         configured?: boolean;
diff --git a/src/infra/exec-approval-forwarder.test.ts b/src/infra/exec-approval-forwarder.test.ts
index d29856c3088..2dfc1c97dbd 100644
--- a/src/infra/exec-approval-forwarder.test.ts
+++ b/src/infra/exec-approval-forwarder.test.ts
@@ -1,8 +1,9 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { telegramOutbound } from "../channels/plugins/outbound/telegram.js";
+import { discordPlugin } from "../../extensions/discord/src/channel.js";
+import { telegramPlugin } from "../../extensions/telegram/src/channel.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { setActivePluginRegistry } from "../plugins/runtime.js";
-import { createOutboundTestPlugin, createTestRegistry } from "../test-utils/channel-plugins.js";
+import { createTestRegistry } from "../test-utils/channel-plugins.js";
 import { createExecApprovalForwarder } from "./exec-approval-forwarder.js";
 
 const baseRequest = {
@@ -25,7 +26,12 @@ const emptyRegistry = createTestRegistry([]);
 const defaultRegistry = createTestRegistry([
   {
     pluginId: "telegram",
-    plugin: createOutboundTestPlugin({ id: "telegram", outbound: telegramOutbound }),
+    plugin: telegramPlugin,
+    source: "test",
+  },
+  {
+    pluginId: "discord",
+    plugin: discordPlugin,
     source: "test",
   },
 ]);
diff --git a/src/infra/exec-approval-forwarder.ts b/src/infra/exec-approval-forwarder.ts
index 5d197d6ae62..93a53d445c7 100644
--- a/src/infra/exec-approval-forwarder.ts
+++ b/src/infra/exec-approval-forwarder.ts
@@ -1,6 +1,5 @@
-import { buildTelegramExecApprovalButtons } from "../../extensions/telegram/src/approval-buttons.js";
-import { sendTypingTelegram } from "../../extensions/telegram/src/send.js";
 import type { ReplyPayload } from "../auto-reply/types.js";
+import { getChannelPlugin } from "../channels/plugins/index.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { loadConfig } from "../config/config.js";
 import type {
@@ -8,7 +7,7 @@ import type {
   ExecApprovalForwardTarget,
 } from "../config/types.approvals.js";
 import { createSubsystemLogger } from "../logging/subsystem.js";
-import { normalizeAccountId, parseAgentSessionKey } from "../routing/session-key.js";
+import { parseAgentSessionKey } from "../routing/session-key.js";
 import { compileConfigRegex } from "../security/config-regex.js";
 import { testRegexWithBoundedInput } from "../security/safe-regex.js";
 import {
@@ -17,7 +16,6 @@ import {
   type DeliverableMessageChannel,
 } from "../utils/message-channel.js";
 import { resolveExecApprovalCommandDisplay } from "./exec-approval-command-display.js";
-import { buildExecApprovalPendingReplyPayload } from "./exec-approval-reply.js";
 import { resolveExecApprovalSessionTarget } from "./exec-approval-session-target.js";
 import type {
   ExecApprovalDecision,
@@ -111,91 +109,23 @@ function buildTargetKey(target: ExecApprovalForwardTarget): string {
   return [channel, target.to, accountId, threadId].join(":");
 }
 
-function resolveChannelAccountConfig<T>(
-  accounts: Record<string, T> | undefined,
-  accountId?: string,
-): T | undefined {
-  if (!accounts || !accountId?.trim()) {
-    return undefined;
-  }
-  const normalized = normalizeAccountId(accountId);
-  const direct = accounts[normalized];
-  if (direct) {
-    return direct;
-  }
-  const fallbackKey = Object.keys(accounts).find(
-    (key) => key.toLowerCase() === normalized.toLowerCase(),
-  );
-  return fallbackKey ? accounts[fallbackKey] : undefined;
-}
-
-// Discord has component-based exec approvals; skip text fallback only when the
-// Discord-specific handler is enabled for the same target account.
-function shouldSkipDiscordForwarding(
-  target: ExecApprovalForwardTarget,
-  cfg: OpenClawConfig,
-): boolean {
-  const channel = normalizeMessageChannel(target.channel) ?? target.channel;
-  if (channel !== "discord") {
-    return false;
-  }
-  const discord = cfg.channels?.discord as
-    | {
-        execApprovals?: { enabled?: boolean; approvers?: Array<string | number> };
-        accounts?: Record<
-          string,
-          { execApprovals?: { enabled?: boolean; approvers?: Array<string | number> } }
-        >;
-      }
-    | undefined;
-  if (!discord) {
-    return false;
-  }
-  const account = resolveChannelAccountConfig(discord.accounts, target.accountId);
-  const execApprovals = account?.execApprovals ?? discord.execApprovals;
-  return Boolean(execApprovals?.enabled && (execApprovals.approvers?.length ?? 0) > 0);
-}
-
-function shouldSkipTelegramForwarding(params: {
+function shouldSkipForwardingFallback(params: {
   target: ExecApprovalForwardTarget;
   cfg: OpenClawConfig;
   request: ExecApprovalRequest;
 }): boolean {
   const channel = normalizeMessageChannel(params.target.channel) ?? params.target.channel;
-  if (channel !== "telegram") {
+  if (!channel) {
     return false;
   }
-  const requestChannel = normalizeMessageChannel(params.request.request.turnSourceChannel ?? "");
-  if (requestChannel !== "telegram") {
-    return false;
-  }
-  const telegram = params.cfg.channels?.telegram;
-  if (!telegram) {
-    return false;
-  }
-  const telegramConfig = telegram as
-    | {
-        execApprovals?: { enabled?: boolean; approvers?: Array<string | number> };
-        accounts?: Record<
-          string,
-          { execApprovals?: { enabled?: boolean; approvers?: Array<string | number> } }
-        >;
-      }
-    | undefined;
-  if (!telegramConfig) {
-    return false;
-  }
-  const accountId =
-    params.target.accountId?.trim() || params.request.request.turnSourceAccountId?.trim();
-  const account = accountId
-    ? (resolveChannelAccountConfig<{
-        execApprovals?: { enabled?: boolean; approvers?: Array<string | number> };
-      }>(telegramConfig.accounts, accountId) as
-        | { execApprovals?: { enabled?: boolean; approvers?: Array<string | number> } }
-        | undefined)
-    : undefined;
-  const execApprovals = account?.execApprovals ?? telegramConfig.execApprovals;
-  return Boolean(execApprovals?.enabled && (execApprovals.approvers?.length ?? 0) > 0);
+  const adapter = getChannelPlugin(channel)?.execApprovals;
+  return (
+    adapter?.shouldSuppressForwardingFallback?.({
+      cfg: params.cfg,
+      target: params.target,
+      request: params.request,
+    }) ?? false
+  );
 }
 
 function formatApprovalCommand(command: string): { inline: boolean; text: string } {
@@ -309,6 +239,7 @@ async function deliverToTargets(params: {
   targets: ForwardTarget[];
   buildPayload: (target: ForwardTarget) => ReplyPayload;
   deliver: typeof deliverOutboundPayloads;
+  beforeDeliver?: (target: ForwardTarget, payload: ReplyPayload) => Promise<void> | void;
   shouldSend?: () => boolean;
 }) {
   const deliveries = params.targets.map(async (target) => {
@@ -321,25 +252,7 @@ async function deliverToTargets(params: {
     }
     try {
       const payload = params.buildPayload(target);
-      if (
-        channel === "telegram" &&
-        payload.channelData &&
-        typeof payload.channelData === "object" &&
-        !Array.isArray(payload.channelData) &&
-        payload.channelData.execApproval
-      ) {
-        const threadId =
-          typeof target.threadId === "number"
-            ? target.threadId
-            : typeof target.threadId === "string"
-              ? Number.parseInt(target.threadId, 10)
-              : undefined;
-        await sendTypingTelegram(target.to, {
-          cfg: params.cfg,
-          accountId: target.accountId,
-          ...(Number.isFinite(threadId) ? { messageThreadId: threadId } : {}),
-        }).catch(() => {});
-      }
+      await params.beforeDeliver?.(target, payload);
       await params.deliver({
         cfg: params.cfg,
         channel,
@@ -356,41 +269,45 @@ async function deliverToTargets(params: {
 }
 
 function buildRequestPayloadForTarget(
-  _cfg: OpenClawConfig,
+  cfg: OpenClawConfig,
   request: ExecApprovalRequest,
   nowMsValue: number,
   target: ForwardTarget,
 ): ReplyPayload {
   const channel = normalizeMessageChannel(target.channel) ?? target.channel;
-  if (channel === "telegram") {
-    const payload = buildExecApprovalPendingReplyPayload({
-      approvalId: request.id,
-      approvalSlug: request.id.slice(0, 8),
-      approvalCommandId: request.id,
-      command: resolveExecApprovalCommandDisplay(request.request).commandText,
-      cwd: request.request.cwd ?? undefined,
-      host: request.request.host === "node" ? "node" : "gateway",
-      nodeId: request.request.nodeId ?? undefined,
-      expiresAtMs: request.expiresAtMs,
-      nowMs: nowMsValue,
-    });
-    const buttons = buildTelegramExecApprovalButtons(request.id);
-    if (!buttons) {
-      return payload;
-    }
-    return {
-      ...payload,
-      channelData: {
-        ...payload.channelData,
-        telegram: {
-          buttons,
-        },
-      },
-    };
+  const pluginPayload = channel
+    ? getChannelPlugin(channel)?.execApprovals?.buildPendingPayload?.({
+        cfg,
+        request,
+        target,
+        nowMs: nowMsValue,
+      })
+    : null;
+  if (pluginPayload) {
+    return pluginPayload;
   }
   return { text: buildRequestMessage(request, nowMsValue) };
 }
 
+function buildResolvedPayloadForTarget(
+  cfg: OpenClawConfig,
+  resolved: ExecApprovalResolved,
+  target: ForwardTarget,
+): ReplyPayload {
+  const channel = normalizeMessageChannel(target.channel) ?? target.channel;
+  const pluginPayload = channel
+    ? getChannelPlugin(channel)?.execApprovals?.buildResolvedPayload?.({
+        cfg,
+        resolved,
+        target,
+      })
+    : null;
+  if (pluginPayload) {
+    return pluginPayload;
+  }
+  return { text: buildResolvedMessage(resolved) };
+}
+
 function resolveForwardTargets(params: {
   cfg: OpenClawConfig;
   config?: ExecApprovalForwardingConfig;
@@ -454,11 +371,7 @@ export function createExecApprovalForwarder(
             resolveSessionTarget,
           })
         : []),
-    ].filter(
-      (target) =>
-        !shouldSkipDiscordForwarding(target, cfg) &&
-        !shouldSkipTelegramForwarding({ target, cfg, request }),
-    );
+    ].filter((target) => !shouldSkipForwardingFallback({ target, cfg, request }));
 
     if (filteredTargets.length === 0) {
       return false;
@@ -493,6 +406,17 @@ export function createExecApprovalForwarder(
       cfg,
       targets: filteredTargets,
       buildPayload: (target) => buildRequestPayloadForTarget(cfg, request, nowMs(), target),
+      beforeDeliver: async (target, payload) => {
+        const channel = normalizeMessageChannel(target.channel) ?? target.channel;
+        if (!channel) {
+          return;
+        }
+        await getChannelPlugin(channel)?.execApprovals?.beforeDeliverPending?.({
+          cfg,
+          target,
+          payload,
+        });
+      },
       deliver,
       shouldSend: () => pending.get(request.id) === pendingEntry,
     }).catch((err) => {
@@ -529,17 +453,17 @@ export function createExecApprovalForwarder(
               resolveSessionTarget,
             })
           : []),
-      ].filter(
-        (target) =>
-          !shouldSkipDiscordForwarding(target, cfg) &&
-          !shouldSkipTelegramForwarding({ target, cfg, request }),
-      );
+      ].filter((target) => !shouldSkipForwardingFallback({ target, cfg, request }));
     }
     if (!targets || targets.length === 0) {
       return;
     }
-    const text = buildResolvedMessage(resolved);
-    await deliverToTargets({ cfg, targets, buildPayload: () => ({ text }), deliver });
+    await deliverToTargets({
+      cfg,
+      targets,
+      buildPayload: (target) => buildResolvedPayloadForTarget(cfg, resolved, target),
+      deliver,
+    });
   };
 
   const stop = () => {
diff --git a/src/infra/exec-approval-surface.test.ts b/src/infra/exec-approval-surface.test.ts
index 17f6789967c..c4b959c5042 100644
--- a/src/infra/exec-approval-surface.test.ts
+++ b/src/infra/exec-approval-surface.test.ts
@@ -1,32 +1,41 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 
 const loadConfigMock = vi.hoisted(() => vi.fn());
-const listEnabledDiscordAccountsMock = vi.hoisted(() => vi.fn());
-const isDiscordExecApprovalClientEnabledMock = vi.hoisted(() => vi.fn());
-const listEnabledTelegramAccountsMock = vi.hoisted(() => vi.fn());
-const isTelegramExecApprovalClientEnabledMock = vi.hoisted(() => vi.fn());
+const getChannelPluginMock = vi.hoisted(() => vi.fn());
+const listChannelPluginsMock = vi.hoisted(() => vi.fn());
 const normalizeMessageChannelMock = vi.hoisted(() => vi.fn());
 
 vi.mock("../config/config.js", () => ({
   loadConfig: (...args: unknown[]) => loadConfigMock(...args),
 }));
 
-vi.mock("../../extensions/discord/src/accounts.js", () => ({
-  listEnabledDiscordAccounts: (...args: unknown[]) => listEnabledDiscordAccountsMock(...args),
+vi.mock("../channels/plugins/index.js", () => ({
+  getChannelPlugin: (...args: unknown[]) => getChannelPluginMock(...args),
+  listChannelPlugins: (...args: unknown[]) => listChannelPluginsMock(...args),
 }));
 
-vi.mock("../../extensions/discord/src/exec-approvals.js", () => ({
-  isDiscordExecApprovalClientEnabled: (...args: unknown[]) =>
-    isDiscordExecApprovalClientEnabledMock(...args),
+vi.mock("../../extensions/discord/src/channel.js", () => ({
+  discordPlugin: {},
 }));
 
-vi.mock("../../extensions/telegram/src/accounts.js", () => ({
-  listEnabledTelegramAccounts: (...args: unknown[]) => listEnabledTelegramAccountsMock(...args),
+vi.mock("../../extensions/telegram/src/channel.js", () => ({
+  telegramPlugin: {},
 }));
 
-vi.mock("../../extensions/telegram/src/exec-approvals.js", () => ({
-  isTelegramExecApprovalClientEnabled: (...args: unknown[]) =>
-    isTelegramExecApprovalClientEnabledMock(...args),
+vi.mock("../../extensions/slack/src/channel.js", () => ({
+  slackPlugin: {},
+}));
+
+vi.mock("../../extensions/whatsapp/src/channel.js", () => ({
+  whatsappPlugin: {},
+}));
+
+vi.mock("../../extensions/signal/src/channel.js", () => ({
+  signalPlugin: {},
+}));
+
+vi.mock("../../extensions/imessage/src/channel.js", () => ({
+  imessagePlugin: {},
 }));
 
 vi.mock("../utils/message-channel.js", () => ({
@@ -42,10 +51,8 @@ import {
 describe("resolveExecApprovalInitiatingSurfaceState", () => {
   beforeEach(() => {
     loadConfigMock.mockReset();
-    listEnabledDiscordAccountsMock.mockReset();
-    isDiscordExecApprovalClientEnabledMock.mockReset();
-    listEnabledTelegramAccountsMock.mockReset();
-    isTelegramExecApprovalClientEnabledMock.mockReset();
+    getChannelPluginMock.mockReset();
+    listChannelPluginsMock.mockReset();
     normalizeMessageChannelMock.mockReset();
     normalizeMessageChannelMock.mockImplementation((value?: string | null) =>
       typeof value === "string" ? value.trim().toLowerCase() : undefined,
@@ -71,8 +78,21 @@ describe("resolveExecApprovalInitiatingSurfaceState", () => {
   });
 
   it("uses the provided cfg for telegram and discord client enablement", () => {
-    isTelegramExecApprovalClientEnabledMock.mockReturnValueOnce(true);
-    isDiscordExecApprovalClientEnabledMock.mockReturnValueOnce(false);
+    getChannelPluginMock.mockImplementation((channel: string) =>
+      channel === "telegram"
+        ? {
+            execApprovals: {
+              getInitiatingSurfaceState: () => ({ kind: "enabled" }),
+            },
+          }
+        : channel === "discord"
+          ? {
+              execApprovals: {
+                getInitiatingSurfaceState: () => ({ kind: "disabled" }),
+              },
+            }
+          : undefined,
+    );
     const cfg = { channels: {} };
 
     expect(
@@ -103,7 +123,15 @@ describe("resolveExecApprovalInitiatingSurfaceState", () => {
 
   it("loads config lazily when cfg is omitted and marks unsupported channels", () => {
     loadConfigMock.mockReturnValueOnce({ loaded: true });
-    isTelegramExecApprovalClientEnabledMock.mockReturnValueOnce(false);
+    getChannelPluginMock.mockImplementation((channel: string) =>
+      channel === "telegram"
+        ? {
+            execApprovals: {
+              getInitiatingSurfaceState: () => ({ kind: "disabled" }),
+            },
+          }
+        : undefined,
+    );
 
     expect(
       resolveExecApprovalInitiatingSurfaceState({
@@ -127,30 +155,19 @@ describe("resolveExecApprovalInitiatingSurfaceState", () => {
 
 describe("hasConfiguredExecApprovalDmRoute", () => {
   beforeEach(() => {
-    listEnabledDiscordAccountsMock.mockReset();
-    listEnabledTelegramAccountsMock.mockReset();
+    listChannelPluginsMock.mockReset();
   });
 
   it("returns true when any enabled account routes approvals to DM or both", () => {
-    listEnabledDiscordAccountsMock.mockReturnValueOnce([
+    listChannelPluginsMock.mockReturnValueOnce([
       {
-        config: {
-          execApprovals: {
-            enabled: true,
-            approvers: ["a"],
-            target: "channel",
-          },
+        execApprovals: {
+          hasConfiguredDmRoute: () => false,
         },
       },
-    ]);
-    listEnabledTelegramAccountsMock.mockReturnValueOnce([
       {
-        config: {
-          execApprovals: {
-            enabled: true,
-            approvers: ["a"],
-            target: "both",
-          },
+        execApprovals: {
+          hasConfiguredDmRoute: () => true,
         },
       },
     ]);
@@ -158,37 +175,21 @@ describe("hasConfiguredExecApprovalDmRoute", () => {
     expect(hasConfiguredExecApprovalDmRoute({} as never)).toBe(true);
   });
 
-  it("returns false when exec approvals are disabled or have no DM route", () => {
-    listEnabledDiscordAccountsMock.mockReturnValueOnce([
+  it("returns false when no plugin reports a DM route", () => {
+    listChannelPluginsMock.mockReturnValueOnce([
       {
-        config: {
-          execApprovals: {
-            enabled: false,
-            approvers: ["a"],
-            target: "dm",
-          },
-        },
-      },
-    ]);
-    listEnabledTelegramAccountsMock.mockReturnValueOnce([
-      {
-        config: {
-          execApprovals: {
-            enabled: true,
-            approvers: [],
-            target: "dm",
-          },
+        execApprovals: {
+          hasConfiguredDmRoute: () => false,
         },
       },
       {
-        config: {
-          execApprovals: {
-            enabled: true,
-            approvers: ["a"],
-            target: "channel",
-          },
+        execApprovals: {
+          hasConfiguredDmRoute: () => false,
         },
       },
+      {
+        execApprovals: undefined,
+      },
     ]);
 
     expect(hasConfiguredExecApprovalDmRoute({} as never)).toBe(false);
diff --git a/src/infra/exec-approval-surface.ts b/src/infra/exec-approval-surface.ts
index 8cf43c79a3e..2147baffe02 100644
--- a/src/infra/exec-approval-surface.ts
+++ b/src/infra/exec-approval-surface.ts
@@ -1,7 +1,4 @@
-import { listEnabledDiscordAccounts } from "../../extensions/discord/src/accounts.js";
-import { isDiscordExecApprovalClientEnabled } from "../../extensions/discord/src/exec-approvals.js";
-import { listEnabledTelegramAccounts } from "../../extensions/telegram/src/accounts.js";
-import { isTelegramExecApprovalClientEnabled } from "../../extensions/telegram/src/exec-approvals.js";
+import { getChannelPlugin, listChannelPlugins } from "../channels/plugins/index.js";
 import { loadConfig, type OpenClawConfig } from "../config/config.js";
 import { INTERNAL_MESSAGE_CHANNEL, normalizeMessageChannel } from "../utils/message-channel.js";
 
@@ -37,46 +34,18 @@ export function resolveExecApprovalInitiatingSurfaceState(params: {
   }
 
   const cfg = params.cfg ?? loadConfig();
-  if (channel === "telegram") {
-    return isTelegramExecApprovalClientEnabled({ cfg, accountId: params.accountId })
-      ? { kind: "enabled", channel, channelLabel }
-      : { kind: "disabled", channel, channelLabel };
-  }
-  if (channel === "discord") {
-    return isDiscordExecApprovalClientEnabled({ cfg, accountId: params.accountId })
-      ? { kind: "enabled", channel, channelLabel }
-      : { kind: "disabled", channel, channelLabel };
+  const state = getChannelPlugin(channel)?.execApprovals?.getInitiatingSurfaceState?.({
+    cfg,
+    accountId: params.accountId,
+  });
+  if (state) {
+    return { ...state, channel, channelLabel };
   }
   return { kind: "unsupported", channel, channelLabel };
 }
 
-function hasExecApprovalDmRoute(
-  accounts: Array<{
-    config: {
-      execApprovals?: {
-        enabled?: boolean;
-        approvers?: unknown[];
-        target?: string;
-      };
-    };
-  }>,
-): boolean {
-  for (const account of accounts) {
-    const execApprovals = account.config.execApprovals;
-    if (!execApprovals?.enabled || (execApprovals.approvers?.length ?? 0) === 0) {
-      continue;
-    }
-    const target = execApprovals.target ?? "dm";
-    if (target === "dm" || target === "both") {
-      return true;
-    }
-  }
-  return false;
-}
-
 export function hasConfiguredExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
-  return (
-    hasExecApprovalDmRoute(listEnabledDiscordAccounts(cfg)) ||
-    hasExecApprovalDmRoute(listEnabledTelegramAccounts(cfg))
+  return listChannelPlugins().some(
+    (plugin) => plugin.execApprovals?.hasConfiguredDmRoute?.({ cfg }) ?? false,
   );
 }
diff --git a/src/infra/fetch.test.ts b/src/infra/fetch.test.ts
index deef81f551f..820325c0e70 100644
--- a/src/infra/fetch.test.ts
+++ b/src/infra/fetch.test.ts
@@ -293,7 +293,7 @@ describe("wrapFetchWithAbortSignal", () => {
   });
 
   it("exposes a no-op preconnect when the source fetch has none", () => {
-    const fetchImpl = vi.fn(async () => ({ ok: true }) as Response) as typeof fetch;
+    const fetchImpl = withFetchPreconnect(vi.fn(async () => ({ ok: true }) as Response));
     const wrapped = wrapFetchWithAbortSignal(fetchImpl) as typeof fetch & {
       preconnect: (url: string, init?: { credentials?: RequestCredentials }) => unknown;
     };
diff --git a/src/infra/gateway-process-argv.test.ts b/src/infra/gateway-process-argv.test.ts
index 81e6da2210a..8f072a80ca6 100644
--- a/src/infra/gateway-process-argv.test.ts
+++ b/src/infra/gateway-process-argv.test.ts
@@ -26,6 +26,7 @@ describe("isGatewayArgv", () => {
     expect(isGatewayArgv(["NODE", "C:\\OpenClaw\\DIST\\ENTRY.JS", "gateway"])).toBe(true);
     expect(isGatewayArgv(["bun", "/srv/openclaw/scripts/run-node.mjs", "gateway"])).toBe(true);
     expect(isGatewayArgv(["node", "/srv/openclaw/openclaw.mjs", "gateway"])).toBe(true);
+    expect(isGatewayArgv(["tsx", "/srv/openclaw/src/entry.ts", "gateway"])).toBe(true);
     expect(isGatewayArgv(["tsx", "/srv/openclaw/src/index.ts", "gateway"])).toBe(true);
   });
 
diff --git a/src/infra/gateway-process-argv.ts b/src/infra/gateway-process-argv.ts
index 59f042ead88..47eab54fce2 100644
--- a/src/infra/gateway-process-argv.ts
+++ b/src/infra/gateway-process-argv.ts
@@ -20,6 +20,7 @@ export function isGatewayArgv(args: string[], opts?: { allowGatewayBinary?: bool
     "dist/entry.js",
     "openclaw.mjs",
     "scripts/run-node.mjs",
+    "src/entry.ts",
     "src/index.ts",
   ];
   if (normalized.some((arg) => entryCandidates.some((entry) => arg.endsWith(entry)))) {
diff --git a/src/infra/gaxios-fetch-compat.test.ts b/src/infra/gaxios-fetch-compat.test.ts
new file mode 100644
index 00000000000..4d7559f3eee
--- /dev/null
+++ b/src/infra/gaxios-fetch-compat.test.ts
@@ -0,0 +1,60 @@
+import { HttpsProxyAgent } from "https-proxy-agent";
+import { ProxyAgent } from "undici";
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+describe("gaxios fetch compat", () => {
+  afterEach(() => {
+    vi.resetModules();
+    vi.restoreAllMocks();
+    vi.unstubAllGlobals();
+  });
+
+  it("uses native fetch without defining window or importing node-fetch", async () => {
+    const fetchMock = vi.fn<typeof fetch>(async () => {
+      return new Response("ok", {
+        headers: { "content-type": "text/plain" },
+        status: 200,
+      });
+    });
+
+    vi.stubGlobal("fetch", fetchMock);
+    vi.doMock("node-fetch", () => {
+      throw new Error("node-fetch should not load");
+    });
+
+    const { installGaxiosFetchCompat } = await import("./gaxios-fetch-compat.js");
+    const { Gaxios } = await import("gaxios");
+
+    installGaxiosFetchCompat();
+
+    const res = await new Gaxios().request({
+      responseType: "text",
+      url: "https://example.com",
+    });
+
+    expect(res.data).toBe("ok");
+    expect(fetchMock).toHaveBeenCalledOnce();
+    expect("window" in globalThis).toBe(false);
+  });
+
+  it("translates proxy agents into undici dispatchers for native fetch", async () => {
+    const fetchMock = vi.fn<typeof fetch>(async () => {
+      return new Response("ok", {
+        headers: { "content-type": "text/plain" },
+        status: 200,
+      });
+    });
+    const { createGaxiosCompatFetch } = await import("./gaxios-fetch-compat.js");
+
+    const compatFetch = createGaxiosCompatFetch(fetchMock);
+    await compatFetch("https://example.com", {
+      agent: new HttpsProxyAgent("http://proxy.example:8080"),
+    } as RequestInit);
+
+    expect(fetchMock).toHaveBeenCalledOnce();
+    const [, init] = fetchMock.mock.calls[0] ?? [];
+
+    expect(init).not.toHaveProperty("agent");
+    expect((init as { dispatcher?: unknown })?.dispatcher).toBeInstanceOf(ProxyAgent);
+  });
+});
diff --git a/src/infra/gaxios-fetch-compat.ts b/src/infra/gaxios-fetch-compat.ts
new file mode 100644
index 00000000000..e4d3688d7e5
--- /dev/null
+++ b/src/infra/gaxios-fetch-compat.ts
@@ -0,0 +1,212 @@
+import type { ConnectionOptions } from "node:tls";
+import { Gaxios } from "gaxios";
+import type { Dispatcher } from "undici";
+import { Agent as UndiciAgent, ProxyAgent } from "undici";
+
+type ProxyRule = RegExp | URL | string;
+type TlsCert = ConnectionOptions["cert"];
+type TlsKey = ConnectionOptions["key"];
+
+type GaxiosFetchRequestInit = RequestInit & {
+  agent?: unknown;
+  cert?: TlsCert;
+  dispatcher?: Dispatcher;
+  fetchImplementation?: typeof fetch;
+  key?: TlsKey;
+  noProxy?: ProxyRule[];
+  proxy?: string | URL;
+};
+
+type ProxyAgentLike = {
+  connectOpts?: { cert?: TlsCert; key?: TlsKey };
+  proxy: URL;
+};
+
+type TlsAgentLike = {
+  options?: { cert?: TlsCert; key?: TlsKey };
+};
+
+type GaxiosPrototype = {
+  _defaultAdapter: (this: Gaxios, config: GaxiosFetchRequestInit) => Promise<unknown>;
+};
+
+let installState: "not-installed" | "installed" = "not-installed";
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null;
+}
+
+function hasDispatcher(value: unknown): value is Dispatcher {
+  return isRecord(value) && typeof value.dispatch === "function";
+}
+
+function hasProxyAgentShape(value: unknown): value is ProxyAgentLike {
+  return isRecord(value) && value.proxy instanceof URL;
+}
+
+function hasTlsAgentShape(value: unknown): value is TlsAgentLike {
+  return isRecord(value) && isRecord(value.options);
+}
+
+function resolveTlsOptions(
+  init: GaxiosFetchRequestInit,
+  url: URL,
+): { cert?: TlsCert; key?: TlsKey } {
+  const explicit = {
+    cert: init.cert,
+    key: init.key,
+  };
+  if (explicit.cert !== undefined || explicit.key !== undefined) {
+    return explicit;
+  }
+
+  const agent = typeof init.agent === "function" ? init.agent(url) : init.agent;
+  if (hasProxyAgentShape(agent)) {
+    return {
+      cert: agent.connectOpts?.cert,
+      key: agent.connectOpts?.key,
+    };
+  }
+  if (hasTlsAgentShape(agent)) {
+    return {
+      cert: agent.options?.cert,
+      key: agent.options?.key,
+    };
+  }
+  return {};
+}
+
+function urlMayUseProxy(url: URL, noProxy: ProxyRule[] = []): boolean {
+  const rules = [...noProxy];
+  const envRules = (process.env.NO_PROXY ?? process.env.no_proxy)?.split(",") ?? [];
+  for (const rule of envRules) {
+    const trimmed = rule.trim();
+    if (trimmed.length > 0) {
+      rules.push(trimmed);
+    }
+  }
+
+  for (const rule of rules) {
+    if (rule instanceof RegExp) {
+      if (rule.test(url.toString())) {
+        return false;
+      }
+      continue;
+    }
+    if (rule instanceof URL) {
+      if (rule.origin === url.origin) {
+        return false;
+      }
+      continue;
+    }
+    if (rule.startsWith("*.") || rule.startsWith(".")) {
+      const cleanedRule = rule.replace(/^\*\./, ".");
+      if (url.hostname.endsWith(cleanedRule)) {
+        return false;
+      }
+      continue;
+    }
+    if (rule === url.origin || rule === url.hostname || rule === url.href) {
+      return false;
+    }
+  }
+
+  return true;
+}
+
+function resolveProxyUri(init: GaxiosFetchRequestInit, url: URL): string | undefined {
+  if (init.proxy) {
+    const proxyUri = String(init.proxy);
+    return urlMayUseProxy(url, init.noProxy) ? proxyUri : undefined;
+  }
+
+  const envProxy =
+    process.env.HTTPS_PROXY ??
+    process.env.https_proxy ??
+    process.env.HTTP_PROXY ??
+    process.env.http_proxy;
+  if (!envProxy) {
+    return undefined;
+  }
+
+  return urlMayUseProxy(url, init.noProxy) ? envProxy : undefined;
+}
+
+function buildDispatcher(init: GaxiosFetchRequestInit, url: URL): Dispatcher | undefined {
+  if (init.dispatcher) {
+    return init.dispatcher;
+  }
+
+  const agent = typeof init.agent === "function" ? init.agent(url) : init.agent;
+  if (hasDispatcher(agent)) {
+    return agent;
+  }
+
+  const { cert, key } = resolveTlsOptions(init, url);
+  const proxyUri =
+    resolveProxyUri(init, url) ?? (hasProxyAgentShape(agent) ? String(agent.proxy) : undefined);
+  if (proxyUri) {
+    return new ProxyAgent({
+      requestTls: cert !== undefined || key !== undefined ? { cert, key } : undefined,
+      uri: proxyUri,
+    });
+  }
+
+  if (cert !== undefined || key !== undefined) {
+    return new UndiciAgent({
+      connect: { cert, key },
+    });
+  }
+
+  return undefined;
+}
+
+export function createGaxiosCompatFetch(baseFetch: typeof fetch = globalThis.fetch): typeof fetch {
+  return async (input: RequestInfo | URL, init?: RequestInit): Promise<Response> => {
+    const gaxiosInit = (init ?? {}) as GaxiosFetchRequestInit;
+    const requestUrl =
+      input instanceof Request
+        ? new URL(input.url)
+        : new URL(typeof input === "string" ? input : input.toString());
+    const dispatcher = buildDispatcher(gaxiosInit, requestUrl);
+
+    const nextInit: RequestInit = { ...gaxiosInit };
+    delete (nextInit as GaxiosFetchRequestInit).agent;
+    delete (nextInit as GaxiosFetchRequestInit).cert;
+    delete (nextInit as GaxiosFetchRequestInit).fetchImplementation;
+    delete (nextInit as GaxiosFetchRequestInit).key;
+    delete (nextInit as GaxiosFetchRequestInit).noProxy;
+    delete (nextInit as GaxiosFetchRequestInit).proxy;
+
+    if (dispatcher) {
+      (nextInit as RequestInit & { dispatcher: Dispatcher }).dispatcher = dispatcher;
+    }
+
+    return baseFetch(input, nextInit);
+  };
+}
+
+export function installGaxiosFetchCompat(): void {
+  if (installState === "installed" || typeof globalThis.fetch !== "function") {
+    return;
+  }
+
+  const prototype = Gaxios.prototype as unknown as GaxiosPrototype;
+  const originalDefaultAdapter = prototype._defaultAdapter;
+  const compatFetch = createGaxiosCompatFetch();
+
+  prototype._defaultAdapter = function patchedDefaultAdapter(
+    this: Gaxios,
+    config: GaxiosFetchRequestInit,
+  ): Promise<unknown> {
+    if (config.fetchImplementation) {
+      return originalDefaultAdapter.call(this, config);
+    }
+    return originalDefaultAdapter.call(this, {
+      ...config,
+      fetchImplementation: compatFetch,
+    });
+  };
+
+  installState = "installed";
+}
diff --git a/src/infra/heartbeat-runner.returns-default-unset.test.ts b/src/infra/heartbeat-runner.returns-default-unset.test.ts
index dc28784870a..8bca1ca1de7 100644
--- a/src/infra/heartbeat-runner.returns-default-unset.test.ts
+++ b/src/infra/heartbeat-runner.returns-default-unset.test.ts
@@ -2,9 +2,10 @@ import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
 import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { parseTelegramTarget } from "../../extensions/telegram/src/targets.js";
+import { whatsappOutbound } from "../../test/channel-outbounds.js";
 import { HEARTBEAT_PROMPT } from "../auto-reply/heartbeat.js";
 import * as replyModule from "../auto-reply/reply.js";
-import { whatsappOutbound } from "../channels/plugins/outbound/whatsapp.js";
 import type { OpenClawConfig } from "../config/config.js";
 import {
   resolveAgentIdFromSessionKey,
@@ -80,6 +81,20 @@ beforeAll(async () => {
         return { channel: "telegram", messageId: res.messageId, chatId: res.chatId };
       },
     },
+    messaging: {
+      parseExplicitTarget: ({ raw }) => {
+        const target = parseTelegramTarget(raw);
+        return {
+          to: target.chatId,
+          threadId: target.messageThreadId,
+          chatType: target.chatType === "unknown" ? undefined : target.chatType,
+        };
+      },
+      inferTargetChatType: ({ to }) => {
+        const target = parseTelegramTarget(to);
+        return target.chatType === "unknown" ? undefined : target.chatType;
+      },
+    },
   });
   telegramPlugin.config = {
     ...telegramPlugin.config,
diff --git a/src/infra/heartbeat-runner.ts b/src/infra/heartbeat-runner.ts
index 1f6ae8767e9..34b3a7b5f86 100644
--- a/src/infra/heartbeat-runner.ts
+++ b/src/infra/heartbeat-runner.ts
@@ -11,7 +11,6 @@ import { DEFAULT_HEARTBEAT_FILENAME } from "../agents/workspace.js";
 import { resolveHeartbeatReplyPayload } from "../auto-reply/heartbeat-reply-payload.js";
 import {
   DEFAULT_HEARTBEAT_ACK_MAX_CHARS,
-  DEFAULT_HEARTBEAT_EVERY,
   isHeartbeatContentEffectivelyEmpty,
   resolveHeartbeatPrompt as resolveHeartbeatPromptText,
   stripHeartbeatToken,
@@ -21,7 +20,6 @@ import { HEARTBEAT_TOKEN } from "../auto-reply/tokens.js";
 import type { ReplyPayload } from "../auto-reply/types.js";
 import { getChannelPlugin } from "../channels/plugins/index.js";
 import type { ChannelHeartbeatDeps } from "../channels/plugins/types.js";
-import { parseDurationMs } from "../cli/parse-duration.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { loadConfig } from "../config/config.js";
 import {
@@ -56,6 +54,12 @@ import {
 } from "./heartbeat-events-filter.js";
 import { emitHeartbeatEvent, resolveIndicatorType } from "./heartbeat-events.js";
 import { resolveHeartbeatReasonKind } from "./heartbeat-reason.js";
+import {
+  isHeartbeatEnabledForAgent,
+  resolveHeartbeatIntervalMs,
+  resolveHeartbeatSummaryForAgent,
+  type HeartbeatSummary,
+} from "./heartbeat-summary.js";
 import { resolveHeartbeatVisibility } from "./heartbeat-visibility.js";
 import {
   areHeartbeatsEnabled,
@@ -84,6 +88,12 @@ export type HeartbeatDeps = OutboundSendDeps &
 const log = createSubsystemLogger("gateway/heartbeat");
 
 export { areHeartbeatsEnabled, setHeartbeatsEnabled };
+export {
+  isHeartbeatEnabledForAgent,
+  resolveHeartbeatIntervalMs,
+  resolveHeartbeatSummaryForAgent,
+  type HeartbeatSummary,
+} from "./heartbeat-summary.js";
 
 type HeartbeatConfig = AgentDefaultsConfig["heartbeat"];
 type HeartbeatAgent = {
@@ -91,17 +101,6 @@ type HeartbeatAgent = {
   heartbeat?: HeartbeatConfig;
 };
 
-export type HeartbeatSummary = {
-  enabled: boolean;
-  every: string;
-  everyMs: number | null;
-  prompt: string;
-  target: string;
-  model?: string;
-  ackMaxChars: number;
-};
-
-const DEFAULT_HEARTBEAT_TARGET = "none";
 export { isCronSystemEvent };
 
 type HeartbeatAgentState = {
@@ -122,18 +121,6 @@ function hasExplicitHeartbeatAgents(cfg: OpenClawConfig) {
   return list.some((entry) => Boolean(entry?.heartbeat));
 }
 
-export function isHeartbeatEnabledForAgent(cfg: OpenClawConfig, agentId?: string): boolean {
-  const resolvedAgentId = normalizeAgentId(agentId ?? resolveDefaultAgentId(cfg));
-  const list = cfg.agents?.list ?? [];
-  const hasExplicit = hasExplicitHeartbeatAgents(cfg);
-  if (hasExplicit) {
-    return list.some(
-      (entry) => Boolean(entry?.heartbeat) && normalizeAgentId(entry?.id) === resolvedAgentId,
-    );
-  }
-  return resolvedAgentId === resolveDefaultAgentId(cfg);
-}
-
 function resolveHeartbeatConfig(
   cfg: OpenClawConfig,
   agentId?: string,
@@ -149,54 +136,6 @@ function resolveHeartbeatConfig(
   return { ...defaults, ...overrides };
 }
 
-export function resolveHeartbeatSummaryForAgent(
-  cfg: OpenClawConfig,
-  agentId?: string,
-): HeartbeatSummary {
-  const defaults = cfg.agents?.defaults?.heartbeat;
-  const overrides = agentId ? resolveAgentConfig(cfg, agentId)?.heartbeat : undefined;
-  const enabled = isHeartbeatEnabledForAgent(cfg, agentId);
-
-  if (!enabled) {
-    return {
-      enabled: false,
-      every: "disabled",
-      everyMs: null,
-      prompt: resolveHeartbeatPromptText(defaults?.prompt),
-      target: defaults?.target ?? DEFAULT_HEARTBEAT_TARGET,
-      model: defaults?.model,
-      ackMaxChars: Math.max(0, defaults?.ackMaxChars ?? DEFAULT_HEARTBEAT_ACK_MAX_CHARS),
-    };
-  }
-
-  const merged = defaults || overrides ? { ...defaults, ...overrides } : undefined;
-  const every = merged?.every ?? defaults?.every ?? overrides?.every ?? DEFAULT_HEARTBEAT_EVERY;
-  const everyMs = resolveHeartbeatIntervalMs(cfg, undefined, merged);
-  const prompt = resolveHeartbeatPromptText(
-    merged?.prompt ?? defaults?.prompt ?? overrides?.prompt,
-  );
-  const target =
-    merged?.target ?? defaults?.target ?? overrides?.target ?? DEFAULT_HEARTBEAT_TARGET;
-  const model = merged?.model ?? defaults?.model ?? overrides?.model;
-  const ackMaxChars = Math.max(
-    0,
-    merged?.ackMaxChars ??
-      defaults?.ackMaxChars ??
-      overrides?.ackMaxChars ??
-      DEFAULT_HEARTBEAT_ACK_MAX_CHARS,
-  );
-
-  return {
-    enabled: true,
-    every,
-    everyMs,
-    prompt,
-    target,
-    model,
-    ackMaxChars,
-  };
-}
-
 function resolveHeartbeatAgents(cfg: OpenClawConfig): HeartbeatAgent[] {
   const list = cfg.agents?.list ?? [];
   if (hasExplicitHeartbeatAgents(cfg)) {
@@ -212,35 +151,6 @@ function resolveHeartbeatAgents(cfg: OpenClawConfig): HeartbeatAgent[] {
   return [{ agentId: fallbackId, heartbeat: resolveHeartbeatConfig(cfg, fallbackId) }];
 }
 
-export function resolveHeartbeatIntervalMs(
-  cfg: OpenClawConfig,
-  overrideEvery?: string,
-  heartbeat?: HeartbeatConfig,
-) {
-  const raw =
-    overrideEvery ??
-    heartbeat?.every ??
-    cfg.agents?.defaults?.heartbeat?.every ??
-    DEFAULT_HEARTBEAT_EVERY;
-  if (!raw) {
-    return null;
-  }
-  const trimmed = String(raw).trim();
-  if (!trimmed) {
-    return null;
-  }
-  let ms: number;
-  try {
-    ms = parseDurationMs(trimmed, { defaultUnit: "m" });
-  } catch {
-    return null;
-  }
-  if (ms <= 0) {
-    return null;
-  }
-  return ms;
-}
-
 export function resolveHeartbeatPrompt(cfg: OpenClawConfig, heartbeat?: HeartbeatConfig) {
   return resolveHeartbeatPromptText(heartbeat?.prompt ?? cfg.agents?.defaults?.heartbeat?.prompt);
 }
diff --git a/src/infra/heartbeat-summary.ts b/src/infra/heartbeat-summary.ts
new file mode 100644
index 00000000000..89650de44a6
--- /dev/null
+++ b/src/infra/heartbeat-summary.ts
@@ -0,0 +1,118 @@
+import { resolveAgentConfig, resolveDefaultAgentId } from "../agents/agent-scope.js";
+import {
+  DEFAULT_HEARTBEAT_ACK_MAX_CHARS,
+  DEFAULT_HEARTBEAT_EVERY,
+  resolveHeartbeatPrompt as resolveHeartbeatPromptText,
+} from "../auto-reply/heartbeat.js";
+import { parseDurationMs } from "../cli/parse-duration.js";
+import type { OpenClawConfig } from "../config/config.js";
+import type { AgentDefaultsConfig } from "../config/types.agent-defaults.js";
+import { normalizeAgentId } from "../routing/session-key.js";
+
+type HeartbeatConfig = AgentDefaultsConfig["heartbeat"];
+
+export type HeartbeatSummary = {
+  enabled: boolean;
+  every: string;
+  everyMs: number | null;
+  prompt: string;
+  target: string;
+  model?: string;
+  ackMaxChars: number;
+};
+
+const DEFAULT_HEARTBEAT_TARGET = "none";
+
+function hasExplicitHeartbeatAgents(cfg: OpenClawConfig) {
+  const list = cfg.agents?.list ?? [];
+  return list.some((entry) => Boolean(entry?.heartbeat));
+}
+
+export function isHeartbeatEnabledForAgent(cfg: OpenClawConfig, agentId?: string): boolean {
+  const resolvedAgentId = normalizeAgentId(agentId ?? resolveDefaultAgentId(cfg));
+  const list = cfg.agents?.list ?? [];
+  const hasExplicit = hasExplicitHeartbeatAgents(cfg);
+  if (hasExplicit) {
+    return list.some(
+      (entry) => Boolean(entry?.heartbeat) && normalizeAgentId(entry?.id) === resolvedAgentId,
+    );
+  }
+  return resolvedAgentId === resolveDefaultAgentId(cfg);
+}
+
+export function resolveHeartbeatIntervalMs(
+  cfg: OpenClawConfig,
+  overrideEvery?: string,
+  heartbeat?: HeartbeatConfig,
+) {
+  const raw =
+    overrideEvery ??
+    heartbeat?.every ??
+    cfg.agents?.defaults?.heartbeat?.every ??
+    DEFAULT_HEARTBEAT_EVERY;
+  if (!raw) {
+    return null;
+  }
+  const trimmed = String(raw).trim();
+  if (!trimmed) {
+    return null;
+  }
+  let ms: number;
+  try {
+    ms = parseDurationMs(trimmed, { defaultUnit: "m" });
+  } catch {
+    return null;
+  }
+  if (ms <= 0) {
+    return null;
+  }
+  return ms;
+}
+
+export function resolveHeartbeatSummaryForAgent(
+  cfg: OpenClawConfig,
+  agentId?: string,
+): HeartbeatSummary {
+  const defaults = cfg.agents?.defaults?.heartbeat;
+  const overrides = agentId ? resolveAgentConfig(cfg, agentId)?.heartbeat : undefined;
+  const enabled = isHeartbeatEnabledForAgent(cfg, agentId);
+
+  if (!enabled) {
+    return {
+      enabled: false,
+      every: "disabled",
+      everyMs: null,
+      prompt: resolveHeartbeatPromptText(defaults?.prompt),
+      target: defaults?.target ?? DEFAULT_HEARTBEAT_TARGET,
+      model: defaults?.model,
+      ackMaxChars: Math.max(0, defaults?.ackMaxChars ?? DEFAULT_HEARTBEAT_ACK_MAX_CHARS),
+    };
+  }
+
+  const merged = defaults || overrides ? { ...defaults, ...overrides } : undefined;
+  const every = merged?.every ?? defaults?.every ?? overrides?.every ?? DEFAULT_HEARTBEAT_EVERY;
+  const everyMs = resolveHeartbeatIntervalMs(cfg, undefined, merged);
+  const prompt = resolveHeartbeatPromptText(
+    merged?.prompt ?? defaults?.prompt ?? overrides?.prompt,
+  );
+  const target =
+    merged?.target ?? defaults?.target ?? overrides?.target ?? DEFAULT_HEARTBEAT_TARGET;
+  const model = merged?.model ?? defaults?.model ?? overrides?.model;
+  const ackMaxChars = Math.max(
+    0,
+    merged?.ackMaxChars ??
+      defaults?.ackMaxChars ??
+      overrides?.ackMaxChars ??
+      DEFAULT_HEARTBEAT_ACK_MAX_CHARS,
+  );
+
+  return {
+    enabled: true,
+    every,
+    everyMs,
+    prompt,
+    target,
+    model,
+    ackMaxChars,
+  };
+}
diff --git a/src/infra/infra-runtime.test.ts b/src/infra/infra-runtime.test.ts
index 2072f8f2da3..97f2336fd11 100644
--- a/src/infra/infra-runtime.test.ts
+++ b/src/infra/infra-runtime.test.ts
@@ -190,8 +190,8 @@ describe("infra runtime", () => {
         await vi.advanceTimersByTimeAsync(0);
         expect(emitSpy).not.toHaveBeenCalledWith("SIGUSR1");
 
-        // Advance past the 90s max deferral wait
-        await vi.advanceTimersByTimeAsync(90_000);
+        // Advance past the 5-minute max deferral wait
+        await vi.advanceTimersByTimeAsync(300_000);
         expect(emitSpy).toHaveBeenCalledWith("SIGUSR1");
       } finally {
         process.removeListener("SIGUSR1", handler);
diff --git a/src/infra/outbound/channel-adapters.test.ts b/src/infra/outbound/channel-adapters.test.ts
index d8a01aadb2b..ca39b403226 100644
--- a/src/infra/outbound/channel-adapters.test.ts
+++ b/src/infra/outbound/channel-adapters.test.ts
@@ -1,9 +1,18 @@
 import { Separator, TextDisplay } from "@buape/carbon";
-import { describe, expect, it } from "vitest";
+import { beforeEach, describe, expect, it } from "vitest";
+import { discordPlugin } from "../../../extensions/discord/src/channel.js";
 import { DiscordUiContainer } from "../../../extensions/discord/src/ui.js";
+import { setActivePluginRegistry } from "../../plugins/runtime.js";
+import { createTestRegistry } from "../../test-utils/channel-plugins.js";
 import { getChannelMessageAdapter } from "./channel-adapters.js";
 
 describe("getChannelMessageAdapter", () => {
+  beforeEach(() => {
+    setActivePluginRegistry(
+      createTestRegistry([{ pluginId: "discord", plugin: discordPlugin, source: "test" }]),
+    );
+  });
+
   it("returns the default adapter for non-discord channels", () => {
     expect(getChannelMessageAdapter("telegram")).toEqual({
       supportsComponentsV2: false,
diff --git a/src/infra/outbound/channel-adapters.ts b/src/infra/outbound/channel-adapters.ts
index da62e2932bb..0c752854e8d 100644
--- a/src/infra/outbound/channel-adapters.ts
+++ b/src/infra/outbound/channel-adapters.ts
@@ -1,5 +1,5 @@
-import { Separator, TextDisplay, type TopLevelComponents } from "@buape/carbon";
-import { DiscordUiContainer } from "../../../extensions/discord/src/ui.js";
+import type { TopLevelComponents } from "@buape/carbon";
+import { getChannelPlugin } from "../../channels/plugins/index.js";
 import type { ChannelId } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 
@@ -17,40 +17,17 @@ export type ChannelMessageAdapter = {
   buildCrossContextComponents?: CrossContextComponentsFactory;
 };
 
-type CrossContextContainerParams = {
-  originLabel: string;
-  message: string;
-  cfg: OpenClawConfig;
-  accountId?: string | null;
-};
-
-class CrossContextContainer extends DiscordUiContainer {
-  constructor({ originLabel, message, cfg, accountId }: CrossContextContainerParams) {
-    const trimmed = message.trim();
-    const components = [] as Array<TextDisplay | Separator>;
-    if (trimmed) {
-      components.push(new TextDisplay(message));
-      components.push(new Separator({ divider: true, spacing: "small" }));
-    }
-    components.push(new TextDisplay(`*From ${originLabel}*`));
-    super({ cfg, accountId, components });
-  }
-}
-
 const DEFAULT_ADAPTER: ChannelMessageAdapter = {
   supportsComponentsV2: false,
 };
 
-const DISCORD_ADAPTER: ChannelMessageAdapter = {
-  supportsComponentsV2: true,
-  buildCrossContextComponents: ({ originLabel, message, cfg, accountId }) => [
-    new CrossContextContainer({ originLabel, message, cfg, accountId }),
-  ],
-};
-
 export function getChannelMessageAdapter(channel: ChannelId): ChannelMessageAdapter {
-  if (channel === "discord") {
-    return DISCORD_ADAPTER;
+  const adapter = getChannelPlugin(channel)?.messaging?.buildCrossContextComponents;
+  if (adapter) {
+    return {
+      supportsComponentsV2: true,
+      buildCrossContextComponents: adapter,
+    };
   }
   return DEFAULT_ADAPTER;
 }
diff --git a/src/infra/outbound/channel-resolution.test.ts b/src/infra/outbound/channel-resolution.test.ts
index 407994b152f..3d8f8c4fbdd 100644
--- a/src/infra/outbound/channel-resolution.test.ts
+++ b/src/infra/outbound/channel-resolution.test.ts
@@ -133,6 +133,23 @@ describe("outbound channel resolution", () => {
     expect(loadOpenClawPluginsMock).toHaveBeenCalledTimes(1);
   });
 
+  it("bootstraps when the active registry has other channels but not the requested one", async () => {
+    const plugin = { id: "telegram" };
+    getChannelPluginMock.mockReturnValueOnce(undefined).mockReturnValueOnce(plugin);
+    getActivePluginRegistryMock.mockReturnValue({
+      channels: [{ plugin: { id: "discord" } }],
+    });
+    const channelResolution = await importChannelResolution("bootstrap-missing-target");
+
+    expect(
+      channelResolution.resolveOutboundChannelPlugin({
+        channel: "telegram",
+        cfg: { channels: {} } as never,
+      }),
+    ).toBe(plugin);
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledTimes(1);
+  });
+
   it("retries bootstrap after a transient load failure", async () => {
     getChannelPluginMock.mockReturnValue(undefined);
     loadOpenClawPluginsMock.mockImplementationOnce(() => {
diff --git a/src/infra/outbound/channel-resolution.ts b/src/infra/outbound/channel-resolution.ts
index 041e8c60480..c39ff8bb210 100644
--- a/src/infra/outbound/channel-resolution.ts
+++ b/src/infra/outbound/channel-resolution.ts
@@ -33,7 +33,10 @@ function maybeBootstrapChannelPlugin(params: {
   }
 
   const activeRegistry = getActivePluginRegistry();
-  if ((activeRegistry?.channels?.length ?? 0) > 0) {
+  const activeHasRequestedChannel = activeRegistry?.channels?.some(
+    (entry) => entry?.plugin?.id === params.channel,
+  );
+  if (activeHasRequestedChannel) {
     return;
   }
 
diff --git a/src/infra/outbound/channel-selection.test.ts b/src/infra/outbound/channel-selection.test.ts
index da605dcdb63..9448b919312 100644
--- a/src/infra/outbound/channel-selection.test.ts
+++ b/src/infra/outbound/channel-selection.test.ts
@@ -2,12 +2,17 @@ import { beforeEach, describe, expect, it, vi } from "vitest";
 
 const mocks = vi.hoisted(() => ({
   listChannelPlugins: vi.fn(),
+  resolveOutboundChannelPlugin: vi.fn(),
 }));
 
 vi.mock("../../channels/plugins/index.js", () => ({
   listChannelPlugins: mocks.listChannelPlugins,
 }));
 
+vi.mock("./channel-resolution.js", () => ({
+  resolveOutboundChannelPlugin: mocks.resolveOutboundChannelPlugin,
+}));
+
 import {
   listConfiguredMessageChannels,
   resolveMessageChannelSelection,
@@ -36,6 +41,10 @@ describe("listConfiguredMessageChannels", () => {
   beforeEach(() => {
     mocks.listChannelPlugins.mockReset();
     mocks.listChannelPlugins.mockReturnValue([]);
+    mocks.resolveOutboundChannelPlugin.mockReset();
+    mocks.resolveOutboundChannelPlugin.mockImplementation(({ channel }: { channel: string }) => ({
+      id: channel,
+    }));
   });
 
   it("skips unknown plugin ids and plugins without accounts", async () => {
@@ -158,6 +167,35 @@ describe("resolveMessageChannelSelection", () => {
     ).rejects.toThrow("Unknown channel: channel:c123");
   });
 
+  it("falls back when the explicit known channel is unavailable in the active plugin registry", async () => {
+    mocks.resolveOutboundChannelPlugin.mockImplementation(({ channel }: { channel: string }) =>
+      channel === "slack" ? { id: "slack" } : undefined,
+    );
+
+    const selection = await resolveMessageChannelSelection({
+      cfg: {} as never,
+      channel: "discord",
+      fallbackChannel: "slack",
+    });
+
+    expect(selection).toEqual({
+      channel: "slack",
+      configured: [],
+      source: "tool-context-fallback",
+    });
+  });
+
+  it("throws unavailable when a known channel has no active plugin", async () => {
+    mocks.resolveOutboundChannelPlugin.mockReturnValue(undefined);
+
+    await expect(
+      resolveMessageChannelSelection({
+        cfg: {} as never,
+        channel: "discord",
+      }),
+    ).rejects.toThrow("Channel is unavailable: discord");
+  });
+
   it("throws when no channel is provided and nothing is configured", async () => {
     await expect(
       resolveMessageChannelSelection({
diff --git a/src/infra/outbound/channel-selection.ts b/src/infra/outbound/channel-selection.ts
index 9fbd592a589..024fc2273f6 100644
--- a/src/infra/outbound/channel-selection.ts
+++ b/src/infra/outbound/channel-selection.ts
@@ -7,6 +7,7 @@ import {
   isDeliverableMessageChannel,
   normalizeMessageChannel,
 } from "../../utils/message-channel.js";
+import { resolveOutboundChannelPlugin } from "./channel-resolution.js";
 
 export type MessageChannelId = DeliverableMessageChannel;
 export type MessageChannelSelectionSource =
@@ -34,6 +35,22 @@ function resolveKnownChannel(value?: string | null): MessageChannelId | undefine
   return normalized as MessageChannelId;
 }
 
+function resolveAvailableKnownChannel(params: {
+  cfg: OpenClawConfig;
+  value?: string | null;
+}): MessageChannelId | undefined {
+  const normalized = resolveKnownChannel(params.value);
+  if (!normalized) {
+    return undefined;
+  }
+  return resolveOutboundChannelPlugin({
+    channel: normalized,
+    cfg: params.cfg,
+  })
+    ? normalized
+    : undefined;
+}
+
 function isAccountEnabled(account: unknown): boolean {
   if (!account || typeof account !== "object") {
     return true;
@@ -94,8 +111,15 @@ export async function resolveMessageChannelSelection(params: {
 }> {
   const normalized = normalizeMessageChannel(params.channel);
   if (normalized) {
-    if (!isKnownChannel(normalized)) {
-      const fallback = resolveKnownChannel(params.fallbackChannel);
+    const availableExplicit = resolveAvailableKnownChannel({
+      cfg: params.cfg,
+      value: normalized,
+    });
+    if (!availableExplicit) {
+      const fallback = resolveAvailableKnownChannel({
+        cfg: params.cfg,
+        value: params.fallbackChannel,
+      });
       if (fallback) {
         return {
           channel: fallback,
@@ -103,16 +127,22 @@ export async function resolveMessageChannelSelection(params: {
           source: "tool-context-fallback",
         };
       }
-      throw new Error(`Unknown channel: ${String(normalized)}`);
+      if (!isKnownChannel(normalized)) {
+        throw new Error(`Unknown channel: ${String(normalized)}`);
+      }
+      throw new Error(`Channel is unavailable: ${String(normalized)}`);
     }
     return {
-      channel: normalized as MessageChannelId,
+      channel: availableExplicit,
       configured: await listConfiguredMessageChannels(params.cfg),
       source: "explicit",
     };
   }
 
-  const fallback = resolveKnownChannel(params.fallbackChannel);
+  const fallback = resolveAvailableKnownChannel({
+    cfg: params.cfg,
+    value: params.fallbackChannel,
+  });
   if (fallback) {
     return {
       channel: fallback,
diff --git a/src/infra/outbound/deliver.test-helpers.ts b/src/infra/outbound/deliver.test-helpers.ts
index bc70c456dc5..77054dff7f3 100644
--- a/src/infra/outbound/deliver.test-helpers.ts
+++ b/src/infra/outbound/deliver.test-helpers.ts
@@ -1,7 +1,9 @@
 import { vi } from "vitest";
-import { signalOutbound } from "../../channels/plugins/outbound/signal.js";
-import { telegramOutbound } from "../../channels/plugins/outbound/telegram.js";
-import { whatsappOutbound } from "../../channels/plugins/outbound/whatsapp.js";
+import {
+  signalOutbound,
+  telegramOutbound,
+  whatsappOutbound,
+} from "../../../test/channel-outbounds.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { setActivePluginRegistry } from "../../plugins/runtime.js";
 import { createOutboundTestPlugin, createTestRegistry } from "../../test-utils/channel-plugins.js";
diff --git a/src/infra/outbound/deliver.test.ts b/src/infra/outbound/deliver.test.ts
index cb86483b4b5..5323dd83e27 100644
--- a/src/infra/outbound/deliver.test.ts
+++ b/src/infra/outbound/deliver.test.ts
@@ -1,9 +1,11 @@
 import path from "node:path";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { markdownToSignalTextChunks } from "../../../extensions/signal/src/format.js";
-import { signalOutbound } from "../../channels/plugins/outbound/signal.js";
-import { telegramOutbound } from "../../channels/plugins/outbound/telegram.js";
-import { whatsappOutbound } from "../../channels/plugins/outbound/whatsapp.js";
+import {
+  signalOutbound,
+  telegramOutbound,
+  whatsappOutbound,
+} from "../../../test/channel-outbounds.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { STATE_DIR } from "../../config/paths.js";
 import { setActivePluginRegistry } from "../../plugins/runtime.js";
@@ -404,6 +406,38 @@ describe("deliverOutboundPayloads", () => {
     ]);
   });
 
+  it("renders shared interactive payloads into telegram buttons", async () => {
+    const sendTelegram = vi.fn().mockResolvedValue({ messageId: "m1", chatId: "c1" });
+
+    await deliverTelegramPayload({
+      sendTelegram,
+      payload: {
+        text: "Approval required",
+        interactive: {
+          blocks: [
+            {
+              type: "buttons",
+              buttons: [
+                { label: "Allow once", value: "allow-once", style: "success" },
+                { label: "Always allow", value: "allow-always", style: "primary" },
+                { label: "Deny", value: "deny", style: "danger" },
+              ],
+            },
+          ],
+        },
+      },
+    });
+
+    const sendOpts = sendTelegram.mock.calls[0]?.[2] as { buttons?: unknown } | undefined;
+    expect(sendOpts?.buttons).toEqual([
+      [
+        { text: "Allow once", callback_data: "allow-once", style: "success" },
+        { text: "Always allow", callback_data: "allow-always", style: "primary" },
+        { text: "Deny", callback_data: "deny", style: "danger" },
+      ],
+    ]);
+  });
+
   it("scopes media local roots to the active agent workspace when agentId is provided", async () => {
     const sendTelegram = vi.fn().mockResolvedValue({ messageId: "m1", chatId: "c1" });
 
diff --git a/src/infra/outbound/deliver.ts b/src/infra/outbound/deliver.ts
index 509ff278a1d..452875d9cff 100644
--- a/src/infra/outbound/deliver.ts
+++ b/src/infra/outbound/deliver.ts
@@ -1,8 +1,3 @@
-import {
-  markdownToSignalTextChunks,
-  type SignalTextStyleRange,
-} from "../../../extensions/signal/src/format.js";
-import { sendMessageSignal } from "../../../extensions/signal/src/send.js";
 import {
   chunkByParagraph,
   chunkMarkdownTextWithMode,
@@ -10,14 +5,12 @@ import {
   resolveTextChunkLimit,
 } from "../../auto-reply/chunk.js";
 import type { ReplyPayload } from "../../auto-reply/types.js";
-import { resolveChannelMediaMaxBytes } from "../../channels/plugins/media-limits.js";
 import { loadChannelOutboundAdapter } from "../../channels/plugins/outbound/load.js";
 import type {
   ChannelOutboundAdapter,
   ChannelOutboundContext,
 } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
-import { resolveMarkdownTableMode } from "../../config/markdown-tables.js";
 import {
   appendAssistantMessageToSessionTranscript,
   resolveMirroredTranscriptText,
@@ -30,10 +23,12 @@ import {
   toPluginMessageContext,
   toPluginMessageSentEvent,
 } from "../../hooks/message-hook-mappers.js";
+import { hasReplyChannelData, hasReplyContent } from "../../interactive/payload.js";
 import { createSubsystemLogger } from "../../logging/subsystem.js";
 import { getAgentScopedMediaLocalRoots } from "../../media/local-roots.js";
 import { getGlobalHookRunner } from "../../plugins/hook-runner-global.js";
 import { throwIfAborted } from "./abort.js";
+import { resolveOutboundChannelPlugin } from "./channel-resolution.js";
 import { ackDelivery, enqueueDelivery, failDelivery } from "./delivery-queue.js";
 import type { OutboundIdentity } from "./identity.js";
 import type { DeliveryMirror } from "./mirror.js";
@@ -49,7 +44,6 @@ export { normalizeOutboundPayloads } from "./payloads.js";
 export { resolveOutboundSendDep, type OutboundSendDeps } from "./send-deps.js";
 
 const log = createSubsystemLogger("outbound/deliver");
-const TELEGRAM_TEXT_LIMIT = 4096;
 
 export type OutboundDeliveryResult = {
   channel: Exclude<OutboundChannel, "none">;
@@ -72,6 +66,9 @@ type ChannelHandler = {
   chunkerMode?: "text" | "markdown";
   textChunkLimit?: number;
   supportsMedia: boolean;
+  normalizePayload?: (payload: ReplyPayload) => ReplyPayload | null;
+  shouldSkipPlainTextSanitization?: (payload: ReplyPayload) => boolean;
+  resolveEffectiveTextChunkLimit?: (fallbackLimit?: number) => number | undefined;
   sendPayload?: (
     payload: ReplyPayload,
     overrides?: {
@@ -79,6 +76,21 @@ type ChannelHandler = {
       threadId?: string | number | null;
     },
   ) => Promise<OutboundDeliveryResult>;
+  sendFormattedText?: (
+    text: string,
+    overrides?: {
+      replyToId?: string | null;
+      threadId?: string | number | null;
+    },
+  ) => Promise<OutboundDeliveryResult[]>;
+  sendFormattedMedia?: (
+    caption: string,
+    mediaUrl: string,
+    overrides?: {
+      replyToId?: string | null;
+      threadId?: string | number | null;
+    },
+  ) => Promise<OutboundDeliveryResult>;
   sendText: (
     text: string,
     overrides?: {
@@ -113,6 +125,13 @@ type ChannelHandlerParams = {
 
 // Channel docking: outbound delivery delegates to plugin.outbound adapters.
 async function createChannelHandler(params: ChannelHandlerParams): Promise<ChannelHandler> {
+  // Recover channel plugins the same way target resolution does so direct cron
+  // delivery still works when a prior test or lazy path left the active plugin
+  // registry empty.
+  resolveOutboundChannelPlugin({
+    channel: params.channel,
+    cfg: params.cfg,
+  });
   const outbound = await loadChannelOutboundAdapter(params.channel);
   const handler = createPluginHandler({ ...params, outbound });
   if (!handler) {
@@ -146,6 +165,20 @@ function createPluginHandler(
     chunkerMode,
     textChunkLimit: outbound.textChunkLimit,
     supportsMedia: Boolean(sendMedia),
+    normalizePayload: outbound.normalizePayload
+      ? (payload) => outbound.normalizePayload!({ payload })
+      : undefined,
+    shouldSkipPlainTextSanitization: outbound.shouldSkipPlainTextSanitization
+      ? (payload) => outbound.shouldSkipPlainTextSanitization!({ payload })
+      : undefined,
+    resolveEffectiveTextChunkLimit: outbound.resolveEffectiveTextChunkLimit
+      ? (fallbackLimit) =>
+          outbound.resolveEffectiveTextChunkLimit!({
+            cfg: params.cfg,
+            accountId: params.accountId ?? undefined,
+            fallbackLimit,
+          })
+      : undefined,
     sendPayload: outbound.sendPayload
       ? async (payload, overrides) =>
           outbound.sendPayload!({
@@ -155,6 +188,21 @@ function createPluginHandler(
             payload,
           })
       : undefined,
+    sendFormattedText: outbound.sendFormattedText
+      ? async (text, overrides) =>
+          outbound.sendFormattedText!({
+            ...resolveCtx(overrides),
+            text,
+          })
+      : undefined,
+    sendFormattedMedia: outbound.sendFormattedMedia
+      ? async (caption, mediaUrl, overrides) =>
+          outbound.sendFormattedMedia!({
+            ...resolveCtx(overrides),
+            text: caption,
+            mediaUrl,
+          })
+      : undefined,
     sendText: async (text, overrides) =>
       sendText({
         ...resolveCtx(overrides),
@@ -230,47 +278,35 @@ type MessageSentEvent = {
   messageId?: string;
 };
 
-function hasMediaPayload(payload: ReplyPayload): boolean {
-  return Boolean(payload.mediaUrl) || (payload.mediaUrls?.length ?? 0) > 0;
-}
-
-function hasChannelDataPayload(payload: ReplyPayload): boolean {
-  return Boolean(payload.channelData && Object.keys(payload.channelData).length > 0);
-}
-
-function normalizePayloadForChannelDelivery(
-  payload: ReplyPayload,
-  channelId: string,
-): ReplyPayload | null {
-  const hasMedia = hasMediaPayload(payload);
-  const hasChannelData = hasChannelDataPayload(payload);
-  const rawText = typeof payload.text === "string" ? payload.text : "";
-  const normalizedText =
-    channelId === "whatsapp" ? rawText.replace(/^(?:[ \t]*\r?\n)+/, "") : rawText;
-  if (!normalizedText.trim()) {
-    if (!hasMedia && !hasChannelData) {
+function normalizeEmptyPayloadForDelivery(payload: ReplyPayload): ReplyPayload | null {
+  const text = typeof payload.text === "string" ? payload.text : "";
+  const hasChannelData = hasReplyChannelData(payload.channelData);
+  if (!text.trim()) {
+    if (
+      !hasReplyContent({
+        text,
+        mediaUrl: payload.mediaUrl,
+        mediaUrls: payload.mediaUrls,
+        interactive: payload.interactive,
+        hasChannelData,
+      })
+    ) {
       return null;
     }
-    return {
-      ...payload,
-      text: "",
-    };
+    if (text) {
+      return {
+        ...payload,
+        text: "",
+      };
+    }
   }
-  if (normalizedText === rawText) {
-    return payload;
-  }
-  return {
-    ...payload,
-    text: normalizedText,
-  };
+  return payload;
 }
 
 function normalizePayloadsForChannelDelivery(
   payloads: ReplyPayload[],
   channel: Exclude<OutboundChannel, "none">,
-  _cfg: OpenClawConfig,
-  _to: string,
-  _accountId?: string,
+  handler: ChannelHandler,
 ): ReplyPayload[] {
   const normalizedPayloads: ReplyPayload[] = [];
   for (const payload of normalizeReplyPayloadsForDelivery(payloads)) {
@@ -279,15 +315,19 @@ function normalizePayloadsForChannelDelivery(
     // Models occasionally produce <br>, <b>, etc. that render as literal text.
     // See https://github.com/openclaw/openclaw/issues/31884
     if (isPlainTextSurface(channel) && sanitizedPayload.text) {
-      // Telegram sendPayload uses textMode:"html". Preserve raw HTML in this path.
-      if (!(channel === "telegram" && sanitizedPayload.channelData)) {
+      if (!handler.shouldSkipPlainTextSanitization?.(sanitizedPayload)) {
         sanitizedPayload = {
           ...sanitizedPayload,
           text: sanitizeForPlainText(sanitizedPayload.text),
         };
       }
     }
-    const normalized = normalizePayloadForChannelDelivery(sanitizedPayload, channel);
+    const normalizedPayload = handler.normalizePayload
+      ? handler.normalizePayload(sanitizedPayload)
+      : sanitizedPayload;
+    const normalized = normalizedPayload
+      ? normalizeEmptyPayloadForDelivery(normalizedPayload)
+      : null;
     if (normalized) {
       normalizedPayloads.push(normalized);
     }
@@ -299,6 +339,7 @@ function buildPayloadSummary(payload: ReplyPayload): NormalizedOutboundPayload {
   return {
     text: payload.text ?? "",
     mediaUrls: payload.mediaUrls ?? (payload.mediaUrl ? [payload.mediaUrl] : []),
+    interactive: payload.interactive,
     channelData: payload.channelData,
   };
 }
@@ -504,8 +545,6 @@ async function deliverOutboundPayloadsCore(
   const accountId = params.accountId;
   const deps = params.deps;
   const abortSignal = params.abortSignal;
-  const sendSignal =
-    resolveOutboundSendDep<typeof sendMessageSignal>(params.deps, "signal") ?? sendMessageSignal;
   const mediaLocalRoots = getAgentScopedMediaLocalRoots(
     cfg,
     params.session?.agentId ?? params.mirror?.agentId,
@@ -530,24 +569,10 @@ async function deliverOutboundPayloadsCore(
         fallbackLimit: handler.textChunkLimit,
       })
     : undefined;
-  const textLimit =
-    channel === "telegram" && typeof configuredTextLimit === "number"
-      ? Math.min(configuredTextLimit, TELEGRAM_TEXT_LIMIT)
-      : configuredTextLimit;
+  const textLimit = handler.resolveEffectiveTextChunkLimit
+    ? handler.resolveEffectiveTextChunkLimit(configuredTextLimit)
+    : configuredTextLimit;
   const chunkMode = handler.chunker ? resolveChunkMode(cfg, channel, accountId) : "length";
-  const isSignalChannel = channel === "signal";
-  const signalTableMode = isSignalChannel
-    ? resolveMarkdownTableMode({ cfg, channel: "signal", accountId })
-    : "code";
-  const signalMaxBytes = isSignalChannel
-    ? resolveChannelMediaMaxBytes({
-        cfg,
-        resolveChannelLimitMb: ({ cfg, accountId }) =>
-          cfg.channels?.signal?.accounts?.[accountId]?.mediaMaxMb ??
-          cfg.channels?.signal?.mediaMaxMb,
-        accountId,
-      })
-    : undefined;
 
   const sendTextChunks = async (
     text: string,
@@ -586,66 +611,7 @@ async function deliverOutboundPayloadsCore(
       results.push(await handler.sendText(chunk, overrides));
     }
   };
-
-  const sendSignalText = async (text: string, styles: SignalTextStyleRange[]) => {
-    throwIfAborted(abortSignal);
-    return {
-      channel: "signal" as const,
-      ...(await sendSignal(to, text, {
-        cfg,
-        maxBytes: signalMaxBytes,
-        accountId: accountId ?? undefined,
-        textMode: "plain",
-        textStyles: styles,
-      })),
-    };
-  };
-
-  const sendSignalTextChunks = async (text: string) => {
-    throwIfAborted(abortSignal);
-    let signalChunks =
-      textLimit === undefined
-        ? markdownToSignalTextChunks(text, Number.POSITIVE_INFINITY, {
-            tableMode: signalTableMode,
-          })
-        : markdownToSignalTextChunks(text, textLimit, { tableMode: signalTableMode });
-    if (signalChunks.length === 0 && text) {
-      signalChunks = [{ text, styles: [] }];
-    }
-    for (const chunk of signalChunks) {
-      throwIfAborted(abortSignal);
-      results.push(await sendSignalText(chunk.text, chunk.styles));
-    }
-  };
-
-  const sendSignalMedia = async (caption: string, mediaUrl: string) => {
-    throwIfAborted(abortSignal);
-    const formatted = markdownToSignalTextChunks(caption, Number.POSITIVE_INFINITY, {
-      tableMode: signalTableMode,
-    })[0] ?? {
-      text: caption,
-      styles: [],
-    };
-    return {
-      channel: "signal" as const,
-      ...(await sendSignal(to, formatted.text, {
-        cfg,
-        mediaUrl,
-        maxBytes: signalMaxBytes,
-        accountId: accountId ?? undefined,
-        textMode: "plain",
-        textStyles: formatted.styles,
-        mediaLocalRoots,
-      })),
-    };
-  };
-  const normalizedPayloads = normalizePayloadsForChannelDelivery(
-    payloads,
-    channel,
-    cfg,
-    to,
-    accountId,
-  );
+  const normalizedPayloads = normalizePayloadsForChannelDelivery(payloads, channel, handler);
   const hookRunner = getGlobalHookRunner();
   const sessionKeyForInternalHooks = params.mirror?.sessionKey ?? params.session?.key;
   const mirrorIsGroup = params.mirror?.isGroup;
@@ -697,7 +663,13 @@ async function deliverOutboundPayloadsCore(
         threadId: params.threadId ?? undefined,
         forceDocument: params.forceDocument,
       };
-      if (handler.sendPayload && effectivePayload.channelData) {
+      if (
+        handler.sendPayload &&
+        (effectivePayload.channelData ||
+          hasReplyContent({
+            interactive: effectivePayload.interactive,
+          }))
+      ) {
         const delivery = await handler.sendPayload(effectivePayload, sendOverrides);
         results.push(delivery);
         emitMessageSent({
@@ -709,8 +681,8 @@ async function deliverOutboundPayloadsCore(
       }
       if (payloadSummary.mediaUrls.length === 0) {
         const beforeCount = results.length;
-        if (isSignalChannel) {
-          await sendSignalTextChunks(payloadSummary.text);
+        if (handler.sendFormattedText) {
+          results.push(...(await handler.sendFormattedText(payloadSummary.text, sendOverrides)));
         } else {
           await sendTextChunks(payloadSummary.text, sendOverrides);
         }
@@ -755,8 +727,8 @@ async function deliverOutboundPayloadsCore(
         throwIfAborted(abortSignal);
         const caption = first ? payloadSummary.text : "";
         first = false;
-        if (isSignalChannel) {
-          const delivery = await sendSignalMedia(caption, url);
+        if (handler.sendFormattedMedia) {
+          const delivery = await handler.sendFormattedMedia(caption, url, sendOverrides);
           results.push(delivery);
           lastMessageId = delivery.messageId;
         } else {
diff --git a/src/infra/outbound/message-action-normalization.test.ts b/src/infra/outbound/message-action-normalization.test.ts
index 87fa7a8503c..2ee5f35b3dd 100644
--- a/src/infra/outbound/message-action-normalization.test.ts
+++ b/src/infra/outbound/message-action-normalization.test.ts
@@ -115,6 +115,47 @@ describe("normalizeMessageActionInput", () => {
     expect("to" in normalized).toBe(false);
   });
 
+  it("keeps Feishu message and chat aliases without forcing canonical targets", () => {
+    const pin = normalizeMessageActionInput({
+      action: "pin",
+      args: {
+        channel: "feishu",
+        messageId: "om_123",
+      },
+    });
+    const listPins = normalizeMessageActionInput({
+      action: "list-pins",
+      args: {
+        channel: "feishu",
+        chatId: "oc_123",
+      },
+    });
+
+    expect(pin.messageId).toBe("om_123");
+    expect("target" in pin).toBe(false);
+    expect("to" in pin).toBe(false);
+    expect(listPins.chatId).toBe("oc_123");
+    expect("target" in listPins).toBe(false);
+    expect("to" in listPins).toBe(false);
+  });
+
+  it("still backfills target for non-Feishu read actions with messageId-only input", () => {
+    const normalized = normalizeMessageActionInput({
+      action: "read",
+      args: {
+        channel: "slack",
+        messageId: "123.456",
+      },
+      toolContext: {
+        currentChannelId: "C12345678",
+        currentChannelProvider: "slack",
+      },
+    });
+
+    expect(normalized.target).toBe("C12345678");
+    expect(normalized.messageId).toBe("123.456");
+  });
+
   it("maps legacy channelId inputs through canonical target for channel-id actions", () => {
     const normalized = normalizeMessageActionInput({
       action: "channel-info",
diff --git a/src/infra/outbound/message-action-normalization.ts b/src/infra/outbound/message-action-normalization.ts
index a4b4f4829bd..ff40ca45e6a 100644
--- a/src/infra/outbound/message-action-normalization.ts
+++ b/src/infra/outbound/message-action-normalization.ts
@@ -16,6 +16,10 @@ export function normalizeMessageActionInput(params: {
 }): Record<string, unknown> {
   const normalizedArgs = { ...params.args };
   const { action, toolContext } = params;
+  const explicitChannel =
+    typeof normalizedArgs.channel === "string" ? normalizedArgs.channel.trim() : "";
+  const inferredChannel =
+    explicitChannel || normalizeMessageChannel(toolContext?.currentChannelProvider) || "";
 
   const explicitTarget =
     typeof normalizedArgs.target === "string" ? normalizedArgs.target.trim() : "";
@@ -34,7 +38,7 @@ export function normalizeMessageActionInput(params: {
     !explicitTarget &&
     !hasLegacyTarget &&
     actionRequiresTarget(action) &&
-    !actionHasTarget(action, normalizedArgs)
+    !actionHasTarget(action, normalizedArgs, { channel: inferredChannel })
   ) {
     const inferredTarget = toolContext?.currentChannelId?.trim();
     if (inferredTarget) {
@@ -54,17 +58,17 @@ export function normalizeMessageActionInput(params: {
     }
   }
 
-  const explicitChannel =
-    typeof normalizedArgs.channel === "string" ? normalizedArgs.channel.trim() : "";
   if (!explicitChannel) {
-    const inferredChannel = normalizeMessageChannel(toolContext?.currentChannelProvider);
     if (inferredChannel && isDeliverableMessageChannel(inferredChannel)) {
       normalizedArgs.channel = inferredChannel;
     }
   }
 
   applyTargetToParams({ action, args: normalizedArgs });
-  if (actionRequiresTarget(action) && !actionHasTarget(action, normalizedArgs)) {
+  if (
+    actionRequiresTarget(action) &&
+    !actionHasTarget(action, normalizedArgs, { channel: inferredChannel })
+  ) {
     throw new Error(`Action ${action} requires a target.`);
   }
 
diff --git a/src/infra/outbound/message-action-params.test.ts b/src/infra/outbound/message-action-params.test.ts
index f72bd2d26aa..3442711eab4 100644
--- a/src/infra/outbound/message-action-params.test.ts
+++ b/src/infra/outbound/message-action-params.test.ts
@@ -2,6 +2,8 @@ import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
 import { describe, expect, it } from "vitest";
+import { slackPlugin } from "../../../extensions/slack/src/channel.js";
+import { telegramPlugin } from "../../../extensions/telegram/src/channel.js";
 import type { ChannelThreadingToolContext } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import {
@@ -9,8 +11,6 @@ import {
   normalizeSandboxMediaList,
   normalizeSandboxMediaParams,
   resolveAttachmentMediaPolicy,
-  resolveSlackAutoThreadId,
-  resolveTelegramAutoThreadId,
 } from "./message-action-params.js";
 
 const cfg = {} as OpenClawConfig;
@@ -30,19 +30,25 @@ function createToolContext(
 describe("message action threading helpers", () => {
   it("resolves Slack auto-thread ids only for matching active channels", () => {
     expect(
-      resolveSlackAutoThreadId({
+      slackPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "#c123",
         toolContext: createToolContext(),
       }),
     ).toBe("thread-1");
     expect(
-      resolveSlackAutoThreadId({
+      slackPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "channel:C999",
         toolContext: createToolContext(),
       }),
     ).toBeUndefined();
     expect(
-      resolveSlackAutoThreadId({
+      slackPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "user:U123",
         toolContext: createToolContext(),
       }),
@@ -51,7 +57,9 @@ describe("message action threading helpers", () => {
 
   it("skips Slack auto-thread ids when reply mode or context blocks them", () => {
     expect(
-      resolveSlackAutoThreadId({
+      slackPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "C123",
         toolContext: createToolContext({
           replyToMode: "first",
@@ -60,13 +68,17 @@ describe("message action threading helpers", () => {
       }),
     ).toBeUndefined();
     expect(
-      resolveSlackAutoThreadId({
+      slackPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "C123",
         toolContext: createToolContext({ replyToMode: "off" }),
       }),
     ).toBeUndefined();
     expect(
-      resolveSlackAutoThreadId({
+      slackPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "C123",
         toolContext: createToolContext({ currentThreadTs: undefined }),
       }),
@@ -75,7 +87,9 @@ describe("message action threading helpers", () => {
 
   it("resolves Telegram auto-thread ids for matching chats across target formats", () => {
     expect(
-      resolveTelegramAutoThreadId({
+      telegramPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "telegram:group:-100123:topic:77",
         toolContext: createToolContext({
           currentChannelId: "tg:group:-100123",
@@ -83,7 +97,9 @@ describe("message action threading helpers", () => {
       }),
     ).toBe("thread-1");
     expect(
-      resolveTelegramAutoThreadId({
+      telegramPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "-100999:77",
         toolContext: createToolContext({
           currentChannelId: "-100123",
@@ -91,7 +107,9 @@ describe("message action threading helpers", () => {
       }),
     ).toBeUndefined();
     expect(
-      resolveTelegramAutoThreadId({
+      telegramPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "-100123",
         toolContext: createToolContext({ currentChannelId: undefined }),
       }),
diff --git a/src/infra/outbound/message-action-params.ts b/src/infra/outbound/message-action-params.ts
index ea527a74bd6..6f95e0a5a4d 100644
--- a/src/infra/outbound/message-action-params.ts
+++ b/src/infra/outbound/message-action-params.ts
@@ -1,76 +1,16 @@
 import path from "node:path";
 import { fileURLToPath } from "node:url";
-import { parseSlackTarget } from "../../../extensions/slack/src/targets.js";
-import { parseTelegramTarget } from "../../../extensions/telegram/src/targets.js";
-import { loadWebMedia } from "../../../extensions/whatsapp/src/media.js";
 import { assertMediaNotDataUrl, resolveSandboxedMediaSource } from "../../agents/sandbox-paths.js";
 import { readStringParam } from "../../agents/tools/common.js";
-import type {
-  ChannelId,
-  ChannelMessageActionName,
-  ChannelThreadingToolContext,
-} from "../../channels/plugins/types.js";
+import type { ChannelId, ChannelMessageActionName } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { createRootScopedReadFile } from "../../infra/fs-safe.js";
 import { extensionForMime } from "../../media/mime.js";
 import { readBooleanParam as readBooleanParamShared } from "../../plugin-sdk/boolean-param.js";
+import { loadWebMedia } from "../../plugin-sdk/web-media.js";
 
 export const readBooleanParam = readBooleanParamShared;
 
-export function resolveSlackAutoThreadId(params: {
-  to: string;
-  toolContext?: ChannelThreadingToolContext;
-}): string | undefined {
-  const context = params.toolContext;
-  if (!context?.currentThreadTs || !context.currentChannelId) {
-    return undefined;
-  }
-  // Only mirror auto-threading when Slack would reply in the active thread for this channel.
-  if (context.replyToMode !== "all" && context.replyToMode !== "first") {
-    return undefined;
-  }
-  const parsedTarget = parseSlackTarget(params.to, { defaultKind: "channel" });
-  if (!parsedTarget || parsedTarget.kind !== "channel") {
-    return undefined;
-  }
-  if (parsedTarget.id.toLowerCase() !== context.currentChannelId.toLowerCase()) {
-    return undefined;
-  }
-  if (context.replyToMode === "first" && context.hasRepliedRef?.value) {
-    return undefined;
-  }
-  return context.currentThreadTs;
-}
-
-/**
- * Auto-inject Telegram forum topic thread ID when the message tool targets
- * the same chat the session originated from.  Mirrors the Slack auto-threading
- * pattern so media, buttons, and other tool-sent messages land in the correct
- * topic instead of the General Topic.
- *
- * Unlike Slack, we do not gate on `replyToMode` here: Telegram forum topics
- * are persistent sub-channels (not ephemeral reply threads), so auto-injection
- * should always apply when the target chat matches.
- */
-export function resolveTelegramAutoThreadId(params: {
-  to: string;
-  toolContext?: ChannelThreadingToolContext;
-}): string | undefined {
-  const context = params.toolContext;
-  if (!context?.currentThreadTs || !context.currentChannelId) {
-    return undefined;
-  }
-  // Use parseTelegramTarget to extract canonical chatId from both sides,
-  // mirroring how Slack uses parseSlackTarget. This handles format variations
-  // like `telegram:group:123:topic:456` vs `telegram:123`.
-  const parsedTo = parseTelegramTarget(params.to);
-  const parsedChannel = parseTelegramTarget(context.currentChannelId);
-  if (parsedTo.chatId.toLowerCase() !== parsedChannel.chatId.toLowerCase()) {
-    return undefined;
-  }
-  return context.currentThreadTs;
-}
-
 function resolveAttachmentMaxBytes(params: {
   cfg: OpenClawConfig;
   channel: ChannelId;
@@ -422,3 +362,20 @@ export function parseComponentsParam(params: Record<string, unknown>): void {
     throw new Error("--components must be valid JSON");
   }
 }
+
+export function parseInteractiveParam(params: Record<string, unknown>): void {
+  const raw = params.interactive;
+  if (typeof raw !== "string") {
+    return;
+  }
+  const trimmed = raw.trim();
+  if (!trimmed) {
+    delete params.interactive;
+    return;
+  }
+  try {
+    params.interactive = JSON.parse(trimmed) as unknown;
+  } catch {
+    throw new Error("--interactive must be valid JSON");
+  }
+}
diff --git a/src/infra/outbound/message-action-runner.context.test.ts b/src/infra/outbound/message-action-runner.context.test.ts
index 185ff2bf648..ed470984e45 100644
--- a/src/infra/outbound/message-action-runner.context.test.ts
+++ b/src/infra/outbound/message-action-runner.context.test.ts
@@ -186,6 +186,46 @@ describe("runMessageAction context isolation", () => {
     ).rejects.toThrow(/message required/i);
   });
 
+  it("allows send when only shared interactive payloads are provided", async () => {
+    const result = await runDrySend({
+      cfg: {
+        channels: {
+          telegram: {
+            botToken: "telegram-test",
+          },
+        },
+      } as OpenClawConfig,
+      actionParams: {
+        channel: "telegram",
+        target: "123456",
+        interactive: {
+          blocks: [
+            {
+              type: "buttons",
+              buttons: [{ label: "Approve", value: "approve" }],
+            },
+          ],
+        },
+      },
+    });
+
+    expect(result.kind).toBe("send");
+  });
+
+  it("allows send when only Slack blocks are provided", async () => {
+    const result = await runDrySend({
+      cfg: slackConfig,
+      actionParams: {
+        channel: "slack",
+        target: "#C12345678",
+        blocks: [{ type: "divider" }],
+      },
+      toolContext: { currentChannelId: "C12345678" },
+    });
+
+    expect(result.kind).toBe("send");
+  });
+
   it.each([
     {
       name: "structured poll params",
diff --git a/src/infra/outbound/message-action-runner.plugin-dispatch.test.ts b/src/infra/outbound/message-action-runner.plugin-dispatch.test.ts
index 00c4bafef11..952bf16f51c 100644
--- a/src/infra/outbound/message-action-runner.plugin-dispatch.test.ts
+++ b/src/infra/outbound/message-action-runner.plugin-dispatch.test.ts
@@ -15,6 +15,105 @@ function createAlwaysConfiguredPluginConfig(account: Record<string, unknown> = {
 }
 
 describe("runMessageAction plugin dispatch", () => {
+  describe("alias-based plugin action dispatch", () => {
+    const handleAction = vi.fn(async ({ params }: { params: Record<string, unknown> }) =>
+      jsonResult({
+        ok: true,
+        params,
+      }),
+    );
+
+    const feishuLikePlugin: ChannelPlugin = {
+      id: "feishu",
+      meta: {
+        id: "feishu",
+        label: "Feishu",
+        selectionLabel: "Feishu",
+        docsPath: "/channels/feishu",
+        blurb: "Feishu action dispatch test plugin.",
+      },
+      capabilities: { chatTypes: ["direct", "channel"] },
+      config: createAlwaysConfiguredPluginConfig(),
+      actions: {
+        listActions: () => ["pin", "list-pins", "member-info"],
+        supportsAction: ({ action }) =>
+          action === "pin" || action === "list-pins" || action === "member-info",
+        handleAction,
+      },
+    };
+
+    beforeEach(() => {
+      setActivePluginRegistry(
+        createTestRegistry([
+          {
+            pluginId: "feishu",
+            source: "test",
+            plugin: feishuLikePlugin,
+          },
+        ]),
+      );
+      handleAction.mockClear();
+    });
+
+    afterEach(() => {
+      setActivePluginRegistry(createTestRegistry([]));
+      vi.clearAllMocks();
+    });
+
+    it("dispatches messageId/chatId-based Feishu actions through the shared runner", async () => {
+      await runMessageAction({
+        cfg: {
+          channels: {
+            feishu: {
+              enabled: true,
+            },
+          },
+        } as OpenClawConfig,
+        action: "pin",
+        params: {
+          channel: "feishu",
+          messageId: "om_123",
+        },
+        dryRun: false,
+      });
+
+      await runMessageAction({
+        cfg: {
+          channels: {
+            feishu: {
+              enabled: true,
+            },
+          },
+        } as OpenClawConfig,
+        action: "list-pins",
+        params: {
+          channel: "feishu",
+          chatId: "oc_123",
+        },
+        dryRun: false,
+      });
+
+      expect(handleAction).toHaveBeenNthCalledWith(
+        1,
+        expect.objectContaining({
+          action: "pin",
+          params: expect.objectContaining({
+            messageId: "om_123",
+          }),
+        }),
+      );
+      expect(handleAction).toHaveBeenNthCalledWith(
+        2,
+        expect.objectContaining({
+          action: "list-pins",
+          params: expect.objectContaining({
+            chatId: "oc_123",
+          }),
+        }),
+      );
+    });
+  });
+
   describe("media caption behavior", () => {
     afterEach(() => {
       setActivePluginRegistry(createTestRegistry([]));
diff --git a/src/infra/outbound/message-action-runner.ts b/src/infra/outbound/message-action-runner.ts
index 0b6ad1ba16e..8480b962544 100644
--- a/src/infra/outbound/message-action-runner.ts
+++ b/src/infra/outbound/message-action-runner.ts
@@ -6,6 +6,7 @@ import {
   readStringParam,
 } from "../../agents/tools/common.js";
 import { parseReplyDirectives } from "../../auto-reply/reply/reply-directives.js";
+import { getChannelPlugin } from "../../channels/plugins/index.js";
 import { dispatchChannelMessageAction } from "../../channels/plugins/message-actions.js";
 import type {
   ChannelId,
@@ -13,6 +14,7 @@ import type {
   ChannelThreadingToolContext,
 } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { hasInteractiveReplyBlocks, hasReplyContent } from "../../interactive/payload.js";
 import { getAgentScopedMediaLocalRoots } from "../../media/local-roots.js";
 import { hasPollCreationParams, resolveTelegramPollVisibility } from "../../poll-params.js";
 import { resolvePollMaxSelections } from "../../polls.js";
@@ -20,6 +22,7 @@ import { buildChannelAccountBindings } from "../../routing/bindings.js";
 import { normalizeAgentId } from "../../routing/session-key.js";
 import { type GatewayClientMode, type GatewayClientName } from "../../utils/message-channel.js";
 import { throwIfAborted } from "./abort.js";
+import { resolveOutboundChannelPlugin } from "./channel-resolution.js";
 import {
   listConfiguredMessageChannels,
   resolveMessageChannelSelection,
@@ -33,10 +36,9 @@ import {
   parseButtonsParam,
   parseCardParam,
   parseComponentsParam,
+  parseInteractiveParam,
   readBooleanParam,
   resolveAttachmentMediaPolicy,
-  resolveSlackAutoThreadId,
-  resolveTelegramAutoThreadId,
 } from "./message-action-params.js";
 import type { MessagePollResult, MessageSendResult } from "./message.js";
 import {
@@ -63,22 +65,23 @@ export type MessageActionRunnerGateway = {
 function resolveAndApplyOutboundThreadId(
   params: Record<string, unknown>,
   ctx: {
+    cfg: OpenClawConfig;
     channel: ChannelId;
     to: string;
+    accountId?: string | null;
     toolContext?: ChannelThreadingToolContext;
-    allowSlackAutoThread: boolean;
   },
 ): string | undefined {
   const threadId = readStringParam(params, "threadId");
-  const slackAutoThreadId =
-    ctx.allowSlackAutoThread && ctx.channel === "slack" && !threadId
-      ? resolveSlackAutoThreadId({ to: ctx.to, toolContext: ctx.toolContext })
-      : undefined;
-  const telegramAutoThreadId =
-    ctx.channel === "telegram" && !threadId
-      ? resolveTelegramAutoThreadId({ to: ctx.to, toolContext: ctx.toolContext })
-      : undefined;
-  const resolved = threadId ?? slackAutoThreadId ?? telegramAutoThreadId;
+  const resolved =
+    threadId ??
+    getChannelPlugin(ctx.channel)?.threading?.resolveAutoThreadId?.({
+      cfg: ctx.cfg,
+      accountId: ctx.accountId,
+      to: ctx.to,
+      toolContext: ctx.toolContext,
+      replyToId: readStringParam(params, "replyTo"),
+    });
   // Write auto-resolved threadId back into params so downstream dispatch
   // (plugin `readStringParam(params, "threadId")`) picks it up.
   if (resolved && !params.threadId) {
@@ -402,12 +405,18 @@ async function handleSendAction(ctx: ResolvedActionContext): Promise<MessageActi
     readStringParam(params, "media", { trim: false }) ??
     readStringParam(params, "path", { trim: false }) ??
     readStringParam(params, "filePath", { trim: false });
+  const hasButtons = Array.isArray(params.buttons) && params.buttons.length > 0;
   const hasCard = params.card != null && typeof params.card === "object";
   const hasComponents = params.components != null && typeof params.components === "object";
+  const hasInteractive = hasInteractiveReplyBlocks(params.interactive);
+  const hasBlocks =
+    (Array.isArray(params.blocks) && params.blocks.length > 0) ||
+    (typeof params.blocks === "string" && params.blocks.trim().length > 0);
   const caption = readStringParam(params, "caption", { allowEmpty: true }) ?? "";
   let message =
     readStringParam(params, "message", {
-      required: !mediaHint && !hasCard && !hasComponents,
+      required:
+        !mediaHint && !hasButtons && !hasCard && !hasComponents && !hasInteractive && !hasBlocks,
       allowEmpty: true,
     }) ?? "";
   if (message.includes("\\n")) {
@@ -473,7 +482,15 @@ async function handleSendAction(ctx: ResolvedActionContext): Promise<MessageActi
       message = "";
     }
   }
-  if (!message.trim() && !mediaUrl && mergedMediaUrls.length === 0 && !hasCard && !hasComponents) {
+  if (
+    !hasReplyContent({
+      text: message,
+      mediaUrl,
+      mediaUrls: mergedMediaUrls,
+      interactive: params.interactive,
+      extraContent: hasButtons || hasCard || hasComponents || hasBlocks,
+    })
+  ) {
     throw new Error("send requires text or media");
   }
   params.message = message;
@@ -484,10 +501,11 @@ async function handleSendAction(ctx: ResolvedActionContext): Promise<MessageActi
 
   const replyToId = readStringParam(params, "replyTo");
   const resolvedThreadId = resolveAndApplyOutboundThreadId(params, {
+    cfg,
     channel,
     to,
+    accountId,
     toolContext: input.toolContext,
-    allowSlackAutoThread: channel === "slack" && !replyToId,
   });
   const outboundRoute =
     agentId && !dryRun
@@ -602,10 +620,11 @@ async function handlePollAction(ctx: ResolvedActionContext): Promise<MessageActi
   }
 
   const resolvedThreadId = resolveAndApplyOutboundThreadId(params, {
+    cfg,
     channel,
     to,
+    accountId,
     toolContext: input.toolContext,
-    allowSlackAutoThread: channel === "slack",
   });
 
   const base = typeof params.message === "string" ? params.message : "";
@@ -670,6 +689,11 @@ async function handlePluginAction(ctx: ResolvedActionContext): Promise<MessageAc
     };
   }
 
+  const plugin = resolveOutboundChannelPlugin({ channel, cfg });
+  if (!plugin?.actions?.handleAction) {
+    throw new Error(`Channel ${channel} is unavailable for message actions (plugin not loaded).`);
+  }
+
   const handled = await dispatchChannelMessageAction({
     channel,
     action,
@@ -708,6 +732,7 @@ export async function runMessageAction(
   parseButtonsParam(params);
   parseCardParam(params);
   parseComponentsParam(params);
+  parseInteractiveParam(params);
 
   const action = input.action;
   if (action === "broadcast") {
diff --git a/src/infra/outbound/message-action-spec.test.ts b/src/infra/outbound/message-action-spec.test.ts
index 138f61e08a0..cc8a127799f 100644
--- a/src/infra/outbound/message-action-spec.test.ts
+++ b/src/infra/outbound/message-action-spec.test.ts
@@ -20,12 +20,25 @@ describe("actionHasTarget", () => {
   });
 
   it("detects alias targets for message and chat actions", () => {
+    expect(actionHasTarget("read", { messageId: "msg_123" }, { channel: "feishu" })).toBe(true);
     expect(actionHasTarget("edit", { messageId: "  msg_123  " })).toBe(true);
+    expect(actionHasTarget("pin", { messageId: "msg_123" }, { channel: "feishu" })).toBe(true);
+    expect(actionHasTarget("unpin", { messageId: "msg_123" }, { channel: "feishu" })).toBe(true);
+    expect(actionHasTarget("list-pins", { chatId: "oc_123" }, { channel: "feishu" })).toBe(true);
+    expect(actionHasTarget("channel-info", { chatId: "oc_123" }, { channel: "feishu" })).toBe(true);
     expect(actionHasTarget("react", { chatGuid: "chat-guid" })).toBe(true);
     expect(actionHasTarget("react", { chatIdentifier: "chat-id" })).toBe(true);
     expect(actionHasTarget("react", { chatId: 42 })).toBe(true);
   });
 
+  it("scopes Feishu-only aliases to Feishu", () => {
+    expect(actionHasTarget("read", { messageId: "msg_123" })).toBe(false);
+    expect(actionHasTarget("pin", { messageId: "msg_123" }, { channel: "slack" })).toBe(false);
+    expect(actionHasTarget("channel-info", { chatId: "oc_123" }, { channel: "discord" })).toBe(
+      false,
+    );
+  });
+
   it("rejects blank and non-finite alias targets", () => {
     expect(actionHasTarget("edit", { messageId: "   " })).toBe(false);
     expect(actionHasTarget("react", { chatGuid: "" })).toBe(false);
diff --git a/src/infra/outbound/message-action-spec.ts b/src/infra/outbound/message-action-spec.ts
index b49a60c6991..a71bc35b6fb 100644
--- a/src/infra/outbound/message-action-spec.ts
+++ b/src/infra/outbound/message-action-spec.ts
@@ -49,6 +49,7 @@ export const MESSAGE_ACTION_TARGET_MODE: Record<ChannelMessageActionName, Messag
     "category-edit": "none",
     "category-delete": "none",
     "topic-create": "to",
+    "topic-edit": "to",
     "voice-status": "none",
     "event-list": "none",
     "event-create": "none",
@@ -59,15 +60,25 @@ export const MESSAGE_ACTION_TARGET_MODE: Record<ChannelMessageActionName, Messag
     "download-file": "none",
   };
 
-const ACTION_TARGET_ALIASES: Partial<Record<ChannelMessageActionName, string[]>> = {
-  unsend: ["messageId"],
-  edit: ["messageId"],
-  react: ["chatGuid", "chatIdentifier", "chatId"],
-  renameGroup: ["chatGuid", "chatIdentifier", "chatId"],
-  setGroupIcon: ["chatGuid", "chatIdentifier", "chatId"],
-  addParticipant: ["chatGuid", "chatIdentifier", "chatId"],
-  removeParticipant: ["chatGuid", "chatIdentifier", "chatId"],
-  leaveGroup: ["chatGuid", "chatIdentifier", "chatId"],
+type ActionTargetAliasSpec = {
+  aliases: string[];
+  channels?: string[];
+};
+
+const ACTION_TARGET_ALIASES: Partial<Record<ChannelMessageActionName, ActionTargetAliasSpec>> = {
+  read: { aliases: ["messageId"], channels: ["feishu"] },
+  unsend: { aliases: ["messageId"] },
+  edit: { aliases: ["messageId"] },
+  pin: { aliases: ["messageId"], channels: ["feishu"] },
+  unpin: { aliases: ["messageId"], channels: ["feishu"] },
+  "list-pins": { aliases: ["chatId"], channels: ["feishu"] },
+  "channel-info": { aliases: ["chatId"], channels: ["feishu"] },
+  react: { aliases: ["chatGuid", "chatIdentifier", "chatId"] },
+  renameGroup: { aliases: ["chatGuid", "chatIdentifier", "chatId"] },
+  setGroupIcon: { aliases: ["chatGuid", "chatIdentifier", "chatId"] },
+  addParticipant: { aliases: ["chatGuid", "chatIdentifier", "chatId"] },
+  removeParticipant: { aliases: ["chatGuid", "chatIdentifier", "chatId"] },
+  leaveGroup: { aliases: ["chatGuid", "chatIdentifier", "chatId"] },
 };
 
 export function actionRequiresTarget(action: ChannelMessageActionName): boolean {
@@ -77,6 +88,7 @@ export function actionRequiresTarget(action: ChannelMessageActionName): boolean
 export function actionHasTarget(
   action: ChannelMessageActionName,
   params: Record<string, unknown>,
+  options?: { channel?: string },
 ): boolean {
   const to = typeof params.to === "string" ? params.to.trim() : "";
   if (to) {
@@ -86,11 +98,17 @@ export function actionHasTarget(
   if (channelId) {
     return true;
   }
-  const aliases = ACTION_TARGET_ALIASES[action];
-  if (!aliases) {
+  const spec = ACTION_TARGET_ALIASES[action];
+  if (!spec) {
     return false;
   }
-  return aliases.some((alias) => {
+  if (
+    spec.channels &&
+    (!options?.channel || !spec.channels.includes(options.channel.trim().toLowerCase()))
+  ) {
+    return false;
+  }
+  return spec.aliases.some((alias) => {
     const value = params[alias];
     if (typeof value === "string") {
       return value.trim().length > 0;
diff --git a/src/infra/outbound/outbound-policy.test.ts b/src/infra/outbound/outbound-policy.test.ts
index fd19649c345..43e71afb923 100644
--- a/src/infra/outbound/outbound-policy.test.ts
+++ b/src/infra/outbound/outbound-policy.test.ts
@@ -1,5 +1,8 @@
-import { describe, expect, it } from "vitest";
+import { beforeEach, describe, expect, it } from "vitest";
+import { discordPlugin } from "../../../extensions/discord/src/channel.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { setActivePluginRegistry } from "../../plugins/runtime.js";
+import { createTestRegistry } from "../../test-utils/channel-plugins.js";
 import {
   applyCrossContextDecoration,
   buildCrossContextDecoration,
@@ -23,6 +26,12 @@ const discordConfig = {
 } as OpenClawConfig;
 
 describe("outbound policy helpers", () => {
+  beforeEach(() => {
+    setActivePluginRegistry(
+      createTestRegistry([{ pluginId: "discord", plugin: discordPlugin, source: "test" }]),
+    );
+  });
+
   it("allows cross-provider sends when enabled", () => {
     const cfg = {
       ...slackConfig,
diff --git a/src/infra/outbound/outbound-session.test.ts b/src/infra/outbound/outbound-session.test.ts
index 17367f4a128..44a6df08251 100644
--- a/src/infra/outbound/outbound-session.test.ts
+++ b/src/infra/outbound/outbound-session.test.ts
@@ -1,8 +1,13 @@
-import { describe, expect, it } from "vitest";
+import { beforeEach, describe, expect, it } from "vitest";
+import { setDefaultChannelPluginRegistryForTests } from "../../commands/channel-test-helpers.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { resolveOutboundSessionRoute } from "./outbound-session.js";
 
 describe("resolveOutboundSessionRoute", () => {
+  beforeEach(() => {
+    setDefaultChannelPluginRegistryForTests();
+  });
+
   const baseConfig = {} as OpenClawConfig;
 
   it("resolves provider-specific session routes", async () => {
diff --git a/src/infra/outbound/outbound-session.ts b/src/infra/outbound/outbound-session.ts
index 9316f1ba5fc..c8da99c5f66 100644
--- a/src/infra/outbound/outbound-session.ts
+++ b/src/infra/outbound/outbound-session.ts
@@ -1,25 +1,3 @@
-import {
-  parseDiscordTarget,
-  type DiscordTargetKind,
-} from "../../../extensions/discord/src/targets.js";
-import {
-  parseIMessageTarget,
-  normalizeIMessageHandle,
-} from "../../../extensions/imessage/src/targets.js";
-import {
-  looksLikeUuid,
-  resolveSignalPeerId,
-  resolveSignalRecipient,
-  resolveSignalSender,
-} from "../../../extensions/signal/src/identity.js";
-import { resolveSlackAccount } from "../../../extensions/slack/src/accounts.js";
-import { createSlackWebClient } from "../../../extensions/slack/src/client.js";
-import { normalizeAllowListLower } from "../../../extensions/slack/src/monitor/allow-list.js";
-import { parseSlackTarget } from "../../../extensions/slack/src/targets.js";
-import { buildTelegramGroupPeerId } from "../../../extensions/telegram/src/bot/helpers.js";
-import { resolveTelegramTargetChatType } from "../../../extensions/telegram/src/inline-buttons.js";
-import { parseTelegramThreadId } from "../../../extensions/telegram/src/outbound-params.js";
-import { parseTelegramTarget } from "../../../extensions/telegram/src/targets.js";
 import type { MsgContext } from "../../auto-reply/templating.js";
 import type { ChatType } from "../../channels/chat-type.js";
 import { getChannelPlugin } from "../../channels/plugins/index.js";
@@ -52,9 +30,6 @@ export type ResolveOutboundSessionRouteParams = {
   threadId?: string | number | null;
 };
 
-// Cache Slack channel type lookups to avoid repeated API calls.
-const SLACK_CHANNEL_TYPE_CACHE = new Map<string, "channel" | "group" | "dm" | "unknown">();
-
 function normalizeThreadId(value?: string | number | null): string | undefined {
   if (value == null) {
     return undefined;
@@ -124,238 +99,6 @@ function buildBaseSessionKey(params: {
   });
 }
 
-// Best-effort mpim detection: allowlist/config, then Slack API (if token available).
-async function resolveSlackChannelType(params: {
-  cfg: OpenClawConfig;
-  accountId?: string | null;
-  channelId: string;
-}): Promise<"channel" | "group" | "dm" | "unknown"> {
-  const channelId = params.channelId.trim();
-  if (!channelId) {
-    return "unknown";
-  }
-  const cached = SLACK_CHANNEL_TYPE_CACHE.get(`${params.accountId ?? "default"}:${channelId}`);
-  if (cached) {
-    return cached;
-  }
-
-  const account = resolveSlackAccount({ cfg: params.cfg, accountId: params.accountId });
-  const groupChannels = normalizeAllowListLower(account.dm?.groupChannels);
-  const channelIdLower = channelId.toLowerCase();
-  if (
-    groupChannels.includes(channelIdLower) ||
-    groupChannels.includes(`slack:${channelIdLower}`) ||
-    groupChannels.includes(`channel:${channelIdLower}`) ||
-    groupChannels.includes(`group:${channelIdLower}`) ||
-    groupChannels.includes(`mpim:${channelIdLower}`)
-  ) {
-    SLACK_CHANNEL_TYPE_CACHE.set(`${account.accountId}:${channelId}`, "group");
-    return "group";
-  }
-
-  const channelKeys = Object.keys(account.channels ?? {});
-  if (
-    channelKeys.some((key) => {
-      const normalized = key.trim().toLowerCase();
-      return (
-        normalized === channelIdLower ||
-        normalized === `channel:${channelIdLower}` ||
-        normalized.replace(/^#/, "") === channelIdLower
-      );
-    })
-  ) {
-    SLACK_CHANNEL_TYPE_CACHE.set(`${account.accountId}:${channelId}`, "channel");
-    return "channel";
-  }
-
-  const token = account.botToken?.trim() || account.userToken || "";
-  if (!token) {
-    SLACK_CHANNEL_TYPE_CACHE.set(`${account.accountId}:${channelId}`, "unknown");
-    return "unknown";
-  }
-
-  try {
-    const client = createSlackWebClient(token);
-    const info = await client.conversations.info({ channel: channelId });
-    const channel = info.channel as { is_im?: boolean; is_mpim?: boolean } | undefined;
-    const type = channel?.is_im ? "dm" : channel?.is_mpim ? "group" : "channel";
-    SLACK_CHANNEL_TYPE_CACHE.set(`${account.accountId}:${channelId}`, type);
-    return type;
-  } catch {
-    SLACK_CHANNEL_TYPE_CACHE.set(`${account.accountId}:${channelId}`, "unknown");
-    return "unknown";
-  }
-}
-
-async function resolveSlackSession(
-  params: ResolveOutboundSessionRouteParams,
-): Promise<OutboundSessionRoute | null> {
-  const parsed = parseSlackTarget(params.target, { defaultKind: "channel" });
-  if (!parsed) {
-    return null;
-  }
-  const isDm = parsed.kind === "user";
-  let peerKind: ChatType = isDm ? "direct" : "channel";
-  if (!isDm && /^G/i.test(parsed.id)) {
-    // Slack mpim/group DMs share the G-prefix; detect to align session keys with inbound.
-    const channelType = await resolveSlackChannelType({
-      cfg: params.cfg,
-      accountId: params.accountId,
-      channelId: parsed.id,
-    });
-    if (channelType === "group") {
-      peerKind = "group";
-    }
-    if (channelType === "dm") {
-      peerKind = "direct";
-    }
-  }
-  const peer: RoutePeer = {
-    kind: peerKind,
-    id: parsed.id,
-  };
-  const baseSessionKey = buildBaseSessionKey({
-    cfg: params.cfg,
-    agentId: params.agentId,
-    channel: "slack",
-    accountId: params.accountId,
-    peer,
-  });
-  const threadId = normalizeThreadId(params.threadId ?? params.replyToId);
-  const threadKeys = resolveThreadSessionKeys({
-    baseSessionKey,
-    threadId,
-  });
-  return {
-    sessionKey: threadKeys.sessionKey,
-    baseSessionKey,
-    peer,
-    chatType: peerKind === "direct" ? "direct" : "channel",
-    from:
-      peerKind === "direct"
-        ? `slack:${parsed.id}`
-        : peerKind === "group"
-          ? `slack:group:${parsed.id}`
-          : `slack:channel:${parsed.id}`,
-    to: peerKind === "direct" ? `user:${parsed.id}` : `channel:${parsed.id}`,
-    threadId,
-  };
-}
-
-function resolveDiscordSession(
-  params: ResolveOutboundSessionRouteParams,
-): OutboundSessionRoute | null {
-  const parsed = parseDiscordTarget(params.target, {
-    defaultKind: resolveDiscordOutboundTargetKindHint(params),
-  });
-  if (!parsed) {
-    return null;
-  }
-  const isDm = parsed.kind === "user";
-  const peer: RoutePeer = {
-    kind: isDm ? "direct" : "channel",
-    id: parsed.id,
-  };
-  const baseSessionKey = buildBaseSessionKey({
-    cfg: params.cfg,
-    agentId: params.agentId,
-    channel: "discord",
-    accountId: params.accountId,
-    peer,
-  });
-  const explicitThreadId = normalizeThreadId(params.threadId);
-  const threadCandidate = explicitThreadId ?? normalizeThreadId(params.replyToId);
-  // Discord threads use their own channel id; avoid adding a :thread suffix.
-  const threadKeys = resolveThreadSessionKeys({
-    baseSessionKey,
-    threadId: threadCandidate,
-    useSuffix: false,
-  });
-  return {
-    sessionKey: threadKeys.sessionKey,
-    baseSessionKey,
-    peer,
-    chatType: isDm ? "direct" : "channel",
-    from: isDm ? `discord:${parsed.id}` : `discord:channel:${parsed.id}`,
-    to: isDm ? `user:${parsed.id}` : `channel:${parsed.id}`,
-    threadId: explicitThreadId ?? undefined,
-  };
-}
-
-function resolveDiscordOutboundTargetKindHint(
-  params: ResolveOutboundSessionRouteParams,
-): DiscordTargetKind | undefined {
-  const resolvedKind = params.resolvedTarget?.kind;
-  if (resolvedKind === "user") {
-    return "user";
-  }
-  if (resolvedKind === "group" || resolvedKind === "channel") {
-    return "channel";
-  }
-
-  const target = params.target.trim();
-  if (/^channel:/i.test(target)) {
-    return "channel";
-  }
-  if (/^(user:|discord:|@|<@!?)/i.test(target)) {
-    return "user";
-  }
-  return undefined;
-}
-
-function resolveTelegramSession(
-  params: ResolveOutboundSessionRouteParams,
-): OutboundSessionRoute | null {
-  const parsed = parseTelegramTarget(params.target);
-  const chatId = parsed.chatId.trim();
-  if (!chatId) {
-    return null;
-  }
-  const parsedThreadId = parsed.messageThreadId;
-  const fallbackThreadId = normalizeThreadId(params.threadId);
-  const resolvedThreadId = parsedThreadId ?? parseTelegramThreadId(fallbackThreadId);
-  // Telegram topics are encoded in the peer id (chatId:topic:<id>).
-  const chatType = resolveTelegramTargetChatType(params.target);
-  // If the target is a username and we lack a resolvedTarget, default to DM to avoid group keys.
-  const isGroup =
-    chatType === "group" ||
-    (chatType === "unknown" &&
-      params.resolvedTarget?.kind &&
-      params.resolvedTarget.kind !== "user");
-  // For groups: include thread ID in peerId. For DMs: use simple chatId (thread handled via suffix).
-  const peerId =
-    isGroup && resolvedThreadId ? buildTelegramGroupPeerId(chatId, resolvedThreadId) : chatId;
-  const peer: RoutePeer = {
-    kind: isGroup ? "group" : "direct",
-    id: peerId,
-  };
-  const baseSessionKey = buildBaseSessionKey({
-    cfg: params.cfg,
-    agentId: params.agentId,
-    channel: "telegram",
-    accountId: params.accountId,
-    peer,
-  });
-  // Use thread suffix for DM topics to match inbound session key format
-  const threadKeys =
-    resolvedThreadId && !isGroup
-      ? { sessionKey: `${baseSessionKey}:thread:${resolvedThreadId}` }
-      : null;
-  return {
-    sessionKey: threadKeys?.sessionKey ?? baseSessionKey,
-    baseSessionKey,
-    peer,
-    chatType: isGroup ? "group" : "direct",
-    from: isGroup
-      ? `telegram:group:${peerId}`
-      : resolvedThreadId
-        ? `telegram:${chatId}:topic:${resolvedThreadId}`
-        : `telegram:${chatId}`,
-    to: `telegram:${chatId}`,
-    threadId: resolvedThreadId,
-  };
-}
-
 function resolveWhatsAppSession(
   params: ResolveOutboundSessionRouteParams,
 ): OutboundSessionRoute | null {
@@ -385,131 +128,6 @@ function resolveWhatsAppSession(
   };
 }
 
-function resolveSignalSession(
-  params: ResolveOutboundSessionRouteParams,
-): OutboundSessionRoute | null {
-  const stripped = stripProviderPrefix(params.target, "signal");
-  const lowered = stripped.toLowerCase();
-  if (lowered.startsWith("group:")) {
-    const groupId = stripped.slice("group:".length).trim();
-    if (!groupId) {
-      return null;
-    }
-    const peer: RoutePeer = { kind: "group", id: groupId };
-    const baseSessionKey = buildBaseSessionKey({
-      cfg: params.cfg,
-      agentId: params.agentId,
-      channel: "signal",
-      accountId: params.accountId,
-      peer,
-    });
-    return {
-      sessionKey: baseSessionKey,
-      baseSessionKey,
-      peer,
-      chatType: "group",
-      from: `group:${groupId}`,
-      to: `group:${groupId}`,
-    };
-  }
-
-  let recipient = stripped.trim();
-  if (lowered.startsWith("username:")) {
-    recipient = stripped.slice("username:".length).trim();
-  } else if (lowered.startsWith("u:")) {
-    recipient = stripped.slice("u:".length).trim();
-  }
-  if (!recipient) {
-    return null;
-  }
-
-  const uuidCandidate = recipient.toLowerCase().startsWith("uuid:")
-    ? recipient.slice("uuid:".length)
-    : recipient;
-  const sender = resolveSignalSender({
-    sourceUuid: looksLikeUuid(uuidCandidate) ? uuidCandidate : null,
-    sourceNumber: looksLikeUuid(uuidCandidate) ? null : recipient,
-  });
-  const peerId = sender ? resolveSignalPeerId(sender) : recipient;
-  const displayRecipient = sender ? resolveSignalRecipient(sender) : recipient;
-  const peer: RoutePeer = { kind: "direct", id: peerId };
-  const baseSessionKey = buildBaseSessionKey({
-    cfg: params.cfg,
-    agentId: params.agentId,
-    channel: "signal",
-    accountId: params.accountId,
-    peer,
-  });
-  return {
-    sessionKey: baseSessionKey,
-    baseSessionKey,
-    peer,
-    chatType: "direct",
-    from: `signal:${displayRecipient}`,
-    to: `signal:${displayRecipient}`,
-  };
-}
-
-function resolveIMessageSession(
-  params: ResolveOutboundSessionRouteParams,
-): OutboundSessionRoute | null {
-  const parsed = parseIMessageTarget(params.target);
-  if (parsed.kind === "handle") {
-    const handle = normalizeIMessageHandle(parsed.to);
-    if (!handle) {
-      return null;
-    }
-    const peer: RoutePeer = { kind: "direct", id: handle };
-    const baseSessionKey = buildBaseSessionKey({
-      cfg: params.cfg,
-      agentId: params.agentId,
-      channel: "imessage",
-      accountId: params.accountId,
-      peer,
-    });
-    return {
-      sessionKey: baseSessionKey,
-      baseSessionKey,
-      peer,
-      chatType: "direct",
-      from: `imessage:${handle}`,
-      to: `imessage:${handle}`,
-    };
-  }
-
-  const peerId =
-    parsed.kind === "chat_id"
-      ? String(parsed.chatId)
-      : parsed.kind === "chat_guid"
-        ? parsed.chatGuid
-        : parsed.chatIdentifier;
-  if (!peerId) {
-    return null;
-  }
-  const peer: RoutePeer = { kind: "group", id: peerId };
-  const baseSessionKey = buildBaseSessionKey({
-    cfg: params.cfg,
-    agentId: params.agentId,
-    channel: "imessage",
-    accountId: params.accountId,
-    peer,
-  });
-  const toPrefix =
-    parsed.kind === "chat_id"
-      ? "chat_id"
-      : parsed.kind === "chat_guid"
-        ? "chat_guid"
-        : "chat_identifier";
-  return {
-    sessionKey: baseSessionKey,
-    baseSessionKey,
-    peer,
-    chatType: "group",
-    from: `imessage:group:${peerId}`,
-    to: `${toPrefix}:${peerId}`,
-  };
-}
-
 function resolveMatrixSession(
   params: ResolveOutboundSessionRouteParams,
 ): OutboundSessionRoute | null {
@@ -944,12 +562,7 @@ type OutboundSessionResolver = (
 ) => OutboundSessionRoute | null | Promise<OutboundSessionRoute | null>;
 
 const OUTBOUND_SESSION_RESOLVERS: Partial<Record<ChannelId, OutboundSessionResolver>> = {
-  slack: resolveSlackSession,
-  discord: resolveDiscordSession,
-  telegram: resolveTelegramSession,
   whatsapp: resolveWhatsAppSession,
-  signal: resolveSignalSession,
-  imessage: resolveIMessageSession,
   matrix: resolveMatrixSession,
   msteams: resolveMSTeamsSession,
   mattermost: resolveMattermostSession,
@@ -970,6 +583,20 @@ export async function resolveOutboundSessionRoute(
     return null;
   }
   const nextParams = { ...params, target };
+  const pluginRoute = await getChannelPlugin(
+    params.channel,
+  )?.messaging?.resolveOutboundSessionRoute?.({
+    cfg: nextParams.cfg,
+    agentId: nextParams.agentId,
+    accountId: nextParams.accountId,
+    target,
+    resolvedTarget: nextParams.resolvedTarget,
+    replyToId: nextParams.replyToId,
+    threadId: nextParams.threadId,
+  });
+  if (pluginRoute) {
+    return pluginRoute;
+  }
   const resolver = OUTBOUND_SESSION_RESOLVERS[params.channel];
   if (!resolver) {
     return resolveFallbackSession(nextParams);
diff --git a/src/infra/outbound/outbound.test.ts b/src/infra/outbound/outbound.test.ts
index 9e58d5c6c05..150dd4e26ea 100644
--- a/src/infra/outbound/outbound.test.ts
+++ b/src/infra/outbound/outbound.test.ts
@@ -2,8 +2,12 @@ import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { discordPlugin } from "../../../extensions/discord/src/channel.js";
 import type { ReplyPayload } from "../../auto-reply/types.js";
+import { setDefaultChannelPluginRegistryForTests } from "../../commands/channel-test-helpers.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { setActivePluginRegistry } from "../../plugins/runtime.js";
+import { createTestRegistry } from "../../test-utils/channel-plugins.js";
 import { typedCases } from "../../test-utils/typed-cases.js";
 import {
   ackDelivery,
@@ -39,6 +43,12 @@ import {
 } from "./payloads.js";
 import { runResolveOutboundTargetCoreTests } from "./targets.shared-test.js";
 
+beforeEach(() => {
+  setActivePluginRegistry(
+    createTestRegistry([{ pluginId: "discord", plugin: discordPlugin, source: "test" }]),
+  );
+});
+
 describe("delivery-queue", () => {
   let tmpDir: string;
   let fixtureRoot = "";
@@ -879,6 +889,10 @@ const discordConfig = {
 } as OpenClawConfig;
 
 describe("outbound policy", () => {
+  beforeEach(() => {
+    setDefaultChannelPluginRegistryForTests();
+  });
+
   it("allows cross-provider sends when enabled", () => {
     const cfg = {
       ...slackConfig,
@@ -921,6 +935,10 @@ describe("outbound policy", () => {
 });
 
 describe("resolveOutboundSessionRoute", () => {
+  beforeEach(() => {
+    setDefaultChannelPluginRegistryForTests();
+  });
+
   const baseConfig = {} as OpenClawConfig;
 
   it("resolves provider-specific session routes", async () => {
diff --git a/src/infra/outbound/payloads.ts b/src/infra/outbound/payloads.ts
index 754d3434445..d98bf22c218 100644
--- a/src/infra/outbound/payloads.ts
+++ b/src/infra/outbound/payloads.ts
@@ -5,10 +5,17 @@ import {
   shouldSuppressReasoningPayload,
 } from "../../auto-reply/reply/reply-payloads.js";
 import type { ReplyPayload } from "../../auto-reply/types.js";
+import {
+  hasInteractiveReplyBlocks,
+  hasReplyChannelData,
+  hasReplyContent,
+  type InteractiveReply,
+} from "../../interactive/payload.js";
 
 export type NormalizedOutboundPayload = {
   text: string;
   mediaUrls: string[];
+  interactive?: InteractiveReply;
   channelData?: Record<string, unknown>;
 };
 
@@ -16,6 +23,7 @@ export type OutboundPayloadJson = {
   text: string;
   mediaUrl: string | null;
   mediaUrls?: string[];
+  interactive?: InteractiveReply;
   channelData?: Record<string, unknown>;
 };
 
@@ -89,15 +97,25 @@ export function normalizeOutboundPayloads(
   const normalizedPayloads: NormalizedOutboundPayload[] = [];
   for (const payload of normalizeReplyPayloadsForDelivery(payloads)) {
     const mediaUrls = payload.mediaUrls ?? (payload.mediaUrl ? [payload.mediaUrl] : []);
+    const interactive = payload.interactive;
     const channelData = payload.channelData;
-    const hasChannelData = Boolean(channelData && Object.keys(channelData).length > 0);
+    const hasChannelData = hasReplyChannelData(channelData);
+    const hasInteractive = hasInteractiveReplyBlocks(interactive);
     const text = payload.text ?? "";
-    if (!text && mediaUrls.length === 0 && !hasChannelData) {
+    if (
+      !hasReplyContent({
+        text,
+        mediaUrls,
+        interactive,
+        hasChannelData,
+      })
+    ) {
       continue;
     }
     normalizedPayloads.push({
       text,
       mediaUrls,
+      ...(hasInteractive ? { interactive } : {}),
       ...(hasChannelData ? { channelData } : {}),
     });
   }
@@ -113,6 +131,7 @@ export function normalizeOutboundPayloadsForJson(
       text: payload.text ?? "",
       mediaUrl: payload.mediaUrl ?? null,
       mediaUrls: payload.mediaUrls ?? (payload.mediaUrl ? [payload.mediaUrl] : undefined),
+      interactive: payload.interactive,
       channelData: payload.channelData,
     });
   }
diff --git a/src/infra/outbound/targets.test.ts b/src/infra/outbound/targets.test.ts
index 4da860d083f..2ac707a804d 100644
--- a/src/infra/outbound/targets.test.ts
+++ b/src/infra/outbound/targets.test.ts
@@ -1,9 +1,12 @@
-import { describe, expect, it } from "vitest";
-import { telegramOutbound } from "../../channels/plugins/outbound/telegram.js";
+import { beforeEach, describe, expect, it } from "vitest";
+import { parseTelegramTarget } from "../../../extensions/telegram/src/targets.js";
+import { telegramOutbound, whatsappOutbound } from "../../../test/channel-outbounds.js";
+import type { ChannelOutboundAdapter } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionEntry } from "../../config/sessions/types.js";
 import { setActivePluginRegistry } from "../../plugins/runtime.js";
 import { createOutboundTestPlugin, createTestRegistry } from "../../test-utils/channel-plugins.js";
+import { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "../../whatsapp/normalize.js";
 import {
   resolveHeartbeatDeliveryTarget,
   resolveOutboundTarget,
@@ -17,6 +20,76 @@ import {
 
 runResolveOutboundTargetCoreTests();
 
+const telegramMessaging = {
+  parseExplicitTarget: ({ raw }: { raw: string }) => {
+    const target = parseTelegramTarget(raw);
+    return {
+      to: target.chatId,
+      threadId: target.messageThreadId,
+      chatType: target.chatType === "unknown" ? undefined : target.chatType,
+    };
+  },
+  inferTargetChatType: ({ to }: { to: string }) => {
+    const target = parseTelegramTarget(to);
+    return target.chatType === "unknown" ? undefined : target.chatType;
+  },
+};
+
+const whatsappMessaging = {
+  inferTargetChatType: ({ to }: { to: string }) => {
+    const normalized = normalizeWhatsAppTarget(to);
+    if (!normalized) {
+      return undefined;
+    }
+    return isWhatsAppGroupJid(normalized) ? ("group" as const) : ("direct" as const);
+  },
+};
+
+const noopOutbound = (channel: "discord" | "imessage" | "slack"): ChannelOutboundAdapter => ({
+  deliveryMode: "direct",
+  sendText: async () => ({ channel, messageId: `${channel}-msg` }),
+});
+
+beforeEach(() => {
+  setActivePluginRegistry(
+    createTestRegistry([
+      {
+        pluginId: "discord",
+        plugin: createOutboundTestPlugin({ id: "discord", outbound: noopOutbound("discord") }),
+        source: "test",
+      },
+      {
+        pluginId: "imessage",
+        plugin: createOutboundTestPlugin({ id: "imessage", outbound: noopOutbound("imessage") }),
+        source: "test",
+      },
+      {
+        pluginId: "slack",
+        plugin: createOutboundTestPlugin({ id: "slack", outbound: noopOutbound("slack") }),
+        source: "test",
+      },
+      {
+        pluginId: "telegram",
+        plugin: createOutboundTestPlugin({
+          id: "telegram",
+          outbound: telegramOutbound,
+          messaging: telegramMessaging,
+        }),
+        source: "test",
+      },
+      {
+        pluginId: "whatsapp",
+        plugin: createOutboundTestPlugin({
+          id: "whatsapp",
+          outbound: whatsappOutbound,
+          messaging: whatsappMessaging,
+        }),
+        source: "test",
+      },
+    ]),
+  );
+});
+
 describe("resolveOutboundTarget defaultTo config fallback", () => {
   installResolveOutboundTargetPluginRegistryHooks();
   const whatsappDefaultCfg: OpenClawConfig = {
@@ -80,7 +153,11 @@ describe("resolveOutboundTarget defaultTo config fallback", () => {
 
     registry.channels.push({
       pluginId: "telegram",
-      plugin: createOutboundTestPlugin({ id: "telegram", outbound: telegramOutbound }),
+      plugin: createOutboundTestPlugin({
+        id: "telegram",
+        outbound: telegramOutbound,
+        messaging: telegramMessaging,
+      }),
       source: "test",
     });
 
@@ -310,6 +387,24 @@ describe("resolveSessionDeliveryTarget", () => {
     expect(resolved.threadId).toBeUndefined();
   });
 
+  it("keeps raw :topic: targets when the telegram plugin registry is unavailable", () => {
+    setActivePluginRegistry(createTestRegistry([]));
+
+    const resolved = resolveSessionDeliveryTarget({
+      entry: {
+        sessionId: "sess-no-registry",
+        updatedAt: 1,
+        lastChannel: "telegram",
+        lastTo: "63448508",
+      },
+      requestedChannel: "last",
+      explicitTo: "63448508:topic:1008013",
+    });
+
+    expect(resolved.to).toBe("63448508:topic:1008013");
+    expect(resolved.threadId).toBeUndefined();
+  });
+
   it("explicitThreadId takes priority over :topic: parsed value", () => {
     const resolved = resolveSessionDeliveryTarget({
       entry: {
diff --git a/src/infra/outbound/targets.ts b/src/infra/outbound/targets.ts
index 9859176abbf..b15dfb881b2 100644
--- a/src/infra/outbound/targets.ts
+++ b/src/infra/outbound/targets.ts
@@ -1,9 +1,3 @@
-import { parseDiscordTarget } from "../../../extensions/discord/src/targets.js";
-import { parseSlackTarget } from "../../../extensions/slack/src/targets.js";
-import {
-  parseTelegramTarget,
-  resolveTelegramTargetChatType,
-} from "../../../extensions/telegram/src/targets.js";
 import { normalizeChatType, type ChatType } from "../../channels/chat-type.js";
 import type { ChannelOutboundTargetMode } from "../../channels/plugins/types.js";
 import { formatCliCommand } from "../../cli/command-format.js";
@@ -22,7 +16,6 @@ import {
   isDeliverableMessageChannel,
   normalizeMessageChannel,
 } from "../../utils/message-channel.js";
-import { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "../../whatsapp/normalize.js";
 import {
   normalizeDeliverableOutboundChannel,
   resolveOutboundChannelPlugin,
@@ -65,6 +58,26 @@ export type SessionDeliveryTarget = {
   lastThreadId?: string | number;
 };
 
+function parseExplicitTargetWithPlugin(params: {
+  channel?: DeliverableMessageChannel;
+  fallbackChannel?: DeliverableMessageChannel;
+  raw?: string;
+}) {
+  const raw = params.raw?.trim();
+  if (!raw) {
+    return null;
+  }
+  const provider = params.channel ?? params.fallbackChannel;
+  if (!provider) {
+    return null;
+  }
+  return (
+    resolveOutboundChannelPlugin({ channel: provider })?.messaging?.parseExplicitTarget?.({
+      raw,
+    }) ?? null
+  );
+}
+
 export function resolveSessionDeliveryTarget(params: {
   entry?: SessionEntry;
   requestedChannel?: GatewayMessageChannel | "last";
@@ -124,22 +137,19 @@ export function resolveSessionDeliveryTarget(params: {
     channel = params.fallbackChannel;
   }
 
-  // Parse :topic:NNN from explicitTo (Telegram topic syntax).
-  // Only applies when we positively know the channel is Telegram.
-  // When channel is unknown, the downstream send path (resolveTelegramSession)
-  // handles :topic: parsing independently.
-  const isTelegramContext = channel === "telegram" || (!channel && lastChannel === "telegram");
   let explicitTo = rawExplicitTo;
-  let parsedThreadId: number | undefined;
-  if (isTelegramContext && rawExplicitTo && rawExplicitTo.includes(":topic:")) {
-    const parsed = parseTelegramTarget(rawExplicitTo);
-    explicitTo = parsed.chatId;
-    parsedThreadId = parsed.messageThreadId;
+  const parsedExplicitTarget = parseExplicitTargetWithPlugin({
+    channel,
+    fallbackChannel: !channel ? lastChannel : undefined,
+    raw: rawExplicitTo,
+  });
+  if (parsedExplicitTarget?.to) {
+    explicitTo = parsedExplicitTarget.to;
   }
   const explicitThreadId =
     params.explicitThreadId != null && params.explicitThreadId !== ""
       ? params.explicitThreadId
-      : parsedThreadId;
+      : parsedExplicitTarget?.threadId;
 
   let to = explicitTo;
   if (!to && lastTo) {
@@ -387,70 +397,6 @@ function buildNoHeartbeatDeliveryTarget(params: {
   };
 }
 
-function inferDiscordTargetChatType(to: string): ChatType | undefined {
-  try {
-    const target = parseDiscordTarget(to, { defaultKind: "channel" });
-    if (!target) {
-      return undefined;
-    }
-    return target.kind === "user" ? "direct" : "channel";
-  } catch {
-    return undefined;
-  }
-}
-
-function inferSlackTargetChatType(to: string): ChatType | undefined {
-  const target = parseSlackTarget(to, { defaultKind: "channel" });
-  if (!target) {
-    return undefined;
-  }
-  return target.kind === "user" ? "direct" : "channel";
-}
-
-function inferTelegramTargetChatType(to: string): ChatType | undefined {
-  const chatType = resolveTelegramTargetChatType(to);
-  return chatType === "unknown" ? undefined : chatType;
-}
-
-function inferWhatsAppTargetChatType(to: string): ChatType | undefined {
-  const normalized = normalizeWhatsAppTarget(to);
-  if (!normalized) {
-    return undefined;
-  }
-  return isWhatsAppGroupJid(normalized) ? "group" : "direct";
-}
-
-function inferSignalTargetChatType(rawTo: string): ChatType | undefined {
-  let to = rawTo.trim();
-  if (!to) {
-    return undefined;
-  }
-  if (/^signal:/i.test(to)) {
-    to = to.replace(/^signal:/i, "").trim();
-  }
-  if (!to) {
-    return undefined;
-  }
-  const lower = to.toLowerCase();
-  if (lower.startsWith("group:")) {
-    return "group";
-  }
-  if (lower.startsWith("username:") || lower.startsWith("u:")) {
-    return "direct";
-  }
-  return "direct";
-}
-
-const HEARTBEAT_TARGET_CHAT_TYPE_INFERERS: Partial<
-  Record<DeliverableMessageChannel, (to: string) => ChatType | undefined>
-> = {
-  discord: inferDiscordTargetChatType,
-  slack: inferSlackTargetChatType,
-  telegram: inferTelegramTargetChatType,
-  whatsapp: inferWhatsAppTargetChatType,
-  signal: inferSignalTargetChatType,
-};
-
 function inferChatTypeFromTarget(params: {
   channel: DeliverableMessageChannel;
   to: string;
@@ -469,7 +415,11 @@ function inferChatTypeFromTarget(params: {
   if (/^group:/i.test(to)) {
     return "group";
   }
-  return HEARTBEAT_TARGET_CHAT_TYPE_INFERERS[params.channel]?.(to);
+  return (
+    resolveOutboundChannelPlugin({
+      channel: params.channel,
+    })?.messaging?.inferTargetChatType?.({ to }) ?? undefined
+  );
 }
 
 function resolveHeartbeatDeliveryChatType(params: {
diff --git a/src/infra/provider-usage.auth.ts b/src/infra/provider-usage.auth.ts
index a3981fe5f32..00bba63f2e1 100644
--- a/src/infra/provider-usage.auth.ts
+++ b/src/infra/provider-usage.auth.ts
@@ -1,6 +1,3 @@
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
 import {
   dedupeProfileIds,
   ensureAuthProfileStore,
@@ -14,7 +11,6 @@ import { normalizeProviderId } from "../agents/model-selection.js";
 import { loadConfig, type OpenClawConfig } from "../config/config.js";
 import { resolveProviderUsageAuthWithPlugin } from "../plugins/provider-runtime.js";
 import { normalizeSecretInput } from "../utils/normalize-secret-input.js";
-import { resolveRequiredHomeDir } from "./home-dir.js";
 import type { UsageProviderId } from "./provider-usage.types.js";
 
 export type ProviderAuth = {
@@ -32,46 +28,6 @@ type UsageAuthState = {
   agentDir?: string;
 };
 
-const LEGACY_OAUTH_USAGE_PROVIDERS = new Set<UsageProviderId>([
-  "anthropic",
-  "github-copilot",
-  "google-gemini-cli",
-  "openai-codex",
-]);
-
-function parseGoogleToken(apiKey: string): { token: string } | null {
-  try {
-    const parsed = JSON.parse(apiKey) as { token?: unknown };
-    if (parsed && typeof parsed.token === "string") {
-      return { token: parsed.token };
-    }
-  } catch {
-    // ignore
-  }
-  return null;
-}
-
-function resolveLegacyZaiApiKey(state: UsageAuthState): string | undefined {
-  try {
-    const authPath = path.join(
-      resolveRequiredHomeDir(state.env, os.homedir),
-      ".pi",
-      "agent",
-      "auth.json",
-    );
-    if (!fs.existsSync(authPath)) {
-      return undefined;
-    }
-    const data = JSON.parse(fs.readFileSync(authPath, "utf-8")) as Record<
-      string,
-      { access?: string }
-    >;
-    return data["z-ai"]?.access || data.zai?.access;
-  } catch {
-    return undefined;
-  }
-}
-
 function resolveProviderApiKeyFromConfigAndStore(params: {
   state: UsageAuthState;
   providerIds: string[];
@@ -236,66 +192,7 @@ export async function resolveProviderAuths(params: {
     });
     if (pluginAuth) {
       auths.push(pluginAuth);
-      continue;
     }
-
-    if (provider === "zai") {
-      const apiKey =
-        resolveProviderApiKeyFromConfigAndStore({
-          state,
-          providerIds: ["zai", "z-ai"],
-          envDirect: [state.env.ZAI_API_KEY, state.env.Z_AI_API_KEY],
-        }) ?? resolveLegacyZaiApiKey(state);
-      if (apiKey) {
-        auths.push({ provider, token: apiKey });
-      }
-      continue;
-    }
-
-    if (provider === "minimax") {
-      const apiKey = resolveProviderApiKeyFromConfigAndStore({
-        state,
-        providerIds: ["minimax"],
-        envDirect: [state.env.MINIMAX_CODE_PLAN_KEY, state.env.MINIMAX_API_KEY],
-      });
-      if (apiKey) {
-        auths.push({ provider, token: apiKey });
-      }
-      continue;
-    }
-
-    if (provider === "xiaomi") {
-      const apiKey = resolveProviderApiKeyFromConfigAndStore({
-        state,
-        providerIds: ["xiaomi"],
-        envDirect: [state.env.XIAOMI_API_KEY],
-      });
-      if (apiKey) {
-        auths.push({ provider, token: apiKey });
-      }
-      continue;
-    }
-
-    if (!LEGACY_OAUTH_USAGE_PROVIDERS.has(provider)) {
-      continue;
-    }
-
-    const auth = await resolveOAuthToken({
-      state,
-      provider,
-    });
-    if (!auth) {
-      continue;
-    }
-    if (provider === "google-gemini-cli") {
-      const parsed = parseGoogleToken(auth.token);
-      auths.push({
-        ...auth,
-        token: parsed?.token ?? auth.token,
-      });
-      continue;
-    }
-    auths.push(auth);
   }
 
   return auths;
diff --git a/src/infra/provider-usage.fetch.shared.test.ts b/src/infra/provider-usage.fetch.shared.test.ts
index 692a57705db..b287f1fad04 100644
--- a/src/infra/provider-usage.fetch.shared.test.ts
+++ b/src/infra/provider-usage.fetch.shared.test.ts
@@ -1,4 +1,5 @@
 import { afterEach, describe, expect, it, vi } from "vitest";
+import { withFetchPreconnect } from "../test-utils/fetch-mock.js";
 import {
   buildUsageErrorSnapshot,
   buildUsageHttpErrorSnapshot,
@@ -36,7 +37,7 @@ describe("provider usage fetch shared helpers", () => {
       async (_input: URL | RequestInfo, init?: RequestInit) =>
         new Response(JSON.stringify({ aborted: init?.signal?.aborted ?? false }), { status: 200 }),
     );
-    const fetchFn = fetchFnMock as typeof fetch;
+    const fetchFn = withFetchPreconnect(fetchFnMock);
 
     const response = await fetchJson(
       "https://example.com/usage",
@@ -71,7 +72,7 @@ describe("provider usage fetch shared helpers", () => {
           });
         }),
     );
-    const fetchFn = fetchFnMock as typeof fetch;
+    const fetchFn = withFetchPreconnect(fetchFnMock);
 
     const request = fetchJson("https://example.com/usage", {}, 50, fetchFn);
     const rejection = expect(request).rejects.toThrow("aborted by timeout");
diff --git a/src/infra/provider-usage.fetch.ts b/src/infra/provider-usage.fetch.ts
index e0bcd60c94b..87f216eef24 100644
--- a/src/infra/provider-usage.fetch.ts
+++ b/src/infra/provider-usage.fetch.ts
@@ -1,6 +1,5 @@
 export { fetchClaudeUsage } from "./provider-usage.fetch.claude.js";
 export { fetchCodexUsage } from "./provider-usage.fetch.codex.js";
-export { fetchCopilotUsage } from "./provider-usage.fetch.copilot.js";
 export { fetchGeminiUsage } from "./provider-usage.fetch.gemini.js";
 export { fetchMinimaxUsage } from "./provider-usage.fetch.minimax.js";
 export { fetchZaiUsage } from "./provider-usage.fetch.zai.js";
diff --git a/src/infra/provider-usage.load.plugin.test.ts b/src/infra/provider-usage.load.plugin.test.ts
index cf78ac667da..55cff6cad72 100644
--- a/src/infra/provider-usage.load.plugin.test.ts
+++ b/src/infra/provider-usage.load.plugin.test.ts
@@ -22,7 +22,7 @@ describe("provider-usage.load plugin seam", () => {
     resolveProviderUsageSnapshotWithPluginMock.mockResolvedValue(null);
   });
 
-  it("prefers plugin-owned usage snapshots before the legacy core switch", async () => {
+  it("prefers plugin-owned usage snapshots", async () => {
     resolveProviderUsageSnapshotWithPluginMock.mockResolvedValueOnce({
       provider: "github-copilot",
       displayName: "Copilot",
diff --git a/src/infra/provider-usage.load.ts b/src/infra/provider-usage.load.ts
index 9b50285c64f..d34c55c22d3 100644
--- a/src/infra/provider-usage.load.ts
+++ b/src/infra/provider-usage.load.ts
@@ -2,14 +2,6 @@ import { loadConfig, type OpenClawConfig } from "../config/config.js";
 import { resolveProviderUsageSnapshotWithPlugin } from "../plugins/provider-runtime.js";
 import { resolveFetch } from "./fetch.js";
 import { type ProviderAuth, resolveProviderAuths } from "./provider-usage.auth.js";
-import {
-  fetchClaudeUsage,
-  fetchCodexUsage,
-  fetchCopilotUsage,
-  fetchGeminiUsage,
-  fetchMinimaxUsage,
-  fetchZaiUsage,
-} from "./provider-usage.fetch.js";
 import {
   DEFAULT_TIMEOUT_MS,
   ignoredErrors,
@@ -64,44 +56,12 @@ async function fetchProviderUsageSnapshot(params: {
   if (pluginSnapshot) {
     return pluginSnapshot;
   }
-
-  switch (params.auth.provider) {
-    case "anthropic":
-      return await fetchClaudeUsage(params.auth.token, params.timeoutMs, params.fetchFn);
-    case "github-copilot":
-      return await fetchCopilotUsage(params.auth.token, params.timeoutMs, params.fetchFn);
-    case "google-gemini-cli":
-      return await fetchGeminiUsage(
-        params.auth.token,
-        params.timeoutMs,
-        params.fetchFn,
-        params.auth.provider,
-      );
-    case "openai-codex":
-      return await fetchCodexUsage(
-        params.auth.token,
-        params.auth.accountId,
-        params.timeoutMs,
-        params.fetchFn,
-      );
-    case "minimax":
-      return await fetchMinimaxUsage(params.auth.token, params.timeoutMs, params.fetchFn);
-    case "xiaomi":
-      return {
-        provider: "xiaomi",
-        displayName: PROVIDER_LABELS.xiaomi,
-        windows: [],
-      };
-    case "zai":
-      return await fetchZaiUsage(params.auth.token, params.timeoutMs, params.fetchFn);
-    default:
-      return {
-        provider: params.auth.provider,
-        displayName: PROVIDER_LABELS[params.auth.provider],
-        windows: [],
-        error: "Unsupported provider",
-      };
-  }
+  return {
+    provider: params.auth.provider,
+    displayName: PROVIDER_LABELS[params.auth.provider],
+    windows: [],
+    error: "Unsupported provider",
+  };
 }
 
 export async function loadProviderUsageSummary(
diff --git a/src/infra/restart.deferral-timeout.test.ts b/src/infra/restart.deferral-timeout.test.ts
new file mode 100644
index 00000000000..167fe95ccdc
--- /dev/null
+++ b/src/infra/restart.deferral-timeout.test.ts
@@ -0,0 +1,119 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { __testing, deferGatewayRestartUntilIdle, type RestartDeferralHooks } from "./restart.js";
+
+describe("deferGatewayRestartUntilIdle timeout", () => {
+  beforeEach(() => {
+    vi.useFakeTimers();
+    __testing.resetSigusr1State();
+    // Add a listener so emitGatewayRestart uses process.emit instead of process.kill
+    process.on("SIGUSR1", () => {});
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+    vi.restoreAllMocks();
+    __testing.resetSigusr1State();
+    process.removeAllListeners("SIGUSR1");
+  });
+
+  it("uses default 5-minute timeout when maxWaitMs is not specified", () => {
+    const hooks: RestartDeferralHooks = {
+      onTimeout: vi.fn(),
+      onReady: vi.fn(),
+    };
+
+    // Always return 1 pending item to prevent draining
+    deferGatewayRestartUntilIdle({
+      getPendingCount: () => 1,
+      hooks,
+    });
+
+    // Advance to just before 5 minutes — should NOT have timed out yet
+    vi.advanceTimersByTime(299_999);
+    expect(hooks.onTimeout).not.toHaveBeenCalled();
+
+    // Advance past 5 minutes — should time out
+    vi.advanceTimersByTime(1);
+    expect(hooks.onTimeout).toHaveBeenCalledOnce();
+    expect(hooks.onReady).not.toHaveBeenCalled();
+  });
+
+  it("respects custom maxWaitMs configuration", () => {
+    const hooks: RestartDeferralHooks = {
+      onTimeout: vi.fn(),
+      onReady: vi.fn(),
+    };
+
+    const customTimeoutMs = 120_000; // 2 minutes
+
+    deferGatewayRestartUntilIdle({
+      getPendingCount: () => 1,
+      maxWaitMs: customTimeoutMs,
+      hooks,
+    });
+
+    // Advance to just before 2 minutes
+    vi.advanceTimersByTime(119_999);
+    expect(hooks.onTimeout).not.toHaveBeenCalled();
+
+    // Advance past 2 minutes
+    vi.advanceTimersByTime(1);
+    expect(hooks.onTimeout).toHaveBeenCalledOnce();
+  });
+
+  it("calls onReady and does not timeout when pending count drops to 0", () => {
+    const hooks: RestartDeferralHooks = {
+      onTimeout: vi.fn(),
+      onReady: vi.fn(),
+    };
+
+    let pending = 3;
+
+    deferGatewayRestartUntilIdle({
+      getPendingCount: () => pending,
+      hooks,
+    });
+
+    // Advance a few poll intervals, then drain
+    vi.advanceTimersByTime(1000);
+    expect(hooks.onReady).not.toHaveBeenCalled();
+
+    pending = 0;
+    vi.advanceTimersByTime(500); // Next poll interval
+    expect(hooks.onReady).toHaveBeenCalledOnce();
+    expect(hooks.onTimeout).not.toHaveBeenCalled();
+  });
+
+  it("immediately restarts when pending count is 0", () => {
+    const hooks: RestartDeferralHooks = {
+      onReady: vi.fn(),
+      onTimeout: vi.fn(),
+    };
+
+    deferGatewayRestartUntilIdle({
+      getPendingCount: () => 0,
+      hooks,
+    });
+
+    // onReady should be called synchronously
+    expect(hooks.onReady).toHaveBeenCalledOnce();
+    expect(hooks.onTimeout).not.toHaveBeenCalled();
+  });
+
+  it("handles getPendingCount error by restarting immediately", () => {
+    const hooks: RestartDeferralHooks = {
+      onCheckError: vi.fn(),
+      onReady: vi.fn(),
+    };
+
+    deferGatewayRestartUntilIdle({
+      getPendingCount: () => {
+        throw new Error("store corrupted");
+      },
+      hooks,
+    });
+
+    expect(hooks.onCheckError).toHaveBeenCalledOnce();
+    expect(hooks.onReady).not.toHaveBeenCalled();
+  });
+});
diff --git a/src/infra/restart.ts b/src/infra/restart.ts
index 3e0379f25f2..f671df382e2 100644
--- a/src/infra/restart.ts
+++ b/src/infra/restart.ts
@@ -1,6 +1,7 @@
 import { spawnSync } from "node:child_process";
 import os from "node:os";
 import path from "node:path";
+import { loadConfig } from "../config/config.js";
 import {
   resolveGatewayLaunchAgentLabel,
   resolveGatewaySystemdServiceName,
@@ -19,8 +20,9 @@ export type RestartAttempt = {
 const SPAWN_TIMEOUT_MS = 2000;
 const SIGUSR1_AUTH_GRACE_MS = 5000;
 const DEFAULT_DEFERRAL_POLL_MS = 500;
-// Cover slow in-flight embedded compaction work before forcing restart.
-const DEFAULT_DEFERRAL_MAX_WAIT_MS = 90_000;
+// Default to 5 minutes to avoid aborting in-flight subagent LLM calls.
+// Configurable via gateway.reload.deferralTimeoutMs.
+const DEFAULT_DEFERRAL_MAX_WAIT_MS = 300_000;
 const RESTART_COOLDOWN_MS = 30_000;
 
 const restartLog = createSubsystemLogger("restart");
@@ -475,7 +477,11 @@ export function scheduleGatewaySigusr1Restart(opts?: {
         emitGatewayRestart();
         return;
       }
-      deferGatewayRestartUntilIdle({ getPendingCount: pendingCheck });
+      const cfg = loadConfig();
+      deferGatewayRestartUntilIdle({
+        getPendingCount: pendingCheck,
+        maxWaitMs: cfg.gateway?.reload?.deferralTimeoutMs,
+      });
     },
     Math.max(0, requestedDueAt - nowMs),
   );
diff --git a/src/infra/state-migrations.ts b/src/infra/state-migrations.ts
index 96f3071bd57..6646ab02e75 100644
--- a/src/infra/state-migrations.ts
+++ b/src/infra/state-migrations.ts
@@ -1,7 +1,6 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import { listTelegramAccountIds } from "../../extensions/telegram/src/accounts.js";
 import { resolveDefaultAgentId } from "../agents/agent-scope.js";
 import type { OpenClawConfig } from "../config/config.js";
 import {
@@ -16,6 +15,7 @@ import { canonicalizeMainSessionAlias } from "../config/sessions/main-session.js
 import type { SessionScope } from "../config/sessions/types.js";
 import { createSubsystemLogger } from "../logging/subsystem.js";
 import { resolveChannelAllowFromPath } from "../pairing/pairing-store.js";
+import { listTelegramAccountIds } from "../plugin-sdk-internal/telegram.js";
 import {
   buildAgentMainSessionKey,
   DEFAULT_ACCOUNT_ID,
diff --git a/src/infra/warning-filter.test.ts b/src/infra/warning-filter.test.ts
index 7ce9854aa9a..da4b9dad163 100644
--- a/src/infra/warning-filter.test.ts
+++ b/src/infra/warning-filter.test.ts
@@ -74,6 +74,7 @@ describe("warning filter", () => {
 
   it("installs once and suppresses known warnings at emit time", async () => {
     const seenWarnings: Array<{ code?: string; name: string; message: string }> = [];
+    const stderrWrites: string[] = [];
     const onWarning = (warning: Error & { code?: string }) => {
       seenWarnings.push({
         code: warning.code,
@@ -81,6 +82,12 @@ describe("warning filter", () => {
         message: warning.message,
       });
     };
+    const stderrWriteSpy = vi.spyOn(process.stderr, "write").mockImplementation(((
+      chunk: string | Uint8Array,
+    ) => {
+      stderrWrites.push(typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8"));
+      return true;
+    }) as typeof process.stderr.write);
 
     process.on("warning", onWarning);
     try {
@@ -135,7 +142,9 @@ describe("warning filter", () => {
             warning.code === "DEP0040" && warning.message === "The punycode module is deprecated.",
         ),
       ).toBeDefined();
+      expect(stderrWrites.join("")).toContain("Visible warning");
     } finally {
+      stderrWriteSpy.mockRestore();
       process.off("warning", onWarning);
     }
   });
diff --git a/src/interactive/payload.test.ts b/src/interactive/payload.test.ts
new file mode 100644
index 00000000000..3000716cd2e
--- /dev/null
+++ b/src/interactive/payload.test.ts
@@ -0,0 +1,66 @@
+import { describe, expect, it } from "vitest";
+import {
+  hasReplyChannelData,
+  hasReplyContent,
+  normalizeInteractiveReply,
+  resolveInteractiveTextFallback,
+} from "./payload.js";
+
+describe("hasReplyChannelData", () => {
+  it("accepts non-empty objects only", () => {
+    expect(hasReplyChannelData(undefined)).toBe(false);
+    expect(hasReplyChannelData({})).toBe(false);
+    expect(hasReplyChannelData([])).toBe(false);
+    expect(hasReplyChannelData({ slack: { blocks: [] } })).toBe(true);
+  });
+});
+
+describe("hasReplyContent", () => {
+  it("treats whitespace-only text and empty structured payloads as empty", () => {
+    expect(
+      hasReplyContent({
+        text: "   ",
+        mediaUrls: ["", "   "],
+        interactive: { blocks: [] },
+        hasChannelData: false,
+      }),
+    ).toBe(false);
+  });
+
+  it("accepts shared interactive blocks and explicit extra content", () => {
+    expect(
+      hasReplyContent({
+        interactive: {
+          blocks: [{ type: "buttons", buttons: [{ label: "Retry", value: "retry" }] }],
+        },
+      }),
+    ).toBe(true);
+    expect(
+      hasReplyContent({
+        text: "   ",
+        extraContent: true,
+      }),
+    ).toBe(true);
+  });
+});
+
+describe("interactive payload helpers", () => {
+  it("normalizes interactive replies and resolves text fallbacks", () => {
+    const interactive = normalizeInteractiveReply({
+      blocks: [
+        { type: "text", text: "First" },
+        { type: "buttons", buttons: [{ label: "Retry", value: "retry" }] },
+        { type: "text", text: "Second" },
+      ],
+    });
+
+    expect(interactive).toEqual({
+      blocks: [
+        { type: "text", text: "First" },
+        { type: "buttons", buttons: [{ label: "Retry", value: "retry" }] },
+        { type: "text", text: "Second" },
+      ],
+    });
+    expect(resolveInteractiveTextFallback({ interactive })).toBe("First\n\nSecond");
+  });
+});
diff --git a/src/interactive/payload.ts b/src/interactive/payload.ts
new file mode 100644
index 00000000000..5ccd55d0eff
--- /dev/null
+++ b/src/interactive/payload.ts
@@ -0,0 +1,177 @@
+export type InteractiveButtonStyle = "primary" | "secondary" | "success" | "danger";
+
+export type InteractiveReplyButton = {
+  label: string;
+  value: string;
+  style?: InteractiveButtonStyle;
+};
+
+export type InteractiveReplyOption = {
+  label: string;
+  value: string;
+};
+
+export type InteractiveReplyTextBlock = {
+  type: "text";
+  text: string;
+};
+
+export type InteractiveReplyButtonsBlock = {
+  type: "buttons";
+  buttons: InteractiveReplyButton[];
+};
+
+export type InteractiveReplySelectBlock = {
+  type: "select";
+  placeholder?: string;
+  options: InteractiveReplyOption[];
+};
+
+export type InteractiveReplyBlock =
+  | InteractiveReplyTextBlock
+  | InteractiveReplyButtonsBlock
+  | InteractiveReplySelectBlock;
+
+export type InteractiveReply = {
+  blocks: InteractiveReplyBlock[];
+};
+
+function readTrimmedString(value: unknown): string | undefined {
+  if (typeof value !== "string") {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  return trimmed || undefined;
+}
+
+function normalizeButtonStyle(value: unknown): InteractiveButtonStyle | undefined {
+  const style = readTrimmedString(value)?.toLowerCase();
+  return style === "primary" || style === "secondary" || style === "success" || style === "danger"
+    ? style
+    : undefined;
+}
+
+function normalizeInteractiveButton(raw: unknown): InteractiveReplyButton | undefined {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return undefined;
+  }
+  const record = raw as Record<string, unknown>;
+  const label = readTrimmedString(record.label) ?? readTrimmedString(record.text);
+  const value =
+    readTrimmedString(record.value) ??
+    readTrimmedString(record.callbackData) ??
+    readTrimmedString(record.callback_data);
+  if (!label || !value) {
+    return undefined;
+  }
+  return {
+    label,
+    value,
+    style: normalizeButtonStyle(record.style),
+  };
+}
+
+function normalizeInteractiveOption(raw: unknown): InteractiveReplyOption | undefined {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return undefined;
+  }
+  const record = raw as Record<string, unknown>;
+  const label = readTrimmedString(record.label) ?? readTrimmedString(record.text);
+  const value = readTrimmedString(record.value);
+  if (!label || !value) {
+    return undefined;
+  }
+  return { label, value };
+}
+
+function normalizeInteractiveBlock(raw: unknown): InteractiveReplyBlock | undefined {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return undefined;
+  }
+  const record = raw as Record<string, unknown>;
+  const type = readTrimmedString(record.type)?.toLowerCase();
+  if (type === "text") {
+    const text = readTrimmedString(record.text);
+    return text ? { type: "text", text } : undefined;
+  }
+  if (type === "buttons") {
+    const buttons = Array.isArray(record.buttons)
+      ? record.buttons
+          .map((entry) => normalizeInteractiveButton(entry))
+          .filter((entry): entry is InteractiveReplyButton => Boolean(entry))
+      : [];
+    return buttons.length > 0 ? { type: "buttons", buttons } : undefined;
+  }
+  if (type === "select") {
+    const options = Array.isArray(record.options)
+      ? record.options
+          .map((entry) => normalizeInteractiveOption(entry))
+          .filter((entry): entry is InteractiveReplyOption => Boolean(entry))
+      : [];
+    return options.length > 0
+      ? {
+          type: "select",
+          placeholder: readTrimmedString(record.placeholder),
+          options,
+        }
+      : undefined;
+  }
+  return undefined;
+}
+
+export function normalizeInteractiveReply(raw: unknown): InteractiveReply | undefined {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return undefined;
+  }
+  const record = raw as Record<string, unknown>;
+  const blocks = Array.isArray(record.blocks)
+    ? record.blocks
+        .map((entry) => normalizeInteractiveBlock(entry))
+        .filter((entry): entry is InteractiveReplyBlock => Boolean(entry))
+    : [];
+  return blocks.length > 0 ? { blocks } : undefined;
+}
+
+export function hasInteractiveReplyBlocks(value: unknown): value is InteractiveReply {
+  return Boolean(normalizeInteractiveReply(value));
+}
+
+export function hasReplyChannelData(value: unknown): value is Record<string, unknown> {
+  return Boolean(
+    value && typeof value === "object" && !Array.isArray(value) && Object.keys(value).length > 0,
+  );
+}
+
+export function hasReplyContent(params: {
+  text?: string | null;
+  mediaUrl?: string | null;
+  mediaUrls?: ReadonlyArray<string | null | undefined>;
+  interactive?: unknown;
+  hasChannelData?: boolean;
+  extraContent?: boolean;
+}): boolean {
+  return Boolean(
+    params.text?.trim() ||
+    params.mediaUrl?.trim() ||
+    params.mediaUrls?.some((entry) => Boolean(entry?.trim())) ||
+    hasInteractiveReplyBlocks(params.interactive) ||
+    params.hasChannelData ||
+    params.extraContent,
+  );
+}
+
+export function resolveInteractiveTextFallback(params: {
+  text?: string;
+  interactive?: InteractiveReply;
+}): string | undefined {
+  const text = readTrimmedString(params.text);
+  if (text) {
+    return params.text;
+  }
+  const interactiveText = (params.interactive?.blocks ?? [])
+    .filter((block): block is InteractiveReplyTextBlock => block.type === "text")
+    .map((block) => block.text.trim())
+    .filter(Boolean)
+    .join("\n\n");
+  return interactiveText || params.text;
+}
diff --git a/src/library.ts b/src/library.ts
new file mode 100644
index 00000000000..faaf7ea5998
--- /dev/null
+++ b/src/library.ts
@@ -0,0 +1,48 @@
+import { getReplyFromConfig } from "./auto-reply/reply.js";
+import { applyTemplate } from "./auto-reply/templating.js";
+import { monitorWebChannel } from "./channel-web.js";
+import { createDefaultDeps } from "./cli/deps.js";
+import { promptYesNo } from "./cli/prompt.js";
+import { waitForever } from "./cli/wait.js";
+import { loadConfig } from "./config/config.js";
+import {
+  deriveSessionKey,
+  loadSessionStore,
+  resolveSessionKey,
+  resolveStorePath,
+  saveSessionStore,
+} from "./config/sessions.js";
+import { ensureBinary } from "./infra/binaries.js";
+import {
+  describePortOwner,
+  ensurePortAvailable,
+  handlePortError,
+  PortInUseError,
+} from "./infra/ports.js";
+import { runCommandWithTimeout, runExec } from "./process/exec.js";
+import { assertWebChannel, normalizeE164, toWhatsappJid } from "./utils.js";
+
+export {
+  assertWebChannel,
+  applyTemplate,
+  createDefaultDeps,
+  deriveSessionKey,
+  describePortOwner,
+  ensureBinary,
+  ensurePortAvailable,
+  getReplyFromConfig,
+  handlePortError,
+  loadConfig,
+  loadSessionStore,
+  monitorWebChannel,
+  normalizeE164,
+  PortInUseError,
+  promptYesNo,
+  resolveSessionKey,
+  resolveStorePath,
+  runCommandWithTimeout,
+  runExec,
+  saveSessionStore,
+  toWhatsappJid,
+  waitForever,
+};
diff --git a/src/media-understanding/runner.auto-audio.test.ts b/src/media-understanding/runner.auto-audio.test.ts
index b2e282f3666..775e2ecb6be 100644
--- a/src/media-understanding/runner.auto-audio.test.ts
+++ b/src/media-understanding/runner.auto-audio.test.ts
@@ -1,5 +1,9 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
 import { describe, expect, it } from "vitest";
 import type { OpenClawConfig } from "../config/config.js";
+import { withEnvAsync } from "../test-utils/env.js";
 import { buildProviderRegistry, runCapability } from "./runner.js";
 import { withAudioFixture } from "./runner.test-utils.js";
 
@@ -109,68 +113,71 @@ describe("runCapability auto audio entries", () => {
   });
 
   it("uses mistral when only mistral key is configured", async () => {
-    const priorEnv: Record<string, string | undefined> = {
-      OPENAI_API_KEY: process.env.OPENAI_API_KEY,
-      GROQ_API_KEY: process.env.GROQ_API_KEY,
-      DEEPGRAM_API_KEY: process.env.DEEPGRAM_API_KEY,
-      GEMINI_API_KEY: process.env.GEMINI_API_KEY,
-      MISTRAL_API_KEY: process.env.MISTRAL_API_KEY,
-    };
-    delete process.env.OPENAI_API_KEY;
-    delete process.env.GROQ_API_KEY;
-    delete process.env.DEEPGRAM_API_KEY;
-    delete process.env.GEMINI_API_KEY;
-    process.env.MISTRAL_API_KEY = "mistral-test-key"; // pragma: allowlist secret
+    const isolatedAgentDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-audio-agent-"));
     let runResult: Awaited<ReturnType<typeof runCapability>> | undefined;
     try {
-      await withAudioFixture("openclaw-auto-audio-mistral", async ({ ctx, media, cache }) => {
-        const providerRegistry = buildProviderRegistry({
-          openai: {
-            id: "openai",
-            capabilities: ["audio"],
-            transcribeAudio: async () => ({ text: "openai", model: "gpt-4o-mini-transcribe" }),
-          },
-          mistral: {
-            id: "mistral",
-            capabilities: ["audio"],
-            transcribeAudio: async (req) => ({ text: "mistral", model: req.model ?? "unknown" }),
-          },
-        });
-        const cfg = {
-          models: {
-            providers: {
+      await withEnvAsync(
+        {
+          OPENAI_API_KEY: undefined,
+          GROQ_API_KEY: undefined,
+          DEEPGRAM_API_KEY: undefined,
+          GEMINI_API_KEY: undefined,
+          GOOGLE_API_KEY: undefined,
+          MISTRAL_API_KEY: "mistral-test-key", // pragma: allowlist secret
+          OPENCLAW_AGENT_DIR: isolatedAgentDir,
+          PI_CODING_AGENT_DIR: isolatedAgentDir,
+        },
+        async () => {
+          await withAudioFixture("openclaw-auto-audio-mistral", async ({ ctx, media, cache }) => {
+            const providerRegistry = buildProviderRegistry({
+              openai: {
+                id: "openai",
+                capabilities: ["audio"],
+                transcribeAudio: async () => ({
+                  text: "openai",
+                  model: "gpt-4o-mini-transcribe",
+                }),
+              },
               mistral: {
-                apiKey: "mistral-test-key", // pragma: allowlist secret
-                models: [],
+                id: "mistral",
+                capabilities: ["audio"],
+                transcribeAudio: async (req) => ({
+                  text: "mistral",
+                  model: req.model ?? "unknown",
+                }),
               },
-            },
-          },
-          tools: {
-            media: {
-              audio: {
-                enabled: true,
+            });
+            const cfg = {
+              models: {
+                providers: {
+                  mistral: {
+                    apiKey: "mistral-test-key", // pragma: allowlist secret
+                    models: [],
+                  },
+                },
               },
-            },
-          },
-        } as unknown as OpenClawConfig;
+              tools: {
+                media: {
+                  audio: {
+                    enabled: true,
+                  },
+                },
+              },
+            } as unknown as OpenClawConfig;
 
-        runResult = await runCapability({
-          capability: "audio",
-          cfg,
-          ctx,
-          attachments: cache,
-          media,
-          providerRegistry,
-        });
-      });
+            runResult = await runCapability({
+              capability: "audio",
+              cfg,
+              ctx,
+              attachments: cache,
+              media,
+              providerRegistry,
+            });
+          });
+        },
+      );
     } finally {
-      for (const [key, value] of Object.entries(priorEnv)) {
-        if (value === undefined) {
-          delete process.env[key];
-        } else {
-          process.env[key] = value;
-        }
-      }
+      await fs.rm(isolatedAgentDir, { recursive: true, force: true });
     }
     if (!runResult) {
       throw new Error("Expected auto audio mistral result");
diff --git a/src/media-understanding/runner.ts b/src/media-understanding/runner.ts
index c2ffe584448..a04cc6420fa 100644
--- a/src/media-understanding/runner.ts
+++ b/src/media-understanding/runner.ts
@@ -2,7 +2,7 @@ import { constants as fsConstants } from "node:fs";
 import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
-import { resolveApiKeyForProvider } from "../agents/model-auth.js";
+import { hasAvailableAuthForProvider } from "../agents/model-auth.js";
 import {
   findModelInCatalog,
   loadModelCatalog,
@@ -362,12 +362,16 @@ async function resolveKeyEntry(params: {
     if (capability === "video" && !provider.describeVideo) {
       return null;
     }
-    try {
-      await resolveApiKeyForProvider({ provider: providerId, cfg, agentDir });
-      return { type: "provider" as const, provider: providerId, model };
-    } catch {
+    if (
+      !(await hasAvailableAuthForProvider({
+        provider: providerId,
+        cfg,
+        agentDir,
+      }))
+    ) {
       return null;
     }
+    return { type: "provider" as const, provider: providerId, model };
   };
 
   if (capability === "image") {
@@ -553,13 +557,12 @@ async function resolveActiveModelEntry(params: {
   if (params.capability === "video" && !provider.describeVideo) {
     return null;
   }
-  try {
-    await resolveApiKeyForProvider({
-      provider: providerId,
-      cfg: params.cfg,
-      agentDir: params.agentDir,
-    });
-  } catch {
+  const hasAuth = await hasAvailableAuthForProvider({
+    provider: providerId,
+    cfg: params.cfg,
+    agentDir: params.agentDir,
+  });
+  if (!hasAuth) {
     return null;
   }
   return {
diff --git a/src/media-understanding/runner.video.test.ts b/src/media-understanding/runner.video.test.ts
index 90eab226cea..5c3992dfc55 100644
--- a/src/media-understanding/runner.video.test.ts
+++ b/src/media-understanding/runner.video.test.ts
@@ -1,3 +1,6 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
 import { describe, expect, it } from "vitest";
 import type { OpenClawConfig } from "../config/config.js";
 import { withEnvAsync } from "../test-utils/env.js";
@@ -74,62 +77,70 @@ describe("runCapability video provider wiring", () => {
   });
 
   it("auto-selects moonshot for video when google is unavailable", async () => {
-    await withEnvAsync(
-      {
-        GEMINI_API_KEY: undefined,
-        MOONSHOT_API_KEY: undefined,
-      },
-      async () => {
-        await withVideoFixture("openclaw-video-auto-moonshot", async ({ ctx, media, cache }) => {
-          const cfg = {
-            models: {
-              providers: {
-                moonshot: {
-                  apiKey: "moonshot-key", // pragma: allowlist secret
-                  models: [],
+    const isolatedAgentDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-video-agent-"));
+    try {
+      await withEnvAsync(
+        {
+          GEMINI_API_KEY: undefined,
+          GOOGLE_API_KEY: undefined,
+          MOONSHOT_API_KEY: undefined,
+          OPENCLAW_AGENT_DIR: isolatedAgentDir,
+          PI_CODING_AGENT_DIR: isolatedAgentDir,
+        },
+        async () => {
+          await withVideoFixture("openclaw-video-auto-moonshot", async ({ ctx, media, cache }) => {
+            const cfg = {
+              models: {
+                providers: {
+                  moonshot: {
+                    apiKey: "moonshot-key", // pragma: allowlist secret
+                    models: [],
+                  },
                 },
               },
-            },
-            tools: {
-              media: {
-                video: {
-                  enabled: true,
+              tools: {
+                media: {
+                  video: {
+                    enabled: true,
+                  },
                 },
               },
-            },
-          } as unknown as OpenClawConfig;
+            } as unknown as OpenClawConfig;
 
-          const result = await runCapability({
-            capability: "video",
-            cfg,
-            ctx,
-            attachments: cache,
-            media,
-            providerRegistry: new Map([
-              [
-                "google",
-                {
-                  id: "google",
-                  capabilities: ["video"],
-                  describeVideo: async () => ({ text: "google" }),
-                },
-              ],
-              [
-                "moonshot",
-                {
-                  id: "moonshot",
-                  capabilities: ["video"],
-                  describeVideo: async () => ({ text: "moonshot", model: "kimi-k2.5" }),
-                },
-              ],
-            ]),
+            const result = await runCapability({
+              capability: "video",
+              cfg,
+              ctx,
+              attachments: cache,
+              media,
+              providerRegistry: new Map([
+                [
+                  "google",
+                  {
+                    id: "google",
+                    capabilities: ["video"],
+                    describeVideo: async () => ({ text: "google" }),
+                  },
+                ],
+                [
+                  "moonshot",
+                  {
+                    id: "moonshot",
+                    capabilities: ["video"],
+                    describeVideo: async () => ({ text: "moonshot", model: "kimi-k2.5" }),
+                  },
+                ],
+              ]),
+            });
+
+            expect(result.decision.outcome).toBe("success");
+            expect(result.outputs[0]?.provider).toBe("moonshot");
+            expect(result.outputs[0]?.text).toBe("moonshot");
           });
-
-          expect(result.decision.outcome).toBe("success");
-          expect(result.outputs[0]?.provider).toBe("moonshot");
-          expect(result.outputs[0]?.text).toBe("moonshot");
-        });
-      },
-    );
+        },
+      );
+    } finally {
+      await fs.rm(isolatedAgentDir, { recursive: true, force: true });
+    }
   });
 });
diff --git a/src/media/outbound-attachment.ts b/src/media/outbound-attachment.ts
index 374f0696b96..7e2a180c2e1 100644
--- a/src/media/outbound-attachment.ts
+++ b/src/media/outbound-attachment.ts
@@ -1,4 +1,4 @@
-import { loadWebMedia } from "../../extensions/whatsapp/src/media.js";
+import { loadWebMedia } from "../plugin-sdk/web-media.js";
 import { buildOutboundMediaLoadOptions } from "./load-options.js";
 import { saveMediaBuffer } from "./store.js";
 
diff --git a/src/node-host/invoke-browser.test.ts b/src/node-host/invoke-browser.test.ts
index c1dd0d1df76..7f8c51a2b39 100644
--- a/src/node-host/invoke-browser.test.ts
+++ b/src/node-host/invoke-browser.test.ts
@@ -70,12 +70,12 @@ describe("runBrowserProxyCommand", () => {
         JSON.stringify({
           method: "GET",
           path: "/snapshot",
-          profile: "chrome-relay",
+          profile: "openclaw",
           timeoutMs: 5,
         }),
       ),
     ).rejects.toThrow(
-      /browser proxy timed out for GET \/snapshot after 5ms; ws-backed browser action; profile=chrome-relay; status\(running=true, cdpHttp=true, cdpReady=false, cdpUrl=http:\/\/127\.0\.0\.1:18792\)/,
+      /browser proxy timed out for GET \/snapshot after 5ms; ws-backed browser action; profile=openclaw; status\(running=true, cdpHttp=true, cdpReady=false, cdpUrl=http:\/\/127\.0\.0\.1:18792\)/,
     );
   });
 
@@ -150,7 +150,7 @@ describe("runBrowserProxyCommand", () => {
         JSON.stringify({
           method: "POST",
           path: "/act",
-          profile: "chrome-relay",
+          profile: "openclaw",
           timeoutMs: 50,
         }),
       ),
diff --git a/src/plugin-sdk-internal/discord.ts b/src/plugin-sdk-internal/discord.ts
new file mode 100644
index 00000000000..9a29900c717
--- /dev/null
+++ b/src/plugin-sdk-internal/discord.ts
@@ -0,0 +1,116 @@
+export type { ChannelMessageActionAdapter } from "../channels/plugins/types.js";
+export type { OpenClawConfig } from "../config/config.js";
+export type { DiscordAccountConfig, DiscordActionConfig } from "../config/types.js";
+export type { InspectedDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
+export type { ResolvedDiscordAccount } from "../../extensions/discord/src/accounts.js";
+export type {
+  DiscordSendComponents,
+  DiscordSendEmbeds,
+} from "../../extensions/discord/src/send.shared.js";
+export * from "../plugin-sdk/channel-plugin-common.js";
+
+export {
+  createDiscordActionGate,
+  listDiscordAccountIds,
+  resolveDefaultDiscordAccountId,
+  resolveDiscordAccount,
+} from "../../extensions/discord/src/accounts.js";
+export { inspectDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
+export {
+  projectCredentialSnapshotFields,
+  resolveConfiguredFromCredentialStatuses,
+} from "../channels/account-snapshot-fields.js";
+export {
+  listDiscordDirectoryGroupsFromConfig,
+  listDiscordDirectoryPeersFromConfig,
+} from "../channels/plugins/directory-config.js";
+export {
+  looksLikeDiscordTargetId,
+  normalizeDiscordMessagingTarget,
+  normalizeDiscordOutboundTarget,
+} from "../../extensions/discord/src/normalize.js";
+export { collectDiscordAuditChannelIds } from "../../extensions/discord/src/audit.js";
+export { collectDiscordStatusIssues } from "../../extensions/discord/src/status-issues.js";
+export {
+  DISCORD_DEFAULT_INBOUND_WORKER_TIMEOUT_MS,
+  DISCORD_DEFAULT_LISTENER_TIMEOUT_MS,
+} from "../../extensions/discord/src/monitor/timeouts.js";
+export { normalizeExplicitDiscordSessionKey } from "../../extensions/discord/src/session-key-normalization.js";
+export type { DiscordPluralKitConfig } from "../../extensions/discord/src/pluralkit.js";
+
+export {
+  resolveDefaultGroupPolicy,
+  resolveOpenProviderRuntimeGroupPolicy,
+} from "../config/runtime-group-policy.js";
+export {
+  resolveDiscordGroupRequireMention,
+  resolveDiscordGroupToolPolicy,
+} from "../channels/plugins/group-mentions.js";
+export { discordSetupWizard } from "../../extensions/discord/src/setup-surface.js";
+export { discordSetupAdapter } from "../../extensions/discord/src/setup-core.js";
+export { DiscordConfigSchema } from "../config/zod-schema.providers-core.js";
+
+export {
+  autoBindSpawnedDiscordSubagent,
+  listThreadBindingsBySessionKey,
+  unbindThreadBindingsBySessionKey,
+} from "../../extensions/discord/src/monitor/thread-bindings.js";
+export { getGateway } from "../../extensions/discord/src/monitor/gateway-registry.js";
+export { getPresence } from "../../extensions/discord/src/monitor/presence-cache.js";
+export { readDiscordComponentSpec } from "../../extensions/discord/src/components.js";
+export { resolveDiscordChannelId } from "../../extensions/discord/src/targets.js";
+export {
+  addRoleDiscord,
+  banMemberDiscord,
+  createChannelDiscord,
+  createScheduledEventDiscord,
+  createThreadDiscord,
+  deleteChannelDiscord,
+  deleteMessageDiscord,
+  editChannelDiscord,
+  editMessageDiscord,
+  fetchChannelInfoDiscord,
+  fetchChannelPermissionsDiscord,
+  fetchMemberInfoDiscord,
+  fetchMessageDiscord,
+  fetchReactionsDiscord,
+  fetchRoleInfoDiscord,
+  fetchVoiceStatusDiscord,
+  hasAnyGuildPermissionDiscord,
+  kickMemberDiscord,
+  listGuildChannelsDiscord,
+  listGuildEmojisDiscord,
+  listPinsDiscord,
+  listScheduledEventsDiscord,
+  listThreadsDiscord,
+  moveChannelDiscord,
+  pinMessageDiscord,
+  reactMessageDiscord,
+  readMessagesDiscord,
+  removeChannelPermissionDiscord,
+  removeOwnReactionsDiscord,
+  removeReactionDiscord,
+  removeRoleDiscord,
+  searchMessagesDiscord,
+  sendDiscordComponentMessage,
+  sendMessageDiscord,
+  sendPollDiscord,
+  sendStickerDiscord,
+  sendVoiceMessageDiscord,
+  setChannelPermissionDiscord,
+  timeoutMemberDiscord,
+  unpinMessageDiscord,
+  uploadEmojiDiscord,
+  uploadStickerDiscord,
+} from "../../extensions/discord/src/send.js";
+export { discordMessageActions } from "../../extensions/discord/src/channel-actions.js";
+export type {
+  ThreadBindingManager,
+  ThreadBindingRecord,
+  ThreadBindingTargetKind,
+} from "../../extensions/discord/src/monitor/thread-bindings.js";
+
+export {
+  buildComputedAccountStatusSnapshot,
+  buildTokenChannelStatusSummary,
+} from "../plugin-sdk/status-helpers.js";
diff --git a/src/plugin-sdk-internal/imessage.ts b/src/plugin-sdk-internal/imessage.ts
new file mode 100644
index 00000000000..170dd7ff188
--- /dev/null
+++ b/src/plugin-sdk-internal/imessage.ts
@@ -0,0 +1,46 @@
+export type { ResolvedIMessageAccount } from "../../extensions/imessage/src/accounts.js";
+export type { IMessageAccountConfig } from "../config/types.js";
+export * from "../plugin-sdk/channel-plugin-common.js";
+export {
+  listIMessageAccountIds,
+  resolveDefaultIMessageAccountId,
+  resolveIMessageAccount,
+} from "../../extensions/imessage/src/accounts.js";
+export {
+  formatTrimmedAllowFromEntries,
+  resolveIMessageConfigAllowFrom,
+  resolveIMessageConfigDefaultTo,
+} from "../plugin-sdk/channel-config-helpers.js";
+export {
+  looksLikeIMessageTargetId,
+  normalizeIMessageMessagingTarget,
+} from "../channels/plugins/normalize/imessage.js";
+export {
+  createAllowedChatSenderMatcher,
+  parseChatAllowTargetPrefixes,
+  parseChatTargetPrefixesOrThrow,
+  resolveServicePrefixedChatTarget,
+  resolveServicePrefixedAllowTarget,
+  resolveServicePrefixedOrChatAllowTarget,
+  resolveServicePrefixedTarget,
+} from "../../extensions/imessage/src/target-parsing-helpers.js";
+export type {
+  ChatSenderAllowParams,
+  ParsedChatTarget,
+} from "../../extensions/imessage/src/target-parsing-helpers.js";
+export { sendMessageIMessage } from "../../extensions/imessage/src/send.js";
+
+export {
+  resolveAllowlistProviderRuntimeGroupPolicy,
+  resolveDefaultGroupPolicy,
+} from "../config/runtime-group-policy.js";
+export {
+  resolveIMessageGroupRequireMention,
+  resolveIMessageGroupToolPolicy,
+} from "../channels/plugins/group-mentions.js";
+export { imessageSetupWizard } from "../../extensions/imessage/src/setup-surface.js";
+export { imessageSetupAdapter } from "../../extensions/imessage/src/setup-core.js";
+export { IMessageConfigSchema } from "../config/zod-schema.providers-core.js";
+
+export { resolveChannelMediaMaxBytes } from "../channels/plugins/media-limits.js";
+export { collectStatusIssuesFromLastError } from "../plugin-sdk/status-helpers.js";
diff --git a/src/plugin-sdk-internal/signal.ts b/src/plugin-sdk-internal/signal.ts
new file mode 100644
index 00000000000..4594420af8d
--- /dev/null
+++ b/src/plugin-sdk-internal/signal.ts
@@ -0,0 +1,38 @@
+export type { ChannelMessageActionAdapter } from "../channels/plugins/types.js";
+export type { ResolvedSignalAccount } from "../../extensions/signal/src/accounts.js";
+export type { SignalAccountConfig } from "../config/types.js";
+export * from "../plugin-sdk/channel-plugin-common.js";
+export {
+  listEnabledSignalAccounts,
+  listSignalAccountIds,
+  resolveDefaultSignalAccountId,
+  resolveSignalAccount,
+} from "../../extensions/signal/src/accounts.js";
+export { resolveSignalReactionLevel } from "../../extensions/signal/src/reaction-level.js";
+export {
+  removeReactionSignal,
+  sendReactionSignal,
+} from "../../extensions/signal/src/send-reactions.js";
+export { sendMessageSignal } from "../../extensions/signal/src/send.js";
+export {
+  looksLikeSignalTargetId,
+  normalizeSignalMessagingTarget,
+} from "../channels/plugins/normalize/signal.js";
+
+export {
+  resolveAllowlistProviderRuntimeGroupPolicy,
+  resolveDefaultGroupPolicy,
+} from "../config/runtime-group-policy.js";
+export { signalSetupWizard } from "../../extensions/signal/src/setup-surface.js";
+export { signalSetupAdapter } from "../../extensions/signal/src/setup-core.js";
+export { SignalConfigSchema } from "../config/zod-schema.providers-core.js";
+
+export { normalizeE164 } from "../utils.js";
+export { resolveChannelMediaMaxBytes } from "../channels/plugins/media-limits.js";
+
+export {
+  buildBaseAccountStatusSnapshot,
+  buildBaseChannelStatusSummary,
+  collectStatusIssuesFromLastError,
+  createDefaultChannelRuntimeState,
+} from "../plugin-sdk/status-helpers.js";
diff --git a/src/plugin-sdk-internal/slack.ts b/src/plugin-sdk-internal/slack.ts
new file mode 100644
index 00000000000..abde5688cdb
--- /dev/null
+++ b/src/plugin-sdk-internal/slack.ts
@@ -0,0 +1,68 @@
+export type { OpenClawConfig } from "../config/config.js";
+export type { SlackAccountConfig } from "../config/types.slack.js";
+export type { InspectedSlackAccount } from "../../extensions/slack/src/account-inspect.js";
+export type { ResolvedSlackAccount } from "../../extensions/slack/src/accounts.js";
+export * from "../plugin-sdk/channel-plugin-common.js";
+export {
+  listEnabledSlackAccounts,
+  listSlackAccountIds,
+  resolveDefaultSlackAccountId,
+  resolveSlackAccount,
+  resolveSlackReplyToMode,
+} from "../../extensions/slack/src/accounts.js";
+export { isSlackInteractiveRepliesEnabled } from "../../extensions/slack/src/interactive-replies.js";
+export { inspectSlackAccount } from "../../extensions/slack/src/account-inspect.js";
+export {
+  projectCredentialSnapshotFields,
+  resolveConfiguredFromCredentialStatuses,
+  resolveConfiguredFromRequiredCredentialStatuses,
+} from "../channels/account-snapshot-fields.js";
+export {
+  listSlackDirectoryGroupsFromConfig,
+  listSlackDirectoryPeersFromConfig,
+} from "../channels/plugins/directory-config.js";
+export {
+  looksLikeSlackTargetId,
+  normalizeSlackMessagingTarget,
+} from "../channels/plugins/normalize/slack.js";
+export { parseSlackTarget, resolveSlackChannelId } from "../plugin-sdk/slack-targets.js";
+export {
+  extractSlackToolSend,
+  listSlackMessageActions,
+} from "../../extensions/slack/src/message-actions.js";
+export { buildSlackThreadingToolContext } from "../../extensions/slack/src/threading-tool-context.js";
+export { parseSlackBlocksInput } from "../../extensions/slack/src/blocks-input.js";
+export { handleSlackHttpRequest } from "../../extensions/slack/src/http/index.js";
+export { sendMessageSlack } from "../../extensions/slack/src/send.js";
+export {
+  deleteSlackMessage,
+  downloadSlackFile,
+  editSlackMessage,
+  getSlackMemberInfo,
+  listSlackEmojis,
+  listSlackPins,
+  listSlackReactions,
+  pinSlackMessage,
+  reactSlackMessage,
+  readSlackMessages,
+  removeOwnSlackReactions,
+  removeSlackReaction,
+  sendSlackMessage,
+  unpinSlackMessage,
+} from "../../extensions/slack/src/actions.js";
+export { recordSlackThreadParticipation } from "../../extensions/slack/src/sent-thread-cache.js";
+export { buildComputedAccountStatusSnapshot } from "../plugin-sdk/status-helpers.js";
+
+export {
+  resolveDefaultGroupPolicy,
+  resolveOpenProviderRuntimeGroupPolicy,
+} from "../config/runtime-group-policy.js";
+export {
+  resolveSlackGroupRequireMention,
+  resolveSlackGroupToolPolicy,
+} from "../channels/plugins/group-mentions.js";
+export { slackSetupAdapter } from "../../extensions/slack/src/setup-core.js";
+export { slackSetupWizard } from "../../extensions/slack/src/setup-surface.js";
+export { SlackConfigSchema } from "../config/zod-schema.providers-core.js";
+
+export { handleSlackMessageAction } from "../plugin-sdk/slack-message-actions.js";
diff --git a/src/plugin-sdk-internal/telegram.ts b/src/plugin-sdk-internal/telegram.ts
new file mode 100644
index 00000000000..bb983d690d1
--- /dev/null
+++ b/src/plugin-sdk-internal/telegram.ts
@@ -0,0 +1,113 @@
+export type {
+  ChannelAccountSnapshot,
+  ChannelGatewayContext,
+  ChannelMessageActionAdapter,
+} from "../channels/plugins/types.js";
+export type { ChannelPlugin } from "../channels/plugins/types.plugin.js";
+export type { OpenClawConfig } from "../config/config.js";
+export type { PluginRuntime } from "../plugins/runtime/types.js";
+export type { OpenClawPluginApi } from "../plugins/types.js";
+export type { TelegramAccountConfig, TelegramActionConfig } from "../config/types.js";
+export type { InspectedTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
+export type { ResolvedTelegramAccount } from "../../extensions/telegram/src/accounts.js";
+export type { TelegramProbe } from "../../extensions/telegram/src/probe.js";
+export type {
+  TelegramButtonStyle,
+  TelegramInlineButtons,
+} from "../../extensions/telegram/src/button-types.js";
+
+export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
+
+export { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
+
+export {
+  applyAccountNameToChannelSection,
+  migrateBaseNameToDefaultAccount,
+} from "../channels/plugins/setup-helpers.js";
+export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
+export {
+  deleteAccountFromConfigSection,
+  clearAccountEntryFields,
+  setAccountEnabledInConfigSection,
+} from "../channels/plugins/config-helpers.js";
+export { formatPairingApproveHint } from "../channels/plugins/helpers.js";
+export { PAIRING_APPROVED_MESSAGE } from "../channels/plugins/pairing-message.js";
+
+export { getChatChannelMeta } from "../channels/registry.js";
+
+export {
+  createTelegramActionGate,
+  listTelegramAccountIds,
+  resolveDefaultTelegramAccountId,
+  resolveTelegramPollActionGateState,
+  resolveTelegramAccount,
+} from "../../extensions/telegram/src/accounts.js";
+export { inspectTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
+export {
+  projectCredentialSnapshotFields,
+  resolveConfiguredFromCredentialStatuses,
+} from "../channels/account-snapshot-fields.js";
+export {
+  listTelegramDirectoryGroupsFromConfig,
+  listTelegramDirectoryPeersFromConfig,
+} from "../channels/plugins/directory-config.js";
+export {
+  looksLikeTelegramTargetId,
+  normalizeTelegramMessagingTarget,
+} from "../../extensions/telegram/src/normalize.js";
+export {
+  parseTelegramReplyToMessageId,
+  parseTelegramThreadId,
+} from "../../extensions/telegram/src/outbound-params.js";
+export {
+  isNumericTelegramUserId,
+  normalizeTelegramAllowFromEntry,
+} from "../../extensions/telegram/src/allow-from.js";
+export { fetchTelegramChatId } from "../../extensions/telegram/src/api-fetch.js";
+export {
+  resolveTelegramInlineButtonsScope,
+  resolveTelegramTargetChatType,
+} from "../../extensions/telegram/src/inline-buttons.js";
+export { resolveTelegramReactionLevel } from "../../extensions/telegram/src/reaction-level.js";
+export {
+  createForumTopicTelegram,
+  deleteMessageTelegram,
+  editForumTopicTelegram,
+  editMessageTelegram,
+  reactMessageTelegram,
+  sendMessageTelegram,
+  sendPollTelegram,
+  sendStickerTelegram,
+} from "../../extensions/telegram/src/send.js";
+export { getCacheStats, searchStickers } from "../../extensions/telegram/src/sticker-cache.js";
+export { resolveTelegramToken } from "../../extensions/telegram/src/token.js";
+export { telegramMessageActions } from "../../extensions/telegram/src/channel-actions.js";
+export { collectTelegramStatusIssues } from "../../extensions/telegram/src/status-issues.js";
+export { sendTelegramPayloadMessages } from "../../extensions/telegram/src/outbound-adapter.js";
+export {
+  buildBrowseProvidersButton,
+  buildModelsKeyboard,
+  buildProviderKeyboard,
+  calculateTotalPages,
+  getModelsPageSize,
+  type ProviderInfo,
+} from "../../extensions/telegram/src/model-buttons.js";
+export {
+  isTelegramExecApprovalApprover,
+  isTelegramExecApprovalClientEnabled,
+} from "../../extensions/telegram/src/exec-approvals.js";
+export type { StickerMetadata } from "../../extensions/telegram/src/bot/types.js";
+
+export {
+  resolveAllowlistProviderRuntimeGroupPolicy,
+  resolveDefaultGroupPolicy,
+} from "../config/runtime-group-policy.js";
+export {
+  resolveTelegramGroupRequireMention,
+  resolveTelegramGroupToolPolicy,
+} from "../channels/plugins/group-mentions.js";
+export { telegramSetupWizard } from "../../extensions/telegram/src/setup-surface.js";
+export { telegramSetupAdapter } from "../../extensions/telegram/src/setup-core.js";
+export { TelegramConfigSchema } from "../config/zod-schema.providers-core.js";
+
+export { buildTokenChannelStatusSummary } from "../plugin-sdk/status-helpers.js";
diff --git a/src/plugin-sdk-internal/whatsapp.ts b/src/plugin-sdk-internal/whatsapp.ts
new file mode 100644
index 00000000000..a1871198c70
--- /dev/null
+++ b/src/plugin-sdk-internal/whatsapp.ts
@@ -0,0 +1,108 @@
+export type { ChannelMessageActionName } from "../channels/plugins/types.js";
+export type { ChannelPlugin } from "../channels/plugins/types.plugin.js";
+export type { OpenClawConfig } from "../config/config.js";
+export type { DmPolicy, GroupPolicy, WhatsAppAccountConfig } from "../config/types.js";
+export type { PluginRuntime } from "../plugins/runtime/types.js";
+export type { OpenClawPluginApi } from "../plugins/types.js";
+
+export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
+
+export { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
+
+export {
+  applyAccountNameToChannelSection,
+  migrateBaseNameToDefaultAccount,
+} from "../channels/plugins/setup-helpers.js";
+export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
+export { formatPairingApproveHint } from "../channels/plugins/helpers.js";
+
+export { getChatChannelMeta } from "../channels/registry.js";
+export {
+  formatWhatsAppConfigAllowFromEntries,
+  resolveWhatsAppConfigAllowFrom,
+  resolveWhatsAppConfigDefaultTo,
+} from "../plugin-sdk/channel-config-helpers.js";
+export {
+  listWhatsAppDirectoryGroupsFromConfig,
+  listWhatsAppDirectoryPeersFromConfig,
+} from "../channels/plugins/directory-config.js";
+export {
+  hasAnyWhatsAppAuth,
+  listEnabledWhatsAppAccounts,
+  resolveWhatsAppAccount,
+} from "../../extensions/whatsapp/src/accounts.js";
+export {
+  WA_WEB_AUTH_DIR,
+  logWebSelfId,
+  logoutWeb,
+  pickWebChannel,
+  webAuthExists,
+} from "../../extensions/whatsapp/src/auth-store.js";
+export {
+  DEFAULT_WEB_MEDIA_BYTES,
+  HEARTBEAT_PROMPT,
+  HEARTBEAT_TOKEN,
+  monitorWebChannel,
+  resolveHeartbeatRecipients,
+  runWebHeartbeatOnce,
+} from "../../extensions/whatsapp/src/auto-reply.js";
+export type {
+  WebChannelStatus,
+  WebMonitorTuning,
+} from "../../extensions/whatsapp/src/auto-reply.js";
+export {
+  extractMediaPlaceholder,
+  extractText,
+  monitorWebInbox,
+} from "../../extensions/whatsapp/src/inbound.js";
+export type {
+  WebInboundMessage,
+  WebListenerCloseReason,
+} from "../../extensions/whatsapp/src/inbound.js";
+export { loginWeb } from "../../extensions/whatsapp/src/login.js";
+export {
+  getDefaultLocalRoots,
+  loadWebMedia,
+  loadWebMediaRaw,
+  optimizeImageToJpeg,
+} from "../../extensions/whatsapp/src/media.js";
+export {
+  sendMessageWhatsApp,
+  sendPollWhatsApp,
+  sendReactionWhatsApp,
+} from "../../extensions/whatsapp/src/send.js";
+export {
+  createWaSocket,
+  formatError,
+  getStatusCode,
+  waitForWaConnection,
+} from "../../extensions/whatsapp/src/session.js";
+export { createWhatsAppLoginTool } from "../../extensions/whatsapp/src/agent-tools-login.js";
+export { normalizeWhatsAppAllowFromEntries } from "../channels/plugins/normalize/whatsapp.js";
+export {
+  collectAllowlistProviderGroupPolicyWarnings,
+  collectOpenGroupPolicyRouteAllowlistWarnings,
+} from "../channels/plugins/group-policy-warnings.js";
+export { buildAccountScopedDmSecurityPolicy } from "../channels/plugins/helpers.js";
+export { resolveWhatsAppOutboundTarget } from "../whatsapp/resolve-outbound-target.js";
+
+export {
+  resolveAllowlistProviderRuntimeGroupPolicy,
+  resolveDefaultGroupPolicy,
+} from "../config/runtime-group-policy.js";
+export {
+  resolveWhatsAppGroupRequireMention,
+  resolveWhatsAppGroupToolPolicy,
+} from "../channels/plugins/group-mentions.js";
+export {
+  createWhatsAppOutboundBase,
+  resolveWhatsAppGroupIntroHint,
+  resolveWhatsAppMentionStripRegexes,
+} from "../channels/plugins/whatsapp-shared.js";
+export { resolveWhatsAppHeartbeatRecipients } from "../channels/plugins/whatsapp-heartbeat.js";
+export { WhatsAppConfigSchema } from "../config/zod-schema.providers-whatsapp.js";
+
+export { createActionGate, readStringParam } from "../agents/tools/common.js";
+export { createPluginRuntimeStore } from "../plugin-sdk/runtime-store.js";
+
+export { normalizeE164 } from "../utils.js";
diff --git a/src/plugin-sdk/account-resolution.ts b/src/plugin-sdk/account-resolution.ts
index e25c2cc74cb..4aceec2c945 100644
--- a/src/plugin-sdk/account-resolution.ts
+++ b/src/plugin-sdk/account-resolution.ts
@@ -1,3 +1,4 @@
+/** Resolve an account by id, then fall back to the default account when the primary lacks credentials. */
 export function resolveAccountWithDefaultFallback<TAccount>(params: {
   accountId?: string | null;
   normalizeAccountId: (accountId?: string | null) => string;
@@ -23,6 +24,7 @@ export function resolveAccountWithDefaultFallback<TAccount>(params: {
   return fallback;
 }
 
+/** List normalized configured account ids from a raw channel account record map. */
 export function listConfiguredAccountIds(params: {
   accounts: Record<string, unknown> | undefined;
   normalizeAccountId: (accountId: string) => string;
diff --git a/src/plugin-sdk/agent-media-payload.ts b/src/plugin-sdk/agent-media-payload.ts
index 98d12a8420b..5fa1fb767f5 100644
--- a/src/plugin-sdk/agent-media-payload.ts
+++ b/src/plugin-sdk/agent-media-payload.ts
@@ -7,6 +7,7 @@ export type AgentMediaPayload = {
   MediaTypes?: string[];
 };
 
+/** Convert outbound media descriptors into the legacy agent payload field layout. */
 export function buildAgentMediaPayload(
   mediaList: Array<{ path: string; contentType?: string | null }>,
 ): AgentMediaPayload {
diff --git a/src/plugin-sdk/allow-from.ts b/src/plugin-sdk/allow-from.ts
index 9b43a8ced6d..f03f2427558 100644
--- a/src/plugin-sdk/allow-from.ts
+++ b/src/plugin-sdk/allow-from.ts
@@ -1,3 +1,4 @@
+/** Lowercase and optionally strip prefixes from allowlist entries before sender comparisons. */
 export function formatAllowFromLowercase(params: {
   allowFrom: Array<string | number>;
   stripPrefixRe?: RegExp;
@@ -9,6 +10,7 @@ export function formatAllowFromLowercase(params: {
     .map((entry) => entry.toLowerCase());
 }
 
+/** Normalize allowlist entries through a channel-provided parser or canonicalizer. */
 export function formatNormalizedAllowFromEntries(params: {
   allowFrom: Array<string | number>;
   normalizeEntry: (entry: string) => string | undefined | null;
@@ -20,6 +22,7 @@ export function formatNormalizedAllowFromEntries(params: {
     .filter((entry): entry is string => Boolean(entry));
 }
 
+/** Check whether a sender id matches a simple normalized allowlist with wildcard support. */
 export function isNormalizedSenderAllowed(params: {
   senderId: string | number;
   allowFrom: Array<string | number>;
@@ -45,6 +48,7 @@ type ParsedChatAllowTarget =
   | { kind: "chat_identifier"; chatIdentifier: string }
   | { kind: "handle"; handle: string };
 
+/** Match chat-aware allowlist entries against sender, chat id, guid, or identifier fields. */
 export function isAllowedParsedChatSender<TParsed extends ParsedChatAllowTarget>(params: {
   allowFrom: Array<string | number>;
   sender: string;
diff --git a/src/plugin-sdk/allowlist-config-edit.ts b/src/plugin-sdk/allowlist-config-edit.ts
new file mode 100644
index 00000000000..c9f2a92e3be
--- /dev/null
+++ b/src/plugin-sdk/allowlist-config-edit.ts
@@ -0,0 +1,211 @@
+import type { ConfigWriteTarget } from "../channels/plugins/config-writes.js";
+import type { ChannelAllowlistAdapter } from "../channels/plugins/types.adapters.js";
+import type { ChannelId } from "../channels/plugins/types.js";
+import type { OpenClawConfig } from "../config/config.js";
+import { isBlockedObjectKey } from "../infra/prototype-keys.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
+
+type AllowlistConfigPaths = {
+  readPaths: string[][];
+  writePath: string[];
+  cleanupPaths?: string[][];
+};
+
+function resolveAccountScopedWriteTarget(
+  parsed: Record<string, unknown>,
+  channelId: ChannelId,
+  accountId?: string | null,
+) {
+  const channels = (parsed.channels ??= {}) as Record<string, unknown>;
+  const channel = (channels[channelId] ??= {}) as Record<string, unknown>;
+  const normalizedAccountId = normalizeAccountId(accountId);
+  if (isBlockedObjectKey(normalizedAccountId)) {
+    return {
+      target: channel,
+      pathPrefix: `channels.${channelId}`,
+      writeTarget: { kind: "channel", scope: { channelId } } as const satisfies ConfigWriteTarget,
+    };
+  }
+  const hasAccounts = Boolean(channel.accounts && typeof channel.accounts === "object");
+  const useAccount = normalizedAccountId !== DEFAULT_ACCOUNT_ID || hasAccounts;
+  if (!useAccount) {
+    return {
+      target: channel,
+      pathPrefix: `channels.${channelId}`,
+      writeTarget: { kind: "channel", scope: { channelId } } as const satisfies ConfigWriteTarget,
+    };
+  }
+  const accounts = (channel.accounts ??= {}) as Record<string, unknown>;
+  const existingAccount = Object.hasOwn(accounts, normalizedAccountId)
+    ? accounts[normalizedAccountId]
+    : undefined;
+  if (!existingAccount || typeof existingAccount !== "object") {
+    accounts[normalizedAccountId] = {};
+  }
+  const account = accounts[normalizedAccountId] as Record<string, unknown>;
+  return {
+    target: account,
+    pathPrefix: `channels.${channelId}.accounts.${normalizedAccountId}`,
+    writeTarget: {
+      kind: "account",
+      scope: { channelId, accountId: normalizedAccountId },
+    } as const satisfies ConfigWriteTarget,
+  };
+}
+
+function getNestedValue(root: Record<string, unknown>, path: string[]): unknown {
+  let current: unknown = root;
+  for (const key of path) {
+    if (!current || typeof current !== "object") {
+      return undefined;
+    }
+    current = (current as Record<string, unknown>)[key];
+  }
+  return current;
+}
+
+function ensureNestedObject(
+  root: Record<string, unknown>,
+  path: string[],
+): Record<string, unknown> {
+  let current = root;
+  for (const key of path) {
+    const existing = current[key];
+    if (!existing || typeof existing !== "object") {
+      current[key] = {};
+    }
+    current = current[key] as Record<string, unknown>;
+  }
+  return current;
+}
+
+function setNestedValue(root: Record<string, unknown>, path: string[], value: unknown) {
+  if (path.length === 0) {
+    return;
+  }
+  if (path.length === 1) {
+    root[path[0]] = value;
+    return;
+  }
+  const parent = ensureNestedObject(root, path.slice(0, -1));
+  parent[path[path.length - 1]] = value;
+}
+
+function deleteNestedValue(root: Record<string, unknown>, path: string[]) {
+  if (path.length === 0) {
+    return;
+  }
+  if (path.length === 1) {
+    delete root[path[0]];
+    return;
+  }
+  const parent = getNestedValue(root, path.slice(0, -1));
+  if (!parent || typeof parent !== "object") {
+    return;
+  }
+  delete (parent as Record<string, unknown>)[path[path.length - 1]];
+}
+
+function applyAccountScopedAllowlistConfigEdit(params: {
+  parsedConfig: Record<string, unknown>;
+  channelId: ChannelId;
+  accountId?: string | null;
+  action: "add" | "remove";
+  entry: string;
+  normalize: (values: Array<string | number>) => string[];
+  paths: AllowlistConfigPaths;
+}): NonNullable<Awaited<ReturnType<NonNullable<ChannelAllowlistAdapter["applyConfigEdit"]>>>> {
+  const resolvedTarget = resolveAccountScopedWriteTarget(
+    params.parsedConfig,
+    params.channelId,
+    params.accountId,
+  );
+  const existing: string[] = [];
+  for (const path of params.paths.readPaths) {
+    const existingRaw = getNestedValue(resolvedTarget.target, path);
+    if (!Array.isArray(existingRaw)) {
+      continue;
+    }
+    for (const entry of existingRaw) {
+      const value = String(entry).trim();
+      if (!value || existing.includes(value)) {
+        continue;
+      }
+      existing.push(value);
+    }
+  }
+
+  const normalizedEntry = params.normalize([params.entry]);
+  if (normalizedEntry.length === 0) {
+    return { kind: "invalid-entry" };
+  }
+
+  const existingNormalized = params.normalize(existing);
+  const shouldMatch = (value: string) => normalizedEntry.includes(value);
+
+  let changed = false;
+  let next = existing;
+  const configHasEntry = existingNormalized.some((value) => shouldMatch(value));
+  if (params.action === "add") {
+    if (!configHasEntry) {
+      next = [...existing, params.entry.trim()];
+      changed = true;
+    }
+  } else {
+    const keep: string[] = [];
+    for (const entry of existing) {
+      const normalized = params.normalize([entry]);
+      if (normalized.some((value) => shouldMatch(value))) {
+        changed = true;
+        continue;
+      }
+      keep.push(entry);
+    }
+    next = keep;
+  }
+
+  if (changed) {
+    if (next.length === 0) {
+      deleteNestedValue(resolvedTarget.target, params.paths.writePath);
+    } else {
+      setNestedValue(resolvedTarget.target, params.paths.writePath, next);
+    }
+    for (const path of params.paths.cleanupPaths ?? []) {
+      deleteNestedValue(resolvedTarget.target, path);
+    }
+  }
+
+  return {
+    kind: "ok",
+    changed,
+    pathLabel: `${resolvedTarget.pathPrefix}.${params.paths.writePath.join(".")}`,
+    writeTarget: resolvedTarget.writeTarget,
+  };
+}
+
+/** Build the default account-scoped allowlist editor used by channel plugins with config-backed lists. */
+export function buildAccountScopedAllowlistConfigEditor(params: {
+  channelId: ChannelId;
+  normalize: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    values: Array<string | number>;
+  }) => string[];
+  resolvePaths: (scope: "dm" | "group") => AllowlistConfigPaths | null;
+}): NonNullable<ChannelAllowlistAdapter["applyConfigEdit"]> {
+  return ({ cfg, parsedConfig, accountId, scope, action, entry }) => {
+    const paths = params.resolvePaths(scope);
+    if (!paths) {
+      return null;
+    }
+    return applyAccountScopedAllowlistConfigEdit({
+      parsedConfig,
+      channelId: params.channelId,
+      accountId,
+      action,
+      entry,
+      normalize: (values) => params.normalize({ cfg, accountId, values }),
+      paths,
+    });
+  };
+}
diff --git a/src/plugin-sdk/allowlist-resolution.ts b/src/plugin-sdk/allowlist-resolution.ts
index 8e955e422b3..1acf87f4d1c 100644
--- a/src/plugin-sdk/allowlist-resolution.ts
+++ b/src/plugin-sdk/allowlist-resolution.ts
@@ -6,6 +6,7 @@ export type BasicAllowlistResolutionEntry = {
   note?: string;
 };
 
+/** Clone allowlist resolution entries into a plain serializable shape for UI and docs output. */
 export function mapBasicAllowlistResolutionEntries(
   entries: BasicAllowlistResolutionEntry[],
 ): BasicAllowlistResolutionEntry[] {
@@ -18,6 +19,7 @@ export function mapBasicAllowlistResolutionEntries(
   }));
 }
 
+/** Map allowlist inputs sequentially so resolver side effects stay ordered and predictable. */
 export async function mapAllowlistResolutionInputs<T>(params: {
   inputs: string[];
   mapInput: (input: string) => Promise<T> | T;
diff --git a/src/plugin-sdk/bluebubbles.ts b/src/plugin-sdk/bluebubbles.ts
index dff21c19bd7..6375bdea76c 100644
--- a/src/plugin-sdk/bluebubbles.ts
+++ b/src/plugin-sdk/bluebubbles.ts
@@ -34,10 +34,8 @@ export { resolveChannelMediaMaxBytes } from "../channels/plugins/media-limits.js
 export {
   addWildcardAllowFrom,
   mergeAllowFromEntries,
-  promptAccountId,
-  resolveAccountIdForConfigure,
   setTopLevelChannelDmPolicyWithAllowFrom,
-} from "../channels/plugins/onboarding/helpers.js";
+} from "../channels/plugins/setup-wizard-helpers.js";
 export { PAIRING_APPROVED_MESSAGE } from "../channels/plugins/pairing-message.js";
 export {
   applyAccountNameToChannelSection,
diff --git a/src/plugin-sdk/boolean-param.ts b/src/plugin-sdk/boolean-param.ts
index 4616eaec3b8..9e583027052 100644
--- a/src/plugin-sdk/boolean-param.ts
+++ b/src/plugin-sdk/boolean-param.ts
@@ -1,3 +1,4 @@
+/** Read loose boolean params from tool input that may arrive as booleans or "true"/"false" strings. */
 export function readBooleanParam(
   params: Record<string, unknown>,
   key: string,
diff --git a/src/plugin-sdk/channel-config-helpers.ts b/src/plugin-sdk/channel-config-helpers.ts
index ccd5de7a31a..564bc86bc68 100644
--- a/src/plugin-sdk/channel-config-helpers.ts
+++ b/src/plugin-sdk/channel-config-helpers.ts
@@ -1,26 +1,28 @@
-import { resolveIMessageAccount } from "../../extensions/imessage/src/accounts.js";
-import { resolveWhatsAppAccount } from "../../extensions/whatsapp/src/accounts.js";
 import {
   deleteAccountFromConfigSection,
   setAccountEnabledInConfigSection,
 } from "../channels/plugins/config-helpers.js";
 import { buildAccountScopedDmSecurityPolicy } from "../channels/plugins/helpers.js";
 import { normalizeWhatsAppAllowFromEntries } from "../channels/plugins/normalize/whatsapp.js";
+import { getChannelPlugin } from "../channels/plugins/registry.js";
 import type { ChannelConfigAdapter } from "../channels/plugins/types.adapters.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { normalizeAccountId } from "../routing/session-key.js";
 import { normalizeStringEntries } from "../shared/string-normalization.js";
 
+/** Coerce mixed allowlist config values into plain strings without trimming or deduping. */
 export function mapAllowFromEntries(
   allowFrom: Array<string | number> | null | undefined,
 ): string[] {
   return (allowFrom ?? []).map((entry) => String(entry));
 }
 
+/** Normalize user-facing allowlist entries the same way config and doctor flows expect. */
 export function formatTrimmedAllowFromEntries(allowFrom: Array<string | number>): string[] {
   return normalizeStringEntries(allowFrom);
 }
 
+/** Collapse nullable config scalars into a trimmed optional string. */
 export function resolveOptionalConfigString(
   value: string | number | null | undefined,
 ): string | undefined {
@@ -31,6 +33,7 @@ export function resolveOptionalConfigString(
   return normalized || undefined;
 }
 
+/** Build the shared allowlist/default target adapter surface for account-scoped channel configs. */
 export function createScopedAccountConfigAccessors<ResolvedAccount>(params: {
   resolveAccount: (params: { cfg: OpenClawConfig; accountId?: string | null }) => ResolvedAccount;
   resolveAllowFrom: (account: ResolvedAccount) => Array<string | number> | null | undefined;
@@ -60,6 +63,7 @@ export function createScopedAccountConfigAccessors<ResolvedAccount>(params: {
   };
 }
 
+/** Build the common CRUD/config helpers for channels that store multiple named accounts. */
 export function createScopedChannelConfigBase<
   ResolvedAccount,
   Config extends OpenClawConfig = OpenClawConfig,
@@ -105,6 +109,7 @@ export function createScopedChannelConfigBase<
   };
 }
 
+/** Convert account-specific DM security fields into the shared runtime policy resolver shape. */
 export function createScopedDmSecurityResolver<
   ResolvedAccount extends { accountId?: string | null },
 >(params: {
@@ -144,17 +149,23 @@ export function createScopedDmSecurityResolver<
     });
 }
 
+/** Read the effective WhatsApp allowlist through the active plugin contract. */
 export function resolveWhatsAppConfigAllowFrom(params: {
   cfg: OpenClawConfig;
   accountId?: string | null;
 }): string[] {
-  return resolveWhatsAppAccount(params).allowFrom ?? [];
+  const account = getChannelPlugin("whatsapp")?.config.resolveAccount(params.cfg, params.accountId);
+  return account && typeof account === "object" && Array.isArray(account.allowFrom)
+    ? account.allowFrom.map(String)
+    : [];
 }
 
+/** Format WhatsApp allowlist entries with the same normalization used by the channel plugin. */
 export function formatWhatsAppConfigAllowFromEntries(allowFrom: Array<string | number>): string[] {
   return normalizeWhatsAppAllowFromEntries(allowFrom);
 }
 
+/** Resolve the effective WhatsApp default recipient after account and root config fallback. */
 export function resolveWhatsAppConfigDefaultTo(params: {
   cfg: OpenClawConfig;
   accountId?: string | null;
@@ -165,16 +176,26 @@ export function resolveWhatsAppConfigDefaultTo(params: {
   return (account?.defaultTo ?? root?.defaultTo)?.trim() || undefined;
 }
 
+/** Read iMessage allowlist entries from the active plugin's resolved account view. */
 export function resolveIMessageConfigAllowFrom(params: {
   cfg: OpenClawConfig;
   accountId?: string | null;
 }): string[] {
-  return mapAllowFromEntries(resolveIMessageAccount(params).config.allowFrom);
+  const account = getChannelPlugin("imessage")?.config.resolveAccount(params.cfg, params.accountId);
+  if (!account || typeof account !== "object" || !("config" in account)) {
+    return [];
+  }
+  return mapAllowFromEntries(account.config.allowFrom);
 }
 
+/** Resolve the effective iMessage default recipient from the plugin-resolved account config. */
 export function resolveIMessageConfigDefaultTo(params: {
   cfg: OpenClawConfig;
   accountId?: string | null;
 }): string | undefined {
-  return resolveOptionalConfigString(resolveIMessageAccount(params).config.defaultTo);
+  const account = getChannelPlugin("imessage")?.config.resolveAccount(params.cfg, params.accountId);
+  if (!account || typeof account !== "object" || !("config" in account)) {
+    return undefined;
+  }
+  return resolveOptionalConfigString(account.config.defaultTo);
 }
diff --git a/src/plugin-sdk/channel-lifecycle.ts b/src/plugin-sdk/channel-lifecycle.ts
index 7d4fea578d5..28045aeb058 100644
--- a/src/plugin-sdk/channel-lifecycle.ts
+++ b/src/plugin-sdk/channel-lifecycle.ts
@@ -11,6 +11,7 @@ type PassiveAccountLifecycleParams<Handle> = {
   onStop?: () => void | Promise<void>;
 };
 
+/** Bind a fixed account id into a status writer so lifecycle code can emit partial snapshots. */
 export function createAccountStatusSink(params: {
   accountId: string;
   setStatus: (next: ChannelAccountSnapshot) => void;
diff --git a/src/plugin-sdk/channel-plugin-common.ts b/src/plugin-sdk/channel-plugin-common.ts
index 59c347c8f0c..3c5153733c0 100644
--- a/src/plugin-sdk/channel-plugin-common.ts
+++ b/src/plugin-sdk/channel-plugin-common.ts
@@ -1,4 +1,8 @@
+// Canonical shared prelude for channel-oriented plugin SDK surfaces.
+// Keep `core` and channel-specific SDK entrypoints derived from this module
+// so bundled channel entrypoints do not drift across overlapping exports.
 export type { ChannelPlugin } from "../channels/plugins/types.plugin.js";
+export type { ChannelMessageActionContext } from "../channels/plugins/types.js";
 export type { PluginRuntime } from "../plugins/runtime/types.js";
 export type { OpenClawPluginApi } from "../plugins/types.js";
 
diff --git a/src/plugin-sdk/channel-send-result.ts b/src/plugin-sdk/channel-send-result.ts
index e64ff290fea..b73df6f0448 100644
--- a/src/plugin-sdk/channel-send-result.ts
+++ b/src/plugin-sdk/channel-send-result.ts
@@ -4,6 +4,7 @@ export type ChannelSendRawResult = {
   error?: string | null;
 };
 
+/** Normalize raw channel send results into the shape shared outbound callers expect. */
 export function buildChannelSendResult(channel: string, result: ChannelSendRawResult) {
   return {
     channel,
diff --git a/src/plugin-sdk/command-auth.ts b/src/plugin-sdk/command-auth.ts
index 2e95974cf1f..0a09e0c1dcd 100644
--- a/src/plugin-sdk/command-auth.ts
+++ b/src/plugin-sdk/command-auth.ts
@@ -33,6 +33,7 @@ export type ResolveSenderCommandAuthorizationWithRuntimeParams = Omit<
   runtime: CommandAuthorizationRuntime;
 };
 
+/** Fast-path DM command authorization when only policy and sender allowlist state matter. */
 export function resolveDirectDmAuthorizationOutcome(params: {
   isGroup: boolean;
   dmPolicy: string;
@@ -50,6 +51,7 @@ export function resolveDirectDmAuthorizationOutcome(params: {
   return "allowed";
 }
 
+/** Runtime-backed wrapper around sender command authorization for grouped helper surfaces. */
 export async function resolveSenderCommandAuthorizationWithRuntime(
   params: ResolveSenderCommandAuthorizationWithRuntimeParams,
 ): ReturnType<typeof resolveSenderCommandAuthorization> {
@@ -60,6 +62,7 @@ export async function resolveSenderCommandAuthorizationWithRuntime(
   });
 }
 
+/** Compute effective allowlists and command authorization for one inbound sender. */
 export async function resolveSenderCommandAuthorization(
   params: ResolveSenderCommandAuthorizationParams,
 ): Promise<{
diff --git a/src/plugin-sdk/config-paths.ts b/src/plugin-sdk/config-paths.ts
index 06940f1842a..00c67a3036b 100644
--- a/src/plugin-sdk/config-paths.ts
+++ b/src/plugin-sdk/config-paths.ts
@@ -1,5 +1,6 @@
 import type { OpenClawConfig } from "../config/config.js";
 
+/** Resolve the config path prefix for a channel account, falling back to the root channel section. */
 export function resolveChannelAccountConfigBasePath(params: {
   cfg: OpenClawConfig;
   channelKey: string;
diff --git a/src/plugin-sdk/core.ts b/src/plugin-sdk/core.ts
index d8b94a53545..1e33cafe4e9 100644
--- a/src/plugin-sdk/core.ts
+++ b/src/plugin-sdk/core.ts
@@ -1,11 +1,17 @@
 export type {
   AnyAgentTool,
-  OpenClawPluginApi,
+  OpenClawPluginConfigSchema,
   ProviderDiscoveryContext,
   ProviderCatalogContext,
   ProviderCatalogResult,
+  ProviderAugmentModelCatalogContext,
+  ProviderBuiltInModelSuppressionContext,
+  ProviderBuiltInModelSuppressionResult,
+  ProviderBuildMissingAuthMessageContext,
   ProviderCacheTtlEligibilityContext,
+  ProviderDefaultThinkingPolicyContext,
   ProviderFetchUsageSnapshotContext,
+  ProviderModernModelPolicyContext,
   ProviderPreparedRuntimeAuth,
   ProviderResolvedUsageAuth,
   ProviderPrepareExtraParamsContext,
@@ -15,14 +21,36 @@ export type {
   ProviderResolveDynamicModelContext,
   ProviderNormalizeResolvedModelContext,
   ProviderRuntimeModel,
+  ProviderThinkingPolicyContext,
   ProviderWrapStreamFnContext,
   OpenClawPluginService,
   ProviderAuthContext,
+  ProviderAuthDoctorHintContext,
   ProviderAuthMethodNonInteractiveContext,
+  ProviderAuthMethod,
   ProviderAuthResult,
 } from "../plugins/types.js";
-export type { ChannelPlugin } from "../channels/plugins/types.plugin.js";
-export type { PluginRuntime } from "../plugins/runtime/types.js";
+export type {
+  CreateSandboxBackendParams,
+  RemoteShellSandboxHandle,
+  RunSshSandboxCommandParams,
+  SandboxBackendCommandParams,
+  SandboxBackendCommandResult,
+  SandboxBackendExecSpec,
+  SandboxBackendFactory,
+  SandboxFsBridge,
+  SandboxFsStat,
+  SandboxBackendHandle,
+  SandboxBackendId,
+  SandboxBackendManager,
+  SandboxBackendRegistration,
+  SandboxBackendRuntimeInfo,
+  SandboxContext,
+  SandboxResolvedPath,
+  SandboxSshConfig,
+  SshSandboxSession,
+  SshSandboxSettings,
+} from "../agents/sandbox.js";
 export type { OpenClawConfig } from "../config/config.js";
 export type { GatewayRequestHandlerOptions } from "../gateway/server-methods/types.js";
 export type {
@@ -30,8 +58,30 @@ export type {
   UsageProviderId,
   UsageWindow,
 } from "../infra/provider-usage.types.js";
+export type {
+  ChannelMessageActionContext,
+  ChannelPlugin,
+  OpenClawPluginApi,
+  PluginRuntime,
+} from "./channel-plugin-common.js";
 
-export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
+export { emptyPluginConfigSchema } from "./channel-plugin-common.js";
+export {
+  buildExecRemoteCommand,
+  buildRemoteCommand,
+  buildSshSandboxArgv,
+  createRemoteShellSandboxFsBridge,
+  createSshSandboxSessionFromConfigText,
+  createSshSandboxSessionFromSettings,
+  disposeSshSandboxSession,
+  getSandboxBackendFactory,
+  getSandboxBackendManager,
+  registerSandboxBackend,
+  runSshSandboxCommand,
+  shellEscape,
+  uploadDirectoryToSshTarget,
+  requireSandboxBackendFactory,
+} from "../agents/sandbox.js";
 export { buildOauthProviderAuthResult } from "./provider-auth-result.js";
 export {
   applyProviderDefaultModel,
@@ -91,3 +141,11 @@ export type {
   TailscaleStatusCommandResult,
   TailscaleStatusCommandRunner,
 } from "../shared/tailscale-status.js";
+export {
+  buildAgentSessionKey,
+  type RoutePeer,
+  type RoutePeerKind,
+} from "../routing/resolve-route.js";
+export { resolveThreadSessionKeys } from "../routing/session-key.js";
+export { runPassiveAccountLifecycle } from "./channel-lifecycle.js";
+export { createLoggerBackedRuntime } from "./runtime.js";
diff --git a/src/plugin-sdk/discord-send.ts b/src/plugin-sdk/discord-send.ts
index d3cdaf38a22..6cca5f9f803 100644
--- a/src/plugin-sdk/discord-send.ts
+++ b/src/plugin-sdk/discord-send.ts
@@ -11,6 +11,7 @@ type DiscordSendMediaOptionInput = DiscordSendOptionInput & {
   mediaLocalRoots?: readonly string[];
 };
 
+/** Build the common Discord send options from SDK-level reply payload fields. */
 export function buildDiscordSendOptions(input: DiscordSendOptionInput) {
   return {
     verbose: false,
@@ -20,6 +21,7 @@ export function buildDiscordSendOptions(input: DiscordSendOptionInput) {
   };
 }
 
+/** Extend the base Discord send options with media-specific fields. */
 export function buildDiscordSendMediaOptions(input: DiscordSendMediaOptionInput) {
   return {
     ...buildDiscordSendOptions(input),
@@ -28,6 +30,7 @@ export function buildDiscordSendMediaOptions(input: DiscordSendMediaOptionInput)
   };
 }
 
+/** Stamp raw Discord send results with the channel id expected by shared outbound flows. */
 export function tagDiscordChannelResult(result: DiscordSendResult) {
   return { channel: "discord" as const, ...result };
 }
diff --git a/src/plugin-sdk/discord.ts b/src/plugin-sdk/discord.ts
index f4ffe6ef809..d15f5091b9d 100644
--- a/src/plugin-sdk/discord.ts
+++ b/src/plugin-sdk/discord.ts
@@ -1,16 +1,26 @@
 export type { ChannelMessageActionAdapter } from "../channels/plugins/types.js";
 export type { OpenClawConfig } from "../config/config.js";
 export type { DiscordAccountConfig, DiscordActionConfig } from "../config/types.js";
-export type { InspectedDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
-export type { ResolvedDiscordAccount } from "../../extensions/discord/src/accounts.js";
-export * from "./channel-plugin-common.js";
-
+export type {
+  ChannelMessageActionContext,
+  ChannelPlugin,
+  OpenClawPluginApi,
+  PluginRuntime,
+} from "./channel-plugin-common.js";
 export {
-  listDiscordAccountIds,
-  resolveDefaultDiscordAccountId,
-  resolveDiscordAccount,
-} from "../../extensions/discord/src/accounts.js";
-export { inspectDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
+  DEFAULT_ACCOUNT_ID,
+  PAIRING_APPROVED_MESSAGE,
+  applyAccountNameToChannelSection,
+  buildChannelConfigSchema,
+  deleteAccountFromConfigSection,
+  emptyPluginConfigSchema,
+  formatPairingApproveHint,
+  getChatChannelMeta,
+  migrateBaseNameToDefaultAccount,
+  normalizeAccountId,
+  setAccountEnabledInConfigSection,
+} from "./channel-plugin-common.js";
+
 export {
   projectCredentialSnapshotFields,
   resolveConfiguredFromCredentialStatuses,
@@ -19,13 +29,6 @@ export {
   listDiscordDirectoryGroupsFromConfig,
   listDiscordDirectoryPeersFromConfig,
 } from "../channels/plugins/directory-config.js";
-export {
-  looksLikeDiscordTargetId,
-  normalizeDiscordMessagingTarget,
-  normalizeDiscordOutboundTarget,
-} from "../channels/plugins/normalize/discord.js";
-export { collectDiscordAuditChannelIds } from "../../extensions/discord/src/audit.js";
-export { collectDiscordStatusIssues } from "../channels/plugins/status-issues/discord.js";
 
 export {
   resolveDefaultGroupPolicy,
@@ -35,18 +38,8 @@ export {
   resolveDiscordGroupRequireMention,
   resolveDiscordGroupToolPolicy,
 } from "../channels/plugins/group-mentions.js";
-export {
-  discordSetupAdapter,
-  discordSetupWizard,
-} from "../../extensions/discord/src/setup-surface.js";
 export { DiscordConfigSchema } from "../config/zod-schema.providers-core.js";
 
-export {
-  autoBindSpawnedDiscordSubagent,
-  listThreadBindingsBySessionKey,
-  unbindThreadBindingsBySessionKey,
-} from "../../extensions/discord/src/monitor/thread-bindings.js";
-
 export {
   buildComputedAccountStatusSnapshot,
   buildTokenChannelStatusSummary,
diff --git a/src/plugin-sdk/entrypoints.ts b/src/plugin-sdk/entrypoints.ts
new file mode 100644
index 00000000000..cc337c16fcf
--- /dev/null
+++ b/src/plugin-sdk/entrypoints.ts
@@ -0,0 +1,40 @@
+import pluginSdkEntryList from "../../scripts/lib/plugin-sdk-entrypoints.json" with { type: "json" };
+
+export const pluginSdkEntrypoints = [...pluginSdkEntryList];
+
+export const pluginSdkSubpaths = pluginSdkEntrypoints.filter((entry) => entry !== "index");
+
+/** Map every SDK entrypoint name to its source file path inside the repo. */
+export function buildPluginSdkEntrySources() {
+  return Object.fromEntries(
+    pluginSdkEntrypoints.map((entry) => [entry, `src/plugin-sdk/${entry}.ts`]),
+  );
+}
+
+/** List the public package specifiers that should resolve to plugin SDK entrypoints. */
+export function buildPluginSdkSpecifiers() {
+  return pluginSdkEntrypoints.map((entry) =>
+    entry === "index" ? "openclaw/plugin-sdk" : `openclaw/plugin-sdk/${entry}`,
+  );
+}
+
+/** Build the package.json exports map for all plugin SDK subpaths. */
+export function buildPluginSdkPackageExports() {
+  return Object.fromEntries(
+    pluginSdkEntrypoints.map((entry) => [
+      entry === "index" ? "./plugin-sdk" : `./plugin-sdk/${entry}`,
+      {
+        types: `./dist/plugin-sdk/${entry}.d.ts`,
+        default: `./dist/plugin-sdk/${entry}.js`,
+      },
+    ]),
+  );
+}
+
+/** List the dist artifacts expected for every generated plugin SDK entrypoint. */
+export function listPluginSdkDistArtifacts() {
+  return pluginSdkEntrypoints.flatMap((entry) => [
+    `dist/plugin-sdk/${entry}.js`,
+    `dist/plugin-sdk/${entry}.d.ts`,
+  ]);
+}
diff --git a/src/plugin-sdk/feishu.ts b/src/plugin-sdk/feishu.ts
index 772cde76ff2..ee15823738b 100644
--- a/src/plugin-sdk/feishu.ts
+++ b/src/plugin-sdk/feishu.ts
@@ -13,10 +13,6 @@ export { logTypingFailure } from "../channels/logging.js";
 export type { AllowlistMatch } from "../channels/plugins/allowlist-match.js";
 export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
 export { createActionGate } from "../agents/tools/common.js";
-export type {
-  ChannelOnboardingAdapter,
-  ChannelOnboardingDmPolicy,
-} from "../channels/plugins/onboarding-types.js";
 export {
   buildSingleChannelSecretPromptState,
   addWildcardAllowFrom,
@@ -25,8 +21,8 @@ export {
   setTopLevelChannelAllowFrom,
   setTopLevelChannelDmPolicyWithAllowFrom,
   setTopLevelChannelGroupPolicy,
-  splitOnboardingEntries,
-} from "../channels/plugins/onboarding/helpers.js";
+  splitSetupEntries,
+} from "../channels/plugins/setup-wizard-helpers.js";
 export { PAIRING_APPROVED_MESSAGE } from "../channels/plugins/pairing-message.js";
 export type {
   BaseProbeResult,
@@ -66,6 +62,8 @@ export type { RuntimeEnv } from "../runtime.js";
 export { formatDocsLink } from "../terminal/links.js";
 export { evaluateSenderGroupAccessForPolicy } from "./group-access.js";
 export type { WizardPrompter } from "../wizard/prompts.js";
+export { feishuSetupWizard } from "../../extensions/feishu/src/setup-surface.js";
+export { feishuSetupAdapter } from "../../extensions/feishu/src/setup-core.js";
 export { buildAgentMediaPayload } from "./agent-media-payload.js";
 export { readJsonFileWithFallback } from "./json-store.js";
 export { createScopedPairingAccess } from "./pairing-access.js";
@@ -78,6 +76,10 @@ export {
   createDefaultChannelRuntimeState,
 } from "./status-helpers.js";
 export { withTempDownloadPath } from "./temp-path.js";
+export {
+  buildFeishuConversationId,
+  parseFeishuConversationId,
+} from "../../extensions/feishu/src/conversation-id.js";
 export {
   createFixedWindowRateLimiter,
   createWebhookAnomalyTracker,
diff --git a/src/plugin-sdk/fetch-auth.ts b/src/plugin-sdk/fetch-auth.ts
index fc04e4aa910..10945bb2a44 100644
--- a/src/plugin-sdk/fetch-auth.ts
+++ b/src/plugin-sdk/fetch-auth.ts
@@ -6,6 +6,7 @@ function isAuthFailureStatus(status: number): boolean {
   return status === 401 || status === 403;
 }
 
+/** Retry a fetch with bearer tokens from the provided scopes when the unauthenticated attempt fails. */
 export async function fetchWithBearerAuthScopeFallback(params: {
   url: string;
   scopes: readonly string[];
diff --git a/src/plugin-sdk/file-lock.ts b/src/plugin-sdk/file-lock.ts
index 98277381868..3870c38fc35 100644
--- a/src/plugin-sdk/file-lock.ts
+++ b/src/plugin-sdk/file-lock.ts
@@ -100,6 +100,7 @@ async function releaseHeldLock(normalizedFile: string): Promise<void> {
   await fs.rm(current.lockPath, { force: true }).catch(() => undefined);
 }
 
+/** Acquire a re-entrant process-local file lock backed by a `.lock` sidecar file. */
 export async function acquireFileLock(
   filePath: string,
   options: FileLockOptions,
@@ -147,6 +148,7 @@ export async function acquireFileLock(
   throw new Error(`file lock timeout for ${normalizedFile}`);
 }
 
+/** Run an async callback while holding a file lock, always releasing the lock afterward. */
 export async function withFileLock<T>(
   filePath: string,
   options: FileLockOptions,
diff --git a/src/plugin-sdk/google-gemini-cli-auth.ts b/src/plugin-sdk/google-gemini-cli-auth.ts
deleted file mode 100644
index a03002feaab..00000000000
--- a/src/plugin-sdk/google-gemini-cli-auth.ts
+++ /dev/null
@@ -1,15 +0,0 @@
-// Narrow plugin-sdk surface for the bundled google-gemini-cli-auth plugin.
-// Keep this list additive and scoped to symbols used under extensions/google-gemini-cli-auth.
-
-export { fetchWithSsrFGuard } from "../infra/net/fetch-guard.js";
-export { isWSL2Sync } from "../infra/wsl.js";
-export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
-export type {
-  OpenClawPluginApi,
-  ProviderAuthContext,
-  ProviderFetchUsageSnapshotContext,
-  ProviderResolveDynamicModelContext,
-  ProviderRuntimeModel,
-} from "../plugins/types.js";
-export type { ProviderUsageSnapshot } from "../infra/provider-usage.types.js";
-export { buildOauthProviderAuthResult } from "./provider-auth-result.js";
diff --git a/src/plugin-sdk/googlechat.ts b/src/plugin-sdk/googlechat.ts
index e6e9aaefb1c..ce05a95b47a 100644
--- a/src/plugin-sdk/googlechat.ts
+++ b/src/plugin-sdk/googlechat.ts
@@ -8,7 +8,6 @@ export {
   readReactionParams,
   readStringParam,
 } from "../agents/tools/common.js";
-export type { ChannelDock } from "../channels/dock.js";
 export { resolveMentionGatingWithBypass } from "../channels/mention-gating.js";
 export {
   deleteAccountFromConfigSection,
@@ -27,10 +26,9 @@ export { resolveChannelMediaMaxBytes } from "../channels/plugins/media-limits.js
 export {
   addWildcardAllowFrom,
   mergeAllowFromEntries,
-  promptAccountId,
-  splitOnboardingEntries,
+  splitSetupEntries,
   setTopLevelChannelDmPolicyWithAllowFrom,
-} from "../channels/plugins/onboarding/helpers.js";
+} from "../channels/plugins/setup-wizard-helpers.js";
 export { PAIRING_APPROVED_MESSAGE } from "../channels/plugins/pairing-message.js";
 export {
   applyAccountNameToChannelSection,
@@ -67,10 +65,8 @@ export { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.j
 export { resolveDmGroupAccessWithLists } from "../security/dm-policy-shared.js";
 export { formatDocsLink } from "../terminal/links.js";
 export type { WizardPrompter } from "../wizard/prompts.js";
-export {
-  googlechatSetupAdapter,
-  googlechatSetupWizard,
-} from "../../extensions/googlechat/src/setup-surface.js";
+export { googlechatSetupAdapter } from "../../extensions/googlechat/src/setup-core.js";
+export { googlechatSetupWizard } from "../../extensions/googlechat/src/setup-surface.js";
 export { resolveInboundRouteEnvelopeBuilderWithRuntime } from "./inbound-envelope.js";
 export { createScopedPairingAccess } from "./pairing-access.js";
 export { issuePairingChallenge } from "../pairing/pairing-challenge.js";
diff --git a/src/plugin-sdk/group-access.ts b/src/plugin-sdk/group-access.ts
index 5a58242338b..bec84b4ba7c 100644
--- a/src/plugin-sdk/group-access.ts
+++ b/src/plugin-sdk/group-access.ts
@@ -40,6 +40,7 @@ export type MatchedGroupAccessDecision = {
   reason: MatchedGroupAccessReason;
 };
 
+/** Downgrade sender-scoped group policy to open mode when no allowlist is configured. */
 export function resolveSenderScopedGroupPolicy(params: {
   groupPolicy: GroupPolicy;
   groupAllowFrom: string[];
@@ -50,6 +51,7 @@ export function resolveSenderScopedGroupPolicy(params: {
   return params.groupAllowFrom.length > 0 ? "allowlist" : "open";
 }
 
+/** Evaluate route-level group access after policy, route match, and enablement checks. */
 export function evaluateGroupRouteAccessForPolicy(params: {
   groupPolicy: GroupPolicy;
   routeAllowlistConfigured: boolean;
@@ -96,6 +98,7 @@ export function evaluateGroupRouteAccessForPolicy(params: {
   };
 }
 
+/** Evaluate generic allowlist match state for channels that compare derived group identifiers. */
 export function evaluateMatchedGroupAccessForPolicy(params: {
   groupPolicy: GroupPolicy;
   allowlistConfigured: boolean;
@@ -142,6 +145,7 @@ export function evaluateMatchedGroupAccessForPolicy(params: {
   };
 }
 
+/** Evaluate sender access for an already-resolved group policy and allowlist. */
 export function evaluateSenderGroupAccessForPolicy(params: {
   groupPolicy: GroupPolicy;
   providerMissingFallbackApplied?: boolean;
@@ -184,6 +188,7 @@ export function evaluateSenderGroupAccessForPolicy(params: {
   };
 }
 
+/** Resolve provider fallback policy first, then evaluate sender access against that result. */
 export function evaluateSenderGroupAccess(params: {
   providerConfigPresent: boolean;
   configuredGroupPolicy?: GroupPolicy;
diff --git a/src/plugin-sdk/imessage-targets.ts b/src/plugin-sdk/imessage-targets.ts
new file mode 100644
index 00000000000..b3353edc3df
--- /dev/null
+++ b/src/plugin-sdk/imessage-targets.ts
@@ -0,0 +1 @@
+export { normalizeIMessageHandle } from "../../extensions/imessage/src/targets.js";
diff --git a/src/plugin-sdk/imessage.ts b/src/plugin-sdk/imessage.ts
index 8c8727ef5d9..a974910e680 100644
--- a/src/plugin-sdk/imessage.ts
+++ b/src/plugin-sdk/imessage.ts
@@ -1,11 +1,23 @@
-export type { ResolvedIMessageAccount } from "../../extensions/imessage/src/accounts.js";
 export type { IMessageAccountConfig } from "../config/types.js";
-export * from "./channel-plugin-common.js";
+export type {
+  ChannelMessageActionContext,
+  ChannelPlugin,
+  OpenClawPluginApi,
+  PluginRuntime,
+} from "./channel-plugin-common.js";
 export {
-  listIMessageAccountIds,
-  resolveDefaultIMessageAccountId,
-  resolveIMessageAccount,
-} from "../../extensions/imessage/src/accounts.js";
+  DEFAULT_ACCOUNT_ID,
+  PAIRING_APPROVED_MESSAGE,
+  applyAccountNameToChannelSection,
+  buildChannelConfigSchema,
+  deleteAccountFromConfigSection,
+  emptyPluginConfigSchema,
+  formatPairingApproveHint,
+  getChatChannelMeta,
+  migrateBaseNameToDefaultAccount,
+  normalizeAccountId,
+  setAccountEnabledInConfigSection,
+} from "./channel-plugin-common.js";
 export {
   formatTrimmedAllowFromEntries,
   resolveIMessageConfigAllowFrom,
@@ -24,10 +36,6 @@ export {
   resolveIMessageGroupRequireMention,
   resolveIMessageGroupToolPolicy,
 } from "../channels/plugins/group-mentions.js";
-export {
-  imessageSetupAdapter,
-  imessageSetupWizard,
-} from "../../extensions/imessage/src/setup-surface.js";
 export { IMessageConfigSchema } from "../config/zod-schema.providers-core.js";
 
 export { resolveChannelMediaMaxBytes } from "../channels/plugins/media-limits.js";
diff --git a/src/plugin-sdk/inbound-envelope.ts b/src/plugin-sdk/inbound-envelope.ts
index 2a4ff0aaa06..f3662b725c3 100644
--- a/src/plugin-sdk/inbound-envelope.ts
+++ b/src/plugin-sdk/inbound-envelope.ts
@@ -24,6 +24,7 @@ type InboundRouteResolveParams<TConfig, TPeer extends RoutePeerLike> = {
   peer: TPeer;
 };
 
+/** Create an envelope formatter bound to one resolved route and session store. */
 export function createInboundEnvelopeBuilder<TConfig, TEnvelope>(params: {
   cfg: TConfig;
   route: RouteLike;
@@ -54,6 +55,7 @@ export function createInboundEnvelopeBuilder<TConfig, TEnvelope>(params: {
   };
 }
 
+/** Resolve a route first, then return both the route and a formatter for future inbound messages. */
 export function resolveInboundRouteEnvelopeBuilder<
   TConfig,
   TEnvelope,
@@ -111,6 +113,7 @@ type InboundRouteEnvelopeRuntime<
   };
 };
 
+/** Runtime-driven variant of inbound envelope resolution for plugins that already expose grouped helpers. */
 export function resolveInboundRouteEnvelopeBuilderWithRuntime<
   TConfig,
   TEnvelope,
diff --git a/src/plugin-sdk/inbound-reply-dispatch.ts b/src/plugin-sdk/inbound-reply-dispatch.ts
index cf11b3ee451..b2ba466a21c 100644
--- a/src/plugin-sdk/inbound-reply-dispatch.ts
+++ b/src/plugin-sdk/inbound-reply-dispatch.ts
@@ -20,6 +20,7 @@ type DispatchReplyWithBufferedBlockDispatcherFn =
 
 type ReplyDispatchFromConfigOptions = Omit<GetReplyOptions, "onToolResult" | "onBlockReply">;
 
+/** Run `dispatchReplyFromConfig` with a dispatcher that always gets its settled callback. */
 export async function dispatchReplyFromConfigWithSettledDispatcher(params: {
   cfg: OpenClawConfig;
   ctxPayload: FinalizedMsgContext;
@@ -40,6 +41,7 @@ export async function dispatchReplyFromConfigWithSettledDispatcher(params: {
   });
 }
 
+/** Assemble the common inbound reply dispatch dependencies for a resolved route. */
 export function buildInboundReplyDispatchBase(params: {
   cfg: OpenClawConfig;
   channel: string;
@@ -80,6 +82,7 @@ type RecordInboundSessionAndDispatchReplyParams = Parameters<
   typeof recordInboundSessionAndDispatchReply
 >[0];
 
+/** Resolve the shared dispatch base and immediately record + dispatch one inbound reply turn. */
 export async function dispatchInboundReplyWithBase(
   params: BuildInboundReplyDispatchBaseParams &
     Pick<
@@ -97,6 +100,7 @@ export async function dispatchInboundReplyWithBase(
   });
 }
 
+/** Record the inbound session first, then dispatch the reply using normalized outbound delivery. */
 export async function recordInboundSessionAndDispatchReply(params: {
   cfg: OpenClawConfig;
   channel: string;
diff --git a/src/plugin-sdk/index.test.ts b/src/plugin-sdk/index.test.ts
index 61d1cccb10c..d634f80ce66 100644
--- a/src/plugin-sdk/index.test.ts
+++ b/src/plugin-sdk/index.test.ts
@@ -4,69 +4,15 @@ import path from "node:path";
 import { pathToFileURL } from "node:url";
 import { build } from "tsdown";
 import { describe, expect, it } from "vitest";
+import {
+  buildPluginSdkEntrySources,
+  buildPluginSdkPackageExports,
+  buildPluginSdkSpecifiers,
+  pluginSdkEntrypoints,
+} from "./entrypoints.js";
 import * as sdk from "./index.js";
 
-const pluginSdkEntrypoints = [
-  "index",
-  "core",
-  "compat",
-  "telegram",
-  "discord",
-  "slack",
-  "signal",
-  "imessage",
-  "whatsapp",
-  "line",
-  "msteams",
-  "acpx",
-  "bluebubbles",
-  "copilot-proxy",
-  "device-pair",
-  "diagnostics-otel",
-  "diffs",
-  "feishu",
-  "google-gemini-cli-auth",
-  "googlechat",
-  "irc",
-  "llm-task",
-  "lobster",
-  "matrix",
-  "mattermost",
-  "memory-core",
-  "memory-lancedb",
-  "minimax-portal-auth",
-  "nextcloud-talk",
-  "nostr",
-  "open-prose",
-  "phone-control",
-  "qwen-portal-auth",
-  "synology-chat",
-  "talk-voice",
-  "test-utils",
-  "thread-ownership",
-  "tlon",
-  "twitch",
-  "voice-call",
-  "zalo",
-  "zalouser",
-  "account-id",
-  "keyed-async-queue",
-] as const;
-
-const pluginSdkSpecifiers = pluginSdkEntrypoints.map((entry) =>
-  entry === "index" ? "openclaw/plugin-sdk" : `openclaw/plugin-sdk/${entry}`,
-);
-
-function buildPluginSdkPackageExports() {
-  return Object.fromEntries(
-    pluginSdkEntrypoints.map((entry) => [
-      entry === "index" ? "./plugin-sdk" : `./plugin-sdk/${entry}`,
-      {
-        default: `./dist/plugin-sdk/${entry}.js`,
-      },
-    ]),
-  );
-}
+const pluginSdkSpecifiers = buildPluginSdkSpecifiers();
 
 describe("plugin-sdk exports", () => {
   it("does not expose runtime modules", () => {
@@ -181,9 +127,7 @@ describe("plugin-sdk exports", () => {
         clean: true,
         config: false,
         dts: false,
-        entry: Object.fromEntries(
-          pluginSdkEntrypoints.map((entry) => [entry, `src/plugin-sdk/${entry}.ts`]),
-        ),
+        entry: buildPluginSdkEntrySources(),
         env: { NODE_ENV: "production" },
         fixedExtension: false,
         logLevel: "error",
@@ -231,11 +175,23 @@ describe("plugin-sdk exports", () => {
 
       const { default: importResults } = await import(pathToFileURL(consumerEntry).href);
       expect(importResults).toEqual(
-        Object.fromEntries(pluginSdkSpecifiers.map((specifier) => [specifier, "object"])),
+        Object.fromEntries(pluginSdkSpecifiers.map((specifier: string) => [specifier, "object"])),
       );
     } finally {
       await fs.rm(outDir, { recursive: true, force: true });
       await fs.rm(fixtureDir, { recursive: true, force: true });
     }
   });
+
+  it("keeps package.json plugin-sdk exports synced with the manifest", async () => {
+    const packageJsonPath = path.join(process.cwd(), "package.json");
+    const packageJson = JSON.parse(await fs.readFile(packageJsonPath, "utf8")) as {
+      exports?: Record<string, unknown>;
+    };
+    const currentPluginSdkExports = Object.fromEntries(
+      Object.entries(packageJson.exports ?? {}).filter(([key]) => key.startsWith("./plugin-sdk")),
+    );
+
+    expect(currentPluginSdkExports).toEqual(buildPluginSdkPackageExports());
+  });
 });
diff --git a/src/plugin-sdk/index.ts b/src/plugin-sdk/index.ts
index 5c8c514d191..e43be3bfadd 100644
--- a/src/plugin-sdk/index.ts
+++ b/src/plugin-sdk/index.ts
@@ -61,16 +61,6 @@ export type {
   BaseTokenResolution,
 } from "../channels/plugins/types.js";
 export type { ChannelConfigSchema, ChannelPlugin } from "../channels/plugins/types.plugin.js";
-export type {
-  ThreadBindingManager,
-  ThreadBindingRecord,
-  ThreadBindingTargetKind,
-} from "../../extensions/discord/src/monitor/thread-bindings.js";
-export {
-  autoBindSpawnedDiscordSubagent,
-  listThreadBindingsBySessionKey,
-  unbindThreadBindingsBySessionKey,
-} from "../../extensions/discord/src/monitor/thread-bindings.js";
 export type {
   AcpRuntimeCapabilities,
   AcpRuntimeControl,
@@ -105,12 +95,20 @@ export type {
   PluginHookInboundClaimResult,
   PluginInteractiveDiscordHandlerContext,
   PluginInteractiveHandlerRegistration,
+  PluginInteractiveSlackHandlerContext,
   PluginInteractiveTelegramHandlerContext,
   PluginLogger,
   ProviderAuthContext,
+  ProviderAuthDoctorHintContext,
   ProviderAuthResult,
+  ProviderAugmentModelCatalogContext,
+  ProviderBuiltInModelSuppressionContext,
+  ProviderBuiltInModelSuppressionResult,
+  ProviderBuildMissingAuthMessageContext,
   ProviderCacheTtlEligibilityContext,
+  ProviderDefaultThinkingPolicyContext,
   ProviderFetchUsageSnapshotContext,
+  ProviderModernModelPolicyContext,
   ProviderPreparedRuntimeAuth,
   ProviderResolvedUsageAuth,
   ProviderPrepareExtraParamsContext,
@@ -120,6 +118,7 @@ export type {
   ProviderResolveDynamicModelContext,
   ProviderNormalizeResolvedModelContext,
   ProviderRuntimeModel,
+  ProviderThinkingPolicyContext,
   ProviderWrapStreamFnContext,
 } from "../plugins/types.js";
 export type {
@@ -225,20 +224,20 @@ export {
 export {
   promptSingleChannelSecretInput,
   type SingleChannelSecretInputPromptResult,
-} from "../channels/plugins/onboarding/helpers.js";
+} from "../channels/plugins/setup-wizard-helpers.js";
 export { buildOauthProviderAuthResult } from "./provider-auth-result.js";
 export { formatResolvedUnresolvedNote } from "./resolution-notes.js";
 export { buildChannelSendResult } from "./channel-send-result.js";
 export type { ChannelSendRawResult } from "./channel-send-result.js";
 export { createPluginRuntimeStore } from "./runtime-store.js";
 export { createScopedChannelConfigBase } from "./channel-config-helpers.js";
+export { buildAccountScopedAllowlistConfigEditor } from "./allowlist-config-edit.js";
 export {
   AllowFromEntrySchema,
   AllowFromListSchema,
   buildNestedDmConfigSchema,
   buildCatchallMultiAccountChannelSchema,
 } from "../channels/plugins/config-schema.js";
-export type { ChannelDock } from "../channels/dock.js";
 export { getChatChannelMeta } from "../channels/registry.js";
 export {
   compileAllowlist,
@@ -320,6 +319,7 @@ export {
   normalizeAgentId,
   resolveThreadSessionKeys,
 } from "../routing/session-key.js";
+export { buildAgentSessionKey, type RoutePeer } from "../routing/resolve-route.js";
 export {
   formatAllowFromLowercase,
   formatNormalizedAllowFromEntries,
@@ -611,21 +611,6 @@ export {
 } from "../channels/plugins/helpers.js";
 export { PAIRING_APPROVED_MESSAGE } from "../channels/plugins/pairing-message.js";
 
-export type {
-  ChannelOnboardingAdapter,
-  ChannelOnboardingDmPolicy,
-} from "../channels/plugins/onboarding-types.js";
-export {
-  addWildcardAllowFrom,
-  mergeAllowFromEntries,
-  promptAccountId,
-  resolveAccountIdForConfigure,
-  setTopLevelChannelAllowFrom,
-  setTopLevelChannelDmPolicyWithAllowFrom,
-  setTopLevelChannelGroupPolicy,
-} from "../channels/plugins/onboarding/helpers.js";
-export { promptChannelAccessConfig } from "../channels/plugins/onboarding/channel-access.js";
-
 export {
   createActionGate,
   jsonResult,
@@ -676,118 +661,6 @@ export { extractOriginalFilename } from "../media/store.js";
 export { listSkillCommandsForAgents } from "../auto-reply/skill-commands.js";
 export type { SkillCommandSpec } from "../agents/skills.js";
 
-// Channel: Discord
-export {
-  listDiscordAccountIds,
-  resolveDefaultDiscordAccountId,
-  resolveDiscordAccount,
-  type ResolvedDiscordAccount,
-} from "../../extensions/discord/src/accounts.js";
-export { inspectDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
-export type { InspectedDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
-export { collectDiscordAuditChannelIds } from "../../extensions/discord/src/audit.js";
-export {
-  discordSetupAdapter,
-  discordSetupWizard,
-} from "../../extensions/discord/src/setup-surface.js";
-export {
-  looksLikeDiscordTargetId,
-  normalizeDiscordMessagingTarget,
-  normalizeDiscordOutboundTarget,
-} from "../channels/plugins/normalize/discord.js";
-export { collectDiscordStatusIssues } from "../channels/plugins/status-issues/discord.js";
-
-// Channel: iMessage
-export {
-  listIMessageAccountIds,
-  resolveDefaultIMessageAccountId,
-  resolveIMessageAccount,
-  type ResolvedIMessageAccount,
-} from "../../extensions/imessage/src/accounts.js";
-export {
-  imessageSetupAdapter,
-  imessageSetupWizard,
-} from "../../extensions/imessage/src/setup-surface.js";
-export {
-  looksLikeIMessageTargetId,
-  normalizeIMessageMessagingTarget,
-} from "../channels/plugins/normalize/imessage.js";
-export {
-  createAllowedChatSenderMatcher,
-  parseChatAllowTargetPrefixes,
-  parseChatTargetPrefixesOrThrow,
-  resolveServicePrefixedChatTarget,
-  resolveServicePrefixedAllowTarget,
-  resolveServicePrefixedOrChatAllowTarget,
-  resolveServicePrefixedTarget,
-} from "../../extensions/imessage/src/target-parsing-helpers.js";
-export type {
-  ChatSenderAllowParams,
-  ParsedChatTarget,
-} from "../../extensions/imessage/src/target-parsing-helpers.js";
-
-// Channel: Slack
-export {
-  listEnabledSlackAccounts,
-  listSlackAccountIds,
-  resolveDefaultSlackAccountId,
-  resolveSlackAccount,
-  resolveSlackReplyToMode,
-  type ResolvedSlackAccount,
-} from "../../extensions/slack/src/accounts.js";
-export { inspectSlackAccount } from "../../extensions/slack/src/account-inspect.js";
-export type { InspectedSlackAccount } from "../../extensions/slack/src/account-inspect.js";
-export {
-  extractSlackToolSend,
-  listSlackMessageActions,
-} from "../../extensions/slack/src/message-actions.js";
-export { slackSetupAdapter, slackSetupWizard } from "../../extensions/slack/src/setup-surface.js";
-export {
-  looksLikeSlackTargetId,
-  normalizeSlackMessagingTarget,
-} from "../channels/plugins/normalize/slack.js";
-export { buildSlackThreadingToolContext } from "../../extensions/slack/src/threading-tool-context.js";
-
-// Channel: Telegram
-export {
-  listTelegramAccountIds,
-  resolveDefaultTelegramAccountId,
-  resolveTelegramAccount,
-  type ResolvedTelegramAccount,
-} from "../../extensions/telegram/src/accounts.js";
-export { inspectTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
-export type { InspectedTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
-export {
-  telegramSetupAdapter,
-  telegramSetupWizard,
-} from "../../extensions/telegram/src/setup-surface.js";
-export {
-  looksLikeTelegramTargetId,
-  normalizeTelegramMessagingTarget,
-} from "../channels/plugins/normalize/telegram.js";
-export { collectTelegramStatusIssues } from "../channels/plugins/status-issues/telegram.js";
-export {
-  parseTelegramReplyToMessageId,
-  parseTelegramThreadId,
-} from "../../extensions/telegram/src/outbound-params.js";
-export { type TelegramProbe } from "../../extensions/telegram/src/probe.js";
-
-// Channel: Signal
-export {
-  listSignalAccountIds,
-  resolveDefaultSignalAccountId,
-  resolveSignalAccount,
-  type ResolvedSignalAccount,
-} from "../../extensions/signal/src/accounts.js";
-export {
-  signalSetupAdapter,
-  signalSetupWizard,
-} from "../../extensions/signal/src/setup-surface.js";
-export {
-  looksLikeSignalTargetId,
-  normalizeSignalMessagingTarget,
-} from "../channels/plugins/normalize/signal.js";
-
 // Channel: WhatsApp — WhatsApp-specific exports moved to extensions/whatsapp/src/
 export { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "../whatsapp/normalize.js";
 export { resolveWhatsAppOutboundTarget } from "../whatsapp/resolve-outbound-target.js";
@@ -798,11 +671,13 @@ export { collectBlueBubblesStatusIssues } from "../channels/plugins/status-issue
 // Channel: LINE
 export {
   listLineAccountIds,
+  lineSetupAdapter,
+  lineSetupWizard,
   normalizeAccountId as normalizeLineAccountId,
   resolveDefaultLineAccountId,
   resolveLineAccount,
-} from "../line/accounts.js";
-export { LineConfigSchema } from "../line/config-schema.js";
+  LineConfigSchema,
+} from "./line.js";
 export type {
   LineConfig,
   LineAccountConfig,
@@ -826,7 +701,7 @@ export {
 export type { ProcessedLineMessage } from "../line/markdown-to-line.js";
 
 // Media utilities
-export { loadWebMedia, type WebMediaResult } from "../../extensions/whatsapp/src/media.js";
+export { loadWebMedia, type WebMediaResult } from "./web-media.js";
 
 // Context engine
 export type {
diff --git a/src/plugin-sdk/irc.ts b/src/plugin-sdk/irc.ts
index 472c46ea2e5..4192322d527 100644
--- a/src/plugin-sdk/irc.ts
+++ b/src/plugin-sdk/irc.ts
@@ -15,10 +15,9 @@ export {
 } from "../channels/plugins/helpers.js";
 export {
   addWildcardAllowFrom,
-  promptAccountId,
   setTopLevelChannelAllowFrom,
   setTopLevelChannelDmPolicyWithAllowFrom,
-} from "../channels/plugins/onboarding/helpers.js";
+} from "../channels/plugins/setup-wizard-helpers.js";
 export { PAIRING_APPROVED_MESSAGE } from "../channels/plugins/pairing-message.js";
 export { patchScopedAccountConfig } from "../channels/plugins/setup-helpers.js";
 export type { BaseProbeResult } from "../channels/plugins/types.js";
diff --git a/src/plugin-sdk/json-store.ts b/src/plugin-sdk/json-store.ts
index 5c08be6c561..faff8f64e59 100644
--- a/src/plugin-sdk/json-store.ts
+++ b/src/plugin-sdk/json-store.ts
@@ -2,6 +2,7 @@ import fs from "node:fs";
 import { writeJsonAtomic } from "../infra/json-files.js";
 import { safeParseJson } from "../utils.js";
 
+/** Read JSON from disk and fall back cleanly when the file is missing or invalid. */
 export async function readJsonFileWithFallback<T>(
   filePath: string,
   fallback: T,
@@ -22,6 +23,7 @@ export async function readJsonFileWithFallback<T>(
   }
 }
 
+/** Write JSON with secure file permissions and atomic replacement semantics. */
 export async function writeJsonFileAtomically(filePath: string, value: unknown): Promise<void> {
   await writeJsonAtomic(filePath, value, {
     mode: 0o600,
diff --git a/src/plugin-sdk/keyed-async-queue.ts b/src/plugin-sdk/keyed-async-queue.ts
index 6e79cf35d59..0f07f3c8462 100644
--- a/src/plugin-sdk/keyed-async-queue.ts
+++ b/src/plugin-sdk/keyed-async-queue.ts
@@ -3,6 +3,7 @@ export type KeyedAsyncQueueHooks = {
   onSettle?: () => void;
 };
 
+/** Serialize async work per key while allowing unrelated keys to run concurrently. */
 export function enqueueKeyedTask<T>(params: {
   tails: Map<string, Promise<void>>;
   key: string;
diff --git a/src/plugin-sdk/line.ts b/src/plugin-sdk/line.ts
index 0318e5ac1e7..b6617199472 100644
--- a/src/plugin-sdk/line.ts
+++ b/src/plugin-sdk/line.ts
@@ -6,14 +6,14 @@ export type {
 export type { ChannelPlugin } from "../channels/plugins/types.plugin.js";
 export type { OpenClawConfig } from "../config/config.js";
 export type { ReplyPayload } from "../auto-reply/types.js";
-export type { PluginRuntime } from "../plugins/runtime/types.js";
-export type { OpenClawPluginApi } from "../plugins/types.js";
+export type { ChannelSetupAdapter } from "../channels/plugins/types.adapters.js";
+export type { OpenClawPluginApi, PluginRuntime } from "./channel-plugin-common.js";
 
-export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
-
-export { DEFAULT_ACCOUNT_ID } from "../routing/session-key.js";
-
-export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
+export {
+  DEFAULT_ACCOUNT_ID,
+  buildChannelConfigSchema,
+  emptyPluginConfigSchema,
+} from "./channel-plugin-common.js";
 export { clearAccountEntryFields } from "../channels/plugins/config-helpers.js";
 
 export {
@@ -26,6 +26,14 @@ export {
   buildTokenChannelStatusSummary,
 } from "./status-helpers.js";
 
+export {
+  listLineAccountIds,
+  normalizeAccountId,
+  resolveDefaultLineAccountId,
+  resolveLineAccount,
+} from "../line/accounts.js";
+export { lineSetupAdapter } from "../../extensions/line/src/setup-core.js";
+export { lineSetupWizard } from "../../extensions/line/src/setup-surface.js";
 export { LineConfigSchema } from "../line/config-schema.js";
 export type { LineChannelData, LineConfig, ResolvedLineAccount } from "../line/types.js";
 export {
diff --git a/src/plugin-sdk/matrix.ts b/src/plugin-sdk/matrix.ts
index ba4cad93a92..164575e04e1 100644
--- a/src/plugin-sdk/matrix.ts
+++ b/src/plugin-sdk/matrix.ts
@@ -32,18 +32,13 @@ export {
 } from "../channels/plugins/config-helpers.js";
 export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
 export { formatPairingApproveHint } from "../channels/plugins/helpers.js";
-export type {
-  ChannelOnboardingAdapter,
-  ChannelOnboardingDmPolicy,
-} from "../channels/plugins/onboarding-types.js";
-export { promptChannelAccessConfig } from "../channels/plugins/onboarding/channel-access.js";
 export {
   buildSingleChannelSecretPromptState,
   addWildcardAllowFrom,
   mergeAllowFromEntries,
   promptSingleChannelSecretInput,
   setTopLevelChannelGroupPolicy,
-} from "../channels/plugins/onboarding/helpers.js";
+} from "../channels/plugins/setup-wizard-helpers.js";
 export { PAIRING_APPROVED_MESSAGE } from "../channels/plugins/pairing-message.js";
 export { applyAccountNameToChannelSection } from "../channels/plugins/setup-helpers.js";
 export { createAccountListHelpers } from "../channels/plugins/account-helpers.js";
@@ -113,3 +108,5 @@ export {
   buildProbeChannelStatusSummary,
   collectStatusIssuesFromLastError,
 } from "./status-helpers.js";
+export { matrixSetupWizard } from "../../extensions/matrix/src/setup-surface.js";
+export { matrixSetupAdapter } from "../../extensions/matrix/src/setup-core.js";
diff --git a/src/plugin-sdk/mattermost.ts b/src/plugin-sdk/mattermost.ts
index 54cf2a1bd2f..c8043045906 100644
--- a/src/plugin-sdk/mattermost.ts
+++ b/src/plugin-sdk/mattermost.ts
@@ -28,14 +28,11 @@ export {
 export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
 export { formatPairingApproveHint } from "../channels/plugins/helpers.js";
 export { resolveChannelMediaMaxBytes } from "../channels/plugins/media-limits.js";
-export type { ChannelOnboardingAdapter } from "../channels/plugins/onboarding-types.js";
 export {
   buildSingleChannelSecretPromptState,
-  promptAccountId,
   promptSingleChannelSecretInput,
   runSingleChannelSecretStep,
-  resolveAccountIdForConfigure,
-} from "../channels/plugins/onboarding/helpers.js";
+} from "../channels/plugins/setup-wizard-helpers.js";
 export {
   applyAccountNameToChannelSection,
   applySetupAccountConfigPatch,
diff --git a/src/plugin-sdk/minimax-portal-auth.ts b/src/plugin-sdk/minimax-portal-auth.ts
index cc41b2cc80d..07aefa0aafa 100644
--- a/src/plugin-sdk/minimax-portal-auth.ts
+++ b/src/plugin-sdk/minimax-portal-auth.ts
@@ -1,5 +1,5 @@
-// Narrow plugin-sdk surface for the bundled minimax-portal-auth plugin.
-// Keep this list additive and scoped to symbols used under extensions/minimax-portal-auth.
+// Narrow plugin-sdk surface for MiniMax OAuth helpers used by the bundled minimax plugin.
+// Keep this list additive and scoped to MiniMax OAuth support code.
 
 export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
 export { buildOauthProviderAuthResult } from "./provider-auth-result.js";
diff --git a/src/plugin-sdk/msteams.ts b/src/plugin-sdk/msteams.ts
index b73aec7c779..b30e6c6914a 100644
--- a/src/plugin-sdk/msteams.ts
+++ b/src/plugin-sdk/msteams.ts
@@ -32,19 +32,14 @@ export {
 export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
 export { resolveChannelMediaMaxBytes } from "../channels/plugins/media-limits.js";
 export { buildMediaPayload } from "../channels/plugins/media-payload.js";
-export type {
-  ChannelOnboardingAdapter,
-  ChannelOnboardingDmPolicy,
-} from "../channels/plugins/onboarding-types.js";
-export { promptChannelAccessConfig } from "../channels/plugins/onboarding/channel-access.js";
 export {
   addWildcardAllowFrom,
   mergeAllowFromEntries,
   setTopLevelChannelAllowFrom,
   setTopLevelChannelDmPolicyWithAllowFrom,
   setTopLevelChannelGroupPolicy,
-  splitOnboardingEntries,
-} from "../channels/plugins/onboarding/helpers.js";
+  splitSetupEntries,
+} from "../channels/plugins/setup-wizard-helpers.js";
 export { PAIRING_APPROVED_MESSAGE } from "../channels/plugins/pairing-message.js";
 export type {
   BaseProbeResult,
@@ -101,7 +96,7 @@ export {
 } from "./group-access.js";
 export { formatDocsLink } from "../terminal/links.js";
 export { sleep } from "../utils.js";
-export { loadWebMedia } from "../../extensions/whatsapp/src/media.js";
+export { loadWebMedia } from "./web-media.js";
 export type { WizardPrompter } from "../wizard/prompts.js";
 export { keepHttpServerTaskAlive } from "./channel-lifecycle.js";
 export { withFileLock } from "./file-lock.js";
@@ -122,3 +117,5 @@ export {
   createDefaultChannelRuntimeState,
 } from "./status-helpers.js";
 export { normalizeStringEntries } from "../shared/string-normalization.js";
+export { msteamsSetupWizard } from "../../extensions/msteams/src/setup-surface.js";
+export { msteamsSetupAdapter } from "../../extensions/msteams/src/setup-core.js";
diff --git a/src/plugin-sdk/nextcloud-talk.ts b/src/plugin-sdk/nextcloud-talk.ts
index 7e2434914bb..4ce53e1ec15 100644
--- a/src/plugin-sdk/nextcloud-talk.ts
+++ b/src/plugin-sdk/nextcloud-talk.ts
@@ -21,12 +21,10 @@ export {
   buildSingleChannelSecretPromptState,
   addWildcardAllowFrom,
   mergeAllowFromEntries,
-  promptAccountId,
   promptSingleChannelSecretInput,
   runSingleChannelSecretStep,
-  resolveAccountIdForConfigure,
   setTopLevelChannelDmPolicyWithAllowFrom,
-} from "../channels/plugins/onboarding/helpers.js";
+} from "../channels/plugins/setup-wizard-helpers.js";
 export {
   applyAccountNameToChannelSection,
   patchScopedAccountConfig,
diff --git a/src/plugin-sdk/nostr.ts b/src/plugin-sdk/nostr.ts
index 381e5e71a8a..a2997c5702c 100644
--- a/src/plugin-sdk/nostr.ts
+++ b/src/plugin-sdk/nostr.ts
@@ -2,6 +2,7 @@
 // Keep this list additive and scoped to symbols used under extensions/nostr.
 
 export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
+export type { ChannelSetupAdapter } from "../channels/plugins/types.adapters.js";
 export { formatPairingApproveHint } from "../channels/plugins/helpers.js";
 export type { ChannelPlugin } from "../channels/plugins/types.plugin.js";
 export type { OpenClawConfig } from "../config/config.js";
@@ -18,3 +19,4 @@ export {
 } from "./status-helpers.js";
 export { createFixedWindowRateLimiter } from "./webhook-memory-guards.js";
 export { mapAllowFromEntries } from "./channel-config-helpers.js";
+export { nostrSetupAdapter, nostrSetupWizard } from "../../extensions/nostr/src/setup-surface.js";
diff --git a/src/plugin-sdk/oauth-utils.ts b/src/plugin-sdk/oauth-utils.ts
index a6465d4d40e..e96a1856946 100644
--- a/src/plugin-sdk/oauth-utils.ts
+++ b/src/plugin-sdk/oauth-utils.ts
@@ -1,11 +1,13 @@
 import { createHash, randomBytes } from "node:crypto";
 
+/** Encode a flat object as application/x-www-form-urlencoded form data. */
 export function toFormUrlEncoded(data: Record<string, string>): string {
   return Object.entries(data)
     .map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
     .join("&");
 }
 
+/** Generate a PKCE verifier/challenge pair suitable for OAuth authorization flows. */
 export function generatePkceVerifierChallenge(): { verifier: string; challenge: string } {
   const verifier = randomBytes(32).toString("base64url");
   const challenge = createHash("sha256").update(verifier).digest("base64url");
diff --git a/src/plugin-sdk/onboarding.ts b/src/plugin-sdk/onboarding.ts
deleted file mode 100644
index 0752243124f..00000000000
--- a/src/plugin-sdk/onboarding.ts
+++ /dev/null
@@ -1,45 +0,0 @@
-import type { OpenClawConfig } from "../config/config.js";
-import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
-import type { WizardPrompter } from "../wizard/prompts.js";
-
-export type PromptAccountIdParams = {
-  cfg: OpenClawConfig;
-  prompter: WizardPrompter;
-  label: string;
-  currentId?: string;
-  listAccountIds: (cfg: OpenClawConfig) => string[];
-  defaultAccountId: string;
-};
-
-export async function promptAccountId(params: PromptAccountIdParams): Promise<string> {
-  const existingIds = params.listAccountIds(params.cfg);
-  const initial = params.currentId?.trim() || params.defaultAccountId || DEFAULT_ACCOUNT_ID;
-  const choice = await params.prompter.select({
-    message: `${params.label} account`,
-    options: [
-      ...existingIds.map((id) => ({
-        value: id,
-        label: id === DEFAULT_ACCOUNT_ID ? "default (primary)" : id,
-      })),
-      { value: "__new__", label: "Add a new account" },
-    ],
-    initialValue: initial,
-  });
-
-  if (choice !== "__new__") {
-    return normalizeAccountId(choice);
-  }
-
-  const entered = await params.prompter.text({
-    message: `New ${params.label} account id`,
-    validate: (value) => (value?.trim() ? undefined : "Required"),
-  });
-  const normalized = normalizeAccountId(String(entered));
-  if (String(entered).trim() !== normalized) {
-    await params.prompter.note(
-      `Normalized account id to "${normalized}".`,
-      `${params.label} account`,
-    );
-  }
-  return normalized;
-}
diff --git a/src/plugin-sdk/outbound-media.ts b/src/plugin-sdk/outbound-media.ts
index b1e89b17866..979f8ac77a3 100644
--- a/src/plugin-sdk/outbound-media.ts
+++ b/src/plugin-sdk/outbound-media.ts
@@ -1,10 +1,11 @@
-import { loadWebMedia } from "../../extensions/whatsapp/src/media.js";
+import { loadWebMedia } from "./web-media.js";
 
 export type OutboundMediaLoadOptions = {
   maxBytes?: number;
   mediaLocalRoots?: readonly string[];
 };
 
+/** Load outbound media from a remote URL or approved local path using the shared web-media policy. */
 export async function loadOutboundMediaFromUrl(
   mediaUrl: string,
   options: OutboundMediaLoadOptions = {},
diff --git a/src/plugin-sdk/pairing-access.ts b/src/plugin-sdk/pairing-access.ts
index 31f0cd4d3a7..260f24c89d1 100644
--- a/src/plugin-sdk/pairing-access.ts
+++ b/src/plugin-sdk/pairing-access.ts
@@ -8,6 +8,7 @@ type ScopedUpsertInput = Omit<
   "channel" | "accountId"
 >;
 
+/** Scope pairing store operations to one channel/account pair for plugin-facing helpers. */
 export function createScopedPairingAccess(params: {
   core: PluginRuntime;
   channel: ChannelId;
diff --git a/src/plugin-sdk/persistent-dedupe.ts b/src/plugin-sdk/persistent-dedupe.ts
index 0b33824c795..7a6ea159841 100644
--- a/src/plugin-sdk/persistent-dedupe.ts
+++ b/src/plugin-sdk/persistent-dedupe.ts
@@ -91,6 +91,7 @@ function pruneData(
     });
 }
 
+/** Create a dedupe helper that combines in-memory fast checks with a lock-protected disk store. */
 export function createPersistentDedupe(options: PersistentDedupeOptions): PersistentDedupe {
   const ttlMs = Math.max(0, Math.floor(options.ttlMs));
   const memoryMaxSize = Math.max(0, Math.floor(options.memoryMaxSize));
diff --git a/src/plugin-sdk/provider-auth-result.ts b/src/plugin-sdk/provider-auth-result.ts
index c16c23cc15e..ece6cebb0df 100644
--- a/src/plugin-sdk/provider-auth-result.ts
+++ b/src/plugin-sdk/provider-auth-result.ts
@@ -2,6 +2,7 @@ import type { AuthProfileCredential } from "../agents/auth-profiles/types.js";
 import type { OpenClawConfig } from "../config/config.js";
 import type { ProviderAuthResult } from "../plugins/types.js";
 
+/** Build the standard auth result payload for OAuth-style provider login flows. */
 export function buildOauthProviderAuthResult(params: {
   providerId: string;
   defaultModel: string;
diff --git a/src/plugin-sdk/reply-payload.ts b/src/plugin-sdk/reply-payload.ts
index e141da2a940..a35380f5250 100644
--- a/src/plugin-sdk/reply-payload.ts
+++ b/src/plugin-sdk/reply-payload.ts
@@ -5,6 +5,7 @@ export type OutboundReplyPayload = {
   replyToId?: string;
 };
 
+/** Extract the supported outbound reply fields from loose tool or agent payload objects. */
 export function normalizeOutboundReplyPayload(
   payload: Record<string, unknown>,
 ): OutboundReplyPayload {
@@ -24,6 +25,7 @@ export function normalizeOutboundReplyPayload(
   };
 }
 
+/** Wrap a deliverer so callers can hand it arbitrary payloads while channels receive normalized data. */
 export function createNormalizedOutboundDeliverer(
   handler: (payload: OutboundReplyPayload) => Promise<void>,
 ): (payload: unknown) => Promise<void> {
@@ -36,6 +38,7 @@ export function createNormalizedOutboundDeliverer(
   };
 }
 
+/** Prefer multi-attachment payloads, then fall back to the legacy single-media field. */
 export function resolveOutboundMediaUrls(payload: {
   mediaUrls?: string[];
   mediaUrl?: string;
@@ -49,6 +52,7 @@ export function resolveOutboundMediaUrls(payload: {
   return [];
 }
 
+/** Send media-first payloads intact, or chunk text-only payloads through the caller's transport hooks. */
 export async function sendPayloadWithChunkedTextAndMedia<
   TContext extends { payload: object },
   TResult,
@@ -90,6 +94,7 @@ export async function sendPayloadWithChunkedTextAndMedia<
   return lastResult!;
 }
 
+/** Detect numeric-looking target ids for channels that distinguish ids from handles. */
 export function isNumericTargetId(raw: string): boolean {
   const trimmed = raw.trim();
   if (!trimmed) {
@@ -98,6 +103,7 @@ export function isNumericTargetId(raw: string): boolean {
   return /^\d{3,}$/.test(trimmed);
 }
 
+/** Append attachment links to plain text when the channel cannot send media inline. */
 export function formatTextWithAttachmentLinks(
   text: string | undefined,
   mediaUrls: string[],
@@ -118,6 +124,7 @@ export function formatTextWithAttachmentLinks(
   return `${trimmedText}\n\n${mediaBlock}`;
 }
 
+/** Send a caption with only the first media item, mirroring caption-limited channel transports. */
 export async function sendMediaWithLeadingCaption(params: {
   mediaUrls: string[];
   caption: string;
diff --git a/src/plugin-sdk/request-url.ts b/src/plugin-sdk/request-url.ts
index 2ba7354cc28..a1ce2216276 100644
--- a/src/plugin-sdk/request-url.ts
+++ b/src/plugin-sdk/request-url.ts
@@ -1,3 +1,4 @@
+/** Extract a string URL from the common request-like inputs accepted by fetch helpers. */
 export function resolveRequestUrl(input: RequestInfo | URL): string {
   if (typeof input === "string") {
     return input;
diff --git a/src/plugin-sdk/resolution-notes.ts b/src/plugin-sdk/resolution-notes.ts
index 9baf64c21d4..49b2f9c67e9 100644
--- a/src/plugin-sdk/resolution-notes.ts
+++ b/src/plugin-sdk/resolution-notes.ts
@@ -1,3 +1,4 @@
+/** Format a short note that separates successfully resolved targets from unresolved passthrough values. */
 export function formatResolvedUnresolvedNote(params: {
   resolved: string[];
   unresolved: string[];
diff --git a/src/plugin-sdk/routing.ts b/src/plugin-sdk/routing.ts
new file mode 100644
index 00000000000..921d085ae55
--- /dev/null
+++ b/src/plugin-sdk/routing.ts
@@ -0,0 +1,6 @@
+export {
+  buildAgentSessionKey,
+  type RoutePeer,
+  type RoutePeerKind,
+} from "../routing/resolve-route.js";
+export { resolveThreadSessionKeys } from "../routing/session-key.js";
diff --git a/src/plugin-sdk/run-command.ts b/src/plugin-sdk/run-command.ts
index 03f0846a57e..7cf626ce8ef 100644
--- a/src/plugin-sdk/run-command.ts
+++ b/src/plugin-sdk/run-command.ts
@@ -13,6 +13,7 @@ export type PluginCommandRunOptions = {
   env?: NodeJS.ProcessEnv;
 };
 
+/** Run a plugin-managed command with timeout handling and normalized stdout/stderr results. */
 export async function runPluginCommandWithTimeout(
   options: PluginCommandRunOptions,
 ): Promise<PluginCommandRunResult> {
diff --git a/src/plugin-sdk/runtime-store.ts b/src/plugin-sdk/runtime-store.ts
index de0d84131e1..67e8bb3644c 100644
--- a/src/plugin-sdk/runtime-store.ts
+++ b/src/plugin-sdk/runtime-store.ts
@@ -1,3 +1,4 @@
+/** Create a tiny mutable runtime slot with strict access when the runtime has not been initialized. */
 export function createPluginRuntimeStore<T>(errorMessage: string): {
   setRuntime: (next: T) => void;
   clearRuntime: () => void;
diff --git a/src/plugin-sdk/runtime.ts b/src/plugin-sdk/runtime.ts
index c438a4e9788..75b6f955dc7 100644
--- a/src/plugin-sdk/runtime.ts
+++ b/src/plugin-sdk/runtime.ts
@@ -6,6 +6,7 @@ type LoggerLike = {
   error: (message: string) => void;
 };
 
+/** Adapt a simple logger into the RuntimeEnv contract used by shared plugin SDK helpers. */
 export function createLoggerBackedRuntime(params: {
   logger: LoggerLike;
   exitError?: (code: number) => Error;
@@ -23,6 +24,7 @@ export function createLoggerBackedRuntime(params: {
   };
 }
 
+/** Reuse an existing runtime when present, otherwise synthesize one from the provided logger. */
 export function resolveRuntimeEnv(params: {
   runtime?: RuntimeEnv;
   logger: LoggerLike;
@@ -31,6 +33,7 @@ export function resolveRuntimeEnv(params: {
   return params.runtime ?? createLoggerBackedRuntime(params);
 }
 
+/** Resolve a runtime that treats exit requests as unsupported errors instead of process termination. */
 export function resolveRuntimeEnvWithUnavailableExit(params: {
   runtime?: RuntimeEnv;
   logger: LoggerLike;
diff --git a/src/plugin-sdk/secret-input-schema.ts b/src/plugin-sdk/secret-input-schema.ts
index 579d80df441..96d5247c767 100644
--- a/src/plugin-sdk/secret-input-schema.ts
+++ b/src/plugin-sdk/secret-input-schema.ts
@@ -7,6 +7,7 @@ import {
   SECRET_PROVIDER_ALIAS_PATTERN,
 } from "../secrets/ref-contract.js";
 
+/** Build the shared zod schema for secret inputs accepted by plugin auth/config surfaces. */
 export function buildSecretInputSchema() {
   const providerSchema = z
     .string()
diff --git a/src/plugin-sdk/signal.ts b/src/plugin-sdk/signal.ts
index 2eb0497c277..8fd6fd2afd0 100644
--- a/src/plugin-sdk/signal.ts
+++ b/src/plugin-sdk/signal.ts
@@ -1,12 +1,25 @@
 export type { ChannelMessageActionAdapter } from "../channels/plugins/types.js";
-export type { ResolvedSignalAccount } from "../../extensions/signal/src/accounts.js";
 export type { SignalAccountConfig } from "../config/types.js";
-export * from "./channel-plugin-common.js";
+export type {
+  ChannelMessageActionContext,
+  ChannelPlugin,
+  OpenClawPluginApi,
+  PluginRuntime,
+} from "./channel-plugin-common.js";
 export {
-  listSignalAccountIds,
-  resolveDefaultSignalAccountId,
-  resolveSignalAccount,
-} from "../../extensions/signal/src/accounts.js";
+  DEFAULT_ACCOUNT_ID,
+  PAIRING_APPROVED_MESSAGE,
+  applyAccountNameToChannelSection,
+  buildChannelConfigSchema,
+  deleteAccountFromConfigSection,
+  emptyPluginConfigSchema,
+  formatPairingApproveHint,
+  getChatChannelMeta,
+  migrateBaseNameToDefaultAccount,
+  normalizeAccountId,
+  setAccountEnabledInConfigSection,
+} from "./channel-plugin-common.js";
+
 export {
   looksLikeSignalTargetId,
   normalizeSignalMessagingTarget,
@@ -16,10 +29,6 @@ export {
   resolveAllowlistProviderRuntimeGroupPolicy,
   resolveDefaultGroupPolicy,
 } from "../config/runtime-group-policy.js";
-export {
-  signalSetupAdapter,
-  signalSetupWizard,
-} from "../../extensions/signal/src/setup-surface.js";
 export { SignalConfigSchema } from "../config/zod-schema.providers-core.js";
 
 export { normalizeE164 } from "../utils.js";
diff --git a/src/plugin-sdk/slack-message-actions.ts b/src/plugin-sdk/slack-message-actions.ts
index 5470be86df1..ef7a5f12876 100644
--- a/src/plugin-sdk/slack-message-actions.ts
+++ b/src/plugin-sdk/slack-message-actions.ts
@@ -1,7 +1,9 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
 import { parseSlackBlocksInput } from "../../extensions/slack/src/blocks-input.js";
+import { buildSlackInteractiveBlocks } from "../../extensions/slack/src/blocks-render.js";
 import { readNumberParam, readStringParam } from "../agents/tools/common.js";
 import type { ChannelMessageActionContext } from "../channels/plugins/types.js";
+import { normalizeInteractiveReply } from "../interactive/payload.js";
 
 type SlackActionInvoke = (
   action: Record<string, unknown>,
@@ -13,6 +15,7 @@ function readSlackBlocksParam(actionParams: Record<string, unknown>) {
   return parseSlackBlocksInput(actionParams.blocks) as Record<string, unknown>[] | undefined;
 }
 
+/** Translate generic channel action requests into Slack-specific tool invocations and payload shapes. */
 export async function handleSlackMessageAction(params: {
   providerId: string;
   ctx: ChannelMessageActionContext;
@@ -37,7 +40,9 @@ export async function handleSlackMessageAction(params: {
       allowEmpty: true,
     });
     const mediaUrl = readStringParam(actionParams, "media", { trim: false });
-    const blocks = readSlackBlocksParam(actionParams);
+    const interactive = normalizeInteractiveReply(actionParams.interactive);
+    const interactiveBlocks = interactive ? buildSlackInteractiveBlocks(interactive) : undefined;
+    const blocks = readSlackBlocksParam(actionParams) ?? interactiveBlocks;
     if (!content && !mediaUrl && !blocks) {
       throw new Error("Slack send requires message, blocks, or media.");
     }
@@ -52,9 +57,9 @@ export async function handleSlackMessageAction(params: {
         to,
         content: content ?? "",
         mediaUrl: mediaUrl ?? undefined,
-        blocks,
         accountId,
         threadTs: threadId ?? replyTo ?? undefined,
+        ...(blocks ? { blocks } : {}),
       },
       cfg,
       ctx.toolContext,
diff --git a/src/plugin-sdk/slack-targets.ts b/src/plugin-sdk/slack-targets.ts
new file mode 100644
index 00000000000..be9ded918cf
--- /dev/null
+++ b/src/plugin-sdk/slack-targets.ts
@@ -0,0 +1,6 @@
+export {
+  parseSlackTarget,
+  resolveSlackChannelId,
+  type SlackTarget,
+  type SlackTargetKind,
+} from "../../extensions/slack/src/targets.js";
diff --git a/src/plugin-sdk/slack.ts b/src/plugin-sdk/slack.ts
index 779560b930b..f7533b95687 100644
--- a/src/plugin-sdk/slack.ts
+++ b/src/plugin-sdk/slack.ts
@@ -1,16 +1,25 @@
 export type { OpenClawConfig } from "../config/config.js";
 export type { SlackAccountConfig } from "../config/types.slack.js";
-export type { InspectedSlackAccount } from "../../extensions/slack/src/account-inspect.js";
-export type { ResolvedSlackAccount } from "../../extensions/slack/src/accounts.js";
-export * from "./channel-plugin-common.js";
+export type {
+  ChannelMessageActionContext,
+  ChannelPlugin,
+  OpenClawPluginApi,
+  PluginRuntime,
+} from "./channel-plugin-common.js";
 export {
-  listSlackAccountIds,
-  resolveDefaultSlackAccountId,
-  resolveSlackAccount,
-  resolveSlackReplyToMode,
-} from "../../extensions/slack/src/accounts.js";
-export { isSlackInteractiveRepliesEnabled } from "../../extensions/slack/src/interactive-replies.js";
-export { inspectSlackAccount } from "../../extensions/slack/src/account-inspect.js";
+  DEFAULT_ACCOUNT_ID,
+  PAIRING_APPROVED_MESSAGE,
+  applyAccountNameToChannelSection,
+  buildChannelConfigSchema,
+  deleteAccountFromConfigSection,
+  emptyPluginConfigSchema,
+  formatPairingApproveHint,
+  getChatChannelMeta,
+  migrateBaseNameToDefaultAccount,
+  normalizeAccountId,
+  setAccountEnabledInConfigSection,
+} from "./channel-plugin-common.js";
+
 export {
   projectCredentialSnapshotFields,
   resolveConfiguredFromCredentialStatuses,
@@ -24,13 +33,6 @@ export {
   looksLikeSlackTargetId,
   normalizeSlackMessagingTarget,
 } from "../channels/plugins/normalize/slack.js";
-export {
-  extractSlackToolSend,
-  listSlackMessageActions,
-} from "../../extensions/slack/src/message-actions.js";
-export { buildSlackThreadingToolContext } from "../../extensions/slack/src/threading-tool-context.js";
-export { buildComputedAccountStatusSnapshot } from "./status-helpers.js";
-
 export {
   resolveDefaultGroupPolicy,
   resolveOpenProviderRuntimeGroupPolicy,
@@ -39,7 +41,5 @@ export {
   resolveSlackGroupRequireMention,
   resolveSlackGroupToolPolicy,
 } from "../channels/plugins/group-mentions.js";
-export { slackSetupAdapter, slackSetupWizard } from "../../extensions/slack/src/setup-surface.js";
 export { SlackConfigSchema } from "../config/zod-schema.providers-core.js";
-
-export { handleSlackMessageAction } from "./slack-message-actions.js";
+export { buildComputedAccountStatusSnapshot } from "./status-helpers.js";
diff --git a/src/plugin-sdk/ssrf-policy.ts b/src/plugin-sdk/ssrf-policy.ts
index 351938d0456..420f7dfc6b7 100644
--- a/src/plugin-sdk/ssrf-policy.ts
+++ b/src/plugin-sdk/ssrf-policy.ts
@@ -24,6 +24,7 @@ function isHostnameAllowedBySuffixAllowlist(
   return allowlist.some((entry) => normalized === entry || normalized.endsWith(`.${entry}`));
 }
 
+/** Normalize suffix-style host allowlists into lowercase canonical entries with wildcard collapse. */
 export function normalizeHostnameSuffixAllowlist(
   input?: readonly string[],
   defaults?: readonly string[],
@@ -39,6 +40,7 @@ export function normalizeHostnameSuffixAllowlist(
   return Array.from(new Set(normalized));
 }
 
+/** Check whether a URL is HTTPS and its hostname matches the normalized suffix allowlist. */
 export function isHttpsUrlAllowedByHostnameSuffixAllowlist(
   url: string,
   allowlist: readonly string[],
diff --git a/src/plugin-sdk/status-helpers.ts b/src/plugin-sdk/status-helpers.ts
index 42aad35a702..231c438b8ef 100644
--- a/src/plugin-sdk/status-helpers.ts
+++ b/src/plugin-sdk/status-helpers.ts
@@ -9,6 +9,7 @@ type RuntimeLifecycleSnapshot = {
   lastOutboundAt?: number | null;
 };
 
+/** Create the baseline runtime snapshot shape used by channel/account status stores. */
 export function createDefaultChannelRuntimeState<T extends Record<string, unknown>>(
   accountId: string,
   extra?: T,
@@ -29,6 +30,7 @@ export function createDefaultChannelRuntimeState<T extends Record<string, unknow
   };
 }
 
+/** Normalize a channel-level status summary so missing lifecycle fields become explicit nulls. */
 export function buildBaseChannelStatusSummary(snapshot: {
   configured?: boolean | null;
   running?: boolean | null;
@@ -45,6 +47,7 @@ export function buildBaseChannelStatusSummary(snapshot: {
   };
 }
 
+/** Extend the base summary with probe fields while preserving stable null defaults. */
 export function buildProbeChannelStatusSummary<TExtra extends Record<string, unknown>>(
   snapshot: {
     configured?: boolean | null;
@@ -65,6 +68,7 @@ export function buildProbeChannelStatusSummary<TExtra extends Record<string, unk
   };
 }
 
+/** Build the standard per-account status payload from config metadata plus runtime state. */
 export function buildBaseAccountStatusSnapshot(params: {
   account: {
     accountId: string;
@@ -87,6 +91,7 @@ export function buildBaseAccountStatusSnapshot(params: {
   };
 }
 
+/** Convenience wrapper when the caller already has flattened account fields instead of an account object. */
 export function buildComputedAccountStatusSnapshot(params: {
   accountId: string;
   name?: string;
@@ -108,6 +113,7 @@ export function buildComputedAccountStatusSnapshot(params: {
   });
 }
 
+/** Normalize runtime-only account state into the shared status snapshot fields. */
 export function buildRuntimeAccountStatusSnapshot(params: {
   runtime?: RuntimeLifecycleSnapshot | null;
   probe?: unknown;
@@ -122,6 +128,7 @@ export function buildRuntimeAccountStatusSnapshot(params: {
   };
 }
 
+/** Build token-based channel status summaries with optional mode reporting. */
 export function buildTokenChannelStatusSummary(
   snapshot: {
     configured?: boolean | null;
@@ -151,6 +158,7 @@ export function buildTokenChannelStatusSummary(
   };
 }
 
+/** Convert account runtime errors into the generic channel status issue format. */
 export function collectStatusIssuesFromLastError(
   channel: string,
   accounts: Array<{ accountId: string; lastError?: unknown }>,
diff --git a/src/plugin-sdk/subpaths.test.ts b/src/plugin-sdk/subpaths.test.ts
index 996c6b27188..856bacbca10 100644
--- a/src/plugin-sdk/subpaths.test.ts
+++ b/src/plugin-sdk/subpaths.test.ts
@@ -1,54 +1,39 @@
 import * as extensionApi from "openclaw/extension-api";
 import * as compatSdk from "openclaw/plugin-sdk/compat";
+import * as coreSdk from "openclaw/plugin-sdk/core";
+import type {
+  ChannelMessageActionContext as CoreChannelMessageActionContext,
+  OpenClawPluginApi as CoreOpenClawPluginApi,
+  PluginRuntime as CorePluginRuntime,
+} from "openclaw/plugin-sdk/core";
 import * as discordSdk from "openclaw/plugin-sdk/discord";
 import * as imessageSdk from "openclaw/plugin-sdk/imessage";
 import * as lineSdk from "openclaw/plugin-sdk/line";
 import * as msteamsSdk from "openclaw/plugin-sdk/msteams";
+import * as nostrSdk from "openclaw/plugin-sdk/nostr";
 import * as signalSdk from "openclaw/plugin-sdk/signal";
 import * as slackSdk from "openclaw/plugin-sdk/slack";
 import * as telegramSdk from "openclaw/plugin-sdk/telegram";
 import * as whatsappSdk from "openclaw/plugin-sdk/whatsapp";
-import { describe, expect, it } from "vitest";
+import { describe, expect, expectTypeOf, it } from "vitest";
+import type { ChannelMessageActionContext } from "../channels/plugins/types.js";
+import type { PluginRuntime } from "../plugins/runtime/types.js";
+import type { OpenClawPluginApi } from "../plugins/types.js";
+import type {
+  ChannelMessageActionContext as SharedChannelMessageActionContext,
+  OpenClawPluginApi as SharedOpenClawPluginApi,
+  PluginRuntime as SharedPluginRuntime,
+} from "./channel-plugin-common.js";
+import { pluginSdkSubpaths } from "./entrypoints.js";
 
-const bundledExtensionSubpathLoaders = [
-  { id: "acpx", load: () => import("openclaw/plugin-sdk/acpx") },
-  { id: "bluebubbles", load: () => import("openclaw/plugin-sdk/bluebubbles") },
-  { id: "copilot-proxy", load: () => import("openclaw/plugin-sdk/copilot-proxy") },
-  { id: "device-pair", load: () => import("openclaw/plugin-sdk/device-pair") },
-  { id: "diagnostics-otel", load: () => import("openclaw/plugin-sdk/diagnostics-otel") },
-  { id: "diffs", load: () => import("openclaw/plugin-sdk/diffs") },
-  { id: "feishu", load: () => import("openclaw/plugin-sdk/feishu") },
-  {
-    id: "google-gemini-cli-auth",
-    load: () => import("openclaw/plugin-sdk/google-gemini-cli-auth"),
-  },
-  { id: "googlechat", load: () => import("openclaw/plugin-sdk/googlechat") },
-  { id: "irc", load: () => import("openclaw/plugin-sdk/irc") },
-  { id: "llm-task", load: () => import("openclaw/plugin-sdk/llm-task") },
-  { id: "lobster", load: () => import("openclaw/plugin-sdk/lobster") },
-  { id: "matrix", load: () => import("openclaw/plugin-sdk/matrix") },
-  { id: "mattermost", load: () => import("openclaw/plugin-sdk/mattermost") },
-  { id: "memory-core", load: () => import("openclaw/plugin-sdk/memory-core") },
-  { id: "memory-lancedb", load: () => import("openclaw/plugin-sdk/memory-lancedb") },
-  {
-    id: "minimax-portal-auth",
-    load: () => import("openclaw/plugin-sdk/minimax-portal-auth"),
-  },
-  { id: "nextcloud-talk", load: () => import("openclaw/plugin-sdk/nextcloud-talk") },
-  { id: "nostr", load: () => import("openclaw/plugin-sdk/nostr") },
-  { id: "open-prose", load: () => import("openclaw/plugin-sdk/open-prose") },
-  { id: "phone-control", load: () => import("openclaw/plugin-sdk/phone-control") },
-  { id: "qwen-portal-auth", load: () => import("openclaw/plugin-sdk/qwen-portal-auth") },
-  { id: "synology-chat", load: () => import("openclaw/plugin-sdk/synology-chat") },
-  { id: "talk-voice", load: () => import("openclaw/plugin-sdk/talk-voice") },
-  { id: "test-utils", load: () => import("openclaw/plugin-sdk/test-utils") },
-  { id: "thread-ownership", load: () => import("openclaw/plugin-sdk/thread-ownership") },
-  { id: "tlon", load: () => import("openclaw/plugin-sdk/tlon") },
-  { id: "twitch", load: () => import("openclaw/plugin-sdk/twitch") },
-  { id: "voice-call", load: () => import("openclaw/plugin-sdk/voice-call") },
-  { id: "zalo", load: () => import("openclaw/plugin-sdk/zalo") },
-  { id: "zalouser", load: () => import("openclaw/plugin-sdk/zalouser") },
-] as const;
+const importPluginSdkSubpath = (specifier: string) => import(/* @vite-ignore */ specifier);
+
+const bundledExtensionSubpathLoaders = pluginSdkSubpaths.map((id: string) => ({
+  id,
+  load: () => importPluginSdkSubpath(`openclaw/plugin-sdk/${id}`),
+}));
+
+const asExports = (mod: object) => mod as Record<string, unknown>;
 
 describe("plugin-sdk subpath exports", () => {
   it("exports compat helpers", () => {
@@ -56,38 +41,58 @@ describe("plugin-sdk subpath exports", () => {
     expect(typeof compatSdk.resolveControlCommandGate).toBe("function");
   });
 
+  it("exports core routing helpers", () => {
+    expect(typeof coreSdk.buildAgentSessionKey).toBe("function");
+    expect(typeof coreSdk.resolveThreadSessionKeys).toBe("function");
+    expect(typeof coreSdk.runPassiveAccountLifecycle).toBe("function");
+    expect(typeof coreSdk.createLoggerBackedRuntime).toBe("function");
+  });
+
+  it("exports shared core types used by bundled channels", () => {
+    expectTypeOf<CoreOpenClawPluginApi>().toMatchTypeOf<OpenClawPluginApi>();
+    expectTypeOf<CorePluginRuntime>().toMatchTypeOf<PluginRuntime>();
+    expectTypeOf<CoreChannelMessageActionContext>().toMatchTypeOf<ChannelMessageActionContext>();
+  });
+
+  it("keeps core shared types aligned with the channel prelude", () => {
+    expectTypeOf<CoreOpenClawPluginApi>().toMatchTypeOf<SharedOpenClawPluginApi>();
+    expectTypeOf<CorePluginRuntime>().toMatchTypeOf<SharedPluginRuntime>();
+    expectTypeOf<CoreChannelMessageActionContext>().toMatchTypeOf<SharedChannelMessageActionContext>();
+  });
+
   it("exports Discord helpers", () => {
-    expect(typeof discordSdk.resolveDiscordAccount).toBe("function");
-    expect(typeof discordSdk.inspectDiscordAccount).toBe("function");
-    expect(typeof discordSdk.discordSetupWizard).toBe("object");
-    expect(typeof discordSdk.discordSetupAdapter).toBe("object");
+    expect(typeof discordSdk.buildChannelConfigSchema).toBe("function");
+    expect(typeof discordSdk.DiscordConfigSchema).toBe("object");
+    expect(typeof discordSdk.projectCredentialSnapshotFields).toBe("function");
+    expect("resolveDiscordAccount" in asExports(discordSdk)).toBe(false);
   });
 
   it("exports Slack helpers", () => {
-    expect(typeof slackSdk.resolveSlackAccount).toBe("function");
-    expect(typeof slackSdk.inspectSlackAccount).toBe("function");
-    expect(typeof slackSdk.handleSlackMessageAction).toBe("function");
-    expect(typeof slackSdk.slackSetupWizard).toBe("object");
-    expect(typeof slackSdk.slackSetupAdapter).toBe("object");
+    expect(typeof slackSdk.buildChannelConfigSchema).toBe("function");
+    expect(typeof slackSdk.SlackConfigSchema).toBe("object");
+    expect(typeof slackSdk.looksLikeSlackTargetId).toBe("function");
+    expect("resolveSlackAccount" in asExports(slackSdk)).toBe(false);
   });
 
   it("exports Telegram helpers", () => {
-    expect(typeof telegramSdk.resolveTelegramAccount).toBe("function");
-    expect(typeof telegramSdk.inspectTelegramAccount).toBe("function");
-    expect(typeof telegramSdk.telegramSetupWizard).toBe("object");
-    expect(typeof telegramSdk.telegramSetupAdapter).toBe("object");
+    expect(typeof telegramSdk.buildChannelConfigSchema).toBe("function");
+    expect(typeof telegramSdk.TelegramConfigSchema).toBe("object");
+    expect(typeof telegramSdk.projectCredentialSnapshotFields).toBe("function");
+    expect("resolveTelegramAccount" in asExports(telegramSdk)).toBe(false);
   });
 
   it("exports Signal helpers", () => {
-    expect(typeof signalSdk.resolveSignalAccount).toBe("function");
-    expect(typeof signalSdk.signalSetupWizard).toBe("object");
-    expect(typeof signalSdk.signalSetupAdapter).toBe("object");
+    expect(typeof signalSdk.buildBaseAccountStatusSnapshot).toBe("function");
+    expect(typeof signalSdk.SignalConfigSchema).toBe("object");
+    expect(typeof signalSdk.normalizeSignalMessagingTarget).toBe("function");
+    expect("resolveSignalAccount" in asExports(signalSdk)).toBe(false);
   });
 
   it("exports iMessage helpers", () => {
-    expect(typeof imessageSdk.resolveIMessageAccount).toBe("function");
-    expect(typeof imessageSdk.imessageSetupWizard).toBe("object");
-    expect(typeof imessageSdk.imessageSetupAdapter).toBe("object");
+    expect(typeof imessageSdk.IMessageConfigSchema).toBe("object");
+    expect(typeof imessageSdk.resolveIMessageConfigAllowFrom).toBe("function");
+    expect(typeof imessageSdk.looksLikeIMessageTargetId).toBe("function");
+    expect("resolveIMessageAccount" in asExports(imessageSdk)).toBe(false);
   });
 
   it("exports IRC helpers", async () => {
@@ -105,14 +110,29 @@ describe("plugin-sdk subpath exports", () => {
     expect("resolveWhatsAppMentionStripPatterns" in whatsappSdk).toBe(false);
   });
 
+  it("exports Feishu helpers", async () => {
+    const feishuSdk = await import("openclaw/plugin-sdk/feishu");
+    expect(typeof feishuSdk.feishuSetupWizard).toBe("object");
+    expect(typeof feishuSdk.feishuSetupAdapter).toBe("object");
+  });
+
   it("exports LINE helpers", () => {
     expect(typeof lineSdk.processLineMessage).toBe("function");
     expect(typeof lineSdk.createInfoCard).toBe("function");
+    expect(typeof lineSdk.lineSetupWizard).toBe("object");
+    expect(typeof lineSdk.lineSetupAdapter).toBe("object");
   });
 
   it("exports Microsoft Teams helpers", () => {
     expect(typeof msteamsSdk.resolveControlCommandGate).toBe("function");
     expect(typeof msteamsSdk.loadOutboundMediaFromUrl).toBe("function");
+    expect(typeof msteamsSdk.msteamsSetupWizard).toBe("object");
+    expect(typeof msteamsSdk.msteamsSetupAdapter).toBe("object");
+  });
+
+  it("exports Nostr helpers", () => {
+    expect(typeof nostrSdk.nostrSetupWizard).toBe("object");
+    expect(typeof nostrSdk.nostrSetupAdapter).toBe("object");
   });
 
   it("exports Google Chat helpers", async () => {
@@ -121,6 +141,24 @@ describe("plugin-sdk subpath exports", () => {
     expect(typeof googlechatSdk.googlechatSetupAdapter).toBe("object");
   });
 
+  it("exports Zalo helpers", async () => {
+    const zaloSdk = await import("openclaw/plugin-sdk/zalo");
+    expect(typeof zaloSdk.zaloSetupWizard).toBe("object");
+    expect(typeof zaloSdk.zaloSetupAdapter).toBe("object");
+  });
+
+  it("exports Synology Chat helpers", async () => {
+    const synologyChatSdk = await import("openclaw/plugin-sdk/synology-chat");
+    expect(typeof synologyChatSdk.synologyChatSetupWizard).toBe("object");
+    expect(typeof synologyChatSdk.synologyChatSetupAdapter).toBe("object");
+  });
+
+  it("exports Zalouser helpers", async () => {
+    const zalouserSdk = await import("openclaw/plugin-sdk/zalouser");
+    expect(typeof zalouserSdk.zalouserSetupWizard).toBe("object");
+    expect(typeof zalouserSdk.zalouserSetupAdapter).toBe("object");
+  });
+
   it("exports Tlon helpers", async () => {
     const tlonSdk = await import("openclaw/plugin-sdk/tlon");
     expect(typeof tlonSdk.fetchWithSsrFGuard).toBe("function");
@@ -146,6 +184,10 @@ describe("plugin-sdk subpath exports", () => {
     const bluebubbles = await import("openclaw/plugin-sdk/bluebubbles");
     expect(typeof bluebubbles.parseFiniteNumber).toBe("function");
 
+    const matrix = await import("openclaw/plugin-sdk/matrix");
+    expect(typeof matrix.matrixSetupWizard).toBe("object");
+    expect(typeof matrix.matrixSetupAdapter).toBe("object");
+
     const mattermost = await import("openclaw/plugin-sdk/mattermost");
     expect(typeof mattermost.parseStrictPositiveInteger).toBe("function");
 
@@ -155,6 +197,8 @@ describe("plugin-sdk subpath exports", () => {
     const twitch = await import("openclaw/plugin-sdk/twitch");
     expect(typeof twitch.DEFAULT_ACCOUNT_ID).toBe("string");
     expect(typeof twitch.normalizeAccountId).toBe("function");
+    expect(typeof twitch.twitchSetupWizard).toBe("object");
+    expect(typeof twitch.twitchSetupAdapter).toBe("object");
 
     const zalo = await import("openclaw/plugin-sdk/zalo");
     expect(typeof zalo.resolveClientIp).toBe("function");
diff --git a/src/plugin-sdk/synology-chat.ts b/src/plugin-sdk/synology-chat.ts
index dcce2ea760b..f5fae73fbb2 100644
--- a/src/plugin-sdk/synology-chat.ts
+++ b/src/plugin-sdk/synology-chat.ts
@@ -3,6 +3,7 @@
 
 export { setAccountEnabledInConfigSection } from "../channels/plugins/config-helpers.js";
 export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
+export type { ChannelSetupAdapter } from "../channels/plugins/types.adapters.js";
 export {
   isRequestBodyLimitError,
   readRequestBodyWithLimit,
@@ -10,8 +11,13 @@ export {
 } from "../infra/http-body.js";
 export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
 export { registerPluginHttpRoute } from "../plugins/http-registry.js";
+export type { OpenClawConfig } from "../config/config.js";
 export type { PluginRuntime } from "../plugins/runtime/types.js";
 export type { OpenClawPluginApi } from "../plugins/types.js";
 export { DEFAULT_ACCOUNT_ID } from "../routing/session-key.js";
 export type { FixedWindowRateLimiter } from "./webhook-memory-guards.js";
 export { createFixedWindowRateLimiter } from "./webhook-memory-guards.js";
+export {
+  synologyChatSetupAdapter,
+  synologyChatSetupWizard,
+} from "../../extensions/synology-chat/src/setup-surface.js";
diff --git a/src/plugin-sdk/telegram.ts b/src/plugin-sdk/telegram.ts
index 64502bf2703..2eed87097f0 100644
--- a/src/plugin-sdk/telegram.ts
+++ b/src/plugin-sdk/telegram.ts
@@ -3,40 +3,30 @@ export type {
   ChannelGatewayContext,
   ChannelMessageActionAdapter,
 } from "../channels/plugins/types.js";
-export type { ChannelPlugin } from "../channels/plugins/types.plugin.js";
 export type { OpenClawConfig } from "../config/config.js";
-export type { PluginRuntime } from "../plugins/runtime/types.js";
-export type { OpenClawPluginApi } from "../plugins/types.js";
 export type { TelegramAccountConfig, TelegramActionConfig } from "../config/types.js";
-export type { InspectedTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
-export type { ResolvedTelegramAccount } from "../../extensions/telegram/src/accounts.js";
-export type { TelegramProbe } from "../../extensions/telegram/src/probe.js";
-
-export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
-
-export { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
-
+export type {
+  ChannelMessageActionContext,
+  ChannelPlugin,
+  OpenClawPluginApi,
+  PluginRuntime,
+} from "./channel-plugin-common.js";
 export {
+  DEFAULT_ACCOUNT_ID,
+  PAIRING_APPROVED_MESSAGE,
   applyAccountNameToChannelSection,
-  migrateBaseNameToDefaultAccount,
-} from "../channels/plugins/setup-helpers.js";
-export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
-export {
+  buildChannelConfigSchema,
   deleteAccountFromConfigSection,
-  clearAccountEntryFields,
+  emptyPluginConfigSchema,
+  formatPairingApproveHint,
+  getChatChannelMeta,
+  migrateBaseNameToDefaultAccount,
+  normalizeAccountId,
   setAccountEnabledInConfigSection,
-} from "../channels/plugins/config-helpers.js";
-export { formatPairingApproveHint } from "../channels/plugins/helpers.js";
-export { PAIRING_APPROVED_MESSAGE } from "../channels/plugins/pairing-message.js";
+} from "./channel-plugin-common.js";
 
-export { getChatChannelMeta } from "../channels/registry.js";
+export { clearAccountEntryFields } from "../channels/plugins/config-helpers.js";
 
-export {
-  listTelegramAccountIds,
-  resolveDefaultTelegramAccountId,
-  resolveTelegramAccount,
-} from "../../extensions/telegram/src/accounts.js";
-export { inspectTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
 export {
   projectCredentialSnapshotFields,
   resolveConfiguredFromCredentialStatuses,
@@ -45,16 +35,6 @@ export {
   listTelegramDirectoryGroupsFromConfig,
   listTelegramDirectoryPeersFromConfig,
 } from "../channels/plugins/directory-config.js";
-export {
-  looksLikeTelegramTargetId,
-  normalizeTelegramMessagingTarget,
-} from "../channels/plugins/normalize/telegram.js";
-export {
-  parseTelegramReplyToMessageId,
-  parseTelegramThreadId,
-} from "../../extensions/telegram/src/outbound-params.js";
-export { collectTelegramStatusIssues } from "../channels/plugins/status-issues/telegram.js";
-export { sendTelegramPayloadMessages } from "../channels/plugins/outbound/telegram.js";
 
 export {
   resolveAllowlistProviderRuntimeGroupPolicy,
@@ -64,10 +44,6 @@ export {
   resolveTelegramGroupRequireMention,
   resolveTelegramGroupToolPolicy,
 } from "../channels/plugins/group-mentions.js";
-export {
-  telegramSetupAdapter,
-  telegramSetupWizard,
-} from "../../extensions/telegram/src/setup-surface.js";
 export { TelegramConfigSchema } from "../config/zod-schema.providers-core.js";
 
 export { buildTokenChannelStatusSummary } from "./status-helpers.js";
diff --git a/src/plugin-sdk/temp-path.ts b/src/plugin-sdk/temp-path.ts
index c418fe9f664..436377fe5e1 100644
--- a/src/plugin-sdk/temp-path.ts
+++ b/src/plugin-sdk/temp-path.ts
@@ -40,6 +40,7 @@ function isNodeErrorWithCode(err: unknown, code: string): boolean {
   );
 }
 
+/** Build a unique temp file path with sanitized prefix/extension parts. */
 export function buildRandomTempFilePath(params: {
   prefix: string;
   extension?: string;
@@ -58,6 +59,7 @@ export function buildRandomTempFilePath(params: {
   return path.join(resolveTempRoot(params.tmpDir), `${prefix}-${now}-${uuid}${extension}`);
 }
 
+/** Create a temporary download directory, run the callback, then clean it up best-effort. */
 export async function withTempDownloadPath<T>(
   params: {
     prefix: string;
diff --git a/src/plugin-sdk/text-chunking.ts b/src/plugin-sdk/text-chunking.ts
index 47c98c10851..724c651168a 100644
--- a/src/plugin-sdk/text-chunking.ts
+++ b/src/plugin-sdk/text-chunking.ts
@@ -1,5 +1,6 @@
 import { chunkTextByBreakResolver } from "../shared/text-chunking.js";
 
+/** Chunk outbound text while preferring newline boundaries over spaces. */
 export function chunkTextForOutbound(text: string, limit: number): string[] {
   return chunkTextByBreakResolver(text, limit, (window) => {
     const lastNewline = window.lastIndexOf("\n");
diff --git a/src/plugin-sdk/tlon.ts b/src/plugin-sdk/tlon.ts
index 9a39493cac2..291834b9648 100644
--- a/src/plugin-sdk/tlon.ts
+++ b/src/plugin-sdk/tlon.ts
@@ -3,7 +3,6 @@
 
 export type { ReplyPayload } from "../auto-reply/types.js";
 export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
-export { promptAccountId } from "../channels/plugins/onboarding/helpers.js";
 export {
   applyAccountNameToChannelSection,
   patchScopedAccountConfig,
@@ -28,4 +27,5 @@ export type { RuntimeEnv } from "../runtime.js";
 export { formatDocsLink } from "../terminal/links.js";
 export type { WizardPrompter } from "../wizard/prompts.js";
 export { createLoggerBackedRuntime } from "./runtime.js";
-export { tlonSetupAdapter, tlonSetupWizard } from "../../extensions/tlon/src/setup-surface.js";
+export { tlonSetupAdapter } from "../../extensions/tlon/src/setup-core.js";
+export { tlonSetupWizard } from "../../extensions/tlon/src/setup-surface.js";
diff --git a/src/plugin-sdk/tool-send.ts b/src/plugin-sdk/tool-send.ts
index 835cd688d8a..61ee56fa9ac 100644
--- a/src/plugin-sdk/tool-send.ts
+++ b/src/plugin-sdk/tool-send.ts
@@ -1,3 +1,4 @@
+/** Extract the canonical send target fields from tool arguments when the action matches. */
 export function extractToolSend(
   args: Record<string, unknown>,
   expectedAction = "sendMessage",
diff --git a/src/plugin-sdk/twitch.ts b/src/plugin-sdk/twitch.ts
index 7ea8a9f5f4b..907cdd171fa 100644
--- a/src/plugin-sdk/twitch.ts
+++ b/src/plugin-sdk/twitch.ts
@@ -22,11 +22,6 @@ export type {
   ChannelStatusIssue,
 } from "../channels/plugins/types.js";
 export type { ChannelPlugin } from "../channels/plugins/types.plugin.js";
-export type {
-  ChannelOnboardingAdapter,
-  ChannelOnboardingDmPolicy,
-} from "../channels/plugins/onboarding-types.js";
-export { promptChannelAccessConfig } from "../channels/plugins/onboarding/channel-access.js";
 export { createReplyPrefixOptions } from "../channels/reply-prefix.js";
 export type { OpenClawConfig } from "../config/config.js";
 export { MarkdownConfigSchema } from "../config/zod-schema.core.js";
@@ -38,3 +33,7 @@ export type { OpenClawPluginApi } from "../plugins/types.js";
 export type { RuntimeEnv } from "../runtime.js";
 export { formatDocsLink } from "../terminal/links.js";
 export type { WizardPrompter } from "../wizard/prompts.js";
+export {
+  twitchSetupAdapter,
+  twitchSetupWizard,
+} from "../../extensions/twitch/src/setup-surface.js";
diff --git a/src/plugin-sdk/web-media.ts b/src/plugin-sdk/web-media.ts
new file mode 100644
index 00000000000..1c7432ad2b5
--- /dev/null
+++ b/src/plugin-sdk/web-media.ts
@@ -0,0 +1,6 @@
+export {
+  getDefaultLocalRoots,
+  loadWebMedia,
+  loadWebMediaRaw,
+  type WebMediaResult,
+} from "../../extensions/whatsapp/src/media.js";
diff --git a/src/plugin-sdk/webhook-memory-guards.ts b/src/plugin-sdk/webhook-memory-guards.ts
index 50a43c0b3ab..6b4061cac3b 100644
--- a/src/plugin-sdk/webhook-memory-guards.ts
+++ b/src/plugin-sdk/webhook-memory-guards.ts
@@ -48,6 +48,7 @@ export type WebhookAnomalyTracker = {
   clear: () => void;
 };
 
+/** Create a simple fixed-window rate limiter for in-memory webhook protection. */
 export function createFixedWindowRateLimiter(options: {
   windowMs: number;
   maxRequests: number;
@@ -104,6 +105,7 @@ export function createFixedWindowRateLimiter(options: {
   };
 }
 
+/** Count keyed events in memory with optional TTL pruning and bounded cardinality. */
 export function createBoundedCounter(options: {
   maxTrackedKeys: number;
   ttlMs?: number;
@@ -161,6 +163,7 @@ export function createBoundedCounter(options: {
   };
 }
 
+/** Track repeated webhook failures and emit sampled logs for suspicious request patterns. */
 export function createWebhookAnomalyTracker(options?: {
   maxTrackedKeys?: number;
   ttlMs?: number;
diff --git a/src/plugin-sdk/webhook-path.ts b/src/plugin-sdk/webhook-path.ts
index 41e4bd0ba98..fa68c9e20ee 100644
--- a/src/plugin-sdk/webhook-path.ts
+++ b/src/plugin-sdk/webhook-path.ts
@@ -1,3 +1,4 @@
+/** Normalize webhook paths into the canonical registry form used by route lookup. */
 export function normalizeWebhookPath(raw: string): string {
   const trimmed = raw.trim();
   if (!trimmed) {
@@ -10,6 +11,7 @@ export function normalizeWebhookPath(raw: string): string {
   return withSlash;
 }
 
+/** Resolve the effective webhook path from explicit path, URL, or default fallback. */
 export function resolveWebhookPath(params: {
   webhookPath?: string;
   webhookUrl?: string;
diff --git a/src/plugin-sdk/webhook-request-guards.ts b/src/plugin-sdk/webhook-request-guards.ts
index a45df7c06dd..f181859bc84 100644
--- a/src/plugin-sdk/webhook-request-guards.ts
+++ b/src/plugin-sdk/webhook-request-guards.ts
@@ -81,6 +81,7 @@ function respondWebhookBodyReadError(params: {
   return { ok: false };
 }
 
+/** Create an in-memory limiter that caps concurrent webhook handlers per key. */
 export function createWebhookInFlightLimiter(options?: {
   maxInFlightPerKey?: number;
   maxTrackedKeys?: number;
@@ -127,6 +128,7 @@ export function createWebhookInFlightLimiter(options?: {
   };
 }
 
+/** Detect JSON content types, including structured syntax suffixes like `application/ld+json`. */
 export function isJsonContentType(value: string | string[] | undefined): boolean {
   const first = Array.isArray(value) ? value[0] : value;
   if (!first) {
@@ -136,6 +138,7 @@ export function isJsonContentType(value: string | string[] | undefined): boolean
   return mediaType === "application/json" || Boolean(mediaType?.endsWith("+json"));
 }
 
+/** Apply method, rate-limit, and content-type guards before a webhook handler reads the body. */
 export function applyBasicWebhookRequestGuards(params: {
   req: IncomingMessage;
   res: ServerResponse;
@@ -176,6 +179,7 @@ export function applyBasicWebhookRequestGuards(params: {
   return true;
 }
 
+/** Start the shared webhook request lifecycle and return a release hook for in-flight tracking. */
 export function beginWebhookRequestPipelineOrReject(params: {
   req: IncomingMessage;
   res: ServerResponse;
@@ -226,6 +230,7 @@ export function beginWebhookRequestPipelineOrReject(params: {
   };
 }
 
+/** Read a webhook request body with bounded size/time limits and translate failures into responses. */
 export async function readWebhookBodyOrReject(params: {
   req: IncomingMessage;
   res: ServerResponse;
@@ -260,6 +265,7 @@ export async function readWebhookBodyOrReject(params: {
   }
 }
 
+/** Read and parse a JSON webhook body, rejecting malformed or oversized payloads consistently. */
 export async function readJsonWebhookBodyOrReject(params: {
   req: IncomingMessage;
   res: ServerResponse;
diff --git a/src/plugin-sdk/webhook-targets.ts b/src/plugin-sdk/webhook-targets.ts
index 791f4591101..e3dd9eda01d 100644
--- a/src/plugin-sdk/webhook-targets.ts
+++ b/src/plugin-sdk/webhook-targets.ts
@@ -24,6 +24,7 @@ export type RegisterWebhookPluginRouteOptions = Omit<
   "path" | "fallbackPath"
 >;
 
+/** Register a webhook target and lazily install the matching plugin HTTP route on first use. */
 export function registerWebhookTargetWithPluginRoute<T extends { path: string }>(params: {
   targetsByPath: Map<string, T[]>;
   target: T;
@@ -54,6 +55,7 @@ function getPathTeardownMap<T>(targetsByPath: Map<string, T[]>): Map<string, ()
   return created;
 }
 
+/** Add a normalized target to a path bucket and clean up route state when the last target leaves. */
 export function registerWebhookTarget<T extends { path: string }>(
   targetsByPath: Map<string, T[]>,
   target: T,
@@ -99,6 +101,7 @@ export function registerWebhookTarget<T extends { path: string }>(
   return { target: normalizedTarget, unregister };
 }
 
+/** Resolve all registered webhook targets for the incoming request path. */
 export function resolveWebhookTargets<T>(
   req: IncomingMessage,
   targetsByPath: Map<string, T[]>,
@@ -112,6 +115,7 @@ export function resolveWebhookTargets<T>(
   return { path, targets };
 }
 
+/** Run common webhook guards, then dispatch only when the request path resolves to live targets. */
 export async function withResolvedWebhookRequestPipeline<T>(params: {
   req: IncomingMessage;
   res: ServerResponse;
@@ -183,6 +187,7 @@ function finalizeMatchedWebhookTarget<T>(matched: T | undefined): WebhookTargetM
   return { kind: "single", target: matched };
 }
 
+/** Match exactly one synchronous target or report whether resolution was empty or ambiguous. */
 export function resolveSingleWebhookTarget<T>(
   targets: readonly T[],
   isMatch: (target: T) => boolean,
@@ -201,6 +206,7 @@ export function resolveSingleWebhookTarget<T>(
   return finalizeMatchedWebhookTarget(matched);
 }
 
+/** Async variant of single-target resolution for auth checks that need I/O. */
 export async function resolveSingleWebhookTargetAsync<T>(
   targets: readonly T[],
   isMatch: (target: T) => Promise<boolean>,
@@ -219,6 +225,7 @@ export async function resolveSingleWebhookTargetAsync<T>(
   return finalizeMatchedWebhookTarget(matched);
 }
 
+/** Resolve an authorized target and send the standard unauthorized or ambiguous response on failure. */
 export async function resolveWebhookTargetWithAuthOrReject<T>(params: {
   targets: readonly T[];
   res: ServerResponse;
@@ -234,6 +241,7 @@ export async function resolveWebhookTargetWithAuthOrReject<T>(params: {
   return resolveWebhookTargetMatchOrReject(params, match);
 }
 
+/** Synchronous variant of webhook auth resolution for cheap in-memory match checks. */
 export function resolveWebhookTargetWithAuthOrRejectSync<T>(params: {
   targets: readonly T[];
   res: ServerResponse;
@@ -270,6 +278,7 @@ function resolveWebhookTargetMatchOrReject<T>(
   return null;
 }
 
+/** Reject non-POST webhook requests with the conventional Allow header. */
 export function rejectNonPostWebhookRequest(req: IncomingMessage, res: ServerResponse): boolean {
   if (req.method === "POST") {
     return false;
diff --git a/src/plugin-sdk/whatsapp.ts b/src/plugin-sdk/whatsapp.ts
index e84a60e785c..df814fa04eb 100644
--- a/src/plugin-sdk/whatsapp.ts
+++ b/src/plugin-sdk/whatsapp.ts
@@ -1,22 +1,25 @@
 export type { ChannelMessageActionName } from "../channels/plugins/types.js";
-export type { ChannelPlugin } from "../channels/plugins/types.plugin.js";
 export type { OpenClawConfig } from "../config/config.js";
 export type { DmPolicy, GroupPolicy, WhatsAppAccountConfig } from "../config/types.js";
-export type { PluginRuntime } from "../plugins/runtime/types.js";
-export type { OpenClawPluginApi } from "../plugins/types.js";
-
-export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
-
-export { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
-
+export type {
+  ChannelMessageActionContext,
+  ChannelPlugin,
+  OpenClawPluginApi,
+  PluginRuntime,
+} from "./channel-plugin-common.js";
 export {
+  DEFAULT_ACCOUNT_ID,
+  PAIRING_APPROVED_MESSAGE,
   applyAccountNameToChannelSection,
+  buildChannelConfigSchema,
+  deleteAccountFromConfigSection,
+  emptyPluginConfigSchema,
+  formatPairingApproveHint,
+  getChatChannelMeta,
   migrateBaseNameToDefaultAccount,
-} from "../channels/plugins/setup-helpers.js";
-export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
-export { formatPairingApproveHint } from "../channels/plugins/helpers.js";
-
-export { getChatChannelMeta } from "../channels/registry.js";
+  normalizeAccountId,
+  setAccountEnabledInConfigSection,
+} from "./channel-plugin-common.js";
 export {
   formatWhatsAppConfigAllowFromEntries,
   resolveWhatsAppConfigAllowFrom,
@@ -26,6 +29,7 @@ export {
   listWhatsAppDirectoryGroupsFromConfig,
   listWhatsAppDirectoryPeersFromConfig,
 } from "../channels/plugins/directory-config.js";
+export { normalizeWhatsAppAllowFromEntries } from "../channels/plugins/normalize/whatsapp.js";
 export {
   collectAllowlistProviderGroupPolicyWarnings,
   collectOpenGroupPolicyRouteAllowlistWarnings,
@@ -51,5 +55,4 @@ export { WhatsAppConfigSchema } from "../config/zod-schema.providers-whatsapp.js
 
 export { createActionGate, readStringParam } from "../agents/tools/common.js";
 export { createPluginRuntimeStore } from "./runtime-store.js";
-
 export { normalizeE164 } from "../utils.js";
diff --git a/src/plugin-sdk/windows-spawn.ts b/src/plugin-sdk/windows-spawn.ts
index 16d24de629a..9a296508165 100644
--- a/src/plugin-sdk/windows-spawn.ts
+++ b/src/plugin-sdk/windows-spawn.ts
@@ -52,6 +52,7 @@ function isFilePath(candidate: string): boolean {
   }
 }
 
+/** Resolve a Windows command name through PATH and PATHEXT so wrapper inspection sees the real file. */
 export function resolveWindowsExecutablePath(command: string, env: NodeJS.ProcessEnv): string {
   if (command.includes("/") || command.includes("\\") || path.isAbsolute(command)) {
     return command;
@@ -188,6 +189,7 @@ function resolveEntrypointFromPackageJson(
   return null;
 }
 
+/** Resolve the safest direct spawn candidate for Windows wrappers, scripts, and binaries. */
 export function resolveWindowsSpawnProgramCandidate(
   params: ResolveWindowsSpawnProgramCandidateParams,
 ): WindowsSpawnProgramCandidate {
@@ -250,6 +252,7 @@ export function resolveWindowsSpawnProgramCandidate(
   };
 }
 
+/** Apply shell-fallback policy when Windows wrapper resolution could not find a direct entrypoint. */
 export function applyWindowsSpawnProgramPolicy(params: {
   candidate: WindowsSpawnProgramCandidate;
   allowShellFallback?: boolean;
@@ -275,6 +278,7 @@ export function applyWindowsSpawnProgramPolicy(params: {
   );
 }
 
+/** Resolve the final Windows spawn program after candidate discovery and fallback policy. */
 export function resolveWindowsSpawnProgram(
   params: ResolveWindowsSpawnProgramParams,
 ): WindowsSpawnProgram {
@@ -285,6 +289,7 @@ export function resolveWindowsSpawnProgram(
   });
 }
 
+/** Combine a resolved Windows spawn program with call-site argv for actual process launch. */
 export function materializeWindowsSpawnProgram(
   program: WindowsSpawnProgram,
   argv: string[],
diff --git a/src/plugin-sdk/zalo.ts b/src/plugin-sdk/zalo.ts
index e13529f8c42..37e3b9fde26 100644
--- a/src/plugin-sdk/zalo.ts
+++ b/src/plugin-sdk/zalo.ts
@@ -3,7 +3,6 @@
 
 export { jsonResult, readStringParam } from "../agents/tools/common.js";
 export type { ReplyPayload } from "../auto-reply/types.js";
-export type { ChannelDock } from "../channels/dock.js";
 export {
   deleteAccountFromConfigSection,
   setAccountEnabledInConfigSection,
@@ -11,20 +10,14 @@ export {
 export { listDirectoryUserEntriesFromAllowFrom } from "../channels/plugins/directory-config-helpers.js";
 export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
 export { formatPairingApproveHint } from "../channels/plugins/helpers.js";
-export type {
-  ChannelOnboardingAdapter,
-  ChannelOnboardingDmPolicy,
-} from "../channels/plugins/onboarding-types.js";
 export {
   buildSingleChannelSecretPromptState,
   addWildcardAllowFrom,
   mergeAllowFromEntries,
-  promptAccountId,
   promptSingleChannelSecretInput,
   runSingleChannelSecretStep,
-  resolveAccountIdForConfigure,
   setTopLevelChannelDmPolicyWithAllowFrom,
-} from "../channels/plugins/onboarding/helpers.js";
+} from "../channels/plugins/setup-wizard-helpers.js";
 export { PAIRING_APPROVED_MESSAGE } from "../channels/plugins/pairing-message.js";
 export {
   applyAccountNameToChannelSection,
@@ -69,6 +62,8 @@ export { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.j
 export type { RuntimeEnv } from "../runtime.js";
 export type { WizardPrompter } from "../wizard/prompts.js";
 export { formatAllowFromLowercase, isNormalizedSenderAllowed } from "./allow-from.js";
+export { zaloSetupAdapter } from "../../extensions/zalo/src/setup-core.js";
+export { zaloSetupWizard } from "../../extensions/zalo/src/setup-surface.js";
 export {
   resolveDirectDmAuthorizationOutcome,
   resolveSenderCommandAuthorizationWithRuntime,
diff --git a/src/plugin-sdk/zalouser.ts b/src/plugin-sdk/zalouser.ts
index 4b8ef88d06d..b7b95910132 100644
--- a/src/plugin-sdk/zalouser.ts
+++ b/src/plugin-sdk/zalouser.ts
@@ -3,7 +3,6 @@
 
 export type { ReplyPayload } from "../auto-reply/types.js";
 export { mergeAllowlist, summarizeMapping } from "../channels/allowlists/resolve-utils.js";
-export type { ChannelDock } from "../channels/dock.js";
 export { resolveMentionGatingWithBypass } from "../channels/mention-gating.js";
 export {
   deleteAccountFromConfigSection,
@@ -11,18 +10,11 @@ export {
 } from "../channels/plugins/config-helpers.js";
 export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
 export { formatPairingApproveHint } from "../channels/plugins/helpers.js";
-export type {
-  ChannelOnboardingAdapter,
-  ChannelOnboardingDmPolicy,
-} from "../channels/plugins/onboarding-types.js";
-export { promptChannelAccessConfig } from "../channels/plugins/onboarding/channel-access.js";
 export {
   addWildcardAllowFrom,
   mergeAllowFromEntries,
-  promptAccountId,
-  resolveAccountIdForConfigure,
   setTopLevelChannelDmPolicyWithAllowFrom,
-} from "../channels/plugins/onboarding/helpers.js";
+} from "../channels/plugins/setup-wizard-helpers.js";
 export {
   applyAccountNameToChannelSection,
   applySetupAccountConfigPatch,
@@ -61,6 +53,8 @@ export type { WizardPrompter } from "../wizard/prompts.js";
 export { formatAllowFromLowercase } from "./allow-from.js";
 export { resolveSenderCommandAuthorization } from "./command-auth.js";
 export { resolveChannelAccountConfigBasePath } from "./config-paths.js";
+export { zalouserSetupAdapter } from "../../extensions/zalouser/src/setup-core.js";
+export { zalouserSetupWizard } from "../../extensions/zalouser/src/setup-surface.js";
 export {
   evaluateGroupRouteAccessForPolicy,
   resolveSenderScopedGroupPolicy,
diff --git a/src/plugins/bundle-mcp.test.ts b/src/plugins/bundle-mcp.test.ts
index 122c7a83c5c..ef109f4abfb 100644
--- a/src/plugins/bundle-mcp.test.ts
+++ b/src/plugins/bundle-mcp.test.ts
@@ -24,11 +24,14 @@ afterEach(async () => {
 
 describe("loadEnabledBundleMcpConfig", () => {
   it("loads enabled Claude bundle MCP config and absolutizes relative args", async () => {
-    const env = captureEnv(["HOME"]);
+    const env = captureEnv(["HOME", "USERPROFILE", "OPENCLAW_HOME", "OPENCLAW_STATE_DIR"]);
     try {
       const homeDir = await createTempDir("openclaw-bundle-mcp-home-");
       const workspaceDir = await createTempDir("openclaw-bundle-mcp-workspace-");
       process.env.HOME = homeDir;
+      process.env.USERPROFILE = homeDir;
+      delete process.env.OPENCLAW_HOME;
+      delete process.env.OPENCLAW_STATE_DIR;
 
       const pluginRoot = path.join(homeDir, ".openclaw", "extensions", "bundle-probe");
       const serverPath = path.join(pluginRoot, "servers", "probe.mjs");
@@ -80,11 +83,14 @@ describe("loadEnabledBundleMcpConfig", () => {
   });
 
   it("merges inline bundle MCP servers and skips disabled bundles", async () => {
-    const env = captureEnv(["HOME"]);
+    const env = captureEnv(["HOME", "USERPROFILE", "OPENCLAW_HOME", "OPENCLAW_STATE_DIR"]);
     try {
       const homeDir = await createTempDir("openclaw-bundle-inline-home-");
       const workspaceDir = await createTempDir("openclaw-bundle-inline-workspace-");
       process.env.HOME = homeDir;
+      process.env.USERPROFILE = homeDir;
+      delete process.env.OPENCLAW_HOME;
+      delete process.env.OPENCLAW_STATE_DIR;
 
       const enabledRoot = path.join(homeDir, ".openclaw", "extensions", "inline-enabled");
       const disabledRoot = path.join(homeDir, ".openclaw", "extensions", "inline-disabled");
diff --git a/src/plugins/bundled-compat.ts b/src/plugins/bundled-compat.ts
new file mode 100644
index 00000000000..e946be355b5
--- /dev/null
+++ b/src/plugins/bundled-compat.ts
@@ -0,0 +1,65 @@
+import type { PluginEntryConfig } from "../config/types.plugins.js";
+import type { PluginLoadOptions } from "./loader.js";
+
+export function withBundledPluginAllowlistCompat(params: {
+  config: PluginLoadOptions["config"];
+  pluginIds: readonly string[];
+}): PluginLoadOptions["config"] {
+  const allow = params.config?.plugins?.allow;
+  if (!Array.isArray(allow) || allow.length === 0) {
+    return params.config;
+  }
+
+  const allowSet = new Set(allow.map((entry) => entry.trim()).filter(Boolean));
+  let changed = false;
+  for (const pluginId of params.pluginIds) {
+    if (!allowSet.has(pluginId)) {
+      allowSet.add(pluginId);
+      changed = true;
+    }
+  }
+
+  if (!changed) {
+    return params.config;
+  }
+
+  return {
+    ...params.config,
+    plugins: {
+      ...params.config?.plugins,
+      allow: [...allowSet],
+    },
+  };
+}
+
+export function withBundledPluginEnablementCompat(params: {
+  config: PluginLoadOptions["config"];
+  pluginIds: readonly string[];
+}): PluginLoadOptions["config"] {
+  const existingEntries = params.config?.plugins?.entries ?? {};
+  let changed = false;
+  const nextEntries: Record<string, PluginEntryConfig> = { ...existingEntries };
+
+  for (const pluginId of params.pluginIds) {
+    if (existingEntries[pluginId] !== undefined) {
+      continue;
+    }
+    nextEntries[pluginId] = { enabled: true };
+    changed = true;
+  }
+
+  if (!changed) {
+    return params.config;
+  }
+
+  return {
+    ...params.config,
+    plugins: {
+      ...params.config?.plugins,
+      entries: {
+        ...existingEntries,
+        ...nextEntries,
+      },
+    },
+  };
+}
diff --git a/src/plugins/bundled-provider-auth-env-vars.test.ts b/src/plugins/bundled-provider-auth-env-vars.test.ts
new file mode 100644
index 00000000000..81523392e7a
--- /dev/null
+++ b/src/plugins/bundled-provider-auth-env-vars.test.ts
@@ -0,0 +1,22 @@
+import { describe, expect, it } from "vitest";
+import { BUNDLED_PROVIDER_AUTH_ENV_VAR_CANDIDATES } from "./bundled-provider-auth-env-vars.js";
+
+describe("bundled provider auth env vars", () => {
+  it("reads bundled provider auth env vars from plugin manifests", () => {
+    expect(BUNDLED_PROVIDER_AUTH_ENV_VAR_CANDIDATES["github-copilot"]).toEqual([
+      "COPILOT_GITHUB_TOKEN",
+      "GH_TOKEN",
+      "GITHUB_TOKEN",
+    ]);
+    expect(BUNDLED_PROVIDER_AUTH_ENV_VAR_CANDIDATES["qwen-portal"]).toEqual([
+      "QWEN_OAUTH_TOKEN",
+      "QWEN_PORTAL_API_KEY",
+    ]);
+    expect(BUNDLED_PROVIDER_AUTH_ENV_VAR_CANDIDATES["minimax-portal"]).toEqual([
+      "MINIMAX_OAUTH_TOKEN",
+      "MINIMAX_API_KEY",
+    ]);
+    expect(BUNDLED_PROVIDER_AUTH_ENV_VAR_CANDIDATES.openai).toEqual(["OPENAI_API_KEY"]);
+    expect(BUNDLED_PROVIDER_AUTH_ENV_VAR_CANDIDATES["openai-codex"]).toBeUndefined();
+  });
+});
diff --git a/src/plugins/bundled-provider-auth-env-vars.ts b/src/plugins/bundled-provider-auth-env-vars.ts
new file mode 100644
index 00000000000..42ca376959d
--- /dev/null
+++ b/src/plugins/bundled-provider-auth-env-vars.ts
@@ -0,0 +1,93 @@
+import ANTHROPIC_MANIFEST from "../../extensions/anthropic/openclaw.plugin.json" with { type: "json" };
+import BYTEPLUS_MANIFEST from "../../extensions/byteplus/openclaw.plugin.json" with { type: "json" };
+import CLOUDFLARE_AI_GATEWAY_MANIFEST from "../../extensions/cloudflare-ai-gateway/openclaw.plugin.json" with { type: "json" };
+import COPILOT_PROXY_MANIFEST from "../../extensions/copilot-proxy/openclaw.plugin.json" with { type: "json" };
+import GITHUB_COPILOT_MANIFEST from "../../extensions/github-copilot/openclaw.plugin.json" with { type: "json" };
+import GOOGLE_MANIFEST from "../../extensions/google/openclaw.plugin.json" with { type: "json" };
+import HUGGINGFACE_MANIFEST from "../../extensions/huggingface/openclaw.plugin.json" with { type: "json" };
+import KILOCODE_MANIFEST from "../../extensions/kilocode/openclaw.plugin.json" with { type: "json" };
+import KIMI_CODING_MANIFEST from "../../extensions/kimi-coding/openclaw.plugin.json" with { type: "json" };
+import MINIMAX_MANIFEST from "../../extensions/minimax/openclaw.plugin.json" with { type: "json" };
+import MISTRAL_MANIFEST from "../../extensions/mistral/openclaw.plugin.json" with { type: "json" };
+import MODELSTUDIO_MANIFEST from "../../extensions/modelstudio/openclaw.plugin.json" with { type: "json" };
+import MOONSHOT_MANIFEST from "../../extensions/moonshot/openclaw.plugin.json" with { type: "json" };
+import NVIDIA_MANIFEST from "../../extensions/nvidia/openclaw.plugin.json" with { type: "json" };
+import OLLAMA_MANIFEST from "../../extensions/ollama/openclaw.plugin.json" with { type: "json" };
+import OPENAI_MANIFEST from "../../extensions/openai/openclaw.plugin.json" with { type: "json" };
+import OPENCODE_GO_MANIFEST from "../../extensions/opencode-go/openclaw.plugin.json" with { type: "json" };
+import OPENCODE_MANIFEST from "../../extensions/opencode/openclaw.plugin.json" with { type: "json" };
+import OPENROUTER_MANIFEST from "../../extensions/openrouter/openclaw.plugin.json" with { type: "json" };
+import QIANFAN_MANIFEST from "../../extensions/qianfan/openclaw.plugin.json" with { type: "json" };
+import QWEN_PORTAL_AUTH_MANIFEST from "../../extensions/qwen-portal-auth/openclaw.plugin.json" with { type: "json" };
+import SGLANG_MANIFEST from "../../extensions/sglang/openclaw.plugin.json" with { type: "json" };
+import SYNTHETIC_MANIFEST from "../../extensions/synthetic/openclaw.plugin.json" with { type: "json" };
+import TOGETHER_MANIFEST from "../../extensions/together/openclaw.plugin.json" with { type: "json" };
+import VENICE_MANIFEST from "../../extensions/venice/openclaw.plugin.json" with { type: "json" };
+import VERCEL_AI_GATEWAY_MANIFEST from "../../extensions/vercel-ai-gateway/openclaw.plugin.json" with { type: "json" };
+import VLLM_MANIFEST from "../../extensions/vllm/openclaw.plugin.json" with { type: "json" };
+import VOLCENGINE_MANIFEST from "../../extensions/volcengine/openclaw.plugin.json" with { type: "json" };
+import XAI_MANIFEST from "../../extensions/xai/openclaw.plugin.json" with { type: "json" };
+import XIAOMI_MANIFEST from "../../extensions/xiaomi/openclaw.plugin.json" with { type: "json" };
+import ZAI_MANIFEST from "../../extensions/zai/openclaw.plugin.json" with { type: "json" };
+
+type ProviderAuthEnvVarManifest = {
+  id?: string;
+  providerAuthEnvVars?: Record<string, string[]>;
+};
+
+function collectBundledProviderAuthEnvVars(
+  manifests: readonly ProviderAuthEnvVarManifest[],
+): Record<string, readonly string[]> {
+  const entries: Record<string, readonly string[]> = {};
+  for (const manifest of manifests) {
+    const providerAuthEnvVars = manifest.providerAuthEnvVars;
+    if (!providerAuthEnvVars) {
+      continue;
+    }
+    for (const [providerId, envVars] of Object.entries(providerAuthEnvVars)) {
+      const normalizedProviderId = providerId.trim();
+      const normalizedEnvVars = envVars.map((value) => value.trim()).filter(Boolean);
+      if (!normalizedProviderId || normalizedEnvVars.length === 0) {
+        continue;
+      }
+      entries[normalizedProviderId] = normalizedEnvVars;
+    }
+  }
+  return entries;
+}
+
+// Read bundled provider auth env metadata from manifests so env-based auth
+// lookup stays cheap and does not need to boot plugin runtime code.
+export const BUNDLED_PROVIDER_AUTH_ENV_VAR_CANDIDATES = collectBundledProviderAuthEnvVars([
+  ANTHROPIC_MANIFEST,
+  BYTEPLUS_MANIFEST,
+  CLOUDFLARE_AI_GATEWAY_MANIFEST,
+  COPILOT_PROXY_MANIFEST,
+  GITHUB_COPILOT_MANIFEST,
+  GOOGLE_MANIFEST,
+  HUGGINGFACE_MANIFEST,
+  KILOCODE_MANIFEST,
+  KIMI_CODING_MANIFEST,
+  MINIMAX_MANIFEST,
+  MISTRAL_MANIFEST,
+  MODELSTUDIO_MANIFEST,
+  MOONSHOT_MANIFEST,
+  NVIDIA_MANIFEST,
+  OLLAMA_MANIFEST,
+  OPENAI_MANIFEST,
+  OPENCODE_GO_MANIFEST,
+  OPENCODE_MANIFEST,
+  OPENROUTER_MANIFEST,
+  QIANFAN_MANIFEST,
+  QWEN_PORTAL_AUTH_MANIFEST,
+  SGLANG_MANIFEST,
+  SYNTHETIC_MANIFEST,
+  TOGETHER_MANIFEST,
+  VENICE_MANIFEST,
+  VERCEL_AI_GATEWAY_MANIFEST,
+  VLLM_MANIFEST,
+  VOLCENGINE_MANIFEST,
+  XAI_MANIFEST,
+  XIAOMI_MANIFEST,
+  ZAI_MANIFEST,
+]);
diff --git a/src/plugins/bundled-runtime-deps.test.ts b/src/plugins/bundled-runtime-deps.test.ts
index 027651c5a07..c0091a017f5 100644
--- a/src/plugins/bundled-runtime-deps.test.ts
+++ b/src/plugins/bundled-runtime-deps.test.ts
@@ -22,4 +22,15 @@ describe("bundled plugin runtime dependencies", () => {
     expect(rootSpec).toBeTruthy();
     expect(rootSpec).toBe(feishuSpec);
   });
+
+  it("keeps bundled memory-lancedb runtime deps available from the published root package", () => {
+    const rootManifest = readJson<PackageManifest>("package.json");
+    const memoryManifest = readJson<PackageManifest>("extensions/memory-lancedb/package.json");
+    const memorySpec = memoryManifest.dependencies?.["@lancedb/lancedb"];
+    const rootSpec = rootManifest.dependencies?.["@lancedb/lancedb"];
+
+    expect(memorySpec).toBeTruthy();
+    expect(rootSpec).toBeTruthy();
+    expect(rootSpec).toBe(memorySpec);
+  });
 });
diff --git a/src/plugins/commands.test.ts b/src/plugins/commands.test.ts
index 64f953fb014..6f371305a81 100644
--- a/src/plugins/commands.test.ts
+++ b/src/plugins/commands.test.ts
@@ -1,4 +1,6 @@
-import { afterEach, describe, expect, it } from "vitest";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { discordPlugin } from "../../extensions/discord/src/channel.js";
+import { createTestRegistry } from "../test-utils/channel-plugins.js";
 import {
   __testing,
   clearPluginCommands,
@@ -7,6 +9,13 @@ import {
   listPluginCommands,
   registerPluginCommand,
 } from "./commands.js";
+import { setActivePluginRegistry } from "./runtime.js";
+
+beforeEach(() => {
+  setActivePluginRegistry(
+    createTestRegistry([{ pluginId: "discord", source: "test", plugin: discordPlugin }]),
+  );
+});
 
 afterEach(() => {
   clearPluginCommands();
diff --git a/src/plugins/commands.ts b/src/plugins/commands.ts
index 91e38a6ae99..fdd71d4f31c 100644
--- a/src/plugins/commands.ts
+++ b/src/plugins/commands.ts
@@ -5,8 +5,7 @@
  * These commands are processed before built-in commands and before agent invocation.
  */
 
-import { parseDiscordTarget } from "../../extensions/discord/src/targets.js";
-import { parseTelegramTarget } from "../../extensions/telegram/src/targets.js";
+import { parseExplicitTargetForChannel } from "../channels/plugins/target-parsing.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { logVerbose } from "../globals.js";
 import {
@@ -286,12 +285,15 @@ function resolveBindingConversationFromCommand(params: {
     if (!rawTarget) {
       return null;
     }
-    const target = parseTelegramTarget(rawTarget);
+    const target = parseExplicitTargetForChannel("telegram", rawTarget);
+    if (!target) {
+      return null;
+    }
     return {
       channel: "telegram",
       accountId,
-      conversationId: target.chatId,
-      threadId: params.messageThreadId ?? target.messageThreadId,
+      conversationId: target.to,
+      threadId: params.messageThreadId ?? target.threadId,
     };
   }
   if (params.channel === "discord") {
@@ -304,14 +306,14 @@ function resolveBindingConversationFromCommand(params: {
     if (!rawTarget || rawTarget.startsWith("slash:")) {
       return null;
     }
-    const target = parseDiscordTarget(rawTarget, { defaultKind: "channel" });
+    const target = parseExplicitTargetForChannel("discord", rawTarget);
     if (!target) {
       return null;
     }
     return {
       channel: "discord",
       accountId,
-      conversationId: `${target.kind}:${target.id}`,
+      conversationId: `${target.chatType === "direct" ? "user" : "channel"}:${target.to}`,
     };
   }
   return null;
diff --git a/src/plugins/config-state.test.ts b/src/plugins/config-state.test.ts
index 2d287a71e34..8becf375f96 100644
--- a/src/plugins/config-state.test.ts
+++ b/src/plugins/config-state.test.ts
@@ -77,6 +77,26 @@ describe("normalizePluginsConfig", () => {
     });
     expect(result.entries["voice-call"]?.hooks).toBeUndefined();
   });
+
+  it("normalizes legacy plugin ids to their merged bundled plugin id", () => {
+    const result = normalizePluginsConfig({
+      allow: ["openai-codex", "minimax-portal-auth"],
+      deny: ["openai-codex", "minimax-portal-auth"],
+      entries: {
+        "openai-codex": {
+          enabled: true,
+        },
+        "minimax-portal-auth": {
+          enabled: false,
+        },
+      },
+    });
+
+    expect(result.allow).toEqual(["openai", "minimax"]);
+    expect(result.deny).toEqual(["openai", "minimax"]);
+    expect(result.entries.openai?.enabled).toBe(true);
+    expect(result.entries.minimax?.enabled).toBe(false);
+  });
 });
 
 describe("resolveEffectiveEnableState", () => {
@@ -193,4 +213,9 @@ describe("resolveEnableState", () => {
       reason: "workspace plugin (disabled by default)",
     });
   });
+
+  it("keeps bundled provider plugins enabled when they are bundled-default providers", () => {
+    const state = resolveEnableState("google", "bundled", normalizePluginsConfig({}));
+    expect(state).toEqual({ enabled: true });
+  });
 });
diff --git a/src/plugins/config-state.ts b/src/plugins/config-state.ts
index 26a65b61cd9..46070deab34 100644
--- a/src/plugins/config-state.ts
+++ b/src/plugins/config-state.ts
@@ -24,23 +24,23 @@ export type NormalizedPluginsConfig = {
 };
 
 export const BUNDLED_ENABLED_BY_DEFAULT = new Set<string>([
+  "amazon-bedrock",
   "anthropic",
   "byteplus",
   "cloudflare-ai-gateway",
   "device-pair",
   "github-copilot",
+  "google",
   "huggingface",
   "kilocode",
   "kimi-coding",
   "minimax",
-  "minimax-portal-auth",
   "mistral",
   "modelstudio",
   "moonshot",
   "nvidia",
   "ollama",
   "openai",
-  "openai-codex",
   "opencode",
   "opencode-go",
   "openrouter",
@@ -55,15 +55,28 @@ export const BUNDLED_ENABLED_BY_DEFAULT = new Set<string>([
   "vercel-ai-gateway",
   "vllm",
   "volcengine",
+  "xai",
   "xiaomi",
   "zai",
 ]);
 
+const PLUGIN_ID_ALIASES: Readonly<Record<string, string>> = {
+  "openai-codex": "openai",
+  "minimax-portal-auth": "minimax",
+};
+
+function normalizePluginId(id: string): string {
+  const trimmed = id.trim();
+  return PLUGIN_ID_ALIASES[trimmed] ?? trimmed;
+}
+
 const normalizeList = (value: unknown): string[] => {
   if (!Array.isArray(value)) {
     return [];
   }
-  return value.map((entry) => (typeof entry === "string" ? entry.trim() : "")).filter(Boolean);
+  return value
+    .map((entry) => (typeof entry === "string" ? normalizePluginId(entry) : ""))
+    .filter(Boolean);
 };
 
 const normalizeSlotValue = (value: unknown): string | null | undefined => {
@@ -86,11 +99,12 @@ const normalizePluginEntries = (entries: unknown): NormalizedPluginsConfig["entr
   }
   const normalized: NormalizedPluginsConfig["entries"] = {};
   for (const [key, value] of Object.entries(entries)) {
-    if (!key.trim()) {
+    const normalizedKey = normalizePluginId(key);
+    if (!normalizedKey) {
       continue;
     }
     if (!value || typeof value !== "object" || Array.isArray(value)) {
-      normalized[key] = {};
+      normalized[normalizedKey] = {};
       continue;
     }
     const entry = value as Record<string, unknown>;
@@ -108,10 +122,12 @@ const normalizePluginEntries = (entries: unknown): NormalizedPluginsConfig["entr
             allowPromptInjection: hooks.allowPromptInjection,
           }
         : undefined;
-    normalized[key] = {
-      enabled: typeof entry.enabled === "boolean" ? entry.enabled : undefined,
-      hooks: normalizedHooks,
-      config: "config" in entry ? entry.config : undefined,
+    normalized[normalizedKey] = {
+      ...normalized[normalizedKey],
+      enabled:
+        typeof entry.enabled === "boolean" ? entry.enabled : normalized[normalizedKey]?.enabled,
+      hooks: normalizedHooks ?? normalized[normalizedKey]?.hooks,
+      config: "config" in entry ? entry.config : normalized[normalizedKey]?.config,
     };
   }
   return normalized;
diff --git a/src/plugins/contracts/auth-choice.contract.test.ts b/src/plugins/contracts/auth-choice.contract.test.ts
new file mode 100644
index 00000000000..fa4f4daa0ad
--- /dev/null
+++ b/src/plugins/contracts/auth-choice.contract.test.ts
@@ -0,0 +1,237 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { clearRuntimeAuthProfileStoreSnapshots } from "../../agents/auth-profiles/store.js";
+import { applyAuthChoiceLoadedPluginProvider } from "../../commands/auth-choice.apply.plugin-provider.js";
+import { resolvePreferredProviderForAuthChoice } from "../../commands/auth-choice.preferred-provider.js";
+import type { AuthChoice } from "../../commands/onboard-types.js";
+import {
+  createAuthTestLifecycle,
+  createExitThrowingRuntime,
+  createWizardPrompter,
+  readAuthProfilesForAgent,
+  requireOpenClawAgentDir,
+  setupAuthTestEnv,
+} from "../../commands/test-wizard-helpers.js";
+import { createCapturedPluginRegistration } from "../../test-utils/plugin-registration.js";
+import type { OpenClawPluginApi, ProviderPlugin } from "../types.js";
+
+type ResolvePluginProviders =
+  typeof import("../../commands/auth-choice.apply.plugin-provider.runtime.js").resolvePluginProviders;
+type ResolveProviderPluginChoice =
+  typeof import("../../commands/auth-choice.apply.plugin-provider.runtime.js").resolveProviderPluginChoice;
+type RunProviderModelSelectedHook =
+  typeof import("../../commands/auth-choice.apply.plugin-provider.runtime.js").runProviderModelSelectedHook;
+
+const loginQwenPortalOAuthMock = vi.hoisted(() => vi.fn());
+const githubCopilotLoginCommandMock = vi.hoisted(() => vi.fn());
+const resolvePluginProvidersMock = vi.hoisted(() => vi.fn<ResolvePluginProviders>(() => []));
+const resolveProviderPluginChoiceMock = vi.hoisted(() => vi.fn<ResolveProviderPluginChoice>());
+const runProviderModelSelectedHookMock = vi.hoisted(() =>
+  vi.fn<RunProviderModelSelectedHook>(async () => {}),
+);
+
+vi.mock("../../../extensions/qwen-portal-auth/oauth.js", () => ({
+  loginQwenPortalOAuth: loginQwenPortalOAuthMock,
+}));
+
+vi.mock("../../providers/github-copilot-auth.js", () => ({
+  githubCopilotLoginCommand: githubCopilotLoginCommandMock,
+}));
+
+vi.mock("../../commands/auth-choice.apply.plugin-provider.runtime.js", () => ({
+  resolvePluginProviders: resolvePluginProvidersMock,
+  resolveProviderPluginChoice: resolveProviderPluginChoiceMock,
+  runProviderModelSelectedHook: runProviderModelSelectedHookMock,
+}));
+
+type StoredAuthProfile = {
+  type?: string;
+  provider?: string;
+  access?: string;
+  refresh?: string;
+  key?: string;
+  token?: string;
+};
+
+const qwenPortalPlugin = (await import("../../../extensions/qwen-portal-auth/index.js")).default;
+
+function registerProviders(...plugins: Array<{ register(api: OpenClawPluginApi): void }>) {
+  const captured = createCapturedPluginRegistration();
+  for (const plugin of plugins) {
+    plugin.register(captured.api);
+  }
+  return captured.providers;
+}
+
+function requireProvider(providers: ProviderPlugin[], providerId: string) {
+  const provider = providers.find((entry) => entry.id === providerId);
+  if (!provider) {
+    throw new Error(`provider ${providerId} missing`);
+  }
+  return provider;
+}
+
+describe("provider auth-choice contract", () => {
+  const lifecycle = createAuthTestLifecycle([
+    "OPENCLAW_STATE_DIR",
+    "OPENCLAW_AGENT_DIR",
+    "PI_CODING_AGENT_DIR",
+  ]);
+  let activeStateDir: string | null = null;
+
+  async function setupTempState() {
+    if (activeStateDir) {
+      await lifecycle.cleanup();
+    }
+    const env = await setupAuthTestEnv("openclaw-provider-auth-choice-");
+    activeStateDir = env.stateDir;
+    lifecycle.setStateDir(env.stateDir);
+  }
+
+  afterEach(async () => {
+    loginQwenPortalOAuthMock.mockReset();
+    githubCopilotLoginCommandMock.mockReset();
+    resolvePluginProvidersMock.mockReset();
+    resolvePluginProvidersMock.mockReturnValue([]);
+    resolveProviderPluginChoiceMock.mockReset();
+    resolveProviderPluginChoiceMock.mockReturnValue(null);
+    runProviderModelSelectedHookMock.mockReset();
+    clearRuntimeAuthProfileStoreSnapshots();
+    await lifecycle.cleanup();
+    activeStateDir = null;
+  });
+
+  it("maps plugin-backed auth choices through the shared preferred-provider resolver", async () => {
+    const scenarios = [
+      { authChoice: "github-copilot" as const, expectedProvider: "github-copilot" },
+      { authChoice: "qwen-portal" as const, expectedProvider: "qwen-portal" },
+      { authChoice: "minimax-global-oauth" as const, expectedProvider: "minimax-portal" },
+      { authChoice: "modelstudio-api-key" as const, expectedProvider: "modelstudio" },
+      { authChoice: "ollama" as const, expectedProvider: "ollama" },
+      { authChoice: "unknown" as AuthChoice, expectedProvider: undefined },
+    ] as const;
+
+    for (const scenario of scenarios) {
+      await expect(
+        resolvePreferredProviderForAuthChoice({ choice: scenario.authChoice }),
+      ).resolves.toBe(scenario.expectedProvider);
+    }
+  });
+
+  it("applies qwen portal auth choices through the shared plugin-provider path", async () => {
+    await setupTempState();
+    const qwenProvider = requireProvider(registerProviders(qwenPortalPlugin), "qwen-portal");
+    resolvePluginProvidersMock.mockReturnValue([qwenProvider]);
+    resolveProviderPluginChoiceMock.mockReturnValue({
+      provider: qwenProvider,
+      method: qwenProvider.auth[0],
+    });
+    loginQwenPortalOAuthMock.mockResolvedValueOnce({
+      access: "access-token",
+      refresh: "refresh-token",
+      expires: 1_700_000_000_000,
+      resourceUrl: "portal.qwen.ai",
+    });
+
+    const note = vi.fn(async () => {});
+    const result = await applyAuthChoiceLoadedPluginProvider({
+      authChoice: "qwen-portal",
+      config: {},
+      prompter: createWizardPrompter({ note }),
+      runtime: createExitThrowingRuntime(),
+      setDefaultModel: true,
+    });
+
+    expect(result?.config.agents?.defaults?.model).toEqual({
+      primary: "qwen-portal/coder-model",
+    });
+    expect(result?.config.auth?.profiles?.["qwen-portal:default"]).toMatchObject({
+      provider: "qwen-portal",
+      mode: "oauth",
+    });
+    expect(result?.config.models?.providers?.["qwen-portal"]).toMatchObject({
+      baseUrl: "https://portal.qwen.ai/v1",
+      models: [],
+    });
+    expect(note).toHaveBeenCalledWith(
+      "Default model set to qwen-portal/coder-model",
+      "Model configured",
+    );
+
+    const stored = await readAuthProfilesForAgent<{ profiles?: Record<string, StoredAuthProfile> }>(
+      requireOpenClawAgentDir(),
+    );
+    expect(stored.profiles?.["qwen-portal:default"]).toMatchObject({
+      type: "oauth",
+      provider: "qwen-portal",
+      access: "access-token",
+      refresh: "refresh-token",
+    });
+  });
+
+  it("returns provider agent overrides when default-model application is deferred", async () => {
+    await setupTempState();
+    const qwenProvider = requireProvider(registerProviders(qwenPortalPlugin), "qwen-portal");
+    resolvePluginProvidersMock.mockReturnValue([qwenProvider]);
+    resolveProviderPluginChoiceMock.mockReturnValue({
+      provider: qwenProvider,
+      method: qwenProvider.auth[0],
+    });
+    loginQwenPortalOAuthMock.mockResolvedValueOnce({
+      access: "access-token",
+      refresh: "refresh-token",
+      expires: 1_700_000_000_000,
+      resourceUrl: "portal.qwen.ai",
+    });
+
+    const result = await applyAuthChoiceLoadedPluginProvider({
+      authChoice: "qwen-portal",
+      config: {},
+      prompter: createWizardPrompter({}),
+      runtime: createExitThrowingRuntime(),
+      setDefaultModel: false,
+    });
+
+    expect(githubCopilotLoginCommandMock).not.toHaveBeenCalled();
+    expect(result).toEqual({
+      config: {
+        agents: {
+          defaults: {
+            models: {
+              "qwen-portal/coder-model": {
+                alias: "qwen",
+              },
+              "qwen-portal/vision-model": {},
+            },
+          },
+        },
+        auth: {
+          profiles: {
+            "qwen-portal:default": {
+              provider: "qwen-portal",
+              mode: "oauth",
+            },
+          },
+        },
+        models: {
+          providers: {
+            "qwen-portal": {
+              baseUrl: "https://portal.qwen.ai/v1",
+              models: [],
+            },
+          },
+        },
+      },
+      agentModelOverride: "qwen-portal/coder-model",
+    });
+
+    const stored = await readAuthProfilesForAgent<{
+      profiles?: Record<string, StoredAuthProfile>;
+    }>(requireOpenClawAgentDir());
+    expect(stored.profiles?.["qwen-portal:default"]).toMatchObject({
+      type: "oauth",
+      provider: "qwen-portal",
+      access: "access-token",
+      refresh: "refresh-token",
+    });
+  });
+});
diff --git a/src/plugins/contracts/auth.contract.test.ts b/src/plugins/contracts/auth.contract.test.ts
new file mode 100644
index 00000000000..cca85917c59
--- /dev/null
+++ b/src/plugins/contracts/auth.contract.test.ts
@@ -0,0 +1,275 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import {
+  clearRuntimeAuthProfileStoreSnapshots,
+  replaceRuntimeAuthProfileStoreSnapshots,
+} from "../../agents/auth-profiles/store.js";
+import { createNonExitingRuntime } from "../../runtime.js";
+import { createCapturedPluginRegistration } from "../../test-utils/plugin-registration.js";
+import type {
+  WizardMultiSelectParams,
+  WizardPrompter,
+  WizardProgress,
+  WizardSelectParams,
+} from "../../wizard/prompts.js";
+import type { OpenClawPluginApi, ProviderPlugin } from "../types.js";
+
+type LoginOpenAICodexOAuth =
+  (typeof import("../../commands/openai-codex-oauth.js"))["loginOpenAICodexOAuth"];
+type LoginQwenPortalOAuth =
+  (typeof import("../../../extensions/qwen-portal-auth/oauth.js"))["loginQwenPortalOAuth"];
+type GithubCopilotLoginCommand =
+  (typeof import("../../providers/github-copilot-auth.js"))["githubCopilotLoginCommand"];
+type CreateVpsAwareHandlers =
+  (typeof import("../../commands/oauth-flow.js"))["createVpsAwareOAuthHandlers"];
+
+const loginOpenAICodexOAuthMock = vi.hoisted(() => vi.fn<LoginOpenAICodexOAuth>());
+const loginQwenPortalOAuthMock = vi.hoisted(() => vi.fn<LoginQwenPortalOAuth>());
+const githubCopilotLoginCommandMock = vi.hoisted(() => vi.fn<GithubCopilotLoginCommand>());
+
+vi.mock("../../commands/openai-codex-oauth.js", () => ({
+  loginOpenAICodexOAuth: loginOpenAICodexOAuthMock,
+}));
+
+vi.mock("../../../extensions/qwen-portal-auth/oauth.js", () => ({
+  loginQwenPortalOAuth: loginQwenPortalOAuthMock,
+}));
+
+vi.mock("../../providers/github-copilot-auth.js", () => ({
+  githubCopilotLoginCommand: githubCopilotLoginCommandMock,
+}));
+
+const openAIPlugin = (await import("../../../extensions/openai/index.js")).default;
+const qwenPortalPlugin = (await import("../../../extensions/qwen-portal-auth/index.js")).default;
+const githubCopilotPlugin = (await import("../../../extensions/github-copilot/index.js")).default;
+
+function buildPrompter(): WizardPrompter {
+  const progress: WizardProgress = {
+    update() {},
+    stop() {},
+  };
+  return {
+    intro: async () => {},
+    outro: async () => {},
+    note: async () => {},
+    select: async <T>(params: WizardSelectParams<T>) => {
+      const option = params.options[0];
+      if (!option) {
+        throw new Error("missing select option");
+      }
+      return option.value;
+    },
+    multiselect: async <T>(params: WizardMultiSelectParams<T>) => params.initialValues ?? [],
+    text: async () => "",
+    confirm: async () => false,
+    progress: () => progress,
+  };
+}
+
+function buildAuthContext() {
+  return {
+    config: {},
+    prompter: buildPrompter(),
+    runtime: createNonExitingRuntime(),
+    isRemote: false,
+    openUrl: async () => {},
+    oauth: {
+      createVpsAwareHandlers: vi.fn<CreateVpsAwareHandlers>(),
+    },
+  };
+}
+
+function registerProviders(...plugins: Array<{ register(api: OpenClawPluginApi): void }>) {
+  const captured = createCapturedPluginRegistration();
+  for (const plugin of plugins) {
+    plugin.register(captured.api);
+  }
+  return captured.providers;
+}
+
+function requireProvider(providers: ProviderPlugin[], providerId: string) {
+  const provider = providers.find((entry) => entry.id === providerId);
+  if (!provider) {
+    throw new Error(`provider ${providerId} missing`);
+  }
+  return provider;
+}
+
+describe("provider auth contract", () => {
+  afterEach(() => {
+    loginOpenAICodexOAuthMock.mockReset();
+    loginQwenPortalOAuthMock.mockReset();
+    githubCopilotLoginCommandMock.mockReset();
+    clearRuntimeAuthProfileStoreSnapshots();
+  });
+
+  it("keeps OpenAI Codex OAuth auth results provider-owned", async () => {
+    const provider = requireProvider(registerProviders(openAIPlugin), "openai-codex");
+    loginOpenAICodexOAuthMock.mockResolvedValueOnce({
+      email: "user@example.com",
+      refresh: "refresh-token",
+      access: "access-token",
+      expires: 1_700_000_000_000,
+    });
+
+    const result = await provider.auth[0]?.run(buildAuthContext() as never);
+
+    expect(result).toEqual({
+      profiles: [
+        {
+          profileId: "openai-codex:user@example.com",
+          credential: {
+            type: "oauth",
+            provider: "openai-codex",
+            access: "access-token",
+            refresh: "refresh-token",
+            expires: 1_700_000_000_000,
+            email: "user@example.com",
+          },
+        },
+      ],
+      configPatch: {
+        agents: {
+          defaults: {
+            models: {
+              "openai-codex/gpt-5.4": {},
+            },
+          },
+        },
+      },
+      defaultModel: "openai-codex/gpt-5.4",
+      notes: undefined,
+    });
+  });
+
+  it("keeps OpenAI Codex OAuth failures non-fatal at the provider layer", async () => {
+    const provider = requireProvider(registerProviders(openAIPlugin), "openai-codex");
+    loginOpenAICodexOAuthMock.mockRejectedValueOnce(new Error("oauth failed"));
+
+    await expect(provider.auth[0]?.run(buildAuthContext() as never)).resolves.toEqual({
+      profiles: [],
+    });
+  });
+
+  it("keeps Qwen portal OAuth auth results provider-owned", async () => {
+    const provider = requireProvider(registerProviders(qwenPortalPlugin), "qwen-portal");
+    loginQwenPortalOAuthMock.mockResolvedValueOnce({
+      access: "access-token",
+      refresh: "refresh-token",
+      expires: 1_700_000_000_000,
+      resourceUrl: "portal.qwen.ai",
+    });
+
+    const result = await provider.auth[0]?.run(buildAuthContext() as never);
+
+    expect(result).toMatchObject({
+      profiles: [
+        {
+          profileId: "qwen-portal:default",
+          credential: {
+            type: "oauth",
+            provider: "qwen-portal",
+            access: "access-token",
+            refresh: "refresh-token",
+            expires: 1_700_000_000_000,
+          },
+        },
+      ],
+      defaultModel: "qwen-portal/coder-model",
+      configPatch: {
+        models: {
+          providers: {
+            "qwen-portal": {
+              baseUrl: "https://portal.qwen.ai/v1",
+              models: [],
+            },
+          },
+        },
+      },
+    });
+    expect(result?.notes).toEqual(
+      expect.arrayContaining([
+        expect.stringContaining("auto-refresh"),
+        expect.stringContaining("Base URL defaults"),
+      ]),
+    );
+  });
+
+  it("keeps GitHub Copilot device auth results provider-owned", async () => {
+    const provider = requireProvider(registerProviders(githubCopilotPlugin), "github-copilot");
+    replaceRuntimeAuthProfileStoreSnapshots([
+      {
+        store: {
+          version: 1,
+          profiles: {
+            "github-copilot:github": {
+              type: "token",
+              provider: "github-copilot",
+              token: "github-device-token",
+            },
+          },
+        },
+      },
+    ]);
+
+    const stdin = process.stdin as NodeJS.ReadStream & { isTTY?: boolean };
+    const hadOwnIsTTY = Object.prototype.hasOwnProperty.call(stdin, "isTTY");
+    const previousIsTTYDescriptor = Object.getOwnPropertyDescriptor(stdin, "isTTY");
+    Object.defineProperty(stdin, "isTTY", {
+      configurable: true,
+      enumerable: true,
+      get: () => true,
+    });
+
+    try {
+      const result = await provider.auth[0]?.run(buildAuthContext() as never);
+      expect(githubCopilotLoginCommandMock).toHaveBeenCalledWith(
+        { yes: true, profileId: "github-copilot:github" },
+        expect.any(Object),
+      );
+      expect(result).toEqual({
+        profiles: [
+          {
+            profileId: "github-copilot:github",
+            credential: {
+              type: "token",
+              provider: "github-copilot",
+              token: "github-device-token",
+            },
+          },
+        ],
+        defaultModel: "github-copilot/gpt-4o",
+      });
+    } finally {
+      if (previousIsTTYDescriptor) {
+        Object.defineProperty(stdin, "isTTY", previousIsTTYDescriptor);
+      } else if (!hadOwnIsTTY) {
+        delete (stdin as { isTTY?: boolean }).isTTY;
+      }
+    }
+  });
+
+  it("keeps GitHub Copilot auth gated on interactive TTYs", async () => {
+    const provider = requireProvider(registerProviders(githubCopilotPlugin), "github-copilot");
+    const stdin = process.stdin as NodeJS.ReadStream & { isTTY?: boolean };
+    const hadOwnIsTTY = Object.prototype.hasOwnProperty.call(stdin, "isTTY");
+    const previousIsTTYDescriptor = Object.getOwnPropertyDescriptor(stdin, "isTTY");
+    Object.defineProperty(stdin, "isTTY", {
+      configurable: true,
+      enumerable: true,
+      get: () => false,
+    });
+
+    try {
+      await expect(provider.auth[0]?.run(buildAuthContext() as never)).resolves.toEqual({
+        profiles: [],
+      });
+      expect(githubCopilotLoginCommandMock).not.toHaveBeenCalled();
+    } finally {
+      if (previousIsTTYDescriptor) {
+        Object.defineProperty(stdin, "isTTY", previousIsTTYDescriptor);
+      } else if (!hadOwnIsTTY) {
+        delete (stdin as { isTTY?: boolean }).isTTY;
+      }
+    }
+  });
+});
diff --git a/src/plugins/contracts/catalog.contract.test.ts b/src/plugins/contracts/catalog.contract.test.ts
new file mode 100644
index 00000000000..306162b2dcf
--- /dev/null
+++ b/src/plugins/contracts/catalog.contract.test.ts
@@ -0,0 +1,63 @@
+import { describe, expect, it } from "vitest";
+import {
+  augmentModelCatalogWithProviderPlugins,
+  buildProviderMissingAuthMessageWithPlugin,
+  resolveProviderBuiltInModelSuppression,
+} from "../provider-runtime.js";
+
+describe("provider catalog contract", () => {
+  it("keeps codex-only missing-auth hints wired through the provider runtime", () => {
+    expect(
+      buildProviderMissingAuthMessageWithPlugin({
+        provider: "openai",
+        env: process.env,
+        context: {
+          env: process.env,
+          provider: "openai",
+          listProfileIds: (providerId) => (providerId === "openai-codex" ? ["p1"] : []),
+        },
+      }),
+    ).toContain("openai-codex/gpt-5.4");
+  });
+
+  it("keeps built-in model suppression wired through the provider runtime", () => {
+    expect(
+      resolveProviderBuiltInModelSuppression({
+        env: process.env,
+        context: {
+          env: process.env,
+          provider: "azure-openai-responses",
+          modelId: "gpt-5.3-codex-spark",
+        },
+      }),
+    ).toMatchObject({
+      suppress: true,
+      errorMessage: expect.stringContaining("openai-codex/gpt-5.3-codex-spark"),
+    });
+  });
+
+  it("keeps bundled model augmentation wired through the provider runtime", async () => {
+    await expect(
+      augmentModelCatalogWithProviderPlugins({
+        env: process.env,
+        context: {
+          env: process.env,
+          entries: [
+            { provider: "openai", id: "gpt-5.2", name: "GPT-5.2" },
+            { provider: "openai", id: "gpt-5.2-pro", name: "GPT-5.2 Pro" },
+            { provider: "openai-codex", id: "gpt-5.3-codex", name: "GPT-5.3 Codex" },
+          ],
+        },
+      }),
+    ).resolves.toEqual([
+      { provider: "openai", id: "gpt-5.4", name: "gpt-5.4" },
+      { provider: "openai", id: "gpt-5.4-pro", name: "gpt-5.4-pro" },
+      { provider: "openai-codex", id: "gpt-5.4", name: "gpt-5.4" },
+      {
+        provider: "openai-codex",
+        id: "gpt-5.3-codex-spark",
+        name: "gpt-5.3-codex-spark",
+      },
+    ]);
+  });
+});
diff --git a/src/plugins/contracts/discovery.contract.test.ts b/src/plugins/contracts/discovery.contract.test.ts
new file mode 100644
index 00000000000..9ca5f1184e6
--- /dev/null
+++ b/src/plugins/contracts/discovery.contract.test.ts
@@ -0,0 +1,537 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import {
+  clearRuntimeAuthProfileStoreSnapshots,
+  replaceRuntimeAuthProfileStoreSnapshots,
+} from "../../agents/auth-profiles/store.js";
+import { QWEN_OAUTH_MARKER } from "../../agents/model-auth-markers.js";
+import type { ModelDefinitionConfig } from "../../config/types.models.js";
+import { createCapturedPluginRegistration } from "../../test-utils/plugin-registration.js";
+import { runProviderCatalog } from "../provider-discovery.js";
+import type { OpenClawPluginApi, ProviderPlugin } from "../types.js";
+
+const resolveCopilotApiTokenMock = vi.hoisted(() => vi.fn());
+const buildOllamaProviderMock = vi.hoisted(() => vi.fn());
+const buildVllmProviderMock = vi.hoisted(() => vi.fn());
+const buildSglangProviderMock = vi.hoisted(() => vi.fn());
+
+vi.mock("../../../extensions/github-copilot/token.js", async () => {
+  const actual = await vi.importActual<object>("../../../extensions/github-copilot/token.js");
+  return {
+    ...actual,
+    resolveCopilotApiToken: resolveCopilotApiTokenMock,
+  };
+});
+
+vi.mock("openclaw/plugin-sdk/core", async () => {
+  const actual = await vi.importActual<object>("openclaw/plugin-sdk/core");
+  return {
+    ...actual,
+    buildOllamaProvider: (...args: unknown[]) => buildOllamaProviderMock(...args),
+    buildVllmProvider: (...args: unknown[]) => buildVllmProviderMock(...args),
+    buildSglangProvider: (...args: unknown[]) => buildSglangProviderMock(...args),
+  };
+});
+
+const qwenPortalPlugin = (await import("../../../extensions/qwen-portal-auth/index.js")).default;
+const githubCopilotPlugin = (await import("../../../extensions/github-copilot/index.js")).default;
+const ollamaPlugin = (await import("../../../extensions/ollama/index.js")).default;
+const vllmPlugin = (await import("../../../extensions/vllm/index.js")).default;
+const sglangPlugin = (await import("../../../extensions/sglang/index.js")).default;
+const minimaxPlugin = (await import("../../../extensions/minimax/index.js")).default;
+const modelStudioPlugin = (await import("../../../extensions/modelstudio/index.js")).default;
+const cloudflareAiGatewayPlugin = (
+  await import("../../../extensions/cloudflare-ai-gateway/index.js")
+).default;
+
+function registerProviders(...plugins: Array<{ register(api: OpenClawPluginApi): void }>) {
+  const captured = createCapturedPluginRegistration();
+  for (const plugin of plugins) {
+    plugin.register(captured.api);
+  }
+  return captured.providers;
+}
+
+function requireProvider(providers: ProviderPlugin[], providerId: string) {
+  const provider = providers.find((entry) => entry.id === providerId);
+  if (!provider) {
+    throw new Error(`provider ${providerId} missing`);
+  }
+  return provider;
+}
+
+function createModelConfig(id: string, name = id): ModelDefinitionConfig {
+  return {
+    id,
+    name,
+    reasoning: false,
+    input: ["text"],
+    cost: {
+      input: 0,
+      output: 0,
+      cacheRead: 0,
+      cacheWrite: 0,
+    },
+    contextWindow: 128_000,
+    maxTokens: 8_192,
+  };
+}
+describe("provider discovery contract", () => {
+  afterEach(() => {
+    resolveCopilotApiTokenMock.mockReset();
+    buildOllamaProviderMock.mockReset();
+    buildVllmProviderMock.mockReset();
+    buildSglangProviderMock.mockReset();
+    clearRuntimeAuthProfileStoreSnapshots();
+  });
+
+  it("keeps qwen portal oauth marker fallback provider-owned", async () => {
+    const provider = requireProvider(registerProviders(qwenPortalPlugin), "qwen-portal");
+    replaceRuntimeAuthProfileStoreSnapshots([
+      {
+        store: {
+          version: 1,
+          profiles: {
+            "qwen-portal:default": {
+              type: "oauth",
+              provider: "qwen-portal",
+              access: "access-token",
+              refresh: "refresh-token",
+              expires: Date.now() + 60_000,
+            },
+          },
+        },
+      },
+    ]);
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toEqual({
+      provider: {
+        baseUrl: "https://portal.qwen.ai/v1",
+        apiKey: QWEN_OAUTH_MARKER,
+        api: "openai-completions",
+        models: [
+          expect.objectContaining({ id: "coder-model", name: "Qwen Coder" }),
+          expect.objectContaining({ id: "vision-model", name: "Qwen Vision" }),
+        ],
+      },
+    });
+  });
+
+  it("keeps qwen portal env api keys higher priority than oauth markers", async () => {
+    const provider = requireProvider(registerProviders(qwenPortalPlugin), "qwen-portal");
+    replaceRuntimeAuthProfileStoreSnapshots([
+      {
+        store: {
+          version: 1,
+          profiles: {
+            "qwen-portal:default": {
+              type: "oauth",
+              provider: "qwen-portal",
+              access: "access-token",
+              refresh: "refresh-token",
+              expires: Date.now() + 60_000,
+            },
+          },
+        },
+      },
+    ]);
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: { QWEN_PORTAL_API_KEY: "env-key" } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: "env-key" }),
+      }),
+    ).resolves.toMatchObject({
+      provider: {
+        apiKey: "env-key",
+      },
+    });
+  });
+
+  it("keeps GitHub Copilot catalog disabled without env tokens or profiles", async () => {
+    const provider = requireProvider(registerProviders(githubCopilotPlugin), "github-copilot");
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toBeNull();
+  });
+
+  it("keeps GitHub Copilot profile-only catalog fallback provider-owned", async () => {
+    const provider = requireProvider(registerProviders(githubCopilotPlugin), "github-copilot");
+    replaceRuntimeAuthProfileStoreSnapshots([
+      {
+        store: {
+          version: 1,
+          profiles: {
+            "github-copilot:github": {
+              type: "token",
+              provider: "github-copilot",
+              token: "profile-token",
+            },
+          },
+        },
+      },
+    ]);
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toEqual({
+      provider: {
+        baseUrl: "https://api.individual.githubcopilot.com",
+        models: [],
+      },
+    });
+  });
+
+  it("keeps GitHub Copilot env-token base URL resolution provider-owned", async () => {
+    const provider = requireProvider(registerProviders(githubCopilotPlugin), "github-copilot");
+    resolveCopilotApiTokenMock.mockResolvedValueOnce({
+      token: "copilot-api-token",
+      baseUrl: "https://copilot-proxy.example.com",
+      expiresAt: Date.now() + 60_000,
+    });
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {
+          GITHUB_TOKEN: "github-env-token",
+        } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toEqual({
+      provider: {
+        baseUrl: "https://copilot-proxy.example.com",
+        models: [],
+      },
+    });
+    expect(resolveCopilotApiTokenMock).toHaveBeenCalledWith({
+      githubToken: "github-env-token",
+      env: expect.objectContaining({
+        GITHUB_TOKEN: "github-env-token",
+      }),
+    });
+  });
+
+  it("keeps Ollama explicit catalog normalization provider-owned", async () => {
+    const provider = requireProvider(registerProviders(ollamaPlugin), "ollama");
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {
+          models: {
+            providers: {
+              ollama: {
+                baseUrl: "http://ollama-host:11434/v1/",
+                models: [createModelConfig("llama3.2")],
+              },
+            },
+          },
+        },
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toMatchObject({
+      provider: {
+        baseUrl: "http://ollama-host:11434",
+        api: "ollama",
+        apiKey: "ollama-local",
+        models: [createModelConfig("llama3.2")],
+      },
+    });
+    expect(buildOllamaProviderMock).not.toHaveBeenCalled();
+  });
+
+  it("keeps Ollama empty autodiscovery disabled without keys or explicit config", async () => {
+    const provider = requireProvider(registerProviders(ollamaPlugin), "ollama");
+    buildOllamaProviderMock.mockResolvedValueOnce({
+      baseUrl: "http://127.0.0.1:11434",
+      api: "ollama",
+      models: [],
+    });
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toBeNull();
+    expect(buildOllamaProviderMock).toHaveBeenCalledWith(undefined, { quiet: true });
+  });
+
+  it("keeps vLLM self-hosted discovery provider-owned", async () => {
+    const provider = requireProvider(registerProviders(vllmPlugin), "vllm");
+    buildVllmProviderMock.mockResolvedValueOnce({
+      baseUrl: "http://127.0.0.1:8000/v1",
+      api: "openai-completions",
+      models: [{ id: "meta-llama/Meta-Llama-3-8B-Instruct", name: "Meta Llama 3" }],
+    });
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {
+          VLLM_API_KEY: "env-vllm-key",
+        } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({
+          apiKey: "VLLM_API_KEY",
+          discoveryApiKey: "env-vllm-key",
+        }),
+      }),
+    ).resolves.toEqual({
+      provider: {
+        baseUrl: "http://127.0.0.1:8000/v1",
+        api: "openai-completions",
+        apiKey: "VLLM_API_KEY",
+        models: [{ id: "meta-llama/Meta-Llama-3-8B-Instruct", name: "Meta Llama 3" }],
+      },
+    });
+    expect(buildVllmProviderMock).toHaveBeenCalledWith({
+      apiKey: "env-vllm-key",
+    });
+  });
+
+  it("keeps SGLang self-hosted discovery provider-owned", async () => {
+    const provider = requireProvider(registerProviders(sglangPlugin), "sglang");
+    buildSglangProviderMock.mockResolvedValueOnce({
+      baseUrl: "http://127.0.0.1:30000/v1",
+      api: "openai-completions",
+      models: [{ id: "Qwen/Qwen3-8B", name: "Qwen3-8B" }],
+    });
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {
+          SGLANG_API_KEY: "env-sglang-key",
+        } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({
+          apiKey: "SGLANG_API_KEY",
+          discoveryApiKey: "env-sglang-key",
+        }),
+      }),
+    ).resolves.toEqual({
+      provider: {
+        baseUrl: "http://127.0.0.1:30000/v1",
+        api: "openai-completions",
+        apiKey: "SGLANG_API_KEY",
+        models: [{ id: "Qwen/Qwen3-8B", name: "Qwen3-8B" }],
+      },
+    });
+    expect(buildSglangProviderMock).toHaveBeenCalledWith({
+      apiKey: "env-sglang-key",
+    });
+  });
+
+  it("keeps MiniMax API catalog provider-owned", async () => {
+    const provider = requireProvider(registerProviders(minimaxPlugin), "minimax");
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {
+          MINIMAX_API_KEY: "minimax-key",
+        } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: "minimax-key" }),
+      }),
+    ).resolves.toMatchObject({
+      provider: {
+        baseUrl: "https://api.minimax.io/anthropic",
+        api: "anthropic-messages",
+        authHeader: true,
+        apiKey: "minimax-key",
+        models: expect.arrayContaining([
+          expect.objectContaining({ id: "MiniMax-M2.5" }),
+          expect.objectContaining({ id: "MiniMax-VL-01" }),
+        ]),
+      },
+    });
+  });
+
+  it("keeps MiniMax portal oauth marker fallback provider-owned", async () => {
+    const provider = requireProvider(registerProviders(minimaxPlugin), "minimax-portal");
+    replaceRuntimeAuthProfileStoreSnapshots([
+      {
+        store: {
+          version: 1,
+          profiles: {
+            "minimax-portal:default": {
+              type: "oauth",
+              provider: "minimax-portal",
+              access: "access-token",
+              refresh: "refresh-token",
+              expires: Date.now() + 60_000,
+            },
+          },
+        },
+      },
+    ]);
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toMatchObject({
+      provider: {
+        baseUrl: "https://api.minimax.io/anthropic",
+        api: "anthropic-messages",
+        authHeader: true,
+        apiKey: "minimax-oauth",
+        models: expect.arrayContaining([expect.objectContaining({ id: "MiniMax-M2.5" })]),
+      },
+    });
+  });
+
+  it("keeps MiniMax portal explicit base URL override provider-owned", async () => {
+    const provider = requireProvider(registerProviders(minimaxPlugin), "minimax-portal");
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {
+          models: {
+            providers: {
+              "minimax-portal": {
+                baseUrl: "https://portal-proxy.example.com/anthropic",
+                apiKey: "explicit-key",
+                models: [],
+              },
+            },
+          },
+        },
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toMatchObject({
+      provider: {
+        baseUrl: "https://portal-proxy.example.com/anthropic",
+        apiKey: "explicit-key",
+      },
+    });
+  });
+
+  it("keeps Model Studio catalog provider-owned", async () => {
+    const provider = requireProvider(registerProviders(modelStudioPlugin), "modelstudio");
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {
+          models: {
+            providers: {
+              modelstudio: {
+                baseUrl: "https://coding.dashscope.aliyuncs.com/v1",
+                models: [],
+              },
+            },
+          },
+        },
+        env: {
+          MODELSTUDIO_API_KEY: "modelstudio-key",
+        } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: "modelstudio-key" }),
+      }),
+    ).resolves.toMatchObject({
+      provider: {
+        baseUrl: "https://coding.dashscope.aliyuncs.com/v1",
+        api: "openai-completions",
+        apiKey: "modelstudio-key",
+        models: expect.arrayContaining([
+          expect.objectContaining({ id: "qwen3.5-plus" }),
+          expect.objectContaining({ id: "MiniMax-M2.5" }),
+        ]),
+      },
+    });
+  });
+
+  it("keeps Cloudflare AI Gateway catalog disabled without stored metadata", async () => {
+    const provider = requireProvider(
+      registerProviders(cloudflareAiGatewayPlugin),
+      "cloudflare-ai-gateway",
+    );
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toBeNull();
+  });
+
+  it("keeps Cloudflare AI Gateway env-managed catalog provider-owned", async () => {
+    const provider = requireProvider(
+      registerProviders(cloudflareAiGatewayPlugin),
+      "cloudflare-ai-gateway",
+    );
+    replaceRuntimeAuthProfileStoreSnapshots([
+      {
+        store: {
+          version: 1,
+          profiles: {
+            "cloudflare-ai-gateway:default": {
+              type: "api_key",
+              provider: "cloudflare-ai-gateway",
+              keyRef: {
+                source: "env",
+                provider: "default",
+                id: "CLOUDFLARE_AI_GATEWAY_API_KEY",
+              },
+              metadata: {
+                accountId: "acc-123",
+                gatewayId: "gw-456",
+              },
+            },
+          },
+        },
+      },
+    ]);
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {
+          CLOUDFLARE_AI_GATEWAY_API_KEY: "secret-value",
+        } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toEqual({
+      provider: {
+        baseUrl: "https://gateway.ai.cloudflare.com/v1/acc-123/gw-456/anthropic",
+        api: "anthropic-messages",
+        apiKey: "CLOUDFLARE_AI_GATEWAY_API_KEY",
+        models: [expect.objectContaining({ id: "claude-sonnet-4-5" })],
+      },
+    });
+  });
+});
diff --git a/src/plugins/contracts/loader.contract.test.ts b/src/plugins/contracts/loader.contract.test.ts
new file mode 100644
index 00000000000..a1f82f56fda
--- /dev/null
+++ b/src/plugins/contracts/loader.contract.test.ts
@@ -0,0 +1,114 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { providerContractRegistry, webSearchProviderContractRegistry } from "./registry.js";
+
+const loadOpenClawPluginsMock = vi.fn();
+
+vi.mock("../loader.js", () => ({
+  loadOpenClawPlugins: (...args: unknown[]) => loadOpenClawPluginsMock(...args),
+}));
+
+const { resolvePluginProviders } = await import("../providers.js");
+const { resolvePluginWebSearchProviders } = await import("../web-search-providers.js");
+
+function uniqueSortedPluginIds(values: string[]) {
+  return [...new Set(values)].toSorted((left, right) => left.localeCompare(right));
+}
+
+describe("plugin loader contract", () => {
+  beforeEach(() => {
+    loadOpenClawPluginsMock.mockReset();
+    loadOpenClawPluginsMock.mockReturnValue({
+      providers: [],
+      webSearchProviders: [],
+    });
+  });
+
+  it("keeps bundled provider compatibility wired to the provider registry", () => {
+    const providerPluginIds = uniqueSortedPluginIds(
+      providerContractRegistry.map((entry) => entry.pluginId),
+    );
+
+    resolvePluginProviders({
+      bundledProviderAllowlistCompat: true,
+      config: {
+        plugins: {
+          allow: ["openrouter"],
+        },
+      },
+    });
+
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        config: expect.objectContaining({
+          plugins: expect.objectContaining({
+            allow: expect.arrayContaining(providerPluginIds),
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("keeps vitest bundled provider enablement wired to the provider registry", () => {
+    const providerPluginIds = uniqueSortedPluginIds(
+      providerContractRegistry.map((entry) => entry.pluginId),
+    );
+
+    resolvePluginProviders({
+      bundledProviderVitestCompat: true,
+      env: { VITEST: "1" } as NodeJS.ProcessEnv,
+    });
+
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        config: expect.objectContaining({
+          plugins: expect.objectContaining({
+            enabled: true,
+            allow: expect.arrayContaining(providerPluginIds),
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("keeps bundled web search loading scoped to the web search registry", () => {
+    const webSearchPluginIds = uniqueSortedPluginIds(
+      webSearchProviderContractRegistry.map((entry) => entry.pluginId),
+    );
+
+    resolvePluginWebSearchProviders({});
+
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        onlyPluginIds: webSearchPluginIds,
+        activate: false,
+        cache: false,
+      }),
+    );
+  });
+
+  it("keeps bundled web search allowlist compatibility wired to the web search registry", () => {
+    const webSearchPluginIds = uniqueSortedPluginIds(
+      webSearchProviderContractRegistry.map((entry) => entry.pluginId),
+    );
+
+    resolvePluginWebSearchProviders({
+      bundledAllowlistCompat: true,
+      config: {
+        plugins: {
+          allow: ["openrouter"],
+        },
+      },
+    });
+
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        config: expect.objectContaining({
+          plugins: expect.objectContaining({
+            allow: expect.arrayContaining(webSearchPluginIds),
+          }),
+        }),
+        onlyPluginIds: webSearchPluginIds,
+      }),
+    );
+  });
+});
diff --git a/src/plugins/contracts/provider.contract.test.ts b/src/plugins/contracts/provider.contract.test.ts
new file mode 100644
index 00000000000..9ff8f7458d3
--- /dev/null
+++ b/src/plugins/contracts/provider.contract.test.ts
@@ -0,0 +1,11 @@
+import { describe } from "vitest";
+import { providerContractRegistry } from "./registry.js";
+import { installProviderPluginContractSuite } from "./suites.js";
+
+for (const entry of providerContractRegistry) {
+  describe(`${entry.pluginId}:${entry.provider.id} provider contract`, () => {
+    installProviderPluginContractSuite({
+      provider: entry.provider,
+    });
+  });
+}
diff --git a/src/plugins/contracts/registry.contract.test.ts b/src/plugins/contracts/registry.contract.test.ts
new file mode 100644
index 00000000000..2bf113fe76d
--- /dev/null
+++ b/src/plugins/contracts/registry.contract.test.ts
@@ -0,0 +1,65 @@
+import { describe, expect, it } from "vitest";
+import {
+  pluginRegistrationContractRegistry,
+  providerContractRegistry,
+  webSearchProviderContractRegistry,
+} from "./registry.js";
+
+function findProviderIdsForPlugin(pluginId: string) {
+  return providerContractRegistry
+    .filter((entry) => entry.pluginId === pluginId)
+    .map((entry) => entry.provider.id)
+    .toSorted((left, right) => left.localeCompare(right));
+}
+
+function findWebSearchIdsForPlugin(pluginId: string) {
+  return webSearchProviderContractRegistry
+    .filter((entry) => entry.pluginId === pluginId)
+    .map((entry) => entry.provider.id)
+    .toSorted((left, right) => left.localeCompare(right));
+}
+
+function findRegistrationForPlugin(pluginId: string) {
+  const entry = pluginRegistrationContractRegistry.find(
+    (candidate) => candidate.pluginId === pluginId,
+  );
+  if (!entry) {
+    throw new Error(`plugin registration contract missing for ${pluginId}`);
+  }
+  return entry;
+}
+
+describe("plugin contract registry", () => {
+  it("does not duplicate bundled provider ids", () => {
+    const ids = providerContractRegistry.map((entry) => entry.provider.id);
+    expect(ids).toEqual([...new Set(ids)]);
+  });
+
+  it("does not duplicate bundled web search provider ids", () => {
+    const ids = webSearchProviderContractRegistry.map((entry) => entry.provider.id);
+    expect(ids).toEqual([...new Set(ids)]);
+  });
+
+  it("keeps multi-provider plugin ownership explicit", () => {
+    expect(findProviderIdsForPlugin("google")).toEqual(["google", "google-gemini-cli"]);
+    expect(findProviderIdsForPlugin("minimax")).toEqual(["minimax", "minimax-portal"]);
+    expect(findProviderIdsForPlugin("openai")).toEqual(["openai", "openai-codex"]);
+  });
+
+  it("keeps bundled web search ownership explicit", () => {
+    expect(findWebSearchIdsForPlugin("brave")).toEqual(["brave"]);
+    expect(findWebSearchIdsForPlugin("firecrawl")).toEqual(["firecrawl"]);
+    expect(findWebSearchIdsForPlugin("google")).toEqual(["gemini"]);
+    expect(findWebSearchIdsForPlugin("moonshot")).toEqual(["kimi"]);
+    expect(findWebSearchIdsForPlugin("perplexity")).toEqual(["perplexity"]);
+    expect(findWebSearchIdsForPlugin("xai")).toEqual(["grok"]);
+  });
+
+  it("keeps bundled provider and web search tool ownership explicit", () => {
+    expect(findRegistrationForPlugin("firecrawl")).toMatchObject({
+      providerIds: [],
+      webSearchProviderIds: ["firecrawl"],
+      toolNames: ["firecrawl_search", "firecrawl_scrape"],
+    });
+  });
+});
diff --git a/src/plugins/contracts/registry.ts b/src/plugins/contracts/registry.ts
new file mode 100644
index 00000000000..8099ce4ca44
--- /dev/null
+++ b/src/plugins/contracts/registry.ts
@@ -0,0 +1,145 @@
+import anthropicPlugin from "../../../extensions/anthropic/index.js";
+import bravePlugin from "../../../extensions/brave/index.js";
+import byteplusPlugin from "../../../extensions/byteplus/index.js";
+import cloudflareAiGatewayPlugin from "../../../extensions/cloudflare-ai-gateway/index.js";
+import copilotProxyPlugin from "../../../extensions/copilot-proxy/index.js";
+import firecrawlPlugin from "../../../extensions/firecrawl/index.js";
+import githubCopilotPlugin from "../../../extensions/github-copilot/index.js";
+import googlePlugin from "../../../extensions/google/index.js";
+import huggingFacePlugin from "../../../extensions/huggingface/index.js";
+import kilocodePlugin from "../../../extensions/kilocode/index.js";
+import kimiCodingPlugin from "../../../extensions/kimi-coding/index.js";
+import minimaxPlugin from "../../../extensions/minimax/index.js";
+import mistralPlugin from "../../../extensions/mistral/index.js";
+import modelStudioPlugin from "../../../extensions/modelstudio/index.js";
+import moonshotPlugin from "../../../extensions/moonshot/index.js";
+import nvidiaPlugin from "../../../extensions/nvidia/index.js";
+import ollamaPlugin from "../../../extensions/ollama/index.js";
+import openAIPlugin from "../../../extensions/openai/index.js";
+import opencodeGoPlugin from "../../../extensions/opencode-go/index.js";
+import opencodePlugin from "../../../extensions/opencode/index.js";
+import openRouterPlugin from "../../../extensions/openrouter/index.js";
+import perplexityPlugin from "../../../extensions/perplexity/index.js";
+import qianfanPlugin from "../../../extensions/qianfan/index.js";
+import qwenPortalPlugin from "../../../extensions/qwen-portal-auth/index.js";
+import sglangPlugin from "../../../extensions/sglang/index.js";
+import syntheticPlugin from "../../../extensions/synthetic/index.js";
+import togetherPlugin from "../../../extensions/together/index.js";
+import venicePlugin from "../../../extensions/venice/index.js";
+import vercelAiGatewayPlugin from "../../../extensions/vercel-ai-gateway/index.js";
+import vllmPlugin from "../../../extensions/vllm/index.js";
+import volcenginePlugin from "../../../extensions/volcengine/index.js";
+import xaiPlugin from "../../../extensions/xai/index.js";
+import xiaomiPlugin from "../../../extensions/xiaomi/index.js";
+import zaiPlugin from "../../../extensions/zai/index.js";
+import { createCapturedPluginRegistration } from "../../test-utils/plugin-registration.js";
+import type { ProviderPlugin, WebSearchProviderPlugin } from "../types.js";
+
+type RegistrablePlugin = {
+  id: string;
+  register: (api: ReturnType<typeof createCapturedPluginRegistration>["api"]) => void;
+};
+
+type ProviderContractEntry = {
+  pluginId: string;
+  provider: ProviderPlugin;
+};
+
+type WebSearchProviderContractEntry = {
+  pluginId: string;
+  provider: WebSearchProviderPlugin;
+  credentialValue: unknown;
+};
+
+type PluginRegistrationContractEntry = {
+  pluginId: string;
+  providerIds: string[];
+  webSearchProviderIds: string[];
+  toolNames: string[];
+};
+
+const bundledProviderPlugins: RegistrablePlugin[] = [
+  anthropicPlugin,
+  byteplusPlugin,
+  cloudflareAiGatewayPlugin,
+  copilotProxyPlugin,
+  githubCopilotPlugin,
+  googlePlugin,
+  huggingFacePlugin,
+  kilocodePlugin,
+  kimiCodingPlugin,
+  minimaxPlugin,
+  mistralPlugin,
+  modelStudioPlugin,
+  moonshotPlugin,
+  nvidiaPlugin,
+  ollamaPlugin,
+  opencodeGoPlugin,
+  opencodePlugin,
+  openAIPlugin,
+  openRouterPlugin,
+  qianfanPlugin,
+  qwenPortalPlugin,
+  sglangPlugin,
+  syntheticPlugin,
+  togetherPlugin,
+  venicePlugin,
+  vercelAiGatewayPlugin,
+  vllmPlugin,
+  volcenginePlugin,
+  xaiPlugin,
+  xiaomiPlugin,
+  zaiPlugin,
+];
+
+const bundledWebSearchPlugins: Array<RegistrablePlugin & { credentialValue: unknown }> = [
+  { ...bravePlugin, credentialValue: "BSA-test" },
+  { ...firecrawlPlugin, credentialValue: "fc-test" },
+  { ...googlePlugin, credentialValue: "AIza-test" },
+  { ...moonshotPlugin, credentialValue: "sk-test" },
+  { ...perplexityPlugin, credentialValue: "pplx-test" },
+  { ...xaiPlugin, credentialValue: "xai-test" },
+];
+
+function captureRegistrations(plugin: RegistrablePlugin) {
+  const captured = createCapturedPluginRegistration();
+  plugin.register(captured.api);
+  return captured;
+}
+
+export const providerContractRegistry: ProviderContractEntry[] = bundledProviderPlugins.flatMap(
+  (plugin) => {
+    const captured = captureRegistrations(plugin);
+    return captured.providers.map((provider) => ({
+      pluginId: plugin.id,
+      provider,
+    }));
+  },
+);
+
+export const webSearchProviderContractRegistry: WebSearchProviderContractEntry[] =
+  bundledWebSearchPlugins.flatMap((plugin) => {
+    const captured = captureRegistrations(plugin);
+    return captured.webSearchProviders.map((provider) => ({
+      pluginId: plugin.id,
+      provider,
+      credentialValue: plugin.credentialValue,
+    }));
+  });
+
+const bundledPluginRegistrationList = [
+  ...new Map(
+    [...bundledProviderPlugins, ...bundledWebSearchPlugins].map((plugin) => [plugin.id, plugin]),
+  ).values(),
+];
+
+export const pluginRegistrationContractRegistry: PluginRegistrationContractEntry[] =
+  bundledPluginRegistrationList.map((plugin) => {
+    const captured = captureRegistrations(plugin);
+    return {
+      pluginId: plugin.id,
+      providerIds: captured.providers.map((provider) => provider.id),
+      webSearchProviderIds: captured.webSearchProviders.map((provider) => provider.id),
+      toolNames: captured.tools.map((tool) => tool.name),
+    };
+  });
diff --git a/src/plugins/contracts/runtime.contract.test.ts b/src/plugins/contracts/runtime.contract.test.ts
new file mode 100644
index 00000000000..ee8503d88bf
--- /dev/null
+++ b/src/plugins/contracts/runtime.contract.test.ts
@@ -0,0 +1,567 @@
+import { describe, expect, it, vi } from "vitest";
+import { createProviderUsageFetch, makeResponse } from "../../test-utils/provider-usage-fetch.js";
+import type { ProviderRuntimeModel } from "../types.js";
+
+const getOAuthApiKeyMock = vi.hoisted(() => vi.fn());
+const refreshQwenPortalCredentialsMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@mariozechner/pi-ai/oauth", async () => {
+  const actual = await vi.importActual<object>("@mariozechner/pi-ai/oauth");
+  return {
+    ...actual,
+    getOAuthApiKey: getOAuthApiKeyMock,
+  };
+});
+
+vi.mock("../../providers/qwen-portal-oauth.js", () => ({
+  refreshQwenPortalCredentials: refreshQwenPortalCredentialsMock,
+}));
+
+const { providerContractRegistry } = await import("./registry.js");
+
+function requireProvider(providerId: string) {
+  const entry = providerContractRegistry.find((candidate) => candidate.provider.id === providerId);
+  if (!entry) {
+    throw new Error(`provider contract entry missing for ${providerId}`);
+  }
+  return entry.provider;
+}
+
+function createModel(overrides: Partial<ProviderRuntimeModel> & Pick<ProviderRuntimeModel, "id">) {
+  return {
+    id: overrides.id,
+    name: overrides.name ?? overrides.id,
+    api: overrides.api ?? "openai-responses",
+    provider: overrides.provider ?? "demo",
+    baseUrl: overrides.baseUrl ?? "https://api.example.com/v1",
+    reasoning: overrides.reasoning ?? true,
+    input: overrides.input ?? ["text"],
+    cost: overrides.cost ?? { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+    contextWindow: overrides.contextWindow ?? 200_000,
+    maxTokens: overrides.maxTokens ?? 8_192,
+  } satisfies ProviderRuntimeModel;
+}
+
+describe("provider runtime contract", () => {
+  describe("anthropic", () => {
+    it("owns anthropic 4.6 forward-compat resolution", () => {
+      const provider = requireProvider("anthropic");
+      const model = provider.resolveDynamicModel?.({
+        provider: "anthropic",
+        modelId: "claude-sonnet-4.6-20260219",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "claude-sonnet-4.5-20260219"
+              ? createModel({
+                  id: id,
+                  api: "anthropic-messages",
+                  provider: "anthropic",
+                  baseUrl: "https://api.anthropic.com",
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "claude-sonnet-4.6-20260219",
+        provider: "anthropic",
+        api: "anthropic-messages",
+        baseUrl: "https://api.anthropic.com",
+      });
+    });
+
+    it("owns usage auth resolution", async () => {
+      const provider = requireProvider("anthropic");
+      await expect(
+        provider.resolveUsageAuth?.({
+          config: {} as never,
+          env: {} as NodeJS.ProcessEnv,
+          provider: "anthropic",
+          resolveApiKeyFromConfigAndStore: () => undefined,
+          resolveOAuthToken: async () => ({
+            token: "anthropic-oauth-token",
+          }),
+        }),
+      ).resolves.toEqual({
+        token: "anthropic-oauth-token",
+      });
+    });
+
+    it("owns auth doctor hint generation", () => {
+      const provider = requireProvider("anthropic");
+      const hint = provider.buildAuthDoctorHint?.({
+        provider: "anthropic",
+        profileId: "anthropic:default",
+        config: {
+          auth: {
+            profiles: {
+              "anthropic:default": {
+                provider: "anthropic",
+                mode: "oauth",
+              },
+            },
+          },
+        } as never,
+        store: {
+          version: 1,
+          profiles: {
+            "anthropic:oauth-user@example.com": {
+              type: "oauth",
+              provider: "anthropic",
+              access: "oauth-access",
+              refresh: "oauth-refresh",
+              expires: Date.now() + 60_000,
+            },
+          },
+        },
+      });
+
+      expect(hint).toContain("suggested profile: anthropic:oauth-user@example.com");
+      expect(hint).toContain("openclaw doctor --yes");
+    });
+
+    it("owns usage snapshot fetching", async () => {
+      const provider = requireProvider("anthropic");
+      const mockFetch = createProviderUsageFetch(async (url) => {
+        if (url.includes("api.anthropic.com/api/oauth/usage")) {
+          return makeResponse(200, {
+            five_hour: { utilization: 20, resets_at: "2026-01-07T01:00:00Z" },
+            seven_day: { utilization: 35, resets_at: "2026-01-09T01:00:00Z" },
+          });
+        }
+        return makeResponse(404, "not found");
+      });
+
+      await expect(
+        provider.fetchUsageSnapshot?.({
+          config: {} as never,
+          env: {} as NodeJS.ProcessEnv,
+          provider: "anthropic",
+          token: "anthropic-oauth-token",
+          timeoutMs: 5_000,
+          fetchFn: mockFetch as unknown as typeof fetch,
+        }),
+      ).resolves.toEqual({
+        provider: "anthropic",
+        displayName: "Claude",
+        windows: [
+          { label: "5h", usedPercent: 20, resetAt: Date.parse("2026-01-07T01:00:00Z") },
+          { label: "Week", usedPercent: 35, resetAt: Date.parse("2026-01-09T01:00:00Z") },
+        ],
+      });
+    });
+  });
+
+  describe("github-copilot", () => {
+    it("owns Copilot-specific forward-compat fallbacks", () => {
+      const provider = requireProvider("github-copilot");
+      const model = provider.resolveDynamicModel?.({
+        provider: "github-copilot",
+        modelId: "gpt-5.3-codex",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "gpt-5.2-codex"
+              ? createModel({
+                  id,
+                  api: "openai-codex-responses",
+                  provider: "github-copilot",
+                  baseUrl: "https://api.copilot.example",
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "gpt-5.3-codex",
+        provider: "github-copilot",
+        api: "openai-codex-responses",
+      });
+    });
+  });
+
+  describe("google", () => {
+    it("owns google direct gemini 3.1 forward-compat resolution", () => {
+      const provider = requireProvider("google");
+      const model = provider.resolveDynamicModel?.({
+        provider: "google",
+        modelId: "gemini-3.1-pro-preview",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "gemini-3-pro-preview"
+              ? createModel({
+                  id,
+                  api: "google-generative-ai",
+                  provider: "google",
+                  baseUrl: "https://generativelanguage.googleapis.com",
+                  reasoning: false,
+                  contextWindow: 1_048_576,
+                  maxTokens: 65_536,
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "gemini-3.1-pro-preview",
+        provider: "google",
+        api: "google-generative-ai",
+        baseUrl: "https://generativelanguage.googleapis.com",
+        reasoning: true,
+      });
+    });
+  });
+
+  describe("google-gemini-cli", () => {
+    it("owns gemini cli 3.1 forward-compat resolution", () => {
+      const provider = requireProvider("google-gemini-cli");
+      const model = provider.resolveDynamicModel?.({
+        provider: "google-gemini-cli",
+        modelId: "gemini-3.1-pro-preview",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "gemini-3-pro-preview"
+              ? createModel({
+                  id,
+                  api: "google-gemini-cli",
+                  provider: "google-gemini-cli",
+                  baseUrl: "https://cloudcode-pa.googleapis.com",
+                  reasoning: false,
+                  contextWindow: 1_048_576,
+                  maxTokens: 65_536,
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "gemini-3.1-pro-preview",
+        provider: "google-gemini-cli",
+        reasoning: true,
+      });
+    });
+
+    it("owns usage-token parsing", async () => {
+      const provider = requireProvider("google-gemini-cli");
+      await expect(
+        provider.resolveUsageAuth?.({
+          config: {} as never,
+          env: {} as NodeJS.ProcessEnv,
+          provider: "google-gemini-cli",
+          resolveApiKeyFromConfigAndStore: () => undefined,
+          resolveOAuthToken: async () => ({
+            token: '{"token":"google-oauth-token"}',
+            accountId: "google-account",
+          }),
+        }),
+      ).resolves.toEqual({
+        token: "google-oauth-token",
+        accountId: "google-account",
+      });
+    });
+
+    it("owns OAuth auth-profile formatting", () => {
+      const provider = requireProvider("google-gemini-cli");
+
+      expect(
+        provider.formatApiKey?.({
+          type: "oauth",
+          provider: "google-gemini-cli",
+          access: "google-oauth-token",
+          refresh: "refresh-token",
+          expires: Date.now() + 60_000,
+          projectId: "proj-123",
+        }),
+      ).toBe('{"token":"google-oauth-token","projectId":"proj-123"}');
+    });
+
+    it("owns usage snapshot fetching", async () => {
+      const provider = requireProvider("google-gemini-cli");
+      const mockFetch = createProviderUsageFetch(async (url) => {
+        if (url.includes("cloudcode-pa.googleapis.com/v1internal:retrieveUserQuota")) {
+          return makeResponse(200, {
+            buckets: [
+              { modelId: "gemini-3.1-pro-preview", remainingFraction: 0.4 },
+              { modelId: "gemini-3.1-flash-preview", remainingFraction: 0.8 },
+            ],
+          });
+        }
+        return makeResponse(404, "not found");
+      });
+
+      const snapshot = await provider.fetchUsageSnapshot?.({
+        config: {} as never,
+        env: {} as NodeJS.ProcessEnv,
+        provider: "google-gemini-cli",
+        token: "google-oauth-token",
+        timeoutMs: 5_000,
+        fetchFn: mockFetch as unknown as typeof fetch,
+      });
+
+      expect(snapshot).toMatchObject({
+        provider: "google-gemini-cli",
+        displayName: "Gemini",
+      });
+      expect(snapshot?.windows[0]).toEqual({ label: "Pro", usedPercent: 60 });
+      expect(snapshot?.windows[1]?.label).toBe("Flash");
+      expect(snapshot?.windows[1]?.usedPercent).toBeCloseTo(20);
+    });
+  });
+
+  describe("openai", () => {
+    it("owns openai gpt-5.4 forward-compat resolution", () => {
+      const provider = requireProvider("openai");
+      const model = provider.resolveDynamicModel?.({
+        provider: "openai",
+        modelId: "gpt-5.4-pro",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "gpt-5.2-pro"
+              ? createModel({
+                  id,
+                  provider: "openai",
+                  baseUrl: "https://api.openai.com/v1",
+                  input: ["text", "image"],
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "gpt-5.4-pro",
+        provider: "openai",
+        api: "openai-responses",
+        baseUrl: "https://api.openai.com/v1",
+        contextWindow: 1_050_000,
+        maxTokens: 128_000,
+      });
+    });
+
+    it("owns direct openai transport normalization", () => {
+      const provider = requireProvider("openai");
+      expect(
+        provider.normalizeResolvedModel?.({
+          provider: "openai",
+          modelId: "gpt-5.4",
+          model: createModel({
+            id: "gpt-5.4",
+            provider: "openai",
+            api: "openai-completions",
+            baseUrl: "https://api.openai.com/v1",
+            input: ["text", "image"],
+            contextWindow: 1_050_000,
+            maxTokens: 128_000,
+          }),
+        }),
+      ).toMatchObject({
+        api: "openai-responses",
+      });
+    });
+  });
+
+  describe("openai-codex", () => {
+    it("owns refresh fallback for accountId extraction failures", async () => {
+      const provider = requireProvider("openai-codex");
+      const credential = {
+        type: "oauth" as const,
+        provider: "openai-codex",
+        access: "cached-access-token",
+        refresh: "refresh-token",
+        expires: Date.now() - 60_000,
+      };
+
+      getOAuthApiKeyMock.mockReset();
+      getOAuthApiKeyMock.mockRejectedValueOnce(new Error("Failed to extract accountId from token"));
+
+      await expect(provider.refreshOAuth?.(credential)).resolves.toEqual(credential);
+    });
+
+    it("owns forward-compat codex models", () => {
+      const provider = requireProvider("openai-codex");
+      const model = provider.resolveDynamicModel?.({
+        provider: "openai-codex",
+        modelId: "gpt-5.4",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "gpt-5.2-codex"
+              ? createModel({
+                  id,
+                  api: "openai-codex-responses",
+                  provider: "openai-codex",
+                  baseUrl: "https://chatgpt.com/backend-api",
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "gpt-5.4",
+        provider: "openai-codex",
+        api: "openai-codex-responses",
+        contextWindow: 1_050_000,
+        maxTokens: 128_000,
+      });
+    });
+
+    it("owns codex transport defaults", () => {
+      const provider = requireProvider("openai-codex");
+      expect(
+        provider.prepareExtraParams?.({
+          provider: "openai-codex",
+          modelId: "gpt-5.4",
+          extraParams: { temperature: 0.2 },
+        }),
+      ).toEqual({
+        temperature: 0.2,
+        transport: "auto",
+      });
+    });
+
+    it("owns usage snapshot fetching", async () => {
+      const provider = requireProvider("openai-codex");
+      const mockFetch = createProviderUsageFetch(async (url) => {
+        if (url.includes("chatgpt.com/backend-api/wham/usage")) {
+          return makeResponse(200, {
+            rate_limit: {
+              primary_window: {
+                used_percent: 12,
+                limit_window_seconds: 10800,
+                reset_at: 1_705_000,
+              },
+            },
+            plan_type: "Plus",
+          });
+        }
+        return makeResponse(404, "not found");
+      });
+
+      await expect(
+        provider.fetchUsageSnapshot?.({
+          config: {} as never,
+          env: {} as NodeJS.ProcessEnv,
+          provider: "openai-codex",
+          token: "codex-token",
+          accountId: "acc-1",
+          timeoutMs: 5_000,
+          fetchFn: mockFetch as unknown as typeof fetch,
+        }),
+      ).resolves.toEqual({
+        provider: "openai-codex",
+        displayName: "Codex",
+        windows: [{ label: "3h", usedPercent: 12, resetAt: 1_705_000_000 }],
+        plan: "Plus",
+      });
+    });
+  });
+
+  describe("qwen-portal", () => {
+    it("owns OAuth refresh", async () => {
+      const provider = requireProvider("qwen-portal");
+      const credential = {
+        type: "oauth" as const,
+        provider: "qwen-portal",
+        access: "stale-access-token",
+        refresh: "refresh-token",
+        expires: Date.now() - 60_000,
+      };
+      const refreshed = {
+        ...credential,
+        access: "fresh-access-token",
+        expires: Date.now() + 60_000,
+      };
+
+      refreshQwenPortalCredentialsMock.mockReset();
+      refreshQwenPortalCredentialsMock.mockResolvedValueOnce(refreshed);
+
+      await expect(provider.refreshOAuth?.(credential)).resolves.toEqual(refreshed);
+    });
+  });
+
+  describe("zai", () => {
+    it("owns glm-5 forward-compat resolution", () => {
+      const provider = requireProvider("zai");
+      const model = provider.resolveDynamicModel?.({
+        provider: "zai",
+        modelId: "glm-5",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "glm-4.7"
+              ? createModel({
+                  id,
+                  api: "openai-completions",
+                  provider: "zai",
+                  baseUrl: "https://api.z.ai/api/paas/v4",
+                  reasoning: false,
+                  contextWindow: 202_752,
+                  maxTokens: 16_384,
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "glm-5",
+        provider: "zai",
+        api: "openai-completions",
+        reasoning: true,
+      });
+    });
+
+    it("owns usage auth resolution", async () => {
+      const provider = requireProvider("zai");
+      await expect(
+        provider.resolveUsageAuth?.({
+          config: {} as never,
+          env: {
+            ZAI_API_KEY: "env-zai-token",
+          } as NodeJS.ProcessEnv,
+          provider: "zai",
+          resolveApiKeyFromConfigAndStore: () => "env-zai-token",
+          resolveOAuthToken: async () => null,
+        }),
+      ).resolves.toEqual({
+        token: "env-zai-token",
+      });
+    });
+
+    it("owns usage snapshot fetching", async () => {
+      const provider = requireProvider("zai");
+      const mockFetch = createProviderUsageFetch(async (url) => {
+        if (url.includes("api.z.ai/api/monitor/usage/quota/limit")) {
+          return makeResponse(200, {
+            success: true,
+            code: 200,
+            data: {
+              planName: "Pro",
+              limits: [
+                {
+                  type: "TOKENS_LIMIT",
+                  percentage: 25,
+                  unit: 3,
+                  number: 6,
+                  nextResetTime: "2026-01-07T06:00:00Z",
+                },
+              ],
+            },
+          });
+        }
+        return makeResponse(404, "not found");
+      });
+
+      await expect(
+        provider.fetchUsageSnapshot?.({
+          config: {} as never,
+          env: {} as NodeJS.ProcessEnv,
+          provider: "zai",
+          token: "env-zai-token",
+          timeoutMs: 5_000,
+          fetchFn: mockFetch as unknown as typeof fetch,
+        }),
+      ).resolves.toEqual({
+        provider: "zai",
+        displayName: "z.ai",
+        windows: [{ label: "Tokens (6h)", usedPercent: 25, resetAt: 1_767_765_600_000 }],
+        plan: "Pro",
+      });
+    });
+  });
+});
diff --git a/src/plugins/contracts/suites.ts b/src/plugins/contracts/suites.ts
new file mode 100644
index 00000000000..25798dd8439
--- /dev/null
+++ b/src/plugins/contracts/suites.ts
@@ -0,0 +1,124 @@
+import { expect, it } from "vitest";
+import type { OpenClawConfig } from "../../config/config.js";
+import type { ProviderPlugin, WebSearchProviderPlugin } from "../types.js";
+
+export function installProviderPluginContractSuite(params: { provider: ProviderPlugin }) {
+  it("satisfies the base provider plugin contract", () => {
+    const { provider } = params;
+    const authIds = provider.auth.map((method) => method.id);
+    const wizardChoiceIds = new Set<string>();
+
+    expect(provider.id).toMatch(/^[a-z0-9][a-z0-9-]*$/);
+    expect(provider.label.trim()).not.toBe("");
+
+    if (provider.docsPath) {
+      expect(provider.docsPath.startsWith("/")).toBe(true);
+    }
+    if (provider.aliases) {
+      expect(provider.aliases).toEqual([...new Set(provider.aliases)]);
+    }
+    if (provider.envVars) {
+      expect(provider.envVars).toEqual([...new Set(provider.envVars)]);
+      expect(provider.envVars.every((entry) => entry.trim().length > 0)).toBe(true);
+    }
+
+    expect(Array.isArray(provider.auth)).toBe(true);
+    expect(authIds).toEqual([...new Set(authIds)]);
+    for (const method of provider.auth) {
+      expect(method.id.trim()).not.toBe("");
+      expect(method.label.trim()).not.toBe("");
+      if (method.hint !== undefined) {
+        expect(method.hint.trim()).not.toBe("");
+      }
+      if (method.wizard) {
+        if (method.wizard.choiceId) {
+          expect(method.wizard.choiceId.trim()).not.toBe("");
+          expect(wizardChoiceIds.has(method.wizard.choiceId)).toBe(false);
+          wizardChoiceIds.add(method.wizard.choiceId);
+        }
+        if (method.wizard.methodId) {
+          expect(authIds).toContain(method.wizard.methodId);
+        }
+        if (method.wizard.modelAllowlist?.allowedKeys) {
+          expect(method.wizard.modelAllowlist.allowedKeys).toEqual([
+            ...new Set(method.wizard.modelAllowlist.allowedKeys),
+          ]);
+        }
+        if (method.wizard.modelAllowlist?.initialSelections) {
+          expect(method.wizard.modelAllowlist.initialSelections).toEqual([
+            ...new Set(method.wizard.modelAllowlist.initialSelections),
+          ]);
+        }
+      }
+      expect(typeof method.run).toBe("function");
+    }
+
+    if (provider.wizard?.setup || provider.wizard?.modelPicker) {
+      expect(provider.auth.length).toBeGreaterThan(0);
+    }
+    if (provider.wizard?.setup) {
+      if (provider.wizard.setup.choiceId) {
+        expect(provider.wizard.setup.choiceId.trim()).not.toBe("");
+        expect(wizardChoiceIds.has(provider.wizard.setup.choiceId)).toBe(false);
+      }
+      if (provider.wizard.setup.methodId) {
+        expect(authIds).toContain(provider.wizard.setup.methodId);
+      }
+      if (provider.wizard.setup.modelAllowlist?.allowedKeys) {
+        expect(provider.wizard.setup.modelAllowlist.allowedKeys).toEqual([
+          ...new Set(provider.wizard.setup.modelAllowlist.allowedKeys),
+        ]);
+      }
+      if (provider.wizard.setup.modelAllowlist?.initialSelections) {
+        expect(provider.wizard.setup.modelAllowlist.initialSelections).toEqual([
+          ...new Set(provider.wizard.setup.modelAllowlist.initialSelections),
+        ]);
+      }
+    }
+    if (provider.wizard?.modelPicker?.methodId) {
+      expect(authIds).toContain(provider.wizard.modelPicker.methodId);
+    }
+  });
+}
+
+export function installWebSearchProviderContractSuite(params: {
+  provider: WebSearchProviderPlugin;
+  credentialValue: unknown;
+}) {
+  it("satisfies the base web search provider contract", () => {
+    const { provider } = params;
+
+    expect(provider.id).toMatch(/^[a-z0-9][a-z0-9-]*$/);
+    expect(provider.label.trim()).not.toBe("");
+    expect(provider.hint.trim()).not.toBe("");
+    expect(provider.placeholder.trim()).not.toBe("");
+    expect(provider.signupUrl.startsWith("https://")).toBe(true);
+    if (provider.docsUrl) {
+      expect(provider.docsUrl.startsWith("http")).toBe(true);
+    }
+
+    expect(provider.envVars).toEqual([...new Set(provider.envVars)]);
+    expect(provider.envVars.every((entry) => entry.trim().length > 0)).toBe(true);
+
+    const searchConfigTarget: Record<string, unknown> = {};
+    provider.setCredentialValue(searchConfigTarget, params.credentialValue);
+    expect(provider.getCredentialValue(searchConfigTarget)).toEqual(params.credentialValue);
+
+    const config = {
+      tools: {
+        web: {
+          search: {
+            provider: provider.id,
+            ...searchConfigTarget,
+          },
+        },
+      },
+    } as OpenClawConfig;
+    const tool = provider.createTool({ config, searchConfig: searchConfigTarget });
+
+    expect(tool).not.toBeNull();
+    expect(tool?.description.trim()).not.toBe("");
+    expect(tool?.parameters).toEqual(expect.any(Object));
+    expect(typeof tool?.execute).toBe("function");
+  });
+}
diff --git a/src/plugins/contracts/web-search-provider.contract.test.ts b/src/plugins/contracts/web-search-provider.contract.test.ts
new file mode 100644
index 00000000000..c07eebaf6b5
--- /dev/null
+++ b/src/plugins/contracts/web-search-provider.contract.test.ts
@@ -0,0 +1,12 @@
+import { describe } from "vitest";
+import { webSearchProviderContractRegistry } from "./registry.js";
+import { installWebSearchProviderContractSuite } from "./suites.js";
+
+for (const entry of webSearchProviderContractRegistry) {
+  describe(`${entry.pluginId}:${entry.provider.id} web search contract`, () => {
+    installWebSearchProviderContractSuite({
+      provider: entry.provider,
+      credentialValue: entry.credentialValue,
+    });
+  });
+}
diff --git a/src/plugins/contracts/wizard.contract.test.ts b/src/plugins/contracts/wizard.contract.test.ts
new file mode 100644
index 00000000000..ee0cd879b25
--- /dev/null
+++ b/src/plugins/contracts/wizard.contract.test.ts
@@ -0,0 +1,142 @@
+import { describe, expect, it } from "vitest";
+import {
+  buildProviderPluginMethodChoice,
+  resolveProviderModelPickerEntries,
+  resolveProviderPluginChoice,
+  resolveProviderWizardOptions,
+} from "../provider-wizard.js";
+import { resolvePluginProviders } from "../providers.js";
+import type { ProviderPlugin } from "../types.js";
+import { providerContractRegistry } from "./registry.js";
+
+function createBundledProviderConfig() {
+  return {
+    plugins: {
+      enabled: true,
+      allow: [...new Set(providerContractRegistry.map((entry) => entry.pluginId))],
+      slots: {
+        memory: "none",
+      },
+    },
+  };
+}
+
+function resolveExpectedWizardChoiceValues(providers: ProviderPlugin[]) {
+  const values: string[] = [];
+
+  for (const provider of providers) {
+    const methodSetups = provider.auth.filter((method) => method.wizard);
+    if (methodSetups.length > 0) {
+      values.push(
+        ...methodSetups.map(
+          (method) =>
+            method.wizard?.choiceId?.trim() ||
+            buildProviderPluginMethodChoice(provider.id, method.id),
+        ),
+      );
+      continue;
+    }
+
+    const setup = provider.wizard?.setup;
+    if (!setup) {
+      continue;
+    }
+
+    const explicitMethodId = setup.methodId?.trim();
+    if (explicitMethodId && provider.auth.some((method) => method.id === explicitMethodId)) {
+      values.push(
+        setup.choiceId?.trim() || buildProviderPluginMethodChoice(provider.id, explicitMethodId),
+      );
+      continue;
+    }
+
+    values.push(
+      ...provider.auth.map((method) => buildProviderPluginMethodChoice(provider.id, method.id)),
+    );
+  }
+
+  return values.toSorted((left, right) => left.localeCompare(right));
+}
+
+function resolveExpectedModelPickerValues(providers: ProviderPlugin[]) {
+  return providers
+    .flatMap((provider) => {
+      const modelPicker = provider.wizard?.modelPicker;
+      if (!modelPicker) {
+        return [];
+      }
+      const explicitMethodId = modelPicker.methodId?.trim();
+      if (explicitMethodId) {
+        return [buildProviderPluginMethodChoice(provider.id, explicitMethodId)];
+      }
+      if (provider.auth.length === 1) {
+        return [provider.id];
+      }
+      return [buildProviderPluginMethodChoice(provider.id, provider.auth[0]?.id ?? "default")];
+    })
+    .toSorted((left, right) => left.localeCompare(right));
+}
+
+describe("provider wizard contract", () => {
+  it("exposes every registered provider setup choice through the shared wizard layer", () => {
+    const config = createBundledProviderConfig();
+    const providers = resolvePluginProviders({
+      config,
+      env: process.env,
+    });
+
+    const options = resolveProviderWizardOptions({
+      config,
+      env: process.env,
+    });
+
+    expect(
+      options.map((option) => option.value).toSorted((left, right) => left.localeCompare(right)),
+    ).toEqual(resolveExpectedWizardChoiceValues(providers));
+    expect(options.map((option) => option.value)).toEqual([
+      ...new Set(options.map((option) => option.value)),
+    ]);
+  });
+
+  it("round-trips every shared wizard choice back to its provider and auth method", () => {
+    const config = createBundledProviderConfig();
+    const providers = resolvePluginProviders({
+      config,
+      env: process.env,
+    });
+
+    for (const option of resolveProviderWizardOptions({ config, env: process.env })) {
+      const resolved = resolveProviderPluginChoice({
+        providers,
+        choice: option.value,
+      });
+      expect(resolved).not.toBeNull();
+      expect(resolved?.provider.id).toBeTruthy();
+      expect(resolved?.method.id).toBeTruthy();
+    }
+  });
+
+  it("exposes every registered model-picker entry through the shared wizard layer", () => {
+    const config = createBundledProviderConfig();
+    const providers = resolvePluginProviders({
+      config,
+      env: process.env,
+    });
+
+    const entries = resolveProviderModelPickerEntries({
+      config,
+      env: process.env,
+    });
+
+    expect(
+      entries.map((entry) => entry.value).toSorted((left, right) => left.localeCompare(right)),
+    ).toEqual(resolveExpectedModelPickerValues(providers));
+    for (const entry of entries) {
+      const resolved = resolveProviderPluginChoice({
+        providers,
+        choice: entry.value,
+      });
+      expect(resolved).not.toBeNull();
+    }
+  });
+});
diff --git a/src/plugins/conversation-binding.ts b/src/plugins/conversation-binding.ts
index 3de655abbe1..4b5cb0671da 100644
--- a/src/plugins/conversation-binding.ts
+++ b/src/plugins/conversation-binding.ts
@@ -1,8 +1,6 @@
 import crypto from "node:crypto";
 import fs from "node:fs";
 import path from "node:path";
-import { Button, Row, type TopLevelComponents } from "@buape/carbon";
-import { ButtonStyle } from "discord-api-types/v10";
 import type { ReplyPayload } from "../auto-reply/types.js";
 import { expandHomePrefix } from "../infra/home-dir.js";
 import { writeJsonAtomic } from "../infra/json-files.js";
@@ -119,24 +117,6 @@ function getPluginBindingGlobalState(): PluginBindingGlobalState {
   });
 }
 
-class PluginBindingApprovalButton extends Button {
-  customId: string;
-  label: string;
-  style: ButtonStyle;
-
-  constructor(params: {
-    approvalId: string;
-    decision: PluginBindingApprovalDecision;
-    label: string;
-    style: ButtonStyle;
-  }) {
-    super();
-    this.customId = buildPluginBindingApprovalCustomId(params.approvalId, params.decision);
-    this.label = params.label;
-    this.style = params.style;
-  }
-}
-
 function resolveApprovalsPath(): string {
   return expandHomePrefix(APPROVALS_PATH);
 }
@@ -236,54 +216,33 @@ function isLegacyPluginBindingRecord(params: {
   );
 }
 
-function buildDiscordButtonRow(
+function buildApprovalInteractiveReply(
   approvalId: string,
-  labels?: { once?: string; always?: string; deny?: string },
-): TopLevelComponents[] {
-  return [
-    new Row([
-      new PluginBindingApprovalButton({
-        approvalId,
-        decision: "allow-once",
-        label: labels?.once ?? "Allow once",
-        style: ButtonStyle.Success,
-      }),
-      new PluginBindingApprovalButton({
-        approvalId,
-        decision: "allow-always",
-        label: labels?.always ?? "Always allow",
-        style: ButtonStyle.Primary,
-      }),
-      new PluginBindingApprovalButton({
-        approvalId,
-        decision: "deny",
-        label: labels?.deny ?? "Deny",
-        style: ButtonStyle.Danger,
-      }),
-    ]),
-  ];
-}
-
-function buildTelegramButtons(approvalId: string) {
-  return [
-    [
+): NonNullable<ReplyPayload["interactive"]> {
+  return {
+    blocks: [
       {
-        text: "Allow once",
-        callback_data: buildPluginBindingApprovalCustomId(approvalId, "allow-once"),
-        style: "success" as const,
-      },
-      {
-        text: "Always allow",
-        callback_data: buildPluginBindingApprovalCustomId(approvalId, "allow-always"),
-        style: "primary" as const,
-      },
-      {
-        text: "Deny",
-        callback_data: buildPluginBindingApprovalCustomId(approvalId, "deny"),
-        style: "danger" as const,
+        type: "buttons",
+        buttons: [
+          {
+            label: "Allow once",
+            value: buildPluginBindingApprovalCustomId(approvalId, "allow-once"),
+            style: "success",
+          },
+          {
+            label: "Always allow",
+            value: buildPluginBindingApprovalCustomId(approvalId, "allow-always"),
+            style: "primary",
+          },
+          {
+            label: "Deny",
+            value: buildPluginBindingApprovalCustomId(approvalId, "deny"),
+            style: "danger",
+          },
+        ],
       },
     ],
-  ];
+  };
 }
 
 function createApprovalRequestId(): string {
@@ -547,14 +506,7 @@ export function markPluginBindingFallbackNoticeShown(bindingId: string): void {
 function buildPendingReply(request: PendingPluginBindingRequest): ReplyPayload {
   return {
     text: buildApprovalMessage(request),
-    channelData: {
-      telegram: {
-        buttons: buildTelegramButtons(request.id),
-      },
-      discord: {
-        components: buildDiscordButtonRow(request.id),
-      },
-    },
+    interactive: buildApprovalInteractiveReply(request.id),
   };
 }
 
diff --git a/src/plugins/copy-bundled-plugin-metadata.test.ts b/src/plugins/copy-bundled-plugin-metadata.test.ts
index 88da85b0dda..48fe75cf02b 100644
--- a/src/plugins/copy-bundled-plugin-metadata.test.ts
+++ b/src/plugins/copy-bundled-plugin-metadata.test.ts
@@ -1,7 +1,7 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import { afterEach, describe, expect, it } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 import {
   copyBundledPluginMetadata,
   rewritePackageExtensions,
@@ -237,6 +237,47 @@ describe("copyBundledPluginMetadata", () => {
     expect(fs.existsSync(staleNodeModulesDir)).toBe(false);
   });
 
+  it("retries transient skill copy races from concurrent runtime postbuilds", () => {
+    const repoRoot = makeRepoRoot("openclaw-bundled-plugin-retry-");
+    const pluginDir = path.join(repoRoot, "extensions", "diffs");
+    fs.mkdirSync(path.join(pluginDir, "skills", "diffs"), { recursive: true });
+    fs.writeFileSync(path.join(pluginDir, "skills", "diffs", "SKILL.md"), "# Diffs\n", "utf8");
+    writeJson(path.join(pluginDir, "openclaw.plugin.json"), {
+      id: "diffs",
+      configSchema: { type: "object" },
+      skills: ["./skills"],
+    });
+    writeJson(path.join(pluginDir, "package.json"), {
+      name: "@openclaw/diffs",
+      openclaw: { extensions: ["./index.ts"] },
+    });
+
+    const realCpSync = fs.cpSync.bind(fs);
+    let attempts = 0;
+    const cpSyncSpy = vi.spyOn(fs, "cpSync").mockImplementation((...args) => {
+      attempts += 1;
+      if (attempts === 1) {
+        const error = Object.assign(new Error("race"), { code: "EEXIST" });
+        throw error;
+      }
+      return realCpSync(...args);
+    });
+
+    try {
+      copyBundledPluginMetadata({ repoRoot });
+    } finally {
+      cpSyncSpy.mockRestore();
+    }
+
+    expect(attempts).toBe(2);
+    expect(
+      fs.readFileSync(
+        path.join(repoRoot, "dist", "extensions", "diffs", "skills", "diffs", "SKILL.md"),
+        "utf8",
+      ),
+    ).toContain("Diffs");
+  });
+
   it("removes generated outputs for plugins no longer present in source", () => {
     const repoRoot = makeRepoRoot("openclaw-bundled-plugin-removed-");
     const staleBundledSkillDir = path.join(
@@ -258,6 +299,11 @@ describe("copyBundledPluginMetadata", () => {
       "node_modules",
     );
     fs.mkdirSync(staleNodeModulesDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(repoRoot, "dist", "extensions", "removed-plugin", "index.js"),
+      "export default {}\n",
+      "utf8",
+    );
     writeJson(path.join(repoRoot, "dist", "extensions", "removed-plugin", "openclaw.plugin.json"), {
       id: "removed-plugin",
       configSchema: { type: "object" },
@@ -270,17 +316,26 @@ describe("copyBundledPluginMetadata", () => {
 
     copyBundledPluginMetadata({ repoRoot });
 
-    expect(
-      fs.existsSync(
-        path.join(repoRoot, "dist", "extensions", "removed-plugin", "openclaw.plugin.json"),
-      ),
-    ).toBe(false);
-    expect(
-      fs.existsSync(path.join(repoRoot, "dist", "extensions", "removed-plugin", "package.json")),
-    ).toBe(false);
-    expect(
-      fs.existsSync(path.join(repoRoot, "dist", "extensions", "removed-plugin", "bundled-skills")),
-    ).toBe(false);
-    expect(fs.existsSync(staleNodeModulesDir)).toBe(false);
+    expect(fs.existsSync(path.join(repoRoot, "dist", "extensions", "removed-plugin"))).toBe(false);
+  });
+
+  it("removes stale dist outputs when a source extension directory no longer has a manifest", () => {
+    const repoRoot = makeRepoRoot("openclaw-bundled-plugin-manifestless-source-");
+    const sourcePluginDir = path.join(repoRoot, "extensions", "google-gemini-cli-auth");
+    fs.mkdirSync(path.join(sourcePluginDir, "node_modules"), { recursive: true });
+    const staleDistDir = path.join(repoRoot, "dist", "extensions", "google-gemini-cli-auth");
+    fs.mkdirSync(staleDistDir, { recursive: true });
+    fs.writeFileSync(path.join(staleDistDir, "index.js"), "export default {}\n", "utf8");
+    writeJson(path.join(staleDistDir, "openclaw.plugin.json"), {
+      id: "google-gemini-cli-auth",
+      configSchema: { type: "object" },
+    });
+    writeJson(path.join(staleDistDir, "package.json"), {
+      name: "@openclaw/google-gemini-cli-auth",
+    });
+
+    copyBundledPluginMetadata({ repoRoot });
+
+    expect(fs.existsSync(staleDistDir)).toBe(false);
   });
 });
diff --git a/src/plugins/discovery.test.ts b/src/plugins/discovery.test.ts
index a61c21e4125..ea84b562729 100644
--- a/src/plugins/discovery.test.ts
+++ b/src/plugins/discovery.test.ts
@@ -16,6 +16,23 @@ function makeTempDir() {
 
 const mkdirSafe = mkdirSafeDir;
 
+function normalizePathForAssertion(value: string | undefined): string | undefined {
+  if (!value) {
+    return value;
+  }
+  return value.replace(/\\/g, "/");
+}
+
+function hasDiagnosticSourceSuffix(
+  diagnostics: Array<{ source?: string }>,
+  suffix: string,
+): boolean {
+  const normalizedSuffix = normalizePathForAssertion(suffix);
+  return diagnostics.some((entry) =>
+    normalizePathForAssertion(entry.source)?.endsWith(normalizedSuffix ?? suffix),
+  );
+}
+
 function buildDiscoveryEnv(stateDir: string): NodeJS.ProcessEnv {
   return {
     OPENCLAW_STATE_DIR: stateDir,
@@ -242,7 +259,9 @@ describe("discoverOpenClawPlugins", () => {
     expect(bundle?.format).toBe("bundle");
     expect(bundle?.bundleFormat).toBe("codex");
     expect(bundle?.source).toBe(bundleDir);
-    expect(bundle?.rootDir).toBe(fs.realpathSync.native(bundleDir));
+    expect(normalizePathForAssertion(bundle?.rootDir)).toBe(
+      normalizePathForAssertion(fs.realpathSync(bundleDir)),
+    );
   });
 
   it("auto-detects manifestless Claude bundles from the default layout", async () => {
@@ -296,9 +315,7 @@ describe("discoverOpenClawPlugins", () => {
 
     expect(legacy).toBeDefined();
     expect(legacy?.format).toBe("openclaw");
-    expect(
-      result.diagnostics.some((entry) => entry.source?.endsWith(".claude-plugin/plugin.json")),
-    ).toBe(true);
+    expect(hasDiagnosticSourceSuffix(result.diagnostics, ".claude-plugin/plugin.json")).toBe(true);
   });
 
   it("falls back to legacy index discovery for configured paths with malformed bundle sidecars", async () => {
@@ -317,9 +334,7 @@ describe("discoverOpenClawPlugins", () => {
 
     expect(legacy).toBeDefined();
     expect(legacy?.format).toBe("openclaw");
-    expect(
-      result.diagnostics.some((entry) => entry.source?.endsWith(".codex-plugin/plugin.json")),
-    ).toBe(true);
+    expect(hasDiagnosticSourceSuffix(result.diagnostics, ".codex-plugin/plugin.json")).toBe(true);
   });
 
   it("blocks extension entries that escape package directory", async () => {
diff --git a/src/plugins/discovery.ts b/src/plugins/discovery.ts
index c102ffc80c7..743b0b569f9 100644
--- a/src/plugins/discovery.ts
+++ b/src/plugins/discovery.ts
@@ -19,6 +19,7 @@ const EXTENSION_EXTS = new Set([".ts", ".js", ".mts", ".cts", ".mjs", ".cjs"]);
 export type PluginCandidate = {
   idHint: string;
   source: string;
+  setupSource?: string;
   rootDir: string;
   origin: PluginOrigin;
   format?: PluginFormat;
@@ -355,6 +356,7 @@ function addCandidate(params: {
   seen: Set<string>;
   idHint: string;
   source: string;
+  setupSource?: string;
   rootDir: string;
   origin: PluginOrigin;
   format?: PluginFormat;
@@ -385,6 +387,7 @@ function addCandidate(params: {
   params.candidates.push({
     idHint: params.idHint,
     source: resolved,
+    setupSource: params.setupSource,
     rootDir: resolvedRoot,
     origin: params.origin,
     format: params.format ?? "openclaw",
@@ -520,6 +523,17 @@ function discoverInDirectory(params: {
     const manifest = readPackageManifest(fullPath, rejectHardlinks);
     const extensionResolution = resolvePackageExtensionEntries(manifest ?? undefined);
     const extensions = extensionResolution.status === "ok" ? extensionResolution.entries : [];
+    const setupEntryPath = getPackageManifestMetadata(manifest ?? undefined)?.setupEntry;
+    const setupSource =
+      typeof setupEntryPath === "string" && setupEntryPath.trim().length > 0
+        ? resolvePackageEntrySource({
+            packageDir: fullPath,
+            entryPath: setupEntryPath,
+            sourceLabel: fullPath,
+            diagnostics: params.diagnostics,
+            rejectHardlinks,
+          })
+        : null;
 
     if (extensions.length > 0) {
       for (const extPath of extensions) {
@@ -543,6 +557,7 @@ function discoverInDirectory(params: {
             hasMultipleExtensions: extensions.length > 1,
           }),
           source: resolved,
+          ...(setupSource ? { setupSource } : {}),
           rootDir: fullPath,
           origin: params.origin,
           ownershipUid: params.ownershipUid,
@@ -577,6 +592,7 @@ function discoverInDirectory(params: {
         seen: params.seen,
         idHint: entry.name,
         source: indexFile,
+        ...(setupSource ? { setupSource } : {}),
         rootDir: fullPath,
         origin: params.origin,
         ownershipUid: params.ownershipUid,
@@ -637,6 +653,17 @@ function discoverFromPath(params: {
     const manifest = readPackageManifest(resolved, rejectHardlinks);
     const extensionResolution = resolvePackageExtensionEntries(manifest ?? undefined);
     const extensions = extensionResolution.status === "ok" ? extensionResolution.entries : [];
+    const setupEntryPath = getPackageManifestMetadata(manifest ?? undefined)?.setupEntry;
+    const setupSource =
+      typeof setupEntryPath === "string" && setupEntryPath.trim().length > 0
+        ? resolvePackageEntrySource({
+            packageDir: resolved,
+            entryPath: setupEntryPath,
+            sourceLabel: resolved,
+            diagnostics: params.diagnostics,
+            rejectHardlinks,
+          })
+        : null;
 
     if (extensions.length > 0) {
       for (const extPath of extensions) {
@@ -660,6 +687,7 @@ function discoverFromPath(params: {
             hasMultipleExtensions: extensions.length > 1,
           }),
           source,
+          ...(setupSource ? { setupSource } : {}),
           rootDir: resolved,
           origin: params.origin,
           ownershipUid: params.ownershipUid,
@@ -695,6 +723,7 @@ function discoverFromPath(params: {
         seen: params.seen,
         idHint: path.basename(resolved),
         source: indexFile,
+        ...(setupSource ? { setupSource } : {}),
         rootDir: resolved,
         origin: params.origin,
         ownershipUid: params.ownershipUid,
diff --git a/src/plugins/enable.test.ts b/src/plugins/enable.test.ts
index 793ed1c7ffe..89259b8a583 100644
--- a/src/plugins/enable.test.ts
+++ b/src/plugins/enable.test.ts
@@ -5,9 +5,9 @@ import { enablePluginInConfig } from "./enable.js";
 describe("enablePluginInConfig", () => {
   it("enables a plugin entry", () => {
     const cfg: OpenClawConfig = {};
-    const result = enablePluginInConfig(cfg, "google-gemini-cli-auth");
+    const result = enablePluginInConfig(cfg, "google");
     expect(result.enabled).toBe(true);
-    expect(result.config.plugins?.entries?.["google-gemini-cli-auth"]?.enabled).toBe(true);
+    expect(result.config.plugins?.entries?.google?.enabled).toBe(true);
   });
 
   it("adds plugin to allowlist when allowlist is configured", () => {
@@ -16,18 +16,18 @@ describe("enablePluginInConfig", () => {
         allow: ["memory-core"],
       },
     };
-    const result = enablePluginInConfig(cfg, "google-gemini-cli-auth");
+    const result = enablePluginInConfig(cfg, "google");
     expect(result.enabled).toBe(true);
-    expect(result.config.plugins?.allow).toEqual(["memory-core", "google-gemini-cli-auth"]);
+    expect(result.config.plugins?.allow).toEqual(["memory-core", "google"]);
   });
 
   it("refuses enable when plugin is denylisted", () => {
     const cfg: OpenClawConfig = {
       plugins: {
-        deny: ["google-gemini-cli-auth"],
+        deny: ["google"],
       },
     };
-    const result = enablePluginInConfig(cfg, "google-gemini-cli-auth");
+    const result = enablePluginInConfig(cfg, "google");
     expect(result.enabled).toBe(false);
     expect(result.reason).toBe("blocked by denylist");
   });
diff --git a/src/plugins/http-registry.test.ts b/src/plugins/http-registry.test.ts
index 9993c7cb39d..05bd337eed6 100644
--- a/src/plugins/http-registry.test.ts
+++ b/src/plugins/http-registry.test.ts
@@ -1,6 +1,11 @@
-import { describe, expect, it, vi } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 import { registerPluginHttpRoute } from "./http-registry.js";
 import { createEmptyPluginRegistry } from "./registry.js";
+import {
+  pinActivePluginHttpRouteRegistry,
+  releasePinnedPluginHttpRouteRegistry,
+  setActivePluginRegistry,
+} from "./runtime.js";
 
 function expectRouteRegistrationDenied(params: {
   replaceExisting: boolean;
@@ -38,6 +43,11 @@ function expectRouteRegistrationDenied(params: {
 }
 
 describe("registerPluginHttpRoute", () => {
+  afterEach(() => {
+    releasePinnedPluginHttpRouteRegistry();
+    setActivePluginRegistry(createEmptyPluginRegistry());
+  });
+
   it("registers route and unregisters it", () => {
     const registry = createEmptyPluginRegistry();
     const handler = vi.fn();
@@ -164,4 +174,26 @@ describe("registerPluginHttpRoute", () => {
     unregister();
     expect(registry.httpRoutes).toHaveLength(1);
   });
+
+  it("uses the pinned route registry when the active registry changes later", () => {
+    const startupRegistry = createEmptyPluginRegistry();
+    const laterActiveRegistry = createEmptyPluginRegistry();
+
+    setActivePluginRegistry(startupRegistry);
+    pinActivePluginHttpRouteRegistry(startupRegistry);
+    setActivePluginRegistry(laterActiveRegistry);
+
+    const unregister = registerPluginHttpRoute({
+      path: "/bluebubbles-webhook",
+      auth: "plugin",
+      handler: vi.fn(),
+    });
+
+    expect(startupRegistry.httpRoutes).toHaveLength(1);
+    expect(startupRegistry.httpRoutes[0]?.path).toBe("/bluebubbles-webhook");
+    expect(laterActiveRegistry.httpRoutes).toHaveLength(0);
+
+    unregister();
+    expect(startupRegistry.httpRoutes).toHaveLength(0);
+  });
 });
diff --git a/src/plugins/http-registry.ts b/src/plugins/http-registry.ts
index bf45f1b076a..4dc5bfd23b5 100644
--- a/src/plugins/http-registry.ts
+++ b/src/plugins/http-registry.ts
@@ -2,7 +2,7 @@ import type { IncomingMessage, ServerResponse } from "node:http";
 import { normalizePluginHttpPath } from "./http-path.js";
 import { findOverlappingPluginHttpRoute } from "./http-route-overlap.js";
 import type { PluginHttpRouteRegistration, PluginRegistry } from "./registry.js";
-import { requireActivePluginRegistry } from "./runtime.js";
+import { requireActivePluginHttpRouteRegistry } from "./runtime.js";
 
 export type PluginHttpRouteHandler = (
   req: IncomingMessage,
@@ -22,7 +22,7 @@ export function registerPluginHttpRoute(params: {
   log?: (message: string) => void;
   registry?: PluginRegistry;
 }): () => void {
-  const registry = params.registry ?? requireActivePluginRegistry();
+  const registry = params.registry ?? requireActivePluginHttpRouteRegistry();
   const routes = registry.httpRoutes ?? [];
   registry.httpRoutes = routes;
 
diff --git a/src/plugins/interactive-dispatch-adapters.ts b/src/plugins/interactive-dispatch-adapters.ts
new file mode 100644
index 00000000000..4050e707958
--- /dev/null
+++ b/src/plugins/interactive-dispatch-adapters.ts
@@ -0,0 +1,219 @@
+import {
+  detachPluginConversationBinding,
+  getCurrentPluginConversationBinding,
+  requestPluginConversationBinding,
+} from "./conversation-binding.js";
+import type {
+  PluginConversationBindingRequestParams,
+  PluginInteractiveDiscordHandlerContext,
+  PluginInteractiveDiscordHandlerRegistration,
+  PluginInteractiveSlackHandlerContext,
+  PluginInteractiveSlackHandlerRegistration,
+  PluginInteractiveTelegramHandlerContext,
+  PluginInteractiveTelegramHandlerRegistration,
+} from "./types.js";
+
+type RegisteredInteractiveMetadata = {
+  pluginId: string;
+  pluginName?: string;
+  pluginRoot?: string;
+};
+
+type PluginBindingConversation = Parameters<
+  typeof requestPluginConversationBinding
+>[0]["conversation"];
+
+export type TelegramInteractiveDispatchContext = Omit<
+  PluginInteractiveTelegramHandlerContext,
+  | "callback"
+  | "respond"
+  | "channel"
+  | "requestConversationBinding"
+  | "detachConversationBinding"
+  | "getCurrentConversationBinding"
+> & {
+  callbackMessage: {
+    messageId: number;
+    chatId: string;
+    messageText?: string;
+  };
+};
+
+export type DiscordInteractiveDispatchContext = Omit<
+  PluginInteractiveDiscordHandlerContext,
+  | "interaction"
+  | "respond"
+  | "channel"
+  | "requestConversationBinding"
+  | "detachConversationBinding"
+  | "getCurrentConversationBinding"
+> & {
+  interaction: Omit<
+    PluginInteractiveDiscordHandlerContext["interaction"],
+    "data" | "namespace" | "payload"
+  >;
+};
+
+export type SlackInteractiveDispatchContext = Omit<
+  PluginInteractiveSlackHandlerContext,
+  | "interaction"
+  | "respond"
+  | "channel"
+  | "requestConversationBinding"
+  | "detachConversationBinding"
+  | "getCurrentConversationBinding"
+> & {
+  interaction: Omit<
+    PluginInteractiveSlackHandlerContext["interaction"],
+    "data" | "namespace" | "payload"
+  >;
+};
+
+function createConversationBindingHelpers(params: {
+  registration: RegisteredInteractiveMetadata;
+  senderId?: string;
+  conversation: PluginBindingConversation;
+}) {
+  const { registration, senderId, conversation } = params;
+  const pluginRoot = registration.pluginRoot;
+
+  return {
+    requestConversationBinding: async (binding: PluginConversationBindingRequestParams = {}) => {
+      if (!pluginRoot) {
+        return {
+          status: "error" as const,
+          message: "This interaction cannot bind the current conversation.",
+        };
+      }
+      return requestPluginConversationBinding({
+        pluginId: registration.pluginId,
+        pluginName: registration.pluginName,
+        pluginRoot,
+        requestedBySenderId: senderId,
+        conversation,
+        binding,
+      });
+    },
+    detachConversationBinding: async () => {
+      if (!pluginRoot) {
+        return { removed: false };
+      }
+      return detachPluginConversationBinding({
+        pluginRoot,
+        conversation,
+      });
+    },
+    getCurrentConversationBinding: async () => {
+      if (!pluginRoot) {
+        return null;
+      }
+      return getCurrentPluginConversationBinding({
+        pluginRoot,
+        conversation,
+      });
+    },
+  };
+}
+
+export function dispatchTelegramInteractiveHandler(params: {
+  registration: PluginInteractiveTelegramHandlerRegistration & RegisteredInteractiveMetadata;
+  data: string;
+  namespace: string;
+  payload: string;
+  ctx: TelegramInteractiveDispatchContext;
+  respond: PluginInteractiveTelegramHandlerContext["respond"];
+}) {
+  const { callbackMessage, ...handlerContext } = params.ctx;
+
+  return params.registration.handler({
+    ...handlerContext,
+    channel: "telegram",
+    callback: {
+      data: params.data,
+      namespace: params.namespace,
+      payload: params.payload,
+      messageId: callbackMessage.messageId,
+      chatId: callbackMessage.chatId,
+      messageText: callbackMessage.messageText,
+    },
+    respond: params.respond,
+    ...createConversationBindingHelpers({
+      registration: params.registration,
+      senderId: handlerContext.senderId,
+      conversation: {
+        channel: "telegram",
+        accountId: handlerContext.accountId,
+        conversationId: handlerContext.conversationId,
+        parentConversationId: handlerContext.parentConversationId,
+        threadId: handlerContext.threadId,
+      },
+    }),
+  });
+}
+
+export function dispatchDiscordInteractiveHandler(params: {
+  registration: PluginInteractiveDiscordHandlerRegistration & RegisteredInteractiveMetadata;
+  data: string;
+  namespace: string;
+  payload: string;
+  ctx: DiscordInteractiveDispatchContext;
+  respond: PluginInteractiveDiscordHandlerContext["respond"];
+}) {
+  const handlerContext = params.ctx;
+
+  return params.registration.handler({
+    ...handlerContext,
+    channel: "discord",
+    interaction: {
+      ...handlerContext.interaction,
+      data: params.data,
+      namespace: params.namespace,
+      payload: params.payload,
+    },
+    respond: params.respond,
+    ...createConversationBindingHelpers({
+      registration: params.registration,
+      senderId: handlerContext.senderId,
+      conversation: {
+        channel: "discord",
+        accountId: handlerContext.accountId,
+        conversationId: handlerContext.conversationId,
+        parentConversationId: handlerContext.parentConversationId,
+      },
+    }),
+  });
+}
+
+export function dispatchSlackInteractiveHandler(params: {
+  registration: PluginInteractiveSlackHandlerRegistration & RegisteredInteractiveMetadata;
+  data: string;
+  namespace: string;
+  payload: string;
+  ctx: SlackInteractiveDispatchContext;
+  respond: PluginInteractiveSlackHandlerContext["respond"];
+}) {
+  const handlerContext = params.ctx;
+
+  return params.registration.handler({
+    ...handlerContext,
+    channel: "slack",
+    interaction: {
+      ...handlerContext.interaction,
+      data: params.data,
+      namespace: params.namespace,
+      payload: params.payload,
+    },
+    respond: params.respond,
+    ...createConversationBindingHelpers({
+      registration: params.registration,
+      senderId: handlerContext.senderId,
+      conversation: {
+        channel: "slack",
+        accountId: handlerContext.accountId,
+        conversationId: handlerContext.conversationId,
+        parentConversationId: handlerContext.parentConversationId,
+        threadId: handlerContext.threadId,
+      },
+    }),
+  });
+}
diff --git a/src/plugins/interactive.test.ts b/src/plugins/interactive.test.ts
index f794cde4037..14980ec4545 100644
--- a/src/plugins/interactive.test.ts
+++ b/src/plugins/interactive.test.ts
@@ -1,13 +1,62 @@
-import { beforeEach, describe, expect, it, vi } from "vitest";
+import { afterEach, beforeEach, describe, expect, it, vi, type MockInstance } from "vitest";
+import * as conversationBinding from "./conversation-binding.js";
 import {
   clearPluginInteractiveHandlers,
   dispatchPluginInteractiveHandler,
   registerPluginInteractiveHandler,
 } from "./interactive.js";
 
+let requestPluginConversationBindingMock: MockInstance<
+  typeof conversationBinding.requestPluginConversationBinding
+>;
+let detachPluginConversationBindingMock: MockInstance<
+  typeof conversationBinding.detachPluginConversationBinding
+>;
+let getCurrentPluginConversationBindingMock: MockInstance<
+  typeof conversationBinding.getCurrentPluginConversationBinding
+>;
+
 describe("plugin interactive handlers", () => {
   beforeEach(() => {
     clearPluginInteractiveHandlers();
+    requestPluginConversationBindingMock = vi
+      .spyOn(conversationBinding, "requestPluginConversationBinding")
+      .mockResolvedValue({
+        status: "bound",
+        binding: {
+          bindingId: "binding-1",
+          pluginId: "codex-plugin",
+          pluginName: "Codex",
+          pluginRoot: "/plugins/codex",
+          channel: "telegram",
+          accountId: "default",
+          conversationId: "-10099:topic:77",
+          parentConversationId: "-10099",
+          threadId: 77,
+          boundAt: 1,
+        },
+      });
+    detachPluginConversationBindingMock = vi
+      .spyOn(conversationBinding, "detachPluginConversationBinding")
+      .mockResolvedValue({ removed: true });
+    getCurrentPluginConversationBindingMock = vi
+      .spyOn(conversationBinding, "getCurrentPluginConversationBinding")
+      .mockResolvedValue({
+        bindingId: "binding-1",
+        pluginId: "codex-plugin",
+        pluginName: "Codex",
+        pluginRoot: "/plugins/codex",
+        channel: "telegram",
+        accountId: "default",
+        conversationId: "-10099:topic:77",
+        parentConversationId: "-10099",
+        threadId: 77,
+        boundAt: 1,
+      });
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
   });
 
   it("routes Telegram callbacks by namespace and dedupes callback ids", async () => {
@@ -147,6 +196,425 @@ describe("plugin interactive handlers", () => {
     );
   });
 
+  it("routes Slack interactions by namespace and dedupes interaction ids", async () => {
+    const handler = vi.fn(async () => ({ handled: true }));
+    expect(
+      registerPluginInteractiveHandler("codex-plugin", {
+        channel: "slack",
+        namespace: "codex",
+        handler,
+      }),
+    ).toEqual({ ok: true });
+
+    const baseParams = {
+      channel: "slack" as const,
+      data: "codex:approve:thread-1",
+      interactionId: "slack-ix-1",
+      ctx: {
+        channel: "slack" as const,
+        accountId: "default",
+        interactionId: "slack-ix-1",
+        conversationId: "C123",
+        parentConversationId: "C123",
+        threadId: "1710000000.000100",
+        senderId: "U123",
+        senderUsername: "ada",
+        auth: { isAuthorizedSender: true },
+        interaction: {
+          kind: "button" as const,
+          actionId: "codex",
+          blockId: "codex_actions",
+          messageTs: "1710000000.000200",
+          threadTs: "1710000000.000100",
+          value: "approve:thread-1",
+          selectedValues: ["approve:thread-1"],
+          selectedLabels: ["Approve"],
+          triggerId: "trigger-1",
+          responseUrl: "https://hooks.slack.test/response",
+        },
+      },
+      respond: {
+        acknowledge: vi.fn(async () => {}),
+        reply: vi.fn(async () => {}),
+        followUp: vi.fn(async () => {}),
+        editMessage: vi.fn(async () => {}),
+      },
+    };
+
+    const first = await dispatchPluginInteractiveHandler(baseParams);
+    const duplicate = await dispatchPluginInteractiveHandler(baseParams);
+
+    expect(first).toEqual({ matched: true, handled: true, duplicate: false });
+    expect(duplicate).toEqual({ matched: true, handled: true, duplicate: true });
+    expect(handler).toHaveBeenCalledTimes(1);
+    expect(handler).toHaveBeenCalledWith(
+      expect.objectContaining({
+        channel: "slack",
+        conversationId: "C123",
+        threadId: "1710000000.000100",
+        interaction: expect.objectContaining({
+          namespace: "codex",
+          payload: "approve:thread-1",
+          actionId: "codex",
+          messageTs: "1710000000.000200",
+        }),
+      }),
+    );
+  });
+
+  it("wires Telegram conversation binding helpers with topic context", async () => {
+    const requestResult = {
+      status: "bound" as const,
+      binding: {
+        bindingId: "binding-telegram",
+        pluginId: "codex-plugin",
+        pluginName: "Codex",
+        pluginRoot: "/plugins/codex",
+        channel: "telegram",
+        accountId: "default",
+        conversationId: "-10099:topic:77",
+        parentConversationId: "-10099",
+        threadId: 77,
+        boundAt: 1,
+      },
+    };
+    const currentBinding = {
+      ...requestResult.binding,
+      boundAt: 2,
+    };
+    requestPluginConversationBindingMock.mockResolvedValueOnce(requestResult);
+    getCurrentPluginConversationBindingMock.mockResolvedValueOnce(currentBinding);
+
+    const handler = vi.fn(async (ctx) => {
+      await expect(
+        ctx.requestConversationBinding({
+          summary: "Bind this topic",
+          detachHint: "Use /new to detach",
+        }),
+      ).resolves.toEqual(requestResult);
+      await expect(ctx.detachConversationBinding()).resolves.toEqual({ removed: true });
+      await expect(ctx.getCurrentConversationBinding()).resolves.toEqual(currentBinding);
+      return { handled: true };
+    });
+    expect(
+      registerPluginInteractiveHandler(
+        "codex-plugin",
+        {
+          channel: "telegram",
+          namespace: "codex",
+          handler,
+        },
+        { pluginName: "Codex", pluginRoot: "/plugins/codex" },
+      ),
+    ).toEqual({ ok: true });
+
+    await expect(
+      dispatchPluginInteractiveHandler({
+        channel: "telegram",
+        data: "codex:bind",
+        callbackId: "cb-bind",
+        ctx: {
+          accountId: "default",
+          callbackId: "cb-bind",
+          conversationId: "-10099:topic:77",
+          parentConversationId: "-10099",
+          senderId: "user-1",
+          senderUsername: "ada",
+          threadId: 77,
+          isGroup: true,
+          isForum: true,
+          auth: { isAuthorizedSender: true },
+          callbackMessage: {
+            messageId: 55,
+            chatId: "-10099",
+            messageText: "Pick a thread",
+          },
+        },
+        respond: {
+          reply: vi.fn(async () => {}),
+          editMessage: vi.fn(async () => {}),
+          editButtons: vi.fn(async () => {}),
+          clearButtons: vi.fn(async () => {}),
+          deleteMessage: vi.fn(async () => {}),
+        },
+      }),
+    ).resolves.toEqual({
+      matched: true,
+      handled: true,
+      duplicate: false,
+    });
+
+    expect(requestPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginId: "codex-plugin",
+      pluginName: "Codex",
+      pluginRoot: "/plugins/codex",
+      requestedBySenderId: "user-1",
+      conversation: {
+        channel: "telegram",
+        accountId: "default",
+        conversationId: "-10099:topic:77",
+        parentConversationId: "-10099",
+        threadId: 77,
+      },
+      binding: {
+        summary: "Bind this topic",
+        detachHint: "Use /new to detach",
+      },
+    });
+    expect(detachPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginRoot: "/plugins/codex",
+      conversation: {
+        channel: "telegram",
+        accountId: "default",
+        conversationId: "-10099:topic:77",
+        parentConversationId: "-10099",
+        threadId: 77,
+      },
+    });
+    expect(getCurrentPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginRoot: "/plugins/codex",
+      conversation: {
+        channel: "telegram",
+        accountId: "default",
+        conversationId: "-10099:topic:77",
+        parentConversationId: "-10099",
+        threadId: 77,
+      },
+    });
+  });
+
+  it("wires Discord conversation binding helpers with parent channel context", async () => {
+    const requestResult = {
+      status: "bound" as const,
+      binding: {
+        bindingId: "binding-discord",
+        pluginId: "codex-plugin",
+        pluginName: "Codex",
+        pluginRoot: "/plugins/codex",
+        channel: "discord",
+        accountId: "default",
+        conversationId: "channel-1",
+        parentConversationId: "parent-1",
+        boundAt: 1,
+      },
+    };
+    const currentBinding = {
+      ...requestResult.binding,
+      boundAt: 2,
+    };
+    requestPluginConversationBindingMock.mockResolvedValueOnce(requestResult);
+    getCurrentPluginConversationBindingMock.mockResolvedValueOnce(currentBinding);
+
+    const handler = vi.fn(async (ctx) => {
+      await expect(ctx.requestConversationBinding({ summary: "Bind Discord" })).resolves.toEqual(
+        requestResult,
+      );
+      await expect(ctx.detachConversationBinding()).resolves.toEqual({ removed: true });
+      await expect(ctx.getCurrentConversationBinding()).resolves.toEqual(currentBinding);
+      return { handled: true };
+    });
+    expect(
+      registerPluginInteractiveHandler(
+        "codex-plugin",
+        {
+          channel: "discord",
+          namespace: "codex",
+          handler,
+        },
+        { pluginName: "Codex", pluginRoot: "/plugins/codex" },
+      ),
+    ).toEqual({ ok: true });
+
+    await expect(
+      dispatchPluginInteractiveHandler({
+        channel: "discord",
+        data: "codex:bind",
+        interactionId: "ix-bind",
+        ctx: {
+          accountId: "default",
+          interactionId: "ix-bind",
+          conversationId: "channel-1",
+          parentConversationId: "parent-1",
+          guildId: "guild-1",
+          senderId: "user-1",
+          senderUsername: "ada",
+          auth: { isAuthorizedSender: true },
+          interaction: {
+            kind: "button",
+            messageId: "message-1",
+            values: ["allow"],
+          },
+        },
+        respond: {
+          acknowledge: vi.fn(async () => {}),
+          reply: vi.fn(async () => {}),
+          followUp: vi.fn(async () => {}),
+          editMessage: vi.fn(async () => {}),
+          clearComponents: vi.fn(async () => {}),
+        },
+      }),
+    ).resolves.toEqual({
+      matched: true,
+      handled: true,
+      duplicate: false,
+    });
+
+    expect(requestPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginId: "codex-plugin",
+      pluginName: "Codex",
+      pluginRoot: "/plugins/codex",
+      requestedBySenderId: "user-1",
+      conversation: {
+        channel: "discord",
+        accountId: "default",
+        conversationId: "channel-1",
+        parentConversationId: "parent-1",
+      },
+      binding: {
+        summary: "Bind Discord",
+      },
+    });
+    expect(detachPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginRoot: "/plugins/codex",
+      conversation: {
+        channel: "discord",
+        accountId: "default",
+        conversationId: "channel-1",
+        parentConversationId: "parent-1",
+      },
+    });
+    expect(getCurrentPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginRoot: "/plugins/codex",
+      conversation: {
+        channel: "discord",
+        accountId: "default",
+        conversationId: "channel-1",
+        parentConversationId: "parent-1",
+      },
+    });
+  });
+
+  it("wires Slack conversation binding helpers with thread context", async () => {
+    const requestResult = {
+      status: "bound" as const,
+      binding: {
+        bindingId: "binding-slack",
+        pluginId: "codex-plugin",
+        pluginName: "Codex",
+        pluginRoot: "/plugins/codex",
+        channel: "slack",
+        accountId: "default",
+        conversationId: "C123",
+        parentConversationId: "C123",
+        threadId: "1710000000.000100",
+        boundAt: 1,
+      },
+    };
+    const currentBinding = {
+      ...requestResult.binding,
+      boundAt: 2,
+    };
+    requestPluginConversationBindingMock.mockResolvedValueOnce(requestResult);
+    getCurrentPluginConversationBindingMock.mockResolvedValueOnce(currentBinding);
+
+    const handler = vi.fn(async (ctx) => {
+      await expect(ctx.requestConversationBinding({ summary: "Bind Slack" })).resolves.toEqual(
+        requestResult,
+      );
+      await expect(ctx.detachConversationBinding()).resolves.toEqual({ removed: true });
+      await expect(ctx.getCurrentConversationBinding()).resolves.toEqual(currentBinding);
+      return { handled: true };
+    });
+    expect(
+      registerPluginInteractiveHandler(
+        "codex-plugin",
+        {
+          channel: "slack",
+          namespace: "codex",
+          handler,
+        },
+        { pluginName: "Codex", pluginRoot: "/plugins/codex" },
+      ),
+    ).toEqual({ ok: true });
+
+    await expect(
+      dispatchPluginInteractiveHandler({
+        channel: "slack",
+        data: "codex:bind",
+        interactionId: "slack-bind",
+        ctx: {
+          accountId: "default",
+          interactionId: "slack-bind",
+          conversationId: "C123",
+          parentConversationId: "C123",
+          threadId: "1710000000.000100",
+          senderId: "user-1",
+          senderUsername: "ada",
+          auth: { isAuthorizedSender: true },
+          interaction: {
+            kind: "button",
+            actionId: "codex",
+            blockId: "codex_actions",
+            messageTs: "1710000000.000200",
+            threadTs: "1710000000.000100",
+            value: "bind",
+            selectedValues: ["bind"],
+            selectedLabels: ["Bind"],
+            triggerId: "trigger-1",
+            responseUrl: "https://hooks.slack.test/response",
+          },
+        },
+        respond: {
+          acknowledge: vi.fn(async () => {}),
+          reply: vi.fn(async () => {}),
+          followUp: vi.fn(async () => {}),
+          editMessage: vi.fn(async () => {}),
+        },
+      }),
+    ).resolves.toEqual({
+      matched: true,
+      handled: true,
+      duplicate: false,
+    });
+
+    expect(requestPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginId: "codex-plugin",
+      pluginName: "Codex",
+      pluginRoot: "/plugins/codex",
+      requestedBySenderId: "user-1",
+      conversation: {
+        channel: "slack",
+        accountId: "default",
+        conversationId: "C123",
+        parentConversationId: "C123",
+        threadId: "1710000000.000100",
+      },
+      binding: {
+        summary: "Bind Slack",
+      },
+    });
+    expect(detachPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginRoot: "/plugins/codex",
+      conversation: {
+        channel: "slack",
+        accountId: "default",
+        conversationId: "C123",
+        parentConversationId: "C123",
+        threadId: "1710000000.000100",
+      },
+    });
+    expect(getCurrentPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginRoot: "/plugins/codex",
+      conversation: {
+        channel: "slack",
+        accountId: "default",
+        conversationId: "C123",
+        parentConversationId: "C123",
+        threadId: "1710000000.000100",
+      },
+    });
+  });
+
   it("does not consume dedupe keys when a handler throws", async () => {
     const handler = vi
       .fn(async () => ({ handled: true }))
diff --git a/src/plugins/interactive.ts b/src/plugins/interactive.ts
index 66d79fd71ec..04403c80fa2 100644
--- a/src/plugins/interactive.ts
+++ b/src/plugins/interactive.ts
@@ -1,14 +1,19 @@
 import { createDedupeCache } from "../infra/dedupe.js";
 import {
-  detachPluginConversationBinding,
-  getCurrentPluginConversationBinding,
-  requestPluginConversationBinding,
-} from "./conversation-binding.js";
+  dispatchDiscordInteractiveHandler,
+  dispatchSlackInteractiveHandler,
+  dispatchTelegramInteractiveHandler,
+  type DiscordInteractiveDispatchContext,
+  type SlackInteractiveDispatchContext,
+  type TelegramInteractiveDispatchContext,
+} from "./interactive-dispatch-adapters.js";
 import type {
   PluginInteractiveDiscordHandlerContext,
   PluginInteractiveButtons,
   PluginInteractiveDiscordHandlerRegistration,
   PluginInteractiveHandlerRegistration,
+  PluginInteractiveSlackHandlerContext,
+  PluginInteractiveSlackHandlerRegistration,
   PluginInteractiveTelegramHandlerRegistration,
   PluginInteractiveTelegramHandlerContext,
 } from "./types.js";
@@ -28,37 +33,6 @@ type InteractiveDispatchResult =
   | { matched: false; handled: false; duplicate: false }
   | { matched: true; handled: boolean; duplicate: boolean };
 
-type TelegramInteractiveDispatchContext = Omit<
-  PluginInteractiveTelegramHandlerContext,
-  | "callback"
-  | "respond"
-  | "channel"
-  | "requestConversationBinding"
-  | "detachConversationBinding"
-  | "getCurrentConversationBinding"
-> & {
-  callbackMessage: {
-    messageId: number;
-    chatId: string;
-    messageText?: string;
-  };
-};
-
-type DiscordInteractiveDispatchContext = Omit<
-  PluginInteractiveDiscordHandlerContext,
-  | "interaction"
-  | "respond"
-  | "channel"
-  | "requestConversationBinding"
-  | "detachConversationBinding"
-  | "getCurrentConversationBinding"
-> & {
-  interaction: Omit<
-    PluginInteractiveDiscordHandlerContext["interaction"],
-    "data" | "namespace" | "payload"
-  >;
-};
-
 const interactiveHandlers = new Map<string, RegisteredInteractiveHandler>();
 const callbackDedupe = createDedupeCache({
   ttlMs: 5 * 60_000,
@@ -134,6 +108,15 @@ export function registerPluginInteractiveHandler(
       pluginName: opts?.pluginName,
       pluginRoot: opts?.pluginRoot,
     });
+  } else if (registration.channel === "slack") {
+    interactiveHandlers.set(key, {
+      ...registration,
+      namespace,
+      channel: "slack",
+      pluginId,
+      pluginName: opts?.pluginName,
+      pluginRoot: opts?.pluginRoot,
+    });
   } else {
     interactiveHandlers.set(key, {
       ...registration,
@@ -181,11 +164,21 @@ export async function dispatchPluginInteractiveHandler(params: {
   respond: PluginInteractiveDiscordHandlerContext["respond"];
 }): Promise<InteractiveDispatchResult>;
 export async function dispatchPluginInteractiveHandler(params: {
-  channel: "telegram" | "discord";
+  channel: "slack";
+  data: string;
+  interactionId: string;
+  ctx: SlackInteractiveDispatchContext;
+  respond: PluginInteractiveSlackHandlerContext["respond"];
+}): Promise<InteractiveDispatchResult>;
+export async function dispatchPluginInteractiveHandler(params: {
+  channel: "telegram" | "discord" | "slack";
   data: string;
   callbackId?: string;
   interactionId?: string;
-  ctx: TelegramInteractiveDispatchContext | DiscordInteractiveDispatchContext;
+  ctx:
+    | TelegramInteractiveDispatchContext
+    | DiscordInteractiveDispatchContext
+    | SlackInteractiveDispatchContext;
   respond:
     | {
         reply: (params: { text: string; buttons?: PluginInteractiveButtons }) => Promise<void>;
@@ -197,7 +190,8 @@ export async function dispatchPluginInteractiveHandler(params: {
         clearButtons: () => Promise<void>;
         deleteMessage: () => Promise<void>;
       }
-    | PluginInteractiveDiscordHandlerContext["respond"];
+    | PluginInteractiveDiscordHandlerContext["respond"]
+    | PluginInteractiveSlackHandlerContext["respond"];
 }): Promise<InteractiveDispatchResult> {
   const match = resolveNamespaceMatch(params.channel, params.data);
   if (!match) {
@@ -212,145 +206,37 @@ export async function dispatchPluginInteractiveHandler(params: {
 
   let result:
     | ReturnType<PluginInteractiveTelegramHandlerRegistration["handler"]>
-    | ReturnType<PluginInteractiveDiscordHandlerRegistration["handler"]>;
+    | ReturnType<PluginInteractiveDiscordHandlerRegistration["handler"]>
+    | ReturnType<PluginInteractiveSlackHandlerRegistration["handler"]>;
   if (params.channel === "telegram") {
-    const pluginRoot = match.registration.pluginRoot;
-    const { callbackMessage, ...handlerContext } = params.ctx as TelegramInteractiveDispatchContext;
-    result = (
-      match.registration as RegisteredInteractiveHandler &
-        PluginInteractiveTelegramHandlerRegistration
-    ).handler({
-      ...handlerContext,
-      channel: "telegram",
-      callback: {
-        data: params.data,
-        namespace: match.namespace,
-        payload: match.payload,
-        messageId: callbackMessage.messageId,
-        chatId: callbackMessage.chatId,
-        messageText: callbackMessage.messageText,
-      },
+    result = dispatchTelegramInteractiveHandler({
+      registration: match.registration as RegisteredInteractiveHandler &
+        PluginInteractiveTelegramHandlerRegistration,
+      data: params.data,
+      namespace: match.namespace,
+      payload: match.payload,
+      ctx: params.ctx as TelegramInteractiveDispatchContext,
       respond: params.respond as PluginInteractiveTelegramHandlerContext["respond"],
-      requestConversationBinding: async (bindingParams) => {
-        if (!pluginRoot) {
-          return {
-            status: "error",
-            message: "This interaction cannot bind the current conversation.",
-          };
-        }
-        return requestPluginConversationBinding({
-          pluginId: match.registration.pluginId,
-          pluginName: match.registration.pluginName,
-          pluginRoot,
-          requestedBySenderId: handlerContext.senderId,
-          conversation: {
-            channel: "telegram",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-            threadId: handlerContext.threadId,
-          },
-          binding: bindingParams,
-        });
-      },
-      detachConversationBinding: async () => {
-        if (!pluginRoot) {
-          return { removed: false };
-        }
-        return detachPluginConversationBinding({
-          pluginRoot,
-          conversation: {
-            channel: "telegram",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-            threadId: handlerContext.threadId,
-          },
-        });
-      },
-      getCurrentConversationBinding: async () => {
-        if (!pluginRoot) {
-          return null;
-        }
-        return getCurrentPluginConversationBinding({
-          pluginRoot,
-          conversation: {
-            channel: "telegram",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-            threadId: handlerContext.threadId,
-          },
-        });
-      },
+    });
+  } else if (params.channel === "discord") {
+    result = dispatchDiscordInteractiveHandler({
+      registration: match.registration as RegisteredInteractiveHandler &
+        PluginInteractiveDiscordHandlerRegistration,
+      data: params.data,
+      namespace: match.namespace,
+      payload: match.payload,
+      ctx: params.ctx as DiscordInteractiveDispatchContext,
+      respond: params.respond as PluginInteractiveDiscordHandlerContext["respond"],
     });
   } else {
-    const pluginRoot = match.registration.pluginRoot;
-    result = (
-      match.registration as RegisteredInteractiveHandler &
-        PluginInteractiveDiscordHandlerRegistration
-    ).handler({
-      ...(params.ctx as DiscordInteractiveDispatchContext),
-      channel: "discord",
-      interaction: {
-        ...(params.ctx as DiscordInteractiveDispatchContext).interaction,
-        data: params.data,
-        namespace: match.namespace,
-        payload: match.payload,
-      },
-      respond: params.respond as PluginInteractiveDiscordHandlerContext["respond"],
-      requestConversationBinding: async (bindingParams) => {
-        if (!pluginRoot) {
-          return {
-            status: "error",
-            message: "This interaction cannot bind the current conversation.",
-          };
-        }
-        const handlerContext = params.ctx as DiscordInteractiveDispatchContext;
-        return requestPluginConversationBinding({
-          pluginId: match.registration.pluginId,
-          pluginName: match.registration.pluginName,
-          pluginRoot,
-          requestedBySenderId: handlerContext.senderId,
-          conversation: {
-            channel: "discord",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-          },
-          binding: bindingParams,
-        });
-      },
-      detachConversationBinding: async () => {
-        if (!pluginRoot) {
-          return { removed: false };
-        }
-        const handlerContext = params.ctx as DiscordInteractiveDispatchContext;
-        return detachPluginConversationBinding({
-          pluginRoot,
-          conversation: {
-            channel: "discord",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-          },
-        });
-      },
-      getCurrentConversationBinding: async () => {
-        if (!pluginRoot) {
-          return null;
-        }
-        const handlerContext = params.ctx as DiscordInteractiveDispatchContext;
-        return getCurrentPluginConversationBinding({
-          pluginRoot,
-          conversation: {
-            channel: "discord",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-          },
-        });
-      },
+    result = dispatchSlackInteractiveHandler({
+      registration: match.registration as RegisteredInteractiveHandler &
+        PluginInteractiveSlackHandlerRegistration,
+      data: params.data,
+      namespace: match.namespace,
+      payload: match.payload,
+      ctx: params.ctx as SlackInteractiveDispatchContext,
+      respond: params.respond as PluginInteractiveSlackHandlerContext["respond"],
     });
   }
   const resolved = await result;
diff --git a/src/plugins/loader.test.ts b/src/plugins/loader.test.ts
index 0460e481b25..82867213fdd 100644
--- a/src/plugins/loader.test.ts
+++ b/src/plugins/loader.test.ts
@@ -7,13 +7,13 @@ import { afterAll, afterEach, describe, expect, it, vi } from "vitest";
 import { withEnv } from "../test-utils/env.js";
 async function importFreshPluginTestModules() {
   vi.resetModules();
-  vi.unmock("node:fs");
-  vi.unmock("node:fs/promises");
-  vi.unmock("node:module");
-  vi.unmock("./hook-runner-global.js");
-  vi.unmock("./hooks.js");
-  vi.unmock("./loader.js");
-  vi.unmock("jiti");
+  vi.doUnmock("node:fs");
+  vi.doUnmock("node:fs/promises");
+  vi.doUnmock("node:module");
+  vi.doUnmock("./hook-runner-global.js");
+  vi.doUnmock("./hooks.js");
+  vi.doUnmock("./loader.js");
+  vi.doUnmock("jiti");
   const [loader, hookRunnerGlobal, hooks, runtime, registry] = await Promise.all([
     import("./loader.js"),
     import("./hook-runner-global.js"),
@@ -287,6 +287,11 @@ function createPluginSdkAliasFixture(params?: {
   const distFile = path.join(root, "dist", "plugin-sdk", params?.distFile ?? "index.js");
   mkdirSafe(path.dirname(srcFile));
   mkdirSafe(path.dirname(distFile));
+  fs.writeFileSync(
+    path.join(root, "package.json"),
+    JSON.stringify({ name: "openclaw", type: "module" }, null, 2),
+    "utf-8",
+  );
   fs.writeFileSync(srcFile, params?.srcBody ?? "export {};\n", "utf-8");
   fs.writeFileSync(distFile, params?.distBody ?? "export {};\n", "utf-8");
   return { root, srcFile, distFile };
@@ -308,6 +313,30 @@ function createExtensionApiAliasFixture(params?: { srcBody?: string; distBody?:
   return { root, srcFile, distFile };
 }
 
+function createPluginRuntimeAliasFixture(params?: { srcBody?: string; distBody?: string }) {
+  const root = makeTempDir();
+  const srcFile = path.join(root, "src", "plugins", "runtime", "index.ts");
+  const distFile = path.join(root, "dist", "plugins", "runtime", "index.js");
+  mkdirSafe(path.dirname(srcFile));
+  mkdirSafe(path.dirname(distFile));
+  fs.writeFileSync(
+    path.join(root, "package.json"),
+    JSON.stringify({ name: "openclaw", type: "module" }, null, 2),
+    "utf-8",
+  );
+  fs.writeFileSync(
+    srcFile,
+    params?.srcBody ?? "export const createPluginRuntime = () => ({});\n",
+    "utf-8",
+  );
+  fs.writeFileSync(
+    distFile,
+    params?.distBody ?? "export const createPluginRuntime = () => ({});\n",
+    "utf-8",
+  );
+  return { root, srcFile, distFile };
+}
+
 afterEach(() => {
   clearPluginLoaderCache();
   if (prevBundledDir === undefined) {
@@ -1703,6 +1732,289 @@ module.exports = { id: "skipped", register() { throw new Error("skipped plugin s
     expect(disabled?.status).toBe("disabled");
   });
 
+  it("skips disabled channel imports unless setup-only loading is explicitly enabled", () => {
+    useNoBundledPlugins();
+    const marker = path.join(makeTempDir(), "lazy-channel-imported.txt");
+    const plugin = writePlugin({
+      id: "lazy-channel",
+      filename: "lazy-channel.cjs",
+      body: `require("node:fs").writeFileSync(${JSON.stringify(marker)}, "loaded", "utf-8");
+module.exports = {
+  id: "lazy-channel",
+  register(api) {
+    api.registerChannel({
+      plugin: {
+        id: "lazy-channel",
+        meta: {
+          id: "lazy-channel",
+          label: "Lazy Channel",
+          selectionLabel: "Lazy Channel",
+          docsPath: "/channels/lazy-channel",
+          blurb: "lazy test channel",
+        },
+        capabilities: { chatTypes: ["direct"] },
+        config: {
+          listAccountIds: () => [],
+          resolveAccount: () => ({ accountId: "default" }),
+        },
+        outbound: { deliveryMode: "direct" },
+      },
+    });
+  },
+};`,
+    });
+    fs.writeFileSync(
+      path.join(plugin.dir, "openclaw.plugin.json"),
+      JSON.stringify(
+        {
+          id: "lazy-channel",
+          configSchema: EMPTY_PLUGIN_SCHEMA,
+          channels: ["lazy-channel"],
+        },
+        null,
+        2,
+      ),
+      "utf-8",
+    );
+    const config = {
+      plugins: {
+        load: { paths: [plugin.file] },
+        allow: ["lazy-channel"],
+        entries: {
+          "lazy-channel": { enabled: false },
+        },
+      },
+    };
+
+    const registry = loadOpenClawPlugins({
+      cache: false,
+      config,
+    });
+
+    expect(fs.existsSync(marker)).toBe(false);
+    expect(registry.channelSetups).toHaveLength(0);
+    expect(registry.plugins.find((entry) => entry.id === "lazy-channel")?.status).toBe("disabled");
+
+    const setupRegistry = loadOpenClawPlugins({
+      cache: false,
+      config,
+      includeSetupOnlyChannelPlugins: true,
+    });
+
+    expect(fs.existsSync(marker)).toBe(true);
+    expect(setupRegistry.channelSetups).toHaveLength(1);
+    expect(setupRegistry.channels).toHaveLength(0);
+    expect(setupRegistry.plugins.find((entry) => entry.id === "lazy-channel")?.status).toBe(
+      "disabled",
+    );
+  });
+
+  it("uses package setupEntry for setup-only channel loads", () => {
+    useNoBundledPlugins();
+    const pluginDir = makeTempDir();
+    const fullMarker = path.join(pluginDir, "full-loaded.txt");
+    const setupMarker = path.join(pluginDir, "setup-loaded.txt");
+    fs.writeFileSync(
+      path.join(pluginDir, "package.json"),
+      JSON.stringify(
+        {
+          name: "@openclaw/setup-entry-test",
+          openclaw: {
+            extensions: ["./index.cjs"],
+            setupEntry: "./setup-entry.cjs",
+          },
+        },
+        null,
+        2,
+      ),
+      "utf-8",
+    );
+    fs.writeFileSync(
+      path.join(pluginDir, "openclaw.plugin.json"),
+      JSON.stringify(
+        {
+          id: "setup-entry-test",
+          configSchema: EMPTY_PLUGIN_SCHEMA,
+          channels: ["setup-entry-test"],
+        },
+        null,
+        2,
+      ),
+      "utf-8",
+    );
+    fs.writeFileSync(
+      path.join(pluginDir, "index.cjs"),
+      `require("node:fs").writeFileSync(${JSON.stringify(fullMarker)}, "loaded", "utf-8");
+module.exports = {
+  id: "setup-entry-test",
+  register(api) {
+    api.registerChannel({
+      plugin: {
+        id: "setup-entry-test",
+        meta: {
+          id: "setup-entry-test",
+          label: "Setup Entry Test",
+          selectionLabel: "Setup Entry Test",
+          docsPath: "/channels/setup-entry-test",
+          blurb: "full entry should not run in setup-only mode",
+        },
+        capabilities: { chatTypes: ["direct"] },
+        config: {
+          listAccountIds: () => [],
+          resolveAccount: () => ({ accountId: "default" }),
+        },
+        outbound: { deliveryMode: "direct" },
+      },
+    });
+  },
+};`,
+      "utf-8",
+    );
+    fs.writeFileSync(
+      path.join(pluginDir, "setup-entry.cjs"),
+      `require("node:fs").writeFileSync(${JSON.stringify(setupMarker)}, "loaded", "utf-8");
+module.exports = {
+  plugin: {
+    id: "setup-entry-test",
+    meta: {
+      id: "setup-entry-test",
+      label: "Setup Entry Test",
+      selectionLabel: "Setup Entry Test",
+      docsPath: "/channels/setup-entry-test",
+      blurb: "setup entry",
+    },
+    capabilities: { chatTypes: ["direct"] },
+    config: {
+      listAccountIds: () => [],
+      resolveAccount: () => ({ accountId: "default" }),
+    },
+    outbound: { deliveryMode: "direct" },
+  },
+};`,
+      "utf-8",
+    );
+
+    const setupRegistry = loadOpenClawPlugins({
+      cache: false,
+      config: {
+        plugins: {
+          load: { paths: [pluginDir] },
+          allow: ["setup-entry-test"],
+          entries: {
+            "setup-entry-test": { enabled: false },
+          },
+        },
+      },
+      includeSetupOnlyChannelPlugins: true,
+    });
+
+    expect(fs.existsSync(setupMarker)).toBe(true);
+    expect(fs.existsSync(fullMarker)).toBe(false);
+    expect(setupRegistry.channelSetups).toHaveLength(1);
+    expect(setupRegistry.channels).toHaveLength(0);
+  });
+
+  it("uses package setupEntry for enabled but unconfigured channel loads", () => {
+    useNoBundledPlugins();
+    const pluginDir = makeTempDir();
+    const fullMarker = path.join(pluginDir, "full-loaded.txt");
+    const setupMarker = path.join(pluginDir, "setup-loaded.txt");
+    fs.writeFileSync(
+      path.join(pluginDir, "package.json"),
+      JSON.stringify(
+        {
+          name: "@openclaw/setup-runtime-test",
+          openclaw: {
+            extensions: ["./index.cjs"],
+            setupEntry: "./setup-entry.cjs",
+          },
+        },
+        null,
+        2,
+      ),
+      "utf-8",
+    );
+    fs.writeFileSync(
+      path.join(pluginDir, "openclaw.plugin.json"),
+      JSON.stringify(
+        {
+          id: "setup-runtime-test",
+          configSchema: EMPTY_PLUGIN_SCHEMA,
+          channels: ["setup-runtime-test"],
+        },
+        null,
+        2,
+      ),
+      "utf-8",
+    );
+    fs.writeFileSync(
+      path.join(pluginDir, "index.cjs"),
+      `require("node:fs").writeFileSync(${JSON.stringify(fullMarker)}, "loaded", "utf-8");
+module.exports = {
+  id: "setup-runtime-test",
+  register(api) {
+    api.registerChannel({
+      plugin: {
+        id: "setup-runtime-test",
+        meta: {
+          id: "setup-runtime-test",
+          label: "Setup Runtime Test",
+          selectionLabel: "Setup Runtime Test",
+          docsPath: "/channels/setup-runtime-test",
+          blurb: "full entry should not run while unconfigured",
+        },
+        capabilities: { chatTypes: ["direct"] },
+        config: {
+          listAccountIds: () => [],
+          resolveAccount: () => ({ accountId: "default" }),
+        },
+        outbound: { deliveryMode: "direct" },
+      },
+    });
+  },
+};`,
+      "utf-8",
+    );
+    fs.writeFileSync(
+      path.join(pluginDir, "setup-entry.cjs"),
+      `require("node:fs").writeFileSync(${JSON.stringify(setupMarker)}, "loaded", "utf-8");
+module.exports = {
+  plugin: {
+    id: "setup-runtime-test",
+    meta: {
+      id: "setup-runtime-test",
+      label: "Setup Runtime Test",
+      selectionLabel: "Setup Runtime Test",
+      docsPath: "/channels/setup-runtime-test",
+      blurb: "setup runtime",
+    },
+    capabilities: { chatTypes: ["direct"] },
+    config: {
+      listAccountIds: () => [],
+      resolveAccount: () => ({ accountId: "default" }),
+    },
+    outbound: { deliveryMode: "direct" },
+  },
+};`,
+      "utf-8",
+    );
+
+    const registry = loadOpenClawPlugins({
+      cache: false,
+      config: {
+        plugins: {
+          load: { paths: [pluginDir] },
+          allow: ["setup-runtime-test"],
+        },
+      },
+    });
+
+    expect(fs.existsSync(setupMarker)).toBe(true);
+    expect(fs.existsSync(fullMarker)).toBe(false);
+    expect(registry.channelSetups).toHaveLength(1);
+    expect(registry.channels).toHaveLength(1);
+  });
+
   it("blocks before_prompt_build but preserves legacy model overrides when prompt injection is disabled", async () => {
     useNoBundledPlugins();
     const plugin = writePlugin({
@@ -2674,4 +2986,42 @@ module.exports = { id: "skipped", register() { throw new Error("skipped plugin s
     );
     expect(resolved).toBe(srcFile);
   });
+
+  it("resolves plugin-sdk alias from package root when loader runs from transpiler cache path", () => {
+    const { root, srcFile } = createPluginSdkAliasFixture();
+
+    const resolved = withEnv({ NODE_ENV: undefined }, () =>
+      __testing.resolvePluginSdkAliasFile({
+        srcFile: "index.ts",
+        distFile: "index.js",
+        modulePath: "/tmp/tsx-cache/openclaw-loader.js",
+        argv1: path.join(root, "openclaw.mjs"),
+      }),
+    );
+    expect(resolved).toBe(srcFile);
+  });
+
+  it("resolves extension-api alias from package root when loader runs from transpiler cache path", () => {
+    const { root, srcFile } = createExtensionApiAliasFixture();
+
+    const resolved = withEnv({ NODE_ENV: undefined }, () =>
+      __testing.resolveExtensionApiAlias({
+        modulePath: "/tmp/tsx-cache/openclaw-loader.js",
+        argv1: path.join(root, "openclaw.mjs"),
+      }),
+    );
+    expect(resolved).toBe(srcFile);
+  });
+
+  it("resolves plugin runtime module from package root when loader runs from transpiler cache path", () => {
+    const { root, srcFile } = createPluginRuntimeAliasFixture();
+
+    const resolved = withEnv({ NODE_ENV: undefined }, () =>
+      __testing.resolvePluginRuntimeModulePath({
+        modulePath: "/tmp/tsx-cache/openclaw-loader.js",
+        argv1: path.join(root, "openclaw.mjs"),
+      }),
+    );
+    expect(resolved).toBe(srcFile);
+  });
 });
diff --git a/src/plugins/loader.ts b/src/plugins/loader.ts
index 6f32ee0d151..da9bcd3e993 100644
--- a/src/plugins/loader.ts
+++ b/src/plugins/loader.ts
@@ -2,7 +2,9 @@ import fs from "node:fs";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import { createJiti } from "jiti";
+import type { ChannelPlugin } from "../channels/plugins/types.js";
 import type { OpenClawConfig } from "../config/config.js";
+import { isChannelConfigured } from "../config/plugin-auto-enable.js";
 import type { PluginInstallRecord } from "../config/types.plugins.js";
 import type { GatewayRequestHandler } from "../gateway/server-methods/types.js";
 import { openBoundaryFileSync } from "../infra/boundary-file-read.js";
@@ -25,7 +27,7 @@ import { isPathInside, safeStatSync } from "./path-safety.js";
 import { createPluginRegistry, type PluginRecord, type PluginRegistry } from "./registry.js";
 import { resolvePluginCacheInputs } from "./roots.js";
 import { setActivePluginRegistry } from "./runtime.js";
-import { createPluginRuntime, type CreatePluginRuntimeOptions } from "./runtime/index.js";
+import type { CreatePluginRuntimeOptions } from "./runtime/index.js";
 import type { PluginRuntime } from "./runtime/types.js";
 import { validateJsonSchemaValue } from "./schema-validator.js";
 import type {
@@ -51,6 +53,7 @@ export type PluginLoadOptions = {
   cache?: boolean;
   mode?: "full" | "validate";
   onlyPluginIds?: string[];
+  includeSetupOnlyChannelPlugins?: boolean;
   activate?: boolean;
 };
 
@@ -67,6 +70,34 @@ const defaultLogger = () => createSubsystemLogger("plugins");
 
 type PluginSdkAliasCandidateKind = "dist" | "src";
 
+type LoaderModuleResolveParams = {
+  modulePath?: string;
+  argv1?: string;
+  cwd?: string;
+  moduleUrl?: string;
+};
+
+function resolveLoaderModulePath(params: LoaderModuleResolveParams = {}): string {
+  return params.modulePath ?? fileURLToPath(params.moduleUrl ?? import.meta.url);
+}
+
+function resolveLoaderPackageRoot(
+  params: LoaderModuleResolveParams & { modulePath: string },
+): string | null {
+  const cwd = params.cwd ?? path.dirname(params.modulePath);
+  const fromModulePath = resolveOpenClawPackageRootSync({ cwd });
+  if (fromModulePath) {
+    return fromModulePath;
+  }
+  const argv1 = params.argv1 ?? process.argv[1];
+  const moduleUrl = params.moduleUrl ?? (params.modulePath ? undefined : import.meta.url);
+  return resolveOpenClawPackageRootSync({
+    cwd,
+    ...(argv1 ? { argv1 } : {}),
+    ...(moduleUrl ? { moduleUrl } : {}),
+  });
+}
+
 function resolvePluginSdkAliasCandidateOrder(params: {
   modulePath: string;
   isProduction: boolean;
@@ -80,11 +111,22 @@ function listPluginSdkAliasCandidates(params: {
   srcFile: string;
   distFile: string;
   modulePath: string;
+  argv1?: string;
+  cwd?: string;
+  moduleUrl?: string;
 }) {
   const orderedKinds = resolvePluginSdkAliasCandidateOrder({
     modulePath: params.modulePath,
     isProduction: process.env.NODE_ENV === "production",
   });
+  const packageRoot = resolveLoaderPackageRoot(params);
+  if (packageRoot) {
+    const candidateMap = {
+      src: path.join(packageRoot, "src", "plugin-sdk", params.srcFile),
+      dist: path.join(packageRoot, "dist", "plugin-sdk", params.distFile),
+    } as const;
+    return orderedKinds.map((kind) => candidateMap[kind]);
+  }
   let cursor = path.dirname(params.modulePath);
   const candidates: string[] = [];
   for (let i = 0; i < 6; i += 1) {
@@ -108,13 +150,19 @@ const resolvePluginSdkAliasFile = (params: {
   srcFile: string;
   distFile: string;
   modulePath?: string;
+  argv1?: string;
+  cwd?: string;
+  moduleUrl?: string;
 }): string | null => {
   try {
-    const modulePath = params.modulePath ?? fileURLToPath(import.meta.url);
+    const modulePath = resolveLoaderModulePath(params);
     for (const candidate of listPluginSdkAliasCandidates({
       srcFile: params.srcFile,
       distFile: params.distFile,
       modulePath,
+      argv1: params.argv1,
+      cwd: params.cwd,
+      moduleUrl: params.moduleUrl,
     })) {
       if (fs.existsSync(candidate)) {
         return candidate;
@@ -129,12 +177,10 @@ const resolvePluginSdkAliasFile = (params: {
 const resolvePluginSdkAlias = (): string | null =>
   resolvePluginSdkAliasFile({ srcFile: "root-alias.cjs", distFile: "root-alias.cjs" });
 
-const resolveExtensionApiAlias = (params: { modulePath?: string } = {}): string | null => {
+const resolveExtensionApiAlias = (params: LoaderModuleResolveParams = {}): string | null => {
   try {
-    const modulePath = params.modulePath ?? fileURLToPath(import.meta.url);
-    const packageRoot = resolveOpenClawPackageRootSync({
-      cwd: path.dirname(modulePath),
-    });
+    const modulePath = resolveLoaderModulePath(params);
+    const packageRoot = resolveLoaderPackageRoot({ ...params, modulePath });
     if (!packageRoot) {
       return null;
     }
@@ -159,6 +205,35 @@ const resolveExtensionApiAlias = (params: { modulePath?: string } = {}): string
   return null;
 };
 
+function resolvePluginRuntimeModulePath(params: LoaderModuleResolveParams = {}): string | null {
+  try {
+    const modulePath = resolveLoaderModulePath(params);
+    const orderedKinds = resolvePluginSdkAliasCandidateOrder({
+      modulePath,
+      isProduction: process.env.NODE_ENV === "production",
+    });
+    const packageRoot = resolveLoaderPackageRoot({ ...params, modulePath });
+    const candidates = packageRoot
+      ? orderedKinds.map((kind) =>
+          kind === "src"
+            ? path.join(packageRoot, "src", "plugins", "runtime", "index.ts")
+            : path.join(packageRoot, "dist", "plugins", "runtime", "index.js"),
+        )
+      : [
+          path.join(path.dirname(modulePath), "runtime", "index.ts"),
+          path.join(path.dirname(modulePath), "runtime", "index.js"),
+        ];
+    for (const candidate of candidates) {
+      if (fs.existsSync(candidate)) {
+        return candidate;
+      }
+    }
+  } catch {
+    // ignore
+  }
+  return null;
+}
+
 const cachedPluginSdkExportedSubpaths = new Map<string, string[]>();
 
 function listPluginSdkExportedSubpaths(params: { modulePath?: string } = {}): string[] {
@@ -210,6 +285,7 @@ export const __testing = {
   resolveExtensionApiAlias,
   resolvePluginSdkAliasCandidateOrder,
   resolvePluginSdkAliasFile,
+  resolvePluginRuntimeModulePath,
   maxPluginRegistryCacheEntries: MAX_PLUGIN_REGISTRY_CACHE_ENTRIES,
 };
 
@@ -244,6 +320,7 @@ function buildCacheKey(params: {
   installs?: Record<string, PluginInstallRecord>;
   env: NodeJS.ProcessEnv;
   onlyPluginIds?: string[];
+  includeSetupOnlyChannelPlugins?: boolean;
 }): string {
   const { roots, loadPaths } = resolvePluginCacheInputs({
     workspaceDir: params.workspaceDir,
@@ -267,11 +344,12 @@ function buildCacheKey(params: {
     ]),
   );
   const scopeKey = JSON.stringify(params.onlyPluginIds ?? []);
+  const setupOnlyKey = params.includeSetupOnlyChannelPlugins === true ? "setup-only" : "runtime";
   return `${roots.workspace ?? ""}::${roots.global ?? ""}::${roots.stock ?? ""}::${JSON.stringify({
     ...params.plugins,
     installs,
     loadPaths,
-  })}::${scopeKey}`;
+  })}::${scopeKey}::${setupOnlyKey}`;
 }
 
 function normalizeScopedPluginIds(ids?: string[]): string[] | undefined {
@@ -326,6 +404,43 @@ function resolvePluginModuleExport(moduleExport: unknown): {
   return {};
 }
 
+function resolveSetupChannelRegistration(moduleExport: unknown): {
+  plugin?: ChannelPlugin;
+} {
+  const resolved =
+    moduleExport &&
+    typeof moduleExport === "object" &&
+    "default" in (moduleExport as Record<string, unknown>)
+      ? (moduleExport as { default: unknown }).default
+      : moduleExport;
+  if (!resolved || typeof resolved !== "object") {
+    return {};
+  }
+  const setup = resolved as {
+    plugin?: unknown;
+  };
+  if (!setup.plugin || typeof setup.plugin !== "object") {
+    return {};
+  }
+  return {
+    plugin: setup.plugin as ChannelPlugin,
+  };
+}
+
+function shouldLoadChannelPluginInSetupRuntime(params: {
+  manifestChannels: string[];
+  setupSource?: string;
+  cfg: OpenClawConfig;
+  env: NodeJS.ProcessEnv;
+}): boolean {
+  if (!params.setupSource || params.manifestChannels.length === 0) {
+    return false;
+  }
+  return !params.manifestChannels.some((channelId) =>
+    isChannelConfigured(params.cfg, channelId, params.env),
+  );
+}
+
 function createPluginRecord(params: {
   id: string;
   name?: string;
@@ -359,6 +474,7 @@ function createPluginRecord(params: {
     hookNames: [],
     channelIds: [],
     providerIds: [],
+    webSearchProviderIds: [],
     gatewayMethods: [],
     cliCommands: [],
     services: [],
@@ -668,6 +784,7 @@ export function loadOpenClawPlugins(options: PluginLoadOptions = {}): PluginRegi
   const normalized = normalizePluginsConfig(cfg.plugins);
   const onlyPluginIds = normalizeScopedPluginIds(options.onlyPluginIds);
   const onlyPluginIdSet = onlyPluginIds ? new Set(onlyPluginIds) : null;
+  const includeSetupOnlyChannelPlugins = options.includeSetupOnlyChannelPlugins === true;
   const shouldActivate = options.activate !== false;
   // NOTE: `activate` is intentionally excluded from the cache key. All non-activating
   // (snapshot) callers pass `cache: false` via loadOnboardingPluginRegistry(), so they
@@ -679,6 +796,7 @@ export function loadOpenClawPlugins(options: PluginLoadOptions = {}): PluginRegi
     installs: cfg.plugins?.installs,
     env,
     onlyPluginIds,
+    includeSetupOnlyChannelPlugins,
   });
   const cacheEnabled = options.cache !== false;
   if (cacheEnabled) {
@@ -698,11 +816,58 @@ export function loadOpenClawPlugins(options: PluginLoadOptions = {}): PluginRegi
     clearPluginInteractiveHandlers();
   }
 
+  // Lazy: avoid creating the Jiti loader when all plugins are disabled (common in unit tests).
+  let jitiLoader: ReturnType<typeof createJiti> | null = null;
+  const getJiti = () => {
+    if (jitiLoader) {
+      return jitiLoader;
+    }
+    const pluginSdkAlias = resolvePluginSdkAlias();
+    const extensionApiAlias = resolveExtensionApiAlias();
+    const aliasMap = {
+      ...(extensionApiAlias ? { "openclaw/extension-api": extensionApiAlias } : {}),
+      ...(pluginSdkAlias ? { "openclaw/plugin-sdk": pluginSdkAlias } : {}),
+      ...resolvePluginSdkScopedAliasMap(),
+    };
+    jitiLoader = createJiti(import.meta.url, {
+      interopDefault: true,
+      extensions: [".ts", ".tsx", ".mts", ".cts", ".mtsx", ".ctsx", ".js", ".mjs", ".cjs", ".json"],
+      ...(Object.keys(aliasMap).length > 0
+        ? {
+            alias: aliasMap,
+          }
+        : {}),
+    });
+    return jitiLoader;
+  };
+
+  let createPluginRuntimeFactory: ((options?: CreatePluginRuntimeOptions) => PluginRuntime) | null =
+    null;
+  const resolveCreatePluginRuntime = (): ((
+    options?: CreatePluginRuntimeOptions,
+  ) => PluginRuntime) => {
+    if (createPluginRuntimeFactory) {
+      return createPluginRuntimeFactory;
+    }
+    const runtimeModulePath = resolvePluginRuntimeModulePath();
+    if (!runtimeModulePath) {
+      throw new Error("Unable to resolve plugin runtime module");
+    }
+    const runtimeModule = getJiti()(runtimeModulePath) as {
+      createPluginRuntime?: (options?: CreatePluginRuntimeOptions) => PluginRuntime;
+    };
+    if (typeof runtimeModule.createPluginRuntime !== "function") {
+      throw new Error("Plugin runtime module missing createPluginRuntime export");
+    }
+    createPluginRuntimeFactory = runtimeModule.createPluginRuntime;
+    return createPluginRuntimeFactory;
+  };
+
   // Lazily initialize the runtime so startup paths that discover/skip plugins do
-  // not eagerly load every channel runtime dependency.
+  // not eagerly load every channel/runtime dependency tree.
   let resolvedRuntime: PluginRuntime | null = null;
   const resolveRuntime = (): PluginRuntime => {
-    resolvedRuntime ??= createPluginRuntime(options.runtimeOptions);
+    resolvedRuntime ??= resolveCreatePluginRuntime()(options.runtimeOptions);
     return resolvedRuntime;
   };
   const runtime = new Proxy({} as PluginRuntime, {
@@ -731,6 +896,7 @@ export function loadOpenClawPlugins(options: PluginLoadOptions = {}): PluginRegi
       return Reflect.getPrototypeOf(resolveRuntime() as object);
     },
   });
+
   const { registry, createApi } = createPluginRegistry({
     logger,
     runtime,
@@ -774,31 +940,6 @@ export function loadOpenClawPlugins(options: PluginLoadOptions = {}): PluginRegi
     env,
   });
 
-  // Lazy: avoid creating the Jiti loader when all plugins are disabled (common in unit tests).
-  let jitiLoader: ReturnType<typeof createJiti> | null = null;
-  const getJiti = () => {
-    if (jitiLoader) {
-      return jitiLoader;
-    }
-    const pluginSdkAlias = resolvePluginSdkAlias();
-    const extensionApiAlias = resolveExtensionApiAlias();
-    const aliasMap = {
-      ...(extensionApiAlias ? { "openclaw/extension-api": extensionApiAlias } : {}),
-      ...(pluginSdkAlias ? { "openclaw/plugin-sdk": pluginSdkAlias } : {}),
-      ...resolvePluginSdkScopedAliasMap(),
-    };
-    jitiLoader = createJiti(import.meta.url, {
-      interopDefault: true,
-      extensions: [".ts", ".tsx", ".mts", ".cts", ".mtsx", ".ctsx", ".js", ".mjs", ".cjs", ".json"],
-      ...(Object.keys(aliasMap).length > 0
-        ? {
-            alias: aliasMap,
-          }
-        : {}),
-    });
-    return jitiLoader;
-  };
-
   const manifestByRoot = new Map(
     manifestRegistry.plugins.map((record) => [record.rootDir, record]),
   );
@@ -890,8 +1031,16 @@ export function loadOpenClawPlugins(options: PluginLoadOptions = {}): PluginRegi
     };
 
     const registrationMode = enableState.enabled
-      ? "full"
-      : !validateOnly && manifestRecord.channels.length > 0
+      ? !validateOnly &&
+        shouldLoadChannelPluginInSetupRuntime({
+          manifestChannels: manifestRecord.channels,
+          setupSource: manifestRecord.setupSource,
+          cfg,
+          env,
+        })
+        ? "setup-runtime"
+        : "full"
+      : includeSetupOnlyChannelPlugins && !validateOnly && manifestRecord.channels.length > 0
         ? "setup-only"
         : null;
 
@@ -959,8 +1108,13 @@ export function loadOpenClawPlugins(options: PluginLoadOptions = {}): PluginRegi
     }
 
     const pluginRoot = safeRealpathOrResolve(candidate.rootDir);
+    const loadSource =
+      (registrationMode === "setup-only" || registrationMode === "setup-runtime") &&
+      manifestRecord.setupSource
+        ? manifestRecord.setupSource
+        : candidate.source;
     const opened = openBoundaryFileSync({
-      absolutePath: candidate.source,
+      absolutePath: loadSource,
       rootPath: pluginRoot,
       boundaryLabel: "plugin root",
       rejectHardlinks: candidate.origin !== "bundled",
@@ -991,6 +1145,31 @@ export function loadOpenClawPlugins(options: PluginLoadOptions = {}): PluginRegi
       continue;
     }
 
+    if (
+      (registrationMode === "setup-only" || registrationMode === "setup-runtime") &&
+      manifestRecord.setupSource
+    ) {
+      const setupRegistration = resolveSetupChannelRegistration(mod);
+      if (setupRegistration.plugin) {
+        if (setupRegistration.plugin.id && setupRegistration.plugin.id !== record.id) {
+          pushPluginLoadError(
+            `plugin id mismatch (config uses "${record.id}", setup export uses "${setupRegistration.plugin.id}")`,
+          );
+          continue;
+        }
+        const api = createApi(record, {
+          config: cfg,
+          pluginConfig: {},
+          hookPolicy: entry?.hooks,
+          registrationMode,
+        });
+        api.registerChannel(setupRegistration.plugin);
+        registry.plugins.push(record);
+        seenIds.set(pluginId, candidate.origin);
+        continue;
+      }
+    }
+
     const resolved = resolvePluginModuleExport(mod);
     const definition = resolved.definition;
     const register = resolved.register;
diff --git a/src/plugins/manifest-registry.test.ts b/src/plugins/manifest-registry.test.ts
index 6f4c0353330..c60e5444443 100644
--- a/src/plugins/manifest-registry.test.ts
+++ b/src/plugins/manifest-registry.test.ts
@@ -199,6 +199,44 @@ describe("loadPluginManifestRegistry", () => {
     ).toBe(true);
   });
 
+  it("preserves provider auth env metadata from plugin manifests", () => {
+    const dir = makeTempDir();
+    writeManifest(dir, {
+      id: "openai",
+      providers: ["openai", "openai-codex"],
+      providerAuthEnvVars: {
+        openai: ["OPENAI_API_KEY"],
+      },
+      providerAuthChoices: [
+        {
+          provider: "openai",
+          method: "api-key",
+          choiceId: "openai-api-key",
+          choiceLabel: "OpenAI API key",
+        },
+      ],
+      configSchema: { type: "object" },
+    });
+
+    const registry = loadSingleCandidateRegistry({
+      idHint: "openai",
+      rootDir: dir,
+      origin: "bundled",
+    });
+
+    expect(registry.plugins[0]?.providerAuthEnvVars).toEqual({
+      openai: ["OPENAI_API_KEY"],
+    });
+    expect(registry.plugins[0]?.providerAuthChoices).toEqual([
+      {
+        provider: "openai",
+        method: "api-key",
+        choiceId: "openai-api-key",
+        choiceLabel: "OpenAI API key",
+      },
+    ]);
+  });
+
   it("reports bundled plugins as the duplicate winner for auto-discovered globals", () => {
     const bundledDir = makeTempDir();
     const globalDir = makeTempDir();
@@ -331,6 +369,40 @@ describe("loadPluginManifestRegistry", () => {
     );
   });
 
+  it("accepts plugin-style id hints without warning", () => {
+    const dir = makeTempDir();
+    writeManifest(dir, { id: "brave", configSchema: { type: "object" } });
+
+    const registry = loadRegistry([
+      createPluginCandidate({
+        idHint: "brave-plugin",
+        rootDir: dir,
+        origin: "bundled",
+      }),
+    ]);
+
+    expect(registry.diagnostics.some((diag) => diag.message.includes("plugin id mismatch"))).toBe(
+      false,
+    );
+  });
+
+  it("accepts sandbox-style id hints without warning", () => {
+    const dir = makeTempDir();
+    writeManifest(dir, { id: "openshell", configSchema: { type: "object" } });
+
+    const registry = loadRegistry([
+      createPluginCandidate({
+        idHint: "openshell-sandbox",
+        rootDir: dir,
+        origin: "bundled",
+      }),
+    ]);
+
+    expect(registry.diagnostics.some((diag) => diag.message.includes("plugin id mismatch"))).toBe(
+      false,
+    );
+  });
+
   it("still warns for unrelated id hint mismatches", () => {
     const dir = makeTempDir();
     writeManifest(dir, { id: "openai", configSchema: { type: "object" } });
diff --git a/src/plugins/manifest-registry.ts b/src/plugins/manifest-registry.ts
index 48fdae50d95..ea646f38797 100644
--- a/src/plugins/manifest-registry.ts
+++ b/src/plugins/manifest-registry.ts
@@ -41,6 +41,8 @@ export type PluginManifestRecord = {
   kind?: PluginKind;
   channels: string[];
   providers: string[];
+  providerAuthEnvVars?: Record<string, string[]>;
+  providerAuthChoices?: PluginManifest["providerAuthChoices"];
   skills: string[];
   settingsFiles?: string[];
   hooks: string[];
@@ -48,6 +50,7 @@ export type PluginManifestRecord = {
   workspaceDir?: string;
   rootDir: string;
   source: string;
+  setupSource?: string;
   manifestPath: string;
   schemaCacheKey?: string;
   configSchema?: Record<string, unknown>;
@@ -130,7 +133,11 @@ function isCompatiblePluginIdHint(idHint: string | undefined, manifestId: string
   if (normalizedHint === manifestId) {
     return true;
   }
-  return normalizedHint === `${manifestId}-provider`;
+  return (
+    normalizedHint === `${manifestId}-provider` ||
+    normalizedHint === `${manifestId}-plugin` ||
+    normalizedHint === `${manifestId}-sandbox`
+  );
 }
 
 function buildRecord(params: {
@@ -151,6 +158,8 @@ function buildRecord(params: {
     kind: params.manifest.kind,
     channels: params.manifest.channels ?? [],
     providers: params.manifest.providers ?? [],
+    providerAuthEnvVars: params.manifest.providerAuthEnvVars,
+    providerAuthChoices: params.manifest.providerAuthChoices,
     skills: params.manifest.skills ?? [],
     settingsFiles: [],
     hooks: [],
@@ -158,6 +167,7 @@ function buildRecord(params: {
     workspaceDir: params.candidate.workspaceDir,
     rootDir: params.candidate.rootDir,
     source: params.candidate.source,
+    setupSource: params.candidate.setupSource,
     manifestPath: params.manifestPath,
     schemaCacheKey: params.schemaCacheKey,
     configSchema: params.configSchema,
diff --git a/src/plugins/manifest.ts b/src/plugins/manifest.ts
index 3a3abe0a620..d330b982ce1 100644
--- a/src/plugins/manifest.ts
+++ b/src/plugins/manifest.ts
@@ -14,6 +14,13 @@ export type PluginManifest = {
   kind?: PluginKind;
   channels?: string[];
   providers?: string[];
+  /** Cheap provider-auth env lookup without booting plugin runtime. */
+  providerAuthEnvVars?: Record<string, string[]>;
+  /**
+   * Cheap onboarding/auth-choice metadata used by config validation, CLI help,
+   * and non-runtime auth-choice routing before provider runtime loads.
+   */
+  providerAuthChoices?: PluginManifestProviderAuthChoice[];
   skills?: string[];
   name?: string;
   description?: string;
@@ -21,6 +28,27 @@ export type PluginManifest = {
   uiHints?: Record<string, PluginConfigUiHint>;
 };
 
+export type PluginManifestProviderAuthChoice = {
+  /** Provider id owned by this manifest entry. */
+  provider: string;
+  /** Provider auth method id that this choice should dispatch to. */
+  method: string;
+  /** Stable auth-choice id used by onboarding and other CLI auth flows. */
+  choiceId: string;
+  /** Optional user-facing choice label/hint for grouped onboarding UI. */
+  choiceLabel?: string;
+  choiceHint?: string;
+  /** Optional grouping metadata for auth-choice pickers. */
+  groupId?: string;
+  groupLabel?: string;
+  groupHint?: string;
+  /** Optional CLI flag metadata for one-flag auth flows such as API keys. */
+  optionKey?: string;
+  cliFlag?: string;
+  cliOption?: string;
+  cliDescription?: string;
+};
+
 export type PluginManifestLoadResult =
   | { ok: true; manifest: PluginManifest; manifestPath: string }
   | { ok: false; error: string; manifestPath: string };
@@ -32,6 +60,70 @@ function normalizeStringList(value: unknown): string[] {
   return value.map((entry) => (typeof entry === "string" ? entry.trim() : "")).filter(Boolean);
 }
 
+function normalizeStringListRecord(value: unknown): Record<string, string[]> | undefined {
+  if (!isRecord(value)) {
+    return undefined;
+  }
+  const normalized: Record<string, string[]> = {};
+  for (const [key, rawValues] of Object.entries(value)) {
+    const providerId = typeof key === "string" ? key.trim() : "";
+    if (!providerId) {
+      continue;
+    }
+    const values = normalizeStringList(rawValues);
+    if (values.length === 0) {
+      continue;
+    }
+    normalized[providerId] = values;
+  }
+  return Object.keys(normalized).length > 0 ? normalized : undefined;
+}
+
+function normalizeProviderAuthChoices(
+  value: unknown,
+): PluginManifestProviderAuthChoice[] | undefined {
+  if (!Array.isArray(value)) {
+    return undefined;
+  }
+  const normalized: PluginManifestProviderAuthChoice[] = [];
+  for (const entry of value) {
+    if (!isRecord(entry)) {
+      continue;
+    }
+    const provider = typeof entry.provider === "string" ? entry.provider.trim() : "";
+    const method = typeof entry.method === "string" ? entry.method.trim() : "";
+    const choiceId = typeof entry.choiceId === "string" ? entry.choiceId.trim() : "";
+    if (!provider || !method || !choiceId) {
+      continue;
+    }
+    const choiceLabel = typeof entry.choiceLabel === "string" ? entry.choiceLabel.trim() : "";
+    const choiceHint = typeof entry.choiceHint === "string" ? entry.choiceHint.trim() : "";
+    const groupId = typeof entry.groupId === "string" ? entry.groupId.trim() : "";
+    const groupLabel = typeof entry.groupLabel === "string" ? entry.groupLabel.trim() : "";
+    const groupHint = typeof entry.groupHint === "string" ? entry.groupHint.trim() : "";
+    const optionKey = typeof entry.optionKey === "string" ? entry.optionKey.trim() : "";
+    const cliFlag = typeof entry.cliFlag === "string" ? entry.cliFlag.trim() : "";
+    const cliOption = typeof entry.cliOption === "string" ? entry.cliOption.trim() : "";
+    const cliDescription =
+      typeof entry.cliDescription === "string" ? entry.cliDescription.trim() : "";
+    normalized.push({
+      provider,
+      method,
+      choiceId,
+      ...(choiceLabel ? { choiceLabel } : {}),
+      ...(choiceHint ? { choiceHint } : {}),
+      ...(groupId ? { groupId } : {}),
+      ...(groupLabel ? { groupLabel } : {}),
+      ...(groupHint ? { groupHint } : {}),
+      ...(optionKey ? { optionKey } : {}),
+      ...(cliFlag ? { cliFlag } : {}),
+      ...(cliOption ? { cliOption } : {}),
+      ...(cliDescription ? { cliDescription } : {}),
+    });
+  }
+  return normalized.length > 0 ? normalized : undefined;
+}
+
 export function resolvePluginManifestPath(rootDir: string): string {
   for (const filename of PLUGIN_MANIFEST_FILENAMES) {
     const candidate = path.join(rootDir, filename);
@@ -93,6 +185,8 @@ export function loadPluginManifest(
   const version = typeof raw.version === "string" ? raw.version.trim() : undefined;
   const channels = normalizeStringList(raw.channels);
   const providers = normalizeStringList(raw.providers);
+  const providerAuthEnvVars = normalizeStringListRecord(raw.providerAuthEnvVars);
+  const providerAuthChoices = normalizeProviderAuthChoices(raw.providerAuthChoices);
   const skills = normalizeStringList(raw.skills);
 
   let uiHints: Record<string, PluginConfigUiHint> | undefined;
@@ -108,6 +202,8 @@ export function loadPluginManifest(
       kind,
       channels,
       providers,
+      providerAuthEnvVars,
+      providerAuthChoices,
       skills,
       name,
       description,
@@ -118,7 +214,7 @@ export function loadPluginManifest(
   };
 }
 
-// package.json "openclaw" metadata (used for onboarding/catalog)
+// package.json "openclaw" metadata (used for setup/catalog)
 export type PluginPackageChannel = {
   id?: string;
   label?: string;
@@ -148,6 +244,7 @@ export type PluginPackageInstall = {
 
 export type OpenClawPackageManifest = {
   extensions?: string[];
+  setupEntry?: string;
   channel?: PluginPackageChannel;
   install?: PluginPackageInstall;
 };
diff --git a/src/plugins/marketplace.test.ts b/src/plugins/marketplace.test.ts
new file mode 100644
index 00000000000..14d3bda0323
--- /dev/null
+++ b/src/plugins/marketplace.test.ts
@@ -0,0 +1,141 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { withEnvAsync } from "../test-utils/env.js";
+
+const installPluginFromPathMock = vi.fn();
+
+vi.mock("./install.js", () => ({
+  installPluginFromPath: (...args: unknown[]) => installPluginFromPathMock(...args),
+}));
+
+async function withTempDir<T>(fn: (dir: string) => Promise<T>): Promise<T> {
+  const dir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-marketplace-test-"));
+  try {
+    return await fn(dir);
+  } finally {
+    await fs.rm(dir, { recursive: true, force: true });
+  }
+}
+
+describe("marketplace plugins", () => {
+  afterEach(() => {
+    installPluginFromPathMock.mockReset();
+  });
+
+  it("lists plugins from a local marketplace root", async () => {
+    await withTempDir(async (rootDir) => {
+      await fs.mkdir(path.join(rootDir, ".claude-plugin"), { recursive: true });
+      await fs.writeFile(
+        path.join(rootDir, ".claude-plugin", "marketplace.json"),
+        JSON.stringify({
+          name: "Example Marketplace",
+          version: "1.0.0",
+          plugins: [
+            {
+              name: "frontend-design",
+              version: "0.1.0",
+              description: "Design system bundle",
+              source: "./plugins/frontend-design",
+            },
+          ],
+        }),
+      );
+
+      const { listMarketplacePlugins } = await import("./marketplace.js");
+      const result = await listMarketplacePlugins({ marketplace: rootDir });
+      expect(result).toEqual({
+        ok: true,
+        sourceLabel: expect.stringContaining(".claude-plugin/marketplace.json"),
+        manifest: {
+          name: "Example Marketplace",
+          version: "1.0.0",
+          plugins: [
+            {
+              name: "frontend-design",
+              version: "0.1.0",
+              description: "Design system bundle",
+              source: { kind: "path", path: "./plugins/frontend-design" },
+            },
+          ],
+        },
+      });
+    });
+  });
+
+  it("resolves relative plugin paths against the marketplace root", async () => {
+    await withTempDir(async (rootDir) => {
+      const pluginDir = path.join(rootDir, "plugins", "frontend-design");
+      await fs.mkdir(path.join(rootDir, ".claude-plugin"), { recursive: true });
+      await fs.mkdir(pluginDir, { recursive: true });
+      await fs.writeFile(
+        path.join(rootDir, ".claude-plugin", "marketplace.json"),
+        JSON.stringify({
+          plugins: [
+            {
+              name: "frontend-design",
+              source: "./plugins/frontend-design",
+            },
+          ],
+        }),
+      );
+      installPluginFromPathMock.mockResolvedValue({
+        ok: true,
+        pluginId: "frontend-design",
+        targetDir: "/tmp/frontend-design",
+        version: "0.1.0",
+        extensions: ["index.ts"],
+      });
+
+      const { installPluginFromMarketplace } = await import("./marketplace.js");
+      const result = await installPluginFromMarketplace({
+        marketplace: path.join(rootDir, ".claude-plugin", "marketplace.json"),
+        plugin: "frontend-design",
+      });
+
+      expect(installPluginFromPathMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          path: pluginDir,
+        }),
+      );
+      expect(result).toMatchObject({
+        ok: true,
+        pluginId: "frontend-design",
+        marketplacePlugin: "frontend-design",
+        marketplaceSource: path.join(rootDir, ".claude-plugin", "marketplace.json"),
+      });
+    });
+  });
+
+  it("resolves Claude-style plugin@marketplace shortcuts from known_marketplaces.json", async () => {
+    await withTempDir(async (homeDir) => {
+      await fs.mkdir(path.join(homeDir, ".claude", "plugins"), { recursive: true });
+      await fs.writeFile(
+        path.join(homeDir, ".claude", "plugins", "known_marketplaces.json"),
+        JSON.stringify({
+          "claude-plugins-official": {
+            source: {
+              source: "github",
+              repo: "anthropics/claude-plugins-official",
+            },
+            installLocation: path.join(homeDir, ".claude", "plugins", "marketplaces", "official"),
+          },
+        }),
+      );
+
+      const { resolveMarketplaceInstallShortcut } = await import("./marketplace.js");
+      const shortcut = await withEnvAsync(
+        { HOME: homeDir },
+        async () => await resolveMarketplaceInstallShortcut("superpowers@claude-plugins-official"),
+      );
+
+      expect(shortcut).toEqual({
+        ok: true,
+        plugin: "superpowers",
+        marketplaceName: "claude-plugins-official",
+        marketplaceSource: "claude-plugins-official",
+      });
+    });
+  });
+});
diff --git a/src/plugins/marketplace.ts b/src/plugins/marketplace.ts
new file mode 100644
index 00000000000..4999c3c8828
--- /dev/null
+++ b/src/plugins/marketplace.ts
@@ -0,0 +1,832 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { resolveArchiveKind } from "../infra/archive.js";
+import { runCommandWithTimeout } from "../process/exec.js";
+import { resolveUserPath } from "../utils.js";
+import { installPluginFromPath, type InstallPluginResult } from "./install.js";
+
+const DEFAULT_GIT_TIMEOUT_MS = 120_000;
+const MARKETPLACE_MANIFEST_CANDIDATES = [
+  path.join(".claude-plugin", "marketplace.json"),
+  "marketplace.json",
+] as const;
+const CLAUDE_KNOWN_MARKETPLACES_PATH = path.join(
+  "~",
+  ".claude",
+  "plugins",
+  "known_marketplaces.json",
+);
+
+type MarketplaceLogger = {
+  info?: (message: string) => void;
+  warn?: (message: string) => void;
+};
+
+type MarketplaceEntrySource =
+  | { kind: "path"; path: string }
+  | { kind: "github"; repo: string; path?: string; ref?: string }
+  | { kind: "git"; url: string; path?: string; ref?: string }
+  | { kind: "git-subdir"; url: string; path: string; ref?: string }
+  | { kind: "url"; url: string };
+
+export type MarketplacePluginEntry = {
+  name: string;
+  version?: string;
+  description?: string;
+  source: MarketplaceEntrySource;
+};
+
+export type MarketplaceManifest = {
+  name?: string;
+  version?: string;
+  plugins: MarketplacePluginEntry[];
+};
+
+type LoadedMarketplace = {
+  manifest: MarketplaceManifest;
+  rootDir: string;
+  sourceLabel: string;
+  cleanup?: () => Promise<void>;
+};
+
+type KnownMarketplaceRecord = {
+  installLocation?: string;
+  source?: unknown;
+};
+
+export type MarketplacePluginListResult =
+  | {
+      ok: true;
+      manifest: MarketplaceManifest;
+      sourceLabel: string;
+    }
+  | {
+      ok: false;
+      error: string;
+    };
+
+export type MarketplaceInstallResult =
+  | ({
+      ok: true;
+      marketplaceName?: string;
+      marketplaceVersion?: string;
+      marketplacePlugin: string;
+      marketplaceSource: string;
+      marketplaceEntryVersion?: string;
+    } & Extract<InstallPluginResult, { ok: true }>)
+  | Extract<InstallPluginResult, { ok: false }>;
+
+export type MarketplaceShortcutResolution =
+  | {
+      ok: true;
+      plugin: string;
+      marketplaceName: string;
+      marketplaceSource: string;
+    }
+  | {
+      ok: false;
+      error: string;
+    }
+  | null;
+
+function isHttpUrl(value: string): boolean {
+  return /^https?:\/\//i.test(value);
+}
+
+function isGitUrl(value: string): boolean {
+  return (
+    /^git@/i.test(value) || /^ssh:\/\//i.test(value) || /^https?:\/\/.+\.git(?:#.*)?$/i.test(value)
+  );
+}
+
+function looksLikeGitHubRepoShorthand(value: string): boolean {
+  return /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(?:#.+)?$/.test(value.trim());
+}
+
+function splitRef(value: string): { base: string; ref?: string } {
+  const trimmed = value.trim();
+  const hashIndex = trimmed.lastIndexOf("#");
+  if (hashIndex <= 0 || hashIndex >= trimmed.length - 1) {
+    return { base: trimmed };
+  }
+  return {
+    base: trimmed.slice(0, hashIndex),
+    ref: trimmed.slice(hashIndex + 1).trim() || undefined,
+  };
+}
+
+function toOptionalString(value: unknown): string | undefined {
+  if (typeof value !== "string") {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : undefined;
+}
+
+function normalizeEntrySource(
+  raw: unknown,
+): { ok: true; source: MarketplaceEntrySource } | { ok: false; error: string } {
+  if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    if (!trimmed) {
+      return { ok: false, error: "empty plugin source" };
+    }
+    if (isHttpUrl(trimmed)) {
+      return { ok: true, source: { kind: "url", url: trimmed } };
+    }
+    return { ok: true, source: { kind: "path", path: trimmed } };
+  }
+
+  if (!raw || typeof raw !== "object") {
+    return { ok: false, error: "plugin source must be a string or object" };
+  }
+
+  const rec = raw as Record<string, unknown>;
+  const kind = toOptionalString(rec.type) ?? toOptionalString(rec.source);
+  if (!kind) {
+    return { ok: false, error: 'plugin source object missing "type" or "source"' };
+  }
+
+  if (kind === "path") {
+    const sourcePath = toOptionalString(rec.path);
+    if (!sourcePath) {
+      return { ok: false, error: 'path source missing "path"' };
+    }
+    return { ok: true, source: { kind: "path", path: sourcePath } };
+  }
+
+  if (kind === "github") {
+    const repo = toOptionalString(rec.repo) ?? toOptionalString(rec.url);
+    if (!repo) {
+      return { ok: false, error: 'github source missing "repo"' };
+    }
+    return {
+      ok: true,
+      source: {
+        kind: "github",
+        repo,
+        path: toOptionalString(rec.path),
+        ref: toOptionalString(rec.ref) ?? toOptionalString(rec.branch) ?? toOptionalString(rec.tag),
+      },
+    };
+  }
+
+  if (kind === "git") {
+    const url = toOptionalString(rec.url) ?? toOptionalString(rec.repo);
+    if (!url) {
+      return { ok: false, error: 'git source missing "url"' };
+    }
+    return {
+      ok: true,
+      source: {
+        kind: "git",
+        url,
+        path: toOptionalString(rec.path),
+        ref: toOptionalString(rec.ref) ?? toOptionalString(rec.branch) ?? toOptionalString(rec.tag),
+      },
+    };
+  }
+
+  if (kind === "git-subdir") {
+    const url = toOptionalString(rec.url) ?? toOptionalString(rec.repo);
+    const sourcePath = toOptionalString(rec.path) ?? toOptionalString(rec.subdir);
+    if (!url) {
+      return { ok: false, error: 'git-subdir source missing "url"' };
+    }
+    if (!sourcePath) {
+      return { ok: false, error: 'git-subdir source missing "path"' };
+    }
+    return {
+      ok: true,
+      source: {
+        kind: "git-subdir",
+        url,
+        path: sourcePath,
+        ref: toOptionalString(rec.ref) ?? toOptionalString(rec.branch) ?? toOptionalString(rec.tag),
+      },
+    };
+  }
+
+  if (kind === "url") {
+    const url = toOptionalString(rec.url);
+    if (!url) {
+      return { ok: false, error: 'url source missing "url"' };
+    }
+    return { ok: true, source: { kind: "url", url } };
+  }
+
+  return { ok: false, error: `unsupported plugin source kind: ${kind}` };
+}
+
+function marketplaceEntrySourceToInput(source: MarketplaceEntrySource): string {
+  switch (source.kind) {
+    case "path":
+      return source.path;
+    case "github":
+      return `${source.repo}${source.ref ? `#${source.ref}` : ""}`;
+    case "git":
+      return `${source.url}${source.ref ? `#${source.ref}` : ""}`;
+    case "git-subdir":
+      return `${source.url}${source.ref ? `#${source.ref}` : ""}`;
+    case "url":
+      return source.url;
+  }
+}
+
+function parseMarketplaceManifest(
+  raw: string,
+  sourceLabel: string,
+): { ok: true; manifest: MarketplaceManifest } | { ok: false; error: string } {
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    return { ok: false, error: `invalid marketplace JSON at ${sourceLabel}: ${String(err)}` };
+  }
+
+  if (!parsed || typeof parsed !== "object") {
+    return { ok: false, error: `invalid marketplace JSON at ${sourceLabel}: expected object` };
+  }
+
+  const rec = parsed as Record<string, unknown>;
+  if (!Array.isArray(rec.plugins)) {
+    return { ok: false, error: `invalid marketplace JSON at ${sourceLabel}: missing plugins[]` };
+  }
+
+  const plugins: MarketplacePluginEntry[] = [];
+  for (const entry of rec.plugins) {
+    if (!entry || typeof entry !== "object") {
+      return { ok: false, error: `invalid marketplace entry in ${sourceLabel}: expected object` };
+    }
+    const plugin = entry as Record<string, unknown>;
+    const name = toOptionalString(plugin.name);
+    if (!name) {
+      return { ok: false, error: `invalid marketplace entry in ${sourceLabel}: missing name` };
+    }
+    const normalizedSource = normalizeEntrySource(plugin.source);
+    if (!normalizedSource.ok) {
+      return {
+        ok: false,
+        error: `invalid marketplace entry "${name}" in ${sourceLabel}: ${normalizedSource.error}`,
+      };
+    }
+    plugins.push({
+      name,
+      version: toOptionalString(plugin.version),
+      description: toOptionalString(plugin.description),
+      source: normalizedSource.source,
+    });
+  }
+
+  return {
+    ok: true,
+    manifest: {
+      name: toOptionalString(rec.name),
+      version: toOptionalString(rec.version),
+      plugins,
+    },
+  };
+}
+
+async function pathExists(target: string): Promise<boolean> {
+  try {
+    await fs.access(target);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function readClaudeKnownMarketplaces(): Promise<Record<string, KnownMarketplaceRecord>> {
+  const knownPath = resolveUserPath(CLAUDE_KNOWN_MARKETPLACES_PATH);
+  if (!(await pathExists(knownPath))) {
+    return {};
+  }
+
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(await fs.readFile(knownPath, "utf-8"));
+  } catch {
+    return {};
+  }
+
+  if (!parsed || typeof parsed !== "object") {
+    return {};
+  }
+
+  const entries = parsed as Record<string, unknown>;
+  const result: Record<string, KnownMarketplaceRecord> = {};
+  for (const [name, value] of Object.entries(entries)) {
+    if (!value || typeof value !== "object") {
+      continue;
+    }
+    const record = value as Record<string, unknown>;
+    result[name] = {
+      installLocation: toOptionalString(record.installLocation),
+      source: record.source,
+    };
+  }
+  return result;
+}
+
+function deriveMarketplaceRootFromManifestPath(manifestPath: string): string {
+  const manifestDir = path.dirname(manifestPath);
+  return path.basename(manifestDir) === ".claude-plugin" ? path.dirname(manifestDir) : manifestDir;
+}
+
+async function resolveLocalMarketplaceSource(
+  input: string,
+): Promise<
+  { ok: true; rootDir: string; manifestPath: string } | { ok: false; error: string } | null
+> {
+  const resolved = resolveUserPath(input);
+  if (!(await pathExists(resolved))) {
+    return null;
+  }
+
+  const stat = await fs.stat(resolved);
+  if (stat.isFile()) {
+    return {
+      ok: true,
+      rootDir: deriveMarketplaceRootFromManifestPath(resolved),
+      manifestPath: resolved,
+    };
+  }
+
+  if (!stat.isDirectory()) {
+    return { ok: false, error: `unsupported marketplace source: ${resolved}` };
+  }
+
+  const rootDir = path.basename(resolved) === ".claude-plugin" ? path.dirname(resolved) : resolved;
+  for (const candidate of MARKETPLACE_MANIFEST_CANDIDATES) {
+    const manifestPath = path.join(rootDir, candidate);
+    if (await pathExists(manifestPath)) {
+      return { ok: true, rootDir, manifestPath };
+    }
+  }
+
+  return { ok: false, error: `marketplace manifest not found under ${resolved}` };
+}
+
+function normalizeGitCloneSource(
+  source: string,
+): { url: string; ref?: string; label: string } | null {
+  const split = splitRef(source);
+  if (looksLikeGitHubRepoShorthand(split.base)) {
+    return {
+      url: `https://github.com/${split.base}.git`,
+      ref: split.ref,
+      label: split.base,
+    };
+  }
+
+  if (isGitUrl(source)) {
+    return {
+      url: split.base,
+      ref: split.ref,
+      label: split.base,
+    };
+  }
+
+  if (isHttpUrl(source)) {
+    try {
+      const url = new URL(split.base);
+      if (url.hostname !== "github.com") {
+        return null;
+      }
+      const parts = url.pathname.replace(/\/+$/, "").split("/").filter(Boolean);
+      if (parts.length < 2) {
+        return null;
+      }
+      const repo = `${parts[0]}/${parts[1]?.replace(/\.git$/i, "")}`;
+      return {
+        url: `https://github.com/${repo}.git`,
+        ref: split.ref,
+        label: repo,
+      };
+    } catch {
+      return null;
+    }
+  }
+
+  return null;
+}
+
+async function cloneMarketplaceRepo(params: {
+  source: string;
+  timeoutMs?: number;
+  logger?: MarketplaceLogger;
+}): Promise<
+  | { ok: true; rootDir: string; cleanup: () => Promise<void>; label: string }
+  | { ok: false; error: string }
+> {
+  const normalized = normalizeGitCloneSource(params.source);
+  if (!normalized) {
+    return { ok: false, error: `unsupported marketplace source: ${params.source}` };
+  }
+
+  const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-marketplace-"));
+  const repoDir = path.join(tmpDir, "repo");
+  const argv = ["git", "clone", "--depth", "1"];
+  if (normalized.ref) {
+    argv.push("--branch", normalized.ref);
+  }
+  argv.push(normalized.url, repoDir);
+  params.logger?.info?.(`Cloning marketplace source ${normalized.label}...`);
+  const res = await runCommandWithTimeout(argv, {
+    timeoutMs: params.timeoutMs ?? DEFAULT_GIT_TIMEOUT_MS,
+  });
+  if (res.code !== 0) {
+    await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => undefined);
+    const detail = res.stderr.trim() || res.stdout.trim() || "git clone failed";
+    return {
+      ok: false,
+      error: `failed to clone marketplace source ${normalized.label}: ${detail}`,
+    };
+  }
+
+  return {
+    ok: true,
+    rootDir: repoDir,
+    label: normalized.label,
+    cleanup: async () => {
+      await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => undefined);
+    },
+  };
+}
+
+async function loadMarketplace(params: {
+  source: string;
+  logger?: MarketplaceLogger;
+  timeoutMs?: number;
+}): Promise<{ ok: true; marketplace: LoadedMarketplace } | { ok: false; error: string }> {
+  const knownMarketplaces = await readClaudeKnownMarketplaces();
+  const known = knownMarketplaces[params.source];
+  if (known) {
+    if (known.installLocation) {
+      const local = await resolveLocalMarketplaceSource(known.installLocation);
+      if (local?.ok) {
+        const raw = await fs.readFile(local.manifestPath, "utf-8");
+        const parsed = parseMarketplaceManifest(raw, local.manifestPath);
+        if (!parsed.ok) {
+          return parsed;
+        }
+        return {
+          ok: true,
+          marketplace: {
+            manifest: parsed.manifest,
+            rootDir: local.rootDir,
+            sourceLabel: params.source,
+          },
+        };
+      }
+    }
+
+    const normalizedSource = normalizeEntrySource(known.source);
+    if (normalizedSource.ok) {
+      return await loadMarketplace({
+        source: marketplaceEntrySourceToInput(normalizedSource.source),
+        logger: params.logger,
+        timeoutMs: params.timeoutMs,
+      });
+    }
+  }
+
+  const local = await resolveLocalMarketplaceSource(params.source);
+  if (local?.ok === false) {
+    return local;
+  }
+
+  if (local?.ok) {
+    const raw = await fs.readFile(local.manifestPath, "utf-8");
+    const parsed = parseMarketplaceManifest(raw, local.manifestPath);
+    if (!parsed.ok) {
+      return parsed;
+    }
+    return {
+      ok: true,
+      marketplace: {
+        manifest: parsed.manifest,
+        rootDir: local.rootDir,
+        sourceLabel: local.manifestPath,
+      },
+    };
+  }
+
+  const cloned = await cloneMarketplaceRepo({
+    source: params.source,
+    timeoutMs: params.timeoutMs,
+    logger: params.logger,
+  });
+  if (!cloned.ok) {
+    return cloned;
+  }
+
+  let manifestPath: string | undefined;
+  for (const candidate of MARKETPLACE_MANIFEST_CANDIDATES) {
+    const next = path.join(cloned.rootDir, candidate);
+    if (await pathExists(next)) {
+      manifestPath = next;
+      break;
+    }
+  }
+  if (!manifestPath) {
+    await cloned.cleanup();
+    return { ok: false, error: `marketplace manifest not found in ${cloned.label}` };
+  }
+
+  const raw = await fs.readFile(manifestPath, "utf-8");
+  const parsed = parseMarketplaceManifest(raw, manifestPath);
+  if (!parsed.ok) {
+    await cloned.cleanup();
+    return parsed;
+  }
+
+  return {
+    ok: true,
+    marketplace: {
+      manifest: parsed.manifest,
+      rootDir: cloned.rootDir,
+      sourceLabel: cloned.label,
+      cleanup: cloned.cleanup,
+    },
+  };
+}
+
+async function downloadUrlToTempFile(url: string): Promise<
+  | {
+      ok: true;
+      path: string;
+      cleanup: () => Promise<void>;
+    }
+  | {
+      ok: false;
+      error: string;
+    }
+> {
+  const response = await fetch(url);
+  if (!response.ok) {
+    return { ok: false, error: `failed to download ${url}: HTTP ${response.status}` };
+  }
+
+  const pathname = new URL(url).pathname;
+  const fileName = path.basename(pathname) || "plugin.tgz";
+  const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-marketplace-download-"));
+  const targetPath = path.join(tmpDir, fileName);
+  await fs.writeFile(targetPath, Buffer.from(await response.arrayBuffer()));
+  return {
+    ok: true,
+    path: targetPath,
+    cleanup: async () => {
+      await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => undefined);
+    },
+  };
+}
+
+function ensureInsideMarketplaceRoot(
+  rootDir: string,
+  candidate: string,
+): { ok: true; path: string } | { ok: false; error: string } {
+  const resolved = path.resolve(rootDir, candidate);
+  const relative = path.relative(rootDir, resolved);
+  if (relative === ".." || relative.startsWith(`..${path.sep}`)) {
+    return {
+      ok: false,
+      error: `plugin source escapes marketplace root: ${candidate}`,
+    };
+  }
+  return { ok: true, path: resolved };
+}
+
+async function resolveMarketplaceEntryInstallPath(params: {
+  source: MarketplaceEntrySource;
+  marketplaceRootDir: string;
+  logger?: MarketplaceLogger;
+  timeoutMs?: number;
+}): Promise<
+  | {
+      ok: true;
+      path: string;
+      cleanup?: () => Promise<void>;
+    }
+  | {
+      ok: false;
+      error: string;
+    }
+> {
+  if (params.source.kind === "path") {
+    if (isHttpUrl(params.source.path)) {
+      if (resolveArchiveKind(params.source.path)) {
+        return await downloadUrlToTempFile(params.source.path);
+      }
+      return {
+        ok: false,
+        error: `unsupported remote plugin path source: ${params.source.path}`,
+      };
+    }
+    const resolved = path.isAbsolute(params.source.path)
+      ? { ok: true as const, path: params.source.path }
+      : ensureInsideMarketplaceRoot(params.marketplaceRootDir, params.source.path);
+    if (!resolved.ok) {
+      return resolved;
+    }
+    return { ok: true, path: resolved.path };
+  }
+
+  if (
+    params.source.kind === "github" ||
+    params.source.kind === "git" ||
+    params.source.kind === "git-subdir"
+  ) {
+    const sourceSpec =
+      params.source.kind === "github"
+        ? `${params.source.repo}${params.source.ref ? `#${params.source.ref}` : ""}`
+        : `${params.source.url}${params.source.ref ? `#${params.source.ref}` : ""}`;
+    const cloned = await cloneMarketplaceRepo({
+      source: sourceSpec,
+      timeoutMs: params.timeoutMs,
+      logger: params.logger,
+    });
+    if (!cloned.ok) {
+      return cloned;
+    }
+    const subPath =
+      params.source.kind === "github" || params.source.kind === "git"
+        ? params.source.path?.trim() || "."
+        : params.source.path.trim();
+    const target = ensureInsideMarketplaceRoot(cloned.rootDir, subPath);
+    if (!target.ok) {
+      await cloned.cleanup();
+      return target;
+    }
+    return {
+      ok: true,
+      path: target.path,
+      cleanup: cloned.cleanup,
+    };
+  }
+
+  if (resolveArchiveKind(params.source.url)) {
+    return await downloadUrlToTempFile(params.source.url);
+  }
+
+  if (!normalizeGitCloneSource(params.source.url)) {
+    return {
+      ok: false,
+      error: `unsupported URL plugin source: ${params.source.url}`,
+    };
+  }
+
+  const cloned = await cloneMarketplaceRepo({
+    source: params.source.url,
+    timeoutMs: params.timeoutMs,
+    logger: params.logger,
+  });
+  if (!cloned.ok) {
+    return cloned;
+  }
+  return {
+    ok: true,
+    path: cloned.rootDir,
+    cleanup: cloned.cleanup,
+  };
+}
+
+export async function listMarketplacePlugins(params: {
+  marketplace: string;
+  logger?: MarketplaceLogger;
+  timeoutMs?: number;
+}): Promise<MarketplacePluginListResult> {
+  const loaded = await loadMarketplace({
+    source: params.marketplace,
+    logger: params.logger,
+    timeoutMs: params.timeoutMs,
+  });
+  if (!loaded.ok) {
+    return loaded;
+  }
+  try {
+    return {
+      ok: true,
+      manifest: loaded.marketplace.manifest,
+      sourceLabel: loaded.marketplace.sourceLabel,
+    };
+  } finally {
+    await loaded.marketplace.cleanup?.();
+  }
+}
+
+export async function resolveMarketplaceInstallShortcut(
+  raw: string,
+): Promise<MarketplaceShortcutResolution> {
+  const trimmed = raw.trim();
+  const atIndex = trimmed.lastIndexOf("@");
+  if (atIndex <= 0 || atIndex >= trimmed.length - 1) {
+    return null;
+  }
+
+  const plugin = trimmed.slice(0, atIndex).trim();
+  const marketplaceName = trimmed.slice(atIndex + 1).trim();
+  if (!plugin || !marketplaceName || plugin.includes("/")) {
+    return null;
+  }
+
+  const knownMarketplaces = await readClaudeKnownMarketplaces();
+  const known = knownMarketplaces[marketplaceName];
+  if (!known) {
+    return null;
+  }
+
+  if (known.installLocation) {
+    return {
+      ok: true,
+      plugin,
+      marketplaceName,
+      marketplaceSource: marketplaceName,
+    };
+  }
+
+  const normalizedSource = normalizeEntrySource(known.source);
+  if (!normalizedSource.ok) {
+    return {
+      ok: false,
+      error: `known Claude marketplace "${marketplaceName}" has an invalid source: ${normalizedSource.error}`,
+    };
+  }
+
+  return {
+    ok: true,
+    plugin,
+    marketplaceName,
+    marketplaceSource: marketplaceName,
+  };
+}
+
+export async function installPluginFromMarketplace(params: {
+  marketplace: string;
+  plugin: string;
+  logger?: MarketplaceLogger;
+  timeoutMs?: number;
+  mode?: "install" | "update";
+  dryRun?: boolean;
+  expectedPluginId?: string;
+}): Promise<MarketplaceInstallResult> {
+  const loaded = await loadMarketplace({
+    source: params.marketplace,
+    logger: params.logger,
+    timeoutMs: params.timeoutMs,
+  });
+  if (!loaded.ok) {
+    return loaded;
+  }
+
+  let installCleanup: (() => Promise<void>) | undefined;
+  try {
+    const entry = loaded.marketplace.manifest.plugins.find(
+      (plugin) => plugin.name === params.plugin,
+    );
+    if (!entry) {
+      const known = loaded.marketplace.manifest.plugins.map((plugin) => plugin.name).toSorted();
+      return {
+        ok: false,
+        error:
+          `plugin "${params.plugin}" not found in marketplace ${loaded.marketplace.sourceLabel}` +
+          (known.length > 0 ? ` (available: ${known.join(", ")})` : ""),
+      };
+    }
+
+    const resolved = await resolveMarketplaceEntryInstallPath({
+      source: entry.source,
+      marketplaceRootDir: loaded.marketplace.rootDir,
+      logger: params.logger,
+      timeoutMs: params.timeoutMs,
+    });
+    if (!resolved.ok) {
+      return resolved;
+    }
+    installCleanup = resolved.cleanup;
+
+    const result = await installPluginFromPath({
+      path: resolved.path,
+      logger: params.logger,
+      mode: params.mode,
+      dryRun: params.dryRun,
+      expectedPluginId: params.expectedPluginId,
+    });
+    if (!result.ok) {
+      return result;
+    }
+    return {
+      ...result,
+      marketplaceName: loaded.marketplace.manifest.name,
+      marketplaceVersion: loaded.marketplace.manifest.version,
+      marketplacePlugin: entry.name,
+      marketplaceSource: params.marketplace,
+      marketplaceEntryVersion: entry.version,
+    };
+  } finally {
+    await installCleanup?.();
+    await loaded.marketplace.cleanup?.();
+  }
+}
diff --git a/src/plugins/provider-api-key-auth.ts b/src/plugins/provider-api-key-auth.ts
new file mode 100644
index 00000000000..75fa4afb77d
--- /dev/null
+++ b/src/plugins/provider-api-key-auth.ts
@@ -0,0 +1,183 @@
+import { upsertAuthProfile } from "../agents/auth-profiles.js";
+import { normalizeApiKeyInput, validateApiKeyInput } from "../commands/auth-choice.api-key.js";
+import { ensureApiKeyFromOptionEnvOrPrompt } from "../commands/auth-choice.apply-helpers.js";
+import { applyPrimaryModel } from "../commands/model-picker.js";
+import { buildApiKeyCredential } from "../commands/onboard-auth.credentials.js";
+import { applyAuthProfileConfig } from "../commands/onboard-auth.js";
+import type { OpenClawConfig } from "../config/config.js";
+import type { SecretInput } from "../config/types.secrets.js";
+import { normalizeOptionalSecretInput } from "../utils/normalize-secret-input.js";
+import type {
+  ProviderAuthMethod,
+  ProviderAuthMethodNonInteractiveContext,
+  ProviderPluginWizardSetup,
+} from "./types.js";
+
+type ProviderApiKeyAuthMethodOptions = {
+  providerId: string;
+  methodId: string;
+  label: string;
+  hint?: string;
+  wizard?: ProviderPluginWizardSetup;
+  optionKey: string;
+  flagName: `--${string}`;
+  envVar: string;
+  promptMessage: string;
+  profileId?: string;
+  profileIds?: string[];
+  allowProfile?: boolean;
+  defaultModel?: string;
+  expectedProviders?: string[];
+  metadata?: Record<string, string>;
+  noteMessage?: string;
+  noteTitle?: string;
+  applyConfig?: (cfg: OpenClawConfig) => OpenClawConfig;
+};
+
+function resolveStringOption(opts: Record<string, unknown> | undefined, optionKey: string) {
+  return normalizeOptionalSecretInput(opts?.[optionKey]);
+}
+
+function resolveProfileId(params: { providerId: string; profileId?: string }) {
+  return params.profileId?.trim() || `${params.providerId}:default`;
+}
+
+function resolveProfileIds(params: {
+  providerId: string;
+  profileId?: string;
+  profileIds?: string[];
+}) {
+  const explicit = Array.from(
+    new Set((params.profileIds ?? []).map((value) => value.trim()).filter(Boolean)),
+  );
+  if (explicit.length > 0) {
+    return explicit;
+  }
+  return [resolveProfileId(params)];
+}
+
+function applyApiKeyConfig(params: {
+  ctx: ProviderAuthMethodNonInteractiveContext;
+  providerId: string;
+  profileIds: string[];
+  defaultModel?: string;
+  applyConfig?: (cfg: OpenClawConfig) => OpenClawConfig;
+}) {
+  let next = params.ctx.config;
+  for (const profileId of params.profileIds) {
+    next = applyAuthProfileConfig(next, {
+      profileId,
+      provider: profileId.split(":", 1)[0]?.trim() || params.providerId,
+      mode: "api_key",
+    });
+  }
+  if (params.applyConfig) {
+    next = params.applyConfig(next);
+  }
+  return params.defaultModel ? applyPrimaryModel(next, params.defaultModel) : next;
+}
+
+export function createProviderApiKeyAuthMethod(
+  params: ProviderApiKeyAuthMethodOptions,
+): ProviderAuthMethod {
+  return {
+    id: params.methodId,
+    label: params.label,
+    hint: params.hint,
+    kind: "api_key",
+    wizard: params.wizard,
+    run: async (ctx) => {
+      const opts = ctx.opts as Record<string, unknown> | undefined;
+      const flagValue = resolveStringOption(opts, params.optionKey);
+      let capturedSecretInput: SecretInput | undefined;
+      let capturedCredential = false;
+      let capturedMode: "plaintext" | "ref" | undefined;
+
+      await ensureApiKeyFromOptionEnvOrPrompt({
+        token: flagValue ?? normalizeOptionalSecretInput(ctx.opts?.token),
+        tokenProvider: flagValue
+          ? params.providerId
+          : normalizeOptionalSecretInput(ctx.opts?.tokenProvider),
+        secretInputMode:
+          ctx.allowSecretRefPrompt === false
+            ? (ctx.secretInputMode ?? "plaintext")
+            : ctx.secretInputMode,
+        config: ctx.config,
+        expectedProviders: params.expectedProviders ?? [params.providerId],
+        provider: params.providerId,
+        envLabel: params.envVar,
+        promptMessage: params.promptMessage,
+        normalize: normalizeApiKeyInput,
+        validate: validateApiKeyInput,
+        prompter: ctx.prompter,
+        noteMessage: params.noteMessage,
+        noteTitle: params.noteTitle,
+        setCredential: async (apiKey, mode) => {
+          capturedSecretInput = apiKey;
+          capturedCredential = true;
+          capturedMode = mode;
+        },
+      });
+
+      if (!capturedCredential) {
+        throw new Error(`Missing API key input for provider "${params.providerId}".`);
+      }
+      const credentialInput = capturedSecretInput ?? "";
+      const profileIds = resolveProfileIds(params);
+
+      return {
+        profiles: profileIds.map((profileId) => ({
+          profileId,
+          credential: buildApiKeyCredential(
+            profileId.split(":", 1)[0]?.trim() || params.providerId,
+            credentialInput,
+            params.metadata,
+            capturedMode ? { secretInputMode: capturedMode } : undefined,
+          ),
+        })),
+        ...(params.applyConfig ? { configPatch: params.applyConfig(ctx.config) } : {}),
+        ...(params.defaultModel ? { defaultModel: params.defaultModel } : {}),
+      };
+    },
+    runNonInteractive: async (ctx) => {
+      const opts = ctx.opts as Record<string, unknown> | undefined;
+      const resolved = await ctx.resolveApiKey({
+        provider: params.providerId,
+        flagValue: resolveStringOption(opts, params.optionKey),
+        flagName: params.flagName,
+        envVar: params.envVar,
+        ...(params.allowProfile === false ? { allowProfile: false } : {}),
+      });
+      if (!resolved) {
+        return null;
+      }
+
+      const profileIds = resolveProfileIds(params);
+      if (resolved.source !== "profile") {
+        for (const profileId of profileIds) {
+          const credential = ctx.toApiKeyCredential({
+            provider: profileId.split(":", 1)[0]?.trim() || params.providerId,
+            resolved,
+            ...(params.metadata ? { metadata: params.metadata } : {}),
+          });
+          if (!credential) {
+            return null;
+          }
+          upsertAuthProfile({
+            profileId,
+            credential,
+            agentDir: ctx.agentDir,
+          });
+        }
+      }
+
+      return applyApiKeyConfig({
+        ctx,
+        providerId: params.providerId,
+        profileIds,
+        defaultModel: params.defaultModel,
+        applyConfig: params.applyConfig,
+      });
+    },
+  };
+}
diff --git a/src/plugins/provider-auth-choices.test.ts b/src/plugins/provider-auth-choices.test.ts
new file mode 100644
index 00000000000..0b9c9ccb5d2
--- /dev/null
+++ b/src/plugins/provider-auth-choices.test.ts
@@ -0,0 +1,92 @@
+import { describe, expect, it, vi } from "vitest";
+
+const loadPluginManifestRegistry = vi.hoisted(() => vi.fn());
+
+vi.mock("./manifest-registry.js", () => ({
+  loadPluginManifestRegistry,
+}));
+
+import {
+  resolveManifestProviderAuthChoice,
+  resolveManifestProviderAuthChoices,
+  resolveManifestProviderOnboardAuthFlags,
+} from "./provider-auth-choices.js";
+
+describe("provider auth choice manifest helpers", () => {
+  it("flattens manifest auth choices", () => {
+    loadPluginManifestRegistry.mockReturnValue({
+      plugins: [
+        {
+          id: "openai",
+          providerAuthChoices: [
+            {
+              provider: "openai",
+              method: "api-key",
+              choiceId: "openai-api-key",
+              choiceLabel: "OpenAI API key",
+              optionKey: "openaiApiKey",
+              cliFlag: "--openai-api-key",
+              cliOption: "--openai-api-key <key>",
+            },
+          ],
+        },
+      ],
+    });
+
+    expect(resolveManifestProviderAuthChoices()).toEqual([
+      {
+        pluginId: "openai",
+        providerId: "openai",
+        methodId: "api-key",
+        choiceId: "openai-api-key",
+        choiceLabel: "OpenAI API key",
+        optionKey: "openaiApiKey",
+        cliFlag: "--openai-api-key",
+        cliOption: "--openai-api-key <key>",
+      },
+    ]);
+    expect(resolveManifestProviderAuthChoice("openai-api-key")?.providerId).toBe("openai");
+  });
+
+  it("deduplicates flag metadata by option key + flag", () => {
+    loadPluginManifestRegistry.mockReturnValue({
+      plugins: [
+        {
+          id: "moonshot",
+          providerAuthChoices: [
+            {
+              provider: "moonshot",
+              method: "api-key",
+              choiceId: "moonshot-api-key",
+              choiceLabel: "Kimi API key (.ai)",
+              optionKey: "moonshotApiKey",
+              cliFlag: "--moonshot-api-key",
+              cliOption: "--moonshot-api-key <key>",
+              cliDescription: "Moonshot API key",
+            },
+            {
+              provider: "moonshot",
+              method: "api-key-cn",
+              choiceId: "moonshot-api-key-cn",
+              choiceLabel: "Kimi API key (.cn)",
+              optionKey: "moonshotApiKey",
+              cliFlag: "--moonshot-api-key",
+              cliOption: "--moonshot-api-key <key>",
+              cliDescription: "Moonshot API key",
+            },
+          ],
+        },
+      ],
+    });
+
+    expect(resolveManifestProviderOnboardAuthFlags()).toEqual([
+      {
+        optionKey: "moonshotApiKey",
+        authChoice: "moonshot-api-key",
+        cliFlag: "--moonshot-api-key",
+        cliOption: "--moonshot-api-key <key>",
+        description: "Moonshot API key",
+      },
+    ]);
+  });
+});
diff --git a/src/plugins/provider-auth-choices.ts b/src/plugins/provider-auth-choices.ts
new file mode 100644
index 00000000000..86388d9b6e5
--- /dev/null
+++ b/src/plugins/provider-auth-choices.ts
@@ -0,0 +1,122 @@
+import { normalizeProviderIdForAuth } from "../agents/model-selection.js";
+import type { OpenClawConfig } from "../config/config.js";
+import { loadPluginManifestRegistry } from "./manifest-registry.js";
+
+export type ProviderAuthChoiceMetadata = {
+  pluginId: string;
+  providerId: string;
+  methodId: string;
+  choiceId: string;
+  choiceLabel: string;
+  choiceHint?: string;
+  groupId?: string;
+  groupLabel?: string;
+  groupHint?: string;
+  optionKey?: string;
+  cliFlag?: string;
+  cliOption?: string;
+  cliDescription?: string;
+};
+
+export type ProviderOnboardAuthFlag = {
+  optionKey: string;
+  authChoice: string;
+  cliFlag: string;
+  cliOption: string;
+  description: string;
+};
+
+export function resolveManifestProviderAuthChoices(params?: {
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}): ProviderAuthChoiceMetadata[] {
+  const registry = loadPluginManifestRegistry({
+    config: params?.config,
+    workspaceDir: params?.workspaceDir,
+    env: params?.env,
+  });
+
+  return registry.plugins.flatMap((plugin) =>
+    (plugin.providerAuthChoices ?? []).map((choice) => ({
+      pluginId: plugin.id,
+      providerId: choice.provider,
+      methodId: choice.method,
+      choiceId: choice.choiceId,
+      choiceLabel: choice.choiceLabel ?? choice.choiceId,
+      ...(choice.choiceHint ? { choiceHint: choice.choiceHint } : {}),
+      ...(choice.groupId ? { groupId: choice.groupId } : {}),
+      ...(choice.groupLabel ? { groupLabel: choice.groupLabel } : {}),
+      ...(choice.groupHint ? { groupHint: choice.groupHint } : {}),
+      ...(choice.optionKey ? { optionKey: choice.optionKey } : {}),
+      ...(choice.cliFlag ? { cliFlag: choice.cliFlag } : {}),
+      ...(choice.cliOption ? { cliOption: choice.cliOption } : {}),
+      ...(choice.cliDescription ? { cliDescription: choice.cliDescription } : {}),
+    })),
+  );
+}
+
+export function resolveManifestProviderAuthChoice(
+  choiceId: string,
+  params?: {
+    config?: OpenClawConfig;
+    workspaceDir?: string;
+    env?: NodeJS.ProcessEnv;
+  },
+): ProviderAuthChoiceMetadata | undefined {
+  const normalized = choiceId.trim();
+  if (!normalized) {
+    return undefined;
+  }
+  return resolveManifestProviderAuthChoices(params).find(
+    (choice) => choice.choiceId === normalized,
+  );
+}
+
+export function resolveManifestProviderApiKeyChoice(params: {
+  providerId: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}): ProviderAuthChoiceMetadata | undefined {
+  const normalizedProviderId = normalizeProviderIdForAuth(params.providerId);
+  if (!normalizedProviderId) {
+    return undefined;
+  }
+
+  return resolveManifestProviderAuthChoices(params).find((choice) => {
+    if (!choice.optionKey) {
+      return false;
+    }
+    return normalizeProviderIdForAuth(choice.providerId) === normalizedProviderId;
+  });
+}
+
+export function resolveManifestProviderOnboardAuthFlags(params?: {
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}): ProviderOnboardAuthFlag[] {
+  const flags: ProviderOnboardAuthFlag[] = [];
+  const seen = new Set<string>();
+
+  for (const choice of resolveManifestProviderAuthChoices(params)) {
+    if (!choice.optionKey || !choice.cliFlag || !choice.cliOption) {
+      continue;
+    }
+    const dedupeKey = `${choice.optionKey}::${choice.cliFlag}`;
+    if (seen.has(dedupeKey)) {
+      continue;
+    }
+    seen.add(dedupeKey);
+    flags.push({
+      optionKey: choice.optionKey,
+      authChoice: choice.choiceId,
+      cliFlag: choice.cliFlag,
+      cliOption: choice.cliOption,
+      description: choice.cliDescription ?? choice.choiceLabel,
+    });
+  }
+
+  return flags;
+}
diff --git a/src/plugins/provider-runtime.runtime.ts b/src/plugins/provider-runtime.runtime.ts
new file mode 100644
index 00000000000..d4f036e1cf8
--- /dev/null
+++ b/src/plugins/provider-runtime.runtime.ts
@@ -0,0 +1,7 @@
+export {
+  augmentModelCatalogWithProviderPlugins,
+  buildProviderAuthDoctorHintWithPlugin,
+  buildProviderMissingAuthMessageWithPlugin,
+  formatProviderAuthProfileApiKeyWithPlugin,
+  refreshProviderOAuthCredentialWithPlugin,
+} from "./provider-runtime.js";
diff --git a/src/plugins/provider-runtime.test.ts b/src/plugins/provider-runtime.test.ts
index 1ca9ef446b6..266abe24556 100644
--- a/src/plugins/provider-runtime.test.ts
+++ b/src/plugins/provider-runtime.test.ts
@@ -2,20 +2,35 @@ import { beforeEach, describe, expect, it, vi } from "vitest";
 import type { ProviderPlugin, ProviderRuntimeModel } from "./types.js";
 
 const resolvePluginProvidersMock = vi.fn((_: unknown) => [] as ProviderPlugin[]);
+const resolveOwningPluginIdsForProviderMock = vi.fn(
+  (_: unknown) => undefined as string[] | undefined,
+);
 
 vi.mock("./providers.js", () => ({
   resolvePluginProviders: (params: unknown) => resolvePluginProvidersMock(params as never),
+  resolveOwningPluginIdsForProvider: (params: unknown) =>
+    resolveOwningPluginIdsForProviderMock(params as never),
 }));
 
 import {
+  augmentModelCatalogWithProviderPlugins,
+  buildProviderAuthDoctorHintWithPlugin,
+  buildProviderMissingAuthMessageWithPlugin,
+  formatProviderAuthProfileApiKeyWithPlugin,
   prepareProviderExtraParams,
   resolveProviderCacheTtlEligibility,
+  resolveProviderBinaryThinking,
+  resolveProviderBuiltInModelSuppression,
+  resolveProviderDefaultThinkingLevel,
+  resolveProviderModernModelRef,
   resolveProviderUsageSnapshotWithPlugin,
   resolveProviderCapabilitiesWithPlugin,
   resolveProviderUsageAuthWithPlugin,
+  resolveProviderXHighThinking,
   normalizeProviderResolvedModelWithPlugin,
   prepareProviderDynamicModel,
   prepareProviderRuntimeAuth,
+  refreshProviderOAuthCredentialWithPlugin,
   resolveProviderRuntimePlugin,
   runProviderDynamicModel,
   wrapProviderStreamFn,
@@ -38,6 +53,8 @@ describe("provider-runtime", () => {
   beforeEach(() => {
     resolvePluginProvidersMock.mockReset();
     resolvePluginProvidersMock.mockReturnValue([]);
+    resolveOwningPluginIdsForProviderMock.mockReset();
+    resolveOwningPluginIdsForProviderMock.mockReturnValue(undefined);
   });
 
   it("matches providers by alias for runtime hook lookup", () => {
@@ -53,10 +70,15 @@ describe("provider-runtime", () => {
     const plugin = resolveProviderRuntimePlugin({ provider: "Open Router" });
 
     expect(plugin?.id).toBe("openrouter");
-    expect(resolvePluginProvidersMock).toHaveBeenCalledWith(
+    expect(resolveOwningPluginIdsForProviderMock).toHaveBeenCalledWith(
       expect.objectContaining({
         provider: "Open Router",
+      }),
+    );
+    expect(resolvePluginProvidersMock).toHaveBeenCalledWith(
+      expect.objectContaining({
         bundledProviderAllowlistCompat: true,
+        bundledProviderVitestCompat: true,
       }),
     );
   });
@@ -68,6 +90,10 @@ describe("provider-runtime", () => {
       baseUrl: "https://runtime.example.com/v1",
       expiresAt: 123,
     }));
+    const refreshOAuth = vi.fn(async (cred) => ({
+      ...cred,
+      access: "refreshed-access-token",
+    }));
     const resolveUsageAuth = vi.fn(async () => ({
       token: "usage-token",
       accountId: "usage-account",
@@ -77,31 +103,63 @@ describe("provider-runtime", () => {
       displayName: "Demo",
       windows: [{ label: "Day", usedPercent: 25 }],
     }));
-    resolvePluginProvidersMock.mockReturnValue([
-      {
-        id: "demo",
-        label: "Demo",
-        auth: [],
-        resolveDynamicModel: () => MODEL,
-        prepareDynamicModel,
-        capabilities: {
-          providerFamily: "openai",
+    resolvePluginProvidersMock.mockImplementation((_params: unknown) => {
+      return [
+        {
+          id: "demo",
+          label: "Demo",
+          auth: [],
+          resolveDynamicModel: () => MODEL,
+          prepareDynamicModel,
+          capabilities: {
+            providerFamily: "openai",
+          },
+          prepareExtraParams: ({ extraParams }) => ({
+            ...extraParams,
+            transport: "auto",
+          }),
+          wrapStreamFn: ({ streamFn }) => streamFn,
+          normalizeResolvedModel: ({ model }) => ({
+            ...model,
+            api: "openai-codex-responses",
+          }),
+          formatApiKey: (cred) =>
+            cred.type === "oauth" ? JSON.stringify({ token: cred.access }) : "",
+          refreshOAuth,
+          buildAuthDoctorHint: ({ provider, profileId }) =>
+            provider === "demo" ? `Repair ${profileId}` : undefined,
+          prepareRuntimeAuth,
+          resolveUsageAuth,
+          fetchUsageSnapshot,
+          isCacheTtlEligible: ({ modelId }) => modelId.startsWith("anthropic/"),
+          isBinaryThinking: () => true,
+          supportsXHighThinking: ({ modelId }) => modelId === "gpt-5.4",
+          resolveDefaultThinkingLevel: ({ reasoning }) => (reasoning ? "low" : "off"),
+          isModernModelRef: ({ modelId }) => modelId.startsWith("gpt-5"),
         },
-        prepareExtraParams: ({ extraParams }) => ({
-          ...extraParams,
-          transport: "auto",
-        }),
-        wrapStreamFn: ({ streamFn }) => streamFn,
-        normalizeResolvedModel: ({ model }) => ({
-          ...model,
-          api: "openai-codex-responses",
-        }),
-        prepareRuntimeAuth,
-        resolveUsageAuth,
-        fetchUsageSnapshot,
-        isCacheTtlEligible: ({ modelId }) => modelId.startsWith("anthropic/"),
-      },
-    ]);
+        {
+          id: "openai",
+          label: "OpenAI",
+          auth: [],
+          buildMissingAuthMessage: () =>
+            'No API key found for provider "openai". Use openai-codex/gpt-5.4.',
+          suppressBuiltInModel: ({ provider, modelId }) =>
+            provider === "azure-openai-responses" && modelId === "gpt-5.3-codex-spark"
+              ? { suppress: true, errorMessage: "openai-codex/gpt-5.3-codex-spark" }
+              : undefined,
+          augmentModelCatalog: () => [
+            { provider: "openai", id: "gpt-5.4", name: "gpt-5.4" },
+            { provider: "openai", id: "gpt-5.4-pro", name: "gpt-5.4-pro" },
+            { provider: "openai-codex", id: "gpt-5.4", name: "gpt-5.4" },
+            {
+              provider: "openai-codex",
+              id: "gpt-5.3-codex-spark",
+              name: "gpt-5.3-codex-spark",
+            },
+          ],
+        },
+      ];
+    });
 
     expect(
       runProviderDynamicModel({
@@ -189,6 +247,45 @@ describe("provider-runtime", () => {
       expiresAt: 123,
     });
 
+    expect(
+      formatProviderAuthProfileApiKeyWithPlugin({
+        provider: "demo",
+        context: {
+          type: "oauth",
+          provider: "demo",
+          access: "oauth-access",
+          refresh: "oauth-refresh",
+          expires: Date.now() + 60_000,
+        },
+      }),
+    ).toBe('{"token":"oauth-access"}');
+
+    await expect(
+      refreshProviderOAuthCredentialWithPlugin({
+        provider: "demo",
+        context: {
+          type: "oauth",
+          provider: "demo",
+          access: "oauth-access",
+          refresh: "oauth-refresh",
+          expires: Date.now() + 60_000,
+        },
+      }),
+    ).resolves.toMatchObject({
+      access: "refreshed-access-token",
+    });
+
+    await expect(
+      buildProviderAuthDoctorHintWithPlugin({
+        provider: "demo",
+        context: {
+          provider: "demo",
+          profileId: "demo:default",
+          store: { version: 1, profiles: {} },
+        },
+      }),
+    ).resolves.toBe("Repair demo:default");
+
     await expect(
       resolveProviderUsageAuthWithPlugin({
         provider: "demo",
@@ -234,7 +331,98 @@ describe("provider-runtime", () => {
       }),
     ).toBe(true);
 
+    expect(
+      resolveProviderBinaryThinking({
+        provider: "demo",
+        context: {
+          provider: "demo",
+          modelId: "glm-5",
+        },
+      }),
+    ).toBe(true);
+
+    expect(
+      resolveProviderXHighThinking({
+        provider: "demo",
+        context: {
+          provider: "demo",
+          modelId: "gpt-5.4",
+        },
+      }),
+    ).toBe(true);
+
+    expect(
+      resolveProviderDefaultThinkingLevel({
+        provider: "demo",
+        context: {
+          provider: "demo",
+          modelId: "gpt-5.4",
+          reasoning: true,
+        },
+      }),
+    ).toBe("low");
+
+    expect(
+      resolveProviderModernModelRef({
+        provider: "demo",
+        context: {
+          provider: "demo",
+          modelId: "gpt-5.4",
+        },
+      }),
+    ).toBe(true);
+
+    expect(
+      buildProviderMissingAuthMessageWithPlugin({
+        provider: "openai",
+        env: process.env,
+        context: {
+          env: process.env,
+          provider: "openai",
+          listProfileIds: (providerId) => (providerId === "openai-codex" ? ["p1"] : []),
+        },
+      }),
+    ).toContain("openai-codex/gpt-5.4");
+
+    expect(
+      resolveProviderBuiltInModelSuppression({
+        env: process.env,
+        context: {
+          env: process.env,
+          provider: "azure-openai-responses",
+          modelId: "gpt-5.3-codex-spark",
+        },
+      }),
+    ).toMatchObject({
+      suppress: true,
+      errorMessage: expect.stringContaining("openai-codex/gpt-5.3-codex-spark"),
+    });
+
+    await expect(
+      augmentModelCatalogWithProviderPlugins({
+        env: process.env,
+        context: {
+          env: process.env,
+          entries: [
+            { provider: "openai", id: "gpt-5.2", name: "GPT-5.2" },
+            { provider: "openai", id: "gpt-5.2-pro", name: "GPT-5.2 Pro" },
+            { provider: "openai-codex", id: "gpt-5.3-codex", name: "GPT-5.3 Codex" },
+          ],
+        },
+      }),
+    ).resolves.toEqual([
+      { provider: "openai", id: "gpt-5.4", name: "gpt-5.4" },
+      { provider: "openai", id: "gpt-5.4-pro", name: "gpt-5.4-pro" },
+      { provider: "openai-codex", id: "gpt-5.4", name: "gpt-5.4" },
+      {
+        provider: "openai-codex",
+        id: "gpt-5.3-codex-spark",
+        name: "gpt-5.3-codex-spark",
+      },
+    ]);
+
     expect(prepareDynamicModel).toHaveBeenCalledTimes(1);
+    expect(refreshOAuth).toHaveBeenCalledTimes(1);
     expect(prepareRuntimeAuth).toHaveBeenCalledTimes(1);
     expect(resolveUsageAuth).toHaveBeenCalledTimes(1);
     expect(fetchUsageSnapshot).toHaveBeenCalledTimes(1);
diff --git a/src/plugins/provider-runtime.ts b/src/plugins/provider-runtime.ts
index 7397a52abae..189b5ccef0c 100644
--- a/src/plugins/provider-runtime.ts
+++ b/src/plugins/provider-runtime.ts
@@ -1,9 +1,16 @@
+import type { AuthProfileCredential, OAuthCredential } from "../agents/auth-profiles/types.js";
 import { normalizeProviderId } from "../agents/model-selection.js";
 import type { OpenClawConfig } from "../config/config.js";
-import { resolvePluginProviders } from "./providers.js";
+import { resolveOwningPluginIdsForProvider, resolvePluginProviders } from "./providers.js";
 import type {
+  ProviderAuthDoctorHintContext,
+  ProviderAugmentModelCatalogContext,
+  ProviderBuildMissingAuthMessageContext,
+  ProviderBuiltInModelSuppressionContext,
   ProviderCacheTtlEligibilityContext,
+  ProviderDefaultThinkingPolicyContext,
   ProviderFetchUsageSnapshotContext,
+  ProviderModernModelPolicyContext,
   ProviderPrepareExtraParamsContext,
   ProviderPrepareDynamicModelContext,
   ProviderPrepareRuntimeAuthContext,
@@ -11,6 +18,7 @@ import type {
   ProviderPlugin,
   ProviderResolveDynamicModelContext,
   ProviderRuntimeModel,
+  ProviderThinkingPolicyContext,
   ProviderWrapStreamFnContext,
 } from "./types.js";
 
@@ -25,15 +33,35 @@ function matchesProviderId(provider: ProviderPlugin, providerId: string): boolea
   return (provider.aliases ?? []).some((alias) => normalizeProviderId(alias) === normalized);
 }
 
+function resolveProviderPluginsForHooks(params: {
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  onlyPluginIds?: string[];
+}): ProviderPlugin[] {
+  return resolvePluginProviders({
+    ...params,
+    activate: false,
+    cache: false,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
+  });
+}
+
 export function resolveProviderRuntimePlugin(params: {
   provider: string;
   config?: OpenClawConfig;
   workspaceDir?: string;
   env?: NodeJS.ProcessEnv;
 }): ProviderPlugin | undefined {
-  return resolvePluginProviders({
+  return resolveProviderPluginsForHooks({
     ...params,
-    bundledProviderAllowlistCompat: true,
+    onlyPluginIds: resolveOwningPluginIdsForProvider({
+      provider: params.provider,
+      config: params.config,
+      workspaceDir: params.workspaceDir,
+      env: params.env,
+    }),
   }).find((plugin) => matchesProviderId(plugin, params.provider));
 }
 
@@ -135,6 +163,36 @@ export async function resolveProviderUsageSnapshotWithPlugin(params: {
   return await resolveProviderRuntimePlugin(params)?.fetchUsageSnapshot?.(params.context);
 }
 
+export function formatProviderAuthProfileApiKeyWithPlugin(params: {
+  provider: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  context: AuthProfileCredential;
+}) {
+  return resolveProviderRuntimePlugin(params)?.formatApiKey?.(params.context);
+}
+
+export async function refreshProviderOAuthCredentialWithPlugin(params: {
+  provider: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  context: OAuthCredential;
+}) {
+  return await resolveProviderRuntimePlugin(params)?.refreshOAuth?.(params.context);
+}
+
+export async function buildProviderAuthDoctorHintWithPlugin(params: {
+  provider: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  context: ProviderAuthDoctorHintContext;
+}) {
+  return await resolveProviderRuntimePlugin(params)?.buildAuthDoctorHint?.(params.context);
+}
+
 export function resolveProviderCacheTtlEligibility(params: {
   provider: string;
   config?: OpenClawConfig;
@@ -144,3 +202,87 @@ export function resolveProviderCacheTtlEligibility(params: {
 }) {
   return resolveProviderRuntimePlugin(params)?.isCacheTtlEligible?.(params.context);
 }
+
+export function resolveProviderBinaryThinking(params: {
+  provider: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  context: ProviderThinkingPolicyContext;
+}) {
+  return resolveProviderRuntimePlugin(params)?.isBinaryThinking?.(params.context);
+}
+
+export function resolveProviderXHighThinking(params: {
+  provider: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  context: ProviderThinkingPolicyContext;
+}) {
+  return resolveProviderRuntimePlugin(params)?.supportsXHighThinking?.(params.context);
+}
+
+export function resolveProviderDefaultThinkingLevel(params: {
+  provider: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  context: ProviderDefaultThinkingPolicyContext;
+}) {
+  return resolveProviderRuntimePlugin(params)?.resolveDefaultThinkingLevel?.(params.context);
+}
+
+export function resolveProviderModernModelRef(params: {
+  provider: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  context: ProviderModernModelPolicyContext;
+}) {
+  return resolveProviderRuntimePlugin(params)?.isModernModelRef?.(params.context);
+}
+
+export function buildProviderMissingAuthMessageWithPlugin(params: {
+  provider: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  context: ProviderBuildMissingAuthMessageContext;
+}) {
+  return (
+    resolveProviderRuntimePlugin(params)?.buildMissingAuthMessage?.(params.context) ?? undefined
+  );
+}
+
+export function resolveProviderBuiltInModelSuppression(params: {
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  context: ProviderBuiltInModelSuppressionContext;
+}) {
+  for (const plugin of resolveProviderPluginsForHooks(params)) {
+    const result = plugin.suppressBuiltInModel?.(params.context);
+    if (result?.suppress) {
+      return result;
+    }
+  }
+  return undefined;
+}
+
+export async function augmentModelCatalogWithProviderPlugins(params: {
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  context: ProviderAugmentModelCatalogContext;
+}) {
+  const supplemental = [] as ProviderAugmentModelCatalogContext["entries"];
+  for (const plugin of resolveProviderPluginsForHooks(params)) {
+    const next = await plugin.augmentModelCatalog?.(params.context);
+    if (!next || next.length === 0) {
+      continue;
+    }
+    supplemental.push(...next);
+  }
+  return supplemental;
+}
diff --git a/src/plugins/provider-validation.test.ts b/src/plugins/provider-validation.test.ts
index fc91a74576d..fe934aa6578 100644
--- a/src/plugins/provider-validation.test.ts
+++ b/src/plugins/provider-validation.test.ts
@@ -32,12 +32,21 @@ describe("normalizeRegisteredProvider", () => {
         id: " demo ",
         label: " Demo Provider ",
         aliases: [" alias-one ", "alias-one", ""],
+        deprecatedProfileIds: [" demo:legacy ", "demo:legacy", ""],
         envVars: [" DEMO_API_KEY ", "DEMO_API_KEY"],
         auth: [
           {
             id: " primary ",
             label: " Primary ",
             kind: "custom",
+            wizard: {
+              choiceId: " demo-primary ",
+              modelAllowlist: {
+                allowedKeys: [" demo/model ", "demo/model"],
+                initialSelections: [" demo/model "],
+                message: " Demo models ",
+              },
+            },
             run: async () => ({ profiles: [] }),
           },
           {
@@ -49,7 +58,7 @@ describe("normalizeRegisteredProvider", () => {
           { id: "   ", label: "Missing", kind: "custom", run: async () => ({ profiles: [] }) },
         ],
         wizard: {
-          onboarding: {
+          setup: {
             choiceId: " demo-choice ",
             methodId: " missing ",
           },
@@ -66,10 +75,24 @@ describe("normalizeRegisteredProvider", () => {
       id: "demo",
       label: "Demo Provider",
       aliases: ["alias-one"],
+      deprecatedProfileIds: ["demo:legacy"],
       envVars: ["DEMO_API_KEY"],
-      auth: [{ id: "primary", label: "Primary" }],
+      auth: [
+        {
+          id: "primary",
+          label: "Primary",
+          wizard: {
+            choiceId: "demo-primary",
+            modelAllowlist: {
+              allowedKeys: ["demo/model"],
+              initialSelections: ["demo/model"],
+              message: "Demo models",
+            },
+          },
+        },
+      ],
       wizard: {
-        onboarding: {
+        setup: {
           choiceId: "demo-choice",
         },
         modelPicker: {
@@ -89,7 +112,7 @@ describe("normalizeRegisteredProvider", () => {
       {
         level: "warn",
         message:
-          'provider "demo" onboarding method "missing" not found; falling back to available methods',
+          'provider "demo" setup method "missing" not found; falling back to available methods',
       },
       {
         level: "warn",
@@ -107,7 +130,7 @@ describe("normalizeRegisteredProvider", () => {
       source: "/tmp/demo/index.ts",
       provider: makeProvider({
         wizard: {
-          onboarding: {
+          setup: {
             choiceId: "demo",
           },
           modelPicker: {
@@ -120,7 +143,7 @@ describe("normalizeRegisteredProvider", () => {
 
     expect(provider?.wizard).toBeUndefined();
     expect(diagnostics.map((diag) => diag.message)).toEqual([
-      'provider "demo" onboarding metadata ignored because it has no auth methods',
+      'provider "demo" setup metadata ignored because it has no auth methods',
       'provider "demo" model-picker metadata ignored because it has no auth methods',
     ]);
   });
diff --git a/src/plugins/provider-validation.ts b/src/plugins/provider-validation.ts
index 5401144929c..f53abc8bd6d 100644
--- a/src/plugins/provider-validation.ts
+++ b/src/plugins/provider-validation.ts
@@ -27,6 +27,80 @@ function normalizeTextList(values: string[] | undefined): string[] | undefined {
   return normalized.length > 0 ? normalized : undefined;
 }
 
+function normalizeProviderWizardSetup(params: {
+  providerId: string;
+  pluginId: string;
+  source: string;
+  auth: ProviderAuthMethod[];
+  setup: NonNullable<ProviderPlugin["wizard"]>["setup"];
+  pushDiagnostic: (diag: PluginDiagnostic) => void;
+}): NonNullable<ProviderPlugin["wizard"]>["setup"] {
+  const hasAuthMethods = params.auth.length > 0;
+  if (!params.setup) {
+    return undefined;
+  }
+  if (!hasAuthMethods) {
+    pushProviderDiagnostic({
+      level: "warn",
+      pluginId: params.pluginId,
+      source: params.source,
+      message: `provider "${params.providerId}" setup metadata ignored because it has no auth methods`,
+      pushDiagnostic: params.pushDiagnostic,
+    });
+    return undefined;
+  }
+  const methodId = normalizeText(params.setup.methodId);
+  if (methodId && !params.auth.some((method) => method.id === methodId)) {
+    pushProviderDiagnostic({
+      level: "warn",
+      pluginId: params.pluginId,
+      source: params.source,
+      message: `provider "${params.providerId}" setup method "${methodId}" not found; falling back to available methods`,
+      pushDiagnostic: params.pushDiagnostic,
+    });
+  }
+  return {
+    ...(normalizeText(params.setup.choiceId)
+      ? { choiceId: normalizeText(params.setup.choiceId) }
+      : {}),
+    ...(normalizeText(params.setup.choiceLabel)
+      ? { choiceLabel: normalizeText(params.setup.choiceLabel) }
+      : {}),
+    ...(normalizeText(params.setup.choiceHint)
+      ? { choiceHint: normalizeText(params.setup.choiceHint) }
+      : {}),
+    ...(normalizeText(params.setup.groupId)
+      ? { groupId: normalizeText(params.setup.groupId) }
+      : {}),
+    ...(normalizeText(params.setup.groupLabel)
+      ? { groupLabel: normalizeText(params.setup.groupLabel) }
+      : {}),
+    ...(normalizeText(params.setup.groupHint)
+      ? { groupHint: normalizeText(params.setup.groupHint) }
+      : {}),
+    ...(methodId && params.auth.some((method) => method.id === methodId) ? { methodId } : {}),
+    ...(params.setup.modelAllowlist
+      ? {
+          modelAllowlist: {
+            ...(normalizeTextList(params.setup.modelAllowlist.allowedKeys)
+              ? { allowedKeys: normalizeTextList(params.setup.modelAllowlist.allowedKeys) }
+              : {}),
+            ...(normalizeTextList(params.setup.modelAllowlist.initialSelections)
+              ? {
+                  initialSelections: normalizeTextList(
+                    params.setup.modelAllowlist.initialSelections,
+                  ),
+                }
+              : {}),
+            ...(normalizeText(params.setup.modelAllowlist.message)
+              ? { message: normalizeText(params.setup.modelAllowlist.message) }
+              : {}),
+          },
+        }
+      : {}),
+  };
+}
+
 function normalizeProviderAuthMethods(params: {
   providerId: string;
   pluginId: string;
@@ -60,11 +134,20 @@ function normalizeProviderAuthMethods(params: {
       continue;
     }
     seenMethodIds.add(methodId);
+    const wizard = normalizeProviderWizardSetup({
+      providerId: params.providerId,
+      pluginId: params.pluginId,
+      source: params.source,
+      auth: [{ ...method, id: methodId }],
+      setup: method.wizard,
+      pushDiagnostic: params.pushDiagnostic,
+    });
     normalized.push({
       ...method,
       id: methodId,
       label: normalizeText(method.label) ?? methodId,
       ...(normalizeText(method.hint) ? { hint: normalizeText(method.hint) } : {}),
+      ...(wizard ? { wizard } : {}),
     });
   }
 
@@ -87,50 +170,19 @@ function normalizeProviderWizard(params: {
   const hasMethod = (methodId: string | undefined) =>
     Boolean(methodId && params.auth.some((method) => method.id === methodId));
 
-  const normalizeOnboarding = () => {
-    const onboarding = params.wizard?.onboarding;
-    if (!onboarding) {
+  const normalizeSetup = () => {
+    const setup = params.wizard?.setup;
+    if (!setup) {
       return undefined;
     }
-    if (!hasAuthMethods) {
-      pushProviderDiagnostic({
-        level: "warn",
-        pluginId: params.pluginId,
-        source: params.source,
-        message: `provider "${params.providerId}" onboarding metadata ignored because it has no auth methods`,
-        pushDiagnostic: params.pushDiagnostic,
-      });
-      return undefined;
-    }
-    const methodId = normalizeText(onboarding.methodId);
-    if (methodId && !hasMethod(methodId)) {
-      pushProviderDiagnostic({
-        level: "warn",
-        pluginId: params.pluginId,
-        source: params.source,
-        message: `provider "${params.providerId}" onboarding method "${methodId}" not found; falling back to available methods`,
-        pushDiagnostic: params.pushDiagnostic,
-      });
-    }
-    return {
-      ...(normalizeText(onboarding.choiceId)
-        ? { choiceId: normalizeText(onboarding.choiceId) }
-        : {}),
-      ...(normalizeText(onboarding.choiceLabel)
-        ? { choiceLabel: normalizeText(onboarding.choiceLabel) }
-        : {}),
-      ...(normalizeText(onboarding.choiceHint)
-        ? { choiceHint: normalizeText(onboarding.choiceHint) }
-        : {}),
-      ...(normalizeText(onboarding.groupId) ? { groupId: normalizeText(onboarding.groupId) } : {}),
-      ...(normalizeText(onboarding.groupLabel)
-        ? { groupLabel: normalizeText(onboarding.groupLabel) }
-        : {}),
-      ...(normalizeText(onboarding.groupHint)
-        ? { groupHint: normalizeText(onboarding.groupHint) }
-        : {}),
-      ...(methodId && hasMethod(methodId) ? { methodId } : {}),
-    };
+    return normalizeProviderWizardSetup({
+      providerId: params.providerId,
+      pluginId: params.pluginId,
+      source: params.source,
+      auth: params.auth,
+      setup,
+      pushDiagnostic: params.pushDiagnostic,
+    });
   };
 
   const normalizeModelPicker = () => {
@@ -165,13 +217,13 @@ function normalizeProviderWizard(params: {
     };
   };
 
-  const onboarding = normalizeOnboarding();
+  const setup = normalizeSetup();
   const modelPicker = normalizeModelPicker();
-  if (!onboarding && !modelPicker) {
+  if (!setup && !modelPicker) {
     return undefined;
   }
   return {
-    ...(onboarding ? { onboarding } : {}),
+    ...(setup ? { setup } : {}),
     ...(modelPicker ? { modelPicker } : {}),
   };
 }
@@ -203,6 +255,7 @@ export function normalizeRegisteredProvider(params: {
   });
   const docsPath = normalizeText(params.provider.docsPath);
   const aliases = normalizeTextList(params.provider.aliases);
+  const deprecatedProfileIds = normalizeTextList(params.provider.deprecatedProfileIds);
   const envVars = normalizeTextList(params.provider.envVars);
   const wizard = normalizeProviderWizard({
     providerId: id,
@@ -238,6 +291,7 @@ export function normalizeRegisteredProvider(params: {
     label: normalizeText(params.provider.label) ?? id,
     ...(docsPath ? { docsPath } : {}),
     ...(aliases ? { aliases } : {}),
+    ...(deprecatedProfileIds ? { deprecatedProfileIds } : {}),
     ...(envVars ? { envVars } : {}),
     auth,
     ...(catalog ? { catalog } : {}),
diff --git a/src/plugins/provider-wizard.test.ts b/src/plugins/provider-wizard.test.ts
index c6e265231a0..d7b8348f9b2 100644
--- a/src/plugins/provider-wizard.test.ts
+++ b/src/plugins/provider-wizard.test.ts
@@ -25,7 +25,7 @@ describe("provider wizard boundaries", () => {
     vi.clearAllMocks();
   });
 
-  it("uses explicit onboarding choice ids and bound method ids", () => {
+  it("uses explicit setup choice ids and bound method ids", () => {
     const provider = makeProvider({
       id: "vllm",
       label: "vLLM",
@@ -34,7 +34,7 @@ describe("provider wizard boundaries", () => {
         { id: "cloud", label: "Cloud", kind: "custom", run: vi.fn() },
       ],
       wizard: {
-        onboarding: {
+        setup: {
           choiceId: "self-hosted-vllm",
           methodId: "local",
           choiceLabel: "vLLM local",
@@ -61,6 +61,82 @@ describe("provider wizard boundaries", () => {
     ).toEqual({
       provider,
       method: provider.auth[0],
+      wizard: provider.wizard?.setup,
+    });
+  });
+
+  it("builds wizard options from method-level metadata", () => {
+    const provider = makeProvider({
+      id: "openai",
+      label: "OpenAI",
+      auth: [
+        {
+          id: "api-key",
+          label: "OpenAI API key",
+          kind: "api_key",
+          wizard: {
+            choiceId: "openai-api-key",
+            choiceLabel: "OpenAI API key",
+            groupId: "openai",
+            groupLabel: "OpenAI",
+          },
+          run: vi.fn(),
+        },
+      ],
+    });
+    resolvePluginProviders.mockReturnValue([provider]);
+
+    expect(resolveProviderWizardOptions({})).toEqual([
+      {
+        value: "openai-api-key",
+        label: "OpenAI API key",
+        groupId: "openai",
+        groupLabel: "OpenAI",
+      },
+    ]);
+    expect(
+      resolveProviderPluginChoice({
+        providers: [provider],
+        choice: "openai-api-key",
+      }),
+    ).toEqual({
+      provider,
+      method: provider.auth[0],
+      wizard: provider.auth[0]?.wizard,
+    });
+  });
+
+  it("returns method wizard metadata for canonical choices", () => {
+    const provider = makeProvider({
+      id: "anthropic",
+      label: "Anthropic",
+      auth: [
+        {
+          id: "setup-token",
+          label: "setup-token",
+          kind: "token",
+          wizard: {
+            choiceId: "token",
+            modelAllowlist: {
+              allowedKeys: ["anthropic/claude-sonnet-4-6"],
+              initialSelections: ["anthropic/claude-sonnet-4-6"],
+              message: "Anthropic OAuth models",
+            },
+          },
+          run: vi.fn(),
+        },
+      ],
+    });
+
+    expect(
+      resolveProviderPluginChoice({
+        providers: [provider],
+        choice: "token",
+      }),
+    ).toEqual({
+      provider,
+      method: provider.auth[0],
+      wizard: provider.auth[0]?.wizard,
     });
   });
 
diff --git a/src/plugins/provider-wizard.ts b/src/plugins/provider-wizard.ts
index 4b02fcd3cf7..0b95a07f2b5 100644
--- a/src/plugins/provider-wizard.ts
+++ b/src/plugins/provider-wizard.ts
@@ -8,7 +8,7 @@ import type {
   ProviderAuthMethod,
   ProviderPlugin,
   ProviderPluginWizardModelPicker,
-  ProviderPluginWizardOnboarding,
+  ProviderPluginWizardSetup,
 } from "./types.js";
 
 export const PROVIDER_PLUGIN_CHOICE_PREFIX = "provider-plugin:";
@@ -32,9 +32,9 @@ function normalizeChoiceId(choiceId: string): string {
   return choiceId.trim();
 }
 
-function resolveWizardOnboardingChoiceId(
+function resolveWizardSetupChoiceId(
   provider: ProviderPlugin,
-  wizard: ProviderPluginWizardOnboarding,
+  wizard: ProviderPluginWizardSetup,
 ): string {
   const explicit = wizard.choiceId?.trim();
   if (explicit) {
@@ -61,9 +61,20 @@ function resolveMethodById(
   return provider.auth.find((method) => method.id.trim().toLowerCase() === normalizedMethodId);
 }
 
-function buildOnboardingOptionForMethod(params: {
+function listMethodWizardSetups(provider: ProviderPlugin): Array<{
+  method: ProviderAuthMethod;
+  wizard: ProviderPluginWizardSetup;
+}> {
+  return provider.auth
+    .map((method) => (method.wizard ? { method, wizard: method.wizard } : null))
+    .filter((entry): entry is { method: ProviderAuthMethod; wizard: ProviderPluginWizardSetup } =>
+      Boolean(entry),
+    );
+}
+
+function buildSetupOptionForMethod(params: {
   provider: ProviderPlugin;
-  wizard: ProviderPluginWizardOnboarding;
+  wizard: ProviderPluginWizardSetup;
   method: ProviderAuthMethod;
   value: string;
 }): ProviderWizardOption {
@@ -93,18 +104,32 @@ export function resolveProviderWizardOptions(params: {
   const options: ProviderWizardOption[] = [];
 
   for (const provider of providers) {
-    const wizard = provider.wizard?.onboarding;
-    if (!wizard) {
-      continue;
-    }
-    const explicitMethod = resolveMethodById(provider, wizard.methodId);
-    if (explicitMethod) {
+    const methodSetups = listMethodWizardSetups(provider);
+    for (const { method, wizard } of methodSetups) {
       options.push(
-        buildOnboardingOptionForMethod({
+        buildSetupOptionForMethod({
           provider,
           wizard,
+          method,
+          value: wizard.choiceId?.trim() || buildProviderPluginMethodChoice(provider.id, method.id),
+        }),
+      );
+    }
+    if (methodSetups.length > 0) {
+      continue;
+    }
+    const setup = provider.wizard?.setup;
+    if (!setup) {
+      continue;
+    }
+    const explicitMethod = resolveMethodById(provider, setup.methodId);
+    if (explicitMethod) {
+      options.push(
+        buildSetupOptionForMethod({
+          provider,
+          wizard: setup,
           method: explicitMethod,
-          value: resolveWizardOnboardingChoiceId(provider, wizard),
+          value: resolveWizardSetupChoiceId(provider, setup),
         }),
       );
       continue;
@@ -112,9 +137,9 @@ export function resolveProviderWizardOptions(params: {
 
     for (const method of provider.auth) {
       options.push(
-        buildOnboardingOptionForMethod({
+        buildSetupOptionForMethod({
           provider,
-          wizard,
+          wizard: setup,
           method,
           value: buildProviderPluginMethodChoice(provider.id, method.id),
         }),
@@ -165,7 +190,11 @@ export function resolveProviderModelPickerEntries(params: {
 export function resolveProviderPluginChoice(params: {
   providers: ProviderPlugin[];
   choice: string;
-}): { provider: ProviderPlugin; method: ProviderAuthMethod } | null {
+}): {
+  provider: ProviderPlugin;
+  method: ProviderAuthMethod;
+  wizard?: ProviderPluginWizardSetup;
+} | null {
   const choice = params.choice.trim();
   if (!choice) {
     return null;
@@ -187,13 +216,20 @@ export function resolveProviderPluginChoice(params: {
   }
 
   for (const provider of params.providers) {
-    const onboarding = provider.wizard?.onboarding;
-    if (onboarding) {
-      const onboardingChoiceId = resolveWizardOnboardingChoiceId(provider, onboarding);
-      if (normalizeChoiceId(onboardingChoiceId) === choice) {
-        const method = resolveMethodById(provider, onboarding.methodId);
+    for (const { method, wizard } of listMethodWizardSetups(provider)) {
+      const choiceId =
+        wizard.choiceId?.trim() || buildProviderPluginMethodChoice(provider.id, method.id);
+      if (normalizeChoiceId(choiceId) === choice) {
+        return { provider, method, wizard };
+      }
+    }
+    const setup = provider.wizard?.setup;
+    if (setup) {
+      const setupChoiceId = resolveWizardSetupChoiceId(provider, setup);
+      if (normalizeChoiceId(setupChoiceId) === choice) {
+        const method = resolveMethodById(provider, setup.methodId);
         if (method) {
-          return { provider, method };
+          return { provider, method, wizard: setup };
         }
       }
     }
diff --git a/src/plugins/providers.test.ts b/src/plugins/providers.test.ts
index 7df6432b4c3..50530a3c051 100644
--- a/src/plugins/providers.test.ts
+++ b/src/plugins/providers.test.ts
@@ -1,17 +1,33 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
-import { resolvePluginProviders } from "./providers.js";
+import { resolveOwningPluginIdsForProvider, resolvePluginProviders } from "./providers.js";
 
 const loadOpenClawPluginsMock = vi.fn();
+const loadPluginManifestRegistryMock = vi.fn();
 
 vi.mock("./loader.js", () => ({
   loadOpenClawPlugins: (...args: unknown[]) => loadOpenClawPluginsMock(...args),
 }));
 
+vi.mock("./manifest-registry.js", () => ({
+  loadPluginManifestRegistry: (...args: unknown[]) => loadPluginManifestRegistryMock(...args),
+}));
+
 describe("resolvePluginProviders", () => {
   beforeEach(() => {
     loadOpenClawPluginsMock.mockReset();
     loadOpenClawPluginsMock.mockReturnValue({
-      providers: [{ provider: { id: "demo-provider" } }],
+      providers: [{ pluginId: "google", provider: { id: "demo-provider" } }],
+    });
+    loadPluginManifestRegistryMock.mockReset();
+    loadPluginManifestRegistryMock.mockReturnValue({
+      plugins: [
+        { id: "google", providers: ["google"], origin: "bundled" },
+        { id: "kilocode", providers: ["kilocode"], origin: "bundled" },
+        { id: "moonshot", providers: ["moonshot"], origin: "bundled" },
+        { id: "google-gemini-cli-auth", providers: [], origin: "bundled" },
+        { id: "workspace-provider", providers: ["workspace-provider"], origin: "workspace" },
+      ],
+      diagnostics: [],
     });
   });
 
@@ -23,11 +39,13 @@ describe("resolvePluginProviders", () => {
       env,
     });
 
-    expect(providers).toEqual([{ id: "demo-provider" }]);
+    expect(providers).toEqual([{ id: "demo-provider", pluginId: "google" }]);
     expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
       expect.objectContaining({
         workspaceDir: "/workspace/explicit",
         env,
+        cache: false,
+        activate: false,
       }),
     );
   });
@@ -46,10 +64,78 @@ describe("resolvePluginProviders", () => {
       expect.objectContaining({
         config: expect.objectContaining({
           plugins: expect.objectContaining({
-            allow: expect.arrayContaining(["openrouter", "kilocode", "moonshot"]),
+            allow: expect.arrayContaining(["openrouter", "google", "kilocode", "moonshot"]),
           }),
         }),
+        cache: false,
+        activate: false,
       }),
     );
   });
+  it("can enable bundled provider plugins under Vitest when no explicit plugin config exists", () => {
+    resolvePluginProviders({
+      env: { VITEST: "1" } as NodeJS.ProcessEnv,
+      bundledProviderVitestCompat: true,
+    });
+
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        config: expect.objectContaining({
+          plugins: expect.objectContaining({
+            enabled: true,
+            allow: expect.arrayContaining(["google", "moonshot"]),
+          }),
+        }),
+        cache: false,
+        activate: false,
+      }),
+    );
+  });
+
+  it("does not reintroduce the retired google auth plugin id into compat allowlists", () => {
+    resolvePluginProviders({
+      config: {
+        plugins: {
+          allow: ["openrouter"],
+        },
+      },
+      bundledProviderAllowlistCompat: true,
+    });
+
+    const call = loadOpenClawPluginsMock.mock.calls.at(-1)?.[0];
+    const allow = call?.config?.plugins?.allow;
+
+    expect(allow).toContain("google");
+    expect(allow).not.toContain("google-gemini-cli-auth");
+  });
+
+  it("does not inject non-bundled provider plugin ids into compat allowlists", () => {
+    resolvePluginProviders({
+      config: {
+        plugins: {
+          allow: ["openrouter"],
+        },
+      },
+      bundledProviderAllowlistCompat: true,
+    });
+
+    const call = loadOpenClawPluginsMock.mock.calls.at(-1)?.[0];
+    const allow = call?.config?.plugins?.allow;
+
+    expect(allow).not.toContain("workspace-provider");
+  });
+
+  it("maps provider ids to owning plugin ids via manifests", () => {
+    loadPluginManifestRegistryMock.mockReturnValue({
+      plugins: [
+        { id: "minimax", providers: ["minimax", "minimax-portal"] },
+        { id: "openai", providers: ["openai", "openai-codex"] },
+      ],
+      diagnostics: [],
+    });
+
+    expect(resolveOwningPluginIdsForProvider({ provider: "minimax-portal" })).toEqual(["minimax"]);
+    expect(resolveOwningPluginIdsForProvider({ provider: "openai-codex" })).toEqual(["openai"]);
+    expect(resolveOwningPluginIdsForProvider({ provider: "gemini-cli" })).toBeUndefined();
+  });
 });
diff --git a/src/plugins/providers.ts b/src/plugins/providers.ts
index 68b83561461..f2a2b4497c9 100644
--- a/src/plugins/providers.ts
+++ b/src/plugins/providers.ts
@@ -1,90 +1,143 @@
+import { normalizeProviderId } from "../agents/model-selection.js";
 import { createSubsystemLogger } from "../logging/subsystem.js";
+import { withBundledPluginAllowlistCompat } from "./bundled-compat.js";
 import { loadOpenClawPlugins, type PluginLoadOptions } from "./loader.js";
 import { createPluginLoaderLogger } from "./logger.js";
+import { loadPluginManifestRegistry } from "./manifest-registry.js";
 import type { ProviderPlugin } from "./types.js";
 
 const log = createSubsystemLogger("plugins");
-const BUNDLED_PROVIDER_ALLOWLIST_COMPAT_PLUGIN_IDS = [
-  "anthropic",
-  "byteplus",
-  "cloudflare-ai-gateway",
-  "copilot-proxy",
-  "github-copilot",
-  "google-gemini-cli-auth",
-  "huggingface",
-  "kilocode",
-  "kimi-coding",
-  "minimax",
-  "minimax-portal-auth",
-  "mistral",
-  "modelstudio",
-  "moonshot",
-  "nvidia",
-  "ollama",
-  "openai",
-  "openai-codex",
-  "opencode",
-  "opencode-go",
-  "openrouter",
-  "qianfan",
-  "qwen-portal-auth",
-  "sglang",
-  "synthetic",
-  "together",
-  "venice",
-  "vercel-ai-gateway",
-  "volcengine",
-  "vllm",
-  "xiaomi",
-  "zai",
-] as const;
 
-function withBundledProviderAllowlistCompat(
-  config: PluginLoadOptions["config"],
-): PluginLoadOptions["config"] {
-  const allow = config?.plugins?.allow;
-  if (!Array.isArray(allow) || allow.length === 0) {
-    return config;
+function hasExplicitPluginConfig(config: PluginLoadOptions["config"]): boolean {
+  const plugins = config?.plugins;
+  if (!plugins) {
+    return false;
   }
-
-  const allowSet = new Set(allow.map((entry) => entry.trim()).filter(Boolean));
-  let changed = false;
-  for (const pluginId of BUNDLED_PROVIDER_ALLOWLIST_COMPAT_PLUGIN_IDS) {
-    if (!allowSet.has(pluginId)) {
-      allowSet.add(pluginId);
-      changed = true;
-    }
+  if (typeof plugins.enabled === "boolean") {
+    return true;
   }
+  if (Array.isArray(plugins.allow) && plugins.allow.length > 0) {
+    return true;
+  }
+  if (Array.isArray(plugins.deny) && plugins.deny.length > 0) {
+    return true;
+  }
+  if (Array.isArray(plugins.load?.paths) && plugins.load.paths.length > 0) {
+    return true;
+  }
+  if (plugins.entries && Object.keys(plugins.entries).length > 0) {
+    return true;
+  }
+  if (plugins.slots && Object.keys(plugins.slots).length > 0) {
+    return true;
+  }
+  return false;
+}
 
-  if (!changed) {
-    return config;
+function withBundledProviderVitestCompat(params: {
+  config: PluginLoadOptions["config"];
+  pluginIds: readonly string[];
+  env?: PluginLoadOptions["env"];
+}): PluginLoadOptions["config"] {
+  const env = params.env ?? process.env;
+  if (!env.VITEST || hasExplicitPluginConfig(params.config) || params.pluginIds.length === 0) {
+    return params.config;
   }
 
   return {
-    ...config,
+    ...params.config,
     plugins: {
-      ...config?.plugins,
-      // Backward compat: bundled implicit providers historically stayed
-      // available even when operators kept a restrictive plugin allowlist.
-      allow: [...allowSet],
+      ...params.config?.plugins,
+      enabled: true,
+      allow: [...params.pluginIds],
+      slots: {
+        ...params.config?.plugins?.slots,
+        memory: "none",
+      },
     },
   };
 }
 
+function resolveBundledProviderCompatPluginIds(params: {
+  config?: PluginLoadOptions["config"];
+  workspaceDir?: string;
+  env?: PluginLoadOptions["env"];
+}): string[] {
+  const registry = loadPluginManifestRegistry({
+    config: params.config,
+    workspaceDir: params.workspaceDir,
+    env: params.env,
+  });
+  return registry.plugins
+    .filter((plugin) => plugin.origin === "bundled" && plugin.providers.length > 0)
+    .map((plugin) => plugin.id)
+    .toSorted((left, right) => left.localeCompare(right));
+}
+
+export function resolveOwningPluginIdsForProvider(params: {
+  provider: string;
+  config?: PluginLoadOptions["config"];
+  workspaceDir?: string;
+  env?: PluginLoadOptions["env"];
+}): string[] | undefined {
+  const normalizedProvider = normalizeProviderId(params.provider);
+  if (!normalizedProvider) {
+    return undefined;
+  }
+
+  const registry = loadPluginManifestRegistry({
+    config: params.config,
+    workspaceDir: params.workspaceDir,
+    env: params.env,
+  });
+  const pluginIds = registry.plugins
+    .filter((plugin) =>
+      plugin.providers.some((providerId) => normalizeProviderId(providerId) === normalizedProvider),
+    )
+    .map((plugin) => plugin.id);
+
+  return pluginIds.length > 0 ? pluginIds : undefined;
+}
+
 export function resolvePluginProviders(params: {
   config?: PluginLoadOptions["config"];
   workspaceDir?: string;
   /** Use an explicit env when plugin roots should resolve independently from process.env. */
   env?: PluginLoadOptions["env"];
   bundledProviderAllowlistCompat?: boolean;
+  bundledProviderVitestCompat?: boolean;
+  onlyPluginIds?: string[];
+  activate?: boolean;
+  cache?: boolean;
 }): ProviderPlugin[] {
-  const config = params.bundledProviderAllowlistCompat
-    ? withBundledProviderAllowlistCompat(params.config)
+  const bundledProviderCompatPluginIds =
+    params.bundledProviderAllowlistCompat || params.bundledProviderVitestCompat
+      ? resolveBundledProviderCompatPluginIds({
+          config: params.config,
+          workspaceDir: params.workspaceDir,
+          env: params.env,
+        })
+      : [];
+  const maybeAllowlistCompat = params.bundledProviderAllowlistCompat
+    ? withBundledPluginAllowlistCompat({
+        config: params.config,
+        pluginIds: bundledProviderCompatPluginIds,
+      })
     : params.config;
+  const config = params.bundledProviderVitestCompat
+    ? withBundledProviderVitestCompat({
+        config: maybeAllowlistCompat,
+        pluginIds: bundledProviderCompatPluginIds,
+        env: params.env,
+      })
+    : maybeAllowlistCompat;
   const registry = loadOpenClawPlugins({
     config,
     workspaceDir: params.workspaceDir,
     env: params.env,
+    onlyPluginIds: params.onlyPluginIds,
+    cache: params.cache ?? false,
+    activate: params.activate ?? false,
     logger: createPluginLoaderLogger(log),
   });
 
diff --git a/src/plugins/registry.ts b/src/plugins/registry.ts
index 56abbe79bb4..fabf9fa1069 100644
--- a/src/plugins/registry.ts
+++ b/src/plugins/registry.ts
@@ -1,6 +1,5 @@
 import path from "node:path";
 import type { AnyAgentTool } from "../agents/tools/common.js";
-import type { ChannelDock } from "../channels/dock.js";
 import type { ChannelPlugin } from "../channels/plugins/types.js";
 import { registerContextEngineForOwner } from "../context-engine/registry.js";
 import type {
@@ -43,9 +42,11 @@ import type {
   PluginLogger,
   PluginOrigin,
   PluginKind,
+  PluginRegistrationMode,
   PluginHookName,
   PluginHookHandlerMap,
   PluginHookRegistration as TypedPluginHookRegistration,
+  WebSearchProviderPlugin,
 } from "./types.js";
 
 export type PluginToolRegistration = {
@@ -80,7 +81,6 @@ export type PluginChannelRegistration = {
   pluginId: string;
   pluginName?: string;
   plugin: ChannelPlugin;
-  dock?: ChannelDock;
   source: string;
   rootDir?: string;
 };
@@ -102,6 +102,14 @@ export type PluginProviderRegistration = {
   rootDir?: string;
 };
 
+export type PluginWebSearchProviderRegistration = {
+  pluginId: string;
+  pluginName?: string;
+  provider: WebSearchProviderPlugin;
+  source: string;
+  rootDir?: string;
+};
+
 export type PluginHookRegistration = {
   pluginId: string;
   entry: HookEntry;
@@ -146,6 +154,7 @@ export type PluginRecord = {
   hookNames: string[];
   channelIds: string[];
   providerIds: string[];
+  webSearchProviderIds: string[];
   gatewayMethods: string[];
   cliCommands: string[];
   services: string[];
@@ -165,6 +174,7 @@ export type PluginRegistry = {
   channels: PluginChannelRegistration[];
   channelSetups: PluginChannelSetupRegistration[];
   providers: PluginProviderRegistration[];
+  webSearchProviders: PluginWebSearchProviderRegistration[];
   gatewayHandlers: GatewayRequestHandlers;
   httpRoutes: PluginHttpRouteRegistration[];
   cliRegistrars: PluginCliRegistration[];
@@ -186,8 +196,6 @@ type PluginTypedHookPolicy = {
   allowPromptInjection?: boolean;
 };
 
-type PluginRegistrationMode = "full" | "setup-only";
-
 const constrainLegacyPromptInjectionHook = (
   handler: PluginHookHandlerMap["before_agent_start"],
 ): PluginHookHandlerMap["before_agent_start"] => {
@@ -211,6 +219,7 @@ export function createEmptyPluginRegistry(): PluginRegistry {
     channels: [],
     channelSetups: [],
     providers: [],
+    webSearchProviders: [],
     gatewayHandlers: {},
     httpRoutes: [],
     cliRegistrars: [],
@@ -470,7 +479,7 @@ export function createPluginRegistry(registryParams: PluginRegistryParams) {
       return;
     }
     const existingRuntime = registry.channels.find((entry) => entry.plugin.id === id);
-    if (mode === "full" && existingRuntime) {
+    if (mode !== "setup-only" && existingRuntime) {
       pushDiagnostic({
         level: "error",
         pluginId: record.id,
@@ -505,7 +514,6 @@ export function createPluginRegistry(registryParams: PluginRegistryParams) {
       pluginId: record.id,
       pluginName: record.name,
       plugin,
-      dock: normalized.dock,
       source: record.source,
       rootDir: record.rootDir,
     });
@@ -542,6 +550,37 @@ export function createPluginRegistry(registryParams: PluginRegistryParams) {
     });
   };
 
+  const registerWebSearchProvider = (record: PluginRecord, provider: WebSearchProviderPlugin) => {
+    const id = provider.id.trim();
+    if (!id) {
+      pushDiagnostic({
+        level: "error",
+        pluginId: record.id,
+        source: record.source,
+        message: "web search provider registration missing id",
+      });
+      return;
+    }
+    const existing = registry.webSearchProviders.find((entry) => entry.provider.id === id);
+    if (existing) {
+      pushDiagnostic({
+        level: "error",
+        pluginId: record.id,
+        source: record.source,
+        message: `web search provider already registered: ${id} (${existing.pluginId})`,
+      });
+      return;
+    }
+    record.webSearchProviderIds.push(id);
+    registry.webSearchProviders.push({
+      pluginId: record.id,
+      pluginName: record.name,
+      provider,
+      source: record.source,
+      rootDir: record.rootDir,
+    });
+  };
+
   const registerCli = (
     record: PluginRecord,
     registrar: OpenClawPluginCliRegistrar,
@@ -734,6 +773,7 @@ export function createPluginRegistry(registryParams: PluginRegistryParams) {
       description: record.description,
       source: record.source,
       rootDir: record.rootDir,
+      registrationMode,
       config: params.config,
       pluginConfig: params.pluginConfig,
       runtime: registryParams.runtime,
@@ -749,6 +789,10 @@ export function createPluginRegistry(registryParams: PluginRegistryParams) {
       registerChannel: (registration) => registerChannel(record, registration, registrationMode),
       registerProvider:
         registrationMode === "full" ? (provider) => registerProvider(record, provider) : () => {},
+      registerWebSearchProvider:
+        registrationMode === "full"
+          ? (provider) => registerWebSearchProvider(record, provider)
+          : () => {},
       registerGatewayMethod:
         registrationMode === "full"
           ? (method, handler) => registerGatewayMethod(record, method, handler)
@@ -818,6 +862,7 @@ export function createPluginRegistry(registryParams: PluginRegistryParams) {
     registerTool,
     registerChannel,
     registerProvider,
+    registerWebSearchProvider,
     registerGatewayMethod,
     registerCli,
     registerService,
diff --git a/src/plugins/runtime.test.ts b/src/plugins/runtime.test.ts
new file mode 100644
index 00000000000..b62a81314aa
--- /dev/null
+++ b/src/plugins/runtime.test.ts
@@ -0,0 +1,70 @@
+import { afterEach, describe, expect, it } from "vitest";
+import { createEmptyPluginRegistry } from "./registry.js";
+import {
+  pinActivePluginHttpRouteRegistry,
+  releasePinnedPluginHttpRouteRegistry,
+  resolveActivePluginHttpRouteRegistry,
+  setActivePluginRegistry,
+} from "./runtime.js";
+
+describe("plugin runtime route registry", () => {
+  afterEach(() => {
+    releasePinnedPluginHttpRouteRegistry();
+    setActivePluginRegistry(createEmptyPluginRegistry());
+  });
+
+  it("keeps the pinned route registry when the active plugin registry changes", () => {
+    const startupRegistry = createEmptyPluginRegistry();
+    const laterRegistry = createEmptyPluginRegistry();
+
+    setActivePluginRegistry(startupRegistry);
+    pinActivePluginHttpRouteRegistry(startupRegistry);
+    setActivePluginRegistry(laterRegistry);
+
+    expect(resolveActivePluginHttpRouteRegistry(laterRegistry)).toBe(startupRegistry);
+  });
+
+  it("falls back to the provided registry when the pinned route registry has no routes", () => {
+    const startupRegistry = createEmptyPluginRegistry();
+    const explicitRegistry = createEmptyPluginRegistry();
+    explicitRegistry.httpRoutes.push({
+      path: "/demo",
+      auth: "plugin",
+      match: "exact",
+      handler: () => true,
+      pluginId: "demo",
+      source: "test",
+    });
+
+    setActivePluginRegistry(startupRegistry);
+    pinActivePluginHttpRouteRegistry(startupRegistry);
+
+    expect(resolveActivePluginHttpRouteRegistry(explicitRegistry)).toBe(explicitRegistry);
+  });
+
+  it("prefers the pinned route registry when it already owns routes", () => {
+    const startupRegistry = createEmptyPluginRegistry();
+    const explicitRegistry = createEmptyPluginRegistry();
+    startupRegistry.httpRoutes.push({
+      path: "/bluebubbles-webhook",
+      auth: "plugin",
+      match: "exact",
+      handler: () => true,
+      pluginId: "bluebubbles",
+      source: "test",
+    });
+    explicitRegistry.httpRoutes.push({
+      path: "/plugins/diffs",
+      auth: "plugin",
+      match: "prefix",
+      handler: () => true,
+      pluginId: "diffs",
+      source: "test",
+    });
+
+    setActivePluginRegistry(startupRegistry);
+    pinActivePluginHttpRouteRegistry(startupRegistry);
+
+    expect(resolveActivePluginHttpRouteRegistry(explicitRegistry)).toBe(startupRegistry);
+  });
+});
diff --git a/src/plugins/runtime.ts b/src/plugins/runtime.ts
index 752908ddf75..d159ad42758 100644
--- a/src/plugins/runtime.ts
+++ b/src/plugins/runtime.ts
@@ -4,6 +4,8 @@ const REGISTRY_STATE = Symbol.for("openclaw.pluginRegistryState");
 
 type RegistryState = {
   registry: PluginRegistry | null;
+  httpRouteRegistry: PluginRegistry | null;
+  httpRouteRegistryPinned: boolean;
   key: string | null;
   version: number;
 };
@@ -15,6 +17,8 @@ const state: RegistryState = (() => {
   if (!globalState[REGISTRY_STATE]) {
     globalState[REGISTRY_STATE] = {
       registry: createEmptyPluginRegistry(),
+      httpRouteRegistry: null,
+      httpRouteRegistryPinned: false,
       key: null,
       version: 0,
     };
@@ -24,6 +28,9 @@ const state: RegistryState = (() => {
 
 export function setActivePluginRegistry(registry: PluginRegistry, cacheKey?: string) {
   state.registry = registry;
+  if (!state.httpRouteRegistryPinned) {
+    state.httpRouteRegistry = registry;
+  }
   state.key = cacheKey ?? null;
   state.version += 1;
 }
@@ -35,11 +42,54 @@ export function getActivePluginRegistry(): PluginRegistry | null {
 export function requireActivePluginRegistry(): PluginRegistry {
   if (!state.registry) {
     state.registry = createEmptyPluginRegistry();
+    if (!state.httpRouteRegistryPinned) {
+      state.httpRouteRegistry = state.registry;
+    }
     state.version += 1;
   }
   return state.registry;
 }
 
+export function pinActivePluginHttpRouteRegistry(registry: PluginRegistry) {
+  state.httpRouteRegistry = registry;
+  state.httpRouteRegistryPinned = true;
+}
+
+export function releasePinnedPluginHttpRouteRegistry(registry?: PluginRegistry) {
+  if (registry && state.httpRouteRegistry !== registry) {
+    return;
+  }
+  state.httpRouteRegistryPinned = false;
+  state.httpRouteRegistry = state.registry;
+}
+
+export function getActivePluginHttpRouteRegistry(): PluginRegistry | null {
+  return state.httpRouteRegistry ?? state.registry;
+}
+
+export function requireActivePluginHttpRouteRegistry(): PluginRegistry {
+  const existing = getActivePluginHttpRouteRegistry();
+  if (existing) {
+    return existing;
+  }
+  const created = requireActivePluginRegistry();
+  state.httpRouteRegistry = created;
+  return created;
+}
+
+export function resolveActivePluginHttpRouteRegistry(fallback: PluginRegistry): PluginRegistry {
+  const routeRegistry = getActivePluginHttpRouteRegistry();
+  if (!routeRegistry) {
+    return fallback;
+  }
+  const routeCount = routeRegistry.httpRoutes?.length ?? 0;
+  const fallbackRouteCount = fallback.httpRoutes?.length ?? 0;
+  if (routeCount === 0 && fallbackRouteCount > 0) {
+    return fallback;
+  }
+  return routeRegistry;
+}
+
 export function getActivePluginRegistryKey(): string | null {
   return state.key;
 }
diff --git a/src/plugins/runtime/runtime-channel.ts b/src/plugins/runtime/runtime-channel.ts
index 94ea9a0b8cb..80bb1aba736 100644
--- a/src/plugins/runtime/runtime-channel.ts
+++ b/src/plugins/runtime/runtime-channel.ts
@@ -1,59 +1,4 @@
-import { auditDiscordChannelPermissions } from "../../../extensions/discord/src/audit.js";
-import {
-  listDiscordDirectoryGroupsLive,
-  listDiscordDirectoryPeersLive,
-} from "../../../extensions/discord/src/directory-live.js";
-import { monitorDiscordProvider } from "../../../extensions/discord/src/monitor.js";
-import { probeDiscord } from "../../../extensions/discord/src/probe.js";
-import { resolveDiscordChannelAllowlist } from "../../../extensions/discord/src/resolve-channels.js";
-import { resolveDiscordUserAllowlist } from "../../../extensions/discord/src/resolve-users.js";
-import {
-  createThreadDiscord,
-  deleteMessageDiscord,
-  editChannelDiscord,
-  editMessageDiscord,
-  pinMessageDiscord,
-  sendDiscordComponentMessage,
-  sendMessageDiscord,
-  sendPollDiscord,
-  sendTypingDiscord,
-  unpinMessageDiscord,
-} from "../../../extensions/discord/src/send.js";
-import { monitorIMessageProvider } from "../../../extensions/imessage/src/monitor.js";
-import { probeIMessage } from "../../../extensions/imessage/src/probe.js";
-import { sendMessageIMessage } from "../../../extensions/imessage/src/send.js";
-import { monitorSignalProvider } from "../../../extensions/signal/src/index.js";
-import { probeSignal } from "../../../extensions/signal/src/probe.js";
-import { sendMessageSignal } from "../../../extensions/signal/src/send.js";
-import {
-  listSlackDirectoryGroupsLive,
-  listSlackDirectoryPeersLive,
-} from "../../../extensions/slack/src/directory-live.js";
-import { monitorSlackProvider } from "../../../extensions/slack/src/index.js";
-import { probeSlack } from "../../../extensions/slack/src/probe.js";
-import { resolveSlackChannelAllowlist } from "../../../extensions/slack/src/resolve-channels.js";
-import { resolveSlackUserAllowlist } from "../../../extensions/slack/src/resolve-users.js";
-import { sendMessageSlack } from "../../../extensions/slack/src/send.js";
-import {
-  auditTelegramGroupMembership,
-  collectTelegramUnmentionedGroupIds,
-} from "../../../extensions/telegram/src/audit.js";
-import { monitorTelegramProvider } from "../../../extensions/telegram/src/monitor.js";
-import { probeTelegram } from "../../../extensions/telegram/src/probe.js";
-import {
-  deleteMessageTelegram,
-  editMessageReplyMarkupTelegram,
-  editMessageTelegram,
-  pinMessageTelegram,
-  renameForumTopicTelegram,
-  sendMessageTelegram,
-  sendPollTelegram,
-  sendTypingTelegram,
-  unpinMessageTelegram,
-} from "../../../extensions/telegram/src/send.js";
-import { resolveTelegramToken } from "../../../extensions/telegram/src/token.js";
 import { resolveEffectiveMessagesConfig, resolveHumanDelayConfig } from "../../agents/identity.js";
-import { handleSlackAction } from "../../agents/tools/slack-actions.js";
 import {
   chunkByNewline,
   chunkMarkdownText,
@@ -90,9 +35,6 @@ import { dispatchReplyWithBufferedBlockDispatcher } from "../../auto-reply/reply
 import { createReplyDispatcherWithTyping } from "../../auto-reply/reply/reply-dispatcher.js";
 import { removeAckReactionAfterReply, shouldAckReaction } from "../../channels/ack-reactions.js";
 import { resolveCommandAuthorizedFromAuthorizers } from "../../channels/command-gating.js";
-import { discordMessageActions } from "../../channels/plugins/actions/discord.js";
-import { signalMessageActions } from "../../channels/plugins/actions/signal.js";
-import { telegramMessageActions } from "../../channels/plugins/actions/telegram.js";
 import { recordInboundSession } from "../../channels/session.js";
 import {
   resolveChannelGroupPolicy,
@@ -134,13 +76,36 @@ import {
   upsertChannelPairingRequest,
 } from "../../pairing/pairing-store.js";
 import { buildAgentSessionKey, resolveAgentRoute } from "../../routing/resolve-route.js";
-import { createDiscordTypingLease } from "./runtime-discord-typing.js";
-import { createTelegramTypingLease } from "./runtime-telegram-typing.js";
+import { createRuntimeDiscord } from "./runtime-discord.js";
+import { createRuntimeIMessage } from "./runtime-imessage.js";
+import { createRuntimeSignal } from "./runtime-signal.js";
+import { createRuntimeSlack } from "./runtime-slack.js";
+import { createRuntimeTelegram } from "./runtime-telegram.js";
 import { createRuntimeWhatsApp } from "./runtime-whatsapp.js";
 import type { PluginRuntime } from "./types.js";
 
+function defineCachedValue<T extends object, K extends PropertyKey>(
+  target: T,
+  key: K,
+  create: () => unknown,
+): void {
+  let cached: unknown;
+  let ready = false;
+  Object.defineProperty(target, key, {
+    configurable: true,
+    enumerable: true,
+    get() {
+      if (!ready) {
+        cached = create();
+        ready = true;
+      }
+      return cached;
+    },
+  });
+}
+
 export function createRuntimeChannel(): PluginRuntime["channel"] {
-  return {
+  const channelRuntime = {
     text: {
       chunkByNewline,
       chunkMarkdownText,
@@ -222,101 +187,6 @@ export function createRuntimeChannel(): PluginRuntime["channel"] {
       shouldComputeCommandAuthorized,
       shouldHandleTextCommands,
     },
-    discord: {
-      messageActions: discordMessageActions,
-      auditChannelPermissions: auditDiscordChannelPermissions,
-      listDirectoryGroupsLive: listDiscordDirectoryGroupsLive,
-      listDirectoryPeersLive: listDiscordDirectoryPeersLive,
-      probeDiscord,
-      resolveChannelAllowlist: resolveDiscordChannelAllowlist,
-      resolveUserAllowlist: resolveDiscordUserAllowlist,
-      sendComponentMessage: sendDiscordComponentMessage,
-      sendMessageDiscord,
-      sendPollDiscord,
-      monitorDiscordProvider,
-      typing: {
-        pulse: sendTypingDiscord,
-        start: async ({ channelId, accountId, cfg, intervalMs }) =>
-          await createDiscordTypingLease({
-            channelId,
-            accountId,
-            cfg,
-            intervalMs,
-            pulse: async ({ channelId, accountId, cfg }) =>
-              void (await sendTypingDiscord(channelId, {
-                accountId,
-                cfg,
-              })),
-          }),
-      },
-      conversationActions: {
-        editMessage: editMessageDiscord,
-        deleteMessage: deleteMessageDiscord,
-        pinMessage: pinMessageDiscord,
-        unpinMessage: unpinMessageDiscord,
-        createThread: createThreadDiscord,
-        editChannel: editChannelDiscord,
-      },
-    },
-    slack: {
-      listDirectoryGroupsLive: listSlackDirectoryGroupsLive,
-      listDirectoryPeersLive: listSlackDirectoryPeersLive,
-      probeSlack,
-      resolveChannelAllowlist: resolveSlackChannelAllowlist,
-      resolveUserAllowlist: resolveSlackUserAllowlist,
-      sendMessageSlack,
-      monitorSlackProvider,
-      handleSlackAction,
-    },
-    telegram: {
-      auditGroupMembership: auditTelegramGroupMembership,
-      collectUnmentionedGroupIds: collectTelegramUnmentionedGroupIds,
-      probeTelegram,
-      resolveTelegramToken,
-      sendMessageTelegram,
-      sendPollTelegram,
-      monitorTelegramProvider,
-      messageActions: telegramMessageActions,
-      typing: {
-        pulse: sendTypingTelegram,
-        start: async ({ to, accountId, cfg, intervalMs, messageThreadId }) =>
-          await createTelegramTypingLease({
-            to,
-            accountId,
-            cfg,
-            intervalMs,
-            messageThreadId,
-            pulse: async ({ to, accountId, cfg, messageThreadId }) =>
-              await sendTypingTelegram(to, {
-                accountId,
-                cfg,
-                messageThreadId,
-              }),
-          }),
-      },
-      conversationActions: {
-        editMessage: editMessageTelegram,
-        editReplyMarkup: editMessageReplyMarkupTelegram,
-        clearReplyMarkup: async (chatIdInput, messageIdInput, opts = {}) =>
-          await editMessageReplyMarkupTelegram(chatIdInput, messageIdInput, [], opts),
-        deleteMessage: deleteMessageTelegram,
-        renameTopic: renameForumTopicTelegram,
-        pinMessage: pinMessageTelegram,
-        unpinMessage: unpinMessageTelegram,
-      },
-    },
-    signal: {
-      probeSignal,
-      sendMessageSignal,
-      monitorSignalProvider,
-      messageActions: signalMessageActions,
-    },
-    imessage: {
-      monitorIMessageProvider,
-      probeIMessage,
-      sendMessageIMessage,
-    },
-    whatsapp: createRuntimeWhatsApp(),
     line: {
       listLineAccountIds,
       resolveDefaultLineAccountId,
@@ -334,5 +204,23 @@ export function createRuntimeChannel(): PluginRuntime["channel"] {
       buildTemplateMessageFromPayload,
       monitorLineProvider,
     },
-  };
+  } satisfies Omit<
+    PluginRuntime["channel"],
+    "discord" | "slack" | "telegram" | "signal" | "imessage" | "whatsapp"
+  > &
+    Partial<
+      Pick<
+        PluginRuntime["channel"],
+        "discord" | "slack" | "telegram" | "signal" | "imessage" | "whatsapp"
+      >
+    >;
+
+  defineCachedValue(channelRuntime, "discord", createRuntimeDiscord);
+  defineCachedValue(channelRuntime, "slack", createRuntimeSlack);
+  defineCachedValue(channelRuntime, "telegram", createRuntimeTelegram);
+  defineCachedValue(channelRuntime, "signal", createRuntimeSignal);
+  defineCachedValue(channelRuntime, "imessage", createRuntimeIMessage);
+  defineCachedValue(channelRuntime, "whatsapp", createRuntimeWhatsApp);
+
+  return channelRuntime as PluginRuntime["channel"];
 }
diff --git a/src/plugins/runtime/runtime-discord-ops.runtime.ts b/src/plugins/runtime/runtime-discord-ops.runtime.ts
new file mode 100644
index 00000000000..d10daac5a35
--- /dev/null
+++ b/src/plugins/runtime/runtime-discord-ops.runtime.ts
@@ -0,0 +1,21 @@
+export { auditDiscordChannelPermissions } from "../../../extensions/discord/src/audit.js";
+export {
+  listDiscordDirectoryGroupsLive,
+  listDiscordDirectoryPeersLive,
+} from "../../../extensions/discord/src/directory-live.js";
+export { monitorDiscordProvider } from "../../../extensions/discord/src/monitor.js";
+export { probeDiscord } from "../../../extensions/discord/src/probe.js";
+export { resolveDiscordChannelAllowlist } from "../../../extensions/discord/src/resolve-channels.js";
+export { resolveDiscordUserAllowlist } from "../../../extensions/discord/src/resolve-users.js";
+export {
+  createThreadDiscord,
+  deleteMessageDiscord,
+  editChannelDiscord,
+  editMessageDiscord,
+  pinMessageDiscord,
+  sendDiscordComponentMessage,
+  sendMessageDiscord,
+  sendPollDiscord,
+  sendTypingDiscord,
+  unpinMessageDiscord,
+} from "../../../extensions/discord/src/send.js";
diff --git a/src/plugins/runtime/runtime-discord.ts b/src/plugins/runtime/runtime-discord.ts
new file mode 100644
index 00000000000..ae302ad0e5f
--- /dev/null
+++ b/src/plugins/runtime/runtime-discord.ts
@@ -0,0 +1,171 @@
+import { discordMessageActions } from "../../../extensions/discord/src/channel-actions.js";
+import {
+  getThreadBindingManager,
+  resolveThreadBindingIdleTimeoutMs,
+  resolveThreadBindingInactivityExpiresAt,
+  resolveThreadBindingMaxAgeExpiresAt,
+  resolveThreadBindingMaxAgeMs,
+  setThreadBindingIdleTimeoutBySessionKey,
+  setThreadBindingMaxAgeBySessionKey,
+  unbindThreadBindingsBySessionKey,
+} from "../../../extensions/discord/src/monitor/thread-bindings.js";
+import { createDiscordTypingLease } from "./runtime-discord-typing.js";
+import type { PluginRuntimeChannel } from "./types-channel.js";
+
+let runtimeDiscordOpsPromise: Promise<typeof import("./runtime-discord-ops.runtime.js")> | null =
+  null;
+
+function loadRuntimeDiscordOps() {
+  runtimeDiscordOpsPromise ??= import("./runtime-discord-ops.runtime.js");
+  return runtimeDiscordOpsPromise;
+}
+
+const auditChannelPermissionsLazy: PluginRuntimeChannel["discord"]["auditChannelPermissions"] =
+  async (...args) => {
+    const { auditDiscordChannelPermissions } = await loadRuntimeDiscordOps();
+    return auditDiscordChannelPermissions(...args);
+  };
+
+const listDirectoryGroupsLiveLazy: PluginRuntimeChannel["discord"]["listDirectoryGroupsLive"] =
+  async (...args) => {
+    const { listDiscordDirectoryGroupsLive } = await loadRuntimeDiscordOps();
+    return listDiscordDirectoryGroupsLive(...args);
+  };
+
+const listDirectoryPeersLiveLazy: PluginRuntimeChannel["discord"]["listDirectoryPeersLive"] =
+  async (...args) => {
+    const { listDiscordDirectoryPeersLive } = await loadRuntimeDiscordOps();
+    return listDiscordDirectoryPeersLive(...args);
+  };
+
+const probeDiscordLazy: PluginRuntimeChannel["discord"]["probeDiscord"] = async (...args) => {
+  const { probeDiscord } = await loadRuntimeDiscordOps();
+  return probeDiscord(...args);
+};
+
+const resolveChannelAllowlistLazy: PluginRuntimeChannel["discord"]["resolveChannelAllowlist"] =
+  async (...args) => {
+    const { resolveDiscordChannelAllowlist } = await loadRuntimeDiscordOps();
+    return resolveDiscordChannelAllowlist(...args);
+  };
+
+const resolveUserAllowlistLazy: PluginRuntimeChannel["discord"]["resolveUserAllowlist"] = async (
+  ...args
+) => {
+  const { resolveDiscordUserAllowlist } = await loadRuntimeDiscordOps();
+  return resolveDiscordUserAllowlist(...args);
+};
+
+const sendComponentMessageLazy: PluginRuntimeChannel["discord"]["sendComponentMessage"] = async (
+  ...args
+) => {
+  const { sendDiscordComponentMessage } = await loadRuntimeDiscordOps();
+  return sendDiscordComponentMessage(...args);
+};
+
+const sendMessageDiscordLazy: PluginRuntimeChannel["discord"]["sendMessageDiscord"] = async (
+  ...args
+) => {
+  const { sendMessageDiscord } = await loadRuntimeDiscordOps();
+  return sendMessageDiscord(...args);
+};
+
+const sendPollDiscordLazy: PluginRuntimeChannel["discord"]["sendPollDiscord"] = async (...args) => {
+  const { sendPollDiscord } = await loadRuntimeDiscordOps();
+  return sendPollDiscord(...args);
+};
+
+const monitorDiscordProviderLazy: PluginRuntimeChannel["discord"]["monitorDiscordProvider"] =
+  async (...args) => {
+    const { monitorDiscordProvider } = await loadRuntimeDiscordOps();
+    return monitorDiscordProvider(...args);
+  };
+
+const sendTypingDiscordLazy: PluginRuntimeChannel["discord"]["typing"]["pulse"] = async (
+  ...args
+) => {
+  const { sendTypingDiscord } = await loadRuntimeDiscordOps();
+  return sendTypingDiscord(...args);
+};
+
+const editMessageDiscordLazy: PluginRuntimeChannel["discord"]["conversationActions"]["editMessage"] =
+  async (...args) => {
+    const { editMessageDiscord } = await loadRuntimeDiscordOps();
+    return editMessageDiscord(...args);
+  };
+
+const deleteMessageDiscordLazy: PluginRuntimeChannel["discord"]["conversationActions"]["deleteMessage"] =
+  async (...args) => {
+    const { deleteMessageDiscord } = await loadRuntimeDiscordOps();
+    return deleteMessageDiscord(...args);
+  };
+
+const pinMessageDiscordLazy: PluginRuntimeChannel["discord"]["conversationActions"]["pinMessage"] =
+  async (...args) => {
+    const { pinMessageDiscord } = await loadRuntimeDiscordOps();
+    return pinMessageDiscord(...args);
+  };
+
+const unpinMessageDiscordLazy: PluginRuntimeChannel["discord"]["conversationActions"]["unpinMessage"] =
+  async (...args) => {
+    const { unpinMessageDiscord } = await loadRuntimeDiscordOps();
+    return unpinMessageDiscord(...args);
+  };
+
+const createThreadDiscordLazy: PluginRuntimeChannel["discord"]["conversationActions"]["createThread"] =
+  async (...args) => {
+    const { createThreadDiscord } = await loadRuntimeDiscordOps();
+    return createThreadDiscord(...args);
+  };
+
+const editChannelDiscordLazy: PluginRuntimeChannel["discord"]["conversationActions"]["editChannel"] =
+  async (...args) => {
+    const { editChannelDiscord } = await loadRuntimeDiscordOps();
+    return editChannelDiscord(...args);
+  };
+
+export function createRuntimeDiscord(): PluginRuntimeChannel["discord"] {
+  return {
+    messageActions: discordMessageActions,
+    auditChannelPermissions: auditChannelPermissionsLazy,
+    listDirectoryGroupsLive: listDirectoryGroupsLiveLazy,
+    listDirectoryPeersLive: listDirectoryPeersLiveLazy,
+    probeDiscord: probeDiscordLazy,
+    resolveChannelAllowlist: resolveChannelAllowlistLazy,
+    resolveUserAllowlist: resolveUserAllowlistLazy,
+    sendComponentMessage: sendComponentMessageLazy,
+    sendMessageDiscord: sendMessageDiscordLazy,
+    sendPollDiscord: sendPollDiscordLazy,
+    monitorDiscordProvider: monitorDiscordProviderLazy,
+    threadBindings: {
+      getManager: getThreadBindingManager,
+      resolveIdleTimeoutMs: resolveThreadBindingIdleTimeoutMs,
+      resolveInactivityExpiresAt: resolveThreadBindingInactivityExpiresAt,
+      resolveMaxAgeMs: resolveThreadBindingMaxAgeMs,
+      resolveMaxAgeExpiresAt: resolveThreadBindingMaxAgeExpiresAt,
+      setIdleTimeoutBySessionKey: setThreadBindingIdleTimeoutBySessionKey,
+      setMaxAgeBySessionKey: setThreadBindingMaxAgeBySessionKey,
+      unbindBySessionKey: unbindThreadBindingsBySessionKey,
+    },
+    typing: {
+      pulse: sendTypingDiscordLazy,
+      start: async ({ channelId, accountId, cfg, intervalMs }) =>
+        await createDiscordTypingLease({
+          channelId,
+          accountId,
+          cfg,
+          intervalMs,
+          pulse: async ({ channelId, accountId, cfg }) =>
+            void (await sendTypingDiscordLazy(channelId, { accountId, cfg })),
+        }),
+    },
+    conversationActions: {
+      editMessage: editMessageDiscordLazy,
+      deleteMessage: deleteMessageDiscordLazy,
+      pinMessage: pinMessageDiscordLazy,
+      unpinMessage: unpinMessageDiscordLazy,
+      createThread: createThreadDiscordLazy,
+      editChannel: editChannelDiscordLazy,
+    },
+  };
+}
diff --git a/src/plugins/runtime/runtime-imessage.ts b/src/plugins/runtime/runtime-imessage.ts
new file mode 100644
index 00000000000..01430cacc3c
--- /dev/null
+++ b/src/plugins/runtime/runtime-imessage.ts
@@ -0,0 +1,12 @@
+import { monitorIMessageProvider } from "../../../extensions/imessage/src/monitor.js";
+import { probeIMessage } from "../../../extensions/imessage/src/probe.js";
+import { sendMessageIMessage } from "../../../extensions/imessage/src/send.js";
+import type { PluginRuntimeChannel } from "./types-channel.js";
+
+export function createRuntimeIMessage(): PluginRuntimeChannel["imessage"] {
+  return {
+    monitorIMessageProvider,
+    probeIMessage,
+    sendMessageIMessage,
+  };
+}
diff --git a/src/plugins/runtime/runtime-signal.ts b/src/plugins/runtime/runtime-signal.ts
new file mode 100644
index 00000000000..2465ecbdbbc
--- /dev/null
+++ b/src/plugins/runtime/runtime-signal.ts
@@ -0,0 +1,14 @@
+import { monitorSignalProvider } from "../../../extensions/signal/src/index.js";
+import { probeSignal } from "../../../extensions/signal/src/probe.js";
+import { sendMessageSignal } from "../../../extensions/signal/src/send.js";
+import { signalMessageActions } from "../../channels/plugins/actions/signal.js";
+import type { PluginRuntimeChannel } from "./types-channel.js";
+
+export function createRuntimeSignal(): PluginRuntimeChannel["signal"] {
+  return {
+    probeSignal,
+    sendMessageSignal,
+    monitorSignalProvider,
+    messageActions: signalMessageActions,
+  };
+}
diff --git a/src/plugins/runtime/runtime-slack-ops.runtime.ts b/src/plugins/runtime/runtime-slack-ops.runtime.ts
new file mode 100644
index 00000000000..e22662c3b7f
--- /dev/null
+++ b/src/plugins/runtime/runtime-slack-ops.runtime.ts
@@ -0,0 +1,10 @@
+export {
+  listSlackDirectoryGroupsLive,
+  listSlackDirectoryPeersLive,
+} from "../../../extensions/slack/src/directory-live.js";
+export { monitorSlackProvider } from "../../../extensions/slack/src/index.js";
+export { probeSlack } from "../../../extensions/slack/src/probe.js";
+export { resolveSlackChannelAllowlist } from "../../../extensions/slack/src/resolve-channels.js";
+export { resolveSlackUserAllowlist } from "../../../extensions/slack/src/resolve-users.js";
+export { sendMessageSlack } from "../../../extensions/slack/src/send.js";
+export { handleSlackAction } from "../../agents/tools/slack-actions.js";
diff --git a/src/plugins/runtime/runtime-slack.ts b/src/plugins/runtime/runtime-slack.ts
new file mode 100644
index 00000000000..9579aed4c1b
--- /dev/null
+++ b/src/plugins/runtime/runtime-slack.ts
@@ -0,0 +1,71 @@
+import type { PluginRuntimeChannel } from "./types-channel.js";
+
+let runtimeSlackOpsPromise: Promise<typeof import("./runtime-slack-ops.runtime.js")> | null = null;
+
+function loadRuntimeSlackOps() {
+  runtimeSlackOpsPromise ??= import("./runtime-slack-ops.runtime.js");
+  return runtimeSlackOpsPromise;
+}
+
+const listDirectoryGroupsLiveLazy: PluginRuntimeChannel["slack"]["listDirectoryGroupsLive"] =
+  async (...args) => {
+    const { listSlackDirectoryGroupsLive } = await loadRuntimeSlackOps();
+    return listSlackDirectoryGroupsLive(...args);
+  };
+
+const listDirectoryPeersLiveLazy: PluginRuntimeChannel["slack"]["listDirectoryPeersLive"] = async (
+  ...args
+) => {
+  const { listSlackDirectoryPeersLive } = await loadRuntimeSlackOps();
+  return listSlackDirectoryPeersLive(...args);
+};
+
+const probeSlackLazy: PluginRuntimeChannel["slack"]["probeSlack"] = async (...args) => {
+  const { probeSlack } = await loadRuntimeSlackOps();
+  return probeSlack(...args);
+};
+
+const resolveChannelAllowlistLazy: PluginRuntimeChannel["slack"]["resolveChannelAllowlist"] =
+  async (...args) => {
+    const { resolveSlackChannelAllowlist } = await loadRuntimeSlackOps();
+    return resolveSlackChannelAllowlist(...args);
+  };
+
+const resolveUserAllowlistLazy: PluginRuntimeChannel["slack"]["resolveUserAllowlist"] = async (
+  ...args
+) => {
+  const { resolveSlackUserAllowlist } = await loadRuntimeSlackOps();
+  return resolveSlackUserAllowlist(...args);
+};
+
+const sendMessageSlackLazy: PluginRuntimeChannel["slack"]["sendMessageSlack"] = async (...args) => {
+  const { sendMessageSlack } = await loadRuntimeSlackOps();
+  return sendMessageSlack(...args);
+};
+
+const monitorSlackProviderLazy: PluginRuntimeChannel["slack"]["monitorSlackProvider"] = async (
+  ...args
+) => {
+  const { monitorSlackProvider } = await loadRuntimeSlackOps();
+  return monitorSlackProvider(...args);
+};
+
+const handleSlackActionLazy: PluginRuntimeChannel["slack"]["handleSlackAction"] = async (
+  ...args
+) => {
+  const { handleSlackAction } = await loadRuntimeSlackOps();
+  return handleSlackAction(...args);
+};
+
+export function createRuntimeSlack(): PluginRuntimeChannel["slack"] {
+  return {
+    listDirectoryGroupsLive: listDirectoryGroupsLiveLazy,
+    listDirectoryPeersLive: listDirectoryPeersLiveLazy,
+    probeSlack: probeSlackLazy,
+    resolveChannelAllowlist: resolveChannelAllowlistLazy,
+    resolveUserAllowlist: resolveUserAllowlistLazy,
+    sendMessageSlack: sendMessageSlackLazy,
+    monitorSlackProvider: monitorSlackProviderLazy,
+    handleSlackAction: handleSlackActionLazy,
+  };
+}
diff --git a/src/plugins/runtime/runtime-telegram-ops.runtime.ts b/src/plugins/runtime/runtime-telegram-ops.runtime.ts
new file mode 100644
index 00000000000..dc463625b4f
--- /dev/null
+++ b/src/plugins/runtime/runtime-telegram-ops.runtime.ts
@@ -0,0 +1,18 @@
+export {
+  auditTelegramGroupMembership,
+  collectTelegramUnmentionedGroupIds,
+} from "../../../extensions/telegram/src/audit.js";
+export { monitorTelegramProvider } from "../../../extensions/telegram/src/monitor.js";
+export { probeTelegram } from "../../../extensions/telegram/src/probe.js";
+export {
+  deleteMessageTelegram,
+  editMessageReplyMarkupTelegram,
+  editMessageTelegram,
+  pinMessageTelegram,
+  renameForumTopicTelegram,
+  sendMessageTelegram,
+  sendPollTelegram,
+  sendTypingTelegram,
+  unpinMessageTelegram,
+} from "../../../extensions/telegram/src/send.js";
+export { resolveTelegramToken } from "../../../extensions/telegram/src/token.js";
diff --git a/src/plugins/runtime/runtime-telegram.ts b/src/plugins/runtime/runtime-telegram.ts
new file mode 100644
index 00000000000..22061a7e00d
--- /dev/null
+++ b/src/plugins/runtime/runtime-telegram.ts
@@ -0,0 +1,136 @@
+import { collectTelegramUnmentionedGroupIds } from "../../../extensions/telegram/src/audit.js";
+import { telegramMessageActions } from "../../../extensions/telegram/src/channel-actions.js";
+import {
+  setTelegramThreadBindingIdleTimeoutBySessionKey,
+  setTelegramThreadBindingMaxAgeBySessionKey,
+} from "../../../extensions/telegram/src/thread-bindings.js";
+import { resolveTelegramToken } from "../../../extensions/telegram/src/token.js";
+import { createTelegramTypingLease } from "./runtime-telegram-typing.js";
+import type { PluginRuntimeChannel } from "./types-channel.js";
+
+let runtimeTelegramOpsPromise: Promise<typeof import("./runtime-telegram-ops.runtime.js")> | null =
+  null;
+
+function loadRuntimeTelegramOps() {
+  runtimeTelegramOpsPromise ??= import("./runtime-telegram-ops.runtime.js");
+  return runtimeTelegramOpsPromise;
+}
+
+const auditGroupMembershipLazy: PluginRuntimeChannel["telegram"]["auditGroupMembership"] = async (
+  ...args
+) => {
+  const { auditTelegramGroupMembership } = await loadRuntimeTelegramOps();
+  return auditTelegramGroupMembership(...args);
+};
+
+const probeTelegramLazy: PluginRuntimeChannel["telegram"]["probeTelegram"] = async (...args) => {
+  const { probeTelegram } = await loadRuntimeTelegramOps();
+  return probeTelegram(...args);
+};
+
+const sendMessageTelegramLazy: PluginRuntimeChannel["telegram"]["sendMessageTelegram"] = async (
+  ...args
+) => {
+  const { sendMessageTelegram } = await loadRuntimeTelegramOps();
+  return sendMessageTelegram(...args);
+};
+
+const sendPollTelegramLazy: PluginRuntimeChannel["telegram"]["sendPollTelegram"] = async (
+  ...args
+) => {
+  const { sendPollTelegram } = await loadRuntimeTelegramOps();
+  return sendPollTelegram(...args);
+};
+
+const monitorTelegramProviderLazy: PluginRuntimeChannel["telegram"]["monitorTelegramProvider"] =
+  async (...args) => {
+    const { monitorTelegramProvider } = await loadRuntimeTelegramOps();
+    return monitorTelegramProvider(...args);
+  };
+
+const sendTypingTelegramLazy: PluginRuntimeChannel["telegram"]["typing"]["pulse"] = async (
+  ...args
+) => {
+  const { sendTypingTelegram } = await loadRuntimeTelegramOps();
+  return sendTypingTelegram(...args);
+};
+
+const editMessageTelegramLazy: PluginRuntimeChannel["telegram"]["conversationActions"]["editMessage"] =
+  async (...args) => {
+    const { editMessageTelegram } = await loadRuntimeTelegramOps();
+    return editMessageTelegram(...args);
+  };
+
+const editMessageReplyMarkupTelegramLazy: PluginRuntimeChannel["telegram"]["conversationActions"]["editReplyMarkup"] =
+  async (...args) => {
+    const { editMessageReplyMarkupTelegram } = await loadRuntimeTelegramOps();
+    return editMessageReplyMarkupTelegram(...args);
+  };
+
+const deleteMessageTelegramLazy: PluginRuntimeChannel["telegram"]["conversationActions"]["deleteMessage"] =
+  async (...args) => {
+    const { deleteMessageTelegram } = await loadRuntimeTelegramOps();
+    return deleteMessageTelegram(...args);
+  };
+
+const renameForumTopicTelegramLazy: PluginRuntimeChannel["telegram"]["conversationActions"]["renameTopic"] =
+  async (...args) => {
+    const { renameForumTopicTelegram } = await loadRuntimeTelegramOps();
+    return renameForumTopicTelegram(...args);
+  };
+
+const pinMessageTelegramLazy: PluginRuntimeChannel["telegram"]["conversationActions"]["pinMessage"] =
+  async (...args) => {
+    const { pinMessageTelegram } = await loadRuntimeTelegramOps();
+    return pinMessageTelegram(...args);
+  };
+
+const unpinMessageTelegramLazy: PluginRuntimeChannel["telegram"]["conversationActions"]["unpinMessage"] =
+  async (...args) => {
+    const { unpinMessageTelegram } = await loadRuntimeTelegramOps();
+    return unpinMessageTelegram(...args);
+  };
+
+export function createRuntimeTelegram(): PluginRuntimeChannel["telegram"] {
+  return {
+    auditGroupMembership: auditGroupMembershipLazy,
+    collectUnmentionedGroupIds: collectTelegramUnmentionedGroupIds,
+    probeTelegram: probeTelegramLazy,
+    resolveTelegramToken,
+    sendMessageTelegram: sendMessageTelegramLazy,
+    sendPollTelegram: sendPollTelegramLazy,
+    monitorTelegramProvider: monitorTelegramProviderLazy,
+    messageActions: telegramMessageActions,
+    threadBindings: {
+      setIdleTimeoutBySessionKey: setTelegramThreadBindingIdleTimeoutBySessionKey,
+      setMaxAgeBySessionKey: setTelegramThreadBindingMaxAgeBySessionKey,
+    },
+    typing: {
+      pulse: sendTypingTelegramLazy,
+      start: async ({ to, accountId, cfg, intervalMs, messageThreadId }) =>
+        await createTelegramTypingLease({
+          to,
+          accountId,
+          cfg,
+          intervalMs,
+          messageThreadId,
+          pulse: async ({ to, accountId, cfg, messageThreadId }) =>
+            await sendTypingTelegramLazy(to, {
+              accountId,
+              cfg,
+              messageThreadId,
+            }),
+        }),
+    },
+    conversationActions: {
+      editMessage: editMessageTelegramLazy,
+      editReplyMarkup: editMessageReplyMarkupTelegramLazy,
+      clearReplyMarkup: async (chatIdInput, messageIdInput, opts = {}) =>
+        await editMessageReplyMarkupTelegramLazy(chatIdInput, messageIdInput, [], opts),
+      deleteMessage: deleteMessageTelegramLazy,
+      renameTopic: renameForumTopicTelegramLazy,
+      pinMessage: pinMessageTelegramLazy,
+      unpinMessage: unpinMessageTelegramLazy,
+    },
+  };
+}
diff --git a/src/plugins/runtime/types-channel.ts b/src/plugins/runtime/types-channel.ts
index f2e775b7275..f8e6e095ef5 100644
--- a/src/plugins/runtime/types-channel.ts
+++ b/src/plugins/runtime/types-channel.ts
@@ -87,7 +87,7 @@ export type PluginRuntimeChannel = {
     shouldHandleTextCommands: typeof import("../../auto-reply/commands-registry.js").shouldHandleTextCommands;
   };
   discord: {
-    messageActions: typeof import("../../channels/plugins/actions/discord.js").discordMessageActions;
+    messageActions: typeof import("../../../extensions/discord/src/channel-actions.js").discordMessageActions;
     auditChannelPermissions: typeof import("../../../extensions/discord/src/audit.js").auditDiscordChannelPermissions;
     listDirectoryGroupsLive: typeof import("../../../extensions/discord/src/directory-live.js").listDiscordDirectoryGroupsLive;
     listDirectoryPeersLive: typeof import("../../../extensions/discord/src/directory-live.js").listDiscordDirectoryPeersLive;
@@ -98,6 +98,16 @@ export type PluginRuntimeChannel = {
     sendMessageDiscord: typeof import("../../../extensions/discord/src/send.js").sendMessageDiscord;
     sendPollDiscord: typeof import("../../../extensions/discord/src/send.js").sendPollDiscord;
     monitorDiscordProvider: typeof import("../../../extensions/discord/src/monitor.js").monitorDiscordProvider;
+    threadBindings: {
+      getManager: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").getThreadBindingManager;
+      resolveIdleTimeoutMs: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").resolveThreadBindingIdleTimeoutMs;
+      resolveInactivityExpiresAt: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").resolveThreadBindingInactivityExpiresAt;
+      resolveMaxAgeMs: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").resolveThreadBindingMaxAgeMs;
+      resolveMaxAgeExpiresAt: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").resolveThreadBindingMaxAgeExpiresAt;
+      setIdleTimeoutBySessionKey: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").setThreadBindingIdleTimeoutBySessionKey;
+      setMaxAgeBySessionKey: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").setThreadBindingMaxAgeBySessionKey;
+      unbindBySessionKey: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").unbindThreadBindingsBySessionKey;
+    };
     typing: {
       pulse: typeof import("../../../extensions/discord/src/send.js").sendTypingDiscord;
       start: (params: {
@@ -137,7 +147,11 @@ export type PluginRuntimeChannel = {
     sendMessageTelegram: typeof import("../../../extensions/telegram/src/send.js").sendMessageTelegram;
     sendPollTelegram: typeof import("../../../extensions/telegram/src/send.js").sendPollTelegram;
     monitorTelegramProvider: typeof import("../../../extensions/telegram/src/monitor.js").monitorTelegramProvider;
-    messageActions: typeof import("../../channels/plugins/actions/telegram.js").telegramMessageActions;
+    messageActions: typeof import("../../../extensions/telegram/src/channel-actions.js").telegramMessageActions;
+    threadBindings: {
+      setIdleTimeoutBySessionKey: typeof import("../../../extensions/telegram/src/thread-bindings.js").setTelegramThreadBindingIdleTimeoutBySessionKey;
+      setMaxAgeBySessionKey: typeof import("../../../extensions/telegram/src/thread-bindings.js").setTelegramThreadBindingMaxAgeBySessionKey;
+    };
     typing: {
       pulse: typeof import("../../../extensions/telegram/src/send.js").sendTypingTelegram;
       start: (params: {
diff --git a/src/plugins/types.ts b/src/plugins/types.ts
index 6b26dfd8fe6..b9b6e801214 100644
--- a/src/plugins/types.ts
+++ b/src/plugins/types.ts
@@ -9,12 +9,13 @@ import type {
   ApiKeyCredential,
   AuthProfileCredential,
   OAuthCredential,
+  AuthProfileStore,
 } from "../agents/auth-profiles/types.js";
+import type { ModelCatalogEntry } from "../agents/model-catalog.js";
 import type { ProviderCapabilities } from "../agents/provider-capabilities.js";
 import type { AnyAgentTool } from "../agents/tools/common.js";
 import type { ThinkLevel } from "../auto-reply/thinking.js";
 import type { ReplyPayload } from "../auto-reply/types.js";
-import type { ChannelDock } from "../channels/dock.js";
 import type { ChannelId, ChannelPlugin } from "../channels/plugins/types.js";
 import type { createVpsAwareOAuthHandlers } from "../commands/oauth-flow.js";
 import type { OnboardOptions } from "../commands/onboard-types.js";
@@ -25,6 +26,7 @@ import type { InternalHookHandler } from "../hooks/internal-hooks.js";
 import type { HookEntry } from "../hooks/types.js";
 import type { ProviderUsageSnapshot } from "../infra/provider-usage.types.js";
 import type { RuntimeEnv } from "../runtime.js";
+import type { RuntimeWebSearchMetadata } from "../secrets/runtime-web-tools.types.js";
 import type { WizardPrompter } from "../wizard/prompts.js";
 import type { PluginRuntime } from "./runtime/types.js";
 
@@ -105,6 +107,13 @@ export type ProviderAuthKind = "oauth" | "api_key" | "token" | "device_code" | "
 
 export type ProviderAuthResult = {
   profiles: Array<{ profileId: string; credential: AuthProfileCredential }>;
+  /**
+   * Optional config patch to merge after credentials are written.
+   *
+   * Use this for provider-owned onboarding defaults such as
+   * `models.providers.<id>` entries, default aliases, or agent model helpers.
+   * The caller still persists auth-profile bindings separately.
+   */
   configPatch?: Partial<OpenClawConfig>;
   defaultModel?: string;
   notes?: string[];
@@ -116,6 +125,32 @@ export type ProviderAuthContext = {
   workspaceDir?: string;
   prompter: WizardPrompter;
   runtime: RuntimeEnv;
+  /**
+   * Optional onboarding CLI options that triggered this auth flow.
+   *
+   * Present for setup/configure/auth-choice flows so provider methods can
+   * honor preseeded flags like `--openai-api-key` or generic
+   * `--token/--token-provider` pairs. Direct `models auth login` usually
+   * leaves this undefined.
+   */
+  opts?: Partial<OnboardOptions>;
+  /**
+   * Onboarding secret persistence preference.
+   *
+   * Interactive wizard flows set this when the caller explicitly requested
+   * plaintext or env/file/exec ref storage. Ad-hoc `models auth login` flows
+   * usually leave it undefined.
+   */
+  secretInputMode?: OnboardOptions["secretInputMode"];
+  /**
+   * Whether the provider auth flow should offer the onboarding secret-storage
+   * mode picker when `secretInputMode` is unset.
+   *
+   * This is true for onboarding/configure flows and false for direct
+   * `models auth` commands, which should keep a tighter, provider-owned prompt
+   * surface.
+   */
+  allowSecretRefPrompt?: boolean;
   isRemote: boolean;
   openUrl: (url: string) => Promise<void>;
   oauth: {
@@ -167,6 +202,14 @@ export type ProviderAuthMethod = {
   label: string;
   hint?: string;
   kind: ProviderAuthKind;
+  /**
+   * Optional wizard/onboarding metadata for this specific auth method.
+   *
+   * Use this when one provider exposes multiple setup entries (for example API
+   * key + OAuth, or region-specific login flows). OpenClaw uses this to expose
+   * method-specific auth choices while keeping the provider id stable.
+   */
+  wizard?: ProviderPluginWizardSetup;
   run: (ctx: ProviderAuthContext) => Promise<ProviderAuthResult>;
   runNonInteractive?: (
     ctx: ProviderAuthMethodNonInteractiveContext,
@@ -335,8 +378,6 @@ export type ProviderResolvedUsageAuth = {
  * This hook runs after `resolveUsageAuth` succeeds. Core still owns summary
  * fan-out, timeout wrapping, filtering, and formatting; the provider plugin
  * owns the provider-specific HTTP request + response normalization.
- *
- * Return `null`/`undefined` to fall back to legacy core fetchers.
  */
 export type ProviderFetchUsageSnapshotContext = {
   config: OpenClawConfig;
@@ -350,6 +391,20 @@ export type ProviderFetchUsageSnapshotContext = {
   fetchFn: typeof fetch;
 };
 
+/**
+ * Provider-owned auth-doctor hint input.
+ *
+ * Called when OAuth refresh fails and OpenClaw wants a provider-specific repair
+ * hint to append to the generic re-auth message. Use this for legacy profile-id
+ * migrations or other provider-owned auth-store cleanup guidance.
+ */
+export type ProviderAuthDoctorHintContext = {
+  config?: OpenClawConfig;
+  store: AuthProfileStore;
+  provider: string;
+  profileId?: string;
+};
+
 /**
  * Provider-owned extra-param normalization before OpenClaw builds its generic
  * stream option wrapper.
@@ -389,6 +444,93 @@ export type ProviderCacheTtlEligibilityContext = {
   modelId: string;
 };
 
+/**
+ * Provider-owned missing-auth message override.
+ *
+ * Runs only after OpenClaw exhausts normal env/profile/config auth resolution
+ * for the requested provider. Return a custom message to replace the generic
+ * "No API key found" error.
+ */
+export type ProviderBuildMissingAuthMessageContext = {
+  config?: OpenClawConfig;
+  agentDir?: string;
+  workspaceDir?: string;
+  env: NodeJS.ProcessEnv;
+  provider: string;
+  listProfileIds: (providerId: string) => string[];
+};
+
+/**
+ * Built-in model suppression hook.
+ *
+ * Use this when a provider/plugin needs to hide stale upstream catalog rows or
+ * replace them with a vendor-specific hint. This hook is consulted by model
+ * resolution, model listing, and catalog loading.
+ */
+export type ProviderBuiltInModelSuppressionContext = {
+  config?: OpenClawConfig;
+  agentDir?: string;
+  workspaceDir?: string;
+  env: NodeJS.ProcessEnv;
+  provider: string;
+  modelId: string;
+};
+
+export type ProviderBuiltInModelSuppressionResult = {
+  suppress: boolean;
+  errorMessage?: string;
+};
+
+/**
+ * Provider-owned thinking policy input.
+ *
+ * Used by shared `/think`, ACP controls, and directive parsing to ask a
+ * provider whether a model supports special reasoning UX such as xhigh or a
+ * binary on/off toggle.
+ */
+export type ProviderThinkingPolicyContext = {
+  provider: string;
+  modelId: string;
+};
+
+/**
+ * Provider-owned default thinking policy input.
+ *
+ * `reasoning` is the merged catalog hint for the selected model when one is
+ * available. Providers can use it to keep "reasoning model => low" behavior
+ * without re-reading the catalog themselves.
+ */
+export type ProviderDefaultThinkingPolicyContext = ProviderThinkingPolicyContext & {
+  reasoning?: boolean;
+};
+
+/**
+ * Provider-owned "modern model" policy input.
+ *
+ * Live smoke/model-profile selection uses this to keep provider-specific
+ * inclusion/exclusion rules out of core.
+ */
+export type ProviderModernModelPolicyContext = {
+  provider: string;
+  modelId: string;
+};
+
+/**
+ * Final catalog augmentation hook.
+ *
+ * Runs after OpenClaw loads the discovered model catalog and merges configured
+ * opt-in providers. Use this for forward-compat rows or vendor-owned synthetic
+ * entries that should appear in `models list` and model pickers even when the
+ * upstream registry has not caught up yet.
+ */
+export type ProviderAugmentModelCatalogContext = {
+  config?: OpenClawConfig;
+  agentDir?: string;
+  workspaceDir?: string;
+  env: NodeJS.ProcessEnv;
+  entries: ModelCatalogEntry[];
+};
+
 /**
  * @deprecated Use ProviderCatalogOrder.
  */
@@ -409,7 +551,7 @@ export type ProviderDiscoveryResult = ProviderCatalogResult;
  */
 export type ProviderPluginDiscovery = ProviderPluginCatalog;
 
-export type ProviderPluginWizardOnboarding = {
+export type ProviderPluginWizardSetup = {
   choiceId?: string;
   choiceLabel?: string;
   choiceHint?: string;
@@ -417,6 +559,18 @@ export type ProviderPluginWizardOnboarding = {
   groupLabel?: string;
   groupHint?: string;
   methodId?: string;
+  /**
+   * Optional model-allowlist prompt policy applied after this auth choice is
+   * selected in configure/onboarding flows.
+   *
+   * Keep this UI-facing and static. Provider logic that needs runtime state
+   * should stay in `run`/`runNonInteractive`.
+   */
+  modelAllowlist?: {
+    allowedKeys?: string[];
+    initialSelections?: string[];
+    message?: string;
+  };
 };
 
 export type ProviderPluginWizardModelPicker = {
@@ -426,7 +580,7 @@ export type ProviderPluginWizardModelPicker = {
 };
 
 export type ProviderPluginWizard = {
-  onboarding?: ProviderPluginWizardOnboarding;
+  setup?: ProviderPluginWizardSetup;
   modelPicker?: ProviderPluginWizardModelPicker;
 };
 
@@ -444,6 +598,12 @@ export type ProviderPlugin = {
   label: string;
   docsPath?: string;
   aliases?: string[];
+  /**
+   * Provider-related env vars shown in setup/search/help surfaces.
+   *
+   * Keep entries in preferred display order. This can include direct auth env
+   * vars or setup inputs such as OAuth client id/secret vars.
+   */
   envVars?: string[];
   auth: ProviderAuthMethod[];
   /**
@@ -529,10 +689,9 @@ export type ProviderPlugin = {
   /**
    * Usage/billing auth resolution hook.
    *
-   * Called by provider-usage surfaces (`/usage`, status snapshots, reporting)
-   * before OpenClaw falls back to legacy core auth resolution. Use this when a
-   * provider's usage endpoint needs provider-owned token extraction, blob
-   * parsing, or alias handling.
+   * Called by provider-usage surfaces (`/usage`, status snapshots, reporting).
+   * Use this when a provider's usage endpoint needs provider-owned token
+   * extraction, blob parsing, or alias handling.
    */
   resolveUsageAuth?: (
     ctx: ProviderResolveUsageAuthContext,
@@ -559,12 +718,137 @@ export type ProviderPlugin = {
    * only a subset of upstream models.
    */
   isCacheTtlEligible?: (ctx: ProviderCacheTtlEligibilityContext) => boolean | undefined;
+  /**
+   * Provider-owned missing-auth message override.
+   *
+   * Return a custom message when the provider wants a more specific recovery
+   * hint than OpenClaw's generic auth-store guidance.
+   */
+  buildMissingAuthMessage?: (
+    ctx: ProviderBuildMissingAuthMessageContext,
+  ) => string | null | undefined;
+  /**
+   * Provider-owned built-in model suppression.
+   *
+   * Return `{ suppress: true }` to hide a stale upstream row. Include
+   * `errorMessage` when OpenClaw should surface a provider-specific hint for
+   * direct model resolution failures.
+   */
+  suppressBuiltInModel?: (
+    ctx: ProviderBuiltInModelSuppressionContext,
+  ) => ProviderBuiltInModelSuppressionResult | null | undefined;
+  /**
+   * Provider-owned final catalog augmentation.
+   *
+   * Return extra rows to append to the final catalog after discovery/config
+   * merging. OpenClaw deduplicates by `provider/id`, so plugins only need to
+   * describe the desired supplemental rows.
+   */
+  augmentModelCatalog?: (
+    ctx: ProviderAugmentModelCatalogContext,
+  ) =>
+    | Array<ModelCatalogEntry>
+    | ReadonlyArray<ModelCatalogEntry>
+    | Promise<Array<ModelCatalogEntry> | ReadonlyArray<ModelCatalogEntry> | null | undefined>
+    | null
+    | undefined;
+  /**
+   * Provider-owned binary thinking toggle.
+   *
+   * Return true when the provider exposes a coarse on/off reasoning control
+   * instead of the normal multi-level ladder shown by `/think`.
+   */
+  isBinaryThinking?: (ctx: ProviderThinkingPolicyContext) => boolean | undefined;
+  /**
+   * Provider-owned xhigh reasoning support.
+   *
+   * Return true only for models that should expose the `xhigh` thinking level.
+   */
+  supportsXHighThinking?: (ctx: ProviderThinkingPolicyContext) => boolean | undefined;
+  /**
+   * Provider-owned default thinking level.
+   *
+   * Use this to keep model-family defaults (for example Claude 4.6 =>
+   * adaptive) out of core command logic.
+   */
+  resolveDefaultThinkingLevel?: (
+    ctx: ProviderDefaultThinkingPolicyContext,
+  ) => "off" | "minimal" | "low" | "medium" | "high" | "xhigh" | "adaptive" | null | undefined;
+  /**
+   * Provider-owned "modern model" matcher used by live profile/smoke filters.
+   *
+   * Return true when the given provider/model ref should be treated as a
+   * preferred modern model candidate.
+   */
+  isModernModelRef?: (ctx: ProviderModernModelPolicyContext) => boolean | undefined;
   wizard?: ProviderPluginWizard;
+  /**
+   * Provider-owned auth-profile API-key formatter.
+   *
+   * OpenClaw uses this when a stored auth profile is already valid and needs to
+   * be converted into the runtime `apiKey` string expected by the provider. Use
+   * this for providers whose auth profile stores extra metadata alongside the
+   * bearer token (for example Gemini CLI's `{ token, projectId }` payload).
+   */
   formatApiKey?: (cred: AuthProfileCredential) => string;
+  /**
+   * Legacy auth-profile ids that should be retired by `openclaw doctor`.
+   *
+   * Use this when a provider plugin replaces an older core-managed profile id
+   * and wants cleanup/migration messaging to live with the provider instead of
+   * in hardcoded doctor tables.
+   */
+  deprecatedProfileIds?: string[];
+  /**
+   * Provider-owned OAuth refresh.
+   *
+   * OpenClaw calls this before falling back to the shared `pi-ai` OAuth
+   * refreshers. Use it when the provider has a custom refresh endpoint, or when
+   * the provider needs custom refresh-failure behavior that should stay out of
+   * core auth-profile code.
+   */
   refreshOAuth?: (cred: OAuthCredential) => Promise<OAuthCredential>;
+  /**
+   * Provider-owned auth-doctor hint.
+   *
+   * Return a multiline repair hint when OAuth refresh fails and the provider
+   * wants to steer users toward a specific auth-profile migration or recovery
+   * path. Return nothing to keep OpenClaw's generic error text.
+   */
+  buildAuthDoctorHint?: (
+    ctx: ProviderAuthDoctorHintContext,
+  ) => string | Promise<string | null | undefined> | null | undefined;
   onModelSelected?: (ctx: ProviderModelSelectedContext) => Promise<void>;
 };
 
+export type WebSearchProviderId = string;
+
+export type WebSearchProviderToolDefinition = {
+  description: string;
+  parameters: Record<string, unknown>;
+  execute: (args: Record<string, unknown>) => Promise<Record<string, unknown>>;
+};
+
+export type WebSearchProviderContext = {
+  config?: OpenClawConfig;
+  searchConfig?: Record<string, unknown>;
+  runtimeMetadata?: RuntimeWebSearchMetadata;
+};
+
+export type WebSearchProviderPlugin = {
+  id: WebSearchProviderId;
+  label: string;
+  hint: string;
+  envVars: string[];
+  placeholder: string;
+  signupUrl: string;
+  docsUrl?: string;
+  autoDetectOrder?: number;
+  getCredentialValue: (searchConfig?: Record<string, unknown>) => unknown;
+  setCredentialValue: (searchConfigTarget: Record<string, unknown>, value: unknown) => void;
+  createTool: (ctx: WebSearchProviderContext) => WebSearchProviderToolDefinition | null;
+};
+
 export type OpenClawPluginGatewayMethod = {
   method: string;
   handler: GatewayRequestHandler;
@@ -676,7 +960,7 @@ export type OpenClawPluginCommandDefinition = {
   handler: PluginCommandHandler;
 };
 
-export type PluginInteractiveChannel = "telegram" | "discord";
+export type PluginInteractiveChannel = "telegram" | "discord" | "slack";
 
 export type PluginInteractiveButtons = Array<
   Array<{ text: string; callback_data: string; style?: "danger" | "success" | "primary" }>
@@ -761,6 +1045,53 @@ export type PluginInteractiveDiscordHandlerContext = {
   getCurrentConversationBinding: () => Promise<PluginConversationBinding | null>;
 };
 
+export type PluginInteractiveSlackHandlerResult = {
+  handled?: boolean;
+} | void;
+
+export type PluginInteractiveSlackHandlerContext = {
+  channel: "slack";
+  accountId: string;
+  interactionId: string;
+  conversationId: string;
+  parentConversationId?: string;
+  senderId?: string;
+  senderUsername?: string;
+  threadId?: string;
+  auth: {
+    isAuthorizedSender: boolean;
+  };
+  interaction: {
+    kind: "button" | "select";
+    data: string;
+    namespace: string;
+    payload: string;
+    actionId: string;
+    blockId?: string;
+    messageTs?: string;
+    threadTs?: string;
+    value?: string;
+    selectedValues?: string[];
+    selectedLabels?: string[];
+    triggerId?: string;
+    responseUrl?: string;
+  };
+  respond: {
+    acknowledge: () => Promise<void>;
+    reply: (params: { text: string; responseType?: "ephemeral" | "in_channel" }) => Promise<void>;
+    followUp: (params: {
+      text: string;
+      responseType?: "ephemeral" | "in_channel";
+    }) => Promise<void>;
+    editMessage: (params: { text?: string; blocks?: unknown[] }) => Promise<void>;
+  };
+  requestConversationBinding: (
+    params?: PluginConversationBindingRequestParams,
+  ) => Promise<PluginConversationBindingRequestResult>;
+  detachConversationBinding: () => Promise<{ removed: boolean }>;
+  getCurrentConversationBinding: () => Promise<PluginConversationBinding | null>;
+};
+
 export type PluginInteractiveTelegramHandlerRegistration = {
   channel: "telegram";
   namespace: string;
@@ -777,9 +1108,18 @@ export type PluginInteractiveDiscordHandlerRegistration = {
   ) => Promise<PluginInteractiveDiscordHandlerResult> | PluginInteractiveDiscordHandlerResult;
 };
 
+export type PluginInteractiveSlackHandlerRegistration = {
+  channel: "slack";
+  namespace: string;
+  handler: (
+    ctx: PluginInteractiveSlackHandlerContext,
+  ) => Promise<PluginInteractiveSlackHandlerResult> | PluginInteractiveSlackHandlerResult;
+};
+
 export type PluginInteractiveHandlerRegistration =
   | PluginInteractiveTelegramHandlerRegistration
-  | PluginInteractiveDiscordHandlerRegistration;
+  | PluginInteractiveDiscordHandlerRegistration
+  | PluginInteractiveSlackHandlerRegistration;
 
 export type OpenClawPluginHttpRouteAuth = "gateway" | "plugin";
 export type OpenClawPluginHttpRouteMatch = "exact" | "prefix";
@@ -821,7 +1161,6 @@ export type OpenClawPluginService = {
 
 export type OpenClawPluginChannelRegistration = {
   plugin: ChannelPlugin;
-  dock?: ChannelDock;
 };
 
 export type OpenClawPluginDefinition = {
@@ -839,6 +1178,8 @@ export type OpenClawPluginModule =
   | OpenClawPluginDefinition
   | ((api: OpenClawPluginApi) => void | Promise<void>);
 
+export type PluginRegistrationMode = "full" | "setup-only" | "setup-runtime";
+
 export type OpenClawPluginApi = {
   id: string;
   name: string;
@@ -846,6 +1187,7 @@ export type OpenClawPluginApi = {
   description?: string;
   source: string;
   rootDir?: string;
+  registrationMode: PluginRegistrationMode;
   config: OpenClawConfig;
   pluginConfig?: Record<string, unknown>;
   runtime: PluginRuntime;
@@ -865,6 +1207,7 @@ export type OpenClawPluginApi = {
   registerCli: (registrar: OpenClawPluginCliRegistrar, opts?: { commands?: string[] }) => void;
   registerService: (service: OpenClawPluginService) => void;
   registerProvider: (provider: ProviderPlugin) => void;
+  registerWebSearchProvider: (provider: WebSearchProviderPlugin) => void;
   registerInteractiveHandler: (registration: PluginInteractiveHandlerRegistration) => void;
   /**
    * Register a custom command that bypasses the LLM agent.
diff --git a/src/plugins/update.test.ts b/src/plugins/update.test.ts
index 4d3b72ed65d..e3c21e8d7ef 100644
--- a/src/plugins/update.test.ts
+++ b/src/plugins/update.test.ts
@@ -1,6 +1,7 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 
 const installPluginFromNpmSpecMock = vi.fn();
+const installPluginFromMarketplaceMock = vi.fn();
 const resolveBundledPluginSourcesMock = vi.fn();
 
 vi.mock("./install.js", () => ({
@@ -11,6 +12,10 @@ vi.mock("./install.js", () => ({
   },
 }));
 
+vi.mock("./marketplace.js", () => ({
+  installPluginFromMarketplace: (...args: unknown[]) => installPluginFromMarketplaceMock(...args),
+}));
+
 vi.mock("./bundled-sources.js", () => ({
   resolveBundledPluginSources: (...args: unknown[]) => resolveBundledPluginSourcesMock(...args),
 }));
@@ -18,6 +23,7 @@ vi.mock("./bundled-sources.js", () => ({
 describe("updateNpmInstalledPlugins", () => {
   beforeEach(() => {
     installPluginFromNpmSpecMock.mockReset();
+    installPluginFromMarketplaceMock.mockReset();
     resolveBundledPluginSourcesMock.mockReset();
   });
 
@@ -213,6 +219,95 @@ describe("updateNpmInstalledPlugins", () => {
     });
     expect(result.config.plugins?.installs?.["voice-call"]).toBeUndefined();
   });
+
+  it("checks marketplace installs during dry-run updates", async () => {
+    installPluginFromMarketplaceMock.mockResolvedValue({
+      ok: true,
+      pluginId: "claude-bundle",
+      targetDir: "/tmp/claude-bundle",
+      version: "1.2.0",
+      extensions: ["index.ts"],
+      marketplaceSource: "vincentkoc/claude-marketplace",
+      marketplacePlugin: "claude-bundle",
+    });
+
+    const { updateNpmInstalledPlugins } = await import("./update.js");
+    const result = await updateNpmInstalledPlugins({
+      config: {
+        plugins: {
+          installs: {
+            "claude-bundle": {
+              source: "marketplace",
+              marketplaceSource: "vincentkoc/claude-marketplace",
+              marketplacePlugin: "claude-bundle",
+              installPath: "/tmp/claude-bundle",
+            },
+          },
+        },
+      },
+      pluginIds: ["claude-bundle"],
+      dryRun: true,
+    });
+
+    expect(installPluginFromMarketplaceMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        marketplace: "vincentkoc/claude-marketplace",
+        plugin: "claude-bundle",
+        expectedPluginId: "claude-bundle",
+        dryRun: true,
+      }),
+    );
+    expect(result.outcomes).toEqual([
+      {
+        pluginId: "claude-bundle",
+        status: "updated",
+        currentVersion: undefined,
+        nextVersion: "1.2.0",
+        message: "Would update claude-bundle: unknown -> 1.2.0.",
+      },
+    ]);
+  });
+
+  it("updates marketplace installs and preserves source metadata", async () => {
+    installPluginFromMarketplaceMock.mockResolvedValue({
+      ok: true,
+      pluginId: "claude-bundle",
+      targetDir: "/tmp/claude-bundle",
+      version: "1.3.0",
+      extensions: ["index.ts"],
+      marketplaceName: "Vincent's Claude Plugins",
+      marketplaceSource: "vincentkoc/claude-marketplace",
+      marketplacePlugin: "claude-bundle",
+    });
+
+    const { updateNpmInstalledPlugins } = await import("./update.js");
+    const result = await updateNpmInstalledPlugins({
+      config: {
+        plugins: {
+          installs: {
+            "claude-bundle": {
+              source: "marketplace",
+              marketplaceName: "Vincent's Claude Plugins",
+              marketplaceSource: "vincentkoc/claude-marketplace",
+              marketplacePlugin: "claude-bundle",
+              installPath: "/tmp/claude-bundle",
+            },
+          },
+        },
+      },
+      pluginIds: ["claude-bundle"],
+    });
+
+    expect(result.changed).toBe(true);
+    expect(result.config.plugins?.installs?.["claude-bundle"]).toMatchObject({
+      source: "marketplace",
+      installPath: "/tmp/claude-bundle",
+      version: "1.3.0",
+      marketplaceName: "Vincent's Claude Plugins",
+      marketplaceSource: "vincentkoc/claude-marketplace",
+      marketplacePlugin: "claude-bundle",
+    });
+  });
 });
 
 describe("syncPluginsForUpdateChannel", () => {
diff --git a/src/plugins/update.ts b/src/plugins/update.ts
index af6434e84cc..83733159cac 100644
--- a/src/plugins/update.ts
+++ b/src/plugins/update.ts
@@ -12,6 +12,7 @@ import {
   resolvePluginInstallDir,
 } from "./install.js";
 import { buildNpmResolutionInstallFields, recordPluginInstall } from "./installs.js";
+import { installPluginFromMarketplace } from "./marketplace.js";
 
 export type PluginUpdateLogger = {
   info?: (message: string) => void;
@@ -70,6 +71,19 @@ function formatNpmInstallFailure(params: {
   return `Failed to ${params.phase} ${params.pluginId}: ${params.result.error}`;
 }
 
+function formatMarketplaceInstallFailure(params: {
+  pluginId: string;
+  marketplaceSource: string;
+  marketplacePlugin: string;
+  phase: "check" | "update";
+  error: string;
+}): string {
+  return (
+    `Failed to ${params.phase} ${params.pluginId}: ` +
+    `${params.error} (marketplace plugin ${params.marketplacePlugin} from ${params.marketplaceSource}).`
+  );
+}
+
 type InstallIntegrityDrift = {
   spec: string;
   expectedIntegrity: string;
@@ -306,7 +320,7 @@ export async function updateNpmInstalledPlugins(params: {
       continue;
     }
 
-    if (record.source !== "npm") {
+    if (record.source !== "npm" && record.source !== "marketplace") {
       outcomes.push({
         pluginId,
         status: "skipped",
@@ -315,7 +329,7 @@ export async function updateNpmInstalledPlugins(params: {
       continue;
     }
 
-    if (!record.spec) {
+    if (record.source === "npm" && !record.spec) {
       outcomes.push({
         pluginId,
         status: "skipped",
@@ -324,6 +338,18 @@ export async function updateNpmInstalledPlugins(params: {
       continue;
     }
 
+    if (
+      record.source === "marketplace" &&
+      (!record.marketplaceSource || !record.marketplacePlugin)
+    ) {
+      outcomes.push({
+        pluginId,
+        status: "skipped",
+        message: `Skipping "${pluginId}" (missing marketplace source metadata).`,
+      });
+      continue;
+    }
+
     let installPath: string;
     try {
       installPath = record.installPath ?? resolvePluginInstallDir(pluginId);
@@ -338,22 +364,34 @@ export async function updateNpmInstalledPlugins(params: {
     const currentVersion = await readInstalledPackageVersion(installPath);
 
     if (params.dryRun) {
-      let probe: Awaited<ReturnType<typeof installPluginFromNpmSpec>>;
+      let probe:
+        | Awaited<ReturnType<typeof installPluginFromNpmSpec>>
+        | Awaited<ReturnType<typeof installPluginFromMarketplace>>;
       try {
-        probe = await installPluginFromNpmSpec({
-          spec: record.spec,
-          mode: "update",
-          dryRun: true,
-          expectedPluginId: pluginId,
-          expectedIntegrity: expectedIntegrityForUpdate(record.spec, record.integrity),
-          onIntegrityDrift: createPluginUpdateIntegrityDriftHandler({
-            pluginId,
-            dryRun: true,
-            logger,
-            onIntegrityDrift: params.onIntegrityDrift,
-          }),
-          logger,
-        });
+        probe =
+          record.source === "npm"
+            ? await installPluginFromNpmSpec({
+                spec: record.spec!,
+                mode: "update",
+                dryRun: true,
+                expectedPluginId: pluginId,
+                expectedIntegrity: expectedIntegrityForUpdate(record.spec, record.integrity),
+                onIntegrityDrift: createPluginUpdateIntegrityDriftHandler({
+                  pluginId,
+                  dryRun: true,
+                  logger,
+                  onIntegrityDrift: params.onIntegrityDrift,
+                }),
+                logger,
+              })
+            : await installPluginFromMarketplace({
+                marketplace: record.marketplaceSource!,
+                plugin: record.marketplacePlugin!,
+                mode: "update",
+                dryRun: true,
+                expectedPluginId: pluginId,
+                logger,
+              });
       } catch (err) {
         outcomes.push({
           pluginId,
@@ -366,12 +404,21 @@ export async function updateNpmInstalledPlugins(params: {
         outcomes.push({
           pluginId,
           status: "error",
-          message: formatNpmInstallFailure({
-            pluginId,
-            spec: record.spec,
-            phase: "check",
-            result: probe,
-          }),
+          message:
+            record.source === "npm"
+              ? formatNpmInstallFailure({
+                  pluginId,
+                  spec: record.spec!,
+                  phase: "check",
+                  result: probe,
+                })
+              : formatMarketplaceInstallFailure({
+                  pluginId,
+                  marketplaceSource: record.marketplaceSource!,
+                  marketplacePlugin: record.marketplacePlugin!,
+                  phase: "check",
+                  error: probe.error,
+                }),
         });
         continue;
       }
@@ -398,21 +445,32 @@ export async function updateNpmInstalledPlugins(params: {
       continue;
     }
 
-    let result: Awaited<ReturnType<typeof installPluginFromNpmSpec>>;
+    let result:
+      | Awaited<ReturnType<typeof installPluginFromNpmSpec>>
+      | Awaited<ReturnType<typeof installPluginFromMarketplace>>;
     try {
-      result = await installPluginFromNpmSpec({
-        spec: record.spec,
-        mode: "update",
-        expectedPluginId: pluginId,
-        expectedIntegrity: expectedIntegrityForUpdate(record.spec, record.integrity),
-        onIntegrityDrift: createPluginUpdateIntegrityDriftHandler({
-          pluginId,
-          dryRun: false,
-          logger,
-          onIntegrityDrift: params.onIntegrityDrift,
-        }),
-        logger,
-      });
+      result =
+        record.source === "npm"
+          ? await installPluginFromNpmSpec({
+              spec: record.spec!,
+              mode: "update",
+              expectedPluginId: pluginId,
+              expectedIntegrity: expectedIntegrityForUpdate(record.spec, record.integrity),
+              onIntegrityDrift: createPluginUpdateIntegrityDriftHandler({
+                pluginId,
+                dryRun: false,
+                logger,
+                onIntegrityDrift: params.onIntegrityDrift,
+              }),
+              logger,
+            })
+          : await installPluginFromMarketplace({
+              marketplace: record.marketplaceSource!,
+              plugin: record.marketplacePlugin!,
+              mode: "update",
+              expectedPluginId: pluginId,
+              logger,
+            });
     } catch (err) {
       outcomes.push({
         pluginId,
@@ -425,12 +483,21 @@ export async function updateNpmInstalledPlugins(params: {
       outcomes.push({
         pluginId,
         status: "error",
-        message: formatNpmInstallFailure({
-          pluginId,
-          spec: record.spec,
-          phase: "update",
-          result: result,
-        }),
+        message:
+          record.source === "npm"
+            ? formatNpmInstallFailure({
+                pluginId,
+                spec: record.spec!,
+                phase: "update",
+                result: result,
+              })
+            : formatMarketplaceInstallFailure({
+                pluginId,
+                marketplaceSource: record.marketplaceSource!,
+                marketplacePlugin: record.marketplacePlugin!,
+                phase: "update",
+                error: result.error,
+              }),
       });
       continue;
     }
@@ -441,14 +508,30 @@ export async function updateNpmInstalledPlugins(params: {
     }
 
     const nextVersion = result.version ?? (await readInstalledPackageVersion(result.targetDir));
-    next = recordPluginInstall(next, {
-      pluginId: resolvedPluginId,
-      source: "npm",
-      spec: record.spec,
-      installPath: result.targetDir,
-      version: nextVersion,
-      ...buildNpmResolutionInstallFields(result.npmResolution),
-    });
+    if (record.source === "npm") {
+      next = recordPluginInstall(next, {
+        pluginId: resolvedPluginId,
+        source: "npm",
+        spec: record.spec,
+        installPath: result.targetDir,
+        version: nextVersion,
+        ...buildNpmResolutionInstallFields(result.npmResolution),
+      });
+    } else {
+      const marketplaceResult = result as Extract<
+        Awaited<ReturnType<typeof installPluginFromMarketplace>>,
+        { ok: true }
+      >;
+      next = recordPluginInstall(next, {
+        pluginId: resolvedPluginId,
+        source: "marketplace",
+        installPath: result.targetDir,
+        version: nextVersion,
+        marketplaceName: marketplaceResult.marketplaceName ?? record.marketplaceName,
+        marketplaceSource: record.marketplaceSource,
+        marketplacePlugin: record.marketplacePlugin,
+      });
+    }
     changed = true;
 
     const currentLabel = currentVersion ?? "unknown";
diff --git a/src/plugins/web-search-providers.test.ts b/src/plugins/web-search-providers.test.ts
new file mode 100644
index 00000000000..26c9f847bf9
--- /dev/null
+++ b/src/plugins/web-search-providers.test.ts
@@ -0,0 +1,134 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { resolvePluginWebSearchProviders } from "./web-search-providers.js";
+
+const loadOpenClawPluginsMock = vi.fn();
+
+vi.mock("./loader.js", () => ({
+  loadOpenClawPlugins: (...args: unknown[]) => loadOpenClawPluginsMock(...args),
+}));
+
+describe("resolvePluginWebSearchProviders", () => {
+  beforeEach(() => {
+    loadOpenClawPluginsMock.mockReset();
+    loadOpenClawPluginsMock.mockReturnValue({
+      webSearchProviders: [
+        {
+          pluginId: "google",
+          provider: {
+            id: "gemini",
+            label: "Gemini",
+            hint: "hint",
+            envVars: ["GEMINI_API_KEY"],
+            placeholder: "AIza...",
+            signupUrl: "https://example.com",
+            autoDetectOrder: 20,
+          },
+        },
+        {
+          pluginId: "brave",
+          provider: {
+            id: "brave",
+            label: "Brave",
+            hint: "hint",
+            envVars: ["BRAVE_API_KEY"],
+            placeholder: "BSA...",
+            signupUrl: "https://example.com",
+            autoDetectOrder: 10,
+          },
+        },
+      ],
+    });
+  });
+
+  it("forwards an explicit env to plugin loading", () => {
+    const env = { OPENCLAW_HOME: "/srv/openclaw-home" } as NodeJS.ProcessEnv;
+
+    const providers = resolvePluginWebSearchProviders({
+      workspaceDir: "/workspace/explicit",
+      env,
+    });
+
+    expect(providers.map((provider) => provider.id)).toEqual(["brave", "gemini"]);
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        workspaceDir: "/workspace/explicit",
+        env,
+      }),
+    );
+  });
+
+  it("can augment restrictive allowlists for bundled compatibility", () => {
+    resolvePluginWebSearchProviders({
+      config: {
+        plugins: {
+          allow: ["openrouter"],
+        },
+      },
+      bundledAllowlistCompat: true,
+    });
+
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        config: expect.objectContaining({
+          plugins: expect.objectContaining({
+            allow: expect.arrayContaining(["openrouter", "brave", "perplexity"]),
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("auto-enables bundled web search provider plugins when entries are missing", () => {
+    resolvePluginWebSearchProviders({
+      config: {
+        plugins: {
+          entries: {
+            openrouter: { enabled: true },
+          },
+        },
+      },
+    });
+
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        config: expect.objectContaining({
+          plugins: expect.objectContaining({
+            entries: expect.objectContaining({
+              openrouter: { enabled: true },
+              brave: { enabled: true },
+              firecrawl: { enabled: true },
+              google: { enabled: true },
+              moonshot: { enabled: true },
+              perplexity: { enabled: true },
+              xai: { enabled: true },
+            }),
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("preserves explicit bundled provider entry state", () => {
+    resolvePluginWebSearchProviders({
+      config: {
+        plugins: {
+          entries: {
+            perplexity: { enabled: false },
+          },
+        },
+      },
+    });
+
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        config: expect.objectContaining({
+          plugins: expect.objectContaining({
+            entries: expect.objectContaining({
+              perplexity: { enabled: false },
+            }),
+          }),
+        }),
+      }),
+    );
+  });
+});
diff --git a/src/plugins/web-search-providers.ts b/src/plugins/web-search-providers.ts
new file mode 100644
index 00000000000..c44bb6f2a93
--- /dev/null
+++ b/src/plugins/web-search-providers.ts
@@ -0,0 +1,60 @@
+import { createSubsystemLogger } from "../logging/subsystem.js";
+import {
+  withBundledPluginAllowlistCompat,
+  withBundledPluginEnablementCompat,
+} from "./bundled-compat.js";
+import { loadOpenClawPlugins, type PluginLoadOptions } from "./loader.js";
+import { createPluginLoaderLogger } from "./logger.js";
+import type { WebSearchProviderPlugin } from "./types.js";
+
+const log = createSubsystemLogger("plugins");
+
+const BUNDLED_WEB_SEARCH_ALLOWLIST_COMPAT_PLUGIN_IDS = [
+  "brave",
+  "firecrawl",
+  "google",
+  "moonshot",
+  "perplexity",
+  "xai",
+] as const;
+
+export function resolvePluginWebSearchProviders(params: {
+  config?: PluginLoadOptions["config"];
+  workspaceDir?: string;
+  env?: PluginLoadOptions["env"];
+  bundledAllowlistCompat?: boolean;
+}): WebSearchProviderPlugin[] {
+  const allowlistCompat = params.bundledAllowlistCompat
+    ? withBundledPluginAllowlistCompat({
+        config: params.config,
+        pluginIds: BUNDLED_WEB_SEARCH_ALLOWLIST_COMPAT_PLUGIN_IDS,
+      })
+    : params.config;
+  const config = withBundledPluginEnablementCompat({
+    config: allowlistCompat,
+    pluginIds: BUNDLED_WEB_SEARCH_ALLOWLIST_COMPAT_PLUGIN_IDS,
+  });
+  const registry = loadOpenClawPlugins({
+    config,
+    workspaceDir: params.workspaceDir,
+    env: params.env,
+    logger: createPluginLoaderLogger(log),
+    activate: false,
+    cache: false,
+    onlyPluginIds: [...BUNDLED_WEB_SEARCH_ALLOWLIST_COMPAT_PLUGIN_IDS],
+  });
+
+  return registry.webSearchProviders
+    .map((entry) => ({
+      ...entry.provider,
+      pluginId: entry.pluginId,
+    }))
+    .toSorted((a, b) => {
+      const aOrder = a.autoDetectOrder ?? Number.MAX_SAFE_INTEGER;
+      const bOrder = b.autoDetectOrder ?? Number.MAX_SAFE_INTEGER;
+      if (aOrder !== bOrder) {
+        return aOrder - bOrder;
+      }
+      return a.id.localeCompare(b.id);
+    });
+}
diff --git a/src/providers/kilocode-shared.ts b/src/providers/kilocode-shared.ts
index a06ba873e54..0be37e44622 100644
--- a/src/providers/kilocode-shared.ts
+++ b/src/providers/kilocode-shared.ts
@@ -11,7 +11,7 @@ export type KilocodeModelCatalogEntry = {
   maxTokens?: number;
 };
 /**
- * Static fallback catalog — used by the sync onboarding path and as a
+ * Static fallback catalog — used by the sync setup path and as a
  * fallback when dynamic model discovery from the gateway API fails.
  * The full model list is fetched dynamically by {@link discoverKilocodeModels}
  * in `src/agents/kilocode-models.ts`.
diff --git a/src/secrets/provider-env-vars.test.ts b/src/secrets/provider-env-vars.test.ts
index 6e5b78f6643..6405d322e2f 100644
--- a/src/secrets/provider-env-vars.test.ts
+++ b/src/secrets/provider-env-vars.test.ts
@@ -10,10 +10,12 @@ describe("provider env vars", () => {
     expect(listKnownProviderAuthEnvVarNames()).toEqual(
       expect.arrayContaining(["GITHUB_TOKEN", "GH_TOKEN", "ANTHROPIC_OAUTH_TOKEN"]),
     );
-    expect(listKnownSecretEnvVarNames()).not.toEqual(listKnownProviderAuthEnvVarNames());
-    expect(listKnownSecretEnvVarNames()).not.toEqual(
+    expect(listKnownSecretEnvVarNames()).toEqual(
       expect.arrayContaining(["GITHUB_TOKEN", "GH_TOKEN", "ANTHROPIC_OAUTH_TOKEN"]),
     );
+    expect(listKnownProviderAuthEnvVarNames()).toEqual(
+      expect.arrayContaining(["MINIMAX_CODE_PLAN_KEY"]),
+    );
     expect(listKnownSecretEnvVarNames()).not.toContain("OPENCLAW_API_KEY");
   });
 
diff --git a/src/secrets/provider-env-vars.ts b/src/secrets/provider-env-vars.ts
index 88900893376..269b37d836a 100644
--- a/src/secrets/provider-env-vars.ts
+++ b/src/secrets/provider-env-vars.ts
@@ -1,50 +1,47 @@
-export const PROVIDER_ENV_VARS: Record<string, readonly string[]> = {
-  openai: ["OPENAI_API_KEY"],
-  anthropic: ["ANTHROPIC_API_KEY"],
-  google: ["GEMINI_API_KEY"],
-  minimax: ["MINIMAX_API_KEY"],
-  "minimax-cn": ["MINIMAX_API_KEY"],
-  moonshot: ["MOONSHOT_API_KEY"],
-  "kimi-coding": ["KIMI_API_KEY", "KIMICODE_API_KEY"],
-  synthetic: ["SYNTHETIC_API_KEY"],
-  venice: ["VENICE_API_KEY"],
-  zai: ["ZAI_API_KEY", "Z_AI_API_KEY"],
-  xiaomi: ["XIAOMI_API_KEY"],
-  openrouter: ["OPENROUTER_API_KEY"],
-  "cloudflare-ai-gateway": ["CLOUDFLARE_AI_GATEWAY_API_KEY"],
+import { BUNDLED_PROVIDER_AUTH_ENV_VAR_CANDIDATES } from "../plugins/bundled-provider-auth-env-vars.js";
+
+const CORE_PROVIDER_AUTH_ENV_VAR_CANDIDATES = {
+  chutes: ["CHUTES_OAUTH_TOKEN", "CHUTES_API_KEY"],
+  voyage: ["VOYAGE_API_KEY"],
+  groq: ["GROQ_API_KEY"],
+  deepgram: ["DEEPGRAM_API_KEY"],
+  cerebras: ["CEREBRAS_API_KEY"],
   litellm: ["LITELLM_API_KEY"],
-  "vercel-ai-gateway": ["AI_GATEWAY_API_KEY"],
-  opencode: ["OPENCODE_API_KEY", "OPENCODE_ZEN_API_KEY"],
-  "opencode-go": ["OPENCODE_API_KEY", "OPENCODE_ZEN_API_KEY"],
-  together: ["TOGETHER_API_KEY"],
-  huggingface: ["HUGGINGFACE_HUB_TOKEN", "HF_TOKEN"],
-  qianfan: ["QIANFAN_API_KEY"],
-  xai: ["XAI_API_KEY"],
-  mistral: ["MISTRAL_API_KEY"],
-  kilocode: ["KILOCODE_API_KEY"],
-  modelstudio: ["MODELSTUDIO_API_KEY"],
-  volcengine: ["VOLCANO_ENGINE_API_KEY"],
-  byteplus: ["BYTEPLUS_API_KEY"],
+} as const;
+
+const CORE_PROVIDER_SETUP_ENV_VAR_OVERRIDES = {
+  anthropic: ["ANTHROPIC_API_KEY", "ANTHROPIC_OAUTH_TOKEN"],
+  chutes: ["CHUTES_API_KEY", "CHUTES_OAUTH_TOKEN"],
+  "minimax-cn": ["MINIMAX_API_KEY"],
+} as const;
+
+/**
+ * Provider auth env candidates used by generic auth resolution.
+ *
+ * Order matters: the first non-empty value wins for helpers such as
+ * `resolveEnvApiKey()`. Bundled providers source this from plugin manifest
+ * metadata so auth probes do not need to load plugin runtime.
+ */
+export const PROVIDER_AUTH_ENV_VAR_CANDIDATES: Record<string, readonly string[]> = {
+  ...BUNDLED_PROVIDER_AUTH_ENV_VAR_CANDIDATES,
+  ...CORE_PROVIDER_AUTH_ENV_VAR_CANDIDATES,
 };
 
-const EXTRA_PROVIDER_AUTH_ENV_VARS = [
-  "VOYAGE_API_KEY",
-  "GROQ_API_KEY",
-  "DEEPGRAM_API_KEY",
-  "CEREBRAS_API_KEY",
-  "NVIDIA_API_KEY",
-  "COPILOT_GITHUB_TOKEN",
-  "GH_TOKEN",
-  "GITHUB_TOKEN",
-  "ANTHROPIC_OAUTH_TOKEN",
-  "CHUTES_OAUTH_TOKEN",
-  "CHUTES_API_KEY",
-  "QWEN_OAUTH_TOKEN",
-  "QWEN_PORTAL_API_KEY",
-  "MINIMAX_OAUTH_TOKEN",
-  "OLLAMA_API_KEY",
-  "VLLM_API_KEY",
-] as const;
+/**
+ * Provider env vars used for setup/default secret refs and broad secret
+ * scrubbing. This can include non-model providers and may intentionally choose
+ * a different preferred first env var than auth resolution.
+ *
+ * Bundled provider auth envs come from plugin manifests. The override map here
+ * is only for true core/non-plugin providers and a few setup-specific ordering
+ * overrides where generic onboarding wants a different preferred env var.
+ */
+export const PROVIDER_ENV_VARS: Record<string, readonly string[]> = {
+  ...PROVIDER_AUTH_ENV_VAR_CANDIDATES,
+  ...CORE_PROVIDER_SETUP_ENV_VAR_OVERRIDES,
+};
+
+const EXTRA_PROVIDER_AUTH_ENV_VARS = ["MINIMAX_CODE_PLAN_KEY"] as const;
 
 const KNOWN_SECRET_ENV_VARS = [
   ...new Set(Object.values(PROVIDER_ENV_VARS).flatMap((keys) => keys)),
@@ -53,7 +50,11 @@ const KNOWN_SECRET_ENV_VARS = [
 // OPENCLAW_API_KEY authenticates the local OpenClaw bridge itself and must
 // remain available to child bridge/runtime processes.
 const KNOWN_PROVIDER_AUTH_ENV_VARS = [
-  ...new Set([...KNOWN_SECRET_ENV_VARS, ...EXTRA_PROVIDER_AUTH_ENV_VARS]),
+  ...new Set([
+    ...Object.values(PROVIDER_AUTH_ENV_VAR_CANDIDATES).flatMap((keys) => keys),
+    ...KNOWN_SECRET_ENV_VARS,
+    ...EXTRA_PROVIDER_AUTH_ENV_VARS,
+  ]),
 ];
 
 export function listKnownProviderAuthEnvVarNames(): string[] {
diff --git a/src/secrets/runtime-config-collectors-core.ts b/src/secrets/runtime-config-collectors-core.ts
index 99668371ad1..ef571b3f54f 100644
--- a/src/secrets/runtime-config-collectors-core.ts
+++ b/src/secrets/runtime-config-collectors-core.ts
@@ -313,6 +313,90 @@ function collectCronAssignments(params: {
   });
 }
 
+function collectSandboxSshAssignments(params: {
+  config: OpenClawConfig;
+  defaults: SecretDefaults | undefined;
+  context: ResolverContext;
+}): void {
+  const agents = isRecord(params.config.agents) ? params.config.agents : undefined;
+  if (!agents) {
+    return;
+  }
+  const defaultsAgent = isRecord(agents.defaults) ? agents.defaults : undefined;
+  const defaultsSandbox = isRecord(defaultsAgent?.sandbox) ? defaultsAgent.sandbox : undefined;
+  const defaultsSsh = isRecord(defaultsSandbox?.ssh)
+    ? (defaultsSandbox.ssh as Record<string, unknown>)
+    : undefined;
+  const defaultsBackend =
+    typeof defaultsSandbox?.backend === "string" ? defaultsSandbox.backend : undefined;
+  const defaultsMode = typeof defaultsSandbox?.mode === "string" ? defaultsSandbox.mode : undefined;
+
+  const inheritedDefaultsUsage = {
+    identityData: false,
+    certificateData: false,
+    knownHostsData: false,
+  };
+
+  const list = Array.isArray(agents.list) ? agents.list : [];
+  list.forEach((rawAgent, index) => {
+    const agentRecord = isRecord(rawAgent) ? (rawAgent as Record<string, unknown>) : null;
+    if (!agentRecord || agentRecord.enabled === false) {
+      return;
+    }
+    const sandbox = isRecord(agentRecord.sandbox) ? agentRecord.sandbox : undefined;
+    const ssh = isRecord(sandbox?.ssh) ? sandbox.ssh : undefined;
+    const effectiveBackend =
+      (typeof sandbox?.backend === "string" ? sandbox.backend : undefined) ??
+      defaultsBackend ??
+      "docker";
+    const effectiveMode =
+      (typeof sandbox?.mode === "string" ? sandbox.mode : undefined) ?? defaultsMode ?? "off";
+    const active = effectiveBackend.trim().toLowerCase() === "ssh" && effectiveMode !== "off";
+    for (const key of ["identityData", "certificateData", "knownHostsData"] as const) {
+      if (ssh && Object.prototype.hasOwnProperty.call(ssh, key)) {
+        collectSecretInputAssignment({
+          value: ssh[key],
+          path: `agents.list.${index}.sandbox.ssh.${key}`,
+          expected: "string",
+          defaults: params.defaults,
+          context: params.context,
+          active,
+          inactiveReason: "sandbox SSH backend is not active for this agent.",
+          apply: (value) => {
+            ssh[key] = value;
+          },
+        });
+      } else if (active) {
+        inheritedDefaultsUsage[key] = true;
+      }
+    }
+  });
+
+  if (!defaultsSsh) {
+    return;
+  }
+
+  const defaultsActive =
+    (defaultsBackend?.trim().toLowerCase() === "ssh" && defaultsMode !== "off") ||
+    inheritedDefaultsUsage.identityData ||
+    inheritedDefaultsUsage.certificateData ||
+    inheritedDefaultsUsage.knownHostsData;
+  for (const key of ["identityData", "certificateData", "knownHostsData"] as const) {
+    collectSecretInputAssignment({
+      value: defaultsSsh[key],
+      path: `agents.defaults.sandbox.ssh.${key}`,
+      expected: "string",
+      defaults: params.defaults,
+      context: params.context,
+      active: defaultsActive || inheritedDefaultsUsage[key],
+      inactiveReason: "sandbox SSH backend is not active.",
+      apply: (value) => {
+        defaultsSsh[key] = value;
+      },
+    });
+  }
+}
+
 export function collectCoreConfigAssignments(params: {
   config: OpenClawConfig;
   defaults: SecretDefaults | undefined;
@@ -339,6 +423,7 @@ export function collectCoreConfigAssignments(params: {
   collectAgentMemorySearchAssignments(params);
   collectTalkAssignments(params);
   collectGatewayAssignments(params);
+  collectSandboxSshAssignments(params);
   collectMessagesTtsAssignments(params);
   collectCronAssignments(params);
 }
diff --git a/src/secrets/runtime-web-tools.ts b/src/secrets/runtime-web-tools.ts
index 883aac6bd02..71b346cc462 100644
--- a/src/secrets/runtime-web-tools.ts
+++ b/src/secrets/runtime-web-tools.ts
@@ -1,5 +1,6 @@
 import type { OpenClawConfig } from "../config/config.js";
 import { resolveSecretInputRef } from "../config/types.secrets.js";
+import { resolvePluginWebSearchProviders } from "../plugins/web-search-providers.js";
 import { normalizeSecretInput } from "../utils/normalize-secret-input.js";
 import { secretRefKey } from "./ref-contract.js";
 import { resolveSecretRefValues } from "./resolve.js";
@@ -9,53 +10,28 @@ import {
   type ResolverContext,
   type SecretDefaults,
 } from "./runtime-shared.js";
+import type {
+  RuntimeWebDiagnostic,
+  RuntimeWebDiagnosticCode,
+  RuntimeWebFetchFirecrawlMetadata,
+  RuntimeWebSearchMetadata,
+  RuntimeWebToolsMetadata,
+} from "./runtime-web-tools.types.js";
 
-const WEB_SEARCH_PROVIDERS = ["brave", "gemini", "grok", "kimi", "perplexity"] as const;
 const PERPLEXITY_DIRECT_BASE_URL = "https://api.perplexity.ai";
 const DEFAULT_PERPLEXITY_BASE_URL = "https://openrouter.ai/api/v1";
 const PERPLEXITY_KEY_PREFIXES = ["pplx-"];
 const OPENROUTER_KEY_PREFIXES = ["sk-or-"];
 
-type WebSearchProvider = (typeof WEB_SEARCH_PROVIDERS)[number];
+type WebSearchProvider = string;
 
 type SecretResolutionSource = "config" | "secretRef" | "env" | "missing"; // pragma: allowlist secret
-type RuntimeWebProviderSource = "configured" | "auto-detect" | "none";
-
-export type RuntimeWebDiagnosticCode =
-  | "WEB_SEARCH_PROVIDER_INVALID_AUTODETECT"
-  | "WEB_SEARCH_AUTODETECT_SELECTED"
-  | "WEB_SEARCH_KEY_UNRESOLVED_FALLBACK_USED"
-  | "WEB_SEARCH_KEY_UNRESOLVED_NO_FALLBACK"
-  | "WEB_FETCH_FIRECRAWL_KEY_UNRESOLVED_FALLBACK_USED"
-  | "WEB_FETCH_FIRECRAWL_KEY_UNRESOLVED_NO_FALLBACK";
-
-export type RuntimeWebDiagnostic = {
-  code: RuntimeWebDiagnosticCode;
-  message: string;
-  path?: string;
-};
-
-export type RuntimeWebSearchMetadata = {
-  providerConfigured?: WebSearchProvider;
-  providerSource: RuntimeWebProviderSource;
-  selectedProvider?: WebSearchProvider;
-  selectedProviderKeySource?: SecretResolutionSource;
-  perplexityTransport?: "search_api" | "chat_completions";
-  diagnostics: RuntimeWebDiagnostic[];
-};
-
-export type RuntimeWebFetchFirecrawlMetadata = {
-  active: boolean;
-  apiKeySource: SecretResolutionSource;
-  diagnostics: RuntimeWebDiagnostic[];
-};
-
-export type RuntimeWebToolsMetadata = {
-  search: RuntimeWebSearchMetadata;
-  fetch: {
-    firecrawl: RuntimeWebFetchFirecrawlMetadata;
-  };
-  diagnostics: RuntimeWebDiagnostic[];
+export type {
+  RuntimeWebDiagnostic,
+  RuntimeWebDiagnosticCode,
+  RuntimeWebFetchFirecrawlMetadata,
+  RuntimeWebSearchMetadata,
+  RuntimeWebToolsMetadata,
 };
 
 type FetchConfig = NonNullable<OpenClawConfig["tools"]>["web"] extends infer Web
@@ -77,18 +53,15 @@ function isRecord(value: unknown): value is Record<string, unknown> {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 
-function normalizeProvider(value: unknown): WebSearchProvider | undefined {
+function normalizeProvider(
+  value: unknown,
+  providers: ReturnType<typeof resolvePluginWebSearchProviders>,
+): WebSearchProvider | undefined {
   if (typeof value !== "string") {
     return undefined;
   }
   const normalized = value.trim().toLowerCase();
-  if (
-    normalized === "brave" ||
-    normalized === "gemini" ||
-    normalized === "grok" ||
-    normalized === "kimi" ||
-    normalized === "perplexity"
-  ) {
+  if (providers.some((provider) => provider.id === normalized)) {
     return normalized;
   }
   return undefined;
@@ -293,16 +266,18 @@ function setResolvedWebSearchApiKey(params: {
   resolvedConfig: OpenClawConfig;
   provider: WebSearchProvider;
   value: string;
+  sourceConfig: OpenClawConfig;
+  env: NodeJS.ProcessEnv;
 }): void {
   const tools = ensureObject(params.resolvedConfig as Record<string, unknown>, "tools");
   const web = ensureObject(tools, "web");
   const search = ensureObject(web, "search");
-  if (params.provider === "brave") {
-    search.apiKey = params.value;
-    return;
-  }
-  const providerConfig = ensureObject(search, params.provider);
-  providerConfig.apiKey = params.value;
+  const provider = resolvePluginWebSearchProviders({
+    config: params.sourceConfig,
+    env: params.env,
+    bundledAllowlistCompat: true,
+  }).find((entry) => entry.id === params.provider);
+  provider?.setCredentialValue(search, params.value);
 }
 
 function setResolvedFirecrawlApiKey(params: {
@@ -316,34 +291,8 @@ function setResolvedFirecrawlApiKey(params: {
   firecrawl.apiKey = params.value;
 }
 
-function envVarsForProvider(provider: WebSearchProvider): string[] {
-  if (provider === "brave") {
-    return ["BRAVE_API_KEY"];
-  }
-  if (provider === "gemini") {
-    return ["GEMINI_API_KEY"];
-  }
-  if (provider === "grok") {
-    return ["XAI_API_KEY"];
-  }
-  if (provider === "kimi") {
-    return ["KIMI_API_KEY", "MOONSHOT_API_KEY"];
-  }
-  return ["PERPLEXITY_API_KEY", "OPENROUTER_API_KEY"];
-}
-
-function resolveProviderKeyValue(
-  search: Record<string, unknown>,
-  provider: WebSearchProvider,
-): unknown {
-  if (provider === "brave") {
-    return search.apiKey;
-  }
-  const scoped = search[provider];
-  if (!isRecord(scoped)) {
-    return undefined;
-  }
-  return scoped.apiKey;
+function keyPathForProvider(provider: WebSearchProvider): string {
+  return provider === "brave" ? "tools.web.search.apiKey" : `tools.web.search.${provider}.apiKey`;
 }
 
 function hasConfiguredSecretRef(value: unknown, defaults: SecretDefaults | undefined): boolean {
@@ -366,6 +315,11 @@ export async function resolveRuntimeWebTools(params: {
   const tools = isRecord(params.sourceConfig.tools) ? params.sourceConfig.tools : undefined;
   const web = isRecord(tools?.web) ? tools.web : undefined;
   const search = isRecord(web?.search) ? web.search : undefined;
+  const providers = resolvePluginWebSearchProviders({
+    config: params.sourceConfig,
+    env: params.context.env,
+    bundledAllowlistCompat: true,
+  });
 
   const searchMetadata: RuntimeWebSearchMetadata = {
     providerSource: "none",
@@ -375,7 +329,7 @@ export async function resolveRuntimeWebTools(params: {
   const searchEnabled = search?.enabled !== false;
   const rawProvider =
     typeof search?.provider === "string" ? search.provider.trim().toLowerCase() : "";
-  const configuredProvider = normalizeProvider(rawProvider);
+  const configuredProvider = normalizeProvider(rawProvider, providers);
 
   if (rawProvider && !configuredProvider) {
     const diagnostic: RuntimeWebDiagnostic = {
@@ -398,7 +352,9 @@ export async function resolveRuntimeWebTools(params: {
   }
 
   if (searchEnabled && search) {
-    const candidates = configuredProvider ? [configuredProvider] : [...WEB_SEARCH_PROVIDERS];
+    const candidates = configuredProvider
+      ? providers.filter((provider) => provider.id === configuredProvider)
+      : providers;
     const unresolvedWithoutFallback: Array<{
       provider: WebSearchProvider;
       path: string;
@@ -409,16 +365,15 @@ export async function resolveRuntimeWebTools(params: {
     let selectedResolution: SecretResolutionResult | undefined;
 
     for (const provider of candidates) {
-      const path =
-        provider === "brave" ? "tools.web.search.apiKey" : `tools.web.search.${provider}.apiKey`;
-      const value = resolveProviderKeyValue(search, provider);
+      const path = keyPathForProvider(provider.id);
+      const value = provider.getCredentialValue(search);
       const resolution = await resolveSecretInputWithEnvFallback({
         sourceConfig: params.sourceConfig,
         context: params.context,
         defaults,
         value,
         path,
-        envVars: envVarsForProvider(provider),
+        envVars: provider.envVars,
       });
 
       if (resolution.secretRefConfigured && resolution.fallbackUsedAfterRefFailure) {
@@ -440,32 +395,36 @@ export async function resolveRuntimeWebTools(params: {
 
       if (resolution.secretRefConfigured && !resolution.value && resolution.unresolvedRefReason) {
         unresolvedWithoutFallback.push({
-          provider,
+          provider: provider.id,
           path,
           reason: resolution.unresolvedRefReason,
         });
       }
 
       if (configuredProvider) {
-        selectedProvider = provider;
+        selectedProvider = provider.id;
         selectedResolution = resolution;
         if (resolution.value) {
           setResolvedWebSearchApiKey({
             resolvedConfig: params.resolvedConfig,
-            provider,
+            provider: provider.id,
             value: resolution.value,
+            sourceConfig: params.sourceConfig,
+            env: params.context.env,
           });
         }
         break;
       }
 
       if (resolution.value) {
-        selectedProvider = provider;
+        selectedProvider = provider.id;
         selectedResolution = resolution;
         setResolvedWebSearchApiKey({
           resolvedConfig: params.resolvedConfig,
-          provider,
+          provider: provider.id,
           value: resolution.value,
+          sourceConfig: params.sourceConfig,
+          env: params.context.env,
         });
         break;
       }
@@ -526,13 +485,12 @@ export async function resolveRuntimeWebTools(params: {
   }
 
   if (searchEnabled && search && !configuredProvider && searchMetadata.selectedProvider) {
-    for (const provider of WEB_SEARCH_PROVIDERS) {
-      if (provider === searchMetadata.selectedProvider) {
+    for (const provider of providers) {
+      if (provider.id === searchMetadata.selectedProvider) {
         continue;
       }
-      const path =
-        provider === "brave" ? "tools.web.search.apiKey" : `tools.web.search.${provider}.apiKey`;
-      const value = resolveProviderKeyValue(search, provider);
+      const path = keyPathForProvider(provider.id);
+      const value = provider.getCredentialValue(search);
       if (!hasConfiguredSecretRef(value, defaults)) {
         continue;
       }
@@ -543,10 +501,9 @@ export async function resolveRuntimeWebTools(params: {
       });
     }
   } else if (search && !searchEnabled) {
-    for (const provider of WEB_SEARCH_PROVIDERS) {
-      const path =
-        provider === "brave" ? "tools.web.search.apiKey" : `tools.web.search.${provider}.apiKey`;
-      const value = resolveProviderKeyValue(search, provider);
+    for (const provider of providers) {
+      const path = keyPathForProvider(provider.id);
+      const value = provider.getCredentialValue(search);
       if (!hasConfiguredSecretRef(value, defaults)) {
         continue;
       }
@@ -559,13 +516,12 @@ export async function resolveRuntimeWebTools(params: {
   }
 
   if (searchEnabled && search && configuredProvider) {
-    for (const provider of WEB_SEARCH_PROVIDERS) {
-      if (provider === configuredProvider) {
+    for (const provider of providers) {
+      if (provider.id === configuredProvider) {
         continue;
       }
-      const path =
-        provider === "brave" ? "tools.web.search.apiKey" : `tools.web.search.${provider}.apiKey`;
-      const value = resolveProviderKeyValue(search, provider);
+      const path = keyPathForProvider(provider.id);
+      const value = provider.getCredentialValue(search);
       if (!hasConfiguredSecretRef(value, defaults)) {
         continue;
       }
diff --git a/src/secrets/runtime-web-tools.types.ts b/src/secrets/runtime-web-tools.types.ts
new file mode 100644
index 00000000000..fe5fdb24cd0
--- /dev/null
+++ b/src/secrets/runtime-web-tools.types.ts
@@ -0,0 +1,36 @@
+export type RuntimeWebDiagnosticCode =
+  | "WEB_SEARCH_PROVIDER_INVALID_AUTODETECT"
+  | "WEB_SEARCH_AUTODETECT_SELECTED"
+  | "WEB_SEARCH_KEY_UNRESOLVED_FALLBACK_USED"
+  | "WEB_SEARCH_KEY_UNRESOLVED_NO_FALLBACK"
+  | "WEB_FETCH_FIRECRAWL_KEY_UNRESOLVED_FALLBACK_USED"
+  | "WEB_FETCH_FIRECRAWL_KEY_UNRESOLVED_NO_FALLBACK";
+
+export type RuntimeWebDiagnostic = {
+  code: RuntimeWebDiagnosticCode;
+  message: string;
+  path?: string;
+};
+
+export type RuntimeWebSearchMetadata = {
+  providerConfigured?: string;
+  providerSource: "configured" | "auto-detect" | "none";
+  selectedProvider?: string;
+  selectedProviderKeySource?: "config" | "secretRef" | "env" | "missing";
+  perplexityTransport?: "search_api" | "chat_completions";
+  diagnostics: RuntimeWebDiagnostic[];
+};
+
+export type RuntimeWebFetchFirecrawlMetadata = {
+  active: boolean;
+  apiKeySource: "config" | "secretRef" | "env" | "missing";
+  diagnostics: RuntimeWebDiagnostic[];
+};
+
+export type RuntimeWebToolsMetadata = {
+  search: RuntimeWebSearchMetadata;
+  fetch: {
+    firecrawl: RuntimeWebFetchFirecrawlMetadata;
+  };
+  diagnostics: RuntimeWebDiagnostic[];
+};
diff --git a/src/secrets/runtime.test.ts b/src/secrets/runtime.test.ts
index 47628f1bfe2..8e7e549ae51 100644
--- a/src/secrets/runtime.test.ts
+++ b/src/secrets/runtime.test.ts
@@ -221,6 +221,79 @@ describe("secrets runtime snapshot", () => {
     ).toEqual({ source: "env", provider: "default", id: "OPENAI_API_KEY" });
   });
 
+  it("resolves sandbox ssh secret refs for active ssh backends", async () => {
+    const snapshot = await prepareSecretsRuntimeSnapshot({
+      config: asConfig({
+        agents: {
+          defaults: {
+            sandbox: {
+              mode: "all",
+              backend: "ssh",
+              ssh: {
+                target: "peter@example.com:22",
+                identityData: { source: "env", provider: "default", id: "SSH_IDENTITY_DATA" },
+                certificateData: {
+                  source: "env",
+                  provider: "default",
+                  id: "SSH_CERTIFICATE_DATA",
+                },
+                knownHostsData: {
+                  source: "env",
+                  provider: "default",
+                  id: "SSH_KNOWN_HOSTS_DATA",
+                },
+              },
+            },
+          },
+        },
+      }),
+      env: {
+        SSH_IDENTITY_DATA: "PRIVATE KEY",
+        SSH_CERTIFICATE_DATA: "SSH CERT",
+        SSH_KNOWN_HOSTS_DATA: "example.com ssh-ed25519 AAAATEST",
+      },
+    });
+
+    expect(snapshot.config.agents?.defaults?.sandbox?.ssh).toMatchObject({
+      identityData: "PRIVATE KEY",
+      certificateData: "SSH CERT",
+      knownHostsData: "example.com ssh-ed25519 AAAATEST",
+    });
+  });
+
+  it("treats sandbox ssh secret refs as inactive when ssh backend is not selected", async () => {
+    const snapshot = await prepareSecretsRuntimeSnapshot({
+      config: asConfig({
+        agents: {
+          defaults: {
+            sandbox: {
+              mode: "all",
+              backend: "docker",
+              ssh: {
+                identityData: { source: "env", provider: "default", id: "SSH_IDENTITY_DATA" },
+              },
+            },
+          },
+        },
+      }),
+      env: {},
+    });
+
+    expect(snapshot.config.agents?.defaults?.sandbox?.ssh?.identityData).toEqual({
+      source: "env",
+      provider: "default",
+      id: "SSH_IDENTITY_DATA",
+    });
+    expect(snapshot.warnings).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({
+          code: "SECRETS_REF_IGNORED_INACTIVE_SURFACE",
+          path: "agents.defaults.sandbox.ssh.identityData",
+        }),
+      ]),
+    );
+  });
+
   it("normalizes inline SecretRef object on token to tokenRef", async () => {
     const config: OpenClawConfig = { models: {}, secrets: {} };
     const snapshot = await prepareSecretsRuntimeSnapshot({
diff --git a/src/security/audit-channel.collect.runtime.ts b/src/security/audit-channel.collect.runtime.ts
new file mode 100644
index 00000000000..6a33ff6a93a
--- /dev/null
+++ b/src/security/audit-channel.collect.runtime.ts
@@ -0,0 +1 @@
+export { collectChannelSecurityFindings } from "./audit-channel.js";
diff --git a/src/security/audit-channel.runtime.ts b/src/security/audit-channel.runtime.ts
new file mode 100644
index 00000000000..c3435fc2a64
--- /dev/null
+++ b/src/security/audit-channel.runtime.ts
@@ -0,0 +1,9 @@
+export { readChannelAllowFromStore } from "../pairing/pairing-store.js";
+export {
+  isDiscordMutableAllowEntry,
+  isZalouserMutableGroupEntry,
+} from "./mutable-allowlist-detectors.js";
+export {
+  isNumericTelegramUserId,
+  normalizeTelegramAllowFromEntry,
+} from "../plugin-sdk-internal/telegram.js";
diff --git a/src/security/audit-channel.ts b/src/security/audit-channel.ts
index ca0e69722e3..44b83c28cc3 100644
--- a/src/security/audit-channel.ts
+++ b/src/security/audit-channel.ts
@@ -1,7 +1,3 @@
-import {
-  isNumericTelegramUserId,
-  normalizeTelegramAllowFromEntry,
-} from "../../extensions/telegram/src/allow-from.js";
 import {
   hasConfiguredUnavailableCredentialStatus,
   hasResolvedCredentialValue,
@@ -14,14 +10,19 @@ import { formatCliCommand } from "../cli/command-format.js";
 import { resolveNativeCommandsEnabled, resolveNativeSkillsEnabled } from "../config/commands.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { isDangerousNameMatchingEnabled } from "../config/dangerous-name-matching.js";
-import { readChannelAllowFromStore } from "../pairing/pairing-store.js";
+import { formatErrorMessage } from "../infra/errors.js";
 import { normalizeStringEntries } from "../shared/string-normalization.js";
 import type { SecurityAuditFinding, SecurityAuditSeverity } from "./audit.js";
 import { resolveDmAllowState } from "./dm-policy-shared.js";
-import {
-  isDiscordMutableAllowEntry,
-  isZalouserMutableGroupEntry,
-} from "./mutable-allowlist-detectors.js";
+
+let auditChannelRuntimeModulePromise:
+  | Promise<typeof import("./audit-channel.runtime.js")>
+  | undefined;
+
+function loadAuditChannelRuntimeModule() {
+  auditChannelRuntimeModulePromise ??= import("./audit-channel.runtime.js");
+  return auditChannelRuntimeModulePromise;
+}
 
 function normalizeAllowFromList(list: Array<string | number> | undefined | null): string[] {
   return normalizeStringEntries(Array.isArray(list) ? list : undefined);
@@ -31,12 +32,13 @@ function addDiscordNameBasedEntries(params: {
   target: Set<string>;
   values: unknown;
   source: string;
+  isDiscordMutableAllowEntry: (value: string) => boolean;
 }): void {
   if (!Array.isArray(params.values)) {
     return;
   }
   for (const value of params.values) {
-    if (!isDiscordMutableAllowEntry(String(value))) {
+    if (!params.isDiscordMutableAllowEntry(String(value))) {
       continue;
     }
     const text = String(value).trim();
@@ -51,25 +53,28 @@ function addZalouserMutableGroupEntries(params: {
   target: Set<string>;
   groups: unknown;
   source: string;
+  isZalouserMutableGroupEntry: (value: string) => boolean;
 }): void {
   if (!params.groups || typeof params.groups !== "object" || Array.isArray(params.groups)) {
     return;
   }
   for (const key of Object.keys(params.groups as Record<string, unknown>)) {
-    if (!isZalouserMutableGroupEntry(key)) {
+    if (!params.isZalouserMutableGroupEntry(key)) {
       continue;
     }
     params.target.add(`${params.source}:${key}`);
   }
 }
 
-function collectInvalidTelegramAllowFromEntries(params: {
+async function collectInvalidTelegramAllowFromEntries(params: {
   entries: unknown;
   target: Set<string>;
-}): void {
+}): Promise<void> {
   if (!Array.isArray(params.entries)) {
     return;
   }
+  const { isNumericTelegramUserId, normalizeTelegramAllowFromEntry } =
+    await loadAuditChannelRuntimeModule();
   for (const entry of params.entries) {
     const normalized = normalizeTelegramAllowFromEntry(entry);
     if (!normalized || normalized === "*") {
@@ -143,17 +148,17 @@ export async function collectChannelSecurityFindings(params: {
   const findings: SecurityAuditFinding[] = [];
   const sourceConfig = params.sourceConfig ?? params.cfg;
 
-  const inspectChannelAccount = (
+  const inspectChannelAccount = async (
     plugin: (typeof params.plugins)[number],
     cfg: OpenClawConfig,
     accountId: string,
   ) =>
     plugin.config.inspectAccount?.(cfg, accountId) ??
-    inspectReadOnlyChannelAccount({
+    (await inspectReadOnlyChannelAccount({
       channelId: plugin.id,
       cfg,
       accountId,
-    });
+    }));
 
   const asAccountRecord = (value: unknown): Record<string, unknown> | null =>
     value && typeof value === "object" && !Array.isArray(value)
@@ -164,8 +169,9 @@ export async function collectChannelSecurityFindings(params: {
     plugin: (typeof params.plugins)[number],
     accountId: string,
   ) => {
-    const sourceInspectedAccount = inspectChannelAccount(plugin, sourceConfig, accountId);
-    const resolvedInspectedAccount = inspectChannelAccount(plugin, params.cfg, accountId);
+    const diagnostics: string[] = [];
+    const sourceInspectedAccount = await inspectChannelAccount(plugin, sourceConfig, accountId);
+    const resolvedInspectedAccount = await inspectChannelAccount(plugin, params.cfg, accountId);
     const sourceInspection = sourceInspectedAccount as {
       enabled?: boolean;
       configured?: boolean;
@@ -174,8 +180,27 @@ export async function collectChannelSecurityFindings(params: {
       enabled?: boolean;
       configured?: boolean;
     } | null;
-    const resolvedAccount =
-      resolvedInspectedAccount ?? plugin.config.resolveAccount(params.cfg, accountId);
+    let resolvedAccount = resolvedInspectedAccount;
+    if (!resolvedAccount) {
+      try {
+        resolvedAccount = plugin.config.resolveAccount(params.cfg, accountId);
+      } catch (error) {
+        diagnostics.push(
+          `${plugin.id}:${accountId}: failed to resolve account (${formatErrorMessage(error)}).`,
+        );
+      }
+    }
+    if (!resolvedAccount && sourceInspectedAccount) {
+      resolvedAccount = sourceInspectedAccount;
+    }
+    if (!resolvedAccount) {
+      return {
+        account: {},
+        enabled: false,
+        configured: false,
+        diagnostics,
+      };
+    }
     const useSourceUnavailableAccount = Boolean(
       sourceInspectedAccount &&
       hasConfiguredUnavailableCredentialStatus(sourceInspectedAccount) &&
@@ -185,23 +210,49 @@ export async function collectChannelSecurityFindings(params: {
     const account = useSourceUnavailableAccount ? sourceInspectedAccount : resolvedAccount;
     const selectedInspection = useSourceUnavailableAccount ? sourceInspection : resolvedInspection;
     const accountRecord = asAccountRecord(account);
-    const enabled =
+    let enabled =
       typeof selectedInspection?.enabled === "boolean"
         ? selectedInspection.enabled
         : typeof accountRecord?.enabled === "boolean"
           ? accountRecord.enabled
-          : plugin.config.isEnabled
-            ? plugin.config.isEnabled(account, params.cfg)
-            : true;
-    const configured =
+          : true;
+    if (
+      typeof selectedInspection?.enabled !== "boolean" &&
+      typeof accountRecord?.enabled !== "boolean" &&
+      plugin.config.isEnabled
+    ) {
+      try {
+        enabled = plugin.config.isEnabled(account, params.cfg);
+      } catch (error) {
+        enabled = false;
+        diagnostics.push(
+          `${plugin.id}:${accountId}: failed to evaluate enabled state (${formatErrorMessage(error)}).`,
+        );
+      }
+    }
+
+    let configured =
       typeof selectedInspection?.configured === "boolean"
         ? selectedInspection.configured
         : typeof accountRecord?.configured === "boolean"
           ? accountRecord.configured
-          : plugin.config.isConfigured
-            ? await plugin.config.isConfigured(account, params.cfg)
-            : true;
-    return { account, enabled, configured };
+          : true;
+    if (
+      typeof selectedInspection?.configured !== "boolean" &&
+      typeof accountRecord?.configured !== "boolean" &&
+      plugin.config.isConfigured
+    ) {
+      try {
+        configured = await plugin.config.isConfigured(account, params.cfg);
+      } catch (error) {
+        configured = false;
+        diagnostics.push(
+          `${plugin.id}:${accountId}: failed to evaluate configured state (${formatErrorMessage(error)}).`,
+        );
+      }
+    }
+
+    return { account, enabled, configured, diagnostics };
   };
 
   const coerceNativeSetting = (value: unknown): boolean | "auto" | undefined => {
@@ -298,7 +349,20 @@ export async function collectChannelSecurityFindings(params: {
         plugin.id,
         accountId,
       );
-      const { account, enabled, configured } = await resolveChannelAuditAccount(plugin, accountId);
+      const { account, enabled, configured, diagnostics } = await resolveChannelAuditAccount(
+        plugin,
+        accountId,
+      );
+      for (const diagnostic of diagnostics) {
+        findings.push({
+          checkId: `channels.${plugin.id}.account.read_only_resolution`,
+          severity: "warn",
+          title: `${plugin.meta.label ?? plugin.id} account could not be fully resolved`,
+          detail: diagnostic,
+          remediation:
+            "Ensure referenced secrets are available in this shell or run with a running gateway snapshot so security audit can inspect the full channel configuration.",
+        });
+      }
       if (!enabled) {
         continue;
       }
@@ -323,6 +387,8 @@ export async function collectChannelSecurityFindings(params: {
       }
 
       if (plugin.id === "discord") {
+        const { isDiscordMutableAllowEntry, readChannelAllowFromStore } =
+          await loadAuditChannelRuntimeModule();
         const discordCfg =
           (account as { config?: Record<string, unknown> } | null)?.config ??
           ({} as Record<string, unknown>);
@@ -341,16 +407,19 @@ export async function collectChannelSecurityFindings(params: {
           target: discordNameBasedAllowEntries,
           values: discordCfg.allowFrom,
           source: `${discordPathPrefix}.allowFrom`,
+          isDiscordMutableAllowEntry,
         });
         addDiscordNameBasedEntries({
           target: discordNameBasedAllowEntries,
           values: (discordCfg.dm as { allowFrom?: unknown } | undefined)?.allowFrom,
           source: `${discordPathPrefix}.dm.allowFrom`,
+          isDiscordMutableAllowEntry,
         });
         addDiscordNameBasedEntries({
           target: discordNameBasedAllowEntries,
           values: storeAllowFrom,
           source: "~/.openclaw/credentials/discord-allowFrom.json",
+          isDiscordMutableAllowEntry,
         });
         const discordGuildEntries =
           (discordCfg.guilds as Record<string, unknown> | undefined) ?? {};
@@ -363,6 +432,7 @@ export async function collectChannelSecurityFindings(params: {
             target: discordNameBasedAllowEntries,
             values: guild.users,
             source: `${discordPathPrefix}.guilds.${guildKey}.users`,
+            isDiscordMutableAllowEntry,
           });
           const channels = guild.channels;
           if (!channels || typeof channels !== "object") {
@@ -379,6 +449,7 @@ export async function collectChannelSecurityFindings(params: {
               target: discordNameBasedAllowEntries,
               values: channel.users,
               source: `${discordPathPrefix}.guilds.${guildKey}.channels.${channelKey}.users`,
+              isDiscordMutableAllowEntry,
             });
           }
         }
@@ -487,6 +558,7 @@ export async function collectChannelSecurityFindings(params: {
       }
 
       if (plugin.id === "zalouser") {
+        const { isZalouserMutableGroupEntry } = await loadAuditChannelRuntimeModule();
         const zalouserCfg =
           (account as { config?: Record<string, unknown> } | null)?.config ??
           ({} as Record<string, unknown>);
@@ -500,6 +572,7 @@ export async function collectChannelSecurityFindings(params: {
           target: mutableGroupEntries,
           groups: zalouserCfg.groups,
           source: `${zalouserPathPrefix}.groups`,
+          isZalouserMutableGroupEntry,
         });
         if (mutableGroupEntries.size > 0) {
           const examples = Array.from(mutableGroupEntries).slice(0, 5);
@@ -526,6 +599,7 @@ export async function collectChannelSecurityFindings(params: {
       }
 
       if (plugin.id === "slack") {
+        const { readChannelAllowFromStore } = await loadAuditChannelRuntimeModule();
         const slackCfg =
           (account as { config?: Record<string, unknown>; dm?: Record<string, unknown> } | null)
             ?.config ?? ({} as Record<string, unknown>);
@@ -664,6 +738,7 @@ export async function collectChannelSecurityFindings(params: {
         continue;
       }
 
+      const { readChannelAllowFromStore } = await loadAuditChannelRuntimeModule();
       const storeAllowFrom = await readChannelAllowFromStore(
         "telegram",
         process.env,
@@ -671,7 +746,7 @@ export async function collectChannelSecurityFindings(params: {
       ).catch(() => []);
       const storeHasWildcard = storeAllowFrom.some((v) => String(v).trim() === "*");
       const invalidTelegramAllowFromEntries = new Set<string>();
-      collectInvalidTelegramAllowFromEntries({
+      await collectInvalidTelegramAllowFromEntries({
         entries: storeAllowFrom,
         target: invalidTelegramAllowFromEntries,
       });
@@ -679,48 +754,50 @@ export async function collectChannelSecurityFindings(params: {
         ? telegramCfg.groupAllowFrom
         : [];
       const groupAllowFromHasWildcard = groupAllowFrom.some((v) => String(v).trim() === "*");
-      collectInvalidTelegramAllowFromEntries({
+      await collectInvalidTelegramAllowFromEntries({
         entries: groupAllowFrom,
         target: invalidTelegramAllowFromEntries,
       });
       const dmAllowFrom = Array.isArray(telegramCfg.allowFrom) ? telegramCfg.allowFrom : [];
-      collectInvalidTelegramAllowFromEntries({
+      await collectInvalidTelegramAllowFromEntries({
         entries: dmAllowFrom,
         target: invalidTelegramAllowFromEntries,
       });
-      const anyGroupOverride = Boolean(
-        groups &&
-        Object.values(groups).some((value) => {
+      let anyGroupOverride = false;
+      if (groups) {
+        for (const value of Object.values(groups)) {
           if (!value || typeof value !== "object") {
-            return false;
+            continue;
           }
           const group = value as Record<string, unknown>;
           const allowFrom = Array.isArray(group.allowFrom) ? group.allowFrom : [];
           if (allowFrom.length > 0) {
-            collectInvalidTelegramAllowFromEntries({
+            anyGroupOverride = true;
+            await collectInvalidTelegramAllowFromEntries({
               entries: allowFrom,
               target: invalidTelegramAllowFromEntries,
             });
-            return true;
           }
           const topics = group.topics;
           if (!topics || typeof topics !== "object") {
-            return false;
+            continue;
           }
-          return Object.values(topics as Record<string, unknown>).some((topicValue) => {
+          for (const topicValue of Object.values(topics as Record<string, unknown>)) {
             if (!topicValue || typeof topicValue !== "object") {
-              return false;
+              continue;
             }
             const topic = topicValue as Record<string, unknown>;
             const topicAllow = Array.isArray(topic.allowFrom) ? topic.allowFrom : [];
-            collectInvalidTelegramAllowFromEntries({
+            if (topicAllow.length > 0) {
+              anyGroupOverride = true;
+            }
+            await collectInvalidTelegramAllowFromEntries({
               entries: topicAllow,
               target: invalidTelegramAllowFromEntries,
             });
-            return topicAllow.length > 0;
-          });
-        }),
-      );
+          }
+        }
+      }
 
       const hasAnySenderAllowlist =
         storeAllowFrom.length > 0 || groupAllowFrom.length > 0 || anyGroupOverride;
@@ -739,7 +816,7 @@ export async function collectChannelSecurityFindings(params: {
             "Telegram sender authorization requires numeric Telegram user IDs. " +
             `Found non-numeric allowFrom entries: ${examples.join(", ")}${more}.`,
           remediation:
-            "Replace @username entries with numeric Telegram user IDs (use onboarding to resolve), then re-run the audit.",
+            "Replace @username entries with numeric Telegram user IDs (use setup to resolve), then re-run the audit.",
         });
       }
 
diff --git a/src/security/audit-extra.async.ts b/src/security/audit-extra.async.ts
index 7ad36855852..5e9c4036e09 100644
--- a/src/security/audit-extra.async.ts
+++ b/src/security/audit-extra.async.ts
@@ -6,22 +6,18 @@
 import fs from "node:fs/promises";
 import path from "node:path";
 import { resolveDefaultAgentId } from "../agents/agent-scope.js";
-import { isToolAllowedByPolicies } from "../agents/pi-tools.policy.js";
-import {
-  resolveSandboxConfigForAgent,
-  resolveSandboxToolPolicyForAgent,
-} from "../agents/sandbox.js";
+import { resolveSandboxConfigForAgent } from "../agents/sandbox/config.js";
 import { SANDBOX_BROWSER_SECURITY_HASH_EPOCH } from "../agents/sandbox/constants.js";
 import { execDockerRaw, type ExecDockerRawResult } from "../agents/sandbox/docker.js";
+import { resolveSandboxToolPolicyForAgent } from "../agents/sandbox/tool-policy.js";
 import type { SandboxToolPolicy } from "../agents/sandbox/types.js";
-import { loadWorkspaceSkillEntries } from "../agents/skills.js";
+import { isToolAllowedByPolicies } from "../agents/tool-policy-match.js";
 import { resolveToolProfilePolicy } from "../agents/tool-policy.js";
 import { listAgentWorkspaceDirs } from "../agents/workspace-dirs.js";
 import { formatCliCommand } from "../cli/command-format.js";
 import { MANIFEST_KEY } from "../compat/legacy-names.js";
 import { resolveNativeSkillsEnabled } from "../config/commands.js";
 import type { OpenClawConfig, ConfigFileSnapshot } from "../config/config.js";
-import { createConfigIO } from "../config/config.js";
 import { collectIncludePathsRecursive } from "../config/includes-scan.js";
 import { resolveOAuthDir } from "../config/paths.js";
 import { hasConfiguredSecretInput } from "../config/types.secrets.js";
@@ -56,6 +52,18 @@ type ExecDockerRawFn = (
 type CodeSafetySummaryCache = Map<string, Promise<unknown>>;
 const MAX_WORKSPACE_SKILL_SCAN_FILES_PER_WORKSPACE = 2_000;
 const MAX_WORKSPACE_SKILL_ESCAPE_DETAIL_ROWS = 12;
+let skillsModulePromise: Promise<typeof import("../agents/skills.js")> | undefined;
+let configModulePromise: Promise<typeof import("../config/config.js")> | undefined;
+
+function loadSkillsModule() {
+  skillsModulePromise ??= import("../agents/skills.js");
+  return skillsModulePromise;
+}
+
+function loadConfigModule() {
+  configModulePromise ??= import("../config/config.js");
+  return configModulePromise;
+}
 
 // --------------------------------------------------------------------------
 // Helpers
@@ -1130,6 +1138,7 @@ export async function readConfigSnapshotForAudit(params: {
   env: NodeJS.ProcessEnv;
   configPath: string;
 }): Promise<ConfigFileSnapshot> {
+  const { createConfigIO } = await loadConfigModule();
   return await createConfigIO({
     env: params.env,
     configPath: params.configPath,
@@ -1247,6 +1256,7 @@ export async function collectInstalledSkillsCodeSafetyFindings(params: {
   const pluginExtensionsDir = path.join(params.stateDir, "extensions");
   const scannedSkillDirs = new Set<string>();
   const workspaceDirs = listAgentWorkspaceDirs(params.cfg);
+  const { loadWorkspaceSkillEntries } = await loadSkillsModule();
 
   for (const workspaceDir of workspaceDirs) {
     const entries = loadWorkspaceSkillEntries(workspaceDir, { config: params.cfg });
diff --git a/src/security/audit-extra.sync.ts b/src/security/audit-extra.sync.ts
index 79a701c5489..bebcc44c0d0 100644
--- a/src/security/audit-extra.sync.ts
+++ b/src/security/audit-extra.sync.ts
@@ -1,16 +1,14 @@
-import { isToolAllowedByPolicies } from "../agents/pi-tools.policy.js";
-import {
-  resolveSandboxConfigForAgent,
-  resolveSandboxToolPolicyForAgent,
-} from "../agents/sandbox.js";
+import { resolveSandboxConfigForAgent } from "../agents/sandbox/config.js";
 import { isDangerousNetworkMode, normalizeNetworkMode } from "../agents/sandbox/network-mode.js";
 /**
  * Synchronous security audit collector functions.
  *
  * These functions analyze config-based security properties without I/O.
  */
+import { resolveSandboxToolPolicyForAgent } from "../agents/sandbox/tool-policy.js";
 import type { SandboxToolPolicy } from "../agents/sandbox/types.js";
 import { getBlockedBindReason } from "../agents/sandbox/validate-sandbox-security.js";
+import { isToolAllowedByPolicies } from "../agents/tool-policy-match.js";
 import { resolveToolProfilePolicy } from "../agents/tool-policy.js";
 import { resolveBrowserConfig } from "../browser/config.js";
 import { formatCliCommand } from "../cli/command-format.js";
@@ -21,7 +19,7 @@ import {
 } from "../config/model-input.js";
 import type { AgentToolsConfig } from "../config/types.tools.js";
 import { resolveGatewayAuth } from "../gateway/auth.js";
-import { resolveAllowedAgentIds } from "../gateway/hooks.js";
+import { resolveAllowedAgentIds } from "../gateway/hooks-policy.js";
 import {
   DEFAULT_DANGEROUS_NODE_COMMANDS,
   resolveNodeCommandAllowlist,
diff --git a/src/security/audit.deep.runtime.ts b/src/security/audit.deep.runtime.ts
new file mode 100644
index 00000000000..25662225d9c
--- /dev/null
+++ b/src/security/audit.deep.runtime.ts
@@ -0,0 +1,4 @@
+export {
+  collectInstalledSkillsCodeSafetyFindings,
+  collectPluginsCodeSafetyFindings,
+} from "./audit-extra.async.js";
diff --git a/src/security/audit.nondeep.runtime.ts b/src/security/audit.nondeep.runtime.ts
new file mode 100644
index 00000000000..5a962bf8386
--- /dev/null
+++ b/src/security/audit.nondeep.runtime.ts
@@ -0,0 +1,26 @@
+export {
+  collectAttackSurfaceSummaryFindings,
+  collectExposureMatrixFindings,
+  collectGatewayHttpNoAuthFindings,
+  collectGatewayHttpSessionKeyOverrideFindings,
+  collectHooksHardeningFindings,
+  collectLikelyMultiUserSetupFindings,
+  collectMinimalProfileOverrideFindings,
+  collectModelHygieneFindings,
+  collectNodeDangerousAllowCommandFindings,
+  collectNodeDenyCommandPatternFindings,
+  collectSandboxDangerousConfigFindings,
+  collectSandboxDockerNoopFindings,
+  collectSecretsInConfigFindings,
+  collectSmallModelRiskFindings,
+  collectSyncedFolderFindings,
+} from "./audit-extra.sync.js";
+
+export {
+  collectSandboxBrowserHashLabelFindings,
+  collectIncludeFilePermFindings,
+  collectPluginsTrustFindings,
+  collectStateDeepFilesystemFindings,
+  collectWorkspaceSkillSymlinkEscapeFindings,
+  readConfigSnapshotForAudit,
+} from "./audit-extra.async.js";
diff --git a/src/security/audit.runtime.ts b/src/security/audit.runtime.ts
new file mode 100644
index 00000000000..349d2f26fe5
--- /dev/null
+++ b/src/security/audit.runtime.ts
@@ -0,0 +1 @@
+export { runSecurityAudit } from "./audit.js";
diff --git a/src/security/audit.test.ts b/src/security/audit.test.ts
index 84fcadf1f98..dedc789773c 100644
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -346,6 +346,43 @@ description: test skill
     expectNoFinding(res, "gateway.bind_no_auth");
   });
 
+  it("does not flag missing gateway auth when read-only scrubbed config omits unavailable auth SecretRefs", async () => {
+    const sourceConfig: OpenClawConfig = {
+      gateway: {
+        bind: "lan",
+        auth: {
+          token: {
+            source: "env",
+            provider: "default",
+            id: "OPENCLAW_GATEWAY_TOKEN",
+          },
+        },
+      },
+      secrets: {
+        providers: {
+          default: { source: "env" },
+        },
+      },
+    };
+    const resolvedConfig: OpenClawConfig = {
+      gateway: {
+        bind: "lan",
+        auth: {},
+      },
+      secrets: sourceConfig.secrets,
+    };
+
+    const res = await runSecurityAudit({
+      config: resolvedConfig,
+      sourceConfig,
+      env: {},
+      includeFilesystem: false,
+      includeChannelSecurity: false,
+    });
+
+    expectNoFinding(res, "gateway.bind_no_auth");
+  });
+
   it("evaluates gateway auth rate-limit warning based on configuration", async () => {
     const cases: Array<{
       name: string;
@@ -1803,7 +1840,10 @@ description: test skill
   });
 
   it("warns when multiple DM senders share the main session", async () => {
-    const cfg: OpenClawConfig = { session: { dmScope: "main" } };
+    const cfg: OpenClawConfig = {
+      session: { dmScope: "main" },
+      channels: { whatsapp: { enabled: true } },
+    };
     const plugins: ChannelPlugin[] = [
       {
         id: "whatsapp",
@@ -1977,6 +2017,40 @@ description: test skill
     });
   });
 
+  it("adds a read-only resolution warning when channel account resolveAccount throws", async () => {
+    const plugin = stubChannelPlugin({
+      id: "zalouser",
+      label: "Zalo Personal",
+      listAccountIds: () => ["default"],
+      resolveAccount: () => {
+        throw new Error("missing SecretRef");
+      },
+    });
+
+    const cfg: OpenClawConfig = {
+      channels: {
+        zalouser: {
+          enabled: true,
+        },
+      },
+    };
+
+    const res = await runSecurityAudit({
+      config: cfg,
+      includeFilesystem: false,
+      includeChannelSecurity: true,
+      plugins: [plugin],
+    });
+
+    const finding = res.findings.find(
+      (entry) => entry.checkId === "channels.zalouser.account.read_only_resolution",
+    );
+    expect(finding?.severity).toBe("warn");
+    expect(finding?.title).toContain("could not be fully resolved");
+    expect(finding?.detail).toContain("zalouser:default: failed to resolve account");
+    expect(finding?.detail).toContain("missing SecretRef");
+  });
+
   it("keeps Slack HTTP slash-command findings when resolved inspection only exposes signingSecret status", async () => {
     await withChannelSecurityStateDir(async () => {
       const sourceConfig: OpenClawConfig = {
diff --git a/src/security/audit.ts b/src/security/audit.ts
index 113ec2bd067..ba809a1714c 100644
--- a/src/security/audit.ts
+++ b/src/security/audit.ts
@@ -1,51 +1,22 @@
 import { isIP } from "node:net";
 import path from "node:path";
 import { resolveSandboxConfigForAgent } from "../agents/sandbox.js";
-import { execDockerRaw } from "../agents/sandbox/docker.js";
 import { redactCdpUrl } from "../browser/cdp.helpers.js";
 import { resolveBrowserConfig, resolveProfile } from "../browser/config.js";
 import { resolveBrowserControlAuth } from "../browser/control-auth.js";
-import { listChannelPlugins } from "../channels/plugins/index.js";
+import { hasPotentialConfiguredChannels } from "../channels/config-presence.js";
+import type { listChannelPlugins } from "../channels/plugins/index.js";
 import { formatCliCommand } from "../cli/command-format.js";
 import type { ConfigFileSnapshot, OpenClawConfig } from "../config/config.js";
 import { resolveConfigPath, resolveStateDir } from "../config/paths.js";
 import { hasConfiguredSecretInput } from "../config/types.secrets.js";
 import { resolveGatewayAuth } from "../gateway/auth.js";
-import { buildGatewayConnectionDetails } from "../gateway/call.js";
-import { resolveGatewayProbeAuthSafe } from "../gateway/probe-auth.js";
-import { probeGateway } from "../gateway/probe.js";
 import {
   listInterpreterLikeSafeBins,
   resolveMergedSafeBinProfileFixtures,
 } from "../infra/exec-safe-bin-runtime-policy.js";
 import { normalizeTrustedSafeBinDirs } from "../infra/exec-safe-bin-trust.js";
 import { isBlockedHostnameOrIp, isPrivateNetworkAllowedByPolicy } from "../infra/net/ssrf.js";
-import { collectChannelSecurityFindings } from "./audit-channel.js";
-import {
-  collectAttackSurfaceSummaryFindings,
-  collectExposureMatrixFindings,
-  collectGatewayHttpNoAuthFindings,
-  collectGatewayHttpSessionKeyOverrideFindings,
-  collectHooksHardeningFindings,
-  collectIncludeFilePermFindings,
-  collectInstalledSkillsCodeSafetyFindings,
-  collectLikelyMultiUserSetupFindings,
-  collectSandboxBrowserHashLabelFindings,
-  collectMinimalProfileOverrideFindings,
-  collectModelHygieneFindings,
-  collectNodeDangerousAllowCommandFindings,
-  collectNodeDenyCommandPatternFindings,
-  collectSmallModelRiskFindings,
-  collectSandboxDangerousConfigFindings,
-  collectSandboxDockerNoopFindings,
-  collectPluginsTrustFindings,
-  collectSecretsInConfigFindings,
-  collectPluginsCodeSafetyFindings,
-  collectStateDeepFilesystemFindings,
-  collectSyncedFolderFindings,
-  collectWorkspaceSkillSymlinkEscapeFindings,
-  readConfigSnapshotForAudit,
-} from "./audit-extra.js";
 import {
   formatPermissionDetail,
   formatPermissionRemediation,
@@ -55,6 +26,9 @@ import { collectEnabledInsecureOrDangerousFlags } from "./dangerous-config-flags
 import { DEFAULT_GATEWAY_HTTP_TOOL_DENY } from "./dangerous-tools.js";
 import type { ExecFn } from "./windows-acl.js";
 
+type ExecDockerRawFn = typeof import("../agents/sandbox/docker.js").execDockerRaw;
+type ProbeGatewayFn = typeof import("../gateway/probe.js").probeGateway;
+
 export type SecurityAuditSeverity = "info" | "warn" | "critical";
 
 export type SecurityAuditFinding = {
@@ -102,16 +76,18 @@ export type SecurityAuditOptions = {
   deepTimeoutMs?: number;
   /** Dependency injection for tests. */
   plugins?: ReturnType<typeof listChannelPlugins>;
-  /** Dependency injection for tests. */
-  probeGatewayFn?: typeof probeGateway;
   /** Dependency injection for tests (Windows ACL checks). */
   execIcacls?: ExecFn;
   /** Dependency injection for tests (Docker label checks). */
-  execDockerRawFn?: typeof execDockerRaw;
+  execDockerRawFn?: ExecDockerRawFn;
   /** Optional preloaded config snapshot to skip audit-time config file reads. */
   configSnapshot?: ConfigFileSnapshot | null;
   /** Optional cache for code-safety summaries across repeated deep audits. */
   codeSafetySummaryCache?: Map<string, Promise<unknown>>;
+  /** Optional explicit auth for deep gateway probe. */
+  deepProbeAuth?: { token?: string; password?: string };
+  /** Dependency injection for tests. */
+  probeGatewayFn?: ProbeGatewayFn;
 };
 
 type AuditExecutionContext = {
@@ -126,13 +102,61 @@ type AuditExecutionContext = {
   stateDir: string;
   configPath: string;
   execIcacls?: ExecFn;
-  execDockerRawFn?: typeof execDockerRaw;
-  probeGatewayFn?: typeof probeGateway;
+  execDockerRawFn?: ExecDockerRawFn;
+  probeGatewayFn?: ProbeGatewayFn;
   plugins?: ReturnType<typeof listChannelPlugins>;
   configSnapshot: ConfigFileSnapshot | null;
   codeSafetySummaryCache: Map<string, Promise<unknown>>;
+  deepProbeAuth?: { token?: string; password?: string };
 };
 
+let channelPluginsModulePromise: Promise<typeof import("../channels/plugins/index.js")> | undefined;
+let auditNonDeepModulePromise: Promise<typeof import("./audit.nondeep.runtime.js")> | undefined;
+let auditDeepModulePromise: Promise<typeof import("./audit.deep.runtime.js")> | undefined;
+let auditChannelModulePromise:
+  | Promise<typeof import("./audit-channel.collect.runtime.js")>
+  | undefined;
+let gatewayProbeDepsPromise:
+  | Promise<{
+      buildGatewayConnectionDetails: typeof import("../gateway/call.js").buildGatewayConnectionDetails;
+      resolveGatewayProbeAuthSafe: typeof import("../gateway/probe-auth.js").resolveGatewayProbeAuthSafe;
+      probeGateway: typeof import("../gateway/probe.js").probeGateway;
+    }>
+  | undefined;
+
+async function loadChannelPlugins() {
+  channelPluginsModulePromise ??= import("../channels/plugins/index.js");
+  return await channelPluginsModulePromise;
+}
+
+async function loadAuditNonDeepModule() {
+  auditNonDeepModulePromise ??= import("./audit.nondeep.runtime.js");
+  return await auditNonDeepModulePromise;
+}
+
+async function loadAuditDeepModule() {
+  auditDeepModulePromise ??= import("./audit.deep.runtime.js");
+  return await auditDeepModulePromise;
+}
+
+async function loadAuditChannelModule() {
+  auditChannelModulePromise ??= import("./audit-channel.collect.runtime.js");
+  return await auditChannelModulePromise;
+}
+
+async function loadGatewayProbeDeps() {
+  gatewayProbeDepsPromise ??= Promise.all([
+    import("../gateway/call.js"),
+    import("../gateway/probe-auth.js"),
+    import("../gateway/probe.js"),
+  ]).then(([callModule, probeAuthModule, probeModule]) => ({
+    buildGatewayConnectionDetails: callModule.buildGatewayConnectionDetails,
+    resolveGatewayProbeAuthSafe: probeAuthModule.resolveGatewayProbeAuthSafe,
+    probeGateway: probeModule.probeGateway,
+  }));
+  return await gatewayProbeDepsPromise;
+}
+
 function countBySeverity(findings: SecurityAuditFinding[]): SecurityAuditSummary {
   let critical = 0;
   let warn = 0;
@@ -340,6 +364,7 @@ async function collectFilesystemFindings(params: {
 
 function collectGatewayConfigFindings(
   cfg: OpenClawConfig,
+  sourceConfig: OpenClawConfig,
   env: NodeJS.ProcessEnv,
 ): SecurityAuditFinding[] {
   const findings: SecurityAuditFinding[] = [];
@@ -364,18 +389,18 @@ function collectGatewayConfigFindings(
     hasNonEmptyString(env.OPENCLAW_GATEWAY_PASSWORD) ||
     hasNonEmptyString(env.CLAWDBOT_GATEWAY_PASSWORD);
   const tokenConfiguredFromConfig = hasConfiguredSecretInput(
-    cfg.gateway?.auth?.token,
-    cfg.secrets?.defaults,
+    sourceConfig.gateway?.auth?.token,
+    sourceConfig.secrets?.defaults,
   );
   const passwordConfiguredFromConfig = hasConfiguredSecretInput(
-    cfg.gateway?.auth?.password,
-    cfg.secrets?.defaults,
+    sourceConfig.gateway?.auth?.password,
+    sourceConfig.secrets?.defaults,
   );
   const remoteTokenConfigured = hasConfiguredSecretInput(
-    cfg.gateway?.remote?.token,
-    cfg.secrets?.defaults,
+    sourceConfig.gateway?.remote?.token,
+    sourceConfig.secrets?.defaults,
   );
-  const explicitAuthMode = cfg.gateway?.auth?.mode;
+  const explicitAuthMode = sourceConfig.gateway?.auth?.mode;
   const tokenCanWin =
     hasToken || envTokenConfigured || tokenConfiguredFromConfig || remoteTokenConfigured;
   const passwordCanWin =
@@ -1060,11 +1085,14 @@ async function maybeProbeGateway(params: {
   cfg: OpenClawConfig;
   env: NodeJS.ProcessEnv;
   timeoutMs: number;
-  probe: typeof probeGateway;
+  probe: ProbeGatewayFn;
+  explicitAuth?: { token?: string; password?: string };
 }): Promise<{
   deep: SecurityAuditReport["deep"];
   authWarning?: string;
 }> {
+  const { buildGatewayConnectionDetails, resolveGatewayProbeAuthSafe } =
+    await loadGatewayProbeDeps();
   const connection = buildGatewayConnectionDetails({ config: params.cfg });
   const url = connection.url;
   const isRemoteMode = params.cfg.gateway?.mode === "remote";
@@ -1074,8 +1102,18 @@ async function maybeProbeGateway(params: {
 
   const authResolution =
     !isRemoteMode || remoteUrlMissing
-      ? resolveGatewayProbeAuthSafe({ cfg: params.cfg, env: params.env, mode: "local" })
-      : resolveGatewayProbeAuthSafe({ cfg: params.cfg, env: params.env, mode: "remote" });
+      ? resolveGatewayProbeAuthSafe({
+          cfg: params.cfg,
+          env: params.env,
+          mode: "local",
+          explicitAuth: params.explicitAuth,
+        })
+      : resolveGatewayProbeAuthSafe({
+          cfg: params.cfg,
+          env: params.env,
+          mode: "remote",
+          explicitAuth: params.explicitAuth,
+        });
   const res = await params
     .probe({ url, auth: authResolution.auth, timeoutMs: params.timeoutMs })
     .catch((err) => ({
@@ -1121,6 +1159,7 @@ async function createAuditExecutionContext(
   const deepTimeoutMs = Math.max(250, opts.deepTimeoutMs ?? 5000);
   const stateDir = opts.stateDir ?? resolveStateDir(env);
   const configPath = opts.configPath ?? resolveConfigPath(env, stateDir);
+  const { readConfigSnapshotForAudit } = await loadAuditNonDeepModule();
   const configSnapshot = includeFilesystem
     ? opts.configSnapshot !== undefined
       ? opts.configSnapshot
@@ -1143,6 +1182,7 @@ async function createAuditExecutionContext(
     plugins: opts.plugins,
     configSnapshot,
     codeSafetySummaryCache: opts.codeSafetySummaryCache ?? new Map<string, Promise<unknown>>(),
+    deepProbeAuth: opts.deepProbeAuth,
   };
 }
 
@@ -1150,28 +1190,29 @@ export async function runSecurityAudit(opts: SecurityAuditOptions): Promise<Secu
   const findings: SecurityAuditFinding[] = [];
   const context = await createAuditExecutionContext(opts);
   const { cfg, env, platform, stateDir, configPath } = context;
+  const auditNonDeep = await loadAuditNonDeepModule();
 
-  findings.push(...collectAttackSurfaceSummaryFindings(cfg));
-  findings.push(...collectSyncedFolderFindings({ stateDir, configPath }));
+  findings.push(...auditNonDeep.collectAttackSurfaceSummaryFindings(cfg));
+  findings.push(...auditNonDeep.collectSyncedFolderFindings({ stateDir, configPath }));
 
-  findings.push(...collectGatewayConfigFindings(cfg, env));
+  findings.push(...collectGatewayConfigFindings(cfg, context.sourceConfig, env));
   findings.push(...collectBrowserControlFindings(cfg, env));
   findings.push(...collectLoggingFindings(cfg));
   findings.push(...collectElevatedFindings(cfg));
   findings.push(...collectExecRuntimeFindings(cfg));
-  findings.push(...collectHooksHardeningFindings(cfg, env));
-  findings.push(...collectGatewayHttpNoAuthFindings(cfg, env));
-  findings.push(...collectGatewayHttpSessionKeyOverrideFindings(cfg));
-  findings.push(...collectSandboxDockerNoopFindings(cfg));
-  findings.push(...collectSandboxDangerousConfigFindings(cfg));
-  findings.push(...collectNodeDenyCommandPatternFindings(cfg));
-  findings.push(...collectNodeDangerousAllowCommandFindings(cfg));
-  findings.push(...collectMinimalProfileOverrideFindings(cfg));
-  findings.push(...collectSecretsInConfigFindings(cfg));
-  findings.push(...collectModelHygieneFindings(cfg));
-  findings.push(...collectSmallModelRiskFindings({ cfg, env }));
-  findings.push(...collectExposureMatrixFindings(cfg));
-  findings.push(...collectLikelyMultiUserSetupFindings(cfg));
+  findings.push(...auditNonDeep.collectHooksHardeningFindings(cfg, env));
+  findings.push(...auditNonDeep.collectGatewayHttpNoAuthFindings(cfg, env));
+  findings.push(...auditNonDeep.collectGatewayHttpSessionKeyOverrideFindings(cfg));
+  findings.push(...auditNonDeep.collectSandboxDockerNoopFindings(cfg));
+  findings.push(...auditNonDeep.collectSandboxDangerousConfigFindings(cfg));
+  findings.push(...auditNonDeep.collectNodeDenyCommandPatternFindings(cfg));
+  findings.push(...auditNonDeep.collectNodeDangerousAllowCommandFindings(cfg));
+  findings.push(...auditNonDeep.collectMinimalProfileOverrideFindings(cfg));
+  findings.push(...auditNonDeep.collectSecretsInConfigFindings(cfg));
+  findings.push(...auditNonDeep.collectModelHygieneFindings(cfg));
+  findings.push(...auditNonDeep.collectSmallModelRiskFindings({ cfg, env }));
+  findings.push(...auditNonDeep.collectExposureMatrixFindings(cfg));
+  findings.push(...auditNonDeep.collectLikelyMultiUserSetupFindings(cfg));
 
   if (context.includeFilesystem) {
     findings.push(
@@ -1185,7 +1226,7 @@ export async function runSecurityAudit(opts: SecurityAuditOptions): Promise<Secu
     );
     if (context.configSnapshot) {
       findings.push(
-        ...(await collectIncludeFilePermFindings({
+        ...(await auditNonDeep.collectIncludeFilePermFindings({
           configSnapshot: context.configSnapshot,
           env,
           platform,
@@ -1194,7 +1235,7 @@ export async function runSecurityAudit(opts: SecurityAuditOptions): Promise<Secu
       );
     }
     findings.push(
-      ...(await collectStateDeepFilesystemFindings({
+      ...(await auditNonDeep.collectStateDeepFilesystemFindings({
         cfg,
         env,
         stateDir,
@@ -1202,22 +1243,23 @@ export async function runSecurityAudit(opts: SecurityAuditOptions): Promise<Secu
         execIcacls: context.execIcacls,
       })),
     );
-    findings.push(...(await collectWorkspaceSkillSymlinkEscapeFindings({ cfg })));
+    findings.push(...(await auditNonDeep.collectWorkspaceSkillSymlinkEscapeFindings({ cfg })));
     findings.push(
-      ...(await collectSandboxBrowserHashLabelFindings({
+      ...(await auditNonDeep.collectSandboxBrowserHashLabelFindings({
         execDockerRawFn: context.execDockerRawFn,
       })),
     );
-    findings.push(...(await collectPluginsTrustFindings({ cfg, stateDir })));
+    findings.push(...(await auditNonDeep.collectPluginsTrustFindings({ cfg, stateDir })));
     if (context.deep) {
+      const auditDeep = await loadAuditDeepModule();
       findings.push(
-        ...(await collectPluginsCodeSafetyFindings({
+        ...(await auditDeep.collectPluginsCodeSafetyFindings({
           stateDir,
           summaryCache: context.codeSafetySummaryCache,
         })),
       );
       findings.push(
-        ...(await collectInstalledSkillsCodeSafetyFindings({
+        ...(await auditDeep.collectInstalledSkillsCodeSafetyFindings({
           cfg,
           stateDir,
           summaryCache: context.codeSafetySummaryCache,
@@ -1226,13 +1268,17 @@ export async function runSecurityAudit(opts: SecurityAuditOptions): Promise<Secu
     }
   }
 
-  if (context.includeChannelSecurity) {
-    const plugins = context.plugins ?? listChannelPlugins();
+  const shouldAuditChannelSecurity =
+    context.includeChannelSecurity &&
+    (context.plugins !== undefined || hasPotentialConfiguredChannels(cfg, env));
+  if (shouldAuditChannelSecurity) {
+    const channelPlugins = context.plugins ?? (await loadChannelPlugins()).listChannelPlugins();
+    const { collectChannelSecurityFindings } = await loadAuditChannelModule();
     findings.push(
       ...(await collectChannelSecurityFindings({
         cfg,
         sourceConfig: context.sourceConfig,
-        plugins,
+        plugins: channelPlugins,
       })),
     );
   }
@@ -1242,7 +1288,8 @@ export async function runSecurityAudit(opts: SecurityAuditOptions): Promise<Secu
         cfg,
         env,
         timeoutMs: context.deepTimeoutMs,
-        probe: context.probeGatewayFn ?? probeGateway,
+        probe: context.probeGatewayFn ?? (await loadGatewayProbeDeps()).probeGateway,
+        explicitAuth: context.deepProbeAuth,
       })
     : undefined;
   const deep = deepProbeResult?.deep;
diff --git a/src/test-utils/channel-plugins.ts b/src/test-utils/channel-plugins.ts
index ebec4f2c747..4f52350f8fc 100644
--- a/src/test-utils/channel-plugins.ts
+++ b/src/test-utils/channel-plugins.ts
@@ -1,6 +1,7 @@
 import type {
   ChannelCapabilities,
   ChannelId,
+  ChannelMessagingAdapter,
   ChannelOutboundAdapter,
   ChannelPlugin,
 } from "../channels/plugins/types.js";
@@ -25,6 +26,7 @@ export const createTestRegistry = (channels: TestChannelRegistration[] = []): Pl
     enabled: true,
   })),
   providers: [],
+  webSearchProviders: [],
   gatewayHandlers: {},
   httpRoutes: [],
   cliRegistrars: [],
@@ -95,6 +97,7 @@ export const createMSTeamsTestPlugin = (params?: {
 export const createOutboundTestPlugin = (params: {
   id: ChannelId;
   outbound: ChannelOutboundAdapter;
+  messaging?: ChannelMessagingAdapter;
   label?: string;
   docsPath?: string;
   capabilities?: ChannelCapabilities;
@@ -107,4 +110,5 @@ export const createOutboundTestPlugin = (params: {
     config: { listAccountIds: () => [] },
   }),
   outbound: params.outbound,
+  ...(params.messaging ? { messaging: params.messaging } : {}),
 });
diff --git a/src/test-utils/imessage-test-plugin.ts b/src/test-utils/imessage-test-plugin.ts
index 962a1f7c33e..201ad3f9897 100644
--- a/src/test-utils/imessage-test-plugin.ts
+++ b/src/test-utils/imessage-test-plugin.ts
@@ -1,5 +1,5 @@
 import { normalizeIMessageHandle } from "../../extensions/imessage/src/targets.js";
-import { imessageOutbound } from "../channels/plugins/outbound/imessage.js";
+import { imessageOutbound } from "../../test/channel-outbounds.js";
 import type { ChannelOutboundAdapter, ChannelPlugin } from "../channels/plugins/types.js";
 import { collectStatusIssuesFromLastError } from "../plugin-sdk/status-helpers.js";
 
diff --git a/src/test-utils/plugin-registration.ts b/src/test-utils/plugin-registration.ts
new file mode 100644
index 00000000000..e17e4a2520d
--- /dev/null
+++ b/src/test-utils/plugin-registration.ts
@@ -0,0 +1,48 @@
+import type {
+  AnyAgentTool,
+  OpenClawPluginApi,
+  ProviderPlugin,
+  WebSearchProviderPlugin,
+} from "../plugins/types.js";
+
+export type CapturedPluginRegistration = {
+  api: OpenClawPluginApi;
+  providers: ProviderPlugin[];
+  webSearchProviders: WebSearchProviderPlugin[];
+  tools: AnyAgentTool[];
+};
+
+export function createCapturedPluginRegistration(): CapturedPluginRegistration {
+  const providers: ProviderPlugin[] = [];
+  const webSearchProviders: WebSearchProviderPlugin[] = [];
+  const tools: AnyAgentTool[] = [];
+
+  return {
+    providers,
+    webSearchProviders,
+    tools,
+    api: {
+      registerProvider(provider: ProviderPlugin) {
+        providers.push(provider);
+      },
+      registerWebSearchProvider(provider: WebSearchProviderPlugin) {
+        webSearchProviders.push(provider);
+      },
+      registerTool(tool: AnyAgentTool) {
+        tools.push(tool);
+      },
+    } as OpenClawPluginApi,
+  };
+}
+
+export function registerSingleProviderPlugin(params: {
+  register(api: OpenClawPluginApi): void;
+}): ProviderPlugin {
+  const captured = createCapturedPluginRegistration();
+  params.register(captured.api);
+  const provider = captured.providers[0];
+  if (!provider) {
+    throw new Error("provider registration missing");
+  }
+  return provider;
+}
diff --git a/src/test-utils/runtime-group-policy-contract.ts b/src/test-utils/runtime-group-policy-contract.ts
deleted file mode 100644
index 65a0e0b8ef3..00000000000
--- a/src/test-utils/runtime-group-policy-contract.ts
+++ /dev/null
@@ -1,43 +0,0 @@
-import { expect, it } from "vitest";
-import type {
-  ResolveProviderRuntimeGroupPolicyParams,
-  RuntimeGroupPolicyResolution,
-} from "../config/runtime-group-policy.js";
-import type { GroupPolicy } from "../config/types.base.js";
-
-type RuntimeGroupPolicyResolver = (
-  params: ResolveProviderRuntimeGroupPolicyParams,
-) => RuntimeGroupPolicyResolution;
-
-export function installProviderRuntimeGroupPolicyFallbackSuite(params: {
-  configuredLabel: string;
-  defaultGroupPolicyUnderTest: GroupPolicy;
-  missingConfigLabel: string;
-  missingDefaultLabel: string;
-  resolve: RuntimeGroupPolicyResolver;
-}) {
-  it(params.missingConfigLabel, () => {
-    const resolved = params.resolve({
-      providerConfigPresent: false,
-    });
-    expect(resolved.groupPolicy).toBe("allowlist");
-    expect(resolved.providerMissingFallbackApplied).toBe(true);
-  });
-
-  it(params.configuredLabel, () => {
-    const resolved = params.resolve({
-      providerConfigPresent: true,
-    });
-    expect(resolved.groupPolicy).toBe("open");
-    expect(resolved.providerMissingFallbackApplied).toBe(false);
-  });
-
-  it(params.missingDefaultLabel, () => {
-    const resolved = params.resolve({
-      providerConfigPresent: false,
-      defaultGroupPolicy: params.defaultGroupPolicyUnderTest,
-    });
-    expect(resolved.groupPolicy).toBe("allowlist");
-    expect(resolved.providerMissingFallbackApplied).toBe(true);
-  });
-}
diff --git a/src/test-utils/send-payload-contract.ts b/src/test-utils/send-payload-contract.ts
deleted file mode 100644
index 5e78e406a74..00000000000
--- a/src/test-utils/send-payload-contract.ts
+++ /dev/null
@@ -1,138 +0,0 @@
-import { expect, it, type Mock } from "vitest";
-
-type PayloadLike = {
-  mediaUrl?: string;
-  mediaUrls?: string[];
-  text?: string;
-};
-
-type SendResultLike = {
-  messageId: string;
-  [key: string]: unknown;
-};
-
-type ChunkingMode =
-  | {
-      longTextLength: number;
-      maxChunkLength: number;
-      mode: "split";
-    }
-  | {
-      longTextLength: number;
-      mode: "passthrough";
-    };
-
-export function installSendPayloadContractSuite(params: {
-  channel: string;
-  chunking: ChunkingMode;
-  createHarness: (params: { payload: PayloadLike; sendResults?: SendResultLike[] }) => {
-    run: () => Promise<Record<string, unknown>>;
-    sendMock: Mock;
-    to: string;
-  };
-}) {
-  it("text-only delegates to sendText", async () => {
-    const { run, sendMock, to } = params.createHarness({
-      payload: { text: "hello" },
-    });
-    const result = await run();
-
-    expect(sendMock).toHaveBeenCalledTimes(1);
-    expect(sendMock).toHaveBeenCalledWith(to, "hello", expect.any(Object));
-    expect(result).toMatchObject({ channel: params.channel });
-  });
-
-  it("single media delegates to sendMedia", async () => {
-    const { run, sendMock, to } = params.createHarness({
-      payload: { text: "cap", mediaUrl: "https://example.com/a.jpg" },
-    });
-    const result = await run();
-
-    expect(sendMock).toHaveBeenCalledTimes(1);
-    expect(sendMock).toHaveBeenCalledWith(
-      to,
-      "cap",
-      expect.objectContaining({ mediaUrl: "https://example.com/a.jpg" }),
-    );
-    expect(result).toMatchObject({ channel: params.channel });
-  });
-
-  it("multi-media iterates URLs with caption on first", async () => {
-    const { run, sendMock, to } = params.createHarness({
-      payload: {
-        text: "caption",
-        mediaUrls: ["https://example.com/1.jpg", "https://example.com/2.jpg"],
-      },
-      sendResults: [{ messageId: "m-1" }, { messageId: "m-2" }],
-    });
-    const result = await run();
-
-    expect(sendMock).toHaveBeenCalledTimes(2);
-    expect(sendMock).toHaveBeenNthCalledWith(
-      1,
-      to,
-      "caption",
-      expect.objectContaining({ mediaUrl: "https://example.com/1.jpg" }),
-    );
-    expect(sendMock).toHaveBeenNthCalledWith(
-      2,
-      to,
-      "",
-      expect.objectContaining({ mediaUrl: "https://example.com/2.jpg" }),
-    );
-    expect(result).toMatchObject({ channel: params.channel, messageId: "m-2" });
-  });
-
-  it("empty payload returns no-op", async () => {
-    const { run, sendMock } = params.createHarness({ payload: {} });
-    const result = await run();
-
-    expect(sendMock).not.toHaveBeenCalled();
-    expect(result).toEqual({ channel: params.channel, messageId: "" });
-  });
-
-  if (params.chunking.mode === "passthrough") {
-    it("text exceeding chunk limit is sent as-is when chunker is null", async () => {
-      const text = "a".repeat(params.chunking.longTextLength);
-      const { run, sendMock, to } = params.createHarness({ payload: { text } });
-      const result = await run();
-
-      expect(sendMock).toHaveBeenCalledTimes(1);
-      expect(sendMock).toHaveBeenCalledWith(to, text, expect.any(Object));
-      expect(result).toMatchObject({ channel: params.channel });
-    });
-    return;
-  }
-
-  const chunking = params.chunking;
-
-  it("chunking splits long text", async () => {
-    const text = "a".repeat(chunking.longTextLength);
-    const { run, sendMock } = params.createHarness({
-      payload: { text },
-      sendResults: [{ messageId: "c-1" }, { messageId: "c-2" }],
-    });
-    const result = await run();
-
-    expect(sendMock.mock.calls.length).toBeGreaterThanOrEqual(2);
-    for (const call of sendMock.mock.calls) {
-      expect((call[1] as string).length).toBeLessThanOrEqual(chunking.maxChunkLength);
-    }
-    expect(result).toMatchObject({ channel: params.channel });
-  });
-}
-
-export function primeSendMock(
-  sendMock: Mock,
-  fallbackResult: Record<string, unknown>,
-  sendResults: SendResultLike[] = [],
-) {
-  sendMock.mockReset();
-  if (sendResults.length === 0) {
-    sendMock.mockResolvedValue(fallbackResult);
-    return;
-  }
-  for (const result of sendResults) {
-    sendMock.mockResolvedValueOnce(result);
-  }
-}
diff --git a/src/wizard/onboarding.completion.test.ts b/src/wizard/setup.completion.test.ts
similarity index 78%
rename from src/wizard/onboarding.completion.test.ts
rename to src/wizard/setup.completion.test.ts
index 031bad31919..4086d745c07 100644
--- a/src/wizard/onboarding.completion.test.ts
+++ b/src/wizard/setup.completion.test.ts
@@ -1,5 +1,5 @@
 import { describe, expect, it, vi } from "vitest";
-import { setupOnboardingShellCompletion } from "./onboarding.completion.js";
+import { setupWizardShellCompletion } from "./setup.completion.js";
 
 function createPrompter(confirmValue = false) {
   return {
@@ -9,7 +9,7 @@ function createPrompter(confirmValue = false) {
 }
 
 function createDeps() {
-  const deps: NonNullable<Parameters<typeof setupOnboardingShellCompletion>[0]["deps"]> = {
+  const deps: NonNullable<Parameters<typeof setupWizardShellCompletion>[0]["deps"]> = {
     resolveCliName: () => "openclaw",
     checkShellCompletionStatus: vi.fn(async (_binName: string) => ({
       shell: "zsh" as const,
@@ -24,12 +24,12 @@ function createDeps() {
   return deps;
 }
 
-describe("setupOnboardingShellCompletion", () => {
+describe("setupWizardShellCompletion", () => {
   it("QuickStart: installs without prompting", async () => {
     const prompter = createPrompter();
     const deps = createDeps();
 
-    await setupOnboardingShellCompletion({ flow: "quickstart", prompter, deps });
+    await setupWizardShellCompletion({ flow: "quickstart", prompter, deps });
 
     expect(prompter.confirm).not.toHaveBeenCalled();
     expect(deps.ensureCompletionCacheExists).toHaveBeenCalledWith("openclaw");
@@ -41,7 +41,7 @@ describe("setupOnboardingShellCompletion", () => {
     const prompter = createPrompter();
     const deps = createDeps();
 
-    await setupOnboardingShellCompletion({ flow: "advanced", prompter, deps });
+    await setupWizardShellCompletion({ flow: "advanced", prompter, deps });
 
     expect(prompter.confirm).toHaveBeenCalledTimes(1);
     expect(deps.ensureCompletionCacheExists).not.toHaveBeenCalled();
diff --git a/src/wizard/onboarding.completion.ts b/src/wizard/setup.completion.ts
similarity index 96%
rename from src/wizard/onboarding.completion.ts
rename to src/wizard/setup.completion.ts
index f0888a9e6a2..be00151db36 100644
--- a/src/wizard/onboarding.completion.ts
+++ b/src/wizard/setup.completion.ts
@@ -8,8 +8,8 @@ import {
   ensureCompletionCacheExists,
 } from "../commands/doctor-completion.js";
 import { pathExists } from "../utils.js";
-import type { WizardFlow } from "./onboarding.types.js";
 import type { WizardPrompter } from "./prompts.js";
+import type { WizardFlow } from "./setup.types.js";
 
 type CompletionDeps = {
   resolveCliName: () => string;
@@ -41,7 +41,7 @@ function formatReloadHint(shell: ShellCompletionStatus["shell"], profileHint: st
   return `Restart your shell or run: source ${profileHint}`;
 }
 
-export async function setupOnboardingShellCompletion(params: {
+export async function setupWizardShellCompletion(params: {
   flow: WizardFlow;
   prompter: Pick<WizardPrompter, "confirm" | "note">;
   deps?: Partial<CompletionDeps>;
diff --git a/src/wizard/onboarding.finalize.test.ts b/src/wizard/setup.finalize.test.ts
similarity index 95%
rename from src/wizard/onboarding.finalize.test.ts
rename to src/wizard/setup.finalize.test.ts
index 0fa67d16a8f..269c96e347c 100644
--- a/src/wizard/onboarding.finalize.test.ts
+++ b/src/wizard/setup.finalize.test.ts
@@ -4,7 +4,7 @@ import type { RuntimeEnv } from "../runtime.js";
 
 const runTui = vi.hoisted(() => vi.fn(async () => {}));
 const probeGatewayReachable = vi.hoisted(() => vi.fn(async () => ({ ok: true })));
-const setupOnboardingShellCompletion = vi.hoisted(() => vi.fn(async () => {}));
+const setupWizardShellCompletion = vi.hoisted(() => vi.fn(async () => {}));
 const buildGatewayInstallPlan = vi.hoisted(() =>
   vi.fn(async () => ({
     programArguments: [],
@@ -96,11 +96,11 @@ vi.mock("../tui/tui.js", () => ({
   runTui,
 }));
 
-vi.mock("./onboarding.completion.js", () => ({
-  setupOnboardingShellCompletion,
+vi.mock("./setup.completion.js", () => ({
+  setupWizardShellCompletion,
 }));
 
-import { finalizeOnboardingWizard } from "./onboarding.finalize.js";
+import { finalizeSetupWizard } from "./setup.finalize.js";
 
 function createRuntime(): RuntimeEnv {
   return {
@@ -117,11 +117,11 @@ function expectFirstOnboardingInstallPlanCallOmitsToken() {
   expect(firstArg && "token" in firstArg).toBe(false);
 }
 
-describe("finalizeOnboardingWizard", () => {
+describe("finalizeSetupWizard", () => {
   beforeEach(() => {
     runTui.mockClear();
     probeGatewayReachable.mockClear();
-    setupOnboardingShellCompletion.mockClear();
+    setupWizardShellCompletion.mockClear();
     buildGatewayInstallPlan.mockClear();
     gatewayServiceInstall.mockClear();
     gatewayServiceIsLoaded.mockReset();
@@ -150,7 +150,7 @@ describe("finalizeOnboardingWizard", () => {
     const runtime = createRuntime();
 
     try {
-      await finalizeOnboardingWizard({
+      await finalizeSetupWizard({
         flow: "quickstart",
         opts: {
           acceptRisk: true,
@@ -220,7 +220,7 @@ describe("finalizeOnboardingWizard", () => {
     });
     const runtime = createRuntime();
 
-    await finalizeOnboardingWizard({
+    await finalizeSetupWizard({
       flow: "advanced",
       opts: {
         acceptRisk: true,
@@ -277,7 +277,7 @@ describe("finalizeOnboardingWizard", () => {
       progress: vi.fn(() => ({ update: progressUpdate, stop: progressStop })),
     });
 
-    await finalizeOnboardingWizard({
+    await finalizeSetupWizard({
       flow: "advanced",
       opts: {
         acceptRisk: true,
diff --git a/src/wizard/onboarding.finalize.ts b/src/wizard/setup.finalize.ts
similarity index 96%
rename from src/wizard/onboarding.finalize.ts
rename to src/wizard/setup.finalize.ts
index b218e160ed5..74738facd63 100644
--- a/src/wizard/onboarding.finalize.ts
+++ b/src/wizard/setup.finalize.ts
@@ -30,10 +30,10 @@ import type { RuntimeEnv } from "../runtime.js";
 import { restoreTerminalState } from "../terminal/restore.js";
 import { runTui } from "../tui/tui.js";
 import { resolveUserPath } from "../utils.js";
-import { setupOnboardingShellCompletion } from "./onboarding.completion.js";
-import { resolveOnboardingSecretInputString } from "./onboarding.secret-input.js";
-import type { GatewayWizardSettings, WizardFlow } from "./onboarding.types.js";
 import type { WizardPrompter } from "./prompts.js";
+import { setupWizardShellCompletion } from "./setup.completion.js";
+import { resolveSetupSecretInputString } from "./setup.secret-input.js";
+import type { GatewayWizardSettings, WizardFlow } from "./setup.types.js";
 
 type FinalizeOnboardingOptions = {
   flow: WizardFlow;
@@ -46,7 +46,7 @@ type FinalizeOnboardingOptions = {
   runtime: RuntimeEnv;
 };
 
-export async function finalizeOnboardingWizard(
+export async function finalizeSetupWizard(
   options: FinalizeOnboardingOptions,
 ): Promise<{ launchedTui: boolean }> {
   const { flow, opts, baseConfig, nextConfig, settings, prompter, runtime } = options;
@@ -187,7 +187,7 @@ export async function finalizeOnboardingWizard(
           installError = [
             "Gateway install blocked:",
             tokenResolution.unavailableReason,
-            "Fix gateway auth config/token input and rerun onboarding.",
+            "Fix gateway auth config/token input and rerun setup.",
           ].join(" ");
         } else {
           const { programArguments, workingDirectory, environment } = await buildGatewayInstallPlan(
@@ -286,7 +286,7 @@ export async function finalizeOnboardingWizard(
   if (settings.authMode === "password") {
     try {
       resolvedGatewayPassword =
-        (await resolveOnboardingSecretInputString({
+        (await resolveSetupSecretInputString({
           config: nextConfig,
           value: nextConfig.gateway?.auth?.password,
           path: "gateway.auth.password",
@@ -295,7 +295,7 @@ export async function finalizeOnboardingWizard(
     } catch (error) {
       await prompter.note(
         [
-          "Could not resolve gateway.auth.password SecretRef for onboarding auth.",
+          "Could not resolve gateway.auth.password SecretRef for setup auth.",
           error instanceof Error ? error.message : String(error),
         ].join("\n"),
         "Gateway auth",
@@ -378,12 +378,12 @@ export async function finalizeOnboardingWizard(
     });
 
     if (hatchChoice === "tui") {
-      restoreTerminalState("pre-onboarding tui", { resumeStdinIfPaused: true });
+      restoreTerminalState("pre-setup tui", { resumeStdinIfPaused: true });
       await runTui({
         url: links.wsUrl,
         token: settings.authMode === "token" ? settings.gatewayToken : undefined,
         password: settings.authMode === "password" ? resolvedGatewayPassword : "",
-        // Safety: onboarding TUI should not auto-deliver to lastProvider/lastTo.
+        // Safety: setup TUI should not auto-deliver to lastProvider/lastTo.
         deliver: false,
         message: hasBootstrap ? "Wake up, my friend!" : undefined,
       });
@@ -441,7 +441,7 @@ export async function finalizeOnboardingWizard(
     "Security",
   );
 
-  await setupOnboardingShellCompletion({ flow, prompter });
+  await setupWizardShellCompletion({ flow, prompter });
 
   const shouldOpenControlUi =
     !opts.skipUi &&
diff --git a/src/wizard/onboarding.gateway-config.test.ts b/src/wizard/setup.gateway-config.test.ts
similarity index 95%
rename from src/wizard/onboarding.gateway-config.test.ts
rename to src/wizard/setup.gateway-config.test.ts
index 1345b8f4954..3df835e3283 100644
--- a/src/wizard/onboarding.gateway-config.test.ts
+++ b/src/wizard/setup.gateway-config.test.ts
@@ -22,9 +22,9 @@ vi.mock("../infra/tailscale.js", () => ({
   getTailnetHostname: mocks.getTailnetHostname,
 }));
 
-import { configureGatewayForOnboarding } from "./onboarding.gateway-config.js";
+import { configureGatewayForSetup } from "./setup.gateway-config.js";
 
-describe("configureGatewayForOnboarding", () => {
+describe("configureGatewayForSetup", () => {
   function createPrompter(params: { selectQueue: string[]; textQueue: Array<string | undefined> }) {
     const selectQueue = [...params.selectQueue];
     const textQueue = [...params.textQueue];
@@ -78,7 +78,7 @@ describe("configureGatewayForOnboarding", () => {
       textQueue: params?.textQueue ?? ["18789", undefined],
     });
     const runtime = createRuntime();
-    return configureGatewayForOnboarding({
+    return configureGatewayForSetup({
       flow: params?.flow ?? "advanced",
       baseConfig: {},
       nextConfig: params?.nextConfig ?? {},
@@ -153,7 +153,7 @@ describe("configureGatewayForOnboarding", () => {
       });
       const runtime = createRuntime();
 
-      const result = await configureGatewayForOnboarding({
+      const result = await configureGatewayForSetup({
         flow: "advanced",
         baseConfig: {},
         nextConfig: {},
@@ -189,7 +189,7 @@ describe("configureGatewayForOnboarding", () => {
       });
       const runtime = createRuntime();
 
-      const result = await configureGatewayForOnboarding({
+      const result = await configureGatewayForSetup({
         flow: "advanced",
         baseConfig: {},
         nextConfig: {},
@@ -231,7 +231,7 @@ describe("configureGatewayForOnboarding", () => {
       textQueue: [],
     });
 
-    const result = await configureGatewayForOnboarding({
+    const result = await configureGatewayForSetup({
       flow: "quickstart",
       baseConfig: {},
       nextConfig: {
diff --git a/src/wizard/onboarding.gateway-config.ts b/src/wizard/setup.gateway-config.ts
similarity index 96%
rename from src/wizard/onboarding.gateway-config.ts
rename to src/wizard/setup.gateway-config.ts
index c6d9111c3e4..74420c1dac2 100644
--- a/src/wizard/onboarding.gateway-config.ts
+++ b/src/wizard/setup.gateway-config.ts
@@ -1,5 +1,5 @@
 import {
-  promptSecretRefForOnboarding,
+  promptSecretRefForSetup,
   resolveSecretInputModeForEnvSelection,
 } from "../commands/auth-choice.apply-helpers.js";
 import {
@@ -25,13 +25,13 @@ import { DEFAULT_DANGEROUS_NODE_COMMANDS } from "../gateway/node-command-policy.
 import { findTailscaleBinary } from "../infra/tailscale.js";
 import type { RuntimeEnv } from "../runtime.js";
 import { validateIPv4AddressInput } from "../shared/net/ipv4.js";
-import { resolveOnboardingSecretInputString } from "./onboarding.secret-input.js";
+import type { WizardPrompter } from "./prompts.js";
+import { resolveSetupSecretInputString } from "./setup.secret-input.js";
 import type {
   GatewayWizardSettings,
   QuickstartGatewayDefaults,
   WizardFlow,
-} from "./onboarding.types.js";
-import type { WizardPrompter } from "./prompts.js";
+} from "./setup.types.js";
 
 type ConfigureGatewayOptions = {
   flow: WizardFlow;
@@ -49,7 +49,7 @@ type ConfigureGatewayResult = {
   settings: GatewayWizardSettings;
 };
 
-export async function configureGatewayForOnboarding(
+export async function configureGatewayForSetup(
   opts: ConfigureGatewayOptions,
 ): Promise<ConfigureGatewayResult> {
   const { flow, localPort, quickstartGateway, prompter } = opts;
@@ -183,14 +183,14 @@ export async function configureGatewayForOnboarding(
     if (tokenMode === "ref") {
       if (flow === "quickstart" && quickstartTokenRef) {
         gatewayTokenInput = quickstartTokenRef;
-        gatewayToken = await resolveOnboardingSecretInputString({
+        gatewayToken = await resolveSetupSecretInputString({
           config: nextConfig,
           value: quickstartTokenRef,
           path: "gateway.auth.token",
           env: process.env,
         });
       } else {
-        const resolved = await promptSecretRefForOnboarding({
+        const resolved = await promptSecretRefForSetup({
           provider: "gateway-auth-token",
           config: nextConfig,
           prompter,
@@ -236,7 +236,7 @@ export async function configureGatewayForOnboarding(
         },
       });
       if (selectedMode === "ref") {
-        const resolved = await promptSecretRefForOnboarding({
+        const resolved = await promptSecretRefForSetup({
           provider: "gateway-auth-password",
           config: nextConfig,
           prompter,
diff --git a/src/wizard/onboarding.secret-input.test.ts b/src/wizard/setup.secret-input.test.ts
similarity index 79%
rename from src/wizard/onboarding.secret-input.test.ts
rename to src/wizard/setup.secret-input.test.ts
index 4258d6df6cd..94abbfd55c8 100644
--- a/src/wizard/onboarding.secret-input.test.ts
+++ b/src/wizard/setup.secret-input.test.ts
@@ -1,6 +1,6 @@
 import { describe, expect, it } from "vitest";
 import type { OpenClawConfig } from "../config/config.js";
-import { resolveOnboardingSecretInputString } from "./onboarding.secret-input.js";
+import { resolveSetupSecretInputString } from "./setup.secret-input.js";
 
 function makeConfig(): OpenClawConfig {
   return {
@@ -12,9 +12,9 @@ function makeConfig(): OpenClawConfig {
   } as OpenClawConfig;
 }
 
-describe("resolveOnboardingSecretInputString", () => {
+describe("resolveSetupSecretInputString", () => {
   it("resolves env-template SecretInput strings", async () => {
-    const resolved = await resolveOnboardingSecretInputString({
+    const resolved = await resolveSetupSecretInputString({
       config: makeConfig(),
       value: "${OPENCLAW_GATEWAY_PASSWORD}",
       path: "gateway.auth.password",
@@ -27,7 +27,7 @@ describe("resolveOnboardingSecretInputString", () => {
   });
 
   it("returns plaintext strings when value is not a SecretRef", async () => {
-    const resolved = await resolveOnboardingSecretInputString({
+    const resolved = await resolveSetupSecretInputString({
       config: makeConfig(),
       value: "plain-text",
       path: "gateway.auth.password",
@@ -38,7 +38,7 @@ describe("resolveOnboardingSecretInputString", () => {
 
   it("throws with path context when env-template SecretRef cannot resolve", async () => {
     await expect(
-      resolveOnboardingSecretInputString({
+      resolveSetupSecretInputString({
         config: makeConfig(),
         value: "${OPENCLAW_GATEWAY_PASSWORD}",
         path: "gateway.auth.password",
diff --git a/src/wizard/onboarding.secret-input.ts b/src/wizard/setup.secret-input.ts
similarity index 94%
rename from src/wizard/onboarding.secret-input.ts
rename to src/wizard/setup.secret-input.ts
index cbb071690fa..1ccfdde1644 100644
--- a/src/wizard/onboarding.secret-input.ts
+++ b/src/wizard/setup.secret-input.ts
@@ -11,7 +11,7 @@ function formatSecretResolutionError(error: unknown): string {
   return String(error);
 }
 
-export async function resolveOnboardingSecretInputString(params: {
+export async function resolveSetupSecretInputString(params: {
   config: OpenClawConfig;
   value: unknown;
   path: string;
diff --git a/src/wizard/onboarding.test.ts b/src/wizard/setup.test.ts
similarity index 93%
rename from src/wizard/onboarding.test.ts
rename to src/wizard/setup.test.ts
index 14c3183c323..0f280244231 100644
--- a/src/wizard/onboarding.test.ts
+++ b/src/wizard/setup.test.ts
@@ -5,8 +5,8 @@ import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
 import { createWizardPrompter as buildWizardPrompter } from "../../test/helpers/wizard-prompter.js";
 import { DEFAULT_BOOTSTRAP_FILENAME } from "../agents/workspace.js";
 import type { RuntimeEnv } from "../runtime.js";
-import { runOnboardingWizard } from "./onboarding.js";
 import type { WizardPrompter, WizardSelectParams } from "./prompts.js";
+import { runSetupWizard } from "./setup.js";
 
 const ensureAuthProfileStore = vi.hoisted(() => vi.fn(() => ({ profiles: {} })));
 const promptAuthChoiceGrouped = vi.hoisted(() => vi.fn(async () => "skip"));
@@ -16,7 +16,7 @@ const warnIfModelConfigLooksOff = vi.hoisted(() => vi.fn(async () => {}));
 const applyPrimaryModel = vi.hoisted(() => vi.fn((cfg) => cfg));
 const promptDefaultModel = vi.hoisted(() => vi.fn(async () => ({ config: null, model: null })));
 const promptCustomApiConfig = vi.hoisted(() => vi.fn(async (args) => ({ config: args.config })));
-const configureGatewayForOnboarding = vi.hoisted(() =>
+const configureGatewayForSetup = vi.hoisted(() =>
   vi.fn(async (args) => ({
     nextConfig: args.nextConfig,
     settings: {
@@ -29,7 +29,7 @@ const configureGatewayForOnboarding = vi.hoisted(() =>
     },
   })),
 );
-const finalizeOnboardingWizard = vi.hoisted(() =>
+const finalizeSetupWizard = vi.hoisted(() =>
   vi.fn(async (options) => {
     if (!options.nextConfig?.tools?.web?.search?.provider) {
       await options.prompter.note("Web search was skipped.", "Web search");
@@ -86,7 +86,7 @@ const ensureSystemdUserLingerInteractive = vi.hoisted(() => vi.fn(async () => {}
 const isSystemdUserServiceAvailable = vi.hoisted(() => vi.fn(async () => true));
 const ensureControlUiAssetsBuilt = vi.hoisted(() => vi.fn(async () => ({ ok: true })));
 const runTui = vi.hoisted(() => vi.fn(async (_options: unknown) => {}));
-const setupOnboardingShellCompletion = vi.hoisted(() => vi.fn(async () => {}));
+const setupWizardShellCompletion = vi.hoisted(() => vi.fn(async () => {}));
 const probeGatewayReachable = vi.hoisted(() => vi.fn(async () => ({ ok: true })));
 
 vi.mock("../commands/onboard-channels.js", () => ({
@@ -184,16 +184,16 @@ vi.mock("../tui/tui.js", () => ({
   runTui,
 }));
 
-vi.mock("./onboarding.gateway-config.js", () => ({
-  configureGatewayForOnboarding,
+vi.mock("./setup.gateway-config.js", () => ({
+  configureGatewayForSetup,
 }));
 
-vi.mock("./onboarding.finalize.js", () => ({
-  finalizeOnboardingWizard,
+vi.mock("./setup.finalize.js", () => ({
+  finalizeSetupWizard,
 }));
 
-vi.mock("./onboarding.completion.js", () => ({
-  setupOnboardingShellCompletion,
+vi.mock("./setup.completion.js", () => ({
+  setupWizardShellCompletion,
 }));
 
 function createRuntime(opts?: { throwsOnExit?: boolean }): RuntimeEnv {
@@ -214,7 +214,7 @@ function createRuntime(opts?: { throwsOnExit?: boolean }): RuntimeEnv {
   };
 }
 
-describe("runOnboardingWizard", () => {
+describe("runSetupWizard", () => {
   let suiteRoot = "";
   let suiteCase = 0;
 
@@ -255,7 +255,7 @@ describe("runOnboardingWizard", () => {
     const runtime = createRuntime({ throwsOnExit: true });
 
     await expect(
-      runOnboardingWizard(
+      runSetupWizard(
         {
           acceptRisk: true,
           flow: "quickstart",
@@ -284,7 +284,7 @@ describe("runOnboardingWizard", () => {
     const prompter = buildWizardPrompter({ select, multiselect });
     const runtime = createRuntime({ throwsOnExit: true });
 
-    await runOnboardingWizard(
+    await runSetupWizard(
       {
         acceptRisk: true,
         flow: "quickstart",
@@ -328,7 +328,7 @@ describe("runOnboardingWizard", () => {
     const prompter = buildWizardPrompter({ select });
     const runtime = createRuntime({ throwsOnExit: true });
 
-    await runOnboardingWizard(
+    await runSetupWizard(
       {
         acceptRisk: true,
         flow: "quickstart",
@@ -361,7 +361,7 @@ describe("runOnboardingWizard", () => {
     await runTuiHatchTest({ writeBootstrapFile: false, expectedMessage: undefined });
   });
 
-  it("shows the web search hint at the end of onboarding", async () => {
+  it("shows the web search hint at the end of setup", async () => {
     const prevBraveKey = process.env.BRAVE_API_KEY;
     delete process.env.BRAVE_API_KEY;
 
@@ -370,7 +370,7 @@ describe("runOnboardingWizard", () => {
       const prompter = buildWizardPrompter({ note });
       const runtime = createRuntime();
 
-      await runOnboardingWizard(
+      await runSetupWizard(
         {
           acceptRisk: true,
           flow: "quickstart",
@@ -398,7 +398,7 @@ describe("runOnboardingWizard", () => {
     }
   });
 
-  it("resolves gateway.auth.password SecretRef for local onboarding probe", async () => {
+  it("resolves gateway.auth.password SecretRef for local setup probe", async () => {
     const previous = process.env.OPENCLAW_GATEWAY_PASSWORD;
     process.env.OPENCLAW_GATEWAY_PASSWORD = "gateway-ref-password"; // pragma: allowlist secret
     probeGatewayReachable.mockClear();
@@ -435,7 +435,7 @@ describe("runOnboardingWizard", () => {
     const runtime = createRuntime();
 
     try {
-      await runOnboardingWizard(
+      await runSetupWizard(
         {
           acceptRisk: true,
           flow: "quickstart",
@@ -468,11 +468,11 @@ describe("runOnboardingWizard", () => {
   });
 
   it("passes secretInputMode through to local gateway config step", async () => {
-    configureGatewayForOnboarding.mockClear();
+    configureGatewayForSetup.mockClear();
     const prompter = buildWizardPrompter({});
     const runtime = createRuntime();
 
-    await runOnboardingWizard(
+    await runSetupWizard(
       {
         acceptRisk: true,
         flow: "quickstart",
@@ -490,7 +490,7 @@ describe("runOnboardingWizard", () => {
       prompter,
     );
 
-    expect(configureGatewayForOnboarding).toHaveBeenCalledWith(
+    expect(configureGatewayForSetup).toHaveBeenCalledWith(
       expect.objectContaining({
         secretInputMode: "ref", // pragma: allowlist secret
       }),
diff --git a/src/wizard/onboarding.ts b/src/wizard/setup.ts
similarity index 93%
rename from src/wizard/onboarding.ts
rename to src/wizard/setup.ts
index d2c35a022da..6ffa4d9a2d4 100644
--- a/src/wizard/onboarding.ts
+++ b/src/wizard/setup.ts
@@ -16,9 +16,9 @@ import { normalizeSecretInputString } from "../config/types.secrets.js";
 import type { RuntimeEnv } from "../runtime.js";
 import { defaultRuntime } from "../runtime.js";
 import { resolveUserPath } from "../utils.js";
-import { resolveOnboardingSecretInputString } from "./onboarding.secret-input.js";
-import type { QuickstartGatewayDefaults, WizardFlow } from "./onboarding.types.js";
 import { WizardCancelledError, type WizardPrompter } from "./prompts.js";
+import { resolveSetupSecretInputString } from "./setup.secret-input.js";
+import type { QuickstartGatewayDefaults, WizardFlow } from "./setup.types.js";
 
 async function requireRiskAcknowledgement(params: {
   opts: OnboardOptions;
@@ -70,14 +70,14 @@ async function requireRiskAcknowledgement(params: {
   }
 }
 
-export async function runOnboardingWizard(
+export async function runSetupWizard(
   opts: OnboardOptions,
   runtime: RuntimeEnv = defaultRuntime,
   prompter: WizardPrompter,
 ) {
   const onboardHelpers = await import("../commands/onboard-helpers.js");
   onboardHelpers.printWizardHeader(runtime);
-  await prompter.intro("OpenClaw onboarding");
+  await prompter.intro("OpenClaw setup");
   await requireRiskAcknowledgement({ opts, prompter });
 
   const snapshot = await readConfigFileSnapshot();
@@ -96,7 +96,7 @@ export async function runOnboardingWizard(
       );
     }
     await prompter.outro(
-      `Config invalid. Run \`${formatCliCommand("openclaw doctor")}\` to repair it, then re-run onboarding.`,
+      `Config invalid. Run \`${formatCliCommand("openclaw doctor")}\` to repair it, then re-run setup.`,
     );
     runtime.exit(1);
     return;
@@ -122,7 +122,7 @@ export async function runOnboardingWizard(
   let flow: WizardFlow =
     explicitFlow ??
     (await prompter.select({
-      message: "Onboarding mode",
+      message: "Setup mode",
       options: [
         { value: "quickstart", label: "QuickStart", hint: quickstartHint },
         { value: "advanced", label: "Manual", hint: manualHint },
@@ -283,7 +283,7 @@ export async function runOnboardingWizard(
   const localUrl = `ws://127.0.0.1:${localPort}`;
   let localGatewayToken = process.env.OPENCLAW_GATEWAY_TOKEN ?? process.env.CLAWDBOT_GATEWAY_TOKEN;
   try {
-    const resolvedGatewayToken = await resolveOnboardingSecretInputString({
+    const resolvedGatewayToken = await resolveSetupSecretInputString({
       config: baseConfig,
       value: baseConfig.gateway?.auth?.token,
       path: "gateway.auth.token",
@@ -295,7 +295,7 @@ export async function runOnboardingWizard(
   } catch (error) {
     await prompter.note(
       [
-        "Could not resolve gateway.auth.token SecretRef for onboarding probe.",
+        "Could not resolve gateway.auth.token SecretRef for setup probe.",
         error instanceof Error ? error.message : String(error),
       ].join("\n"),
       "Gateway auth",
@@ -304,7 +304,7 @@ export async function runOnboardingWizard(
   let localGatewayPassword =
     process.env.OPENCLAW_GATEWAY_PASSWORD ?? process.env.CLAWDBOT_GATEWAY_PASSWORD;
   try {
-    const resolvedGatewayPassword = await resolveOnboardingSecretInputString({
+    const resolvedGatewayPassword = await resolveSetupSecretInputString({
       config: baseConfig,
       value: baseConfig.gateway?.auth?.password,
       path: "gateway.auth.password",
@@ -316,7 +316,7 @@ export async function runOnboardingWizard(
   } catch (error) {
     await prompter.note(
       [
-        "Could not resolve gateway.auth.password SecretRef for onboarding probe.",
+        "Could not resolve gateway.auth.password SecretRef for setup probe.",
         error instanceof Error ? error.message : String(error),
       ].join("\n"),
       "Gateway auth",
@@ -331,7 +331,7 @@ export async function runOnboardingWizard(
   const remoteUrl = baseConfig.gateway?.remote?.url?.trim() ?? "";
   let remoteGatewayToken = normalizeSecretInputString(baseConfig.gateway?.remote?.token);
   try {
-    const resolvedRemoteGatewayToken = await resolveOnboardingSecretInputString({
+    const resolvedRemoteGatewayToken = await resolveSetupSecretInputString({
       config: baseConfig,
       value: baseConfig.gateway?.remote?.token,
       path: "gateway.remote.token",
@@ -343,7 +343,7 @@ export async function runOnboardingWizard(
   } catch (error) {
     await prompter.note(
       [
-        "Could not resolve gateway.remote.token SecretRef for onboarding probe.",
+        "Could not resolve gateway.remote.token SecretRef for setup probe.",
         error instanceof Error ? error.message : String(error),
       ].join("\n"),
       "Gateway auth",
@@ -406,8 +406,8 @@ export async function runOnboardingWizard(
 
   const workspaceDir = resolveUserPath(workspaceInput.trim() || onboardHelpers.DEFAULT_WORKSPACE);
 
-  const { applyOnboardingLocalWorkspaceConfig } = await import("../commands/onboard-config.js");
-  let nextConfig: OpenClawConfig = applyOnboardingLocalWorkspaceConfig(baseConfig, workspaceDir);
+  const { applyLocalSetupWorkspaceConfig } = await import("../commands/onboard-config.js");
+  let nextConfig: OpenClawConfig = applyLocalSetupWorkspaceConfig(baseConfig, workspaceDir);
 
   const { ensureAuthProfileStore } = await import("../agents/auth-profiles.runtime.js");
   const { promptAuthChoiceGrouped } = await import("../commands/auth-choice-prompt.js");
@@ -482,8 +482,8 @@ export async function runOnboardingWizard(
 
   await warnIfModelConfigLooksOff(nextConfig, prompter);
 
-  const { configureGatewayForOnboarding } = await import("./onboarding.gateway-config.js");
-  const gateway = await configureGatewayForOnboarding({
+  const { configureGatewayForSetup } = await import("./setup.gateway-config.js");
+  const gateway = await configureGatewayForSetup({
     flow,
     baseConfig,
     nextConfig,
@@ -548,8 +548,8 @@ export async function runOnboardingWizard(
   nextConfig = onboardHelpers.applyWizardMetadata(nextConfig, { command: "onboard", mode });
   await writeConfigFile(nextConfig);
 
-  const { finalizeOnboardingWizard } = await import("./onboarding.finalize.js");
-  const { launchedTui } = await finalizeOnboardingWizard({
+  const { finalizeSetupWizard } = await import("./setup.finalize.js");
+  const { launchedTui } = await finalizeSetupWizard({
     flow,
     opts,
     baseConfig,
diff --git a/src/wizard/onboarding.types.ts b/src/wizard/setup.types.ts
similarity index 100%
rename from src/wizard/onboarding.types.ts
rename to src/wizard/setup.types.ts
diff --git a/test/channel-outbounds.ts b/test/channel-outbounds.ts
new file mode 100644
index 00000000000..a6da5a1c333
--- /dev/null
+++ b/test/channel-outbounds.ts
@@ -0,0 +1,6 @@
+export { discordOutbound } from "../extensions/discord/src/outbound-adapter.js";
+export { imessageOutbound } from "../extensions/imessage/src/outbound-adapter.js";
+export { signalOutbound } from "../extensions/signal/src/outbound-adapter.js";
+export { slackOutbound } from "../extensions/slack/src/outbound-adapter.js";
+export { telegramOutbound } from "../extensions/telegram/src/outbound-adapter.js";
+export { whatsappOutbound } from "../extensions/whatsapp/src/outbound-adapter.js";
diff --git a/test/helpers/inbound-contract.ts b/test/helpers/inbound-contract.ts
deleted file mode 100644
index 4ac4c2cc516..00000000000
--- a/test/helpers/inbound-contract.ts
+++ /dev/null
@@ -1,19 +0,0 @@
-import { expect } from "vitest";
-import type { MsgContext } from "../../src/auto-reply/templating.js";
-import { normalizeChatType } from "../../src/channels/chat-type.js";
-import { resolveConversationLabel } from "../../src/channels/conversation-label.js";
-import { validateSenderIdentity } from "../../src/channels/sender-identity.js";
-
-export function expectInboundContextContract(ctx: MsgContext) {
-  expect(validateSenderIdentity(ctx)).toEqual([]);
-
-  expect(ctx.Body).toBeTypeOf("string");
-  expect(ctx.BodyForAgent).toBeTypeOf("string");
-  expect(ctx.BodyForCommands).toBeTypeOf("string");
-
-  const chatType = normalizeChatType(ctx.ChatType);
-  if (chatType && chatType !== "direct") {
-    const label = ctx.ConversationLabel?.trim() || resolveConversationLabel(ctx);
-    expect(label).toBeTruthy();
-  }
-}
diff --git a/test/openshell-sandbox.e2e.test.ts b/test/openshell-sandbox.e2e.test.ts
new file mode 100644
index 00000000000..21824db38ee
--- /dev/null
+++ b/test/openshell-sandbox.e2e.test.ts
@@ -0,0 +1,585 @@
+import { spawn } from "node:child_process";
+import fs from "node:fs/promises";
+import net from "node:net";
+import os from "node:os";
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+import { createOpenShellSandboxBackendFactory } from "../extensions/openshell/src/backend.js";
+import { resolveOpenShellPluginConfig } from "../extensions/openshell/src/config.js";
+import { createSandboxTestContext } from "../src/agents/sandbox/test-fixtures.js";
+
+const OPENCLAW_OPENSHELL_E2E = process.env.OPENCLAW_E2E_OPENSHELL === "1";
+const OPENCLAW_OPENSHELL_E2E_TIMEOUT_MS = 12 * 60_000;
+const OPENCLAW_OPENSHELL_COMMAND =
+  process.env.OPENCLAW_E2E_OPENSHELL_COMMAND?.trim() || "openshell";
+
+const CUSTOM_IMAGE_DOCKERFILE = `FROM python:3.13-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \\
+    coreutils \\
+    curl \\
+    findutils \\
+    iproute2 \\
+  && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd -g 1000 sandbox && \\
+    useradd -m -u 1000 -g sandbox sandbox
+
+RUN echo "openclaw-openshell-e2e" > /opt/openshell-e2e-marker.txt
+
+WORKDIR /sandbox
+CMD ["sleep", "infinity"]
+`;
+
+type ExecResult = {
+  code: number;
+  stdout: string;
+  stderr: string;
+};
+
+type HostPolicyServer = {
+  port: number;
+  close(): Promise<void>;
+};
+
+async function runCommand(params: {
+  command: string;
+  args: string[];
+  cwd?: string;
+  env?: NodeJS.ProcessEnv;
+  stdin?: string | Buffer;
+  allowFailure?: boolean;
+  timeoutMs?: number;
+}): Promise<ExecResult> {
+  return await new Promise((resolve, reject) => {
+    const child = spawn(params.command, params.args, {
+      cwd: params.cwd,
+      env: params.env,
+      stdio: ["pipe", "pipe", "pipe"],
+    });
+    const stdoutChunks: Buffer[] = [];
+    const stderrChunks: Buffer[] = [];
+    let timedOut = false;
+    const timeout =
+      params.timeoutMs && params.timeoutMs > 0
+        ? setTimeout(() => {
+            timedOut = true;
+            child.kill("SIGKILL");
+          }, params.timeoutMs)
+        : null;
+
+    child.stdout.on("data", (chunk) => stdoutChunks.push(Buffer.from(chunk)));
+    child.stderr.on("data", (chunk) => stderrChunks.push(Buffer.from(chunk)));
+    child.on("error", reject);
+    child.on("close", (code) => {
+      if (timeout) {
+        clearTimeout(timeout);
+      }
+      const stdout = Buffer.concat(stdoutChunks).toString("utf8");
+      const stderr = Buffer.concat(stderrChunks).toString("utf8");
+      if (timedOut) {
+        reject(new Error(`command timed out: ${params.command} ${params.args.join(" ")}`));
+        return;
+      }
+      const exitCode = code ?? 0;
+      if (exitCode !== 0 && !params.allowFailure) {
+        reject(
+          new Error(
+            [
+              `command failed: ${params.command} ${params.args.join(" ")}`,
+              `exit: ${exitCode}`,
+              stdout.trim() ? `stdout:\n${stdout}` : "",
+              stderr.trim() ? `stderr:\n${stderr}` : "",
+            ]
+              .filter(Boolean)
+              .join("\n"),
+          ),
+        );
+        return;
+      }
+      resolve({ code: exitCode, stdout, stderr });
+    });
+
+    child.stdin.end(params.stdin);
+  });
+}
+
+async function commandAvailable(command: string): Promise<boolean> {
+  try {
+    const result = await runCommand({
+      command,
+      args: ["--help"],
+      allowFailure: true,
+      timeoutMs: 20_000,
+    });
+    return result.code === 0 || result.stdout.length > 0 || result.stderr.length > 0;
+  } catch {
+    return false;
+  }
+}
+
+async function dockerReady(): Promise<boolean> {
+  try {
+    const result = await runCommand({
+      command: "docker",
+      args: ["version"],
+      allowFailure: true,
+      timeoutMs: 20_000,
+    });
+    return result.code === 0;
+  } catch {
+    return false;
+  }
+}
+
+async function allocatePort(): Promise<number> {
+  return await new Promise((resolve, reject) => {
+    const server = net.createServer();
+    server.on("error", reject);
+    server.listen(0, "127.0.0.1", () => {
+      const address = server.address();
+      if (!address || typeof address === "string") {
+        server.close(() => reject(new Error("failed to allocate local port")));
+        return;
+      }
+      const { port } = address;
+      server.close((error) => {
+        if (error) {
+          reject(error);
+          return;
+        }
+        resolve(port);
+      });
+    });
+  });
+}
+
+function openshellEnv(rootDir: string): NodeJS.ProcessEnv {
+  const homeDir = path.join(rootDir, "home");
+  const xdgDir = path.join(rootDir, "xdg");
+  const cacheDir = path.join(rootDir, "xdg-cache");
+  return {
+    ...process.env,
+    HOME: homeDir,
+    XDG_CONFIG_HOME: xdgDir,
+    XDG_CACHE_HOME: cacheDir,
+  };
+}
+
+function trimTrailingNewline(value: string): string {
+  return value.replace(/\r?\n$/, "");
+}
+
+async function startHostPolicyServer(): Promise<HostPolicyServer> {
+  const port = await allocatePort();
+  const responseBody = JSON.stringify({ ok: true, message: "hello-from-host" });
+  const serverScript = `from http.server import BaseHTTPRequestHandler, HTTPServer
+import os
+
+BODY = os.environ["RESPONSE_BODY"].encode()
+
+class Handler(BaseHTTPRequestHandler):
+    def do_GET(self):
+        self.send_response(200)
+        self.send_header("Content-Type", "application/json")
+        self.send_header("Content-Length", str(len(BODY)))
+        self.end_headers()
+        self.wfile.write(BODY)
+
+    def do_POST(self):
+        length = int(self.headers.get("Content-Length", "0"))
+        if length:
+            self.rfile.read(length)
+        self.send_response(200)
+        self.send_header("Content-Type", "application/json")
+        self.send_header("Content-Length", str(len(BODY)))
+        self.end_headers()
+        self.wfile.write(BODY)
+
+    def log_message(self, _format, *_args):
+        pass
+
+HTTPServer(("0.0.0.0", 8000), Handler).serve_forever()
+`;
+  const startResult = await runCommand({
+    command: "docker",
+    args: [
+      "run",
+      "--detach",
+      "--rm",
+      "-e",
+      `RESPONSE_BODY=${responseBody}`,
+      "-p",
+      `${port}:8000`,
+      "python:3.13-alpine",
+      "python3",
+      "-c",
+      serverScript,
+    ],
+    timeoutMs: 60_000,
+  });
+  const containerId = trimTrailingNewline(startResult.stdout.trim());
+  if (!containerId) {
+    throw new Error("failed to start docker-backed host policy server");
+  }
+
+  const startedAt = Date.now();
+  while (Date.now() - startedAt < 30_000) {
+    const readyResult = await runCommand({
+      command: "docker",
+      args: [
+        "exec",
+        containerId,
+        "python3",
+        "-c",
+        "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000', timeout=1).read()",
+      ],
+      allowFailure: true,
+      timeoutMs: 15_000,
+    });
+    if (readyResult.code === 0) {
+      return {
+        port,
+        async close() {
+          await runCommand({
+            command: "docker",
+            args: ["rm", "-f", containerId],
+            allowFailure: true,
+            timeoutMs: 30_000,
+          });
+        },
+      };
+    }
+    await new Promise((resolve) => setTimeout(resolve, 500));
+  }
+
+  await runCommand({
+    command: "docker",
+    args: ["rm", "-f", containerId],
+    allowFailure: true,
+    timeoutMs: 30_000,
+  });
+  throw new Error("docker-backed host policy server did not become ready");
+}
+
+function buildOpenShellPolicyYaml(params: { port: number; binaryPath: string }): string {
+  const networkPolicies = `  host_echo:
+    name: host-echo
+    endpoints:
+      - host: host.openshell.internal
+        port: ${params.port}
+        allowed_ips:
+          - "0.0.0.0/0"
+    binaries:
+      - path: ${params.binaryPath}`;
+  return `version: 1
+
+filesystem_policy:
+  include_workdir: true
+  read_only: [/usr, /lib, /proc, /dev/urandom, /app, /etc, /var/log]
+  read_write: [/sandbox, /tmp, /dev/null]
+
+landlock:
+  compatibility: best_effort
+
+process:
+  run_as_user: sandbox
+  run_as_group: sandbox
+
+network_policies:
+${networkPolicies}
+`;
+}
+
+async function runBackendExec(params: {
+  backend: Awaited<ReturnType<ReturnType<typeof createOpenShellSandboxBackendFactory>>>;
+  command: string;
+  allowFailure?: boolean;
+  timeoutMs?: number;
+}): Promise<ExecResult> {
+  const execSpec = await params.backend.buildExecSpec({
+    command: params.command,
+    env: {},
+    usePty: false,
+  });
+  let result: ExecResult | null = null;
+  try {
+    result = await runCommand({
+      command: execSpec.argv[0] ?? "ssh",
+      args: execSpec.argv.slice(1),
+      env: execSpec.env,
+      allowFailure: params.allowFailure,
+      timeoutMs: params.timeoutMs,
+    });
+    return result;
+  } finally {
+    await params.backend.finalizeExec?.({
+      status: result?.code === 0 ? "completed" : "failed",
+      exitCode: result?.code ?? 1,
+      timedOut: false,
+      token: execSpec.finalizeToken,
+    });
+  }
+}
+
+describe("openshell sandbox backend e2e", () => {
+  it.runIf(process.platform !== "win32" && OPENCLAW_OPENSHELL_E2E)(
+    "creates a remote-canonical sandbox through OpenShell and executes over SSH",
+    { timeout: OPENCLAW_OPENSHELL_E2E_TIMEOUT_MS },
+    async () => {
+      if (!(await dockerReady())) {
+        return;
+      }
+      if (!(await commandAvailable(OPENCLAW_OPENSHELL_COMMAND))) {
+        return;
+      }
+
+      const rootDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-openshell-e2e-"));
+      const env = openshellEnv(rootDir);
+      const previousHome = process.env.HOME;
+      const previousXdgConfigHome = process.env.XDG_CONFIG_HOME;
+      const previousXdgCacheHome = process.env.XDG_CACHE_HOME;
+      const workspaceDir = path.join(rootDir, "workspace");
+      const dockerfileDir = path.join(rootDir, "custom-image");
+      const dockerfilePath = path.join(dockerfileDir, "Dockerfile");
+      const denyPolicyPath = path.join(rootDir, "deny-policy.yaml");
+      const allowPolicyPath = path.join(rootDir, "allow-policy.yaml");
+      const scopeSuffix = `${process.pid}-${Date.now()}`;
+      const gatewayName = `openclaw-e2e-${scopeSuffix}`;
+      const scopeKey = `session:openshell-e2e-deny:${scopeSuffix}`;
+      const allowSandboxName = `openclaw-policy-allow-${scopeSuffix}`;
+      const gatewayPort = await allocatePort();
+      let hostPolicyServer: HostPolicyServer | null = null;
+      const sandboxCfg = {
+        mode: "all" as const,
+        backend: "openshell" as const,
+        scope: "session" as const,
+        workspaceAccess: "rw" as const,
+        workspaceRoot: path.join(rootDir, "sandboxes"),
+        docker: {
+          image: "openclaw-sandbox:bookworm-slim",
+          containerPrefix: "openclaw-sbx-",
+          workdir: "/workspace",
+          readOnlyRoot: true,
+          tmpfs: ["/tmp"],
+          network: "none",
+          capDrop: ["ALL"],
+          env: {},
+        },
+        ssh: {
+          command: "ssh",
+          workspaceRoot: "/tmp/openclaw-sandboxes",
+          strictHostKeyChecking: true,
+          updateHostKeys: true,
+        },
+        browser: {
+          enabled: false,
+          image: "openclaw-browser",
+          containerPrefix: "openclaw-browser-",
+          network: "bridge",
+          cdpPort: 9222,
+          vncPort: 5900,
+          noVncPort: 6080,
+          headless: true,
+          enableNoVnc: false,
+          allowHostControl: false,
+          autoStart: false,
+          autoStartTimeoutMs: 1000,
+        },
+        tools: { allow: [], deny: [] },
+        prune: { idleHours: 24, maxAgeDays: 7 },
+      };
+
+      const pluginConfig = resolveOpenShellPluginConfig({
+        command: OPENCLAW_OPENSHELL_COMMAND,
+        gateway: gatewayName,
+        from: dockerfilePath,
+        mode: "remote",
+        autoProviders: false,
+        policy: denyPolicyPath,
+      });
+      const backendFactory = createOpenShellSandboxBackendFactory({ pluginConfig });
+      const backend = await backendFactory({
+        sessionKey: scopeKey,
+        scopeKey,
+        workspaceDir,
+        agentWorkspaceDir: workspaceDir,
+        cfg: sandboxCfg,
+      });
+
+      try {
+        process.env.HOME = env.HOME;
+        process.env.XDG_CONFIG_HOME = env.XDG_CONFIG_HOME;
+        process.env.XDG_CACHE_HOME = env.XDG_CACHE_HOME;
+        hostPolicyServer = await startHostPolicyServer();
+        if (!hostPolicyServer) {
+          throw new Error("failed to start host policy server");
+        }
+        await fs.mkdir(workspaceDir, { recursive: true });
+        await fs.mkdir(dockerfileDir, { recursive: true });
+        await fs.writeFile(path.join(workspaceDir, "seed.txt"), "seed-from-local\n", "utf8");
+        await fs.writeFile(dockerfilePath, CUSTOM_IMAGE_DOCKERFILE, "utf8");
+        await fs.writeFile(
+          denyPolicyPath,
+          buildOpenShellPolicyYaml({
+            port: hostPolicyServer.port,
+            binaryPath: "/usr/bin/false",
+          }),
+          "utf8",
+        );
+        await fs.writeFile(
+          allowPolicyPath,
+          buildOpenShellPolicyYaml({
+            port: hostPolicyServer.port,
+            binaryPath: "/**",
+          }),
+          "utf8",
+        );
+
+        await runCommand({
+          command: OPENCLAW_OPENSHELL_COMMAND,
+          args: [
+            "gateway",
+            "start",
+            "--name",
+            gatewayName,
+            "--port",
+            String(gatewayPort),
+            "--recreate",
+          ],
+          env,
+          timeoutMs: 8 * 60_000,
+        });
+
+        const execResult = await runBackendExec({
+          backend,
+          command: "pwd && cat /opt/openshell-e2e-marker.txt && cat seed.txt",
+          timeoutMs: 2 * 60_000,
+        });
+
+        expect(execResult.code).toBe(0);
+        const stdout = execResult.stdout.trim();
+        expect(stdout).toContain("/sandbox");
+        expect(stdout).toContain("openclaw-openshell-e2e");
+        expect(stdout).toContain("seed-from-local");
+
+        const curlPathResult = await runBackendExec({
+          backend,
+          command: "command -v curl",
+          timeoutMs: 60_000,
+        });
+        expect(trimTrailingNewline(curlPathResult.stdout.trim())).toMatch(/^\/.+\/curl$/);
+
+        const sandbox = createSandboxTestContext({
+          overrides: {
+            backendId: "openshell",
+            workspaceDir,
+            agentWorkspaceDir: workspaceDir,
+            runtimeId: backend.runtimeId,
+            runtimeLabel: backend.runtimeLabel,
+            containerName: backend.runtimeId,
+            containerWorkdir: backend.workdir,
+            backend,
+          },
+        });
+        const bridge = backend.createFsBridge?.({ sandbox });
+        if (!bridge) {
+          throw new Error("openshell backend did not create a filesystem bridge");
+        }
+
+        await bridge.writeFile({ filePath: "nested/remote-only.txt", data: "hello-remote\n" });
+        await expect(
+          fs.readFile(path.join(workspaceDir, "nested", "remote-only.txt"), "utf8"),
+        ).rejects.toThrow();
+        await expect(bridge.readFile({ filePath: "nested/remote-only.txt" })).resolves.toEqual(
+          Buffer.from("hello-remote\n"),
+        );
+
+        const verifyResult = await runCommand({
+          command: OPENCLAW_OPENSHELL_COMMAND,
+          args: ["sandbox", "ssh-config", backend.runtimeId],
+          env,
+          timeoutMs: 60_000,
+        });
+        expect(verifyResult.code).toBe(0);
+        expect(trimTrailingNewline(verifyResult.stdout)).toContain("Host ");
+
+        const blockedGetResult = await runBackendExec({
+          backend,
+          command: `curl --fail --silent --show-error --max-time 15 "http://host.openshell.internal:${hostPolicyServer.port}/policy-test"`,
+          allowFailure: true,
+          timeoutMs: 60_000,
+        });
+        expect(blockedGetResult.code).not.toBe(0);
+        expect(`${blockedGetResult.stdout}\n${blockedGetResult.stderr}`).toMatch(/403|deny/i);
+
+        const allowedGetResult = await runCommand({
+          command: OPENCLAW_OPENSHELL_COMMAND,
+          args: [
+            "sandbox",
+            "create",
+            "--name",
+            allowSandboxName,
+            "--from",
+            dockerfilePath,
+            "--policy",
+            allowPolicyPath,
+            "--no-auto-providers",
+            "--no-keep",
+            "--",
+            "curl",
+            "--fail",
+            "--silent",
+            "--show-error",
+            "--max-time",
+            "15",
+            `http://host.openshell.internal:${hostPolicyServer.port}/policy-test`,
+          ],
+          env,
+          timeoutMs: 60_000,
+        });
+        expect(allowedGetResult.code).toBe(0);
+        expect(allowedGetResult.stdout).toContain('"message":"hello-from-host"');
+      } finally {
+        await runCommand({
+          command: OPENCLAW_OPENSHELL_COMMAND,
+          args: ["sandbox", "delete", backend.runtimeId],
+          env,
+          allowFailure: true,
+          timeoutMs: 2 * 60_000,
+        });
+        await runCommand({
+          command: OPENCLAW_OPENSHELL_COMMAND,
+          args: ["sandbox", "delete", allowSandboxName],
+          env,
+          allowFailure: true,
+          timeoutMs: 2 * 60_000,
+        });
+        await runCommand({
+          command: OPENCLAW_OPENSHELL_COMMAND,
+          args: ["gateway", "destroy", "--name", gatewayName],
+          env,
+          allowFailure: true,
+          timeoutMs: 3 * 60_000,
+        });
+        await hostPolicyServer?.close().catch(() => {});
+        await fs.rm(rootDir, { recursive: true, force: true });
+        if (previousHome === undefined) {
+          delete process.env.HOME;
+        } else {
+          process.env.HOME = previousHome;
+        }
+        if (previousXdgConfigHome === undefined) {
+          delete process.env.XDG_CONFIG_HOME;
+        } else {
+          process.env.XDG_CONFIG_HOME = previousXdgConfigHome;
+        }
+        if (previousXdgCacheHome === undefined) {
+          delete process.env.XDG_CACHE_HOME;
+        } else {
+          process.env.XDG_CACHE_HOME = previousXdgCacheHome;
+        }
+      }
+    },
+  );
+});
diff --git a/test/scripts/test-extension.test.ts b/test/scripts/test-extension.test.ts
new file mode 100644
index 00000000000..63561cb5151
--- /dev/null
+++ b/test/scripts/test-extension.test.ts
@@ -0,0 +1,64 @@
+import { execFileSync } from "node:child_process";
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+import {
+  detectChangedExtensionIds,
+  resolveExtensionTestPlan,
+} from "../../scripts/test-extension.mjs";
+
+const scriptPath = path.join(process.cwd(), "scripts", "test-extension.mjs");
+
+function readPlan(args: string[], cwd = process.cwd()) {
+  const stdout = execFileSync(process.execPath, [scriptPath, ...args, "--dry-run", "--json"], {
+    cwd,
+    encoding: "utf8",
+  });
+  return JSON.parse(stdout) as ReturnType<typeof resolveExtensionTestPlan>;
+}
+
+describe("scripts/test-extension.mjs", () => {
+  it("resolves channel-root extensions onto the channel vitest config", () => {
+    const plan = resolveExtensionTestPlan({ targetArg: "slack", cwd: process.cwd() });
+
+    expect(plan.extensionId).toBe("slack");
+    expect(plan.extensionDir).toBe("extensions/slack");
+    expect(plan.config).toBe("vitest.channels.config.ts");
+    expect(plan.testFiles.some((file) => file.startsWith("extensions/slack/"))).toBe(true);
+  });
+
+  it("resolves provider extensions onto the extensions vitest config", () => {
+    const plan = resolveExtensionTestPlan({ targetArg: "firecrawl", cwd: process.cwd() });
+
+    expect(plan.extensionId).toBe("firecrawl");
+    expect(plan.config).toBe("vitest.extensions.config.ts");
+    expect(plan.testFiles.some((file) => file.startsWith("extensions/firecrawl/"))).toBe(true);
+  });
+
+  it("includes paired src roots when they contain tests", () => {
+    const plan = resolveExtensionTestPlan({ targetArg: "line", cwd: process.cwd() });
+
+    expect(plan.roots).toContain("extensions/line");
+    expect(plan.roots).toContain("src/line");
+    expect(plan.config).toBe("vitest.channels.config.ts");
+    expect(plan.testFiles.some((file) => file.startsWith("src/line/"))).toBe(true);
+  });
+
+  it("infers the extension from the current working directory", () => {
+    const cwd = path.join(process.cwd(), "extensions", "slack");
+    const plan = readPlan([], cwd);
+
+    expect(plan.extensionId).toBe("slack");
+    expect(plan.extensionDir).toBe("extensions/slack");
+  });
+
+  it("maps changed paths back to extension ids", () => {
+    const extensionIds = detectChangedExtensionIds([
+      "extensions/slack/src/channel.ts",
+      "src/line/message.test.ts",
+      "extensions/firecrawl/package.json",
+      "src/not-a-plugin/file.ts",
+    ]);
+
+    expect(extensionIds).toEqual(["firecrawl", "line", "slack"]);
+  });
+});
diff --git a/tsconfig.plugin-sdk.dts.json b/tsconfig.plugin-sdk.dts.json
index f938dcc8262..b182b3e30e4 100644
--- a/tsconfig.plugin-sdk.dts.json
+++ b/tsconfig.plugin-sdk.dts.json
@@ -10,52 +10,6 @@
     "rootDir": ".",
     "tsBuildInfoFile": "dist/plugin-sdk/.tsbuildinfo"
   },
-  "include": [
-    "src/plugin-sdk/index.ts",
-    "src/plugin-sdk/core.ts",
-    "src/plugin-sdk/compat.ts",
-    "src/plugin-sdk/telegram.ts",
-    "src/plugin-sdk/discord.ts",
-    "src/plugin-sdk/slack.ts",
-    "src/plugin-sdk/signal.ts",
-    "src/plugin-sdk/imessage.ts",
-    "src/plugin-sdk/whatsapp.ts",
-    "src/plugin-sdk/line.ts",
-    "src/plugin-sdk/msteams.ts",
-    "src/plugin-sdk/account-id.ts",
-    "src/plugin-sdk/keyed-async-queue.ts",
-    "src/plugin-sdk/acpx.ts",
-    "src/plugin-sdk/bluebubbles.ts",
-    "src/plugin-sdk/copilot-proxy.ts",
-    "src/plugin-sdk/device-pair.ts",
-    "src/plugin-sdk/diagnostics-otel.ts",
-    "src/plugin-sdk/diffs.ts",
-    "src/plugin-sdk/feishu.ts",
-    "src/plugin-sdk/google-gemini-cli-auth.ts",
-    "src/plugin-sdk/googlechat.ts",
-    "src/plugin-sdk/irc.ts",
-    "src/plugin-sdk/llm-task.ts",
-    "src/plugin-sdk/lobster.ts",
-    "src/plugin-sdk/matrix.ts",
-    "src/plugin-sdk/mattermost.ts",
-    "src/plugin-sdk/memory-core.ts",
-    "src/plugin-sdk/memory-lancedb.ts",
-    "src/plugin-sdk/minimax-portal-auth.ts",
-    "src/plugin-sdk/nextcloud-talk.ts",
-    "src/plugin-sdk/nostr.ts",
-    "src/plugin-sdk/open-prose.ts",
-    "src/plugin-sdk/phone-control.ts",
-    "src/plugin-sdk/qwen-portal-auth.ts",
-    "src/plugin-sdk/synology-chat.ts",
-    "src/plugin-sdk/talk-voice.ts",
-    "src/plugin-sdk/test-utils.ts",
-    "src/plugin-sdk/thread-ownership.ts",
-    "src/plugin-sdk/tlon.ts",
-    "src/plugin-sdk/twitch.ts",
-    "src/plugin-sdk/voice-call.ts",
-    "src/plugin-sdk/zalo.ts",
-    "src/plugin-sdk/zalouser.ts",
-    "src/types/**/*.d.ts"
-  ],
+  "include": ["src/plugin-sdk/**/*.ts", "src/types/**/*.d.ts"],
   "exclude": ["node_modules", "dist", "src/**/*.test.ts"]
 }
diff --git a/tsdown.config.ts b/tsdown.config.ts
index 6ed9ccb930b..60ae26d04e0 100644
--- a/tsdown.config.ts
+++ b/tsdown.config.ts
@@ -1,6 +1,7 @@
 import fs from "node:fs";
 import path from "node:path";
 import { defineConfig } from "tsdown";
+import { buildPluginSdkEntrySources } from "./scripts/lib/plugin-sdk-entries.mjs";
 
 const env = {
   NODE_ENV: "production",
@@ -58,53 +59,6 @@ function nodeBuildConfig(config: Record<string, unknown>) {
   };
 }
 
-const pluginSdkEntrypoints = [
-  "index",
-  "core",
-  "compat",
-  "telegram",
-  "discord",
-  "slack",
-  "signal",
-  "imessage",
-  "whatsapp",
-  "line",
-  "msteams",
-  "acpx",
-  "bluebubbles",
-  "copilot-proxy",
-  "device-pair",
-  "diagnostics-otel",
-  "diffs",
-  "feishu",
-  "google-gemini-cli-auth",
-  "googlechat",
-  "irc",
-  "llm-task",
-  "lobster",
-  "matrix",
-  "mattermost",
-  "memory-core",
-  "memory-lancedb",
-  "minimax-portal-auth",
-  "nextcloud-talk",
-  "nostr",
-  "open-prose",
-  "phone-control",
-  "qwen-portal-auth",
-  "synology-chat",
-  "talk-voice",
-  "test-utils",
-  "thread-ownership",
-  "tlon",
-  "twitch",
-  "voice-call",
-  "zalo",
-  "zalouser",
-  "account-id",
-  "keyed-async-queue",
-] as const;
-
 function listBundledPluginBuildEntries(): Record<string, string> {
   const extensionsRoot = path.join(process.cwd(), "extensions");
   const entries: Record<string, string> = {};
@@ -125,13 +79,21 @@ function listBundledPluginBuildEntries(): Record<string, string> {
     if (fs.existsSync(packageJsonPath)) {
       try {
         const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, "utf8")) as {
-          openclaw?: { extensions?: unknown };
+          openclaw?: { extensions?: unknown; setupEntry?: unknown };
         };
         packageEntries = Array.isArray(packageJson.openclaw?.extensions)
           ? packageJson.openclaw.extensions.filter(
               (entry): entry is string => typeof entry === "string" && entry.trim().length > 0,
             )
           : [];
+        const setupEntry =
+          typeof packageJson.openclaw?.setupEntry === "string" &&
+          packageJson.openclaw.setupEntry.trim().length > 0
+            ? packageJson.openclaw.setupEntry
+            : undefined;
+        if (setupEntry) {
+          packageEntries = Array.from(new Set([...packageEntries, setupEntry]));
+        }
       } catch {
         packageEntries = [];
       }
@@ -182,7 +144,7 @@ export default defineConfig([
   nodeBuildConfig({
     // Bundle all plugin-sdk entries in a single build so the bundler can share
     // common chunks instead of duplicating them per entry (~712MB heap saved).
-    entry: Object.fromEntries(pluginSdkEntrypoints.map((e) => [e, `src/plugin-sdk/${e}.ts`])),
+    entry: buildPluginSdkEntrySources(),
     outDir: "dist/plugin-sdk",
   }),
   nodeBuildConfig({
@@ -190,6 +152,9 @@ export default defineConfig([
     // directly from dist/extensions instead of transpiling extensions/*.ts via Jiti.
     entry: bundledPluginBuildEntries,
     outDir: "dist",
+    deps: {
+      neverBundle: ["@lancedb/lancedb"],
+    },
   }),
   nodeBuildConfig({
     entry: "src/extensionAPI.ts",
diff --git a/ui/src/i18n/lib/translate.ts b/ui/src/i18n/lib/translate.ts
index fc18f36c8e5..11759bc6d8d 100644
--- a/ui/src/i18n/lib/translate.ts
+++ b/ui/src/i18n/lib/translate.ts
@@ -1,3 +1,4 @@
+import { getSafeLocalStorage } from "../../local-storage.ts";
 import { en } from "../locales/en.ts";
 import {
   DEFAULT_LOCALE,
@@ -22,8 +23,8 @@ class I18nManager {
   }
 
   private readStoredLocale(): string | null {
-    const storage = globalThis.localStorage;
-    if (!storage || typeof storage.getItem !== "function") {
+    const storage = getSafeLocalStorage();
+    if (!storage) {
       return null;
     }
     try {
@@ -34,8 +35,8 @@ class I18nManager {
   }
 
   private persistLocale(locale: Locale) {
-    const storage = globalThis.localStorage;
-    if (!storage || typeof storage.setItem !== "function") {
+    const storage = getSafeLocalStorage();
+    if (!storage) {
       return;
     }
     try {
diff --git a/ui/src/i18n/locales/en.ts b/ui/src/i18n/locales/en.ts
index 2e0853ed079..4d7beb928ad 100644
--- a/ui/src/i18n/locales/en.ts
+++ b/ui/src/i18n/locales/en.ts
@@ -166,7 +166,7 @@ export const en: TranslationMap = {
     hideCronSessions: "Hide cron sessions",
     showCronSessions: "Show cron sessions",
     showCronSessionsHidden: "Show cron sessions ({count} hidden)",
-    onboardingDisabled: "Disabled during onboarding",
+    onboardingDisabled: "Disabled during setup",
   },
   languages: {
     en: "English",
diff --git a/ui/src/i18n/test/translate.test.ts b/ui/src/i18n/test/translate.test.ts
index d373d3a47c9..14344b9079b 100644
--- a/ui/src/i18n/test/translate.test.ts
+++ b/ui/src/i18n/test/translate.test.ts
@@ -92,6 +92,22 @@ describe("i18n", () => {
     expect(fresh.t("common.health")).toBe("健康状况");
   });
 
+  it("skips node localStorage accessors that warn without a storage file", async () => {
+    vi.resetModules();
+    vi.unstubAllGlobals();
+    vi.stubGlobal("navigator", { language: "en-US" } as Navigator);
+    const warningSpy = vi.spyOn(process, "emitWarning");
+
+    const fresh = await import("../lib/translate.ts");
+
+    expect(fresh.i18n.getLocale()).toBe("en");
+    expect(warningSpy).not.toHaveBeenCalledWith(
+      "`--localstorage-file` was provided without a valid path",
+      expect.anything(),
+      expect.anything(),
+    );
+  });
+
   it("keeps the version label available in shipped locales", () => {
     expect((pt_BR.common as { version?: string }).version).toBeTruthy();
     expect((zh_CN.common as { version?: string }).version).toBeTruthy();
diff --git a/ui/src/local-storage.ts b/ui/src/local-storage.ts
new file mode 100644
index 00000000000..a1e80d9d32a
--- /dev/null
+++ b/ui/src/local-storage.ts
@@ -0,0 +1,25 @@
+function isStorage(value: unknown): value is Storage {
+  return (
+    Boolean(value) &&
+    typeof (value as Storage).getItem === "function" &&
+    typeof (value as Storage).setItem === "function"
+  );
+}
+
+export function getSafeLocalStorage(): Storage | null {
+  const descriptor = Object.getOwnPropertyDescriptor(globalThis, "localStorage");
+
+  if (process.env.VITEST) {
+    return descriptor && !descriptor.get && isStorage(descriptor.value) ? descriptor.value : null;
+  }
+
+  if (typeof window !== "undefined" && typeof document !== "undefined") {
+    try {
+      return isStorage(window.localStorage) ? window.localStorage : null;
+    } catch {
+      return null;
+    }
+  }
+
+  return descriptor && !descriptor.get && isStorage(descriptor.value) ? descriptor.value : null;
+}
diff --git a/ui/src/ui/app-chat.test.ts b/ui/src/ui/app-chat.test.ts
index 9a3e86d375d..b0df28cd947 100644
--- a/ui/src/ui/app-chat.test.ts
+++ b/ui/src/ui/app-chat.test.ts
@@ -83,7 +83,14 @@ describe("handleSendChat", () => {
     );
     const request = vi.fn(async (method: string, _params?: unknown) => {
       if (method === "sessions.patch") {
-        return { ok: true, key: "main" };
+        return {
+          ok: true,
+          key: "main",
+          resolved: {
+            modelProvider: "openai",
+            model: "gpt-5-mini",
+          },
+        };
       }
       if (method === "chat.history") {
         return { messages: [], thinkingLevel: null };
@@ -93,7 +100,7 @@ describe("handleSendChat", () => {
           ts: 0,
           path: "",
           count: 0,
-          defaults: { model: "gpt-5", contextTokens: null },
+          defaults: { modelProvider: "openai", model: "gpt-5", contextTokens: null },
           sessions: [],
         };
       }
@@ -116,6 +123,9 @@ describe("handleSendChat", () => {
       key: "main",
       model: "gpt-5-mini",
     });
-    expect(host.chatModelOverrides.main).toBe("gpt-5-mini");
+    expect(host.chatModelOverrides.main).toEqual({
+      kind: "qualified",
+      value: "openai/gpt-5-mini",
+    });
   });
 });
diff --git a/ui/src/ui/app-chat.ts b/ui/src/ui/app-chat.ts
index c877b4c5a5d..ec5f7300000 100644
--- a/ui/src/ui/app-chat.ts
+++ b/ui/src/ui/app-chat.ts
@@ -10,7 +10,7 @@ import { loadModels } from "./controllers/models.ts";
 import { loadSessions } from "./controllers/sessions.ts";
 import type { GatewayBrowserClient, GatewayHelloOk } from "./gateway.ts";
 import { normalizeBasePath } from "./navigation.ts";
-import type { ModelCatalogEntry } from "./types.ts";
+import type { ChatModelOverride, ModelCatalogEntry } from "./types.ts";
 import type { ChatAttachment, ChatQueueItem } from "./ui-types.ts";
 import { generateUUID } from "./uuid.ts";
 
@@ -29,7 +29,7 @@ export type ChatHost = {
   basePath: string;
   hello: GatewayHelloOk | null;
   chatAvatarUrl: string | null;
-  chatModelOverrides: Record<string, string | null>;
+  chatModelOverrides: Record<string, ChatModelOverride | null>;
   chatModelsLoading: boolean;
   chatModelCatalog: ModelCatalogEntry[];
   updateComplete?: Promise<unknown>;
@@ -308,10 +308,10 @@ async function dispatchSlashCommand(
     injectCommandResult(host, result.content);
   }
 
-  if (result.sessionPatch && "model" in result.sessionPatch) {
+  if (result.sessionPatch && "modelOverride" in result.sessionPatch) {
     host.chatModelOverrides = {
       ...host.chatModelOverrides,
-      [targetSessionKey]: result.sessionPatch.model ?? null,
+      [targetSessionKey]: result.sessionPatch.modelOverride ?? null,
     };
   }
 
diff --git a/ui/src/ui/app-render.helpers.ts b/ui/src/ui/app-render.helpers.ts
index 77ba247a26d..e83825ab899 100644
--- a/ui/src/ui/app-render.helpers.ts
+++ b/ui/src/ui/app-render.helpers.ts
@@ -6,6 +6,13 @@ import { refreshChat } from "./app-chat.ts";
 import { syncUrlWithSessionKey } from "./app-settings.ts";
 import type { AppViewState } from "./app-view-state.ts";
 import { OpenClawApp } from "./app.ts";
+import {
+  buildChatModelOption,
+  createChatModelOverride,
+  formatChatModelDisplay,
+  normalizeChatModelOverrideValue,
+  resolveServerChatModelValue,
+} from "./chat-model-ref.ts";
 import { ChatState, loadChatHistory } from "./controllers/chat.ts";
 import { loadSessions } from "./controllers/sessions.ts";
 import { icons } from "./icons.ts";
@@ -521,24 +528,25 @@ function resolveActiveSessionRow(state: AppViewState) {
 function resolveModelOverrideValue(state: AppViewState): string {
   // Prefer the local cache — it reflects in-flight patches before sessionsResult refreshes.
   const cached = state.chatModelOverrides[state.sessionKey];
-  if (typeof cached === "string") {
-    return cached.trim();
+  if (cached) {
+    return normalizeChatModelOverrideValue(cached, state.chatModelCatalog ?? []);
   }
   // cached === null means explicitly cleared to default.
   if (cached === null) {
     return "";
   }
   // No local override recorded yet — fall back to server data.
+  // Include provider prefix so the value matches option keys (provider/model).
   const activeRow = resolveActiveSessionRow(state);
-  if (activeRow) {
-    return typeof activeRow.model === "string" ? activeRow.model.trim() : "";
+  if (activeRow && typeof activeRow.model === "string" && activeRow.model.trim()) {
+    return resolveServerChatModelValue(activeRow.model, activeRow.modelProvider);
   }
   return "";
 }
 
 function resolveDefaultModelValue(state: AppViewState): string {
-  const model = state.sessionsResult?.defaults?.model;
-  return typeof model === "string" ? model.trim() : "";
+  const defaults = state.sessionsResult?.defaults;
+  return resolveServerChatModelValue(defaults?.model, defaults?.modelProvider);
 }
 
 function buildChatModelOptions(
@@ -562,8 +570,8 @@ function buildChatModelOptions(
   };
 
   for (const entry of catalog) {
-    const provider = entry.provider?.trim();
-    addOption(entry.id, provider ? `${entry.id} · ${provider}` : entry.id);
+    const option = buildChatModelOption(entry);
+    addOption(option.value, option.label);
   }
 
   if (currentOverride) {
@@ -583,7 +591,8 @@ function renderChatModelSelect(state: AppViewState) {
     currentOverride,
     defaultModel,
   );
-  const defaultLabel = defaultModel ? `Default (${defaultModel})` : "Default model";
+  const defaultDisplay = formatChatModelDisplay(defaultModel);
+  const defaultLabel = defaultModel ? `Default (${defaultDisplay})` : "Default model";
   const busy =
     state.chatLoading || state.chatSending || Boolean(state.chatRunId) || state.chatStream !== null;
   const disabled =
@@ -627,7 +636,7 @@ async function switchChatModel(state: AppViewState, nextModel: string) {
   // Write the override cache immediately so the picker stays in sync during the RPC round-trip.
   state.chatModelOverrides = {
     ...state.chatModelOverrides,
-    [targetSessionKey]: nextModel || null,
+    [targetSessionKey]: createChatModelOverride(nextModel),
   };
   try {
     await state.client.request("sessions.patch", {
diff --git a/ui/src/ui/app-render.ts b/ui/src/ui/app-render.ts
index 328f2cb6e33..11bcacae1ee 100644
--- a/ui/src/ui/app-render.ts
+++ b/ui/src/ui/app-render.ts
@@ -4,6 +4,7 @@ import {
   parseAgentSessionKey,
 } from "../../../src/routing/session-key.js";
 import { t } from "../i18n/index.ts";
+import { getSafeLocalStorage } from "../local-storage.ts";
 import { refreshChatAvatar } from "./app-chat.ts";
 import { renderUsageTab } from "./app-render-usage-tab.ts";
 import {
@@ -181,7 +182,7 @@ type DismissedUpdateBanner = {
 
 function loadDismissedUpdateBanner(): DismissedUpdateBanner | null {
   try {
-    const raw = localStorage.getItem(UPDATE_BANNER_DISMISS_KEY);
+    const raw = getSafeLocalStorage()?.getItem(UPDATE_BANNER_DISMISS_KEY);
     if (!raw) {
       return null;
     }
@@ -225,7 +226,7 @@ function dismissUpdateBanner(updateAvailable: unknown) {
     dismissedAtMs: Date.now(),
   };
   try {
-    localStorage.setItem(UPDATE_BANNER_DISMISS_KEY, JSON.stringify(payload));
+    getSafeLocalStorage()?.setItem(UPDATE_BANNER_DISMISS_KEY, JSON.stringify(payload));
   } catch {
     // ignore
   }
diff --git a/ui/src/ui/app-scroll.ts b/ui/src/ui/app-scroll.ts
index d8bd1d5b077..c5b75d24a64 100644
--- a/ui/src/ui/app-scroll.ts
+++ b/ui/src/ui/app-scroll.ts
@@ -15,6 +15,10 @@ type ScrollHost = {
   topbarObserver: ResizeObserver | null;
 };
 
+function queryHost(host: Partial<ScrollHost>, selectors: string): Element | null {
+  return typeof host.querySelector === "function" ? host.querySelector(selectors) : null;
+}
+
 export function scheduleChatScroll(host: ScrollHost, force = false, smooth = false) {
   if (host.chatScrollFrame) {
     cancelAnimationFrame(host.chatScrollFrame);
@@ -24,7 +28,7 @@ export function scheduleChatScroll(host: ScrollHost, force = false, smooth = fal
     host.chatScrollTimeout = null;
   }
   const pickScrollTarget = () => {
-    const container = host.querySelector(".chat-thread") as HTMLElement | null;
+    const container = queryHost(host, ".chat-thread") as HTMLElement | null;
     if (container) {
       const overflowY = getComputedStyle(container).overflowY;
       const canScroll =
@@ -104,7 +108,7 @@ export function scheduleLogsScroll(host: ScrollHost, force = false) {
   void host.updateComplete.then(() => {
     host.logsScrollFrame = requestAnimationFrame(() => {
       host.logsScrollFrame = null;
-      const container = host.querySelector(".log-stream") as HTMLElement | null;
+      const container = queryHost(host, ".log-stream") as HTMLElement | null;
       if (!container) {
         return;
       }
@@ -165,7 +169,7 @@ export function observeTopbar(host: ScrollHost) {
   if (typeof ResizeObserver === "undefined") {
     return;
   }
-  const topbar = host.querySelector(".topbar");
+  const topbar = queryHost(host, ".topbar");
   if (!topbar) {
     return;
   }
diff --git a/ui/src/ui/app-view-state.ts b/ui/src/ui/app-view-state.ts
index ad2910625b6..375faa43137 100644
--- a/ui/src/ui/app-view-state.ts
+++ b/ui/src/ui/app-view-state.ts
@@ -21,6 +21,7 @@ import type {
   HealthSummary,
   LogEntry,
   LogLevel,
+  ChatModelOverride,
   ModelCatalogEntry,
   NostrProfile,
   PresenceEntry,
@@ -71,7 +72,7 @@ export type AppViewState = {
   fallbackStatus: FallbackStatus | null;
   chatAvatarUrl: string | null;
   chatThinkingLevel: string | null;
-  chatModelOverrides: Record<string, string | null>;
+  chatModelOverrides: Record<string, ChatModelOverride | null>;
   chatModelsLoading: boolean;
   chatModelCatalog: ModelCatalogEntry[];
   chatQueue: ChatQueueItem[];
diff --git a/ui/src/ui/app.ts b/ui/src/ui/app.ts
index 1b3971a41f6..af0d0cb9c96 100644
--- a/ui/src/ui/app.ts
+++ b/ui/src/ui/app.ts
@@ -69,6 +69,7 @@ import type {
   AgentIdentityResult,
   ConfigSnapshot,
   ConfigUiHints,
+  ChatModelOverride,
   CronJob,
   CronRunLogEntry,
   CronStatus,
@@ -158,7 +159,7 @@ export class OpenClawApp extends LitElement {
   @state() fallbackStatus: FallbackStatus | null = null;
   @state() chatAvatarUrl: string | null = null;
   @state() chatThinkingLevel: string | null = null;
-  @state() chatModelOverrides: Record<string, string | null> = {};
+  @state() chatModelOverrides: Record<string, ChatModelOverride | null> = {};
   @state() chatModelsLoading = false;
   @state() chatModelCatalog: ModelCatalogEntry[] = [];
   @state() chatQueue: ChatQueueItem[] = [];
diff --git a/ui/src/ui/chat-model-ref.test.ts b/ui/src/ui/chat-model-ref.test.ts
new file mode 100644
index 00000000000..86b46f3fe7f
--- /dev/null
+++ b/ui/src/ui/chat-model-ref.test.ts
@@ -0,0 +1,50 @@
+import { describe, expect, it } from "vitest";
+import {
+  buildChatModelOption,
+  createChatModelOverride,
+  formatChatModelDisplay,
+  normalizeChatModelOverrideValue,
+  resolveServerChatModelValue,
+} from "./chat-model-ref.ts";
+import type { ModelCatalogEntry } from "./types.ts";
+
+const catalog: ModelCatalogEntry[] = [
+  { id: "gpt-5-mini", name: "GPT-5 Mini", provider: "openai" },
+  { id: "claude-sonnet-4-5", name: "Claude Sonnet 4.5", provider: "anthropic" },
+];
+
+describe("chat-model-ref helpers", () => {
+  it("builds provider-qualified option values and labels", () => {
+    expect(buildChatModelOption(catalog[0])).toEqual({
+      value: "openai/gpt-5-mini",
+      label: "gpt-5-mini · openai",
+    });
+  });
+
+  it("normalizes raw overrides when the catalog match is unique", () => {
+    expect(normalizeChatModelOverrideValue(createChatModelOverride("gpt-5-mini"), catalog)).toBe(
+      "openai/gpt-5-mini",
+    );
+  });
+
+  it("keeps ambiguous raw overrides unchanged", () => {
+    const ambiguousCatalog: ModelCatalogEntry[] = [
+      { id: "gpt-5-mini", name: "GPT-5 Mini", provider: "openai" },
+      { id: "gpt-5-mini", name: "GPT-5 Mini", provider: "openrouter" },
+    ];
+
+    expect(
+      normalizeChatModelOverrideValue(createChatModelOverride("gpt-5-mini"), ambiguousCatalog),
+    ).toBe("gpt-5-mini");
+  });
+
+  it("formats qualified model refs consistently for default labels", () => {
+    expect(formatChatModelDisplay("openai/gpt-5-mini")).toBe("gpt-5-mini · openai");
+    expect(formatChatModelDisplay("alias-only")).toBe("alias-only");
+  });
+
+  it("resolves server session data to qualified option values", () => {
+    expect(resolveServerChatModelValue("gpt-5-mini", "openai")).toBe("openai/gpt-5-mini");
+    expect(resolveServerChatModelValue("alias-only", null)).toBe("alias-only");
+  });
+});
diff --git a/ui/src/ui/chat-model-ref.ts b/ui/src/ui/chat-model-ref.ts
new file mode 100644
index 00000000000..351b8544bad
--- /dev/null
+++ b/ui/src/ui/chat-model-ref.ts
@@ -0,0 +1,93 @@
+import type { ModelCatalogEntry } from "./types.ts";
+
+export type ChatModelOverride =
+  | {
+      kind: "qualified";
+      value: string;
+    }
+  | {
+      kind: "raw";
+      value: string;
+    };
+
+export function buildQualifiedChatModelValue(model: string, provider?: string | null): string {
+  const trimmedModel = model.trim();
+  if (!trimmedModel) {
+    return "";
+  }
+  const trimmedProvider = provider?.trim();
+  return trimmedProvider ? `${trimmedProvider}/${trimmedModel}` : trimmedModel;
+}
+
+export function createChatModelOverride(value: string): ChatModelOverride | null {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return null;
+  }
+  if (trimmed.includes("/")) {
+    return { kind: "qualified", value: trimmed };
+  }
+  return { kind: "raw", value: trimmed };
+}
+
+export function normalizeChatModelOverrideValue(
+  override: ChatModelOverride | null | undefined,
+  catalog: ModelCatalogEntry[],
+): string {
+  if (!override) {
+    return "";
+  }
+  const trimmed = override?.value.trim();
+  if (!trimmed) {
+    return "";
+  }
+  if (override.kind === "qualified") {
+    return trimmed;
+  }
+
+  let matchedValue = "";
+  for (const entry of catalog) {
+    if (entry.id.trim().toLowerCase() !== trimmed.toLowerCase()) {
+      continue;
+    }
+    const candidate = buildQualifiedChatModelValue(entry.id, entry.provider);
+    if (!matchedValue) {
+      matchedValue = candidate;
+      continue;
+    }
+    if (matchedValue.toLowerCase() !== candidate.toLowerCase()) {
+      return trimmed;
+    }
+  }
+  return matchedValue || trimmed;
+}
+
+export function resolveServerChatModelValue(
+  model?: string | null,
+  provider?: string | null,
+): string {
+  if (typeof model !== "string") {
+    return "";
+  }
+  return buildQualifiedChatModelValue(model, provider);
+}
+
+export function formatChatModelDisplay(value: string): string {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return "";
+  }
+  const separator = trimmed.indexOf("/");
+  if (separator <= 0) {
+    return trimmed;
+  }
+  return `${trimmed.slice(separator + 1)} · ${trimmed.slice(0, separator)}`;
+}
+
+export function buildChatModelOption(entry: ModelCatalogEntry): { value: string; label: string } {
+  const provider = entry.provider?.trim();
+  return {
+    value: buildQualifiedChatModelValue(entry.id, provider),
+    label: provider ? `${entry.id} · ${provider}` : entry.id,
+  };
+}
diff --git a/ui/src/ui/chat/deleted-messages.ts b/ui/src/ui/chat/deleted-messages.ts
index 21094bb9e83..316b659baa8 100644
--- a/ui/src/ui/chat/deleted-messages.ts
+++ b/ui/src/ui/chat/deleted-messages.ts
@@ -1,3 +1,5 @@
+import { getSafeLocalStorage } from "../../local-storage.ts";
+
 const PREFIX = "openclaw:deleted:";
 
 export class DeletedMessages {
@@ -30,7 +32,7 @@ export class DeletedMessages {
 
   private load(): void {
     try {
-      const raw = localStorage.getItem(this.key);
+      const raw = getSafeLocalStorage()?.getItem(this.key);
       if (!raw) {
         return;
       }
@@ -45,7 +47,7 @@ export class DeletedMessages {
 
   private save(): void {
     try {
-      localStorage.setItem(this.key, JSON.stringify([...this._keys]));
+      getSafeLocalStorage()?.setItem(this.key, JSON.stringify([...this._keys]));
     } catch {
       // ignore
     }
diff --git a/ui/src/ui/chat/grouped-render.ts b/ui/src/ui/chat/grouped-render.ts
index 5b7549c8d64..7dcc0b62e19 100644
--- a/ui/src/ui/chat/grouped-render.ts
+++ b/ui/src/ui/chat/grouped-render.ts
@@ -1,5 +1,6 @@
 import { html, nothing } from "lit";
 import { unsafeHTML } from "lit/directives/unsafe-html.js";
+import { getSafeLocalStorage } from "../../local-storage.ts";
 import type { AssistantIdentity } from "../assistant-identity.ts";
 import { icons } from "../icons.ts";
 import { toSanitizedMarkdownHtml } from "../markdown.ts";
@@ -322,7 +323,7 @@ type DeleteConfirmSide = "left" | "right";
 
 function shouldSkipDeleteConfirm(): boolean {
   try {
-    return localStorage.getItem(SKIP_DELETE_CONFIRM_KEY) === "1";
+    return getSafeLocalStorage()?.getItem(SKIP_DELETE_CONFIRM_KEY) === "1";
   } catch {
     return false;
   }
@@ -370,7 +371,7 @@ function renderDeleteButton(onDelete: () => void, side: DeleteConfirmSide) {
           yes.addEventListener("click", () => {
             if (check.checked) {
               try {
-                localStorage.setItem(SKIP_DELETE_CONFIRM_KEY, "1");
+                getSafeLocalStorage()?.setItem(SKIP_DELETE_CONFIRM_KEY, "1");
               } catch {}
             }
             popover.remove();
diff --git a/ui/src/ui/chat/pinned-messages.ts b/ui/src/ui/chat/pinned-messages.ts
index a3e77a9483b..3bd7b9d6603 100644
--- a/ui/src/ui/chat/pinned-messages.ts
+++ b/ui/src/ui/chat/pinned-messages.ts
@@ -1,3 +1,5 @@
+import { getSafeLocalStorage } from "../../local-storage.ts";
+
 const PREFIX = "openclaw:pinned:";
 
 export class PinnedMessages {
@@ -42,7 +44,7 @@ export class PinnedMessages {
 
   private load(): void {
     try {
-      const raw = localStorage.getItem(this.key);
+      const raw = getSafeLocalStorage()?.getItem(this.key);
       if (!raw) {
         return;
       }
@@ -57,7 +59,7 @@ export class PinnedMessages {
 
   private save(): void {
     try {
-      localStorage.setItem(this.key, JSON.stringify([...this._indices]));
+      getSafeLocalStorage()?.setItem(this.key, JSON.stringify([...this._indices]));
     } catch {
       // ignore
     }
diff --git a/ui/src/ui/chat/slash-command-executor.node.test.ts b/ui/src/ui/chat/slash-command-executor.node.test.ts
index d08c62b97d9..96170fa8940 100644
--- a/ui/src/ui/chat/slash-command-executor.node.test.ts
+++ b/ui/src/ui/chat/slash-command-executor.node.test.ts
@@ -235,7 +235,7 @@ describe("executeSlashCommand directives", () => {
     const request = vi.fn(async (method: string, _payload?: unknown) => {
       if (method === "sessions.list") {
         return {
-          defaults: { model: "default-model" },
+          defaults: { modelProvider: "openai", model: "default-model" },
           sessions: [
             row("agent:main:main", {
               model: "gpt-4.1-mini",
@@ -265,6 +265,38 @@ describe("executeSlashCommand directives", () => {
     expect(request).toHaveBeenNthCalledWith(2, "models.list", {});
   });
 
+  it("mirrors resolved provider-qualified model refs after /model changes", async () => {
+    const request = vi.fn(async (method: string, _payload?: unknown) => {
+      if (method === "sessions.patch") {
+        return {
+          ok: true,
+          key: "main",
+          resolved: {
+            modelProvider: "openai",
+            model: "gpt-5-mini",
+          },
+        };
+      }
+      throw new Error(`unexpected method: ${method}`);
+    });
+
+    const result = await executeSlashCommand(
+      { request } as unknown as GatewayBrowserClient,
+      "main",
+      "model",
+      "gpt-5-mini",
+    );
+
+    expect(request).toHaveBeenCalledWith("sessions.patch", {
+      key: "main",
+      model: "gpt-5-mini",
+    });
+    expect(result.sessionPatch?.modelOverride).toEqual({
+      kind: "qualified",
+      value: "openai/gpt-5-mini",
+    });
+  });
+
   it("resolves the legacy main alias for /usage", async () => {
     const request = vi.fn(async (method: string, _payload?: unknown) => {
       if (method === "sessions.list") {
diff --git a/ui/src/ui/chat/slash-command-executor.ts b/ui/src/ui/chat/slash-command-executor.ts
index 38b1690fe29..b1d06d5e2b2 100644
--- a/ui/src/ui/chat/slash-command-executor.ts
+++ b/ui/src/ui/chat/slash-command-executor.ts
@@ -9,15 +9,22 @@ import {
   normalizeThinkLevel,
   normalizeVerboseLevel,
   resolveThinkingDefaultForModel,
-} from "../../../../src/auto-reply/thinking.js";
+} from "../../../../src/auto-reply/thinking.shared.js";
 import {
   DEFAULT_AGENT_ID,
   DEFAULT_MAIN_KEY,
   isSubagentSessionKey,
   parseAgentSessionKey,
 } from "../../../../src/routing/session-key.js";
+import { createChatModelOverride, resolveServerChatModelValue } from "../chat-model-ref.ts";
 import type { GatewayBrowserClient } from "../gateway.ts";
-import type { AgentsListResult, GatewaySessionRow, SessionsListResult } from "../types.ts";
+import type {
+  AgentsListResult,
+  ChatModelOverride,
+  GatewaySessionRow,
+  SessionsListResult,
+  SessionsPatchResult,
+} from "../types.ts";
 import { SLASH_COMMANDS } from "./slash-commands.ts";
 
 export type SlashCommandResult = {
@@ -35,7 +42,7 @@ export type SlashCommandResult = {
     | "navigate-usage";
   /** Optional session-level directive changes that the caller should mirror locally. */
   sessionPatch?: {
-    model?: string | null;
+    modelOverride?: ChatModelOverride | null;
   };
 };
 
@@ -144,11 +151,18 @@ async function executeModel(
   }
 
   try {
-    await client.request("sessions.patch", { key: sessionKey, model: args.trim() });
+    const patched = await client.request<SessionsPatchResult>("sessions.patch", {
+      key: sessionKey,
+      model: args.trim(),
+    });
+    const resolvedValue = resolveServerChatModelValue(
+      patched.resolved?.model ?? args.trim(),
+      patched.resolved?.modelProvider,
+    );
     return {
       content: `Model set to \`${args.trim()}\`.`,
       action: "refresh",
-      sessionPatch: { model: args.trim() },
+      sessionPatch: { modelOverride: createChatModelOverride(resolvedValue) },
     };
   } catch (err) {
     return { content: `Failed to set model: ${String(err)}` };
diff --git a/ui/src/ui/controllers/usage.ts b/ui/src/ui/controllers/usage.ts
index 0fe257ae8e7..5862bd82e72 100644
--- a/ui/src/ui/controllers/usage.ts
+++ b/ui/src/ui/controllers/usage.ts
@@ -1,3 +1,4 @@
+import { getSafeLocalStorage } from "../../local-storage.ts";
 import type { GatewayBrowserClient } from "../gateway.ts";
 import type { SessionsUsageResult, CostUsageSummary, SessionUsageTimeSeries } from "../types.ts";
 import type { SessionLogEntry } from "../views/usage.ts";
@@ -39,14 +40,7 @@ const LEGACY_USAGE_DATE_PARAMS_INVALID_RE = /invalid sessions\.usage params/i;
 let legacyUsageDateParamsCache: Set<string> | null = null;
 
 function getLocalStorage(): Storage | null {
-  // Support browser runtime and node tests (when localStorage is stubbed globally).
-  if (typeof window !== "undefined" && window.localStorage) {
-    return window.localStorage;
-  }
-  if (typeof localStorage !== "undefined") {
-    return localStorage;
-  }
-  return null;
+  return getSafeLocalStorage();
 }
 
 function loadLegacyUsageDateParamsCache(): Set<string> {
diff --git a/ui/src/ui/device-auth.ts b/ui/src/ui/device-auth.ts
index 1adcf7deda9..1238a859f1c 100644
--- a/ui/src/ui/device-auth.ts
+++ b/ui/src/ui/device-auth.ts
@@ -5,12 +5,13 @@ import {
   storeDeviceAuthTokenInStore,
 } from "../../../src/shared/device-auth-store.js";
 import type { DeviceAuthStore } from "../../../src/shared/device-auth.js";
+import { getSafeLocalStorage } from "../local-storage.ts";
 
 const STORAGE_KEY = "openclaw.device.auth.v1";
 
 function readStore(): DeviceAuthStore | null {
   try {
-    const raw = window.localStorage.getItem(STORAGE_KEY);
+    const raw = getSafeLocalStorage()?.getItem(STORAGE_KEY);
     if (!raw) {
       return null;
     }
@@ -32,7 +33,7 @@ function readStore(): DeviceAuthStore | null {
 
 function writeStore(store: DeviceAuthStore) {
   try {
-    window.localStorage.setItem(STORAGE_KEY, JSON.stringify(store));
+    getSafeLocalStorage()?.setItem(STORAGE_KEY, JSON.stringify(store));
   } catch {
     // best-effort
   }
diff --git a/ui/src/ui/device-identity.ts b/ui/src/ui/device-identity.ts
index 947b8185038..ff20c68649e 100644
--- a/ui/src/ui/device-identity.ts
+++ b/ui/src/ui/device-identity.ts
@@ -1,4 +1,5 @@
 import { getPublicKeyAsync, signAsync, utils } from "@noble/ed25519";
+import { getSafeLocalStorage } from "../local-storage.ts";
 
 type StoredIdentity = {
   version: 1;
@@ -58,8 +59,9 @@ async function generateIdentity(): Promise<DeviceIdentity> {
 }
 
 export async function loadOrCreateDeviceIdentity(): Promise<DeviceIdentity> {
+  const storage = getSafeLocalStorage();
   try {
-    const raw = localStorage.getItem(STORAGE_KEY);
+    const raw = storage?.getItem(STORAGE_KEY);
     if (raw) {
       const parsed = JSON.parse(raw) as StoredIdentity;
       if (
@@ -74,7 +76,7 @@ export async function loadOrCreateDeviceIdentity(): Promise<DeviceIdentity> {
             ...parsed,
             deviceId: derivedId,
           };
-          localStorage.setItem(STORAGE_KEY, JSON.stringify(updated));
+          storage?.setItem(STORAGE_KEY, JSON.stringify(updated));
           return {
             deviceId: derivedId,
             publicKey: parsed.publicKey,
@@ -100,7 +102,7 @@ export async function loadOrCreateDeviceIdentity(): Promise<DeviceIdentity> {
     privateKey: identity.privateKey,
     createdAtMs: Date.now(),
   };
-  localStorage.setItem(STORAGE_KEY, JSON.stringify(stored));
+  storage?.setItem(STORAGE_KEY, JSON.stringify(stored));
   return identity;
 }
 
diff --git a/ui/src/ui/storage.ts b/ui/src/ui/storage.ts
index 450c5124592..aea47188bd3 100644
--- a/ui/src/ui/storage.ts
+++ b/ui/src/ui/storage.ts
@@ -1,8 +1,12 @@
-const KEY = "openclaw.control.settings.v1";
+const SETTINGS_KEY_PREFIX = "openclaw.control.settings.v1:";
 const LEGACY_TOKEN_SESSION_KEY = "openclaw.control.token.v1";
 const TOKEN_SESSION_KEY_PREFIX = "openclaw.control.token.v1:";
 const MAX_SCOPED_SESSION_ENTRIES = 10;
 
+function settingsKeyForGateway(gatewayUrl: string): string {
+  return `${SETTINGS_KEY_PREFIX}${normalizeGatewayTokenScope(gatewayUrl)}`;
+}
+
 type ScopedSessionSelection = {
   sessionKey: string;
   lastActiveSessionKey: string;
@@ -16,6 +20,7 @@ type PersistedUiSettings = Omit<UiSettings, "token" | "sessionKey" | "lastActive
 };
 
 import { isSupportedLocale } from "../i18n/index.ts";
+import { getSafeLocalStorage } from "../local-storage.ts";
 import { inferBasePathFromPathname, normalizeBasePath } from "./navigation.ts";
 import { parseThemeSelection, type ThemeMode, type ThemeName } from "./theme.ts";
 
@@ -168,6 +173,7 @@ function persistSessionToken(gatewayUrl: string, token: string) {
 
 export function loadSettings(): UiSettings {
   const { pageUrl: pageDerivedUrl, effectiveUrl: defaultUrl } = deriveDefaultGatewayUrl();
+  const storage = getSafeLocalStorage();
 
   const defaults: UiSettings = {
     gatewayUrl: defaultUrl,
@@ -186,7 +192,12 @@ export function loadSettings(): UiSettings {
   };
 
   try {
-    const raw = localStorage.getItem(KEY);
+    // First check for legacy key (no scope), then check for scoped key
+    const scopedKey = settingsKeyForGateway(defaults.gatewayUrl);
+    const raw =
+      storage?.getItem(scopedKey) ??
+      storage?.getItem(SETTINGS_KEY_PREFIX + "default") ??
+      storage?.getItem("openclaw.control.settings.v1");
     if (!raw) {
       return defaults;
     }
@@ -252,10 +263,16 @@ export function saveSettings(next: UiSettings) {
 
 function persistSettings(next: UiSettings) {
   persistSessionToken(next.gatewayUrl, next.token);
+  const storage = getSafeLocalStorage();
   const scope = normalizeGatewayTokenScope(next.gatewayUrl);
+  const scopedKey = settingsKeyForGateway(next.gatewayUrl);
   let existingSessionsByGateway: Record<string, ScopedSessionSelection> = {};
   try {
-    const raw = localStorage.getItem(KEY);
+    // Try to migrate from legacy key or other scopes
+    const raw =
+      storage?.getItem(scopedKey) ??
+      storage?.getItem(SETTINGS_KEY_PREFIX + "default") ??
+      storage?.getItem("openclaw.control.settings.v1");
     if (raw) {
       const parsed = JSON.parse(raw) as PersistedUiSettings;
       if (parsed.sessionsByGateway && typeof parsed.sessionsByGateway === "object") {
@@ -291,5 +308,5 @@ function persistSettings(next: UiSettings) {
     sessionsByGateway,
     ...(next.locale ? { locale: next.locale } : {}),
   };
-  localStorage.setItem(KEY, JSON.stringify(persisted));
+  storage?.setItem(scopedKey, JSON.stringify(persisted));
 }
diff --git a/ui/src/ui/types.ts b/ui/src/ui/types.ts
index d9764a024e6..0d5aa3d61cd 100644
--- a/ui/src/ui/types.ts
+++ b/ui/src/ui/types.ts
@@ -316,10 +316,13 @@ export type PresenceEntry = {
 };
 
 export type GatewaySessionsDefaults = {
+  modelProvider: string | null;
   model: string | null;
   contextTokens: number | null;
 };
 
+export type ChatModelOverride = import("./chat-model-ref.ts").ChatModelOverride;
+
 export type GatewayAgentRow = SharedGatewayAgentRow;
 
 export type AgentsListResult = {
@@ -401,7 +404,12 @@ export type SessionsPatchResult = SessionsPatchResultBase<{
   verboseLevel?: string;
   reasoningLevel?: string;
   elevatedLevel?: string;
-}>;
+}> & {
+  resolved?: {
+    modelProvider?: string;
+    model?: string;
+  };
+};
 
 export type {
   CostUsageDailyEntry,
diff --git a/ui/src/ui/views/chat.browser.test.ts b/ui/src/ui/views/chat.browser.test.ts
index fa7947a328a..c17525bb60b 100644
--- a/ui/src/ui/views/chat.browser.test.ts
+++ b/ui/src/ui/views/chat.browser.test.ts
@@ -31,7 +31,7 @@ function createProps(overrides: Partial<ChatProps> = {}): ChatProps {
       ts: 0,
       path: "",
       count: 1,
-      defaults: { model: "gpt-5", contextTokens: null },
+      defaults: { modelProvider: "openai", model: "gpt-5", contextTokens: null },
       sessions: [
         {
           key: "main",
diff --git a/ui/src/ui/views/chat.test.ts b/ui/src/ui/views/chat.test.ts
index 860727c1927..68e4a3afe01 100644
--- a/ui/src/ui/views/chat.test.ts
+++ b/ui/src/ui/views/chat.test.ts
@@ -2,6 +2,7 @@
 
 import { render } from "lit";
 import { describe, expect, it, vi } from "vitest";
+import { getSafeLocalStorage } from "../../local-storage.ts";
 import { renderChatSessionSelect } from "../app-render.helpers.ts";
 import type { AppViewState } from "../app-view-state.ts";
 import type { GatewayBrowserClient } from "../gateway.ts";
@@ -14,7 +15,7 @@ function createSessions(): SessionsListResult {
     ts: 0,
     path: "",
     count: 0,
-    defaults: { model: null, contextTokens: null },
+    defaults: { modelProvider: null, model: null, contextTokens: null },
     sessions: [],
   };
 }
@@ -27,6 +28,7 @@ function createChatHeaderState(
   } = {},
 ): { state: AppViewState; request: ReturnType<typeof vi.fn> } {
   let currentModel = overrides.model ?? null;
+  let currentModelProvider = currentModel ? "openai" : null;
   const omitSessionFromList = overrides.omitSessionFromList ?? false;
   const catalog = overrides.models ?? [
     { id: "gpt-5", name: "GPT-5", provider: "openai" },
@@ -34,7 +36,26 @@ function createChatHeaderState(
   ];
   const request = vi.fn(async (method: string, params: Record<string, unknown>) => {
     if (method === "sessions.patch") {
-      currentModel = (params.model as string | null | undefined) ?? null;
+      const nextModel = (params.model as string | null | undefined) ?? null;
+      if (!nextModel) {
+        currentModel = null;
+        currentModelProvider = null;
+      } else {
+        const normalized = nextModel.trim();
+        const slashIndex = normalized.indexOf("/");
+        if (slashIndex > 0) {
+          currentModelProvider = normalized.slice(0, slashIndex);
+          currentModel = normalized.slice(slashIndex + 1);
+        } else {
+          currentModel = normalized;
+          const matchingProviders = catalog
+            .filter((entry) => entry.id === normalized)
+            .map((entry) => entry.provider)
+            .filter(Boolean);
+          currentModelProvider =
+            matchingProviders.length === 1 ? matchingProviders[0] : currentModelProvider;
+        }
+      }
       return { ok: true, key: "main" };
     }
     if (method === "chat.history") {
@@ -45,10 +66,18 @@ function createChatHeaderState(
         ts: 0,
         path: "",
         count: omitSessionFromList ? 0 : 1,
-        defaults: { model: "gpt-5", contextTokens: null },
+        defaults: { modelProvider: "openai", model: "gpt-5", contextTokens: null },
         sessions: omitSessionFromList
           ? []
-          : [{ key: "main", kind: "direct", updatedAt: null, model: currentModel }],
+          : [
+              {
+                key: "main",
+                kind: "direct",
+                updatedAt: null,
+                modelProvider: currentModelProvider,
+                model: currentModel,
+              },
+            ],
       };
     }
     if (method === "models.list") {
@@ -64,10 +93,18 @@ function createChatHeaderState(
       ts: 0,
       path: "",
       count: omitSessionFromList ? 0 : 1,
-      defaults: { model: "gpt-5", contextTokens: null },
+      defaults: { modelProvider: "openai", model: "gpt-5", contextTokens: null },
       sessions: omitSessionFromList
         ? []
-        : [{ key: "main", kind: "direct", updatedAt: null, model: currentModel }],
+        : [
+            {
+              key: "main",
+              kind: "direct",
+              updatedAt: null,
+              modelProvider: currentModelProvider,
+              model: currentModel,
+            },
+          ],
     },
     chatModelOverrides: {},
     chatModelCatalog: catalog,
@@ -482,7 +519,7 @@ describe("chat view", () => {
 
   it("opens delete confirm on the left for user messages", () => {
     try {
-      localStorage.removeItem("openclaw:skipDeleteConfirm");
+      getSafeLocalStorage()?.removeItem("openclaw:skipDeleteConfirm");
     } catch {
       /* noop */
     }
@@ -515,7 +552,7 @@ describe("chat view", () => {
 
   it("opens delete confirm on the right for assistant messages", () => {
     try {
-      localStorage.removeItem("openclaw:skipDeleteConfirm");
+      getSafeLocalStorage()?.removeItem("openclaw:skipDeleteConfirm");
     } catch {
       /* noop */
     }
@@ -565,16 +602,17 @@ describe("chat view", () => {
     expect(modelSelect).not.toBeNull();
     expect(modelSelect?.value).toBe("");
 
-    modelSelect!.value = "gpt-5-mini";
+    modelSelect!.value = "openai/gpt-5-mini";
     modelSelect!.dispatchEvent(new Event("change", { bubbles: true }));
     await flushTasks();
 
     expect(request).toHaveBeenCalledWith("sessions.patch", {
       key: "main",
-      model: "gpt-5-mini",
+      model: "openai/gpt-5-mini",
     });
     expect(request).not.toHaveBeenCalledWith("chat.history", expect.anything());
     expect(state.sessionsResult?.sessions[0]?.model).toBe("gpt-5-mini");
+    expect(state.sessionsResult?.sessions[0]?.modelProvider).toBe("openai");
     vi.unstubAllGlobals();
   });
 
@@ -593,7 +631,7 @@ describe("chat view", () => {
       'select[data-chat-model-select="true"]',
     );
     expect(modelSelect).not.toBeNull();
-    expect(modelSelect?.value).toBe("gpt-5-mini");
+    expect(modelSelect?.value).toBe("openai/gpt-5-mini");
 
     modelSelect!.value = "";
     modelSelect!.dispatchEvent(new Event("change", { bubbles: true }));
@@ -637,7 +675,7 @@ describe("chat view", () => {
     );
     expect(modelSelect).not.toBeNull();
 
-    modelSelect!.value = "gpt-5-mini";
+    modelSelect!.value = "openai/gpt-5-mini";
     modelSelect!.dispatchEvent(new Event("change", { bubbles: true }));
     await flushTasks();
     render(renderChatSessionSelect(state), container);
@@ -645,10 +683,30 @@ describe("chat view", () => {
     const rerendered = container.querySelector<HTMLSelectElement>(
       'select[data-chat-model-select="true"]',
     );
-    expect(rerendered?.value).toBe("gpt-5-mini");
+    expect(rerendered?.value).toBe("openai/gpt-5-mini");
     vi.unstubAllGlobals();
   });
 
+  it("normalizes cached bare /model overrides to the matching catalog option", () => {
+    const { state } = createChatHeaderState();
+    state.chatModelOverrides = { main: { kind: "raw", value: "gpt-5-mini" } };
+
+    const container = document.createElement("div");
+    render(renderChatSessionSelect(state), container);
+
+    const modelSelect = container.querySelector<HTMLSelectElement>(
+      'select[data-chat-model-select="true"]',
+    );
+    expect(modelSelect).not.toBeNull();
+    expect(modelSelect?.value).toBe("openai/gpt-5-mini");
+
+    const optionValues = Array.from(modelSelect?.querySelectorAll("option") ?? []).map(
+      (option) => option.value,
+    );
+    expect(optionValues).toContain("openai/gpt-5-mini");
+    expect(optionValues).not.toContain("gpt-5-mini");
+  });
+
   it("prefers the session label over displayName in the grouped chat session selector", () => {
     const { state } = createChatHeaderState({ omitSessionFromList: true });
     state.sessionKey = "agent:main:subagent:4f2146de-887b-4176-9abe-91140082959b";
@@ -657,7 +715,7 @@ describe("chat view", () => {
       ts: 0,
       path: "",
       count: 1,
-      defaults: { model: "gpt-5", contextTokens: null },
+      defaults: { modelProvider: "openai", model: "gpt-5", contextTokens: null },
       sessions: [
         {
           key: state.sessionKey,
@@ -707,7 +765,7 @@ describe("chat view", () => {
       ts: 0,
       path: "",
       count: 1,
-      defaults: { model: "gpt-5", contextTokens: null },
+      defaults: { modelProvider: "openai", model: "gpt-5", contextTokens: null },
       sessions: [
         {
           key: state.sessionKey,
@@ -736,7 +794,7 @@ describe("chat view", () => {
       ts: 0,
       path: "",
       count: 2,
-      defaults: { model: "gpt-5", contextTokens: null },
+      defaults: { modelProvider: "openai", model: "gpt-5", contextTokens: null },
       sessions: [
         {
           key: "agent:main:subagent:4f2146de-887b-4176-9abe-91140082959b",
diff --git a/ui/src/ui/views/sessions.test.ts b/ui/src/ui/views/sessions.test.ts
index fe650fef8fb..342af136a75 100644
--- a/ui/src/ui/views/sessions.test.ts
+++ b/ui/src/ui/views/sessions.test.ts
@@ -8,7 +8,7 @@ function buildResult(session: SessionsListResult["sessions"][number]): SessionsL
     ts: Date.now(),
     path: "(multiple)",
     count: 1,
-    defaults: { model: null, contextTokens: null },
+    defaults: { modelProvider: null, model: null, contextTokens: null },
     sessions: [session],
   };
 }
diff --git a/vitest.config.ts b/vitest.config.ts
index 70011a6a0b8..564065be9e3 100644
--- a/vitest.config.ts
+++ b/vitest.config.ts
@@ -2,58 +2,13 @@ import os from "node:os";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import { defineConfig } from "vitest/config";
+import { pluginSdkSubpaths } from "./scripts/lib/plugin-sdk-entries.mjs";
 
 const repoRoot = path.dirname(fileURLToPath(import.meta.url));
 const isCI = process.env.CI === "true" || process.env.GITHUB_ACTIONS === "true";
 const isWindows = process.platform === "win32";
 const localWorkers = Math.max(4, Math.min(16, os.cpus().length));
 const ciWorkers = isWindows ? 2 : 3;
-const pluginSdkSubpaths = [
-  "account-id",
-  "core",
-  "compat",
-  "telegram",
-  "discord",
-  "slack",
-  "signal",
-  "imessage",
-  "whatsapp",
-  "line",
-  "msteams",
-  "acpx",
-  "bluebubbles",
-  "copilot-proxy",
-  "device-pair",
-  "diagnostics-otel",
-  "diffs",
-  "feishu",
-  "google-gemini-cli-auth",
-  "googlechat",
-  "irc",
-  "llm-task",
-  "lobster",
-  "matrix",
-  "mattermost",
-  "memory-core",
-  "memory-lancedb",
-  "minimax-portal-auth",
-  "nextcloud-talk",
-  "nostr",
-  "open-prose",
-  "phone-control",
-  "qwen-portal-auth",
-  "synology-chat",
-  "talk-voice",
-  "test-utils",
-  "thread-ownership",
-  "tlon",
-  "twitch",
-  "voice-call",
-  "zalo",
-  "zalouser",
-  "keyed-async-queue",
-] as const;
-
 export default defineConfig({
   resolve: {
     // Keep this ordered: the base `openclaw/plugin-sdk` alias is a prefix match.